Coughs and sneezes spread diseases

In January, more than 100 000 Britons a week were struck down by Norovirus, a nasty bug transmitted by contaminated food, water or surfaces and by person-to-person contact.

In January, more than 100 000 Britons a week were struck down by Norovirus, a nasty bug transmitted by contaminated food, water or surfaces and by person-to-person contact. Sometimes known as winter vomiting disease, due to its annual peak during colder months, this year a strange side effect was observed. Signify, a Cambridge-based secure authentication service company, reported nearly 18% more remote logins to corporate systems at the height of the epidemic.

 

“We put this down to people taking NHS advice to stay away from the office and simply logging into the corporate network from home and getting on with their work,” said John Stewart, Signify’s marketing director.

 

Such an epidemic is notable for its obvious business continuity impact and because mobile and remote technology offers a partial insurance against contagious diseases. Allowing work to continue away from the office can prevent infection spreading between workers.

 

Push out of the way

 

But mobile devices have their own problems with disease, data loss and subversion. These are predictable, and have been slowly growing for years, but still do not command the required respect, says Mike Hawkes, m-commerce director of the Mobile Data Association. “People don’t realise they are working on a radio communications device, and they treat it as if it was wired,” he says. “People tend to be a lot less robust than they would with a net device. I’ve yet to meet, for instance, somebody who admits to reading even a single set of terms and conditions for a mobile service. They may do so on a web page, but on the mobile device they tend to accept things.”

 

As an example, Hawkes mentions the worrying trend for advertisers to push out content as users go past a shop. “People are therefore being encouraged to leave Bluetooth on and to accept content from an unknown source,” he says.


 

“I was on a train and pushed out our company logo to eight people,” adds Hawkes. “It’s frightening that eight people on a train would accept some content from a complete stranger, not knowing what it was, and that could have been dialling premium rate numbers or deleting their inbox and outbox.”

 

“At least the latest devices do ask the user if they would like to accept the message,” he adds, but even the test of acceptance can be an irritation to a user bombarded with repeated requests, and a viral message will not give up just because it has been refused.

 

As Mikko Hyppönen, chief research officer at Finnish computer security vendor F-Secure, explains, the device simply beeps and repeats the question. As long as a user says “no,” they will be unable to make a call, send messages or use any other software on the phone. They are denied the phone’s services until they accept the message. Turning off Bluetooth is not an option because the phone is too busy responding to the messages. The only defence is to walk out of range of the infected device.

 

One example is the CommWarrior worm, of which over 15 variants have been identified since it was first spotted in March 2005. CommWarrior exploits Bluetooth to persuade victims to install malware and, once active, can spread rapidly via Bluetooth, multimedia (MMS) messages or memory cards.

 

Avoiding the operator

 

The trouble is, according to Hyppönen, that while mobile phones have always relied on the service providers to filter out malware, spam and obnoxious content, Bluetooth and Wi-Fi – features not common on mobile devices – usually remain unprotected. “When you go online with your phone, you go online using GPRS or 3G, which means you actually go online through your operator’s network, and the operator runs central firewalls and filtering to protect the end user,” he says.

 

“But now when I pick up my phone and start surfing, depending on whether I choose 3G or the hotspot at the local Starbucks, there is a world of difference which is not obvious at all to the end user. You get online fine from both places, but when you go online through the operator there’s a firewall, when you go online through Starbucks there is no firewall.”



Hyppönen’s interest is not just that his company develops and sells firewalls for mobile devices, but that with no firewall any mobile device is vulnerable to attacks normally reserved for desktop or laptop computers. Echoing Hawkes, and commenting that the user does not know what he has, Hyppönen says: “Any computer in the world can now connect back to your mobile phone which is online with a public IP address, no firewall and with open ports.”

 

He quickly stresses that the situation is not as bad, and there are far fewer risks than in the days of Windows 98. “I really want to underline, we haven’t seen real attacks or real worms or anything like that, because the number of these devices online is still quite low and trying to find them on purpose is quite hard. But there are loads of bots and automated scripts scanning the net all the time trying to find vulnerable machines, and these things will find mobile phones. They think you are a Windows server or a Linux server and actually you are a hundred pound mobile phone.”

 

Yet for all Hyppönen’s fears for unprotected mobile devices, he is clear about reality today: “The problem right now is not the Bluetooth or mobile malware, it’s the targeted spyware where somebody who wants to spy on you will steal your phone, or borrow your phone for a minute while you are not looking, and install something; it’s the physical security.”

 

Hyppönen points to Flexispy.com where mobile phone spyware kits are traded on the internet. He explains how they may be used for spying on your spouse, your boss, or your competition, recording conversations and forwarding email. It is not illegal to sell such kits.

 

Preventing others from accessing your mobile device and installing malicious software can be difficult, but, as Hyppönen says, “you are only going to be hit by a spying programme if you have something interesting,” so determining your risk of spying or theft should be part of the strategy.

 

Squelching BlackBerries

 

One way to minimise the risk that your device could have applications installed without your knowledge is to password protect the various functions, preventing access to all but authorised users. But there is a balance to be maintained. Steve Corsbie, chief technology officer of Multi-Media International Services, a company with more than 1600 advertising sites in the UK and 700 in Australia and New Zealand, is adamant that adding password protection to his fleet of management BlackBerry devices would be counterproductive to usability.

 

Instead, Corsbie relies on prompt reporting of loss and the knowledge that such events happen rarely. When a loss is reported promptly, the BlackBerry enterprise server can deactivate the device within 20 minutes. “If somebody loses or has the BlackBerry stolen, then that sensitive information is available. But it would have to fall into the hands of somebody that knew how to use that information, and they would have a very small window. There is a concern, but it is very low risk.”

 

Corsbie’s risk assessment told him business continuity was the critical hazard. A mobile device has never been lost or stolen, but three years ago the company suffered a server failure leaving the business blind for days. It prompted an IT overhaul, and proper fail-safe infrastructure, software and procedures were installed, including Tivoli storage management, an offsite backup and automated fail-over to mirrored servers using Double Take software.

 

Further, Corsbie has a strict IT policy governing all aspects of usage and security, setting out forbidden activities, proper procedure and even disciplinary actions should the policy be transgressed. “We had a lot of different people looking at that one document, making sure that the company was protected from all angles, and that the employee was protected in terms of their own privacy,” he says.

 

Policy decision

 

Mark Blowers, security analyst for UK consultancy Butler Group, believes such a policy is the essential component of any mobile device security arrangement. “It’s a cultural thing. People must have an understanding of how dangerous it is when you carry these devices about, and there are certain responsibilities that they have. Having the right policy is key to it, then put in place tools and technology to enforce it.”

 

Blowers is optimistic that most companies now understand the need for a comprehensive policy but believes there is always more work to do. “Security is a moving feast, you’ll never be 100% secure or nobody will be able to use anything. Aim for visibility and control that is linked in, end-to-end, so you’re not just installing a point solution here and a point solution there. You’re only as strong as your weakest link,” he says.

 

And let’s not forget, better mobile device security means that companies can confidently extend their flexible mobile workforce, meaning that next year’s Norovirus outbreak might see staff working at home in good, productive health, rather than facing a choice between doing nothing at home and coming into the office and perhaps falling ill.

 

Disease is as threatening to software as it is to people, but strangely, you can sometimes fight both with your IT strategy.

 
