Zimmer And Associates

A developer published details yesterday of a hidden application that’s  installed on millions of Android phones. The application, written by Carrier IQ, records keystrokes, text messages, location, and data that has been sent over encrypted SSL connections. Carrier IQ says its application is installed by cellular network providers to track dropped calls and other performance issues. I can understand some data being recorded and anonymized for troubleshooting issues, but it seems like most of the data collected by Carrier IQ really isn’t necessary and opens up the provider for huge lawsuits.

http://www.theregister.co.uk/2011/11/30/smartphone_spying_app/

A security hole was announced today in HP LaserJet printers allows attacker to make the printer smoke and shut down, erase the firmware, replace the firmware, and/or use the printer to steal sensitive data. The attack may also work on other manufacturers’ printers as well, but has not been tested.

Unfortunately there aren’t any good technical details in the article or methods of preventing the attack, other than protecting your printer from the Internet. If your printer is attacked it’s possible that there will be no way to fix the firmware. For now it’s a matter of waiting for HP to realize this is a problem and releasing a firmware update, and putting your printers behind a firewall.

http://redtape.msnbc.msn.com/_news/2011/11/29/9076395-exclusive-millions-of-printers-open-to-devastating-hack-attack-researchers-say

http://www.infoworld.com/t/hacking/security-researchers-say-hp-printers-vulnerable-hackers-180253

Many thanks to the California Society of CPAs and Paul Freed for inviting me to talk about IT security and The Cloud. There were a number of great questions and I gained some insight into the world of CPAs and their security needs. Feel free to use our contact form to schedule a similar talk at your organization.

The Office of the National Counterintelligence Executive has released a report to Congress (publicly available below) that details threats US companies face from foreign agencies. I found it interesting that a large percentage of attacks are conducted through seemingly normal requests for information rather than outright hacking. It shows yet again that people can be a weak link not considered in many security programs. Don’t forget that after you invest all that money improving your IT security you also need to educate your users about security threats, both technological and social.

http://www.ncix.gov/publications/reports/fecie_all/

My good friend @dillweed just brought up an excellent point about iCloud and Apple IDs. Everyone needs to be much more careful with their Apple IDs now that they’re tied to their iCloud data. So far people have been lax about protecting their Apple ID passwords, typically sharing them to trade iOS applications. The rationalization is “What’s the worst that could happen, it only allows access to my apps.” Now with iCloud anyone who has your Apple ID password can also do the following:

• Remotely lock and erase your iPhone, iPad, or computer via Find My iPhone.
• See real time iMessages and email, as well as all past iMessages and email.
• Track your location in real time via Find My iPhone.
• Log in to your computer and network via Back To My Mac. This will bypass many corporate and home firewalls.
• Access other iCloud data such as your calendar, notes, documents, and bookmarks.
• Access all data on your iPhone or iPad by restoring from your iCloud backup.

While the risk associated with giving out your password is nothing new, the issue here is that currently people don’t see their Apple ID as a high value account, there’s a large amount of sensitive data an attacker could gain access to, and one password is the only thing protecting access to the data. Sites such as Google and Facebook now allow you to use two factor authentication, where you need both your password and a code sent to your phone to access your account. They also allow you to see what other computers are logged in to your account and let you disconnect them remotely. Customers should pressure Apple into adding the same protection to their accounts sooner rather than later. In the mean time use a strong Apple ID password, don’t share it, and let your friends and customers know about the increased risk of sharing their Apple ID passwords.

About a fifth of the Fortune 500 was hit by the RSA attacks from earlier this year. A total of 760 companies of all sizes are on the list, with possibly more to be found in the future. It’s disconcerting to note that companies whose primary business is security are on the list. No matter how big or small, companies are constantly under attack. Just because your company doesn’t have valuable assets such as Social Security numbers and banking credentials doesn’t mean attackers will leave you alone. They’ll often attack indiscriminately, gather other sensitive data, take your systems offline, or use your network to launch an attack against someone else.

http://krebsonsecurity.com/2011/10/who-else-was-hit-by-the-rsa-attackers/

If you have an iPad 2 you should be aware that the passcode can be bypassed with a magnet. Until Apple releases a fix the workaround is to disable iPad Cover Lock/Unlock in Settings -> General. As always, keep your iPad close so it doesn’t fall into the wrong hands.

http://www.h-online.com/security/news/item/iPad-2-magnet-bypasses-passcode-lock-1364450.html

There’s good news if you’re considering storing sensitive data on virtual servers in Amazon’s cloud. Amazon recently announced that their S3 storage service now offers server side encryption, making integration with your applications and servers much easier. Best of all, it’s free. Well, “free” assuming you’re already paying for virtual servers at Amazon.

http://aws.typepad.com/aws/2011/10/new-amazon-s3-server-side-encryption.html

Sleepy Santa Cruz is in the spotlight for using crime prediction software. The article references Minority Report, the movie where Tom Cruise is on a team that arrests people before they commit crimes. The software being used in Santa Cruz doesn’t predict who will commit the crimes, but the locations and times they’re likely to occur. Police increase their patrols of those areas and times, and so far it seems to be worthwhile.

http://www.newscientist.com/article/mg21128333.400-cops-on-the-trail-of-crimes-that-havent-happened.html

A trojan for OS X has been discovered disguised as a PDF. So far it appears to be fairly toothless and is only in the research stages. This is a good reminder that Macs aren’t immune to viruses, trojans, and other malware. Keep your automatic patches turned on, virus scanners up to date, and most importantly don’t open links or email attachments you aren’t expecting.

http://www.f-secure.com/weblog/archives/00002241.html