Video: Angry Birds Space Trojan & Drive-by Android

On Monday, we released our Mobile Threat Report for Q1, and in that report we mention there’s a growing number of mobile trojans that “deliver on their promises”. What do we mean by that?

Well, in the past, mobile malware often offered something such as “free” mobile web services as bait, but then, during installation, the trojan would display some kind of decoy error message.

At that point the folks installing the trojan would typically search for answers, either because they were suspicious or because they were troubleshooting. That would then lead to actual answers on forums that what they had in fact installed was a trojan. These days, when even non-nerds have smartphones, the bait is quite a bit different.

No decoy messages. The “bait” actually works.

Here’s a video of a trojan installing a working copy of Rovio’s Angry Birds Space as it compromises the phone.

Video: Trojanized Angry Birds Space.

So, nothing to troubleshoot… and how many non-nerds do you think will find getting what they were promised to be suspicious? It’s quite possible that somebody could compromise their phone and they’ll never come to realize it.

Android malware is definitely evolving.

Here’s a short preview of something which developed during Q2: drive-by Android malware.

Video: Drive-by Android Malware.

On 18/05/12 At 02:19 PM


Kip Hawley Reviews Liars and Outliers

In his blog:

I think the most important security issues going forward center around identity and trust. Before knowing I would soon encounter Bruce again in the media, I bought and read his new book Liars & Outliers and it is a must-read book for people looking forward into our security future and thinking about where this all leads. For my colleagues inside the government working the various identity management, security clearance, and risk-based-security issues, L&O should be required reading.

[...]

L&O is fresh thinking about live fire issues of today as well as moral issues that are ahead. Whatever your policy bent, this book will help you. Trust me on this, you don’t have to buy everything Bruce says about TSA to read this book, take it to work, put it down on the table and say, “this is brilliant stuff.”

I’m hosting Kip Hawley on FireDogLake’s Book Salon on Sunday at 5:00 – 7:00 PM EDT. Join me and we’ll ask him some tough questions about his new book.


We Need More Than Jelly Bean

Google is set to launch Android 5.0, aka Jelly Bean, this fall. But do we even need it? While Google has made some steps in securing its Play branded marketplace, and offered a few security updates to the operating system, it is a fact that the most targeted Android platform is still 2.x. Why is that? There are several reasons, not the least of which is a lack of security patches provided to previously deployed operating system versions.


Rules for Radicals

It was written in 1971, but this still seems like a cool book:

For an elementary illustration of tactics, take parts of your face as the point of reference; your eyes, your ears, and your nose. First the eyes: if you have organized a vast, mass-based people’s organization, you can parade it visibly before the enemy and openly show your power. Second the ears; if your organization is small in numbers, then do what Gideon did: conceal the members in the dark but raise a din and clamor that will make the listener believe that your organization numbers many more than it does. Third, the nose; if your organization is too tiny even for noise, stink up the place.

Always remember the first rule of power tactics: Power is not only what you have but what the enemy thinks you have.

The second rule is: Never go outside the experience of your people. When an action or tactic is outside the experience of the people, the result is confusion, fear, and retreat. It also means a collapse of communication, as we have noted.

The third rule is: Wherever possible go outside the experience of the enemy. Here you want to cause confusion, fear, and retreat.

The fourth rule is: Make the enemy live up to their own book of rules. You can kill them with this, for they can no more obey their own rules than the Christian church can live up to Christianity.

The fourth rule carries within it the fifth rule: Ridicule is man’s most potent weapon. It is almost impossible to counterattack ridicule. Also it infuriates the opposition, who then react to your advantage.

The sixth rule is: A good tactic is one that your people enjoy. If your people are not having a ball doing it, there is something very wrong with the tactic.

The seventh rule: A tactic that drags on too long becomes a drag.

[...]

The twelfth rule: The price of a successful attack is a constructive alternative. You cannot risk being trapped by the enemy in his sudden agreement with your demand and saying “You’re right–we don’t know what to do about this issue. Now you tell us.”

The thirteenth rule: Pick the target, freeze it, personalize it, and polarize it.


Cybersecurity at the Doctor’s Office

I like this essay because it nicely illustrates the security mindset.


Repost: Webinar: Making Life Difficult for Malware

Jarno Niemela, a Senior Researcher here at F-Secure Labs, will be taking part in a Black Hat Webcast on Thursday, May 17, 2012.

The subject is “Making Life Difficult for Malware” and will focus on system modifications that can be used to prevent malware from functioning properly in the event that your system is compromised.

https://www2.gotomeeting.com/register/332978794

More information can be found on the webinar’s registration page.

Over 1,000 people have registered thus far!

On 16/05/12 At 12:59 PM


Security Vulnerabilities in Airport Full-Body Scanners

According to a report from the DHS Office of Inspector General:

Federal investigators “identified vulnerabilities in the screening process” at domestic airports using so-called “full body scanners,” according to a classified internal Department of Homeland Security report.

EPIC obtained an unclassified version of the report in a FOIA response. Here’s the summary.


USB Drives and Wax Seals

Need some pre-industrial security for your USB drive? How about a wax seal? Neat, but I recommend combining it with encryption for even more security!


Carolina Dieckmann, Brazilian cybercrime legislation and la “Viveza criolla”

Carolina Dieckmann, a famous Brazilian actress, recently became the victim of cyber attacks that allowed cybercriminals to steal personal property – nude pictures of her – from her computer. Many of the pictures, or maybe all of them, were leaked to the Internet. This incident has served as a good incentive for the Brazilian government to introduce new cybercrime laws in the country (the current law to fight cybercrime in Brazil was approved back in the 1940s). As a result of this incident, a new cybercrime law that carries a punishment of up to 2 years in prison for such crimes has finally been proposed for consideration. This is a good and right move! A press article in Portuguese can be


U.S. Exports Terrorism Fears

To New Zealand:

United States Secretary of Homeland Security Janet Napolitano has warned the New Zealand Government about the latest terrorist threat known as “body bombers.”

[...]

“Do we have specific credible evidence of a [body bomb] threat today? I would not say that we do, however, the importance is that we all lean forward.”

Why the headline of this article is “NZ warned over ‘body bombers,’” and not “Napolitano admits ‘no credible evidence’ of body bomber threat” is beyond me.
