Fifty years ago personal and valuable information was held on paper. Little if any was stored on magnetic media, and what there was could easily be controlled by physical barriers. Yet banks worked well, taxes were collected, medical records were retained, and the only information thefts were of a relatively few individuals’ details, through corrupt employees or break-ins. Life is pretty much the same, but the wider use of information and the subsequent advances in technology mean that instead of a few copied or stolen notes, almost half the UK population’s bank details have gone missing on a few pieces of plastic.
It is not as if the technology does not exist to protect digital information. Encryption of many sorts has been with us for centuries, and it has steadily improved as the means of breaking encryption became cheaper and faster. So it is difficult to understand how and why sensitive information under government control is not secured by multiple layers of encryption and authentication. Or perhaps it isn’t.
Cost, complexity and perfection are hindrances to widely deployed security. Take the case of the personal PIN. It is widely known that with simple tricks PINs and card details can be discovered through ATMs or corrupt retailers. There are systems that generate rolling unique PINs which change within minutes and provide security for each individual transaction. The cost for mass deployment is less than £10 a user; however, the banks wanted a cheaper system that would not, presumably, burden their profits. Yet the banks will be the first port of call for anyone who loses money through the loss of government data.
As systems and data become increasingly interwoven, and the technology for accessing them more capable and mobile, we have seen ever more organisations declaring the loss or theft of personal information. A simple mobile phone now has the capability to store millions of highly detailed records with no obvious control. Data can be transferred simply, using a cable or Bluetooth connection from the PC ‘terminal’, and taken home. Who would see anything suspicious in having a mobile phone plugged into, or near to, a laptop? For instance, a Nationwide employee downloaded a database of customers to work on, but the laptop was stolen from their home. It could just as easily have been a USB memory stick, mobile phone or PDA, and who hasn’t lost one or more of those?
Of course any organisation holding sensitive information has looked at, or is looking at, security. The issue is that a perfect solution is desired, yet immediate problems are not tackled. It often takes many years to approve and purchase systems. But the threat is here now. Stable doors are being bolted too many times after a theft or loss has occurred, yet systems are widely available to provide practical everyday security.
There is a mature range of products which can centrally control, report on, encrypt and lock down access to information. Such systems can operate over any fixed or wireless bearer, protect PCs, laptops, terminals, mobile phones, USB connections, Bluetooth and WiFi, and encrypt to the highest levels any information on a device.
For example, it is a simple matter to steal a mobile phone and remove the SIM. No SMS command to lock the handset remotely will then get through. If the user, or organisation, has not specified a default lock, installing a deactivated SIM will allow access to the content of the handset. Thousands of personal details then become available through the phone’s memory. Even worse, the memory cards in the handsets can be flipped out and analysed for interesting information.
Due to the complex nature of the security threat and of information leakage, a mesh of products is required to provide endpoint security: for instance Pointsec (encryption), Condico (mobile device management and consultancy), F-Secure (mobile anti-virus), SecureWave/PatchLink (access and application control) and Citrix (virtual data access).
Instead of announcing that a stolen laptop had password security, would it not be better to be able to say that it was encrypted and traceable? Or is the loss of information just another sign of penny-pinching by organisations that seemingly no longer care about their customers?