Predators

Today, just about every individual walks around with a smartphone, instead of

a mobile phone, thanks to the declining prices of these devices. The good thing

here is that though their prices are declining, the number of features they

offer is increasing. So, pretty much every smartphone today let's you browse the

Internet, download emails, manage calendars, and install applications. It's like

having a micro-PC in your pocket. The exponential growth in the number of

smartphones has also resulted in a rise in the number of App Stores that provide

applications for them, a trend that was started by Apple a few years ago. So

just about every smartphone vendor worth his name today, and even service

providers like Airtel, Vodafone, etc have setup and are promoting their own App

Stores, hosting apps that run into hundred thousands of numbers.

Where is all this activity heading? On one side, these devices are becoming

handy business tools, because your employees can now be productive from

anywhere. That's a boon for organizations, which is why we're seeing so many

mobile field force apps being deployed, and so many enterprise software vendors

porting their apps to mobile devices, and so on.

But there's a downside to it as well, and a pretty dangerous one at

that-security threats. As more applications are ported to smartphones, the

number of vulnerabilities on them will also increase. There have been many proof

of concept viruses (like the first one, Cabir) developed to proove that security

threats on mobile devices are definitely real, and will become a menace in the

coming years. Let's take a real life example of the most successful enterprise

mobile success story of them all-the Blackberry. Most enterprises today, hand

out Blackberries to at least key people in their organization. If you visit the

Blackberry website, you'll find an entire section devoted to Blackberry

security, which is regularly updated with the latest vulnerabilities found on

the Blackberry platform.

For instance, one threat we found on the site was a vulnerability in the PDF

distiller of the Blackberry Attachment Service for the Blackberry Enterprise

Server. Using this vulnerability, someone could send out an email with a

specially crafted PDF as an attachment to a Blackberry device owner. When

opened, this file could do things like cause memory corruption, do arbitrary

code execution in the Blackberry Attachment Service component of the BES, etc.

Similarly, there's a host of other vulnerabilities listed on the website. With

declining prices of the Blackberry service, more users will own them, and your

security related tasks will just multiply.

So it's no longer about kiddy stuff like a malicious person on the prowl for

mobile devices with Bluetooth enabled so that a malicious program could be

uploaded to them. It's no longer about malware that causes no harm, but is only

a nuisance. All that is certainly going to remain, but things will become much

more serious than that. After all, why should a malicious person bother about

finding such weak channels to get into the devices, when the devices themselves

can connect to the Internet and to a corporate network? It becomes easier to

penetrate these devices via these two channels.

And you can imagine what happens when 3G sets in. There will be a sharp

increase in the number of mobile applications. Users would then start storing

even more sensitive information on their devices, due to which, they'll become

even more vulnerable to attack.

So the time to act on mobile security is now. Find out what kinds of mobile

predators await you, and identify the kinds of solutions that can be used to

protect you against them. Our story focuses on these two aspects.

Mobile predators and the damage they cause



It's human nature to take measures only after a crisis or emergency occurs.

For instance, how many people back-up data from their systems? Mostly nobody,

except when a catastrophe happens and they loose their precious data. Similarly,

people believe that mobile security threats are not real, and are unlikely to do

something about it until a catastrophe occurs. Maybe it won't happen in the near

future, because currently the amount of malware available for mobile phones

isn't as high as that for the regular desktop OSs. But, maybe it will, because

cellphones are increasingly competing with PCs in terms of functionality they

provide, which is why they're called smartphones. As they start becoming as

powerful as computers, they'll also become vulnerable to threats.

Without understanding the different types of mobile security threats you can

face, and how they spread, it would be impossible to identify the right

solutions to protect against them. A mobile device is like a micro-PC. It has

its own OS, memory, display, various ports to connect to external devices,

network connectivity, etc. So you can install different types of applications on

it, connect it to the Internet, network, etc. Due to this similarity, the

security threats on mobile devices would be no different from those found on

PCs-viruses, trojans, key loggers, and other types of malware.

Viruses and Trojans don't need an introduction. Just as they cause damage on

PCs, they can do the same on mobiles as well. On one side, they could do

annoying things like drain out your phone's battery fast, disable certain

functions, rename or change certain icons making it difficult for you to find

information or operate the device. They could get slightly uglier and also

damage your phone's memory and other controls, rendering the device completely

useless, or even delete important business information.

Viruses and Trojans could become worse, and do more serious damage, like

steal important information such as your bank account details if you use mobile

banking (explained later) and cause monetary loss, do false billing, spread

themselves to other devices, and so on. Further still, they could even mis-use

your identity.

Security Measures for Your Smartphone

For providing end-to-end mobile security solution, the security measures can be deployed at multiple points. Different solutions would be required at these points. Source: iPolicy Networks The end device should be able to synchronize the security policies with the centralized security server for the latest policies. Mobile Core Network: The security solution for the Mobile Core Network must be GTP (GPRS Tunneling Protocol) aware & must be a high-performance security solution capable of serving the bandwidth requirements of GPRS & UMTS mobile network traffic. Typically a carrier grade appliance like the one based on Advanced Telecommunications Computing Architecture (ATCA) specifications would be required.The latency for processing should be very low and the appliance should be able to manage a high number of concurrent sessions. The solution should also meet High Availability (HA) and Fault Tolerance requirements. The security functionality that should be available on the solution are: Firewall — GTP Stateful Inspection, GSN Tunnel/Rate Limiting etc, IDS/IPS for Attacks Detection/Prevention, Content and URL Filtering for filtering undesired sites for e.g. sites hosting malwares, Anti-Spam on SMS/MMS/e-mail, Anti-Virus on file download/upload, mail attachments, QoS for Bandwidth Management, etc. Enterprise Security Solution: At the enterprise,a lower-end security appliance can be deployed. Some of the security functionalities required at this level are: FW, IPS, Anti Virus, Anti Spam, Internet Filterin, Mobile Workforce Data Protection (Contacts/Messages/Data backup to a centralized secure server with authentication mechanism for recovery of the data), Centralized Policy Server for transparently applying the security policies and data protection on the device, Mobile IPSec/SSL VPN, Secured Wi-Fi. End Device: The security solution for the End Device i.e. mobile phone should cater to the following security functionalities: Personal Firewall, Personal Intrusion Prevention, Application Security — Anti-Virus, Anti-Spyware, etc. URL Filtering — Parental Control, VPN Client, Data Leak Prevention, Secured Backup/Recovery among others. Sandeep Gupta, CTO, iPolicy Networks, TechMahindra

Next come mobile keyloggers. These programs would log every key you press on

the smartphone, every message you send out or receive, and scan all data within

the mobile banking or trading software that you might be using.Then, there would

be security threats like spying tools that are specific to the mobile phone

function of these devices. PhoneSnoop for instance, is a tool that can remotely

turn on the microphone of your smartphone so that somebody else can listen in on

the conversation. Similarly, there would be other tools that can intercept

communication, turn on phones, etc.

Finally, the most common predators of all are people who physical steal your

smartphone.  Most of the times, the only aim for these people to steal is to

earn a few easy bucks by selling them to somebody else. That's the least bit of

damage you can expect, but it could get worse, if somebody steals it for

malicious intent. Since there's no way to find out the thief's intentions, it's

better that you're prepared for such a calamity as a user, and as a CIO who has

to protect all the data on those smartphones. What do you do to secure the

confidential data in your phone after losing it in the back of a cab? There are

solutions like CompuTrace Mobile that can remotely delete valuable information

from your device.

How mobile predators attack



If you think your smartphone is safe from security threats, then think

again. It might be safe now, but as you start using it more aggressively beyond

a basic phone, by installing different types of applications on it, you're bound

to face the security threats. And when 3G sets in, besides the higher bandwidth,

you'll also get 'other guests' coming in!

The regular channels of attack are of course SMS and Bluetooth. You use SMS

to send out important information to your clients, or send SMS queries to your

ERP system to find out the prices of your latest product. Plus, you send out

SMSs to participate in contests, and of course to friends.

SMS based ads have become a menace. Everyday, there's an ad about a new

property for sale, or about a company offering cheap website hosting, etc. SMS

is also used to receive news from various channels. Somebody could easily send

you a link via SMS, which takes you to a malicious website. Bluetooth is one of

the oldest way spreading malware, so it would suffice to say that you might

transfer a program from somebody, which contains a Trojan or a worm.

Email is becoming the other common way of spreading malware on mobiles. You

download emails to your smartphone, just as you do to your desktop or laptop.

The only difference is that these emails could contain vulnerabilities specific

to your mobile phone, just like the Blackberry PDF vulnerability that we talked

about earlier in this story.

Finally, as web browsing becomes more popular on smartphones, the world of

malware will just open up. The browsing could happen over 3G when you're on the

move, or over WiFi when you're in office.

Memory cards



One typical issue that 'on the go' employees face is transfer of worms and

other malware through memory cards from infected mobile devices. This leads to

further infection of corporate resources. Also, data piracy resulting from the

stolen and misplaced phone can compromise corporate network.

Enterprise apps like mobile banking



Mobile banking in the US is pretty hot, with most of the banks offering this

facility to their customers. Several banks in India, like ICICI are also

offering mobile banking. As more users start using their cellphones and

smartphones for mobile banking, security threats are likely to follow. So if

your smartphone gets stolen, you loose more than just your contact information,

especially if you have your mobile banking software installed on it, and access

it over GPRS.

Through a harmless game



You might for instance have found a good game on the Internet and install it

on your smartphone.  Without your knowledge, the game also installs a Trojan in

the background, turning your smartphone into a gateway for sending out

information without your knowledge. A company called Storm8 had developed free

games that collected users' mobile numbers. It is said that this was not done

with malicious intent, but there can certainly be others that would take

advantage of the opportunity.

Securing your smartphone from attacks



As the very first step, you should register for the Do not disturb (DND)

service from the service provider of your phone.  It's a different matter of

course that even after registering, some SMS based spam is likely to creep

through but at least you'll have some protection. So, the next step is to just

be careful about links you might get on your SMS.

Encrypt data on your phone, so that even if it gets stolen, you don't have to

worry about your information being mis-used. The Blackberry service for

instance, allows strong encryption of the data residing on the device.

Configure your mobile device so that it asks for a password every time you

access your email or a VPN. Then of course, you should back up your mobile data

frequently.

What if your mobile gets stolen? There are services like Lookout Mobile

Security, which can back up your data and remotely wipe out the same if it gets

stolen. F-Secure Mobile Security 6 has the Premium Anti-theft with Locator

feature, which can help you locate the phone on a map. With its anti-theft

feature, you can also lock or erase data remotely.

Smartphones are one arena that changes every year. IT administrators are due

to see more and more of these powerful devices on their networks in the future.

It's important to gain visibility into which devices are connecting into the

network and manage the devices with policies designed to protect the same. You

should have policies that require smartphones that access your network be

protected by password or biometrics. Monitoring which devices are connected to

your corporate network, when they are connected, etc are of equal importance. IT

managers should be able to generate a complete inventory of all

enterprise-connected devices to ensure they are compliant with IT policy. Again,

given the host of mobile platforms available today, like BlackBerry, Windows

Mobile, iPhone, Symbian, and Android, single platform strategies will not help

you keep pace with the innovation. There are solutions like MobileIron Virtual

Smartphone Platform that help enterprises with smartphone management. These

provide visibility into what's on a smartphone and how it's being used, thus

enabling both IT admin and users secure data without compromising privacy. The

Virtual Smartphone Platform is packaged as an easy-to-install appliance that

plugs into your corporate network.

Types of mobile security solutions



Anti-Virus: With smartphones increasingly being adopted, given the slew of

functionalities in them including emailing, anti virus prove to be critical to

do away with any Web based attacks.

Encryption: Encryption based solutions are essentially targeted at and

useful for the enterprise users. This type of solutions help employees secure

their data by avoiding third-party access to the same.

Firewall: The solutions providers have upgraded their anti virus

modules to include firewalls for the smartphones. These firewalls, just like the

ones for normal computers provide the first level of security by pro-actively

stopping attacks from unwanted sources. The firewall concept is all the more

important for smartphones as your active Bluetooth connection or an active Wi-Fi

network can be a source for a mobile hack attack which basically compromises

your data safety.

Remote Data Recovery: What worries you most when you lose your mobile

phone? It is essentially the data that resides within and not the device. Remote

data deletion helps you wipe out your sensitive information in your mobile

remotely.

Enable content protection: Smartphones store a whole lot of important

information, so it's important that you protect it. In Blackberry devices for

instance, you can easily enable content protection and all the information would

lie in encrypted form in the device. This way, if anybody tries to pull out the

data using a USB port, they won't get anything out of it. There is also software

available to prevent the download and installation of unauthorized software on

smartphones.

What to look for in mobile security solution



To decide which mobile security solution is right for you, keep in mind how

much protection you need and which software program your device will support.

Some of the factors to keep in mind while deciding your security solution are:

Protection:  The best security solution is the one that provides

maximum level of protection. Its look and usability should ideally take a back

seat for a security product. A typical mobile security solution will incorporate

anti virus, anti-spam, and firewall security with real time protection.

Features: Most security solutions provide additional

features apart from the regular ones like anti virus, etc. But these invariably

come at a price premium or sometimes at the cost of taking over the performance

of your device by unnecessary usage of resources. Thus it is important to match

solution with your needs before you buy one.

Installation and Ease of Use: The ease of usage is a

major criteria in deciding the security product. For mobiles, the preference

gets magnified as the device has lesser resources at hand. The product should be

one that is easy to install, operate and easy to understand which helps in

optimizing the use of resources and freeing them up as soon as possible.

Updates: Threats keep updating and multiplying with

the passage of time. Software which helps protect from these threats is only as

effective if it is kept updated. Thus it is important that the security solution

be updated regularly. The software vendors do keep providing updates but these

should be easily accessible, which forms the basis for complete protection from

latest threats.

Technical Support: Ideally, the solution should not

require much support or documentation. But, it helps if the vendor provides

technical support in a variety of accessible formats. This may be important if

the user faces any glitches in his handling the product. The idea is to minimize

the downtime of the security layer as even a small time frame is sufficient

enough for a dedicated attack at your precious security.

Costs: Since data security is of prime concern for

any individual or an enterprise, the cost of the security solution may not be an

issue.  This is because the costs associated with losing data may be much higher

than the cost of buying and deploying a solution.  However, with  multiple

options available in the market today with varying prices,  the cost of the

solution can also be kept in mind while opting for a solution.