[Omnitech]

It isn't a joke. The more obstacles you put in the way of an opponent the harder he must work, and the more likely he will fail. Did you ever wonder why secrecy (obscurity) existed in military and diplomatic circles since civilization began?

Heh. Whatever you say. Go ask Bruce Schneier what he thinks of "security by obscurity". Oh heck, this is so easy, I'll spoon-feed it to you:


Avoid security by obscurity: The Open Web Application Security Project

Security though obscurity is a weak security control, and nearly always fails when it is the only control.

Security through obscurity: The Jargon File for hackers:

A term applied by hackers to most OS vendors' favorite way of coping with security holes — namely, ignoring them, documenting neither any known holes nor the underlying security algorithms, trusting that nobody will find out about them and that people who do find out about them won't exploit them. This “strategy” never works for long and occasionally sets the world up for debacles like the RTM worm of 1988 (see Great Worm), but once the brief moments of panic created by such events subside most vendors are all too willing to turn over and go back to sleep.

Why Security-Through-Obscurity Won't Work: Bruce Perens

Why Security Through Obscurity Still Does Not Work: Infosec Island

Avoiding Security by Obscurity: IBM Systems Magazine

Security through obscurity - Wikipedia

Security through obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security. [...]

Security through obscurity has never achieved engineering acceptance as an approach to securing a system, as it contradicts the principle of "keeping it simple". The United States National Institute of Standards and Technology (NIST) specifically recommends against security through obscurity in more than one document.

The best you will ever get from someone who actually knows about and works with data security on a regular basis is that Security by Obscurity can be useful only if it is added on top of real, robust security measures, but never by itself, or as a substitute for real security.

[jivegirl14]

It's so funny reading about all these so called mal ware attacks. Never had a problem with my Samsung Galaxy SIII, don't know anyone who has either and no one can produce a litany of these so called holes. Seriously the Android bad blackberry good trip is just old. OK back to my phone, just popped in and saw this.

Sent from my SGH-I747M using Tapatalk 2

[kbz1960]

It's so funny reading about all these so called mal ware attacks. Never had a problem with my Samsung Galaxy SIII, don't know anyone who has either and no one can produce a litany of these so called holes. Seriously the Android bad blackberry good trip is just old. OK back to my phone, just popped in and saw this.

Sent from my SGH-I747M using Tapatalk 2

Do you know anyone who has gotten a virus or malware on their pc?

[Omnitech]

Just FWIW: a good hacker will pwn you without you ever knowing a thing.

Gone are the days of the kids who just wanted some notoriety for breaking-in, who wanted to pop up some mocking message with a skull on it or something. Today, technology exploits and malware are probably the fastest-growing segment of organized crime worldwide. Their intention is to make money illicitly. If the objective is to steal money from you, the most absolutely stupid way of doing that is to be obvious about it.

You'd might be surprised how quickly a few pennies from a few million bank accounts adds up.

Oh and that email account of yours that got hacked last year, sending out spam to a bunch of people? Don't be surprised to find that one of your technology devices had been under the control of the bad guys for months or years prior to you noticing that.

[brmiller1976]

It's pointless to engage with him though, as reneebob pointed out, he actually believes his own **** so he can't even see the discussion anymore. It's a complete mental block.

I have to laugh here.

By my count, there have been at least sixty-three links posted to research from security companies on Android's malware problem that have all been completely ignored both by the quoted poster and others claiming Android has no problem.

(To be fair, one poster did reply by claiming that all the security research is part of a conspiracy theory against Android, but that's hardly a serious reply).

The focus has been exclusively on the anecdotal situations of my friends, rather than on the quantitative data by security experts worldwide. Even then, the response has been "well I'm not familiar with those apps, so they don't exist."

And the poster quoted above claims that *I* have the mental block.

Why do I claim that Android has a security issue?

1) Personal experiences... which may or may not be relevant to other posters;
2) Security research data -- which is VERY relevant and shows a serious problem that Android folks want to pretend doesn't exist.

Fact: 10% of the Google Play store is malware, versus a teeny proportion of competing stores (well under 0.01% in Apple's case, the "runner up" in malware on the App Store).

Fact: Android now has more malware titles after three years than Windows, the prior king of malware, had after 14.

Fact: Every security consultancy out there has researched and validated these statistics.

Fact: The Fandroid brigade steadfastly refuses to acknowledge or discuss the issue, claiming it's "overblown" and "doesn't matter" and, in some cases, "is a conspiracy."

Other operating systems, including BB 10, do not suffer from this problem to the same extreme degree as Android. Period.

For users who value security and integrity of data, including corporate and personal users, this is important data that should not be dismissed simply because it makes Android Fanboys angry.

For those who don't care about security, don't need security or believe that malware can be avoided through limiting use of apps, burning incense, or chanting a mantra, it's not a relevant discussion.

[KermEd]

Lol.

There is plenty of malware on Google Play.

As I mentioned, I've seen Malware on iOS, Android and BlackBerry and yes it was in the store.

Being in the store does not promise security. And none of the 3 check for apps "calling home" to allow apps in store.

via Tapatalk

[anon4164832]

Just had a quick look through some of the posts here.

A bit of background information here. I own one of the leading software security testing labs in the world, we provide efficacy assessments for Trusteer, Trend Micro, Webroot, Kaspersky Lab etc. We are also the largest supplier of malicious binaries (malware) and malicious URLs in the world and supply the vast majority of testing labs and security vendors (For instance, we supply PCMag with a live zero hour feed of malware for their testing and the BBC made a dedicated TV programme on our testing work)

Now to state some facts:

There is pretty much ZERO malware for BB, IOS or Windows Mobile. (in 2012 there were 2 for IOS and 1 for BB)

There are tens of thousands of malicious apps for Android.

There are millions of malicious binaries for Windows Desktop.

We process over 500,000 unique malicious binaries per day and about the same number of URLs.

We now have a dedicated feed of Android malware and can pull in thousands per day.

You need to be aware that the volume of malware for Android is expanding very fast. Various reports show that there has been a 400% increase of malware on the play store since 2011.

The performance of Android antimalware applications is usually pretty bad. You should note, a lot of malware when installed will in fact disable the AV.

You can believe what you want, but these are the facts

I would NEVER use Android. I use BB10. I would use IOS but the OS is too limiting (no filing system, only one attachment per email etc) and I would consider Windows Mobile - but don't like the OS.

Just some advice. Take it or leave it!

Cheers,

Chris.

[donnation]

Just had a quick look through some of the posts here.

A bit of background information here. I own one of the leading software security testing labs in the world, we provide efficacy assessments for Trusteer, Trend Micro, Webroot, Kaspersky Lab etc. We are also the largest supplier of malicious binaries (malware) and malicious URLs in the world and supply the vast majority of testing labs and security vendors (For instance, we supply PCMag with a live zero hour feed of malware for their testing and the BBC made a dedicated TV programme on our testing work)

Now to state some facts:

There is pretty much ZERO malware for BB, IOS or Windows Mobile. (in 2012 there were 2 for IOS and 1 for BB)

There are tens of thousands of malicious apps for Android.

There are millions of malicious binaries for Windows Desktop.

We process over 500,000 unique malicious binaries per day and about the same number of URLs.

We now have a dedicated feed of Android malware and can pull in thousands per day.

You need to be aware that the volume of malware for Android is expanding very fast. Various reports show that there has been a 400% increase of malware on the play store since 2011.

The performance of Android antimalware applications is usually pretty bad. You should note, a lot of malware when installed will in fact disable the AV.

You can believe what you want, but these are the facts

I would NEVER use Android. I use BB10. I would use IOS but the OS is too limiting (no filing system, only one attachment per email etc) and I would consider Windows Mobile - but don't like the OS.

Just some advice. Take it or leave it!

Cheers,

Chris.

Great info and insightful post. Thanks for sharing.

[Bbnivende]

Just had a quick look through some of the posts here.

A bit of background information here. I own one of the leading software security testing labs in the world, we provide efficacy assessments for Trusteer, Trend Micro, Webroot, Kaspersky Lab etc. We are also the largest supplier of malicious binaries (malware) and malicious URLs in the world and supply the vast majority of testing labs and security vendors (For instance, we supply PCMag with a live zero hour feed of malware for their testing and the BBC made a dedicated TV programme on our testing work)

Now to state some facts:

There is pretty much ZERO malware for BB, IOS or Windows Mobile. (in 2012 there were 2 for IOS and 1 for BB)

There are tens of thousands of malicious apps for Android.

There are millions of malicious binaries for Windows Desktop.

We process over 500,000 unique malicious binaries per day and about the same number of URLs.

We now have a dedicated feed of Android malware and can pull in thousands per day.

You need to be aware that the volume of malware for Android is expanding very fast. Various reports show that there has been a 400% increase of malware on the play store since 2011.

The performance of Android antimalware applications is usually pretty bad. You should note, a lot of malware when installed will in fact disable the AV.

You can believe what you want, but these are the facts

I would NEVER use Android. I use BB10. I would use IOS but the OS is too limiting (no filing system, only one attachment per email etc) and I would consider Windows Mobile - but don't like the OS.

Just some advice. Take it or leave it!

Cheers,

Chris.

Does this mean that it is very harmful to run a android app on BB10 even if it is snaped from Google Play? Should BB be abandoning its android run time strategy ?

Sent from my Nexus 7 using CB Forums mobile app

[anon4164832]

We don't specialise in Android testing right now, but have been doing some behind the scenes work. I do not know exactly how BB10 sandboxes the Android apps, but I believe it is in much the same way that VMware operates on a Windows PC.

The great thing about this is, as with VMware, one can create say a Win 7 64 PC, fill it with malware, test on the virtual machine then when done, just delete the virtual machine and the host PC will be 100% clean.

Now, a point to consider is this. We use VMWare virtual machines to test financial malware, such as Zeus etc. We reverse engineer financial malware and create simulators that employ exactly the same Man in the Browser attacks as the real malware. Zeus and other financial malware is designed to steal users logon details, credit card numbers etc when entered in as SSL protected banking or social media website.

If we infect a virtual machine with one of our simulators and then used that virtual machine to go to paypal and I were to enter my email address and password, that data will be exfiltrated (captured and sent to another one of our servers) The same thing applies to Zeus or any financial malware, it will steal your data when its entered in to the virtual machine. Your data will be in the hands of criminals. Deleting the virtual machine afterwards will not help as your data will have gone.

Take a look at the BBC programme based on our simulation work and browser security (Google "BBC Man in the Browser" and you will see someone has uploaded it as a two part video) - . All the testing they filmed was me testing on a virtual machine using reverse engineered SpyEye, but you will see in the video that the data entered in the banking sites immediately appeared on a real physical laptop via the internet.

My point is this, I believe whilst the android apps are essentially run in the same way as is the case when a virtual PC runs on VMWare on a physical host, whilst its running / installed, it can still perform malicious acts such as steal data, send premium SMS messages etc.

In the case of BB10, As its run in a virtual environment, depending on app permissions , it may be less likely to steal data from native BB10 environment. (The Virtual PC uses the host webcam, soundcard, internet connection)

Just Google "Fake Flappy Bird" and you will see reports of clones which sent out premium SMS messages etc.

MalwareBytes makes a pretty good antimalware app for Android. Does not necessarily have the best detection, but gives very detailed analysis and descriptions of APKs, particularly those that use the SMS methods.

I have Netflix and Kindle installed on my Z30 and you will probably find most of the big brand apps are not going to risk doing anything naughty.

This said however, does not detract from the fact that there are so many apps out there that are malicious - and malicious in various ways - those that may simply want to know your location or which other apps you use, some may harvest your contact lists, use your smartphone as part of a botnet to perform DDOS attacks, or simply capture data entered in to your banking site.

One other note of caution is that to counter cybercriminals, banks increasing use multi factor authentication, the most popular method is sending a one time only keycode to your smartphone. More and more financial malware is now running on Android so as to capture this keycode.

Apps with malware can be found on legit sites like Google play etc as well a elsewhere. Systems can also become compromised just by visiting a website and getting hit by a driveby attack - with the advent of QR codes and their increased popularity, cybercriminals are starting to use these more to infect systems with driveby attacks - so be warned, don't be tempted to scan things you see on flyers left under your windscreen wiper, posted on walls etc.

Also, I tested one native BB10 antimalware and it did not detect a single malicious file - and yet it has great feedback - don't trust user reviews for these products as unless you have malware on tap, you cant assess efficacy!

Cheers,

Chris.

[jopfet]

If you install android apps then the cm Security is a must and it runs in the background. Jim

Posted via CB10

[anon4164832]

If you install android apps then the cm Security is a must and it runs in the background. Jim

Posted via CB10

Just tested that against 30 malicious APKs and it only got 5!

Did some other quick tests:

MBAM 8/30
AVAST 12/30
Bitdefender 10/30
F-Secure 18/30

Also, another issue with running Android antimalware apps on your BB10 device is that there is a chance it wont be running in the background.

What is needed is a native BB10 antimalware that is headless and so able to constantly scan for phishing sites, malicious Androind apps (and indeed would be wise to have the ability scan native apps as you can never be sure)

I also just did a quick test using the BB10 Max Secure. I installed the same 30 malicious APKs in the DL folder and did a dull scan and it detected 16/30, however, when doing a dedicated APK scan of the APK files themselves, it only detected 4/30 as "threats"., then 1 critical, 17 "moderate and 12 as "as "low privacy risk" - flakey, but good on the APK scan, but need more data.

I will do a false positive test on this app later (scan known good APKs and see what it gets)

Cheers,

Chris

[BitPusher2600]

The stuff you've pointed out Chris is exactly why I can't for the life of me (such as it is) figure out how or why BlackBerry decided to incorporate Android apps and it's accompanying runtime into their new OS. The sheer existence of it's code on my device is how I ended up reactivating my 9930 in place of my Q10 for my daily driver. That may be taking paranoia too far but oh well. Still, a company whose primary focus and market orientation is supposed to be security and they go thru all this effort to allow Android apps to be ran? Totally unreal.

[Bbnivende]

These posts by ChrisBP are incredibly informative. CrackBerry would do well if he would be writing articles for their site. I was shocked by what he had to say. Maybe BB should jettison the run time OS update and advertise their security advantage directly to consumers and users.

[robhenry24]

Saw this article in the times of India. Confirms the worst about Android. But still there will be people who say folks don't care about security. Till they lose money....
http://toi.in/uVtxWb

Posted via CB10

In the past I have used this nice little sit for installing side loaded android apps. One has to
install their app to do this. I have picked up malware from some of these apps.

[Tre Lawrence]

Just had a quick look through some of the posts here.

A bit of background information here. I own one of the leading software security testing labs in the world, we provide efficacy assessments for Trusteer, Trend Micro, Webroot, Kaspersky Lab etc. We are also the largest supplier of malicious binaries (malware) and malicious URLs in the world and supply the vast majority of testing labs and security vendors (For instance, we supply PCMag with a live zero hour feed of malware for their testing and the BBC made a dedicated TV programme on our testing work)

Now to state some facts:

There is pretty much ZERO malware for BB, IOS or Windows Mobile. (in 2012 there were 2 for IOS and 1 for BB)

There are tens of thousands of malicious apps for Android.

There are millions of malicious binaries for Windows Desktop.

We process over 500,000 unique malicious binaries per day and about the same number of URLs.

We now have a dedicated feed of Android malware and can pull in thousands per day.

You need to be aware that the volume of malware for Android is expanding very fast. Various reports show that there has been a 400% increase of malware on the play store since 2011.

The performance of Android antimalware applications is usually pretty bad. You should note, a lot of malware when installed will in fact disable the AV.

You can believe what you want, but these are the facts

I would NEVER use Android. I use BB10. I would use IOS but the OS is too limiting (no filing system, only one attachment per email etc) and I would consider Windows Mobile - but don't like the OS.

Just some advice. Take it or leave it!

Cheers,

Chris.

Thanks for sharing.

Can you share what the name of your lab is, and formal published results?

[anon4164832]

Hi, my lab is MRG Effitas.

We focus on financial malware and browser security mainly but you will see we do time to detect tests as well.

Some tests are available on our site but most of our work is private, however, if you Google "Kaspersky MRG" or "Trusteer Apex MRG " you can sign up to the last one and see we did the assessment of their technology.

Also if you install Kaspersky Internet Security on your PC, you will see my company logo appear during installation.

Now, in terms of working with Android and BlackBerry, we will be conducting Android tests later in the year once we have our other new testing programmes up and running .

If one of the Crackberry team wants to contact me I'm happy to have a chat or fix up a telcon.

If someone from BlackBerry wants to contact me they can do so via LinkedIn as I'm easy to find on there.

I would be interested to have them discuss exactly how Android runs on BB10.

I don't think there is enough public awareness of how much malware there is out there on PC and Android and this needs to change.

Modern malware is designed to be stealthy so it can reside on the host as long as possible allowing it to do its thing as long as possible for the criminals.

Cybercrime is set to become the highest revenue generating crime this year overtaking drug crime on a worldwide basis.

Malware and Cybercrime are big business and have money, brains and serious people behind them.

BlackBerry need to make more of a thing about security. Like I said, I'm happy to have a chat with the Crackberry team or BlackBerry direct if they contact me via LinkedIn.

Cheers,

Chris.

Posted via CB10

[anon4164832]

42 percent of applications for Android analyzed were classified as malicious, unwanted, or suspicious.

http://www.bcbr.com/article/20140228...0802/140229951

Google the above quote and you will find the original detailed report conducted by one of my clients Webroot.

You will see from the full report that there is pretty much no malware for ios.

Previous reports have shown that there is less malware for BlackBerry 7.

As far as I know there is none for BlackBerry 10

Android is a cesspit of malware. IOS is so crippled. BlackBerry really need to make a thing about their security.


Posted via CB10

[2Peks1Bird]

These posts by ChrisBP are incredibly informative. CrackBerry would do well if he would be writing articles for their site. I was shocked by what he had to say. Maybe BB should jettison the run time OS update and advertise their security advantage directly to consumers and users.

+1. We need people who knows their stuff, and what they are talking about.

Z10 STL100-2 / Official Release 10.2.1.1925

[Coachbulldog]

It is this type of thread that keeps me coming back to CrackBerry even though the only BlackBerry product I use is cross-platform BBM. Very interesting and informative.


Sent from my iPhone using CB Forums mobile app

[Ecm]

All,
This thread was moving along quite nicely, until the personal jabs started. Those posts, and the posts in which they were quoted, have been deleted.

Feel free to continue -- discuss, debate, even disagree. But DO NOT resort to insults!

[bennelong]

+1. We need people who knows their stuff, and what they are talking about.

Z10 STL100-2 / Official Release 10.2.1.1925

+1000
As I see it, a person can risk data loss to unknown app developers, or even potentially the control of their device merely through inappropriate permissions being granted.
People need to be educated in order to make informed decisions in this area.


Posted via CB10 on a Z10

[Prem WatsApp]

All,
This thread was moving along quite nicely, until the personal jabs started. Those posts, and the posts in which they were quoted, have been deleted.

Feel free to continue -- discuss, debate, even disagree. But DO NOT resort to insults!

Thanks Elessar, for saving me having to read through those insults. What a pity this stuff has to happen on CB.

iPhone for me? Scr... ahem Q that! (posted from the latter)

[Prem WatsApp]

Hi, my lab is MRG Effitas.

We focus on financial malware and browser security mainly but you will see we do time to detect tests as well.

Some tests are available on our site but most of our work is private, however, if you Google "Kaspersky MRG" or "Trusteer Apex MRG " you can sign up to the last one and see we did the assessment of their technology.

Also if you install Kaspersky Internet Security on your PC, you will see my company logo appear during installation.

Now, in terms of working with Android and BlackBerry, we will be conducting Android tests later in the year once we have our other new testing programmes up and running .

If one of the Crackberry team wants to contact me I'm happy to have a chat or fix up a telcon.

If someone from BlackBerry wants to contact me they can do so via LinkedIn as I'm easy to find on there.

I would be interested to have them discuss exactly how Android runs on BB10.

I don't think there is enough public awareness of how much malware there is out there on PC and Android and this needs to change.

Modern malware is designed to be stealthy so it can reside on the host as long as possible allowing it to do its thing as long as possible for the criminals.

Cybercrime is set to become the highest revenue generating crime this year overtaking drug crime on a worldwide basis.

Malware and Cybercrime are big business and have money, brains and serious people behind them.

BlackBerry need to make more of a thing about security. Like I said, I'm happy to have a chat with the Crackberry team or BlackBerry direct if they contact me via LinkedIn.

Cheers,

Chris.

Posted via CB10

So glad someone is giving that info out. I fight with malware and stuff everyday, relying on a lot of those products you mentioned. Thanks for everything. Thanks for making the world a safer place.



iPhone for me? Scr... ahem Q that! (posted from the latter)

[birdman_38]

A mobile OS that commands 81% of the market has the most malware compared to one that holds 1%. Kudos to Times of India for breaking this story.