Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

The Cell Phone Wiping Conundrum

June 2, 2017 By Doug

(C) www.depositphotos.com / @ baloon111

A colleague of mine recently lost their cell phone while in airplane mode.  They triggered the remote wipe function, figuring that if it was turned on, it would trigger and erase the device.  They use a password manager, so figured all their data was safe.  But they didn’t call the cell phone carrier and disable the SIM, because that would prevent the wipe from working.

A month later, a cell phone bill for several hundred dollars shows up – the person that had found the phone, didn’t try to resell it or steal the data, they simply extracted the SIM card and put it into another phone, then made a bunch of overseas calls.  We saw that years ago with stolen calling card numbers and conference call passcodes, so it’s just a modern version of an old scam.

But she had a good point – the smart phone manufacturers are highlighting the ‘wipe’ function as a key security feature, but if the device is offline, it doesn’t work.  Even the cell carrier’s own sites will tell you to send the wiping commands, without an acknowledgement that reporting the device lost or stolen will disable data connectivity.  Don’t get me wrong, it’s still worth sending the command (especially if it wasn’t in airplane mode), but you can’t rely on remote wipe.

Not a good tradeoff, but there are some things we can do to help.  Let’s start with some before the device is lost.

  • Make sure you have the device set to wipe on 10 failed attempts, and lock out any biometrics after only a few (iPhone does the latter automatically)
  • Only use robust biometrics – post on that coming soon. Tons of snake oil out there – avoid iris and photo at the moment.  Bonus points for fingerprint readers if you don’t use index or thumb prints.
  • Only use airplane mode when required – otherwise leave cellular service on*
  • Be cautious about what you enable on the lock screen
  • Limit how much email you leave on your server. IMAP or exchange via a real email client allows you to move all your mail to a trusted local data store (drag from INBOX to On My Mac folders for example).  This will replicate and remove email from your device, so if someone does gain access to it, there’s limited email history available to them.  Good reason to avoid cloud-only email services by the way.
  • Put a sticker on the back of the phone with contact info, in case the device is found by an honest person and returned.
  • Back up the device regularly. I prefer local to the cloud because of the restore times (more on consumer cloud and its risks another time).
  • Have a quick response plan ready to go in case it’s lost with steps below

And when it is lost:

  • Call the device – if you’re lucky, an honest soul will answer and you can get it back. Also try ‘find my device’ to see if it’s locatable.  If not, move on to the next steps:
  • Immediately send wipe command / put in lost mode
  • Immediately change your email passwords. If the device is somehow unlocked, email is how other password resets are validated.
  • Notify the cell phone carrier the device has been lost.  This prevents the phone from being used for SMS or voice multi-factor authentication.
  • Buy a new phone.

The ecosystem is training people to not disable the SIM card, and the cell phone carriers aren’t doing any form of device authentication when SIM cards are moved.  I understand the convenience factor there, but at least it should trigger a higher level of fraud detection.  New device, no notification from the customer, well, if you see a bunch of calls to Europe happening, maybe the carrier should do some level of validation that it’s legit traffic?  Fraud detection algorithms like that are relatively straightforward to put in place.

Right now we’re given a choice between preventing calling fraud and providing a window for wiping the device.  Tough situation.


* Note:  This is why ‘find my mac’ type of functionality is essentially useless – it has to connect to a known, trusted network before activating.

Filed Under: Security Tagged With: fraud, phone, remote wipe, theft

Friday Photo Post – Sunset over Faux Falls

May 26, 2017 By Doug

I’m still working through my recent workshop and shoot in Moab, processing the files, and discovering some new gems.  Often at sunset you only have a few minutes of the perfect light, and this was no exception.  If I’d have taken a couple of steps farther forward, I’d have missed the branches encroaching on the bottom left edge, but might have missed the shot.   I bracketed the scene, then processed this as an HDR to capture the broad range of light that I saw.

Filed Under: Photography

WannaCry – Who’s to blame?

May 23, 2017 By Doug

(C) 2009 Andrew Lewis / istockphoto.com

The latest strain of ransomware has been in the news, accompanied by somewhat sensationalistic news coverage.  Yes, it’s a big deal, but not unexpected – ransomware is only going to get worse.  Right now it’s focused on availability, next it’ll be integrity (more on that in the next post).  One question that’s just starting to be asked is, whose fault is it?  I’m looking beyond the cyber criminals who released it, and towards the IT ecosystem that enables this to happen.

The NSA is a target for a lot of pundits.  From media reports, there was an internal debate about disclosing the vulnerability to Microsoft, but ultimately the agency decided against it.  It’s easy to take an absolute position on this – we should hoard vulnerabilities for intelligence purposes, or we should always disclose.  Unfortunately, we live in a grey world and such black and white absolutes are hard to come by.  As the agency realized that the tools had been exposed, they privately notified Microsoft, who quickly issued a patch, and they’re to be commended for that.  They’re in a tough position, and it’s not an easy answer.  I’ll have more thoughts on policy options in the future.

End users certainly share some of the responsibility.  Patching is often stated as the first and most important defense against attacks.  I’d argue that running a supported operating system is even more important.  Folks still running XP need to either isolate the machine (physically offline), or upgrade.  That may mean spending money to update industrial systems, or to change procedures to run them disconnected from other networks.  There are no other viable options.  Consumers need to turn on automatic updates on their personal machines, and apply them regularly.  What they don’t need is to spend more money on consumer antivirus.

Businesses are in a tougher position – they may have thousands of machines that need updating, including both servers and laptops/desktops.  There are tools available (for example, IBM BigFix) that make this straightforward, but often it’s not the actual patching that’s the issue, it’s compatibility with enterprise systems.  Corporate development needs to remove as many platform dependencies as they can, to make applying patches less risky.  But we can’t even get rid of Flash, Silverlight, and Java, so OS linkages are likely to take even longer to fix.   They need to build processes to test and apply security patches quickly – it’s just hygiene, but it needs to have a higher priority than it currently does.

Which brings us to Microsoft.  They have been making this harder by changing how patches are provided (combining security and feature patches, and drastically reducing the information about what’s in a patch).  Both of those need to change to make it easier to assess and test updates.  On Windows 10, they also force-download and install patches – something that’s controversial.  That’s hit me with high mobile data usage, but probably keeps the vast majority of people far safer than the Windows 7 approach.  Are they responsible for the bug?  Sure, but I can’t beat them up over it – all software has bugs, and Windows 10 is a major improvement over previous editions.  By comparison their major competition is having a growing problem with defects.

So who’s to blame?  At some level, we all are.  Security professionals for making easy-to-say statements like ‘upgrade and patch immediately’ without regard to system stability or upgrade cost, pundits who say ‘disclose all vulnerabilities’ without regard to legitimate national intelligence needs, vendors who focus on rapid release of features at the expense of system stability, businesses who fail to invest in keeping their IT infrastructure current, and end users who blindly assume that all the others will take care of it for them.

Not an easy fix.

Filed Under: Security
