March 1, 2015

Basic Methods to Secure your Smartphone

By Matt Mosley and Paul Bertolone

A few simple settings and personal habits can drastically increase the security of your smartphone and protect data stored on the device and within cloud storage services.

American media outlets this week cannot turn their attention away from breaches of various celebrities’ cloud storage accounts and the subsequent leak of sensitive photos. Early stories pinpointed Apple’s iCloud service as the common factor in the thefts, but Apple has stated that the service itself was not breached; rather, the attackers used basic methods, working on user names, passwords and security questions, to get into the individual accounts of those targeted.

Here are some practices to protect your data on your mobile device and computer…

Do Not Re-Use Passwords

Use a unique password for each account to limit the damage from any one compromise: if a malicious party obtains one password, they will try it against your other accounts. A password manager such as LastPass can be a good option if it is managed properly. LastPass is specifically recommended here because it encrypts the vault with a strong algorithm (AES-256), decrypts it locally on your device rather than on the server, and offers multi-factor authentication.

Use Strong Passwords

The longer a password is, the harder it is to guess, whether by a human or by a computer. Each character added to the length multiplies the number of possible passwords, which can add months or years to the time a computer needs to crack it. Adding special characters and numbers widens the set of characters an attacker must try and increases that time further, though length matters more than variety.

Ideally, one should use a unique password of at least 15 characters made up of seemingly random numbers, symbols and mixed-case letters that contains no dictionary words.

Lists of the most common passwords abound on the Internet, easily accessible and directly usable in a dictionary attack on your account. Sources vary, but a surprisingly large number of users still resort to passwords like:

  • 123456
  • password
  • qwerty
  • abc123

CBS News published a list of the top 25 passwords earlier this year; if any of your accounts have any of these, it would be wise to reset to a stronger option.

But, How Can I Remember That?

We get it; you have twenty accounts at work and another dozen you use in your off-time. Remembering all of those complex passwords can seem impossible, but a simple trick can make it easy: use a mnemonic, a memorable phrase condensed down to its initials and numbers. The phrase is what you remember; the abbreviation is what you type.

For example, the memorable and personalized phrase “My son Thomas was born in 2007 and began Kindergarten in 2013!” becomes MsTwbi07abKi13!.

In this case, at 15 characters, with non-repeating digits, upper- and lower-case letters, and a symbol, it would be tough to guess and extremely time-consuming to crack. Any password can ultimately be broken given enough time, but by our estimate this hypothetical one offers 675 quintillion possibilities and would take 11 centuries to break (hence the importance of length and complexity). Treat such figures as relative rather than absolute: they depend on the guess rate assumed, and an attacker working offline against a stolen password hash can guess many orders of magnitude faster than one typing into a login form. For comparison, a password of five or six lower-case letters can be cracked with publicly available software in under ten minutes. If you want to check a potential pattern for strength, the Open Web Application Security Project (OWASP) offers an analysis tool for this purpose.

Do not type a real password into such a tool, or anywhere other than the service it belongs to; test a similar but distinct dummy password to get an idea of its strength.
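The arithmetic behind the length and complexity claims above, as an added example that is not part of the original article: a small Python script that classifies a candidate password’s character set, computes its keyspace and entropy, estimates crack time under three assumed attacker guess rates, and checks the candidate against the four common passwords listed earlier. The guess rates, the candidate passwords and the uniform brute-force model are assumptions made for this example; the article’s own 11-century figure comes from a different tool and different assumptions, so compare candidates against each other rather than against that number. Running it locally also avoids pasting a candidate into a web form.

```python
import math
import string

# Guess rates in guesses per second for three attacker models. These figures
# are illustrative assumptions for this example, not measurements from the
# article; real rates depend on the hash algorithm and the hardware used.
GUESS_RATES = {
    "online login form (rate limited)": 10.0,
    "offline, slow hash such as bcrypt": 1e5,
    "offline, fast unsalted hash on GPUs": 1e11,
}

# The four passwords listed in the article. A real cracker carries tens of
# millions of such entries and tries them before any brute force begins.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123"}

CHARACTER_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 printable symbols
)


def is_common(password: str) -> bool:
    """True if the password appears on the (tiny) common-password list."""
    return password.lower() in COMMON_PASSWORDS


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must cover.

    Each character class (lowercase, uppercase, digits, symbols) that appears
    anywhere in the password adds its whole class to the alphabet.
    """
    size = sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must consider."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; the usual way strength is quoted."""
    return math.log2(keyspace(password))


def years_to_crack(password: str, guesses_per_second: float) -> float:
    """Expected years to find the password: on average half the keyspace."""
    seconds = keyspace(password) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def assess(password: str) -> dict:
    """Summarise a candidate under the uniform brute-force model.

    The model is optimistic for passwords built from words or dates: a
    cracker tries dictionary words and mangling rules before brute force.
    """
    report = {
        "length": len(password),
        "charset": charset_size(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "on_common_list": is_common(password),
    }
    for attacker, rate in GUESS_RATES.items():
        report[attacker] = years_to_crack(password, rate)
    return report


if __name__ == "__main__":
    # Constructed candidates: the article's mnemonic, a short lowercase
    # password, the mnemonic with two characters appended, and a common one.
    for candidate in ("MsTwbi07abKi13!", "abcdef", "MsTwbi07abKi13!x9", "password"):
        print(candidate, assess(candidate))
```

Appending two characters to the 15-character mnemonic multiplies its keyspace by 94 squared, while the six-letter lowercase password falls in a fraction of a second against a fast hash; the common-list check fires before any of that arithmetic matters.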

Don’t Write your Password Down

Unless you keep your password list in a secured physical vault, it is not advisable to have a written list at all. The sticky note in your desk drawer or on your monitor is even less advisable. And you are probably not as clever as you think: social engineers know how to spot a password ‘disguised’ as a phone number or a name, or shifted one key over on the keyboard. Your brain is the best vault here.

Many applications offer secure virtual vaults, often as an app and/or a cloud service, but keep in mind that a vault puts all of your credentials in one place, so a compromise of it exposes everything; be wary. Whether you choose LastPass or another solution, do your research, confirm that strong encryption is used, and protect the vault with a strong master password and multi-factor authentication.

Phone Habits

Set your phone to ask before joining unknown Wi-Fi networks, and better yet, leave Wi-Fi turned off when outside the range of your preferred networks. With the radio disabled, you eliminate one potential pathway into your device.

Likewise, a Bluetooth device in “discoverable” mode advertises itself to every device in range and invites pairing requests, so turn Bluetooth off or keep it non-discoverable to avoid unintentionally pairing and establishing a Personal Area Network (PAN) with an untrusted device.

Use Security and Reminder Questions that are Difficult to Guess

To reset a password, many web services require answering pre-determined security questions. While some may seem very obscure, social engineers are very adept at determining the correct answer.

For example, a common ‘verification’ question is, “What was your high school mascot?” The answer is easily found by searching for a Facebook profile, which often lists the user’s high school (even in the publicly visible portion of the profile); the school’s website then gives away the mascot. Such a lookup takes only a few minutes on public-facing websites.

The best solution for these password-reset questions is to answer them untruthfully, or to add a detail only you would know. If the site asks for your favorite color, your answer could be “Silver Car.” You have answered in a way you will remember, but an attacker would never know to add the car to the color. What high school did you graduate from? “The fighting bulldogs.” Instead of naming the actual school, you have described the mascot. Get creative with your answers, but not too creative, because you need to remember them; treat them as additional passwords, which also means not reusing the same made-up answer across sites.

These reset questions are more common on the full web versions of services, but many mobile services and applications can also be accessed from a desktop or laptop, whether or not that machine is associated with the user’s phone, so the weak reset path exists even for accounts you only ever use from your phone.

Two-Factor Authentication

Whenever possible, take advantage of two-factor authentication. It is one of the most effective steps you can take to keep your accounts from being compromised: it combines something you know, your password, with something you have, your phone, so a stolen or guessed password alone is no longer enough to log in. Passwords just aren’t as strong a defense as they used to be; two-factor authentication goes a long way toward closing that gap.

Most popular websites, e-commerce sites, and services offer two-factor authentication. It typically works like this: you enter your username and password to log in (something you know). Then the website validates that you are who you say you are by sending a short, time-limited code to your phone by text message, or by having an authenticator app on the phone generate it (something you have). You enter that code to complete the login; each code works once and expires shortly afterward.

Google, LastPass, Apple, Facebook, Dropbox, Twitter, LinkedIn, and many more all offer this feature and we highly recommend you start using it.
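The exchange described above, as an added example that is not part of the original article and not the code of any of the named services: the server side of the text-me-a-code step in Python, with the SMS gateway replaced by a callback and the clock made injectable so the flow runs offline. The user name, phone number, code length, five-minute lifetime and three-attempt limit are assumptions made for this example. It shows the checks a practitioner expects on this step: the code comes from a CSPRNG, is compared in constant time, expires, works exactly once, and is discarded after a few bad guesses.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6          # length of the one-time code sent to the phone
CODE_TTL_SECONDS = 300   # the code is worthless after five minutes
MAX_ATTEMPTS = 3         # guesses allowed before the code is thrown away


class SecondFactorServer:
    """Server side of the 'text me a code' second step.

    send_sms(phone_number, message) stands in for a real SMS gateway and
    clock() for time.time(), so the flow can be exercised offline.
    """

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms
        self.clock = clock
        # username -> [code, expiry timestamp, attempts remaining]
        self._pending = {}

    def begin(self, username: str, phone_number: str) -> None:
        """Called only after the username/password check has already passed."""
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = [code, self.clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_sms(phone_number, f"Your verification code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        """Return True exactly once per issued code, and only while it is fresh."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing issued, or already used
        code, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            del self._pending[username]       # expired codes are discarded
            return False
        # constant-time comparison on bytes, so odd input cannot raise
        if hmac.compare_digest(code.encode(), submitted.strip().encode()):
            del self._pending[username]       # single use: a replay will fail
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[username]       # out of guesses: must re-request
        return False


def code_from_message(message: str) -> str:
    """Pull the digits out of the constructed SMS text."""
    return message.rsplit(" ", 1)[1]


def wrong_guess(code: str) -> str:
    """A guess guaranteed to differ from the real code in its first digit."""
    return ("1" if code[0] != "1" else "2") + code[1:]


def walkthrough() -> dict:
    """Exercise the flow with a fake inbox and a controllable clock."""
    inbox = []
    now = [1_000_000.0]
    server = SecondFactorServer(send_sms=lambda number, text: inbox.append(text),
                                clock=lambda: now[0])
    user, phone = "alice", "+15555550100"   # constructed for the example

    server.begin(user, phone)
    code = code_from_message(inbox[-1])
    results = {
        "wrong_code_rejected": server.verify(user, wrong_guess(code)) is False,
        "right_code_accepted": server.verify(user, code) is True,
        "replay_rejected": server.verify(user, code) is False,
    }

    # A fresh code that the user lets expire
    server.begin(user, phone)
    code = code_from_message(inbox[-1])
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_code_rejected"] = server.verify(user, code) is False

    # A fresh code that an attacker tries to brute-force
    server.begin(user, phone)
    code = code_from_message(inbox[-1])
    for _ in range(MAX_ATTEMPTS):
        server.verify(user, wrong_guess(code))
    results["locked_out_after_bad_guesses"] = server.verify(user, code) is False
    return results


if __name__ == "__main__":
    for check, passed in walkthrough().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

Whoever receives the text holds the second factor, so the code must never be accepted a second time and must not be guessable in the window before it expires. The same verification logic applies when the code is generated by an authenticator app on the phone instead of delivered by SMS; only the delivery step changes.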

Watch ‘Shoulder Surfers’

Always use a passcode or a pattern to access your smartphone.

Keep in mind that the simplest cons are often the most effective. Be aware of your surroundings and don’t let others see you enter your credentials. On a touchscreen phone, whether an iPhone passcode keypad or an Android unlock pattern, an observer can deduce your code from the fingerprint smudges left on the glass, so keep your phone close and wipe the screen regularly.

Apply Smart Privacy Settings

Most mobile platforms let the user decide which permissions to grant each application. Best practice is least privilege: give every application the minimum access it needs to function. Limit access to your location, your address book, and other applications unless it is absolutely needed.

Bluetooth sharing and collaborative programs like Apple’s AirDrop should also be disabled and only activated when needed.

The bright side of most of these changes is that they will also improve your phone’s battery life.

Much like personal safety, your online security depends mostly on your habits. It’s harder to be mugged downtown after midnight if you avoid bad areas at a late hour. Take the same approach to your social media and personal devices: use them smartly and make it hard for an attacker to get in, and they will likely move on to someone else.

Criminals are opportunists. Don’t give them an easy opportunity.

Matt Mosley is an Adjunct Professor of Offensive Tools at UCLA. He is the Director of Threat Research at Tevora Business Solutions.

Paul Bertolone is a Consultant at Tevora Business Solutions and serves as a Communications Information Systems Officer for the United States Marine Corps.