Is Your Mobile Device Secure?
by Darren Miller
Published on this site: January 9th, 2006

How Secure is Your Mobile Device?
Do you own a keychain USB jump-drive, a PDA, or an all-in-one
mobile communications device? If you do, what type of information
do you store on it? Many people would say there is nothing
important stored on their mobile device. Many of our customers
initially state there is nothing on the computer network that
hackers would want or a virus could irreparably damage.

I want to start out this article with a couple of real-life
stories about why it is so important to make sure your mobile
devices are secure.

Panic Over Lost Jump-Drive

About a year ago, a business acquaintance contacted me in
a panic. Apparently, he was onsite performing an internal
security audit for a rather large company, and had lost or
misplaced his keychain USB Jump-Drive. At first, I was not
sure of why he was in such a panic. That is, until he told
me the drive contained approximately 300Mb of security information
mined from a previous security audit he performed. He was
scared out of his wits that this information would fall into
the wrong hands, not to mention the hands of his new client.
What would his new client think if they found he was walking
around with this information on a device that anyone could
gain access to? Would he do the same thing with their information?
Luckily, after retracing his steps in the building, he found
it on the floor of the men's room. He apparently pulled out his
keys and the jump-drive came off the keychain. He no longer
carries his jump-drive around with him.

Confidential Client Information Lost in Snow Storm

On another occasion, someone quite close to me dropped his
Toshiba PDA somewhere between his car and the food store. Not
too big of a deal, except for the fact that there was about
one foot of snow on the ground. He spent the next three hours
trudging through the snow looking for the PDA. Besides the
fact that it was not an inexpensive PDA, it contained his
entire client list, personal online accounts with user IDs
and passwords, and several other categories of highly confidential
information.

In both the cases above, neither of these people had given
much thought to the loss of these devices. Why should they?
They were both experienced professionals in the information
technology business and very careful and conscious about keeping
information secure. The problem is, they're both human. And
humans make mistakes and erroneous judgment calls.

How to Secure Mobile Devices

Because there are so many types of mobile storage and communications
devices, there are many ways to secure them. So, I will stick
to what I do to secure the above mentioned devices since I
happen to use both types.

I use a 1GB USB 2.0 Jump Drive to store and transfer many types
of information. Sometimes, this includes confidential information.
For instance, when I travel, I have a copy of my account database
on the device. However, the device file-system itself is heavily
encrypted, and the database stored on the encrypted file-system
is itself encrypted. If I happen to misplace this device, I am more
than confident (at least at this point in time) that the data
is protected and not easily accessible. Now, nothing substitutes
for not carrying around this type of information to begin
with, but it is safer than carrying around a printout of the
Excel spreadsheet you keep your passwords in.
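
Whether a drive would expose anything readable if lost can be checked mechanically. The following Python is an added example, not part of the original article: it walks a mounted drive and flags files whose contents do not look encrypted, judged by byte entropy. The file-name hints, the 7.5 bits/byte threshold and the two sample files are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Assumptions (not from the article): name hints and the entropy cut-off.
SENSITIVE_HINTS = ("password", "client", "account", "contact", "audit")
ENTROPY_THRESHOLD = 7.5   # bits/byte; well-encrypted data sits close to 8.0
SAMPLE_BYTES = 64 * 1024

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def audit_drive(mount_point: str) -> list:
    """Return one finding per file that looks like readable (unencrypted) data."""
    findings = []
    for root, _dirs, files in os.walk(mount_point):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                sample = fh.read(SAMPLE_BYTES)
            entropy = shannon_entropy(sample)
            if entropy >= ENTROPY_THRESHOLD:
                continue  # looks like ciphertext (or compressed data)
            sensitive = any(h in name.lower() for h in SENSITIVE_HINTS)
            findings.append({
                "path": os.path.relpath(path, mount_point),
                "entropy": round(entropy, 2),
                "severity": "high" if sensitive else "review",
            })
    return findings

def demo() -> list:
    """Build a constructed stand-in for a jump drive and audit it."""
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "client_passwords.csv"), "w") as fh:
            fh.write("site,user,password\n" + "example.test,alice,Constructed1!\n" * 50)
        with open(os.path.join(drive, "accounts.db.enc"), "wb") as fh:
            fh.write(os.urandom(SAMPLE_BYTES))  # stands in for an encrypted database
        return audit_drive(drive)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

High entropy does not prove encryption, since compressed formats also score high, and files of only a few kilobytes score low even when encrypted, so treat the output as a list to review by hand.
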
As for mobile communications, I don't know what I would do
without my mobile phone. It has replaced my PDA, has unlimited
internet access, a VPN client so I can retrieve my mail without
having to use a separate service (more $), a 1GB storage card,
camera and so on. The primary thing that this device stores
that is confidential is my contact list. There are other
items I don't want just anyone to have access to as well.
Not to mention using my phone (more $). So, the storage card
is encrypted, and that is where my important data is kept.
The device itself is password protected with an eight-character
key that meets or exceeds standard complexity rules. And
the mail client itself requires authentication in order to
use it.

Conclusion

If you use mobile devices on a regular basis, I suggest you
sit down and think about exactly what you store on them. It
is sometimes easy to overlook these things or underestimate
exactly how private or confidential certain information is
or should be. Make sure you take reasonable steps to keep
the information stored on mobile devices secure and private.
It is definitely a balancing act between security and ease
of use.

And, whatever you do, don't leave your mobile device in
the men's room.

Darren Miller is an Information Security Consultant
with over seventeen years' experience. He has written many
technology & security articles, some of which have been
published in nationally circulated magazines & periodicals.
If you would like to contact Darren you can e-mail him at
[email protected].
If you would like to know more about computer security please
visit us at http://www.defendingthenet.com
