PhoenixDzine

I don’t know about the rest of the world, but in Russia the most popular SMS message is “Where are you?” But very soon that particular question is going to be irrelevant.

A few days ago Gartner published its list of the top 10 mobile applications to watch out for in 2012. First place went to Location-Based Services (LBSs).

Of course, there’s nothing new in technology that can pinpoint a mobile phone user’s location, and the whole range of services that comes with it offering information about individual users has been in the works for some time now.

But the thing is…

A few days ago one of my colleagues, who was in San Francisco listening to Bill Clinton’s keynote session at the RSA Conference, noticed on Facebook that his GPS and mobile services had gone a bit haywire. According to Google Maps, he had managed to visit Berlin, Disneyland in Florida and make it back to San Francisco all in the space of 2 minutes.

Another visitor to RSA also said that his location had been given as Disneyland in Florida for almost the whole week and that it was going to be difficult explaining to his boss what he’d been doing there instead of San Francisco 🙂

But on a more serious note, we are witnessing a very interesting process in human behavior. On one hand, users of mobile devices are increasingly willing to make public their exact whereabouts! I constantly see messages from my colleagues sent via Foursquare, for example, stating that they have arrived home (with a map of the town) or they are currently at some airport or other. This level of information is incomparable with the amount of personal data people used to make public. ‘Location’ used to mean the name of a town or city, but now it’s: “I’m here, right now!” to within a few meters.

On the other hand, monitoring people’s whereabouts is of more and more interest not only for law enforcement agencies but also for employers. Your employer can give you a company mobile and in return can expect to receive information about where you are, especially when you’re on a business trip. This type of tracking could even be used in legal disputes!

The situation is ideal for location-based services – there are people who want to publicize their whereabouts and there are other people who want to use that information. The consequences of this can be catastrophic. Here’s just one recent story about how people can be kidnapped and murdered as a result of information made public from their smartphones and posted on Facebook and Google.

OK, you might say these are exceptions and I’m paranoid. Maybe. But it can’t be hard to imagine a situation where a husband and wife end up having an argument after tracking each other’s movements. Or what about if an employer sees that his worker is in Disneyland like the story above? You can hardly blame it all on Bill Clinton 🙂

The growth in these services will soon lead to such serious problems protecting your personal life that all previous problems will seem like child’s play.

If I created applications for mobile phones, I’d seriously think about an app that didn’t state my real location but a false one!

I’d definitely buy it.

Or at least I’d do everything so that this type of functionality appeared in our Mobile Security product 🙂

Here’s an unusual spam message that turned up today:

If it wasn’t for the official name at the top of the message, you could almost be forgiven for thinking it was just another real estate advert… “Fully furnished. Situated close to retail outlets. Excellent access to public transport and local schools. Contact US Department of Defense for more details…”

But on a more serious note, the aim of this mailing was most probably to check an address database. So, whatever you do, don’t reply to stuff like this. In any case, spammers often fake their return address so that all your emotional outpourings are unlikely to reach the right people. And if the spammers do use their real address, any response from you will confirm your account is active and you’ll end up getting much more unwanted mail.

The story of how HBGary Federal’s network was recently hacked, resulting in the leak of numerous emails belonging to the US cyber-security firm’s employees and bosses has been big news over the last few days.

Leaving the motive as well as the legal and ethical issues to one side, I would like to focus in on another aspect of this incident. What we are currently witnessing here is a shift in the cyber-threat landscape.

As I see it, what happened to HBGary almost exactly echoes some of our main predictions for 2011 which we published in December of last year. We predicted that in the near future we would see:

1. The emergence of new organizers of cyber attacks with new aims; 2. Attacks that aim to steal data of absolutely any type; 3. A rise in attacks targeting corporate users

Of course, those behind the attack on HBGary are not “traditional” cybercriminals and, as far as I can gather, malware was not used. It appears the main tools used by the hackers were vulnerabilities and social engineering techniques.

It’s important to remember that social engineering is always going to be more effective than malicious programs. Human factors can jeopardize any system no matter what level of technological protection it has. Those attacking an organization can achieve so much more with a polite letter than they ever could with the most sophisticated virus.

The HBGary episode is a perfect example of how to organize and carry out a successful attack to steal information. The hackers managed to penetrate the network of an IT security firm that has contracts with government agencies and financial organizations. Anyone with the slightest knowledge of the situation can appreciate the scale and value of the stolen data and the kind of damage it has inflicted on the injured party.

The attack on HBGary only became big news because publicity was the overriding aim of the organizers. It has hit the headlines purely because of the links to WikiLeaks, secret services and so on. However, this is just the tip of the iceberg. Attacks like this are taking place every day and their implications can be far more serious than the HBGary incident.

Once again: Every day. Far more serious.

In fact information about the vast majority of these attacks never makes it into the news at all.

As most travelers know, many airports and VIP lounges offer Wi-Fi connectivity but, unfortunately, these connection are rarely encrypted.   Here’s an example:

  All data sent and received travels in clear text, which means anyone could intercept the data for malicious purposes.  This unencrypted data could include passwords, logins, financial information like PIN codes, etc. Many people also know that it’s always better to use a VPN connection.  However, in many cases,  VPN connection are filtered out and blocked by rules on the network firewall. I tried two different protocols and both were blocked.  Mostly network administrators don’t allow using VPNs from Public WiFi access points only because they want to make sure the network isn’t be used for malicious purposes without any readable network logs.  These policies actually allow to the bad guys to launch really easy  man-in-the-middle  attacks when all traffic pass through a malicious host. The reality is that using a public Wi-Fi service can expose your really sensitive data to cybercriminals. Recently, we saw some famous people lose their Facebook and other social network passwords by using open (insecure) Wi-Fi connections. So what is the solution when your VPN is blocked? Well, in some cases, an SSL (https) connection may help. Please, before going to any Website, type in the address bar https:// and then the domain name. After the page is loaded, please check if the certificate used for encryption is a valid one and issued to the site you’re visiting. If you see something wrong with the certificate, stop using the site. Another solution is to use a cable Ethernet connection instead of a WiFi. Many lounges have such connection as well; it will be much safer for you. In any case if you’re connected from a public place, it’s better not to use eBanking or ePayment services. That data is the main target for criminals. So, travel safe and keep your personal data safe as well!