
3GPP Long Term Evolution – new threats or not?

3GPP Long Term Evolution (LTE) is the latest standard in the mobile network technology tree that produced the GSM/EDGE and UMTS/HSPA network technologies. It is a project of the 3rd Generation Partnership Project (3GPP), operating under a name trademarked by one of the associations within the partnership, the European Telecommunications Standards Institute.

The question is, what will be the data security impact of LTE deployments? As LTE is IP based and IPv6 becomes more common in the marketplace, will the security requirements of mobile devices become similar to those of traditional networked devices? There is already a huge trend toward BYOD (Bring Your Own Device) at work, which certainly causes a lot of headaches for information security staff. Will the higher bandwidth and flat IP networks of LTE increase the threat surface for corporate IT?

Other than higher performance, LTE features a flat IP network, but I don't see how that increases the threat surface in any particular way. The security requirements for mobile networked devices are similar to those for traditional wired devices, but the vulnerabilities are different: namely the potential for an unmanaged BYOD tablet or smartphone to be an attack vector back into the enterprise network and a channel for data leakage. The introduction of Facebook smart phones is far more interesting as a new vulnerability to corporate networks than smart phones with the 100MB download and 20MB upload afforded by LTE.

I am not optimistic about the capability of a company to manage employee-owned mobile devices centrally, or to rein in smartphones and tablets with awareness programs. Instead of trying to do the impossible or the dubious, I submit that enterprises that are serious about mobile data security must take 3 basic steps, after accepting that BYOD is a fact of life and that security awareness has limited utility as a security countermeasure.

  1. Reorganize physical, telephony and information security into a single group with one manager. This group must handle all data, software, IT, physical (facilities) and communications issues with a single threat model driven by the business and updated quarterly. There is no point in pretending that the only phones used by employees are phones installed and operated by the company's telecom and facilities group. That functionality went out the door 10 years ago.
  2. Develop a threat model for the business. This is key to being able to keep up with the rapidly growing threats posed by BYOD. Update that model quarterly, not yearly.
  3. The CEO must take an uncompromising stance on data leaks and ethical employee behavior. It should be part of the company's objectives, measurable in monetary terms just like increasing sales by 10% etc.


The emotional content of security

I think in the security space, we spend too much time on the business justification and functional part of security (reducing risk, detecting data breach violations, complying with HIPAA, writing secure Web 2.0 applications, securing cloud services, security information management etc.).

I think we're ignoring the emotional content of security, and I don't necessarily mean FUD (fear, uncertainty and doubt).

Perhaps it’s time to reconstruct market boundaries of the security industry.

At the beginning, there was the notion of "selling security with FUD", starting with anti-virus and peaking in the early 90s with the outbreak of RPC worms on Wall Street. It was pretty easy to sell security with FUD tactics. Then we had 9/11. You couldn't frighten people anymore. Security FUD doesn't work when the customer thinks he might be killed by an Al Qaeda or Hamas or Fatah terrorist.

Then there was the "selling security as an enabler" play, sponsored by Gartner, ISACA and a bunch of other people. This sort of made sense, but the number of real use cases where security actually enables new business (VPN, secure ecommerce sites) is rather limited and besides, the big IT vendors can build (or at least purport to build) security into their products. Educating customers on "security as a business enabler" is a wonderful example of how market education pays off at the beginning of a new product life-cycle launch, but yields low or no benefit once the product has mainstreamed into general market acceptance and everyone is selling and buying.

A good example of a product that mainstreamed extremely quickly is the Apple iPad. Now, after CES, we have dozens of mobile tablet alternatives (Android tablets, Windows Mobile tablets, Ubuntu tablets) of all shapes, sizes and qualities. No one is questioning that a tablet is a great thing; Apple already did the market education for the other vendors.

Market education of CEOs on the business advantages of data security is like motherhood and apple pie: it's a good thing. Similar to the tablet PC case, however, this sort of market education has zero or low ROI, because the CEO has already decided to buy or not buy security based on what someone else said, whether it's Perot outsourcing services, IBM, Oracle or his golf partner.

Consultants explaining to a CEO that security is a business enabler are selling the same security Kool-Aid as Oracle, IBM, ISACA and SAP. The only problem is that a security consultant doesn't sell a product, but bolt-on, after-sale services, and generally doesn't get compensated for his deep security insights over coffee.

Let’s note that the information security industry is an industry like most other industries:

  • They define their industry similarly, focusing on being the best.
  • They look at accepted strategic groups of buyers and market segments, for example CSOs and firewalls.
  • They focus on the same buyer groups, e.g. influencers (security officers, CIOs, analysts and thought leaders).
  • They define the scope of products similarly: data security, firewalls, DLP, software security assessments etc.
  • They focus on the same point in time and the current competitive threats in formulating strategy; now it's cloud, last year it was DLP etc.

But there is one factor we are missing and that is emotion:

Does the security industry accept the functional/emotional orientation of their buyers?

I'm not sure. And that will be the topic for the next post.


Data availability and integrity – the Apple/Microsoft version

I have over 2,300 contacts on my iPhone and like any reasonable person, I wanted to back up my contacts. I figure my iPhone won't last forever. Like a fool, I thought it might be a good idea to test the restore process also.

The Ubuntu One service based on Funambol doesn't really work, so that pretty much left me with the iTunes and Windows option.

It seems that the combination of two closed-source software companies intent on preventing users from seeing what's going on, and convinced that users are incompetent with low double-digit IQs, is a killer combination. As you will see from the events described below, it appears that both Microsoft and Apple believe firmly that users should back up their iPhone contacts but will never really want to restore the data.

At 14:00 this afternoon I started my exercise in backing up my iPhone contacts.

14:00 – Plugged my iPhone into a new Windows 7 Pro PC. Took iTunes forever to initialize and then I had to wait another 2 minutes for the iTunes software to discover the iPhone on a USB 2.0 connection. In the meantime, Windows 7 was complaining that I should use a faster USB port and offered a list of ports, none of which work. Go away. Zusu!

14:15 – Finally the iPhone and iTunes talk. I elected to sync the contacts to Google Contacts as I use Google Apps. Interestingly enough, the task of transferring 2350 contacts to Google took about 30s on my 10MB/512k ADSL line. The only catch was that no phone numbers were transferred, only email addresses. Seems there is a bug. I don't have time for this.

14:30 – Back into iTunes. This time, I choose to sync my iPhone contacts with the Windows Contacts, since I don't use Outlook. No dialogs about replacing or merging, and it worked. Minor problem: the Windows Contacts sync with iPhone contacts wipes out the entire iPhone contacts, since the Windows Contacts was empty (I imagine hardly anyone actually uses Windows Contacts, a kludgy, slow and incredibly stupid way of storing one contact per file). Well, Dorothy, we are not in Kansas anymore; your iPhone Contacts is now empty.

15:00 – After a bit of thinking about where my contacts might have gone, I realize that I have 3 alternatives: (1) restore my contacts from our CRM system (which runs in the cloud and doesn't have an iPhone Contacts sync option) and a bunch of other places I've cunningly stored contacts, (2) try and figure out where Apple has hidden their backup files, or (3) ssh into the iPhone and try and restore manually with sqlite. I choose option 2.

15:30 – After some googling, I discover that the iTunes backup files are hidden in a %AppsData% something path, which is impossible to find in Windows 7 using Windows Explorer. But if you type %AppsData% in the run program line you get access to the file path. Google is your best friend.

15:45 – iTunes backs up into a file format that looks like an import to sqlite (the open source database that iOS uses to store the Contacts records; that is at least a step ahead of Windows Contacts, storing 1 contact per file... perhaps the Microsoft Windows 7 team has not heard of SQL yet). I pull up the data into a text/hex editor and of course, the phone numbers are encoded in some proprietary Apple format, so forget about pulling out the data and massaging it into a format suitable for another circuitous import into iPhone contacts. More googling: if you have a Mac there is a command line utility, or you can pay $25 and get a Windows application that decodes the proprietary Apple backup file format into a CSV file or series of VCF files.

16:00 – My PayPal account is not up to date since the card linked to the account expired at the end of November and I haven't reverified yet. Got the software with my Visa and jumped through a few hoops to give a couple of identifiers and finally get a registration number, activate the application, and I finally have my original iPhone contacts file. But we're not out of the woods yet; we still have to restore.

16:05 – Uploaded the CSV file to Google Contacts. But for some bizarre and inconceivably cruel reason, iTunes sync refuses to actually load data into the iPhone.

16:15 – After several more attempts, including rebooting Windows 7, restarting iTunes and rebooting the iPhone, I give up; iTunes refuses to sync from Google Contacts.

16:30 – Plan B: use Windows Contacts. I attempt to import, but after 10 minutes and 1200 records, the import process fails on an error with no indication of what caused the error. Must be a data problem, so I try and improve the quality of the data by reducing the number of fields I import and making the phone numbers look more uniform. I make 7 more (abortive) attempts at importing to Windows Contacts, and every time it imports fewer records. When it stops on the anonymous error message at 150 contacts, I break for supper.

17:30 – Plan C: use Outlook. Here's a gotcha: Outlook won't import from the CSV file, claiming it's open by another application or there are insufficient permissions. Too bad the programmers didn't look at open file hooks and tell the user the name of the Windows application that is holding the file handle open. Of course, it must be the Windows Contacts import process (which is not running if you look at the task manager), but after a few minutes I identify a hidden process related to Windows Contacts import and I kill it.

18:00 – Outlook is slow as molasses on import, but the same CSV file that was poison to Windows Contacts gets imported with flying colors to Outlook. I try to run a quick search to find the last contact I entered this morning (my 10am meeting in Tel Aviv), but the Outlook 2003 application claims that the indexing process is running and it cannot find the records (the indexing process never actually ran...). Forget it, I don't have time to sing and play games with Outlook 2003.

18:05 – Back to iTunes. And this time, ladies and gentlemen, adults and adulteresses, we are going to sync from Outlook to the iPhone contacts. It works. But verrryyy verrryyyyy slowwwwwllyyyyyy. I have time. I have to babysit Carmel (who is fast asleep down the hall after a tough day in pre-school) as the wife and daughter are out shopping. Do what any man would do on a baby-sitting gig: fall asleep on the sofa.

20:00 – Wife and daughter back from shopping, and the iTunes sync from Outlook has finished in the meantime, in between dreams about user-unfriendly software.
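The sync at 14:15 silently dropped every phone number and the later imports silently dropped records, so a backup is only as good as the restore you have actually verified. The following is an added example, not code from the post or from Apple or Microsoft tooling: it compares an original contacts export with the restored one (both constructed here as CSV, matched on the email field, which is an assumption) and reports lost records and lost fields.

```python
import csv
import io

# Constructed sample: the original export, and what came back after a sync/restore.
ORIGINAL_CSV = """name,email,phone
Alice Example,alice@example.test,+972-3-555-0100
Bob Example,bob@example.test,+972-3-555-0101
Carol Example,carol@example.test,+972-3-555-0102
"""
# Constructed restored data: Carol never came back and every phone number is gone,
# mirroring the symptoms in the post (dropped fields at 14:15, dropped records at 16:30).
RESTORED_CSV = """name,email,phone
Alice Example,alice@example.test,
Bob Example,bob@example.test,
"""


def load_contacts(text, key="email"):
    """Parse CSV text into {key_value: row}; rows without the key field are skipped."""
    contacts = {}
    for row in csv.DictReader(io.StringIO(text)):
        k = (row.get(key) or "").strip().lower()
        if k:
            contacts[k] = row
    return contacts


def verify_restore(original_text, restored_text, key="email"):
    """Compare an original export with a restored one, matched on `key`.
    Returns missing_records (keys lost), lost_fields ({field: count of records whose
    non-empty value came back empty}) and ok (True only when nothing was lost)."""
    original = load_contacts(original_text, key)
    restored = load_contacts(restored_text, key)
    missing = sorted(k for k in original if k not in restored)
    lost_fields = {}
    for k, row in original.items():
        if k in restored:
            for field, value in row.items():
                if value and not restored[k].get(field):
                    lost_fields[field] = lost_fields.get(field, 0) + 1
    return {"missing_records": missing, "lost_fields": lost_fields,
            "ok": not missing and not lost_fields}


if __name__ == "__main__":
    # Expected: Carol missing, phone lost for 2 records, ok False.
    print(verify_restore(ORIGINAL_CSV, RESTORED_CSV))
```

Run it against the export taken before a sync and the export taken after the restore; anything in `missing_records` or `lost_fields` means the backup did not round-trip.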

23:55 – Conclusions

1. The iPhone backup process is slow and buggy on all versions of iOS. Just google for "iphone contacts backup problems" and you will get over 3 million hits.

2. Apple does not have a data restore from backup strategy. Otherwise, iTunes would have a "Backup iPhone Contacts" and "Restore iPhone Contacts" menu. Entertainment is more important than data. This is why Apple stock is at 321.

3. The usability and reliability of Windows 7 Contacts is beyond contempt. No entertainment either. This is why Microsoft stock is at 23.

4. My next smart phone will be an Android.

Enjoy.
