
Smart Phones "Bigger Security Risk" Than Laptops

kdawson posted more than 6 years ago | from the low-hanging-fruit dept.


CWmike writes "A recent survey of 300 senior IT staff found that 94% fear PDAs present a security risk, surpassing the 88% who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting. A key danger with PDAs was that over half of IT executives surveyed were 'not bothering' to enter a password when they used their phone. A VP at the company that performed the survey said: 'Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate.' Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?"


Surbey (5, Funny)

Anonymous Coward | more than 6 years ago | (#23633503)

password when they used their phone. A VP at the company that performed the surbey said:
Surbeys, we should learn how to take them

Re:Surbey (1)

Fred_A (10934) | more than 6 years ago | (#23633545)

Because if there's something people aren't accustomed to, it's surbeys.

So prepare now by going to Surbeys.com ! it's not too late !
You could still lead a fruitful life !

Re:Surbey (0)

Anonymous Coward | more than 6 years ago | (#23634629)

You misused it's where its should have been.

Hand over your Grammar Nazi card at the entrance.

I can check-y teh spellz? (0, Offtopic)

Obliterous (466068) | more than 6 years ago | (#23633527)

or at least use a spell checker before opening oneself to public mockery on the Slashdot.

Re:I can check-y teh spellz? (2, Funny)

Bubba (11258) | more than 6 years ago | (#23633679)

surbey sez know.

Re:I can check-y teh spellz? (0)

Anonymous Coward | more than 6 years ago | (#23633691)

We mock mis-spelled posts. We mock properly spelled posts. Either way, /. is not a Dale Carnegie course.

Re:I can check-y teh spellz? (0)

Anonymous Coward | more than 6 years ago | (#23633807)

/. is not a Dale Carnegie course.
It's more like Chip'n Dale.

Re:I can check-y teh spellz? (2, Funny)

SiegeTank (582725) | more than 6 years ago | (#23634171)

Spelldot - Spelling for nerds, grammar that matters.

There are other PDAs besides the iPhone (4, Interesting)

Anonymous Coward | more than 6 years ago | (#23633535)

So this is not just "iPhone" fear mongering

In fact why is it fear mongering at all.

Do all slashdot submissions have to end in a catchy imbalanced question?

Re:There are other PDAs besides the iPhone (2, Informative)

Anonymous Coward | more than 6 years ago | (#23633727)

Yes. Most of these idiotic questions should be answered with "mu [wikipedia.org] ." However, that's not a normal answer, so we flood the comments with ridiculous arguments about the stupid question stuck to the submission.

Re:There are other PDAs besides the iPhone (1)

NosTROLLdamus (979044) | more than 6 years ago | (#23633763)

You beautiful bastard!

Re:There are other PDAs besides the iPhone (0)

Anonymous Coward | more than 6 years ago | (#23633831)

You're right, iPhones are not the only PDAs. But certainly, their users are the most dangerous (blindly trusted) users. After all they blindly followed Jobs into buying something that would lower its price after 2 days.

Re:There are other PDAs besides the iPhone (2, Funny)

Gary W. Longsine (124661) | more than 6 years ago | (#23634179)

Did I stop submitting when the editors started rephrasing all submissions in the form of catchy imbalanced questions?

Tags (experimental): {Yes, Definitely, Sadly, Slashdot+has+become+digg}

Re:There are other PDAs besides the iPhone (0)

Anonymous Coward | more than 6 years ago | (#23634373)

I thought the iphone was just being singled out here. I've never used a blackberry, or really any other smartphone, but don't they have some way to wipe all data if the phone is stolen? My iphone sure doesn't have that feature.

Re:There are other PDAs besides the iPhone (1)

Vexorian (959249) | more than 6 years ago | (#23634477)

If you want them to get to the main page, yeah.

Re:There are other PDAs besides the iPhone (1)

TheVelvetFlamebait (986083) | more than 6 years ago | (#23634621)

What, just like your comments?

And mine? ;)

Well. (3, Interesting)

alexborges (313924) | more than 6 years ago | (#23633541)

On this topic, the thing here is that the web is there to address this problem.

If the execs were forced to go to the website to do anything, then they can do whatever the hell they want with their phone.

Nothing to fear from iPhones (0, Insightful)

Anonymous Coward | more than 6 years ago | (#23633557)

iPhones are extremely secure against attack, and most definitely via remote. This article sounds like it's by people who have never seen an iPhone and assume they are just as insecure as anything else out there. It's simple: if it's not the iPhone's authorized user, the data on it will not be able to be accessed.

Re:Nothing to fear from iPhones (4, Interesting)

Idbar (1034346) | more than 6 years ago | (#23633881)

People with PDAs (I don't know if particularly iPhones) fail to realize that the PDA's security is not the problem, but the confidence they have that their PDAs can't fall into the wrong hands. It doesn't really matter if your PDA is the most secure device against attacks, if something like a phone can be easily lost or stolen and you only have to "slide" your finger to unlock sensitive information.

Re:Nothing to fear from iPhones (1)

UncleTogie (1004853) | more than 6 years ago | (#23633939)

iPhones are extremely secure against attack, and most definitely via remote.

I'm not betting money on that. The fact that the iPhone will connect to any network with the same SSID as the users [securosis.com] doesn't seem to be what I'd call secure...

Anyone else have thoughts on this?

Re:Nothing to fear from iPhones (4, Insightful)

Achromatic1978 (916097) | more than 6 years ago | (#23634531)

What a complete and total arse you are. How is the iPhone magically more secure than any other phone if it is stolen (a large part of what the article is about).

How is the iPhone magically invulnerable to wireless issues, as the sister post describes.

Another fanboy, "Oh no! Someone's perhaps saying something potentially negative about an Apple product! Must rush to defense!"

Re:Nothing to fear from iPhones (1)

hedwards (940851) | more than 6 years ago | (#23635001)

I thought that iPhones couldn't connect properly to most corporate nets. Or has Apple decided to magnanimously add support for exchange.

Unless something has changed radically, Blackberries are the thing to compromise: loads of sensitive emails, connection into the corporate network.

But really, any portable should be suspect. There isn't a computer made that can't be compromised by somebody with physical access to it.

Not surprising (5, Insightful)

grizdog (1224414) | more than 6 years ago | (#23633565)

Usually there is a tension between security and convenience/ease of use. Convenience is going to be paramount for most users of mobile phones, PDAs, etc. So security will typically take a hit.

Remember, people want to use these things while they are driving a car, eating fast food, and listening to a book-on-tape. They don't want no stinkin' security features.

Re:Not surprising (2, Insightful)

gamemaster_bm (591638) | more than 6 years ago | (#23633757)

In addition to this point, very few companies (i.e. not Fortune 500's) either have data or IP worth stealing on executive's mobile phones or PDA's. Laptops I can understand needing additional security if it is used as a workstation, but convenience for the average executive outweighs the potential security risk. What it comes down to is those companies that do have sensitive data on their mobile devices probably are large enough to have a competent IT staff capable of locking the device down properly.

Re:Not surprising (5, Insightful)

blincoln (592401) | more than 6 years ago | (#23633923)

In addition to this point, very few companies (i.e. not Fortune 500's) either have data or IP worth stealing on executive's mobile phones or PDA's.

The entire content of their inboxes doesn't count as data worth stealing? What about the potential for shorting the company's stock and then using their device to send an email from their account that will make the value drop (if only briefly)?

Re:Not surprising (5, Insightful)

geekmux (1040042) | more than 6 years ago | (#23633947)

In addition to this point, very few companies (i.e. not Fortune 500's) either have data or IP worth stealing on executive's mobile phones... What it comes down to is those companies that do have sensitive data on their mobile devices probably are large enough to have a competent IT staff capable of locking the device down properly.
Er, contacts, sensitive emails, HR data, IP, financial data, contracts, just what exactly does your average CxO NOT deal in? Give me a break man, I mean hell, would YOU hand over YOUR smart phone to a stranger and not think twice about it? Your opinion on the value of data pretty much says it all. And NO, sheer size of a company does not yield "competent" IT staff, trust me on this one...

Re:Not surprising (2, Insightful)

garett_spencley (193892) | more than 6 years ago | (#23634915)

"What it comes down to is those companies that do have sensitive data on their mobile devices probably are large enough to have a competent IT staff capable of locking the device down properly."

"all. And NO, sheer size of a company does not yield "competent" IT staff, trust me on this one..."

Jesus H. ... who to trust? On the one hand GP makes a good point and on the other P makes a good one.

If only life were simpler ...

Free and owned. (1)

freenix (1294222) | more than 6 years ago | (#23634049)

How is Debian on my handheld less secure than Debian on my desktop?

I don't trust "smartphones" because they run non free software that I would not trust anywhere and are part owned by companies that are now seeking "retroactive immunity" for violating people's privacy.

Re:Free and owned. (2, Informative)

jamesh (87723) | more than 6 years ago | (#23634095)

How is Debian on my handheld less secure than Debian on my desktop?

That's an easy one: when was the last time you heard of a workstation being accidentally left in a taxi? Or left at a pub? Or being stolen from someone's handbag? Your handheld is much more likely to go 'missing' than your workstation. All other things being equal, a device that is easier to steal or more likely to be misplaced is less secure than one that is harder to steal.

By how much it is less secure is a different matter of course. If you use whole disk encryption on both and your passphrases are 'unguessable' then the difference is probably going to be negligible.

Re:Free and owned. (1)

freenix (1294222) | more than 6 years ago | (#23634269)

If you use whole disk encryption on both and your passphrases are 'unguessable' then the difference is probably going to be negligible.

Well, exactly. My point was to compare that to some kind of phone company issued device which will leak all of the information while it's still in your pocket.

Re:Free and owned. (1)

icegreentea (974342) | more than 6 years ago | (#23634283)

Unless you left it ON when it was stolen. Cold Boot Attack. It will make your head spin.

IT departments securing handhelds (5, Insightful)

samkass (174571) | more than 6 years ago | (#23633571)

The only handhelds allowed to connect to our corporate network are company issued ones, and they come locked down so you have to enter a password after a few minutes of inactivity to do anything except answer the phone. Our laptops come with the whole-disk encryption pre-installed. All external web access goes through the company proxy.

It's possible to lock it all down instead of live in fear. Of course, there's a fine line between security and stifled innovation. Our company's proxies, by default, block blogs, and I have to request that they be unblocked one at a time. Since most of the discussion concerning JSRs for JDK7 development happens through people's blogs, it can seriously slow down the ability to do my job sometimes. But if you want things secure, there are going to be tradeoffs.

(And if a company laptop doesn't contain ANYTHING worth stealing, the employee should probably be fired for not producing anything worthwhile :) )

Re:IT departments securing handhelds (0)

Anonymous Coward | more than 6 years ago | (#23633709)

unless of course said company laptop is issued merely for the convenience of connecting to a remote desktop session on which all the data is stored.....

oh wait.....

Re:IT departments securing handhelds (4, Informative)

bigstrat2003 (1058574) | more than 6 years ago | (#23634687)

(And if a company laptop doesn't contain ANYTHING worth stealing, the employee should probably be fired for not producing anything worthwhile :) )
That, or they're (God bless them!) putting their data on network drives, not on their PC. Harder, but still doable, with a laptop, even on the go, as long as you have VPN access. It's always tragic/amusing when someone loses all their data, when they knew damn well they should've been keeping it in a location that's backed up regularly. :/

Re:IT departments securing handhelds (3, Interesting)

dave1791 (315728) | more than 6 years ago | (#23635009)

> It's possible to lock it all down instead of live in fear.

That is the default position here on /.; that of a sysadmin. My perspective is that of a user. IT is often too insular and unresponsive to the needs of its users. It tends to be bureaucratic and sees everything through the prism of security risks and administration. User workflows are not often adequately addressed. The popularity of Microsoft's sharepoint server is often attributed to departments circumventing central IT. Why would people do this?

For example, it is important in my job to keep abreast of news and blogs in my field. Now I can spend a couple of hours per day manually checking various sources, or I can set up RSS feeds, scan headlines, read deeper where needed and take care of this in 15 minutes. IT had disabled the RSS feed reader in Outlook, so I have to circumvent the way that IT apparently wants me to work. I use an offsite feed aggregator to avoid having to install unauthorized software. My having to circumvent IT to work means that there is dissonance between how IT sees my role and I (and my boss) see my role.

I tend to view new security measures as productivity killers because they are not accompanied by contextual interviews to see how I work.

Fortunately, we use blackberries! (4, Informative)

Anonymous Coward | more than 6 years ago | (#23633595)

And if you have a blackberry enterprise server, you can:

- force your users to have a password
- force the device to lock after a specified period of inactivity
- force the user to enter the password every x minutes regardless of activity
- prevent users from having a trivial password
- give users a duress password
- set the blackberries to store everything in encrypted form
- if a blackberry is lost, you can remotely lock the blackberry
- if a blackberry is lost, you can remotely wipe it

Blackberries are the best mobile platform, period.

Re:Fortunately, we use blackberries! (5, Informative)

vux984 (928602) | more than 6 years ago | (#23633741)

Mod parent up. Blackberries ARE better than the other PDA platforms in terms of security, because they do support this level of security 'out of the box'.

Other PDAs don't, and in most cases you can't even add it. With the BB, you can essentially set them up so that all data is end-to-end encrypted to YOUR server, and from there it can go out to retrieve web pages, access address books, download documents, run applications, etc, etc. You can apply corporate filters to the web, limit applications, etc, etc all very easily.

All other PDA platforms require you to trust the carrier and the user for a significant chunk of the security. They give you exchange and imap support for example so email can be reasonably secure, but it's much harder to lock down EVERYTHING else... like blocking it so the pad web browser can't reach facebook or myspace or so poker can't be installed... blackberries make it as easy to manage PDAs as it is to manage desktops... which is to say... it's a hassle. But on other platforms it's not even really doable.

How easy is it to get an iphone to run through a 'VPN' so it can access an intranet site and have no or extremely limited access to the public WWW? This is a pretty common scenario for the PCs staff are provided by enterprises, but smartphones in general do not make this sort of configuration easy; in many cases it's simply not possible.

Re:Fortunately, we use blackberries! (5, Informative)

ohcrapitssteve (1185821) | more than 6 years ago | (#23634029)

In just a few days, Apple is set to release iPhone Software 2.0 (as well as maybe Hardware 2.0...) but sw 2.0 is slated to have many of the enterprise features listed above. Not to sound like an Apple commercial, but features will include:

- ActiveSync (with SSL..)
- Remote administration with remote wipe of a lost device
- Cisco VPN with RSA SecurID

And as far as the VPN question, it is pretty straightforward, just another pane in the settings menu. PPTP and IPSec.

So iPhone's release featureset wouldn't have satisfied your needs, but tune back in in a few days and see if it floats your boat.

Re:Fortunately, we use blackberries! (1)

op12 (830015) | more than 6 years ago | (#23634961)

For Windows Mobile devices, an application called Sprite Terminator has been around for a long time which allows you to track your phone via GPS, send an SMS message to wipe or lock the phone contents, get the recent call log remotely, etc. It's $15, but if you lost your phone and you use it for lots of personal info, it would be well worth it.

Re:Fortunately, we use blackberries! (1)

CorporalKlinger (871715) | more than 6 years ago | (#23633799)

I have no experience with Blackberries. Do they support traditional wifi (802.11a/b/g/n?) I thought emails and all that went through Blackberry's central servers before being passed on to the organization's or corporation's servers. I know this data is encrypted, but does it meet the encryption requirements laid down for electronic medical records in HIPAA? I also wonder about Blackberry service coverage. In many of the buildings where I work, I don't get cell service (Sprint) and my peers do not either (AT&T, T-Mobile, Verizon, etc). There is local wifi available, but can Blackberry use that? I know some of the phones from AT&T (I think one is called the Flip or something) and the iPhone do both cell-data network wireless internet and have 802.11a/b/g/n wireless, so they could be used within our facilities. Just wondering what the limitations of the seemingly "perfect" Blackberry platform really are.

Re:Fortunately, we use blackberries! (4, Informative)

Anonymous Coward | more than 6 years ago | (#23633945)

I have no experience with Blackberries. Do they support traditional wifi (802.11a/b/g/n?)

Some models do.

I thought emails and all that went through Blackberry's central servers before being passed on to the organization's or corporation's servers.

Depends. If you have a blackberry enterprise server, you manage the encryption entirely in-house. The company (RIM) is only carrying the encrypted message, and RIM doesn't have the keys, you do. The government of India was in the news recently, threatening to cut off blackberry service, since they can't decrypt the messages.

If you don't have a blackberry enterprise server, RIM manages the encryption on your behalf. In this case RIM has the keys.

I know this data is encrypted, but does it meet the encryption requirements laid down for electronic medical records in HIPAA?

Absolutely. They have a sales division dedicated to health care [blackberry.com] .

I also wonder about Blackberry service coverage. In many of the buildings where I work, I don't get cell service (Sprint) and my peers do not either (AT&T, T-Mobile, Verizon, etc).

That really depends on your local provider, and how much concrete & steel you have in your building. If you really want to, you can buy a cellular repeater to carry cell phone signals through the building. Expensive though.

There is local wifi available, but can Blackberry use that?

Some blackberries can do wifi.

Just wondering what the limitations of the seemingly "perfect" Blackberry platform really are.

I never said it's perfect, just that it is the best of what is available.

The thing I found most annoying is that you can't make the phone ring & vibrate at the same time. It can ring only, vibrate only, vibrate then ring, but not both simultaneously.

If you have a headset plugged in to the blackberry, when the phone rings, the ringing sound is made by the regular ringer, not through the headset.

Re:Fortunately, we use blackberries! (0)

jeiler (1106393) | more than 6 years ago | (#23633991)

Do they support traditional wifi (802.11a/b/g/n?)

No. They support Bluetooth for connections to a local PC, but all networking protocols are cellphone-style networks. The only possible exception is MDS, but I think that has to go over a cell tower, too.

I know this data is encrypted, but does it meet the encryption requirements laid down for electronic medical records in HIPAA?

Triple DES--more recently AES. Either of which satisfies HIPAA regulations. Hell, DES satisfies HIPAA, so that's not a very high barrier there.

Re:Fortunately, we use blackberries! (1)

MojoStan (776183) | more than 6 years ago | (#23634837)

Do they support traditional wifi (802.11a/b/g/n?)
No. They support Bluetooth for connections to a local PC, but all networking protocols are cellphone-style networks. The only possible exception is MDS, but I think that has to go over a cell tower, too.
The anonymous cowardly replier before you said: "Some models do." From RIM's BlackBerry Wi-Fi info page [blackberry.com] :

Re:Fortunately, we use blackberries! (1)

jeiler (1106393) | more than 6 years ago | (#23634861)

Ah! Thanks for the correction.

Re:Fortunately, we use blackberries! (1)

SCHecklerX (229973) | more than 6 years ago | (#23633921)

In addition, everything sent to the BES is encrypted (3des, I believe?), with options for VPN to the office. I don't know much about it, but I do have one for personal use with BIS, and the encryption is there too. With BIS, however, you are trusting blackberry's servers with your mail and internet proxying.

Re:Fortunately, we use blackberries! (3, Informative)

mdboyd (969169) | more than 6 years ago | (#23633983)

I believe that most of the major Smartphone players have begun to do things like this. For example, Microsoft Exchange 2007 allows users and administrators to remotely wipe devices. Combining Exchange 2007 with WM6 brings additional security features: http://technet.microsoft.com/en-us/library/cc182299(TechNet.10).aspx [microsoft.com] . Bottom line: if Smartphone makers want to reach Enterprises, they need to take both security and device management into consideration.

Re:Fortunately, we use blackberries! (0)

Anonymous Coward | more than 6 years ago | (#23634023)

And Good Technology's GoodLink software had all those features years before RIMM's Blackberry.

Re:Fortunately, we use blackberries! (1)

darth dickinson (169021) | more than 6 years ago | (#23634899)

Who?

Re:Fortunately, we use blackberries! (2, Insightful)

Opportunist (166417) | more than 6 years ago | (#23634711)

So far the theory.

Now, let's see who uses Blackberries. Managers. Who makes security guidelines? Managers. Who have usually little to no technical skills and loathe everything that keeps them from "just using" stuff? Managers.

I wish you all the luck in the world to convince your managers that those security features are a good idea.

Re:Fortunately, we use blackberries! (1)

Growlor (772763) | more than 6 years ago | (#23634773)

Blackberries are great, but I don't think you get local data encryption without paying extra. IIRC the guys from PGP said that their encryption software was installed by default but not available (until you pay for the license.) So you get encrypted transmission and the ability to "remote destruct" known stolen and "self-destruct" on X number of failed password attempts, but need to pay extra to protect the data from someone prying it out once it's arrived. The thing is, I don't know how big a risk this is (can you just plug in the USB port and slurp it or does the password prevent this too?)

Biometric? (0)

Anonymous Coward | more than 6 years ago | (#23633643)

Maybe these things need a small fingerprint scanner or other biometric unlock function? Maybe just voice activation that can recognize the "owner" with a high accuracy would be enough.

And encrypt the bejezzus out of the data stored on them.

blick (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23633647)

happy birthday, fuck you jellybean

Cell phone security (2, Insightful)

Sigma 7 (266129) | more than 6 years ago | (#23633687)

The cell phone I have has one level of protection - a PIN number that only needs to be entered when it turns on. As long as it's on, you can do anything you want with it, including modifying content or planting evidence. In addition, you can still access content on the phone by attaching it to a computer (without any need to enter a pin.)

As a result, I'm not storing any sensitive information on the phone.

The Palm Pilot was at least better in this regard, since it allowed separating public and private information and requiring a pin when you wanted to access private data. However, this was a PDA rather than a cell phone.

A surbey? (3, Informative)

Cala (1134197) | more than 6 years ago | (#23633717)

The bastard cousin of the sorbet?

If you have physical access (3, Insightful)

s4ltyd0g (452701) | more than 6 years ago | (#23633735)

It's pretty much a done deal. Keep sensitive data on a small device and if you lose it, assume it's compromised. Password or not.

regards

Re:If you have physical access (0)

Anonymous Coward | more than 6 years ago | (#23634081)

It's pretty much a done deal. Keep sensitive data on a small device and if you lose it, assume it's compromised. Password or not.


How about you encrypt the damn thing and don't store the plain text key / pass phrase when it is not in use? Yes it isn't foolproof, but in many cases it adds a lot without excessively increasing costs.
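The policy controls listed in the BES post above (inactivity lock, forced re-entry after a fixed interval, trivial-password rejection, duress password, wipe after a set number of failed attempts, remote lock and wipe) and this reply's point about not keeping the plaintext key around while the device is idle, as an added Python example that is not from the original thread or from any vendor's software. The class, its parameters and the short list of common passwords are constructed for illustration, and the "data key" stands in for whatever key would protect the stored records.

```python
import hashlib
import hmac
import os


class DeviceWiped(Exception):
    """Raised when a wiped (or never-provisioned) device is asked to unlock."""


class DeviceLockPolicy:
    """Handheld lock policy: idle/forced-relock timeouts, wipe after N failed or on the
    duress password, data key in memory only while unlocked. Constructed example."""

    COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "000000"}  # constructed

    def __init__(self, inactivity_lock_s, forced_relock_s, max_failed_attempts, min_length=6):
        self.inactivity_lock_s = inactivity_lock_s
        self.forced_relock_s = forced_relock_s
        self.max_failed_attempts = max_failed_attempts
        self.min_length = min_length
        self._salt = os.urandom(16)
        self._verifier = None         # PBKDF2 output for the real password
        self._duress_verifier = None  # PBKDF2 output for the duress password
        self._data_key = None         # exists only while unlocked
        self.locked, self.wiped = True, False
        self.failed_attempts = 0
        self.unlocked_at = self.last_activity = None

    def is_trivial(self, password):
        """True for passwords a thief could guess in a handful of tries."""
        if len(password) < self.min_length or password.lower() in self.COMMON_PASSWORDS:
            return True
        if len(set(password)) == 1:                 # e.g. "111111"
            return True
        if password.isdigit():                      # e.g. "123456" or "987654"
            steps = {int(b) - int(a) for a, b in zip(password, password[1:])}
            if steps == {1} or steps == {-1}:
                return True
        return False

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_passwords(self, password, duress_password):
        if self.is_trivial(password):
            raise ValueError("password is too easy to guess")
        if password == duress_password:
            raise ValueError("duress password must differ from the real one")
        self._verifier = self._kdf(password)
        self._duress_verifier = self._kdf(duress_password)

    def unlock(self, password, now):
        """Return True on success; wrong or duress passwords may trigger a wipe."""
        if self._verifier is None:
            raise DeviceWiped("device wiped or no password set")
        candidate = self._kdf(password)
        if hmac.compare_digest(candidate, self._duress_verifier):
            self.wipe()                             # duress: destroy data, look like a failure
            return False
        if hmac.compare_digest(candidate, self._verifier):
            self.locked, self.failed_attempts = False, 0
            self.unlocked_at = self.last_activity = now
            # Re-derived on every unlock, so no plaintext key is stored while locked.
            self._data_key = hashlib.sha256(b"data-key|" + candidate).digest()
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_failed_attempts:
            self.wipe()                             # "self-destruct" after X failures
        return False

    def touch(self, now):                           # user activity at time `now`
        self._enforce(now)
        if not self.locked:
            self.last_activity = now

    def lock(self):                                 # local or remote lock
        self.locked = True
        self._data_key = None                       # key leaves memory with the session

    def wipe(self):                                 # local or remote wipe
        self.lock()
        self.wiped = True
        self._verifier = self._duress_verifier = None

    def _enforce(self, now):
        if self.locked:
            return
        if (now - self.last_activity >= self.inactivity_lock_s
                or now - self.unlocked_at >= self.forced_relock_s):
            self.lock()

    def is_locked(self, now):
        self._enforce(now)
        return self.locked

    def data_key(self, now):
        """The stored-data key, or None once the policy has locked the device."""
        self._enforce(now)
        return self._data_key
```

Times are plain second counts passed in by the caller, so the timeout behaviour can be exercised without waiting on a real clock.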

Re:If you have physical access (0)

Anonymous Coward | more than 6 years ago | (#23634193)

I could hand you my phone, or my memory card, or my key ring memory stick and you couldn't get much more than my GF's birthday out of any of it.

Thank you truecrypt.

Yet I can still connect to my company and do anything I can do from my desk.

With proper care, anything can be secured, even against physical attack.

Make the tech better, not the people using it (4, Interesting)

CorporalKlinger (871715) | more than 6 years ago | (#23633767)

I've had a Palm Treo 755p Smartphone for about 9 months. I have a lot of medical data on my unit, including (unfortunately) some patient data. I've tried to use Palm's "Private Records" feature for sensitive data, but it's too complex and unreliable. Some things that I mark as private show up in the regular views anyway, without needing to be unlocked with a password, even after I try to "lock" them or mark them as "private" multiple times. I doubt they're actually encrypted, either - probably just a bit-flag which only some software on the device reads and uses.

So I tried instead to set up an automatic lock on my device - I figure a power-on password should be fine. I set that up - and unfortunately, even though I set it to auto-lock after 1 hour of non-use, it NEVER asks for the power-on password. I've set it up exactly as Palm's site suggests... it still won't auto-lock the unit.

The thing is that the tech seems to need a fix before we can go about blaming the users. I've never lost a patient file or my phone, but obviously it would be a major problem if something like that did happen. Thankfully, the healthcare system I work for is going to electronic records, so nothing will be stored on my Palm anymore; I'll just use my cell plan to connect to the server (SSL encrypted) and access files wirelessly.

Still, there are other things I'd rather not have fall into a criminal's hands... hospital phone numbers, phone numbers of peers, nurses, other physicians, pagers, laboratories, etc. But my model, at least, is simply inadequate in protecting this data. Someone needs to come up with something better than what's currently available - maybe once it's "expected" - much like a password when you log onto Windows - it won't be such a big deal for people to use it.

Re:Make the tech better, not the people using it (1)

areusche (1297613) | more than 6 years ago | (#23633847)

I haven't owned a Palm handheld in a while, but I recall that you can set the Memo application to mask private information. I personally would much rather have a biometric thumb slide to access my PDA than to try and type in a password. I know there was an Ipaq that did this way back when, but it appears that it was a fad and no one has been implementing this since then.

Re:Make the tech better, not the people using it (1)

pilgrim23 (716938) | more than 6 years ago | (#23634465)

Anyone who keeps med records on a phone..... do you have a similar attitude in other endeavors? Seriously, I find that reprehensibly lax. I trust you are not my med provider...
You state: "The thing is that the tech seems to need a fix before we can go about blaming the users." then keep data there ANYWAY?

Re:Make the tech better, not the people using it (2, Insightful)

CorporalKlinger (871715) | more than 6 years ago | (#23634679)

Reprehensibly lax? You'd be surprised how insufficient most healthcare systems are when it comes to securing patient privacy. The extent of HIPAA at some hospitals involves ensuring that the clipboard cover of a patient's chart is closed when visitors or guests walk past - though there's nothing to stop those visitors from picking up the file and looking in it while nobody at the clerk station is paying attention.

The point here is that healthcare records are going electronic. I'm required to have OB/GYN notes for patients on me at the drop of a hat in case a delivery comes through the ER doors at 2 in the morning. When I'm heading to a patient's home for a visit (yes, some of us still do visit patients' homes!), it's far more convenient - and safer - for me to have their phone number and chart on my Smartphone than to print out their chart and bring a paper copy to their house. What happens if I am in a car accident and the file is stolen in the mix of the accident? What happens if someone breaks into my vehicle and I have other patient files kept there for other visits that I plan to do during the day (which I can't bring into the home and expose to the patient I'm seeing - again, HIPAA).

It's far simpler to have records stored in one SECURE place, but not every component of that device is secure. I haven't heard of any HanDBase hacks yet - I'm sure they're out there in the wild - but I haven't heard of them. Still, that leaves other information open to use and exploitation. HanDBase doesn't integrate well with the phone system; you can't even copy and paste a phone number for a patient from HanDBase into the phone application on my SmartPhone - so do I write it down? Do I try to remember the phone number and risk dialing a wrong number and giving my patient's name to some unknown person on the other end of the line when I ask for them (especially since I'm usually doing about 2 dozen things at a time) - or do I store the numbers of the patients I call most often in the address book and simply tap "call" next to their name when I need to contact them?

You lack a basic understanding of the workload placed on healthcare professionals and the impracticality of using a centralized computer system for everything. Thank goodness our health network is going wireless so docs can continue using their phones - which have become invaluable in improving patient care - and use them safely through encrypted data connections back to the hospital data center. You act as though storing a few patient files on a phone is some sort of sin; you give me a better way to have the exact prescriptions, doses, surgical and medical histories, etc. on every patient at my fingertips when I'm called to the ER to see one of my patients and the hospital's computer system is down or the record can't be found in the system because of reason X, Y, or Z. FIX THE TECH. The people want to USE the tech and use it responsibly, but if the technology isn't repaired FIRST, then the expectations placed on practitioners to go paperless are placing everyone at risk.

I'm describing the problem - it needs a solution. If you don't have one, I suggest you put your fingers in your ears instead of on your keyboard.

Re:Make the tech better, not the people using it (0)

Anonymous Coward | more than 6 years ago | (#23634519)

Still, there are other things I'd rather not have fall into a criminal's hands... hospital phone numbers, phone numbers of peers, nurses, other physicians, pagers, laboratories, etc. But my model, at least, is simply inadequate in protecting this data.
Try this, if you haven't already: http://gnukeyring.sourceforge.net/ [sourceforge.net]

I use it for storing passwords, credit card numbers, etc. It seems to have the basic features you're looking for. (Password access, encrypted data, automatically locks access after timeout, etc.)

It goes hand in hand (2, Insightful)

Opportunist (166417) | more than 6 years ago | (#23634725)

Security is a minimum of the system's capability and the user's capability. You can have the most secure system, with a moron on the helm it is easily compromised. If nothing else works, you can rest assured that he will simply hand over all the necessary information to his attacker himself.

Security is a matter of improving technology and training your staff. Doing just one of them will not increase your security past the more insecure one of them.

So, secure them? (1)

LoudMusic (199347) | more than 6 years ago | (#23633775)

So what the article says is that they think handhelds are dangerous because they're not bothering to secure them? Seems like an easy fix ...

Re:So, secure them? (1)

myowntrueself (607117) | more than 6 years ago | (#23634235)

So what the article says is that they think handhelds are dangerous because they're not bothering to secure them? Seems like an easy fix

Hah!

You clearly haven't dealt with directors and the like.

The only security they are interested in, even tangentially, is financial security.

Re:So, secure them? (1)

Opportunist (166417) | more than 6 years ago | (#23634749)

I elaborate on that, if I may.

High level managers (read: The ones that will actually be the ones using those tools the most, and also have the most to lose should their tool be compromised) have no problem requiring insane passwords and password changing policies from their underlings (worst I've seen was requiring a 10 letter PW with at least 4 non-alphas and at least one number and one "special character", changed every 2 weeks) but when it comes to themselves, they usually want to be left out of that tedious "waste of (their precious) time".

You can argue however you want. That their tools are the most sensitive due to their access levels, both on a technical level (which are invariably higher than they have to be, since he needs the feeling to be "in control", despite having no clue what to do with his system administrator powers) and of course on the information level (they usually have access to highly sensitive financial data, past, present and most of all future planning). But they "really won't let their tool lie around somewhere". Arguing that this game they have on it wasn't quite part of the standard package and that there's a policy against non-canon software might threaten your job security rather than his.

And so on.

I have so far not met a single manager who actually agrees that all the restrictions and security measures imposed on his workers (especially the ones that should ensure they don't play some games in their work time) should apply to him, too.

Not worth protecting (2, Insightful)

Darkness404 (1287218) | more than 6 years ago | (#23633839)

Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting

And honestly, a lot of them could be right in that it wasn't worth protecting. For example, what percentage of documents are really needed to be secret for a company's existence? My guess is about .001% is. From where I have worked and what I have seen most of the documents are simply letters, forms, etc. and not Our_Credit_Card_Numbers.doc or All_Employee_SSN.xls. So for most people, most small businesses, most employees, the information isn't really worth protecting. Now, if you are say, a bank, the information is more valuable than say a restaurant or a factory's info, but for the average employee with a laptop, most of the documents if not all of the documents are free of personal information or company secrets. Chances are some guy with a packet sniffer will get more information off of a laptop than a thief taking it and reading the documents.

Re:Not worth protecting (1)

Opportunist (166417) | more than 6 years ago | (#23634775)

You would be surprised what a clever hacker can gain out of trivial documents. If I may offer you an example of an audit I did lately.

Take the phone list of a company. The internal extensions. Now, not really a highly secure document. Everyone in the company has it. And from a cursory glance, the most dangerous about it is that an external caller could directly connect to some manager and waste his time with a complaint.

This company solved its door access through an extension. Which should only be callable from the inside, but you'd be surprised how many phone computers allow you to call the door extension with an outside call. And open the door that way.

And once you're inside a company, especially one with a high fluctuation of interns, nobody asks you anymore what you're doing here.

analog hole (5, Insightful)

Gothmolly (148874) | more than 6 years ago | (#23633843)

I can't carry an iPhone, but I can bring home a file folder full of secrets.
I can't have a cameraphone because I can 'steal' data, but you let me bring my 250GB laptop home.
My email is filtered for PPI and dirty words, but you don't filter my Gmail.
I can't FTP, but I can attach 10 MB files to webmails.

Build a better mousetrap, and some management school out there will produce a stupider monkey.

Re:analog hole (0)

Anonymous Coward | more than 6 years ago | (#23634219)

My email is filtered for PPI and dirty words, but you don't filter my Gmail.

Yes, but many companies block access to gmail and other webmail providers.

I can't FTP, but I can attach 10 MB files to webmails.

Email is tracked, logged and scanned for compliance. FTP isn't.

Re:analog hole (1)

Perf (14203) | more than 6 years ago | (#23634765)

If the potential employee is not honest - don't hire him.

I once toured a mint. (The kind that manufactures coins.) The question came up about security. The guide answered that all employees pass thru a metal detector to get to the work areas. The pay and benefits are good, so employees tend to stay long term. Oh, and if an employee is caught for small crimes, even stealing a can of soda, he/she is terminated immediately.

It is sad how little value modern culture places on personal integrity. Why not bring it back? Security companies demand it from employees 24/7. One of my college profs once worked as a bonded security person. He said that if you ever breached security, you were marked for life.

Given the public reaction to the Clinton/Lewinsky affair - is it any wonder the global economy is falling apart.

Passwords? (2, Funny)

Tastecicles (1153671) | more than 6 years ago | (#23633849)

How secure is your password?

Some examples of common passwords which I saw on multiple occasions on different client boxes:

typewriter
sex
" " (three spaces)
coffee (a college ICT admin favourite)
manu ("Man United", if the desktop was soccer themed or the client wore a red shirt, chances were this was his password)
horses (no prizes)
swordfish (no prizes)
0000 (if it's anything that requires a 4-digit user pin, such as Bluetooth, this'd be it)
0000000000 (the blanket launch code for the US nuclear arsenal)

Dictionary words, names of favourite family members, spouses, dates of birth... the list is obvious and goes on.

I'll stop there before I hit the combination for Bush's overnight case and really piss someone off (incidentally, it's 111-111)

Re:Passwords? (5, Funny)

robo_mojo (997193) | more than 6 years ago | (#23633953)

Yeah, people who make such weak passwords are really dumb.

I've got a really good password for my bank account. It's: L;WMc6HC

Nobody will ever break that!

Re:Passwords? (1)

grassy_knoll (412409) | more than 6 years ago | (#23634959)

And with such an, erm, easy to remember password you post it to /. so we can all help you remember it?

*sigh*

I yearn for the good old days when password storage involved a sticky note and a monitor...

[badum-ching]

Re:Passwords? (1)

maxume (22995) | more than 6 years ago | (#23634059)

A login system really shouldn't be susceptible to a dictionary attack. If there is important data sitting behind a password, it should start throwing red flags after about 5 failed attempts (5 at the outside, maybe log every failure and trigger biscuits for 2 in a row).

That doesn't protect you against easily guessable passwords, but it makes something like passw0rd a lot stronger than it would be in a dictionary situation.
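An added example (not from this thread or any poster) of the kind of guard maxume describes: every failure is logged, two in a row raise an alert, and the fifth locks the account for a cooldown so an online dictionary run gets only a handful of verified guesses. The user table, salt handling and the "alice"/"passw0rd" credentials are constructed for the demo; the clock is injectable so the lockout expiry can be tested without waiting.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

KDF_ROUNDS = 50_000  # PBKDF2 rounds for the stored hash (constructed demo value)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)


class LoginGuard:
    """Per-account failure counter with alerting and temporary lockout."""

    MAX_FAILURES = 5            # fifth consecutive failure locks the account
    ALERT_AFTER = 2             # two in a row already raise a flag
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, users: dict, clock=time.monotonic):
        self._users = users                 # name -> (salt, pbkdf2 hash)
        self._clock = clock                 # injectable for tests
        self._failures = defaultdict(int)   # consecutive failures per user
        self._locked_until = {}             # user -> monotonic deadline
        self._dummy_salt = secrets.token_bytes(16)
        self.audit = []                     # every outcome, success or failure

    def _check(self, user: str, password: str) -> bool:
        # Hash even for unknown names so response time does not reveal valid users.
        salt, stored = self._users.get(user, (self._dummy_salt, b""))
        return hmac.compare_digest(hash_password(password, salt), stored)

    def attempt(self, user: str, password: str) -> str:
        now = self._clock()
        if now < self._locked_until.get(user, 0):
            self.audit.append(f"{user}: rejected without checking (locked)")
            return "locked"
        if self._check(user, password):
            self._failures[user] = 0
            self.audit.append(f"{user}: success")
            return "ok"
        self._failures[user] += 1
        n = self._failures[user]
        self.audit.append(f"{user}: failure {n}")
        if n >= self.ALERT_AFTER:
            self.audit.append(f"{user}: ALERT repeated failures")
        if n >= self.MAX_FAILURES:
            self._locked_until[user] = now + self.LOCKOUT_SECONDS
            self._failures[user] = 0
            self.audit.append(f"{user}: locked out for {self.LOCKOUT_SECONDS}s")
            return "locked_out"
        return "denied"


def permitted_guesses(guard: LoginGuard, user: str, candidates) -> int:
    """How many candidate passwords the guard actually verifies before refusing."""
    checked = 0
    for pw in candidates:
        result = guard.attempt(user, pw)
        if result == "locked":
            break
        checked += 1
        if result == "locked_out":
            break
    return checked


def make_guard(clock=time.monotonic) -> LoginGuard:
    """Constructed single-user table for the demo."""
    salt = secrets.token_bytes(16)
    return LoginGuard({"alice": (salt, hash_password("passw0rd", salt))}, clock)


if __name__ == "__main__":
    guard = make_guard()
    wordlist = ["123456", "password", "qwerty", "letmein", "abc123", "passw0rd"]
    print(permitted_guesses(guard, "alice", wordlist))   # 5: the lockout fires first
    print(*guard.audit, sep="\n")
```

The lockout is per account and time-limited rather than permanent, which keeps a stranger from locking a user out indefinitely by guessing on purpose; the audit list is what a monitoring system would consume to spot the "2 in a row" pattern across many accounts.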

Looking forward to two stage Cell/PDA encryption (2, Insightful)

kandresen (712861) | more than 6 years ago | (#23633855)

I have been wondering about when I would be able to encrypt my cells and PDAs the way I encrypt my other data. There is a problem however - the phone must be on in order to get calls... That means the system password is mostly always already in use and thus making it very easy to obtain by cooling down and picking out the RAM and using a card reader.

So I am hoping for a two stage system where call logs, full content of my address book, notes, calendar and so on is stored and encrypted separately from basic parts of the system. Incoming calls logs could then be stored in a temporary mode until I enter my storage password in which moment I would get access to the secure data using a separate password.

There are of course problems here too - notifications of upcoming calendar events, and displaying name/number association for incoming calls, among other issues. It will be necessary to allow personal choice for what should be cached outside of secure memory, but I certainly look forward to having more secure options for cells and PDAs!
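An added sketch (not from this thread or any poster) of the two-tier layout kandresen describes: contacts and the full call log live in a sealed store whose key is held in RAM only while unlocked, and calls that arrive while the device is locked go to a plaintext staging area holding bare numbers, which is merged into the secure tier at the next unlock. To stay within the Python standard library the sealing uses PBKDF2 for the key and HMAC-SHA256 in counter mode with encrypt-then-MAC; a real device would use an AEAD such as AES-GCM instead. The class and method names and the sample contact are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 100_000  # PBKDF2 rounds; tune to the device's CPU (demo value)


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """64 bytes: first half encrypts, second half authenticates."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (stdlib only).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or tampered store")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TwoStageStore:
    """Secure tier (contacts, full call log) stays sealed while locked; the
    staging tier records bare numbers of incoming calls until the next unlock."""

    def __init__(self, passphrase: str, contacts: dict):
        self._salt = secrets.token_bytes(16)
        key = derive_key(passphrase, self._salt)
        self._blob = seal(key, json.dumps({"contacts": contacts, "calls": []}).encode())
        self._key = None      # only held in RAM while unlocked
        self._secure = None   # decrypted tier, None while locked
        self._staging = []    # numbers seen while locked (plaintext, by design)

    @property
    def locked(self) -> bool:
        return self._secure is None

    def record_incoming_call(self, number: str):
        """Returns the caller's name if the secure tier is open, else None."""
        if self.locked:
            self._staging.append(number)   # name lookup is not possible while locked
            return None
        self._secure["calls"].append(number)
        return self._secure["contacts"].get(number)

    def staged_numbers(self) -> list:
        return list(self._staging)

    def unlock(self, passphrase: str) -> list:
        if not self.locked:
            return list(self._secure["calls"])
        key = derive_key(passphrase, self._salt)
        data = json.loads(open_sealed(key, self._blob))  # raises on wrong passphrase
        data["calls"].extend(self._staging)               # merge the staging tier
        self._staging.clear()
        self._key, self._secure = key, data
        return list(data["calls"])

    def lock(self) -> None:
        if self.locked:
            return
        self._blob = seal(self._key, json.dumps(self._secure).encode())
        self._key = self._secure = None   # key and plaintext leave RAM


if __name__ == "__main__":
    store = TwoStageStore("correct horse battery", {"+15551230100": "Dr. Example"})
    print(store.record_incoming_call("+15551230100"))   # None: locked, number staged only
    print(store.unlock("correct horse battery"))         # ['+15551230100']
    print(store.record_incoming_call("+15551230100"))   # Dr. Example
    store.lock()
```

The trade-off the comment raises shows up directly: while locked the device can only log a number, not resolve it to a name, and whatever sits in the staging tier is exactly the data a thief gets from a locked handset, so the choice of what is allowed there is the real policy decision.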

Re:Looking forward to two stage Cell/PDA encryptio (1)

Darkness404 (1287218) | more than 6 years ago | (#23633915)

And the information you carry in your Address Book, Calendar and Notes are *that* valuable to warrant more expensive hardware with encryption? Seriously, myself and most people I know have people's names and numbers in the address book and meetings in the calendar and really the worst thing that could happen is that they use that info to do a phishing attack to get more information. For you and a handful of other people this might be useful but for the 99% of us that don't, it just adds more bloat/price to an already bloated/expensive platform (mobile phones/PDAs)

Packet Sniffer (3, Informative)

Darkness404 (1287218) | more than 6 years ago | (#23633873)

Chances are, it is more risky to connect to an unencrypted network at a local coffee shop and check your e-mail on your PDA than it is to leave it without a password. I know on my computers the information stored on it is useless to a thief but some e-mails (stored on a remote server) have more confidential information than what is stored on the device (and just about all webmail requires you to use a password). So really, for me and most other people, a 1337 H@X0R with Wireshark will do more damage than some guy who steals your PDA/Laptop.

Re:Packet Sniffer (0)

Anonymous Coward | more than 6 years ago | (#23634157)

And you're not using SSL or TLS connections to your mail server(s) because...?

Re:Packet Sniffer (0)

Anonymous Coward | more than 6 years ago | (#23634271)

If an organization is running POP or IMAP without SSL, they have far bigger problems than security of PDAs.

Fortune? (1)

tgetzoya (827201) | more than 6 years ago | (#23633883)

No fortune app. Bummer

Well of Course... (3, Funny)

TheNetAvenger (624455) | more than 6 years ago | (#23633909)

Is this just iPhone fear-mongering?

Of course it is, because the iPhone is the only PDA or SmartPhone in the world... (If you live under an Apple or a Rock.)

Re:Well of Course... (0)

Anonymous Coward | more than 6 years ago | (#23634051)

So everything else is just a StupidPhone?

Re:Well of Course... (1)

Xenious (24845) | more than 6 years ago | (#23634411)

umm yes?

Re:Well of Course... (1)

LoganDzwon (1170459) | more than 6 years ago | (#23634853)

thats iRock...

considering..... (0)

Anonymous Coward | more than 6 years ago | (#23633927)

one of the local strip clubs has an addition to its radio ad giving a specific number to call if you've lost a "PDA, iPhone, or BlackBerry" in the VIP room, I'd have to agree.

people are more likely to lose a phone than a laptop.

Look deeper ... (1)

ScrewMaster (602015) | more than 6 years ago | (#23633951)

Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?

I think we first have to ask the question, are executives actually capable of remembering a password? Doubtful, in my opinion.

Re:Look deeper ... (1)

bigstrat2003 (1058574) | more than 6 years ago | (#23634707)

Wouldn't it be reasonable, then, to tell them that until they can remember (not have written down!) a strong password, they can't have any mobile devices, because it's too big of a liability to the company otherwise?

Of course, possible is another scenario entirely, but that would seem to me to be a reasonable policy.

What use are passwords if you can circumvent them? (2, Interesting)

Nuclear Elephant (700938) | more than 6 years ago | (#23633961)

> Do you think the passwords execs could remember would help with securing PDAs and smart phones?

No, because PDA passwords are easily defeated [zdziarski.com].

Re:What use are passwords if you can circumvent th (1)

Tastecicles (1153671) | more than 6 years ago | (#23633997)

Passwords are like any other kind of lock. They're not there to keep dishonest people out, they're there to slow them down. They're there to keep /honest/ people from trying.

Re:What use are passwords if you can circumvent th (1)

Nuclear Elephant (700938) | more than 6 years ago | (#23634009)

The problem here is that with a desktop, you've got a finite amount of time to crack the password, unless you plan on exiting the building with the tower. Physical theft is much more difficult... as is physical access. With PDAs, you can simply toss the thing in your pocket, and have all the time in the world to hack on it later on. Physical access, I would argue, is also easier. How about a working Bluetooth-based proximity security system that would encrypt/decrypt on the fly, or a *working* remote wipe that actually wipes (unlike Apple's) ?

Re:What use are passwords if you can circumvent th (1)

Kalriath (849904) | more than 6 years ago | (#23634845)

The iPhone is not the only PDA in the world.

PDAvailable (2, Insightful)

hyades1 (1149581) | more than 6 years ago | (#23634001)

Come on, now. If the information's on a PDA, anybody with the IT version of a bent paperclip will be able to get it.

What's the first security rule for a PC: If they have physical access to your computer, your data is theirs. I would bet my bottom dollar that 90% of the security problems concerning a PDA result from exactly that: loss of physical control of the device.

No cure for human stupidity. (2, Funny)

barry99705 (895337) | more than 6 years ago | (#23634035)

I've had users laminate their user name and password to their laptop palm rest. Security of information is great and all, but in the end, the user is the weakest link.

At my company, we had a simple solution to this... (5, Funny)

Ortega-Starfire (930563) | more than 6 years ago | (#23634499)

In each computer desktop, laptop, and smartphone, we installed hardware encryption and a C4 charge with remote 2 tier authentication for detonation. The two tier authentication was introduced after an unfortunate mishap involving our CFO getting his arm blown off while out golfing; it turns out the detonation frequency was a maritime frequency as well.

The C4 will also detonate if a password is entered incorrectly twice. We encourage employees who are "out of it" or even slightly ill to take the day off, and require them to call IT should they ever type their password in wrong once.

We also use an operating system completely built in house with a semi AI running security diagnostics at all times, and we have live people watching the network traffic to the few systems that are actively connected to the internet. Any systems that manage to get infected (to date, none) would also receive the C4 treatment. A bit draconian, but it gets the job done. Our datacenters also have thermite ceilings designed to completely melt down the facility if it comes under attack (three armed guards 24/7 are at the red button, just in case some new tech decides to think about hitting the button.)

Protecting the world has taught us to take our own security seriously. Hopefully, you can learn from these measures and take the proper safeguards for your own facilities and equipment (remember, the answer is always hardware encryption and C4.)

Thank you,
Ortega Starfire
CTO, Hoffman Institute
For The Advancement of Humanity

Re:At my company, we had a simple solution to this (1)

Tastecicles (1153671) | more than 6 years ago | (#23634735)

mod parent WAY UP! I LOVE IT!

Encrypted "partitions" (1)

skegg (666571) | more than 6 years ago | (#23634799)

I have a small encryption app installed on my Windows Mobile device that encrypts files with a password.

I believe it uses 256 bit encryption. I'd like to think it's secure.

What are people's thoughts on these apps?

Manager types just don't get security (2, Interesting)

Opportunist (166417) | more than 6 years ago | (#23634827)

A real life example of a job I had a while ago. Security guy at an auditing company for banks. One of the things I had to do was ensure that reports can under no circumstances whatsoever get leaked. I spent the better part of two months locking down servers and creating VPN tunnels to pretty much every bank in the country that we deal with. With foolproof interfaces, point 'n click, so even our auditors could understand it. Double checking that the right document reaches the right bank (because, of course, one of the key security requirements was that no bank may UNDER ANY CIRCUMSTANCES get internal information of other banks). Security was the big thing, and nobody questioned any expense I asked for as long as "for increased security" was somewhere on the application.

Then we had a conference at a hotel. And suddenly one of our top chiefs in charge comes out of the hotel management area with a report. Asking what this is about, I got this information:

He forgot to bring this report along so he asked one of our auditors who had the report to send it. From a different bank. Unencrypted. To the hotel. And he asked the hotel manager to print it.

My question whether he wants to end my life prematurely with a heart attack was met with a blank stare.

spelling nazi (1, Funny)

Anonymous Coward | more than 6 years ago | (#23634881)


We were in quite a hurry to post this... No time for spellcheck!

"A VP at the company that performed the surbey..."

kdawson: Its spelled "sorbet".