THE Apple Security Audit: It’s Time Has Come

Apple needs a mega-security audit. As far as I know Apple has not contracted for a security audit from anyone. I’ll be generous and assume Apple has fulfilled it’s PCI DSS obligations, but I don’t have a reference for that.

So why? Why, with all the customer good-will that Apple has accumulated, does Apple need an outsider to come and and perform a security audit?

Well, to establish trust in the Snowden Age, that’s why.

Apple, like any other netizen, has been attacked repeatedly, and sometimes successfully. See

  1. Australian Apple ID
  2. Bypass iOS 7.0.4 – 7 Apple ID Activation Lock iCloud [iPhone 4]
  3. Touch ID hack
  4. Jonathan Zdziarski’s revelations about corporate backdoors in iOS (given a user’s or Apple’s approval)
  5. OS X’s File Vault2 has not been audited so who knows if it’s really secure.
  6. No password, no problem from 2012.
  7. The recent “goto fail” fixed by Apple in 10.9.2.
  8. Have there ever been any penetration tests run against iCloud? Or Apple’s ID page?

So what do the items above have in common? Most of them are recent issues or outstanding issues. They cover every platform or significant web page that Apple deploys including iOS, OS X, iCloud, and Apple’s ID maintenance.

Apple continues to release security fixes regularly, but now we need more assurances than the proverbial ‘trust us’. Now we need audited software and we should expect anything less from a recognized product leader.

iOS Data Security: Jonathan Zdziarski’s Report(s)

According to researcher and iOS security veteran, Jonathan Zdziarski (@jzdziarski) —

Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices.

and

…only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.

However, there are services present that

give enterprises access to corporate devices. These back doors are in your phone’s firmware, whether it’s company owned or not, and their security mechanisms are likely also within the reach of others, such as government agencies or malicious hackers.

and additionally

with today’s BYOD culture, employees may be unknowingly allowing their personally-owned devices to be forensically accessible to a company’s internal investigations team (as well as law enforcement, with the enterprise’s consent) by simply enrolling it into the corporate MDM policy. Additionally, new employees that are issued devices may be permitted to retain personal information on their corporate device without first being informed that their devices could, at any time, be subject to a thorough search that bypasses security.

The bottom-line is that you should be aware of pairing your device. If you pair your device with an Enterprise MDM you’re personal data has a greater risk of being tapped.

Jonathan makes a great point in conclusion, and that is

Apple would do well to begin separating consumer firmware from enterprise firmware, to offer a hardened version of its operating system to consumers. This (and other enterprise back doors) introduced into iOS over the years threaten to weaken the overall security of the device for the majority of consumers (who never enroll in an enterprise environment).

I can’t agree more.

[Updated, 7/23/14] Apple responds here.

My Comcast Experience

I’ve had Comcast in the Chicago suburbs for years and it’s been great. Recently though, Comcast has been trying to get me to upgrade from a 20Mbps Blast service to something more expensive and I see no reason to upgrade.

Lately, I’ve experienced several hiccups and disconnections.

Coincidence?

Snowden’s Knock Against Dropbox

As the guardian points out from Snowden —

Dropbox is a targeted you know wannabe PRISM partner,” he told the Guardian. “They just put … Condoleezza Rice on their board… who is probably the most anti-privacy official you can imagine. She’s one of the ones who oversaw Stellar Wind and thought it was a great idea. So they’re very hostile to privacy.

I used to love the convenience of Dropbox, but I moved my personal files to SpiderOak long before I finally kicked the Dropbox habit when Condleeza Rice joined their board. My company moved it’s files to our private ownCloud. Both ownCloud and SpiderOak are just as convenient as Dropbox was, and both are much more secure. (the ownCloud free version Mac client doesn’t communicate securely just yet. We’re looking for a fix.)

Net Neutrality

I’ve added my voice to the scream for net neutrality by sending an email to the FCC’s Tom Wheeler. You need to do this prior to July 15th if you want to be heard.

Here’s the ACLU’s required text:

Free speech should not be bought and sold. The proposal to grant ISPs the right to charge for ‘fast lanes’ threatens this celebrated American principle. The company that connects us to the internet should not get to manipulate or control what we do on the internet.

I’m calling on you to reclassify the Internet as a telecommunications service to obligate ISPs to deliver all data on the Internet without discrimination. Please do the right thing: let corporations know that the Internet is not for sale to the highest bidder.

Thank you for preserving a free and open Internet.

Here’s my addition:

As an entrepreneur who has launched several Internet startups I want to lend my voice in support of full support of an evenly distributed network that we call the Internet. Without that, investment, jobs, and our future will be lost.

Imagine a Library that you have to pay to use the index for a ‘faster’ lookup of of materials, or paying for the right to use other public services. I see the Internet as a common utility, and it should be regulated as such.

Facebook Account Nostalgia

I felt nostalgic reading Nick Mediati’s article on TechHive about deleting your Facebook account. But it wasn’t like finding your child’s first piece of pottery in the closet.

If you’re on the fence about deleting your Facebook account, go ahead and delete it and see your friends for lunch or call your Mom and Dad.

IMHO, Facebook is just getting creepier and creepier and their recent experiment proves it. Expect more experiments to be revealed by the way. I suspect this “first” one was just a leak to see how people would react.