mCrime Higher on Hackers’ Radar

Monday, August 30, 2010

Robert Siciliano


This year’s Defcon convention of hackers in August brought to light a fact that many in the security industry have known: mobile phones are becoming a bigger target for criminals.

Recent news of applications on the iPhone and Android that are vulnerable to attack and possibly designed to send your data offshore have reinforced the security concerns for mobiles.

It is inevitable that over the next few years as millions of smartphones replace handhelds and billions of applications are downloaded, risks of mobile crime (mCrime) will rise. As we speak, the large antivirus companies are snapping up smaller mobile phone security companies in anticipation of a deluge of mobile attacks.

Right now, however, the path of least resistance continues to be the data-rich computer that sits in your home or office, or maybe your mortgage broker’s office. Unprotected PCs with outdated operating systems, unsecured wireless connections, antivirus software that hasn’t been updated, and reckless user behavior will continue to provide a goldmine for criminals.

The problems with computer security will continue as Microsoft abandons XP users and stops offering security updates. But as more and more users shed Windows XP and upgrade to Windows 7 and beyond, mobiles will become attractive targets.

In the meantime, protect your mobile phone.

The Blackberry is the most “natively” secure. It’s been vetted by corporations the world over to protect company data.

Enable your password. Under “General Settings,” set your password to “On” and select a secure password. You may also want to limit the number of password attempts.

Encrypt your data. Under “Content Protection,” enable encryption. Then, under “Strength,” select either “stronger” or “strongest.” When visiting password-protected Internet sites, do not save your passwords to the browser. Anyone who finds your phone and manages to unlock it will then have access to all of your account data and, ultimately, your identity.

The key to being a “safe” iPhone owner is to add apps that help secure your information. Enable the passcode lock and auto-lock. Go into your phone’s “General Settings” and set the four-digit passcode to something that you will remember but is not overtly significant to you.

That means no birth dates, anniversary dates, children’s ages, etc. Then go back into “General Settings” and set the auto-lock. And turn your Bluetooth off when you aren’t using it.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses mobile phone spyware on Good Morning America. (Disclosures)

Possibly Related Articles:
PDAs/Smart Phones
Wireless Attacks
Post Rating I Like this!
Ray Tan Blackberry has provided its encryption key to the security agency and ISP in some countries,such as India, China and so on.
If the encryption key is not kept properly, it can be used by malicious purpose, of course.
Shalom Cohen This is definitely a problem for blackberry.
India is one of those countries where money buys everything(including government personnel). This means it is only a matter of time until malicious will get this key or buy mail data for industrial espionage. BTW, what guaranty does BB users have that China or India will not use it to capture emails in other countries, they can easily perform man in the middle attack and capture mail from anywhere in the world.
Who knows what this info will be used for (beyond the obvious purpose)?
Fredrick Cote As a Network Admin and manager, it's a fine balance between providing connectivity for iPhones and Android devices, and keeping things secure. The important distinction here is that the two devices listed above are consumer-grade, no matter what a company officer or senior manager may think. These devices are not inherently designed to be used in enterprise environments, where the BlackBerry is made precisely for that purpose (which is why it's bombing as a consumer device, but that's another story).

In short, it shouldn't be a shiny new object that defines security policy. It should be risk tolerance and security policy that defines what device will be used in an enterprise network. And therein lies our challenge as security professionals, in educating the decision-makers and giving them the information they need, in writing, to understand the implications of using consumer equipment in a secured setting.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.