New Holes for Hackers

Are businesses prepared for the digital demons about to be unleashed by smart phones and PDAs?
John Goff, May 4, 2005

February 18, 2005, CNET: A version of the Cabir virus has turned up in two Nokia 6600s on display in a California cell phone store, in what is believed to be the first “on-the-ground” sighting of the virus in the United States.

In a month filled with front-page stories about breached databases and purloined Social Security numbers, the news item above went unnoticed by most. But experts in the U.S. computer-security industry paid attention—and were alarmed. Created as a test by a Spanish computer researcher, the Cabir virus was designed to infect, via Bluetooth, other smart phones only in close proximity to the original infection. Consequently, many experts doubted that the virus would even reach these shores.

But this new strain was different. Upon reboot, the infected Nokias sought out and contaminated all the compatible phones within range. Thus, users of infected cell phones spread the virus as they moved through airports in large cities. “It was like a digital version of SARS,” says Vincent Weafer, senior director of Symantec Security Response, an information-security and threat-intelligence company based in Cupertino, California.

While the initial damage from the original Cabir virus was minor (it drained the batteries of infected phones by keeping the Bluetooth radio busy scanning for targets), a later Trojan family called Skulls, some variants of which also drop Cabir, went further, replacing the phones’ built-in applications with nonfunctional copies. Ominously, some security experts see this viral outbreak as the opening salvo in a new assault on corporate networks. In the past few years, businesses have gotten reasonably good at defending their networks from traditional E-mail attacks. But hackers may be moving to a mobile battleground—of cell phones, smart phones, personal digital assistants (PDAs), and other portable devices.

Last year, 15 percent of surveyed companies in the United States reported cases of abuse of their wireless networks. To date, more than 9 million people in this country have reported receiving unsolicited commercial text messages on their cell phones. This first wave of wireless intrusions has been relatively benign; viruses have typically been of the harmless, smiley-face variety that PC users first encountered years ago.

But in Japan and Europe, where smart phones are widely used, wireless-borne viruses have gone on the attack. Security vendors have reported cell-phone-launched denial-of-service attacks, “phishing” (tricking consumers into revealing personal information by routing them to a fake Website designed to look like the home page of a reputable company), and browser redirections. “These wireless devices often contain [corporate] passwords and user IDs,” notes Weafer. “The attackers are already getting interested.”

Policy Gap

Meanwhile, consumers are getting nervous, thanks to recent data thefts at companies like ChoicePoint and Lexis-Nexis (see “Take My Life, Please,” at the end of this story). Experts say people will be less likely to conduct business with a company over cell phones or PDAs if they’re worried about the security of such transactions. And there is good reason to worry. Symantec, for one, has already identified more than 22 strains of malware (malicious software) designed to attack mobile devices.

That number is bound to go up. The reality is, wireless technology is miles ahead of security for wireless technology. And despite the availability of IT policy management software such as Desktop Armor and BlueFire Mobile Security, scores of businesses simply have not caught up with the mobile devices that many workers now use on a daily basis.

A recent survey of nearly 1,000 businesses conducted by the Association for Information and Image Management (AIIM) and Kahn Consulting (see chart at the end of this story) underscores the point. According to the poll, 81 percent of respondents reported that employees use wireless handheld devices for business purposes. Fewer than half of those businesses, however, have company policies governing the usage of wireless handhelds.

Compounding the problem: traditional cybersecurity models may not be a good fit with mobile communications. Most corporate security strategies have grown out of government and military practices, notes Mark Lindig, national partner in charge of information risk management at audit, tax, and advisory firm KPMG LLP. “But [the military is] a command-and-control environment,” says Lindig. “Companies are a project or collaborative environment.”

Hence, restricting employee use of collaborative technologies like Blackberries or instant messaging (IM) could backfire. Sharon Finney, information security administrator at Dekalb Medical Center in Decatur, Georgia, says the hospital does have some policies restricting the use of mobile devices and the Internet. But she also points out that ham-fisted security policies could make it more difficult to compete in the Information Age. “We want people to use technology,” she stresses. Dekalb’s solution? “Sometimes we’ve told employees to not use a technology until we’ve examined the business need for it,” says Finney.

For most large companies, the business need for cell phones and PDAs is well established. And therein lies the dilemma. “As business processes are extended,” asks Lindig, “how do you defend a company beyond its four walls?”

That Syncing Feeling

Some security consultants argue that the abundance of cell phone/smart phone platforms will discourage hackers, who generally target the largest possible audience. Others, however, are not so sanguine. They point out that consolidation in the wireless telecommunications industry will likely lead to fewer mobile platforms. (Currently, Symbian is the leading operating system for mobile devices, with Microsoft-based operating platforms second.) That, in turn, will make mobile phones a more inviting target for hackers.

“You will absolutely see spyware and adware on cell phones,” predicts Rick Carlson, president of Orlando-based security vendor Aluria Software. “They offer the same possibility for stealing personal information.”

Some corporate managers agree with that assessment. Bill Maguire, CIO of San Jose, California-based Aspect Communications Corp., began reexamining the call-center software specialist’s network security in January 2004. Maguire says it turned out that Aspect’s servers and desktop computers were well protected against traditional attacks launched against the company’s Microsoft products, the target of choice for most hackers. “But a cell phone opens a whole new realm,” Maguire concedes. “There are not a lot of security solutions yet for that device.”

To keep intruders out, Maguire has been speaking to representatives of Aspect’s cell phone providers, including MCI, AT&T, and Verizon. Mostly, he’s been trying to assess what the carriers are doing to filter out potential pathogens. Even that may not be enough, he grants. “Hackers are getting increasingly creative, and now they’re going after telecom networks. The scary part is, where can they go if they get in?”

Text-messaging devices and handhelds raise similar concerns. Some companies that deploy Bluetooth-enabled Blackberries have chosen to turn off the devices’ “discoverable” mode, which makes a handheld visible to, and answer inquiries from, any other Bluetooth device in range; it is that visibility, not any active searching by the handheld, that lets a worm like Cabir find its next target. (Turning discoverability off is a sensible default, but it hides the device only from scans: a device that already knows the handheld’s Bluetooth address can still attempt to connect, so unexpected pairing requests should still be refused.) Still, once an infected handheld returns to the office, the potential for trouble is clear. “You synchronize mobile devices with a PC,” notes Bob Johnson, CEO at SecureWave, a Luxembourg-based provider of endpoint threat-prevention software. “So if handhelds get enough standardization with their [operating system] like we have with Microsoft, it will pose a problem.”

Flying Blind

The many and varied headaches involving notebook computers provide an inkling of what mobile devices may be in for. Network administrators have long warned of the security risks posed by portable PCs, even as employees enthusiastically embraced the concept of mobile computing.

In recent years, however, some of that enthusiasm has been dampened by stolen machines, pilfered files, and corrupted executable files. Take the case of TEC International, a corporate executive mentoring network based in San Diego. Jonathan Anderson, the security and privacy manager at TEC, says the company has invested $750,000 in computer security in the past three years, including antivirus programs and several firewalls.

Nevertheless, the company’s employees, who mostly use laptops, recently ran into trouble. Anderson says workers often take their portables home at night, using them to visit different Websites. Not surprisingly, several notebooks started showing up at TEC filled with spyware. While the company’s network antivirus software detected the bad code, it took time for IT staffers to restore the notebooks to their original condition. (Spyware slows a computer’s performance and can substantially drain network resources; more to the point, it can log keystrokes and harvest stored credentials.)

“We could have put $10 million in [computer] security into the building and we might have still had a problem,” says Anderson. “You put a lot of effort into securing the perimeter, but you need to secure the endpoint, too.”

That message is becoming painfully clear as employees come to rely on instant messaging, which is often sent via cell phone or notebook. Maguire says that IM is very popular at Aspect—all the way up to the CEO. Indeed, about half the corporations in the AIIM/Kahn survey indicated workers now use IM for business. That number doesn’t include employees who use IM at work for personal messages (which is to say, 99 percent of workers under 30). But barely 28 percent of the respondents in the survey said they have company policies for IM. Says AIIM president John Mancini, “Most businesses are flying blind on IM.”

This lack of vision can lead to all sorts of problems. For starters, workers tend to see IM as a free flow of information, akin to a phone conversation. But in reality, IM is more like E-mail. Hence, IM that goes out over public networks or open air needs to be encrypted. And all IM should be archived. Without archiving, searching for past instant messages can quickly turn into a maddening experience. Says KPMG’s Lindig, “IM is really onerous in a subpoena environment.”

Moreover, malware has already started showing up in IM. Websense Security Labs reported a 300 percent increase last quarter (over the previous quarter) in the number of attacks using IM and malicious Websites. In time, phishing will spread. Even now, users can send Webcam shots and JPEG files through IM, points out Tim Derstine, director of business development at security vendor Centurion Technologies Inc. in St. Louis. That, he predicts, “will open the door for spyware.”

USB Ports of Call

Code writers are already exploiting vulnerabilities in applications that process files like JPEGs and MP3s. In fact, many security experts say they’re worried about the ever-expanding roster of consumer handhelds that are showing up in places of work. “If there’s a machine, there’s going to be malicious code targeting it,” warns Mark Rash, chief security counsel and senior vice president at Omaha-based managed services provider Solutionary Inc. and former head of the Department of Justice’s cybercrime unit.

That’s troubling, considering how many employees transfer personal files from MP3 players, iPods, and digital cameras to their work computers. Even more worrisome, this transfer of data goes both ways. The tremendous advances in miniaturization mean a single worker toting a couple of portable devices could swipe just about the entire contents of a network server. “We have people walking around with camera phones and iPods, and vendors are continuing to add functionality to those devices,” notes Finney of Dekalb Medical Center. “Right now, our security committee is having a very large discussion about these sorts of portable devices.”

Managers at hospital-staffing specialist Martin, Fletcher & Associates know the drill. The company retains 20 to 30 gigabytes of personal data on doctors and nurses, including résumés. Fabi Gower, vice president of information systems at Irving, Texas-based Martin, Fletcher, says the company had been able to lock down every device on workers’ computers (CD drives, floppy disks, and so on) except one: the USB port. “With USB devices becoming smaller and more powerful, it’s a real problem,” says Gower. “We can’t be having sensitive data like résumés walking out of here.”

In the spring of 2004, Martin, Fletcher deployed an application called Sanctuary, from SecureWave. The program, which runs invisibly on desktops, enabled the company to restrict or disable USB ports on individual computers. Not surprisingly, the action didn’t thrill workers, some of whom were simply looking to turn family photographs into desktop wallpaper.

“Employees were surprised that they couldn’t run their USB devices,” admits Gower. “It’s one thing to read the policy, but it’s another to get handcuffed and say you can’t use it.”

Some companies have gone a step further. SecureWave’s Johnson claims managers at one client were so spooked by the risks stemming from back-of-the-box theft that they poured epoxy into the slots that house the USB ports on all their desktop computers. Others have employed a variation on that theme, soldering the ports shut. “Ever since Microsoft launched Windows XP, it’s been plug and play for consumers,” Johnson says. “But for businesses, it’s been more like plug and pray.”
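The software equivalent of epoxy, as an added example for this section (not from the original article and not the Sanctuary product’s own mechanism): the two built-in Windows controls that a removable-storage policy tool typically automates. The registry paths are real Windows settings; the function names are this example’s own. The RemovableStorageDevices policy key exists only on Windows Vista and later, so on the Windows XP machines of the article’s era only the USBSTOR driver switch applies. Run it as an administrator.

```powershell
# Added example, not from the article or SecureWave: lock down USB mass
# storage with the controls Windows already has. Assumes Windows XP or
# later; the RemovableStorageDevices policy applies to Vista and later.

$UsbStor   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$RemPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Disable-UsbMassStorage {
    # Start = 4 (SERVICE_DISABLED) keeps the USB mass-storage driver from
    # loading: a thumb drive still enumerates, but never becomes a disk.
    # The Windows default is 3 (SERVICE_DEMAND_START).
    Set-ItemProperty -Path $UsbStor -Name Start -Value 4 -Type DWord

    # Vista and later: the value Group Policy writes for
    # "All Removable Storage classes: Deny all access". Unlike the driver
    # switch, this also covers camera phones and media players that mount
    # as portable devices rather than as disks.
    if (-not (Test-Path $RemPolicy)) {
        New-Item -Path $RemPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $RemPolicy -Name Deny_All -Value 1 -Type DWord
}

function Enable-UsbMassStorage {
    # Reverse both settings (for a machine that legitimately needs the port).
    Set-ItemProperty -Path $UsbStor -Name Start -Value 3 -Type DWord
    if (Test-Path $RemPolicy) {
        Remove-ItemProperty -Path $RemPolicy -Name Deny_All -ErrorAction SilentlyContinue
    }
}

function Test-UsbMassStoragePolicy {
    # Audit check: report both settings and whether the box is locked down.
    $start = (Get-ItemProperty -Path $UsbStor -Name Start).Start
    $deny  = 0
    if (Test-Path $RemPolicy) {
        $item = Get-ItemProperty -Path $RemPolicy -Name Deny_All -ErrorAction SilentlyContinue
        if ($item) { $deny = $item.Deny_All }
    }
    [pscustomobject]@{
        UsbStorStart = $start
        DenyAll      = $deny
        LockedDown   = ($start -eq 4 -and $deny -eq 1)
    }
}

Disable-UsbMassStorage
Test-UsbMassStoragePolicy
```

Two caveats a practitioner would want. First, the USBSTOR switch alone blocks only disk-class devices; a camera phone or iPod that presents itself as a portable media device is untouched, which is why the policy value matters on newer systems. Second, any user with local administrator rights can flip these values back, so they belong in Group Policy pushed from the domain, on machines whose users are not administrators, with the audit function run centrally to catch drift.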

John Goff is technology editor of CFO.

Take My Life, Please

In a recent ad campaign, Citibank has been dramatizing the perils of identity theft. The irony of the campaign—some would say chutzpah—is that financial-services companies are among the biggest sharers of consumers’ nonpublic personal information. According to research specialist Financial Insights, 6 of the top 15 U.S. banks sell information to unrelated third-party vendors. Moreover, most banks (and all of the top 15) require customers to opt out of data-sharing arrangements the banks have with affiliates. Experts warn that sharing of data with affiliates or unrelated third parties can leave customers’ sensitive personal information vulnerable to misuse or theft.

The recent fiasco at ChoicePoint Inc. illustrates the risk. In February, the information broker sold data to a sham business group that was actually fronting for a criminal syndicate. The files included the Social Security numbers (SSNs) of 145,000 people.

It remains to be seen if the ChoicePoint scandal will spur politicians to act. Consumer advocates have long argued that businesses should be required to get customers’ permission before sharing that information with others. But last year, Congress voted merely to require financial-services companies to provide an opt-out mechanism. Under that model, consumers must proactively request that their information not be resold.

In January, Sen. Dianne Feinstein (D-Calif.) introduced legislation that would make it tougher for companies to sell SSNs to unrelated third parties. Mark Rash, chief security counsel and senior vice president at managed services provider Solutionary Inc., thinks businesses should be required to treat consumer data as the asset of the consumer. “Customers need to create a property interest in their information,” he argues. “They should be charging royalties for lookups.”

In the meantime, it’s unclear if the opt-out method is any option at all. Critics say scores of companies bury opt-out notifications in long letters that look more like promos than pledges. In one recent incident, a new-car buyer was asked to sign a form that, according to the salesman, merely stated that the car company’s captive finance unit did not share nonpublic personal information. The hitch? The form said just the opposite. It also failed to mention anything about the consumer’s right to opt out of the very one-sided arrangement. —J.G.

Can We Talk?
Communications technology allowed for business purposes.

                                           2005 (%)   % change from 2003
Text messaging or E-mail enabled phones         63        +11
Laptop computers                                98         +2
Discussion forums, message boards, etc.         69          0
File transfer protocol                          69         -8
Newsgroups                                      50        -12

Put it in writing
Organizations with formal written policies on technology use.

                                           2005 (%)   % change from 2003
Text messaging or E-mail enabled phones         27        +29
Laptop computers                                68        +10
Discussion forums, message boards, etc.         83          +
File transfer protocol                          17          0
Newsgroups                                      50         -9

January 2005 survey of more than 1,000 organizations
Source: AIIM/Kahn Consulting