Protect against these two everyday security risks

Just because specific threats haven't surfaced doesn't mean you can afford to let down your security guard. In fact, regular business tools can sometimes present the biggest threat. In this edition of the IT Locksmith, John McCormick discusses two mundane activities that can put your corporate data at risk.

A security company highlights the gigantic security risk posed by employees' cell phones and PDAs with a recent experiment. Meanwhile, AOL antics bring home the issue of privacy and search engines.


It seems simple enough: Your company permits employees to use PDAs, BlackBerries, and cell phones, which they load up with personal and corporate information—including accounting details, private phone numbers of various staff, and (almost certainly) highly confidential information, such as passwords, client names, contract details, etc. However, while these devices greatly speed up business, they're safe only as long as no one loses or has one of the devices stolen.

In addition, even if that data is secure when in the user's control, what happens when you sell or otherwise dispose of the old models? You don't crush them, do you? No, you probably either sell or donate them. But that's no problem, is it? Just perform a hard reset, and everything is gone, right?

Wrong! McLean, Virginia-based security company Trust Digital decided to test this assumption. The company purchased 10 phones and PDAs on eBay and then started digging into the information still on the devices.

According to its press release, what they discovered was an incredible treasure trove of nearly 27,000 pages of data from nine of the devices. Some of the information was highly sensitive data—even from the devices that had been through a hard reset. The problem, of course, is that the devices' Flash memory retains data even after a hard reset.

A few devices now include a hard wipe function, but most require special software to completely remove the information on your PDA or smart phone. Personally, I'd use a hammer—just as I would on any hard drive I was discarding.

Searching for security in all the wrong places?

The recent antics of some AOL employees—now former employees—have highlighted the newest threat to privacy on the Internet. The workers released three months' worth of data on the search patterns of a massive number of users. Consider just how much information one could discover about the average person or company by looking at their search engine activity, and you should understand the level of concern.

A recently developed program for Firefox is the first of what will probably become a flood of products designed to give users an easy way to hide in plain sight by automatically generating fake searches. Designed by New York University computer scientists, TrackMeNot creates and sends randomly combined words in an attempt to bury anyone who searches your records in a flood of confusing and nonsensical data.

Although the most paranoid among you may decide to give this software a try, I doubt it's sophisticated enough to really work. However, if it proves popular at all, you can expect a flood of similar programs.

But let's consider the possible ramifications. What if the random searches generate search strings that bring you to the attention of those automatic scanners almost certainly used by the government? If these programs become popular, will the flood of nonsense searches overload search engines? Could these tools help inflate the number of search hits to increase advertising revenue? Will the flood of nonsense searches cause search engines to generate the relatively simple code necessary to block all search requests from people who use this kind of software?

The possible downside of these programs is pretty obvious, but that probably won't stop millions of people from using them. While the idea has some merit, I'd file this kind of software in the trash bin labeled "too many possible unintended consequences."

If you really don't want people to know what you're researching, try using a search engine that doesn't gather any personal information. One notable example is Clusty.com, which boasts a simple, straightforward privacy statement. (I'm sure there are other sites like this, but Clusty is the one I happen to use.)

Compare this to Google. The most obvious example of what can happen is if you have a Gmail e-mail account. If so, then there's a cookie on your computer, and Google can track all of your searches. Of course, if you actually give factual information about your identity to a free e-mail provider, then you probably deserve what you get.

On the other hand, I use a lot of Google features and find the automatic identification useful. It all depends on what you're doing on the Web—and what you feel the need to conceal.

Miss a column?

Check out the IT Locksmith Archive, and catch up on the most recent editions of John McCormick's column.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

Editor's Picks

Free Newsletters, In your Inbox