Apple has released iOS 10.3.3 for the iPhone, iPad and iPod touch to the public today. Six betas of iOS 10.3.3 were rolled out to developers and the public before the final version launched. The previous iOS update — iOS 10.3.2 — was released on May 15th. Like iOS 10.3.2, iOS 10.3.3 is also a minor point release update with bug fixes and security improvements for iOS 10.3. And the larger iOS 10.3 update contained noteworthy features like a revamping of the file system, a Find My AirPods feature, Wi-Fi Calling on iCloud devices with Verizon, an Apple ID Settings menu, a Podcasts app widget, weather forecasts in the Maps app, an iCloud storage meter and new app animations.

iOS 11 Coming This Fall

And in early June, Apple hosted the Worldwide Developers Conference (WWDC) where iOS 11 was announced. So Apple is unlikely to add any major features to iOS until iOS 11 arrives in the fall. While iOS 10 emphasized improvements on Apple’s stock apps and the Lock Screen, iOS 11 will be known for productivity features, especially for the iPad. The iPad will support more app icons in the dock, a new slide over feature, drag-and-drop, a new App Switcher interface and a Files App.

iOS 11 features also include a redesigned App Drawer and Control Center, action syncing for Messages across all devices, the ability to make payments through Messages, real-time language translation through Siri, editable Live Photos, indoor mall and airport maps in the Maps app, a Do Not Disturb feature that can be automatically activated while you are driving, speaker support in the Home app, an AirPlay update for multi-room audio streaming, revamped Apple Music profiles, an App Store app overhaul, a document scanner feature in the Notes app, a one-handed keyboard mode, a screen recording feature, an automatic setup for new devices, ARKit for facilitating augmented reality apps by developers and much more.

What Is Included In The iOS 10.3.3 Update?
Apple did not provide much information in its release notes. However, the iOS 10.3.3 betas revealed some of the details. iOS 10.3.3 has only one visible change: new wallpapers for the 12.9-inch iPad Pro. There will likely be one more minor iOS 10 update with bug fixes before iOS 11 arrives. The release notes of iOS 10.3.3 simply say: "iOS 10.3.3 includes bug fixes and improves the security of your iPhone or iPad." Once I find out more specific details about the update, I will update this article.

[Image: Apple iOS 10.3.3 update]

The download size of the iOS 10.3.3 update will vary based on the device and carrier you have. But it appears to be between 80-100MB. You can install iOS 10.3.3 by connecting your device to iTunes or downloading it by going to the Settings app > General > Software Update. The iOS 10.3.3 update is available for the following devices: iPhone 5 and later, iPad 4th generation and later, iPad mini 2 and later and iPod touch 6th generation and later.

macOS, watchOS and tvOS Updates

Apple also released macOS Sierra 10.12.6 for Mac computers, watchOS 3.2.3 for the Apple Watch and tvOS 10.2.2 for the Apple TV today, all of which have minor bug fixes as well. You can update the Apple Watch with a connected iPhone while the smartwatch is plugged into the charger with over 50% battery remaining. macOS 10.12.6 is available as a download on the Mac App Store. And you can update the Apple TV through the System menu by tapping on Software Update.
A few weeks ago, Google announced a new Google Drive feature that will let users back up and sync more data than ever. Called Backup and Sync, the service will let you back up practically any file you desire, not just your beloved photos. The service is now available and you can try it on Mac and PC.
Google explains that the new tool will replace the existing Google Photos desktop uploader and Drive for Mac or PC. “It’s a simpler, speedier and more reliable way to protect the files and photos that mean the most to you,” Google says. Backup and Sync works with both Google Photos and Google Drive. You just have to select which folders to back up, and the service will do everything else. You can even set up the new app to automatically upload the files on devices you connect to your computer, including cameras, phones, SD cards, and others.

Once the backup is complete, you’ll be able to access the files from any device that has Google Drive installed, whether it’s a computer or a smartphone. Photos and videos, meanwhile, will be found inside Google Photos apps. Backup and Sync is available for free to users who have Google accounts. However, you’ll want to make sure you have enough cloud storage available before you start backing up your entire computer — read more about Google’s new service and download the new apps you need at this link. If you’re a G Suite customer, Backup and Sync will work a little differently; here’s all the information you need.

The data was exposed by a Nice Systems engineer based in Israel who forgot to secure Verizon's customer data stored in the cloud
Another day, another unsecured data storage system reveals millions of customer records. This time it's Verizon customers in the US who were at risk, and the exposure is due to a misconfigured cloud-based file repository owned by Nice Systems. According to UpGuard, who discovered the unsecured data, up to 14 million Verizon customer details were available to download by anyone who could guess a web address. Verizon has since clarified it was 6 million.

UpGuard traced the data back to a Nice Systems engineer based in the company's Ra'anana, Israel headquarters. Nice Systems provides both back-office and call center operations systems for Verizon. The Nice engineer had set up an Amazon Web Services S3 data store which was then used to log Verizon customer call data. That data included names, addresses, phone numbers, and account PIN codes. Used together, they would give a scammer everything required to pose as a Verizon customer on a call.

According to ZDNet, the data is collected from customer calls and stored by Nice Systems so that it can be analyzed to help improve the customer service experience. The log files created contain the last six months of customer call data. But why was it unsecured, and why was it the responsibility of a single engineer at Nice?

What's also worrying beyond the lack of security is the slow response by Verizon to the threat. UpGuard informed Verizon of the security risk on June 13, but it wasn't fixed until June 22. In a press release, Verizon responded to the data exposure discovery by stating, "We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information."
The release goes on to state that, "The overwhelming majority of information in the data set had no external value, although there was a limited amount of personal information included, and in particular, there were no Social Security numbers or Verizon voice recordings in the cloud storage area."

UpGuard’s Cyber Risk Team can now report that a misconfigured cloud-based file repository exposed the names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon, per analysis of the average number of accounts exposed per day in the sample that was downloaded. The cloud server was owned and operated by telephonic software and data firm NICE Systems, a third-party vendor for Verizon. (UPDATE: 3 PM PST - Both NICE Systems and Verizon have since confirmed the veracity of the exposure, while a Verizon spokesperson has claimed that only 6 million customers had data exposed).

The UpGuard Cyber Risk Team is a unit devoted to discovering data exposures where they exist, helping to secure them and raising awareness about the issues of cyber risk driving data insecurity across the digital landscape.

The data repository, an Amazon Web Services S3 bucket administered by a NICE Systems engineer based at their Ra’anana, Israel headquarters, appears to have been created to log customer call data for unknown purposes; Verizon, the nation’s largest wireless carrier, uses NICE Systems technology in its back-office and call center operations. In addition, French-language text files stored in the server show internal data from Paris-based telecommunications corporation Orange S.A.—another NICE Systems partner that services customers across Europe and Africa.
Beyond the risks of exposed names, addresses, and account information being made accessible via the S3 bucket’s URL, the exposure of Verizon account PIN codes used to verify customers, listed alongside their associated phone numbers, is particularly concerning. Possession of these account PIN codes could allow scammers to successfully pose as customers in calls to Verizon, enabling them to gain access to accounts—an especially threatening prospect, given the increasing reliance upon mobile communications for purposes of two-factor authentication.

Finally, this exposure is a potent example of the risks of third-party vendors handling sensitive data. The long duration of time between the initial June 13th notification to Verizon by UpGuard of this data exposure, and the ultimate closure of the breach on June 22nd, is troubling. Third-party vendor risk is business risk; sharing access to sensitive business data does not offload this risk, but merely extends it to the contracted partner, enabling cloud leaks to stretch across several continents and involve multiple enterprises.

NICE Systems’ history of supplying technology for use in intrusive, state-sponsored surveillance is an unsettling indicator of the severity of this breach of privacy. This offshore logging of Verizon customer information in a downloadable repository should be alarming to all consumers who entrust their private data to major US companies, only to see it shared with unknown parties.

The Discovery

On June 8th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered a cloud-based Amazon S3 data repository that was fully downloadable and configured to allow public access. The database and its many terabytes of contents could thus be accessed simply by entering the S3 URL. The repository’s subdomain, “verizon-sftp,” is an indication of the files’ corporate origins.
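The report says the bucket was "configured to allow public access" without stating whether that came from an ACL grant or a bucket policy, so the following added example (not code from UpGuard, NICE Systems or AWS) audits both for a bucket you own. It works on documents in the shapes returned by the S3 GetBucketAcl and GetBucketPolicy APIs plus the inner `PublicAccessBlockConfiguration` object; the sample documents and the bucket name `example-call-logs` are constructed placeholders.

```python
import json

# Real AWS predefined-group URIs that appear in S3 ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Return (group, permission) for each ACL grant to a global group."""
    hits = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            hits.append((uri.rsplit("/", 1)[1], grant["Permission"]))
    return hits

def public_policy_statements(policy):
    """Return (sid, kind) for each Allow statement whose principal is "*"."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if stmt.get("Effect") == "Allow" and "*" in _as_list(aws):
            # A Condition may narrow access; report it for manual review.
            kind = "conditional" if stmt.get("Condition") else "unconditional"
            hits.append((stmt.get("Sid", f"statement[{i}]"), kind))
    return hits

def audit_bucket(acl, policy, block):
    """Block Public Access flags, when set, override public ACLs and policies."""
    acl_hits = [] if block.get("IgnorePublicAcls") else public_acl_grants(acl)
    pol_hits = ([] if block.get("RestrictPublicBuckets")
                else public_policy_statements(policy))
    public = bool(acl_hits) or any(k == "unconditional" for _, k in pol_hits)
    return {"public": public, "acl": acl_hits, "policy": pol_hits}

# Constructed sample documents (not taken from the incident).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-call-logs/*"}]}""")
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, {}))          # settings absent
    print(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, FULL_BLOCK))  # settings enforced
```

Statements reported as "conditional" are not counted as public here and need a human to read the condition.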
Viewing the repository, there are six folders titled “Jan-2017” through “June-2017,” as well as a number of files formatted with .zip, among them “VoiceSessionFiltered.zip” and “WebMobileContainment.zip.” These files, inaccessible via .zip extraction, could be decompressed once the format was changed to .gzip, another file compression program.

[Image: The “verizon-sftp” repository.]

Each month-named folder contains directories corresponding to each day of the month. Within each of these day folders are a couple dozen or so compressed files. By every indication, this is a repository for the automated daily logging of files. The folder for “June-2017” records a halt to logging on June 22nd.

[Image: The daily log folders in the “Apr-2017” folder.]

Once unzipped, the contents of these daily logging folders are revealed to be sizable text files, some as large as 23 GB. Analyzing them, the general structure becomes apparent: the large text blocks appear to be composed of voice recognition log files, the records of an individual’s call to a customer support line, including fields like “TimeInQueue” and “TransferToAgent.” Pings to various subdomains of https://voiceportalfh.verizon.com further indicate the voice-activated technology producing this data.

This is not all, however. A great many Verizon account details are also included in the logs, such as customer names, addresses, and phone numbers, as well as information fields indicating customer satisfaction tracking, such as “FrustrationLevel,” and service purchases, such as “HasFiosPendingOrders.” Values including number ratings, “True,” “False,” “Y,” and “N” are assigned to each field. For a large amount of these logged calls, however, the most sensitive data—such as “PIN” and “CustCode”—is masked.

[Image: A call log, with the most sensitive data masked.]

But not all of the records have these details “masked” in this manner.
For a smaller amount of these logged calls, there is no such masking at all—revealing such details as unmasked “PIN” codes. Such account PINs are a crucial part of verifying callers as legitimate customers, ensuring impersonators cannot access and change Verizon account settings. Other fields and their answers, such as “CallCenterPassword,” indicate which account-holders have requested a higher standard of security for customer service calls to change account settings, allowing any potential scammers in possession of the logs to determine which customers would be easier to victimize. In one such text file, there were six thousand such unmasked PIN codes.

[Image: A call log, with the most sensitive data exposed (here redacted by UpGuard).]

Less immediately explicable is the presence in the S3 server of data originating from French telecoms provider Orange, another partner of Nice Systems and one with which Verizon competes in the European data market.

[Image: French-language data originating from Paris-based telecom Orange S.A.]

While it appears this internal Orange data is less sensitive, it is noteworthy to see such information included in a repository otherwise devoted to Verizon.

The Significance

The critical data repository in question was exposed not by the enterprise holding primary responsibility for the information, but by a third-party vendor to the enterprise. It was a publicly accessible AWS S3 bucket owned by third-party vendor NICE Systems that revealed the sensitive personal details of Verizon customers.

To judge by much of its website copy and marketing material, NICE Systems is indeed a company that provides technology of particular use to call centers, a crucial component of the Verizon business chain. SEC filings reveal NICE Systems to call Verizon a “main partner,” providing the telecom carrier with such software as a workforce management tracker to monitor how efficiently call center operators are using their time.
Other programs offered within the suite of NICE Enterprise software include data and voice analytics software, technology in which NICE has made significant investments as crucial to call center customers. Beyond such direct business, a series of high-profile US acquisitions by the Israeli firm have given them an even closer business relationship with Verizon’s North America operations than might be immediately apparent. In 2016, NICE acquired inContact and VPI, both firms that have in the past supplied Verizon with software for its back-office and call center operations.

In short, NICE Systems is a trusted Verizon partner, but one that few Americans may realize has any access to their data. Such third-party vendors are entrusted every day with the sensitive personal information of consumers unaware of these arrangements. There is no difference between cyber risk for an enterprise and cyber risk for a third-party vendor of that enterprise. Any breaches of data on the vendor’s side will affect customers as badly and cost the business stakeholders as dearly as if it had been leaked by the enterprise.

Beyond the sensitive details of customer names, addresses, and phone numbers—all of use to scammers and direct marketers—the prospect of such information being used in combination with internal Verizon account PINs to take over customer accounts is hardly implausible. To do so would enable impersonators to tell Verizon call center operators to do whatever was wished of them—enabling, perhaps, costly “SIM Swap” scams of customer SIM cards, or, as reported by The Verge, the breaching of two-factor authentication:

“Two-factor’s trickiest weak point? Wireless carriers. If you can compromise the AT&T, Verizon, or T-Mobile account that supports a person’s phone number, you can usually hijack any call or text that’s sent to them. For mobile apps like Signal, which are tied entirely to a given phone number, it can be enough to hijack the entire account.
At the same time, carriers have been among the slowest to adopt two-factor, with most preferring easily bypassed PINs or even flimsier security questions. With two networks controlling the bulk of the market, there’s been little incentive to compete on security.”

The prospect of a host of your applications and digital accounts being compromised from one third-party vendor’s exposure of data is not science fiction, but the unfortunate reality of cyber risk today. The data exposed in the Verizon/NICE Systems cloud leak is, indeed, a testament to how profoundly every aspect of life today is touched by those systems to which we impart so much knowledge.