[ISN] More people using - and losing - PDAs

From: InfoSec News (isnat_private)
Date: Tue Oct 29 2002 - 03:00:33 PST

  • Next message: InfoSec News: "RE: [ISN] INFOSEC: Certifiably Certified"

    Forwarded from: William Knowles <wkat_private>
    By HIL ANDERSON, United Press International
    LOS ANGELES (October 28, 2002 4:46 p.m. EST) - A chain is only as 
    strong as its weakest link, and one of the weakest links in the 
    sprawling field of information technology these days can be found 
    piling up in the back seats of taxis, airport lost-and-found 
    departments, and hotel rooms. 
    Laptops, cell phones and the burgeoning number of personal desk 
    assistants - also known as PDAs - might make life easier for employees 
    in the field, but short of chaining them to their owners' bodies, 
    these labor-saving devices are being lost and stolen at an alarming 
    rate. And there are growing amounts of sensitive information stored 
    Small wonder that security was a leading issue on the agenda at the 
    recent Pocket PC Summit, a trade show held in Hollywood, Calif. last 
    week that was devoted exclusively to the increasingly popular PDA. 
    "People like to stay in touch wherever they are," said Arlo Halonen, 
    global accounts manager for F-Secure, a San Jose, Calif. company that 
    is developing security specifically for PDAs. "They want to be able to 
    do all things, except become security experts." 
    Vexed for years by non-tech types who were barely functional with 
    Windows and baffled by the concept of hitting "start" to shut down 
    their computers, information technology specialists in government and 
    business are now also finding themselves having to protect their 
    networks from their own equipment. 
    Improvements in wireless communications, digital subscriber line 
    networks and processors have made PDAs and laptops as versatile and 
    capable as desktop computers. They have found users across the 
    spectrum of society from students to sales reps to doctors. 
    The stored information is often mundane, but it can also include 
    lucrative gems such as credit card numbers, computer passwords, 
    intellectual property, and confidential company financial or trade 
    secret product information. 
    In addition, portable devices can also be used to access both the 
    Internet and restricted in-house computer networks. 
    "Hundreds of thousands of these devices are lost and stolen every 
    year," David Elfanbaum of Asynchrony Solutions in St. Louis, Mo. told 
    United Press International. "They can be a gateway to your entire 
    A growing phenomenon at U.S. airports is the steady flow of passengers 
    who run their $2,000 laptops through X-ray scanners and walk off 
    without them, presumably obliviously flying off to their destinations 
    sans their property. 
    Folks who run the lost-and-found departments at major airports 
    attribute the losses to new stresses and security measures implemented 
    since Sept. 11. 
    One frazzled frequent flyer who asked not to be identified told UPI 
    that getting from Point A to Point B often requires passing through a 
    maze of distractions. 
    "I always have my game face on (at airports), scouring the crowds for 
    potential hijackers and I'm focused on security and mentally taking 
    inventory of my purse and carry-on, making sure I left my Swiss Army 
    knife at home," she said. 
    "I really can't concentrate 100 percent on a computer these days when 
    I fly. It would be so easy to forget it." 
    There are also potentially more dangerous types of data that can be 
    lost or stolen as the use of laptops and PDAs becomes more common 
    among intelligence agents, military officials and law enforcement 
    Britain's military and intelligence services have lost more than 200 
    laptops since 1997, many of which were believed to have contained 
    classified information but went missing in restaurants, pubs and on 
    public transportation. 
    And on this side of the pond, a report by the U.S. General Accounting 
    Office released in August concluded that the bean counters from the 
    Internal Revenue Service alone had mislaid 2,300 laptops. 
    "I'm worried that just as clothes dryers have the knack of making 
    socks disappear, the federal government has discovered a core 
    competency of losing computers," Sen. Charles Grassley, R-Iowa, said 
    in a statement released in response to the dismal GAO report. "This 
    inventory control problem is serious and must be addressed. It 
    involves tax dollars and potentially confidential taxpayer information 
    and data related to national security and criminal investigations." 
    American intelligence agencies, of course, also realize the potential 
    value of laptops. 
    The FBI seized scientist Wen Ho Lee's laptop in 1999 while 
    investigating the alleged theft of nuclear secrets downloaded from the 
    computer at the Los Alamos National Laboratory. 
    U.S. officials have also been prowling through computers seized from 
    al Qaida for clues of the terrorist group's plans. 
    Because computer files can be downloaded so quickly, experts are 
    concerned that a skilled spy or terrorist could copy a stolen 
    machine's entire memory in minutes, possibly before the owner even 
    knew it was missing - even an unsophisticated snoop could glean 
    information by reading e-mails on a stolen machine. 
    Companies such as F-Secure and Asynchrony have been developing 
    software solutions in recent years that beef up the security features 
    of the devices by encrypting the information inside or making it more 
    difficult to log in without the right passwords. 
    Elfanbaum said that one of its products would completely overwrite the 
    entire contents of a PDA if the wrong password was entered repeatedly 
    - and even if the machine isn't used as frequently as it should be. 
    "It can't even be recovered electronically," Elfanbaum told UPI. 
    Government agencies dealing in secrets are an obvious target audience. 
    But Elfanbaum said the private sector was fueling the security 
    software market as an improved economy freed up more money in 
    corporate IT budgets for the purchase of PDAs and laptops. 
    At the same time, companies are concerned that their servers could 
    come under attack by hackers or cyber-terrorists, who could 
    conceivably gain access to major computer systems through a stolen 
    As more employees become adept in the use of PDAs, company IT managers 
    have found themselves having to become equally as adept at handling 
    security measures for a variety of PDA models often built by companies 
    that may not have security as a strong point. 
    Halonen said PDAs and laptops were becoming the new "headache" for IT 
    departments and pointed out that even adding security software was not 
    the ultimate answer to the problem of theft and loss. Since companies 
    and other organizations tend to purchase computer supplies in bulk, a 
    weakness found by an enterprising hacker could conceivably place a 
    firm's entire network at risk. 
    "It has been an evolutionary development," said Elfanbaum. 
    "These devises were originally designed for personal use, so security 
    wasn't an issue." 
    There is also the need to balance security sophistication against the 
    skills of the people in the field who will be using the devices. As a 
    result, the most impregnable security software might not necessarily 
    be the one that becomes a commercial success. 
    "Many people find it confusing and don't want to make it too hard to 
    use," Halonen said. "The development all has to be driven by the needs 
    of business." 
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 05:34:47 PST