Saman Rajaee was a salesman for Design Tech Homes. Design Tech Homes has a BYOD (bring your own device) policy, which means that its staff use personal devices for business-related tasks. Rajaee put in his two weeks' notice in February 2013. Rajaee's personal iPhone was connected to Design Tech Homes' Microsoft Exchange Server so that he could access business documents, email, calendars and other internal data. Design Tech Homes immediately terminated Rajaee and, as a security measure, remotely wiped his personal device because it stored company documents. Rajaee sued Design Tech Homes, claiming a violation of the Computer Fraud and Abuse Act (CFAA).
Rajaee claimed a loss of personal data that he estimated in the tens of thousands of dollars. Rajaee had business and personal contacts, family photos and videos, and passwords stored on his personal device, and Design Tech Homes had deleted all of it by remotely wiping his iPhone. The court in this case found that only two kinds of loss are protected under the civil portion of the CFAA: the cost of responding to a violation and the cost caused by an interruption of service. Only those two kinds of loss can be counted towards the $5000 minimum loss needed to sue. Based on this, Rajaee could not show a loss totaling over $5000, so he had no valid claim under the CFAA, and the court ultimately dismissed the case on that basis.
This case highlights how important it is for companies to make their policies clear when dealing with their employees' personal devices. Employees need to be warned that connecting to the business's servers will give the business access to their devices. This means that the business will apply its security measures to the employee's device, including wiping it when the employee no longer works for the business. This case also highlights the importance of device owners backing up the data on their devices. Had the business communicated the remote wipe policy, Rajaee could have backed up his personal data before his phone was wiped. Had the business worked with Rajaee while he was being terminated, it could have backed up his personal data for him and assisted him after the wipe in restoring just his personal data. The main lesson here is that businesses need to make their policies clear and work with their employees (current or former) when enforcing those policies.
With the release of iOS 12.1 for Apple's mobile devices came the exciting (and much-desired) ability to have group video calls with the built-in app, FaceTime. However, this new addition brought with it an exploit that allows an attacker to easily bypass a device's lock screen passcode and view all of the contact information stored on it. It was discovered by Jose Rodriguez (Twitter: @VBarraquito), a Spanish security researcher who is well known for discovering a variety of lock screen bypass methods, including one that previously allowed information to be viewed through the photo sharing feature of the lock screen camera.
The exploit is fairly simple to execute once an attacker has the target device in their possession, provided it is set up with certain features. Firstly, the phone number of the target device is needed, which is fairly easy to obtain if the device has Siri enabled. Using a different device of their own, they then need to:
- Call the target device.
- Tap the FaceTime icon on the call screen to have it routed through there instead.
- Go to add contacts once the call begins.
- If the target device happens to have 3D touch enabled, a heavy press on the screen on any contact name will bring up the full list of their contact information.
As of right now, it is not yet known whether Apple is working on an update to patch the exploit, given how recent the iOS 12.1 update itself is. With how easy it is for the average person to carry out, it should hopefully be high on Apple's priority list. Users who multitask heavily on their phones, such as those who work for large companies, tend to have both 3D Touch and Siri enabled for convenience, which makes them more likely to fall victim to the exploit, especially since they are often in public spaces where their device could be stolen.
★ Post by Allan Sun
Apple has recently released the initial version of a new website that will allow its users to check what personal information Apple has collected about them. This comes after an interview with Tim Cook in March where he said: "We've never believed that these detailed profiles of people that have incredibly deep personal information that is patched together from several sources should exist". This website adds an unprecedented level of transparency for a company of this size. Despite this transparency and its apparent aversion to treating its customers as the product, Apple still collects a wide variety of user information, ranging from calendars and contacts to entire documents and photos. The website has already been tested in the EU to make sure it complies with the privacy regulations in force there. Apple's intentions do seem pure, at least for now. As part of the recently released iOS 12, Apple added features that help block targeted ads based on shopping or search history. Apple has also continued to be very active in pushing for privacy regulation across the globe. Even though Apple is making it harder for other companies to obtain personal information, and is allowing you to see your own, it continues to collect and store that same information.
A researcher has found serious flaws in the leading real-time operating system, FreeRTOS. This leaves a large number of Internet of Things devices vulnerable to attack, affecting devices from refrigerators to pacemakers. Last year, Amazon took over project management and extended the OS into its own Amazon FreeRTOS IoT operating system, enhancing it for use with Amazon's own products in the future.
There are a total of 13 vulnerabilities in FreeRTOS's TCP/IP stack, which affect Amazon FreeRTOS as well. These issues let attackers do just about anything they want to the target device, from executing their own code to leaking memory contents. The technical details of the flaws have not been revealed to the public so that a fix can be developed first.
RIT is rolling out Multi-Factor Authentication (MFA) very soon. Multi-Factor Authentication adds an extra factor to validate your credentials. For example, when you log into RIT services today you are prompted for your username and password; with the new multi-factor authentication, you will also need to provide an extra form of authentication. The supported methods are: the Duo Mobile app, a text message, a phone call, an office phone call, and email. RIT has been experiencing more attacks than ever before, and this is its attempt at mitigating the risk of those attacks. Last year MFA was put into effect for faculty, staff, and student employees because many Ebiz accounts had been compromised. The attackers then changed direct deposit account numbers so that paychecks would be routed somewhere else. Luckily no one lost money, because the controllers noticed the changed numbers and knew what was happening, since another university had been attacked in the same manner.
Why does this matter to us?
If you do not enroll in MFA by the 24th of October, there will be a hold on your account and you will not be able to enroll for classes next semester.
With MFA comes the use of another device to authenticate yourself to RIT services. For example, if you signed up planning to use the Duo app, DO NOT forget your phone. ITS will have to give you a bypass code until you can get access to your phone again, which would be unfortunate if you need to log onto something ASAP. I personally don't see why the students need MFA, but I have no choice but to enroll in it.
By: Alejandro Juarez