Guest Post :: AT&T Leak Shows Concern for Their Internal Security Processes

The following Guest Post is from Daniel Cawrey:

In the past, users connected to the Internet through a broadband connection. But with the advent of personal, mobile devices such as smartphones and tablets like the iPhone and iPad, we have new security concerns—especially with the wireless operators who serve these devices.

Take the recent reports about AT&T’s leak of over 100,000 personal email addresses from iPad owners using the wireless operator’s network. An underground security group named Goatse Security obtained the addresses by running a script against a public AT&T website. Worse, they released these email addresses to the public.

AT&T has had security problems with Apple’s products before, most notably when the first iPhone was released. Shockingly, those using AT&T’s network were receiving bills that could run to hundreds of pages, detailing all of their data or web activity and highlighting that the operator was paying close attention to users’ 3G activities.

This new development brings a great question to the forefront – who is responsible for leaks of personal data in this example? Apple or AT&T? While Apple has a duty to keep user information private, the reality is that if you don’t have an iPad connected to AT&T’s 3G service, you simply won't have this problem. It's likely that while both companies will receive backlash because of this story, it’s really AT&T’s problem.

Apple needs to exert its influence on AT&T, however. It’s widely believed that Cupertino has spurned other wireless networks in favor of its exclusive deal with AT&T, to the tune of five years. With that being said, there are clear security issues with AT&T and its servers. In this instance it doesn’t appear to be the wireless network itself, but a flaw in the way that AT&T stores user information.

The fact that AT&T kept user information that is not encrypted is a concern. This data is not for public consumption and should be stored with respect to privacy. In the coming days, it's likely that AT&T will announce they will better obscure user data, and rightly so. Even if their servers are vulnerable, and at this point we know to some degree that they are, encrypting the database that stores user information would be a good step in making sure that outsiders don’t have the ability to swipe data that has any value.

The bottom line is that AT&T may not necessarily have problems with its wireless network, but its internal company servers clearly are not protecting data in case of any sort of loss. Here’s hoping that AT&T learns something from this latest security breach, before it happens again.

Source:  Daniel Cawrey is a technology blogger who writes on a variety of IT topics including Google Chrome and network management software.

The TRUTH About iPhone Security

Is the iPhone secure? That question has been hotly debated in legal circles since its release. To date, the loudest replies have been by those shouting “No” (see here, here, and here) but does that make that answer true? Ben Stevens of The Mac Lawyer and Finis Price of TechnoEsq now enter the fray to try to set the record straight.

The anti-iPhone crowd makes the following three types of claims to support their position that the iPhone is “the most insecure phone we’ve ever seen” and that “the words iPhone and security do not belong in the same sentence”: (1) it’s too easy to jailbreak; (2) there are encryption weaknesses; and (3) it stores screenshots.

Finis is both a practicing lawyer and computer forensics expert, and he recently participated in the Droid v. iPhone debate in the ABA Journal.  With these impressive credentials, he responds to each of those allegations as follows:

  1. The fact is that many so called “smart”phones can be cracked and the data stolen. Of course, the same can be said of laptops, and how many lawyers have theirs encrypted? One key difference with the iPhone is that it allows you to remotely wipe the email in the event that it is ever lost. Starting back with the iPhone 2.1, it is possible to have the iPhone wipe its data after ten invalid tries, with each attempt being longer and longer. How many attorneys can do that with their laptops? Further, if your corporate email is set up correctly, your mail disappears if your password expires. While this can be annoying, it is more secure than the BlackBerry, which stores the email on the device itself. Also, the iPhone holds only 150 emails at most, which while annoying is more secure than the BlackBerry, which stores much more. Therefore, even if you use POP email, you are only risking 150 emails.
  2. The allegation that the iPhone has encryption weaknesses rings hollow. There are about 100 security apps in the App Store which allow you to encrypt the iPhone to protect it in case it is lost or stolen. You will soon be able to add biometric security to the iPhone through apps if you so desire (learn more here). The fact is that since the 3G-S version was introduced two years ago, the iPhone has been as secure, if not more secure, than any laptop – period.
  3. I believe that the argument about storing screenshots is outright silly. Yes, the iPhone gives you the ability to store screenshots in your photo album, but you have to work a little by pressing a couple of buttons every time to make one. Despite the clamoring made by some, this is not done automatically. Moreover, the only way you would not know about this happening was if you never looked at your photos. I will acknowledge that I have accidentally done this on my home page, but I have never done it by accident within an app.

Is anything 100% secure? Of course not. Law offices are subject to being broken into and/or having wandering eyes (such as cleaning crews) access client information. Legal pads and paper files get lost or misplaced, and how secure is a briefcase to someone who wants to get inside of it? One could argue that even the information stored inside the lawyers’ brains is not secure. Give Jack Bauer ten minutes and I guarantee that he would get information out of the most ethical, security conscious attorney in the world.

All of this might make one wonder why iPhones are being targeted and unfairly branded as being “unsafe.” If a skilled forensic expert gets physical access to a laptop computer, he can extract all sorts of information, even that which was thought to have been deleted. Yet we find it odd that we don’t hear anyone claiming that it is unethical for an attorney to use a laptop, as some have stated about the iPhone. One cannot help but wonder whether those are merely the ramblings of fear-mongering PC-centric dinosaurs or those interested in selling us something?

Addendum from Finis:

One of the comments below references a forensics white paper about the screenshot issue. In that paper, he actually had to use a method called "carving" to get those images. This entails using a program to search for the hexadecimal values for image files in the temporary memory of the device. This results in over 2,000 images – most of which are not screens – being reported. These are then whittled down to whichever screenshots haven't been overwritten. This is not the same kind of screenshot we take with the iPhone, but rather a function of the transition effect the iPhone uses. However, it should be noted these files aren't even stored in an image format; they are simply bits and pieces of temporary memory which can be retrieved using a forensics tool and a LOT of forensics training. Using a carving tool, a forensics examiner could retrieve ANY image displayed on ANY computer device which outputs to a display. So the terminology used of the iPhone just taking and saving screenshots is misleading. These are not screenshots in the ordinary sense users of the iPhone use or can access.

We invite your input using the Comments section below.
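The carving method described in the addendum, as an added Python example that is not part of the original post or of the white paper it mentions: it scans a raw byte image for the JPEG start signature, then separates complete images, partly overwritten ones and chance matches. The memory image, the JPEG skeleton and every function name here are constructed for illustration.

```python
"""Signature carving over a raw memory image (constructed sample data)."""
import struct

SOI = b"\xff\xd8"   # JPEG start-of-image marker
EOI = b"\xff\xd9"   # JPEG end-of-image marker
SOS = 0xDA          # start-of-scan: compressed pixel data follows this segment


def segment(marker: int, payload: bytes) -> bytes:
    """One JPEG segment: FF, marker byte, 2-byte length (counts itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def make_jpeg_skeleton(scan: bytes) -> bytes:
    """Constructed test input: valid segment chain, but not a decodable picture."""
    return (SOI + segment(0xE0, b"JFIF\x00" + bytes(9))   # APP0 / JFIF header
            + segment(0xDB, bytes(65))                     # quantization table
            + segment(SOS, bytes(10)) + scan + EOI)


def header_is_valid(blob: bytes) -> bool:
    """Walk the segment chain after SOI; plausible only if it reaches SOS."""
    pos = 2
    while pos + 4 <= len(blob):
        if blob[pos] != 0xFF:
            return False
        marker = blob[pos + 1]
        (length,) = struct.unpack(">H", blob[pos + 2:pos + 4])
        if length < 2:
            return False
        if marker == SOS:
            return True
        pos += 2 + length
    return False


def carve(image: bytes, max_size: int = 4096):
    """Return (offset, status, data) for every start-of-image signature hit."""
    hits, pos = [], 0
    while (start := image.find(SOI + b"\xff", pos)) != -1:
        end = image.find(EOI, start + 2, start + max_size)
        data = image[start:end + 2] if end != -1 else image[start:start + max_size]
        if not header_is_valid(data):
            status = "false-positive"   # signature bytes occurring by chance
        elif end == -1:
            status = "truncated"        # tail overwritten, no end marker left
        else:
            status = "complete"
        hits.append((start, status, data))
        pos = start + (len(data) if status == "complete" else 2)
    return hits


# Constructed memory image: one chance match, one intact image, one damaged image.
SAMPLE_JPEG = make_jpeg_skeleton(b"\x12\x34\x56\x78" * 8)
MEMORY = (bytes(100)
          + b"\x13\xff\xd8\xff\x41\x00\x01\x99"     # chance match, bogus segment
          + bytes(50) + SAMPLE_JPEG                 # intact image
          + b"unrelated heap data" + bytes(30)
          + SAMPLE_JPEG[:-10] + bytes(200))         # image with overwritten tail

if __name__ == "__main__":
    for offset, status, data in carve(MEMORY):
        print(f"0x{offset:04x}  {status:<14}  {len(data)} bytes")
```

The signature alone matches three times in the sample; only the structural walk through the segment headers separates the intact image from the chance match and the overwritten fragment.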

Fear Not - Viruses, Worms, Etc. Still No Threat for Macs

PC users are still plagued by security threats from many sources – viruses, worms, and other malware.  Meanwhile, Mac users continue to rest easy because their computers remain safe and secure.

Macworld recently reported "we have yet to see any widespread malware for Macs; your risk of infection is essentially zero."  This information should make even the most paranoid among us more comfortable.  

You can read more about this topic in the Macworld article by clicking here.

Source:  "Mac Security: What You Can Ignore" by Rich Mogull, published at Macworld.com.

iPhone Called Out Over Alleged Security Flaws

"The words iPhone and security do not belong in the same sentence..."  So begins the article from John Simek, one of the premier computer forensic experts in the country.  It gets worse, as he says, "The iPhone encryption is a non-starter and accessing the device is child’s play even if it is password protected."  He concludes by saying "I love the iPhone. Not because of its technical superiority, but because its design gives us access to more electronic evidence than any other phone we’ve ever seen."

I know John and we have actually given presentations together at CLE seminars in the past.  He and I have discussed these alleged iPhone security flaws in the past, and I will be the first to say that I am far from an expert on these issues and I must defer to John's expertise.  Of course, as my readers know, I have an iPhone 3G-S and I love it.  However, I do not store any confidential or client data on it out of an abundance of caution.

John offered to print any responses from any IT / security folks and/or from Apple, and I will be glad to do the same here at The Mac Lawyer.

Source: "iPhone Security? A Complete Misnomer" by John Simek, published at Ride The Lightning.

Seven Excellent Online Security Blogs Worth Subscribing To

The issue of privacy, more specifically as it relates to online security, is a hot topic these days. As people use the Internet for more and more of their everyday functions, they want to understand what online security means and how it relates to them. While people fear for the safety of their own information, they can look to some very knowledgeable resources in the blogosphere for help. You can learn most everything within the world of online security by visiting these top blogs:

  1. 1 Raindrop – Written by a software architect, there is a unique and extremely relevant point of view presented on the topic of online security. This blog is written by an individual who understands the topic firsthand and therefore can bring insight on current trends as he is considered to be an expert in the field. Not only does he keep up with informative blog posts but talks about his speaking engagements and the reaction they get from the general public.
  2. Freedom to Tinker - The nice part about this blog is that it offers many different featured authors as part of the following and for whom the actual blog posts come from. Not only does this mean unique points of view, but it also allows for individuals to contribute and keep followers informed on various areas of online security. This is well worth following to keep up with current trends and to see what the latest news is with online security because that is at the core of every contributing author on here.
  3. Exhaustive Research – A very intriguing blog that not only dives into the concept of online security but also how it relates to human behavior and the world in general. If the blog posts weren’t to capture your attention, the comments by those who regularly follow this blog can often keep you on the edge of your seat.
  4. Another Set of Teeth – You can tell that this comes from an IT professional who has a distinct point of view and that’s what keeps people coming back. He represents his views thoughtfully but without apology as he tackles the issues of hacking and online security for the general public. It’s a refreshing point of view as it’s not only informative but very honest too.
  5. Security Buddha – Though online security is at the center of this blog, there are so many other security issues that this blogger delves into. You can learn about everything from hacking to keeping your information safe—even learn about airport security. He takes his security issues very seriously and therefore brings a much respected point of view.
  6. Avi Rubin’s Blog – Sure it’s just one blogger writing about his unique point of view, but it’s rather intriguing. He spells out up front his desire to dive into the specific areas of security evaluators and network security, amidst many other topics that are pertinent. This is one individual who not only knows about the world of online security, but also about how to write in an interesting and relevant manner.
  7. Meta Security – There are a variety of different topics and authors that make this an excellent blog to follow. Though online security is just one of the many topics, including money laundering and fraud, you can learn a little bit about a whole lot of topics within the security world.

More and more we find that the issue of online security is one that needs addressing. Follow along with these top security bloggers and get the information you need to surf and work the web confidently and securely.

This Guest Post was written by Mary Ward, who writes about various legal career topics, including how to obtain an online court reporting degree.

Everything You Need to Know to Create, Manage, and Remember Passwords

There is no way to overstate the importance of having appropriate passwords.  No, that doesn't mean using your last name or your dog's name, but rather rock solid passwords that actually protect your confidential information.

Are your passwords as safe as they should be?  Do you have a plan to help manage and remember them?  If you answered "no" or you aren't sure that the answer is "yes," then consider the following helpful resources:

Source:  "Top Password Tips" by Joe Kissell, published at Macworld.com.

How to Securely Wipe Your Hard Drive

If you are an attorney disposing of an old Mac, you should be sure that any confidential information is securely removed before doing so.  The process outlined below can securely erase your hard drive, and the software enabling you to do so is included free as part of Mac OS X.

  • Launch Disk Utility (/Applications/Utilities) and when the application opens select the drive you want to erase in the pane on the left side of the Disk Utility window.
  • Click the Erase tab and then click the Security Options button below.
  • You can choose one of the following four options:
    • Don’t Erase Data :: Doesn’t erase any data but wipes out the directory that tells your Mac where your data is. Unfortunately, several third-party utilities can scour your drive and recover your data after you've employed this option. This option is not secure.
    • Zero Out Data :: Writes zeros over your drive one time.  While it's not up to government standards, recovering data from this drive will be a chore.
    • 7-Pass Erase :: Meets the US Department of Defense 5220-22 M standard, as it writes over your data seven times.
    • 35-Pass Erase :: Goes even further by overwriting your drive 35 times to make your data super-mega-ultra-really gone.

Source: "Securely Wipe Your Hard Drive" by Christopher Breen, published at Macworld.com.
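Why the first option is not secure while a single overwrite is, as an added Python sketch that is not from the Macworld article or from Disk Utility itself: a toy volume whose block 0 is the directory is erased both ways and then scanned raw, the way a recovery utility would. The volume layout, the file names and the random-then-zero pass pattern are assumptions of this example.

```python
"""Toy volume: directory-only erase versus overwrite (constructed example)."""
import os

BLOCK = 512  # bytes per block in this toy volume; block 0 is the directory


def make_volume(files: dict, blocks: int = 16) -> bytearray:
    """Lay files out from block 1 and record "name:block:length" in block 0."""
    vol = bytearray(BLOCK * blocks)
    entries, nxt = [], 1
    for name, data in files.items():
        vol[nxt * BLOCK:nxt * BLOCK + len(data)] = data
        entries.append(f"{name}:{nxt}:{len(data)}")
        nxt += -(-len(data) // BLOCK)          # ceiling division: blocks used
    table = "\n".join(entries).encode()
    vol[:len(table)] = table
    return vol


def list_files(vol: bytearray) -> dict:
    """The operating system's view: only what the directory points to."""
    table = bytes(vol[:BLOCK]).rstrip(b"\x00").decode()
    found = {}
    for line in filter(None, table.split("\n")):
        name, blk, length = line.rsplit(":", 2)
        start = int(blk) * BLOCK
        found[name] = bytes(vol[start:start + int(length)])
    return found


def erase_directory_only(vol: bytearray) -> None:
    """Model of "Don't Erase Data": forget where files are, leave their blocks."""
    vol[:BLOCK] = bytes(BLOCK)


def overwrite(vol: bytearray, passes: int = 1) -> None:
    """Model of the overwrite options: each pass rewrites every block.
    Assumption of this sketch: random passes, then a final pass of zeros."""
    for n in range(passes):
        final = n == passes - 1
        vol[:] = bytes(len(vol)) if final else os.urandom(len(vol))


def raw_scan(vol: bytearray, needle: bytes) -> list:
    """A recovery tool's view: every offset of needle, directory or not."""
    hits, pos = [], vol.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = vol.find(needle, pos + 1)
    return hits


# Constructed sample content, not real client data.
SECRET = b"Privileged: settlement authority is $250,000"
FILES = {"retainer.txt": SECRET, "notes.txt": b"call client Tuesday"}


def demo() -> dict:
    """Erase two identical volumes two ways and compare what survives."""
    quick = make_volume(FILES)
    erase_directory_only(quick)
    zeroed = make_volume(FILES)
    overwrite(zeroed, passes=1)
    return {
        "files_after_quick_erase": list_files(quick),
        "secret_offsets_after_quick_erase": raw_scan(quick, SECRET),
        "secret_offsets_after_zero_out": raw_scan(zeroed, SECRET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

After the directory-only erase the volume lists no files, yet the raw scan still finds the document at its original offset; after one zero pass the scan finds nothing.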

How to Wipe Data from an iPhone

After all my recent posts about the benefits of the iPhone 3G-S, I thought it might be prudent to address the security concerns involved with disposing of your old iPhone after you decide to upgrade. Attorneys should always be concerned about protecting their clients' information. Amid reports that it is possible to recover data off old iPhones, everyone should utilize the following steps to minimize the chances of your information being compromised:

  1. Restore the iPhone from within iTunes.
  2. On the "Info" tab, un-check all options so you don't synchronize calendars, email, bookmarks, and contacts.
  3. On the Photos, Podcasts, and Video tabs, uncheck "Sync ...".
  4. Create 3 big playlists as large as the storage capacity of your iPhone.
  5. On the Music tab, select the first of your 3 playlists to sync. Make sure the storage bar at the bottom looks full after syncing.
  6. Sync your iPhone, change to the next playlist, sync again, and repeat one last time.

Source:  "Formatting An iPhone To Wipe Data" by Rich Mogull, published at the Securosis blog.

Why Are There No Viruses on Mac OS X?

As I've previously discussed many times, one of the (many) things that makes Mac OS X such a great operating system is its rock solid security. The ability to work without having to worry about viruses not only saves money, it also provides peace of mind.  But did you ever wonder why there aren't any viruses for Macs?  The following article by Hedi Regaya does a great job of explaining "Why there are no viruses for OS X?"

  • OS X is built on UNIX. UNIX was a multi user system with a security architecture built into it at the beginning. WINDOWS came from a single user architecture with security and multi user capability as an afterthought.
  • UNIX had networking built into it from the beginning, again in Windows this was bolted in at a later date.
  • Windows built Internet Explorer into the O/S at a very deep level, and allowed code execution within the browser. In OS X the browser is a completely separate application, it's not an integral part of the OS. IMHO, this is the fundamental screw-up Microsoft made, as they created so many hooks into which someone can attack the OS.
  • In earlier Windows everything ran as the system user, so the capability to compromise an entire system was easier. (see reason 1)
  • Microsoft’s backward compatibility mantra doesn’t do them any favours as to run old software they need so many old APIs, all of which can have holes in them.
  • OS X has no registry. IMHO, second fundamental flaw Microsoft made.
  • OS X asks for your password before allowing you to run new software or install something. Not fool proof, but at least fool resistant.
  • Where do viruses usually hang out in Windows:
    1. At the root.
    2. In the user’s local settings temp folder.
    3. In these folders: \windows, \system, \system32 — the most common places where I find viruses.
    4. As registry entries.
  • None of those areas are exposed to the environment in OS X. You can’t see those folders. Virus writers can’t access them. Thus, viruses can’t exploit those areas. Vista’s UAC is MS’s attempt to prevent changes to those totally exposed folders without your being aware of the changes.

Source:  "Why There Are No Viruses for OS X" by Hedi Regaya, published at Mac Amour.

How to Encrypt Private and Sensitive Data on a Mac

Smart lawyers are always looking for ways to keep their data more secure. The following Guest Post by Blair from LaptopLogic -- your premier source for laptop reviews -- gives a simple step-by-step process to do so:

Carrying sensitive data on a laptop is a dangerous, but often necessary aspect of working in the digital age. A stolen laptop is the biggest liability, but forgetting to log off while stepping out of the office gives others a window of opportunity to copy your files onto a thumb drive.

The easiest way to protect data on a Mac is with an encrypted folder. An encrypted folder cannot be opened without entering the correct password, and files within the folder will not be visible to anyone running a Spotlight search. There are encryption programs that can do this - such as TrueCrypt -- but with a Mac, third-party software is unnecessary.

The best method for securing files is an encrypted disc image, which can be created quickly and easily in Mac without having to install anything. 
  • To get started, open Disk Utility, located in Applications > Utilities.
  • Choose New > Blank Disc Image. A dialog box will open; you'll need to choose the options you'd like for your image. Enter a name to save it as -- something entirely uninteresting is ideal. The goal is to make the file as normal-looking as possible; give it a name that is boring, but wouldn't seem out of place on your computer.
  • Once named, specify a saving location in the next drop down box. Choose a disc image size, the recommended encryption setting (AES-128), and choose "sparse disk image" as the format of choice.
  • Click the "create" button, and a password prompt will appear. Enter the password you would like to use for the disc image - make it completely random, using both letters and numbers. If the prompt doesn't feel your password is secure enough, it will offer advice on how to improve it. Note that once a password has been assigned, it is impossible to recover that password should you forget it.
  • If you're sure you entered the password correctly, choose the "ok" button. The disc image will be finished and saved to the location you chose. To open the encrypted image, double-click it and enter the password when prompted to access the files.

How Secure Is Your Computer?

Have you ever taken your computer onto a "free" wi-fi network?  Odds are, if you're like most people, you have probably done this at one time or another.  If so, you must read "Keeping Safe from the Bad Guys" by Jeffrey Allen, which was published in the Technology eReport published last week by the ABA General Practice, Solo & Small Firm Division.  Your computer may not be as secure as you think, and you should read Mr. Allen's article to make sure that you keep it as safe as possible.

Guest Post :: Four Reasons for Archiving Email Correspondence

The following Guest Post is from Jesmond Darmanin, a Web Marketer with GFI Software, and it explains the "Four Reasons for Archiving Email Correspondence":

Email is a primary source of documentation for many organizations and it has taken on an increasingly critical role in corporate court proceedings, regulatory compliance and legal discovery. Companies are realizing the importance of archiving their email correspondence, since being in a position to retrieve an old email could save them thousands of dollars in legal fees and fines, as well as their credibility.

The following are four legal reasons why companies need to archive their email correspondence:

  1. The Securities Exchange Act of 1934 (the '1934 Act') :: requires various entities to maintain records for five years and more. Failure to do so can result in severe fines.
  2. The Commodity Futures Trading Commission (CFTC) :: requires futures commission merchants to keep records for five years. Failure to comply can result in hefty fines.
  3. The Sarbanes-Oxley Act ('Sarbanes Oxley') :: accountants must keep all audit or review workpapers for a minimum of five years. Violation of this rule can lead to a fine and imprisonment.
  4. The Financial Industry Regulatory Authority (FINRA) (formerly the National Association of Securities Dealers (NASD)) and the New York Stock Exchange (NYSE) :: members are required to preserve records for no less than six years or they can be imposed with a civil fine.

Email archiving can help companies to abide by all four requirements mentioned above, because emails are archived at server level. Even if the end-user deletes a copy from his/her computer terminal, the archive holds all correspondence entered into by the company, so the emails remain searchable and retrievable and can be presented in court or as requested.  Moreover, one is also able to offer the assurance that the email was not tampered with or altered in any way, thus making it a legal and binding document that could save a company or organization a lot of money in a legal situation. Companies that are unable to provide email documentation that is requested by the courts or other legal body could be subject to hefty fines, as they would be in breach of legal requirements.

A more in depth article on e-mail archiving can be found HERE.

Jesmond Darmanin  ::  Web Marketer  ::  GFI Software

GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale.

Do Macs Need Antivirus Software?

As noted here, one of the topics discussed during my presentations at the ABA TechShow was whether or not Macs need to run antivirus software.  I created somewhat of a stir when I adamantly defended my belief that Macs are so secure that antivirus software is not necessary.  Apple touts the Mac's security as one of its main features, as shown here.

Security expert Rich Mogull seems to agree with me in his article, "Should Mac Users Run Antivirus Software?" published at TidBITS.  He writes that the average Mac user does not need desktop antivirus software. He does recommend additional protection for those users who engage in risky online behavior, such as visiting questionable websites, installing strange software, failing to filter for spam, etc.

I'm interested in your opinions on this subject.  Do you use anti-virus software on your Mac?  Why or why not?  Please submit your comments on this subject, and I look forward to seeing what my readers think.

The Mac Trojan Horse :: How to Avoid It & How to Cure It

I want my readers to be aware that there is a Mac security threat (called a "trojan horse") making its rounds across the internet.  This malware, named the OSX.RSPlug.A Trojan Horse, is apparently associated with suggestive photos/videos of pop train-wreck Britney Spears.  Please note that this is not a virus -- meaning that it can't self-propagate from one machine to another.

When you believe that you have found the video of Ms. Spears and click to watch it, you receive a message stating that your machine lacks the necessary codec.  A disk image will then start downloading, and it can then mount and launch an installer which asks for your admin password.  If you enter the password, you have allowed the trojan horse to be installed.

Of course, you should NEVER install anything that you receive from an untrusted source.  (Note:  I won't comment or pass judgment on the impropriety of searching for or viewing suggestive videos or photos of scantily clad or nude pop stars.)  If you find your machine is infected, Macworld has outlined the necessary steps to remove the trojan horse from your machine.

While I know that it is somewhat disconcerting to have to remember that malware exists, since it's not something that Mac users face that often, don't forget that this particular threat only poses a problem if you are careless and give your Mac permission to install it.  Even with this threat, Mac OS X is still quite safe and secure, and I don't plan to get any "security software" at this time. 

Source:  "Trojan Horse Warning: What You Need to Know" by Rob Griffiths, published at Macworld.