Stories by Paul F Roberts

One in five mobile devices running malware: study

The SANS Institute's Internet Storm Center (ISC) has surveyed its membership on the subject of malicious programs that target mobile devices like iPhones and BlackBerrys, and the results are sobering.
In a running poll that has, so far, netted 540 respondents, SANS researchers found that 85 percent were not scanning their mobile devices for malicious programs. Of the 15 percent who were, 18 percent found mobile malware running on their devices. That's higher than the overall infection rate for PCs in North America, which Microsoft pegs at between 7 and 10 percent of all Windows systems in the United States and Canada. In fact, 18 percent is close to the infection rate for XP SP1 systems. "As secure as XP SP1" isn't the kind of security you want.
Extrapolate that number and it suggests that, as SANS points out, as many as 83 of the 457 participants who weren't scanning their mobile devices could be missing an active malware infection. Look at the number of smartphones in use globally and the infection numbers get even scarier, but also more hypothetical — after all, the mobile universe isn't a monoculture like the PC world. There are endless variations of Symbian, Windows Mobile, Palm, as well as BlackBerry, iPhone, Android and the like. Not all are equally valuable or attractive to attackers. It's also not clear what kinds of malware turned up on the self-reported scans and whether false positives might be in the mix.
The conventional wisdom is that mobile malware isn't a big concern so much as a gushing font of vendor FUD and scare tactics. The enterprises I talk to are far more concerned about the data on mobile devices that might get lost or stolen than they are about mobile devices as a malware bridge to their enterprise networks.
Anecdotally, anti-malware vendors tell me that mobile malware is still a tiny sliver of a fat malware pie — but it's also a growth area with new instances of mobile malware coming online at an alarming rate. We've also written about some of the big security loopholes that scammers and malware authors are getting hip to — notably the loosely policed application marketplaces for platforms like iPhone and, especially, Android.
Despite all that, if we're to believe that 85 percent of mobile phone users don't scan for malware, then there's clearly some waking up that will need to take place. The SANS report may be one alarm bell. Also look to this year's Black Hat and Defcon events to raise the heat under the mobile malware pot.

3Com CTO sees smart networking change coming

Dr Marc Willebeek-LeMair, chief technical officer of networking company 3Com, is used to wrestling with weighty problems. After all, the man spent a decade at IBM’s T J Watson Research Centre working on so-called intelligent infrastructure technologies and has done research on everything from distributed computing and high-speed networking technologies to network processors and management systems. So when Willebeek-LeMair talks about the problems facing the enterprise networking industry, people tend to listen.

British telco heading for 100% SOA model

While many enterprises are still trying to get their arms around just what SOAs (service-oriented architectures) really are, British Telecom is nearing the end of an eight-year effort to move to an entirely SOA-based IT environment, according to W George Glass, the company’s chief architect.
Glass, speaking to attendees at the recent InfoWorld SOA Executive Forum in New York, said that the company is on target to have enterprise-wide SOA by 2009, capping off a shift that began with provisioning of the company’s mainframe systems in 2001.

Tech firms swarm on data protection problem

Enterprise IT administrators didn’t need the recent stories about large-scale data breaches at Canadian Imperial Bank of Commerce, where a lost hard drive contained personal financial information on 470,000 mutual fund customers, or at Nationwide Health Plans, where backup tapes with data on 28,000 patients were stolen from a lockbox, to convince them that data protection was an urgent problem in need of attention.

Oracle tackles identity governance

There’s a common nightmare haunting CISOs (computer information security officers) that features a glance at the morning paper, and a 72-point banner headline with the name of their employer and the words “LOST” and “CUSTOMER DATA”.

Dell and Sony knew about blazing battery problem early on

Dell and Sony knew about — and had discussed — manufacturing problems with Sony-made lithium-ion batteries as long as ten months ago, according to Sony spokesman Rick Clancy. But they held off issuing a recall until the flaws were clearly linked to catastrophic failures causing those batteries to catch fire, says Clancy.

EMC’s ‘blinged up’ RSA buy provokes mixed reactions

Joe Tucci, EMC’s chief executive, likes to describe his company’s acquisition strategy as a “string of pearls” approach, focusing on small buys of top-notch technology such as Documentum, VMware and Captiva.

Taking the uncertainty out of risk management

Developing an enterprise risk management strategy is an enormous undertaking. Despite the wealth of best-practices frameworks out there, serious planning and communication across silos are always required to create policies and processes that work for an individual organisation. Here are some tips from security and risk professionals on how to go about it.

Cybercrims focus on Macs and zero-day

The SANS Institute has warned of a steep increase in critical security holes in Apple’s Mac OS X operating system and in previously undiscovered (“zero day”) vulnerabilities in web browsers.

Antispyware veterans launch anti-zero day startup

Bob Bales and Roger Thompson hit it big with their last venture, antispyware company PestPatrol. Now the two have launched a new company. Their target: drive-by downloads and zero-day exploits, like the recent Windows Meta File (WMF).