Safe assumptions in an unsafe data age
People are once again getting paranoid about security after the recent iCloud hacks and the revelation that people have been designing kits to go into software to steal photos/data/etc. (this is nothing new). This always leads to companies scrambling to tout that their security measures are the best, or that that can’t happen to them, but here’s the truth: anything that goes on a device you think is private can probably be retrieved by a third party.
This is a very long piece, and basically boils down to this: you should have no assumption of security on a device you didn’t build from silicone to programing language to operating system yourself.
It’s something the government has known for a long time (there is a reason there are physical hard drive shredders), and it’s something software companies have been claiming they can defend you from since the 90’s, but it really doesn’t work particularly flawlessly, as we’ve recently seen.
The best assumption you can have that will protect you is that anything you upload or sync to the cloud can rain down somewhere else at some point.
While cloud services (other than iCloud circa a month ago) generally have extremely good front-end security, and will have even better after this most recent ridiculousness, cloud services also have extensive backups, their data travels from place to place and can theoretically be intercepted, their data travels to you and can be intercepted along the way. They have employees who have access to your data and may wish to profit from it once their employment ends. There are plenty of other potential issues.
The next assumption you can have is that if something gets put into digital form, it will probably somehow end up on the cloud. Recently while trying to debug why a co-worker had maxed out his allocated Drive storage, I found out his Google+ Photo Sync was on. Photo Sync was uploading his movies (home made and downloaded), and everything was now available online on his corporate account.
Another assumption is security software isn’t going to protect you. If you’ve granted an app internet access, it can upload to a server. If you’ve granted it the option to write to the SD card, you’ve probably granted it the right to read anything on the SD card (photos, videos, etc.). Security software works by scanning for known issues. These issues aren’t generally known until after it’s too late for a lot of people.
From this point on the assumptions are more possibilities.
If you install an app that has permission to draw over other apps, you have no assurances that you’re actually doing what you think you’re doing any more. The movie Oculus comes to mind for this – if you haven’t seen it, it’s Amy Pond versus a demon mirror, and is oddly quite enjoyable. You might think you’re just launching your banking app, but a sophisticated attack could pop up a fake keyboard overlay to get your PIN, or draw over portions of the app, or have simply drawn over the malware’s fake banking app icon with your banking app’s icon and changed your banking app’s icon to look like something else. Or I’m grasping at straws here with the overlay possibilities.
Just because there’s no malicious code in an app doesn’t mean there can’t eventually be malicious code in an app. An app with internet access can get a series of commands from anywhere. You’re usually safe on this, because the instructions can’t access more permissions than you gave the app, but if it has internet access in the first place, it could start a DDOS, get you in trouble for accessing and distributing illegal content, or get you a friendly police visit after someone hijacks your IP address.
If your device is capable of being rooted from code you execute on the device only, chances are you’ve got an absurdly unsafe device that may already be compromised. While I love to give companies hell about the hurdles they put between the average user and root access (requiring a computer, erasing the device, install custom bootloader, push superuser), if a device is exploitable it will be exploited.
If your device supports screen recording without elevation, a malicious program could start recording the instant you open your banking or credit card app and upload the video in the background.
64, 128, 258, or 2048 tunneling SSL encryption – none of those matter if you’ve set your password to “Password1”. It also doesn’t matter how complex your password is if you use the same one on another service that gets compromised, it’ll get used on every other site imaginable until the attacker hits paydirt or runs out of places to try.
Even with everything possible done to secure yourself and dealing with the most reputable companies out there, keep in mind national intelligence agencies most likely have access to everything you put in a cloud service’s care, and even the NSA gets compromised sometimes.
Using TOR, Orbot, or other distributed proxy anonymizers may help you evade your ISP while you’re looking at stuff that’s against their TOS, but your actions and browsing history can most likely be reconstructed by a government wishing to come up with a valid reason to flog you.
While Google and Apple attempt to protect users via from malicious apps via verified developer accounts, someone with enough money can usually purchase a throwaway account to post a malicious app.
Anything you transmit over a cell tower is suspect since it’s relatively easy to set up fake cell towers. If you’ve got a fake cell tower you are perfectly positioned for a man in the middle attack.
Even compiling a ROM you’ve looked over every line of the source code can’t quite be trusted as we learned with the Ken Thomson hack.
In summary – if it’s digital, you’re probably best off assuming that whatever you do could somehow be intercepted by someone or that there’s a log of it somehow. The chances are low, and you can minimize the risks, but there’s always a risk.
But what can be done?
If you do get impacted, in this day and age unless you want to live like a kook wearing a tinfoil hat and paying for everything in $2 bills, it’s part of the game. You can get ahead of the game if you really want to learn how security works on the ins and outs, or you can adopt some best practices which include checking your credit card and bank statements pretty regularly from a computer or device you trust, and running a credit report on yourself every now and then to make sure someone’s not stolen your identity.
CreditKarma is actually really good for that last bit. In case you’re wondering, they make their money attempting to sell you extremely targeted home loans and better interest credit cards, not by attempting to sell you some credit monitoring service. However, putting all your information in yet another basket could be asking for it.
You can also disable syncing pictures to the cloud, keep highly sensitive photos and personal information off of any device that’s plugged into the internet unattended, monitor app data usage for anything fishy, and realize the whole system eventually comes down to: do you trust this developer, application, merchant, payment processor, etc with any of your data? Are you willing to watch boring readouts of phone or computer data usage and keep logs of IP connections in the event your devices are compromised? Do you want to carry a wallet full of $2 bills?
My info was compromised in the Target data breach, the Home Depot data breach, the Adobe password data breach, a cloud services breach in 2011, along with at least ten others over the past few years. All these breaches came from places you should be able to trust that we’ve been reassured time and again have been tested, vetted, and are good. They are, until someone breaks the next level of security.
We can only trust these places to make it right when they fail, because fail they will.
Once you think you’ve got application security down ask yourself “how do I know that the good application I’m running isn’t running in a malicious application’s virtual machine with the host recording everything I’m doing and uploading it behind my back?”
Carry on as you have, but realize security when connected to the internet is a comforting illusion. Make adjustments as you see fit.
