Slashdot Mirror
Security Firms Bicker Over Mobile Viruses
Fijer Nrosikjen writes to mention a ZDNet article about a claim by CA that F-Secure is just spreading FUD over mobile virus code, in order to promote its product. From the article: "CA said criminals do not have an economic incentive to develop malicious code and that the risk of such attacks spreading around smart phones is minimal because of a lack of interoperability between platforms and phone models. Network services don't allow for the fast spreading of code from phone to phone, and user interaction is required for any viruses to spread, the company added. It said F-Secure has created an atmosphere of fear, uncertainty and doubt to sell its product, undermining the relationship of trust that has been established between the industry and vendors. "
These people have never heard of viruses that can look like something else, seem useful, et cetera. And it's not that hard to make a virus that says "You're a windows mobile device, i'll download THAT code"
Show this to your friends and family that don't know what a real hacker is
Quicker than ZDNet Asia: http://news.zdnet.com/2100-1009_22-6097733.html/
Isn't that the essence of all security products for Windows? To either a) cover up flaws in the use cases of the OS or b) strike irrational fear into the minds of people?
Most people don't need AV software, and even when they use it, most people are still not secure because of HOW they use their computers. So this is really a case of pot calling the kettle black.
Tom
Someday, I'll have a real sig.
... that microsoft doesn't make OS for mobile phones (or at least not all of them).
Most mobiles run J2ME, and you can't do anything interesting in J2ME. You can't even get the whole screen on some mobiles, let alone use directory services. And because J2ME allows the phone creators to load on different modules to there phones (JSR-182, etc), you don't even know if you will be able to do something when you get to a phone. You would have to be very clever indeed!
Yeah, so do I. I remember the days of viruses that had to have 'user intervention' to run. You know, run this file, get the virus? Man how things have changed. I fear for the day when cell phone viruses can cause as much damage and, more importantly, are as easy to spread as the PC ones we have today. Or SMS spyware. That'd suck as well -_-
"Geeze, I wonder if this new version of McAfee works with my Nokia?"
AccountKiller
So I guess the only reason anyone ever wrote a virus was for monetary gain. Gee, I wonder how the first virus writers got paid before we got to the age of spyware and such.
The definition of bluejacking is to send a contact via Bluetooth to another Bluetooth enabled phone often titled something like "you got bluejacked!" or something else to startle the other phone user. It is a harmless activity.
What you described, while in theory a profitable form of malware attack is not bluejacking
See www.bluejackq.com for more on bluejacking.
These people are angry at another company for having a MARKETING department? It's just too bad this is what you do to sell computer security products to the masses, because masses of people are stupid and overly swayed by emotions.
WikiAfterDark.com It's a sex wiki, go now!
If anything, F-Secure is sounding a warning. Mobile viruses may not be the primary attack vector now, but with smart devices ever increasing (and a propensity of some executives to store everything on them, including passwords), it makes sense to stir up a little fear in the hope of preventing future harm.
Fear is not bad if it is founded in reality. I've seen enough reality to know that this fear is warranted.
I use irony whenever I can, but my shirts are still wrinkled...
We all know who writes viruses ( http://en.wikipedia.org/wiki/Plural_of_virus ) its the anti-virus software companies ... JOKE!!!!
No, we really know it's the hackers .... JOKE!!!!
And as to mobile phone anti-virus software companies spreading INFO, commonly known as FUD, more commonly known as BULLSHIT ..... JOKE!!!! .... oh no, that one isn't a joke.
monk.e.boy
And its relatively easy to keep a box patched, run anti-virus and anti-spyware, yet old exploits are still being used to turn desktops into zombies. Just because people can do it, doesn't mean they do.
Nothing new here. Here in Finland F-Secure is spreading FUD on Finnish television every now and then. Finnish television often uses F-secure's "experts" on news programs and such. Sometimes it is painful to watch how these "experts" feed FUD to average persons through television news.
undermining the relationship of trust that has been established between the industry and vendors.
Trust. Right. Gotcha. I think I saw some of that laying around here the other day. Oh, wait, that wasnt you. Oh, you meant vendors, not consumers. Now I get it, it's a money thing.
Let me give you a hand with that:
Get your useless crap over here! Step up and win useless crap!
(sorry, I can't remember exactly how it goes, I will demote my geek ranking)
I think you underestimate just how much I just dont care.
once you pair with a bluejacked device, its yours, you 0wn it
/
you can dial any number you like, transmit files etc
just because people use it for harmless things doesnt mean you cannot cause harm
What is bluebugging?
Bluebugging allows skilled individuals to access the mobile phone commands using Bluetooth wireless technology without notifying or alerting the phone's user. This vulnerability allows the hacker to initiate phone calls, send and receive text messages, read and write phonebook contacts, eavesdrop on phone conversations, and connect to the Internet. As with all the attacks, without specialized equipment, the hacker must be within a 10 meter range of the phone. This is a separate vulnerability from bluesnarfing and does not affect all of the same phones as bluesnarfing.
http://www.bluetooth.com/Bluetooth/Learn/Security
see the videos on f-secures site on what happens when you get jacked badly (commwarrior)
but hey they are the FUD runners so of course the video is doctored right ?
Twice now I've checked my phone after a beep to find viruses trying to worm their way in. I just keep bluetooth turned off unless I need it now, but still, it's a real and present threat.
For what it's worth, I have ZERO faith in CA. My one brush with their products has tarnished my opinion of them forever. I think they're completely inept.
While writing an article comparing small\medium business spyware solutions I installed a trial of eTrust Pest Patrol Corporate. Their crappy demo detected spyware (that none of the 4 other products detected, suspiciously) but informed me that only the pay version would remove it. I uninstalled the product but the eTrust right-click dialogs remained in Explorer. I called their tech support and they said they don't support product demos. I eventually found the registry key pertaining to the Explorer extension, emailed the info to them, and chewed them out.
I suspect CA is in the business of FUD, including spreading FUD about its competitors. Then again, nearly the whole antivirus industry is that way. Free clients ftw!!
If anyone cares, I blogged about the history of Norton\Symantec and how they've made a successful business with their increasingly inferior products.
I looked it up on the net, and out what it was. Can't remember off the top of my head though. It's purpose was to spread itself to other Nokia bluetooth enabled devices, and apparently in the early hours of the morning it would call premium rate numbers.
Trouble was, it hammered the battery with its constant bluetooth searching that it would only last a few hours before dying. Plus the constant "bluetooth busy" symbol on the phone was a dead giveaway.
Funilly enough, it was F-Secure that I used to get rid of it.
So what?
FUD is what sells the product, one can expect that it will apply to cell phones and all other new devices that even have one virus written for them.
He who knows best knows how little he knows. - Thomas Jefferson
If anyone knows about criminal activities for fun and profit it'd have to be CA.
Too lazy to create a sig...
"user interaction is required for any viruses to spread" So? We recently had a virus at my work (a large fortune 500 company) that required you to open up a zip file, put in a supplied 6-digit password from the email into the application the zipfile opened, and run the executible application. We still had people do this, because they thought it was "secret pictures" or something from their co-workers.
A virus could require you to bleed onto the keyboard by stabbing yourself in the hand. If it promised nude pics and said it was from someone you know, there are enough people out there that will run it to give me a headache.
Maybe we DID take the blue pill. You wouldn't remember anyway.
That's akin to claiming that anything security related is sold by creating FUD. Unfortunately, there IS a real threat out there. At least if you have a PC and if you are running Windows. 99% of the current malware is targeted for this platform, and (since it's profitable) people invest a LOT of time and effort to find and abuse code bugs, buffer overflows or simply user dumbness.
A security product can help there. It is, to a degree, pleading guilty of being too stupid to keep your system secure (or using a secure system altogether), but it does work against a good deal of malware.
Yes, we do exaggerate the threat a little. The reason for this is simple: Management apathy. If you say "Oh well, this virus is spreading, but usually it affects only those stupid enough to open it" the result is an I.Love.You. The only way to get through a thick manager's skull is to hype it enough so he actually SEES through the layers of fog surrounding his head when it comes to "tech foo" that yes, there is a threat and yes, it can cost him a lot of dough if it strikes.
That's why we exaggerate threats, if they exist. Some companies... ok, let's be honest here: This cellphone virus crap is first class FUD.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's been said that people use OSS because it's free, more secure, performs better, architected better
However I think I like OSS most because there's no marketing department intruding into my life and in many cases lying to me.
Let's all raise our glasses to this wonderful phenomenon.
people only make viruses that destroy files because they need the money. Otherwise the comment "criminals do not have an economic incentive to develop malicious code " wouldn't be made right? Personally I know a number of people that might try something like that just to see if they could. My guess would be that none of them would do anything damaging but imagine if you could make a virus that changed you ringtone to something else. On the side of non communication between different phone makers well gee I guess its alot better than only the Motorolla phones can catch this virus (this would work well with the changing ringtone as you could use a ringtone that was default to the phone).
It's messages like that that give the AV biz a bad name.
Do cell viruses exist? Yes. At least they did, as far as I know there used to be a few repackaged installers for Symbian based cells that got tainted. That was, though, something you could easily handle with a PC based scanner. Since those tainted kits were invariably available from shady sites or P2P, but none from legit download-to-cell sites, you could very easily squish that bugger when it had to pass through your PC.
Afaik, Symbian closed that hole quite a long while ago. And since then, no virus emerged that would've concerned me. Yes, viruses for cells exist. But every single of them requires YOU to install it. There is no such thing as nimda for cell that hops from one to the next, not even via bluetooth or wifi. YOU have to install it.
And when someone's dumb enough... c'mon, let Darwin be right for a change.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
http://www.engadget.com/2004/08/05/who-you-gonna-c all-the-bluesniper/
http://www.tomsnetworking.com/2005/03/08/how_to_bl uesniper_pt1/
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
Are these guys kidding? This is a mobile phone, there's plenty of financial incentives for viruses. Mainly in the form of 900 numbers or text messages. Check out this Symbian virus: http://www.newscientist.com/article.ns?id=dn6273&l pos=home1
Reporter asks Hillary: "Why did you climb Everest?"
Hillary: "Because it's there"
Same story, different environment.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
How about phone companies go back to using older phones that didn't use these stupid operating systems and go back to pure hardware-logic controlled phones like the older Nokia phones? Then the cell companies could advertise "More secure from Viruses compared to X-brand phone with such-an-such OS!"
Nevermind, I forgot, cell companies NEED that kind of OS because everyone and their mom has to have a camera/minicamcorder/flashlight/mp3 player in their damned phone now. Hey, there's a thought - The more the consumer wants, the less security they're going to have, all thanks to corporate greed.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
> AC said:
> Stop using acronyms in story summaries. Not everyone knows what FUD is.
FUD! Get him!
PGP KeyId: 0x08D63965
Interesting that people here started discussing Windows when the article didn't mention it!
When Windows Mobile 5 came out or had just done so, F-Secure had a product ready, and you could argue that the statements that F-Secure made at the time saying that you could benefit from their software were inaccurate, given than there was virtually no malware for the OS at the time. When I looked at it (a few months ago) there was allegedly a fair bit of malware for Symbian, and I'm guessing that F-Secure got to producing WM5 software because they already produced Symbian / Nokia software, and because of the historically huge takeup of Nokia devices in Finland.
I can't comment on how good F-Secure's WM5 software is because I've never used it. I have used Windows Mobile 5 (and hated it - but that's a different story), but was surprised that how hard it was to install an updated version of it - it essentially requires a whole new image to be installed, and you reinstall all your data.
ALL operating systems have flaws - because software has bugs, period. The discovery of a 0-day flaw that could be remotely exploited in an OS with this "reinstall from scratch" requirement, like WM5, would be a major headache to the wireless carriers that typically supply the devices and users.
I'd also disagree that "most people don't need AV software". As devices become more capable, they're more likely to need functions to protect users from themselves. You may not need this, but "most people" do.
These scare tactics have a wider scope in the mobile market; see Microsoft's new application security model. Now, every binary you install on a smartphone has to be signed by a certificate authority (Verisign or GetTrust I think). Developers get the shaft since they don't allow you to purchase your own certificate, you have to purchase blocks of "signing events" that us use for the authority to sign your binaries for you. The events are individually cheap, but if you have to resign every installer and updated binary every time you make a change, you're talking serious bucks. One newsgroup poster claimed he'd be paying about $10K a year for application signing. So, a little FUD gets converted into a lot of profit for the corporate bigshots.
God forbid this new security model makes its way to the desktop. We're probably going to see the death of the one-man shop for mobile device products as a result of this shameless money grab.
I swear to God...I swear to God! That is NOT how you treat your human!
Hate to tell you, but for some of us who DO get out in the big blue room once in a while, finding a geek or anyone within 30 feet can yield quite a few results, even if you ARE searching for unusual behavior. Just having lunch, say in the food court near my office, looking around within 30 feet will yield at least 4 people using a laptop, 5-6 people on a cellphone and any number of kids around crowded tables.
"I'm not a procrastinator, I'm temporally challenged"
"...undermining the relationship of trust that has been established between the industry and vendors."
What trust?
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
That's all well and good, all I was saying is that bluejacking is not bluebugging
When I hear about somebody getting a real, actual virus on a Linux machine I'll buy some Linux anti-virus.
Same thing with the phone.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
I'm currently posting from a Commodore 128D (running C64 mode), you insensative clod! 8-)P
(Ok, just kidding. I haven't used my C128D in decades - I think it may have grown legs and wandered off in boredom.)