
Mobile Apps Turn Smartphone Into Weapon


You and I have come to think of our Smartphones as indispensable tools. Flaws recently discovered in the mobile apps for Facebook, LinkedIn and Dropbox could turn those tools into weapons against us by exposing us to data theft at many levels, from personal identity theft to corporate data loss.

Taking extra precautions now will protect not only your Smartphone but other devices, too, as the same flaw may well be present in other mobile applications, including many iOS games.

Apparently, Facebook’s iOS and Android apps don’t protect the credential that keeps you logged in. The app does not need to save your username and password; after login it saves the access token Facebook issues, which is just as good to a thief, in an easily accessible plain-text file. That file can be copied, transferred to another device in a matter of minutes and used to access the victim’s account without anyone ever entering a password.

Security researcher Gareth Wright reported discovering the flaw in the Facebook iOS app late last week. Wright sent his Facebook .plist file to an associate, Scoopz blogger Neil Cooper, who copied the file onto his own device, opened the Facebook app and had immediate, full access to Wright’s Facebook account.

Facebook is working on closing the gap, according to Wright, but app developers in general must stop writing the 60-day access token Facebook supplies to an unprotected file. On iOS that means the Keychain rather than a .plist; encrypting the token with a key kept in the same app sandbox buys little, because whoever copies the file can copy the key. Otherwise, there’s a world of private information just waiting to be tapped. Think of the chaos in trying to recover from identity theft of that magnitude.
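A check for the storage mistake just described, as an added example (not code from the original post or from Facebook): load a .plist the way a copied app container or a phone backup would present it and flag every string leaf whose key name, or whose shape, suggests a session token. The key names, the token value and the expiry date in the sample are constructed, and the two regular expressions are heuristics, not a complete definition of a secret.

```python
"""
Scan an iOS app's NSUserDefaults-style .plist for session material stored in
the clear.  Added example for the storage mistake described above; the key
names and values are constructed for illustration and are not Facebook's real
file layout.
"""
import datetime
import plistlib
import re

# Heuristics (assumptions): key names that usually hold credentials, and the
# shape of an opaque token or API key (long, no spaces, limited alphabet).
SENSITIVE_KEY_RE = re.compile(r"token|secret|passw|session|auth|credential", re.I)
OPAQUE_VALUE_RE = re.compile(r"^[A-Za-z0-9._|-]{32,}$")


def walk(node, path=""):
    """Yield (key_path, leaf) for every leaf in a nested plist object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node


def find_plaintext_secrets(plist_bytes):
    """Return one finding per leaf whose key name or value looks like a secret.
    Dates, numbers and booleans are skipped; only string leaves are judged."""
    findings = []
    for key_path, value in walk(plistlib.loads(plist_bytes)):  # XML or binary
        if isinstance(value, bytes):
            value = value.decode("utf-8", "replace")
        if not isinstance(value, str):
            continue
        key_hit = bool(SENSITIVE_KEY_RE.search(key_path))
        value_hit = bool(OPAQUE_VALUE_RE.match(value))
        if key_hit or value_hit:
            findings.append({
                "key": key_path,
                "reason": "sensitive key name" if key_hit else "opaque value",
                "length": len(value),
            })
    return findings


# Constructed defaults file, written in the binary plist format iOS uses.
SAMPLE_DEFAULTS = {
    "FBAccessTokenKey": "tok_" + "A" * 60,                    # the 60-day token
    "FBExpirationDateKey": datetime.datetime(2012, 6, 5, 0, 0),
    "lastTab": "feed",
    "prefs": {"theme": "light", "session": {"auth_token": "abc123"}},
    "cachedBlob": "9f" * 20,   # 40 hex chars: flagged on shape alone
}
SAMPLE_PLIST = plistlib.dumps(SAMPLE_DEFAULTS, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for f in find_plaintext_secrets(SAMPLE_PLIST):
        print(f"{f['reason']:18} {f['key']} ({f['length']} chars)")
```

plistlib reads both the XML and the binary plist formats, so the same scan works on a file pulled from a desktop backup or from the app’s Library/Preferences directory. A hit on a key like FBAccessTokenKey is exactly the finding above: a long-lived bearer credential that lets whoever holds the file act as the user. The fix is to keep such tokens in the Keychain, with a ThisDeviceOnly accessibility class, rather than in preferences, and to treat any token that has leaked as revoked.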

In the meantime, here are some actions you can take to protect yourself:

  1. Don’t plug your Smartphone into a shared PC, public dock or charging station.
  2. If you do use a PC for charging, lock your device for the charge, and don’t unlock it until you remove it from the PC.
  3. Use strong passcodes including letters, numbers, symbols, upper and lower case. Don’t rely on a four-digit PIN.
  4. Turn on the ‘Find My iPhone’ function (or your platform’s equivalent remote-locate and remote-wipe feature).

The potential for criminals to exploit this flaw is enormous. You’ll be well served to take every precaution now, before you feel that nauseating pit in your stomach once you’ve been hacked.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

Smartphone Survival Guide Now Available For The Kindle!

Identity Theft Expert John Sileo has partnered with Amazon.com for a limited time to offer the Smartphone Survival Guide for Kindle at 1/4 of the retail price.


The Smartphone Survival Guide: 10 Critical Tips in 10 Minutes

Smartphones are the next wave of data hijacking. Let this Survival Guide help you defend yourself before it’s too late.

Smartphones are quickly becoming the fashionable (and simplest) way for thieves to steal private data. Case in point: Google was recently forced to remove 21 popular Android apps from its official application website, Android Market, because the applications were built to look like useful software but acted like electronic wiretaps. At first glance, apps like Chess appear to be legitimate, but when installed, turn into a data-hijacking machine that siphons private information back to the developer.

The Smartphone Survival Guide gives you extensive background knowledge on many of the safety and privacy issues that plague Smartphones, including iPhone, BlackBerry, Android and Windows Phone. Mobile computing is an indispensable tool in the modern world of constant connectivity, but you must protect these powerful tools. Mobile access to the web is here to stay, but we must learn to harness and control it. So whether you are reading this to help protect your own personal Smartphone, or valuable corporate assets, the Smartphone Survival Guide will start you in the right direction.

John Sileo’s Smartphone Survival Guide was recently mentioned in the New York Times.

John Sileo is the President of The Sileo Group and the award winning author of four books, including his latest workbook, The Smartphone Survival Guide. He speaks around the world on identity theft, online reputation and influence. His clients include the Department of Defense, Pfizer and Homeland Security. Learn more at www.ThinkLikeASpy.com.


Stupid App Usage Makes Your Smartphone a Fraud Magnet

,

With the recent avalanche of digital convenience and mass centralization comes our next greatest privacy threat – the stupid use of Mobile Apps. As a society, we depend on the latest technology and instant connectivity so desperately that we rarely take the time to vet the application software (Apps) we install on our mobile phones (and, with the introduction of the Mac App Store, on our Macs). But many of the Apps out there have not been time-tested like the software on our computers. As much as we love to bash Microsoft and Adobe, they do have a track record of patching security concerns.

The ability to have all of your information at your fingertips on one device is breathtakingly convenient. My iPhone, for example, is used daily as an email client, web browser, book, radio, iPod, compass, recording device, address book, word processor, blog editor, calculator, camera, high-definition video recorder, to-do list, GPS, map, remote control, contact manager, Facebook client, backup device, digital filing cabinet, travel agent, newsreader and phone… among others (which is why I minimize my stupidity by following the steps I set out in the Smartphone Survival Guide).

Anytime that much information is stored in one place, it becomes a fraud magnet. Anytime that many individual software programs make it onto a single device (without proper due diligence, i.e., with stupidity), it becomes an easy target for identity thieves and for interns from your competitor who happen to buy their coffee at the same Starbucks as you and get paid to nick your phone while you’re in line. And it’s not just criminals trying to take advantage of you. As we’ve learned from the amount of personal information that Apps like Pandora drain from your mobile phone, advertisers are just as hungry for your bits and bytes.

In 2010, the number of individuals hacked through applications on their Smartphone rose drastically. Hackers aren’t just gaining access to usernames and passwords on individual applications; they are betting on the numbers and trying those same credentials against your bank accounts, investments and credit cards. Admit it, on how many websites do you use the same password? But the real damage comes when company privacy is compromised (customer data, confidential emails, contact lists, access into corporate systems, etc.). It’s so easy to download a new App without thinking about who created it and what terms you agreed to by downloading it (several months ago, two of the top downloaded game Apps were reportedly produced by the North Korean government and focused on collecting and transmitting your data back to Communist Central).

As if Stupid App Use by itself isn’t threatening enough, it is rumored that the next generation of iPads, iPhones and iPod Touches will have Near-Field Communication capabilities. NFC lets the device exchange credit card and payment information with a reader held within about 4 inches. It is very similar to how people can electronically pickpocket your credit card information using RFID technology. You would be able to tap your device – in this case your Smartphone – to pay for purchases straight from your bank account, or to transfer some of your wealth to dishonest posers.

So what’s the good news? Simple. If you are taking steps to protect your mobile phone, your Apps and yourself, your risk drops below the panic line. Be careful about what Apps you download onto your phone without knowing anything about them. Use discretion when loading data onto your phone and ask yourself if you really need to carry that on your handset. Set up a time-out password, remote tracking and wiping capabilities, and consider security software and encryption. These basic steps will convince a would-be thief to move on to their next victim.

John Sileo is the award-winning author of the Smartphone Survival Guide: 10 Critical Security Tips in 10 Minutes and four other books. He speaks professionally on playing information offense to avoid identity theft, social media exposure, cyber fraud, data breach and reputation manipulation. Learn more at www.ThinkLikeASpy.com.

Identity Theft Expert Releases Smartphone Survival Guide


In response to the increasing data theft threat posed by Smartphones, identity theft expert John Sileo has released The Smartphone Survival Guide. Because of their mobility and computing power, smartphones are the next wave of data hijacking. iPhone, BlackBerry and Droid users carry so much sensitive data on their phones, and because they are so easily compromised, it’s disastrous when they fall into the wrong hands.

Denver, CO (PRWEB) March 7, 2011


Smartphones are quickly becoming the fashionable (and simplest) way for thieves to steal private data. Case in point: Google was recently forced to remove 21 popular Android apps from its official application website, Android Market, because the applications were built to look like useful software but acted like electronic wiretaps. At first glance, apps like Chess appear to be legitimate, but when installed, turn into a data-hijacking machine that siphons private information back to the developer.

In response to this new threat facing iPhone, BlackBerry, Droid and Windows Phone users, identity theft expert John Sileo has just released “The Smartphone Survival Guide: 10 Critical Security Tips in 10 Minutes.”

“Once you download a Trojan app,” says Sileo, “the thief has more control over your phone than you do. Your privacy is an open book… your identity, contact list, files, emails, texts, passwords… all of it. This doesn’t just threaten the individual phone owner, it threatens the organizations they work in and the data they handle every day.”

At the heart of the problem is the breathtaking convenience and efficiency provided by mobile phones that have become “Smart” because they also function as computers, books, GPS devices, payment systems, web browsers, radios, iPods and so much more. Unfortunately, blinded by the thrill and functionality of the latest app, users rarely take the time to vet the software that can be installed in seconds, from anywhere.

“There are no significant barriers to entry, for either us OR the thieves,” says Sileo of the app-based model of acquiring new software. “You can read about an app on a web page, download it and be using it in under a minute. And you probably didn’t even have to pay for it… at least with cash.” You’re paying dearly, Sileo maintains, by trading away private information, surfing habits, bank account numbers or company financials.

The Smartphone Survival Guide outlines the major threats posed by mobile phones with internet access and gives a range of solutions for drastically lowering risk. Sileo points out that data theft from Smartphones isn’t just a technology problem:

“Despite the intoxicating power of technology, the underlying problem is always a human problem. Don’t waste energy trying to fix the gadget – that’s someone else’s responsibility. Focus on the behaviors that allow employees to maintain a healthy balance between productivity and security. Deliberate, focused training has the highest ROI, not obsessing over the latest data leakage.”

The Smartphone Survival Guide describes a range of solutions in a quick and accessible fashion, such as:

  • Turn on auto-lock password protection and corresponding encryption.
  • Enable remote tracking and remote wipe capabilities in case the phone is lost or stolen.
  • Minimize app spying with security software and smart habits.
  • Customize geo-location and application privacy permissions.
  • Be wary of free apps – users are almost always paying with private data.
  • Before downloading an app, ask a few questions: How long has the app been available – long enough for someone else to detect a problem? Is the publisher of the app reputable? Have they produced other successful smartphone applications, or is this their first? Has the app been reviewed by a reputable tech journal?

Smartphones and the data on them are obviously at risk, but it remains to be seen whether users will alter their behavior before it’s too late. If not, it will be but one more example of human choices leading to technological data hijacking.

John Sileo is the President of The Sileo Group and the award winning author of four books, including his latest workbook, The Smartphone Survival Guide. He speaks around the world on identity theft, online reputation and influence. His clients include the Department of Defense, Pfizer and Homeland Security. Learn more at www.ThinkLikeASpy.com.

Trojan Apps Hijack Android App Store

,

Google removes 20+ Apps from Android Market, signaling that malware distribution has gone mainstream, and not just for Droids.

The Android operating system is open source, and at the time of writing the Android Market does not review apps before publication the way Apple does, so anyone can publish an application without Google’s prior approval. That boosts innovation, and unlike Apple iPhones or BlackBerrys, Droid apps aren’t bound by all of the rules surrounding the Apple App Store. But this leniency can be exploited by hackers, advertisers and malicious apps. And now those apps aren’t just available on some sketchy off-market website, but on the Android Market itself. As smartphones and tablets become one of the primary ways we conduct business, including banking, this development shifts the security conversation into high gear.

A recent discovery forced Google to pull 21 popular and free apps from the Android Market. According to the company, the apps are malware focused on getting root access to the user’s device (giving their author more control over your phone than even you have). Kevin Mahaffey, the CTO of Lookout, a maker of security tools for mobile devices, explained the Android malware discovery in a recent PC World article:

“DroidDream is packaged inside of seemingly legitimate applications posted to the Android Market in order to trick users into downloading it… Unlike previous instances of malware in the wild… DroidDream was available in the official Android Market, indicating a growing need for mainstream consumers to be aware of the apps they download and to actively protect their smartphones.”

An example of a Trojan app, as I like to call it (because it hides an attack beneath a harmless – or even attractive – exterior), is a Droid app simply called “Chess.” The user downloads it assuming that it will let them play chess on their phone. Once installed, however, the app gains root control of the device, transmits highly sensitive user data back to the author and leaves a back door open so that further malicious code can be added to the phone at any time. Disguising malicious apps as legitimate and popular software is what makes this game so easy and profitable for hackers, and their availability on a well-known app site run by Google gives them an air of legitimacy.

Here are several tips from The Smartphone Survival Guide to help you begin protecting your mobile phone, whether it is a Droid, iPhone, BlackBerry or Windows Phone:

  • Be wary of free apps – almost all of them, legitimate and otherwise, are siphoning your information to the developers.
  • Before you download an app, perform a bit of due diligence, including but not limited to:
      • If it hasn’t been out long enough to have been tested, don’t download it (let the marketplace vet it first).
      • Research the publisher of the app to see if they have a clean track record.
      • Perform a Google search for reputable reviews of the app (Macworld, PC Magazine, PC World, Wall Street Journal).
      • Don’t automatically believe the reviews on established app stores (Apple, Android, BlackBerry, Windows), as they are often written by the developer (or malware author).
  • Realize that legitimate, fully vetted apps like Pandora are siphoning your information too, though in a more benign way.
  • Always check the app’s permission settings (if your platform shows them). Permissions tell you what data the app is allowed to read, not what it actually sends home, so treat a permission the app has no obvious need for (a chess game reading your contacts or your location) as a warning sign.
  • Install security software on your phone (if available).
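The permission check from the list above, carried out on a decoded AndroidManifest.xml as an added example (the manifests, package names and the permission-to-data map are constructed for this edit, not taken from the post or from any real app): it lists the personal data the app may read and whether it also holds INTERNET, the channel it would need to forward that data. A decoded manifest comes from apktool or aapt; the binary XML packed inside an APK is not parsed here.

```python
"""
Audit the permissions a decoded AndroidManifest.xml declares and answer the
two questions that matter for the data-siphoning described above: what
personal data can the app read, and does it also hold INTERNET, the channel it
would need to forward that data.  Added example; the manifests and package
names are constructed.  DATA_PERMISSIONS is an assumption: a curated subset,
not Android's full "dangerous" permission list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree spelling of android:name

DATA_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "device ID (IMEI) and phone number",
    "android.permission.GET_ACCOUNTS": "account list",
    "android.permission.RECORD_AUDIO": "microphone",
}


def audit_manifest(manifest_xml: bytes) -> dict:
    """Summarise what the app may read and whether it has a network path out."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> elements are direct children of <manifest>; only the
    # attribute carries the android: namespace.
    perms = [el.get(NAME_ATTR) for el in root.findall("uses-permission")]
    readable = {p: DATA_PERMISSIONS[p] for p in perms if p in DATA_PERMISSIONS}
    has_internet = "android.permission.INTERNET" in perms
    return {
        "package": root.get("package"),
        "permissions": perms,
        "readable_data": sorted(readable.values()),
        "has_internet": has_internet,
        # Necessary, not sufficient: the app could read the data and also
        # talk to the network, so forwarding is possible.
        "can_forward_data": has_internet and bool(readable),
    }


# Constructed manifests: a chess game that asks for far more than chess needs,
# and an offline chess game that asks only for vibration.
TROJAN_CHESS_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chess">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Chess"/>
</manifest>
"""

OFFLINE_CHESS_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.offlinechess">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Offline Chess"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (TROJAN_CHESS_MANIFEST, OFFLINE_CHESS_MANIFEST):
        result = audit_manifest(manifest)
        flag = "FORWARDING POSSIBLE" if result["can_forward_data"] else "ok"
        print(f"{result['package']}: {flag}; can read {result['readable_data'] or 'nothing sensitive'}")
```

The offline game that asks for nothing but VIBRATE comes back clean; the same game with READ_CONTACTS, READ_PHONE_STATE, ACCESS_FINE_LOCATION and INTERNET has every ingredient of the Chess app described above. The audit cannot tell you whether data actually leaves the phone, only that the app is allowed to read it and has a network path out; for the former you have to watch the traffic.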

Remember, not all apps are malicious; just a small fraction are bad apples. And Android isn’t the only source of this problem; it’s simply the most open of the app platforms and therefore more susceptible. Apple has pretty Draconian rules for getting apps approved, which has helped minimize exposure on iPhones. But if you aren’t taking steps to educate yourself about this latest and greatest fraud source, you’re going to get stung.

John Sileo is the award-winning author of the Smartphone Survival Guide: 10 Critical Security Tips in 10 Minutes and four other books. He speaks professionally on playing information offense to avoid identity theft, social media exposure, cyber fraud, data breach and reputation manipulation. His clients include the Department of Defense, Pfizer and Homeland Security. Learn more at www.ThinkLikeASpy.com.

Your Apps Are Watching You

,

Statistics say 1 in 2 Americans will have a smartphone by December 2011. Many people keep their address, bank account numbers, passwords, PINs and more stored in their phone. The mound of information kept in a smartphone is more than enough to steal one’s identity with ease.

What most people don’t consider are the applications they use every day. What information do those apps collect, and where does it go? According to a recent Wall Street Journal article, more than you think.

After examining over 100 popular apps, the Journal found that 56 transmit the phone’s unique device ID to companies without the user’s knowledge. Forty-seven of the applications transmitted the phone’s actual location, while five sent other personal information such as age and gender. This shows how often your privacy is potentially compromised without your knowledge, just by playing music on Pandora.

Here are a few of the culprits:

  • Textplus 4, a popular text messaging app, sent the unique phone ID to more than seven different ad companies.
  • Pandora, a popular music application for both smartphones and computers, sends age, gender, location and phone ID to many advertisers.
  • Paper Toss sends your phone ID to five different advertisers.

Smartphone providers such as Apple and Google state that they make sure applications get approval from users before transmitting this type of information. Apple declined to comment after it was found that a popular pumpkin carving app was sending location information without gaining permission first. Although Apple’s policy says apps must obtain permission, this clearly is not always happening. Google, creator of Android, does not monitor what its apps transmit at all. Neither company requires apps to have a privacy policy, and 45 of the 100 apps examined didn’t have one.

Here’s what you need to know in a nutshell:

  • Apps are capturing and transmitting a variety of your personal information. If you are using smartphone apps, your information is being transmitted.
  • Paid apps tend to transmit less personal data than free apps. After all, the free apps have to make money somehow!
  • Get rid of any applications you don’t use.
  • If an app gives you the option to opt out of information sharing, take it.

Even if the application you are downloading does ask for your permission to gather location information, it doesn’t disclose who it sends that information to or how it is used. With so many loopholes and inconsistencies, and so little policing of applications, it is clear your information will continue to be transmitted without your knowledge or permission.
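The Journal’s test watched what each app sent over the network. Here is the same check as an added example that is not part of the original post, run over a constructed capture of outbound requests in the shape an intercepting proxy would show: it looks for the phone’s own identifiers, whether sent raw or as an unsalted MD5/SHA-1/SHA-256 digest (a common way ad SDKs disguise a device ID), and reports which hosts received them. The identifiers, hostnames and requests are all constructed; the hashing forms covered are an assumption about SDK behaviour, not a finding of the article.

```python
"""
Find which outbound requests carry the phone's hardware identifiers, in the
clear or hashed, and to whom.  Added example for the behaviour the Wall Street
Journal test found; the identifiers, hostnames and captured requests are
constructed, not real captures.
"""
import hashlib
import json
from urllib.parse import urlsplit

# Constructed identifiers for the phone under test (not real devices).
DEVICE_IDS = {
    "UDID": "0123456789abcdef0123456789abcdef01234567",   # iOS, 40 hex chars
    "IMEI": "490154203237518",                            # GSM handset
    "ANDROID_ID": "3f1a2b4c5d6e7f80",
}


def identifier_forms(ids):
    """Map every spelling an SDK might send (raw, any letter case, or a plain
    MD5/SHA-1/SHA-256 digest of the raw value) back to the identifier's name.
    Assumption: unsalted digests of the raw value; salted or encrypted forms
    are not recognised."""
    forms = {}
    for name, value in ids.items():
        forms[value.lower()] = name
        for algo in ("md5", "sha1", "sha256"):
            digest = hashlib.new(algo, value.encode()).hexdigest()
            forms[digest] = f"{name}({algo})"
    return forms


def leaked_identifiers(request, forms):
    """Names of the identifiers present anywhere in one captured request:
    URL (including query string), headers and body are all searched."""
    headers = request.get("headers", {})
    blob = "\n".join([request["url"], request.get("body", ""),
                      *(f"{k}: {v}" for k, v in headers.items())]).lower()
    return sorted({name for form, name in forms.items() if form in blob})


def leaks_by_host(requests, ids=DEVICE_IDS):
    """Hostname -> sorted identifier names, for hosts that received any."""
    forms = identifier_forms(ids)
    report = {}
    for req in requests:
        found = leaked_identifiers(req, forms)
        if found:
            host = urlsplit(req["url"]).hostname
            report.setdefault(host, set()).update(found)
    return {host: sorted(names) for host, names in sorted(report.items())}


# Constructed capture, in the shape an intercepting proxy would show.
CAPTURE = [
    # Ad network receives the raw UDID plus age, gender and coordinates.
    {"method": "GET",
     "url": "https://ads.example-adnetwork.net/track?udid="
            + DEVICE_IDS["UDID"].upper() + "&age=34&gender=m&lat=39.74&lon=-104.99"},
    # Analytics endpoint receives an MD5 of the UDID in a JSON body.
    {"method": "POST", "url": "https://stats.example-analytics.com/v1/event",
     "body": '{"event":"play","device":"'
             + hashlib.md5(DEVICE_IDS["UDID"].encode()).hexdigest() + '"}'},
    # Second ad network receives the IMEI in a custom header.
    {"method": "POST", "url": "https://collect.example-adnetwork.net/i",
     "headers": {"X-Device": DEVICE_IDS["IMEI"], "Content-Type": "text/plain"}},
    # The app's own server gets nothing identifying beyond a username.
    {"method": "GET",
     "url": "https://api.example-chess.com/leaderboard?user=grandmaster7"},
]

if __name__ == "__main__":
    print(json.dumps(leaks_by_host(CAPTURE), indent=2))
```

A hit against ads.example-adnetwork.net with age, gender and coordinates in the same query string is the Pandora pattern above; an MD5 of the UDID in a JSON body is the kind of “anonymised” identifier that still links every request from your phone together. Identifiers hashed with a salt, or encrypted inside the request body, will not be caught this way, and a request over TLS is only visible if the proxy’s certificate is trusted by the phone.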

Facebook, Cigarettes and Information Addiction

Facebook is a cigarette, information is the nicotine, and you are the addict. And it is time to stop blaming Facebook if you get privacy cancer.

Years ago, after a long and drawn out fight, the tobacco industry was forced to put labels on their cigarette packs warning smokers that these nicotine delivery devices caused cancer, birth defects and premature death. The warnings did little to slow down sales of cigarettes, though they might have helped the tobacco companies avoid some costly lawsuits because, after all, they had clearly warned users about the dangers.

With the latest iteration of privacy settings being introduced this week on Facebook, Mark Zuckerberg (or more likely the brilliant Chief Operating Officer Sheryl Sandberg) has discovered a similar truth – you are either too addicted to the information drug, or too indifferent to the privacy consequences, to care.

I applaud Facebook for giving users more visibility and a bit more control over how much personal information third party applications can access. They deserve credit for moving the application controls into the privacy section of the website, acknowledging, albeit quietly, that third-party data-mining is a significant source of non-consensual information leakage.

If Facebook would go one step further and demand that third-party apps give us a choice of how much information is shared, along with letting us know how much of our personal information is being shared through the apps that our friends install, we information survivalists would be that much happier. For example, even if you don’t allow your own third-party apps to share personal information, your friends’ third-party apps could be sharing it anyway. But as it stands now, we would never know it.

The good news for Facebook privacy doesn’t end there. Facebook has also redesigned the Groups feature, which theoretically gives you a greater level of control over subsets of friends and how much information they can access. For example, you could choose to share your vacation pictures with family and close friends, but not with co-workers who thought you were out sick. Dishonesty aside, group differentiation makes communication within your social network much more like that of the real world – acknowledging that you don’t share all things with all people equally.

Here’s where the news gets really good for Facebook – they have done their job (or at least have taken steps in the right privacy direction), and they can still bank on you ignoring the very controls they have given you! Sure, those of us who write about social networking professionally will make the changes, but ninety-nine percent of the people who read this article will do nothing with the knowledge. This claim isn’t grounded in bitter cynicism, but statistical fact. I hope that 500 million of you will prove me wrong. When the Facebook changes are live for everyone (they are in beta as I type), we’ll put up a new video showing you how to make them.

Granted, Facebook hasn’t done everything they should do to make THEIR use of OUR data completely transparent to US; but most of US have done nothing to utilize the tools THEY already built to protect OUR privacy anyway, so the point is moot. Facebook is banking billions on our indifference and inaction.

Facebook executives should roll this strategy out to its logical conclusion: give all of us privacy professionals (the Electronic Frontier Foundation, EPIC, the World Privacy Forum, me) exactly what we want, because your Facebook addicts are already too high on info-voyeurism to kick the habit. Your product is too good and too necessary to too many people to be hindered by a bit more transparency and a little more control. You have nothing to lose but our complaints.

John Sileo speaks professionally about social media exposure, identity theft and cyber crime for the Department of Defense, Fortune 1000 companies and any organization that wants to protect the profitability of their private information. Contact him directly on 800.258.8076 or visit his speaker’s website at www.ThinkLikeASpy.com.