Alan Calder on IT Governance, information security & ISO 27001

According to Outlaw, a “global survey of 900 taxi drivers shows thousands of valuable mobile phones, PDAs and laptops are forgotten in taxis every day. Too often the devices are unsecured – and employers are urged to take responsibility.
Businesses are being urged to use the password and encryption facilities available on the recent crop of high memory capacity mobile smartphones to protect the data in the event of leaving the devices in the back of a cab.
In the last six months in London, 63,135 mobile phones, 5,838 PDAs and 4,973 laptops have been left in the city’s 24,000 licensed cabs. British cabbies also found a harp, a throne, £100,000 worth of diamonds, 37 milk bottles, a dog, a hamster, a suitcase from the fraud squad, and a baby.
In the past three and half years since the survey was first carried out there has been a sharp increase in the number of powerful, executive-focused mobile devices being forgotten in London taxis with 71% more laptops and 350% more PDAs being left than in 2001, which in the wrong hands could cause the owner and their company enormous damage.
The survey in London was conducted by TAXI, published by the Licensed Taxi Drivers Association, and mobile security experts Pointsec.”

One sometimes wonders why senior people – people considered mature enough to be issued with laptops, mobile phones and PDAs – are so incapable of looking after valuable data assets – their wilful negligence in relation to data protection and privacy regulation, as well as to confidentiality requirements, suggests the time is coming when people who lose one of these devices should be disciplined.

Thank heavens for the taxi drivers, who apparently re-united 80% of people with their cellphones and 96% of people with their laptops and PDAs. I hope they charged extra!

Wireless insecurity has been in the press during the last week – the Sunday Times (March 6, 2005) spoke of a ‘virus epidemic’ threatening to wipe mobiles’ memories, while SC Magazine and Computing both report the astonishing absence of security in one third of the City’s wireless networks.

Why are there these failures?

OK, Cellphone “virus epidemic” is a bit of journalist panic-mongering; while Cellphone viruses have, indeed, been reported from a number of countries, there still aren’t a great many species (three, I think) and they still aren’t spreading terribly quickly – not 100,000 devices affected in 24 hours, but maybe 100 affected in a number of months. Sure, now’s a good time to be looking at Cellphone level anti-malware products, but it’s not yet time to panic.

Wireless, though, is a different matter. Who in the computer world doesn’t know that WiFi kit, out of the box, has no security configured? Who, in the computer world, thinks that security is important on the fixed network but not on (or for) mobile devices? Who is accountable for employing the computer ‘experts’ (the IT staff) who allow wireless laptops to be issued to staff – or, worse, allow wireless Access Points to be set up, without appropriate security?

You can sympathise with those employees who’ve taken with enthusiasm to the wireless world beyond their organization’s fixed perimeter: it’s great to not have the heavy-handed system administrator telling them what they can and can’t do. What is surprising is that sysadmins allow this state of affairs – or that their managers and executives turn a blind eye to it.

Because they are turning a blind eye, aren’t they? The alternative is that they’re just incompetent simply don’t know that wireless security is an issue, or that they’re supposed to do something about it.

Bluetooth devices, particularly mobile phones, are at risk from two types of attack from nearby or passing devices, bluejacking and bluesnarfing. A bluejacking attack involves sending text messages to the mobile phones of any users who are within range, and it could be used both maliciously and for ‘bluespam’. A bluesnarfing attack is potentially more serious, and involves the theft of all contact information stored in the phones. Not all phones are vulnerable to these sorts of attacks and as manufacturers respond to the discovery of these vulnerabilities, so there will be changes. At the moment (January 2005), it is said that Nokia 6310, 6310i, 8910 and 8910i models are at greatest risk. Apparently, “on some models of phone, you are only vulnerable to attack if you are on visible mode; however, there are other models of phones where you are vulnerable even in non-visible mode”.

The only defence is to turn Bluetooth off.

Gosh.