Smartphone Kill Switch Could Become Federal Law

There is no doubt that mobile devices are an integral part of our daily lives, making their potential loss all the more detrimental. Aside from using smartphones to communicate with friends and family, find restaurants, and check email, they serve as repositories for more and more sensitive, personal information.

The thought of losing one to the wild is enough to make your stomach drop. Device theft today not only puts users at risk of physical harm, but also puts their personal and digital identity in danger. Mobile device theft is becoming a huge problem, accounting for approximately 30% to 40% of all robberies in major cities nationwide. Notably, demand for these stolen items extends overseas, where many devices and a large amount of data are ending up. Our recent McAfee Mobile Security Report found that the apps on your phone also prove to be bountiful when it comes to information about you and your device. Most Android apps collect information, including wireless carriers, unique device ID, and global positioning system (GPS) data—so imagine if that information ended up in the hands of phone thieves!

With this challenge in mind, state and federal legislators have been coming together to push through a new initiative that would require mobile phone manufacturers to install a default smartphone kill switch—allowing users to disable functionality remotely. Last summer, San Francisco District Attorney George Gascon and New York Attorney General Eric Schneiderman launched a “Secure Our Smartphones” initiative, encouraging the mobile communications industry to adopt this technology in order to eliminate the incentives for criminals to target and sell stolen smartphones. Apple has already added its own technology that mimics a kill switch to devices running on iOS 7, but users must choose to switch it on rather than the other way around. More than 100 U.S. officials have joined the kill switch effort so far, and this push comes on the heels of a surge in phone thefts coupled with the inability of other initiatives—like stolen phone blacklists—to stem the tide.

However, despite the mounting pressure from law enforcement and government organizations, major U.S. mobile phone carriers have been hesitant to embrace a kill switch requirement. Some telecom industry groups like the CTIA (The Wireless Association) cite the potential risk for hackers to take advantage of kill switch technology. Mainly, if all devices were made with this capability, there is the possibility that it could be used maliciously to disable devices out of spite or to target specific groups of users—like government employees. Additionally, they warn that for this technology to be effective, it would also have to be reversible in the event of an error, which means that criminals could figure out how to undo the kill switch on stolen devices.

Regardless of the arguments on either side, the fact is that device theft is a mounting safety issue that shows no signs of slowing down. Remote locking and data wiping features are key for protecting personal information stored on mobile devices, but a larger initiative to dissuade mobile phone-related crimes is also crucial. Until this proposed kill switch law or another is actually put into place, users must take on the task of keeping their information private, protecting their identity and finances, and making their phones as unappealing to thieves as possible.

Below are some ways that you can better protect your devices now:

  • Be aware of your surroundings. Device theft is often a crime of opportunity and criminals are always looking for victims who are distracted. When using your mobile devices in public try to be more aware of what and who is around you, avoid bringing out your device in certain places, and keep a tight grip on them when in crowded areas.
  • Put a PIN on it. Always protect your mobile devices with a PIN or passcode. While it may not stop devices from being stolen in some situations, it will certainly make it more difficult for thieves to get access to the information on them. In the event your device is just misplaced temporarily, a PIN code will also keep out any potential snoopers from getting in.
  • Know what you keep on your device. The possibility of mobile theft happening to you may seem farfetched, but it is important to think about what you currently have stored on your devices. Your smartphone may be the conduit for everything in your life, but linking it to bank accounts, personal and work emails, and home systems may put you at increased risk in the event your device is lost or stolen.
  • Forgo auto-login and secure your mobile apps. While it may be convenient to be able to one-tap your way into banking, chat, and other important mobile apps, the instant availability also puts you at risk in the event your device is lost or stolen. Taking the extra step to log in each time as well as putting additional security on certain apps—which you can get with McAfee Mobile Security for Android—can help keep data private even in the worst case scenarios.
  • Protect your device with mobile security software. While almost nothing can bring your device back after it has been stolen, installing security software with remote lock and wipe capabilities will at least give you peace of mind that the information on it is secure. McAfee Mobile Security for iOS and Android is totally free and offers these services and much more to mobile device users.

To keep up with the latest security threats, make sure to follow @McAfeeConsumer on Twitter and like us on Facebook.

lianne-caetano

The post Smartphone Kill Switch Could Become Federal Law appeared first on McAfee Blogs.

Tackling insider cyber threats requires a credible digital forensic strategy

As organisations brace themselves for another year of heightened cyber security threats, a risk much closer to home may pose a greater challenge. Insiders – in the guise of disgruntled employees, “bad leavers” (those dismissed under gross misconduct and other negative or damaging circumstances) or contractors with short-term access to sensitive data and corporate systems – could turn out to be a company’s Achilles heel, proving more harmful than external threats.

The risks have been underscored by Carnegie Mellon University, which found that malicious insider activity goes undetected for, on average, 32 months. Incidents can be costly, time consuming and damaging to corporate reputations, and insider threats such as fraud, theft of intellectual property and sabotage must be tackled alongside those posed by external perpetrators.

One area that requires particular attention is the management of staff exits. Because the process is often regarded as an operational HR issue, the risk of losing digital information in the wake of bad leavers is frequently nothing more than an afterthought. However, services such as iCloud, Google Drive and Dropbox allow staff to easily move vast quantities of data off work devices.

At the same time, instant messaging apps, including iMessage and Snapchat, offer the means to communicate semi-covertly, even while using corporate computers. The reality of this highly connected workplace means employers must take steps to understand whether a departing member of staff represents a risk of data theft and if so, be prepared to investigate that possibility before key evidence is lost.

Establishing proof of the actions of a bad leaver or rogue employee can rapidly remove any doubt about their motivations, and claims of innocence or of a simple misunderstanding. We regularly find that an individual leaver or entire teams have been communicating with their new employer and each other, well ahead of the move. Such communications are typically accompanied by the theft of documents, trade secrets, contact and price lists, alongside the tools required to easily replicate and harm their employer’s business. Even emails are becoming antiquated, with teams using online filesharing services to share documents, as well as social media to plan their movements and defection.

This is where digital forensics comes into play. When a user accesses the internet, copies files to the cloud or a memory stick, sends webmails, burns DVDs or prints documents, he or she leaves a forensic trail for the experienced investigator to follow. Even highly computer literate users often have little idea of the digital traces their actions leave behind. This is especially true with smartphones, tablets and even specialised encryption and deletion tools, which are often used by those attempting to cover their tracks.

If possible, the investigation to identify telltale traces of data exfiltration or a planned defection should start before a suspect is aware he or she is under scrutiny. Take, for example, the case of one individual who used a company mobile phone for communicating about a forthcoming defection. The employer did not want to alert the member of staff by taking the phone for analysis for fear that the suspect would then destroy other relevant information. Instead, the investigators analysed the phone’s data by retrieving a copy of the phone’s synchronisation on to the employee’s computer, which could be examined without alerting the individual. The incriminating SMS messages found as a result of this analysis then led to other sources of information, which were preserved before the employee knew he was under suspicion.

In our experience, a business’ awareness and a readiness to tackle data theft or staff poaching are directly linked to its experience of such an event. With often potentially serious long-term financial and commercial consequences, the decision-making and management behind this process will be key to limiting the fallout.

Mitigating the risk of becoming a victim of malicious insiders requires an appropriate balance to be struck between deterrence, technology, security, culture and management accountability. However, the implementation of a digital forensic investigation strategy that can withstand external scrutiny will help to reduce the risk of drawn-out and costly litigation.

Julian Parker is a managing director in the London office of Stroz Friedberg


10 Tips to Protect Yourself on Social Networks

With the prevalence of mobile devices, more than ever, it’s easy for us to share our lives with the world. And yes, social networks are all about staying in touch with friends and family, and sharing events in your life, but perhaps it’s too easy to share information?

With just a few clicks, posts and messages, you could give away enough personal information to compromise your privacy and even open yourself up to identity theft. So that’s why it’s critical that you know how to protect yourself when using these sites. Here’s my top 10 list:

  1. Remember the Internet is permanent: Assume that once you put information on the site, it stays there forever. Even if you delete the account, you don’t know if someone has already printed/copied your text or photos off of it.
  2. Be selective when accepting a friend: Do you really know that their profile is real and not fake? Only “friend” people you know in the real world.
  3. Exercise caution when clicking on links: Even if they’re from friends. Hackers prey on social networks because you are more likely to click on something from your friends. Also be wary of offers with the word “free” in them, or ones that sound too good to be true, as they usually are.
  4. Manage your privacy settings: Make sure that you are only sharing information with friends and family and check them regularly in case there are any changes.
  5. Be aware of the fact that the information you share on one social network may be linked to another: For instance, a photo you post to Twitter may automatically post to your Facebook profile.
  6. Don’t reveal personal information: Be suspicious of anyone who asks for your personal information online and never share your home address, phone number, Social Security number, or other personal identifying information.
  7. Turn off the GPS function on your smartphone camera: If you plan to share images online, make sure that you turn off the GPS on your device to keep your exact location private.
  8. Don’t enable auto login: Make sure that you don’t have your apps set to automatically log you in and that you don’t have your computer’s browser “remember” your login and password. That way if someone does get access to your devices, they can’t automatically access your social sites.
  9. Change your passwords frequently: Choose hard-to-guess passwords that are at least eight characters long and a combination of letters, numbers, and symbols, and change them regularly. Also make sure you use different passwords for each account.
  10. Close old accounts that you don’t use anymore: Don’t risk leaving personal data in an old account, such as a MySpace page you haven’t used in years, or on an online dating site you no longer need. Instead, close the accounts you don’t use and delete as much personal information from them as possible.

 

Social networking is meant to be fun…let’s keep it that way by staying safe online.

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

The post 10 Tips to Protect Yourself on Social Networks appeared first on McAfee Blogs.

RIP Flappy Bird, Hello Malware

Every year brings with it a new app craze. 2011 was the year of Angry Birds; 2012 was the year of Temple Run; 2013 was the year of Candy Crush—and 2014 is definitely on track to be the year of Flappy Bird. Flappy Bird was initially released in May of 2013, but really only gained popularity at the beginning of 2014 thanks to a few viral videos—and a feature on the Apple App Store. In what seemed like no time at all, the app climbed to the top of both the Apple App Store and Google Play Store charts.

Overall, it seemed that the app was in a win-win situation, for both players and the developer, Dong Nguyen. However, things changed in the beginning of February when Nguyen announced on Twitter that he would be taking down the app in 22 hours saying that he never meant for the game to be so addictive and that it had taken over his life as the developer. By the next day, Flappy Bird was gone from all app stores, with only people who had downloaded the app before it was taken down still able to access the app and play.

Even with the app’s untimely demise, the demand for the game showed no signs of diminishing and many developers stepped up to create alternatives. Within a few weeks of the deletion of Flappy Bird, knockoff apps appeared everywhere and many quickly climbed to the top of app store charts. In fact, it was reported that across all platforms, one in every three games posted since the app was deleted are actually Flappy Bird clones. For the most part, these new apps are harmless and offer a reasonable replacement for those who didn’t get the chance to download the original. However, it seems that there are Flappy Bird wannabe apps out there that are just as malicious as they are addictive.

Recent reports found that some Flappy Bird lookalikes were taking advantage of the original app’s popularity and using it to spread malware and phishing scams. As always, clever cybercriminals never miss an opportunity to capitalize on current events or hot news topics, and this targeting of mobile gamers’ desperate desire to get in on the Flappy Bird trend has been no different. Thankfully, both major app stores—Apple and Google Play—are now keeping a special watch for suspicious Flappy Bird clones. The swift action by these app stores around the Flappy Bird phenomenon shows that user safety is becoming a bigger focus. However, not every app can be vetted and once the fervor around this app dies down, others will surely rise up to take its place.

While there will always be Flappy Bird-like app crazes, it is crucial for individuals to take the safety of their devices and information seriously, regardless of company involvement. Here are some steps that you can take to always be prepared for the potential scams that will inevitably come in their wake.

  • Know before you download. It’s important to do your research before you install an app on your smartphone or tablet and give it permissions. A good way to vet the legitimacy of apps is to read reviews. Most app stores have this capability, and so if you see that an app you want to download has bad reviews—or even overly positive reviews—you may want to steer clear.
  • Limit app access. In the hurry to start playing a new game, it can be easy to simply click “Allow” for permissions that an app asks for—even if it’s asking for things it shouldn’t need. As a smartphone user, be skeptical of an app that asks for too much information, like GPS data, or contacts and photos. McAfee® Mobile Security will scan your apps and report on any that may be exposing your data without your permission or knowledge.
  • Protect your device… completely. When it comes to security, it is always better to be safe than sorry. Now that McAfee Mobile Security is free for iOS and Android users, there’s no excuse not to take the proper precautions when it comes to the safety of your mobile device and data.


lianne-caetano

The post RIP Flappy Bird, Hello Malware appeared first on McAfee Blogs.

Top tips to stop cyber criminals from targeting your small business

Security breaches by cyber criminals can cause huge financial damage to small businesses. Research published last May by the Federation of Small Businesses found that cyber crime costs its members around £785m per year in total. As well as the financial cost, there’s also the potential damage to a company’s reputation. However, SMEs can increase their online security with a few straightforward steps and without spending a fortune. We asked seven experts for their advice on how SMEs can protect their business and customers online, and make sure they’ve complied with data protection requirements:

Tor Macleod is director at Via Resource Group

Business security can be broken into three main areas: physical, technical and personnel. Awareness of how these three can be targeted is key. You can have all the IT protection in the world but if someone can have physical access to a PC, laptop or your server room (it has happened) it is not worth anything. Beware of strangers and people behaving suspiciously around you. Make sure you have the basics: antivirus, screen lock, and that sensitive data is stored in an ISO 27001 secure environment. Ensure that staff know about phishing scams, identity theft, and realise the risks of behaving inappropriately online. With the increasing sophistication of phishing attacks and attacks via social media – employees are increasingly the largest cause of a security breach.

Amanda Finch is general manager at Institute of Information Security Professionals

It’s about understanding what it is you have to lose and taking measures to protect yourself. It can be easier for a small business to get a third party to look after some aspects, but you still need to understand the risks – you’re not outsourcing the problem. Get advice about security, and make sure you have confidence in the people you’re going to for advice. You may need a security consultant to make sure you’ve got the correct controls in place. If so, check they are accredited professionals, and take references from the people they’ve worked with. At the Institute of Information Security Professionals we accredit experience and knowledge of information security professionals for this reason. The Iasme Consortium (Information Assurance for SMEs) is another organisation that can help review your policies, check you have controls in place, and give you an improvement plan.

Robert Hadfield is head of content at Get Safe Online

Even if you only do the fundamentals, such as making sure everyone is using their own password, simple things are very effective at improving your online security. A lot of small businesses are running their IT on home devices. Make sure those devices have internet security software, which is cheap if not free. If you allow use of personal devices, make sure people are protecting them adequately. If people are working out of the office, limit the amount of information that can be taken off the premises. This means staff can access information but it isn’t kept on the device. If you’re doing nothing at the moment, you can improve security by 95% just by taking some simple steps.

Denise Gamboa is director of marketing and business development at SmugMug

Don’t duplicate passwords across different sites. Once someone figures out one password, they instantly have access to any other site that uses the same password. Don’t create passwords that contain personal information like names, addresses or your birthday. This makes them easier to guess and more susceptible to social-hacking attempts. Change passwords every four to six months. We all hate doing this at the office, but it’s a good preventive measure.

Don’t click suspicious links. Not sure the email you received is from your web service? Don’t click the links. Instead, go directly to the website by typing the main URL into your browser. Watermark your images. If your images are stolen, your information goes with it, allowing you to assert ownership if you ever need to issue a takedown notice.

Torben Anderson is chief commercial officer at SMS Passcode

People are often the weakest link in any “security assessment”. Small- to mid-size enterprises need to make sure that their security methods are simple and user-friendly. Otherwise, people will become frustrated and try to work around them, placing the company at risk. For example, if you make it too difficult to securely share files with customers and partners outside the company, your employees will share them through other means (including free consumer services) that are outside the company’s ability to secure or control.

Jonathan Lewis is director of product marketing for SSH Communications Security which develops security solutions

First, outsource where possible. Small and medium-sized businesses should use well established providers of cloud and hosting services for email, web, CRM and records management. Second, not everything can go to the cloud so SMEs need to secure their own infrastructure. Use consulting services to design and implement a plan to address the most serious vulnerabilities. Depending on the specifics of the business, it might involve simple things like ensuring that all PCs have active and running antivirus, using disk encryption and strong authentication. Use established consultants with expertise in your particular business - the needs of law firms, restaurants and healthcare providers differ from each other.

Simon Ewing is an associate solicitor at Russell-Cooke LLP

You need to make sure you have complied with the statutory requirements for data protection. In the worst case scenario, if you are hacked, the information commissioner should look on you more kindly if you’ve got adequate security measures. A new business needs to put in place a privacy policy and make sure it has let customers and clients know how their information will be used.

Employees need to be familiar with what they can and can’t do with personal information. The information commissioner hopefully understands that a small business can’t afford the security big businesses have, but would expect it to have in place security measures proportionate to the damage that might be done if that personal information is disclosed.
