'Security not just about user education'

Education is not a viable solution for preventing security issues, according to Patrik Runald, F-Secure's senior security specialist.

Runald said systems are often compromised in spite of the user practising safe computing. "Even if the user is doing all the right things - making sure the page is encrypted, not opening attachments, for example - they [still] get infected. Education can only go so far," he noted.

Runald said the rising occurrence of "drive-by" downloads is "most worrying", referring to the situation whereby a Trojan, embedded in a website, surreptitiously downloads itself onto a user's system when the page is visited.

He said: "It doesn't have to be a dodgy site. It could be anywhere. You visit the site - bang - you get hit."

A Trojan could be sitting undetected in a user's system until it gets activated, for example when a user logs into a banking website.

The only solution, the security expert said, is vigilance in ensuring all security software is constantly updated, so the user can be protected from threats they do not see.

He said: "Even if people have been educated on safe surfing, they either forget or don't care."

Runald also noted that the technology is available to cause serious damage on mobile devices: "All the pieces are in place for a mobile malware outbreak."

According to the security expert, 99 per cent of mobile malware is targeted at the Symbian operating system because it is the market leader and its source code is open, making it easier to examine the OS for vulnerabilities.

Malware can also be spread quickly via Bluetooth or MMS, making its proliferation easier, Runald said.

But closed operating systems are not necessarily safer. Referring to Apple's iPhone, Runald said: "In theory, by having a closed OS, it should be safer. But remember that it didn't take long after its release for people to crack it and run third-party applications. Its file system was also made accessible through cracking, and this opened the system to a lot of danger."

Offering an explanation as to why a mobile malware pandemic has not yet occurred, Runald said there has not been a concerted effort by mobile virus coders because they tend to be "kids" who are interested in "a bit of fame and mischief", rather than being motivated by profit like those who code for PCs.

However, Runald cautioned that this does not rule out the possibility of a mobile malware outbreak. "The end game is money. Phones have a built-in billing system by being connected to a user's account. We're certain something will eventually happen," he said.

Victoria Ho writes for ZDNet Asia