Ten Dangerous Beliefs About Smart Phones 49
jcatcw writes "According to Computerworld, lots of assumptions about the security of smart phones are wrong, and any high-value targets, such as political candidates or organizations with valuable data, should treat them carefully. They are not, contrary to common beliefs: just phones with cool features: 'A phone call over a landline used to be an acceptable method for communicating out-of-band administrative information. For example, a system administrator might call you back at your desk to verbally give you a new password (which you then changed, right?), This worked because the desk phone was isolated from the network and system resources to which you were being given access. Not so anymore. If you lose your smart phone and IT calls you back on that mobile number to confirm the trouble ticket, is it a meaningful method of verifying the identity or location of the person who answers?'"
Re:Assumptions, not beliefs (Score:5, Insightful)
http://www.military-information-technology.com/ar
Re: (Score:1)
Duh (Score:2, Offtopic)
No (Score:1)
It's all about secure communication... (Score:3, Insightful)
What are the same solutions? Physical security, for one thing. Access verification. Identity anlysis.
It's certainly not that new a problem.
Re:It's all about secure communication... (Score:4, Insightful)
Re: (Score:3, Insightful)
The reason being that the post-it grants access to the virtual system, while the physical system is seperately secured- the key grants access to the physical system and is a physical thing.
In either case, the secure 'communication' there would be someone from IT walking down and handing you the post-it- hence, a backc
Re: (Score:2)
- phone with bluetooth
- iPaq hx2795
Enable biometric security and encryption, then you can rest assured it is either the authorised individual accessing data, or someone cut that person's finger off and used it to authenticate.
Re: (Score:2)
Re:The First Church of Smartphones (Score:5, Funny)
Nobody expects the Spanish Inquisition!
Re: (Score:1)
Assumption #11 (Score:2)
Re: (Score:2)
I'm not sure what blinking and flashing you're talking about, because I use Adblock Plus with the Filterset.G updater.
don't get mad, get adblock.
Yawn. (Score:5, Insightful)
All things any moderately-savy computer user should be entirely familiar with.
Re: (Score:2)
Thinking is for suckers. Let's just let the smart phones do it.
Re: (Score:3, Insightful)
Re: (Score:2)
Unsubstantiated fearmongering (Score:5, Insightful)
You authenticated yourself to the phone on your desk with building and room access-controls.
You authenticate yourself to your cellphone with a PIN code.
I don't know what's the thing about "smart" phones - the argument in the article works with any normal phone. Anyway, you still authenticate yourself to the phone. Oh, someone is coming in with a leadpipe and steals the phone from you? Well, if someone wants your precious off-band password that bad they'd probably force you to log into the system anyway. Otherwise, if it's just some street junking running off, you'll have plenty of time to call the operator and tell them about the theft.
Sometimes the phone may even request additional PIN numbers when going for more sensitive areas. My company uses mobile phone as an off-band authentication token for signing in to VPN - when you connect, your phone beeps at the same time and asks you to type in (different) PIN number. No more carrying around that SecurID-key. (And no, this doesn't require anything special, it's a service on the SIM card).
Other arguments are also dubious at best:
3. Communications are encrypted from end to end.
BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers.
So who has configured your e-mail client not to use SSL? If you are using webmail, it's encrypted. If you are using IMAP, Pop3, or SyncML, those have encryption options as well.
And bloody well you can also use VPN (yes, latest Nokia E-series phones are quite compatible with Cisco VPN concentrators).
As for their server security...well, WHO IN THEIR BRIGHT MIND would store corporate or state secrets on a Hotmail account?
9. Spying on my smart phone is hard.
Think spying on your activities is hard? Think again. Most smart phones have no equivalent of Bluetooth authentication when plugged in -- they just become slave USB devices and give up all of your data.
Oh phleeze. What does USB and Bluetooth have to do with each other anyway? In anycase, yes, there were phones in the past that didn't include any sort of Bluetooth authentication (such as Nokia 6310i), but that is hardly the case now.
Of all the fearmongering, this is the only even remotely valid argument (with physical access you can of course do almost anything, as with any device, so the USB point is valid), and using a Pointsec or some other file-system encryption in your phone is a good idea.
All the other stuff mostly concern stuff about any backend systems where your precious e-mails are stored. Has nothing to do with phone. If Hotmail leaks my e-mails, it's Hotmail's fault. If I access Hotmail with my phone, it doesn't magically become the phones fault.
Re: (Score:2)
I think what the GP is trying to say is that when you plug it in via
Re: (Score:2)
I was told at one job that I had to replace my Linux PC-based firewall with a 'purpose-built device' like a Cisco ASA because the Linux-based PC was somehow less secure and stable. Like the Cisco ASA, 'smart phones' have usually have some more or less general-purpose OS at their core,
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
And I still prefer OpenBSD pf over PIX or IOS inspect features. And so far the training material has failed to convert me (granted, routing&switching exam's security features are mostly limited to reflexive access-lists...)
Inaccuracy (Score:1)
That's why... (Score:2)
...you have policies in place to prevent the transmission of sensitive material through easily corrupted/tapped systems. For example, where I work, passwords cannot be transmitted via email, IM, or text message. If I need a password for something, I have to write it down on paper, then destroy the paper. Of course you can stick the paper in your pocket, but without any other identifying information, it wouldn't do someone a lot of good.
Some security is user's responsibility (Score:3, Insightful)
Furthermore, If a smartphone is too great a security risk, then choose a different option... I don't understand why people insist on using the latest "security-unknown-or-not-good" device(s) when perfectly good methods of "understood-amount-of-risk" security already exist.
Re: (Score:3, Insightful)
Because the first round of early adopters of the latest bleeding-edge devices are typically the overpaid executives eager to blow the cash on the latest status symbol gadget to prove how advanced and important they are, while the educated nerds will continue using the old perfectly good methods for vital things while waiting for s
Article on one page, not 5! (Score:2)
http://www.computerworld.com/action/article.do?co
Fortunately some are taking this seriously (Score:1, Informative)
First, you start with the library which talks to the Telecommunications chip. And you make absolutely certain that security is the top priority (ala OpenBSD):
http://libgsmc.sourceforge.net/ [sourceforge.net]
Second, you add a completely Open Source effort, for both the hardware and the software.
Desk Phone (Score:2)
Sounds like someone missed the digital PBX, VOIP, convergence etc. - in short almost a decade of telcoms change. Whoever wrote that probably thinks callerID is reliable as well.
For at least the last 7 years _all_ the desk phones I've had at various jobs have been digital (and most have been VOIP). The desk phone system is _not_ isolated from the rest of the network, or in any way relia
Article just plain wrong (Score:2)
BlackBerry and Sidekick users may have heard that their communications are encrypted "end to end," but e-mail and other communications are encrypted only from the phone to the phone company or service provider's servers. Beyond that point, e-mail, instant messages and file transfers may be transmitted unencrypted over the public Internet by default.
I neither know nor care about the Sidekick, but in the Blackberry case "end to end" means between the device and the BES server on the customer's site. Whilst it would be possible to allow web browsing directly from the device, in most cases companies configure them to go via the server, subject to the usual restrictions. It's also possible (but optional) to allow random dodgy downloads to the device, but citing that as a security problem would be like saying that there is a security problem with my car
Roving wire taps (Score:1)