Mobile phones: An ear full of worms

"It's really important to defend the network at the edge and not let spam viruses in the front door," said David Staas, director of the antivirus team at Openwave Systems, which provides mobile phone software and messaging technology. "But some will still trickle through. Here is where a second line of defense is necessary."

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

Openwave, for instance, has developed a new system that secures a messaging network at the instance of an attack, preventing spammers from exploiting vulnerabilities while they are being eliminated.

Nokia's infrastructure arm also provides a range of security equipment to operators beyond basic firewall systems. Its Message Protection Server, for instance, filters out potentially harmful e-mail, while its Operator Delivery Server inspects all downloaded content. The Finnish manufacturer is also offering additional security through its mobile VPN (virtual private network) client and SSL (Secure Sockets Layer) encryption for Web-based applications.

As for downloads -- a prime source of viruses -- two new application certification programs aim to ensure quality and, above all, trustworthiness. The Java Verified program was launched earlier this year by several vendors, including Motorola, Nokia, Siemens, Sony Ericsson Mobile Communications, and Sun Microsystems to provide a unified process for testing and certifying Java-based applications for mobile phones. Two of Europe's largest mobile phone operators, Orange and T-Mobile International, have since adopted the plan.

The Symbian Signed program provides a service for testing and certifying Symbian OS-based applications that meet a set of criteria. The initiative, which includes Nokia, Sendo International, and Sony Ericsson, aims, among other things, to ensure a thriving market for trusted applications.

In addition to these initiatives several other organizations are developing standards for security systems in mobile devices, including the Trusted Computing Group, the Open Mobile Alliance, and the European Telecommunications Standards Institute (ETSI).

How effective these security efforts will be remains to be seen, however. For one, users will need to cooperate and should be given the tools to do so. "They should have the ability to set preferences, like their own block list, for instance," said Staas. "They should also be able to set their sensitivity level for spam, say, for high, medium and low control."

For another, operators shouldn't wait for a virus to bring down their network or, as was the case recently in the U.S., allow abusive spam to potentially scare away lucrative customers.

"The CEO of a big mobile operator with many businesses customers got a call from the chief executive officer of one of his customers," said Staas. "The night before, this business customer received a text message at 2 a.m. His wife thought it was urgent so she got up and read what turned out to be a sexually explicit text. He was furious."

What's encouraging, from a security perspective, is that "the mobile phone executive turned around the very next day and told his team to make security a top priority," Staas said.

Sometimes, a little spam can go a long way.