Wireless Web Security: Enter Data at Your Own Risk

When you ask consumers if their PCs are protected by antivirus applications
lurking on the system in search of malicious code, some of the more
technically knowledgeable people will tell you confidently that they are
protected by Norton or McAfee, or one of any number of security applications
on the market today.


But pose the same question about their personal digital assistants, wireless
pagers or any other mobile device? Yeah, right. But don’t take it from the
last sentence — security software provider Central Command conducted a
study this month and found that almost 99 percent of Windows CE and Palm
users are not protected against nasty little buggers like the Liberty Crack
viruses A and its evil sister B.


Incredible, isn’t it? Not really, seeing as how the wireless industry does
not yet have an iota of security standards to fall back on. This has caused
some in the industry to be more than a little disturbed. According to the
Central Command study, users want protection: 81 percent of the 3011
respondents surveyed said they were concerned about mobile viruses infecting
their handhelds.


“A lot of these security apps are relatively new,” Central Command Inc.
President and Chief Executive Officer Keith Peer told InternetNews.com.
“People have passwords for PDAs that can be modified by hackers using an
executable command. What makes mobile devices so vulnerable is that they’re
so open source.”


Peer said that although there are about four main Palm viruses, Liberties A
and B, Phage and Vapor, the ceiling for hackers to script new strains of
malicious code is limitless, the black hole into which important information
may be stolen, altered or lost, bottomless.


“Virus writers are focusing on making them more cross-platform,” Peer said.
Peer warns that, just as it did for PCs, technology will advance, paving the
way for hackers to meet new challenges.


But Peer also said users looking for protection can take heart in the fact
that many security software developers are gearing up for mobile device use
growth with new solutions. In fact, Central Command has recently released
antivirus software solutions for the Windows CE and Palm OS.


While the Palm offering may seem anticlimactic at first given the industry’s
current awareness of the four Palm viruses, it actually isn’t. Few people
were infected by the documented viruses and the ones created weren’t nearly
as migratory as the notorious Melissa e-mail virus that assailed PCs. And
Peer’s firm is ahead of the game when it comes to Windows CE, as it has been
tested and approved before a virus for that device has ever been reported.
Still, the anticipation may be slightly disquieting.


Certicom Corp. CEO Rick Dalmazzi told InternetNews.com he was not surprised
by the lack of a game plan PDA owners had when it comes to device protection.
Dalmazzi said the idea of wireless security presents security applications
creators with an interesting, if not nerve-racking dichotomy. He said
wireless users want security, but don’t want to have to get security. Come
again?


Dalmazzi, whose firm supplies encryption technology for mobile computing and
wireless devices, decrypted this conundrum by saying that users want
security inherent in the products they buy and do not want to be troubled by
buying software to stave off bugs and intruders.


“They either don’t have it or don’t know they have it,” Dalmazzi said.


But not every person or outfit devotes their time to worrying about viruses
for PDAs. CEOs such as Internet Security Solutions’ skipper Chris Klaus said
security for wireless internet is not only compromised by viruses, but by
hackers who can tap into wireless local area networks (LANs) to wreak havoc.


Klaus said a greater threat exists at the infrastructure level, especially
with such wireless technologies as Bluetooth, which is still in its infancy.
Klaus said one of the biggest problems is that only one password can be set
for wireless LANs.


“For companies, they are all set up using the same system and there are a
lot of internal employees,” Klaus told InternetNews.com. “Suppose one of
them leaves disgruntled. Then you’re looking at a situation where you have to
change the password — it’s a maintenance headache.”


Klaus said ISS looks to implement security doors between wireless LANs and
internal networks. But one of the things he has seen that has scared him the
most is the number of companies that do not implement security solutions
properly, which is one of the services ISS provides. He has put together a
crew he calls the X Force — benevolent hackers who preach and implement
security risk management protection.


“They check for vulnerabilities within a system and come up with the
antivenin,” Klaus said.


Inside the Numbers with IDC


A white paper IDC recently published in conjunction with Tivoli Systems Inc.
points to the importance of wireless security.


One of the leaders in analyzing the impact of the burgeoning wireless
sector, IDC estimates that the worldwide market for wireless Internet
transactions (the most important no doubt being banking, folks) will balloon
to $38 billion by 2003.


“Voice traffic will still comprise much of the wireless transmission
growth,” the paper said in its introduction. “However, IDC forecasts that in
the next three years, data over wireless TCP/IP will account for 55 percent
of wireless transmission.”


Okay, so obviously cell phones will still be the most ubiquitous, but IDC
expects to see strong growth for subscribers with some level of Internet
access.


The paper went on to confirm that although standards have yet to be passed,
members of the Wireless Application Protocol Forum hope to gain increased
endorsement of Wireless Transport Layer Security (WTLS), the wireless brother of the
Transport Layer Security (TLS) protocol.


But until such standards are put firmly in place, IDC said it expects to
continue to see hesitancy surrounding the use of wireless devices. One
anonymous bank IDC talked to said it would not extend online banking functions without
guaranteeing client authenticity.


And that is a major downfall for wireless transactions anywhere, whether it
be for a hospital, bank — anything. Suppose someone loses their PDA and a
technically adroit prankster picks it up? They could log in and conduct
transactions if they had the right information. How would the company
safeguard this? It can’t. The problem is that the science of biometrics —
identifying people in some James Bondian way through a fingerprint, retina,
or voice scan — needs to be implemented for recognition and verification
purposes.


But those concerns do not begin to detail the “encryption gap” problem
techsters face in the WAP gateway, which is the barrier between the client
and the Web server. That merits a whole different venue of analysis, which
the paper delves into in great depth.


Remote Spies: It Could Happen to You


Suppose you run a telco business in Colorado. What would you say if someone
told you people in Germany are eavesdropping on your wireless activity,
tapping in to your network? Would you tell the doomsayer that they are nuts?


Ken Williams, vice president of global consulting for e-Security, painted a
dark picture for wireless security, saying that as the world turns daily,
spies in foreign countries have the ability to monitor networks and
fraudulently use their services. He, like ISS’ Klaus, said wireless security
is threatened by much more than viruses.


To allay suspicions that Williams is a conspiracy theorist, look again at
his title — he’s not a veep of “global consulting” for nothing. He has
spent time in Curacas and other parts of the world checking out
telecommunications systems for the likes of Bell South and Bell Canada, most
of which he says are hugely susceptible to attack.


“Malicious code is not limited to viruses,” Williams stressed. “What we
should be concerned with is that a lot of foreign governments are doing
surveillance on our networks and can break in to see or alter documents
through weak spots.”


Williams explained that it all begins with cell phones, which serve as
virtual beacons for prospective spies to pick up signals. According to
Williams, the whole wireless environment is susceptible to theft of service,
denial of service and altering information through mobile satellite services
and wireless LANs.


Citing his work in developing nations, Williams said he knows of many
telcos who will offer wireless routers, but will not offer protection for
them. Williams declined to name specific firms, but said that many outfits
are unwilling to provide that service in mountainous areas where traditional
wiring is not a possibility, so as to keep costs down. Such wireless hubs
are, incredibly, not protected by firewalls.


Then there is the subject of Ethernet, Williams said, where mature hackers
can exploit cable companies’ networks by finding the junction box and
tapping in to it.

Through all of his illustrations, Williams made it clear that the U.S. is
just as guilty of borderline mercenary wireless tactics. He cited the Gulf
War, where wireless applications were used to intercept and jam transmitted
signals from the enemy.


What Williams does for e-Security is look at a company at the network,
platform and applications levels to see exactly where vulnerabilities exist.


He then implements a security alarm to tip off the firm about intruders. But
despite the confidence in his firm’s risk detection abilities, Williams said
it is very possible the world could be looking at another Y2K-type scare in
the mobile arena.


In terms of setting up wireless security in the enterprise, IDC concluded
that technical adversity is not the main issue with wireless security —
scalability and designing applications that compensate for security
deficiencies are.


Regardless of what happens in the future in terms of viruses and hackers,
the world can rest assured that, as with the overhyped Y2K scare, the number
of firms developing solutions for wireless transactions is legion —
representatives of more than 60 security firms offered to provide comment
for this piece.


Like the gladiatorial spectacle of watching e-commerce companies rise and
fall, there most likely will come a time when audiences will be able to sit
back and see the ones that prosper and the ones that implode.
