Tag Archives: FBI

Mobile Forensics Firm to Help FBI Hack Shooter’s iPhone

Posted on March 28, 2016 | Leave a comment

Terrorist

Israel-based mobile forensics firm Cellebrite is believed to be the mysterious “outside party” that might be able to help the FBI hack the iPhone belonging to the San Bernardino shooter.

Israeli newspaper Yedioth Ahronoth broke the news, which appears to be confirmed by a $15,000 contract signed by the FBI with Cellebrite on March 21, the day when the agency announced that it may have found a way to crack Islamic Terrorist Syed Rizwan Farook’s iPhone without Apple’s help.

The FBI convinced a judge in mid-February to order Apple to create special software that would allow the law enforcement agency to brute-force the PIN on Farook’s iPhone 5C without the risk of destroying the data stored on it.

Apple, backed by several other technology giants, has been preparing to fight the order, which it believes would set a dangerous precedent.

Just as the US government and Apple were about to face each other in court, the FBI announced on Monday that it may no longer need Apple’s help in cracking the phone. Federal prosecutors later cancelled the hearing set for Tuesday, stating that the FBI will be aided by an unidentified “outside party.”

That “outside party” appears to be Cellebrite, which has been working with the FBI since 2013. The company’s website shows that it has assisted law enforcement investigations in several countries over the past period.

“Cellebrite mobile forensics solutions give access to and unlock the intelligence of mobile data sources to extend investigative capabilities, accelerate investigations, unify investigative teams and produce solid evidence,” the company writes on its official site.

Experts have suggested several methods that could be used to gain access to the data on the San Bernardino shooter’s iPhone, including ones involving acid and lasers, but they didn’t appear to be very practical.

After the FBI announced that it might have found a practical alternative, iOS forensics expert Jonathan Zdziarski published a blog post describing some of the likely methods that might be used to accomplish the task.

The expert believes the technique that will be used has likely already been developed, as the FBI says it only needs two weeks to test the proposed method.

Zdziarski believes the company that will aid the FBI will either use a software exploit or a hardware technique known as NAND mirroring.

“This is where the NAND chip is typically desoldered, dumped into a file (likely by a chip reader/programmer, which is like a cd burner for chips), and then copied so that if the device begins to wipe or delay after five or ten tries, they can just re-write the original image back to the chip,” the researcher explained. “It’s possible they’ve also made hardware modifications to their test devices to add a socket, allowing them to quickly switch chips out, or that they’re using hardware to simulate this chip so that they don’t have to.”

“My gut still tells me this is likely a NAND hardware technique. A software exploit doesn’t scale well. I know this because my older forensics tools used them, and it required slightly different bundles for every hardware and firmware combination. Some also work against certain versions, but not against others,” he noted.

Zdziarski believes that if the technique already exists, it has likely been sold privately for well over $1 million.

Leave a comment

Posted in Cyber Security, Data Breach, eDiscovery, Encryption, Hacking, Law Enforcement

Tagged , ,

7 Tips From The FBI To Prepare Your Firm For A Cyber Attack

Posted on March 15, 2016 | Leave a comment

“In the past, the FBI wanted to operate in the shadows, but today’s Bureau is very different” said Jay F. Kramer, Supervisory Special Agent, Federal Bureau of Investigation, Cyber Division, New York Office. In an effort to make the FBI more approachable, Kramer recently provided an overview of the cybersecurity activities of the FBI at an event before hundreds of attorneys.

How does the FBI operate?

The Bureau investigates violations of federal law and significant threats to national security, making it uniquely situated to deal with today’s cybersecurity issues. In addition to being a law enforcement agency, the FBI is also a member of the US intelligence community. FBI’s mission is primarily domestic with 56 field offices across the United States, but it also has offices in 87 countries and shares intelligence and threats coming from overseas by distilling it down and packaging it at the lowest level classification possible to push it out to victims. These overseas relationships enable the Bureau to quickly respond to cyber threats by gaining access to servers, logs and data to help unravel some of these complicated cyber matters from around the world. “When it comes to cybersecurity, you’re never very far from an FBI office and from an actual person that can speak to you about issues that you’re having” Kramer said.

Here are some of the cybersecurity issues that the FBI is seeing:

    • Hacktivists use computers, beyond lawful means, to make political statements. These statements are typically about business practices they disapprove of. For example, “Anonymous”, a well-known hacktivist group, can shut down websites and social media accounts of targeted firms and individuals.
    • The US and businesses are systematically attacked by hackers sponsored by foreign governments for terrorism or to gain a competitive advantage.
    • Criminal enterprises use cyber to perpetuate old schemes, such as extortion. In the old days, organized crime would threaten the business owner directly, “Hey, listen, you’re either going to pay me or something’s going to happen here. There’s going to be a fire, brick going through your window. You’re going to be hurt personally”. With the advent of encryption technology, criminals can now gain a compromising foothold to lock down your systems. “The bad guy holds the private key to unlock it” said Kramer. Nowadays, the business owner gets an email that says “If you don’t give me 100 bitcoin, I’m going to delete your data.” The FBI doesn’t take a position on whether to pay the money or not, although it’s unlikely that the business will be able to defeat the encryption. So, the choice is to either pay or rely on back up data.
  • There are fraudsters who want to steal your personally identifiable information (PII) to empty out your bank account. More and more however, data has a value all of its own. Bad actors will infiltrate databases of client data with email addresses, home addresses, and phone numbers of your clients, and use that data to fuel billion dollar criminal enterprises such as spam campaigns, such as pop-up ads for bogus Viagra or heart medication or stock manipulation, such as pump and dump campaigns. There’s a whole underground economy of promoters and bad actors, who work in tandem and who need PII as the fuel for those fraudulent campaigns.
  • Industrial espionage for competitive advantage such as stealing product information that requires years of research. “You’d be horrified if you saw how much data is leaving the US every day from scientific firms, research firms, industrial firms, government contractors” said Kramer.

In summary, Kramer provided 7 tips to prepare your firm for a cyber-attack:

  1. Understand what your network looks like, even after all the mergers, acquisitions, and consolidations. Create a map of your networks and prepare a list of devices on the network and users on the network.
  2. Back up your data routinely and store it offsite.
  3. Know where your most important data is being held. Think about where it should be held and the protocols to gain access to that information.
  4. Develop policies for cybersecurity. What policies govern the use of data and networks by employees? Train your employees on use polices. Define where your logs and data are being held. List applications running on the network, including applications developed in house.
  5. Be aware that bad actors could be already be in your system right now and have been for a long time. Make sure your IT departments are aware of updates and are patching vulnerabilities in your systems.
  6. Develop a response plan in the event of an attack. Have a plan to work with your attorneys, PR firm, your Board of Directors. Have a team of forensic experts and outside firms available.
  7. And finally, establish a relationship with your local FBI office today, before there’s a cyber-attack

Joanna Belbey , Contributor

 

Leave a comment

Posted in Cyber Security, Forensic, Hacking, Law Enforcement, Security

Tagged ,

Apple v. FBI: How to Sound Smart about Encryption

Posted on March 8, 2016 | Leave a comment

Encryption

Apple v. FBI has started a serious debate about the line between security and privacy. The FBI says this is a case about the contents of one specific iPhone 5c. Apple says this is a case about securing data for everyone.

No one seems to want to have a civil, Socratic discussion about what it means to evolve the governance of a digital democracy. Instead, most people want to voice their opinions about terrorism, the law, and Apple. People also want to know if this particular iPhone 5c (or any iPhone) can be hacked, and if offers to hack it from white hat hackers, such as John McAfee, are real.

The Apple v. FBI subject device, an iPhone 5c, can be hacked. This is true because of iOS 8 (the operating system running on the subject device) and the way all iPhone 5c’s were manufactured. Current vintage iPhones (5s, 6, 6s) could not be hacked the same way, so we should not be talking about this particular phone; we should be talking about encryption writ large, and how it is used in our daily lives.

What Is Encryption?

Encryption is the process of using algorithms to encode information with the specific goal of preventing unauthorized parties from accessing it. For digital communication, there are two popular methods of encryption: symmetric key and public key.

  • Symmetric key encryption requires both the sending and receiving parties to have the same key – hence the term “symmetric.”
  • Public key encryption is far more popular because the encryption key is publicly available, but only the receiving party has access to the decryption key.

How Can There Be Such a Thing as a “Public” Encryption Key?

One of the most popular ways to create public encryption keys is to use a mathematical problem known as prime factorization (aka integer factorization). You start with two relatively large prime numbers. (Quick 6th Grade Math Refresher: A prime number is only divisible by 1 and itself.) Let’s call them P and P. When you multiply them, the product is a composite number we’ll call “C.”

(P x P = C)

C is a very special number with very special properties. It’s called a semiprime number. Semiprime numbers are only divisible by 1, themselves and the two prime factors that made them. This special property enables the number to be used for public key encryption.

You use C for the public key and you keep P and P as the private key pair. While it is very easy to generate C, if the number is large enough and thoughtfully generated, it can take thousands, millions or even billions or trillions of tries to factor. (There are mathematical strategies to speed up the process, but in practice, prime factoring must be done by trial and error.)

Pretty Good Privacy, the Encryption We Mostly Use

The OpenPGP standard is one of the most popular versions of public key encryption, aka Pretty Good Privacy or PGP. There is a very good chance that your corporate IT department uses some version of PGP to encrypt your files – after all, it’s pretty good.

How good? Using current computer technology, a 2048-bit OpenPGP encrypted file cannot be decrypted. Someday it might be possible with a fully functional quantum computer, but these are still, for all practical purposes, theoretical devices.

Now, you’re going to push back with an argument that goes something like this: “Hey Michael, you may think that a file encoded with 2048-bit OpenPGP encryption is unbreakable, but you don’t know that for sure. You have no idea what the NSA can or cannot do! How do you know that quantum computers don’t exist? Nothing is impossible!”

Yeah … no. 2048-bit OpenPGP encryption can’t be decrypted without a key because of the way computers work today. In the future, with new hardware and processor and bus speeds that are currently undreamt of, the computation may be able to be done in reasonable time – but not today. Without your private key, the computational time required to break a 2048-bit key in a secure SSL certificate would take over 6.4 quadrillion years.

How Can the “Now Famous” iPhone 5c Be Hacked?

For the iPhone 5c in question, you don’t need to hack the encryption key; you need to “make” the encryption key. It is generated from a combination of the user-created PIN or password and a unique key that Apple embeds in each iPhone 5c when it is manufactured. The FBI is asking Apple to create a new operating system with the ability to disable certain security protocols – specifically to defeat the limit on failed passcode attempts and to remove the delay caused by failed attempts. With this new weaker security protocol and forensic software written to try every possible PIN or password combination, the FBI hopes to regenerate the unique key required to open the phone.

It is important to note that this whole idea is only possible on iPhones older than the 5c running iOS 8 or earlier. iPhones with fingerprint scanners such as the 5s, 6 and 6s use a second processor called “secure enclave.” Even Apple can’t hack an iPhone that includes a secure enclave processor – not without creating a “backdoor.”

This is what Apple is worried about. You should be too. If the government served Apple with a lawful writ or subpoena to deliver the key to an iPhone 6s, it would not be able to comply. This case asks the question, should the government be allowed to compel any company that creates a digital security product to create a “backdoor” and make it available for any reason (lawful or other)?

The important thing about an iOS 9 “backdoor” in Apple’s case is that it could not be guessed or randomly generated; it would have to be an actual file – a metaphorical “skeleton key.” There’s a problem with skeleton keys, even digital ones: they can be copied. Importantly, they can be copied or stolen without the owner’s knowledge. The idea of creating a “skeleton key” defeats the purpose of encrypting it in the first place. If a key exists, it will be copied by both good and bad actors – that’s just a fact of digital life.

So again, I find myself begging you to engage in a civil, Socratic discussion about what kind of future we want to live in. Encryption enables banking (commercial and consumer) and commerce. Without it, our digital lives would be very, very different. How do you want to evolve the governance of our digital democracy? Where is the line between security and privacy? What do we want to ask our lawmakers to do? Hopefully this short story will inspire you to learn more about encryption so you can draw your own conclusions and join this techno-political debate.

Leave a comment

Posted in Cyber Security, Data Breach, Encryption, Forensic, Hacking, Security

Tagged , , ,

John McAfee Reveals To FBI, On National TV, How To Crack The iPhone (RT Interview)

Posted on March 6, 2016 | 1 comment

YouTubeYes, it has gotten this bad. In language simple enough for even a child to understand, John McAfee explains for the world and for the FBI how to hack…

Not as easy as John says, but it can be done !!!

Actually about that encryption. What’s the key? Salt of the key depends on unique device ID. Another part of the key must depend either on the fingerprint ID (which is easy enough, you don’t need the guy alive to get his fingerprints, people even leave fingerprints everywhere), or on a 4-digit PIN. Once you have code injection and can hack out the try counter and have a more direct path to inject the PIN numbers into the key generation algorithm, you can brute force them in a matter of minutes.

1 Comment

Posted in Cyber Security, eDiscovery, Encryption, Hacking, Security, Technology

Tagged , ,

This is What the Public Really Thinks About FBI vs. Apple

Posted on March 2, 2016 | 1 comment

Apple_FBI

DOJ v. Data Encryption – Public Perception and Communications Lessons

The heated dispute between Apple and the U.S. Department of Justice (DOJ) over the iPhone used by Syed Rizwan Farook before the San Bernardino, California, mass shooting has captured attention across America and the world. While this debate now focuses on one company’s decision, the implications go well beyond the mobile sector and even the whole technology industry. Companies and other organizations of all kinds responsible for managing personal data are concerned and need to be prepared to deal with the controversy’s impact.




To help deepen understanding about this complex issue, Burson-Marsteller, with their sister research firm Penn Schoen Berland, conducted a national opinion survey from February 23-24, 2016. The survey polled 500 General Population respondents (including 230 iPhone users) and 100 National Elites (individuals earning more than $100,000 per year who have college degrees and follow the news), and the results reveal critical communications issues around the fundamental conflict between privacy on the one hand and national security and safety on the other. Here are the key takeaways:

  • Overall awareness is high. Eighty-two percent of the General Population and 88 percent of National Elites have heard about the dispute. The news has gone viral, with people tweeting and posting on Facebook about it and commenting extensively online about news articles.
  •  The FBI should have access to one phone, not all phones. Respondents say the government should not be given a tool that potentially gives it access to all iPhones. Sixty-three percent of the General Population and 57 percent of National Elites say Apple should only provide the FBI with the data from the phone in question, and the tools to do it should never leave Apple’s premises. It is clear the public wants this decided on a case-by-case basis, and respondents do not trust law enforcement and national security agencies to self-police and protect privacy.
  •  The public expects companies to push back if there is the potential to violate privacy. Respondents say they want companies to protect the privacy of their data fully, even when the government is requesting data in the name of law enforcement or national security. A majority (64 percent of the General Population and 59 percent of Elites) says a company’s top obligation is to protect its customers’ data rather than cooperating with law enforcement or national security interests. However, most (69 percent of the General Population and 63 percent of Elites) see the need to compromise on privacy when terrorist threats are involved.
  • How the issue is framed determines public opinion. If the issue is framed as the FBI asking for access to this one phone, 63 percent of the General Population and 57 percent of Elites agree with the FBI position. If the issue is framed as potentially giving the FBI and other government agencies access to all iPhones, Apple’s position prevails overwhelmingly; 83 percent of the General Population and 78 percent of Elites agree Apple should either only grant access to the particular iPhone or refuse the request entirely.
  • Current laws are outdated. This situation reflects a much broader debate about privacy and security that will need to be resolved. About half (46 percent of the General Population and 52 percent of Elites) say current laws are outdated and need to be revised to reflect the changing role of technology in today’s society.

Regardless of the outcome of this current dispute, there is no question it is raising alarms about the state of data privacy. In the aftermath, companies will have to pay increasing attention to the expectations of their customers and consumers. The survey showed people are overwhelmingly concerned with the security and privacy of their digital data, with 90 percent of the General Population and 96 percent of National Elites saying they are very or somewhat concerned about the security and privacy of their personal information online or on their personal electronic devices. The Apple/DOJ dispute appears to be a turning point for all organizations trying to balance the demands of data privacy with national security and law enforcement considerations. The pressures on them are only going to grow.

 

1 Comment

Posted in Cyber Security, eDiscovery, Encryption, Forensic, Law Enforcement, Security, Technology

Tagged , , ,

Data Breach at UC Berkeley Impacts 80,000

Posted on March 2, 2016 | 1 comment

It’s a New Year !!!

computerkeyboard450

Roughly 80,000 people might have been impacted by cyber attack that hit a UC Berkeley system containing Social Security and bank account numbers, the university warns.

UC Berkeley officials are sending alert notices to current and former faculty, staff, students and vendors after discovering that one of the university’s systems had been breached, but say that there’s no evidence that any personal information has been accessed, acquired, or used following the attack.

However, the university has decided to inform users who are possibly impacted by the breach to stay alert on any misuse of their information and to enroll into a credit protection service the campus is offering free of charge.

Authorities, including the FBI, have already been notified about the incident.

According to a post from Janet Gilmore, Public affairs at UC Berkeley, the attack occurred in late December 2015, when an unauthorized user gained access to portions of computers that are part of the Berkeley Financial System (BFS). The attacker(s) leveraged a security vulnerability that UC Berkeley was in the process of patching, Gilmore states.

The blog post explains that the BFS is a software application used for the management of financial operations such as purchasing and most non-salary payments. Of the 80,000 potentially impacted people, 57,000 are current and former students, about 18,800 are former and current employees, including student workers, and 10,300 are vendors who do business with the campus.

Due to the fact that some individuals belong into more than one category, the breach impacted more than 80,000 entries, and Gilmore explains that this includes approximately 50 percent of current students and 65 percent of active employees. She also explains that many of the people impacted by the breach include individuals who received payments from UC Berkeley through electronic fund transfers.

“For students, this often involved financial aid awards that they elected to receive by electronic fund transfer. For many faculty and staff, this involved reimbursements, such as work-related travel reimbursements. Vendors whose Social Security numbers or personal bank account numbers were in the system in order for payment to be issued are also potentially impacted,” Gilmore says.

UC Berkeley learned of the potential unauthorized access to data within 24 hours of its occurrence, and Gilmore notes that officials took prompt action by removing all potentially impacted servers from the network, thus preventing further access to them. Furthermore, the campus hired a computer investigation firm to assist with the investigation.

Last month, University of Virginia’s HR system was breached and attackers managed to access sensitive information, including W-2s and banking details of University employees. Also in January, a hacker proclaiming allegiance to the Islamic State jihadist group infiltrated the internal network of one of China’s top universities.

1 Comment

Posted in Cyber Security, Data Breach, Hacking, Hacks, Security, Technology

Tagged , ,

Security Predictions 2016: Ransomware will continue to evolve and become increasingly complicated

Posted on February 27, 2016 | 3 comments

26884181_m-750x410

As we start each year, the team at thedigitalageblog looks into the crystal ball and makes predictions for the year.  Sometimes we’re right and sometimes we’re wrong, but we find it useful to look to the future and document what we see.

Our Prediction centers on the ongoing Ransomware attacks:

Ransomware will continue to evolve and become increasingly complicated.  We continue to be shocked at the amount of ransomware attacks where the “victim” actually pays the ransom.  The FBI said it received 992 CryptoWall complaints from April 2014 to June 2015, representing total losses of $18 million—and that is just reported cases. Because criminals are finding this scheme lucrative, hackers will continue to work on producing virus variants that are harder to detect and decrypt. Ransomware depends on human error; it is usually activated by a user clicking on a link in a phishing email. Encryption of sensitive data combined with regular back-ups onto external devices or cloud services are an excellent defense against these schemes. If you have a current copy of your data or web site, business can continue with minimal disruption. Paying the ransom does not, after all, guarantee full restoration of your data or web site. It’s important to note that mobile devices can also be overtaken by ransomware, and often the accompanying threat is to ruin one’s reputation.

3 Comments

Posted in Encryption, Forensic, Hacking, Hacks, Malware, Security

Tagged , , ,

If Amazon were in Apple’s position, would it unlock its cloud for the feds?

Posted on February 24, 2016 | 1 comment
Lock
There’s an easy way to protect your data in the cloud.

As Apple continues to resist FBI demands to unlock a terrorist suspect’s phone, it raises a question: What if Amazon Web Services was ordered to provide access to a customer’s cloud? Would AWS hand the data over to the feds?

+MORE AT NETWORK WORLD: Tim Cook issues internal memo on ongoing FBI/iPhone saga | VMware turns to IBM in the public cloud +

Amazon’s terms of service provide us a clue. AWS says it complies with legally binding orders when compelled to do so. Here’s a statement from Amazon’s FAQ on cloud data privacy (which is not written specifically about the Apple-FBI issue):

“We do not disclose customer content unless we’re required to do so to comply with the law or a valid and binding order of a governmental or regulatory body. Governmental and regulatory bodies need to follow the applicable legal process to obtain valid and binding orders, and we review all orders and object to overbroad or otherwise inappropriate ones.”

Most of the time, when ordered to hand over data, Amazon does so. In 2015 AWS received 1,538 subpoenas from law enforcement officials, according to information the company recently began making public. Just over half the time (in 832 cases, or 54% of the time) AWS complied fully with those orders. Another quarter of the time (in 399 cases) Amazon partially responded to the request for information, while in the remaining 20% of cases AWS did not respond to the subpoena.

amazon-subpoenas-100646389-large_idge

For customers who are concerned about Amazon handing over their data to the government, there are protections that can be put in place. “There’s a huge market focused on encrypting data stored in the cloud, and giving the customers the keys,” explains 451 Research analyst Adrian Sanabria. If customers use a third-party encryption service to scramble their data and manage the keys themselves, then even if Amazon did hand over the data to the feds, it would be useless. “Yes, it does sometimes create some issues with flexibility and breaking functionality, but it is there as an option if you want it, and (if done properly) AWS (or the government) can’t decrypt the data,” Sanabria says.

+ MORE ON APPLE: Apple and the FBI will need to compromise, Cisco’s CEO says +

AWS offers multiple different encryption methods, including ones that are built in automatically to some services – like S3, the Simple Storage Service, and others that customers manage themselves, such as the Hardware Security Module (HSM). AWS’s marketplace offers a variety of additional encryption and security services from independent software vendors.

Amazon says that it notifies customers when there’s been a request for their data to be handed over, unless there’s a compelling reason not to do that; for example if its clear the cloud service is being used for an illegal purpose.

AWS is more stringent about not providing other types of information to the government. In the second half of 2015 alone, AWS received 249 “National security requests” but did not comply with any of them. AWS also received 78 requests from non-U.S. entities, the vast majority of which (60) the company did not respond to.

AWS did not respond to a request to comment on this story.

Microsoft Azure basically has the same policy, according to the company’s website, saying “We do not provide any government with direct or unfettered access to your data except as you direct or where required by law.”

Even with all the concern over providers or the government being able to access data, Sanabria estimates that only a minority of cloud users encrypt data and manage their own keys.

 

 

 

 

1 Comment

Posted in Big Data, Network, Public Cloud, Security, Technology

Tagged , , ,

JOHN MCAFEE: I’ll decrypt the San Bernardino phone free of charge so Apple doesn’t need to place a back door on its product

Posted on February 19, 2016 | Leave a comment

John_McAfeeCybersecurity expert John McAfee is running for president in the US as a member of the Libertarian Party. This is an op-ed article he wrote and gave us permission to run.

Using an obscure law, written in 1789 — the All Writs Act — the US government has ordered Apple to place a back door into its iOS software so the FBI can decrypt information on an iPhone used by one of the San Bernardino shooters.

It has finally come to this. After years of arguments by virtually every industry specialist that back doors will be a bigger boon to hackers and to our nation’s enemies than publishing our nuclear codes and giving the keys to all of our military weapons to the Russians and the Chinese, our government has chosen, once again, not to listen to the minds that have created the glue that holds this world together.

This is a black day and the beginning of the end of the US as a world power. The government has ordered a disarmament of our already ancient cybersecurity and cyberdefense systems, and it is asking us to take a walk into that near horizon where cyberwar is unquestionably waiting, with nothing more than harsh words as a weapon and the hope that our enemies will take pity at our unarmed condition and treat us fairly.

Any student of world history will tell you that this is a dream. Would Hitler have stopped invading Poland if the Polish people had sweetly asked him not to do so? Those who think yes should stand strongly by Hillary Clinton’s side, whose cybersecurity platform includes negotiating with the Chinese so they will no longer launch cyberattacks against us.

The FBI, in a laughable and bizarre twist of logic, said the back door would be used only once and only in the San Bernardino case.

Tim Cook, CEO of Apple, replied:

The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.

The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cybercriminals. The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe.

Tim_Cook

No matter how you slice this pie, if the government succeeds in getting this back door, it will eventually get a back door into all encryption, and our world, as we know it, is over. In spite of the FBI’s claim that it would protect the back door, we all know that’s impossible. There are bad apples everywhere, and there only needs to be in the US government. Then a few million dollars, some beautiful women (or men), and a yacht trip to the Caribbean might be all it takes for our enemies to have full access to our secrets.

Cook said:

The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.

The fundamental question is this: Why can’t the FBI crack the encryption on its own? It has the full resources of the best the US government can provide.

With all due respect to Tim Cook and Apple, I work with a team of the best hackers on the planet. These hackers attend Defcon in Las Vegas, and they are legends in their local hacking groups, such as HackMiami. They are all prodigies, with talents that defy normal human comprehension. About 75% are social engineers. The remainder are hardcore coders. I would eat my shoe on the Neil Cavuto show if we could not break the encryption on the San Bernardino phone. This is a pure and simple fact.

And why do the best hackers on the planet not work for the FBI? Because the FBI will not hire anyone with a 24-inch purple mohawk, 10-gauge ear piercings, and a tattooed face who demands to smoke weed while working and won’t work for less than a half-million dollars a year. But you bet your ass that the Chinese and Russians are hiring similar people with similar demands and have been for many years. It’s why we are decades behind in the cyber race.

gettyimages-136135710

Cyberscience is not just something you can learn. It is an innate talent. The Juilliard School of Music cannot create a Mozart. A Mozart or a Bach, much like our modern hacking community, is genetically created. A room full of Stanford computer science graduates cannot compete with a true hacker without even a high-school education.

So here is my offer to the FBI. I will, free of charge, decrypt the information on the San Bernardino phone, with my team. We will primarily use social engineering, and it will take us three weeks. If you accept my offer, then you will not need to ask Apple to place a back door in its product, which will be the beginning of the end of America.

If you doubt my credentials, Google “cybersecurity legend” and see whose name is the only name that appears in the first 10 results out of more than a quarter of a million.

Leave a comment

Posted in Encryption, Forensic, Hacking, Hacks, Law Enforcement, Network, Security, Technology

Tagged , , , , ,

Edward Snowden defends Apple in fight against FBI

Posted on February 18, 2016 | 2 comments

Edward Snowden — the ex-NSA contractor who started this whole privacy debate — has joined the ranks of Apple defenders.
Snowden

On Tuesday, a federal magistrate-judge ruled that Apple must help the FBI break into the phone of one of the San Bernardino shooters. The FBI was unable to figure out the shooter’s passcode, which is the only way to get inside his iPhone.

Apple CEO Tim Cook is furious, saying that the U.S. government is trying to undermine the security of its flagship product.

“The government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers,” Cook said.

Apple plans to fight the decision, aided by the ACLU.

On Wednesday, the divide was clear: politicians versus engineers.

“The FBI is creating a world where citizens rely on Apple to defend their rights, rather than the other way around,” Snowden said Wednesday morning on Twitter.

Late Wednesday, Silicon Valley’s powerful tech industry trade group came out in support of Apple too.

“We worry about the broader implications … of requiring technology companies to cooperate with governments to disable security features, or introduce security vulnerabilities,” said the Information Technology Industry Council, which represents Dell, Facebook (FB, Tech30), Google, Hewlett Packard (HPE, Tech30), IBM (IBM, Tech30), Microsoft (MSFT, Tech30), Nokia (NOK) and others.

For years, the FBI has demanded special access into smartphones. Tech companies have refused, instead increasing the security of their customers’ data.

Cryptographers, the scholars who build security into technology, have unanimously warned that special access is a dangerous idea. To them, this isn’t about security competing with privacy. It’s just about security.

The San Bernardino shooter, Syed Farook, used an iPhone 5C. The FBI has been trying to guess his passcode to unlock it. If they guess wrong 10 times, Farook’s iPhone will permanently erase all the data stored inside.

Apple doesn’t hold the keys to his device. But the FBI wants Apple to create a special version of its iOS software that will get loaded onto the phone, circumvent Apple’s security features and let agents hack it.

Dan Guido, who runs the cybersecurity firm Trail of Bits, explained in a blog post Wednesday that this hack is possible. He said it would work on any iPhone 5C or older model, putting them “at risk when they’re confiscated by law enforcement around the world.”

Last year, the world’s top cryptographers issued a joint paper saying this is a bad idea. CNNMoney asked them if this particular San Bernardino case changes their mind. All seven who responded said no.

Matthew Green, who teaches cryptography and computer security at Johns Hopkins University, fears it’s a slippery slope. If Apple complies with the government this time, it’ll be forced to in the future.

“I haven’t seen any guiding principle that would prevent this from getting out of hand. It could easily result in every American becoming less secure,” he said.

Columbia University computer science professor Steven M. Bellovin said that if Apple doesn’t resist the FBI, it’ll soon face the same pressure from authoritarian and repressive governments like China.

“This makes it much easier for others — other police departments, other governments — to demand the same thing,” he said.

Bruce Schneier, one of the world’s top cryptographers, warned that criminals could also use this kind of special access to break into people’s phones to steal messages, photographs and other personal information. If Apple creates a weaker version of its operating system, others will get their hands on it.

Most tech industry executives — who normally tout privacy — remained silent Wednesday. WhatsApp cofounder Jan Koum stood out with this message on Facebook: “We must not allow this dangerous precedent to be set.”

U.S. Senator Ron Wyden of Oregon, one of the few politicians to rise to Apple’s defense, said “no company should be forced to deliberately weaken its products.”

(Read more: Manhattan DA says Apple makes terrorism cases ‘go cold’)

Other politicians pushed back on that idea Wednesday. White House Press Secretary Josh Earnest told reporters that the FBI is “not asking Apple to redesign its product or create a new backdoor to one of their products. They’re simply asking for something that would have an impact on this one device.”

Leading Republican presidential candidate Donald Trump weighed in too, saying, “we have to open it up.” Marco Rubio, who is also vying for the Republican presidential nomination, said Apple should give up its fight and be “a good corporate citizen.”

But even those who support the FBI’s demands say it’s a point of no return. Cyrus Walker teaches at the government-funded Cyber Defense Analysis Center, where he trains federal agents and police how to hack smartphones in criminal cases.

“If Apple demonstrates the ability to get around its own security countermeasures, that bell is rung and can’t be un-rung,” said Walker.

2 Comments

Posted in Encryption, Forensic, Hacking, Hacks, Law Enforcement, Security, Technology

Tagged , , , ,