Criminals Remotely Erasing Smartphone Data

Smartphones taken as evidence by police in the UK are being wiped remotely by crooks in order to remove potentially incriminating data, an investigation has uncovered.

Dorset police told the BBC that six devices were wiped within the space of a year while they were being kept in police custody, and Cambridgeshire, Derbyshire, Nottingham and Durham police also confirmed similar incidents.

The technology being used was originally designed to allow device owners to remove sensitive data from phones or tablets if they are lost or stolen.

“We have cases where phones get seized, and they are not necessarily taken from an arrested person, but we don’t know the details of these cases as there is not a reason to keep records of this,” a spokeswoman for Dorset police told the BBC.

A spokeswoman for Derbyshire police also confirmed one incident of a device being remotely wiped while in police custody.

“We can’t share many details about it, but the case concerned romance fraud, and a phone involved with the investigation was remotely wiped,” she said. “It did not impact upon the investigation, and we went on to secure a conviction.”

Software that enables this remote wiping has been available from a variety of security firms for some time now.

For example, BitDefender announced a product a while back intended to track  lost or stolen Android devices. Not only did it allow users to connect remotely and ‘wipe’ data from a web profile via the internet, but to activate commands with text messages.

Pen Test Partners’ digital forensics expert, Ken Munro, said it is common practice to immediately put devices that are seized as evidence into a radio-frequency shielded bag to prevent any signals getting through and stop remote wipes.

“If we can’t get to the scene within an hour, we tell the client to pop it in a microwave oven,” he said. “The microwave is reasonably effective as a shield against mobile or tablet signals – just don’t turn it on.”

Source

Can Android Fight Cyber Threats With A.I.?

A security firm called Zimperium has launched mobile software that learns from smartphones to fend off malicious cyber attacks.

Claiming to be the first security software to be powered by artificial intelligence (AI), the app is called zIPS, with the “IPS” standing for “intrusion prevention system”. The aim of the AI is to better spot malware before it causes harm or spreads to other devices.

The zIPS software works whether the smartphone is offline or online and can protect against malicious apps, such as those that can self-modify, and network attacks like a “man in the middle” attack where a hacker intercepts data being sent between one user and another.

“With zIPS, corporations will now have the opportunity to use [bring your own device] as an advantage to their security. zIPS is the first security solution that can combat modern cyber-attacks on mobile,” said Zimperium’s founder and CEO Zuk Avraham. “There is already evidence of attacks that are happening to infiltrate organisations, which only zIPS can prevent.”

Prior to working on the Android app, Avraham worked as a security researcher for the Israeli Defense Forces and Samsung electronics before setting up Zimperium in response to what he thinks is a poor selection of good mobile security software.

According to MIT Technology Review, Zimperium said that there have as yet been no programs that can detect, notify and protect against cyber attacks deployed through mobile devices.

The zIPS Android app has arrived in the Google Play store for all Android devices at a time when malware on Android is at an all time high.

Last year, Trend Micro warned that Google’s Android mobile operating system is so beset by cyber criminals creating malicious apps that the malware was on track to hit the million mark before the end of 2013.

The firm said that this was attributable to hackers seeking to exploit Android’s growing global user base.

Source

Google Updates It’s SSL Certificate

Google has announced plans to upgrade its Secure Sockets Layer (SSL) certificates to 2048-bit keys by the end of 2013 to strengthen its SSL implementation.

Announcing the news on a blog post today, Google’s director of information security engineering Stephen McHenry said it will begin switching to the new 2048-bit certificates on 1 August to ensure adequate time for a careful rollout before the end of the year.

“We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key,” McHenry said.

“Most client software won’t have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications. This is more often true of client software embedded in devices such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras.”

McHenry advised that for a smooth upgrade, client software that makes SSL connections to Google, for example, HTTPS must: “perform normal validation of the certificate chain; include a properly extensive set of root certificates contained […]; and support Subject Alternative Names (SANs)”.

He also recommended that clients support the Server Name Indication (SNI) extension because they might need to make an extra API call to set the hostname on an SSL connection.

He pointed out some of the problems that the change might trigger, and pointed to a FAQ addressing certificate changes, as well as instructions for developers on how to adapt to certificate changes.

F-secure’s security researcher Sean Sullivan advised, “By updating its SSL standards, Google will make it easier to spot forged certificates.

“Certificate authorities have been abused and/or hacked in the past. I imagine it will be more difficult to forge one of these upgraded certs. Therefore, users can have more confidence.”

Source

Apple Blasted For Not Blocking Stolen Certificates

A security researcher blasted Apple for what he called “foot dragging” over the DigiNotar certificate fiasco, and urged the company to act fast to update Mac OS X to protect users.

“We’re looking at some very serious issues [about trust on the Web] and it doesn’t help matters when Apple is dragging its feet,” said Paul Henry, a security and forensics analyst with Arizona-based Lumension.

Unlike Microsoft, which updated Windows Tuesday to block all SSL (secure socket layer) certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same.

DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website’s identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.

Because almost all the people who were routed to a site secured with one of the stolen certificates were from Iran, many experts suspect that the DigiNotar hack was sponsored or encouraged by the Iranian government, which could use them to spy on its citizens.

Microsoft isn’t the only software maker to block all DigiNotar certificates: Google, Mozilla and Opera have also issued new versions of their browsers — Chrome, Firefox and Opera — to completely, or in Opera’s case, partially prevent users from reaching websites secured with a DigiNotar certificate.

Users of Safari on Mac OS X, however, remain at risk to possible “man-in-the-middle” attacks based on the fraudulently obtained certificates.

Because Safari relies on the underlying operating system to tell it which certificates have been revoked or banned entirely, Apple must update Mac OS X. The Windows edition of Safari, which has a negligible share of the browser market, taps Windows’ certificate list: That version is safe to use once Microsoft’s Tuesday patch is applied.

Read More….