 January 13th, 2012 by ctriplett
Join us for our May mobile forensic training in Chicago IL May 21-25! We are offering our full five day series containing the following courses:
Courses come with our virtual machine build containing useful forensic utilities, as well as the tools needed for Android physical recovery. At the end of these five days investigators will be intimately familiar with the Linux environment and the data carving process through physical and logical recovery on iPhone and Android devices. Investigators will also learn how to bypass the pattern code on certain devices. Follow the link on the course name above to learn more about each course.
The training is open to both law enforcement and non-law enforcement! The exact venue for this event is TBD. If your agency is in the Chicago area and would be interested in hosting this event you would qualify for a hosting agency discount. Contact us for more information!
Law Enforcement $4295 and non-LE is $6295 for the entire series . Individual course pricing is available – please contact us for details.
 
January 12th, 2012 by lhaas
Support is ramping up for smartphone wireless payment systems.
Visa announced today its approval of Samsung, LG and BlackBerry smartphones to utilise its new Visa payWave technology, as part of efforts to widen adoption of mobile device wireless payments.
It’s a step in the right direction, but the path to wireless payment success is still fraught with hurdles. It does however pave the way for a future roll-out for smartphone payments.
The financial giant certified Samsung’s Galaxy S II, LG’s Optimus Net NFC, BlackBerry Bold 9900 and 9790, and BlackBerry Curve 9360 and 9380 devices. The smartphones will work with the estimated 185,000 contactless payment terminals used in shops and stores.
The new devices host the payWave application on a secure SIM card, allowing users to wave their mobile devices in front of a terminal to wirelessly transmit payments.
In the U.S., mobile commerce company Isis — a joint venture between AT&T, T-Mobile and Verizon — signed a deal last year with Visa, MasterCard, Discover and American Express in a bid to deploy a wider mobile payments ecosystem.
via Visa approves smartphones for NFC payments: Good start, but still hurdles ahead | ZDNet.
January 11th, 2012 by lhaas
The Defense Department is taking the point in the federal government’s campaign to deploy mobile devices. But in its role as trail blazer, DOD must also wrestle with a number of issues key to a successful rollout of approved smart phones and tablets.
Among those issues are security, authentication and the logistics of managing many devices with varying degrees of access across the DOD enterprise.
Recent developments make government officials confident that high levels of security can be achieved for devices running on the Android operating system, but verifying who is using a particular piece of equipment remains a challenge. The department is looking at a range of identity verification techniques, from biometrics to physical and software user certificates to ensure that person sending that text or phone call is who they say they are.
via Army’s plans for Androids and other mobile devices could spread across federal government — Government Computer News.
January 10th, 2012 by lhaas
As mobile marketers latch onto the convenience and cool-factor of QR codes, hackers are starting to take advantage of these square, scannable bar codes as a new way to distribute malware. Like all mobile attack vectors, it is a new frontier that security researchers say is not extremely prevalent, but which has a lot of potential to wreak havoc if mobile developers and users stand by unaware.
The success behind QR code usage among mobile fans has largely been pinned on its simplicity.
“QR codes are growing in popularity and seem to be popping up everywhere — magazine ads, newsletters, real-estate signs, newspaper ads, and in trade-show booths,” says Paul Henry, security and forensic analyst at Lumension. “In the simplest of terms, a QR code is a 2D bar code that can store data which can then be read by smartphone users. The data is an easy way to direct a user to a particular website with a simple scan of the QR code, but it could also just as easily be a link to a malicious website.”
Just point your mobile device’s camera on the code and scan it, and the reading will take you to the website or mobile app download that its promoter promises to provide. The difficulty is that you’re depending on the honesty of that provider or the assumption that the code hasn’t been tampered with to know the destination is legitimate.
“QR codes, while perhaps convenient for the user, clearly open the door to the clever obfuscation of malicious links for would-be bad guys,” Henry says.
via QR Code Malware Picks Up Steam – Dark Reading.
January 9th, 2012 by lhaas
Threatpost deems Android security issues an “appropriately hyped” story of 2011 and suggests that security on Android will continue to be a concern in the year ahead.
It’s that most un-wonderful time of the year: the time when everyone writes fluffy articles full of lists, retrospectives and look-aheads. Even we did it. Many of these lists involve some variation on the theme of most overhyped or least organic or or most awesomest or lowest fat content. This article is not those articles.
Instead, this is the article that will inform you about the stories this year that are neither overhyped nor underhyped. Not the ones that beat you over the head all year, making you long for the days of the Pony Express and six-month news cycles. Nor the ones that slipped by unnoticed and then snuck up you on a week later, which may as well be three years later at this point. No, these are the stories that neither got too much nor too little attention, but exactly the amount of hype, furor and attention that they deserved.
Android security
You could probably argue that some of the individual bugs and pieces of malware that affected Android this year were overhyped, but the overall problem of security on the Android platform is bad and not getting any better soon. Android apps have been found stealing texts and intercepting phone calls and using root exploits, researchers have found a variety of serious vulnerabilities in the operating system and Google has been mostly quiet about all of this. Expect this giant ball of twine to gather even more string in 2012 as Android continues to grow in popularity and researchers and attackers continue to hammer on it.
via The Appropriately Hyped Stories of 2011 | threatpost.
January 6th, 2012 by lhaas
Researchers have built an Android app that sails right past the smartphone software’s permissions protocol and could enable a hacker to install and run corrupt code on a target’s mobile device.
The proof-of-concept app, as described in a blog post by the security firm ViaForensics called “No-permission Android App Remote Shell,” gives its creators remote access to an infected Android device. The app exploits Android’s permissions system, which is designed to put security in the hands of customers by giving them explicit control over what capabilities each app can perform.
This is yet another blow to Google’s massively popular but vulnerable smartphone operating system, which has been hit with a multitude of malware attacks in the past few months.
The ViaForensics app, as shown in a video on the company’s website, gave researchers the ability to extract data about the target device and read data form the SD Card and send it back to its server.
Thomas Cannon, director of research and development at ViaForensics, wrote that the functionality the app exploits is not new, and has “been quietly pointed out for a number of years.”
“We are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel,” Cannon wrote.
Researchers tested the rogue Android app — it is not a legitimate app in Android’s App Market — on versions from 1.5 up to 4.0 (Ice Cream Sandwich) and said it successfully performed its devious function in all cases.
“In this demonstration Android’s power and flexibility were perhaps also its downfall,” Cannon wrote. “Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user.”
via Malicious Android app sneaks past permissions – Technology & science – Security – msnbc.com.
January 5th, 2012 by lhaas
Some quick tips for mobile security:
1. be cognizant of what you install on your phone and who the company is that makes the app;
2. put a “strong” passcode on your phone to protect against casual theft;
3. turn off your Wi-Fi when traveling to protect against the device automatically associating itself with a public Wi-Fi network;
4. ask your mobile provider to remove all rooted apps that that came with the phone that you do not intend to use and that can be safely removed;
5. ensure that corporate mobile device policies are up to date; and
6. consider mobile security software to help protect against malicious downloads.
Consumer mobile devices are an ideal target for criminals. You should assume at some point it will be lost, stolen, or become infected with malicious code. The bottom line, it is not recommended that you store highly sensitive data on them.
via Six Tips to Safeguard Your Mobile Devices.
For more in depth information, get viaForensics’ Mobile Security Risk Report and check out our appWatchdog findings.
January 3rd, 2012 by lhaas
viaForensics’ white paper on mobile security was included in the U.S. House Committee on Small Business recent subcommittee hearing on Cyber Security.
House Small Business Healthcare and Technology Subcommittee Chairman Renee Ellmers (R-NC) today held a subcommittee hearing to examine the issues faced by small businesses in combating cyber security threats, including the role of the federal government and best practice solutions.
“For small businesses, a cyber attack can be catastrophic, leaving them paralyzed and unable to recover from the loss of their intellectual property and resources,” said Ellmers. “Unlike larger firms, most small companies cannot afford to purchase security software or hire staff to specifically monitor their security systems, leaving them as an easy target for cyber criminals. In fact, Symantec reports that 40 percent of all targeted cyber attacks were directed at small businesses. Statistics also show that nearly 60 percent of small businesses will close within six months after a cyber attack. Given the fact that small companies are our nation’s best job creators and economic drivers— this is greatly alarming.
“There is no one-size-fits-all solution for combating cyber attacks— it will take partnership from both the public and private sectors to protect against these threats. As Congress moves forward in considering legislation and modernizing cyber security laws, we must ensure that small companies are not burdened with more costly regulations. Congressman Mac Thornberry (R-TX) and our witnesses today provided great insight on what role the federal government should play in helping the private sector combat cyber terrorism, and I am confident this will lead to viable solutions.”
via Press Release: Ellmers Subcommittee Examines Issues Facing Small Businesses in Combating Cyber Terrorism
December 29th, 2011 by lhaas
Jonathan Zdziarski’s new book “Hacking and Securing iOS Applications: Stealing Data, Hijacking Software, and How to Prevent It,” is due out next month. Pre-order your copy now!
Based on unique and previously undocumented research, this book by noted iOS expert Jonathan Zdziarski shows the numerous weaknesses that exist in typical iPhone and iPad apps. Zdziarski shows finance companies, large institutions and others where the exploitable flaws lie in their code, and in this book he will show you as well, in a clear, direct, and immediately applicable style. More importantly, this book will teach the reader how to write more secure code to make breaching your applications more difficult. Topics cover manipulating the Objective-C runtime, debugger abuse, hijacking network traffic, implementing encryption, geo-encryption, PKI without depending on certificate authorities, how to detect and prevent debugging, infection testing and class validation, jailbreak detection, and much more.
December 28th, 2011 by lhaas
The NIJ has published the test results for viaForensics’ AFLogical 1.4. Mobile Device Acquisition Tool. The report shows the results from testing the tool against the Smart Phone Tool Test Assertions and Test Plans.
Read the report here.
|
|
