Wednesday 30 September 2015

“Hunted” - A technology view

How many of you have been watching Hunted on Channel 4?  I have been an avid viewer since the first episode and have to say it was an eye opener.  I was surprised how much surveillance there is in the UK, allowing people to be traced by mobile phone and ATM usage, number plate recognition, CCTV footage, but more concerning the digital footprint people were leaving, where every step could be traced.

The mobile phone has become the hub of many people’s lives, in a short period of time of being a device to make calls, it could then send text messages and play Snake, to being the hub of all communications, such as work email, personal email, social media, text and picture messages, video calls, tracking our movements for fitness, our music, video and photograph repositories, and we sometimes even use them for telephone calls!

I know that if I misplace my mobile phone, I’m at a loss, but that’s probably the subject of another blog post.  In the show, they talk about phone tapping and triangulation, but more concerning was how people didn’t have any security on their devices, allowing access immediately onto the device.

Smartphones are lost or damaged on a seemingly regular basis, but thankfully there is the option to back up the device’s applications and data to a public cloud service.  This functionality is offered by the main operating system providers, such as Google, Apple and Microsoft, as well as manufacturers such as HTC.  This can only be a good thing, except if someone has access to your password, where the backup can be restored.  This would give access to text messages, browser history, and other private and sensitive information.

Unless you are paranoid or technical, you probably have a web based email account provided by Google, Microsoft, Yahoo, etc, as the convenience of a web based email account outweigh any benefits of running your own mail server for your own domain.

Internet based services are easy to reach offering convenience, but also means that you are open to have your account compromised by a hacker.  On the show, one email account where access was gained immediately as the password was saved by the browser.  

A recent episode showed the use of a phishing attack, where a seemingly legitimate email was sent with a link, which led to a website asking for a password.  As most people use the same password for multiple websites, having one password can open access to many online accounts.

Google searches
In the show, internet searches were used to discover what the user was researching prior to being hunted.

I’ve never been worried about what I’ve been searching for on the internet, but if you are, there are privacy services offered by the major browsers.  Although it will mean that your searches are not cached and no cookies will be stored, the provider and the ISP (Internet Service Provider) you’re using will know, as they have to deliver this service.  

If Internet anonymity is important, the using tools like the TOR network, utilising their software and thousands of routers, there is the ability to hide identity and usage.  This can be great for privacy, but can be a threat to national security. 

Social media
The internet revelation of social media allowed to find our friends and share information.  For people to find you, you have to place a certain amount of information on the internet, but many people over share, leaving a lot of information about themselves on the internet.   

The researchers on the show used internet searches to see what they could find about the subject.  When that wasn't enough they also used the users devices for access to social media accounts, where again passwords were either saved by the browser or written down on a piece of paper nearby.

Location Services
The ability for your apps to have location information improves the app experience.  One of the primary uses is for mapping, allowing the device to be located on a map.  It’s not commonly know that location services are typically switched on for a mobile phone camera.  This has a use if you are taking a photograph to share on social media, telling everyone where the photograph was taken.  The downside, the properties of the photograph shows the location, which many not be useful if you don’t want people knowing where the photograph was taken.

I haven’t seen this used on the show, but would have been useful in locating people beyond the mobile phone triangulation and number plate recognition.

Protecting Mobile Devices 
Smartphones are ubiquitous, but are incredibly powerful devices we have in our pockets.  I met someone recently who didn't trust smartphones so has a non-smart mobile phone.  There are some simple measures that can be used to protect the device.  

Create a PIN or password for the device.  Yes, it can be a pain to have that, but it’s protecting the device and the contents.  You will be able to set the device to wipe itself if the incorrect PIN/password is entered incorrectly a number of times.

Ensure your device is backed up regularly, so even if the device is lost or stolen, the data won’t be.  The password for this cloud storage and cloud backup account must have a strong password, and there is often the option to use two-step verification where a code is sent via SMS to the registered mobile device.  If it’s too easy for you to access the account, it’s too easy for a hack to access it as well.

Protecting Email 
Sounds like simple advice, but harder to execute.  Use different complex passwords for each of your online accounts, don’t allow your browser to remember the passwords, and switch on two step or two factor authentication where possible.  

There are applications to help remember the complex passwords, but a popular one, KeePass was recently discovered to have a security flaw.  Just don't write down your passwords and certainly don't keep them next to your computer or tablet!

As ever, ensure the sites asking for your passwords are legitimate sites, and simply delete anything that looks “fishy”!

Protecting Browser History 
Browsers can be set to delete search either automatically or manually, as the search history is automatically cached.  Most browsers will have a secret search feature, where the history is not stored and neither are cookies, typically created when visiting a website.  The issue with cookies, is that they can be read by other services.  For example if you search for a computer game, you will see on subsequent websites advertisements for that game.  This information is stored on a cookie and being read by advertising services.  Keep in mind that sites visited will be tracked by ISP delivering the content, so the Internet history will never truly be private.

TOR can provide anonymity to the user, but the traffic and content can be seen on the exit node and performance can be poor, due to the bandwidth available.  It certainly won't offer the media and feature rich Internet experience we've come to expect.  If you have something to hide TOR maybe the way forward, but the sacrifice may not be worth it.

Protecting Social Media
Think about what information you want about your out on the internet.  Imagine if anyone could have full access to your profile, what could an unscrupulous person do with that information?  Is your password made up of your favourite team, band, child’s name, mother’s maiden name, pet’s name, etc?  Then think if that information is on your public profile?  Set privacy settings to ensure on the people you want can see the information you want them to.

Protecting Location Information
If you need to hide your location, but want to use Social Media?  Check the location services and whether they are enabled on your applications, especially your mobile/tablet apps.  Check the settings for your camera as well. Even if location services are stopped on Social Media, the properties of the photograph can still have the location of where it was taken, if the feature has not been disabled on the camera.

If you are really being hunted, then this is only basic advice, but much like the IT security adage, “It’s not if, but when you’re hacked”, it may well be; it’s not if they find you, but when!

No comments:

Post a Comment