Information Security News mailing list archives

Security of handhelds far too lax, experts say


From: InfoSec News <isn () c4i org>
Date: Fri, 28 Nov 2003 03:33:50 -0600 (CST)

http://www.nwfusion.com/news/2003/1124comdex.html

By John Cox and Denise Dubie
Network World, 11/24/03

LAS VEGAS - Traversing the carpeted walkways of the Las Vegas 
Convention Center last week, Caleb Sima looked like many other 
programmers at Comdex: young, lean, laid-back and with a taste for 
earth tones. 

What was less apparent is that he also has a penchant for uncovering 
new security threats. 

"I dabble in cell phone security for fun," said the CTO and co-founder 
of Spi Dynamics, an Atlanta company that makes software for uncovering 
vulnerabilities in Web applications. Sima spoke on a panel about the 
growing handheld security threat, a hot topic at a conference where 
dozens of mobile network products were on display. 

What Sima said he has learned dabbling with cell phone security is 
that no one - not software developers, carriers, corporate network 
executives and certainly not end users - appears to have looked 
seriously at this issue. This, despite the fact that millions of cell 
phones are now in the hands of corporate employees. 

Sima recently began playing with Short Message Service (SMS) as a way 
to launch a denial-of-service attack against cell phone users, using 
his own phone and those of co-workers. "I can send 1,000 SMS messages 
to your cell phone in the blink of an eye," he said. "And I can do it 
anonymously." He created an SMS flood, as he terms it, that rendered 
his cell phone unable to make or take calls. 

After the experiment, he contacted his cellular carrier, T-Mobile, and 
asked if it could stop or block an SMS flood. He said the answer was 
"no." 

Rubbing salt into the wound was his subsequent discovery that T-Mobile 
charges the subscriber on the receiving end of the flood for every SMS 
message over a certain limit. Sima paid more than $30 for being 
attacked. 
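A defender-side illustration of the SMS flood Sima describes, added here and not part of the article: a per-recipient sliding-window rate check run over constructed carrier delivery-log lines, which flags the flood and shows how many messages the subscriber would still be billed for if the carrier stopped delivering at the point of detection. The log format, window, threshold and phone numbers are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed detection window
THRESHOLD = 50                   # assumed max messages per recipient per window


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> to=<msisdn> from=<msisdn>'."""
    ts, to_field, from_field = line.split()
    return (datetime.fromisoformat(ts),
            to_field.split("=", 1)[1],
            from_field.split("=", 1)[1])


def find_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {recipient: (detection_timestamp, count_in_window)}.

    Keeps a sliding window of recent delivery times per recipient; the first
    message that pushes the count past the threshold is the detection point,
    where a carrier could begin dropping messages instead of delivering them.
    """
    recent = defaultdict(deque)
    floods = {}
    for line in lines:
        ts, to, _sender = parse_line(line)
        q = recent[to]
        q.append(ts)
        while q and ts - q[0] > window:      # expire entries outside the window
            q.popleft()
        if len(q) > threshold and to not in floods:
            floods[to] = (ts, len(q))
    return floods


def billable_messages(lines, window=WINDOW, threshold=THRESHOLD):
    """Messages per recipient that would be billed if delivery (and billing)
    stopped at the detection point; the flood victim is charged only for
    messages that arrived before the flood was recognised."""
    floods = find_floods(lines, window, threshold)
    counts = defaultdict(int)
    for line in lines:
        ts, to, _sender = parse_line(line)
        if to in floods and ts >= floods[to][0]:
            continue
        counts[to] += 1
    return dict(counts)


def constructed_log():
    """Constructed sample (assumed data): a 1,000-message flood against one
    subscriber delivered 10 ms apart, plus 5 ordinary messages to another."""
    base = datetime(2003, 11, 24, 10, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=10 * i)).isoformat()} "
             f"to=+15550001111 from=+15550009999" for i in range(1000)]
    lines += [f"{(base + timedelta(minutes=12 * i)).isoformat()} "
              f"to=+15550003333 from=+15550002222" for i in range(5)]
    return sorted(lines, key=lambda l: parse_line(l)[0])
```

With the assumed threshold, the victim is flagged on the 51st message and only the 50 messages before detection remain billable; the bystander's 5 messages are untouched.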

Two IT professionals from a big aerospace company sat glumly at the 
end of Sima's presentation. They heard him say, "People can attack 
your phones and PDAs very easily." 

"It's alarming," says Fred Brooks, who heads an IT team supporting 
executives at the aerospace company, which he requested not be named. 

His end users have Research In Motion Blackberries, which sport an 
array of built-in security and data-protection features. But cell 
phones and smart phones are another matter. 

"We forbid cell phones with cameras," Brooks says. "But how do you 
enforce that? We don't have the resources or the mandate to pat people 
down [and physically search them]." 

That could be next, as network executives realize the scope and 
seriousness of the potential security problem.

"One of our enterprise customers stated the problem very clearly," 
says Dave Nagel, chairman and CEO of PalmSource, the recent Palm 
spinoff that has responsibility for the PalmOS operating system. "He 
said, 'I have a $250 device with $250 million worth of corporate data. 
How are you going to help us protect that?' 

"A lot of the problems have to be solved in the network and in the 
device itself," Nagel says.

The next release of PalmOS, due by year-end, will feature protected 
memory and support digitally signed applications. Among other things, 
protected memory can prevent malicious applications from accessing 
data or parts of the operating system, Nagel says. Digital signatures 
will make it easier to block malicious or untrusted applications from 
finding a home on the PalmOS device. 

But security experts, and at least some users, are underwhelmed by 
what vendors and service providers are doing to solve the problem of 
device security. Most of that work falls to network, IT and security 
professionals. 

Jody Patilla, information security manager at the J. Craig Venter 
Science Foundation in Rockland, Md., says she spent about six months 
building security policies into the organization. 

She still struggles to keep those policies enforced across wireless 
LANs (WLAN) and mobile clients. One problem is end users who consider 
themselves exempt from following security policies. Patilla recommends 
getting human resources or upper management backing for wireless and 
mobile security. 

The potential problems are daunting. Tom Goodwin, vice president of 
operations at Bluefire Security, spoke on the handheld security panel 
and ran through a litany of threats: theft and corruption of corporate 
data; unauthorized access; disruption of transactions to and from the 
handheld; loss of data; and malicious code passed to an enterprise 
network from the handheld. If the device is stolen or lost, and 
unprotected, corporate e-mails and other data are exposed, Goodwin 
says. With handheld memory capacities on the rise, the amount of data 
lost could be substantial. 

Worse, Goodwin says, your current tools, which are designed for 
wireline networks over which you have broad control of client PCs 
anchored to desks, don't work. "Conventional [security] techniques 
don't reach out to protect handheld devices," he says. 

Goodwin cites the practice of businesspeople "beaming" their 
electronic business cards to each other, via infrared, Bluetooth or a 
peer-to-peer WLAN connection. "That data could have a Trojan horse," 
he says. "Then when you sync your handheld to your desktop PC, you 
introduce that Trojan horse to the corporate net." 

He recommends in-depth security: policies that spell out the threat to 
users, and their responsibilities; and an analysis of what corporate 
data is on the handhelds or accessed by them, its sensitivity and how 
it's accessed. Then, make use of personal firewalls, create a solid 
anti-virus architecture, and run regular scans of the software 
versions and patches on the handhelds. Use VPNs for connections and 
file encryption on the device, he says. 

Global Hauri, an anti-virus vendor, unveiled at Comdex its PalmOS and 
Microsoft Pocket PC versions of its ViRobot anti-virus scanner. 
Reviewers have lauded the notebook version for its easy-to-use 
interface and extremely fast scanning speed, plus its ability to 
restore infected files to their original condition. It is priced at 
$20. The company has a management application for enterprise users. 

WLANs, PDAs, phones and other handhelds are the rails over which the 
next generation of complex and sophisticated viruses, worms and Trojan 
horses will run, says Larry Bridwell, program manager for content 
security programs with TruSecure, a provider of intelligent risk 
management products and services. 

"It's a dangerous world, and when you go into the jungle, you have to 
be prepared for it," he says.



-
ISN is currently hosted by Attrition.org
