Free Windows Help Tutorials sponsored by inkjet printer cartridges dot org /title> <META HTTP-EQUIV="imagetoolbar" CONTENT="no"> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=ISO 8859-1"> <META name="description" Content="Hundreds of downloadable Windows help tutorials, articles and how-to guides sponsored by inkjet printer cartridges dot org."><style type="text/css">  </style> </head> <body bgcolor=#999999 vlink=blue link=blue> <span name = "INTRA" class="pg" style="top:0px; left:5px; width:714px; height:1010px"></span> <span name = "INTRA" style='top:0px; left:5px; height:1010px; width:714px' class='img'> <img src="pg0002im.png" height = "1010 width = "714" border="0"> </span> <span class='nav' style='left: 10px; top: 10px'><pre></pre></span><span name = "INTRA" style='top:48px; left:532px' class="ft3"><pre><font face='Helvetica'>Understanding WAP Security</font></pre></span> <span name = "INTRA" style='top:88px; left:247px' class="ft0"><pre><font face='Arial'>at the hardware level, even when they nominally conform to a standard, and may</font></pre></span> <span name = "INTRA" style='top:101px; left:247px' class="ft0"><pre><font face='Arial'>contain hard to test and buggy code. At the same time, the mobile phone industry</font></pre></span> <span name = "INTRA" style='top:114px; left:247px' class="ft0"><pre><font face='Arial'>is driven by fashion, and time to market is king, so there is a real incentive not to</font></pre></span> <span name = "INTRA" style='top:127px; left:247px' class="ft0"><pre><font face='Arial'> waste time on testing. And mobile phones are expected to interoperate freely</font></pre></span> <span name = "INTRA" style='top:139px; left:247px' class="ft0"><pre><font face='Arial'>regardless of vendor. This reads like a recipe for disaster: how can you claim that a</font></pre></span> <span name = "INTRA" style='top:152px; left:247px' class="ft0"><pre><font face='Arial'>system is secure if inadequate testing means that you can't be sure that it is working</font></pre></span> <span name = "INTRA" style='top:165px; left:247px' class="ft0"><pre><font face='Arial'>as its designer intended, especially when it is working in conjunction with software</font></pre></span> <span name = "INTRA" style='top:177px; left:247px' class="ft0"><pre><font face='Arial'>and hardware from another vendor?</font></pre></span> <span name = "INTRA" style='top:198px; left:247px' class="ft0"><pre><font face='Arial'>Of course, WAP security issues don't end with the phone. A WAP enabled Web site</font></pre></span> <span name = "INTRA" style='top:211px; left:247px' class="ft0"><pre><font face='Arial'>is a key part of a WAP solution, and all the security issues associated with Web sites</font></pre></span> <span name = "INTRA" style='top:223px; left:247px' class="ft0"><pre><font face='Arial'>still apply (probably more so, in practice, because of the fashion hype and time to </font></pre></span> <span name = "INTRA" style='top:236px; left:247px' class="ft0"><pre><font face='Arial'>market issues around WAP). Badly written CGI programs, for example, provide a</font></pre></span> <span name = "INTRA" style='top:249px; left:247px' class="ft0"><pre><font face='Arial'>classic way in for Internet hackers and will probably be behind some exposures</font></pre></span> <span name = "INTRA" style='top:261px; left:247px' class="ft0"><pre><font face='Arial'>for WAP Internet access too.</font></pre></span> <span name = "INTRA" style='top:288px; left:247px' class="ft1"><pre><font face='Arial'><i><b>The</b></i> <i><b>Weakest</b></i> <i><b>Link</b></i></font></pre></span> <span name = "INTRA" style='top:310px; left:247px' class="ft0"><pre><font face='Arial'>Nevertheless, the phone is, and will probably always be, the weakest link. It is easily</font></pre></span> <span name = "INTRA" style='top:323px; left:247px' class="ft0"><pre><font face='Arial'>lost or stolen, and the capabilities of WAP (and broadband third generation mobile</font></pre></span> <span name = "INTRA" style='top:335px; left:247px' class="ft0"><pre><font face='Arial'>phone technologies) mean that it is increasingly likely to be used for the storage of</font></pre></span> <span name = "INTRA" style='top:348px; left:247px' class="ft0"><pre><font face='Arial'>valuable data of varying degrees of importance such as a list of customers, their</font></pre></span> <span name = "INTRA" style='top:361px; left:247px' class="ft0"><pre><font face='Arial'>phone numbers and even what you expect to sell them. Phone PIN numbers are</font></pre></span> <span name = "INTRA" style='top:374px; left:247px' class="ft0"><pre><font face='Arial'>some protection but these only consist of four numerics and many users don't</font></pre></span> <span name = "INTRA" style='top:386px; left:247px' class="ft0"><pre><font face='Arial'>bother to use a PIN anyway. There is also the risk of industrial sabotage if your</font></pre></span> <span name = "INTRA" style='top:399px; left:247px' class="ft0"><pre><font face='Arial'>competitor depends on a WAP enabled sales force, how effective will its salesperson</font></pre></span> <span name = "INTRA" style='top:412px; left:247px' class="ft0"><pre><font face='Arial'>in your area be once you've nicked his phone? Don't get too hung up on WAP</font></pre></span> <span name = "INTRA" style='top:424px; left:247px' class="ft0"><pre><font face='Arial'>security until you've done a proper risk/threat assessment for the system as a whole,</font></pre></span> <span name = "INTRA" style='top:437px; left:247px' class="ft0"><pre><font face='Arial'>and, as usual, made sure that your security policy (and security awareness classes)</font></pre></span> <span name = "INTRA" style='top:450px; left:247px' class="ft0"><pre><font face='Arial'>are WAP aware.</font></pre></span> <span name = "INTRA" style='top:470px; left:247px' class="ft0"><pre><font face='Arial'>Nevertheless, physical WAP security is a factor in the threats facing you and you</font></pre></span> <span name = "INTRA" style='top:483px; left:247px' class="ft0"><pre><font face='Arial'>have to prioritise these threats. The real issues with WAP security today are bad</font></pre></span> <span name = "INTRA" style='top:496px; left:247px' class="ft0"><pre><font face='Arial'>enough, but experts like Chris Rouland, who is head of the ISS X Force security team</font></pre></span> <span name = "INTRA" style='top:508px; left:247px' class="ft0"><pre><font face='Arial'>(see</font></pre></span> <span name = "INTRA" style='top:508px; left:268px' class="ft2"><pre><font face='Helvetica'><b>www.iss.net</b></font></pre></span> <span name = "INTRA" style='top:508px; left:334px' class="ft0"><pre><font face='Arial'>), think the potential for security exposure is far worse. He worries</font></pre></span> <span name = "INTRA" style='top:521px; left:247px' class="ft0"><pre><font face='Arial'>about the intrinsic trust model in WAP, which means that if you compromise one</font></pre></span> <span name = "INTRA" style='top:534px; left:247px' class="ft0"><pre><font face='Arial'>part of the distributed system then security as a whole is compromised, and he isn't</font></pre></span> <span name = "INTRA" style='top:546px; left:247px' class="ft0"><pre><font face='Arial'>happy with the design of the WML language. As is so often the case, security appears</font></pre></span> <span name = "INTRA" style='top:559px; left:247px' class="ft0"><pre><font face='Arial'>not to have been considered fully enough or early enough in the design but at least</font></pre></span> <span name = "INTRA" style='top:572px; left:247px' class="ft0"><pre><font face='Arial'>security was considered in the design of WAP, which is a considerable advance on</font></pre></span> <span name = "INTRA" style='top:585px; left:247px' class="ft0"><pre><font face='Arial'>the state of the art a few years ago.</font></pre></span> <span name = "INTRA" style='top:611px; left:247px' class="ft1"><pre><font face='Arial'><i><b>Potential</b></i> <i><b>For</b></i> <i><b>Viruses</b></i></font></pre></span> <span name = "INTRA" style='top:633px; left:247px' class="ft0"><pre><font face='Arial'>However, many of the threats associated with WAP remain potential threats for</font></pre></span> <span name = "INTRA" style='top:646px; left:247px' class="ft0"><pre><font face='Arial'>now. Phone viruses are feasible, but space and processing power in a phone is</font></pre></span> <span name = "INTRA" style='top:659px; left:247px' class="ft0"><pre><font face='Arial'>limited, and it will probably be hard to get them to reproduce efficiently there isn't</font></pre></span> <span name = "INTRA" style='top:671px; left:247px' class="ft0"><pre><font face='Arial'>room in phones for bloatware with macro autorun facilities. Nevertheless, we</font></pre></span> <span name = "INTRA" style='top:684px; left:247px' class="ft0"><pre><font face='Arial'>mustn't be too complacent there isn't room in a phone for sophisticated anti virus</font></pre></span> <span name = "INTRA" style='top:697px; left:247px' class="ft0"><pre><font face='Arial'>scanners either. Companies are already talking about anti virus products for mobile</font></pre></span> <span name = "INTRA" style='top:710px; left:247px' class="ft0"><pre><font face='Arial'>phones F Secure's Anti Virus for WAP Gateways Release 5.0 (see</font></pre></span> <span name = "INTRA" style='top:710px; left:609px' class="ft2"><pre><font face='Helvetica'><b>www.fse </b></font></pre></span> <span name = "INTRA" style='top:722px; left:247px' class="ft2"><pre><font face='Helvetica'><b>cure.com/news/2000/20000215.html</b></font></pre></span> <span name = "INTRA" style='top:722px; left:438px' class="ft0"><pre><font face='Arial'>) apparently shipped early in 2001 but many</font></pre></span> <span name = "INTRA" style='top:726px; left:63px' class="ft4"><pre><font face='Arial'><i> Phone</i> <i>viruses</i> <i>are</i></font></pre></span> <span name = "INTRA" style='top:735px; left:247px' class="ft0"><pre><font face='Arial'>experts think this is a bit premature. F Secure itself (on the page referenced) admits</font></pre></span> <span name = "INTRA" style='top:748px; left:247px' class="ft0"><pre><font face='Arial'>that there are no known instances of in the wild malicious code for WAP based</font></pre></span> <span name = "INTRA" style='top:750px; left:63px' class="ft4"><pre><font face='Arial'><i>feasible,</i> <i>but</i> <i>space</i> <i>and</i></font></pre></span> <span name = "INTRA" style='top:760px; left:247px' class="ft0"><pre><font face='Arial'>devices , but claims it is important to get the infrastructure prepared for when they</font></pre></span> <span name = "INTRA" style='top:773px; left:247px' class="ft0"><pre><font face='Arial'>appear. F Secure's product sits on the WAP Gateway and monitors material being</font></pre></span> <span name = "INTRA" style='top:774px; left:63px' class="ft4"><pre><font face='Arial'><i>processing</i> <i>power</i> <i>in</i> <i>a</i></font></pre></span> <span name = "INTRA" style='top:786px; left:247px' class="ft0"><pre><font face='Arial'>downloaded to the WAP devices.</font></pre></span> <span name = "INTRA" style='top:798px; left:63px' class="ft4"><pre><font face='Arial'><i>phone</i> <i>is</i> <i>limited,</i> <i>and</i> <i>it</i></font></pre></span> <span name = "INTRA" style='top:806px; left:247px' class="ft0"><pre><font face='Arial'>Rouland also thinks that WML (Wireless Mark up Language), which is the WAP</font></pre></span> <span name = "INTRA" style='top:819px; left:247px' class="ft0"><pre><font face='Arial'>equivalent of HTML, may be a problem, as it works differently to HTML and</font></pre></span> <span name = "INTRA" style='top:822px; left:63px' class="ft4"><pre><font face='Arial'><i>will</i> <i>probably</i> <i>be</i> <i>hard</i> <i>to</i></font></pre></span> <span name = "INTRA" style='top:832px; left:247px' class="ft0"><pre><font face='Arial'>programmers may not allow for this. For instance, he points out that it handles the</font></pre></span> <span name = "INTRA" style='top:844px; left:247px' class="ft0"><pre><font face='Arial'>user interface by assigning variables in the telephone and then putting them in the</font></pre></span> <span name = "INTRA" style='top:846px; left:63px' class="ft4"><pre><font face='Arial'><i>get</i> <i>them</i> <i>to</i> <i>reproduce</i></font></pre></span> <span name = "INTRA" style='top:857px; left:247px' class="ft0"><pre><font face='Arial'>right place on the screen. The phones themselves, in current implementations,</font></pre></span> <span name = "INTRA" style='top:870px; left:247px' class="ft0"><pre><font face='Arial'>cannot differentiate between public and private variables, and rely on the server to</font></pre></span> <span name = "INTRA" style='top:870px; left:63px' class="ft4"><pre><font face='Arial'><i>efficiently. </i></font></pre></span> <span name = "INTRA" style='top:882px; left:247px' class="ft0"><pre><font face='Arial'>clear variables in memory; if they don't, passwords etc can stick around in memory</font></pre></span> <span name = "INTRA" style='top:895px; left:247px' class="ft0"><pre><font face='Arial'>where they can potentially be compromised.</font></pre></span> <span name = "INTRA" style='top:950px; left:52px' class="ft3"><pre><font face='Helvetica'>Issue 131:June 2001</font></pre></span> <span name = "INTRA" style='top:943px; left:260px' class="ft5"><pre><font face='Arial'><b>PC</b> <b>Network</b> <b>Advisor</b></font></pre></span> <span name = "INTRA" style='top:950px; left:612px' class="ft3"><pre><font face='Helvetica'>File: B1423.2</font></pre></span> <span name = "INTRA" style='top:962px; left:52px' class="ft3"><pre><font face='Helvetica'>page 10</font></pre></span> <span name = "INTRA" style='top:962px; left:519px' class="ft3"><pre><font face='Helvetica'>Buying and Evaluating:Hardware</font></pre></span> <span name = "INTRA" style='top:967px; left:283px' class="ft2"><pre><font face='Helvetica'><b>www.pcnetworkadvisor.com</b></font></pre></span> <span name = "INTRA" class='nav' style='left: 357px; top: 1010px'><pre><a href='page0001.htm'><</a> Next page <a href='page0003.htm'>></a></pre></span> <span name = "INTRA" style='top:1050px; left:50px' class="ft4"><pre><b><font color="#FF0000" size="3" face="Arial">New!</font><font color="#FF0000" size="3" face="Arial Narrow"> </font><font size="2" face="Arial">The best sites for quality <a href="http://www.inkjet-printer-cartridges.org">inkjet printer cartridges</a> and the best sites for <a href="http://www.cheap-inkjet-cartridges.com">cheap inkjet cartridges</a></font></b></pre></span></body> <span name = "INTRA" style='top:1100px; left:300px' class="ft4"><pre><b><font color="#FF0000" size="3" face="Arial"><a href="../index.html">Windows Help Desk Home</a> </font></b></pre></span></body></html>