Apple’s latest privacy woes – the price to pay for an “always connected” life?

Yesterday, it was revealed that iPhones and iPads (with iOS 4.0 or later) have been logging the location of the device and storing that history in a hidden file on the phone or the iPad.

This discovery, presented by researchers Alasdair Allan and Pete Warden, at the O’Reilly Where 2.0 conference this week, has sent shock waves through the high tech community. “What? This file contains my whereabouts for the past year? WTF?” was most people’s first reaction when the news broke.

Many iPhone/iPad apps have access to the geolocation of the device, but most only access it at a given point in time and do not attempt to log it or build a history file from it. The discovery that such logs exist raises the question of why Apple was logging this data and whether it has any intention of using the information.

I can imagine a number of reasons why Apple would want to collect this data and how they might use it. Device tracking, for instance, is a popular parental control feature that users want. Think your teenager lied to you about his/her whereabouts yesterday? No problem, just log into MobileMe and verify the location tracking information. Similarly, a credit-protection app can be instructed to report the phone’s general location at the time of a suspicious credit card transaction: if the card is used in England and the card owner’s phone is in Alabama, hmm... something could be amiss here.

But none of these scenarios could conveniently justify storing a year’s worth of location data, and even stranger is the fact that the phone automatically syncs this data to the host. Mind you, not all data from the phone is transferred to the host during the synchronization—Apple really intends to keep this data around. But why?

Legal experts are quick to point out that the mere collection of this data isn’t illegal. Sure, other GPS-enabled devices may collect this type of information as well. But on a device like iPhone/iPad where so many other activities can happen at the same time, the risk is different.

The first question we must ask is how this file can be accessed. It’s not immediately clear whether any apps could access the file. Typically, an iPhone app would ask for the user’s permission in order to access system resources such as GPS info, but that is enforced through the operating system APIs. What we are talking about here is a plain file which, from the sounds of it, is not in the “ProtectionComplete” class (ProtectionComplete, the strongest protection class for file system objects on iOS, means the file remains encrypted as long as the device is locked). It’s therefore unclear whether the operating system prevents other apps from accessing the information.

Another critical question is why Apple didn’t present an “opt-out” option for this tracking feature, or better yet, present it as an “opt-in” only feature. It continues to surprise me (well, I guess it shouldn’t surprise me anymore) how companies always make the privacy-invasive option the default.
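To make the opt-in and retention points concrete, here is a small data-minimization model for a location log: nothing is written without consent, coordinates are coarsened to a grid before storage, and anything older than a short retention window is pruned. This is an added example, not Apple’s code; the record layout (timestamp, latitude, longitude, accuracy), the sample fixes and the 7-day window are constructed assumptions.

```python
"""Location-log data minimization: opt-in gate, coarse coordinates, bounded retention.
Added example, not Apple's code. Record layout and sample values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass(frozen=True)
class Fix:
    ts: datetime
    lat: float
    lon: float
    accuracy_m: float  # reported horizontal accuracy in metres (assumed field)


class LocationLog:
    """Keeps only what a stated purpose needs: consent first, then precision and age limits."""

    def __init__(self, opt_in: bool, retention_days: int = 7, grid_decimals: int = 2):
        self.opt_in = opt_in
        self.retention = timedelta(days=retention_days)
        # 2 decimal places is roughly a 1 km grid; enough for "which town", not "which shop"
        self.grid_decimals = grid_decimals
        self._fixes: List[Fix] = []

    def record(self, fix: Fix) -> bool:
        """Store a coarsened copy of the fix; returns False (and stores nothing) without consent."""
        if not self.opt_in:
            return False
        coarse = Fix(fix.ts, round(fix.lat, self.grid_decimals),
                     round(fix.lon, self.grid_decimals), fix.accuracy_m)
        self._fixes.append(coarse)
        return True

    def prune(self, now: datetime) -> int:
        """Drop fixes older than the retention window; returns how many were removed."""
        cutoff = now - self.retention
        before = len(self._fixes)
        self._fixes = [f for f in self._fixes if f.ts >= cutoff]
        return before - len(self._fixes)

    def fixes(self) -> List[Fix]:
        return list(self._fixes)


# Constructed "current time" and sample fixes: one a month old, two recent.
NOW = datetime(2011, 4, 21, 12, 0, tzinfo=timezone.utc)
SAMPLE_FIXES = [
    Fix(NOW - timedelta(days=30), 37.3318, -122.0312, 65.0),  # outside the 7-day window
    Fix(NOW - timedelta(days=2), 37.7858, -122.4064, 10.0),
    Fix(NOW - timedelta(hours=1), 37.7749, -122.4194, 5.0),
]


def demo(opt_in: bool = True) -> dict:
    """Run the sample through the log and report what was written, pruned and kept."""
    log = LocationLog(opt_in=opt_in, retention_days=7)
    written = sum(log.record(f) for f in SAMPLE_FIXES)
    pruned = log.prune(NOW)
    return {"written": written, "pruned": pruned,
            "kept": [(f.lat, f.lon) for f in log.fixes()]}


if __name__ == "__main__":
    print(demo(opt_in=False))
    print(demo(opt_in=True))
```

With opt-in off the log stays empty; with it on, the month-old fix is pruned and the two recent fixes survive only at grid resolution, which is the kind of bounded record a parental-control or fraud-check purpose could actually justify.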

Some blogs I read yesterday talked about the danger of having this information available on the syncing host. If the host is compromised, this data would be available to intruders. True, but if your syncing host is compromised, you’ve got a bigger problem to worry about – ever heard of Apple’s “Escrow keybag” concept?

The real danger, in my opinion, isn’t in the existence of these logs. It is in the potential for the information they contain to be misused. If you could correlate this data with the user’s activity stream, you could determine precisely where I bought a Starbucks coffee, where I gassed up my car, where I looked up a restaurant on the Yelp app, and where I checked into a flight. If this isn’t a complete invasion of privacy, I don’t know what is.

As mobile technologies continue to penetrate our everyday lives, privacy becomes an increasingly elusive notion. Consumers must sometimes make a choice between the loss of privacy and the convenience of the “always connected” lifestyle. But consumers cannot make that choice if they are not given the necessary information. C’mon, Apple, let consumers decide whether they want other apps or services prying into their every move; don’t decide it for them.

At the Churchillclub, with Scott McNealy and Ed Zander (and Lady Gaga)

Last Thursday evening I went to a Churchillclub event: Scott McNealy in conversation with Ed Zander. I was attracted to the event because of the two speakers. Scott McNealy, the former CEO of Sun Microsystems, is a Silicon Valley legend. Ed Zander, the former CEO of Motorola and former COO and President of Sun, is another highly influential figure in the high tech industry.

The event turned out to be much larger than the typical Churchillclub get-togethers – apparently more than half of the attendees were ex-Sun employees. At the cocktail hour, all around, people were catching up, embracing, and reminiscing on old times at Sun.

McNealy walked in around 6:30, looking fit and thin. You knew as soon as he was in the room, because practically everyone stood up to greet him. As he moved about, a human bubble moved with him around the room. The ex-Sun folks lined up to shake his hand; many had tears in their eyes. “Sun was an institution. You had to be there to understand,” the ex-Sun employee sitting to my right said.

The evening started with Zander playing a music video of McNealy singing in a “rock band”. The video was clearly taken in the heyday of Sun, and included footage of McNealy and co. kicking two SGI boxes off the roof of a Sun building while McNealy sang the lyrics: “The Sun will always shine”. <Hilarious>. There are clearly some inside jokes in the video, as the room was rolling with laughter.

As the evening went on, I learned a great deal about Mr. McNealy and his time as Sun’s chief. But what came across louder and clearer than anything else were his staunch political views. When asked which corporation is the “evil empire” today, McNealy responded: “Big corporations are not the problem, I think the biggest threat to innovation and our economy today is the public sector.” Later on, he said: “More than 20% of the GDP is tied up in the public sector, and that is what is stifling innovation”. He is clearly not a fan of President Obama: when asked to describe Obama in one word, McNealy responded: “Unfortunate”.

McNealy was vocal about Sun’s achievements. He said: “If we didn’t put TCP/IP in the computers we built back in the day, there would not be cloud computing today.” Sun is credited with the phrase “The network is the computer”, a visionary phrase, perhaps, but to say that without Sun computers there would be no cloud computing is, with all due respect, a bit overreaching. He said the best decision he ever made at Sun was bringing Bill Joy onboard. <No argument there>. McNealy also acknowledged a few mistakes. He said: “If we had taken Solaris and put it on a commodity Intel chip, and slapped together some pizza boxes, Linux would not be around today. Companies like Google and Amazon would be running Solaris.” Yep. Hindsight is 20-20. On archenemy Microsoft, McNealy said, in a resigned tone: “They clearly won, they are still around.”

At one point in the interview, Zander asked: “I remember we were this close to buying Apple, for $5 or $6 a share, what happened?” Interesting. This was a fact that I had known. McNealy said: “A tough i-banker on Apple’s side spoiled the deal … Heck, there wouldn’t have been any iPhones/iPads if we had bought Apple, ‘coz I would’ve screwed that one up too!” The audience laughed and the Twitterverse heaved a collective sigh: “Ah, we dodged that one”. (For those of you who are keeping score out there, Sun instead bought Cobalt Networks. Apple’s shares today stand at $350.)

No. McNealy is not a Facebook or Twitter user. When asked about social media, McNealy said: “I just don’t see what you can do with social media that you cannot do with good, old-fashioned email.” <Really?> McNealy compared Twitter to mass mailing, and questioned whether LinkedIn provides anything beyond what email offers. On the point of user-generated content, he said: “Emails ARE user-generated content”. He later added: “Guess what Facebook’s latest invention is, it’s email!” <Hmm… I’m starting to detect a pattern here… > When Zander asked him to describe Facebook in one word, McNealy replied: “Zucks”. We also learned that McNealy is not a fan of Lady Gaga. When Zander asked him what he thought of the fact that Lady Gaga had 8+ million followers on Twitter, McNealy said: “That’s just unfortunate.”

A point McNealy went back to over and over again in the course of the evening was that government should not be meddling with the private sector. He contended that corporations are the stewards of innovation, and as such, they should be left alone. Of course McNealy completely failed to mention that the practices of some of the corporations, acting out of greed, nearly collapsed the American financial system and in turn ignited a global economic crisis.

The night closed with one final question from the audience, a former Sun employee. “The dotcom crash was hard on a lot of companies,” the audience member said, “but there were still plenty of opportunities around; e-commerce was growing, the commodity computing market was growing, I want to know why we missed the boat. I am not sure that I got a satisfactory answer from tonight’s discussion.” Before McNealy ventured an answer, Zander said, “Let’s not go there. Let’s move on. Tonight is about celebration.”

McNealy was clearly a natural leader. He was articulate, passionate about what he believed in, charismatic, occasionally self-deprecating: all qualities of a good leader. It was easy to see why 2/3 of the room respected and revered him. But the man couldn’t be more wrong about social media, and his complete conviction that he was right was simply mind-boggling.

At the end of the evening, as the crowd dissipated and I drove west on 237 in the light rain, with a Lady Gaga song appropriately playing on the radio, I thought about my evening at the Churchill club and caught myself saying: “Lady Gaga: 1, Scott McNealy: 0”.

HBGary, Anonymous, WikiLeaks, and the concept of Openness

Recently I’ve been reading the excellent work by Jamais Cascio and thinking about the concept of Openness. Much of Jamais’ work is focused on geoengineering but the concept of openness has profound implications on many fields, including computer security.

For those of you who have been following the unfolding story of HB Gary Federal and the Anonymous group, this story is what Hollywood movies are made of. In fact, I don’t think a script writer could have penned it any better than the real-life version. If you haven’t been following the minute details of this story, this Tech Herald article is an excellent read on how the whole thing started.

A condensed version of the events is as follows:

  1. A week before RSA 2011, the CEO of HB Gary Federal, Aaron Barr, said in a Financial Times interview that his firm had infiltrated and discovered the identities of the high level operatives for the well known Internet hacktivism group Anonymous, and that he planned to publicly discuss his findings at the RSA conference.
  2. Anonymous responded in force and compromised the entire infrastructure of HBGary and HBGary Federal (HGF). They obtained confidential data, erased files, and defaced both companies’ websites.
  3. Anonymous subsequently released 4TB worth of confidential company emails. In the emails that have been disclosed to date, Barr was seen engaging in discussions with a major US bank (believed to be Bank of America) about using HGF’s offensive attack tactics to launch a cyber attack against Wikileaks. The rumor mill at RSA had it that the bank in question was going to pay HB Gary $600,000 a month to carry out this attack campaign.

Whoa, what seemed like a classic white-vs-black hat story just turned interesting. What’s more interesting is that prior to this whole incident, WikiLeaks had been making noise that they were about to publish data from a major US financial institution (What? Interesting, you say?). What apparently was also discussed in those emails was that Barr would use, among other techniques, exclusive zero-days for the attack against Wikileaks. This would make the attack extremely dangerous.

No one came off this looking pretty. Not only was HBGary, a company that claims malware analysis as its business, unable to properly secure its own infrastructure; the “victim”, it turns out, was plotting a cyber war itself. HBGary is now claiming that the leaked data had been tampered with, implying that the discussion between BofA and Barr isn’t authentic, while Anonymous (and other security researchers) is saying that Barr’s initial research (which you can read here in PDF) was flawed, in that some of the individuals he identified as members of Anonymous had nothing to do with the group. Anonymous argued that if Barr’s research had been allowed to continue, it might have put innocent individuals in jail (as Barr was supposedly working with the FBI).

At RSA last week, HB Gary was noticeably absent from the conference, their booth instead displayed a sign that reads: “A group of aggressive hackers known as “Anonymous” illegally broke into computer systems and stole proprietary and confidential information from HBGary, Inc. …. In addition to the data theft, HBGary individuals have received numerous threats of violence including threats at our tradeshow booth…”.  

This event ignited an Internet debate storm: is it ethical for security companies to engage in offensive tactics? Traditionally, security’s role is to defend, not offend. But as modern warfare migrates from physical battlefields to the digital frontier, more and more nation states and companies engage in offensive campaigns. People with deep security expertise are hot commodities in this game; it can be an extremely lucrative undertaking. But as you go down this road, is there really a difference between the black hats and the white hats anymore?

This is where the link to Openness (or the lack of it) comes in: as we all know, and as the execs at BofA and HGF reinforce, zero-days can be powerful weapons. Exclusive knowledge of zero-days gives the possessor incredible power, and in cases such as these it almost always leads to corruption and misuse. It can be argued that we are better off as an industry if openness is employed as a means of elevating collective knowledge and also as a way to enforce checks and balances, so that no one company or individual is significantly more powerful in its knowledge and expertise than others. In such an industry, cyber offense is only a distant possibility, since you will be on a level playing field with your adversaries.

Creating such an open culture for the security community requires a shift in thinking, because this is an industry that thrives on secrecy and obscurity. It requires that we recognize that secrecy, obscurity, and the act of restricting information can ultimately do more harm than good. It requires that we promote open research and build an ecosystem that rewards openness.

How to achieve this open culture is the question on the table. Let’s discuss one specific example of how some form of openness is achieved: a bug bounty program. I was a skeptic, in the beginning, of the merits of such bounty programs, but I have come around. Indeed, I’ve come to realize that economic incentives may be one way we can achieve openness: in a bug bounty program, the researcher is encouraged, through economic incentives, to share his/her findings with the software vendor and ultimately with the entire community.

Economic incentives alone don’t always work, as that is one card the dark side can play as well. Other means, such as increasing collaboration, technological transparency, and … must be explored. But the steps we take today to promote an open culture will shape the course of the industry and help to determine whether we head towards a scenario of digital apocalypse (as Eddie Schwartz of Netwitness called it on a recent RSA panel) or a more responsible, democratic, and open model for computer security.

Other sources of note:

- Jamais Cascio’s Open the Future website

- Threat Post’s Paul Roberts wrote several excellent articles on the HBGary story.

HP misses opportunity with Watercooler

Michael Brzozowski, the creator of Watercooler, the internal social media system for HP, recently left HP for Google.

Talents move around all the time, especially in the bay area where the industry is rife with interesting opportunities. However, in this case, the departure of Mr. Brzozowski has put the fate of the Watercooler system in question.

To understand why this is worth blogging about, we need to first understand what the Watercooler system is. Many of you may not know this, but Watercooler is a social media system that currently has 100,000 users! Brzozowski originally started Watercooler to aggregate RSS feeds from across the company. Over time, it has morphed into a social media aggregation platform that aggregates content from HP’s internal wikis, microblogs, various discussion forums, and social bookmarks. The system has a documented set of open APIs and supports a powerful and expressive set of content filters across different social media systems. It is also integrated with HP’s user directories.

Brzozowski wrote a nice paper on a study he conducted with Watercooler data. Published at Group 2009, the study revealed some interesting facts about social media usage inside HP. In perhaps one of the most concrete statistics to date arguing for the value of enterprise social networks, Brzozowski’s paper points out that 69% of all Watercooler blog users subscribe to content generated by someone outside their business unit. This kind of cross-company instant collaboration is a huge benefit that a social media system provides to its user community.

Unfortunately, though Watercooler can be considered a success for HP Labs, it has not generated the same kind of support from HP proper. Brzozowski has been trying for the last 2 years to get the system out of HP Labs and into the hands of HP operations. But his efforts proved futile – HP operations were not interested, or at least not interested enough to take action. After Brzozowski’s departure, another researcher from HP Labs took over the system. But this person is only doing it on a volunteer basis — he’s got his other core tasks. As we all know, researchers are not great at maintaining production systems, especially one that requires such scale and performance. Now you might ask why HP would ignore a social media system that’s already got such a large user base? Do you know how many social media start-ups would kill to have 100,000 users? Well, perhaps only HP can answer this question.

This whole thing came to its head a few weeks ago when some of HP’s executives were meeting with SalesForce. The latter mentioned Chatter, the new Social media system SFDC is launching at DreamForce this week. Chatter is a cool system, but is not nearly as developed or as widely used as Watercooler. Especially when you consider Watercooler had supported a documented API for users to modify for their own purposes, pro

The HP executives, after meeting with Salesforce, said about Chatter: “Hmm, that’s a good idea, we should have something like that.” [obviously this is a mock conversation, not the dude’s actual words]. Finally someone in HP said, “Well, we do have something like it, it’s called Watercooler”. The executive then said: “Really? Well, let’s take a look at that. Maybe we can make something out of it”.

As if on cue, Watercooler stopped working because the whole system had been running on one server (What? One server? you ask. Yep. You heard right, one server to support 100,000 users. That’s how research labs typically work). The researcher who had been supporting it after Brzozowski left was unable to get it up and running again quickly.

HP Labs had many top industry talents, but these people are now leaving the organization, for the reason that their work has not been properly respected and utilized. Last year, they lost one of their HP Fellows, John Wilkes, to Google. In addition to the recent departures of Michael Brzozowski and Kevin Lai, a game theory specialist, Joe Pato, a noted computer security expert, though ostensibly still an HP person, has been spending most of his time at MIT. HP has come a long way since the garage company days of Hewlett and Packard, but it seems like the company has lost some of its innovative spirit along the way. Yes, it’s difficult to remain innovative when you’ve got 30,000 employees. But people are the greatest asset of any organization; if you lose them, you lose the future of the company. This is why Google recently implemented a 10% pay raise and bonuses to retain talent against new-kids-on-the-block competitors like Facebook. Companies like HP should take notice. Innovations like Watercooler should have flourished instead of being left to flounder.

Forrester Security Forum 2010

Many of you may know that Forrester’s US Security Forum 2010 is coming up in September. This year our theme is “Building a high performance IT security organization.” Indeed, as the global economy begins to recover, Security & Risk professionals must transform from a reactive silo of technical security expertise to a true partner of the business and an enabler of forward thinking business strategies.

This forum is all about technical, tactical, and strategic information to increase the maturity and performance of your IT security organization in this fast-changing economic climate. In the two-day forum, we will explore the principles of:

  • Aligning your objectives and measures of success with the business;
  • Giving business the tools to perform risk management;
  • Preparing for the adoption of cloud services, the consumerization of IT, the proliferation of social technologies, and an ever-changing threat landscape.

I will be running three sessions at the forum this year.

  • A keynote panel on cloud security and privacy.
  • Security for empowered organization
  • How to build a mature application security program

My keynote panel, which I will be moderating, is called “The Practical Cloud – Getting Past The Fear Mongering.” On this panel, we’ll bring together a cloud user, a cloud vendor, and a legal expert, to talk about how real enterprises leverage the cloud to deliver real business benefits, and how user organizations and cloud operators manage the responsibility to protect users, their data, and their privacy. I’m especially excited about this panel, because we will have one of the biggest cloud vendors, the director of security from a sophisticated cloud user company, and a legal expert specializing in cloud computing’s legal ramifications.

In “Security for Empowered Organization,” I will be co-presenting with Ted Schadler, our resident expert on “Empowered organizations.” We will explore why businesses want to empower their employees with social, mobile, multi-media, and cloud technologies. More importantly, we will discuss how IT professionals can help businesses achieve these objectives without compromising the organization’s security and privacy requirements.

In “How to Build a Mature Application Security Program,” I will explore the concept of an organizational application security program, comprising intelligent use of tools and technologies, a good accountability and incentive structure, and most of all meaningful processes to realize software security across the development, infosec, and operations departments. A typical organization today has a plethora of applications, from in-house developed to outsourced, from open source to off-the-shelf software. Different applications need a different set of processes and technologies to ensure software security. I will present an application security maturity model, with specific steps required to go from one maturity level to the next, and discuss the different types of application security measures for different application types.

This is shaping up to be a very exciting forum. I look forward to seeing all of you in Boston on September 16-17.

New Forrester WAVE evaluation: Vulnerability Management Products

Forrester has just completed a comprehensive assessment of vulnerability management products. The Forrester Vulnerability Management WAVE report is now live. If you are a subscriber, please see http://bit.ly/cemRAO for the full report.

In Forrester’s 53-criteria evaluation of vulnerability management vendors, we found that the market is rife with mature products. In particular, we found that Qualys leads, with Rapid7, McAfee, nCircle, and Lumension following as Leaders.

Qualys showed itself to be the leader of the pack in this evaluation. Qualys pioneered the SaaS hybrid delivery model of vulnerability management, combining fully-managed scanner appliances with a security console hosted in the Qualys cloud. Once considered radical, this service model is now used by some of the largest organizations in the world. Qualys delivers vulnerability assessment, application-level scanning, and configuration compliance auditing. It’s worth noting that their offering provides concrete mappings from a wide list of regulations to actual IT controls.

We found several other vendors offering competitive solutions.

Rapid7 is the up-and-comer, with an impressive 50%-plus year-over-year growth over the last two years. In addition to its solid technology, it is the only vendor in this evaluation whose application-scanning capabilities can handle Ajax and Web 2.0 technologies. Rapid7 recently signed OEM deals with two of the largest security and service vendors in the industry, which should give it a boost in the market.

nCircle was another strong vendor. While its technology struggles with integration and complexity issues, nCircle’s configuration compliance product is among the most sophisticated on the market today. nCircle would be a good choice for enterprises that have advanced compliance and risk analytics needs.

Established vulnerability management vendor McAfee delivers strong risk management capabilities, including one of the most UI-conscious interface designs, and solid support for translating vulnerability knowledge into meaningful risk metrics. McAfee’s application scanning capability was relatively weak at the time of the evaluation, but upcoming releases may remedy this situation.

Finally, Lumension distinguished itself with its unique product portfolio, being the only vendor in this evaluation that has its own endpoint patch management functionality, PatchLink, and its own GRC product. Lumension’s strategy is to deliver a consolidated platform to manage the life cycle of vulnerabilities — from discovery to analytics to remediation. Because of the breadth of its product portfolio, Lumension has the potential to challenge the top players in the vulnerability management market.

These leaders were followed by several vendors at the “Strong Performers” level. Tenable Network Security, while lacking enterprise support features such as executive reporting, advanced risk analytics, and integration with related products, nevertheless offers strong vulnerability assessment capabilities for the technology-minded buyer. eEye’s vulnerability assessment product, Retina, has many desirable features, such as wireless scanning, diverse scan templates, and an extremely flexible reporting portal, and is attractively priced. Although eEye is going through some growing pains as new management overhauls its products, government clients and value-conscious organizations will find Retina a compelling option. Critical Watch, a relative newcomer to the market, offers several distinct and innovative features, including a CEM structure that provides a flexible yet powerful organizational framework for managing scans, reports, and analysis.

This market is evolving to meet the maturing needs of clients. Once concerned only with pure network vulnerability assessment functionality, the market is shifting to include adjacent technology areas, such as risk management and remediation. Today, both vulnerability assessment and endpoint configuration compliance are considered core functionality. Application-level scanning, targeting Web applications and databases, is quickly becoming a must-have item. And as buyers start to shift from assessment-only capabilities to advanced risk-based analytics and remediation management, those functionalities are fast becoming the newest differentiators.

An IT security organization should follow these strategies with respect to vulnerability management: a) Consider vulnerability management an essential IT functionality; b) Combine vulnerability assessment with remediation and active protection; and c) Treat Vulnerability Management as part of your greater IT GRC strategy.

iPad infrastructure hacked – iPad owners’ email addresses leaked


On Tuesday, popular tech gossip site Valleywag reported a hack targeting AT&T’s infrastructure that led to the accidental disclosure of 100,000 iPad owners’ email addresses.

As far as we can gather at this point, this is most likely a parameter tampering attack. The hackers attacked AT&T’s iPad support web application, traversed through a range of ICCIDs (Integrated Circuit Card identifiers), and were able to eventually obtain valid iPad owners’ email addresses without proper authentication.

If this is indeed true, AT&T did a poor job designing their web application. Guarding against automated parameter traversal is one of the first things you do to secure a web app: the endpoint must verify that the authenticated caller is actually entitled to the record the identifier names, not merely that the identifier is well-formed. An automated parameter traversal attack can be launched fairly easily these days – it does not require sophisticated technology or advanced reconnaissance on the victim web application.
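To show what the missing control looks like in code, and what the same incident looks like in the server’s own logs, here is an added example (not AT&T’s code; the ICCID values, email addresses, account ids and access-log lines are all constructed, and the session/record layout is an assumption). The first lookup reproduces the flaw the post describes: the ICCID from the request is the only thing checked. The hardened lookup authorizes on the caller’s authenticated account and answers “no such record” and “not your record” identically, so the endpoint does not confirm which identifiers exist. The detector flags any client that requests many distinct ICCIDs, regardless of whether the server answered 200 or 404.

```python
"""Identifier-keyed lookup: vulnerable vs. hardened, plus enumeration detection.
Added example, not AT&T's code. All subscriber data and log lines are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed subscriber table: ICCID -> (owning account id, email)
SUBSCRIBERS: Dict[str, Tuple[str, str]] = {
    "89014104000000000001": ("acct-1", "alice@example.com"),
    "89014104000000000002": ("acct-2", "bob@example.com"),
    "89014104000000000003": ("acct-3", "carol@example.com"),
}


class Forbidden(Exception):
    """Raised when a request is not entitled to the record it names."""


def lookup_email_vulnerable(iccid: str) -> Optional[str]:
    """The flaw: the request parameter is the only input to the decision,
    so any caller can walk the ICCID range and harvest addresses."""
    rec = SUBSCRIBERS.get(iccid)
    return rec[1] if rec else None


def lookup_email_hardened(iccid: str, session_account: Optional[str]) -> str:
    """Authorize on the authenticated account, then check the ICCID belongs to it."""
    if session_account is None:
        raise Forbidden("authentication required")
    rec = SUBSCRIBERS.get(iccid)
    # One response for "unknown ICCID" and "not yours": no existence oracle.
    if rec is None or rec[0] != session_account:
        raise Forbidden("not authorized for this ICCID")
    return rec[1]


def access_denied(iccid: str, session_account: Optional[str]) -> bool:
    """Convenience wrapper: True if the hardened lookup refuses the request."""
    try:
        lookup_email_hardened(iccid, session_account)
        return False
    except Forbidden:
        return True


# Apache combined-style line; only the client IP and the iccid parameter matter here.
LOG_RE = re.compile(r'^(?P<ip>\S+) .* "GET /support\?iccid=(?P<iccid>\d+) ')


def find_enumerators(log_lines: Iterable[str], threshold: int = 5) -> Dict[str, int]:
    """Detection: a client asking for many *distinct* ICCIDs is enumerating,
    whatever status codes it got back. Returns {ip: distinct ICCIDs} at/over threshold."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["iccid"])
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}


# Constructed access log: one client walking six consecutive ICCIDs (some 404),
# one ordinary client fetching its own record.
SAMPLE_LOG = [
    f'203.0.113.9 - - [09/Jun/2010:10:00:0{i} +0000] '
    f'"GET /support?iccid=8901410400000000000{i} HTTP/1.1" {200 if i <= 3 else 404} 51'
    for i in range(1, 7)
] + [
    '198.51.100.7 - - [09/Jun/2010:10:01:00 +0000] '
    '"GET /support?iccid=89014104000000000001 HTTP/1.1" 200 51',
]


if __name__ == "__main__":
    print(lookup_email_vulnerable("89014104000000000002"))       # anyone gets bob's address
    print(access_denied("89014104000000000002", "acct-1"))       # hardened: True
    print(find_enumerators(SAMPLE_LOG))                          # {'203.0.113.9': 6}
```

The detection threshold is deliberately low for the sample; in practice it would be tuned to the number of SIMs a legitimate account can own, and the same counting logic works on a per-session key as well as per IP.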

The disclosed email addresses included those of several prominent celebrities, politicians, and high-profile industry figures, including Rahm Emanuel and Michael Bloomberg.

This attack apparently only affects iPad 3G users, not the Wi-Fi-only iPads. AT&T has stated that this particular flaw in their web application has now been remediated.