STE WILLIAMS

Brazilians whacked: Crooks hijack bank’s DNS to fleece victims

Rather than picking off online banking customers one by one, ambitious hackers took control of a Brazilian bank’s entire DNS infrastructure to rob punters blind.

The heist, detailed by security engineers at Kaspersky Lab, took place over about five hours on Saturday October 22, 2016, after the miscreants managed to get control of the bank’s DNS hosting service using targeted attacks. They managed to transfer all 36 of the bank’s domains to phony websites that used free HTTPS certs from Let’s Encrypt. These sites masqueraded as the bank’s legit online services, tricking marks into believing the malicious servers were the real deal. That allowed the crims to steal customers’ usernames and passwords as they were typed into the sites’ login boxes.

“All domains, including corporate domains, were in control of the bad guy,” said Fabio Assolini, a senior security researcher at Kaspersky, in a blog post. He said the attackers also took over the bank’s email servers so that staff couldn’t warn customers not to log in.

During the attack, every time a customer logged in, they were handing over their details to the attackers, all of which were sent off to a command and control server in Canada. In addition, the dummy websites dropped malware onto each visitor’s computer in the form of .zip’d Java plugin files: clicking on those would start an infection on machines capable of running the malicious code.

The malware had eight separate modules, covering abilities like credential-stealing for Microsoft Exchange, Thunderbird, and the local address book, updating systems, and a program called Avenger. This software is a legitimate rootkit removal tool that had been modified to shut down security software on any computer that downloaded it.

“The bad guys wanted to use that opportunity to hijack operations of the original bank, but also drop malware with the capacity to steal money from banks of other countries,” said Dmitry Bestuzhev, director of Kaspersky Lab’s global research and analysis team in Latin America.

The burst of malware did set off alarms elsewhere, and the source was traced back to the bank. Security staff managed to get the original DNS credentials restored to the bank; however, the attack shows the importance of managing such things much more tightly.

“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev said. “If DNS was under control of the criminals, you’re screwed.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/hackers_take_over_banks_dns_system/

Online Trust Alliance merges with Internet Society

Key internet standards-making body the Internet Society (ISOC) and security and privacy org the Online Trust Alliance (OTA) are merging.

The move, announced Wednesday, sees an important standards-driver combining with an org that has guided best practices for the commercialisation of the web.

From now on the OTA will operate within the Internet Society. Existing OTA initiatives such as the annual Online Trust Audit and Cyber Incident Response Guide, and the Internet of Things (IoT) Trust Framework, will be retained and expanded, the new org said.

“OTA and ISOC are excited to join forces in order to improve online trust, enhance data security, promote responsible privacy practices, and bolster the development and use of an open internet,” said OTA president and executive director, Craig Spiezle. “By working together, OTA’s vision and mission will be sustained and amplified with the resources, reach and stature of the Internet Society.”

Internet Society president and chief exec Kathryn Brown added: “At a time when cyber-attacks and identity theft are on the rise, this partnership will help improve security and data privacy for users.”

OTA was founded in 2004, and has since worked with industry leaders to develop technical standards to fight spam, advance Secure Sockets Layer (SSL) and email authentication best practices. More recently it has introduced a foundation for a future IoT certification programme and has worked on measures to address online fraud such as malvertising.

Founded in 1992, the Internet Society is the organisational home of the Internet Engineering Task Force (IETF). It is backed by more than 95,000 individual members and supporters as well as more than 110 organisational members. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/ota_isoc_merger/

Everything’s fine, says Cylance, as one in five workers given the boot

+Comment Prominent next-gen antivirus vendor Cylance has confirmed a wide-ranging restructure involving swingeing job cuts.

In response to queries based on an anonymous tip to El Reg on Tuesday that as many as one in five workers had been shown the door, Cylance confirmed it was restructuring its business without commenting on the job cut numbers that were the focus of our question.

Yes, the company did realign some resources to balance skill sets and focus on our strongest growth areas. Given the rapid growth over the past few years we had to move some resources and redeploy in other areas and this will enable us to continue expanding product lines and customer base globally.

The statement followed an earlier response that painted a rosy picture of Cylance’s business performance.

Cylance has experienced unprecedented growth and each fiscal year we have realigned our resources to support our strategic direction. These changes are a normal part of balancing business needs and company capabilities that we carry out each year. Our focus remains on our customers and removing legacy antivirus and weak protection layers to protect the world from cyber attacks. Cylance is on pace to more than double revenues year over year in FY17.

Cylance, which was founded in 2012, is attempting to differentiate itself in the crowded anti-malware market by emphasising its use of “artificial intelligence” and “machine learning” techniques. The firm closed a $100 million Series D funding round last June. Insight Venture Partners and funds managed by Blackstone Tactical Opportunities led the round. Cylance counts Dell Ventures as an investor and Dell Inc as a technology partner.

The firm boasted 425 employees as well as more than 1,000 customers, including 50 of the Fortune 500, at the time, as well as worldwide launches. Cylance was positioned as a visionary in the 2016 Gartner Magic Quadrant for Endpoint Protection Platforms.

+Comment

It all sounds very impressive. We’ve seen Cylance’s booth at shows like Black Hat drawing in the sysadmin and CISO crowd for cut-down demos of its technology (the full-fat Cylance Unbelievable presentations to media last a bladder-challenging two hours plus). Potential customers are interested in the ability of its technology to offer a much smaller footprint and more agility in defending against new threats than competitors such as Symantec and McAfee.

If there is a fly in the ointment then it’s significant false positives. Cylance is said to flag up everything from software deployment packages to Office365 automatic updates as potentially malign, although it contests this (PDF).

Resolving this might involve whitelisting and other measures, we’re told, contrary to claims of easy deployment. If the issue is as bad as we’re led to believe then it would explain why pilot programs in Fortune 500 firms aren’t graduating to prime time, or at least not at the rate Cylance’s investors might have hoped for. This might all turn out to be a teething problem but it does illustrate, once again, that the computer malware problem is a tough nut to crack, despite frequent and long-standing marketing claims to the contrary. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/cylance_restructuring/

More evidence that Android is the most targeted mobile device

Thanks to Rowland Yu of SophosLabs for providing the research for this article.

A recent SophosLabs statistical analysis comparing the ratio of malware to potentially unwanted applications (PUA) across Windows, Mac and Android illustrates a trend we’ve been seeing for some time: attackers are heavily focused on Android devices.

The analysis also shows the bad guys using PUAs to slip past security sensors and penetrate Android and Mac devices.

When we pull back the lens on the bigger picture, Windows continues to be the most-targeted of all operating systems, SophosLabs researcher Rowland Yu said. But the ferocity against Android is clear.

Follow the money

In an email exchange, Yu reiterated a point we’ve made in the past: the more open the system, the more susceptible it is to malware:

On the other hand, if the system has its own app store such as Mac and Android – or undergoes a system or human review – then malware writers will use PUA instead of malware.

Malware writers see PUA as a way to more easily bypass security systems and achieve the same end goal they have with other malware – making money, Yu said. 

By the numbers

A look at the raw volume of samples analyzed by SophosLabs in 2016 painted the following picture:

  • Of everything targeting Windows, 6% was PUAs while 95% was straight-up malware.
  • Of everything targeting Android, 75% was pure malware and 25% was PUAs.
  • Of everything targeting Macs, 6% was pure malware and 94% was PUAs.

While malware is designed to do harm, PUAs fall more into the nuisance category: annoying apps that run ads and pop-ups until you finally uninstall them.

Android malware examined

In the SophosLabs 2017 malware forecast released in February, the researchers explored the specific malware designed for Android devices.

SophosLabs analysis systems processed more than 8.5m suspicious Android applications in 2016. More than half of them were either malware or potentially unwanted applications (PUA), including poorly behaved adware.

When the lab reviewed the top 10 malware families targeting Android, Andr/PornClk was the biggest, accounting for more than 20% of the cases reviewed in 2016. Andr/CNSMS, an SMS sender with Chinese origins, was the second largest (13% of cases), followed by Andr/DroidRT, an Android rootkit (10%), and Andr/SmsSend (8%). The top 10 are broken down in this pie chart:

Defensive measures

Though Android security risks remain pervasive, there’s plenty users can do to minimize their exposure, especially when it comes to the apps they choose.

  • Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Consider using an Android anti-virus. By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “cooler camera” and “funkier screen”?

If you use a Mac, our recommendations typically include using a real-time anti-virus, even (or perhaps especially) if you have managed unharmed for years without one, and promptly downloading security updates as Apple releases them.

Similar advice applies to malware and PUAs targeting Windows. Apply patches immediately and be careful of attachments and links delivered via Outlook.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/1qfXlyX9YxM/

US border cops must get warrants to search citizens’ gadgets – draft bipartisan law emerges

Four members of Congress – two Republicans and two Democrats – have introduced legislation that steers US border officials toward obtaining warrants before searching American citizens’ phones and laptops.

The Protecting Data at the Border Act would not only require a warrant from a judge to rummage through citizens’ devices, but would also institute a four-hour time limit for detaining Americans at the border.

This would raise the bar for carrying out searches beyond a simple hunch or suspicion of anyone who looks vaguely Middle Eastern: under the proposed law, border officers must show probable cause, meaning they must convince a judge the search is reasonable and that evidence of wrongdoing is likely to be found.

Right now, anyone – citizen or not – entering the Land of the Free™ can be subject to warrantless probing of their electronics, which can be seized for further study in the lab for months if necessary. It’s just that citizens can’t be prevented from entering their home country: you can have your equipment taken and scanned, you can be questioned for hours, but you’re still ultimately allowed in. Foreigners, on the other hand, have no such protections: they can be searched, grilled, and sent back the way they came, if immigration officials deem them to be a problem.

The draft legislation – which is still in its early stages – is essentially designed to make it a lot tougher to stop and search citizens on the spot when they return to the US of A. However, the bill is weighed down with one major caveat. If officers have serious concerns about a traveller but have no time to get a warrant, they can seize the electronics and later apply for a warrant retroactively. If the warrant application fails, all the information harvested must be destroyed and may not be used in further prosecutions.

We suspect this exception, which is available for pressing national security purposes, was written in to ensure the bill has bipartisan support. We have no idea whether or not border officials will trigger this caveat on a regular basis, if this law is passed.

The act has big-name backing: it is sponsored in the Senate by Ron Wyden (D-OR) and Rand Paul (R-KY), with support in the House of Representatives from Jared Polis (D-CO) and Blake Farenthold (R-TX).

“Americans’ Constitutional rights shouldn’t disappear at the border,” said Senator Wyden.

“By requiring a warrant to search Americans’ devices and prohibiting unreasonable delay, this bill makes sure that border agents are focused on criminals and terrorists instead of wasting their time thumbing through innocent Americans’ personal photos and other data.”

While border patrol has carte blanche within 100 miles of America’s boundaries, a 2014 Supreme Court ruling took away warrantless searches from police officers.

“As the Supreme Court unanimously recognized in 2014, innovation does not render the Fourth Amendment obsolete,” said Senator Paul.

“It still stands today as a shield between the American people and a government all too eager to invade their digital lives. Americans should not be asked to surrender their rights or privacy at the border, and our bill will put an end to the government’s intrusive practices.”

“The government should not have the right to access your personal electronic devices without probable cause,” Representative Polis said.

“Whether you are at home, walking down the street, or at the border, we must make it perfectly clear that our Fourth Amendment protections extend regardless of location. This bill is overdue, and I am glad we can come together in a bicameral, bipartisan manner to ensure that Customs and Border Patrol agents don’t continue to violate essential privacy safeguards.”

As for the rest of you, life could get a lot worse

On the same day that the new legislation was introduced, the Wall Street Journal reports that the Trump administration is planning even more “extreme vetting” of foreigners coming to the US than first thought.

Multiple government sources whispered that the White House wants to give immigration agents the right to demand not only devices, but also social media account and online banking passwords, plus access to photographs and emails of anyone coming into the US. That could include folks from Uncle Sam’s old allies – such as France and Germany – that have existing visa-waiver arrangements for tourists.

Officials are also considering questioning those seeking to enter the US about their personal beliefs. A Department of Homeland Security bigwig said questions could include how they view the treatment of women in society, whether they value the “sanctity of human life,” and who they view as a legitimate target in a military operation.

The proposed rule changes could wreak havoc with travelers to America. For UK and other visa-waiver travelers, all it takes to get clearance to come to the US is filling out an online ESTA application before flying. If users also have to hand over their social media and email passwords then they may pick somewhere else for their holidays.

Business travelers too might well be dissuaded – potentially giving a boost to the videoconferencing business, or commerce in rival nations. But there would also, most likely, be a knock-on effect for US travelers, as has been shown before: other countries will start demanding personal and sensitive info from visiting Americans.

In 2004, the US government introduced a new rule requiring Brazilian visitors to be fingerprinted and photographed when entering America. In retaliation the Brazilians introduced the same rule for Americans entering their country, and the results weren’t good.

Long lines ensued at Brazilian airports and a frustrated American Airlines pilot, Dale Robin Hersh, was fined $12,750 after he made an obscene gesture when being photographed entering the South American country. He paid up and charges were dropped.

If other countries start insisting that US citizens open up their email and social media accounts, there will be a load of angry Americans, on top of a lot of angry people trying to visit America, creating a nightmare for tourism industries. This is aside from the fact that it will give foreign governments, as well as Uncle Sam, the go-ahead to vacuum up globetrotters’ personal info in the name of border security. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/safeguard_americans_data_border_cops/

Apple fans, Android world scramble to patch Broadcom’s nasty drive-by Wi-Fi security hole

Yesterday, Apple rushed out an emergency patch to plug a severe security hole that can be exploited to wirelessly and silently commandeer iPhones, iPads and iPods.

Now we know why: this remote-code execution vulnerability lies in Broadcom’s Wi-Fi stack, which Apple uses in its handhelds. Many other handsets also use Broadcom’s naff chipset, and, as a result, we expect – and hope – a lot of other phone and tablet makers push out patches: any gadget using Broadcom’s vulnerable tech is at risk to over-the-air hijacking, not just Apple’s iThings.

Here’s a summary of the work by Google Project Zero’s Gal Beniamini: the firmware running on Broadcom’s wireless system-on-chip (SoC) can be tricked into overrunning its stack buffers. He was able to send carefully crafted wireless frames, with abnormal values in the metadata, to the Wi-Fi controller to overflow the firmware’s stack, and combine this with the chipset’s frequent timer firings to gradually overwrite specific chunks of device RAM until arbitrary code is executed.

In other words, an attacker simply needs to be within Wi-Fi range to silently take over an at-risk Apple or Android device. Beniamini today detailed his research in this epic 8,500-word blog post.

What he found is that Broadcom’s “firmware implementation … lags behind in terms of security. Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection.”

Android devices that use Broadcom’s crappy SoC software include the Nexus 5, 6 and 6P, most Samsung flagship devices, plus all iPhones since the iPhone 4 and newer iPods and iPads: these will all need patching as soon as updates are available. The proof-of-concept exploit detailed in the blog post was successfully performed on an up-to-date Nexus 6P running Android 7.1.1 version NUF26K.

Project Zero didn’t go to work as a hit job on Broadcom, Beniamini says. Rather, most vulnerability research focuses on application processors. Peripherals like Broadcom’s Wi-Fi SoC don’t get the same degree of scrutiny, and Broadcom is the nine-hundred-pound gorilla in the business.

Smartphone system components

Only the beginning: the Wi-Fi SoC is just one attack surface in a smartphone

After a lot of work to extract and analyse the chip’s firmware – the blog post thanks various peeps for their assistance – and identify the Wi-Fi handling code in the binary image, Beniamini settled on Broadcom’s implementation of tunneled direct link setup (TDLS).

Published as a standard in 2011 and given Wi-Fi Alliance certification in 2012, TDLS lets devices exchange data as peers, without passing data through an access point, as long as they’re both associated with the same access point – for example, to send video from a phone to a Chromecast without clogging up the rest of the network.

TDLS has two characteristics that make it an attractive attack vector:

  • It’s an automatic process that doesn’t demand user interaction.
  • Because it’s a peer-to-peer process, an attacker doesn’t have to route packets through an access point to get to the victim.

It turned out that TDLS frames had fields that could cause the firmware to overrun its buffers. “Putting it all together we can now hijack a code chunk to store our shellcode, then hijack a timer to point it at our stored shellcode. Once the timer expires, our code will be executed on the firmware,” Beniamini explained.
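The bug class described here, as an added illustration that is not Project Zero’s or Broadcom’s code: a TLV-style element parser that trusts the length byte carried in the frame, beside a bounds-checked version. The element layout, the IE_MAX buffer size and the guard bytes are assumptions standing in for a firmware stack frame; the hostile element is constructed for the demo.

```c
/* Added illustration (not Project Zero's or Broadcom's code) of the bug
 * class described above: a TLV element parser that trusts the length byte
 * carried in the frame. The element layout, IE_MAX and the guard bytes are
 * assumptions standing in for a firmware stack frame. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_MAX  32      /* body size the parser was written for            */
#define GUARD   4       /* bytes after the body: stands in for the saved   */
                        /* return address on a real stack                   */
#define CANARY  0xA5    /* known value so clobbering is detectable          */

/* Simulated stack frame: element body followed by guard bytes. */
typedef struct { uint8_t mem[IE_MAX + GUARD]; } frame_slot;

static void slot_init(frame_slot *s) {
    memset(s->mem, 0, IE_MAX);
    memset(s->mem + IE_MAX, CANARY, GUARD);
}

/* 1 if the guard bytes are untouched (what a stack cookie check tests). */
int slot_guard_intact(const frame_slot *s) {
    for (size_t i = 0; i < GUARD; i++)
        if (s->mem[IE_MAX + i] != CANARY) return 0;
    return 1;
}

/* Vulnerable pattern: element is [id][len][body...]; len comes from the
 * frame, so a peer controls how many bytes land in a fixed-size buffer.
 * Returns the body length copied, or -1 if there is no header at all. */
int ie_parse_unchecked(const uint8_t *elem, size_t elem_len, frame_slot *s) {
    if (elem_len < 2) return -1;
    uint8_t len = elem[1];
    memcpy(s->mem, elem + 2, len);      /* no check against IE_MAX */
    return len;
}

/* Hardened version: length must fit both the buffer and the bytes actually
 * present in the frame. Returns body length, or -1 on a malformed element. */
int ie_parse_checked(const uint8_t *elem, size_t elem_len, frame_slot *s) {
    if (elem_len < 2) return -1;
    size_t len = elem[1];
    if (len > IE_MAX) return -1;        /* would overrun the buffer   */
    if (len > elem_len - 2) return -1;  /* claims more than received  */
    memcpy(s->mem, elem + 2, len);
    return (int)len;
}

/* Constructed hostile element: made-up id 0x7e, length IE_MAX + GUARD,
 * body filled with 0x41. Sized so the unchecked copy stays inside the
 * simulated slot (a demo of the pattern, not a real overflow of the C stack). */
#define HOSTILE_LEN (IE_MAX + GUARD)
static const uint8_t *hostile_element(size_t *out_len) {
    static uint8_t buf[2 + HOSTILE_LEN];
    buf[0] = 0x7e;
    buf[1] = HOSTILE_LEN;
    memset(buf + 2, 0x41, HOSTILE_LEN);
    *out_len = sizeof buf;
    return buf;
}

/* Runs the hostile element through a parser; returns 1 if the guard
 * survived, 0 if the parser clobbered it. */
int guard_survives(int (*parse)(const uint8_t *, size_t, frame_slot *)) {
    size_t n;
    const uint8_t *e = hostile_element(&n);
    frame_slot s;
    slot_init(&s);
    parse(e, n, &s);
    return slot_guard_intact(&s);
}

/* Sanity check: a well-formed 3-byte element is accepted by the checked parser. */
int checked_accepts_valid(void) {
    const uint8_t ok[] = { 0x7e, 3, 0x01, 0x02, 0x03 };
    frame_slot s;
    slot_init(&s);
    return ie_parse_checked(ok, sizeof ok, &s) == 3 && slot_guard_intact(&s);
}

int main(void) {
    printf("unchecked parser: guard %s\n",
           guard_survives(ie_parse_unchecked) ? "intact" : "CLOBBERED");
    printf("checked parser:   guard %s\n",
           guard_survives(ie_parse_checked) ? "intact" : "CLOBBERED");
    return 0;
}
```

The guard bytes play the role a stack cookie plays on the firmware: with the unchecked parser they are overwritten, which is the condition the missing mitigation would have caught; with the length check the copy never reaches them.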

Beniamini has promised a follow-up post explaining how to escalate the injected code from running on the SoC to running on the main application processor.

Broadcom said its latest firmware now uses the Wi-Fi SoC’s ARM Cortex R4 core’s built-in memory protection mechanisms to prevent code running from the stack. These mechanisms were effectively disabled on the versions probed by Beniamini, and all memory was marked as readable, writable and executable, rendering exploitation easy peasy.

Broadcom added that it is “considering implementing exploit mitigations in future firmware versions.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/broadcom_wifi_chip_bugs/

RAT-catchers spot new malware attacking South Korean word processor

Cisco Talos researchers reckon South Korean users are again under attack from a new malicious RAT (remote administration tool) they’ve dubbed ROKRAT.

Back in February, the security researchers reported an attack that used a compromised government website to distribute malware in macro-laden documents attacking users of the local-language word processor Hangul.

The new attack posted Monday again uses Hangul documents in phishing e-mails to carry the payload, this time ROKRAT.

The RAT uses Twitter, Yandex and Mediafire for command-and-control and data exfiltration, since these are “difficult to block globally” because they’re legitimate business tools, and also because their use of HTTPS makes it hard to spot at the firewall.

If the RAT finds it’s been installed on Windows XP, it puts itself into an infinite sleep; if it executes, it checks the victim’s process list to see whether they’re running antivirus or analytical tools like Wireshark.

“If any of these processes are discovered running on the system during this phase of execution, the malware jumps to a fake function which generates dummy HTTP traffic. Additionally, we discovered that if the malware is being debugged or if it was not executed from the HWP document (i.e. double clicking the binary) or if the OpenProcess() function succeeds on the parent process, the fake function is also called”, Talos notes.

If it’s executed in a sandbox, ROKRAT tries to conceal itself by firing off requests to Amazon and Hulu.

As well as the Twitter/Yandex/Mediafire C&C connections, the RAT includes a screen-shot uploader and a keylogger.

The main point of interest in ROKRAT’s infection technique is that it uses an old Encapsulated PostScript exploit, CVE-2013-0808. The malicious document contains shellcode masquerading as a Hangul document. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/rokrat_malware/

Schneider Electric still shipping passwords in firmware

That “don’t use hard-coded passwords” infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electric’s developers’ eyes so they don’t forget it.

Yes, it’s happened again, this time on the SCADA vendor’s Schneider Modicon TM221CE16R, Firmware 1.3.3.3 – and without new firmware, users are stuck, because they can’t change the password.

It’s a real Friday-afternoon-special: someone encrypted the user/password XML file with the fixed key “SoMachineBasicSoMachineBasicSoMa”.

That means an attacker can open the control environment (SoMachine Basic 1.4 SP1), get and decrypt the user file, and take over.

As the discoverers, Simon Heming, Maik Brüggemann, Hendrik Schwartke and Ralf Spenneberg of Germany’s Open Source Security, note, they went public because Schneider didn’t respond to their contact.

The same group dropped another treat, again from Schneider, again on the TM221CE16R, Firmware 1.3.3.3 hardware: the password protecting its applications can be retrieved remotely without authentication.

A user need only send the command below over Modbus using TCP Port 502:

echo -n -e '\x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00' | nc IP 502

“After that the retrieved password can be entered in SoMachine Basic to download, modify and subsequently upload again any desired application”, they write.
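From the defender’s side, as an added example that is not the article’s or the researchers’ code: a small Modbus/TCP request inspector of the kind that would run on a mirror port in front of a PLC. It decodes the MBAP header and flags function codes outside the public set of the Modbus Application Protocol specification; the page_frame bytes are taken from the command quoted above (whose function code, 0x5a, is not a public one), while bench_frame is a constructed benign Read Holding Registers request.

```c
/* Added example, not code from the article or from the researchers it
 * quotes: a Modbus/TCP request inspector for a defender's network sensor.
 * It decodes the MBAP header and flags function codes outside the public
 * set of the Modbus Application Protocol spec. page_frame is reconstructed
 * from the command quoted above; bench_frame is a constructed benign request. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { MB_MALFORMED = 0, MB_PUBLIC = 1, MB_NON_PUBLIC = 2 };

struct mbap {
    uint16_t transaction_id;
    uint16_t protocol_id;    /* must be 0 for Modbus */
    uint16_t length;         /* bytes that follow, unit id included */
    uint8_t  unit_id;
    uint8_t  function;       /* first byte of the PDU */
    const uint8_t *data;     /* PDU bytes after the function code */
    size_t   data_len;
};

/* Decode the 7-byte MBAP header plus function code. Returns 0 on success,
 * negative if the frame is short, not Modbus, or its length field lies. */
int mbap_parse(const uint8_t *buf, size_t n, struct mbap *out) {
    if (n < 8) return -1;
    out->transaction_id = (uint16_t)(buf[0] << 8 | buf[1]);
    out->protocol_id    = (uint16_t)(buf[2] << 8 | buf[3]);
    out->length         = (uint16_t)(buf[4] << 8 | buf[5]);
    if (out->protocol_id != 0) return -2;
    if (out->length < 2 || 6u + out->length > n) return -3;
    out->unit_id  = buf[6];
    out->function = buf[7];
    out->data     = buf + 8;
    out->data_len = out->length - 2u;
    return 0;
}

/* Public function codes as listed in the Modbus Application Protocol
 * specification; anything else is reserved, user-defined or vendor-specific. */
int modbus_is_public_fc(uint8_t fc) {
    switch (fc) {
    case 1: case 2: case 3: case 4: case 5: case 6: case 7: case 8:
    case 11: case 12: case 15: case 16: case 17:
    case 20: case 21: case 22: case 23: case 24: case 43:
        return 1;
    default:
        return 0;
    }
}

/* One request in, one verdict out; a sensor would alert on MB_NON_PUBLIC
 * arriving from any host that is not the engineering workstation. */
enum verdict modbus_inspect(const uint8_t *buf, size_t n) {
    struct mbap m;
    if (mbap_parse(buf, n, &m) != 0) return MB_MALFORMED;
    return modbus_is_public_fc(m.function) ? MB_PUBLIC : MB_NON_PUBLIC;
}

/* Bytes of the command quoted in the article: transaction 1, protocol 0,
 * length 5, unit 1, function 0x5a, three payload bytes. */
const uint8_t page_frame[] = { 0x00,0x01, 0x00,0x00, 0x00,0x05, 0x01, 0x5a, 0x00,0x03,0x00 };
const size_t page_frame_len = sizeof page_frame;

/* Constructed benign request: Read Holding Registers (0x03), unit 1,
 * start address 0, quantity 10. */
const uint8_t bench_frame[] = { 0x00,0x02, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0a };
const size_t bench_frame_len = sizeof bench_frame;

/* Function code carried by the quoted command, or -1 if it fails to parse. */
int page_frame_function(void) {
    struct mbap m;
    return mbap_parse(page_frame, page_frame_len, &m) == 0 ? m.function : -1;
}

int main(void) {
    static const char *names[] = { "malformed", "public function code",
                                   "non-public function code" };
    printf("quoted command:  %s (fc 0x%02x)\n",
           names[modbus_inspect(page_frame, page_frame_len)], page_frame_function());
    printf("benign read:     %s\n", names[modbus_inspect(bench_frame, bench_frame_len)]);
    printf("truncated frame: %s\n", names[modbus_inspect(page_frame, 7)]);
    return 0;
}
```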

America’s ICS-CERT classifies Schneider Modicon kit as falling in the “Critical Manufacturing, Food and Agriculture, Water and Wastewater Systems” critical infrastructure sectors – something The Register thinks should make it more careful about putting passwords inside its firmware.

It’s not, after all, the first time it’s had trouble with passwords. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/schneider_istilli_shipping_passwords_in_firmware/

McAfee is McAfee again, promises security with kum ba yah

LOGO WATCH McAfee is McAfee again: the security company that Intel thought was worth US$7.68bn in 2010 and then sold 51 per cent of for $3.1bn in 2016 is now independent once more.

McAfee LLC’s new CEO, a chap named Christopher D. Young, has penned a letter setting out his stall.

It’s a minor masterpiece of ShinyHappyCorpSpeak™, starting with the premise that “Our connected world is under siege by adversaries threatening the digital freedom sacred to us all.”

Next we get “The McAfee we unveil today points to a future of promise, as it stands on this foundation of leadership” and some “our employees are our greatest asset” stuff.

But there’s also some interesting nuggets, such as the admission that “We realize that even one of the largest cybersecurity companies can’t go it alone” and a pledge to start selling “cybersecurity outcomes, not fragmented products.”

Young declares McAfee 3.0* an entity “… that vows to move this industry forward by working with competitors, not just partners.”

If that co-operative stuff is real it could be interesting. But we’re not holding out much hope because the letter also says “We believe the threat defense lifecycle is better when orchestrated as a unified system.”

That’s hard to argue against. But also damnably hard to execute, especially if it involves multiple products from diverse sources. Let’s see how it plays out, shall we? And while we do so, let’s also consider the company’s new SLOGO** (visible here for mobile readers), which the company says “features two interlocking frames that form an open and unified shield, an element long associated with the McAfee brand.”

“The new design reflects our belief that Together is power, a concept so central to the new McAfee brand that we have adopted it as our tagline,” the brand blurb continues. “To depict our pledge to help customers defend all that matters, you’ll see us use the shield to surround images that convey the connected world and the need to protect all aspects of it. A refreshed shade of red, a color strongly associated with both the McAfee brand and power itself, offers a timeless reminder of our enduring commitment to a cybersecurity marketplace we’ve served for more than two decades.”

So now we know what McAfee’s up to. And that whatever you do for a living, it’s probably paid worse, but far more sincere than writing brand blurbs. ®

* McAfee 1.0: McAfee before acquisition. 2.0: McAfee while called Intel Security. 3.0: new McAfee

** That’s a combination slogan and logo, for the uninitiated among you

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/05/mcafee_relaunches/
