Mobile technology use in the Middle East is set to soar in the next two years. The consumerisation of information technology is pushing businesses away from a linear and static IT infrastructure to a more flexible model that makes use of different types of computing devices, including smartphones and tablets. With this adoption of new technology comes a greater security risk.
Smartphones are not a big target yet, but will be … [chances] will open up for criminals as devices [get] more advanced
Greg Day, Mcafee
There were an estimated 282 million mobile subscribers across the Arab states in 2010, according to figures from the Geneva-based International Telecommunications Union. The US’ Pyramid Research anticipates more than 1 billion mobile broadband connections will be made by 2012 in the Middle East. By 2013, mobile devices will overtake personal computers as the most common web access device worldwide, predicts US research firm Gartner.
However, these devices are attracting criminals. Few people switch off their phones, which makes them open to attacks 24 hours a day.
New targets for cyber criminals
Traditionally cyber criminals have targeted PCs, the world’s most common computing platform. Releasing malicious software (malware) designed for PCs running Microsoft’s Windows can guarantee higher access to information and individuals than any other platform. As computing habits change, other devices will be targeted.
US-based security firm Mcafee’s Threat Predictions report for 2011 highlights mobile phone devices as one of the main targets for cyber criminals over the coming year. As these devices become more web-enabled they will leave business more vulnerable to attacks. “Smartphones are not a big target yet, but they soon will be,” says Greg Day, Mcafee’s director of Europe, Middle East and Africa security strategy.
As security controls get better, the easier route … is to con the user. We’ll see a new breed of the cyber trickster
Greg Day, Mcafee
These attacks can range from gaining access to company data and intellectual property (IP) or causing sabotage. Currently the legal framework is not yet robust enough to protect company data in the digital sphere. “One of the biggest worries for firms in the region is data protection,” says Antony Garrod, partner at law firm, Clyde & Co.
Cyber criminal activity has evolved over the past few years. Most attacks are financially driven with the intention to gain access to personal information, such as credit card and bank account details. The recent Zeus Trojan virus enabled an Eastern European cyber gang to steal more than £700,000 ($1.1m) in less than a month from online customer bank accounts in the UK. Such a virus cannot be detected by traditional firewalls and security software.
|Top phishing sectors*|
|*=Europe, Middle East and Africa. Source: Symantec|
For firms, financial loss is not the only worry. Breach of privacy and loss of IP can have more devastating effects, particularly on reputation. Devices, such as smartphones and tablet PCs, are beginning to change the way employees communicate with one another and access company information. This information and data is being taken out of the central network and onto a mobile device where it becomes more exposed.
“More people are working outside of the office. There is high level of travel between the GCC states in particular, and the advancements in technology has driven the need to access large amounts of data on a variety of platforms,” says Tony Karam, Middle East head of technology at US consultancy firm Accenture.
Diverse market in the Middle East
As phones become more advanced with the ability to store larger amounts of data, more services are moving onto the mobile platform. Services such as mobile-banking and mobile-health have gradually been introduced in the Middle East. Abu Dhabi’s Etisalat and Qatar Telecom are two operators in the region that offer m-banking. Hacking mobile phones gives access to such information and leaves both company and employees at risk.
|Top malicious code samples*|
|Rank||Sample||Type||Most Infected EMEA Country|
|2||Mabezat.B||Worm, virus||Saudi Arabia|
|5||Downadup||Worm, back door||Italy|
|*=Europe, Middle East and Africa, 2009; Virus=A program that attaches itself to an executable file or hidden within downloads. It spreads via human interaction, eg by emailing it; Worm=Similar to a virus. A program that replicates itself automatically and spreads quickly; Trojan=Appears to be legitimate software or files but hides a malicious program within that will damage a computer once installed. Not self-replicating; Back door=A security weak point in a system, often made by a malicious program, that allows people to access a network or computer. Source: Symantec|
So far attacks on phones have remained relatively low due to the diversity of these devices. While there are a limited number of operating systems (OS) for desktops, the market for smartphones is much more diverse. Attacking a smartphone through its OS would require hackers to write codes unique to each system, which is time consuming and has less potential to reach large numbers.
One of the key entry points is through the browser. “The challenge for criminals is that most smartphones do not support all web languages. For example, Apple does not support Adobe’s Flash, but attacks can come through the web language and opportunities will be opened up for criminals as devices become more advanced,” says Day.
Client-side software and applications such as Adobe Flash, PDF or Internet Explorer have become a weak point, which attackers are increasingly exploiting as a means to compromise access. Symantec’s quarterly report for Emea from July-September 2010 shows that 34 per cent of web-based attacks were related to malicious PDF activity.
|Top web-based attacks*|
|1||PDF suspicious file download||34|
|2||Microsoft Internet Explorer ADODB.stream file installation weakness||33|
|3||C6 Messenger ActiveX file overwrite||8|
|4||Embed tag NPDSPlay DLL buffer overflow||6|
|5||Microsoft Internet Explorer WPAD spoofing||6|
|6||Adobe SWF remote code execution||4|
|7||Microsoft Internet Explorer popup window address bar spoofing weakness||3|
|8||Microsoft GDI malformed BMP code execution||1|
|9||Microsoft Internet Explorer 7 uninitialised memory code execution||1|
|10||Microsoft Internet Explorer createtextrange remote code execution||1|
|*=Europe, Middle East and Africa, July-September 2010. Source: Symantec|
Applications on smartphones are even more vulnerable. The applications development market is highly competitive. Developers are under pressure to create a commercially successful application with limited resources. In order to make revenue in an appstore, these products have to be released quickly, pushing security down the list of priorities.
Apple currently dominates the smartphone market globally. Its success is primarily down to its vibrant applications (apps) store. To date, more than 6.5 billion apps have been downloaded from its store. The company has put in place a stringent regime to validate quality. For every 1,000 applications created for Apple’s appstore, there are 10,000 being developed for Google’s Android Marketplace. “This creates opportunities for misuse,” says Day.
According to Gartner, more than half of all employees download applications without considering the security implications. As there are no systems preventing or blocking access to applications stores on smartphones and tablets, there is little firms can do besides issuing guidelines and implementing a company policy.
Recent reports indicate a rise in the number of rogue applications. According to Karam, users are more concerned with the “coolness of a new app than the security issues”.
Software is not yet available to prevent employees from downloading applications onto their work phones. While firms can block access to social networking sites, such as Facebook and Twitter, little can be done to prevent access to them on a smartphone.
|Goods on underground economy servers*|
|Rank||Item||%||Range of prices ($)|
|1||Credit cards||23||$2-$20 or 50 for $100; $100-$150 for 100; 1,000 for $300|
|2||Bank accounts||18||No specified prices|
|3||Email accounts||11||No specified prices|
|4||Credit card dumps||6||$15-$120|
|5||Email addresses||6||$10-$20 per MB|
|6||Cash-out services||5||$400-$500 or 50-60 per cent|
|7||Full identities||5||$6-$80 or 30-40 for $20|
|9||R57 & C99 shells||3||$4 or 20 for $70|
|10||Scams||2||No specified prices|
|*=Europe, Middle East and Africa, July-September 2010. Source: Symantec|
Such sites are more susceptible to malicious links particularly through shortened URLs, another major threat highlighted by McAfee’s report. They are being used by criminals to socially engineer an attack.
Through Twitter, it has become very easy to identify key people in organisations. Criminals can target executives and get information that is usually readily available on their profiles. Day says: “Users need to understand that an online social profile impacts work life and it’s hard to separate the two.” The increased use of geo-tagging and location-based services can help criminals to pinpoint an individual’s exact location.
The Operation Aurora attacks that took place in December 2009 were a socially engineered attack on US technology firms in China including Google, Adobe and Microsoft. Various employees in these firms were identified and targeted. The attackers had communicated with them over a period of time, gaining their trust before sending them a message urging them to click onto a web link. The link installed a piece of malware that was designed to gain access to intellectual property.
“As security controls get better, the easier route is not to break security; it is to con the user. We’ll see a new breed of the cyber trickster,” says Day.
Keeping pace with the Middle East mobile market
One of the biggest issues is the pace at which the mobile market is developing. Penetration rates are increasing in the Middle East and the demand for data is increasing rapidly, creating a need for better, fast-paced networks. Telecoms firms are pressed to build networks and put the infrastructure in place. In doing so, security becomes a secondary feature.
“This is not a good scenario to be in, but investment in security is high,” says Bahaa Hudairi, a systems security professional at Mcafee. “New initiatives, like e-government services, are being introduced with the highest levels of security in mind. It has to be, because the consequences of data theft can be devastating.”
There are new technologies to help prevent cyber attacks. Intel is due to release silicon-based security, which incorporates security features onto their chips and processors used to power computer devices. If combined with virtualisation technology, which enables the use of a system on a variety of platforms, then it will create a more robust network. But it will not solve all security issues.
Employee negligence is one of the most common causes of security breaches. Most cases of data loss are a result of human error. “The best approach for corporations is to accept that employees are mobile. They ought to acknowledge the risks and manage them. It comes down to managing technology with the correct policies. There is a people aspect to technology and there needs to be greater awareness of the issues,” adds Karam.
Security requires multi-tier solutions. It needs the efforts of the device manufacturers, software and applications developers, telecommunications operators and the businesses and employees. “There has been a big shift in the way we use IT, the challenge for businesses is finding the right way to embrace it,” says Day.