Tuesday, November 24, 2009

iPhone worm steals online banking codes

Smartphones have become a big part of the digital world. We can do everything on our smartphones that we would do at a computer terminal. The iPhone and BlackBerry are the two major players in the cellphone/internet world.

However, with all technology comes exploitation, and in the world of digital security in the 21st century, iPhones have become a victim.

I came across this article reporting on a worm stealing bank codes via the iPhone. iPhone users beware.

New iPhone worm steals online banking codes, builds botnet

'Duh' worm strikes only jailbroken iPhones, but ups the ante by snatching banking credentials

By Gregg Keizer Framingham | Tuesday, 24 November, 2009



Hackers have borrowed a tactic from the world's first iPhone worm to build a botnet that steals data, including online banking credentials, from jailbroken Apple smartphones.

A new worm, dubbed "Duh" by UK-based security firm Sophos, is related to the "ikee" worm released earlier this month only in its approach, not in its code, said Chester Wisniewski, a senior security advisor with Sophos.

"It's different code, but the same conceptually," Wisniewski said today.

Both ikee and the new Duh worms take advantage of the default password used by the SSH (secure shell) Unix utility, which is installed by some users after they've "jailbroken" their iPhones. That term refers to the process of modifying an iPhone so its owner can download and install software outside Apple's official App Store channel. SSH lets users connect to their iPhone remotely over the Internet via an encrypted channel.

Duh changes the default SSH password of "alpine" to its own "ohshit" password, Wisniewski said.

Two weeks ago, noted iPhone and Mac vulnerability researcher Charlie Miller warned users that jailbreaking their iPhone puts them at greater risk from attack.

The Duh worm uses the command-and-control strategy employed by traditional PC-based botnets to hijack data from the compromised device, then send it to a central server operated by the attackers, Wisniewski said. The server appears to be based in Lithuania, but the worm itself was probably crafted by Dutch hackers.

One task of Duh is to steal SMS-based authentication codes that some banks use to protect customers who are conducting financial transactions from their iPhones.

"Historically, hackers haven't been able to defeat the mTAN technology," said Wisniewski, talking about the mobile transaction authentication numbers that some banks send to customers as a second layer of authentication. When a user logs into a bank that supports mTAN, he or she receives a six-digit code that must be entered within the next 90 seconds to prove ownership of the account.

Last month, a variant of the Zbot Trojan watched for TANs on hijacked PCs, and used silent instant messaging to transmit the codes to waiting hackers, who then had a short window during which they could preempt the legitimate account owner to access funds. "Duh is using a similar concept," said Wisniewski. "It's looking for incoming SMS with mTANs, capturing those mTANs in real-time and sending them to the command-and-control server. That gives the criminals time to log on using the mTAN."

Although the Duh worm's resulting botnet may be among the first to target iPhones, Wisniewski downplayed the danger. "You're likely to know you've been hacked," he said, noting that Duh's constant network activity quickly depletes the iPhone's battery.

"And anyone playing by Apple's rules is, of course, safe," Wisniewski added. Since only jailbroken iPhones can be compromised by Duh, he recommended that users restore their devices to the most up-to-date Apple firmware by connecting it to their PC or Mac, then accessing iTunes.

But even though Duh strikes only a subset of iPhones, the worm and its botnet illustrate an often-overlooked fact, Wisniewski argued. "People don't realize that an iPhone is essentially an entire Unix-based computer in their pocket," he said.

"It's probably not practical to run spam bots on a phone, not with the battery drain, but data theft like this is a sign of what practical future worms will be like on the mobile platforms," Wisniewski concluded.
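Both worms in the article depend on an SSH service that accepts password logins for an account whose password is publicly known. The following is an added example, not part of the original article or of any vendor's tooling: it audits the text of an `sshd_config` for that exposure. The function names, the constructed sample configuration and the assumed defaults are all illustrative assumptions; it checks the SSH settings only, not whether the password itself was changed.

```python
# Added example: audit sshd_config text for the exposure the ikee/Duh worms relied on.
# SAMPLE_CONFIG is constructed; ASSUMED_DEFAULTS is an assumption (older OpenSSH builds
# allowed root password logins when the keyword was absent; newer ones do not).
ASSUMED_DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "yes"}

SAMPLE_CONFIG = """\
# constructed sample, not taken from a real device
Port 22
#PasswordAuthentication no
PermitRootLogin yes
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

def effective_settings(config_text):
    """Return the global settings; sshd keeps the first value it reads per keyword."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()               # keywords are case-insensitive
        if keyword == "match":
            break                                # Match blocks are conditional, not global
        if len(parts) == 2:
            settings.setdefault(keyword, parts[1].strip().strip('"').lower())
    return settings

def audit(config_text):
    """List findings that leave a default account password reachable over SSH."""
    eff = {**ASSUMED_DEFAULTS, **effective_settings(config_text)}
    findings = []
    if eff["passwordauthentication"] == "yes":
        findings.append("password logins enabled: a known default password is enough")
        if eff["permitrootlogin"] == "yes":
            findings.append("root may log in with a password: full control of the device")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

In the sample, the later `PasswordAuthentication no` line has no effect because the earlier lowercase entry is read first, which is the kind of mistake this check is meant to surface.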

Thursday, November 19, 2009

BEWARE - 2010 is coming and bringing many viruses with it.

You read correctly, 2010 is bringing with it a slew of new viruses and malware.

I recently stumbled across this news article and thought to share it with my readers. For those of you who are intrigued, please feel free to check out the link and follow other news stories.

Some statistics: currently 1 in 400 instant messages contain some form of hyperlink, and 1 in 78 of those hyperlinks are associated with a malicious website. That number is expected to increase to 1 in 12 as the adoption of instant messaging within trusted frameworks increases.

LINK


Attackers proved in 2009 that social networks could be used to spread malware and trick users into giving up their data, but in 2010, according to two senior Symantec researchers, cybercriminals will turn to more sophisticated methods, including using social network architectures for the backbone of their attacks.
In an effort to sustain growth and pick up new users, more social networks are opening up their architecture to allow third-party applications. Cybercriminals can take advantage of this by developing applications out of the social network environment to target users. In addition, access to social network APIs gives attackers a roadmap to vulnerabilities in legitimate third-party applications and a way to tap into user accounts.
"The bad guys can implant malicious code into the social network application and gain access to personal information and other data," said Paul Wood, senior analyst at MessageLabs Intelligence at Cupertino, Calif.-based Symantec Corp. "As the applications themselves become quite enticing and they may in turn be generated with some other purpose in mind … there may be less reputable motives behind some of these applications."
Wood and Zulfikar Ramzan, technical director of Symantec Security Response, presented their predictions for 2010 during a presentation this week. Many of the data security risks will be more of the same, the two researchers said. Drive-by downloads will continue to target people who fail to fully patch Web browsers and third-party plug-ins; rogue antivirus programs will continue to trick victims into buying software they don't need, and botnet operators will continue to control hordes of zombie machines to spread spam and harvest personal information.
Ramzan said that while attackers will use many of the same tactics, they will learn to sharpen their methods to evade security technologies and enable cybercriminal gangs to pull in more money. Rogue security software, which was successful in 2009 with the spread of the Bredolab downloader, could move into instances of computer hijacking, rendering them useless, he said.
Researchers have seen changes in malware in 2009 with cybercriminals producing multiple variants to trick antivirus signatures. While 2010 malware will be similar, targeted or specialized malware will aim at embedded devices, predicts Wood. Attackers will target ATM vulnerabilities, errors in electronic voting systems and even holes in systems that provide premium pay-per-view content to get access to streaming movies.
"It requires a significant degree of insider knowledge about the way these systems work and the ways they can be exploited," Wood said. "Seeing attacks against vulnerabilities in systems like computer-aided designed tools are not going to be mass marketed, but they're very useful for a targeted attack if you want to gain access to an organization."
Both researchers said instant messaging could represent a new way for attackers to spread malicious links. Many social networks are incorporating instant messaging features, and when combined with the high level of trust users have on social networks, they could create a lucrative environment for cybercriminals. Some attackers may combine URL shortening with spam techniques and instant messaging giving them a greater chance of success.
"There's a level of trust built up on these sites that if a user gets a message from someone on their buddy list, they're more likely to click on a link," Wood said.

Mac users are no longer immune
As in any business, cybercriminals need a large audience to generate enough successful attacks to make the effort worth it. Until now, Mac users have been relatively immune to the onslaught of attacks targeting operating system flaws. Apple users can become a victim of the company's success. As its market share increases in both Apple computer and smartphone sales, the opportunity for attack increases, Ramzan said.
"In 2009 we saw Macs and smartphones targeted more than in the past, and we expect that trend to continue," he said.
Smartphone popularity is also resulting in renewed interest from hackers, Ramzan said. The Sexy Space botnet was aimed at the Symbian mobile device operating system and the OSX.Iservice Trojan targeted Mac users in 2009. Malware authors will see more money-making opportunities as a result of Apple's increased market share and the growth of smartphones in 2010, he said.
An interest in Mac users doesn't mean Windows users can breathe any easier. Windows 7 adoption is sure to increase next year and with that, hackers will be probing the new OS for vulnerabilities to give them a way in, Ramzan said.
"We're dealing with large and fairly complex systems with literally many, many millions of lines of code, so to me it's not a matter of if the vulnerabilities crop up, it's a matter of when they are going to crop up," he said. "Microsoft's new operating system is no exception to this rule, and as Windows 7 hits the pavement and gains traction in 2010, attackers without a doubt are going to find a way to exploit the people who use it."
So far, Microsoft has had two known vulnerabilities in its latest OS. While many enterprises have gotten a handle on patching systems for OS vulnerabilities, third-party plug-ins in browsers and Internet-facing applications such as PDF readers and Flash players have remained a pesky problem for IT security pros, he said.
"We will probably expect to see attackers look for vulnerabilities in both the applications that run on top of these platforms as well as the human psychological vulnerabilities of the person who operates the applications," Ramzan said.

Monday, November 2, 2009

AVG - FREE Anti-Virus Software


As the headlines put it, 'AVG Continues To Protect Consumers From Computer Security Threats'. I'm a big believer in online security which will protect you from any nasties that may find their way into your system and cause problems.

This is my first post in the list I promised to provide in security protection of the 21st century.

Your first line of defense should be your firewall, but these days that comes pre-installed on your computer.
The first real line of defense that you can get yourself is a good anti-virus program. There are many out there that require subscriptions on an annual basis and many that are free.

As a student I'm a big fan of the freebies, and for me it's been AVG for quite some time. Not only do they give me active protection, scanning all downloads and emails, but they will notify me and give me options as to what I would like to do with any potential threats.

Now I know almost all decent anti-virus software does this; however, AVG is super easy to use, and did I mention they have a free version?

If you want to get hooked up with AVG Anti-Virus Security protection for yourself click on the link below:
AVG Security Link

One final note: if you ever get some weird, strange code associated with a computer virus, just Google the code. Chances are you're not the only one suffering.

Sunday, November 1, 2009

How responsible are you for your internet security?

In the 21st century we have many more responsibilities at a younger age than in the past. Of course, this is due in part to the boom in the internet. Relating back to my previous post of who the responsibility should be with, in regards to online security, a recent poll showed that the behaviours of some Americans “limit their ability to protect their valuable information and data,” despite the fact that the study results show that 85 percent of Americans feel they are “most responsible for keeping their computers secure,” and 40% feel that individual computer users are most responsible for keeping the entire Internet secure.

Clearly we can't be responsible for the entire security of the internet; however, we need to maintain proper 'cyber hygiene', if you will. This could come in the form of having proper anti-virus software, anti-spyware, anti-malware, etc.

Some other interesting statistics from the same report:
Only 27% of Americans make an electronic backup of their critical files on a weekly basis.
More than 55% back up their files less often than once a month.

“Couple those findings with the fact that the use of computers to store personal data such as photos (76%), music (60%), banking information (39%) and tax returns (30%) continues to steadily rise, computer users face potential significant losses of valuable information,” warns NCSA executive director, Michael Kaiser.

Kaiser makes the point that passwords are also a critical component of cybersecurity enabling computer users to securely access online services and personal information, but nevertheless, the study found that less than 25% of those polled change passwords quarterly and more than 50% of Americans never change them.  In addition, 40% of those surveyed don’t use different passwords for their various online accounts. 


I'll admit, I am certainly a contributor to some of these stats, and we become so complacent with our online security that we neglect to take a proactive approach to ensuring our security in the 21st century.
 
Stay tuned for a list of my favourite and effective "anti-" software to better protect yourself.

The stats were retrieved from an article on iTwire. If you are interested, here ya go:

iTwire article

Just For Fun

I thought this was a fun video. We don't always need to be concerned about security. In the 21st Century we can do fun silly things like this.