Tag Archive: IT Security

The bug in your Apple

Education Item:

Do you own an iPhone with a damaged screen or damaged Touch ID button – or one repaired by a non-Apple engineer? If so, updating your operating system to iOS 9 might kill your phone.

When handsets are updated to the latest operating system, iOS 9 runs a series of internal checks.  If certain checks fail the message ‘Error 53’ is displayed and the phone becomes totally inoperative.  In most cases users cannot salvage their handset (or even their data) by rolling back to an earlier version of the operating system or disabling the Touch ID pad.  A non-Apple repair to the screen or Touch pad can trigger this result, as can (occasionally) a cracked, unrepaired screen.

Apple’s initial explanation was that the screen and home button’s fingerprint recognition “pairs” with encrypted data on the handset.  A non-Apple repairer can fit a replacement Touch ID button or screen but cannot fully authorise the handset to accept the new part.  This is a security measure designed to prevent unauthorised access via swapping ID buttons, particularly relevant since the advent of Apple Pay.  The end result is that any repairs to these components must be done by an authorised Apple repairer at premium rates.

After a public outcry, Apple offered an alternative explanation: that ‘Error 53’ was in fact a factory test and never intended to impact consumers. They have released an update to iOS 9.2.1 to correct the error message and restore functionality – instructions can be viewed here.

Now all Apple have to do is fix the bug which breaks iPhones if the date is set to 1 January, 1970. This is a known bug – online tricksters are tricking gullible users into altering their date settings with promises of retro themes. In fact it breaks the handset and requires a trip to the Apple store to rectify.


The 800 million pound cyberattack

Education Item:

Cyber attack “Shady Rat” ran from 2006 until its exposure in 2011. It targeted 72 institutions across 30 different industries including the International Olympic Committee and the United Nations. Unsurprisingly, a 2012 PWC report on data security¹ discovered that 76% of UK SMEs had suffered a significant cyber security breach in 2012 – large corporations fared far worse. Companies are often reluctant to report such attacks for fear of losing public confidence. Unfortunately this secrecy usually benefits the hacker – timely information sharing might allow others to avoid a similar fate.

Whilst delivering the Lord Mayor’s lecture last year, Jonathan Evans, head of MI5, revealed that one listed UK company had lost £800m in a recent cyberattack. Last Sunday, Israel’s second largest mobile phone network was disabled for four hours in what was widely believed to be an online attack from political opponents. 2012 saw both the New York Times and the Wall Street Journal fall victim to sophisticated attacks routed through American universities. It is suspected that emails containing malicious code were opened by employees, which then stole every single employee password, turned on webcams and microphones and recorded keyboard strokes. Worryingly, the NYT’s security software only intercepted 1 of the 45 types of malware².

The EU wants to force European companies to strengthen their online defences. In a proposed directive on Network and Information Security (NIS), the EU seeks to impose a legal obligation on institutions such as public bodies, financial services, energy, health, e-commerce/payment platforms, cloud computing, search engines, social networks etc. to establish minimum standards for risk control. More controversially, significant breaches would carry a reporting obligation to a national Computer Emergency Response Team.

The European parliament is also concerned about the security of Europe’s data in the cloud. A recent report highlighted the access granted by the 2008 US Foreign Intelligence Surveillance Amendment Act (FISAA). This grants US authorities permission to access data stored within the US, even when the data originates from overseas. When data moves across national boundaries, issues of legal jurisdiction can become obscure and practically unenforceable. Future users of cloud computing might be more choosy about who holds their data, and where.

1. PWC UK Information Security Breaches Survey Results, April 2012

2. Sunday Times – New Review – 10/2/2013
