11 May 2013
Apple's iPhone has proven a hit with the general public, but the company's strong security protections are making the device less than popular with law enforcement agencies.
It seems that the encryption on the handset is proving so hard for authorities to crack that they have to petition Apple to manually unlock it by overriding the security controls and decrypting the data needed for criminal prosecution.
Unfortunately, there are so many police asking for iPhone decryption that Apple has found itself with a backlog of requests. According to Cnet, law enforcement officials are being told that they must wait as long as two months to gain access to iPhone units that are connected to criminal investigations.
This is not the first time Apple's security protections have caught the eye of law enforcement agencies. Earlier this year the US Drug Enforcement Administration issued a warning to agents that messages delivered over Apple's Messages app – which sends data over secured HTTP connections – were all but impossible to eavesdrop on in the course of investigations.
The issue rehashes an ongoing battle that has erupted between the need for law enforcement agencies to access data and the right for users to have their data protected from intrusion. Apple is not alone in being caught up in the crossfire. Blackberry has found itself in the crosshairs of government authorities over its strong security protections that can prevent government eavesdropping.
06 May 2013
The Syrian Electronic Army has hacked the Twitter account of satirical news website the Onion.
Early reports had the hack pegged as a bit of satirical comedy from the site. However, a picture from the Syrian Electronic Army seems to validate reports that the Onion was indeed hacked.
Among the villainy performed by the hackers was a picture of the group's logo posted on the Onion's Twitter page. The Syrian Electronic Army also sent out a slew of tweets displaying Onion articles before their actual posting.
The Onion, being the comedy site that it is, took the hack in good fun. Following the hack, the site posted stories recommending the best practices to avoid getting hacked and a reminder that the firm had changed its password.
"Reduce interest in your website by cutting down on stories about very popular subjects, such as Syria," read one of the website's anti-hacking tips.
Hacks on Twitter have led to calls for two-factor authentication on the social networking site. Following the requests, Twitter has been said to be working towards bringing the feature into the fold later this year.
While two-factor authentication is a good option, we don't think the Onion will mind going without for a few months. The satirical news site seems like a terrible company to go after with a hack. The Onion, more than any other site, seems capable of turning a cyber attack to its advantage.
Following the high-profile compromise of the Associated Press Twitter account, the microblogging service is said to be mulling some major security changes.
According to a Wired report citing company sources, Twitter is now working to introduce a two-factor authentication option which can help to prevent account theft from phishing attacks. After hearing how the AP incident occurred, such protections are more than welcome.
In the aftermath of the breach, which resulted in fraudulent claims that the White House had been bombed and President Obama had been injured, staffers reported receiving some suspicious emails which were later found to be connected to a phishing attack.
It seems that the Syrian Electronic Army used a series of targeted phishing emails to harvest the credentials of AP staffers and eventually gain access to the company's main Twitter account. The stolen password was then used to access the account and launch a hoax that managed to temporarily disrupt the stock market.
If the reported series of events is true, then the AP hack could have been easily thwarted, and if reports on new developments are to be believed, it soon will be.
Wired has posted a report which claims that Twitter will soon be launching a two-factor authentication platform. The site uncovered a job report from earlier this year which would suggest that additional protections would soon be arriving.
Why is that so important? Two-factor authentication ties the account credentials and log-in to the actual holder. The platform not only requires a username and password, but also a numerical code which is randomly generated and then sent to the user's mobile phone for one-time use.
It's easy to see how this can help to protect users. Even when a username and password are harvested, the attacker would also have to steal the user's mobile device in order to access the account. This can dramatically reduce the number of attacks, especially high-profile breaches, which result from phishing.
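The one-time-code flow described above, as an added illustration that is not part of the original post and not Twitter's implementation: the server issues a random six-digit code with an expiry, "sends" it to the phone on file (a constructed in-memory list stands in for an SMS gateway), and a login succeeds only when both the password and a fresh, unused code are correct. The user record, salt and phone number are constructed sample data.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # constructed policy: a code is valid for five minutes


def hash_password(password, salt):
    """Salted PBKDF2 so the server never keeps the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample data: username -> (salt, password hash, phone number).
# A real system would use a random per-user salt rather than a fixed one.
_SALT = b"constructed-static-salt"
USERS = {"newsdesk": (_SALT, hash_password("correct horse battery staple", _SALT), "+15555550100")}
PENDING = {}   # username -> (code, expiry timestamp); one outstanding code per user
SENT_SMS = []  # stand-in for the SMS gateway: (phone, code) pairs "delivered"


def issue_code(username, now=None):
    """Generate a random six-digit code, record its expiry and send it to the user's phone."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[username] = (code, now + CODE_TTL_SECONDS)
    SENT_SMS.append((USERS[username][2], code))
    return code


def login(username, password, code, now=None):
    """Return True only if the password and a fresh, unused one-time code are both correct."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored_hash, _phone = record
    if not hmac.compare_digest(stored_hash, hash_password(password, salt)):
        return False  # a phished password alone never reaches the second factor
    pending = PENDING.get(username)
    if pending is None:
        return False
    expected, expires = pending
    if now > expires:
        PENDING.pop(username, None)  # stale code: discard it, the user must request another
        return False
    if not hmac.compare_digest(expected.encode(), code.encode()):
        return False  # production code would also rate-limit wrong guesses
    PENDING.pop(username, None)  # single use: a replayed code is rejected
    return True
```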
Of course, in order to be effective, these efforts have to be put in place. Corporate accounts will have to identify a single manager who can receive and provide the one-time credentials for protected accounts, and that may prove to be another headache for corporate marketing and public relations teams who share an 'official' Twitter feed.
What would anger you more? A few phone calls that were silent when you answered and then went dead or your medical records being leaked online, or left in a skip, or stored on an unencrypted CD that disappears, never to be recovered?
Fair to say it is probably the latter, the type of incident that regularly forces the Information Commissioner's Office (ICO) to issue fines of anywhere between £70,000 and £375,000 to NHS Trusts, police forces, councils, and the occasional private sector firm.
On many, many occasions it has been argued that, while obviously no organisation wants to lose money for data protection lapses, the fines on offer are just not high enough to act as a strong enough incentive to force the issue to the top of the agenda.
This argument took on further merit when communications regulator Ofcom was able to levy a fine of a staggering £750,000 against telecoms firm TalkTalk for making a few nuisance calls.
Ok, not a few, actually 9,000, but while this is no doubt annoying for those affected, it is clearly ridiculous that bugging a few people with some cold calls should land you with a bigger fine than losing personal, sensitive data entrusted to you by customers or patients.
No doubt Christopher Graham, huddled in newspaper and warming his hands over a bin of burning debris, watched on in despair as he learnt that the folks at Ofcom, in their glass-fronted waterside offices, were issuing such a large fine for, by comparison, such a menial offence.
If businesses are to take data protection seriously they are going to have to fear the wrath of the ICO far more. The ability for higher fines – as set out in the draft Data Protection Directive that’s currently being debated, and watered down, in Europe – is a must.
McAfee recently announced that it has begun to work with the National Institute of Standards and Technology (NIST) to strengthen cybersecurity infrastructure. The move is another reminder of public and private groups' efforts to shore up cybersecurity together.
The partnership along with enterprise support of the revised CISPA bill is another sign that private industry is willing to work with the government to slow cyber attacks.
Over the last few years, it has become clear that cyber security isn't just an enterprise issue. With news of the Chinese military perpetrating a variety of attacks on private industry, it is now obvious that many cyber threats affect both governments and corporations.
Hackers both large and small are now using the same methods. The recent Mandiant report on Chinese military hacking outlined the fact that military actors were using the same tactics as cyber criminals.
Through social engineering and patience, Chinese military hackers were able to get inside over 140 private enterprise systems. Those sorts of tactics are also used by independent cyber crooks.
The widespread use of advanced tactics is a key reason why companies and the government are finding it necessary to begin working together on the issue of cyber security. By partnering on the issue they can share information and work together to decipher potential threats.
However, the cross-industry work may also cause some privacy concerns for end users. Privacy advocates have continuously questioned CISPA because of its ability to let personal data get into the hands of government agencies without proper oversight.
According to advocates, the ability for companies to hand over data to government officials without any sort of oversight could cause problems on the privacy front.
On one hand, the unfiltered sharing of data between government and enterprise would drastically help the fight for cyber security. On the other hand, the open sharing could lead to data being used for the wrong reasons.
Both sides make fair points on the issue. And over time, hopefully, they will be able to come to a compromise that increases cyber security while addressing potential privacy concerns.
Unfortunately, the cyber attacks don't look like they will go away anytime soon. Cyber-espionage is only expected to grow over the years and hackers will continue to get more sophisticated over time.
Something will need to change to promote a stronger sense of information sharing. At the same time, hopefully, advocates will continue to fight for online privacy and stand their ground in the face of growing support in Silicon Valley.
17 Apr 2013
Twitter hacking is a serious issue. Take, for instance, the recent hack of National Public Radio's (NPR) Twitter account. NPR's account was hacked and erroneous tweets were sent out following the attack.
The slew of hacks makes it obvious that something needs to be done. Twitter called on its users to create stronger passwords in February, but that isn't enough. The company needs to take action and implement two-factor authentication for those that want to use it.
It's not a ground-breaking idea. Security experts have called on the firm to implement authentication for the last couple of years. Other companies like Microsoft even plan to use multi-factor authentication later this year.
Yet, Twitter has failed to get the memo (tweet?). At a time when more and more businesses are beginning to use Twitter for PR, something has got to be done. Enterprises can't have hackers getting hold of their feeds and sullying their names. It's bad for business, both Twitter's and the users'.
It's becoming clear that something is wrong. Even the words "#IveBeenHacked" have become something of a meme on the micro-blogger site.
Luckily, something may be on the horizon. Earlier this year, a Twitter job posting popped up calling for a software engineer to build multi-factor authentication.
The job posting looks to be leading to some sort of security update. Hopefully, it comes sooner rather than later.
12 Apr 2013
The Cyber Intelligence Sharing and Protection Act (CISPA) is back again. Rising from the ashes of a failed Senate vote, the bill has found renewed life thanks to the House Intelligence Committee.
Committee members approved the bill by an 18 to two vote. This go-around includes amendments which supporters say resolve issues with the bill.
Of course, opponents once again disagree. Advocacy groups and the White House continue to express alarm over the bill's failure to address privacy concerns.
Opponents' issues with the bill are the same ones they had last year when the original CISPA bill died on the Senate floor. They fear that a lack of governmental oversight will cause defence agencies to use personal user data for the wrong reasons.
The issues remain unresolved because proponents of CISPA say the government needs to be able to handle whatever data it receives with as little bureaucratic interference as possible.
Both sides have their points and both sides will be fighting for a compromise. CISPA, or something like it, will keep cropping up because both the government and private enterprise have too much riding on some sort of data-sharing initiative.
With reports of state-sponsored cyber-attacks on the rise and the constant threat of local hackers, CISPA is an important piece of legislation for the tech lobby.
Unlike SOPA, which didn't have the support of Silicon Valley, CISPA is technology company approved. SOPA was made for the entertainment industry and its bid to fight piracy. CISPA (and new-CISPA) isn't really about piracy. It's about cyber attacks.
The bill lays the groundwork so private industry can share cyber-threat intelligence without the possibility of getting sued. With CISPA, Facebook can send data about a local cyber-attack to the DOD so it can be informed and alert other tech companies to the threat.
In its current form, the DOD can also use that data in broad strokes. For example, it can pick up personal information that was received from a Facebook security data dump and use it for non-cyber threat purposes.
New-CISPA discourages that sort of tactic. However, the bill's definition of what exactly constitutes a cyber-threat is currently an expansive one.
The bill is making its rounds to Congress next week. It may get passed there but will most likely fail in the Senate. From that point it will either revive itself with amendments or its ideas will be reinterpreted in another bill.
Some sort of data-sharing act will keep coming and with the right opponents may come out with stronger privacy protections. How a data-sharing bill turns out will be determined by who ends up fighting for and against it.
Over the course of the coming year it will be interesting to see how bills like CISPA evolve, and how the public debate grows and changes. There's no telling how it's going to turn out, but it's becoming obvious that it isn't going away.
06 Apr 2013
Earlier this week word surfaced that the US Drug Enforcement Administration warned its employees that gathering intelligence on Apple devices would be difficult.
It seems Apple's use of encrypted connections for iMessage transmissions easily thwarts the eavesdropping methods normally used for investigations.
While the DEA gave no indication of any efforts to thwart the technology or force Apple to build in a back door for law enforcement, the use of encryption technologies has long been a complicated and contentious issue for governments.
Encryption, of course, played a huge role in the emergence of the computing space. The heroic efforts of engineers at Bletchley Park saved countless lives in World War II and brought about the emergence of the electronic computer as a tool for codebreaking.
As the post-war period turned to the Cold War, encryption evolved into an essential tool for the booming espionage sectors. With surveillance teams intent on gathering vital strategic information, both sides invested heavily in encryption tools.
As a result, encryption platforms became a closely-guarded secret, and the mathematicians and engineers who came up with the standards were themselves subject to strict government surveillance and control. Encryption icons such as Whit Diffie and Adi Shamir still joke about the intense and sometimes strange protections placed on early encryption platforms.
When the war ended and the PC emerged as a business tool, those restrictions became an issue. The tight restrictions hampered the export of technologies and led to an outcry from businesses and developers alike. Only in 2000 did the US fully repeal most of its controls over the distribution of encryption.
Even today, however, the spread and use of encryption remains an international issue. Many regimes who want tighter control over surveillance activities are asking vendors to dial back their use of encrypted connections.
This will only become a bigger concern as the threat landscape is reshaped by APTs and industrial espionage. Worries over loss of trade secrets will increase the demand for better encryption in the private sector, something which may become a major issue in emerging regions where tight authoritarian control from the state is still going strong.