Mobile Technology Security Considerations

As laptops become more portable and handheld devices more powerful, it's easier than ever to take your computing environment to go. Fast Internet connections are also easier to find when you have wireless connectivity. But with this enhanced mobility comes additional information security risks. By understanding these risks and implementing tools to help minimize them, you can keep your mobile computing safe and convenient.

The Pitfalls of Wireless Networks

For road warriors, wireless network technology, often referred to as Wifi, offers a readily accessible and speedy on-ramp to the Internet. WiFi hotspots are becoming increasingly common in the U.S., found everywhere from coffee shops to hotels, even baseball stadiums like SBC Park in San Francisco. Community-based upstarts such as SF Wireless and NYCWireless together are building publicly-accessible WiFi networks in their hometowns. Gartner market research estimates 30 million people will connect to the Internet via public WiFi hot spots in 2004.

However, this proliferation of public wireless networks has evolved with ease of use in mind -- data security has been a secondary concern. Standard WiFi security mechanisms such as Wired Equivalent Privacy (WEP) and the newer WiFi Protected Access (WPA) -- can be cumbersome to configure.

As a result (with a few exceptions) Wireless Internet Service Providers (WISPs) such as T-Mobile HotSpot  and Wayport have chosen not to implement the kind of security that protects data transmission on their networks. Simply put, they would rather make their networks easy to use than complicate them with security configurations, which could be a potential turn-off for their customers.

Similarly, in a frenetic rush to lure customers, mobile technology manufacturers have rapidly put products on retail shelves that lack proper safety measures. Laptop computers, personal digital assistants (such as Palm devices), Pocket PCs, and powerful mobile phones with wireless networking capabilities usually don't require security to operate and most come with these features turned off by default. Again, securing devices and explaining how to implement security requires an investment in time, and often it's just easier to forget about security -- that is, until something disastrous happens as a result.

Eight Hotspot Dangers and Ways to Protect Yourself

Because of this emphasis on ease of use, wireless networking has a number of vulnerabilities. People connected to an unsecured WiFi network could eavesdrop on your data transmissions (the practice is commonly known as sniffing), and hackers could launch viruses and other attacks. When you connect to a hotspot, you should assume that it is a network environment that you can't trust and that there are pitfalls that could make your wireless experience painful.

A good defense involves layers of security, each designed to thwart certain threats. Anticipate the following hazards and apply some safeguards against them.

1. Viruses and worms:

   Keep the nasties out with anti-virus software. It's not enough to be cautious just with e-mail anymore, either. Two recently unleashed worms, Sasser and Korgo, infect one computer and then start looking for other networked computers close by to attack. This is especially dangerous when you're connected to a hotspot. If one hotspot user catches this kind of bug, it may try to get you next. So keep your anti-virus software up-to-date with the latest definitions. Better yet, configure your software to check automatically for updates on a regular basis.

2. Another closely related and increasingly common threat is spyware and malware. The steps outlined here will protect you from most of this harmful software, but you can also install utilities like the freeware title Spybot Search & Destroy and Lavasoft's Adaware.

3. Flaws in software:

   Be diligent about updating key pieces of software -- particularly Microsoft Windows, Outlook, and Internet Explorer -- to close vulnerabilities in them. Take advantage of Microsoft's Windows Update service and Apple's Software Update utility to patch newly found security vulnerabilities. Like virus protection, you can set your computer to automatically check for and download updates. You may have to take further action to install them after they have downloaded.

4. Intrusions:

   A personal firewall will help prevent active attacks, such as attempts to search through your computer for interesting information or deliver a damaging piece of software to your system. Windows XP and Macintosh OS X have basic firewall capabilities built-in. Read about other personal firewalls and their more advanced features in "Firewalls and You ." Like anti-virus protection, a firewall also needs to stay up-to-date and be configured correctly in order to be effective against the latest attacks.

   Software publishers like Symantec and McAfee now bundle their personal firewalls with their anti-virus offering. This is often cheaper than buying the two pieces separately, and there is more integration between them, which offers the ability to update both parts with a single click.

5. Snoops:

   Secure the transmission of your data over the wireless network by encrypting it. In basic terms, encryption makes the data you transmit incomprehensible and therefore useless to snoops. If your organization has a VPN, use it to make it virtually impossible to decipher the data you transmit in case someone is listening in. You can also purchase VPN service from a provider. Some WISPs, such as Boingo, offer VPN to Windows customers (for an additional charge), while VPN service providers such as AT&T (see AT&T: Enterprise Business: Products & Services) and MCI (see MCI: Enterprise: VPNs ) have partnerships with WISPs to provide wireless VPN access. You might also want to check out hotspotvpn.com , which offers a low-cost subscription.

   If VPN is too expensive, at least don't send sensitive information such as passwords, credit card details, or other personal information without securing it first. All widely-used Web browsers support Secure Sockets Layer (SSL) connections, which is the standard way of temporarily establishing a secure connection with online retailers and other Web sites with whom you might exchange sensitive data.

   Also, e-mail is particularly vulnerable to snooping if you are not using encryption. In most cases, e-mail is sent "in the clear" -- there's nothing to scramble the messages or even your usernames and passwords. When you log on to Yahoo! Mail for example, unless you specify an SSL connection before sending your password, there is no security applied to obscure the e-mails you send and receive. Popular e-mail applications such as Microsoft Outlook, Outlook Express, and Eudora offer ways to establish a secure communications link with e-mail service providers that support secure connections.

   Finally, don't discount the old-fashioned, over-the-shoulder snoop. In a bustling publicly-accessible space, it's not hard for someone to spy on your keystrokes while you enter the username and password to your online banking account, for example. The same precautions apply to kiosk computers, ATMs, and other machines on which you might enter sensitive information.

6. Strong passwords:

   Of course, it makes it much harder to steal passwords if they are complex. A password such as "R#atg09\f" is hard to remember and crack because it has all the elements of a good password -- a mixture of capital and lowercase letters, numbers, and special characters. But, how do you remember a password that is by design difficult to recall? Check outAn Introduction to Internet Security in the Workplace for a more detailed look at strong passwords.

7. Unrestricted wireless networking configurations:

   The wireless adapter on your laptop or handheld is capable of operating in two modes, infrastructure and ad-hoc (also called peer-to-peer). At a hotspot, you should disable the ad-hoc mode, which could allow another user to piggyback onto your connection. In Windows XP, depending on which service packs and updates you've applied, these options reside within the advanced properties of the wireless network connection configuration, If you are using OS X, deselect "Allow this computer to create networks" in your Network System Preferences, or don't choose "Create Network" from your AirPort drop-down menu.

   Also, if your device is powered on and you have your networking set to automatically connect to available wireless networks, you could be associating with wireless access points without even knowing it. To prevent this, turn off any features that automatically connect you to available wireless networks.

8. Ignorance of risks:

   Give yourself the advantage by knowing what to watch out for. By reading this article and other information about security, you're already taking an important step towards protecting your computer. Be familiar with the latest news about security threats. If, for example, you hear on the morning news that there is a virus rapidly making the rounds, update your anti-virus program and have a basic understanding of the mechanism the virus uses to propagate (for example, by e-mail attachments, file sharing, etc.). A bit of knowledge about computer security will help you take the appropriate steps to protect yourself.

Security at Home

Most likely, you'll want to put your mobile technology to work at home too. If you happen to share a wireless connection to the Internet with others in your household or apartment building, the security precautions outlined above will go a long way to protect you. As well, if you set up your own wireless network at home, it's a good idea to implement the security features on your wireless access point.

Enabling WEP or WPA, disabling service set identifier ( SSID) broadcast and turning on Media Access Control ( MAC) filtering will make it harder for malicious users to connect.

In an organizational setting, the same rules apply, but it may become harder to implement some of these security measures -- the more users you accommodate on a network, the more difficult it is to administer some of these steps. But with more users come more vulnerable entry points for bad things to happen, so it becomes increasingly important to secure the network.

Loss and Theft

Of course, no firewall or software update is going to protect you from the loss or theft of your equipment. Your information is valuable, but so is the hardware itself. Use cable locks and other devices to secure your equipment where appropriate.

Also, in the event that you do lose your device, password protection will at least slow down a thief or other prying eyes from pilfering information such as credit card numbers and other important data that you may have stored on your machines. It may just buy you the needed time to cancel your accounts or make other arrangements.

Time to Get to Work

Now it's time to implement these precautions. There are handy guides on TechSoup (linked throughout this article) to help you with the hands-on work, as well as links to other resources below. Also, go to TechSoup Stock to see the anti-virus and other security software on offer.

Keep in mind that there is an element of cooperative effort when it comes to security. For instance, if more computer users installed anti-virus protection and kept it up-to-date, it would make it much harder for viruses and worms to propagate. A firewall on every computer would slow the spread of spyware. Increasing security on your mobile technology ultimately helps everyone, especially those who may not know how to apply the same security.

At the same time, all this talk about security may seem a bit seem daunting and cryptic. Implementing good security requires diligence. When you consider the other work you could be doing for your organization, the benefits of mitigating security risks may seem small. In reality, only a small portion of the population has the ability, the will, and the time to concoct a virulent virus or hack into a laptop you're using in a café.

Also, no matter which security measures you incorporate, nothing is perfect, and there is no way to protect against every conceivable threat.

But understanding the risks and having an informed sense of which ones may be the most threatening to you will allow you to take the appropriate steps now and in the future as new threats emerge.

Resources

• Wi-Fi Planet's article Securing your Wi-Fi Connection on the Road
• PC Magazine's article Hot-Spot Hazards
• Security Focus' comprehensive, two-part series on protecting mobile computing users:Part one: http://www.securityfocus.com/infocus/1777 Part two: http://www.securityfocus.com/infocus/1781 Technical white papers on wireless standards and security:
  http://www.drizzle.com/~aboba/IEEE/