Clareity Consulting - Publications - Real Estate focused Security Articles

Real Estate Information Technology Consultants

2006 Security Articles

Improving PDA Security

Author: Matt Cohen, Clareity Consulting (www.callclareity.com)

Personal Digital Assistants (PDAs) have been around for more than ten years, and according to the most recent study, conducted by Clareity in cooperation with the National Association of REALTORS^®, more than half of REALTORS^® use them. Using PDAs creates a significant security risk for real estate professionals. They use PDAs to store sensitive data, including email, contacts, documents, spreadsheets, passwords, bank account information, and MLS data. More than a quarter of PDAs are lost, according to a 2003 survey conducted by Pointsec Mobile Technologies. Users leave their PDAs unattended; they may find them stolen or infected by viruses; they may discover that wireless transmissions have been intercepted or that memory cards have been tampered with; and many don't enable secure logins on their devices, allowing anyone who finds or steals their PDA to see their data.

The purpose of this article is to explain the risks accompanying PDA use and how to reduce them. Please note that the product references and links below are for convenience only and are not meant as an endorsement of those products or web sites.

One thing you can do to reduce your risk is to store as little sensitive information as possible on the PDA; if you give away or sell your old PDA, make sure to remove all your information from it. However, it is likely that if you are using your PDA productively, you will need to keep at least some sensitive information on it – so it's important to take steps to secure it.

The most basic step is to reduce the risk of losing the PDA. Keep it locked up in a briefcase, desk drawer, or lockable case when not in use. If you are carrying it on your person, use a zipped or buttoned pocket. Use common sense: do not leave the device unattended in plain sight.

Requiring a password to access the device and applications is also important. If you don't already require a password on startup, there's nothing to stop someone from accessing your information, replacing it with their own, and making the PDA theirs. Remember, these devices all look alike! Use a hard-to-guess password, not a dictionary word or number like "1111," and whatever you do, don't configure your PDA applications to memorize your passwords. Here are some instructions for commonly used PDAs:

If you have a Windows device (e.g., PocketPC or Treo700w) press Start; select Settings; on the Personal tab, select Lock; on the Password tab, check the "Prompt if device is unused" checkbox, select "10 minutes," select a password type, and enter and confirm a password; select the Hint tab to enter a password hint; and press OK. Use the alphanumeric password if your model supports it. If it supports a password hint, make sure the hint doesn't give away the password.
If you have a Blackberry, select the Options icon, scroll to the Security option, change Password to Enable, set the Security Timeout to two minutes, and set Lock Handheld to Yes. Enter password and verification as prompted and save the settings.
If you have a Palm OS device, tap the Home button (m series, Zire) or Applications (Tungsten, TX, Visor, Lifedrive, Treo), tap Prefs (Tungsten, Zire, Lifedrive), tap the Security icon, tap the Password box, enter a password, tap OK, if prompted re-enter password and select OK, select Auto Lock Device (if an option), enter a hint and select Done if prompted. See your Palm manual for more on marking records "private."

Although most people have installed antivirus software on their personal computers, many are not aware that viruses can affect their PDA. If you don't already have antivirus software installed on your PDA, you can download it free for many PDA models from Trend Micro here: http://www.trendmicro.com/download/product.asp?productid=2. Other antivirus vendors include Symantec (www.symantec.com), Computer Associates (www.ca.com), and Network Associates (www.networkassociates.com). If you have a Windows-based device, you may also wish to use firewall software, such as Airscanner Mobile Firewall (www.airscanner.com).

Using a wireless connection poses a substantial risk that your information can be intercepted in transmission. One should only use encrypted wireless access points rather than publicly available ones. If you must use an unencrypted wireless connection, the web sites and email providers you use should provide an SSL encryption option that you can use to reduce the interception risk. If your office or Internet Service Provider offers a Virtual Private Network (VPN), that will provide an even greater degree of protection for all of your network transmissions. Some PDA models have VPN clients built in, while some require third-party tools to connect to a VPN. The risk of someone compromising your PDA's Bluetooth capabilities is currently minimal; most attacks fall into the category of "inconvenience" – undesired messages or temporary Bluetooth disruption.

Most security products for PDAs concern themselves primarily with encrypting the information on the device and its memory cards; they put a password on your data, which you must enter to access the information. Literally dozens of such programs exist, many of them designed for large enterprises, but some of the more popular ones for individuals include:

Kaspersky: Security for PDAs, http://www.kaspersky.com/
Utimaco: SafeGuard PDA, http://www.utimaco.us/products/pda/
Applian: PocketLock (PocketPC only), http://www.applianmobile.com/
Softwinter: Sentry 2020 for PocketPC (PocketPC only), http://www.softwinter.com/
TealPoint Software: TealLock Plus (Palm OS only), http://palmsource.palmgear.com/

Some of the software listed above only encrypts specific application data; make sure that the one you obtain encrypts as much of your sensitive information as possible. On a Blackberry with a password already set, just click Options > Security and set Content Protection to Enabled to encrypt your data. If you have MLS or other software that accesses data stored on your PDA, check with your software provider to make sure that data is stored in encrypted format.

In the future, it is likely that more PDAs will use biometrics (e.g., fingerprints or face, iris, speech and handwriting recognition) to protect the PDA and its data. Hewlett Packard already provides fingerprint recognition on its IPaq 5000 series. Though such biometric technology is still in its infancy, we can look forward to improvements in this and other PDA security mechanisms.

There's no such thing as perfect security. If you run a program from an untrusted source on your PDA, none of the steps mentioned above will be a cure-all for what might happen. But if you've taken the basic steps to secure your PDA and have your email address on the back, you don't have to be quite as worried about the information on a lost PDA – and you may even get lucky and have it returned to you.

About the author: Matt Cohen is Clareity Consulting's Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops and leadership retreats around the country on security related topics, and is a well-regarded real estate industry expert on software design, product management, project management, data center reliability, scalability, and security. Clareity Consulting was founded in 1996 to provide information technology consulting to the real estate industry and its related businesses.