Whether it's your iPhone, Windows Mobile device, Android, or BlackBerry -- you're probably using your smartphone more like a computer more and more. That's great, but the more your phone acts like a PC -- the more likely all of the problems associated with PCs will follow, researchers said today. Should you care?

We've been warning about the security of mobile devices for years, and years, and years. I've written so many stories about the security risks of mobile phones that I'm starting to feel like Chicken Little. So far, we've not seen a major virus or malware event. That doesn't mean it's not going to happen. The infamous Morris worm hit in 1988 -- and we didn't see a similar event at any time in the 1990s. Viruses were a problem, but they didn't become a really big humungo problem until the LoveBug overloaded e-mail servers in the spring of 2000.

These things don't always happen when we first expect them. But we can see the trend lines: more criminals are turning to cybercrime to steal, snoop, and destroy; and smartphones are growing exponentially in processing and storage power. We're also starting to see smartphones with more open, generative platforms, such as Google's Android.

It's a safe bet to predict these two trend lines will cross, and criminals will turn to mobile phones to conduct all of the types of crimes they do on PCs and the Internet today. Predicting exactly when this will happen: not so easy.

Researchers contributing to Georgia Tech's Emerging Cyber Threats Report for 2009: Data, Mobility, and Questions of Responsibility Will Drive Cyber Threats in 2009 And Beyond, see the risks.

The comments below, from the report, are from Patrick Traynor assistant professor at the School of Computer Science at Georgia Tech:

According to Traynor, "malware will be injected onto cell phones to turn them into bots. Large cellular botnets could then be used to perpetrate a DoS attack against the core of the cellular network. But because the mobile communications field is evolving so quickly, it presents a unique opportunity to design security properly -- an opportunity we missed with the PC."

 

Traynor pointed out that most people buy a new mobile device every two years -- a much shorter life cycle than the typical PC and Windows installation, which is closer to 10 years.

"The short life cycle of mobile devices gives manufacturers, developers, and the security community an opportunity to learn what works from a security standpoint and apply it to devices and applications more quickly," said Traynor. "However, it is not going to be an easy problem to solve."

Tom Cross, X-Force Researcher with IBM Internet Security Systems, along with Traynor, cites Google's Android -- because of it's openness, it makes it easier for security vendors to build defenses for the device. On that, I agree. However, it also makes it much easier for malware authors, as well. Which means we'll be in the same PC security arms race we've experienced for more than 20 years now.

The ultimate solution is what both Traynor and Cross stated in their closing thought: a layered approach to security on mobile devices that encompasses carriers, manufacturers, and application developers.

That type of industry security synergy is exactly the best shot we have at ensuring smart phones don't become the battleground we're now fighting on PCs and corporate networks.

It's also expensive and difficult to get all of these constituents to work so closely together.

It may happen. But my prediction is that it's going to take a significantly enough nasty event for the industry to come together that tightly over security concerns.

Check out the Georgia Tech's Emerging Cyber Threats Report for 2009, available here.

The topic of cyberwarfare reared its head again in this DefenseTech.org post. There's been talk about cyberwar for quite some time. Kevin Coleman writes that a 2002 CIA report noted that several groups were beginning to plan attacks on Western networks. I wrote this cover story about cyberwarfare on the eve of the Iraqi war.

Today, Coleman cites a number of estimated Hezbollah capabilities:

Equipment: Hezbollah possesses up-to-date information technologies -- broadband wireless networks and computers.

Cyber Capabilities: Global Rating in Cyber Capabilities -- Tied at Number 37
Hezbollah has been able to engage in fiber optic cable tapping, enabling data interception and the hijacking of Internet and communication connections.

Cyber Warfare Budget: $935,000 USD

Offensive Cyber Capabilities: 3.1 (1 = Low, 3 = Moderate and 5 = Significant)

Cyber Weapons Rating: Basic -- but developing intermediate capabilities

The post goes on:

Using new hacking techniques, taking advantage of security vulnerabilities, and using simple, proven cyberattack methods, terrorists have the capability to attack us in ways not seen before. Key infrastructure systems that include utilities, banking, media/TV systems, telecommunications, and air traffic control systems have already been compromised. No one knows if cyber terrorists created trap doors and left logic bombs allowing them to easily bypass security systems and disrupt our critical infrastructure in coordination with traditional style attacks.

The notion that cyberterrorists have created trap doors, or left logic bombs behind in previous attacks, strikes me as a bit far-fetched. It's possible, and the recent alarm from the FBI about counterfeit Cisco (NSDQ: CSCO) routers is cause for concern. But IT systems change fairly quickly, and the utility of such digital plants wouldn't have a long shelf life, and couldn't be guaranteed to work when needed. I'm not sure what the "new" hacking techniques would be.

However, there's no doubt in my mind that cyberattacks against Western interests are going to supplement traditional warfare. They'll be used to attempt to disrupt financial networks, emergency responders, power, and other fundamental aspects of society.

The good news is that there's no secret nation-state or terrorist attack kit. I'm not aware of any super-duper denial-of-service attack capabilities that have yet to be unleashed. These attacks, if they happen at all, will most likely resemble the attacks against unpatched systems, or social engineering a user to somehow provide access. The odds of sustaining such an attack are in your favor, if you build a resilient architecture, with good security, risk management, and business-continuity procedures in place. In fact, any such attacks should be far less disruptive than the possible hacks, hurricanes, tornadoes, fires, or any other natural disaster you're already planning for.

The takeaway: If you're prepared for a sizable natural disaster, and already hardening your systems, you're as covered as you can be.

Two new state medical privacy laws, AB211 and SB541, make it possible for institutions and individuals to be fined up to $250,000 for being lax when it comes to the medical privacy of California residents. It's about time.

The fines can't roll enough as far as I'm concerned.

From this story, which originally appeared in the AIS's Health Business Daily:

Hospitals and other covered entities in California may have to beef up their privacy and security compliance programs in light of recently enacted state legislation that slaps stiffer penalties on entities and employees who violate patient privacy. The legislation, approved in mid-September and signed by Gov. Arnold Schwarzenegger (R) on Sept. 29, follows privacy breaches of several high-profile celebrities, including singer Britney Spears and California First Lady Maria Shriver.

We covered the Britney Spears UCLA fiasco when that story broke, and I delivered an overview of these two new California laws on my other blog at TransformationEnablers.com.

In a nutshell, AB211 requires health care providers to take appropriate safeguards to protect patient medical information, while SB541 sees that those in violation could be penalized $100 a day, up to $250,000.

Some say that these security requirements aren't necessary, because we already have HIPAA. This quote is from the same story as above:

"There is an argument to be made that a law like this isn't absolutely necessary, because certainly HIPAA required reasonable safeguards of patient information or protected health information," says Reece Hirsch, a partner in Sonnenschein Nath & Rosenthal's San Francisco office.

Still, the California legislation is significant in some respects, he tells RPP. It takes data-security concepts found in federal law and applies them at the state-law level, he says.

"Perhaps most significantly, it also attaches a whole new regime of fines and penalties related to violations of those standards," Hirsch adds. "Some people might say the HIPAA privacy and security rule has not been very vigorously enforced thus far by HHS. This sort of provides a basis for state authorities to impose some fairly significant penalties when there is a perceived privacy or security breach."

I say the stronger argument is that HIPAA has not been vigorously enforced, and it's about time a state has stood up to do so.

California set the precedent with SB 1386, and the state is about to do it again.

How bad is it?  Well, in an">http://debeveiligingsupdate.nl/audio/bevupd_0003.mp3"target="new">an interview --- (fast-forward five minutes in to hear it in English), the two were asked if they could take out a data center.  While they've never tried, it appears to be a totally plausible attack.  Worse yet, unlike most DoS attacks, the machines often do not come back online once the attack is over.  The victim system just doesn’t respond any more.  Great, huh?