Brace Yourself for the Post-PC Threat Era

It was inevitable. As computing has evolved, so has its nemesis: malware.

in play”2012 is truly the year we entered the post-PC era as cybercriminals moved to embrace Android, social media platforms, and even Macs with their attacks,” Trend Micro declared in its annual Security Roundup last week.

A characteristic of the post-PC threat landscape is the accelerated growth of malware, said Trend Micro CTO Raimund Genes.

“We saw mobile malware grow from zero to 350,000 in three years, while in the PC world, it took 14 years to reach that number,” he told TechNewsWorld.

However, it’s unfair to compare the nascent environment for malware writers in the PC era with the environment for mobile malware writers today, Genes noted.

“When the first PC viruses were written, they were written for fun,” he explained. “There were no commercial interests behind them. All malware now is there to make money. That’s a big change from the early PC days.”

Another big change in the malware landscape is the industrialization of bad app production, according to the report.

“Beyond this move away from the PC, 2012 saw attackers focus on refining their attacks and adopting more professional software development practices rather than introducing new attack means,” it said. “The Black Hole Exploit kit, automatic transfer systems (ATSs), and ransomware were all refined and improved in ways that would make any commercial software vendor proud.”

Things won’t be getting any better for malware fighters in 2013, Trend Micro predicted. Malware threats for Google’s Android operating system alone will hit 1 million this year.

Google’s War on Passwords

Two Google security gurus made some headlines last week when they revealed the search giant was working on a scheme to replace passwords as a means of authentication on the Internet.

Google is working on a Web protocol to make it easier for everyone to use tokens to access their online accounts, VP of Security Eric Grosse and engineer Mayank Upadhyay divulged in a paper set for publication in this month’s IEEE Security & Privacy Magazine.

The news attracted the attention of companies that focus on both token and tokenless security solutions.

“Imagine that you have one single key and one single password to securely access all your Internet life,” wrote Stina Ehrensvard in a blog hosted byYubico.

Yubico’s hardware, which can be plugged into a card reader or USB port, has some consumer perks, according to Philip Lieberman, president ofLieberman Software.

“They are the only solution that allows the consumer to program their own token, rather than depend on the vendor of the token itself,” he told TechNewsWorld.

Yubico’s tokens can also be erased and reused, and can hold multiple secrets that can be used for multiple application at the same time, Lieberman added.

The problem with tokens is that you have carry them around with you.

“We have learned over the past 10-plus years that people don’t want to carry physical tokens in any shape or form,” Steve Watts, sales manager forSecurEnvoy, told TechNewsWorld.

Gozi Gang Indicted

The leaders of a cyberbank robbery gang were brought before a federal judge in New York City last week to face a variety of conspiracy and fraud charges from the U.S. Justice Department.

The three allegedly masterminded a worldwide bank fraud scheme that compromised more than a million computers, including 40,000 in the United States, and siphoned tens of millions of dollars from their victims’ bank accounts using the Gozi trojan malware.

Charged at the Jan. 23 proceeding were Nikita Kuzmin, 25, of Moscow, who developed the malware in 2005; Deniss Calovskis, 27, of Riga, Latvia, who enabled the Trojan to infect bank Web pages; and Mihai Ionut Paunescu, 28, of Bucharest, who ran the servers that kept the ring in business.

Gozi was distributed in a number of ways, including via infected PDF files, according to the Justice Department. After installation, the malware collected personal banking information from a machine, and shipped the data to a network of computers controlled by the ring which used the info to transfer funds out of their victims’ accounts.

“Banking Trojans are to cybercriminals what safe cracking or acetylene torches are to traditional bank burglars — but far more effective and less detectable,” FBI Assistant Director-in-Charge George Venizelos said.

Although law enforcement authorities are claiming Gozi is dead, it may be too early to write off the malware, according to Daniel Cohen, head of business development for online threats atRSA.

“The arrests are certainly an encouraging sign of how seriously authorities are taking these gangs,” he told TechNewsWorld. “While we have not seen any new developments around the Gozi Prinimalka scene, time will tell what the effects of these charges will have.”

Data Breach Diary

• Jan. 21. Human Resources and Skills Canada bans use of portable data devices following a data breach affecting 583,000 persons. The breach resulted from a hard drive discovered missing since November 2012. The disk contained names, birth dates, addresses, social insurance numbers and student loan balances for persons with loans through the Canada Student Loan Program from 2000 to 2006.
• Jan 23. Lucile Packard Children’s Hospital in Palo Alto, Calif., and the Stanford University School of Medicine reveal they’re notifying about 57,000 patients about a data breach that occurred Jan. 9. The breach happened when a password-protected laptop was stolen from a physician’s car.
• Jan 24. Jeffrey Ness, one of 5000 people affected by unauthorized access to motor vehicle records by a Minnesota state employee, files lawsuit in federal district court alleging violation of data privacy laws.
• Jan. 24. Sony Computer Entertainment Europe is fined $395,000 by the UK’s Information Commissioners Office for a data breach in April 2011 that compromised information — including credit card numbers — for millions of customers.

Upcoming Security Events

• Jan. 30. How Big Data Is Transforming Security. 9 a.m. ET. Webinar sponsored by RSA. Free.
• Feb. 7. Three Ways to Insure Data Loss Does Not “Deep Six” Your Business. 2 p.m. ET. Webinar sponsored by WatchGuard. Free.
• Feb. 8-9. Suits and Spooks Conference: Should Private Companies Take Measured Offensive Actions against Attackers? Waterview Conference Center, Washington, D.C. Registration: US$595.
• Feb. 12. Transforming Intelligence Operations Through IT. Sponsored by INSA and Nextgov. Ronald Reagan Building, 1300 Pennsylvania Ave., NW, Washington, D.C. Free.
• Feb. 14. Optimizing and Safeguarding Your Data Network. 1:30 p.m. ET. Webinar sponsored by Bank Info Security. Free.
• Feb. 24-25. BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco.
• Feb. 25-Mar. 1. RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: $2295.
• Feb. 26. Optimizing and Safeguarding Your Data Network. 11:30 p.m. ET. Webinar sponsored by Bank Info Security. Free.
• Mar. 12-15. Black Hat Europe. Grand Hotel Krasnapolsky, Amsterdam, Netherlands. Registration: through Jan. 10: 1,095 euros (US$1,447); through Feb. 28: 1,295 euros (US$1,711); Mar. 1-15: 1,495 euros (US$1,975).
• Jun. 11. Cyber Security Brainstorm. 8 a.m.-2:30 p.m. ET. Newseum, Washington, D.C. Registration for non-government attendees before March 3: $395; Mar. 3-Jun. 10: $495; Onsite: $595.