Israel Lifshitz

If you thought Heartbleed was the queen bee of all security bugs, then you’re in for quite the “Shell Shock”. Late last week it was discovered that Bash, the command processor that is the default shell on most Linux distributions and on Mac OS X, and is also ported to Microsoft Windows and Android, will execute commands smuggled in after a function definition stored in an environment variable. The vulnerability, dubbed Shellshock, lets an attacker run arbitrary code wherever untrusted input reaches Bash, and it can be made wormable.

CGI scripts have been the most attacked vector so far. A web server hands request headers to a CGI script as environment variables, so an attacker only has to place a crafted function definition in a header such as User-Agent and the server runs the command that follows it. If you are still running such scripts within your organization, this bug gives attackers a foothold on the whole host, with the privileges of the web server process.
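As an added example (not code from the original post), the following POSIX shell script shows three things a practitioner wants at this point: the canonical check for a still-vulnerable bash (CVE-2014-6271), why a CGI request header reaches the shell at all, and a scan over access-log lines for the `() {` signature that every Shellshock probe has to carry. The log lines, IP addresses and header values are constructed for illustration; the `HTTP_*` mapping follows the CGI specification (RFC 3875).

```shell
#!/bin/sh
# Added example: Shellshock (CVE-2014-6271) check, CGI header mapping and
# log detection. All sample data below is constructed, not captured.

# 1. Is the bash on this host still vulnerable? Bash exported functions as
#    environment variables whose value starts with "() {"; an unpatched bash
#    also executed whatever followed the closing brace when it imported the
#    variable. Prints "patched", "VULNERABLE" or "bash not found".
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash not found"
        return 2
    fi
    # The trailing "echo vulnerable" must never run on a fixed bash.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "VULNERABLE"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# 2. Why CGI is the main vector: the server exports each request header to
#    the script as an HTTP_* environment variable (RFC 3875), so a header
#    value is exactly what bash sees when the CGI script (or anything it
#    spawns) is a shell. "User-Agent" -> "HTTP_USER_AGENT".
cgi_env_name() {
    printf 'HTTP_%s\n' "$1" | tr 'a-z-' 'A-Z_'
}

# 3. Detection: count stdin lines carrying the "() {" signature that every
#    Shellshock probe needs. grep -c exits 1 on zero matches; "|| true" keeps
#    a zero count from aborting a "set -e" script.
count_shellshock_probes() {
    grep -c -F '() {' || true
}

# Constructed sample access log: two probes (one in the User-Agent field,
# one in the Referer field) and one benign request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.9"
203.0.113.6 - - [25/Sep/2014:10:01:07 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored; }; echo; /bin/cat /etc/passwd" "-"'

# Runs the detector over the constructed log; prints "2".
sample_probe_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes
}

shellshock_check
cgi_env_name "User-Agent"
sample_probe_count
```

Run the first function on every host that exposes CGI, not only on internet-facing ones; the same `grep` works unchanged over a live access log (`count_shellshock_probes < /var/log/apache2/access.log`), and the signature is worth a rule in whatever log pipeline the organization already has.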

Network services are the most exposed to this bug, so it is especially critical to grasp the vast reach and impact Shellshock has on enterprise mobility and BYOD programs. The ensuing panic in the security and enterprise communities is therefore no shock at all.

Why? Because in a typical BYOD program, users access various corporate network resources through multiple applications, each of which transfers data from employee-owned devices to a network service. Multiple apps mean multiple network services, which leaves more pathways open to attackers.

You may have assumed that only your internet-facing resources need patching and that internal network resources can wait. But in a BYOD program each user’s device has access to a long list of internal corporate services. Through this weak link, attackers can reach your internal network services by planting Trojans and worms on the device, so every network resource needs to be secured and patched. Legacy systems are even more of a liability, because patches are harder to apply to them.

The writing is on the security wall, and it’s important to heed the wake-up call: giving hackers a foothold on the apps and network services connected to your employees’ personal devices means that Shellshock is quite realistically the largest security vulnerability BYOD has faced. And, like Heartbleed, it is neither the first nor the last major security bug that will threaten your corporate network resources.

You may say that your BYOD devices are protected by MDM and that your network is protected by VPN connections. In truth, that is not nearly sufficient.

It is precisely the BYOD devices that are the weakest link in your corporate security: they can be hacked with relative ease, and once compromised they give attackers access to your corporate VPN connection and to the large number of unprotected internal network services behind it.

For infrastructures that install their apps directly on devices, Shellshock could be the security nightmare they have always dreaded, and one that takes years to eradicate. Fortunately a solution to this problem, Virtual Mobile Infrastructure (VMI), already exists. VMI fits precisely this threat because there is no direct link from devices to network services. This relatively new framework runs a mobile platform remotely and streams only its display to the device, leaving all apps and data on a remote server. Only one secured protocol then needs to cross back to the data center, instead of the many pathways other infrastructures open to service each app added to the device. One protocol means security teams can focus on securing a single network service, which makes the Shellshock ordeal far more manageable and much less terrifying. Nubo Software was the first to introduce VMI to the security industry, and its platform can enforce app-based firewalls on the virtual devices, permitting only specific selected apps to access network services.

Looking ahead, it seems a foregone conclusion that major security threats like Heartbleed and Shellshock will keep surfacing, which makes it all the more imperative that organizations in the BYOD generation proactively set up the infrastructure that best contains these vulnerabilities now and in the future. VMI gives organizations a safe, remote platform to do just that.

David Abbou

The infamous “Celebgate” of a few weeks ago is still all over the mainstream press, mainly as fodder for the likes of TMZ and Entertainment Tonight to gossip about how Jennifer Lawrence, Kate Upton and Vanessa Hudgens have been exposed in their birthday suits. Apple has responded by extending its two-step verification to iCloud, which should make it harder for hackers to get at backed-up data, provided the user actually turns the feature on.

Apple’s security was put through the wringer by the security community for lacking the basic protections needed to fend off brute-force password guessing against phone backups stored in iCloud. Apple has since responded by adding a limit on how many wrong password guesses are tolerated before further attempts on the account are blocked.


However, even if Apple had implemented these features earlier, they would not be enough to prevent such attacks when a user’s passwords and security questions are weak and predictable, as they often are. An attacker who guesses them signs in as the legitimate user. From there they can dig up more sensitive passwords to your other personal accounts and mine your contact list for leads on whom to target next.

This realization quite justifiably lobs the ball back into the consumer’s court, and using stronger passwords is just one of several security steps users need to apply more diligently. If there is one constructive and very critical lesson to take away from Celebgate, it is that if you want to enjoy your shiny internet-connected toy du jour without handing over the keys to your private details, which can hurt your bank account as much as your reputation, you need to get with the security program.

In our increasingly cyber world, our cyber toys come with cyber responsibilities that users can’t keep ignoring if they want to avert their own personal disaster.

You don’t need to be an A-list sex symbol to learn this lesson the hard way. Recently a high school teacher in Israel ran a pilot program in which shared tablets were distributed among her students. What she overlooked was that, because she had logged into her Gmail account on them, the tablets synced by default with her smartphone, which, you guessed it, contained nude photos of herself. The high schoolers reacted like, well, high schoolers: one student photographed the pictures on the tablet and in no time shared them with the class and beyond via WhatsApp. Asked to resign, the teacher has refused and is instead attempting to sue the student. She is also blaming the school for not warning teachers about the hazards of logging into a personal email account on shared tablets.

You can’t blame people for feeling for the teacher and her bad luck, but this is a prime example of a self-inflicted privacy violation. Many of us click right past the fine print because we can’t start using our gadgets, apps and widgets fast enough, yet stories like this should blink in our brains like a bright pink neon sign: we can no longer plead ignorance of the security settings so critical to our own protection.

Auto-syncing of files to iCloud, Google Drive or any other cloud-based storage service can be turned on or off in your account settings from any of your devices; check it before handing a device to someone else.

The vast majority of users will remain relatively unsavvy about technology, but that doesn’t mean you have to make yourself easy prey for attackers. There is only so much spoon-fed protection we can demand from the services we use every day. If you don’t want hackers to brand you with a security tramp stamp, a little effort on your own security will keep you from being an easy target.


David Abbou

Nothing elicits attention to a cause like celebrity endorsement – or in the case of Apple and its iCloud storage – celebrity outrage over their private nude photos being hacked and exposed all over the internet.

Private nude photos of more than 100 celebrities were stolen from their respective iCloud accounts and leaked online on August 30, putting Apple and its security protocols on the hot seat, just a few weeks before the release of iOS 8.


So who’s to blame for this infamous celebrity unveiling (pun intended)?

It took less than 48 hours for Apple to release a statement assuring the public that none of these privacy violations resulted from a breach of its systems, and that it was working with the FBI and other law enforcement agencies to hunt down the as yet unidentified attackers.

Problem solved? If only it were that simple for Apple; it has been anything but ever since. In the case of iCloud, the truth seems far cloudier than the original synopsis.

Apple’s original statement would lead you to believe that iCloud’s security infrastructure is pristine, citing users who choose weak passwords and forgo two-step verification as the main culprits. Granted, many users are annoyed at having to retrieve a code from their phone as an extra step and end up neglecting the feature. And episodes like this make it blatantly clear that the days when we could get by with simplistic passwords and guessable security answers for accounts holding our sensitive information are over. You may as well leave your front door unlocked and post signs to the whereabouts of your most valuable and personal possessions.

But in appearing to blame its rather prominent victims, Apple invited a well-warranted media storm of negative PR and celebrity backlash. It also motivated industry experts and pundits to hold Apple’s security up to intense scrutiny. What has been turned up by security experts and researchers so far is pretty alarming.

First, iCloud’s popularity makes it a prime target for attackers, and its Camera Roll backups are enabled by default. By comparison, Windows Phone backups are off by default, while on Android photo backup is mostly handled by third-party applications.

Noted hacker and tech blogger Nik Cubrilovic’s exceptional post on the issue shows how easily the account recovery process could be used to confirm that an email address belongs to an iCloud account, and walks through several further weaknesses in the login and recovery flows that could be exploited to get into an account.

Another eye-opening wrinkle is Elcomsoft Phone Password Breaker (EPPB), a forensics program from Moscow-based Elcomsoft originally built for police and government agency clients. This software, available online for anywhere from $79.99 to $400, has been shown to download a full iCloud backup to a computer once the attacker has the account password, and at the time it worked even with two-factor authentication enabled, because that protection did not cover backup downloads.

Apple has since acknowledged the need to improve this security measure and to communicate it more effectively to customers. On Friday, Apple CEO Tim Cook announced that from now on users will receive an alert whenever someone attempts to log in, change the password, or connect a new device to their iCloud account.

So where does Apple go from here? If it compiles the lessons learned from these security holes and bolsters its password set-up and recovery processes, that would be a step in the right direction towards preventing future breaches and winning back some customer confidence. Another equally important lesson that should not get lost in the shuffle is one of customer accountability. Most of us who are not security conscious will continue our bad habits until we get caught with our pants down. Which is why, in the end, whether you’re an ordinary Joe or Jennifer Lawrence, it is ultimately still iCloud’s responsibility to save us from ourselves.