http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9086798

By Matt Hamblen
May 19, 2008
Computerworld

Cameras are available on just about every kind of wireless handheld device, from inexpensive cell phones to high-end smart phones, putting pressure on IT managers to reconsider corporate security policies banning cameras.

In 2004, when cameras first became widely available for devices, many companies that purchase devices for their employees dug in their heels and asked their wireless carriers to provide models with no cameras. Four years later, however, that hard-line approach appears to be softening, at least in the private sector.

"Some companies are still avoiding [devices with cameras], but that's a minority," said Gartner Inc. analyst Ken Dulaney in a recent interview. Dulaney works with many Fortune 500 companies on their mobile device purchases and policies.

"Many companies have now relaxed their rules, as most are resigned to the notion that virtually all phones include cameras built-in," added Jack Gold, an analyst at J.Gold Associates LLC.

At one large U.S. corporation that provides BlackBerry wireless devices to 30,000 users, the camera ban was recently lifted for new device purchases. "Even the low-end phones are coming out with Bluetooth and cameras, so we've ended up adding cameras to the mix of devices allowed," said a senior IT manager at the company who asked not to be named because of corporate policies. However, the IT manager said that when the IT shop can disable the camera via management tools over the network, it will do so.

There are network management tools that curtail camera use. Research In Motion Ltd., maker of the BlackBerry, makes models that enable the IT staff to turn off the camera through the BlackBerry Enterprise Server, so an employee can't surreptitiously photograph proprietary information or inappropriate material.
Similar photo-blocking is available with Windows Mobile Exchange synchronization functions, the manager noted. But the manager said there's no similar way to control photos that are taken on some devices and sent over Bluetooth wireless.

Because of such loopholes, there are questions about how any organization can control camera usage. "We want to minimize the potential risk, but there's minimal risk anyway, we've decided," the IT manager added.

Some models of the latest cell phones and smart phones are available without a camera, to satisfy strict business buyers. Verizon Wireless spokeswoman Brenda Raney said some models are sold that don't have a camera, including the BlackBerry 8830 smart phone, out of an inventory of about 30 models from various manufacturers.

"Some companies don't see the camera as an issue, but some still prefer employees not have them in phones," Raney said. Some industries, and many government agencies, have tougher standards than others, she noted.

Gold, who advises corporations on wireless use, said he used to tell clients to buy phones without cameras to avoid security issues. "However, the truth is, most phones today have cameras built in, and if you search for a good-feature phone, you will likely not be able to find one without the camera," he said. Instead, he urges companies to educate their users about the security risks of cell phone cameras and to consider turning off the cameras over the network.

The anti-camera policies were designed to prevent employees from taking photos of information on computer screens or a company's new internal technology and then using the photos to compromise the company.

But a camera lens can be the size of a pinhole and easily hidden, so it can be extremely difficult for a security guard to detect a camera carried by a visitor, analysts noted.
Even proving that a device has its camera turned off would be difficult, since the guard would need to carefully read the device's interface to determine whether a camera was turned off. Security guards sometimes confiscate phones suspected of having cameras, or even resort to putting tape over the lens.

Dulaney said he first wrote about cameras as a security threat in early 2004, after seeing a flood of camera phones at the Consumer Electronics Show. He said then that camera bans were "an overreaction" by business users, since there are many ways consumer devices, such as USB flash drives, can be used to grab information.

Blanket bans on cameras are "a stupid position," Dulaney said recently. "If you are a spy, you won't have a camera that people can see."

Four years after writing his initial report, Dulaney said having a camera on a handheld device can actually be valuable for an employee in some situations, such as photographing a crime in an employee parking lot or other location.

Many companies deploy cell phones with cameras that are used for business purposes. Repairmen use them to take photos of defective parts, while real estate agents use them to grab a quick photo of the interior of a home for sale, analysts noted.

Dulaney urged companies to set up secure zones where restrictions on cameras are tightest because of the greatest risks involved. That might mean, for example, that a company would show off its latest product only in a secure zone and would search visitors and confiscate cameras at that location, he said.

"Usage guidelines are far more effective than outright bans," Dulaney said.

At the Los Angeles Community College District, camera phones are not banned, although there are plenty of locations where security is important, such as the school's finance offices, where student payment records are displayed on computer monitors and laptops, said CIO Jorge Mata.
To limit the risk of someone outside the school passing by a terminal and seeing and photographing private information, the college district has installed "hundreds" of privacy filters on laptop and PC screens, which prevent anyone but the user from seeing the information, Mata said. The filters range in price from $45 to $200 apiece, he said. "We don't want to risk privacy," he said.

As for the more general issue of cameras used to take photos of secure information, Mata said common sense by users and general guidelines make the most sense instead of a strict ban on phones with embedded cameras. "Some things do not come down to a technology solution," he said.