NEWS
Smartphone apps need securing at software development stages
MARCH/APRIL 2010
Smartphones could very easily become spy phones, with hackers able to eavesdrop on your conversations, researchers at Rutgers University in the US have warned. The handsets could be hijacked using malware, as they have now become as advanced as computers, say experts.
Researchers at Rutgers University have developed a proof-of-concept rootkit that can be ported to multiple smartphone operating systems, such as Apple's iPhone and Google's Android, and that allows hackers to remotely turn on the GPS function as well as remotely enable the phone's microphone.
Rootkits – which have been around on PCs since the mid-1990s – are notable for masking their own existence on the computer, and can be installed via emails that trick users into opening attachments.
“Smartphones are essentially becoming regular computers”, said Vinod Ganapathy at Rutgers University in New Jersey. “They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack.”
“What we’re doing today is raising a warning flag”, said fellow researcher Liviu Iftode. “We’re showing that people with general computer proficiency can create rootkit malware for smartphones. The next step is to work on defences”, he added.
Fortunately for the many hundreds of millions of smartphone users around the world, the researchers concede it is much harder to slip rootkits into smartphones – which tend to have strict rules on non-approved code being installed.
According to Richard Kirk, European director of application vulnerability specialist Fortify Software, the rootkit shows that the researchers have developed a full-blown hacker code methodology that allows all the features of a smartphone to be turned over to a hacker's control.
“Just like a compromised desktop PC, all the operations of the hacked smartphone can be used for all manner of hacking purposes, including data theft, botnet swarming, distributed denial of service attacks and even remote automated mass hacking of critical national IT systems infrastructures”, he said.
Kirk added that desktop software secure code development strategies have evolved to ensure that desktop systems software cannot normally be compromised by this type of hackery.
But, he noted, smartphone code developers – owing to the relative youth of their industry – have had no similar pressures imposed on them, as smartphones have always been viewed as a less powerful computing option.
All that changes, he explained, with the evolution of rootkits for smartphones, as it means that hackers can assume control over a handset that is every bit as powerful as a computer of just a decade ago.
“As the Rutgers University scientists say, as the population of mobile devices increases, there will be an increasing interest in attacking these devices. This means there is a rising security risk from operating system-driven smartphones”, said Kirk.
“With hundreds of millions of these devices in active use, and the majority of them wirelessly connected, you can see the potential scale of the problem. Code developers must wake up to this pressing security issue and adopt secure code development practices, such as regular security testing, at the earliest available opportunity”, he added.
Serious Fraud Office warns on social networking data harvesting

The Serious Fraud Office (SFO) has warned that Facebook and Twitter – two of the most popular social networking sites – are actively being used by criminals to harvest users’ personal financial details. The SFO says it has written to around 10 000 users of the sites, warning that their details are on a ‘master list’ being circulated by fraudsters. Reports suggest that the master list includes a range of personal information including their name, address, birthday, phone number, place of business, income and relationship status.
Infosecurity notes that, whilst Facebook no longer lists all information from users on its site, criminals can still look on various other sites, such as LinkedIn and Twitter, and collate data on individuals. Newswire reports suggest that this appears to be what criminal gangs are doing, even going to the extent of setting up boiler rooms dedicated to calling users on the master list and selling them non-existent goods or services at heavily discounted prices.
The sole purpose of the calls appears to be generating extra information, such as bank or credit payment card details, as well as confirming other data such as home addresses. The criminals then sell the resulting data on to identity fraudsters.
Recently published research from CIFAS, the fraud prevention service, found that levels of identity theft rose by 32% during 2009, compared to figures published a year earlier.
Commenting on the surge in identity thefts, Peter Hurst, chief executive of CIFAS, said that anything that helps bring an understanding to all parties of the impact of fraud on our economy has to be beneficial. “It also represents a first step. By attempting to quantify fraud losses, it provides a foundation for further work towards reducing them”, he said.
The key to beating this kind of fraud – the kind that involves criminals sharing personal information amongst themselves – is to share fraud information between members of CIFAS. Members of CIFAS report nearly £1bn in savings each year from sharing fraud information, Hurst explained.
“Following the Serious Crime Act of 2007, there are no legal impediments preventing public sector organisations from participating in these data sharing arrangements and CIFAS would welcome them into membership”, he said.
“Discussions are already taking place with a number of public sector organisations and, by next year, we are hopeful that they too will be able to prevent more fraud by taking advantage of the benefits that data sharing can offer”, he added.