FBI hack to remain secret from Apple

The FBI has no plans to reveal how they hacked the San Bernardino shooter’s iPhone, not even to Apple.

In March, the FBI announced that they would be dropping their case with Apple after having purchased a hacking tool from a third party to aid in breaking into the phone. Apple had cooperated with the FBI, but would not create new firmware to break their own encryption. The high profile nature of this case brought the debate about privacy and security to the national stage. Although there was a judge assigned to rule on the case, the FBI’s purchasing of a hacking tool put the need for a ruling to bed.

Since then, the FBI has been mum on how this hacking tool was able to be successful and how it works. Prior to purchasing the tool, the FBI insisted that it needed Apple to update the firmware in order for them to do a hack on the shooter’s iPhone. The security on iPhone only allows 10 consecutive attempts to break the passcode before all data is erased on the phone.

Apple has a vested interest in understanding the hack, because the tech company would want to patch any vulnerabilities that allowed the FBI to use this tool to access the iPhone.  Hacking into this iPhone will make all iPhones vulnerable to the same sort of attack, which ultimately puts many iPhones around the world at risk.

An Apple attorney has stated that the company has no plans to sue the government to reveal how the San Bernardino iPhone was unlocked.

The government already has policies in place, called theVulnerabilities Equities Process, which governs disclosure of security problems to companies. This policy is notoriously shrouded in secrecy, but the government is generally supportive of vulnerability disclosure in order to ensure that vulnerabilities are not exploited by malicious hackers.

The FBI has found success with this tool, but it doesn’t mean that they are in a place to support vulnerability disclosure. The agency has already made plans to argue that it does not know enough about the hacking tool that it purchased to substantively explain how it works. FBI director James Comey has revealed that his agency spent more than $1 million to obtain the tool.

Article via TechCrunch, 26 April 2016

Photo El FBI no necesita a Apple para desbloquear un iPhone by iphonedigital [Creative Commons Attribution-NonCommercial-NoDerivs]

 


Facebook exec arrested in WhatsApp case

Facebook is becoming the next tech giant to spar with law enforcement over privacy concerns.

Diego Dzodan, a Facebook executive, was arrested by Brazilian federal police on Tuesday for “repeated non-compliance with court orders”, according to a statement released by police. Brazilian police want information from a WhatsApp account that is linked to a drug trafficking investigation. WhatsApp is a messaging service that is used monthly by more than 1.5 billion people worldwide. Dzodan was taken into what the Brazilian police call preventative prison and could be held for a week or more.

Facebook wants to ensure that it maintains the privacy of its users from government intervention. In WhatsApp’s case, the company may not be able to help Brazilian authorities because it does not store users’ messages. In addition, WhatsApp is undergoing increased end to end encryption, which will make it even harder for the company to turn over user data. WhatsApp said in a statement that it disagreed with the Brazilian authorities on the case. “We are disappointed that law enforcement took this extreme step,” the messaging business said. “WhatsApp cannot provide information we do not have.”

Facebook, which bought WhatsApp in 2014 for $19 billion in 2014, condemned the Brazilian government’s move releasing this statement:

“We’re disappointed with the extreme and disproportionate measure of having a Facebook executive escorted to a police station in connection with a case involving WhatsApp, which operates separately from Facebook,” a spokesman said. “Facebook has always been and will be available to address any questions Brazilian authorities may have.”

This isn’t the first time Brazil has gone head to head with WhatsApp. In December, a judge ordered the shutdown of WhatsApp for the country for two days after not complying with a criminal investigation, but the ruling was overturned the next day.

 

Article via CNET, 1 March 2016; The New York Times, 2 March 2016

Photo: WhatsApp / iOS by Álvaro Ibáñez [Creative Commons Attribution-NonCommercial-NoDerivs]


Apple will make iPhone harder to hack

Apple has plans to make their iPhone harder to hack amid the current controversy with the FBI.

The FBI wants Apple to create new firmware that would allow them to hack into encrypted data on an iPhone that belongs to a San Bernardino terrorist. Apple CEO Tim Cook is fighting the request citing the infringement on digital privacy. He also wrote an open letter to explain Apple’s position. Now the company is thinking of taking further steps and prevent passcode-free recovery mode in future iPhones.

The FBIs current request for backdoor access to the iPhone would require Apple to create software that would allow the FBI to bypass security features that prevent hacking. Specifically, the FBI has already looked at an online backup on iCloud of the phone, but they want Apple to disable a security feature that would allow them to have as many tries as possible to unlock the phone. In order to comply, Apple would have to change their operating system to no longer have this feature, which would make millions of iPhone users vulnerable.

As this issue has escalated, Apple is looking to prevent these types of request in the future. When it comes to iCloud security, Apple encrypts its data on its servers but still owns the decryption keys. So if the FBI asks Apple for iCloud data, Apple can decrypt iPhone backups and hand them to the FBI. Now the company is thinking of changing that.

Instead, Apply may give the private keys to the customer, which would remove Apple from being able to decrypt backups. This would mean that future government request for decrypted data would not be possible, but it also means that Apply would not be able to help customers either, since they would not be able to decrypt their backups.

In the Future Apple wants to find a way to limit or do away with DFU (device firmware update) mode. Apple created DFU mode for troubleshooting purposes, such as when your iPhone doesn’t work anymore because of a broken operating system.  If such a big crash happens, Apple lets you boot your iPhone into DFU mode, so that you can reinstall a fresh version of iOS without having to enter a passcode.

DFU mode is at the center of the debate because its current design makes the FBI requests possible, if Apple chooses to make the software changes. You can currently reinstall a new operating system without having to enter a passcode. In fact this is how many jailbreak the iPhone. But, if Apple requires that you enter your passcode to enter into DFU mode, that all changes. Apple would no longer have the ability to create software that lets the government hack into your phone.

In the wake of increasing government request of user data and the revelation of NSA breaches by Snowden, Apple has make it harder to hack iPhones. The tech giant looks to stay that course and increase security for the protection of its customers and their data.

Article via TechCrunch, 25 February 2016

Photo: Tim Cook explica su postura al FBI del caso San Bernardino by iphonedigital [Creative Commons Attribution-NonCommercial-NoDerivs]

 


Apple refuses to hack into terrorist iPhone

Apple is being criticized by a British solider’s family for refusing to hack into an iPhone linked to December’s terrorist attack in San Bernardino, California.

Apple Chief Executive Tim Cook spoke out against the court order on Wednesday, calling the demand “chilling” and saying that compliance would be a major setback for online privacy. Many digital rights groups agree.  The federal government’s attempts to capture data from tech companies has been met with apprehension and fear. Just a few months ago, several tech companies started standing up to government data requests. But not everyone agrees with Apple’s stance on this issue.

Major tech companies like Facebook, Google, and Apple all want to protect their customers’ data by securing it at the highest levels. But, federal governments like the US and the UK want these companies to find ways to hack into customer hardware and accounts, arguing that privacy should not come at the expense of national security. This ongoing battle over encryption puts tech giants on one side, and law enforcement and intelligence on the other.

Fusilier Lee Rigby was off duty and walking down the street near his barracks in Woolwich, England, in May 2013 when he was the victim of a brutal attack by two men who told witnesses they were avenging the killing of Muslims by British soldiers.  Ray McClure, Rigby’s uncle, believes that Apple is doing nothing more than “protecting a murderer’s privacy at the cost of public safety.”

“Valuable evidence is on that smartphone and Apple is denying the FBI access to that information,” McClure said, arguing that a warrant to search a smartphone should be no different than a warrant used to search a property.

In the court order handed to Apple, the company was told it must assist the FBI in unlocking the iPhone linked to San Bernardino gunman Syed Rizwan Farook. In addition to unlocking the phone, The FBI wants Apple to build a new version of its iOS mobile software that would be able to bypass the iPhone’s security so that the agency could hack any device remotely. In an open letter published on Apple’s website, Tim Cook stated that Apple has been working with the FBI, providing data and advice on how to move forward. But the creation of software that would allow the FBI to bypass Apple’s security simply doesn’t exist. “The US government has asked us for something we simply do not have, and something we consider too dangerous to create,” said Apple CEO Time Cook.

Article via Cnet, 18 February 2016

Photo: Apple CEO Tim Cook by Mike Deerkoski [Creative Commons Attribution-NonCommercial-NoDerivs]


Hackers attacked the IRS

Hackers were recently able to break into the IRS and steal taxpayer identification numbers. The agency was able to detect the attack and shut it down on Tuesday. The breach means that it may be possible for the hackers to file fraudulent tax returns. The attack was done by attempting to obtain e-filing pins from over 450,000 stolen social security numbers. Attempts involving about 100,000 of those social security numbers were successful, the IRS said in a statement.

The IRS stated that the attacks did not originate in their system. It appears as though the social security numbers were stolen outside the IRS, and then used in the attack. They added that “no personal taxpayer data was compromised or disclosed” by its systems. The IRS said it will notify people affected by the attack and will mark their accounts to guard against identity theft.

All of this is part of why President Barack Obama proposed, on Tuesday, to spend $19 billion on more secure technology for the government. If approved, the funds would help in efforts like recruiting cybersecurity experts, reducing reliance on unsafe items like social security numbers. “The caliber of the enemy we’re facing is incredibly sophisticated and global,” IRS Commissioner John Koskinen told the Senate Finance Committee at a hearing Wednesday, in response to a question about the most recent hack. The attackers are professionals that steal sensitive data from their targets, government and financial institutions throughout the world.

Attacks like these have become more prevalent as more tax filing and banking is done online. In the US 150 million tax returns are expected to be filed this season, with 80 percent of them expected to be filed online.

Despite storing a massive trove of data on American citizens, the federal government has struggled to protect it from hackers. That includes the IRS, which hackers attacked last year to steal tax records of perhaps 300,000 people. The agency has even struggled with fraudsters in its ranks; on Monday it successfully prosecuted an employee for identity theft and conspiracy to commit bank fraud.

Article via CNET, 10 February 2016

Photo: Please Insert Coin by arsheffield[Creative Commons Attribution-NonCommercial-NoDerivs]


Cybersecurity is a more serious issue when children start getting hacked

On Black Friday, we learned that someone hacked into the servers of VTech, a Chinese toy-maker. He or she obtained the personal information of nearly 5 million parents and more than 200,000 children. This included home addresses, names, birth dates, e-mail addresses, and passwords. Even more, it had photographs and chat logs between the parents and kids.

Furthermore, Bluebox security discovered vulnerabilities in Mattel’s Hello Barbie, the Internet-connected version of the doll. This raises questions. How many of these toy-making companies have secure databases? How many children will be affected from lax security?

The Internet of Things- devices that are connected to each other and the internet- has no real regulations. This is just toys; it includes appliances, cars, and unconnected digital and semi-analog devices. Companies don’t feel obliged to invest time, money, and effort into keeping securing their devices. There aren’t any international guidelines. On top of that, these companies are not required to tell consumers what information they are gathering and how they will protect it. Fiat Chrysler Automobiles had known about their security vulnerabilities with their touchscreen and Uconnect systems yet they didn’t bother fixing the issue until  Wired Magazine and The Post published articles showing how vehicles can be hijacked while the driver was at the wheel. In other words, hacking can be a life-threatening issue.

Children are especially vulnerable to cyber attacks. It is also an emotionally charged attack because parents feel responsible for their kids. Just last year, Fox 19 reported a man hacked into a baby monitor in a home in Cincinnati, Ohio and started screaming “Wake up baby!” at a 10 month old child. The parents were horrified.

VTech did quickly admit that their security was not up to par. However, they had no real incentive to worry about security. VTech earns about 2 billion dollars in revenue and their Internet-connected toys are among the fastest area of its growth. According to Vivek Wadhwa, fellow at Rock Center for Corporate Governance at Stanford University, a potential solution to prevent breaches from happening is to raise penalties for lax security. Him and his colleagues also researched how they can mandate businesses to create systems that allow the consumer to control their own data. One proposal was that they create a system that allows people to manage their data by connecting their devices to a “personal dashboard”. Similar projects have been implemented such as OpenSensors and Wolfram Connected Devices Project.

Wadhwa concludes that “it is important to set standards now and ensure a safe cyber world for our children and ourselves.”

UPDATE: Police arrested a 21-year-old man on Tuesday as part of the investigation on the hack against Hong Kong-based toy-maker VTech. VTech previously said it is “cooperating with law enforcement worldwide” and that Mandiant is reviewing how the company handles customer information so it can “further strengthen” the security of that data. (Read the full article here)

Article via Washington Post, December 11, 2015

Photo: Vtech Video Painter circuit bent by ASMO via asmo23 [Creative Commons Attribution-NonCommercial-NoDerivs]