SPOTLIGHT ON SECURITY

Potential for Abuse Stalls Cellphone Kill Switch Debate

Law enforcement officials and mobile phone makers last week knocked heads with wireless carriers over planting “kill switches” in smartphones.

Led by a district attorney in San Francisco and attorney general in New York, law enforcement would like all smartphones to contain firmware that allows a consumer to “brick” a mobile that’s lost or stolen.

The largest mobile phone maker in the world, Samsung, is on board with the program, and a developer of kill-switch software has offered its program to Samsung for free.

Problem is, the wireless carriers are cool to the idea. One possible reason is that carriers make good money from replacement of lost and stolen phones, but there are some less cynical explanations for their balking.

For example, if hackers should gain control of a phone’s kill switch, they could deny the owner access. They might be able to disable the phones of government employees, such as those working for the FBI or Department of Homeland Security.

NSA’s Shadow

“There is definitely a concern that hackers might be able to use this feature, which not only puts our citizens’ privacy at risk, but also our government agencies,” Tom Kemp, CEO of Centrify, told TechNewsWorld.

“But there is more to it. Given the recent issues with the NSA phone taps and companies like Facebook and Google being asked to hand over their users’ private information, I think that the carriers are working to keep themselves as independent from government control as possible,” he observed.

“I’ve said before that if we grant carriers more controls, the government will step in and want access to that control, and I just don’t see carriers willingly allowing that to happen,” added Kemp.

Kill Good, Recover Better

Nevertheless, there are those who argue that kill switches can go a long way toward reducing cellphone thefts, which, according to the Federal Communications Commission, account for 30 to 40 percent of all robberies in the nation.

“A kill switch can protect consumers against theft and will act as a deterrence in the market and reduce the theft epidemic,” said John Livingston, CEO of Absolute Software, which makes software kill switches.

Absolute also has a LoJack-like recovery service for stolen phones, which can be an even greater deterrent to cellphone thieves, according to Livingston.

“If you catch a thief, then they’re deterred from ever stealing a phone again,” he explained. “A kill switch is a good first step, but having the option to also recover is even better.”

Breach Cover-Ups

Despite movement in some states to require data breaches be reported to the public, large numbers of companies are still covering up their information sins, according to a study released by ThreatTrack.

The survey of 200 malware analysts at U.S.-based enterprises revealed that more than half of them (57 percent) confessed they’d investigated a data breach that their company ultimately did not disclose.

“That’s pretty shocking in today’s day and age,” Dodi Glenn, senior director of ThreatTrack’s Security Intelligence and Research Labs, told TechNewsWorld.

“Some companies want to brush these things under the carpet because they want to avoid any penalties that might come down the line,” he added. That could result in “a financial hit or damage to their brand.”

Large companies were more likely to cover up data breaches than small companies, according to the survey. Sixty-six percent of malware analysts at companies with 500 employees or more said they hadn’t disclosed a data breach, compared to 18 percent at businesses with 50 employees or less.

“Of course, larger companies pose a bigger target to malware creators than do smaller companies because of their larger presence in the market and more information they possess,” the report notes.

Breach Diary

  • Nov. 18. Six more alleged thieves are arrested by federal prosecutors in New York in connection with a US$45 million worldwide ATM robbery.
  • Nov. 19. Google agrees to pay $17 million to settle lawsuit resulting from discovery that the company installed tracking cookies in Apple’s Safari Web browser without user permission.
  • Nov. 19. MegaPath Corporation announces release of data breach calculator to assess the risk to a company of a data breach.
  • Nov. 20. Brian Krebs reports data breach in January at online dating site Cupid Media exposed information on 42 million consumers, including names, email addresses, unencrypted passwords and birthdays.
  • Nov. 20. Sachem Central School District on Long Island in New York informs parents and students that 15,000 student records containing names, school IDs and lunch designations were posted online after a data breach.
  • Nov. 20. Anthem Blue Cross of California notifies an unspecified number of physicians that their names, business addresses and Taxpayer ID/Social Security numbers were in documents posted at the company’s website from Oct. 23-24. Anthem is offering the affected physicians one year of ID protection services.
  • Nov. 21. IT consultant Jason Huntley blogs that his smart TV made by LG transmitted data about his personal viewing habits as well as names of files on a hard drive connected to his TV despite his activation of privacy controls for the device.
  • Nov. 21. Milwaukee Alderman Michael Murphy says the city is pursuing all its options in connection with the theft of a USB drive from an employee of Dynacare, which manages the burg’s wellness program. The drive contained the personal information of 9,414 city employees, their spouses or domestic partners.

Upcoming Security Events

  • Dec. 4. How To Solve Your Cloud Security Challenges. 8:15 a.m. ET. Virtual conference sponsored by ISACA and TechTarget. Free with registration.
  • Dec. 4. Operationalize Threat Intelligence. 11 a.m. Webinar with Forrester Research Principal Analyst Rick Holland and Lookingglass CEO Chris Coleman. Free with registration.
  • Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
  • Dec. 4-5. Cloud Security Alliance Conference. Rosen Centre Hotel, Orlando, Florida. Registration: $1,695; government, $1,526.
  • Dec. 5. Mobile Network Security Strategies (MNSS) 2013. Westin Times Square, New York City. Sponsored by LightReading. Registration free but limited.
  • Dec. 9-12. Black Hat Training Sessions. Washington State Convention Center, Seattle, Wash. “The Art of Exploiting Injection Flaws,” $1,800 by Oct. 24; $2,000 by Dec. 6; $2,300 thereafter. “The Black Art of Malware Analysis,” $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter. “CNSS-4016-I Risk Analysis Course,” $3,800 by Oct. 24; $4,000 by Dec. 5; $4,300 thereafter.
  • Dec. 9-12. World Congress on Internet Security. Thistle Hotel London Heathrow, London. Registration: IEEE, BCS, IET or IAP members, Pounds 500; Non-IEEE, BCS, IET or IAP Members, Pounds 600; IEEE, BCS, IET or IAP student members: Pounds 350; other students, Pounds 380.
  • Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.
  • Jan. 20-21, 2014. Suits and Spooks. Waterview Conference Center, Washington, D.C. Registration: Sept. 20-Oct. 20, $415; Oct. 21-Dec. 1, $575; after Dec. 1, $725.
  • Feb. 17-20, 2014. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.
  • March 25-28, 2014. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.

John Mello is a freelance technology writer and former special correspondent for Government Security News.
