-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cyber Security Tip ST06-007
Defending Cell Phones and PDAs Against Attack
As cell phones and PDAs become more technologically advanced,
attackers are finding new ways to target victims. By using text
messaging or email, an attacker could lure you to a malicious site or
convince you to install malicious code on your portable device.
What unique risks do cell phones and PDAs present?
Most current cell phones have the ability to send and receive text
messages. Some cell phones and PDAs also offer the ability to connect
to the internet. Although these are features that you might find
useful and convenient, attackers may try to take advantage of them. As
a result, an attacker may be able to accomplish the following:
* abuse your service - Most cell phone plans limit the number of
text messages you can send and receive. If an attacker spams you
with text messages, you may be charged additional fees. An
attacker may also be able to infect your phone or PDA with
malicious code that will allow them to use your service. Because
the contract is in your name, you will be responsible for the
charges.
* lure you to a malicious web site - While PDAs and cell phones that
give you access to email are targets for standard phishing
attacks, attackers are now sending text messages to cell phones.
These messages, supposedly from a legitimate company, may try to
convince you to visit a malicious site by claiming that there is a
problem with your account or stating that you have been subscribed
to a service. Once you visit the site, you may be lured into
providing personal information or downloading a malicious file
(see Avoiding Social Engineering and Phishing Attacks for more
information).
* use your cell phone or PDA in an attack - Attackers who can gain
control of your service may use your cell phone or PDA to attack
others. Not only does this hide the real attacker's identity, it
allows the attacker to increase the number of targets (see
Understanding Denial-of-Service Attacks for more information).
* gain access to account information - In some areas, cell phones
are becoming capable of performing certain transactions (from
paying for parking or groceries to conducting larger financial
transactions). An attacker who can gain access to a phone that is
used for these types of transactions may be able to discover your
account information and use or sell it.
What can you do to protect yourself?
* Follow general guidelines for protecting portable devices - Take
precautions to secure your cell phone and PDA the same way you
should secure your computer (see Cybersecurity for Electronic
Devices and Protecting Portable Devices: Data Security for more
information).
* Be careful about posting your cell phone number and email address
- Attackers often use software that browses web sites for email
addresses. These addresses then become targets for attacks and
spam (see Reducing Spam for more information). Cell phone numbers
can be collected automatically, too. By limiting the number of
people who have access to your information, you limit your risk of
becoming a victim.
* Do not follow links sent in email or text messages - Be suspicious
of URLs sent in unsolicited email or text messages. While the
links may appear to be legitimate, they may actually direct you to
a malicious web site.
* Be wary of downloadable software - There are many sites that offer
games and other software you can download onto your cell phone or
PDA. This software could include malicious code. Avoid downloading
files from sites that you do not trust. If you are getting the
files from a supposedly secure site, look for a web site
certificate (see Understanding Web Site Certificates for more
information). If you do download a file from a web site, consider
saving it to your desktop and manually scanning it for viruses
before opening it.
* Evaluate your security settings - Make sure that you take
advantage of the security features offered on your device.
Attackers may take advantage of Bluetooth connections to access or
download information on your device. Disable Bluetooth when you
are not using it to avoid unauthorized access (see Understanding
Bluetooth Technology for more information).
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use
<http://www.us-cert.gov/legal.html>
This document can also be found at
<http://www.us-cert.gov/cas/tips/ST06-007.html>
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRNpBbOxOF3G+ig+rAQL1vAgAmyw1/NLysRWQV/SXUSaAQpSRtT2MDHPK
CNTwTnCZB5P5lgST6/GUIbuWJ7TJEA5gVMR1jWs8gjbmJAgpYauo3CNM/G6yVP/M
EEi52AhsC951SiTT587SIX4//SZ/u+O6UbRG80dJ+RNOO1oNKnHea5OOxv2jWSG0
T9I3iEoBiTAW52W8qsnPwiZuJ+bymI3Z5BbMYZj3K452N9H15drfmSmz5nHQaD7c
gdOT4rR/k/aea7/ZnFoaQXbfY6c/Tz/xcDdeFKErLZR1AFtUcV7Udwos6hgCOon9
W++xb1Df81g2IaNWX6AOnA57Z9QnbIU1iWeUotVg3CEQuP1+D4RYmg==
=6PyE
-----END PGP SIGNATURE-----
