Want your thoughts on security of mobile devices
by Volker Weber
I need to speak about security of mobile devices soon and I would be very interested to learn what you have worked out in this space. I am talking about all mobile devices from notebook, Blackberry, PDAs, to smart phones. It's not only about mobile email, but also remote application access, protection from viruses and such. I also need to touch on theft or espionage. What are the threats, how do you address them? What kind of standards do you have, which software do you use, which procedures do you follow?
If you have interesting resources available on the net, just comment. If you have documents, please send them by mail. I will be at CeBIT this week, so I can only read them next week. There is no hurry.
All the documents you send to me will not be published nor forwarded. I want to learn from them.
Comments
If you're going to be at CeBIT anyway, F-Secure always has fantastic talks. Last year I found the demos of security holes in Bluetooth quite impressive; OK, nothing that wasn't already known elsewhere, but seeing it in practice is still something different from knowing about it in theory.
But I also found it impressive to be shown live how even WPA can be hacked.
My mobile workhorse is a Windows XP notebook with the latest MS patches. Although I don't "believe" in virii, it runs a very up to date version of McAfee. My main concern is, and has always been, theft or loss. All local replicas of Notes databases are encrypted, and for about two years, I have slept soundly knowing that the whole hard disk is encrypted (which makes the Notes encryption overkill, I know) with SafeBoot. Loss of the notebook now would be a pain (to reacquire & to rebuild) but otherwise I am quite sure that nobody would get at the data.
I also carry a Nokia cellphone with an up to date address book. I am a bit concerned about loss or theft of that, but I'm not aware of any form of encryption for a 6230.
From a research point of view, there's quite some work published over at the T-Mobile chair for m-commerce held by Prof. Dr. Rannenberg at the University of Frankfurt. The project "Mobile Elektronische Signaturen" has a substantial number of publications on mobile digital signatures and security of mobile operating systems, from technical, business and legal perspectives.
To prevent data loss, my Powerbook rsyncs with my Linux desktop.
To prevent theft, I carry my Powerbook in an ordinary backpack instead of a laptop case. Sensitive data is encrypted either with GPG or the OSX FileVault. All patches are up to date, firewall is enabled when I am out of my home, no virus scanner installed (I believe I am smart enough so I don't need one).
My Palm m130 doesn't connect to the internet, all I do is password-lock it when not in use.
I feel safe with my mobile devices unless some idiot decides to rob me.
Speaking of security, I do also think about physical security. I prefer notebook computers with their harddisks mounted into removable trays. If I leave such a notebook in lab or library alone for a short while or want to give it up at a wardrobe (e.g. during events), I simply pull out the harddisk and take it with me.
This is likely to reduce the drive's life expectancy, but if the notebook gets lost or stolen, I still own my data and the thief doesn't. Pulling out the HDD even works fine with Suspend to RAM (on W2k and XP), though technically it might be better to use Suspend to Disk instead.
(And speaking of software, encrypted virtual partitions as created by PGPDisk-alikes are fine.)
I believe theft is the most dangerous problem of the ones you mentioned. All others can be addressed with software, but theft implies an attacker has physical access to the device itself and thus can circumvent security software.
As for my mobile, I only use Forname Surname as contact-infos. All other meta data (company, position, blah) is stripped. Oh, and no entries like 'Mom&Dad' or 'Sugarpie'. Same for my PDA and notebook. Full entries are only available on my home PC. Regarding other aspects, I try not to use comfort functions like password-manager. Occasionally it happens anyway, which leads me to go through all my applications and delete all private information, just in case.
About data: no data on my mobile devices. All my data is available online, so I don't really need to have backup copies on other devices than my home PC. Not even on the notebook. After working on it, it gets deleted.
And here comes the crucial point in all this (for me): to be sure deleted data IS deleted, and that the deletion cannot be undone. There are several tools out there, personally I use Eraser.
Completely forgot to explain why there are no 'Mom&Dad'-style entries on my mobile devices.
Identity theft: by including personal information such as relationships -- who is family, who are my friends, who is my partner, ... -- it gets easy for an attacker to draw a picture of me and use this picture to do whatever evil he is up to. I don't want a criminal to know my account numbers, social security number or employer/customers.
Espionage: I don't like the idea of a criminal reading my SMS, let alone knowing where my family lives. Perhaps by reading an SMS he can tell when my parents/my friends/I/... are on leave and thus break into our homes and offices. Leaving traces of the secret-super-project? Bad idea. So I delete SMS after reading them or replying. And I delete the replies, too ;)
Just read this on engadgetmobile.com. Talks about a software called "Eye on Thief", which monitors the SIM card used in your phone. If it is switched to an unauthorized one, your phone sends an SMS home (a number you can configure). Then you have the number of the thief and can locate him if the provider cooperates.
Sascha, I use pretty much the same strategies you do, but I have one question: how are you able to keep stripped records on your mobile devices and yet conveniently synchronize them with your home computer?
I think you are focussing too much on individual use.
Does your company have policies for mobile devices? What precautions are you taking to secure your network, when mobile devices connect?
Volker, I can answer from a corporate standpoint.
We have about 60 mobile salespeople based out of numerous offices up and down the US East Coast. They only come into their office once a week, at best, so we can't offer much in the way of physical support and/or anti-virus (AV) updates. So, what we've done is provided a laptop that is completely locked down when the user logs in. (We also have an admin account with a non-standard pwd.) The user doesn't have the ability to install any software or hardware, can't browse the internet, and can only print to their office's network printer. We use Notes and replication (dialup or VPN) to give them local replicas (encrypted) of corporate data, but only the "slice" that pertains to their region. The laptop is set to "screen lock" after only about 2 minutes, and the user must enter username and pwd to get back in. Their personal NAB is also encrypted with design hidden, to better hide their dialup or VPN password (which are different than the username & password, and different from each other), so there's no way they could get to know them and use them on some other machine. VPN users we give a specially configured router to provide our laptop a little more protection from their (home ISP) internet connection. We run anti-virus, content filters, and blacklisting on our corporate email servers to try to prevent virus emails getting to their mail, and we also have filters to remove emails containing executables of many kinds. Not that they'd be able to run an executable anyway - they are locked down to only be able to run what they'd need for Notes and printing to our printer. We also don't give them office software, so what do they need attachments for anyway? They can use the Notes viewer if they receive attachments. Most attachment-type work isn't going to be done by the front-end sales guy in our business, anyway. We do have correspondence built into our custom sales application in Notes, so they can send emails, faxes, and letters.
(We even provide pre-written letters and 'templates'.)
Someone who had never worked in this way before would think it sounds very restrictive. But we've given them the ability to do everything they need to do in an 'approved' and 'safe' way, yet in a way that is mobile enough that we expect them to use the laptop throughout the day, updating it as they go, and not need to do any work at home at night.
Oh, and as soon as someone reports a laptop stolen or missing, those accounts are locked or deleted, so all a thief gets is whatever portion of this user's "slice" that they can pry from the encrypted Notes databases. Good luck.
Their cellphones, provided by a different department, are a different story. My only consolation there is that I know that most of our salespeople aren't going to take the time to put hundreds of company contact numbers into their phones. Just the ones they use most frequently. And even then, they're most likely to enter them as "Bob Smith" and not put in company data. So, I guess we're counting on "laziness as a form of security" there.
Maria, that's the standard solution of every larger enterprise. I would consider your model the solution of the '90s. It is indeed very difficult to find the balance of the attributes "control" vs. "flexibility", "risk" vs. "productivity". And I have no real global solution for it.


