Archive for the ‘Phones’ Category
Smishing
Have you heard about Smishing? Apparently, that’s what you call it when you get a phish SMS on your cell phone. The scenario is the following: you get a suspicious SMS with a link in it, you follow the link which downloads a file, you are asked if you want to install the file, you agree and install it, and finally you get some trojan that hoses you. Totally a raw deal for the phone user. Although sometimes you have to draw a line in the sand, and I’m *not* going to call it smishing. Really, it sounds too dumb. So I’m just not gonna do it.
Ancillary to that, I’m less concerned about the phone-phish (see, not calling it smishing) that installs a trojan and more concerned about the phishing that asks you for information like your profile password, PIN, or other information. A few weeks ago, I probably would have discounted this as something serious to worry about, but then I got signed up for DateSite and now I fully understand the power of the nagging, insistent, and unstoppable SMS. Seriously, if my phone lights into “This Corrosion” or whatever at 2AM, I think I’d be ready to give away just about any information they want if that’ll get the texting to stop.
In other, totally unrelated, news – AT&T Loses all our data.
CA’s Right on the Money
Computer Associates slapped F-Secure the other day for hyping up phone-borne malware when no real threat exists. Check it out; CA’s Simon Perry had this to say:
“While F-Secure’s bankers and owners may be pleased with the cash flowing into their coffers from the deal, every security professional should be appalled by the perception this creates of our market. Industry and vendors are now more consultative and honest about risks, not just beating something up to sell it. F-Secure has done the industry a disservice.”
And he’s right. Despite what McAfee told us about 2006 being the “year of mobile malware”, we still have yet to see any significant traction from phone-borne malware. F-Secure’s retort acknowledged this:
It’s not a global epidemic, but there are real people who have got it. There have been several tens of different viruses
Mobile Malware vs. the Goat Sucker
Have you ever heard of “El Chupacabra?” Well, just in case you haven’t, El Chupacabra (in English, the “goat sucker”) is a South American spiked, fanged, goat-eating beast that strikes terror in residents of Puerto Rico and (more recently) South and North America. There’ve been hundreds of Chupacabra sightings in the past decade, and there are thousands of people (smart, educated people) the world over who swear that the Chupacabra exists. But scientists disagree. Scientists argue that the Chupacabra is “mass hysteria” (“folie
Phone Malware (again)
I’m getting sick of the whole “malware on the phone” propaganda; I’ve been saying that phone-borne malware is not “brewing like bird flu” for years now. However, every few weeks, the press picks up and runs with some story about how huge a problem it is. The stories typically have quotes from certain AV vendors spinning a tale of woe about how phones are a ticking time-bomb of infestation – a veritable petri dish of scum. I would like to (once again) attempt to put this into proper perspective.
For example, this week BusinessWeek is running a story called “If Not Now, Soon” about how Mobile Viruses are going to be a huge issue in 2006 – or if not in 2006, then at least by 2009. The thing about making predictions four years out is that nobody remembers (or cares by that point) whether or not they come true.
I’m not saying that the article is in the wrong – I am saying, however, to read between the lines of who says what. First and foremost, who is the loudest voice in the phone-borne malware camp? In this article, the sources most quoted are Trend Micro and Symantec; in other articles, you’ll see names like F-Secure, McAfee, Sophos, etc. These are all vendors who have some interest in selling phone-borne malware products; these vendors are not dishonest – they just believe that malware is the most important thing (hence why they are in the AV business.) From their point of view, of course phones will run malware – why wouldn’t they?
Look, it’s going to take a lot more than smarter phones to make malware a problem on these platforms. There are a number of reasons that phone-borne malware isn’t huge over and above smarter phones: phone models and brands are diverse, there’s not a ubiquitous population of smart-phones, inter-phone application sharing is rare, etc. In other words, we don’t just need a change in how many smart-phones are out there to see the malware rate increase, we need a fundamental change in the way that people use their phones. Take, for example, mass-mailers; on the PC, these spread because we are used to opening executable content from friends. When was the last time you exchanged executable content with a friend via your phone? Never? Once? Until how we use the phone changes, mass-mailers are unlikely to work.
Look, my point isn’t that phone-borne malware is a non-issue – it’s important to keep your head out of the sand. All I’m saying is to use discretion when reading articles like this. Right now, the generally-recognized “malware experts” are the AV folks – and the AV folks are predisposed to see stuff like this as a huge issue (when maybe it isn’t all that big after all) because of the business they’re in.
Not very heartening news from the “Secure Phone” Front
Secure phones no obstacle to wiretapping – US Govt.
The Register quotes from the recent US gov’t report on wiretapping and provides comments and analysis from crypto-pundit Bruce Schneier.