US-CERT Cyber Security Tip ST06-007 -- Defending Cell Phones and PDAs Against Attack

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                       Cyber Security Tip ST06-007
             Defending Cell Phones and PDAs Against Attack

   As cell phones and PDAs become more technologically advanced,
   attackers are finding new ways to target victims. By using text
   messaging or email, an attacker could lure you to a malicious site or
   convince you to install malicious code on your portable device.

What unique risks do cell phones and PDAs present?

   Most  current  cell  phones  have the ability to send and receive text
   messages.  Some cell phones and PDAs also offer the ability to connect
   to  the  internet.  Although  these  are  features that you might find
   useful and convenient, attackers may try to take advantage of them. As
   a result, an attacker may be able to accomplish the following:
     * abuse  your  service  -  Most cell phone plans limit the number of
       text  messages  you can send and receive. If an attacker spams you
       with  text  messages,  you  may  be  charged  additional  fees. An
       attacker  may  also  be  able  to  infect  your  phone or PDA with
       malicious  code  that will allow them to use your service. Because
       the  contract  is  in  your  name, you will be responsible for the
       charges.
     * lure you to a malicious web site - While PDAs and cell phones that
       give  you  access  to  email  are  targets  for  standard phishing
       attacks,  attackers  are now sending text messages to cell phones.
       These  messages,  supposedly from a legitimate company, may try to
       convince you to visit a malicious site by claiming that there is a
       problem with your account or stating that you have been subscribed
       to  a  service.  Once  you  visit  the site, you may be lured into
       providing  personal  information  or  downloading a malicious file
       (see  Avoiding  Social  Engineering  and Phishing Attacks for more
       information).
     * use  your  cell phone or PDA in an attack - Attackers who can gain
       control  of  your service may use your cell phone or PDA to attack
       others.  Not  only does this hide the real attacker's identity, it
       allows  the  attacker  to  increase  the  number  of  targets (see
       Understanding Denial-of-Service Attacks for more information).
     * gain  access  to  account information - In some areas, cell phones
       are  becoming  capable  of  performing  certain transactions (from
       paying  for  parking  or  groceries to conducting larger financial
       transactions).  An attacker who can gain access to a phone that is
       used  for these types of transactions may be able to discover your
       account information and use or sell it.

What can you do to protect yourself?

     * Follow  general  guidelines for protecting portable devices - Take
       precautions  to  secure  your  cell phone and PDA the same way you
       should  secure  your  computer  (see  Cybersecurity for Electronic
       Devices  and  Protecting  Portable Devices: Data Security for more
       information).
     * Be  careful about posting your cell phone number and email address
       -  Attackers  often  use software that browses web sites for email
       addresses.  These  addresses  then  become targets for attacks and
       spam  (see Reducing Spam for more information). Cell phone numbers
       can  be  collected  automatically,  too. By limiting the number of
       people who have access to your information, you limit your risk of
       becoming a victim.
     * Do not follow links sent in email or text messages - Be suspicious
       of  URLs  sent  in  unsolicited  email or text messages. While the
       links may appear to be legitimate, they may actually direct you to
       a malicious web site.
     * Be wary of downloadable software - There are many sites that offer
       games  and other software you can download onto your cell phone or
       PDA. This software could include malicious code. Avoid downloading
       files  from  sites  that  you do not trust. If you are getting the
       files  from  a  supposedly  secure  site,  look  for  a  web  site
       certificate  (see  Understanding  Web  Site  Certificates for more
       information).  If you do download a file from a web site, consider
       saving  it  to  your  desktop and manually scanning it for viruses
       before opening it.
     * Evaluate  your  security  settings  -  Make  sure  that  you  take
       advantage  of  the  security  features  offered  on  your  device.
       Attackers may take advantage of Bluetooth connections to access or
       download  information  on  your device. Disable Bluetooth when you
       are  not  using it to avoid unauthorized access (see Understanding
       Bluetooth Technology for more information).
     _________________________________________________________________

      Author: Mindi McDowell
     _________________________________________________________________

      Produced 2006 by US-CERT, a government organization.
  
      Terms of use
 
      <http://www.us-cert.gov/legal.html>
  
      This document can also be found at
 
      <http://www.us-cert.gov/cas/tips/ST06-007.html>
 

      For instructions on subscribing to or unsubscribing from this
      mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
     
     
     
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRNpBbOxOF3G+ig+rAQL1vAgAmyw1/NLysRWQV/SXUSaAQpSRtT2MDHPK
CNTwTnCZB5P5lgST6/GUIbuWJ7TJEA5gVMR1jWs8gjbmJAgpYauo3CNM/G6yVP/M
EEi52AhsC951SiTT587SIX4//SZ/u+O6UbRG80dJ+RNOO1oNKnHea5OOxv2jWSG0
T9I3iEoBiTAW52W8qsnPwiZuJ+bymI3Z5BbMYZj3K452N9H15drfmSmz5nHQaD7c
gdOT4rR/k/aea7/ZnFoaQXbfY6c/Tz/xcDdeFKErLZR1AFtUcV7Udwos6hgCOon9
W++xb1Df81g2IaNWX6AOnA57Z9QnbIU1iWeUotVg3CEQuP1+D4RYmg==
=6PyE
-----END PGP SIGNATURE-----

[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux