Are Apple’s Devices Really More Secure?

For the better part of four decades, Apple has bragged that its devices are more secure than PCs, and that hackers don’t bother building threats specifically for its operating systems because their security is so superior. For this reason, Apple has routinely refused requests from law enforcement to share workarounds so that police can get into phones. Apple’s rationale for this constant refusal is that it would undermine its ability to keep the most secure personal computing devices secure. Federal law enforcement officials went ahead and developed their own workaround, and the findings may surprise many Apple aficionados. Let’s take a look:

The Discovery

After years of trying to go through Apple to gain access, law enforcement officials finally worked it out in 2020. In 2021, cryptographers published “Data Security on Mobile Devices: Current State of the Art, Open Problems, and Proposed Solutions,” a position paper that looked to answer three questions:

  1. What security measures are currently in place to help deter unauthorized access to user data?
  2. How do modern devices allow unauthorized access?
  3. How can mobile security be improved to prevent unauthorized access?

Researchers analyzed the newest versions of both the Android and iOS platforms. They found that neither platform’s security preparations functioned any better than the other’s. Any person with the right equipment and the inclination can, in fact, access the OS on either device. This may come as a shock to those who have been lauding Apple’s devices as impenetrable.

Before you trash your iPhone, the researchers did “find a powerful and compelling set of security and privacy controls, backed and empowered by strong encryption” in iOS. However, the tools presented were not used frequently enough to ensure security is maintained.

Android’s issues were exacerbated, in comparison to Apple’s, by the vast number of manufacturers that make Android-run products. The researchers found that many devices lacked communications with Google, resulting in slowly implemented updates and in inconsistencies in some devices’ security and privacy controls.

These are just the hardware and software vulnerabilities. In the rest of the report, the researchers detailed the specific vulnerabilities for each platform.

Weaknesses: Apple’s Devices

One of the iPhone’s best features is that it allows users to securely store data to iCloud. According to the researchers of this report, that isn’t all the data Apple takes possession of. When initiated, iCloud takes control of a lot of other data that is sent to Apple. There it is accessible by all different types of entities, hackers and law enforcement included.

This problem is exacerbated as the defenses put forth by Apple are less effective than initially thought. Analysis of this relationship led researchers to suppose that a tool that has been around since 2018 allows attackers to bypass integrated protections to guess user passcodes.

Weaknesses: Android’s Devices

On the other hand, researchers found Android had some serious issues with its local data protection. An example of this can be found in Android’s lack of an equivalent to Apple’s Complete Protection encryption, which leaves Android more open to breach. This is why the FBI can effectively access data from either platform without help from developers.

So What’s The End Result?

Ultimately, both mobile OSs are much more open to data breaches than either manufacturer is willing to admit. It’s never a good practice to assume your data is safe, especially with the default data protection developers have in place. It just goes to show that there is no such thing as impenetrable security, and it is on the users (or the organization) to actively accept these results and do what they need to do to secure their data more effectively.

To do this, you will need to manage these devices with a mobile device management platform and have your employees sign onto a Bring Your Own Device policy. This way your organization is covered in ways that individual devices and mobile platforms simply can’t.

If you would like more information about Bring Your Own Device, mobile device management, or any other platform that helps keep your organization’s data secure, give the IT experts at 4Corner IT a call at (954) 474-2204.

Best Password Practices from NIST

When a hacker tries to access one of your accounts, the first challenge they must overcome is the password. This is why industry professionals always encourage you to create them with security in mind. The latest guidelines issued by the National Institute of Standards and Technology, or NIST, are not quite conventional or traditional. However, they do give valuable insights into how to create more secure passwords.

What is the NIST?

The NIST is the authority on all things password-creation, and they are no strangers to issuing various best practices. While these practices do shift over time, due to the unfortunate side-effect of threats adapting to security standards, their advice is trusted and should absolutely be considered by all. Please see below for the recent update on password best practices.

The New Guidelines

Many organizations and Federal agencies have adopted these guidelines. Here are the latest steps to take when building a secure password.

Length Over Complexity

Most security professionals have advocated for password complexity over the past several years, but the guidelines issued by NIST disagree. NIST suggests that the longer the password, the harder it is to crack. They even go so far as to say that complex passwords with numbers, symbols, and upper and lower-case letters make passwords even less secure.

The reasoning for this is that the user might make passwords too complicated, leading them to forget them entirely, so when it comes time to replace the password, they will add a “1” or an exclamation point at the end. This makes them easier to predict should the original password be stolen. Users might also be tempted to use the same password for multiple accounts, which is a whole other issue that certainly does not aid in security.

No More Password Resets

Many organizations require their staff to periodically change their passwords, mostly every month or every few months. The idea here is to preemptively change passwords on the off chance that the old passwords have been compromised. Trying to use the same old password multiple times would then lock the hacker out of the account, as the password has since been changed. While this has been an accepted best practice for some time, NIST recommends that this practice be put to the wayside, as it is actually counterproductive to account security.

The reasoning behind this determination is that people will not be as careful with the password creation process if they are always making new ones. Plus, when people do change their passwords, they will use the same pattern to remember them. This means that passwords could potentially be compromised even if they have been changed, as a hacker could recognize the pattern and use it against the user.

Make Passwords Easy to Use

Some network administrators worry that certain quality-of-life features, such as showing a password while the user types it or allowing copy/paste, will make the password more likely to be compromised. The truth is the opposite. Ease of use does not compromise security. People are more likely to stick to established password protocol if you make it easier for them to do so.

Don’t Give Out Password Hints

At the same time, you don’t want to make things too easy for your employees, either. One way that administrators help out employees who easily forget passwords is by providing password hints. The system itself is flawed, especially in today’s society of oversharing information across social media and the Internet in general. If Sally makes her password based around the name of her dog, for example, the hacker might be able to find that information on her social media page. They can then try variations of that name until the code is cracked. So, in the interest of network security, it’s better to just forgo these hints. There are other ways to make your password system easier to deal with that don’t compromise security.

Limit Password Attempts

When you place a limit on password attempts for your business, what you are essentially doing is giving hackers a limited number of chances to get lucky. NIST suggests that most employees will fall into one of two categories in regard to password remembrance. Either they will remember it, or they will keep it stored somewhere (hopefully in a password management system). Thus, if an employee is likely to do one or the other, a limit on password attempts will not necessarily impact them. However, it will make all the difference against security threats.
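The attempt limit described above, as an added sketch that is not code from NIST or from this article: the class name `ThrottledLogin`, the three-failure threshold and the ten-minute lock are illustrative assumptions, and the guesses in `demo()` are constructed.

```python
import hashlib
import hmac
import os
import time


class ThrottledLogin:
    """Password check that locks an account after repeated failed attempts."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so the lock can be tested
        self._users = {}              # username -> (salt, derived key)
        self._failures = {}           # username -> consecutive failures
        self._locked_until = {}       # username -> clock value when lock ends

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def login(self, username, password):
        """Return "ok", "denied" or "locked"."""
        now = self.clock()
        if now < self._locked_until.get(username, float("-inf")):
            return "locked"           # the password is not even evaluated
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        if hmac.compare_digest(self._derive(password, salt), stored):
            self._failures.pop(username, None)   # success resets the counter
            return "ok"
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = 0
        return "denied"


def demo():
    """Constructed scenario: three wrong guesses, then the real password."""
    now = [0.0]                       # fake clock, advanced by hand
    auth = ThrottledLogin(max_failures=3, lockout_seconds=600,
                          clock=lambda: now[0])
    auth.register("sally", "correct horse battery staple")
    results = [auth.login("sally", g) for g in ("rex", "rex1", "rex!")]
    results.append(auth.login("sally", "correct horse battery staple"))
    now[0] += 601                     # the lock expires
    results.append(auth.login("sally", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

A hard lock like this also lets anyone who knows the username lock Sally out, so many deployments use increasing delays between attempts instead of a fixed lock.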

Implement Multi-Factor Authentication

We recommend that your business implement multi-factor authentication or two-factor authentication whenever possible. NIST recommends that users be able to demonstrate at least two of the following methods of authentication before they can access an account. They are the following:

  1. “Something you know” (like a password)
  2. “Something you have” (like a mobile device)
  3. “Something you are” (like a face or a fingerprint)

If two of the above are met, then there is sufficient evidence to suggest that the user is supposed to be accessing that account. Consider how much more difficult this makes things for a hacker. Even if they have a password, it is unlikely that they also have physical access to a mobile device, a face, or a fingerprint.

Make password security a priority for your organization now. That way you don’t have to worry about data breaches later on down the road. WheelHouse IT can help you set up a password manager that makes adhering to these best practices easier. To learn more, reach out to us at (877) 771-2384.

Tip of the Week: Selecting the Right Productivity Suite

The productivity suites now available to businesses have come a long way in a relatively short time. However, when selecting one, it is still crucial to compare your options based on a few key variables. Let’s go over these variables to make sure that the software suite you’re using is the right one for your needs.

Cost of Productivity Software

Naturally, we must first discuss costs, as this is perhaps the most pressing variable for most businesses. While it may be tempting to default to the least-expensive option, take a few moments and dig into the features more closely to check for any benefits that may make a slightly more expensive option the most cost-effective productivity suite.

Compatibility With Your Systems

There are a lot of platforms out there—the classic battle between Macs and PCs, and the corresponding Android versus iOS head-butting. On top of these, there are now cloud platforms to consider as well as you decide on the productivity suite you and your team put to use. Consider the headaches that would ensue if half of your team used laptops running ChromeOS, but your productivity suite was only compatible with Windows. As such, you need to make sure your chosen solution has some availability on all (or at least most) of the major computing platforms.

Mobility

On the subject of platform compatibility, it is usually best to select software that has some kind of mobility functionality. There are two reasons for this. First, mobile devices are now used more often than any other kind. Second, with so many people now functioning remotely, the kind of access that mobile options provide contributes a lot of value to the productivity suite you’re considering.

Security

This is important for obvious reasons, so you will want to check up on the security that each solution features. Today’s two most popular productivity suites, Microsoft Office 365 and Google Workspace, are delivered through cloud technologies. This was once problematic, as you’re effectively handing your data over to an external provider, but nowadays these cloud platforms are built with security at the forefront.

Communications

With communications and collaboration so critical to businesses, especially now, a productivity suite with integrations enabling such dialogues makes it easier for teams to accomplish their shared goals. As a result, many of today’s most prevalent options feature some kind of collaboration baked into them, often including an email platform, video conferencing, and/or VoIP.

We can help your business acquire the IT tools such as productivity suites that are needed for modern success. Give us a call at (954) 474-2204 to learn more.

How to Prevent Data Leakage with Microsoft Data Loss Prevention

Businesses using Microsoft Office 365 have new options to prevent data leakage from their business. Whether a company frequently handles sensitive information like patient information or wants to clamp down on sharing personally identifiable information (PII) via e-mail, the Microsoft Data Loss Prevention (DLP) tools can help. A brief overview of the DLP capabilities will show why businesses that operate in industries with a lot of regulations need to deploy their IT team to shore up their defenses.

Microsoft DLP—Identifying Shared Information

The Microsoft Data Loss Prevention tools are a system within Office 365 that reads the information that you input in the Microsoft cloud software such as OneDrive, SharePoint Online, and Exchange Online. Also, the DLP can be applied to offline sources for added security.

Essentially, an IT team sets up the DLP to process all the data that you send through these systems and flags information that you do not want to be shared. The toolset can identify credit card numbers, social security numbers, and other forms of PII.

The system can be localized to the country in which a company operates as well as those with whom they do business. For example, the system can be set so that Australian ID numbers and American ID numbers can both trigger the security protocols, protecting a wider swath of data without burdening the system with data that would never be used.

Each business is in charge of establishing the parameters that they would like followed as well as the desired results when the information shared does produce a red flag.

The system can be set to remove a file with PII or disallow the communication from going forth. Furthermore, the system will send messages to the appropriate members of management to provide documentation about the attempts to send out information.
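The flow described above (detect, decide, report), as an added Python sketch that is not Microsoft's detection logic or configuration: the function names, the `enabled` parameter standing in for the per-country settings, the `example.com` internal domain and the sample messages are all assumptions made for illustration.

```python
import re

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs (order numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])  # never log the full value
    return hits


def find_ssns(text):
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        # Ranges never issued as SSNs: area 000, 666, 9xx; group 00; serial 0000
        if area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000":
            continue
        hits.append("***-**-" + serial)
    return hits


DETECTORS = {"credit_card": find_cards, "us_ssn": find_ssns}


def evaluate(message, enabled=("credit_card", "us_ssn"), internal_domain="example.com"):
    """Return (action, incident); incident is None when nothing was found."""
    findings = {name: DETECTORS[name](message["body"]) for name in enabled}
    findings = {name: hits for name, hits in findings.items() if hits}
    if not findings:
        return "allow", None
    external = not message["to"].lower().endswith("@" + internal_domain)
    action = "block" if external else "allow_and_report"
    incident = {"from": message["from"], "to": message["to"],
                "action": action, "findings": findings}   # sent to management
    return action, incident


# Constructed sample messages (the card is the standard test number, not a real account).
SAMPLES = [
    {"from": "amy@example.com", "to": "vendor@partner.test",
     "body": "Card 4111 1111 1111 1111, SSN 123-45-6789"},
    {"from": "amy@example.com", "to": "vendor@partner.test",
     "body": "Order 1234 5678 9012 3456 shipped"},       # fails Luhn: not a card
    {"from": "amy@example.com", "to": "bob@example.com",
     "body": "Patient SSN 123-45-6789 for the intake form"},
]
```

The second sample shows why the checksum matters: a 16-digit order number matches the pattern but is not flagged, which keeps false alerts from reaching management.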

DLP is easy to set up with the help of trained IT team members, and it goes into effect in less than an hour after establishing parameters.

Monitoring and Educating Employees

The vast majority of employees do not want to contribute to a leak of personal information for the people they serve or those they work with. However, there are still internal data losses every year where people within a company unwittingly give away valuable data.

As previously mentioned, an IT team can work to establish specific parameters for data sharing. These DLP parameters can identify when PII or other valued information is shared internally and externally in Microsoft software.

Not only will utilizing DLP tools cut down on the frequency of leaks, but they will give management the tools they need to teach workers about their specific vulnerabilities and how to prevent them from happening in the future.

Using Microsoft DLP to prevent data leakage is a step that every business operating with Office 365 should take. Simply identifying the types of information you do not want to be shared and enabling the parameters and alerts for data can prevent many common problems from occurring. The result is your company will identify which employees are responsible for data leaks so they can be properly re-educated and save information from falling into the wrong hands.

The Android Botnet that Victimized Consumers and Advertisers

“If it sounds too good to be true, it probably is.” Unfortunately, over 65,000 users neglected to observe this time-honored adage and proceeded to download a “free” app. It came with the promise of, among other things, a free pair of tennis shoes. Before it was all over, the online criminals had spoofed over 5,000 Android apps. They, in turn, downloaded an ad fraud botnet onto over 65,000 devices. The botnet was also responsible for more than 2 billion bid requests. Yes, that’s billion, not million.

When Did It All Start?

The attack, now codenamed TERRACOTTA, began in late 2019. A family of apps listed on the Google Play Store offered users an opportunity to download an app in exchange for a free pair of tennis shoes. In some cases they even offered items such as event tickets, coupons, or expensive dental treatments. For those who opted for the tennis shoes as their free gift, all they had to do was fill in their name along with their address details and then select the shoes they wanted; in 14 days’ time, the shoes would be mailed to their front door. Incredibly, there were no strings attached.

Since initially many users gave the apps a glowing 5-star review, others were likely encouraged by such positive feedback and eager to download an app and then part with their personal information. As time passed and not a single user claimed they received free tennis shoes, the 5-star reviews understandably turned negative. 

How Did They Do It?

The ad fraud botnet used in all the apps silently loaded ads in the background. This is what made this family of apps completely different from other apps that have used somewhat similar tactics in that they bombarded users with unwanted, but obvious ads.

The entire family of apps used in the exploit were not reported to the Google Play Store as being supported by ads. Since no users ever reported seeing any unwanted ads, the apps were able to do their work under the radar. Further analysis showed no monetization mechanism and the analysis confirmed that no ads were ever shown to users. Using these clever ploys, the apps were able to deceive users on Google Play Store. That is, until the final week in June 2020.

Exploiting Advertisers

In addition to defrauding the average user, the apps also contained malware that deceived advertisers. Beyond the 14-day window of shoe delivery that of course never occurred, the apps acted as a delivery platform for other functionality that initially remained dormant.  

Eventually it was discovered the other functionality consisted of a customized Android browser. It was packaged beside a control module written in the popular React Native framework. After being loaded on the phone, the customized Android browser was used to create deceitful ad impressions. These were then purchased by advertisers who bought them in the digital advertising ecosystem. 

Expert Exploitation

Those committing the fraud made use of several techniques that allowed their malware to remain undetected for quite some time. Their clever 14-day “waiting period” allowed them to leave an app (that had no real functionality) for an extended period of time on countless phones. By waiting a lengthy period rather than immediately exhibiting bad behavior, it made it much more difficult for users to connect downloading the malware-loaded app with unwanted behavior that occurred much later. The lengthy waiting period also negatively affected cybersecurity analysis. This is because the apps required observation for an extended period of time in order to detect the exploitive behavior. Those in the anti-virus community were not prepared for malware that remained dormant for such a long period of time. 

A Botnet Cautionary Tale

The clever exploitation described above should be a cautionary tale for companies who may not be well-versed in how to effectively train their employees to spot such deceitful malware. If you would like more information on how to protect your company’s portable devices and other hardware and software from exploitation, please contact us.