How Apple’s UI Helped Scammers Steal

This week someone I care about very much was scammed out of thousands of pounds. I am just getting past my anger over it and have spent the past few days trying to work out what I could have done to prevent it happening. I work in security, and I believe I have told everyone I care about how to protect against the most basic things, but Apple introduced a layer of obfuscation that I hadn’t told anyone to look for, because I hadn’t fully noticed it myself.

So what happened? This person received an email from someone they knew (let’s say “Gabriella Davis”) with a simple “Good morning” type one liner. They read the email on their iPad and replied to “Gabriella”. Several back and forths later this conversation turned into a request to move some money. In this business situation it wasn’t that unusual a request. Obviously “Gabriella” turned out to be a fake email address, and the transferred money sent to “Aviva Insurance Ltd” (a valid company) was actually sent to an account owned by someone else and quickly extracted and closed down.

Why didn’t the person who was contacted check that the email they received was from the right Gabriella Davis? They did. It is one of the most basic things I teach people: always verify and dig into the email address. However, on iOS the email address was shown incorrectly. Say the email was from “Gabriella Davis <fakeaddress@gmail.com>” and my real address is “Gabriella Davis <gabriella.davis@turtleblog.info>”. Apple kindly matched the “Gabriella Davis” phrase part with a contact (me) in his contacts and showed not only my photo on the email as the sender but also, when clicking on it, filled in the gabriella@turtleblog.info address.

Even though the reply actually went to fakeaddress@gmail.com, there was no way to see that from iOS.

The person concerned took Apple’s representation of my contact information and my photo on the email as validation that it came from me and that he was talking to me. He wasn’t. The same email opened in both Notes and Outlook immediately showed the fake address, and the fake address was obvious when choosing reply from those clients. It simply would not have happened if he hadn’t been using iOS.

My instructions to always check the sender address hadn’t been spoofed and always check you are sending to the right person turned out to be the worst possible advice in this case, because the contact information Apple prefilled gave a layer of confidence to the email that otherwise wouldn’t have been there. “Of course it’s Gab, Apple are even showing me her picture and her email”.

I will probably not open comments on this entry as it isn’t entirely my story to tell and there is lots more information I am not prepared to share publicly.  If you know me and have a specific question you can reach out and I may be able to answer.  Otherwise please warn people you know.

  1. Never reply to important emails on an iOS device
  2. If in doubt, even a tiny bit of doubt, always forward and re-address
  3. Any sense of urgency in an email should be a red flag regardless of anything else
  4. There is no replacement for verbal verification, and there is always time for it
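The failure described above is that a mail client matched the display name of an incoming message against the contacts list and then presented the contact’s photo and address instead of the address actually in the header. The check below is an added example, not Apple’s code or anything from the original post: it parses the From and Reply-To headers of a message, compares the display name against a constructed contacts dictionary, and flags the two things a reader needs to see: a display name that matches a known contact while the address does not, and a Reply-To that sends replies somewhere other than the From address. The contacts and the three sample messages are constructed for the example; the only real-looking value, gabriella.davis@turtleblog.info, is the address the post itself gives.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book for the example: display name as stored in the
# recipient's contacts -> the address actually known for that person.
CONTACTS = {
    "Gabriella Davis": "gabriella.davis@turtleblog.info",
}

# Constructed sample messages (not real mail). SPOOFED mirrors the post:
# the right display name with a fake address. REDIRECTED shows the other
# common trick, a genuine-looking From with replies diverted via Reply-To.
SPOOFED = "\n".join([
    "From: Gabriella  Davis <fakeaddress@gmail.com>",
    "To: recipient@example.invalid",
    "Subject: Good morning",
    "",
    "Good morning, are you free for a quick question?",
])

GENUINE = "\n".join([
    "From: Gabriella Davis <gabriella.davis@turtleblog.info>",
    "To: recipient@example.invalid",
    "Subject: Good morning",
    "",
    "Good morning!",
])

REDIRECTED = "\n".join([
    "From: Gabriella Davis <gabriella.davis@turtleblog.info>",
    "Reply-To: Gabriella Davis <fakeaddress@gmail.com>",
    "To: recipient@example.invalid",
    "Subject: Good morning",
    "",
    "Good morning!",
])


def normalize_name(name: str) -> str:
    """Collapse whitespace and case so 'Gabriella  Davis' matches 'gabriella davis'."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def reply_target(raw_message: str) -> str:
    """Address a plain 'Reply' would go to: Reply-To if present, otherwise From."""
    msg = message_from_string(raw_message)
    for header in ("Reply-To", "From"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr:
            return addr.casefold()
    return ""


def check_sender(raw_message: str, contacts=CONTACTS) -> list:
    """Return findings as (header, code, actual, expected); an empty list means nothing odd."""
    msg = message_from_string(raw_message)
    known = {normalize_name(n): a.casefold() for n, a in contacts.items()}
    findings = []
    # 1. Display name belongs to a known contact but the address is not theirs.
    for header in ("From", "Reply-To"):
        name, addr = parseaddr(msg.get(header, ""))
        if not addr:
            continue
        expected = known.get(normalize_name(name))
        if expected and addr.casefold() != expected:
            findings.append((header, "display-name-mismatch", addr.casefold(), expected))
    # 2. Replies would go somewhere other than the visible From address.
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.casefold() != from_addr.casefold():
        findings.append(("Reply-To", "reply-redirect", reply_addr.casefold(), from_addr.casefold()))
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("genuine", GENUINE), ("redirected", REDIRECTED)):
        print(label, "-> replies go to", reply_target(sample), check_sender(sample) or "ok")
```

The point of the check is that it works from the address in the header, never from the contact the display name happens to resemble; that is exactly the lookup order the post says the iOS client inverted. Whitespace and case are normalized before comparing names because a doubled space or a lowercase letter in the display name is enough to look like a different string to naive matching while still looking identical to a person.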


A Plea For 3 Mins Of Your Time To Read This

Recently a friend’s wife was diagnosed with kidney failure. Although she is on dialysis, she is also on a registry hoping for a donor kidney. After a few discussions and some internet research, I realised how little I know or understand about donating a kidney, and how doing so could add years to a loved one’s or a stranger’s life with little risk to myself. When someone is on dialysis and waiting for a donor kidney, they need strength and they need hope.

Here are a few things I didn’t know and want to share, because maybe you didn’t know them either. I apologise in advance for my ignorance, which may be exclusively mine.

1. It’s not true that the best match will be from a family member. Genetic compatibility is one aspect, but with improved anti-rejection medicines it’s very possible and often common for a friend or even a stranger to donate.

2. Anonymity is maintained throughout the process if you wish, and the recipient may never find out that you tested or whether you were a match. You can start the testing process anonymously and choose not to proceed at any point.

3. The first step in finding out if you’re a match is simply to see if your blood type is a match. If it is, you can move on to the next step, which is a DNA match test.

4. You can choose to be tested to match for a specific person, or to be added to a paired/pooled registry where your kidney will be given to someone you match with and the person you wanted to donate to will be prioritised higher on the match registry, or even add your details to a general registry, which commits you to nothing.

5. The path for potential donors involves not just ensuring you are physically able to donate a kidney but also emotionally prepared to do so. After you are a match you will often be assigned a counsellor to work with you on the decision to donate and the process itself. Again, if you decide to stop at any point, that is entirely confidential and anonymous.

If you want to know more about kidney donation and what’s involved, then please take a quick look at these sites: http://www.giveakidney.org/ and https://www.kidneyresearchuk.org/health-information/living-donor-transplantation

To register as an organ donor or a living kidney donor in the UK, please read this NHS site: https://www.organdonation.nhs.uk

An Introduction To Docker From MWLUG 2017

Last week I attended and presented at MWLUG in Alexandria, VA. This was my third MWLUG event and the biggest so far. Lots of great and varied content; I even went to a couple of developer sessions. Thanks to Richard Moy and the rest of the MWLUG team for putting on another great show. Next year the conference is getting a new name and a new location in Ann Arbor, MI.

This session has been changed from the one I gave previously to reflect changes in Docker storage and networking behaviour.

MWLUG – Sessions upon Sessions (Some From Me)

What are you doing this August? If you’re interested in ICS technology then you want to make your way to Washington, DC and MWLUG. The Midwest User Group conference has once more moved to a new location for 2017 and will be held at the Hilton Mark Center, Alexandria from August 8-10.

Sessions have started to be announced, and as well as the usual popular topics there are new Watson Work and Innovation tracks to play in. Take a look at the list of announced sessions here.

I’ve attended and spoken at MWLUG for the past 3 years and it’s an event I look forward to thanks to the number and breadth of sessions and a chance to meet customers and spend time with the ICS community. This year I’m speaking again and I’m very pleased to have three brand new sessions and one new speaking partner(!).

In the Best Practices track I’ll be showing you how to architect and configure a hybrid cloud solution for Domino.

Setting Up a Hybrid Domino Environment to Ease your Way to the Cloud

Are you looking at Cloud options and wondering how and if you can get there from where you are? If you have Domino on premises and are considering Cloud, then a good option is a hybrid architecture which maintains all your on-premises configuration managed by your own administrators but adds Cloud client access managed by IBM. We will look at how simple it is to create this hybrid solution using Domino passthru servers and review how things like user and directory maintenance, client access and mail routing will then work. From Domino Admin to Domino Hybrid Admin in a few simple steps.

In the Innovation track I’ll be discussing IoT in the Enterprise, its security implications and opportunities.

IoT In The Enterprise Brings You Industry 4.0

IoT brings us to the beginning of Industry 4.0, and with the opportunities for improved delivery, services and customer relationships come the challenges of data management, creative process re-engineering and, most of all, security. IoT devices are arriving through the door each day; meanwhile the introduction of GDPR compliance next year brings additional responsibility for data ownership and privacy. In this session we will investigate the opportunities for IoT in different business sectors alongside the risks of the IoT experience. We will discuss how to defend and protect against today’s IoT vulnerabilities and review how security offerings such as blockchain are evolving. We will also offer a checklist for how your enterprise can plan for and benefit from the emergence of enterprise IoT.

Finally, in the System Administration track I’ll be joining Linux expert Bill Malchisky to discuss Docker on Linux and what you need to know.

Running Docker and Linux Together

The introduction of Docker within IBM’s product strategy, as well as the popularity of containers as a solution, means it’s time to learn some new tools. Join Gab & Bill as they offer architectural insight for both Linux and Docker along with storage and network isolation tips. Curious about good and bad devops processes, deployment, upgrades and backups? You will receive technical explanations with examples. If Linux is the path ahead, Docker is the deployment conduit. Let’s get you ready for the journey.

Thank you in advance to the NH / Maine convoy that will help get me from NY to VA. I’m looking forward to sharing these new sessions and learning some new stuff myself.

Sametime Client Update Breaks Single Sign On

I recently built a new Sametime Complete environment for a customer that included an Advanced and a Meeting server. When I had completed the build I tested a new standalone Sametime client in a VM to confirm that I could log in to the new Community server and it would log me into the Advanced and Meeting servers. Having added the necessary lines to plugin_customization.ini to enable Sametime Advanced*, I was able to log in to the Community server successfully and be automatically logged into the Meeting and Advanced servers. However, when I handed over to the customer for testing I was surprised that they couldn’t actually log in to the Meeting server at all through the Sametime client. They got a server unreachable error.

So I did further testing:

  1. On my client I was configured to use SSL for both the Meeting server and Sametime Advanced. I could log in to the Community server and that logged me in securely to Meetings and Advanced. That same configuration on a test workstation of theirs failed to log in to the Meeting server, saying server not responding (although it did successfully log in to Advanced).
  2. If I removed the Sametime Advanced servers from the Sametime workstation client, it could suddenly log in to the Meeting server.
  3. If I changed the Meeting server configuration in the workstation client to use HTTP (port 80) instead of HTTPS (port 443), I would be logged in to the Meeting and Advanced servers.
  4. On the test workstation I could always log in to the Meeting server securely through a browser and open a tab to the Advanced server and be automatically logged in there, even when the Sametime client claimed it couldn’t reach the server.

So why did it fail on every one of their workstations and not for me? It turns out they were using the latest Sametime client I had downloaded from Fix Central (20170402-0344) for them, whereas I was using the 2016 build (20160624-0209). I took a snapshot of my VM and upgraded my Sametime client to the April 2017 one, and I was immediately unable to log in to the Meeting server. I rolled the snapshot back to the 2016 client and everything worked again.

One of the major updates in the 2017 client was SAML functionality, and it does seem that the single sign on logic has been broken in some way by that 2017 update. Everything is working with the 2016 client, so for the time being (and whilst IBM investigate the PMR) we are rolling that out. One to watch out for though: newer is not always better, and you might want to avoid the latest 20170402-0344 update.


*For Sametime Advanced login to work at all in the client, you must ensure “remember password” is checked and the following two lines are in plugin_customization.ini:

com.ibm.collaboration.realtime.bcs/useTokens=false
com.ibm.collaboration.realtime/enableAdvanced=true

The Word For The Decade Is “Disruption”

“Disrupt”, “Disruption”: we hear those words in conference sessions offered with no context, as if the very act of disrupting is by definition a good thing. We see articles about start-ups who promote their ability to disrupt the market as their primary differentiator, and it has made its way into common usage, which is why it’s stuck in my head and I have developed a twitch every time I hear someone say it like it’s a magic answer to any and all questions. However, I’ve also been doing a lot of work this year in the IoT space and found myself talking about how IoT devices will completely change how businesses and processes work, in much the same way the arrival of the internet itself did.

So if I find the idea of IoT innovations changing customer relationship models, supply, production and delivery models, if I find all of that interesting, exciting and presenting huge opportunities, what’s my problem with “disruption”?

From the Oxford English Dictionary:

Disturbance or problems which interrupt an event, activity, or process.

So yes. The idea of disrupting established industries, rethinking the very core of how they work, sounds on the surface to be just an extension of innovation. Instead of innovating within industries, you disrupt their existing models to innovate outside of the parameters they are forced to work within. Some of the most famous disrupters obviously include Uber and AirBnb, but you could include media content sites such as Buzzfeed or even vaping products. All of those things have brought huge benefits to their customers, delivering services that are a closer, more precise fit to their needs. However, all of this was done by benefitting from the other aspect of disruption, which is talked about a lot less:

Disruptor companies often get to ignore existing regulations that exist for the industries they are disrupting.

That’s why Uber gets to be successful: because they avoided having to abide by the same rules as taxi companies, AirBnb avoided rules around hospitality and vaping companies avoided health regulations. They all take advantage of gaps in the law. You may say “good for them, I love what they do”, and it’s true many industries have not evolved cleanly; they have more and more outdated regulations and they no longer meet the needs of their customers. However, by dancing through the gaps in the law, the customers and employees remain exposed by the lack of the protection those laws were put in place to enforce.

I may choose to book an Uber or an AirBnb, assuring myself I know of the risks I take in doing so, and you may do the same, but regulations are there to protect everyone, even people who don’t understand what they are giving up in using an unregulated service.

I realise this isn’t news to anyone. You all know this and have your own opinions, but for me I had to think it through. I believe in innovation, I believe in the importance of disrupting existing established and outdated working practices, but I don’t support slicing through protections that are there for customers and employees in order to achieve a goal. If regulations need changing, if services need to be different, then disruption needs to happen by innovating within those existing parameters or campaigning to change them.

Our company has always worked to deliver innovative systems and to rebuild and rethink existing processes, and we continue to do that. So where does this take me? I have more thoughts on that, but maybe for another day.