PDAs

A PDA is a small, handheld computer that allows you to store and access data. Most PDAs run either the Palm operating system or a Windows-based one, or are RIM Blackberry devices. Most PDAs allow you to do basic things such as store names, addresses, phone numbers, schedules, and appointments. The more sophisticated ones also run applications like word processors and spreadsheets. Some devices are even wireless, allowing remote access to things like e-mail, stock quotes, and news alerts.

Handhelds carry a wealth of sensitive data. Typically, a user's entire electronic phone book—complete with names, addresses, phone numbers, and e-mails—can be found on the device. The user's calendar—along with notes, comments, and to-do lists—is also on that handheld. Medical doctors and others also use these devices to store sensitive information about other individuals. Doctors frequently store a patient's medical information as well as medical reference material on PDAs. Many users have come to rely completely on these pocket-sized devices. Those same small devices are relatively easy to lose and steal. How does one keep these devices from falling into the wrong hands? Even if they do fall into the wrong hands, what can be done to minimize the impact upon the user's privacy?

The greatest risk probably comes from the loss of the device. Any device the size of a handheld can easily fall out of a pocket or bag. If basic password protection is not set up on the device, all of its data is then disclosed to the individual who has taken possession of the device. It is more likely that your data will be stolen because your PDA was stolen. It is less likely that your data will be stolen as it travels through the air. The easy solution is to simply encrypt the data. As we have discussed in previous chapters, software encryption for personal computers has been around for years. But Pretty Good Privacy (PGP) is not available for the handheld device. Weaker encryption schemes that are used on PDAs can be decrypted.

Palm OS

The popularity of the family of PDAs produced by Palm Computing has led the Palm OS to be a widely accepted PDA platform. Many manufacturers (Palm Pilot, Sony, and Handspring Visor) have adopted the Palm OS for their systems. Although this might be changing as the Pocket PC (discussed later) rises in popularity, the Palm OS is still widely seen in the corporate environment. Palm also offers wireless connectivity built into its Palm VII and other models. Each of the other manufacturers just mentioned also provides the same wireless connectivity with the purchase of additional components and add-ons.

The Palm OS system, as shipped from the factory, is relatively insecure when compared to other computing devices such as the PC. It does provide basic security features with its Security Application. The Security Application allows users to mark records as “private.” Records marked as such are invisible to users who do not have the appropriate password. The other feature of the Security Application is that it allows the user to “lock” the PDA so that only a user with knowledge of the password can unlock it. Although these security features might appear to be adequate, a few shortcomings still exist.

Another developing weakness of the Palm OS is its susceptibility to viruses. Just as the Windows operating systems are vulnerable to various types of viruses, the Palm OS, which lets developers write their own applications, also allows hackers to write viruses for the Palm platform. Antivirus vendors such as Computer Associates, F-Secure, and Symantec provide virus protection for the Palm OS.

The most important weakness is that data is not encrypted on the device. We have stressed the importance of encrypting data on a hard drive. It is even more important to encrypt the data on a handheld because of the handheld's physical dimensions and the ease with which it can be misplaced or stolen. Although it is possible to encrypt data on a handheld, most people do not. Marking records or data as “private” only sets an internal flag in the device about whether to display the record. When the flag is set to “private,” the application won't display it without the appropriate password. However, this assumes that the application will actually pay attention to these flags. Rogue applications installed by an attacker or unauthorized individual need not adhere to these markings.
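The following is an added example, not code from the book or from Palm: an audit of a synced database backup that reports which records carry the “private” flag yet are stored as readable text. It assumes the standard Palm database (PDB) file layout (78-byte header, 8-byte record-list entries, private flag as attribute bit 0x10); the sample database and all function names are constructed for illustration.

```python
import struct

SECRET = 0x10       # record attribute bit Palm OS uses for "private"
HEADER_LEN = 78     # fixed PDB header size; record count is its last 2 bytes

def build_sample_pdb(records):
    """Build a minimal PDB image from (attributes, data) pairs (constructed data)."""
    n = len(records)
    header = struct.pack(">32sHHIIIIII4s4sIIH", b"MemoDB", 0, 0, 0, 0, 0, 0, 0, 0,
                         b"DATA", b"memo", 0, 0, n)
    offset = HEADER_LEN + 8 * n + 2          # header, record list, 2 pad bytes
    entries, body = b"", b""
    for uid, (attr, data) in enumerate(records, 1):
        # Each list entry: 4-byte data offset, 1-byte attributes, 3-byte unique ID
        entries += struct.pack(">IB", offset, attr) + uid.to_bytes(3, "big")
        body += data
        offset += len(data)
    return header + entries + b"\x00\x00" + body

def audit_records(pdb):
    """Return (index, marked_private, raw_bytes) for every record in the image."""
    if len(pdb) < HEADER_LEN:
        raise ValueError("truncated PDB header")
    (n,) = struct.unpack_from(">H", pdb, HEADER_LEN - 2)
    list_end = HEADER_LEN + 8 * n
    if list_end > len(pdb):
        raise ValueError("record list runs past end of file")
    entries = [struct.unpack_from(">IB", pdb, HEADER_LEN + 8 * i) for i in range(n)]
    found = []
    for i, (start, attr) in enumerate(entries):
        end = entries[i + 1][0] if i + 1 < n else len(pdb)
        if not list_end <= start <= end <= len(pdb):
            raise ValueError(f"record {i} has an invalid offset")
        found.append((i, bool(attr & SECRET), pdb[start:end]))
    return found

def private_in_clear(pdb):
    """Indexes of records flagged private whose bytes are readable ASCII text."""
    return [i for i, private, data in audit_records(pdb)
            if private and data.rstrip(b"\x00").isascii() and data.strip(b"\x00")]

# Constructed sample: one ordinary memo and one memo marked private
SAMPLE = build_sample_pdb([(0x00, b"Lunch at noon\x00"),
                           (SECRET, b"Door code 0000\x00")])

if __name__ == "__main__":
    for index, private, data in audit_records(SAMPLE):
        print(index, "private" if private else "public", data)
```

Any record this audit lists is protected only by the display flag, which is the case for adding on-device encryption.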

Another shortcoming of the Palm OS is that the user must explicitly lock the device. Operating systems such as Unix and Windows 2000 require login passwords. With the Palm OS, the user must explicitly lock the device so that a password is required before it can be turned on. If you don't lock the device, someone could turn it on without using a password.

Certicom's movianCrypt

Certicom's movianCrypt (http://www.certicom.com) product extends the basic functionality provided by the Palm OS. It locks and encrypts all of the data that is on the device to help achieve stronger security. movianCrypt functions by placing itself between Palm's data storage area and the applications that access it. Data is encrypted as it is stored by movianCrypt. Data is decrypted only as it is accessed by applications that need it. A login system protects data if the device is lost or stolen. movianCrypt encrypts all data in user databases on the device. This includes the Address Book, Memo Pad, and third-party applications.

movianCrypt functions as shown in Figure 14.1. It inserts itself between Palm applications and the user database. All data is encrypted before it is stored, and data is decrypted only when it is needed. You can relate this to the SSL encryption that we discussed in previous chapters. All data is encrypted between the database and the application.

Figure 14.1. movianCrypt security measure.


Encryption settings are also configurable on an application basis. For example, it's unnecessary to encrypt large databases such as maps and restaurant listings. movianCrypt allows you to avoid unnecessary encryption of these large databases that are not sensitive.

F-Secure's FileCrypto

F-Secure produces a similar product, FileCrypto (http://www.fsecure.com), shown in Figure 14.2. It, too, provides for encryption of data that is stored on the device. It automatically encrypts the data of all record-based applications when the device is shut off. Data is decrypted when the files are opened.

Figure 14.2. F-Secure's FileCrypto can provide additional security for Palm devices.


What sets FileCrypto and movianCrypt apart from the many products that are available via shareware is that they encrypt the data on the device rather than just requiring a password to turn the device on.

Pocket PC/Windows CE

As the popularity of PDAs increases, many corporate professionals are turning to the Windows CE-based Pocket PC. Manufacturers such as Casio, Hewlett Packard, and Compaq are now producing these devices. These devices are more than a calendar and address book. Like the Palm OS, the Windows CE PDA operating system allows developers to write applications and hardware vendors to make devices that use this operating system. These devices are application compatible—they run versions of Microsoft Office that are similar in features and functionality to their desktop counterparts.

Pocket PCs also offer a power-on password capability that locks the device until you enter your chosen password. Turning this feature on requires some navigation. Go to the Settings command, click the Personal tab, and select Password. Enter a password and check Require Password When Device Is Turned On.

Windows CE handheld PDAs have a system-level password application that can be accessed via the Control Panel. The application requires a user to enter a password when turning on the device. To advance past the first screen—which can include owner contact information to help with the return of lost devices—the proper password must be entered. Without the password, the only way a thief can use a protected Windows CE device is to remove the primary and backup batteries. But if this happens, all the data on the device is also erased!

To set the password on a Windows CE device, select Start, Settings, Control Panel, Password or Start, Settings, Password depending on your PDA and version of software. You are then asked to enter a password twice to confirm it. From there, you can click on a box to enable power-on password protection. After the password is set up, you can change or reset it at any time by re-entering the existing password.

In terms of third-party software, F-Secure also produces a version of FileCrypto for the Pocket PC. Microsoft recommends a variety of third-party products in the white paper “Pocket PC Security,” available at its Web site (http://www.microsoft.com/MOBILE/enterprise/papers/security.asp). Several security products available for the Pocket PC include those shown in Table 14.1.

Table 14.1. Microsoft Recommended Third-Party Products for Pocket PC Security
Company | Product | Web Site

DATA ENCRYPTION
Applian Technologies | PocketLock | www.applian.com
Application Development Studio | PassKey | www.appstudio.com
SoftWinter | seNTry 2020 | www.softwinter.com
Softwarebüro Müller | The Safe | www.sbm.nu
V-One | SmartPass for CE | www.v-one.com
Paragon Software | CryptoGrapher for Windows CE | www.penreader.com

ANTIVIRUS
McAfee | VirusScan for Pocket PC | www.mcafee.com
Computer Associates | InoculateIT for CE | www.cai.com/innoculateit.htm

ACCESS RIGHTS AND AUTHENTICATION
Applied Biometrics | Pocket PC PINprint from Applied Biometrics | www.appliedbiometrics.net
CIC/A2000 | Sign-On for Pocket PC | www.a2000d.com www.audata.co.uk
