Tag Archives: mobile phone security


Procedures are not a substitute for ethical behavior

Are procedures a substitute for responsible and ethical behavior?

The behavior of former Secretary of State (and Presidential race loser) Hillary Clinton is an important example of how feeling entitled is not the exclusive domain of under-20-somethings. When we do a threat analysis of medical devices, we try to look beyond the technical security countermeasures and dive into the human factors of the organization's employees and managers.

Leadership from the front trumps security technology.

President Obama’s notion of leading from behind is problematic in the data security and governance space – leadership is about leading from the front.

President Obama’s weak position on enforcing data security and privacy in his administration (Snowden, Clinton and the NSA) set a poor example that will take years to undo and probably cost Hillary Clinton the election.

In the business environment, management leadership from the front on data security and privacy is a more effective (as in cheaper and stronger) countermeasure than technology when it comes to mitigating trusted-insider threats.

In the family environment, we traditionally see parents as responsible for taking a leadership position on issues of ethics and responsible behavior.

Has mobile changed this?

Sprint announced new services that will allow parents to set phone use limits by time of day or week and to see the daily calls, text messaging and application activity of their children. Sprint Mobile Controls, powered by Safely, a division of Location Labs, allows parents to see rich graphical representations of how their family calls, texts and uses applications, and to lock phones remotely at specific times.

For example:

  • Seeing who your son or daughter has been calling or texting recently – and how often.
  • Establishing an allowed list of phone numbers from which your child can receive a call or text.
  • Seeing a list of your child’s contacts with an associated picture ranked by overall texting and calling activity.
  • Viewing what apps your child is downloading to their phone.
  • Choosing up to three anytime apps that your child can use when their device is locked.
  • Allowing your child to override phone restrictions in case of an emergency.
  • Setting alert notifications for new contacts, or School Hours and Late Night time periods.
  • Setting Watchlist contacts: Receive alert notifications when your child communicates with a Watchlist contact.

This seems like a similar play to product and marketing initiatives by credit card companies to control children's use of credit cards with prepaid cards like the Visa Buxx – except that in Visa's case the marketing message is education in addition to parental control. Visa Buxx benefits for parents and teens include:

  • Powerful tool to encourage financial responsibility
  • Convenient and flexible way to pay
  • Safer than cash
  • Parental control and peace of mind
  • Wide acceptance—everywhere Visa debit cards are welcome

Visa Buxx was introduced almost 10 years ago. I don’t have any data on how much business the product generates for card issuers, but fast forward to December 2011 and the message of responsibility has given way to parental control in the mobile market.

In the case of mobile phones, I can see the advantage of a home privacy and security product. From Sprint’s perspective, controlling teens is a big untapped market. Trefis (the online site that analyzes stock behavior by product lines) has aptly called it “Sprint Targets Burgeoning Teen Market with Parents Playing Big Brother”:

The teen market, consisting of those in the 12 to 17 year age group, is plugged into cellular devices and plans to a much greater extent than you might imagine. According to a Pew Internet Research study, more than 75% of this group owns a wireless phone. This isn’t news to Sprint Nextel (NYSE: S) or mobile phone competitors such as Nokia (NYSE:NOK), AT&T (NYSE:T) and Verizon (NYSE:VZ).

I do not believe that technology is a replacement for education.

It will be interesting to track how well Sprint does with their teen privacy and security product and if parents buy the marketing concept of privacy controls as a proxy for responsible behavior.

Courtesy of firstpost.com

Mobile security: Risks of 2014 and beyond

These days the vast majority of us own mobile phones, some of us more than one, not to mention all of the PCs, laptops, tablets and watches that keep us connected to the wide world on a daily basis. We live our lives online: we chat online, meet new friends online and, more importantly, we bank and shop online.

We do all of these things without much of a second thought, but how safe are we, and how well protected is our personal data?

With more and more of our lives being controlled by the internet and mobile phones, are we right to rely on technology and to assume that what we do is safe and protected, or are we putting our fortunes, our safety and our livelihoods at risk?

Preventing theft and accidental loss of your mobile phone

One of the biggest risks mobile phone owners face is losing their phone or having it stolen, putting all of their internet activity, emails, phone data and even financial information in the hands of a stranger or a thief. The phone manufacturers have recognised this risk and have gone some way to reducing it. Apple recently installed kill switches on all of their phones and tablets, which allow the user to “kill” the device if it is stolen or lost, removing all of the data and giving the user an idea of where the device is. This was done at a time when muggings and phone thefts were on the rise, and since then these figures have fallen drastically, proving it to be an effective safeguarding technology as well as a deterrent.

The Filipino company MyPhone has developed a similar technology called Theft Apprehension and Asset Recovery, or TARA for short, which renders a mobile phone useless in the event of a theft and can be installed on a range of devices.

Taking a slightly more futuristic look at mobile security, you may have noticed an increase in talk about wireless smartphone charging and power stations popping up in the likes of cafes and waiting rooms. This could be a bigger risk than we are currently aware of. Although resonant inductive power technology is still somewhat in its infancy, wireless charging will undoubtedly only increase the use of hand-held and mobile devices on a regular basis. This would naturally increase the likelihood of theft and opportunity on all levels.

Cyber security considerations

These advances are promising and statistics show that they are working, but thieves don’t need to have your phone in their possession in order to ruin your day; hackers can also infiltrate your device. If you regularly connect to unsecured Wi-Fi, such as that available in high-street shops, hotels and restaurants, then you’re exposing yourself and your data to everyone else on that network. The same applies if you have Bluetooth on your phone and leave it open at all times. Hackers can connect to your device through such an unsecured network, or through Bluetooth, and extract bank account information, passwords, emails and more without you knowing. There is no effective way to stop this from happening, other than to make sure you only connect to private and/or secure networks at all times.

Software exploits – mobile malicious code and you

Viruses, which have attacked personal computers for over 20 years, have evolved into malicious mobile code that attacks mobile phones.

Malware that attacks mobile phones is here and something that not only consumers have to contend with but also hospitals and commercial organizations that are struggling with the challenge of BYOD – bring your own device to work.

As our lives turn to our phones, the criminals are doing the same. They see a market in our private information and online activity, and are trying to exploit it by infecting mobile phones. For now many of these infections are the same viruses that have infected our PCs for many years – often no more than minor annoyances that frustrate us when we browse or spam our friends without our knowledge – but the viruses are getting smarter and the big software developers have yet to create an antivirus that works reliably on mobile phones.

Is your mobile browsing safe?

The future is bright, and in the world of technology it has never been brighter, but where there is opportunity for advancement and for improved devices that help us with every aspect of our lives, there is also opportunity for exploitation.

Robert Kramers is a freelance journalist from New Zealand.

Protecting your BlackBerry

How to Save Your Data and Reputation if You Lose Your BlackBerry

5 years ago, an analysis we did of 150 data breach events showed that over 40% of the data breach events were due to stolen or lost hardware devices (download the free research article on data breach, Business Threat Modeling Study).

Stolen or lost devices were a close second to data being stolen from systems by hackers who exploit system and application software defects (49%).

5 years ago it was your PC. Now it is your smart phone.

Your bank account is emptied. Photos of your weekend clubbing showed up on some “drunk and stupid” website. Your contacts are gone and your Facebook friends hate you due to the nasty status updates you appear to be posting from your account. Yes, the world has pretty much ended all because you lost your phone.

But if your device happens to be one of the cell phones from BlackBerry, you just happen to be in luck. BlackBerry offers a host of preventative measures you can take as well as a number of apps and gadgets that can help protect your data and even retrieve your phone. Here are some smart and slick preventative measures to keep in mind before this scenario happens to you.

Password Protection

Protecting your phone with a password is a wise idea. Like most devices, BlackBerry lets you create a password to gain access to your phone’s functions and data, making your phone useless to whomever finds it. If it’s useless to them, they may as well return it, right?

While password protection may seem obvious, Investopedia reports that a Javelin Strategy & Research study says only 38 percent of cell phone users enact it.

Logging out

Log out of your apps when you’re done using them. Leaving access open to anything, even Facebook, is inviting trouble.

BlackBerry Protect

Installing BlackBerry Protect software is another wise move. This free software locates the last known location of your phone if the phone is on and the SIM card is still inserted. The BlackBerry website also notes the software can do a remote backup of the data, wipe your phone clean if you didn’t protect it with a password and even send a “return me for a reward” message to your phone’s screen, wherever it may be.

BlackBerry Protect lets you do regular backups even without a lost phone, as does Desktop BlackBerry Software. You can then restore your backed-up data to your new BlackBerry phone.

Wireless Leash

ZOMM is a handy protection gadget in the form of a wireless leash for your phone. Pair the device with your BlackBerry and you have an automatic alert system that lets you know if you and your phone are ever separated. The ZOMM website recommends taking the wireless leash protection up a notch by downloading the ZOMM app to your PC. The app lets you keep track of the leash itself and the last paired location of your BlackBerry, and allows you to change audible settings.

Creepy or Useful?

Even though Mashable.com calls this software “potentially creepy,” it doubles as a potential life saver. StealthGenie quietly hangs out in the background of your BlackBerry, secretly collecting data on your phone activity and sending the info to a secure web account. This way you can keep tabs on any texts, calls or other activity that happens after your phone goes missing. Opt for the gold subscription and you can delete phone information remotely and find out if the SIM has been changed.

Not losing your BlackBerry in the first place is, of course, the best option. But if your phone does get lost, your bank account, friends and reputation certainly don’t have to go with it.

Guest post courtesy of Bobby Charles. Bobby is a mobile app designer and tech wizard from the East Coast. He loves writing, Web design and jogging with his dogs.


Android 2.2 supports mobile cloud security

Courtesy of Cloud Computing Topics – Olafur Ingthorsson

Android 2.2 now fulfils the minimum enterprise security requirements, i.e. device locking and remote wiping, amidst a long list of other enterprise cloud computing must-haves.

It seems that with the latest Android release, v2.2, Google is stepping into the enterprise mobile cloud computing realm with its mobile platform. Android 2.2 is supposed to support many of the security policies enforced in enterprises, especially concerning enterprise email. These include automatic handset lock after inactivity and administrator remote wipe in the case of a lost or stolen handset. More information is given on Google’s Enterprise blog.

Another very interesting feature is the new support for Android, and many other major platforms, through Google Apps, enabling users to administer security features on their handsets from a browser and by installing the Google Apps Device Policy application, which will soon be available from the Android Market. Google is clearly taking a big step in providing multi-platform support for its Google Apps suite on mobile phones for enterprises. This service is free of charge for customers that have the Google Apps Premier Edition subscription ($50 per user/year). The Google Apps Device Policy application can be used to synchronize data (email, contacts, calendar and Picasa photos) between the supported device and a Google Apps domain.

Furthermore, with Android 2.2 handsets:

Google Apps Premier and Education Edition administrators can manage their users’ Android devices with a set of mobile device management policies designed to let users access their data while keeping organizational information secure. These policies include the ability to remotely wipe data from lost or stolen devices, require a device password, set password complexity, and more.

With this development, Google is strengthening its position in enterprise-class mobile cloud computing. Previously, Android users could of course access their Gmail and Google Apps remotely on their handsets, but enterprises generally haven’t been willing to accept the platform due to its lack of control and security mechanisms. Now, Android 2.2 fulfils the minimum security demands required by enterprises, i.e. device locking and remote wiping. Then there are additional features, similar to what MS Exchange Server ActiveSync can enforce, like:

  • Require a device password on each phone
  • Set minimum lengths for more secure passwords
  • Require passwords to include letters and numbers

These policies can be enforced on devices that have the Google Apps Device Policy application installed. So far, enterprise mobile cloud computing has been somewhat exclusive to BlackBerry and platforms that support MS Exchange ActiveSync policies, like the Nokia E-series. However, it now seems that Google is entering this domain as well with its latest Android version and the Google Apps Device Policy application. It certainly will be exciting to continue to follow this progress and monitor Google’s success in the mobile cloud computing domain.
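The policies listed above are exposed to apps by the Device Administration API that arrived with Android 2.2 (API level 8). The following is an added illustration of how a device-admin app enforces them, not code from Google’s own Device Policy application; the package name, receiver class name, minimum length and lock timeout are assumed values.

```java
// Added example (not Google's Device Policy app code): enforcing the post's
// policies with the Android 2.2 Device Administration API.
// Package name, class name and the numeric policy values are assumed.
package com.example.mdmdemo;

import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;

/**
 * Receives device-admin callbacks. The manifest must register this receiver
 * with android.permission.BIND_DEVICE_ADMIN and point to a device_admin.xml
 * whose <uses-policies> lists limit-password, force-lock and wipe-data;
 * otherwise the calls below throw SecurityException.
 */
public class PolicyAdminReceiver extends DeviceAdminReceiver {

    @Override
    public void onEnabled(Context context, Intent intent) {
        // The user has just granted admin rights: push the password policy now.
        applyEnterprisePolicy(context);
    }

    @Override
    public void onPasswordChanged(Context context, Intent intent) {
        // Re-evaluate after every password change. getManager()/getWho() are
        // DeviceAdminReceiver helpers; isActivePasswordSufficient() checks the
        // current password against the quality and length set for this admin.
        DevicePolicyManager dpm = getManager(context);
        if (!dpm.isActivePasswordSufficient()) {
            dpm.lockNow(); // force the screen lock until a compliant password is set
        }
    }

    /** Applies the three policies the post lists plus inactivity lock. */
    public static void applyEnterprisePolicy(Context context) {
        DevicePolicyManager dpm = (DevicePolicyManager)
                context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(context, PolicyAdminReceiver.class);

        // "Require a device password" and "letters and numbers":
        // ALPHANUMERIC demands at least one letter and one digit.
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        // "Set minimum lengths": 8 characters is an assumed value, not from the post.
        dpm.setPasswordMinimumLength(admin, 8);
        // "Automatic handset lock due to inactivity": 5 minutes, assumed value.
        dpm.setMaximumTimeToLock(admin, 5L * 60 * 1000);
    }

    /**
     * "Remote wipe" for a lost or stolen handset. How the administrator's
     * command reaches the device (push, sync or polling) is outside this
     * example; only invoke this after the command has been authenticated.
     */
    public static void remoteWipe(Context context) {
        DevicePolicyManager dpm = (DevicePolicyManager)
                context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        dpm.wipeData(0); // flags = 0: factory reset of internal storage
    }
}
```

Before the policy calls succeed, the user must accept the admin activation prompt (ACTION_ADD_DEVICE_ADMIN); until then the phone is just as unmanaged as the pre-2.2 handsets the post describes.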


Data availability and integrity – the Apple/Microsoft version

I have over 2,300 contacts on my iPhone and, like any reasonable person, I wanted to back up my contacts. I figure my iPhone won’t last forever. Like a fool, I thought it might be a good idea to test the restore process also.

The Ubuntu One service based on Funambol doesn’t really work, so that pretty much left me with the iTunes and Windows option.

It seems that the combination of two closed-source software companies intent on preventing users from seeing what’s going on, and convinced that users are incompetent with low double-digit IQs, is a killer combination. As you will see from the events described below, it appears that both Microsoft and Apple believe firmly that users should back up their iPhone contacts but will never really want to restore the data.

At 14:00 this afternoon – I started my exercise in backing up my iPhone contacts.

14:00 – Plugged my iPhone into a new Windows 7 Pro PC. It took iTunes forever to initialize and then I had to wait another 2 minutes for the iTunes software to discover the iPhone on a USB 2.0 connection. In the meantime, Windows 7 was complaining that I should use a faster USB port and offered a list of ports, none of which work. Go away. Zusu!

14:15 – Finally the iPhone and iTunes talk. I elected to sync the contacts to Google Contacts as I use Google Apps. Interestingly enough, the task of transferring 2350 contacts to Google took about 30s on my 10MB/512k ADSL line. The only catch was that no phone numbers were transferred, only email addresses. Seems there is a bug. I don’t have time for this.

14:30 – Back into iTunes. This time I chose to sync my iPhone contacts with Windows Contacts, since I don’t use Outlook. No dialogs about replacing or merging, and it worked. Minor problem: the Windows Contacts sync with iPhone contacts wipes out the entire iPhone contacts, since Windows Contacts was empty (I imagine hardly anyone actually uses Windows Contacts, a kludgy, slow and incredibly stupid way of storing one contact per file). Well Dorothy, we are not in Kansas anymore; your iPhone Contacts is now empty.

15:00 – After a bit of thinking about where my contacts might have gone, I realize that I have 3 alternatives: (1) restore my contacts from our CRM system (which runs in the cloud and doesn’t have an iPhone Contacts sync option) and a bunch of other places I’ve cunningly stored contacts, (2) try and figure out where Apple has hidden their backup files or (3) ssh into the iPhone and try and restore manually with sqlite. I chose option 2.

15:30 – After some googling, I discover that the iTunes backup files are hidden in a %AppsData% something path, which is impossible to find in Windows 7 using Windows Explorer. But if you type %AppsData% in the Run line you get access to the file path. Google is your best friend.

15:45 – iTunes backs up into a file format that looks like an import to sqlite (the open source database that iOS uses to store the Contacts records; that is at least a step ahead of Windows Contacts, storing 1 contact per file… perhaps the Microsoft Windows 7 team has not heard of SQL yet). I pull the data up in a text/hex editor and of course the phone numbers are encoded in some proprietary Apple format, so forget about pulling out the data and massaging it into a format suitable for another circuitous import into iPhone contacts. More googling: if you have a Mac there is a command line utility, or you can pay $25 and get a Windows application that decodes the proprietary Apple backup file format into a CSV file or a series of VCF files.

16:00 – My PayPal account is not up to date since the card linked to the account expired at the end of November and I haven’t reverified yet. Got the software with my Visa, jumped through a few hoops to give a couple of identifiers and finally got a registration number, activated the application and I finally have my original iPhone contacts file. But we’re not out of the woods yet; we still have to restore.

16:05 – Uploaded the CSV file to Google Contacts. But, for some bizarre and inconceivably cruel reason, iTunes sync refuses to actually load data into the iPhone.

16:15 – After several more attempts, including rebooting Windows 7, restarting iTunes and rebooting the iPhone, I give up: iTunes refuses to sync from Google Contacts.

16:30 – Plan B: use Windows Contacts. I attempt to import, but after 10 minutes and 1200 records the import process fails on an error with no indication of what caused it. Must be a data problem, so I try to improve the quality of the data by reducing the number of fields I import and making the phone numbers look more uniform. I make 7 more (abortive) attempts at importing to Windows Contacts, and every time it imports fewer records. When it stops on the anonymous error message at 150 contacts, I break for supper.

17:30 – Plan C: use Outlook. Here’s a gotcha: Outlook won’t import from the CSV file, claiming it’s open by another application or insufficient permissions. Too bad the programmers didn’t look at open file hooks and tell the user the name of the Windows application that is holding the file handle open. Of course it must be the Windows Contacts import process (which is not running if you look at the task manager), but after a few minutes I identify a hidden process related to the Windows Contacts import and I kill it.

18:00 – Outlook is slow as molasses on import, but the same CSV file that was poison to Windows Contacts gets imported with flying colors into Outlook. I try to run a quick search to find the last contact I entered this morning (my 10am meeting in Tel Aviv), but the Outlook 2003 application claims that the indexing process is running and it cannot find the records (the indexing process never actually ran…). Forget it, I don’t have time to sing and play games with Outlook 2003.

18:05 – Back to iTunes. And this time, ladies and gentlemen, adults and adulteresses, we are going to sync from Outlook to the iPhone contacts. It works. But verrryyy verrryyyyy slowwwwwllyyyyyy. I have time. I have to babysit Carmel (who is fast asleep down the hall after a tough day in pre-school) as the wife and daughter are out shopping. Do what any man would do on a baby-sitting gig: fall asleep on the sofa.

20:00 – Wife and daughter are back from shopping and the iTunes sync from Outlook has finished in the meantime, in between dreams about user-unfriendly software.

23:55 – Conclusions

1. The iPhone backup process is slow and buggy on all versions of iOS. Just google for “iphone contacts backup problems” and you will get over 3 million hits.

2. Apple does not have a data restore from backup strategy. Otherwise, iTunes would have a “Backup iPhone Contacts” and “Restore iPhone Contacts” menu. Entertainment is more important than data. This is why Apple stock is at 321.

3. The usability and reliability of Windows 7 Contacts is beyond contempt. No entertainment either. This is why Microsoft stock is at 23.

4. My next smart phone will be an Android.

Enjoy.


Will smart phones replace credit cards?

A recent post, “Can smartphones replace credit cards”, wonders whether or not consumers are ready to trade in their plastic for their cell phone.

Mobile payment technology has been around for about 10 years and it has not really taken off in a big way, although there are niche applications. In Tel Aviv, for example, you can buy drinks in vending machines and pay for parking with your cell phone.

Clearly it’s not a technology barrier to entry but a cultural barrier to entry.


Worst executive behavior of the month award

For my Israeli readers: the only thing worse than not being serious is coming out a sucker.

I’m collecting data for a couple of articles on data security in social networks and ad-hoc mobile networks, so I’ve been a little slow on blogging lately and I’m down to general management and risk management stuff.

I think that cutting and running as soon as possible from unreliable business partners is an exercise in sound risk management. Let me know if you agree after reading the following story.

I have an acquaintance, Eran Lasser, who is co-founder and joint GM of John Bryce Training. Back when I ran Bynet Software (a Microsoft distributor and ACS – Authorized Support Center), we did some training projects with Eran as we were launching Windows NT and later Microsoft BackOffice.

I reached out to Eran last week with some ideas for management-level training courses in areas where I have some personal expertise: data security and, more recently, using social software for B2B sales. He asked their VP of Business Development, Ori Lapid, to meet with me, and within a day or two a secretary made an appointment. The morning of the appointment the secretary called to confirm; I came in a few minutes early and waited patiently for Ori to start the meeting.

After 5, 10 and 15 minutes went by with the secretary giving me the usual disclaimer of “he will be with you in a few minutes”, I told the secretary that Ori’s 15-minute academic grace period had expired and I left. I thought it was significant, and also a vindication of my decision to walk out, that neither the secretary nor Ori Lapid bothered to contact me and apologize for wasting my time.

This is the epitome of what Israelis call “not being serious”, or as they say in Israel: the only thing worse than not being serious is coming out a sucker.


Data loss by cellphone

Is your 50-something IT manager the last one to know about the company getting acquired?

An extremely obvious yet perhaps unpleasant observation for over-40 IT managers is that under-30 employees know a lot more about technology, and about ways to bypass the company security safeguards, than they do.

A young, hip, mobile and technology-facile workforce may be a significant, yet unacknowledged, vulnerability for companies. Your information security group is doing security awareness training and evaluating DLP solutions from companies like Symantec and Fidelis Security to block blogging and Facebook, but the action has moved to Twitter.

Your physical security officer has installed security cameras to deter theft of equipment, but how are they going to block smart cell phones with 16GB memory, cameras and modern Unix-based operating systems like OS X (the OS on the Apple iPhone) that can run any *nix application? How about this exploit: download some data to your phone from the PC and then ssh to a private sshd server somewhere on a virtual host. Don’t want to be tracked down? No problem, just take down the virtual host after you’re finished; it doesn’t need more than an hour or so.

What about data loss by text messaging? True, it’s limited in quantity, but not in quality.

I’m waiting for commercial applications of cell-phone blocking technology in the workplace; in this down market, it might be critical for the guys and gals in the board room.


Operational risk is not a bad business decision

I was looking at the CSI 2008 security survey recently and noticed that the top three loss categories are fraud (number 1), viruses (number 2) and data loss (number 3).

I’m a little dubious about viruses ending up in the number 2 slot. We haven’t even installed anti-virus software on our office workstations in the past 4 years and we haven’t had a single event. It might be Symantec and McAfee gaming the numbers in order to prop up flagging anti-virus sales to people like me who use Google Apps and practice safe email and safe surfing.

However, fraud and data loss are classic mainstream categories of operational risk.

I like the definition in the Basel II regulation, which defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Although originally designed for banks and for protection of the banking system and economy from large-scale failure, a systematic approach to operational risk management is important for any kind of organization. Operational risk is not about damage to the business from a bad strategic decision (like getting into a new market segment and losing your pants).
