FBI-Apple showdown ends

Just before a court hearing scheduled for Tuesday, the FBI decided to pursue an attack method that would not require Apple’s assistance. This effectively put the FBI’s case on pause, and created an anti-climactic end to the battle between the government and the tech giant over hacking into the San Bernardino shooter’s iPhone. A U.S. District Court in California ruled that good cause had been shown by the government for the delay and ordered it to file a status report with the court on April 5.

Originally the FBI had wanted Apple to write software that would change the number of password attempts that could be made before the phone erased itself. Currently, an iPhone will be erased after 10 unsuccessful attempts with the wrong passcode. The FBI stated that it would need Apple’s help to get around this hurdle, but apparently that has changed. This leaves many to wonder how the agency might defeat the phone’s security.

“You can always attack the phone while it’s running. There are hundreds of people in the world, if not more, who can do that,” said Rod Schultz, vice president of product at Rubicon Labs. “They can attach a debugger to the device, and modify the instructions that are doing the policy check,” he told TechNewsWorld.

The password also could be recovered through a technique known as NAND mirroring. It requires making a copy of the iPhone’s memory. Then, after 10 wrong password guesses erased the phone’s contents, the memory would be reloaded into the phone and the FBI could take 10 more tries at cracking it. That process would be repeated several times until the FBI was able to hack into the phone. The downside is that it takes a long time, and that is mostly why the FBI didn’t want to do it.

There is some skepticism about the reasons why the FBI asked for the delay. “Those of us who are watching both the technology arguments and the legal arguments are somewhat skeptical of the claim that the FBI suddenly discovered they could get into the phone,” said Mike Godwin, general counsel and director of innovation policy at the R Street Institute.

“The legal arguments that Apple produced were quite strong,” Godwin told TechNewsWorld. “I think the FBI was worried it was going to lose based on the legal arguments.”

As for Apple, its public stance is that the issue must be settled outside the courts. “Tim Cook has never said Apple will never cooperate with the FBI,” observed R Street’s Godwin.

Article via TechNewsWorld, 23 March 2016

Photo: The Apple – FBI Electronic Encryption Fight RGB Triptych v1.3 by Surian Soosay [Creative Commons Attribution-NonCommercial-NoDerivs]


Hackers attacked the IRS

Hackers were recently able to break into the IRS and steal taxpayer identification numbers. The agency was able to detect the attack and shut it down on Tuesday. The breach means that it may be possible for the hackers to file fraudulent tax returns. The attackers used more than 450,000 stolen Social Security numbers to try to obtain e-filing PINs. Attempts involving about 100,000 of those Social Security numbers were successful, the IRS said in a statement.

The IRS stated that the attacks did not originate in its systems. It appears as though the Social Security numbers were stolen outside the IRS, and then used in the attack. The agency added that “no personal taxpayer data was compromised or disclosed” by its systems. The IRS said it will notify people affected by the attack and will mark their accounts to guard against identity theft.

All of this is part of why President Barack Obama proposed, on Tuesday, to spend $19 billion on more secure technology for the government. If approved, the funds would help in efforts like recruiting cybersecurity experts and reducing reliance on unsafe items like Social Security numbers. “The caliber of the enemy we’re facing is incredibly sophisticated and global,” IRS Commissioner John Koskinen told the Senate Finance Committee at a hearing Wednesday, in response to a question about the most recent hack. The attackers are professionals who steal sensitive data from their targets, government and financial institutions throughout the world.

Attacks like these have become more prevalent as more tax filing and banking is done online. In the US, 150 million tax returns are expected to be filed this season, with 80 percent of them expected to be filed online.

Despite storing a massive trove of data on American citizens, the federal government has struggled to protect it from hackers. That includes the IRS, which hackers attacked last year to steal tax records of perhaps 300,000 people. The agency has even struggled with fraudsters in its ranks; on Monday it successfully prosecuted an employee for identity theft and conspiracy to commit bank fraud.

Article via CNET, 10 February 2016

Photo: Please Insert Coin by arsheffield [Creative Commons Attribution-NonCommercial-NoDerivs]


Nuclear facilities unprotected against cyber attacks

A new report by the Nuclear Threat Initiative found that twenty countries with either nuclear weapon materials or power plants “do not even have basic requirements to protect nuclear facilities from cyber attacks.”

The report draws relevance from a recent cyber attack that caused a power outage in Ukraine—the first blackout ever induced by hackers. The event created international concern about the industrial sector’s susceptibility to cyber attacks.

According to Page Stoutland, NTI’s vice president for scientific and technical affairs, countries with developed nuclear programs have established safeguards against hacking, whereas nations with burgeoning programs have greater gaps in their regulatory policies. “What we have observed is what I call enormous unevenness on the global stage to address this issue,” he said.

The United States, for example, takes several precautions to keep nuclear power plants secure. Plant systems are disconnected from the Internet and specialized hardware separates business computer systems from nuclear operation computer systems to prevent hackers from infiltrating operations through the Web.

“Nothing suggests that a cyber attack executed through the Internet could cause a nuclear reactor to malfunction and breach containment,” stated a 2015 report by the Department of Homeland Security.

Other groups disagree. According to a 2013 CNN report, command and control systems of nuclear power plants could be navigated online. Moreover, a 2015 report by the London-based think tank Chatham House stated that there was an “element of denial” among nuclear power plant operators about the likelihood of cyber attacks.

“Often, nuclear facilities will have undocumented connections to the internet” that hackers can use to infiltrate nuclear systems, said Chatham House.

Article via The Washington Post, 15 January 2016

Photo: Central nuclear de Trillo by Tonymadrid Photography [Creative Commons Attribution-NonCommercial-NoDerivs]


Cybersecurity is a more serious issue when children start getting hacked

On Black Friday, we learned that someone hacked into the servers of VTech, a Chinese toy-maker. He or she obtained the personal information of nearly 5 million parents and more than 200,000 children. This included home addresses, names, birth dates, e-mail addresses, and passwords. It also included photographs and chat logs between the parents and kids.

Furthermore, Bluebox Security discovered vulnerabilities in Mattel’s Hello Barbie, the Internet-connected version of the doll. This raises questions. How many of these toy-making companies have secure databases? How many children will be affected by lax security?

The Internet of Things (devices that are connected to each other and the internet) has no real regulations. This is not just toys; it includes appliances, cars, and unconnected digital and semi-analog devices. Companies don’t feel obliged to invest time, money, and effort into securing their devices. There aren’t any international guidelines. On top of that, these companies are not required to tell consumers what information they are gathering and how they will protect it. Fiat Chrysler Automobiles had known about the security vulnerabilities in its touchscreen and Uconnect systems, yet it didn’t bother fixing the issue until Wired Magazine and The Post published articles showing how vehicles could be hijacked while the driver was at the wheel. In other words, hacking can be a life-threatening issue.

Children are especially vulnerable to cyber attacks. It is also an emotionally charged attack because parents feel responsible for their kids. Just last year, Fox 19 reported a man hacked into a baby monitor in a home in Cincinnati, Ohio and started screaming “Wake up baby!” at a 10-month-old child. The parents were horrified.

VTech did quickly admit that its security was not up to par. However, it had no real incentive to worry about security. VTech earns about 2 billion dollars in revenue and its Internet-connected toys are among its fastest-growing areas. According to Vivek Wadhwa, fellow at Rock Center for Corporate Governance at Stanford University, a potential solution to prevent breaches from happening is to raise penalties for lax security. He and his colleagues also researched how they can mandate businesses to create systems that allow the consumer to control their own data. One proposal was that they create a system that allows people to manage their data by connecting their devices to a “personal dashboard”. Similar projects have been implemented, such as OpenSensors and Wolfram Connected Devices Project.

Wadhwa concludes that “it is important to set standards now and ensure a safe cyber world for our children and ourselves.”

UPDATE: Police arrested a 21-year-old man on Tuesday as part of the investigation into the hack against Hong Kong-based toy-maker VTech. VTech previously said it is “cooperating with law enforcement worldwide” and that Mandiant is reviewing how the company handles customer information so it can “further strengthen” the security of that data.

Article via Washington Post, December 11, 2015

Photo: Vtech Video Painter circuit bent by ASMO via asmo23 [Creative Commons Attribution-NonCommercial-NoDerivs]


France wants to ban use of Tor network for public wi-fi

In the wake of the recent terrorist attacks in Paris, French law enforcement is considering banning public wi-fi. According to leaked documents by the French Ministry of the Interior, law enforcement wants to secure the Tor network when a state of emergency is declared by banning the use of public wi-fi altogether. The French newspaper Le Monde is said to have leaked the documents.

The city of Paris currently has over 300 locations that are serviced by public wi-fi and the Tor network. French law enforcement believes that public networks make it harder to catch suspected terrorists who might be using the network to communicate with each other. The Tor network allows anonymity online and has also been used as a secure network for a drug marketplace. It is currently unclear if the Tor network was used during the Paris attacks and French law enforcement authorities are cautious about its possible use for ISIS communication in the future.

Blocking the Tor network completely would present a challenge for the French government. China is the only country that blocks Tor outright. To achieve this, the Chinese government has to block public entry nodes to the Tor network. In addition, China has to look out for secret entry nodes. Unlike China, France promotes online freedom for its citizens. Therefore, blocking the Tor network would infringe on the rights of French citizens. Since French law enforcement does not know if blocking Tor will have an effect on the ability of terrorist groups to communicate, it is a big risk. Encrypted social media chat apps like WhatsApp, in theory, are easier ways for terrorist groups to communicate without worrying about interference from the government.

The debate over privacy and national security seems to have just gotten started. New legislation that includes these stipulations may be presented to the French Parliament as early as January 2016. 

Article via Mashable, 8 December 2015

Photo: Paris November 2015 via Roberto Maldeno [Creative Commons Attribution-NonCommercial-NoDerivs]


NSA ceases bulk data collection

The National Security Agency has been collecting metadata, which is information such as phone numbers and duration of calls, since shortly after the attacks of September 11. The collection of this metadata has ceased as of November 28th. So what changed?

There is a new law in place, known as the USA Freedom Act of 2015. This law is being seen as a victory for privacy activists and tech companies looking to protect their user data. The USA Freedom Act of 2015 came about as a response to the revelations of Edward Snowden, a former NSA contractor who revealed the deep surveillance of the NSA on the American people. This new law prohibits the bulk collection of phone data previously done by the NSA. Although the agency won’t keep the bulk data, investigators will still have access to these types of records when they are investigating a particular person, or targeting specific groups. The existing metadata that has been captured during the last 5 years will be kept until next February 29th in order to ensure a smooth transition.

National Security Council spokesperson Ned Price stated that this new law “struck a reasonable compromise which allows us to protect the country while implementing various reforms.”

Some have concerns, since the new law is going into effect so soon after the terrorist attacks in Paris. At a time when America is scaling back its surveillance, countries like England and France are considering new bills to enhance surveillance. Since American companies like Verizon would be involved, it may mean the creation of new treaties between Great Britain and the United States. It is likely that this type of confounding circumstance will present itself more in the future due to the international nature of terrorism.

Article via ABAJournal, 30 November 2015

Photo: National Security Agency Seal via Donkey Hotey [Creative Commons Attribution-NonCommercial-NoDerivs]