Apple Will Release a Special iPhone for Security Research Purposes

Apple will release a special modified iPhone for research purposes only. With new software installed within its operating system, this modified iPhone is set to be a part of Apple’s bug-bounty program. While Apple’s bug-bounty program was initially introduced in 2016, this is the first time such iPhones will be used for this service.  

These new iPhones will be included in Apple’s iOS Security Research Device Program and will only available to the security research team. The program supplies security researchers with this uniquely modified iPhone to which these analysts will use to help with making security-related improvements. This would make it easier for ‘experienced bug hunters’ to work on Apple products. 

These modified iPhones will have “advanced debugging capabilities and a root shell, among other modifications designed to make the software more open and accessible for researchers,” says Lisa Eadicicco of Business Insider

In August, Apple announced that the new Research Device Program is one of many updates in their bug-bounty program. They have yet to announce how many applications they will accept into this program. Apple will pay a $1 million reward to researchers who find flaws and to whoever could take control of a device with no user interaction involved. The company will expand their bug-bounty program, so it will include most of Apple’s products, such as the Apple Watch, Mac computers, and their Apple TV, in addition to the current iOS.

Uber Uses Software to Remotely Log Out to Preserve Customer Privacy Data

With 78 or more international offices, you might have to consider some possible opposition with government authorities. In 2015, Uber faced a series of investigations in China and various other countries and were looking to secure their information while being investigated. During these police raids, employees knew the drill: immediately log-off and make it nearly impossible for the police to access the information they had a warrant to retrieve, aka proceed with the “unexpected visitor protocol.”

For fear of sounding a little too suspicious, it’s important to know that Uber was trying to protect the privacy and security of their customers, drivers, and employees – especially abroad. After a lot of searching, Uber discovered a software titled, “Ripley,” which was said to be named after Sigourney Weaver’s character in the 1979 sci-fi movie, Alien. This special software is able to remotely disable, lock, or change the password on employees’ computers and smartphones in the event of a breach or police raid. As quoted in an Bloomberg.com article, “The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. ‘Nuke the entire site from orbit. It’s the only way to be sure.’”

According to Bloomberg, the software was used during a raid in Montreal in May 2015. The  idea behind this was for Uber’s team at the San Francisco headquarters to be able to shut down a device if necessary. At this point in time, the Quebec tax authority arrived at the office unannounced with a warrant. Uber’s on-site managers followed the protocol and alerted company headquarters about what was happening. Fortunately, with the use of Ripley, they were able to not reveal anything to the investigators by logging off from all the devices in the Montreal office immediately.

The employees are trained to alert and follow some simple procedures when someone arrives unannounced at its foreign office to protect their data. If the investigators begin to investigate Uber’s machines, they have a list of Do’s and Don’ts that the employees should follow. Do’s include cooperating with the authorities and disclosing requested documents. Don’ts say not volunteer any information, nor “delete, destroy, and hide any document or data.” It’s unclear though if they used this list when using the software Ripley. Although, it is clear that Uber has allowed authorities to leave the building with company laptops plenty of times before. It all depends on the legal privilege of the situation.

Uber said “Like every company with offices around the world, we have security procedures in place to protect corporate and customer data,” an Uber spokeswoman said. “When it comes to government investigations, it’s our policy to cooperate with all valid searches and requests for data.”

Later, Uber started using off-the-shelf software called Prey and another named uLocker. Uber said that these softwares are able to protect the privacy of the drivers, Uber employees, and the passengers. Last March, the New York Times revealed that the company used secretive software called Greyball in some cities where Uber wasn’t yet allowed to operate. The software let the company target certain people, like the police, and showed them a mock-up version of the app that showed no cars available to hide the fact that they were indeed in operation.

According to the article, Uber is now under investigation by the US Department of Justice for its use of Greyball and is facing at least four other inquiries by the US government. As for the software Ripley, uLocker, and Prey being used by the Uber they have mentioned that there is nothing secretive about it. It’s basically the same software someone would use to track down their lost or stolen smartphones. However, an Uber Spokeswoman has mentioned that these softwares are even good for internal use. For instance, if an employee loses their laptop, we can just log them out of the Uber’s System to prevent the information from leaking and having someone else access private user data.

31 Days of Cybersecurity in October

It’s almost October meaning it’s time for pumpkin spice everything, Halloween preparations, and Cybersecurity Awareness Month! The month of October is designated to educate the public about the importance of cybersecurity.

For 31 days straight, we will be posting a tip a day on our Facebook page, so be sure to “like” us so you don’t miss out!

According to the Department of Homeland Security, the monthly awareness program was  “designed to engage and educate public and private sector partners through events and initiatives to raise awareness about the importance of cybersecurity, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.”

With the direction technology is headed, it’s no secret that cybersecurity is at the top of the concern list for people all over the world. Global Cyberattacks, data breaches, and ransomware attacks have dominated the headlines recently, exposing citizens to an insurmountable amount of cyber problems. While these problems are in fact very real, we believe that a true weapon against cyber-destruction is knowledge.

In some cases, there is a breakout of a phenomenon known as “security fatigue.”

Is security fatigue real?

With the increasing number of cyber problems accumulating on a daily basis, it seems that individuals have been developing a phenomenon known as “security fatigue,” or risky computing behavior in response to too many instructions and ads against such attacks.

Constantly changing passwords, two factor authentication, captcha, and strong passwords are said to potentially add too much of a burden on employees. For those advanced companies, you might start seeing a move towards biometrics rather than counting on ever-changing passwords to act as your security wall.

For those of us who do not have access to biometrics and fingerprint authentication, we’re going to bring an innovative spin to tried-and-true methods all of us should be putting into practice.

Be sure to follow along on our Facebook page for daily tips that are quick to implement and easy to share. Be sure to let us know if you try them out! #Inverselogic #October #CybersecurityAwarenessMonth

New Phishing Scam Warning for American Express Members

Just a few days ago, a well-planned phishing attack has emerged and is targeting American Express cardholders. This email features certain levels of irony within the text and impersonates AmEx so well, it may actually bait even the most aware individual.

This new scam seems to be an improved version of the one we saw earlier this year. Scammers are going after card holders and advising the recipient to protect him or herself against fraud and phishing (ironic, no?) by creating an “American Express Personal Safe Key” or “PSK.” The scammers reference a legitimate security technology offered by AmEx called SafeKey, but add a space in between the two words (reads Safe Key). The email appears to target as AmericanExpress @welcome.aexp.com and is formatted just like an actual AmEx email. There were no mislabeled links, misspellings or poorly written sentences – all which are usually identifying elements of a phishing scam.

The link at the bottom of the email says “Create a PSK” and takes you to a fake, yet believable, AmEx login page: http:// amexcloudcervice.com/login/. Two things to notice: 1) the misspelling is craftily hidden and reads cervice with a c instead of s. 2) It isn’t a secure site (clearly) – the lack of HTTPS should have done the trick in alerting people. If you’re money is involved and they’re legitimate, you best believe there is an HTTPS. Too many people focus solely on the contents of the page instead of the browser infrastructure.

Once you enter your login info (correct or not), you’re taken to a page where you’re then asked to enter personal details. If you think long enough, you’d realize that AmEx doesn’t need to ask you about all these things – once you login, they have your credit card number and info. However, the site asks you for your card number, expiration date, four-digit CVV code, Social Security Number, birthdate, parents maiden names and birthdates and multiple email addresses.

While there are some clues like missing copyright symbols and mistyped words, most people might mistake this as a legitimate email (we’re not all info-security pros). But what we can do is take some easy precautions! Never login to a site where you access confidential info by clicking a link in an email. Always type the web address directly into your browser. If you receive an email from your bank and are unsure of the legitimacy, call the number on the back of your card to clarify. And last but not least, look for the HTTPS at the beginning of a link.

Keeping a watchful eye can help you avoid being the victim of a phishing scam. Unfortunately, scammers are getting better and better at playing the game so we advise you to stay alert.

Internet Explorer Bug

223px-Internet_Explorer_10_logo.svgOn Saturday FireEye Research Labs announced a bug in Internet Explorer versions 6 through11, which allows hackers to compromise computer security using corrupted Adobe Flash files.

The Department of Homeland Security’s United States Computer Emergency Readiness Team states that there is no practical solution for the bug, and advises that if you use Internet Explorer, to switch to a different browser until an update is issued. Another way to avoid the hack is to turn off Adobe Flash Player.

There’s currently no word on whether Microsoft will issue a patch or not before their next scheduled update (May 6).

Edward Snowden Speaks at SXSW

SXSW is in full swing and one of the most anticipated speaker for the event is former CIA employee and NSA contractor Edward  Snowden. The live cast  “A Virtual Conversation with Edward Snowden” started at 11AM CDT. Snowden answered questions from Twitter and the SXSW audience.

Snowden SXSW

Snowden called for developers to create user-friendly and accesible privacy tools and more secure networks

When asked by Tim Berners-Lee, intventor of the World Wide Web, what Snowden would change about the nation’s surveillance system, Snowden replied,

“We need public oversight … some way for trusted public figures to advocate for us. We need a watchdog that watches Congress, because if we’re not informed, we can’t consent to these (government) policies.”

In defense of his actions, Snowden explains,  “I took an oath to support and defend the Constitution. And I saw the Constitution violated on a massive scale…”

watch the Snowden Interview.

 

Social Engineering- The Underestimated Threat to Information Security

When you hear about information security, you might think of viruses or hackers attacking from far far away. While these are legitimate threats, one of the most common causes for security breaches is the victim or their associates simply telling an attacker what they want to know. Even with the most complex security systems, the human social factor can lead to vulnerability.

So how are attackers getting away with this? Rather than using technical knowledge to break into a system, they interact with victims to obtain what they need to commit fraud, steal information, and gain system access.

wolf

It is human nature to trust those who act with confidence, and attackers use social engineering to exploit this tendency. Even large corporations are vulnerable despite security protocol, as proven by recent white hat contests. Here are some examples of social engineering:

Pretexting

Lying about a fake situation, and setting it up so that the victim thinks they must give up information is known as pretexting (it is also illegal after a law was passed in 1999). Modern attackers have even been known to pose at IT support, calling departments and claiming to be returning a service call, and then asking for users’ login credentials to penetrate systems.

Baiting

Investigative journalist, Adam Penenberg, recently challenged modern hackers to obtain information about him. In one attempt, a “spy” was sent to his wife’s yoga studio, posing as a student, and intentionally left a USB drive loaded with malware in hopes that someone would plug it into a computer to find out who it belonged to. This tactic exploits curiosity, using physical media as bait. Malware launched on a computer can collect data like passwords and credit card information and send it to an outsider without the user ever knowing it is there.

Tailgating

People have a habit of assuming that nothing is awry if someone seems to “fit in.” To physically breach security, intruders have been known to tailgate, or follow someone closely enough to slip by and gain access to areas off limits. By acting confident in their actions, sometimes even pretending to swipe an access card, they are able to fool those around them without drawing attention.

Social engineering uses the same tactics long practiced by con artists. Despite the con artist’s many years of existence we haven’t learned how to identify or distrust them. The best way to avoid assisting an attacker is by implementing security protocols and always following security procedures. Always question anyone or anything unfamiliar, and if you feel like you may be inconveniencing someone by refusing to give them information, it might be best to explain that it’s always better to be safe than sorry.

Adobe Hacked

In a blog post today, Adobe Chief Security Officer, Brad Arkin announced a major security breach affecting 2.9 million customers. The attackers accessed customer IDs, encrypted passwords, ancrypted debit and credit card numbers, and other customer-related order information.

Adobe

Adobe has ensured that they have reset relevant customer passwords and are in the process of contacting all customers affected by the attack.

Email Security

Do you know the difference between SPAM, phishing, spoofing, and Trojans? They are all tools and tactics used to transmit viruses or steal information via email. They are also more common than you might think.

Email Threats

How important is email security to you?

Billions of emails are sent every day, and many of these emails are SPAM or even malware. While SPAM filters help eliminate most unwanted messages, no filter is perfect.  To be fully prepared you should be aware of the possible email security threats that you could face. Reacting to unwanted emails properly is necessary to get rid of future unwanted SPAM, and to protect your network and information.

The best thing to do when you receive a suspicious email is to delete it. Simply opening one can compromise your security. Refer to our Email Security Guide to learn how you can protect your inbox.