    TrendLabs Security Intelligence Blog

    Author Archive - Raimund Genes (Chief Technology Officer)




    There are many mobile app developers today who want to develop the next hot mobile app. After all, if you play your cards right, you could end up being bought by a much larger company like Facebook, Google, or Microsoft for billions of dollars.

    It’s hard enough to build a mobile app that will have the features and ease of use that will make it popular with millions of users. There are other things that apps can compete on, however: this includes the privacy and security of their users.

    How can developers do this? First of all, consider how the app is written. Are best practices being followed? Developers on PCs and Macs have already learned that their apps can suffer from vulnerabilities that can be exploited. Are you doing your best to avoid these issues?

    One reason to harden your apps against possible exploitation is repackaging. This is when the bad guys take a legitimate app and add their own malicious code to it. This added code can be anything – premium SMS abuse, cryptocurrency mining, even information theft. Not only does this harm the end user, it also damages your good name as well. (For more in-depth information about app repackaging, read our relevant paper, Fake Apps: Feigning Legitimacy.)

    If your business model revolves around ads served by third-party ad networks, be careful about which ad networks you partner with. Some ad networks are less reputable than others, either asking for too much user information to target their ads or allowing malicious ads to run on their networks. Remember: it’s not just their reputation on the line, it’s yours as well.

    Another issue is how you integrate with various social networks. It’s become very popular to integrate social networks into mobile apps. This is perfectly safe, so long as it’s done correctly. Social networks generally use some sort of API to allow third-party apps to access their information; use these APIs instead of just asking for your user’s private login credentials.

    In terms of privacy, consider what you’re asking from the user. We’ve all seen how some apps ask for permissions that have absolutely nothing to do with their main purpose. Why would a flashlight app need access to your calendar or contacts? Consider what you actually need from your users and don’t just ask for anything and everything just because you can.

    We offer tools that will help mobile app developers check if their apps are secure. The Mobile App Reputation Service checks apps based on their behavior and identifies any potentially problematic behavior on their apps. We hope that these tools will help developers realize that protecting the privacy and security of their users should be something that is an integral part of creating the next mobile app.

     
    Posted in Bad Sites, CTO Insights, Mobile



    For the past year or so, I’ve noticed that people are getting increasingly concerned about how protected their information is – not just from hackers, but from governments and large Internet companies as well. Individual users and organizations are now saying – more than ever before – that privacy and security matter.

    Of course, the desire for privacy and security is sometimes trumped by the desire for added convenience and features. However, one thing that will cause changes in how data is protected is government regulation. In some quarters, it is perceived – rightly or wrongly – that private companies cannot be trusted with the data of their users, and that the government must step in.

    The European Union is well on its way with a new set of rules that will control how organizations that do business in Europe will have to store, manage, and control user data. A company does not have to be located in Europe to be affected, making the scope of these regulations larger than immediately apparent.

    Will this be enough to make consumers trust that their data is in safe hands? Not entirely. Some users will not trust companies that protect their data just to comply with regulations. Companies that hold the personal data of their users need to go above and beyond what regulations call for, to reassure their users that they are doing all they can to protect their users.

    The Internet has been an amazingly valuable tool to connect people all over the world with each other. However, recent events have unfortunately shaken the confidence we once had in our online lives. Both individuals and organizations need to take steps to rebuild that trust and confidence to keep the Internet safe and open for everyone. We are all digital natives now. The Internet is too important in all our lives to be treated any other way.

     
    Posted in CTO Insights



    When you work for a security company, sometimes people think you must know everything there is to know about technology. So sometimes I get asked, “Will Bitcoin and other cryptocurrencies succeed?”

    Unfortunately, I’m an engineer, not an economist. I can’t speak to how big central banks like the Federal Reserve in America, the Bundesbank here in Germany, or the Bank of England in Britain will react to it. Maybe they’ll try to regulate it. Maybe they’ll try to ban it. Who knows? Ask an economist or a banker; they might know better.

    What I do know is that more and more brands are accepting cryptocurrencies as payment. In America, for example, online tech stores like Dell and Newegg have started to accept bitcoins. Not only can you buy your gadgets with bitcoins, but you can also go on vacation with them — online travel agencies like Expedia.com and airlines like airBaltic accept bitcoins as well.

    However, they’re not the only ones who have embraced Bitcoin. Cybercriminals have embraced it too. If you’re affected by ransomware, you can pay for your ransom with bitcoins. Cybercriminals buying goods and services from each other are using it, too.

    Why are these crooks using Bitcoin? One reason may be they think that it’s safe and anonymous. Certainly, many of its biggest supporters say the same thing. However, that’s not really accurate. Yes, your Bitcoin address doesn’t directly say anything about you, but all transactions are part of the blockchain – which means anyone can see them.

    Any organization with skills in organizing large data sets and gathering information from various sources could, if they wanted to, de-anonymize Bitcoin transactions. It’s not as safe as people think. Let’s not even go into detail about how malware is trying to steal bitcoins from the wallets of users.

    So, is Bitcoin the future of cryptocurrencies? What I do know is that cybercriminals like it just as much as real-world currency, and it has its own share of risks too. In some ways, the new digital currency is just like the old ones.

    For more of my thoughts on Bitcoin and other cryptocurrencies, watch the video below titled “Bitcoin: Here today, gone tomorrow?”

     



    Whenever I hear about the Internet of Everything, I find myself somewhat conflicted. There’s no doubt that it is the new “mega trend” in technology, but at the same time I wonder how secure it is. Let me explain.

    When a company creates a smart device, they not only need to create the hardware for the device, they also need to write the software for it. This is not a simple task, particularly for complex items. Take, for example, a modern car. Think of all the features it has: distance assistance, lane assistance, and even notification of emergency services if I crash. It can even compile various statistics about how I drive and compare it to other drivers of that model.

    All this results in a very large amount of software that needs to be written. A modern car has more than 100 million lines of code. This is more than double that of an office suite like Microsoft Office (45 million), or seven times more than that of a Boeing 787 Dreamliner (14 million). More code not only means more features, but also more opportunities for various security flaws and vulnerabilities.

    Software vulnerabilities are something that, unfortunately, we’ve learned how to deal with. Software vendors all over the world regularly send updates to their customers; smart devices should be no different. All of my cars in the past decade have received regular updates, including changes in their steering. Given how on the autobahn, 140 miles per hour (or 225 kilometers per hour) is normal cruising speed, it’s rather important that there be no blue screens of death in these situations.

    We already know that vulnerable devices are under attack by cybercriminals. For example, routers are under attack all the time, and can be quite easily compromised. We need the vendors of smart devices to realize that their products, too, can become targets. Security vendors like Trend Micro will do what we can to protect users, but it’s better for all parties that smart devices be as secure as possible in the first place. Not only must the vendors of these devices try to develop their products in line with sound security practices; they must also test these devices so that they stay safe in the face of new threats.

    More of my thoughts on the Internet of Everything are in the video below:

    For more information on the security risks and how to secure smart devices, visit our Internet of Everything hub which contains our materials that discuss this emerging field.

     
    Posted in CTO Insights, Internet of Everything



    Last month, there was a very interesting decision out of the European Court of Justice. The decision established what can be called the “right to be forgotten”. People can now ask search engines like Google to remove links from search results about them.

    So, for example, say you are now a successful businessman. However, the first search result for your name is a slightly embarrassing incident that took place in your youth. Now, you can ask Google to “forget” about that incident so it won’t show up first when someone searches for your name.

    You can debate whether this is a good idea or not. Europeans like myself tend to think this is a good idea – after all, who else should control your data but you, right? Americans tend to look at it as a free speech issue. There is a cultural divide here that will not be easy to resolve.

    What it does teach us, though, is how much data there is out there about all of us. Our web browsing, our purchases, our personal information – it’s all out there in the hands of various companies. And what are they doing with it? There’s an adage that says that if you’re not paying for the product, you are the product. The real customers are advertisers who want to sell you whatever it is they’re selling.

    Now, some will say that this isn’t all bad. After all, don’t you get free services and more relevant advertising? How can this be a bad thing?

    It’s not necessarily a bad thing either. What it has to be is an informed decision by users – that they give up some of their data in exchange for some service of value to them. Today, it’s hard to say that is the case – too often, the allure of “free” trumps everything else, and people will give up data about themselves without being completely aware.

    Privacy is ultimately defined by what people decide to share or not. It remains to be seen what people decide should be made public and what remains “forgotten”, as it were.

    More of my thoughts on privacy can be found in the following video:

     
    Posted in CTO Insights


     
