Attacks/Breaches
8/19/2014
12:00 PM
Peter Zavlaris
Commentary

Why John McAfee Is Paranoid About Mobile

Mobile apps are posing expanding risks to both enterprises and their customers. But maybe being paranoid about mobile is actually healthy for security.

At this year’s SecureCIO event in San Francisco, in front of an audience of CISOs, CIOs, VPs, and directors collectively representing some of the largest corporations in America, John McAfee, the enigmatic founder and namesake of McAfee, proclaimed a veritable state of emergency in enterprise security.

"Our paradigms for protecting corporate assets [online] no longer work," said McAfee, who, after a brief hiatus (one in which he went toe to toe with the Belize Government), is back on the security scene serving as a consultant as well as founding his own startup.

In this talk, McAfee took square aim at mobile. He discussed a recent consulting engagement with an unnamed defense contractor. Apparently, out of nowhere and for no apparent reason, the contractor began losing contracts it would normally win. Eventually, it was discovered that a man-in-the-middle attack had successfully infiltrated the mobile devices belonging to the sales team. Anything they saw wound up in the hands of the competition.

John McAfee at BSides and DEF CON  
Photo: Apneet Jolly

As he explained, thanks to mobile devices, each employee has become a potential weak link in the enterprise security chain. Corporate data shared on mobile devices and tablets has become highly valuable to competitors. Meanwhile, forced permissions within mobile applications are granting access to sensitive data stored on phones.

It really is a big problem
The size and scope of this problem are substantial, and there is no end in sight. Anonymized data from more than 6 million active customer mobile applications analyzed by RiskIQ helps quantify the issue:

  • 245,000+ apps have account grabbing capabilities
  • 497,000+ apps can control vibration
  • 212,000+ apps are capable of accessing the camera
  • 184,000+ apps can access contacts
  • 66,000+ apps can read SMS

Why should we care if an application has access to a phone’s vibrate function? Because when hackers access a phone they can make changes, receive messages, download other applications, change settings, etc., without setting off the vibration alert. "Read SMS" allows hackers to capture SMS-based authentication tokens. "Get Accounts" allows the phone to access online accounts. With access to contact lists a cyber criminal can steal this information. There are literally dozens of standard permissions one could leverage to carry out a cyber attack -- without needing malware.
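
A defender can check a given app for the permissions listed above. The following is an added example, not code from the article or from RiskIQ: it audits a decoded AndroidManifest.xml (the manifest inside an APK is binary XML and must be decoded first) against a baseline of permissions the genuine app is expected to need. The package name, the sample manifest and the camera-only baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions the article lists, with the risk it attributes to each.
# RECEIVE_SMS is added here as the incoming-message counterpart of READ_SMS.
RISKY = {
    P + "GET_ACCOUNTS": "list accounts configured on the device",
    P + "VIBRATE": "control the vibration alert",
    P + "CAMERA": "access the camera",
    P + "READ_CONTACTS": "read the contact list",
    P + "READ_SMS": "read stored SMS, including authentication tokens",
    P + "RECEIVE_SMS": "see incoming SMS, including authentication tokens",
}
SMS_PERMS = {P + "READ_SMS", P + "RECEIVE_SMS"}

def requested_permissions(root):
    """Collect permission names declared in a decoded manifest tree."""
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit_manifest(manifest_xml, expected=frozenset()):
    """Report risky permissions requested beyond the `expected` baseline."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    findings = {p: RISKY[p] for p in sorted(perms) if p in RISKY and p not in expected}
    # SMS access plus network access is what an SMS-token stealer needs.
    exposure = bool(perms & SMS_PERMS) and (P + "INTERNET") in perms
    return {"package": root.get("package"), "findings": findings,
            "sms_token_exposure": exposure}

# Constructed sample: decoded manifest of a hypothetical copycat banking app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE, expected={P + "CAMERA"}))
```

Comparing against a per-brand baseline is what separates a copycat asking for SMS access from a legitimate app that uses the camera for a documented feature.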

With many large consumer-facing businesses like banks and healthcare providers distributing their own branded mobile applications, the risks associated with copycat apps distributed and controlled by cyber criminals are magnified by escalating app permissions.

SMS text phishing
A recent example of this technique is Operation Emmental, discovered by Trend Micro. The attack uses an email phishing campaign to target customers of banks that use SMS-based authentication. It tricks victims into installing a fake but official-looking mobile app, which captures SMS messages sent from the bank. (Trend Micro found several variations of these apps wrapped with names and logos of popular German banks.) By stealing the victim’s username and password, and intercepting “out of band” authentication tokens sent to his or her mobile phone, attackers can take over the bank account to commit fraud.

In addition to excessive permissions and fake apps, mobile platform vulnerabilities are putting data at risk. For example, security firm Bluebox recently reported a major flaw in the Android operating system it dubbed "FakeID." It affects Android’s verification of digital signatures, which are used to vouch for the identity of mobile applications. Theoretically, this would allow attackers to successfully impersonate legitimate apps, like an online banking app, since the Android cryptographic code will not be able to verify its origin.

It’s becoming apparent that mobile applications are posing expanding risks to both enterprises and their customers. Whether it’s excessive permissions, fake (e.g., copycat) apps that claim to be from a trusted brand, or platform vulnerabilities like FakeID, it appears being paranoid about mobile might actually be healthy for security.

Peter Zavlaris is one of the primary analysts and contributors to the RiskIQ blog, which provides weekly insights on the latest threats and attacks that target companies outside the firewall and put customers at risk. He has held various customer satisfaction positions with ...
Comments
Marilyn Cohodas,
User Rank: Strategist
9/3/2014 | 8:10:45 AM
Re: Mobile Risk is the purpose in this article
Agree @jspivey282. If using a controversial public figure like John McAfee can shed light on an important, growing concern, the press can be forgiven for a little sensationalism. Peter's article raises very good points about a threat that everyone in the security should legitimately be paranoid about! Thx for commenting.
jspivey282,
User Rank: Apprentice
9/2/2014 | 5:21:56 PM
Mobile Risk is the purpose in this article
I see the value Peter brought to light is about the threats and vulnerabilities of mobile technology and how it is both growing in number of mobile devices and in the diversity of types of threats. Whether through malware or asking "permission", the risk associated with mobile is misunderstood by most - so this article or others similar in content help to shed light on the issues and bring awareness to the issues. Using a controversial name, such as John McAfee, as a story backdrop helps to bring attention...to this issue-

I applaud Peter's efforts !
InfoSec14,
User Rank: Apprentice
8/21/2014 | 11:04:30 AM
Re: He is not that crazy
How crazy John McAfee is or is not is irrelevant. What is relevant is that he has stated that Hezbollah, Los Zetas, Sinaloa Cartel, The Belize Government and the Portland Police Department are trying to kill him.

His latest claim on Bloomberg this past week is that The Belize Government is trying to murder him. bloom.bg/1l0mRJB

So either CIOsynergy has already decided he is a liar or they don't give a rat's butt about the security and safety of the people who attend their events. Either way it makes them ignorant and reckless bottom feeders.

It's not as if McAfee's whereabouts are really all that secret especially when CIOsynergy has it plastered all over their website.
Marilyn Cohodas,
User Rank: Strategist
8/21/2014 | 10:19:45 AM
Re: He is not that crazy
There is a legitimate debate about how crazy or not crazy John McAfee is. But it's hard to argue against the fact that mobile is a substantial security risk. 
drchaos,
User Rank: Apprentice
8/21/2014 | 9:00:08 AM
He is not that crazy
This is a great article by Peter! John, apparently, isn't as crazy as people thought he was. His points make quite a bit of sense and it is hard not to see validity in them. Mobile is the single most enabler these for most organizations. It is also the single biggest risk. It's true it is getting harder to attack mobile devices in some ways because the code footprint is smaller (technically making it tighter) as well more people are concentrating their efforts on the PC. I do think we will see a radical shift as more attackers focus on mobile platforms just based on their popularity.
NipsUtopia,
User Rank: Apprentice
8/20/2014 | 11:06:12 AM
Re: Interesting
His lawsuits have nothing to do with the value I talk of. No doubt he made some wrong turns - so did Bill Clinton. The US lawsuit by the way was for negligence after Greg died sporting on John's propelled hang glider - a simple waiver form would have avoided that mess.

Men's Wearhouse fired George Zimmer, Apple fired Steve Jobs -- so what it happens! But no one ever can deny that it was their vision, passion and insight that birthed the organizations to where they are now.

You're mixing your arguments up here. This article is not about his personal life and decisions. It's about his insight, knowledge and experience within the realm of security.

You have to make that separation. Half of your favorite musicians and actors you adore likely have similar lives - stoned out and on the wrong side of the law. Does that make you appreciate their talent any less.

My only context to McAfee and I believe the author's direction here is security education - NOT social ethics.
InfoSec14,
User Rank: Apprentice
8/20/2014 | 10:47:51 AM
Re: Interesting
NipsUtopia,

There is zero value in what McAfee and his gaggle of retards has to say. McAfee just lost a lawsuit for 2.5 million a month ago for the death of 2 men. Deaths that he was clearly responsible for. The very same suit he ran to Belize to avoid.

He is on the run from a second suit for the murder of Greg Faull - a lawsuit he refuses to be served a summons for (Even after saying he would face it). He is running from the suit because he knows he will lose and will be promptly extradited back to Belize. He was having sex with children, was making his own dope and did kill Greg Faull. None of this is a joke nor will it be forgotten.

All the uninformed mindless drones keep repeating that John McAfee made the McAfee brand what it is and it's an uneducated lie. McAfee was forced out of his own company in 1992 by Bill Larson because John was always stoned off his butt and could not function. Bill Larson made McAfee what it is - he secured the product lines and did all the work and John McAfee was nothing more than a bad joke.

John has been stuck on stupid for many, many years.

John has made mention many times that he has 17,000 hours of recordings and data recorded that was stolen from Belize officials after he gave them all malware infused laptops.

On August 11, 2014 he gave interviews to both Fox News and Bloomberg West and clearly stated he would disclose "The whole ball of wax" on Monday August 18, 2014. He said he would be posting it all on his website brownlist. He lied AGAIN.

NipsUtopia,
User Rank: Apprentice
8/20/2014 | 10:18:17 AM
Re: Interesting
There is huge value in what McAfee is doing, just because he does not conform to what we believe are society's 'standard' or 'code of ethics' you can't discredit his achievements. McAfee Associates paved the path for modern anti-virus detection that put it in the hands of every computer user.

We rely on people like McAfee to distrust the process and create solutions to open our eyes to the next threat. His message is beware of the unknown!, understand the reach of your smart phones and the infancy of its use. We access more private info on our smart phones than we do on our computers yet how many have anti-virus applications installed - we all have it on our computers but why not on our smart phones. It's simply because we are blind to its dangers.

McAfee is just taking a stand and saying 'open your eyes'. We access email, banks, paypal, and much more from these small devices with little thought to their security.

Bravo to the author and thanks John - keep the message strong - education is the key to threat mitigation.
InfoSec14,
User Rank: Apprentice
8/19/2014 | 7:40:20 PM
Re: Interesting
@RiskIQBlogger, McAfee rehearses a few lines of BS and repeats it ad infinitum. Look at his recent interviews on Fox and Bloomberg West, exact same blah blah blah followed by completely irrelevant. He is no more than an advertisement for Smart Phone apps he is offering while in the same breath he tells you to quit using smart phones. He has become so confused by his own contradictions that he is contradicting himself. You mention he was a Genius for building McAfee Antivirus and cashing out in 1994 for 100 million bucks. On the flip side a foole and his money soon be at debate. He lost every dime he had in less than 20 years - That's not genius, smart or wise. That's plain stupidity. You using his name to promote your article doesn't make you look any smarter.

@Thomas Claburn, Emptor Cavete
soozyg,
User Rank: Apprentice
8/19/2014 | 6:55:06 PM
email has flags
Phishing and malware emails have flags if you know how to look for them. Sometimes there is a word in another color for no reason. Sometimes a word is capped unnecessarily. Sometimes the address says Dear [Name]; (colon is inappropriate).