Daily Archives: February 25, 2015

Mobile app developers slow to address security concerns: McAfee report

image

With malware and other security threats continue to chase mobile users, a new McAfee report reveals mobile app providers have been slow to address the most basic SSL vulnerabilities – improper digital certificate chain validation.

In September 2014, the Computer Emergency Response Team (CERT) at Carnegie Mellon University released a list of mobile apps possessing this weakness, including apps with millions of downloads to their credit.

Intel Security’s McAfee Labs Threats Report: February 2015, includes assessments of the mobile threat landscape and the failure of mobile app developers to patch critical secure sockets layer (SSL) vulnerabilities, potentially impacting millions of mobile phone users.

McAfee Labs also revealed details on the increasingly popular Angler exploit kit, and warned of increasingly aggressive potentially unwanted programs (PUPs) that change system settings and gather personal information without the knowledge of users.

The new report comes shortly after F-Secure released a similar report highlighting growth of malware and banking related threats for Internet users in India.

In January, McAfee Labs tested the 25 most popular apps on CERT’s list of vulnerable mobile apps that send login credentials through insecure connections and found that 18 still have not been patched despite public disclosure, vendor notification, and, in some cases, multiple version updates addressing concerns other than security. McAfee Labs researchers simulated man-in-the-middle (MITM) attacks that successfully intercepted information shared during supposedly secure SSL sessions. The vulnerable data included usernames and passwords and in some instances, login credentials from social networks and other third party services.

Although there is no evidence that these mobile apps have been exploited, the cumulative number of downloads for these apps ranges into the hundreds of millions. Given these numbers, McAfee Labs’ findings suggest that the choice by mobile app developers to not patch the SSL vulnerabilities has potentially put millions of users at risk of becoming targets of MITM attacks.

“Mobile devices have become essential tools for home to enterprises users as we increasing live our lives through these devices and the applications created to run on them ,” said Vincent Weafer, SVP of McAfee Labs, part of Intel Security. “Digital trust is an imperative for us to truly engage with and benefit from the functionality they can provide. Mobile app developers must take greater responsibility for ensuring that their applications follow the secure programing practices and vulnerability responses developed over the past decade, and by doing so provide the level of protection required for us to trust our digital lives with them.”

Another Q4 development followed closely by McAfee Labs was the rise of the Angler exploit kit – one of the cybercrime-as-a-service economy’s latest contributions to off-the-shelf tools delivering ever greater malicious functionality. Researchers saw cybercriminals migrate to Angler in the second half of 2014, when it surpassed Blacole in popularity among exploit kits. Angler employs a variety of evasion techniques to remain undetected by virtual machines, sandboxes, and security software, and frequently changes patterns and payloads to hide its presence from some security products.

This crimeware package contains easy-to-use attack features and new capabilities such as file-less infection, virtual machine and security product evasion, and the ability to deliver a wide range of payloads including banking Trojans, rootkits, ransomware, CryptoLocker, and backdoor Trojans.

The report also identified a number of other developments in the final quarter of 2014:

Mobile Malware. McAfee Labs reported that mobile malware samples grew 14 percent during the fourth quarter of 2014, with Asia and Africa registering the highest infection rates. At least 8 percent of all McAfee-monitored mobile systems reported an infection in Q4 2014, with much of the activity being attributed to the AirPush ad network.

· Potentially Unwanted Programs. In Q4, McAfee Labs detected PUPs on 91 million systems each day. McAfee Labs sees PUPs becoming more and more aggressive, posing as legitimate apps while performing unauthorized actions such as displaying unintended ads, modifying browser settings, or collecting user and system data.

· Ransomware. Beginning in Q3, the number of new ransomware samples began to grow again after a four-quarter decline. In Q4, the number of new samples grew 155 percent.

· Signed Malware. After a brief drop in new malicious signed binaries, the pace of growth resumed in Q4 with a 17 percent increase in total signed binaries.

· Total Malware. McAfee Labs now detects 387 new samples of malware every minute, or more than six every second.

TD

Advertisements

India can’t dump radioactive waste in Lanka: Ranawaka

image

Colombo: The Indo-Lanka civil nuclear agreement would not permit India to dump its radioactive waste in Sri Lankan territory, a senior minister has said.

‘Management of radioactive waste does not authorise India to unload radioactive waste produced in Indian Nuclear Power Plants in Sri Lankan territory,’ Minister of Power and Energy Champika Ranawaka said.

The Minister was commenting on the bilateral agreement signed on February 16 in New Delhi on cooperation in the peaceful uses of nuclear energy.

He said the agreement focussed on peaceful uses of nuclear energy in line with multilateral conventions entered by both India and Sri Lanka.

The agreement will facilitate cooperation in the transfer and exchange of knowledge, expertise, sharing of resources, capacity-building and training of personnel in peaceful uses of nuclear energy.

Ranawaka said Sri Lanka hopes to sign an MoU with Pakistan on the development of nuclear applications.

A similar MoU had been already signed with a Russian state-owned atomic energy entity.

PTI

%d bloggers like this: