If you want a good chill down the back, hang out with security experts. I mean the top-notch guys, the ones who, were they
to go “black-hat,” could imperil entire networks or even whole industries.
One of their collective
roosts each year is CanSecWest, a major Canadian security conference. Every year, the organization holds its “Pwn2Own
contest,” which is hacker-speak for “gotcha!” Experts attempt to crack into various devices, including phones
and browsers. Manufacturers are there, too, to see what they have to work on in their next versions. There are even money
prizes.
There’s bad news if you’re running Safari on a Mac; it went down literally in a few seconds.
It wasn’t just Safari that was taken over, either, but the entire Mac computer. Microsoft’s Internet Explorer
and Mozilla’s Firefox lasted a good deal longer, but by the end of the day they, too, were wide open.
Interestingly,
Google’s under-marketed browser, Chrome, was untouched by the end of the conference. Nobody could defeat it. This is
real progress, because the original version of Chrome was widely known to be unsecure. I still wouldn’t recommend going
with Chrome for various reasons, but its fortitude while under attack is encouraging.
Even more interesting were
the results from the cell-phone cracking competition. Any guesses as to which smartphone yielded itself up by the end of the
competition and became, as gamers say, “pwned”? (Pronounced any way you like—it’s usually just written
out.)
Trick question. Not one did. This is notable, because security flaws have been found before in these phones,
and many security gurus still point them out from time to time. A popular theory for why the phones were still uncracked at
day’s end is because even experts need time to get familiar with the systems they’re attacking. Give ’em
time, they said. The FBI reportedly has already used a technique for activating a cell phone microphone remotely and listening
in on conversations.
But the fact remains that, for the foreseeable future, it’s unlikely your smartphone
will be taken over by any kind of malware. The major security leaks in smartphones, as in every other kind of technology,
aren’t in the device, but in the human brain.
It’s remarkable how many people don’t bother setting
security features on their expensive smartphones. Because they keep the phone somewhere close to them most of the time, they
believe it’s secure, but that’s not true. To start with, there’s a constant danger of dropping the darned
thing or forgetting it somewhere. A goofy teen-ager might just use it to text his girlfriend, but a seasoned crook could extract
all sorts of dangerous information out of it. He could even draw out all its secrets, then call you up to innocently return
the phone to you.
To start with, set the password function, so if the phone is stolen the thief won’t get
access to all your data. I know it can be a hassle to enter a password when you want to use the phone, but a thief should
have to, also.
Security professionals also advise turning off your Bluetooth connectivity when it’s not in
use, as well as switching it to “non-discoverable” mode, which tells the device to alert you if another device
wants to talk to your device. Unnecessary Bluetooth uses up additional battery power for one thing, but it can also be a security
hole, with older phones being particularly vulnerable.
Bluetooth has built-in security, so it’s not easy
to get in through the Bluetooth channel, but it can be done, through a process inelegantly known as “bluesnarfing.”
“Snarfing” is slang for “making unauthorized copies of data.” There is even a name for sending unsolicited
messages to a Bluetooth-enabled phone: “bluejacking.” A persistent attacker can be at work at the next table,
draining your battery and perhaps stealing contacts, schedules and anything else you have stored on the phone.
Authorities
also recommend encrypting your data, if the phone permits it, and not allowing your browser to retain IDs or passwords. Lots
of us use our phones to check online accounts at banks, investment companies and other sensitive places, and it wouldn’t
take a thief long to discover the keys to your kingdom when he launches the browser.
They also recommend clearing
out data, such as unencrypted e-mails, certificates (used for Web application security), user names, passwords and cookies.
On most newer phones, you can set this to happen automatically. There is even an outside chance your phone could pick up a
virus from the Web when you use your browser. The traditional antivirus companies such as Norton (www.symantec.com) and McAfee
(www.mcafee.com) offer protective packages that, in effect, make the smartphone even smarter.•
__________
Altom is an independent local technology consultant. His column appears every other week. He can be reached at
taltom@ibj.com.
Please enable JavaScript to view this content.