|Get this Security+ CertiGuide for your own computer.|
Use coupon code "certiguide" to save 20%!
|Also available: 300-question Security+ practice test!|
|Get It Here!|
3.1.13 Mobile Devices
Mobile Devices participating in your
network include everything from Pocket PC and Palm Pilot handheld organizers,
to notebook computers, to RF scanners used for managing inventory.
Security Issues with Mobile Devices
The key security vulnerabilities
of mobile devices are that their portability can lead to easier theft
or loss (thus loss of the data stored on the device) and that they usually
communicate with the network via a wireless communication mechanism.
To guard against loss due to the
disappearance of the device, you can take measures such as:
- Ensure that data collected by the mobile device
is uploaded to the network as quickly as possible, to minimize the amount
of data lost if the device goes AWOL.
- Password access to the device, if possible, to
make it more difficult for an unauthorized person to view the data on
- Install encryption software and make sure that
any proprietary information stored on the device is encrypted.
Also, when using a mobile device
over the airwaves, make sure that any sensitive communications are encrypted.
If youre communicating via 802.11 or other technologies that
can be broken by curious attackers, you may want to employ
an additional layer of encryption on the connection as well. Weve
already discussed VPN software for Windows and Linux platforms. VPN
clients are also available for PocketPC 2002 (such as Checkpoints
VPN-1 client) and Palm (such as Mergics PPTP client) based handhelds.
Mobile Device Security Tips
When using a mobile device, keep in mind these guidelines:
1. Always set a password on the device so that if lost, it will at least take a bit of effort to get to the data.
2. Encrypt information stored on the device.
3. Consider encrypted communications when using wireless network technology.
4. Do not store data only on the mobile device; if using the mobile device for data collection, upload it as soon as practical.
Fun (or Trouble) with PocketPC ActiveSync
ActiveSync is the protocol used to synchronize the contents of a PocketPC based PDA with a desktop PC. Pocket PC synchronization can take place via direct serial connections or via network connections. It turns out that both types of connections are vulnerable to security issues that can compromise data on PocketPC devices or cause DoS situations.
ActiveSync serial connection authentication is controlled by a simple 4-digit PIN. If a hostile PC furnishes the correct PIN to the PDA, it can sync that PDA, possibly installing Trojan horses or viruses, and uploading data stored on the PDA. (Brute forcing a 4-digit PIN doesnt take much time. Note that banks are aware of that, and an ATM would probably eat your ATM card after 5 or 10 incorrect tries to prevent compromise due to PIN-guessing.)
ActiveSync over TCP/IP uses port 5679. Anyone with access to port 5679 on a PC running ActiveSync (this includes internal users as well as Internet users) can stage a DoS attack on that ActiveSync server in several different ways.
We dont intend here to single out Microsoft its just that this is a handy illustration of the issues inherent in mobile devices, which people are only now beginning to think about. Mobile devices such as PocketPCs (and the Windows CE OS on which they are based) have only recently begun to be widely deployed in real world scenarios. As a result, the real world security implications of such devices are still being discovered.
|If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!|
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.