Geinimi Android Trojan horse discovered

January 2, 2011

There has been something of a sting in the tail of the year for lovers of the Android mobile operating system, as researchers uncovered a new Trojan horse.

The Troj/Geinimi-A malware (also known as "Gemini") has been seen incorporated into repackaged versions of various applications and games, and attempts to steal data, and may contact remote URLs.

Although some media reports have portrayed Geinimi as the first ever malware for the Google Android operating system, this isn't correct. For instance, in the past we've seen banking malware has been found in the Android Market, security researchers have demonstrated spyware rootkits for Android devices, and users have been warned about Trojans from Russia which send SMS text messages to premium-rate numbers.

In the case of the Geinimi malware, the good news is that it appears not to have made it into the official Android market app store - meaning that you would only have been putting yourself at risk if you installed poisoned software from an unauthorised source. Researchers at mobile security firm Lookout say they have only seen the software on unofficial Chinese app stores.

And you have to deliberately change the settings on your Android smartphone to make it possible to install software from such "unknown sources".

So, the sky is not falling - and it's not the end of the the world as we know it if you love all things Android. But Android users should still be sensible about security.

Android is a much more "open" operating system than the Apple iOS used on iPhones and iPads, and Android users don't have to jump through as many hoops to install applications that have not been made "officially" available.

And, it shouldn't be forgotten that not all attacks are OS-specific. Phishing attacks, for instance, don't care what operating system you're running - they just rely on you not taking enough care about the link you are clicking on (something that's pretty easy to do when you have a small screensize to view a - perhaps - long url).

And increasingly we are seeing examples of threats which only exist "within the browser" or spreading entirely inside a social network, never touching your smartphone's operating system.

So there are dangers out there whatever kind of browsing device you are using. Desktop or laptop, mobile or tablet.

Sophos products can detect samples of the Geinimi Trojan we have seen to date as Troj/Geinimi-A.
 

Searching for free stuff online can be costly

September 16, 2010
This pie chart shows the different threats that can come from 
visiting Web sites that advertise unauthorized content.

This pie chart shows the different threats that can come from visiting Web sites that advertise unauthorized content.

(Credit: McAfee)

It's common knowledge that you can catch computer viruses on porn Web sites. But did you know it's also risky to surf the Web searching for free movies or music?

A study from McAfee to be released on Tuesday finds that adding the word "free" when looking for entertainment content in search engines greatly increases the chances of landing on a site hosting malware.

For instance, searching for free music ringtones increases the chances of hitting a malicious site by 300 percent, according to the report, "Digital Music & Movies Report: The True Cost of Free Entertainment." (PDF)

Searching for "lyrics" for a particular artist is twice as risky on average as searching for "ringtones" for the same artist for the first five pages of results, the report found.

And including the term "MP3" increases the riskiness of music searches in general. There has been a 40 percent increase in the number of Web sites that are delivering infected MP3 files or that seem to be built for purposes of financial fraud or delivering malware, according to the report.

Meanwhile, McAfee found malware associated with a number of Web sites around the world advertising free downloads of sports games, movies, and TV shows.

Twelve percent of sites that distribute unauthorized content are distributing malware, and 7 percent of sites offering unauthorized content have associations with cybercrime organizations, the report concluded.

"The sites often look very professional and attempt to lure the user with the idea of a 'trial period' or even some nominal fee that is much less than what may ultimately be charged," the report says. "Once the user agrees, they have to authorize their computer to access and interact with computers that are involved in a wide range of schemes--from money laundering to stealing credentials such as user names and passwords. In addition, with this access, your computer is profiled--with all of its software versions, user agents, and any other date--and this information can be provided to third parties for malicious purposes. (This is often called 'fingerprinting.')"

To reduce the chances of landing on malicious sites, McAfee recommends avoiding the use of the word "free" in searches for entertainment content, avoiding clicking on links in banner ads on content sites that aren't well established, not clicking on links posted in forums and on fan pages, keeping security software up to date, and using safe search plug-ins like McAfee Site Advisor that warns of potentially risky sites.

 

How secure is your e-mail password?

September 16, 2010
Access to an e-mail account opens up access to all sorts of other information that could be used to steal someone's identity and drain bank accounts, open up credit cards, and even take out loans in their name.

It's not just personal information at stake in e-mail accounts. Use of weak password-reset security questions is believed to have allowed someone to access the Yahoo e-mail account of a Twitter employee last year and then use that to access the person's Google Docs account where there was sensitive corporate information.

In agreeing to the project, Thompson(Adjunct professor of software security at Columbia University and founder of consultancy People Security) had already done some homework and had a list of specific security questions that the major Web-based e-mail providers use. The questions include a mix of preference questions, like what is your favorite book, musician, town, and restaurant. Easy questions as they may seem on the surface, they are subject to change as peoples' tastes change. For instance, you are likely to have a different favorite movie every couple of months or at least likely to forget what your original answer was. These aren't always easy for a stalker to find either, unless the target happens to be a blogger who shares a lot of personal information. It's the same for the category I'll call "firsts," such as what was your first pet's name, teacher's name or job.

Then there are the fact-based questions that are easier to find from public databases, such as the hospital you were born at, the street you grew up on or the town, your first phone number, high school you attended, last four digits of your Social Security number, mother's birthplace and grandfather's occupation.

Finally, there are the questions that people don't usually remember or tend to have handy so they are less likely to choose them. These include what is your primary frequent flier number or library card number.

Armed with a list of common questions from Gmail, Yahoo, Live Mail and AOL, Thompson knew what information to look for. Using a Web-based conferencing system, I was able to watch his screen as he traversed the Internet. His first stop was Google where he typed in my first and last name. (All Thompson knew about me at the onset was my first and last name and that I work at CNET.)

Thompson went straight to my LinkedIn profile where he learned where I went to college and details of my past work experience. He then searched for me on a people search engine called Pipl.com and came across references for city, state, age, middle name, address and phone numbers. He found additional addresses on 123people.com.

On Intelius.com, another site that offers some basic information for free but charges for additional data, he came across other people with the same last name who were supposedly associated with me and their ages. (Most but not all of the information uncovered in this experiment was accurate.) By comparing information on the various sites and cross checking purported relatives and addresses, Thompson was able to guess which state I grew up in and what cities I have lived in.

Then Thompson called in the big guns--Ancestry.com. The site, which is designed for people creating family trees and doing genealogy research, pulls data from a host of public databases and provides more information than the free searches on the other sites but charges a subscription, of course. There is also a 14-day trial offer.

On Ancestry.com he had to guess at the birth year after learning my age on a different site but not knowing the exact date and took an educated guess at the city of residence too. Voila! Up came a birth date, a bunch of previous addresses, and even at least one phone number.

Someone could easily take the address information to figure out answers to some of the preferential security questions by using Google Street View to zoom in on bars, restaurants, and other hangouts in the immediate vicinity, said Thompson, who also is chair of the RSA Conference. "The longer you lived at an address, the more interesting those searches are," he said.

Then he used Ancestry.com to search on one of the names linked to me and that he suspected was my mother because of the associated ages. "Your mother is the most interesting relative for us to look up because her name typically tells us what your maiden name is, but it also is a gateway to find out who her parents were," Thompson said. "If we know their names then we know what your mother's maiden name was."

A common address between mother and subject also indicates the childhood home address. "That's valuable for password reset questions that ask what street you grew up on," he said. "Then you can search the addresses for the schools that are nearby and then go on Classmates.com and bring up teachers by year at that school."

Thompson then went back to Google to see if I had a resume online, but that proved to be a dead end. Resumes have a wealth of personal information, including e-mail addresses, phone numbers, addresses and college. Outdated resumes are even more valuable, according to Thompson.

Following the e-mail trail
Satisfied with the amount of biographical information he had accumulated on me, Thompson then decided to see what e-mail addresses he could find. Since e-mail services allow you to reset your password by sending a message to your alternate e-mail address, getting the earliest e-mail address for someone is key because that is the one most likely to offer up security questions. If it's a school e-mail address, that is even better because those security questions are likely to be the least secure, he said. The idea is to follow the trail of e-mail addresses as far back as possible. Corporate e-mail addresses, meanwhile, aren't much help because they typically reset passwords internally through the corporate IT department.

Since I was in school before e-mail was popular (now you know I'm no spring chicken!) there was no school e-mail address for me. If there had been one, Thompson said he would have searched for the school on Classmates.com and checked for the domain there and guessed what my e-mail address would have been. He also could have looked for public records associated with possible student loans to get an e-mail address that way, he said.

Thompson guessed that I would have a Gmail address and that as an early adopter it would follow a particular, simple format. But when he tried to reset the password, the system offered to have password reset information sent to my alternate e-mail address or phone number. Gmail provided enough of the other e-mail address to figure it out and a few letters of the cell phone that could be compared against phone numbers uncovered on the people search sites. He then would have had to hack my cell phone or otherwise get physical access to it in order to get to the text message and choose the password he wants in order to hijack my account.

Thompson and I ran out of time, but I went ahead and finished the process and tried to reset the password on my alternate e-mail account. I struck gold--from an attacker's point of view--in that it did ask security questions instead of referring me on to yet another e-mail address. But two of the three questions it asked (which I must have created) were unlikely to appear in any public databases and were not based on preferences. I'd share them with you, but then I'd have to kill you. (Just kidding. See below for some suggestions.)

The third security question asked was (yikes!) my mother's maiden name, which Thompson had not yet uncovered but would have eventually if we had had more time.

I compared the accurate information uncovered by Thompson with the list of about 30 or so security questions that the e-mail providers offer as default questions and found that about eight of them would have easily been answered and another four probably could have been.

Phew! Safe enough--for now
Because of the time constraint and the fact that I write about computer security issues and am thus more likely to be more security-conscious, Thompson did not hijack my e-mail account. But the experiment was fascinating, nonetheless. It showed how easily a stranger can dig up all sorts of information on someone. And it showed just how easy to guess many of the password-reset security questions are.

Thompson recommends that people conduct this experiment on their own identity to see what the results are and how secure their e-mail accounts are. And I would suggest the same. Then, either choose the safest default questions or, better yet, create your own, if that is an option.

When selecting a question option, think of an event in your life or a fond memory that is not going to be found on a public document and which you won't likely forget. Choose something that you haven't exposed to the public in a blog, Facebook posting or other online site. And think about specifics related to that memory, like a person, place or thing. Avoid referencing anything that can change over time such as a preference or feeling. Then set the question based on that.

When I realized the amount of information Thompson had amassed on me in a relatively short period of time, I was shocked and a little nervous. It's fine for someone I trust to be trawling the Internet for details of my personal life, but if he could do this so could someone else.
 



Best Communitation Website
Which communication website is best?

Myspace
Facebook
Twitter
Furry-paws
Youtube


Make a free website with Yola