iphone Archives - LuxSci

Posts Tagged ‘iphone’

Enhanced Security: AES-256 Encryption for SSL and TLS

Tuesday, December 1st, 2020

SSL and TLS play critical roles in securing data transmission over the internet, and AES-256 is integral in their most secure configurations. The original standard was known as Secure Sockets Layer (SSL). Although it was replaced by Transport Layer Security (TLS), many in the industry still refer to TLS by its predecessor’s acronym. While TLS can be relied on for securing information at a high level—such as US Government TOP SECRET data—improper or outdated implementations of the standard may not provide much security.

Variations in which cipher is used in TLS impact how secure TLS ultimately is. Some ciphers are fast but insecure, while others are slower, require a greater amount of computational resources, and can provide a higher degree of security. Weaker ciphers—such as the early export-grade ciphers—still exist, but they should no longer be used.

The Advanced Encryption Standard (AES) is an encryption specification that succeeded the Data Encryption Standard (DES). AES was standardized in 2001 after a five-year review and is currently one of the most popular algorithms used in symmetric-key cryptography. It is often seen as the gold standard symmetric-key encryption technique, with many security-conscious organizations requiring employees to use AES-256 for all communications. It is also used prominently in TLS.

Read the rest of this post »

Securing your iPhone’s Email – Best Practices

Wednesday, November 4th, 2020

Apple offers an array of configuration options for securing your iPhone email. However, there are a number of steps that you will have to take before your device and its emails are actually protected.

Securing your iPhone email: Protect the iPhone itself first

The best place to start securing your iPhone email is by making sure the phone itself is protected. If the phone isn’t secure, then not only could someone access your email, but they could get your documents, pictures, contacts, and everything else you have on it. They could even take over your accounts.

This first step is pretty basic, and it applies to everyone, regardless of whether you have an iPhone or an Android device. Set up a passcode or password, and Touch ID or Face ID if you prefer these methods for unlocking your device.

A strong password will be harder to crack than a shorter passcode, at the expense of convenience. Your choice will depend on how sensitive the data on your phone is. At the lower end, a 6-digit passcode should be fine as long as it isn’t too easy to guess. Why? Because after several failed attempts, Apple begins to lock the phone for longer periods before a user can make further guesses. There’s even an option that users can set so that the iPhone will erase its data after 10 failed attempts (enable that if the data on your phone is very, very sensitive).

Apple encrypts iPhone data by default, so as long as you have a sufficiently strong locking mechanism in place, attackers cannot access any of your data through the device, including your email.

In addition to these measures, you may also want to:

  • Set your screen to lock after 30 seconds or so.
  • Change your notification settings so that no email details appear on your lock screen, visible to anyone looking at your phone.
  • Make sure you still have USB Restricted Mode on. After iOS 11.4, iPhones needed to be unlocked before they could connect to a USB accessory. While this is a great feature for preventing attackers from connecting to your device when you are away from it, some users may have turned it off without realizing its significance. USB accessories are notorious for being able to exploit security issues to gain unauthorized access to phones, laptops, and other devices.

Update your iPhone and its Apps

This is another general security tip that everyone needs to take heed of. Software is never perfect, and over time, security vulnerabilities are discovered. When good developers find them, they rush out a patch to fix the vulnerability in the next update. Although some updates can certainly be frustrating, it’s important to install them as soon as possible to prevent your device from being wide open to these old attacks. This applies to iOS and to all of the apps that you run on the device.

It’s an important step for securing your iPhone email, because otherwise attackers can use the old vulnerabilities to install malware, which can then send them all of your sensitive data.

A good example of this is the Apple Mail bug discovered in 2020, which allowed remote code execution. ZecOps, the firm that discovered it, suspected that it had been used to target Fortune 500 companies, journalists, executives and others.

Other vulnerabilities have allowed attackers to break into phones simply by sending carefully crafted text messages — even if you never explicitly opened the message!

Remove unneeded Apps 

Old Apps can have security issues, as just discussed. However, even updated Apps can (a) contain unpatched security issues, and (b) contain malware that was purposefully placed there by the app designers. It is a best practice to:

  1. Delete any Apps from your iPhone that you do not need or that you never use. You can always re-download them later if you change your mind.
  2. Carefully consider what Apps you do install. Is the manufacturer reputable? Is it the one you really wanted, or one that just “looks really similar”? App designers often name their Apps and create their logos to create confusion, hoping that you will download their App instead of the one you actually want. Just search for “Zoom” in the App store. Confusing.

Securing your iPhone Email Backups

Things go wrong. iPhones break and get stolen, so it’s important to have backups of your data, including your emails. A good rule of thumb is to have three copies of everything important. One on your iPhone, one in the cloud, and another physical backup, ideally stored in a separate location to your phone (i.e., your laptop).

If you need to save all of your sent and received email messages in Apple Mail, you can archive them automatically by creating Rules. Otherwise, you can just select the important emails to archive manually.

Part of securing your iPhone email involves securing all of the backups. Presuming you use iCloud, you will need a strong password for your Apple account, and to set up two-factor authentication.

While this may be enough to protect your email backups in many circumstances, according to Apple and the iCloud Security overview:

All traffic between your devices and iCloud Mail is encrypted with TLS 1.2. Consistent with standard industry practice, iCloud does not encrypt data stored on IMAP mail servers. All Apple email clients support optional S/MIME encryption.

This means that by default, Apple is capable of accessing your iCloud Mail. As Reuters reported in January 2020, Apple routinely hands this and other data over to US Government agencies, while only offering end-to-end encryption that it can’t touch for certain types of sensitive data.

Fully securing your iPhone email backups on iCloud Mail will require S/MIME encryption for your messages, which is not reasonable.

An easy way to set up physical backups is to save your Mailbox on your Mac, or set up iCloud on Windows and save your Mailbox data. Whether you choose to keep the data on the computer or an external hard drive, the device will need to be encrypted with a strong password to secure your iPhone email backups.

Securing the Apple Mail App

Apple may have a better privacy reputation than the other tech companies, but it’s not unscathed. Unencrypted emails are also inherently insecure. While individual Apple Mail messages can be encrypted with S/MIME as mentioned above, many users may prefer to send and store their email through a service that offers a greater range of configuration and compliance options.

One solution is to use a third-party secure email provider, like LuxSci, so that:

  1. Your email messages are stored outside of Apple’s ecosystem
  2. You can have a greater range of security, archival, and backup options
  3. You can still send and receive email through your iPhone Mail App (or other third party Apps).

If you do not like or trust the Apple Mail App, iOS 14 allows you to change the default email App on your iPhone. After all, even Apple’s Mail App has had its share of security vulnerabilities. A Google search will show you a lot of email application alternatives.

HIPAA Compliance and Apple

If you are using your iPhone for work and your job requires HIPAA compliance, you should be aware that Apple’s iCloud email is not HIPAA compliant. Your organization will need to use a third-party email solution that does provide appropriate HIPAA compliant email, security, and a HIPAA Business Associate Agreement. And it goes without saying that you should not be texting or sending ePHI through Apple iMessage, either.

LuxSci offers a variety of options that are great for meeting your security and compliance needs.

Talk with our team to see how our solutions can help your organization keep its data safe and navigate the regulatory minefield.

HIPAA Alert: Contacts, Calendar Events and Tasks may contain ePHI!

Monday, February 3rd, 2014

When health care organizations review their operations to see where electronic protected health information (ePHI) is being saved, transmitted, and viewed, a great deal of time is spent on the obvious candidates: email, chat, stored files, health records, etc.

Many overlook the fact that ePHI can be embedded in Contacts, Calendars, and Tasks. Consider for example:

Read the rest of this post »

HIPAA Compliant Calendars, Contacts and Reminders – Tasks for your iPhone and Android

Wednesday, April 3rd, 2013

While use of mobile devices and tablets in medical situations is pervasive, HIPAA compliant synchronization and storage of such information is often seriously lacking. Everyone knows email can contain ePHI, but calendar appointments, address books, and task lists can and do contain just as much ePHI, and their secure use must be strictly enforced.

LuxSci’s WebAide collaboration tools, combined with MobileSync for real-time synchronization with mobile phones and tablets (and Outlook 2013), provide a simple and effective HIPAA compliant solution for synchronized mobile accessible calendars, contacts and reminders or tasks (oh ya, and email).

Read the rest of this post »

DuoSecurity: Advanced Two-Factor Login for LuxSci’s Web Interface

Friday, December 30th, 2011

Two-Factor logins require users to:

  1. Enter their username and password correctly (the 1st factor)
  2. Authenticate a second way (e.g., by entering a code delivered to their mobile phones).

Using two-factor authentication ensures that even if a user’s password is discovered, guessed, or captured, a malicious user still cannot gain access to the user’s account … at least not without also having access to the second factor.

Two-factor authentication significantly enhances the security of any system:

  • LuxSci staff use it for all administrative actions through our web interface and the server command line.
  • It is required for PCI compliance.
  • It is appropriate for HIPAA compliance.

LuxSci has long offered a simple and effective two-factor option for its web interface. Now, LuxSci also supports DuoSecurity Two-Factor authentication. This option provides many advanced user and administration features and is cost-effective (usually free) for small organizations.