Smart Phones "Bigger Security Risk" Than Laptops
CWmike writes "A recent survey of 300 senior IT staff found that 94% fear PDAs present a security risk, surpassing the 88% who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting. A key danger with PDAs was that over half of IT executives surveyed were 'not bothering' to enter a password when they used their phone. A VP at the company that performed the survey said: 'Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate.' Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?"
Surbey (Score:5, Funny)
Re: (Score:2)
So prepare now by going to Surbeys.com! It's not too late!
You could still lead a fruitful life!
Re: (Score:2)
Can you please hand over your Grammar Nazi Nazi card?
Re: (Score:2)
> So prepare now by going to Surbeys.com! It's not too late!
Apparently surbeys.com is already a cyber-squatter of the type that preys on misspellings (I already forgot the name coined for this some 39 seconds ago).
This assumes that there is a surveys.com (I didn't bother to check). I wonder what it's for... but it doesn't really matter.
I shouldn't be surprised that somebody actually registered this, but I suppose surceys, surgeys and pretty much any variation with a nearby key is registered.
And I also presume that those domains only host a content-free website that only has braindead ads, and that they actually make a pretty good living from that.
This is so sick. Domain squatters are the lowest of the network lowlifes.
Re: (Score:2, Funny)
no carrier.
I can check-y teh spellz? (Score:1, Offtopic)
Re: (Score:1, Funny)
Re: (Score:2, Funny)
There are other PDAs besides the iPhone (Score:4, Interesting)
In fact, why is it fear-mongering at all?
Do all Slashdot submissions have to end in a catchy, imbalanced question?
Re: (Score:2, Informative)
Re: (Score:3, Funny)
Tags (experimental): {Yes, Definitely, Sadly, Slashdot+has+become+digg}
Re: (Score:2)
Re: (Score:2)
And mine?
iPhone, because... (Score:3, Interesting)
Now, that's not such a big problem as far as this particular issue (enterprise security) is concerned. What IS a problem is when one of the big mucketty-mucks in the company wants to start using an iPhone inste
Re: (Score:2)
Because it is pretty much the only strictly consumer smartphone. The rest are also good enough for business, and the story is about business anyway.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
When I worked at Comcast, the IT department was THREATENED with retaliation and firings if we did not set certain executives' BlackBerrys to not have any passwords. They hated having to enter passwords, and even complained and forced their way to have their laptops not auto-lock the login either.
It's these immature executives that are the biggest security hole. And it's not getting better.
They demand to have it their way and will bully everyone in
Re: (Score:2)
Well. (Score:4, Interesting)
If the execs were forced to go to the website to do anything, then they can do whatever the hell they want with their phone.
Not surprising (Score:5, Insightful)
Remember, people want to use these things while they are driving a car, eating fast food, and listening to a book-on-tape. They don't want no stinkin' security features.
Re: (Score:2, Insightful)
Re:Not surprising (Score:5, Insightful)
The entire content of their inboxes doesn't count as data worth stealing? What about the potential for shorting the company's stock and then using their device to send an email from their account that will make the value drop (if only briefly)?
Re:Not surprising (Score:4, Interesting)
He's got the entire customer contact list. Our competition would pay at least $2500.00 for that.
He's got his email on there; the competition would love that as well.
Also 2 gigs worth of OneNote files on specific projects being bid on, internal documents.
I'm betting that to the right buyer his phone, unlocked, is worth at least $10,000.00, as it can generate at least a quarter million in additional sales and revenue.
Oh, I know of at least 4 companies around here that would love to get their hands on that info.
gamemaster_bm seems to not know anything about business and the value of insider information. It's worth a crapload to that company's competition.
Re: (Score:2)
Biometrics and ASIC chips (Score:2)
Governments and the largest corporations would still have the wherewithal to do
Re:Not surprising (Score:5, Insightful)
Re: (Score:3, Insightful)
"all. And NO, sheer size of a company does not yield "competent" IT staff, trust me on this one..."
Jesus H.
If only life were simpler
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
That's an easy one: when was the last time you heard of a workstation being accidentally left in a taxi? Or left at a pub? Or being stolen from someone's handbag? Your handheld is much more likely to go 'missing' than your workstation. All other things being equal, a device that is easier to steal or more likely to be misplaced is less secure than one that is harder to steal.
By how much it is less secure is a different matter of course. If you
Re: (Score:2)
Re: (Score:2)
IT departments securing handhelds (Score:5, Insightful)
It's possible to lock it all down instead of living in fear. Of course, there's a fine line between security and stifled innovation. Our company's proxies, by default, block blogs, and I have to request that they be unblocked one at a time. Since most of the discussion concerning JSRs for JDK7 development happens through people's blogs, it can seriously slow down my ability to do my job sometimes. But if you want things secure, there are going to be tradeoffs.
(And if a company laptop doesn't contain ANYTHING worth stealing, the employee should probably be fired for not producing anything worthwhile
Re:IT departments securing handhelds (Score:5, Informative)
Re:IT departments securing handhelds (Score:4, Interesting)
That is the default position here on
For example, it is important in my job to keep abreast of news and blogs in my field. Now I can spend a couple of hours per day manually checking various sources, or I can set up RSS feeds, scan headlines, read deeper where needed and take care of this in 15 minutes. IT had disabled the RSS feed reader in Outlook, so I have to circumvent the way that IT apparently wants me to work. I use an offsite feed aggregator to avoid having to install unauthorized software. My having to circumvent IT to work means that there is dissonance between how IT sees my role and I (and my boss) see my role.
I tend to view new security measures as productivity killers because they are not accompanied by contextual interviews to see how I work.
Re: (Score:3, Insightful)
I'm in IT and I have to tell you two things:
1) I'm a user as much as a sysadmin, or what did you think? So please consider that I do see it from both perspectives: that of the sysadmin I am and that of the user I am too, so it might be, from this assertion alone, that I'm in a more relevant position regarding this issue than you.
2) More often
No password to pull the SD card (Score:2)
It takes but a second to remove an SD card.
Re: (Score:2)
Fortunately, we use blackberries! (Score:4, Informative)
- force your users to have a password
- force the device to lock after a specified period of inactivity
- force the user to enter the password every x minutes regardless of activity
- prevent users from having a trivial password
- give users a duress password
- set the blackberries to store everything in encrypted form
- if a blackberry is lost, you can remotely lock the blackberry
- if a blackberry is lost, you can remotely wipe it
Blackberries are the best mobile platform, period.
Re:Fortunately, we use blackberries! (Score:5, Informative)
Other PDAs don't, and in most cases you can't even add it. With the BB, you can essentially set them up so that all data is end-to-end encrypted to YOUR server, and from there it can go out to retrieve web pages, access address books, download documents, run applications, etc., etc. You can apply corporate filters to the web, limit applications, etc., etc., all very easily.
All other PDA platforms require you to trust the carrier and the user for a significant chunk of the security. They give you Exchange and IMAP support, for example, so email can be reasonably secure, but it's much harder to lock down EVERYTHING else... like blocking it so the PDA web browser can't reach Facebook or MySpace, or so poker can't be installed... BlackBerrys make it as easy to manage PDAs as it is to manage desktops... which is to say... it's a hassle. But on other platforms it's not even really doable.
How easy is it to get an iPhone to run through a 'VPN' so it can access an intranet site and have no or extremely limited access to the public WWW? This is a pretty common scenario for the PCs staff are provided by enterprises, but smartphones in general do not make this sort of configuration easy; in many cases it's simply not possible.
Re:Fortunately, we use blackberries! (Score:5, Informative)
- ActiveSync (with SSL)
- Remote administration with remote wipe of a lost device
- Cisco VPN with RSA SecurID
And as far as the VPN question, it is pretty straightforward, just another pane in the settings menu. PPTP and IPSec.
So the iPhone's release feature set wouldn't have satisfied your needs, but tune back in in a few days and see if it floats your boat.
Re: (Score:2)
Not any more: http://www.microsoft.com/systemcenter/mobile/default.mspx [microsoft.com]
Re: (Score:2)
Re: (Score:2)
On the iPod Touch (on the iPhone it is probably the same): Settings -> General -> Network -> VPN
(The wording might be different; I have another language.) It supports L2TP and PPTP with RSA SecurID or pre-shared secret authentication (no certificate support though), and you can configure it to route all traffic through the VPN. I'm guessing that, with
Re: (Score:2)
Re: (Score:2)
BB has been security- and lockdown-friendly for YEARS. The other devices are playing catch-up. They are getting better, and are reaching parity now, but BB has been secure for YEARS.
With a simple downloaded program, you can telnet anywhere inside your network that your Enterprise Server can see from the screen of your phone. That one makes me not sleep at night.
1) Good thing you can EASILY disable the install of downloaded programs by end
Re: (Score:2)
Re:Fortunately, we use blackberries! (Score:4, Informative)
Some models do.
I thought emails and all that went through Blackberry's central servers before being passed on to the organization's or corporation's servers.
Depends. If you have a blackberry enterprise server, you manage the encryption entirely in-house. The company (RIM) is only carrying the encrypted message, and RIM doesn't have the keys, you do. The government of India was in the news recently, threatening to cut off blackberry service, since they can't decrypt the messages.
If you don't have a blackberry enterprise server, RIM manages the encryption on your behalf. In this case RIM has the keys.
I know this data is encrypted, but does it meet the encryption requirements laid down for electronic medical records in HIPAA?
Absolutely. They have a sales division dedicated to health care [blackberry.com].
I also wonder about Blackberry service coverage. In many of the buildings where I work, I don't get cell service (Sprint) and my peers do not either (AT&T, T-Mobile, Verizon, etc).
That really depends on your local provider, and how much concrete & steel you have in your building. If you really want to, you can buy a cellular repeater to carry cell phone signals through the building. Expensive though.
There is local wifi available, but can Blackberry use that?
Some blackberries can do wifi.
Just wondering what the limitations of the seemingly "perfect" Blackberry platform really are.
I never said it's perfect, just that it is the best of what is available.
The thing I found most annoying is that you can't make the phone ring & vibrate at the same time. It can ring only, vibrate only, vibrate then ring, but not both simultaneously.
If you have a headset plugged in to the blackberry, when the phone rings, the ringing sound is made by the regular ringer, not through the headset.
Re: (Score:2)
Do they support traditional wifi (802.11a/b/g/n?)
No. They support Bluetooth for connections to a local PC, but all networking protocols are cellphone-style networks. The only possible exception is MDS, but I think that has to go over a cell tower, too.
The anonymous cowardly replier before you said: "Some models do." From RIM's BlackBerry Wi-Fi info page [blackberry.com]:
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
Now, let's see who uses BlackBerrys. Managers. Who makes security guidelines? Managers. Who usually have little to no technical skills and loathe everything that keeps them from "just using" stuff? Managers.
I wish you all the luck in the world to convince your managers that those security features are a good idea.
Re: (Score:2)
- be forced to not have passwords
- be threatened if the device locks
- be fired if they have to enter the password a lot
- be told to use 1234 as their password
- not be informed they lost the BlackBerry in Barbados until 3-4 weeks later.
Many executives force their hand and make IT not have any security on their devices. I don't care if you have the best device on the planet; all it takes is one under-educated and immature executive with a power trip to undo it a
Re: (Score:2)
Also, you can only use the remote wipe through a BES (enterprise) connected BB, but regular users get everything else you mentioned.
Cell phone security (Score:3, Insightful)
As a result, I'm not storing any sensitive information on the phone.
The Palm Pilot was at least better in this regard, since it allowed separating public and private information and requiring a PIN when you wanted to access private data. However, this was a PDA rather than a cell phone.
Re: (Score:2, Informative)
If you're using the built-in Palm password feature for your security, you might want to have a look at this:
No Security [geocities.com]
Basically, the Palm security program has a tragically weak flaw which this handy little program exploits easily. All you have to do is load No Security into the palm install queue and hotsync. It immediately deletes the password, even if the device is locked, giving you full access to any private data hidden by the Palm security program.
I use a couple of different solutions to this prob
A surbey? (Score:3, Informative)
If you have physical access (Score:4, Insightful)
regards
Make the tech better, not the people using it (Score:5, Interesting)
So I tried instead to set up an automatic lock on my device; I figure a power-on password should be fine. I set that up, and unfortunately, even though I set it to auto-lock after 1 hour of non-use, it NEVER asks for the power-on password. I've set it up exactly as Palm's site suggests... it still won't auto-lock the unit.
The thing is that the tech seems to need a fix before we can go about blaming the users. I've never lost a patient file or my phone, but obviously it would be a major problem if something like that did happen. Thankfully, the healthcare system I work for is going to electronic records, so nothing will be stored on my Palm anymore; I'll just use my cell plan to connect to the server (SSL encrypted) and access files wirelessly.
Still, there are other things I'd rather not have fall into a criminal's hands... hospital phone numbers, phone numbers of peers, nurses, other physicians, pagers, laboratories, etc. But my model, at least, is simply inadequate in protecting this data. Someone needs to come up with something better than what's currently available - maybe once it's "expected" - much like a password when you log onto Windows - it won't be such a big deal for people to use it.
Re: (Score:1)
Re: (Score:2)
You state: "The thing is that the tech seems to need a fix before we can go about blaming the users." then keep data there ANYWAY?
Re: (Score:3, Insightful)
The point here is that healthcare records are going electronic. I'm required to have OB/GYN
Re: (Score:2)
Re: (Score:2)
It goes hand in hand (Score:3, Insightful)
Security is a matter of improving technology and training your staff. Doing just one of them will not increase your security past the more insecure one of them.
Re: (Score:2)
Re: (Score:2)
Don't use the PalmOS security stuff; it doesn't work well (as you've found).
Instead, install a free 3rd-party app like "Secret!". It simply keeps memos in encrypted format with a configurable timeout. Simple and effective.
Admittedly it's a bit awkward for phone numbers; you have to do copy/paste to dial the number. I prefer to just use the normal phonebook but have very little information attached to the number itself.
If you're really paranoid, there are also third party apps that support a "poiso
So, secure them? (Score:2)
Re: (Score:2)
Hah!
You clearly haven't dealt with directors and the like.
The only security they are interested in, even tangentially, is financial security.
Re: (Score:2)
High level managers (read: The ones that will actually be the ones using those tools the most, and also have the most to lose should their tool be compromised) have no problem requiring insane passwords and password changing policies from their underlings (worst I've seen was requiring a 10 letter PW with at least 4 non-alphas and at least one number and one "special character", changed every 2 weeks) but when it comes to themselves, they usually want to be left out of that ted
Not worth protecting (Score:3, Insightful)
And honestly, a lot of them could be right in that it wasn't worth protecting. For example, what percentage of documents are really needed to be secret for a company's existence? My guess is about
Re: (Score:2)
Take the phone list of a company. The internal extensions. Now, not really a highly secure document. Everyone in the company has it. And from a cursory glance, the most dangerous thing about it is that an external caller could directly connect to some manager and waste his time with a complaint.
This company solved its door access through an extension. Which should only be callable
analog hole (Score:5, Insightful)
I can't have a cameraphone because I can 'steal' data, but you let me bring my 250GB laptop home.
My email is filtered for PPI and dirty words, but you don't filter my Gmail.
I can't FTP, but I can attach 10 MB files to webmails.
Build a better mousetrap, and some management school out there will produce a stupider monkey.
Passwords? (Score:2, Funny)
Some examples of common passwords which I saw on multiple occasions on different client boxes:
typewriter
sex
" " (three spaces)
coffee (a college ICT admin favourite)
manu ("Man United", if the desktop was soccer themed or the client wore a red shirt, chances were this was his password)
horses (no prizes)
swordfish (no prizes)
0000 (if it's anything that requires a 4-digit user pin, such as Bluetooth, this'd be it)
0000000000 (the blanket launch code for the US nuclear arsenal)
Dictiona
Re:Passwords? (Score:5, Funny)
I've got a really good password for my bank account. It's: L;WMc6HC
Nobody will ever break that!
Re: (Score:2)
*sigh*
I yearn for the good old days when password storage involved a sticky note and a monitor...
[badum-ching]
Re: (Score:2)
No one will ever guess!
Looking forward to two stage Cell/PDA encryption (Score:3, Insightful)
So I am hoping for a two-stage system where call logs, the full content of my address book, notes, calendar and so on are stored and encrypted separately from the basic parts of the system. Incoming call logs could then be stored in a temporary mode until I enter my storage password, at which point I would get access to the secure data using a separate password.
There are of course problems here too: notifications of upcoming calendar events, and displaying the name/number association for incoming calls, among other issues. It will be necessary to allow personal choice for what should be cached outside of secure memory, but I certainly look forward to having more secure options for cells and PDAs!
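The two-stage split proposed in the comment above, worked through as an added example (not the commenter's code): a sealed partition for contacts and the call log, an opt-in open cache so caller-id still works while sealed, and a staging queue for calls that arrive before the storage password is entered. All names and numbers are constructed; the HMAC-SHA256 counter keystream is a stdlib stand-in so the sketch runs anywhere, where a real handset would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import json
import os

def _derive_keys(password, salt):
    """Stretch the storage password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (demo PRF so the example is stdlib-only)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def _open(enc_key, mac_key, blob):
    """Return the plaintext, or None if the tag fails (wrong password or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class TwoStageStore:
    def __init__(self, password, contacts, open_numbers):
        self.salt = os.urandom(16)
        # Only numbers the user explicitly opted in are cached outside secure memory.
        self.open_cache = {n: contacts[n] for n in open_numbers if n in contacts}
        self.pending = []       # call events staged while sealed ("temporary mode")
        self._plain = None      # decrypted partition, present only while unlocked
        self._keys = None
        enc, mac = _derive_keys(password, self.salt)
        self.blob = _seal(enc, mac, json.dumps({"contacts": contacts, "call_log": []}).encode())

    def caller_id(self, number):
        if self._plain is not None:
            return self._plain["contacts"].get(number, "unknown")
        return self.open_cache.get(number, "unknown")

    def record_call(self, number):
        entry = {"number": number, "name": self.caller_id(number)}
        if self._plain is None:
            self.pending.append(entry)
        else:
            self._plain["call_log"].append(entry)

    def unlock(self, password):
        enc, mac = _derive_keys(password, self.salt)
        data = _open(enc, mac, self.blob)
        if data is None:
            return False
        self._keys, self._plain = (enc, mac), json.loads(data)
        for e in self.pending:  # merge staged events; resolve names the cache lacked
            e["name"] = self._plain["contacts"].get(e["number"], "unknown")
            self._plain["call_log"].append(e)
        self.pending.clear()
        return True

    def lock(self):
        if self._plain is None:
            return
        self.blob = _seal(*self._keys, json.dumps(self._plain).encode())  # fresh nonce
        self._keys = self._plain = None

    def call_log(self):
        return list(self._plain["call_log"]) if self._plain is not None else []
```

While sealed, a call from a number outside the open cache is logged as "unknown" and is only resolved after unlock, which is exactly the caller-id trade-off the comment raises.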
Re: (Score:2)
Packet Sniffer (Score:4, Informative)
Well of Course... (Score:4, Funny)
Of course it is, because the iPhone is the only PDA or SmartPhone in the world... (If you live under an Apple or a Rock.)
Look deeper ... (Score:2)
I think we first have to ask the question, are executives actually capable of remembering a password? Doubtful, in my opinion.
Re: (Score:2)
Of course, possible is another scenario entirely, but that would seem to me to be a reasonable policy.
PDAvailable (Score:3, Insightful)
Come on, now. If the information's on a PDA, anybody with the IT version of a bent paperclip will be able to get it.
What's the first security rule for a PC: If they have physical access to your computer, your data is theirs. I would bet my bottom dollar that 90% of the security problems concerning a PDA result from exactly that: loss of physical control of the device.
No cure for human stupidity. (Score:2, Funny)
At my company, we had a simple solution to this... (Score:5, Funny)
The C4 will also detonate if a password is entered incorrectly twice. We encourage employees who are "out of it" or even slightly ill to take the day off, and require them to call IT should they ever type their password in wrong once.
We also use an operating system completely built in house with a semi AI running security diagnostics at all times, and we have live people watching the network traffic to the few systems that are actively connected to the internet. Any systems that manage to get infected (to date, none) would also receive the C4 treatment. A bit draconian, but it gets the job done. Our datacenters also have thermite ceilings designed to completely melt down the facility if it comes under attack (three armed guards 24/7 are at the red button, just in case some new tech decides to think about hitting the button.)
Protecting the world has taught us to take our own security seriously. Hopefully, you can learn from these measures and take the proper safeguards for your own facilities and equipment (remember, the answer is always hardware encryption and C4.)
Thank you,
Ortega Starfire
CTO, Hoffman Institute
For The Advancement of Humanity
Manager types just don't get security (Score:3, Interesting)
Then we had a conference at a hotel. And suddenly one of our top chiefs in charge comes out of the hotel management area with a report. Asking what this is about, I got this information:
He forgot to bring this report along so he asked one of our auditors who had the report to send it. From a different bank. Unencrypted. To the hotel. And he asked the hotel manager to print it.
My question whether he wants to end my life prematurely with a heart attack was met with a blank stare.
Ha!HA!Ha! (Score:3, Insightful)
There is none.
Cell phone users don't seem to care who is around (in listening distance to their conversations) so SECURITY is a moot point!
I have experienced this while working as a cashier at a local "shit and get" store. Most people are so caught up in their 'own little cellphone world' that they forget about anyone around them.
Most people are so jaded about their surroundings while talking on cellphones that IT security does not even enter the picture.
I get so tired of it that I usually toss them out until they finish their conversation.
Basically, have the respect and courtesy to deal with me and your purchase, or get the fsck out. I don't want to be subjected to your phone conversation. Deal with it.
Where the real security hole is.. (Score:2)
We treated PDAs as untrusted... (Score:2)
And that was already a concession... a VPN connection makes your device part of the perimeter
Who the Fuck... (Score:2)
I'm sorry, but since I've gotten my BlackBerry, here's what I do with it: listen to music while I exercise, take pictures of things that inter
Re:Nothing to fear from iPhones (Score:5, Interesting)
Re: (Score:2)
I'm not betting money on that. The fact that the iPhone will connect to any network with the same SSID as the user's [securosis.com] doesn't seem to be what I'd call secure...
Anyone else have thoughts on this?
Re:Nothing to fear from iPhones (Score:5, Insightful)
How is the iPhone magically invulnerable to wireless issues, as the sister post describes?
Another fanboy, "Oh no! Someone's perhaps saying something potentially negative about an Apple product! Must rush to defense!"
Re: (Score:2)
Unless something has changed radically, BlackBerrys are the thing to compromise: loads of sensitive emails, connection into the corporate network.
But really, any portable should be suspect. There isn't a computer made that can't be compromised by somebody with physical access to it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)