Cybercrime is no longer exclusive to PCs and Macs, with hacks, spam, malware and trojans hitting smartphones, tablets and cloud storage services too. No-one knows this better than Costin Raiu of the security specialists at Kaspersky Lab. As the company’s Director of Global Research and Analysis Team, he’s got over ten years worth of computer and mobile security knowledge. We caught up with him at the InfoSec conference in London’s Earls Court today and had a chat about the increased threat from smartphone hackers, social networking spam and the growing danger of international cyber warfare.
We associate malware and viruses most closely with desktop computing, but we’re increasingly told that smartphone platforms are vulnerable too. Is there any particular mobile OS that is especially vulnerable?
There are four strong players on the market in terms of mobile platforms; Google with Android, Apple’s iOS, RIM’s BlackBerry OS, and with Nokia’s Symbian OS effectively dead, Microsoft’s Windows Phone 7. In my opinion Android will become the standard operating system in smartphones, but has a few quirks that makes it attractive not only to users but malware creators too.
Firstly, it’s very open, secondly it’s well documented in terms of the best ways to make applications for it, and thirdly has security vulnerabilities, especially in older Android versions. The problem here is that Google left the responsibility of patching Android largely to the carriers or smartphone developers. Looking back over past years, patching has always been a weak point of operating systems and third party software, and I have a feeling this will be a problem for Android as well because it’s not very easy to update the operating system. There will always be flaws and vulnerabilities that will be exploited by hackers.
Will the vulnerabilities of mobile operating systems extend into security flaws with tablet devices then?
Yes. Netbooks being replaced by tablets seems to be the trend for the future. I believe that with Android becoming more and more popular, growing in popularity on tablet devices too, we’re going to see more and more threats here. Do we need protection? I believe so. What is different with Android is maybe the kind of protection that is necessary is different here. Applications bought from the Android Market come with a prerequisite set of permissions, and there’s no easy way to allow only certain permissions to be given to an app without not installing it altogether. In the near future Android security needs to focus on application control, and restricting the length in which applications can access data on your tablet or mobile phone.
More and more of our personal data is stored on a wider number of sources online, sometimes without our knowledge. Should we be concerned with how we safeguard our cloud-stored data?
Yeah, I think this is another interesting development. For instance, Google recently launched version 10 of Google Chrome which has the feature to synchronise passwords to the cloud, meaning you don’t need to enter passwords for things like Facebook every time you use a different computer running that browser. It’s my feeling that Google and other big cloud providers are not doing a very good job at informing the user as to the extent to which they are storing user data into the cloud.
Interestingly, Twitter recently settled with the Federal Trade Commission (FTC) about the fact that they put their users at risk by not providing a decent level of security. The fact that Twitter agreed to implement HTTPS encryption is not only a giant “Win” for consumers, but also shows that we need a greater level of security when dealing with social media in general. Remember, it’s not only about ensuring that companies do their best to protect our data, but that the connection sending the data back and forth is secure too.
Are the social networks doing enough to educate users as to how to identify dodgy links and phishing scams?
The FTC ruling shows that at least Twitter aren’t doing enough, but this problem goes back several years. MySpace for instance didn’t have secure log-in, with passwords going without encryption over Wi-Fi networks and the like for anyone to steal. All the social networks could be doing more about it, especially in terms of making users aware of the risks. But the FTC did a wonderful job, and it’s exciting that Twitter understood the problems and took the necessary steps to improve their security.
So the more general authorities are now taking cybercrime more seriously too?
Yes. Security companies are pretty limited in the amount of things they can do. We can tell the big players that they aren’t fully secure, but it takes more than that to make them change their ways. Governments have a very important role here, not just in the US but all around the world.
Kaspersky Labs have previously stated that the recent Stuxnet worm could only have been implemented with “nation/state” support. What does this tell us about international cyber security in relation to foreign policy?
Stuxnet is a “one-of-a-kind” malware, totally different to anything we’ve seen before. We thought it couldn’t be unique but we haven’t been able to find anything similar. Stuxnet is opening the door to a new kind of security threat which indicates the existence of cyber way at the highest possible level within super powers. In the future we’re going to see more of this as I believe it’s a very cheap and effective way of attacking major targets. The evidence we’ve seen seems to indicate Stuxnet was successful in gaining the access it needed. Attacking an industrial installation with physical force is a lot more expensive and more complicated.
What sorts of security systems do you have planned for the future?
In terms of future Kaspersky Lab software we’re looking into three new, very interesting directions for our products, be it in cloud and virtualisation, whitelisting and reputation or mobile software. Data Leakage Prevention is also important now; it’s a lot more easy for you to lose your tablet or mobile phone than it is to misplace your desktop PC! A really interesting product we’re looking to launch this year is for VMWare Visual; we’ve had a lot of talks with our customers and bigger cloud providers and they’ve all expressed an interest in having a security product that can be worked into their data centres.
OK to round things up then; if you could give three tips as to how Tech Digest readers can protect their data today, at as little cost as possible, what would they be?
In order of importance, firstly they should update their operating systems; Android, Windows, Mac OSX, Linux, whatever. I know this can be quite painful, but it’s very, very important.
The second on is to make sure they don’t use pirate software. A lot of pirate software, particularly with Mac OS, come loaded with trojans. This can also be extended to pirate movies; recently we’ve seen “movies” on pirate torrent websites where the files aren’t actually real videos. Instead they claim the user doesn’t have the proper codec to view the film, directing them to download it from unsafe websites. When they download it obviously their machines get infected. So staying away from pirate sources in general is my second free tip!
The third tip has to do with user mentality. A lot of things happen because users aren’t aware of security threats, so they click on strange links or don’t properly screen links that friends have sent purely because they trust their pals, even if they’re not so sure of the source. It’s about using common sense and being careful if you spot unusual messages from your friends or social network contacts. If you see strange applications trying to access your profile on Twitter or Facebook, just don’t allow them unless you’re absolutely sure they’re approved! So that’s my three tips for your readers!
Cool, thank you very much Costin!