Securing Wireless Devices
Whether hackers are posting shock pages as practical jokes or creating more serious damage to businesses that rely on the Internet for profit, cybercrime is on the rise and with it, an ever-increasing awareness of the need to beef up security. But it is not only the ungoverned Net that's cause for concern. The recent theft of Qualcomm CEO Irwin Jacob's laptop from a hotel conference room dominated headlines and drew attention, once again, to the general lack of concern over security issues in the wireless arena. According to various news reports, Jacob's laptop contained proprietary information valued in the millions, yet its only protection was a password.
While most laptops are stolen for the purpose of reselling the device or the hard drive, approximately 10 to 15 percent are stolen by criminals intent on selling the data, according to William Malik, vice president and information security research director with the GartnerGroup. As valuable enterprise information makes its way from the safety of office firewalls to remote locations frequented by mobile workers, companies can't afford to overlook the importance of implementing security solutions to protect their mobile devices and--more importantly--their businesses.
I Love You, I Love You Not
Few of us were untouched by the "I love you" virus. But what didn't garner much attention in the press was that while the virus infected files, it was also out to steal passwords and send them back to an e-mail account in the Philippines.
The rise in viral outbreaks, especially those that not only threaten to eradicate applications but also steal passwords that could lead to data theft, is not only a concern for desk-bound PCs but is fast becoming a threat for mobile devices as employees continue to store increasing amounts of data on them. McAfee.com, a Sunnyvale, Calif.-based security and anti-virus ASP, responded to this concern with the launch of its Wireless Security Center in June. "A lot of people were using handheld devices--Palms and CE devices--and we started looking at this market to see how we could integrate our technology and protect those devices," says Do Kim, McAfee's project manager for the Wireless Security Center. "Most of these devices need to be synced with your desktop, usually your e-mail client, and what we saw as the biggest threat with these devices was that they are a great way to introduce a virus into the desktop or corporate network. We scan the devices remotely from the PC during the synchronization process."
Recently, McAfee introduced the Guard Dog for Palm, which resides on the handheld and is designed to secure it against malicious code that could change or steal passwords, corrupt or erase files or disable systems. In August, Guard Dog was put to the test when Liberty Crack, the first-ever Trojan horse (a destructive program that masquerades as a benign application) to attack the Palm OS, appeared on the scene and threatened to wipe all applications off of the unsuspecting victim's PalmPilot. Guard Dog caught the malicious behavior and alerted the user before any damage could be done.
Kim admits that it's possible for viruses to "steal" data off handheld devices but says that it would be very difficult to do so as the devices exist in their present form. "Most of these devices are tied to a PC," he explains. "The person writing a virus would have to not only bypass the desktop security but also bypass the handheld security--but as we become more and more wireless and not necessarily tied to a PC, I can see [data theft] happening."
And the Password Is...
Although security is becoming more of a priority in the wireless industry, many feel that we still aren't paying enough attention to it. According to John Pescatore, GartnerGroup research director, less than 10 percent of wireless implementations include the three factors necessary to provide appropriate protection for sensitive data: link encryption, access controls on wireless devices and strong authentication of users.
"If you look at a mobile workforce, these people want to get full access to any application they might have while they're sitting at their desk," says John Worrall, RSA Security's director of product management. "They don't want to be limited based on where they're physically located, and having that information anytime, anywhere requires them to have remote access to the corporate network. When people are accessing the network, it's imperative that the organization know exactly who that person is."
The most common form of user authentication is the password--but how secure is this method? Most people pick passwords that are easy to remember--like their children's names or their birth date--but also easy for someone else to guess. Also, as Worrall points out, password hacking programs are available on the Internet and easy to operate. Once a hacker gains access to an NT or Unix network, says Worrall, they can gain a copy of a password file and run a dictionary attack.
"These programs have dictionaries of, say, the 30,000 most common passwords. You can pick dictionaries with different themes, you can pick the size of the dictionary and the software program runs through that password file until it finds a match." Once the hacker finds a match, that match is written to a log and gives him or her the user ID as well. Now, the hacker can continue to pass through the network and gain access to the data he's looking for. Worrall recommends using passwords that are alphanumeric, contain special characters (like the ampersand and exclamation mark) and are eight to 10 characters long. However, this results in another problem: No one will remember their password, so they'll write it down, and once it's ink on paper, someone else can access it.
But even alphanumeric passwords are susceptible to more sophisticated programs known as brute force attacks. A more secure alternative to the password method of authentication is something called two-factor authentication, which follows the same principle as the ATM card. In order to complete a transaction, you need two factors: both the card and your PIN. RSA Security provides a two-factor solution known as a token. The SecurID token is a device that generates a new number every 60 seconds. In addition to memorizing a PIN, users carry the token with them and enter both the token number and PIN to access data on the corporate network, for example. The number generated by the token will be the same number generated on the back end by the server.
Smartcards are also two-factor authentication solutions requiring both a smartcard reader and a PIN. "The potential upside [of smartcards] is that you have a storage container that can do more than just store your digital identity," says Worrall. "Some of our customers are issuing smartcards to their employees that not only give them access to network resources but also give them access to the building." But, according to Worrall, there are also drawbacks: "You have to have a smartcard reader, and you also have to have the right software drivers on the desktop for that reader and your smartcard."
Biometrics--the identification of physical characteristics such as fingerprint readings, iris scans, voice recognition, recognition of facial features and keystroking pattern recognition--is one method of user authentication that can never be lost or stolen. Although biometrics does not appear to have caught on yet in the industry, some believe that it will offer incredible convenience for mobile workers and consumers alike (see "Sign Here" sidebar). Others cite cost and the "Big Brother" aspect of the technology as prohibitive.
Bringing Security to the Net
Choosing the appropriate method of user authentication depends on which mobile devices your field workers are using, the business they're conducting and their means of accessing the necessary information to perform their jobs. The pervasive use of the Internet as a means of accessing corporate data in the field presents its own security challenge: "Because of its level of interoperability and its ubiquitous nature, people are concerned about doing business on the Internet," says Worrall. "They're concerned about confidentiality of data, and they're concerned about data getting into the wrong hands." Companies whose mobile workers conduct transactions online are using public key infrastructures (PKIs) for strong authentication purposes. PKIs verify the identity of each party involved in an Internet transaction through the use of digital certificates and certificate authorities, and, unlike other authentication methods such as tokens, digital certificates also secure information via encryption.
"I think PKI is essential because you can use it in the wired as well as wireless part of your business," says Steve Kruse, chief evangelist for Baltimore Technologies. "You want your field force to be mobile, but you want to make sure they're the only people getting into your network." Baltimore's Telepathy line of products offers security solutions for wireless devices, such as WAP server certificates that authenticate the WAP server to the wireless device. The company also offers tools to support client-side certificates in the mobile world. "When we get to the mobile world," says Kruse, "we can use digital certificates to authenticate our remote devices, like our cell phones and PDAs." Cell phone manufacturers are starting to make phones that support certificates on the client side. "These can be used not only for identification," says Kruse, "but also for digital signatures, so if I'm at the airport and you need my signature to authorize a transaction, I can give it to you."
Crescendo Technologies, an information technology consulting firm, recently announced its e-Pervasive solution that supports mobile devices, such as PDAs, mobile phones and laptops for secure wireless access to business data. Steve McDonald, senior consultant in charge of e-Pervasive, explains how server certificates can be used to protect WAP devices. Having secured the data in transit from the WAP gateway to the device, he relates, "what you can then do with the WAP gateway is identify every device that's allowed to access your corporate data. Each WAP handset has an ID, and you can even associate that ID with a specific individual. If that device is lost or stolen, the individual can call the WAP server's administrative staff and give them the phone's ID so they can remove it from service. Even if the person who picks up the phone figures out the user ID and password, they cannot access the data because the WAP server denies all requests to the stolen handset."
Encrypt Your Data
Certicom, an encryption technology company that focuses on wireless security, recently launched MobileTrust, a certificate authority that offers digital certificates to mobile users. "The digital certificate gives the end user the ability to write a digital signature," says Bill Anderson, general manager of MobileTrust. With the electronic signature law having gone into effect on October 1, 2000, such signatures will now be legally binding. This should be good news for the mobile workforce as contracts and documents can now be signed on the spot, which translates into savings of both time and money.
MobileTrust is also the first certificate authority for elliptic curve cryptography (ECC), according to the company. While RSA cryptography is the industry standard for data sent over the Internet, "ECC is effective on mobile devices in particular," says Anderson. "ECC does all the same things as RSA," he explains, "but it's based on a different mathematical system. Because it's a more difficult mathematical problem, it allows us to use much smaller keys, which allows the algorithm to be made a lot faster. That's important on these smaller devices. On a PalmPilot, for example, we can do a digital signature in less than a second."
Olaf Gradin, senior security consultant with Crescendo Technologies, feels that encryption is a necessity for companies that are transmitting high-risk data. It appears that most companies have addressed the need for session or line encryption but pay less attention to desktop file encryption to protect the data stored on their laptops or PDAs. "An individual might synchronize data to their PalmPilot or laptop, and once they do that, it's much more available to prying eyes," says McDonald of Crescendo Technologies. "Say I have my highly confidential corporate financials on my laptop or Palm, and my competitor wants to expose them to show my weakness in the stock market by writing a press release about how horribly they think we're doing so their stocks rise and ours decline, that person might steal the device and copy the corporate financials on it--unless I've implemented a high level of security using local file encryption, which commonly doesn't happen."
The obvious solution would be to use file encryption on your notebook. Another solution would be for companies to place limitations on what their employees are allowed to store on their mobile devices. "It's difficult on a PalmPilot to encrypt things...it's not done very regularly," says McDonald. "Companies need to think about what content is allowed to go to a Palm device. If I were a CFO of a company and I caught wind that someone was carrying around a PalmPilot with highly sensitive financials on it, I would be very uncomfortable."
In practice, however, companies cannot monitor their employees' actions 24 hours a day. "As an administrator, you can closely monitor your firewalls, your WAP gateway server, your device ID, but you can't follow a person around with their laptop to make sure they're following rules," says McDonald. Ideally, the mobile device should serve as a portal to access data rather than store it, which is why WAP phones are so popular. "People don't have to carry data around if you give them a very simple, fast way to access it," says McDonald. With a WAP phone, employees have a rapid connection to central resources back at the office.
Whether hackers are out to create havoc or steal valuable secrets to be used against the company, security breaches cost enterprises money, time and sometimes customers' trust. Gradin advises companies to view their security policy as they would an insurance policy: "Companies should develop a risk assessment because that's going to show them what they stand to lose. While security is going to cost companies money, it's for a very good reason, and they need to be shown that there's a return on investment. Like insurance, you can't pinpoint the time in your life that you'll need it, but you want to make sure you have it."
Vendors are heeding the wake-up call and starting to build security solutions into their products. "I think companies are looking into better securing their automation tools and this is an important step. It's definitely a change in direction," says Gradin. When conducting security audits for companies, Gradin makes sure that first and foremost, the company has a security policy in place and has researched local laws and regulations that dictate what the company can and cannot do. Currently, Gradin is working with an insurance company, Atlantic Casualties Group, that has expressed concerns about enforcing their security policy on personal devices. "Local enforcement says that anything given by the company can be recalled or retrieved at any point," relates Gradin. Armed with this knowledge, the company can make the determination that all equipment in use must be loaned by the company so that their policies can be enforced.
In addition to encrypting data and providing some means of authentication, care should be taken to protect the device itself. "Unfortunately for the mobile user, preventing the device from getting stolen is tough," says Robin Jones, director of marketing for Absolute Software. They have to be very conscious that the device needs to be with them at all times. The amount of computer thefts in hotels and airports is mind-boggling" (see "Follow That Laptop!" sidebar).
Invasion of Privacy?
Dr. Stefan Brands, a senior cryptographer speaking at the International Forum on Surveillance by Design in London, warned that digital signatures might lead to widespread government tracing and identity theft. As digital signatures become more pervasive, is this a real cause for concern? "Tracking individuals is a possibility with any kind of electronic technology," says Certicom's Anderson, "but identity theft occurs when it's too easy to pretend to be someone else, and digital certificates allow you to put a stop to that."
Some feel that there are benefits to tracking an individual's whereabouts via their mobile device; for example, being able to pinpoint a person's exact location via their cell phone when used to place a 911 emergency call. Others are opposed to the idea. So is it going to take legislation to preserve our privacy? "The key is making sure the user has control over when and how that technology can be used," says RSA Security's Worrall, "and the best way to achieve this is to have the industry and government work together on how this is best accomplished." While the government has taken a step back in over-regulating with the recent relaxation of export controls on encryption technology, it is only a matter of time before some form of restriction is placed on the Internet. The question is, will control be in the hands of legislators or is the industry capable of self-regulation?
Either way, the consensus seems to be that companies need to assess their security needs and implement the appropriate solution before their mobile devices, and possibly their company secrets, end up in the wrong hands.