Mobile workers create pocket-sized security problems

Nick Marlow

Thursday 06 April 2000 12:00

The demand for mobile networks and home working is bringing a new breed of security problems. What steps can be taken to protect data outside the network fortress? Nick Marlow investigates

The number of security breaches caused by mobile users is on the increase. A few weeks ago a MI5 agent had his laptop, containing secret information, stolen from a busy train station. A simple opportunistic theft sparked a national security threat.

Six months ago a bank sold an old notebook to an IT security company - unfortunately forgetting to wipe it beforehand. The laptop contained all the banking details of some of the bank's key customers, including the former Beatle Paul McCartney. Fortunately, the data was returned rather than being sold to a newspaper.

There are tales, confirmed by the Metropolitan Police's Computer Crime Unit, of a black market in computer data where foreign powers are key customers.

A police spokesman also confirmed that hackers frustrated by corporate firewalls were making attacks on softer targets like company PCs based in home offices, where access can be gained by finding user passwords. "I couldn't work out why my home modem number kept ringing," New York-based publishing agent, Sandra Sisco told Computer Weekly. "When I installed a firewall, I discovered that whenever I was online, I was being attacked by a hacker - the mysterious calls were to establish if I was online".

Remote chance

Internet consultant Thomas Wang, of Saw IT, has seen security breaches dealt with by his company, which involve mobile devices, double in the past 12 months as more companies farm their users outside corporate buildings. And he predicts things will get worse. "Too many IT managers operate an out-of-sight, out-of-mind policy when it comes to remote users and, as a result, they are going to get burnt," Wang says.

Dr Neil Barrett, technical director at Information Risk Management says the most obvious security risk is that a notebook or a PC installed in a home is going to be stolen.

"If you are going to have a notebook, it should be stored in a conventional case. I am always surprised when I see people walking down the street with their speciality note-book cases practically asking to be nicked.

"To be fair, many of the thieves are not going to be concerned about the data and are more likely to sell the notebook in a pub somewhere. But, if they can get data out of the machine, they have information that they can sell at a far greater price," Barrett says. IT managers should treat every unit as if it is going to be stolen and pass into the hands of a hacker, he adds.

With this security standard, it is clear that ordinary password protection is not enough. "Passwords are too easy to by-pass. You need to make sure that all files are safely encrypted," Barrett says.

Some care is needed here, as some security programs do not encrypt a lot of interesting information like temp files or back-ups. "The best sort of program is something like Stop Lock that prevents access to the hard drive," he says.

Barratt also suggests that managers should recommends a software-based firewall to counter attacks on modem-based users. It is also vital that each unit has the latest in anti-virus checking software. Home PCs are more likely to be used for games or home surfing and catch viruses that could be drawn into the main network.

Smartcard - smart move

One of the crucial issues is ensuring the network correctly identifies the mobile user. Having ruled out passwords as being too vulnerable, Barrett likes the concept of dial-back one-time only passwords. Using this system, a smartcard generates a network password that matches another created simultaneously by the network. The card is protected by a password of its own.

"This system is nearly impossible to crack - unless someone loses the smartcard, and even then the thief has to work out the card password," Barrett says.

More recently, there has been a drive for biometric passwords and some companies have equipped laptops and home units with thumbprint readers. According to Grant Morgan, managing director of biometric security company Impleo, thumbprint readers created peace of mind for network managers who got sick of users losing or forgetting passwords.

"According to our survey, more than 63% of IT managers, get asked password-related queries on a daily basis. Maintaining passwords is costly - we estimate it costs £80 per user annually," says Morgan.

Impleo makes the MT Digit, which Morgan claims has a 99.8% reliability rate. "At a recent show it only had trouble reading the thumbprint of one person who had extreme eczema," claims Morgan.

Barrett is less sure of the effectiveness of biometric systems. "The problem with biometrics is that they need to have a fairly wide range of error because people will not always get a perfect reading - for example, their hands might be dirty. A hole in identification is one that can be exploited, whereas a secure password system does not have that problem."

But Morgan rebuts this saying that passwords can be forgotten, written down, or smartcards lost and this represents a substantially bigger security threat.

The rise of wireless application protocol (Wap) systems, such as phones and notepads, has created another problem for network security. These units are easy to lose and usually have access to company networks. This is coupled with the fact that the latest versions of the Wap protocol cannot provide end-to-end security.

Wap security

Wap security expert Paul Turton, associate manager of advanced telecommunications services for the Computer Science Group, points out that the finance company Deutsche Bank keeps its Wap gateways in-house because it fears external telephone company Wap gateways are too easily compromised. "Generally, Wap devices are as secure as any other form of dial-up deviceÉ but you do need to take precautions such as encryption and hard-to-crack PIN numbers," Turton says.

Turton does not believe there will be much call on biometrics and smartcards for Wap devices as these will push the cost up too far.

Wang says that if companies have a proper security policy, the difficulties of Wap and other mobile devices will be solved by commonsense solutions.

"However, with more than 60% of British companies not having a proper security policy, or, at best, having an ad-hoc one, the introduction of mobile devices is going to make life extremely dangerous for them."

Top five mobile security threats