Lock Down Your PDA

Keep your personal information confidential, yet easy to access

The frequency of identity theft increases daily, so protecting your personal information is crucial—especially if you use a PDA. Recently, I met a security consultant who had been a victim of identity theft. The identity thieves used her personal information to obtain several loans and even an equity line of credit on her house. If you're like most people, you have dozens of usernames and passwords for accessing Web sites scattered all over the Internet, in addition to credentials you use to access systems at work. No doubt you also have to keep track of account numbers for insurance policies; bank, credit card, and investment accounts; and hotel and airline frequent customer programs. You need to keep this information confidential but also easy to access. I keep my personal information on my PC so that I can easily copy it when filling in Web forms and conducting other Web business. But I also need this private data to be available to me when I'm away from my PC.

I meet people everywhere who believe that password protection is sufficient to protect the personal information on computers and PDAs. This belief is dangerously naïve. Password protection in Microsoft Word and Palm OS is trivial: A thief who steals your computer or PDA can easily figure out your passwords. For example, if you have a Palm OS device, a thief needs only to steal your PDA, hot-sync it to a PC, and use a hexadecimal editor to view the Palm data files. To guard against such an attack, you need a program that keeps information synchronized and secure on both your PC and PDA.
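The following added example (not part of the original article) is a defender's audit of a synced backup file: it checks whether canary strings you planted in your own records are readable as-is. The three-byte record layout and the `PRIVATE_FLAG` bit are a constructed stand-in, not the actual Palm database format, and a SHA-256 digest stands in for real cipher output.

```python
import hashlib
import struct

PRIVATE_FLAG = 0x10  # hypothetical "private record" bit in this toy layout


def pack_record(attr, payload):
    """Toy record: 1-byte attributes, 2-byte big-endian length, payload."""
    return struct.pack(">BH", attr, len(payload)) + payload


def parse_records(blob):
    """Yield (attributes, payload) pairs; reject truncated input."""
    pos = 0
    while pos < len(blob):
        if pos + 3 > len(blob):
            raise ValueError("truncated record header")
        attr, length = struct.unpack_from(">BH", blob, pos)
        pos += 3
        if pos + length > len(blob):
            raise ValueError("record length runs past end of file")
        yield attr, blob[pos:pos + length]
        pos += length


def audit_backup(blob, canaries):
    """Report, per record, which canary strings are stored in the clear."""
    findings = []
    for index, (attr, payload) in enumerate(parse_records(blob)):
        leaked = [c for c in canaries if c.encode() in payload]
        findings.append({
            "record": index,
            "private_flag": bool(attr & PRIVATE_FLAG),
            "leaked": leaked,
        })
    return findings


# Constructed sample data: one record "protected" only by a flag,
# one record holding opaque bytes in place of real ciphertext.
SECRET = "acct 0000-1111 pin 2468"
CANARIES = ["0000-1111", "pin 2468"]
SAMPLE_BACKUP = (
    pack_record(PRIVATE_FLAG, b"Bank: " + SECRET.encode())
    + pack_record(0x00, hashlib.sha256(SECRET.encode()).digest())
)

if __name__ == "__main__":
    for finding in audit_backup(SAMPLE_BACKUP, CANARIES):
        print(finding)
```

The flagged record reports both canaries as leaked even though its private bit is set, while the record holding opaque bytes reports none.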

I'm a Palm user, so I searched for a security program that runs on the Palm OS and has a complementary program for Windows. After extensive research, I settled on Secret! from LinkeSOFT. Secret! provides a simple application that's similar to Memos on the Palm—it lets you store any kind of freeform text. Secret! encrypts my information with a key that the program derives from one master password that I provide. I chose Secret! primarily because LinkeSOFT doesn't believe in security by obscurity—the company fully discloses the type of encryption it uses (128-bit International Data Encryption Algorithm—IDEA). Because programs that use encryption often contain implementation flaws that weaken your protection, LinkeSOFT follows best practice and makes its source code available for hundreds of users to review. This fact boosted my confidence in the Secret! software.

When you install the Secret! software, you choose a master password. You can then create as many Memo-like documents as you want. Each document includes a category heading. You can set up categories for data such as bank account information, travel programs, Web site accounts, and work passwords. Don't put any secret information in the category names. Secret! encrypts only the document contents, not the category names. You can also install Secret! Desktop, a Windows application that maintains on your PC a copy of the information on your Palm device. When you open Secret! on your Palm device or Secret! Desktop on your PC, you must enter your master password before you can access your encrypted information. You can then easily copy information from Secret! into Web pages on your PC or on your PDA's mini-browser. If you leave Secret! open and unattended, the program automatically closes within a few minutes. Secret! also has a useful transaction number (TAN) mode for storing one-time TAN lists. In TAN mode, when you use a number on the list, Secret! automatically copies the number to your clipboard and deletes it from the list.

Non-Windows users can find Linux, Solaris, and OS/2 versions of Secret! Desktop. If your PDA isn't Palm-compatible, Secret! isn't an option, but similar software is available for other PDA platforms. For instance, when I searched http://www.handago.com, I found Ilium Software's eWallet (an option for Windows CE devices and handheld PCs) and Underwater Programming Laboratories' Rim Wallet (for BlackBerry devices). When you're looking for a password-protection application, look for one that uses documented, industry-standard encryption algorithms—the more documentation the vendor provides about how the program stores and encrypts your information, the better. Look for a product that makes its source code available for review. Even if you aren't a programmer, such transparency should increase your confidence in the product. (Matt Curtin explains this point well in his famous FAQ "Snake Oil Warning Signs: Encryption Software to Avoid" at http://www.interhack.net/people/cmcurtin/snake-oil-faq.html.)

Although well-written programs such as Secret! Desktop never store decrypted information on disk, they must hold the decrypted information in memory; thus, the information can be paged out to your swap file. You might consider configuring your computer to clear your pagefile at shutdown. (To learn how to accomplish this configuration, go to http://www.jsiinc.com/suba/tip0300/rh0303.htm.) Don't forget that even when you use a well-written password-protection program, your data is only as safe as your password is strong. Always select a long, hard-to-guess password comprising numbers, letters, and symbols.

