
Security In The Enterprise

Charlie Miller On Hacked Batteries, Cloud Security, And The iPad

Alan: How could Apple have prevented this?

Charlie: Have fewer bugs I suppose! This particular bug would have required a code audit, I think. Fuzzing probably would not have found it. Also, it could have reduced the attack surface available for the second, escape-the-sandbox vulnerability. Everything else, it did right. ASLR, DEP, sandboxing. The iOS security model is pretty good, but this just goes to show that there are always potentially attacks that can work.

Alan: The mainstream media often talks about "jailbreaking," but the term really downplays the underlying issue that this is a remote exploit that allows arbitrary code to be run. As I see more and more enterprises using iPads, I can’t help but be paranoid about the security issues. We know that over 114,000 email addresses of early iPad owners were stolen from AT&T. These early adopters included high-level executives at major technology and finance/banking firms as well as government agencies. Given that it’s trivial to remotely execute code via PDF engine, and the documented sophistication of the hacks of companies like Lockheed Martin, it seems almost naïve to think that no one has attempted to compromise sensitive data via targeted attacks on the iPad. How should we deal with this issue?

Charlie: Well the problem is that all devices are susceptible to attacks of this nature, and an iPhone/iPad is a device. iOS-based devices are more secure than Mac OS X-based devices due to the code signing and sandboxing of applications. They are probably more secure than desktops running Windows 7. The biggest risk is you'll physically lose them and lose your data that way. But, despite the fact we've seen attacks against iOS devices, such as, it is pretty rare and malware is very rare too. I think iOS is about as good as we can do for now. There is always risk your device will be compromised. What you need to focus on is limiting access to data at any one time, detecting attacks quickly, etc.

Alan: Along the same lines as the earlier cloud computing question, are organizations better off adopting a heterogeneous computing environment or a homogeneous one? That is, if I only have one platform to support (say, an iPad), a security officer can really focus all of the efforts on securing one platform. If I have to support multiple platforms, my efforts to secure the network will be diluted across systems and the sieve will be twice as big with more potential holes and vulnerabilities. On the other hand, the argument for heterogeneous computing is that if I do lose against the bad guys and one of my platforms is compromised, I can quickly switch/rollover the company to the still uncompromised platform (and make the bad guys work twice as hard).

Charlie: This is a great question and the same answer might not fit for everyone. I used to recommend homogeneous environments to ease burden on patching systems. If your enterprise can't really keep up on patches, this is probably for you. However, for the best defense, heterogeneous networks are superior. You must design your network knowing that machines on it will be compromised. Desktops will get malware, your CMS will get SQL injected, etc. Just like you shouldn't use the same passwords in multiple places, you shouldn't use the same operating systems or devices in different places. That way, it will be much harder if an attacker needs exploits against different platforms to make any progress. In fact, most attackers won't have the skills to attack two or three different up-to-date systems, which raises the overall bar for security. You don't want every single computer in your network exploited because of a single Windows kernel remote.

  • 0
    Darkerson , August 2, 2011 4:38 AM
    Pretty interesting read. Keep up the good work!
  • 2
    pepe2907 , August 2, 2011 5:53 AM
    Good call, but whoever actually read the license agreements knows software manufacturers refuse any possible liability for any damages.
    If something is going to change, this should be the first. With these license agreements you can't claim anything. But this change will not be easy.
  • 0
    DavC , August 2, 2011 7:53 AM
    interesting read!
  • 0
    mayankleoboy1 , August 2, 2011 3:34 PM
    No matter how much security you build into a system, if the user really wants to run a piece of malware they think will show them some naked pictures, they're going to figure out a way to run that program.

  • 1
    mayankleoboy1 , August 2, 2011 3:40 PM
    if only software could be people-proof.
  • 2
    jacobdrj , August 2, 2011 5:05 PM
    mayankleoboy1: if only software could be people-proof.

    "A farmer notices his chickens are getting sick, he calls in a physicist to help him. The physicist takes a good look at the chickens and does some calculations, he suddenly stops and says "I've got it, but it would only work if the chickens were spherical and in a vacuum."" - Big Bang Theory...
  • -1
    slicedtoad , August 2, 2011 5:46 PM
    So is it safe to say that as an end user we shouldn't be over concerned about personal computer security?
    Here's my checklist. Don't download unknowns, don't password reuse (for the important stuff anyway), get a decent av (like eset) and keep your computer up to date.
    Multi-layered security on a home pc doesn't make sense, nor does 15 character alpha-numeric passwords (in most cases). No one is going to specifically target you or your pc.
  • -5
    weaselsmasher , August 2, 2011 6:17 PM
    An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there.

    What's this article really about, security or celebrity?
  • -3
    christop , August 2, 2011 7:20 PM
    Enjoyed this..Wish I had a few 0days sitting around to sell..
  • 0
    PreferLinux , August 2, 2011 9:25 PM
    pepe2907: Good call, but whoever actually read the license agreements knows software manufacturers refuse any possible liability for any damages. If something is going to change, this should be the first. With these license agreements you can't claim anything. But this change will not be easy.

    Yes, but whether that is fully legal or not is another story.
  • 4
    cangelini , August 3, 2011 1:54 AM
    weaselsmasher: An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there. What's this article really about, security or celebrity?

    I'm inclined to answer "security" and a guy who knows an awful lot about it ;-)
  • 3
    AlanDang , August 3, 2011 2:28 AM
    weaselsmasher: An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there. What's this article really about, security or celebrity?

    Nothing wrong with both, right? The people I invite to interview are people who do a good job of explaining complex technical things in a straightforward manner. At some point though, if you get to keynote an international NATO conference on cyber security, you deserve a little bit of bragging rights. But truthfully, Charlie is still a normal, down-to-earth-guy when doing an interview... and that's a win for everyone. You guys get access to cool content that's rarely discussed at other websites, and it's not too boring to read... and it's free. I can tell you it's way more fun talking with engineers as opposed to PR people...
  • 0
    Anonymous , August 3, 2011 4:29 PM
    @Alan Dang, you wrote: "But it seems like in today's world, the end-user is playing a less important role. The end-user with the latest software updates who is also savvy to social engineering cannot protect himself against hackers who steal credit card data from Sony."
    This is incorrect: many banks sell "virtual" credit card services: these CC numbers work only for one purchase, so users *can* protect themselves.
    But the sad part in this case is that it's the security conscious users who pay the cost of the protection against hackers, not Sony and the other stupid companies storing credit card numbers on unsecured servers..
  • 0
    dndhatcher , August 3, 2011 10:29 PM
    The article is very interesting. I tried to listen to the keynote and my eyes glazed over. He's obviously got expertise with the subject matter, but could use some presentation training before he starts on the lecture circuit.

  • 0
    slicedtoad , August 4, 2011 12:53 AM
    really? i delayed watching it for a while cause it was long but damn was it interesting. He certainly isn't in PR but he's not bad at speaking. Certainly better than mr. facebook.
  • 0
    Anonymous , August 10, 2011 10:01 AM
    Battery as an attack vector is at least (almost) as old as the original PSP. One way to install custom firmware to it is to modify the battery. Search for "pandoras battery" if you want to know more.