Back from Vegas and feeling good

Once again I made the annual pilgrimage to Las Vegas for BlackHat and Decfon.  As expected it was another great week spent attending interesting talks and hanging out with some of my favorite people…doesn’t get much better than that.  My last day in Vegas somehow got me roped into a fitness challenge, sadly I can’t use alcohol as an excuse.  My buddy Ward decided we should have a little competition to see who can get in better shape for BlackHat 2011.  I’m not one to back away from a challenge so it’s on!  This is going to spread into more of an open challenge for all, but my goal is really just to beat Ward.  Good luck buddy, you are going to need it.

I really wanted to get this post out last night but for various reasons it didn’t happen.  Since a day late is better than nothing, here it goes.  Yesterday Kaspersky announced that the First SMS Trojan for Android has been found in the wild.  Usually this is not something that I would blog about, sms for profit on a mobile device is nothing new.  What I think stands out though is how much easier Android makes this type of attack.  There are very little controls in place to prevent users from installing anything they want, good or bad.  This is kind of the point of Android but I see it as a flaw in the current implementation.  I decided to re-tweet this announcement from Kaspersky and it raised some questions over why I and the security industry make a big deal out of these things.  I get where that attitude comes from, really I do.  From a technical standpoint it isn’t impressive, new, or surprising.  In Vegas, between BlackHat and Defcon, there were a lot of sessions related to Android, so it is expected that there would be malware out there.  However; from a general awareness standpoint, I think it is a valid story.  So why do I think it is valid from an awareness standpoint if it is expected?  Expected by a security or tech guy is different than expected by the masses.  My non techie friends have no idea this kind of stuff is possible unless I tell them or they see it on the news.  Taking that up a notch, I often have discussions about security risks with CxO folks who after the explanation ask “Has it happened?” They want real life examples.  I can talk until I am blue in the face about something that was demonstrated onstage at Defcon or in my lab, but until it happens to someone in the real world and it gets press, it is as if it can’t/won’t happen.  Mobile devices are still looked at simply as cell phones by many, but they are much more.

Now, I’ll admit that this is not something people should freak out about and vendors are going to milk this to try and profit (what else is new).  As I mentioned before, malware for a phone that allows someone to initiate SMS messages and profit from it isn’t new.  As an individual the worst that can happen is you get a big bill and then have the hassle of disputing the charges.  You would probably call Verizon and tell them you didn’t send those text messages they would work something out and you would not pay the full amount.  Now if the malware was smart, it would only initiate a few messages per month and hide on the phone, therefore not raising the eyebrows of most users.  Would you notice a few extra dollars on your personal mobile account or family plan?  What about companies that have corporate plans for employee phones?  They have hundreds if not thousands of phones.  The likelihood of a few premium text messages being caught is low.  I know that at our small company with less than 100 mobile lines that are paid for by the company the finance department would never notice an extra $5-$10 per line each month. It was pointed out that premium SMS isn’t really bad like giving away company secrets, so why are we talking so much about it.

My argument to that is the SMS vector is the quick hit for profit and just the tip of the iceberg.  It takes much less effort by an attacker to write code that will send a text and instantly make money than to invest the time to write much more complicated spy software, grab the data, look for company secrets, and then try to profit from it (more risk too).  That doesn’t mean it can’t be done right, it just isn’t being done yet.  There are a few companies selling this type of spy software today (Flexispy, MobiStealth, and Mobile-Spy to name a few), so it exists.  It requires you to have access to the phone as after installing the application you need to activate and configure it but it will log location data, sms messages, email messages, call logs (some record actual calls).  Sure, turning that into a piece of malware that self activates and configures is more work but I don’t think it is far off.

Make no mistake, I do not think installing an agent from Kaspersky, McAfee, Sophos, Symantec etc. is the answer.  It isn’t the answer on desktops and it will not be the answer on Android and other mobile devices.  We need to treat these mobile devices more like a computer and less like a phone.  A lot of the same protections we use on the laptop/desktop side should carry over, for example:

1.  Better protection for users.  That may take away some of the functionality but have a user mode and admin mode.  Just as you don’t need to run everything as root, users don’t need complete admin access to their mobile device at all times.
2.  Better controls for corporate IT departments.  Allow them to push policies for what can be installed and what can be accessed on the device.
3.  More user awareness is needed.  Many Android users do not understand that the device is really a mini computer that allows them to text and place calls.  They look at it like a cell phone with cool features.  They need to change how they think of the device.

Interested to hear what others think.


*** This is a Security Bloggers Network syndicated blog from Techdulla authored by Dan. Read the original post at: