
Tuesday, September 1, 2015

Apple's Biggest Hack Ever


Over 225,000 valid Apple accounts and thousands of certificates, private keys, and purchasing receipts were stolen from jailbroken iOS devices. The malware, KeyRaider, was distributed through third-party Cydia repositories in China and appears to have impacted users from 18 countries including China, France, Russia, Japan, United Kingdom, United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore, and South Korea.

The malware steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device and disables local and remote unlocking functionalities on iPhones and iPads. The malware then uploads the stolen data to its command and control (C2) server, which has been found to contain vulnerabilities that expose the stolen user information to other hackers.

According to Palo Alto Networks, the purpose of the attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying. Jailbreaking is the process of removing hardware restrictions on iOS, Apple's operating system, on devices running it through the use of software exploits; such devices include the iPhone, iPod touch, iPad, and second-generation Apple TV. Jailbreaking permits root access to the iOS file system and manager, allowing the download of additional applications, extensions, and themes that are unavailable through the official Apple App Store. (Wikipedia)

Thursday, June 19, 2014

Are Employees Putting Organizations at Risk?


According to a recent report released by Forrester Research, the global public cloud market is expected to hit $191 billion by 2020. Compared with Forrester's last forecast (published in 2011), this represents a 20% increase over the same time period. It also represents a significant increase from where the market is currently: Forrester estimates that the public cloud market was $58 billion at the end of 2013.

However, the challenge facing enterprises with cloud adoption is quite concerning. According to a recent article published by Computerworld, "There's a tug-of-war tension in the enterprise right now," said Gartner analyst Lydia Leong. "IT administrators very rarely voluntarily want to go with the public cloud. I call this the 'turkeys don't vote for thanksgiving' theory. The people who are pushing for these services are not IT operations people but business people."

There is no doubt that the business owner is making this selection to drive their business and sees little to no risk in their decision. However, the lack of IT security oversight, data loss prevention techniques and audit requirements can leave a company in a precarious situation.

The question is, how do IT and the business user coexist as partners and not as roadblocks to business growth? The key is a common product and sales technique: understanding the business requirements is critical to forming the right partnership. IT needs to focus on delivering products that help the business become more efficient and meet its needs. The business needs to be the buyer, but IT needs to be there to make sure the corporation remains well protected.

One of the very real risks that corporations are facing today is cloud-based file sharing. The reality is that these applications can be acquired very easily by the business; unfortunately, there is no way to control what is actually being stored outside the firewall or whether the service provider even meets corporate standards. Many companies have blocked the most popular URLs to prevent internal use, but Gartner lists more than 100 competitors, many approaching file sharing from a different industry focus, so it is unrealistic to expect an IT department to be able to prevent all file sharing solutions.

This is just one example of the risk that the business faces when it acquires technology without going through the correct process. But IT must also understand that they are not the business, nor must they decide what is best for the business; rather, they must learn to deliver the business requirements while ensuring that the product or service meets the Corporate Security Standards. Only then will the risk of Rogue IT applications subside!

Monday, June 16, 2014

Why International Organizations don’t want to do business with US Cloud providers


While you would need to have been vacationing in the Rockies for the last year or so to have missed the stories outlining the US Government’s legal right to obtain data, most people have just come to accept that we have no choice in the matter. Court papers released on Monday show that Microsoft is fighting a US warrant for customer data stored overseas.

The US is pursuing criminal matters against an individual and has requested emails stored in Dublin, Ireland. Microsoft's central objection to the US warrant is that allowing a warrant of such broad scope would "violate international laws and treaties, and reduce the privacy protection of everyone on the planet," as well as "have a significant negative impact on Microsoft's business, and the competitiveness of US cloud providers in general".

In support of this, both Apple and Cisco have filed a friend-of-the-court brief backing Microsoft's position, in addition to the ones submitted earlier in the week by Verizon and AT&T. Many international organizations recognize the fact that the US government has the right to request and obtain customer data from a US company or its subsidiary no matter where that data resides in the world. The problem is that many international companies feel this is a serious risk to doing business with US companies; I guess only in America do we teach of a global economy. Yes, it is true that the law exists, and it is true that companies may not do business with a US company because of it; however, if you build a product that they want, they will use it.

Let’s face facts: data in the cloud is subject to risk (so, by the way, is data behind the firewall, just ask Target). If it were not, you would see considerably more data stored in the cloud. Having worked on both cloud solutions and enterprise software, it is very easy to see the distinction; however, it is far more complex when trying to run a business.

We often talk about Salesforce.com (SFDC), as being a major cloud platform that companies heavily rely on. I mean after all, if your entire customer database is on SFDC, you would really need to trust the cloud, right? Well truth be told, the average sales person will probably do more damage leaving an organization with his contact list than losing data from the use of SFDC.

As companies consume homogenized data, it becomes a commodity; you purchase the integration value, not the protection of the data. Don’t misunderstand, the data must be protected, however, no one believes that a cloud provider could deliver better protection than keeping the data encrypted behind their own firewall. Organizations traditionally move data that would not jeopardize the organization to the cloud. This may also include data that extends beyond the firewall.

The debate will rage on for several more years. Our society is very fickle: when bad things happen, we want the government to do its job; when things are okay, we want the government to stay away. But how do you balance this? At some level we must realize that the ability to communicate across thousands of miles in milliseconds puts us all at risk, so where do we draw the line? I am not advocating government censorship, and I am a firm believer that power corrupts, but is profiling patterns, which is typically what happens with most of our data, the worst thing to give up for our protection?

Do we really believe that the US government is doing anything more than other governments, just because their Snowden hasn't gone public? I remember as a child my father saying to me after I got caught doing something I shouldn't have been doing, “The difference between you and me, is that I did not get caught”, I was about to challenge him on that statement, but having thought about this for a brief second, I realized, to defend myself, would mean I would have to tell him about the other 100 times I got away with it. Do we really believe that spying is a US government anomaly?


Thursday, June 5, 2014

Is Big Data secure enough?


Most people have heard the concept of Big Data, but few understand how it impacts our lives on a daily basis. The news outlets will sensationalize the government (particularly the NSA) for using Big Data techniques on public data in order to spy on people. For example, selfies are now used by the NSA for facial recognition, but should any of this surprise people? The data we put on the web is viewable by almost anyone, and you must realize that companies like Facebook, Twitter and LinkedIn are in the business to make money. So let’s face it: their data is priceless to the right audience, and this includes governments. Don’t think for a second that the US is the only government doing this; however, we are the only ones where it makes an interesting news story. To level set, here are some interesting data points from Wikipedia.

Government
  • In 2012, the Obama administration announced the Big Data Research and Development Initiative, which explored how big data could be used to address important problems faced by the government. The initiative was composed of 84 different big data programs spread across six departments.
  • Big data analysis played a large role in Barack Obama's successful 2012 re-election campaign.
  • The United States Federal Government owns six of the ten most powerful supercomputers in the world.
  • The Utah Data Center is a data center currently being constructed by the United States National Security Agency. When finished, the facility will be able to handle a large amount of information collected by the NSA over the Internet. The exact amount of storage space is unknown, but more recent sources claim it will be on the order of a few Exabytes.
Private sector
  • eBay.com uses two data warehouses at 7.5 petabytes and 40PB as well as a 40PB Hadoop cluster for search, consumer recommendations, and merchandising.
  • Amazon.com handles millions of back-end operations every day, as well as queries from more than half a million third-party sellers. The core technology that keeps Amazon running is Linux-based and as of 2005 they had the world’s three largest Linux databases, with capacities of 7.8 TB, 18.5 TB, and 24.7 TB.
  • Walmart handles more than 1 million customer transactions every hour, which are imported into databases estimated to contain more than 2.5 petabytes (2560 terabytes) of data – the equivalent of 167 times the information contained in all the books in the US Library of Congress.
  • Facebook handles 50 billion photos from its user base.
  • FICO Falcon Credit Card Fraud Detection System protects 2.1 billion active accounts world-wide.
  • The volume of business data worldwide, across all companies, doubles every 1.2 years, according to estimates.
  • Windermere Real Estate uses anonymous GPS signals from nearly 100 million drivers to help new home buyers determine their typical drive times to and from work throughout various times of the day.
The amount of data we create daily is mind boggling, and the amount of data we put on the web unsecured should be of great concern. Yet we often do not think twice about posting photos of our children on Facebook to share with friends, or writing on our timeline that we are on vacation (this is invaluable information if you are a thief), and then we get upset because the NSA is collecting and using this information to “spy” on American citizens.

The truth of the matter is that the US Government is not spying on anyone; they, like all private sector companies, use the data to form patterns and then target high profile individuals. Is the US Government really doing anything different than Google? Google looks at your browsing history to serve up targeted ads that you are more likely to click on to generate revenue. Amazon serves up potential items for you to impulse purchase based on your previous buying history and items you have looked at. All of this is an invasion of privacy, but some of it we accept as helpful, even cool, and other parts we deem violations of our civil rights. Let’s face it, if you don’t want someone spying on you, don’t put it out on public display!

Big Data security is finally becoming an important topic. Many companies are bringing in large amounts of data purchased from Twitter, Facebook and other public sites to develop buying profiles to increase the target rates of their marketing spend; however, at what point does a bunch of public data start to become private information? For example, let’s say on Facebook you always put down that you are at the local Starbucks getting coffee, you go to work and then Tweet about your favorite sports team acquiring a new star player, after work you use Google Maps to find a restaurant, and you run into an old friend and post a selfie on SnapChat. You go home and then browse a few of your favorite sites. By themselves these data points mean very little, but combined, a company now has a very strong profile of your behavior: what you like, what you may buy, your political views, how to increase the chance you will buy from them, and so on.

So what happens when these profiles are hacked and the wrong person acquires a bunch of data that seems worthless until it is combined with all the other data they have collected? Is this any better than Target losing 40 million credit card numbers?

Interestingly, both Hortonworks and Cloudera (both Big Data software companies) acquired security companies to enhance their offerings. From my perspective, it is about time. But protecting the data in storage is not the only risk: if you are going to move large subsets of data that have little relevance on their own but build very sensitive profiles when combined, then you must secure the transport of the data at all times. Many companies feel that public data does not need to be moved securely since it is already public, but the real risk is the selection of data these companies are collecting and how they eventually assemble the profiles; both components must be secured.

Big Data is a part of our lives now and will not go away; it will evolve and become even more invasive. It is time that companies collecting data secure all transmissions, even of public information!

Tuesday, June 3, 2014

Hey MAC - It’s time to grow up



Ever notice how most Mac users are skinny? It's because of all the calories they burn because they can't stop talking about how great their Macs are. OK, that is probably not accurate, but I did find it comical when I read it. But you know the people I am referring to, the really smart guys that cannot get enough Mac speak. My favorite line that they often throw out is that Macs just work; well, in reality, one would beg to differ, otherwise why would you have macfixitforums.com (on the net for over 10 years and now part of CNET)?

OK, enough picking on the guys who are going to take over the world; we will need them someday soon the way things are going. But I digress; my real topic today is that it is high time that Apple grew up. If you look back at the old days, Apple created a unique buzz about being your own person: that their technology, although ubiquitous, could be used by the buyer to be as individualistic as they were. One of my favorite commercial sequences was the ongoing debate between the corporate pitchman from Microsoft and the really hip Apple pitchman. These commercials tried to show how Apple was the hip, up-and-coming product offering that would create disruption in the business world, while Microsoft was the old, stagnant way to do business: just throw money at it and raise prices. I am sure plenty will debate whether Apple did in fact accomplish a disruption in the marketplace, especially if you ask your company IT administrator.

In fact the debate continues to this very day. Tim Cook pointed out at the Worldwide Developers Conference this week that OS X Mavericks, which he said accounted for 51% of all Macs in use "Is the fastest adoption ever of any PC operating system in history. Now, you may wonder how that compares to Windows. I knew somebody was going to ask, so I made a chart."

According to Computerworld, the pie chart showed that Windows 8, which Microsoft launched in October 2012, owned a small sliver of Windows overall. "It's at 14%. Need I say more?" Cook continued, to applause and laughter from the very pro-Apple crowd.

Needless to say, it was not mentioned that the overall numbers of Mac users still dwarf PC users, nor the fact that OS X Mavericks was free, unlike Windows 8. However, the Windows 8.1 release, which was also provided at no charge, was trending the same as OS X Mavericks.

In the end, though, does any of this really matter? People should be tired of the gimmicks; Microsoft and Apple should be focusing on building technology that improves the lives of its users and integrates with different technologies. One should not be forced to use a PC or a Mac to gain ubiquitous access to the overall suite of services. What made these companies great is that they changed the way we viewed how technology could improve our lives; it seems that it has moved towards who can drive the bigger profit and maintain the greatest market share through marketing and empty promises. It is time that both Apple and Microsoft get back to the basics, improve their software and deliver the next breakthrough in computer performance.

Monday, June 2, 2014

Do File Sharing Sites Provide Enough Security?


Whether you are a consumer or a business, you must carefully consider what you are willing to put out in the public arena. Even if you believe your data is encrypted or protected by the provider, once it leaves your control you have to accept the fact that you are relying on someone else to deliver the same level of care to your documents. On May 6th this year, Ars Technica published the following article: “Dropbox disables old shared links after tax returns end up on Google. Vulnerability that may also affect Box sent shared documents to Google AdWords.”

For most consumers, these file sharing sites are an easy way to share pictures with friends and families, but more and more users are using these sites to store personal data. In fact, file sharing sites are expected to host more than 36% of personal data by 2016. While Dropbox did resolve the aforementioned issue, the question is not whether the fix is good enough, but rather when the next vulnerability will occur.

As more and more businesses move to increase collaborative efforts between their employees and trading partners and utilize public File Sharing Sites, the Security Team has to be concerned with what data is leaving the firewall. Even with encryption at rest and encryption in transit, vulnerabilities will always be identified. Sometimes they are even trivialized until they become widespread. Box.com, one of the larger file sharing sites for businesses, posted the following on their Box.com blog: “Once someone has access to the user's auth-token they are able to use that for browser login. This is a known issue and was a product decision to leave in for Box Sync.”

Is it fair to ask a company to protect data the same way for all customers? Does a large Enterprise require more security than a Small Enterprise, and does a consumer need the same level of security? More security means more complexity and greater overhead for systems and bandwidth transfers. In reality, each person and business needs to decide what data is relevant for file sharing services versus on-premise solutions. If you are not comfortable with the data being exposed, then you must think long and hard about keeping your sensitive data on someone else’s “secure” environment.

Tuesday, October 16, 2012

Are You Maximizing Facebook for Your Business?


Many businesses understand that they must have a social media strategy, but many companies do not fully understand how to accomplish this. In order to be successful, let’s first understand the demographics of Facebook. According to a recent report on Pingdom, the average age of a Facebook user is 40.5 years old. Here are some additional stats that may alter your way of thinking about Facebook: 65% of Facebook users are 35 or older, and Facebook and Twitter have the same gender distribution: 40% male, 60% female.

Here is what is truly interesting about the age trend for Facebook and Twitter. Compared to a previous survey Pingdom did 2.5 years ago, the age of the average Facebook user has gone up two years, while the age of the average Twitter user has gone down two years. In other words, Twitter’s user base is getting younger, while Facebook’s is getting older.

So now that you understand who is using Facebook, let’s start to figure out how you maximize your exposure. The first thing you need to consider is how to build a strong fan base. Your Facebook page can drive traffic to your website, increase sales and build customer loyalty, but like anything else you have to carefully create your presence. Make sure your page is using your company name and any specialized keywords that your business is typically found under.

You want your page to stand out from competitors. To do this, you need to engage your fan base; for example, you can customize the tabs of your page to highlight your business, including photos, videos, hot items and general discussions. You also need to keep the content fresh. There is nothing like going back to a website several times to see no updates, so while it may take you some time each day, make sure you stay current with your content, otherwise your fan base will go elsewhere. If you want to grow your fan base quickly, host contests or giveaways; according to Facebook, research by Forrester shows that contests, giveaways and promotions are the fastest ways to build fans for your page.

Another great way to increase your exposure is to collaborate and connect with Facebook Applications; they are a great way to network and do business through your Page. Facebook has over 50,000 applications on its platform. There are Facebook apps available for everything, including Twitter, Wordpress, Google Reader, and many others. To get your business moving, start with the following and build from there: add the RSS Feed application to incorporate your blog, add the LinkedIn Profile application to promote your LinkedIn account by posting a badge on your Page, and add the Twitter application to incorporate your Tweets.

Once you have built your page you need to gain exposure by getting everyone involved; don’t just put up a Business Page and forget about it. Monitor the feeds, make updates and discuss industry trends, product reviews and relevant events. Encourage employees to be active and participate on your Page. The more people involved on Facebook, the more exposure your company will receive. With fresh content and lots of activity, your Page will build in strength and become successful — no one will follow a stagnant page. You should also join other Facebook groups and become fans of other Business Pages to build a network of conversations.

Frank Toscano is a 15+ year specialist in cloud based services focusing on Product Management, Marketing and Security within the Cloud. He has worked for EasyLink Services and Premiere Global Services in a global role providing hosted services to Fortune 1000 clients. He is currently seeking employment with a cloud based provider in a senior level Product/Marketing role.
