Study: Nefarious Apps Easily Slip Past Jelly Bean Security
Dec 17, 2012 8:41 AM PT
The findings weren't very sweet when researchers tested Android 4.2 Jelly Bean's beefed-up security.
Of the 1,260 malware samples the team at North Carolina State University tossed at the OS, only 15 percent of them were detected by Google's app verification service.
By contrast, Android anti-malware programs from 10 third-party software makers had detection rates ranging from 51 to 100 percent, the researchers found.
The blacklisting approach used by Google is an ineffective one, said Jerry Hoff, vice president for static code analysis at WhiteHat Security, told TechNewsWorld.. "The malware blacklist approach, which originated on the desktop and seems to be bleeding over to the mobile side, is outdated and will always be vulnerable to new forms of malware."
Even though Google has tried to boost its security capabilities by purchasing Virus Total, it apparently hasn't improved the security picture, according to Alexandru Catalin Cosoi, chief security researcher at BitDefender.
"It's no surprise to Bitdefender's research team that Jelly Bean's app verification system would still be far behind those of third-party mobile antivirus vendors, as Google has not made a name for itself by detecting and proactively fighting malware," he told TechNewsWorld. "Google's reputation in this area has been scarred repeatedly as Google's Bouncer failed to prevent malicious apps from being uploaded onto Google Play on several occasions," he added.
Google did not respond to our request for comment for this story.
USB Infection Innoculation
A popular way to infect computers and avoid network defenses is through an infected USB drive. That's how one of the most infamous malware program in recent times -- Stuxnet -- was spread. Such infections can be snuffed in the bud, though, with USB drives with antivirus software preinstalled on them.
That's what Kingston Technology is doing with some new versions of its popular enterprise products released last week. The drives -- the DataTraveler 4000 (DT4000) and DataTraveler Vault Privacy (DTVP) -- include antivirus software from Eset.
Eset's software met two criteria Kingston was looking for: a small footprint and effective protection. "Its virus definition are small," John Terpening, secure USB business manager for Kingston, told TechNewsWorld. "In the tests in our labs, Eset did very well identifying the viruses in our virus definition files."
With AV software on the drive, it can be protected from malicious traffic, he added. "Any time files are copied to the USB drive, the AV engine will scan those files," he explained. "If it finds a virus or potential threat in the file, it will alert the user."
According to Eset North America CEO Andrew Lee, portable media are a common source of malware infection. Kingston and Eset, he noted in a statement, can offer a solution which keeps the contents of USB flash drives safe and malware-free, and prevents malware from spreading via removable media.
Despite the popularity of the cloud in corner offices and boardrooms, IT professionals remain skeptical of the safety of data stored there.
Of the IT professionals surveyed at the 2012 Cloud Security Alliance Congress, 88 percent surveyed felt that their data hosted in the cloud could be lost, corrupted or accessed by unauthorized individuals.
Why technology that their organizations have reaped benefits with the cloud deployments -- 86 percent deemed their cloud deployments a success and more than half (56 percent) toward cloud services save their shop's money -- only 46 percent believe that their movement to the cloud increased their outfit's IT security.
An overwhelming number of the respondents (86 percent) said they chose to keep their organization's sensitive data on their local servers, rather than in the cloud, and more than half of them (51 percent) confessed that they do not trust their personal data to the cloud.
In addition, nearly half the respondents (48 percent) said the thought of governmental and legal action deterred them from stashing their data in the cloud.
- Dec. 10: Carolinas HealthCare System begins informing some 5,600 patients of a data breach at the Carolinas Medical Center-Randolph in Charlotte, N.C. An unspecified number of emails were exposed during the breach. Most did not contain patient information, although five of the emails contained Social Security numbers and a few others contained medical and patient information. The healthcare provider is unaware of any misuse of the information.
- Dec. 10: The ambulance billing program for Frederick County, Md., is informed by ADP that account information for some of program's customers may have been illegally accessed and exposed to a theft ring suspected of filing fraudulent federal income tax returns. Information may have included names, dates of birth and Social Security numbers. The employee who illegally accessed the data has been fired and is facing criminal charges, ADP said.
- Dec. 10: Canada would have one of the weakest data breach laws in the western world, even if proposed revisions to its current law were adopted by its parliament, the Montreal Gazette reports. The United States, Australia, Britain, France, Germany, Ireland and Spain have or are planning stiffer enforcement measures than Canada, an analysis of world data breach laws prepared by Canada's Privacy Commissioner's office and obtained by the newspaper through the Access to Information Act says.
- Dec. 11 The University of Georgia reports that the perpetrator of an October data breach at the school in which personnel records of some 8,500 current and former university employees were compromised was a former student who has died. According to police investigators, the student, Charles Stapler Stell, 26, most likely committed suicide. The university said it has no evidence that the compromised information was used for criminal purposes.
- Dec. 12: South Carolina State Budget and Control Board approves US$20 million loan to the state Revenue Department to pay for expenses connected to data breach in which 3.8 million taxpayers' Social Security numbers, 3.3 million bank account numbers and data on 700,000 businesses were compromised. Money will pay for credit monitoring, data encryption, mail costs of notifying victims and the services of a public relations firm and cyber security company.
- Dec. 12: California Department of Health Care Services discloses that 14,000 Social Security numbers belonging to healthcare providers in 25 counties were accidentally posted online for nine days before the mistake was discovered. The department is offering no-cost credit-monitoring for providers affected by the breach.
- Dec. 12: The Miami Family Medical Center on Australia's Gold Coast reveals that hackers penetrated the facility's computer systems and encrypted all of its data. The cyber extortionists are demanding AU$4,000 to decrypt the data. The center is trying to restore the information from backups but it's still unclear whether or not its database can be returned to a usable scale.
Upcoming Security Events
- Dec. 17: Securing Web and Mobile Apps: The Future of Digital Identity. 1 p.m. ET. Webcast sponsored by Vasco and Dark Reading. Free with registration.
- Dec. 20: Black Hat Webcast: Another Year in Web Security-- What did 2012 teach us about surviving 2013? 1 p.m. ET. Free.
- Jan. 7-9: Redmond Identity, Access & Directory Knowledge Summit 2013. Microsoft Conference Center, Redmond, Wash. Sponsored by Oxford Computer Group. Registration: $650.
- Feb. 8-9: Suits and Spooks Conference: Should Private Companies Take Measured Offensive Actions against Attackers? Waterview Conference Center, Washington, D.C. Registration: $595.
- Feb. 24-25: BSides San Francisco. DNA Lounge, 375 Eleventh St., San Francisco.
- Feb. 25-Mar. 1: RSA Conference USA 2013: Security in Knowledge. Moscone Convention Center, San Francisco. Registration: Jan. 25 and before, $1,895. After Jan. 25, $2,295.