Apple iOS 7 to Include Activation Lock Security Measures

At the keynote address of its Worldwide Developers Conference, Apple said that when the new operating system comes out in Fall of 2013, an ID and password will be needed to turn off a mobile device’s “Find my iPhone/iPad” feature or to erase any data. The same ID and password will be needed to reactivate a device after it has been remotely erased.

This step is being taken to stop the trend of “Apple picking” a growing wave of crime in which thieves target mobile devices, particularly iPhones and iPads. As mobile devices become more popular, stealing them has become a unique sort of crime, requiring some police units to create a special team just for crimes relating to mobile devices.

Read the full story in the news here and here. NBC Washington posted a video showing such a crime occurring on the street in Washington, DC.

There is one misleading bit of information in this article on page 2. It says: “Right now, the find my iPhone app will only display an info screen and have it display a message and send out an annoying sound. It doesn’t stop the iPhone from being used.”

This is not entirely true. You can remotely lock your device (iOS 5) or Lock and Track your device (iOS 6) using Lost Mode in the Find my iPhone feature in iCloud. If your iOS device already has a passcode, you don’t need to enter a passcode, the device locks using the existing passcode.

Learn more about these existing iPhone protections here.

June 13: The IT Partners Conference

This coming Thursday, June 13, IT Partners is holding its annual IT Partners Conference, covering wide-ranging topics in network and computer technology. As every year, one of the tracks focusses on Security. Presentations include:

• Security Changes / Security Policies, covering the latest and upcoming technology and policy changes to secure the MITnet infrastructure
• Sophos, an overview of the new malware protection software replacing McAfee
• Securing the Human, a demo and overview of security awareness training focussed on end-user protection
• The State of MITnet, hosted by Mark Silas, Associate Director of Operations & Infrastructure
• TSM, covering the desktop backup system provided by IS&T

Keynote speaker at the conference is Mike Howard, Vice President of Finance and the closing talk is by Jeff Schiller. Food is provided for registrants. If you want to register, now is the time! Register at rsvp-itpartners at mit.edu.

More information about the conference is here.

STOP Tagging at MIT

STOP tags are a theft deterrent device and can help to return stolen laptops or other mobile devices to their owner.

At MIT, STOP tagging and registration is offered by the MIT Police Crime Prevention Unit. The unit has been working in collaboration with IS&T to make members of the MIT community aware of this service and to provide times and locations.

The service requires a $10 fee, paid in cash, or using an MIT cost object code. Bring your laptop or item to be tagged.

As Sgt. Cheryl Vossmer of the MIT Police has told me, the device is not fail-safe, but can make an item less attractive for thieves and be an aid for returning stolen items. Last week a laptop with a STOP tag attached was stolen off campus and was later found in some bushes off campus. A good samaritan called the STOP phone number on the tag, and before the owner knew the laptop was stolen, he was informed that it was found.

If you or someone you know can benefit from this service, please pass on the following upcoming opportunities:

Wed. 10/26
12:00 – 2:00 pm @ Maseeh Hall

Wed. 11/9
11:30 am – 1:00 pm @ E17, IS&T

Wed. 12/14
11:30 am – 1:00 pm @ E17, IS&T

The full list of scheduled dates is posted in Hermes.

Which AV Product is Better?

The question about which AV (anti-virus) software to use comes up all the time. To date, it has been tricky answering this question to anyone’s satisfaction. The software provided by MIT, McAfee VirusScan (or McAfee Security for Macs), does a pretty good job of keeping the most dangerous of viruses off your system, but it falls short when it comes to spyware protection.

A recent survey and comparison report by PC Antivirus Reviews doesn’t even list McAfee in the top five AV products. At the top of the list are products by Vipre, BitDefender, Kaspersky, AVG and Avast. Their cost is on average $40.

However, for many of us, having a free product is appealing. McAfee is a free download for the MIT community and it’s better than using nothing. Another option, if you run a Windows machine, is to use the free products by Microsoft: Microsoft Security Essentials, Windows Defender and Microsoft Safety Scanner. Will these do as good a job?

The answer, again, is tricky. In the end, experiences may vary and depend on many different factors: The operating system and whether it has the latest updates, the use of protective measures built into the browser one uses, whether ports are open or closed and can limit incoming traffic to the computer, whether spam is caught before reaching one’s inbox, and how AV product settings are configured (which areas it will scan, how often, how often virus definitions are updated, etc).

User behavior can also be a factor. If you use the computer primarily for responsible work-related purposes, you are more likely to avoid dangerous viruses on the Internet, than if you use it for personal use or click on everything and anything.

My suggestion is to buy the best AV product you can afford or take a risk with a free one. But remember, as with anything in this world, you get what you pay for. And do your homework to find the one that best suits your situation.

For next time: An article comparing and contrasting McAfee VirusScan to the Microsoft products mentioned above and other commonly used AV products.

Windows 8 Has ‘Tons’ of Security Features

According to a recent article in the Register, Microsoft’s new operating system Windows 8 (still in Beta) will include several new security features, such as built-in virus protection that scans boot drives for malware. There is also built-in spam filtering.

You can view a video of last week’s presentation at the company’s BUILD conference in Anaheim, California as well as the full article at theregister.co.uk.

Information Security Mitigation Lists

Last week the Australian Department of Defense released a list of 35 mitigations that are the best hope for stopping or mitigating the targeted attacks that are decimating government and industry around the world. US-CERT (United States Computer Emergency Readiness Team) also released a similar list of recommendations intended to “enhance existing security programs.”

I think any organization can implement all or some of these recommendations depending on the type and amount of information they need to protect. Some of the recommendations are strategic, but others are common measures that we’ve been discussing for years, such as using strong passwords and changing them on a regular basis, filtering email, and making sure all systems have up to date patches and are scanning for viruses.

Take a look for yourself and see if you are already doing any of them in your area.

Microsoft and Security

Ok, the above title might make some of us (Apple users) snicker. However, Microsoft has shown several signs of making security a priority for the users of their software.

The company has put out a plea to the world to drop Internet Explorer 6 (IE6) usage. They are now actively discouraging people from using IE6 and have released an official IE6 Countdown Site with graphics, showing the percentage of market share IE6 holds in countries around the world; Microsoft hopes to see usage drop to less than 1 percent worldwide (it currently stands at 12%). IE6 was introduced a decade ago. The next version of IE, version 9, is slated to be released this year. Why the move?

In addition to the above, earlier this month Microsoft pushed an update that disables AutoRun on Windows XP and Vista systems. This Windows feature has been exploited by the computer viruses Confickr and Stuxnet to infect computers. The update was initially released in February; Microsoft said at the time that the patch would be optional, meaning that users would have had to select it manually in Windows Update. Now the patch is being pushed out through the Automatic Updates feature of Windows Update.

Read the story at Computerworld.com.

Security on Mobile Devices

For iPhone, iPad, Android and Blackberry users, the Mobile Devices Team has compiled some platform-specific information regarding setting passwords as well as how to remotely wipe and disable your device if lost or stolen. Access the information on all of these devices from the Mobile Device Ninja page.

Additional security recommendations:

• Make sure your smartphone is running the latest operating system available and is regularly backed up.
• Avoid storing personally identifiable information (PII) on your smartphone.
• Do not store web or application passwords with the smartphone auto-save features.

Read the full article on mobile device security tips and recommendations at IS&T News.

Tip of the Week: Computers in Public Spaces

Computers in Internet cafes, public libraries and other public places constitute a great risk to security. As this news article about a library in the UK illustrates, it is fairly easy to add devices containing keystroke loggers to public computers. These devices can capture any kind of sensitive information you type into the keyboard, such as the log on information for your online accounts, applications for items such as a passport or driver’s license that contain personal information, and bank or credit card information when making online purchases. Because the keystroke logging devices can capture information despite a website’s encryption feature, they can do quite a bit of damage, leading to identity theft and fraud.

What can you do about staying safe when using unsure public computers?

• Be aware of what is plugged into the computer’s ports and connected to the computer’s wires. Are the ports visible? If a USB device is plugged in, don’t use the computer. Also look for anything added between the keyboard’s chord and the port.
• If the ports or wires are not visible and you need to use a public computer, don’t use it for going into any personal accounts, such as Facebook, your bank, or your email.
• If you temporarily don’t have access to your own computer and need to use an unsure public computer for accessing a personal account, change your password using a private computer within a day of last logging into the account.
• Do not use an unsure public computer to enter your debit or credit card information into online forms.

 

Security (or Lack Thereof) of New Gadgets

New gadgets designed to connect to the Internet, such as smartphones and certain HDTV’s, are not always being designed with security in mind. Hackers are shifting their focus to these devices as they become more ubiquitous. As mobile device applications are intended for a single user, there is little to no authentication and authorization built in. Critical security functions such as data encryption and auditing are almost always missing. Protecting the devices from attacks will also require new approaches. A few important steps you can take are:

1. turn off Bluetooth and other services that are not needed,
2. always run some form of security, such as encryption, on your wireless network,
3. put any web enabled devices behind a firewall,
4. change the default administrator password.

Read the full story at NYTimes.com.