Proliferation of Wireless Devices and E-applications - The Emerging Security Challenges for Global Enterprises

Date: Wednesday, May 06, 2009

Emerging Mobile Devices Security Challenges

Across the globe, the usage of small wireless mobile devices such as PDAs, Blackberrys and smartphones is growing faster than the Internet. The number of smartphones worldwide crossed 130 million by the end of 2008, according to IDC. As wireless devices grow in sophistication and numbers, it’s no surprise that virus writers, hackers, and organized criminals have begun targeting them. What’s surprising is how quickly they’ve found so many ways to exploit them. Enterprises should not underestimate this emerging threat.

We will discuss here the 3 primary technologies deployed in all cell phones, PDAs, and smartphones and the possible security threats.

* Bluetooth
* Mobile telephony
* Smartphones and PDAs

Bluetooth

Bluetooth is a short-range wireless technology. It is a radio frequency standard that allows any sort of electronic equipment to make its own short-range connections, without wires or cables. When two bluetooth-enabled devices encounter one another, they can automatically communicate with each other to establish whether they should form a personal area network. This simple facility creates the opportunity for bluetooth attacks, namely blue jacking, blue bugging, and blue snarfing.

Blue jacking

Here, third parties can send text messages anonymously to the smartphones or PDAs of any users who are within range (usually 10 to 20 meters). This could be used maliciously and for blue spam.

As a remedy to this problem, phone owners should not add senders of blue jack messages to their address book and should remain hidden from blue jackers by keeping their bluetooth settings in non-discoverable mode.

Blue bugging

A blue bugging attack is a hack attack on a bluetooth-enabled device. Blue bugging enables the attacker to initiate phone calls on the victim’s phone, to read and send SMS messages, read and write phone book contacts, eavesdrop on phone conversations, divert incoming calls, and surf the Internet.

Blue snarfing

A blue snarfing attack can involve the theft of all contact information stored in the cell phone.

The best way to ward off these attacks is to avoid ‘pairing’ with any unknown devices whenever bluetooth is on. Similarly, avoid downloading or installing suspicious software on to your cell phone. Wherever possible, upgrade your cell phone PIN to an 8-digit code from the standard 4-digit code with which it is issued. Never share the PIN with unknown devices or individuals.

Mobile Telephony

The mobile telephony universe boasts of cell phones, PDAs, and smartphones. There are essentially 3 principal cell phone risks.

* Blue attacks (dealt with in bluetooth above)
* Loss of essential data (through accident or theft of the cell phone)
* Viruses, worms, trojans, and malware

Cell Phone Loss

When a cell phone is lost, two things happen apart from the cost and inconvenience of the loss: someone else can use the phone to make calls, and all data is lost. As a precaution, remember to do the following:

1. Do not use the phone in areas where it could be stolen

2. Lock your cell phone, using the following methods

a. Key lock – this locks your key pad to prevent accidental number keying
b. SIM PIN Code – this locks your SIM card, protecting your account
c. Phone Security Code – this locks your handset
d. Voice Mail PIN – this secures your voice mail service

Viruses, Worms, and Malware that Affect Mobile Telephony

Mobile phone viruses, worms, and trojans are now beginning to spread. Skulls, a trojan horse program that poses as gaming software, is one of the earliest malicious codes to successfully infect mobiles. If installed on mobile phones running Symbian OS, Skulls will render the smartphone features of the phone useless by deactivating messaging, Net access, and other apps. The malware replaces application icons with a picture of a skull, hence its name. Anti-virus software for Symbian Series 60 is able to detect and remove Skulls.

The Cabir worm and Mosquito Trojans target smartphones that run the Symbian Series 60 operating system, while a third, called Duts 1520, attacks Pocket PCs with a Windows CE operating system.

Mosquito Trojans hijack the device into calling special phone numbers that carry high fees, running up the owner’s bill. The Mosquito Trojan is hidden inside a game that’s downloaded over a wireless network, while Cabir is spread via bluetooth.

Protecting from Them

Expand the company wireless policies to forbid downloading games and other applications not directly related to work. Educate the employees about the sources and symptoms of mobile viruses. Explore antivirus software for mobile devices. Make it mandatory for wireless carriers to outline their network safeguards.

PDAs and smartphones should be password protected. The wireless port on them must be disabled. Device operating systems must have the latest patches installed. Any confidential information stored on a device must be encrypted. Also, back up regularly - by synchronizing the device with a linked computer.

Emerging Mobile Devices Security Challenges

With the proliferation of Web applications and e-commerce, you know how important it is for those applications to be secure. Hackers are always looking for that overlooked gap so that they can work their way into your application and your data. Some of the most significant Web application threats are discussed below.

Unvalidated input: Information from Web requests is not validated before being used by a Web application. Attackers can use these flaws to attack backend components through a Web application.

Broken access control: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users’ accounts, view sensitive files, or use unauthorized functions.

Broken access and session management: Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users’ identities.

Cross-site scripting flaws: The Web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user.

Buffer overflows: Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and Web application server components.

Injection flaws: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web application.

Insecure storage: Web applications frequently use cryptographic functions to protect information and credentials. Writing the code for these functions and the code used to integrate them has proven to be difficult, frequently resulting in weak protection.

Denial of service: Attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

Insecure configuration management: Having a strong server configuration standard is critical to a secure Web application. These servers have many configuration options that affect security and are not secure out of the box.
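
The unvalidated input and injection flaw items above can be seen side by side in a short added example (not part of the original article). It assumes a Python application whose "external system" is an SQLite database; the table, function names and sample values are constructed for illustration.

```python
import re
import sqlite3

# Constructed request parameter containing quote characters.
CRAFTED = "x' OR '1'='1"

# Allow-list for this hypothetical application's usernames.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("carol", 75)])
    return db


def lookup_unsafe(db, username):
    # Flawed: the parameter is pasted into the command text, so quote
    # characters inside it change the structure of the statement.
    sql = ("SELECT username, balance FROM accounts "
           "WHERE username = '%s'" % username)
    return db.execute(sql).fetchall()


def lookup_bound(db, username):
    # Fix for the injection flaw: the value is bound as data and is
    # never parsed as part of the SQL command.
    sql = "SELECT username, balance FROM accounts WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def lookup_validated(db, username):
    # Fix for unvalidated input: reject anything outside the allow-list
    # before it reaches a backend component, then still bind it.
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return lookup_bound(db, username)


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal :", lookup_unsafe(db, "alice"))
    print("unsafe, crafted:", lookup_unsafe(db, CRAFTED))  # every row leaks
    print("bound, crafted :", lookup_bound(db, CRAFTED))   # no match
    try:
        lookup_validated(db, CRAFTED)
    except ValueError as exc:
        print("validated      :", exc)
```

Validation and parameter binding are complementary: binding keeps the value out of the command text, while validation stops malformed input before it reaches any backend component.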

Conclusion

The explosion of wireless devices and e-applications has become a necessity in today’s world. However, they have also increased the security risks manifold, and no security solution can be foolproof against hackers and virus writers, as they constantly devise new methods of penetrating these devices and applications. The fight against these cyber criminals will nevertheless continue undaunted.

The author is CEO, Derisk IT Solutions Pvt Ltd