The Summer I Knew Was Coming

This has been an interesting summer in the computing world. The first item that caught my attention was the hack of Jeep by some white hat hackers (http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ if you haven’t already seen it). When I first heard that Audi was allowing an Internet connection from their Audi A6 vehicle some time before the Jeep hack, my first reaction was “Now I have to find a firewall for my car???” I knew other manufacturers would follow and it would be the newest “neat” feature.

Talking about the above hack with a friend of mine who had just bought a new Chevy Impala, he said that he wasn’t concerned because the OnStar™ system wasn’t connected to any of the engine systems. A few days later I caught a news story about how OnStar slowed down a vehicle that had been carjacked so the police could capture the thief. Here’s a story on how the new technology works: http://www.geek.com/mobile/onstar-now-slows-down-stolen-vehicles-1373845/ . If the telematics unit can tell the engine to slow down, it is connected to the engine systems. So much for that theory.

A month or so later I was at CompTIA’s ChannelCon2015 event in Chicago and one of the session titles was “Refrigerators Telling Secrets: How the Internet of Things Will Change Privacy”. Of course I went to this session. Tim Hahn, a Distinguished Engineer at IBM, presented some of the basics of what his group was doing. Basically, he described the Internet of Things (IoT) as the same thing that process control machines have been doing for decades. The difference is that rather than the connections being wires running to a computer, the devices report to the control computer over the Internet. The biggest problem is that the people programming these devices are focused on solving the problem they have been handed rather than on the security problems they could be creating.

This is nothing new. We saw this with web browsers way back in the last century. One thing I learned early on in my software development career is that you never know what users will do with the code you write. They will find ways of using that code to do things you never thought about. So whatever you write, you need to give security the same priority that you give to fulfilling the task you are trying to accomplish.

So as an end-user what can you do? Do you really need a refrigerator to tell you that you need milk? Do you have to adjust the heat in your house from your office? But we know people will want the convenience and not care about the cost. How many of you don’t like that people know where you are all the time, but don’t turn off the GPS on your phone? What you need to do as a consumer is make yourself aware of what you are giving up and make an informed decision on what you feel comfortable with giving up.

Should We Trust Our Phones?

Recently I wrote about the number of malware apps for the Android operating system. It seems other people found that topic as interesting as I did. According to an article posted in Network World, HP found that 90% of Apple iOS mobile apps show security vulnerabilities. Reading this summary of the HP report in detail, the point HP makes is not that 90% of iOS apps are malware, but rather that “86% of the apps tested lacked the means to protect themselves from common exploits.”

As companies expand their IT presence into phone and tablet apps, the question of the security of those platforms needs to be answered. After spending the first 20 years of my career as an application developer, I understand the problem. The first thing you do as a developer is find a solution to the problem that is presented to you. The second to last thing you do (the last always being documentation, if you ever do it) is test your code for unexpected usages. And you never think of all of them. I remember being thanked by a user for writing a particular function a year or so after I had released the code. He told me what he was doing with what I had written and my response was “It does that?” The user was using what I had written to do one thing for something completely different and totally unexpected. What was more interesting is that it was working perfectly.

The problem, according to HP, is that adequate penetration testing is not done. This is probably because of the speed at which apps are being developed and released. Like any other client, mobile apps are at some point going to be connected back to the corporate servers. Then, like any other client, a compromised app talks to the server with the user’s credentials, and anything it sends, or any malware it carries, reaches the server side. The server can never assume the app in front of it is the one you shipped. As noted above, you never know what someone will do with something you wrote.

As an IT professional, you need to be aware of what the apps you recommend or develop do, and what they might do under malicious conditions. Although malware protection is a reactive science, you should be as proactive as possible when evaluating mobile apps.

Android on course for One Million Malware Apps

After taking some time off to attend to my real business, I have found some time to write again. The article that piqued my attention the most was a recent one from Fox Business News. The headline is “Cyber Hackers on Course for One Million Malware Apps”, and they are talking just about the Android operating system! According to the article, it took over a decade to reach that many malware applications on the “much” beleaguered Microsoft operating environments. However, do we hear a cry from the public about how bad the Google Android operating system is? Not really; we just hear sales numbers on how that OS is selling better than anyone else’s.

I can go on about the details in the article, but it is written in plain English and doesn’t need any technical translation. What I really want you to think about is how this affects your policy on Bring Your Own Device (BYOD). It is evident that the malicious software industry is turning its attention from the ever-hardening arena of the PC environment to the easy pastures of the mobile environment. Not to get too far into Google bashing, but it is evident that Google has not learned from the mistakes of its predecessors in the industry. I will not say they are ignoring the security of their customers’ data and money, but they are evidently not doing what is necessary to control the massive outbreak of malware in their OS environment. The excuse that they just create the OS and the associated patches, and that it is up to the licensees to distribute and implement those patches, is ludicrous. If Google wants to be recognized as a true software vendor for the business environment, it needs to step up to the responsibilities of a true software vendor. This means they have to reach out beyond the environment that they completely control and make sure that the people using their software are protected as much as is reasonably possible.

How Are You Most Likely to Get Attacked by Malware?

Recently the Microsoft Trustworthy Computing group released their Microsoft Security Intelligence Report covering the first half of 2012. It is interesting to look at where most malware comes from and what has been the most vulnerable software.

The most prevalent method of malware distribution, according to Microsoft, has been what they call “unsecure distribution chains.” Falling in this category are websites that distribute “free software”, both legal and illegal. Some of the popular software names listed by Microsoft as containing malware include:

  • keygen.exe
  • mini-KMS_Activator_v1.1_Office.2010.VL.ENG.exe
  • AutoCAD-2008-keygen.exe
  • SonyVegasPro Patch.exe
  • Nero Multimedia Suite 10 – Keygen.exe
  • Adobe.Photoshop.CS5.Extended.v12.0.Keymaker-EMBRACE.exe
  • Call.of.Duty.4.Modern.Warfare.Full-Rip.Skullptura.7z
  • Guitar Pro v6.0.7+Soundbanks+Keygen(Registered) [ kk ].rar

They also listed a number of movie named files that contained Malware, including:

  • The Avengers 2012 720p BDRip QEBS7 AAC20 MP4-FASM.avi
  • Prometheus 2012 DVDRip.avi
  • Wrath of the Titans 2012 DVDRip aXXo.avi
  • Battleship 2012 DVDRip.avi
  • What to Expect When You’re Expecting 2012.BRRip.XviD-KAZAN.avi
  • The Hunger Games 2012 TRUE FRENCH DVDRIP XViD FiCTiON L S79.avi
  • Sherlock.Holmes.2.A.Game.of.Shadows.2012.DVDRip.XviD-26K-0123.avi
  • The Five-Year Engagement 2012 HDRip XviD-HOPE.avi
  • Project X 2012 TRUE FRENCH DVDRIP XViD FiCTiON L S79.avi
  • Amazing SpiderMan 2012 DVDRiP XviD.avi
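The names in the two lists above are enough to build a first-pass triage rule for a download log: “keygen”, “keymaker”, “activator”, “KMS”, “patch” and “Full-Rip” are strong indicators on their own, and an executable that carries a media-style double extension (movie.avi.exe) is a classic disguise. The script below is an added example, not part of the Microsoft report or of this post; the scoring weights, the log line format and the sample log entries are my own constructed assumptions. Note what it cannot do: the movie files in the second list are plain .avi names, so a name-based rule scores them low. That gap is exactly why the first lesson at the end of this post is “be careful what you download”, not “check the file name”.

```python
import re
from dataclasses import dataclass, field

# Indicator words taken from the file names Microsoft listed. The lookarounds
# treat "-", "_", "+", "(" and digits as separators, so "mini-KMS_Activator"
# matches but "dispatch.zip" does not. Heuristic only (my assumption).
PIRACY_TERMS = re.compile(
    r"(?<![a-z])(keygen|keymaker|activator|crack|patch|full[-.]rip|kms)(?![a-z])",
    re.IGNORECASE,
)
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".msi"}
ARCHIVE_EXT = {".rar", ".zip", ".7z"}
MEDIA_EXT = {".avi", ".mp4", ".mkv", ".mp3"}


@dataclass
class Verdict:
    name: str
    risk: str                      # "high", "medium" or "low"
    reasons: list = field(default_factory=list)


def classify(filename: str) -> Verdict:
    """Score a single file name; thresholds are an assumption for this example."""
    base = filename.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    score, reasons = 0, []

    if PIRACY_TERMS.search(base):
        score += 2
        reasons.append("keygen/crack/activator indicator in name")
    if ext in EXEC_EXT:
        score += 1
        reasons.append(f"executable extension {ext}")
        # "movie.avi.exe": an executable dressed up as a media file
        if len(parts) > 2 and "." + parts[-2] in MEDIA_EXT:
            score += 3
            reasons.append("media-style double extension")
    if ext in ARCHIVE_EXT and reasons:
        score += 1                 # a keygen inside an archive still gets run
        reasons.append("archive that will be extracted and run")

    risk = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return Verdict(filename, risk, reasons)


# Constructed sample log (not real data): date time user=<name> download=<file>
SAMPLE_LOG = """\
2012-06-01 10:22:13 user=alice download=keygen.exe
2012-06-01 10:25:40 user=bob download=Prometheus 2012 DVDRip.avi
2012-06-01 11:02:07 user=carol download=The Avengers 2012 720p.avi.exe
2012-06-01 11:15:55 user=dave download=quarterly-report.pdf
2012-06-01 11:40:02 user=erin download=Guitar Pro v6.0.7+Soundbanks+Keygen(Registered) [ kk ].rar
"""
LOG_LINE = re.compile(r"^\S+ \S+ user=(\S+) download=(.+)$")


def triage_log(text: str):
    """Return (user, file, risk) for every log entry that is not low risk."""
    flagged = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        user, name = m.groups()
        verdict = classify(name)
        if verdict.risk != "low":
            flagged.append((user, name, verdict.risk))
    return flagged


if __name__ == "__main__":
    for user, name, risk in triage_log(SAMPLE_LOG):
        print(f"{risk:6} {user:6} {name}")
```

Running it flags alice, carol and erin and lets bob’s DVDRip.avi through untouched, which is the point of the caveat above: the rule catches the lazy disguises, and a real defence still needs a scanner, execution controls and a user who does not click.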

When looking at what got attacked by malware, the report breaks targets into three categories: core operating systems, browsers and applications. Most malware attacked applications, and core operating systems were attacked least. In the application category, Java and JavaScript were by far the most attacked, followed by Adobe Reader and Adobe Flash.

What was even more interesting is that when looking at how updates for these applications were being applied, over 50% of users were missing the latest updates. In the case of Java, over 90% of users did not have the latest updates installed.

Looking at infections by operating system, Windows XP had the highest percentage of infections at 9.5% of estimated installed computers while Windows 7 SP1 64-bit had the lowest at 3.1%.

So what should a user learn from this report?

  1. Be careful what you download. You may get more than you asked for.
  2. Install your updates. Not just the Microsoft ones; Java and Adobe are key.
  3. Run a current operating system. The newer the OS, the less likely you are to get infected. Remember, support for Windows XP ends April, 2014.