
Symantec made its first major acquisition of the Blue Coat Systems era with the $2.3 billion purchase of identity protection firm LifeLock.

The Symantec-LifeLock deal is expected to close in the first quarter of 2017; the antivirus software maker paid $24 a share for LifeLock, approximately 16 percent above LifeLock's closing stock price of $20.75. Rumors of the acquisition emerged last week, with Bloomberg News reporting that Symantec, along with investment firms Permira and TPG Capital, was interested in bidding on LifeLock.

The LifeLock purchase comes just a few months after a major shakeup at Symantec. The security software giant purchased web and cloud security firm Blue Coat Systems for $4.65 billion in June; Blue Coat CEO Greg Clark was named Symantec's chief executive, filling the void left by former CEO Michael Brown, who resigned from Symantec in April.

However, the acquisition of LifeLock is a departure from Symantec's recent efforts to chart a new course beyond its legacy antivirus and consumer-focused businesses and focus on new opportunities in cloud security. Following the Blue Coat acquisition, Symantec outlined its "cloud generation" vision, which was carried over from Blue Coat's own strategy to increase its cloud security offerings and combine them with existing web and networking technology.

But in Symantec's second quarter 2017 earnings call earlier this month, Clark stated that although the consumer security business had been in decline, he felt there was still room to grow.

"We believe the market opportunity for protecting consumers is larger than what our current consumer products address today," Clark said. "As we move to further penetrate these opportunities, we expect the Consumer Security business to improve its growth trajectory as we move beyond the PC."

In a conference call Monday, Clark said LifeLock's technology will complement Symantec's Norton consumer products and expand the scope of its consumer security offerings.

"Consumers pay between 2x and 3x more for identity protection than they pay for endpoint malware protection," he said. "With this acquisition Symantec accelerates its Consumer Business' return to growth by offering a digital safety platform to protect information, devices, networks and identities of consumers."

LifeLock, which was founded in 2005, has established itself as one of the leading companies in the consumer identity protection market, but the company has run afoul of the U.S. Federal Trade Commission over the years. In 2010, the company paid $12 million to settle FTC charges that it used false claims to promote its identity theft protection services. Under the 2010 settlement, LifeLock agreed to refrain from making deceptive marketing claims and promised to "take more stringent measures to safeguard the personal information they collect from customers," according to the FTC.

However, in 2015 LifeLock was forced to pay an additional $100 million to settle FTC contempt charges after the agency found that LifeLock had violated aspects of the 2010 settlement. Specifically, the FTC said LifeLock "failed to establish and maintain a comprehensive information security program to protect users' sensitive personal information including their social security, credit card and bank account numbers." In addition, the FTC found that LifeLock continued to engage in false advertising claims and failed to abide by the 2010 settlement's recordkeeping requirements.



SearchSecurity: Security Wire Daily News

EU countries must not be too restrictive in how they apply EU data protection laws or risk damaging the development of big data projects, German chancellor Angela Merkel has said.

Germany has traditionally been cautious over data collection, but if countries are too restrictive then "big data management will not be possible", Merkel told the 10th IT Summit (link to video in German) in Saarbrücken.

Europeans are famous for banning things, Merkel said. These bans are put in place for good reason, she said, but can be damaging if taken to excess.

"In Germany we have the principle of 'data minimisation', but we may have to give a little on that. Such a principle doesn't seem as appropriate when you are looking at big data," she said.

While it is important to protect personal data, it is also important to enable new developments, she said.

"Courts will have to be careful not to be too strict if that means limiting opportunities", Merkel said.

Munich-based data protection expert Kirsten Wolgast of Pinsent Masons, the law firm behind Out-Law.com, said Merkel's comments suggest a change of direction.

"Merkel obviously wants to create some space for big data business models, and make it a bit easier to establish. But we'll have to wait and see whether the data protection authorities or courts take her comments into account," Wolgast said.

Berlin data protection commissioner Maja Smoltczyk said this month that nine of the country's federal data protection authorities are to conduct a review of 500 businesses' data transfer arrangements.

The review will focus on arrangements the businesses have in place for transferring personal data outside of the European Economic Area (EEA).

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.



The Register - Security

Software vendor CA Technologies is best known for its mainframe, business-to-business and distributed computing offerings. As an expansion of its enterprise-based offerings, the company also offers a data loss prevention suite called CA Technologies Data Protection. Formerly known as CA Technologies DataMinder, CA Technologies Data Protection is capable of supporting large enterprises with thousands of users and desktops. The DLP software suite components include CA Data Protection Endpoint, CA Data Protection for Networks, CA Data Protection for Stored Data and CA Email Supervision.

Data scanners

This CA Technologies Data Protection suite is able to protect data at rest, data in transit and data in use. It also integrates with CA Technologies Identity and Access Management products to allow access to sensitive information based on content and data classification. CA Technologies Data Protection is also able to quarantine data and protect sensitive information by granting or blocking access based on the reviewer's access privileges.

Endpoint agents

CA Data Protection Endpoint agents are application plug-ins for securing data at rest that execute on an endpoint device. These agents can monitor user activity and execute capture and control actions based on DLP policy. They either work with a gateway server or report directly to the DLP central management server. The agents are also able to continue policy enforcement even if disconnected from the central management server. CA Data Protection Endpoint is able to encrypt data sent to removable media. This action is controlled in part by the Client File System Agent (CFSA). In addition to monitoring local file copy actions, the CFSA is able to enforce policy for synchronization folders connecting to cloud resources such as Dropbox.

Network security

The CA Data Protection for Networks network appliance is able to control SMTP, web browser, webmail and social media HTTP/HTTPS traffic, instant messaging and peer-to-peer messaging such as Skype. Using SPAN ports, it can function as a passive DLP monitoring tool or be deployed in line to block sensitive data traffic, including decoding SSL traffic while inline.

Stored data

CA Data Protection for Stored Data secures data at rest by protecting and controlling sensitive information stored in network file shares and document repositories, public folders, ODBC sources and information collaboration servers such as Microsoft SharePoint. It can recognize and classify over 300 file types including HTML, XML, ZIP and others. CA Data Protection for Stored Data can also conduct full and partial fingerprinting of text and graphical content in order to track the file content's transmission and usage. The product's scalable and distributed architecture enables file scan rates of up to 500 gigabytes per hour.

Email data

CA Email Supervision controls and reports on sensitive email in motion and at rest for popular email servers such as Microsoft Exchange and Lotus Domino, as well as mail transport agents such as sendmail and postfix. The CA Email Supervision lightweight agent is deployed at the email server and supports any number of email policies designed to protect an organization from criminal as well as unintentional sensitive data exposure. Supported email endpoints include laptops, virtual desktops and smartphones, giving DLP controls inside and outside the corporate network.

Summary

CA Technologies' DLP suite offers several components and features designed to address a wide array of data protection needs for large enterprises. CA Data Protection covers endpoints and data in use, data in transit on the network, data at rest in storage or databases, and mobile and cloud data as well. The product suite comes with 24/7 technical support from CA Technologies; free training and educational courses are also available for customers. Organizations interested in pricing and licensing terms for CA Data Protection products should contact the vendor or authorized CA reseller partners.


This was last published in November 2016



SearchSecurity: Security Wire Daily News

Ensuring safe and continuous delivery of business email is one of an IT department's top priorities. Today we're presenting GFI OneConnect Beta, a solution delivering a more secure and reliable email service for businesses of all sizes.

In a continuous effort to deliver new and innovative solutions to the market and our customers, GFI Software’s engineering team has developed a new product, named GFI OneConnect. For more details on this product and its beta version that just became available, we’ve spoken with Joe Kern, Director of Product Integration at GFI Software.

TalkTechToMe: Can you explain what is GFI OneConnect?

Joe Kern: To describe it briefly, GFI OneConnect is our newest cloud-based email security and continuity platform, a solution built to help IT admins in protecting their infrastructure from spam, viruses, malware threats, and email service outages.

TTTM: What are the key features that GFI OneConnect brings?

Joe: We used our expertise and experience in building on-premise and cloud software to create a hybrid solution that would protect and ensure high availability of one of the most important business services of today – email.

With two anti-virus engines and lots of advanced spam detection mechanisms, our new solution filters out spam and stops virus threats coming through emails. And in case the company on-premise Exchange Server is down, GFI OneConnect takes over the delivery of emails, so no important messages get lost and business continuity is ensured.

By using our email protection, continuity and disaster recovery solution, IT professionals are delivering a definitive value to companies, and we expect this to be the main benefit which will attract IT admins and business owners in using GFI OneConnect.


TTTM: So how does exactly GFI OneConnect work?

Joe: To begin using it, you need to install the GFI OneConnect Server on a Windows Server, whether physical or virtualized, located in your local infrastructure, and setup the connection between the GFI OneConnect Server and your Exchange Server, on one side, and the GFI OneConnect Data Center, on the other side.

After the initial configuration, all your emails are routed through GFI OneConnect. The solution uses two AV engines, ClamAV and Kaspersky, to search all incoming messages for viruses and other malware threats, such as ransomware, before sending them through to the Exchange Server for further distribution to users. GFI OneConnect also uses RBLs, Bayesian analysis, SPF and other advanced technologies to filter out up to 99% of spam messages before they even reach users' inboxes.

And on top of this, if for any reason your on-premise Exchange Server goes down, you can turn on the Continuity mode with a click of a button, and GFI OneConnect will send and receive all emails until you restore availability of your existing email server. Once your Exchange Server is back on, all sent and received emails will be synced, and end users won’t experience any email downtime or lost messages.


TTTM: Since it is still in beta phase, when can we expect the final version of GFI OneConnect?

Joe: We have launched this public beta so that our customers can evaluate it and see for themselves that we’ve created a powerful and versatile product which brings a very specific value to them. We expect the final version to become available in early 2017, when we will announce all product details, including pricing. The product will be available as service, and we plan to add an archiving feature in future releases.

Since this is a Beta release, we expect that users may encounter bugs or missing features, so we would be very thankful for any user insights or reports on bugs. To report any issues you’ve noticed while using GFI OneConnect Beta, we kindly ask users to file a bug report at http://feedback.gfi.com so we can look into it before the final release.

– – –

So, it seems like the best is yet to come, but in the meantime, if you’re interested in the features and benefits that GFI OneConnect has to offer, you can find more information about the product and download and install a fully functional 30-day trial of the beta version at www.gfi.com/oneconnect



GFI Blog

BlackBerry and mobile security firm Zimperium have announced that Zimperium's zIPS threat protection system now integrates with BlackBerry EMM, which comprises the Good Technology and BES12 enterprise mobility management (EMM) systems.

Because EMMs do not generally include protection against malware and hacker threats, users typically require a separate threat protection system to run with the mobility management system.

Following BlackBerry's purchase of Good Technology and WatchDox, "This is part of a continuing drive for us to provide a complete security solution for the mobile ecosphere," BlackBerry's CSO David Kleidermacher told SecurityWeek. "We do not believe that enterprises should have to shop around for bits and pieces of the solution, but should be able to come to a single supplier for a complete integrated solution."

zIPS is a behavioral analysis system. "We look at three areas," said John Michelsen, Zimperium's Chief Product Officer: "the device, the network, and the applications that run on the device." zIPS continuously monitors for aberrant behavior. "We're checking to see if there has been any exploitation or device tampering; whether there is a network attack in progress such as a man-in-the-middle attack or problems with SSL; or whether there is any malicious activity from any of the apps."

The process is 99% about behavior. "We're the only vendor in mobile," claimed Michelsen, "that had already discovered, had already detected, every fundamental device exploit -- whether it came over Safari payload in iOS, like Trident/Pegasus did; or whether it was StageFright, which was exploited by a maliciously crafted multi-media file sent to an Android device; or malicious apps that download and detonate on the device -- we are the only software that could detect every one of those before they were identified and disclosed."

But being able to detect malicious behavior does not in itself protect against that behavior. Consider ransomware -- detecting the encryption process and determining it is malicious is not enough; the process needs to be stopped immediately. While zIPS itself is primarily behavioral analysis, "There are a number of things we can do on the device immediately," said Michelsen. "We have a cloud-based configuration system called zConsole." It provides security teams with visibility across all devices; and it is where the admin defines what he wants zIPS to do in the event of bad behavior. 

"In many cases," he continued, "we have the ability to do lots of good things without any help from third party software. But it's not complete -- especially in the enterprise context." Here the enterprise will have sensitive data on the users' phones, including company information, company apps and company connectivity. Depending on what activity zIPS detects, the enterprise might for example want to remove the user's entitlement to SharePoint because the hacker could use the phone to read the entire SharePoint repository that the user is able to access. 

"So one of the things the enterprise will want to do that we cannot do ourselves is remove that entitlement. That's why," he added, "we integrate with the EMMs like BlackBerry, and why we integrate to ecosystems like Good. Good gives us the integration between the zIPS app and the Good Technology platform that allows us to trigger remediation immediately in the Good ecosystem."

zIPS has support for all of the major EMMs. The primary ones, said Michelsen, "are BES, AirWatch, Citrix and MobileIron -- with Microsoft improving." The advantage of working with BlackBerry is the market range it covers. "Good itself is not a management system per se," he added: "it's a containerization system." This is particularly attractive to companies that get privacy push back from staff -- Good co-exists on the user's device rather than takes over the management of that device. BES is more of an EMM. Customers, however, can have Good or BES; or both -- and zIPS integrates with whichever configuration.

Gartner recently rated BlackBerry as a top EMM solution currently available. If BlackBerry without zIPS was good, BlackBerry with zIPS is even stronger.


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.



SecurityWeek RSS Feed

If you’re a member of my generation living in the U.S., you may remember the Bubble Boy. His story grabbed the national consciousness and was made into a TV movie featuring John Travolta. It was a sad tale of how a boy with a severe immune deficiency was forced to live his life inside a plastic bubble to protect him from pathogens. A single breach of that perimeter could end his life.

Patching the Bubble

In a way, an organization that relies on perimeter controls for critical data protection is in a similar sensitive situation. It can be easy for attackers to breach barriers using stolen credentials or via SQL injection. On top of that, organizations need to stay competitive by having data flow through traditional boundaries, such as to the cloud and through mobile applications.

Data needs to break free of barriers so that your organization can thrive, but it must have a strong security immune system to protect it every step of the way. Data protection is not a single silver bullet; it relies on an ecosystem of security disciplines along with collaboration and expertise.

Health Care Industry Struggles With Data Protection

Vendors are often so focused on showing off product capabilities that they forget there are really compelling security issues to be solved. Their job is to bring the pieces together and show the art of the possible.

The problem of a weak security immune system really hit home for me after my health care data was breached twice in the past year. Sure, I was angry, but beyond that, I wanted to demonstrate that there is a better way to protect data and that all organizations can do better.

Out of this experience was born a real-life demonstration that we built on the cloud. To me, it’s much more effective than PowerPoint slides in demonstrating a more robust approach to data protection that leverages an integrated, layered approach to security.

Whether you work in health care or not, we can all relate to getting medical treatment — that’s where our story begins. In my upcoming tech talk, you will see how attacks occur and how a security immune system can help you detect and prevent loss of your valuable data.

The Story of Gullible Janet


The demo starts with Janet Stevens, patient intake coordinator at Pretty Good Health — a fictional health company, of course — who is on a break from her emergency room duties. Here’s Janet:

Janet notices an email in her inbox from a Facebook friend. She opens it and sees a photo of an adorable King Charles puppy for sale, just the kind she’s been looking to buy. She double clicks on the link, and that’s where the trouble begins. She’s been spear phished!


Breaking the Attack Chain

In the demo, you’ll see how this attack and the resulting data breach could have been prevented or mitigated at a number of points in the attack chain, culminating in an integrated incident response. Like Janet, you can learn from this experience to avoid having your bubble popped.

To see the demo and to learn more about the technology behind the scenes, join me for the Guardium Tech Talk titled, “Behind the Scenes of the Security Immune System Demo: Guardium Integration Architecture” on Sept. 22, 2016.



Security Intelligence

Mistakes made in the implementation of proxy authentication in a variety of operating systems and applications have resulted in security vulnerabilities that allow MitM attackers to effectively hijack HTTPS sessions, security researcher Jerry Decime has discovered.


It has been confirmed that the flaw – dubbed FalseCONNECT – affects products by Apple, Microsoft, Opera and Oracle. Lenovo says that their products are not vulnerable, but other vendors who have been notified of the flaw’s existence are yet to comment on this issue.

“Web browsers and operating systems making a HTTPS request via a proxy server are vulnerable to man-in-the-middle (MITM) attacks against HTTP CONNECT requests and proxy response messages. HTTP CONNECT requests are made in clear text over HTTP, meaning an attacker in the position to modify proxy traffic may force the use of 407 Proxy Authentication Required responses to phish for credentials,” Carnegie Mellon University’s CERT/CC has explained.

“WebKit-based clients are vulnerable to additional vectors due to the fact that HTML markup and JavaScript are rendered by the client Document Object Model (DOM) in the context of the originally requested HTTPS domain.”

Decime set up a dedicated website to share technical details about the flaw and how it affects various products, and has started with Apple’s iOS and OS X. The vulnerability impacts WebKit, so any iOS or OS X application that uses WebKit when using proxies is also vulnerable (iTunes, Google Drive, Safari, etc.).

He says that all users that use proxies – with or without their knowledge – may be impacted by this vulnerability. This includes users whose company requires the use of proxies to connect to the Internet.

“Are you a government employee or police officer? Many government agencies and corporations utilize proxies for network optimization and as a layer of protection for their users. You might not even know you’re vulnerable if you’ve installed a proxy auto configuration (PAC) file from a WiFi hotspot or have employer controlled device management software on your iPhone, iPad, Android device, Chromebook, Mac, or PC which configures a proxy for you,” he noted, adding that Windows users are likely also affected as Microsoft enabled automatic proxy configuration by default.

“Are you a human rights, political, or privacy advocate, or someone who chose to use a VPN provider in conjunction with a privacy proxy for that added bit of safety? You might be impacted,” he also pointed out.

“Your secure communications could have been intercepted or tampered with by anyone exploiting this vulnerability via a WiFi evil-twin network or OpenLTE based cellular communications interception solution. Nation state actors with access to Stingray devices and nation level networking gateways could have exploited the FalseCONNECT vulnerabilities.”

Exploitation of the flaws requires the attacker to already hold a MitM position on the network the targeted users are on. The really bad news is that most, if not all, victims won't notice the attack, since, as far as they can see, there is no indication that the connection isn't secure.

Until more vendors come up with fixes (Apple already has), users are advised to avoid using proxy-configured clients while connected to untrusted networks, and to disable proxy configuration settings if they don’t need them.
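To make the CERT/CC description concrete, here is an added example written for this page (it is not Decime's or CERT/CC's code) that parses a proxy CONNECT exchange and flags the two conditions the advisory describes: a 407 challenge that asks for Basic credentials over the cleartext proxy hop, and an HTML body riding on that 407 that a WebKit client would render in the context of the requested HTTPS origin. The sample request and responses are constructed; the hostname, realm and credentials are placeholders, and the finding names are this example's own.

```python
import base64
from dataclasses import dataclass, field


@dataclass
class HttpHead:
    start_line: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def parse_http(raw: bytes) -> HttpHead:
    """Split a raw HTTP/1.x message into start line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpHead(lines[0], headers, body)


def audit_connect_exchange(request: bytes, response: bytes) -> list:
    """Return findings for one CONNECT request / proxy response pair."""
    req, resp = parse_http(request), parse_http(response)
    if req.start_line.split(" ")[0] != "CONNECT":
        return ["not-a-connect-request"]
    status = int(resp.start_line.split(" ")[1])
    if status == 200:
        return ["tunnel-established"]
    findings = []
    if status == 407:
        scheme = resp.headers.get("proxy-authenticate", "").split(" ", 1)[0].lower()
        if scheme == "basic":
            # The CONNECT hop is plaintext, so a Basic answer exposes the password
            # to whoever injected the challenge.
            findings.append("cleartext-basic-challenge")
        elif scheme:
            findings.append(f"challenge-{scheme}")
        if resp.headers.get("content-type", "").startswith("text/html") and resp.body:
            # WebKit renders this body in the origin of the requested HTTPS host.
            findings.append("active-content-in-407")
    else:
        findings.append(f"unexpected-status-{status}")
    return findings


def extract_basic_credentials(request: bytes):
    """Recover user and password from a Proxy-Authorization: Basic header,
    i.e. what a MitM on the cleartext hop sees when the client retries."""
    value = parse_http(request).headers.get("proxy-authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# Constructed sample traffic (placeholders, not captured data).
CONNECT_REQ = (b"CONNECT mail.example.com:443 HTTP/1.1\r\n"
               b"Host: mail.example.com:443\r\n\r\n")
TUNNEL_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
PHISH_BODY = b"<html><body><form>Proxy session expired, sign in again</form></body></html>"
INJECTED_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                b'Proxy-Authenticate: Basic realm="Corporate Proxy"\r\n'
                b"Content-Type: text/html\r\n"
                + b"Content-Length: %d\r\n\r\n" % len(PHISH_BODY)
                + PHISH_BODY)
RETRY_REQ = (b"CONNECT mail.example.com:443 HTTP/1.1\r\n"
             b"Host: mail.example.com:443\r\n"
             b"Proxy-Authorization: Basic " + base64.b64encode(b"jdoe:hunter2")
             + b"\r\n\r\n")

if __name__ == "__main__":
    print(audit_connect_exchange(CONNECT_REQ, TUNNEL_OK))
    print(audit_connect_exchange(CONNECT_REQ, INJECTED_407))
    print(extract_basic_credentials(RETRY_REQ))
```

Run against a proxy log or a capture, the same checks separate a legitimate proxy's 407 (a challenge with no HTML body, ideally over a TLS-protected proxy connection) from the injected one the advisory warns about; the credential extractor is the attacker's view of the retry and is included to show why a Basic challenge on a plaintext hop is the real problem.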


Help Net Security

A cybersecurity company claims to have developed a ransomware vaccine that can protect enterprises. How does this ransomware vaccine work, and do you think it has merit?

Ransomware is malware that prevents users from accessing their computers or files. Some prevent access to the operating system, others encrypt files or stop certain apps from running. Once a system has been infected, a lock screen appears, and to regain access the victim has to pay a ransom or perform a task such as completing a survey. Ransomware spreads through phishing campaigns, malicious links in emails and downloads, and is a problem for both consumers and enterprises, as many attacks are delivered by mass random emails. It occupies the number two spot of top malware varieties within crimeware in Verizon's 2016 Data Breach Investigations Report.

To try to prevent ransomware from encrypting a user's files, should they fall victim to a phishing email or malicious attachment, Bitdefender Labs has released a free Crypto-Ransomware Vaccine tool aimed at blocking the encryption process of certain strains of ransomware. It works by making the ransomware think that the device has already been infected.

To encourage victims to pay up, an attacker has to "gain a reputation" for decrypting files once the ransom has been paid. Things can get awkward if the ransomware keeps encrypting already encrypted files, so most ransomware runs checks to ensure that already infected devices are not attacked again. By making minor system modifications, the Bitdefender tool can make a device appear as if it's already infected to prevent the current variants of CTB-Locker, Locky and TeslaCrypt from trying to hold the user to ransom.

While this is a commendable attempt to tackle the growing problem of ransomware, the ransomware vaccine only works against certain ransomware families and won't work indefinitely, as malware writers will quickly update their code to circumvent this trick. For example, an earlier tool designed to prevent the CryptoWall ransomware from encrypting files no longer works, as those behind CryptoWall have changed the way it operates. Even if the Bitdefender tool is updated whenever a new variant of ransomware evades the existing ransomware vaccine, it should only be viewed as a short-term solution. System administrators are unlikely to want yet another app to test, deploy and constantly update, particularly as a ransomware vaccine only provides a short period of protection and relies on arbitrary changes to the Windows registry.

Instead, administrators should focus their efforts on other areas of security. A well-tested and thorough backup policy is the most reliable method for recovering infected systems. Backups should be stored offline because many ransomware variants will try to encrypt data on connected network shares and removable drives. Security awareness training programs should cover the latest tricks attackers are using to spread their malware, while antivirus and web filtering software should be kept right up-to-date. As the delivery of most ransomware payloads takes advantage of known vulnerabilities rather than using a zero-day exploit, keeping operating systems patched and up-to-date should prevent many attacks from succeeding. Finally, ensuring users only have minimum privileges will limit the ransomware's access to the device's resources.


This was first published in August 2016


SearchSecurity: Security Wire Daily News

The Linux kernel is at the heart of the Android OS, and with that in mind, Google has detailed a number of Android security improvements that defend the kernel.

Jeff Vander Stoep, software engineer for the Android security team at Google, organized the improvements made into two categories -- memory protections and attack surface reduction.

"Android relies heavily on the Linux kernel for enforcement of its security model. One of the major security features provided by the kernel is memory protection for userspace processes in the form of address space separation," Vander Stoep wrote in a blog post. "Unlike userspace processes, the kernel's various tasks live within one address space and a vulnerability anywhere in the kernel can potentially impact unrelated portions of the system's memory. Kernel memory protections are designed to maintain the integrity of the kernel in spite of vulnerabilities."

Alex Cox, senior researcher for the FirstWatch team at RSA Security, the security division of EMC, told SearchSecurity "memory protection is the most important protection on the list" of improvements released by Google.

"Control of the contents of system memory is often the route to an OS takeover, so these protections will pay dividends as new attack vectors and vulnerabilities are discovered," Cox said. "Reducing the attack surface is also important, but memory protection is a critical security mechanism when it comes to protecting any system."

Vander Stoep detailed features which set restrictive read-only or no-execute page access permissions on each segment of kernel memory, prevent the kernel from accessing userspace memory and protect against stack buffer overflows.

According to Chris Fearon, research director for Black Duck Open Source Security Research, these features will improve Android security by mitigating an attack vector where hardware drivers are allowed to execute in kernel memory.

"Tried and tested userspace memory protection techniques are now being applied to the kernel. This prevents rogue processes being able to read and modify other core data in use by the Android operating system," Fearon told SearchSecurity via email. "Kernel memory segments can now be marked as read-only or no execute. This prevents rogue processes from overwriting protected areas of memory and executing malicious code in them."

For attack surface reduction features, Vander Stoep described how certain system calls and access to the kernel would be restricted or blocked completely.

"Attack surface reduction attempts to expose fewer entry points to the kernel without breaking legitimate functionality," Vander Stoep wrote. "Reducing attack surface can include removing code, removing access to entry points, or selectively exposing features."

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said these new restrictions should help improve Android security, but it is too early to tell if other attack surfaces will arise.

"Restricting applications from accessing ioctl commands should also prevent vulnerabilities in drivers from being exploited to execute arbitrary code within the context of the kernel. The addition of Seccomp and restricting ioctl commands are two security features that should prevent a wide range of attacks that deal with kernel privilege escalation," Arsene told SearchSecurity. "Trying to run malicious apps with elevated privileges is usually an attacker's goal and while the new security mechanism should hinder some of their abilities, other attack surfaces will surely be exploited."



SearchSecurity: Security Wire Daily News