PDA Security, the Next Big Hurdle for IT?
Jack writes "ITO published an article on a new secure PDA requested by the NSA. 'General Dynamics inked an $18 million contract with the secretive National Security Agency to design and develop a secure mobile personal assistant for defense workers. The PDA will integrate all types of communications including voice, data and web.'" In related news, palmtops writes "Insecure Magazine has a great and in-depth article written by Seth Fogie, the VP of Airscanner.com, about Pocket PC security. His summary of PDA attacks states: 'These devices are easy to smuggle into a business and can be used to propagate an attack against network devices. Don't make the mistake of assuming a PDA is a simple data keeper. As the cliché goes... it is how you use it that matters.'"
PDA? (Score:4, Funny)
Re:PDA? (Score:1)
Re:PDA? (Score:2)
Can't take them seriously... (Score:5, Funny)
From the (IN)SECURE article: How are we supposed to take this article seriously, when the author can't even spell 'pwn3d' correctly? ^_^
just another ploy (Score:4, Insightful)
Re:just another ploy (Score:4, Interesting)
This was in the times where most software of that kind was written by one-man companies. Now, in the days when AV is a major industry, are you going to bet that no virus authors are employed by those who benefit the most from virii?
Re:just another ploy (Score:2)
Re:just another ploy (Score:1)
don't know, but he created it to boost business at his parent's computer repair shop
Re:just another ploy (Score:1)
Even if a virus cannot attack the PDA directly, it can sit quietly in an email attachment on the device until the device gets synced to a pc, where it can affect the pc. This is where AV software can be useful now - ensuring the data on the device is clean before syncing it to a pc. Before long there WILL be plenty of malware designed to directly attack PDAs but with the wide variety of PDA platform/versions out there it will be difficult to target a sufficiently large set of users to accomplish whatever go
This is necessary stuff (Score:2)
This is just another reminder of how vigilant we must always be.
Re:This is necessary stuff (Score:2, Insightful)
Either way, AV for the Palm is utterly unnecessary. Spend your money where it makes a difference.
Re:This is necessary stuff (Score:3, Insightful)
More importantly, there are people that he is not friends with who have wireless PDAs right outside his window!! Ok that's tinfoil hat, but really the point is not to secure PDAs but to protect your network from PDAs IMO
Re:This is necessary stuff (Score:1)
I've just bought an iPAQ with wireless on, so I thought I would have a wander around town on my lunch hour with WiFiFoFum scanning (think Kismet / NetStumbler for Pocket PC).
As I sit back here at my desk I can see it picked up 138 unique networks, and only 27 of those are showing as having WEP / WPA. Many of them even still have SSIDs of 'linksys' and 'NETGEAR' etc.
Something such as hitchhiker will even automatically try to associate and get web access through the AP with the zero user
Re:This is necessary stuff (Score:3, Funny)
Re:This is necessary stuff (Score:3, Interesting)
Bottom line - I can
Re:This is necessary stuff (Score:1)
Eeeew! I'm glad my job isn't to refurbish Zaurus units that were sent in due to the buttons sticking.
Links (Score:5, Informative)
It might be a little late mentioning this but the link in this snippet actually points to a 9.1 meg PDF file.
In the future it would be nice if submitters (and especially editors) actually describe the target of a link when it doesn't go to a good old fashioned HTML or XHTML page of content.
Re:Links (Score:1, Funny)
Re:Links (Score:1)
Re:Links [OT] (Score:5, Informative)
Re:Links [OT] (Score:3, Informative)
Re:Links [OT] (Score:2)
Re:Links [OT] (Score:1)
Better yet, use TargetAlert [bolinfest.com], a Firefox extension.
In addition to the great PDF notification feature, it also tells me about those pesky links that open in new windows---which I hate, because I just want them in the same window, or a new tab, or something.
Re:Links (Score:1)
Re:Links (Score:1)
What can you do with $18mln (Score:4, Insightful)
The only hardware change seems to be the Defense access card integration.
Somehow it feels like this device is going to cause a lot of embarrassment later when one gets in the wrong hands and breaks all the security at once.
Re:What can you do with $18mln (Score:2)
Re:What can you do with $18mln (Score:2)
Re:What can you do with $18mln (Score:2)
I thought... (Score:2, Informative)
Re:I thought... (Score:3, Informative)
I am quite often in places where usage of a mobile phone is prohibited completely (for a whole lot of reasons, including security) and have yet to find a phone with good enough PDA functionality but without a camera (again, I have to be at places where carrying any form of camera whatsoever is prohibite
Future of PDA... (Score:5, Interesting)
As for the laptop, it looks like that will be around for a while. At this point, the PDA just doesn't have the display or input capability to make it the all-in-one personal computing tool. In order for a PDA-sized device to displace the laptop, the I/O needs to get way more advanced, something on the order of a combination ocular/cochlear implant and voice (or better yet, thought) recognition.
What are the security folks gonna do when the day comes that you can look at a document and issue a thought-command "copy"? I'm guessing that will be the end of paper documents; to be replaced entirely by electronic (and encrypted) communications for all purposes, including money.
Re:Future of PDA... (Score:2)
Re:I thought... (Score:2)
Actually GSM phones and PDAs seem to be slowly merging [sonyericsson.com]. My guess is that the winner will be some form of hybrid between GSM phone, PDA and iPod-like media player... GPS functionality (complete with maps and route planners) wouldn't be bad either.
Re:I thought... (Score:2)
It has to be small enough to play nethack anywhere.
Convergence is a compromise (Score:3, Interesting)
I've done every combination of laptop, PDA, phone, and converged device, and none of them are perfect. As I get older, I like fussing with stuff less and less, and value simple functionality more and more. I don't really want PDA functions intruding on my phone -- what I'd appreciate is a large, well laid out hardware dial pad. I don't want to fuss with multi-level menus on a tiny phone screen. Making all the
Solving yesterday's problem... (Score:5, Insightful)
Riiight, so it's sort of a SMARTPHONE then? Sure PDAs could be a threat, but it's probably worth focusing more on something that everyone already has and which has all this functionality already, as well as a digital camera etc.... the ubiquitous mobile phone.
Developing, and then requiring, a "secure" PDA for all your people and then being "surprised" when information leaks via their mobile phone with the 1GB Flashcard, 2 Mega-pixel camera and Broadband 3G connection doesn't sound like a plan for tomorrow.
Re:Solving yesterday's problem... (Score:3, Insightful)
Don't make the mistake of assuming a PDA is a simple data keeper. As the cliché goes... it is how you use it that matters.
There are adaptors for TI Calculators that turn them into serial port terminals. Most digital cameras run some variant of DOS under the hood, and can be programmed to run any script that you would want. GB USB flash drives are small enough to be hidden basically anywhere these days. And anything with bluetooth is 0wnable and can be use
Most of 'em are banned (Score:2)
The problem lies with the fact that it's
Re:Most of 'em are banned (Score:2)
We're not allowed to connect to the internet unless we go through a Citrix session. We can't cut and paste between the Citrix session, but we are allowed to save to the host computer, then use SAMBA to connect to that host and grab the file.
We're not allowed to access the secure LAN from our workstations, but we are allowed to bring data sticks into the office, and use them to take data off the secure LAN.
We can
Re:Most of 'em are banned (Score:2)
Bail-out.
Too many standards (Score:5, Insightful)
Bored (Score:2, Funny)
Would someone please post a feed-line so I can post a funny reply and get some karma.
Thanks.
Re:Bored (Score:1)
Re:Bored (Score:1)
Re:Bored (Score:2, Informative)
Re:Bored (Score:2)
Not on slashdot, but it does in real life.
THE PDA THREAT!! Woooh! (Score:3, Insightful)
You can smuggle 1 GB of viral data into a facility in the roof of your mouth (SD Card). SD CARDS ARE THE NEXT THREAT TO WORLD SECURITY!!!
I think you get my point.
PDAs are computers; nowadays they are about the horsepower of a full-size computer 10 years ago. That's all we need to know, and address the PHYSICAL and INFRASTRUCTURE security appropriately for them.
The number 1 hacker method will always be social engineering. A
Steal a mainframe (Score:3, Insightful)
Pimp my forklift (Score:1)
Up to NSA standard (Score:3)
Re:Up to NSA standard (Score:2)
Re:Already done... (Score:1)
Anonymous coward wrote:
"People just need to use it" is the crux of the whole problem. Look at the virus issue. There are steps that can be taken to secure Windows PCs in such a way as to protect them against the majority of threats (all those of you who said "Yes, install Linux" settle down - you'll get your turn later). Nevertheless, as we all know to our cost, there are probably hundreds of thousands if not millions of
Openbsd (Score:4, Informative)
Nuff Said.
What about desktops? (Score:2, Insightful)
PDA cases (Score:2, Insightful)
I have never seen a guard stop a person holding a PDA case in their hand.
how to wipe pdas clean... (Score:2)
ostiguy
Re:how to wipe pdas clean... (Score:2)
Unsecure Security (Score:2, Funny)
But wouldn't those still fall for the regulations of the FCC?! The wireless tracking [slashdot.org], VoIP tapping [slashdot.org] and backdooring networks [slashdot.org]
If those PDAs are for gov. use only, that still doesn't prevent gov. agencies from spying on each other! or even prevent black-hats from accessing gov. networks then PDAs
Re:Tablet PC (Score:1)
You're joking right?
Mod parent funny.
My best hacking devices... (Score:4, Interesting)
However, a "secure PDA" by NSA standards somewhat tells me it must have a backdoor of some kind...
Homephone (Score:3, Insightful)
But also, most importantly, because they're so extremely valuable as security devices. People can trust their own phone, if really secured. They can carry it anywhere. Especially once phones are <$20 each, they can have several secured phones left around their car, their office, other locations they frequent. A reliable biometric access device, like a thumbprint scanner, makes the "phone" an extension of the person's identity. Appropriate, when it stores both all their personal data, and their contacts with other people - as well as executing access to them. Securing one's phone can make access to the rest of the virtual world secure, at just the persistent device closest to us. If that little gizmo is really going to become our "universal remote" to all worlds both real and virtual, it needs to recognize us exclusively, and vice versa, to represent us there.
Re:Homephone (Score:2)
I would myself rather opt for a PIN or similar scheme (e.g. put pictures in a specific order) to access the device. These kind of devices tend to get used pretty much, so the
My little PDA Security Article... (Score:2)
It briefly surveys a number of key issues, and has some good links/ references at the end.
For anyone interested, you can read it here:
http://iamsam.com/papers/PDA_Security.htm [iamsam.com]
Later-
Sam
Sam Nitzberg
sam @ iamsam . com
http://www.iamsam.com
Palm OS 6 Cobalt (Score:3, Interesting)
It's a shame that no Palm OS 6 Cobalt [palmos.com] devices have actually made it to market, because PalmSource has done a lot right in that version of the Palm OS to provide a sound security model.
Not only does the OS provide for digital signing of code, it provides secure databases where only signed applications can access the data. You can control which databases are synchronized to the desktop, and even which applications can access screen buffers (to prevent screen-scraping).
Hopefully either Palm OS 6 Cobalt or its Linux-based successors will make it into actual devices soon. It would be a huge step toward powerful, secure PDAs.
Windows Mobile Attack Illustration (Score:2, Informative)
From buffer overflow to virus and trojan examples, it is all covered.
Plus these links have information of value as well:
Hacking Windows CE - Phrack 63 http://www.phrack.org/show.php?p=63&a=6 [phrack.org]
Pocket PC Phone Shellcode: http://www.mulliner.org/pocketpc/ [mulliner.org]
Blackhat talk by Seth Fogie: http://www.airscanner.com/pubs/BlackHat2004.pdf [airscanner.com]
Next big thing? (Score:2, Funny)
Pocket PC OS vs Windows? (Score:2)
Lost and found (Score:1)
Re:Why even try (Score:2)
Believe me, if the government (especially the NSA, they're not known for wasting money) wants something, they'll get it.
Care to elaborate? (Score:2)
All donuts are defective (Score:4, Funny)
Since the problem is so widespread and since there does not seem to be a regulatory body concerning the properties of a donut, congressional inquiries can almost not be avoided.
In other news: Martha Stewart proposes American Donut Standard Association
Re:All donuts are defective (Score:1)
Not true [krispykreme.com]
Re:All donuts are defective (Score:1)
Re:All donuts are defective (Score:2)
Re:All donuts are defective (Score:1)
Because it's necessary... (Score:5, Informative)
I work for an agency under DoD as ADP R&D Program Manager. I think you'd be amazed at how many people are hollering for connected PDAs - and for the ones who have a real need we usually give them Blackberrys but you can't connect a Blackberry to a trusted network ;-)
Granted, most of these connected PDAs will end up in a desk drawer as soon as the user finds out how unpleasant it can be to send and receive email with a PDA, but they still want the things - and most of the people who want them outrank me. If the boss wants executive jewelry I guess it's my job to get it for him.
Common access card compatibility will be a good thing - except the resulting PDA will probably be about the size and weight of your average brick. Right now we've got more than enough challenges with PDAs as DoD requires FIPS 140-2 encryption, a firewall feature set and a virus scanner on connected PDAs.
I did send TFA to our local IA department just because I like to watch their heads spin around every once in awhile, though - the last time I did that I sent them a brochure on an NSA-approved 802.11 solution for access to *classified* computer networks.
I love my job ;-)
Re:Because it's necessary... (Score:2, Funny)
Re:Because it's necessary... (Score:2)
Actually my responsibility is research and development, not security. I just have to make sure solutions I implement meet existing security guidelines - and you'd be surprised how much good information I get from /.
Scalding users for bad PINs is probably illegal. Besides, some of them are bigger than me and would probably kick my ass for throwing hot water on them ;-)
Re:Because it's necessary... (Score:1)
The challenge is to have a "persistent ID" that follows the user of the PDA from location to location along a network (typically wireless, from one building to the next). This raises significant concern, how do we verify that the person using the PDA is the authorized person?
Other than that it's just the typical gauntlet of bounds checking, software verification, and automated patching. Oh yea, and tacking on mission-critical hardware.
Doing that while retaining PDA
Re:Because it's necessary... (Score:2)
That's what the Common Access Card (CAC) mentioned in TFA does. My government ID badge is now a smartcard that has among other things a digitized fingerprint and photograph and ID, email and encryption certificates written to the mem
to summarise... (Score:1)
did i miss anything?
Re:to summarise... (Score:2)
Other than a bit of punctuation, no ;-)