
Posts Tagged ‘Accountability’

Accountability, Not Code Quality, Makes iOS Safer Than Android

BOSTON: Accountability, not superior technology, has kept Apple’s iOS ecosystem free of malware, even as the competing Android platform strains under repeated outbreaks of malicious code, say researchers Dan Guido of the firm Trail of Bits and Michael Arpaia of iSEC Partners.

The two researchers said an empirical analysis of existing malicious programs for the Android and iOS platforms shows that Google is losing the mobile security contest badly: every piece of malicious code the two identified was for the company’s Android OS, which made up 50% of the U.S. smartphone market, while Apple’s iOS remained free of malware despite accounting for more than 30% of the same market.* Apple’s special sauce? Policies that demand accountability from iOS developers, and stricter controls on what applications can do once they are installed on Apple devices.

Guido, whose company Trail of Bits helps enterprises defend against targeted attacks, told Threatpost that mobile operating systems are far more secure than their desktop counterparts, forcing scammers to follow a well-worn path to own mobile devices, which Guido calls the mobile “kill chain.” Mobile malware is delivered bundled with mobile applications, which are typically uploaded to and promoted from mobile marketplaces like Google’s Android Market. Once attackers have a foothold on a device, they use vulnerabilities in the operating system or in the application permissions model to escalate their privileges, connect to an Internet-based command-and-control network, and then begin to siphon saleable data from the device, Guido said.

Guido and Arpaia’s survey of mobile malware identified 100 unique instances of mobile malware that were used in around 500 separate campaigns. Together the malware was downloaded hundreds of thousands of times by mobile device users. But even as Apple, Google and Microsoft battle it out for mobile market share, in the eyes of mobile malware authors, there’s no contest: all of the malware the two researchers identified was for Google’s Android operating system, they said.

“We looked for iOS malware, but there is none to collect,” Guido said. “It’s amazing that there’s just none out there.”

The reasons for that are complex, and don’t suggest that iOS has any technological superiority over Android. “This isn’t a technology issue or an application security thing,” Guido said. “It’s not like there are fewer vulnerabilities in iOS.”

The researchers’ findings are supported by other surveys of mobile malware. Juniper Networks’ 2011 Mobile Threats Report, for example, found 13,302 samples of malware targeting the Android platform between June and December 2011, a more than 3,000 percent increase over the period from Android’s release in 2007 through May 2011. During the same period, there were no examples of iOS-specific malware.

The key differences between Apple’s iOS and Google’s Android, Guido said, are “design decisions” each platform maker made that have since created incentives and disincentives for mobile malware writers and cybercriminals.

Foremost among them is Apple’s insistence that mobile application developers verify their identity before they can publish applications. That includes submitting actual identifying documents, such as a Social Security Number or official articles of incorporation.

“There’s something that gets back to you,” Guido said. “That way, when Apple finds a malicious application, there’s the possibility that you could suffer real world punishment.”

In contrast, Google’s Android Market and Google Play platforms have much more generous terms for developers, who need only pay a small ($25) fee and agree to abide by the company’s Developer Distribution Agreement to begin publishing. That low bar makes it easy for malicious authors to get their wares out to hundreds of millions of Android users, according to Guido.

“You can upload dozens of applications at once. If any get banned, you can just resign, sign up under a new identity and resubmit them,” Guido said.

Beyond that, Guido said that Apple’s iOS ecosystem has put controls in place that squeeze malware authors in other ways. Its automated and manual application vetting includes static analysis of compiled binaries, which makes it very difficult for developers to simply repackage an existing legitimate application with a malicious payload for sale on the App Store. That blocks Trojaned applications like the DroidDream malware, which frequently popped up on Google’s Android Market.
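The repackaging check described above, as an added illustration that is not part of the original article and is not Apple’s or Google’s own review tooling: a static comparison of a submitted bundle’s executable files against already-published apps, flagging a submission that reuses a known app’s code while adding executable files or permissions. The bundle representation (a dict of path to bytes), the manifest format, the thresholds and the sample apps are all constructed assumptions.

```python
"""Static repackaging check for submitted app bundles.

Added example, not code from the article or from Apple's or Google's review
tooling. It models the check the article describes (static comparison of
compiled binaries) at the level of whole-file hashes. The package layout
(dict of path -> bytes), the manifest format and the thresholds are
assumptions chosen for illustration.
"""
import hashlib

# Assumption: these extensions are the executable content worth comparing.
CODE_SUFFIXES = (".dex", ".so", ".dylib")


def file_hashes(package):
    """Map each path in the bundle to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in package.items()}


def code_items(package):
    """Set of (path, hash) pairs for executable files only; resources are ignored."""
    return {(p, h) for p, h in file_hashes(package).items() if p.endswith(CODE_SUFFIXES)}


def permissions(package):
    """Parse the constructed manifest format: one 'permission: NAME' line per entry."""
    manifest = package.get("manifest.txt", b"").decode("utf-8")
    return {line.split(":", 1)[1].strip()
            for line in manifest.splitlines() if line.startswith("permission:")}


def jaccard(a, b):
    """Overlap between two sets, from 0.0 (disjoint) to 1.0 (identical)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def analyze(submission, known_apps, min_overlap=0.6):
    """Compare a submission against a catalogue of already-published apps.

    Returns a dict with:
      verdict  - 'new' (no close match), 'unchanged' (same code and permissions
                 as a known app) or 'repackaged' (a known app's code plus
                 added executable files or added permissions)
      match    - name of the closest known app, or None
      overlap  - Jaccard overlap of executable files with that app
      added_code / added_permissions - what the submission adds on top of it
    """
    sub_code = code_items(submission)
    best_name, best_score, best_code = None, 0.0, set()
    for name, pkg in known_apps.items():
        known_code = code_items(pkg)
        score = jaccard(sub_code, known_code)
        if score > best_score:
            best_name, best_score, best_code = name, score, known_code
    if best_name is None or best_score < min_overlap:
        return {"verdict": "new", "match": None, "overlap": best_score,
                "added_code": [], "added_permissions": []}
    added_code = sorted(path for path, _ in sub_code - best_code)
    added_perms = sorted(permissions(submission) - permissions(known_apps[best_name]))
    verdict = "repackaged" if (added_code or added_perms) else "unchanged"
    return {"verdict": verdict, "match": best_name, "overlap": best_score,
            "added_code": added_code, "added_permissions": added_perms}


# Constructed sample bundles (not real apps). The bytes stand in for compiled code.
LEGIT = {
    "classes.dex": b"dex\n legit app code",
    "lib/libnative.so": b"\x7fELF native helper",
    "lib/libcrypto.so": b"\x7fELF crypto helper",
    "res/icon.png": b"\x89PNG original icon",
    "manifest.txt": b"package: com.example.photofun\npermission: INTERNET\n",
}
TROJANED = dict(LEGIT)
TROJANED["res/icon.png"] = b"\x89PNG retouched icon"   # resource change: ignored
TROJANED["payload.dex"] = b"dex\n dropper"              # added executable code
TROJANED["manifest.txt"] = (b"package: com.example.photofun.free\n"
                            b"permission: INTERNET\npermission: READ_CONTACTS\n"
                            b"permission: SEND_SMS\n")
UNRELATED = {
    "classes.dex": b"dex\n completely different app",
    "manifest.txt": b"package: com.example.other\npermission: INTERNET\n",
}
KNOWN_APPS = {"PhotoFun": LEGIT}

if __name__ == "__main__":
    for label, pkg in (("legit", LEGIT), ("trojaned", TROJANED), ("unrelated", UNRELATED)):
        print(label, analyze(pkg, KNOWN_APPS))
```

Whole-file hashing catches the wholesale reuse the article describes (a legitimate app shipped with an extra payload and extra permissions). An attacker who patches the original code file in place lowers the overlap instead, which is why a production check compares at finer granularity, for example per class or per function, rather than per file.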

Further, Apple rejects applications that use self-modifying code, which could behave legitimately or maliciously depending on the context in which it is run. Apple’s decision to ban star researcher Charlie Miller from its developer program for submitting an application that could dynamically update its runtime code was proof that the company takes that prohibition seriously, Guido said.

“Of course, they knew who Charlie was when he submitted that,” he said.

In contrast, Google’s early decision to allow self-modifying applications in the Android Market means that attempts to spot malicious applications using its Bouncer dynamic analysis technology will likely miss a healthy percentage of them, he said.

Despite the researchers’ dour views on the security of Android, both Guido and Arpaia said that, based on their survey, much of the coverage of mobile security issues and mobile malware is overblown and misses the point.

“People blab about ‘there are so many vuln(erabilitie)s.’ It’s like the sky is falling,” Guido said. “The truth is that every piece of software we use is vulnerable. These things are a fact of life and we have to learn to live with them.”

But Guido said that his study of the contemporary mobile malware scene revealed a shocking lack of sophistication. Every piece of Android malware surveyed relied on one of three operating system exploits, all of them developed by people looking to jailbreak the platform, not by malware authors.

Rather than focusing on vulnerabilities in the underlying platform, enterprises and the security community should look for easy ways to break the mobile “kill chain”: for instance by limiting access to mobile stores, enforcing accountability for application developers, and limiting what applications can do after they are installed. Beyond that, the security community should start to rank mobile threats based on how difficult they would be to carry out and on the access they would provide to data useful to attackers, in particular data that could be resold. And when it comes to thwarting attacks, both platform makers and the security community should focus on making the repercussions for writing mobile malware real, by making it easy to get caught and punished, Guido said.

(*) comScore data

Editor’s note: This story originally included incorrect information on Apple’s smart phone market share in the U.S. The story has been updated with the correct market share data. (4/20/2012) 




Corporate Security Accountability

To ensure consumer information is well protected, corporate security accountability must be established at the highest levels. Companies in industries where consumer personal information is needed to execute business transactions, such as banking and healthcare, must be held accountable for protecting the information they collect from their customers. This accountability should apply not only to protecting the information they have already collected but also to the amount of information they collect in the first place. Companies sometimes collect more information from their customers than their business needs, placing both the company and consumers at risk.

Corporate security accountability means taking information protection seriously and ensuring all the required controls are in place to protect consumer personal information. Once the controls are in place, they must not be overridden, especially by executive management, unless a very good justification exists. Corporate accountability is sometimes imposed by federal and state laws; however, I think consumer information protection should be part of reasonable business practices to ensure long-term consumer trust, loyalty and business relationships.

Corporate security accountability includes many components, such as designating a competent Information Security Officer, also known as a CSO, ISO or CISO. The ISO is then responsible for implementing and maintaining an information security program that includes policies and standards to be followed by all employees without exception, including members of executive management.

I have witnessed many times corporate executives demanding policy overrides, asking for passwords that never expire or for more inactivity time before the computer is locked. This indicates that either senior management doesn’t understand the risks their actions pose to the company and the customers they are charged to protect, or they absolutely don’t care about information security and only think about making their life a little easier at work. Typically, executives have access to more corporate resources, whether computer systems or locations and buildings. As such, they should be subject to more security, not less, compared to the general population of the company.

In most regulated industries where consumer information is routinely collected as part of business operations, an Information Security Officer is hired and charged with protecting the company’s information assets, whether business information or consumer personal information. If the ISO is not supported with adequate budget and authority by the company’s executive management, the ISO will not be effective in executing his or her job responsibilities. During major, publicized corporate security breaches, the finger is almost always pointed at the ISO, even if he or she was never given the power to protect the confidential information. You may then wonder why a company would appoint an ISO and never provide the right resources. Sometimes it is because the laws the company must comply with require an ISO on the organizational chart, which gives the appearance of accountability; when a security breach gets out of hand and can’t be swept under the rug, the ISO gets fired to portray an image of corporate responsibility and leadership to outsiders. However, these tricks don’t work any more: consumers are more aware than ever of their rights and of business obligations, thanks in part to the awareness that websites like this one provide.

Please visit the legal section of this site to learn about corporate security accountability laws.




