Tuesday, September 07, 2004

CALIFORNIA SECURITY ISSUES OVER MOBILE DEVICES

SignOnSanDiego.com, Technology news

Portable pilfering: Personal electronic devices could be used to steal sensitive company data
By Jonathan Sidener
UNION-TRIBUNE STAFF WRITER
September 6, 2004

DAVID MOLLERING / Union-Tribune

Stay tuned for this week's episode of "When Technology Attacks."

Watch as the rogue iPod fells the unsuspecting information technology manager. See a swarm of tiny "thumb drive" memory devices slip past the corporate firewall to infect the network with viruses and spyware. Don't miss the camera phone as it steals an image of the company's top-secret research project.

Like nature, personal electronics have a dangerous side.

Information technology managers already have their hands full battling a constant stream of viruses, worms and spyware. Now, many are keeping a wary eye on portable devices such as iPods, USB thumb drives, personal digital assistants and camera phones that can "walk away" with company information.

iPods and other music players, with hard drives of up to 40 gigabytes, have the potential to transport more than music. Employees could use them to haul away massive amounts of sensitive data, network security experts say.

On the move
Some of the devices that may be cause for concern in the workplace:

Flash drives: Flash-memory drives, also known as thumb drives because of their tiny size, plug into a computer's USB port and can hold up to 2 gigabytes of data, pictures and music.

MP3 players: These include Apple's iPod as well as other digital music players that have their own 20- to 40-gigabyte hard drives, such as Creative's Zen Touch and RCA Lyra Jukebox, which connect to computers and can quickly transfer music or other information to the player.

PDAs and smartphones: A growing number of personal digital assistants and smartphones have e-mail and Internet access, and come with removable memory cards for storing information that can be put on the cards via a computer.

Camera phones: They're becoming ubiquitous, and snapping a picture can be done easily and surreptitiously. More phones are also starting to come with video camera capabilities. There are some stand-alone digital and video cameras that are small enough to be worn on a neck chain.

PDAs and "smartphones" can come with 128 megabytes or more of built-in memory, as well as slots for expansion cards and Internet connections capable of sending data from a business without showing up on corporate e-mail logs.

Portable USB thumb drives can pick up contaminated files from home computers and carry them past corporate firewalls and onto company terminals.

In addition to threats from malicious employees and viruses, the devices present a security risk because they can be lost or stolen.

Camera phones can capture details of valuable intellectual property such as schematic drawings or a proprietary manufacturing process.

Though there are no high-profile cases of personal electronic devices being used in corporate espionage, technology analysts at Forrester Research and Gartner Inc. say the growing popularity of such gadgets creates a real and growing threat to corporate security.

In a recent research report, Gartner analyst Ruggero Contu recommended that companies ban the devices.

"Companies are at risk of losing intellectual property and other corporate data," Contu wrote. "Portable storage devices are ideal for anyone intending to steal sensitive and valuable data. Employees may also be responsible for losing data if they inadvertently mislay these devices."

In addition, companies risk penalties for public disclosure of financial and medical information. They also face public-relations problems if they breach privacy laws, Contu said. In states such as California, companies are required to contact individuals when computerized personal information is made public or otherwise compromised.


Preventive steps
There are some steps companies can take to deal with portable devices.

Personal firewalls can be installed on individual computers in the network, Contu said. Other products monitor or prevent personal devices from connecting to the network.

Contu recommends that any sensitive information be encrypted when stored on a portable device.

Forrester analyst David Friedlander said that in a few cases, major financial companies have lost confidential information when laptops were stolen. In another case, a former Morgan Stanley vice president sold a used BlackBerry PDA on eBay.

"There was still confidential information and e-mail on there," Friedlander said. "The device wasn't even password-protected."

Some companies have started banning these types of devices in the workplace.

At Intel, for example, the company forbids all digital cameras, including those integrated into cell phones and laptops, in the "clean rooms" where computer chips are manufactured and in engineering areas where the secrets behind the company's patents are developed and stored.

The company also has a policy covering portable storage devices. Confidential information can only be downloaded onto approved devices that have password and anti-virus protection, spokeswoman Shannon Love said.

"We don't have any major, companywide policy banning MP3 players, PDAs and thumb drives because we haven't seen any problems with them," Love said. "Of course, that could change tomorrow if we saw a problem."

Because companies are often reluctant to discuss security policies, it's difficult to know how many businesses restrict personal electronic devices.

Qualcomm, for example, declined to say whether it prohibits or regulates employees' use of gadgets in the workplace. Kyocera and Sony did not return phone calls for comment.

A spokesman for Carlsbad-based golf equipment maker TaylorMade said the company's research area is not accessible to the public or to non-research employees, so there's no need to restrict camera phones.


Cautionary tale
Chicago-based Pointsec Mobile Technologies demonstrated the risk of accidental loss of information through a project it called "The Life Cycle of a Lost Laptop."

The company, which makes software to encrypt information on portable devices, bought 100 used laptop hard drives from Internet auction sites.

The first drive the company bought on eBay contained passwords and administrative rights to the intranet of a large European financial-services group, Pointsec said.

While the disk had been reformatted, supposedly wiping out all information, Pointsec was able to restore files that had information about pension plans, customer databases, financial information, payroll records and personnel details.

Dozens of Microsoft Excel documents revealed customers' e-mail addresses, dates of birth, home addresses and telephone numbers.

"You can store a lot of valuable information on a laptop, PDA or smart phone," said Peter Larson, Pointsec's chief executive officer. "If that information is unprotected, you've got a problem if you lose that device. The information on mobile devices is often very fresh data."

At San Diego software maker SmartDraw, the company sees ever more aggressive spyware as a more immediate threat than the potential for iPod-based corporate espionage, said Mark Sulzen, vice president for information technology.

Sulzen said he is more concerned about the liability of copyright violations from pirated songs downloaded from music players to the corporate network.

"We have a policy that anything stored locally has to be in compliance with copyright law," he said. "Whether it's music, or even fonts, it has to be licensed or purchased."

The company has no immediate plans to restrict iPods or MP3 players, Sulzen said.

"You have to be able to trust your employees," he said. "That's the best prevention. There are so many ways to rip data off. If someone is out to steal intellectual property, they don't need an iPod. They can burn a CD."

Jonathan Sidener: (619) 293-1239; jonathan.sidener@uniontrib.com