Executech

Apples, Whistleblowers, and Pigeons


There’s a misconception among some that Apple devices are immune from hackers. That illusion was shattered a few weeks ago when the company released two security reports and the requisite patches for bugs within WebKit, Apple’s browser engine. It’s a misconception that needs to change. As something close to 23% of business product usage is now on the Apple platform, iOS has become an increasingly popular target.

Based on the reports provided by Apple, the vulnerability would allow a hacker access to a user’s device. This remote code execution vulnerability, in the component that lets users run Safari and other web apps, was being actively exploited in the wild when it was reported, meaning attackers were already taking advantage of it. Apple’s contiguous platform, which is typically an advantage, was a downside in this case because a flaw in one of Apple’s products impacts them all. So iPads, iPhones, laptops, and all Mac products are at risk.

Updates and Apples

This is a prime example of why it is critical to update to the latest version of iOS across all devices. Mobile device management (MDM) allows IT professionals to update mobile devices seamlessly for businesses that provide employees with corporate devices. Corporate IT experts don’t control environments where people use personal phones. In those cases, user education is critical. Your IT team should emphasize the importance of installing patches as soon as they come out. While many of us admittedly cringe when that message on our phones says there’s an update, take the time to install it. Most of the time, updates address security flaws rather than just adding new emoticons. This update’s notes describe fixing a flaw that allowed arbitrary code to be executed with kernel privileges. If a user goes to a malicious website or downloads the wrong thing, a hacker can run anything they want on the device.

It also targeted the popup on Macs asking if you want to shut down your computer or restart it. A little checkbox asks if you want to reopen all the apps and web pages that were running. There was a flaw that cybercriminals found they could exploit to get through all the layers of Mac’s security. Kernel rights mean a cybercriminal can run your device with full permissions – seeing all of your files and potentially taking over your webcam. Apple has been vague on the details, not saying how many users could be impacted or what the remote code could do, so it’s best to err on the side of healthy paranoia and get the update.

In all fairness, the Android platform also had some vulnerabilities, particularly around malware for what they call toll fraud. That’s where malware signs you up for premium services you didn’t pay for and hides the password from you. To Apple’s credit, they are pretty stringent with the Apple store, whereas Google is slowly getting there. The Android store is getting more locked down, but it was pretty wide open in the past.

Whistleblowers and Tweets

A report recently came out about a whistleblower within Twitter. It seems that Twitter’s security was not as tight as they let on to even the FTC, which seems like a terrible idea.
Twitter’s former head of security, Peiter “Mudge” Zatko, was a well-known hacker the company recruited in 2020 when several prominent accounts got hacked.

Zatko filed a whistleblower complaint with the U.S. Securities and Exchange Commission, the Federal Trade Commission, and the Justice Department on July 6, saying he witnessed “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.” Although much of the filing is redacted, in essence, he claims that the focus at Twitter was around more users, to the point that executive bonuses were tied to that metric. Several other employees have said that’s not the case, so the jury is still out on whether he was vindictive since he was fired. In any case, they need to tighten security, particularly around public figures’ accounts.

At the same time, Elon Musk has been trying to get out of the purchase of Twitter, and this could be grounds for him to walk away – with how many bots they have on the platform and how many gaping holes they have in security. The other interesting aspect is that Twitter’s former CEO, Jack Dorsey, was the past CEO of Square owner Block, Inc. There was some fallout about him shutting out employees. When large tech companies are managed correctly, you can see some pretty amazing things – such as the start of Twitter and all these other social media platforms. Unfortunately, once you get a bad leader, that’s a pretty big ship that they can sink.

Cybersecurity and Pigeons

Getting hacked and losing your data has a direct financial impact since hackers can steal money from you. They can force you to pay with ransomware. That’s one reason cybersecurity is important, but taking security seriously is also critical from a PR perspective. Apple started to up their security, and they’re using that as a selling point. Even small companies could learn from that. You don’t want to brag about your security and put a target on your back, but you should be able to tout the fact that you take security seriously to your customers.

On a side note about bad PR, the next time you think your internet is slow, consider what happened in Johannesburg, South Africa, with the internet service provider Telkom. It’s notoriously slow and expensive but the only primary service provider in South Africa. An MSP out there got a carrier pigeon, strapped a data card to its leg, sent it to an office across town, and then had that office download the data. The total time it took for the carrier pigeon download was 2 hours, 6 minutes, and 57 seconds. That’s how long it took 4% of that same data to be downloaded using Telkom’s service. So a carrier pigeon beat the local internet in South Africa. Technically, this race happened several years ago, and it’s supposedly been fixed in the interim, but the bad PR lingers.

If we can learn anything from these stories, it’s to take cybersecurity seriously. Encourage open communication with your employees so they feel comfortable telling you if they messed up and clicked on a link they shouldn’t have. Implement Multifactor Authentication to keep your networks more secure, and apply patches as soon as they come out. Otherwise, you may rely on some outdated communication methods to function.

This article was adapted from one of our podcast episodes on Between The Bytes! To learn more about protecting yourself and your business from cybersecurity threats, check out our Ultimate Guide To Cybersecurity!
