Smart Phones "Bigger Security Risk" Than Laptops

Posted by kdawson on Monday June 02, @08:46PM
from the low-hanging-fruit dept.
CWmike writes "A recent survey of 300 senior IT staff found that 94% fear PDAs present a security risk, surpassing the 88% who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting. A key danger with PDAs was that over half of IT executives surveyed were 'not bothering' to enter a password when they used their phone. A VP at the company that performed the survey said: 'Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate.' Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?"

  • Surbey (Score:5, Funny)

    by Anonymous Coward on Monday June 02, @08:48PM (#23633503)

    password when they used their phone. A VP at the company that performed the surbey said:
    Surbeys, we should learn how to take them
  • by Anonymous Coward on Monday June 02, @08:52PM (#23633535)
    So this is not just "iPhone" fear mongering

    In fact why is it fear mongering at all.

    Do all slashdot submissions have to end in a catchy imbalanced question?
  • Well. (Score:4, Interesting)

    by alexborges (313924) on Monday June 02, @08:53PM (#23633541)
    On this topic, the thing here is that the web is there to address this problem.

    If the execs were forced to go to the website to do anything, then they can do whatever the hell they want with their phone.
  • Not surprising (Score:5, Insightful)

    by grizdog (1224414) on Monday June 02, @08:57PM (#23633565)
    Usually there is a tension between security and convenience/ease of use. Convenience is going to be paramount for most users of mobile phones, PDAs, etc. So security will typically take a hit.

    Remember, people want to use these things while they are driving a car, eating fast food, and listening to a book-on-tape. They don't want no stinkin' security features.

      • Re:Not surprising (Score:5, Insightful)

        by blincoln (592401) on Monday June 02, @09:54PM (#23633923) Journal
        In addition to this point, very few companies (i.e. not Fortune 500's) either have data or IP worth stealing on executive's mobile phones or PDA's.

        The entire content of their inboxes doesn't count as data worth stealing? What about the potential for shorting the company's stock and then using their device to send an email from their account that will make the value drop (if only briefly)?
        • Re:Not surprising (Score:4, Interesting)

          by Lumpy (12016) on Tuesday June 03, @09:37AM (#23637281) Homepage
          How about the content of my CEO's phone? We are a 10 man shop. We are worthless then, right....

          He's got the entire customer contact list. Our competition would pay at least $2500.00 for that.

          He's got his email on there, Competition would love that as well.

          Also 2 gigs worth of one note files on specific projects being bid on, internal documents, etc...

          I'm betting to the right buyer his phone unlocked is worth at least $10,000.00 as it can generate at least a quarter million in additional sales and revenue.

          Oh I know of at least 4 companies around here that would love to get their hands on that info.

          gamemaster_bm seems to not know anything about business and the value of insider information. It's worth a crapload to that company's competition.
      • Re:Not surprising (Score:5, Insightful)

        by geekmux (1040042) on Monday June 02, @09:57PM (#23633947)

        In addition to this point, very few companies (i.e. not Fortune 500's) either have data or IP worth stealing on executive's mobile phones... What it comes down to is those companies that do have sensitive data on their mobile devices probably are large enough to have a competent IT staff capable of locking the device down properly.
        Er, contacts, sensitive emails, HR data, IP, financial data, contracts, just what exactly does your average CxO NOT deal in? Give me a break man, I mean hell, would YOU hand over YOUR smart phone to a stranger and not think twice about it? Your opinion on the value of data pretty much says it all. And NO, sheer size of a company does not yield "competent" IT staff, trust me on this one...
  • by samkass (174571) on Monday June 02, @08:58PM (#23633571) Homepage Journal
    The only handhelds allowed to connect to our corporate network are company issued ones, and they come locked down so you have to enter a password after a few minutes of inactivity to do anything except answer the phone. Our laptops come with the whole-disk encryption pre-installed. All external web access goes through the company proxy.

    It's possible to lock it all down instead of live in fear. Of course, there's a fine line between security and stifled innovation. Our company's proxies, by default, block blogs, and I have to request that they be unblocked one at a time. Since most of the discussion concerning JSRs for JDK7 development happens through people's blogs, it can seriously slow down the ability to do my job sometimes. But if you want things secure, there are going to be tradeoffs.

    (And if a company laptop doesn't contain ANYTHING worth stealing, the employee should probably be fired for not producing anything worthwhile :) )
    • by bigstrat2003 (1058574) * on Tuesday June 03, @12:05AM (#23634687)

      (And if a company laptop doesn't contain ANYTHING worth stealing, the employee should probably be fired for not producing anything worthwhile :) )
      That, or they're (God bless them!) putting their data on network drives, not on their PC. Harder, but still doable, with a laptop, even on the go, as long as you have VPN access. It's always tragic/amusing when someone loses all their data, when they knew damn well they should've been keeping it in a location that's backed up regularly. :/
    • by dave1791 (315728) on Tuesday June 03, @01:18AM (#23635009)
      > It's possible to lock it all down instead of live in fear.

      That is the default position here on /.; that of a sysadmin. My perspective is that of a user. IT is often too insular and unresponsive to the needs of its users. It tends to be bureaucratic and sees everything through the prism of security risks and administration. User workflows are not often adequately addressed. The popularity of Microsoft's sharepoint server is often attributed to departments circumventing central IT. Why would people do this?

      For example, it is important in my job to keep abreast of news and blogs in my field. Now I can spend a couple of hours per day manually checking various sources, or I can set up RSS feeds, scan headlines, read deeper where needed and take care of this in 15 minutes. IT had disabled the RSS feed reader in Outlook, so I have to circumvent the way that IT apparently wants me to work. I use an offsite feed aggregator to avoid having to install unauthorized software. My having to circumvent IT to work means that there is dissonance between how IT sees my role and I (and my boss) see my role.

      I tend to view new security measures as productivity killers because they are not accompanied by contextual interviews to see how I work.
  • by Anonymous Coward on Monday June 02, @09:03PM (#23633595)
    And if you have a blackberry enterprise server, you can:

    - force your users to have a password
    - force the device to lock after a specified period of inactivity
    - force the user to enter the password every x minutes regardless of activity
    - prevent users from having a trivial password
    - give users a duress password
    - set the blackberries to store everything in encrypted form
    - if a blackberry is lost, you can remotely lock the blackberry
    - if a blackberry is lost, you can remotely wipe it

    Blackberries are the best mobile platform, period.
    • by vux984 (928602) on Monday June 02, @09:25PM (#23633741)
      Mod parent up. Blackberries ARE better than the other PDA platforms in terms of security, because they do support this level of security 'out of the box'.

      Other PDA's don't, and in most cases you can't even add it. With the BB, you can essentially set them up so that all data is end-to-end encrypted to YOUR server, and from there it can go out to retrieve web pages, access address books, download documents, run applications, etc, etc. You can apply corporate filters to the web, limit applications, etc, etc all very easily.

      All other PDA platforms require you to trust the carrier and the user for a significant chunk of the security. They give you exchange and imap support for example so email can be reasonably secure, but it's much harder to lockdown EVERYTHING else... like blocking it so the pad web browser can't reach facebook or myspace or so poker can't be installed... blackberries make it as easy to manage PDA's as it is to manage desktops... which is to say... it's a hassle. But on other platforms it's not even really doable.

      How easy is it to get an iphone to run through a 'VPN' so it can access an intranet site and have no or extremely limited access to the public WWW? This is a pretty common scenario for the PC's staff are provided by enterprises, but smartphones in general do not make this sort of configuration easy; in many cases it's simply not possible.
      • In just a few days, Apple is set to release iPhone Software 2.0 (as well as maybe Hardware 2.0...) but sw 2.0 is slated to have many of the enterprise features listed above. Not to sound like an Apple commercial, but features will include:

        -ActiveSync (with SSL..)
        -Remote administration with remote wipe of a lost device
        -Cisco VPN with RSA SecurID

        And as far as the VPN question, it is pretty straight forward, just another pane in the settings menu. PPTP and IPSec.

        So iPhone's release feature set wouldn't have satisfied your needs, but tune back in in a few days and see if it floats your boat.
      • by Anonymous Coward on Monday June 02, @09:57PM (#23633945)
        I have no experience with Blackberries. Do they support traditional wifi (802.11a/b/g/n?)

        Some models do.

        I thought emails and all that went through Blackberry's central servers before being passed on to the organization's or corporation's servers.

        Depends. If you have a blackberry enterprise server, you manage the encryption entirely in-house. The company (RIM) is only carrying the encrypted message, and RIM doesn't have the keys, you do. The government of India was in the news recently, threatening to cut off blackberry service, since they can't decrypt the messages.

        If you don't have a blackberry enterprise server, RIM manages the encryption on your behalf. In this case RIM has the keys.

        I know this data is encrypted, but does it meet the encryption requirements laid down for electronic medical records in HIPAA?

        Absolutely. They have a sales division dedicated to health care [blackberry.com].

        I also wonder about Blackberry service coverage. In many of the buildings where I work, I don't get cell service (Sprint) and my peers do not either (AT&T, T-Mobile, Verizon, etc).

        That really depends on your local provider, and how much concrete & steel you have in your building. If you really want to, you can buy a cellular repeater to carry cell phone signals through the building. Expensive though.

        There is local wifi available, but can Blackberry use that?

        Some blackberries can do wifi.

        Just wondering what the limitations of the seemingly "perfect" Blackberry platform really are.

        I never said it's perfect, just that it is the best of what is available.

        The thing I found most annoying is that you can't make the phone ring & vibrate at the same time. It can ring only, vibrate only, vibrate then ring, but not both simultaneously.

        If you have a headset plugged in to the blackberry, when the phone rings, the ringing sound is made by the regular ringer, not through the headset.
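Added example (not from the posts above, and not RIM's code): a Python model of the lock policy the BlackBerry Enterprise Server list earlier in this thread describes, with the inactivity lock, the periodic re-prompt regardless of activity, a trivial-password check, a wipe after repeated failures and a duress password. That the duress password wipes the device, and the specific trivial-password tests, are assumptions.

```python
from dataclasses import dataclass
@dataclass
class LockPolicy:
    inactivity_secs: int = 300   # lock after this much idle time
    reauth_secs: int = 3600      # re-prompt this often even while in use
    max_failures: int = 10       # wipe after this many wrong passwords
    min_len: int = 6

    def accept_password(self, pw: str) -> bool:
        # Trivial: too short, one repeated character, or a digit run.
        if len(pw) < self.min_len or len(set(pw)) == 1:
            return False
        if pw.isdigit():
            steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
            if steps <= {1} or steps <= {-1}:
                return False
        return True

@dataclass
class Device:
    policy: LockPolicy
    password: str
    duress: str              # assumption: entering it wipes the device
    locked: bool = True
    wiped: bool = False
    last_activity: int = 0
    last_auth: int = 0
    failures: int = 0

    def tick(self, now: int) -> None:
        # Enforce the time rules on every access, not from a background
        # timer that may never fire (the failure mode the Palm user hit).
        if (now - self.last_activity >= self.policy.inactivity_secs
                or now - self.last_auth >= self.policy.reauth_secs):
            self.locked = True

    def use(self, now: int) -> bool:
        self.tick(now)
        if self.locked or self.wiped:
            return False
        self.last_activity = now
        return True

    def unlock(self, now: int, attempt: str) -> bool:
        self.tick(now)
        if attempt == self.duress:
            self.wipe()                  # silent wipe under duress
            return False
        if attempt != self.password:     # always fails once wiped
            self.failures += 1
            if self.failures >= self.policy.max_failures:
                self.wipe()              # brute-force guard
            return False
        self.failures, self.locked = 0, False
        self.last_auth = self.last_activity = now
        return True

    def wipe(self) -> None:              # remote wipe or policy trigger
        self.wiped, self.locked = True, True
        self.password = self.duress = None   # no credential matches now
```

Driving the model with a clock shows the second rule biting while the device is in constant use: after reauth_secs it locks even though no inactivity window was ever exceeded.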
  • by Sigma 7 (266129) on Monday June 02, @09:18PM (#23633687)
    The cell phone I have has one level of protection - a PIN number that only needs to be entered when it turns on. As long as it's on, you can do anything you want with it, including modifying content or planting evidence. In addition, you can still access content on the phone by attaching it to a computer (without any need to enter a pin.)

    As a result, I'm not storing any sensitive information on the phone.

    The Palm Pilot was at least better in this regard, since it allowed separating public and private information and requiring a pin when you wanted to access private data. However, this was a PDA rather than a cell phone.

  • A surbey? (Score:3, Informative)

    by Cala (1134197) on Monday June 02, @09:22PM (#23633717)
    The bastard cousin of the sorbet?
  • by s4ltyd0g (452701) on Monday June 02, @09:24PM (#23633735)
    It's pretty much a done deal. Keep sensitive data on a small device and if you lose it, assume it's compromised. Password or not.

    regards
  • I've had a Palm Treo 755p Smartphone for about 9 months. I have a lot of medical data on my unit, including (unfortunately) some patient data. I've tried to use Palm's "Private Records" feature for sensitive data, but it's too complex and unreliable. Some things that I mark as private show up in the regular views anyway, without needing to be unlocked with a password, even after I try to "lock" them or mark them as "private" multiple times. I doubt they're actually encrypted, either - probably just a bit-flag which only some software on the device reads and uses.

    So I tried instead to setup an automatic lock on my device - I figure a power-on password should be fine. I set that up - and unfortunately, even though I set it to auto-lock after 1 hour of non-use, it NEVER asks for the power-on password. I've set it up exactly as Palm's site suggests... it still won't auto-lock the unit.

    The thing is that the tech seems to need a fix before we can go about blaming the users. I've never lost a patient file or my phone, but obviously it would be a major problem if something like that did happen. Thankfully, the healthcare system I work for is going to electronic records, so nothing will be stored on my Palm anymore; I'll just use my cell plan to connect to the server (SSL encrypted) and access files wirelessly.

    Still, there are other things I'd rather not have fall into a criminal's hands... hospital phone numbers, phone numbers of peers, nurses, other physicians, pagers, laboratories, etc. But my model, at least, is simply inadequate in protecting this data. Someone needs to come up with something better than what's currently available - maybe once it's "expected" - much like a password when you log onto Windows - it won't be such a big deal for people to use it.
  • analog hole (Score:5, Insightful)

    by Gothmolly (148874) on Monday June 02, @09:43PM (#23633843)
    I can't carry an iPhone, but I can bring home a file folder full of secrets.
    I can't have a cameraphone because I can 'steal' data, but you let me bring my 250GB laptop home.
    My email is filtered for PPI and dirty words, but you don't filter my Gmail.
    I can't FTP, but I can attach 10 MB files to webmails.

    Build a better mousetrap, and some management school out there will produce a stupider monkey.
  • Packet Sniffer (Score:4, Informative)

    by Darkness404 (1287218) on Monday June 02, @09:47PM (#23633873)
    Chances are, it is more risky to connect to an unencrypted network at a local coffee shop and check your e-mail on your PDA than it is to leave it without a password. I know on my computers the information stored on it is useless to a thief but some e-mails (stored on a remote server) have more confidential information than what is stored on the device (and just about all webmail requires you to use a password). So really, for me and most other people, a 1337 H@X0R with Wireshark will do more damage than some guy who steals your PDA/Laptop.
  • by TheNetAvenger (624455) on Monday June 02, @09:52PM (#23633909)
    Is this just iPhone fear-mongering?

    Of course it is, because the iPhone is the only PDA or SmartPhone in the world... (If you live under an Apple or a Rock.)
  • In each computer desktop, laptop, and smartphone, we installed hardware encryption and a C4 charge with remote 2 tier authentication for detonation. The two tier authentication was introduced after an unfortunate mishap involving our CFO getting his arm blown off while out golfing; it turns out the detonation frequency was a maritime frequency as well.

    The C4 will also detonate if a password is entered incorrectly twice. We encourage employees who are "out of it" or even slightly ill to take the day off, and require them to call IT should they ever type their password in wrong once.

    We also use an operating system completely built in house with a semi AI running security diagnostics at all times, and we have live people watching the network traffic to the few systems that are actively connected to the internet. Any systems that manage to get infected (to date, none) would also receive the C4 treatment. A bit draconian, but it gets the job done. Our datacenters also have thermite ceilings designed to completely melt down the facility if it comes under attack (three armed guards 24/7 are at the red button, just in case some new tech decides to think about hitting the button.)

    Protecting the world has taught us to take our own security seriously. Hopefully, you can learn from these measures and take the proper safeguards for your own facilities and equipment (remember, the answer is always hardware encryption and C4.)

    Thank you,
    Ortega Starfire
    CTO, Hoffman Institute
    For The Advancement of Humanity
    • by Idbar (1034346) on Monday June 02, @09:47PM (#23633881)
      People with PDAs (I don't know if particularly iPhones), fail to realize that the PDA security is not the problem but the confidence they have that their PDAs can't fall into wrong hands. It doesn't really matter if your PDA is the most secure device against attacks, if something like a phone can be easily lost or stolen and you only have to "slide" your finger to unlock sensitive information.
    • What a complete and total arse you are. How is the iPhone magically more secure than any other phone if it is stolen (a large part of what the article is about)?

      How is the iPhone magically invulnerable to wireless issues, as the sister post describes?

      Another fanboy, "Oh no! Someone's perhaps saying something potentially negative about an Apple product! Must rush to defense!"