Security threats Toolkit

Protecting against everyday security risks

Tags:
Mobile Phones,
Security,
Search Engines,
PDA

John McCormick Tech Republic

Published: 19 Sep 2006 13:05 BST

Just because specific threats haven't surfaced doesn't mean you can afford to let down your security guard. In fact, regular business tools can sometimes present the biggest threat. For example, employees' mobile phones and PDAs can pose a gigantic risk to data security, and the use of search engines may compromise your company's privacy.

It seems simple enough: your company permits employees to use PDAs, BlackBerry devices and mobile phones, which they load up with personal and corporate information — including accounting details, private phone numbers of various staff, and (almost certainly) highly confidential information, such as passwords, client names, contract details, and so on. However, while these devices greatly speed up business, they're safe only as long as no one loses or has one of the devices stolen.

In addition, even if that data is secure when in the user's control, what happens when you sell or otherwise dispose of the old models? You don't crush them — you probably either sell or donate them. But surely that's no problem if you just perform a hard reset?

Wrong! Security company Trust Digital decided to test this assumption. The company purchased 10 phones and PDAs on eBay and then started digging into the information still on the devices.

According to its press release, what they discovered was an incredible treasure trove of nearly 27,000 pages of data from nine of the devices. Some of the information was highly sensitive — even from the devices that had been through a hard reset. The problem, of course, is that the devices' Flash memory retains data even after a hard reset.

A few devices now include a hard wipe function, but most require special software to completely remove the information on your PDA or smart phone. Personally, I'd use a hammer — just as I would on any hard drive I was discarding.

Searching for security in all the wrong places?
The recent antics of some AOL employees — now former employees — have highlighted the newest threat to privacy on the Internet. The workers released three months' worth of data on the search patterns of a massive number of users. Consider just how much information one could discover about the average person or company by looking at their search engine activity, and you should understand the level of concern.

A recently developed program for Firefox is the first of what will probably become a flood of products designed to give users an easy way to hide in plain sight by automatically generating fake searches. Designed by New York University computer scientists, TrackMeNot creates and sends randomly combined words in an attempt to bury anyone who searches your records in a flood of confusing and nonsensical data.

Although the most paranoid among you may decide to give this software a try, I doubt it's sophisticated enough to really work. However, if it proves popular at all, you can expect a flood of similar programs.

But let's consider the possible ramifications. What if the random searches generate search strings that bring you to the attention of those automatic scanners almost certainly used by the government? If these programs become popular, will the flood of nonsense searches overload search engines? Could these tools help inflate the number of search hits to increase advertising revenue? Will the flood of nonsense searches cause search engines to generate the relatively simple code necessary to block all search requests from people who use this kind of software?

The possible downside of these programs is pretty obvious, but that probably won't stop millions of people from using them. While the idea has some merit, I'd file this kind of software in the bin labelled "too many possible unintended consequences". If you really don't want people to know what you're researching, try using a search engine that doesn't gather any personal information. One notable example is Clusty.com, which boasts a simple, straightforward privacy statement. (I'm sure there are other sites like this, but Clusty is the one I happen to use.)

Compare this to Google. The most obvious example of what can happen is if you have a Gmail account. If so, then there's a cookie on your computer, and Google can track all your searches. Of course, if you give factual information about your identity to a free email provider, then you probably deserve what you get.

On the other hand, I use a lot of Google features and find the automatic identification useful. It all depends on what you're doing on the Web — and what you feel the need to conceal.

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.