Monthly Archives: July 2013

Worldwide mobile phone market grows 6%

July 31, 2013

Mobile application security may become an increasingly important issue, following news that the mobile phone market continues to expand rapidly.

The International Data Corporation's Worldwide Quarterly Mobile Phone Tracker revealed six per cent annual growth in the second quarter of 2013.

According to the figures, vendors shipped more than 432 million mobiles during the three-month period, up from Q2 of last year.

The smartphone market in particular experienced a surge, with companies shipping 237.9 million units during the quarter, while 216.3 million were shipped over the preceding three months.

Year on year, smartphones saw 52.3 per cent growth, which is the highest figure in five quarters.

Kevin Restivo, senior research analyst at IDC, said the market is "still a rising tide that's lifting many ships".

"Though Samsung and Apple are the dominant players, the market is as fragmented as ever," he added.

"There is ample opportunity for smartphone vendors with differentiated offerings."

Ramon Llamas, research manager with IDC's mobile phone team, said the lower end of the price spectrum is particularly interesting, with companies beginning to gain traction in this segment.

However, this rapid growth does have disadvantages, with a 2013 Sophos Security Threat Report showing that mobiles are increasingly becoming the targets of malicious activity.

According to the organisation, modern malware and the trend towards bring your own device (BYOD) policies are the major areas of concern.

"BYOD can be a win-win for users and employers, but the security challenges are real, while boundaries between business and private use are blurring," the report explained.

This raises the question not only of who owns smartphones and similar devices, but also of who is responsible for managing and securing the data on them, it added.

Protecting against online security threats is becoming more of a user-centric problem rather than a device-centric one, Sophos stated.

Google Glass faces more security concerns

Google Glass faces fresh concerns over security vulnerabilities, with ethical hacking showing the device's operating system (OS) can be overridden and replaced. 

The search engine giant claimed in a Google+ post in June that it would not be approving facial recognition programs for Glass, adding that such applications could be blocked from being installed.

However, Stephen Balaban, co-founder of software company Lambda Labs, re-engineered his Google Glass's OS with an alternative, unauthorised version.

Mr Balaban was then able to use this to install his own custom-made facial recognition application that generates a summary of mutual friends the user has with the person and other shared interests.

Rob Livingstone, fellow at Sydney's University of Technology, stated in an article for academic news portal The Conversation that this development opens up many questions about security and privacy for the device.

"Eyes are on Google to set a standard of good practice for wearable technology," he explained.

Mr Livingstone said Google Glass use has a number of implications for both the person wearing the device and those who come into contact with them.

"Its biggest challenge will be to balance the opportunities for the technology and those keen to explore it, with those who see insurmountable problems with a more invasive technology."

National cybercrime plan launched

July 30, 2013

The federal government has unveiled a new national cybercrime plan in an effort to ensure better vulnerability management across the country.

Attorney-general Mark Dreyfus and parliamentary secretary to the attorney-general Shayne Neumann yesterday (July 29) announced the framework, which will aim to boost collaboration when tackling malicious online attacks.

This plan will make Australia a more difficult target for sophisticated cyber criminals, Mr Dreyfus confirmed.

"While it brings tremendous benefits, the internet has created new opportunities for financially motivated cyber criminals and those who seek to target vulnerable members of our community," he stated.

"Organised criminals are increasingly using the internet and legitimate communications tools to target Australians and to facilitate their illegal activities."

The attorney-general said the framework will represent a nationwide commitment to providing a more secure digital environment for the country's inhabitants.

No official figures are available, Mr Neumann claimed, but estimates put the cost of cybercrime in Australia in the billions of dollars annually.

The National Plan to Combat Cybercrime will operate on six key foundations, including educating the community, partnering with industry, boosting information sharing and strengthening international engagement.

Mr Neumann remarked: "As a key initiative under the National Plan to Combat Cybercrime, governments will implement a national online reporting facility for cybercrime."

The facility will be named the Australian Cybercrime Online Reporting Network (ACORN).

"ACORN will make it easier for the public to report cybercrime, get the information they need to protect themselves and ensure that agencies can respond quickly," Mr Neumann continued.

He said this will allow the government to gain a better idea of how badly cybercrime is affecting the average Australian, enabling agencies to formulate improved strategies for tackling the issue.

According to the government, it is vital that the country's criminal justice framework keeps pace with any technological developments.

The National Plan to Combat Cybercrime aims to build on the National Security Strategy initiative, which identified malicious online actors as a central concern to Australia's economic and social health.

The attorney-general's office said the scheme will also support Australia's end goal of being a world-leading digital economy within the next seven years.

Earlier this year, the country entered the Council of Europe Convention on Cybercrime – the first international treaty to tackle online threats.

By becoming a party to the treaty, Australia will now be able to collaborate more effectively with other countries to develop its own cybercrime policies.

NAB: Phishing attacks still work

July 29, 2013

Phishing attacks remain a top concern at National Australia Bank (NAB), with 300 fake sites set up each month to steal customer data.

Rick Smith, principal security architect for personal and business banking at NAB, stated vulnerability management is an ongoing job that requires a dedicated team and much investment.

Mr Smith, speaking at the Digital Security Summit in Canberra last week, noted that even the most basic phishing attacks still work, Lifehacker reports.

Whether they are full of spelling mistakes, obvious errors or laughable content, they remain a worthwhile means of attack against a sizeable percentage of the population, he stated.

"Three hundred is the maximum number of new phishing sites per month trying to steal customer information.

"Three thousand is the number of newly-infected customer machines we find every month."

'Spear' phishing is also becoming prevalent, with cybercriminals less likely to spam out mass emails and instead send targeted attacks using information gleaned from social media sites – appearing to come from trustworthy sources.

His comments came as recent Kaspersky Lab statistics showed banks are the main targets of more than 20 per cent of phishing attacks, with 37 per cent of global financial organisations admitting to being victims over the last 12 months.

And Mr Smith added that mobile application security is becoming increasingly important as more people look to access online banking via their phone.

"Nearly half of NAB's online banking logins are from mobile devices," he explained.

"We get 2,000 new downloads of our app every day."

However, despite this growing area of concern, NAB was quick to point out that desktops are still an easier target for malicious attacks.

This is because malware for desktops has been around for 15 years, meaning it is feature-rich and sophisticated, while mobile threats tend to be a lot less functional from a banking perspective.

69% of executives concerned about cyber security

More than two-thirds of business executives are worried their IT systems are open to malicious attacks.

The ThreatTrack Security survey of US companies revealed 69 per cent of senior personnel felt they needed effective vulnerability management against malware attacks, advanced persistent threats (APTs) and other sophisticated cybercrime.

Financial organisations were among the businesses most likely to fear online espionage, with 82 per cent claiming they are anxious about APTs.

Just 50 per cent of firms in the sector said they are aware of targeted malware attacks against their company, while 53 per cent of manufacturing firms said the same.

These still compared well with the overall average, which was 33 per cent.

Around one in five enterprises admitted that not knowing whether an attack is currently taking place is their largest concern.

Loss of proprietary intellectual property and trade secrets to a breach was more important for 36 per cent of businesses than compromising customers' personal information, including credit card data, social security numbers or medical records.

Cyber security remained a concern even for companies that had budgets of over US$1 million (AU$1.08 million) to deal with such threats, with 97 per cent of high-level executives still saying they felt vulnerable to attack.

Banks target of ‘over 20%’ of phishing attacks

July 26, 2013

Financial institutions are the targets of one in five (20.64 per cent) phishing attacks, according to recent statistics.

The data was compiled by Kaspersky Lab between May 2012 and late April 2013, and followed a global survey completed in spring this year that emphasised the importance of vulnerability management.

Some 37 per cent of banks and other finance firms polled were the victims of a phishing attack at least once in the last 12 months.

"It's no surprise that banking and e-commerce has attracted unwanted criminal attention," the organisation explained.

"Even a successful attack on search pages, social networks or email can only yield personal data."

According to the company, cyber criminals need to find buyers for this personal information in order to turn a profit, while phishing attacks are much better for achieving quick gains.

Fake online banking or shopping pages can, if used successfully, act as a more direct route to financial rewards, the firm said.

Kaspersky Lab's Global Corporate IT Security Risks survey in May revealed the average cost of a 'serious' security incident is US$649,000 (AU$702,800) for a large company and $50,000 for a small to medium-sized business.

Phishing attacks were judged to lead to the loss of sensitive information between five and six per cent of the time.

Cybercrime costing up to $500bn a year

July 25, 2013

The global economy could be losing as much as US$500 billion (AU$545 billion) a year through cybercrime.

This is according to a new study sponsored by McAfee, with the company stating it is a world first in terms of quantifying the real economic impact of malicious attacks online.

Based on a model put together by the Center for Strategic and International Studies, the results revealed cybercrime was responsible for between $100 billion and $500 billion being drained from international economies.

This included the loss of intellectual property, reputational damage, the price of secure networks and insurance, and opportunity costs relating to service disruptions.

Mike Fey, executive vice-president and chief technology officer at McAfee, said the report is the only one of its kind to use established economic modeling techniques.

"Other estimates have been bandied about for years, but no one has put any rigor behind the effort," he explained.

"As policymakers, business leaders and others struggle to get their arms around why cyber security matters, they need solid information on which to base their actions."

The report also highlighted the effect cybercrime has on employment, estimating that as many as 508,000 US jobs are lost annually through malicious cyber activity.

SIM card vulnerability ‘puts mobile phones at risk’

July 24, 2013

Millions of mobile phones across the world could have their security threatened as an expert from Germany claims to have found a SIM card vulnerability.

Karsten Nohl, founder of Security Research Labs in Berlin, explained to the New York Times that the encryption hole meant that hackers could gain access to a SIM card's digital key.

With this information, it is possible to send a virus to the SIM card in the form of a text message, therefore putting mobile application security at risk.

He noted: "We can spy on you. We know your encryption keys for calls. We can read your SMS.

"More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account."

The operation was completed in around two minutes with the aid of just a simple computer, suggesting that mobile users across the globe could be under threat.

Google recently made a new patch available to address a security flaw in Android devices, which it believed left 900 million smartphones and tablets open to hackers.

The flaw has existed at least since the release of Android 1.6 and is estimated to have affected 90 per cent of devices that are currently in circulation.


Apple admits developer site hacked

July 23, 2013

Apple has been forced to take its developer site offline after it revealed that a hacker attempted to steal personal information during an attack last week.

In a message on the site, the technology giant announced that the intruder instigated the breach last Thursday (July 18), putting the information of registered developers under threat.

"Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers' names, mailing addresses, and/or email addresses may have been accessed," the note read.

Users have been made aware of the attack "in the spirit of transparency", Apple said, and the site was immediately taken offline as soon as the breach had been acknowledged.

Experts have been working ever since to rectify the problem, which may see a significant security audit being undertaken at the company to prevent further issues arising.

In a bid to improve security in the future, Apple is overhauling its developer systems and updating server software wherever necessary.

In addition, the company is rebuilding its entire database and assures developers that the website will be back up and running as soon as possible.

Google Glass QR codes vulnerable to attack?

July 22, 2013

A security vulnerability has been detected in Google Glass – more specifically the QR codes that are used to give the system instructions.

Lookout, a security technology firm, found that it could create malicious QR codes, which when seen by a Google Glass user, could encourage the system to connect to a hostile WiFi access point controlled by hackers.

This would mean that attackers could see whatever the Google Glass user was looking at, as well as diverting the system to view an access point that contained a well-known Android 4.0.4 web vulnerability.

As a result, Glass could be hacked as it browsed the page – a situation that is unique to Google Glass and results from "it becoming a connected thing".

Lookout researcher Marc Rogers highlighted the need for vulnerability management to be at the heart of any new technology, emphasising that "connected things need to be treated like software when it comes to security".

Mr Rogers also highlighted that although the benefits that these latest technologies bring to our lives are vast, the potential security risks they face are equally great.

Once technology is granted intelligence, the necessary safeguards need to be put in place to avoid it posing a threat to security.