Peter Wood and his team conduct ethical hacking engagements for multi-national organisations in varied business sectors. Peter will address the top three emerging threats, how they affect the attack surface of a typical business and how they can be exploited.
Need more information?
Peter Wood
Chief Executive Officer
First•Base Technologies LLP
peterw@firstbase.co.uk
http://firstbase.co.uk
http://white-hats.co.uk
http://peterwood.com
Blog: fpws.blogspot.com
Twitter: peterwoodx
Editor's notes
Activity monitoring and data retrieval are the core functionality of any spyware. Data can be intercepted in real time as it is being generated on the device. Examples would be sending each email sent on the device to a hidden third-party address, letting an attacker listen in on phone calls, or simply recording through an open microphone. Stored data such as a contact list or saved email messages can also be retrieved.
Secret SMS Replicator for Android: http://www.switched.com/2010/10/28/sms-replicator-forwards-texts-banned-android/
RBackupPRO for Symbian: http://www.theregister.co.uk/2007/05/23/symbian_signed_spyware/
Sensitive data leakage can be either inadvertent or side channel. A legitimate app's use of device information and authentication credentials can be poorly implemented, thereby exposing this sensitive data to third parties.
Location
Owner ID info: name, number, device ID
Authentication credentials
Authorization tokens
http://boingboing.net/2009/11/05/iphone-game-dev-accu.html
Citigroup warned customers of a security flaw in its free iPhone app and urged customers to update to the newest version, which fixes the problem. The Citigroup iPhone app accidentally stored sensitive customer information, potentially exposing it to compromise. Banks have been on the cutting edge--developing apps for smartphone platforms that let users view account balances, transfer funds, review pending transactions, make payments, and more. There are an estimated 18 million mobile banking customers in the United States, of which Citi has about 800,000--placing them in fifth place behind banks such as Bank of America. The security concern in the Citigroup iPhone app is related to a file within the app that is accidentally storing sensitive information. Data such as account numbers, bill payments and security access codes are stored on the iPhone where they could be accessed later by attackers or other unauthorized users.
http://www.pcworld.com/businesscenter/article/201994/citi_iphone_app_

Wells Fargo Mobile Application for Android contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the program stores a username and password, along with account balances, in cleartext, which will disclose sensitive banking information to a physically present attacker who reads the application data.
http://osvdb.org/show/osvdb/69217
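A pre-release check for the cleartext-storage flaw described in the Citigroup and Wells Fargo notes above, as an added example that is not part of the original presentation: sign in to a test build with canary credentials, copy out the app's data directory, and search every file for those values in the encodings they commonly end up in. The canary values, file names and directory layout below are constructed for the demonstration.

```python
import base64
import os
import tempfile
from urllib.parse import quote


def encodings_of(secret):
    """Byte patterns under which a secret commonly ends up on disk."""
    raw = secret.encode("utf-8")
    forms = {"utf-8": raw, "utf-16le": secret.encode("utf-16-le"),
             "base64": base64.b64encode(raw),  # matches only a whole encoded value
             "hex": raw.hex().encode("ascii")}
    url = quote(secret, safe="").encode("ascii")
    if url != raw:  # skip when URL-encoding changes nothing, to avoid double hits
        forms["url-encoded"] = url
    return forms


def scan_app_data(root, canaries):
    """Return sorted (relative_path, canary_name, encoding) hits under root."""
    patterns = [(name, enc, pat)
                for name, value in canaries.items()
                for enc, pat in encodings_of(value).items()]
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:  # raw bytes: also covers SQLite and binary plists
                blob = fh.read()
            for name, enc, pat in patterns:
                if pat in blob:
                    findings.add((os.path.relpath(path, root), name, enc))
    return sorted(findings)


def demo():
    """Build a constructed app sandbox with two leaks and scan it."""
    canaries = {"password": "Zq7!canary-PW", "account": "4000123499990001"}  # test-only values
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "Library", "Caches")
        os.makedirs(cache)
        with open(os.path.join(cache, "session.log"), "wb") as fh:
            fh.write(b"login ok user=test pass=Zq7!canary-PW\n")
        with open(os.path.join(root, "prefs.xml"), "wb") as fh:
            fh.write(b"<string>" + base64.b64encode(b"4000123499990001") + b"</string>")
        return scan_app_data(root, canaries)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Any hit means the value is recoverable by whoever can read the application data; an encoded hit (base64, hex) is still cleartext for this purpose.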
With a vast increase in the number of people working from home or on the move, wireless networking has become pervasive. The average home user doesn’t want to know about the complexities of wireless security (WPA PSK versus WEP etc.), so most home wireless networks are inadequately protected or just plain open. The same is true of many wireless hot spots, of course: if you don’t have to authenticate and enter a key, then it’s unlikely to be safe.
Many people don’t understand that wireless networking is like a wired hub – there is no packet switching, so anyone connected to an open wireless access point can see everyone else’s traffic. Again, discovering how to do this isn’t hard and the tools are free. A criminal attacker could be sitting some distance away with a directional antenna and watching everything on the unprotected network.