Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

Security Firms Bicker Over Mobile Viruses 90

Posted by Zonk
from the angry-hens dept.
Fijer Nrosikjen writes to mention a ZDNet article about a claim by CA that F-Secure is just spreading FUD over mobile virus code, in order to promote its product. From the article: "CA said criminals do not have an economic incentive to develop malicious code and that the risk of such attacks spreading around smart phones is minimal because of a lack of interoperability between platforms and phone models. Network services don't allow for the fast spreading of code from phone to phone, and user interaction is required for any viruses to spread, the company added. It said F-Secure has created an atmosphere of fear, uncertainty and doubt to sell its product, undermining the relationship of trust that has been established between the industry and vendors. "
This discussion has been archived. No new comments can be posted.

Security Firms Bicker Over Mobile Viruses

Comments Filter:
  • Apparently (Score:3, Insightful)

    by PunkOfLinux (870955) <mewshi@mewshi.com> on Tuesday July 25, 2006 @09:15AM (#15775800) Homepage
    These people have never heard of viruses that can look like something else, seem useful, et cetera. And it's not that hard to make a virus that says "You're a windows mobile device, i'll download THAT code"
    • Re:Apparently (Score:3, Interesting)

      by kjorn (687709)

      That's interesting, a mobile phone virus that talks to you through the phone handset.

      "Please upload me. Pleeeeeease."

      Or perhaps they just wait until you are talking to your mom, and insert helpful phrases into the gaps in the conversation. The virus could say stuff like, "I'm gay." or "I'm straight." or "I'm pregnant." or "I want to suck on you nipples now please." or "I've got the semtex." (that would be helpful to the FBI, not you or your mom). Or it could just make random grunting noises. Mind you, hal

      • I hope to god no one ever writes a virus like that, cause I'm sure there would be a lot of people (myself included) who would make every possible effort to spread that baby far and wide! ;)
  • ZDNet US link (Score:3, Informative)

    by Anonymous Coward on Tuesday July 25, 2006 @09:16AM (#15775806)
    Quicker than ZDNet Asia: http://news.zdnet.com/2100-1009_22-6097733.html/ [zdnet.com]
  • Um... (Score:3, Interesting)

    by tomstdenis (446163) <tomstdenis@@@gmail...com> on Tuesday July 25, 2006 @09:17AM (#15775809) Homepage
    Isn't that the essence of all security products for Windows? To either a) cover up flaws in the use cases of the OS or b) strike irrational fear into the minds of people?

    Most people don't need AV software, and even when they use it, most people are still not secure because of HOW they use their computers. So this is really a case of pot calling the kettle black.

    Tom
    • Re:Um... (Score:4, Insightful)

      by Tx (96709) on Tuesday July 25, 2006 @09:32AM (#15775912) Journal
      Most people don't need AV software

      WTF? Most nerds may not need AV software on their PCs. Most other people do. They do not know how to recognize and avoid malware, manually remove it and repair damage done by it, or follow good practice to avoid it in the first place. If you're arguing that they should learn, that's pie in the sky. Believe me, they need AV software.
      • Yeah, but that's like saying you need a solid metal door on your mudhut to protect from intruders.

        The AV provides little "real" protection since

        a) Most people fail to update it [my parents NEVER update the damn thing, whenever I visit I do it myself]
        b) Uninstall it once the trial period expires
        c) Will run just about anything they can get their hands on [whether on purpose or by exploit].

        I can write a dozen programs that will kill the average windows box and not be detected by AV. AV is a good line of defen
        • by Tx (96709)
          AV is a good line of defense only IN ADDITION to proper training and use.

          So what you're saying is that when you said "Most people don't need AV software", you actually meant "Most people do need AV software".

          My parents AV auto-updates without their intervention (and why on earth didn't you configure your parents AV software to auto-update, WTF were you thinking?), and thanks to their belief that I want a running commentary on their computing activities, I know that it has succesfully protected them from nu
          • No, see had you practiced the art of "reading the entire sentence" you'd see I wrote "only in addition to ..."

            No amount of AV software will save your "lets run all random binaries we can find" parents. thinking that AV alone will make your environment safe is harmful.

            Tom
            • Small point of correction here... If the hypothetical parents in this example were to download "nigerian_bank_account_transfer_program.exe" and said program was a known trojan, its execution would be blocked by most anti-virus programs. It's not a 100% sure-fire way to protect dumb users from themselves but it can help.
              • How many people know the "free party poker" downloads are spyware? Are they caught by commonly installed AV programs?

                Tom
                • (Warning, deviation from SheepThink ahead!)

                  Installing Windows Live OneCare and Windows Defender (Which OneCare asked if I wanted to download) catches them. Auto updates are enforced, and it even does a nice regular backup for you.

                  You may want to consider getting people who need their PC's to 'just work' to buy a subscription to OneCare, since I've found it's worth the effort when it maintains updates, firewall and antivirus and also does housekeeping such as defrag, temp files cleanup etc.
                  • So long as phishing works so will viruses. People are stupid and they will welcome pretty much anything into their private space.

                    Ooh, free poker game, ooh free screen saver, oooh free animation, ooh....

                    The problem isn't so much the technology [though there are many ways to improve it] but the lack of training. People just don't know what the hell they're doing with computers.

                    Give them a friggin C64 and be done with...

                    Tom
                    • I'm currently posting from a Commodore 128D (running C64 mode), you insensative clod! 8-)P

                      (Ok, just kidding. I haven't used my C128D in decades - I think it may have grown legs and wandered off in boredom.)
      • The great mass of users (non-nerds) need an operating system impervious to viruses and other malware. The structure of Windows is such that it is not the right "operating system" for the vast majority of users!
    • Re:Um... (Score:3, Informative)

      by gothzilla (676407)
      That's why there are so many people making cash hand over foot reinstalling windows for people who supposedly don't need AV. I live in a city of 25,000 people and there are 4 successful businesses that spend 90% of their time cleaning machines of viruses and reinstalling windows.

      So yeah, you don't really need AV. Yeah.

      Also, since when do people have to manually update their antivirus? There's this thing called auto-update. If you're talking about re-subscribing then that's different. Sure, most people don't
      • Re:Um... (Score:3, Insightful)

        by lgw (121541)
        For the average user it sure seems easier to pay the AV guys than to pay the reinstall guys - cheaper too.
    • Interesting that people here started discussing Windows when the article didn't mention it!

      When Windows Mobile 5 came out or had just done so, F-Secure had a product ready, and you could argue that the statements that F-Secure made at the time saying that you could benefit from their software were inaccurate, given than there was virtually no malware for the OS at the time. When I looked at it (a few months ago) there was allegedly a fair bit of malware for Symbian, and I'm guessing that F-Secure got to pr
  • Thank god (Score:4, Informative)

    by mgblst (80109) on Tuesday July 25, 2006 @09:21AM (#15775834) Homepage
    ... that microsoft doesn't make OS for mobile phones (or at least not all of them).

    Most mobiles run J2ME, and you can't do anything interesting in J2ME. You can't even get the whole screen on some mobiles, let alone use directory services. And because J2ME allows the phone creators to load on different modules to there phones (JSR-182, etc), you don't even know if you will be able to do something when you get to a phone. You would have to be very clever indeed!
    • Most mobiles run J2ME, and you can't do anything interesting in J2ME. You can't even get the whole screen on some mobiles, let alone use directory services. And because J2ME allows the phone creators to load on different modules to there phones (JSR-182, etc), you don't even know if you will be able to do something when you get to a phone. You would have to be very clever indeed!

      Given the profusion of virii and trojans and the insidiousness of some of their mechanisms, are you implying that virus writer

      • Re:Thank god (Score:1, Insightful)

        by Anonymous Coward
        Think you're smart, eh? The plural of Virus is NOT Virii. Dumb-ass.
      • Well, there is clever, and then there is the impossible. When you application is running in a sandbox, and you are really limited to what you can do... that doesn't leave a lot open to virus writers to do. I remember trying to write an application that set itself to run at a certain time, before it even ran you would have to allow it to do this (a box would popup asking if you want to allow th app to change the alarm) - then everytime you set the alarm, you would get another box popping up asking for persmi
        • Exactly.
          The worst you could do in a sandbox is exploit a bug in it. With J2ME, the differences in phone models and VM implementations mean that even if you found such a bug, it would be most likely be limited to such a small number of phone models that your virus would never get very far.

          Ahh, the advantages of a hetrogeneous environment...
  • Yeah, so do I. I remember the days of viruses that had to have 'user intervention' to run. You know, run this file, get the virus? Man how things have changed. I fear for the day when cell phone viruses can cause as much damage and, more importantly, are as easy to spread as the PC ones we have today. Or SMS spyware. That'd suck as well -_-

    "Geeze, I wonder if this new version of McAfee works with my Nokia?"
  • Really? (Score:3, Funny)

    by Nos. (179609) <(ac.srrekeht) (ta) (werdna)> on Tuesday July 25, 2006 @09:21AM (#15775838) Homepage
    So I guess the only reason anyone ever wrote a virus was for monetary gain. Gee, I wonder how the first virus writers got paid before we got to the age of spyware and such.
    • So I guess the only reason anyone ever wrote a virus was for monetary gain.
      Absolutely. Just ask Peter, Michael, and Samir. [wikipedia.org]
    • Re:Really? (Score:2, Insightful)

      by Anonymous Coward
      Don't confuse "economic gain" with "monetary gain". The two are often mistakenly used interchangeably. See this discussion [wikipedia.org] for more information, but the basic assumption is that the perceived utility, or gain (which does not have to be monetary - it could be something as simple as public recognition, personal satisfaction, etc outweighs the cost - again, cost is not necessarily monetary, but could include effort required to write something, or learn the right language, whatever. Finally, there is utility
  • So... (Score:3, Informative)

    by CtrlPhreak (226872) on Tuesday July 25, 2006 @09:25AM (#15775865) Homepage
    These people are angry at another company for having a MARKETING department? It's just too bad this is what you do to sell computer security products to the masses, because masses of people are stupid and overly swayed by emotions.
  • by HikingStick (878216) <z01riemerNO@SPAMhotmail.com> on Tuesday July 25, 2006 @09:26AM (#15775871)
    CA said criminals do not have an economic incentive to develop malicious code and...
    I spend a good number of my waking hours working with tech auditors who look at financial institutions and big firms. Saying that there is no economic incentive to develop malicious code (even if only limiting the argument to mobile devices) is absurd. Script kiddies will still wreak periodic havoc, but fear the coder who can't make ends meet (especially in the former soviet block) and sells out to organized crime interests.

    If anything, F-Secure is sounding a warning. Mobile viruses may not be the primary attack vector now, but with smart devices ever increasing (and a propensity of some executives to store everything on them, including passwords), it makes sense to stir up a little fear in the hope of preventing future harm.

    Fear is not bad if it is founded in reality. I've seen enough reality to know that this fear is warranted.
    • by laffer1 (701823) <.moc.semaghsiloof. .ta. .ekul.> on Tuesday July 25, 2006 @09:33AM (#15775918) Homepage Journal
      Both are ignorant. Any type of device could have a virus written for it. Even CA implies that. Its a warning that nothing is safe, but I don't think its time to buy software for viruses yet. Its like buying antivirus for a mac or linux desktop. There isn't anything in the wild that is going to hurt you right now. Sure there's a few token viruses but if you are patched they can't hurt you. Someday mac os and linux will be hit as bad as Windows. Why? Users are stupid. It only takes one click to get you in trouble. Most malware is concealed in something useful now.

      The question is when will consumers figure out the scam. Why is it that no antivirus product I've tried for Windows has a small footprint and detects reasonably well. The closest I've seen is clam antivirus for windows and that can't remove anything. Remember when antivirus vendors pushed the new version because it was faster and sometimes smaller? What happened to that. I actually don't run with antivirus on anymore. A monthly scan is enough. I patch windows religiously and only do special scans when I download from untrustworthy sources. There is a small risk one of them will spread a virus but its unlikely.

      Home users shouldn't fear this at all yet. Businesses should consider telling their users to watch what they install on their phones.
      • I agree that nothing is safe, and I will concede that home users don't need to get in a huff over this, but I disagree that the smaller target (whether linux, or Mac, or smart phone) makes for an acceptable risk.

        Were I intent on getting into an enterprise's information systems today, I would be targeting attacks specifically at systems people will assume are "safer".

        The days of brute force attacks against the front gate are dwindling. Unless the frontal assault is a distraction for the orcs in the tun
    • If anything, F-Secure is sounding a warning. Mobile viruses may not be the primary attack vector now, but with smart devices ever increasing (and a propensity of some executives to store everything on them, including passwords), it makes sense to stir up a little fear in the hope of preventing future harm.

      And let's not forget that as people demand there mobile phones to be more things and be able to interface with other computers, the possibility of using a person's mobile phone as a backdoor through se

      • Absolutely true! I just wish I could package a pill that would give executives a dose of healthy paranoia.

        Of course, on the converse, I would also like to have a pill (or hammer) to use when they are using baseless fears as an excuse to inhibit technological progress (e.g. the "all wireless is evil" approach).
    • I don't think CA is ignorant, I think they are finding themselves behind the curve on development of AV for mobile devices. A common practice in marketing is to dismiss features or products you don't have by making it sound like people really don't need it.
  • Nothing new here. Here in Finland F-Secure is spreading FUD on Finnish television every now and then. Finnish television often uses F-secure's "experts" on news programs and such. Sometimes it is painful to watch how these "experts" feed FUD to average persons through television news.
  • undermining the relationship of trust that has been established between the industry and vendors.

    Trust. Right. Gotcha. I think I saw some of that laying around here the other day. Oh, wait, that wasnt you. Oh, you meant vendors, not consumers. Now I get it, it's a money thing.

    Let me give you a hand with that:

    Get your useless crap over here! Step up and win useless crap!
    (sorry, I can't remember exactly how it goes, I will demote my geek ranking)
  • ...for late breaking virus information. These clowns just replicate everything Symantec, F-Secure, McAfee, and others do anyway. ZERO innovation, ZERO leadership, ZERO initiative. Screw you, CA.

  • Twice now I've checked my phone after a beep to find viruses trying to worm their way in. I just keep bluetooth turned off unless I need it now, but still, it's a real and present threat.
    • What kind of phone do you have that your only choices are "off" and "here I am!"

      Even my POS motorola only announces itself on my explicit command to do so, and then only for 30 seconds or so.
  • by spyrochaete (707033) on Tuesday July 25, 2006 @09:51AM (#15776036) Homepage Journal
    For what it's worth, I have ZERO faith in CA. My one brush with their products has tarnished my opinion of them forever. I think they're completely inept.

    While writing an article comparing small\medium business spyware solutions I installed a trial of eTrust Pest Patrol Corporate. Their crappy demo detected spyware (that none of the 4 other products detected, suspiciously) but informed me that only the pay version would remove it. I uninstalled the product but the eTrust right-click dialogs remained in Explorer. I called their tech support and they said they don't support product demos. I eventually found the registry key pertaining to the Explorer extension, emailed the info to them, and chewed them out.

    I suspect CA is in the business of FUD, including spreading FUD about its competitors. Then again, nearly the whole antivirus industry is that way. Free clients [avast.com] ftw!!

    If anyone cares, I blogged [blogspot.com] about the history of Norton\Symantec and how they've made a successful business with their increasingly inferior products.
    • by SSpade (549608) on Tuesday July 25, 2006 @11:37AM (#15776784) Homepage
      Pestpatrol. A word synonymous with incompetence in my mind.

      They listed one of my applications (Sam Spade [samspade.org] - an elderly windows whois / traceroute client, basically) as a security risk. I started to get phone calls about it from users (I have quite a lot of users, so a few of them were bound to be running pestpatrol).

      I called the company responsible for pestpatrol several times, and they told me many things that turned out not to be true ("It's not listed", "We can certainly remove it", "Traceroute is a major security risk for enterprise customers.", "We have removed it", "Oh, when we said we'd removed it we meant, uh....", "We'll remove it within six weeks...").

      The sheer level of corporate and technical incompetence involved was staggering (and I've dealt with some spectacularly incompetent companies). The idea that anyone would rely on them for anything security related is scary. (To be fair, I believe that I dealt with them early on in their buyout process, so it's conceivable that they've picked up some basic business practices from their new owner since then, but it's not something I'd bet the security of my network on).
  • I had a phone virus. (Score:5, Informative)

    by celardore (844933) on Tuesday July 25, 2006 @09:54AM (#15776057)
    I looked it up on the net, and out what it was. Can't remember off the top of my head though. It's purpose was to spread itself to other Nokia bluetooth enabled devices, and apparently in the early hours of the morning it would call premium rate numbers.

    Trouble was, it hammered the battery with its constant bluetooth searching that it would only last a few hours before dying. Plus the constant "bluetooth busy" symbol on the phone was a dead giveaway.

    Funilly enough, it was F-Secure that I used to get rid of it.
    • In the Philippines, state of the art cellphones are status symbols. Your Nokia 6600 is something to brag about, sort of like what we would do if we got a new Mercedes or BMW here in the US.

      So a close friend of mine had a Nokia 6600 and she told me "Something is wrong. I think Celly is sick."

      I took a look at "Celly", my name for her cellphone. You see, in the Philippines the girls just love their cellphones, and if you want to be around a Filipina, you quickly get used to the fact that her cellphone is a
  • FUD is what sells the product, one can expect that it will apply to cell phones and all other new devices that even have one virus written for them.
    • That's akin to claiming that anything security related is sold by creating FUD. Unfortunately, there IS a real threat out there. At least if you have a PC and if you are running Windows. 99% of the current malware is targeted for this platform, and (since it's profitable) people invest a LOT of time and effort to find and abuse code bugs, buffer overflows or simply user dumbness.

      A security product can help there. It is, to a degree, pleading guilty of being too stupid to keep your system secure (or using a
  • CA should know. (Score:3, Insightful)

    by GomezAdams (679726) on Tuesday July 25, 2006 @10:35AM (#15776340)
    If anyone knows about criminal activities for fun and profit it'd have to be CA.
    • Yes, the company that was caught for illegaly financial activities by there top managment, and then they made all their employees go to Ethics traning...except for the top managers.
  • by lonesome phreak (142354) on Tuesday July 25, 2006 @10:36AM (#15776348) Journal
    "user interaction is required for any viruses to spread" So? We recently had a virus at my work (a large fortune 500 company) that required you to open up a zip file, put in a supplied 6-digit password from the email into the application the zipfile opened, and run the executible application. We still had people do this, because they thought it was "secret pictures" or something from their co-workers.

    A virus could require you to bleed onto the keyboard by stabbing yourself in the hand. If it promised nude pics and said it was from someone you know, there are enough people out there that will run it to give me a headache.
  • by psbrogna (611644) on Tuesday July 25, 2006 @11:03AM (#15776559)
    After listening to the fud exchange between these two parties I just realized the major reason I use OSS.


    It's been said that people use OSS because it's free, more secure, performs better, architected better ... all things I do take into consideration.


    However I think I like OSS most because there's no marketing department intruding into my life and in many cases lying to me.


    Let's all raise our glasses to this wonderful phenomenon.

  • I guess... (Score:1, Interesting)

    by Anonymous Coward
    people only make viruses that destroy files because they need the money. Otherwise the comment "criminals do not have an economic incentive to develop malicious code " wouldn't be made right? Personally I know a number of people that might try something like that just to see if they could. My guess would be that none of them would do anything damaging but imagine if you could make a virus that changed you ringtone to something else. On the side of non communication between different phone makers well ge
  • It's messages like that that give the AV biz a bad name.

    Do cell viruses exist? Yes. At least they did, as far as I know there used to be a few repackaged installers for Symbian based cells that got tainted. That was, though, something you could easily handle with a PC based scanner. Since those tainted kits were invariably available from shady sites or P2P, but none from legit download-to-cell sites, you could very easily squish that bugger when it had to pass through your PC.

    Afaik, Symbian closed that hole
  • by collectivescott (885118) on Tuesday July 25, 2006 @11:31AM (#15776750)
    Are these guys kidding? This is a mobile phone, there's plenty of financial incentives for viruses. Mainly in the form of 900 numbers or text messages. Check out this Symbian virus: http://www.newscientist.com/article.ns?id=dn6273&l pos=home1 [newscientist.com]
    • I was just about to post that very idea (900 numbers). Not to mention you could send people trying to call Dominos to Pizza Hut, etc. Not to mention the "requires user action" tidbit -- once you get control of the phone, every keypress to dial a number is a "user action" that could do *something*.

      That is not to say that folks might not be over-hyping the risks, but the start of this discussion was definitely UNDER-hyping the risks.

  • by mpapet (761907) on Tuesday July 25, 2006 @11:44AM (#15776836) Homepage
    Reporter asks Hillary: "Why did you climb Everest?"

    Hillary: "Because it's there"

    Same story, different environment.
  • How about phone companies go back to using older phones that didn't use these stupid operating systems and go back to pure hardware-logic controlled phones like the older Nokia phones? Then the cell companies could advertise "More secure from Viruses compared to X-brand phone with such-an-such OS!"

    Nevermind, I forgot, cell companies NEED that kind of OS because everyone and their mom has to have a camera/minicamcorder/flashlight/mp3 player in their damned phone now. Hey, there's a thought - The more the
  • These scare tactics have a wider scope in the mobile market; see Microsoft's new application security model. Now, every binary you install on a smartphone has to be signed by a certificate authority (Verisign or GetTrust I think). Developers get the shaft since they don't allow you to purchase your own certificate, you have to purchase blocks of "signing events" that us use for the authority to sign your binaries for you. The events are individually cheap, but if you have to resign every installer and up
  • "...undermining the relationship of trust that has been established between the industry and vendors."

    What trust?

  • by sm62704 (957197)
    When I hear about somebody getting a real, actual virus on a Linux machine I'll buy some Linux anti-virus.

    Same thing with the phone.

To downgrade the human mind is bad theology. - C. K. Chesterton

Working...