Category Archives: #pub - Page 3

Apple vs. Innovation

In the absence of Steve Jobs and any new innovative ideas, the tech giant Apple won their patent violation case against Samsung. Apple will be awarded $1 billion dollars and Samsung will be forced to cease production of smartphones which bear a resemblance to previously patented technologies found on Apple devices.

I suppose the jury of Samsung’s “peers” didn’t read the illusionary flier circling around the Earth since the 1800s stating that technology is innovated on the back of pre-existing technology. Instead the court decided that devices that contained features such as pinch-to-zoom were in violation of patents registered by Apple.

Of course all smartphones have those features (HTC included), but this is just Apple’s first step. In the case of pinch-to-zoom, it makes sense for a small device to enable zooming by pulling and pushing your fingers together and apart. Many other similar technologies can be found in the case. But the courts found that Apple’s patents were violated by introducing these features on Samsung Android-based devices. Apple hopes this will deter future smartphone makers from replicating the features in question in the future.

This is Apple’s first attempt to thwart android smartphone leader Google, a company that relies on hardware manufacturers to produce phones with their Android operating system (an open source Linux platform designed by Google to be run on mobile devices). Samsung is Google’s largest mobile hardware designer (makers of the notable Samsung Galaxy Tab and Samsung Galaxy S II). The New York Times article entitled, “Jury Gives Apple Decisive Victory In A Patents Case” by Nick Wingfield* released on 8/25 calls this a “proxy war against Google’s Android.”)

In actuality, this seems a lot like Apple is trying to stifle all forms of mobile competition so that the iPhone and other Apple mobile devices can trump the competition. This landmark decision proves that, in America today, suing is is better than innovating. Equally as unsettling, the integrity of the judicial system in the modern era is at stake as well.

By some sources, Google smartphones sold worldwide trump Apple smartphone sales considerably. As we’ve also seen, Apple has been reluctant to create any new products in recent history with the exception of the iPad 3 (which is an iPad 2 with a better screen, slimmer design and overheating problems). Apple will soon release their new iOS version as well as an a newly revamped Apple TV (much needed considering Roku sales have left the previous incarnation of Apple TV in the dust).

As an Apple customer, I’m appalled by Apple’s stance to innovation and, more specifically, Samsung. Apparently no one at Apple studied game theory and the need for innovative competition in High School economics. If you silence the competition with your complaints and fail to offer anything new you should should be ashamed of yourself. Don’t hide behind patent law as an excuse. Jobs claimed Google’s android OS is a “stolen product”* yet they seemed to have had the same complaint against Microsoft over a decade ago! I believe we’re seeing Apple’s ugly side when dealing with competition and can best be described as “blame it on the other guy.”

This case brings up a number of valid legal concerns technology producers have:

1) Is our current legal system and, specifically juries, effective when dealing with technological matters?

2) What if jurors can’t comprehend the matters at stake?

3) Is our current patent laws reasonable in an inherently innovative world?

4) What role should patent law play in technology today?

5) If you believe our legal system is incapable of dealing with new technological issues, should our legal system be fixed?

While I won’t get into those two “big picture” debates on the blog, people should be considering those questions when reading the news. As it stands, this ruling will disturb the very foundation of mobile innovation in America. Hopefully the appeals will be more successful at stopping Apple’s temper tantrums.

Sources Used Above

* Wingfield, Nick. “Jury Gives Apple Decisive Victory In A Patents Case.” The New York Times, August 25, 2012.

Apple’s Social Engineering Crisis

On 8/08 there was an interesting news article on Bloomberg’s website regarding the Apple password crisis surrounding journalist Mat Honan. Honan’s digital existence was ruined a few days ago when hackers used social engineering tactics against him (for those unfamiliar with the articles, I’ve linked them below).

Anyone who’s ever been to an Apple store knows that convenience is king.

You need help with something? There’s almost always some friendly hipster with a weird haircut to help you. You need your data migrated from one device to another? No problem for these blue shirt gurus! Want your password changed? Sure, answer just a few simple questions that anyone can get…

Wait… what?

Apple previously allowed users to change crucial account details such as one’s password over the phone. Typically most companies handle such changes online and merely talk the customer through a series of secure web pages after confirming their identity by a number of different means. (Recently I had to call Dell and was bumbarded by over 4 different identity-based questions.) Apple’s system allowed for sensitive account changes to be made with a few simple facts about a customer including the last 4 digits of the primary credit card and one’s address!

One with access to another user’s iTunes account, if cloud backups and syncs are enabled, could potentially delete data right out of the air or access important documents which could potentially allow an attacker to access other accounts the user owns.

Other security flaws included the ability to circumvent the AppleID associated with App and iTunes store purchases, compromise iCloud data and more.

That’s exactly what happened to Mat Honan of Wired Magazine. His dilemma is exactly what spawned Apple’s reaction regarding their security flaws: Honan’s entire life was ruined when a hacker – simply interested in taking his Twitter username and causing havoc – gained access to his AppleID, wiped his Apple devices remotely, accessed his other accounts on other services and more.

In response to this crisis, Apple has suspended the option of resetting one’s AppleID password over the telephone as stated in the Bloomberg article linked below. It’s unfortunate that lessons are learned on the backs of paying customers as Honan’s case also dealt with the security failings of Amazon as well as Apple (see links below for further details).

Hopefully these major tech players have learned that sometimes convenience cometh before the fall.

It really is a tragedy that these companies didn’t take security seriously. With more data being stored off-site, on cloud servers, Mat Honan’s story gives us a lot to think about going forward in the digital age.

Sources:
Satariano, Adam. Bloomberg Reporter
Giles, Tom. Bloomberg Editor
Article URL: http://www.bloomberg.com/news/2012-08-08/apple-to-beef-up-security-for-phone-password-resets-after-breach.html

Honan, Mat. Wired Magazine
Article: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Recap Notes on Infosec VC 2012

Recap: the Pros & Cons

Back in June we had an awesome segment of Infosec VC 2012 entitled, “Hacktivism: What, Why, and How to Protect Against It,” lead by Gregory Nowak, Head Researcher at ISF (Information Security Forum) and ISACA Security Advisory Group and Peter Wood , CEO of First Base Technology and also of ISACA. So I thought I’d attend the bulk of the Infosec VC 2012 conferences now in August. What follows is my notes on some of the presentations for those that are interested…

The Disconnect Between Managers and Technicians

Product managers and corporate executives all seem to view security in a macro sense and often don’t fully grasp or care about the minute details of data security, such was illustrated at the 2012 Infosecurity Virtual Conference. These big shot corporate types and project managers are great for selling security solutions developed by a company’s IT department to the company’s administrators. But their lack of “street level” knowledge leave a lot to be desired.

Take the keynote presentation, Data Security and Compliance in an Evolving Data Center, by Derek Tumulak (VP of Vormetric). He was extremely intelligent and understood a lot of core concepts. A few positives of his presentation included: overview of virtualization and how it’s used in data centers (globally speaking), cloud computing and associated models, the importance of mobile security and how one breach could potentially mean disaster for an insecure organization, encryption management (how and when to use encryption as a last resort) and so on.

But Mr. Tumulak failed to identify actual instances of said compromises or how an organization should safeguard their systems on a technical level.

Instead he said, hackers, by and large, have been “[s]tealing information to sell it on the black market,” which isn’t necessarily true. Corporate espionage is big but it isn’t everything. Given the rise of Hacktivism I believe a strong number of attacks are conducted by those with specific ideological views they wish to convey (Anonymous attacks against Sony to protest the prosecution of a PS3 modder and other similar attacks). Also many wish to highlight security flaws to that company and, some, see what they can get by exploiting such systems (sheer curiosity).

While I can’t claim to know every technology out there, I understand this to be a very large weakness in the corporate environment: the disconnect between the inner workings of data security and the project managers that organize teams to implement the solution. Is the solution to make all corporate executives network technicians? Obviously not but a middle ground must be met in order to appropriately data. Big pictures are wonderful but if you aren’t going to get your hands dirty or at least explain past instances of exploitation and what steps can be made to protect against such problems, you’re just ranting. Good for sales, bad for business.

Unlike conventions such as HOPE, Defcon and Black Hat Briefings (which does have a fair amount of “big picture” talks, as corporations only seem to understand that method), a lot of corporate events are presented in this kind of “dry” way at other sessions. The Infosecurity Magazine US Summer Virtual Conference 2012 was full of this. Some, but not all, of the presentations were like this.

You’d think a lot of these executives were more interested in PowerPoint or Keynote than coding.

“Providing Smart Security for Smart Devices,” by Mike Sapien and Marc Vael) was very dry and the solutions discussed were obvious ones. Anyone with smartphone knowledge would have been eons ahead of these guys. The Program Director of ISACA was a little more informative here as far as how corporate employees need to safeguard their mobile data.

Unfortunately almost 99% of the conference was targeted at CTOs, VPs, and other corporate audiences. A number of presenters stated that things that were “highly technical ” wouldn’t be useful; most people gloss over it. As such the tone of the conference was “business minded” and technology was discussed in general terms. As such it didn’t really serve to impress the tech savvy.

I really liked Theresa Payton’s address. As the Fmr. Whitehouse CIO and head of her own security company she has a warning to companies: focus on the new emerging digital landscape. She spoke about the important role social media plays in computing today.

Companies today must adopt social media, in her opinion, but they must also adopt a strong sense of security if they want to address its inherent security concerns.

So in conclusion of the cons, it wasn’t a conference detailing the finer points of information security such as firewall and network group policies, AD flaws and loopholes, social engineering techniques, encryption standards in depth, code exploits & tightening, wireless security (ARP table monitoring for MITM protection), and a myriad of other technical details. It was mostly by corporate-types for corporate-types.

A forum friend of mine actually did tell me “it’s like this. We just go to these things to get our credits for our CISSP,” after I said I wasn’t really interested in the bulk of the conferences. So I guess I’m over-analyzing the conference.

Onto the pros…

Best Presentation: “How to Protect Your Organization from a DDoS Attack”

Panelists

Michael Singer, VP of Security for AT&T
Prof. David Stupples, CCySS, University of London

At Glance

Prof. David Stupples of the Centre for Cyber Security Sciences (CCySS), City University of London was one of the greatest speakers for me. He discusses malware, DDoS attacks in-depth using past examples of such attacks are conducted. Botnets that harvest data and move through proxy servers to mask the identities of attackers are of significant concern to CCySS.

The professor explained how Botnets work and how they are analyzed before being sent to anti-virus/malware companies for safeguarding their client’s systems. He explained how analysis is conducted using mathematics when analyzing botnets in CCySS-made honeypots and how CCySS has a track record of doing just that.

Prof. David Stupples also discussed the limits of Botnets and possible preventative methods such as:

* Providing security/OS upgrades can mitigate against such malicious code exploitation.
* Vendors using honeypots to analyze known botnets/malware can help.
* IP/DNS filtering is effective to some degree against Botnets (and the Botnets ability to connect “home” to its masters).  Note that I attribute this to the way Alureon/DNSChanger was thwarted by ISPs despite the FBI’s warnings to the general public. ISPs were able to compensate for this at their level and ensure DNS didn’t resolve where they weren’t supposed to.
* Malware companies examing Botnet/malicious code fingerprints for quick identification
* Reverse engineering search engine spiders to identify threats immediately

That panel included other security professionals and their insights into the matter of software attacks, viruses, malware and DDoS attacks. They stress the importance of different countries working together to analyze, spot and thwart such attacks. Prof. David Stupples said that such international efforts have helped catch a number of attackers in the UK. He stressed the need for more international law enforcement support.

Michael Singer, Executive Director of Security for AT&T, was also among my top favorite speakers. He discussed how the safeguarding of the internet is essential but not at the expense of individual freedoms, which many people enjoy. He stressed the importance of the need for a global security organization, like Prof. Stupples, but also warns that such an organization must make sure not to curb individual freedoms.

Interestingly Mr. Singer also discussed mobile security and how Android, in particular, can be used for for such exploitation as it’s an amazing platform with the power of a small computer.

To see the presentation, click here to register and go to the conference page.

Glitches

Poor Audio – There are a lot of problems with audio. The audio was pretty bad. But all of these conferences generally have low quality audio.

Slide/video track bar – When watching older/archived sessions, moving this bar to skip or go back usually requires a refresh of the entire presentation page. Which generally stinks.

Infosec Summer Virtual Conference 2012

On Thursday 8/9/12 Infosecurity Magazine will be hosting their summer Virtual Conference 2012. If you possess a SSCP®/CISSP® you can also earn CPE credits. Although most virtual conferences are hokey ways to sell a company or organizations products, this security conference looks interesting (but may turn into a means of selling magazine subscriptions, you’ve been warned). Noteworthy pieces include a segment on Hacktivism and an address from Theresa Payton, fmr. White House CIO.

You may have also thought of American Express as the card with the most identify theft attempts made against it (or at least that may be your impression from all those fraud warnings you get in the mail). Dismiss it from your mind, Mike Mitchell – director of merchant data security at American Express – will be gracing us with his presence.

If there’s anything interesting worth noting I’ll post it here. Usually I don’t like advertising events that aren’t really amazing (notably Def Con, Black Hat Briefings, HOPE, LayerOne, ShmooCon, ASIS, etc.), but it’s free and online so who cares? If you’re like me and missed the better conventions this year due to Vegas being too expensive in this economy, security+free is always good.

Sign up for free @ http://www.infosecurity-magazine.com/virtualconference/infosecurity-magazine-2012-us-summer-virtual-conference  

IPv6 Security Issues

There’s a lot of talk about IPv6 having a number of security flaws. I thought I’d summarize some of them and address them accordingly. What follows is an enthusiasts’ view of the issues at stake gained by reading up on the issue through various sources.

Security Concerns

1) The argument that federal and state law enforcement will be hard pressed to be able to track criminals over the internet is also a benefit for those preaching anonymity online. Since IPv6 addressing is considerably more complex than their IPv4 counterparts, spanning multiple subnets, some security experts warn users against it entirely.

IPv6, currently being favored for use over on the popular uTorrret Bit Torrent client serves as a proponent to IPv6, saying Teredo tunneling enables a more effective means of sharing data between older operating systems (Teredo = backward compatibility between 6 and 4).

Could the prospect of anonymity have been a driving force in the adoption of IPv6 for torrent use? Possibly but not likely considering there are net tools available for IPv6 (such as SubnetOnline and many others, makes you wonder why the FBI is so concerned if tools are available, even if not so widespread yet).

Source: IPv6 good for criminals, says FBI and DEA | Digital Trends
Source: Teredo tunneling – Wikipedia, the free encyclopedia
Source: IPv6 – Wikipedia, the free encyclopedia

2) IPv6 may or may not be more susceptible to mass DDoS attacks and MITM attacks or at least ones which are not presently protected against by common routers and/or firewalls, the debate is still up in the air. If interested, there is a white paper that I’ve found that discusses the effects of DDoS with IPv6’s new IPSec protection configured and without it (covers TCP, UDP, ICMP flooding and Smurf attacks; check it here).

One exploit toolkit known as THC-IPV6 (THC-IPV6 – attacking the IPV6 protocol suite) has been particularly problematic as it contains ICMP flood tools, network listeners, ARP poisoning tool which actually fakes the network into believing you are a router, MITM traffic redistribution tools, DOS detection, IDS, ICMP6/TCP-SYN traceroute, network fuzzers, smurfers and countless other tools. The only safety users have against this is a really strong modern firewall and/or network policy. (Source of Note: thc-ipv6 Toolkit – Attacking the IPV6 Protocol | Darknet – The Darkside)

To summarize but counter the concerns, ZDNet said the following on their blog:

True, IPv6 incorporates Internet Protocol Security (IPsec), but by itself that doesn’t buy you any more security. IPv6’s header design also lends itself to better security since it can be used to provide to a cleaner division between encryption meta-data and the encrypted payload. In addition IPv6’s huge address space can be deployed to scanning attacks harder by allocating random addresses within subnets. But, those are all matters on how you deploy IPv6. In and of itself, IPv6 won’t make you any more secure than your childhood blue blanket.

First IPv6 Distibuted Denial of Service Attacks Seen, ZDNet

So although attacks can be larger spread if the implementation of IPv6 is handled improperly (across entire subnets), this is a deployment problem not a problem inherent in the protocol itself. Furthermore, on an individual level, as more firewalls support IPv6 so too will we see a decline in the attacks available to those using IPv6 on their network.

3) Route Header Security Concerns – a packet’s route header can be used to specify where and how to strike a particular target. This concern is mentioned in the following presentation: http://meetings.ripe.net/ripe-54/presentations/IPv6_Routing_Header.pdf Possible solutions is better packet routing by ISPs as they become more equipped to handle IPv6 as well as more advanced firewalls and security schemes.

Conclusion

So essentially what we see is a growing technology, still very much in its infancy, becoming more predominant by the day. Hopefully as IPv6 is adopted so to will public awareness of the security risks increase. It’s also my belief that software vendors and internet service providers alike should work together to better address such issues.

IPv6 may have started slow but it may be here to stay.