Interview with Yury Chemerkin — Mobile Applications, Cybersecurity Threats and Data Protection

The second interview we have prepared together with the help of DefCamp team has Yuri Chemerkin as the main guest. Yury Chemerkin is a Security Expert with ten years of experience in information security. He is multi-skilled on security & compliance and mainly focused on privacy and leakage showdown, and his key activities fields are EMM and Mobile Computing, IAM, Cloud Computing, Forensics & Compliance.

Furthermore, Yuri has published many papers on mobile and cloud security, and he regularly appears at conferences such as CyberCrimeForum, HackerHalted, DefCamp, NullCon, OWASP, CONFidence, Hacktivity, Hackfest, DeepSec Intelligence, HackMiami, NotaCon, BalcCon, Intelligence Sec, InfoSec NetSysAdmins, etc.

1. Are people still using the same credentials for their applications, either if they are for Facebook or some shady app that has bad security and can easily get hacked and their data (that can be unencrypted and in plain text) get leaked?

Yes, that’s correct. We can divide applications into several categories:

- Worst Apps — without protection (send or store passwords);

- Bad Apps — with an average protection and a chance it might be broken in certain cases with known tools and services

- Good Apps — is a case when attacker needs to perform much more efforts and a customer can feel secure, and the ‘best apps’ is a case when developers trying to keep the highest security level to prevent any attackers to extract data from device’s storage or network channel. In this case, all mentioned below might lead to the leakage:

- having even one ‘worst’ application and one password for all your application you might get leaked

- falling with ‘bad’ application into a situation, when the place is not trusted

- unexpected cases with ‘good’ and ‘best’ apps when there’s a chance to break into a device (e.g. forensics software to bypass device security mechanisms) It’s also a part of personal risk management and sometimes a reason to avoid using particular apps or uninstalling them. Note, the password is not a big issue, you can change it and keep as many passwords as you want, but if we talk about bank card or passport, then the quantity of ‘values’ is not big, i.e. you can have as many passports as you want, and amount of card might also be limited (having a lot of cards is a bit useless)

2. Should we trust giving personal data to big companies like Facebook, Google, and many others, even though they have good security, they might still sell, give away relevant data to companies looking to target specific people for marketing campaigns or use our data to train their AI?

It does not look possible to avoid giving away our personal data, because “Surveillance is the business model of the internet” Bruce Schneier (с). As much this situation keeps going, as more we’re on a hook. However, I think we could expect in the future a paid feature doesn’t “analyze the content” apart from filtering out spam, malware, and other features.

3. What are some practical tips about protecting our data and privacy while using our beloved smartphones?

First of all, one should definitely keep an eye on the protection level of a given app. Even though the old applications with a history of updates are generally more trustworthy than the newer ones, they still may have security issues. Those arise due to the updates being unreliable in terms of the level of security lower than in the previous release. And though the app may generally have a good protection level, there may be problems arising with information leakages like geo- and device data. This may, for instance, be caused by the issues in the protection of a given OS.

Furthermore, the outdated OS itself may have certain security problems influencing the work of various apps in case their developer only relies on the protection mechanisms of the updated operating system the app is fitted for. The data can be also accessed by the third party with the use of numerous extraction tools from the simplest ones accessible to the public to forensic software for data acquisition. There is a particular danger for the user if he has the same data within two or more apps, one out of which is poorly protected.

4. We know that some phone manufacturers may have pre-installed backdoors or spyware to track their users. Is there any way we can protect against the surveillance that we financed by buying our phones?

It is hard to define in advance what mobile devices have preinstalled spyware or malware. The best advice here is waiting couple months at least before buying device; this time is usually used to fix current issues related to the last OS version and be a chance if someone (IT security pro) finds suspicious software. Another solution is buying mobile devices with a clean OS without preinstalled branded applications. Overall, this explains the necessity for both the professionals of IT security sphere and the users themselves to be informed of the potential app insecurities and methods to avoid data stealing and reduce the risk when using mobile applications.

5. Even if the applications or services are secure, we are still vulnerable to so-called phishing attacks, how can we protect against those threats?

The best solution I could suggest is using Alto email application. This app is designed to turn on email into ‘cards on the dashboard’, however, the coolest idea is behind of it is AI and white lists of email addresses related to your travel, social and other services. This is kind of anti-fishing system in additional. However, this app will be discounted by the end of this year. Unfortunately, there is no real cure for phishing attacks aside from paranoia-level vigilance in the case of the end user. This threat is like the flu — constantly evolving and changing attack approaches.

It is good to follow several tips, such as avoid logging in to online banks and similar services via public Wi-Fi networks. Hotspots are convenient, but it’s better to use a mobile connection or wait to get to a secure network than to lose all of the money on your credit card or in your bank account. Open networks can be created by criminals who, among other things, spoof website addresses over the connection and thereby redirect you to a fake page. It’s better not to follow links from e-mails at all. Instead, you can open a new tab or window and enter the URL of your bank or other destination manually. Even if a message or a letter came from one of your best friends, remember that they could also have been fooled or hacked. That’s why you should remain cautious in any situation. Even if a message seems friendly, treat links and attachments with suspicion.

Meet Yuri Chemerkin, at DefCamp 2017 to hear his presentation about “The rise of security assistants over security audit services.