PHONE-Y BUSINESS: Your privacy and security is under threat every time you use your phone..and the door keepers often seem to help the thieves.... An IndiaTechOnline Special.
Bangalore, June 29 2015: Omnishambles, a word that the Oxford English Dictionary added to its online edition in 2013, means "a situation that has been comprehensively mismanaged, characterized by a string of blunders and miscalculations." There is no better word to characterize the current state of the privacy and security that millions of mobile device users entrust to their service providers and device makers. The actions of some of the biggest brand names smack of gross incompetence, if not of cynical disregard. Consider these assaults -- all this month --on our right to keep our data or actions on phones, tablets or laptops confidential :
- At the Blackhat Mobile Security Summit in London on June 16, Ray Welton, a researcher with security firm NowSecure showed how a flaw in the software of the Swiftkey virtual keyboard installed in millions of Samsung Galaxy S4, S5 and S6 phones made them vulnerable to attack that could potentially snoop on camera, microphone, incoming and outgoing text messages. In a chilling demo, Welton showed how he could pose as an update to the Swiftkey software and install spyware, bypassing Android's own defences. Samsung was notified by NowSecure, of the security flaw as far back as November 2014, but chose not to go public till forced by the recent disclosures. A patch to repair the flaw has been promised Fortunately, the phone is vulnerable only if you are on an unsecured network so the easy solution is to avoid such public hotspots.
- Researchers at Indiana and Peking Universities and at GeorgiaTech, have released a study which points to a vulnerability in the latest edition of Apple iOS and OSX that allows one app approved by the App store to gain access to data of another app on the same phone. They said this is because of poor levels of security in Apple's password management tool, KeyChain. Potentially one rogue app can steal iCloud , email and bank passwords. Apple was notified back in October 2014 but sought non disclosure for 6 months during which time it did little, not even warning its customers who are in a quandary. If you can't trust an app in the App store which Apple audits before approving, whom do you trust?
- First Post reported that a Bengaluru-based software engineer, who had subscribed to Airtel's 4G data service, found the speeds he was getting very slow at times. His investigation found that the service provider had inserted a piece of Java code into web pages he browsed. When he published the coding that made this happen, he was astonished to receive a legal notice from an Israel-based company that provides tools to help telecom operators make more money from their clients. Airtel denies any wrong doing and says its coding is only meant to keep track of data usage -- but that does not explain why a third party claims to be affected by the disclosure!
- In a report titled "Who has your back?", the Electronic Frontier Foundation rates social media and Internet entities on how diligently they protect your data privacy from government requests. Nine Companies receive top rating of 5 on 5. They include Adobe, Apple, DropBox, Wikimedia, Wordpress.com, and Yahoo.But Whatsup is bottom of the class with 1/5 for its opaque policies when it comes to revealing government demands. Deccan Chronicle's Online edition carried the full score card.
These examples all in June, are disturbing enough. They come on the heels of the revelations in February that 43 models of Lenovo's laptops and tabtops came with a pre-inserted chunk of so-called adware ( euphemism for spyware) that siphoned data back to a US search software player called Superfish. This inserted its own shopping hints into your browser, over and above the ones provided by --say -- Google. Since the adware was inserted by the maker it could not be cleaned by any antivirus software you may have installed. Lenovo agreed to desist only after global outrage -- but the problem is you can't remove the adware since it is part and parcel of the OS. You have to buy your own copy of Windows 8 and replace the pre-installed copy. Who pays for Lenovo's laxity? You!
Government against the people:
What happens when those charged with protecting the rights of citizens, abuse their trust? What a happens when the products we buy are compromised -- with or without the collusion of the makers? Three chilling examples of government as spy:
In February 2015 Russian Net security specialist Kaspersky shared results of a decade long study that showed that an organisation that it codenamed the Equation Group had pulled off arguably the most sophisticated cyber attack ever, on millions of lay users. It had managed to embed its spyware in the "firmware" that sits on hard drives and solid state drives made by 12 of the world's biggest manufacturers including Maxtor, Seagate, Samsung, Toshiba and WD and sold in 30 countries including India. Being part of factory-shipped hardware, the spy software cannot be detected by anti virus tools and in effect the authors can snoop on millions of hard disks the world over. While Kaspersky did not name the suspect, there was broad indication that this was the work of the US National Security Agency. None of the makers admitted to providing any government access to their devices.
Also in February, The Intercept. a publication distributing the revelations of NSA whistleblower Edward Snowden revealed what it called the Great SIM heist: a joint operation of the UK's Government Communications HQ and the US' National Security agency, where they managed to hack the encryption keys of the world's largest maker of phone SIMs -- Gemalto -- whose products used by some 400 plus wireless providers, exceed 2 billion a year. In effect the perpetrators could monitor mobile communications on any of the hacked SIMS without needing approval from telecom companies and governments. Analysts said this was tantamount to a thief getting the master key to every room in a hotel.
In this murky gray world of government-sponsored spying, the most chilling image can be found in Glenn Greenwald's 2014 book " No Place to Hide" ( Hamish Hamilton, Rs 599). where he reproduces material provided by Edward Snowden that show that murky US agencies were intercepting shipments of networking hardware from Cisco to insert spy hardware." “We simply cannot operate this way" CISCO Chairman John Chambers protested to President Obama. The book includes a slide (on page 149 of the book) which purportedly shows operatives intercepting a Cisco consignment.
Introducing intentional vulnerabilities into secure products for the convenience of government -- that is the zenith of customer betrayal. But it is happening even as you read this -- and we the people are largely defenceless.
What can we do? Get proactive!
In this gloom and doom scenario of looming Net threats what can we do? Internet security specialist ESET has some suggestions:
- Ensure that all programs, operating systems, and applications -- even the ones you rarely use --are kept up-to-date.
- There are many steps that can be taken including choosing strong passwords, using anti-virus programs, firewalls and anti-spyware programmes.This applies even to rarely used applications as it makes sure that all the latest security features and fixes are available on your device. Change your password regularly.
- A second layer of protection can also be added on top of passwords using Two Factor Authentication (2FA). 2FA uses a separate device to generate an access token that acts as a one-time only password. By requiring access to a separate password, this makes an attack less feasible.
- Security software can be an inexpensive option: don't depend on built in software when it comes to securing your device.
- It is also worth looking at test scores and/or certificates from testing agencies such as Virus Bulletin and AV-Comparatives. Any good security software should have been listed by most testing agencies.