Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    November 2014
    S M T W T F S
    « Oct    
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    30  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Raimund Genes



    Nov10
    2:15 am (UTC-7)   |    by

    Last year, as part of our predictions for 2014 we said there would be one major data breach every month. At the time, many people said that our prediction was overly pessimistic. It was one prediction I would have been happy to have gotten wrong.

    Unfortunately, I haven’t been proven wrong. We’ve seen major data breaches hit large institutions left and right. In many cases, these breaches have been due to attacks by point-of-sale (PoS) malware that hit these companies. In other cases, attackers got into their networks directly and stole the information of their users.

    People may think that financial information is the most valuable information that can be lost, but that’s not always the case. Banks and other financial institutions are very good about not letting consumers eat the cost of financial fraud, so even if, say, your credit card number gets stolen and used by cybercriminals, you won’t have to bear the final cost.

    In some ways, in fact, your personal information getting leaked is more dangerous. I can change my credit card easily, but unless I move I can’t change my address.  Neither can I change my birthday. Personally identifiable information does not only identify the user, it is also frequently difficult, if not impossible, to change.

    These kinds of attacks can be used to make future social engineering attacks “better”. For example, a future attack can now give me my address, phone number, and other personal information and sound more convincing. Many users will be fooled and fall victim to all sorts of attacks.

    To many governments, it looks like companies are not protecting the information they have on their users. This may be why we’re seeing moves to impose regulations on how companies should protect the data of their users.

    For example, in Europe, the new EU Data Protection Regulations could mean that companies could face severe fines if they were breached – fines of up to 100 million Euros. Other countries are imposing their own sets of regulations, with their own sets of penalties.

    If you’re a company doing business in various countries, these will be some difficult times, as you will now have to cope with differing sets of rules and regulations, increasing the cost of compliance to your company.

    There is a silver lining to this, however. Maybe when company directors everywhere realize the cost of being breached, they’ll finally approve putting in place Intrusion Detection Systems and the other tools needed in today’s threat landscape.

     
    Posted in Bad Sites |



    There are many mobile app developers today who want to develop the next hot mobile app. After all, if you pay your cards right, you could end up being bought by a much larger company like Facebook, Google, or Microsoft for billions of dollars.

    It’s hard enough to build a mobile app that will have the features and ease of use that will make it popular with millions of users. There are other things that apps can compete on, however: this includes the privacy and security of their users.

    How can developers do this? First of all, consider how the app is written. Are best practices being followed? Developers on PCs and Macs have already learned that their apps can suffer from vulnerabilities that can be exploited. Are you doing your best to avoid these issues?

    One reason to harden your apps against possible exploitation is repackaging. This is when the bad guys take a legitimate app and add their own malicious code to it. This added code can be anything – premium SMS abuse, cryptocurrency mining, even information theft. Not only does this harm the end user, it also damages your good name as well. (For more in-depth information about app repackaging, read our relevant paper, Fake Apps: Feigning Legitimacy.)

    If your business model revolves around ads served by third-party ad networks, be careful in choosing which ad networks you choose to partner with. Some ad networks are less reputable than others, either asking for too much user information to target their ads or allowing malicious ads to run on their networks. Remember: it’s not just their reputation on the line, it’s yours as well.

    Another issue is how you integrate with various social networks. It’s become very popular to integrate social networks into mobile apps. This is perfectly safe, so long as it’s done correctly. Social networks generally use some sort of API to allow third-party apps to access their information; use these APIs instead of just asking for your user’s private login credentials.

    In terms of privacy, consider what you’re asking from the user. We’ve all seen how some apps ask for permissions that have absolutely nothing to do with their main purpose. Why would a flashlight app need access to your calendar or contacts? Consider what you actually need from your users and don’t just ask for anything and everything just because you can.

    We offer tools that will help mobile app developers check if their apps are secure. The Mobile App Reputation Service checks apps based on their behavior and identifies any potentially problematic behavior on their apps. We hope that these tools will help developers realize that protecting the privacy and security of their users should be something that is an integral part of creating the next mobile app.

     
    Posted in Bad Sites, CTO Insights, Mobile |


    Sep1
    10:12 pm (UTC-7)   |    by

    For the past year or so, I’ve noticed that people are getting increasingly concerned about how protected their information is – not just from hackers, but from governments and large Internet companies as well. Individual users and organizations are now saying – more than ever before – that privacy and security matters.

    Of course, the desire for privacy and security is sometimes trumped by the desire for added convenience and features. However, one thing that will cause changes in how data is protected is government regulation. In some quarters, it is perceived – rightly or wrongly – that private companies cannot be trusted with the data of their users, and that the government must step in.

    The European Union is well on its way with a new set of rules that will control how organizations that do business in Europe will have to store, manage, and control user data. A company does not have to be located in Europe to be affected, making the scope of these regulations larger than immediately apparent.

    Will this be enough to make consumers trust that their data is in safe hands? Not entirely. Some users will not trust companies that protect their data just to comply with regulations. Companies that hold the personal data of their users need to go above and beyond what regulations call for, to reassure their users that they are doing all they can to protect their users.

    The Internet has been an amazingly valuable tool to connect people all over the world with each other. However, recent events have unfortunately shaken the confidence we once had in our online lives. Both individuals and organizations need to take steps to rebuild that trust and confidence to keep the Internet safe and open for everyone. We are all digital natives now. The Internet is too important in all our lives to be treated any other way.

     
    Posted in CTO Insights | Comments Off


    Aug4
    9:09 pm (UTC-7)   |    by

    When you work for a security company, sometimes people think you must know everything there is to know about technology. So sometimes I get asked, “Will Bitcoin and other cryptocurrencies succeed?”

    Unfortunately, I’m an engineer, not an economist. I can’t speak to how big central banks like the Federal Reserve in America, the Bundesbank here in Germany, or the Bank of England in Britain will react to it. Maybe they’ll try to regulate it. Maybe they’ll try to ban it. Who knows? Ask an economist or a banker; they might know better.

    What I do know is that more and more brands are accepting cryptocurrencies as payment. In America, for example, online tech stores like Dell and Newegg have started to accept bitcoins. Not only can you buy your gadgets with bitcoins, but you can also go on vacation with them — online travel agencies like Expedia.com and airlines like airBaltic accept bitcoins as well.

    However, they’re not the only ones who have embraced Bitcoin. Cybercriminals have embraced it too. If you’re affected by ransomware, you can pay for your ransom with bitcoins. Cybercriminals buying goods and services from each other are using it, too.

    Why are these crooks using Bitcoin? One reason may be they think that it’s safe and anonymous. Certainly, many of its biggest supporters say the same thing. However, that’s not really accurate. Yes, your Bitcoin address doesn’t directly say anything about you, but all transactions are part of the blockchain – which means anyone can see it.

    Any organization with skills in organizing large data sets and gathering information from various sources could – if they wanted to, de-anonymize Bitcoin transactions. It’s not as safe as people think. Let’s not even go into detail about how malware is trying to steal bitcoins from the wallets of users.

    So, is Bitcoin the future of cryptocurrencies? What I do know is that cybercriminals like it just as much as real-world currency, and it has its own share of risks too. In some ways, the new digital currency is just like the old ones.

    For more of my thoughts on Bitcoin and other cryptocurrencies, watch the video below titled Bitcoin: Here today, gone tomorrow?.

     


    Jul6
    6:43 pm (UTC-7)   |    by

    Whenever I hear about the Internet of Everything, I find myself somewhat conflicted. There’s no doubt that it is the new “mega trend” in technology, but at the same time I wonder how secure it is. Let me explain.

    When a company creates a smart device, they not only need to create the hardware for the device, they also need to write the software for it. This is not a simple task, particularly for complex items. Take, for example, a modern car. Think of all the features it has: distance assistance, lane assistance, and even notification of emergency services if I crash. It can even compile various statistics about how I drive and compare it to other drivers of that model.

    All this results in a very large amount of software that needs to be written. A modern car has more than 100 million lines of code. This is more than double that of an office suite like Microsoft Office (45 million); or seven times more than that of a Boeing 787 Dreamliner (14 million). More code not only means more features, but also more opportunities for various security flaws and vulnerabilities.

    Software vulnerabilities are something that, unfortunately, we’ve learned how to deal with. Software vendors all over the world regularly send updates to their customers; smart devices should be no different. All of my cars in the past decade have received regular updates, including changes in their steering. Given how on the autobahn, 140 miles per hour (or 225 kilometers per hour) is normal cruising speed, it’s rather important that there be no blue screens of death in these situations.

    We already know that vulnerable devices are under attack by cybercriminals. For example, routers are under attack all the time, and can be quite easily compromised. We need the vendors of smart devices to realize that their products, too, can become targets. Security vendors like Trend Micro will do what we can to protect users, but it’s better for all parties that smart devices be as secure as possible in the first place. Not only must the vendors of these devices try to develop their products in line with sound security practices; they must also test these devices so that they stay safe in the face of new threats.

    More of my thoughts on the Internet of Everything are in the video below:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

     
    Posted in CTO Insights, Internet of Everything | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice