
Trump Russia Investigation Update: Did Campaign HELP Russians Plot Disinformation Strategy?

Honestly, we don’t know yet. There was a time when our voting preferences, our political leanings, our policy choices were our own business. Now they are someone else’s business, quite literally. There are so many stories coming out about Donald Trump’s connections to and collusion with the Russians that it is getting hard to keep these accusations straight. Here’s the latest:

Trump Russia Investigation Update

The key word is help. As in, actively provide information that the Russians may not have been able to discover on their own. “Help” is not a synonym for encourage, appreciate or enjoy.

Without getting too political (because after all, this is a cyber security blog), here are the basics of the Trump-Russia Investigation from a cyber security perspective:

  1. The Trump campaign had possession of a huge amount of information about American voters from Cambridge Analytica, the data mining firm hired to help collect and use social media information to identify and persuade voters to vote (or not vote), through an activity known as political micro-targeting.
  2. Jared Kushner, the president’s son-in-law and now a senior adviser in the White House, was head of digital strategy during the campaign, meaning he was overseeing this effort to micro-target voters.
  3. The Russians unleashed bots, or robotic commands, that swept across the Internet and picked up fake news stories or harshly critical news stories about Hillary Clinton and disseminated them across the United States. By Election Day, these bots had delivered critical and phony news about the Democratic presidential nominee to the Twitter and Facebook accounts of millions of voters.
  4. Some investigators suspect the Russians micro-targeted voters in swing states, even in key precincts where Trump’s digital team and Republican operatives were spotting unexpected weakness in voter support for Hillary Clinton.

So the question is this: Did the Trump campaign, using what we assume to be lawfully obtained micro-targeted voter intelligence, give the Russians access to it so that they could point harmful disinformation campaigns at those vulnerable jurisdictions?

Many top security analysts doubt Russian operatives could have independently “known where to specifically target … to which high-impact states and districts in those states.” As Virginia Sen. Mark Warner said recently, “I get the fact that the Russian intel services could figure out how to manipulate and use the bots. Whether they could know how to target states and levels of voters that the Democrats weren’t even aware (of) really raises some questions … How did they know to go to that level of detail in those kinds of jurisdictions?”

And that is Senator Mark Warner’s mistake – assuming that the micro-targeting had to be so specific that it only hit potential Trump voters in certain jurisdictions. It did not. The campaigns could have been aimed at every person in that state, let alone the jurisdiction, only touching the opinions of those who were ready to hear the message. A phishing campaign isn’t sent only to those people in an organization most vulnerable to that type of social engineering – it is sent to everyone, and the most vulnerable are the only ones who respond. Similarly, it was good enough for Russia to cast their anti-Hillary message in the general vicinity of the target; there was no need for a bullseye for the disinformation campaign to be effective. Those who received the message but were slightly outside of the voter profile or geographical jurisdiction simply recognized it for what it was: false news. The rest were unethically influenced.

But we don’t know yet if there is a connection between the micro-targeting big data purchased by the campaign and the Russian botnet disinformation attack. We do know, however, that Russia attempted to influence the outcome of the election – and that is what we, as cyber security experts, must focus on.

Either way – collusion or not – the implications for our privacy (let alone the political ramifications of foreign entities influencing our election process) are huge. Remember, the Trump campaign had obtained this huge volume of information on every voter, maybe as much as 500 points of data, from what kind of food they eat to their attitudes about health care reform or climate change. And yes, I’m sure the Democrats had much of the same information and probably didn’t “play fair” either. The point is that we have gotten so far beyond just accepting that our personal information is readily available and easily manipulated that no one is even bringing up that part of the story.

We, America, have been lulled into allowing everyone else – corporations, our government, even foreign nations – to have more access to our data footprint than even we do.

John Sileo is an award-winning author and keynote speaker on cyber security. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Security Expert Hacks In-Flight Entertainment? 5 Cyber Lessons for Leaders

Did security expert Chris Roberts of Denver actually HACK INTO AND STEER AN AIRCRAFT from the inflight entertainment panel at his seat, as reported first by Wired?

Probably not. Though I did meet him at a conference of cybersecurity experts and he appeared to know his stuff. But it almost doesn’t matter, because the lessons we take away from it are the same. Here’s what I do know:

  • I’ve seen ethical white-hat hackers (the good guys) penetrate mission-critical corporate networks through the unlikeliest of devices, including photocopiers, vending machines, surveillance cameras, thermostats and industrial control systems.
  • In most of these cases, the breached organization vehemently (and incorrectly) asserts that these devices were not connected to their “real” network. Further analysis shows that they were. Will the airlines claim the same?
  • I’ve seen a driverless car hacked and started from a mobile phone.
  • I’ve seen a pacemaker remotely accessed by a hacker and set to induce a deadly heart rate.
  • I’ve seen home networks breached through a video game console, a baby monitor and a garage door opener.

Here’s ultimately what matters: If it’s networked, it’s hackable.

The minute you hook a device to a network (whether that be the internet, an internal intranet, WiFi hotspots or any other network), it becomes hackable. Remote access is a wonderful tool of convenience and efficiency – it lets us work from other locations. But remote access also opens up digital doors to criminals who want to steal from other locations. In other words, the TV at your seat could be connected to the pilot’s controls.

Even if a security expert did execute the hack, we will likely never know. But that doesn’t lessen our responsibility to learn and apply something to our businesses (steps that many airlines are currently reviewing themselves):

  • Compartmentalize your network. Don’t connect non-critical systems (in-flight entertainment, guest WiFi, thermostats, networked appliances) to mission critical data (flight controls, customer information, employee records, sensitive intellectual property). Instead, host them on separate networks with separate usernames, passwords and access controls.
  • Implement User-Level Access. Only a very few authorized individuals should have access to the servers and computers that house your private information. Classify your data into Top Secret, Confidential, Internal and Public (if it’s good enough for James Bond, it’s good enough for you) and apply your user-level access settings to those classifications (e.g., only C-Level executives get Top Secret access).
  • Firewall the bad guys out. A firewall that is configured to Default Deny will restrict all access by default and only allow a few legitimate users who appear on a “white-list” to access the most valuable information. This limits most hackers’ backdoor access (and is when they will turn to social engineering to gain access – another lesson for another time).
  • Utilize communication encryption. Mobile access that is not encrypted (hidden from illegitimate users by scrambling the message) is like broadcasting your bank account number over the radio – everyone else is listening.
  • Closely monitor intrusions. No matter what steps you take, if your organization is being targeted, eventually you will be breached. Therefore, the greatest security is resiliency: detecting the intrusion (a human being has to be watching the monitoring system to do this), expelling the intruder before real damage is done, and learning from and resolving your previous mistakes.

Finally, and most importantly, make sure that you train your humans on the proper usage of the previous 5 steps! This is actually where most security fails, as the WEAKEST LINK IN CYBER SECURITY IS HUMAN ARROGANCE, IGNORANCE AND INACTION.

Right now, you have a chance to keep a hacker from changing the course of your vessel, be it airplane or corporation. If you don’t have the personal know-how or internal resources to get it done right, hire the right team to do it for you.

John Sileo speaks internationally on cyber security and identity defense. He specializes in making security engaging, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Book him for your next conference on 800.258.8076.

Baby Cam Hacked: What You Can Do To Protect Yourself and Your Children


The story about the Texas parents who were terrified when their child’s video baby monitor was hacked struck me at first as a minor incident when viewed in the whole scheme of the world of hackers.  After all, it is a rare event, no one was hurt, no threats were overtly made, and the child herself even slept through the event.  But when I read more about it, I became increasingly bothered by the fact that I was not initially bothered by it!  I mean, is that the creepiest of all feelings, to know that a stranger is watching your kids?

Here’s the summary for those who missed the story.  Marc and Lauren Gilbert were in another room when they heard strange sounds coming from their daughter’s monitor.  When they went into her room to investigate, they realized it was a strange man’s voice coming through the monitor and saying disturbing things, even using the child’s name, which could be seen above her bed.  The child, who was born deaf and had her cochlear implants turned off, slept through the entire incident.  Gilbert immediately disconnected the device, which was hooked up to the home’s wireless Internet system.

It is believed the webcam system, a Foscam wireless camera, was compromised. In April, a study was released revealing potential vulnerabilities; in it the researchers said the camera would be susceptible to “remote Internet monitoring from anywhere in the world” and that thousands of Foscam cameras in the U.S. were vulnerable. A glaring flaw (which has since been “fixed” by a firmware update in June) is that users were not encouraged to have strong passwords and were not prompted to change from the default admin password. Gilbert said he did take basic security precautions, including passwords for his router and the IP cam, as well as having a firewall enabled.

For an interview with Fox and Friends, they asked me to consider the following questions. I’d like to share my answers with you in case you missed it.

How easy is it to hack a baby monitor?

It’s probably an apt cliché to say it’s as easy as taking candy from a baby. Just like with any device, an iPhone, laptop, home Wi-Fi, it’s only as secure as you make it. If you’ve taken no steps, it’s relatively easy to hack. You don’t make the problem go away by ignoring it.

Why would someone do this?

Some do it for the challenge, some for the thrill of controlling other people’s lives, and unfortunately, others do it because they are sick individuals that want to watch what you do in the privacy of your home.

Is this one of the more scary cases of hacking a household device you’ve seen?

This one hits close to home because it takes advantage of our kids, but I’ve seen pacemakers turned off, blood pumps shut down, brakes applied in cars, and all of it done remotely by outsiders who are never even seen. If the device is connected to a network, I guarantee you it can be hacked, and in most cases, you never know the bad guys are in control.

How can we avoid this type of hacking of our personal devices, whether it’s a video baby monitor, an iPhone or a pacemaker?

The good news is that it’s the same steps you probably already take on your other devices, like laptops, smartphones and iPads:

  1. Buy Digital. Only buy a digital monitor that is password protected, not an analog version that operates on an open radio frequency.
  2. Change Default Passwords. During setup, change the factory defaults on the monitor so that the password is long, strong and device specific. This case we are talking about probably had a default password in place, making it easy to hack.
  3. Firewall Your Privacy. Install a firewall between your Internet connection and ALL devices to keep the peeping Toms out. Hire a professional to set it up properly.
  4. Lock Down Wi-Fi. Make sure your Wi-Fi network is locked down properly with WPA2+ encryption and SSID masking so it can’t be hacked.
  5. Turn Devices Off. If you are not using the device, turn it off, as hackers can more easily crack devices that are up 24/7.

John Sileo is a keynote speaker and CEO of The Sileo Group, a privacy think tank that trains organizations to harness the power of their digital footprint. Sileo’s clients include the Pentagon, Visa, Homeland Security and businesses looking to protect the information that makes them profitable.

If You Hacked into Rupert Murdoch's Voicemail…


If you hacked into Rupert Murdoch’s voicemail, you would hear the message I just left him:

Thank you, Mr. Murdoch, I owe you one. I’ve spent the past five years trying to convince the world of something you managed to do with one simple scandal. I’m sorry that you will probably lose your reputation and much of your company and wealth because of it (not to mention your self-respect), but the world will be a better place for it. Why? Not just because our phone is ringing non-stop with companies and individuals that want to protect their private information.

It’s because you, Mr. Murdoch, awoke the PRIVACY BEAST! Two weeks ago, no one paid very much attention to voicemails being hacked. The average Facebook user was shrugging off the knowledge that their data was being systematically collected, aggregated and sold to the highest bidder all for Facebook’s financial gain. Android users ignored the warnings that malicious apps disguised as harmless games were funneling their bank account numbers, contact lists and geographic whereabouts to locations in Iran and North Korea. iPhone users continued to load their phones with as much data as a laptop without even password protecting the darn thing. Most of us lived in a comfortable, pitiful stupor of privacy ignorance. But today, everyone suddenly cares.

Thank you for reminding us why privacy matters. You stole the voicemails of a murdered child, and that we cannot forget. For the sake of a pre-emptive scoop, you bribed officers who should have been focusing on capturing the culprit to feed your profit machine. You tempted the gods by abusing and misusing the Power of Information and now it is that very same power that will destroy you.

The emails of News of the World “reporters” discussing your phone-hacking exploits were backed up, archived, indexed and given a digital half-life of a million years. The smoking trail of digital DNA that you left behind while breaking the law, breaking our trust, breaking your business, will never disappear. And even if you didn’t do it, didn’t authorize it, didn’t know about it, it still happened under your watch. Most sadly of all, it happened under your son’s watch, and he, it appears more and more, takes after his father.

John Sileo speaks around the world on Privacy and Profitability to clients like the Department of Defense, Blue Cross and Homeland Security.

How Secure is Your Gmail, Hotmail, YahooMail?

I just finished an interview with Esquire magazine about the security of webmail applications like Gmail, Windows Live Hotmail and YahooMail. Rebecca Joy, who interviewed me on behalf of Esquire, wanted to know in the wake of the Rupert Murdoch phone-hacking scandal, how secure our photos and messages are when we choose to use free webmail programs.

The simple answer? Not very secure. Just ask Vanessa Hudgens (nude photos), Sarah Palin (complete takeover of her email account) and the scores of celebrities and power figures who have been victimized by email hacking.

Think of using webmail (or any web-based software, including Facebook, Twitter, Google Docs, etc.) as checking into a hotel room. Unlike a house, where you have tighter control over your possessions, the same is not true of a hotel. While you definitely own the items you bring into a hotel room (laptop, smartphone, wallet, passport, client files), you don’t have nearly as much control as to how they are accessed (maids, managers, social engineers who know how to gain access to your room). In short, by using webmail to communicate, you are exchanging convenience for control.

Here are the five most common ways you lose control:

  1. The password on your email account is easy to guess (fewer than 13 characters, no mix of letters, numbers, symbols and upper and lower case, rarely changed) and someone easily hacks into your webmail account, giving them access to your mail, photos, contacts, etc.
  2. Someone inside of the webmail company is given a huge incentive to leak your private information (tabloids that want access to a celebrity’s photos and are willing to pay hundreds of thousands for it).
  3. You populate your password reminder questions (What high school did you go to?) with the correct answers instead of using an answer that is not easily found on your Facebook, LinkedIn or Classmates.com profile.
  4. You fail to log out of your webmail while on a public computer (hotel business center, school, library, an acquaintance’s house), allowing others to log back in to your email account using the autosaved username and password (which by default tends to stay on a system for up to two weeks).
  5. You continue to deny the fact that when you store your information in places that you don’t own, you have very little actual control.

If you are sending sensitive information of any sort (text, photos, identity, videos or otherwise), don’t use webmail or social networking to send it. Use a mail program that resides on your own computer and encrypt the sensitive contents using a program like PGP. That gives you a much stronger form of protection than ignorantly exposing your information for all to see.

John Sileo is the award winning author of Privacy Means Profit and a professional speaker on data security, privacy, identity theft and social networking exposure.


Smartphone Survival Guide Now Available For The Kindle!

Identity Theft Expert John Sileo has partnered with Amazon.com for a limited time to offer the Smartphone Survival Guide for Kindle at 1/4 of the retail price.

Click Here to Order Today!

The Smartphone Survival Guide: 10 Critical Tips in 10 Minutes

Smartphones are the next wave of data hijacking. Let this Survival Guide help you defend yourself before it’s too late.

Smartphones are quickly becoming the fashionable (and simplest) way for thieves to steal private data. Case in point: Google was recently forced to remove 21 popular Android apps from its official application website, Android Market, because the applications were built to look like useful software but acted like electronic wiretaps. At first glance, apps like Chess appear to be legitimate, but when installed, turn into a data-hijacking machine that siphons private information back to the developer.

The Smartphone Survival Guide gives you extensive background knowledge on many of the safety and privacy issues that plague Smartphones, including iPhone, BlackBerry, Android and Windows Phone. Mobile computing is an indispensable tool in the modern world of constant connectivity, but you must protect these powerful tools. Mobile access to the web is here to stay, but we must learn to harness and control it. So whether you are reading this to help protect your own personal Smartphone, or valuable corporate assets, the Smartphone Survival Guide will start you in the right direction.

John Sileo’s Smartphone Survival Guide was recently mentioned in the New York Times.

John Sileo is the President of The Sileo Group and the award winning author of four books, including his latest workbook, The Smartphone Survival Guide. He speaks around the world on identity theft, online reputation and influence. His clients include the Department of Defense, Pfizer and Homeland Security. Learn more at www.ThinkLikeASpy.com.


Stupid App Usage Makes Your Smartphone a Fraud Magnet


With the recent avalanche of digital convenience and mass centralization comes our next greatest privacy threat – the stupid use of Mobile Apps. As a society, we depend on the latest technology and instant connectivity so desperately that we rarely take the time to vet the application software (Apps) we install on our mobile phones (and with the introduction of the Mac App store, on our Macs). But many of the Apps out there have not been time-tested like the software on our computers. As much as we love to bash Microsoft and Adobe, they do have a track record of patching security concerns.

The ability to have all of your information at your fingertips on one device is breathtakingly convenient. My iPhone, for example, is used daily as an email client, web browser, book, radio, iPod, compass, recording device, address book, word processor, blog editor, calculator, camera, high-definition video recorder, to-do list, GPS, map, remote control, contact manager, Facebook client, backup device, digital filing cabinet, travel agent, newsreader and phone… among others (which is why I minimize my stupidity by following the steps I set out in the Smart Phone Survival Guide).

Anytime that much information is stored in one place, it becomes a fraud magnet. Anytime that many individual software programs make it onto a single device (without proper due diligence, i.e., with stupidity), it becomes an easy target for identity thieves and interns from your competitor who happen to buy their coffee at the same Starbucks as you and get paid to nick your phone while you’re in line. And it’s not just criminals trying to take advantage of you. As we’ve learned from the amount of personal information that Apps like Pandora drain from your mobile phone, advertisers are just as hungry for your bits and bytes.

In 2010, the number of individuals hacked through applications on their Smartphone rose drastically. Hackers aren’t just gaining access to usernames and passwords on individual applications; they are betting on the numbers and applying those same credentials to crack your bank accounts, investments and credit cards. Admit it, on how many websites do you use the same password? But the real damage comes when company privacy is compromised (customer data, confidential emails, contact lists, access into corporate systems, etc.). It’s so easy to download a new App without thinking about who created it and what terms you agreed to by downloading it (several months ago, two of the top downloaded game Apps were produced by the North Korean government and focused on collecting and transmitting your data back to Communist Central).

As if Stupid App Use by itself isn’t threatening enough, it is rumored that the next generation of iPads, iPhones and iPod Touches will have Near-Field Communication capabilities. NFC is where the device can beam and receive credit card and payment information within 4 inches. It is very similar to how people can electronically pickpocket your credit card information using RFID technology. You would be able to swipe your device – or in this case your Smartphone – and be able to withdraw money from your bank account to pay for purchases, or to transfer some of your wealth to dishonest posers.

So what’s the good news? Simple. If you are taking steps to protect your mobile phone, your Apps and yourself, your risk drops below the panic line. Be careful about what Apps you download onto your phone without knowing anything about them. Use discretion when loading data to your phone and ask yourself if you really need to carry that on your handset. Set up a time-out password, remote tracking and wiping capabilities, and consider security software and encryption. These basic steps will convince a would-be thief to move on to their next victim.

John Sileo is the award-winning author of the Smartphone Survival Guide: 10 Critical Security Tips in 10 Minutes and four other books. He speaks professionally on playing information offense to avoid identity theft, social media exposure, cyber fraud, data breach and reputation manipulation. Learn more at www.ThinkLikeASpy.com.

Identity Theft Expert Releases Smartphone Survival Guide


In response to the increasing data theft threat posed by Smartphones, identity theft expert John Sileo has released The Smartphone Survival Guide. Because of their mobility and computing power, smartphones are the next wave of data hijacking. iPhone, BlackBerry and Droid users carry so much sensitive data on their phones, and because they are so easily compromised, it’s disastrous when they fall into the wrong hands.

Denver, CO (PRWEB) March 7, 2011

Smartphone Survival Guide

Smartphones are quickly becoming the fashionable (and simplest) way for thieves to steal private data. Case in point: Google was recently forced to remove 21 popular Android apps from its official application website, Android Market, because the applications were built to look like useful software but acted like electronic wiretaps. At first glance, apps like Chess appear to be legitimate, but when installed, turn into a data-hijacking machine that siphons private information back to the developer.

In response to this new threat facing iPhone, BlackBerry, Droid and Windows Phone users, identity theft expert John Sileo has just released “The Smartphone Survival Guide: 10 Critical Security Tips in 10 Minutes.”

“Once you download a Trojan app” says Sileo, “the thief has more control over your phone than you do. Your privacy is an open book… your identity, contact list, files, emails, texts, passwords… all of it. This doesn’t just threaten the individual phone owner, it threatens the organizations they work in and the data they handle every day.”

At the heart of the problem is the breathtaking convenience and efficiency provided by mobile phones that have become “Smart” because they also function as computers, books, GPS devices, payment systems, web browsers, radios, iPods and so much more. Unfortunately, blinded by the thrill and functionality of the latest app, users rarely take the time to vet the software that can be installed in seconds, from anywhere.

“There are no significant barriers to entry, for either us OR the thieves,” says Sileo of the app-based model of acquiring new software. “You can read about an app on a web page, download it and be using it in under a minute. And you probably didn’t even have to pay for it… at least with cash.” You’re paying dearly, Sileo maintains, by trading away private information, surfing habits, bank account numbers or company financials.

The Smartphone Survival Guide outlines the major threats posed by mobile phones with internet access and gives a range of solutions for drastically lowering risk. Sileo points out that most data stolen off of Smartphones isn’t just a technology problem:

“Despite the intoxicating power of technology, the underlying problem is always a human problem. Don’t waste energy trying to fix the gadget – that’s someone else’s responsibility. Focus on the behaviors that allow employees to maintain a healthy balance between productivity and security. Deliberate, focused training has the highest ROI, not obsessing over the latest data leakage.”

The Smartphone Survival Guide describes a range of solutions in a quick and accessible fashion, such as:

  • Turn on auto-lock password protection and corresponding encryption.
  • Enable remote tracking and remote wipe capabilities in case the phone is lost or stolen.
  • Minimize app spying with security software and smart habits.
  • Customize geo-location and application privacy permissions.
  • Be wary of free apps – users are almost always paying with private data.
  • Before downloading an app, ask a few questions: How long has the app been available – long enough for someone else to detect a problem? Is the publisher of the app reputable? Have they produced other successful smartphone applications, or is this their first? Has the app been reviewed by a reputable tech journal?

Smartphones and the data on them are obviously at risk, but it remains to be seen whether users will alter their behavior before it’s too late. If not, it will be but one more example of human choices leading to technological data hijacking.

John Sileo is the President of The Sileo Group and the award winning author of four books, including his latest workbook, The Smartphone Survival Guide. He speaks around the world on identity theft, online reputation and influence. His clients include the Department of Defense, Pfizer and Homeland Security. Learn more at www.ThinkLikeASpy.com.

Trojan Apps Hijack Android App Store


Google removes 20+ Apps from Android Market, signaling that malware distribution has gone mainstream, and not just for Droids.

The Android Operating System is open source – meaning that anyone can create applications without Google’s approval. It boosts innovation, and unlike Apple iPhones or BlackBerrys, Droid Apps aren’t bound by all of the rules surrounding the Apple App Store. But this leniency can be exploited by hackers, advertisers and malicious apps. And now those apps aren’t just available on some sketchy off-market website, but on the Android Market itself. As smartphones and tablets become one of the primary ways we conduct business, including banking, this development shifts the security conversation into high gear.

A recent discovery forced Google to pull 21 popular and free apps from the Android Market. According to the company, the apps are malware and focused on getting root access to the user’s device (giving them more control over your phone than even you have). Kevin Mahaffey, the CTO of Lookout, a maker of security tools for mobile devices, explained the Android malware discovery in a recent PC World article (emphasis mine):

“DroidDream is packaged inside of seemingly legitimate applications posted to the Android Market in order to trick users into downloading it… Unlike previous instances of malware in the wild… DroidDream was available in the official Android Market, indicating a growing need for mainstream consumers to be aware of the apps they download and to actively protect their smartphones.”

An example of a Trojan App, as I like to call it (because it hides an attack beneath a harmless – or even attractive – exterior), is a Droid app simply called “Chess.” The user downloads it assuming that it will allow them to play chess on their phone. Once downloaded, however, the app assumes root control of the device, transmits highly sensitive user data back to the author and leaves a ‘Back Door’ open to allow further malicious code to be added to the phone at any time. Disguising malicious apps as legitimate and popular software is what makes this game so easy and profitable for hackers. That the apps are then available on a well-known app site (run by Google) gives them an air of legitimacy.

Here are several tips from The Smartphone Survival Guide to help you begin protecting your mobile phone, whether it is a Droid, iPhone, BlackBerry or Windows Phone:

  • Be wary of free apps – almost all of them, legitimate and otherwise – are siphoning your information to the developers.
  • Before you download an app, perform a bit of due diligence, including but not limited to:
      • If it hasn’t been out for long enough to have been tested, don’t download it (let the marketplace approve it first).
      • Research the publisher of the App to see if they have a clean track record.
      • Perform a Google search for reputable reviews on the app (Macworld, PC Magazine, PC World, Wall Street Journal).
      • Don’t automatically believe the reviews on established App Stores (Apple, Android, BlackBerry, Windows) as they are often written by the developer (or malware author).
  • Realize that legitimate, fully vetted apps like Pandora are siphoning your information too, though in a more benign way.
  • Always check your app permission settings (if available) to see what information they are forwarding back to the creator of the app.
  • Install security software on your phone (if available).

Remember, not all apps are malicious; just a small fraction are bad apples. And Android isn’t the only source of this problem, it’s simply the most open of the App platforms and therefore more susceptible. Apple has pretty draconian rules for getting apps approved, which has helped minimize exposure on iPhones. But if you aren’t taking steps to educate yourself about this latest and greatest fraud source, you’re going to get stung.

John Sileo is the award-winning author of the Smartphone Survival Guide: 10 Critical Security Tips in 10 Minutes and four other books. He speaks professionally on playing information offense to avoid identity theft, social media exposure, cyber fraud, data breach and reputation manipulation. His clients include the Department of Defense, Pfizer and Homeland Security. Learn more at www.ThinkLikeASpy.com.