mobile security

news, reviews and goings-on in the world of mobile security

Goodbye 2006, Hello 2007. What’s in store for us in the coming year?

Filed under: Identity Security, lost+found — webmaster at 11:22 am on Thursday, December 14, 2006

I took the time to read McAfee Avert Labs’ top ten security threats for 2007. The section on mobile security caught my eye:

More mobile attacks

Mobile threats will continue to grow as platform convergence continues. The use of smartphone technology has played a pivotal role in the threat’s transition from multifunction, semi-stationary PCs to palm-sized “wearable” devices. With increased connectivity through BlueTooth, SMS, instant messaging, email, WiFi, USB, audio, video and Web, there are more possibilities for cross device contamination.

2006 saw efforts by mobile malware authors to achieve PC-to-phone and phone-to-PC infection vectors. The PC-to-phone vector was achieved with the creation of MSIL/Xrove.A, a .NET malware that can infect a smartphone via ActiveSync. Existing phone-to-PC vectors remain primitive in nature at this time, such as infecting via removable memory cards. However, McAfee expects that this next stage will be achieved in 2007.

SMiShing, which involves taking the techniques of phishing by email and porting them to SMS (SMiShing instead of phishing), is also expected to increase in prevalence. In August 2006, McAfee Avert Labs received its first sample of a SMiShing attack with VBS/Eliles, a mass mailing worm that also sends short message service (SMS) messages to mobile phones. By the end of September 2006, four variants of the worm had been discovered.

In addition, for-profit mobile malware is expected to increase in 2007. While most of the malware Avert Labs has run across includes relatively simple Trojan horses, the outlook has changed with the J2ME/Redbrowser Trojan. J2ME/Redbrowser is a Trojan horse program that pretends to access Wireless Access Protocol (WAP) web pages via SMS messages. In reality, instead of retrieving WAP pages, it sends SMS messages to Premium Rate numbers, thus costing the user more than intended. A second J2ME, Wesber, appearing in late 2006, also sends out messages to a premium SMS number.

Late 2006 saw a flurry of spy-ware offerings in the mobile world. Most are designed to monitor phone-numbers and SMS call-logs, or to steal SMS messages by forwarding copies to another phone. One spyware in particular, SymbOS/Flexispy.B, is able to remotely activate the microphone of the victim’s device, allowing someone to eavesdrop upon that person. Other spyware can activate the camera. McAfee expects the offerings of commercial spyware targeting mobile devices to grow in 2007.

It is easy for such reports to over-simplify and tar all mobile devices with the same brush. The same statement written for the PC world wouldn’t fly.

In the PC world we have Linux, Windows, BSD or OS X * just as in the mobile world we have various S60 incarnations, Windows Mobile/Pocket PC and a whole host of other proprietary mobile OS’s - all of which are very different beasts.

Analysts in other leading companies said this exact same thing last year, perhaps with the exception of IBM who pointed out:

However, other much-hyped security trends are unlikely to break out in 2006, including attacks on VOIP (voice-over-IP) systems and on mobile devices

Whilst I agree with some of what is written, I would like to emphasise that some mobile OS’s are more vulnerable than others. And layer 8 will probably continue to be the most effective attack vector - as is the case on the PC side.

* Well, sort of


Mobile data and importance of disk encryption

Filed under: Identity Security — webmaster at 9:10 am on Friday, November 24, 2006

It seems almost every day new articles appear on news websites relating to the theft or loss of laptops. This week, the UK-based Nationwide building society will mail all of their 11m (yes, ELEVEN MILLION) customers to inform them of a laptop which was stolen in August. That it has taken Nationwide 3 months to mention this hiccup will only serve to further exacerbate customer anger. Trying to cover things up in this way will cost them more dearly than if they were just open and honest in the first place.
Other details Nationwide refuse to disclose include:

  • what customer information was on the laptop
  • where the laptop was stolen from
  • how many customer details were on the laptop
  • why so much sensitive data was there in the 1st place
  • if any encryption was used on the laptop

All in all, this amounts to a hugely embarrassing situation for Nationwide. Looking at the big picture, it seems they first tried to sweep the incident under the carpet and that has just made matters worse. Furthermore, failing to answer basic questions about the event and how secure the laptop was will surely make matters worse.

Who does incident handling and damage control at Nationwide?

If they have anyone, they don’t appear to be doing a very good job of it. The only useful piece of information that they have disclosed is:

the information did not include any PINs, passwords, account balance information or memorable data.

They go on to say:

since the loss of the laptop we have taken steps to improve our security measures further and provide additional protection to our customers

Could this be a case of shutting the stable door after the horse has bolted? I certainly think so.

The main customer concern here seems to be one of Identity Theft. In the UK, a criminal needs very little information in order to impersonate you. Your name, age, sex and address are all they need in order to start impersonating you. For more information about protecting your identity, see the UK Home Office’s Identity Theft website.

If you wish to read on about other laptops that have been stolen this week, the BBC is reporting another interesting theft of some laptops from some offices used by LogicaCMG that contain payroll information for 50% of the workforce of London’s Metropolitan Police.


SMiShing - SMS Phishing

Filed under: Identity Security — webmaster at 5:30 pm on Wednesday, November 15, 2006

Last week Fox News ran an interesting story on what would appear to be a growing problem - phishing over SMS, or SMiShing. Scammers are sending large volumes of SMS messages and telling users to perform actions similar to those seen in traditional phishing scams.

So far, malicious SMS’s have been seen to:

  • have a URL embedded within the message instructing the user to invoke that link with the phone web browser
  • instruct the user to divulge sensitive information
  • tell the user to download and install software to their phone that will compromise information on that device

Again, as in the traditional forms of phishing, this technique relies heavily on fraudsters masquerading as legitimate entities or using some form of deception.

Fox News story available on Google Video from here
