
Thursday, 14 July 2011

Security vulnerability found in iOS management of PDF files - at this time only jailbroken devices can be secured



Apple this week pledged to issue a fix for an iOS vulnerability that could let hackers remotely control iPhones, iPads, and iPod Touches.




"Apple takes security very seriously, we're aware of this reported issue and developing a fix that will be available to customers in an upcoming software update," an Apple spokesman said in a statement.

The move comes after the German Federal Office for Information Security (BSI) issued a warning earlier this week about the possibility of attacks via PDF files.
In a translated version of the report, the agency said clicking on an infected PDF via Email or on the Web is enough to infect an iOS device with malicious software and give the attacker administrative privileges on the device.

The BSI said the vulnerability affects the iPhone 3G, iPhone 4, iPad, and iPod Touch running iOS up to version 4.3.3, though officials said they could not rule out the possibility that other versions of iOS were affected.

The warning said there have been no reported attacks, but anyone taking advantage of the vulnerability could potentially access things like passwords, online banking data, calendars, Emails, text, or contact information.
There could also be access to built-in cameras, the interception of telephone conversations, and the GPS localization of the user, BSI said.

Given that more and more professionals are using the iPad and iPhone in a business setting, BSI warned that the security hole could be used for "targeted attacks on leaders ... to get to confidential company information."

Until Apple issues its patch, therefore, BSI suggested that iOS users do not open unknown PDF files, whether they are received via Email or linked on Web sites.
Browser use and link clicking should also be restricted to trusted Web sites.

Apple did not release a timetable for its security update.
Its last update, 4.3.3, was released in early May and solved a controversial "bug" with Apple's location-based services.

The fix comes amidst the release of JailBreakMe, software that will jailbreak an iOS device using the PDF vulnerability.
The program quickly hit 1 million jailbreaks:



"Be sure to share a link with your friends while it's still available," Grant Paul, one of the creators, tweeted earlier this week. 

JailBreakMe developer Comex said on its Web site:



"Along with the jailbreak, I am releasing a patch for the main vulnerability which anyone especially security conscious can install to render themselves immune; due to the nature of iOS, this patch can only be installed on a jailbroken device. Until Apple releases an update, jailbreaking will ironically be the best way to remain secure."

 


Wednesday, 6 July 2011

Data management at Teachers Credit Union

How does a business reduce its data holding from 132TB to 8TB without sacrificing reliability, data quality and availability? That's exactly what Colin Thomas, the CIO of the Teachers Credit Union, was able to do. When the time to embark on scheduled hardware replacements came around for his storage and backup systems, Thomas took the opportunity to redesign his data management strategy.

The process started as part of the normal business cycle of technology refreshes. "We were looking at refreshing storage technologies. I was well aware that advances had been made in areas such as data de-duplication and some of the replication technologies. We were 'kicking tyres' to see what was on the market".

Although the Teachers Credit Union isn't large by banking standards, it's a significant business with about 500 employees and seven offices across the country. There are two data centres with one acting as the production site and the other as a business continuity and development centre. Almost all systems, other than the banking software, are internally hosted. So the data management strategy has to be able to deal with a wide variety of systems, processes and locations.

When the hardware refresh cycle came around, Thomas had the opportunity to look at what the business's needs were and what potential process improvements he could introduce. "The opportunities we were looking for satisfied and provided for our operational lines of business and strategic lines. There were changes in compliance in data management from regulators and the global financial crisis put a greater emphasis on risk management and really knowing in fine details the relationships we had with customers. There's a heavy emphasis on data for mining and intelligence purposes".

"We had a view that we would like to move away from daily tape backups. We had a view that we needed to improve our replication processes because the tolerance for outages is continuing to diminish over time. We're in a generation where people expect data access now from wherever they want it. We were looking at technologies that don't need to be taken offline to have maintenance applied or to have upgrades" said Thomas.

The shift in the banking industry from a transactional base to a 'whole of wallet' view also meant that Teachers Credit Union was creating more diverse product portfolios for customers. That meant that Thomas needed systems and infrastructure that could provide services beyond the past delivery model.

In the past, Thomas's team used snapshotting to copy data and replication technologies to move those snapshots to other disk locations on the network. But they would also take tape copies at known points in time such as end of day, end of week, end of month and then store those offsite for good business purposes. "But changes in the market afforded us the opportunity to have more of those point in time copies actually available online rather than near-line or offline" says Thomas. It gave them an opportunity to reflect on the affordability, reliability and other standard issues of the technology that was being used.

After looking around the market, Thomas and his team settled on solutions built around technology from EMC. The Data Domain component from EMC's proposition was core to delivering the significant reduction in retained data. "If you take a copy of your database every day of the week the full copy is hundreds of gigabytes per day. If you keep 30 days' worth and then every end of month, each end of quarter then you end up with a massive amount of data on a mountain of tapes. But if you put that into the Data Domain all of the duplicate data and whitespace is managed so that the data is compressed without losing access to the data or any negative impacts whatsoever. It means we can recover from disk and not tape, which is inherently faster. It allows us to replicate between two sites on much smaller data volumes".

In addition to the EMC solution, Thomas and his team also use software from CommVault, replication tools inherent to the Solaris platform that runs the banking database and some Microsoft tools as well. However, the number of different components in the data management systems has been reduced. 

Thomas keeps a constant eye on things, looking for opportunities to refine processes and systems. He's also been able to retire a number of technologies such as an optical storage system. All of the data that was held in the optical system has been moved to the main storage array.

So, Thomas was able to achieve superior delivery against business requirements, a reduction in costs and improved reliability.




Fleet management challenges solved with Kiwi ingenuity

Transport companies build their businesses around a key piece of infrastructure. The more time a truck can stay on the road, the more customers can be serviced and the more revenue can be generated. But keeping the trucks moving isn't just a matter of loading up the fuel tank and finding a licensed driver. We travelled to Auckland and spoke with David Laing, the General Manager of Salters Cartage, about how he solves these problems.

Salters has been working with EROAD, a New Zealand-based hardware and software developer that has created a solution that deals with many of the complex issues Salters needs to overcome. Salters and EROAD first started working together in managing Salters' road usage charges. In New Zealand, freight companies need to purchase, in advance, credits in order to drive large vehicles. The charges are based on both the weight and class of the vehicle. In the past, vouchers were purchased and a sticker was placed on the truck's windscreen. If a truck did not have the appropriate sticker in place the company was subject to fines.

One of the challenges was that a truck's usage could not always be forecast. As a result, Salters purchased excess credits so that they would never be caught without enough credit for the usage charges.

Laing explained what the situation was before he looked for a more effective solution. "A lot of the time we'd be buying the maximum as the truck could be carting light one day and heavy the next". Due to this volatility, Laing was having to purchase excess credit. "The worst was that we had to buy so much in advance so we didn't have to be buying every day. We'd have to go to a testing station and get the sticker. If we'd buy 1000km, the truck could do that in a couple of days and we'd have to return and purchase again. So what we'd do is buy 10,000km which would cost several thousand dollars for any one of the trucks and the trailer unit as well. So, we'd spend a lot of money and chip away at the credit over time".

The old system Salters worked under, administered by the New Zealand Transport Agency, was almost entirely paper-based.

With so much money sitting, potentially unused, in vehicles that weren't being used, Salters knew they needed to address the issue. EROAD and Salters worked together to manage the road usage charges more efficiently. Salters was also then able to get a better handle on a number of other issues such as truck maintenance and driver compliance with road laws.

The NZTA used to issue transport operators with a mechanical meter that measured travel distance independently of the vehicle's odometer. However, the mechanical devices were prone to reliability problems leading to the potential for disputes with the NZTA. Laing said that "When the hub meter broke we'd need to get that road user charge refunded and purchase more credit, in advance again, while you waited for the credit to come back. We saw the concept from EROAD and decided we needed to give it a go".

EROAD's solution replaced the mechanical device with an electronic one. Combined with GPS data, this allowed accurate capture of travel information and the exact, current location of a truck. Bruce Wilson, of EROAD, told us that "We had to replace the mechanical device with an electronic one. This required a number of approvals but the electronic device is far more reliable and accurate. This also displays the voucher information. The box looks very simple but has all the smarts". The NZTA has a defined customer data interface, using XML so that the requisite data can be quickly delivered.

The electronic device that's installed to the vehicles is called the Onboard Unit, or OBU.


This system assists Salters significantly. The interface between the OBU, Salters' internal systems and the NZTA means that automation can be used, leading to a substantial reduction in the amount of money held in unused transport approvals. Rather than ordering 10,000km of transport approval in order to avoid frequent visits to the NZTA offices, Salters can now order smaller approval amounts as needed. "I can buy in blocks of 1000km and set them as an automatic purchase. So, when it [the pre-paid amount] comes to 250km, the system automatically buys another one," Laing said.

The smaller pre-paid amounts and automated ordering mean that Salters is better able to match expenses and income. Before, a pre-order of 10,000km meant that Salters was spending significant amounts of money well in advance of earning income. Although the system is still based on pre-payment, the liability is reduced. By Laing's estimate he had "between five to ten times the amount" of pre-purchased credit sitting in the truck-yard compared to now. Laing is also able to easily calculate credit he can claim back from a truck that is off the road - something that was too difficult in the past.

Although Salters is completing many more transactions with the NZTA, these are for lower values and the amount of paperwork is reduced. By Laing's estimate, he's saving about "10% to 15% of his time on administration and a lot of stress about worrying whether all the trucks are compliant".

The other benefit Salters has realised is an increased understanding of exactly what each truck is doing.

The data delivered by the OBU helps Salters better track maintenance issues. For example, all Salters trucks are fitted with speed limiting devices. By examining travel times Salters can determine if the limiters have been calibrated correctly. A limiter that is set at 90kmh rather than the required 100kmh can cost Salters valuable time. Similarly, if the limiter allows a driver to exceed the speed limit they may be liable for a speeding fine.

Salters now has access to significantly more data than previously, enabling the fleet to be run harder and smarter. For example, when a part is replaced it may have a new warranty. They are now able to track maintenance more rigorously.

When we asked Laing how much smarter this has made him in running his business his answer was simply "A lot".

Links
Salters Cartage - www.salters.co.nz
EROAD - www.eroad.co.nz

Photos:

You can see more images of the Salters and EROAD project at Flickr


This was first published in May 2011



Monday, 4 July 2011

How's your software asset management?

For a long time, the perception has been that the technology CIOs have managed has been physical hardware. Servers, SANs, desktops, laptops, switches, access points - all of these devices can be easily seen, quantified and valued. Explaining the cost of hardware to other C-Level executives and boards has been easy because hardware is tangible.

Software is a different proposition. Back when I started my career in IT, the CIO showed me a CD for the forecasting module of our ERP solution and told me that he was holding $100,000 in his hand. The physical media and the value seemed incongruous. However, that software represented thousands of hours and years of experience of the developers. Any asset with that value needs to be effectively managed.

Clayton Noble is the Co-Chair of the Business Software Alliance. His main responsibility is with enforcement and policy for the software companies that are members of BSA. The BSA has a second co-chair who is responsible for education about piracy.

Piracy does cost software developers money. However, many are becoming more savvy when it comes to combatting the steady leak of money. There's a significant effort in place so that pirated code is removed from online sharing sites quickly. There are also efforts made to prevent illegally distributed programs ever being uploaded. Vendors are also getting smarter about how they sell their software so that purchasing is becoming easier than pirating. Noble said that "Across the BSA, members have a whole heap of different delivery mechanisms including downloads and Software as a Service and subscription models at different price points to meet the market how it wants to be met".

In Noble's view, the big issue for CIOs is the importance of Software Asset Management. "It's important because each of the members of the BSA and other companies rely on the organisations customers to remain compliant. By and large, software is licensed on a trust model where the code is handed over. We rely on organisations to retain control over the deployment of software. SAM is a key issue for organisations".

The BSA supplies tools to assist companies with SAM as well as tips and procedures.

The consequences for not maintaining compliance with software licensing can be quite substantial according to Noble, with companies becoming potentially liable for copyright infringement. However, that potential issue is only one of the substantial risks that businesses can face.

The BSA recommends a four-step approach to SAM. To start, the BSA suggests that appropriate policies and procedures are put in place. To assist with getting started, the BSA offers some sample documentation. This can cover situations where staff load personal software onto company assets. If that software isn't legal then the owner of the asset can be held responsible for the software under the Copyright Act.

Once the appropriate documentation is in place, an initial audit should be carried out. As well as detecting potential non-compliance, this audit can deliver a tangible benefit. "Often, companies don't know what licenses they've bought and end up double-purchasing and end up with a lot of shelf-ware that they're unaware of" according to Noble.

"A lot of BSA members offer free services where they'll pay for software asset management consultants to go in and assist the customer to determine what they've deployed and what they've licensed so they can get a snapshot of where they're at so they can plan better and determine what licensing model is most cost effective and efficient" Noble said.

With the audit complete, the CIO is able to then understand what software they have that is legally licensed and what items there are for action. Illegally loaded software can be either removed or licenses can be purchased and a register of software, license keys and license numbers can be created and maintained.

The final step in the process is to move SAM from a project to a process and establish a schedule for regular software audits to ensure that non-compliance doesn't recur and that the business has the right software available for staff to do their jobs.

Software is an asset that is of value to a company and needs to be managed with the same diligence as other, more tangible, assets. There are positive benefits with extraneous licenses not being purchased and the risk management benefit of avoiding non-compliance with the copyright law.


