Izzy 2006, the threat would go undetected. Another issue with signature-based antivirus is that it is reactive instead of proactive. For the threat to be detected it needs to be known first. To become known, the malware needs to have already infected enough machines to garner the attention of the antivirus software vendors. That seems like a bit of a Catch-22 - you'll be protected once enough computers have become infected.
Given the obvious shortfalls of antivirus software, it is easy to understand why zero-day protection is becoming such a hot item. Zero-day protection can identify malware by what it does, not just by how it looks. Protecting against the unknown is certainly the wave of the future when it comes to malware protection. Keep in mind, though, that protecting against malware requires a multifaceted, layered approach. In addition to antivirus software, mobile devices should
* Be equipped with personal firewalls, which can directly help prevent malware, as well as deter its propagation and the extent of the damage
* Have the latest updates, as malware will often take advantage of vulnerabilities that may not be present if the proper updates are installed
* Be configured securely
* Possess available non-traditional antivirus programs, such as zero-day protection, antispyware, etc.
This is very similar to how you would protect a laptop or desktop computer. That's really the point! BlackBerrys, PDAs, and cell phones need to be protected with the same types of software and services as laptops and desktops. Later in this book, specific malware threats and specific preventative security solutions will be covered in detail.
Direct Attack
One of the most dangerous ways a mobile device can be exploited is by a direct attack, in which a hacker finds the device and takes deliberate actions to exploit it.
Mobile users employ their devices in a variety of venues and under a variety of circumstances. To attack the devices directly, a hacker needs to find the device, which can be done a number of different ways.
Perhaps the easiest way to find the device to exploit is to simply see it. If someone is checking their email with a BlackBerry or PDA, or simply speaking on the phone while sitting on a train, all a person with ill intent needs to do is see the device being used. Sounds simple, and it is. Once the device is found and identified, a hacker can determine which exploits to use against it.
Another way is to see the person using the device while actively connected to a network. In some cases a mobile user is more vulnerable when connected to the Internet while in a public Wi-Fi hotspot. If a user is checking their email with a PDA at Starbucks, then a hacker knows there is someone on the network and they can run utilities to determine the device's IP address and launch an attack. I've participated in a number of security videos that show in great detail how to attack a mobile user in a public Wi-Fi hotspot. There are few scenarios in which a mobile user is more vulnerable to attack than this one.
It's not necessary to see the device or the user to attack the device directly. If the device is connected to the Internet, it has an IP address. If it has an IP address it is on a network, and anyone who can get on that network could find that device. If a hacker can determine the IP address of the device and can access that IP address, the device can be attacked from anywhere in the world. A mobile user could be connected to the Internet with their EvDO (Evolution Data Optimized) card while traveling in a taxi in New York, and a hacker sitting on the beach in LA can scan a range of IP addresses and happen to find their device. That's one of the very good and very bad things about the Internet. It enables different devices to be interconnected all around the world, though not everyone connected is acting ethically.
Figure 1.3 illustrates how a hacker can find a mobile device from anywhere in the world. The hacker can use any number of free tools to quickly and easily scan hundreds of thousands of IP addresses. These IP addresses can be assigned to networks and devices anywhere in the world. The scan will then show the hacker which IP addresses have devices attached, and the hacker can then attempt to find more information about the device and launch an attack.
Another method for finding a device is to identify the signals being emitted from the device. Bluetooth is a good example of this. If a Bluetooth-enabled device is in use, a Bluetooth-sniffing tool can find and identify that signal. Once discovered, all types of bad things can be done to exploit the device. I will cover Bluetooth exploitations in detail later in this book.
I've covered how devices can be discovered, but what can be done to devices once they are found? This depends on the particular device and the technologies the device is using. Examples of things that can be done include
* Removing data from the device
* Altering data on the device
* Uploading data (including malware) to the device
* Modifying the device's configuration
* Utilizing the device in an unauthorized manner
* Rendering the device useless
Figure 1.4 illustrates the different direct attack threats to a mobile device. Neither of the examples in the figure bodes particularly well for enterprises. In later sections of this book, specific examples of direct attacks will be illustrated, as will specific applications and actions that can be taken to protect the devices. In a general sense, the following tactics can protect mobile devices from direct attack:
* Personal firewalls can prohibit unauthorized access, as well as help devices become stealthier to avoid detection.
* The latest operating system, application, and antivirus updates remove vulnerabilities that a direct attack would otherwise exploit; an attack cannot take advantage of a hole that the proper update has already closed.
* A secure configuration can leave fewer exploits open.
Data-Communication Interception
Sometimes the easiest and best means of attacking a device is indirect. Many devices are now capable of connecting to other devices and networks. Often these devices can connect via a number of methods. It's this communication that can be hacked and used for malicious intent.
One quick trip to an electronics store will yield a plethora of devices capable of connecting via Wi-Fi, EvDO and other 3G (third-generation) technologies, infrared, and so on. Enterprises are challenged to get their hands around these different types of connectivity and ensure that these connections are secure and that the info being transmitted over these devices is secure and encrypted.
Believe it or not, there are still enterprises out there that do not allow their mobile laptop devices to utilize wireless technology. They view Wi-Fi as simply too dangerous and too difficult to secure. But these companies really don't have a good way to stop their laptops from utilizing Wi-Fi - it's a written policy that they have no way to enforce. When it comes to nontraditional mobile devices such as PDAs, the threat is largely ignored.
As stated previously, mobile devices need at least the same protection as desktop and laptop computer systems. The fact that enterprises will attempt to prohibit Wi-Fi on laptops and have no strategy for PDAs and other devices is quite disturbing. These mobile devices will be used with no enterprise-provided protection or strategy, but they contain the same data and perform the same functions. This is explicitly true when it comes to data-communication threats.
A good way to protect a laptop or desktop computer that utilizes Wi-Fi is to implement WPA2 (Wi-Fi Protected Access 2) technology. That way, there is authentication to the wireless network that is encrypted, and the data being transmitted and received is encrypted as well. Companies implement this technology on their wireless LANs, though 802.1x technology generally isn't used at public Wi-Fi hotspots.
One good way to address this with mobile laptops is to ensure - via technology, not written policy - that VPN tunnels are up and running whenever the laptop is connected via wireless. With split-tunneling disabled, all communication leaving that interface is forced through the VPN tunnel and encrypted, commonly with IPSec via 3DES or AES, or via SSL. This is a good approach, but one rarely considered for mobile devices.
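The split-tunneling point above can be verified on the host rather than trusted to policy. The following is an added example, not code from the book: it parses a Linux `ip route show` table (a constructed sample is embedded), resolves a set of probe destinations exactly as the kernel would (longest prefix, then lowest metric), and reports any destination that would leave on an interface other than the VPN tunnel. The interface name `tun0` and the server address `203.0.113.10` are assumptions; only the host route to the VPN server itself is allowed to bypass the tunnel.

```python
"""Detect split tunnelling in a Linux routing table while a VPN is up.

Added example (not from the book). Assumes Linux `ip route show` output
and a VPN tunnel interface named tun0; the sample table is constructed.
"""
import ipaddress
import re
import subprocess

VPN_IFACE = "tun0"           # assumption: the VPN's tunnel interface
VPN_SERVER = "203.0.113.10"  # assumption: tunnel endpoint (documentation range)

# Constructed sample: laptop on hotspot Wi-Fi (wlan0) with a VPN default
# route on tun0, plus one route that bypasses the tunnel (172.16.0.0/12).
SAMPLE_ROUTES = """\
default via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
172.16.0.0/12 via 192.168.1.1 dev wlan0
"""

# Destinations to probe: public resolvers plus private ranges that a
# split tunnel commonly exposes, and the VPN server itself.
PROBES = ["8.8.8.8", "1.1.1.1", "172.20.5.5", "10.0.0.9", VPN_SERVER]

ROUTE_RE = re.compile(
    r"^(?P<dst>default|\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$"
)


def parse_routes(text):
    """Turn `ip route show` lines into dicts with network, device and metric."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank lines and route types this example does not model
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        metric = re.search(r"\bmetric (\d+)", m["rest"])
        routes.append({
            "net": ipaddress.ip_network(dst, strict=False),
            "gw": m["gw"],
            "dev": m["dev"],
            "metric": int(metric.group(1)) if metric else 0,  # kernel default
        })
    return routes


def exit_interface(routes, dst):
    """Longest-prefix match; lowest metric wins on ties (kernel lookup order)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["dev"]


def split_tunnel_leaks(routes, probes=PROBES, vpn_iface=VPN_IFACE,
                       vpn_server=VPN_SERVER):
    """Return (destination, interface) pairs that would bypass the tunnel.

    The host route to the VPN server must leave on the physical interface,
    so that destination is exempt.
    """
    leaks = []
    for probe in probes:
        if ipaddress.ip_address(probe) == ipaddress.ip_address(vpn_server):
            continue
        dev = exit_interface(routes, probe)
        if dev is not None and dev != vpn_iface:
            leaks.append((probe, dev))
    return leaks


def live_routes():
    """Read the real table on a Linux host (needs iproute2)."""
    return parse_routes(subprocess.check_output(["ip", "route", "show"], text=True))


if __name__ == "__main__":
    leaks = split_tunnel_leaks(parse_routes(SAMPLE_ROUTES))
    print("split tunnel detected:" if leaks else "all probes exit via the VPN", leaks)
```

Against the constructed table the check reports `172.20.5.5` leaving on `wlan0`: the tunnel's default route wins for public addresses, but the more specific `172.16.0.0/12` route steers that private range around it, which is exactly the kind of gap a written policy never catches. Swap `SAMPLE_ROUTES` for `live_routes()` to run it on a real host.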
When mobile devices connect to public Wi-Fi hotspots, enterprises generally ignore the threat and pretend there really isn't any of their data being transmitted from mobile devices over unprotected wireless networks. Clearly, not admitting there is a problem doesn't make it go away. Without question, mobile workers will use their PDAs and other devices for tasks such as checking email and sending instant messages. As with a laptop, this information can be easily sniffed and is therefore susceptible to exploitation. You'll learn exactly how later in this book.
Figure 1.5 illustrates the sniffing of data in a public Wi-Fi hotspot. In this example, a PDA is connected at the hotspot and the user is sending instant messages to a coworker. Because the data being transmitted wirelessly is not encrypted, it can be viewed by anyone within range. The data shown in the figure is actual data sniffed from a Yahoo! Messenger session.
Another consideration is that new mobile devices are coming with Bluetooth technology. This can be particularly helpful when using wireless headsets for phone conversations and for synching Bluetooth-enabled devices with other Bluetooth-enabled devices. As with Wi-Fi technology, this information is flying through the air and can be sniffed.
Often people think of Wi-Fi and are aware and concerned that the data is flying through the air. Sometimes, though, they overlook another threat associated with Wi-Fi: access point (AP) phishing. If a user attempts to be productive by using their Wi-Fi-enabled PDA while standing in line to board a plane, what mechanism do they have in place to ensure that the Wi-Fi hotspot to which they are connecting is valid and not malicious? AP phishing is an attack in which a hacker configures a fake wireless access point (WAP) and attempts to trick users into connecting to it. Users may think they are connecting and entering authentication or credit card information into a valid hotspot, but they are actually doing so into the hacker's hotspot. I cover this in greater detail later in the book.
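The question the paragraph poses, "what mechanism do they have in place," can be answered with a small client-side check. The following is an added example, not code from the book: it takes the list of access points from a Wi-Fi scan (a constructed sample is embedded) and flags an SSID when its APs advertise more than one security mode, the classic sign of an open fake AP parked next to a real WPA2 network, or when a hotspot the user has recorded on a previous, verified visit now appears from a BSSID that was not there before. The `TRUSTED_APS` table and all BSSIDs are assumptions.

```python
"""Flag likely access-point phishing (evil twin) in a Wi-Fi scan.

Added example (not from the book). The scan results and the trusted
BSSID list are constructed; a real tool would fill them from the OS's
Wi-Fi scan and from BSSIDs recorded on an earlier, verified visit.
"""
from collections import defaultdict

# Assumption: BSSIDs the user recorded when the hotspot was known-good.
TRUSTED_APS = {
    "Airport_Free_WiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}

# Constructed sample scan: two legitimate airport APs, one rogue AP that
# reuses the SSID with no encryption and a strong signal, and a cafe AP.
SAMPLE_SCAN = [
    {"ssid": "Airport_Free_WiFi", "bssid": "00:11:22:33:44:55", "security": "WPA2", "signal": -60},
    {"ssid": "Airport_Free_WiFi", "bssid": "00:11:22:33:44:56", "security": "WPA2", "signal": -67},
    {"ssid": "Airport_Free_WiFi", "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "signal": -40},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:dd:ee:01", "security": "OPEN", "signal": -55},
]


def suspicious_networks(scan, trusted=TRUSTED_APS):
    """Map SSID -> list of reasons it looks like it may be phished."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)

    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        # All APs of one real network share a security mode; an open AP next
        # to WPA2 APs with the same name is the classic evil-twin pattern.
        modes = sorted({ap["security"] for ap in aps})
        if len(modes) > 1:
            reasons.append("mixed security modes: " + ", ".join(modes))
        # A previously recorded hotspot now advertising from a new BSSID.
        if ssid in trusted:
            unknown = sorted(ap["bssid"] for ap in aps
                             if ap["bssid"] not in trusted[ssid])
            if unknown:
                reasons.append("unrecorded BSSID(s): " + ", ".join(unknown))
        if reasons:
            findings[ssid] = reasons
    return findings


def safe_to_join(ssid, scan, trusted=TRUSTED_APS):
    """True only when nothing about the SSID's APs looks spoofed."""
    return ssid not in suspicious_networks(scan, trusted)


if __name__ == "__main__":
    for ssid, reasons in suspicious_networks(SAMPLE_SCAN).items():
        print(ssid)
        for reason in reasons:
            print("  -", reason)
```

On the sample, `Airport_Free_WiFi` is flagged for both reasons and `CoffeeShop` is not. The second heuristic only works if BSSIDs were recorded on a visit where the hotspot was verified some other way; the first works cold, but a large venue that legitimately mixes open and WPA2 networks under one name will trip it, so treat a finding as a reason to stop and check, not as proof.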
Protecting against data-communication interception includes
* Ensuring that data being transmitted to and received by a device is encrypted
* Ensuring that best practices are implemented when utilizing Bluetooth and other technologies
* Ensuring that network/connection interfaces are disabled when not in use
Authentication Spoofing and Sniffing
Whether you're logging into a T-Mobile Wi-Fi hotspot or accessing Yahoo! Mail, authentication takes place. This authentication verifies the identity of the person attempting to get access to the resource, which makes perfect sense. You don't want just anybody checking your email. You also don't want just anybody using your T-Mobile account for Internet connectivity, as you can incur additional charges. With mobile devices, the threat of authentication spoofing becomes considerably more prevalent.
When I worked at UUNET (an ISP) there were issues with dial-up fraud in Russia. Basically, groups would steal usernames and passwords from mobile users and use them to gain dial-up access to the Internet. You could just create a Microsoft Dial-Up Network Connection, enter the stolen username and password and get free Internet access. The problem was that this was done on a massive scale, where victimized companies would incur charges of thousands and thousands of dollars for Internet access that was being used by unauthorized people. The problem was very serious.
This threat is just as real now as it was back then. Some things have changed from a technological standpoint, but groups still can steal credentials for Internet access - these days it's mostly for public wireless hotspot Internet access. Credentials for means of access still need to be protected.
Excerpted from Blackjacking by Daniel V. Hoffman. Copyright © 2007 by Daniel V. Hoffman. Excerpted by permission.