What to Wear

Many high-tech companies are researching wearable technologies, i.e. things you can wear that help make your life easier. Causing the biggest stir in the technology community recently are smart glasses, with Google Glass being the primary example. Giving you visual aid with augmented reality is a fascinating thought for me. But it has also sparked a discussion about what should be allowed with respect to privacy. Do you need to inform your friends whenever you are filming them? Maybe a red LED in your glasses should turn on whenever you are recording, taking the term “evil eye” to a whole new level. If you search the Web for people who are planning to extend the built-in functionality of Google Glass, you will come across all kinds of interesting integration ideas, including the controversial face-recognition feature.

But there are quite a few other wearable devices worth discussing: smart bracelets, intelligent shoes and watches that can interact with other objects, all of them devices that are available to purchase. Recently, at the D: All Things Digital conference (D11), a few more prototypes were revealed to the public.

For example, Motorola demonstrated an electronic circuit tattoo that could be used to authenticate a person, acting as a key. They went one step further and introduced a pill that, once swallowed, would transmit a signal from within your body. Both ideas would turn your body into something like a password token – something you are – that could be used for authentication purposes.

Of course, we already have similar technologies: my car opens magically at the touch of my finger, and there are RFID cards that you can carry in your pocket. And let’s not forget biometric factors; after all, your fingerprint is something you always have with you. Unfortunately, fingerprint readers are not contactless, so they might not be as convenient as wireless technology. Conversely, broadcasting signals always raises concerns about privacy and tracking. We have seen this concern in most countries where RFID passports were introduced. Even if you can’t extract the secret key from the chip to impersonate someone, you might still be able to elicit a response that fingerprints the chip and lets you start building a tracking profile. This is one of the reasons that many people use Faraday-cage wallets that block any unwanted RFID reading. I don’t think we will have to wear Faraday-shield T-shirts anytime soon, but these are some of the challenges we need to solve for wearable authentication tokens if we want broad acceptance.

Still, it is an interesting field and would definitely help people who always forget their passwords – unless, of course, they forget to take their pill. It could also solve the problem of weak passwords, as they would be strong by default and could act as a master password for a password safe. But we will have to wait and see how these concepts get implemented and whether people are willing to wear such devices. Depending on that, it might still be possible to attack these systems, or simply to steal an authenticated session and bypass the password entirely.

In any case, we at Symantec are curious about what the future holds and are closely monitoring scam emails to see if they begin asking you to send your pill to them instead of offering cheap pills for you.

Malicious Dating, Ad Services Plague Japanese Users

In a previous blog post, McAfee Mobile Research reported on fraudulent adult dating-service applications on Google Play that target Japanese users. Many other suspicious applications are spreading on Google Play in Japan and try to lure users to similar fraudulent sites.

These suspicious applications have appeared on Google Play since May. They offer adult or nonadult image viewers, article-collection sites (known as matome sites in Japan), viewers for a well-known online BBS, information for popular games, silent cameras and more, as well as the previously mentioned bogus dating services.

[Image: gp-bad-push-1] Suspicious apps include a BBS article-collection service and a silent camera app.

[Image: gp-bad-push-2] Suspicious information apps for a popular game.

Once a user installs one of these applications, its background service, which uses the server-to-device push notification mechanism (Google Cloud Messaging), is registered and started. Through this mechanism the application developer can send any information to the device at any time, and the corresponding background service runs its code in response to the notification. This background processing can occur even when the application itself is not running.
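As an added illustration (not McAfee's analysis tooling, and not code from the apps described), the following Python script performs the static check an analyst would run on an app's AndroidManifest.xml to see whether it is wired for this kind of server-to-device push: the C2DM/GCM receive permission, a broadcast receiver registered for the GCM receive action, and the background services that such a receiver can wake. The manifest is constructed for this example; the package and class names are placeholders.

```python
"""Static triage of an AndroidManifest.xml for server-to-device push wiring.

Added example, not McAfee's tooling. The manifest is constructed for this
illustration; the package and class names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission and broadcast action that C2DM/GCM push delivery relies on.
GCM_RECEIVE_PERMISSION = "com.google.android.c2dm.permission.RECEIVE"
GCM_RECEIVE_ACTION = "com.google.android.c2dm.intent.RECEIVE"

# Constructed manifest resembling an image-viewer app that wakes a
# background service on each push message.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application android:label="Image Viewer">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".PushReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
        <category android:name="com.example.placeholder.viewer"/>
      </intent-filter>
    </receiver>
    <service android:name=".PushIntentService"/>
  </application>
</manifest>
"""


def _name(elem):
    """Read the android:name attribute of a manifest element."""
    return elem.get(ANDROID_NS + "name")


def triage_push(manifest_xml: str) -> dict:
    """Report whether the manifest declares GCM push reception and which
    components would run in the background in response to a message."""
    root = ET.fromstring(manifest_xml)
    permissions = {_name(e) for e in root.iter("uses-permission")}
    push_receivers = [
        _name(recv)
        for recv in root.iter("receiver")
        if GCM_RECEIVE_ACTION in {_name(a) for a in recv.iter("action")}
    ]
    services = [_name(s) for s in root.iter("service")]
    has_permission = GCM_RECEIVE_PERMISSION in permissions
    return {
        "package": root.get("package"),
        "has_push_permission": has_permission,
        "push_receivers": push_receivers,
        "background_services": services,
        # Both pieces must be present for push-driven background execution.
        "uses_push": has_permission and bool(push_receivers),
    }


if __name__ == "__main__":
    for key, value in triage_push(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A `uses_push` result is not a verdict on its own, since many legitimate apps receive push messages; it tells the analyst which receiver and service classes to decompile next and whether the app explains or asks consent for the notifications it will display.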

Push notifications are also used legitimately, for example by a major mobile advertising network whose Android SDK uses them to display any advertisement in the device’s system notification area. By incorporating such an ad module, developers earn revenue when the ads are displayed or when users buy the advertised services.

By examining the message contents sent by push notification and displayed in the notification area, we can see that in some cases these suspicious applications receive and display links to the previously mentioned malicious dating-service sites. Other notifications display links to other applications’ download pages on Google Play, probably to collect affiliate revenue. Nonetheless, these applications are risky or even malicious because they try to send users to fraudulent websites.

[Images: gp-bad-push-3, gp-bad-push-4, gp-bad-push-5] Examples of ads via push notification sent from suspicious servers.

Push notifications of this sort are risky because the notification arrives without any prior explanation and without an opportunity for users to refuse notifications at installation or at the first launch of the application. Without these options, this type of notification can mislead users into unwanted or risky services.
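The triage step described above, classifying where each pushed notification actually sends the user, can be scripted once the messages have been captured from a test device. The following Python is an added example, not McAfee's code: the notification payloads are constructed, the hostnames are placeholders under the reserved .invalid TLD, and the small denylist stands in for a web-reputation lookup. It separates links to Google Play app pages (cross-promotion for affiliate revenue) from links to external sites, and, going slightly beyond the text, also flags hosts that borrow Google or Play naming without being under google.com.

```python
"""Triage of push-notification ad payloads captured from a test device.

Added example, not McAfee's code. The payloads are constructed and the
hostnames are placeholders under the reserved .invalid TLD.
"""
import json
from urllib.parse import urlparse

# Hosts that serve Google Play app pages; links here are cross-promotion
# for affiliate revenue rather than off-store redirection.
PLAY_HOSTS = {"play.google.com"}

# Placeholder denylist standing in for a web-reputation lookup.
KNOWN_BAD_HOSTS = {"dating-example.invalid"}

# Constructed notification messages as the push receiver would hand them on.
SAMPLE_PAYLOADS = [
    '{"title": "New app!", "url": "https://play.google.com/store/apps/details?id=com.example.other"}',
    '{"title": "Meet someone tonight", "url": "http://dating-example.invalid/lp?aff=123"}',
    '{"title": "Official store", "url": "http://play.google.com.example.invalid/apps"}',
    '{"title": "Update available"}',
]

# What an analyst does with each verdict.
ACTION = {
    "play_store": "allow",
    "no_link": "allow",
    "external": "review",
    "play_lookalike": "block",
    "known_bad": "block",
}


def classify_url(url: str) -> str:
    """Label the destination of a notification link."""
    host = (urlparse(url).hostname or "").lower()
    if host in PLAY_HOSTS:
        return "play_store"
    if host in KNOWN_BAD_HOSTS:
        return "known_bad"
    # Heuristic: a host with a "google" or "play" label that is not under
    # google.com is treated as an imitation of the official store.
    labels = host.split(".")
    if ("google" in labels or "play" in labels) and not host.endswith(".google.com"):
        return "play_lookalike"
    return "external"


def triage(payloads):
    """Return one verdict and recommended action per notification payload."""
    results = []
    for raw in payloads:
        msg = json.loads(raw)
        url = msg.get("url")
        verdict = classify_url(url) if url else "no_link"
        results.append({
            "title": msg.get("title", ""),
            "url": url,
            "verdict": verdict,
            "action": ACTION[verdict],
        })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_PAYLOADS):
        print(f"{r['action']:6} {r['verdict']:15} {r['title']!r} -> {r['url']}")
```

In practice the denylist would be replaced by a reputation query, and every "external" destination from an app that never explained its notifications deserves manual review, since the page's observation is precisely that such links led to fraudulent dating sites.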

We have found that Google Play hosts many applications containing this suspicious ad module, and more of these apps are uploaded almost every day. We have confirmed about 350 of these applications in total, and more than 160 are still live on Google Play. (Others have been deleted for some reason.) The total number of downloads of the current apps is between 20,000 and 70,000, and would be much higher if we included the deleted ones.

[Image: gp-bad-push-6] Examples of suspicious apps uploaded every day.

So far our investigation has found no publicly hosted service operating this advertising module. We believe the module is not provided by any official ad network but is privately operated by the application developers using their own server. Because of this arrangement, we consider this ad module a fake that imitates the official modules provided by legitimate ad agencies.

A similar piece of malware, Android/BadNews, aimed mainly at Russian speakers, also uses a fake ad network. That malware uses a module provided by the fake network and displays links to a malicious application that sends premium SMS messages without the user’s knowledge. In the case of Android/BadNews the ad module appears to have been developed as a separate software module; in the case of the suspicious Japanese apps the module is embedded in the application itself.

Many apps containing this fake ad module are published on Google Play across multiple developer accounts. But we believe that all of them are created and published by a single developer or group of related developers, considering the similarities in their implementation code and the naming conventions used for the apps’ package names. Moreover, the developer(s) of these suspicious apps also publish many fraudulent adult dating-service apps. So we can conclude that this developer operates with malicious intent, trying to capture users by embedding this risky ad module into many apps of various genres on Google Play.

[Image: gp-bad-push-7] Fraudulent dating-service apps published by the same developers.

McAfee Mobile Security detects these applications with the fake ad module as Android/BadPush.A.

Fraudulent Adult Dating Services Turn 10 Years Old, Still Evolving

McAfee Mobile Research monitors adult one-click-fraud applications on Google Play that are targeted at Japanese users. Although the attackers appeared to have stopped uploading these apps in May, they have now resumed the attacks. We have confirmed about 600 malicious applications have been published since the beginning of April.

We have also confirmed that another type of well-known fraudulent application – bogus adult dating services – is increasing on Google Play. Such fraudulent dating-service applications have been published on Google Play before, and now we have seen new apps appear every day since May. We have counted more than 400 fraudulent dating applications in total, and more than 130 are still on Google Play. The total number of downloads lies between 90,000 and 310,000. The figure would be higher if we counted already deleted apps.

[Image: gp-deai-fraud-1] Fraudulent adult dating-service applications in Japan.

Fraudulent dating services have existed in Japan for more than 10 years. They generally operate using decoys, called sakura in Japanese. These are the service operators themselves or paid agents who pretend to want to meet the victims. The sakura have no intention of meeting, but do want to make callers pay money to keep in touch. In most cases, the victims are lured to these malicious sites via spam mails, links on web pages, and search engines. Recently new media–such as social networking services and free messaging tools–also attract victims to these services.

Today, the attackers increasingly trick their potential victims using mobile applications, especially on Google Play. In most cases these apps simply show the fraudulent websites in their WebView component, or launch a browser to show the sites.

[Image: gp-deai-fraud-2] Initial screens of fraudulent dating-service apps displayed in WebView.

We now know that a developer of a series of one-click-fraud applications also publishes fraudulent dating-service apps. It is not clear whether the developer actually operates the dating services, but the two are related, for example through affiliate revenue received from the service operator.

[Image: gp-deai-fraud-3] Fraudulent dating-service apps published by a one-click-fraud app developer.

Other developers are also publishing bogus dating applications. The apps vary in format: displaying fraudulent websites, providing fake advertisement links to websites, providing links to a set of websites that mixes malicious sites with legitimate dating services, imitating article threads from a well-known BBS to trick readers into believing the story and registering for the malicious services, and so on.

[Image: gp-deai-fraud-4] Fraudulent dating-service apps published by another developer.

[Images: gp-deai-fraud-5-1, gp-deai-fraud-5-2] Links to fraudulent dating-service apps embedded in a BBS article-collection app.

[Image: gp-deai-fraud-6] Fraudulent dating-service app as a collection of links.

The landing pages of these malicious sites often imitate pages on Google Play, to make users believe the services are safe and endorsed by the official app store.

[Image: gp-deai-fraud-7] Landing pages of fraudulent apps imitating Google Play pages.

These applications do not automatically collect private information from the devices or send spam mails/SMS messages; they just lead users to their fraudulent sites. On those sites, users are requested to input their email address on their devices or in some cases their mobile phone numbers.

Once users register for the service, the decoy sends mail, which always has the same message. At first, users can exchange messages with the potential “partner” for free, but the free period suddenly expires just as the decoy promises to meet; the victims have to pay to keep in touch. Sometimes the decoy says she wants to give the victim a huge amount of money and requests a minimum charge to the service to proceed; of course such offers are always baloney!

Another characteristic is that users are automatically registered in one or more other dating services at the same time, probably operated by the same fraudulent group. Once registered in these services, users receive a massive amount of spam designed to trick them into paying money; in the worst case two or three mails are sent every minute, adding up to more than 1,000 mails per day.

Users can avoid these risks by not registering for the services or not communicating with the service operator even if they accidentally register. But even with this easy defense, some victims suffer again and again. Professional fraudsters catch the unguarded with their tricky tactics.

McAfee Mobile Security detects these fraudulent dating-service apps as Android/DeaiFraud and protects customers from this common Japanese fraud. We also block web access to such malicious sites by registering their URLs in our Web Reputation Database.

Gartner EA Conference Summary in Top Influential Tweets

I usually don’t post recaps of events in their tweets, but since I was unable to do full coverage of the event, I have picked out what I thought to be the most influential tweets. Lots of good nuggets from the Gartner analysts along with commentary from myself and other EAs at the event.

Day One

· Mike Walker (@mikejwalker) - Good advice from Betsey Burton: Time box your EA activities. Ex. Allstate Chief Arch 16 wks. To keep atten. of the biz #entarch #GartnerEA

· Mike Walker (@mikejwalker) - Betsy Burton: business capability should be named <verb> <noun>. Do you agree? Not sure I do, mixing concerns. #entarch #bizarch #GartnerEA

· Mike Walker (@mikejwalker) - Great overview on Business Capabilities by Betsy Burton. Here's a useful BCM I use. #entarch #bizarch #gartnerea http://mikejwalker.typepad.com/.a/6a011279700eb728a4016306b433f8970d-pi …

· Pete G. (@pgrivas) - Beyond a level 0/1 diagram, #ArchiMate seems to me like a great tool to continue on with Business Capability Modeling. Thoughts? #GartnerEA

· Olivier Laquinte (@OLaquinte) - A process model describes how the business operates, while a business capability model describes what the business does #gartnerEA

· Mike Walker (@mikejwalker) - Connecting Strategy to Execution Enablers. More than business capabilities. #entarch #bizarch #gartnerea http://mikejwalker.typepad.com/.a/6a011279700eb728a4017c31f84119970b-pi …

· Brian Oberman (@brianoberman) - Business capabilities modeling bridges the gap between business strategy and IT execution. #GartnerEA

· Mike Walker (@mikejwalker) - Extending #GartnerEA thinking: Connecting Strategy to Execution is more than business capabilities. #entarch #bizarch http://mikejwalker.typepad.com/.a/6a011279700eb728a4017c33f8323e970b-pi …

· Voytek Janisz (@VoytekTheEA) - Business Capability modeling is a great way to bridge communication gap between business and IT #GartnerEA #entarch

· Homero Padilla Cano (@zerkhufu) - “nobody cares about your work, they care about your impact in creating/pushing business outcomes” @ #GartnerEA

· Olivier Laquinte (@OLaquinte) - @brian_burke - since #EA are influencers, should they be on projects steering committees to ensure alignment? #gartnerEA

· Olivier Laquinte (@OLaquinte) - Effectiveness + Efficiency = #EA Impact #gartnerEA

· Olivier Laquinte (@OLaquinte) - Measuring #EA : actions as a result of influence is an impact #gartnerEA

· Fred (@froidianslip) - Change is a team sport. #GartnerEA

· Fred (@froidianslip) - Brian Burke told me no one cares about me, they only care about what I've done for them lately. #GartnerEA #welcometothebusiness

· Duncan Mundell (@dcmundell) - It's the EA's responsibility to negotiate non-functional requirements by helping the business balance cost, risk and capabilities #GartnerEA

· Voytek Janisz (@VoytekTheEA) - Use "Mickey Mouse" diagrams when communicating architecture to business. Leave UML, BPMN, ArchiMate behind. #entarch #GartnerEA

· Voytek Janisz (@VoytekTheEA) - Panel discussion: "Architecture is about managing change and about communication" #entarch #GartnerEA

· Rebecca Newland (@NewlandRebecca) - Five Things I Learned At The #Gartner Enterprise Architecture Summit #GartnerEA http://buff.ly/17YtlAn

· Derek E. Weeks (@weekstweets) - Gartner's @MarkRaskino "watch out for new roles of ChiefDataOfficer and ChiefDigitalOfficer at your corp this year". #gartnerea #opentext

· Fred (@froidianslip) - The new CIO... Chief Innovation Officer. But the role is about much more than technology. #GartnerEA

· Fred (@froidianslip) - Entrepreneurial is not a word that sits well with most CIOs. #GartnerEA

· Derek E. Weeks (@weekstweets) - Who is managing your unstructured information? #gartnerea #opentext pic.twitter.com/tqKAvhuEnd

· Brian Oberman (@brianoberman) - The way to succeed in social media: purpose, purpose, purpose. #GartnerEA #socialmedia

· Brian Oberman (@brianoberman) - 90% of organizations' social collaboration efforts fail. #GartnerEA

· Steve Armstrong (@sakarmstrong) - Enterprise architecture is something we do, not something we deliver. #gartnerea

· Homero Padilla Cano (@zerkhufu) - “sharing information leads to business innovation and new ways to use information” @ #GartnerEA

· David Middleton (@_dmiddleton) - Social collaboration isn't disruptive b/c of the technology but b/c of how it is leveraged and utilized to affect change. #GartnerEA

· Fred (@froidianslip) - Great talk on CEO concerns, but I keep thinking, "Bring me the holy hand grenade." #GartnerEA #projectingmontypython

· Fred (@froidianslip) - The gap between the business and IT is one of understanding and ultimately a language gap between people. #GartnerEA

· Fred (@froidianslip) - You should never trust a survey people, really. #GartnerEA #CEOconcerns

· Derek E. Weeks (@weekstweets) - @MarkRaskino Recession is still problem but tech is not slowing...expect more tech demand as growth strategies unfold #gartnerea #opentext

· Brian Oberman (@brianoberman) - Build systems to empower people. #GartnerEA #socialmedia

· Pete G. (@pgrivas) - @mikejwalker From your tweets we must be at the same session at #GartnerEA. I love your site BTW - great information.

· Mike Walker (@mikejwalker) - #GartnerEA is echoing my thoughts of #BizArch It's NOT creating strategy but rationalizing into execution #entarch http://architectureandgovernance.com/content/walker-talks-business-architecture-and-best-practices-using-it …

· David Middleton (@_dmiddleton) - By 2020, alternatives to formal higher education will make education more engaging, broadly accessible and broadly recognized. #GartnerEA

· Mike Walker (@mikejwalker) - Betsy Burton: No.1 #bizarch mistake is to separate it from #EntArch They are one in the same. <-Agreed! #GartnerEA

· Michael McNamara (@mfMcNamara) - Develop a crisis management playbook #GartnerEA

· Pete G. (@pgrivas) - Worst practice in #EnterpriseArchitecture is starting out with current state #GartnerEA

· Pete G. (@pgrivas) - #EnterpriseArchitecture is going to be a discipline of Strategic Planning by 2020 - #GartnerEA

· Homero Padilla Cano (@zerkhufu) - increase sales is not strategy #GartnerEA

· Matt Edwards (@mwedward) - "Only 10% of enterprises successfully execute their strategies - Michael Hammer." #gartnerea

· Matt Edwards (@mwedward) - The key to successful business architecture is family counseling. Get past the tears and differences, and work together. #gartnerea

· Ryan Pehrson (@rpehrson) - #GartnerEA Betsy Burton. "60% of EA is 'Family Counseling'"

· Brian Oberman (@brianoberman) - Want to add value as an EA? 1. deliver real outcomes, 2. deliver signature ready recommendations. #GartnerEA

· Brian Oberman (@brianoberman) - There are no IT projects. There are only business projects. #GartnerEA

· Mike Walker (@mikejwalker) - #GartnerEA External disruptions affect EA. <- Agreed posted in '09: EA is Different Based On Where You Live #entarch http://www.mikethearchitect.com/2009/05/is-architecture-different-based-on-where-you-live.html …

· Voytek Janisz (@VoytekTheEA) - When strategy is not articulated, it is the business outcomes that can help frame it up. #entarch #GartnerEA

· Brian Oberman (@brianoberman) - Even if your strategy isn't explicitly documented you can derive it from what you are currently doing. #GartnerEA

· Mike Walker (@mikejwalker) - #GartnerEA Keynote: Let industry frameworks guide not prescribe <-Agree #entarch

· Mike Walker (@mikejwalker) - #GartnerEA Keynote: Frameworks are bad, let us introduce a new framework and method #entarch

· Brian Oberman (@brianoberman) - Categorize EA business driven outcomes as: run, grow or transform. #GartnerEA

· Fred (@froidianslip) - EA goes agile and pragmatic according to Brian Burke. #GartnerEA

· Matt Edwards (@mwedward) - Business objectives should be timeboxed (as should everything)... #gartnerea

· Voytek Janisz (@VoytekTheEA) - Business outcome driven EA is the next wave after the framework-driven EA #GartnerEA #entarch

· Brian Oberman (@brianoberman) - EA is entering third phase. First was framework, followed by process and moving towards business outcome driven EA. #GartnerEA

· Brian Oberman (@brianoberman) - By 2015 40% of global 1000 companies will use gamification as a strategy. #GartnerEA

· Mike Walker (@mikejwalker) - BYOD will double the amount of malware in the enterprise through 2014 #GartnerEA #entarch

· Duncan Mundell (@dcmundell) - Successful #enterprisearchitecture is all about outcomes and not just processes and standards alone. #gartnerea

· Mike Walker (@mikejwalker) - By 2015 #bigdata demand will reach 1 million jobs but only 1/3 will be filled #GartnerEA #entarch

· Brian Oberman (@brianoberman) - By 2015 big data will reach 1 million jobs in global 1000 but only 1/3 will be filled. #GartnerEA

· Matt Durham (@matthewdurham) - Enterprise architects influence $1.1 trillion in enterprise IT spend according to #Gartner #GartnerEA. My influence is somewhat smaller.

Day Two

· Fred (@froidianslip) - BYOD = Bring Your Own Data #GartnerEA

· Brian Oberman (@brianoberman) - Prediction: we will use 4 - 6 devices and share data via the cloud. #GartnerEA #hopenot

· Fred (@froidianslip) - BYO-let-my-company-and-I-decide-what-is-best-for-both-of-us #GartnerEA

· Fred (@froidianslip) - 13% NEVER use company supplied devices for personal communications. Is that on or off the record? #GartnerEA #neverisaverystrongword

· Brian Damiani (@bwdamiani) - Interesting: The majority of speakers are British. All very good but an indicator that the US is still lagging in EA adoption? #GartnerEA

· Vijay Nuthulapaty (@VNatGartnerEA) - @markmcgregor Coming to #GartnerEA made me realize that my team is not alone in challenges with EA. Definitely therapeutic.

· Fred (@froidianslip) - Found my new favorite phrase in the disruption session: behavioral economics. Can I now have a behavioral recession? #GartnerEA

· Brian Oberman (@brianoberman) - #5 disruption: brain science and neurobusiness. #GartnerEA

· Vijay Nuthulapaty (@VNatGartnerEA) - @mikejwalker Amen brother. And not just detailed designs, issue resolution as well. #gartnerea

· Mike Walker (@mikejwalker) - Scott Bittler - “Just because you can do something [detail design] as an EA doesn’t mean you should” #GartnerEA #EntArch

· Brian Oberman (@brianoberman) - #3 disruption to business: robotics and human augmentation. #GartnerEA

· Brian Oberman (@brianoberman) - #2 disruption to business: human system interaction. #GartnerEA

· Brian Oberman (@brianoberman) - #1 disruption to business: the internet of things. #GartnerEA

· Vijay Nuthulapaty (@VNatGartnerEA) - Met a lot of interesting architects at #gartnerea. By my guesstimate only 50% are in an EA role currently.

· Voytek Janisz (@VoytekTheEA) - EA roadmaps are visualization of strategy. Use them to articulate known strategy or to help elicit it from business. #GartnerEA #entarch

· Brian Oberman (@brianoberman) - Favor enablement not control in your EA program. #GartnerEA

· Duncan Mundell (@dcmundell) - Successful enterprise architecture is about doing the basics right. Focus on the business and communicate. #GartnerEA

· Mike Walker (@mikejwalker) - Agree with Keith Meador -> At the end of the day, the last mile is all that matters. Make your efforts signature ready #EntArch #GartnerEA

· Olivier Laquinte (@OLaquinte) - K.Meador, #starbucks | The job of an #EA is not to get the right answer, it's to get the best one in a collaborative way #gartnerEA

· Fred (@froidianslip) - Keith Meador has captured the essence of EA. The fact he works for @Starbucks and is also from Seattle introduces no bias. #GartnerEA

· Mike Walker (@mikejwalker) - Starbucks preso started w/ a coffee tasting & biz overview. Kudos to Keith on EA leadership and focus. #GartnerEA #EntArch

· Fred (@froidianslip) - Coffee is a connection at Starbucks. EA is about connections as well. Well played coffee giant. #GartnerEA

· Brian Oberman (@brianoberman) - Starbucks is giving out free coffee at their presentation. #GartnerEA @Starbucks #score pic.twitter.com/LyfXnDY612

· Fred (@froidianslip) - On an innovation slide: Design serendipitous workspaces. <- Acceptance is a big cultural indicator. Trust me, I know. #GartnerEA

· Wes DeVault (@wvipersg) - Use caution when trying to roll up risk indicators to one indicator score. You may end up missing things you will need. #gartnerEA

· Michael McNamara (@mfMcNamara) - WIIFT - What's in it for them? "... that's the bacon!" Cathleen Blanton #GartnerEA

· Fred (@froidianslip) - I've fallen in love with the six roles of technology innovation. Someone please tell my wife I'm sorry. #GartnerEA

· Brian Damiani (@bwdamiani) - Enterprise Architecture should be done with others, not to them. From Cathleen Blanton's Roadmap presentation. #GartnerEA

· Pete G. (@pgrivas) - "Roadmapping uses a graphical approach to visualize strategy". Key phrase: visualize strategy #GartnerEA

· Vijay Nuthulapaty (@VNatGartnerEA) - Gartner's message around business value driven EA is consistent, not hearing the same from the crowd though. Thoughts? #GartnerEA