Trust No One Device (Part 2)
My advice from the first Trust No One (Device) hasn’t sunk in. Levels of end user compromise are far too high, complacency reigns about mobile phone security and the risks of social networks and cloud-based storage are becoming more insidious. There’s even suggestions that mobile phones should be implicitly trusted as “secure” endpoints.
Michelle Atagana’s “you’re not your iPhone article” on the Memeburn Tech-Savvy Insight and Analysis wrote, in summary: “Is the ‘i’ in your iPhone a mark of your identity? The way we use our mobile devices today suggests our lives are inextricably bound to them. Most of us are inseparable from our mobile devices. So shouldn’t we just accept that our mobile devices represent who we are, serving as a single completely trustworthy authenticating mechanism?”
I don’t think so. I’m ever so much more in tune with Atagana’s other question: “Or do we need to have some degree of separation from our phones and tablets, such as through personae?” But the fact that someone needs to ask this question in the first place is a bad sign. Yes, we need separation from a human perspective, or else what are we? The Borg of Star Trek? Seriously, just from a security perspective – yes again. As I wrote in my first “trust no device” post documented levels of infection are too high onWindows, Androids and OS/X. IOS, while better, isn’t immune to phishing or physical compromise. Check this lovely Federal statistic: 7% of U.S. households reported some type of identity theft in 2012.
While closely binding security functionality to a single device may seem convenient, it aggregates risk. Any device can be compromised. Susceptibility by OS to compromise is a tricky subject but somehow levels of assurance, evidentiary/signing use and at least dynamic risk algorithms should acknowledge that all devices are vulnerable and some are very vulnerable.
A Single, Secure Device – Scary!
In the Memeburn article, Atagana and my former colleague Robin Wilton found the idea that you are your phone “scary.” But whereas they focus on a rather metaphysical concern about oversimplyfing “the complexities of identity” I’m just scared of aggregating risk in any single machine, however closely we hug it to our “persona.”
We’ve gotten accustomed to trusting smartphones to be somewhat more secure than PCs because they weren’t a priority target for cybercrime early on. We may also have gotten the idea that smartphones were more secure as we employed them in two factor authentication solutions to receive one time password (OTP) codes for logging into or from PCs. But what was secure about that was not so much the phone itself but its use as a second factor (so that an attacker would have to compromise both it and the PC). As people increasingly store all their data on the phone or use it to access all their data, it is no longer a second factor – it’s a single factor, sometimes the only factor.
That businesses and governments would base security and evidentiary decisions (making you liable for something your compromised phone does) on such a thin reed as endpoint security – that’s what’s scary. Earth to Judge Dredd – I’m not my phone!
“Convenient Cloud Storage” – Even Scarier?
Another risk aggregation issue is our growing dependence on “secure” cloud storage. Endpoints are increasing wired to cloud-based storage solutions such as Apple’s iCloud or Microsoft’s Skydrive. Also, users with multiple devices can’t manage their data without one of those cloud solutions, or a service such as Dropbox or Google Drive to keep a single, synchronized copy of their data across devices. Many people trust a lot of data to those cloud services and then put the credentials to access the data on all their devices. But even if a cloud service itself is secure, your data on it is only as secure as your weakest link, which may be your mobile device, your PC or even your account recovery process.
Call to action
Note that the following advice applies equally on an individual level, or for the cloud security and mobile security architecture of an enterprise. Don’t let your digital life be an open door to cybercriminals and other potential adversaries. Don’t become one of the 7% experiencing identity theft or worse. It’s not hard to take some or all of the following steps and greatly improve your safety online.
- Reduce the target profile: Tend to your privacy settings on social networks; see Mastering Facebook’s Convoluted Security and Privacy Settings
- Protect your device: Use a passcode and regularly accept security updates. Follow OS dependent best practices regarding which app stores to use, security configuration options, anti-virus…
- Avoid social login, or at least don’t use it for any sensitive accounts
- Set up two factor authentication on primary email and social network accounts which not only aggregate a lot of reputation risk, but may be used for account recovery on other sites
- Set up two factor authentication on your cloud storage accounts (click here for a discussion of two factor authentication solutions from Google, Apple, Facebook and other popular sites)
- Set up two factor authentication on financial accounts and use a unique, complex password for each one
- Keep super-sensitive information like your financial account passwords or family member social security numbers in your head and/or in locked physical files, not on any computer or in the cloud.
Note that I’ve tried to avoid suggesting anything really hard, like using a long alphanumeric password on the mobile device or abstaining from social networking completely. You can do that also and be the more secure for it. But in general, you don’t need to make heroic efforts or live in complete electronic isolation to significantly enhance protection. Just recognize that you may have multiple single points of failure (e.g. device, cloud storage, password manager) and embrace separation as a way of thinking.