//Kevin Anderson /May 29 / 2013
How to keep you and your sources safe from smartphone attacks
With the high-profile campaign against news organisations by the Syrian Electronic Army, journalists and media managers are waking up to the importance of digital security. But as politically motivated digital attacks increase, journalists must remember that attacks are not just targeting their computers but also their mobile phones.
In April, security researchers uncovered two separate digital attacks targeting Tibetan and Uyghur activists and their Android smartphones. The first Android attack would be familiar to most internet users. Victims were sent email messages about a human rights conference, and their smartphones were compromised once they opened an attachment. The second attack went one step further, distributing a fake version of the KakaoTalk instant-messaging application popular in the region, according to McAfee mobile malware researcher Carlos Castillo.
With the attacks by the Syrian Electronic Army, they mostly have stolen Twitter and WordPress logins from news organisations and posted messages meant to discredit the news groups to create mischief, such as when they posted to an Associated Press Twitter account that US President Barack Obama had been assassinated. That tweet caused a frightening, but very brief, drop in the US stock market.
These smartphone attacks threaten much more than your credibility. Security researchers at the University of Toronto found that the fake KakaoTalk application captured the “the user’s contacts, call history, SMS messages and cellular network configuration”. This information was written to an encrypted file and uploaded to a remote site that looked like a rather innocuous site hosted by Chinese search engine Baidu. The phone could also be triggered via a special SMS message hidden to the user to divulge information about the location of the phone. This attack was extremely sophisticated.
But the malware could do even more, with some features not currently in use but possibly being prepared for future versions of the malicious software. For instance, it requests the GPS location, access to the Bluetooth radio and even the phone sleep state. If the GPS location was reported, the attacker could physically track the owner of the phone. If two phones were compromised, the attacker would know where targets were and possibly even when they met.
Have you left your wifi on?
I recently attended a Hacks/Hackers event in London. It’s a global effort to bring together journalists (sometimes called ‘hacks’) and developers and technologists (the hackers). In this instance, ‘hacker’ is not being used to mean people who break into computers, but rather in the positive sense to mean a technically capable person.
The talks included a demonstration by Daniel Cuthbert, the chief operating officer of security firm Sensepost, in which he showed off how a fake wifi hotspot running on a Nokia N900 could collect a wealth of information from those in the room.
The software pretended to be a hotspot that your smartphone, tablet or other wifi-enabled device had connected to before, such as a hotspot at Starbucks. If you had connected to the hotspot before, your device would automatically get an address and connect to the rogue hotspot. Using a piece of software the company had developed called Snoopy, Cuthbert was then able to harvest all kinds of information. As a proof of concept, Cuthbert showed Google Streetview images of where some of the attendees lived as well as Facebook pages and contacts.
It was a sobering demonstration, and had he been willing to throw caution and respect for the law to the wind, he could have found out much more.
How to protect yourself and your contacts
Be aware – The first step in digital security is awareness. As we’ve seen with other digital security issues, most of the attacks do not involve complicated technical knowledge but rather rely on simple and sophisticated ways of tricking you out of your information. The first Android attack would looked very similar to a host of phishing attacks that most people are familiar with in terms of trying to trick you into downloading an infected attachment or link. The biggest challenge for you, your editors, your journalists and other staff is that it is very easy to create fake emails that appear to come from someone you know.
Don’t leave wifi on – These cases also highlight new types of increasingly sophisticated technical attacks against mobile devices. How to protect yourself against rogue hotspots? Cuthbert advised journalists to turn off the wifi on their smartphones when you aren’t using it. Besides being more secure, this will use less power and give you longer battery life.
Use virtual private networking – I use a global wifi service, Boingo, which has a very inexpensive global plan for mobile devices, including tablets. Boingo provides a virtual private networking, VPN, service, which will encrypt data that travels over their hotspots. This won’t prevent the kind of attacks that Cuthbert demonstrated, but using VPN is one step you can take to protect yourself when using a hotspot.
Pay attention when installing software – Make sure that you don’t install data that asks for too much access to your information. If it is a mapping app, it is reasonable to expect the app to want to know your location, but what about a chat or messaging app? Does it really need to know your location? The key difference between the legitimate KakaoTalk app and the rogue one was the level of access it wanted to the handset. Do not simply automatically accept all of the data terms for apps. If it wants too much access to your phone and your data, don’t install it.
Encrypt your Android phone’s data – You can also encrypt the data on your Android phone. The feature has been available since version 2.3.4, known more commonly as Gingerbread. The process is relatively straightforward, but you’ll want to make sure to remember your PIN because otherwise you might lock yourself out of your own data. Encrypting the data on your phone might make it a bit slower because the phone has to decrypt the data on your phone. On newer phones with multi-core chips, encryption will add little if any delay to common functions.
Again, security researchers cannot stress often enough that all of the technical precautions available to you are pointless if you don’t take common sense precautions when opening attachments or clicking on links in emails. You are the first line of defence, and awareness and common sense precautions can prevent you and your news organisation from becoming the next victim in this rising wave of digital attacks.
Article by Kevin Anderson
Leave your comment