Least surprising note of the day: I am a huge geek. See my picture up there? Nerd beard. Enough said.
My current geek obsession is focused on mobile devices. I just upgraded my fantastic and near-new Google Nexus 6P to a Google Pixel XL. Why? Because NEW PHONE. And Google AI Assistant. But mostly, NEW PHONE. And if you’re wondering, it is indeed a fantastic device, and of course it’s secured by Centrify.
I had the new phone shipped to me here at work, so I could “move in” right away. As I compared the new and old devices, and generally waxed romantic about how far we have all come, and how much power I now had in the palm of my hand, a coworker popped up over the cubes, and glared at me. He reminded me that with great phone power, comes great phone responsibility.
He did so in a lovely and musical English accent. Here’s basically what he said, British-ness included (or at least, attempted):
“You’ve been staring into that phone for hours. You’ve become the modern Narcissus! He who espies his reflection in a pool after having been lured there by Nemesis, the goddess of revenge. He was so mesmerized by the reflection, he gazed at it till he met his end.
That’s us! We’ve all become mesmerized by the reflections we see on the shiny glass screens of our mobile devices, as they purport to reflect ourselves back to us. While we consume the content, connect with people, or gawp (Yup, he DEFINITELY said “gawp”) at the news cycle, we ignore the underlying perils associated with this intimacy.
We are blithely unaware, most of the time, about what the apps are doing under the surface — what information the apps are mining from us, who they are sending it to and what is being done with our data. Mobile phones are just computers in our pockets, and if we hew to the overarching premise that everything is hackable, we are all at risk.”
He went on, quite articulately:
“Think for a moment about social engineering. There are no safeguards against human gullibility. A malicious actor can leverage social engineering to force us to accept an app download, or to click spurious (Spurious!) download links in emails or texts, or use Bluetooth to connect to our phones unbeknownst to us. Through these mechanisms, and aided by guileless credulity, we place our trust in apps, and cede control of our devices for malicious apps to be installed, and for the data to be sucked out.”
I promise he said guileless credulity, and I absolutely didn’t laugh – in fact, I was entranced at this point. He was on a roll…
“Mobile devices are becoming increasingly targeted to steal credentials and act as a setup for authentication. Gartner noted recently that through 2017, 75% of mobile security breaches will be through apps and not attacks on the OS. As we share more of our data to the cloud, a mobile phone becomes a primary vector to access and control information about our associated identity in the cloud.
Furthermore, we ignore the relationships we set up between apps and services, where we allow services to access one another. We allow app authorizations, and promptly forget about it — leaving the side-door wide open for someone to wander in. Recently, some eminent people, including some tech cognoscenti, were hacked through a particular service that had been compromised. Due to the breach at this service, a number of people who had set up relationships with other social networking services — a process called app authing — found their Twitter and related social media accounts fully compromised.
Through one vulnerability, users were exposed across a number of other connected services. As we move to greater connectivity through our phones, our cars, tablets, cameras and home security systems — all being connected, all being accessible — we enter a new era of ‘hackability’ — the ability to be hacked.”
It was at this point that he digressed. He discussed the nature of pwnability – the ability to hack or pwn another person. We laughed about the etymology of the word “pwn,” stemming from “own” stemming from online video gaming… I’ll spare you that, and skip to the end:
What, dear coworker, can we do, in this newly-minted mobile age?
- Work a little harder at security: By this stage, it is fairly obvious to most people that two-factor authentication is an absolute must. There is no doubt that multiple layers of security create an effective barrier to illegal access. In addition, every app or service needs its own strong, unique password. Tying the two together — strong, unique passwords and multi-factor authentication — will deliver a high security threshold across your devices and services. Any lesser approach is open to being compromised.
- Consistently tend the garden: If an app hasn’t been used in a few months, and the reason for its existence seems hard to recall, it is wise to weed it from the garden. As the leading expert in de-cluttering, Marie Kondo, points out in “The Life-Changing Magic of Tidying” — if it does not spark joy, it does not get to stay. By that sage advice, declutter the app garden regularly.
- Examine all side doors: Delve deeper into the level of access apps and services have been granted to each other. Revisit key services like Google and examine app authorizations. Applying the de-cluttering mindset, revoke access for integrations that no longer create value or joy.
- Share less, better yet — not at all: Even within a family or organization, sharing passwords (and secrets) is a perilous venture, often with unintended consequences. On the Wi-Fi front, join only trusted Wi-Fi networks, to avoid joining spoofed networks that may be malicious.
- Spend your clicks wisely: Phishing as a luring mechanism takes many forms and is now found in all available channels — from ubiquitous emails asking for money transfers, to fake followers and dubious text messages. A primary adage used to be caveat emptor, and perhaps for the digital age, it is caveat clicker.
This guy really is articulate. He had five points and everything. And you know what? He’s right! If we put these simple approaches in place, we do a better job securing ourselves, our families and our businesses. This coworker entreated me to work under the covenant that cybersecurity is everyone’s concern — individuals and organizations alike. And then he went back to work, silently and efficiently, and left me to gaze upon my new phone…