What do hackers and people who find phones have in common?
Answer – they try and get into your stuff.
This is from the Archives, but more relevant as the days go by….
Each day $7 million of phones are lost around the globe and if you live in Manchester, England you have the highest probability of losing yours. LookOut has a great site about where, when and how phones are lost.
What happens to phones that are lost was the subject of a recent ‘honey stick’ project by Symantec. On the surface, we should be encouraged by the fact that half of the people who found the planted smartphones tried to return them. But according to the blog, 96% of those finding phones tried to access the data first. 60% tried to get onto social media sites or email, and 80% had a go at accessing files that the folks at Symantec had labeled ‘HR cases’ or similar. The ‘remote admin’ app was also an attraction for far too many.
What this proves is that corporate data kept on smartphones is inherently at risk. To mitigate the risk, corporates should take precautions by enforcing policies that require password-enabled screen locks, education, an up to date inventory of what is connected to the network, a formal process for a lost or stolen phone and a better focus on protecting the data not just the device through better integration with the overall corporate security shield.
While lost phones can fall into the wrong hands, or the over-curious hands, there is always the shadowy world where individuals and companies make a living breaking down sites and systems and selling the information.
It is a tried and tested strategy, now formalized into competitions. Google paid $60,000 each to two hackers who cracked the ‘secure’ Chrome browser. In essence, Google paid to find out how they did it, so that they could strengthen their defences.
However, a third party also penetrated Chrome and will not tell them how they did it, not even for $1 million.
In an age of cyber warfare – yes it is – these companies, like Vupen in France, charge millions of dollars selling their secrets to the highest Government bidders – modern day arms dealers. A customer of Vupen will pay an annual subscription in the hundreds of thousands of dollars just to get access to the information they then sell.
The irony is that once Vupen have broken into something and then sold that information they have no security in place that controls what happens to that information – it could end up anywhere. They, of course, do not care.
In the new cyber arms race, Google and others might want to consider upping the prize money. Oh, and keep your smartphone close.