FLAWLESS
COMPLIANCE

John Weathington, Compliance Consultant

Flawless Compliance (tm): A free monthly newsletter on today's compliance issues based on the ideas, concepts and practices of John Weathington for Excellent Management Systems, Inc.

ISSN 1948-2949

This and back issues of this newsletter are archived for free viewing at http://www.excellentmanagementsystems.com.

Copyright 2009 John Weathington. All Rights Reserved.

Issue No. 19, July 2009

Inside This Issue:

  What in the World? - Your iPhone's Achilles Heel: Security Flaw Found in Popular Apple Gadget
  Center Stage - Underwhelming Regulatory Overhaul: US Regulatory Revamp Goes Bust
  Hello Rubber, Meet the Road - Compliance Program Make-Over: How to Get All the Funding You Need for Your Compliance Program
  In The Soup - Ponzi-Mania: Another Ponzi Scheme Uncovered
  The Gag Reel of Life - Minor Oversight: Crack Journalism Strikes Again

Your iPhone’s Achilles Heel

Security Flaw Found in Popular Apple Gadget

Just when you thought it was safe to receive a text message on your iPhone.

Do you carry an iPhone? If so, your phone is at risk of being cyber-jacked. That’s right, the hackers made their way to your precious iPhone platform.

For decades now, hackers have had the time of their lives systematically exploiting all the vulnerabilities of the Windows platform; and just like a comedian depends on a good political buffoon (we sure have had our share lately), hackers can surely depend on Microsoft to keep producing garbage operating systems for them to tunnel their way into.

But much to my disappointment, it seems like Apple is starting down the road well traveled, enticed and seduced by the sweet allure of producing parasitic software at the expense of—you, the loyal Apple consumer. The guiles of the Micro-serpent have weighed heavy on the mistress, and she has at last—bitten the Apple (I just couldn’t resist).

According to the San Francisco Chronicle, your iPhone can now be attacked through text messaging. In the April 2009 issue of Flawless Compliance, I wrote about cyber-hackers cracking the code on the US government’s network of computers. I mention in the article that they’re able to pull this off because hackers are very brilliant and largely underestimated. I wasn’t kidding.

Security experts Charlie Miller and Collin Mulliner are two such people. They’ve discovered that if somebody sends the right series of text messages to your iPhone, they can take over the features of your phone including the web browser, microphone, and even your camera!

How is this possible? Apparently, there is a vulnerability in the iPhone's operating system that allows program code (i.e. executables) to make its way into memory by way of a simple text message. Come on Apple, are you serious? Have you not yet heard of email viruses that use the same ammo (or M.O. if you prefer)?

According to Miller and Mulliner, the messages seem innocuous: just a bunch of funny squares. This would appear to be the Generation Y equivalent of the Baby Boomers’ “wrong number.” But these messages are anything but safe. If allowed to continue they will eventually embed a potentially dangerous program in your iPhone’s memory, like a clever alien in a good science fiction movie. After that the iPhone is no longer completely under your control.

The good news is that the attack is easily detectable. The hacker would need to send hundreds of these messages (512 to be exact) to be successful, and simply deleting any one of them would stop the hack. Better yet, the going advice is that if you see any messages with funny squares, just turn off your phone.

Here’s the most alarming part for me which comes straight from The Chronicle:

“[Miller and Mulliner] said they informed Apple of the problem a month ago but the problem has not been patched, according to Forbes, which said Apple has declined to comment on the issue.”

Oh boy. I would decline to comment too. Boys and girls, this is where disappointment turns to irresponsibility.

As I mentioned, the disappointment comes from Apple putting out garbage software. Of course I don’t know the details of how the iPhone operating system works, but for me this is over-engineering a solution to a flaw. Meaning, the vulnerability was probably engineered into the iPhone, not on purpose, but because they refused to keep it simple. Binary code is unreadable to humans, so why allow it in a text messaging client? You have to guard for this on your compliance programs as well. Don’t over-engineer the solution once your compliance targets are met, as you may end up actually compromising your system instead of improving it.

Second, if you find a vulnerability, fix it. And if somebody else finds that vulnerability for you, fix it fast! Not fixing a known compliance violation is the worst kind of trouble you can get yourself into. Regardless of the situation, it's interpreted by auditors as disregard, and these kinds of penalties only come in the sizes of huge, enormous, and bankrupt.

So please heed my advice on this one: (1) Know what compliant looks like and when you reach it—stop, (2) Make vulnerability remediation your number one priority and act fast, (3) Stay away from funny iPhone text messages!


Underwhelming Regulatory Overhaul

US Regulatory Revamp Goes Bust

Obama’s plan to overhaul the regulatory system seems to have disassembled under the weight of the Capitol Hill crony network that would rather have things stay the way they are.

There’s no doubt that the existing regulatory system is a mess. An interesting Financial Times article on the subject contains a nice depiction (which is actually oversimplified) of the farrago of regulatory bodies that have organically emerged over the years. Just think of the time, effort, and money that’s been poured into this catastrophe since around the time of the Great Depression.

This organic regulatory mess that failed to serve its purpose last year will now continue to live on, pretty much undisturbed.

And to serve what purpose? The economy just collapsed to monumental levels, the level of fraud in this country is egregious, and investigators are incessantly surprised at what’s uncovered when the whistle is blown. Even convicted ponzi-superstar Bernie Madoff, in his first interview with outsiders, flat out stated that he was surprised at how long he was able to operate his scheme.

It doesn't take a genius to realize that something is terribly wrong here. So coming into the situation, it was an easy target for President Obama. One of the very first things President Obama addressed as the incoming Chief Executive was the regulatory system. His initial plans were a complete overhaul of an obviously broken system.

But a lot can happen in six months. From the Financial Times:

"Tim Geithner, the Treasury secretary, will next week unveil revised plans, which are likely to include the creation of two new structures on top of the existing alphabet soup of agencies. These will include a 'council of regulators' – likely to comprise the heads of the largest agencies – which will oversee the Federal Reserve's new uber-regulatory role of overseeing systemic risk. There is also likely to be a new agency to regulate consumer products, such as mortgages and credit cards."

Overhaul? This doesn't sound like an overhaul to me. In fact, this is more like an underwhelming attempt to keep things pretty much the same, while at the same time taking credit for some kind of motion.

As outrageous as this sounds, there's really nothing the Obama administration can do about it. This obviously wasn't President Obama's original idea, but there are some battles you just can't win on Capitol Hill. The people there want things to stay the way they are today. They're comfortable with the way their agencies have been set up, and they will protect their turf.

This “council of regulators” idea is a waste of taxpayer money—guaranteed. I’ve seen feeble attempts like this in Corporate America by way of special boards created “to ensure cohesive movement and alignment with corporate strategy.” It’s all time-wasting rubbish.

If you’re facing a compliance mess like this in your company, I wouldn’t be surprised. It’s quite common as different interests in your company react to different compliance concerns as they present themselves. This creates compliance silos that may be difficult to wrap your arms around when you step back and start thinking about control convergence.

Your instincts are correct. Your controls need to converge, at least for the sake of efficiency, and possibly for the sake of effectiveness. However, don't make the same mistake President Obama did in underestimating the change management effort involved.

Leaders of these compliance factions will not give up their posts easily. Expect strong resistance from people who feel their compliance issues are "special," and that they don't fit any sort of central compliance model or mold. This is just a red herring for the fact that you have an organizational issue. Just like the politicians on Capitol Hill, the simple reason is that they just want things to stay the same.

If they win the battle, your company will be worse because of it. Although they think they’re “protecting” the company by keeping things the same, they’re actually hurting it, costing your company unnecessary dollars, and leaving your company unnecessarily exposed.

And by all means, please don’t consider a “council” as a good compromise. I’d rather see you spend that money on a good change management expert.

As for Geithner’s new plan, forget it. I’m putting my money under the mattress from now on.


John Weathington's Blog

John Weathington

Visit John Weathington's Blog to find out what's on his mind lately. Get his insight on the world around us, compliance issues and updates, and more. The address is: http://blog.johnweathington.com.

You can also visit the blog section of http://www.excellentmanagementsystems.com for RSS subscription information.

Compliance Program Make-Over

How to Get All the Funding You Need for Your Compliance Program

Are you having trouble getting funding for your compliance program? This is a common concern among compliance professionals, and it goes all the way up the organization to the C-Level. There are many reasons why funding is tough to get, but in this article I'll get to the most common foundational causes and explore how you might get around them.

So let’s get straight to the point. The underlying problem in most cases with compliance funding is perception and alignment. Compliance is perceived to be a necessary evil in the company, and it’s usually aligned within the organization as some sort of cost center.

No company likes paying for compliance. At the same time, no company likes big regulatory fines and the bad press that goes along with them. So your compliance program is probably like a flu shot for the company. Nobody likes getting stuck in the arm with a needle, but it sure beats getting the flu. In fact, one way compliance programs like to justify their existence is by highlighting all the pain the company could be facing if they didn't exist.

To be fair, that's a responsible approach. Your company should know what's at stake, and it's an effective way to get some money for your program. However, if you leave it at that, the company will perceive you as a nuisance. More funding will always be an issue until it's too late and the auditors are at your doorstep.

To correct this, and get the funding you need, follow these tips:

More Money Tip #1: Align Compliance Programs to Business Units

Unlike cost centers, business units have a revenue component to them that is real and tangible. That way, the company can determine whether or not the business unit is profitable. Most importantly, business units are viewed as investments, not costs. Companies try to minimize cost centers, whereas they try to maximize profit for a business unit. Try to move your programs out of the cost structure and into the business units.

For example, if your company organizes business units by geography, then build your compliance programs to specifically support each geography and attach organizationally to the business unit. This may sound counter-intuitive from a control convergence standpoint, but it’s a smart move if you’re trying to shake off the negative image.

More Money Tip #2: Be the Good Cop, not the Bad Cop

In a lot of cases, compliance organizations give themselves a bad image. They project themselves as the police of the company, which alienates them from the rest of the corporate culture. This is a very bad move. You do not want to be perceived as the "bad cops," because not only will the company withhold funds from your operation in a somewhat clandestine way (it would be way too politically incorrect to be obvious about it), but they'll try to find ways to beat your game. You don't want this sort of adversarial relationship with your company.

More Money Tip #3: Seek Positive Outcomes for Compliance Funding

Companies are a lot like people, in that there are three basic motivations that cause companies to fund efforts: (1) They can be forced into action with scare tactics, (2) They can be pressured by the competition, (3) They can see an opportunity that they want to seize. Number 2 is better than 1, and number 3 is better than 2. You are typically funded by motivation number 1, but this is a phantom impetus. If the fear dissipates, so does the funding. It's best to rally behind motivation number 3. For instance, comply with regulations by installing an efficiency program that will save your company money and boost its throughput. Be inventive. Any compliance program can be turned around to represent a benefit for the company.

No program is fun to be in when it’s under-funded. By aligning your compliance programs with the business units, and partnering with the company to further the company’s goals, you position yourself as an investment instead of a cost. Funding isn’t difficult to procure, once you take the right approach.


Ponzi-Mania

Another Ponzi Scheme Uncovered

John Bravata, Chairman and manager of BBC Equities.

Detroit real estate investment manager John Bravata is in the soup this month for none other than—a ponzi scheme. It seems we've pinched yet another Madoff-ite. You have to admit, this is an embarrassing statement about our general population. The Ponzi-demic seems to be rampant in the US, and the sad thing is that this virus cannot exist without gullible people to prey on. Unfortunately, there seems to be no shortage.

Allegedly Bravata was running a real estate investing scheme, promising investors a nice 8 to 12 percent return, even in the 2008 economy. One more time—an 8 to 12 percent return on real estate—Detroit real estate—in 2008. Where did he find these people?

I guess he knew where to look. According to mLive, an online Michigan newspaper:

“The SEC's complaint alleges that Bravata and the other defendants used at least $7 million of the $50 million they raised from investors for ‘expensive lifestyles, paying for luxury homes, watercraft, jewelry, gambling, exotic vacations, and expensive cars. Indeed, John Bravata used money from the first two investors to buy himself a $90,268 Ferrari.’”

Wow.

Well, his assets are frozen now, and so are his chances of getting out of this one. A US District Court judge slapped a restraining order on him and scheduled a hearing in Detroit for August 4th. Bravata isn't available for comment. It's hard to talk when you're standing in boiling soup.


Minor Oversight

Crack Journalism Strikes Again

This is why preventive controls are better than corrective controls:


Shoot for getting it right the first time. It saves a lot of unnecessary embarrassment.

Always Please Remember
Always please remember to buckle up. It could save your life.

If you are having problems viewing this, please visit the Flawless Compliance archive at http://www.excellentmanagementsystems.com/flawless.jsp.

Flawless Compliance is a free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington and Excellent Management Systems, Inc.


To Subscribe, please visit the Flawless Compliance section of my website, http://www.excellentmanagementsystems.com .


You may unsubscribe by sending an email to newsletter@excellentmanagementsystems.com with the Subject of "Unsubscribe to Flawless Compliance".

© 2009 John Weathington. All Rights Reserved. This publication is so copyrighted, it's not even funny. However I encourage you to share it, whole or in part, with proper attribution.