Archive for 2011

Jailbreak for iPhone 4S & iPad 2 using iOS5 coming soon

December 11th, 2011 No comments

Recent screenshots from the Dev Team indicate that an official jailbreak for the iPhone 4S and iPad 2 running iOS 5 is coming sooner rather than later.

Screenshots from MuscleNerd show their jailbreak work in progress. They say that the jailbreak has already been achieved on iOS 5, but that there are unspecified “hurdles left” before it will see a public release.

The jailbreak cat and mouse game as usual between the dev team and Apple… when will this end!?

Categories: News Tags:

Adidas takes websites offline after sophisticated cyber attack discovered

November 8th, 2011 No comments

The sportswear manufacturer Adidas has taken some of its websites offline as a precaution following the discovery of a “sophisticated, criminal cyber-attack” late last week.

Adidas said it decided to take potentially affected websites offline as a precaution after discovering the attack on Thursday the 3rd of November 2011.

Adidas has already reassured customers that it has no reason to think consumer data has been exposed as a result of the incident, the cause of which it is continuing to investigate. In a statement (seen below), Adidas announced that it plans to increase the security of the affected sites before restoring their availability.

Sites affected include adidas.com, reebok.com and various local e-commerce shops.

On November 3, 2011, the adidas Group found out that it was the target of a sophisticated, criminal cyber-attack. Our preliminary investigation has found no evidence that any consumer data is impacted. But, while we continue our thorough forensic review, we have taken down affected sites, including adidas.com, reebok.com, miCoach.com, adidas-group.com and various local eCommerce shops, in order to protect visitors to our sites. Since learning about the issue, we have put in place a number of additional data security measures. The changes reflect enhancements to the high standards consumers have come to expect from the adidas Group and its brands.
Nothing is more important to us than the privacy and security of our consumers’ personal data. We appreciate your understanding and patience during this time.

There is growing speculation as to the exact cause of the incident and what occurred as part of this cyber attack.

Categories: News Tags:

Circumventing the Apple iPad 2 screen lock using a smart cover on iOS5…

October 25th, 2011 No comments

Looks like Apple are having a bad week. Following on from the issues relating to the iPhone 4S and Siri (which allows someone to issue voice commands while the device is locked, with no way to enforce the setting that prevents this), there’s yet another security hole just hitting the press: circumventing the iPad passcode.

How to unlock an iPad 2 using a smart cover…

1. With an iPad 2 – peel back the smart cover and type in your passcode and open your email – so we can demonstrate how it unlocks to the application you have open.
2. Using your smart cover, close the smart cover fully so that it locks.
3. Peel open the smart cover – the device will prompt you to “Enter Passcode”. Don’t enter your passcode but keep following the instructions below…
4. Close the smart cover fully.
5. Peel open the smart cover again – and this time press and hold the power button until it prompts you to slide to power off, or to cancel. Don’t choose either of these options…
6. Close the smart cover.
7. Open the smart cover and then press ‘cancel’ – your device will then unlock and display the last application open. In this case it will be your email app.

This is demonstrated in a recent YouTube video:
http://www.youtube.com/watch?v=0sa1hRDpJss


  • This hack appears to provide access only to the last application that was open, i.e. you can’t access other apps, or applications running in the background. Not so much of an issue in itself, but of some concern if email was the last app.
  • This appears to work only on iOS 5.
  • To prevent this hack, it is possible to turn off the “iPad Cover Lock / Unlock” setting. More work is needed to see whether this can be enforced through a device profile, as it currently looks like a user configuration change.


After the bad press relating to Siri security, and now this, it is anticipated that Apple will release an update to iOS 5 to address these issues and restore confidence in its product. How soon that will happen remains to be seen.

From an enterprise perspective, it’s been a bad week for Apple.


Categories: News Tags:

Apple & The Enterprise – Security Considerations for iPhone 4S, iOS5 & iCloud

September 28th, 2011 1 comment

Over the next couple of months, it’s all going to go nuts yet again with Apple frenzy, hype and excitement over the new iPhone 4S and the release of iOS version 5… but after all the dust has settled, what will the real impact be from an enterprise and security perspective?

OK… so maybe that’s why I love my job when it comes to situations like these, as I get to play with the new toys and enlighten people about all the cool changes, the business opportunities, and what we can do from a technical perspective to minimise any associated risks. Before we get to the heart of it – if you didn’t already know from my previous posts – it’s probably worth being up front and mentioning that I am indeed an Apple fan. Nevertheless, that doesn’t mean I’m blinkered or oblivious to some of the security problems we will come across from an enterprise perspective when these new devices and changes hit us.

So…. let’s get started…


Huge Uptake of new devices & iOS5 for existing users

Firstly, I think yet again there will be an increased uptake of the new Apple iPhone, and even more people moving away from BlackBerrys (poor RIM) to the new iPhone 4S. Apple Insider recently released some interesting study results indicating that 45% of BlackBerry users and 24% of Android device owners said they would purchase the upcoming Apple handset.

Whilst I don’t think there’s going to be a huge shift in terms of the phone or the technology (yes, the new CPU will be great, but the software is something I’m already used to on my iPad 2 running the iOS 5 beta), the combination of a new device plus all the cool features of iOS 5 will draw more people to buy it.

Most people I know are already finding excuses for why they will upgrade their iPhone 4… and no doubt it will be the same in the enterprise. The C-level execs will push to get a brand new phone as soon as they’re available, as we’ve seen a change in the way shiny new gadgets find their way from the top down into the enterprise… the big boys often compete with their peers in the boardroom.

Then we also need to consider how many existing iPhone 4 and iPad 2 devices are already out there in the enterprise, just waiting for all those funky new iOS 5 features.


So what?

Well, whether the majority of your company will soon have these new devices in their hands or already has existing iPhone 4s and first- or second-generation iPads, there are a few things to consider from an enterprise security perspective:


iOS 5 – iCloud and Security in the Enterprise.

iOS 5 introduces many new features, but the most newsworthy is iCloud. I’m not going to cover what it is in detail, or how it works; instead I want us to focus on the issues we will see in the enterprise relating to it. It’s not that iCloud is insecure (although no doubt there will be hackers out there trying their hardest to break into it). What is more worrying is the staff member who has this new technology, and what they choose to do with it.

Up until now, enterprises have struggled to control and contain the risks relating to the file sharing and syncing capabilities already available through services such as Google Docs, SugarSync, Dropbox, Box.net etc. What Apple is about to do is make this type of cloud-based file storage and synchronisation available natively in iOS, in Apple’s own applications, and in third-party apps through the iCloud API. The problem is about to become much bigger, and no doubt, just as when the cloud hype hit our shores, governing bodies such as APRA will start to take notice, ask interesting questions, and push more expectations onto the companies they govern.

So the worst case is that documents created on a device used in the enterprise will be sucked into the cloud, and then replicated automatically onto a number of other devices outside the enterprise. Many large companies have managed to keep some sort of control by restricting the use of Dropbox etc. through web proxies; however, the main thing from a security perspective is not necessarily the strength of the security controls, but what the user will do with the service.

Most staff don’t care about security (after all, it’s someone else’s job to worry about company risk), so they will happily and naively store sensitive documents all over the place… it’s just that iCloud will make this so much easier to do, and a much, much BIGGER problem.


Your Apple ID & Password – Keys to the Apple iCloud Kingdom… your docs, your photos, your music…

One important concept to understand is that with iCloud your Apple ID and password become much more important… they will be your ID and keys to your photo streams, synchronised documents, music etc. – access to everything will be just an Apple ID and password click away!! Now no one shares their Apple IDs… do they!!!?!?!? ;-0


Bandwidth & Data Usage Impacts

There are other impacts such as data and bandwidth utilisation, as music streaming, iCloud syncing and OTA updates will surely have an effect. Just how much, we will soon find out.


Solving Your Enterprise Security iCloud Concerns

So what to do about it? Mobile Device Management platforms will obviously help (if you have one!), and Microsoft Exchange ActiveSync policies will potentially improve things too; however, that depends on whether you’re willing to lock down the use of iCloud. Stop users from using the cloud?! Sounds like a hard thing to do.

Hopefully Apple will offer some more granular control for this technology – but maybe by the time most enterprises start to worry about this the horse has already bolted.


User Awareness & Risk Acceptance

The other thing you can do is ensure that end users are made aware of the risks, and that they take accountability and responsibility. Require anyone using your enterprise service to sign an “Acceptable Use” agreement, whereby they are informed of the risks, the data considerations, and the responsibilities they take on when using an Apple iOS 5 device within the enterprise.

Lastly, make sure your company has done the right thing from a risk management perspective, especially if you are governed from a compliance point of view. Ensure that a full risk review and assessment has been completed, whereby senior execs and the CIO are formally made aware of these risks and concerns, and sign off any risks at an appropriate level with full evidence and traceability back to those who made the decision.

Follow “PhilHall” on twitter, and be sure that you’ll be kept up-to-date from a security perspective.

Categories: Discussion Tags:

Apple iPhone(s) & iOS5 announcement – the 4th of October!

September 28th, 2011 No comments

After lots of rumours, it looks as though the news that many an Apple fan boy has been waiting for is finally here… numerous invites are being sent out by Apple for a “Let’s talk iPhone” event, to be held on the 4th of October:


Apple iPhone release date Oct 4th

This event will more than likely include news of the new iPhones (potentially two models), as well as the release of Apple’s iOS version 5. More rumours have been flowing since this date was released – many are talking of an iOS 5 release on October the 12th, and the new iPhones on the 14th of October.

With this comes a number of improvements from a security perspective. One of the key changes is “OTA” – Over The Air updates. iOS software updates to the device will now be possible over the air rather than through syncing locally via iTunes, and rather than a big download of the entire iOS image, each update will be incremental.

Additionally, iOS 5 includes iCloud, which, if you are familiar with Dropbox, Box.net etc., is a similar concept but incorporated into native iOS features and Apple apps, as well as provided through an API for third-party use. Word of warning: there may be some changes required in the corporate environment to control this before corporate documents end up on employees’ home Apple devices!

Stay tuned!

Categories: News Tags:

BEAST Vs HTTPS: Vulnerability in SSL 3.0 and TLS 1.0

September 28th, 2011 1 comment

Microsoft has recently released a Security Advisory providing information on a new method of exploiting a vulnerability in SSL 3.0 and TLS 1.0. Others may have seen this vulnerability demonstrated recently using BEAST:

http://www.youtube.com/watch?v=BTqAIDVUvrU


BEAST makes use of an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or as mixed HTTP/HTTPS content is affected.

For further details, view the Microsoft advisory.
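As an added example (not part of the original post or the Microsoft advisory), the following Python script checks a server’s offered protocol/cipher-suite combinations for BEAST exposure from a defender’s side. It relies on a fact the advisory only implies: BEAST applies to CBC-mode cipher suites negotiated under SSL 3.0 or TLS 1.0, because those versions chain the CBC IV across records, whereas TLS 1.1 and later use a fresh explicit IV per record and stream/AEAD suites do not use CBC at all. The “protocol: cipher list” input format and the sample configuration are constructed for this example; the cipher-suite names are standard IANA names.

```python
"""Flag TLS server configurations exposed to BEAST (added example).

Exposure = (SSL 3.0 or TLS 1.0) AND (CBC-mode cipher suite).
TLS 1.1+ use explicit per-record IVs; stream (RC4) and AEAD (GCM/CCM/ChaCha20)
suites are not CBC, so neither combination is exposed to this attack.
"""
from dataclasses import dataclass
from typing import List

# Protocol versions that chain the CBC IV across records.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}

# Constructed sample, not a real server's configuration.
SAMPLE_CONFIG = """\
# protocol: offered cipher suites (IANA names)
SSLv3:   TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_RC4_128_SHA
TLSv1.0: TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_SHA
TLSv1.1: TLS_RSA_WITH_AES_128_CBC_SHA
TLSv1.2: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA
"""


@dataclass(frozen=True)
class Finding:
    protocol: str
    cipher: str
    exposed: bool
    reason: str


def is_cbc_suite(cipher: str) -> bool:
    """True when the suite runs its block cipher in CBC mode.

    IANA names spell the mode out ("_CBC_"); AEAD and stream suites are
    recognised by their own markers so that they are never mis-flagged.
    """
    name = cipher.upper()
    if any(tag in name for tag in ("_GCM_", "_CCM", "CHACHA20")):
        return False  # AEAD: no CBC chaining
    if "RC4" in name:
        return False  # stream cipher: not CBC (RC4 has separate weaknesses; prefer TLS 1.1+)
    return "_CBC_" in name


def assess(protocol: str, cipher: str) -> Finding:
    """Classify one protocol/cipher pair."""
    if protocol not in BEAST_PROTOCOLS:
        return Finding(protocol, cipher, False, "protocol uses explicit per-record IVs")
    if not is_cbc_suite(cipher):
        return Finding(protocol, cipher, False, "not a CBC-mode suite")
    return Finding(protocol, cipher, True, "CBC suite under SSL 3.0 / TLS 1.0")


def assess_config(text: str) -> List[Finding]:
    """Parse 'protocol: cipher1 cipher2 ...' lines (constructed format) and assess each pair."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        proto, _, ciphers = line.partition(":")
        for cipher in ciphers.split():
            findings.append(assess(proto.strip(), cipher))
    return findings


def exposed(findings: List[Finding]) -> List[Finding]:
    """Only the combinations a BEAST-capable attacker could target."""
    return [f for f in findings if f.exposed]


if __name__ == "__main__":
    for f in assess_config(SAMPLE_CONFIG):
        flag = "EXPOSED" if f.exposed else "ok     "
        print(f"{flag} {f.protocol:8} {f.cipher:45} {f.reason}")
```

Run against the sample, the script flags the three CBC suites offered under SSLv3 and TLSv1.0 and leaves the RC4, TLS 1.1 and TLS 1.2 entries alone. The durable fix is to move clients and servers to TLS 1.1 or later; disabling CBC suites on TLS 1.0 only narrows the exposure.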


Categories: News Tags:

Apple iPad and iPhone in the Enterprise – useful references, downloads etc

September 7th, 2011 No comments

For those of you who are beginning the journey of allowing and enabling enterprise use of Apple iPads and iPhones, here’s a quick list of useful resources for your reference:

Apple Enterprise Stuff (config utility download, + other useful references):

http://www.apple.com/support/iphone/enterprise/


iOS Hardening Guide (a useful general reference):

http://www.dsd.gov.au/publications/iOS_Hardening_Guide.pdf


Apple Enterprise Deployment Guide:

http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf


Mobile Device Management Platforms:

For those embarking on MDM reviews and potential implementations within the enterprise, here’s my suggested list. If you like referring to a Gartner Magic Quadrant, they released an update in April for Mobile Device Management platforms:

  • Good Technologies – has full PIM (sandboxed email capability) for those who require an additional layer of security.
  • Mobile Iron – a very popular MDM platform amongst enterprises.
  • AirWatch – another popular MDM platform.

Categories: News Tags:

Apple iOS 4.3.4 update available but is it already jailbroken?

July 15th, 2011 No comments

Apple has recently released details of a new iOS 4.3.4 update which addresses a number of security-related issues affecting the iPad, iPhone and iPod touch.

This is the same vulnerability used by the recently updated jailbreakme.com website.

  • This release fixes an issue where viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.
  • It also fixes an issue where malicious code running as the user may gain system privileges.


This is the second time that Apple has had to fix a vulnerability in its PDF-viewing technology.

In August, an earlier version of jailbreakme.com exploited the way the PDF viewer loaded fonts to let users gain low-level system access and install third-party application installers. Unfortunately for Apple, rumours of a jailbreak for 4.3.4 are already surfacing.

Maybe the impending iOS 5 release will change things, and bring the security of Apple devices up to the same level as RIM’s BlackBerry platform… only time will tell!

Categories: News Tags:

Apple releases iOS 4.3.3 – addressing the user location tracking issue.

May 5th, 2011 No comments

Apple has just released iOS 4.3.3 – yet another iOS update in recent weeks!

This update is said to address recent concerns around user tracking data, whereby devices were storing information about users’ locations.


It had been reported in the past few weeks that location information stored in iTunes backup files on a computer synced with an iPhone could be used to pinpoint the iPhone’s whereabouts for up to a year afterwards, something which has created some interest from a privacy perspective.

The main issue here is that if someone has access to the PC which holds this iTunes backup, this information could be obtained and used to determine where the iPhone or iPad (and its owner) have been!

Apple responded to the media interest and admitted that devices were in fact collecting information about WiFi hotspots and cell towers, giving away location data even when users had specifically turned off Location Services.

Apple says that the newly-released iOS 4.3.3 update will no longer back up location data cached on iPhones and iPads to users’ computers, and fixes the Location Services bug. If you install the update, the location data stored on your iPhone or iPad will reportedly now only go as far back as seven days, and the cache will be completely deleted if you disable Location Services.

The next thing Apple should be doing is encrypting this sort of data, which Apple says will potentially be a feature of iOS 5.

Time to update your devices, and time for another big download!


Categories: News Tags:

Recent Sony hack – a call for Oz Disclosure Changes?

April 27th, 2011 No comments

Another hack, another potential compromise of customer data… and this time the target was Sony. This event is starting to spark calls for the government to legislate mandatory disclosure, but will it ever happen!?

The Sony hack incident is said to have occurred between the 17th and 19th of April 2011, whereby hackers gained access to Sony’s PlayStation Network, potentially gaining access to the account information of a reported 77 million users. It is understood that this includes names, addresses and… drum roll please… customer credit card information. Uhh ooo!

Sony posted details on a Sony blog on the 22nd of April, indicating that there had been an ‘external breach’. Sony is also reported to have released a further statement today.

What’s more interesting about this story is that it has sparked some discussion relating to mandatory disclosure. In recent comments on the Sony hack, Rob Forsyth (A/NZ managing director of Sophos) is reported to have suggested that the government must legislate for mandatory disclosure, noting that it has been proposed in a large number of privacy recommendations.

If personally identifiable information is lost, companies must notify both the general public and the individuals whose information has been stolen…


Forsyth told the ABC radio programme The World Today that the theft of address and birth date details, and possibly credit card numbers (although Sony currently maintains that there is no evidence these were compromised in the breach), highlights Australia’s lack of a disclosure regime.

“Sony was not quick to notify people that there had been a breach of security,” RMIT lecturer Dr Mark Gregory told the same programme, even though the speed with which the network was shut down demonstrated that Sony was aware of the problem before it went public. Gregory backed Forsyth’s call for a disclosure regime.

“Government needs to legislate a proper regime for this,” said Gregory.


Your Views Needed!

There’s been talk of the need for changes to disclosure laws for a few years now, but does anyone think this will ever happen in Australia? Security vendors often talk of it happening, but maybe we need to see a few more major data breaches and incidents before people start to take this more seriously and finally do something about it!

What’s your view on mandatory disclosure laws in Australia?

Keen to hear your views – so feel free to comment / reply on this post.


Categories: Discussion Tags: