Smart Phones "Bigger Security Risk" Than Laptops
CWmike writes "A recent survey of 300 senior IT staff found that 94% fear PDAs present a security risk, surpassing the 88% who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting. A key danger with PDAs was that over half of IT executives surveyed were 'not bothering' to enter a password when they used their phone. A VP at the company that performed the survey said: 'Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate.' Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?"
or at least use a spell checker before opening oneself to public mockery on the Slashdot.
So this is not just "iPhone" fear mongering
In fact, why is it fear mongering at all?
Do all slashdot submissions have to end in a catchy imbalanced question?
On this topic, the thing here is that the web is there to address this problem.
If the execs were forced to go to the website to do anything, then they can do whatever the hell they want with their phone.
NO SIG
iPhones are extremely secure against attack, and most definitely via remote. This article sounds like it's by people who have never seen an iPhone and assume they are just as insecure as anything else out there. It's simple: if it's not the iPhone's authorized user, the data on it will not be able to be accessed.
Remember, people want to use these things while they are driving a car, eating fast food, and listening to a book-on-tape. They don't want no stinkin' security features.
The only handhelds allowed to connect to our corporate network are company issued ones, and they come locked down so you have to enter a password after a few minutes of inactivity to do anything except answer the phone. Our laptops come with the whole-disk encryption pre-installed. All external web access goes through the company proxy.
:) )
It's possible to lock it all down instead of live in fear. Of course, there's a fine line between security and stifled innovation. Our company's proxies, by default, block blogs, and I have to request that they be unblocked one at a time. Since most of the discussion concerning JSRs for JDK7 development happens through people's blogs, it can seriously slow down the ability to do my job sometimes. But if you want things secure, there are going to be tradeoffs.
(And if a company laptop doesn't contain ANYTHING worth stealing, the employee should probably be fired for not producing anything worthwhile.)
E pluribus unum
And if you have a blackberry enterprise server, you can:
- force your users to have a password
- force the device to lock after a specified period of inactivity
- force the user to enter the password every x minutes regardless of activity
- prevent users from having a trivial password
- give users a duress password
- set the blackberries to store everything in encrypted form
- if a blackberry is lost, you can remotely lock the blackberry
- if a blackberry is lost, you can remotely wipe it
Blackberries are the best mobile platform, period.
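As an added illustration (not BlackBerry Enterprise Server code, and not from this post), here is a Python model of how a policy set like the one listed above behaves on the handset: a deny list for trivial passwords, an inactivity timer plus a forced re-authentication timer, a duress password that silently wipes, remote lock and wipe, and a failure counter that wipes. The class names, timer values and the deny list are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:  # illustrative values: assumptions for the demo, not BES defaults
    min_length: int = 6
    inactivity_lock_s: int = 300   # lock after 5 min without activity
    forced_relock_s: int = 3600    # demand the password hourly regardless
    max_failures: int = 10         # wipe after this many wrong passwords
    banned: frozenset = frozenset({"password", "swordfish", "0000", "1234"})

def _derive(pw: str, salt: bytes) -> bytes:
    # Only a salted PBKDF2 hash is kept on the device, never the password.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Device:
    def __init__(self, policy: Policy, clock: int = 0):
        self.policy, self.now = policy, clock
        self.salt = os.urandom(16)
        self.pw_hash = self.duress_hash = None
        self.locked, self.wiped, self.failures = True, False, 0
        self.last_activity = self.last_unlock = clock
        self.data: dict = {}           # stands in for the encrypted store

    def password_ok(self, pw: str) -> bool:
        """Reject trivial passwords: short, deny-listed, or one repeated char."""
        return (len(pw) >= self.policy.min_length
                and pw.lower() not in self.policy.banned and len(set(pw)) > 1)

    def set_passwords(self, pw: str, duress: str) -> None:
        if not self.password_ok(pw) or pw == duress:
            raise ValueError("password rejected by policy")
        self.pw_hash, self.duress_hash = _derive(pw, self.salt), _derive(duress, self.salt)

    def tick(self, seconds: int) -> None:
        self.now += seconds            # either timer rule re-locks the device
        if (self.now - self.last_activity >= self.policy.inactivity_lock_s
                or self.now - self.last_unlock >= self.policy.forced_relock_s):
            self.locked = True

    def touch(self) -> None:
        if not self.locked:            # activity only counts while unlocked
            self.last_activity = self.now

    def unlock(self, pw: str) -> bool:
        if self.wiped or self.pw_hash is None:
            return False
        h = _derive(pw, self.salt)
        if hmac.compare_digest(h, self.duress_hash):
            self.remote_wipe()         # duress password: wipe, but look like a plain failure
            return False
        if hmac.compare_digest(h, self.pw_hash):
            self.locked, self.failures = False, 0
            self.last_unlock = self.last_activity = self.now
            return True
        self.failures += 1
        if self.failures >= self.policy.max_failures:
            self.remote_wipe()
        return False

    def remote_lock(self) -> None:
        self.locked = True

    def remote_wipe(self) -> None:
        self.data.clear()
        self.pw_hash = self.duress_hash = None
        self.locked, self.wiped = True, True

    def read(self, key: str) -> str:
        if self.locked:
            raise PermissionError("device locked")
        return self.data[key]
```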
Maybe these things need a small fingerprint scanner or other biometric unlock function? Maybe just voice activation that can recognize the "owner" with a high accuracy would be enough.
And encrypt the bejezzus out of the data stored on them.
The cell phone I have has one level of protection - a PIN number that only needs to be entered when it turns on. As long as it's on, you can do anything you want with it, including modifying content or planting evidence. In addition, you can still access content on the phone by attaching it to a computer (without any need to enter a PIN).
As a result, I'm not storing any sensitive information on the phone.
The Palm Pilot was at least better in this regard, since it allowed separating public and private information and requiring a PIN when you wanted to access private data. However, this was a PDA rather than a cell phone.
The bastard cousin of the sorbet?
It's pretty much a done deal. Keep sensitive data on a small device and if you lose it, assume it's compromised. Password or not.
regards
I've had a Palm Treo 755p Smartphone for about 9 months. I have a lot of medical data on my unit, including (unfortunately) some patient data. I've tried to use Palm's "Private Records" feature for sensitive data, but it's too complex and unreliable. Some things that I mark as private show up in the regular views anyway, without needing to be unlocked with a password, even after I try to "lock" them or mark them as "private" multiple times. I doubt they're actually encrypted, either - probably just a bit-flag which only some software on the device reads and uses.
So I tried instead to set up an automatic lock on my device - I figure a power-on password should be fine. I set that up - and unfortunately, even though I set it to auto-lock after 1 hour of non-use, it NEVER asks for the power-on password. I've set it up exactly as Palm's site suggests... it still won't auto-lock the unit.
The thing is that the tech seems to need a fix before we can go about blaming the users. I've never lost a patient file or my phone, but obviously it would be a major problem if something like that did happen. Thankfully, the healthcare system I work for is going to electronic records, so nothing will be stored on my Palm anymore; I'll just use my cell plan to connect to the server (SSL encrypted) and access files wirelessly.
Still, there are other things I'd rather not have fall into a criminal's hands... hospital phone numbers, phone numbers of peers, nurses, other physicians, pagers, laboratories, etc. But my model, at least, is simply inadequate in protecting this data. Someone needs to come up with something better than what's currently available - maybe once it's "expected" - much like a password when you log onto Windows - it won't be such a big deal for people to use it.
So what the article says is that they think handhelds are dangerous because they're not bothering to secure them? Seems like an easy fix ...
No sig for you. YOU GET NO SIG!
And honestly, a lot of them could be right in that it wasn't worth protecting. For example, what percentage of documents are really needed to be secret for a company's existence? My guess is about
Taxation is legalized theft, no more, no less.
I can't carry an iPhone, but I can bring home a file folder full of secrets.
I can't have a cameraphone because I can 'steal' data, but you let me bring my 250GB laptop home.
My email is filtered for PPI and dirty words, but you don't filter my Gmail.
I can't FTP, but I can attach 10 MB files to webmails.
Build a better mousetrap, and some management school out there will produce a stupider monkey.
I want to delete my account but Slashdot doesn't allow it.
How secure is your password?
Some examples of common passwords which I saw on multiple occasions on different client boxes:
typewriter
sex
" " (three spaces)
coffee (a college ICT admin favourite)
manu ("Man United", if the desktop was soccer themed or the client wore a red shirt, chances were this was his password)
horses (no prizes)
swordfish (no prizes)
0000 (if it's anything that requires a 4-digit user pin, such as Bluetooth, this'd be it)
0000000000 (the blanket launch code for the US nuclear arsenal)
Dictionary words, names of favourite family members, spouses, dates of birth... the list is obvious and goes on.
I'll stop there before I hit the combination for Bush's overnight case and really piss someone off (incidentally, it's 111-111)
Operation Guillotine is in effect.
I have been wondering about when I would be able to encrypt my cells and PDAs the way I encrypt my other data. There is a problem, however: the phone must be on in order to get calls... That means the system password is almost always already in use, making it very easy to obtain by cooling down and picking out the RAM and using a card reader.
So I am hoping for a two-stage system where call logs, the full content of my address book, notes, calendar and so on are stored and encrypted separately from basic parts of the system. Incoming call logs could then be stored in a temporary mode until I enter my storage password, at which moment I would get access to the secure data using a separate password.
There are of course problems here too - notifications of upcoming calendar events, and displaying name/number association for incoming calls, among other issues. It will be necessary to allow personal choice for what should be cached outside of secure memory, but I certainly look forward to having more secure options for cells and PDAs!
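The two-stage design sketched in this post, as an added example that is not the poster's code: calls taken while the handset is locked go to a plaintext staging queue, a separate storage password opens the vault and merges the queue, only caller names the user chose to make public are shown while locked, and the key leaves RAM on lock. The cipher is a toy HMAC-SHA256 counter-mode construction chosen so the example runs on the standard library (a real device would use AES-GCM); the names, numbers and `Handset` API are constructed for the demo.

```python
import hashlib
import hmac
import json
import os


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy cipher for the demo: HMAC-SHA256 in counter mode (assumption; use AES-GCM for real).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong storage password or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Handset:
    def __init__(self, storage_password: str, public_names: dict):
        self.salt = os.urandom(16)
        self.public = dict(public_names)  # names the user chose to keep outside the vault
        self.staging: list = []           # plaintext queue of calls taken while locked
        self._key = self._data = None     # vault key and contents live in RAM only when unlocked
        k = derive_key(storage_password, self.salt)
        self.vault = seal(k, json.dumps({"contacts": {}, "calls": []}).encode())

    def incoming_call(self, number: str) -> str:
        """Works while locked: queue the event, show only a name the user made public."""
        self.staging.append(number)
        return self.public.get(number, "unknown")

    def unlock(self, storage_password: str) -> dict:
        """Open the vault with the separate storage password and merge the staged calls."""
        key = derive_key(storage_password, self.salt)
        data = json.loads(unseal(key, self.vault))    # raises ValueError on a wrong password
        data["calls"].extend(self.staging)
        self.staging.clear()
        self._key, self._data = key, data
        return data

    def save_contact(self, number: str, name: str) -> None:
        if self._key is None:
            raise PermissionError("vault locked")
        self._data["contacts"][number] = name

    def lock(self) -> None:
        """Re-seal the vault and drop key and plaintext from memory."""
        if self._key is None:
            return
        self.vault = seal(self._key, json.dumps(self._data).encode())
        self._key = self._data = None
```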
Chances are, it is more risky to connect to an unencrypted network at a local coffee shop and check your e-mail on your PDA than it is to leave it without a password. I know on my computers the information stored on them is useless to a thief, but some e-mails (stored on a remote server) have more confidential information than what is stored on the device (and just about all webmail requires you to use a password). So really, for me and most other people, a 1337 H@X0R with Wireshark will do more damage than some guy who steals your PDA/Laptop.
No fortune app. Bummer
Is this just iPhone fear-mongering?
Of course it is, because the iPhone is the only PDA or SmartPhone in the world... (If you live under an Apple or a Rock.)
And the information you carry in your Address Book, Calendar and Notes is *that* valuable to warrant more expensive hardware with encryption? Seriously, myself and most people I know have people's names and numbers in the address book and meetings in the calendar, and really the worst thing that could happen is that they use that info to do a phishing attack to get more information. For you and a handful of other people this might be useful, but for the 99% of us that don't, it just adds more bloat/price to an already bloated/expensive platform (mobile phones/PDAs).
One of the local strip clubs has an addition to its radio ad giving a specific number to call if you've lost a "PDA, iPhone, or BlackBerry" in the VIP room, so I'd have to agree.
People are more likely to lose a phone than a laptop.
Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?
I think we first have to ask the question, are executives actually capable of remembering a password? Doubtful, in my opinion.
The higher the technology, the sharper that two-edged sword.
> Do you think the passwords execs could remember would help with securing PDAs and smart phones?
No, because PDA passwords are easily defeated.
Passwords are like any other kind of lock. They're not there to keep dishonest people out, they're there to slow them down. They're there to keep /honest/ people from trying.
Come on, now. If the information's on a PDA, anybody with the IT version of a bent paperclip will be able to get it.
What's the first security rule for a PC: If they have physical access to your computer, your data is theirs. I would bet my bottom dollar that 90% of the security problems concerning a PDA result from exactly that: loss of physical control of the device.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
The problem here is that with a desktop, you've got a finite amount of time to crack the password, unless you plan on exiting the building with the tower. Physical theft is much more difficult... as is physical access. With PDAs, you can simply toss the thing in your pocket, and have all the time in the world to hack on it later on. Physical access, I would argue, is also easier. How about a working Bluetooth-based proximity security system that would encrypt/decrypt on the fly, or a *working* remote wipe that actually wipes (unlike Apple's)?
I've had users laminate their user name and password to their laptop palm rest. Security of information is great and all, but in the end, the user is the weakest link.
How is Debian on my handheld less secure than Debian on my desktop?
I don't trust "smartphones" because they run non free software that I would not trust anywhere and are part owned by companies that are now seeking "retroactive immunity" for violating people's privacy.
In each computer desktop, laptop, and smartphone, we installed hardware encryption and a C4 charge with remote 2 tier authentication for detonation. The two tier authentication was introduced after an unfortunate mishap involving our CFO getting his arm blown off while out golfing; it turns out the detonation frequency was a maritime frequency as well.
The C4 will also detonate if a password is entered incorrectly twice. We encourage employees who are "out of it" or even slightly ill to take the day off, and require them to call IT should they ever type their password in wrong once.
We also use an operating system completely built in house with a semi AI running security diagnostics at all times, and we have live people watching the network traffic to the few systems that are actively connected to the internet. Any systems that manage to get infected (to date, none) would also receive the C4 treatment. A bit draconian, but it gets the job done. Our datacenters also have thermite ceilings designed to completely melt down the facility if it comes under attack (three armed guards 24/7 are at the red button, just in case some new tech decides to think about hitting the button.)
Protecting the world has taught us to take our own security seriously. Hopefully, you can learn from these measures and take the proper safeguards for your own facilities and equipment (remember, the answer is always hardware encryption and C4.)
Thank you,
Ortega Starfire
CTO, Hoffman Institute
For The Advancement of Humanity
---- Liquid was a patriot ----
Security is a minimum of the system's capability and the user's capability. You can have the most secure system; with a moron at the helm it is easily compromised. If nothing else works, you can rest assured that he will simply hand over all the necessary information to his attacker himself.
Security is a matter of improving technology and training your staff. Doing just one of them will not increase your security past the more insecure one of them.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
mod parent WAY UP! I LOVE IT!
I have a small encryption app installed on my Windows Mobile device that encrypts files with a password.
I believe it uses 256 bit encryption. I'd like to think it's secure.
What are people's thoughts on these apps?
A real life example of a job I had a while ago. Security guy at an auditing company for banks. One of the things I had to do was ensure that reports can under no circumstances whatsoever get leaked. I spent the better part of two months locking down servers and creating VPN tunnels to pretty much every bank in the country that we deal with. With foolproof interfaces, point 'n click, so even our auditors could understand it. Double checking that the right document reaches the right bank (because, of course, one of the key security requirements was that no bank may UNDER ANY CIRCUMSTANCES get internal information of other banks). Security was the big thing, and nobody questioned any expense I asked for as long as "for increased security" was somewhere on the application.
Then we had a conference at a hotel. And suddenly one of our top chiefs in charge comes out of the hotel management area with a report. Asking what this is about, I got this information:
He forgot to bring this report along so he asked one of our auditors who had the report to send it. From a different bank. Unencrypted. To the hotel. And he asked the hotel manager to print it.
My question whether he wants to end my life prematurely with a heart attack was met with a blank stare.
The iPhone is not the only PDA in the world.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
We were in quite a hurry to post this... No time for spellcheck!
"A VP at the company that performed the surbey..."
kdawson: It's spelled "sorbet".
It's apropos to bring up iPhone because, as far as strictly consumer devices go, the iPhone is the biggest share of the Smartphone market. And, as Apple continues to cannibalize its iPod market, that share is just getting bigger, bringing people into the market who had not previously owned iPhones.
Now, that's not such a big problem as far as this particular issue (enterprise security) is concerned. What IS a problem is when one of the big mucketty-mucks in the company wants to start using an iPhone instead of a more secure enterprise-quality device, like the Blackberry (#1 device in enterprise messaging). Using an iPhone in the enterprise brings, to use the terminology of a network security expert, a huge shit-storm of security holes.
Feel free to google the subject; bottom line, iPhone has NO security. As the mega-popular "jailbreak" application handily proves. The issue isn't HOW to break an iPhone's security... it's choosing WHICH ONE would be easiest for you to work with.
A skillful hacker can get access to anything and everything on the iPhone. Want to use it as a mobile wiretap? No problem. Look through its camera? No problem. Download the entire contact list, or install a keylogger, or grab any other information (including credit card numbers) held on the device. Not a problem at all.
And THIS is the kind of thing LUsers want to bring onto the network, and get all whiny when the IT staff tells them no. Personally, I don't care, since my place only gives wireless connections access to the internet (it's completely segregated from the "real" network). However, most places have a network designed by idiots, and those are the places most at risk... and most likely to trash their security in order to accommodate something like iPhone connectivity.
Now as a side point, my workplace is also testing MS ActiveSync, which is supposed to provide connectivity to the iPhone as an enterprise mail client. The tests have been... pretty substandard. We are primarily a Blackberry shop, and if anyone switches from BB to iPhone, they are going to be pretty disappointed if they expect the same level of functionality. Personally, I'll be waiting to get a Blackberry Bold.
It takes but a second to remove an SD card.
Engineering is the art of compromise.
Security?
There is none.
Cell phone users don't seem to care who is around (in listening distance to their conversations) so SECURITY is a moot point!
I have experienced this while working as a cashier at a local "shit and get" store. Most people are so caught up in their 'own little cellphone world' that they forget about anyone around them.
Most people are so jaded about their surroundings while talking on cellphones that IT security does not even enter the picture.
I get so tired of it that I usually toss them out until they finish their conversation.
Basically, have the respect and courtesy to deal with me and your purchase, or get the fsck out. I don't want to be subjected to your phone conversation. Deal with it.
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
Smart phones + dumb users. Not a good combination.
Take Nobody's Word For It.
Who has access to the information? The employee.
Who knows what information to get? The employee.
Who has the password? The employee.
Besides the PEBKAC, most company compromises are done.... through the employee.
I personally think the real security risk is not necessarily in the data on the PDA but rather the PDA itself. In the cases where an exec has put a password on his/her PDA there is a good chance the password used is the same as the office and home PC. Steal the PDA, crack the password, and then use it to get at the real data on the home and work computer. Good passwords aren't enough; enforcing a unique password per account is critical if you are worried about data theft.
When I was still at ABB we put PDAs in the same category as remote users. The only way to get inside the WAN from the PDA was to log in through a VPN. If you wanted email on a PDA you either had an outside account for the PDA, or you had to bring up the VPN to check your mail. We applied the same policy on the WLAN I set up, but I believe that's been relaxed in exchange for using a supposedly more secure WLAN login.
And that was already a concession... a VPN connection makes your device part of the perimeter security of the WAN. I much prefer specific authenticated application-level gateways for remote access... or at least a virtual proxy like SSH.
As hilarious as this is, there's a good point here. Why not set up laptops or portables with a low level charge that wouldn't necessarily blow anybody up, but could fry platters/flash memory? Couldn't a significant electrical charge do the trick? I think a remote "kill self" code would be pretty secure. For super high security stuff (that would ideally be stored remotely anyway), just make it a daily check-in type thing. Didn't check in at 10:00AM EST? Oh, now your drive is slag. Call IT and explain why you couldn't check in.
People are like slinkies; useless but fun to watch when you push them down the stairs
Blackjacking, or cell phone/PDA hacking or hijacking, is still a new concept and is not practiced widely, so the risks and mitigation methods are not as widely known as they are for computers. Think of it this way: PDAs are powerful. They are basically miniature computers. They require the same security measures, if not more, than computers.
There are easy ways to fix these problems, but the ignorance of the users is the biggest of them all. Personally, I use a strong password and encrypt traffic. Also, I use Trend Micro's Mobile Security Suite.
-grayn0de
My company relies on 3rd party software to help secure mobile devices. Currently they use OneBridge for secure email and Afaria for device encryption.
Why do we correct our criminals but punish our children?
...in their right mind uses a "smart phone" for actual work related stuff outside of say, calendars and contacts? And if those calendars and contacts are lost without encryption, what kind of damage could it possibly do? Competitor: "Aha! I see they're having a bake sale next week! Maybe we should slip in and undercut their prices so that they will fail! Rar!!"
I'm sorry, but since I've gotten my BlackBerry, here's what I do with it: listen to music while I exercise, take pictures of things that interest me, add the occasional personal contact, read my favorite blogs and news sites, and write book reviews to post in my blog. If I lose any of that stuff, it will merely be annoying. When it comes to the critical stuff I work with on a daily basis (network security, network administration, Unix administration), I don't keep ANY of that stuff on there. The only possible security hole is the SSH client that allows me to connect to home. But I still need to know the password to log in and it's a PITA to use for most "normal" people.
Bunch of paranoid idiots if you ask me.
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Biometrics and tamper-resistant ASIC chips would make it difficult for all but the most determined and powerful organizations to get information off of smart phones. This would stymie most of the industrial espionage corporations out there. You'd need to install an exploit that could wait and hide until decrypted information was sitting in memory somewhere. Doing this might take considerable manpower if the system is hardened.
Governments and the largest corporations would still have the wherewithal to do this, however. But the danger isn't any more pronounced than phone taps and document interception were in the 1980's.
Make them enter their banking information as a password. Then they'll be careful.
What's the value of information that you don't know?
The BlackBerry can do exactly what you're looking for. Look into the "Content Protection" feature.
What are we talking about here? Is the OS relevant? Of just the login or not aspect? Encryption on those removable memory SDs? Maybe we should just buy those really cheap phones they hate to sell us......The ones that do voice and txt and not much else?
Only boring people are ever bored.