RSA 2014: Bruce Schneier champions encryption in 'golden age' of government surveillance

Cryptography expert Bruce Schneier, now CTO of Co3 Systems, continued his criticism of the National Security Agency's surveillance during his well-attended talk at the RSA Conference in San Francisco today.

Schneier has been a fierce critic of the NSA ever since the details of this surveillance were first revealed by former CIA contractor Edward Snowden last summer. Following on from an interview with CNN this week in which he argued for the NSA to be split up, he took the opportunity to champion stronger encryption in front of a packed audience at the RSA Conference.

Schneier, who left BT (itself reported to have offered back doors in products) to join Co3 Systems in December, noted from the outset that the talk would cover a prickly and hotly contested subject: “This will be a fun topic.”

His talk was entitled ‘NSA Surveillance: What we know and what to do about it', and he first ran through the attack techniques, sometimes obscured by odd codenames, being used by the NSA and GCHQ to carry out mass surveillance. Some of the attacks, he said, included DNS injection, while other NSA programs were able to deanonymise cookies and identify users and their internet browsing habits. He continued that the NSA revelations show that air gaps, where PCs are disconnected from the internet, “doesn't work”, and paid particular attention to ‘Project Bullrun', the clandestine, highly classified NSA decryption program.

He even joked, perhaps with an element of seriousness, that the NSA is probably making malware too, something other analysts have hinted at recently: “They're not doing malware, but it's a really good idea - they're probably going to do that right now.”

“Fundamentally the NSA's mission is to collect everything; it's that collect-everything mentality that was born out of a voyeuristic interest in the Soviet Union in the Cold War,” he said, adding that the agency's surveillance became significantly ‘unbalanced' after the 9/11 attacks.

“NSA is continuing to lie about its capabilities, and that's something we have got to get used to. This is the golden age of surveillance and it's not just metadata.”

"Encryption works"

But Schneier didn't just direct his ire at the NSA, pointing to activity in China, Russia and other well-funded countries.

“It's not just about the US or NSA. What the Snowden documents are really about is what any well-funded nation can do. The same technologies are spreading in Syria and Iran and there's the 3-5 year window of what cyber criminals are next going to do. [They're] next day hacker tools.”

Part of the problem, says the cryptography expert, is that the internet is no longer secure and that encryption has been undermined. That said, Schneier was keen to stress repeatedly that “encryption works”, something Snowden himself said when he first revealed his leaks.

“We have built an insecure internet for everyone. When you think of the NSA surveillance, it breaks political systems, legal systems, commercial systems - and the technology protocols we rely on are now not trusted.”

“Encryption works. Most cryptography gives the NSA trouble, and that's important. Most are broken by exploiting bad implementation, bad keys or by deliberately inserting back doors in products. We need to look at redesigning protocols, and redesigning products and services.”

“But most products rely on streams of unencrypted data - cell phone data, metadata, and third party data.”

Schneier added that, in cases like these, users should look to encryption tools such as PGP, OTR (off-the-record, which he called “great for chat”) and the LEAP project. He also urged attendees to encrypt their hard disk drives and to use anonymity tools such as Tor.

The industry veteran's comments echo the presentation by Christopher Soghoian of the American Civil Liberties Union at the B-Sides event, which condemned the undermining of encryption by the NSA.



RSA 2014: Experts discuss the state of security education

Hord Tipton, executive director of (ISC)2, Ernest McDuffie, lead of NIST's National Initiative for Cybersecurity Education (NICE), and Michael Murray, a hacker and security expert, sat down to discuss the state of security education at the RSA Conference in San Francisco on Monday.

Tipton and McDuffie took the stance that the industry is not doing enough to support young people who are interested in cyber security. At the other end of the spectrum, school guidance counselors do not recognize information security as a viable field, Tipton added.

Tipton said the industry has to target people at a young age, “who have a knack for this stuff,” and get them on a career path that puts the right components in place and offers them opportunities. 

McDuffie agreed, and added that getting to people at a young age allows more opportunities to shape them. But it is a challenge, he said, because school curriculums are typically developed on the state or county level, and not the federal level.

Murray took the opposite stance. He explained that he would not urge high-potential students to enter the industry, because it is very challenging and dynamic. They need an unprompted passion for the material if they want to succeed, he said.

As far as adult education is concerned, particularly employees' use of technology in an organization, Tipton said companies are missing the boat. McDuffie said that 15 minutes per month of targeted training could help modify unsafe behaviors, but Murray said there is no cure for a staffer who simply is not motivated.


This article was originally published on SCMagazine.com.

Supporters Urge Renewal of State Trade and Export Promotion Program


The STEP (State Trade and Export Promotion) Program offered by the Small Business Administration aims to give small businesses in the U.S. a way to reach a global market. And right now, supporters of the program are in position in Washington, D.C., to get it renewed.

STEP grabbed some attention last week during the confirmation hearing (pictured above) for new SBA Administrator Maria Contreras-Sweet. At the hearing, U.S. Sen. Maria Cantwell (D-Wash.), who has since taken over as chair of the Senate Committee on Small Business and Entrepreneurship, asked Contreras-Sweet if she would support reinstating the STEP Program at the SBA.

STEP was created as a 3-year pilot program through the Small Business Jobs Act of 2010. The program was designed to award federal grant money that was matched by a small business’s home state. According to the SBA website, the goal of STEP was to give small businesses tools to reach a global market so they can begin exporting their products. It was also intended to raise the value of exports for companies that already sold globally.

Some of the services offered through STEP include website translation, support for small business participation in foreign trade missions and foreign market sales trips, and design for international marketing media.

The program made $30 million available to small businesses each year through STEP Program grants during its pilot period.

Cantwell pushed the issue of renewing the program during Contreras-Sweet’s nomination hearing. She said in her home state of Washington, STEP has helped secure at least $136 million in foreign sales for small businesses. Those businesses have largely used STEP assistance in reaching Asian markets. During the nomination hearing, Cantwell said:

“We have huge opportunities to the Asian market in the Pacific Northwest and we certainly want to see us use these promotions to help meet the agenda that the administration has on doubling the number of exports out of the United States - certainly small businesses can play a very big role in that.”

The SBA Administrator nominee said she liked the STEP Program and would support its renewal. During her confirmation hearing, Contreras-Sweet said:

“I appreciate that it provides for introductions, in many instances internationally. And so there’s so many good components around STEP and in a globalized economy, we have to find ways to make sure that small businesses, too, can compete in that. There is currently in my view, with technology and all the other tools that are available to us, the lowest barrier to entry for a small business opportunity.”

Image: Cantwell.Senate.gov






RSA 2014: Security exec talks cyber warfare and industry's breaking point

A security executive pushed the community to think hard, but not too long, about their “breaking point,” as it pertains to the growing threat landscape.

According to Nawaf Bitar, senior vice president and general manager of the security business unit at Juniper Networks, the industry must muster real outrage to respond to the many revelations that threaten the cyber security, and potentially the physical safety, of Americans.

During a Tuesday morning keynote at RSA Conference 2014 in San Francisco, Bitar referenced nation-state threats, both domestic and from abroad, as well as attacks “occurring every day” that expose the public's data.

Throughout his talk, called “The Next World War Will be Fought in Silicon Valley,” he also pushed attendees to challenge their notion of “outrage” concerning these events.

“I'm fed up about talking about outrage,” Bitar said, before comparing the actions of late activists Nelson Mandela, Dr. Martin Luther King and Gandhi to more tepid acts of protest, which he called “first world outrage.”

“Liking a cause on Facebook is not outrage. Retweeting a link is not outrage…not showing up at a conference is not outrage,” Bitar said.

The latter remark stirred applause from some in the audience, and was undoubtedly a reference to the backlash in the industry after a December Reuters article reported an alleged deal between the National Security Agency (NSA) and security firm RSA that caused the company's BSAFE software to be compromised.

Soon after the news broke, respected researchers and security experts canceled their appearances at the annual RSA Conference.

To respond to growing threats from diverse actors, Bitar said that, instead of “hacking back” against sophisticated cyber criminals or government-backed groups targeting sensitive data, the industry should go on the offensive by pursuing innovation that “challenges convention.”

Bitar warned that without such action, cyber attacks against critical infrastructure (processes that could endanger the public's physical safety if interrupted or attacked) could take place.

“What will happen when one of these attacks jumps the firewall and real people die?” Bitar said, during his keynote.

The options are either to embrace and vet sound innovation, or to be ill-prepared for the next-level attacker poised to strike, he continued.

“We can turn the other cheek and we can passively wait for the next world war to begin in Silicon Valley,” Bitar warned.


This article was originally published on SCMagazine.com.


MtGox closure hits 1 million investors and sends Bitcoin value tumbling

Digital currency faces "life-or-death" moment, says BBC's Robert Peston.

An estimated 1 million investors have been left fearing the worst, and the value of the Bitcoin digital currency has tumbled, after the MtGox bitcoin exchange stopped trading on 25 February amid claims that hackers had stolen hundreds of millions of pounds from the business and that it may now be acquired and re-launched.

In a rapidly changing picture, Tokyo-based MtGox (Mount Gox) suspended all customer withdrawals earlier this month after spotting what it described as a “transaction malleability” bug in its software that left it open to being defrauded. Then on Sunday, 23 February, under-fire MtGox CEO Mark Karpeles resigned from the board of the Bitcoin Foundation, which oversees and develops bitcoin software.

MtGox removed its entire Twitter feed on Monday, abruptly stopped trading at 01.59 GMT on Tuesday and hours later took its website offline.

In a further twist, a document purporting to be a MtGox ‘Crisis Strategy Draft' was posted online on 24 February by blogger Ryan Galt (aka twobitidiot). The document - which can be viewed at http://www.scribd.com/doc/209050732/MtGox-Situation-Crisis-Strategy-Draft and whose authenticity is unconfirmed - suggests the exchange will close down for a month and then re-launch as simply ‘Gox'.

The document claims that “744,408 bitcoins are missing due to malleability-related theft which went unnoticed for several years”. That loss was equivalent to just over £200 million at the time of writing, using the exchange rate published by Coindesk.com.

In a bid to shore up confidence in the digital currency - which fell in value by over 20% in just one 24-hour period this week - the leaders of six major bitcoin businesses issued a joint statement following Karpeles' resignation from the Bitcoin Foundation.

The statement from the founders of Coinbase and the CEOs of Kraken, BitStamp, BTC China, Blockchain.info and Circle said: “This tragic violation of the trust of users of MtGox was the result of one company's actions and does not reflect the resilience or value of bitcoin and the digital currency industry. In order to re-establish the trust squandered by the failings of MtGox, responsible Bitcoin exchanges are working together and are committed to the future of bitcoin and the security of all customer funds.”

But the future is highly uncertain for MtGox's estimated 1 million or more investors.

BBC business editor Robert Peston, writing on the corporation's website on 25 February, called it “Bitcoin's life-or-death moment”.

He added: “There is no central authority to step in and give any kind of guidance to MtGox customers whether their money is safe or gone. And there's no compensation safety net.”

Tax expert Cameron Keng, writing on Forbes.com on 25 February, agreed: “Over 1 million people were MtGox customers and they need to know what their immediate options are to deal with their financial losses. First, it's important to understand that MtGox is not a bank and it does not protect its users. Unfortunately, MtGox does not provide insurance or any assurances for a user's account. Thus, we're left in the wind - cold and unprotected.”

But Keng insisted: “MtGox's failure is not the end of Bitcoin. It is a single company failing in a large ecosystem.”

Security expert Adrian Culley, a global technical consultant with Damballa, believes Bitcoin and other digital currencies will only survive if those involved can protect themselves and investors from cyber-attacks.

He told SCMagazineUK.com via email: “All currencies are vulnerable to attempts to undermine and/or subvert them. Conventional currencies are tied to nation states, which have specialist teams to deal with such things as counterfeiting. One distinguishing feature of the new cyber currencies is that they are not explicitly aligned with any specific nation state. It is not at all clear who is responsible for policing and protecting such currencies.

“As recent events have shown, cyber currencies are just as vulnerable, if not more so, than established conventional currencies. Confidence is a key element of any financial transaction system, and if they are to survive they need to figure out how to protect themselves, and most importantly those who use them, from advanced threats and targeted attacks.”

MtGox has had a chequered past. It was reported to have been hacked in 2011 at a loss of 400,000 bitcoins, while last year it had $5 million of its assets seized by the US authorities. Other Bitcoin businesses have also been targeted by cyber criminals: around £2.7 million in bitcoins was stolen earlier this month from the Silk Road 2 website, Bitcoinica lost over 40,000 bitcoins in an attack in 2012, and MyBitcoin lost over 150,000 bitcoins in a 2011 attack.

Meanwhile, in a further bitcoin blow, researchers from Trustwave this week discovered that criminals using the ‘Pony' botnet had stolen the credentials of around 700,000 digital currency accounts and relieved them of over 700 bitcoins and related currencies, at the time valued at over $200,000 (£120,000).



B-Sides SF: 'Sexism can be a security vulnerability'

Security researcher and white hat hacker Raven Alder addressed sexism in the InfoSec world at the B-Sides San Francisco event on Monday, and said, perhaps surprisingly, that it can help and hinder attackers and defenders in equal measure.

Alder, the first woman to deliver a technical presentation at the famed DefCon hacker conference a decade ago, spoke about gender in InfoSec in her talk ‘Trinity Crowbar: explanations of presumptions of gender', where she mused on the benefits and disadvantages of being a woman in a largely male-dominated industry.

She admitted that most of the pen testers and vulnerability testers she works with ‘are dudes', and said that her appearance (dark brown hair with heavy eyeliner) may carry credibility in hacker communities, but attracts suspicion, surprise and doubt from corporate entities.

“Expectations change on appearance. I look like someone who is scary. My appearance - funny hair color and eyeliner - carries credibility in hacker circles, but not in traditional business circles.”

But while she noted that she is often subject to “unconscious sexism” and date requests (“even after I've broken into their network”), she stressed that gender can also be an advantage, mainly because most people have their own idea of what a security threat looks like.

“People don't assume you're dropping off a USB [stick], seeded with malware, at a car parking lot even when you are,” she told conference attendees.

As a result, Alder noted that sexism need not always be a hindrance, and added that from the attacker's perspective it can be used as a tool for social engineering attacks, or even for gaining the trust of other women as part of some sort of “solidarity pitch”.

In addition, she said that gender also acts as a huge distraction during an engagement, with IT teams too preoccupied with one conspicuous attacker to notice the others sneaking in the back door.

“You can act like the dumbest pen tester, create noise and get attention, while other team members slip under the radar.”

Furthermore, Alder said that the sensitivity around gender, especially with physical security checks at the airport, can also be exploited, and cited one example where she was able to get into a server room she was auditing by telling security staff that she was “going to the toilet”.

“People are sensitive on physical security. Sexism can be a security vulnerability…if audited poorly,” she added.

Alder's views come shortly after (ISC)2 found late last year that just 7 percent of security professionals in Europe are women, with this figure rising slightly to 11 percent worldwide. “The profession as a whole has been slow in tapping into the pool of talent represented by women,” the organisation's report said at the time.

The group launched the Women in Security mentoring scheme last July.



Language of Leadership: Constructive Versus Destructive

On February 3rd Jeremy Kinsley was a guest on Entrepreneur’s Insight radio show. He talked about how inspired leaders produce results. I had the pleasure of being the follow up guest.

The host, Kip Marlow, and I spent some time exploring how leaders communicate. While many people are given the title of leader, a lot of them don’t get results because they don’t communicate in a way that inspires action.

Having studied leaders for several years, I see three distinct behaviors that real, impactful leaders engage in.

1. Constructive Versus Destructive Communication

Constructive Communication:

Good leaders communicate in a way that elevates people instead of tearing others down. These leaders seek to solve problems and create long term solutions. When their focus is on improvement they speak openly, honestly, and consistently. They always have their eye on progress and success.

Constructive communication drives performance. Its foundation is that the employee is capable and driven but has run into a snag. Working with them on that snag, with the goal of removing it, leads to greater results.

When someone is guided to identifying why something has happened and how they can change, they are likely to embrace the lessons and grow as an impactful member of the team.

Destructive Communication:

People who communicate destructively have changed the goal. Whether they realize it or not, their focus is on making someone else feel small.

When people feel small - they don’t perform to the height of their ability. They are not motivated to succeed.

2. Seek Input

True leaders seek the input of others. They understand that they don’t have all of the answers; that leadership isn’t about having all of the answers, it’s about finding the answers. Leaders also understand that one of the ways they grow their staff is to ask for their input.

When you include others in the conversation you are telling them you trust them and believe in them. Leaders understand that not all input will be actionable. That’s not the point. The point is to get everyone thinking about growth, solutions, and success.

It is better to solicit their input than to always be telling them. People respond better to being communicated with than to being talked at. They are also more likely to follow through with a plan they have had a role in creating.

3. Engage in Difficult Conversations

There are times when a staff member is unable to meet the requirements and goals of the organization no matter how hard they try. And, truly, there are times when an employee isn’t a fit or is behaving in a way that is contrary to the goals of the company.

A true leader addresses this situation directly with the employee. A true leader doesn’t emotionally react to the issue by sending a blast email to all of the team members. A true leader also doesn’t avoid dealing with it.

A true leader engages in difficult conversations right away and directly with the person involved. Leaders realize that difficult conversations aren’t mean or unpleasant conversations. There are unemotional, fact-based ways to communicate seemingly difficult topics. Leaders also understand that their responsibility is to deal with issues as soon as they present themselves.

This is how they tell the rest of the staff that the goals of the company are paramount.

Example of a Non-Leader: Destructive | No Input | Emotion Filled

A sales manager calls a member of the sales team into their office and begins to berate him for a lack of sales. Everyone in the department can hear the sales manager even though the door is closed. Besides being emotional and yelling at the salesman, the manager is also criticizing him with pejorative labels like “lazy,” “inept” and “stupid,” and ends the diatribe with a threat to the salesman’s employment status.

The result: The salesman is not only unmotivated to proceed but doesn’t know what to do to improve. The salesman hasn’t learned anything and he wasn’t brought into the conversation. Actually, there was no conversation - it was a one sided push. The salesman is no further along the problem solving road than he was when he entered the office.

Moreover, the rest of the sales staff has been negatively impacted by the event. So, the sales manager has created more problems while not solving the lack of sales issue.

Example of a Leader: Constructive | Seeks Input | Unemotional

A sales manager calls a member of the sales team into their office to discuss the salesman’s lack of sales. The first thing the sales manager does is ask the sales person to share his experience. How is he approaching the process? Where is he running into a disconnect? How is he communicating with prospects and clients?

The sales manager then starts a collaborative conversation around alternative processes. The goal is to help the salesman create a different process that should bring greater results.

The result: Together they create a process the salesman can implement. The entire conversation is focused on problem solving. The salesman leaves the conversation with a plan and a belief that he can succeed at the plan.

The rest of the sales staff understands that the goal is for everyone to be successful; that when the salespeople are successful the company will be.

The difference matters because of the outcomes. When someone behaves like example 2, they are leading the organization and realize positive results. When they behave like example 1, the organization struggles to grow.

Anyone in a leadership role is better off communicating in a constructive, unemotional way that elicits involvement and buy-in. Then they will be a leader who others want to follow.




Apple "security reputation in tatters" after iOS and OS X flaws

Apple has run into heavy criticism after research firm FireEye found a flaw that leaves users of its latest iPhones and iPads open to covert 'keylogging' malware, while Apple left out users of its Mac OS X desktops and laptops when it issued a fix for a separate problem.

The keylogging flaw, revealed by FireEye in a 24 February blog post, means hackers can capture and record every keystroke made by users of any Apple device running the latest iOS 7 operating system, as well as those devices on iOS 6.1. 

This includes the most secure ‘non-jailbroken' devices. Last month Trustwave senior security consultant Neal Hindocha found the same problem on jailbroken Apple iOS systems and was due to demonstrate it at this week's RSA security conference in the US.

Meanwhile, on 21 February, Apple rushed out a patch that prevents hackers from accessing supposedly secure communications between iPhone and iPad users and SSL-protected websites. The flaw was caused by a duplicated line of operating system source code accidentally being left in.

But the company has not provided the same fix to users of Mac OS X computers, leaving them exposed to online attackers stealing their passwords or other personal data as they connect to popular websites.

An Apple spokesperson told SCMagazineUK.com: "We are aware of this issue and already have a software fix that will be released very soon." But this has not been enough to prevent the company from being strongly criticised.

Kevin O'Reilly, senior consultant at UK security research firm Context Information Security, said Apple's reputation for security is “in tatters” while Clive Longbottom, service director at IT research firm Quocirca, added that “Apple has answers to give in both cases”.

O'Reilly told SCMagazineUK.com via email: “It's been a miserable week for Apple. On the one hand, it seems iPhones and iPads are susceptible to malicious key-logging apps - security measures implemented by Apple to prevent malicious background activity can be bypassed, and key-logging Trojan apps are a real possibility for iOS users today.

“But perhaps even more damaging to Apple's reputation for security is the recent revelation that a simple duplication of a line of source code has slipped through the net of security auditing, with huge implications.”

O'Reilly said this flaw means attackers can “sniff or even modify supposedly secure traffic such as that to online banking websites or similar. To make matters worse, the true extent of the problem is still unfolding, with Mac users being left unprotected and a patch still in the making.”

O'Reilly told us: “Apple has long been buoyed by the public perception that its devices and software are far less susceptible to malware and security flaws; this may not have been entirely accurate but this week as realisation dawns this image has surely been shattered, leaving users questioning the wisdom of their previous faith, and Apple's reputation for security in tatters.”

Clive Longbottom at Quocirca agreed, telling SCMagazineUK.com: “The SSL issue seems to have been caused by a piece of code - actually, a single line of code - put in place by an Apple developer to make their life easier during testing. This was not removed before moving the code into run-time. This is a case of very poor project management and code testing by Apple.”

Longbottom said the keylogging problem is more of a software design issue, adding: “Apple has answers to give in both cases - effective code testing and basic project management should be a core part of the development of what is such a major system.”
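The "single duplicated line" failure the article and Longbottom describe is easiest to understand in code. The following C is an added illustration, not Apple's code: a constructed toy handshake-verification routine in the style that made the pattern widely known as "goto fail". Step functions, error codes and the two flag arguments are all assumptions made for the example; the point is that one unguarded copy of `goto fail;` jumps past the signature check while `err` is still 0, so the routine reports success for a handshake whose signature was never verified.

```c
#include <stdio.h>

/*
 * Constructed toy model of a TLS handshake verification routine, added to
 * illustrate the duplicated-line failure described in the article. It is
 * not Apple's code. Each step returns 0 on success and a nonzero error code
 * on failure; the caller accepts the handshake only when the final return
 * value is 0.
 */
enum { OK = 0, ERR_HASH = 1, ERR_SIGNATURE = 2 };

/* Stand-ins for the real handshake steps; the flags are the example inputs. */
static int hash_transcript(int hash_ok)
{
    return hash_ok ? OK : ERR_HASH;
}

static int verify_server_signature(int signature_ok)
{
    return signature_ok ? OK : ERR_SIGNATURE;
}

/*
 * Flawed version: the second `goto fail;` is not guarded by any `if`, so it
 * runs unconditionally. Control reaches the label with err still 0, the
 * signature check below is dead code, and the function reports success for
 * a handshake whose signature was never checked.
 */
int verify_handshake_flawed(int hash_ok, int signature_ok)
{
    int err = OK;

    if ((err = hash_transcript(hash_ok)) != OK)
        goto fail;
        goto fail;   /* duplicated line: always taken, err == 0 here */
    if ((err = verify_server_signature(signature_ok)) != OK)   /* unreachable */
        goto fail;

fail:
    return err;
}

/* Corrected version: every jump is guarded, so the signature is verified. */
int verify_handshake_fixed(int hash_ok, int signature_ok)
{
    int err = OK;

    if ((err = hash_transcript(hash_ok)) != OK)
        goto fail;
    if ((err = verify_server_signature(signature_ok)) != OK)
        goto fail;

fail:
    return err;
}

int main(void)
{
    /* A forged handshake: the transcript hashes cleanly, the signature does not verify. */
    int flawed = verify_handshake_flawed(1, 0);
    int fixed  = verify_handshake_fixed(1, 0);

    printf("forged signature, flawed routine: %s\n", flawed == OK ? "ACCEPTED" : "rejected");
    printf("forged signature, fixed routine:  %s\n", fixed == OK ? "ACCEPTED" : "rejected");
    return 0;
}
```

Two things follow for the "code testing and project management" point Longbottom raises. A single negative test feeding a bad signature, like the one in `main`, would have rejected the flawed routine before release. And the defect is mechanically detectable: building with `gcc -Wall` on gcc 6 or later reports the second `goto fail;` under `-Wmisleading-indentation`, and a coverage report would show the signature check as never executed. Requiring braces on every `if` body removes the pattern entirely.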

FireEye said in its blog that it has demonstrated the keylogging problem on the latest 7.0.4 version of iOS on a non-jailbroken iPhone 5s, and has verified that the same vulnerability exists in iOS versions 7.0.5, 7.0.6 and 6.1.x.

It described the implications of the bug for users: “Potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app and then conduct background monitoring. The only way for iOS users to avoid the security risk, before Apple fixes the issue, is to use the iOS task manager to stop the apps from running in the background to prevent potential background monitoring.”

Clive Longbottom said: “BYOD will continue to stress the IT department attempting to safeguard the organisation. Only through careful monitoring of what is happening on an end-to-end basis from device to data centre can IT hope to keep control of what is happening.”



Microsoft Finally Launches New OneDrive With More Features

After some delay, Microsoft finally introduced the newly renamed OneDrive this week. But the renaming of the company’s cloud storage service once called SkyDrive has proven to be more than that. Microsoft is also taking the opportunity to turn an embarrassing legal defeat into a big marketing campaign with new features.

Topping the features list is the huge amount of free space that Microsoft is literally throwing at you. First off, there’s 3GB of storage that comes with the automatic camera upload feature. Then there’s another 20GB for users who follow a special bonus link, valid within the first year. Then there’s 500MB for every person you successfully refer to OneDrive.

Those of you who had SkyDrive installed on your phones don’t need to uninstall or reinstall anything. Your phones will silently update and the app will change without any input from you.

Other features include video sharing and viewing, automatic camera roll backup for Android phone owners, and real-time collaboration with the Office Web apps Word, Excel, and PowerPoint.

OneDrive is baked directly into Windows 8.1 and Office. You can even set OneDrive as the default save location for your files. In doing so, Microsoft is sending a clear signal that the days of the PC are numbered, and that cloud computing is the future.


OneDrive is currently beating rival cloud storage services on price. 100GB with SkyDrive comes to $50 a year, while its nearest rival, Google Drive, comes in at $60 a year for the same amount of storage. Box and Dropbox trail far behind at $120 a year for 100GB.
