Digital Defense: When Your Phone Turns Against You
By David Gewirtz
Journal of Counterterrorism & Homeland Security International (IACSP), Vol. 15, No. 1
When it comes to cyber-security threats, even the lowly telephone can turn on us. In this article, I'll discuss how a misplaced phone can reach out and hurt someone, how your phone can be turned into a remote spying device, and even how fake phone calls are breaking down our first responder infrastructure.
Issues of cyber-security and information warfare can often seem more like science fiction than stark reality. Whether we're talking about attacks launched against our infrastructure from grandma's PC, threats from the sky built out of LEGO robots, or, now, attacks against police and fire responders coming from simple telephones, it all seems fairly unreal.
One way to understand the reality of it all is to think about the meaning behind two great sayings. The great science fiction writer Arthur C. Clarke once said, "Any sufficiently advanced technology is indistinguishable from magic." Another truism: "No battle plan ever survives contact with the enemy." There's some dispute whether it was said by Patton, Eisenhower, Field Marshall Helmuth Carl Bernard Graf von Moltke, or even Colin Powell, but someone said it, and it rings true.
Put those two into a blender, throw in some cyber-sense and a healthy dose of experience, and you'll get a phrase I've used more times than I care to count to illustrate the fundamental truth of the cyber-security threat: "No technology will remain uncorrupted if there's good money to be made."
Like most issues of cyber-security, the problem is that the underlying technology is too wildly complex for most consumers to grasp with any depth, availability of the technology is too wide, too cheap, and too embedded in the fabric of society to be successfully controlled by any governing body, and security threats seem too far fetched to be worth the extra effort that care and understanding would require.

And there's nothing more ubiquitous or more taken for granted than the plain ol' telephone.
Crackberry Addiction

Last April, Rafael Quintero Curiel, lead press advance person for the Mexican delegation, was caught stealing BlackBerry devices belonging to White House staffers who were attending meetings between U.S. President George W. Bush and Canadian and Mexican leaders in New Orleans. Unfortunately, Quintero Curiel was caught after the devices had been in his possession for some time.

This was not unexpected. I'd written about the risk to security if BlackBerry devices go missing when I discussed how the White House Deputy Chief of Staff had lost his (more than once) in Where Have All The Emails Gone?
Flash Memory, It's a Gas-gas-gas

There's nothing really surprising about losing a phone. What's surprising is what that loss could mean to security. There are two key issues here: what could be gotten off misplaced phones and what could be put on them.

Let's look first at what an enterprising thief might discover. To illustrate this, let's first visit with the former John McCain campaign. But before we visit with Mr. McCain's campaign, let's take a moment to discuss the mind-boggling security issues that stem from a simple, little object: the flash memory card.
Flash memory usually comes in two forms: the little cards you stick in phones and cameras, and the thumb drives you stick in the USB slots of computers. The most typical form of flash memory is the SD card, and it's about the size of your thumbnail, a little smaller than a postage stamp.

Once you realize (a) how much you can store on these things, (b) how small they are, and (c) how incredibly cheap they are, you can begin to appreciate the threat of data loss.
Let's put this into perspective: Old-school BlackBerry phones (from a year or so ago) can store about 64 megabytes of data. How much is 64 megabytes of data? The King James Bible is about 1,120 pages, or about 2.5 megabytes, so a typical 64 megabyte BlackBerry could hold about 25 King James Bibles' worth of information. That's the equivalent in strategic U.S. government information of about 28,000 printed pages of data, or seven complete sets of all seven Harry Potter novels.
But modern (meaning from this year) flash cards hold so very much more. Amazon.com is currently selling an 8 gigabyte flash card for $13.10 and a 2 gigabyte version for $1.54. Put in perspective, the $1.54 card has 31 times the capacity of that old 64 megabyte BlackBerry - and the $13 card can store 125 times that capacity.

How many Harry Potter novels can you fit on a $13.10 card that's smaller than a postage stamp? That'd be about 875 complete sets of all seven Harry Potter novels. In terms of government information, one SD card the size of your thumbnail can store 3.5 million pages of information. 3.5 million.

As you might imagine, objects as small as a postage stamp are easy to misplace . . . which brings us back to John McCain's campaign. After Mr. McCain lost his bid for the Presidency, his campaign began the usual dismantling of operations that occurs once an election is over. Rented office furniture and equipment is returned, and items that had been purchased are often sold off, helping offset expenses. Among the items sold off by the McCain campaign was a BlackBerry phone. This one, according to an investigation by Fox News' Tisha Thompson and Rick Yarborough, contained email messages and phone numbers:

"We traced the Blackberry back to a staffer who worked for 'Citizens for McCain' ... The emails contain an insider's look at how grassroots operations work, full of scheduling questions and rallying cries for support ... But most of the numbers were private cell phones for campaign leaders, politicians, lobbyists and journalists. 'Somebody made a mistake,' one owner told us. 'People's numbers and addresses were supposed to be erased.'"

To further illustrate the ease at which enormous data sets can get lost when stored on a device the size of a finger, consider the case of data lost by a British traffic cop. He didn't misplace a phone. Instead, he misplaced a 4GB thumb drive. But since phones also commonly store flash memory of a similar (or substantially greater) capacity than the missing thumb drive, this story is certainly illustrative.
The thumb drive lost by our troublesome bobby contained top-secret information on suspected Muslim terrorists operating in the U.K. According to police sources, it contained details of every deadly terror cell being tracked at the time by police in the West Midlands area of western, central England (near Birmingham). The reason this data exists is it's used to update police computers so extremists under surveillance aren't accidentally pulled over by traffic cops.

Of course, should the data fall into the hands of the bad guys, they'd know they were being watched, and likely transfer operations someplace new - setting investigation and apprehension back months or even, perhaps, years.
Here's another example. While we're discussing U.K. security failure stories, there's the one with the spying Chinese temptress who stole a senior Brit's BlackBerry while he was on a trip to China last January.

According to the U.K.'s The Sunday Times, a senior aide to British Prime Minister Gordon Brown had his BlackBerry stolen by Chinese intelligence agents while on a trip to China back in January.

The story gets particularly juicy because the senior Downing Street aide got caught in what's probably the world's oldest intelligence ploy, the "honey trap". No, I'm not talking about the rock band from Coventry, I'm talking about an intelligence scam where a particularly hot woman is used to lure a particularly horny guy into some form of compromising position.
In the case of our bollocksed-up British horndog, he was approached by a Chinese woman while in a Shanghai hotel disco. He agreed to return to his hotel with the woman, and the next thing we know is he reported the BlackBerry missing to the Prime Minister's Special Branch protection team the next morning.

I don't mean to just pick on our friends from across the pond, but they've been in the news a lot. As a matter of security, I never write about security breaches unless they've already been covered publicly, and some of the best stories are coming out of the U.K.
And that brings us to the story of a 28 year old deliveryman from Hempstead, Herts, who lives with his mum. It wasn't his fault. All he did was buy a Nikon Coolpix camera for 17 pound sterling on eBay. Little did he know it was chock full of spy data. When he downloaded pictures from a holiday, he discovered there were some other images on the camera's memory card as well. There were names, photos, fingerprints, and academic records of Al Qaeda terrorist suspects. There were photos of rocket launchers and missiles which MI6 thinks Iran is supplying to Osama Bin Laden's boys in Iraq. There was a hand-drawn graphic that showed links between active Al Qaeda cells, along with terrorist names and occupations. There was even a document marked "top secret" that described the encrypted computer system used by MI6.

When he tried to do the right thing, our poor deliveryman had a rude awakening. Initially, officers in the Hemel Hempstead Police Station thought the fellow was kidding. Then, as they (and Special Branch) started to take it all more seriously, the deliveryman lost not only his new camera, but his computer, which was later confiscated.
And so it goes ...
Is something bugging you?

I could go on about getting information off thumb drives, cameras, BlackBerry devices and other phones, but the stories get worse. What about what could be put on the device?
There is software easily obtainable on the Internet for about $250 that can turn pretty much any smartphone into a remote bugging device. Think about it. The typical phone has a speaker, so what if everything said in proximity of the phone was relayed to a remote listener? The typical phone has email, so what if every email message sent and received by the phone was relayed to a remote observer? Many smart phones have GPS, so what if the location of the phone's owner was dynamically relayed to bad guys in waiting? What if?

What if, indeed. This software is real and it can be installed on most smart phones. Once installed, it's completely undetectable. And it doesn't require the user's passwords to install. All a bad guy needs is to have hands-on access to the phone for about five minutes and the software is downloaded and installed from a remote Web site.
Here's a tip: don't ever let anyone else hold your phone. Remember Rafael Quintero Curiel? He's the guy who stole the White House BlackBerry phones I mentioned at the beginning of this article. Curiel had possession of the BlackBerrys for at least 20-25 minutes, and probably longer. We know it was a minimum of 20-25 minutes because we know he took them at the hotel and was forced to return them at the airport, and it takes 20-25 minutes to get from the hotel to the airport.

Yeah, I know.

There's yet more to this risk, because virtually all phones, cameras, and iPods are storage devices. Think about the risk to secure locations. An employee who brings a phone into a secure facility could be bringing anything in on the phone. The memory on a phone can store any kind of computer files, including programs, viruses, malware, worms, and other dangerous threats.
Firewalls are designed to keep threats of the Internet out of secure facilities. Some sites even sever all connections with the outside world, keeping the internal network pristine. But one iPod, plugged into one computer inside the internal network, could let loose all manner of demons (or daemons, for that matter).
One security strategy could be to prevent all electronic devices from crossing the threshold into a secured facility, but then the devices would all need to be stored somewhere, creating a security risk of a different sort.

My advice: do not allow employees to bring iPods, iPhones, BlackBerrys, cameras, or anything else into offices. Period.

Phishing, meet "Vishing"

Next up, let's talk about vishing and caller ID spoofing. The term "vishing" is a contraction of "voice" and "phishing," where, of course, phishing is the practice of using social engineering to get personal identifying information - things like credit card numbers, bank accounts, PIN numbers, social security numbers and the like.

Phishing is normally done via the Web and email. Vishing is done over the phone.

At the core of vishing is caller ID. Back in the day, when your phone said Bank of America (for example) was calling, BofA was calling. But with newer VoIP (Voice over IP) systems, it's becoming ridiculously easy for criminals, crackpots, scammers, and bored teenagers to feed misleading information into the caller ID system.

So, what's the result? For some unfortunate folks, it's a call that seems to be from their bank, telling them they need to change their PIN number or provide a missing social security number. After all, caller ID doesn't lie, so if the caller ID says the call's from the bank, the call is obviously from the bank. Right? Nope. Not so much.

Take, for example, an incident recently experienced by residents from Weld County, Colorado. Early in December, many of them got calls from the Colorado Credit Union, the Weld Schools Credit Union, Chase, and Wells Fargo banks. Each of these calls asked residents to punch in their debit card and PIN numbers. Victims were told their accounts will be closed or have been abused in some way, and if they want to keep them open, they were to call a 24/7 number to reactivate the accounts.

According to the FBI, vishing attacks like these are on the rise. And vishers aren't just stealing money, they're making mischief. Potentially deadly mischief.

Back in 2006, USA Today reported an early case of caller ID spoofing. At the time, New Brunswick, New Jersey police received a call from a woman who said she was being held hostage in her apartment. NBPD rolled SWAT, only to find there was no woman in the apartment and no call had ever come from her address.

The call was faked, and even though her caller ID showed up on New Brunswick police dispatch computers, it was a complete fabrication.

In another case, Wired reports that one Stuart Rosoff of Cleveland, Ohio used caller ID spoofing to target the father of a female crush. Calling himself a "swatter" (for his ability to get SWAT to respond), he placed a spoofed call to Alvarado, Texas police, causing them to roll a response team.

The call ostensibly came from the father of the woman and, posing as the father, Rosoff claimed "he had shot and killed members of the ... family, that he was holding hostages, that he was using hallucinogenic drugs, and that he was armed with an AK47. Rosoff, in the guise of the father, further demanded $50,000 and a Mexican border crossing, and threatened to kill the remaining hostages if his demands were not met."
Vishing is a potentially huge cyberterrorism threat. If fake calls and social engineering can send our emergency responders to the wrong location, the implications are terrifying. The events of September 11, 2001 were horrifying, but imagine just how much worse it could have been if emergency responders were misleadingly sent to the Empire State Building instead of the World Trade Center. Yes, some heroic firefighters might still be alive today - but a lot of the victims they saved might not be.

Just in case you think only the most technically capable can accomplish a vishing attack, think again. There is no skill barrier here. As a simple test, I typed "caller ID spoofing" into Google. Google had paid advertising links to 11 separate ads claiming everything from "Fake Caller ID to Show Anything Elvis, White House, FBI, Whatever" to "Change Your Voice, Record Calls, Get Your Instant Spoof Card Now".

Simply astonishing.
What can be done?
Several states are enacting or have enacted anti-caller ID spoofing laws. While they may provide new statutes with which to prosecute someone incautious enough to be caught, the new laws certainly won't prevent any of the practices discussed in this article.

As is the case with most cybersecurity and cyber-terrorism issues, awareness (and a bit of paranoia) may well be the best defense.

I am concerned, though, that caller ID spoofing, more than anything else, could have an immediate and tangible impact on our emergency services. Most emergencies are measured in the precious minutes of response, and if law enforcement has to take the extra time to verify an emergency call, or can't trust the nature of the call, serious harm may well befall citizens legitimately in need.
There are some other issues. These tiny electronic nightmares - phones, cameras, etc. - experience end-of-life quite rapidly, as newer and more powerful devices are available almost constantly. But the disposition of a used device isn't as simple as tossing it in the trash or selling it on eBay. Often, a device that seems fully erased isn't - or the internal memory is erased but the flash card is not.

We recently went through that process here, taking a Palm phone out of service. Although we went through the published steps necessary to zero the device's memory, a later inspection found all our contacts were still on the phone. Fortunately, we double and triple-check these things and will use a more in-depth destruction process before disposal.
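As an added example (not the article's own code, and not any vendor's wipe routine), here is how that double-check can be done over raw images of a retired handheld: a constructed device with an internal store and an SD card is "wiped" by a procedure that clears only the internal directory, and a raw-byte scan shows what is still recoverable before a full overwrite is verified. The device layout, the vCard-style records and the sample contacts are all constructed for illustration.

```python
"""Verify that a 'wiped' handheld really holds no recoverable contacts.
Added example; the two-region device layout and the sample records are
constructed here, not taken from the article or any real phone."""
import re

REGION_SIZE = 2048  # constructed: a tiny stand-in for each storage region

# Constructed sample contacts (not real people).
SAMPLE_CONTACTS = [
    ("Alice Example", "+1-555-0100", "alice@example.invalid"),
    ("Bob Sample", "+1-555-0199", "bob@example.invalid"),
]

def vcard(name, tel, email):
    return f"BEGIN:VCARD\nFN:{name}\nTEL:{tel}\nEMAIL:{email}\nEND:VCARD\n".encode()

def make_device(contacts):
    """Two raw regions, internal memory and the SD card. Contacts are
    synced to both, as a phone that backs up to its card would do."""
    body = b"".join(vcard(*c) for c in contacts)
    header = (b"DIR:%d" % len(contacts)).ljust(64, b"\0")
    region = header + body.ljust(REGION_SIZE - 64, b"\0")
    return {"internal": bytearray(region), "sd": bytearray(region)}

def published_wipe(dev):
    """Models the kind of 'zero the device memory' steps the article
    describes: the directory in internal memory is cleared, the record
    bytes behind it and the whole SD card are left untouched."""
    dev["internal"][0:64] = b"\0" * 64
    return dev

def overwrite_wipe(dev):
    """Overwrite every byte of every region so nothing survives."""
    for region in dev.values():
        region[:] = b"\0" * len(region)
    return dev

VCARD_RE = re.compile(rb"BEGIN:VCARD.*?END:VCARD", re.S)
PHONE_RE = re.compile(rb"\+?\d[\d-]{6,}\d")

def residual_records(dev):
    """Scan the raw bytes of each region, ignoring any directory
    structure, and report every record or phone number still present."""
    found = {}
    for name, region in dev.items():
        raw = bytes(region)
        hits = [m.group(0).decode() for m in VCARD_RE.finditer(raw)]
        hits += [m.group(0).decode() for m in PHONE_RE.finditer(raw)]
        if hits:
            found[name] = hits
    return found

def wipe_verified(dev):
    """True only when no region carries a recoverable record."""
    return not residual_records(dev)

if __name__ == "__main__":
    dev = published_wipe(make_device(SAMPLE_CONTACTS))
    print("after published wipe:", {k: len(v) for k, v in residual_records(dev).items()})
    print("verified clean after overwrite:", wipe_verified(overwrite_wipe(dev)))
```

The point of the scan is that it reads the raw bytes rather than asking the device's own directory what it thinks is there, which is exactly the check the published erase steps skip.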
So, what can we do?
Vendors can add value here. More vendors can add fail-safe features. Although there are a few vendors who offer encrypted SD cards, most do not.

Here's one encouraging example. Although the iPhone is far from secure, it does have a simple security feature. It allows users to both enable a PIN for access to the phone and enable an option to completely erase the phone if more than ten incorrect attempts have been made to type the PIN in. Of course, this minor security feature won't stand up to a nation state determined to extract information from a device, but will deter casual thieves.
Of course, we can educate. The more well-informed we make our law enforcement, military, and national security personnel, the more careful most people will be and the less chance we have of finding our most secret documents for sale on eBay.

For the very same reason, we also need to educate the general public. Although most Joe the Plumber types don't have national security documents, nearly all of them have personally identifiable information on their handheld devices. They need to be aware that care must be taken in the disposal of these devices to prevent identity theft and other crimes.

The bottom line, of course, is the same for all our cyber-security issues: there's risk, but added attention to security can go a long way toward keeping us safe. Let's just hope we can stay focused and stay safe.
In conclusion, let me remind you that cyberwar is a wildly asymmetric battle. The weapons used by our enemies are the very same products bought by our teenagers in Wal-Mart. The cost to "arm up" is almost ridiculously inexpensive, but the cost to defend is almost beyond our ability to imagine.

Every iPod, every phone, and every camera is a potential threat to our security. That's not paranoia - but simply a fact of modern life. There's something to keep you up at night.
About the Author

For more than 20 years, David Gewirtz, the author of Where Have All The Emails Gone? and The Flexible Enterprise, has analyzed current, historical, and emerging issues relating to technology, competitiveness, and policy. David Gewirtz is the Editor-in-Chief of ZATZ Publishing and has written more than 700 articles about technology. David is a former professor of computer science, has lectured at Princeton, Berkeley, UCLA, and Stanford, and has been awarded the prestigious Sigma Xi Research Award in Engineering and was a candidate for the 2008 Pulitzer Prize in Letters. He is the Cyberterrorism Advisor for IACSP.