SPOTLIGHT ON SECURITY

New Tool Alerts Etailers to Suspicious Characters

As thoughtful as mobile phone makers are when they design their products, there are always punters who want something that isn’t there and are willing to hack a device to get it.

In the Android world such a hack is called “rooting” a phone; in the iOS world, it’s called “jailbreaking.” Regardless of what it’s called, it can turn a phone into a can of worms for retailers.

“Jailbroken phones aren’t always indicative of a problem, but in a majority of cases there’s a higher correlation of fraud than there is with normal phones,” Scott Olson, vice president of product at Iovation, told TechNewsWorld.

Iovation recently released an SDK for mobile apps that allows retailers using the company’s risk assessment system to identify jailbroken or rooted phones accessing their site.

That SDK, along with others from Iovation, identifies characteristics of risky devices.

“It’s always interesting to know when there are changes to a device associated with an account, because it can be indicative of account takeover,” Olson said.

Garden Wall Cracked

Both rooting and jailbreaking make a phone vulnerable to cyberattack, but tinkering with an iPhone can be particularly worrisome.

“Jailbreaking is one of the only ways to get malware apps or other rogue apps on an iPhone, because iOS has a fairly closed system,” Olson explained.

That closed system, however, last week was pried open by a malware campaign launched against Chinese iPhone users.

The campaign, revealed by Palo Alto Networks’ Unit 42, used a novel method for cracking into an iPhone. Its malware, called “WireLurker,” is spread through infected OS X apps downloaded from an online app store not affiliated with Apple.

Once the infected app lands on a Mac, it waits for an iPhone to be connected to the computer through a USB port and then infects the iPhone.

That kind of attack has been used in the Windows world to infect Android phones, but it’s a first for the Mac, and it’s a sign that Apple devices are appearing prominently on the radar of Net predators.

“Historically, attackers have focused their efforts on Android, given its popularity,” Kevin Mahaffey, CTO and cofounder of Lookout Mobile Security, told TechNewsWorld.

“As the number of iOS devices has grown, especially in geographies where malware tends to originate,” he continued, “iPhones and iPads have become attractive attack targets as well.”

Cyber Catastrophe

As the world becomes increasingly connected, it’s almost inevitable that something is going to break and break bad.

Some folks believe that a massive malfunction will be deliberate.

Of 1,600 experts and Internet builders recently canvassed by the Pew Research Center, 61 percent believed that by 2025 a cyberattack would occur that would cause widespread harm to a nation’s security and capacity to defend itself and its people.

Other folks believe the bad break will be accidental.

“I’m less inclined to think it will be intentional,” said Fengmin Gong, cofounder and chief architect of Cyphort.

Nations will try to act in a measured way when engaging in cyberwarfare, he argued.

“They feel they can manage things, but all it takes is for one incident to get out of control for a catastrophic event to occur,” Gong said.

“Cyberattacks can easily get out of control,” he emphasized. “We can’t be confident that we can control them.”

Doom isn’t in everyone’s forecast, though.

“The security industry is making progress in preventing one of these catastrophes,” Tom Bain, senior vice president for security strategy for CounterTack, told TechNewsWorld.

“There is enough progress being made to avoid something linked to cyber that would be deemed as catastrophic,” he added.

Breach Diary

  • Nov. 3. Jessie Trice Community Health Center in Miami reports it has been informed by law enforcement authorities that personal information on nearly 8,000 patients was stolen from the provider in a data breach discovered in July, which currently is being probed by the IRS and FBI.
  • Nov. 4. TechInsurance publishes “The Small-Business Owner’s Guide to Identity Theft Prevention and Data Security,” a free e-book that can be downloaded from the company’s website.
  • Nov. 4. Electronic Frontier Foundation publishes scorecard on messaging applications. It finds only six of 39 apps have features needed to guarantee security of communications over the Internet.
  • Nov. 5. Palo Alto Networks reports thousands of Apple devices in China are at risk from a malware campaign that uses Macintosh computers to infect iOS devices. Malware called “WireLurker” steals contacts and other information from a compromised device.
  • Nov. 6. Documents made public in litigation against the government of the United Kingdom reveal British spy agencies were given permission to secretly eavesdrop on confidential lawyer-client communications, as well as anyone else working in a “sensitive profession” handling confidential information.
  • Nov. 6. Harvard University acknowledges it used hidden cameras to photograph lectures without telling professors and students. University says clandestine photography was part of a study on attendance.
  • Nov. 6. Home Depot reports that in addition to payment card information of 56 million customers stolen in data breach revealed in September, 53 million email addresses were taken. Retailer also reveals breach was caused by credential compromise of one of its vendors.
  • Nov. 6. In letter to leaders of the U.S. Congress, a coalition of retail groups calls for passage of a national law governing disclosure of data breach information.
  • Nov. 7. Europol, FBI and U.S. Department of Homeland Security announce results of “Operation Onymous.” The sweeping attack on the “Dark Web” resulted in 17 arrests, seizure of hundreds of domains associated with dozens of black market websites, US$1 million in bitcoin and $250,000 in cash.
  • Nov. 7. Damballa reports that detections of Backoff malware have increased 33 percent since the end of the quarter ending Sept. 30. Backoff was used in breach of Target and other retailers.

Upcoming Security Events

  • Nov. 11. Phones, Phablets and Clouds – Securing the New Infrastructure. 9 a.m. ET. webinar sponsored by Information Security Forum. Free with registration.
  • Nov. 12-13. Seattle Secureworld. Meydenbauer Center, Seattle. Registration: $695, two days; $545, one day.
  • Nov. 14-15. B-Sides Delaware. Wilmington University, 320 North Dupont Highway, New Castle, Delaware. Free.
  • Nov. 15. B-Sides Jacksonville. The Sheraton Hotel, 10605 Deerwood Park Blvd., Jacksonville, Florida. Free.
  • Nov. 18. Powerful Strategies for Account Takeover Fraud Prevention. 2 p.m. ET. Webinar sponsored by PhishLabs. Free with registration.
  • Nov. 19. Stealing from Uncle Sam. 7:30 a.m.-1:30 p.m. ET. Newseum, Washington, D.C. Registration: government and press, free; before Nov. 19, $495; Nov. 19, $595.
  • Nov. 20. Amazon AWS Services’ Security Basics — Escalating Privileges from EC2. 2 p.m. ET. Black Hat webcast. Free with registration.
  • Nov. 21-22. B-Sides Charleston. College of Charleston campus, Charleston, South Carolina. Free.
  • Nov. 22. B-Sides Vienna. Top Kino, Rahlgasse 1 (Ecke Theobaldgasse), 1060 Wien, Vienna, Austria. Free.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.
  • Dec. 5. Be an Onion not an Apple. 9 a.m.-4 p.m. ET. Capitol Technology University, 11301 Springfield Rd., Laurel, Maryland. Workshop sponsored by Cybersecurity Forum Initiative. $195/seat.
  • Dec. 10. Fill the Security Gaps in Your Firm’s Mobile Deployment. 1 p.m. ET. Webinar sponsored by Lacoon Mobile Security. Free with registration.
  • Dec. 8-11. Black Hat Trainings. The Bolger Center, Potomac, Maryland. Course Registration: before Nov. 1, $2,500-$3,800; before Dec. 6, $2,700-$4,000; after Dec. 10, $3,800-$4,300.
  • Dec. 12. B-Sides Zgora. Biurowiec ASTEC, ul. Wyspianskiego 11, Zielona Góra, Poland. Free.
  • Jan. 19, 2015. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Fee: $20.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
