Monday, August 4, 2003
Handheld Devices Lack Security?
Posted by Ed Hansberry in "THOUGHT" @ 11:00 AM
http://story.news.yahoo.com/news?tmpl=story&cid=581&ncid=581&e=1&u=/nm/20030802/tc_nm/tech_handhelds_dc
There have been a number of news articles over the past few days spurred by comments at DefCon last week. "Don't put any secure information on your PocketPC or your Palm," Glancey warned after a speech on the subject at DefCon, the largest annual computer security conference in the world. "They don't have any security features built in," he said."
They go on to speak of specific vulnerabilities in the PalmOS but don't really mention anything about the Pocket PC. I'm not sure how much of Glancey's comments are real and how much is sensationalist. Pocket PCs don't have any encryption built in, and if that is what he is referring to, it is a fair statement. To my knowledge though, you can't just sniff out a Pocket PC on your LAN and suck all of the information off of it. If you have a PIN on your Pocket PC, you can't even dock it with your PC and get the data via ActiveSync unless you know the PIN.
A PIN is a good security measure, especially the one on the Pocket PC. Time increases exponentially between guesses so after 15 guesses, you are having to wait 7-8 minutes before you can make another guess. After 24 guesses, you are having to wait days between guesses. Given there are 10,000 possible combinations using just a simple 4 digit PIN, unless you do something stupid like make it your year of birth, chances of someone getting your 4 digit PIN in 24 guesses are 1 in 417. Given it takes days to get there, I'll take those odds. It isn't like I have the nuclear launch codes or anything. If you have the strong alphanumeric PIN, it is close to impossible to guess.
Still, you need to encrypt some data. I keep my encrypted data in Ilium Software's eWallet for a few reasons. First, my PIN isn't always active. For convenience sake, I keep my PIN set to activate at one hour. Another reason is my eWallet file is synchronized to my PC, then my domain file shares and backed up on tape. I want to make sure that data is secure through all of those transmissions and on the various forms of media it is stored on. You can also use applications like Resco's File Explorer to encrypt specific files. For seamless encryption, you can use apps like Softwinter's Sentry 2020 for Pocket PC, which encrypts and decrypts on the fly as you use documents.
I think it is a bit chicken little to say you shouldn't put any confidential information on your Pocket PC, but you do need to take measures to ensure the data is safe, just as you do on your PC and corporate servers.
There are some other security related threads from June 2002 and September 2002. (All product links are affiliate links)
There have been a number of news articles over the past few days spurred by comments at DefCon last week. "Don't put any secure information on your PocketPC or your Palm," Glancey warned after a speech on the subject at DefCon, the largest annual computer security conference in the world. "They don't have any security features built in," he said."
They go on to speak of specific vulnerabilities in the PalmOS but don't really mention anything about the Pocket PC. I'm not sure how much of Glancey's comments are real and how much is sensationalist. Pocket PCs don't have any encryption built in, and if that is what he is referring to, it is a fair statement. To my knowledge though, you can't just sniff out a Pocket PC on your LAN and suck all of the information off of it. If you have a PIN on your Pocket PC, you can't even dock it with your PC and get the data via ActiveSync unless you know the PIN.
A PIN is a good security measure, especially the one on the Pocket PC. Time increases exponentially between guesses so after 15 guesses, you are having to wait 7-8 minutes before you can make another guess. After 24 guesses, you are having to wait days between guesses. Given there are 10,000 possible combinations using just a simple 4 digit PIN, unless you do something stupid like make it your year of birth, chances of someone getting your 4 digit PIN in 24 guesses are 1 in 417. Given it takes days to get there, I'll take those odds. It isn't like I have the nuclear launch codes or anything. If you have the strong alphanumeric PIN, it is close to impossible to guess.
Still, you need to encrypt some data. I keep my encrypted data in Ilium Software's eWallet for a few reasons. First, my PIN isn't always active. For convenience sake, I keep my PIN set to activate at one hour. Another reason is my eWallet file is synchronized to my PC, then my domain file shares and backed up on tape. I want to make sure that data is secure through all of those transmissions and on the various forms of media it is stored on. You can also use applications like Resco's File Explorer to encrypt specific files. For seamless encryption, you can use apps like Softwinter's Sentry 2020 for Pocket PC, which encrypts and decrypts on the fly as you use documents.
I think it is a bit chicken little to say you shouldn't put any confidential information on your Pocket PC, but you do need to take measures to ensure the data is safe, just as you do on your PC and corporate servers.
There are some other security related threads from June 2002 and September 2002. (All product links are affiliate links)
