TORONTO — Few security breaches have been traced to wireless devices or smart phones, but industry experts say the proliferation of these devices is still causing a concern.
“”I have not heard of a lot of attacks on mobile devices,”” said Michelle Warren, a market analyst with Toronto-based
Evans Research Corp. “”It’s more ‘What if? When it is it going to happen? What will it hit? How will it affect business?’ I haven’t heard of any actual attacks.””
Warren made her comments Tuesday after a presentation to journalists and analysts by Santa Clara, Calif.-based McAfee Inc.
McAfee officials said IT departments should be concerned about mobile device security, but agreed there have been few attacks.
“”I think that many of us in the industry thought we would have more of a problem with these things than we actually have,”” said Vincent Gullotto, vice-president of McAfee’s Anti-virus and Vulnerability Emergency Response Team (AVERT). “”That’s somewhat good news.””
He added past breaches have included “”porn dialler”” software, which is surreptitiously loaded on to cell phones and is programmed to dial 900 numbers, racking up subscribers’ bills.
Gullotto said some malicious code is designed to spread to wireless devices through Bluetooth connections, but most viruses and malware loaded on to mobile devices do not spread as quickly as if they were downloaded on to PCs connected to a corporate network.
“”In order for them to spread today, they take more of the routes that viruses took on floppies,”” he said. “”It’s really the only way that the wireless threat can spread. It doesn’t mean that wireless devices can’t host PC infections. If you take a bunch of files on your iPaq with you, then you can host those files and take them someplace with you.””
Executives from other security software makers vendors offered similar sentiment.
Matt Ekram, product manager for mobile security at Cupertino, Calif.-based Symantec Corp., said in an interview that mobile devices have a “”limited impact”” on corporate security, and any malware designed specifically for these devices would be a “”proof of concept.””
Ekram recommends network managers set up virtual private networks (VPNs) in order to help protect against attacks from workers who connect without the knowledge of the IT department.
IT departments can protect their networks by setting up perimeter firewalls and other devices, but Gullotto said security gets more complicated when the network boundaries become blurred.
“”In the good old days, everybody had PCs and a LAN and we all went to the Internet through our firewall gateway,”” Gollotto said. “”If we look at it now – what about my home users or my portable laptop users? Are they inside or outside? And that kind of gets worse with more and more of these portable devices.””
He added network managers have no choice but to leave some ports open so that users can access external resources, such as the Internet. Therefore, the only defence is to monitor the network for unusual activity.
“”We now have to be very careful about how we monitor those channels that we have open, and what can we do to validate that the traffic that is coming through is genuine and somebody isn’t piggybacking across the channel to do something bad.””
Some of the most publicized threats are viruses activated by users who click on email attachments, but other attacks, such as mass mailers, can take over machines without the users’ knowledge, said Greg Day, security strategist for McAfee.
“”One of the things customers are getting more fearful of, more than anything else nowadays, is whether they actually really own their environment,”” Day said. “”Do they really own that system or is somebody else using it in the background for some secondary means?””
Gullotto said more workers are aware that they should not click on unexpected e-mail attachments, but virus writers are finding other ways of tricking workers into activating malware.
This year, for example, McAfee has found more than 20,000 newsgroup posts containing links to viruses.
“”In probably 99 per cent of the cases, those messages were maliciously posted by a virus writer trying to get somebody to bite on alt.sex.footfetish and think that they were going to get a picture, and open it up and see somebody getting a little freaky with the feet.””