Keeping Your Palm Closed Tightly
By Jeff Green
You know the Palm has gone mainstream when it starts showing up as a national security risk. In February, U.S. Secretary of State Colin Powell was asked not to synchronize his Palm handheld computer with his work computers because of potential security flaws in the Palm operating system. More recently, the FBI revealed that accused master spy Robert Hanssen allegedly suggested to his Russian handlers that he use his Palm VII to leak secrets. The espionage angle has even infiltrated Hollywood: In last year's movie remake of '70s tube fave Charlie's Angels, the Angels download the contents of their chief suspect's Palm to pry into his private life.
Not just diplomats and sleuths are worrying about Palm infiltration. Corporate spies now consider handheld computers a good target, too. "You can secure data in your vaults. But then you have salespeople running around with the unprotected client list on their Palms," says Tom Welch, vice-president for enterprise-security solutions at information-security company Jawz in Fairfield, N.J.
So how can a regular Joe or Josephine expect to keep Palm secrets secure? Actually, it's not all that grim. Most people aren't up against foreign intelligence agencies or corporate spies. They just want to make sure their business rivals or the guy who steals their briefcase can't pilfer client names or credit-card numbers willy-nilly. Palm security experts insist that it's possible to store data on a handheld without fear -- but you may need some extra software to do it.
All handhelds using the Palm operating system (OS) come with a password function that rightful owners can activate to prevent snoops from accessing data. If eavesdroppers don't know the password, they can turn the device on, but they won't be able to access any of the programs.
Alas, the password isn't that difficult to crack for an experienced hacker with decoding programs. On Mar. 1, security outfit @stake revealed a backdoor hole in the Palm OS. This flaw allows anyone running standard Palm OS debugging software tools on a laptop computer to break into any password-protected Palm handheld. Palm says it's aware of the problem and will fix it in the next version of the OS.
Even so, most security experts recommend an added level of security beyond simple passwords to cloak any sensitive information on a Palm. The best solution is to encrypt your data with third-party software. These programs set a password for your data that is independent of the Palm OS and not vulnerable to backdoor hacking. Then they use complex algorithms to scramble the data on your Palm, making it unreadable.
About the only way to crack these programs is the so-called "brute-force" attack. That means someone would have to try every possible password combination until one works. With new encryption, that could literally take thousands of years.
Plenty of programs offer data encryption. Password Vault ($5 to download at www.palmblvd.com), which I use to store all my passwords on my Palm, is a simple and cheap way to keep a lot of data secure. It acts like an encryption vault for passwords I might use for ATM cards or anything else. Programs with names such as Secret, CryptInfo, and TopSecretMobile also offer an encrypted area to store information. A good rundown can be found at palmtops.about.com.
Programs such as Jawz's DataGator ($39, www.jawzinc.com) take encryption one step further by allowing users to protect all the applications on the Palm, rather than just the stored data. That means everything on your Palm is chicken scratch unless you punch in the password. But if you forget the password, you lose everything on your handheld, because you will have to reset the device and reinstall the encryption software. Jawz doesn't encrypt the Palm Desktop information stored on your PC. But if you added anything new on the Palm since the last time you synced up, it won't appear on the desktop. That's the price you pay for security.
There's a downside to saddling your Palm with security mechanisms. Encryption and decryption sap processor speed and memory. That's particularly true in the more heavy-duty encryption products that corporations might want. The result is often noticeably slower response time on your handheld. But those problems should go away in the near future, as encryption algorithms get streamlined and handhelds add processing power and memory. Right now, for some people, a slow Palm is better than a wide-open Palm.
These security steps are quickly becoming standard practice in many government and corporate entities. For example, the police force in Manchester, Britain, recently added encryption to its fleet of handheld computers to prevent the wrong people from finding out what the officers in its social-services department are up to, says Ahmed Mohamed of Britain's Planet Wireless.
And in due time, Palm security concerns could trickle down to personal users. Mohamed recounts the story of a friend who left his unprotected Palm with a nosey girlfriend -- who had plenty of very personal questions for the fellow when he returned. So even if details of the U.S. spy network aren't likely to be exposed on your handheld, you might still want to consider encrypting some of that data from prying eyes at the office -- or at home.
Green, a BusinessWeek correspondent based in Detroit, is crazy about handhelds. Follow his perspectives on Palm-based technologies, only on BW Online.
Edited by Alex Salkever