Information Security News mailing list archives

More people using - and losing - PDAs


From: InfoSec News <isn () c4i org>
Date: Tue, 29 Oct 2002 05:00:33 -0600 (CST)

Forwarded from: William Knowles <wk () c4i org>

http://www.nandotimes.com/technology/story/595644p-4624460c.html

By HIL ANDERSON, United Press International
 
LOS ANGELES (October 28, 2002 4:46 p.m. EST) - A chain is only as 
strong as its weakest link, and one of the weakest links in the 
sprawling field of information technology these days can be found 
piling up in the back seats of taxis, airport lost-and-found 
departments, and hotel rooms. 

Laptops, cell phones and the burgeoning number of personal desk 
assistants - also known as PDAs - might make life easier for employees 
in the field, but short of chaining them to their owners' bodies, 
these labor-saving devices are being lost and stolen at an alarming 
rate. And there are growing amounts of sensitive information stored 
inside. 

Small wonder that security was a leading issue on the agenda at the 
recent Pocket PC Summit, a trade show held in Hollywood, Calif. last 
week that was devoted exclusively to the increasingly popular PDA. 

"People like to stay in touch wherever they are," said Arlo Halonen, 
global accounts manager for F-Secure, a San Jose, Calif. company that 
is developing security specifically for PDAs. "They want to be able to 
do all things, except become security experts." 

Vexed for years by non-tech types who were barely functional with 
Windows and baffled by the concept of hitting "start" to shut down 
their computers, information technology specialists in government and 
business are now also finding themselves having to protect their 
networks from their own equipment. 

Improvements in wireless communications, digital subscriber line 
networks and processors have made PDAs and laptops as versatile and 
capable as desktop computers. They have found users across the 
spectrum of society from students to sales reps to doctors. 

The stored information is often mundane, but it can also include 
lucrative gems such as credit card numbers, computer passwords, 
intellectual property, and confidential company financial or trade 
secret product information. 

In addition, portable devices can also be used to access both the 
Internet and restricted in-house computer networks. 

"Hundreds of thousands of these devices are lost and stolen every 
year," David Elfanbaum of Asynchrony Solutions in St. Louis, Mo. told 
United Press International. "They can be a gateway to your entire 
network." 

A growing phenomenon at U.S. airports is the steady flow of passengers 
who run their $2,000 laptops through X-ray scanners and walk off 
without them, presumably obliviously flying off to their destinations 
sans their property. 

Folks who run the lost-and-found departments at major airports 
attribute the losses to new stresses and security measures implemented 
since Sept. 11. 

One frazzled frequent flyer who asked not to be identified told UPI 
that getting from Point A to Point B often requires passing through a 
maze of distractions. 

"I always have my game face on (at airports), scouring the crowds for 
potential hijackers and I'm focused on security and mentally taking 
inventory of my purse and carry-on, making sure I left my Swiss Army 
knife at home," she said. 

"I really can't concentrate 100 percent on a computer these days when 
I fly. It would be so easy to forget it." 

There are also potentially more dangerous types of data that can be 
lost or stolen as the use of laptops and PDAs becomes more common 
among intelligence agents, military officials and law enforcement 
officers. 

Britain's military and intelligence services have lost more than 200 
laptops since 1997, many of which were believed to have contained 
classified information but went missing in restaurants, pubs and on 
public transportation. 

And on this side of the pond, a report by the U.S. General Accounting 
Office released in August concluded that the bean counters from the 
Internal Revenue Service alone had mislaid 2,300 laptops. 

"I'm worried that just as clothes dryers have the knack of making 
socks disappear, the federal government has discovered a core 
competency of losing computers," Sen. Charles Grassley, R-Iowa, said 
in a statement released in response to the dismal GAO report. "This 
inventory control problem is serious and must be addressed. It 
involves tax dollars and potentially confidential taxpayer information 
and data related to national security and criminal investigations." 

American intelligence agencies, of course, also realize the potential 
value of laptops. 

The FBI seized scientist Wen Ho Lee's laptop in 1999 while 
investigating the alleged theft of nuclear secrets downloaded from the 
computer at the Los Alamos National Laboratory. 

U.S. officials have also been prowling through computers seized from 
al Qaida for clues of the terrorist group's plans. 

Because computer files can be downloaded so quickly, experts are 
concerned that a skilled spy or terrorist could copy a stolen 
machine's entire memory in minutes, possibly before the owner even 
knew it was missing - even an unsophisticated snoop could glean 
information by reading e-mails on a stolen machine. 

Companies such as F-Secure and Asynchrony have been developing 
software solutions in recent years that beef up the security features 
of the devices by encrypting the information inside or making it more 
difficult to log in without the right passwords. 

Elfanbaum said that one of its products would completely overwrite the 
entire contents of a PDA if the wrong password was entered repeatedly 
- and even if the machine isn't used as frequently as it should be. 

"It can't even be recovered electronically," Elfanbaum told UPI. 

Government agencies dealing in secrets are an obvious target audience. 
But Elfanbaum said the private sector was fueling the security 
software market as an improved economy freed up more money in 
corporate IT budgets for the purchase of PDAs and laptops. 

At the same time, companies are concerned that their servers could 
come under attack by hackers or cyber-terrorists, who could 
conceivably gain access to major computer systems through a stolen 
laptop. 

As more employees become adept in the use of PDAs, company IT managers 
have found themselves having to become equally as adept at handling 
security measures for a variety of PDA models often built by companies 
that may not have security as a strong point. 

Halonen said PDAs and laptops were becoming the new "headache" for IT 
departments and pointed out that even adding security software was not 
the ultimate answer to the problem of theft and loss. Since companies 
and other organizations tend to purchase computer supplies in bulk, a 
weakness found by an enterprising hacker could conceivably place a 
firm's entire network at risk. 

"It has been an evolutionary development," said Elfanbaum. 

"These devices were originally designed for personal use, so security 
wasn't an issue." 

There is also the need to balance security sophistication against the 
skills of the people in the field who will be using the devices. As a 
result, the most impregnable security software might not necessarily 
be the one that becomes a commercial success. 

"Many people find it confusing and don't want to make it too hard to 
use," Halonen said. "The development all has to be driven by the needs 
of business." 


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org
