Mobile Security Guide 1/10 – Close the Doors

Whether it was nicked out of your bag by the office kleptomaniac, fell out of your pocket while climbing off the train, or was taken at gunpoint by a street thug, it doesn’t change the fact that losing a mobile phone really sucks. For some, the loss is financial, especially if the device was purchased on credit and not yet paid off. For others, losing the information that was stored on the phone is far more devastating than losing the device itself.

This series of articles deals with mobile device and data security, identifying the types of threats that exist, the attack vectors that are used and vulnerabilities that are commonly exploited. It also highlights the various countermeasures and preventative measures that can be employed by any person who values their mobile device and the private information stored on, or accessible through, that device.

Close the doors (and the windows too)

The act of closing a door doesn’t provide as much protection as locking it, but it is a necessary first step. Locking a door while it is still open usually prevents the door from closing at all, and that is arguably a worse position to be in. A closed door looks virtually the same as a locked door from the outside, and the perception that the door is locked is often a powerful enough deterrent. An open door, on the other hand, looks more like an open invitation to an opportunistic criminal. In cyberspace as in the real world, it is only a matter of time before a vulnerability (an open door) is discovered and exploited.

In the real world, someone would need to pass by or be in the vicinity to notice the open door, and would then need to stick around until an opportunity presents itself or return at a later time and seize the moment. In either case, the would-be burglar is personally at risk of being detected and caught. In cyberspace, your adversary doesn’t need to be near you at all, not even on the same continent, to detect open doors and windows, gain entry and steal whatever is available. Like his real-world counterpart, the cybercriminal cannot immediately tell a closed door from a locked one without a closer inspection, and given the vast number of open doors to be found online, simply closing yours gives you a good chance of avoiding that closer scrutiny. This is security through obscurity: it is your first line of defense against the opportunist, but on its own it stops nobody who does look closer, which is why Part 2 of this series is about locking. Let’s start closing those doors, shall we?

WI-FI

Turn off your device’s Wi-Fi when you’re not using it. Apart from the power saving, this reduces your exposure to a range of wireless threats. Cybercrooks can access your information relatively easily (and without your knowledge) if your connection is not secure. To keep your connection secure, always join wireless networks using the highest level of security available (WPA2 at a minimum on any modern device, WPA3 where it is offered). Connecting to unknown, open wireless networks is incredibly risky and increases your susceptibility to attack. If you limit your use of unsecured hot-spots to web surfing and online activities that don’t involve providing confidential information, you will probably evade identity theft attempts, but you will still be exposed to a horde of other threats. Do not make purchases, conduct online banking transactions or engage in any communication that conveys a password, account number or credit card number unless you are connected to a secure network. That information is exactly what cybercriminals are after, and on an open network anyone within radio range can pick unencrypted traffic out of the air; an HTTPS padlock protects the content of that one connection, but not which sites you visit, and it does nothing for apps that talk in the clear. When you’re away from your home or work network, prefer your 3G or 4G data connection: the radio link is encrypted by the network operator and is far more complicated and costly for a cybercriminal to intercept. It took me no longer than 30 minutes to find 24 Wi-Fi hacking and Wi-Fi password cracking apps on the internet, all of which were free, seemed easy to use and, at the time of writing, all seemed to do the trick.
To close the Wi-Fi door you should do the following:
  • On many devices you can ensure that you only connect to approved wireless access points by disabling the “automatically connect to non-preferred networks” setting, and by forgetting saved open networks you no longer use.
  • Turn off file and printer sharing if this feature is offered on your device.
  • As already mentioned, turn off your wireless connection when it is not in use.
  • For business use, only send sensitive company information through a VPN or other encrypted tunnel.
  • For personal use, use a reputable VPN whenever you are on a network you don’t control. A plain web proxy is not a substitute: it does not encrypt the hop between you and the proxy, which is exactly the hop a hot-spot attacker can see.

BLUETOOTH

As with Wi-Fi, your phone’s Bluetooth should be turned off when you’re not using it. Many devices ship with default settings that allow anyone with a little knowledge to connect to your device, even without your knowledge. Cybercriminals could access your device and copy files, or reach other devices that are attached to it over Bluetooth. Your phone also gives away the wireless networks it has joined before: while it searches for them it may broadcast their names, and an attacker who captures those names can spoof (masquerade as) one of those networks and fool your device into connecting to it automatically. Once connected, your device is “pwned”: the attacker can deploy malware, steal your data or monitor your communications and location, and you wouldn’t know.
To close the Bluetooth door you should:
  • Turn off Bluetooth when you’re not using it.
  • Disable any Bluetooth feature that allows devices to connect to you automatically.
  • Set Bluetooth to be undiscoverable, that is, not to broadcast your device details so that other Bluetooth devices can detect your presence.
  • Disable any automatic scanning or discovery of other Bluetooth devices in your proximity.
  • Delete any Bluetooth pairings you no longer use; a forgotten trusted device is a back door.
  • Always use a pass code when connecting to other devices – even if you trust them – you don’t know who else is watching.
  • Never attempt to pair with any device or cell phone you do not know.
  • Set Bluetooth to use a pass code that is longer than 4 digits.
  • Always choose your own passcode instead of the default setting which is inevitably something like 1234.
  • Change the code frequently and do not use obvious codes.

NFC

NFC or near field communication is a relatively new technology that enables devices to communicate with one another (or transfer data and files) simply by having the two devices in close proximity to one another. According to McAfee “it’s possible for attackers to use technologies that allow them to eavesdrop on your payments or steal and transmit your credentials by extending the range of the wireless signal. Your data may also be manipulated or corrupted by an attacker” (for more see How to Keep Crooks Out of Your ‘Mobile Wallet’).
Closing the NFC door is as simple as keeping NFC turned off until you need it, and making sure no other devices are within range when you use NFC to make a payment.

DOWNLOADS

Downloading software to your device is a potentially dangerous exercise (from a device security point of view) unless you can ensure that the software in question is safe. How often have you been told about (or read about) a new app that you really want, and without further consideration you point your device’s web browser to the website mentioned and click on a download link? If the answer is ‘never’ then you’re on the right track. If ‘all the time’ comes to mind then you’re at great risk, your device may already be infected with some form of malicious software, and you should consider scanning it for malware.
To close the Downloads door you should:
  • Only download software from reputable app stores like Google Play™, the Apple App Store, etc. Not that this guarantees your safety, but it will significantly reduce your risk.
  • If you are an Android user then you should avoid installing applications from outside the Play Store, and you can enforce this choice by disabling (unchecking) the “unknown sources” option in your device’s Applications Settings menu. On newer Android versions this has become a per-app “Install unknown apps” permission; deny it to your browser, email and messaging apps in particular, since those are the apps a malicious link would use. While you’re there you should also enable (check) the “verify apps” option (now part of Google Play Protect), which adds an extra level of protection against questionable apps.
  • Before downloading any app you should research the app and its publisher. Search the web for the app’s name or the publisher’s name to see whether any complaints or compliments have been posted on websites or forums, and whether the app itself has been submitted to a site such as virustotal.com to test it for malicious code.
  • Check the publisher’s website and see what other apps they’ve produced in the past and check them out too. If past apps have been problematic then perhaps their latest app might follow suit.
  • Check other users’ reviews and ratings to see if an application is safe. Bear in mind that any testimonials or reviews published on the publisher’s website could be fabricated, so place more emphasis on ratings and reviews you find on independent websites.
  • Check what permissions are being granted to the app (this will indicate what data the app would have access to and what sorts of capabilities it would have). If you’re supposedly downloading a neat new game then you should beware if the app is able to read your messages and phonebook for example.
  • Read the app’s privacy policy and end-user license agreement thoroughly. Know what information the publisher will have access to and how it will be used.
  • Once you have installed an app, check periodically whether it is using any of your mobile data or airtime, and if so, how often and what volume of data is being sent and received. Any app that uses considerable mobile data, or any data at all when it has no business being online, should be investigated further.

LINKS

If you really think about it, which is more efficient for an attacker: remotely identifying each individual target, bypassing their security measures and hacking their devices one by one, or putting up a handful of basic websites featuring products or content that appeal to a wide range of users and sitting back while those users click on links that download malicious software and hand over remote access? To me, the latter seems preferable for many reasons. If you treat links with caution and check where they lead before clicking them, you’re that much more secure. It makes no difference whether they arrive in an email, in an SMS message, or on a web page: think before you click. Many mobile antivirus and security apps can verify link destinations and will warn of potential threats; enable any such feature if it exists. The next best thing is to check the destination yourself: on a desktop, hover over the link and read the address in the status bar; on a phone, press and hold the link so the browser shows you the real destination before it opens it.
  • As a rule of thumb, never click on a link that is sent to you via email or SMS by any person that you do not know. This is a favourite method of criminals and identity thieves because it is cost effective and low risk.
  • If you receive a message from a trusted friend or family member that contains a link then first check that they did indeed send the link to you. Email and text message sender details can be easily spoofed so just because it appears to come from your best mate or BFF doesn’t necessarily mean that they sent it. Apart from spoofing sender details, some malware will use the phonebook contacts of a host phone to send these types of messages to other potential victims as most people don’t think twice when opening things from people they know. If you want to stay safer then you really should think twice.
  • If you are going to click a link then check that link first. Paste it into a search engine to see whether it has been flagged, or submit it to a site like virustotal.com. If there are any red flags then it’s probably best to steer clear.
  • Beware of links that point directly to files rather than web pages when there is no indication that the link is meant to download an app. Web page addresses normally end in html, htm, shtml, asp, php, pl or jsp and should not end in apk, cod, jad, jar, dmg, sis, sisx, app, exe, bat or zip. The extension is only a hint (a server can send you anything regardless of what the address says), but a direct link to an installer from an unexpected sender is a red flag in itself.
  • Beware of links that point to numerical domain names (IP Addresses) especially if you’re clicking the link to login to an online account. For example, if you’re asked to click a link to login to your paypal account (not that you ever should click such links) and the link points to http://196.22.43.102/paypal/login.php then press the back button. The use of the IP address is deliberate – this link is almost certainly pointing towards a webserver hosting a fake login screen.
  • Beware of links that contain the @ sign. Phishers use this syntax to trick people into visiting fake login pages so that they can steal your access details. Everything between the // and the @ is treated by the browser as a username (and optional password) for the site that follows the @, not as the destination, so a familiar bank name placed before the @ is pure decoration. For example, http://www.absa.co.za@192.168.43.102/login.pl takes you to the login.pl page on the web server at 192.168.43.102, not to Absa Bank’s login page. Note that the decoy part cannot contain a slash: the first / after the host ends the host portion, so in http://www.absa.co.za/login.asp@192.168.43.102/login.pl the destination really is www.absa.co.za and the @ is just part of the path. Some browsers now warn about or strip the username portion, but don’t count on it.
  • Beware of links whose URL is so long that it cannot be displayed in full in the status bar. This is usually done to confuse the user, or in combination with the @ sign trick to push the true destination out of view. An example might be http://www.standardbank.co.za.login.shtml:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&StateLevel=GetFrom&anotherthing&andyetanotherthing@61.252.126.191/fake-page.asp, which goes to 61.252.126.191. Links should be descriptive and uncomplicated. A reputable website will link to pages in as simple a manner as possible, e.g. http://www.domain.com/category/sub-category/page.html.
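The checks in the list above can be automated. The following Python script is an added example, not code from the original article: it uses the standard library’s URL parser to show which host a browser will actually contact and flags the warning signs discussed here (a username portion before an @, a bare IP address as the host, a direct link to an installer, and a URL too long to display in full). The sample links are constructed for the example from the addresses quoted above and are not live pages; the 100-character display limit is an assumption, not a standard.

```python
"""Link inspection: show the host a browser will really contact and flag
the URL tricks from the list above.

Added example, not code from the original article. Sample links are
constructed here from the addresses quoted in the text; none is live.
"""
import ipaddress
import posixpath
from urllib.parse import urlsplit

# Extensions that mean "this link downloads a program, not a page".
INSTALLER_EXTENSIONS = {
    ".apk", ".cod", ".jad", ".jar", ".dmg", ".sis", ".sisx",
    ".app", ".exe", ".bat", ".zip",
}
# Past this length a mobile status bar will not show the whole URL.
# The value is an assumption chosen for this example, not a standard.
MAX_DISPLAY_LENGTH = 100


def inspect_link(url: str) -> dict:
    """Return the real destination host, the decoy 'username' if any,
    and a list of warnings. An empty list means nothing stood out,
    not that the link is safe."""
    parts = urlsplit(url.strip())
    flags = []

    # Anything between '//' and '@' in the authority is userinfo. The
    # browser sends it as credentials; it has no say in where you go.
    if parts.username is not None:
        flags.append(
            f"'@' trick: '{parts.username}' is a username, "
            f"real host is '{parts.hostname}'"
        )

    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        flags.append(f"host is a bare IP address ({host})")
    except ValueError:
        pass  # an ordinary DNS name

    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in INSTALLER_EXTENSIONS:
        flags.append(f"link downloads a file directly ({ext})")

    if len(url) > MAX_DISPLAY_LENGTH:
        flags.append(f"URL is {len(url)} characters, too long to show in full")

    return {"host": host, "username": parts.username, "flags": flags}


# Constructed samples: the article's examples, the '@' example written
# the way it must be written to work, and one benign link.
SAMPLE_LINKS = [
    "http://www.domain.com/category/sub-category/page.html",
    "http://196.22.43.102/paypal/login.php",
    "http://www.absa.co.za@192.168.43.102/login.pl",
    # With a '/' before the '@' the slash ends the host portion and the
    # '@' lands in the path, so this one really goes to www.absa.co.za.
    "http://www.absa.co.za/login.asp@192.168.43.102/login.pl",
    "http://www.standardbank.co.za.login.shtml:UserSession="
    "2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate"
    "&StateLevel=GetFrom&anotherthing&andyetanotherthing"
    "@61.252.126.191/fake-page.asp",
    "http://www.domain.com/downloads/free-game.apk",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = inspect_link(link)
        print(f"{link}\n  -> host: {report['host']}")
        for flag in report["flags"]:
            print(f"     ! {flag}")
```

Run it as a script to see each sample link reduced to the host it actually reaches. The fourth sample is the instructive one: because the decoy contains a slash, the parser (like a browser) treats the @ as part of the path and the link goes to www.absa.co.za after all, which is why a phisher has to keep the bait before the @ free of slashes.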

ATTACHMENTS

Attachments to emails or other electronic messages can be used to send you malicious software, in the hope that you will open the attachment and activate whatever payload was included. Reasonably safe attachments, such as the images, videos, spreadsheets and documents one might expect from work colleagues, suppliers, customers, friends and family, are generally OK to open. I’ve used the words “reasonably” safe and “generally” OK because it is possible to embed scripts or macros in documents that exploit vulnerabilities in the applications commonly used to open them, so even a document from a known sender deserves a second look if it arrives unexpectedly or asks you to “enable content”. Other methods of deploying malicious software as an attachment include compressing executable files into archives (typically with the extension .zip or .rar) and giving an executable a double extension such as invoice.pdf.exe so that it looks like a document at a glance. Keep a reference list of archive and executable file formats to hand so that you recognise them when they arrive.
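A first-pass triage of an attachment can be scripted. The Python below is an added example, not code from the original article: it looks at both the file name and the first bytes of the content, and flags the tricks the paragraph describes (an executable with a double extension, an archive that contains a program, and an Office document that carries a VBA macro project). The sample attachments are constructed in memory for the example; they are not real files, and nothing is ever executed.

```python
"""Attachment triage: flag the attachment tricks described above.

Added example, not code from the original article. The sample
attachments are built in memory below; nothing is read from disk and
nothing is ever executed.
"""
import io
import posixpath
import zipfile

EXECUTABLE_EXTENSIONS = {
    ".exe", ".bat", ".cmd", ".com", ".scr", ".msi", ".js", ".vbs",
    ".jar", ".apk", ".dmg", ".app",
}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
# Office Open XML documents (docx/xlsx/pptx and the macro-enabled
# docm/xlsm/pptm) are zip containers; a VBA project is stored as one
# of these members whatever the file is called.
MACRO_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def triage_attachment(filename: str, data: bytes) -> list:
    """Return human-readable reasons to distrust the attachment.
    An empty list means none of these checks fired, nothing more."""
    reasons = []
    stem, ext = posixpath.splitext(filename.lower())

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable file type {ext}")
        inner_ext = posixpath.splitext(stem)[1]
        if inner_ext:  # "invoice.pdf.exe": only the last extension counts
            reasons.append(f"double extension: {inner_ext} is a decoy for {ext}")

    # Judge the bytes, not the name: Windows programs start with 'MZ'.
    if data[:2] == b"MZ":
        reasons.append("content is a Windows executable (MZ header)")

    if data[:4] == b"PK\x03\x04":  # zip container: archive or Office file
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return reasons + ["claims to be a zip but cannot be read"]
        if MACRO_MEMBERS & set(members):
            reasons.append("Office document contains a VBA macro project")
        if ext in ARCHIVE_EXTENSIONS:
            programs = [m for m in members
                        if posixpath.splitext(m.lower())[1] in EXECUTABLE_EXTENSIONS]
            if programs:
                reasons.append(f"archive contains executable(s): {', '.join(programs)}")
    return reasons


def _zip_bytes(entries: dict) -> bytes:
    """Build a small zip archive in memory for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real files): a photo, a program disguised as
# a PDF, an archive smuggling a program, a macro-enabled document and a
# plain document.
SAMPLE_ATTACHMENTS = {
    "holiday-photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "invoice.pdf.exe": b"MZ" + b"\x00" * 62,
    "quarterly-report.zip": _zip_bytes({"report.pdf": b"%PDF-1.4", "viewer.exe": b"MZ"}),
    "schedule.docm": _zip_bytes({"word/document.xml": b"<w:document/>",
                                 "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "notes.docx": _zip_bytes({"word/document.xml": b"<w:document/>"}),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_ATTACHMENTS.items():
        verdict = triage_attachment(name, blob)
        print(f"{name}: {'; '.join(verdict) if verdict else 'nothing flagged'}")
```

The point of checking the MZ header as well as the name is that the name is chosen by the sender and the bytes are not; a real mail gateway would go further (nested archives, password-protected zips it cannot open, and the actual macro code), but these four checks already catch the everyday disguises the paragraph warns about.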

Part 2 deals with Locking the doors and ensuring proper access control to your device and the data that is physically stored on it or in the cloud. Part 3 will look into guarding the doors and measures to deter, delay and detect attempted breaches. For now, keep safe and take care.
