The UK news establishment is in full retreat with news suggesting reporters hacked officials' cell phones to extract private data about a range of personal issues. Even if you are not a government official being targeted by tabloid news, criminals, competitors and other bad people may already be using, or will now start using, these same techniques to take advantage of you. Before everyone gets all worked up about downloading some new anti-virus software or such for your cell phones, here are some key steps you should take right now:
Basic Security (Average User)
- Never, ever, ever leave a detailed voicemail about a sensitive issue.
- Implement a password/PIN to access your cell phone/smartphone – the type that requires you to log into your cell phone if left unattended. Use the longest password or PIN that you can.
- Set your voicemail so that you must enter a PIN even if you are calling in from your cell phone.
- Check your cell phone plan to be sure the “Forward Messages” function has not been turned on somehow, redirecting your messages to some bad guy.
- Assume everything you say or do on a cell phone is being recorded.
- Keep your OS up to date and apply the latest patches as soon as they are available. In both the iPhone tracking and DroidDream malware cases, an OS issue was exploited. Both Apple and Google quickly fixed the issues and released patches.
Advanced (Business user with liability for protecting data)
- On your business-related phone, go a step further and say in your voicemail message “Please do not leave any sensitive information in your voicemail”.
- Use secure protocols (often referred to as TLS) when setting up POP/IMAP on your smartphone. This encrypts the data moving from your phone to the server.
- If you use Gmail, turn on 2-factor authentication. This creates a specific password for each of your devices. If your smartphone goes missing, you can kill access just for that device without disrupting everything else.
- Set your smartphone data security encryption (the data stored on your data cards/phone) to high. If someone steals your phone they may try to take out the memory card to get at your data; encryption slows them down.
- Do not download applications unless you are absolutely sure of their origin (i.e. they come from a name-brand company whose reputation will be destroyed if they steal data).
- For companies with multiple cell phones or enterprise tools, limit users' ability to load software (one thing that BlackBerry does better than anyone else is to lock down cell phone functions through its policy engine).
- Turn off the location based functions. Turn them back on only when you need them (which frankly is not that often).
- Have two cell phones – one for general use, and the other for important/secure matters.
- Get a Google Voice or other VoIP-type account that lets you automatically forward calls to your cell phone. Then only give out your Google Voice number. If a hacker knows your cell phone number they can hack your online account or call the cell phone provider, and sometimes change parameters of your account to give them access to your data.
- Be sure you have set up remote find/remote wipe on your cell phone/PDA. Back up your cell phone. Then test the remote wipe function so you are sure it works. Reload your phone from the backup.
- Use the designated application for accessing your email – either an email client, or an application from that specific vendor. Do not log on to a web page to get mail via a smartphone. It is very easy for the bad guys to create a site that looks like Google Mail/Yahoo Mail to trick you into providing your user name/password.
Paranoid (Under major attack/threat)
- If you are outside the US, everything you say on your smartphone, transmit wirelessly via email or text, or view on a web page is being tracked by the host government. Everything.
- Understand that there is a range of simple “Snoopware” programs that can be downloaded onto your cell phone, sometimes even remotely. These programs can record you even when you are not on the phone.
- Disable the “password save” function on your cell phone applications (Facebook, Twitter, etc.). Type your passwords in when you need them. Better yet, if totally under attack, delete all these applications.