<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>True Insight</title>
	<atom:link href="http://www.truedigitalsecurity.com/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.truedigitalsecurity.com/blog</link>
	<description>Information Security in Today&#039;s Digital Culture</description>
	<lastBuildDate>Thu, 02 Feb 2012 15:57:20 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Securely Sanitize Your iPhone Before Upgrading</title>
		<link>http://www.truedigitalsecurity.com/blog/2012/02/02/securely-sanitize-your-iphone-before-upgrading/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2012/02/02/securely-sanitize-your-iphone-before-upgrading/#comments</comments>
		<pubDate>Thu, 02 Feb 2012 15:49:28 +0000</pubDate>
		<dc:creator>Jason Staggs</dc:creator>
				<category><![CDATA[Security Awareness & Training]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Policies and Procedures]]></category>
		<category><![CDATA[Protect Personal Information]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=1029</guid>
		<description><![CDATA[Before trading in or selling that old iPhone on eBay or Craig&#8217;s List for the latest version of Apple’s handset, you may want to stop and think about how your personal data on the device might be at risk. Sure, you can use iTunes recovery mode, or the iPhone’s built-in “Reset” method, which claims to &#8230; <a href="http://www.truedigitalsecurity.com/blog/2012/02/02/securely-sanitize-your-iphone-before-upgrading/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Before trading in or selling that old iPhone on eBay or Craig&#8217;s List for the latest version of Apple’s handset, you may want to stop and think about how your personal data on the device might be at risk. Sure, you can use iTunes recovery mode, or the iPhone’s built-in “Reset” method, which claims to erase all of your data and settings on your iPhone, but just how extensive is it?</p>
<p><span id="more-1029"></span> </p>
<p>A few years ago an official from the Oregon State Police Department was successfully able to recover email, photos, and other user’s data that contained personal and financial information from a refurbished iPhone, right out of the box. This should be most disturbing for anyone who has traded or sold their iPhone and has not taken the proper measures to securely sanitize their device of all their personal and private data. Depending on what version of the iPhone you have, the factory restore methods will merely do a quick reformat on the device, rendering nearly all of your data easily recoverable by anyone with access to basic forensic recovery tools, which are widely available.</p>
<p>If you have an iPhone 3GS or later, these phones implement hardware-based encryption using AES256 by default. It may appear that your phone would be secure if it were to fall into the wrong hands, but unfortunately, the way Apple has implemented this security feature is completely insecure. This should be a major concern considering this encryption system is what some companies and government agencies are solely relying on for the security of the data on their iPhones. There have been numerous publicly documented ways to bypass these encryption schemes in a matter of minutes.</p>
<p>If you have a 3GS or later phone, the method used to “securely erase” the iPhone is simply deleting and overwriting the encryption key, which takes only a matter of minutes to complete. This method does not delete your data off the device but rather deletes the encryption keys, rendering the data on the device useless to anyone trying to access the information. This, however, is not the best practice for the protection of your “End of Life Data.” For a more secure method of sanitizing the personal data left behind on your iPhone, extra steps are recommended to ensure the destruction of your data.  Multiple demonstrations of how to accomplish this task are available online, but they all do essentially the same thing by overwriting all of the data.</p>
<p>One of the easiest ways I researched is to simply restore your iPhone back to factory defaults and then download an app from the iTunes store called iErase. This application was written by Jonathan Zdziarski, an iPhone forensics expert. This app essentially will allow you to zero out all of the free space on your iPhone, where deleted files can still reside. This includes all of the data that was (and still is) on your iPhone before you restored it back to factory defaults. This method alone has been proven to significantly mitigate the risk of data being recovered from the device.</p>
<p>Another important point to keep in mind before disposing of your phone: if you have any apps that allow you to authenticate based on your iPhone’s unique physical hardware ID, you should visit the app’s website to unlink the phone from your account. You can always link your new phone to those accounts after you install the app on the new phone.</p>
<p>Securely sanitizing mobile devices prior to disposal or trade in is a practice that companies and organizations should include within their policy and procedure documentation as well.</p>
<p>Now that you are more security conscious and aware of how personal data resides on mobile devices, you can take the additional steps needed to mitigate the risk of identity theft through the compromise of your sensitive data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2012/02/02/securely-sanitize-your-iphone-before-upgrading/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>True Consultant Uncovers Oracle Vulnerabilities Addressed in January 2012 CPU</title>
		<link>http://www.truedigitalsecurity.com/blog/2012/01/23/true-consultant-uncovers-oracle-vulnerabilities-addressed-in-january-2012-cpu/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2012/01/23/true-consultant-uncovers-oracle-vulnerabilities-addressed-in-january-2012-cpu/#comments</comments>
		<pubDate>Mon, 23 Jan 2012 16:20:44 +0000</pubDate>
		<dc:creator>Kayna Kelley</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=951</guid>
		<description><![CDATA[True&#8217;s very own Michael Oglesby was recognized within the credit statement of the Oracle January 2012 CPU for identifying specific vulnerabilities addressed in the report. In a future post, Michael will share insights into the vulnerabilities he uncovered. True consultants are active participants in the security research community, often contributing their expertise by reporting vulnerability &#8230; <a href="http://www.truedigitalsecurity.com/blog/2012/01/23/true-consultant-uncovers-oracle-vulnerabilities-addressed-in-january-2012-cpu/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>True&#8217;s very own Michael Oglesby was recognized within the credit statement of the <a href="http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html" target="_blank">Oracle January 2012 CPU</a> for identifying specific vulnerabilities addressed in the report.  In a future post, Michael will share insights into the vulnerabilities he uncovered.</p>
<p><span id="more-951"></span></p>
<p>True consultants are active participants in the security research community, often contributing their expertise by reporting vulnerability findings; providing insight within articles, news stories and white papers; and speaking at local security chapter associations and national security conferences, with the goal of helping security professionals improve their information security practices.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2012/01/23/true-consultant-uncovers-oracle-vulnerabilities-addressed-in-january-2012-cpu/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Teens in Love Will Do Stupid Things</title>
		<link>http://www.truedigitalsecurity.com/blog/2012/01/19/teens-in-love-will-do-stupid-things/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2012/01/19/teens-in-love-will-do-stupid-things/#comments</comments>
		<pubDate>Thu, 19 Jan 2012 19:35:45 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=980</guid>
		<description><![CDATA[From the what-is-the-world-coming-to department: Attention parents of teenagers. This story has made the front page of Slashdot: Teens Share Passwords as a Form of Intimacy. First, you had to talk to your teens about alcohol and drugs. Then, the birds and the bees. Now add another item to your list of topics during The Talk: &#8230; <a href="http://www.truedigitalsecurity.com/blog/2012/01/19/teens-in-love-will-do-stupid-things/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>From the what-is-the-world-coming-to department:</p>
<p><strong>Attention parents of teenagers.</strong>  This story has made the front page of Slashdot: <a href="http://yro.slashdot.org/story/12/01/19/1634203/teens-share-passwords-as-a-form-of-intimacy" target="_blank">Teens Share Passwords as a Form of Intimacy</a>.  First, you had to talk to your teens about alcohol and drugs.  Then, the birds and the bees.  Now add another item to your list of topics during The Talk: abstinence from pre-marital password sharing!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2012/01/19/teens-in-love-will-do-stupid-things/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Patch Your Oracle</title>
		<link>http://www.truedigitalsecurity.com/blog/2012/01/17/patch-your-oracle/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2012/01/17/patch-your-oracle/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 16:49:19 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Advisories]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=947</guid>
		<description><![CDATA[Oracle dropped a bomb today on DBAs everywhere: the January 2012 CPU addresses 79 vulnerabilities! Affected Oracle products range from the 10g and 11g releases of Oracle Database, to WebLogic, VirtualBox, and even MySQL. One of the Oracle Database patches fixes a vulnerability that is remotely exploitable without authentication. In other words, PATCH NOW! (After &#8230; <a href="http://www.truedigitalsecurity.com/blog/2012/01/17/patch-your-oracle/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Oracle dropped a bomb today on DBAs everywhere: the <a href="http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html" title="Oracle CPU January 2012" target="_blank">January 2012 CPU</a> addresses 79 vulnerabilities!  Affected Oracle products range from the 10g and 11g releases of Oracle Database, to WebLogic, VirtualBox, and even MySQL.  One of the Oracle Database patches fixes a vulnerability that is remotely exploitable without authentication.  In other words, PATCH NOW! (After testing, of course.)<span id="more-947"></span></p>
<p>Hopefully, your Oracle applications are properly secured from general access on the Internet.  Generally speaking, databases should be locked down to be only accessible from application servers, which should only be accessible from front-end web servers.  If your Oracle DB is accessible from the Internet, you might want to re-think your architecture.</p>
<p>Internal network access to DBs and App Servers is probably less tightly controlled.  In many instances, users may connect directly to the Oracle DB to run queries or a desktop application.  So now, if one of your users has some malware that is permitting an external attacker to control the machine, your DB server is at risk.  Just because your DBs are not exposed to the Internet does not mean you should downplay the threats addressed in this CPU.  Remember, many data-loss attacks originate from an internal machine, not via an Internet-accessible machine.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2012/01/17/patch-your-oracle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On Tokenization: Tokenization &amp; Payment Channels</title>
		<link>http://www.truedigitalsecurity.com/blog/2012/01/04/on-tokenization-tokenization-payment-channels/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2012/01/04/on-tokenization-tokenization-payment-channels/#comments</comments>
		<pubDate>Wed, 04 Jan 2012 13:05:55 +0000</pubDate>
		<dc:creator>Alex Pezold</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Tokenization]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=940</guid>
		<description><![CDATA[Implementing tokenization is much more about understanding how your organization interacts with payments than it is simply rolling out a device that will tokenize payment card data. Many tokenization solutions in the market today are a “silver bullet” and can remove your environment from PCI scope. Beware though, most solutions address only one piece of &#8230; <a href="http://www.truedigitalsecurity.com/blog/2012/01/04/on-tokenization-tokenization-payment-channels/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Implementing tokenization is much more about understanding how your organization interacts with payments than it is simply rolling out a device that will tokenize payment card data.  Many tokenization solutions in the market today are a “silver bullet” and can remove your environment from PCI scope.  Beware though, most solutions address only one piece of the tokenization puzzle.<span id="more-940"></span>  Whether it be token generation or storing the token/credit card association, make sure your solution provider has designed, or can develop, a solution to integrate with your payment channels.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2012/01/04/on-tokenization-tokenization-payment-channels/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On Tokenization: Implementing Tokenization</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/12/27/on-tokenization-implementing-tokenization/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/12/27/on-tokenization-implementing-tokenization/#comments</comments>
		<pubDate>Tue, 27 Dec 2011 13:05:49 +0000</pubDate>
		<dc:creator>Alex Pezold</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Tokenization]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=933</guid>
		<description><![CDATA[Don’t be fooled. Implementing tokenization may not be as easy as they say. In fact, depending on your environment, implementing tokenization can be quite complex. For instance, if your company is a wholesaler and takes payments through multiple channels, implementing tokenization in all of those channels can be quite challenging. On the contrary, if you’re &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/12/27/on-tokenization-implementing-tokenization/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Don’t be fooled.  Implementing tokenization may not be as easy as they say.  In fact, depending on your environment, implementing tokenization can be quite complex.  For instance, if your company is a wholesaler and takes payments through multiple channels, implementing tokenization in all of those channels can be quite challenging.<span id="more-933"></span>  On the contrary, if you’re a smaller merchant with only one POS, tokenization is probably very easy, but may not be the best solution.  Similar to implementing any technology, having the right resources to pre-assess your environment and determine how the technology will be implemented is a critical success factor.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/12/27/on-tokenization-implementing-tokenization/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On Tokenization: Determining if Tokenization Is the Right Solution</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/12/21/on-tokenization-determining-if-tokenization-is-the-right-solution/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/12/21/on-tokenization-determining-if-tokenization-is-the-right-solution/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 21:56:45 +0000</pubDate>
		<dc:creator>Alex Pezold</dc:creator>
				<category><![CDATA[PCI]]></category>
		<category><![CDATA[Tokenization]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=927</guid>
		<description><![CDATA[How do you know if Tokenization is the right data security solution for your environment? Depending on how sensitive data flows throughout your environment, integrating a tokenization solution may not be the right solution. For instance, tokenizing a very small environment does not make sense if point-to-point encryption can provide the necessary means for data &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/12/21/on-tokenization-determining-if-tokenization-is-the-right-solution/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>How do you know if Tokenization is the right data security solution for your environment? Depending on how sensitive data flows throughout your environment, integrating a tokenization solution may not be the right solution.  For instance, tokenizing a very small environment does not make sense if point-to-point encryption can provide the necessary means for data protection.  Conversely, tokenization can drastically reduce, if not eliminate, a majority of your environment from PCI Scope.<span id="more-927"></span></p>
<p>Determining if tokenization is the right solution for your environment and then determining the right tokenization solution provider are both critical to achieving the correct data security strategy.  Experts at True are available to evaluate your cardholder data environment and help you make this determination.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/12/21/on-tokenization-determining-if-tokenization-is-the-right-solution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8220;What Keeps Me Up at Night&#8221; &#8211; EMR on the Internet</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/11/17/wkmuan-emr-on-the-internet/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/11/17/wkmuan-emr-on-the-internet/#comments</comments>
		<pubDate>Thu, 17 Nov 2011 22:40:36 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[HIPAA HITECH PCI]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=906</guid>
		<description><![CDATA[Right now two things keep me from getting a good night&#8217;s sleep: The first &#8211; the anticipation of whether we&#8217;ll experience another earthquake in Oklahoma. The second &#8211; the explosion of transmittal of electronic medical records (EMR) across the Internet. There is some regulation governing how EMR must be protected, both at rest and while &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/11/17/wkmuan-emr-on-the-internet/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Right now two things keep me from getting a good night&#8217;s sleep:</p>
<p>The first &#8211; the anticipation of whether we&#8217;ll experience another earthquake in Oklahoma.<br />
The second &#8211; the explosion of transmittal of electronic medical records (EMR) across the Internet.<br />
<span id="more-906"></span><br />
There is some regulation governing how EMR must be protected, both at rest and while being transmitted. HIPAA arrived in 1996 and gave guidelines on how to protect the privacy and security of PHI (protected health information). HITECH appeared in 2009 and addressed those same concerns during the transmission of PHI, in addition to codifying the financial penalties for data breaches involving PHI. HITECH defined a breach as &#8220;generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual&#8221; (read the whole thing at <a title="HHS.gov: Breach Notification Rule" href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html">HHS.gov</a>).</p>
<p>But, here&#8217;s what scares me.  The payment card industry (PCI) has developed a set of standards, complete with required testing and auditing procedures, dealing with how to protect cardholder data. This was driven by private industry (the banks) since they have a vested interest in preventing breaches (because they are on the hook for fraudulent charges). The industry has refined those standards over the better part of a decade now. Even with those standards, millions of records are stolen each year.</p>
<p>Now I ask you this: if the PCI industry, through multiple iterations, hasn&#8217;t been able to completely fix this problem with required testing and auditing standards, what exactly are federal regulations for protecting EMR that are short on specifics and require no testing or auditing going to accomplish? I would posit that the answer is &#8220;not enough.&#8221; All we can be sure of is that the organizations which lose EMR data are going to incur significant financial penalties.</p>
<p>So, what free advice can TRUE offer to healthcare providers?  Look to ISO for information security best practices, and refer to PCI standards on protecting cardholder data.  Just replace &#8220;cardholder data&#8221; with &#8220;PHI&#8221; for starters.  Also, keep this Gartner quote top of mind when preparing your 2012 security budget: &#8220;The cost of mitigating a data breach is likely to be greater than the cost of preventing the breach beforehand &#8211; perhaps by a 70-1 margin.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/11/17/wkmuan-emr-on-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Juniper BGP Bug Briefly Takes Down the Internet</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/11/10/juniper-bgp-bug-briefly-takes-down-the-internet/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/11/10/juniper-bgp-bug-briefly-takes-down-the-internet/#comments</comments>
		<pubDate>Thu, 10 Nov 2011 15:26:25 +0000</pubDate>
		<dc:creator>Brett Edgar</dc:creator>
				<category><![CDATA[Give me more Internets!]]></category>
		<category><![CDATA[Terrorism]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=891</guid>
		<description><![CDATA[On the morning of November 7, while folks in my part of the country (Oklahoma) were still trying to come to grips with being rocked by two damage-causing earthquakes in less than 24 hours (that&#8217;s unheard of for OK), a previously unknown software bug in the BGP function of Juniper routers caused a major hiccup &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/11/10/juniper-bgp-bug-briefly-takes-down-the-internet/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>On the morning of November 7, while folks in my part of the country (Oklahoma) were still trying to come to grips with being rocked by two damage-causing earthquakes in less than 24 hours (that&#8217;s unheard of for OK), a previously unknown software bug in the BGP function of Juniper routers caused a major hiccup in the Internet. Details on what exactly the problem was are very thin, but Juniper acknowledged that &#8220;a small percentage of customers&#8221; was affected. Unfortunately, that small percentage happened to be companies that run routers in the core of the Internet (like Level 3). The outage was widespread, but short.<span id="more-891"></span></p>
<p>A CNN story leads with a sentence beginning &#8220;The seemingly indestructible Internet&#8230;&#8221; Seemingly indestructible? For years I have been of the opinion that the Internet is extremely fragile and has only been able to survive this long because of sheer momentum. Here&#8217;s my analogy: The Internet is like a runner stumbling over a hurdle. While it may still be on its feet, the inevitable outcome is that its momentum will bring it to a spectacular, smashing conclusion.</p>
<p>So, if the Internet is so fragile, you may ask, why has it not crashed yet as a result of terrorism, nation-state attack, or simple accident? Allow me to present my theories.</p>
<ul>
<li>The terrorists want to cause terror, not boredom, which is exactly what most of the developed world would experience if the Internet failed.  Large numbers of dead bodies get more media attention than 5 billion people bored to tears, not to mention that the media wouldn&#8217;t be able to distribute images of the terrorism without the Internet, and the terrorists wouldn&#8217;t be able to take credit without it.  So no, they won&#8217;t take down the Internet.</li>
<li>The nation-state attackers would love to take down the Internet because of the economic damage it would do to their adversary, but they realize this: their nation and its economy are in the same boat as those they would be attacking.  If the Internet core failed, the world would end up with several dozen very small and useless Internets.  E-commerce would cease to exist until everything was put back together.  You can&#8217;t wage war if you can&#8217;t fund it, or communicate to your troops, or schedule the movement of supplies.  Nope, these guys aren&#8217;t that dumb either.  (Although a leader like the one the North Koreans had might just be crazy enough to do it anyway.)</li>
<li>That leaves us with a simple accident.  Why has this not happened yet?  Good question.  We&#8217;ve gotten close, although I think some of the close calls may have been <em>made</em> to look like accidents.  Some very smart people watch the core of the Internet, though, and so far they&#8217;ve been able to stem the damage of these accidents very quickly.</li>
</ul>
<p>I will tell you who is going to take down the Internet: it&#8217;s going to be some crazy, over-worked computer nerd at a small regional ISP who&#8217;s just going to snap one day and unleash hell upon the Tubes.  Sure, the Feds will label this nerd a &#8220;terrorist,&#8221; but he/she will really be nothing more than a nut job.  Mark my words.</p>
<p>Many of my friends call me a cynic.  I believe I am a realist.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/11/10/juniper-bgp-bug-briefly-takes-down-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>True Recognized Among Tulsa&#8217;s Fast 40 Honorees</title>
		<link>http://www.truedigitalsecurity.com/blog/2011/11/09/true-placed-8th-among-tulsas-fast-40/</link>
		<comments>http://www.truedigitalsecurity.com/blog/2011/11/09/true-placed-8th-among-tulsas-fast-40/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 21:46:40 +0000</pubDate>
		<dc:creator>Kayna Kelley</dc:creator>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Award]]></category>

		<guid isPermaLink="false">http://www.truedigitalsecurity.com/blog/?p=859</guid>
		<description><![CDATA[True was recognized as one of Journal Record&#8217;s Tulsa&#8217;s Fast 40 honorees last night at a special awards banquet and dinner designed to recognize the 40 fastest-growing privately held companies in the Tulsa metropolitan area. Among those honored, True placed 8th. Results were determined based on percentage of revenue growth from 2008 &#8211; 2010. The &#8230; <a href="http://www.truedigitalsecurity.com/blog/2011/11/09/true-placed-8th-among-tulsas-fast-40/">Read more <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>True was recognized as one of Journal Record&#8217;s Tulsa&#8217;s Fast 40 honorees last night at a special awards banquet and dinner designed to recognize the 40 fastest-growing privately held companies in the Tulsa metropolitan area.</p>
<p>Among those honored, True placed 8th. Results were determined based on percentage of revenue growth from 2008 &#8211; 2010. The overall winner was Cherokee Services Group with 10,112.5% growth! View the complete <a href="http://journalrecord.com/tulsas-fast-40/tulsa%e2%80%99s-fast-40-honorees/" target="_blank">list of honorees</a>.</p>
<p>The Tulsa Metro Chamber was the presenting sponsor for the event along with Bank of Oklahoma, Cox Business, Ernst &amp; Young and McAfee &amp; Taft. Mayor Dewey Bartlett even made a speaking appearance.<br />
<span id="more-859"></span><br />
<a href="http://www.truedigitalsecurity.com/blog/2011/11/09/true-placed-8th-among-tulsas-fast-40/fast40/" rel="attachment wp-att-861"><img class="alignleft size-medium wp-image-861" title="Fast40" src="http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/11/Fast40-200x300.jpg" alt="" width="200" height="300" /></a><br />
True would like to express our thanks to the Journal Record and sponsors for making the award program possible and congratulate each Fast 40 company, including some of our very own clients and partners, recognized at the event!<br />
<a href="http://www.truedigitalsecurity.com/blog/2011/11/09/true-placed-8th-among-tulsas-fast-40/tulsa-fast-50/" rel="attachment wp-att-887"><img class="alignleft size-medium wp-image-887" title="Tulsa Fast 40" src="http://www.truedigitalsecurity.com/blog/wp-content/uploads/2011/11/TulsaFast-40logo-254x300.jpg" alt="" width="254" height="300" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.truedigitalsecurity.com/blog/2011/11/09/true-placed-8th-among-tulsas-fast-40/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

