Phone Tracking

Mobile phones (or cell phones or hand phones, depending on where you are in the world) can be used to track the location of people. This has always been possible, because of how the cellular network works. But now it’s easier for hackers.

The GSM system (used by most phone companies) has a test mode built in. A recent demonstration by a university showed that anyone can access this test mode and request the location of any phone, if they have the right skills and equipment. The equipment doesn’t cost very much, and the skills can be shared on the internet.

Mobile phones use base towers to handle the communication. The phone network needs to keep track of which towers are closest to you. And by using triangulation, an approximate position can be calculated.

Here is the research paper by the University of Minnesota explaining how they tracked phones: Location Leaks on the GSM Air Interface.

What can you do?

Nothing. Law enforcement organisations have always had access to your phone’s location. Hackers now have it as well. If you need to keep your location private then don’t carry a mobile phone. You could also keep it turned off until you need it, but as soon as you turn it on the cell network will know your location.

Fake comments

If you run a website, sooner or later you’ll see spam in the comments. Here are some tips for recognising them:

Spam comments are very vague. Instead of discussing your content, they say something very generic, such as “your website is great”. E.g.

naturally like your web-site however you need to take a look at the spelling on several of your posts. A number of them are rife with spelling problems and I to find it very bothersome to inform the reality nevertheless I will surely come again again.

There is nothing useful in this comment, and it could apply to anyone’s website. So obviously it was sent to every website they could find hoping someone clicks on their link.

Another place to look is the sender’s URL. Some website software, such as WordPress, allows commenters to include their URL (their web page). Look at it closely: if it says something like paydayloansonlinecash.com then it’s spam – they’re trying to make money off your site.
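The two tips above can be turned into a simple check. This is an added example, not code from any comment plugin: the keyword list, the stopword list and the sample post and genuine comment are constructed for illustration, and the spam text is the comment quoted above.

```python
import re
from urllib.parse import urlparse

# Constructed keyword list for illustration; tune it for your own site.
COMMERCIAL_WORDS = ("payday", "loan", "cash", "casino", "pills")
# Common words that say nothing about whether a comment discusses the post.
STOPWORDS = {"that", "this", "with", "have", "your", "from", "they",
             "which", "will", "very", "them", "what", "when", "about"}


def content_words(text):
    """Lower-case words of four or more letters, minus stopwords."""
    return {w for w in re.findall(r"[a-z]{4,}", text.lower())
            if w not in STOPWORDS}


def sender_host(url):
    """Host part of the commenter's URL, with or without a scheme."""
    if "//" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower()


def spam_signals(comment, post_text, sender_url=""):
    """Return the warning signs from the tips above that a comment shows."""
    signals = []
    # Tip 1: the comment shares no meaningful word with the post.
    if not content_words(comment) & content_words(post_text):
        signals.append("generic")
    # Tip 2: the sender's URL advertises something.
    host = sender_host(sender_url)
    if any(word in host for word in COMMERCIAL_WORDS):
        signals.append("commercial-url")
    return signals


# Constructed sample post, plus the spam comment quoted above.
POST = ("Mobile phones can be used to track the location of people. The "
        "phone network keeps track of which towers are closest to you.")
SPAM = ("naturally like your web-site however you need to take a look at "
        "the spelling on several of your posts. A number of them are rife "
        "with spelling problems")
GENUINE = "Does turning the phone off stop the towers from seeing my location?"

if __name__ == "__main__":
    print(spam_signals(SPAM, POST, "paydayloansonlinecash.com"))
    print(spam_signals(GENUINE, POST, "http://example.org/me"))
```

Treat the result as a reason to hold a comment for review, not as proof: a short genuine comment such as “Thanks!” also shares no words with the post.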

Security Questions

Have a look at the following screenshot and try to guess what’s wrong with it.

[Screenshot: preferred internet password]

This screenshot was captured from the US National Archives’ signup page (click here then click on New User). It asks for a challenge question and challenge answer, in case you forget your password. The problem here is one of the questions, “What is your preferred internet password?”.

Why would you give someone this information?

Challenge questions and answers are a way to recover lost passwords. Unfortunately this information is often not encrypted – it’s less secure. So whatever you set for your challenge question and answer is sometimes vulnerable to hacking. Also, the questions are often things that other people can easily find out about you, like your pet’s name. This is why I don’t like them.
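For anyone building a signup page, here is one way to store challenge answers so they are not kept in readable form, and to refuse an answer that is really the account password. This is an added example, not the National Archives’ code: the function names, the iteration count and the sample answers are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000  # example work factor for PBKDF2-HMAC-SHA256


def normalise(answer):
    """Fold case and spacing so 'Mr  Whiskers ' matches 'mr whiskers'."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def _derive(answer, salt):
    """Slow, salted hash of the normalised answer."""
    data = normalise(answer).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def enrol_answer(answer, account_password):
    """Return (salt, digest) to store; the plain answer is never kept."""
    if len(normalise(answer)) < 3:
        raise ValueError("challenge answer is too short")
    # Never accept the password itself as a challenge answer.
    if normalise(answer) == normalise(account_password):
        raise ValueError("challenge answer must not be the account password")
    salt = os.urandom(16)  # fresh random salt for every stored answer
    return salt, _derive(answer, salt)


def verify_answer(candidate, salt, stored_digest):
    """Check a recovery attempt using a constant-time comparison."""
    return hmac.compare_digest(_derive(candidate, salt), stored_digest)


if __name__ == "__main__":
    # Constructed sample values.
    salt, digest = enrol_answer("  Mr  Whiskers ", "correct horse battery")
    print(verify_answer("mr whiskers", salt, digest))
    print(verify_answer("rex", salt, digest))
```

Hashing protects the stored copy only; an answer that other people can look up, like a pet’s name, is still easy to guess.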

Facebook Security Guide

Facebook’s security and privacy have never been perfect but they’re now starting to take it more seriously. Maybe some strong competition from Google+ has something to do with it.

Facebook have published a security guide and it’s quite good. It covers topics like recognising scams, recognising hacked accounts and how to use SSL connections. All good stuff! For example,

The common scams offer prizes like free virtual objects. Other lures claim that your account has been suspended and provide a link for you to remedy the problem.

If you use Facebook at all I recommend reading through the guide. I also strongly suggest you print it out and lend it to your friends and family – people who might not be able to do their own research on security.

The more people understand security on Facebook, the better it will be for everyone. Click here for A Guide to Facebook Security.

Sharing Your Location Online

There are many ways now to share your current location, including

  • Foursquare
  • Facebook Places
  • Bing and Google have their location sharing systems

It’s a popular thing to do. But have you ever had a good think about the pros and cons of doing this?

Pros:

  • It’s fun, everyone does it
  • It’s a novel way to share your life with friends and family
  • If you have good locks and security in your home then it might not matter

Cons:

  • You lose some privacy, both for yourself and for those you’re with
  • You could be letting people know that no one is at your home, potentially encouraging intruders

Post comments below, share your thoughts on location sharing sites.

Most Common iPhone Passcodes

Daniel Amitay has been able to collect a sample of over 200,000 passcodes used to lock an iPhone. The most common ones were:

  1. 1234
  2. 0000
  3. 2580 (a vertical row)
  4. 1111
  5. 5555
  6. 5683 (spells LOVE)
  7. 0852 (a vertical row)
  8. 2222
  9. 1212
  10. 1998

This list represents 15% of all PINs (that’s too high). Years starting with 199 were also found to be common. And PINs starting with 1 are also very common.

The information here is relevant to other devices as well, basically anything that uses a 4 digit PIN typed into a keypad.

If you use any of these codes to lock something you consider important, you should change it now.

Fake URL Shorteners

URL shorteners are so common these days that people don’t give them a second thought, especially on social media sites like Facebook and Twitter. Some common URL shorteners are

  • bit.ly
  • tiny.cc
  • fb.me

The list is endless. You can even make your own service, which is exactly what spammers are now doing.

Spam messages are now being posted on Twitter with these new URL shorteners and it’s difficult to filter them out. E.g. URLs that begin with

  • www.srtu.in/

The best thing you can do is to use a modern web browser that does some URL scanning, such as Chrome, Opera, or IE9 (older versions of IE are vulnerable). Also buy and install a good virus scanner.

More information about URL shorteners here.

Common Passwords

Security companies sometimes get to analyse real people’s passwords and create interesting reports. Imperva has just done that, analysing 32 million passwords used on the Rockyou.com site (which was recently hacked).

Below is a summary of their findings. Why is this important to you? Because it means that statistically, you probably have a weak password that can be guessed.

  • 41% of passwords only use lower case letters (weak)
  • 15% of passwords only use numerals (even weaker)
  • Nearly 50% of people used names, slang words, dictionary words or trivial words as their passwords. These can be guessed in seconds by a “brute force” program.

The ten most common passwords were:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

If you use any of these as your password then change it now. It’s too easy to guess, especially now that everyone can see this list.

For tips on how to choose a good password read our previous article. And here are some tips on testing how good your password is.

Imperva’s complete report is here. It’s full of interesting technical details on what they found and what the risks are.
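Here is a small check, added as an example (it is not from Daniel Amitay’s or Imperva’s reports), that a site or app could run when someone chooses a new PIN or password. It uses the two top-ten lists and the patterns named in this post and in Most Common iPhone Passcodes, and goes a little further by also flagging repeated pairs and straight sequences; the function names are made up for illustration.

```python
# Top-ten lists copied from the two posts above.
COMMON_PINS = {"1234", "0000", "2580", "1111", "5555",
               "5683", "0852", "2222", "1212", "1998"}
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "rockyou", "1234567", "12345678", "abc123"}


def pin_weaknesses(pin):
    """Reasons a 4-digit PIN is easy to guess (empty list if none found)."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("expected exactly four digits")
    found = []
    if pin in COMMON_PINS:
        found.append("top-10 list")
    if len(set(pin)) == 1:
        found.append("repeated digit")      # e.g. 7777
    if pin[:2] == pin[2:]:
        found.append("repeated pair")       # e.g. 1212
    if pin.startswith("199"):
        found.append("199x year")           # e.g. 1998
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        found.append("sequence")            # e.g. 1234 or 4321
    return found


def password_weaknesses(password):
    """Reasons a password matches the weak groups in Imperva's summary."""
    found = []
    if password.lower() in COMMON_PASSWORDS:
        found.append("top-10 list")
    if password.isdigit():
        found.append("numerals only")
    elif password.isalpha() and password.islower():
        found.append("lower case only")
    # Names and dictionary words need a word list, which is not included.
    return found


def flagged_pin_count():
    """How many of the 10,000 possible PINs the rules above reject."""
    return sum(1 for n in range(10000) if pin_weaknesses(f"{n:04d}"))


if __name__ == "__main__":
    print(pin_weaknesses("1998"), password_weaknesses("princess"))
    print(flagged_pin_count(), "of 10000 PINs rejected")
```

The count shows the rules block only a small slice of the possible PINs, so rejecting them at signup costs users very little choice.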

Inside The Password Stealing Business

McAfee, a large anti-virus company, has published a report called “Inside the Password Stealing Business: the Who and How of Identity Theft”. It goes into the details of password stealing programs and explains the “industry” driving it.

It’s quite detailed and at 17 pages it won’t take too long to read – it’s not very technical.

Password stealing is when a program gets installed on your PC that catches every stroke of your keyboard and sends it back to a criminal. The idea is that it’ll record all your passwords as you type them, no matter how strong they are. It’s a sophisticated piece of technology and a very large problem worldwide. If you’re not constantly upgrading your anti-virus software, web browser and OS then you’re at high risk.

These passwords are then sold off and used to steal money from your bank account or to commit other crimes. Even if you don’t use online banking you still have something to lose – someone can apply for a credit card under your name and use it to make expensive purchases, then you’re left to deal with the credit card company and convince them it wasn’t you (this happens every day).

So click on this link and have a read of the report.