http://www.nwfusion.com/news/2003/1124comdex.html

By John Cox and Denise Dubie
Network World, 11/24/03

LAS VEGAS - Traversing the carpeted walkways of the Las Vegas Convention Center last week, Caleb Sima looked like many other programmers at Comdex: young, lean, laid-back and with a taste for earth tones. What was less apparent is that he also has a penchant for uncovering new security threats.

"I dabble in cell phone security for fun," said the CTO and co-founder of Spi Dynamics, an Atlanta company that makes software for uncovering vulnerabilities in Web applications. Sima spoke on a panel about the growing handheld security threat, a hot topic at a conference where dozens of mobile network products were on display.

What Sima said he has learned dabbling with cell phone security is that no one - not software developers, carriers, corporate network executives and certainly not end users - appears to have looked seriously at this issue. This, despite the fact that millions of cell phones are now in the hands of corporate employees.

Sima recently began playing with Short Message Service (SMS) as a way to launch a denial-of-service attack against cell phone users, using his own phone and those of co-workers. "I can send 1,000 SMS messages to your cell phone in the blink of an eye," he said. "And I can do it anonymously."

He created an SMS flood, as he terms it, that rendered his cell phone unable to make or take calls. After the experiment, he contacted his cellular carrier, T-Mobile, and asked if it could stop or block an SMS flood. He said the answer was "no." Rubbing salt into the wound was his subsequent discovery that T-Mobile charges the subscriber on the receiving end of the flood for every SMS message over a certain limit. Sima paid more than $30 for being attacked.

Two IT professionals from a big aerospace company sat glumly at the end of Sima's presentation. They heard him say, "People can attack your phones and PDAs very easily."

"It's alarming," says Fred Brooks, who heads an IT team supporting executives at the aerospace company, which he requested not be named. His end users have Research In Motion Blackberries, which sport an array of built-in security and data-protection features. But cell phones and smart phones are another matter.

"We forbid cell phones with cameras," Brooks says. "But how do you enforce that? We don't have the resources or the mandate to pat people down [and physically search them]."

That could be next, as network executives realize the scope and seriousness of the potential security problem.

"One of our enterprise customers stated the problem very clearly," says Dave Nagel, chairman and CEO of PalmSource, the recent Palm spinoff that has responsibility for the PalmOS operating system. "He said, 'I have a $250 device with $250 million worth of corporate data. How are you going to help us protect that?'

"A lot of the problems have to be solved in the network and in the device itself," Nagel says. The next release of PalmOS, due by year-end, will feature protected memory and support digitally signed applications. Among other things, protected memory can prevent malicious applications from accessing data or parts of the operating system, Nagel says. Digital signatures will make it easier to block malicious or untrusted applications from finding a home on the PalmOS device.

But security experts, and at least some users, are underwhelmed by what vendors and service providers are doing to solve the problem of device security. Most of that work falls to network, IT and security professionals.

Jody Patilla, information security manager at the J. Craig Venter Science Foundation in Rockland, Md., says she spent about six months building security policies into the organization. She still struggles to keep those policies enforced across wireless LANs (WLAN) and mobile clients. One problem is end users who consider themselves exempt from following security policies.
Patilla recommends getting human resources or upper management backing for wireless and mobile security.

The potential problems are daunting. Tom Goodwin, vice president of operations at Bluefire Security, spoke on the handheld security panel and ran through a litany of threats: theft and corruption of corporate data; unauthorized access; disruption of transactions to and from the handheld; loss of data; and malicious code passed to an enterprise network from the handheld.

If the device is stolen or lost, and unprotected, corporate e-mails and other data are exposed, Goodwin says. With handheld memory capacities on the rise, the amount of data lost could be substantial.

Worse, Goodwin says, your current tools, which are designed for wireline networks over which you have broad control of client PCs anchored to desks, don't work. "Conventional [security] techniques don't reach out to protect handheld devices," he says.

Goodwin cites the practice of businesspeople "beaming" their electronic business cards to each other, via infrared, Bluetooth or a peer-to-peer WLAN connection. "That data could have a Trojan horse," he says. "Then when you sync your handheld to your desktop PC, you introduce that Trojan horse to the corporate net."

He recommends in-depth security: policies that spell out the threat to users, and their responsibilities; and an analysis of what corporate data is on the handhelds or accessed by them, its sensitivity and how it's accessed. Then, make use of personal firewalls, create a solid anti-virus architecture, and run regular scans of the software versions and patches on the handhelds. Use VPNs for connections and file encryption on the device, he says.

Global Hauri, an anti-virus vendor, unveiled at Comdex its PalmOS and Microsoft Pocket PC versions of its ViRobot anti-virus scanner. Reviewers have lauded the notebook version for its easy-to-use interface and extremely fast scanning speed, plus its ability to restore infected files to their original condition. It is priced at $20. The company has a management application for enterprise users.

WLANs, PDAs, phones and other handhelds are the rails over which the next generation of complex and sophisticated viruses, worms and Trojan horses will run, says Larry Bridwell, program manager for content security programs with TruSecure, a provider of intelligent risk management products and services. "It's a dangerous world, and when you go into the jungle, you have to be prepared for it," he says.

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Fri Nov 28 2003 - 03:54:39 PST