Tag Archive for iPhone

| August 11, 2015
Comments Off on SmartWatches – Not Ready for Primetime

SmartWatches – Not Ready for Primetime

SmartWatches - Not Ready for PrimetimePundits predict that Apple iWatch sales will surpass iPad first-year sales. The experts expect Apple to sell 21 million watches in fiscal 2015. Many believe that the iWatch will drive wearable tech into the enterprise. With this kind of hype, security vendors have started to take a look at iWatch and other smartwatches.

wearable techFierceMobileIT reports that just in time for BlackHat, MobileIron released a report looking at the security risks smartwatches pose to corporate data. According to the enterprise mobility management firm, workers are increasingly using smartwatches to connect wirelessly to their smartphones and access corporate email, calendar, contacts, and apps.

MobileIron looked at the security of smartwatches that can be paired with iOS and Android smartphones accessing enterprise resources as well as the pairing apps on the smartphones. The author says the EMM vendor analyzed the Apple (AAPL) Watch, Motorola Moto 360, Samsung (005930) Gear 2 Neo, and Shenzhen Qini U8.

MobileIron logoThe Qini U8 had a pairing app that displayed some “suspicious behaviors” that could pose a risk to personally identifiable data such as access to downloaded and cached content and phone hardware data, judged MobileIron. The pairing app was downloaded from an unknown IP address in China and not the relative safety of the official Google Play store, which scans apps from malicious traits.

Another security concern noted in the article is the implementation of passcodes on smartwatches. Smartphone passcodes are usually time-based so that if the device is not used within a certain time period, the device is locked and access requires entering the passcode.

SmartDisck Tracywatch passcodes examined by MobileIron are proximity-based so that the device is locked when the smartwatch loses wireless connection with the smartphone. However, only the Apple Watch prompted the user to set up a passcode, suggesting that many users of the other smartwatches do not enable the passcode option.

In addition, smartwatches do not have enterprise mobility application programming interfaces to do policy enforcement on the devices. The Apple Watch stood out in terms of security by wiping enterprise apps from the device when its companion iPhone is quarantined or retired and the enterprise apps are removed from the phone.

smartwatches do not have enterprise mobility application programming interfacesIn terms of data encryption, there is no encryption on the Shenzhen Qini U8, while it is optional at the app level for the Motorola Mobility Moto 360 and the Samsung Gear 2 Neo. For the Apple Watch, encryption is enabled for the data on the watch and optional at the app level. The MobileIron report concluded, “As enterprises embrace these devices for enterprise applications …  we expect smartwatch vendors to place an even stronger emphasis on security.”

Not only has MobileIron recently scrutinized smartwatches so has HP. HP’s Fortify security unit tested 10 different smartwatches and found that all of them were vulnerable to cyberattacks.

HP (HPQ) did not say which brand of smartwatches it tested. However, FierceITSecurity reports that HP did test the devices and their Android and iOS cloud and mobile app components, indicating that the Apple Watch was one of those tested.

HP Fortify found that all the smartwatches they tested were insecure. Jason Schmitt, general manager of HP security at Fortify said

HP logo[Smartwatches] … will become vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks 

HP combined manual testing and automated tools to check the devices against the open web application security project’s Internet of Things Top 10 security risks. HP found that data collected on the smartwatch was often sent to multiple backend destinations (often including third parties). The researchers used HP’s Fortify on Demand to find many more smartwatch vulnerabilities (PDF, reg. req).

  • Broken watch100% tested were paired with a mobile interface that lacked two-factor authentication and the ability to lock out accounts after 3-5 failed password attempts.
  • 90% allowed watch communications to be easily intercepted.
    • 70% of the time firmware was transmitted without encryption.
    • Only 50% of tested devices offered the ability to add a screen lock (PIN or Pattern), which could hinder access if lost or stolen.
    •40% of the cloud connections were vulnerable to the POODLE attack, allow the use of weak ciphers, or still used SSL v2. Transport encryption is critical because personal information is being moved to multiple locations in the cloud.

HP offered recommendations for consumers looking to use smartwatches more securely:

  1. Do not enable sensitive access control functions (e.g., car or home access) unless strong authentication is offered (two-factor, etc).
  2. Enable passcodes to prevent unauthorized access to your data, the opening of doors, or payments on your behalf.
  3. Enable security functionality (passcodes, screen locks, two-factor, and encryption).
  4. Use strong passwords for any interface such as mobile or cloud applications associated with your watch.
  5. Do not approve any unknown pairing requests to the watch.

These security measures are also critical as smartwatches enter the workplace and are connected to corporate networks. HP recommends that enterprise technical teams:

  1. Ensure TLS implementations are configured and implemented properly.
  2. Require strong passwords to protect user accounts and sensitive data.
  3. Implement controls to prevent man-in-the-middle attacks.

rb-

As smartwatches become more mainstream, they will increasingly store more sensitive information such as health data, and enable physical access functions including unlocking cars and homes. HP’s Schmitt warns that,

Smartwatches … open the door to new threats to sensitive information and activities … vastly more attractive to those who would abuse that access, making it critical that we take precautions when transmitting personal data or connecting smartwatches into corporate networks.

All smartwatches collected some form of personal information, such as name, address, weight, gender, heart rate, and other health information. Given the account issues and weak passwords identified by MobileIron and HP, the exposure of this personal information is a concern. I am calling smartwatches not ready for prime-time.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
| July 21, 2015
Comments Off on Apple favors IPv6 as IPv4 Dries Up

Apple favors IPv6 as IPv4 Dries Up

Apple favors IPv6 as IPv4 Dries UpThe American Registry for Internet Numbers (ARIN) has reported that the IPv4 well is just about dry in North America. On 01 July 2015, ARIN had to refuse a request for a block of IPv4 addresses. The ARIN statement says that there are still a few IPv4 numbers available in smaller block sizes. But for all intents and purposes, there are no more unassigned public IPv4 addresses. As of July 18, 2015, the ARIN IPv4 Deletion page reports only 335 /24 IPv4 address ranges are available. It is time to start looking at IPv6.

Will have an impact on the large enterprisesThe good news, according to FierceEnterpriseCommunications, is the IPv4 drought isn’t yet affecting most of the internal networks of enterprises. But it’s just a matter of time before it starts to have a greater impact on the largest of enterprises. Microsoft (MSFT), for instance, found it was out of IPv4 addresses a few weeks ago. And for the first time in ARIN’s history, they denied a company that requested a large block of IPv4 addresses. Tom Coffeen, chief IPv6 evangelist at Infoblox, in a statement to FierceEnterpriseCommunications explained:

Though the IPv4 well has run dry and threatens service providers, the sky hasn’t yet landed on enterprise networks … Most enterprises still rely on private IPv4 for their internal networks. The small number of public, routable IPv4 addresses required to connect enterprise networks to the Internet is typically provided by the ISP, making IPv4 much more critical for Internet services providers.

IPv6One company that is reacting to IPv4 scarcity is Apple (AAPL). Apple’s latest operating systems – iOS 9 for iPhones and iPads and OS X El Capitan for Macs are designed to take advantage of IPv6. The new operating systems select the fastest connection with the lowest latency, whether IPv4 or IPv6, using the Happy Eyeballs algorithm, explained David Schinazi, the CoreOS networking engineer at Apple. Devices use the Happy Eyeballs algorithm to decide which protocol to use, as many applications use a “dual-stack” approach to networking, making available both IPv4 and IPv6 connections.

FierceMobileIT says this worked out to be a 50/50 split between IPv4 and iPv6 in iOS 8 and OS X Yosemite, but for the new OSes, IPv6 will be chosen by the algorithm around 99 percent of the time, according to Apple beta testing. Apple’s Schinazi wrote in a post on the Internet Engineering Task Force mailing list that Apple considers IPv6 mainstream.

IPv6 is now mainstream instead of being an exception, there are less broken IPv6 tunnels, IPv4 carrier-grade NATs [network address translations] are increasing in numbers, and throughput may even be better on average over IPv6

The author reports that testing performed by Apple shows that the new OSes should use IPv6 addresses around 99 percent of the time. Apple operating systems have supported IPv6 by default for Mac users as part of the OS X 10.2 Jaguar release in May 2002.

Mr, Schinazi cautioned that both OSes are in beta so things might change for the final versions. “If this behavior proves successful during the beta period, you should expect more IPv6 traffic from Apple products in the future,” he added.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , ,
| May 26, 2015
Comments Off on Mobile Malware FUD?

Mobile Malware FUD?

Mobile Malware FUD?Just last week, I wondered out loud from my Bach Seat if all the hype around mobile malware was real or just more FUD. Looks like I am not alone, TechCo recently asked a similar question, “Are We Overstating the Threats from Mobile Devices?

mobile threatsThe author cites several recent reports that back up the claim that the actual mobile threats that mobile devices introduce into the enterprise are overstated. The data indicates that the mobile malware threat is statistically small and has even decreased since 2012.

• A McAfee report shows out of all the malware now out there, only 1.9% of it is mobile malware. The author equates the mobile threat to 4 million / 195 million McAfee knows about.
• Another report (PDF) from Verizon (VZ) shows even lower numbers, with only 0.03 percent of smartphones being infected with what is called “higher grade malicious code.”
hit by lighting• But some numbers go even lower than that. Damballa, a mobile security vendor that monitors roughly half of mobile data traffic, recently released a report that claims you have a better chance of getting hit by lightning than by mobile malware. Dramballa found only 9,688 smartphones out of more than 150 million showed signs of malware infection. If you do the math, that comes out to an infection rate of 0.0064 percent.

Even more interesting is that despite the increase in mobile devices, Damballa found the infection rate had declined by half compared to 2012.

Walled gardenThese reports may show mobile threats aren’t as big of a problem as previously thought, but the author asks, why the numbers are so low at all. After all, cybercriminals like to target new platforms and exploit security weaknesses. Why do they seem to be avoiding mobile devices?

The truth of the matter is that mobile users tend to get their apps from high-quality app stores. The stores from Google (GOOG) and Apple (AAPL) work to filter out suspicious apps. If malware is found in apps after they’ve already been on the market for a while, app stores can also execute a kill switch, which takes the app off the store and the devices where they were downloaded. This limits malware’s ability to spread.

remotely wipe devicesThe article concludes that companies that adopt BYOD should just ignore BYOD security; they just don’t have to go all-out as many businesses have done. Most mobile security experts say a mobile device management system remains a good investment to make sure mobile devices are handled appropriately. MDM systems also allow an organization to remotely wipe devices, thus keeping sensitive data safe in the event a device is lost or stolen. But malware really isn’t a factor in those cases, so the overall message from these recent reports is that getting worked up over mobile threats is not necessary. A company can still gain all the benefits of BYOD without having to worry incessantly over what they’re doing to protect every device that connects to their network.

rb-

What do you think?

Is mobile malware over-hyped FUD?

View Results

Loading ... Loading ...

 

Related articles
  • Your BYOD implementation checklist (powermore.dell.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , , , ,
| March 17, 2015
Comments Off on Banks Scramble to Fight Apple Pay Fraud

Banks Scramble to Fight Apple Pay Fraud

Banks Scramble to Fight Apple Pay FraudSearchFinancialSecurity reports that Apple Pay fraud is on the rise and banks are rushing to fix sloppy authentication processes. Sloppy bank authentication processes are at the heart of growing Apple Pay fraud and experts worry about potential fraud with other mobile payment systems.

Apple Pay logoWhen Apple Pay was first unveiled by Apple (AAPL) in October 2014, it was touted for its increased security thanks to tokenized Device Account Numbers and the Touch ID fingerprint system. eWeek.com provided a good overview of how Apple Pay’s approval process works:

  • The camera of an iPhone 6 or 6 Plus takes a photo of the credit or debit card
  • Apple Passbook software extracts the name and expiration date, then encrypts and transmits the data to Apple
  • If the photo doesn’t allow for extraction (poor quality or card is too worn), users are allowed to manually enter the card number
  • Apple checks to see if the card is already on file in iTunes, verifying it through a match
  • But most cards aren’t already in iTunes – so Apple sends card data, phone data, and iTunes account info to the card-issuing bank
  • If verified by the bank and approved, it’s added to Apple Pay and the Apple Passbook, and it’s ready to be used for purchasing

If this provisioning is successful, the bank will automatically accept (Green Path) the info and then beam an encrypted version of the card details to be stored.

criminals have set up iPhones with stolen cardl info from Target and Home Depot hacksAccording to reports, criminals have set up iPhones with stolen personal information, which has been tracked back to accounts compromised in Target’s big data breach at the end of 2013, the Home Depot hacking in 2014, and likely the Anthem breach of 2015. The criminals take the stolen PII and call banks to authenticate a victim’s card on the new device. This is so-called “Yellow Path” authentication, where a card isn’t or rejected (Red Path), but requires more provisioning by the bank to be added to Apple Pay.

When Yellow Path authentication is required, the bank may send a one-time authorization code to the customer’s email or mobile phone that must be entered into the Apple Pay set-up.  Other banks may ask the customer to call a toll-free number where a customer service representative will try to verify the person’s identity with a series of questions about recent purchases or a home address according to the WSJ.

If this provisioning is successful, the bank will then beam an encrypted version of the card details to be stored on the Secure Element of the phone (PDF). The author contends that the heart of the problem is that some banks have lax Yellow Path processes, only asking for the last four digits of a Social Security number, leading to criminals using stolen identities and credit/debit cards to buy high-priced goods, often from Apple Stores.

Avivah Litan, a VP at Gartner (IT) said that this kind of fraud is a fundamental flaw that will affect all mobile payment services. “This isn’t necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card,” Ms. Litan wrote in a blog post. “That always appeared to me to be the weakest link in mobile commerce — making sure you provide the app to the right person instead of a crook.”

rb-

With the iPhone 6’s NFC capabilities, the physical card may not be required for such “purchases.” Maybe someday this will keep merchants from holding card data but for now, seems like the banks need to get their act together.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
| February 17, 2015
Comments Off on Scary PII Numbers

Scary PII Numbers

Scary PII NumbersAs you may have heard by now, the second-largest health insurer Anthem gave away at least 80 million of their customers’ PII records to hackers. I say at least because these always grow as the experts dig through the wreckage. The WSJ reports the Indianapolis-based insured did not encrypt this data (I covered encryption here and here). That means customers’ social security numbers, phone numbers, and other PII were easy targets for Chinese hackers according to CNBC.

did not encrypt data

Anthem is just the latest. There are even larger targets out there. The Business Insider published some pretty scary numbers. BI reports that somehow the biggest tech companies have done a great job at convincing people that their services for sending/receiving payments and purchasing goods are trustworthy and worthwhile. The article estimates that Apple has somewhere around a billion iTunes accounts (with plenty of PII and credit cards) on file.

This chart from BI IntelligenceApple (AAPL) is nearing a billion iTunes accounts on file, and that number is likely to surge immensely. Customers in China can now link their UnionPay payment cards to their Apple IDs: For context, UnionPay is the largest card network in the world with more cards in circulation than Visa and MasterCard combined.

Amazon (AMZN) has approx. 300 million payment cards on file while PayPal has around 200 million payment cards on record.

Apple, Amazon, PayPal Payment Cards on File - Business Insider

A second BI article indicates that based on leaked Uber data charted analyzed by BI Intelligence, the ride-sharing firm has well over 12 million payment cards on file. Their closest competitor Hailo has 4.4 million payment cards on file.

Ride-Sharing Payment Cards on File - Business Insider

rb-

You have been warned. The next mega data breach could come from a tech firm like Apple or Amazon.

Data theftThe WSJ article argues that companies can use many techniques to secure their data, but those things slow companies down, sometimes to a degree they find unacceptable.

I think most victims of identity theft or credit fraud find that unacceptable.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »