Risk Factory Geo-location Security Issues & Best Practices
An overview of the security risks associated with geo-location enabled mobile devices and how to address them.


Published in Technology
  • Please identify the company that fired gay employees for associating with other gay people online.
  • “Her father had taught her about a dog's paws. Whenever her father was alone with a dog in a house he would lean over and smell the skin at the base of its paw. This, he would say, as if coming away from a brandy snifter, is the greatest smell in the world! A bouquet! Great rumours of travel! It's a cathedral! her father had said, so-and-so's garden, that field of grasses, a walk through cyclamen--a concentration of hints of all the paths the animal had taken during the day.” I found this very true – my dog's day could be determined from the way she smelled: lying in the sun, swimming… I got to know my dog this way. These days we implant GPS chips in our dogs. Is the same true for humans? Can you get to know a person by learning where they have been all day? © 2005 Orthus Ltd
  • So I found 4 attendees (here in this room today) who participate in social network geo tagging
  • 0774 - I saw you were in Kensington a few weeks ago coming out of the Olympia the same day as the Adult Erotica Show 2012. I remember because I was in Notting Hill that day and I saw 0794 was there – I thought that was odd because I had just called his office and they said he was out sick. I also noticed 0776 goes to St. Mary’s in Earl’s Court. I take my kids to day school there and noticed that you go there every Monday night. Don’t they hold AA meetings in the basement on Monday nights? And 0745 - did you lose your phone? Because every night it shows you on Brompton Street in Soho… By the way, how’s your wife? Anyway – I think I now know most of you a little bit better. Though you may question that. The question every business is asking itself these days is: Where are you? Why? Two reasons:
  • What DHL pioneered with the 24/7 tracking of parcels, businesses are now doing with people. Nonetheless, businesses using geo data are struggling.
  • Technology allows real time location of users
  • Technology allows real time location of users
  • Threats to Business
  • Threats to Business
  • Threats to Business
  • Threats to Business
  • Law enforcement favorite
  • Threats to Business
  • Threats to Business
  • Every single one of these uses resulted in lawsuits, judged in favour of the companies…
  • Except this one… FTC 24.5 million fine: paid, with the proviso that they don’t admit their guilt. Ask yourself: Why is Google interested in mapping? Because if you write the map, you define the reality.
  • Shortest distance between 2 points is a straight line. A straight line drawn by Google will take you past Starbucks. NYC: Nike/Starbucks projects
  • Can = reduced costs and increased revenue. For businesses – it doesn’t get any better than that!
  • Threats to Business
  • Businesses selling geo data are not struggling. Companies are just taking it -
  • Threats to Business
  • Can someone “own” your whereabouts? A: YES!
  • Geo data = cash. Our lives are being mapped for money. Where you go. Where you went. What you do. What you did. THIS IS BIG BUSINESS
  • On the PII: location data valuable for burglary, stalking, ID theft … kidnapping
  • What’s going on here?
  • What’s going on here?
  • On the personal side – this data is EXTREMELY
  • iTunes store 1.99. Funny and creepy. Provokes laughter & tears. Novelty or tool for rapists: dependent on the user… Wake up call about privacy. Sonar/radar = depicting pole dancers. Standard geo app based on maps app. Published publicly visible Facebook profiles through Foursquare. Find a girl in a pub nearby. Tap picture for information.
  • Name: Zoe. Looks like my kinda girl. 24, single. Likes to party, been on vacation in Ibiza. Went to Stonebrook high school, then St Johns University. Lives in Hammersmith. Favorite actress: Keira Knightley. Favorite movie: Gone with the Wind. Favorite book: 50 Shades of Grey. Has weakness for Margaritas… Loves Lady Gaga. Tap her photo album…
  • Leaving security to the user
  • Where’s the leadership
  • Leaving security to the user
  • Leaving security to the user
  • Leaving security to the user
  • Threats to Business
  • Leaving security to the user
  • Once again we are behind the curve on this issue, like wireless, cloud computing, credit card data, medical records etc…
  • It's this simple: Geo data = PII – AND MUST BE PROTECTED AS SUCH. 33B Sinclair Gardens - 6:30 – 5 blocks west to Shepherd's Bush tube -
  • Threats to Business
  • Threats to Business
  • Threats to Business
  • We’re here as professionals. But this is personal. Where you go. Where you went. What you do. What you did. It doesn’t get any more personal than that.

Transcript

  • 1. Geo-Location Security: Issues & Best Practices
  • 2. “Her father had taught her about a dog's paws. Whenever her father was alone with a dog in a house he would lean over and smell the skin at the base of its paw. This, he would say, as if coming away from a brandy snifter, is the greatest smell in the world! A bouquet! Great rumours of travel! It's a cathedral! her father had said, so-and-so's garden, that field of grasses, a walk through cyclamen--a concentration of hints of all the paths the animal had taken during the day.” Michael Ondaatje, The English Patient
  • 3. Getting to Know You • 07774 23X XXX • 07940 47X XXX • 07761 55X XXX • 07459 13X XXX
  • 4. Where are you?
  • 5. Value
  • 6. How
      • Satellite tracking
      • Web browsing
      • Mobile phone
      • GPS devices
      • RFID tags
      • Credit / debit card transactions
      • Geo tags photos / postings
      • Proximity readers
  • 7. How: A desktop browser is likely to use WiFi (accurate to 20 m) or IP geolocation, which is accurate to the city or post code depending on your ISP. Mobile devices tend to use triangulation techniques such as GPS (accurate to 10 m and only works outside), WiFi and GSM/CDMA cell IDs (accurate to 1000 m).
  • 8. Browser Based: The Geolocation API is default in the following desktop browsers:
      • Firefox 3.5+
      • Chrome 5.0+
      • Safari 5.0+
      • Opera 10.60+
      • Internet Explorer 9.0+
      • And for updates on earlier versions for all of the above
  • 9. App Based: And the W3C Geolocation API on mobile devices:
      • Android 2.0+
      • iPhone 3.0+
      • Opera Mobile 10.1+
      • Symbian (S60 3rd & 5th generation)
      • Blackberry OS 6
      • Maemo
  • 10. Detail of Data Captured
  • 11. On the Road?
  • 12. Downloading It
  • 13. Hacking It
  • 14. Where You Live
  • 15. Business Uses: A US-based car rental company started using GPS tracking devices to monitor the driving speeds of its customers. If a customer's car exceeded 79 miles per hour for 2 continuous minutes, they were charged an additional $150 (without their consent).
  • 16. Example: A French insurance company used both mobile phone and car GPS data to track sales executive locations and cross-reference them to their expense accounts. The policy resulted in 21 employee dismissals and the identification of over .5 million euro in false claims.
  • 17. Example: Earlier this year, a large New York-based charity used geo-location data from Grindr to identify homosexuals working in their offices. 4 employees were fired for “inappropriate behavior.”
  • 18. I’ll Be Watching You
  • 19. Lay of the Land
  • 20. Every Word You Say • Tracking customers • Tracking employees • Tracking competitors • Tracking subjects
  • 21. Every Single Day
      • Competitive Intelligence – Location of executives easily discloses activities such as mergers and acquisitions or real estate sitings.
      • Targeting Intelligence – Location of subjects by private detectives – Location of subjects by the media
  • 22. Every Claim You Stake
  • 23. Can Someone Own Your Whereabouts?
  • 24. Can’t You See, You Belong To Me?
  • 25. Every Pound They Make =
  • 26. Every Law You Break
  • 27. Every Arm You Break
  • 28. Every Snack You Take
  • 29. Every Move You Make
  • 30. Every Word You Say
      • How the app exposes the users is not the problem.
      • How Google Maps, Facebook and Foursquare expose the users without their knowledge is the problem.
      • Opt out is the default not opt in.
      • Social networking business model = get everyone to share everything
      • Your personal information (your life) is their product
  • 31. I’ll Be Watching You: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Former Google CEO: Eric Schmidt
  • 32. Industry Response User beware !
  • 33. Every Window You Break
  • 34. Every IP You Fake
  • 35. Fake Your Location
  • 36. Industry Location
  • 37. Understand the Data
      • Where you go
      • Where you went
      • What you do
      • What you did
      • Forever
  • 38. Data Classification + = PII
  • 39. Regulatory Conundrum: Geo-location data falls under special category of data subject to E-Privacy Directive. To comply you must either:
      • Obtain prior consent - or:
      • Process the data anonymously (Good luck as this includes UDID, IMEI, MAC or IP addresses)
  • 40. Best Practices? Information Security Governance Framework
      • Policies
      • Identification, Classification & Marking
      • Prior Consent
      • Identifier Sanitisation (UDID, IMEI, IPs)
      • Privacy Statements
      • Limited Retention
      • Testing & Auditing
  • 41. Find the Browser Secrets
  • 42. Change Defaults
  • 43. Change Defaults
  • 44. DIY
      Apple Safari:
      • Go to the ‘Display a menu of General Safari settings’
      • Go to ‘Preferences’
      • Go to ‘Security’
      • Uncheck ‘Allow websites to ask for location information’
      Comodo Dragon:
      • Go to the ‘Customize and control Comodo Dragon’ icon
      • Go to ‘Options’
      • Go to ‘Under the Bonnet’
      • Choose ‘Content Settings’
      • Choose ‘Location’
      • Check ‘Do not allow any site to track my physical location’
      Facebook:
      • Go to Privacy Settings
      • Click ‘Custom’
      • Click ‘Custom Settings’
      • Disable ‘Places I check in’
      • Disable ‘People here now’
      • Disable ‘Friends can check me in to places’
  • 45. DIY
      Google Chrome:
      • Go to the ‘Customize and control Google Chrome’ icon
      • Go to ‘Options’
      • Go to ‘Under the Bonnet’
      • Choose ‘Content Settings’
      • Choose ‘Location’
      • Check ‘Do not allow any site to track my physical location’
      Google GMail:
      • Scroll down on your GMail page until you reach Last account activity:
      • Hit Details
      • Scroll down
      • Check Never show an alert for unusual activity
      Google Toolbar:
      • Go to the ‘Adjust Toolbar options’ icon
      • Go to Tools
      • Uncheck ‘My Location’
      • Hit Save
  • 46. Where are you?
  • 47. Geo-Location Security
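
The prior consent, identifier sanitisation and limited retention practices from slides 39 and 40, applied to stored location fixes, as an added example that is not part of the original presentation. The field names, the 30-day retention limit, the two-decimal coordinate grid and ISO 8601 UTC timestamps are all assumptions, and coarsening reduces identifiability rather than guaranteeing anonymity.

```javascript
// Added example; field names and the constants below are assumptions.
const RETENTION_MS = 30 * 24 * 60 * 60 * 1000; // assumed 30-day retention limit
const GRID_DECIMALS = 2; // 0.01 degree of latitude is roughly 1.1 km
const IDENTIFIER_FIELDS = ["udid", "imei", "mac", "ip"]; // named on slide 39

function coarsen(value, decimals) {
  const factor = 10 ** decimals;
  return Math.round(value * factor) / factor;
}

// Returns the record that may be stored, or null when it must be discarded.
function sanitiseLocationRecord(record, nowMs) {
  const ageMs = nowMs - Date.parse(record.timestamp);
  // Limited retention: drop unparseable, future-dated or expired fixes.
  if (!(ageMs >= 0 && ageMs <= RETENTION_MS)) return null;
  if (!Number.isFinite(record.lat) || !Number.isFinite(record.lon)) return null;
  // Prior consent recorded: keep the fix as collected.
  if (record.consent === true) return { ...record };
  // No consent: allowlisted output, so identifiers never reach storage.
  return {
    lat: coarsen(record.lat, GRID_DECIMALS),
    lon: coarsen(record.lon, GRID_DECIMALS),
    day: record.timestamp.slice(0, 10), // date only (assumes ISO 8601)
  };
}

function sanitiseBatch(records, nowMs) {
  const stored = [];
  let discarded = 0;
  for (const record of records) {
    const out = sanitiseLocationRecord(record, nowMs);
    if (out === null) { discarded += 1; continue; }
    // Defence in depth: a non-consented record must carry no identifier.
    if (out.consent !== true && IDENTIFIER_FIELDS.some((f) => f in out)) {
      throw new Error("identifier leaked into sanitised record");
    }
    stored.push(out);
  }
  return { stored, discarded };
}

// Constructed sample fixes (documentation-range IP, made-up identifiers).
const NOW_MS = Date.parse("2012-10-31T00:00:00Z");
const SAMPLE = [
  { udid: "udid-constructed-1", imei: "000000000000000", ip: "192.0.2.10", lat: 51.50735, lon: -0.22417, timestamp: "2012-10-30T08:30:00Z" },
  { consent: true, mac: "00:00:5E:00:53:01", lat: 51.4927, lon: -0.2229, timestamp: "2012-10-29T18:05:00Z" },
  { imei: "000000000000001", lat: 51.5, lon: -0.19, timestamp: "2012-08-01T09:00:00Z" },
];
console.log(sanitiseBatch(SAMPLE, NOW_MS));
```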