It Has Been Said That a Smartphone Is “a Microcomputer in Your Hand.” Discuss the Security Implications of This Statement. Most People Are Unaware That Their Cell Phones Are Just as Vulnerable to Cyber Attacks as Their

Submitted By JOEAWUKU
Words 2351
Pages 10
Case Study One
Read the following case and answer questions below.
How Secure Is Your Smartphone?
Have you ever purchased antivirus software for your iPhone, Android, or cell phone? Probably not. Many users believe that their iPhones and Androids are unlikely to be hacked into because they think Apple and Google are protecting them from malware apps, and that the carriers like Verizon and AT&T can keep the cellphone network clean from malware just as they do the land phone line system. (Telephone systems are “closed” and therefore not subject to the kinds of attacks that occur on the open Internet.)
Phishing is also a growing smartphone problem. Mobile users are believed to be three times more likely to fall for scams luring them to bogus Web sites where they reveal personal data. Why? Because mobile devices are activated all the time, and small-screen formatting makes the fraud more difficult to detect.
So far there has not been a major smartphone hack resulting in millions of dollars in losses, or the breach of millions of credit cards, or the breach of national security. But with 74 million smartphone users in the United States, 91 million people accessing the Internet from mobile devices, business firms increasingly switching their employees to the mobile platform, consumers using their phones for financial transactions and even paying bills, the size and richness of the smartphone target for hackers is growing.
In December 2010, one of the first Android botnets, called “Gemini,” was discovered. The code was wrapped inside a legitimate Android app whose developers did not realize they were spreading malware. iPhones worldwide were hacked by a worm called “Rick Roll” used to create a botnet for stealing online banking information. In March 2011, Google discovered a botnet called DroidDream, code for which was found in 50 infected apps. Apple iPhones had a known security issue with PDF files. When an iPhone user opened PDF files, there was a possibility the files contained code that could take over the user's iPhone completely.
Apps are one avenue for potential security breaches. Apple, Google, and RIM (BlackBerry) offer over 700,000 apps collectively. Apple claims that it examines each and every app to ensure that it complies with Apple’s iTunes rules, but risks remain. In April 2008, Apple pulled a popular game from its iTunes Store when the program was discovered harvesting users’ contact lists (names, telephone numbers, e-mail and postal mail addresses) and sending them to the firm’s own servers without the user's knowledge. Later, Apple announced it had removed hundreds of other apps because of similar security concerns.
Apple iTunes app rules make some user information available to all app programs by default, including the user’s GPS position and name. However, a rogue app could easily do much more. A Swiss researcher named Nicolas Seriot built a test app called “SpyPhone” that was capable of tracking users and all their activities, then transmitting this data to remote servers, all without user knowledge. The app harvested geolocation data, passwords, address book entries, and e-mail account information. Apple removed the app once it was identified. The fact that this proof-of-concept app was accepted by the iTunes staff of reviewers suggests that Apple cannot effectively review new apps prior to their use. Thousands of apps arrive each week. Apple’s iPhone does not inform users what information apps are using, but does restrict the information that can be collected by any app.
Security on the Android platform is much less under Google’s control because it has an open app model. Google does not review any of the apps for the Android platform, but instead relies on technical hurdles to limit the impact of malicious code, as well as user and security expert feedback. Google apps run in a “sandbox,” where they cannot affect one another or manipulate device features without user permission. Android apps can use any personal information found on an Android phone but they must also inform the user what each app is capable of doing, and what personal data it requires. Google removes from its official Android Market any apps that break its rules against malicious activity. One problem: users may not pay attention to permission requests and simply click “Yes” when asked to grant permissions.
Google can perform a remote wipe of offending apps from all Android phones without user intervention. A wonderful capability, but itself a security threat if hackers gain access to the remote wipe capability at Google. Google does take preventive steps to reduce malware apps such as vetting the backgrounds of developers, and requiring developers to register with its Checkout payment service (both to encourage users to pay for apps using their service but also to force developers to reveal their identities and financial information).
Beyond the threat of rogue apps, smartphones of all stripes are susceptible to browser-based malware that takes advantage of vulnerabilities in all browsers. In addition, most smartphones, including the iPhone, permit the manufacturers to remotely download configuration files to update operating systems and security protections. Unfortunately, cryptologists in 2010 discovered a flaw in the public key encryption procedures that permit remote server access to iPhones. The result: “There is absolutely no reason for an iPhone/iPod to trust root Certificate Authorities which are the foundation for public key encryption of files for over-the-air mobile configuration downloads.”
So far there have been few publicly identified, large-scale, smartphone security breaches. In 2011, the biggest security danger facing smartphone users is that they will lose their phone. In reality, all of the personal and corporate data stored on the device, as well as access to corporate data on remote servers, are at risk.
For security analysts, large-scale smartphone attacks are just disasters waiting to happen.

Sources: Byron Acohido, “Android, Apple Face Growing Cyberattacks,” USA Today, June 3, 2011; John Stankey, “AT&T Plans Smartphone Security Service for 2012,” AT&T Enterprise CTO, interview May 16, 2011; Brad Reed, “Smartphone Security Follies: A Brief History,” Network World, April 18, 2011; Jesus Diaz, “Apple Security Breach Gives Complete Access to Your iPhone,” Gizmodo.com, August 3, 2010; and Cryptopath.com, “iPhone Certificate Flaws, iPhone PKI Handling Flaws,” by Cryptopath.com, January 2010.

Questions
1. It has been said that a smartphone is “a microcomputer in your hand.” Discuss the security implications of this statement. 5 marks
2. What people, organizational, and technology issues must be addressed by smartphone security? 5 marks
3. What problems do smartphone security weaknesses cause for businesses? 5 marks
4. What steps can individuals and businesses take in order to make their smartphones more secure? 5 marks

Smartphones have many of the same computing features and capabilities as any laptop, desktop, or client/server computing network, making them just as vulnerable to malware. Hardly anyone would leave a typical computer unprotected against security threats, yet most people don't think about protecting a smartphone the same way. With 74 million smartphone users in the United States, 91 million people accessing the Internet from mobile devices, business firms increasingly switching their employees to the mobile platform, and consumers using their phones for financial transactions, paying bills, and shopping, the size and richness of the smartphone target for hackers is growing.

Case Study Two
Read the following case and answer questions below.
The Battle Over Net Neutrality
What kind of Internet user are you? Do you primarily use the Net to do a little e-mail and look up phone numbers? Or are you online all day, watching YouTube videos, downloading music files, or playing online games? If you have a smartphone, do you use it to make calls and check the Web every so often, or do you stream TV shows and movies on a regular basis? If you’re a power Internet or smartphone user, you are consuming a great deal of bandwidth, and hundreds of millions of people like you might start to slow the Internet down. YouTube consumed as much bandwidth in 2007 as the entire Internet did in 2000, and AT&T’s mobile network will carry more data in the first two months of 2015 than in all of 2010.
If user demand for the Internet overwhelms network capacity, the Internet might not come to a screeching halt, but users would be faced with very sluggish download speeds and slow performance of Netflix, Spotify, YouTube, and other data-heavy services. Heavy use of iPhones in urban areas such as New York and San Francisco has already degraded service on the AT&T wireless network. AT&T reports that 3 percent of its subscriber base accounts for 40 percent of its data traffic.
Some analysts believe that as digital traffic on the Internet grows, even at a rate of 50 percent per year, the technology for handling all this traffic is advancing at an equally rapid pace. But regardless of what happens with Internet infrastructure, costs for Internet providers will continue to increase, and prominent media companies are searching for new revenue streams to meet those costs. One solution is to make Internet users pay for the amount of bandwidth they use. But metering Internet use is not universally accepted, because of an ongoing debate about network neutrality.
Network neutrality is the idea that Internet service providers must allow customers equal access to content and applications, regardless of the source or nature of the content. Presently, the Internet is indeed neutral: all Internet traffic is treated equally on a first-come, first-served basis by Internet backbone owners. However, this arrangement prevents telecommunications and cable companies from charging differentiated prices based on the amount of bandwidth consumed by content being delivered over the Internet. These companies believe that differentiated pricing is “the fairest way” to finance necessary investments in their network infrastructures.
Internet service providers point to the upsurge in piracy of copyrighted materials over the Internet. Comcast, the second largest U.S. Internet service provider, reported that illegal file sharing of copyrighted material was consuming 50 percent of its network capacity. In 2008, the company slowed down transmission of BitTorrent files used extensively for piracy and illegal sharing of copyrighted materials, including video. The Federal Communications Commission (FCC) ruled that Comcast had to stop slowing peer-to-peer traffic in the name of network management. Comcast then filed a lawsuit challenging the FCC’s authority to enforce network neutrality. In April 2010, a federal appeals court ruled in favor of Comcast that the FCC did not have the authority to regulate how an Internet provider manages its network. This was a considerable blow to net neutrality. In late 2010, Comcast reportedly began charging Level 3 Communications, which helps stream Netflix’s movies, an additional fee for continued normal service. Level 3 asked the FCC to investigate the action.
Groups favoring net neutrality are pushing Congress to find ways to regulate the industry to prevent network providers from adopting Comcast-like practices. The strange alliance of net neutrality advocates includes MoveOn.org, the Christian Coalition, the American Library Association, every major consumer group, and a host of bloggers and small businesses.
Net neutrality advocates argue that the risk of censorship increases when network operators can selectively block or slow access to certain content such as Netflix video streams or access to competing low-cost services such as Skype. Proponents of net neutrality also argue that a neutral Internet encourages everyone to innovate without permission from the phone and cable companies or other authorities, and this level playing field has spawned countless new businesses. Allowing unrestricted information flow becomes essential to free markets and democracy as commerce and society increasingly move online.
Network owners believe regulation to enforce net neutrality will impede U.S. competitiveness by stifling innovation, discouraging capital expenditures for new networks, and curbing their networks’ ability to cope with the exploding demand for Internet and wireless traffic. U.S. Internet service lags behind many other nations in overall speed, cost, and quality of service, adding credibility to this argument.
And with enough options for Internet access, regulation would not be essential for promoting net neutrality. Dissatisfied consumers could simply switch to providers who enforce net neutrality and allow unlimited Internet use.
In December 2010, the FCC approved measures that would allow the federal government to regulate Internet traffic. Broadband providers will be required to provide information regarding Internet speeds and service to their subscribers, and they cannot block access to sites or products that compete against their own products. However, the regulations did not officially safeguard net neutrality, and wireless providers may block applications that use too much bandwidth. Wireless providers have already moved to develop tiered plans that charge heavy bandwidth users larger service fees, and online content providers like Amazon and Netflix have increased lobbying efforts to persuade Congress to allow them to do the same. Internet- and content-providers are both pushing hard for tiered systems where those that pay the most get the best service.

Sources: John Eggerton, “Net Neutrality Rules Signed Off On By OMB,” Broadcasting & Cable, September 13, 2011; Jenna Wortham, “As Networks Speed Up, Data Hits a Wall,” New York Times, August 14, 2011; “FCC Approves Net Neutrality But With Concessions,” eWeek, December 22, 2010; Brian Stelter, “Comcast Fee Ignites Fight Over Videos on Internet,” New York Times, November 30, 2010; Roger Cheng, “AT&T Sees Hope on Web Rules,” Wall Street Journal, August 12, 2010; Amy Schatz, “New U.S. Push to Regulate Internet Access,” Wall Street Journal, May 5, 2010; and Claire Cain Miller, “Web Plan is Dividing Companies,” New York Times, August 11, 2010.

Questions
1. What is network neutrality? Why has the Internet operated under net neutrality up to this point in time? 5 marks
2. Who’s in favor of net neutrality? Who’s opposed? Why? 5 marks
3. What would be the impact on individual users, businesses, and government if Internet providers switched to a tiered service model? 5 marks
4. Are you in favor of legislation enforcing network neutrality? Why or why not? 5 marks
