Friday, July 29, 2016

Do your data retention policies match reality?

In a 2009-2010 drug trafficking case, Yahoo was able to produce email that their retention policy stated should not be available. The culprits were convicted in part through email they had written and subsequently deleted. Naturally they would like to know how they surfaced. A US court has now ordered that Yahoo explain how they recovered the email.


Why does that matter to me?


From an information security perspective, data in our possession is both an asset and a liability. An asset in that is can support business operations and enable servicing our customers; a liability in that data that has value to us, may also have value to a third party (whether a public official or someone with criminal intent).

Retention policies serve to manage risk by defining how long an organization believes the value (or regulatory obligations) of data outweighs the risk of that data being compromised. If data remains recoverable beyond the retention policy, it represents an unmanaged and perhaps unrecognized risk.

As an extreme example I once came across a database of customer names, addresses, and credit cards, left exposed on a web server. Incredibly, the database belonged to a company that had stopped using that web hosting business years earlier. There was simply no reason for that database to still exist on those servers. Had the company deleted the no-longer-needed information, there would never have been a breach.

Define retention policies - and then ensure those policies are carried out.


So what? I'm not an information security person


The same principal holds true for personal life. Clean up your data every once in a while.

Pictures may have a lifetime of value. Tax records should be kept for several years (for US readers, the IRS has some guidelines). Credit card records generally can be disposed of once you get your monthly statement (though I personally keep receipts for high-value items until the warranty expires). To grossly paraphrase a quote by Albert Einstein, keep information for as long as it is useful, but no longer.

Thursday, July 21, 2016

iOS 9.3.3 for iPhone and iPad: update sooner rather than later

Update 24-July: to date I am not aware of any public exploits for these vulnerabilities. The only exploits I am aware of reside with the discoverer at Talos, and will not be publicly released. Still, the damage that could be done if a criminal hacker worked out an exploit is significant enough that this is a must-install update. 

Apple released software updates for many of its products this week - iOS iPhones, iPads and iPods; OS X for Mac laptops, watchOS for Apple Watch; tvOS for Apple TV; iTunes for Windows; and Safari web browser. This is a case where you might want to update sooner rather than later, at least if you use an iPhone or iPad.

About a year ago, an Austin researcher found a flaw in a core component of Android, which became known as the StageFright vulnerability. This component was responsible for processing images and videos, and could be exploited by merely sending a maliciously-designed MMS message. The recipient did not have to view the message - the phone would process the image automatically once it was received.

This Spring, a researcher with Cisco's Talos team found a very similar flaw in ImageIO, a component of the operating system that is used for all image handling. Just like StageFright, ImageIO has what the security profession calls a Remote Code Execution, or RCE flaw. A hacker can design a malicious image file that exploits this flaw to run any program or instructions they want. All they have to do is get you to open the image - which is as easy as sending the image via MMS message so that your phone automatically loads the image and has it ready for you to see.