The Digital TV Blog ...


Tuesday 27 September 2011

AVG Anti-Virus Free for Android has your back

PCs are certainly the most common target for virus attacks, but this does not mean that other platforms are immune. The increased use of mobile devices means that platforms such as Android devices are prone to virus infection and antivirus software is now available to help counter this. AVG is most famous for its desktop virus protection software, but Anti-Virus Free is also available for Android and its aim is to protect your mobile in a number of ways.

As you might expect, the app provides virus protection on a real-time basis as well as enabling you to scan on a schedule or manually. Surfing the web is the source of many threats, and to this end the app includes phishing and malware protection. But Anti-Virus Free also goes far beyond this, and includes a number of handy extra tools and utilities.

If your phone is lost or stolen, there are a couple of remote tools that will be of interest. The app can be used to remotely switch on GPS and then broadcast the location of your phone so you can go and pick it up. Remote locking is also available so you can prevent a thief or anyone that should find your phone from running up a huge bill or prying into your personal information.

While AVG’s focus is understandably on avoiding virus infection and other threats, data protection is also important. There is a beta version of a backup utility that can be used to back up your text messages, contacts and other data, while a task management tool is available to enable you to kill apps and processes that become problematic.

You can find out more and download a free copy of the app by paying a visit to the Anti-Virus Free review page.

Smartphones putting company security at risk

According to research carried out by Gartner, smartphones may be endangering company security as their popularity continues to grow.

More and more employees are using smartphones instead of laptops to access company email and connect to company networks when they are out of the office.

Sales of mobile devices in the second quarter of this year grew 16.5% year-on-year, whilst for smartphones the figure was 74%, accounting for 25% of overall sales. This has risen 17% since the previous quarter in business sales.

Wick Hill Group plc have warned that this raises key issues pertaining to security which companies have given little or no thought to.

It is thought the biggest threat is that these devices are more often lost or stolen than many of the larger devices, such as laptops and netbooks.

Research by getsafeonline shows that 1 in 5 smartphone owners can expect to lose, or have lost, their device at some point. It is also thought that people consistently lose their phones in London taxis, with “a fairly consistent 10,000 per month” devices left in the vehicles.

It is also believed that phones connected to a VPN could be at risk of becoming infected with malware or being hacked.

Philippe Winthrop, an analyst at consultancy Strategy Analytics, commented: “If I take your device and muck around with it, what if the VPN is set up on it? It’s a huge risk not being dealt with enough today.”

Getsafeonline’s Tony Neate says: “Users must remember that they are essentially carrying around a tiny laptop with a wealth of personal information that is very attractive to fraudsters.”

Smartphone security has become high profile recently as the infection rate in Android devices has risen dramatically. Many don’t realise that there is a need for security software to be installed on the devices, leaving them open to different kinds of attack.

Security experts have warned that smartphones now represent the easiest way for criminals to steal personal information and use information fraudulently.

Bearing this in mind, it is more important than ever for companies to have security policies and implement protective measures across the business.

This is especially true when companies allow employees to use their devices for both business and personal use.

The mixture of voice and data also means that firms have failed to take into account the additional security issues that this could raise, especially when it comes to secure connections.

According to the report, there are a number of steps that businesses can take to better protect devices used by employees.

These include setting up a PIN in order to secure the phone and not relying on default settings.

There should also be a facility which allows the data on the device to be wiped if a criminal should attempt to enter the PIN more than three times.

A central management system should be set up in order to prevent a phone being used in the event that it is lost or stolen.

Another recommended step is to install GPS tracking and a “SIM watch” which sends any new number back to the company if a new SIM is placed into the handset.

As with personal phones, it is also a good idea to make a note of the IMEI numbers of company phones. If a device is lost or stolen, the number is placed on a database and blocked, meaning that it can no longer be used.

Further useful advice is to simply treat the devices as you would a PC and train employees to take care when opening mail or clicking on links.

As with computers on a network, companies should install antivirus solutions and ensure that these are properly licensed and kept up to date.

Monday 26 September 2011

mysql.com hacked and serving malware, stolen data sold on hacker forums

Users visiting mysql.com are being infected with malware, say security researchers. According to security firm Armorize, the hack is delivering malicious code through the use of an iFrame which in turn infects users with the Black Hole exploit.

Black Hole exploits security holes within the user's browser -- including plugins -- to find a hole through which a piece of malware can be installed without the user's consent. Users would not need to agree to anything: Armorize found that simply visiting the site will lead to an infection.

The firm has tracked the two malware-serving domains to Florida and Sweden. The attacker is unknown, and as of Monday afternoon the site was still serving malware to visitors. Obviously use of mysql.com is being discouraged as a result until the all-clear is given, which had not occurred as of Monday afternoon.

"There's a lot of potential damage here and we need answers from MySQL ASAP", Kaspersky senior researcher Roel Schouwenberg told Betanews. "User credentials may be compromised. People are strongly advised to change their passwords on other sites if the same password was used for mysql.com".

Making matters worse, in its own research Trend Micro found that root access to mysql.com is being sold in Russian underground hacker forums. For $3,000 USD, hackers are being permitted to use a shell console from the seller to gain access to mysql.com's servers.

"We contacted MySQL.com about this issue last week," Trend Micro's senior threat researcher Maxim Goncharov said. "We are making this public to stress the fact that hackers do not only profit from selling stolen data or by inserting bad links into spammed or phishing messages, websites and other possible infection vectors".

Schouwenberg emphasized: "People should be extra suspicious of phishing emails. If the bad guys managed to get access to email addresses we may see 'please install this MySQL update'-type emails shortly".

Are Apple products really more secure?

One thing I hear regularly when working in the computer security field is comments from Apple users along the lines of: "Why doesn't everybody use Apple because there are no viruses for Macs?" or "All viruses target Windows because Windows sucks so bad" or "Microsoft is the target because Microsoft sucks!"

None of these comments are based on accurate information about the real security situation facing Apple products. In fact, I would claim that the current security level of Windows 7 is better than on Mac OS X, and that it's more likely we will see a major mobile worm outbreak on iPhone than on smartphones running Windows Phone.

Some years ago, Apple was running a version of their popular "I'm a Mac" TV ad campaign. This particular ad made fun of the PC and the high likelihood of virus infections. Macs, on the other hand, simply had no virus problems, at least according to the advert. This kind of an attitude is still quite common among Mac fans.

What those same Mac fans don't want to hear is the simple truth that the current version of Mac OS X operating system isn't in any significant way more secure than Windows 7. The main reason why Macs have not been attacked more is because there are so few of them compared to PCs. In other words, they simply have not been a very interesting target for online criminals because there is a lot more money to be made from the much larger number of people using PCs.

This is changing, however. Apple laptops especially have been gaining in popularity, and in some markets 10 percent or more of new laptop sales are already Macs. This is starting to make them a more lucrative target for online criminals.

Attitudes inside Apple are changing, too. The latest release of the OS X operating system actually has an extremely simplified antivirus program built-in. Apple also released this statement: "With virtually no effort on your part, OS X offers a multilayered system of defenses against viruses and other malicious applications, or malware".

We see all this in our labs here at F-Secure. In fact, years ago we used to have our own Mac antivirus product but it was discontinued in 1998 because there was no market for it. Now we have seen more than one hundred new Mac OS X viruses and Trojans, so we are bringing the product back to the market.

Target: iPhone

The situation regarding iPhone is also very interesting. If we look at the global market shares of the smartphone operating systems, Symbian had traditionally been the king of the hill, with more than 50 percent of all smartphones running it; but Symbian's share is falling fast -- beaten back by surging Android and iPhone sales and Nokia's transition to Windows Phone 7. Symbian's market share, based on actual sales to end users, fell from 40 percent to 22 percent year over year in the second quarter, according to Gartner. In less than four years, the iPhone has gained more than 18 percent of the smartphone market and its share is still growing fast.

The amount of underground interest in the iPhone has been phenomenal. On the iPhone, you can't install unapproved third-party applications, and you can't use it with the cell phone carrier of your choice. These kinds of restrictions are not taken lightly by the computer underground and as a result, there is a vast amount of information on iPhone internals available on hacker boards and elsewhere.

According to one study, 7 percent of iPhone users have already 'jailbroken' their devices, which means removing all the restrictions on the device so they can use it as they want.

Jailbreaking is dangerous, and we do not recommend it. The main reason why we haven't seen more mobile malware on any smartphone platform is exactly because the code signing or application approval mechanisms make it harder to create simple Trojans or other malware.

Think about it. On all the popular computer operating systems, the application development is totally open. Anybody can write applications and anyone else can run them. This is not the way it works on mobile phones. Anybody can write code, but the code can be run by others only if it is approved by the vendor. This is a major difference in mindset.

The first iPhone worms targeted jailbroken devices, which remain the most vulnerable. Infecting such devices is much easier than trying to access the standard device. Interestingly, while we haven't seen many financially motivated attacks on smartphones, the second known iPhone worm was a banking Trojan. In this particular case, the Trojan targeted customers of a particular Dutch bank and redirected them to a copycat site when they tried to do online banking from their phone. We do not believe this attack was particularly successful in stealing money, but it's a clear sign of the kinds of risks that we expect to see more of in the future. Newer Trojans pose greater risk.

Malware that infects iPhones or any other smartphones can also make phone calls, which are also money transactions since you pay money for each call, especially if the call is to an expensive premium-rate number.

However, so far we haven't seen massive mobile malware that infects large numbers of smartphones through these exploits. The attacks either rely on the user to install the malware because he or she thinks it is something useful, or use known system passwords to gain access, like the first iPhone worms did. It’s also perfectly possible that we will see more exploit-based worms on standard iPhones in the future. In theory, such worms would be able to go around the world in minutes. F-Secure identified the first iPhone Trojan more than three-and-a-half years ago, and luckily that was just a prank. The clock is ticking.

It's also possible that some criminals will come up with ways of subverting the iPhone signing process. We have seen similar systems bypassed before. For example, a malicious application could be submitted for approval as something harmless, and it would activate at a later date or based on some other threshold.

Finally, it’s worth remembering that even if Apple users don't have as many viruses to worry about, they do still have the same amount of spam and phishing emails as anyone else. So at least some data security headaches are distributed democratically.


Mikko Hypponen is the Chief Research Officer for F-Secure and is based in Finland. He has worked with computer security for more than 20 years. Please follow him on Twitter.

Sunday 12 June 2011

More hacking, this time aimed at the IMF

These days you can’t fire your browser up in the morning without being confronted by another story about an Internet security breach.

And the latest prestigious organisation to have admitted that its network security was foiled is the IMF or International Monetary Fund.

The global financial watchdog has been having a hell of a time of it lately anyway, what with trying to maintain the spinning plates of a number of European economies about to come crashing down, and the scandal involving accused ex-boss Dominique Strauss-Kahn and a hotel maid.

Earlier this year, the IMF said it suffered a breach of a “very major” nature, the BBC reports. It was initiated with the aim of installing an inside presence to bug the goings-on within the worldwide financial organisation.

That’s very valuable data, of course, as the IMF’s talks and manoeuvrings will likely reveal which other economies are on the brink of the abyss, market information which could be used for gain.

All a spokesman for the IMF said was: “I can confirm that we are investigating an incident. I am not in a position to elaborate further on the extent of the cyber-security incident.”

Apparently no personal information was obtained for goals of attempted fraud, or to be specific, “there is no reason to believe” that is the case, according to the report.

Friday 10 June 2011

LulzSec gives NHS security warning

Hacking group LulzSec is fast becoming the focus of a growing number of news stories with its network breaching shenanigans.

Previously the group has announced successful hacking forays onto the Sony Pictures website – where they reportedly made off with at least 50,000 customer details – and also Nintendo, to whom they said they didn’t mean any harm (and no data was taken anyway).

And now LulzSec has hit the NHS, although again, the group said it didn’t mean any harm to the organisation, and was merely informing it of network weaknesses.

LulzSec wrote on its Twitter feed: “Subdomain NHS access compromised 5 core admins and contact info of several affiliates. Luckily they stored nothing of importance on that DB.”

Other tweets noted that “no, we never planned to exploit those passwords” because “if we [censored] over those that give health, people would literally die laughing at our antics”.

The stolen info is linked to on the group’s Twitter feed, but sensitive details are blacked out “until they fix the problem”, which presumably the NHS is now doing or has done.

For its part, the NHS was quick to make it clear that no patient data files had been compromised.