iOS 6.1 hack lets users see your phone app, place calls

Some sleight of hand will allow iOS 6.1 hackers to access your phone application, listen to your voice mails, and place calls.

A YouTube video showing users how to “bypass iPhone 5 passcode” on Apple’s latest iOS releases, including iOS 6.1, has been published. The person who uploaded the video shows how anyone can access the phone application on a passcode-protected iPhone.

In order to achieve the hack, users must come close to turning off the iPhone, place an emergency call, and keep their finger on the power button. We were able to re-create the hack with ease, and the YouTube user who uploaded the video provided step-by-step directions.

“For prank[ing] your friends, for a magic show. Use it as you want, at your own risk, but…please…do not use this trick to do evil,” “videosdebarraquito” posted on the YouTube page.

Apple said it is at work on a fix to the issue, but that it will require a software update.

Security Update Bulletin – Information on latest threats

Here’s a quick round-up of information we think you should know about –

  • New Ransomware and Phishing Variants Detected (January 31, 2013) Ransomware known as Police Virus carries more strength than previous versions of the malware, as it actually has the capacity to encrypt all data on infected machines. This variant disables regedit, task manager, and msconfig to further confound users. The malware tells users that because of a criminal offense, they must pay money or their computers will be encrypted. It spreads through malicious links, infected files, or drive-by downloads.
  • There has also been a surge in phishing emails that appear to come from FedEx. The messages tell recipients that because FedEx was unable to deliver a package, they must click a provided link to print a receipt to bring to their local FedEx office to retrieve the package. The link instead leads to a malicious site that infects their computers with a Trojan horse program. FedEx has posted a statement online warning of the scam and reminding people that the company “does not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords, or personal information.”
  • A new nasty turn in the psychology the criminals are using in this campaign in Germany is to accuse the victim of having a system containing pictures of child pornography and then subsequently displaying such material on the victim’s computer.
  • Mozilla says it will automatically disable all Firefox plug-ins with the exception of the most current version of Adobe Flash. Mozilla says the decision was prompted by security and stability concerns, particularly the risk of drive-by attacks. Blocked plug-ins will include up-to-date versions of Silverlight and Java. Currently, Firefox turns on click-to-play only for those plug-ins that are deemed unsafe or seriously out-of-date. Chrome and Opera offer click-to-play, but users must enable the feature themselves. [We think this is a gutsy move by Mozilla, hopefully the user base will not rebel. Users need some help with the silliness of allow-everything by default: Average people are their own system administrators and the complexity of updating even legitimate third-party apps (insecure by negligence, not malice) is ridiculous.]
  • PayPal has fixed a SQL injection vulnerability in its e-commerce website application that could have been exploited to compromise company databases and steal sensitive information. PayPal awarded a US $3,000 bounty to the organization that discovered the flaw and alerted the company to its existence in August 2012. (January 30, 2013)
  • Universal Plug-and-Play Security Vulnerabilities Prompt Recommendation to Disable the Technology (January 29, 2013) Researchers have found three sets of vulnerabilities in the universal plug-and-play (UPnP) component that allows devices to detect and communicate with each other over networks. The flaws could be exploited to steal passwords and documents and to hijack webcams, printers, and other Internet-connected devices. The US Department of Homeland Security’s (DHS) US-CERT has issued an advisory on the matter. UPnP is most used in SOHO configurations. While it may be used internally by enterprises, it is rarely exposed to the Internet by enterprises. This feature is a hole in firewalls and has been associated with vulnerabilities for a long time. While the vulnerability is pervasive, the threat and risk have been low.
  • More Headaches for Java (January 30, 31, & February 1, 2013)
    Apple has blocked Java completely in OS X 10.6 and above. Other companies are taking steps to protect their users from Java as well; virtually all plug-ins will be blocked in Firefox (see above).
    Oracle admits that there are serious problems with Java, but says that those problems lie with the Java browser plug-ins and that server-side, desktop, and embedded Java are not vulnerable to the same attacks.

Finally, some good news:

The FBI has arrested a California man in connection with numerous instances of cyberextortion in which he threatened to post compromising pictures of women whose social networking accounts he had hijacked. Investigators believe that Karen “Gary” Kazaryan had more than 350 victims between 2009 and 2011. A recently unsealed indictment charges Kazaryan with 15 counts of computer intrusion and 15 counts of aggravated identity theft.

BYOD Risks & Rewards

Whether you’re an end user or an IT administrator, Bring Your Own Device (BYOD) is becoming the rule rather than the exception in today’s workplace. Although BYOD may be a convenience to your employees, you need to think about its impact on corporate security models.

What BYOD means for business

Today’s IT leaders face many security challenges and rapid changes, all while having to do more with less. They must provide end users with the latest, most advanced technologies to remain competitive. And they have to protect company, customer and employee data while thwarting attacks from cybercriminals.

New technology brings more ways to access data, new types of devices and alternatives to the traditional PC platform. Apple CEO Tim Cook appropriately called this the “post-PC era.”

These dynamics have created a shift toward BYOD, a trend in the workplace that’s rapidly becoming the rule rather than the exception.

BYOD encompasses more than personal computers. It means employees using smartphones, tablets, BlackBerrys, ultralight books and more for their work. The concept of BYOD broadens to include software and services, as employees use cloud services and other tools on the web.

The shortcomings of technology which made BYOD unrealistic a few years ago have given way to broad popularity and use of these tools.

These include:

1. Web: Today’s web is the singular way to access any application—business, financial, customer support, sales or technology.
2. Wireless: No matter where you are or what device you’re using, you have access to the back office infrastructure through extensive Wi-Fi networks.
3. Mobile devices: Device form factors have become more sophisticated, cheaper and more portable, with more robust memory and battery life.

Implemented properly, a BYOD program can reduce cost while increasing productivity and revenue. As BYOD goes mainstream in IT departments, security should be front and center for users and IT administrators alike.

What BYOD means for security

It’s risky to assume that prohibiting personal devices solves the problem, because employees end up using their own devices anyway, unmonitored and undeterred by your security policies.

Whatever you think of BYOD and however you choose to implement it, IT managers should treat it the same way as any introduction of new technology: with a controlled and predictable deployment.

Ask yourself:

1. Who owns the device? That’s a question that has changed over time. In the past, the company owned the devices. With BYOD the devices are owned by the user.
2. Who manages the device? Previously this was an easy question to answer. Today it could be either the company or the end user.
3. Who secures the device? Accountability is not something that goes away for a user just because they personally own the device. After all, the data carried on it is company-owned.

Answering these questions is fundamental to both understanding the risks and taking advantage of the rewards of BYOD.

All organizations have the flexibility, based on their corporate culture and regulatory requirements, to embrace BYOD as much as they deem reasonable. For example, there are companies who have decided the risk is too great and choose not to implement a BYOD program.

In May 2012, IBM banned its 400,000 employees from using two popular consumer applications over concerns about data security. The company banned cloud storage service Dropbox, as well as Apple’s personal assistant for the iPhone, Siri. Siri listens to spoken requests and sends the queries to Apple’s servers where they are deciphered into text. Siri can also create text messages and emails on voice command, but some of these messages could contain sensitive, proprietary information.

Ultimately, the success of your BYOD program is measured by your employees’ willingness to use their personal devices within the rules you set for them. Your organization’s security procedures and policies should determine whether and how you adopt BYOD.

You need to have the ability to enforce security policies on a device level and protect your intellectual property if that device is ever lost or stolen.

What is BYOS

The same technologies driving the turn to BYOD also allow users to access non-company software. This effect is known as Bring Your Own Software (BYOS).

End users may be using free public cloud storage providers as a way to collaborate on and transfer large documents. Those documents, however, could contain data that falls into the scope of regulatory guidelines, which could place your data at risk.

You should evaluate how cloud storage providers transport and store your company’s files.

Consider these questions:

1. How are they encrypting the data?
2. Are they using a single key for all of their customers?
3. Who has access to the key to decrypt the data?
4. Will they surrender the data to authorities if it is subpoenaed?
5. In which countries are the servers located that are housing the data?
6. Does your organization have an agreement with customers that their data won’t be stored in certain countries?

How to secure BYODs

The first and best defense in securing BYODs begins with the same requirements you apply to devices that are already on your network. These security measures include:

1. Enforcing strong passcodes on all devices
2. Antivirus protection and data loss prevention (DLP)
3. Full-disk encryption for disk, removable media and cloud storage
4. Mobile device management (MDM) to wipe sensitive data when devices are lost or stolen
5. Application control

You should always extend encryption to both data in transit and data at rest. Protecting your devices with strong passwords means you make it incredibly difficult for someone to break in and steal data. But if somehow your device-level password is compromised, encrypting the data stored on the device provides a second level of security a hacker must get through in order to steal your data.

You should encourage users to think of the extra layers of security as helpful tools that give them the ability to use their own devices within the workplace. By password protecting devices, a user acknowledges accountability and responsibility for protecting their data.

In addition to applying passcodes and antivirus prevention to your devices, you should apply a custom level of application control to BYODs. If applications are available to employees on the internal network, they should be able to access them offsite through a VPN or email software.

A successful BYOD program allows your users to be productive outside of their scheduled work hours while also giving them the flexibility to do the things they like to do when they’re not working—like update their status or enjoy playing an interactive game.

Whatever decision you make for your BYOD policy, be sure that it’s enforceable and enables IT to deploy software remotely.

How to set policy and compliance standards

You need to formalize policies specifically around BYOD. For example, will your policy include any and all devices currently available? Or will you limit use of personal devices to specific hardware and software platforms? What about devices that aren’t yet available but could reach consumer markets in the next few years?

The handheld mobile device market is evolving rapidly with new versions and new manufacturers. Keeping that in mind, your BYOD policy should be adaptable. You should maintain written strategic policies based on what you know today and what you think will generally be available tomorrow. And you must apply technology that enforces your written policies to provide management, audit proof modeling, control and security.

Implementing a solution designed to verify that devices can be remotely managed can help you in the ongoing battle to keep security policies relevant and reliable, especially if you’re in an industry with strict compliance and auditing standards.

Additionally, being aware of the service plans your employees have can help you offer the best services while reducing cost. Using a data plan’s hotspot or tethered options can result in an overall better experience for end users. Consider data-only plans for personal Wi-Fi devices in place of maintaining home-office long-distance and ISP service plans.

7 steps to a BYOD security plan

Your company’s security and BYOD can co-exist. And it starts with planning. Here’s how:

1. Identify the risk elements that BYOD introduces
  • Measure how the risk can impact your business
  • Map the risk elements to regulations, where applicable

2. Form a committee to embrace BYOD and understand the risks, including:
  • Business stakeholders
  • IT stakeholders
  • Information security stakeholders

3. Decide how to enforce policies for devices connecting to your network
  • Mobile devices (smartphones)
  • Tablets (e.g., iPad, Surface, Android)
  • Portable computers (laptops, netbooks, ultrabooks)

4. Build a project plan to include these capabilities:
  • Remote device management
  • Application control
  • Policy compliance and audit reports
  • Data and device encryption
  • Augmenting cloud storage security
  • Wiping devices when retired
  • Revoking access to devices when the end-user relationship changes from employee to guest
  • Revoking access to devices when employees are terminated by the company

5. Evaluate solutions
  • Consider the impact on your existing network
  • Consider how to enhance existing technologies prior to the next step

6. Implement solutions
  • Begin with a pilot group from each of the stakeholder departments
  • Expand the pilot to departments based on your organizational criteria
  • Open the BYOD program to all employees

7. Periodically reassess solutions
  • Include vendors and trusted advisors
  • Look at roadmaps entering your next assessment period
  • Consider cost-saving group plans if practical

Implemented properly, a BYOD program can reduce cost while increasing productivity and revenue. As BYOD goes mainstream in IT departments, security should be front and center for users and IT administrators alike.

iTunes 11 – First Look

First, we’d like to say we had a very busy November 2012 and subsequently did not post many blogs these last couple of weeks. This does not mean we have not been working hard to present you with additional information – we have (gulp!) plenty to say. Look for a robust posting of information these next couple of weeks. Now on to our post . . .

Whatever you think of Apple’s venerable iTunes software — and even folks who don’t always love it certainly spent a lot of the time in the joint — you probably agree it was due for a refresh.

Apple’s remodeling job arrived today, somewhat later than expected. As promised, iTunes 11 brings a cleaner, more modern look that makes it simpler to search, browse, and create and modify playlists.

Features are more closely tied to Apple’s iCloud online service. Assuming you have an Internet connection, you can play any of your music, movies and TV shows right from iCloud. You can obviously download the media to sync to a device or play when you’re offline. iCloud also remembers your place in a movie or TV show so you can resume watching from where you left off, even if you started viewing it say on an iPhone, iPad or Apple TV and now want to finish on a computer.

The new iTunes features what Apple likes to refer to as an edge-to-edge design that eliminates the familiar source list sidebar, at least from the default view. You can bring it back from one of the menus in iTunes. When it is visible, you can click the + button at the bottom of the screen to create a new playlist. But even if it is out of sight, you can display your playlists just by merely dragging a song in your library.

There’s a new Up Next feature which, as its name suggests, lets you know the next song that will play. From within the list, you can remove or change the order of things. You can summon the feature from a new MiniPlayer as well.

And there’s a hook to get you to part with more of your money in the iTunes store. Even as you’re listening to a song, you can browse related music in the store.

Obviously, I’ll need to spend more time with iTunes 11 to come to a true evaluation of the upgrade. But on the surface it appears that many of the changes will bring music to your ears.

BlueToad Was Source of Leaked Apple Data, not FBI Laptop

The little-known app company that lost at least a million Apple Inc. iPhone and iPad identification numbers gathered the data from devices without protecting it and was still sending the data as of Monday.

The information was sent by the company, BlueToad Inc., in “cleartext”—without encryption to hide it—violating widely accepted computer-security practices. The identification numbers, device names and other information were then stored in a database that the company said was recently stolen by hackers.

The BlueToad breach is the latest in a series of events that have raised questions about the security and privacy of the fast-growing app economy. Many apps have been found taking data that users didn’t know about. In 2010, the Journal tested 100 iPhone and Android apps and found that more than half were transmitting identifying details without the user’s knowledge, and some were sending more personal information such as contact lists and location information. Since then, several other apps have been caught transmitting details about users without their knowledge.

The device ID number can allow a hacker to gain access to a user’s social networking accounts and other apps. As a result, Apple has long told developers that “for user security and privacy” they “must not publicly associate a device’s unique identifier with a user account.” And Apple last year began telling developers that it was going to phase out the use of UDIDs, in part because of these concerns.

Apple Plans Web Radio

Recently, a number of rumours have circulated concerning a new streaming media project. In a move that could shake up the growing field of Internet radio, Apple plans to develop a service that would compete with Pandora Media by sending streams of music customized to users’ tastes.

Apple, which has already dominated the field of digital music with its iTunes store, is in the early stages of negotiating with the major record labels for the service.

Apple’s service would probably take the form of a preinstalled app on devices like iPhones and iPads and might be able to connect to users’ iTunes accounts to judge their tastes.

By offering streams customized to each user, Apple’s program would compete with Internet radio services like Pandora, Slacker and iHeartRadio, which is offered by the radio giant Clear Channel Communications.

FBI Agent’s Laptop ‘Hacked’ To Grab 12 Million Apple IDs

Three years ago special agent Christopher Stangl appeared in a video calling on people with computer science degrees to join the Federal Bureau of Investigation, saying they were needed “more than ever.” Last night, hackers with the subversive online networks Anonymous and Antisec answered that call with nothing short of irreverence: they published what they claimed were more than 1 million unique device identifier numbers (UDIDs) for Apple devices, stolen from Stangl’s own laptop.

In total, the hackers say they were able to steal more than 12 million of these strings of numbers and letters, but, “we decided a million would be enough to release.” They announced the hack through the widely-watched Twitter feed, @AnonymousIRC last night.

The incident raises many questions, not only about the security of federal devices, but of why an agent might have (allegedly) been carrying a database of Apple UDIDs, which the hackers said also contained “user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.” of iPhone and iPad users.

Bandwidth-Burning Malware Among Biggest Consumer Threats

A new malware report indicates Android malware samples grew three-fold last quarter and that one in every 140 devices connected to mobile networks was infected at some point.

Closer to home, about 14 percent of household networks were hit by malware this spring, with a 50 percent increase in high-level bots, Trojans and backdoors.

Among the biggest threats to consumers was the ZeroAccess botnet, which grew to more than 1.2 million super nodes resulting in ad-click fraud that at one point burned through bandwidth equivalent to 45 monthly movie downloads per subscriber.

In recent months, the ZeroAccess botnet has updated its command and control protocol and grown to infect more computers while connecting to over one million computers globally. The concern with ZeroAccess is that it is using the subscriber’s bandwidth maliciously which will cost them money as they exceed bandwidth caps. And, once the computer is compromised, it can also spread additional malware or launch new attacks.

The ZeroAccess/Sirefef bot earlier this year modified its command-and-control protocol to evade detection and quietly distribute fraud-laced malware.

The bot tries to circumvent detection by simulating normal human browsing behavior. This involves using a relatively low click rate and responding to redirects, cookies and scripting as a regular browser would. Despite this low profile, the bot operates 24 hours a day, seven days a week, so the bandwidth utilization for all that browsing adds up over time.

On the mobile front, most malware involved “trojanized” apps that steal information about the phone or send SMS messages. However, a banking Trojan that intercepts access tokens and two spyware applications also made the Top 20 list.

Researchers noted that Apple took a second hit to its security reputation with the “Find and Call” malware that targeted both iPhone and Android devices.

First Flashback infected the Mac, and now it appears that an iPhone app called ‘Find and Call’ uploads the user’s contact list to a remote server. The server then sends e-mail and text-message spam to the victim’s contacts. The messages are in Russian and encourage the recipient to download the app.

The app has since been taken down from the Apple Store.

Flashback, the Trojan that exploited a Java vulnerability to infect thousands of Mac OS X systems worldwide last spring, infected 10 percent of homes that owned at least one Mac, during the month of April 2012.

DRM server to blame for corrupted iOS and Mac apps

Apple has fixed a glitch that caused some apps downloaded from the iOS App Store and Mac App Store to refuse to work.

Apple confirms that the problem was traced down to a fault with “a server that generated DRM code for some apps being downloaded”.

The DRM code normally prevents apps being run on unauthorized devices, but in this case it seems the glitch prevented the app from working on legitimate devices.

According to Apple, “The issue has been rectified and we don’t expect it to occur again.”

All affected apps will have to be deleted and re-downloaded from the appropriate App Store. This is an annoyance because it will mean losing all settings and data inputted into the app but it will fix the problem.

iPhone Malware: Kaspersky Expects Apple’s iOS To Be Under Attack By Next Year

Security company Kaspersky Lab expects the iPhone and iPad to be infected by malware within the next year.

While analyzing security vulnerabilities in Apple’s operating system for Macs, Kaspersky also noted potential instabilities in iOS, Apple’s mobile operating system.

As a security firm, it’s in Kaspersky’s interest to analyze and report on potential security threats, but to date instances of iPhone malware have been relatively rare. The few known cases have occurred on jailbroken phones. Android appears to be the platform to target; in 2011, instances of malware on the Android platform spiked 400 percent from the previous year.

Kaspersky CEO Eugene Kaspersky recently spoke out on Apple’s security in the wake of the Mac Flashback trojan, the virus that infected more than 600,000 Apple computers.

Kaspersky compared Apple to Microsoft, telling Computer Business Review: “I think they are 10 years behind Microsoft in terms of security.”

Kaspersky also said his company has seen an increase in malware directed at Macs and recommended Apple take a more dominant security stance against potential threats.

Kaspersky is not the only security company that has recognized the potential threat to Apple devices that run on iOS.

While the iPhone may not be as vulnerable to malware as Android, with the rising number of smartphone users it won’t be long before hackers find a way around Apple’s App Store review process.