Mobile devices open to cyber attacks

Issued by ITWeb
Johannesburg, May 6, 2011

Mobile phone users often assume their devices' applications are impossible to hack, and tend to not apply security software to their devices.

This is according to Dr Frans Lategan, Absa security consultant, who will speak at next week's ITWeb Security Summit, to be held between 10 and 12 May at the Sandton Convention Centre.

Lategan will demonstrate how easy it is to extract the contents of an iPhone back-up file, modify the contents, and restore this back to the iPhone.

He will also show how a user's credentials can be exposed on an iPhone, how applications can be modified and even how users can cheat in games. Lategan says the biggest security threat is the loss of the mobile device, and the data it contains.

However, he adds: “Although there have been some instances of viruses and Trojans on mobile devices, they are not yet widespread.”

According to Lategan, losing business data via a mobile device is exactly the same as losing business data through any other means. However, he notes the biggest problem is that it is much easier to lose a mobile device that contains sensitive business information than it is to lose a server or backup tape.

Lategan says another problem with mobile devices is that they are not patched as often as desktop PCs. He explains that many mobile devices are still running on the firmware they were released with, which in some cases can be several years old.

He points out that tablet devices such as the iPad are attractive theft targets for cyber criminals, because business users are storing and accessing valuable information via these tablet PCs.

“Fortunately, they are generally based on cellphone platforms, and can be secured in the same way. For instance, iPads can be secured like iPhones, and Android tablets can be secured like Android phones.”

Lategan believes the BlackBerry mobile operating system has the best security in terms of depth. “iOS, Windows Phone 7 and Android are not as good, though they can be configured to be reasonably secure, unless 'jailbroken'.”

iOS jailbreaking is a process that allows devices running Apple's iOS to remove limitations imposed by Apple. Once jailbroken, iOS users are able to download additional applications, extensions and themes that are unavailable through the official Apple App Store.

According to a Symantec blog post, jailbreaking iPhones has its risks, because it opens the door to devices becoming more susceptible to attack and malware infection.

The security vendor states: “Another concern is the vulnerabilities in the devices the jailbreak code exploits could also be used to carry out malicious attacks.”

“There have been a few instances of malicious Android apps, and of course Android devices are currently the only mobile devices that are Flash-enabled, making them the least secure of the major players,” Lategan notes.

At the sixth annual ITWeb Security Summit, to be held in Sandton, South Africa, from 10 - 12 May 2011, international and local IT security experts will discuss hot topics like Stuxnet, WikiLeaks and data privacy in an increasingly connected world.

The ITWeb Security Summit is South Africa's premier ICT security event. It includes a conference, expo and workshops to inform business managers, CIOs and chief IT security officers about the current and future information security threat landscape.

This year, the event will focus on security in an increasingly connected world, featuring cloud security, web services and online security, as well as the growing trend to use malicious code for industrial espionage and sabotage.

On the agenda are experts from powerhouses like SalesForce, Google and Zynga Game Network, with practical insights coming from leading financial institutions such as Nedbank, Standard Bank, Barclays, Absa, and the Co-operative Bank of Kenya.

Among the key speakers at the event are:

Caroline Wong, strategic security manager at Zynga Game Network. She will explain how to plan for cloud implementations. Wong was formerly the chief of staff for the Global Information Security Team at eBay, where she built the security metrics program from the ground up. She is well known for her expertise in the area of security metrics and has been a featured speaker at numerous industry conferences.

Patrick Gray, host of the RiskyBusiness Security News Podcast. Gray, a renowned international IT security news journalist, will elaborate on the three things that shaped the information security news agenda in 2010: Stuxnet, WikiLeaks and the resulting militarisation of the Internet.

Robert Fly, who heads up the Product Security team at salesforce.com, will take a look at what salesforce.com has done to build a security ecosystem around Force.com and the challenges associated with doing so.

Parisa Tabriz, Google's information security engineer, will describe some of the unique approaches Google's information security engineering team takes to help secure Google's wide array of Web services, including engineering practices and technologies to address common web security bugs.

Other international speakers include:

* Bradley Anstis, VP Technical Strategy at M86 Security, will demonstrate how readily available attack toolkits are used and explain how cyber criminals make their money.
* Greg Day, director of Security Strategy, EMEA at McAfee, will examine how such attacks bypass existing security controls and how they can be stopped.
* Rik Ferguson, Trend Micro's solutions architect, will discuss “life after Stuxnet, what businesses should know”.
* Haroon Meer, lead researcher of thinkst, an applied research company with a deep focus on information security. He will discuss “the IT security lies we tell ourselves”.

Additional highlights at this event will be:

* A one-day workshop on governance, risk and compliance in public and private clouds presented by Dan Crisp, strategic director, Global of Operational Risk Initiatives at Barclays Bank, Caroline Wong of Zynga, and Lynn Terwoerds of the Cloud Security Alliance. The international panel of experts will examine the business and IT processes, which need to be governed in public and private clouds, including the top threats and mitigations with a specific focus on PCI DSS requirements.
* An innovative expo area offering hands-on demonstrations of the latest information security solutions from leading global anti-virus and information security vendors.
* A community hub where infosec bloggers will congregate.

ITWeb Security Summit, visit http://www.securityummit.co.za.

ITWeb's Security Summit 2011

More information about ITWeb's Security Summit 2011, which takes place from 10-12 May 2011 at the Sandton Convention Centre, is available online here.