Blog
Quantifying the Risk of Cybercrime: Are You Accurately Estimating Your Risk?
Norton recently released their 2011 Cybercrime Report, and while there may be some contention around the specific numbers used and the comparison of the total cost of Cybercrime to the estimated revenue of drug trade, several aspects ring true:
- Cybercrime is a significant and growing problem (Estimated at $388 billion last year).
- Computer users are generally bad at estimating their risk of cyber attack.
- Users expect complete security, but most don’t install sufficient security controls.
- Mobile Cybercrime is a rapidly advancing attack vector.
It shouldn’t be a surprise to anyone paying attention that cybercrime is a growing problem, but what may be a surprise to some is the magnitude and financial impact of the problem. According to Norton’s survey this is estimated at 344 billion dollars last year alone. There are many caveats to note in this estimate such as:
- 144 billion dollars were reported as direct financial loss, while 274 billion dollars of the total estimate was due to the cost of time lost resolving the cyber attacks.
- These estimates are based on reported cybercrimes; however, many online crimes go either unnoticed or unreported.
Despite these caveats the core arguments cannot be contested: the threat of cybercrime is real, significant, and growing.
HTC Introduces Massive Privacy Vulnerabilities in Latest Update
We’ve said before that it only takes a single permission for an application to be malicious, and this vulnerability confirms that ten-fold.
Researchers at AndroidPolice have reported a massive privacy vulnerability in the latest update to the HTC Android Mobile OS. This vulnerability allows applications that request the permission “android.permission.INTERNET” to access much more than the Internet, including: phone numbers dialed, GPS information, SMS data, account and email information, system logs, a full list of applications installed, and a list of running tasks. Obviously this is much more information than the Internet permission is intended to grant access to, and Artem Russakovskii, the author of the original report, warns that these are just the initial results and that the full extent of the leak is not yet known.
Daniel Herrera on Common Obfuscation Techniques for Modern Browsers
Praetorian’s newest team member, Daniel Herrera, has been selected to present at this years LASCON Conference in Austin, TX on Oct 28th. In his LASCON presentation, Daniel will focus on common obfuscation techniques identified in the wild that function in all modern browsers. In this talk, each technique will be explained with functional examples demonstrating how and why a particular obfuscated method works.
This discussion will also include a detailed breakdown of the JavaScript syntax and its execution process. The presentation will categorize the JavaScript obfuscation into two groups: 1) Static obfuscation techniques, and 2) Dynamic obfuscation techniques.
Visual Analysis GUI for Android Apps (BETA)
Praetorian’s VP of Engineering, Ryan W Smith, has volunteered over the summer to be a mentor in The Google Summer of Code through The Honeynet Project. Google Summer of Code is a global program that provides stipends for students around the world to work on open source projects for a few months out of the year (the Summer for those in the US).
Ryan’s Google Summer of Code student Cong Zheng, has completed his final project APKinspector, a powerful APK analysis GUI tool with control flow graphs, code views, annotations and many other useful tools. Cong and Ryan have released a BETA version with a demo video that highlights some of the useful features.
Learn To Take Security Testing Tools to the Cloud at AppSec USA 2011
Praetorian’s Matt Tesauro is scheduled to speak at OWASP AppSec USA 2011. Matt will cover steps for taking your testing tools from laptop to the cloud using new features of the OWASP Web Testing Environment (WTE).
When: September 22-23, 2011 6:00 – 9:00 PM
Where: Minneapolis Convention Center (map)
Speaker: Matt Tesauro (Learn more about Matt)
Registration and more details at http://www.appsecusa.org/
