The Busses Have Ears

Surveillance is pervasive in our society. You can hardly walk down a street without some nosey camera recording your movements or ride public transportation without some snoopy microphone recording your conversation:

MTA began using recording devices inside some of its buses in 2012, without seeking legislative approval. Nearly 500 of its fleet of 750 buses now have audio recording capabilities. Officials say the devices can capture important information in cases of driver error or an attack or altercation on a bus.

They can also record conversations so they can later be requested by law enforcers looking to nail somebody to a cross. The dangers of pervasive surveillance are almost always understated by statists. Surveillance fetishists always justify their spying by claiming it’ll protect the children, thwart terrorism, or otherwise help combat some overblown concern. What they leave out is that the data is also available to prosecute nonviolent individuals.

Imagine if two people were making a peaceful drug transaction on one of these surveillance buses. Without the microphones in place the transaction would probably go unnoticed. But because the data exists it would only take one law enforcer or concerned citizen to listen to it to turn that previously peaceful transaction into a violent home raid.

Surveillance is dangerous precisely because law enforcers are willing to use any collected data to ruthlessly enforce victimless crimes. That’s a reality that is never mentioned by the surveillance state’s proponents.

Argh, Pirates Be A Hackin’ The High Seas

The biggest threat to computer security may be the average person’s lack of creativity. Imagine if you asked a random person on the streets what the possible ramifications of poor computer security at a shipping company could be. I would wager a bet that you’d get a lot of blank stares and variations of, “Uh, nothing.” But if you ask a creative person, say a pirate, the same question you will likely hear some pretty interesting ideas:

Tech-savvy pirates once breached the servers of a global shipping company to locate the exact vessel and cargo containers they wanted to plunder, according to a new report from Verizon’s cybersecurity team.

“They’d board the vessel, locate by bar code specific sought-after crates containing valuables, steal the contents of that crate — and that crate only — and then depart the vessel without further incident,” says the report, Verizon’s Data Breach Digest.

Just because you can’t think of a reason security is important doesn’t mean somebody else can’t. This is especially important to keep in mind if you’re one of those “I’ve got nothing to hide,” people. You might not be able to think of any reason but somebody who means you ill almost certainly can.

When you’re assessing your own security, whether it be on a personal or organizational level, it’s wise to bring in some outsiders, perhaps people with experience in breaching networks for malicious purposes, and pay them a little something to provide you with ideas you haven’t thought of yet. You will likely be surprised at how many things you simply failed to think of.

New York Judge Rules Feds Can’t Coerce Apple Into Unlocking An iPhone

In a rare positive judicial ruling, a judge in New York has ruled against the feds who were demanding the power to coerce Apple into unlocking an iPhone:

A US magistrate judge in New York has ruled that the government can’t force Apple to help law enforcement unlock an iPhone using the All Writs Act.

[…]

In the brief, the judge concluded that this is an issue that should be handled by Congress. If the government wants to use All Writs or CALEA to force companies to circumvent encryption, there needs to be a clear law granting it that power.

It should be noted that this case is separate from the San Bernardino one but the ruling could give Apple’s lawyers some judicial precedent to strengthen their argument in that case.

Unfortunately, but not surprisingly, the judge ruled that Congress needs to make a law to resolve this debate. What would have been better is a ruling that said the State doesn’t have the power to coerce people into performing labor against their will. Of course such a precedent would effectively invalidate the State itself so I understand why it wasn’t made.

This issue will likely continue to come up until the Supreme Court rules on it. Having the authority to coerce companies into creating backdoors is just too enticing for the feds to roll over on. That being the case, companies should start focusing their efforts on creating software and devices that they are unable to crack. If devices are effectively secured by default it won’t matter what laws are passed or what rulings are made.

When Idiots Write About Computer Security

People trying to justify the Federal Bureau of Investigation’s (FBI) demands of Apple are possibly the most amusing thing about the agency’s recent battle with Apple. Siding with the FBI requires either being completely ignorant of security or being so worshipful of the State that you believe any compromise made in the name of empowering it is justified.

A friend of mine posted an article that tries to justify the FBI’s demands by claiming Apple is spreading fear, uncertainty, and disinformation (FUD). Ironically, the article is FUD. In fact it’s quite clear that the author has little to no understanding of security:

In its campaign, Apple is mustering all the fear, uncertainty and doubt it can. In an open letter to its customers, it states that “the government would have us write an entirely new operating system for their use. They are asking Apple to remove security features and add a new ability to the operating system to attack iPhone encryption, allowing a passcode to be input electronically. … It would be wrong to intentionally weaken our products with a government-ordered backdoor.” The FUD factor in that statement is “weaken our products.” It is grossly misleading, the plural suggesting that the FBI wants Apple to make this back door a standard part of iPhones. That’s flat-out false. What the government has asked is that Apple modify software to remove a feature that was not present in earlier versions of the software, and then install that new software on the single phone used by the terrorist. Apple can then destroy the software.

Apple’s statement is entirely accurate. The FBI is demanding a signed version of iOS that removes security features and includes a mechanism to brute force the password used to encrypt the contents of the device. Because the firmware would be signed it could be loaded onto other iPhones. We also know the FBI has about a dozen more phones it wants Apple to unlock so this case isn’t about a single phone. This case is about setting a precedent that will make it easier for the State to coerce companies into bypassing the security features of their own products.

The claim that Apple can destroy the software is also naive. In order to unlock the device the software must be loaded onto the phone. Since the phone is evidence it must be returned to the FBI. That means the FBI will have a signed copy of the custom firmware sitting on the phone and the phone will be unlocked so it would be feasible for the FBI to extract the firmware. Furthermore, the process involved in writing software for a court case will likely involve several third parties receiving access to the firmware:

Once the tool is ready, it must be tested and validated by a third party. In this case, it would be NIST/NIJ (which is where my own tools were validated). NIST has a mobile forensics testing and validation process by which Apple would need to provide a copy of the tool (which would have to work on all of their test devices) for NIST to verify.

[…]

During trial, the court will want to see what kind of scientific peer review the tool has had; if it is not validated by NIST or some other third party, or has no acceptance in the scientific community, the tool and any evidence gathered by it could be rejected.

[…]

If evidence from a device ever leads to a case in a court room, the defense attorney will (and should) request a copy of the tool to have independent third party verification performed, at which point the software will need to be made to work on another set of test devices. Apple will need to work with defense experts to instruct them on how to use the tool to provide predictable and consistent results.

It will likely be impossible for Apple to maintain exclusive control over the firmware.

Once the genie is out of the bottle it can’t be put back in. This is especially true with software since it can be reproduced almost infinitely for costs so small they’re practically free. If Apple produces this firmware it will not be able to make it not exist afterward. Let’s continue with the article in question:

More contradictory to Apple’s claims is that the FBI has specifically stated that it does not intend to cause a weakening of the consumer product, so this case cannot be used as a precedent. Should the government at any time attempt to do that so that back doors to be embedded in products, its own words would be the most compelling argument to counter that.

The FBI claims a lot of things. That doesn’t make those claims true. By merely existing this firmware would make consumer products less secure. Currently the iPhone’s security is quite strong as noted by the fact that the FBI has been unable to break into about a dozen phones in its possession. If Apple releases a firmware that can bypass security features on iPhones it necessarily means the overall security of iPhones, which are consumer products, is weakened. There is no way to logically argue otherwise. When something that couldn’t be broken into can be broken into it is less secure than it was. The fact that I felt the need to write the previous sentence causes me great pain because it speaks so ill of the education of the author.

The FUD continues, with Apple saying, “Law enforcement agents around the country have already said they have hundreds of iPhones they want Apple to unlock if the FBI wins this case.” That might very well be the case. But it has zero relevance. Each of those cases could be resolved only with a court order of its own, regardless of what happens with the San Bernardino iPhone. Even if this case were not in front of the court at the moment, any state, local or federal law enforcement agency could bring a similar case forward.

Actually, it’s entirely relevant. The FBI wants the court precedent so prosecutors in other cases can compel companies to bypass security features on their products. Apple isn’t simply fighting the creation of a purposely broken firmware, it’s fighting a precedent that would allow other courts to coerce companies into performing labor against their will. Obviously the author’s understanding of the legal system, specifically how precedent works, is as lacking as his understanding of security.

Gaining access to locked data is a legitimate law enforcement issue, and whatever your personal beliefs, all law enforcement officers have a responsibility to attempt to collect all information that is legally possible to collect.

While law enforcers may have a responsibility to attempt to collect all information within their power to collect that doesn’t mean they should be able to compel others to assist them at the point of a gun.

In other forums, Apple has been claiming that if the U.S. requires Apple to cooperate in providing access to the phone, all other governments around the world will then expect the same sort of cooperation. It is a bogus claim — more FUD. Do Apple’s lawyers really not know that the law of one country does not apply to another? Apple’s winning its case in the U.S. would do nothing to stop another country from initiating a similar action. Its losing its case should have no influence on whether other countries decide to pursue such matters.

I see the author doesn’t pay attention to world events. Oftentimes when a government sees another government get away with something nasty it decides it can also get away with it. Take Blackberry, for example. India demanded that Blackberry give it access to a backdoor and Blackberry complied. Seeing India getting what it wanted the government of Pakistan demanded the same. Monkey see, monkey do. It should be noted that Blackberry actually left Pakistan but it was obviously for reasons other than the backdoor demands.

Apple knows that if it rolls over it will encourage other governments to demand the same as the FBI. If, however, it digs its heels in it knows that it will discourage other governments from demanding the same. This is the same principle as not negotiating with terrorists. If you give in once it will encourage others to pull the same shit against you.

But of all of Apple’s arguments, the one that is most ludicrous, or perhaps the most damning of its much-touted security prowess, is revealed in this response to the government’s request for a key that could unlock one phone:

“Of course, Apple would do our best to protect that key, but in a world where all of our data is under constant threat, it would be relentlessly attacked by hackers and cybercriminals. As recent attacks on the IRS systems and countless other data breaches have shown, no one is immune to cyberattacks.”

First, Apple is already relentlessly attacked by hackers and criminals. I would like to hope that Apple has better security practices than the IRS. But when you unpack this statement, you are left with the impression that we should not trust any of Apple’s software or products. You have to assume that, should Apple write the software that the FBI wants, it would be among the most protected software in the company. If Apple is concerned about this software being compromised, what does that say about all of its other software?

This is another claim that can only be made by somebody who doesn’t understand security. This firmware wouldn’t be entirely in Apple’s hands. As noted above, the FBI would possess a phone with the firmware installed on it. And anybody who has paid attention to the various congressional hearings on the numerous federal network breaches knows the federal government’s network is incapable of protecting anything of value.

This firmware isn’t like a private key, which can serve its purpose even if you keep it within your exclusive control. It’s a piece of software that must be loaded onto a device that is evidence in a crime, which necessarily means it must leave your exclusive control. So Apple’s security isn’t the only cause for concern here.

Even assuming that a bad guy gets hold of just the software that law enforcement wants created, it would have to be signed by Apple’s security certificate to load on any phone.

Which the copy on the phone and any copies sent out for independent testing would be.

If the criminal gets a copy of the software and it has already been signed with the certificate, Apple could revoke the certificate.

If the author read the Electronic Frontier Foundation’s (EFF) excellent technical overview of this case he would know that the public key is built into the hardware of the iPhone. This is actually a smart security practice because it prevents malware from replacing the public key. If the public key was replaced it would allow malware to load its own code. The downside to this is that Apple can’t revoke the public key to prevent software signed with the corresponding private key from loading.

But if a bad guy gets hold of Apple’s digital certificate, then the whole Apple software base is at risk, and this feature that the FBI wants bypassed is irrelevant. After all, Apple has stated that it is not immune from attack, and it has implied it is a reasonable concern that its most protected software can be compromised.

I’m going to take this opportunity to write about a specific feature of public key cryptography that is relevant here. Public key cryptography relies on two keys: a private key and a public key. The private key, as the name implies, can be kept private. Anything signed with the private key can be verified by the public key. Because of this you only need to hand out the public key.

I have a Pretty Good Privacy (PGP) key that I use to encrypt and sign e-mails. Anybody with my public key can validate my signature but they cannot sign an e-mail as me. If, however, they had my private key they could sign e-mails as me. Because of this I keep my private key very secure. Apple likely keeps its software signing key in a vault on storage media that is only ever connected to a secure computer that has no network connectivity. Under such circumstances an attacker with access to Apple’s network would still be unable to access the company’s software signing key. For reasons I stated earlier, that’s not a model Apple can follow with the firmware the FBI is demanding. Apple’s security concerns in this case are entirely unrelated to the security practices of its private key.
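The signing model described above, as an added example (not code from this post, the EFF overview, or Apple): it shows that holding the public key lets a device verify but not sign, that a validly signed image is accepted by every device carrying the same fixed key, and that a key fixed in hardware cannot be swapped out afterward. The toy textbook-RSA key, the Device class, the serials and the firmware bytes are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, FrozenInstanceError

# Toy textbook-RSA key built from two Mersenne primes. Constructed for this
# example and NOT secure: no padding, well-known primes.
_P, _Q = (1 << 107) - 1, (1 << 127) - 1
N, E = _P * _Q, 65537                      # public key: safe to hand out
_D = pow(E, -1, (_P - 1) * (_Q - 1))       # private exponent: never leaves the vendor


def digest(image: bytes) -> int:
    """SHA-256 of the image, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def vendor_sign(image: bytes) -> int:
    """Signing needs the private exponent, so only the vendor can do it."""
    return pow(digest(image), _D, N)


@dataclass(frozen=True)                    # frozen models a key fixed in hardware
class Device:
    serial: str                            # hypothetical serial number
    rom_key: tuple = (N, E)

    def accepts(self, image: bytes, signature: int) -> bool:
        """Boot check: the only question asked is whether the signature verifies."""
        n, e = self.rom_key
        return pow(signature, e, n) == digest(image)


def run_demo() -> dict:
    image = b"constructed firmware image v1"
    sig = vendor_sign(image)
    evidence, other = Device("SERIAL-A"), Device("SERIAL-B")

    results = {
        # The signature does not mention a device, so both devices accept it.
        "evidence_device": evidence.accepts(image, sig),
        "any_other_device": other.accepts(image, sig),
        # Changing one byte of the image invalidates the signature.
        "tampered": other.accepts(image + b"!", sig),
        # Someone holding only the public key cannot produce a valid signature.
        "public_key_only": other.accepts(image, pow(digest(image), E, N)),
    }
    try:
        # No update path for the trusted key: the device cannot be told to
        # stop trusting signatures already made with the matching private key.
        other.rom_key = (N + 2, E)
        results["key_replaceable"] = True
    except FrozenInstanceError:
        results["key_replaceable"] = False
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```
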

In addition to his technical incompetence, the author decided to display his argumentative incompetence by closing his article with a pretty pathetic ad hominem:

But Apple, seeming to take a page from Donald Trump’s presidential campaign, is using the situation to promote its brand with free advertising.

If all else fails in your argument just compare your opponent to Trump.

It’s Not Just One iPhone The FBI Wants Unlocked

There are people siding with the Federal Bureau of Investigation (FBI) in its current court battle with Apple. These misguided souls are claiming, amongst other nonsensical things, that the FBI only wants a single iPhone unlocked. They believe that it’s somehow OK for Apple to open Pandora’s box by releasing a signed firmware with a backdoor in it so long as it’s only for unlocking a single iPhone. Unfortunately, as those of us siding with Apple have been pointing out, this case isn’t about a single iPhone. The FBI wants a court precedent so it can coerce Apple into unlocking other iPhones:

In addition to the iPhone used by one of the San Bernardino shooters, the US government is pursuing court orders to force Apple to help bypass the security passcodes of “about a dozen” other iPhones, the Wall Street Journal reports. The other cases don’t involve terror charges, the Journal’s sources say, but prosecutors involved have also sought to use the same 220-year-old law — the All Writs Act of 1789 — to access the phones in question.

By setting a precedent in the San Bernardino case the FBI would have grounds to coerce Apple, and other device manufacturers, to unlock other devices. We know the FBI already has a dozen or so phones in the pipeline and it will certainly have more in the coming years.

Besides the precedent there is also the problem of the firmware itself. If Apple creates a signed firmware that disables iOS security features and automates brute forcing passwords it could be installed on other iPhones (at least other iPhone 5Cs but possibly other iPhones). With this firmware in hand the FBI wouldn’t even need to coerce Apple into helping each time, the agency could simply install the firmware on any compatible devices itself. This is why Apple believes creating such a firmware is too dangerous.

You can never believe the government when it claims to be taking an exceptional measure just once. Those exceptional measures always become standard practice.

The Abysmal State Of Credit Card Security

Credit card fraud is a major problem. This isn’t surprising since until recently, at least here in the United States, credit cards included no security. Hoping to reduce fraud the credit card companies developed the Europay, Mastercard, and Visa (EMV) standard. Cards that comply with the EMV standard include a chip, which offers some security. But here in the United States two setbacks have prevented EMV from delivering better credit card security. First, the United States is adopting chip and signature, not chip and PIN. Secondly, most merchants still aren’t equipped to process EMV credit cards:

This week a management consulting company called The Strawhecker Group (TSG) released the results of a study that found that only 37 percent of US retailers were ready to process chip-embedded credit and debit cards. The slow adoption of chip-embedded cards leaves merchants open to accepting liability for fraud perpetrated with traditional, less-secure magnetic stripe cards.

I attribute this low adoption rate to the credit card companies failing to set a hard cutoff date for magnetic strips. Even if you get an EMV card it will contain an insecure magnetic strip so it can be used at merchants that aren’t set up to process EMV cards. Since all EMV cards are equipped with magnetic strips merchants aren’t motivated to get set up to process EMV cards.

When it comes to security hard cutoff dates are necessary. Without them users of the old insecure standard see no reason to upgrade. With them users grumble about having to upgrade but will begrudgingly do it out of necessity. Credit card companies need to set a date and tell merchants that after that date magnetic swipe transactions will be declined, otherwise we’ll never get over this financial fraud fuckery.

Bill Gates Sides With The FBI

Microsoft has always enjoyed a cozy relationship with the State. This isn’t surprising to anybody who has paid attention to Bill Gates and his ongoing love affair with the State. It’s also not surprising that he is siding with the Federal Bureau of Investigation (FBI) against Apple:

Technology companies should be forced to cooperate with law enforcement in terrorism investigations, Gates said, according to a Financial Times story posted late Monday.

“This is a specific case where the government is asking for access to information. They are not asking for some general thing, they are asking for a particular case,” he said.

This statement by Gates is laughable. The FBI is demanding Apple create a custom signed version of iOS that doesn’t include several security features and includes built-in software to brute force the decryption key set by the user. That is not a general thing for a particular case, that’s a general tool that can be used on many iPhones.

What is funny about this though is that Bill Gates tried to backpedal but in so doing only said exactly the same thing over again:

In an interview with Bloomberg, Bill Gates says he was “disappointed” by reports that he supported the FBI in its legal battle with Apple, saying “that doesn’t state my view on this.”

Still, Gates took a more moderate stance than some of his counterparts in the tech industry, not fully backing either the FBI or Apple but calling for a broader “discussion” on the issues. “I do believe that with the right safeguards, there are cases where the government, on our behalf — like stopping terrorism, which could get worse in the future — that that is valuable.” But he called for “striking [a] balance” between safeguards against government power and security.

Any “balance” would require Apple to create firmware that includes a backdoor for government use. In other words, it would require exactly what the FBI is demanding of Apple.

Cryptography is math and math belongs to that very small category of things that are either black or white. Either the cryptography you’re using is effective and only allows authorized parties to access the unencrypted content or it is ineffective. There is no middle ground. You cannot break cryptography just a little bit.

Although the existence of a version of iOS with a backdoor is frightening in and of itself, the idea that a single judge can enslave software developers by issuing a writ is terrifying. That’s an aspect of this case that is getting glossed over a lot. Apple has already publicly stated it has no desire to write a weakened version of iOS. If the court sides with the FBI it will try to force Apple to write software against its will. Why should any individual have the power to legally do that?

The Public-Private Surveillance Partnership Strikes Again

As a history buff Ancestry.com has always interested me. I’d love to trace back my family lineage. But the public-private surveillance partnership has held me back.

I figured it was only a matter of time until government agents began demanding genetic records from services like Ancestry.com and 23andMe. Once again my paranoia turned out to be prophetic (not because I’m so smart but because it was so bloody obvious):

Now, five years later, when 23andMe and Ancestry both have over a million customers, those warnings are looking prescient. “Your relative’s DNA could turn you into a suspect,” warns Wired, writing about a case from earlier this year, in which New Orleans filmmaker Michael Usry became a suspect in an unsolved murder case after cops did a familial genetic search using semen collected in 1996. The cops searched an Ancestry.com database and got a familial match to a saliva sample Usry’s father had given years earlier. Usry was ultimately determined to be innocent and the Electronic Frontier Foundation called it a “wild goose chase” that demonstrated “the very real threats to privacy and civil liberties posed by law enforcement access to private genetic databases.”

[…]

Both Ancestry.com and 23andMe stipulate in their privacy policies that they will turn information over to law enforcement if served with a court order. 23andMe says it’s received a couple of requests from both state law enforcement and the FBI, but that it has “successfully resisted them.”

As a general rule I’m wary of any service that collects information the State wouldn’t normally have. I know any personal information collected on me by a service provider is a single court order away from being in the hands of the State.

This is a problem many libertarians fail to fully realize. They make a stark distinction between corporate and government surveillance and fail to realize the former becomes the latter at the whim of a judge. If it wasn’t for the State’s power to obtain private records I wouldn’t be as concerned with corporate surveillance since companies aren’t in a habit of sending armed goons to my door to shoot my dog and kidnap me.

Is That A Bitcoin In Your Pocket

Considering the Transportation Security Administration (TSA) achieved a 95 percent failure rate it’s not surprising this happened:

The TSA attempted to “screen” airline passenger Davi Barker for the virtual currency Bitcoin.

Barker is co-founder of BitcoinNotBombs, a Bitcoin advocacy group that gets donation-based organizations and social entrepreneurs set up to handle the currency. He’s written a very detailed telling of what happened right here. After going through security (he opted out of the body scanner but was successfully cleared through the checkpoint), two people stopped him, and it got uncomfortable quickly.

What next? Will some random TSA goon demand to see the Transport Layer Security (TLS) certificate in your briefcase?

The agency’s 95 percent failure rate makes a lot of sense when stories like this keep popping up in the news. When your agents are so clueless that they harass passengers after seeing something entirely imaginary there’s little hope that they’ll catch any of the real dangers.

Invest In Security Now Or Pay Later

Security is a difficult thing to pitch. To summon Bastiat from beyond the grave, the costs of implementing security are seen but the costs of not implementing security are unseen. Making the pitch even more difficult is the fact most people think, “It’ll never happen to me.” But a breach can happen to anybody and the associated costs are often tremendous:

Hollywood Presbyterian Medical Center, the Los Angeles hospital held hostage by crypto-ransomware, has opted to pay a ransom of 40 bitcoins—the equivalent of $17,000—to the group that locked down access to the hospital’s electronic medical records system and other computer systems. The decision came 10 days after the hospital lost access to patient records.

$17,000 is already a decent chunk of change and 10 days of network downtime for a hospital is a very serious expense. This disaster could have been greatly mitigated with proper security practices. First of all, based on what we know so far about the breach, e-mail should never have been accessible on a computer with direct access to a mission critical system:

Stefanek did not say how the malware was introduced into the hospital’s EMR system. But the leading suspect, according to sources familiar with the investigation, is a phishing attack—likely a link in an e-mail that was clicked by a hospital employee on a computer with access to the EMR system.

E-mail is the source of a lot of malware, and phishing attacks, specifically targeted ones, have become surprisingly effective. Knowing this, mission critical systems should be isolated from likely malware vectors (although I would argue those systems shouldn’t be connected to the Internet at all). Mission critical data should also be available redundantly so if one system goes down another can be made available immediately while the down one is repaired. Frequent backups should also be part of any security plan so that if something like this happens the machine can be quickly restored.

If you’re in a position that oversees budgeting, give serious consideration to the unseen consequences of not providing funds for security and realize that an attack can happen to your organization.