SECURITY IN THE CONNECTED AGE

SECURITY IN THE CONNECTED AGE

Security

The modern world is increasingly connected. Today, the mobile phone is much more than just a phone – it is an internet connected computer, that is connected all the time, in untrusted networks.

Unlike the personal computer, that is almost never used in untrusted networks, and is almost always connected within a home network, behind a fire-walled router, the smart phone is almost always connected to an untrusted network. A smart-phone also contains a wide array of sensors that are constantly monitoring you and reporting data that can be easily collected by any app running on the phone. Needless to say, a lot of the “free” apps running on our phones, report this sensor data to their corporate masters, and we have no idea what this data is used for, how long it is retained, and who this data is shared with. A smart-phone also has an embedded GPS chip providing precise location coordinates to services that wish to collect such data. Compare this to a feature-phone, that doesn't have GPS, and can only supply rough location data through cell-tower triangulation techniques. 

We leave a huge amount of very personal data all over the internet, without really being aware of what is going on. 

The Cloud and Personal Data 

Since the advent of online services like free email services, personal data has begun to shift from local storage on home PCs, to service provider storage – i.e. the Cloud.

The shift has been happening for some time now – it began with emails and online chats. It continued to social media. And now, with the advent of smart phones, it has extended to almost all our data – documents, personal banking, location information, and a whole host of very personal information is constantly being uploaded to the Cloud. Some of it, knowingly, a lot of it, unknowingly. 

The power of network effects means all of us gravitate towards common services, making them even more powerful, and giving them even more data about our lives and our interactions with others in our lives. As an example, if all our friends are on Facebook, we too will tend towards going to Facebook, rather than an alternate service, like Google Hangouts. 

The Snowden revelations should have left no doubt in our minds about what data can be collected – we must proceed with the expectation that all of it will be collected. To presume otherwise would be foolish. 

The State of the Law

 The current state of the law only protects personal data if it is under a physical location controlled by the individual owning the data. This is the protection offered by the search warrant. 

In almost all jurisdictions in the world, democratic and free, or otherwise, the law does not protect the individual from searches that are not effected on the individuals personal property. 

There are various, albeit misguided, precedents in law that allow data shared knowingly and willingly by the data owner with Service Providers (e.g. telephone companies), to be extracted without notice to the data owner. 

This is important. Effectively, this means that all data stored in the Cloud, is extractable without a warrant. The individual can expect no legal protection of the right to privacy, and the right to not be searched without sufficient and justifiable cause. 

This ability to bypass legal due-process, that is there for the sole purpose of protecting the common man from abuse of power by those in power, threatens the very foundations of free and democratic societies. 

In a nutshell, we live in a world where we've given away our data for the convenience of being connected, and we have no laws to protect our data from being sold, stolen or abused by anyone with the ability to access it. 

And there are many people who would like to collect all this data:

  1. Advertisers – for the purpose of profiling us and targetting us with ads based on what we're thinking of at the time.
  2. Companies that we buy from (e.g. Supermarkets, Amazon etc.) - so that they may profile our buying habits and be able to attract us towards buying specific products based on our buying history.
  3. Hackers – there is a lot of financially sensitive information that we give away. Credit card numbers and security codes, online personal banking credentials, online accounts etc. that are prime targets for financial gain.
  4. Governments – mass surveillance is becoming increasingly prevalent across the world under various guises, usually under the pretext of detecting and preventing terrorist attacks.

All of the organisations or individuals who have an interest in getting this data, are technically more sophisticated (or can employ highly technically sophisticated people) than the common man. The common man is therefore at a significant disadvantage in this arena.

Mitigation strategies

So, how does one mitigate these threats to privacy, democracy, or, at a very basic level, the threat to financial and reputational fraud?

There are many ways one can adopt to make it progressively harder for prospective attackers to carry out a successful attack. The rest of this document will be devoted to a few common and highly effective means of protecting one's data. 

The first, and most obvious step to take is to not share (or upload) anything that is sensitive for whatever reasons (financial or reputational), to any Cloud service. This means not sending such material out over emails, or storing these in online data storage areas like the ones offered by Google or Microsoft. 

This is a necessary first step. But it's not enough. The next step should be to adopt encryption across the board:

  • PCs should have full hard-disk encryption. This technology is available across all OS's – Windows, Apple or GNU/Linux. So there really is no excuse for not doing this.
  • Sensitive documents should be sent to specific people who need access to them over an encrypted channel. This can be encrypted email, or WhatsApp, or SFTP, or some such protocol where the material can be transferred with full encryption applied end-to-end.
  • Avoid talking about sensitive topics in online forums. Use encrypted forums like WhatsApp groups and ensure everyone in the group has encryption enabled.
  •  Avoid using intrusive services like Facebook, that can build full personal connection graphs out of who is connected to who, and are able to use face recognition techniques to tag individuals, even in group photographs.
  • Use HTTPS services for any sensitive work on the web. This is especially true for banking, but also generally true for web-based purchases, and any financial interaction on the web. 

Having done this, you can now say that you have effectively contained the threat to your data. 

But security is only as strong as the weakest link. And the weakest link is most often the human link in that chain. No matter how strong the encryption, there is little point in it, if the password for the encrypted volume or file is weak. 

The next step in securing our data is then, to make use of password managers, to generate and manage strong passwords per online site that we use. We shouldn't share passwords as that would mean compromising one account will result in multiple accounts being compromised. 

Where multifactor authentication is provided (as most Banks in the UK do, and also as Google does), one should use multifactor authentication. This usually means setting up or using a one-time access pad system (like Google Authenticator, or a hardware key-fob). Such one-time access pads strengthen security by ensuring that any compromise of that site is only valid for a short time. Once logged off, that authentication token is expired and will not be valid for subsequent login attempts. 

You can as well get hardware tokens like the YubiKey – this device can provide a strong static password, which you can use to unlock your PC and/or password manager software. They also provide one-time pads, but unfortunately don't integrate well with many online services. 

Newer versions of the YubiKey have NFC support and can be used to unlock your smart-phone too.


aman@ziksan.in - Adapted from the ARMeD talks/sessions on cyber security. With expert Insights from Gerard Fernandes.

Avinash Mokashi

INVESTIGATION EXPERT WITH NATIONA; INVESTIGATION AGENCY (NIA) MUNBAI BRANCH

5y

I wonder why people with connected word disconnect themselves with old connections?

Like
Reply

Well articulated BUt whats your view on the recent Whats App Fiasco by using Pegasus !!!

Like
Reply

To view or add a comment, sign in

More articles by Aman Bandvi

Insights from the community

Others also viewed

Explore topics