Monday, July 24, 2006

cutting through the mobile malware mess

techdirt, renowned for its technical acumen (in other words its signal to noise ratio is just slightly better than the garbage heap of the internet known as slashdot), has a post today that basically roasts f-secure for spreading mobile malware FUD... small problem - i couldn't find the FUD even after following all their links to supposed examples...

let's take a closer look, shall we?

from silicon.com:
Sal Viveros, wireless security evangelist at McAfee, said F-Secure's figures are largely in line with industry figures in terms of the total number of mobile viruses but added such viruses have largely been "proof of concept" to date and pose little threat to users.
ok, so we've got independent verification of f-secure's figures on the total number of mobile malware instances - score 1 for f-secure...

from a different article on silicon.com:
"The number of proof of concept viruses is increasing but that's not to say there has been an increase in the risk of infestation or that there is any need for panic or worry."
the person making this statement (david wood of symbian, the company holding the largest stake in the mobile phone market - aka the microsoft of the mobile phone market) clearly doesn't understand the nature of risk... the more instances of malware out there the greater the chance of a particular user encountering one of them, and therefore the greater the risk...

from the same article:
He added that these viruses will only spread with user permission and conceded that in very rare instances a user could contrive to infect their phone.
which shows that he clearly doesn't understand what's really going on in a mobile infection scenario... the no option doesn't work - you choose no and the prompt just comes back... press no again and the same thing happens... cabir and similar worms will just keep trying and effectively DoS the phone until the user chooses yes... user interaction is a non-issue if the user isn't given a real choice...

(see the video evidence here, it starts about 26 minutes in)

[edit - there's a better view of the video evidence here, starting at about 1 hour and 26 minutes]

from an article at vnunet.com:
"Phone viruses so far have been spreading over Bluetooth, so they only affect phones that are within a few metres. A MMS virus can potentially go global in minutes, just like an email worm," warned F-Secure's antivirus laboratory.
now that is a little troubling that it says minutes - because mikko hypponen, in the video referenced above, says 24 hours (both for mobile phone viruses and for email viruses) and he explains why... it's correct that it has the same potential speed as email worms but minutes seems like an error, either on the f-secure rep's side or (more likely, since they're known for botching these sorts of things) the reporter's side...

at any rate, saying a type of virus has the potential to do X is quite a bit different than saying a particular virus will do X or is likely to do X (which is the implication techdirt makes here)...

and from the zdnet.co.uk article that triggered the current thread at techdirt:
"F-Secure is saying there's a huge risk of malcode spreading, but they've built this up," said Simon Perry, European vice president of security for CA. "If you look at their behaviour, they've consistently pushed this message. But it's a theoretical, not a real threat," he added.
i don't know where mr. perry is getting this - mikko hypponen (again in the video referenced above) made it seem pretty clear to me that mobile viruses are not anywhere near as problematic as their pc counterparts... susceptible phones are comparatively quite rare, and most of the malware can only spread to other phones that are physically nearby... that doesn't sound like a huge risk to me... he does mention some big total numbers (in the tens of thousands) but considering the law of large numbers as it applies to this situation that doesn't really raise eyebrows...

furthermore, in the same zdnet article an f-secure representative is quoted:
"I have difficulty understanding how this can be bad for [the antivirus] business. This is not a mass problem for all consumers, but our solution is available to those who need it, and there are people who need it today," Impivaara added.
it seems hard to imagine how f-secure could be making mobile malware out to be a huge risk when they're quoted in the media as saying the opposite...

still, techdirt has persisted in laying the FUD spreader charge against f-secure for some time now, not unlike what many other community sources (slashdot and digg are the 2 glaring examples) have done to many other vendors... it bears a striking similarity to the reaction you get whenever you suggest there are genuine security risks in mac osx or linux... i thought at first it might just be one site or 2 sites, but the pattern that is emerging seems more widespread - it seems to have something to do with the wisdom of mobs where the wisdom of crowds fails due to the signal to noise ratio being too low... the reality is that he who yells loudest has the most individual impact on the whole and without sufficient real wisdom to counteract that impact the whole becomes an ignorant mob...
