Macworld’s excellent reporting on the recent Mac-oriented Flashback trojan. The attack exploits a vulnerability in Java, which isn’t installed by default on Macs running Snow Leopard. However, many Macs still run Java, and most are probably still vulnerable because Apple only recently released the required patch for Java.
One takeaway:
Apple clearly needs to start patching software that’s known to be vulnerable more quickly. After the success of Flashback, we can only assume the bad guys will move more quickly the next time they are given this window of opportunity.
Developer Marco Arment:
Apple needs to change the Address Book API to require user permission first, like Core Location and Push Notifications do. I don’t care how many applications break as a result. Not requiring user permission to date should be treated as a security hole and patched promptly.
Couldn’t agree more.
Obviously an “open” platform is going to have more malware.
One of the things I love about smart phones is the ability to install apps. From a corporate perspective, it seems one is able to give users the freedom to do so with far less risk to your corporate data on iPhone than — from what I’ve seen so far — any other platform.
Amazing work from Apple on this, really, when you consider that they’re so new in the market.
UN Information (In)Security
Found this blog post randomly, but it made me chuckle. A person at a UN conference (ironically, on breaking down administrative and procedural firewalls) discovered an Apple Time Capsule that had been configured to allow guest access to the backups of a well-known UN staff member’s work information.
I like to dream up root causes when I see things like this. What I imagine is going on here is a little self-service IT. Probably, the staff member in question, who is likely of rank and has assistants, was mistrustful of the integrity or the confidentiality of the IT-provided backups — or there weren’t any. So, in an effort to “do the right thing” and get the information backed up, he either self-configured or had somebody configure a store-bought wireless router with integrated backup capability (the Apple Time Capsule, which is a great product, BTW).
Eventually, they discovered that it could also be used to share files, and that this was easier and faster than relying on the IT group to set up a solution, so a working group began collaborating on documents using the Time Capsule. Because the IT system likely had rigidly enforced access controls, the group was only able to make it work by allowing everybody to log into the shared area as a guest. Either that, or they were unable or unwilling to configure accounts on the shared storage.
In the end, they also exposed the thing to a public network and — there you have it — a visitor to the UN has access to a bunch of privileged-access information.
The lesson here isn’t that users are stupid, either. It’s that IT departments, and especially security people, need to learn to deliver the tools that people want, and not the tools that IT managers want to buy. And, of course, the biggest lesson of all is that security people and the leaders of organizations must make security awareness one of the ingrained principles by which all staff members operate.
A lot of people are talking about the “consumerization” of IT. The trend being spotted is that, in the near future, IT innovation will be driven by consumer devices and that corporate IT will have to play catch up or allow such innovative devices to interact with traditionally stodgy corporate IT systems. The whole idea is largely driven by the phenomenal success of the Apple iPhone, which everybody wanted and no IT department was initially willing to provide.
I have a lot of thoughts on the consumerization trend. These thoughts also relate very nicely to my thoughts on the Advanced Persistent Threat. And while I actually admire and respect a lot of Microsoft’s software and services work, I believe that the near decade-long stagnation in IT system innovation, as well as the myriad security issues that have been realized at unprecedented scale, are a direct result of corporate IT’s failure to adequately protect itself from a software monoculture.
Cool! All-new FileVault for Mac OS X Lion. Can’t wait to get my hands on it and test it out, but it looks like it adds a lot of previously-missing features like external drive encryption.
If you’re a fanboi like me, go check out the preview site for Lion at Apple.com.
