SPOTLIGHT ON SECURITY

Couples Can’t Keep Their Hands Off Each Other’s Phones

Worried about the NSA spying on your smartphone? How about online hackers? Truth be told, the greatest threat to your confidential information is a lot closer to you — namely, your partner.

That’s what a recent survey of more than 13,000 people in the United States revealed.

Avast last week reported its findings. Among them: The majority of women snoop on their men’s phones just because they’re curious, but a third of married women peek at their hubby’s mobile to see if he’s faithful.

Paranoia? Maybe not. Seven of 10 women who snooped on their partner’s phone found evidence he was deceiving them. More than half the peeping men found such evidence about their women.

Once they had the goods, women were 20 percent more likely to confront their significant other with the incriminating evidence, Avast researchers discovered.

“It surprised us that people you trust would be checking your phone,” said Jude McColgan, Avast president of mobile.

No Pass Codes

Much is made of elaborate schemes to break into someone’s phone, but that’s typically not a problem for a partner. Almost half the women surveyed (41 percent) and a third of the men (33 percent) said their partner’s phone wasn’t protected by a pass code.

“It’s remarkable that people don’t use their pass codes,” McColgan told TechNewsWorld. “That’s scary if you lose your phone, because you’re essentially carrying a PC in your pocket, and all your information is wildly at risk.”

In Fourth Amendment circles, advocates often refer to a “reasonable expectation of privacy.”

In relationships, the survey suggests, there’s a reasonable expectation of curiosity.

More than half of both men and women who check their partner’s phone accept the likelihood that the same is being done to them.

Those feelings, though, vary with the age of the relationship. Lovebirds in a relatively fresh romance are less likely to believe that their partner is emulating their snooping behavior. That changes as the relationship gets older. Then there’s a mutual acceptance of privacy intrusion.

Celebrity Photo Heist

Apple last week announced it was adding some security measures to its iCloud offering. The service’s security measures drew criticism after the accounts of some celebrities were compromised, and nude photographs were posted to the Internet.

With the new measures, a number of events that could signal an account break-in would trigger push notifications to all of a user’s Apple devices. Those events include changing the password for an iCloud account, downloading a backup to a new device, or logging into an account for the first time from an unknown device.

While Apple’s measures will shore up iCloud’s security, they won’t silence detractors of cloud computing in general, who argue public cloud services like iCloud are inherently insecure. However, even as widely publicized an event as the iCloud break-in isn’t likely to put a crimp in the momentum behind cloud services.

“I don’t believe iCloud’s association with the celebrity photo hack is going to slow down cloud adoption by businesses,” Vijay Basani, president and CEO of EiQ Networks, told TechNewsWorld. “What is going to happen is that cloud providers will increase their efforts on security by adopting, implementing and actively enforcing common sense security controls in the cloud.”

Such common sense controls could include two-factor authentication and password complexity enforcement.

Power of Encryption

Of course, one of the most powerful ways to protect data in the cloud is through encryption. If Jennifer Lawrence’s nude photos had been encrypted on iCloud, then even cracking into her account wouldn’t have done the attackers any good. They’d still not have a way to decrypt the photo files.

While encryption is common in cloud services for businesses, it’s less so for consumers. That will change as cloud providers iron out the kinks in encryption that have kept it from widespread use among the technologically unsophisticated. Even then, consumers will need to be careful about their encryption choices.

For example, a cloud provider may offer to encrypt your data “at rest” in the cloud. In such cases, though, the provider has the keys to the data.

“That opens the data to attacks by insiders who can get access to the keys,” Garry McCracken, vice president of technology partnerships at WinMagic, told TechNewsWorld.

“The solution to a lot of this is basic architecture. Make encryption happen at the endpoint where the data is created, so when it leaves the device to be backed up or copied or synced into the cloud, it’s already encrypted,” he suggested.

“That way, even if there’s a breach in the cloud, [the attackers] can get the data but they can’t do anything with it,” McCracken explained, “because it’s encrypted and the keys are stored someplace else.”

Breach Diary

  • Sept. 2. Home Depot confirms it is investigating the possible theft of customer information in a data breach.
  • Sept. 3. Apple reports theft of photos from celebrity iCloud accounts was result of a targeted attack on user names, passwords and security questions.
  • Sept. 4. Obama administration reports HealthCare.gov website experienced an intrusion on a test server but no personal information on consumers was compromised.
  • Sept. 4. Massachusetts Office of Consumer Affairs and Business Regulation reports 1.2 million people in the Bay State had personal and financial data compromised in data breaches in 2013.
  • Sept. 4. McAfee Labs finds in its August Threats Report that 80 percent of people taking its online Phishing Quiz failed to identify at least one of seven phishing messages in the test.

Upcoming Security Events

  • Sept. 8-12. Android App Security Series. A daily series of videos by the University of New Haven Cyber Forensics Research and Education Group. Free on YouTube.
  • Sept. 9-10. Detroit SecureWorld. Ford Motor Conference & Event Center, 1151 Village Road, Dearborn, Michigan. Registration: US$695, two days; $545, one day.
  • Sept. 9-10. RSA Global Summit. Marriott Marquis, Washington, D.C. Registration: before Sept. 8, $745; online, $895; government, $545.
  • Sept. 11. How To Manage Security-Compromised Endpoints. 2 p.m. ET. Dark Reading Webinar. Free with registration.
  • Sept. 11-12. B-Sides Los Angeles. Dockweiler Youth Center and Dockweiler State Beach, Los Angeles. Free.
  • Sept. 12. Suits and Spooks London. Blue Fin Building, Southwick, London, UK. Registration: Pounds 200.
  • Sept. 13. B-Sides Memphis. Southwest Tennessee Community College, 5983 Macon Cove, Memphis, Tennessee. Free.
  • Sept. 13. B-Sides Augusta. Georgia Regents University, Science Hall, 2500 Walton Way, Augusta, Georgia. Free.
  • Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, California.
  • Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.
  • Sept. 18. Building Secure Web Applications. 2 p.m. ET. Black Hat Webcast. Free.
  • Sept. 22. Cyber Intelligence Europe 2014. Renaissance Brussels Hotel, Rue du Parnasse 15, 19, 1050 Brussels, Belgium. Registration: 600-850 euros, military and public sector; 1,200-1,700 euros, private sector.
  • Sept. 23. Linking Enterprise and Small Business Security to Shore up Cyber Risks in the Supply Chain. 11 a.m. ET. InformationWeek webinar. Free with registration.
  • Sept. 23-24. St. Louis SecureWorld. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: $695, two days; $545, one day.
  • Sept. 23-24. APWG eCrime Researchers Symposium. DoubleTree by Hilton Hotel Birmingham, 808 South 20th St., Birmingham, Alabama. Registration: before Sept. 2, $400; after Sept. 1, $500.
  • Sept. 26. B-Sides St. John’s. Uptown Kenmount Road, St. John’s, Newfoundland and Labrador. Free.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
  • Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before August 30, members $450-$895, non-members $595-$1,150, government $450-$895, spouse $200-$375, student $130-$250; after August 29, member $550-$995, non-member $695-$1,250, government $550-$995, spouse $200-$475, student $180-300; a la carte, $50-$925.
  • Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.
  • Oct. 1. Indianapolis SecureWorld. Sheraton Indianapolis at Keystone Crossing. Registration: $695, two days; $545, one day.
  • Oct. 3. B-Sides Portland. Refuge PDX, Portland, Oregon. Free.
  • Oct. 10-11. B-Sides Warsaw. Andersa 29, Warsaw, Poland. Free.
  • Oct. 14-17. Black Hat Europe 2014. Amsterdam RAI, Amsterdam, the Netherlands. Registration: before Aug. 30, 1,095 euros; before Oct. 10, 1,295 euros; before Oct. 18, 1,495 euros.
  • Oct. 16. SecureWorld Denver. The Cable Center, Denver. Registration: $695, two days; $545, one day.
  • Oct. 18. B-Sides Raleigh. Raleighwood, Raleigh, North Carolina. Free.
  • Oct. 19-20. B-Sides Washington D.C. Washington Marriott Metro Center, Washington, D.C. Free.
  • Oct. 19-27. SANS Network Security 2014. Caesars Palace, Las Vegas, Nevada. Courses: job-based, $3,145-$5,095; skill-based, $1,045-$3,950.
  • Oct. 29-30. Security Industry Association: Securing New Ground. Millennium Broadway Hotel, New York City. Registration: before Oct. 4, $1,095-$1,395; after Oct. 3, $1,495-$1,895.
  • Oct. 29-30. Dallas SecureWorld. Plano Centre, 2000 East Spring Parkway, Plano, Texas. Registration: $695, two days; $545, one day.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
