These Are Your Must-Have Secure Mobile Messaging App Features

 


When you send a text or MMS from your phone the normal way, you can’t control what happens to the information once it leaves your device. Wireless carriers are required to save messages for a certain length of time to assist authorities in criminal investigations. The recipient can save the message indefinitely, or send it to someone else without your knowledge or permission.

That means those risqué photos, videos or texts you sent to your significant other could come back to haunt you in the future. There are web sites where people post pictures and messages of a private nature sent by their exes as a form of revenge. Relatively innocuous business-related messages could prove damaging if taken out of context later. Even if you don’t have a disgruntled ex or business partner, the recipient’s device could be lost or stolen, or their cloud accounts hacked.

Several messaging and social media apps have sprung up in response to these security concerns. But how secure are they? Let’s examine the features you should look for in a messaging app that will keep your private messages under wraps.

End-to-End Encryption

Encryption uses a public and private key to encode and decode the messages. A secure messaging app should generate and store the keys on the user’s device, not on a server. The keys should only leave the device by action of the user, such as creating a backup or transmitting them to a new device. This means that even if a company is subpoenaed or required to deliver your private messages to the authorities, they technically cannot.

In-Transit Encryption

Encryption during transmission is important because these apps use a data connection instead of the phone connection. If you or the recipient is on WiFi, the messages could be intercepted and read by a third party. The app should also encrypt stored messages, in case the device is hacked or falls into the wrong hands.

Permanent Deletion

The digital storage on a smartphone works much like a PC’s hard drive. By default when you delete something, the operating system marks the space as available, but doesn’t actually remove the data until something overwrites the space. A secure messaging app should either remove the information completely, or only store the messages in RAM. Some messaging apps automatically delete the messages once they are read or after a specific length of time.

User Friendliness

While this isn’t a security feature in itself, it’s still important. Most secure messaging apps require both parties to be using the same app. If you choose one that isn’t user-friendly, it will be difficult to convince others to join and they may not stay. If you’re choosing a messaging app for business purposes, your employees may be tempted to find their own solution and resort to easier to use but less secure apps instead.

Which Messaging App Should I Use?

Most mass market messaging apps were not designed with security in mind. Apps like Yahoo! Messenger, AIM, Google Hangouts, SnapChat and Viber encrypt messages during transit, but leave them vulnerable to being read at other points.

Of the more popular messaging apps, iMessage and FaceTime are the most secure but are limited to Apple products. On the Android exclusive side, users concerned about security can use TextSecure. Other secure messaging apps such as Cyber Dust, Silent Text and ChatSecure support both platforms.

The best way to decide which app is right for you is to ask your contacts or employees and find out if there is a secure messaging app they are already using. If they are using an app without robust privacy protection, try out a few different apps and determine which one has the features you need the most.

Learn more about texting security features. Subscribe to our weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube. Visit www.CyberSecurityDictionary.com for more terms and definitions.

How Easy Is It For Hackers To Jack The Tower?


Earlier this month the Government Accountability Office issued a 46-page report outlining security vulnerabilities in critical Federal Aviation Administration (FAA) systems. The report concerns the national airspace system (NAS) used to track and direct public and private aircraft. Many of these issues are common in all types of organizations, so look over the FAA’s list of shortcomings and see how many might be affecting your company.

Interconnectivity: The NAS is not connected to the Internet, but it is connected to outside networks. The report indicates there are too many unnecessary connections between the NAS and these other networks. Security shortcomings in the connected networks could open access points into the NAS, leaving it vulnerable to attack.

Passwords: The report found some servers did not have sufficiently strict password requirements. The password requirements are actually less strict than I usually recommend. The FAA’s minimum number of characters in a password is eight. For maximum security your organization should require a minimum of twelve characters. Passwords should have at least one upper and lower case letter, and should contain numbers and special characters. The passwords should also automatically expire after a certain length of time.

User Authentication: Regulations state only authorized users can have access to the system, and users should have the minimum number of permissions required to perform their duties. The investigators found users with excessive permissions and improper security documentation.

Encryption: Another alarming detail is the FAA did not always ensure sensitive data was encrypted during storage and/or transmission. The investigation found network devices supporting certain systems did not encrypt authentication data, and some systems used weak encryption to store passwords.

Auditing & Monitoring: The report also indicated the FAA did not have adequate systems in place to monitor network traffic or ensure the NAS was logging security-related events. If an attack were to occur, the administrators may not be able to detect and respond to malicious activities in time.

Patching: Investigators found the FAA did not always take steps to ensure key systems were fully patched or kept up-to-date. Some systems were missing patches dating back more than three years, and some servers supporting key systems were so old they had reached end-of-life and were no longer supported. This leaves the systems vulnerable to security loopholes and exploits that have been fixed under newer software releases.
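The Passwords and Encryption items above can be enforced together when a password is set. The following is an added example, not code from the GAO report or the FAA: it applies the twelve-character and character-class rules, stores only a salted scrypt hash, and lists accounts whose passwords have expired. The 90-day lifetime, the account names and the sample passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import string
from datetime import date, timedelta

MIN_LENGTH = 12                 # the article's recommendation (the FAA minimum was 8)
MAX_AGE = timedelta(days=90)    # assumption: the article names no specific lifetime


def policy_violations(password):
    """Return every policy rule the candidate password breaks."""
    checks = [
        (len(password) >= MIN_LENGTH, "shorter than 12 characters"),
        (any(c.isupper() for c in password), "no upper case letter"),
        (any(c.islower() for c in password), "no lower case letter"),
        (any(c.isdigit() for c in password), "no number"),
        (any(c in string.punctuation for c in password), "no special character"),
    ]
    return [message for ok, message in checks if not ok]


def _derive(password, salt):
    # scrypt is a deliberately slow, memory-hard function, so a stolen
    # password table cannot be brute-forced cheaply.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)


def set_password(store, username, candidate, today):
    """Reject weak passwords; otherwise keep only salt, hash and change date."""
    violations = policy_violations(candidate)
    if violations:
        return violations
    salt = secrets.token_bytes(16)          # unique random salt per account
    store[username] = {"salt": salt,
                       "digest": _derive(candidate, salt),
                       "changed": today}
    return []


def verify_password(record, attempt):
    """Constant-time comparison of the stored hash with the login attempt."""
    return hmac.compare_digest(_derive(attempt, record["salt"]), record["digest"])


def expired_accounts(store, today):
    """Accounts whose password is older than MAX_AGE and must be changed."""
    return sorted(user for user, rec in store.items()
                  if today - rec["changed"] > MAX_AGE)


if __name__ == "__main__":
    accounts = {}
    start = date(2015, 3, 1)
    # Constructed sample passwords: the first meets an 8-character minimum only.
    for user, pw in [("ops1", "Tower#42"),
                     ("ops2", "correcthorsebattery"),
                     ("ops3", "Runway-27L-Approach!")]:
        print(user, set_password(accounts, user, pw, start) or "accepted")
    print("expired after 91 days:",
          expired_accounts(accounts, start + timedelta(days=91)))
```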

Unlike the FAA, lives may not depend on your network security. That doesn’t mean your organization can afford to relax. Ensuring your network is hardened against hackers is an essential part of running a business.

The Hidden Privacy Upside of Net Neutrality

 


On February 26th the Federal Communications Commission voted in favor of stronger net neutrality rules. The vote reclassifies both wired and wireless broadband internet service providers (ISPs) as utilities under Title II of the Communications Act of 1934. Most of the media attention has focused on the ruling barring ISPs from blocking or prioritizing internet traffic and forcing companies running services that require a lot of bandwidth to pay extra for faster speeds. While these provisions are important, the act also includes regulations that could increase consumer privacy and help unsatisfied customers file complaints against broadband service providers.

Wireless Consumer Privacy Under Current Regulations

Wireless service providers were already classified under Title II, but only for voice service. Cellular companies have long used their man-in-the-middle status to track users’ mobile browsing habits and the apps they use. Because the carrier has personal information about account holders, the device’s location data and can identify each device at the network level, they can assemble detailed demographics lists to sell to mobile advertising networks.

This allows ad companies to target consumers with a level of precision that worries consumer privacy advocates. For example, if a mobile advertiser wants to target Latino families with pets in northern Los Angeles, the carrier could probably assemble such a list based on the account and browsing information available only to them.

Wireless Consumer Privacy Under Title II

Under the new ruling, Title II Section 222 requires broadband providers to “protect the confidentiality of proprietary information” of “other telecommunications carriers, equipment manufacturers, and customers.” The law was originally written to protect consumers and businesses against AT&T’s monopoly on landline services and telephone directories.

If “proprietary information” applies to data such as user account information, browsing records and location data, carriers would be required to protect the data and could not sell it to third parties without the customer’s consent. Until now, these protections have been severely lacking. In a talk that took place in Boulder, CO on the 9th, FCC Chairman Tom Wheeler shared a story of an unnamed telecommunications carrier that put sensitive customer information on the web with no encryption or password. Anyone could find a customer’s information with just a simple Google search.[1]

Broadband Consumers Finally Get an Ally with Some Clout

Another important but often overlooked feature of the ruling allows consumers to complain about their ISP directly to the FCC. Telecommunications and cable companies have some of the lowest customer approval scores of any industry. Until now, the FCC could only take action if the complaint involved misleading or deceptive claims. Unsatisfied broadband consumers could only take other complaints to the company directly or to advocacy groups with no powers of enforcement. Title II Sections 206-209 and 216-217 allow the FCC to investigate complaints and take action if necessary.

Even though the ruling passed 3 to 2, this isn’t the end of the net neutrality debate. The FCC vote was divided on party lines and some politicians are already vowing to fight the regulations. At least one carrier has already promised a lawsuit. If the ruling is challenged, any replacement regulations should keep the consumer protection parts intact.

[1] http://www.twice.com/blog/executive-insight/fcc-chairman-wheeler-justifies-net-neutrality/55968

Billion Dollar Bank Hackers Use Old Phishing Technique


Last week the internet security firm Kaspersky Lab released a report on a highly successful group of cybercriminals who targeted banks and may have stolen up to a billion dollars across 100 financial institutions worldwide. While Kaspersky Lab did not name the victimized organizations, the report indicates they were mostly located in China, Russia and the United States. The attacks included a lengthy reconnaissance phase, with the criminals masquerading as legitimate users for long periods of time. The FBI and Secret Service said the U.S. financial system has not been affected, so perhaps the criminals were uncovered before they could strike.[1]

The malware the cyber criminals used opened a back door into the company’s computer networks, allowing them access to learn the organizations’ systems. It even gave the hackers the ability to monitor webcams and embedded cameras in laptops to conduct long-term observation of employees. Once the criminals were familiar with the network, they were able to steal money in a variety of different ways depending on the organization. With some banks, they manipulated ATM machines to dispense cash at predetermined times, which were then picked up by money mules. At others, they artificially inflated the balance on legitimate accounts, then transferred the money to other banks in a different country.

As sophisticated and patient as they were, the hackers relied on email spear phishing to launch the initial phase of their attack. It’s an old-school technique favored by hackers because it works.

What is Spear Phishing?

Have you ever gotten an email asking you to “verify” your bank, eBay or PayPal account? Those emails are a form of phishing. When you click on a link in the email, it takes you to a web page that looks very much like the real thing, but is run by criminals attempting to steal your information.

Spear phishing works much the same way, except the emails are targeted toward a specific person or small group of people instead of broadcast to thousands. In today’s world of social media, it’s not difficult for criminals to find the names and email addresses of people within an organization. Once they have the person’s name and email address, the criminals simply write a convincing email that supposedly came from their boss or the company CEO. They attach the malware and instruct the employee to open the attachment in the message.

In this case, some of the emails were sent from compromised employee accounts. Once the bank employee opened the attachment, the embedded malware used a vulnerability in certain versions of Microsoft Office or Microsoft Word to infect the user’s computer.

How Can You Prevent Spear Phishing in Your Organization?

Instruct employees not to open email attachments they were not expecting, no matter who the message comes from. If an employee receives an email with a suspicious attachment from someone they know, have them double-check with the supposed sender before they open it.

Always install security updates and patches to computer operating systems and the programs your organization uses as soon as possible. In many cases, your IT staff can push updates out to computers on the network remotely.
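A mail gateway can back up the first piece of advice by holding Office attachments until the sender is confirmed. The following is an added example, not part of the Kaspersky report: it parses messages with Python's standard email package and flags executive display names on outside addresses and mismatched Reply-To domains, while still requiring verification for internal senders because some of the emails came from compromised employee accounts. The domain, names, extension list and sample messages are constructed assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage

ORG_DOMAIN = "examplebank.test"     # assumption: the organization's mail domain
EXECUTIVES = {"pat morgan"}         # assumption: constructed executive name
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".xlsm")


def office_attachments(msg):
    """Return the filenames of attachments that open in Microsoft Office."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(OFFICE_EXTENSIONS):
            names.append(name)
    return names


def triage(raw_message):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    docs = office_attachments(msg)
    if not docs:
        return "deliver", []

    reasons = ["Office attachment: " + ", ".join(docs)]
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return "quarantine", reasons + ["missing or unparseable From header"]
    sender = from_header.addresses[0]
    domain = sender.domain.lower()
    spoofed = False

    # A boss's or CEO's name on an address outside the organization.
    if sender.display_name.lower() in EXECUTIVES and domain != ORG_DOMAIN:
        reasons.append("executive display name on external address")
        spoofed = True

    # Replies silently diverted to a different domain.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        if reply_to.addresses[0].domain.lower() != domain:
            reasons.append("Reply-To domain differs from From domain")
            spoofed = True

    if spoofed:
        return "quarantine", reasons
    # Internal senders are not trusted blindly: the account may be compromised.
    reasons.append("confirm with the sender before opening")
    return "verify-with-sender", reasons


def build_sample(from_header, attachment=None, reply_to=None):
    """Build a constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "teller@examplebank.test"
    m["Subject"] = "Quarterly figures"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Please review the attached document today.")
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    samples = [
        build_sample("Pat Morgan <pat.morgan@mail-examplebank.test>", "review.doc"),
        build_sample("Lee Chen <lee.chen@examplebank.test>", "invoice.docx"),
        build_sample("Lee Chen <lee.chen@examplebank.test>"),
    ]
    for raw in samples:
        print(triage(raw))
```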


[1] http://uk.reuters.com/article/2015/02/18/uk-cybersecurity-banks-idUKKBN0LM26120150218

Android & PC Tie For First Place In Malware


A report published last week by Alcatel-Lucent revealed malware on mobile devices has caught up to the infection rate on traditional PCs. The report was created by the telecommunications company’s Motive Security Labs and used data compiled from fixed and mobile networks using their Motive Security Guardian software. The software is deployed in networks around the world, and monitored traffic from nearly 100 million individual devices.

The report revealed 0.68% of mobile devices were infected with some type of malware. This may not sound like much, but with 2.3 billion mobile broadband subscriptions this estimate puts the number of infected smartphones and tablets at approximately 16 million. The report notes the estimate is probably conservative due to lack of coverage in China and Russia, where mobile malware infections are higher than average.

Android Makes Up Over 99% of Mobile Malware Infections

That the Android operating system makes up most mobile malware infections should come as no surprise. Its open source environment and the ability for users to install apps from third-party sources make it easier for cyber criminals to distribute their malware. Apple and BlackBerry mobile devices have a more restricted app environment, and Windows Phone simply lacks the numbers to make a dent.

Another part of the problem is Android devices receive updates less frequently than PCs. In the United States, most Android devices run a version of the OS that is customized for each manufacturer, model and carrier. When Google releases a new version of the stock OS, the device manufacturer must test and tweak the OS for each supported device and carrier.

Top 20 Mobile Malware Infections of 2014

The report also gave information on the top 20 malware programs installed on Android devices. Six of the top 20 are spyware apps that can monitor phone calls, SMS/MMS messages and track the user’s location via GPS data. Three spots went to adware programs. The rest of the list is made up of a wide variety of malicious apps.

Some apps open back doors into the device and allow the attacker to steal data for identity theft. A few are apps that send SMS messages to premium numbers to charge users on their phone bill. Others allow attackers to use the device as a proxy for illicit internet activity. There’s even a bot app that makes the mobile device part of a botnet, a type of malware usually targeted at PCs. New on the list this year are two ransomware programs, which claim to encrypt the information on the device and attempt to extort money from the user.

Mobile Malware is Growing in Sophistication

In the past mobile malware mainly consisted of adware, but some of the malware on the list has features previously targeted exclusively toward traditional computers. As the number of mobile devices grows and the devices become more powerful, they will become an increasingly attractive target for hackers.

What Are Drone Operators All Waiting For?


Last week I talked about drone operators who don’t follow the rules. This week I’ll talk about legal drones, existing regulations and the new rules that are due out soon.

Commercial Use

Current FAA regulations prohibit the commercial use of drones, but companies can apply for a special permit. According to Reuters, as of February 3rd the FAA has received 342 requests but only granted 24. The most recent batch of approvals includes companies that use aerial drones for filming movie and television footage, taking aerial photographs and surveys, monitoring flare stacks on oil rigs and checking farmers’ fields.

Companies are also interested in using drones to make deliveries. Amazon has applied for a commercial permit to test a drone delivery system, but has yet to receive approval. Online retailer Alibaba conducted a trial delivery program in China last week, using drones to deliver 450 packages of tea to volunteer customers in three cities.

Personal Use

The regulations that currently cover personal drones were created for model aircraft. Hobbyist operators can use them for non-commercial purposes. For example, an operator can use their drones to take pictures for their own enjoyment. If they plan on selling the pictures, they must apply for a permit.

Personal drones cannot fly higher than 400 feet above ground level, must remain at least 5 miles from an airport unless the operator notifies the control tower in advance, and must stay out of restricted zones. Restricted zones can be permanent, such as around government buildings and military bases, or temporary, like the 30-mile radius no-fly zone around the stadium during the Super Bowl. Open stadiums often have temporary no-fly zones around them during events.

New Regulations Overdue

The slow pace of FAA approvals and prohibition of wider commercial use has frustrated many companies and private owners, but relief may be coming soon. The FAA turned a draft of their newly-revised rules over to the White House on October 23rd. The new rules were expected in 2014, but Transportation Secretary Anthony Foxx told reporters last month the new rules would be released soon. It’s not certain if the drone crash on the White House lawn has affected the release date.

One thing is certain… With more relaxed regulations, drones will become more common in the United States airspace. But not everyone wants drones flying overhead. When drones fly into restricted zones, organizations will need a reliable method to detect them and recognize the operator. Berkeley’s Yellowjacket®-Tablet civilian drone detection system gives authorities the tools they need to identify unauthorized drones and the devices used to control them.

On February 22-23, we will be taking part in many cybersecurity presentations at Connected World CyberSecurity Conference in Birmingham, AL. BVS is both a sponsor and presenter at this event and we will be flying a drone for a live drone detection presentation using our Yellowjacket®-Tablet with direction finding antenna. Please join us.

How Can We Prevent The Next White House Drone Crash?


Current Federal Aviation Administration regulations require civilian drones to stay under 400 feet in altitude and at least five miles from airports and other restricted areas. Unfortunately, not all drone operators follow the regulations.

Drones at the White House

On Monday, January 26th at 3:02 AM a Secret Service officer on duty at the White House spotted a drone flying overhead without setting off alarms. The drone crashed on the edge of the property, triggering a security lockdown and search. The operator turned out to be an undisclosed inebriated off-duty government employee flying a personal drone. He turned himself in several hours later, claiming he lost control of the drone and did not mean to fly it into a restricted area. His actions led DJI (the manufacturer of that particular drone model) to initiate a 15 mile radius no-fly zone around the White House to be included as a mandatory firmware update for all DJI drones.

He is not the first drone operator caught near the White House. On August 19th a drone operator was arrested after he crashed it into a tree just outside the White House grounds. Another was detained on July 3rd after Secret Service agents caught him flying a drone a block away.

Identification Difficulties

One of the major issues with drones is lack of traceability. There are no registration requirements, so finding the operator of a crashed drone is nearly impossible. Even when the drone is in the air, finding the operator is difficult. If the operator is concealed inside a building or vehicle, locating them without using the right tools is like looking for a needle in a haystack. Fortunately, wireless threat detection tools such as Berkeley’s Yellowjacket-Tablet Wi-Fi Analyzer can catch a drone pilot red-handed by using real-time RSSI measurements and MAC address identification.

Drones Pose Air Safety Hazard

Even more alarming are reports of close encounters between civilian drones and low-flying aircraft. In November 2014, the FAA released a list of 25 incidents that occurred starting June 1st. The incidents were reported by pilots and several involved passenger aircraft where the drone was spotted less than 200 feet away during takeoff or landing. The pilots reported seeing drones as high as 4,000 feet.

Drones are small and most weigh under 10 pounds, but the aircraft’s speed and the delicate construction of propellers and jet engines make a drone strike very dangerous. Impacts with birds of similar size have caused airplane crashes, including the U.S. Airways flight that landed in the Hudson River in 2009. According to wildlife organization Bird Strike Committee USA, a 12 pound bird striking an aircraft traveling at 150 MPH generates the same force as a 1,000 pound weight dropped from 10 feet. A drone of similar size would have the same effect and could easily set off a chain of events resulting in a crash.

Drone Payload Concerns

Some civilian drones have payload capacities up to 30 pounds, easily enough to carry contraband and even explosives or chemical weapons. In 2013 German police recovered a drone and bomb-making materials from right-wing terrorist groups. Just last week Mexican police in Tijuana recovered a crashed drone attempting to fly a load of drugs into the U.S. Here in the United States, criminals have used drones to fly drugs and prohibited cell phones into prisons.

Drones have the potential to improve our lives, but they also pose risks to security and public safety that should be addressed. Shutting down drone operators who disobey the law and put others at risk should be a top priority.

Source Links:

http://www.livescience.com/3239-birds-jet-airplane.html

http://www.washingtonpost.com/world/national-security/near-collisions-between-drones-airliners-surge-new-faa-reports-show/2014/11/26/9a8c1716-758c-11e4-bd1b-03009bd3e984_story.html

http://www.washingtonpost.com/wp-srv/special/national/faa-drones/

Deep Dark Web Of The Internet Iceberg


The World Wide Web is a vast and always changing network of web pages. In the early days of the web there were no search engines, and people relied on finding information using pages with long lists of HTML links. It was cumbersome and links were often outdated.

The development of automated search engines made it much easier for users to find information. Modern search engines like Google, Yahoo and Bing use programs called spiders that crawl the web and find links between the main page on a site and its linked subpages. These publicly viewable pages are part of the Surface Web, but they’re just the tip of an iceberg.

What’s Below the Surface Web?

While the web is growing constantly, cybersecurity experts know the vast majority of web pages are inaccessible to search engines. Hidden pages include unpublished blog posts, forums that force users to log in before they can view the contents and news sites that archive their stories for paid subscribers only after a specific amount of time. Subpages on public web servers that are not linked to other pages do not show up in search results, but if someone knows the page URL they can access the page directly by typing it into their browser’s address bar. Collectively these resources hidden from search engines are called the Deep Web.

The information locked away in the Deep Web is valuable. Doctors could access information currently hidden in archived databases about new research and medical procedures. Aerospace engineers could find data on how to build safer airplanes. Unfortunately, cyber criminals also use the Deep Web for communication and to hide their illicit activities. The Deep Web contains pages where criminals use a type of digital currency called Bitcoin to trade and sell everything from stolen credit card numbers to illegal drugs.

Navigating the Deep Web

So if the Deep Web isn’t indexed by normal search engines, how do users navigate it? The answer lies in browser software called The Onion Router, or Tor for short. Tor allows users to access .onion sites. It also anonymizes users by bouncing their web traffic through a randomized series of encrypted servers located around the world. This makes Tor users much more difficult to track online.

Like the Deep Web itself, Tor does have legitimate uses. The software was developed by the United States government to protect whistleblowers, dissidents who live under repressive political regimes and others who would be in danger if their identities were compromised.

Some governments censor the Surface Web, blocking certain web sites and monitoring their citizens’ online activities. Facebook recently established a direct connection to Tor, allowing users in these areas anonymous access to their site. It also protects those who simply value their privacy and aren’t doing anything illegal but don’t want their browsing habits tracked.


My Phone Is Held Hostage By Ransomware, Now What?


Ransomware is a type of malware that holds your data hostage. It has been a problem with computers for many years, but it’s only recently started showing up on mobile devices. When you activate the program or app, it blocks you from accessing the data on the device and displays a message demanding payment by untraceable methods like Bitcoin or MoneyPak.

How does it spread?

On mobile devices, ransomware usually spreads via email, from visiting malicious web sites that host pornography or installing pirated apps. Recently malware developers have gotten smarter. Some ransomware apps can now spread via text message. When a device is infected, the malicious app will send an SMS to everyone in the device’s contact list with a message tricking the recipients into clicking on a link. When the reader opens the link, they are directed to install the malware on their devices, thus repeating the process with a new round of victims.

What should you do if your device is infected?

First of all, don’t pay the ransom. If you do send money all you’re doing is rewarding criminals, and there are no guarantees you’ll get your information back anyway.

Reboot the device into safe mode. Just like a computer, safe mode boots the Android device with just the bare minimum operating system. This prevents the malicious software from running at startup and allows you to remove it. The instructions on activating safe mode vary from device to device, so check the manual and the manufacturer’s web page for specific instructions.

Once you have access to the operating system, you can uninstall the malware or run an antivirus app that will remove it for you.

How do you prevent malware from attacking your Android device?

Do not click on any links you were not expecting in emails or text messages. If the message comes from someone you know, contact them before opening the link.

Make sure the “Unknown sources” check box is left blank. The option is usually disabled by default, but sometimes users enable it to install legitimate apps that are not available from Google. The location can vary, but it is usually found under Settings > Security. Disabling this option will prevent the device from installing apps from sources other than Google’s Play Store.

Keep backups of your local data. With many apps, the data is stored on a remote server instead of your device. When you open the app, it downloads the information it needs through your data connection. If you do have applications that store data on the device or memory card, make sure to keep a backup of the information on your computer.

For rooted Androids, there are applications that will create an image of everything on the device and save it in a file you can transfer to your computer or upload to cloud storage.


Can The FBI Attract Ethical Hackers?


In today’s online world, cyber attacks can be nearly as devastating as traditional warfare. In addition to cyber terrorism, hackers have stolen identification and credit card information from millions of Americans in cyber attacks on large businesses. Local law enforcement often doesn’t have the skills or manpower to handle these cyber crimes, and jurisdiction becomes a problem when the victimized organization has locations in several areas. When the scale of the problem is too big or too complex for the target organization or local law enforcement to handle, they often turn to the Federal Bureau of Investigation for help.

The FBI has recognized the increased demand for agents trained in cybersecurity and has posted a job listing on usajobs.gov. The listing is open until January 20th, and while it doesn’t specify the number of positions open, a statement released alongside the listing stated there were “many.”

Why is the FBI seeking cyber special agents?

Tracking down sophisticated cyber criminals and terrorists with foreign government backing requires totally different skills than solving the offline crimes the FBI has always handled in the past. For example, if a gang of criminals robs a bank the agents might interview witnesses, review surveillance footage and look for physical evidence. But what if the gang of criminals stole the money electronically using a computer in another country? No one stuck a gun in a teller’s face, but the bank still lost money and the criminals need catching.

What kind of people is the FBI looking for?

The job listing gives a long list of experience requirements related to cybersecurity, including network administration, ethical hacking or white hat, computer programming, database administration and digital forensics. The applicant must have a minimum four-year degree from an accredited college or university or foreign equivalent. It lists degrees relating to computers, mechanical engineering or information security but does not bar applicants with non-technical degrees as long as they can demonstrate technical work experience.

In addition to the computer-related skills and background, applicants must be eligible for Top Secret security clearance and be between the ages of 23 and 37, though some military veterans are exempt from the age restriction. The applicant must meet the same physical requirements and pass the fitness tests required of all FBI Special Agents.

What does this mean for us?

It’s a positive move for the businesses, organizations and local law enforcement agencies that rely on the FBI’s assistance for solving cyber crimes. More agents with better training and a wider pool of specialized skills to draw on means faster resolutions and a greater chance of cyber criminals and terrorists being brought to justice.
