Think your smartphone is safer than your PC? Think again!

People believe that their smartphone is more secure than their PC, and therefore less likely to be compromised by an attacker. The truth is that any device connected to the Internet can be compromised, and a phone that travels with you, is always switched on and talks over the air carries risks that a PC on a desk does not. Here is why.
1. Password. Most smartphones are unlocked with a 4-6 digit code typed on the on-screen keyboard. Someone can film you (with their own phone) entering that code from the side or from behind, without seeing your screen, then feed the video to software that infers the code from your finger movements; such tools have reportedly recovered the code about 90% of the time. The password on your PC is likely to be longer and much more resistant to guessing.
2. Fingerprint unlock. Biometrics are convenient, but you leave that “password” all over public places, such as on drinks glasses in a bar. A sophisticated individual can lift that fingerprint, copy it and render it in a form that unlocks your phone or authorises a payment (with Apple Pay, for example). Unlike a password, a fingerprint cannot be changed once it has been copied.
3. Intentional malware download. If someone borrows your phone to make an emergency call, they can use the app store to install a malicious app in seconds. Depending on the platform and the permissions it is granted, that app can act as a keystroke logger, sending the IDs and passwords you type (for mobile banking?) to the attacker’s website. Worse still, it can activate your microphone during private meetings without your knowledge, and transmit your location coordinates 24×7.
4. Accidental malware download. When you install an app from the app store, do you carefully check the permissions it asks for? Some apps are granted permission to use the microphone, the GPS, even the camera, and can do so without your noticing. Your PC will almost certainly run anti-virus software that blocks “drive-by downloads” of executable files; smartphones rarely carry equivalent protection and rely instead on app store vetting and sandboxing, both of which have limits. One industry survey reported that 97% of the top paid Android apps and 87% of the top paid Apple iOS apps had been “hacked”, meaning that tampered or cracked copies were circulating outside the official stores.
5. Phishing. Whereas you might spot a fake website or a spoofed URL on your large PC screen, these tricks are much harder to detect on a small smartphone screen, where the address bar is truncated or hidden while you scroll.
6. Wireless eavesdropping. Wi-Fi hotspots in public places like cafes and airports are notoriously insecure: an attacker on the same network can monitor your traffic and, on an open hotspot, read anything that is not protected by HTTPS. You are more secure on your cellular provider’s network, or on a VPN if you must use public Wi-Fi.
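As an added example of the spoofing tricks behind item 5 (this is not code from the original article), the Python below checks a URL for the features that hide well on a small screen: a brand name pushed into a subdomain, a one-character look-alike domain, a username before “@” that makes the visible “host” a decoy, punycode hosts, and plain HTTP. The trusted-brand list and the sample URLs are constructed for illustration, and the registrable-domain helper is deliberately crude (real code should use the Public Suffix List).

```python
"""Flag the URL spoofing tricks that are hard to see on a small screen.

Added example, not code from the original article. TRUSTED_DOMAINS and
the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical: brands the user actually has accounts with.
TRUSTED_DOMAINS = {"examplebank.com", "paypal.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Good enough for .com-style TLDs; real
    code should consult the Public Suffix List to handle e.g. .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoof_indicators(url: str) -> list[str]:
    """Return the reasons to distrust the URL (empty list means none found)."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lower-cases it, so PayPaI -> paypai
    if not host:
        return ["no host could be parsed (missing scheme?)"]
    if parts.username is not None:
        # https://paypal.com@evil.example/ : the browser connects to evil.example
        findings.append(f"text before '@' is a username, real host is {host}")
    if parts.scheme != "https":
        findings.append("not https")
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        findings.append("punycode host (internationalised characters, possible look-alike)")
    if any(ord(ch) > 127 for ch in host):
        findings.append("non-ASCII characters in host")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return findings                  # genuine domain; its subdomains are fine
    reg_label = reg.split(".")[0]
    for brand in sorted(TRUSTED_DOMAINS):
        brand_label = brand.split(".")[0]
        if reg_label == brand_label:
            findings.append(f"same name as {brand} under a different top-level domain: {reg}")
        elif edit_distance(reg_label, brand_label) <= 1:
            findings.append(f"look-alike of {brand}: {reg}")
        elif brand_label in labels[:-2]:
            findings.append(f"brand '{brand_label}' placed in a subdomain, real domain is {reg}")
    return findings


# Constructed samples, one per trick.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://paypal.com.account-verify.example/login",
    "https://paypa1.com/",
    "https://paypal.com@evil.example/",
    "https://xn--pypal-4ve.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", spoof_indicators(u) or ["looks genuine"])
```

The check runs on the URL string only, so it can be applied to links in an SMS or mail body before anything is tapped; it says nothing about the page behind the link, which is why HTTPS and a genuine domain are necessary but not sufficient.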
Once your smartphone has been hacked, you are far more exposed than if your home PC had been hacked. The intruder has your keystrokes, text messages, voice calls, location, video, and almost certainly access to business assets like company email.
My advice? Regularly go into the settings and look at data usage; it will show you every application and how much data it is sending. While you are there, review which apps hold microphone, camera and location permissions, replace the short numeric code with a longer alphanumeric passcode, and install operating-system updates promptly.

Do Your Business Partner Companies Pose a Threat to Your Cyber Security?

“Out of sight, out of mind”: companies give far too little attention to business partners that have privileged access to their sensitive data. Your company is more like a permeable membrane than a fortress, and your business partners are probably softer targets for attackers than you are. You need to apply a “trust but verify” principle to all of your vendors.
Some security pundits talk about TNO (Trust No One). Others talk about “zero trust”. Still others say “trust but verify”. To carry out business, we have to trust the businesses we partner with. On the Internet a handshake does not validate trust, so what does for third-party service providers? As more digital collaborative partnerships are implemented, firms can expect a greater risk of losing confidential business information.
One of the best compendiums of essential security management practices is the ISO 27000 series of international security standards. An organisation can use them internally, either to pursue certification or simply as a best-practice manual. The 2013 revision of ISO 27001 was updated to address relationships with outside parties, including suppliers.
A good first step is to survey all of the authentication data in your organisation. This includes Active Directory, the Google Apps directory, standalone application directories and any other directories you may be using. Then compare this information with the employee list from HR. The difference will be the accounts belonging to third parties, contractors and vendors (and service accounts, which deserve the same scrutiny). You need to document who these people are, what organisations they are from, who requested their access, what they have access to, and what level of risk is expected. A process needs to be set up to grant and remove access, with quarterly reviews for anyone holding any type of sensitive access. While you are doing this, you can commence putting into place your strategic vendor information security framework.
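The reconciliation described above, as an added example that is not part of the original article: the Python below takes a merged directory export, subtracts the HR roster to isolate non-employee accounts, looks each one up in a sponsor register, and flags accounts with sensitive group membership that have no sponsor or are past their quarterly review. The directory export, HR roster, sensitive-group list and sponsor register are constructed sample data; in practice they would come from AD/LDAP exports, the Google directory and the HR system.

```python
"""Reconcile directory accounts against the HR roster to find third-party access.

Added example, not code from the original article. The directory export,
HR roster, sensitive-group list and sponsor register are constructed data.
"""
from datetime import date, timedelta

# Constructed: merged export of every directory (AD, Google, app-specific).
DIRECTORY_ACCOUNTS = [
    {"id": "asmith", "source": "ActiveDirectory", "groups": ["Staff"]},
    {"id": "bjones", "source": "ActiveDirectory", "groups": ["Staff", "Finance-Admins"]},
    {"id": "cwong", "source": "GoogleDirectory", "groups": ["Staff"]},
    {"id": "vendor-acme-01", "source": "ActiveDirectory", "groups": ["VPN", "ERP-Admins"]},
    {"id": "contractor.lee", "source": "GoogleDirectory", "groups": ["Shared-Drive-Readers"]},
    {"id": "svc-backup", "source": "AppDirectory", "groups": ["Backup-Operators"]},
]

# Constructed: current employee IDs from HR.
HR_EMPLOYEES = {"asmith", "bjones", "cwong"}

# Constructed: groups that count as "sensitive access" and need quarterly review.
SENSITIVE_GROUPS = {"Finance-Admins", "ERP-Admins", "Backup-Operators"}

# Constructed: the register of who requested each non-employee account.
ACCESS_REGISTER = {
    "vendor-acme-01": {"org": "Acme Ltd", "requested_by": "CFO", "last_review": date(2014, 1, 10)},
    "contractor.lee": {"org": "Lee Consulting", "requested_by": "IT Manager", "last_review": date(2014, 5, 2)},
}

REVIEW_INTERVAL = timedelta(days=91)   # roughly one quarter
REPORT_DATE = date(2014, 6, 1)         # fixed so the output is reproducible


def non_employee_accounts(accounts, employees):
    """Step 1: directory minus HR = third parties, contractors, vendors, service accounts."""
    return [a for a in accounts if a["id"] not in employees]


def review_third_party_access(accounts, employees, register, sensitive_groups, today):
    """Step 2: document each non-employee account and flag what needs action."""
    report = []
    for acct in non_employee_accounts(accounts, employees):
        sensitive = sorted(set(acct["groups"]) & sensitive_groups)
        entry = register.get(acct["id"])
        findings = []
        if entry is None:
            findings.append("no sponsor on record")
        if sensitive and (entry is None or today - entry["last_review"] > REVIEW_INTERVAL):
            findings.append("sensitive access overdue for quarterly review")
        report.append({
            "id": acct["id"],
            "source": acct["source"],
            "org": entry["org"] if entry else "unknown",
            "requested_by": entry["requested_by"] if entry else "unknown",
            "sensitive_groups": sensitive,
            "risk": "high" if sensitive else "low",
            "findings": findings,
        })
    return report


def run_report(today=REPORT_DATE):
    """Run the review over the constructed data set."""
    return review_third_party_access(DIRECTORY_ACCOUNTS, HR_EMPLOYEES, ACCESS_REGISTER,
                                     SENSITIVE_GROUPS, today)


if __name__ == "__main__":
    for row in run_report():
        print(f"{row['id']:16} {row['source']:16} org={row['org']:15} risk={row['risk']:4} "
              f"groups={row['sensitive_groups']} findings={row['findings']}")
```

An account that is neither in HR nor in the register is the case to chase first: nobody can say who it belongs to, and in the sample data the backup service account holds sensitive rights on exactly that footing. The same loop, fed a fresh export each quarter, is the review process the text calls for.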
Information security firm BitSight offers a security rating system reminiscent of financial rating systems such as Moody’s and Standard & Poor’s. Their approach is to produce the ratings automatically and on a continuous basis. BitSight rates a firm on the basis of externally observable data such as botnet infections, spam, malware, DDoS attacks, news feeds, social media and other inputs. From this analysis the company scores a firm’s security on a scale of 0-1000, and a low score might prompt you to look more closely at how that company is handling your sensitive data.

What if your company computer were held to ransom?

A sophisticated and determined attacker can almost certainly gain access to your company network, whether by a phishing attack, by social engineering, by cracking the password of your wireless network, or by any number of other routes.
Over the last few years, the motives of attackers have changed significantly. Initially groups like Anonymous would deface websites because they wanted publicity for political causes. Then attackers grew greedier and started to steal digital assets for financial gain, such as bulk credit card data. Then they stole trade secrets and offered them for sale to competitors. But all these mechanisms bring a significant risk of being tracked down and prosecuted, so the attackers copied the modus operandi of guerrilla groups and took hostages instead. This is a low-risk, high-reward strategy for criminals around the world (think of oil tankers off the coast of Somalia).
The attackers introduce malware (ransomware) at the weakest point in your defences, often by delivering the payload while one of your employees browses an infected website. The malware then spreads to as many machines as possible, evading anti-virus software by embedding itself deep in the operating system. Once it reaches critical mass, every copy activates simultaneously: the malware locks the operating systems and freezes every workstation on your company network, while the copies on servers lock up processes and data, blocking any attempt by a system administrator to regain control. Then the blackmail demand appears on every screen: “We have taken control of all computers on your network. We will release them only on receipt of a 30 Lakh wire transfer to our account. Please call our Support Helpline on ….”
Most companies cannot afford the business disruption caused by staff being unable to work, and so the usual response is to pay promptly once the IT systems administrators tell management that they cannot regain control. Tested backups kept offline, where the malware cannot reach them, change that calculation: restoring from backup becomes an option that does not depend on the attacker keeping their word.

What would you pay to insure against a 30 Lakh loss? That is the calculation the attackers are exploiting: they assume it costs you less to pay up than to put in proper defences. Instead you should take all reasonable precautions, not simply to defend against ransomware but to strengthen your defences against intruders of all kinds. The behaviour you should detect is the tremors before the earthquake. No attacker will launch a sophisticated attack without doing their homework. That normally involves probes to ascertain the weaknesses in the victim’s architecture. These probes are the tremors which portend the attack, but they usually go