
Rootkit Developed For Upcoming Hacking Conference Shows Android’s Weakness

June 4th, 2010 Jeff Orloff No comments

Norton’s Smartphone Security couldn’t have been released at a better time. Recently Trustwave, a Chicago based data security company, released information about a rootkit program they have written for Android phones that proves smartphones are not immune to malicious software.

Although the rootkit will be presented in greater detail at the upcoming Defcon hacking conference in Las Vegas, the researchers who created this piece of malware did offer some specifics on how it works and what it is capable of.

Christian Papathanasiou, one of the security consultants who worked on the program for Trustwave, said, “You call the phone, the phone doesn’t ring, and when the phone realizes that it’s being called by an attacker’s phone number, it sends him back a shell [program].”

This rootkit runs as a module in Android’s Linux kernel, giving the attacker the highest level of access to the phone, known as “root” access. “Once someone gets root, the game is essentially up,” said Rich Cannings, Android’s security leader.

With root access, the attacker can pull data from the victim’s phone, track the victim, reroute the browser to malicious websites, or even reroute calls. By coupling the rootkit with other malicious software, the possibilities for attack are endless.

Potential Dangers

Rootkits, often mistakenly thought to provide access, actually hide the malicious program from security software by covering up the tracks of its activity.

But Google is aware of the problem. “What we do is prevent people from getting full control of the kernel,” said Cannings.

Through application sandboxing, Android keeps programs from gaining access to other parts of the device. So if malware is installed on an Android phone, the sandboxing feature should prevent it from gaining control of other applications – including the operating system and kernel. Once the kernel is compromised, as it is in this case, other malware can be built on top of the rootkit. Not only will the malware have access to the kernel, but it will also have the ability to do its damage stealthily.

What Happens Next?

Will Trustwave be able to build additional malicious programs and use the rootkit as a way to deliver a payload of malware to an Android? Will malicious apps start showing up in the Android market? What does the future hold for mobile privacy?

These are good questions, especially since it has already been proven that a well written malicious program can sneak its way into Apple’s iPhone App Store: Nicolas Seriot demonstrated a proof of concept app called SpyPhone that made its way past the strict controls of the App Store and could steal private data from an iPhone user.

Luckily, Google seems to get it when it comes to the possibility of malware on a smartphone. In addressing Trustwave’s research, Cannings commented:

“I think that it helps show that these mobile operating systems are extremely powerful. They’re just as powerful as your desktop computer.”

It will be interesting to see what further research is done using this malware. Protecting our mobile phones may soon become a high priority as more and more people are investing in them. What are your thoughts on your mobile security? Are you concerned about malware on your mobile?


Apple Drops The Ball, Norton Comes Up With An iPhone Solution

June 2nd, 2010 Jeff Orloff No comments

Reading over the Apple discussion forums I came across a post from a concerned iPhone user whose phone was exhibiting behaviour that resembled the malware infections they had seen on different PCs running Windows, behaviour that was symptomatic “of 3 well documented viruses/worms on unlocked iPhones”.

The response to these concerns was somewhat depressing, albeit common whenever the discussion comes up regarding any Apple product and malware:

“There are no viruses that affect or infect OS X which has been available for 10 years now, and the iPhone runs an optimized version of OS X.

Nothing can be installed on an iPhone from a received email, from a received MMS, or from a website except for a photo which can be done manually only, and I haven’t read any reports about malware much less a virus being included with a JPEG file even with that Swiss cheese for security OS that is Windows.

There have been reports about malware (not a virus, which is different from malware) being included with unofficial software downloaded from unknown and untrusted sources which requires a hacked/jailbroken iPhone. A carrier locked iPhone can be hacked/jailbroken to unlock it unofficially, or just to install unofficial software from unknown and untrusted sources.

If you haven’t hacked/jailbroken your iPhone, your iPhone doesn’t have any malware and certainly doesn’t have a virus which is different since there are no viruses that affect or infect OS X on a Mac or on an iPhone.”1

The possible malware infection risk to jailbroken iPhones has been well documented by Apple and others, but so many forget that just a few months ago Nicolas Seriot showed how an app that had been approved by iTunes and downloaded through the App Store could easily compromise the owner’s private data using nothing more than the API officially sanctioned by Apple.

In the real world, we call applications that do this malware, plain and simple.

The common counterpoint to this argument is that there is no malware in the wild that can infect the iPhone OS, which is built on OS X. But as Seriot pointed out, while Apple’s strict controls can keep a lot of the bad out, they certainly can’t keep everything out forever. Give it time and we will start to see malware written for the iPhone, because that is where the data/money is.

Norton’s Answer

Symantec seems to be getting an early jump on Smartphone security with their release of Norton Smartphone Security that will be available for smartphones running Android 1.0. The Android version of Smartphone Security works much like the Symbian counterpart. The main focus of the application is to protect user data from being compromised should the phone be lost or stolen. With a simple text message, the user of the missing phone can wipe all data off the phone to protect it from prying eyes. Additionally, it locks up a stolen phone even if the SIM card is removed so the device becomes worthless to anyone who doesn’t know how to unlock it.

What is most impressive about Norton’s Smartphone Security, and the two operating systems that run it, is the fact that they address the need to prevent mobile malware threats. Norton claims that Smartphone Security on both the Symbian and Android operating systems:

  • Detects and removes threats and forbidden files without affecting your mobile device’s performance
  • Scans all the files and app updates you download to your mobile device for threats

With so many new threats, like ClickJacking and malvertising, and traditional vulnerabilities, such as SQL Injection and Cross-Site Scripting, it is a relief to see Symbian and Google making an effort to address the need to protect their users. As a happy, and dedicated iPhone user, I hope that Apple follows suit in the near future.

1. NB – This response is not that of an Apple employee but of a registered user on the Apple discussion forum.


A Recap of Facebook Privacy Changes and What the Latest Chapter Teaches Us

May 24th, 2010 Jeff Orloff No comments

Facebook’s privacy gaffes have created a great deal of fodder for news sites and blogs over the past few years, but being called out on a constant basis seemed to have little impact on the way they handle their users’ private data. The timeline below shows the evolution of Facebook’s privacy policies over the past five years:

  • 2005 - No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings.
  • 2006 - We understand you may not want everyone in the world to have the information you share on Facebook; that is why we give you control of your information. Our default privacy settings limit the information displayed in your profile to your school, your specified local area, and other reasonable community limitations that we tell you about.
  • 2007 - Profile information you submit to Facebook will be available to users of Facebook who belong to at least one of the networks you allow to access the information through your privacy settings (e.g., school, geography, friends of friends). Your name, school name, and profile picture thumbnail will be available in search results across the Facebook network unless you alter your privacy settings.

2009 brought a plethora of changes:

  • Nov. 2009 - Facebook is designed to make it easy for you to share your information with anyone you want. You decide how much information you feel comfortable sharing on Facebook and you control how it is distributed through your privacy settings. You should review the default privacy settings and change them if necessary to reflect your preferences. You should also consider your settings whenever you share information…Information set to “everyone” is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations. The default privacy setting for certain types of information you post on Facebook is set to “everyone.” You can review and change the default settings in your privacy settings.
  • Dec. 2009 - Certain categories of information such as your name, profile photo, list of friends, and pages you are a fan of, gender, geographic region, and networks you belong to are considered publicly available to everyone, including Facebook-enhanced applications, and therefore do not have privacy settings. You can, however, limit the ability of others to find this information through search using your search privacy settings.
  • Apr. 2010 - When you connect with an application or website it will have access to General Information about you. The term General Information includes you and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. … The default privacy setting for certain types of information you post on Facebook is set to “everyone.” … Because it takes two to connect, your privacy settings only control who can see the connection on your profile page. If you are uncomfortable with the connection being publicly available, you should consider removing (or not making) the connection.1

When you look at these changes in succession, it is easy to see how in the beginning data wasn’t to be shared. So the millions who signed up were pretty confident that Facebook would not regard their personal data as a commodity. The same cannot be said of the excerpt from the April 2010 Terms of Service.

The Latest Turn

Just last Sunday, Mark Zuckerberg sent a letter to Robert Scoble stating:

“We’ve been listening to all the feedback and have been trying to distill it down to the key things we need to improve. I’d like to show an improved product rather than just talk about things we might do…I know we’ve made a bunch of mistakes, but my hope at the end of this is that the service ends up in a better place and that people understand that our intentions are in the right place and we respond to the feedback from the people we serve.”

Not to speculate, but I would imagine that the response to the feedback from the people is Facebook’s reaction to recent movements encouraging people to quit Facebook as a result of their changes to privacy policies and other issues dealing with users’ personal data. Led by the likes of Cory Doctorow, Leo Laporte, Peter Rojas, and Matt Cutts, users began to search for How to Delete My Facebook Account and other similar instructions in droves.

The Aftermath

Just last week CT Moore started up a great debate on the Facebook privacy issue with his post Facebook Isn’t Evil, We’re Just Naïve with points being made that Facebook is in the business of selling data and if we are uncomfortable with that then it is on us, as the user, to deal with it.

When all is said and done, the protection of our personal data is our responsibility. If we feel that Farmville and Mafia Wars are worth the tradeoff of exposing this data to the world, then we cannot complain when we become unhappy with the ramifications.

By this point in time, it seems that the lessons have been learned. On behalf of the users, if you trust companies with your private information know what they plan on doing with it. If they insist on changing this halfway through the game, then read the new Terms of Service to see if you are OK with them. Don’t just accept them because you have to hurry up and water your crops.

To companies who feel that they can show blatant disregard for information held dear to their user base – you may want to think twice about what you say and do, because the threat of losing 60 percent of your users may not be worth the quick buck you can make through deception.


Dasient Proclaims Its Technology As Malvertising Cure

May 22nd, 2010 Jeff Orloff No comments

Back in April, I wrote a piece about Yahoo’s RightMedia Manager being the number one distributor of malvertising. Despite the attention malvertising gained from delivering malicious ads on large web sites like The New York Times, TechCrunch, Gizmodo, WhitePages.com, and the Drudge Report, this type of cyber criminal activity still permeates the Internet.

How Malvertising Works

The misconception about malware is that if the user doesn’t download and execute the malicious file, they have nothing to worry about. Back in the early nineties this was the case, but as Internet technologies have advanced, so have the attack methods used by cyber criminals. Using a technique called a drive-by download, attackers are able to infect a user’s computer without them doing anything except view the infected web page in their browser. And as recent malvertising attacks have shown, some of these infected pages are among the most trusted, and most visited, sites on the web.

Troubling Statistics

To tackle the growing problem of malvertising, Dasient Inc. came up with a new solution designed to help publishers and advertising networks monitor and remediate malicious advertising attacks. Dasient’s Anti-Malvertising Solution uses a telemetry system that detects and monitors these attacks through a behavior-based system. By tracking these events, Dasient was able to determine the following about malvertising attacks:

  • 59% of malvertising attacks are drive-by downloads
  • 41% of these attacks are from scareware installed on the victim’s computer that advertise fake anti-virus solutions
  • An average of 1.3 million malicious ads are viewed every day
  • The average lifespan of a malicious ad is 7.3 days
  • Users are twice as likely to be infected on a weekend as on a weekday

Ramifications

Dr. Neil Daswani, one of Dasient’s three co-founders and current Chief Technology Officer, stated:

“with malvertising attacks, not only are users at risk, but publishers, ad networks and website owners also feel the pain – their websites can be potentially blacklisted, and they suffer brand loss and reputation damage, resulting in lost customers and increased technical support costs.”

So far, Dasient’s Anti Malware Solution is the only automated tool that actively scans advertisements and offers protection against this type of attack. But there is money to be made from malvertising. Not just by cyber criminals though. As these attacks continue to cause publishers and ad networks problems, it is only a matter of time before more security companies offer solutions to this problem.


Is Facebook Or Google The Lesser Of Two Evils?

May 18th, 2010 Jeff Orloff No comments

Google made recent headlines when they announced that while cruising around different neighborhoods to collect photographs for Street View, they had inadvertently collected private information from various Wi-Fi networks that were unencrypted. Like their previous step into hot water with privacy advocates when they published a bit too much Buzz information, Google was quick to respond to questions raised by the data protection authority in Hamburg, Germany.

In their quest to provide better location based services, they had actually captured, and stored, payload data from various WiFi networks. Payload data is the actual packets of information being sent across a network: data like credit card numbers, online orders, emails, and just about anything else that travels across a wireless network.

As it turns out, back in 2007 a piece of code written for an experimental WiFi project was included in the software used by the Street View cars. So for three years, Google had been, presumably unknowingly, collecting payload data from unsecured networks.

Response

So they weren’t so quick to realize their privacy gaffe. After all, it took them three years to realize that they were spying on people. In their defense, however, Google did immediately take steps to rectify the situation. Thus far they have:

  • Requested a code review for the software in question to be completed by a third party
  • Requested that the same third party confirm that any data collected inadvertently is deleted
  • Completed an internal review of their procedures to avoid similar problems in the future
  • Stopped the Street View cars from collecting WiFi network data altogether

Basically what Google did can be equated to a nosy friend peeking at your bank statement that you left out on the dining room table in plain view. Sure the case can be made that you were stupid for leaving it out in plain view, but all the same, it’s your house (network) and your private stuff. Shame on your friend for poking around even if that was not their intention.

The Facebook Comparison

So I have been picking on Facebook recently. But as a result of all the pressure from the blogosphere and other negative press, Facebook decided to discuss how users’ private information is handled by the company.

But there are distinct differences in what Facebook has done over the years and Google’s recent mistake. Google is in the awkward position of getting caught peeping. Although the case can be made that payload data can be used in location based advertising, Google has claimed that this is not what they were after. Although there have been past incidents, the public is often quick to forgive Google. They aren’t arrogant about their mistakes and their philanthropic work helps support their “Do no evil” claim. They give us an “Aw shucks” and we forgive.

Facebook, on the other hand, drops the privacy ball in an entirely different way. They are the neighbor who goes through your trash and finds out every bit of juicy gossip they can. With this information in hand they turn to fellow neighbors spreading their treasures around hoping for something in return. When confronted, they are full of excuses but next trash day there they are, rooting around for something even better.

Yet, whether we buy Google’s claims of innocence or we admonish Facebook’s arrogance, we will return to both because lack of privacy is what we have come to expect in this day and age.


Facebook Acts Like Users No Longer Care About Privacy

May 7th, 2010 Jeff Orloff No comments

For some reason, Facebook can’t seem to keep out of the news when it comes to privacy issues. Unlike recent issues, the latest event comes from a software glitch rather than a poor policy choice.

This month, capping a long string of recent security and privacy blunders, Facebook allowed users to see the private chats their friends were engaged in. Another glitch allowed users to view the pending requests of their friends. In their defense, Facebook staff immediately brought down the chat feature and fixed the bugs to prevent any additional information leakage, and things were back to normal within a few hours.

Noble as their efforts to fix this latest privacy breach were, Facebook has earned quite a reputation for being completely carefree in regards to their users’ privacy. This is evident from CEO Mark Zuckerberg’s statement in a January interview with Mashable, where he stated that users no longer care about privacy.

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that’s evolved over time.”


There are two issues I find contradictory in this quote. As I see it, the first addresses the social norm. Yes, we are much freer with sharing information nowadays. We use tools like Facebook and Twitter to tell people what we are doing all day long and it’s quite normal to find out that an old friend from high school is on their third cup of coffee and ready to freak out with the guy in the next cubicle. People share information like that all day on social sites because it is harmless banter among people we generally know and trust. It is a norm because it represents normal conversation among friends.

What isn’t normal is allowing anyone with Google to find out who my friends are, where I went to school, my favorite sports teams, the names of my children, etc.

The second part of Zuckerberg’s statement that needs to be evaluated is his use of the word “people”. He claims that people have become more comfortable sharing information, and this much is true. But just because someone shares it with others online doesn’t make it okay for Facebook, or any other social networking service, to feel they have carte blanche to distribute that information publicly.

Just because I tell my friends online that my family is going on vacation next week doesn’t mean I want Facebook to tell everyone. If I make the decision to share it with a few people it does not give someone else the right to make it public information. Period. As far as I am concerned, end of argument.

Ultimately Zuckerberg’s statement is simply wrong. Watchdog groups and Congress are putting corporations like Facebook to task on how information their users share online is handled for a reason. If people truly do not care about privacy anymore there would have been no outcry when suddenly their private chats were shown publicly; instead users would have mistaken it as another anomaly in the constantly shifting bipolar landscape of Facebook’s UI.


No About Face for Privacy

April 24th, 2010 Jeff Orloff No comments

Facebook has taken quite a bit of heat over privacy concerns lately. Back in November of 2009 it was found that a Flash vulnerability could allow an attacker to steal all of a user’s personal information. Before that, users protested en masse to the Terms of Use change that allowed the social networking site to do whatever they wanted with any content hosted on the network, including photographs and comments. And who could forget the controversy that followed concerns when Facebook’s content, or should I say their users’ content, was opened to the search engines. This week Facebook’s f8 developers conference proved to be no exception.

As we all know, Facebook’s reaction to all of these, and other privacy concerns, has been well received. Whenever something that threatens user privacy is exposed, Facebook is quick to respond and patch things up. However admirable their reactions are to these issues, the latest security issue that was uncovered shows that Facebook is not overly proactive when it comes to protecting against security exploits.

Session Hijacking

Session hijacking refers to a practice that attackers use to gain access to a valid session so that they can take control of information or services linked to that computer session. By controlling what is called a session ID, the attacker can masquerade as the legitimate user and has access to anything that the user has rights to. For instance, if a Facebook user were to fall victim to this sort of attack, the bad guy would have free rein over all the information in their account – simple as that.

The Latest Concern

In a proof-of-concept attack, security engineer Joey Tyson was able to build a harmless looking web site external to Facebook where he inserted an inline frame, or iFrame, that was small enough to be invisible to the visitor/victim. The frame actually loaded the login page to Facebook but because it was invisible, the victim had no idea that this was happening.

Now, the way the exploit worked is that, using certain parameters, the malicious page created by Tyson would be able to target any third-party apps that the victim had allowed access to their Facebook page. In his demonstration, Farmville was used because of its popularity, but the same could have been done with any of the many apps that users allow to connect to their account. Piggybacking on the credentials used by the authorized application, the attacker would then have hijacked an authorized Facebook session for the victim – without the victim’s knowledge.
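The defence against the invisible iframe described above is for the framed page (here, a login page) to tell the browser who may embed it. The following JavaScript is an added example, not code from the original post or from Facebook: it models how a browser decides whether a page may be rendered inside a frame from its X-Frame-Options and Content-Security-Policy frame-ancestors headers, and shows that with no such header the hidden frame loads, while the login page’s own headers block it. All URLs are constructed placeholders.

```javascript
'use strict';

// Added example (not from the original post): a small model of the browser
// rule for embedding a page in an <iframe>, driven by the page's
// X-Frame-Options and CSP frame-ancestors response headers.
// All URLs used below are constructed placeholders.

// Headers a login page should send so that no other site can load it in a
// hidden frame.
function antiFramingHeaders() {
  return {
    'x-frame-options': 'DENY',
    'content-security-policy': "frame-ancestors 'none'",
  };
}

// Does one frame-ancestors source expression match the framing (parent)
// page? `page` and `parent` are WHATWG URL objects.
function matchSource(src, page, parent) {
  if (src.startsWith("'")) {
    // Keyword sources: 'self' allows the page's own origin; 'none' (or any
    // unrecognised keyword) allows nothing.
    return src.toLowerCase() === "'self'" && page.origin === parent.origin;
  }
  const s = src.toLowerCase();
  if (s === '*') return true;
  // Scheme-source such as "https:" matches any host using that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s;
  // Host-source: [scheme://]host[:port]; host may start with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && parent.protocol !== scheme + ':') return false;
  const phost = parent.hostname;
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".example.com": a real subdomain is required
    if (!phost.endsWith(suffix) || phost.length <= suffix.length) return false;
  } else if (phost !== host) {
    return false;
  }
  if (port && port !== '*') {
    const pport = parent.port || (parent.protocol === 'https:' ? '443' : '80');
    if (pport !== port) return false;
  }
  return true;
}

// Returns true if a browser would render `pageUrl`, served with `headers`
// (lower-case header names), inside a frame on `parentUrl`.
function framingAllowed(headers, pageUrl, parentUrl) {
  const page = new URL(pageUrl);
  const parent = new URL(parentUrl);
  // A frame-ancestors directive, when present, takes precedence over
  // X-Frame-Options.
  const csp = headers['content-security-policy'] || '';
  const directive = csp.split(';').map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    // An empty source list matches nothing, so framing is blocked.
    return sources.some((src) => matchSource(src, page, parent));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return page.origin === parent.origin;
  // No anti-framing header at all: any site, including an attacker's page,
  // may embed the login page invisibly, which is the scenario described above.
  return true;
}

// Stand-alone demonstration with constructed URLs.
const loginPage = 'https://login.example.com/';
const attackerPage = 'https://attacker.example.net/';
console.log('no headers   ->', framingAllowed({}, loginPage, attackerPage));
console.log('anti-framing ->', framingAllowed(antiFramingHeaders(), loginPage, attackerPage));
```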

Proactivity

As usual, Facebook was quick to correct the errors that allowed this exploit and Tyson even stated in his blog that:

I commend Facebook for responding quickly to this issue and for being open to white-hat security reports. But in my opinion, this vulnerability is simply the latest reminder that the Facebook Platform can open users to many problems quite separate from the security of Facebook itself. I personally think that aspects of the Platform’s implementation fail to match user expectations of privacy, as I’ve discussed previously. And while this particular problem may be solved, vulnerabilities in specific applications and the nature of application access continue to put private data at risk of unwanted disclosure.

Seeing vulnerabilities in web applications on a daily basis, I have to agree with Tyson 100 percent. So many applications are built with grand expectations of usability, interactivity, and profitability while at the same time ignoring vulnerabilities. The latest find by Tyson hammers this point home. The security team at Facebook is certainly some of the brightest minds in the business so why was this not caught in a code review?

In most applications, security is an afterthought. It is viewed as something that can be fixed in subsequent patches and versions. Users suffer, but they still come back to see what’s been posted on their wall and how many people liked their last comment. Until the lackadaisical attitude towards security and privacy changes in the minds of the application users, it certainly won’t change in the attitude of the developers.

Side note:

As I was writing this post, Facebook announced that they are taking steps to help users better understand what actions to take if they are harassed, bullied, a witness to illegal or terrorist activities, or if their account has been compromised. While this information does not help prevent someone from becoming a victim on the Facebook network, it does show users where they can find help. Interestingly enough, during f8’s wrap-up session Chris Cox did not focus on privacy in the roadmap he laid out. It seems that privacy will remain an afterthought.


Publisher Beware is Lesson From Right Media’s Malvertising Incident

April 2nd, 2010 Jeff Orloff No comments

Recently, Avast Anti-Virus released a report claiming that Yahoo’s Right Media YieldManager is the leading distributor of “malvertising”: malware that exploits holes in the web applications used to deliver web ads from the big ad delivery platforms. Yahoo! is not alone; malware was also found to be served by Fox Audience Network’s Fimserve.com, Google’s Double Click, and MySpace.

Visitors to sites like The New York Times, The Drudge Report, TechCrunch, and many others found their computers infected with a trojan that looks for vulnerabilities in Java, QuickTime, and multiple Adobe products. Even security savvy surfers were not protected as computers were infected once the ad loaded, not when the ad was clicked.

Once the dust settled, the finger pointing began. According to a CNET interview with Avast researcher Jiri Sejtko, the malware is a JavaScript Trojan that targets the Windows operating system. Sejtko said that of the ad networks impacted by the Trojan, dubbed JS:Prontexi, only Double Click took proactive measures against it.

“The Google portion of JS:Prontexi is quite small and has gotten visibly even smaller as they have taken steps to improve the situation. That is not the case with Yahoo and Fox.”

Right Media VP Bennie Smith responded to his network being accused of serving up malicious ads on TechCrunch:

“Partnering with a third-party ad network is a good thing, but you can’t remove all the risk and shift all the responsibility to the ad network…The user is coming to your site, not to the ad network. The primary responsibility still resides with you.”

That’s right. According to Smith it’s the publisher’s fault that the applications that they have no control over are serving up malware.

Working in web security, I have seen plenty of web applications that are vulnerable to attacks. If I run a blog that is powered by WordPress, then I need to do everything I can to secure it. If a plug-in has known vulnerabilities, I have to either look for a patch, disable it, or replace it.

However, unlike the blog example above, publishers have no way of working with the applications that run these ad networks to better secure them. Instead, they have to trust that the ad manager they are running on their site has been secured. They have to trust that the advertisements have gone through some type of review to ensure that they are not delivering malicious code to the visitors.

Unfortunately for the publishers, when their site infects a visitor, the visitor doesn’t blame the ad manager. They blame the web site. If my computer was infected after visiting TechCrunch, I am going to stop visiting. If The Drudge Report is flagged as unsafe, then I will go elsewhere.

Maybe publishers do need to take the initiative. To protect their visitors, perhaps they need to look at which ad networks are doing everything they can to prevent the spread of malware through their network. Ask them questions like:

  • What is the review process for ensuring an ad does not contain malware?
  • What is done to ensure that attackers cannot exploit the code of legitimate ads?
  • Is there a web application firewall in place to inspect web layer traffic?
  • When was the last time your application underwent a code review?
  • Who do I contact if I suspect an ad is serving malware to my visitors?
  • What will you do if your network serves ads on my site that contain malware?

If your questions can’t be answered to your satisfaction, maybe it is time to take responsibility and look for a new ad network. One who is willing to make sure your reputation isn’t damaged by the content they serve on your web site.
