How Location Data Can Be Used Against Us

There have been many conversations lately on how location data can be used to protect us from various threats, from Covid-positive citizens to marketing opportunities for companies, but there is a dark side to location data. There always seems to be a dark side. A recent article from Reuters shows how Russian hackers were able to track Ukrainian artillery positions through position data. This is not the first time that location data was used against military operations. In 2018, Wired magazine detailed how the fitness app Strava was used to locate secret military bases.

Sadly, location data is considered metadata and is not legally protected. The military has been working on improving its internal security and its rules on what can be posted, and social media companies like Strava have been trying to secure their data as well, but there always seems to be a new vulnerability, and once again the weakest link in any security posture is the people. Metadata and its use are rapidly becoming even more important, and lucrative, than the data itself. Many companies are looking at how they can use this data for marketing, and IT security companies are looking for new ways to secure this new workflow.

So how do we control this? Any security program has to begin with awareness and end-user training. The Wired article brings up the old maxim, “Loose Lips Sink Ships,” which was a World War Two quip used to help secure convoys and their plans. I can remember in my military training the term “Essential Elements of Friendly Information (EEFIs)” and how little tidbits of data could be pieced together and used to determine our war plans. Wired detailed how end users could be identified and exploited. Another important fact about the Russian targeting of Ukrainian artillery is that the malicious implant was placed in an Android app that had been developed by a Ukrainian officer to improve targeting information. If this does not highlight the need for proper application development security, I am not sure what does. Many companies use mobile apps to make the customer/employee experience better, and I would question if these apps have been tested properly. Applications are often rushed into use in order to improve the company's exposure, but thousands of apps are found to have vulnerabilities and are often exploited by malicious actors. If you are deploying these apps, take the extra time to get their security tested, because “Convenience and Security are Often Divergent” and a rush to deploy these apps may result in your customers' data being exploited.