Geo-Location Security: Issues & Best Practices
An overview of the security risks associated with geo-location enabled mobile devices and how to address them.

Published in: Technology
  • “Her father had taught her about a dog's paws. Whenever her father was alone with a dog in a house he would lean over and smell the skin at the base of its paw. This, he would say, as if coming away from a brandy snifter, is the greatest smell in the world! A bouquet! Great rumours of travel! It's a cathedral! her father had said, so-and-so's garden, that field of grasses, a walk through cyclamen--a concentration of hints of all the paths the animal had taken during the day.” I found this very true – my dog's day could be determined from the way she smelled - lying in the sun, swimming… I got to know my dog this way. These days = we implant GPS chips in our dogs. Is the same true for humans? Can you get to know a person by learning where they have been all day???? © 2005 Orthus Ltd
  • So I found 4 attendees (here in this room today) who participate in social network geo tagging
  • 0774 - I saw you were in Kensington a few weeks ago coming out of the Olympia the same day as the Adult Erotica Show 2012. I remember because I was in Notting Hill that day and I saw 0794 was there – I thought that was odd because I had just called his office and they said he was out sick. I also noticed 0776 goes to St. Mary’s in Earl’s Court. I take my kids to day school there and noticed that you go there every Monday night. Don’t they hold AA meetings in the basement on Monday nights? And 0745 - Did you lose your phone? Because every night it shows you on Brompton Street in Soho…. By the way, how’s your wife??? Anyway – I think I now know most of you a little bit better. Though you may question that. The question every business is asking itself these days is: Where are you? Why???? Two reasons:
  • What DHL pioneered with the 24/7 tracking of parcels – Businesses are now doing with people. Nonetheless, businesses using geo data are struggling
  • Technology allows real time location of users
  • Threats to Business
  • Law enforcement favorite
  • Threats to Business
  • Every single one of these uses resulted in lawsuits. Judged – in favour of the companies…
  • Cept this one…. FTC 24.5 million fine = PAID with the proviso that they don’t admit their guilt. Ask yourself: Why is Google interested in mapping? Because if you write the map = you define the reality
  • Shortest distance between 2 points is a straight line. A straight line drawn by Google will take you past Starbucks. NYC: Nike/Starbucks projects
  • Can = reduced costs and increased revenue. For businesses – it doesn’t get any better than that !!!!
  • Threats to Business
  • Businesses selling geo data are not struggling Companies are just taking it -
  • Threats to Business
  • Can someone “own” your whereabouts? A: YES !
  • Geo data = cash Our lives are being mapped for money. Where you go Where you went What you do What you did THIS IS BIG BUSINESS
  • On the PII location data valuable for Burglary Stalking ID Theft … Kidnapping
  • What’s going on here???
  • On the personal side – this data is EXTREMELY
  • iTunes store 1.99 Funny and creepy Provokes laughter & tears Novelty or tool for rapists Dependent on the user… Wake up call about privacy Sonar/radar = depicting pole dancers Standard geo app based on maps app Published publicly visible Facebook profiles through Foursquare Find a girl in a pub nearby Tap picture for information
  • Name: Zoe Looks like my kinda girl. 24 single Likes to party been on vacation in Ibiza Went to Stonebrook high school Then St Johns University Lives in Hammersmith Favorite actress: Keira Knightley Favorite movie Gone with the Wind Favorite Book: 50 Shades of Grey Has weakness for Margaritas…. Loves Lady Gaga Tap her photo album…
  • Leaving security to the user
  • Where’s the leadership
  • Leaving security to the user
  • Threats to Business
  • Leaving security to the user
  • Once again we are behind the curve on this issue Like wireless, cloud computing, credit card data, medical records etc….
  • It's this simple: Geo data = PII – AND MUST BE PROTECTED AS SUCH 33B Sinclair Gardens - 6:30 – 5 blocks west to Shepherd's Bush tube -
  • Threats to Business
  • We’re here as professionals. But this is personal Where you go Where you went What you do What you did It doesn’t get any more personal than that

    1. Geo-Location Security: Issues & Best Practices
    2. “Her father had taught her about a dog's paws. Whenever her father was alone with a dog in a house he would lean over and smell the skin at the base of its paw. This, he would say, as if coming away from a brandy snifter, is the greatest smell in the world! A bouquet! Great rumours of travel! It's a cathedral! her father had said, so-and-so's garden, that field of grasses, a walk through cyclamen--a concentration of hints of all the paths the animal had taken during the day.” Michael Ondaatje, The English Patient
    3. Getting to Know You • 07774 23X XXX • 07940 47X XXX • 07761 55X XXX • 07459 13X XXX
    4. Where are you?
    5. Value
    6. How: • Satellite tracking • Web browsing • Mobile phone • GPS devices • RFID tags • Credit / debit card transactions • Geo tags photos / postings • Proximity readers
    7. How: A desktop browser is likely to use WiFi (accurate to 20m) or IP Geolocation, which is accurate to the city or post code depending on your ISP. Mobile devices tend to use triangulation techniques such as GPS (accurate to 10m and only works outside), WiFi and GSM/CDMA cell IDs (accurate to 1000m).
    8. Browser Based: The Geolocation API is default in the following desktop browsers: • Firefox 3.5+ • Chrome 5.0+ • Safari 5.0+ • Opera 10.60+ • Internet Explorer 9.0+ • And for updates on earlier versions for all of the above
    9. App Based: And the W3C Geolocation API on mobile devices: • Android 2.0+ • iPhone 3.0+ • Opera Mobile 10.1+ • Symbian (S60 3rd & 5th generation) • Blackberry OS 6 • Maemo
    10. Detail of Data Captured
    11. On the Road?
    12. Downloading It
    13. Hacking It
    14. Where You Live
    15. Business Uses: A US-based car rental company started using GPS tracking devices to monitor the driving speeds of its customers. If a customer's car exceeded 79 miles per hour for 2 continuous minutes, they were charged an additional $150 (without their consent).
    16. Example: A French insurance company used both mobile phone and car GPS data to track sales executive locations and cross-reference them to their expense accounts. The policy resulted in 21 employee dismissals and the identification of over .5 million euro in false claims.
    17. Example: Earlier this year, a large New York-based charity used geo-location data from Grindr to identify homosexuals working in their offices. 4 employees were fired for “inappropriate behavior.”
    18. I’ll Be Watching You
    19. Lay of the Land
    20. Every Word You Say • Tracking customers • Tracking employees • Tracking competitors • Tracking subjects
    21. Every Single Day • Competitive Intelligence – Location of executives easily discloses activities such as mergers and acquisitions or real estate sitings. • Targeting Intelligence – Location of subjects by private detectives – Location of subjects by the media
    22. Every Claim You Stake
    23. Can Someone Own Your Whereabouts?
    24. Can’t You See, You Belong To Me?
    25. Every Pound They Make =
    26. Every Law You Break
    27. Every Arm You Break
    28. Every Snack You Take
    29. Every Move You Make
    30. Every Word You Say • How the app exposes the users is not the problem. • How Google Maps, Facebook and Foursquare expose the users without their knowledge is the problem. • Opt out is the default not opt in. • Social networking business model = get everyone to share everything • Your personal information (your life) is their product
    31. I’ll Be Watching You: "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place," Former Google CEO: Eric Schmidt
    32. Industry Response: User beware !
    33. Every Window You Break
    34. Every IP You Fake
    35. Fake Your Location
    36. Industry Location
    37. Understand the Data • Where you go • Where you went • What you do • What you did • Forever
    38. Data Classification + = PII
    39. Regulatory Conundrum: Geo-location data falls under a special category of data subject to the E-Privacy Directive. To comply you must either: – Obtain prior consent - or: – Process the data anonymously (Good luck as this includes UDID, IMEI, MAC or IP addresses)
    40. Best Practices? • Information Security Governance Framework • Policies • Identification, Classification & Marking • Prior Consent • Identifier Sanitisation (UDID, IMEI, IPs) • Privacy Statements • Limited Retention • Testing & Auditing
    41. Find the Browser Secrets
    42. Change Defaults
    43. Change Defaults
    44. DIY. Apple Safari: • Go to the ‘Display a menu of General Safari settings’ • Go to ‘Preferences’ • Go to ‘Security’ • Uncheck ‘Allow websites to ask for location information’. Comodo Dragon: • Go to the ‘Customize and control Comodo Dragon’ icon • Go to ‘Options’ • Go to ‘Under the Bonnet’ • Choose ‘Content Settings’ • Choose ‘Location’ • Check ‘Do not allow any site to track my physical location’. Facebook: • Go to Privacy Settings • Click ‘Custom’ • Click ‘Custom Settings’ • Disable ‘Places I check in’ • Disable ‘People here now’ • Disable ‘Friends can check me in to places’
    45. DIY. Google Chrome: • Go to the ‘Customize and control Google Chrome’ icon • Go to ‘Options’ • Go to ‘Under the Bonnet’ • Choose ‘Content Settings’ • Choose ‘Location’ • Check ‘Do not allow any site to track my physical location’. Google GMail: • Scroll down on your GMail page until you reach ‘Last account activity:’ • Hit ‘Details’ • Scroll down • Check ‘Never show an alert for unusual activity’. Google Toolbar: • Go to the ‘Adjust Toolbar options’ icon • Go to Tools • Uncheck ‘My Location’ • Hit Save
    46. Where are you?
    47. Geo-Location Security
