The closest thing to a secure PDA that I have found is the Blackberry device - we did an evaluation, and they actually came out pretty good.
Connie

-----Original Message-----
From: Jay D. Dyson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 01, 2001 7:06 PM
To: Security-Basics List
Subject: Re: Secure PDAs - an oxymoron?

On Fri, 30 Nov 2001 [EMAIL PROTECTED] wrote:

> I have been tasked with finding a way to supply secure PDAs to a
> Marketing Team. These devices will contain extremely sensitive
> information and I have recommended that the current state of the PDA art
> means that these devices cannot be properly secured but have been
> overruled!

Sad to say, this tends to be the rule rather than the exception. Those of us who know what the devil is going on are often capriciously overruled in the name of Convenience. But just wait 'til all hell breaks loose and watch where the fingers point.

To that end, there's a practice I started long ago that seems to keep this sort of thing to a minimum. Basically, when I put forth recommendations and they are overruled, I follow it up with a piece of paper that the overruling parties *MUST* sign which indicates that they have read and understood my recommendations and have chosen to not follow them.

There's something about forcing people to put their John Hancock on a piece of paper that outlines the risks they're apparently willing to take in the name of convenience. For one thing, it gets the security advisor off the hook and places them right on it. Tends to make security detractors seriously rethink their position.

> Am I right?

Yes, you are right. PDAs are not built for security. Never have been. Hell, the folks at @Stake (formerly the l0pht) have practically made it their *hobby* to show the plague of security issues that exist with PDAs (http://www.atstake.com/research/tools/index.html).

This isn't to say that PDAs are a bad thing. My Palm Pilot is the digital equivalent of a microwave oven. I got along fine without it before I had it...but now that I have it, I can't imagine a day without the little beastie. Even so, I won't put *anything* I consider remotely sensitive on it.

> Can anyone recommend a way of securing these devices out in the field?

In a manner of speaking. First, you'll need to disable every wireless networking convenience associated with them (that means no infrared, too); disable the "hotsync" functionality; sync data only to a hardened non-networked system; and keep it locked in a trusted safe when not in use. (Because of their small size, theft is always a major issue.)

> Is one make inherently more secure than another? Can anyone recommend
> software or hardware add-ons which can help secure these devices? Is
> there any way to prevent the PDA user from making unauthorised changes
> (e.g. using policies)?

Not that I know of.

> The environment they will need to connect to comprises WinNT4 network
> with WinNT4 PCs.

I hold out little hope for security, but that's my personal bias courtesy of a long history in dealing with the fallout from NT system breaches.

-Jay

"There's always time for a good cup of coffee"
Jay D. Dyson -- [EMAIL PROTECTED]
Si vis pacem, para bellum.
