Generate Revenue Through IT Using Business Service Management Sponsored by HP Making sure that your business applications are available to their end users is an important part of running your business smoothly. Business operations have evolved to where IT must now broaden its focus to help the company attract, retain and grow customer relationships and increase customer satisfaction. Business service management (BSM) helps lay the foundation by managing services in dynamic support of business requirements. »     Managing the Modern Network Sponsored by HP Networks are more than vehicles to transport e-mail and Web pages. In a global economy where information crosses the globe in an instant, and where Web-based applications power business, it's more important than ever to ensure your network is safe from threats and optimized to deliver the data your business needs. »     Storage Networking 2, Configuration and Planning Sponsored by HP In Part 1, we discussed storage area networks (SANs) and fibre channel. In Part 2, delve into best practices and cover the general concepts you must know before configuring SAN-attached storage. The most critical, sometimes tedious, part of setting up a SAN is configuring each individual disk array. This guide examines configurations for SAN-attached servers and disk arrays, and also includes a look at the future of IP storage. »     Is Your Disaster Recovery Plan Good Enough? Get Disaster Recovery Right Sponsored by HP Preparing for a disaster is more often than not part of the storage planning process, and without question it is one of the most difficult task, since it includes local hardware and software, networking equipment, and a test plan to ensure that you can recover from the disaster. Learn how to put your organization on the proper disaster recovery plan, now. »

Related Articles •Feel Vulnerable? Time for Vulnerability Management Tools •IT Belt Tightening? Don't Let Security Suffer •Does Zero Day Mean Zero Profit?

Security Products • Message Classification / Document Classification (Titus Labs) • IronKey (IronKey, Inc) • Mazu Profiler (Mazu Networks, Inc) • MHZ2 CJ Series (Fujitsu Computer Products of America, Inc) • Secure Mail / Secure DOX (Echoworx Corp) • Enterprise Security Reporter (ScriptLogic Corp)

Smartphones: Pocketable Endpoints or Network Backdoor?

Email Print Digg This Add to del.icio.us

In today's corporate environment, very few people are without some kind of cell phone. And many phones have more functions and options than the average user needs. For better or worse, they are a ubiquitous part of life, and for many, they are simply indispensable.

As a result these are becoming the backdoor into corporate networks.

Backdoors, in this context, describe non-obvious devices and technologies that can interface with a network and pry open an attack vector that most security mechanisms don't account for. For example, unauthorized wireless access points can be considered backdoors. Software backdoors -- and the paranoia surrounding them -- is a topic for another site...

This whole article came about when a friend asked about what items he should put on his new smartphone to protect his small business. It occurred to me that, in his scenario may not be all that unique. And, on a larger scale, corporations may be overlooking a glaring backdoor in their network security.

So what are the risks?

Many of the ones that we see for wireless and Bluetooth as well as existing desktop OS risks are the same ones that can affect phones. Many phones today are being bundled with Windows Mobile, Microsoft's PDA/cell phone OS. This OS allows for greater interoperability with standard Windows applications and allows users to feel comfortable since they are already used to Windows on their desktop.

So, unsurprisingly, there exists malware and viruses for these tiny computers. Take a look at yours. Where's the firewall to protect against intruders? No? What about encryption to protect those passwords you use to access email or your voice-mail? No? What about anti-virus and spyware detection? No?

It is becoming evident that as part of the cell phone package, providers may need to include these items, particularly for their corporate customers. There are a few ways infection can occur. The first is the standard and most obvious one: get the user to download something, preferably something they want. Say, for instance, a free Texas Hold ‘em Poker or Sudoku game for the phone.

Or perhaps something that "promises" ways to get more messages to and from friends. Whatever the program, it's enticing; it's important; it's "needed". Once the program is downloaded and run, the malware is launched.

This, in case you haven't already noticed, is very similar to what happens in the desktop world.

An additional factor is ever-present, never-dying spam.

It is easier to fill a cell phone mailbox with spam than it is a modern computer. And yet, we have no filters for this. I personally experienced a mini-flood done by my personal cell phone provider when their email server began sending out things in triplicate.

It can be frustrating since there is no header info, no filter options for MMS and no mouse to easily select a bunch and just delete. While reports of this are sporadic, it will undoubtedly, climb since it's not hard to generate phone lists.

The other two methods include MMS messages with attachments and the Bluetooth option.

The MMS option works very similar to that of email: double-click on the attachment and the virus/malware launches. The one that is most interesting is the use of Bluetooth as a vector of attack. Similar to wireless, Bluetooth is often used in cell phones and PCs, and used to allow communication between phones and PCs. If the phone is in discoverable mode (that is, it's attempting to find a Bluetooth device nearby), then an attacker can connect and inject.

Find Me

The challenge is finding devices in discoverable mode. An application like Blooover II makes finding discoverable phone easier. Blooover is one of a few tools out there; others include Super Bluetooth Hack, BlueTest, BTCrack, T-Bear, Bluesnarfer and many others.

A simple search for "Bluetooth hack" will generate enough results to keep someone busy for a little while (most of these will require installation on a phone with Jave ME to work). The biggest impact made by these tools, like their predecessors in the wired world like ettercap, is that they make it easier to get into systems with little to no knowledge.

In essence, these tools allow for an attacker to sniff a Bluetooth stream for info or to inject nastiness.

In addition, they can also find Bluetooth devices that are discoverable and, if encryption is used, crack it. Of course, for any of these attacks to prove successful, proximity is critical (10m/30ft but some devices have a range of roughly 100m/300ft). But when the financial institutions of the world are close to each other and everyone goes for lunch to the same deli or sushi place, it shouldn't be too hard to do.

With all these threats are there steps that can be taken at the enterprise level to address this? You could invest in existing technologies that address cell phone issues such as McAfee's Total Protection or Sophos Endpoint Security and Control. But in addition to this, education remains the primary method of addressing cell phone security. Users should be reminded of the following:

• Work cell phones are corporate property. No unauthorized applications should be installed

• Personal cell phones should be disabled at work and/or the Bluetooth discoverable feature disabled.

• Bluetooth discoverable should only be used with encryption and only for specific devices (that is, set the discovery for manual pick up rather than automatic).

• Set a boot password and a main phone password. This helps secure the phone even when lost.

• Remind users that work phones are NOT to be unlocked (this avoids someone bypassing security measures that may be tied to a SIM).

Even though Cabir, the first mobile phone virus, is a toddler of sorts now that it's 4 years old, it's not the last virus or malware attack we'll see for the mobile. The rest are just over the horizon.

Are you ready?

Email Print Digg This Add to del.icio.us

eBook: Evaluating Software as a Service for Your Business. Sponsored by Webroot
Whitepaper: Enterprise Information Integration--Deployment Best Practices for Low-Cost Implementation
Five Trends for Application Development. Download Your Complimentary Report. Exclusive. Act Now.
What's The Future Of IT? Find Out By Reading "IT in 2018" Now. Free Registration Required.
Download: Solaris 8 Migration Assistant. Run Solaris 8 apps on the latest SPARC systems and Solaris 10.