It seems black hats are once again in demand as companies like Google seek out hackers to break their code, paying Sergey Glazunov $10,000 for identifying a UXSS vulnerability in Chrome 21 as part of nearly $30K paid out for discovering such vulnerabilities, fixed in Chrome 22. Mozilla started the trend in 2004 to prove the then-new Firefox was safe, and is reported to have paid out in excess of $750,000 in bounties.
Veracode says bug bounty programs are more popular than ever, with companies including Google, Mozilla, PayPal, Etsy and Facebook offering bounties of up to $60K to hackers who find critical vulnerabilities in their programs. Google increased the total reward pot for “Pwnium”, its Chrome hacking contest, to $3,141,590; that’s a lot of bugs to kill. Facebook is more austere, with bounties from $500 to $10,000. YouTube will pay up to $20,000.
And it is not just busting program bugs but busting security systems, as the thinking goes: who better than a hacker to beat a hacker?
Adobe, Apple and Microsoft don’t actively offer bounties, but Microsoft’s BlueHat security program pays up to $250,000 to “security professionals” who can develop the best counter-attacks.
Veracode stated that a majority of mobile app developers fail to achieve compliance/security on their first review. Of course they want to sell their services, but spend some time at their web site and you will wonder if it is ever safe to surf the net again, especially from your mobile device.
Their focus is presently on mobile application risks, where they review the top 10 mobile app security issues. These include:
1. Activity monitoring and data retrieval, mainly via spyware, which can monitor and intercept messaging; audio calls and open-mic recording; video and stills; location; contact list; call history; browsing history; text input; and stored data files.
2. Unauthorised dialling, SMS and payments, by switching a phone to premium-rate calls and SMS messages. The dialling Trojan can also run up the victim’s phone bill and use a legitimate telco to collect the ill-gotten gains on the attacker’s behalf.
3. Unauthorised network connectivity (exfiltration or command and control), where such programs can turn on the microphone or camera and download data files at a certain time.
4. UI impersonation: think of doing your banking when a pop-up screen that looks legitimate (i.e. the same as your own bank’s) asks you to click on something that sends your details to the attacker.
5. System modification, such as rootkit modification, that may make later attacks easier (like botnet attacks).
6. Logic or time bombs that trigger malicious activity based on a specific event or time.
7. Sensitive data leakage: sending location, owner ID, device ID, authentication credentials or authorisation tokens to the attacker.
8. Unsafe sensitive data storage, such as PINs and passwords stored in plain text in contact managers.
9. Unsafe sensitive data transmission over Wi-Fi, especially public Wi-Fi.
10. Hardcoded passwords/keys can be used by developers as backdoors, and attackers can reverse engineer apps and compromise system security.
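Items 8 and 10 above are the two that an app's own developers can fix directly, so here is an added example (not code from the article or from Veracode) showing what "stored in plain text" looks like next to a hardened store, and a simple check for credentials hardcoded in source. Every function name, the PBKDF2 iteration count and the sample source lines are constructed for this illustration.

```python
"""Added illustration of list items 8 and 10: plaintext PIN storage versus
a salted, iterated hash, plus a scan for hardcoded credentials.
All sample data below is constructed; nothing is taken from a real app."""
import hashlib
import hmac
import os
import re
from typing import List, Optional

# --- item 8: unsafe sensitive data storage -------------------------------

def store_pin_plaintext(pin: str) -> bytes:
    """Insecure: the stored record IS the secret (what item 8 describes)."""
    return pin.encode()

# Assumption: an iteration count chosen for this example, not a standard.
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16

def store_pin_hashed(pin: str, salt: Optional[bytes] = None) -> bytes:
    """Hardened: store salt || PBKDF2-HMAC-SHA256(pin, salt).
    The PIN itself never reaches disk; only a slow, salted digest does."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest

def verify_pin_hashed(record: bytes, candidate: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, digest)

def record_reveals_pin(record: bytes, pin: str) -> bool:
    """Would someone who reads the stored record see the PIN directly?"""
    return pin.encode() in record

# --- item 10: hardcoded passwords/keys in source ---------------------------

# Credential-looking name, an assignment, then a quoted literal of 8+ chars.
# Reading the value from the environment or a keystore does not match.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)(api[_-]?key|secret|passw(or)?d|token)\s*[=:]\s*["\'][^"\']{8,}["\']'
)

def find_hardcoded_secrets(source_lines: List[str]) -> List[int]:
    """Return 1-based line numbers whose text looks like a hardcoded secret."""
    return [n for n, line in enumerate(source_lines, 1)
            if SECRET_ASSIGNMENT.search(line)]

# Constructed sample source; the "key" and password below are placeholders.
SAMPLE_SOURCE = [
    'API_BASE = "https://api.example.test/v1"',
    'api_key = "sk_live_CONSTRUCTED_0123456789"',
    'password = os.environ["APP_PASSWORD"]',
    'BACKDOOR_PASSWORD = "letmein-support-2012"',
    'timeout = 30',
]

if __name__ == "__main__":
    rec = store_pin_hashed("482193")
    print("plaintext record leaks PIN:", record_reveals_pin(store_pin_plaintext("482193"), "482193"))
    print("hashed record leaks PIN:   ", record_reveals_pin(rec, "482193"))
    print("correct PIN verifies:      ", verify_pin_hashed(rec, "482193"))
    print("hardcoded secrets on lines:", find_hardcoded_secrets(SAMPLE_SOURCE))
```

The regex is deliberately narrow (a credential-like name assigned a quoted literal), so a value pulled from the environment on line 3 passes while the two literals on lines 2 and 4 are flagged; a real review would pair a check like this with a look for keys embedded in resource files, since decompiling a mobile app exposes those just as readily.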
Yes, Toto, we are not in Kansas any more: all these issues really do exist in the wild and are continual problems, mainly for Android and less so for Windows Phone 8 and iOS.
AVG’s main prediction for 2013 is that cybercriminals will target cloud and mobile as their growth areas.
But mobile is just the latest frontier: all netbook, notebook, PC and Mac devices connecting to the cloud have similar issues that need protection. According to AVG’s Michael McKinnon:
1. Online advertising will become even more aggressively personalised, as data is the new “black gold”. Advertisers will use browser tracking, social media trawling and geo-location to identify individual users, build a profile and serve them customised advertisements, all without the need for their consent. See the iTWire article for more on this.
2. Cloud security will be compromised: well-known cloud systems such as Dropbox, SkyDrive (Microsoft), Cloud Drive (Amazon) and Google Drive have reportedly been attacked by malware, and we will see an increase in attacks against such systems from Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks that simply deny users access to their files.
3. Android, as the world’s most popular mobile operating system, is now the prime target for smartphone and tablet malware. Threats will become more sophisticated and use polymorphic code that mutates to avoid detection by traditional app store security.
4. Infected websites targeting all operating systems will also increase with the growing popularity of “commercial” exploit kits such as Blackhole; don’t trust built-in security systems.
5. Mobile-to-computer threats: increased connectivity between mobile devices and all operating systems, combined with the growing Bring Your Own Device trend, will make it much easier for malware and viruses to spread across business and home networks. We also expect to register more attacks that target PC and mobile internet banking apps. These multi-factor authentication attacks will be stealthier, more polished and more location-oriented.
Opinion: None. I ain’t coming out from under my safe, comfortable rock for anyone! But to be serious, it’s time to install premium paid virus protection on all your devices, especially if they have internet access.