Archive for December, 2012

In a story that should surprise no one (but will no doubt catch many off guard), BBC News is reporting that, unbeknownst to their owners, Android phones are being used as spam relays.

Yes, that smart phone that goes with you everywhere you go, fits easily in either a pocket or a purse, and has become an indispensable tool of modern life is, in fact, a small, fully functional computer. As such, it can not only place and receive calls but also do most of the great things that we’ve come to expect from a PC (e.g. send/receive email, browse the web, run apps, play music, etc.). In addition, it can do most of the really awful things that a PC can do as well, such as crash at inopportune times, leak personal information and get infected with viruses.

Although the amount of malware affecting smart phones to date is relatively small compared to PCs, the threat is not insignificant and will only continue to grow.

So it shouldn’t surprise us when we read that infected versions of popular apps like Angry Birds are beginning to circulate. The latest twist is just a variation on a theme we learned about more than a decade ago with the advent of so called “zombies” or “bots” — systems under the control of a remote attacker that can be coordinated to form an army of denial of service attackers or spam senders. If you could do it on a PC, there’s no reason to believe it couldn’t (and wouldn’t) be done on a smart phone and, in fact, now it has been.

What can you do to protect yourself from being an unwilling accomplice and avoid a monstrously large cell phone bill if the zombie happens to exceed your monthly data limit or, potentially worse, leverages premium SMS text messaging services without your knowledge?

  1. Don’t install apps from untrusted sources.

    Even the official Google Play store is known to have more than its share of sketchy apps but if you veer off into some lesser known (and less reliable) sources, you are really playing with fire.

  2. Don’t install apps that you don’t really need.

    What constitutes “need” vs. “nice to have” is an endless debate topic that varies from person to person. Suffice it to say that by limiting the apps you have to those you will really use, you reduce your risk by effectively reducing the attack surface.

  3. Check the permissions before granting access.

    One of the nice features of Androids over iPhones is that they actually tell you during the install process what resources on your phone the app is going to access. At that point you can choose to proceed or abort the install based upon your tolerance for risk. Unfortunately, there isn’t much granularity in this process: you can’t see the details of how these resources will be used, and you can’t selectively grant access to some but not others. But at least it’s a start.

  4. Install anti-malware.

    Yes, they have this for smart phones now. It’s not a perfect solution and some will argue that it’s unnecessary given the relatively small number of malware examples on smart phones but it wasn’t all that long ago that people were saying the same thing about Macs and, before that, PCs and time eventually proved them wrong.
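Point 3 above is about reading the permission list before you tap “install.” As an added example (not from the BBC story or any app mentioned here), the snippet below parses a constructed AndroidManifest.xml and maps the real Android permission names it requests onto the threats this post describes: premium SMS, data leakage, and acting as a network bot. The grouping of permissions into capabilities is this example’s own.

```python
import xml.etree.ElementTree as ET

# Namespace behind the "android:" attribute prefix in every manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the post warns about, mapped to the permissions that enable them.
# The grouping is this example's own; the permission names are real Android ones.
CAPABILITIES = {
    "send premium SMS (surprise charges)": {"android.permission.SEND_SMS"},
    "read your texts": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "read your contacts": {"android.permission.READ_CONTACTS"},
    "read your account names/email addresses": {"android.permission.GET_ACCOUNTS"},
    "talk to the network (a spam relay needs this)": {"android.permission.INTERNET"},
    "start itself on boot (stay alive as a bot)": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names an AndroidManifest.xml asks for."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def review(manifest_xml: str) -> list:
    """List, in a fixed order, the worrying capabilities the manifest would grant."""
    perms = requested_permissions(manifest_xml)
    return [cap for cap, needed in CAPABILITIES.items() if perms & needed]


# Constructed manifest for a hypothetical "game" that asks for far more than a game needs.
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flyingbirds">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

if __name__ == "__main__":
    for cap in review(GAME_MANIFEST):
        print("this app could:", cap)
```

A game that can send texts and read your contacts is exactly the kind of mismatch between purpose and permissions that should make you abort the install.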

Apple does a good job of vetting apps before they make it into their app store but that doesn’t mean there is no risk with that option either as there have been some cases where bad stuff slipped through.

Bottom line: If it does the good things a computer can do then it can also do the bad things a computer can do and that means you need to be mindful of security threats to not only desktops, laptops and servers, but also to phones and tablets. Can TVs and cars be far behind?

Quick Response (QR) codes can be really nice. You see an ad in a magazine or a poster on a wall and want more info? Just point your smart phone at the pattern and scan it with the appropriate app and, voila, all the detail you could care to know pops up in your hand.

At least, that’s how it’s supposed to work when everybody plays nice, and most people do. Of course, if you’ve been reading this blog at all, you know that not everyone does, and that every new turn of the technological crank brings not only a great opportunity to do some really cool things but also an equal opportunity for bad actors to exploit it to do some really not so cool things. QR codes are no different.

For example, here’s a QR code that contains a link to this blog. It would be easy to add more info such as a phone number, email address, etc. but let’s keep it simple.

A QR reader app on your phone should be able to verify this for you. (Note: you may have to print it off and then try scanning the printed version if your phone’s camera has trouble reading it.)

But what if I was a bad guy and, instead of pointing you to a benign site, I sent you to a malicious site which automatically downloaded malware to your phone that then sent me a copy of your confidential emails, stored passwords/account numbers, contacts, text messages, etc. and started sending SMSs to premium services without your knowledge, racking up huge charges for you? Not so good, right?

How can you tell just by looking at a QR code whether it is good or bad? The answer is, you can’t, and that’s the problem. Bad guys know this and some have taken to printing up their own QR codes and sticking them over the top of legitimate ones so as to snare unsuspecting victims.

The better QR reader apps will show you the link they have scanned first so that you can then choose whether to send your browser there or not. Unfortunately, if the bad guy has used a URL shortener such as bitly, TinyURL or others, the actual web site you will be taken to may still be obscured from view.
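The “show me the link first” behaviour described above can be reasoned about in code. As an added example (not from any QR reader app), the snippet below takes the string a scanner hands back, works out what acting on it would do to the phone (open a link, prepare a text message, dial a number) and flags the two cases this post calls out: a link behind a shortener whose destination you cannot see, and a code that would fire off an SMS. The shortener host list is a constructed, illustrative one.

```python
from urllib.parse import urlsplit

# Hosts of common link shorteners (constructed, illustrative list; extend as needed).
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "goo.gl", "t.co", "ow.ly", "is.gd"}


def decode_payload(payload: str) -> dict:
    """Classify a decoded QR string by what acting on it would make the phone do."""
    p = payload.strip()
    upper = p.upper()
    if upper.startswith(("SMSTO:", "SMS:")):
        # SMSTO:<number>:<body> prepares an outgoing text message
        _, _, rest = p.partition(":")
        number, _, body = rest.partition(":")
        return {"kind": "sms", "to": number, "body": body, "url": None}
    if upper.startswith("TEL:"):
        return {"kind": "call", "to": p[4:], "body": None, "url": None}
    if upper.startswith("MAILTO:"):
        return {"kind": "email", "to": p[7:].split("?")[0], "body": None, "url": None}
    parts = urlsplit(p)
    if parts.scheme in ("http", "https") and parts.hostname:
        return {"kind": "link", "to": parts.hostname, "body": None, "url": p}
    return {"kind": "text", "to": None, "body": p, "url": None}


def warnings(payload: str) -> list:
    """Reasons to pause before letting the reader app act on this code."""
    info = decode_payload(payload)
    out = []
    if info["kind"] == "link" and info["to"].lower() in SHORTENER_HOSTS:
        out.append("shortened link: real destination is hidden, expand it before visiting")
    elif info["kind"] == "sms":
        out.append(f"would send a text to {info['to']}; check it is not a premium number")
    elif info["kind"] == "call":
        out.append(f"would dial {info['to']}")
    return out


# Constructed sample payloads, as a reader app would hand them over after a scan.
SAMPLES = [
    "https://example.com/blog",   # plain link: you can read the destination
    "http://bit.ly/abc123",       # shortened: destination obscured
    "SMSTO:89123:SUBSCRIBE",      # would text a short code
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", warnings(s) or ["looks inspectable"])
```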

So, be careful. The best advice is to “trust, but verify.”

In perhaps the least shocking news you will hear all day, “password” is really not a great authentication secret for online accounts. Unfortunately, not enough people seem to realize this as, yet again, it topped the list of most popular passwords according to Splashdata, which analyzed results from some of the highest profile security breaches of 2012. Here’s the top 5:

1) password (#1 in 2011 as well)
2) 123456
3) 12345678
4) abc123
5) qwerty

No real surprises there. The next 5 are a bit more curious:

6) monkey
7) letmein
8) dragon
9) 111111
10) baseball

OK, so “111111” is easy to type, “baseball” is the national pastime and “letmein”, well, that’s what you’re trying to do when you enter a password, so I get all of that, but “monkey”? Really? Maybe it’s best I don’t know…

Another interesting one came in at #12 and it was “trustno1”, which sounds like pretty good advice on one level but apparently the paranoia has reached such a level that it now causes a significant number of people to choose it as their authenticator.
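The obvious defensive use of a list like this is to refuse it at sign-up time. As an added example (my own code, not anything from Splashdata’s report), the snippet below checks a candidate password against the eleven entries quoted above, and also catches the trivial “improvements” people make to them: capital letters, a couple of digits tacked on the end, and a few letter-for-symbol swaps. Which decorations to strip is this example’s own heuristic.

```python
import re

# Splashdata's 2012 top ten as listed above, plus "trustno1" from #12.
COMMON_2012 = ["password", "123456", "12345678", "abc123", "qwerty",
               "monkey", "letmein", "dragon", "111111", "baseball", "trustno1"]

# Swaps people use to dress up a weak word (@->a, $->s, 0->o, 1->i, 3->e, 4->a, 5->s, 7->t).
# Undoing them is this example's own heuristic, not part of the Splashdata list.
LEET = str.maketrans("@$013457", "asoieast")


def base_forms(secret: str) -> set:
    """Forms a password collapses to once trivial decoration is removed."""
    low = secret.lower()
    forms = {low}
    forms.add(re.sub(r"[^a-z0-9]+$", "", low))   # drop trailing punctuation
    forms.add(re.sub(r"[^a-z]+$", "", low))      # ...and trailing digits as well
    # Undo leet swaps only where there are letters to begin with, so pure-digit
    # entries such as "111111" are not turned into nonsense.
    forms |= {f.translate(LEET) for f in list(forms) if re.search(r"[a-z]", f)}
    forms.discard("")
    return forms


# Every base form of every listed password: the deny set to test against.
DENY = set().union(*(base_forms(p) for p in COMMON_2012))


def is_common(secret: str) -> bool:
    """True if the password is a listed entry or a trivial variant of one."""
    return not base_forms(secret).isdisjoint(DENY)


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd!", "Monkey2012", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {'too common' if is_common(candidate) else 'not on the list'}")
```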

Once again, I think this makes the case for single sign-on tools which can automatically generate strong, random passwords that they manage so you don’t have to break out the yellow sticky pads and post your secrets around the edge of your monitor…