Chapter 19: Securing Mobile Computers


This chapter is from the Microsoft Windows Security Resource Kit by Ben Smith and Brian Komar with the Microsoft Security Team (Microsoft Press, 2003).

Mobile computers present a special security risk because of their portability and small size. They are at much greater risk of physical compromise and are much more difficult to manage. Often, when people hear the term mobile computers, they think it applies to only laptop computers. But mobile computers also include Microsoft Tablet PCs, PDAs, Microsoft Pocket PCs, and wireless phones. Each of these devices can carry secret information, such as passwords, or information that could be used to break into their respective networks.

Understanding Mobile Computers

Mobile computers face all the threats that desktop computers do, but they also face additional threats. These vulnerabilities include the following:

  • Increase in the possibility of being lost or stolen

  • Difficulty in applying security updates

  • Exposure to untrusted networks

  • Eavesdropping on wireless connectivity

Increase in the Possibility of Being Lost or Stolen

Laptops and other mobile devices have a much greater chance of being stolen because of their mobility and small size. A thief could easily hide a laptop in a briefcase or under a coat. Even organizations that have tight physical security are susceptible to this type of theft. For example, in February 2000, a laptop belonging to a U.S. State Department employee and containing top-secret information was stolen from a conference room inside the State Department. Furthermore, although some laptops will always remain within the boundaries of company facilities, most users will work on their laptops away from the office. Consequently, the network security of such laptop computers is enforced by those organizations' corporate security and IT departments. But the users themselves are responsible for the physical security of their laptops. Users take their laptops home, on business and personal trips, and to school, and they sometimes leave their laptops in their cars unattended and in plain view during those stops. In July 2000, a commander in the British Royal Navy had his laptop stolen from his car, which was parked outside his house. His laptop was reported to hold top-secret information.

Thieves target laptops because they are small, high-value items that can easily be sold. If a thief is sufficiently computer-savvy or sells the laptop to an attacker, he can potentially retrieve all the information from the laptop. This information includes cached passwords for network accounts; cached personal information from Microsoft Internet Explorer; personal information, such as names, addresses, and birthdates for people in address books; and the actual company data on the laptop. An attacker can use this information to attack the organization's network or steal the identity of the user or her friends and family. Furthermore, the stolen laptop might contain information that is confidential or secret. An information leak resulting from a stolen laptop could have a tremendous impact on your organization if that information falls into the wrong hands. This might sound alarmist, but several high-profile incidents of laptop theft have occurred in the past few years, including those government incidents mentioned earlier.

The corporate world has not been immune to such incidents of laptop theft. In 2000, the laptop belonging to the CEO of Qualcomm was stolen after he delivered a presentation at an industry conference. According to the media, the CEO was less than 30 feet away when his laptop was stolen from the podium from which he had been speaking. Because the CEO had been using his laptop to give the presentation, it is likely that he left it unlocked when he walked off the podium, rendering many types of data protection, such as encrypting file system (EFS), useless. Although the thieves in the cases we have mentioned so far might not have been targeting the organizations whose laptops they stole or the information on those laptops, no evidence to the contrary exists.

Some organizations face a greater threat of having their laptops stolen. For example, hardware and software companies might be targeted by attackers hoping to steal the companies' latest and greatest inventions. And law enforcement and government agencies might be targeted by attackers hoping to gain access to the secret information contained on their networks.

Mobile telephone devices also have a high incidence of theft and loss. At the very least, a thief can use a stolen phone to make long-distance and international phone calls, creating very expensive phone bills for the owner. A thief can also retrieve contact information from a phone's address book, potentially subjecting the phone owner's friends and family to identity theft. A more serious vulnerability, however, is that many mobile phones have Internet access, or even full computing power, such as the Pocket PC Phone Edition devices. Such devices can have confidential information stored on them, such as passwords and private e-mail messages. Other types of devices in this category include handheld e-mail devices such as the BlackBerry, PDA devices such as Palm Pilots, and handheld PCs such as the Compaq iPAQ. Because it is often difficult for users to input data into these devices, perhaps because they must use an onscreen keyboard or handwriting recognition software, users of these devices frequently store network credentials, such as passwords, persistently. An attacker could retrieve these credentials to later attack the network of the device user's organization. These mobile devices also have the capability to store files, which an attacker could retrieve from the device if stolen.

Laptop computers and mobile devices often have accessories and add-ons that might hold confidential information. Such accessories include conventional removable media, such as floppy disks and CDs. Another class of removable media includes high-capacity, solid-state devices, such as CompactFlash cards, Secure Digital (SD) cards, smart cards, and Subscriber Identity Module (SIM) cards for cellular and wireless phones. Smart cards and SIM cards, in particular, can contain data such as private keys and personal information that could be used to attack the network of the device user's organization, if they fall into the wrong hands.

Difficulty in Applying Security Updates

Unlike desktop computers, which have a somewhat static place in the network infrastructure, laptop computers often roam among many subnets and networks, not to mention leaving the local area network (LAN) altogether. The mobility of laptop computers makes them much more difficult to manage centrally, which greatly increases the difficulty in applying security updates, including hotfixes, service packs, and virus definition files. This mobility also increases the difficulty in assessing how current the security updates are. Traditional methods of applying security updates, including manual application and the use of network management software such as Microsoft Systems Management Server (SMS), are often ineffective with laptop computers. This is because these methods depend on computers being in a static physical location as well as a logical one on the network.

This issue is especially problematic for laptop computers that rarely or never are connected to the LAN. When these computers do connect to the network, they often do so through low-bandwidth connections, such as modems. For all intents and purposes, these computers are self-managed by their users, making these users responsible for knowing how to locate and apply security updates themselves. If security updates are not installed, the laptop computer will be vulnerable to known exploits, which is particularly alarming because these computers are often directly connected to untrusted networks.

Exposure to Untrusted Networks

Desktop computers are always connected to the LAN on which their security settings can be managed and are protected from the Internet and other untrusted networks by firewalls. On the other hand, network administrators cannot be sure which networks laptop users will connect to. When at home or in hotels, a laptop user will connect directly to the Internet without any protection and the machine will be exposed to the legions of attackers scanning for vulnerable computers connected to the Internet. A user might also connect her laptop to the networks of her business partners and the semipublic networks at industry conventions, where confidential information can be exposed to anyone who succeeds in breaking into the laptop. Once the user connects her computer to such an untrusted network, a network administrator can do little to protect the machine from attacks that can be launched against it. For example, enabling Internet Connection Firewall (ICF) in Microsoft Windows XP will provide excellent protection against attacks attempted over the organization's network when a user is connected to untrusted networks; however, when the user is connected to the corporate network, ICF will prevent the application of Group Policy.

Eavesdropping on Wireless Connectivity

Many laptops and mobile devices are now equipped with 802.11b or Bluetooth wireless network interfaces. Many users do not realize that connecting their laptop or mobile device to a wireless network that is not secure is similar to having a sensitive conversation in a crowded restaurant or subway: anyone who wants to listen in can. Public and private wireless networks are becoming more common in public areas, such as airport terminals and cafes. Users might be tempted to connect their laptop or mobile device to these networks for the convenience it affords, not realizing that the information they are sending and receiving might be traveling via an untrusted network.

Many home computer users and businesses are installing 802.11b wireless networks these days. Unfortunately, the built-in security measure of these networks, Wired Equivalent Privacy (WEP), has an inherent security vulnerability. When exploited by an attacker, this vulnerability can enable the attacker to connect to the wireless network directly. In addition, many users and administrators are lulled into a false sense of security by the signal strength of their wireless access points. These users and administrators assume that their laptops can achieve this maximum signal strength, but in reality, attackers can build or purchase inexpensive wireless antennas to intercept wireless network transmissions from more than half a mile to a mile away.



