by Felicien | Feb 13, 2019 | Education
Apple is yet to disclose how much it will reward a 14-year-old U.S. teenager for discovering a serious security flaw in its FaceTime video call system. It is believed that part of the reward money will be set aside for his high school education fund.
On Thursday, Grant Thompson noticed the group FaceTime bug while on a video call with his friends. Apparently, they were discussing different strategies they could implement on Fortnite, a 3D video game which is widely popular among the teenage demographic.
Once the teenager's family contacted Apple, the company took action and released the iOS 12.1.4 iPhone update on Thursday. Prior to his discovery, an unnamed security researcher had also noticed the FaceTime bug but was unwilling to disclose it, since Apple had not put a bounty on offer.
Missed Opportunity
Towards the end of January 2019, details of a suspicious bug in FaceTime emerged. Several users noticed suspicious behaviour in the video call system, which is widely used among iPhone users.
Sometimes when they called friends and family, they could distinctly hear what was happening on the recipient's end, regardless of whether the recipient had answered the call. Apple got word of the bug and immediately disabled the recently launched Group FaceTime feature on iOS devices.
Earlier that same month, the teenager and his mother had phoned the trillion-dollar company about the same potential security threat. Apple treated the 14-year-old's discovery as a hoax and assumed the boy was seeking attention.
Grant had uncovered the problem on one of his Group FaceTime video calls. When his report fell on deaf ears, his mother, Michele Thompson, stepped in and repeatedly reached out to Apple via social media and email. For whatever reason, Apple declined to act on the report of the vulnerability in its FaceTime feature.
Once other users of the video call system reported the same bug, Apple credited Grant, who hails from Catalina, Arizona, with the finding. Grant's name went viral hours after Apple released a software update to counter the bug.
About the Update
iOS 12.1.4 is the latest update from Apple for iPhone 5S phones, iPad Air devices and the 6th generation iPod touch. A week earlier, Apple had disabled Group FaceTime when news of the bug emerged.
Apple also noted that it had fixed a similar, previously unreported issue in FaceTime's Live Photos feature. On Friday, Apple reported that it had resolved the flaw on its servers and that it would release a software update to re-enable Group FaceTime.
The iOS 12.1.4 release notes state that a logic issue existed in Group FaceTime and that it was addressed with "improved state management". As of 10 a.m. on Thursday, Apple's system status page reported that Group FaceTime had been restored.
iPhone users can update their gadgets by doing the following:
Open Settings.
Tap 'General'.
Select 'Software Update'.
Download the update.
Once the download is complete, your iPhone will automatically install the new software.
Swift Security Measures
A representative for Apple had this to say in regards to the update and the reported bug: “In regards to the bug that has noticeably established its presence in the FaceTime feature, a security audit has been conducted by our team. Additional updates have been made to not only the Group FaceTime app, but its Live Photos feature as a whole in a bid to enhance our security. This will go a long way in securing our customers who are yet to upgrade to the latest software”.
The representative also revealed a major server upgrade to block older versions of macOS and iOS from making use of FaceTime’s Live Photos feature.
For a global company that prides itself on protecting users' personal information, the bug was a major misstep. Tim Cook, Apple's CEO, has often advocated for stronger privacy regulation. In the recent past, he has subtly called out companies that use their customers' personal data to build personalized ads. In this case, it is safe to say that Apple is not so perfect either.
Apple’s bug bounty program
Apple missed a massive opportunity to solve the FaceTime bug problem soon enough. Based on reports from The Wall Street Journal, as early as the start of January, Apple received warnings from a concerned teen but decided to do nothing about it.
Fortunately enough, before the issue escalated to something even more serious, more and more users noticed the flaw and issued a public outcry to the company.
Apple has offered its sincerest apologies to the teen and his family and is yet to fully reward them for their vocal assistance on the bug issue. The company is not willing to share the exact amount they will pay, but it will be substantial enough to see Grant through high school, according to a report by Reuters.
Relevant to this incident, Apple launched its bug bounty program in late 2016. Researchers can receive more than a hundred thousand dollars for reporting qualifying bugs early enough. One of the first people to receive substantial compensation from the program was 19-year-old Luca Todesco.
In that same year, Facebook followed suit and rewarded a 10-year-old Finnish youngster with a $10,000 bug bounty. The boy had reportedly figured out how to delete any user's comments from Instagram's servers.
Aside from Grant Thompson, a 27-year-old software developer from Texas by the name of Daven Morris was also credited. Unlike Grant, Mr. Morris reported the problem several days after it was already made known.
Either way, Apple rewarded the young man for noticing the problem soon enough.
by Felicien | Feb 13, 2019 | Education
In early December 2018, the Australian Parliament passed into law a bill called the “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018.” Australian and international technology companies immediately voiced intense opposition to the new law. Amazon, Apple, Digi, Facebook, Google, LinkedIn, Microsoft, Snap, Twitter and many more have already raised serious objections saying that the law is overly broad, deeply flawed, and lacks sufficient judicial oversight.
The law was passed in such a rush that the 173 proposed amendments attached to the bill had to be stripped from it. Legislators approved the bill on the very last day of the legislative session before going on their summer break. Like most things done in a hurry, the chance of major mistakes here is very high.
Legislators agreed to the law on the condition that debate over amendments would continue when they return from the summer break. In the meantime, the law is defined well enough in its current form to have created a global uproar over its focus and its major negative impact on encryption.
What Can Happen Under the New Law?
Senior officials of the Australian government (the Directors-General of Security, the Secret Intelligence Service, and Australian Signals) and the chief officers of intelligence agencies may request that companies considered a "designated communications provider" give technical assistance in order to obtain private data on individuals and organisations.
Technical Assistance Request
Compliance with a technical assistance request is voluntary. Requests may be made in writing or given verbally in the case of an emergency. The idea is to inform the companies of what the needs are so that they can take voluntary steps to be able to comply with future requests about things that are deemed to impact Australia’s national security and the interests of Australia’s foreign relations.
Australia already has a security cooperation agreement with four other countries: the US, the UK, New Zealand, and Canada. This means the new Australian law extends beyond Australia's borders to cover the interests of these, and potentially other, countries. An Australian interception agency may use the new law to enforce Australian criminal laws and also foreign criminal laws, provided the offence carries a possible sentence of three years or more on conviction.
Technical Assistance Notice
The procedures and the extent of an assistance request and a technical assistance notice are the same. The difference between a request and a notice is that a notice requires compliance. A technical assistance notice requires a communications provider to do acts or things, as required, to help Australian Security, the Australian Security Intelligence Organisation (ASIO), and an interception agency with issues of national security and enforcing criminal laws for serious offenses.
Under the new law, these notices come with an enforcement warrant that includes a confidentiality provision. Failure to comply may result in a fine of up to AUS$10 million (about US$7.2 million) for each instance.
Technical Capability Notice
Under this new law, Australia’s Attorney General can give a communications provider a technical capability notice. The notice requires compliance. It forces the provider to be capable of doing things that will allow it to be able to give certain kinds of help to Australian Security, the ASIO, and other interception agencies. This capability gives the Australian government what it needs for national security issues and to enforce the criminal laws of Australia and other foreign countries related to serious offenses.
This is the part of the new law that made the CEOs of major technology communication providers nearly lose their minds, because it raises the near certainty of introducing systemic vulnerabilities and systemic weaknesses. This provision can force a company to introduce a "backdoor" into its technology, which makes that technology extremely vulnerable to exploitation.
Systemic Vulnerability
For the purposes of the new law, a systemic vulnerability is something that impacts a whole set of technologies used by a large class of persons, such as instant messages, online banking, text messaging, and real-time chats. It does not include a vulnerability that is introduced when it is selectively applied to a target of just a particular person, even if unidentified.
In other words, if a vulnerability can be limited to a targeted person and does not affect the entire class of persons, it is not considered a "systemic" vulnerability. Although the concept is clear, achieving such a targeted vulnerability, limited to a single person in a system with widespread use, is extremely challenging, if not impossible.
Consider this example. If a provider must be able to access the device of an individual who has not yet been identified, at the Australian government's request, then the entire system must have this capability as part of its design.
On close examination, this provision in the law is absurd. Communication providers must have the capability to target any particular person in the group of people using the technology. At the same time, they are not forced to use a systemic vulnerability that impacts the entire group. If a target person is unidentified then it could be anyone in the group! The only way to target them is with a systemic vulnerability; otherwise, it is not possible to find their communications.
Systemic Weakness
A systemic weakness means something that impacts the entire group of users of the technology. If the technology introduced selectively targets a particular person, it is not considered a systemic weakness. A targeted weakness is possible to achieve. However, this is normally something done by the ASIO or other intelligence agencies, not by a communications provider or a technology company.
An example would be to surreptitiously gain access to a targeted person’s device and install a key logger to capture information entered on that device. It is possible but it is ludicrous to require a communication provider to do something like that to one of its customers.
Under this new law, communications providers can be forced to do things that violate a particular person's privacy, but cannot be forced to do things that create systemic vulnerabilities or systemic weaknesses. Again, the problem is that being required to have the capability to target any individual out of a group of millions or billions of people means having the capability to target every single person in that group. The mere existence of this capability is, by definition, a systemic weakness.
Designated Communications Provider
The definition, under the new law, of a designated communications provider is immensely broad. Besides the obvious impact on Australian-based companies and those having physical operations in Australia, it also includes any telecommunication carrier, system, intermediaries, service providers, equipment, and any electronic services, including any websites, used by one or more persons in Australia.
By this definition, virtually any global system falls within the reach of an ASIO officer's investigation, since at least one person in Australia is almost certainly using it. This provision has already caused a global reaction, with many companies domiciled outside Australia stating that Australian laws do not apply to them.
The Technical Paradox of Encryption
Encryption only works if there is no backdoor capability to get around it. In a seminal academic white paper entitled "Keys Under Doormats," published on July 7, 2015, by Professor Harold Abelson of MIT together with 14 peers, the strong evidence-based case against mandating backdoors in encryption schemes is clearly presented. Giving the Australian government access to private conversations is, by design, the same as creating an invitation to exploit that access, which makes the entire encryption scheme vulnerable.
Conclusion
The new Australian legislation makes the Australian government seem to want to join the ranks of totalitarian governments like Russia, China, and North Korea that have made the use of encryption illegal in those countries. The unintended result may be a global backlash against Australia, which could leave the country in technological isolation from the rest of the world.
It is not only criminals that use encryption. Many find that unbreakable encryption is useful for all kinds of important private transactions such as online banking and financial exchanges. People have the fundamental right to secured communications for many valid reasons. For example, encryption can prevent the loss of many billions due to cybersecurity breaches, protect private medical records, and prevent the theft of intellectual property.
Allowing any government the ability to get around encryption means that criminals will likely find a way to get around it as well. It is quite possible that there are criminals working for the government too. In other words, the new Australian law might actually help criminals when considering the total impact.
The trend in most of the rest of the world is towards more robust encryption, not less. Hopefully, when the Australian legislators come back into session they will take the time to evaluate these issues in much more detail and add the many amendments needed to fix this seriously flawed bill.
by Felicien | Feb 12, 2019 | Education
Microsoft’s Visio Visual and Power BI are two extremely useful software tools that help business owners store, organize, and interpret data with easy-to-understand visual representations.
Using these tools can take your business to the next level. Still, many business owners don’t know about Visio Visual or Power BI. Moreover, many are skeptical as to why data interpretation is important at all.
Why is data interpretation so crucial to your business?
As a business owner, it is vital that you understand the “big picture” of your company’s data. Any given company will have a plethora of diverse data at any given time. This may include:
Sales records, recorded by the hour, day, week, month, and year
Sales records by location
Sales records by department
Floor plans of stores, warehouses, offices, and more
Employee information
Subscriber or client information
Inventory data
And more
Storing all of this data and never looking at it will inevitably hurt your business. Doing this almost certainly means missing the “big picture” and subsequent opportunities for growth and improvement.
How can Visio Visual and Power BI help?
Here are the biggest reasons companies don’t examine, analyze, and interpret their data more often (or at all):
1. They have too much of it.
2. It’s difficult to organize and understand.
This is where tools like Visio Visual and Power BI step in. Both tools create easy-to-see and understand visual representations of your data, with the goal of targeting what’s working and what’s not.
What is Microsoft Visio?
From flow charts and 3D graphs to network schemas and floorplans, Microsoft Visio Visual is one of the most capable pieces of software for creating and manipulating diagrams of all kinds.
What is Microsoft Power BI?
Power BI is another indispensable Microsoft tool that allows businesses to analyze their data in a variety of ways and see and share insights via the dashboard. Everything on Power BI is updated in real time and can be accessed from anywhere in the world via the cloud. This software includes a myriad of invaluable features for analyzing, fixing, and understanding data.
What can you learn from your data with Visio Visual and Power BI?
We know that Visio Visual and Power BI allow you to see your data clearly and concisely. This starts with using Visio Visual to create the charts and diagrams that pertain to your industry.
From this data, the goal is to learn what’s going wrong and why, what’s going right and why, and where you need improvement. For example:
If you own a retail establishment, what’s selling and what’s not?
If you own a restaurant, what ingredients are you constantly running out of?
If you own a transportation business, why are your trucks stocked to the brim one month and empty the next?
This is largely Power BI’s job.
Power BI layers the base data organized by Visio Visual with analytic tools that share insights about how your business is doing across numerous benchmarks.
Empowered with the information and data-based insights both Microsoft Visio Visual and Power BI provide, you can make impactful changes in how you run your business. Try these tools today and see what you think for yourself!
by Felicien | Feb 12, 2019 | Education
Cybersecurity threats have shown no signs of slowing down, and small and mid-sized organizations are expected to be more heavily targeted going forward. Although splashy headlines about Fortune 500 companies suffering breaches may lead some business leaders to think that hackers are after big corporations, cybercriminals are just as likely to steal data or infect your system with ransomware.
It’s important to keep in mind that these nefarious people are nothing short of petty crooks, and they look for systems that can be breached at every level. That’s why it’s in every business’s best interest to have a high-caliber cybersecurity specialist in place.
If you own or operate a local small or mid-sized outfit, you may be mulling over the cost-to-benefit ratio of outsourcing your cybersecurity defenses. Consider these key reasons why outsourcing to a locally-based cybersecurity specialist makes sense.
Hiring A Talented, Full-Time Expert Proves Difficult
There is a school of thought in business that having your own team in place would be more beneficial than outsourcing. The arguments for that position include having control over work-hours, in-house supervision, and the ability to review performance. The clincher is often that decision-makers know the person managing the tasks.
This old school thinking is often tried-and-true when hiring for profit-driving positions. It’s difficult to imagine outsourcing a sales team or other critical positions, but cybersecurity is not necessarily an old school job. It remains highly unlikely that a small or mid-sized organization has a supervisor in place to train cybersecurity specialists like they would a salesperson or other full-time posts.
A cybersecurity expert has years of education and training under their belt. They also are tasked with keeping up-to-date on the latest hacker methodologies and tools. It’s just impractical to have an in-house professional stay abreast of the fast-changing threats and keep your systems secure. Even if your company invested heavily in a full-time cybersecurity specialist, in all likelihood, they would be wooed away by other opportunities resulting in turnover.
Given the difficulties of filling a cybersecurity position and keeping that person, a full-time hire often does not make good business sense. It is far better to outsource the cyber defense work to a local company staffed by experts. Why pay for a full-time person with benefits when you can contract with a local expert?
Benefit From Real-Time Industry Intel
Along with keeping a stable expert to protect your systems, local cybersecurity outfits are tasked with keeping tabs on real-time cyber attack methods. Outsourcing your technology and data protection to a cybersecurity specialist allows small and mid-sized organizations to have a critical risk assessment performed by a consultant that has hands-on experience.
Cybersecurity experts offer business leaders an opportunity to protect and defend critical data and communications in ways that might not occur to even the best in-house IT staff member. Enhanced knowledge and training can help identify cracks in your cyber defenses, inconsistencies in the password or login protocols, and advise you about forward-thinking employee policies.
It is not uncommon for hackers to target employee email and devices as a way to infiltrate a company’s data and personnel files. Given the fact that the methods hackers use change quickly, it’s imperative to an organization’s survival that a vigilant line of cybersecurity defense remains in place. Working with a local company that specializes in cybersecurity brings expertise to the table many outfits might not be able to afford otherwise.
BYOD Is Becoming Commonplace
The line between employees using company devices and personal ones has become increasingly blurred. Millennials tend to be of the view that their own device is just as suitable for professional tasks, if not more so. In many cases, that probably holds true.
This new era of "Bring Your Own Device" poses a greater challenge than the old model in which team members worked only on fixed in-house desktops. These days, valuable staff members prefer to use their own mobile devices and laptops, and to have work-from-home options. This emerging reality inherently increases the potential entry points for cybercriminals. In the BYOD business world, cybersecurity requires employees to be better educated about protocols and to have a working knowledge of how and why they are implemented and routinely changed.
Hackers are not necessarily working night and day to skip off with a big criminal payday. They are more prone to identify outfits with poor or low-level defenses. While cybercrime profit can be gained by breaching a major corporation with a strong defense, it may be a lot easier and more lucrative to knock off small and mid-sized organizations that are ripe for the picking. Outsourcing to a specialist can prevent you from becoming the low hanging fruit.
Data Breaches And Lawsuits
Captains of industry often think of cybersecurity as a way to protect their trade secrets and critical data and to avoid costly work stoppages. While all of those ideas have merit, there is another dimension of cybersecurity that CEOs and other decision-makers do not ordinarily understand: you could face civil litigation if a hacker breaches your system.
That idea seems incredibly counterintuitive. Why would you — the victim — be sued? The simple reality is that businesses use technology for company-to-company communications and file transfers on a regular basis. When one system suffers a breach, access to others in the network may become available to the cybercriminal.
Just as your organization is responsible for bringing a safe product to market or shoveling snow off your doorstep, you could be held liable for not adequately securing critical data and access. Along with your business reputation taking a significant hit, previous clients and associates may be looking to recoup their losses from you. Civil litigation can prove costly unless you have taken industry standard measures to protect your system.
Hire A Local Expert Cybersecurity Specialist
Cyber attacks are an ongoing reality of living and working in the technology era. Organizations of all sizes and sectors are routinely tested by hackers to see if their cybersecurity defenses can withstand an assault. Cybercriminals are not going away any time soon and unless you want to risk shuttering, it’s time to contract with a cybersecurity specialist to protect your vital business interests.
by Felicien | Feb 11, 2019 | Education
Advanced Data Governance (or ADG) is a tool from Microsoft. Available to be used within Office 365, this tool assists businesses in meeting compliance requirements and managing risk. Most of all, it helps organize the massive amounts of data that companies are now dealing with.
Each quarter, the data owned by a given business grows at an exponential rate. Over time, organizations face the challenge of organizing this unstructured data. Moreover, they must be able to find pertinent data, retain sensitive and important data, and safely destroy or archive obsolete or otherwise useless data. These are the pain points that Advanced Data Governance aims to address.
According to Microsoft, the goal of ADG is to help companies:
Assess their current compliance status
Protect their current and future data
Respond to requests
Other goals include:
Reducing costs across the board
Maintaining business continuity
What is the Advanced Data Governance dashboard?
The dashboard of ADG is where most of the magic happens. Here, companies can clearly see a visualization of their data, along with helpful widgets, which explain key features about data status. This is useful as it can help companies decide what data or cross-sections of data to keep and which to discard.
How does ADG help companies meet compliance?
A particularly useful element of ADG is that cloud intelligence assists in recommending policies. All companies have their own rules and regulations to comply with. For EU businesses, for example, GDPR rules need to be observed. According to whatever rules and regulations a business must comply with, Advanced Data Governance is able to quickly filter through everything in order to detect the appropriate data. In doing so, any policies set up by the company can be applied to the pertinent data in one easy action.
Applying a given policy may mean retaining all data that meets that policy’s criteria, or it may mean automatic removal of a given set of data. When detecting data via a policy, any type of criteria can be used. Most of the time, keywords are used to search and sift through data; however, some companies may choose to use financial, healthcare, or PII related information to conduct searches.
An added feature of ADG is its ability to apply policies to all Microsoft Office 365 services, including Exchange, OneDrive, and SharePoint. This streamlines all enforcement of policies.
What are ADG labels and event tags?
Labels can be created and applied easily in ADG. Each label denotes specific data retention actions. For example, you may create a label that retains all employee record data for a select period of time. You can choose to apply these label policies to all Microsoft services or only to select services.
Event tags allow companies to start a policy's retention clock on a specific date, since it is not uncommon for a policy to apply only during certain periods (specific employment periods, mergers, events, and more).
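As an added illustration of the label and event-tag model described above (example code written for this post, not Microsoft's documentation or anything from the original article), the following PowerShell script creates a time-based retention label, an event type, an event-based label that starts its clock on that event, publishes both labels to Exchange, SharePoint and OneDrive, and finally records an event for a departing employee. The cmdlet names are those of the Security & Compliance PowerShell module as I know them and are assumed to be current; the label names, the 7-year duration, the event type and the asset ID are constructed values.

```powershell
# Added example: retention labels and event-based retention via Security & Compliance PowerShell.
# All names, durations and asset IDs below are constructed for illustration.

# Assumes the ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                       # prompts for a compliance-admin sign-in

# 1. A time-based label: keep employee records for 7 years (2555 days) from creation, then delete.
New-ComplianceTag -Name "Employee Records (7y)" `
    -RetentionAction KeepAndDelete `
    -RetentionType CreationAgeInDays `
    -RetentionDuration 2555 `
    -Comment "Constructed example: 7-year retention from creation date"

# 2. An event type, so a label's clock can start on a date of our choosing
#    (this is what the article calls an event tag).
New-ComplianceRetentionEventType -Name "Employee Departure"

# 3. An event-based label: keep for 7 years after the departure event, then delete.
New-ComplianceTag -Name "Employee Records (post-departure)" `
    -RetentionAction KeepAndDelete `
    -RetentionType EventAgeInDays `
    -EventType "Employee Departure" `
    -RetentionDuration 2555

# 4. Publish both labels to Exchange, SharePoint and OneDrive so users (or auto-apply rules) can use them.
New-RetentionCompliancePolicy -Name "HR Retention Labels" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Publish HR labels" `
    -Policy "HR Retention Labels" `
    -PublishComplianceTag "Employee Records (7y)", "Employee Records (post-departure)"

# 5. Later, when an employee leaves, record the event. Items carrying the event-based label
#    whose asset ID matches start their retention clock from the event date.
New-ComplianceRetentionEvent -Name "Departure: employee 10042" `
    -EventType "Employee Departure" `
    -AssetId "EmployeeId:10042" `
    -EventDateTime (Get-Date "2019-02-28")

# Verify what was created.
Get-ComplianceTag | Select-Object Name, RetentionAction, RetentionType, RetentionDuration
```

Publishing a label only makes it available in the selected services; it does not tag anything by itself. Applying it to content automatically would be a separate auto-apply rule keyed on the keyword, financial, healthcare or PII criteria the article mentions. KeepAndDelete is chosen over Delete so that a record cannot be removed before the retention period ends, which is the safer default when the policy exists to satisfy a compliance obligation.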
How Can Advanced Data Governance Help Your Company?
Allow Microsoft’s Advanced Data Governance to help your company regulate and meet compliance, manage risk, improve data organization and understanding, operate more efficiently, and increase revenue. It’s an excellent tool for businesses who are noticing an upsurge in data volume and structural issues.