Tipping the Data Breach Odds in Your Favor
I did a Web search on “Apple security” this morning after a couple of headlines on some news sites caught my eye. I was surprised at the amount of information that came up.
There was innovative news: Apple’s HomeKit will feature home security controlled via an iPhone. Not exactly network security, but it is security news.
Then, there was the news of Apple CEO Tim Cook’s passionate speech on encryption and privacy. According to TechCrunch, Cook’s speech to the Electronic Privacy Information Center (EPIC) Champions of Freedom event focused on privacy and encryption. It began like this:
Like many of you, we at Apple reject the idea that our customers should have to make tradeoffs between privacy and security. We can, and we must provide both in equal measure. We believe that people have a fundamental right to privacy. The American people demand it, the constitution demands it, morality demands it.
And off it went from there. Cook said some very wise things in his speech about the need to take privacy seriously and the need for encryption tools. In all, I think it was a necessary conversation starter and a very good speech, except for one tiny detail: Apple continues to struggle with security in its own products. There are two particular issues in the news right now.
According to eSecurity Planet, a bug written in Arabic text is designed to crash primarily devices running iOS, although it can also affect Twitter and Snapchat:
When the incoming text message is displayed as a notification on the device’s lock screen, iOS shortens the text with an ellipsis. If the ellipsis is in the middle of a specific series of non-Latin characters rendered in unicode, the system crashes and the iOS device reboots.
The article goes on to discuss how malicious hackers can take advantage of this bug. Apple’s response is that a fix is on the way. But, as we’ve learned over the years, Apple tends to be slow in applying fixes, and this one will be released in a software upgrade, according to the article.
The other big security news regarding Apple products is a flaw in OS X sleep mode. The flaw is found in Macs released before mid-2014. The zero-day vulnerability is buried so deep that it is almost impossible to find or remove, and as a CNN Money article said, it wouldn’t just put your Mac to sleep; it could put it into a coma. The article added:
This isn’t an easy hack. An attacker first needs administrative access to a machine. But what this means is that if a Mac gets hacked with a low-level computer virus, it can bury so deep you’ll never find it.
That’s the real problem here. It gives hackers more time to plot a massive bank heist or a huge corporate takedown, like the Sony Pictures hack.
Security experts say that this isn’t a hack that the average Mac user has to worry about, but it can be a serious headache for IT departments who handle the administration for corporate Mac machines. I haven’t seen any word about a fix for this vulnerability.
As for Apple, it is all well and good to introduce home security and to talk about other people’s problems with privacy and encryption, but the company needs to worry about the growing number of vulnerabilities and attacks against its own operating systems, too.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba
