Wireless Web Security: Enter Data at Your Own Risk

Word has it that wholesale wireless Internet access is a potential silver lining in the flagging New Economy, but is it secure?

December 24, 2000
By Clint Boulton

When you ask consumers if their PCs are protected by antivirus applications lurking on the system in search of malicious code, some of the more technically knowledgeable people will tell you confidently that they are protected by Norton or McAfee, or one of any number of security applications on the market today.

But pose the same question about their personal digital assistants, wireless pagers or any other mobile device? Yeah, right. But don't take it from the last sentence -- security software provider Central Command conducted a study this month and found that almost 99 percent of Windows CE and Palm users are not protected against nasty little buggers like the Liberty Crack viruses A and its evil sister B.

Incredible, isn't it? Not really, seeing as how the wireless industry does not yet have an iota of security standards to fall back on. This has caused some in the industry to be more than a little disturbed. According to the Central Command study, users want protection: 81 percent of the 3011 respondents surveyed said they were concerned about mobile viruses infecting their handhelds.

"A lot of these security apps are relatively new," Central Command Inc. President and Chief Executive Officer Keith Peer told InternetNews.com. "People have passwords for PDAs that can be modified by hackers using an executable command. What makes mobile devices so vulnerable is that they're so open source."

Peer said that although there are about four main Palm viruses, Liberties A and B, Phage and Vapor, the ceiling for hackers to script new strains of malicious code is limitless, the black hole into which important information may be stolen, altered or lost, bottomless.

"Virus writers are focusing on making them more cross-platform," Peer said. Peer warns that, just as it did for PCs, technology will advance, paving the way for hackers to meet new challenges.

But Peer also said users looking for protection can take heart in the fact that many security software developers are gearing up for mobile device use growth with new solutions. In fact, Central Command has recently released antivirus software solutions for the Windows CE and Palm OS.

While the Palm offering may seem anticlimactic at first given the industry's current awareness of the four Palm viruses, it actually isn't. Few people were infected by the documented viruses and the ones created weren't nearly as migratory as the notorious Melissa e-mail virus that assailed PCs. And Peer's firm is ahead of the game when it comes to Windows CE, as it has been tested and approved before a virus for that device has ever been reported. Still, the anticipation may be slightly disquieting.

Certicom Corp. CEO Rick Dalmazzi told InternetNews.com he was not surprised by the lack of a game plan PDA owners had when it comes to device protection. Dalmazzi said the idea of wireless security presents security applications creators with an interesting, if not nerve-racking, dichotomy. He said wireless users want security, but don't want to have to get security. Come again?

Dalmazzi, whose firm supplies encryption technology for mobile computing and wireless devices, decrypted this conundrum by saying that users want security inherent in the products they buy and do not want to be troubled by buying software to stave off bugs and intruders.

"They either don't have it or don't know they have it," Dalmazzi said.

But not every person or outfit devotes their time to worrying about viruses for PDAs. CEOs such as Internet Security Solutions' skipper Chris Klaus said security for wireless internet is not only compromised by viruses, but by hackers who can tap into wireless local area networks (LANs) to wreak havoc.

Klaus said a greater threat exists at the infrastructure level, especially with such wireless technologies as Bluetooth, which is still in its infancy. Klaus said one of the biggest problems is that only one password can be set for wireless LANs.

"For companies, they are all set up using the same system and there are a lot of internal employees," Klaus told InternetNews.com. "Suppose one of them leaves disgruntled. Then you're looking at a situation where you have to change the password -- it's a maintenance headache."

Klaus said ISS looks to implement security doors between wireless LANs and internal networks. But one of the things he has seen that has scared him the most is the number of companies that do not implement security solutions properly, which is one of the services ISS provides. He has put together a crew he calls the X Force -- benevolent hackers who preach and implement security risk management protection.

"They check for vulnerabilities within a system and come up with the antivenin," Klaus said.

Inside the Numbers with IDC

A white paper IDC recently published in conjunction with Tivoli Systems Inc. points to the importance of wireless security.

One of the leaders in analyzing the impact of the burgeoning wireless sector, IDC estimates that the worldwide market for wireless Internet transactions (the most important no doubt being banking, folks) will balloon to $38 billion by 2003.

"Voice traffic will still comprise much of the wireless transmission growth," the paper said in its introduction. "However, IDC forecasts that in the next three years, data over wireless TCP/IP will account for 55 percent of wireless transmission."

Okay, so obviously cell phones will still be the most ubiquitous, but IDC expects to see strong growth for subscribers with some level of Internet access.

The paper went on to confirm that although standards have yet to be passed, members of the Wireless Application Protocol Forum hope to gain increased endorsement of Wireless Transport Layer Security (WTLS), the wireless brother of the Transport Layer Security (TLS) protocol.

But until such standards are put firmly in place, IDC said it expects to continue to see hesitancy surrounding the use of wireless devices. One anonymous bank IDC talked to said it would not extend online banking functions without guaranteeing client authenticity.

And that is a major downfall for wireless transactions anywhere, whether it be for a hospital, bank -- anything. Suppose someone loses their PDA and a technically adroit prankster picks it up? They could log in and conduct transactions if they had the right information. How would the company safeguard this? It can't. The problem is that the science of biometrics -- identifying people in some James Bondian way through a fingerprint, retina, or voice scan -- needs to be implemented for recognition and verification purposes.

But those concerns do not begin to detail the "encryption gap" problem techsters face in the WAP gateway, which is the barrier between the client and the Web server. That merits a whole different venue of analysis, which the paper delves into in great depth.

Remote Spies: It Could Happen to You

Suppose you run a telco business in Colorado. What would you say if someone told you people in Germany are eavesdropping on your wireless activity, tapping in to your network? Would you tell the doomsayer that they are nuts?

Ken Williams, vice president of global consulting for e-Security, painted a dark picture for wireless security, saying that as the world turns daily, spies in foreign countries have the ability to monitor networks and fraudulently use their services. He, like ISS' Klaus, said wireless security is threatened by much more than viruses.

To allay suspicions that Williams is a conspiracy theorist, look again at his title -- he's not a veep of "global consulting" for nothing. He has spent time in Curacas and other parts of the world checking out telecommunications systems for the likes of Bell South and Bell Canada, most of which he says are hugely susceptible to attack.

"Malicious code is not limited to viruses," Williams stressed. "What we should be concerned with is that a lot of foreign governments are doing surveillance on our networks and can break in to see or alter documents through weak spots."

Williams explained that it all begins with cell phones, which serve as virtual beacons for prospective spies to pick up signals. According to Williams, the whole wireless environment is susceptible to theft of service, denial of service and altering information through mobile satellite services and wireless LANs.

Citing his work in developing nations, Williams said he knows of many telcos who will offer wireless routers, but will not offer protection for them. Williams declined to name specific firms, but said that many outfits are unwilling to provide that service in mountainous areas where traditional wiring is not a possibility, so as to keep costs down. Such wireless hubs are, incredibly, not protected by firewalls.

Then there is the subject of Ethernet, Williams said, where mature hackers can exploit cable companies' networks by finding the junction box and tapping in to it.

Through all of his illustrations, Williams made it clear that the U.S. is just as guilty of borderline mercenary wireless tactics. He cited the Gulf War, where wireless applications were used to intercept and jam transmitted signals from the enemy.

What Williams does for e-Security is look at a company at the network, platform and applications levels to see exactly where vulnerabilities exist.

He then implements a security alarm to tip off the firm about intruders. But despite the confidence in his firm's risk detection abilities, Williams said it is very possible the world could be looking at another Y2K-type scare in the mobile arena.

In terms of setting up wireless security in the enterprise, IDC concluded that technical adversity is not the main issue with wireless security -- scalability and designing applications that compensate for security deficiencies are.

Regardless of what happens in the future in terms of viruses and hackers, the world can rest assured that, as with the overhyped Y2K scare, the number of firms developing solutions for wireless transactions is legion -- representatives of more than 60 security firms offered to provide comment for this piece.

Like the gladiatorial spectacle of watching e-commerce companies rise and fall, there most likely will come a time when audiences will be able to sit back and see the ones that prosper and the ones that implode.




