Dead (to you) Phones Tell Some Tales


Jon Westfall
09-01-2006, 02:51 PM
http://www.msnbc.msn.com/id/14588433/

"Selling your old phone once you upgrade to a fancier model can be like handing over your diaries. All sorts of sensitive information pile up inside our cell phones, and deleting it may be more difficult than you think. A popular practice among sellers, resetting the phone, often means sensitive information appears to have been erased. But it can be resurrected using specialized yet inexpensive software found on the Internet....Peiter "Mudge" Zatko, a respected computer security expert, said phone owners should decide whether to auction their used equipment for a few hundred dollars — and risk revealing their secrets — or effectively toss their old phones under a large truck to dispose of them. What about a case like the Lothario whose affair Trust Digital discovered? "I'd run over the phone," Zatko said. "Maybe give it an acid bath.""

Straight from the "Scaring you to death about selling your old devices" column comes this piece from MSNBC. The warnings given and the (rather extreme) advice will go far in protecting you. What will go even farther is a sound security policy (i.e. mandatory encryption) and a device sanitization process for corporate-provided devices (whereby the company would take appropriate measures to remove all traces of data before the phone could be sold). Anyone now worried that their former phones may be telling secrets?

Silver5
09-01-2006, 03:47 PM
Does re-loading the ROM (or upgrading to a brand new ROM) completely sanitize the device? I have started making sure I do that every time I sell a device but I really don't know if that solves the problem for sure.

Brad Adrian
09-01-2006, 03:51 PM
I happened to catch part of that report on TV the other day. What got me was that the "expert" they were interviewing said that he never gives away, sells or recycles his mobile phones because "there's no way of knowing what information the recipient could get about me."

If he's such an "expert," why the heck doesn't he know how to reset or purge his old phone?

pctech3
09-01-2006, 04:38 PM
You must go to his website jonwestfall.com, and I think you will gain a better understanding of why he says the things he says.

kiwi
09-01-2006, 05:08 PM
I don't worry about scare mongering stuff like this.

whydidnt
09-01-2006, 05:35 PM
And what information do people have on their phones that is really so top-secret anyway? For me, any information such as passwords, log-ins etc. is usually kept in a secure encrypted e-wallet or similar file, so it isn't accessible using the methods described.

Does anyone really care if some random person finds out the phone numbers of their friends, or who you had appointments with 2 years ago? This sounds a lot like typical fear mongering from the media to me. The only time this would seem to have relevance is if one was trying to find information regarding a cheating spouse or the like.

Brad Adrian
09-01-2006, 06:30 PM
And what information do people have on their phones that is really so top-secret anyway?
That's a very good question. I'd love to know just how often an organization has become significantly compromised because one of its employees lost his/her PDA or DayTimer. Other than creating fodder for a few third-rate movies, has the fear of losing this kind of information ever actually materialized?

Granted, today's PDAs have the potential to contain all kinds of data that has never been possible with yesterday's paper-based organizers. But in reality it doesn't seem to me that phones or PDAs represent any greater risk than older organizers?

Jon Westfall
09-01-2006, 06:39 PM
jonwestfall.com

8O :D 8)

lol!!! G E E E E E E E E K!!!

For the life of me I don't know why this came up in a post on device security, but heck, why not? Doesn't everyone own a pair of Morpheus-style sunglasses?

kiwi
09-01-2006, 07:40 PM
jonwestfall.com

8O :D 8)

lol!!! G E E E E E E E E K!!!

For the life of me I don't know why this came up in a post on device security, but heck, why not? Doesn't everyone own a pair of Morpheus-style sunglasses?

sorry mate, it's a Friday and I was having some fun. :devilboy: I can delete my post if it's too offensive or you can make some sheep joke directed at me :lol:

TOCA
09-01-2006, 11:53 PM
What Me worry?? 8O

No, not even close 8)

Just because some ubergeek is able to stamp up a few leftovers on an old smartphone, doesn't mean that every script kiddie will do the same, with every phone bought at eBay :roll:

allenalb
09-02-2006, 10:12 PM
No worries here, I have every phone I've ever owned in a box in the closet :)

One day they will learn to communicate and plot to take over, of that I have no doubt.

minimage
09-03-2006, 04:28 AM
I've been intending to donate my 1st phone, as I'm keeping my second as a spare and got my 3rd in June, but I haven't gotten around to it, yet. When I find it, I'll do what I can to clear it and give it away. It's an old Sanyo 3500, so it won't have a heck of a lot (if it still has stuff on it).

The One Eyed Man
09-05-2006, 04:57 PM
As a result of media attention to, and bad-guy awareness of personal data that can or could be stored on portable devices (read: laptops), legislation has been enacted to try to safeguard consumer privacy. So far, legislation in the US is sector-specific: GLBA (financial services), FACTA (credit card processing), HIPAA (health care), etc... In Europe, the DPA 1998 covers all sectors, as well as universities and other situations in which personal data might be stored or processed.

As PDA (PERSONAL Digital Assistant) devices become more ubiquitous, and as the storage requirements and use of these devices increase, the risk of compromising someone else's personal data increases proportionately.

Having a comprehensive view of Information Security and / or Information Privacy requires that the Point of View must include corporate context, common practice, and personal use.

So, today, disclosing information about your Mom's birthday might put you or your mom at risk of identity theft. Tomorrow, consultants could be using PDAs to store detailed consumer information containing personal data on every bank account holder for a particular financial institution. Even temporary storage (on laptops OR PDAs) means that the information is subject to potential future disclosure unless the data is stored encrypted, and then securely erased.

Here is a quick list of mitigating security precautions considered to be "standard" in a regulatory context for laptops (portable devices), for which no standards, guidance, or regulation currently exist in the "mobile" (PDA / PMD) world:
- Virus protection
- Firewall
- VPN
- Encryption
- Secure data deletion
- Password / console timeout policies

This is not to say that such technologies do not exist in the mobile world, because they do. The problem is that not all platforms have options for the above, and there are no de-facto standards out there (again, in a mobile context) for the technologies listed above.

As mobile devices mature, and as the technology becomes more ubiquitous, attention will turn to PDAs and PMDs (Don't forget iPods and memory sticks!) accordingly. Just wait for someone to lose an iPod or a cell phone that was used to "temporarily" store a database with 200,000 records containing personal data.

The PDA and PMD hardware and software vendors need to focus on and provide industry-standardization of enterprise management facilities that should include:
- remote wipe capability (could be via deadman's code)
- "phone home" locator technology
- storage policies ("This device does not allow storage of xyz-type files. Please contact your System Administrator.")
- encryption policies
- device-level security capabilities (password access, firewall, virus protection)

As laptops and PDAs/PMDs converge over time, enterprise management facilities must evolve accordingly. We see the fledgling attempt at this through products like BES (hate it) and Exchange 2003 SP2.

I have said this in other posts, but I think there are a lot of lessons to be learned by mobile devices from laptops, and vice-versa.
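The point raised in the opening post (a "reset" leaves data that inexpensive tools can recover from the flash) and the two controls named in the post above (secure data deletion and encryption) can be made concrete with a small model. The code below is an added example, not something from the thread or from any phone vendor: it is a constructed toy flash image with an allocation table and fixed-size blocks, three constructed sample records, a toy counter-mode keystream built from SHA-256 standing in for a real cipher, and a residue check of the kind a sanitisation process would run against a raw image before a device leaves the company. All names (ToyFlash, residue_check, demo) are invented for the illustration.

```python
"""Toy model of phone flash storage (constructed example, not from the thread).
Shows why a quick reset that only clears the index leaves records recoverable
from the raw image, and why overwriting or discarding the encryption key does not."""
import hashlib
import os

BLOCK_SIZE = 64
NUM_BLOCKS = 8

# Constructed sample records standing in for what a phone holds.
SAMPLE_RECORDS = {
    "contact": b"Alice Example,+1-555-0100",
    "calendar": b"2004-06-12 Meeting with Bob re: merger",
    "note": b"wifi password: hunter2",
}


def keystream(key, block_index):
    """Toy counter-mode keystream: SHA-256 over key || block || counter.
    Stand-in for a real cipher such as AES-CTR; illustration only."""
    out = b""
    counter = 0
    while len(out) < BLOCK_SIZE:
        out += hashlib.sha256(
            key + block_index.to_bytes(4, "big") + counter.to_bytes(4, "big")
        ).digest()
        counter += 1
    return out[:BLOCK_SIZE]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class ToyFlash:
    """Block storage with a separate allocation table (the 'index')."""

    def __init__(self, key=None):
        self.key = key                      # None means plaintext storage
        self.table = [None] * NUM_BLOCKS    # block -> record name, None if free
        self.blocks = [bytes(BLOCK_SIZE)] * NUM_BLOCKS

    def write(self, name, payload):
        idx = self.table.index(None)        # first free block
        padded = payload.ljust(BLOCK_SIZE, b"\x00")[:BLOCK_SIZE]
        if self.key is not None:
            padded = xor_bytes(padded, keystream(self.key, idx))
        self.table[idx] = name
        self.blocks[idx] = padded

    def read(self, name):
        idx = self.table.index(name)
        data = self.blocks[idx]
        if self.key is not None:
            data = xor_bytes(data, keystream(self.key, idx))
        return data.rstrip(b"\x00")

    def quick_reset(self):
        """The 'reset' from the article: clears only the index, blocks keep their bytes."""
        self.table = [None] * NUM_BLOCKS

    def overwrite_reset(self):
        """Secure deletion: overwrite every block with random bytes, then clear the index."""
        self.blocks = [os.urandom(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]
        self.table = [None] * NUM_BLOCKS

    def crypto_erase(self):
        """Discard the key; ciphertext stays in flash but no plaintext can be recovered."""
        self.key = None
        self.table = [None] * NUM_BLOCKS

    def raw_image(self):
        """What a chip-level read returns, ignoring the index entirely."""
        return b"".join(self.blocks)


def residue_check(image, records=SAMPLE_RECORDS):
    """Sanitisation check: which known records are still present in the raw image?
    An empty list means the wipe verified clean for the records you know about."""
    return [name for name, payload in records.items() if payload in image]


def demo():
    """Runs the three scenarios and returns the residue found in each."""
    results = {}
    plain = ToyFlash()
    for name, payload in SAMPLE_RECORDS.items():
        plain.write(name, payload)
    plain.quick_reset()
    results["quick_reset"] = residue_check(plain.raw_image())

    plain2 = ToyFlash()
    for name, payload in SAMPLE_RECORDS.items():
        plain2.write(name, payload)
    plain2.overwrite_reset()
    results["overwrite"] = residue_check(plain2.raw_image())

    enc = ToyFlash(key=os.urandom(32))
    for name, payload in SAMPLE_RECORDS.items():
        enc.write(name, payload)
    results["encrypted_readback_ok"] = enc.read("note") == SAMPLE_RECORDS["note"]
    enc.crypto_erase()
    results["crypto_erase"] = residue_check(enc.raw_image())
    return results


if __name__ == "__main__":
    for scenario, found in demo().items():
        print(f"{scenario}: {found}")
```

The residue check is the part worth keeping from this: a sanitisation process is only as good as its verification step, and verification means reading the raw storage rather than asking the device's own file listing, which is exactly what the quick reset has already emptied. The check is also deliberately limited to records you know were on the device; it cannot prove the absence of anything else, which is the argument for encrypting at rest from day one so that a lost key is the wipe.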

The One Eyed Man
09-05-2006, 05:07 PM
OK, at the risk of being long-winded....

I think part of the problem of data security on mobile devices is that today's "portable" device security vendors, who focus on Laptop and Desktop enterprises don't fully understand what "mobile" security really means.

Case in point: None of these products address Over The Air (OTA) threats. All of them are signature based. All of them have a HUGE footprint, making them both unfriendly and unwieldy for mobile devices. Some security products do not do "interactive" scanning, meaning a scan task must be scheduled through the operating system.

Another point: Many "mobile security" vendors think that universal support means running in Java. This means you are only as secure as your Java (J2ME/MIDP) stack.

This is a paradigm that's 15 years old in the PC world, and would be considered totally unacceptable.

As a final consideration, note that laptop ("portable") security is now being considered as a function of hardware, but neither Windows Mobile nor the hardware on which it runs has any such hooks yet.