PDA Security, the Next Big Hurdle for IT?
Jack writes "ITO published an article on a new secure PDA requested by the NSA. 'General Dynamics inked an $18 million contract with the secretive National Security Agency to design and develop a secure mobile personal assistant for defense workers. The PDA will integrate all types of communications including voice, data and web.'" In related news palmtops writes "Insecure Magazine has a great and in-depth article written by Seth Fogie, the VP of Airscanner.com, about Pocket PC security. His summary of PDA attacks states: 'These devices are easy to smuggle into a business and can be used to propagate an attack against network devices. Don't make the mistake of assuming a PDA is a simple data keeper. As the cliché goes... it is how you use it that matters.'"
I didn't think any one on slashdot had much to worry about when it came to Public Displays of Affection ....
It has yet to be proven that intelligence has any survival value. Arthur C. Clarke (1917 - )
From the (IN)SECURE article: How are we supposed to take this article seriously, when the author can't even spell 'pwn3d' correctly? ^_^
____
~ |rip/\/\aster /\/\onkey
to make companies bend over and grab the ankles for PocketPC AVs. Wouldn't surprise me a bit if the virus development for the various PDA platforms was unofficially sponsored by the big AV companies
My Palm is never hooked to a network, so I never really considered the need for securing it. But I have a friend with a Zaurus, and this should be a huge consideration for him considering he installed a wireless router in his apartment just to be able to use his Zaurus from the bathroom. :-)
This is just another reminder of how vigilant we must always be.
Ignore Alien Orders
It might be a little late mentioning this but the link in this snippet actually points to a 9.1 meg PDF file.
In the future it would be nice if submitters (and especially editors) actually describe the target of a link when it doesn't go to a good old fashioned HTML or XHTML page of content.
Avantslash - View Slashdot cleanly on your mobile phone.
Adjust an existing MS/Linux/other PDA with the software required to enter the secure network, and rewrite some drivers to bring the software up to date with the emerging (BUDGETOVERFLOW DETECTED) secure communications standards.
The only hardware change seems to be the Defense access card integration.
Somehow it feels like this device is going to cause a lot of embarrassment later when one gets in the wrong hands and breaks all the security at once.
My wife's sketchblog Blob[p]: Gastrono-me
I thought PDAs were on the downfall as it is. With laptops becoming cheaper and cheaper and cell phones getting more advanced, I wasn't aware that PDAs have much of a future. That being said, I still really want one.
You're assuming that it is only one PDA (TM) and that it can't be modified. The contract is to design and build a secure device from the ground up, not slap some bells and whistles on your Treo.
Believe me, if the government (especially the NSA, they're not known for wasting money) wants something, they'll get it.
I did not understand if you were trying to be humorous (and failing) or if you actually have a point (and what it is)...
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
The PDA will integrate all types of communications including voice, data and web
Riiight, so it's sort of a SMARTPHONE then? Sure PDAs could be a threat, but it's probably worth focusing more on something that everyone already has and which has all this functionality already, as well as a digital camera etc.... the ubiquitous mobile phone.
Developing, and then requiring, a "secure" PDA for all your people and then being "surprised" when information leaks via their mobile phone with the 1GB Flashcard, 2 Mega-pixel camera and Broadband 3G connection doesn't sound like a plan for tomorrow.
An Eye for an Eye will make the whole world blind - Gandhi
That all donuts are defective is shown by extensive research. The random sample taken (500) in several countries has shown that all donuts have a hole in the middle.
Since the problem is so widespread and since there does not seem to be a regulatory body concerning the properties of a donut, congressional inquiries can almost not be avoided.
In other news: Martha Stewart proposes American Donut Standard Association
I think the biggest problem is every manufacturer makes his own synchronisation software running some weird proprietary protocol. It feels like the good old days where you spent half a day setting up your dot matrix in WP 2.1, and then restarted from zero in Lotus 123. Somebody should set some standards here. A PDA/Phone should be hardware abstracted at the OS level, just like a printer. And on corporate networks, the PC should just be a USB/Bluetooth-to-ethernet router, with the PDA authenticating directly to Exchange/Notes/whatever.
10 ?"Hello World" life was simple then
Would someone please post a feed-line so I can post a funny reply and get some karma.
Thanks.
This makes a PDA sound like something it's not and it links a site's physical/personnel security to the PDA.
A /. article a while back showed that a guy stole a mainframe and he didn't use a PDA.
You can smuggle 1 GB of viral data into a facility in the roof of your mouth (SD Card) SD CARDS ARE THE NEXT THREAT TO WORLD SECURITY!!!
I think you get my point.
PDAs are computers; nowadays they are about the horsepower of a full size computer 10 years ago. That's all we need to know, and address the PHYSICAL and INFRASTRUCTURE security appropriately for them.
The number 1 hacker method will always be social engineering. A
-- Disclaimer: I can't really back up anything I post on
They want something that has already been done. All PDAs have add-on software for security already. People just have to use them. In the case of Blackberry security is already built in. People just need to use it.
I work for an agency under DoD as ADP R&D Program Manager. I think you'd be amazed at how many people are hollering for connected PDAs - and for the ones who have a real need we usually give them Blackberrys but you can't connect a Blackberry to a trusted network ;-)
Granted, most of these connected PDAs will end up in a desk drawer as soon as the user finds out how unpleasant it can be to send and receive email with a PDA, but they still want the things - and most of the people who want them outrank me. If the boss wants executive jewelry I guess it's my job to get it for him.
Common access card compatibility will be a good thing - except the resulting PDA will probably be about the size and weight of your average brick. Right now we've got more than enough challenges with PDAs as DoD requires FIPS 140-2 encryption, a firewall feature set and a virus scanner on connected PDAs.
I did send TFA to our local IA department just because I like to watch their heads spin around every once in awhile, though - the last time I did that I sent them a brochure on an NSA-approved 802.11 solution for access to *classified* computer networks.
I love my job ;-)
we see things not as they are, but as we are.
-- anais nin
If using Firefox, try this in your [profile]/chrome/userContent.css:
/* indicate PDF links */
a[href$=".pdf"]:after {
    font-size: smaller;
    content: "pdf";
}
Think I got that from another Slashdot post, can't seem to find it now though (thanks anyway, whoever posted it!)
-- Nothing unusual happened today
http://openbsd.org/zaurus.html
Nuff Said.
Chaos is Divine *
Why would we not fix desktop security first? We have not yet helped Microsoft enough.
Politics, Life, and More on my Aspiring for the Future
To steal a mainframe, one usually uses a flatbed truck with a forklift, and of course wirecutters. To steal a mainframe with a PDA that PDA really needs special features....
It is just not up to NSA standards, but in general a good software update could do the trick, except for the MoD cardreader demands then.
A PDA running OSX86?
One thing about a PDA zip case .. it is just about the same size as a pistol case for a 32 or 308.
I have never seen a guard stop a person holding a PDA case in their hand.
... would seem to be a key problem for the NSA. Blackberry servers allow admins to erase lost devices remotely, but I tend to think that "erase" is similar to an MS-DOS format - i.e., barely touch the actual filesystem. To scrub a PDA's flash disk with numerous overwrites of random data would seem to be a good trick. Similarly, having a PDA render its flash permanently unreadable would also be a good trick, given the battery constraints.
ostiguy
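The distinction the poster draws, between an "erase" that only clears the filesystem's bookkeeping and a scrub that actually overwrites the media, is easy to show on a toy flash image. The following is an added illustration, not code from this thread or from any BlackBerry or PDA firmware; the 2 KiB device, its one-block allocation table and the sample secret are all constructed for the demo.

```python
"""Toy flash image: a table-clearing "quick erase" versus a real scrub.

Added illustration (not from the post, not any real device's firmware).
The on-disk layout is invented: block 0 holds a table of 12-byte entries
(8-byte name, 2-byte start block, 2-byte length); file data follows.
"""
import os
import struct

BLOCK = 64          # constructed block size in bytes
N_BLOCKS = 32       # constructed device size: 2 KiB of "flash"
TABLE_BLOCKS = 1    # block 0 is the allocation table
ENTRY = ">8sHH"     # name, start block, length
ENTRY_LEN = struct.calcsize(ENTRY)


class ToyFlash:
    """Flat byte array with an append-only file table at the front."""

    def __init__(self):
        self.mem = bytearray(BLOCK * N_BLOCKS)
        self.next_block = TABLE_BLOCKS
        self.entries = 0

    def write_file(self, name: bytes, data: bytes) -> None:
        nblocks = -(-len(data) // BLOCK)            # ceil division
        assert self.next_block + nblocks <= N_BLOCKS, "device full"
        assert (self.entries + 1) * ENTRY_LEN <= BLOCK * TABLE_BLOCKS
        start = self.next_block
        off = start * BLOCK
        self.mem[off:off + len(data)] = data
        entry = struct.pack(ENTRY, name.ljust(8, b"\0"), start, len(data))
        self.mem[self.entries * ENTRY_LEN:(self.entries + 1) * ENTRY_LEN] = entry
        self.entries += 1
        self.next_block += nblocks

    def list_files(self) -> list:
        """What a normal filesystem walk sees: only what the table lists."""
        names = []
        for i in range(BLOCK * TABLE_BLOCKS // ENTRY_LEN):
            name, start, _ = struct.unpack_from(ENTRY, self.mem, i * ENTRY_LEN)
            if start == 0:                          # empty slot ends the table
                break
            names.append(name.rstrip(b"\0"))
        return names

    def quick_erase(self) -> None:
        """Format-style erase: zero only the table block, leave data blocks."""
        self.mem[:BLOCK * TABLE_BLOCKS] = bytes(BLOCK * TABLE_BLOCKS)
        self.entries = 0
        self.next_block = TABLE_BLOCKS

    def scrub(self, passes: int = 3) -> None:
        """Overwrite every block with random bytes `passes` times, then zeros."""
        for _ in range(passes):
            self.mem[:] = os.urandom(len(self.mem))
        self.mem[:] = bytes(len(self.mem))
        self.entries = 0
        self.next_block = TABLE_BLOCKS


def recoverable(flash: ToyFlash, secret: bytes) -> bool:
    """Forensic check: does the raw image still contain the secret bytes?"""
    return secret in bytes(flash.mem)


def demo() -> dict:
    """Run both erase methods on identical images; return (listing, recoverable)."""
    secret = b"vpn-psk:hunter2"                     # constructed sample secret
    results = {}
    for method in ("quick_erase", "scrub"):
        f = ToyFlash()
        f.write_file(b"keys.db", secret)
        assert f.list_files() == [b"keys.db"]
        getattr(f, method)()
        results[method] = (f.list_files(), recoverable(f, secret))
    return results


if __name__ == "__main__":
    for method, (listing, found) in demo().items():
        print(f"{method:12s} listing={listing} secret_recoverable={found}")
```

Both methods leave an empty file listing, which is all a remote-wipe status screen would report; only the raw-image check tells them apart. On real NAND the picture is worse than this model suggests, since wear levelling can leave old copies of a page in blocks the host never addresses, which is why the poster's "render the flash permanently unreadable" option (or keeping data encrypted and destroying only the key) is the more reliable goal.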
I was happy when the pager business finally died. That reduced the number of gizmos that I was carrying around on a daily basis from 4 to 3; the cellphone features became advanced (and cheap) enough to obsolete the pager completely. At one time, I thought that I would probably snarf up the PDA/phone combo, but I haven't yet found one that I really want to buy -- the price/performance just isn't there yet. When the PDA/cellphone combination gets cheap enough (and full-featured enough), then I envision reducing my current gizmo count to 2.
As for the laptop, it looks like that will be around for a while. At this point, the PDA just doesn't have the display or input capability to make it the all-in-one personal computing tool. In order for a PDA-sized device to displace the laptop, the I/O needs to get way more advanced, something on the order of a combination ocular/cochlear implant and voice (or better yet, thought ) recognition.
What are the security folks gonna do when the day comes that you can look at a document and issue a thought-command " copy "? I'm guessing that will be the end of paper documents; to be replaced entirely by electronic (and encrypted) communications for all purposes, including money.
Concealed Handgun License Courses in Plano, Texas
- The NSA PDA phone will provide secure voice and data communications, including e-mail, web access, file viewing and access to the government secure network.
But wouldn't those still fall under the regulations of the FCC?! The wireless tracking, VoIP tapping and backdooring of networks... If those PDAs are for gov. use only, that still doesn't prevent gov. agencies from spying on each other! Or even prevent black-hats from accessing gov. networks through PDAs
Mod points are a dangerous tool. Abuse them wisely.
Why are they going to try and reinvent the Tablet PC? It's there for a reason folks!!
Just walking around with the pockets full of computers makes the task done: iPaq 3970 ($100) with Linux, Jornada 690 ($50) with NetBSD. Plus some equipment: 2G CF microdrive and wifi/ethernet CF/pcmcia makes a real computer of both. They have 100x more resources than double mainframe I admined just 22 years ago.
However, a "secure PDA" by NSA standards somewhat tells me it must have a backdoor of some kind...
There you are, staring at me again.
I work for a General Dynamics subsidiary (Electric Boat) and we're currently forbidden to bring in any form of a camera, even on a cell phone or PDA. Most of the time you're trusted, but they check on occasion. You'd be lucky if you didn't get canned for bringing one in, so most people aren't willing to risk it. We're also forbidden to connect anything to the computers, even though there's nothing classified on the user desktops. Again, they log everything and check.
The problem lies with the fact that it's getting harder and harder to find PDAs and mobile phones that do not have camera/video capability. And for the folks who travel or move around a lot for business, it's a lot more convenient if the company can provide you with a useful gadget. It's either that, or I just stick to writing stuff down on a notepad, and using a 4 year old cell phone.
"No fair, you changed the outcome by measuring it!" - Professor Hubert J. Farnsworth
PDAs (and mobile "phones") seem perfect candidates for biometrics. They are easily taken from their owner's physical control. Their UI HW is so limited that passwords are a hassle. They're actually the main storage for many people's "memos", so remembering their password is a catch-22. They have the most personal info of any device, often just a tap away from indicating personal liabilities. They're just a year or two from acting as a universal digital wallet, probably wireless - almost certainly with dynamic IP#s. They'll usually be connecting through a brief relationship with an otherwise unknown LAN segment, like a public WiFi hotspot. And people will just completely trust them, especially because their userbase is among the least tech sophisticated.
But also, most importantly, because they're so extremely valuable as security devices. People can trust their own phone, if really secured. They can carry it anywhere. Especially once phones are <$20 each, they can have several secured phones left around their car, their office, other locations they frequent. A reliable biometric access device, like a thumbprint scanner, makes the "phone" an extension of the person's identity. Appropriate, when it stores both all their personal data, and their contacts with other people - as well as executing access to them. Securing one's phone can make access to the rest of the virtual world secure, at just the persistent device closest to us. If that little gizmo is really going to become our "universal remote" to all worlds both real and virtual, it needs to recognize us exclusively, and vice versa, to represent us there.
--
make install -not war
I did a little PDA Security article a while back that was published in BlackListed 411! magazine.
It briefly surveys a number of key issues, and has some good links/ references at the end.
For anyone interested, you can read it here:
http://iamsam.com/papers/PDA_Security.htm
Later-
Sam
Sam Nitzberg
sam @ iamsam . com
http://www.iamsam.com
It's a shame that no Palm OS 6 Cobalt devices have actually made it to market, because PalmSource has done a lot right in that version of the Palm OS to provide a sound security model.
Not only does the OS provide for digital signing of code, it provides secure databases where only signed applications can access the data. You can control which databases are synchronized to the desktop, and even which applications can access screen buffers (to prevent screen-scraping).
Hopefully either Palm OS 6 Cobalt or its Linux-based successors will make it into actual devices soon. It would be a huge step toward powerful, secure PDAs.
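The model the poster describes (signed code, and "secure" databases that only verified-signed applications may open, with a separate flag for what syncs to the desktop) can be sketched in a few dozen lines. This is an added illustration, not Palm OS code and not its API; an HMAC-SHA256 tag over the application image stands in for the vendor's real code-signing scheme, and the database names, the vendor key and the application image are all constructed for the demo.

```python
"""Toy signed-code gate in front of 'secure' databases.

Added illustration in the spirit of the Palm OS 6 description above.
Not Palm OS code and not its API. HMAC-SHA256 stands in for a real
(asymmetric) code-signing scheme so the demo needs only the stdlib.
"""
import hashlib
import hmac

# Constructed platform-vendor signing key. A real scheme would publish a
# verification key on the device and keep the signing key off it.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign_app(code: bytes) -> bytes:
    """Vendor side: tag the application image."""
    return hmac.new(VENDOR_KEY, code, hashlib.sha256).digest()


def verify_app(code: bytes, sig: bytes) -> bool:
    """Device side: constant-time check that the image matches its tag."""
    return hmac.compare_digest(sign_app(code), sig)


class Database:
    def __init__(self, name: str, secure: bool, sync_to_desktop: bool):
        self.name = name
        self.secure = secure                    # only verified apps may open
        self.sync_to_desktop = sync_to_desktop  # may be copied by the conduit
        self.records = []


class App:
    def __init__(self, name: str, code: bytes, sig: bytes):
        self.name, self.code, self.sig = name, code, sig


class Device:
    def __init__(self):
        # constructed database set: an ordinary PIM store and a key store
        self.dbs = {
            "Contacts": Database("Contacts", secure=False, sync_to_desktop=True),
            "Keyring": Database("Keyring", secure=True, sync_to_desktop=False),
        }

    def open_db(self, app: App, dbname: str) -> Database:
        """Gate: a secure database refuses any image whose signature fails."""
        db = self.dbs[dbname]
        if db.secure and not verify_app(app.code, app.sig):
            raise PermissionError(f"{app.name}: unsigned code may not open {dbname}")
        return db

    def sync_set(self) -> list:
        """Databases the desktop conduit is allowed to copy."""
        return sorted(n for n, db in self.dbs.items() if db.sync_to_desktop)


def demo() -> dict:
    dev = Device()
    code = b"PASSWORD-MANAGER-IMAGE-v1"         # constructed app image
    good = App("pwmgr", code, sign_app(code))
    # same tag, but one byte appended to the image after signing
    tampered = App("pwmgr*", code + b"\x90", good.sig)
    outcome = {}
    for app in (good, tampered):
        try:
            dev.open_db(app, "Keyring")
            outcome[app.name] = "granted"
        except PermissionError:
            outcome[app.name] = "denied"
    # a non-secure database is open to any code, signed or not
    outcome["tampered_contacts"] = dev.open_db(tampered, "Contacts").name
    outcome["sync"] = dev.sync_set()
    return outcome


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The tampered image is refused by the key store but still reaches the contacts database, which is the point of having the flag per database rather than per device: the platform decides which data is worth gating, and the sync flag keeps the key store off the (typically less protected) desktop entirely.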
So instead of pimp my ride, we need a pimp my forklift. Will you be controlling the forklift through the PDA though to make the challenge complete? Else it is just a forklift with a PDA attached to it, without the PDA adding anything except strain on the batteries
I use Target Alert - an extension for Firefox that shows icons for links that go to PDFs, zip files... etc. (it's customizable). It's a very nice, simple program.
From buffer overflow to virus and trojan examples, it is all covered.
Plus these links have information of value as well:
Hacking Windows CE - Phrack 63 http://www.phrack.org/show.php?p=63&a=6
Pocket PC Phone Shellcode: http://www.mulliner.org/pocketpc/
Blackhat talk by Seth Fogie: http://www.airscanner.com/pubs/BlackHat2004.pdf
Illuminati
pwned by illuminati secret services and black budget orgz
Last I knew, PDA sales were at an all time low compared to recent years more or less due to cell phones duplicating most of their functions. It seems wrong that something that has been said to be near the end of its lifespan is considered the "next big security risk".
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
Better yet, use TargetAlert, a Firefox extension.
In addition to the great PDF notification feature, it also tells me about those pesky links that open in new windows---which I hate, because I just want them in the same window, or a new tab, or something.
"May the days be aimless. Let the seasons drift. Do not advance the action according to a plan."
Well, you can never tell. Even smart people routinely lose lots of money on predictions like this.
I've done every combination of laptop, PDA, phone, and converged device, and none of them are perfect. As I get older, I like fussing with stuff less and less, and value simple functionality more and more. I don't really want PDA functions intruding on my phone -- what I'd appreciate is a large, well laid out hardware dial pad. I don't want to fuss with multi-level menus on a tiny phone screen. Making all the stuff they want to cram into a phone work inevitably inflates it into a PDA. And a PDA/phone is inevitably awkward. I know, I use one. It's too big and too persnickety to be a decent phone; it's an OK PDA, but after experimenting with it I don't really want to enter lots of text so I'd prefer a larger screen and no hardware keyboard at all; the overall device could be thinner and smaller and have a larger screen and better battery life.
I also carry a laptop. The thing is the laptop is not something you want to haul out in a restaurant when a meeting alarm goes off. You don't even want to have the laptop there. So that means you need a PDA or a phone with PDA functions.
What we really need are three different devices, a phone, a pda and a laptop, each designed to be as simple and task appropriate as possible and which work together effortlessly without creating security problems. But getting things to work together in a way that is convenient and makes sense to a user seems to be the hardest thing there is for companies to achieve. Virtually no technological barrier cannot be overcome, but usability -- that seems to be beyond what we can expect. I think it is because design is so much harder than technology.
Consequently convergence is naturally easier for companies to achieve than making devices work together. It's a simple problem of technology: squeezing enough features into a given formfactor. And on top of it, you don't have to worry about interoperability standards.
Look at what convergence is giving us: awkward phones with lots of persnickety buttons, or even worse larger PDAs designed to view and edit spreadsheets and other things that you'd always rather go to a laptop for.
In my ideal non-converged but interoperable world, a phone would be just a phone with basic phone number lookup. A PDA would be the size of the old Palm m500 series but, say, =10mm thick and with a battery life measured in weeks. I wouldn't worry about the utility belt look (not that I would in any case) because it'd be rugged enough to keep in my pants pocket and small enough that I'd hardly know it was there. I'd use the PDA for maintaining the phone # database and other PIM functions, as well as simple forms entry and other appropriate applications where mobility trumps entry ease (MP3s). I'd also like to run presentations off the PDA to a projector or a computer. The laptop would come out for any editing tasks. All three devices would interoperate securely and autodiscover any changes without my need to fuss with "HotSync" or "ActiveSync". Better no abstractions than leaky ones.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
So you're a DoD ADP R&D PM who owns a PDA with FIPS 140-2 and you sent TFA to the IA... who you had previously sent a brochure on NSA's 802.11
:)
did i miss anything?
The mouse over feature does not seem to work on my computer. Before uninstalling, disable it using the options of the extension, and see if you like the effect.
There are plenty of criticisms of Windows architecture shortcomings, but what about PocketPC OS? I haven't paid much attention to this market. Was it designed from scratch, or is it a cut-down Windows kernel? Does it share any of Windows' vulnerabilities (mixing of app & OS code, security issues, etc.), or is it inherently more secure than Windows by virtue of different architecture?
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
You have a secure PDA, that's great. Let's say a gov employee (possibly from homeland sec.) takes the train/subway/airplane home and the PDA slips out of his pocket. (I have lost enough cellphones this way.) Now you have government information, stored passwords, encryption keys sitting there for the less scrupulous of us to scoop up. At least laptop cases are harder to forget.
Beware the observant.