CrowdStrike CEO to reveal 'major mobile vulnerability' at RSA
CSO - A significant vulnerability affecting all versions of the Webkit mobile browser could give malware complete control of your phone. The malware could listen in on your conversations, view through your camera and record everything in your email and messages. It can also track your location at the time. George Kurtz, CEO of the new security company CrowdStrike, has told CSO he'll demonstrate how the vulnerability works at a presentation at RSA Wednesday.
According to Kurtz, the new vulnerability affects all Android, iOS and newer BlackBerry devices. It does not affect devices running Microsoft Windows Phone 7. Kurtz said this means virtually every smartphone and tablet in use globally shares this vulnerability. Worse, security software currently available for mobile devices won't detect such malware and won't protect against it.
Kurtz is perhaps best known for his revelations regarding the Chinese Shady Rat operation that compromised US government and defense contractors in 2011. Kurtz discovered the Chinese cyber attacks on the US while he was CTO at McAfee. He left that company after the Intel acquisition.
In his interview with CSO, Kurtz said that he compares the use of malware to the use of a gun. If someone is shooting at you, it makes more sense to take out the shooter rather than to stop the bullets, especially since the shooter can change the type of bullets he's using at any time. He said that users of malware can do the same thing and change the method of attack at any time.
Kurtz added that mobile devices are the next battlefield. "One of the things we talk about is the nation-state activity," Kurtz said. "We believe that this scenario is happening today. It's happening on mobile devices."
Kurtz said his company has been able to repurpose Chinese malware so it can take advantage of the Webkit vulnerability and take control of any mobile device. He said he's been able to control the camera and microphone on a mobile device, read email and text messages, and use the device to record what's happening around it. "It's the ultimate spy tool," he said.
Kurtz said the malware can be distributed by simply getting a user to click on a link that takes them to an infected website. Simply visiting the site would infect the device, and allow the remote operator of the malware to send data to a site anywhere in the world. "SMS messages could be a potential point of infection," Kurtz said.
For now, until the vulnerability is fixed, there's little anyone can do to prevent infection by the malware he describes, except to know not to click on links. In addition, he said it's important to make sure that software on mobile devices is kept updated, something that's not always possible on Android devices because of the fragmented update situation in the Android world.
Until security managers know that the mobile devices in their organizations have been updated, he said the best they can do is train users not to open links, and to be aware of what's installed on the devices. He also suggested disabling Android's ability to load applications from anywhere.
Kurtz will present his findings Wednesday, at 10:40 a.m.