Cyber crooks target digital signatures
- By Mark Rockwell
- Nov 22, 2013
McAfee reports that a new family of mobile phone malware allows electronic attackers to bypass the digital signature apps on Android devices.
As the federal government works to foster an identification ecosystem that can tie identities to a central, known, reliable source to bolster defenses against tampering, cyber criminals are developing new ways to get around the digital signature apps that protect smart phones and personal computers
A new study by cyber security provider McAfee details a new family of mobile phone malware that allows electronic attackers to bypass the digital signature apps on Android devices. The new malware, said the lab's third quarter 2013 report, contributed to a 30 percent increase in Android-based malware during the period.
"The efforts to bypass code validation on mobile devices and commandeer it altogether on PCs, both represents attempts to circumvent trust mechanisms upon which our digital ecosystems rely," said Vincent Weafer, senior vice president of McAfee Labs in a statement. "The industry must work harder to ensure the integrity of these technologies given they are becoming more pervasive in every aspect of our daily lives."
At the federal level, the National Strategy for Trusted Identities in Cyberspace at the National Institute of Standards and Technology coordinates with the private sector, advocacy groups, public sector agencies, and others to improve privacy, security, and convenience of sensitive online transactions with an aim of creating an overarching "identity ecosystem." NIST and NSTIC identity management experts hold that government credentials that translate across agencies are key to such an ecosystem.
The U.S. Postal Service has rolled out the Federal Cloud Credential Exchange aimed at creating a single federated ID to make tracking, verifying and authenticating identities across federal agencies that have public-facing web applications easier.
Such efforts, even if successful, will face a continuous barrage of fresh challenges.
Along with the new wrinkle in smart phone malware, the McAfee report said it found a steady growth in mobile and overall malware during the third quarter of 2013, as well as a sharp upturn in spam worldwide.
The rise in spam, the report said, could be driven by rising centers for the malware. In looking closely at spam senders in various countries, statistics showed marked differences from quarter to quarter. China and Italy had an increase of greater than 50 percent during the third quarter, while Kazakhstan (down 61 percent), Belarus (down 55 percent), and Ukraine (down 51 percent) saw large declines.
After a slight decline in May and June, said the study, the volume of worldwide spam more than doubled in the third quarter. Spam volume hasn't been this high since August 2010, according to McAfee. The study shows almost 4 trillion spam messages were sent in September 2013, compared with about one trillion legitimate email messages.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.