90+ Companies Have Had Their Company Data Exposed Through Their Box Accounts…. Yikes!
Posted in Commentary with tags Box on March 11, 2019 by itnerd
TechCrunch reports that roughly 90 high-profile companies have had corporate data exposed through their Box accounts:
The discoveries were made by Adversis, a cybersecurity firm, which found major tech companies and corporate giants had left data inadvertently exposed. Although data stored in Box enterprise accounts is private by default, users can share files and folders with anyone, making data publicly accessible with a single link. But Adversis said these secret links can be discovered by others. Using a script to scan for and enumerate Box accounts with lists of company names and wildcard searches, Adversis found over 90 companies with publicly accessible folders.
Not even Box’s own staff were immune from leaking data.
The company said while much of the data is legitimately public and Box advises users how to minimize risks, many employees may not know the sensitive data they share can be found by others.
Worse, some public folders were scraped and indexed by search engines, making the data easier to find.
In a blog post, Adversis said Box administrators should reconfigure the default access for shared links to “people in your company” to reduce accidental exposure of data to the public.
Adversis first reported the issue to Box back in September, and has waited until today to make it public, to give companies time to remove sensitive data. Which is nice of them. But it illustrates the perhaps misplaced trust that companies have in cloud services. I say that because having your stuff “in the cloud” doesn’t remove the responsibility of making sure that the stuff in question is properly secured. Given that companies mentioned in this article include Amadeus, Apple, Box, Discovery, Herbalife, Edelman and Pointcare, this incident should serve as a warning to everyone else who uses services like these to store company data.
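As an added defender-side example (not code from the article, Adversis or Box), the audit below walks a Box folder listing and flags every item reachable by anyone holding a link, including items that are only exposed because a parent folder has a public link. It assumes the Box API shape in which each item carries an optional `shared_link` object with an `access` level of `open`, `company` or `collaborators` and an `is_password_enabled` flag; the folder data is constructed.

```python
from dataclasses import dataclass

# Box shared-link access levels (assumed to mirror the Box API's shared_link.access
# values): "open" = anyone with the URL, "company" = only people in the owning
# enterprise (the default Adversis recommends), "collaborators" = invited users only.
PUBLIC_ACCESS = "open"
RECOMMENDED_ACCESS = "company"


@dataclass
class Finding:
    path: str
    exposure: str            # "open" (own public link) or "inherited" (public parent)
    password_protected: bool


def audit_shared_links(root: dict) -> list[Finding]:
    """Return every item exposed to anyone holding a link, walking nested folders."""
    findings: list[Finding] = []

    def visit(folder: dict, prefix: str, inherited_public: bool) -> None:
        for item in folder.get("entries", []):
            path = f"{prefix}/{item['name']}"
            link = item.get("shared_link") or {}
            own_public = link.get("access") == PUBLIC_ACCESS
            if own_public or inherited_public:
                exposure = "open" if own_public else "inherited"
                findings.append(Finding(path, exposure, bool(link.get("is_password_enabled"))))
            if item.get("type") == "folder":
                # Contents of a publicly linked folder are reachable through that link too.
                visit(item, path, inherited_public or own_public)

    visit(root, "", False)
    return findings


# Constructed sample listing: one public folder, one company-only folder holding a
# password-protected public file, and one collaborators-only folder.
SAMPLE_ROOT = {"name": "", "type": "folder", "entries": [
    {"name": "Press Kit", "type": "folder", "shared_link": {"access": "open", "is_password_enabled": False},
     "entries": [{"name": "logo.png", "type": "file", "shared_link": None}]},
    {"name": "Finance", "type": "folder", "shared_link": {"access": "company"},
     "entries": [{"name": "q3-forecast.xlsx", "type": "file",
                  "shared_link": {"access": "open", "is_password_enabled": True}}]},
    {"name": "Contracts", "type": "folder", "shared_link": {"access": "collaborators"}, "entries": []},
]}

if __name__ == "__main__":
    for f in audit_shared_links(SAMPLE_ROOT):
        guard = "password-protected" if f.password_protected else "no password"
        print(f"{f.path}: {f.exposure}, {guard}; set access to '{RECOMMENDED_ACCESS}' unless meant to be public")
```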
According to Resecurity president Charles Yoo, Citrix has been the victim of an absolutely epic hack in which as much as 10 TB of data might have been stolen. Apparently the hack was focused on assets related to NASA, aerospace contracts, Saudi Arabia’s state oil company and the FBI. And Citrix CSIO Stan Black has written a blog post confirming the attack. Here’s the kicker: the hackers, who are tied to the Iranian government, used a technique called “password spraying”, where attackers guess at weak passwords and then work their way up to bigger attacks once inside. And speaking of being inside, the hackers might have been inside the Citrix network for as much as a decade before swiping all that data.
Yikes.
The FBI is investigating, and I am sure that given what is known about this hack, heads inside the IT department should (if there is any decency in the world) be rolling as I type this. I say that because it’s one thing to be pwned by hackers. But it’s another thing entirely to be pwned for a decade without anyone noticing. That, my friends, illustrates that someone inside the Citrix IT department was truly asleep at the switch.
Posted in Commentary with tags Apple on March 11, 2019 by itnerd
I’ve written about Apple’s quality issues in the past. For example #BatteryGate, #KeyboardGate, #StainGate, or #FlexGate. Not to mention software issues like their epic security #fail that allowed anyone to get into a macOS computer and do whatever they want. Or the more recent epic FaceTime bug that allowed you to eavesdrop on conversations. Now I’ve been hit by one of their quality issues. I’ve come across a CarPlay bug that I reported to Apple last year when I discovered it in iOS 12. The process of dealing with Apple has been shambolic to say the least. But before I get to that, let me tell you about the bug.
In previous iterations of CarPlay, all notification sounds were suppressed, with the exception of text messages/iMessages, some calendar notifications, and maybe some other notifications from CarPlay compatible apps. However, since iOS 12, mail notifications can be heard. Not only that, if the phone is unlocked, other notifications can be heard as well. Erasing the iPhone and setting it up as new does not fix this. And I have been able to replicate this on numerous iOS 12 devices in numerous CarPlay compatible cars, from something as mainstream as a Hyundai to something more upscale such as an Audi. Thus this is a bug where they broke something that worked just fine in a previous iteration. Plain and simple.
I reported this via Apple Technical Support shortly after the release of iOS 12 last year. Here’s what happened next:
After reporting this (Apple case 20000015513253 for the record in case someone from Apple is reading this), they originally said that this was normal behavior. Then I called them on that by demonstrating that this bug did not exist on iOS 11.
They then closed the case without warning. That forced me to send them a very terse email to their support group to force them to reopen it as my issue had not been resolved.
They then had me grab diagnostic logs and even record a video for them illustrating the bug.
They had me change numerous settings with no resolution.
They have since gone completely silent.
Since they went silent and they haven’t fixed this issue, I’ve decided to go public with this by putting this story up and posting the video demonstrating the bug that Apple asked me to make. Because after all, Google just did that to get Apple’s attention when Google’s Project Zero group uncovered a serious exploit in macOS last November and were forced to go public with it when Apple couldn’t or wouldn’t fix it within Google’s 90 day window to do so:
I am old enough to remember that if you reported something like this, Apple would go out of their way to fix the issue. They would keep you updated on their progress, and they would not go silent. But clearly this isn’t the case anymore. Now this isn’t the biggest bug in the world. I freely admit that. But the issue, and more importantly Apple’s response, or lack of response, to this issue clearly illustrates that Apple has lost the plot here when it comes to making quality products. And perhaps doesn’t care, as it seems to me that they’re too busy trying to get their iPhone sales up rather than address their quality issues. And I am not the only one that says that. Check out this Tweet that I put up on Sunday about Lewis Hilsenteger, who is also known as Unbox Therapy. He is a Toronto based YouTuber with 13 million or so subscribers who happens to be dumping Apple notebooks, after using them for over 10 years, for a Lenovo ThinkPad Carbon X1 because of Apple’s #KeyboardGate issues. I encourage you to watch the video associated with this tweet as it is very damning when it comes to Apple and the quality of their products:
Apple, you need to get with the program. The quality of your products has dropped to the point where it can’t be ignored either inside or outside the reality distortion field. Your customers are screaming for you to do something, and you need to listen to them and respond with something other than the standard silence that you usually respond to issues with. Otherwise you’re going to find that your loyal customers will simply get fed up, abandon your products and never return.
So how about it Apple?
UPDATE: Almost a year later, the bug that I tripped over is fixed. A YEAR LATER.