PDA Security, the Next Big Hurdle for IT?
Jack writes "ITO published an article on a new secure PDA requested by the NSA. 'General Dynamics inked an $18 million contract with the secretive National Security Agency to design and develop a secure mobile personal assistant for defense workers. The PDA will integrate all types of communications including voice, data and web.'" In related news, palmtops writes "Insecure Magazine has a great and in-depth article written by Seth Fogie, the VP of Airscanner.com, about Pocket PC security. His summary of PDA attacks states: 'These devices are easy to smuggle into a business and can be used to propagate an attack against network devices. Don't make the mistake of assuming a PDA is a simple data keeper. As the cliché goes... it is how you use it that matters.'"
to make companies bend over and grab the ankles for PocketPC AVs. Wouldn't surprise me a bit if the virus development for the various PDA platforms was unofficially sponsored by the big AV companies.
Adjust an existing MS/Linux/other PDA with the software required to enter the secure network, and rewrite some drivers to bring the software up to date with the emerging (BUDGETOVERFLOW DETECTED) secure communications standards.
The only hardware change seems to be the Defense access card integration.
Somehow it feels like this device is going to cause a lot of embarrassment later when one gets in the wrong hands and breaks all the security at once.
My wife's sketchblog Blob[p]: Gastrono-me
The PDA will integrate all types of communications including voice, data and web
Riiight, so it's sort of a SMARTPHONE then? Sure, PDAs could be a threat, but it's probably worth focusing more on something that everyone already has and which has all this functionality already, as well as a digital camera etc.... the ubiquitous mobile phone.
Developing, and then requiring, a "secure" PDA for all your people and then being "surprised" when information leaks via their mobile phone with the 1GB Flashcard, 2 Mega-pixel camera and Broadband 3G connection doesn't sound like a plan for tomorrow.
An Eye for an Eye will make the whole world blind - Gandhi
Palm viruses were created as "proof of concept", but haven't been found in the wild frequently, if ever. The Treos might make the exceptions.
Either way, AV for the Palm is utterly unnecessary. Spend your money where it makes a difference.
My Linux - (L)ove (I)s (N)ever (U)tterly eXPensive
But I have a friend with a Zaurus, and this should be a huge consideration for him considering he installed a wireless router in his apartment just to be able to use his Zaurus from the bathroom.
More importantly, there are people that he is not friends with who have wireless PDAs right outside his window!! Ok that's tinfoil hat, but really the point is not to secure PDAs but to protect your network from PDAs IMO
I think the biggest problem is every manufacturer makes his own synchronisation software running some weird proprietary protocol. It feels like the good old days where you spent half a day setting up your dot matrix in WP 2.1, and then restarted from zero in Lotus 123. Somebody should set some standards here. A PDA/Phone should be hardware abstracted at the OS level, just like a printer. And on corporate networks, the PC should just be a USB/Bluetooth-to-Ethernet router, with the PDA authenticating directly to Exchange/Notes/whatever.
10 ?"Hello World" life was simple then
This makes a PDA sound like something it's not, and it links a site's physical/personnel security to the PDA.
./ article a while back showed that a guy stole a mainframe and he didn't use a PDA.
You can smuggle 1 GB of viral data into a facility in the roof of your mouth (SD Card). SD CARDS ARE THE NEXT THREAT TO WORLD SECURITY!!!
I think you get my point.
PDAs are computers; nowadays they are about the horsepower of a full-size computer 10 years ago. That's all we need to know, and address the PHYSICAL and INFRASTRUCTURE security appropriately for them.
The number 1 hacker method will always be social engineering. A
-- Disclaimer: I can't really back up anything I post on
Why would we not fix desktop security first? We have not yet helped Microsoft enough.
Politics, Life, and More on my Aspiring for the Future
To steal a mainframe, one usually uses a flatbed truck with a forklift, and of course wirecutters. To steal a mainframe with a PDA, that PDA really needs special features....
My wife's sketchblog Blob[p]: Gastrono-me
One thing about a PDA zip case... it is just about the same size as a pistol case for a 32 or 308.
I have never seen a guard stop a person holding a PDA case in their hand.
PDAs (and mobile "phones") seem perfect candidates for biometrics. They are easily taken from their owner's physical control. Their UI HW is so limited that passwords are a hassle. They're actually the main storage for many people's "memos", so remembering their password is a catch-22. They have the most personal info of any device, often just a tap away from indicating personal liabilities. They're just a year or two from acting as a universal digital wallet, probably wireless - almost certainly with dynamic IP#s. They'll usually be connecting through a brief relationship with an otherwise unknown LAN segment, like a public WiFi hotspot. And people will just completely trust them, especially because their userbase is among the least tech sophisticated.
But also, most importantly, because they're so extremely valuable as security devices. People can trust their own phone, if really secured. They can carry it anywhere. Especially once phones are <$20 each, they can have several secured phones left around their car, their office, other locations they frequent. A reliable biometric access device, like a thumbprint scanner, makes the "phone" an extension of the person's identity. Appropriate, when it stores both all their personal data, and their contacts with other people - as well as executing access to them. Securing one's phone can make access to the rest of the virtual world secure, at just the persistent device closest to us. If that little gizmo is really going to become our "universal remote" to all worlds both real and virtual, it needs to recognize us exclusively, and vice versa, to represent us there.
--
make install -not war