By Barbara Krasnoff
When was the last time you left your PDA in the conference room or on your plane seat? Yesterday? Last month? Unless you plan to chain your PDA to your belt, the odds of losing your PDA are good. And if you're an IT professional, the whereabouts of corporate-supplied PDAs—and the sensitive information they contain—is now your problem.
According to Prakash Panjwani, senior vice president of business development for Certicom, which develops security software for PDAs, companies are now seeking the same level of security with PDAs that they once sought for laptops. "In the past," says Panjwani, "these were consumer devices that snuck into the enterprise. You got it as a gift, and then you started downloading corporate information, and your IT managers didn't even know about it. Now that has changed because [companies] realize that the ultimate responsibility is the IT managers'."
CNET and TechRepublic
This article first appeared on CNET's Enterprise Business site. TechRepublic is part of the CNET family of Web sites dedicated to educating and empowering people and businesses in the IT field.
Although the financial value of the hardware isn't devastating, the value of the information can be. The idea of a stranger having access to your personal data may be distressing, but the possibility that somebody could access presumably secure corporate information is enough to give any IT professional nightmares.
Secure corporate secrets
The corporate use of PDAs poses two security problems, says Panjwani: controlling data access through remote connections and unauthorized access to the data. The first can be handled in the same way that it has been for remote laptop users: by using a VPN client that will interoperate with the existing VPN on the back end. The second is trickier. "If an employee leaves the PDA at a meeting," he asks, "and somebody just glances over and looks at the information, how do you actually protect that information?"
There are some security methods already built into PDAs. For example, the Palm OS allows you to assign passwords to specific records marked as private; in addition, an Off & Lock feature makes you use a password to reactivate your handheld. The Pocket PC also offers power-on password protection, while the e-mail application includes industry-standard network authentication, password, and SSL for Web-based e-mail. However, because the data itself isn't encrypted, it is generally accepted that somebody who knows the OS well can hack into the information on a PDA that's in his physical possession.
As a result, there are now many software products that can protect valuable data in PDAs that are lost or stolen. They offer varying degrees of protection.
The simpler, and less effective, are all available on a consumer level and implemented on a device-by-device basis. For example, a basic way to protect data is to use a "digital wallet." Originally a term for encryption software that protected e-commerce information, it is now used by a number of inexpensive applets that create encrypted databases where you can store sensitive information, such as passwords or credit card numbers. These include Developer One's CodeWallet, Ilium Software's eWallet, and PassKey from Application Development StudioA.
A more useful way to keep data both safe and separate is to keep it on a storage card. A number of programs, such as Paragon Software's Cryptographer for the Pocket PC, encrypt information that is stored on CompactFlash and PCMCIA cards.
Some applications offer basic data encryption for specific files and/or folders, so that users can protect crucial information without having to encrypt the entire contents. These include Applian PocketLock for the Pocket PC and seNTry 2020 by SoftWinter.
Users who simply want to lock down their PDAs, but who aren't satisfied with the included password protection, may want to check out an interesting security application for the Palm and Pocket PCs by Communication Intelligence Corp. called Sign-On. The program, which allows you to literally sign in to your PDA, measures the pattern of your signature.
128-bit encryption and antivirus software
IT professionals who are responsible for more than a couple PDAs will need to go beyond basic encryption and storage. Certicom's MovianCrypt uses the 128-bit Advanced Encryption Standard (AES) to encrypt and decrypt data on the fly. According to Certicom, one advantage of its software is that when you create a password, a key is generated; during synchronization, the password is not transferred to your PC, where it could be accessed.
Another corporate-level security application is Pointsec for Palm OS and Pocket PC. In addition to offering authentication for the entire contents of the Palm, Pointsec also prevents access to passwords during synchronization or infrared transfer, and demands authentication when the cradle's HotSync button is pressed. The product also includes PointSafe, an application that provides a separate encrypted area for personal information.
Your corporate data also could be compromised by a virus, Trojan horse, or other infection. Luckily, at this point, your chance of catching a PDA-specific infection is very low. While a few viruses for PDAs have actually been created, there are none currently in the wild. For example, there is no record that the Palm.Liberty.A Trojan horse, which was discovered in August 2000, ever actually affected any users; the same goes for Palm.Phage.Dropper, which overwrites all installed Palm OS applications.
"I would say at this point, the threat is fairly minor," agrees Carey Nachenberg, chief researcher at Symantec Security Response. However, he also thinks that PDA viruses may begin propagating soon. "As more of these devices have network capabilities and are connected, I think we will see a surge in the number of infections."
Using the philosophy of one ounce of prevention, some antivirus software vendors are selling applications for PDAs, such as McAfee VirusScan Wireless (for both Palm OS devices and Pocket PCs), Symantec Anti-Virus for Palm OS, F-Secure Anti-Virus for Palm OS, and F-Secure Anti-Virus for Pocket PC. In all cases, the software allows automatic scanning for viruses during synchronization. In addition, McAfee and Symantec offer on-device scanning for Palm OS devices (for any viruses that may be transmitted from PDA to PDA), while F-Secure offers it for both types.
Certainly there are other mobile computing dangers to watch out for. The increased popularity of 802.11b wireless networks—and the availability of add-on cards for Palm, Handspring, and Pocket PC PDAs—means that any security concerns for 802.11b networks now concern enterprise handheld users.
There is some discussion concerning the implementation of Wired Equivalent Privacy (WEP) and whether it is open to compromise; also there is the possibility that PDA users who hook in on public WiFi connections could be vulnerable to attack. Nachenberg sees that as a future possibility, if appropriate safeguards aren't instituted. "You'll be walking down the street," he says, "and you may get a virus just by walking next to somebody who has an infected device, depending on the susceptibility of these machines."
Right now, that threat is only speculation, something to look at in the next few years. However, companies that are issuing PDAs to their employees may want to take actions today that will prevent the theft of sensitive information tomorrow.
This document was originally published by CNET on November 5, 2001.
Barbara Krasnoff has been a technology journalist since 1983. She was on the staffs of PC Magazine, Personal Computing, PC Sources, and Computer Shopper; her last position was as editor of Portable Computing magazine.