Unsecured Handhelds a Risk to Businesses and Individuals


Jason Dunn
07-12-2003, 07:00 PM
http://www.brighthand.com/article/Unsecured_Handhelds_A_Risk

"Though personal handhelds have long been used in offices, a recent survey shows that a large majority of them contain a significant amount of business-related information. What makes IT managers break out into a cold sweat is the thought that most handheld users simply do not secure the information on their device, despite numerous applications being available to do this.

The second annual PDA Usage Survey, which was conducted in the U.K. for Pointsec Mobile Technologies by Infosecurity Europe and Computer Weekly, revealed that 85% of handheld users keep company-related events on their handheld's calendar. And 80% keep business names and addresses in it. This is a higher percentage than enter their friends and family into their handheld's address book."

Ed Hansberry
07-12-2003, 07:08 PM
Still no answer to this. Both Palm OS and Pocket PC devices have basic password protection. What's an open secret in the industry is that this can be broken with relative ease.
Maybe someone here can define "relative ease" when it comes to breaking the device lock on PPC devices. This must be an easy one, as it is an open secret.

someppcuser
07-12-2003, 07:12 PM
What's even scarier is that one does not need to steal the device anymore. With all those new Bluetooth and WiFi enabled devices, it's child's play to intercept or steal sensitive data (kind of like when Apple implemented AirPort into its computers).

Peter Foot
07-12-2003, 07:27 PM
Still no answer to this. Both Palm OS and Pocket PC devices have basic password protection. What's an open secret in the industry is that this can be broken with relative ease.
Maybe someone here can define "relative ease" when it comes to breaking the device lock on PPC devices. This must be an easy one, as it is an open secret.

I think the answer to that is simple - the research is carried out by a security company. They are unlikely to substantiate this claim but will happily sell you their security software to plug this alleged gap...

Kati Compton
07-12-2003, 07:42 PM
Well, there is this thread (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=14865).

Ed Hansberry
07-12-2003, 08:17 PM
Well, there is this thread (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=14865).

Well, let me clarify. What is "relatively simple" besides tricking a user into installing a non-supported piece of software that bypasses security? I think Peter nailed it.

WyattEarp
07-12-2003, 08:38 PM
I find this very interesting since the daytimer and address book have been around much longer and no one has complained about these items in such a way. People have always carried such information around with them. Now IT personnel get the shakes over PDAs with business information in them. I'd be more worried about losing my phonebook and notes than my PDA. If a PDA is lost the average person won't know what to do with it anyway. Plus without a way to recharge it will just run out of power and become useless.

Did they take into account that no two people keep notes and info in the same way, or even in a logical way that someone else will automatically understand just by looking at the file name? Even with Bluetooth and WiFi a person would have to know exactly what they are looking for, whose device they are looking at, and have the time to find it. Surveys like this just amaze me.

Jeff Rutledge
07-12-2003, 10:46 PM
I find this very interesting since the daytimer and address book have been around much longer and no one has complained about these items in such a way. People have always carried such information around with them. Now IT personnel get the shakes over PDAs with business information in them. I'd be more worried about losing my phonebook and notes than my PDA. If a PDA is lost the average person won't know what to do with it anyway. Plus without a way to recharge it will just run out of power and become useless.

Did they take into account that no two people keep notes and info in the same way, or even in a logical way that someone else will automatically understand just by looking at the file name? Even with Bluetooth and WiFi a person would have to know exactly what they are looking for, whose device they are looking at, and have the time to find it. Surveys like this just amaze me.

Good points all. It made me think of that movie a ways back with (I think) Jim Belushi and Charles Grodin where an executive's identity was stolen when his Daytimer was lifted. At least PDAs have some level of protection.

As someone who used to work in IT Support, I'd rather see these folks in a huff over people who leave their passwords on stickies on their monitor or give them to a co-worker so they can log in if they need to while on vacation.

Crazy...

sponge
07-12-2003, 10:53 PM
In other news, allowing physical access to any important data (PCs, laptops, PDAs) usually means you = screwed.

someppcuser
07-13-2003, 03:06 PM
Agreed

dazz
07-13-2003, 03:24 PM
WyattEarp makes some very good points. There have never really been many barriers to taking proprietary info with you. At least with the PDA there may be some type of audit trail.

Also, most people would not at all be interested in the information on a PDA and would probably just delete it. Unless it is a case of Corporate Espionage most people would have no way of quantifying the value of the information on the PDA and therefore would not know how to exploit it.

dazz

WyattEarp
07-13-2003, 04:44 PM
I find this very interesting since the daytimer and address book have been around much longer and no one has complained about these items in such a way. People have always carried such information around with them. Now IT personnel get the shakes over PDAs with business information in them. I'd be more worried about losing my phonebook and notes than my PDA. If a PDA is lost the average person won't know what to do with it anyway. Plus without a way to recharge it will just run out of power and become useless.

Did they take into account that no two people keep notes and info in the same way, or even in a logical way that someone else will automatically understand just by looking at the file name? Even with Bluetooth and WiFi a person would have to know exactly what they are looking for, whose device they are looking at, and have the time to find it. Surveys like this just amaze me.

Good points all. It made me think of that movie a ways back with (I think) Jim Belushi and Charles Grodin where an executive's identity was stolen when his Daytimer was lifted. At least PDAs have some level of protection.

As someone who used to work in IT Support, I'd rather see these folks in a huff over people who leave their passwords on stickies on their monitor or give them to a co-worker so they can log in if they need to while on vacation.

Crazy...

No one seems to truly enforce the "protection" of login codes and passwords, or even educate people on proper protection of passwords. Yet everyone claims to be security minded. It's a big joke.

At least if a PDA is lost or stolen, whoever gets it will not only have to get past the login screen if it's on, but also decipher every entry in the thing to figure out what it is. By that time the battery will be well drained, especially if it wasn't fully charged from the start.

In any case this will continue to be an issue until companies and employees take security seriously and realise that it is everyone's responsibility, not just the IT or Security Depts.' problem.

someppcuser
07-13-2003, 04:50 PM
That battery argument is so silly. Just walk into a RadioShack, pick up a brick and plug it into the stolen PDA.

WyattEarp
07-13-2003, 05:50 PM
That battery argument is so silly. Just walk into a RadioShack, pick up a brick and plug it into the stolen PDA.

The battery really isn't an issue; it's the time limit it places on the device that is. Just walking into Radio Shack won't get you an AC adapter, and the adapter for an iPAQ for example. Especially since Radio Shack pushes Palms, not Pocket PCs. But that isn't the point I'm making. It's the fact that the average Joe who finds a PDA (be it a PPC or Palm) will more than likely cause it to run out of power before they actually figure out what the information on it means. And they probably won't go looking for an adapter until they get the time to do so, which won't be the moment they find it. And adapters cost money (and people are generally cheap). :D

We here are not the average Joes, we are the exception to the rule, nuff said. :D

someppcuser
07-13-2003, 06:32 PM
:wink:

Ed Hansberry
07-13-2003, 08:27 PM
On a 2002+ device, your PIN will keep your device RAM secure for over a day between allowed guesses after just 24 tries. It is over 3 X 10^20 years for the first one hundred tries (well after our sun burns out) if the timeout continues to double. I extrapolated that from 17 actual attempts, after which I decided over 17 minutes on this was enough. :D My 18th attempt would have taken over 17 minutes, and I've got other things to do.

You should encrypt data that is in some way not protected by the PIN, which is pretty much 100% of it, as it is all copied to insecure Outlook PST files or open data files on your hard drive. But in the Pocket PC itself, unless you move something to the file store (which survives a hard reset) or a storage card, the PIN will protect your RAM.

That is, unless someone can point to where the timeouts have been circumvented or can show another back door.
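
The doubling lockout Ed describes, modelled as an added example (not code from any Pocket PC release or from anyone in this thread). The parameters are assumptions: six penalty-free guesses, then a one-second wait that doubles after every further wrong PIN. With those values the model reproduces the figures in the post (about 17 minutes before the 18th guess, over a day after 24 wrong guesses, over 3 x 10^20 years after 100). The PinLock class shows how a device lock enforces such a schedule: every guess during the wait is refused, including a correct one, so repeatedly hammering the prompt yields nothing.

```python
"""Model of a doubling PIN-retry lockout (added example, parameters assumed)."""
import hmac
from typing import Callable

FREE_ATTEMPTS = 6        # assumption: wrong guesses that incur no delay
FIRST_WAIT_S = 1.0       # assumption: first enforced wait, in seconds
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def wait_seconds(failures: int) -> float:
    """Wait imposed before the next guess after `failures` wrong PINs in a row."""
    if failures <= FREE_ATTEMPTS:
        return 0.0
    return FIRST_WAIT_S * 2 ** (failures - FREE_ATTEMPTS - 1)


def wait_years(failures: int) -> float:
    """Same wait expressed in years, for the astronomical end of the schedule."""
    return wait_seconds(failures) / SECONDS_PER_YEAR


def total_lockout_seconds(guesses: int) -> float:
    """Cumulative waiting time an attacker sits through to make `guesses` guesses."""
    return sum(wait_seconds(k) for k in range(guesses))


class PinLock:
    """Device-lock state machine enforcing the doubling schedule above.

    The clock is injected so the behaviour can be exercised without sleeping.
    """

    def __init__(self, pin: str, clock: Callable[[], float]):
        self._pin = pin.encode()
        self._clock = clock
        self._failures = 0
        self._unlock_at = 0.0   # earliest time at which a guess is evaluated

    def seconds_until_allowed(self) -> float:
        return max(0.0, self._unlock_at - self._clock())

    def try_unlock(self, guess: str) -> bool:
        # During the lockout no guess is evaluated at all, so a correct PIN
        # entered early is refused and the attempt reveals nothing.
        if self.seconds_until_allowed() > 0:
            return False
        if hmac.compare_digest(guess.encode(), self._pin):
            self._failures = 0
            self._unlock_at = 0.0
            return True
        self._failures += 1
        self._unlock_at = self._clock() + wait_seconds(self._failures)
        return False


if __name__ == "__main__":
    for n in (17, 24, 100):
        print(f"after {n} wrong guesses: next guess allowed in "
              f"{wait_seconds(n):.0f} s ({wait_years(n):.3g} years)")
    print(f"time to make 25 guesses: {total_lockout_seconds(25) / 86400:.2f} days")
```

Running it prints 1024 s (about 17 minutes) after 17 failures, 131072 s (about 1.5 days) after 24, and roughly 3.1 x 10^20 years after 100, which is why a doubling timeout, rather than the PIN's length, is what makes online guessing hopeless; it does nothing, of course, for a copy of the same data sitting in an unencrypted PST file.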

Kirkaiya
07-14-2003, 12:41 AM
...
You should encrypt data that is in some way not protected by the PIN, which is pretty much 100% of it as it is all copied to insecure Outlook PST files or open data files on your hard drive, but in the Pocket PC itself, unless you move something to the file store (survives a hard reset) or a storage card, the PIN will protect your RAM.
...


Exactly. And I have one word for all the people storing credit-card info and other "identity" info in the Notes app: FlexWallet. (Or eWallet, though I've never used it.)

I used to worry, somewhere in the back of my mind, about my iPaq being stolen, but ever since PPCthoughts (yes!) had that inside scoop on the FlexWallet deal for $3 or so (including the desktop version, to which it syncs), I've used it for all my sensitive stuff, and client info, server IP addresses, admin passwords, SQL Server Database connection strings, paypal accounts and everything.

I feel much safer with my stuff in FlexWallet, especially since I have clients like Microsoft, who could sue me into oblivion if I accidentally let somebody get one of their website URLs that I have access to (god knows I can't afford to fend off a suit by the local homeless shelter, much less Gates Inc.).

I think eventually the encryption will be part of the whole system, and use something like the HP iPAQ's biometric reader or whatever, and automatically encrypt/decrypt all your data on the fly.....

Brad Adrian
07-14-2003, 02:39 AM
How many of us reading this thread actually carry information that would be of substantive competitive benefit to another company on our Pocket PCs? I like to think that my work is terribly important to civilization, democracy and the long-term viability of the human race, but the truth is that anybody hacking into my Pocket PC would get little more than a listing of my electro-shock therapy appointments and Diamond Mine high scores.

ctmagnus
07-14-2003, 02:59 AM
the truth is that anybody hacking into my Pocket PC would get little more than a listing of my electro-shock therapy appointments and Diamond Mine high scores.

What? No listing of all your tattoos and their locations? Or is that Ed I'm thinking of?

:wink:

Brad Adrian
07-14-2003, 03:18 AM
What? No listing of all your tattoos and their locations? Or is that Ed I'm thinking of?
Must be Ed. My big thing is body piercing...;)