This text is replaced by the Flash movie.
 

Posts Tagged ‘ QuickTime ’

Mobile Apps Security: Apple iOS v. Google Android

By on August 16, 2010

By Barbara E. Hernandez
August 16, 2010

SAN FRANCISCO – The Apple iOS, which runs on its iPhone, iPod Touch, and iPad, has a flaw in how it reads PDF documents that makes it easier to hack. This flaw is exploited by JailbreakMe, a one-click site that makes it easy for anyone without any real tech skills to hack into their own iPhone.

The flaw lets JailbreakMe open up an Apple operating system, and enables the user to load non Apple-approved applications on to an Apple device. JailbreakMe brought the security risk to light, finally causing Apple to release security updates for iOS 4.0.2 for iPhone and iPod touch and iOS 3.2.2 for iPad this week. (By the way, doesn’t this sound a lot like the same security flaw that Adobe learned about in late July?)

But the threat to the iOS is not the operating system itself but in its third-party software, such as the Safari browser, QuickTime, Java, or apps from Adobe. Nonetheless, it’s Apple that bears the responsibility for monitoring security, since it’s made the choice to use the software and package it for users. This is a weird conundrum since Apple believes in the “walled garden” approach to applications. Shouldn’t it be patrolling the garden more?

Android has similar issues, such as an innocuous Jackeey wallpaper application that retrieved personal information from each phone that downloaded its application. Neither JailBreakMe nor Jackeey were hacking into anyone’s phone; however, their code could be used for evil rather than good, which worries most security experts.

So how does Apple’s security for its mobile operating system stack up against that of Google’s Android, the biggest competitor?

1. Walled Garden v. the Wild Jungle

The biggest problem with Apple’s security is its walled garden philosophy, which relies on the wisdom of Apple approving applications rather than by consensus or the individual user. While many Apple fans say this decreases iOS problems, others say that it actually contributes to them by closing a door on the application after it has gained entrance into the App Store. Apple’s gatekeeping system on its walled garden is also virtually unknown, and it may also prove to give a false sense of security.

The Android Market, on the other hand, resembles a swap meet. The applications are available without restriction, and are monitored and reviewed by users themselves, including analyzing code–something not offered by Apple. While some worry that the free-for-all will be a security risk, at least one security research firm, Lookout, says Android’s applications are less problematic than Apple’s.

2. Pig-in-the-Poke v. the Test-Drive

Another way that app security for the Linux-based Android platform is better is that each application must disclose to the user what part of the device it plans to use and how. Google also publicly talks about operating a “honeypot,” or a computer not hooked up to all parts of its system, which monitors Android applications for malicious programs. Such open discussion is not part of Apple’s corporate climate, users frequently don’t know what they are buying until damage is done–but if they’re lucky, they found out about their vulnerability through JailbreakMe.

3. Freedom v. Establishment

With Google’s new App Inventor, you don’t have to be a software engineer to create an application for the anything-goes Android platform. Not so at Apple. It takes an experienced software developer to create anything on the iOS, and it’s up to the corporate honchos at Apple to approve it. As for security in the “walled garden,” there are no guarantees.

While the iPhone has some important security features, like sophisticated memory protection and a required digitally signed code requirement, security analysts say Android’s protection is stronger because of its source openness and the way it isolates applications which causes less harm to users. While business owners should block or limit access to applications to company machines to protect their data, the Android platform may prove just a little safer.

  • Squidoo
  • Multiply
  • Facebook
  • Delicious
  • Digg
  • StumbleUpon
  • Twitter
  • TechNet
  • Technorati Favorites
  • MySpace
  • Share/Save/Bookmark

Malware Aims to Evade Windows 7 Safeguards

By on February 1, 2010

By Erik Larkin
February 1, 2009

SAN FRANCISCO – Experts agree that Windows 7 has enhanced security to ward off attacks on vulnerabilities in old software. But what if a money-minded online scammer can persuade you to download malware onto your PC?

“Windows 7 is more secure, and upgrading to it is a big improvement,” says Chester Wisniewski, a senior security advisor with software-maker Sophos. “But it’s not going to stop malware in its tracks.”

Exploits Take a Hit

Digital crooks generally use two tactics to install malware on a PC. Exploits often take the form of a snippet of attack code hidden on a Web page–often a hacked-but-otherwise-benign site. When you browse the page, the exploit hunts for software flaws in Windows or in third-party programs such as Adobe Flash or QuickTime. If it finds one, the exploit may surreptitiously install malware without any hint of the attack.

In contrast, social engineering attacks try to trick you into downloading and installing bot malware that poses as a useful program or video. Some attacks combine tactics, as when a scammer sends an e-mail message encouraging you to open an attached PDF file, only to trigger an exploit buried in the file that then hunts for a flaw in Adobe Reader.

Security upgrades in Windows 7 could help prevent many attacks that target software flaws. ActiveX attacks, once the bane of Internet Explorer users, may “pretty much disappear” due to IE 8′s Protected Mode, says H.D. Moore, chief security officer at Rapid7 and creator of the Metasploit testing tool.

The arcane-sounding Address Space Layer Randomization makes it harder for crooks to find a vulnerability for a running program in your computer’s memory. The related Data Execution Prevention feature attempts to prohibit an attack from taking advantage of any flaw that it may discover.

“These two, in particular, could have a very large impact,” says Wisniewski. Still, though ASLR and DEP were expanded to protect more programs in Windows 7 than in Vista, they don’t cover all applications.

Vista Safer Than XP?

For a sense of what that impact might be, we can look at how Vista fared against malware. Microsoft’s latest Security Intelligence Report covers the first half of 2009, prior to Windows 7′s release. It’s based on data from the Malicious Software Removal Tool, which Microsoft distributes via Automatic Updates to fight common malware infections. According to that data, the infection rate for an up-to-date Vista computer was 62 percent lower than that for an up-to-date XP system.

It’s possible, of course, that Vista users are technologically savvier on average, and so less likely to fall victim to malware. The sample sizes for XP and Vista, which Microsoft didn’t include in the report, might skew the statistics, as well.

But Sophos’s Wisniewski thinks that ASLR and DEP are factors, too. And since those features are expanded in Windows 7, there’s reason to hope they’ll continue to be effective.

“I don’t see this going away anytime soon,” says Moore. He notes that there are plenty of ways crooks can and likely will continue to ply their evil trade against the new OS. But “it does raise the bar,” Moore says.

Hacking People, Not Programs

Exploit-based attacks may be harder to pull off against Windows 7, but social engineering attacks may be as dangerous as ever. And the theoretically less-annoying User Account Control does little to disable poisoned downloads.

In October, Sophos ran a test to see how Windows 7 and UAC would handle malware. First, the testers grabbed the first ten samples of malicious software that came into their lab. They then ran those samples on a fresh Windows 7 machine with UAC at its default settings, and with no antivirus installed.

Two samples couldn’t run on Windows 7 at all. But at its default setting, UAC blocked only one sample, leaving seven pieces of malware that loaded right up.

Sophos’s test highlights two points. First, Wisniewski and others say, UAC isn’t designed to block malware as much as it is to encourage programmers to write software that doesn’t require special privileges–so you shouldn’t count on it for protection.

Second, if a bad guy tricks you into downloading a Trojan horse, ASLR and DEP don’t matter. IE 8′s SmartScreen filter and similar features in other browsers might block known nasties, but the malware universe is bigger than that.

Social engineering ruses include using a hijacked social network account to send malware lures to friends of the owner, sending a link to a supposed video taken of a friend, and hiding a poisoned URL in a shortened link of the type commonly used on Twitter. (For more on such dangers, see “How to Stop 11 Hidden Security Threats.”)

Toss in other tried-and-true scams such as videos that instruct you to in­­stall a codec file (but instead lead you to a malware download), and phony documents attached to e-mail messages that appear to come from coworkers, and it becomes clear why Windows 7 users can’t let their guard down.

  • Squidoo
  • Multiply
  • Facebook
  • Delicious
  • Digg
  • StumbleUpon
  • Twitter
  • TechNet
  • Technorati Favorites
  • MySpace
  • Share/Save/Bookmark
Subscribe E-Newsletter

Don't get left behind. Sign up to receive the latest news.

Our Sponsors
Kerio
Ozaki
redwood
Super Micro
Kaspersky
KOSS
Xitrix
ArcusIT
Emerson
Copylandia
Piso Cloud
ePLDT
Bitdefender
Multi-Color
Chikka
Smart
Peplink
Sophos
Astaro
itproasia
MEC
APC
wsi
 
 
 
PC World Magazine Subscription
subscribe now
Web Design