_
Traveling Light in a Time of Digital Thievery
By NICOLE PERLROTH

Published: February 10, 2012

SAN FRANCISCO — When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film.
.

Kenneth G. Lieberthal of the Brookings Institution takes precautions while traveling. He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.” What might have once sounded like the behavior of a paranoid is now standard operating procedure for officials at American government agencies, research groups and companies that do business in China and Russia — like Google, the State Department and the Internet security giant McAfee. Digital espionage in these countries, security experts say, is a real and growing threat — whether in pursuit of confidential government information or corporate trade secrets.

“If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,” said Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence.

Theft of trade secrets was long the work of insiders — corporate moles or disgruntled employees. But it has become easier to steal information remotely because of the Internet, the proliferation of smartphones and the inclination of employees to plug their personal devices into workplace networks and cart proprietary information around. Hackers’ preferred modus operandi, security experts say, is to break into employees’ portable devices and leapfrog into employers’ networks — stealing secrets while leaving nary a trace.

Targets of hack attacks are reluctant to discuss them and statistics are scarce. Most breaches go unreported, security experts say, because corporate victims fear what disclosure might mean for their stock price, or because those affected never knew they were hacked in the first place. But the scope of the problem is illustrated by an incident at the United States Chamber of Commerce in 2010.

The chamber did not learn that it — and its member organizations — were the victims of a cybertheft that had lasted for months until the Federal Bureau of Investigation told the group that servers in China were stealing information from four of its Asia policy experts, who frequent China. By the time the chamber secured its network, hackers had pilfered at least six weeks worth of e-mails with its member organizations, which include most of the nation’s largest corporations. Later still, the chamber discovered that its office printer and even a thermostat in one of its corporate apartments were still communicating with an Internet address in China.

The chamber did not disclose how hackers had infiltrated its systems, but its first step after the attack was to bar employees from taking devices with them “to certain countries,” notably China, a spokesman said.

The implication, said Jacob Olcott, a cybersecurity expert at Good Harbor Consulting, was that devices brought into China were hacked. “Everybody knows that if you are doing business in China, in the 21st century, you don’t bring anything with you. That’s ‘Business 101’ — at least it should be.”

Neither the Chinese nor Russian embassies in Washington responded to several requests for comment. But after Google accused Chinese hackers of breaking into its systems in 2010, Chinese officials gave this statement: “China is committed to protecting the legitimate rights and interests of foreign companies in our country.”

Still, United States security experts and government officials say they are increasingly concerned about breaches from within these countries into corporate networks — whether through mobile devices or other means.

Last week, James R. Clapper, the director of national intelligence, warned in testimony before the Senate Intelligence Committee about theft of trade secrets by “entities” within China and Russia. And Mike McConnell, a former director of national intelligence, and now a private consultant, said in an interview, “In looking at computer systems of consequence — in government, Congress, at the Department of Defense, aerospace, companies with valuable trade secrets — we’ve not examined one yet that has not been infected by an advanced persistent threat.”

(Page 2 of 2)

Both China and Russia prohibit travelers from entering the country with encrypted devices unless they have government permission. When officials from those countries visit the United States, they take extra precautions to prevent the hacking of their portable devices, according to security experts.

Now, United States companies, government agencies and organizations are doing the same by imposing do-not-carry rules. Representative Mike Rogers, the Michigan Republican who is chairman of the House Intelligence Committee, said its members could bring only “clean” devices to China and were forbidden from connecting to the government’s network while abroad. As for himself, he said he traveled “electronically naked.” At the State Department, employees get specific instruction on how to secure their devices in Russia and China, and are briefed annually on general principles of security. At the Brookings Institution, Mr. Lieberthal advises companies that do business in China. He said that there was no formal policy mandating that employees leave their devices at home, “but they certainly educate employees who travel to China and Russia to do so.”

McAfee, the security company, said that if any employee’s device was inspected at the Chinese border, it could never be plugged into McAfee’s network again. Ever. “We just wouldn’t take the risk,” said Simon Hunt, a vice president.

At AirPatrol, a company based in Columbia, Md., that specializes in wireless security systems, employees take only loaner devices to China and Russia, never enable Bluetooth and always switch off the microphone and camera. “We operate under the assumption that we will inevitably be compromised,” said Tom Kellermann, the company’s chief technology officer and a member of President Obama’s commission on cybersecurity.

Google said it would not comment on its internal travel policies, but employees who spoke on condition of anonymity said the company prohibited them from bringing sensitive data to China, required they bring only loaner laptops or have their devices inspected upon their return.

Federal lawmakers are considering bills aimed at thwarting cybertheft of trade secrets, although it is unclear whether this legislation would directly address problems that arise from business trips overseas.

In the meantime, companies are leaking critical information, often without realizing it.

“The Chinese are very good at covering their tracks,” said Scott Aken, a former F.B.I. agent who specialized in counterintelligence and computer intrusion. “In most cases, companies don’t realize they’ve been burned until years later when a foreign competitor puts out their very same product — only they’re making it 30 percent cheaper.”

“We’ve already lost our manufacturing base,” he said. “Now we’re losing our R.& D. base. If we lose that, what do we fall back on?”

SOURCE

 

_Understanding Mobile Apps


If you have a smart phone or other mobile device, you probably use apps – to play games, get turn-by-turn directions, access news, books, weather, and more. Easy to download and often free, mobile apps can be so much fun and so convenient that you might download them without thinking about some key considerations: how they’re paid for, what information they may gather from your device, or who gets that information.

    Mobile App Basics
    Questions About Your Privacy
    Questions About Advertising
    Malware and Security Concerns
    Mobile App User Reviews

Mobile App Basics
What’s a mobile app?

A mobile app is a software program you can download and access directly using your phone or another mobile device, like a tablet or music player.
What do I need to download and use an app?

You need a smart phone or another mobile device with internet access. Not all apps work on all mobile devices. Once you buy a device, you’re committed to using the operating system and the type of apps that go with it. The Android, Apple, Microsoft and BlackBerry mobile operating systems have app stores online where you can look for, download, and install apps. Some online retailers also offer app stores. You’ll have to use an app store that works with your device’s operating system. To set up an account, you may have to provide a credit card number, especially if you’re going to download an app that isn’t free.

    Data Plans and Wi-Fi: Two ways to access the internet from your phone
    You can access the internet using a data plan tied to your phone service, or through a Wi-Fi hotspot. Phone companies generally charge a monthly fee for a data plan that can connect you to the internet.

    Wi-Fi connections usually are faster, but you have to be in range of a hotspot to use one. Most public Wi-Fi hotspots – like those in coffee shops, airports, and hotels – don't encrypt the information you send over the internet and are not secure. Get tips for using public Wi-Fi.

    To set up a home wireless network, you'll need to pay for internet access and a wireless router, and you’ll want to take steps to secure the network.

Why are some apps free?

Some apps are distributed for free through app stores; the developers make money in a few ways:

    Some sell advertising space within the app. The app developers can earn money from the ads, so they distribute the app for free to reach as many users as possible.
    Some apps offer their basic versions for free. Their developers hope you’ll like the app enough to upgrade to a paid version with more features.
    Some apps allow you to buy more features within the app itself. Usually, you are billed for these in-app purchases through the app store. Many devices have settings that allow you to block in-app purchases.
    Some apps are offered free to interest you in a company’s other products. These apps are a form of advertising.

Questions About Your Privacy
What types of data can apps access?

When you sign up with an app store or download individual apps, you may be asked for permission to let them access information on your device. Some apps may be able to access:

    your phone and email contacts
    call logs
    internet data
    calendar data
    data about the device’s location
    the device’s unique IDs
    information about how you use the app itself

Some apps access only the data they need to function; others access data that’s not related to the purpose of the app.

If you’re providing information when you’re using the device, someone may be collecting it – whether it’s the app developer, the app store, an advertiser, or an ad network. And if they’re collecting your data, they may share it with other companies.
How can I tell what information an app will access or share?

It’s not always easy to know what data a specific app will access, or how it will be used. Before you download an app, consider what you know about who created it and what it does. The app stores may include information about the company that developed the app, if the developer provides it. If the developer doesn’t provide contact information – like a website or an email address – the app may be less than trustworthy.

If you’re using an Android operating system, you will have an opportunity to read the “permissions” just before you install an app. Read them. It’s useful information that tells you what information the app will access on your device. Ask yourself whether the permissions make sense given the purpose of the app; for example, there’s no reason for an e-book or “wallpaper” app to read your text messages.
Why do some apps collect location data?

Some apps use specific location data to give you maps, coupons for nearby stores, or information about who you might know nearby. Some provide location data to ad networks, which may combine it with other information in their databases to target ads based on your interests and your location.

Once an app has your permission to access your location data, it can do so until you change the settings on your phone. If you don’t want to share your location with advertising networks, you can turn off location services in your phone’s settings. But if you do that, apps won’t be able to give you information based on your location unless you enter it yourself.

Your phone uses general data about its location so your phone carrier can efficiently route calls. Even if you turn off location services in your phone’s settings, it may not be possible to completely stop it from broadcasting your location data.

Questions About Advertising

Why does the app I downloaded have ads in it?

Developers want to provide their apps as inexpensively as possible so lots of people will use them. If they sell advertising space in the app, they can offer the app for a lower cost than if it didn’t have ads. Some developers sell space in their apps to ad networks that, in turn, sell the space to advertisers.

Why do I see the ads I do?

Advertisers believe you’re more likely to click on an ad targeted to your specific interests. So ad networks gather the information apps collect, including your location data, and may combine it with the kind of information you provide when you register for a service or buy something online. The combined information allows the mobile ad network to send you targeted ads – ads that may be relevant to someone with your preferences and in your location.
Malware and Security Concerns

Should I update my apps?

Your phone may indicate when updates are available for your apps. It’s a good idea to update the apps you’ve installed on your device and the device’s operating system when new versions are available. Updates often have security patches that protect your information and your device from the latest malware.
Could an app infect my phone with malware?

Some hackers have created apps that can infect phones and mobile devices with malware. If your phone sends email or text messages that you didn’t write, or installs apps that you didn’t download, you could be looking at signs of malware.

If you think you have malware on your device, you have a few options: you can contact customer support for the company that made your device; you can contact your mobile phone carrier for help; or you can install a security app to scan and remove apps if it detects malware. Security apps for phones are relatively new; there are only a few on the market, including some with free versions.

Mobile App User Reviews
Can I trust all the user reviews I read about an app?

Most app stores include user reviews that can help you decide whether to download. But some app developers and their marketers have posed as consumers to post positive comments about their own products. In fact, the Federal Trade Commission recently sued a company for posting fake comments about the apps it was paid to promote.

SOURCE LINK