There’s a commonly misquoted phrase that’s taken wildly out of context in liberty and security circles that “those who would trade privacy for a bit of security deserve neither privacy nor security”.

Well, Ben Franklin didn’t quite say that, but in the interest of butchering the quote further perhaps a modern-day Franklin could have said “those who would trade privacy and security for a bit of convenience may lose everything”.

That device in your pocket is the epitome of modern convenience, and sadly there are many, many opportunities to trade away privacy and security in an effort to protect or enhance our daily conveniences.

The Goldmine

Think for a minute of all the valuable data that a typical mobile phone contains: 

  • Deeply personal information including where you live, work and play, photos and videos, browsing history, medical information
  • An entire picture of your social connections
  • Virtually all your personal and business digital communications
  • Saved passwords
  • Mobile banking apps, PayWave, PayPal
  • 2-factor authentication
  • … and so much more!

There’s no denying it: your device is a veritable goldmine of data. Thankfully devices these days are pretty well protected out of the box (as you’d hope they would be), but given how many vectors of attack there are and the value that could be gained from compromising them, mobile devices are becoming more of a target than ever before.

Remember that the threat landscape is changing constantly and subtly. The fact that you’re reading this and are interested means you at least have a heightened awareness of the risks. I’m under no illusion: there’s no such thing as perfect security in a connected world; it’s all about taking well-informed, calculated risks that minimise the chance of becoming a casualty. Let’s take a look at a few ways you can avoid becoming “low-hanging fruit”:

App Responsibly

Arguably the number one attack vector on mobile devices is apps: if someone can convince you to install a malicious app (and perhaps blindly accept the often broad permissions that might be required), then it’s pretty much game over.

  • If you really care about the data on your phone or tablet, don’t download apps from an untrusted developer. Who can you trust? A big name that you recognise, and whose reputation rests on the integrity of their software. If it’s a small, indie, fly-by-night developer, be wary. But also don’t be fooled by the number of downloads or positive reviews. One app that had over 100M downloads started installing malware in 2019.
  • Check what permissions an app requires before you install it. And when an app asks for a new permission, carefully consider whether it actually needs that permission.
  • If you need to install apps that might be risky (e.g. games for the kids, an obscure app for your no-name WiFi coffee machine, etc.), you could isolate them by either installing them on a separate device or, if you have an Android device, setting up a separate user account.
  • Avoid sideloaded apps (i.e. downloading and installing apps outside the official store), and don’t root or jailbreak your device: rooting or jailbreaking removes many built-in protections.
  • As always, be careful where you browse and what you click on.

Keep up with the Joneses

The sad reality of modern mobile devices is that they quickly go out of date and are no longer supported. “Perfectly good” older hardware is no longer viable to support or update, so software goes out of date, new apps can’t be installed, insecurities aren’t patched, and security certificates become outdated. It means that in a sense you really do have to keep up with the Joneses to remain secure.

  • Choose reputable manufacturers with long term security update support. My personal favourites are Google Pixel phones and OnePlus. Sadly neither is widely available in NZ, but they can still be found.
  • Avoid the lowest cost Android devices: performance will almost certainly disappoint you, they often have lots of bundled “crapware”, and may see very few (if any) security updates. This goes for devices given to employees too.
  • In the Android world, it’s often best to choose something that’s as close to “vanilla Android” as possible. The more customised the operating system, the longer it may take for updates and patches to be pushed out.
  • Use old devices to install less trusted apps and for kids’ play, BUT – it’s not a free-for-all: be wary of apps with malware that could use your internet connection, CPU/GPU & local network to their advantage, say for crypto mining.
  • Be a responsible citizen and recycle your old devices when they’re out of life. But don’t forget to factory reset them first.

Do Mobile Devices Need Antivirus?

In this series some of you might be surprised that I haven’t mentioned much about antivirus software. I have long been of the opinion that antivirus should be carefully applied and managed where necessary, and that overkill in the antivirus space is a waste of consumers’ money and can frequently cause more problems than it solves. Being security-minded is more important than antivirus software, but it definitely has its place.

So let’s break this down a bit more:

  • If you’re knowingly engaging in risky online behaviour then that’s your own business – but you should definitely install and pay for a quality 3rd-party antivirus solution. And keep it updated daily. And … well, good luck.
  • If you’re not engaging in risky online behaviour, then antivirus can be a good solution to protect you from innocent mistakes, but it’s probably overkill on mobile devices if you follow the advice I’ve given above.

Social engineering

I’ve already spoken about scams and bad actors, but how do they manage to sometimes convince even the careful and technically savvy to do things they wouldn’t normally do? It’s all to do with social engineering.

Social engineering is the psychological manipulation of people into doing something they wouldn’t otherwise have done. It’s all around us every day – it’s actually part of our social fabric, we’re all engineering others and being engineered (hopefully in non-malicious ways) all the time.

The job of marketing is to convince us to spend our attention (and ultimately our money) when we otherwise might not.

Parenting can involve a high degree of social engineering in teaching our children to be socially adept, responsible, law-abiding, kind citizens. I mean, most kids will grow up to be decent people anyway, but as parents we feel responsible to praise the good and discourage the bad, use positive distractions to defuse situations, and ask children to trust us before they are old enough to understand us. Likewise, kids are constantly trying to engineer their parents into giving them what they want!

Social engineering isn’t necessarily bad, but it can be used against us with surprising ease in all sorts of situations by dishonest people. They’ll typically appeal to either our fears or virtues to engineer us to do something we wouldn’t normally do.

Fears

Fear is a strong motivator: fear of reprimand, fear of missing out, fear of losing your job or being demoted, fear of losing a promotion, missing a deadline or appearing incompetent are all things that an experienced social engineer can prey on to get what they want.

If a bad actor can craft an email that looks authentic, appears to be from someone with authority and creates a sense of urgency, they can appeal to all the above fears at once. Consider this Krebs on Security article which describes successful whaling attacks using social engineering.

Virtues

Maybe it’s not a negative engineering attack: some social engineers prey on people’s general disposition to be nice, to do the right thing, to help out, to make someone’s life a little easier. Think about people who hold a door open for you: that’s a really nice gesture, especially if you’re a social engineer trying to get into a building that you’re not authorised to enter.

One attack that has been around almost as long as email itself is the “Nigerian Prince” (or variations on that theme): someone who has a lot of money and offers to give you some if you can just help him out.

More often than not, though, the email will just kindly ask you to do something that you wouldn’t normally do: bend the rules a little, if you will. Just this once, to help a co-worker out.

Tips:

  • Remember the mantra: Don’t trust, always verify! If an unexpected request hits your inbox, verify it using some other means.
  • Don’t be afraid to speak up if something doesn’t look quite right.
  • Create a culture of verification in your company: ensure that matters of a material nature must be authorised by two people, preferably in person.

Handling Sensitive Information

Are you destroying sensitive documents properly? What about data on retired computers, phones and tablets? Is your business leaking information out your rubbish bins that could help an attacker craft a more effective attack?

Do you have support staff? How do they verify the identity of people they talk to? Consider this story from some years ago about tech journalist Mat Honan, who lost access to his Gmail, Amazon, Apple and Twitter accounts and had all his devices remotely wiped within a very short period of time by an opportunist hacker who just wanted to deface his three-letter Twitter account. It was a horrific attack where, aside from the laborious cleanup, he almost lost years of precious photos and videos. One of the factors in the attack was lax customer verification at both Amazon and Apple. Another was his lack of two-factor authentication on any of his accounts.

Guarding Against the Social Engineer

Just this week there was another great post on Krebs on Security about fraud that is increasing in complexity to the point where a bad actor becomes a man-in-the-middle in a call between a victim and their bank, in an attack that is very easy to fall for. All it took was a little bit of information about the victim and a spoofed caller ID. As I’ve already mentioned in this series, if you ever get a call from the bank out of the blue, the best advice is to just hang up, look up their number and call them back.

So it follows that the more information an attacker can get, and the more legitimate they can sound, the more likely a social engineering attack is to succeed. It’s important to consider every aspect of your business’s security when defending against such an attack:

  • Ensure proper handling of sensitive information, including proper document destruction.
  • Use the “Principle of Least Privilege”: only give access to exactly what someone needs to do their job, and no more.
  • Ensure adequate physical security for your building.
  • Security educator Troy Hunt encourages people to “design systems for compromised humans”; in other words, design systems as if people are the weakest link – because in many cases they are.
  • Two-factor authentication is a very important protection; I can’t emphasise this enough. Set it up on all accounts you can.
  • Ensure that all computer systems have logging, auditing, monitoring and secure backups. Did I mention secure backups?
  • Staff need to be conditioned to act defensively: actually test your staff! Training alone is not enough and may actually reduce compliance. A security mindset needs to be developed through practice. Consider using services such as Phish5 to test how staff respond to phishing attacks.

Conclusion

I hope that this has been insightful. I’m going to shout out to Troy Hunt here once again: his training materials are top notch, and have had a big influence on me. Subscribe to his newsletters and check out his podcasts and Pluralsight courses. You won’t be disappointed.

I’m going to dedicate the last post of the series to one of the best things you can do to keep your online accounts safe: I call it the Seven Habits for Effective Password Management (sorry Covey). Until then, stay safe!

Paul Hutchison