<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">

<channel>
	<title>Praetorian Blog</title>
	
	<link>http://www.praetorian.com/blog</link>
	<description>Security Ramblings</description>
	<lastBuildDate>Mon, 17 Oct 2011 15:38:18 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/PraetorianLabs" /><feedburner:info uri="praetorianlabs" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item>
		<title>Quantifying the Risk of Cybercrime: Are You Accurately Estimating Your Risk?</title>
		<link>http://feedproxy.google.com/~r/PraetorianLabs/~3/C51MFYPO4KQ/</link>
		<comments>http://www.praetorian.com/blog/risk-assessment/quantifying-the-risk-of-cybercrime-are-you-accurately-estimating-your-risk/#comments</comments>
		<pubDate>Sat, 15 Oct 2011 15:45:06 +0000</pubDate>
		<dc:creator>praetorian</dc:creator>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Security Economics]]></category>
		<category><![CDATA[Security Metrics]]></category>
		<category><![CDATA[Software Security]]></category>

		<guid isPermaLink="false">http://www.praetorian.com/blog/?p=682</guid>
		<description><![CDATA[Norton recently released their 2011 Cybercrime Report, and while there may be some contention around the specific numbers used and the comparison of the total cost of Cybercrime to the estimated revenue of drug trade, several aspects ring true: Cybercrime is a significant and growing problem (Estimated at $388 billion last year). Computer users are [...]]]></description>
			<content:encoded><![CDATA[<div>
<p>Norton recently released their <a href="http://us.norton.com/content/en/us/home_homeoffice/html/cybercrimereport/">2011 Cybercrime Report</a>, and while there may be <a href="http://www.scmagazineus.com/cybercrime-costs-388b-annually-report-says/article/211431/">some contention</a> around the specific numbers used and the comparison of the total cost of cybercrime to the estimated revenue of the drug trade, several aspects ring true:</p>
<ul>
<li>Cybercrime is a significant and growing problem (Estimated at $388 billion last year).</li>
<li>Computer users are generally bad at estimating their risk of cyber attack.</li>
<li>Users expect complete security, but most don’t install sufficient security controls.</li>
<li>Mobile Cybercrime is a rapidly advancing attack vector.</li>
</ul>
<p>It shouldn’t be a surprise to anyone paying attention that cybercrime is a growing problem, but what may be a surprise to some is the magnitude and financial impact of the problem. According to Norton&#8217;s survey, this is estimated at 344 billion dollars last year alone. There are many caveats to note in this estimate, such as:</p>
<ol>
<li>144 billion dollars were reported as direct financial loss, while 274 billion dollars of the total estimate was due to the cost of time lost resolving the cyber attacks.</li>
<li>These estimates are based on reported cybercrimes; however, many online crimes go either unnoticed or unreported.</li>
</ol>
<p>Despite these caveats the core arguments cannot be contested: the threat of cybercrime is real, significant, and growing.</p>
<p><span id="more-682"></span>An interesting result that came from this report was the sheer disconnect between a computer user’s perception of risk and reality. According to the survey, adults are three times more likely to be victims of cyber crime than offline crime, yet only 31% of those surveyed thought they were more at risk for online crime than offline crime (burglary, etc.). For those of us in the information security industry this too is not surprising, but the magnitude of the gap between perceived risk and actual risk is quite stunning.</p>
<p>It is psychologically difficult for computer users and enterprise IT managers to accurately assess the risk and impact of cyber crimes or infrastructure compromises, which often affects their ability to build effective programs and justify the cost of security controls within their infrastructure. Furthermore, IT departments, as well as home users, expect and demand complete security from their systems. However, more often than not, they do not invest in the proper security controls, as seen in this report by the lack of simple antivirus software to prevent trojans and other malware. Many even assume (supported by implications in vendor propaganda, like in this report) that a single control such as a firewall, anti-virus, IDS, SIEM, etc. will be sufficient to solve all of their security needs. The reality is that it requires a combination of systems, each with its own specialty, and a defense in depth approach with multiple levels of detection, prevention, and mitigation.</p>
<p>Beyond technical controls, an organization must build and foster a security program, rather than expecting technology to solve all of the problems. Oversight and executive buy-in must be integrated, users and developers must be trained, and policies must be defined and enforced. Only by addressing the people and processes that support the technologies will an organization achieve a complete security program. Users are often the weakest link in security programs, and educational training such as <a href="http://www.securingthehuman.org/">SANS Securing the Human</a> is aimed at addressing that core gap in user awareness.</p>
<p>Finally, the report mentions that mobile cybercrime is on the rise. From our perspective, we see this as a psychological and user awareness problem as well as a technical problem. One of the major threats we’ve seen on Android mobile devices is the ability to download and install applications from anywhere, including non-official third party marketplaces hosted in foreign countries. When coupled with the power and capabilities of Android applications, this presents a clear danger in which users have no ability to thoroughly vet or determine the provenance or intent of an application, yet they are expected to be able to determine which applications to trust and install. This is equivalent to the well known practice of using Windows as the administrator user and then downloading and installing arbitrary open source or free applications from the Internet, private forums, or p2p networks. Obviously this model hinges its security on the user being well educated and aware of the dangers; however, the reality is that this education and awareness is nowhere close to where it needs to be, if present at all.</p>
<p>This report reinforced and provided metrics for many of the beliefs held widely through the security community.  Here are a few final thoughts that we came away with:</p>
<ul>
<li>Cybercrime is a significant and growing problem, which is difficult to quantify.</li>
<li>Computer users generally underestimate the risk and impact of cyber attacks.</li>
<li>Enterprises should build security programs that address people, process, and technology, rather than relying solely on technical controls for security.</li>
<li>The rise of mobile attacks and vulnerabilities is analogous to problems we had in the early days of the PC, both technologically and in terms of user psychology, and presents a rapidly growing threat to future enterprises.</li>
</ul>
</div>
<img src="http://feeds.feedburner.com/~r/PraetorianLabs/~4/C51MFYPO4KQ" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.praetorian.com/blog/risk-assessment/quantifying-the-risk-of-cybercrime-are-you-accurately-estimating-your-risk/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.praetorian.com/blog/risk-assessment/quantifying-the-risk-of-cybercrime-are-you-accurately-estimating-your-risk/</feedburner:origLink></item>
		<item>
		<title>HTC Introduces Massive Privacy Vulnerabilities in Latest Update</title>
		<link>http://feedproxy.google.com/~r/PraetorianLabs/~3/4o-e5-bag0Y/</link>
		<comments>http://www.praetorian.com/blog/mobile-security/htc-introduces-massive-privacy-vulnerabilities-in-latest-update/#comments</comments>
		<pubDate>Wed, 05 Oct 2011 00:09:04 +0000</pubDate>
		<dc:creator>pjauregui</dc:creator>
				<category><![CDATA[Mobile Security]]></category>

		<guid isPermaLink="false">http://www.praetorian.com/blog/?p=671</guid>
		<description><![CDATA[We’ve said before that it only takes a single permission for an application to be malicious, and this vulnerability confirms that ten-fold. Researchers at AndroidPolice have reported a massive privacy vulnerability in the latest update to the HTC Android Mobile OS.  This vulnerability allows applications that request the permission “android.permission.INTERNET” to access much more than [...]]]></description>
			<content:encoded><![CDATA[<p><span style="color: #333333;font-size:18px;line-height:24px;margin-bottom:10px"><strong>We’ve said before that it only takes a single permission for an application to be malicious, and this vulnerability confirms that ten-fold.</strong></span></p>
<p>Researchers at <a title="AndroidPolice" href="http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/" target="_blank">AndroidPolice</a> have reported a massive privacy vulnerability in the latest update to the HTC Android Mobile OS.  This vulnerability allows applications that request the permission “android.permission.INTERNET” to access much more than the Internet, including: phone numbers dialed, GPS information, SMS data, account and email information, system logs, a full list of applications installed, and a list of running tasks.  Obviously this is much more information than the Internet permission is intended to grant access to, and Artem Russakovskii, the author of the original report, warns that these are just the initial results and that the full extent of the leak is not yet known.</p>
<p><span id="more-671"></span></p>
<p>This vulnerability was introduced by HTC in their latest software upgrade, which included several powerful logging services and applications that had access to and collected this sensitive information. Setting aside for now questions about the nature and purpose of these panoptic logging tools, it appears that HTC did not have the proper access controls in place to prevent access to the sensitive data being collected. Malicious applications are able to access the data through a local network port, so by simply requesting permission to access the Internet, an attacker can reach the additional sensitive data that the application does not otherwise have permission to access. According to the original report, there was no authentication on this local port at all, so any application on the device requesting Internet access would have full access to the service and all the sensitive data within.</p>
<p>This new vulnerability reinforces what we’ve mentioned in our <a title="STAAF - OWASP AppSecUSA 2011" href="http://www.praetorian.com/presentations/STAAF_OWASP_AppSecUSA.pdf" target="_blank">previous reports on Android applications</a>: the user must be vigilant in vetting applications, and simply reviewing the permissions requested is not a good measure for evaluating trustworthiness. We’ve said before that it only takes a single permission for an application to be malicious, and this vulnerability confirms that ten-fold.</p>
<p>For those who own, or are considering Android phones, there are a few things to take away from this:</p>
<p><strong>1) Not all Androids are made equal</strong></p>
<ul>
<li>Android handset manufacturers can significantly alter the base Android operating system, so there are many options to choose from, each with its own strengths and weaknesses.</li>
</ul>
<p><strong>2) Applications should be vetted and installed with great care</strong></p>
<ul>
<li>Android allows for very powerful applications to be developed and installed, which carries with it the risk of abuse of those privileges. Users should exercise due diligence and consider the potential risks of installing additional applications, even applications that don’t appear to request concerning permissions.</li>
</ul>
<img src="http://feeds.feedburner.com/~r/PraetorianLabs/~4/4o-e5-bag0Y" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.praetorian.com/blog/mobile-security/htc-introduces-massive-privacy-vulnerabilities-in-latest-update/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.praetorian.com/blog/mobile-security/htc-introduces-massive-privacy-vulnerabilities-in-latest-update/</feedburner:origLink></item>
		<item>
		<title>Daniel Herrera on Common Obfuscation Techniques for Modern Browsers</title>
		<link>http://feedproxy.google.com/~r/PraetorianLabs/~3/J4wW_kbOmzI/</link>
		<comments>http://www.praetorian.com/blog/software-security/daniel-herrera-on-common-obfuscation-techniques/#comments</comments>
		<pubDate>Wed, 21 Sep 2011 19:35:21 +0000</pubDate>
		<dc:creator>pjauregui</dc:creator>
				<category><![CDATA[Software Security]]></category>

		<guid isPermaLink="false">http://www.praetorian.com/blog/?p=660</guid>
		<description><![CDATA[Praetorian&#8217;s newest team member, Daniel Herrera, has been selected to present at this year&#8217;s LASCON Conference in Austin, TX on Oct 28th. In his LASCON presentation, Daniel will focus on common obfuscation techniques identified in the wild that function in all modern browsers. In this talk, each technique will be explained with functional examples demonstrating [...]]]></description>
			<content:encoded><![CDATA[<p>Praetorian&#8217;s newest team member, Daniel Herrera, has been selected to present at this year&#8217;s <a title="LASCON 2011" href="http://www.lascon.org" target="_blank">LASCON Conference</a> in Austin, TX on Oct 28th. In his LASCON presentation, Daniel will focus on common obfuscation techniques identified in the wild that function in all modern browsers. In this talk, each technique will be explained with functional examples demonstrating how and why a particular obfuscated method works.</p>
<p>This discussion will also include a detailed breakdown of the JavaScript syntax and its execution process. The presentation will categorize the JavaScript obfuscation into two groups: 1) Static obfuscation techniques, and 2) Dynamic obfuscation techniques.</p>
<p><span id="more-660"></span></p>
<p><strong>Static obfuscation techniques</strong> leverage current JavaScript standards to obfuscate the syntax of the payload. For example, the common ECMA-262 standard is the basis for many of the JavaScript interpreters implemented across production software today; however, this standard is feature rich and supports functionality that is not commonly known in the field or by practitioners. Furthermore, this syntax can be used to create content that is nearly unreadable by humans and difficult to analyze even in a run-time context.</p>
<p><strong>Dynamic, or &#8220;run-time&#8221;, obfuscation techniques</strong> leverage custom JavaScript methods to use binary images, encoded strings, or encrypted data as delivery mechanisms for payloads. This talk will further expand on how these techniques can be identified in malicious JavaScript and malvertising samples. Additionally, the discussion will illustrate how attackers leverage these techniques to avoid both automated and manual detection.</p>
<p>The overall goal of the presentation is to increase awareness and visibility into common &#8220;in use&#8221; attack techniques present in the online ecosystem today. This talk will also provide offensive security practitioners with additional techniques to bypass common technologies implemented in production environments that are intended to prevent technical injection attacks.</p>
<p style="text-align: center;"><a title="Register for LASCON Today!" href="http://www.regonline.com/Register/Checkin.aspx?EventID=954716" target="_blank"><strong style="font-size: 18px;">Register for LASCON Today! »</strong></a></p>
<p><strong>Why focus on LASCON?</strong> Texas has more Fortune 500 companies than any other state. Executives from these companies along with technical thought leaders, security architects, and lead developers gather to share cutting-edge ideas, initiatives, and technology advancements. If you have not already registered to attend LASCON, we highly recommend you join the talks.</p>
<img src="http://feeds.feedburner.com/~r/PraetorianLabs/~4/J4wW_kbOmzI" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.praetorian.com/blog/software-security/daniel-herrera-on-common-obfuscation-techniques/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.praetorian.com/blog/software-security/daniel-herrera-on-common-obfuscation-techniques/</feedburner:origLink></item>
		<item>
		<title>Visual Analysis GUI for Android Apps (BETA)</title>
		<link>http://feedproxy.google.com/~r/PraetorianLabs/~3/bZYsfZair_0/</link>
		<comments>http://www.praetorian.com/blog/mobile-security/visual-analysis-gui-for-android-apps-beta/#comments</comments>
		<pubDate>Wed, 24 Aug 2011 18:10:09 +0000</pubDate>
		<dc:creator>praetorian</dc:creator>
				<category><![CDATA[Mobile Security]]></category>

		<guid isPermaLink="false">http://www.praetorian.com/blog/?p=642</guid>
		<description><![CDATA[Praetorian&#8217;s VP of Engineering, Ryan W Smith, has volunteered over the summer to be a mentor in The Google Summer of Code through The Honeynet Project. Google Summer of Code is a global program that provides stipends for students around the world to work on open source projects for a few months out of the [...]]]></description>
			<content:encoded><![CDATA[<p>Praetorian&#8217;s VP of Engineering, <a title="Ryan W Smith" href="http://praetorian.com/ryanwsmith.html">Ryan W Smith</a>, has volunteered over the summer to be a mentor in The Google Summer of Code through The Honeynet Project.  Google Summer of Code is a global program that provides stipends for students around the world to work on open source projects for a few months out of the year (the Summer for those in the US).</p>
<p>Ryan’s Google Summer of Code student, Cong Zheng, has completed his final project, APKinspector, a powerful APK analysis GUI tool with control flow graphs, code views, annotations and many other useful tools. Cong and Ryan have released a BETA version with a demo video that highlights some of the useful features.</p>
<p><span id="more-642"></span><strong>Find more information about the tool and video here:</strong><br />
<a href="http://www.honeynet.org/node/761">http://www.honeynet.org/node/761</a></p>
<p><strong>To download the released BETA code directly visit:</strong><br />
<a href="http://code.google.com/p/apkinspector/">http://code.google.com/p/apkinspector/</a></p>
<p>Ryan would like to publicly recognize Cong for doing a great job on this project this summer. It was completed entirely in the last 3 months, and overlapped with his finals at Peking University. Cong has done excellent work implementing what started out as a very basic project description: <a href="http://www.honeynet.org/gsoc/ideas#project7">http://www.honeynet.org/gsoc/ideas#project7</a></p>
<p>Please note that this is a BETA release; some features may be missing, not working optimally, or not working on your system, so please test and report issues on the project page at: <a href="http://code.google.com/p/apkinspector/issues/list">http://code.google.com/p/apkinspector/issues/list</a></p>
<img src="http://feeds.feedburner.com/~r/PraetorianLabs/~4/bZYsfZair_0" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.praetorian.com/blog/mobile-security/visual-analysis-gui-for-android-apps-beta/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.praetorian.com/blog/mobile-security/visual-analysis-gui-for-android-apps-beta/</feedburner:origLink></item>
		<item>
		<title>Learn To Take Security Testing Tools to the Cloud at AppSec USA 2011</title>
		<link>http://feedproxy.google.com/~r/PraetorianLabs/~3/eENpCWV9GKI/</link>
		<comments>http://www.praetorian.com/blog/security-tools/security-testing-tools-from-cloud-owasp-appsec-usa-2011/#comments</comments>
		<pubDate>Mon, 22 Aug 2011 17:44:05 +0000</pubDate>
		<dc:creator>pjauregui</dc:creator>
				<category><![CDATA[Community]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.praetorian.com/blog/?p=635</guid>
		<description><![CDATA[Praetorian&#8217;s Matt Tesauro is scheduled to speak at OWASP AppSec USA 2011. Matt will cover steps for taking your testing tools from laptop to the cloud using new features of the OWASP Web Testing Environment (WTE). When: September 22-23, 2011 6:00 – 9:00 PM Where: Minneapolis Convention Center (map) Speaker: Matt Tesauro (Learn more about [...]]]></description>
			<content:encoded><![CDATA[<p>Praetorian&#8217;s <a title="Matt Tesauro" href="http://www.praetorian.com/matttesauro.html">Matt Tesauro</a> is scheduled to speak at <a title="Testing from the Cloud: Is the Sky Falling" href="http://www.appsecusa.org/talks.html#skyfalling" target="_blank">OWASP AppSec USA 2011</a>. Matt will cover steps for taking your testing tools from laptop to the cloud using new features of the <a title="OWASP Live CD meets Ubuntu in OWASP WTE" href="http://www.praetorian.com/blog/penetration-testing/owasp-live-cd-meets-ubuntu-in-owasp-wte/">OWASP Web Testing Environment</a> (WTE).</p>
<p><strong>When:</strong> September 22-23, 2011 6:00 – 9:00 PM<br />
<strong>Where:</strong> Minneapolis Convention Center (<a title="Minneapolis Convention Center" href="http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=1301+2nd+Ave+S,+minneapolis+mn&amp;sll=37.0625,-95.677068&amp;sspn=54.401733,89.736328&amp;ie=UTF8&amp;hq=&amp;hnear=1301+2nd+Ave+S,+Minneapolis,+Hennepin,+Minnesota+55403&amp;z=16&amp;iwloc=A" target="_blank">map</a>)</p>
<p><strong>Speaker:</strong> <strong>Matt Tesauro</strong> (<a title="Matt Tesauro AppSec 2011" href="http://www.appsecusa.org/speakers.html#matt_tesauro" target="_blank">Learn more about Matt</a>)</p>
<p>Registration and more details at <a title="AppSec USA" href="http://www.appsecusa.org/" target="_blank">http://www.appsecusa.org/</a></p>
<p><span id="more-635"></span>[Talk Details can be found at <a title="Testing from the Cloud: Is the Sky Falling?" href="http://www.appsecusa.org/talks.html#skyfalling">http://www.appsecusa.org/talks.html#skyfalling</a>]</p>
<h2>Testing from the Cloud: Is the Sky Falling?</h2>
<p>More and more IT is being moved to the cloud, so why shouldn&#8217;t your testing move there too? This talk will cover what it takes to take your testing tools from your laptop to the cloud using new features of the <a title="OWASP Live CD meets Ubuntu in OWASP WTE" href="http://www.praetorian.com/blog/penetration-testing/owasp-live-cd-meets-ubuntu-in-owasp-wte/">OWASP Web Testing Environment</a> (WTE). WTE allows you to create custom installations of application security tools in the cloud on demand. Has your IP been shunned? No problem, kill that cloud instance and start up another. Is your life as mobile as your phone? No problem, a laptop + Internet = access to all your favorite tools from anywhere. Multiple clients? No problem, start an instance for each one. By the end of this talk, you&#8217;ll know all you need to fire up a cloud instance with all of your favorite tools and start having fun.</p>
<img src="http://feeds.feedburner.com/~r/PraetorianLabs/~4/eENpCWV9GKI" height="1" width="1"/>]]></content:encoded>
			<wfw:commentRss>http://www.praetorian.com/blog/security-tools/security-testing-tools-from-cloud-owasp-appsec-usa-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		<feedburner:origLink>http://www.praetorian.com/blog/security-tools/security-testing-tools-from-cloud-owasp-appsec-usa-2011/</feedburner:origLink></item>
	</channel>
</rss>

