
Stopping your bits floating unprotected in the air...
Published: 14 February 2002 15:15 GMT
OK, let's start with mobile security. Why should I care? I mean there's very little I can do with my phone at the moment except call my wife to record the football.
Trust me, that's changing. I mean look at the Finns! They're already banking with their mobiles. As more and more handhelds and PDAs are connected to the corporate network, storing critical information, every IT professional worth their job should be interested in securing the little devils.
And don't forget wireless local area networks (WLANs) especially the Wi-Fi or 802.11x standard. They are easy to set up - pretty much anywhere - but they are not terribly secure.
What do you mean by that? Can't the Finns fix it?
Some surveys say there are masses of WLANs waiting to be eavesdropped using drive-by hack attacks, also known as war driving. And no, even the Finns are a bit baffled by this.
What's all this war driving about? Sounds scary. Is it something to do with terrorism?
No, silly. War driving is the same as wireless hacking or drive-by hacking. It basically means a bunch of hackers are driving around in densely WLANed areas with home-made hacking kits looking for vulnerable wireless networks.
How do they do it?
Most WLANs can secure data using the Wired Equivalent Privacy (WEP) protocol. But it has been proven that simply modifying several settings on a wireless LAN-equipped mobile device can crack WEP. You have been warned.
So is there an alternative to the insecure wireless stuff?
You could be using your WAP mobile phone/PDA hybrid to connect to the corporate network remotely. That means you need something called WTLS. You've heard of SSL - Secure Sockets Layer over the internet - right? As you might expect the wacky wireless guys have made up their own security mechanism, named Wireless Transport Layer Security (WTLS).
WTLS resembles SSL because they both rely on certificates on the client and server to verify the identity of the participants involved. That makes sure a WAP connection to your network is safe.
Ooh, WAP. I thought it was dead. I thought no one cared. What about stuff in my palmtop?
All critical PDA files should be encrypted in the first place. Plus all handhelds should have a minimum of password protection for access control. And if connecting to PCs at work make sure the connection is safe - do not turn off the encryption! Most pundits recommend wireless network traffic should be encrypted but people are a bit lazy.
Is there encryption software available for palmtops then?
Sure. The capacity and memory of these devices increases all the time, allowing most files to be stored in an encrypted format. Plus information can be sent using a basic public/private key (PKI) system. PKI relies on the exchange of a set of keys, which are actually just a bunch of numbers. PKI is mostly used by banks but wise folk claim we'll all be using it to secure all our digital traffic soon.
Zzzzzzzzzz... sorry... seem to have dozed off there. Hit me with the encryption stuff one more time.
Most SSL implementations generally rely on an RSA algorithm. WTLS supports RSA, Diffie-Hellman and Elliptic Curve encryption. Like it?
Sounds fascinating. Can't get enough of this stuff in the future.
Never mind the future. Think about the past. Encryption is one of the oldest sciences known to man. It relies on age-old mathematics. And the best of all - it will be around for some time to come!
**Essential Links**
From the silicon.com archive:
Cheat Sheet: Microsoft Passport
http://www.silicon.com/a49043
Wireless LAN easy meat for hackers
http://www.silicon.com/a46872
Wireless LAN hole leaves corporate networks at risk
http://www.silicon.com/a46306
External Links:
RSA Security
http://www.rsasecurity.com
Wireless security bulletin
http://www.cnp-wireless.com/wsp.html
Security alerts
http://www.securitynewsportal.com
WLAN Networking News
http://80211b.weblogger.com/
WLAN Standards
http://grouper.ieee.org/groups/802/11/
WAP Forum
http://www.wapforum.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.