Unsecured Handhelds a Risk to Businesses and Individuals

[Steve]

A recent survey showed that many people store information on their handhelds that they, or their company, wouldn't want to fall into the wrong hands, But less than half take the steps necessary to properly protect this valuable data.

Read about it at http://www.brighthand.com/article/Un...ndhelds_A_Risk

[imported_dazz]

Companies should REALLY look at our software. DDH makes HanDBase which works on both the Palm and PocketPC and you can password protect AND encrypt data.

If companies were to provide the software and limit the sync options they would go a long way to keeping things tighter.

Sorry to advertise but if these companies bought HanDBase the user could have price lists, expense reports, contacts, internal memos, passwords and just about any other proprietary info encrypted on the unit.

Darren

[Sweetlu]

Losing or having my Palm stolen is a great concern to me and is always in the back of my mind. I keep all my senstive information in my adress book, PINs, passwords, account numbers, you name it. My concerns were addressed when I purchased PDA Defense. It's a pretty good and flexible program that enables you to encrypt and password protect any application you choose. It also closes a lot of the backdoor security issues that are present on OS 4.0. Still even with this application, they're too many clever people and applications available on the internet that I feel can somehow crack the code. That is why you have to stay ahead of the game and investing $20 is worth it if it is going to prevent someone from stealing your identity and clearing out your bank accounts. I got to take a look at some of these programs.

[Don't Panic!]

I like Nice Start the password enhancement for Pocket PC's. I keep it set for Always so that everytime I turn my 2215 off You need a password to turn it back on. It can even be set to Lock or Hardreset after a number of password attempts. Now what I need is something to encrypt individual files... Anyone use that encryption tool that comes with the latest iPAQ's?

Don't Panic!
Bobby

[EdH]

Quote:

Both Palm OS and Pocket PC devices have basic password protection. What's an open secret in the industry is that this can be broken with relative ease.

Do you have more info on this? I've not yet heard of the built in device security on a Pocket PC 2000, 2002 or 2003 being broken through anything but repetitive entry, which under 2002 and 2003, takes forever as with each incorrect entry, your device locks up for a few seconds, then minutes, then hours trying to ward off the brute force attack. There is more info at http://www.microsoft.com/windowsmobi.../security.mspx but specifically:

Quote:

Pocket PC 2002 supports both 4-digit and strong alphanumeric power-on passwords (see Figure 2) for protecting access to a device. Each time an incorrect password is attempted, a time delay that increases exponentially is enforced.

That holds true for 2003 as well.

[Gekko]

i love CryptoPad 3.64

1. just like memo-pad - free-form data entry, user-friendly.
2. strong encryption.
3. FREEWARE!!!!!!


http://www.palmgear.com/index.cfm?fu...CD&prodID=8225

[Applian]

For encrypting individual files on the Pocket PC, check out PocketLock from Applian Technologies here:

www.applian.com

This program makes it easy and convenient to encrypt any data file, automatically displays it, and then re-encrypts it again when you're through editing or viewing it.

Quote:

Originally posted by Don't Panic!
Now what I need is something to encrypt individual files...

Bill Dettering
Applian Technologies Inc.
www.applian.com

[PlasticMan]

Quote:

Originally posted by EdH
Do you have more info on this? I've not yet heard of the built in device security on a Pocket PC 2000, 2002 or 2003 being broken through anything but repetitive entry, which under 2002 and 2003, takes forever as with each incorrect entry, your device locks up for a few seconds, then minutes, then hours trying to ward off the brute force attack. There is more info at http://www.microsoft.com/windowsmobi.../security.mspx but specifically: That holds true for 2003 as well.

certicom says about its ppc software:

Quote:

Q. Why was movianCrypt developed?
A.Even when the device is turned off and locked, data remains in the clear, and a sufficiently motivated attacker may recover itUser data remains in the clear, available to an attacker. movianCrypt was developed to extend the built-in security features that ship with Pocket PC devices. While these built-in security features might be fine for some, users that store sensitive data on their devices should be aware of the potential risks:
*User data remains in the clear, available to an attacker.
*Even when the device is turned off and locked, data remains in the clear, and a sufficiently motivated attacker may recover it.

[EdH]

Quote:

Originally posted by PlasticMan
certicom says about its ppc software:

Quote:

Q. Why was movianCrypt developed?
A.Even when the device is turned off and locked, data remains in the clear, and a sufficiently motivated attacker may recover itUser data remains in the clear, available to an attacker. movianCrypt was developed to extend the built-in security features that ship with Pocket PC devices. While these built-in security features might be fine for some, users that store sensitive data on their devices should be aware of the potential risks:
*User data remains in the clear, available to an attacker.
*Even when the device is turned off and locked, data remains in the clear, and a sufficiently motivated attacker may recover it.

What does "sufficiently motivated" mean? Someone willing to sit there for days or weeks guessing a 4 digit code? That is an advertisement. I would really like to know the answer abouit comment in the article. Someone sufficiently motivated can also break movianCrypt. Nothing is unbreakable.

That is not to say Movian is incorrect. I know the data is clear and I am a huge eWallet fan and keep all of my sensitive data in there, but I am not worried about my plain text data in Contacts, appointments and other places unless someone can show me that the PPC built in security is not secure, not these vague comments that about being "sufficiently motivated" or "broken with relative ease."

[Ed Hardy]

"Relative ease" means just that. It's easier to break the password protection on a Pocket PC than on one of the other products I mentioned, which use 128-bit encryption.

Apparently the people at Microsoft agree. When I was researching this article, I ran across this Microsoft TechNet discussion on Pocket PC security in the enterprise. In it, when someone asks about how to strongly secure the contents of the handhelds in their control, the marketing manager for Enterprise Strategy in Microsoft's Mobility Group suggests that the person look at the third-party applications on the Security category of Microsoft's Enterprise Solutions list. Seems obvious to me that he doesn't believe the security built in to Pocket PC was strong enough for an enterprise.

If you are willing to live with a lower level of security for your info, that's your decision. And it may be the right one if what you carry around isn't that sensitive. But it is a lower level of security.

I ran across one other relevant (and interesting) thing while doing the research: a company called Password Crackers, Inc. They specialize in breaking password protection on various files and systems. These people aren't crooks. Lots of employees quit or get fired and only later do their companies realize they can't get into their locked files. Password Crackers' site doesn't list either Palm OS or Pocket PC as one of the operating systems they will do this for or I'd have mentioned it in the article. But it is still an indication that just putting a password on something isn't a panacea for security.