ANALYSIS
Before you send me an e-mail message, let me explain I'm well aware that there has never been a documented case of a virus attacking a PDA. This may be because the Windows CE operating system is so simple. When Windows CE was initially designed several years ago, the engineers at Microsoft stripped down the Windows 95 operating system to its core, added a few simple applets, and the finished product became Windows CE. There's a basic rule in computing that says that the more lines of code an application has, the greater the chance the application may be exploited. Because Windows CE was such a simplified operating system, many of the weaknesses that viruses could exploit in other operating systems simply didn't exist. As the years went on, the Windows CE operating system got a little more bloated, but it still lacks most of the features found in elaborate operating systems such as Windows XP. Because of this, virus attacks have never been an issue. Although viruses are not known to attack PDAs, a PDA can act as a carrier for a virus. For example, imagine that a user employs a PDA to check e-mail. Now suppose an e-mail message contains an attachment that's infected with a virus. If the user were to open the attachment, the virus would probably not infect the PDA. However, if the user were later to synchronize the file to a desktop PC and then open the file on the PC, an infection would occur. In this situation, the virus didn't harm the PDA, but the PDA was able to act as a carrier that allowed the virus to be put onto the network. Everyone in your organization who uses a PDA should be running antivirus software, just as they would on a laptop or desktop computer. There are two ways that this antivirus software works. One type of antivirus software stores an auto-protection file and a virus-definition file on the PDA so that virus scanning occurs automatically each time a file is accessed. Another breed of software stores the virus definitions on a network server. Because virus-definition files take up a lot of space that many PDA users simply don't have, storing them on a network server ensures that the definitions can be updated regularly. Any time the PDA user attaches to the network, the antivirus software automatically connects to the virus definition files and scans the PDA before any infections can occur. Compromised data
Whenever a PDA is lost or stolen, there's a risk that the data stored on the device could fall into the wrong hands. When I speak to IT managers about the data that could be compromised if a PDA were stolen, they almost always tell me that the PDAs don't need any real protection because there is no sensitive data on them. However, I feel there's actually quite a bit of sensitive data on the typical PDA. For example, suppose a VP at your company lost a PDA. Fortunately, this particular VP used the PDA as little more than an electronic organizer. So there's no sensitive information on the PDA, right? First of all, the executive probably has an appointment book or a calendar stored on the PDA. And how much sensitive information is stored within the calendar? If you're not sure, ask yourself what your competitor could learn by sneaking a look at the calendar, contact list, etc. Let's say that the executive in question never kept juicy information about top-secret meetings or customer contact information in his PDA. In fact, let's pretend that the PDA was brand new and for all practical purposes was empty. There is still useful information that could be gathered from the PDA. If your company uses a wireless network, someone could steal your company's SSID, channel, and WEP pass phrase from a PDA. Depending on the configuration, someone might even be able to obtain usernames, IP addresses, domain names, or even passwords. Most, if not all, of the information that someone would need to break into your company's network could be stored on the PDA, either in the form of data or as configuration information. I say it could be stored as data, potentially, because an alarming number of people store passwords and PINs on their PDAs. According to one statistic, one in four PDA users store PINs and passwords on their PDA -- but don't protect the PDA itself with a password. Personal PDAs vs. company-issued PDAs
So the real question now is what to do about all of the security threats that face your PDA users. The first thing that I recommend doing is supporting company-issued PDAs only. Although I like giving users as much personal freedom as possible, I strongly recommend banning privately owned PDAs. If employees really want to use their own personal PDAs, my philosophy is that you can't (and probably shouldn't) stop them from using them -- but you can prevent them from connecting them to your network. I'm opposed to privately owned PDAs being attached to the network because it's difficult for a company to control what it doesn't own. If a user owns a PDA, you really have no way of verifying that the user is running the appropriate antivirus software. Likewise, there's no way to really tell if an application installed by a user is legal or pirated. For your users who have company-issued PDAs, you should create a security policy that is fully documented so there are no questions of what will be expected from them. The policy will likely be very similar to the policy for your laptop users. For example, it should address things such as how often passwords should be changed, what applications are allowed, and what types of data may be stored on the PDA. In the following sections, I've outlined more detailed security recommendations that you might consider including as a part of your PDA security policy.
Talkback
Till last night I was believing Windows CE machines can't get viruses.
I was happily surfing - began at CEO Express.com then accessed a couple of newspapers, The Times, The Independant ... suddenly a pop up screen appears along the lines of:
"Would you like to download a program into the current application? If you do not answer "yes' your computer's performance may be below par". The choices were: Yes, No or 'close window'.
I tried 'close window' but nothing happened. I should probably have then done a re-set. Instead I clicked "No'. Immediately, a 2nd, 3rd, copy of the same pop up appeared.
Sometimes I could get one to disappear with the "no", but then two or three more would appeear. Eventually I did a reset & logged back online; into IE again and ... whoops, 1,2, 3 ... pop ups appear. Surfing the net is no longer practicable.
Is anyone out there familiar with this and can suggesty what I can do?
My machine is a H/PC, in fact an Intermec 6651, similar in spec to the MobilePro 790 (MIPS; running Windows for Handhelds 2000, Core System 3.0, IE 4.01).
Grateful any help!!!
ps: I've just posted a similar message on CE City (H/PC) site.
RJ99 in Saudi Arabia
T
I am looking for a PDA security applet that will function like "OnlyMe" only be compatible with a Palm OS or a Win CE platform. Know of any developers that do that?
You have display name. Display name where?
http://www.handango.com/PlatformProductDetail.jsp?siteId=1&jid=59X49332835D53229CF35XF49D35X578&platformId=1&N=96804&productId=174702&R=174702