CLLB Information Security Newsletter. Volume 2 Number 6 June 2009.


From the Desk of David Badertscher
All This Functionality in One Device!

Mobile communication devices (including BlackBerrys, iPhones, and smartphones in general) have become indispensable tools for today’s highly mobile society. Small and relatively inexpensive, these multifunction devices can be used not only for voice calls but also for text messages, email, and Internet access, along with stand-alone applications similar to those run on a desktop computer. A significant amount of personal, private and/or sensitive information may accumulate on or be accessed via these devices. Additionally, some of these devices may allow you to access your home computer or your corporate network.

What Risks Do They Present?

While the devices offer many benefits and conveniences, they also pose risks to your security and/or your organization’s security. As these devices continue to take on the characteristics of personal computers, they also inherit the same potential risks. Some of the primary risks include the following:

The portability of the device leads to a higher likelihood of loss of the device. Millions of mobile communication devices are lost each year.

When Bluetooth and/or wireless (not cellular) communications are enabled, these devices are subject to the risk of eavesdropping and “hijacking”.

“Malware” is available that, if installed on your device, can allow a perpetrator remote access to your device to listen to and record all of your calls, send text messages to the perpetrator whenever you make or receive a call, read all of your messages, make calls on your behalf from your phone, access all of the information on your phone, trace your location and enable the speaker functionality on the phone to listen in on conversations even when the phone is not in use.

Sites purporting to offer “free games or ring tones” are major vectors for distributing malware.

While the number of reports of worms and viruses affecting these devices is relatively low, it is expected to increase in the future.

Despite the risks outlined above, many users do not understand how vulnerable their mobile device is or how to deploy important security settings and controls.

What Can I Do to Secure My Mobile Communication Device?

The following outlines steps you can take to protect your mobile communication device. Some of the steps are dependent upon the functionality of your device.

Use a password to access your device. If the device is used for work purposes, you should follow the password policy issued by your organization.

If the Bluetooth functionality is not used, check to be sure this setting is disabled. Some devices have Bluetooth enabled by default. If the Bluetooth functionality is used, be sure to change the default password for connecting to a Bluetooth-enabled device.

Do not open attachments from untrusted sources. Similar to the risk when using your desktop, you risk being exposed to malware when opening unexpected attachments.

Do not follow links to untrusted sources, especially from unsolicited email or text messages. Again, as with your desktop, you risk being infected with malware.

If your device is lost, report it immediately to your carrier or organization. Some devices allow the data to be erased remotely.

Review the security settings on your device to ensure appropriate protection. Be sure to encrypt data transmissions whenever possible.

Enable storage encryption. This will help protect the data stored on your device in the event it is lost or stolen, assuming you have it password protected!

Beware of downloading any software to your device. If the device is used for work, follow your organization’s policy on downloading software.

Before disposing of the device, be sure to wipe all data from it and/or follow your organization’s policy for disposing of computer equipment.

For more information on securing mobile communication devices, please visit:

National Cyber Alert System – Cyber Security Tip ST06-007, Defending Cell Phones and PDAs Against Attack
http://www.us-cert.gov/cas/tips/ST06-007.html

NIST Special Publication 800-124, Guidelines on Cell Phone and PDA Security
http://csrc.nist.gov/publications/nistpubs/800-124/SP800-124.pdf

FTC Consumer Alert – The 411 on Disposing of Your Old Cell Phone
http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt044.shtm

WTHR News story on “Tapping Your Cell Phone”
http://www.wthr.com/Global/story.asp?s=9346833

McAfee – The Web’s Most Dangerous Search Terms
http://us.mcafee.com/en-us/local/docs/most_dangerous_searchterm_us.pdf

*The above comments are based on information tips provided by the Multi-State Information and Analysis Center (MS-ISAC). To learn more about MS-ISAC go to http://www.msisac.org/

OTHER NEWS:

DON’T FALL FOR JURY DUTY SCAM.
The phone rings, you pick it up, and the caller identifies himself as an officer of the court. He says you failed to report for jury duty and that a warrant is out for your arrest.

You say you never received a notice. To clear it up, the caller says he’ll need some information for “verification purposes”: your birth date, Social Security number, maybe even a credit card number.

This is when you should hang up the phone. It’s a scam!

Jury scams have been around for years, but have seen a resurgence in recent months.

Communities in more than a dozen states have issued public warnings about cold calls from people claiming to be court officials seeking personal information. As a rule, court officers never ask for confidential information over the phone; they generally correspond with prospective jurors via mail.

The scam’s bold simplicity may be what makes it so effective. Facing the unexpected threat of arrest, victims are caught off guard and may be quick to part with some information to defuse the situation.

In recent months, communities in Florida, New York, Minnesota, Illinois, Colorado, Oregon, California, Virginia, Oklahoma, Arizona and New Hampshire reported scams or posted warnings or press releases on their local websites.

The jury scam is a simple variation of the identity-theft ploys that have proliferated in recent years as personal information and good credit have become thieves’ preferred prey, particularly on the Internet.

Scammers might tap your information to make a purchase on your credit card, but could just as easily sell your information to the highest bidder on the Internet’s black market.

Protecting yourself is the key: Never give out personal information when you receive an unsolicited phone call.
