Blue Line

September 6, 2011
By Tom Rataj

It was an interesting few months this past summer, as the British tabloid “News of the World” itself made headlines around the world. Their apparently widespread practice of hacking the cellphones of royalty, celebrities and even the occasional crime victim had finally caught up with them, ultimately leading to the arrests of several employees and the closure of the 168-year-old tabloid.

An extra twist to the scandal came when it was alleged that several officers in the Metropolitan London (England) Police were complicit in the hacking scandal by providing confidential information and cellphone numbers to News of the World journalists in exchange for money.

While on the surface this story appears to involve some high-tech, spy-grade sleuthing, it was actually, fortunately and unfortunately, just some fairly rudimentary password “guessing” and perseverance, facilitated by an understanding of the common weaknesses in users’ passwords.

One thing that’s important to remember is that much of this hacking occurred almost 10 years ago, and the phones themselves were generally not hacked. The voicemail systems linked to the phone accounts were what was broken into.

In those days, cellular phone companies either didn’t require users to use passwords on their voicemail accounts at all, or they assigned default passwords such as “0000” or “1234”, expecting customers to change them but not enforcing it.

Hacking someone’s voicemail in this instance was as simple as acquiring the number and calling in at a time when the user probably didn’t have their phone turned on, such as in the middle of the night. Calling from a blocked number, waiting until the voicemail system answered, entering “0000” and you were in.
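The two controls that would have stopped the default-PIN problem described above are refusing weak or default PINs when a mailbox is set up, and locking the mailbox after a few wrong guesses while logging each attempt with the caller ID. The following is an added illustration written for this article, not code from any carrier's voicemail system; the default-PIN list, the three-attempt lockout threshold, the mailbox numbers and the caller IDs are all constructed values.

```python
import hmac
import re
from collections import defaultdict

# Constructed list of carrier-style default PINs of the kind the article
# describes ("0000", "1234"); the lockout threshold is an assumed value for
# this example, not any real carrier's setting.
DEFAULT_PINS = {"0000", "1234", "1111", "0123"}
MAX_FAILED_ATTEMPTS = 3


def is_weak_pin(pin: str) -> bool:
    """True for PINs a provisioning system should refuse: non-numeric or too
    short, a known default, a single repeated digit, or a straight run such
    as 1234 / 9876."""
    if not re.fullmatch(r"\d{4,}", pin):
        return True
    if pin in DEFAULT_PINS or len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


class VoicemailAuth:
    """Minimal mailbox PIN store with the two controls the old systems lacked:
    no default PIN (a mailbox with no PIN set cannot be opened at all) and a
    lockout after repeated failures, with every failure logged with caller ID."""

    def __init__(self):
        self.pins = {}
        self.failed = defaultdict(int)
        self.locked = set()
        self.log = []

    def set_pin(self, mailbox: str, pin: str) -> bool:
        """Accept a new PIN only if it passes the weak-PIN check."""
        if is_weak_pin(pin):
            return False
        self.pins[mailbox] = pin
        return True

    def login(self, mailbox: str, pin: str, caller_id: str) -> bool:
        if mailbox in self.locked:
            self.log.append(f"{mailbox}: attempt while locked, caller {caller_id}")
            return False
        stored = self.pins.get(mailbox)
        # compare_digest avoids leaking the PIN through timing differences
        if stored is not None and hmac.compare_digest(stored, pin):
            self.failed[mailbox] = 0
            return True
        self.failed[mailbox] += 1
        self.log.append(f"{mailbox}: failed attempt {self.failed[mailbox]}, caller {caller_id}")
        if self.failed[mailbox] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(mailbox)
            self.log.append(f"{mailbox}: locked after {MAX_FAILED_ATTEMPTS} failures")
        return False


if __name__ == "__main__":
    vm = VoicemailAuth()
    print(vm.set_pin("5550100", "1234"))   # False: default PIN refused
    print(vm.set_pin("5550100", "7391"))   # True
    for _ in range(MAX_FAILED_ATTEMPTS):    # constructed guesses from a withheld number
        vm.login("5550100", "0000", "WITHHELD")
    print(vm.login("5550100", "7391", "WITHHELD"))  # False: mailbox is now locked
    print("\n".join(vm.log))
```

The log lines are what a fraud team would actually look at: a burst of failures against one mailbox from a withheld number in the middle of the night is exactly the pattern the article describes, and it is invisible unless the system records it.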
Listen to, record, delete at your will, without ever leaving a trace.

In addition to this type of hacking, older analogue phones were particularly vulnerable to eavesdropping because their analogue radio signals were relatively easy to intercept and monitor using inexpensive and readily available scanners. This is no longer the case, since most cellular networks have long since switched to digital technology, making them far more difficult and expensive to eavesdrop on.

Passwords

In our electronic, Internet-centric world, we are all burdened with dozens of passwords and access codes, and remembering them all can be difficult. Many systems require only simple four-number or four-letter passwords, and users typically choose very simple passwords, such as “0000”, “1234” or “password”, which are very easy to guess through trial and error.

Another common problem is that many people use the same password for numerous accounts, so once the password is guessed, it provides access to much of the victim’s personal life. Not changing passwords on a regular basis is also a common problem. Many users keep the same password for years.

Many more-secure systems require users to choose passwords according to specifications where the password needs to be a minimum of 8 or 9 characters long and include at least 1 or 2 numbers or other special characters such as ! @ # $ % ^ & * ~ and at least one capital letter. On some systems the password also expires after 30, 60 or 90 days.

Microsoft recommends that passwords be at least 14 characters long. It offers an online Password Checker utility and advice page that is very helpful. Like other sites, it also offers a password strength meter that changes as the password is entered.

Password management utilities are also a convenient solution for creating unique passwords for every internet site that you regularly visit. These password utilities record and store all your passwords and enter the information for you when you visit a site.
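The password rules just described (minimum length, a number or special character, a capital letter, expiry after 30, 60 or 90 days), the reuse problem, and the way a password manager generates a unique password per site can all be shown in a few functions. This is an added example written for this article, not code from Microsoft's Password Checker or from RoboForm, LastPass or KeePass; the common-password list, the 90-day expiry and the sample vault are constructed values, and the 14-character default simply follows the Microsoft recommendation quoted above.

```python
import secrets
import string
from datetime import date

# The rules the article describes: minimum 8 characters, at least one digit
# or one of these special characters, at least one capital letter, expiry
# after 30/60/90 days. COMMON is a constructed sample, not a real wordlist.
SPECIALS = "!@#$%^&*~"
MIN_LENGTH = 8
MAX_AGE_DAYS = 90  # assumed rotation period for this example
COMMON = {"password", "0000", "1234", "123456", "qwerty", "letmein"}


def check_policy(password: str) -> list:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() or c in SPECIALS for c in password):
        problems.append("no number or special character")
    if password.lower() in COMMON:
        problems.append("on the common-password list")
    return problems


def generate_password(length: int = 14) -> str:
    """Generate a random password that satisfies check_policy, the way a
    password manager does; secrets (not random) is the cryptographic RNG."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def is_expired(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Expiry check as on systems that rotate passwords every 30, 60 or 90 days."""
    return (today - last_changed).days > max_age_days


def reused_passwords(vault: dict) -> dict:
    """Given {site: password}, return {password: [sites]} for every password
    used on more than one site, the reuse problem the article warns about."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed vault with one password shared between two sites
    vault = {
        "mail.example": "Summer2011!",
        "bank.example": "Summer2011!",
        "shop.example": "gX7#pQ2m~Lz9Wc",
    }
    print(check_policy("password"))
    print(reused_passwords(vault))
    print(generate_password())
    print(is_expired(date(2011, 1, 3), date(2011, 9, 6)))
```

The generator loops until a candidate passes the same policy the checker enforces, so the two cannot drift apart; a real manager would also store the vault encrypted under the master password, which is out of scope here.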
The password utility itself is protected by a master password that you’ll need to remember, though. With some of these utilities, strong and unique passwords for each site can also be created by the utility, eliminating the weaknesses of user-created passwords. RoboForm, LastPass and KeePass are some of the more popular password management products on the market. Many of these programs are also available for BlackBerry, iPhone, Android and Windows Phone devices.

Smartphones

The incredible growth of the smartphone market has also introduced a whole new threat to the security of people’s data, since smartphones are essentially pocket-sized computers (with phone capabilities) that may contain a lot of very personal and confidential information.

Although phone manufacturers and cellphone companies recommend that people create and use a password to access the devices, it doesn’t often happen.

In a recent poll commissioned by Canada’s Privacy Commissioner Jennifer Stoddart, it was found that less than half of Canadian cellphone and tablet users put password locks on their devices or adjusted settings to limit the sharing of personal data on their devices. Interestingly, people in the 18-34 range were more likely to use a password than older people, and women were less likely to use a password lock than men (35% and 42% respectively).

The best security implementation on any smartphone to date is the Motorola Atrix, which has a fingerprint reader built into the top of the phone. It’s a great, fast and easy-to-use system… as long as the owner of the phone actually takes a few minutes to set it up and use it.

Replacing phones every three years or so also creates problems. Old phones contain a lot of important and potentially valuable information that needs to be erased permanently before the phone gets recycled or disposed of.
Complicating it further, most phones store data in the internal memory of the phone, on the SIM card, and on a removable memory card such as a micro-SD.

If selling or donating a used phone, it’s crucial to have it properly cleaned of all user data. iErase for iPhones and ShreDroid for Android phones offer basic data erasure, while any removable memory cards can be readily erased on most computers.

In the event that a phone gets lost or stolen and is not protected by a password, there is also remote phone-wiping software available for most platforms. The software of course has to be acquired and installed, and the phone needs to remain on and connected to the network.

If the phone doesn’t work anymore and is not worth fixing, a hard surface and a sledgehammer will also do the trick (but don’t forget your eye protection).

Malware and viruses

Again, with the rise in the number and capabilities of smartphones, the malware and virus threats often associated with the personal computer world have started to migrate to smartphones. Malware typically steals data, including usernames and passwords, while viruses generally damage or otherwise disrupt operation of the device.

To combat this growing problem, several prominent security software vendors have started offering products for smartphones. Most vulnerable at this time is the immensely popular and rapidly growing Android phone market. Android phones are more vulnerable than BlackBerrys and iPhones because applications (apps) for them are available directly over the internet or through the lightly controlled Android Marketplace.
Apps for the iPhone are generally only available through Apple’s tightly controlled App Store, where every app needs to pass inspection by Apple’s software team.

In the first half of 2011, over 1 million people were hit by mobile malware, with the daily detection rate doubling every few months.

The old e-mail “phishing” scam (tricking people into visiting bogus sites so criminals can steal usernames, passwords and other data) apparently works better on smartphones, because the screens are smaller and the user can’t see the entire (bogus) web address in their browser.

Because smartphone users are also always online, they typically respond faster (and with less consideration) to e-mails than desktop users, and again, because of the smaller screen size, the full extent of the e-mail’s origin might not be seen.

Advice

Always create and use strong passwords everywhere a password is required, and install remote wiping software on your smartphone to protect yourself in the event of a lost or stolen phone.
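The point about small screens hiding the real web address can be made concrete: what matters in a link is the registered domain, which sits at the end of the hostname, and that is exactly the part a narrow address bar cuts off. The following checker is an added example written for this article, not code from any browser or mail client; the trusted domain, the tiny public-suffix table, the 40-character screen width and the sample links are all constructed assumptions (a real tool would load the full Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed for this example: the domain the organisation really uses, a
# tiny public-suffix table, and an assumed number of address-bar characters
# a phone browser shows before cutting the address off.
TRUSTED_DOMAINS = {"example-bank.com"}
PUBLIC_SUFFIXES = {"com", "net", "org", "ca", "co.uk"}
SMALL_SCREEN_CHARS = 40


def registered_domain(hostname: str) -> str:
    """Return the part of a hostname that was actually registered, e.g.
    'example-bank.com' for 'online.example-bank.com'. The rightmost labels
    decide ownership; anything to their left is chosen by whoever owns them."""
    labels = hostname.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes such as co.uk first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return hostname.lower()


def inspect_url(url: str) -> tuple:
    """Return (registered_domain, findings) for a link taken from an e-mail;
    an empty findings list means the link goes where it appears to go."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        findings.append("text before '@' is a login name, not the site")
    if parts.scheme != "https":
        findings.append("not https")
    domain = registered_domain(host)
    if domain not in TRUSTED_DOMAINS:
        findings.append(f"site is actually {domain}")
        if any(t.split(".")[0] in host for t in TRUSTED_DOMAINS):
            findings.append("trusted name appears only inside another domain")
    if len(url) > SMALL_SCREEN_CHARS:
        findings.append(
            f"only the first {SMALL_SCREEN_CHARS} characters fit on a small screen: "
            f"{url[:SMALL_SCREEN_CHARS]}..."
        )
    return domain, findings


if __name__ == "__main__":
    # Constructed sample links: one genuine, two of the shapes that fool a narrow screen
    for link in (
        "https://online.example-bank.com/login",
        "http://example-bank.com.secure-login.example.net/verify?id=1",
        "https://example-bank.com@203.0.113.5/",
    ):
        domain, findings = inspect_url(link)
        print(domain, findings)
```

For the second sample link, the first 40 characters read like the bank's own site; only the tail, which the phone never shows, reveals that the page belongs to example.net. Training users to read the end of the hostname, or having the mail gateway rewrite links to show the registered domain, addresses the problem the article describes.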