
Network Security
ISSN 1353-4858, August 2013
www.networksecuritynewsletter.com

Featured in this issue:

Why APIs are central to a BYOD security strategy

Enterprises that cannot support a Bring Your Own Device (BYOD) strategy risk losing talented employees. By successfully implementing an IT infrastructure that allows employees to use the latest technology, businesses are much more likely to retain, as well as attract, top talent.

Yet this is the very stuff of a Chief Security Officer's (CSO's) nightmares. A secure and scalable BYOD strategy is required to manage the risks introduced by employee-owned devices. The answer may lie in Application Programming Interfaces (APIs). If an organisation delivers its data via mobile APIs, then the data does not actually reside on the mobile device, explains John Thielens of Axway.
Full story on page 5

Following in the footsteps of Windows: how Android malware development is looking very familiar

The number of new mobile threat families and variants discovered in Q1 2013 rose by 49% on the previous quarter. Most concerning for Android users is that 91% of these were for their preferred platform.

The evolution of the malicious software on Android echoes that for the Windows platform. However, change is afoot. Tom Gaffney of F-Secure analyses what the first quarter of 2013 has shown us in terms of where Android malware is going, and examines some of the nastier examples.
Full story on page 7

Interview: Mick Ebsworth - a matter of trust

Organisations invest small fortunes in equipment, software and specialist skills. Yet there is a critical element to security that is often overlooked: trust.

A recent survey suggested that, while people continue to shop and bank online, they are cynical about the ability of the firms with which they're doing business to protect their personal data. We spoke with Mick Ebsworth, information security consulting director at Integralis, about this paradox.
Full story on page 11

Contents

NEWS
TOR attacked - possibly by the NSA
Mobile insecurities multiply
Firms making it easy for attackers, says KPMG

FEATURES
Why APIs are central to a BYOD security strategy   5
The Bring Your Own Device (BYOD) phenomenon affects most organisations. A secure and scalable BYOD strategy is essential to manage the risks. The answer may lie in Application Programming Interfaces (APIs). If an organisation delivers its data via mobile APIs, then the data does not actually reside on the device, explains John Thielens of Axway.

Following in the footsteps of Windows: how Android malware development is looking very familiar   7
Mobile threats are on the rise and most of them target Android. The evolution of malicious software on Android echoes that for the Windows platform. However, change is afoot. Tom Gaffney of F-Secure analyses what the first quarter of 2013 has shown us in terms of where Android malware is going, and examines some of the nastier examples.

Interview: Mick Ebsworth - a matter of trust   11
A great deal is spent on security systems, but the most critical element is often overlooked: trust. People may shop and bank online, but they don't trust online firms to protect their personal data. We spoke with Mick Ebsworth, information security consulting director at Integralis, about this paradox.

Subverting cellular technology: evolution, not revolution   14
Cellular communications have a long history of security weaknesses dating right back to the origins of GSM. Researchers have shown many times how cellular technologies are open to abuse. Steve Gold gives the historical background to how mobile communications have been subverted and brings the story up to date.

REGULARS
News in brief
Reviews
Events   20

Editorial Office:
Elsevier Ltd
The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
Web: www.networksecuritynewsletter.com
Publisher: Greg Valero
E-mail: g.valero@elsevier.com
Publisher: David Hopwood
Editor: Steve Mansfield-Devine
E-mail: smd@contrarisk.com
Senior Editor: Sarah Gordon
International Editorial Advisory Board: Dario Forte, Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas
E-mail: l.lucas@elsevier.com

NEWS

TOR attacked - possibly by the NSA

Vulnerabilities in the version of Firefox used by the TOR Project may have been exploited by law enforcement authorities to track and finally arrest a man accused of hosting child pornography.

The TOR network uses multiple layers of encryption via proxy servers to anonymise Internet traffic. The technology is widely used by journalists, activists, whistle-blowers and others who feel their life or liberty may be at stake. But it's also used by cyber-criminals of various types.

TOR was a key component in the services offered by Freedom Hosting,
a web hosting company that has been accused of being home to child pornography. The firm's owner, Eric Eoin Marques, has been arrested in Ireland and is the subject of an extradition request by the US. The FBI has described Marques as "the largest facilitator of child porn on the planet".

It's possible that Marques was tracked using malware that used JavaScript to exploit a flaw in Firefox 17, which is part of the TOR Browser Bundle. And now there are allegations that the malware was created and planted by US law enforcement agencies. Both Baneki Privacy Labs and Cryptocloud have claimed that the IP address to which the malware sends its information is owned by Science Applications International Corporation (SAIC), a US defence contractor, and allocated to the NSA. There have also been allegations that the FBI might have been involved.

Freedom Hosting is one of the biggest hosting firms on the TOR network but has also been dogged by allegations of shady practices, including hosting child pornography and an illegal drug marketplace known as Silk Road.

The version of Firefox used by the TOR Browser Bundle, Firefox ESR, is a long-term support version that doesn't have the latest security improvements. And the flaw used to compromise it works only on Windows, which has led to the TOR Project advising people not to use Windows if they want to use TOR. It also recommended switching off JavaScript. The JavaScript-based malware collects the hostname and MAC address of the infected machine and relays these to a remote address.

In a statement, the TOR Project said: "The attack appears to have been injected into (or by) various Tor hidden services, and it's reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services."

The functionality of the malware is very similar to that of the CIPAV malware that has been used by the FBI for at least 10 years, and publicly known about for the past five thanks to revelations by the Electronic Frontier Foundation (EFF).

Mobile insecurities multiply

Security issues with mobile devices have been hitting the headlines again. And this time it's not just trojanised apps for Android: the Apple iOS platform is also the target of attackers.

Android has been shown to be vulnerable to a so-called "master key" attack. It arises because an APK package (basically a zip file) can contain multiple files with the same name. Android's integrity checking examines the first file to see that it passes the signature check. But when the app runs, it's the last file that is used. This means hackers can modify apps by loading them with malicious files that match the names of the genuine ones, easily creating malware-laden versions of legitimate apps.

This flaw was made public by Bluebox Software. Since then a second version of the exploit, which uses a genuine file in one location but tricks Android into running a malicious version in a different location, has appeared and is already being exploited in China.
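The condition described above, two entries with the same name inside one APK, is easy to check for before an archive is trusted, and a verifier that rejects such archives outright closes the gap between "first file checked" and "last file run". The following is an added example, not code from the newsletter or from Bluebox: it constructs a toy APK-like ZIP in memory (sample data, not a real app), once clean and once with a repeated `classes.dex` entry, lists the names that occur more than once, and shows which payload a first-match verifier would inspect versus which one a last-match loader would use. The function names and the toy payload bytes are this example's own.

```python
"""Check an APK (a ZIP archive) for duplicate entry names.

Added illustrative example, not code from the newsletter or from Bluebox.
The archive built here is a constructed toy, not a real Android app.
"""
import io
import warnings
import zipfile
from collections import Counter


def build_toy_apk(duplicate: bool) -> bytes:
    """Construct a minimal APK-like ZIP in memory (constructed sample data).

    With duplicate=True a second 'classes.dex' entry is appended after the
    first, which is the archive layout the master-key flaw depends on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00GENUINE-CODE")
        if duplicate:
            # zipfile warns about a duplicate name but still writes the entry,
            # just as a hand-built archive would contain it.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", UserWarning)
                zf.writestr("classes.dex", b"dex\n035\x00PLANTED-CODE")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name that appears more than once.

    infolist() walks the central directory, so repeated names are all seen,
    unlike a lookup by name, which silently resolves to a single entry.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def first_and_last(apk_bytes: bytes, name: str) -> tuple:
    """Return (first, last) payloads for a name, in central-directory order.

    The first is what a verifier that stops at the first match would check;
    the last is what a loader that keeps the final match would execute.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        payloads = [zf.open(info).read()
                    for info in zf.infolist() if info.filename == name]
    return payloads[0], payloads[-1]


def is_acceptable(apk_bytes: bytes) -> bool:
    """Reject any archive whose entry names are not unique."""
    return not duplicate_entries(apk_bytes)


if __name__ == "__main__":
    for label, apk in (("clean", build_toy_apk(False)),
                       ("tampered", build_toy_apk(True))):
        first, last = first_and_last(apk, "classes.dex")
        print(f"{label}: duplicates={duplicate_entries(apk)} "
              f"accept={is_acceptable(apk)}")
        print(f"  verifier sees: {first!r}")
        print(f"  runtime loads: {last!r}")
```

The check deliberately iterates over the central directory rather than calling `ZipFile.read(name)`: a name-keyed lookup can only ever return one of the two entries, which is exactly the ambiguity the flaw exploits. Rejecting on any repeated name is the safe policy, because a legitimate build tool has no reason to emit one.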
Although these flaws have been fixed in the CyanogenMod alternative firmware, getting the patch out to most users with vendor-supplied software on their devices is trickier. Open Signal has warned that the Android environment is now more fragmented than ever. Aside from making life difficult for developers, this also raises security issues, such as fixing the master key issue. The firm said that 11,868 unique devices accessed its application in the past year. That was up from just under 4,000 the year before. And those devices were running eight different versions of Android.

Meanwhile, Google's Play store has been flooded with scam apps, according to Symantec. The firm claims that, over a seven-month period, more than 1,200 suspicious apps had been added to the online store. Many were removed almost immediately but others were able to remain available for at least a few days, enough time to be downloaded thousands of times. Symantec believes
Continued on page 20...
