February 18, 2005, CNET News.com: A version of the Cabir virus has turned up in two Nokia 6600s on display in a California cell phone store, in what is believed to be the first "on-the-ground" sighting of the virus in the United States.
In a month filled with front-page stories about breached databases and purloined Social Security numbers, the news item above went unnoticed by most. But experts in the U.S. computer-security industry paid attention—and were alarmed. Created as a test by a Spanish computer researcher, the Cabir virus was designed to infect, via Bluetooth, other smart phones only in close proximity to the original infection. Consequently, many experts doubted that the virus would even reach these shores.
But this new strain was different. Upon reboot, the infected Nokias sought out and contaminated all the compatible phones within range. Thus, users of infected cell phones spread the virus as they moved through airports in large cities. "It was like a digital version of SARS," says Vincent Weafer, senior director of Symantec Security Response, an information-security and threat-intelligence company based in Cupertino, California.
While the initial damage from the original Cabir virus was minor (it drained the batteries of infected phones), a later virus family called Skulls, which carries Cabir, destroyed some files on infected phones. Ominously, some security experts see this viral outbreak as the opening salvo in a new assault on corporate networks. In the past few years, businesses have gotten reasonably good at defending their networks from traditional E-mail attacks. But hackers may be moving to a mobile battleground—of cell phones, smart phones, personal digital assistants (PDAs), and other portable devices.
Last year, 15 percent of surveyed companies in the United States reported cases of abuse of their wireless networks. To date, more than 9 million people in this country have reported receiving unsolicited commercial text messages on their cell phones. This first wave of wireless intrusions has been relatively benign; viruses have typically been of the harmless, smiley-face variety that PC users first encountered years ago.
But in Japan and Europe, where smart phones are widely used, wireless-borne viruses have gone on the attack. Security vendors have reported cell-phone-launched denial-of-service attacks, "phishing" (tricking consumers into revealing personal information by routing them to a fake Website designed to look like the home page of a reputable company), and browser redirections. "These wireless devices often contain [corporate] passwords and user IDs," notes Weafer. "The attackers are already getting interested."
Policy Gap
Meanwhile, consumers are getting nervous, thanks to recent data thefts at companies like ChoicePoint and Lexis-Nexis (see "Take My Life, Please," at the end of this story). Experts say people will be less likely to conduct business with a company over cell phones or PDAs if they're worried about the security of such transactions. And there is good reason to worry. Symantec, for one, has already identified more than 22 strains of malware (malicious software) designed to attack mobile devices.
That number is bound to go up. The reality is, wireless technology is miles ahead of security for wireless technology. And despite the availability of IT policy management software such as Desktop Armor and BlueFire Mobile Security, scores of businesses simply have not caught up with the mobile devices that many workers now use on a daily basis.
A recent survey of nearly 1,000 businesses conducted by the Association for Information and Image Management (AIIM) and Kahn Consulting (see chart at the end of this story) underscores the point. According to the poll, 81 percent of respondents reported that employees use wireless handheld devices for business purposes. Less than half of those businesses, however, have company policies governing the usage of wireless handhelds.
Compounding the problem: traditional cybersecurity models may not be a good fit with mobile communications. Most corporate security strategies have grown out of government and military practices, notes Mark Lindig, national partner in charge of information risk management at audit, tax, and advisory firm KPMG LLP. "But [the military is] a command-and-control environment," says Lindig. "Companies are a project or collaborative environment."
Hence, restricting employee use of collaborative technologies like Blackberries or instant messaging (IM) could backfire. Sharon Finney, information security administrator at Dekalb Medical Center in Decatur, Georgia, says the hospital does have some policies restricting the use of mobile devices and the Internet. But she also points out that ham-fisted security policies could make it more difficult to compete in the Information Age. "We want people to use technology," she stresses. Dekalb's solution? "Sometimes we've told employees to not use a technology until we've examined the business need for it," says Finney.

