
8/19/2014
12:00 PM
Peter Zavlaris
Commentary

Why John McAfee Is Paranoid About Mobile

Mobile apps are posing expanding risks to both enterprises and their customers. But maybe being paranoid about mobile is actually healthy for security.

At this year’s SecureCIO event in San Francisco, in front of an audience of CISOs, CIOs, VPs, and directors collectively representing some of the largest corporations in America, John McAfee, the enigmatic founder and namesake of McAfee, proclaimed a veritable state of emergency in enterprise security.

"Our paradigms for protecting corporate assets [online] no longer work," said McAfee, who, after a brief hiatus (one in which he went toe to toe with the Belize Government), is back on the security scene serving as a consultant as well as founding his own startup.

In this talk, McAfee took square aim at mobile. He discussed a recent consulting engagement with an unnamed defense contractor. Apparently, out of nowhere and for no apparent reason, the contractor began losing contracts it would normally win. Eventually, it was discovered that a man-in-the-middle attack had successfully infiltrated the mobile devices belonging to the sales team. Anything they saw wound up in the hands of the competition.

As he explained, thanks to mobile devices, each employee has become a potential weak link in the enterprise security chain. Corporate data shared on mobile devices and tablets has become highly valuable to competitors. Meanwhile, forced permissions within mobile applications are granting access to sensitive data stored on phones.

It really is a big problem
The size and scope of this problem are substantial, and there is no end in sight. Anonymized data from more than 6 million active customer mobile applications analyzed by RiskIQ helps quantify the issue:

  • 245,000+ apps have account grabbing capabilities
  • 497,000+ apps can control vibration
  • 212,000+ apps are capable of accessing the camera
  • 184,000+ apps can access contacts
  • 66,000+ apps can read SMS

Why should we care if an application has access to a phone’s vibrate function? Because when hackers access a phone they can make changes, receive messages, download other applications, change settings, etc., without setting off the vibration alert. "Read SMS" allows hackers to capture SMS-based authentication tokens. "Get Accounts" allows the phone to access online accounts. With access to contact lists a cyber criminal can steal this information. There are literally dozens of standard permissions one could leverage to carry out a cyber attack -- without needing malware.

With many large consumer-facing businesses like banks and healthcare providers distributing their own branded mobile applications, the risks associated with copycat apps distributed and controlled by cyber criminals are magnified by escalating app permissions.

SMS text phishing
A recent example of this technique is Operation Emmental, discovered by Trend Micro. The attack uses an email phishing campaign to target customers of banks that use SMS-based authentication. It tricks victims into installing a fake but official-looking mobile app, which captures SMS messages sent from the bank. (Trend Micro found several variations of these apps wrapped with names and logos of popular German banks.) By stealing the victim’s username and password, and intercepting “out of band” authentication tokens sent to his or her mobile phone, attackers can take over the bank account to commit fraud.
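The permission risks listed earlier and the SMS interception described above can be screened for before an app is approved for corporate devices. The following is an added example, not code from the article or from RiskIQ: it assumes the app's manifest has already been decoded to text XML, and the sample manifest, package name, and `allowed` list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Permissions the article calls out, with the risk it attributes to each.
RISKY = {
    "android.permission.GET_ACCOUNTS": "account access",
    "android.permission.VIBRATE": "can suppress the vibration alert",
    "android.permission.CAMERA": "camera access",
    "android.permission.READ_CONTACTS": "contact list exposure",
    "android.permission.READ_SMS": "SMS authentication tokens readable",
    "android.permission.RECEIVE_SMS": "incoming SMS tokens interceptable",
}

# Constructed sample: decoded manifest of a hypothetical banking-branded app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bankapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission-sdk-23 android:name="android.permission.VIBRATE"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml.strip())
    return {
        el.get(ANDROID_NS + "name")
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for el in root.iter(tag)
        if el.get(ANDROID_NS + "name")
    }

def audit(manifest_xml, allowed=frozenset()):
    """Flag article-listed permissions not on the reviewer's allow list."""
    perms = requested_permissions(manifest_xml)
    findings = {p: RISKY[p] for p in sorted(perms) if p in RISKY and p not in allowed}
    # SMS access plus network access is the combination that lets an app
    # forward out-of-band tokens, as in the Operation Emmental description.
    sms_token_risk = bool(perms & SMS) and INTERNET in perms
    return {"findings": findings, "sms_token_risk": sms_token_risk}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, allowed={"android.permission.VIBRATE"})
    for perm, risk in report["findings"].items():
        print(f"{perm}: {risk}")
    print("SMS token interception risk:", report["sms_token_risk"])
```

A finding here is a prompt for review, not proof of malice: the reviewer compares the flagged permissions against what the app's stated function actually needs.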

In addition to excessive permissions and fake apps, mobile platform vulnerabilities are putting data at risk. For example, security firm Blue Box recently reported a major flaw in the Android operating system it dubbed "FakeID." It affects Android’s verification of digital signatures, which are used to vouch for the identity of mobile applications. Theoretically, this would allow attackers to successfully impersonate legitimate apps, like an online banking app, since the Android cryptographic code will not be able to verify its origin.

It’s becoming apparent that mobile applications are posing expanding risks to both enterprises and their customers. Whether it’s excessive permissions, fake (e.g., copycat) apps that claim to be from a trusted brand, or platform vulnerabilities like FakeID, it appears being paranoid about mobile might actually be healthy for security.

Peter Zavlaris is one of the primary analysts and contributors to the RiskIQ blog, which provides weekly insights on the latest threats and attacks that target companies outside the firewall and put customers at risk. He has held various customer satisfaction positions with ...
Comments
PZav,
User Rank: Author
8/19/2014 | 6:36:01 PM
Re: Interesting
Interesting criticism, John McAfee has built a billion dollar security giant in his lifetime, is asked to speak all over the world (except Belize) and consults some of the world's largest companies. Also, since you're interested in my career--I've also been featured on Wired and contributed to another article released on Tech News World today...so actually this isn't my first article. Thank you for reading!

 
Thomas Claburn,
User Rank: Ninja
8/19/2014 | 6:27:28 PM
Re: Interesting
Why is John McAfee paranoid about mobile? Because men in the dark glasses are watching.
InfoSec14,
User Rank: Apprentice
8/19/2014 | 2:11:19 PM
Interesting
The very first article you write is about John McAfee which really isn't about McAfee?

The man peddles apps for smart phones and then says dump your smart phone. His solution is not a solution is it? He reminds me of the saying, "If you can't dazzle them with your brilliance then baffle them with Bullsh!t".

Your article was long winded and not on point and failed to become relevant.