Be careful in putting your cybertrust in Google, Microsoft and Apple

Sep 24, 2015 | 3 mins
Topics: Apple, Application Security, Data and Information Security

We have the natural tendency to believe that our data is safe with one of the "tech giants" - after all, they are the leaders in the field. But is that trust warranted?

Security professionals and consumers alike often feel that they understand cybersecurity just from the wording of product labels, vendors’ marketing campaigns, and manuals, especially when they believe they have bet on the “right horse” by entrusting their data to well-known companies such as Google, Apple, and Microsoft. Right?

Not exactly. While there are many arguably great benefits to using technology and services from tech giants such as the ones mentioned above, some common issues tend to plague complex systems. The complexity of a system in and of itself makes it harder to secure every aspect of it. A giant may have more resources to spend on securing its systems, but the belief that the infrastructure tech giants offer is therefore more secure is simply a false perception of security. Even giants have security holes.

Take, for example, the tool called iDict, a simple hacking tool that allowed practically anyone to attempt to gain unauthorized access to any Apple iCloud account. If you think you were safe because you had two-factor authentication enabled, I have some bad news for you: this tool was able to circumvent that two-factor authentication altogether. It then used a simple dictionary of a mere 500 of the most common passwords to “brute-force” its way in. That may sound like a foolish idea, but the tool was highly effective.
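The defensive lesson of the iDict episode is that a 500-entry dictionary only works when a login endpoint will evaluate 500 guesses against one account and when the account's password is on such a list. The following is an added example, written for this page rather than taken from the article, from Apple, or from the iDict tool; it shows a per-account failure throttle with a lockout window, a registration-time deny-list check, and a replay of a constructed 500-guess run against a constructed credential store, with and without the throttle. All account names, passwords, guess lists and the short `COMMON_PASSWORDS` sample are constructed for the demonstration.

```python
"""Defender's view of a dictionary attack against a login endpoint.

Two controls are demonstrated:
  1. a registration-time check that refuses passwords a short
     "most common passwords" list would contain, and
  2. a per-account failure throttle that locks the account after a few
     failures inside a sliding window, so a 500-guess run is rejected
     before the password hash is even computed.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Constructed sample of the kind of entries a common-password list holds.
# A real deployment would load a full published list, not eight strings.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123",
                    "letmein", "iloveyou", "monkey", "welcome"}

# Kept low so the demonstration runs quickly; production values are higher.
PBKDF2_ITERATIONS = 10_000


def password_allowed(candidate: str) -> bool:
    """Registration-time check: refuse short or dictionary-listed passwords."""
    return len(candidate) >= 12 and candidate.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class CredentialStore:
    """Salted, hashed credentials (constructed stand-in for a real user database)."""

    def __init__(self):
        self._records = {}

    def add(self, account: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[account] = (salt, hash_password(password, salt))

    def verify(self, account: str, password: str) -> bool:
        record = self._records.get(account)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, hash_password(password, salt))


class LoginThrottle:
    """Count failures per account inside a sliding window; lock on threshold.

    Counting per account (not per source address) means rotating the
    attacker's IP does not reset the counter.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of failures
        self._locked_until = {}               # account -> unlock time

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Record one failure; return True if this failure triggered a lockout."""
        window = self._failures[account]
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            window.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def simulate_dictionary_run(store, throttle, account, guesses, start=0.0, interval=0.5):
    """Replay a guess list against one account, one guess every `interval` seconds,
    and report how many guesses were actually evaluated versus rejected up front."""
    stats = {"evaluated": 0, "blocked": 0, "lockouts": 0, "compromised": False}
    now = start
    for guess in guesses:
        if throttle is not None and throttle.is_locked(account, now):
            stats["blocked"] += 1          # rejected before any hash work
        else:
            stats["evaluated"] += 1
            if store.verify(account, guess):
                stats["compromised"] = True
                break
            if throttle is not None and throttle.record_failure(account, now):
                stats["lockouts"] += 1
        now += interval
    return stats


# Constructed 500-entry guess list with one common password buried in it.
GUESSES = [f"guess{i:04d}" for i in range(500)]
GUESSES[199] = "monkey"
VICTIM = "victim@example.com"   # constructed account name

if __name__ == "__main__":
    store = CredentialStore()
    store.add(VICTIM, "monkey")   # would have been refused by password_allowed()
    print("unthrottled:", simulate_dictionary_run(store, None, VICTIM, GUESSES))
    print("throttled:  ", simulate_dictionary_run(store, LoginThrottle(), VICTIM, GUESSES))
```

Run without the throttle, the 200th guess succeeds; with the throttle, only the first five guesses are ever hashed and the remaining 495 are rejected at the gate, and the deny-list check would have kept "monkey" out of the store in the first place. The lockout is deliberately per account so that spreading the guesses across many source addresses does not help, which also makes the lockout event itself a useful detection signal to alert on.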

A number of celebrities, Jennifer Lawrence among them, could speak to their password habits and their understanding of the technology they rely on. Nothing beats some Hollywood wisdom; no price is too low for such cybersecurity advice.

Here are two quick observations:

  • Security professionals often make strong claims about security, such as: “it has two-factor and biometric features, and it cannot be exploited.” Surely Apple could tell whether its two-factor authentication is vulnerable and broken, but believing that any technology is completely secure is simply naïve.
  • We like to believe that hacking is a sophisticated dark art practised by the highly talented. In some cases, that is surely true. Looking at this brilliant idea of PHP code run in your local browser with a 500-word dictionary, however, one can only concede that hackers release their code with a pride that security companies can rarely match. Most code from security companies is proprietary; we can only hope they are proud of it, and that one day their clients might even get to see it.

ICSA Labs, an independent security testing organization, offers some insight into security product testing: nearly 80 percent of security products fail to perform as intended and do not pass the tests required for certification on the first try. There is no need to single out Microsoft Windows’ weak security record, because the other tech giants follow, including Apple and Samsung with the vulnerabilities in their recently introduced biometric features.

We like to pretend that we understand cybersecurity and the many connections between systems, falsely believing that we have mastered it. A simple test can prove us wrong. Where it is not arrogance, it is a false perception of one’s cybersecurity maturity level and posture that brings empires like Sony to their knees. And yes, it was not that sophisticated.

Ondrej Krehel is the Founder of LIFARS, a global cybersecurity and digital forensics firm founded in 2014 with offices in New York City, Bratislava, London, Geneva, and Hong Kong. Mr. Krehel holds multiple professional designations and certifications, including Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH) and Certified Ethical Hacker Instructor (CEI), for which Mr. Krehel is one of ten people in the United States to hold such professional status. In addition, from 2012 to 2013, Mr. Krehel served as Adjunct Professor at St. John's University, teaching a broad spectrum of cyber security issues and solutions.

Mr. Krehel anchors and directs LIFARS' multi-faceted global team providing tailored cyber and digital security solutions ranging from emergency response, to assessment, to monitoring, to re-architecture, and re-building of multiple systems and networks.

Previously, Mr. Krehel served as the Chief Information Security Officer of Identity Theft 911 LLC from October 2009 until 2013. He has over a decade of network and computer security experience investigating intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. Mr. Krehel has served as digital forensic examiner in the New York office of Stroz Friedberg, where he led computer security and forensics projects internationally and in the U.S., and was instrumental in detecting, investigating and combating intrusions and data breaches. Mr. Krehel also served as an IT technical security project leader at Loews Corporation, where he implemented technical security solutions, and was responsible for providing the first line of response for all cases involving the compromise of networking equipment, servers and end user machines. He began his career as a computer analyst at the government-owned utility company Slovenske Elektrarne A.S., in Bratislava, Slovakia, where he focused on information security and emergency security incident response for their nuclear, water energy and coal power plants.

Mr. Krehel is a member of the High Technology Crime Investigation Association (HTCIA), the Information Systems Security Certification Consortium (ISC) and the International Council of Electronic Commerce (EC Council). He has an M.S. degree in Mathematical Physics from Comenius University in Bratislava, and an Engineering Diploma from Technical University in Zvolen, Slovakia. He has also completed multiple courses in intrusion and forensics training, including Access Data Boot Camp and Niksun forensics training.

His professional work in cybersecurity and digital forensics has received media attention from CNN, Reuters, CNBC, Forbes, Bloomberg, The Wall Street Journal and The New York Times.

Mr. Krehel has been a speaker at the world's leading cybersecurity events for many years, including RSA in San Francisco, CEIC, HTCIA, RIMS, QuBit Prague, and ICS South Africa, and is the author of numerous cyber industry articles.

The opinions expressed in this blog are those of Ondrej Krehel and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.