Handheld devices are a security risk
Workers' remote wireless access to documents lets hackers grab data
January 6, 2008
By WAILIN WONG
CHICAGO TRIBUNE
Smart phones are poised to become the next major security challenge for businesses.
For now, a good rule of thumb for on-the-go workers is: "If you don't need to do it, don't do it," said Aaron Cohen, chief executive of the Hacker Academy, a Chicago-based firm that provides security training for companies and government agencies. Cohen warned against idly checking e-mail or opening sensitive documents on a handheld device unless it's absolutely necessary.
Security experts say that, in general, business-oriented smart phones come from the manufacturer with decent built-in safeguards, such as encryption and firewalls.
But consumer-oriented mobile phones, which have far fewer safety features, are increasingly taking on such PC-like characteristics as Wi-Fi connectivity, making them attractive to people who want to use them for work.
In a Computing Technology Industry Association survey conducted this year of 1,070 small businesses in North America, 60% of firms said they've seen an increase in the past year in security issues related to the use of handheld computing devices.
Chris Nickerson, a Denver-based security specialist at Alternative Technology, said the concern for businesses is whether these phones "will cause so much of a risk that they will eventually ... just be banned from corporate environments."
Laptops, smart phones and PDAs give employees the ability to work from home or travel far from the office, all while transporting the information they need on their mobile devices. But the increasing ease of working remotely is creating a growing set of security concerns for companies.
Workers on the go "still want access to the same data applications that they have if they're sitting at their desk in their office," said Steven Ostrowski, spokesman for the Computing Technology Industry Association. "Mobility is a great thing ..." but "every one of those individuals that's accessing the network remotely is a security risk."
So far, there haven't been any high-profile epidemics of mobile viruses like the "I love you" worm for PCs that spread rapidly around the world in 2000. But developers have demonstrated the destructive potential of such worms.
The "Cabir" virus, which first appeared in 2004, used Bluetooth technology to jump from phone to phone. Another virus, known as "Commwarrior.A," replicated itself by sending a picture or text message to people in the infected device's contacts list.
Theft is a bigger issue now.
Nickerson said he walked through an airport carrying a suitcase that contained a device that sucked up hundreds of megabytes of contact information and other personal data through unprotected Bluetooth connections.
Nickerson has used the same machine in the offices of his corporate clients. The gadget searches for Bluetooth devices for which users haven't changed the manufacturer-provided default passwords. The machine enters the default password and accesses information through the open Bluetooth connection.
"You'll be amazed," said Nickerson, who is featured in a cable TV program that follows his team as it infiltrates corporate security systems. "You'll look at this hard drive when you're done, and you'll see everything from pictures of people's families to user names and passwords and financial data."
Someone using a company laptop to send data from a nonsecure Wi-Fi hotspot could unwittingly have that information monitored. Neglecting to set new passwords on phones and other devices leaves them vulnerable. Companies also face the headache of theft or misplacement of phones, external hard drives and pen-size flash drives.
While hacking once was about bragging rights or cyber vandalism, security industry officials say profit now largely drives attacks, as the kind of information traveling over wireless networks grows in volume and value.
Terry Kurzynski, CEO at Chicago-based Halock Security Labs, said a stolen credit card with an accompanying security code can fetch at least $9, compared with $1.50 for just the number and its expiration date.
Ostrowski, of the CompTIA, said a greater emphasis on training will help companies communicate to their employees that there's a trade-off between convenience and security risks.
"Security has to come out of the IT department," Ostrowski said. "It can't be relegated to the geeks anymore. It has to be part of the corporate culture."
January 6, 2008
By WAILIN WONG
CHICAGO TRIBUNE
Smart phones are poised to become the next major security challenge for businesses.
For now, a good rule of thumb for on-the-go workers is: "If you don't need to do it, don't do it," said Aaron Cohen, chief executive of the Hacker Academy, a Chicago-based firm that provides security training for companies and government agencies. Cohen warned against idly checking e-mail or opening sensitive documents on a handheld device unless it's absolutely necessary.
Security experts say that, in general, business-oriented smart phones come from the manufacturer with decent built-in safeguards, such as encryption and firewalls.
But consumer-oriented mobile phones, which have far fewer safety features, are increasingly taking on such PC-like characteristics as Wi-Fi connectivity, making them attractive to people who want to use them for work.
In a Computing Technology Industry Association survey conducted this year of 1,070 small businesses in North America, 60% of firms said they've seen an increase in the past year in security issues related to the use of handheld computing devices.
Chris Nickerson, a Denver-based security specialist at Alternative Technology, said the concern for businesses is whether these phones "will cause so much of a risk that they will eventually ... just be banned from corporate environments."
Laptops, smart phones and PDAs give employees the ability to work from home or travel far from the office, all while transporting the information they need on their mobile devices. But the increasing ease of working remotely is creating a growing set of security concerns for companies.
Workers on the go "still want access to the same data applications that they have if they're sitting at their desk in their office," said Steven Ostrowski, spokesman for the Computing Technology Industry Association. "Mobility is a great thing ..." but "every one of those individuals that's accessing the network remotely is a security risk."
So far, there haven't been any high-profile epidemics of mobile viruses like the "I love you" worm for PCs that spread rapidly around the world in 2000. But developers have demonstrated the destructive potential of such worms.
The "Cabir" virus, which first appeared in 2004, used Bluetooth technology to jump from phone to phone. Another virus, known as "Commwarrior.A," replicated itself by sending a picture or text message to people in the infected device's contacts list.
Theft is a bigger issue now.
Nickerson said he walked through an airport carrying a suitcase that contained a device that sucked up hundreds of megabytes of contact information and other personal data through unprotected Bluetooth connections.
Nickerson has used the same machine in the offices of his corporate clients. The gadget searches for Bluetooth devices for which users haven't changed the manufacturer-provided default passwords. The machine enters the default password and accesses information through the open Bluetooth connection.
"You'll be amazed," said Nickerson, who is featured in a cable TV program that follows his team as it infiltrates corporate security systems. "You'll look at this hard drive when you're done, and you'll see everything from pictures of people's families to user names and passwords and financial data."
Someone using a company laptop to send data from a nonsecure Wi-Fi hotspot could unwittingly have that information monitored. Neglecting to set new passwords on phones and other devices leaves them vulnerable. Companies also face the headache of theft or misplacement of phones, external hard drives and pen-size flash drives.
While hacking once was about bragging rights or cyber vandalism, security industry officials say profit now largely drives attacks, as the kind of information traveling over wireless networks grows in volume and value.
Terry Kurzynski, CEO at Chicago-based Halock Security Labs, said a stolen credit card with an accompanying security code can fetch at least $9, compared with $1.50 for just the number and its expiration date.
Ostrowski, of the CompTIA, said a greater emphasis on training will help companies communicate to their employees that there's a trade-off between convenience and security risks.
"Security has to come out of the IT department," Ostrowski said. "It can't be relegated to the geeks anymore. It has to be part of the corporate culture."
No comments:
Post a Comment