[ISN] Pocket PC doesn't make security grade, Gartner says

From: InfoSec News (isnat_private)
Date: Mon Sep 23 2002 - 23:20:55 PDT

  • Next message: InfoSec News: "[ISN] When is hacking a crime?"

    By Sumner Lemon
    IDG News Service, 09/23/02 
    Microsoft's Pocket PC 2002 software does not address critical security
    issues and could make sensitive corporate data stored on PDAs and
    desktop PCs vulnerable to theft and loss, market analyst Gartner
    warned in a recent research note.
    Companies that use Pocket PC-based devices should turn to third-party
    products to protect their data, the research note said.
    Microsoft officials contested the accuracy of Gartner's analysis of
    Pocket PC's security. "Gartner mistakenly blames the Pocket PC for
    potential security breaches that are in reality related to insecure
    usage of desktop PCs," said Microsoft spokeswoman Bridget Yau, in an
    Improving security has been a major focus for Microsoft since January,
    when the Redmond, Wash., company's chairman and chief software
    architect, Bill Gates, said building an environment of "trustworthy
    computing" should be Microsoft's top priority, eclipsing the addition
    of new features to its product line.
    But while Microsoft has put the security of many of its flagship
    products, such as the Windows operating system, Office and Visual
    Studio .Net, under the microscope, Pocket PC is not yet part of its
    Trustworthy Computing initiative and ignores critical security issues
    which will not be addressed until the release of the next version of
    the software, expected in 18 months to 24 months from now, Gartner
    Security shortcomings associated with Pocket PC are slowing adoption
    of handhelds based on the software by many companies, the research
    note said.
    Among the vulnerabilities that Gartner's research note identified with
    Pocket PC, the default setting does not require a password and
    passwords and the password policy cannot be synchronized with a
    desktop PC. In addition, configuration settings of Pocket PC-based
    devices cannot be secured and when the system is reset all settings
    are lost.
    Other areas of vulnerability include:
    * The ability to install a Pocket PC device on a desktop PC without
      requiring a password, which gives the device the ability to access
      data in Outlook, as well as other applications.
    * Users cannot encrypt files with the Crypto API that is included in
      Pocket PC.
    * No security is provided for removable storage devices, such as
      memory cards.
    * The software lacks policy features that could be used to restrict a
      user's ability to run applications on a Pocket PC-based device.
    Microsoft's Yau disputed whether a Pocket PC device can be easily
    installed on a computer and used to download data from applications
    such as Outlook, calling Gartner's claim "incorrect."
    "A Pocket PC cannot be installed onto a password-protected PC without
    using the PC's password to secure access," she said. "A PC without
    password protection is at a much greater risk of data loss to
    high-capacity storage cards than with a Pocket PC."
    For other areas of concern, both Microsoft and Gartner agreed that
    third-party applications can be used to address many of the security
    vulnerabilities identified in the research note. But Gartner said that
    relying on third-party products was not a sufficient answer for many
    corporate users and urged Microsoft to take steps to improve the
    security of Pocket PC.
    "These (third-party) solutions come at additional cost and are
    sometimes not available in local languages," the research note said.
    "Many larger enterprises, such as banking and financial institutions,
    have very strict policies when it comes to acquiring software,
    requiring extensive audits of the software, vendor viability and
    support options - often taking more than three months to be approved,"  
    it said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 02:38:05 PDT