iTunes and the Unexpected Security Threat

While known for its hardware and OSX operating system, Apple also produces software that's used across multiple platforms--not just Macs. One of the most successful examples of this is iTunes, the free media content management system first released in 2001. In 2010, Apple reported that there were over 160 million accounts worldwide with its iTunes store (which sells digital music, TV shows, movies, apps and books); the number of installs of the software likely surpasses that total by a significant amount. If you are an IT professional, you know that iTunes arrives pre-installed on all Apple computers, it's baked into all iOS devices (iPhones, iPods and iPads) and many Windows PC users immediately install iTunes for the management of their iPhones--if not to listen to streaming music. As far as software goes, the IT community has generally looked at iTunes as a ubiquitous program that's relatively benign. If you're looking for security threats, web browsers and e-mail clients are probably where you focus your attention.

Unfortunately, the widespread popularity of iTunes hasn't gone unnoticed by cybercriminals and companies that produce gray-area products like surveillance software. As a result, there have been a number of issues related to iTunes that have made news in the past year. While the general public might have taken some notice about a problem with iTunes account scamming, most people likely remain in the dark about FinFisher. However, if you follow computer security trends online, you're no doubt aware of both of these issues and have probably taken appropriate measures already. FinFisher, in particular, illustrates why it is important for IT professionals--especially those who bear responsibility for maintaining an organization's computer and network security--to follow the analysis of online security experts. Finding out about a potential computer security threat by reading about it in a headline may be too late, and questions from management about a virus or malware that you've never heard of do not inspire confidence. By the time an issue hits the news, management wants reassurance. They want to know that you're not only aware of the threat, but that you've been tracking it for months, you can explain it in detail and, most importantly of all, that you already have protective measures in place.

Back to iTunes--you might have encountered questions in the hallway about account hacking. There have been a number of issues reported in the past year about the compromising of iTunes accounts, with the victims having their balances emptied. There have been several explanations, from outright hacking of Apple's servers to phishing for account passwords, but no one seems to have definitive answers at this point. One app developer purportedly conducted a scam in which he purchased 400 stolen accounts and used them to buy his own app, thereby boosting his sales numbers. If questioned by staff about the best way to defend against this, your best bet is probably a talk about using effective passwords and how to avoid falling for a phishing e-mail.

FinFisher is another animal altogether and one that poses a far greater threat to corporate and personal computer security for both Mac and Windows PC users. If you are in any way involved with computer security, you need to stay on top of FinFisher. The news broke as part of the Wall Street Journal's story on government surveillance of computer users and became associated with iTunes after discovery of promotional material claiming that FinFisher had used iTunes in the past--notifying an iTunes user of a fake software update that was then downloaded because it was simply assumed that the update was a legitimate one issued by Apple. Since iTunes updates are released multiple times every year (at time of writing, the software is on version 10.5.1), and iTunes hasn't been high on most IT departments' lists of products that could be a security risk, the update didn't trigger any alarm bells.

Although FinFisher is marketed toward security organizations for fighting criminal activity and terrorism, the fact that it is commercially available is cause for concern. Apple subsequently released an iTunes update designed to foil a similar exploit in the future, but cybercriminals can still use FinFisher to fake software updates from other software packages that receive frequent updates, such as Adobe's Flash. The lesson is that IT security pros need to keep on top of the news on security threats, a very active scene that changes daily and sometimes involves the least expected delivery vectors.