OUCH! | May 2012 – Safely Disposing of Your Mobile Device

OUCH! | May 2012

IN THIS ISSUE…

• Stored Information
• Wiping Your Device
• SIM Cards / SD Cards
• Options For Disposal
• Special Training Offer
• Recovery

Safely Disposing of Your Mobile Device

GUEST EDITOR

The Ouch! team would like to welcome and thank Mr. Joshua Wright as our guest editor. Mr. Wright is a SANS senior instructor and author of SANS’ wireless security (SEC617) and mobile device security (SEC575) courses. You can follow Mr. Wright on Twitter at @joswr1ght or on his website at http://www.willhackforsushi.com.

OVERVIEW

Mobile devices, such as smartphones and tablets, continue to advance and innovate at an astonishing rate. As a result, many of us replace our mobile devices as often as every 18 months. A key question becomes: what are you doing with your older devices? Many people simply dispose of their older mobile devices with little thought about all the personal data they have accumulated. However, a surprising amount of personal information is stored on these older devices. If your devices are not securely wiped before disposal, this information can easily be recovered, exposing you or your organization to tremendous risk.

STORED INFORMATION

Mobile devices store far more sensitive data than you may realize, perhaps more than your computer. When you dispose of your device you could be exposing the following information:

• The contact details for everyone in your address book, including family, friends, and co-workers

• Call history, including inbound, outbound, and missed calls

• Text messages or logged chat sessions

• Location history based on GPS coordinates or cell tower history

• Web browsing history, cookies, and cached pages

• Personal photos, videos, audio recordings, and emails

• Stored passwords and access to personal accounts, such as your voicemail

WIPING YOUR DEVICE

Before you begin securely wiping your mobile device, consider whether or not you want to back up any of your data, such as photos, videos, or any other information. Once you’ve followed the steps below, you will not be able to recover any of your data. In addition, if your mobile device was issued to you by your employer or has any organizational data stored on it, be sure to check with your supervisor about proper backup and disposal procedures before following the steps below.

Unfortunately, just deleting your data is not enough; it can still be recovered. We recommend that you use the device “factory reset” function to remove all data from the device and return it to the condition it was in when you bought it. We have found that factory reset will provide the most secure method for removing data from your mobile device. The location of the factory reset function varies among devices; listed below are the steps for the most popular devices.

Apple iOS Devices: Settings | General | Reset | Erase All Content and Settings

Android Devices: Settings | Privacy | Factory Data Reset

Windows Phones: Settings | About | Reset Your Phone

BlackBerry Phones: Options | Security Options | Security Wipe

If you still have questions about how to perform a factory reset, check your owner’s manual or the manufacturer’s website. Another option is to take your mobile device to the store you bought it from and get help resetting it from a trained technician. Remember, simply deleting your personal data is not enough as it can be easily recovered.

SIM CARDS

In addition to the data stored on your device, you also need to consider what to do with your SIM (Subscriber Identity Module) card. Many mobile devices use a SIM card to uniquely identify you and your account information when you place and receive calls on a mobile network. When you perform a factory reset on your device, the SIM card retains information about your account. If you are keeping your phone number and moving to a new phone, talk to the phone salesperson about transferring your SIM card to the new phone. If this is not possible (for example, if your new phone uses a different size SIM card) keep your old SIM card and physically shred or destroy it to prevent someone else from re-using it.

[Images: SD card; SIM card]

EXTERNAL STORAGE CARDS

Some mobile devices utilize an external SD (Secure Digital) card for additional storage. These storage cards often contain pictures, smart phone applications, and other sensitive content. Remember to remove any external storage cards from your mobile device prior to disposal (for some devices, your SD cards may be hidden in the battery compartment of your device). These cards can often be reused in new mobile devices or can be used as generic storage on your computer with a USB adapter. If reusing your SD card is not possible, then just like your old SIM card, we recommend you physically destroy it.

OPTIONS FOR DISPOSAL

When it comes to disposing of your old mobile device, consider recycling it instead of throwing it out. Most carriers offer a discount on your next purchase when you recycle. Another option is to donate your mobile device to the charitable cause of your choice. Below are just some of the many places you can either recycle or donate your mobile device.

Verizon Recycling
http://preview.tinyurl.com/6r398bq

Sprint Recycling
http://preview.tinyurl.com/cdzfcmu

AT&T Recycling
http://preview.tinyurl.com/cm23qgf

Recycling Mobile Phones
http://preview.tinyurl.com/csa3ak7

EPA Mobile Phone Donations Site
http://preview.tinyurl.com/clulu8x

National Coalition Against Domestic Violence
http://preview.tinyurl.com/l48kw4

Operation Gratitude
http://preview.tinyurl.com/7lefuob

RESOURCES

Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp

LEARN MORE

Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org

SPECIAL PROMOTION

Does your Small or Medium organization need help with securing the most vulnerable part of your organization? Check out a great program to train up to 750 Users for just $3,000. Program runs only from June 01 to July 31, 2012. Learn more at: http://www.securingthehuman.org/programs/sme

OUCH! is published by the SANS Securing The Human program and is distributed under the Creative Commons BY-NC-ND 3.0 license. Permission is granted to distribute this newsletter as long as you reference the source, the distribution is not modified and it is not used for commercial purposes. For translating or more information, please contact ouch@securingthehuman.org.
 
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Cara Mueller

© The SANS Institute 2012 http://www.securingthehuman.org

 


10 Tools for Blocking Inappropriate Websites for Families

 

If you’re shopping for a reliable product that will make the internet safe for family viewing in your home, we’ve got a list you’re sure to appreciate. The following are 10 tools for blocking inappropriate websites for families:

10 Tools for Blocking Inappropriate Websites for Families

 


OUCH! | March 2012 – E-mail Dos and Don’ts

OUCH! | March 2012

IN THIS ISSUE…

• Auto-complete
• Cc: / Bcc:
• Distribution lists
• Emotion & Privacy

E-mail Dos and Don’ts

GUEST EDITOR

Fred Kerby is the guest editor for this issue. He recently retired from the position of information assurance manager at the Naval Surface Warfare Center Dahlgren Division. He is also a SANS senior instructor and track lead for the Intro to Information Security course (SEC 301).

 

OVERVIEW

E-mail has become one of the primary ways we communicate, both in our personal and professional lives. However, e-mail can be confusing to use, resulting in mistakes that can hurt you or your organization. Quite often we can be our own worst enemy when using e-mail. In this newsletter we will explain the most common mistakes people make with e-mail and how you can avoid them in your day-to-day life.

AUTO-COMPLETE

When e-mailing a friend or co-worker, you often start by typing their e-mail address. For example, if you wanted to e-mail Fred Smith you would have to remember and type in his e-mail address fsmith@example.com. This can be a lot to remember, especially if the recipient has a complex e-mail address or if your e-mail directory includes hundreds of people. With auto-complete, as you type the name of the person, your e-mail software automatically selects the e-mail address for you. This way you do not have to remember the e-mail address, just the recipient’s name.

The problem with auto-complete is when you have contacts with similar names. For example, you may think you are sending an e-mail to Fred Smith (your co-worker), but instead auto-complete selects Fred Johnson (your kid’s soccer coach). As a result you end up sending sensitive company information to unauthorized people.

To protect yourself against this common mistake, always verify the name and the e-mail address of the recipient listed before you hit send. In addition, you may want to include the person’s organization in the name displayed with their e-mail.

CC / BCC

When sending an e-mail, the people you directly address it to may not be the only ones that get your e-mail message. Most e-mail clients also have two additional fields: Cc and Bcc. Cc stands for carbon copy. This means that while your e-mail is not directed to the person in the Cc line, you want to keep them informed. For example, if you send an e-mail to a co-worker, you may cc your boss just to keep your boss current. Bcc means blind carbon copy. This is similar to Cc; however, the recipients on the To and Cc lines will not see the people you’ve included under Bcc.

Care should be taken when using Cc and Bcc. When someone sends you an e-mail and has cc’d people on the e-mail, you have to decide if you want to reply to just the sender or reply to everyone that was included on the cc. If your reply is sensitive in nature, you may want to reply only to the sender. If that is the case, be sure not to use the Reply All option, which will address your reply to all visible recipients from the original message. You may choose to use Bcc to copy someone privately, such as your boss. However, if your boss responds using Reply All, then all of the recipients will know that he was bcc’d on the original message - so much for your secret.

DISTRIBUTION LISTS

Distribution lists are a collection of e-mail addresses represented by a single e-mail address, sometimes called a mail list or a group name. For example, you may have a distribution list with the e-mail address group@example.com. When you send an e-mail message to that address, that message is sent to everyone in the group, which could include perhaps hundreds or even thousands of people. Be very careful what you send to a distribution list. You would never want to accidentally send an e-mail to a group of people that was really only intended for a limited audience. You should also take care that your auto-complete feature doesn’t select a distribution list. Your intent may be to e-mail only a single person, such as your coworker Carl at carl@example.com, but auto-complete might send it instead to the distribution list you subscribed to about cars.

EMOTION

Never send an e-mail when you are emotionally charged. If you are in an emotional state, that e-mail could cause you harm in the future, perhaps even costing you a friendship or a job. Instead, take a moment and calmly organize your thoughts. Get up and walk away from the computer. If you have to vent your frustration, another option is to open your e-mail client and make sure the To/Cc/Bcc fields are empty. Now go ahead and type exactly what you feel like saying. Then get up and walk away from your computer, perhaps make yourself a cup of tea. When you come back, delete the e-mail, and start over again. As a wise person once observed: “Draft today, send tomorrow.”

PRIVACY

Finally, remember that e-mail has few privacy protections. Just like a postcard sent through the mail, your e-mail can be read by anyone who gains access to it. In addition, unlike a phone call or personal conversation, once you send an e-mail you no longer have control over it. Your e-mail can easily be forwarded to others, posted on public forums, and may remain accessible on the Internet forever. If you have something truly private to communicate, e-mail may not be your best option.

RESOURCES

Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

12 Tips For Better Email:
http://preview.tinyurl.com/6j4ferk

Apple iMail:
http://preview.tinyurl.com/6dc6ac4

Preventing Auto-Complete Disasters in Outlook:
http://preview.tinyurl.com/75lvgln

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Security Tip of the Day:
http://preview.tinyurl.com/6s2wrkp

LEARN MORE

Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program and is distributed under the Creative Commons BY-NC-ND 3.0 license. Permission is granted to distribute this newsletter as long as you reference the source, the distribution is not modified and it is not used for commercial purposes. For translating or more information, please contact ouch@securingthehuman.org.
 
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Cara Mueller

© The SANS Institute 2012 http://www.securingthehuman.org

 


OUCH! | February 2012 – Securing Your Mobile Device Apps

 

OUCH! | February 2012

IN THIS ISSUE…

• Obtaining Apps
• Configuring & Using Apps
• Updating Apps
• In-App Purchases

Securing Your Mobile Device Apps

GUEST EDITOR

Kevin Johnson is the guest editor for this issue. Kevin is a senior security consultant at Secure Ideas, runs MySecurityScanner.com, and is a senior instructor with the SANS Institute. You can learn more about his work at http://www.secureideas.net and http://www.mysecurityscanner.com.

 

OVERVIEW

Mobile devices have become one of the primary tools we use in both our personal and professional lives. One of the things that makes mobile devices so powerful is that there are thousands of apps we can select from and use. However, with the tremendous power and flexibility of apps come a number of risks you must be aware of. In this newsletter we cover the dangers of mobile device apps and how you can install, use, and maintain them securely.

OBTAINING APPS

The first step in using apps is making sure you always download them from a secure, trusted source. Cyber criminals will create malicious apps that look real, but which may be infected with viruses or worms. If you inadvertently install one of these apps, cyber criminals can take control of your mobile device. By downloading apps from only well-known, trusted sources you reduce the chance of installing an infected app. However, even in well-known online app markets, some malicious apps can still be found. This is especially true for devices like the Android where the app markets are not tightly controlled. To reduce your risk, avoid apps that are brand new, that few people have downloaded, or that have very few comments. The longer an app has been available or the more positive comments it has, the more likely that app can be trusted. Finally, install only the apps you need and use. Each additional app brings the potential for new vulnerabilities, so if you stop using an app, remove it from your mobile device.

In addition, you may be tempted to jailbreak or root your own mobile device, the process of hacking into it and installing unapproved apps or changing existing functionality. We highly recommend against this, as jailbreaking not only bypasses or eliminates many of the security controls built into your mobile device but often voids any warranties or support contracts.

CONFIGURING & USING APPS

Once you have installed an app from a trusted source, the next step is making sure it is safely configured and protecting your privacy as well. Installing and/or configuring certain applications requires that you grant certain privileges and permissions. Depending on the device, these applications will prompt you before authorizing. Always think before authorizing any access: does your app really need those permissions? For example, some apps use geo-location services. If you allow an app to know your location, you may be allowing the creator of that app to track your movements. In addition, any public postings you make may include your location, allowing anyone to know where you are or prove where you have been. If you do not like the permissions an app is requesting, simply find another app that better fits your requirements.

Be careful when using apps that request or store sensitive information. Even if the app is legitimate, there is no guarantee that the developer used good coding practices to protect your information while stored on the device or while transmitted over the Internet. Applications that consolidate sensitive information can be very convenient, but they are also targets for cyber criminals. Read the detailed description about the app and reviews from other users to see if there have been any security issues.

UPDATING APPS

Apps, just like your computer and mobile device operating system, must be updated in order to remain current. Bad guys are constantly searching for and finding weaknesses in apps. They then develop attacks to exploit these weaknesses. The app developers that created your app also create and release updates to fix these weaknesses and protect your devices. The more often you check for and install updates, the better. We recommend that you monitor your app stores and update your apps at least once a month. In addition, some apps can be set to update automatically, but please note that this may also automatically grant additional permissions if requested by that app.

IN-APP PURCHASES

Many applications today allow you to purchase additional features, new content, or the removal of advertising. A common mistake some people make is to store their app store credentials locally on their device, allowing them to easily make future purchases within an application. We highly recommend you do not allow your mobile device to save your app store credentials, log-in information, or payment information. Although convenient, this information may be available to, or misused by, anyone who has access to your mobile device, including the bad guys if your device has been remotely hacked. An alternative is to use gift cards or one-time use virtual credit card numbers instead.

CONCLUSION

We strongly encourage you to follow all the best practices discussed here. Mobile devices and apps are still a relatively new and fast growing field. In addition, one of the challenges we all face is that there are few options available for security software to help protect you and your apps. You are the best defense for your mobile devices.

RESOURCES

Some of the links shown below have been shortened for greater readability using the TinyURL service. To mitigate security issues, OUCH! always uses TinyURL’s preview feature, which shows you the ultimate destination of the link and asks your permission before proceeding to it.

Sophos Webcast on Android Security:
http://preview.tinyurl.com/73q5u76

5 Ways to Protect Your Mobile Apps:
http://preview.tinyurl.com/5wpghmp

iPhone Security Overview:
http://preview.tinyurl.com/783hg2v

iPhone App Insecurity:
http://preview.tinyurl.com/3w5a5cc

Common Security Terms:
http://preview.tinyurl.com/6wkpae5

SANS Tip of the Day:
http://preview.tinyurl.com/6s2wrkp

LEARN MORE

Subscribe to the monthly OUCH! security awareness newsletter, access the OUCH! archives, and learn more about SANS security awareness solutions by visiting us at http://www.securingthehuman.org

OUCH! is published by the SANS Securing The Human program and is distributed under the Creative Commons BY-NC-ND 3.0 license. Permission is granted to distribute this newsletter as long as you reference the source, the distribution is not modified and it is not used for commercial purposes. For translating or more information, please contact ouch@securingthehuman.org.
 
Editorial Board: Bill Wyman, Walt Scrivens, Phil Hoffman, Lance Spitzner, Cara Mueller

© The SANS Institute 2012 http://www.securingthehuman.org


Some Timely Reminders from Cyberheist News

 

1) This week, you will see a wave of Whitney Houston malware coming through, all trying to capitalize on her death. Think Before You Click!

2) Miscreants are sending tons of Valentine’s Day spam, laced with malicious links. Think Before You Click!

* Valentine’s Day Scams: For The Love Of Money

3) Viruses tend to come into end users’ mailboxes between 8 and 9am EST. I told you three times… Think Before You Click!

E-Mail Viruses Most Likely To Appear In The Morning

 

Cyberheist News

 


Digeus Registry Cleaner 7.3

 

I’m testing out Digeus Registry Cleaner Version 7.3.

I am receiving a free version as compensation for this entry and evaluation.

Here is brief information about the Product:

Digeus Registry Cleaner speeds up your computer by cleaning errors in your Windows. It removes the junk that accumulates in your Windows Registry, fixes Windows errors which results in speeding up your computer. With Digeus Registry Cleaner you just need a few mouse clicks and your computer will become as good as a brand new one.

Key features:
* Removes unused and invalid entries
* Speeds up boot up time
* Fixes Windows errors which results in speeding up your computer
* Eliminates BSOD (Blue Screen of Death)
* Invaluable when your system starts crashing, hangs, freezes and works slow
* This is one of the most popular registry cleaners on the Internet

Here are links to screenshots of Digeus Registry Cleaner:
http://www.digeus.com/products/regcleaner/images/regcleaner.jpg
http://www.digeus.com/products/regcleaner/images/registrycleaner01.jpg
http://www.digeus.com/products/regcleaner/images/registrycleaner02.jpg
http://www.digeus.com/products/regcleaner/images/registrycleaner03.jpg
http://www.digeus.com/products/regcleaner/images/registrycleaner04.jpg

For more information please visit:
http://www.digeus.com/products/regcleaner/registry-cleaner.html

 
