Mobile Anti-Virus Firms Prey on Fear, Uncertainty, and Doubt (FUD)

Security software companies increasingly prey on people’s fear to sell more products. This shady marketing practice is commonly known as FUD, which stands for Fear, Uncertainty, and Doubt. They tend to over-inflate threats to scare people into buying their product, usually through their own studies showing startling statistics. These reports are fed to reporters, many of whom publish the information without any further investigation, helping to feed the frenzy. Many security software firms rely on the fact that many reporters are technically illiterate when it comes to security, and count on them not digging into the research methods or asking a neutral third party to draw their own conclusions. The one possible exception is VPN companies, whose products actually are useful and can help keep you safe online.

“There are three kinds of lies: lies, damned lies, and statistics.” – Mark Twain

VPNs aside, one good example of such scare tactics revolves around mobile anti-virus products. I have written about the mobile anti-virus myth before, regarding how these apps do very little to protect you and, in many cases, actually decrease the performance and battery life of your phone. These applications do primarily signature-based detection of applications and are not able to do heuristic detection, which means they cannot protect you from zero-day attacks; by the time a malicious app is detected, it has already been pulled from the app stores. In the actual cases where malware has been identified, it was already too late for those who had installed the malicious application.

Google engineer Chris DiBona stated in a post:

“Yes, virus companies are playing on your fears to try to sell you bs protection software for Android, RIM and IOS. They are charlatans and scammers. IF you work for a company selling virus protection for android, rim or IOS you should be ashamed of yourself… If you read a report from a vendor that tries to sell you something based on protecting android, rim or ios from viruses they are also likely as not to be scammers and charlatans.”

Many of the actual malware cases we have seen have been applications installed outside the app store that affected only a handful of people, but this did not stop many of the folks who make mobile anti-virus products from telling everyone the sky is falling. Other cases have not been malware at all, but merely an application accessing data that it shouldn’t. That is hardly malware; if it were, then companies such as Path, Twitter, Hipster and a handful of others would fall under this classification for accessing and uploading users’ contacts without consent.

Symantec Malware Scare

One such scare campaign backfired. Symantec recently announced that they had discovered a malware application they called Android.Counterclank in 13 apps, which they claimed was “a bot-like threat that can receive commands to carry out certain actions, as well as steal information from the device,” infecting between 1 and 5 million devices. Are you scared yet? Well, fear not: when third parties investigated the “malware” they discovered that it was merely a poorly designed, slightly intrusive ad platform. Symantec then backpedaled with an update on their blog in which they even list the actual data the platform collects, which is no worse than any other analytics or adware platform. Symantec submitted the information to Google; Google responded that the applications met its terms of service. However, Symantec achieved their goal: more reporters wrote about the original malware story than covered the retraction, and probably a lot of people downloaded and purchased their mobile anti-virus app as a result.

Anti Malware Useless

Security firm AV-Test conducted a test in which they analyzed free Android virus scanners. Keep in mind that these tools use signature-based detection only, and that the malware used in the test does not exist in any app store. They found that even for apps already identified as malware, the detection rate was between 0 and 32%.

It is great that they did detect some of the malware. However, the likelihood of encountering these applications is close to zero, considering they do not exist in the Android Marketplace and have to be installed from outside it. Commercial anti-virus applications from F-Secure and Kaspersky identified the 10 sample files as malware, but again this is based on signature detection of known malware applications that do not exist in the Marketplace. The mobile apps need to be updated consistently to ensure that any newly discovered malware is added to their database; this requires the vendor to keep its data up to date, and it will do little to detect any new malware not in the database until it is too late.

Caution Over Fear

So is there no risk when it comes to mobile malware? No, dangers still exist, but most of them can be avoided by being careful about what you download and checking the permissions of the applications you are installing. If a simple game requests permissions to access your contacts, browsing history, IP address (which can be used for tracking) and calls, the odds are that it does not need such permissions and it should not be installed. You can also always use a VPN as a secondary line of defense. We are living in a world where even brands we trust with our data abuse that trust by invading our privacy and mining data for profit and market share.

There is a possibility that in the future a real mobile worm or virus could wreak havoc on a particular platform or even on a specific subset of IPs. However, this is highly unlikely given the restricted sandbox apps run in on most platforms. If there were such a security hole, it would only be fixed by a firmware update from the manufacturer or carrier, not a third party app.

Sony PSN Data Breach – Plain Text vs. Hashed Passwords Explained

There has been a rash of data breaches in which passwords were compromised because they were stored as plain text and not converted to a one-way hash as they should be. However, most consumers and even many developers, particularly in startups, don’t know about the best practice of hashing passwords, what it means, and how it can help protect users.

The Sony PlayStation Network hack and data breach is one of the most prominent examples to date, putting over 70 million customers at risk. But sadly, they are not alone. DSL Reports, Gawker and Trapster have also learned this lesson the hard way and, in the process, lost the trust of their customers.

Attackers gaining access to databases where passwords are stored in plain text is especially problematic, because recent studies show the majority of us use the same password across multiple sites. Worse yet, according to SecurityWeek, about 75% of social network usernames and passwords are identical to the ones used for email accounts.

What Is A “Hash”?

A hash is like a digital fingerprint of a chunk of data. It is a way of passing data through a one-way algorithm that returns a digital signature in place of the original data. A critical property of that signature is that it is unique but cannot be turned back into the original data. Another way to think about this is in terms of sausages. A sausage can be identified as pork, but it cannot be turned back into a pig.

The unique and irreversible nature of this process makes hashes ideal for storing your passwords. Although an attacker may compromise a database and reveal your list of password hashes, they can’t determine from the hashes alone what the actual password is and will not be able to log in to other accounts with that password.

For example, if I use a popular hashing algorithm called SHA-1 (Secure Hash Algorithm) and run the word “sausage” through it I get a value of:

“0bd7ea460f5fb0fa2d368f737c3ce63e19fdec50”

If I run “sausage” through the same algorithm I get the same result every time, but if I change the word slightly and run “snausage” the signature is completely different:

“c419e1d2f0f173b170d85b520db7acb2bb777604”

You may see that there is an issue here. Assume, for example, the password the user sets is “password123” which generates a signature of:

“cbfdac6008f9cab4083784cbd1874f76618d2a97”

If a hacker compares this against a precomputed list of common password hashes, the hacker will see that the user’s password is “password123”. So we need to take things a step further and add what is called a salt.

A salt is an additional value, a secret known only to us, that is mixed into the hash input to randomize the resulting key. In our sausage analogy, think of the salt as a proprietary secret blend of spices that we sprinkle into our sausage to make it uniquely ours. For this example I will hash the word “sausage” with a salt of “mysecretsalt” using the SHA-1 algorithm, which gives me:

“1cf4c502ddd89b918c4bfefea76dadd590693b48”

This process gives me a result unique to my application, different from the generic “unsalted” one, so the hacker will not be able to recover the password by matching it against known unsalted signatures.
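As an added example (not code from the original post), the following Python shows the two halves of the argument above: an unsalted SHA-1 hash of “password123” is found instantly in a constructed table of common-password hashes, while a salted record is not. The example goes a little beyond the post: it uses a fresh random salt per user (stored alongside the hash rather than kept as one application-wide secret) and PBKDF2-HMAC-SHA-256 instead of plain SHA-1, which is the construction a practitioner should use today; the password list and iteration count are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed list standing in for the precomputed "common password" hash
# lists the article says an attacker batch-compares stolen hashes against.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein"]


def sha1_hex(data: bytes) -> str:
    """Plain, unsalted SHA-1, as in the article's "sausage" example."""
    return hashlib.sha1(data).hexdigest()


def unsalted_lookup_table() -> dict:
    """Map unsalted SHA-1 hex -> password for the constructed common list."""
    return {sha1_hex(p.encode()): p for p in COMMON_PASSWORDS}


def recover_unsalted(stored_hex: str):
    """Return the password if its unsalted hash is in the table, else None.
    A defender can run this over a password store to see if it is exposed."""
    return unsalted_lookup_table().get(stored_hex)


def hash_with_salt(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA-256).  The salt and iteration
    count are embedded in the record; neither needs to be secret."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def new_record(password: str) -> str:
    """Give every user a fresh 16-byte random salt, so identical passwords
    yield different records and one lookup table cannot serve all users."""
    return hash_with_salt(password, os.urandom(16))


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, _ = record.split("$")
    candidate = hash_with_salt(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, record)


def digest_part(record: str) -> str:
    """The raw digest hex of a record, for checking it against the table."""
    return record.split("$")[3]
```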

One important thing to think about with security, a mentor told me a while back, is that it is never a question of “if your system is compromised.” The attitude instead should be “when the system is compromised,” and then think about how you can mitigate the risk when the data breach occurs. By hashing the passwords used to log in, you help protect your customers from the inconvenience of having to change all of their passwords or, worse, the risk of having their email compromised.