Posts

Should You Worry About Smartphone Security?

Every industry involves four main parties. There are, most obviously consumers and manufacturers. There are also those who provide services or supplies to the manufactures, or produce peripheral products that work in tandem with the original product. Finally, there are the watchdogs, keeping tabs. Watchdogs are usually either government regulators or third party nonprofits.

IBM predicts rising mobile threats, critical infrastructure attacks in 2011.

As reported by BoingBoing, former Google Android security framework engineer Chris Palmer, who is now technology director of the nonprofit Electronic Frontier Foundation, addresses the risks posed by mobile operating system manufacturers’ lax approach to security:

“Mobile systems lag far behind the established industry standard for open disclosure about problems and regular patch distribution. For example, Google has never made an announcement to its android-security-announce mailing list, although of course they have released many patches to resolve many security problems, just like any OS vendor. But Android open source releases are made only occasionally and contain security fixes unmarked, in among many other fixes and enhancements…

Android is hardly the only mobile security offender. Apple tends to ship patches for terrible bugs very late. For example, iOS 4.2 (shipped in early December 2010) contains fixes for remotely exploitable flaws such as this FreeType bug that were several months old at the time of patch release. To ship important patches so late is below the standard set by Microsoft and Ubuntu, who are usually (though not always) much more timely. (For example, Ubuntu shipped a patch for CVE-2010-2805 in mid-August, more than three months before Apple.)”

Other industry leaders disagree. CIO.com’s Bill Snyder has stated:

“I was sitting in the middle of one of the most security conscious crowds you’d ever come across—about 200 computer security professionals listening to a high-powered panel on mobile security threats at the RSA Conference in San Francisco last week. And you’d think that after nearly 90 minutes of discussion, I’d leave the room all a twitter (pardon the pun) and scared that my iPhone was about to go rogue. Not at all. In fact, I left feeling a lot more relaxed about the security of my smartphone, and a little more skeptical about the barrage of hacker warnings to which we’ve all been subjected.”

Ed Amoroso, chief security officer of AT&T, said:

“Day-to-day mobile threats haven’t (yet) caused much harm.”

Ian Robertson, security research manager for BlackBerry developers  Research in Motion, said:

“I can count on one hand the pieces of (mobile) malware I’ve seen installed.”

And quoted in NPRs All Things Considered is Paul Smocer, who is in charge of technology at the banking trade group The Financial Services Roundtable:

“I have begun to use mobile banking myself, yes. We haven’t seen a whole lot of malicious software yet. Part of that relates to the fact that there are so many different manufacturers and operating systems in the mobile world. But part of it, I think, is also to do with the fact that this is a relatively new environment, and unfortunately, crime follows growth.”

The truth, of course, lies in the middle. While the mobile security industry isn’t exactly under siege, there is clearly more work to be done. It’s smart to invest in antivirus protection for your mobile phone, keep its operating system updated, and be cognizant of how you use you phone, so that you can avoid putting your data at risk.

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto. (Disclosures)

Shoring Up National Cyber Security Infrastructure

The wild, wild web is the most exciting, alluring, and all-around awesome thing available to us today. It’s also something we have come to rely on to a fault. And that’s a little scary. The Internet is a decentralized wilderness, used by billions of devices worldwide.

Joe Lieberman, chairman of the Homeland Security and Governmental Affairs Committee, introduced a controversial bill designed to empower the United States to shut down the Internet, explaining, “For all of its user-friendly allure, the Internet can also be a dangerous place with electronic pipelines that run directly into everything from personal bank accounts to key infrastructure to government and industrial secrets, our economic security, national security and public safety are now all at risk from new kinds of enemies — cyber-warriors, cyber-spies, cyber-terrorists and cyber-criminals.”

Regardless of the politics behind the issue, shutting down the Internet would have dire consequence on everything from electricity, water delivery, transportation, and food production. We simply aren’t prepared for that kind of shift.

But the question remains, how do we shore up our nation’s critical infrastructure against online attacks?

States, governments, and corporations are investing billions in online infrastructure. Thousands of cyber security professionals are being trained to keep us safe. I can only hope that many are decentralizing their systems in order to become self-reliant if necessary.

While technologists and government leaders are sorting this out, the weakest link in the chain is still…drum roll, please…you.

Corporations and government agencies are legally required to secure their systems, at least minimally. But no such standards exist for the consumer. No laws require you to take a single step for the sake of your own security. Software vendors should certainly be held accountable if their products aren’t secure, but this alone is inadequate.

If you buy a bike for your child, for example, it’s up to you to teach him to ride safely, and to require him to wear a helmet. In many places, children are legally required to wear bike helmets. Similarly, you can’t drive a car without a license, and you can’t get that license without proper training.

It should be the same with technology. Before you come to rely on a smartphone or PC, you ought to receive training on how to use it securely. I have enough faith in people to believe that if we truly understand the consequences of inaction, we’ll come together and act to resolve whatever problems we face. We need to get together on this issue and do something about it…like, yesterday.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses the possibility of an Internet crash on Fox Boston. (Disclosures)

How Does Device Reputation Protect Me?

Device reputation spots online evildoers by examining the computer, smartphone, or tablet they are using to connect to any website. If a device is recognized as having previously committed some type of unwanted behavior, the website has the opportunity to reject the transaction, preventing damage before it occurs.

In the physical world, as the saying goes, “You are only as good as your word.” And when somebody says one thing and does another, we no longer trust them.

Online, people say and do things they never would in the real world. Internet anonymity fuels bad behavior. Websites’ comments sections are filled with vitriol that you’d never hear real people utter. Pedophiles who’d never approach a child on the street contact kids over the Internet. Sex offenders avoid the stigma of their label on dating sites and social media. Scammers create accounts in order to con people and businesses into forking over money. And identity thieves use your personal information to fill out online applications for credit.

All of this is made possible by the anonymity of the Internet.

As fraudsters develop more sophisticated schemes and collaborate in elaborate fraud rings, the threat of cybercrime increases. Online businesses are getting hit hard by fraud and abuse, and it’s critical that fraud protection solutions save them from significant losses and damaged reputations.

A device reputation service checks for suspect history, but also investigates for characteristics consistent with fraudulent users. And the best part is that it denies criminals, often even before their first attempt.

According to Greg Pierson, Founder and CEO of iovation, “Device reputation helps prevent identity thieves from monetizing the credentials that they have stolen.  At the same time we are protecting online businesses, we’re also protecting the consumer.”

Device-based fraud management and a shared device reputation infrastructure play a critical role in identifying online fraud and abuse. Neglecting to take advantage of these tools severely limits a business’s ability to prevent fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Scambaiting on Fox News. (Disclosures)