RealTime IT News

Norm Laudermilch, CTO, Trust Digital

Norm LaudermilchWhat is believed to be the first instance of a mobile phone virus in the U.S. reportedly occurred in an electronics store in Santa Monica, Calif.

The Cabir virus, discovered on a Symbian-based phone, was capable of doing little more than blocking Bluetooth connections or quickly draining the host device's battery.

However, its existence marked the entry of cell phone-based viruses into U.S. air space and was a subtle wake-up call to IT network and security managers charged with protecting corporate computer systems.

This call has suddenly become a more urgent alarm, as wireless phones have become more data-capable and an increasing number of companies use them as wireless tools and mobile terminals.

Today, smartphones and other small, cellular-enabled devices are every bit as powerful as handheld computers or entry-level notebook PCs.

Using them is a lot more risky, however, since most companies are not prepared to deal with viruses that enter networks through cellular networks or a cell phone multimedia message.

Internetnews.com talked recently with mobile security expert Norm Laudermilch, CTO of Trust Digital, about the problem of cell phone viruses and the threats they pose to unprotected enterprise networks.

Q: Just how much of a threat are cell phone-based viruses to enterprise networks?

The interesting thing about smartphones and other converged devices is that people turn on things like Bluetooth connectivity and don't realize the vulnerabilities that are associated with it, and the fact that you can be sitting in Starbuck's contracting a worm or a virus without your knowledge.

The thing that really changed things recently was the "cross over" virus, which is the proof-of-concept code that was just written and released to the antivirus vendors.

It is a perfect example of how to use cell phones to get to the heart of enterprises, where most people think they are most protected and without anybody knowing it.

Q: If the problem is so apparent and the potential impact so great, why aren't more enterprises doing something about it now?

Until you get a billion-dollar problem like Code Red or Nimda or one of those big ones that hit the PC side, you're not going to get an adequate focus on the problem.

Security administrators are not sleeping well because of this, and what they probably don't realize is if it does happen through cell phones, they'll have no way to track it.

Despite all the money spent on firewalls, IDS [intrusion detection systems] and antivirus technologies, no one is going to be able to see these viruses once they are injected because they are coming through an unexpected and unprotected part of the enterprise.

Once this happens, CEOs will come screaming down to find out who's responsible and how this happened, and network administrators won't have a clue.

Q: Are the risks associated with cell phone viruses increasing as companies integrate cellular systems with existing call center and customer resource management (CRM) technologies?

Absolutely. It's a fundamental paradigm shift. We talk a lot about mobile devices and the fact they are the latest problem, but they're just the indicator.

The real problem is the way security and network administrators think about the network perimeter. It has all changed.

Most of the security money today is being spent on firewalls, IDS, IPS [intrusion protection systems] and antivirus protection. This is because administrators continue to think about the perimeter of a network in terms that were acceptable 10 years ago. And it's just not like that anymore.

Q: Do technologies such as radio frequency ID (RFID) tags and cell phone-based Wi-Fi increase the potential and risk for virus infections of enterprise resources?

All of these things have the ability to carry what may be malicious code. Yes, it might just be a small bit of code, but it doesn't take very much to do a SQL injection or take advantage of the vulnerability in a PHP Web site.

Smartphones and cellular-based mobile devices are more like handheld computers, so you have to apply the same safeguards and precautions on a mobile phone as you do on your desktop. You need authentication, you need encryption, and you need application behavioral control.

Q: Just how difficult would it be to provide even basic protection against cell phone-based viruses? Are we talking about a substantial commitment in terms of time and money?

Basically, it comes down to using good and current security methodologies when you're writing software.

If you look at RFID tags in an abstract way, they are not all that different than PDAs and other devices. They are small computers with very limited processing power that primarily operate in a passive state.

Mobile devices started out in much the very same way. Nobody thought they might be a threat because what could the tiny processor of a Palm Pilot really do? Well, look what's happened over the past five or six years.

It is also important to have the right tools that constantly look at a device to make sure nothing funny is happening in the operating system and protecting that device against any malicious behavior. These tools should also be able to block e-mails or messages that may be suspected of carrying or propagating a worm or virus.