Mobile Security: Where are We Headed?
The web is ever evolving and millions of people are logging in every day. With so many people using the web and more specifically its mobile aspect, people are becoming more vulnerable to security risks. Across the world, mobile media is used as a means for activism and human rights. As new media are developed and new ways of implementing and accessing that media the risks are growing, and the security is not growing as fast as the rest of the web. Small business need to be especially alert.
On April 27, 2011 the Human Rights Center of UC Berkeley held a panel with Nathan Freitas, Jeff Klingner, Chris Palmer, and Doug Tygar to discuss security threats with emerging technologies. As mobile technologies have become a powerful tool for activism and human rights, security for such individuals is tantamount to their success and personal welfare. These four panelists discussed different software and tech that will help these individuals, and all people who wish to use them a more secure, anonymous mobile experience. However, even outside of this niche group, new tech security is important to everyone, especially mobile tech as it is the fastest growing platform in the world.
Doug Tygar is a Professor of Computer Science and Information Management at UC Berkeley. He has won awards for teach from Carnegie Mellon, a National Science Foundation Presidential Young Investigator Award, and an Okawa Foundation Fellowship. Tygar mediated the panel and discussed the overall issues with human rights and the safety of activists and their use of mobile technology.
Nathan Freitas is a long time coder and has worked in all forms of tech, including groundbreaking technology for activism. Freitas speaks at length about location based apps and the superfluous outside apps that many of them use, specifically location based apps, and the sort of apps that will allow you to circumvent them, and remain anonymous.
Chris Palmer is the Technology Director at the Electronic Frontier Foundation and a long time software and security engineer. Chris covers the area off app security and the sort of realistic security measures that can be expected and to mitigate paranoia. Palmer discussed how software is realistically untrustworthy and what you can reasonably expect from it.
Jeff Klingner is a consultant for HRDAG (the Human Rights Data Analysis Group) with a Ph.D. in Computer Science from Stanford. Klingner’s work has been used for HRDAG across the world, including Colombia, El Salvador, Liberia, and Sierra Leone. Klingner discussed MARTUS which is a human rights bulletin system that assists non-governmental organizations in collecting information on human right abuses. One of the main issues they have found and had to work hard at with the platform is finding the right balance of security and usability.
As companies look for more and more ways to reach their target audience, the internet is fast becoming a lucrative venture. Not only are more people spending more time online, but the internet provides the easiest way to locate and target specific demographics and get the most return for your marketing investments. Not only do we live in an instant gratification-led society, but it is also increasingly mobile. When before you had to hack into an employees work computer to get a company’s data, it became that you could hack into an employee’s laptop to get a company’s data. Now, not only can you do the preceding, but you can hack into an employee’s phone. More and more phones are being used to access company data, including being able to VPN into the company network. So far people do not take the security of their mobile phones as seriously as they do the rest of their computers.
There are a number of methods hackers use to gain entry into cell phones, many of which the users to not even recognize as being a possible security threat.
- Text Messages
- QR Codes
- Malicious Mobile App Downloads
- Social Networks
- Wi-Fi Connections
- Application Exploits
- Mobile Browsing
- Mobile Payments and Banking
Some of list above should be obvious, such as cracking passwords, or simply not having one. But hackers can also take advantage of users by using open Wi-Fi systems, or offering a download of a seemingly innocuous app. A QR Code can easily lead a user to a website where they can immediately become infected. With the increasing use of social media websites via mobile browser, users can leave themselves open to numerous exploits.
With Web 2.0 applications like FourSquare, Google Latitude, Buddy Beacon, etc. Criminals can now even find out where you are and when you are not home. Linking these applications to your Facebook account will offer more opportunity for people to see your whereabouts and take advantage of it. Pictures uploaded online are usually tagged with a code noting where it was uploaded and often where it was taken. This can allow criminals to find where you live as well. Now that they have your address to go along with your whereabouts they can easily go about their business with less fear of detection.
The black side of the internet is a booming business. Billions of dollars are gained and lost every year due to various means of data theft and loss. They have been under fire many times for their security issues and have generally put a Band-Aid over the problem. Now with data mining from Facebook, Google, and even the US Government, the black-hatters will put their heft into trying to get the most information from the easiest places. Your internet activities are always being recorded. This information is all stored somewhere. If someone can get to a major amount of data like the government or companies like Google and Facebook have it makes their “job” much easier.
In 2006, hackers took advantage of a security flaw in the wireless LAN of TKJ Maxx. By cracking the WEP protocol the store used for data transmission between hand held scanners and cash registers, the hackers were able to set up their own accounts within the system. Once there, they were able to install their own software which collected employee logins, passwords, and customer credit card numbers. With the complexity and capability of smart phones now, a hacker could easily utilize the same thing using their own phone without ever leaving the store.
Unless a company has devised an iron clad method of allowing its employees to access their data via Wi-Fi or mobile device, the best thing for them to do is to not allow it. However, that will not happen. In the meantime, only allowing certain high level must need users to access the data from their mobile devices, or using Wi-Fi on their system should be implemented. The users will also need very clear training and education on what is acceptable and what is not when using these devices. Only company owned devices that receive regular IT and Security Specialist scrutiny should be allowed. No unapproved usage, or downloads will be allowed, and any applications deemed superfluous by the company should be removed.
Going forward, mobile browsing will continue to grow. The best possible scenario would be for people not to put personal information on the internet and to be better informed about what the possibilities and ramifications are with everything they post. Hopefully the mobile platforms will slow enough for the security portion of it to catch up or there will be new advances in cyber security that will allow the white-hatters to gain a foothold in the war that they are losing. White hatters are outmanned and the more doors and windows that keep opening up, often by social media and other mobile outlets the harder it is for them to keep up.