Ulistic Projects Blog

Apple is yet to disclose how much it is going to reward a 14-year-old U.S. teenager for discovering a massive security breach on its FaceTime video call system. It is believed that part of the reward money will be set aside for his high school education fund.

On Thursday, Grant Thompson noticed the group FaceTime bug while on a video call with his friends. Apparently, they were discussing different strategies they could implement on Fortnite, a 3D video game which is widely popular among the teenage demographic.

Upon contacting Apple, necessary action was taken and the iOS 12.1.4 iPhone update was then released on Thursday. Prior to the discovery, an unknown security researcher noticed the presence of the FaceTime bug but was unwilling to come out with it, since Apple had not put a bounty on offer.

Missed Opportunity

Towards the end of January 2019, details of a suspicious bug on FaceTime emerged. A couple of users noticed suspicious activity on the widely used video call system among iPhone users.

Sometimes when they contacted friends and family, they could distinctly hear what was happening on the recipient’s end (regardless of whether they answered the call or not). Apple got word of the bug and immediately disabled the recently-launched group Facetime feature on iOS phones.

Earlier that same month, the teenager and his mother phoned the trillion-dollar company with a similar potential security threat. As expected, Apple considered the 14-year-old’s discovery a hoax and thought the boy was craving attention.

The problem was uncovered by Grant on one of his group FaceTime video calls. When Thompson’s plea was given a deaf ear, his mother, Michele Thompson stepped in and repeatedly reached out to Apple via social media and emails. For some reason, Apple was adamant to heed to the vulnerability in their FaceTime feature.

Ever since other users of the video call system came out with a similar bug issue, Apple has credited Grant, who hails from Catalina, Arizona, with this major finding. Grant’s name went viral hours after Apple released a software update to counter the bug’s detrimental effects.

About the Update

The iOS 12.1.4 is the latest update from Apple for all iPhone 5S phones, iPad Air devices and the 6^th generation iPod Touch. A week ago, Apple disabled Group FaceTime when news about the bug emerged.

Apple noted in turn that it solved a similar unknown issue some time ago in FaceTime’s Live Photos feature. On Friday, Apple reported that it solved the major security flaw on its servers. It would also release an advanced software update to re-activate Group FaceTime.

iOS 12.1.4 release notes state that there was an existence of a logic issue in Group FaceTime. It was also emphasized that the bug was fixed with “improved state management”. On Thursday, as of 10 a.m., the system status page of the massive tech company noted that Group FaceTime’s restoration was successful.

iPhone users can update their gadgets by doing the following:

• Open settings
• Tap on ‘General’.
• Select Software Update
• Download the update

Once the download is complete, your iPhone will automatically install the new software.

Swift Security Measures

A representative for Apple had this to say in regards to the update and the reported bug: “In regards to the bug that has noticeably established its presence in the FaceTime feature, a security audit has been conducted by our team. Additional updates have been made to not only the Group FaceTime app, but its Live Photos feature as a whole in a bid to enhance our security. This will go a long way in securing our customers who are yet to upgrade to the latest software”.

The representative also revealed a major server upgrade to block older versions of macOS and iOS from making use of FaceTime’s Live Photos feature.

For a global company that is keen on preserving users’ personal information, the bug was a huge misstep. Tim Cook, Apple’s CEO, has often advocated for increased regulation of privacy. In the recent past, he has subtly called out companies that utilize their customer’s vital data for the creation of personalized ads. In this case, it’s safe to say that Apple is not so perfect either.

Apple’s bug bounty program

Apple missed a massive opportunity to solve the FaceTime bug problem soon enough. Based on reports from The Wall Street Journal, as early as the start of January, Apple received warnings from a concerned teen but decided to do nothing about it.

Fortunately enough, before the issue escalated to something even more serious, more and more users noticed the flaw and issued a public outcry to the company.

Apple has offered its sincerest apologies to the teen and his family and is yet to fully reward them for their vocal assistance on the bug issue. The company is not willing to share the exact amount they will pay, but it will be substantial enough to see Grant through high school, according to a report by Reuters.

In regards to this incident, Apple developed the ‘bug bounty program’ in late 2016. In most cases, researchers can receive more than a hundred thousand dollars for reporting bugs early enough. One of the first people to receive substantial compensation from the program was 19-year old Luca Todesco.

In that same year, Facebook followed suit and rewarded a 10-year-old Finnish youngster a whopping $10,000 in bug bounty. The boy allegedly figured out how to delete anonymous users’ comments from all Instagram servers.

Aside from Grant Thompson, a 27-year-old software developer from Texas by the name of Daven Morris was also credited. Unlike Grant, Mr. Morris reported the problem several days after it was already made known.

Either way, Apple rewarded the young man for noticing the problem soon enough.

Cybersecurity threats have shown no signs of slowing down, and small and mid-sized organizations are expected to be more heavily targeted going forward. Although splashy headlines about Fortune 500 companies suffering breaches may lead some business leaders to think that hackers are after big corporations, cybercriminals are just as likely to steal data or infect your system with ransomware.

It’s important to keep in mind that these nefarious people are nothing short of petty crooks, and they look for systems that can be breached at every level. That’s why it’s in every business’s best interest to have a high-caliber cybersecurity specialist in place.

If you own or operate a local small or mid-sized outfit, you may be mulling over the cost-to-benefit ratio of outsourcing your cybersecurity defenses. Consider these key reasons why outsourcing to a locally-based cybersecurity specialist makes sense.

Hiring A Talented, Full-Time Expert Proves Difficult

There is a school of thought in business that having your own team in place would be more beneficial than outsourcing. The arguments for that position include having control over work-hours, in-house supervision, and the ability to review performance. The clincher is often that decision-makers know the person managing the tasks.

This old school thinking is often tried-and-true when hiring for profit-driving positions. It’s difficult to imagine outsourcing a sales team or other critical positions, but cybersecurity is not necessarily an old school job. It remains highly unlikely that a small or mid-sized organization has a supervisor in place to train cybersecurity specialists like they would a salesperson or other full-time posts.

A cybersecurity expert has years of education and training under their belt. They also are tasked with keeping up-to-date on the latest hacker methodologies and tools. It’s just impractical to have an in-house professional stay abreast of the fast-changing threats and keep your systems secure. Even if your company invested heavily in a full-time cybersecurity specialist, in all likelihood, they would be wooed away by other opportunities resulting in turnover.

The difficulties associated with filling a cybersecurity position and keeping that person does not make good business sense. It’s far better to outsource the cyber defense work to a local company staffed by experts. Why pay for a full-time person with benefits when you can contract with a local expert?

Benefit From Real-Time Industry Intel

Along with keeping a stable expert to protect your systems, local cybersecurity outfits are tasked with keeping tabs on real-time cyber attack methods. Outsourcing your technology and data protection to a cybersecurity specialist allows small and mid-sized organizations to have a critical risk assessment performed by a consultant that has hands-on experience.

Cybersecurity experts offer business leaders an opportunity to protect and defend critical data and communications in ways that might not occur to even the best in-house IT staff member. Enhanced knowledge and training can help identify cracks in your cyber defenses, inconsistencies in the password or login protocols, and advise you about forward-thinking employee policies.

It is not uncommon for hackers to target employee email and devices as a way to infiltrate a company’s data and personnel files. Given the fact that the methods hackers use change quickly, it’s imperative to an organization’s survival that a vigilant line of cybersecurity defense remains in place. Working with a local company that specializes in cybersecurity brings expertise to the table many outfits might not be able to afford otherwise.

BYOD Is Becoming Commonplace

The line between employees using company devices and personal ones has increasingly been blurred. Millennials tend to be of a mind that their device is just as, if not more suitable for professional tasks. In many cases, that probably holds true.

This new era of “Bring Your Own Device” poses a more significant challenge to organizations that merely have team members on fixed in-house desktops. These days, valuable staff members prefer to use their own mobile device, laptop and work from home options. This emerging tech reality inherently increases potential entry points for cybercriminals. In the BYOD business world, cybersecurity requires employees to be more educated about protocols and have a working knowledge of how and why they are being implemented and routinely changed.

Hackers are not necessarily working night and day to skip off with a big criminal payday. They are more prone to identify outfits with poor or low-level defenses. While cybercrime profit can be gained by breaching a major corporation with a strong defense, it may be a lot easier and more lucrative to knock off small and mid-sized organizations that are ripe for the picking. Outsourcing to a specialist can prevent you from becoming the low hanging fruit.

Data Breaches And Lawsuits

Captains of industry often think of cybersecurity as a way to protect their trade secrets, critical data and avoid costly work stoppages. While all of those ideas have merit, there’s another level of cybersecurity that CEOs and other decision-makers do ordinarily understand. You could face civil litigation if a hacker breaches your system.

That idea seems incredibly counterintuitive. Why would you — the victim — be sued? The simple reality is that businesses use technology for company-to-company communications and file transfers on a regular basis. When one system suffers a breach, access to others in the network may become available to the cybercriminal.

Just as your organization is responsible for bringing a safe product to market or shoveling snow off your doorstep, you could be held liable for not adequately securing critical data and access. Along with your business reputation taking a significant hit, previous clients and associates may be looking to recoup their losses from you. Civil litigation can prove costly unless you have taken industry standard measures to protect your system.

Hire A Local Expert Cybersecurity Specialist

Cyber attacks are an ongoing reality of living and working in the technology era. Organizations of all sizes and sectors are routinely tested by hackers to see if their cybersecurity defenses can withstand an assault. Cybercriminals are not going away any time soon and unless you want to risk shuttering, it’s time to contract with a cybersecurity specialist to protect your vital business interests.

Advanced Data Governance (or ADG) is a tool from Microsoft. Available to be used within Office 365, this tool assists businesses in meeting compliance requirements and managing risk. Most of all, it helps organize the massive amounts of data that companies are now dealing with.

Each quarter, the data owned by a given business grows by exponential rates. Over time, organizations are met with the challenge of organizing this unstructured data. Moreover, they are challenged to be able to find pertinent data, retain sensitive and important data, and safely destroy or archive obsolete or otherwise useless data. These are the pain points that Advanced Data Governance aims to handle.

According to Microsoft, the goal of ADG is to help companies:

• Assess their current compliance status
• Protect their current and future data
• Respond to requests

Other goals include:

• Reducing costs across the board
• Maintaining business continuity

What is the Advanced Data Governance dashboard?

The dashboard of ADG is where most of the magic happens. Here, companies can clearly see a visualization of their data, along with helpful widgets, which explain key features about data status. This is useful as it can help companies decide what data or cross-sections of data to keep and which to discard.

How does ADG help companies meet compliance?

A particularly useful element of ADG is that cloud intelligence assists in recommending policies. All companies have their own rules and regulations to comply with. For EU businesses, for example, GDPR rules need to be observed. According to whatever rules and regulations a business must comply with, Advanced Data Governance is able to quickly filter through everything in order to detect the appropriate data. In doing so, any policies set up by the company can be applied to the pertinent data in one easy action.

Applying a given policy may mean retaining all data that meets that policy’s criteria, or it may mean automatic removal of a given set of data. When detecting data via a policy, any type of criteria can be used. Most of the time, keywords are used to search and sift through data; however, some companies may choose to use financial, healthcare, or PII related information to conduct searches.

An added feature of ADG is its ability to apply policies to all Microsoft Office 365 services, including Exchange, OneDrive, and SharePoint. This streamlines all enforcement of policies.

What are ADG labels and event tags?

Labels can be created and applied easily in ADG. Each label denotes specific data retention actions. For example, you may create a label that retains all employee record data for a select period of time. You can choose to apply these label policies to all Microsoft services or only to select services.

Event tags allow companies to start certain policies on specific dates as it’s not uncommon for policies to only need compliance during certain periods of time (during specific employment periods, mergers, events, and more).

How Can Advanced Data Governance Help Your Company?

Allow Microsoft’s Advanced Data Governance to help your company regulate and meet compliance, manage risk, improve data organization and understanding, operate more efficiently, and increase revenue. It’s an excellent tool for businesses who are noticing an upsurge in data volume and structural issues.

If you own or manage a company and are considering outsourcing your IT services, you’re on your way to markedly reduced expenditures and greatly improved cybersecurity and technology.

Still wondering about the benefits of outsourcing IT? Not sure how to go about hiring a managed IT service provider?

We’ve got you covered. Let’s start with what IT services are and why you need them.

What are IT services?

When it comes to virtually any type of business in the world, technology is a critical part of operations.

First, you must be online with a top-quality website and a consistent social media presence. Next, you need technology for your employees and daily operations: computers, printers, copiers, adequate data storage and backup, unique software programs, and more. Finally, everything must be protected with excellent cybersecurity.

All of these things encompass your business’s IT services or information technology services.

Why should you outsource IT?

Most businessmen and women start their businesses with the mind that they can do anything they set their mind to.

While this is an excellent mentality to have and provides the necessary motivation to start a booming business, it’s also important to know when to ask for help. Nowhere is this more pertinent than with information technology, or IT.

Unless you are specifically in the business of providing information technology yourself, this means you’ll have to have a strong team of IT specialists on your side.

In-house IT departments are generally only a viable option for expansive businesses who will have enough work for the IT staff to do on a daily basis. Therefore, the better solution for most companies is to hire a managed service provider or MSP.

These companies provide all different levels of IT support to their customers (businesses and organizations like yours). Their main goals are to make your life easier and to help your business grow and thrive.

What are the benefits of outsourcing IT?

1. You’ll have access to the best talent pool and technology.

Professional IT companies handle technology all day. All specialists working at MSPs are trained in their specific area of tech, and they stay updated on the latest in cybersecurity, technological hardware and software advances, updates to data cabling practices, and more. Moreover, whenever you need updated software or hardware, MSPs know the most effective and affordable options.

2. You can choose your level of service.

Most MSPs offer different tiers of service. You choose your level of service and pay a flat, monthly, quarterly, or yearly fee for them to provide whatever services are in that tier. Sometimes, businesses simply hire MSPs to be “on-call” when they need them. MSPs cater to you.

Because of this, you can basically pay for exactly what your business needs. If you own a large business and constantly need IT service assistance, choose a more hands-on level of service. If you only occasionally need help with an IT problem and generally just need someone to help you hook up new computers, networks, or equipment from time to time, choose a lower tier of service. You can also change levels of service, based on your changing needs.

3. You’ll reduce costs across the board.

MSPs only work when you need them, so you’re paying for what you need and not for downtime.

It can be expensive to hire, train, and consistently employ an in-house IT team. Moreover, in small and mid-sized businesses, these staff members generally have a lot of downtime. Hiring an MSP makes more fiscal sense in the long run, and you’ll undoubtedly get better service.

4. You won’t have to micro-manage an IT team.

MSPs take care of you; that’s their job. Unfortunately, in many cases involving an in-house IT department, it’s the manager or director who is taking care of the tech team and micro-managing their day-to-day tasks. This leaves little time to actually run the business.

The whole point of hiring an MSP is to lessen your workload and anxiety. You should be able to hand over the “tech reigns” to an MSP and let them keep your business in a continuous flow of utility, without hitch or interruption. This is what they’re trained to do without your involvement.

5. You’ll improve your compliance.

Meeting compliance is a major pain point in many industries. Government rules and other regulations are complicated and always changing. An MSP can take on this burden for you and set you up with the software you’ll need for perfect compliance and greatly improved risk management.

6. You can stop worrying about security risks.

A large part of an MSP’s role is to be aware of current cybersecurity threats. With many businesses and organizations, personal and private data is being stored. In the event of a security breach, this data could be stolen, destroyed, held for ransom, or otherwise tampered with.

If it is employee data, a breach like this could mean loss of faith in the company and even lawsuits. The same goes for loss of client and customer data — or patient data in the case of health care providers. In these situations, whole businesses can collapse.

Fortunately, cybersecurity is best handled by professional MSPs. These experts know the current strategies hackers are using to obtain login information and sensitive data. They will construct a thick barrier between you and any potential threats. Moreover, they’ll be monitoring your security 24/7, so if something does happen, they can nip it in the bud as soon as possible.

Should you simply manage IT yourself?

We don’t recommend that. Again, entrepreneurs and leaders in business are unique creatures in that they genuinely feel that they can accomplish anything they set their minds to. We’ve already covered why this is absolutely excellent for getting great business ideas, bringing them to fruition, and creating businesses that thrive and grow. But at certain times, it is critical that you release the mentality that you should handle it all.

As an owner or manager, you simply don’t have time, and your talents and abilities should be put to better use than managing IT. While we will assert time and again that information technology is absolutely essential to your business, it is crucial that you find the best-managed service provider to assist you in handling your IT. Do what you’re best at and leave the IT to MSPs.

How do you find an IT services company?

There are high-end, professional managed service providers all over the nation, so simply search for MSPs in your area. Many urban areas will have a long list of MSPs, but they’ll cover a big swath of rural towns in their service area. Once you find a few MSPs that you like the look of, set up appointments with each one to find an MSP that meets your unique needs.

When people go to their doctors, they assume their information is protected. They freely and willingly provide personal information, like social security numbers. Their primary concern is their health and so they literally trust their lives in the hands of medical professionals and providers. This assumption that patient data is protected may be derived from the assumption that medical facilities are all aligned and in compliance with Health Insurance Portability and Accountability (HIPAA). Everyone signs the HIPAA forms and so everyone assumes — even without thinking it — that they are protected and that the medical facility and/or medical providers are in compliance. Indeed, medical providers may believe they are in compliance and their patient data is protected until it happens: the data breach. Instantly, hundreds and thousands and even millions of patients’ information is compromised. Not to mention: the medical entity where the breach occurred may be held liable for it.

Breach of Patient Data Already Making Waves in 2019: The Example of Valley Hope Association

Just recently, a data breach was investigated and confirmed at Valley Hope Association. It’s a Kansas-based nonprofit organization that treats patients with drug and alcohol addictions. They have 16 facilities located in seven states:

1. Arizona
2. Colorado
3. Kansas
4. Missouri
5. Nebraska
6. Oklahoma
7. Texas.

Patients number in the thousands across these seven states. As of the last week of January 2019, the organization has been notifying these patients — former and current — that there was a data breach and their information may have been accessed.

It all started in October 2018. An employee’s email account had suspicious activity. The investigation commenced with this employee’s email account. On November 23, 2018, it was confirmed: a cybercriminal hacked into the employee’s email account, and from there, was able to access patient information. The information compromised includes:

• Social security numbers
• Dates of birth
• Financial account information
• Patient claim or billing information
• Driver’s license or state identification card numbers
• Health insurance
• Medical records
• Medications, and
• More.

These kinds of breaches are the beginning of identity theft. When it happens in medical facilities, it is all the more stressful because these are patients dealing with health issues. Identity theft is not a matter they want to deal with on top of their health issues. Following the breach, Valley Hope has taken two steps:

1. It has provided its patients with free credit monitoring and identity protection services; and
2. It has added additional security measures designed to secure patient data.

Unfortunately, the Valley Hope Association’s breach of patient data is not an isolated event. Many other medical facilities across the country have experienced data breaches. Examples of patient data breaches that occurred in 2018 include:

• Catawba Valley patient records were breached by three phishing hacks.
• Centers for Medicare & Medicaid Services (CMS) confirmed 75,000 people were affected by a data breach in the ACA portal.
• Minnesota Department of Human Services was the victim of two phishing attacks affecting 21,000 patient records.
• Fetal Diagnostic Institute in Hawaii was the victim of ransomware attacks resulting in data breaches of 40,800 patient records.
• Legacy Health, an Oregon-based health system, experienced phishing attacks that led to 38,000 patient record breaches.
• Augusta University Health confirmed in 2018 that 417,000 patient records had been breached.
• UnityPoint Health experienced two large data breaches in 2018, exposing 1.4 million patient accounts to hackers.
• LabCorp confirmed millions of records have been compromised and are at risk due to the hacking that forced a network shutdown.
• A Missouri-based Blue Spring Family Care facility was the victim of ransomware malware, which put 45,000 patient records at risk.
• Banner Health breach in Arizona compromised around 3.7 million patient records.

These are just a few of the many security breaches of patient data that occurred in 2018. As can be understood from these examples, healthcare is a lucrative target for hackers, and as technology advances, so do the hackers’ capabilities. That’s why it is imperative that medical facilities, providers, and professionals take steps to ensure their outsourced IT services providers offer all the latest technology to secure patient information.

What does HIPAA say about patient data protection, responsibility, and consequences?

The HIPAA Privacy Rule sets out to protect “individually identifiable health information” in the possession of a covered entity or its business association regardless if this health information is in electronic or paper form or transmitted orally. Covered entities include:

• Health plans
• Health care clearinghouses
• Health care providers “who electronically transmit any health information in connection with transactions for which the [U.S. Department of Health and Human Services (HHS)] has adopted standards.”

The individually identifiable health information is known as protected health information or PHI. According to HHS, PHI includes demographic information relating to:

• “an individual’s past, present, or future physical or mental health or condition
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.”

Covered entities must take measures to protect PHI. Traditionally, a covered entity breached HIPAA regulations when PHI was accessed by an unauthorized person due to unsecured PHI. When this happens, the covered entity is responsible for a breach in HIPAA regulations. But this responsibility is not as straightforward when the breach is made by ransomware or other malware activity. If the covered entity is found to be in violation of HIPAA due to these data breaches, then heavy financial fines may be imposed along with other required corrective action. Depending on the size of the entity and the amount of the fine and other imposed penalties, a data breach could be detrimental not only to the patients whose information was compromised but to the survival and existence of the facility, provider, or professional.

What can medical facilities do to safeguard their patient data?

Medical facilities or any covered entity and their business associates have options when safeguarding their patient data. These options should be interpreted into a plan of action.

• First and foremost, these facilities must comply with HIPAA regulations.
• Second, they must comply with HIPAA regulations by ensuring they are using the most advanced technologies to safeguard patient data. New technologies develop on a regular basis. You should hire an IT team or outsource your IT needs to an IT services provider who regularly keeps up to date with advancements in technology and consistently implements the technology into their services. If you hire such a team, you can rest assured that data is being protected to the best of technologies’ capabilities.
• Third, covered entities and their business associates must thoroughly vet their IT Team and/or third-party IT services provider. There have been cases in 2018 where breaches were made by tech vendors and other third-party IT services providers, e.g., the case of MedCall Advisors in North Carolina.
• Fourth, policies and procedures should be in place to ensure that on an ongoing basis, best practices are honored to safeguard PHI. These policies and procedures should apply to all staff, employees, medical professionals, and the IT team — even if IT services are outsourced.

Ultimately the responsibility comes down to the party in possession of the patient data and covered by HIPAA regulations. Don’t let what happened to Valley Hope Association happen to you. Start the new year off right: make sure your PHI is secure and safe.