A small, handheld system combining in one device multiple computing, Internet, networking, and fax/telephone features. A typical PDA can work as a personal organizer, a cell phone, and, in some cases, an Internet browser. One of the favorite PDAs of executives is the Canada-produced BlackBerry; other popular models are produced by Hewlett-Packard and Palm, Inc. In fact, today’s technology is making it easier for a handheld phone to become what telecommunications expert George Gilder calls a “teleputer”—a wireless device able to perform all of the functions typically associated with a much larger computer. For example, the Nokia N91 has a four-gigabyte hard drive—about ten times more storage than a desktop computer had ten years ago. That provides enough storage for thousands of MP3 files, hundreds of photos, or numerous office documents. Some say that the modern-day cellular phone is the equivalent of a small laptop PC in the user’s pocket.
Though very useful, even the BlackBerry has some security concerns. It is interesting to note that during the week of March 1, 2005, the Canadian military and U.S. security agencies commenced a one-year joint effort to make it and other PDAs more secure in the hopes that one day PDAs can be used for transmitting top-secret information.
Though the BlackBerry allows government officials and executives to make critical decisions from a wireless device in the palm of their hands even when they are away from their worksites, the security of PDAs in general came fully into question in February 2005, when reports indicated that a cracker had accessed personal information from Paris Hilton’s PDA (a Sidekick II). The cracker obtained over 500 celebrities’ phone numbers and email addresses from her PDA and then posted on the Net topless photos of the hotel heiress and model.
It is interesting to note that on February 15, 2005, a PDA-cracking cybercriminal was taken to court, and the media questioned whether he was Paris Hilton’s PDA-cracker. In a plea agreement with prosecutors, Nicolas Jacobsen, aged 22, pleaded guilty in U.S. federal court to one felony charge of intentionally gaining access to a protected computer and causing damage to it. Jacobsen’s crime spree began in late 2003 and ended when he was arrested in the fall of 2004. Though Jacobsen’s 2003–2004 cyber targets included Paris Hilton’s T-Mobile Sidekick II as well as other T-Mobile users, he was apparently not connected to the late-February 2005 crack attack that resulted in Hilton’s topless photos being shown on the Net.
Jacobsen’s intrusion into T-Mobile’s servers seemed to have resulted from the company’s failure to patch a known security hole in a commercial software package. For example, at least one Internet Website noted that anybody using a service to spoof caller ID could have exploited the flaw. Though T-Mobile agreed that the vulnerability existed, the company said that the solution to the problem is a simple one: users need only set their voice mail to require a particular password, which clients are not required to do by default.
In July 2003, the vulnerability was discussed in a Black Hat Briefing talk in Las Vegas. An SPI Dynamics researcher talked about how to exploit the WebLogic vulnerability, and, apparently, Jacobsen learned of the hole from an issued advisory. He then created his own 20-line exploit in Visual Basic and searched the Internet for potential targets that had failed to install the issued patch. In October 2003, Jacobsen discovered that T-Mobile was, indeed, one such place.
Ingram, M. Cellphones Becoming ‘Small Laptop in Your Pocket.’ The Globe and Mail, May 18, 2005, p. B.3; Lemos, R. Flaw Threatens T-Mobile Voice Mail Leaks. [Online, February 24, 2005.] CNET Networks Inc. Website. http://news.com.com/Flaw+threatens+T-Mobile+voice+mail+leaks/2100-1002_3-5589608.html; Poulsen, K. Known Hole Aided T-Mobile Breach. [Online, February 28, 2005.] Lycos, Inc. Website. http://www.wired.com/news/privacy/0,1848,66735,00.html; Thorne, S. Canadian Military, U.S. Agencies Launch Blackberry Security Project. [Online, March 1, 2005.] Attrition.org. Website. http://www.attrition.org/pipermail/isn/2005-March.txt.