Obama Birth Certificate search results yield malware

It’s long been a tactic of ne’er-do-wells to capitalize on topical issues to deliver malware.  Today is no different.  Many of the “1st page” Google image results for “Obama Birth Certificate” led to pages with embedded exploits that take advantage of known browser and/or Java vulnerabilities.

When you think about it, this is a very effective mechanism for malware delivery.  In our post-physical-newspaper society, many get their news from online news sources.  Of those, some will consistently go to the same sites to get information; the rest will simply search for (dare I say Google) the specific piece of news they are looking for.

Malware authors are well aware of this and capitalize on it quite often.  While users may have become more cautious when looking at links in a typical Google search, they may not be as cautious when searching for images (as has occurred recently with the Charlie Sheen and Obama Birth Certificate searches).

So what can you do to help protect yourself in this ever changing malicious environment we call the Internet?

  1. As a “safe browsing technique” – try to use known, “reputable” news sites when you are looking for topical information.  I will concede that just because a news site is well known does not make it immune from being hacked or from delivering malware.  But the chances are much lower with those sites than with general unknown sites.
  2. Certainly use caution with all pop-ups that ask you to download, install, or run anything.  Also do not rely on the little red X to close those windows.  Chances are, it won’t do what you expect it to.  You are best off bringing up your system processes, killing off your browsing sessions, and starting over.
  3. Make sure your operating system and security applications are kept up to date.  If you stay current with your patches and keep your security protection suite updated, you have reduced the opportunity for any of the known exploits to actually work on your system.

Follow these precautionary steps and you could be “winning” too…

Does my cell phone have a virus?

Many users aren’t worried about viruses or malware on their cell phones.  However, most companies are.

To date, there isn’t any exploit-based malware for the major smartphone OSs (Android, Symbian, iPhone, Windows Mobile, Blackberry and… oh yeah.. Palm).  What this means is that, unlike the Windows operating system, there isn’t a piece of malware that has been written to take advantage of a weakness in the code or device which would allow an exploit to occur (at least not yet).

This means that all attacks on your cell phone require an action by the end user for them to work.  I think a lot of people are still hung up on this point, so I’m going to restate it.  I can take advantage of a web server exploit and place malware in an iframe.  When, from your PC, you simply browse to that site, you can become infected, assuming you don’t have an AV scanner or content filtering service that would protect you from the redirect and download.  In browsing the website, you have “done” something.

GREAT! Make sure everyone knows not to do anything to allow themselves to be compromised (or pwned)!

Rickrolled iPhone

If only it were that easy, right?

What we have is a combination of a social engineering problem and end user education/awareness.

In many aspects, all malware delivered via email, web, SMS, etc. has some element of social engineering to it.  The attacker either uses a compromised account on a friend’s device and sends messages to its contact list, making them appear to come from a trusted source, or falsifies the origin of the email to make it appear to come from a large trusted source (e.g. Microsoft.com).  Either way, they are trying not to raise any red flags and to get you to open the email, open the attachment, or follow the URL.

We try to mitigate this with device control policies and the above-mentioned user education/awareness.  By providing our users with examples and scenarios, we try to make sure they are as informed as possible so they don’t fall prey to these attacks.

I have written a list of best practices for cell phone use to help protect you and your information.  If you are interested in those recommendations, please check out my post on Cell Phone Security Best Practices – keeping your personal information personal.

Droid

But wait, there’s another big hole here!  These are smartphones.  It’s not about email, text, and phone anymore.  These things can have applications installed on them!

Yep.

And so we have the app stores.  Each major manufacturer has one for its respective OS (see list above).  What we have now is a channel by which a malicious person could deliver their application (aka malware) to your device.  What makes this more interesting is that you are willingly downloading and installing this application (aka malware).

These are supposed to be trusted channels.  Each manufacturer has a process by which they test and verify some aspects of the application before they sign the app and publish it to their respective store.  This may range from “does the app start?” and “does it crash my phone OS?” to “is it secure?”  We can’t really assume they are checking the security of its actions.

And why is that you ask?

Let me give you an example of a published application that you would very likely not want.  Let’s just call this app “Flex(insert a vowel here)spy”, and the vowel rhymes with the word try.  This company writes the application, submits it to an app store and says “This is a personal backup app.  It backs up your files, emails, contacts, etc. to a website for you”.  Sounds good.  The app store tests it and approves it for sale.  It was posted in the app store and sold for a period of time.  Until our good friends at F-Secure notified them: “um, you guys are selling an app that allows someone to spy on another user’s phone use”.  What????

What may have been presented to the app store as one thing was in practice quite something else.  The app could be deployed directly to the phone or just put onto a memory card and slipped inside a phone to be activated.  So if you wanted to track someone’s usage and get their info, all you needed was 30 seconds of access to their phone.  What’s even more interesting is that this is what the company’s website indicated you could do with the product.  If only the app testers had read it…

While not perfect, the app stores do provide a level of protection that should help keep users from putting malicious applications on their phones.  That is, until the users decide they need to “assert their freedoms” and jailbreak their devices so they can do things like install applications not reviewed by the manufacturer.  Are you jailbreakers still sure you’re in the right here?

Even the new and highly touted Droid has seen issues with developers posting “apps” to help you connect to your online banking site.  Seriously though, when I want to connect to Citibank, do I need an app from 09Droid that costs $.99 to do so?

Mobile Device Management

Where does that leave us?

  1. Have policies for your device
  2. Use management applications for the device to enforce those policy settings
  3. Educate your users

This should look remarkably like any policy for managing a PC.  Well, it is.  Let’s take the approach that, as smartphones continue to mature and gain functionality, they will be under attack as much as (if not more than) our PCs.  Since we have the perspective of having dealt with PC security issues, let’s try to stay in front of the smartphone security issues.

How do I really know this is you?

The recent OWA (Outlook Web Access) themed spam/crimeware reinforces what has been known for some time.  Criminals continue to get better and better at what they do. (http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html)

What it also reinforces is that it’s not just about keeping up.

Through tiers of systematic scans and filters, we have managed to block an inordinate amount of spam and crimeware.  By using signatures, heuristics, dictionaries, and external reputation scoring, you can dramatically reduce the amount of spam received.  Through these mechanisms we now only deal with a single-digit percentage of the total emails received at the gateway.

The next step in this battle has relied on the education of end users.  Given how fast the spam/malware/crimeware landscape changes, it’s a difficult prospect to expect end users to dissect each email with a keen technological and investigative eye.  Though I will admit, this has been the common practice to help fight that which makes it through all your technical controls.

In the case of this OWA-themed spam, the emails look remarkably like the OWA system and sound professional enough to be legitimate.  It’s very easy for end users to discern spam when the wording of the email is similar to this:

“Good news dear, It is my pleasure to inform you that the latest development regarding the news from the New president of the United State of America to release all your fund through bank of america without any further delay.” (http://www.scambusters.org/scamlanguage.html)

However, when the images are done well, the wording is grammatically correct, and the emails are appropriately targeted, this can be a difficult task.

While this may be considered a tactical approach to combating these issues, I have a suggestion that can help fight this battle:

Provide your end users with a validation that internal emails are authentic.

By utilizing certificates to digitally sign your email communications, you provide your end users with:

  1. Message integrity (content is reliable)
  2. Origin validation (this came from a known trusted source)

In the case of the OWA spam, users would note that the message is not digitally signed by their trusted source.  So they don’t have to worry about discerning if the wording is correct, mousing over links to see if they are legitimate URLs, etc.
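As an added example (not code from the original post), here is a small Go model of those two properties: a constructed company CA issues a signing certificate bound to the sender’s address, the mail client signs the headers and body, and the recipient accepts a message only when the signature verifies under a certificate that chains to that CA.  The CA name and the helpdesk@example.com address are hypothetical, and the CMS/S/MIME wrapping a real mail client would use is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl signed by key; with parent == nil it is self-signed.
func issue(tmpl, parent *x509.Certificate, key ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, key = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// NewOrg builds a constructed company CA (hypothetical) plus one user certificate bound to from; returns root pool, user cert, user key.
func NewOrg(from string) (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Internal Mail CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true}, nil, nil)
	leaf, key := issue(&x509.Certificate{SerialNumber: big.NewInt(2), EmailAddresses: []string{from}, NotBefore: nb,
		NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, leaf, key
}

// canon is the byte string the signature covers: the From and Subject headers plus the body.
func canon(from, subject, body string) []byte { return []byte("From: " + from + "\r\nSubject: " + subject + "\r\n\r\n" + body) }

// Sign is the sender side: the mail client signs the canonical message with the user's key.
func Sign(key ed25519.PrivateKey, from, subject, body string) []byte { return ed25519.Sign(key, canon(from, subject, body)) }

// Verify is the recipient side: accept only if the certificate chains to the company CA, is an
// email certificate issued for the From address, and the signature covers exactly this message.
func Verify(roots *x509.CertPool, cert *x509.Certificate, from, subject, body string, sig []byte) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil || len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != from {
		return false // untrusted issuer, expired, wrong usage, or certificate not bound to the claimed sender
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, canon(from, subject, body), sig) // false for a tampered body or header, or a forged/missing signature
}
```

A message with a forged From header and no signature, or one signed under a certificate from an outside CA, fails the same check a tampered body does, which is exactly the cue the user needs.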

This approach will help your organization communicate two messages to your end users.  One, the message you are sending in the email communications, and two, the concern and support for reliable, trusted communications between the company and the user base.  Utilize your education and awareness campaigns to inform users of the point of digitally signed communications, and hope that the application of the technology finds its way into other applications.  If you have an external certificate store, there is an excellent opportunity to use this to communicate with your customer base as well.