Monday, January 27, 2014

Apple Sheds Light On Law Enforcement Data Collections

Government inquiry reports are nothing new, after all Google, Verizon, AT&T and others have published 'transparency reports' for awhile now. Today however, marks one of the few times ever that we have seen Apple disclose their NSA and law enforcement data numbers.

The report, which can be viewed here as a PDF file, comes on the heels of several tech companies reaching a deal with the U.S. Department of Justice over disclosing national security information requests. A deal which will enable more tech firms to report more detail about security requests.

According to the report Apple responded to fewer than 250 national security requests and roughly 927 law enforcement request nationally from the period between January 1, 2013 to June 30, 2013 disclosing data for 747 accounts, Apple objected to 102 requests and disclosed no data in 254 requests, for a total disclosure rate of 81 percent.

Apple said the numbers reported are "the actual number of requests for information related to law enforcement investigations and all of the national security orders received under FISA and NSLs guidelines."

This data represents every U.S. national security order for data about Apple's customers regardless of geography. The report also reiterates previous statements the company has made that unlike some other tech companies during the time from they did not receive any orders for bulk data.

Apple believes the number of accounts affected in comparison to the sheer volume of accounts the registered with the company is "infinitesimal". Yes I'd say so! So much so that I'd be skeptical of how accurate these numbers are and call into question the results. In comparison to the numbers we generally see these seem minute.

One reason may be is that perhaps the government agencies are circumventing the need for a direct order and obtaining the data needed in other ways. According to a new report from The New York Times and corroborated by other news agencies, the NSA can obtain data from iOS and Android apps as it travels over the Internet, in real time.

FBI Warns Retailers of The Likelihood of More Credit Card Attacks

Following reports of targeted attacks on retailers and the theft of personal information from customers, the FBI has released a statement warning retailers of the potential for future attacks, as well as the increased trend in malware affecting POS (Point of Sale) machines such as cash registers and credit card swiping devices.

According to Reuters, which initially obtained the report, there have been about 20 hacking cases in the past year that involved the same kind of malicious software similar to that used against Target stores over the past holiday shopping season. This high number of reported attacks not only has the FBI on alert and leads them to believe that "POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it".

In their 3 page report they also made note of the availability of malware on "underground forums" as well as the large potential for profits to be made from POS attacks, as warnings to the retailers in an attempt to get them to tighten up security. The report was dated January 17 and entitled "Recent Cyber Intrusion Events Directed Toward Retail Firms." A spokeswoman for the FBI confirmed the agency had issued the report as part of efforts to share information about threats with the private sector.

The vice president of the National Retail Federation, the world's largest retail trade association, stated that "Retailers have been and remain vigilant in their efforts to provide the highest level of security for their data systems in order to protect against malicious and criminal acts. As the criminal investigation continues and more information becomes available, you can be sure that the retail industry will be responsive and engaged to ensure this particular cyber-attack does not happen again."

Only time will tell, however, exactly how proactive these retailers will be in protecting their customers' personal information. One thing is clear: retailers need to move quickly to get better tools in their networks that can analyze traffic patterns on the fly and identify any unusual activity, said another expert in retail security, who has audited POS systems to find vulnerabilities that hackers can exploit.

Tuesday, January 14, 2014

Your Banking App May Be Putting Your Money At Risk

With several recent high profile data breaches making big headlines more and more consumers are questioning the security of not only the retailers they use but the websites they shop and apps the use on their mobile device. We often fall victim to a false sense of security believing that official apps are more secure than they really are. Security is undoubtedly very important in every app, of course, but if there is one group of mobile apps that we tend to believe should be secure more secure than any others we use it would probably mobile banking apps. 

Earlier this month security researcher Ariel Sanchez of IOActive published a rather shocking report that indicates that 90% of mobile banking apps from top banks around the world may have serious security vulnerabilities that could potentially compromise sensitive user data. Ariel Sanchez took a close hard look at mobile banking apps for the iPhone and iPad from 40 of the 60 top banks in the world and discovered serious security flaws in almost all of them. Here is a small sampling of his discoveries:
  • “A few apps (less than 20%) did not have Position Independent Executable (PIE) and Stack Smashing Protection enabled. This could help to mitigate the risk of memory corruption attacks.”
  • “40% of the audited apps did not validate the authenticity of SSL certificates presented. This makes them susceptible to Man in The Middle (MiTM) attacks.”
  • “50% of the apps are vulnerable to JavaScript injections via insecure UIWebView implementations. In some cases, the native iOS functionality was exposed, allowing actions such as sending SMS or emails from the victim’s device.”
  • “90% [of the apps] contained several non-SSL links throughout the application. This allows an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.”
This incredibly troubling study should open the eyes of the consumer as it lifts the veil on that false sense of security that we all have. The research brings to light a few very serious problems for the banking industry — and for consumers that utilize these apps — that will only become more severe over time as mobile banking app usage grows. Sanchez notes in his report that the various security vulnerabilities he identified could allow malicious hackers to intercept sensitive data, install malware or even seize control of a victim’s device handing over full account access and control.

“Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms,” Sanchez stated in his conclusion. “As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions.”

Tuesday, January 07, 2014

Intel To Dish Out $1.3 Million To Inventors Who 'Make It Wearable'

Intel is making a major leap into the 'wearable computing' market and they are looking for developers to help them make it happen. In his CES keynote address, Intel CEO Brian Krzanich issued a challenge to the smartest and most creative minds to participate in the Intel "Make It Wearable" challenge (PDF).




Intel will award $1.3 million in cash awards to winners and will connect contenders with industry luminaries to help realize their ideas. Winners will create wearable devices that will help computing evolve to become ever more personal and connected. The inventors are encouraged to consider areas of importance for the proliferation of wearable devices and ubiquitous computing, such as meaningful usages, aesthetics, battery life, security and privacy.

 Guidelines for submissions are as follows:
  • The challenge will begin in summer 2014 and is open to individuals in selected countries to submit ideas via a website (makeit.intel.com) for new wearable products. 
  • Winners will be announced by January 2015 
  • The grand prize winner will receive US$500,000. The second and third place winners will receive $200,000 and S$100,000, respectively.
  • The ten finalists will receive $50,000 to help get their ideas off the ground Each will be provided with more than 70 hours of intensive mentoring over two months
  •  The product must be based on Intel technology and be a sensor or computing device that is attached, embedded or worn on the body. 
  • Categories include fashion, wellness, social, education, environment, security and healthcare. 
  • Judges and mentors will be luminaries in various fields related to wearables such as technology, entrepreneurship and design. 
Visit makeit.intel.com for more details, additional eligibility requirements and official rules, to be posted before submission opening.