Tag Archive for Smartphone

QR Codes Can Put Users at Risk

Updated 01-26-12: It was just a matter of time, and now the Websense (WBSN) ThreatSeeker Network has started spotting spam messages that lead to URLs using embedded QR codes. According to a report at Help Net Security, this is a clear evolution of traditional spammers toward targeting mobile technology. The spam messages look like traditional pharmaceutical spam and contain a link to the website 2tag.nl. Once the 2tag.nl URL from the message is loaded in a browser, a QR code is displayed along with the full URL. When the QR code is read by a QR reader, it automatically loads the spam URL.

Quick Response codes (QR codes) are a “new” type of barcode that can be used for a variety of purposes: tracking, ticketing, labeling of products, etc. They can be put anywhere, in magazines, on buses, on websites, on TV, on tickets, and on almost any object someone might want to learn more about.

Help Net Security writes that when used for legitimate purposes, they make life easier for users. “All you need to ‘visualize’ such a code is a smartphone with a camera and a QR reader application to scan it – the code can direct you to websites or online videos, send text messages and e-mails, or launch apps,” point out BullGuard’s researchers.

Unfortunately, QR codes can just as easily be used to compromise users’ mobile devices. “Much like URL shortening services can be and are used maliciously because of the fact that they obscure the real target URL, QR codes can also be used for such deception,” Joe Levy, CTO of Solera Networks told DarkReading. “QR codes … provide a direct link to other smart phone capabilities such as email, SMS, and application installation. So potential attack vectors extend beyond obscured URLs and browser exploits very nearly to the full suite of device capabilities.”

There are several ways attackers are already using malicious QR codes to perpetrate their scams. A recent attack via QR code (“attagging”) took place in Russia and involved a Trojan disguised as a mobile app called Jimm. Once installed, “Jimm” sent a series of expensive text messages ($6 each), racking up unwanted charges.

On Apple (AAPL) iOS devices, hackers are sending users to websites that will jailbreak the device and install additional malware. Tomer Teller, security evangelist at Check Point Software Technologies, told DarkReading, “a user scans a barcode and is redirected to an unknown website … the user phone will be jailbroken and additional malware could be deployed (such as key loggers and GPS trackers).”

“On the Google (GOOG) Android … criminals are redirecting users to download malicious applications. All a user needs to do is scan a barcode and it will redirect to a website that will download the Android application,” according to the article.

In addition, attackers are using QR codes to redirect users to fake websites for phishing. “A QR code will redirect to a fake bank that will look exactly like your bank. Since most smart phone screens are small, a normal user may not see the difference and will type in his or her (information) and hand it to the attackers,” Teller says. According to Mobile Commerce News, some reader apps, like the NeoReader from Neomedia, collect personally identifiable information (PII). This information is then sent to third parties who mine the data and possibly resell it.

The trend toward mobile QR-based payment systems that firms like LevelUp, Kuapay, and PayPal are developing will drive QR code malware forward, Mr. Levy says. “As our mobile devices and our wallets continue to converge through such technologies as near field communications (NFC), Bump and QR, malware authors are bound to prefer these very direct paths to the money. After all, these devices and apps are well on the road to becoming our new currency.”

So how do you protect yourself and the data on your mobile?

  • Download an app that scans QR codes and barcodes and shows the URL to which the codes want to take you. “Only use QR code reader software that allows the user to confirm the action to be taken, i.e. visit a website link,” Paul Henry, security and forensic analyst at Lumension, told DarkReading. “If you do not know and trust the link, cancel the action.”
  • Do not scan QR codes from random stickers on walls and similar surfaces. Help Net Security says scammers are counting on people to do that because they can’t curb their curiosity.
  • Consider installing a mobile security app on your device, especially if it runs the Android OS. “Android is an open platform, which means that its source code can be examined by criminals and exploited easily when they find a weakness in, say, the Android browser,” according to the article. “That’s why most malicious apps transmitted via QR codes target the Android-based smartphones.”
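The “show the URL and confirm before acting” advice above is easy to state and rarely implemented. The following is an added example, not code from the article or from any of the vendors quoted, of the decision a safe QR reader should make after it has decoded the barcode: classify what the payload would do (open a URL, send an SMS, dial, install an app) and flag the properties that matter on a small screen. It assumes the image has already been decoded into its text payload by a reader library; the shortener list, the premium short-code heuristic, and the sample payloads are constructed for illustration.

```python
"""Triage of decoded QR-code payloads before a reader acts on them.

Added example (not from the article).  Input is the text a QR decoder
returns; output is the action the reader would take, the destination to show
the user, and a risk rating with reasons.  Lists and thresholds are assumed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: a small list of well-known redirector hosts.  2tag.nl is the
# redirector named in the spam campaign described above.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly", "2tag.nl"}

# File types that mean "install software", not "view a page".
INSTALLER_SUFFIXES = (".apk", ".ipa", ".deb", ".jar", ".exe")


@dataclass
class Verdict:
    action: str    # open_url, send_sms, send_email, dial, install_app, display_text
    target: str    # normalised destination to show the user before confirming
    risk: str      # "low", "medium" or "high"
    reasons: list  # human-readable reasons behind the rating


def triage(payload: str) -> Verdict:
    p = payload.strip()
    lower = p.lower()
    reasons = []

    # SMSTO:number:body is the vector behind premium-rate SMS fraud, so it
    # always needs explicit confirmation.
    if lower.startswith(("smsto:", "sms:")):
        number, _, text = p.split(":", 1)[1].partition(":")
        reasons.append("payload sends an SMS; premium-rate numbers cost money")
        digits = number.lstrip("+")
        if digits.isdigit() and len(digits) <= 6:   # assumed short-code length
            reasons.append("short code destination (typical of premium services)")
        return Verdict("send_sms", f"{number} {text!r}", "high", reasons)

    if lower.startswith("mailto:"):
        return Verdict("send_email", p[7:], "medium",
                       ["payload composes an e-mail; check the recipient"])

    if lower.startswith("tel:"):
        return Verdict("dial", p[4:], "medium",
                       ["payload dials a number; check for premium prefixes"])

    if lower.startswith("market://"):
        return Verdict("install_app", p, "high",
                       ["payload opens an app-store listing for installation"])

    if lower.startswith(("http://", "https://")):
        u = urlsplit(p)
        host = (u.hostname or "").lower()
        risk = "low"
        if u.scheme == "http":
            reasons.append("plain HTTP: page can be altered in transit")
            risk = "medium"
        if host in SHORTENERS:
            reasons.append(f"{host} is a redirector; real destination hidden")
            risk = "medium"
        if u.path.lower().endswith(INSTALLER_SUFFIXES):
            reasons.append("URL points at an application package")
            risk = "high"
        if u.username is not None:
            # https://bank.example@evil.example/ shows "bank.example" first on a
            # small screen; the real host is whatever follows the "@".
            reasons.append(f"userinfo before host; real host is {host}")
            risk = "high"
        if host and host.replace(".", "").isdigit():
            reasons.append("raw IP address instead of a hostname")
            risk = "medium" if risk == "low" else risk
        return Verdict("open_url", f"{u.scheme}://{host}{u.path}", risk, reasons)

    # Anything else (plain text, vCard/MECARD, Wi-Fi config) is shown, not executed.
    return Verdict("display_text", p, "low", ["no automatic action"])


if __name__ == "__main__":
    # Constructed sample payloads, not real scans.
    for s in ["https://www.example.com/tickets/123",
              "http://2tag.nl/abc",
              "http://download.example.net/game.apk",
              "https://bank.example@203.0.113.10/login",
              "SMSTO:7777:START",
              "Hello, this QR code is just text"]:
        v = triage(s)
        print(f"{v.action:13} {v.risk:6} {v.target}  {'; '.join(v.reasons)}")
```

The important design choice is that the function never performs the action: it returns a verdict for the UI to present, and the user confirms. Showing the parsed host rather than the raw string is what defeats the `user@host` and look-alike tricks that a small screen hides.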

rb-

I am not a fan of QR codes; they seem to take you to an advertisement. Most of the destinations are fluff at best and dangerous at worst. Now that they have become nearly ubiquitous, they present more risk than necessary. Avoid QR codes.


Tablet Security Tips

ICSA Labs suggests a series of security tips for users of smartphones, tablets and apps, Help Net Security reports.

1. Only buy apps from recognized app stores. Apps from unofficial third-party stores and applications downloaded from peer-to-peer sites are much more likely to contain malware than apps sanctioned by official vendor stores such as the Android Market or Apple App Store.

2. Think twice about accepting “permissions.” Most applications, legitimate as well as malicious ones, need users to accept several “permissions” before they are installed. Check carefully that the permissions match what the app does and that the app comes from a legitimate source. I wrote about mobile phones leaking data previously.

3. Monitor bills for irregular charges. If attackers gain control of a mobile device, they can quickly rack up charges by sending “silent” text messages to premium-rate services. For example, if the Google (GOOG) Android Trojan GGTracker is inadvertently installed on a device, it can sign users up, without their knowledge, for premium text messaging services.

4. Employ security policies to protect employer-issued devices. Employers should enforce password-based access and require voice mail codes so that only authorized users can get access to data on employer-issued devices.

5. Be mindful that more and more employees bring their personal devices to work. Companies must have security systems and policies in place to safeguard their business environment and prevent access to company networks from employees’ personal devices. I wrote about BYOT here.
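Tips 2 and 3 go together: the permissions an app asks for at install time are the only warning a user gets that a “weather” app can send premium-rate texts. As an added example (not from the article or ICSA Labs), the following reviews a decoded AndroidManifest.xml, such as the one apktool writes out, lists the high-risk permissions requested, and reports the combinations that premium-SMS Trojans like GGTracker depend on. The risk table, the combination rules and the sample manifest are assumptions constructed for illustration.

```python
"""Review the permissions an Android app requests before accepting them.

Added example, not from the article or ICSA Labs.  Input is a decoded
AndroidManifest.xml as text; output is the requested permissions, the ones
on an assumed high-risk table, and the abuse patterns their combination
enables.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed risk table: permission -> why a user should care.
HIGH_RISK = {
    "android.permission.SEND_SMS": "can send texts, including to premium-rate numbers",
    "android.permission.RECEIVE_SMS": "can read incoming texts (e.g. subscription confirmations)",
    "android.permission.READ_SMS": "can read stored texts",
    "android.permission.CALL_PHONE": "can dial numbers without the dialer UI",
    "android.permission.READ_PHONE_STATE": "reveals IMEI and phone number",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location",
    "android.permission.READ_CONTACTS": "reads the address book",
    "android.permission.INSTALL_PACKAGES": "can install other apps",
}

# Assumed combination rules: a set of permissions that together enable a
# known abuse pattern, and a description of that pattern.
COMBINATIONS = [
    ({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
     "send + intercept SMS: premium-subscription fraud pattern"),
    ({"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"},
     "device identifiers + network: data leakage"),
    ({"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"},
     "location + network: tracking"),
]


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names the manifest asks for."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def review(manifest_xml: str) -> dict:
    """Flag high-risk permissions and risky combinations in a manifest."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: HIGH_RISK[p] for p in sorted(perms) if p in HIGH_RISK}
    combos = [why for needed, why in COMBINATIONS if needed <= perms]
    return {"permissions": perms, "flagged": flagged, "combinations": combos}


# Constructed manifest for a fictitious weather app; not a real sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    r = review(SAMPLE_MANIFEST)
    print("requested:", ", ".join(sorted(r["permissions"])))
    for perm, why in r["flagged"].items():
        print(f"  FLAG  {perm}: {why}")
    for why in r["combinations"]:
        print(f"  COMBO {why}")
```

A weather app needs location and network access; it has no reason to send or receive SMS. The combination rule is what turns a list of individually plausible permissions into the specific question a user should ask before tapping “accept.”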

6. Remember that mobile devices are tiny handheld PCs. Many security threats that apply to traditional computers also apply to mobile devices, such as smartphones and tablets, and consumers should take necessary measures to protect themselves. One way to do this is to install anti-malware software on mobile devices and enable VPN functionality.

7. Protect your mobile phone password and voicemail PIN. If your mobile phone does not have a password, add one that is at least six digits. Try to choose a unique password that is not already used across other systems and accounts. Do not use repeating digits in passwords or voice mail pins. Remember that your provider will never request your voice mail pin, so do not be tempted to give it to anyone who requests it.

Smartphone Sales to Pass Computers in 2012

Wall Street investment firm Morgan Stanley predicts that by 2012 smartphone sales will exceed 450 million units, surpassing PC and laptop sales. Mary Meeker, called the “Queen of the Net” by Barron’s during the run-up to the dot-bomb, made the prediction during her “State of the Internet” presentation (PDF) at the Web 2.0 Summit in San Francisco. The Washington Post reports that Ms. Meeker further projected that by 2013 smartphone sales will approach 650 million units. Meeker spoke about growth in the smartphone market and its link to social networking sites, as well as about Internet video and advertising.

Ms. Meeker says to watch out for mobile growth in China. The rehabilitated dot-bomb cheerleader says that China’s population of smartphone users is relatively nascent, with 14.5 million 3G users, or two percent of the population. That compares with 37 million in the United States. But that population grew by 941 percent in the third quarter compared with a year earlier.

TechCrunch points out that Ms. Meeker’s predictions are reasonable. Smartphones are cheaper, and phones in general are more ubiquitous. To the extent that all phones are becoming smartphones, they will be much more accessible and portable than PCs (laptops included). They are certainly becoming just as capable, at least as far as surfing the Web is concerned, not to mention the hundreds of thousands of apps available for platforms like the Apple (AAPL) iPhone, Google (GOOG) Android, and Research In Motion’s (RIMM) BlackBerry.

Smartphone Botnet

Two researchers from TippingPoint’s Digital Vaccine Group duped thousands of iPhone and Android smartphone users into joining a mobile botnet by spreading a seemingly innocuous weather application. Kelly Jackson Higgins at DarkReading writes that Derek Brown and Daniel Tijerina created a smartphone application called WeatherFist. Over 8,000 users downloaded WeatherFist, which grabbed information from users, including their GPS coordinates and telephone numbers, before displaying local weather information.

The researchers chose not to distribute their application via the official iPhone and Android application stores; rather, they distributed WeatherFist via third-party app markets like Cydia, SlideME and ModMyi. The app could only be installed on jailbroken iPhones or on Android devices where users had specifically allowed non-approved applications to run. “We wanted people to feel comfortable using the application and putting it on their phone so we would have permission to do a lot of things like pass GPS coordinates, write to the file system, and surf,” Brown told DarkReading.

At the 2010 RSA Security Conference the researchers said they also wrote a malicious version of WeatherFist, which they dubbed WeatherFistBadMonkey. According to the DarkReading report, the malicious app behaves more like traditional botnet code, stealing information and capable of distributing spam. “We could enable or disable system services [with a malicious app],” Brown says. The TippingPoint researchers told DarkReading they wanted to show how an app could behave like much traditional Windows malware, which steals information and allows attackers to gain remote control of hijacked devices.

rb-

Smartphones are a part of today’s network, and Brown and Tijerina claim that the results of this research show a security hole in networks. Some of the ways to plug these new holes are to:

  1. Update policies for the proper use of smartphones
  2. Prohibit unsafe modifications of smartphones
  3. Allow apps only from reputable app stores
  4. Provide training on smartphone application usage
  5. Lock down the Wi-Fi network settings to keep smartphones from ‘phoning home’ any information that shouldn’t leave the firm.

Taxman Still Coming

Updated 04-13-2010: It is being reported that the U.S. House has scheduled consideration of the Taxpayer Assistance Act of 2010 for April 15th. The bill’s major provision would remove cell phones and similar telecommunications devices from the “listed property” category, effective for tax years beginning after 2009.

Ways and Means Committee member John Lewis (D-GA) was expected to introduce the bill, which would include several individual taxpayer assistance measures. To offset the bill’s $411 million cost, it would expand the bad-check penalty to electronic payments and increase information return penalties.

rb-

By 2013 mobile phones will overtake PCs as the most common Web access device worldwide, according to Gartner forecasts. The IT research firm says the total number of PCs in use will reach 1.78 billion in 2013, while the combined installed base of smartphones and browser-equipped enhanced phones will exceed 1.82 billion units and remain larger than the PC installed base thereafter.

Despite these projections, the U.S. Internal Revenue Service (IRS) continues to treat mobile phones as a luxury. According to an article on Mobile Enterprise, since 1989 IRS regulations have identified the cellphone as “listed property,” an item obtained for use in a business but designated by the Internal Revenue Code as lending itself easily to personal use. According to the IRS, “unless the employer has a policy requiring employees to keep records, or the employee does not keep records, the value of the use of the phone will be income to the employee.” The IRS goes on to say, “At a minimum, the employee should keep a record of each call and its business purpose. If calls are itemized on a monthly statement, they should be identifiable as personal or business, and the employee should retain any supporting evidence of the business calls. This information should be submitted to the employer, who must maintain these records to support the exclusion of the phone use from the employee’s wages.” On the other hand, if the phone is employee-owned, the IRS says “the listed property requirements do not apply. Any amounts the employer reimburses the employee for business use of the employee’s own phone may be excludable from wages if the employee accounts for the expense under the accountable plan rules.”

After proposing in June 2009 to tax up to one quarter of an employee’s use of a work cellphone, the IRS has since decided to let Congress handle the matter. IRS Commissioner Doug Shulman announced on January 8, 2010, that the IRS is now taking a “wait-and-see” attitude, leaving its current regulations in place until Congress passes new legislation. Shulman said on C-SPAN’s “Newsmakers” program: “We’re quite hopeful Congress is going to act on this. In the meantime, we’re not doing anything special or moving forward with any initiatives. Our hope is that there will be legislation to clean this up.” Senator John Kerry (D-MA) sponsored the Modernize Our Bookkeeping In the Law for Employees – Mobile Cell Phone Act of 2009 (S. 144/H.R. 690) to remove mobile devices from the listed property rule and exempt them from the tax. The House approved the bill during the last Congress, but it is still in committee in the current session.

The Cellular Telecommunications & Internet Association (CTIA) trade association welcomed the news. In a Jan. 11, 2010, prepared statement CTIA President Steve Largent said, “The existing rule is an anachronism and it can’t be saved simply by giving it a facelift. That’s why we are focused on continuing to secure congressional support for the Mobile Cell Phone Act, which enjoys broad bipartisan support on both sides of the Capitol. It is our hope that Congress act soon to help employers and employees alike by repealing this absurd, outdated rule.” According to CTIA, employees are still required to maintain logs detailing their business use on a mobile device. The IRS expects individuals to record the following items, according to the CTIA:
  1. the amount of such expense or other item
  2. the time and place of the use of the property
  3. the business purpose of the expense, and
  4. the business relationship to the taxpayer of the persons using the property.
The results of the stalled legislation have been predictable. The article cites the example of Rocky Mount, VA, which stopped issuing cellphones to employees. Town employees whose jobs require 24×7 availability via cell phone must purchase their own phones and are given a flat stipend for work use. If employees do not keep careful records, they may not be able to claim the service as a business deduction even though they pay for their own cellphones for business purposes. The article notes that “For a for-profit business, the designation of an item as ‘listed property’ has implications for depreciation deductions taken by the business and the computation of net income.”

To comply with existing tax rules, Thompson’s Employer’s Guide to Fringe Benefits Rules says employers must satisfy the onerous substantiation requirements by requiring annotated monthly statements from employees to support deductions and employee income exclusions, or they must treat the value of the benefits as wages for federal employment tax purposes and report that value as wages on Forms W-2.

For practical reasons, Thompson says, some employers opt to reimburse employees for cell phone purchases on an after-tax basis to avoid employer ownership of the phones and the fixed-asset tracking that follows. Employers should also reimburse service and usage fees on an after-tax basis unless they collect annotated documentation from employees to substantiate the reimbursements. Employers should either collect all monthly statements from employees or, at a minimum, require employees to maintain those records so they can respond effectively if the IRS inquires into the claims.

What should a firm do if they provide employees with cellphones?

  1. Assess your existing policies for corporate-issued smartphones, and require employees to keep records of each call and its business purpose.
  2. Regularly audit smartphone records and require employees to reimburse the company for all personal use.
  3. Consider whether an individual-liable model for the cellphone users in your enterprise would work.
  4. Get involved: contact your Senator or Representative and tell them to update the tax code.
