Category Archives: Forensic

Microsoft sues U.S. government over data requests


An important case to pay attention to:

SAN FRANCISCO (Reuters) – Microsoft Corp (MSFT.O) has sued the U.S. government for the right to tell its customers when a federal agency is looking at their emails, the latest in a series of clashes over privacy between the technology industry and Washington.

The lawsuit, filed on Thursday in federal court in Seattle, argues that the government is violating the U.S. Constitution by preventing Microsoft from notifying thousands of customers about government requests for their emails and other documents.

The government’s actions contravene the Fourth Amendment, which establishes the right for people and businesses to know if the government searches or seizes their property, the suit argues, and Microsoft’s First Amendment right to free speech.

The Department of Justice is reviewing the filing, spokeswoman Emily Pierce said.

Microsoft’s suit focuses on the storage of data on remote servers, rather than locally on people’s computers, which Microsoft says has provided a new opening for the government to access electronic data.

Using the Electronic Communications Privacy Act (ECPA), the government is increasingly directing investigations at the parties that store data in the so-called cloud, Microsoft says in the lawsuit. The 30-year-old law has long drawn scrutiny from technology companies and privacy advocates who say it was written before the rise of the commercial Internet and is therefore outdated.

“People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft says in the lawsuit. It adds that the government “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”

SURVEILLANCE BATTLE

The lawsuit represents the newest front in the battle between technology companies and the U.S. government over how much private businesses should assist government surveillance.

By filing the suit, Microsoft is taking a more prominent role in that battle, dominated by Apple Inc (AAPL.O) in recent months due to the government’s efforts to get the company to write software to unlock an iPhone used by one of the shooters in a December massacre in San Bernardino, California.

Apple, backed by big technology companies including Microsoft, had complained that cooperating would turn businesses into arms of the state.

“Just as Apple was the company in the last case and we stood with Apple, we expect other tech companies to stand with us,” Microsoft’s Chief Legal Officer Brad Smith said in a phone interview after the suit was filed.

One security expert questioned Microsoft’s motivation and timing. Its lawsuit was “one hundred percent motivated by business interests” and timed to capitalize on new interest in customer privacy issues spurred in part by Apple’s dispute, said D.J. Rosenthal, a former White House cyber security official in the Obama administration.

As Microsoft’s Windows and other legacy software products are losing some traction in an increasingly mobile and Internet-centric computing environment, the company’s cloud-based business is taking on more importance. Chief Executive Satya Nadella describes Microsoft’s efforts as “mobile first, cloud first.”

Its customers have been asking the company about government surveillance, Smith said, suggesting that the issue could hurt Microsoft’s ability to win or keep cloud customers.

In its complaint, Microsoft says over the past 18 months it has received 5,624 legal orders under the ECPA, of which 2,576 prevented Microsoft from disclosing that the government is seeking customer data through warrants, subpoenas and other requests. Most of the ECPA requests apply to individuals, not companies, and provide no fixed end date to the secrecy provision, Microsoft said.

Microsoft and other companies won the right two years ago to disclose the number of government demands for data they receive. This case goes farther, requesting that it be allowed to notify individual businesses and people that the government is seeking information about them.

Increasingly, U.S. companies are under pressure to prove they are helping protect consumer privacy. The campaign gained momentum in the wake of revelations by former government contractor Edward Snowden in 2013 that the government routinely conducted extensive phone and Internet surveillance to a much greater degree than believed.

Late last year, after Reuters reported that Microsoft had not alerted customers, including leaders of China’s Tibetan and Uighur minorities, that their email was compromised by hackers operating from China, Microsoft said publicly it would adopt a policy of telling email customers when it believed their email had been hacked by a government.

The company’s lawsuit on Thursday comes a day after a U.S. congressional panel voted unanimously to advance a package of reforms to the ECPA.

Last-minute changes to the legislation removed an obligation for the government to notify a targeted user whose communications are being sought. Instead, the bill would require disclosure of a warrant only to a service provider, which retains the right to voluntarily notify users, unless a court grants a gag order.

It is unclear if the bill will advance through the Senate and become law this year.

Separately, Microsoft is fighting a U.S. government warrant to turn over data held in a server in Ireland, which the government argues is lawful under another part of the ECPA. Microsoft argues the government needs to go through a procedure outlined in a legal-assistance treaty between the U.S. and Ireland.

Twitter Inc (TWTR.N) is fighting a separate battle in federal court in Northern California over public disclosure of government requests for information on users.

The case is Microsoft Corp v United States Department of Justice et al in the United States District Court, Western District of Washington, No. 2:16-cv-00537.

FBI investigating attack against computer networks at U.S. law firms

The Federal Bureau of Investigation (FBI) and the Manhattan U.S. attorney’s office are investigating an attack in which hackers accessed the computer networks at U.S. law firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, according to a Wall Street Journal report.

An individual familiar with the investigation told the Journal that investigators are looking into whether the hackers accessed the networks for insider trading or other purposes.

It is also likely that employee and client records were accessed in order to facilitate spearphishing and social engineering attacks, said Adam Levin, chairman and founder of IDT911 and author of “Swiped” in comments emailed to SCMagazine.com. “The bad guys gained privileged access by way of stolen credentials, infected computers with malware, monitor activity, collect information and then use it for their financial gain,” he noted.

The attackers have reportedly posted threats of similar attacks against other law firms.

Darren Hayes, director of cybersecurity at Pace University’s Seidenberg School of Computer Science and Information Systems, noted that law firms have been a target for hackers because they possess large quantities of intellectual property. “The recent slew of attacks on Wall Street law firms is a new phenomenon, but makes sense given their access to sensitive information.”

Seclore Technology CEO Vishal Gupta said in an email to SCMagazine.com that financial institutions and Fortune 500 companies have improved their security preparedness, but he noted that “hackers are finding loopholes – and in this case, it’s through the top US law firms.”

Hayes also acts as a consultant on legal cases involving digital evidence. He said law firms “are not known to generally possess the best network security defenses.”

Forget the hospitals, it now appears that the world’s cyber hyenas have found an endless source of fat and slow moving wildebeests to prey on the digital savanna. Cash “cows” as it were for ransomware attacks.

Can you think of a slower, less well-defended beast with more cash that would be so highly motivated to pay the ransom to protect their reputation?

The ransomware challenge simply cannot be solved by playing defense alone. We need to de-monetize this exploit, either by holding the perpetrators at risk of arrest or by disrupting their ability to collect the ransom.

No matter what the security-industrial complex technologists try to sell you to allay your fears and let you play a losing rope-a-dope defense a bit longer — the only successful solution is to pursue and challenge these ransomware teams directly.

The end of the iPhone encryption case and the questions we must ask


It is official. The FBI has accessed the San Bernardino iPhone, and they didn’t need Apple’s help. To quote the court document, found at:

https://assets.documentcloud.org/documents/2778264/Apple-Status-Report.pdf

“Applicant United States of America, by and through its counsel of record, the United States Attorney for the Central District of California, hereby files this status report called for by the Court’s order issued on March 21, 2016. (CR 199.) The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by Court’s Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016. Accordingly, the government hereby requests that the Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016 be vacated.”

More questions than I can put down here come to mind, but here are a few:

Was the FBI genuine when it filed initially, claiming they had no way to access the San Bernardino iPhone without Apple’s help?

If they were not genuine, and that seems to be the prevailing view in the technical field, was this behaviour becoming, or acceptable, from law enforcement? The simplified timeline of this case was that the FBI sought their court order, Apple said they would fight it, public opinion turned on the FBI, it appeared the legal argument may not stand up to challenge, the FBI sought a stay in the case while they tested a new way to get into the phone themselves, they then came out with the above statement claiming they have accessed the phone and requested the order be vacated. At face value the fact that the stay was sought when it was seems very convenient.

The net result is the same as if the FBI had never gone to court at all: Apple did not render assistance, the FBI got into the phone anyway, and no legal precedent was set. Was this a good use of taxpayer funds?

Will the FBI tell Apple how they got into the phone? If they won’t on national security grounds, is it acceptable that Apple customers are vulnerable to attacks that can happen in the wild due to some intangible threat that cannot be measured?

Did the FBI find anything of value?

What do dormant cyber pathogens look like?

http://arstechnica.com/tech-policy/2016/03/what-is-a-lying-dormant-cyber-pathogen-san-bernardino-da-wont-say/

It’s important we ask these questions, because if we don’t we run the risk of setting our own precedent: normalising dishonesty, vexatious use of the court system, waste of taxpayer funds, leaving the general public unsafe, and wild claims, all in the name of national security.

National security should not be doing this to us.

5 Ways to Keep your Domain Name Safe from Being Hacked


The growth in the number of people using the internet has led to a significant number of new websites and blogs appearing every day. The web is a huge platform for sharing views and opinions, or for hosting whatever content one sees fit, and casual users have come to understand that owning a website, or even a personal blog, can be a good business.

However, while many people can easily set up a website or blog, few know how to protect their domain from hijacking once they become its legal registrant. This article is for owners of personal blogs and small websites.

How to protect your domain from hackers

The following methods can be used to protect your domain from the attacks of hackers:

1. Activity alerts

This is similar to receiving notifications about your Facebook activity. Whenever something happens on your domain account (a login, a change to contact details or name servers, a transfer request) you get a notification. Many good domain registrars provide this feature free of cost. It is a good way to spot unauthorized activity on your domain account early, while a fraudulent change can still be reversed.

2. Make sure writeable and executable files and directories are not in web root

Leaving world-writable directories or executable scripts under the web root means that anyone who finds an upload or injection bug in one of your scripts can drop a file there and have the web server run it. That is about the easiest foothold an attacker can get on a hosting account. Keep uploads and other writable locations outside the web root, or at least make sure the server will not execute anything placed in them.
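To make tip 2 concrete, here is an added example, in Python, that is not code from the original article: it walks a web root and reports the conditions described above, namely world-writable files and directories, files with an execute bit set, and interpreted scripts sitting in a directory anyone can write to. The sample tree it builds under a temporary directory is constructed for the demonstration, and the set of script extensions is an assumption you would adjust to whatever your hosting stack actually executes.

```python
import os
import shutil
import stat
import tempfile

# Extensions the web server hands to an interpreter. This set is an
# assumption for the example; match it to what your hosting stack executes.
SCRIPT_EXTENSIONS = {".php", ".cgi", ".pl", ".py", ".sh"}

WORLD_WRITABLE = "world-writable"
EXECUTABLE = "executable"
SCRIPT_IN_WRITABLE_DIR = "script-in-writable-dir"


def audit_webroot(root):
    """Walk `root` and return a sorted list of (finding, relative_path).

    Findings:
      world-writable          any user on the host can modify the entry
      executable              a regular file with an execute bit set
      script-in-writable-dir  an interpreted script whose parent directory
                              is world-writable; whoever can drop a file
                              there can also get it executed
    """
    findings = set()
    for dirpath, dirnames, filenames in os.walk(root):
        parent_writable = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.lstat(full).st_mode  # lstat: report the link itself
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                findings.add((WORLD_WRITABLE, rel))
            if stat.S_ISREG(mode):
                if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    findings.add((EXECUTABLE, rel))
                ext = os.path.splitext(name)[1].lower()
                if parent_writable and ext in SCRIPT_EXTENSIONS:
                    findings.add((SCRIPT_IN_WRITABLE_DIR, rel))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed sample tree in a temp dir and return its path.

    The layout deliberately contains each mistake the audit looks for.
    Entries without a dot in their name are created as directories.
    """
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = [
        ("index.html", 0o644),          # harmless static file
        ("config.php", 0o666),          # world-writable file in the web root
        ("uploads", 0o777),             # world-writable directory
        ("uploads/avatar.png", 0o644),  # fine by itself
        ("uploads/shell.php", 0o644),   # script inside the writable directory
        ("cgi-bin", 0o755),
        ("cgi-bin/old.cgi", 0o755),     # forgotten executable (see tip 4)
    ]
    for rel, mode in layout:
        path = os.path.join(root, rel)
        if "." not in os.path.basename(rel):
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as fh:
                fh.write("sample content\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not interfere
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    try:
        for finding, path in audit_webroot(sample):
            print(f"{finding:24} {path}")
    finally:
        shutil.rmtree(sample)
```

Run it against a real document root instead of the sample tree and review each line: world-writable entries get their permissions tightened, forgotten executables are deleted, and upload directories are either moved outside the web root or have script execution disabled in the web server configuration.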

3. Keep your domain locked

Enabling your domain registrar’s lock is a simple yet effective way to block illicit third-party domain transfer requests. Such transfer requests are frequently used to steal domains: with the lock in place, a transfer cannot proceed until the lock is removed from inside the registrar account. Simply enabling the registrar lock can keep your domain from falling prey to this practice.

4. Do away with unwanted Directories, Scripts, and Subdomains

It is a common mistake to leave old, rarely used directories, scripts and subdomains on a site. The gravity of this mistake cannot be overstated: forgotten scripts do not get updated, so they tend to carry known vulnerabilities, and forgotten subdomains may still point at hosting you no longer control. Routinely clear out files, directories and subdomains that you no longer need or use.

5. Use strong and complex passwords

Every account that matters is protected by a password, yet people still choose passwords that are easy to guess. This is a textbook mistake, one that attackers never tire of exploiting. Always, ALWAYS, use a long password, and do not reuse your registrar password anywhere else: password-cracking tools try dictionaries of common words and leaked passwords first, so a short password built from English words falls quickly. A password manager makes a long, unique password painless, and if the registrar offers two-factor authentication, turn it on.

Conclusion

Many people lose their domain names to hijacking. Pay close attention to your domain’s security, especially once your blog or website becomes popular. With the methods above, and perhaps a little more research, you will be much better protected against hackers than you were before (if you were not using them already).

7 Tips From The FBI To Prepare Your Firm For A Cyber Attack

“In the past, the FBI wanted to operate in the shadows, but today’s Bureau is very different” said Jay F. Kramer, Supervisory Special Agent, Federal Bureau of Investigation, Cyber Division, New York Office. In an effort to make the FBI more approachable, Kramer recently provided an overview of the cybersecurity activities of the FBI at an event before hundreds of attorneys.

How does the FBI operate?

The Bureau investigates violations of federal law and significant threats to national security, making it uniquely situated to deal with today’s cybersecurity issues. In addition to being a law enforcement agency, the FBI is also a member of the US intelligence community. The FBI’s mission is primarily domestic, with 56 field offices across the United States, but it also has offices in 87 countries and shares threat intelligence coming from overseas, distilling it and packaging it at the lowest possible classification so it can be pushed out to victims. These overseas relationships enable the Bureau to respond quickly to cyber threats by gaining access to servers, logs and data to help unravel complicated cyber matters from around the world. “When it comes to cybersecurity, you’re never very far from an FBI office and from an actual person that can speak to you about issues that you’re having” Kramer said.

Here are some of the cybersecurity issues that the FBI is seeing:

  • Hacktivists use computers, beyond lawful means, to make political statements. These statements are typically about business practices they disapprove of. For example, “Anonymous”, a well-known hacktivist group, can shut down websites and social media accounts of targeted firms and individuals.
  • The US and its businesses are systematically attacked by hackers sponsored by foreign governments, for terrorism or to gain a competitive advantage.
  • Criminal enterprises use cyber to perpetuate old schemes, such as extortion. In the old days, organized crime would threaten the business owner directly, “Hey, listen, you’re either going to pay me or something’s going to happen here. There’s going to be a fire, brick going through your window. You’re going to be hurt personally”. With the advent of encryption technology, criminals can now gain a compromising foothold to lock down your systems. “The bad guy holds the private key to unlock it” said Kramer. Nowadays, the business owner gets an email that says “If you don’t give me 100 bitcoin, I’m going to delete your data.” The FBI doesn’t take a position on whether to pay the money or not, although it’s unlikely that the business will be able to defeat the encryption. So, the choice is to either pay or rely on backup data.
  • There are fraudsters who want to steal your personally identifiable information (PII) to empty out your bank account. More and more, however, data has a value all of its own. Bad actors will infiltrate databases of client data with email addresses, home addresses, and phone numbers of your clients, and use that data to fuel billion dollar criminal enterprises such as spam campaigns (pop-up ads for bogus Viagra or heart medication) or stock manipulation (pump and dump campaigns). There’s a whole underground economy of promoters and bad actors, who work in tandem and who need PII as the fuel for those fraudulent campaigns.
  • Industrial espionage for competitive advantage, such as stealing product information that requires years of research. “You’d be horrified if you saw how much data is leaving the US every day from scientific firms, research firms, industrial firms, government contractors” said Kramer.

In summary, Kramer provided 7 tips to prepare your firm for a cyber-attack:

  1. Understand what your network looks like, even after all the mergers, acquisitions, and consolidations. Create a map of your networks and prepare a list of the devices and users on the network.
  2. Back up your data routinely and store it offsite.
  3. Know where your most important data is being held. Think about where it should be held and the protocols to gain access to that information.
  4. Develop policies for cybersecurity. What policies govern the use of data and networks by employees? Train your employees on use policies. Define where your logs and data are being held. List applications running on the network, including applications developed in house.
  5. Be aware that bad actors could already be in your system right now and could have been for a long time. Make sure your IT departments are aware of updates and are patching vulnerabilities in your systems.
  6. Develop a response plan in the event of an attack. Have a plan to work with your attorneys, PR firm, and your Board of Directors. Have a team of forensic experts and outside firms available.
  7. And finally, establish a relationship with your local FBI office today, before there’s a cyber-attack.

Rise of the CISO: Why the C suite needs a security chief

The CISO role is growing in popularity, but what does it actually mean for your business? Here’s what the role is responsible for and why CISOs are multiplying in the enterprise.


The latest c-suite executive role to step into the spotlight is the chief information security officer, or CISO. Even more focus was put on the CISO role when, in February, President Obama announced that the US government was planning to hire its first ever Federal CISO.

Obama’s announcement further justified what many organizations were already doing, which was assigning a specialized executive over security issues, instead of leaving them to be handled by the CIO or CTO, whose top priorities are typically a mix of innovation and operations. And, while the CISO is not a new role, it is still gaining popularity in the enterprise.

So, we’re going to break down what it is and why you might need one. Let’s start with defining the role.

What is a CISO?

Simply put, the goal of the CISO is to protect the business at all costs against present and future digital security threats.

Andrew Hay, CISO at DataGravity, said, “The CISO role is a true hybrid role that is responsible for implementing, defending, measuring, and communicating the security and privacy strategy of the organization to all of its stakeholders.”

And that “all stakeholders” bit is key—the CISO isn’t going to hold court with the executive team only. True CISOs will be working with employees, customers, and other partners as well, Hay said.

Additionally, the CISO role isn’t the typical “vision caster” most people associate with a CXO title. The CISO role is a mixture of strategy/big picture thinking and tactical skills. Most CISOs are coming from an IT security background, so they know how to directly implement and work with the systems they are recommending.

In terms of who they report to, Entertainment Partners CISO John Tooley said that he believes the majority report to specific executives, and not just the CEO. In his tenure, he said he has reported to the CIO and CTO. Other CISOs may report to the COO or the CFO.

What does a CISO do?

In a broad sense, the CISO’s functions revolve around risk—identifying risk, assessing risk, presenting risk, and implementing programs to combat it. The difficulty in the role, Tooley said, is doing these things in a way that makes sense to the business, but is also effective in driving real change.

Identifying and assessing risk are skills that are typically developed as a combination of the training a CISO has received throughout his or her career and the sense of intuition that develops over a long time spent in the industry. Presenting the risk becomes a bigger challenge in that it requires specific communications and sales skills to get other leaders on board with a solution.

“As opposed to other C-level executives, I think there is more of a communication challenge, taking highly technical language and translating it into business value and need. There is also the balance that needs to be struck between empowering employees and securing the enterprise, since insider threats represent one of the biggest security concerns,” said Ari Lightman, director of the CISO Program at Carnegie Mellon University’s Heinz College.

The CISO must champion the organization’s security in all that he or she does, setting security goals and milestones to help measure the success of that strategy. Lightman said some of the day to day functions that comprise the role may include the following:

  1. Secure the enterprise’s digital assets
  2. Educate and train employees and the extended ecosystem on security best practices and procedures
  3. Define and monitor access and permissions
  4. Hire and train security personnel
  5. Define budgets for security equipment and training
  6. Work with other C-level executives to ensure compliance with security procedures

And, that above list is not exhaustive. Ultimately, a CISO’s role will also be shaped, in part, by the needs of the industry they operate in and the needs of their employer.

The rise of the CISO

So, why are we seeing the CISO rise to prominence now? For starters, security is no longer purely a technological issue, and can no longer be constrained solely to IT.

“So there is awareness among senior management now that information security is really a risk issue, and risk is a business challenge that needs broader solutions,” Tooley said.

Another big issue is growth: there’s just more technology in the workplace than there has ever been before, and it’s affecting organizations in new and interesting ways. The addition of DevOps, cloud, IoT, BYOD, and big data means that the attack surface is growing as well, and it needs a guardian.

“As a result, industry guidance, regulatory compliance standards, and the realization that security is a key component in business continuity and operational excellence, has led to the realization that the safety, security, and compliance of a company’s IT and information assets require an advocate at the highest level,” Hay said.

The 3 big takeaways for TheDigitalAgeBlog readers

  1. The CISO is an executive role that combines technical expertise with strategic vision to champion a security strategy for an organization.
  2. The CISO is responsible for acknowledging, analysing, and presenting risk. The communication of risk requires specific skills to help “sell” the solutions to mitigate against potential threats.
  3. The role itself is growing because the breadth of technology being implemented in business continues to grow. A CISO must understand how security risks affect the bottom line as well how they impact IT operations.

Why Accidental Disclosure of PII Can Be Disastrous


We focus a lot on finding and redacting PII while data is being prepared for opposing counsel, but what are the consequences of sensitive data being produced and ending up in the wrong hands?

Federal Rule of Civil Procedure 5.2 stipulates four categories of information to be protected: Social Security numbers, names of minors, birth dates, and financial account numbers. Let’s say you work for Corporation A, which is being sued by Corporation B for work performed by a specific team at Corporation A. Each individual on that team at Corporation A becomes a relevant custodian in discovery. In compliance with Rule 5.2, you comb through all the HR documents of the team members for PII to redact. What you don’t realize is that one of the team members has saved a tax document on their desktop to fax to their accountant during work hours. That information is stored on your servers, so it becomes part of the case, and you’ve missed it. You send your documents to opposing counsel for review. They won’t spend their time looking for information to redact on your behalf, so the information makes it through discovery and is brought in as a court document. Now it’s a part of the trial record, which is publicly accessible, and that individual’s information has been compromised.

So what happens when there’s a data breach? Well, that depends on which state you’re in, which federal statute the case falls under, and what the existing data breach laws are. For example, in a case regulated by the strict rules of HIPAA and in a state as diligent as Connecticut, where any information that can potentially have an association with a particular individual is considered private, PII leaks during litigation are subject to data breach notification requirements, meaning you must disclose your mistake to anyone affected, explain to them what they can do to protect themselves, and offer a solution to fix the breach. Beyond notification requirements, you can also be subject to monetary penalties, sanctions, and/or disciplinary actions against the litigators. That would mean Corporation A is subject to a wide range of possible repercussions. In one scenario, Corporation A might have to sue the contract review firm they hired to ensure that they go back to re-review their data, securing any compromised sensitive information. Perhaps there are no punitive sanctions on Corporation A in this instance, but you’ve just lost a lot of time and money in re-review.

In another scenario, the case may be ruled a mistrial because of negligence or non-compliance. Again, Corporation A has lost a lot of time and money, but now you’ve also sullied your reputation because of a mistake in basic litigation processes, risking the loss of future clients and future revenue. But let’s also say that over the course of litigation, the employee whose information has been compromised has left Corporation A. When you notify the former employee of the data breach, they sue you for leaking their private information. Now Corporation A has lost a lot of time and money, your case was thrown out as a mistrial, your reputation is damaged, and you’re caught up in yet another lawsuit. There might be penalties to pay out to the client and possible ethics sanctions handed down from the judge with monetary fines attached. Corporation A decides to sue the review firm for their litigation costs. Now two extra lawsuits have come out of what was supposed to be just one. A tangled legal web has been woven because of Corporation A’s lack of precaution at the onset of the lawsuit with Corporation B.

A data breach can have considerable fallout for firms and clients alike, so ensuring that proper measures are taken to secure sensitive data is a crucial first step in the discovery process. There are technologies that can automate and expedite the process of identifying and removing sensitive data to ensure that nothing falls through the cracks. By incorporating the right legal technologies, money is saved rather than wasted, and reputations remain sterling.

For further reading on this topic, check out the following resources:

http://www.insidecounsel.com/2013/07/18/litigation-sanctions-for-spoliation-of-evidence

http://www.theediscoveryblog.com/2015/09/18/a-light-in-the-dark-protecting-pii-in-ediscovery/

http://searchsecurity.techtarget.com/news/4500247249/IRS-breach-shows-the-importance-of-PII-security

https://www.altep.com/blog/preventing-disclosure-of-pii

http://blog.kcura.com/relativity/blog/not-so-peachy-pii-a-cautionary-tale-of-sensitive-e-discovery-data

http://www.attorney-myers.com/2014/04/privacy-and-security-in-court/

Apple v. FBI: How to Sound Smart about Encryption


Apple v. FBI has started a serious debate about the line between security and privacy. The FBI says this is a case about the contents of one specific iPhone 5c. Apple says this is a case about securing data for everyone.

No one seems to want to have a civil, Socratic discussion about what it means to evolve the governance of a digital democracy. Instead, most people want to voice their opinions about terrorism, the law, and Apple. People also want to know if this particular iPhone 5c (or any iPhone) can be hacked, and if offers to hack it from white hat hackers, such as John McAfee, are real.

The Apple v. FBI subject device, an iPhone 5c, can be hacked. This is true because of the version of iOS running on the device and the way all iPhone 5c’s were built: the 5c has no Secure Enclave, so the passcode retry limit and the delay between attempts are enforced by the operating system rather than by a separate hardware component, which is why a modified version of iOS from Apple would have been enough. Later models (5s, 6, 6s) enforce those limits in the Secure Enclave and could not be hacked the same way, so we should not be talking about this particular phone; we should be talking about encryption writ large, and how it is used in our daily lives.

What Is Encryption?

Encryption is the process of using algorithms to encode information with the specific goal of preventing unauthorized parties from accessing it. For digital communication, there are two popular methods of encryption: symmetric key and public key.

  • Symmetric key encryption requires both the sending and receiving parties to have the same key, hence the term “symmetric.” It is fast, which is why it does the bulk of the work in practice.
  • Public key (asymmetric) encryption uses a pair of keys: the encryption key can be published, and only the holder of the matching private key can decrypt. It is what lets two parties who have never met agree on a secret, so in practice the two methods are used together, with the public key protecting a symmetric key and the symmetric key protecting the data.

How Can There Be Such a Thing as a “Public” Encryption Key?

One of the most popular ways to build a public key (the RSA scheme) rests on a mathematical problem known as prime factorization (aka integer factorization). You start with two relatively large prime numbers. (Quick 6th Grade Math Refresher: A prime number is only divisible by 1 and itself.) Let’s call them P and Q. When you multiply them, the product is a composite number we’ll call “C.”

(P x Q = C)

C is a very special number with very special properties. It’s called a semiprime number. Semiprime numbers are only divisible by 1, themselves and the two prime factors that made them. This special property enables the number to be used for public key encryption.

C (together with a public exponent) is the public key, and the private key is computed from P and Q, which you keep secret. While it is very easy to multiply P and Q to get C, going the other way, from C back to P and Q, is what an attacker has to do to recover the private key, and if C is large enough and thoughtfully generated that is far beyond reach. (There are mathematical strategies much better than trial division, such as the general number field sieve, but even the best known classical algorithm cannot factor a properly generated 2048-bit C in any useful amount of time.)
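The relationship described above, as an added worked example that is not part of the original post: a toy RSA key built from two constructed small primes, a message encrypted and decrypted with it, and the attacker’s step of factoring C to rebuild the private key. The primes are tiny so the factoring visibly succeeds; at 2048 bits that same step is what nobody can do.

```python
"""Toy RSA on small primes: an added illustration, not code from the original post.

The public key is built from C = P x Q, the private key from P and Q themselves,
and whoever manages to factor C gets the private key back.
"""
from math import gcd, isqrt
from typing import Tuple

Key = Tuple[int, int]   # (modulus C, exponent)


def is_prime(n: int) -> bool:
    """Trial division; fine for the small numbers used here."""
    if n < 2:
        return False
    for i in range(2, isqrt(n) + 1):
        if n % i == 0:
            return False
    return True


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Build (public, private) from two primes. The public key carries C and e;
    the private exponent d is derived from (P-1)(Q-1), which needs P and Q."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("need two distinct primes")
    c = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (P-1)(Q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (c, e), (c, d)


def encrypt(public: Key, m: int) -> int:
    c, e = public
    if not 0 <= m < c:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, c)


def decrypt(private: Key, ciphertext: int) -> int:
    c, d = private
    return pow(ciphertext, d, c)


def factor_semiprime(c: int) -> Tuple[int, int]:
    """Recover P and Q from C by trial division. Cost grows with sqrt(C):
    trivial here, roughly 2**1024 steps for a 2048-bit modulus. Real attacks
    use the number field sieve, which is far better but still infeasible at
    that size."""
    if c % 2 == 0:
        return 2, c // 2
    for p in range(3, isqrt(c) + 1, 2):
        if c % p == 0:
            return p, c // p
    raise ValueError("not a semiprime")


def recover_private_key(public: Key) -> Key:
    """What an attacker does with a factored modulus: rebuild d from P and Q."""
    c, e = public
    p, q = factor_semiprime(c)
    return c, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keypair(10007, 10009)       # constructed small primes
    ciphertext = encrypt(public, 123456)
    print("C =", public[0], " decrypts to", decrypt(private, ciphertext))
    print("factored:", factor_semiprime(public[0]),
          " recovered private key matches:", recover_private_key(public) == private)
```

Swap the two primes for 1024-bit ones and `make_keypair`, `encrypt` and `decrypt` still run instantly, because they only multiply and exponentiate; `factor_semiprime` is the one function that stops finishing, which is the whole asymmetry the scheme relies on.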

Pretty Good Privacy, the Encryption We Mostly Use

The OpenPGP standard (Pretty Good Privacy, or PGP) is one of the most popular ways public key encryption is put to use for files and email. There is a very good chance that your corporate IT department uses some version of PGP to encrypt your files – after all, it’s pretty good.

How good? OpenPGP encrypts a file with a symmetric cipher (such as AES) under a random session key, then encrypts that session key to the recipient’s public key. Using current computer technology, a file protected by a 2048-bit RSA key cannot be decrypted without the private key. Someday it might be possible with a fully functional quantum computer running Shor’s algorithm, but those are still, for all practical purposes, theoretical devices.

Now, you’re going to push back with an argument that goes something like this: “Hey Michael, you may think that a file encoded with 2048-bit OpenPGP encryption is unbreakable, but you don’t know that for sure. You have no idea what the NSA can or cannot do! How do you know that quantum computers don’t exist? Nothing is impossible!”

Yeah … no. A 2048-bit key can’t be broken without the private key because of the sheer amount of computation factoring would take on the hardware we have today. In the future, with new hardware and processor and bus speeds that are currently undreamt of, the computation may become feasible – but not today. One widely quoted estimate puts brute-forcing the 2048-bit key in a secure SSL certificate at over 6.4 quadrillion years. The practical caveat is that real attackers don’t break the key at all; they go after the passphrase protecting the private key file, the machine it lives on, or the person who uses it. That is exactly why the iPhone case is about a PIN, not about defeating the cipher.

How Can the “Now Famous” iPhone 5c Be Hacked?

For the iPhone 5c in question, you don’t need to break the encryption key; you need to rebuild it. The key that protects the phone’s data is derived from two ingredients: the user’s PIN or passcode, and a unique secret key (the UID) that Apple burns into each phone’s processor when it is manufactured. Because the UID never leaves the chip, every guess at the passcode has to be run on the phone itself, and iOS makes that slow: each attempt costs a fixed amount of processor time, failed attempts trigger escalating delays, and, if the owner enabled it, ten failures erase the data. The FBI asked Apple to create and sign a modified iOS that disables exactly those protections – the limit on failed passcode attempts, the delays between attempts, and the requirement to type guesses on the screen rather than submit them electronically. With that weakened software and a tool that tries every possible passcode, the FBI hoped to find the PIN and so regenerate the key that unlocks the phone.

It is important to note that this approach only works on iPhones without a Secure Enclave – the 5c and earlier models, where the attempt counter and the delays are enforced by iOS software. iPhones with fingerprint scanners such as the 5s, 6 and 6s have a second processor called the Secure Enclave that performs the passcode tangling and enforces the delays itself, so a modified iOS alone would not remove them. Getting into one of those would require a change to the Secure Enclave as well, which is the kind of “backdoor” Apple says it does not want to build.

This is what Apple is worried about. You should be too. Today, if the government served Apple with a lawful writ or subpoena to deliver the key to an iPhone 6s, Apple could not comply, because it does not hold that key. This case asks a broader question: should the government be allowed to compel any company that creates a digital security product to build a “backdoor” and make it available, for any reason, lawful or otherwise?

The important thing about the “backdoor” in Apple’s case is that it could not be guessed or randomly generated; it would have to be an actual artifact – a signed build of iOS, a metaphorical “skeleton key.” There’s a problem with skeleton keys, even digital ones: they can be copied. Importantly, they can be copied or stolen without the owner’s knowledge. Creating one undercuts the purpose of encrypting the data in the first place. If such a key exists, it will be sought by both good and bad actors – that’s just a fact of digital life.
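The mechanism described in the two paragraphs above, as an added simulation that is not Apple’s code or part of the original post: a PIN tangled with a device-unique secret, a lockout policy enforced by the software that checks the PIN, and a brute-force loop run once against the policy and once against a “patched” device that ignores it. PBKDF2 stands in for Apple’s AES-based tangling, the UID and PIN are constructed, and the 80 ms per-guess cost and the delay schedule follow Apple’s published iOS security figures.

```python
"""Simulated iPhone 5c-style passcode lock: an added illustration, not Apple's code.

The unlock key is derived from the PIN tangled with a per-device secret (the UID),
so guessing has to happen on the device, and the only remaining defences are the
per-guess cost, the escalating delays and the ten-strike wipe. The 'patched'
device shows what disabling those checks buys an attacker.
"""
import hashlib
import hmac
import itertools
from typing import Optional, Tuple

# Constructed stand-in for the 256-bit UID fused into the application processor.
# On a real phone no software, Apple's included, can read this value out.
DEVICE_UID = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f000112233445566778899aabbccddeeff")

KDF_ITERATIONS = 1000      # keeps the demo quick; the cost in time matters, not the count
SECONDS_PER_GUESS = 0.08   # hardware-bound cost of one on-device attempt (~80 ms)

# Delay in seconds imposed after the Nth consecutive failure (iOS 8/9 schedule:
# 1 min after 5, 5 min after 6, 15 min after 7 and 8, 1 h after 9), then the wipe.
LOCKOUT_SCHEDULE = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
WIPE_AFTER = 10


def derive_passcode_key(pin: str, uid: bytes = DEVICE_UID) -> bytes:
    """Tangle the PIN with the device UID. Without the UID the output cannot be
    computed, which is why the search cannot be moved to a fast offline rig."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), uid, KDF_ITERATIONS, dklen=32)


class Device:
    """Holds the passcode key and enforces, or when 'patched' ignores, the lockout policy."""

    def __init__(self, pin: str, enforce_limits: bool = True) -> None:
        self._key = derive_passcode_key(pin)
        self.enforce_limits = enforce_limits
        self.failures = 0
        self.wiped = False
        self.elapsed = 0.0      # simulated seconds; nothing actually sleeps

    def try_unlock(self, guess: str) -> bool:
        if self.wiped:
            raise RuntimeError("device wiped: key material destroyed")
        self.elapsed += SECONDS_PER_GUESS
        if hmac.compare_digest(derive_passcode_key(guess), self._key):
            self.failures = 0
            return True
        self.failures += 1
        if self.enforce_limits:
            self.elapsed += LOCKOUT_SCHEDULE.get(self.failures, 0)
            if self.failures >= WIPE_AFTER:
                self.wiped = True
        return False


def brute_force(device: Device, digits: int = 4) -> Tuple[Optional[str], int]:
    """Try every numeric PIN in order. Returns (pin or None, attempts made)."""
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        if device.wiped:
            return None, attempts
        guess = "".join(combo)
        attempts += 1
        if device.try_unlock(guess):
            return guess, attempts
    return None, attempts


def worst_case_seconds(digits: int) -> float:
    """Search time with limits disabled, bounded only by the per-guess cost."""
    return 10 ** digits * SECONDS_PER_GUESS


if __name__ == "__main__":
    locked = Device("2580", enforce_limits=True)           # constructed PIN
    print("policy enforced :", brute_force(locked), "wiped:", locked.wiped)
    patched = Device("2580", enforce_limits=False)
    print("policy disabled :", brute_force(patched),
          f"after {patched.elapsed / 60:.1f} simulated minutes")
    print("worst case, 4 digits: %.0f min; 6 digits: %.1f h"
          % (worst_case_seconds(4) / 60, worst_case_seconds(6) / 3600))
```

With the policy enforced the search dies at ten guesses; with it disabled a four-digit PIN falls in at most about 13 simulated minutes and a six-digit one in under a day, which is the entire value of the modified iOS the FBI asked for. On a Secure Enclave device the equivalent of `enforce_limits` lives in the enclave’s firmware rather than in the code that was asked to be patched.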

So again, I find myself begging you to engage in a civil, Socratic discussion about what kind of future we want to live in. Encryption enables banking (commercial and consumer) and commerce. Without it, our digital lives would be very, very different. How do you want to evolve the governance of our digital democracy? Where is the line between security and privacy? What do we want to ask our lawmakers to do? Hopefully this short story will inspire you to learn more about encryption so you can draw your own conclusions and join this techno-political debate.

This is What the Public Really Thinks About FBI vs. Apple


DOJ v. Data Encryption – Public Perception and Communications Lessons

The heated dispute between Apple and the U.S. Department of Justice (DOJ) over the iPhone used by Syed Rizwan Farook before the San Bernardino, California, mass shooting has captured attention across America and the world. While this debate now focuses on one company’s decision, the implications go well beyond the mobile sector and even the whole technology industry. Companies and other organizations of all kinds responsible for managing personal data are concerned and need to be prepared to deal with the controversy’s impact.

To help deepen understanding about this complex issue, Burson-Marsteller, with their sister research firm Penn Schoen Berland, conducted a national opinion survey from February 23-24, 2016. The survey polled 500 General Population respondents (including 230 iPhone users) and 100 National Elites (individuals earning more than $100,000 per year who have college degrees and follow the news), and the results reveal critical communications issues around the fundamental conflict between privacy on the one hand and national security and safety on the other. Here are the key takeaways:

  • Overall awareness is high. Eighty-two percent of the General Population and 88 percent of National Elites have heard about the dispute. The news has gone viral, with people tweeting and posting on Facebook about it and commenting extensively online about news articles.
  • The FBI should have access to one phone, not all phones. Respondents say the government should not be given a tool that potentially gives it access to all iPhones. Sixty-three percent of the General Population and 57 percent of National Elites say Apple should only provide the FBI with the data from the phone in question, and the tools to do it should never leave Apple’s premises. It is clear the public wants this decided on a case-by-case basis, and respondents do not trust law enforcement and national security agencies to self-police and protect privacy.
  • The public expects companies to push back if there is the potential to violate privacy. Respondents say they want companies to protect the privacy of their data fully, even when the government is requesting data in the name of law enforcement or national security. A majority (64 percent of the General Population and 59 percent of Elites) says a company’s top obligation is to protect its customers’ data rather than cooperating with law enforcement or national security interests. However, most (69 percent of the General Population and 63 percent of Elites) see the need to compromise on privacy when terrorist threats are involved.
  • How the issue is framed determines public opinion. If the issue is framed as the FBI asking for access to this one phone, 63 percent of the General Population and 57 percent of Elites agree with the FBI position. If the issue is framed as potentially giving the FBI and other government agencies access to all iPhones, Apple’s position prevails overwhelmingly; 83 percent of the General Population and 78 percent of Elites agree Apple should either only grant access to the particular iPhone or refuse the request entirely.
  • Current laws are outdated. This situation reflects a much broader debate about privacy and security that will need to be resolved. About half (46 percent of the General Population and 52 percent of Elites) say current laws are outdated and need to be revised to reflect the changing role of technology in today’s society.

Regardless of the outcome of this current dispute, there is no question it is raising alarms about the state of data privacy. In the aftermath, companies will have to pay increasing attention to the expectations of their customers and consumers. The survey showed people are overwhelmingly concerned with the security and privacy of their digital data, with 90 percent of the General Population and 96 percent of National Elites saying they are very or somewhat concerned about the security and privacy of their personal information online or on their personal electronic devices. The Apple/DOJ dispute appears to be a turning point for all organizations trying to balance the demands of data privacy with national security and law enforcement considerations. The pressures on them are only going to grow.

 

5 techniques for creating an invincible password


One of the most important jobs of an IT security professional is not only to have a strong password yourself, but also to teach others in your company to follow the same password-making process. You are only as strong as your weakest link, and a large share of successful attacks start with a human mistake. The dos and don’ts of making a secure password may seem tedious at first, but in the long run it is the best option to stay protected.

First step: we will retire the word “password”, because from now on we will be creating “passphrases”. You don’t want to use just one or two words as the main part of your passphrase. Dictionary and brute force attacks keep getting better, cracking single-word passwords in minutes. What you want instead is a phrase that you can remember, but not something too closely tied to you. Examples would be the chorus of a song or the first sentence of a book that you know by heart. Use my example below for now:

“She had them apple bottom jeans, boots with the fur”

You will now take the first (or last) letter from each word and cram them together; this will be the base of your passphrase:

“shtabjbwtf”

Next, you want to make a few of the letters capital:

“ShTaBjBwTf”

Try to have at least two letters capitalized. Now take your phrase and add a number or special character to the beginning and the end of it.

“7ShTaBjBwTf@”

The last step is to make sure it is 14 characters long or more. My example has only 12, so I would go back and add 2 more characters to the phrase:

“67ShTaBjBwTf@!”

There you have it, simple as that. Now you have a password that meets the length criteria and is well outside the reach of a plain dictionary attack. One caveat: the strength comes from the phrase being unpredictable. Famous lyrics and first lines are well known to attackers, and cracking tools can build the same first-letter patterns from a list of popular lines, so pick something obscure to everyone but you rather than a hit chorus. You will also have an easy time remembering this one because the base phrase is something you have memorized anyway (a song or phrase). The idea is to find something that is easy for you and only you to remember for your base phrase; the rest will fall into place after a few times using the password.

Creating a strong passphrase is very important, but do not ever write down your phrases. It doesn’t matter if they are in a safe; creating a super-secure password will do you no good if it cannot be memorized. Now let’s say you have a lot of accounts with different passwords. What you can do to solve this is get a password manager. It is a tool that holds all of your passwords in an encrypted vault on your computer, with one master passphrase to unlock the others. This way you only have to memorize one secure passphrase. Congrats, you can now teach passphrase creation. Take what you have learned and spread this knowledge to your company. The employees are the first line of defense and need to be well prepared for it.
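The five steps above carried out in code, as an added worked example that is not the author’s: `build_passphrase()` turns the example lyric into the exact result shown in the post, `check_policy()` is the length and complexity check the steps are meant to satisfy, and `matches_known_acrostic()` is the caveat, flagging a candidate whose letter core is the acrostic of a well-known line. `KNOWN_LINES` is a constructed stand-in for the lyric and quote lists that cracking tools draw on.

```python
"""Passphrase recipe from the post, as an added worked example (not the author's code).

build_passphrase() carries out the steps in order: acrostic of the phrase,
alternate capitals, a leading digit and a trailing symbol, then padding to 14.
check_policy() is the complexity check; matches_known_acrostic() is the caveat.
"""
import itertools
import string
from typing import List, Optional, Sequence


def acrostic(phrase: str, use_last: bool = False) -> str:
    """First (or last) letter of each word, lower-cased, punctuation ignored."""
    letters = []
    for word in phrase.split():
        core = word.strip(string.punctuation)
        if core:
            letters.append(core[-1] if use_last else core[0])
    return "".join(letters).lower()


def alternate_caps(base: str) -> str:
    """Capitalise every other letter starting with the first."""
    return "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(base))


def build_passphrase(phrase: str, prefix: str = "7", suffix: str = "@",
                     min_length: int = 14, extra_front: str = "6",
                     extra_back: str = "!") -> str:
    """Steps 1-5 of the recipe; padding alternates front and back until long enough."""
    pw = prefix + alternate_caps(acrostic(phrase)) + suffix
    front, back = itertools.cycle(extra_front), itertools.cycle(extra_back)
    pad_front = True
    while len(pw) < min_length:
        pw = next(front) + pw if pad_front else pw + next(back)
        pad_front = not pad_front
    return pw


def check_policy(pw: str, min_length: int = 14) -> List[str]:
    """Return the list of rules the candidate fails (empty means it passes)."""
    failures = []
    if len(pw) < min_length:
        failures.append("length < %d" % min_length)
    if sum(c.isupper() for c in pw) < 2:
        failures.append("fewer than 2 uppercase letters")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    return failures


# Constructed list standing in for the lyric/quote corpora cracking tools use.
KNOWN_LINES = [
    "Twinkle twinkle little star, how I wonder what you are",
    "She had them apple bottom jeans, boots with the fur",
    "It was the best of times, it was the worst of times",
]


def matches_known_acrostic(pw: str, known_lines: Sequence[str]) -> Optional[str]:
    """Strip the decoration and compare the letter core against the acrostic of
    each known line (first- and last-letter variants); return the matching line."""
    core = "".join(c for c in pw if c.isalpha()).lower()
    for line in known_lines:
        if core in (acrostic(line), acrostic(line, use_last=True)):
            return line
    return None


if __name__ == "__main__":
    phrase = "She had them apple bottom jeans, boots with the fur"
    candidate = build_passphrase(phrase)
    print(candidate, check_policy(candidate) or "passes policy")
    print("derived from a known line:", matches_known_acrostic(candidate, KNOWN_LINES))
```

The policy check passes the post’s final passphrase, and the acrostic check still flags it, because its base line is a hit chorus: the digits and symbols on the ends are a handful of extra guesses once the letter core is known, so the unpredictability of the source phrase is what carries the strength.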