[ISN] Era of picking your own PDA draws to a close

From: InfoSec News (isnat_private)
Date: Wed Sep 19 2001 - 11:37:52 PDT

    http://www.theregister.co.uk/content/55/21732.html
    
    By John Leyden
    Posted: 18/09/2001 at 16:12 GMT
    
    Firms may soon mandate the use of particular handheld devices and
    mobile phones in order to establish some kind of control over security
    risks.
    
    That's the view of Symantec's director of wireless strategy, Jason
    Conyard, who is encouraging firms to develop security policies to
    combat mobile security threats such as hacking into wireless networks
    and next-generation malicious code.
    
    Conyard isn't suggesting a particular platform (Symbian, Palm OS,
    Pocket PC) for firms to use. He said standardising on the same device
    and configuration, to limit support costs and manage security
    exposure, is more important than which device a firm might pick.
    
    Symantec is under no illusions that implementing a mobile security
    policy will be easy.
    
    Users are used to choosing their own mobile device based on what they
    consider "cool and sexy" and a change in culture to use of uniform
    corporate issue kit is unlikely to go down well. Low adoption of
    current security standards (often "too complicated" according to
    Conyard) is another issue. Tools for managing the application and
    configuration of mobile devices are "very basic", Symantec admits,
    which hardly helps.
    
    Enterprises (or service providers) run the risk of running foul of the
    Data Protection Act if they don't exercise due care over customer data,
    which might be exposed by flaky wireless security, so Symantec is
    right that the issue can't be simply ignored.
    
    Wireless LANs can be secured by measures such as only allowing access
    over a VPN and restricting use to authorised devices but anecdotal
    evidence suggests 802.11b networks are often put up which are wide
    open to drive-by hacking.
    
    This is only the start of the problems that Symantec outlined in a
    threat timeline for us today. Threats we take as serious include DoS
    attacks on mobile networks in 2002, location based spam (late 2002)
    and hacking attacks on GPRS networks in 2003. Very nasty.
    
    We're far less convinced about the emergence of mobile viruses on
    next-generation phones, in part because the anti-virus vendors like Symantec
    have such a vested interest in hyping this one up.
    
    It remains unproven whether Symbian or even Stinger-based devices will
    be particularly susceptible to mobile viruses even as they become more
    common-place and therefore a more attractive target to s'kiddies. The
    basic PDA viruses we've seen so far have not convinced us that we'll
    see wireless worms along the lines of the Anna Kournikova virus by
    2003, as Symantec suggests.
    
    If mobile phones ever come with Word macros or potentially infectious
    mobile attachments things will change but, for now, the threat remains
    unproven.
    