Hackers prey on smartphone use at work during holidays

Hackers prey on smartphone use at work during holidays


good read from USAToday


The convergence of two trends has created a ripe opportunity for hackers looking to crack into corporate networks this holiday season.

More people than ever are using their personally owned smartphones as an essential work tool. And now an unprecedented number of them are using their smartphones to hunt for bargains and buy gifts.

This development has created a new tier of risk for corporate networks, says John Pironti, an adviser with ISACA, a global IT professionals association. "Cybercriminals are actively trying to leverage mobile devices as part of their attacks," he says. "The holiday season provides them a perfect time to test out new attacks."

Roughly 50% of mobile device users are likely to use their smartphonea or touchscreen tablet computera to shop this year, up from 22% in 2010, according to a recent survey of 1,215 mobile device users conducted by Webroot .

An ISACA survey found that smartphone users planned to spend an average of 32 hours shopping online this holiday season - 18 of which will be on devices also used for work.

Employees have begun using their smartphones to download coupons and price-comparison apps and to make online purchases. That puts consumers and their companies at elevated risks, say technologists and security experts.

"In our bring-your-own-device to work culture, people are using smartphones for both personal and business use — and attacks on these devices are on the rise," says Harry Sverdlove, chief technology officer at network security firm Bit9.

Smartphone attacks are in their infancy compared with PC hacks. They mostly come in the form of malicious apps for games, music and ringtones that phone users get enticed to download, says Armando Orozco, mobile threats analyst at Webroot.

"When installed, these apps gain control of your device to transmit your personal information, control search results and send text messages to premium numbers," Orozco says.

There is little stopping hackers from expanding the capabilities of malicious apps. Hackers "know users will actively be shopping and looking for deals in places they normally may not access," Pironti says.

Android phones, so far, are the biggest target because of Google's open approach to letting third-party apps run on its operating system. Bit9 recently released a report showing the Top 12 smartphone handset models most vulnerable to being hacked. All 12 were Android models, led by the Samsung Galaxy Mini, HTC Desire and Sony Ericsson Xperia X10.

Apple's iPhone isn't immune. Websites such as Jailbreakme.com offer free programs to iPhone owners who wish to circumvent Apple's tight restrictions on which apps they can load on their phones. Hackers could use similar techniques to slip malicious apps onto Apple products, says Matthew Prince, CEO of website security firm CloudFlare.

"The real concern going forward is that once connected to a corporate network, there is a risk the phones could steal information previously secured behind a firewall," Prince says.

A bad guy in control of an employee's smartphone could steal any sensitive messages and attachments stored on the phone. Or he could create and send viral e-mails throughout the corporate network, via messages that appear to come from the phone's owner.

"A limited number of highly skilled attackers are able to leverage these attacks today," Pironti says. "Given the sheer number of devices in use, this is likely to become a highly leveraged attack vector by a broad spectrum of adversaries."

Prince notes that a hacker could also use a smartphone's Wi-Fi capabilities to spy on sensitive internal communications between employees using the company's Wi-Fi network. The attacker could then transmit stolen intelligence unnoticed via the smartphone line.

"That information can be transmitted out because the phone has access to the mobile carrier's network," says Prince. "Modern firewalls that look for information leakage could effectively be bypassed."



more @ http://www.usatoday.com/tech/news/story/2011-11-22/bring-your-own-devices/51438324/1