[ISN] Security of handhelds far too lax, experts say

From: InfoSec News (isn@c4i.org)
Date: Fri Nov 28 2003 - 03:33:50 CST


http://www.nwfusion.com/news/2003/1124comdex.html

By John Cox and Denise Dubie
Network World, 11/24/03

LAS VEGAS - Traversing the carpeted walkways of the Las Vegas
Convention Center last week, Caleb Sima looked like many other
programmers at Comdex: young, lean, laid-back and with a taste for
earth tones.

What was less apparent is that he also has a penchant for uncovering
new security threats.

"I dabble in cell phone security for fun," said the CTO and co-founder
of Spi Dynamics, an Atlanta company that makes software for uncovering
vulnerabilities in Web applications. Sima spoke on a panel about the
growing handheld security threat, a hot topic at a conference where
dozens of mobile network products were on display.

What Sima said he has learned dabbling with cell phone security is
that no one - not software developers, carriers, corporate network
executives and certainly not end users - appears to have looked
seriously at this issue. This, despite the fact that millions of cell
phones are now in the hands of corporate employees.

Sima recently began playing with Short Message Service (SMS) as a way
to launch a denial-of-service attack against cell phone users, using
his own phone and those of co-workers. "I can send 1,000 SMS messages
to your cell phone in the blink of an eye," he said. "And I can do it
anonymously." He created an SMS flood, as he terms it, that rendered
his cell phone unable to make or take calls.

After the experiment, he contacted his cellular carrier, T-Mobile, and
asked if it could stop or block an SMS flood. He said the answer was
"no."

Rubbing salt into the wound was his subsequent discovery that T-Mobile
charges the subscriber on the receiving end of the flood for every SMS
message over a certain limit. Sima paid more than $30 for being
attacked.

Two IT professionals from a big aerospace company sat glumly at the
end of Sima's presentation. They heard him say, "People can attack
your phones and PDAs very easily."

"It's alarming," says Fred Brooks, who heads an IT team supporting
executives at the aerospace company, which he requested not be named.

His end users have Research In Motion Blackberries, which sport an
array of built-in security and data-protection features. But cell
phones and smart phones are another matter.

"We forbid cell phones with cameras," Brooks says. "But how do you
enforce that? We don't have the resources or the mandate to pat people
down [and physically search them]."

That could be next, as network executives realize the scope and
seriousness of the potential security problem.

"One of our enterprise customers stated the problem very clearly,"
says Dave Nagel, chairman and CEO of PalmSource, the recent Palm
spinoff that has responsibility for the PalmOS operating system. "He
said, 'I have a $250 device with $250 million worth of corporate data.
How are you going to help us protect that?'

"A lot of the problems have to be solved in the network and in the
device itself," Nagel says.

The next release of PalmOS, due by year-end, will feature protected
memory and support digitally signed applications. Among other things,
protected memory can prevent malicious applications from accessing
data or parts of the operating system, Nagel says. Digital signatures
will make it easier to block malicious or untrusted applications from
finding a home on the PalmOS device.

But security experts, and at least some users, are underwhelmed by
what vendors and service providers are doing to solve the problem of
device security. Most of that work falls to network, IT and security
professionals.

Jody Patilla, information security manager at the J. Craig Venter
Science Foundation in Rockland, Md., says she spent about six months
building security policies into the organization.

She still struggles to keep those policies enforced across wireless
LANs (WLAN) and mobile clients. One problem is end users who consider
themselves exempt from following security policies. Patilla recommends
getting human resources or upper management backing for wireless and
mobile security.

The potential problems are daunting. Tom Goodwin, vice president of
operations at Bluefire Security, spoke on the handheld security panel
and ran through a litany of threats: theft and corruption of corporate
data; unauthorized access; disruption of transactions to and from the
handheld; loss of data; and malicious code passed to an enterprise
network from the handheld. If the device is stolen or lost, and
unprotected, corporate e-mails and other data are exposed, Goodwin
says. With handheld memory capacities on the rise, the amount of data
lost could be substantial.

Worse, Goodwin says, your current tools, which are designed for
wireline networks over which you have broad control of client PCs
anchored to desks, don't work. "Conventional [security] techniques
don't reach out to protect handheld devices," he says.

Goodwin cites the practice of businesspeople "beaming" their
electronic business cards to each other, via infrared, Bluetooth or a
peer-to-peer WLAN connection. "That data could have a Trojan horse,"
he says. "Then when you sync your handheld to your desktop PC, you
introduce that Trojan horse to the corporate net."

He recommends in-depth security: policies that spell out the threat to
users, and their responsibilities; and an analysis of what corporate
data is on the handhelds or accessed by them, its sensitivity and how
it's accessed. Then, make use of personal firewalls, create a solid
anti-virus architecture, and run regular scans of the software
versions and patches on the handhelds. Use VPNs for connections and
file encryption on the device, he says.

Global Hauri, an anti-virus vendor, unveiled at Comdex its PalmOS and
Microsoft Pocket PC versions of its ViRobot anti-virus scanner.
Reviewers have lauded the notebook version for its easy-to-use
interface and extremely fast scanning speed, plus its ability to
restore infected files to their original condition. It is priced at
$20. The company has a management application for enterprise users.

WLANs, PDAs, phones and other handhelds are the rails over which the
next generation of complex and sophisticated viruses, worms and Trojan
horses will run, says Larry Bridwell, program manager for content
security programs with TruSecure, a provider of intelligent risk
management products and services.

"It's a dangerous world, and when you go into the jungle, you have to
be prepared for it," he says.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.