Jan 24 2013

Controls against Mobile Code

Category: ISO 27k,Mobile SecurityDISC @ 12:16 pm

ISO 27002 control A 10.4.2 of the standard requires that mobile code execution should be restricted to an intended environment to support an authorized organization mobile code policy.

What is a mobile code so let’s first start with the definition: ‘Program or a code that can execute on remote locations without any modification in the code can travel and execute from one machine to another on a network during its lifetime.’ Some of the computer languages used for mobile code include but not limited to Java, JavaScript, Active x, VB script, C++, C#, ASP.NET, macros and postscripts.

Mobile code could be use for some benign to a very malicious activity which basically depend on coder intentions. Malicious activities may include collection of personal and private information, patient healthcare information, introducing Trojans & worms, and sometime used to modify or destroy information.

Different mobile code languages are used to achieve various goals by the the coder, most pop-ups are coded in JavaScript, Active x for downloading apps and patches. Only If a coder/hacker is enable to execute a mobile code on an organization infrastructure (PC, router, switch, server..) will make it possible to download, collect personal and private information and for that matter any other malicious activity.

example, if one window or frame hosted on one server tries to access the properties of a window or a frame that contains a page from a different server, then the policy of the browser comes into play and restricts that type of action from happening. The idea behind such restrictions is to prevent hackers from putting their pages inside the original page and extract unauthorized information where codes inside their pages are written for that purpose

Protections for Mobile Code
One of the solutions to secure the JavaScript from using it to write a mobile code and run it on the client-side is to perform parsing of the code before execution. If the code can be parsed before execution i.e. having access to the stack, where control over the execution of the code can be achieved the malicious virus can be prevented.

The best and the easiest way to block mobile code is to have an authorized policy to ban or restrict the mobile code into your organization. To implement this policy, an organization can build a rule set on their firewall to block all the mobile code at the perimeter and stop entering into the organization. At the same this may not be feasible for many organizations since languages like JavaScript and active x are used heavily in building website to add bells and whistles. This takes us back to familiar risk assessment question, how much and what mobile code should be allowed into the organization. Organization should assess the related risk to each mobile code and allow or disallow based on the risk it pose to business. If there’s an exception make sure the business owner sign off the exemption form.

Ongoing user awareness to mobile code policy and risk assessment process will be necessary to minimize risk. Block mobile code should be monitored or scanned based on the policy and appropriate measures should be taken if rogue mobile code is detected.

Do you check your verdors or partners are not downloading malicious mobile code on your website?

To know more about Mobile Code
.
Titles on eBay
Titles on DISC InfoSec Store

Related articles

Tags: ActiveX, Business, ISO/IEC 27002, Java, JavaScript, Mobile code, Personal computer, VBScript

Nov 01 2012

10 reasons to ponder before using your smartphone for banking

Category: Smart PhoneDISC @ 11:55 am


 

Mobile Payment Security

01) There is no clear legislation that sets out your rights to receive a refund if your bank account is fraudulently emptied due to mobile bank app insecurity. The burden of proof seems to be on the user to protect their handset, operating system, software, mobile operator infrastructure and everything else in the “chain” of the transaction.

02) Of course you want to be able to use WiFi hotspots, this means you are in most cases operating on an insecure wireless network. It’s so easy for “bad guys” to sniff the air with a free utility and read your details.

03) Most users have not even set up a basic passcode on their devices (smartphones). Therefore if some gets access to the device, they have potentially access to their bank account.

04)  Most app stores do not test the security of apps. It is very easy for the “bad guys” to put Malware in the apps that can steal information from your device or other apps on your phone/device (e.g. banking app). Or it can happen when the app updates.

05) Most Smartphone device users have not installed security software on their device. Therefore they have less security than comparing to a laptop or PC with security software installed.

06) The average Smartphone users does not regularly perform OS (Operating System) updates. Many of these updates are critical security patches.

07) Due to performance issues, many of the lower cost handset manufacturers are disabling security features in order to improve performance of the device.

08) Malware on the Android platform smartphone alone has gone up over 400% in the last year

09) The technology that keeps apps separate on device does not separate them out into private sandboxes. This means that one app can read the details stored in another app without much difficulty.

10) ) If you check the T&C’s (terms and conditions) from  local  banking app and they may  want you to grant permission for the app to know your phone location (GeoIP).

Related articles

Tags: Android, Geolocation, Malware, Operating system, Personal computer, Security, Smartphone, Wi-Fi

Apr 21 2010

Raid said to have hacked Google password system

Category: CybercrimeDISC @ 3:30 pm

Google Appliance as shown at RSA Expo 2008 in ...
Image via Wikipedia

John Markoff, New York Times

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret.


But a source with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s services, including e-mail.


The program, code-named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days in December, the source said. The software is intended to enable users to sign in with their password just once to operate a range of services.


The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making changes to the security of its networks after the intrusions. But the theft leaves open the possibility that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.


The new details seem likely to increase the debate about the security and privacy of systems that now centralize the personal information of millions of individuals and businesses.


Link to ‘poisoned’ site


The theft began with a single instant message sent to a Google employee in China, according to the person with knowledge of the inquiry, who spoke on the condition he not be identified. By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View.


Ultimately, the intruders were able to gain control of a software repository used by that team.


Tightening security


The details surrounding the theft of the software have been a closely guarded secret by the company. Google first publicly disclosed the theft in a Jan. 12 posting, which stated that the company was changing its policy toward China in the wake of the theft of unidentified “intellectual property” and the apparent compromise of the e-mail accounts of two human rights activists.


Company executives declined to comment Monday about the new details of the case.


Google continues to use the Gaia password system, now known as Single Sign-On, but has tightened the security of its data centers.


Several technical experts said that because Google had quickly learned of the theft of the software, it is unclear what the consequences of the theft have been. One of the most alarming possibilities is that the attackers might have intended to insert a Trojan Horse – a secret backdoor – into Gaia and install it in dozens of Google’s global data centers to establish clandestine entry points.


This article appeared on page D — 1 of the San Francisco Chronicle on Apr 20, 2010

Cyber War: The Next Threat to National Security and What to Do About It

Tags: china, Gaia, Google, Human rights, Personal computer, Software developer, Trojan horse, Website

Dec 04 2009

Five ways to lose your identity

Category: Identity TheftDISC @ 2:42 pm

beconstructive12

By Jaikumar Vijayan
The rush by shoppers to the Web makes the season a great time for online retailers. It’s also a great time for hackers looking to steal data and money from the unwary millions expected to search for great deals online.

Checkout huge savings on Today’s Hot Deals on Information Security Solutions for the holidays

The growth of holiday hackers has annually prompted security analysts, identity theft awareness groups, and various government agencies to come up with lists of precautions that consumers can take to avoid becoming a victim of online fraud. Such lists can prove a benefit to consumers, but unfortunately some people ignore it.

Below are the identity theft awareness tips which can help maximize your exposure to online fraud.

Tip No. 1: Open all attachments from strangers and click on all embedded links in such e-mail messages. Such actions remain one of the most effective ways to provide thieves with personal information and financial data. All a hacker needs to do is find computer users who instinctively open e-mail messages from strangers, even those who write in a foreign language. The action can open the door to keystroke loggers, rootkits, or Trojan horse programs. Crooks can also easily install backdoors to easily steal data without attracting any attention. Once installed, hackers gain unfettered access to personal data and can even remotely control and administer systems from anywhere.

Tip No. 2: Respond to Dr. (Mrs.) Mariam Abacha, whose name is used by many hackers who say they have close friends and relatives in Nigeria who have recently been widowed or deposed in a military coup and need your help to get their millions of dollars out of the country. Users are told they will undoubtedly be rewarded for helping to get their “well-packed trunk boxes” full of cash out of Nigeria. And to make sure to provide bank account information, login credentials, date of birth, and mother’s maiden name so that they can wire the reward directly into a checking account in time for the holidays.

Tip No. 3: Install a peer-to-peer file-sharing client on your PC and configure it so all files, including bank account, Social Security, and credit card numbers, along with copies of mortgage and tax return documents, are easily available to anyone on the same P2P network. Your personal data will stream over the Internet while you check out what songs you can download for free without getting sued by the RIAA.

Tip No. 4: Come up with passwords that are easy to crack. It saves hackers from spending too much time and effort trying to access your PC. Clever sequences such as “123456” and “abcdef” and your firstname.lastname all make fine, easy-to-remember default passwords for you and for hackers. For maximum exposure, keep passwords short, don’t mix alphabets and numerals, and use the same password for all accounts.

Tip No. 5: Avoid installing the latest anti-malware tools and security updates. Keeping operating systems properly patched and anti-virus and anti-spyware tools updated make life hard for hackers. Users can help them out by making sure their anti-virus software and anti-spyware tools are at least 18 months out of date or by not using them at all. Either way, it’s very likely that your computer will be infected with a full spectrum of malware.

For additional tips on how to shop securely on Christmas and holidays season:
How to shop safely online this Christmas
Identity theft tip-off countermeasure and consequence | DISC

Please comment below regarding any other new and emerging threat which needs to be addressed during holiday’s season?

Reblog this post [with Zemanta]

Tags: antivirus, Christmas and holiday season, Computer security, Credit card, File sharing, hacker, Identity Theft, Malicious Software, Malware, Online shopping, Personal computer, Security, shop safely, shop securely, Spyware, threats, trojan, Trojan horse