Showing posts with label Apple. Show all posts

Wednesday, January 14, 2015

Three Fast 'Data Privacy Day' Tips

In advance of the annual international Data Privacy Day, please share these three action tips for protecting the privacy of consumers and businesses:

  • Nothing is truly free, including mobile apps. Be aware of the personal information you give mobile app providers. Many free apps sell your information to a wide range of companies, some of which may have malicious intent. Studies have shown most apps have few, or even no, security controls built in. Check privacygrade.org to see whether the app you want respects your privacy and has security built in.
     
  • Be cautious with new "smart" devices. A wide range of new and unique gadgets -- from socks to smart cars -- connects you directly to other entities (and even to the Internet) to automatically share information about your activities, location and personal characteristics. Before using such devices, make sure you know which data they are collecting, how it will be used and with whom it will be shared.
     
  • Only share personal information with trusted sources. Be extra careful not to share sensitive personal information, such as social security numbers, credit card numbers and driver's license numbers. Don't do business with an entity that does not have a posted privacy notice.

Saturday, September 21, 2013

iPhone 5S: A Biometrics Turning Point?

Future: Mobile Devices Will Boost Interest in Advanced Authentication

Apple's decision to include a fingerprint scanner in its new iPhone 5S is an important step toward bringing biometrics-based authentication into the mainstream. But there's still a long way to go before biometrics supplant usernames and passwords at the enterprise level.

Owners of the new phone can use a fingerprint to physically unlock their devices instead of using a numeric passcode. Apple will also let users confirm purchases from the iTunes store by swiping a finger on the sensor.

Apple has not yet revealed whether it will allow third-party developers to take advantage of the new TouchID fingerprint technology to build biometrics-based authentication into their apps. While TouchID is an important milestone toward getting users comfortable with using biometrics as an authentication credential, the technology has to expand beyond the Apple universe before it can truly be considered a game-changer or a significant security breakthrough.

Biometric authentication is not new to the mobile space. Some laptop vendors, including Lenovo, have included fingerprint readers in their devices for several years. Plus, a number of smart phones and tablets already incorporate biometrics to authenticate users. And security vendor McAfee recently introduced an online file storage service that relies on voice recognition to authenticate users. But all of these vendors use closed, proprietary models, which has made it difficult for biometrics to gain traction in the marketplace.

Market penetration for PCs and laptops with fingerprint sensors is about 20 percent, according to the FIDO Alliance, an industry group focused on open standards for authentication. Even if a majority of iPhone users opt for the iPhone 5S, overall smart phone market penetration for fingerprint scanners will remain low, considering that research firm IDC estimates Apple has about 17 percent smart phone market share.

The iPhone's popularity and its reputation as a trendsetter could help more consumers feel comfortable with the idea of using fingerprint scanners on a regular basis. And once they are used to the idea of fingerprint scanners, other types of biometrics won't be far behind. TouchID is the "first example of the potential for large-scale mass-market mobile biometric authentication."

Monday, June 3, 2013

Do You Need an Anti-Virus for Mac?

It's unlikely you'll ever run into malware for the Mac

But you may still want to consider an antivirus tool anyway, if not to protect yourself, then to protect your Windows-using friends from any malware you may inadvertently pass along to them.

If you agree, Sophos Anti-Virus for Mac may be the best choice, and it's free.

Many of you may choose to use nothing, but you need to consider that malware is starting to become a bit more prevalent on the Mac, and even the safest browsing habits don't protect you completely. 

Sophos Anti-Virus for Mac

Platform: OS X (10.4+) 
Price: Free
Download: Click here

Features

  • Compact, easy-to-use interface that can be used for custom on-demand scans of files, folders, and drives, or scheduled, periodic full scans of your Mac.
  • Also scans files on your Mac for known Windows malware, trojans, and viruses, and deletes or quarantines them so you don't risk spreading them to someone else via network share, USB drive, or email.
  • Deletes or quarantines known threats, gives you the option to quarantine anything suspicious that may be a new threat or dangerous file.
  • Runs quietly in the background, scanning emails, downloads, and any other files on access, stopping you from opening them before they can do any harm.
  • Light on system resources while running in the background.
  • Installs like any other Mac application, and uninstalls just as easily—no complicated packages or components to manage or configure.
  • Sophos' "Live Antivirus" feature updates your app the moment new threats are detected or found in the wild. The feature also performs real-time lookups to see if files accessed are in the SophosLabs database, even if they're unfamiliar to the app.
  • Supports OS X up to 10.8 and back to 10.4, and is completely free for all versions.

Wednesday, February 13, 2013

Are In-House App Stores a Must for the Enterprise?

A Do-it-Yourself Approach to Ensuring Mobile Security

As personal mobile devices become ubiquitous in corporate networks - even in organizations without official bring-your-own-device policies - IT and security personnel are implementing new approaches to prevent malware and ensure data integrity. 

One approach beginning to take root is the creation of in-house corporate app stores, where organizations offer users access to custom-built, secure applications designed specifically for that organization, along with access to approved public apps for smart phones, tablets and other personal devices.

Tackling Application Insecurity

With malware turning up in the authorized commercial app stores, including the two largest, Google Play for Android and, to a lesser extent, the Apple iOS App Store, corporate security and IT executives are exploring new strategies to limit the use of unauthorized applications on devices connected to corporate networks.

IT departments generally do not permit users to install arbitrary applications on corporate computers, but despite the rapid growth in the use of personal devices for work-related tasks, many companies have not yet established similar policies for those devices.

Companies that opt for a private app store can minimize much of that risk by requiring users to select only from applications that are certified by their employer as safe.

Any suggestions or ideas?

Friday, November 2, 2012

NIST Drafts Guidance on Securing Smart Phones & Tablets

3 Key Facets of Mobile Device Security

Securing mobile devices - whether employee or enterprise owned - has become vital for many organizations and government agencies as the devices increasingly take the place of PCs and laptops.

The National Institute of Standards and Technology has issued a draft of guidance that defines the fundamental security components and capabilities needed to help mitigate risks involved in using the latest generation of mobile devices.

Andrew Regenscheid, one of the co-authors of Special Publication 800-164 (Draft): Guidelines on Hardware-Rooted Security in Mobile Devices, says many mobile devices lack a firm foundation from which to build security and trust.

These guidelines are intended to help designers of next-generation mobile phones and tablets improve security through the use of highly trustworthy components, called roots of trust, that perform vital security functions.

On laptop and desktop systems, Regenscheid explains, roots of trust are implemented in a separate, tamper-resistant security chip. But the power and space constraints in mobile devices have led manufacturers to pursue other approaches, such as leveraging security features built into the processors these products use. NIST says the guidelines focus on three security capabilities to address known mobile device security challenges: device integrity, isolation and protected storage.

According to NIST, a tablet or phone supporting device integrity can provide information about its configuration and operating status that can be verified by the organization whose information is being accessed. Isolation capabilities can keep personal and organization data components and processes separate. That way, NIST says, personal applications should not be able to interfere with the organization's secure operations on the device. Protected storage keeps data safe using cryptography and restricting access to information.

To achieve the security capabilities, the guidelines recommend that each mobile device implement three security components that can be employed by the device's operating system and applications:

  • Roots of trust, which combine hardware, firmware and software components to provide critical security functions with a very high degree of assurance that they will behave correctly;
  • An application programming interface that allows operating systems and applications to use the security functions provided by the roots of trust; and
  • A policy enforcement engine to enable the processing, maintenance and policy management of the mobile device.

NIST is seeking comments on the draft guidance.

Those with suggestions should submit them to 800-164comments@nist.gov by Dec. 14.
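Device integrity as the draft describes it rests on a root of trust that measures what booted and reports a value the organization can verify. As an added illustration (not code from SP 800-164, NIST or any vendor), the script below simulates the register-extend scheme that TPM-style measurement uses: each component's hash is folded into one running value, so the final register can only be reproduced by replaying the exact approved sequence. The component names are constructed, and hashes are concatenated as hex strings rather than raw bytes for portability; a hardware root of trust would also sign the reported value, which this simulation omits.

```shell
#!/bin/sh
# Simulated measured boot and integrity report. Added illustration only: this
# is not code from SP 800-164 or any vendor, and the component names below are
# constructed. A real root of trust extends a hardware register with raw hash
# bytes; here the concatenation is done on hex strings for portability.

# SHA-256 of a string as lowercase hex (sha256sum on Linux, shasum on macOS).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
  else
    printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
  fi
}

# Register extend: new = H(old || H(measurement)). Order matters, and a value
# can only be reached by replaying the exact sequence, which is what makes the
# final register a faithful summary of what booted.
pcr_extend() {
  sha256_hex "$1$(sha256_hex "$2")"
}

# Replay a measurement log (one component per line on stdin) from the all-zero
# reset value and print the resulting register.
replay_log() {
  pcr=$(printf '%064d' 0)
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    pcr=$(pcr_extend "$pcr" "$entry")
  done
  printf '%s\n' "$pcr"
}

# Verifier side: the organization holds the approved log, recomputes the golden
# register and compares it with what the device reported. Prints ok|mismatch.
verify_device() {
  approved_log="$1"
  reported="$2"
  golden=$(printf '%s\n' "$approved_log" | replay_log)
  if [ "$golden" = "$reported" ]; then echo ok; else echo mismatch; fi
}

# Demonstration with a constructed three-stage boot log.
APPROVED_LOG='bootloader-1.0
kernel-5.4
baseband-2.1'
TAMPERED_LOG='bootloader-1.0
kernel-5.4-rooted
baseband-2.1'

device_value=$(printf '%s\n' "$APPROVED_LOG" | replay_log)
echo "device reports: $device_value"
echo "approved log:   $(verify_device "$APPROVED_LOG" "$device_value")"
# A device that booted a modified kernel reports a different register value.
echo "tampered boot:  $(verify_device "$APPROVED_LOG" "$(printf '%s\n' "$TAMPERED_LOG" | replay_log)")"
```

The verifier never needs the device's raw log: it compares one register value against the value recomputed from the approved log, which is why a single extra, missing or reordered component is enough to produce a mismatch.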

Wednesday, October 3, 2012

How Much Do You Care About Your Privacy?

Apps Come Back to Haunt You

Can you count your apps on one hand? Two? As smartphones have found their way into more pockets and purses, the tendency to become "app happy" has struck more than one consumer.

Often folks will download an app, input their personal information, allow it to track and store their locations, purchase behaviors -- heck, even account numbers -- and then forget all about it. Meanwhile, the application is running in the background gathering (and potentially sharing with third parties) the private and personal details of their lives.

Have you set an app to auto-broadcast your location to a social network? Here's hoping you remember that before you arrive at the amusement park on a "sick day." Does that pizza place auto-fill your credit card number when you order a pie online? That's one lucky thief who gets a hold of your smartphone. Make it a practice to review your apps often.

A good time to do this is now; delete the ones you are not using. A friend of mine was surprised to find she had accumulated over 200! Then, check again whenever you have an app ask you to download an update.

As those notices come in, don't just ask yourself if you'd like to update (which is an important step, as many apps improve their security and privacy standards with these updates); also ask yourself if that's truly an app you need to have on your smartphone, laptop or any other type of computing device you use.

Monday, August 27, 2012

iOS Hardening Configuration Guide

For iPod touch, iPhone and iPad running iOS 5.1 or higher

Australia's Defence Signals Directorate (DSD) has recently released the iOS Hardening Configuration Guide, which provides instructions and techniques for Australian government agencies to harden the security of iOS 5 devices.

Implementing the techniques and settings found in this document can affect system functionality, and may not be appropriate for every user or environment. However agencies wishing to differ from the mandatory controls specified in this guide must note that the product will no longer fall under the evaluated configuration.

In these cases, agencies should seek approval for non-compliance from their agency head and/or accreditation authority to allow for the formal acceptance of the risks involved. 

This guide is for users and administrators of iOS 5 or later devices. These devices include the iPod Touch, iPhone and iPad.

For further clarification or assistance, Australian Government IT Security Advisors can consult the Defence Signals Directorate by emailing dsd.assist@defence.gov.au.

You can download this guide from here.

Saturday, August 4, 2012

Nothing Is Free, Especially Mobile Apps

Mobile App Developers Scoop Up Vast Amounts of Data

Many of my friends use a large number of free apps, and I'm vigilant in reminding them: "Nothing in life is free."

I challenge them to consider: What information are you giving in exchange for the "super cool" app? What is the app's owner doing with that information?

Be careful what you freely give away to unknown suppliers who tempt you with tantalizing fun and games.

Here's a good article with a high-level overview that points to some good research on the topic.

Sunday, June 10, 2012

Apple has released iOS Security

Apple iOS Security

Apple normally stays very quiet when it comes to discussing the security mechanisms of its products. Now it has released a document that will make life a little easier for anyone responsible for securing iOS devices.

The document, titled iOS Security, provides details on the system architecture, encryption and data protection, network security features and device access for iOS devices. If you develop policies and/or mechanisms for BYOD security, this is recommended reading.

From the Apple iOS Security document:

“This document provides details about how security technology and features are implemented within the iOS platform. It also outlines key elements that organizations should understand when evaluating or deploying iOS devices on their networks.”

The document covers four areas:

  • System architecture: The secure platform and hardware foundations of iPhone, iPad, and iPod touch.
  • Encryption and Data Protection: The architecture and design that protects the user’s data when the device is lost or stolen, or when an unauthorized person attempts to use or modify it.
  • Network security: Industry-standard networking protocols that provide secure authentication and encryption of data in transmission.
  • Device access: Methods that prevent unauthorized use of the device and enable it to be remotely wiped if lost or stolen.

Is Apple now recognizing the growing threats its products face? Prior to this, security researchers have traditionally had to rely on reverse engineering Apple’s products to understand their security mechanisms.

Refer here to download the document from Apple’s website.

Sunday, December 18, 2011

Five reasons not to jailbreak your iPhone

Crackers are reported to be making inroads into jailbreaking iOS 5

Even though the iPhone 4S jailbreak is on the way - and while many users are excited about the ability to customize and do more with the iPhone 4S - there are a number of reasons you shouldn’t jailbreak your new iPhone.

While an iPhone 4S jailbreak will deliver the iPhone experience many have been looking for, jailbreaking is not for everyone.

  1. The biggest issue is that users will be voiding their warranty. Even though the jailbreaking process was ruled legal in 2010, Apple has been very clear that doing so voids users’ warranties.

    And, whilst there are many times you can restore to a standard Apple iOS version before going in for repair, this is not always going to be the case.

  2. Users will also lose Genius Bar support on the iPhone – in the past some users have been able to get support by not mentioning that their iPhone is jailbroken, but again, if the Genius finds out that the handset is jailbroken, you may lose out on support.

  3. The third issue with jailbreaking is that you usually lose fast upgrades to new releases of iOS.

    If you are waiting for the jailbreak, you should also avoid installing iOS 5.0.1 on your iPhone 4S. This isn’t as big an issue for small updates like this, and in the case of earlier versions a jailbreak was available very quickly.

    But, when it comes to major upgrades that bring new features, you may be forced to wait a while, or go back to a stock iPhone experience.

  4. Apple has many controls in place to keep apps from slowing down your iPhone, but jailbroken apps don’t need to stick to these guidelines.

    Many users who have gone back from jailbreaking cite a poor user experience and buggy nature of their jailbroken iPhones as a reason for going back to normal. If you know exactly what you are doing, or don’t mind troubleshooting to find out what is causing an issue, you will be OK, but many iPhone owners don’t want to hassle with things like this.

  5. Finally, consider the security risks. If you have a jailbroken iPhone and are installing apps from various sources, one of them could contain malware.

    The threat of malware has caused concern for Android users, and so far we haven’t seen a large number of malware-infested jailbreak apps, but the threat remains. If you do jailbreak, be vigilant about what you download.

Ultimately, jailbreaking your new iPhone 4S is up to you. If you know what you are doing, you can follow these instructions to jailbreak your iPhone 4, and stay tuned for how to jailbreak the iPhone 4S and iPad 2 as soon as the tools are available.

Thursday, September 29, 2011

OS X Lion passwords can be changed by any local user

Any user on the system can modify the passwords of other local accounts

In OS X, user passwords are hashed, and the hashes are stored in files called "shadow files" which are placed in protected locations on the drive. Based on filesystem permissions, the contents of these files can then only be accessed and modified by the user, or by administrators provided they first give appropriate authentication. This means that only the user can change their own password, or, if needed, an administrator can do so after first authenticating.

Unfortunately, recent discoveries have shown that in OS X Lion this security structure is not intact, and any user on the system can modify the passwords of other local accounts quite easily. The problem at hand appears to be because of a permissions oversight that allows all users search access to the system's directory services.

Please note: This problem only appears to be a risk if your system is accessed directly by an attacker who can log in and query the directory services with a tool that can modify the directory services' settings. Setting up a more restrictive environment for accounts on the system should be enough to prevent this latest flaw from being taken advantage of until Apple releases a patch to fix the problem.

Refer here to read more details on CNET.

Friday, May 27, 2011

Fake (Rogue) AV Installs on Mac Without a Password

Securing Your Mac from the New MacGuard Malware Variant

A new version of rogue antivirus malware that targets the Macintosh operating system does not need victims to type in their administrator passwords to install and infect the machine, a security company said today.

The latest version of the malware has been overhauled to look like a native Mac OS X application and is using the application name MacGuard, according to an Intego blog post. But particularly concerning is the fact that unlike previous versions, which were dubbed Mac Defender, MacProtector, and MacSecurity, MacGuard installs itself without prompting for the admin password.

If Safari's 'Open safe files after downloading' option is checked, the package will open Apple's Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

Since any user with an administrator's account--the default if there is just one user on a Mac--can install software in the Applications folder, a password is not needed. This package installs an application--the downloader--named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user's Mac, so no traces of the original Installer are left behind.

The MacGuard program is downloaded by the avRunner application from an IP address that is hidden using steganography in an image file in the Resources folder of avRunner.

Web pages that look like a Finder window and appear to be scanning the computer are bogus, Intego said. Users should leave the page, quit the browser, and quit the Installer application immediately if anything has downloaded, as well as delete any associated file from the Downloads folder. Also, users should uncheck the "Open safe files after downloading" option in Safari's General Preferences, Intego advises.
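Intego's advice above amounts to two checks an administrator can script: whether Safari is still set to open "safe" files automatically, and whether any of the named artifacts are sitting in the usual drop locations. The script below is an added example and not Intego's or Apple's code. The preference key it reads and writes, com.apple.Safari AutoOpenSafeDownloads, is the real key behind the "Open 'safe' files after downloading" checkbox; the indicator names (avRunner, MacGuard and the earlier variants named in the post) and the directories scanned are assumptions made for this example, and the functions that touch defaults only do anything on macOS.

```shell
#!/bin/sh
# Added example, not Intego's or Apple's code: audit the Safari setting that
# let the MacGuard installer launch unattended, and sweep the usual drop
# locations for the artifact names in the post. The preference key
# com.apple.Safari AutoOpenSafeDownloads is the real key behind Safari's
# "Open 'safe' files after downloading" checkbox; the indicator list and the
# directories scanned are assumptions chosen for this example.

# Interpret the raw value of AutoOpenSafeDownloads. Safari ships with the
# option on, so a missing value (empty string) is reported as enabled.
autoopen_state() {
  case "$1" in
    0|false|NO|no) echo disabled ;;
    *) echo enabled ;;
  esac
}

# Read the live value on macOS; prints nothing elsewhere or when the key is unset.
read_autoopen() {
  if command -v defaults >/dev/null 2>&1; then
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null
  fi
}

# The remediation Intego recommends, as a command instead of a click (macOS only).
disable_autoopen() {
  if command -v defaults >/dev/null 2>&1; then
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
  fi
}

# List entries in a directory whose names contain any indicator from the post.
# Returns 0 when at least one is found, 1 otherwise.
scan_for_indicators() {
  dir="$1"
  found=1
  for name in avRunner MacGuard MacDefender MacProtector MacSecurity; do
    for path in "$dir"/*"$name"*; do
      [ -e "$path" ] || continue
      printf '%s\n' "$path"
      found=0
    done
  done
  return "$found"
}

echo "Safari auto-open of 'safe' downloads: $(autoopen_state "$(read_autoopen)")"
for dir in "$HOME/Downloads" /Applications; do
  if [ -d "$dir" ]; then
    scan_for_indicators "$dir" || echo "no indicators in $dir"
  fi
done
```

A name match is a weak indicator on its own, since the post notes the malware keeps changing names; treat a hit as a reason to look at the file, not as proof of infection, and run disable_autoopen regardless of what the sweep finds.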

In an Apple support article, the company said "in the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware."

The malware keeps changing names and appearances. It is designed to trick people into paying for supposed antimalware software that they don't need.

More information about how it operates is in this FAQ, information about how to remove it is here, and a comprehensive article about how to secure your computer against MacGuard is here.

Tuesday, May 10, 2011

Metasploit 3.7 Released

Takes Aim at Apple iOS

The open source Metasploit vulnerability testing framework got a major overhaul this week with the release of Metasploit 3.7.

The Metasploit 3.7 release provides an enhanced session tracking backend that is intended to improve performance. Metasploit 3.7 also provides over 35 new exploit modules for security researchers to test, including new ones designed to test Apple's iOS mobile operating system security. The Apple iOS Backup File Extraction module however is not an attack vector for directly exploiting iOS. Rather it is what is known as a post-exploitation module.

Post-exploitation modules (post for short) are designed to run on systems that were compromised through another vector, whether it's social engineering, a guessed password, or an unpatched vulnerability. This module requires iTunes to be installed on the compromised host and an unencrypted iTunes backup to be accessible there.
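The module's precondition, an unencrypted local backup, is something a defender can check for directly. The script below is an added example, not part of Metasploit or the original post: it walks the iTunes backup directory on the host and reports which device backups are unencrypted. It assumes the standard iTunes layout (one directory per device under MobileSync/Backup, each with a Manifest.plist whose IsEncrypted key records whether the backup was protected with a password). On macOS it reads the plist with PlistBuddy; elsewhere it falls back to a text match that only works on XML-format plists.

```shell
#!/bin/sh
# Added example, not part of Metasploit or the post: report whether local
# iTunes backups are encrypted, since the backup-extraction post module only
# works on unencrypted ones. Assumed layout: one directory per device under
# MobileSync/Backup, each holding a Manifest.plist with an IsEncrypted boolean.

# Map the textual IsEncrypted value to a verdict.
classify_backup() {
  case "$1" in
    true|1|YES|yes) echo encrypted ;;
    false|0|NO|no) echo UNENCRYPTED ;;
    *) echo unknown ;;
  esac
}

# Print the IsEncrypted value from a Manifest.plist. PlistBuddy (macOS) handles
# the binary plists iTunes writes; the fallback is a text match that only
# works on XML plists, such as a constructed fixture used for testing.
manifest_is_encrypted() {
  plist="$1"
  if [ -x /usr/libexec/PlistBuddy ]; then
    /usr/libexec/PlistBuddy -c 'Print :IsEncrypted' "$plist" 2>/dev/null
  else
    tr -d '\n\t ' < "$plist" |
      sed -n 's/.*<key>IsEncrypted<\/key><\([a-z]*\)\/>.*/\1/p'
  fi
}

# One line per device directory: "<device-id> encrypted|UNENCRYPTED|unknown".
report_backups() {
  root="$1"
  for dev in "$root"/*/; do
    [ -f "$dev/Manifest.plist" ] || continue
    verdict=$(classify_backup "$(manifest_is_encrypted "$dev/Manifest.plist")")
    printf '%s %s\n' "$(basename "$dev")" "$verdict"
  done
}

# Default location on macOS; on Windows the equivalent is
# %APPDATA%\Apple Computer\MobileSync\Backup (assumed, not checked here).
BACKUP_ROOT="$HOME/Library/Application Support/MobileSync/Backup"
if [ -d "$BACKUP_ROOT" ]; then
  report_backups "$BACKUP_ROOT"
else
  echo "no iTunes backups under $BACKUP_ROOT"
fi
```

Any line marked UNENCRYPTED is a backup that a post-exploitation module of this kind could read outright once the host is compromised; enabling iTunes' backup encryption turns that into a password-cracking problem for the attacker instead of a file copy.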

Refer here to read more details.

Wednesday, April 13, 2011

How to secure mobile devices?

Safeguarding Critical Information In Today’s 24/7 Workplace

It has been written regularly in this group that security should be a business enabler but with iPads, SmartPhones and clouds enabling staff to access data from just about anywhere – where do you need to draw the line?

SC Magazine has been doing some research with 500 CIOs into this very issue to establish how to secure staff across multiple access points without hampering productivity. It is addressing the findings and offering practical solutions in two webcasts going live this Tuesday and Thursday; you can see more details and sign up for both at http://www.scwebcasts.tv/ .

I have also listed some more information below for you to establish the relevance for your teams:

1. Safeguarding Critical Information In Today’s 24/7 Workplace

Goes live on 14th April at 3pm
Sign up for free @ http://www.scwebcasts.tv/

With access points and resultant breaches increasing all the time this webcast will offer ideas to ensure that only the right people gain entry to your critical information. Learnings relate to all platforms from clouds through to social networks and mobile devices to help you sleep easier.

Speakers for this live webcast include:
Mike Moir, Entrust Product Manager, Entrust
Special guest CIO to be confirmed

2. Are Mobile Attacks Undermining Your Business Security?

Goes live 12th April at 3pm
Secure your free place @ http://www.scwebcasts.tv/

This webcast will help you pinpoint specifically the relative vulnerabilities of each mobile device with the help of a recent ‘Top 3 iPhone Attacks’ case study. It will also shed vital light on the progress of international policies relating to data in transit to ensure you always stay on the right side of the law.

The experts featured include:
Tim Mathias, Director of Security, Thomson Reuters
Chris Wysopal, Co-founder and CTO, Veracode

I know thousands of you are now members of SC’s webcast community in which case you need only click attend on each of them at http://www.scwebcasts.tv/ to secure your free attendance. Otherwise you need only follow the one-off sign up process.

Do feel free to feed back to us on the content of these webcasts or with any ideas for the future. We hope that you find them useful.

Saturday, November 13, 2010

Android on the iPhone?

Install Android 2.2 on the iPhone 2G and 3G over WiFi

Hackers have come up with a way of rescuing Apple fanboys who have elderly versions of the iPhone.

For a while now Jobs' Mob has been forcing its long suffering customers to upgrade their 2G and 3G phones to the broken iPhone 4 by saddling them with an upgrade which made their gizmos slower. Now Redmond Pie has come up with a method of replacing iOS on iPhone 2G and 3G models with Android 2.2 Froyo without using any tools on a host computer.

The outfit had shown off an Android installation before. This involved running iPhoDroid on a host computer connected to a jailbroken iPhone 2G or 3G. This new process uses Bootlace 2.1 to install Android directly via WiFi. It works on the iPhone 2G with iOS 3.1.2 and 3.1.3, and on the iPhone 3G with 3.1.2, 3.1.3, 4.0, 4.0.1, 4.0.2 and 4.1.

Refer here to read more details.

Thursday, October 28, 2010

How to bypass iPhone’s passcode-protected lock screen?

Circumventing iPhone Security with the Push of A Button

A tech-savvy iPhone user has posted a video demonstrating a new finding: there’s an easily executable and potentially serious flaw in the iPhone passcode security function. Under the right circumstances, a simple press of the iPhone’s lock button will allow a malicious user to bypass the phone’s passcode protection and enter the main Phone app. From there, anyone can view the phone’s call history and stored contacts and listen to voicemail.

Wired.com’s Threat Level blog reports that Apple has not yet commented on the bug.

For more details refer here.

Video: "Bug no iOS 4.1" from Salomão Filho on Vimeo.

Wednesday, August 4, 2010

iPads open to attack

Drive-by attack could enslave iPad, iPhone

A newly discovered vulnerability in the software that runs Apple's iPad and iPhone could allow hackers to remotely take control of the popular mobile devices.

The flaw, which affects Apple's iOS and so also the iPod touch, could allow attackers to take complete control. Attackers could trick a user into visiting a website with a tainted PDF to infect the devices. Apple is now investigating the report.

Sunday, June 27, 2010

Apple customers have no privacy under new policy

Apple privacy policy is the latest in a series of privacy related issues

Unexpected new privacy rules give Apple and its associated “partners and licensees” the legal right to track, monitor, and store the whereabouts of its customers in real time. Users who do not agree to these draconian measures are prohibited from downloading from the iTunes store.

Apple says that its customers' consent to tracking improves service, although it leaves questions about privacy, security, and safety unanswered.

In spite of a pledge to keep data anonymous, Apple customers have no reason to believe they have any privacy or anonymity. Studies at the University of Texas have demonstrated that customers can be identified by their behavior even when their names are not explicitly stated. Even worse, Apple customers are not told why they are being tracked or who is tracking them.

Refer here for more details.

Sunday, June 13, 2010

iPad security breach

AT&T Confirms iPad Security Breach

AT&T has confirmed an iPad security breach which computer experts say has exposed over 100,000 early iPad adopters to potential malicious hacking and spam, with those vulnerable including dozens of CEOs, military officials, top politicians and media personalities.

The security breach was discovered by a group calling itself Goatse Security, with the specific information exposed in the breach including subscribers' email addresses along with an associated ID used to identify the subscriber on AT&T's network, known as the ICC-ID. AT&T, the sole U.S. provider of wireless service for the iPad, said it had fixed the security hole by Tuesday after being contacted by Goatse Security.

"At this point, there is no evidence that any other customer information was shared," AT&T said in a statement. "We take customer privacy very seriously, and while we have fixed this problem, we apologize to our customers who were impacted."


Please refer here to read more details.