mobile security

I just found this article (I’ve been out of the loop for most of February) and couldn’t help but write something. If the claims in here are to be believed, we are in the middle of a mobile virus pandemic. There are some very interesting statistics:

The Situation Today
The purpose of the study was to discover to what extent mobile operators are affected by mobile threats. The findings revealed that:

* 83 percent of mobile operators questioned have been hit by mobile device infections
* The number of reported security incidents in 2006 was more than five times as high as in 2005
* The number of mobile operators in Europe and APAC reporting incidents affecting more than 1,000 devices more than doubled in 2006
* 100 percent more operators spent over $200,000 on mobile security in 2006 compared to 2005
* The number of mobile operators estimating that the cost of dealing with mobile threats is more than 1000 hours increased by 700 percent

Good grief! This all looks like pretty hairy stuff. And there’s more…

Nearly one-third (29 percent) of operators stated that subscriber satisfaction had suffered more than any other factor including revenue. The second most serious impact from mobile malware infections was on network performance.

Revenue? Network performance? Switch to DEFCON 1. Get me the president!

Whilst I will agree that mobile devices are becoming more of a target, it doesn’t mean history is going to necessarily repeat itself (with respect to Windows), although that’s not to say MS mobile platforms couldn’t do without a patch or two.

And perhaps McAfee could update their mobile site. Are they really are the only company in the world to have deployed a mobile suite? I think not.

UPDATE: It seems someone at McAfee took heed and their mobile site has been updated.  Original web page text from here.

Powered by Gregarious (41)

I am keen to get in on the Joost Beta Programme, so if any of you kind hearted souls out there would be willing to give me an invitation, I would be eternally grateful.

I can be contacted by email from joost@mobsec.com

Mission accomplished!. Thanks Antonio. You’re a gentleman.

Powered by Gregarious (41)

I’ve noticed a few people have been in search of bluetooth security tips so I felt compelled to write a quick guide on ways in which you can minimise your exposure to mobile malware. Of course the best way to secure your bluetooth device is to just disable bluetooth itself, but in cases where this not possible I recommend you follow these simple steps:

1. Set Bluetooth Name To Hidden. From your bluetooth preferences, switch your bluetooth visibility to ‘hidden’. In most common cases this stops your phone from being discovered when scans for bluetooth devices are made. The downside of this is you need to enable discoverable mode when someone legitimately wants to send you something then disable discoverable mode once you’ve finished.

2. Secure Paring. When paring any bluetooth device, it should be carried out in a secure area (think top floor of a deserted parking lot at 2am!) Paring in public areas should be avoided. This is because when paring takes place, the two devices generate a shared key which then used for all subsequant communication. If somone can sniff that shared key, it is possible they too could pair with your deivce.

3. Choose a strong PIN. PIN lengths should be a minumum of 16 characters. In order to further strengthen the PIN, upper and lower case characters should be used (if possible) and also numbers. If it is not possible to use alphabetic characters and you are stuck to using numbers only, you should never use less than 12 digits – and that is an absolute minimum!

4. Unsolicited Connection Requests. Under no circimstances should you accept unsolicited connection requests. Mobile malware that propogates over bluetooth exhibits itself by making persistent repeated prompts until the person accepts the connection request. In some cases, the phone is unusable until such times as a) the infecting phone has moved out of BT range or b) the owner of the recieving phone has accepted the connection request and subsequantly accepted all the installation prompts. The problem with the latter is that even if you accept all and install all, once the malware is installed, your phone will still be prompted as common malware broadcasts to all devices that are in range.

Attackers almost always go for the weakest link. Following these steps will help them focus their attention on other people’s devices and not yours.

Closing thought: Like malware on PC’s, what is it with humans that makes the yes button so much more attractive than the no button?

Powered by Gregarious (41)

I’ve been up to my eyeballs these past few weeks both at work and at home so no time to post. Anyway, I wanted to write a taunt post about Windows Mobile 6 which was announced recently at 3GSM in Barcelona. According to their press release, WM6 contains a host of new security features.

Security options. The platform offers a variety of security options, giving IT departments ways to help secure a device, including new Exchange Server policies and certificate options, storage card encryption, and continued support for remote and local device wipe.

Old habits die hard, so what I want to know is will the old exploits still work (scroll down for descriptions). Or is this a new code base? Sadly, I doubt it. However, besides that, features I do like are remote lock and remote wipe and also built in encryption (bitlocker/EFS technology?) So good on Microsoft for that. Innovate features, too. I guess you could say its Microsoft way of putting consumers back into control of their PC’s (I just love this video!)

Powered by Gregarious (41)

Trend Micro has discovered a nice little flaw in Windows Mobile which affects Windows Mobile 5.0 and PPC which is reported on their Blog. It temporarily bricks the device for up to 15 minutes when it tries to process a malformed jpeg (nice). They simultaneously reported another vulnerability which relates to IE which when executed makes the device unstable.

I personally am interested in finding out more information about the latter. What does this mean? Is it permanently or temporarily unstable?

Powered by Gregarious (41)