Monday, March 25, 2013

Mobile Malware: 3 Key Differences and 3 Top Tips

Traditional malware is relatively easy to spot - well, ok, I am sure most security vendors would disagree, but it is. Compared to mobile malware - I did say “relatively”, didn’t I?

Why is mobile malware so different to regular “desktop” malware? Well, for a start, there’s the environment. Even on our most lightweight laptops, we’re willing to leave an antivirus running 100% of the time. Sure, we’ll bitch and moan about it slowing the whole show down from time to time (usually poor software, or underwhelming tin... but still...), but in the end, it stays. On our ‘phones, however, small is king (don’t get me started on “phablets”; if I wanted to walk around with a plasma telly in my pocket I’d shoplift at Dixons). Small devices mean small batteries, and we generally can’t afford to keep CPU chewers around “unnecessarily”. This means that anti-malware often takes a back seat: most users won’t run it.

Second up, there’s the homogeneity of the devices. Android often gets slated for being a “fragmented platform”, but if you’re looking to have the same fundamental attack vectors, mobile is a great place to be. This was a criticism levelled at the Microsoft environment 5 years ago, but while Windows is still highly popular, the software stack is much more varied - Outlook is no longer de facto, and nor is IE. iOS is going to give you even more of a predictable basis for attack, so as a malware author, it’s a great place to be. Our user has less control of the OS too, coming behind the vendor and the network in the pecking order - often a good thing, less rope to hang oneself with, but it means any AV has less of a foothold in the OS, and makes it hard for the user to spot “interesting” issues: the diagnostic tools aren’t readily available.

Finally, we come to the killer feature - the ability to make calls. If I “own” (or pwn, if you’re 17) your PC, you’re going to make me work to turn a profit: I can sell it, but for peanuts; I need 1000s. You probably don’t have your bank details in a text file on the desktop (do you? If so, please send your IP address on a postcard...), or at least I can’t rely on it. Your phone, however, has the ability to spend money on your behalf right out of the box by placing calls to premium numbers, or signing up to text services. Even the app store is more likely to be an easy place to slyly spend your coin than anything I can find on your PC.

So - before this post becomes “TL;DR”, I’ll leave you with a few tips on how to avoid getting your phone hacked (Russian mafia-style hack, rather than lazy journalist-style hack)...

Rule Zero: The fundamental rule of safety - if it looks too good to be true, that’s because it is. If an app is normally 70p, and there’s a free copy offered: pony up, you tightwad. Best case, the free/cheap one’s ad supported, worst case, it’s worse. If an app offers you something for nothing that you know normally costs money, well, you’re paying somewhere. See also: Free lunch, existence or otherwise thereof.

Rule One: Check the permissions. Both iOS and Android apps will state what the app is allowed to do. Be especially cautious with things that could cost you money. Sadly, most things need network capability for something or other, so that’s not really a good red flag, but think: does this app need this permission? Why?

Rule Two: Follow the crowd. Wildebeest know there’s safety in numbers, and you should too. If an app has many users it is more likely to be kosher, but if an app is brand new to the app store and has very few downloads, tread carefully - especially if it looks like a mature app. Check the reviews while you’re at it.
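
Rule One can be partly automated on Android. The sketch below is an added example, not code from the original post: it reads the permissions an app requests from its manifest and flags the ones that can cost money (texts and calls), while ignoring network access, which almost everything asks for. It assumes the manifest has already been decoded to plain-text XML; the torch app, its package name and the "expected" permission set are made up for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions that let an app run up a bill directly.
COSTS_MONEY = {
    "android.permission.SEND_SMS": "can send texts, e.g. to premium-rate services",
    "android.permission.CALL_PHONE": "can place calls, e.g. to premium-rate numbers",
}
# Nearly every app asks for these, so they are not a useful red flag.
TOO_COMMON = {"android.permission.INTERNET",
              "android.permission.ACCESS_NETWORK_STATE"}

# Constructed sample: decoded manifest of a made-up torch app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """List the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml.strip())
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return [n for n in names if n]

def review(manifest_xml, expected):
    """Flag permissions the app's stated purpose does not explain.

    `expected` is the reviewer's own judgement of what this kind of app
    plausibly needs (an assumption supplied by the caller).
    """
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in expected or perm in TOO_COMMON:
            continue
        if perm in COSTS_MONEY:
            findings.append((perm, "HIGH: " + COSTS_MONEY[perm]))
        else:
            findings.append((perm, "ASK WHY: not explained by what the app does"))
    return findings

if __name__ == "__main__":
    # A torch needs the camera flash and nothing else.
    for perm, verdict in review(SAMPLE_MANIFEST, {"android.permission.CAMERA"}):
        print(perm, "->", verdict)
```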

Tuesday, March 19, 2013

Death of the Keyboard? It's not just the keys that are numbered...

I bet there's a keyboard within two feet of you right now, be it mechanical, or virtual.
You'll probably use at least three different keyboards today, which for me at least makes the keyboard more ubiquitous than the teacup.

In one guise or another, the idea of pressing buttons to produce one character at a time has been with us since 1714 and has evolved considerably in that period.
So it's been with us for a while, but personally I think the keyboard's days are well and truly numbered.

Don't get me wrong, the days when you have to go to a specialist shop for an antique piece of 'typing apparatus' aren't upon us yet, but I think soon it will be possible for even the most hardened technophile to get through the average day without typing a letter.

We're halfway there already. Between Google Now and Siri, you don't really have to touch your smartphone any more to bend its powers to your will, though there are still limitations. Touchscreens are making a valiant effort to kill the mouse and even the humble Ford Focus comes with voice control (dubbed SYNC).

In the office, things like the Leap Motion and Space Top are promising to revolutionise the way we think of the 'desktop', stripping out the middlemen of the mouse and keyboard and freeing your hands to be the expressive and dexterous tools that they were meant to be.

Couple these concepts together in a package like Google Glass or the Oculus Rift and you end up with a picture more advanced than Star Trek, with people searching for, creating and sharing information without ever pushing a button. It's a fascinating technological landscape that has sweeping implications for Smoothwall and our ilk.