Blog

Million dollar hack

Hacking is becoming big business, so does your business need to react?

“Apple iOS, like all operating systems, is often affected by critical security vulnerabilities; however, due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple’s iOS is currently the most secure mobile OS. But don’t be fooled, secure does not mean unbreakable, it just means that iOS currently has the highest cost and complexity of vulnerability exploitation and here’s where the Million Dollar iOS 9 Bug Bounty comes into play,” said the firm Zerodium on their website last year!

A few months ago, this announcement created a tremendous buzz inside the hacking community. Being paid one million dollars to make a browser-based hack on Apple iOS9 can be interpreted either as a very interesting challenge or, once again, as obvious evidence that hacking has now officially become big business - whether you’re looking from the white or the black hat perspective.

Indeed, iOS9 on the iPhone and iPad is today considered to be the most secure mobile platform out there. But one million dollars is an awful lot of money, and because the potential bounty is so significant, hacking is now attracting some of the smartest talent from IT and development, particularly when their current salaries are pretty low…

So, as a business, how should you react to the increasing threat level? How should you react to an attack?

Obviously, you (or your security service provider) aren’t going to immediately detect everything that happens during an attack, but as long as you detect (and, crucially, correctly identify) enough of an attack to stop it in its tracks, that counts as success. Detection is the most costly internal activity, followed by recovery*. That’s one of the main reasons why I encourage companies to rely on a specialist security services provider, who will offer 24x7x365 security operations, using a dedicated Security Operations Centre (SOC).

Based on various conversations I’ve had with enterprise customers, organisations are increasingly looking to automate the protection process, along with implementing continuous vulnerability detection and network surveillance. Security is moving from being akin to an old fortified castle to being more like an airport, with a traffic control tower constantly monitoring the comings and goings, ensuring your security never sleeps.

Toll fraud management is another example of how security is changing. We often proactively encourage our customers to adhere to our ‘rules of engagement’, performing a vulnerability assessment and implementing a telephony estate lockdown. The purpose is to assess the vulnerability of the customer’s IP telephony estate to unauthorised access or weak security parameters across their network. Our procedures are designed to be non-intrusive and are intended to validate that the security configuration controls protecting those systems are aligned with current industry best practice. And you wouldn’t believe how many people still use terrible passwords, like ‘123456’ or ‘password’, to safeguard their most sensitive data or protect access to their phone device, despite countless warnings!

Oh, and by the way, the million dollar bug bounty has now expired! It took just over one month for a team to find and exploit a (first…) iOS9 zero-day vulnerability, and thus win the prize. The whole exploitation/jailbreak process was achieved remotely, reliably, silently, and without requiring any user interaction beyond visiting a web page or reading an SMS/MMS! How interesting (or worrying) is that?


*Ponemon Institute, 2015 Cost of Cyber Crime Study, Global.