Almost all of us use at least one Mobile Computing Device (MCD), and many people use more than one. MCDs include laptop computers, Portable Digital Assistants (PDAs: Palm Pilots, Pocket PCs), Smart phones, USB flash memory, iPods and other devices that can sync with and/or store data from personal computers. In many respects, these devices have made our lives much easier.
The Risks of Mobile Computing
MCDs contain "lots" of memory (often several gigabytes or more) and they are highly portable and frequently unprotected. In other words, they are relatively easy to steal or lose, and, unless precautionary measures are taken, an unauthorized person can gain access to all the information that is stored on them. You don't even need to have your device lost or stolen for an intruder to access it. An unauthorized person can quickly and silently copy the data from an unprotected device left in an office or a hotel room. A network intruder could silently invade and steal, expose, or damage data and/or interfere with the operating system. The result can be a crippled device, one infected with a virus, and/or a device whose data has been invisibly downloaded by an intruder. In the worst case, an intruder can install a spyware program that surreptitiously captures the owner's keystrokes (e.g., credit card numbers, passwords) and other sensitive information.
What's on Your Mobile Computing Device
The risks of using an MCD depend on what kinds of data are stored on it. If a device contains Category A data (the highest, most sensitive data) and that device is lost or stolen and/or if the confidential data is publicly exposed, the legal and financial consequences can be quite significant. (See Stanford data classification information, including what constitutes Category A data.) (The cost of replacing the device itself may not be inconsequential either.)
Therefore, the most important question becomes, "What data is stored on your Mobile Computing Device?" Confidential financial information? Account names and passwords? Social Security and/or credit card numbers? Unpublished research drafts? Sponsor names and contract details? Proprietary designs or undisclosed inventions? Personal Health Information? Benefactor names? Course grade reports? Staff member reviews? Personal contact names and phone numbers? Decryption keys or passphrases?
If you're storing any of this information on your MCDs, you should reevaluate whether this is a business requirement or merely a convenience. If you absolutely need to carry confidential data on a portable device, the rest of this article will help you protect it.
The Critical Questions
The critical questions that you, as a mobile device user, need to ask are: What would happen if an unauthorized person gained control of this device? What if the device data were lost, altered, stolen, or publicly exposed?
While it can be difficult to know the exact consequences of a future loss or theft, it's pretty safe to assume that if confidential data (especially Category A data) were stored on the device, an internal investigation would need to occur. In addition, Stanford may be required to contact each individual person whose personal data was lost or disclosed, and to contact law enforcement agencies. Stanford may also be exposed to legal action. These consequences can make dealing with the pain of a lost or stolen device seem especially severe.
Best Practices
The good news is that there are some relatively simple best practices that can help you minimize these risks. The following best practices, which are relatively inexpensive and easy to implement and use, can help you better protect data that is stored on MCDs.
- If the device is a laptop computer, keep the patches up to date. This reduces the possibility that a system can be compromised by an attacker, or some kind of malware (computer virus, worm or Trojan horse program). Stanford provides an automated patch update service for Microsoft Windows computers, called BigFix. PC users should download the BigFix client from: http://www.stanford.edu/dept/itss/ess/pc/index.html. In addition, most vendors (e.g., Microsoft, Apple, Red Hat) provide simple notification and update procedures.
- Use a password to lock the system. The system should require that a password be provided when you log in, or when the system is accessed after a period of inactivity (e.g., 15 minutes). Enable the password locking feature of the screensaver on laptops and PDAs and choose a strong password, appropriate for the device (i.e., a PC should have a stronger password than a smart phone). Note: A password is not guaranteed to stop a determined attacker from gaining access. But it will make it more difficult (i.e., it will require a level of skill that many intruders will simply not have).
- Use locking devices on portable computers. A laptop computer should always be locked to a large heavy object when it's not being transported or otherwise protected. Locking cables that fit most computers are usually available for under $30. Some Stanford departments may provide these to staff on request.
- Use a "personal firewall" on computers. A personal firewall is a complex but inexpensive program that can be installed on PC or Mac systems. (Unix/Linux systems also generally include some firewall capabilities.) Both Microsoft and Apple provide simple firewalls on their latest operating systems.
Windows XP SP2 automatically enables the firewall. Windows XP SP2 users may access the firewall in the Control Panel item, Security Center. Mac OS X users may access and enable the firewall by opening the System Preferences menu and selecting the "Sharing" item, then clicking on the Firewall tab.
Users of older versions of Windows, Mac, and Linux should consult with HelpSU staff for details on setting up vendor-provided firewalls. Several third party vendors (e.g., Symantec, Zone Labs, Sygate) also provide easy-to-configure free and inexpensive firewalls. Use of a personal firewall is strongly recommended. It will effectively defend a computer from many of the most pervasive and dangerous network attacks.
- When using wireless connectivity features (e.g., 802.11, Bluetooth) make sure the device's security settings are set "as strong as possible". Even though the state of wireless security has improved significantly in the last few years, it is recommended that this technology still be regarded with suspicion. Thus, never send or receive sensitive data over a wireless link unless another more secure end-to-end encryption technology is also being used. Examples of more secure technology include: SSL, SSH, and VPNs. All modern web browsers support SSL. Macs include some SSH tools. More SSH tools for Macs and PCs are available at the Stanford Essential Software site.
- The most reliable way to prevent people from viewing confidential data is to encrypt it. If your devices store Category A data, you need to make sure that this data is encrypted. The two basic approaches are: 1) to encrypt individual files and/or folders that contain confidential information, or 2) to encrypt the entire disk or device. Each of these approaches has some advantages and disadvantages.
The main advantage to approach (1) is that it's relatively easy and straightforward. Microsoft and Apple provide OS-level support for this and several third-party vendors do as well. Third parties also provide encryption software for Palm and Pocket PC devices.
The main disadvantage to approach (1) is that it can require some discipline to ensure that all confidential data is created and stored only in encrypted locations (including when it is backed up).
Full disk encryption can be more complicated to set up and generally requires a third-party solution. Stanford is investigating some of these approaches. In the meantime, most users should use vendor-provided file/folder encryption. See Appendix 1 in this article for details. More technical users may wish to try some of the products listed in Appendix 2.
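The discipline problem with approach (1) can be checked mechanically. The following is an added example, not part of the original article or any Stanford tool: it walks a directory tree and reports text files outside the encrypted folders that contain Social Security or credit card numbers. The function names, the US SSN pattern and the Luhn-based card check are assumptions chosen for illustration, and it only reads plain text files.

```python
import os
import re

# Assumed patterns: US SSN layout, and 13-19 digit card numbers with optional separators.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Return the kinds of sensitive-looking data found in a block of text."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            kinds.add("card")
    return kinds

def find_exposed_files(root, encrypted_dirs, max_bytes=1_000_000):
    """Report files under root, but outside encrypted_dirs, that hold SSN- or card-like data."""
    protected = [os.path.realpath(d) for d in encrypted_dirs]
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        real = os.path.realpath(dirpath)
        if any(real == p or real.startswith(p + os.sep) for p in protected):
            dirnames[:] = []  # encrypted location: do not descend or report
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    kinds = classify(fh.read(max_bytes))
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            if kinds:
                findings[path] = sorted(kinds)
    return findings
```

Call `find_exposed_files` with your home directory as `root` and the encrypted folder(s) as `encrypted_dirs`; any path it returns is a candidate to move into an encrypted location or delete.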
Keep in Mind
- All the encryption in the world won't help if your laptop briefcase gets stolen and it contains plain text (unencrypted) copies of confidential data on CDs or hardcopy.
- Locking devices are useless when mobile computers aren't actually locked to them.
- The strongest password is almost useless when it is written down next to the computer.
- All encrypted data can be permanently lost if you lose its key (or passphrase). Decryption keys locked in safes, safety deposit boxes, or otherwise stored (escrowed) in a safe location can help prevent a data loss catastrophe.
- Mobile device users should never download free software from the Internet without a high level of assurance that the product is safe, i.e., that it contains no adware, no spyware, no Trojans, viruses or worms.
What to Do If "The Worst" Happens
If any device containing Category A data is lost, stolen or appears to have been accessed without permission, report this to appropriate University staff. It's important to do this, even if the equipment is not University-issued, because it allows Stanford to comply with applicable state, federal and international laws.
Appendix 1: Setting Up Vendor Encryption on PCs and Macs
Folder encryption on PCs will encrypt a selected folder, including all its files and (optionally) all sub-folders. This capability is only available on Windows XP Professional with an NTFS filesystem.
To enable folder encryption on a PC, right click on the folder you want to enable for encryption and select Properties. In the General tab, click Advanced. Under "Compress or Encrypt attributes", select "Encrypt contents to secure data" and click OK. Click OK a second time and you will see a dialog box that reads, "Confirm attribute changes". Select "Apply changes to this folder, subfolders and files" and click OK.
If you have a PC that does not run Windows XP Professional, you may want to consider some of the free or commercial encryption alternatives listed in Appendix 2.
To enable encryption for a Mac running OS X, start the System Preferences application and select Security. If you haven't set a Master Password, select that option and choose a password that you will not forget (and/or have stored in a safe place, e.g., locked drawer). Next select "Turn on FileVault..." This will result in all of your user files being encrypted. Your user files are all those in your home directory (generally /Users/your_login_name) and below. FileVault does not allow you to encrypt arbitrary folders that are not in your user space. Therefore, all confidential data needs to remain in your "user area".
Appendix 2: Commercial Encryption Tools for PCs and Macs
Some of these products may be worth exploring if the vendor-provided encryption is not available on your system, or if you want a more flexible alternative.
- PGP desktop - for Macs and PCs
- Truecrypt - whole disk, device or file/folder encryption for PCs.
- SecureDoc - for PCs and Pocket PCs
- PointSec - for PCs, Pocket PCs, Palms, and Smart phones
- DESlock+ - for PCs

