Master of the House? Who Controls the Home in the Internet of Things?

I had an interesting conversation with an American friend recently about how the AT&T Digital Life product had helped him take control of the temperature in his house…. from his wife!

I’ve experienced air conditioning wars at a company I used to work at – the thermostat was at the end of the office near the door. At various points, certain people would go and turn it up to full heat, whilst others would go and turn it fully down to cold. It was a mess. In the end facilities resolved it by taking control away entirely and nobody was happy.

Whilst slightly amusing, it does raise interesting questions for the future home internet-of-things (IoT) solutions.

Is the administrator or ‘Master’ of the house IoT system de facto the most tech-savvy person in the house? Statistics on technical career choices would dictate that is probably usually a man. Does that put women in an unfair or weak position when it comes to privacy?
What rights do other family members have to privacy and control?
What about visitors?

Rental Homes and Holiday Lets

What about rented homes? In the future home automation, monitoring and other IoT solutions are likely to be built in to new homes. What rights do people who are leasing homes have when it comes to ensuring that the Landlord cannot monitor or control such a system?

Abusive and Controlling Relationships

What happens in cases of domestic violence, controlling behaviour and abuse? Spyware applications are often used by jealous partners so there is nothing to say that such people wouldn’t also use IoT technology as part of their controlling behaviour.

The Good Side

On the flip-side, there are plenty of examples of cameras being used by home owners which have caught thieves, discovered abuse by child minders and by carers for the elderly. For some vulnerable people, door cameras have been helpful to deter and detect cold callers who would take financial advantage of them.

These new social realities are happening now. Whilst home IoT solutions are generally fantastic, for some people, even being at home may become a problem.

Cyberbullying: Victims to unmask public perpetrators, but what about bullying in private?

I invited Matt Williams to write a guest post on cyber bullying. Thanks for a great article Matt!

Cyberbullying is a topic of discussion that is becoming increasingly mentioned in today’s electronic world. In a time where the Internet is a staple part of our everyday lives, the ability to communicate one’s feelings by the click of a button is often taken for granted. This is particularly the case when referring to the mobile arena, as thoughts and ideas can translate to an SMS, Tweet or Facebook post almost instantly. Whilst many welcome the advancement with open arms, such steps forward naturally arrive with significant disadvantages. Cyberbullying is one of the most profound, and after a recent case of the practice came to light in the media, the UK Government is now being put under pressure to increase its efforts in a bid to address the matter.

Unmasking trolls and cyberbullies

The consistent rise in pressure began to escalate last week, when a British woman successfully won a court order allowing the identities of the individuals harassing her online to be revealed. Nicola Brookes had suffered a barrage of abuse from other users of the popular social media website, Facebook. Having achieved the court order, the users who posted defamatory comments against Mrs Brookes will now have a select amount of their personal details made known. This includes the IP addresses of the devices used by the cyberbullies. It is hoped that the added threat of having parts of a person’s personal profile revealed will help in the fight to combat the ever-growing threat of cyberbullying.

However, some organisations have expressed great concern about having the ability to reveal the proposed information. Privacy International states its position on the matter, claiming that on an international scale, certain operators may become too lax on the ability given to them. They fear that such organisations are at risk of exposing personal details, even in the event that only an allegation has been made. Therefore, the appearance of this ability in the social media market comes with new considerations, in many other aspects and on a much wider scale. But how would this tie in to mobile devices?

Image by Adam Clarke

Well, the clear advantage of the portability of mobile phones poses a threat in itself, as it presents one of the best methods of allowing cyberbullying to take place. These days, it is difficult to find a person in the UK without some form of mobile device. For many, the simplicity of being able to communicate with another individual has never been greater, thanks to the mobile phone. It is for this reason that mobile devices can more easily act as a catalyst to such an act as cyberbullying.

Cyberbullying in Private via Mobile

Another reason why cyberbullies prefer to use mobile to carry out their attacks is because phones often come with a lack of parental interference. Considering that the issue is most common within the teenage demographic, parents of younger phone users tend to distance themselves from their child’s mobile communications and online lives. Likewise, it is common for adolescents to find a means of preventing their parents from accessing their messages. It is this separation that can pave the way for cyberbullying to take place on a more private scale. In many aspects, this is more significant than a public example of online harassment, as the issue can steadily manifest itself and worsen with time.

But it is important to remember that cyberbullying isn’t only exclusive to text communications. Photos, videos and audio recordings that demonstrate offensive behavior also contribute to the problem. In many situations offensive material of any form is deleted soon after having been sent, especially on mobiles. This is often the case for both the architect of such material and the victim themselves. As a result, a record of the exchange becomes difficult for parents, teachers and the Police to trace, as the evidence is no longer present on the front end.

Government pressure on cyberbullying should continue

However, this recent development enabling victims to unmask cyberbullies can ultimately be considered to be a significant step forward, when attempting to tackle online perpetrators. Consequently, it is a move by the Government that will be well received. But it is important to remember that the private side of cyberbullying will continue to take place, and the Government must maintain its interest in combating the matter in the long run.

Last night’s Channel 4 News in the UK carried a piece on cyberbullying and guidance on what to do if you are being bullied: http://www.channel4.com/news/cyberbullying-what-should-i-do 

About Matt Williams

Matt Williams has just completed his second year as a student at the University of Derby, pursuing an undergraduate degree in Computer Forensics and Security. He has a keen interest in up-and-coming mobile technologies, particularly in reference to mobile security.

Manufacturers, Developers and Device Privacy

I’m involved in the IAPP’s privacy event this afternoon, talking in the session: “Is There an App for That? Privacy in Social, Local and Mobile Services” with a view from mobile manufacturers and developers. Here is my talk and some ideas about how some of the current problems can be solved. I’d be interested in your views:

“Privacy isn’t something that mobile manufacturers have had to get involved with. Beyond a basic device PIN lock, the furthest some manufacturers got ten years ago was to put PIN protection on mailboxes.”
 
These days, it is often a question of what does the manufacturer own? The hardware? The access control of the device? There are a vast number of stakeholders in the mobile industry and it is difficult to see who has responsibility. When something goes wrong, the blame often goes all over the place. The manufacturer often doesn’t have control over the operating system these days, but they do have control over security in the hardware, including features such as trusted secure storage and trusted execution which can be opened up via APIs (interfaces) to the operating system and applications above that. This means that privacy sensitive information such as credentials could be stored in what is in effect a safe on the device. Other features such as full-device encryption give peace of mind if a device is stolen, but there are more fundamental things that are not fixed in some devices such as also locking down USB ports when the key-lock is in use. Often this comes down to individual engineers and it is important to note that privacy does not feature in software engineering syllabuses and there is still a problem in educating future engineers including a lack of mandatory security components.
 
As manufacturers, information sharing and disclosure of security vulnerabilities, particularly where there are privacy implications, should be encouraged and improved. This is an area that is still lacking in industry.
 
The device is our life-diary. We must all acknowledge that there are situations where the Police need to intervene and legally get access to data on devices whether the owner is the perpetrator of crime or a victim. The evidence aspect of mobile phones is incredibly important and the discipline of mobile device forensics is still emerging and developing. These needs are clearly counter to the needs of everyday security and privacy and this highlights the complexity of context, for as a user who then becomes a victim, the privacy need then turns into a need to disclose.
 
Developers
“Just because you can, doesn’t mean you should” is probably the most important point when it comes to developing new services that involve the user. We have the capabilities in technology now to do almost anything. Proportionate and responsible usage by companies is a moral responsibility that is sometimes negated by the desire to make money. This is something that self-regulation is never going to be able to solve. Public exposure and the risk of public exposure by hacktivists or the media is what seems to be driving the protection of privacy rather than a genuine desire to be responsible in the majority of cases.
 
Users don’t necessarily realise that their data is being misused, because they can’t see it. This could be through profiling tools and so on. When these things become publicly exposed, such as with the Carrier IQ issue in 2011, users immediately reject the service in the most extreme ways without really realising what is going on or if indeed, the service did in fact breach their privacy. Some developers don’t know that the services they’re including in their apps breach their users’ privacy (e.g. advertising etc).
 
Some short points now on problems and solutions for manufacturers, developers and users of mobile devices around privacy:

Problems with privacy

·     Technically, we don’t have the screen real estate on mobile devices to display privacy policies and besides, no-one ever reads them anyway. This is a huge issue that has not been adequately addressed (the proposed Mozilla privacy icons are interesting…)
·     User experience is mostly – accept these privacy settings (or permissions) or don’t use the application. This is not really acceptable.
·     Human behaviour… Your user wants their privacy protected but is quite happy to breach others’
·     Privacy is contextual and often the privacy need is after the event. Here are some very brief (but extreme) examples:

1.      A user who is very open and has no privacy concerns has their social media settings set such that all their photos are available. They are murdered in unrelated events. Media across the country descend on the open site and use the images in reports, to the extreme distress of the family of the victim.
2.      A newspaper finds out that a woman has slept with a well-known celebrity. They leverage the woman through her connections on a social networking site and essentially force her to “tell her side of the story”.
3.      Employees working for a company are involved in a labour dispute. There is a division between union members and “loyalist” staff. Friends become enemies overnight without realising it. The context of privacy has changed significantly. Postings that were previously posted in a private environment are printed off and taken to management. The company takes advantage of the situation and goes further, even to the extent that they search for profile updates and public data on social media sites to identify “troublemakers” and discipline them.
4.      A child is befriended by another child through a social application because they both like the same band. Location data and lots of private information including pictures are happily shared, but only privately. The 2nd child is in fact an adult who has initially used the public information about the child’s interests in order to groom them.
 
Some solutions for operating system vendors and developers

·     Architecture of device operating systems needs to change – current mechanisms are more advanced than before (e.g. view privileges) but need to go to the next level.
·     One possibility is to create the ability to “negotiate” in APIs – e.g. “I won’t give you fine-grained location but you can have the town I’m in” (existing example: protocol negotiation in computer systems)
·     More fine-grained mechanisms for revoking permissions – “I don’t trust this anymore” or “I no longer want to share location”
·     Support in APIs for saying “the user does not allow you to do this” – allows developers to gracefully fallback to something without the app breaking.
·     Remember that human behaviour means that people will do whatever they can to get over hurdles i.e. the “Dancing Pigs” problem
·     User must always be in control (this is not the case now)
·     Advanced permissions architectures that allow delegation to a third party that the user trusts (e.g. children’s charities, Which? Etc.)”
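
The negotiation, revocation and explicit-denial ideas in the list above, sketched as an added example (it is not from the original talk and does not describe any real mobile OS API). `PermissionBroker`, `Granularity`, `weather_app` and the sample location fix are hypothetical names and constructed data.

```python
from dataclasses import dataclass
from enum import IntEnum


class Granularity(IntEnum):
    """How much location detail is disclosed, lowest to highest."""
    NONE = 0
    COUNTRY = 1
    TOWN = 2
    PRECISE = 3


@dataclass
class LocationResult:
    granted: Granularity   # what the app actually received
    value: object          # None whenever nothing is disclosed
    reason: str            # "ok", "user_denied" or "below_minimum"


# Constructed sample fix, standing in for the device's location source.
SAMPLE_FIX = {"lat": 51.0, "lon": -1.0, "town": "Sampletown", "country": "UK"}


class PermissionBroker:
    """Hypothetical OS-side broker between apps and the location source."""

    def __init__(self, fix):
        self._fix = fix
        self._ceiling = {}  # app_id -> highest Granularity the user allows

    def set_ceiling(self, app_id, level):
        self._ceiling[app_id] = level

    def revoke(self, app_id):
        # "I no longer want to share location": takes effect on the next call.
        self._ceiling[app_id] = Granularity.NONE

    def request_location(self, app_id, wanted, minimum=Granularity.NONE):
        # Unknown apps get nothing: the user, not the app, sets the ceiling.
        ceiling = self._ceiling.get(app_id, Granularity.NONE)
        granted = min(wanted, ceiling)  # negotiate down, never up
        if granted == Granularity.NONE:
            return LocationResult(Granularity.NONE, None, "user_denied")
        if granted < minimum:
            # The app cannot use anything this coarse, so disclose nothing.
            return LocationResult(Granularity.NONE, None, "below_minimum")
        return LocationResult(granted, self._coarsen(granted), "ok")

    def _coarsen(self, level):
        if level == Granularity.PRECISE:
            return (self._fix["lat"], self._fix["lon"])
        if level == Granularity.TOWN:
            return self._fix["town"]
        return self._fix["country"]


def weather_app(broker, app_id="weather"):
    """App side: ask for the best fix, fall back gracefully on denial."""
    res = broker.request_location(app_id, wanted=Granularity.PRECISE)
    if res.granted == Granularity.NONE:
        return "Enter a town to see the forecast"
    return f"Forecast for {res.value}"


if __name__ == "__main__":
    broker = PermissionBroker(SAMPLE_FIX)
    print(weather_app(broker))                 # default deny
    broker.set_ceiling("weather", Granularity.TOWN)
    print(weather_app(broker))                 # negotiated down to town
    broker.revoke("weather")
    print(weather_app(broker))                 # revoked, app still works
```

The denial is an ordinary return value rather than an exception or a crash, which is what lets the app keep working with manual input instead of pushing the user to grant everything.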

Mobile Security Week

This week is Carphone Warehouse’s Mobile Security Week. I worked with the guys there to create some advice on security for users which you can find on their site. An extended version is on this page. As part of their research, Carphone Warehouse conducted a survey of over 2000 people which highlighted a lack of awareness amongst users about the importance of protecting personal data. It is interesting that only about 54% of those surveyed think that data on their phone is secure. That is lower than I expected and shows that people are at least concerned about mobile phone security, but maybe aren’t sure what to do. The National Mobile Phone Crime Unit (NMPCU) have done some great work in the past few years behind the scenes to help prevent mobile phone theft and one of those is to create a database of property which you the user can use by registering at the link in the first tip. If your phone turns up, the Police can then easily identify it as yours. A lot of my readers are tech people, but most mobile users aren’t and they don’t necessarily want to be. Probably one of the most important messages I’d like to get across is for people to use their handset PIN lock – if you don’t want people getting access to your personal data, this is a simple way of preventing that.

It’s great to be able to get the message out this week to people to think about mobile security, so have a look at the tips and see if you and your family are safe and secure?

David’s Mobile Security Tips

As phones become more and more sophisticated, mobile security becomes increasingly important for users. Here are some tips on how to keep you safe and secure when using a mobile phone.

Record your phone’s identity number in case it is stolen

The International Mobile Equipment Identity (IMEI) is what identifies your phone to the network and is located on the back of your phone underneath the battery. Another way to get your IMEI number is to type *#06# into your phone keypad to display it. When you get your new phone, it should be also on the side of the box. Keep the box label in a drawer just in case you need it. If your phone is lost, report the IMEI number to your service provider and they can block your phone so it can’t be used to make calls. If it is stolen, you should also give the IMEI number to the Police.

You can also register your phone’s details and IMEI number on the UK National Property Register at: http://www.immobilise.com/. This helps the Police to return lost or stolen property to its correct owner.

Secure access to your device and voicemail

PINs and passwords can be a pain as they put a barrier in the way of things you do repeatedly. These days it can be difficult to remember all your different PINs and passwords or be very tempting to use the same password for everything. Firstly, voicemail. The recent phone hacking scandal in the UK showed how important it is to have a PIN on your voicemail to prevent people listening into your private messages. Ring your operator and make sure you have one setup, or alternatively have the service switched off entirely. Don’t choose obvious PINs e.g. 1111, 1234, dates of birth etc.

Make use of the handset locks to protect your data and messages. With touch-screen phones, these are often gesture based, meaning that a convenient swipe is all that is needed to unlock your phone, whilst still keeping your phone safe.

Learn how to manage your passwords without having to remember lots of complex details. You can do this by using password safes which can store lots and lots of different passwords and generate random ones for you. Make sure these are also backed up in a safe place.

Learn how to remotely lock and wipe your phone if you lose it

Losing your phone or having it stolen does happen and when it does, what do you do to prevent someone getting access to your work or personal data? This is where lock and wipe services come in. Many handsets are now capable of running applications with which you can stop someone getting access to your data and, if you’re sure you can’t recover the phone, delete your data. It is a service that can give you invaluable peace of mind if the worst happens. Some services can even help you locate your lost phone by using the GPS function of the device to work out where it is.

Be very wary of WiFi hotspots

However tempting it may be to connect to free WiFi when you’re out and about, take a moment to consider who is providing that service and why. If they’re charging, who are you giving your credit card details to?

By connecting to an untrusted network, you could potentially allow an attacker to get into your accounts for social networking sites, your email and banking details. In general if you are connected to a public WiFi network, don’t do anything sensitive such as internet banking or making purchases.

Know what you are giving applications permission to do

Always think about what an application is supposed to be doing, where it came from and who made it. Simple internet searches can often verify the validity of an application if you suspect all is not well. Inspect the permissions that an application requests. Does this application really need access to your phonebook? Does it really need to send SMSs? If not, just don’t install it. It should be said that some phone permissions aren’t very well done and can be difficult to understand, so even a legitimate application can give a misleading impression of what it actually does. There are some tools available to help you manage your permissions, for example only giving one application the permission to get to your location.

A common practice amongst hackers is to create a fake copy of a genuine application. This might be free, to entice people to download it. Sadly, the free version is a “Trojan horse” and will do nasty things. Mobile malware is still at a very low level in comparison with the PC world, but is definitely on the rise in 2011 and you should be extremely careful with applications you download. Many hackers see mobiles as an increasingly juicy target because your whole life is stored on there. You are putting yourself at increased risk if you ‘jailbreak’ your device or if you install untrusted applications. Anti-virus applications are now available for those people who want an added level of protection.

Be careful when clicking on web links and scanning 2D barcodes

Don’t be lured into clicking on an unknown link to a web page. A phone’s screen is much smaller and it is often more difficult to see a full link to a website and verify that it is what it says it is. Not only this, but links are often shortened so you can’t actually read the proper website it goes to. If you get messages or posts on Facebook and Twitter with links, stop and think. Do you know the sender? If you do, is this something that they would send you? If you do click, it is often too late once you realise that there is a problem. Don’t react to or reply to spam messages you may get over SMS or Bluetooth.

New technology allows barcode scanner applications to read 2D or Quick Response (QR) codes (kind of like square barcodes). These are often put in newspapers and on advertising boards. Be very careful – do you know and trust the source? Could the poster have been tampered with or be fake? The problem here is that you often can’t verify whether the link is genuine or not, because you can’t decipher the barcodes with your own eyes. It could be linking to some very nasty stuff.

Always backup your data

This is something that is always on the to-do list but never quite gets done. Take a little time to think about what would happen if you lost your phone and phone numbers and how it would affect you. Then think about what you can do to mitigate that. There are lots of services and tools out there to help you do this on a regular basis without thinking about it. Choose one you trust, or if you decide to backup your data yourself, make sure you do it regularly and store it in more than one place just in case your backup fails.

Be careful when charging your phone on someone else’s computer or at a charge point

Be extra careful if you desperately need to charge your phone while out and about. A lot of phones combine a data connection with the charger so you could end up having your data stolen without realising it. Who is providing the service? Do you have to handover your phone to have it charged? Do you really need to connect to your friend’s laptop? At a recent hacking conference, a fake battery charging booth was setup offering free phone charge but then stole the data of the phones connected.

Protect your children whilst surfing

Kids often know more than their parents when it comes to new technology. Whilst a phone can give you peace of mind that your child is safe when out and about, it also has access to lots of functionality and content that you might not want to allow your child access to at home. There are some applications available that can be installed on mobiles to help you manage what your child can access or download. You can get a shop to set these up for you and set a password so that your settings can only be changed by you. There is some great information on protecting your children online in The Carphone Warehouse’s Guide to Mobile Web Safety at: http://www.carphonewarehouse.com/mobilewebsafety and also on CEOP’s website: http://www.thinkuknow.co.uk/

Be aware of your surroundings when using your phone

Phones are an attractive target to thieves and whilst they’re with us all the time, they can be snatched or stolen easily. Think about your surroundings when you’re about to use your phone. Do you really want to turn your phone on, just as you walk out of the tube, or can you do it further down the street? If you’re sat in a café or bar, don’t leave your phone on the table. It is a prime target for snatching or a distraction theft. Of course, make sure that any handbags or rucksacks are secured too; trapping a chair leg around a handle is a good way to prevent a bag being stolen.

Are you walking along and browsing such that you haven’t noticed if someone is near you? You are particularly vulnerable if you’re tied up doing something else. Rather than walking home at night on the phone to a loved one, put the phone away so that you’re aware of everything going on around you.