Last week there were a couple of particularly interesting articles in Dark Reading relating to the emerging apocalypse of mobile bots and the potentially hundreds of millions or billions of infected cell phones conducting malicious activities on behalf of their hacker masters.
The first article discussed a warning issued by the US Computer Emergency Response Team (or US-CERT) on a new free and commercially available application that transforms a Blackberry into a bugging or listening device with no warning to the user. The article, titled “US-CERT Warns of Blackberry Spying Application,” quotes Sheran Gunasekera, the developer of the app, PhoneSnoop, as having been “surprised US-CERT identified his app in an advisory.” In Sheran’s defense, he appears genuinely interested in getting the word out regarding the vulnerability of Blackberry mobile devices and their potential for abuse. This abuse can lead to incredible breaches of security and of confidential or classified communications occurring in board rooms, government facilities, financial trading floors… anywhere.
The second article focused on the vulnerability of smart phones, their rich web browsers, and how social engineering can open huge holes in their security. The article, titled “iPhone, Blackberry, Palm Pre All Vulnerable to Spear-Phishing Experiment,” describes an experiment conducted by PacketFocus with an opted-in group of users across various organizations. A spoofed LinkedIn invitation message, made to look as if it came from Bill Gates, was sent to all the users in the experiment. According to Joshua Perryman, CEO of PacketFocus, “the trouble with socially engineered, targeted attacks is that there’s no real ‘patch’ to protect products and users from falling for them.” But the ONE thing that is the scariest to me (no post-Halloween pun intended) is that Joshua was successful in getting the targeted users to accept the spoofed LinkedIn message 100% of the time! How do you protect against that?
Indeed, how does an organization protect against these vulnerabilities affecting most of the increasingly popular and purchased smart phones on the market? I think there are a few things that can be done, for now:
1) Have full visibility and collect analytics on where these devices are within your organization and how they are being used. Why? You can’t protect what you don’t know is there.
2) Establish security and usage policies for these devices, especially when they are not necessarily used for business purposes.
3) Work with vendors and service providers to implement security and authentication mechanisms to at least minimize the impact of important information being lost or compromised.
In an increasingly mobile and connected society, this is certainly a sign of the times.