Network World
Monday, December 1, 2008

Now This is Really Scary

I recently attended the New England Information Security Forum, one of a series of events sponsored by IANS (aka the Institute for Applied Network Security). These are closed, no-press conferences which have a Confidentiality Statement associated with them that generally prohibits discussion of anything one might hear in sessions or elsewhere. This is, BTW, good security practice. Neither I nor anyone else I spoke with discussed the actual solutions they had in place. I recommend this position to everyone. OK, there I am already, talking about what I heard. But I have permission in this case, which I obtained because there was one session I attended that presented truly scary information regarding the security of wireless networks and mobile devices, and this you need to read.

The session in this case was presented by researcher and IANS faculty member Aaron Turner; you may be able to find some info on him on the Web. He had two key messages:

  1. Network security is, um, perhaps nonexistent. Aaron noted the case of the tapping of the cell phone of the Prime Minister of Greece during the 2004 Olympics. This is a great story - no one knows how this happened, but it did. Note that all communications infrastructure (in the US, anyway) has a back door for lawful intercept under CALEA, but this facility can be misused as well. According, for example, to ABC News, the National Security Agency has been illegally eavesdropping on plain old US citizens. I always advise clients that, digital or not, voice is hardly secure. Data can of course be made secure to a great degree, and that's something the enterprise can - and should and must - control. And did I mention that it's possible for a cellular handset to be powered on and apparently offline, but still connected to an eavesdropper? This is another good reason to insist that cell phones be turned off during meetings (and maybe at lots of other times as well - I turn my handset on only to make a call and check for messages).
  2. Device security is, um, perhaps nonexistent. Aaron likes Windows Mobile and the BlackBerry OS as the best of a rather poor crop, but, let's face it, mobile operating systems are following the evolutionary path of their PC and server brethren. Security is an afterthought at best in today's platforms, and, given that (a) they are designed to be remotely updated, (b) applications of unknown origin are allowed to execute, and (c) firewalls and such are rudimentary at best if they exist at all, mobile devices are likely a security disaster waiting to happen. You may be able to find third-party apps that partially address this concern, but I think mobile OSes are no different from any other - security has to be designed in, or we won't have it. Even after zillions of patches, does anyone really think Windows is secure?

And all of this left me with a cold, clammy feeling (the opposite of the proverbial warm, fuzzy feeling) that everything is far from OK in the mobile security world. We're making the same mistakes here that we did in non-mobile IT - platforms and devices that are anything but secure, and networks that, well, are pretty much the same. This is perhaps the biggest challenge facing mobility going forward, and far too little attention is being paid to the problem. All of the security vulnerabilities that exist in wired networks and PCs - bots, viruses, rootkits, you name it - exist in wireless networks and mobile devices, and this needs to get fixed. Yes, even scarier than the stock market these days.
