SolutionBase: Supporting and securing new pocket PC devices

Pocket PCs may be cool little devices, but they introduce a whole new layer of security vulnerabilities to your organization. Here are the steps you need to take to lock them down.

Whether you are a busy executive or someone like myself who has a near fetish for cool, high tech, toys, you probably feel lost without your Pocket PC. I for one, use my Pocket PC so frequently that I can't imagine how I ever got by without one. As indispensable as a Pocket PC might be, they do have a dark side. Whether you use your Pocket PC for company business or for personal use, a Pocket PC can be a major threat to your data's security. In this article, I will explain why this is the case and what you can do about it.

Why a Pocket PC is risky

When you think of Pocket PCs being a risk to security, thoughts may come to mind of giant corporations who issue Pocket PCs to their executives so that they can connect to the company through a VPN. Although there are certainly security risks associated with connecting a Pocket PC to a corporate network, you can usually prevent these types of security breaches by securing your device (and your network) in the same way that you would secure a laptop. Rather than rehashing tired laptop security techniques, I want to talk about some security risks that you might not have thought about.

Everyone uses their Pocket PC differently, but generally speaking, the biggest threats to Pocket PC related security are theft of your information, and theft of your identity. Even if you don't have your Pocket PC configured to connect to a network, the information that's stored locally on the device can be dangerous in the wrong hands.

Imagine that someone were to steal your Pocket PC. What could they do with the information stored on it? Well, for starters, the main screen contains the device's owner information. If you have filled out the owner information, then the thief will have your address and phone number. Microsoft allows you to enter owner information so that if your device can be returned to you if it is ever lost. At the same time though, having your address and phone number is a great starting point for anyone who wants to pull off an identity theft scam.

What if the thief isn't interested in identity theft, but rather in the value of the device itself? Well, in that case, the thief now knows where you live. The thief also knows that you are the type to walk around with an expensive toy in your pocket. Furthermore, the thief can simply look at your calendar and your task list and see exactly when you are and are not planning on being at home. This is a dream come true for a thief.

So what else is in your Pocket PC that some unscrupulous person might use against you? How about your e-mail? There are a few different ways that e-mail can be exploited. For starters, someone could read through any messages in your inbox looking for anything confidential or juicy. More importantly, though, if someone has your Pocket PC, they can send e-mail messages in your name. Imagine the havoc that a thief could cause if they were to start replying to your e-mail. They could send a phony letter of resignation to your boss, send obscene messages to your mother, or something much worse. In any case, it's better to prevent such an incident than to have to try to explain all those e-mail messages.

Some Pocket PCs, such as the one that I use, have an integrated cell phone. If your Pocket PC has a phone, and someone steals it, not only is your voicemail compromised, a mischievous thief could change your voice mail greeting to something humiliating. Never mind the fact that the thief could pump up your phone bill with all those calls to countries that no one has ever heard of.

Hopefully, you are starting to get the idea about just how badly someone could wreck your life if they stole your Pocket PC. There is at least one more thing that a thief could use against you, and that's your contact list. Imagine for a moment that the thief was a competitor or a rival co-worker. If you had your customer's contact information stored in the Pocket PC, then the person who stole the device can start trying to take sales away from you.

What do you do about the threats?

Since locking your Pocket PC up in a vault and never using it again isn't really a practical solution for most of us, I want to spend the rest of the article discussing ways that you can avoid becoming a victim of PDA theft. There are really two ways that you should protect your Pocket PC. First, you should physically protect the device. This means protecting the device against being lost or stolen. Second, you should protect the data stored on the device. Essentially, this means assuming that sooner or later your Pocket PC will be lost or stolen, and taking steps to prevent a thief from gaining access to any of your data.

Physical security

While researching this article, I read a post on a Web site from someone who suggested that the way to prevent your Pocket PC from being stolen was to always carry it in your front pocket (It is a Pocket PC after all). Personally, I think that this sounds a little uncomfortable, and it might be a little hard on the device. There are other things that you can do to prevent your Pocket PC from disappearing though.

The best way to protect your Pocket PC really depends on your environment and what you use your Pocket PC for. I have been in offices and seen people leave Pocket PCs in the cradle while they are away from their desk. In my opinion, this is just asking for trouble. There is nothing stopping a thief from simply taking the device out of the cradle and disappearing. Your Pocket PC is generally much safer either with you or in a locked drawer.

If you travel with your Pocket PC, then pretty much the worst thing that you can do is to put it in your back pocket or to have it hanging out of an outside pouch on your laptop bag. An ideal solution is to place the device inside a locked laptop bag or into a locked briefcase. If this isn't an option, then consider getting a holster that attaches securely to your belt. Holsters aren't perfect, but they are more secure than a back pocket and they provide you with easy access to the device.

Data security

Now that I have talked about some ways that you can prevent your Pocket PC from being stolen, I want to discuss some things that you can do to prevent your data from being compromised if the device is stolen. The first technique that I want to share with you could also be classified as a physical security technique.

As you probably know, most newer Pocket PCs contain a slot for an extra memory card. Most people that I know who use this slot do so as a way of gaining extra storage space. However, a memory card can also be used as a security device. You can store your data on the memory card rather than within the device's built in memory. You can then remove the memory card whenever you aren't using your device. That way, if your device is ever stolen, no data will be compromised.

Another essential element to securing your device is to use a power on password. That way, you won't just be handing a thief your data, you are making them work for it. There are techniques for beating a power on password, but a novice might make the mistake of performing a full reset on the device, which would erase the password and everything else that's stored on the device.

While I'm on the subject of passwords, I should mention that although older Pocket PCs only supported a four digit numerical PIN, newer devices allow you to enter long, alphanumeric passwords. The longer the password that you use, the less chance that someone will be able to gain access to your data.

Destruction of data

If you were to lose all of the data that's stored on your laptop, you would probably be pretty upset. One of the things that makes a Pocket PC unique though is that it is frequently synchronized with your desktop machine. This means that unless you happen to have created a new file since the last time that the device was synchronized, the data stored on your Pocket PC is simply a copy of some of the data that exists on your desktop PC. This means that although most people would prefer not to lose the data that's stored on their Pocket PC, the data is technically expendable since it is merely a copy of the "real data".

This being the case, some third party software manufacturers have started using a security technique known as bombing. Bombing is basically a self-destruct mechanism for a Pocket PC. If a certain condition occurs, then the bombing begins and all data is destroyed.

One company who includes a bomb in their PDA security products is PDA Defense . PDA Defense makes a self-titled application that is one of the most comprehensive PDA security applications available. PDA Defense makes use of bombing in two different ways.

One way that PDA Defense uses bombing is in the event of an attempted brute force password crack. PDA Defense can be configured so that if invalid passwords are attempted a specific number of times then a bombing sequence will initiate.

The other way that PDA Defense uses bombing is in a time bomb mechanism. As I explained earlier, most Pocket PC users occasionally synchronize their Pocket PC with their desktop computer through the use of a docking cradle. If you are in the habit of frequently synchronizing your Pocket PC, then you can plant a time bomb that tells PDA Defense to bomb the device if it has not been synchronized for a specific number of days. The assumption here is that if the device hasn't been synchronized in a couple of weeks then the device has probably been misplaced or stolen, and the data should therefore be removed.

In my opinion, the time bomb is a neat feature, but it is one that you will have to be careful with. Sure, you will never lose your data because it exists on your desktop PC. However, if you ever take a long business trip or a long vacation, you will want to be sure to disable the time bomb or change the counter before you go. It would be awful to have your data self destruct just because you are away from the office on a trip.

PDA Defense offers much more than just data bombing though. The Pocket PC version features full 128 bit encryption, combined with on demand decryption. This means that data is decrypted as you need it. This saves a considerable amount of time over decrypting all of your data at once. The encryption feature can even be applied to data stored on a memory card.

Some other cool PDA Defense features are the ability to automatically lock the Pocket PC after a specific amount of time, and the ability to remain active even after a soft reset. Normally, a soft reset will terminate anything that might be running. It is basically the Pocket PC equivalent to a reboot. A hard reset will remove PDA Defense, but it will also remove everything else that might be on the device as well, returning the device to the state that it was in when you bought it.

I simply don't have enough space to tell you about all of the cool features that PDA Defense offers. What I can tell you is that the software has received excellent reviews and only costs about $40. If you are serious about keeping your Pocket PC secure, then you should order a copy.

As vulnerable as laptops

Pocket PCs are subject to many of the same security threats as laptops. In fact, there are even viruses that are designed to attack Pocket PCs. Fortunately, it's very easy to protect a Pocket PC against viruses. In fact, Trend Micro is currently offering a Pocket PC anti virus program for free at its Web site.