
Defense in Depth

Read all 'VeriSign' posts in Defense in Depth
October 22, 2008 12:09 PM PDT

Mobile phone malware in our future?

by Robert Vamosi

Last week, a new report (PDF) on emerging threats from the Georgia Tech Information Security Center mentioned, among other predictions, that botnets were likely to hit mobile phones sometime in the next year. On Tuesday, I spoke with VeriSign CTO Ken Silva about that possibility and why it might happen within the coming year.

"Criminals will go where the money is," Silva told CNET News. "If you start doing things of financial interest with your mobile phone, they will find a way to get your money."

Silva said the mobile phone market is changing. Today's mobile phones don't just make phone calls, they stream video and support content. "Most consumers did not care about a smartphone until Windows Mobile, the Apple iPhone, and now Google Android came along. Now more and more consumers want smartphones. Kids want them; it's a cool phone to have."

Silva said that smartphones tend to use either Java-based Blackberry OS, Mac OS, or Windows Mobile OS as platforms, and it is this standardization of operating systems that should make it easier for criminals to target their victims. The way mobile users browse the Web already is standardizing. With Windows Mobile you have Internet Explorer, and on Apple's iPhone you have Safari. Both of these browsers have vulnerabilities that can be exploited, although not always on the mobile version.

Another compelling reason to think malware is coming soon to your smartphone is more bandwidth. Because of the streaming media options, this year's phones process data much faster than last year's models.

One possible malware vector might be new application downloads. "People are thirsty for applications to run on their devices," Silva said. "Despite the fact Apple has gone to great lengths to make sure the applications are signed (and) have gone through a vetting process, users continue to break their iPhone and install software outside the channel."

Silva doesn't, however, think denial-of-service (DoS) attacks will be the first choice of botnets operating on mobile phones. For one thing, DoS attacks require always-on computers, and mobile devices are not always on or connected to the Internet.

He ranks DoS attacks second behind data theft. "These smartphones now have e-mail on them--and also corporate e-mail on them. We're doing more personal transactions with them." Silva thinks it's the rise of mobile payments and the popularity of banking on mobile phones in Europe and Asia that are leading malware to the mobile phone.

"If we've learned nothing else from the desktop, we should have learned that software needs to be secure right from the get-go." We have an opportunity on the mobile platform to write secure code, he said, knowing what has happened on the desktop.

As for the current status of botnets operating on mobile phones: "Definitely theoretical." But Silva adds, "Someone--just to prove the point--will develop a toolkit to do it." So it's never too early to be thinking about this problem.

April 3, 2008 11:36 AM PDT

VeriSign expands its two-factor token network

by Robert Vamosi

On Wednesday, VeriSign invited companies to join their VeriSign Identity Protection (VIP) Network by announcing the VIP Quick Start. As encouragement, vendors who sign up between now and September 30 will receive 5,000 free tokens to distribute to their customers. The customers can then use the tokens on any of the participating VIP sites.

VIP is part of a two-factor authentication process created by VeriSign. Customers are given tokens or cards that display a digital password that's time-synced with a server on the corporate back end. When you go to access the site, you simply enter the digital code displayed on the token or card. The code is then refreshed. This extra step in using one-time passwords is designed to prevent Internet identity theft, phishing, and online financial fraud.

The news on Wednesday is that many sites, including the initial dozen or so that have been testing the program, will now offer the use of the VeriSign tokens or cards, so that if you register with Charles Schwab, you can use the token on eBay as well.

Fran Rosch, vice president of identity and authentication services at VeriSign, likened the experience to using an ATM. "You can go to any ATM, even one that isn't your own bank's, and still withdraw cash so long as your bank card includes one of the ATM network logos (for example, Plus or Star)." With the VIP token, a customer need only see the VeriSign Identity Protection logo to use the token on that site.

At next week's RSA 2008 conference in San Francisco, VeriSign will hand out tokens to participants who register with VeriSign at the show, while supplies last.

March 20, 2008 12:44 PM PDT

VeriSign expands plan to strengthen Net infrastructure

by Robert Vamosi

Update 3:15 p.m. PDT: The headline and opening sentence have been changed to clarify that VeriSign is expanding its Project Titan initiative to strengthen and secure Net infrastructure.

On Thursday, VeriSign announced plans to increase the level of security within Project Titan, a global initiative to expand the infrastructure of the Internet to anticipate future demand brought by increased e-commerce transactions.

In its announcement, VeriSign said that it is going to spend more than the $100 million-plus initially budgeted.

One of the goals of Project Titan is to increase the overall capacity of the Internet to sustain a predicted increase in the daily load of Domain Name Server (DNS) queries. DNS is how a domain's common name (say CNET.com) is converted to its Internet address consisting of numbers. It also allows major companies to move their Internet-facing servers yet keep the common name for their customers.

The DNS system handles about 400 billion queries today; VeriSign predicts a load of 4 trillion queries by 2010. To do this, Project Titan will better distribute the current infrastructure so that the .com and .net systems will have greater redundancy and reduced latency. This should improve the end-user experience by reducing bottlenecks and increasing speed despite ever-increasing demand. It will also introduce more security to prevent attacks on the DNS system.


About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
