According to the post:

The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here’s how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.

While the malware bouncer system may be a step in the right direction, there is a more dangerous aspect of apps in the Android market that needs to be fixed and that is the permissions that applications demand before they can be installed. A quick look at the permissions required by some applications on the market immediately shows that security in the Android space will continue to be an issue.

For example, why would a text editor require access to phone records and GPS location information? One can understand needing network (Internet) access to push some ads, but access to phone records and logs? The same goes for any category from  games to business use applications.

It is this permission free-for-all that got Symantec into some controversy recently when the company announced the discovery of apps in the Android Market that it deemed malicious. The apps, according to Symantec, were able to change the default home page in the web browsers of the “infected” devices, add bookmarks, and place shortcuts – actions one could easily associate with browser hijackers, and it is doubtful that users who installed these apps were expecting the applications to perform those actions without “explicit” consent.

And there lies the problem because technically, the user may have “explicitly” given permission when he or she clicked on “OK” or “Install. This issue arises because as in anything that requires clicking through, most users blindly click through messages boxes  without bothering to read through what they are consenting to. A quick browse of apps on the the android market will show several applications that request unnecessary permissions before they are installed.

For example, here is the permission requirement of an app called password notes, which is supposedly meant to “protect your notes with password”:

Permissions
This application has access to the following:

Your location
coarse (network-based) location
Access coarse location sources such as the cellular network database to determine an approximate device location, where available. Malicious applications can use this to determine approximately where you are.
fine (GPS) location
Access fine location sources such as the Global Positioning System on the device, where available. Malicious applications can use this to determine where you are, and may consume additional battery power.
Network communication
full Internet access
Allows an application to create network sockets.
Phone calls
read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.

Really? Access to GPS and phone records etc. for a note app?

Granted, Google does give this warning about permissions:

Permissions: Android provides a permission system to help you understand the capabilities of the apps you install, and manage your own preferences. That way, if you see a game unnecessarily requests permission to send SMS, for example, you don’t need to install it.

But the company needs to remove the onus from users and demand to know from the developers why “a game unnecessarily requests permission to send SMS”. After all, it is the Android name and the integrity of Google that is at stake here.

Apparently, that was then. Fyodor, the creator of nmap recently wrote a scathing article about how CNET has now become the very essence of a drive-by download – where you get a little more than you bargained for when you download software from a website. CNET has taken the concept to another level by actually reverse-engineering submitted software and injecting malicious content before presenting them to trusting users.

The article is a serious indictment on CNET for abusing the trust placed on them by millions of users and the software developers who are kind enough to create a program and give it to users for free. By monetizing the hard work of these developers without their knowledge (unless they are willing to pay a “premium fee), it is not far-fetched to accuse CNET of “stealing”. It is just now, after they were outed that there is talk of ” giving the developers a cut” of the money they’ve been raking in from dropping trojans and adware on the computers of millions of unsuspecting users, including kids, for crying out loud.

Why is this a problem? We know that most users click through installation prompts without bothering to read, and this is exactly what CNET was taking advantage of, until they messed with Wireshark and NMap.

The unethical nature of it is that while CNET was raking in millions of dollars, the creators of the software they were reverse-engineering were catching grief for infecting users’ computers with bogus web browser toolbars, home pages and adware that could very well have leaked private information.

As Alan Shimel of networkworld explains it, here’s how these “wrappers” work:
“[W]hen you click to download software from their site (which is software developed by others), they are “wrapping” it in their own installers.  This C/Net installer will either ask you (if they are polite) or in some cases not so obviously install other 3rd party software on your computer.  Things like web toolbars, alternate search engines and other programs that usually pay money for every copy that gets installed.”

Is this practice limited to just CNET? Not by a long shot, but most do it on the website – like when you are presented with the download button for something different than what you originally wanted to download. The argument is always that ” this is to help us pay the bills”. No one is arguing with the need to generate revenue. It is the deceptive way in which that goal is being achieved that is drawing some angst. There is a difference between giving the user an option to install a toolbar and respecting the choice when the user selects “No”, and installing a toolbar, changing the home page and dropping adware on a user’s computer through a deceptive “accept” button.

Then there is the other part of the equation – the enablers of CNET’s unethical behavior. The parties who were encouraging CNET to bundle toolbars, browsers, search engines etc. in the software they were hosting should also be ashamed of their dirty tricks.

It is important to remind users to take the time to read the dialog boxes that pop up when trying to install an application:

• If available, always choose the “Custom” option so you can at least see what other crap is going to be dumped on your computer by the installer. In most cases, you can decline or uncheck the box for items you do not want.
• After the installation, go through the “add/remove” (Windows XP) or “program features” (Windows Vista/7) section in control panel to see if some strange software was installed without your knowledge and promptly remove them.
• Run “msconfig” and look through the “startup” tab to see if some strange application has inserted itself to automatically start with Windows and disable them.

It is only going to get worse, unfortunately.

In today’s business world, where organizations face ever-escalating customer demands and expectations and little room for downtime, logic dictates that businesses today are seriously revamping their business continuity and risk management plans, or developing one if they did not have any.

This is even more pertinent given what we have witnessed in recent months in the areas of data breaches, hack attempts and the underground “war” being waged in cyberspace that has put most of the world’s powerful organizations on the defensive.
Business continuity management is usually regarded as “the capability to assist in preventing, preparing for, responding to, managing and recovering from the impacts of a disruptive event”. (Business Continuity Management, Australian National Audit Office, 2009)

We have always been told that to remain competitive we must build a resilient IT infrastructure, or risk our competition having us for lunch. Apparently, the folks at Distribute IT were not listening.

As few may be aware, Distribute IT, one of Australia’s web hosting providers got hacked on June 14, 2011 and practically went out of business overnight. In what could only be described as weird, absurd or the greatest display of corporate irresponsibility, the company did not have sufficient redundant backups to save its or most of its customers’ data. The company did not take offline backups and was forced to shamefully admit that:

Our Data Recovery teams have been working around the clock in an attempt to recover data from the affected servers shared Servers [sic]. At this time, we regret to inform that the data, sites and emails that were hosted on Drought, Hurricane, Blizzard and Cyclone can be considered by all the experts to be unrecoverable… our greatest fears have been confirmed that not only was the production data erased during the attack, but also key backups, snapshots and other information that would allow us to reconstruct these Servers from the remaining data.

Aptly named servers apparently, because nothing good usually comes out of an encounter with drought, blizzard, hurricane or cyclone unless you heed safety warnings and take appropriate measures! As the company explained to its customers, the hack and its aftermath left them with “…little choice but to assist you in any way possible to transfer your hosting and email needs to other hosting providers.”

Business continuity management is supposed to be an essential part of an organization’s overall approach to effective risk management. It is or was the overall responsibility of DIT’s executive to raise awareness and implement some form of resilience into the infrastructure and sadly, it failed woefully in that regard.

It is amazing that despite what we have experienced this year in terms of hacks, breaches and what not by the likes of Google, RSA, Comodo, Barracuda, and City Group to name a few, Distribute IT did not think it was pertinent to take precautions and bolster the security of its servers. The company has since been acquired by NetRegistry, but questions remain.

Distribute IT was ICANN accredited, but it appears that there is no form of auditing performed by the organization to determine whether registries are doing enough to secure their systems and preserve customer data.

Second, is the check-box “methodologies” of risk management experts creating a false sense of security and the ability to recover in the minds of clients?

How do information security “experts” do a better job of encouraging better risk and security decisions? Or avoid making the assumption that an organization will always recover if its risk controls fail?

Distribute IT is a small business compared to other providers in the industry, but it is not too farfetched to think that we couldn’t see similar sorts of existential threats to larger, IT-dependent businesses that might not be as risk savvy as a financial entity, for example – heck even those are feeling the pain – just ask CitiGroup or Bank of America, or Commerica Bank.

This unfortunate incident is yet another example of what happens when businesses ignore the risks that they shouldn’t. This situation will continue as long as executives think that security is all about installing firewalls and running the latest antivirus software.

As is always the case, it is only after a tragedy happens that people spring to action, despite several warnings that could have prevented the problem in the first place. Of course, there is always the reminder by company executives that they have tape and/or offline backups, but how many have taken the time to do a proper risk assessment?

Are we truly in an era when people can claim that “[t]here is no security, there will be no security. The horse has bolted, and it’s not going to be the infrastructure that’s going to change, it’s going to be us”?

Are these recent spate of breaches and hacks that have been exposed just old occurrences coming to light? US Department of Homeland Security advisor Jeff Moss Tweeted recently, “When I heard RSA had a shiny new half million dollar HSM to store seed files I wondered where had they been stored before”.

The same cannot be said of executives in small and medium-sized organizations, especially when it comes to loss of personal information, including credit card data, patient records or other financial information, stored by the company. Data breaches happen and information is lost every day due to small mistakes that could have been avoided. For small businesses, these events can be devastating.

With news makers such as Wiki Leaks and other high-profile breaches over the last several months, you never know where your information will end up if it lands in the wrong hands – so of course, you must protect it.

With the advances in technology, it is not uncommon to find a user lugging around a laptop with 500GB of hard drive space. That is a lot of  space for corporate data and with the breaches like we have witnessed recently – Wiki Leaks, HBGary, etc. you never really know who will end up with your corporate data should it get stolen.

Couple that with the fact that small organizations do not have the resources to set up a sophisticated VPN architecture that would require a user to log in the mother-ship before accessing data. They cannot afford expensive data plans.

Research records from the Ponemon Institute show that over 75% of organizations are aware of an incident in the organization where confidential or sensitive information was at risk as a result of a lost or stolen laptop.

It is assumed that presently, almost 40% of sensitive and confidential corporate information is being accessed at any given time by remote workers, including corporate execs.

It is strongly believed in the IT security field that humans are the weakest link in the area of data security and that employees are careless. Moreover, in many small businesses and organizations there is no IT personnel to take ownership of securing corporate data.

It is not uncommon to find contents on the laptops of executives that could put the company at risk should it get on the wrong hands – pictures and videos of a wild night out, for example.

While most modern laptops contain whole-disk encryption software, not many users are aware of them. The are also location tracking, and file-level encryption.

Expanded use of encryption has become the most popular technology solution to data protection. So here is a round-up a few tools that could be useful for the traveling executive:

AxCrypt:

AxCrypt – Personal Privacy and Security with AES-128 File Encryption and Compression for Windows 2000/2003/XP/Vista/2008/7. Double-click to automatically decrypt and open documents. Store strong keys on removable USB-devices.

Features:
Seamless integration with Windows Explorer.
Double-click to decrypt, open and re-encrypt.
No configuration required.
Many languages supported.
Extensive command-line interface for scripting and programming.

TrueCrypt:

Main Features:

• Creates a virtual encrypted disk within a file and mounts it as a real disk.
• Encrypts an entire partition or storage device such as USB flash drive or hard drive.
• Encrypts a partition or drive where Windows is installed (pre-boot authentication).
• Encryption is automatic, real-time (on-the-fly) and transparent.
• Provides plausible deniability, in case an adversary forces you to reveal the password
• Hidden volume (steganography) and hidden operating system.
• Encryption algorithms: AES-256, Serpent, and Twofish.

Personally, I believe this should be your first choice. What you can do is create an encrypted file on your system that the software mounts as an encrypted virtual hard drive and you can dump all your critical documents in there. It is possible to use a folder, file or image as a key (password). So for example, you can create a text file of your favorite movies and use that as your key – one less password to remember.

The nice thing about TrueCrypt  is that depending on how paranoid you are, the options are endless.

MyTextIsTreasure:

I stumbled on this during a frustrated search for a password “holding cell”. With so many passwords, login credentials, online subscriptions etc. to manage, I was getting irritated by the limitations of an Excel spreadsheet and a plain text file was dangerous at best.

It is a simple password manager for your PC and Smartphone. It works like a text editor and uses a strong cryptography algorithm to generate the end file.

What MyTextIsTreasure (MTT) does is give you a notepad-like page that you can type your sensitive data in and secure with a password. It has been an awesome tool because I can save it on an FTP site, a USB flash disk or a Synced online folder without worrying about unauthorized access.

Features:

• It is a password manager
• It works like a simple text editor
• It protects your private information using the known crypt algorithm AES
• It can be installed in your PC and in your Smartphone
• You can organize passwords by categories like credit cards, websites, forums, internet banking, personal life, and so on.

You don´t have to fill a lot of fields and follow a square structure.

SecureFolder Portable:

This is another application that allows you to hide, lock and encrypt folders using 256-bit AES encryption through an intuitive and simple interface. If you had the app installed on a laptop, you can password protect a specific folder use the tool to open the folder when you need access to it.

Key Features:

• Unlimited number of folders can be protected.
• Intuitive & easy-to-use interface.
• NTFS, FAT32 and FAT volumes are supported.
• Implements 256-bit AES (Rijndael) to encrypt files.
• Effective password protection.
• System Cleaner, File shredder, Virtual Drive.
• Removing or uninstalling will not uncover locked folders.
• Windows Explorer integration.
• Supports Drag & Drop.

It is compatible with Windows XP, Vista, 7

WinSCP:

WinSCP is a SFTP client and FTP client for Windows. Its main function is the secure file transfer between a local and a remote computer. It uses Secure Shell (SSH) and supports, in addition to Secure FTP, also legacy SCP protocol.

Portable PGP:

Portable PGP is a fully featured, lightweight, java based, open source PGP tool.
It allows to encrypt,decrypt,sign and verify text and files with a nice and absolutely straight graphical interface.
It’s absolutely simple to use and provides everything you need to get started with PGP cryptography.

There is a USB-Stick version of PortablePGP which comes as a simple zip file that you can decompress on the root folder of your USB drive and allows to run PortablePGP on both Window and Linux platforms without the need of installing it and without the need to have a Java virtual machine installed(a private JRE is bundled in)

Requirements:
Java Runtime Environment 6 (or greater)
Java(TM) Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files

HaDES:

HaDES (Short for Hard Disk Encryption System) is an enterprise level open source hard disk encryption tool, which enhances TrueCrypt by adding functionality that enables TrueCrypt for enterprise use, for example multi-user capability and recovery

HaDES Additional Features:Creates a virtual encrypted disk within a file and mounts it as a real disk

• several users have access to the encrypted disk via username and password
• Encrypts a partition or drive where Windows is installed (pre-boot authentication)
• Users can be administrated in volumes and partitions with multi-user capability:
  • users can be created
  • users can be deleted and
  • every user has the possibility to change his or her password.

Ultimately, the best way to protect corporate data is to assess risks by identifying and classifying confidential information and them implementing the following:

• Educate employees on information protection policies and procedures, then hold them accountable
• Deploy data loss prevention technologies which enable policy compliance and enforcement
• Proactively encrypt laptops to minimize consequences of a lost device
• Integrate information protection practices into businesses processes

FreeOTFE:

FreeOTFE is a free, open source, “on-the-fly” transparent disk encryption program for PCs and PDAs with a simple goal: the secure storage of bulk data, while making it readily accessible to authorized users.

With this software, you can create one or more “virtual disks” on your PC/PDA. These disks operate exactly like a normal disk, with the exception that anything written to one of them is transparently, and securely, encrypted before being stored on your computer’s hard drive.

Features include:

Highly portable – Not only does FreeOTFE offer “portable mode”, eliminating the need for it to be installed before use, it also offers FreeOTFE Explorer – a system which allows FreeOTFE volumes to be accessed not only without installing any software, but also on PCs where no administrator rights are available. This makes it ideal for use (for example) with USB flash drives, and when visiting Internet Cafés (AKA Cybercafés), where PCs are available for use, but only as a “standard” user.

TAILS LiveCD:

The Amnesiac and Incognito LiveCD System is a secure web browsing platform that is ideal for travelers who frequent Internet Cafés and want to prevent the possibility of their systems being compromised.

From the website:

The Amnesic Incognito Live System (Live CD, Live USB) is aimed at preserving your privacy and anonymity by forcing all outgoing connections to the Internet to go through the Tor network; and not leaving any trace on local storage devices unless explicitly asked.

It’s a LiveCD which means that you do not have to install it. You set your laptop’s BIOS to boot from CD and no changes are made to your operating system. The software can also be to run off of a USB stick.

Some important features of TAILS include:

• Tor and the Vidalia graphical front-end
• Firefox preconfigured with: Torbutton for anonymity and protection against evil JavaScript
• FireGPG for e-mail encryption
• All cookies are treated as session cookies by default; the CS Lite extension provides more fine-grained cookie control for those who need it
• OnBoard virtual keyboard as a countermeasure against hardware keyloggers
• Shamir’s Secret Sharing – a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.
• To prevent cold-boot attacks and various memory forensics, Tails erases memory on shutdown and when the boot media is physically removed.

Of course there other LiveCDs out there like Kiosk from rPath, Webconverger and Ubuntu Kiosk. The difference is that TAILS has the tor software enabled by default.

Necessary Warning:
Please bear in mind that the subject of encryption can get overwhelming at times. If you are not comfortable using these tools, please seek assistance. We must tell you that you bear total responsibility for lost data – seriously. Do not attempt disk/folder encryption if you have no clue on how to go about it.
Enough said.

Shameless Plug:

If you own a small business in the Austin area and have less than 20 employees, see how you can protect your mobile users and data in transit without upfront or out-of-pocket cost here.

Mikko Hyppönen of F-Secure has warned of a new variant of what he calls “Ransomware” or ransom trojans. These are attacks by malware that takes a computer hostage and then tries to extort a payment in return for returning control of the computer or its files to the owner. Sometimes, the malware will encrypt files (using AES – Advanced Encryption Standard, for example) until  some “ransom” is paid by buying a key to unlock the hostage computer.

The attack tries to extort money from users by pretending to be Microsoft and convincing the victims to dial international telephone numbers to” reactivate” Windows. The initial stage of the attack displays a message claiming that Windows is “locked” and must be reactivated. At this stage, the victims are unable to boot their computers into normal or even safe mode.

“To regain control of the PC, users are told to reactivate Windows online or via a phone call. The former, however, is not available; a follow-up message instructs users to dial one of six telephone numbers, then enter a six-digit code to reactivate the operating system.” The telephone numbers actually lead to an automated call center where users are kept on hold for several minutes, racking up long-distance charges.

While these numbers may look like generic service numbers, they aren’t.
•  002392216368
•  002392216469
•  004525970180
•  00261221000181
•  00261221000183
•  00881935211841

The numbers go to various countries (“00″ is the prefix for international dialing). The countries are: São Tomé and Principe (239), Denmark (45), Madagascar (261) and Globalstar Mobile Satellite Service (8819).

The trojan claims that the call is “free of charge” but it isn’t, and the trojan author will earn money from the call via a technique known as short stopping. This method involves rogue phone operators who route the expensive calls to cheaper countries.

After three minutes or so, the caller is given this unlock code: 1351236 and the unlock code appears to be the same every time the number is called. Mikko believes that this number will unlock any affected computer. As he put it, “I hate the idea of paying money to these clowns, just enter that code.”

He explains that it is a pretty clever bit of social engineering and that some victims may never even realize that they’ve been scammed. The scammers make money through “short stopping,” or the practice of billing a call at a rate higher than the actual destination.

F-Secure detect this trojan as Trojan.Generic.KDV.153863 (with a hash of md5: 9a6f87b4be79d0090944c198a68012b6).

You can watch Mikko’s video of the malware here.