Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    December 2014
    S M T W T F S
    « Nov    
     123456
    78910111213
    14151617181920
    21222324252627
    28293031  
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Raimund Genes



    Dec7
    11:00 pm (UTC-7)   |    by

    It’s that time of year again – the last quarter of the year is a time for many of us to buy a new smartphone, as we look at the new devices launched relatively recently by Apple, Samsung, and all the other phone providers and decide which one we shall use for the duration of our next smartphone contract.

    I’m sure that many of us will take home brand new iPhones and Android devices and set it up just the way we want our personal devices to be. We should take a minute to remember, however, that because these devices are so personal to us, the damage a hacked smartphone can do to is significant.

    Imagine what would happen if a hacker stole your personal data. We don’t have to imagine, however, as this has happened to many users in 2014. At the very least, this is embarrassing to the user in question, but to some it may be more than that.

    Your wallet may be at risk as well. Some cybercriminals try to sign their victims up for various premium SMS services that charge users as part of their monthly bill; others go for bigger fish and try to compromise the user’s online banking accounts – either by intercepting any confirmation codes sent to the user or by hijacking any mobile banking sessions completely.

    Either way, we need to do what we can and make sure that our personal mobile devices stay that way – personal. When you buy a new smartphone or tablet you need to set it up not only to make yourself comfortable with the device, but also to make things more secure.

    On Apple devices, the best hing you can do to stay safe is not do something else: jailbreaking.  By default, all iOS devices like the new iPhone live in a walled garden – what gets in has been approved by Apple. They do a reasonably good job of keeping their users safe.

    This changes, however, if you jailbreak your phone. Yes, you can now install apps that Apple didn’t approve, but these apps can be security risks. In addition, you may not be able to update your device to the latest version of iOS. In short: if you want to keep your iOS device secure, not jailbreaking is an excellent start.

    What about Android devices? What you can do here is to minimize your exposure to malicious apps. Don’t allow apps to be installed from risky sources, like third-party app stores. You should also install a security solution on your phone to catch any threats that may slip through and reach your phone.

    In addition to protecting yourself from mobile malware, you should also realize that because you carry a smartphone everywhere, you can lose your device very easily. If this happens, you may end up losing control of your personal data. Make sure you turn on your lock screen password and device encryption so that if you do lose your phone, the risk of losing your own data is minimized.

    A smartphone is not just a shiny gadget; it is also a storehouse for large amounts of your own valuable information. When you buy your new phone, keep that in mind and set your phone up accordingly.

     
    Posted in CTO Insights, Mobile |


    Nov10
    2:15 am (UTC-7)   |    by

    Last year, as part of our predictions for 2014 we said there would be one major data breach every month. At the time, many people said that our prediction was overly pessimistic. It was one prediction I would have been happy to have gotten wrong.

    Unfortunately, I haven’t been proven wrong. We’ve seen major data breaches hit large institutions left and right. In many cases, these breaches have been due to attacks by point-of-sale (PoS) malware that hit these companies. In other cases, attackers got into their networks directly and stole the information of their users.

    People may think that financial information is the most valuable information that can be lost, but that’s not always the case. Banks and other financial institutions are very good about not letting consumers eat the cost of financial fraud, so even if, say, your credit card number gets stolen and used by cybercriminals, you won’t have to bear the final cost.

    In some ways, in fact, your personal information getting leaked is more dangerous. I can change my credit card easily, but unless I move I can’t change my address.  Neither can I change my birthday. Personally identifiable information does not only identify the user, it is also frequently difficult, if not impossible, to change.

    These kinds of attacks can be used to make future social engineering attacks “better”. For example, a future attack can now give me my address, phone number, and other personal information and sound more convincing. Many users will be fooled and fall victim to all sorts of attacks.

    To many governments, it looks like companies are not protecting the information they have on their users. This may be why we’re seeing moves to impose regulations on how companies should protect the data of their users.

    For example, in Europe, the new EU Data Protection Regulations could mean that companies could face severe fines if they were breached – fines of up to 100 million Euros. Other countries are imposing their own sets of regulations, with their own sets of penalties.

    If you’re a company doing business in various countries, these will be some difficult times, as you will now have to cope with differing sets of rules and regulations, increasing the cost of compliance to your company.

    There is a silver lining to this, however. Maybe when company directors everywhere realize the cost of being breached, they’ll finally approve putting in place Intrusion Detection Systems and the other tools needed in today’s threat landscape.

     
    Posted in Bad Sites |



    There are many mobile app developers today who want to develop the next hot mobile app. After all, if you pay your cards right, you could end up being bought by a much larger company like Facebook, Google, or Microsoft for billions of dollars.

    It’s hard enough to build a mobile app that will have the features and ease of use that will make it popular with millions of users. There are other things that apps can compete on, however: this includes the privacy and security of their users.

    How can developers do this? First of all, consider how the app is written. Are best practices being followed? Developers on PCs and Macs have already learned that their apps can suffer from vulnerabilities that can be exploited. Are you doing your best to avoid these issues?

    One reason to harden your apps against possible exploitation is repackaging. This is when the bad guys take a legitimate app and add their own malicious code to it. This added code can be anything – premium SMS abuse, cryptocurrency mining, even information theft. Not only does this harm the end user, it also damages your good name as well. (For more in-depth information about app repackaging, read our relevant paper, Fake Apps: Feigning Legitimacy.)

    If your business model revolves around ads served by third-party ad networks, be careful in choosing which ad networks you choose to partner with. Some ad networks are less reputable than others, either asking for too much user information to target their ads or allowing malicious ads to run on their networks. Remember: it’s not just their reputation on the line, it’s yours as well.

    Another issue is how you integrate with various social networks. It’s become very popular to integrate social networks into mobile apps. This is perfectly safe, so long as it’s done correctly. Social networks generally use some sort of API to allow third-party apps to access their information; use these APIs instead of just asking for your user’s private login credentials.

    In terms of privacy, consider what you’re asking from the user. We’ve all seen how some apps ask for permissions that have absolutely nothing to do with their main purpose. Why would a flashlight app need access to your calendar or contacts? Consider what you actually need from your users and don’t just ask for anything and everything just because you can.

    We offer tools that will help mobile app developers check if their apps are secure. The Mobile App Reputation Service checks apps based on their behavior and identifies any potentially problematic behavior on their apps. We hope that these tools will help developers realize that protecting the privacy and security of their users should be something that is an integral part of creating the next mobile app.

     
    Posted in Bad Sites, CTO Insights, Mobile | Comments Off


    Sep1
    10:12 pm (UTC-7)   |    by

    For the past year or so, I’ve noticed that people are getting increasingly concerned about how protected their information is – not just from hackers, but from governments and large Internet companies as well. Individual users and organizations are now saying – more than ever before – that privacy and security matters.

    Of course, the desire for privacy and security is sometimes trumped by the desire for added convenience and features. However, one thing that will cause changes in how data is protected is government regulation. In some quarters, it is perceived – rightly or wrongly – that private companies cannot be trusted with the data of their users, and that the government must step in.

    The European Union is well on its way with a new set of rules that will control how organizations that do business in Europe will have to store, manage, and control user data. A company does not have to be located in Europe to be affected, making the scope of these regulations larger than immediately apparent.

    Will this be enough to make consumers trust that their data is in safe hands? Not entirely. Some users will not trust companies that protect their data just to comply with regulations. Companies that hold the personal data of their users need to go above and beyond what regulations call for, to reassure their users that they are doing all they can to protect their users.

    The Internet has been an amazingly valuable tool to connect people all over the world with each other. However, recent events have unfortunately shaken the confidence we once had in our online lives. Both individuals and organizations need to take steps to rebuild that trust and confidence to keep the Internet safe and open for everyone. We are all digital natives now. The Internet is too important in all our lives to be treated any other way.

     
    Posted in CTO Insights | Comments Off


    Aug4
    9:09 pm (UTC-7)   |    by

    When you work for a security company, sometimes people think you must know everything there is to know about technology. So sometimes I get asked, “Will Bitcoin and other cryptocurrencies succeed?”

    Unfortunately, I’m an engineer, not an economist. I can’t speak to how big central banks like the Federal Reserve in America, the Bundesbank here in Germany, or the Bank of England in Britain will react to it. Maybe they’ll try to regulate it. Maybe they’ll try to ban it. Who knows? Ask an economist or a banker; they might know better.

    What I do know is that more and more brands are accepting cryptocurrencies as payment. In America, for example, online tech stores like Dell and Newegg have started to accept bitcoins. Not only can you buy your gadgets with bitcoins, but you can also go on vacation with them — online travel agencies like Expedia.com and airlines like airBaltic accept bitcoins as well.

    However, they’re not the only ones who have embraced Bitcoin. Cybercriminals have embraced it too. If you’re affected by ransomware, you can pay for your ransom with bitcoins. Cybercriminals buying goods and services from each other are using it, too.

    Why are these crooks using Bitcoin? One reason may be they think that it’s safe and anonymous. Certainly, many of its biggest supporters say the same thing. However, that’s not really accurate. Yes, your Bitcoin address doesn’t directly say anything about you, but all transactions are part of the blockchain – which means anyone can see it.

    Any organization with skills in organizing large data sets and gathering information from various sources could – if they wanted to, de-anonymize Bitcoin transactions. It’s not as safe as people think. Let’s not even go into detail about how malware is trying to steal bitcoins from the wallets of users.

    So, is Bitcoin the future of cryptocurrencies? What I do know is that cybercriminals like it just as much as real-world currency, and it has its own share of risks too. In some ways, the new digital currency is just like the old ones.

    For more of my thoughts on Bitcoin and other cryptocurrencies, watch the video below titled Bitcoin: Here today, gone tomorrow?.

     


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice