<?xml version="1.0" encoding="utf-8"?> 
<?xml-stylesheet type="text/css" href="http://www.enterprise-security-today.com/share/rssstyle.css"?>
<rss version="2.0">

  <channel>
    <title>Enterprise Security Today</title>
    <link>http://www.enterprise-security-today.com</link>
    <description>Tech News by Enterprise Security Today (http://www.enterprise-security-today.com).</description>
    <language>en-us</language>
    <copyright>Copyright &#169; 2012 Enterprise Security Today, Inc.</copyright>
    <managingEditor>editorial@enterprise-security-today.com</managingEditor>
    <webMaster>webmaster@enterprise-security-today.com</webMaster>
    <pubDate>Mon, 06 Feb 2012 20:16:29 -0500</pubDate>
    <lastBuildDate>Mon, 06 Feb 2012 20:16:29 -0500</lastBuildDate>
    <category>Enterprise Security Today News</category>
    <generator>Enterprise Security Today</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <ttl>5</ttl>
    <image>
      <url>http://images.enterprise-security-today.com/images/rss-logo-newsfactor-white.gif</url>
      <title>Enterprise Security Today</title>
      <link>http://www.enterprise-security-today.com</link>
    </image>
  <item>
    <title>Google&#039;s Bouncer Searches for Misbehaving Android Apps</title>
    <description>Looking to bolster confidence in the security of its fast-growing market for mobile applications, Google is posting a bouncer at the door.
&lt;p&gt;
The service analyzes new applications in the Android Market as well as those already posted, and even developer accounts, looking for known malware, spyware and trojans.
&lt;p&gt;
Google's Bouncer also looks for &quot;behaviors that indicate an application might be misbehaving,&quot; according to a post on Google's mobile blog Thursday announcing the service.
&lt;p&gt;
The service develops a baseline of previously analyzed apps and compares it with new ones for signs of trouble.
&lt;p&gt;
&quot;We actually run every application on Google's cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior,&quot; writes Hiroshi Lockheimer, vice president of engineering for Google's Android division.
&lt;p&gt;
&lt;subhead&gt;
And Stay Out!
&lt;/subhead&gt;
&lt;p&gt;
Bouncer will also scrutinize new developer accounts to make sure those who are tossed as repeat offenders do not come back.
&lt;p&gt;
Bouncer works in addition to existing Android tools such as sandboxing, which builds virtual walls between applications and other software on the device so malware can't access data; permissions, which scrutinizes the capabilities of apps to help users make decisions; and malware removal tools that can remotely scrub intruders from a phone or tablet.
&lt;p&gt;
Still, the Android Market's growth -- it topped 11 billion downloads -- has made it a top source of malware. Juniper Networks in November announced that its Global Threat Center believes the easy process for posting apps led to a 472 percent increase in malware samples since the previous July. 
&lt;p&gt;
&quot;These days, it seems all you need is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications,&quot; wrote Juniper on its threat center blog. Lack of sufficient screening means poorly defined, unscreened apps will only be removed if malware is reported or detected by...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=82041</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=82041</guid>
    <pubDate>Fri, 03 Feb 2012 12:01:42 -0500</pubDate>
  </item>

  <item>
    <title>Hackers: We Intercepted FBI, Scotland Yard Call</title>
    <description>A sensitive conference call between the FBI and Scotland Yard was recorded by the very people they were trying to catch, the hacking group known as Anonymous claimed Friday.
&lt;p&gt;
The group released a roughly 15-minute-long recording of what appears to be a Jan. 17 conference call devoted to tracking and prosecuting members of the loose-knit hacking group.
&lt;p&gt;
The recording's authenticity could not immediately be verified, and it's not clear how the hackers got their hands on it. It appears to have been edited to bleep out the names of some of the suspects being discussed.
&lt;p&gt;
Anonymous also published an email purportedly sent by an FBI agent which gave details and a password for accessing the call.
&lt;p&gt;
&quot;The FBI might be curious how we're able to continuously read their internal comms for some time now,&quot; the group gloated in a message posted to Twitter.
&lt;p&gt;
Calls to law enforcement officials on both sides of the Atlantic were not immediately returned.
&lt;p&gt;
Amid the material published by Anonymous was a message purportedly sent by an FBI agent to international law enforcement agencies. It invites his foreign counterparts to join the call to &quot;discuss the on-going investigations related to Anonymous ... and other associated splinter groups.&quot; The email contained a phone number and password for accessing the call.
&lt;p&gt;
The email is addressed to officials in the U.K., Ireland, the Netherlands, Sweden and France, but only American and British officials can be heard on the recording.
&lt;p&gt;
Emails to the FBI agent and others coded in on the call were not immediately returned, but the discussion itself appears sensitive. Those on the call talk about what legal strategy to pursue in the cases of Ryan Cleary and Jake Davis -- two British suspects linked to Anonymous -- and discuss details of the evidence gathered against other suspects.
&lt;p&gt;
Karen Todner, a lawyer for Cleary, said that the...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=82035</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=82035</guid>
    <pubDate>Mon, 06 Feb 2012 08:50:06 -0500</pubDate>
  </item>

  <item>
    <title>EU Probes New Google Privacy Policy</title>
    <description>The European Union's data protection authorities have asked Google to delay the rollout of its new privacy policy until they have verified that it doesn't break the bloc's data protection laws.
&lt;p&gt;
Google publicized its new privacy rules -- which regulate how the Web giant uses the enormous amounts of personal data it collects through its search engine, email and other services -- with much fanfare last week.
&lt;p&gt;
Since then, it has launched a huge publicity campaign informing its users around the globe of the new policy, which is set to come into force on March 1.
&lt;p&gt;
But that launch date may now be under threat.
&lt;p&gt;
In a letter to Google Chief Executive Larry Page, Jacob Kohnstamm, the chairman of the group of 27 national privacy regulators in the EU, said the French data protection agency has launched an investigation into the new rules and how they will affect Google users in the EU.
&lt;p&gt;
&quot;We call for a pause (in the rollout of the new rules) in the interests of ensuring that there can be no misunderstanding about Google's commitments to information rights of their users and EU citizens, until we have completed our analysis,&quot; Kohnstamm wrote in the letter, which was sent Thursday and published on Friday.
&lt;p&gt;
Google's search engine has a market share of more than 90 percent in the EU, with rival services like Microsoft's Bing gaining little traction. The EU's competition authorities are already examining whether Google uses this dominance to stop other search engines from entering the market.
&lt;p&gt;
Google said in a statement that it had briefed data protection agencies before making its new policy announcement and that none of them had had substantial concerns at the time.
&lt;p&gt;
&quot;Delaying the policy would cause significant confusion,&quot; it said in the e-mailed note.
&lt;p&gt;
In its descriptions of the new privacy policy, Google says its main aim is...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=82034</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=82034</guid>
    <pubDate>Mon, 06 Feb 2012 08:53:21 -0500</pubDate>
  </item>

  <item>
    <title>New Malware Attacks Target Online Banking</title>
    <description>Computer criminals have found a way to hack their way past the latest generation of online banking security techniques, British researchers say.
&lt;p&gt;
In the scheme, account holders are tricked by an offer of training in a new &quot;upgraded security system&quot; after being logged into the bank's real site, after which money is moved out of their account but evidence of the theft is invisible to the user, the BBC reported Thursday.
&lt;p&gt;
The scam involves what has been dubbed the Man in the Browser attack, or MitB, where the malware the user has been tricked into downloading lives in their Web browser and can get between the user and the bank Web site, altering what is seen and changing details of what is being entered.
&lt;p&gt;
Some versions of the MitB will change payment details and amounts and can also change on-screen balances to hide its activities, experts said.
&lt;p&gt;
&quot;The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking,&quot; said Daniel Brett of malware testing lab S21sec.
&lt;p&gt;
Every time a new update to the malware is released, it takes security companies a number of weeks to learn how to spot it, he said.
&lt;p&gt;
Online banking fraud losses totaled $27 million in the first six months of 2011, a Financial Fraud Action U.K. spokesman said.
&lt;p&gt;
But banks are taking action against such scams, FFA's Mark Bowerman said.
&lt;p&gt;
&quot;We've got intelligent fraud detection software, and it's used to seeing how you operate your online bank account.
&lt;p&gt;
&quot;Any deviations from the norm and the software is going to pick it up -- that may be the type of transaction you've made or the amount,&quot; he said.</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=82031</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=82031</guid>
    <pubDate>Mon, 06 Feb 2012 08:48:54 -0500</pubDate>
  </item>

  <item>
    <title>Mozilla&#039;s Firefox 10 Targets Businesses, Developers</title>
    <description>Mozilla has unleashed a new Firefox 10 browser that marks the organization's first implementation of a new schedule that will give businesses and their vendors enough time to certify each new Firefox release while maintaining a high level of Web security.  
&lt;p&gt;
Many enterprises, SMBs, academic institutions and government agencies have found it difficult to deploy Firefox to their users in a managed environment. To address their concerns, Firefox 10 will be Mozilla's first extended support release, or ESR. 
&lt;p&gt;
Though future ESRs for business environments will occur at 42-week intervals, enterprises and other organizations will continue to receive security updates in the interim -- but without Mozilla making any other changes to the Web or its Firefox add-ons platform.
&lt;p&gt;
The new ESR schedule is key for enterprise adoption, said Al Hilwa, director of applications software development at IDC.
&lt;p&gt;
&quot;Mozilla does not have a big base of enterprise customers at this point, but does have a few who have found rapid, forced updates a problem,&quot; Hilwa said in an e-mail Thursday. &quot;This should help these customers and also potentially win over others.&quot; 
&lt;p&gt;
&lt;subhead&gt;
Keeping Developers in the Fold
&lt;/subhead&gt;
&lt;p&gt;
Thursday's release of Firefox 10 comes at a time when the upward trend for Google's Chrome browser on desktop PCs and laptops has come to a halt, according to Net Applications. The bad news for Mozilla is that Internet Explorer's market share rose 1.1 percent last month to 53 percent, while Firefox slipped one percentage point to 20.9 percent. Google's Chrome declined 0.17 percent to 18.9 percent of the browser market.
&lt;p&gt;
Going forward, however, Mozilla will be able to distinguish itself by offering &quot;a more customized browser that supports a broader range of operating systems -- and one that can help enterprises protect their privacy,&quot; Hilwa said. &quot;I think this is a win for Mozilla, which stands to...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=82026</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=82026</guid>
    <pubDate>Thu, 02 Feb 2012 14:15:28 -0500</pubDate>
  </item>

  <item>
    <title>IBM Rolls Out Endpoint Manager for Mobile Devices</title>
    <description>IBM just got into the mobile management game. Big Blue rolled out software based on its 2010 BigFix acquisition that helps organizations manage and secure smartphones and tablets in the workplace while also managing laptops, desktops and servers.
&lt;p&gt;
Dubbed IBM Endpoint Manager for Mobile Devices, the new offering lets companies use a single solution to manage Apple iOS, Google Android, Nokia Symbian, and Microsoft Windows Mobile and Windows Phone devices. The software also adds a layer of security to combat the escalating threats from the bring your own device, or BYOD, trend.
&lt;p&gt;
&quot;If you plant yourself in the data center and think about all the data and applications around you, somehow it has to all get pushed out so that people can use it on PCs, laptops, servers or elsewhere,&quot; said Bob Sutor, vice president of IBM Mobile Platform. &quot;Many of the things you have to do in terms of provisioning applications, updating operating systems, and knowing what version is running, is very consistent with what's going on with mobile.&quot;
&lt;p&gt;
&lt;subhead&gt;
A Mobile Uprising
&lt;/subhead&gt;
&lt;p&gt;
It's consistent -- and it's happening on a grand scale. IDC expects the mobile workforce to reach more than 1.19 billion by 2013, putting new pressures on enterprises to connect personal smartphones and tablets to corporate networks and provide employee access to business data on them. 
&lt;p&gt;
At the end of 2011, almost half of mobile devices used in the workplace were employee owned, according to IDC. This BYOD trend raises additional concerns about managing security risks. Mobile exploits doubled in 2011 from 2010, according to the IBM X-Force Mid-Year Trend and Risk Report.
&lt;p&gt;
&quot;Let's say that you discover that there is an incredible security flaw in some app. How can I push out an update to 100,000 employees?&quot; Sutor asked. &quot;What happens if you lose your phone? Remotely you need to either...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=81992</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=81992</guid>
    <pubDate>Wed, 01 Feb 2012 11:22:45 -0500</pubDate>
  </item>

  <item>
    <title>HELIOS WebShare UB2 Eases Access, Collaboration</title>
    <description>HELIOS Software GmbH, a leading developer of cross-platform file, print, image, proofing, remote collaboration, and PDF server software, announced major new features to its server-based HELIOS WebShare UB2 remote access, managed file transfer, and collaboration software. WebShare UB2 makes it simple to add secure remote file access to any file server.&lt;br /&gt;
&lt;br /&gt;
&lt;subhead&gt;
INDUSTRIAL STRENGTH FILE MANAGEMENT&lt;br /&gt;
&lt;/subhead&gt;
&lt;br /&gt;
HELIOS WebShare UB2 facilitates enterprise-wide document collaboration, enabling easy yet secure remote access to server files via any web browser, from Mac, Windows, Linux, or mobile devices. &lt;br /&gt;
&lt;br /&gt;
The new Gallery view presents scalable previews of images, and multi-page PDFs and Microsoft Office files within the web browser. Even Japanese, Chinese, and Cyrillic documents can be previewed without the need to have specific character sets installed on a local computer. &lt;br /&gt;
&lt;br /&gt;
Also new to WebShare UB2 is the Apple Spotlight compatible search system, allowing users to quickly find server files by file name, text content, and meta data. &lt;br /&gt;
&lt;br /&gt;
&lt;subhead&gt;
TAKES THE WORK OUT OF REMOTE COLLABORATION&lt;br /&gt;
&lt;/subhead&gt;
&lt;br /&gt;
The WebShare Manager component enables automatic two-way remote synchronization of files, with customizable synchronization plans. Mac, Windows, and UNIX/Linux users can easily drag &amp; drop project files from the web browser or local workstation into the WebShare Manager window to enable synchronization of files between the remote WebShare server and the local workstation. Even automatic file versioning can be enabled.&lt;br /&gt;
&lt;br /&gt;
WebShare Manager lets teams quickly find and use files scattered in various locations on a file server without the need to move or collect those files into a single folder. This project oriented approach speeds the remote collaboration process, reducing the work required to a few mouse clicks.&lt;br /&gt;
&lt;br /&gt;
WebShare Manager also offers a Resume Transfer capability that supports resumption of interrupted uploads, to ensure high file synchronization reliability even for low...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=81991</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=81991</guid>
    <pubDate>Wed, 01 Feb 2012 07:38:18 -0500</pubDate>
  </item>

  <item>
    <title>E-Mail Providers Unite To Fight Spam and Phishing</title>
    <description>Companies will soon have a new weapon in the ongoing war against phishing and spam. On Monday, a group of leading e-mail and technology companies announced a proposed new standard to make it more difficult for fraudulent and other unwanted e-mail to get through.
&lt;p&gt;
The companies have formed DMARC.org, a technical working group based in San Jose, California. DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, builds on a year-and-a-half of collaborative effort that has created a draft specification.
&lt;p&gt;
&lt;subhead&gt;
Authenticated Messages
&lt;/subhead&gt;
&lt;p&gt;
Participating e-mail providers include AOL, Gmail, Hotmail, and Yahoo. Other members include Bank of America, Fidelity Investments, PayPal, Facebook, LinkedIn, Cloudmark, eCert, and Return Path.
&lt;p&gt;
The organization noted that e-mail systems currently lack a reliable way to tell if an e-mail sender uses standards like Sender Policy Framework, or SPF, and DomainKeys Identified Mail, or DKIM, to authenticate messages. As a result, the group noted that &quot;complex and imperfect measures to separate legitimate unauthenticated messages&quot; from fraudulent messages are currently used.
&lt;p&gt;
SPF and DKIM were created more than 10 years ago to help authenticate an e-mail sender's identity. But full implementation of those authentication technologies has been hampered by several factors. DMARC does not directly determine if an e-mail is fraudulent, but whether it aligns to the fraud detection configuration -- such as SPF or DKIM -- or not. It is designed to replace the ADSP, or Author Domain Signing Practices, an optional extension to DKIM.
&lt;p&gt;
&lt;subhead&gt;
Pioneered by PayPal
&lt;/subhead&gt;
&lt;p&gt;
DMARC intends to provide a more comprehensive and integrated way to integrate authentication technologies into e-mail systems. Once data and input from the field have been gathered, DMARC.org will submit its revised spec to the Internet Engineering Task Force for acceptance as a standard.
&lt;p&gt;
Under DMARC's approach, a sender can show that their e-mails are protected by SPF or DKIM, and it informs the receiver the...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=81961</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=81961</guid>
    <pubDate>Mon, 30 Jan 2012 11:06:03 -0500</pubDate>
  </item>

  <item>
    <title>Facebook, Washington State Target Online Spam</title>
    <description>Facebook is partnering with the U.S. state of Washington to combat a type of spam called &quot;clickjacking&quot; that is plaguing the social networking site, company and state officials announced Thursday.
&lt;p&gt;
Two separate lawsuits were filed in federal courts in California and Washington state against Delaware-based Adscend Media LLC, which officials say is behind the spamming.
&lt;p&gt;
&quot;The way we think about it, security is an arms race,&quot; Facebook's general counsel, Ted Ullyot, said alongside Washington state Attorney General Rob McKenna at the social media company's Seattle offices. &quot;It's important to stay ahead of spammers and scammers.&quot;
&lt;p&gt;
In &quot;clickjacking,&quot; links on Facebook promising shocking or salacious videos have code embedded in them that spreads the link to the user's page. That makes it seem like the user &quot;liked&quot; the link, with the aim of attracting more clicks from the user's friends. The links eventually lead users to a survey or information from an advertiser.
&lt;p&gt;
Adscend Media is spreading spam through misleading and deceptive tactics and has encouraged others to do the same, McKenna's office said.
&lt;p&gt;
An email inquiry sent to Adscend was not immediately returned, and an attorney for the company had not yet been listed in federal court records.
&lt;p&gt;
Social networking sites are popular targets for spammers because people are more likely to trust and share content that comes from people they know. This makes spam, scams and viruses easy to spread.
&lt;p&gt;
Still, Facebook says less than 4 percent of content shared on the site is spam. By comparison, about 74 percent of email is spam, according to security company Symantec Corp., though the bulk of it gets filtered out before reaching someone's inbox.
&lt;p&gt;
Facebook has more than 800 million users.
&lt;p&gt;
Named in Washington state's lawsuit are Adscend co-owners Jeremy Bash, of West Virginia, and Fehzan Ali, of Texas. The lawsuit says Adscend violated several state laws, as well as...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=81940</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=81940</guid>
    <pubDate>Mon, 30 Jan 2012 09:35:43 -0500</pubDate>
  </item>

  <item>
    <title>U.S. Cybersecurity Efforts Trigger Privacy Concerns</title>
    <description>The federal government's plan to expand computer security protections into critical parts of private industry is raising concerns that the move will threaten Americans' civil liberties.
&lt;p&gt;
In a report for release Friday, The Constitution Project warns that as the Obama administration partners more with the energy, financial, communications and health care industries to monitor and protect networks, sensitive personal information of people who work for or communicate with those companies could be improperly or inadvertently disclosed.
&lt;p&gt;
While the government may have good intentions, it &quot;runs the risk of establishing a program akin to wiretapping all network users' communications,&quot; the nonpartisan legal think tank says. The Associated Press obtained a copy of the report in advance.
&lt;p&gt;
Cybersecurity has become a rapidly expanding priority for the government as federal agencies, private companies and everyday people come under persistent and increasingly sophisticated computer attacks. The threat is diverse, ranging from computer hackers going after banking and financial accounts to terrorists or other nations breaching government networks to steal sensitive data or sabotage critical systems such as the electrical grid, nuclear plants or Wall Street.
&lt;p&gt;
Privacy has been a hotly debated issue, particularly as the Pentagon broadens its pilot program to help defense contractors protect their networks and systems. Several companies, including critical jet fighter and drone programs, have been attacked, although the Pentagon has said that no classified information was lost.
&lt;p&gt;
And there are plans for the Homeland Security Department to use the defense program as a model to prevent hackers and hostile nations from breaching critical infrastructure. Officials have suggested that Congress needs to craft legislation that would protect companies from certain privacy and other laws in order to share information with the government for cybersecurity purposes.
&lt;p&gt;
DHS spokesman Matt Chandler said the legislative proposals reflect the administration's commitment to privacy protections and contain standards to minimize contact...</description>
    <link>http://www.enterprise-security-today.com/story.xhtml?story_id=81934</link>
    <guid isPermaLink="false">http://www.enterprise-security-today.com/story.xhtml?story_id=81934</guid>
    <pubDate>Mon, 30 Jan 2012 09:52:47 -0500</pubDate>
  </item>
</channel></rss>
