CISCO report on malware

Cisco published an interesting report on the 2010 developments on the malware scene. They discuss the economics of malware, the recruiting of mules (people who funnel stolen money on criminal's accounts) and future developments. The prediction I find most interesting is that Apple computers will be targeted next year. Another prediction is of course that smartphones will targeted.

Smartphones Not Ready for Mobile TANs

In the last weeks we had an outbreak of security issues with smart phones. The most famous was the pdf font bug that hit the iPhone and other iOS devices which was fixed by Apple with iOS 4.0.2. This one was really dangerous because it could infect iPhones just by opening an infective web site.

Then we had a rootkit for Android phones. A first criminal exploitation was a Trojan, also for Android, that sent text messages to premium numbers.

Of course there is much more. The reason for this is, of course, that there is no magical security for telephones. Old-style telephone-and-SMS-only phones were simply too dumb to be hacked (if we disregard the occasional bluetooth hack). Modern smartphones are normal computers that happen to contain a radio baseband chip.

However, we have that security feature M-TAN or Mobile TAN for online banking. When a M-TAN user has entered their transaction into the online banking website, they get a SMS with some details on the transaction and the M-TAN number. If the details of the transaction look good, they enter the M-TAN into the web site to complete the transaction.

So, here is the criminal master plan:

1. own as many PCs as you get
2. own as many smartphones as possible
3. match smartphones and PCs
4. start phony transactions on the PC
5. capture the resulting SMS
6. send the M-TAN to the Trojan on the PC
7. Profit

Sounds complicated, but if everyone has a backup of their smart phone on the PCs step 3 should be quite easy and the only remaining issue for the criminal is whether they find enough matches so that the plan is worth the effort.

A promising version of this plan would be to attack the smart phone via the infected PC. In iPhone speak this would be called the "trojan jailbreak". If this can be done without the user noticing it, the M-TAN is completely broken.

I don't recommend using M-TANs on a smartphone.

MacOS X is not Invulnerable

Apple has fixed a nasty longstanding bug. This bug seems to enable user space programs to overwrite arbitrary locations in the kernel memory. The impact of this depends on how easy it is to guess the location of the target. A technique called Address Space Layout Randomization is expected to help here. Attackers need to guess the location of target variables or code for many computers in order to create a worm or rootkit that spreads using this vulnerability. However, it seems that the kernel memory is not randomized so all macs prior to the latest version of Leopard are vulnerable.

iPhones' Hardware encryption without Key Management

Jonathan Zdziarski claims that the "hardware encryption" of the new iPhone 3Gs can be bypassed by removing the PIN that somehow manages said hardware encryption.

I don't know how this is implemented, but given that the iPhone OS is not unbreakable, it seems recommendable to manage the key for that encryption in the hardware encryption device, too.

Anyway, if Jonathan can recover the files without giving the PIN (we have to take his word here, as the clip does not really demonstrate it) something is really wrong there.

Signature Software for MacOS with CommonCriteria

Intarsys' signature software for MacOS X has been evaluated by the german ffice for information security with the security level EAL3+. It's good that Mac users get something, now we're looking forward to EAL4+.