Security looms as growing mobile problem

Experts warn businesses and individuals of escalating risks

Internet security experts are warning that mobile Internet users are facing a rapidly escalating threat from hackers and spyware.

As the computing capacity and the popularity of small mobile devices and gadgets have increased, so have the risks of attack from other mobile devices and computers, creating a growing threat of mobile users losing their privacy or confidential business data.

International computer security firm Symantec said in a recent Internet Security Threat Report that a massive threat volume of more than 286 million new threats were detected last year, accompanied by several new megatrends in the threat landscape.

Security experts say that once a hacker has successfully gained access to a computer network via a mobile device, it is very difficult to prevent illegal activities such as data leaks, malware infections and privacy violations.

The president and founder of ACIS Professional Centre, Prinya Hom-Anek, said that mobile devices now had all the functions of a desktop computer. Therefore, it is necessary for users to protect their information and control the data available to mobile devices so as to avoid attacks upon their networks and loss of privacy and data.

At present, he pointed out, there was no anti-virus protection for mobile devices.

Prinya said businesses using mobile devices should understand the threats inherent in the practice. They should establish a primary policy relating to information that can be accessed via mobile devices and educate their mobile users on habits to adopt to minimise risks of attack.

Hackers are, these days, able to approach mobile devices with cookie attacks, e-crimes and smart-phone spyware, involving GPS location maps, SMS logs, SMS details and GPS tracking.

He said mobile users should be concerned about their GPS privacy. Geo-location or location services are activated on smart phones by default, and the physical locations of both current and historical users can be continuously tracked. Mobile-phone markets create a database that identifies and records the location of all mobile cell towers and Wi-Fi access points. Rootkit attacks by hackers on smart phones or upcoming tablet computers may become a lot more devastating because smart phone owners tend to carry their phones with them all the time, he said.

S-Generation chief executive Chaiyakorn Apiwathanokul said that information security on mobile devices was a very important issue for individuals and businesses.

He said executives should develop a policy, standards and tools to control their organisation's information so as to prevent it being downloaded by computer criminals. Owners and enterprises using mobile devices should regard mobile security applications as essential for the protection of their privacy and their business data.

NForce Security Systems managing director Nakrop Niamnamtham said research studies had found that the role of mobile devices in business would grow to the point where, next year, the number of new smart phones and tablet PCs would outpace desktop computers and notebooks.

Therefore, users and business should have security applications in place, such as encryption, in order to protect their mobile devices from data threats and illegal access.

Sourcefire's security architect Suwitcha Musijaral said that security on mobile devices should be a matter for both mobile users and mobile operators.

The operators are beginning to be concerned about illegal information on their networks that might be affecting mobile users. They are providing a "basic level" of security to support and protect mobile users from virus and spyware attacks.

"I think it is important that mobile users should protect themselves from attack on the network, such as updating anti-virus applications to protect thread information and data such as pictures and telephone numbers," he said.

In a recent Internet Security Threat Report, global security firm Symantec said there had been dramatic increases in both the frequency and sophistication of targeted attacks on enterprises. Social-networking sites are increasingly being used as attack-distribution platforms and there has been a change in attackers' infection tactics. Increasingly, they are targeting vulnerabilities in Java to break into traditional computer systems.

Symantec's report explores how attackers are exhibiting a notable shift in focus toward mobile devices.

It finds that an overwhelming majority of attackers have leveraged the news-feed capabilities provided by popular social-networking sites to mass-distribute attacks. In a typical scenario, the attacker logs into a compromised social-networking account and posts a shortened link to a malicious website in the victim's status area. The social-networking site then automatically distributes the link to news feeds of the victim's friends, spreading the link to potentially hundreds or thousands of victims in minutes.

Last year, 65 per cent of malicious links in news feeds observed by Symantec used shortened URLs. Of these, 73 per cent were clicked 11 times or more, with 33 per cent of them receiving between 11 and 50 clicks.

Symantec said the major mobile platforms were also becoming sufficiently ubiquitous to attract the attention of attackers. It expects attacks on these platforms to increase.

In 2010, most malware attacks against mobile devices took the form of Trojan Horse programs that posed as legitimate applications. While attackers generated some of this malware from scratch, in many cases, they infected users by inserting malicious logic into existing legitimate applications. The attacker then distributed these tainted applications via public app stores.

While the new security architectures employed in today's mobile devices are at least as effective as their desktop and server predecessors, Symantec said attackers could often bypass this protection by attacking inherent vulnerabilities in the mobile platforms' implementations. Unfortunately, such flaws are relatively commonplace - Symantec documented 163 vulnerabilities last year that could be used by attackers to gain partial or complete control over devices running popular mobile platforms. In the first few months of this year, attackers leveraged these flaws to infect hundreds of thousands of unique devices.

According to Internet-security firm Mocana, it is no surprise that 47 per cent of organisations do not believe they can adequately manage the risks introduced by mobile devices. Neither is it surprising that more than 45 per cent of organisations say security concerns are one of the biggest obstacles to rolling out more smart devices.