STE WILLIAMS

Six cuffed in £1m student readies phishing probe

Scotland Yard’s cybercrime crackdown squad has cuffed suspected crims accused of masterminding a phishing scam that netted more than £1m in cash from hundreds of unsuspecting students.

The Met’s Police Central e-Crime Unit (PCeU) began an investigation in August after a tip-off that students signed up to a government loan scheme had received emails inviting them to update account details via a bogus website ahead of the next term.

However the police action was too late for many undergraduates who were persuaded to hand over their details – the information was used to gain unauthorised access to bank accounts with up to £5,000 extracted in some cases.

The Met said it worked with the Student Loans Company, the banking sector and ISPs as part of the probe, which culminated in raids on properties in the capital, Manchester and Bolton yesterday.

Six individuals – four men and two women – were arrested on suspicion of conspiracy to defraud, breaches of the Computer Misuse Act and money laundering offences, the Met said late on Thursday.

Computers and storage media seized by the officers are in the hands of the forensics team.

Detective Inspector Mark Raymond of the PCeU said: “A great deal of personal information was compromised and cleverly exploited for substantial profits. [We have] disrupted a suspected organised group of cyber criminals and prevented further loss to individuals and institutions in the UK.”

GetSafeOnline.org claimed that research in November 2010 revealed that 23 per cent of UK web users were victims of phishing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/09/met_arrest_phishing_scam/

Download.com sorry for bundling Nmap with crapware

Download.com has apologised for bundling open-source packages, including Nmap and VLC, with crapware toolbar installers.

But Sean Murphy, the vice-president and general manager of CNet’s Download.com, defended the policy of bundling more generally and fell short of endorsing an opt-in policy for software extras.

A row kicked off on Monday after it emerged that users who had downloaded Nmap, a popular network auditing and penetration testing tool, from Download.com found the Babylon Toolbar included by default.

Gordon Lyon (aka Fyodor), the developer of Nmap, cried foul over the way the toolbar was foisted on users. The toolbar – which changes users’ browsing experience, sets the browser’s home page to MSN and makes Bing the default search engine – was also offered to consumers downloading the popular VLC media player software. Fyodor also alleged that Download.com’s installer violates Nmap’s copyright.

Within hours of Fyodor venting his anger online, Microsoft got in touch with him saying, as he puts it, that they “didn’t know they were sponsoring Cnet to trojan open-source software, and that they have stopped doing it”. At around the same time the Nmap installer available from Download.com switched to punting “special offers” from Cnet, and after various other changes it eventually offered a clean install, at least in the case of Nmap.

In a statement (extract below), Murphy said that bundling the toolbar with the open-source package was a mistake:

The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused. In addition to immediately taking Nmap out of the download manager, we reviewed all open source files in our catalog to ensure none are being bundled. It is a Download.com policy not to bundle open source software and we will continue to take pains to ensure this does not happen again.

Cnet’s Nmap installer was initially detected as a Trojan by BitDefender and F-Secure, and as a potentially unwanted program by Panda, McAfee and others, according to an initial report by VirusTotal on Monday. However by Wednesday, of all the major suppliers of anti-virus software, only McAfee reported anything amiss.

Murphy said warnings that the installer might be malware were all false alarms. Download.com is removing the registration requirement for directly fetching files from developers’ websites rather than via its download manager.

It’s unclear whether the apology will be enough to draw a line under the controversy. Proprietary freeware and trial software available from Download.com will still be offered in conjunction with Download.com’s installer packaging. Users can opt-out but many are likely to just follow the default option and accept what they are fed. All this falls far short of an opt-in policy that critics would like Download.com to adopt.

Fyodor has created a webpage with background on the controversy, links to the news articles, and the latest updates here.

Unwrapping the wrapper costs extra

The initial controversy sparked condemnation from security firm Sophos and struck a chord with other developers, who also objected to CNet’s wrapper bundling business practices, albeit for slightly different reasons.

“I pay $79 a year to list my application ‘Chit Chat for Facebook’ on the website, with which I fund development through a toolbar app,” programmer Daniel Offer told El Reg.

“That said, I’ve noted that Cnet have ‘wrapped’ it in a downloader application without notice, which is shameful given that I pay to list my software on their website. Cnet is not the first download site to do this, but it’s eating away at genuine developers’ funds to pay for new development,” he added.

Chit Chat for Facebook is not open source and developers like Offer have the option of getting rid of the wrapper, but only for a price.

“I spoke with Cnet and they told me that I could get rid of their wrapper by ‘opting out by paying $99 a month for their premium service, or by paying for the pay per download’. Everyone is suffering with the recession, but they’re helping to kill the little ISVs which produce so much great software,” he concluded.

A contrasting view comes from Reg reader Charles, who argues download.com was doing nothing untoward (at least in the case of Nmap) and that it’s up to users to check what they are downloading.

“Adding default opt-ins to software is one of the most common practices among vendors, especially where ‘freeware’ is concerned,” he writes. “How do you think the bills get paid? When end users download or install software it is their responsibility, and a very simple one at that, to watch what they are doing. New applications whether from the internet, a CD or DVD should always be inspected or scanned for malware prior to installation, regardless of the source.”

“When I buy an automobile should I expect the dealer to drive it for me? Just how lazy and irresponsible are folks becoming that they cannot watch what they are doing even when it may involve great pain and effort such as opening their eyes or clicking a mouse button or two. These whiners need to wake up and smell the reality,” he concludes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/09/download_nmap_toolbar_row_latest/

Chrome is the most secured browser

Google Chrome offers more protection against online attacks than any other mainstream browser, according to an evaluation that compares exploit mitigations, malicious link detection, and other safety features offered in Chrome, Internet Explorer, and Firefox.

The 102-page report, prepared by researchers from security firm Accuvant, started with the premise that buffer overflow bugs and other security vulnerabilities were inevitable in any complex piece of software. Rather than relying on metrics such as the number of flaws fixed or the amount of time it took to release updates, the authors examined the practical effect protections included by default in each browser had on a wide class of exploits.

Their conclusion: Chrome is the most secured browser, followed closely by Microsoft IE. Mozilla’s open-source Firefox came in third, largely because of its omission of a security sandbox that shields vital parts of the Windows operating system from functions that parse JavaScript, images and other web content.

“We found that Google Chrome did the most sandboxing,” Chris Valasek, who is a senior research scientist for Accuvant, told The Register. “It restricted the movements more than any other browser. Internet Explorer came up a close second because it implemented a sandbox where you could do certain things but you were allowed to do more things than you could in Chrome. Lastly, Firefox came in last because it didn’t implement a sandbox yet.”

The report was commissioned by Google, but the authors insist they had complete autonomy in deciding what metrics to use and what conclusions they made. The researchers have released more than 20MB worth of data, software tools, and methodology so peers may review or build upon the research. The study focused solely on the security offered by Chrome, IE, and Firefox, which when combined account for more than 93 percent of web users, according to the report. All three browsers tested were run on Windows 7.

Their finding is backed up by anecdotal evidence, as well. Chrome has emerged unscathed during the annual Pwn2Own hacker contest for three years in a row, something no other browser entered has done. Reports of in-the-wild exploits that target the browser are also extremely rare.

Not all sandboxes are equal

In much the way traditional sandboxes prevent sand from mixing with grass on a playground, security sandboxes isolate application code inside a perimeter that’s confined from sensitive OS functions. By placing severe restrictions on an application’s ability to read and write to the hard drive and interact with other peripheral resources, sandboxes are designed to lessen the damage attackers can do when they successfully exploit a vulnerability in the underlying code base.

The so-called token in the Chrome sandbox, for instance, doesn’t allow browser processes to access files outside of an extremely limited set of directories. It also forbids them from creating connections known as network sockets to communicate directly with servers over the internet. The sandbox in IE, by contrast, allows browser resources to read almost all parts of a hard drive and puts few restrictions on the creation of network sockets, the researchers said.

As a result, attackers who exploit a vulnerability in the Microsoft browser will have an easier time accessing contacts, documents, and other data stored on the hard drive of a targeted computer and uploading it to a command and control server.

“The Google Chrome token is far more restrictive,” said Accuvant Chief Research Scientist Ryan Smith, who compared tokens to a driver’s license that spells out what vehicles a holder is permitted to drive and other conditions, such as whether eyeglasses are required. “It’s more like a learner’s permit, whereas the Internet Explorer token is more like a Class C regular driver’s license.”

The researchers analyzed each browser’s ability to read files, write files, and perform 13 other actions. As indicated in the graphic below, Chrome blocked all but two of them. Of those, one known as “system parameters” was partially blocked. IE, meanwhile, completely blocked only two actions, and partially blocked seven more actions. Seven additional actions, including the ability to read files, access networks, and create processes, were completely unrestricted.

In last place was Firefox, which allowed nine actions and partially blocked the remaining six actions.

Side-by-side comparison of sandbox protections in Chrome, IE, and Firefox. Source: Accuvant.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/09/chrome_ie_firefox_security_bakeoff/

Cops bust den of text-spam spewers

Police have raided a UK office they suspect was a front for spam texters and are eyeing up other hotspots of SMS spam in a crackdown announced today by the Information Commissioner’s Office (ICO).

The police action comes after an ICO campaign to eradicate the practice, which it says is distressing to recipients. In a survey also announced today, the ICO said that 95 per cent of people are concerned, inconvenienced or distressed when they receive spam texts, and the unsolicited messages, often about insurance claims, have landed some of them in trouble.

The ICO’s Director of Operations, Simon Entwisle, said:

We’ve raided one office, visited various others and are still actively working with mobile phone networks to trace various locations.

We have a good idea about who is behind the messages and we continue to gather evidence to enable us to take enforcement action. So far these individuals have managed to cover their tracks but we’d encourage anyone with information to come forward.

Spam texts are usually sent from unregistered pay-as-you-go SIM cards, but telecoms companies have helped the police by tracking the locations from which clusters of texts have been sent. Sometimes data theft is involved too, with people’s numbers filched from other companies’ databases, or even sold on. The ICO is separately investigating the data protection policies of insurance and accident litigation companies. Often, though, phone numbers are just randomly generated. Spam texting is a finable offence, carrying a penalty of up to £500,000.

An ICO survey published today shows that spam texts can cause significant distress to recipients. Out of 1,014 respondents, 681 people said that receiving a text caused them concern: they felt troubled about why they had received the text and how their details had been obtained. 205 people said that it was inconvenient, while 61 respondents said the text had caused them substantial damage or distress. Twelve people, though, said they actually found the texts helpful.

A page on the site lists some of the worst experiences of the people victimised by spam texters. For one person, a bogus text got them into trouble in the office:

I received the text while in the company of my manager on my work phone which I am not allowed to use for private calls. My manager now believes that I am pursuing a claim against the company for a recent injury and this has caused bad relationships between us. Please act now to protect individuals from these vultures.

Another writes:

I made the mistake of texting STOP to the first message I received – now I am getting 4 or 5 a day. It is irritating and intrusive. I have been told the only way to stop it is to change my phone number!

Entwisle advised recipients to never reply to spam texts. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/09/police_crack_down_spam_texts/

Post Office wins contract to take snaps of foreigners

The Post Office has won a contract to take photographs and fingerprints of foreign nationals seeking biometric residence permits (BRPs).

Immigration minister Damian Green announced the plan as part of a package of measures, also including an online checking service for employers, aimed at reducing the number of illegal workers in the UK. They are included in the draft Immigration (Biometric Registration) Regulations 2012, which will complete the rollout of BRPs to all foreign nationals in the UK applying to extend their stays to more than six months.

From 29 February 2012, BRPs will be issued to more categories of foreign nationals, including refugees and those granted permission to settle in the UK. The anticipated increase in demand has led the Home Office to award a four-year contract, with a value of £36.4m, to the Post Office to collect the information and biometric details from applicants. It will provide a network of about 100 locations from the spring of 2012.

The online checking service is scheduled to become available around the same time. It will make it possible for potential employers to run real time checks on permits presented by job applicants to verify their identity and right to work in the UK.

Green said: “It is vital that we work with employers to give them the tools they need to meet their obligations.

“Our new online checking service will also turn up the pressure on those who wish to live and work here illegally. The message is clear – the UK is no longer a soft touch for illegal workers.”

The Olympic and Paralympic Games are expected to lead to a temporary surge in demand for BRPs. Green said in a written statement to Parliament that no major technical changes are to be made to the systems between 30 March and 8 November, but that after that the government will produce new policy proposals for the final stage of the roll out.

According to the Home Office, about 600,000 BRPs have been issued since their introduction in November 2008.

This article was originally published at Guardian Government Computing.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/09/post_office_wins_biometric_collection_contract/

Leaked EU data protection draft SHALL. NOT. PASS.

Analysis The first impression of this leaked text is that this version of the Regulation is more prescriptive than Directive 95/46/EC and will get up most data controllers’ and governments’ noses. I think the text makes far more fundamental changes than can reasonably be made via a “Regulation” (which has three times as many Articles as the Directive it replaces). And this conclusion comes from someone who thinks changes to the UK data protection regime are badly needed*.

I think this text is open to the argument that the Regulation is so long that it should be discussed as a new Directive which can be debated by member states and national parliaments; this ensures the issue then goes into the long grass.

Another risk is that many governments will respond to data controller complaints and argue that in the current economic circumstances that this Regulation should be shelved. I can see the Greeks, Spanish, Portuguese, Irish, Italians and UK opposing the text for this reason. Indeed, I wonder whether this is the intent of the leak, but that is perhaps too Machiavellian.

I cannot see the UK accepting this – and to be honest, I doubt whether it will make progress in its current form! However, this is a summary of its content for what it’s worth. Remember it is a leaked version and I would not depend on it; wait until you see the real McCoy (on Data Protection Day, 25 January).

In summary:

  • Article 3 contains new definitions (“personal data breach” based on Article 2(i) of the e-privacy Directive 2002/58/EC as amended by Directive 2009/136/EC, “genetic data”, “biometric data”, “data concerning health” which is based on the definition of “health data” provided for by ISO 27799, “main establishment”, “representative”, “enterprise”, “group of undertakings”, “binding corporate rules”, and of a “child” which is based on the United Nation’s Convention on the Rights of the Child.)
  • Article 4 sets out the principles relating to personal data processing, which correspond to those in Article 6 of Directive 95/46/EC. Additional new elements are in particular the transparency principle, the clarification of the data minimisation principle and the establishment of a comprehensive responsibility and liability of the controller.
  • Article 5 sets out – based on Article 7 of Directive 95/46/EC – the criteria for lawful processing, which are further specified as regards the balance of interest criterion and processing for the purposes of direct marketing for commercial purposes, the compliance with legal obligations and public interest.
  • Article 6 clarifies the conditions for a change of purpose of the processing, ie, processing for another purpose than that for which the data were initially collected.
  • Article 7 clarifies the conditions for consent to be valid as a legal ground for lawful processing. Public authorities cannot rely on consent.
  • Article 8 sets out the general prohibition for processing special categories of personal data and the exceptions from this general rule, building on Article 8 of the Directive 95/46/EC.
  • Article 9 introduces the obligation for transparent and easily accessible and understandable information, inspired in particular by the Madrid Resolution on international standards on the protection of personal data and privacy.
  • Article 10 obliges the controller to provide procedures and mechanisms for exercising the data subject’s rights, including means for electronic requests, requiring a response to the data subject’s request within a defined deadline, and the motivation of refusals.
  • Article 11 provides rights in relation to recipients, based on Article 12(c) of Directive 95/46/EC, extended to all recipients, including joint controllers and processors.
  • Article 15 provides the data subject’s right to be forgotten and to erasure. It further elaborates and specifies the right of erasure in Article 12(b) of Directive 95/46/EC and provides the conditions of the right to be forgotten, including the right to obtain erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service. It also integrates the right to have the processing restricted in certain cases, avoiding the ambiguous terminology “blocking”.
  • Article 16 introduces the data subject’s right to data portability – ie, to transfer data from one automated processing system to and into another – without being prevented from doing so by the controller. As a precondition, it provides the right to obtain from the controller those data in a commonly used format.
  • Article 17 provides the data subject’s rights to object. It is based on Article 14 of Directive 95/46/EC, with some modifications, including as regards the burden of proof and its application to non-commercial direct marketing, in contrast to Article 5(2) which provides that for purposes of commercial direct marketing the data subject’s consent is required to make the processing lawful. There is also to be a right to object to profiling.
  • Article 19 takes account of the debate on a “principle of accountability” and describes in detail the obligation of responsibility of the controller to comply with this Regulation and to demonstrate this compliance, including by way of adoption of internal policies and mechanisms for ensuring such compliance.
  • Article 20 sets out the obligations of the controller arising from the principles of data protection by design and by default.
  • Article 21 – on joint controllers – clarifies the responsibilities of joint controllers as regards their internal relationship and towards the data subject.
  • Article 22 obliges controllers not established in the European Union – where the Regulation applies to their processing activities – to designate a representative in the Union.
  • Article 27 obliges the controller and the processor to implement appropriate measures for the security of processing, based on Article 17(1) of Directive 95/46/EC and extending that obligation to processors, irrespective of the contract with the controller. There is an obligation of controllers to inform the supervisory body within 24 hours of any breach, and to inform data subjects within 24 hours if the breach endangers their personal data.
  • Article 32 introduces a mandatory data protection officer for the public sector, and, in the private sector, for large enterprises or where the core activities of the controller or processor consist of processing operations which require regular and systematic monitoring.

There is to be a stronger data protection authority, more trans-European co-ordination on data protection issues (a European Data Protection Board), higher penalties and more powers to the Commission – to get consistency and an obligation on national governments to give their supervisory bodies sufficient monies to operate effectively.

And that is why I think it won’t see the light of day in this form. I am not doing a further analysis of it; I await the final text. I suggest you do likewise.

References *

Draft leaked version of a Regulation is on Statewatch here (PDF).

See also “European Commission explains why UK’s Data Protection Act is deficient”.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/09/draft_data_protection_leak_unlikely_to_be_enacted_in_current_form/

Digital certificate authority suspends ops following breach

Websites belonging to a Netherlands-based issuer of digital certificates were unavailable following reports hackers penetrated their security and accessed databases that should have been off limits.

Dutch telecommunications giant KPN issued a statement (translation here) that said it temporarily shut the website of its Gemnet subsidiary while it investigated the hack. A second website belonging to a KPN subsidiary that issues digital certificates to the Dutch government was also taken down.

The breach, which was first reported by Webwereld journalist Brenno de Winter, is the latest to compromise one of the several hundred online businesses authorized to mint digital certificates millions of websites and government and corporate networks rely on to shield communications from eavesdroppers. In August, another Netherlands-based certificate authority also suspended operations after it issued a fraudulent secure sockets layer certificate for Google.

DigiNotar eventually went bankrupt after an investigation revealed that shoddy security led to the issuance of dozens of counterfeit credentials, including one for Google Mail that was used to target more than 300,000 people accessing their Gmail accounts.

A half-dozen or so other authorities are also known to have suffered security breaches in the past year or so. One of them happened last month to KPN Corporate Market, which is owned by the same Netherlands-based firm that operates Gemnet.

According to de Winter’s report on Webwereld, a hacker broke into a Gemnet database after exploiting poor password policies on its phpMyAdmin server. As a result, attackers were not only able to access all documents stored on the machine, but also to take control of it. The article said the hacker came forward to prevent the kind of debacle DigiNotar created, but “he has also found evidence that he is not the first person who has gained access to the systems.”

In its statement, KPN said there was no connection between the possible website breach and the issuance of digital certificates. It appears that the only contents available in the database was the information visible to website visitors, the company said. It said it decided to temporarily close the website out of an abundance of caution.

Representatives of Microsoft, Mozilla, and Google, makers of the world’s three most widely used browsers, said security personnel are investigating the reports to learn if end users are at risk. This article will be updated if they respond with their findings.

The breach is being investigated by the Dutch government, IT World reported. Both Gemnet and Gemnet CSP provide digital certificates to the Dutch government, the publication said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/08/certificate_authority_hacked/

OpenDNS puts crypto in beta

While the world slowly implements DNSSEC in the backbone of the internet, OpenDNS has put forward its solution to securing the user side of DNS, with a preview version of a DNS encryption tool.

DNSCrypt only works on Macs at the moment. According to OpenDNS, the idea is to encrypt all users’ DNS requests, preventing nasties like man-in-the-middle attacks, and snooping of DNS traffic (such as would be mandated by any government seeking to block citizens’ access to a particular class of Website, whether over concerns about decency or piracy).

Schemes that demand site-blocking based on an ISP failing to resolve the site, for example, would fail if the user’s request is sent encrypted to OpenDNS as the resolver.

OpenDNS emphasises that it’s not trying to replace DNSSEC. The latter provides authentication of the DNS record returned to the user, along with a chain of trust back to the source record. DNSCrypt, the company says, is just a cryptographic wrapper around communications between its customers and its servers.
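The exposure that DNSCrypt is meant to close, as an added example written for this page (it is not the article’s or OpenDNS’s code, and it does not implement the DNSCrypt wire protocol, which the article does not describe): it builds a plain DNS query the way a stub resolver would, shows that the queried name is readable by anyone on the path, and shows that an on-path attacker can forge an answer a plain stub will accept, because the stub checks only the 16-bit transaction ID and the echoed question. The query name, transaction ID and the attacker’s address are constructed values; nothing is sent on the network.

```python
import struct

# Everything below operates on constructed byte strings; nothing touches the wire.


def build_query(qname: str, txid: int) -> bytes:
    """Minimal RFC 1035 query: 12-byte header plus one question for an A record.
    This is what a stub resolver hands to the network in the clear."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_question(packet: bytes) -> tuple:
    """What a passive observer on the path learns: the transaction ID and the
    name being looked up, read straight from the cleartext packet."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return txid, ".".join(labels)


def forge_response(query: bytes, attacker_ip: str) -> bytes:
    """What an active on-path attacker can do: echo the ID and the question,
    then attach an A record pointing wherever they like. Nothing in plain DNS
    lets the stub tell this apart from the real resolver's answer."""
    txid, _ = parse_question(query)
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; 1 answer
    # NAME as a compression pointer to offset 12 (the question name), TYPE A,
    # CLASS IN, TTL 60, RDLENGTH, then the address octets.
    rdata = bytes(int(octet) for octet in attacker_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answer


def first_a_record(response: bytes) -> str:
    """Dotted-quad from the first answer of a response shaped like the above."""
    pos = 12
    while response[pos] != 0:          # skip the question name
        pos += 1 + response[pos]
    pos += 1 + 4                       # terminator + QTYPE/QCLASS
    _, _, _, rdlen = struct.unpack("!HHIH", response[pos + 2:pos + 12])
    rdata = response[pos + 12:pos + 12 + rdlen]
    return ".".join(str(b) for b in rdata)


def stub_accepts(query: bytes, response: bytes) -> bool:
    """The only checks a plain stub applies: matching ID and matching question.
    Neither value is secret, so a forged response passes."""
    return response[:2] == query[:2] and response[12:len(query)] == query[12:]


if __name__ == "__main__":
    q = build_query("example.com", 0x1234)          # constructed query
    print("observer sees:", parse_question(q))
    r = forge_response(q, "203.0.113.7")             # constructed attacker address
    print("forged answer:", first_a_record(r), "accepted:", stub_accepts(q, r))
```

The two attacks map onto the two technologies the article distinguishes: an encrypted, authenticated channel to the resolver (what DNSCrypt wraps) hides the question from the observer and stops the on-path forgery between client and resolver, while DNSSEC lets a validating resolver reject a forged record for a signed zone but does nothing to hide the question.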

The preview release is available here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/08/dns_crypt/

Patchy app development security slammed

Eight in 10 applications failed to pass stricter security testing standards in tests by application security assessment firm Veracode.

Veracode tightened up its testing procedures so that apps prone to cross-site scripting and SQL injection errors automatically fail. This zero-tolerance policy reflects the fact that these two classes of errors are so frequently exploited by hackers of various stripes to access customer data or intellectual property.

Data from the Web Hacking Incident Database suggests that 20 per cent of reported breaches can be traced back to SQL injection exploits of one type or another.

Last year, under a less strict testing regime, 57 per cent of apps failed to pass muster on first inspection. This figure has reached 80 per cent under the new zero-tolerance for SQL injection policy.
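The pattern Veracode’s zero-tolerance rule fails, beside the form that passes, as an added example written for this page rather than anything from the Veracode report: a constructed in-memory SQLite table of customer rows, a lookup built by splicing user input into the SQL text, the same lookup with a bound parameter, and a constructed tautology payload that makes the first return every row while the second returns none.

```python
import sqlite3

# Constructed sample rows for the demonstration; none of this is real data.
SAMPLE_ROWS = [
    ("alice@example.com", "1111"),
    ("bob@example.com", "2222"),
    ("carol@example.com", "3333"),
]

# Constructed attacker input: the quote closes the string literal and the
# remainder turns "WHERE email = '...'" into a condition true for every row.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding the constructed customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The failing pattern: user input concatenated into the SQL text, so the
    input is parsed as SQL grammar rather than compared as a value."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a bound parameter. The driver passes the input as a value, so
    the payload is compared against the column as a literal string."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Row counts for both lookups with a legitimate address and with the payload."""
    conn = make_db()
    return {
        "vulnerable_legit": len(lookup_vulnerable(conn, "alice@example.com")),
        "vulnerable_payload": len(lookup_vulnerable(conn, PAYLOAD)),
        "safe_legit": len(lookup_parameterised(conn, "alice@example.com")),
        "safe_payload": len(lookup_parameterised(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable function leaks the whole table to a single crafted input; the parameterised one returns the same single row for the legitimate address and nothing for the payload. Static analysers flag the first shape (string concatenation flowing into a query call) without needing a payload, which is why the concatenation itself, not a demonstrated exploit, is enough to fail an app under the policy described above.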

The latest edition of Veracode’s State of Software Security Report covers results from the analysis of 9,910 applications submitted to Veracode’s cloud-based application security testing platform over the last 18 months. The security firm reports that government apps are “less resilient to common attacks compared to other sectors”. For example, analysis by Veracode revealed that 40 per cent of government web applications assessed had SQL injection issues, compared to 29 per cent for finance and 30 per cent for software development firms.

The study also discovered that common application development mistakes creep into mobile applications. Veracode found that mobile developers tend to make similar mistakes to enterprise developers, such as the use of hard-coded cryptographic keys. More than 40 per cent of the Android applications analysed had at least one instance of this flaw, which makes it easier for attackers to launch broader assaults: they need only obtain the one common key to attack all instances of a vulnerable application in the same way and (perhaps) at the same time.

On a more positive note, Veracode reckons insecure software can usually be remediated quickly, without negatively impacting rapid development cycles. More than 80 per cent of the apps that flunked Veracode’s tests at the first attempt were successfully modified to make a passing grade within one week, it reports. Developer training and education can successfully improve the security quality of the applications out of the gate, Veracode adds.

The latest edition of Veracode’s State of Software Security Report can be downloaded here. The study includes more details on the most commonly exploited vulnerabilities and the risks associated with commercial software as well as a detailed remediation workflow study. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/08/veracode_app_security_survey/

Why are Android anti-virus firms so slow to react on Carrier IQ?

Analysis Some Android anti-virus firms have begun releasing Carrier IQ detection apps, but only after the controversial software became a talking point on Capitol Hill … and a month after a security researcher first discovered it.

BitDefender released Carrier IQ Finder, an app that identifies the presence of the controversial mobile diagnostic tool, following Lookout’s earlier release of a similar tool called Carrier IQ Detector. Both applications let mobile phone users know if they have Carrier IQ running on their Android phone without actually removing it. Each has been available at no charge via the official Android Market since last Saturday (3 December).

In a statement, BitDefender said that Carrier IQ’s mobile network diagnostic tool is “so deeply integrated with the device’s firmware [that] Carrier IQ Finder cannot remove it”.

Catalin Cosoi, global research director at Bitdefender, explained: “The Carrier IQ package can’t be removed by the users themselves if they don’t have root access on the device. They can, however, take the issue with the carrier and ask that the package be removed from the system.”

All this still leaves us with the question of why these anti-virus firms needed an extra app to detect Carrier IQ. Shouldn’t this application have been detected as potentially unwanted, at least, some time ago?

In a blog post, Lookout explained why signature detection for Carrier IQ was not added to its stand-alone Android security applications.

“Based on what we know so far, it doesn’t appear that Carrier IQ’s software is malware, and for that reason it’s not flagged as such by Lookout,” it said.

Kevin Mahaffey, co-founder and CTO of Lookout, told El Reg that it released its tool in response to requests from users. He added that even though Carrier IQ wasn’t malware, it did raise transparency and privacy issues. Mahaffey suggested that anti-malware protection ought to be all-in-one in mobiles (anti-spyware started off as a separate utility in the Windows world some years back), but didn’t rule out the possibility of releasing other stand-alone tools in future.

Kaspersky Lab said it too had decided Carrier IQ wasn’t malware but had decided, unlike Lookout, not to release a stand-alone tool.

Ram Herkanaidu, education manager at Kaspersky Lab, explained: “Kaspersky Lab does not currently detect Carrier IQ on Android devices because leaving aside the question of whether service providers need to collect this level of information, it is not strictly speaking malicious software. Currently there are no plans for Kaspersky to create a separate tool to detect Carrier IQ on mobile devices. That said, our global security researchers are investigating this and if any developments occur, we will take action appropriately.”

Lookout’s line is that although technically savvy users might be able to find out if Carrier IQ is running on their devices, its tool is needed because it allows less technically sophisticated users to do the same thing.

The whole episode leaves us wondering about the ability of Lookout or other Android anti-virus firms to flag up something potentially unwanted on devices, especially if it happens to be made by a commercial developer who might sue. We put this point to Lookout but weren’t able to get a specific answer on whether or not it was up for contesting such actions.

Anti-virus firms have been stung with lawsuits before over the detection of user-installed bundled spyware on Windows machines, something that might easily be repeated in the Android arena. Notorious, defunct crapware vendor Zango unsuccessfully sued security software maker Kaspersky Lab for calling its product “spyware”. Kaspersky manned up and fought the action, defending an important principle in the process. Other security firms might decide to duck this kind of fight.

Carrier IQ’s initial response to the discovery of its software by security researcher Trevor Eckhart in the middle of last month was to issue a cease and desist letter, though in fairness the firm has since tried to explain what it’s about and how its technology operates in a way that has defused many (but not all) of the original concerns.

Smartphone manufacturers and network providers that have confirmed Carrier IQ tracking software runs on their phones include Apple, ATT, Sprint, HTC, and Samsung. Although iPhone users are also affected, the issue of whether anti-malware software can protect them doesn’t arise because on-board anti-virus scanners for iOS are against the Jobsian faith. Users of Android devices who take the trouble to apply security software are entitled to feel more protected, but the Carrier IQ affair raises doubts about this.

It’s notable that Android anti-virus firms weren’t saying: “Wow this app is weird and it has all these privileges” and asking questions about Carrier IQ until the same day Senator Al Franken sent a letter to Carrier IQ. This raises the question of whether these mobile security apps have the ability to detect something clearly malign – a future Android rootkit, for example. Recent tests by AV-Test.org that revealed the inadequacies of some Android freebie scanner products (Lookout wasn’t tested) hardly inspire confidence on this point either.

Computer researchers at Rutgers University in the US developed a proof-of-concept rootkit back in March 2010. Security firms including Fortify Software and Imperva have since expressly warned of this risk. Lessons from history suggest not every security vendor will respond promptly to the risk if and when it arrives.

Seven years ago, when the Sony BMG CD copy-protection rootkit scandal broke, security researcher Mark Russinovich and F-Secure independently discovered the software at about the same time. F-Secure quickly and decisively stood up and condemned Sony’s use, in its copyright protection software, of the same tactics used by virus writers. But it was only after Sony admitted it had erred that other anti-virus vendors belatedly added detection, as explained in a good historical overview of the whole sorry affair by Bruce Schneier here.

Lookout disagrees that this analogy is appropriate. The Sony rootkit involved a third party modifying software, it said. Carrier IQ supplied a diagnostic kit built into phones and was more akin to Microsoft Software Update. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/08/carrier_iq_android_detection/