Palm Pilots PDAs Cell Phones Wireless Security - PowerPoint PPT Presentation

Provided by: Meli215
Learn more at: http://net.educause.edu
1
Palm Pilots / PDAs / Cell Phones / Wireless Security
2
Don't Compromise Your PDA!
  • What information on the device can be compromised?
  • Everything! Contacts/clients, meetings, patient
    data, legal and financial information

3
Confidentiality Solutions
  • Passwords: a good first line of defense
  • User ID/Power passwords
  • Alphanumeric
  • Non-alphanumeric
  • 8 characters
  • Problem: data not encrypted
  • Security-specific software

4
Some Common Sense
  • The lonely PDA - not for long
  • Left on a desk
  • Left on an airplane
  • Dropped from a pocket or bag
  • Stolen!
  • The PDA and all its contents immediately are
    released to another individual unless protected
  • SECURITY IS PARAMOUNT!

5
Are You Protected?
  • Policies
  • Infrastructure/Network
  • Encryption software
  • Awareness

6
Mobile and Wireless Security Issues
  • Handhelds, being small, portable devices, are
    easily lost or stolen. About 250K PDAs were lost
    in US airports during 2002 (Gartner report).
  • Handhelds are frequently used in hostile
    environments like hotspots, customer sites,
    business partner offices, and industry
    conferences.
  • Attackers are drawn to locations where business
    travelers gather, because targets are more
    plentiful and it is easier to go unnoticed.

7
  • Security features limited - Handheld devices have
    simpler user interfaces and less CPU, storage,
    memory, and network bandwidth than desktops or
    laptops.
  • Inherently harder to manage.
  • Not continuously connected
  • More difficult to enforce security policies and
    monitor security events.
  • Handhelds often ship with security features
    disabled by default.

8
Threats
  • Handhelds are also potentially vulnerable to
    viruses, worms, trojans, and spyware.
  • Most are Win32 viruses that can be spread from
    unprotected handhelds to desktops through
    synchronization, email, or file shares.
  • Self-replicating worms like Bugbear, Klez, and
    Spida flood email and file servers, delete
    registry keys, kill processes, disable software,
    and carry trojans.
  • Trojans can log keystrokes, launch denial of
    service (DoS) zombies, or let attackers assume
    remote control of infected hosts.
  • Spyware in cookies and programs like Kazaa are
    not overtly malicious, but leak potentially
    sensitive information about your computing
    behavior.

9
Threats
  • Mobile phones that can download games, ring
    tones, and other software have opened a new
    avenue for hackers to exploit.
  • Compact flash and PCMCIA cards supported by
    handhelds can store 5 GB or more. These removable
    cards (and their contents) are easily borrowed
    or stolen.
  • According to CERIAS, networked handhelds are less
    resistant to common TCP denial of service attacks
    because their limited resources are easily
    exhausted.

10
Practical Security Strategies for Pocket PCs
  • Set power-on passwords. According to Gartner, the
    biggest risk associated with Pocket PCs is that
    no power-on password is required by default.
  • Use mobile firewall to block unauthorized
    handheld network activity
  • Defends against port scans, unauthorized
    requests, unwanted peer-to-peer connections,
    denial of service floods, and other network-borne
    attacks.

11
Practical Security Strategies for Pocket PCs
  • Encrypt sensitive values, database records, key
    files and folders, or entire compact flash
    cards.
  • Protect traffic sent and received by handhelds.
    Consider encrypted, authenticated VPN tunnels to
    ensure the privacy and integrity of communication
    between handhelds and connected networks.
  • If credentials must be saved on a handheld,
    encrypt them.
  • Detect and eradicate viruses.
  • Backup handheld data regularly. Frequent backups
    can reduce loss of data and downtime when a
    Pocket PC is lost, stolen, wiped clean, or
    damaged beyond repair.

12
How Data Is Stored
  • Digitally as tiny magnetized regions, called bits
  • Hard drives store this on a platter, like a CD
  • Data can be extracted from ANY electronic/digital
    source (floppy, cd, dvd, zip disks, removable
    media, hard drives, flash memory, thumb drive,
    usb drives, printer memory, blackberry, pda,
    XBOX, tivo, etc.)
  • Once data is written, it remains until disk is
    wiped or overwritten by other information

13
25 August 2003 - Used BlackBerry Contained
Proprietary Information
  • A man who bought a BlackBerry on eBay for $15.50
    found that the wireless device contained a
    database of over 1,000 names, e-mail addresses
    and phone numbers of Morgan Stanley executives,
    as well as more than 200 internal Morgan Stanley
    e-mails.
  • The seller is a former VP of mergers and
    acquisitions who had left the company. He said he
    had removed the battery months before selling the
    BlackBerry and assumed the data had been erased.

14
Controls
  • Information that is placed on device
  • Security configuration including software used to
    protect the information
  • Does the device synchronize with others - Admin
    rights?
  • Modes of operation
  • Wireless
  • Infrared

15
Controls
  • No upload/download via infrared or wireless while
    connected to desktop networked PC
  • Use infrared only for authorized data transfers
  • PDAs not to be left unattended while attached to
    a computer
  • PDAs secured with password protection while not
    in use
  • User takes responsible steps to prevent loss or
    theft of device
  • Regularly sync device so that appropriate
    security files (virus signature) are updated

16
Awareness
  • Physical security of device
  • A strong password (eight characters, mixture of
    numbers, letters and special characters)
  • Information to be stored on device
  • Procedure to follow if device is lost or stolen
  • Firewall
  • Record, in the event PDA is lost or stolen
  • Serial number
  • Make and model

17
Wireless Security
WIRELESS DATA CONNECTIVITY GUIDELINE
http://www.telcom.arizona.edu/WLAN-Guide.html
18
(No Transcript)
19
What Is This Phenomenon of Drive-by Hacking?
  • Hacker taps into a network using a wireless
    device.
  • Got its name because a hacker can literally
    construct a device that will allow them to park
    in front of a building and gain access to a
    network while sitting in the car.
  • Relative ease of uncovering this vulnerability
    and gaining access to a company's unsecured
    network can be likened to installing a wireless
    LAN jack in your parking lot (access to everyone).

20
What Does It Mean to Do "War Driving"?
  • Need a device capable of receiving an 802.11b
    signal (the wireless standard)
  • A device capable of locating itself on a map
  • Software that will log data from the second when
    a network is detected by the first.
  • You then move these devices from place to place,
    letting them do their job.
  • Over time, you build up a database comprised of
    the network name, signal strength, location, and
    ip/namespace in use. You may even log packet
    samples and probe the access point for data
    available via SNMP.

21
Is This a New Security Vulnerability?
  • The security community has known about this
    vulnerability for a couple of years, but only
    recently has it become more widely known and
    popular.
  • Freeware programs can be downloaded that automate
    finding and cracking wireless networks. Combining
    this with the rapidly increasing use of 802.11,
    due to low-cost components hitting the market,
    makes it a big issue today.

22
Why Is It Easy to Get Into a Wireless Network?
  • The most common wireless local area network is
    built based on a standard known as 802.11.
  • The security function of this technology has been
    demonstrated to be inadequate when challenged by
    simple hacking attempts.
  • In addition, products sold with this technology
    are often delivered with security functionality
    disabled.

23
Does the WEP Encryption Option Built Into 802.11
Make Me Secure?
  • Not really. The 802.11 standards include a
    security component called Wired Equivalent
    Privacy, or WEP, and a second standard called
    Shared Key Authentication.
  • WEP defines how clients and access points
    identify each other and communicate securely
    using secret keys and encryption algorithms.
  • Although the algorithms used are well understood
    and not considered weak, the way in which they
    are used, in particular the way keys are managed,
    has resulted in a number of easily exploitable
    weaknesses.
  • On top of this, it is estimated that
    approximately only 30% of 802.11 networks use WEP
    encryption or have turned on the option to enable
    WEP encryption. This is based on anecdotal
    evidence of war driving experiences that people
    have posted on the Internet.

24
Will Banning Wireless Devices From Our Network
Make Us More Secure?
  • Wireless access points are now so affordable that
    people are using them for convenience everywhere.
  • For example, someone may have a wireless device
    connected to their home computer, and that
    computer may also be dialed into the university
    network.
  • This introduces a rogue access point to the
    corporate network that was not part of the
    original architecture and is likely unknown to
    network administrators.
  • Another scenario may be that an individual or
    department may set up a wireless network inside
    the university firewall, again establishing rogue
    access points that you do not know about.

25
What Can I Do to Make Our Network More Secure?
  • You need to layer more security on top of any
    wireless 802.11 system.
  • By having a security-conscious mindset and
    following a few policy guidelines, a wireless
    network can be secure.
  • By implementing a sound security policy and
    following with thorough enforcement of that
    policy, we are better equipped to face the
    security challenges that wireless technology
    presents.

26
Possible Solutions Include
  • Using a VPN (virtual private network).
  • VPNs are used with digital IDs to achieve strong
    user identification.
  • VPN also provides the added benefit of
    establishing an encrypted tunnel from a client
    machine right through to the server.
  • The use of encryption as an added security
    measure can be considered.
  • Requires user knowledge and use of an assigned
    key that must be changed periodically by central
    IT staff.
  • Users must be notified of each key change.
  • Nothing prevents a user from sharing the
    encryption key with an outsider.
  • Research indicates wireless encryption methods
    are easily broken.
  • Regardless of security measures, data transmitted
    via a wireless network can be intercepted. Users
    are advised to avoid the transmission of
    sensitive data across this network.

27
Wireless Security Data Connectivity Guideline
  • Describes how wireless technologies are to be
    implemented, administered, and supported at the
    University of Arizona campus.
  • Supplements the guidelines in the CCIT Computer
    and Network Usage Policy by adding specific
    content addressing wireless data connectivity and
    the resolution of interference issues that might
    arise during use of specific frequencies.
  • Desire for campus constituencies to
  • deploy wireless technologies with a central
    administrative
  • encourage all constituents to deploy such systems
    with an acceptable level of service quality and
    security.

28
Scope of Service
  • Guideline defines the roles of the campus units
    and Telecommunications for deploying and
    administering the wireless infrastructure for the
    campus.

29
Network Reliability
  • Function both of the level of user congestion
    (traffic loads) and service availability
    (interference and coverage).
  • Guideline establishes a method for resolving
    conflicts that may arise from the use of the
    wireless spectrum.
  • Approaches the shared use of the wireless radio
    frequencies in the same way that it manages the
    shared use of the wired network.
  • CCIT will respond to reports of specific devices
    that are suspected of causing interference and
    disrupting the campus network.
  • Where interference between the campus network and
    other devices cannot be resolved,
    Telecommunications reserves the right to restrict
    the use of all wireless devices in
    university-owned buildings and all outdoor spaces.

30
Security
  • The maintenance of the security and integrity of
    the campus network requires adequate means of
    ensuring that only authorized users are able to
    use the network.
  • Wireless devices utilizing the campus wired
    infrastructure must meet certain standards to
    ensure only authorized and authenticated users
    connect to the campus network and that
    institutional data used by campus users and
    systems not be exposed to unauthorized viewers.

31
Campus Units Responsibilities
  • Responsible for adhering to Wireless
    Communications Guidelines.
  • Responsible for managing access points within
    departmental space and assuring proper network
    security is implemented.
  • Responsible for registering wireless access point
    hardware, software deployments with
    Telecommunications.
  • Responsible for informing wireless users of
    security and privacy guidelines procedures
    related to the use of wireless communications.
  • Responsible for monitoring performance and
    security of all wireless networks within
    departmental control as required to prevent
    unauthorized access to the campus network.

32
Draft Wireless Security Standards
  • Due to the lack of privacy of network
    communication over existing wireless network
    technology, all wireless traffic is presumed to
    be insecure and susceptible to unauthorized
    examination.
  • Authentication
  • Security Awareness
  • Monitoring and Reporting

33
Authentication
  • Access to wireless network connectivity should be
    limited to authenticated users and authorized
    wireless client devices.
  • Authentication may be performed based on the
    following requirements:
  • All authorized wireless network users will be
    required to be authenticated and operate through
    the campus VPN.
  • All authorized wireless network users must
    register the MAC address of the wireless network
    interface card (NIC) to the local or campus
    Dynamic Host Configuration Protocol (DHCP)
    service.
  • Wireless NICs and user accounts are not to be
    shared. (See Network Usage policy)
  • Users are prohibited from using wireless
    network technology to access critical and
    essential applications without the wireless
    network connections being appropriately
    encrypted.

34
Security Awareness
  • All wireless network managers should be aware of
    the following issues:
  • Authentication for wireless network access
    protection of passwords
  • Authorized use of wireless network technology
  • Wireless interference issues
  • Privacy limitations of wireless technology
  • Report wireless network service problems
  • Respond to a suspected privacy violation
  • Revoke DHCP registration due to termination of
    affiliation with University.

35
Monitoring and Reporting
  • The use of wireless network technology is to be
    monitored on a regular basis for security and
    performance.
  • Authentication, authorization and usage and
    wireless network performance reports are to be
    made on an individual basis
  • Any unusual wireless network event that may
    reflect unauthorized use of wireless network
    services will be immediately reported by the
    wireless system administrator to the campus
    Security Incident Response Team (SIRT) for review
    and, if appropriate, investigation.

36
The key to security awareness is embedded in the
word security.
SEC- -Y
U - R - IT
If not you, who? If not now, when?
37
Resources at the University of Arizona
  • Kerio Firewall
  • https://sitelicense.arizona.edu/kerio/kerio.shtml
  • Sophos Anti Virus
  • https://sitelicense.arizona.edu/sophos/sophos.html
  • VPN client software
  • https://sitelicense.arizona.edu/vpn/vpn.shtml
  • Policies, Procedures and Guidelines
  • http://w3.arizona.edu/policy/
  • Security Awareness
    http://security.arizona.edu/awareness.html

38
  • University Information Security Office
  • Bob Lancaster
  • University Information Security Officer
  • Co-Director CCIT, Telecommunications
  • Lancaster_at_arizona.edu
  • 621-4482
  • Security Incident Response Team (SIRT)
  • sirt_at_arizona.edu
  • 626-0100
  • Kelley Bogart
  • Information Security Office Analyst
  • Bogartk_at_u.arizona.edu
  • 626-8232