Cell Phone Security Issues

In general, the communication between your cell phone and the cell phone provider tower is relatively safe from cyber-attack.  But I read a blog entry from Lookout, a cell phone security firm, that has some interesting information in it.  Note the part at the end where government employees use cell phones behind government firewalls.  In general, you should be aware that cell phones, through their wifi interface, are a very unique and ubiquitous way to gain access and breach the security of your home and all the companies that have your personal information.  Here is the important part of the blog entry:

Cyber war is a term the U.S. government is intimately familiar with, but woefully unprepared for when it comes to mobile.

Government employee mobile devices are a relatively new attack surface, and a particularly valuable one for espionage missions and other criminal intent. Mobile devices access confidential, classified, and other protected data classes. At this point, that’s just a fact. Both CSIS and the Presidential Cyber Commision acknowledge that mobile is no longer a fringe technology, but a central instrument that allows employees to get their jobs done.

Protecting data on mobile is non-negotiable and the responsibility of federal technology and security leaders across the entire government.

There are five principles any federal agency or organization must use to build a mobile security strategy. To forego such a strategy directly puts sensitive government data at risk.


Defense in depth is a necessary standard in protecting mobile

Agencies should look for mobile security solutions that defend data beyond the surface. Wrapping a mobile device in a management solution may let an IT manager set blacklists or whitelists, but it is not a solution that provides actionable data regarding apps on the device, network threats, exploits of known vulnerabilities, or employee actions that may cause data leakage. A security solution should be holistic.

Don’t fool yourself into thinking mobile security is a “one-and-done”

“Checkbox mentality,” or the belief that deploying a solution relieves a technology or security leader of the burden of protecting data, is a pitfall that should be avoided. Instead, this requires leaders to take inventory of their technology status asking themselves the following questions:

• What kind of data are we handling?
• What types of data would be crippling to my organization if they were leaked?
• How many devices access data? What types of devices?
• Which employees need to access what kinds of data?
• What kinds of threats to this data exist out there?
• Who in my organization could be targeted?

Then, the technology or security department can properly vet solutions the appropriate solutions and choose one to engage.

Treat “hygiene” as a four-letter word

The term “hygiene” needs to be deleted from the security dictionary. It’s not about cleaning up issues every once in a while; it’s about having an always-on strategy and technology solution that provides continuous and automated operations, maintenance, and security.

“Hygiene” makes you think about brushing your teeth three times a day to stay safe from cavities. You don’t set your alarm three times at night to alert you to burglars. Instead, you rely on the alarm to stay on, working in the background.

Security technology should not hinge on the lowest bidder

Agencies must treat IT infrastructure, which includes mobile devices, as a critical component of the agency, seeking out the best technology to support security aims. In cases like these, settling for the lowest bidder is not the best strategy.

Keep it simple

Make your strategy short, concise, and achievable.

Agencies have specific needs, but these principles transcend even those nuances

Today, the U.S. government is divided into three very different communities that have very different aims:

Civilian agencies that have citizen-facing functions, such as the IRS, Department of Education, and the Department of Commerce.
Homeland defense agencies that focus on the protection of our country at home, including law enforcement, DHS, FBI, and the Secret Service.
National security organizations, that protect us from adversaries abroad, such as the Department of Defense, and the Intelligence community.
Each of these agencies and organizations require different standards as it comes to securing data, but they all have two things in common: they must regulate who can access what and they must protect sensitive data from unauthorized consumption.

According to the Presidential Commission on Enhancing National Cybersecurity, “Mobile technologies are heavily used by almost every organization’s employees, yet security for mobile devices is often not considered as high a priority as security for other computing platforms.”

While each agency might have specific security needs, it’s critical that all prioritize mobile security and act to protect data now.

You’re up against more than you think

We’ve known for years that cyber war is real, but the risk extends to mobile devices as well.

Threats like Pegasus, one of the largest threat discoveries in mobile security to date, are highly sophisticated and targeted. Pegasus specifically was capable of accessing messages, calls, emails, logs, and more from apps. This could be extremely damaging to a government agency.

No federal organization or agency is exempt. Yet employee mobile devices are flying under the radar when 40 percent of employees at agencies with rules prohibiting personal smartphone use at work say the rules have little to no impact on their behavior.

Read more: 5 non-negotiable principles to combat cyber war on mobile (https://blog.lookout.com/blog/2017/02/16/principles-cyber-war-mobile/)

Fingerprint ID for your smartphone: what an advantage!

Following up with the last post, I discussed that I had to get a new phone and it was a hassle dealing with two factor authentication.  Well, I discovered that the fingerprint feature on the new phone more than makes up for the hassle.  The phone security itself and some apps, particularly the password manager I use, Lastpass, can use your fingerprint for security verification.  No more signing in to Lastpass.  (Lastpass provides userid and password for all my apps and internet browsing, but it even when I sign in, that sign in only lasts for a few minutes; then I have to do it all over again.  My password is very difficult to type using the phone, so it takes time and do-overs.)  I put my finger over the fingerprint reader and I'm in to Lastpass.  Same thing for other fingerprint reader enabled apps plus my phone itself.

I know, you see all the crime shows where the crook gets a plastic cast of your finger print and uses it.  If your are one of those who will be exposed to this kind of fraud, then you should probably not use this feature.  Ditto if you have a job or hobby where you are likely to lose that digit.  But then, the backup for the fingerprint reader is to use your pins and passwords.  So you aren't completely locked out.

The circular firing squad of two factor authentication

Yesterday I dropped my phone and the screen broke.  Today I went to the phone store and got a new phone, one with a supposedly shatterproof screen...  We'll see.  BUT... I am a "believer" in two factor authentication AND in using a password manager to give me random passwords for all my logons.  All good except when you buy a new phone.  So you have to go to the phone's "Store" to download the password manager.  For google, you have to sign on to get anything.  Both of these require a password.  Dah... I don't know my password:  it's in the password manager.  Which I can't download unless I have the google password and the store password (one and the same on Android).  Furthermore, even if I have my password, with 2 factor, you have to have the appropriate 2 factor application (Google Authenticator) downloaded and configured.  Which requires passwords and interaction with the application's 2 factor process.

Therefore, I have to wait to configure the phone until I get home and can look up the passwords on my computer plus configure the Authenticator.    So... this day's hint is to write down your store password and your google password before you go to the store.  Then the store people will be able to completely configure your phone for you.  When you get home, you can download your entire set of applications plus the contents of your old phone using wifi and your service provider's backup cloud + store backup.  Did you know that, at least for the Google Playstore, it backs up a list of all your applications so that, if you have to replace your phone, you can log on to the Playstore (with your phone's primary Google user id and password) and recover all the applications?   This is a big deal for someone like mean who is so dependent on a smart cell phone just to go through a normal day.

Google let scammers post a perfectly spoofed Amazon ad in its search results

There is a new way to get you to click on a link that leads to ransomware:  A legitimate looking Google search result posted to the results of your search for "Amazon" or similar.  This could be a future common way to get you to click on a link that invokes a ransomware "infection."

This article explains:  http://www.zdnet.com/article/malicious-google-ad-pointed-millions-to-fake-windows-support-scam/?loc=newsletter_large_thumb_featured&ftag=TRE17cfd61&bhid=22449904719690284461257671316617

If you get infected with ransomware that looks anything like what is shown in the article, then go to the Task Manager (ctrl-alt-del) and kill all the processes related to the browser you are using.  Then, immediately clear the cache and all history for all browsers, plus clean out your registry.

CCleaner works best for this.    You can get CCleaner at http://www.piriform.com.  Patently wade through the screens to get to the free edition.  You'll be redirected to a download page.  Careful on that page to click on the green box to the right, not the big box right under the "Download."  That big box tricks you into downloading something else.  Unfortunately, even "good" sites have tricks these days.

There are some subtle things you have to do with CCleaner to configure it.  Best you call me and I can quickly get it configured for you.  

Once done with CCleaner, restart your computer.

What is the best router?

I recently received the following question:

I recently read an article from PC magazine depicting issues with the Time Warner/Charter routers. Specifically relative to not being able in many cases to support the through put and rental costs over an extended period of time. Was wondering if you had researched routers and perhaps have a recommendation or two. Speed and streaming and coverage being the most important.

Thank you for that question.  

First, here is a 2017 review of routers from PCMag:  http://www.pcmag.com/article2/0,2817,2398080,00.asp

I encourage that you read this article, not only for the reviews but for the tutorial on router features.  I also encourage searching for "2017 router reviews"  for similar articles. 

The article doesn't mention the capability you will need in the future:  protecting all your wifi-connected devices from botnet invasion.  Plus, 

• I have seen some other routers not included in this review that seem to work well.  
• If you have electronic obstacles in your house, or you have a large house, and you don't have ethernet service to the nether regions of your house or property, you will need one or more or both of either a "repeater" or a "wifi extender."  As you increase your household use of streaming video, especially the 4K video, you will need to know how to set up your router to use multiple bands to service the signal, plus you will need to reconsider running ethernet to some areas of your house.  (The latter usually isn't as bad as it sounds, assuming you have attic and/or basement or crawlspace access.)

The router that is best for you depends on 

• your sensitivity to price + sales (careful on sales:  the routers that are deeply discounted are the ones that are likely "old technology.")
• the electronic barriers in your house
• the number and kind of network-connected devices you currently have
• your future plans for adding network-connected devices (routers can last 5 years or more, assuming you have them properly protected against electrical surge)
• your technical capability, or your access to someone with that capability  (Installation and/or upgrade of your network communication can cost many times the cost of the router(s) themselves)
• Your ability to understand the foreign support people- most are difficult to understand and have only freshman technical skills.  (At times I have had good experiences with both Cisco (Linksys) and Netgear, but it varies with each call.)

So, at the end of this blog, I haven't answered the question, have I?  What is the best router?  When I look for a new router I will look for full botnet protection, something that will cover the area it needs to cover, considering that I have 4 other access points served by ethernet in the house, and then price.  Support will not be an issue for me, and it shouldn't be for anyone in the communities I service.  It will have 1 2.4 signal, 2 5 signals, and a guest channel.  I don't have the problem of supplying a 4K video signal over wifi:  I have my 4K set ethernet-connected.  But that might be a consideration for you.  

Finally, with respect to Charter, I doubt that the Charter router rental will be the best for price/performance for you.  I suggest you purchase a router that suits your needs based on the above discussion and the referenced article.  If you have a credit card or a store that automatically extends warranty service, then take advantage of it.