PDA Security, the Next Big Hurdle for IT?
Jack writes "ITO published an article on a new secure PDA requested by the NSA. 'General Dynamics inked an $18 million contract with the secretive National Security Agency to design and develop a secure mobile personal assistant for defense workers. The PDA will integrate all types of communications including voice, data and web.'" In related news palmtops writes "Insecure Magazine has a great and in-depth article written by Seth Fogie, the VP of Airscanner.com, about Pocket PC security. His summary of PDA attacks states: 'These devices are easy to smuggle into a business and can be used to propagate an attack against network devices. Don't make the mistake of assuming a PDA is a simple data keeper. As the cliché goes... it is how you use it that matters.'"
I didn't think anyone on Slashdot had much to worry about when it came to Public Displays of Affection ....
It has yet to be proven that intelligence has any survival value. Arthur C. Clarke (1917 - )
From the (IN)SECURE article: How are we supposed to take this article seriously, when the author can't even spell 'pwn3d' correctly? ^_^
____
~ |rip/\/\aster /\/\onkey
to make companies bend over and grab the ankles for PocketPC AVs. Wouldn't surprise me a bit if the virus development for the various PDA platforms was unofficially sponsored by the big AV companies.
It might be a little late mentioning this but the link in this snippet actually points to a 9.1 meg PDF file.
In the future it would be nice if submitters (and especially editors) actually describe the target of a link when it doesn't go to a good old fashioned HTML or XHTML page of content.
Avantslash - View Slashdot cleanly on your mobile phone.
Adjust an existing MS/Linux/other PDA with the software required to enter the secure network, and rewrite some drivers to bring the software up to date with the emerging (BUDGETOVERFLOW DETECTED) secure communications standards.
The only hardware change seems to be the Defense access card integration.
Somehow it feels like this device is going to cause a lot of embarrassment later when one gets in the wrong hands and breaks all the security at once.
My wife's sketchblog Blob[p]: Gastrono-me
I thought PDAs were on the downfall as it is. With laptops becoming cheaper and cheaper and cell phones getting more advanced, I wasn't aware that PDAs have much of a future. That being said, I still really want one.
The PDA will integrate all types of communications including voice, data and web
Riiight, so it's sort of a SMARTPHONE then? Sure PDAs could be a threat, but it's probably worth focusing more on something that everyone already has and which has all this functionality already, as well as a digital camera etc.... the ubiquitous mobile phone.
Developing, and then requiring, a "secure" PDA for all your people and then being "surprised" when information leaks via their mobile phone with the 1GB Flashcard, 2 Mega-pixel camera and Broadband 3G connection doesn't sound like a plan for tomorrow.
An Eye for an Eye will make the whole world blind - Gandhi
Extensive research has shown that all donuts turn out to be defective. The random sample (500) taken in several countries has shown that all donuts have a hole in the middle.
Since the problem is so widespread and since there does not seem to be a regulatory body concerning the properties of a donut, congressional inquiries can almost not be avoided.
In other news: Martha Stewart proposes American Donut Standard Association
Palm viruses were created as "proof of concept", but haven't been found in the wild frequently, if ever. The Treos might make the exceptions.
Either way, AV for the Palm is utterly unnecessary. Spend your money where it makes a difference.
My Linux - (L)ove (I)s (N)ever (U)tterly eXPensive
But I have a friend with a Zaurus, and this should be a huge consideration for him considering he installed a wireless router in his apartment just to be able to use his Zaurus from the bathroom
More importantly, there are people that he is not friends with who have wireless PDAs right outside his window!! Ok that's tinfoil hat, but really the point is not to secure PDAs but to protect your network from PDAs IMO
I think the biggest problem is every manufacturer makes his own synchronisation software running some weird proprietary protocol. It feels like the good old days where you spent half a day setting up your dot matrix in WP 2.1, and then restarted from zero in Lotus 123. Somebody should set some standards here. A PDA/Phone should be hardware abstracted at the OS level, just like a printer. And on corporate networks, the PC should just be a USB/Bluetooth-to-ethernet router, with the PDA authenticating directly to Exchange/Notes/whatever.
10 ?"Hello World" life was simple then
Would someone please post a feed-line so I can post a funny reply and get some karma.
Thanks.
This makes a PDA sound like something it's not and it links a site's physical/personnel security to the PDA.
A /. article a while back showed that a guy stole a mainframe and he didn't use a PDA.
You can smuggle 1 GB of viral data into a facility in the roof of your mouth (SD Card) SD CARDS ARE THE NEXT THREAT TO WORLD SECURITY!!!
I think you get my point.
PDAs are computers; nowadays they have about the horsepower of a full size computer 10 years ago. That's all we need to know, and address the PHYSICAL and INFRASTRUCTURE security appropriately for them.
The number 1 hacker method will always be social engineering. A
-- Disclaimer: I can't really back up anything I post on
Meh, just put OpenBSD on the Zaurus and set your paranoia level accordingly...
I am TheRaven on Soylent News
I work for an agency under DoD as ADP R&D Program Manager. I think you'd be amazed at how many people are hollering for connected PDAs - and for the ones who have a real need we usually give them Blackberrys but you can't connect a Blackberry to a trusted network ;-)
Granted, most of these connected PDAs will end up in a desk drawer as soon as the user finds out how unpleasant it can be to send and receive email with a PDA, but they still want the things - and most of the people who want them outrank me. If the boss wants executive jewelry I guess it's my job to get it for him.
Common access card compatibility will be a good thing - except the resulting PDA will probably be about the size and weight of your average brick. Right now we've got more than enough challenges with PDAs as DoD requires FIPS 140-2 encryption, a firewall feature set and a virus scanner on connected PDAs.
I did send TFA to our local IA department just because I like to watch their heads spin around every once in awhile, though - the last time I did that I sent them a brochure on an NSA-approved 802.11 solution for access to *classified* computer networks.
I love my job ;-)
we see things not as as they are, but as we are.
-- anais nin
If using Firefox, try this in your [profile]/chrome/userContent.css:
/* indicate PDF links: append a small "pdf" label after any link whose href ends in .pdf */
a[href$=".pdf"]:after {
    font-size: smaller;
    content: "pdf";
}
Think I got that from another Slashdot post, can't seem to find it now though (thanks anyway, whoever posted it!)
-- Nothing unusual happened today
http://openbsd.org/zaurus.html
Nuff Said.
Chaos is Divine *
Why would we not fix desktop security first? We have not yet helped Microsoft enough.
Politics, Life, and More on my Aspiring for the Future
To steal a mainframe, one usually uses a flatbed truck with a forklift, and of course wirecutters. To steal a mainframe with a PDA that PDA really needs special features....
I just got a (cheap) Zaurus 5500. I've got a wireless router for my wife's laptop, but didn't want to use WPA and the (much) less secure WEP on the same network. So I connected a cheap wireless B PCI card to one of my PCs. Set up the wireless card in ad-hoc mode on a different channel (well away from the G channel). I then firewalled all ports on the card except one, and connected and rigged a proxy server listening on that port. I then set up the proxy to NOT access the local LAN.
Bottom line - I can use the Zaurus to access the Web from anywhere in (and around) the house, but my LAN is inaccessible via the wireless B network.
[Insert pithy quote here]
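The segmentation described in the post above (and the earlier point that the goal is to protect the network from PDAs rather than to secure the PDAs themselves) can be written down as a reviewable policy. The script below is an added example, not the poster's own setup: it emits the host-firewall rules for the guest wireless interface and the proxy ACL, and includes a small first-match evaluator so the rule ordering can be checked before anything is applied. The interface name wlan0, the LAN subnet 192.168.1.0/24 and the proxy port 3128 are assumptions; the proxy ACL is written in Squid syntax.

```shell
#!/bin/sh
# Added example (not from the post above): policy for a "guest" wireless segment
# that may reach the web only through a proxy and can never reach the wired LAN.
# Interface names, subnets and the proxy port are assumptions for illustration.

WIFI_IF="${WIFI_IF:-wlan0}"          # assumed: the ad-hoc 802.11b card
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed: the wired/G LAN the PDA must not reach
PROXY_PORT="${PROXY_PORT:-3128}"     # assumed: port the proxy listens on

# Emit the iptables commands instead of running them, so the policy can be
# reviewed (or tested) before it is applied with root privileges.
# Order matters: the single ACCEPT must precede the catch-all DROP.
build_rules() {
    cat <<EOF
iptables -A INPUT -i $WIFI_IF -p tcp --dport $PROXY_PORT -j ACCEPT
iptables -A INPUT -i $WIFI_IF -j DROP
iptables -A FORWARD -i $WIFI_IF -j DROP
iptables -A FORWARD -o $WIFI_IF -j DROP
EOF
}

# The proxy runs on a host that sits on the LAN, so the INPUT/FORWARD rules
# alone do not stop a client from asking the proxy to fetch LAN or loopback
# URLs on its behalf. The proxy itself must refuse those destinations.
build_proxy_acl() {
    cat <<EOF
# Squid ACL (assumed proxy): refuse requests whose destination is the LAN or this host
acl lan dst $LAN_NET
acl loopback dst 127.0.0.0/8
http_access deny lan
http_access deny loopback
EOF
}

# First-match evaluation of the generated INPUT rules for one packet:
# input_verdict <ingress-interface> <proto> <dst-port>  -> ACCEPT | DROP
# Packets on interfaces with no rule fall through to the chain's default,
# assumed here to be ACCEPT so the wired side is unaffected.
input_verdict() {
    iface=$1; proto=$2; port=$3
    verdict=$(build_rules | while read -r line; do
        case "$line" in *"-A INPUT "*) ;; *) continue ;; esac
        rule_if=$(printf '%s\n' "$line" | sed -n 's/.*-i \([^ ]*\).*/\1/p')
        [ "$rule_if" = "$iface" ] || continue
        rule_proto=$(printf '%s\n' "$line" | sed -n 's/.*-p \([^ ]*\).*/\1/p')
        [ -z "$rule_proto" ] || [ "$rule_proto" = "$proto" ] || continue
        rule_port=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([^ ]*\).*/\1/p')
        [ -z "$rule_port" ] || [ "$rule_port" = "$port" ] || continue
        printf '%s\n' "${line##* -j }"
        break
    done)
    printf '%s\n' "${verdict:-ACCEPT}"
}

case "${1:-show}" in
    show)  build_rules; echo; build_proxy_acl ;;
    apply) build_rules | sh -e ;;   # run as root once the printed policy looks right
esac
```

Running the script with no argument prints both the firewall rules and the proxy ACL for review; `apply` pipes the rules into a root shell. The evaluator confirms that only TCP to the proxy port is accepted on the wireless interface, that the same port over UDP is dropped, and that traffic arriving on any other interface is untouched.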
It is just not up to NSA standards, but in general a good software update could do the trick, except for the MoD card reader demands then.
One thing about a PDA zip case .. it is just about the same size as a pistol case for a 32 or 308.
I have never seen a guard stop a person holding a PDA case in their hand.
I was happy when the pager business finally died. That reduced the number of gizmos that I was carrying around on a daily basis from 4 to 3; the cellphone features became advanced (and cheap) enough to obsolete the pager completely. At one time, I thought that I would probably snarf up the PDA/phone combo, but I haven't yet found one that I really want to buy -- the price/performance just isn't there yet. When the PDA/cellphone combination gets cheap enough (and full-featured enough), then I envision reducing my current gizmo count to 2.
As for the laptop, it looks like that will be around for a while. At this point, the PDA just doesn't have the display or input capability to make it the all-in-one personal computing tool. In order for a PDA-sized device to displace the laptop, the I/O needs to get way more advanced, something on the order of a combination ocular/cochlear implant and voice (or better yet, thought ) recognition.
What are the security folks gonna do when the day comes that you can look at a document and issue a thought-command " copy "? I'm guessing that will be the end of paper documents; to be replaced entirely by electronic (and encrypted) communications for all purposes, including money.
Concealed Handgun License Courses in Plano, Texas
- The NSA PDA phone will provide secure voice and data communications, including e-mail, web access, file viewing and access to the government secure network.
But wouldn't those still fall under the regulations of the FCC?! The wireless tracking, VoIP tapping and backdooring of networks... If those PDAs are for gov. use only, that still doesn't prevent gov. agencies from spying on each other! Or even prevent black-hats from accessing gov. networks through PDAs.
Mod points are a dangerous tool. Abuse them wisely.
Just walking around with the pockets full of computers gets the task done: iPaq 3970 ($100) with Linux, Jornada 690 ($50) with NetBSD. Plus some equipment: a 2G CF microdrive and wifi/ethernet CF/pcmcia make a real computer of both. They have 100x more resources than the double mainframe I admined just 22 years ago.
However, a "secure PDA" by NSA standards somewhat tells me it must have a backdoor of some kind...
There you are, staring at me again.
PDAs (and mobile "phones") seem perfect candidates for biometrics. They are easily taken from their owner's physical control. Their UI HW is so limited that passwords are a hassle. They're actually the main storage for many people's "memos", so remembering their password is a catch-22. They have the most personal info of any device, often just a tap away from indicating personal liabilities. They're just a year or two from acting as a universal digital wallet, probably wireless - almost certainly with dynamic IP#s. They'll usually be connecting through a brief relationship with an otherwise unknown LAN segment, like a public WiFi hotspot. And people will just completely trust them, especially because their userbase is among the least tech sophisticated.
But also, most importantly, because they're so extremely valuable as security devices. People can trust their own phone, if really secured. They can carry it anywhere. Especially once phones are <$20 each, they can have several secured phones left around their car, their office, other locations they frequent. A reliable biometric access device, like a thumbprint scanner, makes the "phone" an extension of the person's identity. Appropriate, when it stores both all their personal data, and their contacts with other people - as well as executing access to them. Securing one's phone can make access to the rest of the virtual world secure, at just the persistent device closest to us. If that little gizmo is really going to become our "universal remote" to all worlds both real and virtual, it needs to recognize us exclusively, and vice versa, to represent us there.
--
make install -not war
It's a shame that no Palm OS 6 Cobalt devices have actually made it to market, because PalmSource has done a lot right in that version of the Palm OS to provide a sound security model.
Not only does the OS provide for digital signing of code, it provides secure databases where only signed applications can access the data. You can control which databases are synchronized to the desktop, and even which applications can access screen buffers (to prevent screen-scraping).
Hopefully either Palm OS 6 Cobalt or its Linux-based successors will make it into actual devices soon. It would be a huge step toward powerful, secure PDAs.
I use Target Alert - an extension for Firefox that shows icons for links that go to PDFs, zip files... etc. (it's customizable). It's a very nice, simple program.
From buffer overflow to virus and trojan examples, it is all covered.
Plus these links have information of value as well:
Hacking Windows CE - Phrack 63 http://www.phrack.org/show.php?p=63&a=6
Pocket PC Phone Shellcode: http://www.mulliner.org/pocketpc/
Blackhat talk by Seth Fogie: http://www.airscanner.com/pubs/BlackHat2004.pdf
Last I knew, PDA sales were at an all time low compared to recent years, more or less due to cell phones duplicating most of their functions. It seems wrong that something that has been said to be near the end of its lifespan is considered the "next big security risk".
In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
Well, you can never tell. Even smart people routinely lose lots of money on predictions like this.
I've done every combination of laptop, pda, phone, and converged device, and none of them are perfect. As I get older, I like fussing with stuff less and less, and value simple functionality more and more. I don't really want PDA functions intruding on my phone -- what I'd appreciate is a large, well laid out hardware dial pad. I don't want to fuss with multi-level menus on a tiny phone screen. Making all the stuff they want to cram into a phone work inevitably inflates it into a PDA. And a PDA/phone is inevitably awkward. I know, I use one. It's too big and too persnickety to be a decent phone, it's an OK PDA, but after experimenting with it I don't really want to enter lots of text so I'd prefer a larger screen and no hardware keyboard at all; the overall device could be thinner and smaller and have a larger screen and better battery life.
I also carry a laptop. The thing is the laptop is not something you want to haul out in a restaurant when a meeting alarm goes off. You don't even want to have the laptop there. So that means you need a PDA or a phone with PDA functions.
What we really need are three different devices, a phone, a pda and a laptop, each designed to be as simple and task appropriate as possible and which work together effortlessly without creating security problems. But getting things to work together in a way that is convenient and makes sense to a user seems to be the hardest thing there is for companies to achieve. Virtually no technological barrier cannot be overcome, but usability -- that seems to be beyond what we can expect. I think it is because design is so much harder than technology.
Consequently convergence is naturally easier for companies to achieve than making devices work together. It's a simple problem of technology: squeezing enough features into a given formfactor. And on top of it, you don't have to worry about interoperability standards.
Look at what convergence is giving us: awkward phones with lots of persnickety buttons, or even worse larger PDAs designed to view and edit spreadsheets and other things that you'd always rather go to a laptop for.
In my ideal non-converged but interoperable world, a phone would be just a phone with basic phone number lookup. A PDA would be the size of the old Palm m500 series but, say, 10mm thick and with a battery life measured in weeks. I wouldn't worry about the utility belt look (not that I would in any case) because it'd be rugged enough to keep in my pants pocket and small enough that I'd hardly know it was there. I'd use the PDA for maintaining the phone # database and other PIM functions, as well as simple forms entry and other appropriate applications where mobility trumps entry ease (MP3s). I'd also like to run presentations off the PDA to a projector or a computer. The laptop would come out for any editing tasks. All three devices would interoperate securely and autodiscover any changes without my need to fuss with "HotSync" or "ActiveSync". Better no abstractions than leaky ones.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.