Information Security News mailing list archives

Pocket PC doesn't make security grade, Gartner says


From: InfoSec News <isn () c4i org>
Date: Tue, 24 Sep 2002 01:20:55 -0500 (CDT)

http://www.nwfusion.com/news/2002/0923pocketpcsec.html

By Sumner Lemon
IDG News Service, 09/23/02 

Microsoft's Pocket PC 2002 software does not address critical security
issues and could make sensitive corporate data stored on PDAs and
desktop PCs vulnerable to theft and loss, market analyst Gartner
warned in a recent research note.

Companies that use Pocket PC-based devices should turn to third-party
products to protect their data, the research note said.

Microsoft officials contested the accuracy of Gartner's analysis of
Pocket PC's security. "Gartner mistakenly blames the Pocket PC for
potential security breaches that are in reality related to insecure
usage of desktop PCs," said Microsoft spokeswoman Bridget Yau, in an
e-mail.

Improving security has been a major focus for Microsoft since January,
when the Redmond, Wash., company's chairman and chief software
architect, Bill Gates, said building an environment of "trustworthy
computing" should be Microsoft's top priority, eclipsing the addition
of new features to its product line.

But while Microsoft has put the security of many of its flagship
products, such as the Windows operating system, Office and Visual
Studio .Net, under the microscope, Pocket PC is not yet part of its
Trustworthy Computing initiative and ignores critical security issues,
which will not be addressed until the release of the next version of
the software, expected in 18 months to 24 months from now, Gartner
said.

Security shortcomings associated with Pocket PC are slowing adoption
of handhelds based on the software by many companies, the research
note said.

Among the vulnerabilities that Gartner's research note identified in
Pocket PC: the default setting does not require a password, and
passwords and the password policy cannot be synchronized with a
desktop PC. In addition, configuration settings of Pocket PC-based
devices cannot be secured, and when the system is reset all settings
are lost.

Other areas of vulnerability include:


* The ability to install a Pocket PC device on a desktop PC without
  requiring a password, which gives the device the ability to access
  data in Outlook, as well as other applications.

* Users cannot encrypt files with the Crypto API that is included in
  Pocket PC.

* No security is provided for removable storage devices, such as
  memory cards.

* The software lacks policy features that could be used to restrict a
  user's ability to run applications on a Pocket PC-based device.

Microsoft's Yau disputed whether a Pocket PC device can be easily
installed on a computer and used to download data from applications
such as Outlook, calling Gartner's claim "incorrect."

"A Pocket PC cannot be installed onto a password-protected PC without
using the PC's password to secure access," she said. "A PC without
password protection is at a much greater risk of data loss to
high-capacity storage cards than with a Pocket PC."

For other areas of concern, both Microsoft and Gartner agreed that
third-party applications can be used to address many of the security
vulnerabilities identified in the research note. But Gartner said that
relying on third-party products was not a sufficient answer for many
corporate users and urged Microsoft to take steps to improve the
security of Pocket PC.

"These (third-party) solutions come at additional cost and are
sometimes not available in local languages," the research note said.

"Many larger enterprises, such as banking and financial institutions,
have very strict policies when it comes to acquiring software,
requiring extensive audits of the software, vendor viability and
support options - often taking more than three months to be approved,"  
it said.



-
ISN is currently hosted by Attrition.org
