This week in Washington, DC, many of computer security's best and brightest minds have gathered to present research and to offer training on the latest attack techniques and network defenses. Patterned after the popular Black Hat Briefings held in Las Vegas every summer, Black Hat Federal is gaining popularity--especially with security professionals in and around the DC beltway. But even though GBM readers are probably more interested in CES than the Black Hat conferences, there's a wealth of information for anyone that's even slightly interested in computer security.

As an information security engineer, I tend to spend a lot of time planning how to prevent bad things from happening to computers and information. In the real world, however, bad things happen all the time and we have to deal with it. One of the bad things that can happen is to your laptop, tablet PC, or UMPC is theft or loss due to negligence. In either situation, all your sensitive data is potentially at risk (this is the kind of scenario we're hearing more and more about in the news). Wouldn't it be great to have some kind of built-in "failsafe" mechanism to protect your data if you knew it had fallen into the wrong hands?

Enter the OmniAccess 3500 Nonstop Laptop Guardian by Alcatel-Lucent. It has the ability to "remotely secure, monitor, manage, and locate mobile computers." When they say "secure," they mean it. If your laptop, tablet PC, or UMPC is reported lost or stolen, the Laptop Guardian can automatically destroy all data held on the device--even if the computer is turned off. How is this possible? The Laptop Guardian relies on a "secure, always on" computing system within a 3G broadband data card. This data card, which includes a completely separate secure operating system and battery, operates over either 3G cellular networks or WiFi networks. Of course, destroying all your data remotely isn't quite so attractive if it means you're going to lose the one and only copy of your files...you have been backing-up your mobile device, right? 

In addition to the remote destruct feature, Alcatel-Lucent is also touting the Laptop Guardian's ability to update your computer's software with security patches, enforce organizational security policies, and access corporate network resources through a built-in VPN.

One final note; the Laptop Guardian is available in North America only...sorry to our international readers. Which makes me wonder...what if your laptop, tablet PC, or UMPC gets stolen and taken to France? I can picture the plot of an upcoming movie where the bad guys (or good guys) are racing to get a Laptop Guardian-protected device out of North America before the information can be erased. On second thought, they might just want to take the laptop to their Faraday cage-protected laboratory.

Have any GBM readers ever remotely destroyed their tablet PC, UMPC, or PDA cell phone? I'd be interested to know how that went.

If you read my weekly GottaBeSecure articles, you'll know that WiFi security is one of my favorite topics. Many people ask me, however, whether cell phone data cards (AKA mobile broadband or air cards) are any more secure? Assuming you're worried about your average black hat hacker or your snooping next door neighbor, the answer is definitely "yes." Air cards beat WiFi for security hands-down. Why? Let me offer a few proofs that hopefully put things into perspective.

Although most modern operating systems come with a built-in software firewall, sometimes it's hard to know for sure whether the thing is turned-on and exactly how many holes ("exceptions") you've opened up. Wouldn't it be nice to have a hardware firewall small enough to put in your pocket? A company called Yoggie is selling two extremely small hardware firewalls that are perfect for mobile users:

Where could you use a tiny mobile firewall?  Here are a few ideas I had:

• On a hotel or other public broadband network
• At your "friendly" neighborhood LAN party
• While connected to a customer's network (enable logging to record exactly what traffic you put on their network)
• Isolated yourself from your students during a hands-on computer training course (especially if it's an "ethical hacking" course)

Being a fairly regular attendee of the Black Hat and DEFCON security conferences, I'd really like to plug into the conference networks with one of these devices and then see the built-in Snort intrusion detection system light-up!

Another nice feature of these tiny mobile firewalls is that they won't impact the performance of your tablet PC or UMPC while providing their security services (a concern mentioned with regard to on-board encryption programs I wrote about last week).

Have any GBM readers tried out these devices? What did you use them for and how did you like them?

Chances are you've heard news stories about lost or stolen laptops that containing volumes of employee or customer social security numbers, credit card numbers, and other personal information. The actions taken against employees or consultants that put sensitive data at risk in this way range from disciplinary action to criminal / civil penalties. Needless to say, no one wants to be the guy (or gal) who loses a laptop chock-full of sensitive customer or corporate information. But what are organizations doing about this problem?

What makes for a good mobile security product? After last week’s onslaught of new products and gadgets at CES, I sat down to think about the qualities that I think go into a great mobile security product.

Remember, you heard it here first...Wi-Fi hacking is on the rise 

Got a Wi-Fi security story to tell? GBM readers can benefit from your experience--write a comment and share your story today!

Despite the appearance of biometric security devices in many new mobile computing platforms, password security still remains the Achilles’ heel of the computer security world. Why, you ask? Because even if you rely on a biometric device for authentication and / or encryption of your data, nearly all biometric security devices rely on a back-up “master password.” So, you may feel extra safe and secure logging into your tablet PC or ultra-mobile computing device by swiping your finger across its built-in fingerprint reader or other biometric gadget, but unless you choose a strong account passwords for your mobile device, the bad guys might be able to bypass your high-tech security measures.

For nearly three months I've been writing a column on what I call "mobile security." In past articles I've examined the dangers of public WiFi networks, tablet PC theft, data seepage, and even the security of using Skype. But all these are really just anecdotes to the larger issue. Today I'd like to take a moment to examine what "mobile security" is and why is it so hard.

Maybe you've heard the acrostic "CIA" used to define computer security. In computer security described as "CIA," "C" stands for confidentiality, keeping you data private from people you haven't authorized to have it. "I" stands for integrity, making sure no one can alter or delete your data without your permission. Finally, "A" stands for availability, which is concerned with ensuring that your computer and its data are able to be accessed and used when you want them. Nearly all computer security measures, from passwords to virus scanners, are working to protect one or more of these three components of computer security. 

As a mobile user, I often use Skype as a cheap, easy replacement for a more costly teleconferencing system. But have you ever wondered how secure Skype is? After all, if you’ve read very many of my past articles, you already know that your network activitiy in a coffee shop or public WiFi hotspot is possible subject to monitoring or interception.

I am normally not overly concerned about privacy. I am the kind of person that gladly signs up for a grocery store rewards program (surrendering all my personal information in exchange for a 3% discount on “club card” sale items). That said, I was a little bit freaked out when I discovered my Dish Network digital video recorder (DVR) had connected to the Internet without any help from me. What’s more, it doesn’t even have an Ethernet cable or a WiFi adapter.

If you’ve been reading my mobile security column over the past several weeks, you know that most everything you do on a public network (email, web surfing, etc.) can be monitored or intercepted. Although you can hide the information you’re sending and receiving by only visiting web sites that use Secure Sockets Layer (SSL), you’re still exposing the names of those web sites and revealing to the web site owners where you’re visiting their site from. There is a solution to this issue, and it’s free.

If you’re a mobile PC user, you probably have a network at home. Maybe you only have one other computer connected to your home network (or maybe you have 5 more, like me), but you’d probably like to be able to share information between your various computers (for instance, sharing MP3 music files from your desktop to your tablet PC). A common way to accomplish the task is to enable file sharing. Both Windows and Mac make it easy to access files on one computer from another using their own flavor of file sharing. The catch, for the mobile user especially, is setting up file sharing securely.

Managing security in a mobile world can be a challenging problem. That is why we've devoted a feature series to it, called GottaBeSecure. Terry Bradley has been writing that series for us, and in this podcast, we talk about various security issues, as well as get to know Terry a little more.

Enjoy!

• Download Podcast #36 here ( MP3, 30:41, 28.8mb )
• Subscribe to our GBM Podcasts in iTunes or via your favorite podcatcher at this link.
• Spread the word by voting for us at Podcast Alley
• Read the GottaBeSecure articles already published

WhirlWind - WiFi Surveying / Mapping Tool discussed from Futures Inc.com

Over the past few weeks, we’ve discussed passive mobile security threats, active hacker threats, and tablet PC theft. In the final installment of this series on mobile security, we’ll be looking at an advanced mobile security issue, data seepage.

As a computer security professional I tend to spend a lot of my time reading about and researching sophisticated attacks against computer systems and high-tech ways to defend against these attacks. The grim reality of mobile computing, however, is that the low-tech crime of tablet PC theft can be committed with devastating results by unsophisticated criminals with no computer knowledge whatsoever. This kind of attack cannot be thwarted by personal firewalls, secure protocols, and or WPA wireless encryption, but there are some steps you can take to minimize your chance of suffering a tablet PC (or ultra-mobile PC) theft.

In Parts 1 & 2 of this series about mobile security, I discussed the dangers of having your data intercepted while using “open” wireless networks and public wired networks (like the ones you’ll find in your average hotel room). While the adversary I’ve previously discussed has been a hidden, passive enemy, I’d like to point out that open wireless networks and public wired networks provide numerous opportunities for active attackers as well.

In Part 1 of this series about mobile security, I described the dangers of having your web connection intercepted through a technique known as wireless “sniffing.” Although I only discussed the problem of web browsing being intercepted, the problem really applies to any network traffic that isn’t encrypted. So, other common applications like email, file transfer, and remote login are also, potentially, vulnerable to interception.

In the expanded chart below, I’ve outlined a growing list of “secure” and “not secure” applications and protocols:

Ahhhh, the joys of the mobile office…checking email on a sunny morning from an outside table while enjoying a steaming cup of fresh coffee. Or maybe you’re squeezing in a little work at the car dealership’s service center, taking advantage of the complimentary WiFi while the mechanics work on your car. Wireless networking combined with laptops and ultra mobile PCs have opened a whole new world of productivity for telecommuter and other road warriors. Unfortunately, they’ve also opened a Pandora’s Box of security issues ready to be exploited by eager hackers and cyber criminals. In this five-part series I’ll examine the basics of mobile network security, active network threats, the very real problem of laptop theft, and finally the growing problem of data seepage.