[ISN] How secure is your handheld?

From: InfoSec News (isn@private)
Date: Mon Apr 19 2004 - 02:07:14 PDT

  • Next message: InfoSec News: "[ISN] Hackers introduce colourful new players to Indonesia's elections"

    by Joel Strauch
    APRIL 16, 2004 
    The No. 1 threat to the sensitive data stored on your handheld device
    or smart phone remains physically losing the device, but other threats
    are looming on the handheld horizon.
    "When you send a defective PDA to the manufacturer for tech support,
    they usually give you a new one and then resell the old one," said
    John Girard, vice president and research director at Gartner Inc.  
    "Buying dead machines is an ideal method of pursuing identity theft."
    What's more, 90% of mobile devices lack the protection necessary to
    ward off hackers, according to a recent strategic planning assumption
    conducted by Stamford, Conn.-based Gartner.
    "Most devices have IrDA, Bluetooth and wireless connections, and many
    of them aren't set up properly. You can just walk around with a
    connected device of your own and see what you can find," Girard said.
    Even if there are security settings activated by default on a device,
    users will often turn them off if they find them unintuitive to use,
    he said. "Security needs to be as transparent as possible to users,"  
    Girard said.
    Malicious Code
    While security researchers have developed "proof of concept" viruses
    for handheld devices and smart phones, nothing has been seen yet "in
    the wild," said David Perry, global director of education at antivirus
    developer Trend Micro Inc. in Cupertino, Calif. "E-mail is easier.  
    It's universal, and PDAs aren't."
    Since handheld device users can still choose from several operating
    systems, they face a lower risk that a widespread virus will hit
    mobile devices.
    "As long as it's really easy to do Windows and e-mail, why should
    people bend themselves out of shape to hit something else?" Perry
    But the possibility of always-on wireless connectivity of smart phones
    and handhelds opens the door to malicious code.
    "There was a screen saver being passed around in Europe that would put
    your phone into a loop and lock it up," Girard said. "And worms on a
    Web site that you visit with your PDA could switch on Bluetooth. But
    we don't see viruses or malicious code being a significant threat for
    mobile devices until the end of 2005."
    Protect Your PDA
    That doesn't mean you should consider the information on your mobile
    device completely safe. There are still ways to lose it -- and ways to
    protect yourself from data loss.
    "You shouldn't keep things on a PDA that you can't afford to lose. And
    be vigilant -- don't let it get lost or stolen," Girard said.
    Also, use the "power-on" password settings in your device, he added.  
    That way, a thief can't even activate your handheld device without
    your password. "And don't store important stuff on peripheral storage,
    where the power-on password might not protect it," he added.
    Third-party applications from vendors such as BlueFire Security
    Technologies, Asynchrony Solutions and others afford additional
    protections. "BlueFire has a PDA firewall, and you might ask whether
    you'd need a PDA firewall," Girard said. "But it shuts down Bluetooth,
    which closes a port where hackers could get in."
    Data encryption products from some of the same players are also a
    consideration, so even if the device does fall into the wrong hands,
    the data will be much harder to extract.
    Handheld devices are still much safer than desktops or laptops from
    virus and hacker attacks, but that won't always be the case.
    "What you'll find on a PDA today is what you'd find on a laptop five
    years ago. What you'll find on a PDA five years from now is what
    you'll find on a laptop today," Girard said. That power and operating
    system ubiquity will bring a greater potential for harmful intrusions.
    ISN mailing list
    Sponsored by: OSVDB.org

    This archive was generated by hypermail 2b30 : Mon Apr 19 2004 - 05:29:14 PDT