Despite the fact that everyone (including me) has been telling you that encryption makes the data stored on your smartphone safer, it would seem that is not necessarily the case for iOS devices. Renowned iPhone hacker, developer and author Jonathan Zdziarski presented a large body of research and evidence that Apple has built backdoor data access into its devices for some time, and not just the kind required by law enforcement for warranted search or for troubleshooting and debugging. Also damning was the fact that these processes and services aren’t documented at all by Apple, but are apparently well-known by various law enforcement agencies and forensic data specialists. And the cherry on top? The encryption on your iPhone can easily be bypassed by these backdoor tools through USB connections, wifi and possibly even cellular connections.
What this means for you:
According to Mr. Zdziarski’s findings, iPhone encryption is essentially bypassed because iOS maintains a base state of authentication even if your phone is “locked” with a pin or password. The tools and services running quietly in the background of your device have direct access to your data, and not just the “anonymous” or “non-identifying” data that Apple collects for performance and troubleshooting purposes. Apple has yet to comment on Mr. Zdziarski’s findings, but the growing media attention on this issue will likely force a response from the Cupertino company. Unfortunately, there is not much you can do about this, as these backdoors are so deeply embedded in the operating system of iOS that removing or disabling them is impossible. You can, of course, demonstrate your displeasure by contacting your local congress-critter, providing feedback to Apple, as well as restraining yourself from buying Apple products until they address everyone’s privacy concerns. Given Apple’s strangle-hold on the smartphone market, they have very little incentive to change anything unless consumer sentiment starts to sway against them on this issue.
If you had asked me 10 years ago whether something like this would ever happen, I’d have had a good laugh and then asked you to share whatever it was you had been drinking. But here we are, 2014, and strange bedfellows Apple and IBM have announced a “landmark” partnership in pursuit of enterprise business. And just like a Disney fairytale or the famously delicious chocolate-peanut butter confection, it turns out the mis-matched pair were made for each other after all.
Let me ‘splain:
You may have noticed that Apple, despite the proliferation of iOS devices throughout the business world, has, up until now, remained staunchly consumer focused. The primary plank in its branding was to demonstrate just how “not corporate” its devices were. Conversely, can anyone remember a time when IBM was ever viewed as anything but the epitome of big business? You can bet Apple is painfully aware of how much money it’s leaving on the table by not playing in the corporate and enterprise space, and IBM is just as painfully aware of how “not sexy” its current service offerings are. If you’ve ever used enterprise software (SAP, Oracle, Peoplesoft, etc.) then you know just how awful the experience is. Now imagine Apple lending its design sensibilities to a UI that interfaces with IBM’s monstrously powerful back office software – and oh, by the way, you can use it on this shiny iPad? Move over Brangelina, here comes the new “power couple” of the decade!
A new battle front just opened up in the corporate espionage cyberwar. Security firm TrapX has released information on a new attack that appears to be focused on shipping and logistics firms, and is being delivered via hand-held inventory scanners made by a specific manufacturer in China. The wireless devices appear to contain malware that once connected to a company’s corporate network targets enterprise resource planning (ERP) servers and attempts to compromise them through a variety of known weaknesses. If successful it then facilitates the installation of command-and-control malware that provides a backdoor on the compromised server to an unidentified location in China. The manufacturer of the scanners has denied the devices were intentionally shipped with the malware, but their close proximity to the Lanxiang Vocational School (allegedly tied to other infamous hacking incidents) has raised security eyebrows everywhere.
What this means for you:
It’s a safe bet that you probably won’t be directly affected by this particular hacking vector unless you are one of the handful of firms who bought and used the devices before the manufacturer rectified the issue. However, this is just another crack in the dangerously swollen dike that is technology security, and the white hats are rapidly running out of fingers and toes with which to plug the holes. The fact that the Chinese have targeted supply chain technologies means they are fishing for big data to steal, and the amount of money (and power) at stake is enough for the bad guys to continually search out new ways to compromise and breach businesses. They know they have the good guys over a barrel, as we have to continually try to guess where the next mole will pop up in a playing grid with an infinite number of holes. Will we get to a point that we have to run a malware scan on anything with electronics and a means to transmit data? It’s starting to look that way.
Ahead of a court order that is still pending, Google has blocked delivery of a single email mistakenly sent to a wrong address at the request of the sender’s employer. As most of you can attest, doing something like this, while technically possible within certain parameters, is usually not done for a variety of reasons, not the least of which is opening the Pandora’s box of requests for Google to do the same thing for every email sent to the wrong address or for the wrong reasons. In this particular instance, the sender was a contractor for Goldman Sachs, and the email in question contained significant sensitive customer data sent to the wrong address. Rather than risking a signficant exposure for the customers whose data was contained in the email, on top of saving Goldman Sachs from considerable liability, Google acquiesced to the request, which normally requires a court order.
What this means for you:
The only reason this was even possible in the first place was because the unintended recipient hadn’t actually accessed the account since the email was sent, and therefore Google knew for certain that the email wouldn’t have been read, and there could be “un-sent.” You may have experienced both the relief and disappointment of attempting to “unsend” emails via your own company’s Exchange server, which can call back unread emails, but once the email has been opened by the recipient, intended or not, there’s no way to unsend it. What you should really be taking away from this was why someone was using email to send a report with such sensitive information in the first place. In this case, convenience and ease of use led to a near-catastrophic breach. Do you use email to exchange confidential information with other parties? If you do, you should carefully consider the consequences of a mis-delivered email, and what it might cost your organization.
Canadian lawmakers have finally had enough spam in their email boxes and just passed legislation which essentially outlaws all unsolicited commercial emails. If you want to send commercial email to a Canadian, you must have their express consent, regardless of where your company is in the world. At first blush, you may be tempted to say, “Good for them. Fight the good fight, Canada!” and you’d be counted sane to believe this was enacted with good intentions, but we know where those types of roads sometimes lead. As many others have pointed out, this will likely negatively impact the businesses and organizations we do want to hear from, and will have little to no impact on spammers who already ignore laws, ethics, logic, spelling and common sense. Rather than having an inbox filled with all sorts of email, Canadians can look forward to only getting spam from scofflaws. Oh, and a ton of emails from companies asking for their permission to keep their addresses on their lists.
What this means for you:
If you send commercial email to your clients or customers, and some of them happen to be Canadian, you now have to sort them out and get a positive confirmation from them, regardless of whether they had actively or tacitly agreed to be on your mailing list. In other words, you have to send out what is likely to be viewed as an unwanted email to someone who already has too much email, asking if they are OK with you sending emails to them in the future. The fines for violating CASL are quite stiff (up to $1M for individuals), so you can be sure businesses with Canadian customers are taking this very seriously. And this law isn’t just limited to advertisement emails. This newsletter is technically an email with commercial intent, and if I were to send it to Canadians without their express consent, I could be held liable. Is a law similar to CASL likely to be considered in the US? Seeing as our politicians have trouble agreeing on just about anything lately, I’d say we’d only have to worry about the Spam Mounties for the moment.
Image courtesy of renjith krishnan / FreeDigitalPhotos.net
Hacktivist group Anonymous is at it again, this time targeting Brazilian websites apparently in protest of Brazil’s costly hosting of the FIFA World Cup. While more traditional protests had been going on for many months with only nominal impact and attention, Anonymous immediately gained the media spotlight after claiming through Twitter to have hacked over 100 websites, including Brazil’s federal police website. Many of the website attacks consisted of Denial of Service assaults or simple defacements, but Anonymous sharply made their point by posting a list of logins and passwords purportedly from the police website, as well as claiming to also have harvested numerous operations documents and email exchanges.
What this means for you:
Just like any hot media item, hackers will be leveraging the globe’s enthusiasm for the World Cup, and it’s likely you will see spam and phishing attempts based around news, events and celebrities of the sport. As always, avoid clicking links in emails unless you can verify they lead to legitimate websites. Cybercriminals will also be counting on plenty of people searching for news about World Cup matches, so make sure you examine your search results carefully and only visit websites you know and trust. Don’t rely just on your antivirus software to protect you – use your common sense laced with a healthy dose of skepticism to avoid hackers scoring a goal on you.











