Showing posts from July 2011
07 Jul 2011
Last month, I quoted security firm Kaspersky's CTO Nikolay Grebennikov as he explained why he feels that Apple can't keep its iOS platform secure all by itself.
It's a fairly bold statement, but he went further, stating that Apple would be forced to open up the iOS within a year.
Apple keeps a firm grip on its mobile operating system, only allowing applications and services to be downloaded from its own store. And it, presumably painstakingly, vets these apps and their developers first, ensuring that they're free of malware and other nasties.
Android, a far more open platform, has no such restrictions.
Both operating systems are doing well, although Android is the faster growing, perhaps partly because it's easier for developers to get involved.
Having said that, Android has the worse security record, with DroidDream and other malware bursting out from seemingly innocuous apps once in a while.
Hell hath no fury like an Apple customer spurned. My article was quickly swamped with outraged comments from Apple devotees.
"Currently, iOS is completely immune from viruses and malware," shrieked one.
Another addressed Grebennikov directly with some career advice: "Dude, go get a new job, your business model is going bye-bye!"
Leaving aside the disconcerting and cultish fervour with which some Apple customers exalt the company, their unshakable belief that the platform is safe could be their undoing.
McAfee put it well in its 2011 Threat Predictions report:
"The popularity of iPads and iPhones in business environments and the easy portability of malicious code between them could put many users and businesses at risk. The lack of user understanding regarding exposure on these platforms and the lack of deployed security solutions make a fertile landscape for cyber criminals."
I realise I'm quoting security companies with something to gain from identifying a need for additional security in the iOS, but that doesn't mean the need isn't there.
This week, elite hacker Comex released a jailbreak service for the latest iOS version. In so doing, he revealed a zero-day flaw in the platform, managing to skirt around its security counter-measures. That flaw is now in the public domain. By the time you read this, malware will be out there in the ecosystem, exploiting this vulnerability.
And as a closed system, there's little iOS users can do to protect themselves until Apple releases a patch. Actually that's not true. You can jailbreak your device using Comex's service, then download his own patch which fixes the problem. Irony?
OK. So I lied. In fact I love to say I told you so.
Anything can be hacked, it just has to be worth the effort. Apple products are no exception. And I say this as an Apple user myself, just one who has yet to be initiated into the cult.
Stuart Sumner, chief reporter and security geek
Storage company EMC has admitted that the cyber attack on its security division RSA Security has cost it £40m, both in investigating the hack, and in tightening security to make sure it doesn't happen again.
I'm not entirely sure how you manage to spend that amount of money in those ways. How much does it cost to check your log files, scan your network for malware or oddities, and go through all your documents to see what has been accessed, when and by whom?
There's quite a bit of work there, so let's say you hire in some incredibly expensive external talent and it takes them a month. I still don't see how that can possibly come to more than £1m tops.
And then you have to improve your security in the hope that someone somewhere might actually trust you enough to use your products again.
As part of this drive, RSA created a new CSO role, which it gave to Eddie Schwartz, who was already working at EMC, and originally at NetWitness, which EMC bought in April.
If they're paying him £39m, then that would both explain where the money went, and prompt an immediate change of career direction for myself, and probably most of you too.
Unless they're factoring in loss of sales, which is possible and would certainly come close to explaining the figure.
Companies are understandably reluctant to reveal their losses as a result of security breaches. They'd rather brush the whole thing under the carpet as soon as possible, and hope their customers suffer from amnesia.
Sony has probably lost far more as a result of its encyclopaedia of security mishaps, but it isn't telling us, other than to say that it has lost something (besides all credibility).
So had EMC properly secured RSA's network in the first place, what else could that £40m have bought?
Well for a start it's what the US military paid recently for the manufacture and delivery of the new XM-25 computer smart-rifles, complete with explosive shells and thermal imager sighting.
Are your competitors' sales teams all armed with smartphones? They're no match for the smart-rifles, and the thermal imaging should help track them down even in the comfort of their air-conditioned BMWs.
Or, how about Manchester City striker Carlos Tevez? £40m should be enough to prise him away, then simply install him in the foyer of your headquarters and make him do keepy-ups. That'll be more interesting than a few potted plants and a drinks dispenser.
Personally I'd plump for the Meamina, a luxury 200 foot boat available from Burgess Yachts. It lists one of its features as 'teak decks'. And it leaves a cool million in loose change for important things like gin and helicopters.
So EMC, those are just a few things to reflect on as you eye the hole in your profits this quarter. For everyone else, go spend £50,000 upgrading your security then blow the rest on a teak-floored yacht.
Stuart Sumner, chief reporter and security geek
From the Newsdesk
The Computing newsdesk's views on the latest issues in UK business technology