In Brief

Automating E-Mail Retention, Industry Forms VoIP Security Alliance

Leading Device Loss Threat: Taxis

Hackers, corporate spies, and taxis?

While taxicabs might not appear to rank among the top information-security threats, when it comes to mobile-device loss, taxis are devastating. For example, in the past six months in London, people in licensed taxicabs left behind 4,973 laptops, 5,838 Pocket PCs, and 63,135 mobile phones.

Now guess how many of those devices had built-in passwords set to prevent unauthorized access, or additional encryption software to guard against corporate secrets getting out.

That’s the question posed by the U.K.-based Licensed Taxi Drivers Association and mobile security vendor Pointsec, which surveyed London taxi drivers about what they found in their back seats. A similar survey targeted 900 licensed taxi drivers in eight other cities, including Chicago, Helsinki, Paris, and Sydney.

Pointsec’s managing director, Magnus Ahlberg, says the study was first conducted in 2001. Comparing those findings with the current ones, he notes a greater number of devices, with greater amounts of memory, now go missing. In addition, “mobile users are in a worse position now, because they are far more reliant on using their mobile devices to store massive amounts of sensitive information, with very few concerned about backing it up or protecting it.”

Other interesting findings: users of London taxis were twice as likely as riders in other cities to leave behind a laptop; Copenhagen cab-goers were seven times more likely to leave their mobile phone in a cab than people in Munich, Oslo, or Stockholm; and in Chicago, the most-forgotten device was the Pocket PC.

While social scientists unravel those findings, the good news is that on average, 96 percent of people who leave their laptops or PDAs in a licensed taxi get them back.

Even so, “my advice to any mobile worker is to talk to their IT department about taking responsibility for security. This way your back is covered if you do lose your mobile device,” says Ahlberg.

Related Article:

Used Laptops Offer Secrets for Sale—Cheap

- - -

Organization to Safeguard VoIP

A group of technology companies has formed the Voice over Internet Protocol (VoIP) Security Alliance to safeguard burgeoning use of the technology.

The group plans to release open source information, tools, and methodologies. According to the organization’s Web site, “until now, no single organization or group has strongly emerged to help organizations understand and mitigate VoIP security risks through discussion lists, white papers, sponsorship of VoIP security research projects, and the development of free tools and methodologies for public use.”

The alliance chairman is David Endler, director of Digital Vaccine at TippingPoint, which was recently acquired by 3Com. Other companies participating in the alliance include Alcatel, Avaya, Columbia University, Insightix, NetCentrex, Qualys, SecureLogix, Siemens, Sourcefire, Spirent, Symantec, the SANS Institute, and Tenable Network Security.

“VoIP has finally arrived, and vulnerabilities in devices and services which enable this technology need to be discovered and mitigated,” says Ron Gula, CTO of Tenable Network Security.

Of course, organizations are already implementing the technology, and “if the technology is not implemented properly and securely, we will likely circumvent existing security controls and expose our networks,” notes Brian Kelly, director of Ernst & Young’s Giuliani Advanced Security Center, which is also part of the alliance.

Gerhard Eschelbeck, vice president of engineering and chief technology officer of Qualys, says, “VoIP is starting to gain momentum in the market, but proactively addressing security concerns will help drive widespread adoption.”

Related Article:

VoIP Growth Brings Focus on Security Holes

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies columnist, as well as a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.