Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    February 2015
    S M T W T F S
    « Jan    
  • Email Subscription

  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Author Archive - Raimund Genes

    For many users today, how they use technology is defined by mobile devices. Their primary device is not a desktop computer, or even a laptop. Instead, it’s a tablet or a smartphone. Instead of data stored on a hard drive or a USB stick, corporate data is now stored in the cloud and accessed as needed by users. If we look at the number of PCs versus smartphones sold, the trend is clear. In the 3rd quarter of 2014, analysts estimate that 79.4 million PCs were sold – compared to 301 million smartphones in the same period.

    This changes the relationship that IT people have with end users. In the past, they would have given their users PCs that they could centrally control. However, for many organizations, that policy has not been acceptable: mobile devices are thought of as “personal” in a way that PCs are not.

    The result has been the rise of BYOD, short for Bring Your Own Device. Users buy their own devices and are responsible for them, but the company pays at least some of the costs.  In theory, everyone is happy: the user gets to use a device they chose, the company sees reduced costs and increased usage of newer, more efficient IT systems. What could possibly go wrong?

    Unfortunately, BYOD can turn out not be a dream, but a nightmare. Company data ends up being mixed with personal data and thus put at a higher risk of leakage. The devices can also be compromised and used to target the rest of an organization. BYOD can turn out to be Bring Your Own Disaster.

    There have been attempts to try and fix this, but they don’t work all that well. They try to separate the personal and the work-related on the device, but for both the user and the company they’re difficult to use.

    So, what is a good solution to this seemingly intractable problem? We can look to the world of PCs for a possible solution. In a Virtual Desktop Infrastructure (VDI), users access virtual machines running on a server. Why can’t we do something similar for mobile devices?

    Let’s call it a Virtual Mobile Infrastructure, or VMI. The client on the phone will do nothing but access a virtual mobile operating system running on company servers. Because it’s essentially the same OS as they’re used to on their devices, user acceptance should be high.

    More importantly, though, a properly implemented VMI solution would not leave data at risk on the user’s device. There are many industries where this would be useful: for example, in medicine, there would be no risk that sensitive medical data would actually leave hospital servers. In industries where there are severe regulatory restrictions on how and where data can be accessed, this can allow employees to work in a more flexible manner.

    VMI is an option that enterprises looking into implementing BYOD policies should seriously consider. BYOD brings many benefits to a company, but also attendant risks. VMI helps manage those risks so that companies can fully enjoy BYOD while reducing any potential problems.

    For more information, you can watch the video below.

    Posted in CTO Insights, Mobile |

    11:00 pm (UTC-7)   |    by

    It’s that time of year again – the last quarter of the year is a time for many of us to buy a new smartphone, as we look at the new devices launched relatively recently by Apple, Samsung, and all the other phone providers and decide which one we shall use for the duration of our next smartphone contract.

    I’m sure that many of us will take home brand new iPhones and Android devices and set it up just the way we want our personal devices to be. We should take a minute to remember, however, that because these devices are so personal to us, the damage a hacked smartphone can do to is significant.

    Imagine what would happen if a hacker stole your personal data. We don’t have to imagine, however, as this has happened to many users in 2014. At the very least, this is embarrassing to the user in question, but to some it may be more than that.

    Your wallet may be at risk as well. Some cybercriminals try to sign their victims up for various premium SMS services that charge users as part of their monthly bill; others go for bigger fish and try to compromise the user’s online banking accounts – either by intercepting any confirmation codes sent to the user or by hijacking any mobile banking sessions completely.

    Either way, we need to do what we can and make sure that our personal mobile devices stay that way – personal. When you buy a new smartphone or tablet you need to set it up not only to make yourself comfortable with the device, but also to make things more secure.

    On Apple devices, the best hing you can do to stay safe is not do something else: jailbreaking.  By default, all iOS devices like the new iPhone live in a walled garden – what gets in has been approved by Apple. They do a reasonably good job of keeping their users safe.

    This changes, however, if you jailbreak your phone. Yes, you can now install apps that Apple didn’t approve, but these apps can be security risks. In addition, you may not be able to update your device to the latest version of iOS. In short: if you want to keep your iOS device secure, not jailbreaking is an excellent start.

    What about Android devices? What you can do here is to minimize your exposure to malicious apps. Don’t allow apps to be installed from risky sources, like third-party app stores. You should also install a security solution on your phone to catch any threats that may slip through and reach your phone.

    In addition to protecting yourself from mobile malware, you should also realize that because you carry a smartphone everywhere, you can lose your device very easily. If this happens, you may end up losing control of your personal data. Make sure you turn on your lock screen password and device encryption so that if you do lose your phone, the risk of losing your own data is minimized.

    A smartphone is not just a shiny gadget; it is also a storehouse for large amounts of your own valuable information. When you buy your new phone, keep that in mind and set your phone up accordingly.

    Posted in CTO Insights, Mobile |

    2:15 am (UTC-7)   |    by

    Last year, as part of our predictions for 2014 we said there would be one major data breach every month. At the time, many people said that our prediction was overly pessimistic. It was one prediction I would have been happy to have gotten wrong.

    Unfortunately, I haven’t been proven wrong. We’ve seen major data breaches hit large institutions left and right. In many cases, these breaches have been due to attacks by point-of-sale (PoS) malware that hit these companies. In other cases, attackers got into their networks directly and stole the information of their users.

    People may think that financial information is the most valuable information that can be lost, but that’s not always the case. Banks and other financial institutions are very good about not letting consumers eat the cost of financial fraud, so even if, say, your credit card number gets stolen and used by cybercriminals, you won’t have to bear the final cost.

    In some ways, in fact, your personal information getting leaked is more dangerous. I can change my credit card easily, but unless I move I can’t change my address.  Neither can I change my birthday. Personally identifiable information does not only identify the user, it is also frequently difficult, if not impossible, to change.

    These kinds of attacks can be used to make future social engineering attacks “better”. For example, a future attack can now give me my address, phone number, and other personal information and sound more convincing. Many users will be fooled and fall victim to all sorts of attacks.

    To many governments, it looks like companies are not protecting the information they have on their users. This may be why we’re seeing moves to impose regulations on how companies should protect the data of their users.

    For example, in Europe, the new EU Data Protection Regulations could mean that companies could face severe fines if they were breached – fines of up to 100 million Euros. Other countries are imposing their own sets of regulations, with their own sets of penalties.

    If you’re a company doing business in various countries, these will be some difficult times, as you will now have to cope with differing sets of rules and regulations, increasing the cost of compliance to your company.

    There is a silver lining to this, however. Maybe when company directors everywhere realize the cost of being breached, they’ll finally approve putting in place Intrusion Detection Systems and the other tools needed in today’s threat landscape.

    Posted in Bad Sites |

    There are many mobile app developers today who want to develop the next hot mobile app. After all, if you pay your cards right, you could end up being bought by a much larger company like Facebook, Google, or Microsoft for billions of dollars.

    It’s hard enough to build a mobile app that will have the features and ease of use that will make it popular with millions of users. There are other things that apps can compete on, however: this includes the privacy and security of their users.

    How can developers do this? First of all, consider how the app is written. Are best practices being followed? Developers on PCs and Macs have already learned that their apps can suffer from vulnerabilities that can be exploited. Are you doing your best to avoid these issues?

    One reason to harden your apps against possible exploitation is repackaging. This is when the bad guys take a legitimate app and add their own malicious code to it. This added code can be anything – premium SMS abuse, cryptocurrency mining, even information theft. Not only does this harm the end user, it also damages your good name as well. (For more in-depth information about app repackaging, read our relevant paper, Fake Apps: Feigning Legitimacy.)

    If your business model revolves around ads served by third-party ad networks, be careful in choosing which ad networks you choose to partner with. Some ad networks are less reputable than others, either asking for too much user information to target their ads or allowing malicious ads to run on their networks. Remember: it’s not just their reputation on the line, it’s yours as well.

    Another issue is how you integrate with various social networks. It’s become very popular to integrate social networks into mobile apps. This is perfectly safe, so long as it’s done correctly. Social networks generally use some sort of API to allow third-party apps to access their information; use these APIs instead of just asking for your user’s private login credentials.

    In terms of privacy, consider what you’re asking from the user. We’ve all seen how some apps ask for permissions that have absolutely nothing to do with their main purpose. Why would a flashlight app need access to your calendar or contacts? Consider what you actually need from your users and don’t just ask for anything and everything just because you can.

    We offer tools that will help mobile app developers check if their apps are secure. The Mobile App Reputation Service checks apps based on their behavior and identifies any potentially problematic behavior on their apps. We hope that these tools will help developers realize that protecting the privacy and security of their users should be something that is an integral part of creating the next mobile app.

    Posted in Bad Sites, CTO Insights, Mobile | Comments Off

    10:12 pm (UTC-7)   |    by

    For the past year or so, I’ve noticed that people are getting increasingly concerned about how protected their information is – not just from hackers, but from governments and large Internet companies as well. Individual users and organizations are now saying – more than ever before – that privacy and security matters.

    Of course, the desire for privacy and security is sometimes trumped by the desire for added convenience and features. However, one thing that will cause changes in how data is protected is government regulation. In some quarters, it is perceived – rightly or wrongly – that private companies cannot be trusted with the data of their users, and that the government must step in.

    The European Union is well on its way with a new set of rules that will control how organizations that do business in Europe will have to store, manage, and control user data. A company does not have to be located in Europe to be affected, making the scope of these regulations larger than immediately apparent.

    Will this be enough to make consumers trust that their data is in safe hands? Not entirely. Some users will not trust companies that protect their data just to comply with regulations. Companies that hold the personal data of their users need to go above and beyond what regulations call for, to reassure their users that they are doing all they can to protect their users.

    The Internet has been an amazingly valuable tool to connect people all over the world with each other. However, recent events have unfortunately shaken the confidence we once had in our online lives. Both individuals and organizations need to take steps to rebuild that trust and confidence to keep the Internet safe and open for everyone. We are all digital natives now. The Internet is too important in all our lives to be treated any other way.

    Posted in CTO Insights | Comments Off


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice