Monthly Archives: February 2016

FBI head insists that Apple hack request be complied with

apple logo white on black-image www.intelagencies.com usa country flag image www.intelagencies.com

fbi_logo-blue-image www.intelagencies.com

The director of the US Federal Bureau of Investigation has defended his legal fight with Apple over encryption, saying the case involving the San Bernardino shooter’s iPhone was “quite narrow” and not intended to set a precedent.

In the latest volley of an escalating war of words between the US authorities and the world’s most valuable company, James Comey made an emotional appeal to Apple and the US public in a blog post on specialist legal site Lawfare.

More

On this story

On this topic

IN US Politics & Policy

“We can’t look the survivors in the eye, or ourselves in the mirror, if we don’t follow this lead,” he said. “We don’t want to break anyone’s encryption or set a master key loose on the land.”

The FBI director wrote that the tension between privacy and safety “should not be resolved by corporations that sell stuff for a living. It also should not be resolved by the FBI, which investigates for a living.”

Instead, he continued, the matter should be settled “by the American people” and called for a “long conversation” on the matter.

Mr Comey’s blog post comes ahead of Apple’s legal response later this week to a case that began last Tuesday when a judge in California ordered the iPhone maker to create tools that would help the FBI unlock a device used by Syed Rizwan Farook before he killed 14 people in December.

Tim Cook, Apple’s chief executive, has refused to comply with the order, calling the demand for what he called a “back door” into the iPhone an “over-reach” by the authorities that has “chilling implications” for its customers’ privacy. Several other Silicon Valley companies, including Google and Facebook, have supported Apple’s position.

On Friday the US Department of Justice and Apple traded blows over both the intent behind the order and the handling of the investigation. The DoJ accused Apple of putting concerns about its “marketing strategy” ahead of its legal obligations and said Mr Cook had made “numerous mischaracterisations” of the government’s case.

Apple executives denied that allegation and implied that the FBI had bungled an opportunity to gain access to data stored on Farook’s iPhone, by changing the iCloud password in the hours after he was killed in a shootout with officers.

That password reset prevented the iPhone from sending its data to Apple’s servers through an automatic back-up, where it could be accessed by the company and the FBI through a standard legal process.

You need JavaScript active on your browser in order to see this video.

No video

The FBI on Saturday denied wrongdoing in that situation, saying the iCloud reset was a “logical next step” in its investigation and “does not impact Apple’s ability to assist with the court order”.

“It is unknown whether an additional iCloud back-up of the phone after that date — if one had been technically possible — would have yielded any data,” the FBI said.

Mr Comey on Sunday night attempted to step over the row about the iCloud back-up and appealed to the broader principles at stake in what he called a “heartbreaking” case of terrorism.

“The San Bernardino litigation isn’t about trying to set a precedent or send any kind of message. It is about the victims and justice,” he wrote in his post, which does not directly mention Apple or the iPhone by name.

Apple must file its legal response to the judicial order by Friday, which is also the day the company holds its annual shareholder meeting at its Cupertino headquarters.

One survey late last week showed that US public opinion is finely balanced on the issue. An online poll of 1,093 US adults by SurveyMonkey found that 51 per cent agreed with the FBI while 49 per cent took Apple’s side. Even among iPhone owners, a narrow majority backed the FBI in the dispute.

dfi7v

Henry Sapiecha

Internet Firms Advise UK Against ‘Dangerous’ Changes To I T Law

ouser password screen shot image symbol image www.intelagencies.com

Tech giant Apple will resist the British government’s efforts to get access to encrypted data through a new spying law, CEO Tim Cook said Wednesday.

Last week, Britain published a draft law that seeks to ensure that telecommunication companies “provide wider assistance to law enforcement and the security and intelligence agencies in the interests of national security.”

That worries firms like Apple, whose iMessage service offers “end-to-end” encryption, meaning the company doesn’t have the ability to read messages sent over the app.

Cook told students at Trinity College Dublin that Apple didn’t plan to introduce a “back door” ability to decrypt the messages.

“We will productively work with the governments to try to convince them that’s also in their best interests in the national security sense,” he said.

Cook said weakening encryption would be bad for online security, because “if you leave a back door in the software then there’s no such thing as a back door for the good guys only.”

“If there’s a back door anybody can come in,” he said.

British Home Secretary Theresa May said last week that the draft Investigatory Powers Bill “will not ban encryption or do anything to undermine the security of people’s data.”

But civil liberties and privacy groups have expressed alarm at its provisions, which include requiring communications companies to hold onto customers’ web traffic records for up to a year. The draft bill also says service providers will be legally obliged to assist the authorities in getting access to customers’ devices.

The bill has yet to be approved by Parliament.

j6g89

Henry Sapiecha

Apple Boss Tim Cook Says He’ll Defy Britain’s Government Spy Law Data Access Plan

Italy Apple Cook_image www.intelagencies.com

Apple CEO Tim Cook, right, listens to former Italian premier and President of Bocconi University Mario Monti as they attend the inauguration of the academic year at the Bocconi, in Milan, Italy, Tuesday, Nov.10, 2015. (AP Photo/Luca Bruno)

Tech giant Apple will resist the British government’s efforts to get access to encrypted data through a new spying law, CEO Tim Cook said Wednesday.

Last week, Britain published a draft law that seeks to ensure that telecommunication companies “provide wider assistance to law enforcement and the security and intelligence agencies in the interests of national security.”

That worries firms like Apple, whose iMessage service offers “end-to-end” encryption, meaning the company doesn’t have the ability to read messages sent over the app.

Cook told students at Trinity College Dublin that Apple didn’t plan to introduce a “back door” ability to decrypt the messages.

“We will productively work with the governments to try to convince them that’s also in their best interests in the national security sense,” he said.

Cook said weakening encryption would be bad for online security, because “if you leave a back door in the software then there’s no such thing as a back door for the good guys only.”

“If there’s a back door anybody can come in,” he said.

British Home Secretary Theresa May said last week that the draft Investigatory Powers Bill “will not ban encryption or do anything to undermine the security of people’s data.”

But civil liberties and privacy groups have expressed alarm at its provisions, which include requiring communications companies to hold onto customers’ web traffic records for up to a year. The draft bill also says service providers will be legally obliged to assist the authorities in getting access to customers’ devices.

The bill has yet to be approved by Parliament.

ig

Henry Sapiecha

GOOGLE’S CHALLENGE TO KEEP HACKERS AWAY

An illustration picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw June 24, 2013. REUTERS/Kacper Pempel

An illustration picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw June 24, 2013. REUTERS/Kacper Pempel

Google’s security check list can help keep your data safe from prying eyes. Photo: Reuters

Along with an extra 2GB of free storage, taking Google’s security challenge offers a great safety checklist for all your online accounts.

These days most of us have the sense to take a few security precautions when creating a new online account, but security isn’t a set ‘n’ forget process. It pays to regularly update your accounts to ensure the security settings are up to scratch and you’re happy with the emergency contact details.

The years sneak up on you, it could be a decade or more since you created some of your webmail, cloud storage and social media accounts. That’s why Google is offering a quick security safety check to coincide with Safer Internet Day, rewarding you with an extra 2GB of cloud storage if you complete the checklist.

Whether or not you have a Gmail account, Google’s safety checklist is a great starting point for conducting a quick security check on all your online accounts.
Advertisement

Check your recovery information

It’s important to ensure your phone number, recovery email address and security question are up-to-date to help you recover control of your account should something go wrong.

It’s convenient to forward all your email addresses to the one inbox, so you can stay on top of things, but you don’t want your recovery email address forwarding to your Gmail inbox. In the event that your Gmail account is compromised, there’s no point in Google sending password recovery details and other sensitive information to your recovery email address if it will be forwarded to your Gmail address so the hackers can see it.

If you’re particularly concerned about security it might be worth setting up another email account that you only use for receiving security confirmations. Webmail services encourage you to link your accounts, but keep this one separate and secret.

Use an alias

Better yet, use an email service that lets you create aliases and use the alias as your recovery email address. For example, create an email address like John@youremail.com and then go to the advanced settings and create Paul@youremail.com as an alias which forwards to John@youremail.com.

Now use the alias Paul@youremail.com as your recovery email address. You’ll get messages at John@youremail.com but hackers won’t have any luck breaking into Paul@youremail.com because it’s not a real email account. It sounds complicated but it’s pretty simple to do and it makes life harder for hackers.

Email aliases are also useful for protecting sensitive accounts such as your Amazon account. If your public email address is George@youremail.com then create an alias like George-shopping@youremail.com for logging into your Amazon account. Hackers won’t get any joy trying to break into your account using George-shopping@youremail.com because that account doesn’t exist. It also helps foils social engineering attacks on Amazon’s support team.

It’s also worth reassessing your security questions. For example, the answer to a question like “What was your first phone number?” might have seemed obvious at the time, but is it referring to the house you grew up in, your first landline number when you moved out of home or your first mobile number? If you’re not sure then change the question to something less ambiguous

Don’t make your security questions too easy for people who know you well, considering that a disgruntled friend or relative might be the one who tries to break into your account. If you’re going through a messy breakup it’s definitely worth overhauling your online security.

Check your connected devices

Run your eye down this list to see if there are any devices you don’t recognise. You can click on the dropdown arrow to see more details about where and when they accessed your account.

If something jumps out at you, Google offers a “Something looks wrong” button. Regardless of which service you’re using, the first steps would be to change your password to something more secure and consider enabling two-factor authentication as an extra layer of security.

Also remove devices that you recognise but haven’t used for a long time, especially if you’ve handed them down to someone else. When in doubt, boot it out. You can always add the device to your account again if you realise you need it.

Check your account permissions

This list can grow surprisingly long over the years as you jump between online services which want access to your Gmail account, including a wide range of mobile apps. It can be a trip down memory lane as you discover old online services which bit the dust long ago.

The same as connected devices, look for anything you don’t remember adding or you no longer use and boot them out.

Check your app passwords

Entries in this list are one-off passwords generated for devices and services which don’t support two-factor authentication.

They’re most likely to be your computer and mobile devices accessing your contact and calendar information. You might also find devices like your printer, broadband modem or network storage drive which needs email access to send you alerts.

You definitely want to boot anything that shouldn’t be here. Also delete devices and services you no longer use, such as your previous smartphone, to close potential security loopholes.

Check your 2-Step Verification settings

Another name for two-factor authentication, this stops someone logging into your account from a new device unless they know your password and a one-time code which is usually sent to you as an SMS or generated by a mobile app.

It’s a good idea to enable two-factor authentication for all your services which support it. You can tell them to remember your devices, so you don’t need a two-factor code every time you log in from your own computer, smartphone or tablet (but make sure these devices are locked with a password).

Even two-factor authentication isn’t 100 per cent foolproof, there are reports of hackers hijacking and porting mobile phone accounts in order to intercept text messages authorising access to online banking business accounts. If you’re concerned about this, consider using a mobile app to generate your two-factor code.

While you’re conducting your security audit it’s worth checking all your accounts, here are links to the security preferences pages for a few other popular services;

Google: https://myaccount.google.com/security

Hotmail/Outlook.com: https://account.microsoft.com/privacy

Yahoo: https://login.yahoo.com/account/security

Dropbox: https://www.dropbox.com/account#security

Facebook: https://www.facebook.com/settings?tab=security

Twitter: https://twitter.com/settings/security

When was the last time you conducted a personal security audit? Which other security threats did you deal with?

ooo

Henry Sapiecha

Here’s how absurdly easy it is for attackers to destroy your website in just ten minutes

You might be amazed at how accessible hacking tools have become. Your site can be p0wn3d and an entire library of hacking tools downloaded and installed in just a few short minutes. Read this article and be prepared.

lock-hacked-security-image www.intelagencies.com

Every week, we read about another massive breach due to cyberattack. These breaches can cost organizations millions of dollars, subject them to lawsuits, and ruin thousands of lives.

The key to how an attacker gains a foothold inside an organization’s network is by being able to — somehow — gain access to accounts and computers inside the firewall. This often happens with malware that’s inadvertently brought inside the firewall by unsuspecting employees.

That malware can be delivered in a wide variety of ways, from phishing attacks where an insufficiently trained or careless user accidentally opens and runs an email attachment, to visiting a website that downloads information onto an insider’s computer.

It’s that second mechanism we’re going to talk about today. When most of us think about malware-infested websites, we usually think about users who visit inadvisable websites, sites that, frankly, most of us should know better than to visit. Someone visiting a porn site or a smartphone jailbreaking site is, almost by definition, visiting a site that is likely to be operated for nefarious purposes.

But it turns out that a great many innocent websites can be carriers for malware. All it takes is an insufficiently protected directory, an unpatched exploit, a poorly chosen FTP password, or even installing a free (but corrupted) site theme, and your website can become an entry point for a massive malware infection.

What most people don’t realize is how sophisticated and, frankly, user-friendly the tools used for cyberattacks can be. In this article, I’ve included a 10-minute video by the fine folks at Wordfence (a WordPress security firm) that shows how a typical WordPress site can be infected by just two lines of scripting code.

Once those two lines of code execute, they install a complete hacking toolkit that contains 43 separate hacking tools that the hackers can use to further compromise the server. As the video shows, these tools are often browser-based, and work like any other browser-based app.

According to a blog post by Wordfence, after analyzing a recently hacked site, they found what they called a hacking platform, which contained the following tools:

  • Complete attack shells that let [hackers] manage the filesystem, access the database through a well designed SQL client, view system information, mass infect the system, DoS other systems, find and infect all CMS’s, view and manage user accounts both on CMS’s and the local operating system and much more.
  • An FTP brute force attack tool
  • A Facebook brute force attacker
  • A WordPress brute force attack script
  • Tools to scan for config files or sensitive information
  • Tools to download the entire site or parts thereof
  • The ability to scan for other attackers shells
  • Tools targeting specific CMS’s that let [hackers] change their configuration to host [their] own malicious code

The following video is only ten minutes long, but it shows you just how accessible hacking tools have become. With tools and hacking platforms like these, it might take attackers no more than about ten minutes to gain a complete hold on your site.

This video illustrates why it’s just so important to update your sites, plugins, and themes frequently. Hackers who discover vulnerabilities can use them to get inside your site. Once they do, they can use your site as a malware delivery platform that can help them breach other sites and organizations.

See also

VIDEO BELOW SHOWS HOW TO BEST PROTECT WORDPRESS SITES

ooo

Henry Sapiecha

Apple asks widow to get court order to access her iPad, locked after her husband’s death

ipad image www.intelagencies.com

Your iPad and all your apps could be inaccessible if you don’t know the password. Photo: Bloomberg

After Peggy Bush’s husband, David, succumbed to lung cancer in August, she liked to play card games on their iPad to pass the time. The 72-year-old resident of British Columbia was on an app one day when it suddenly stopped working and she was unable to reload the device without providing a password for their Apple ID account.

Bush’s husband never told her the password, and she hadn’t thought to ask. Unlike so many of the things David had left for Bush in his will — car ownership, the title of the house, basically everything he owned — this digital asset followed him to the grave.

According to reporting by the Canadian Broadcasting Corp., the journey to procure the password proved more difficult than any other process involved in David’s passing.

“I thought it was ridiculous,” Bush told CBC. “I could get the pensions, I could get benefits, I could get all kinds of things from the federal government and the other government. But from Apple, I couldn’t even get a silly password.”

At first, they thought the solution would be simple. Bush’s daughter, Donna, called Apple to ask about having the password retrieved and the account reset. The company then requested David’s will and death certificate.

When they got these documents together and called a second time, Apple said they had never heard of the case. Donna told CBC that it took several phone calls and two months of waiting for Apple to accept a notarised death certificate, her father’s will and the serial numbers for the iPad and Mac computer to which Bush also wanted access.

But this was not enough. Over the phone, a representative told Donna the next step: “You need a court order.”

“I was just completely flummoxed,” Donna told CBC. “What do you mean a court order?”

Obtaining one could cost thousands of dollars, depending on the need for a lawyer, so Donna decided to take her complaint straight to the top.

“I then wrote a letter to Tim Cook, the head of Apple, saying this is ridiculous,” she said. “All I want to do is download a card game for my mother on the iPad. I don’t want to have to go to court to do that, and I finally got a call from customer relations who confirmed, yes, that is their policy.”

While Bush had the option of setting up a new Apple ID account, that would have meant losing all the app purchases that she and her husband had made on the original one.

Bush ended up buying a new laptop (not a Mac). Her mission to gain access to her husband’s Apple ID seemed futile until CBC’s “Go Public” wing contacted the company on Bush’s behalf.

Apple apologised for the “misunderstanding” and has since started working with Bush to solve the issue without a court order, CBC reported this week.

For the Bushes, the overdue response feels like putting a Band-Aid on a larger problem.

“We certainly don’t want other people to have to go through the hassle that we’ve gone through,” Donna told CBC. “We’d really like Apple to develop a policy that is far more understanding of what people go through, especially at this very difficult time in our family’s life, having just lost my dad.”

Toronto estate lawyer Daniel Nelson told CBC that online access is controlled by service providers such as Apple, even if users own their digital material. He described the court order demand as “heavy-handed” but also said Canadian digital property laws are “murky.”

The question of whether digital assets should be treated the same as material possessions where inheritance is concerned has emerged naturally with the growing ubiquity of social media usage, but few concrete answers have been offered by lawmakers and legal authorities. Most nations and states place digital and physical property in different categories, and tech companies themselves prohibit password-sharing. This means that often a person’s virtual trail continues to float in cyberspace following their death, adding to the grief felt by surviving family.

The Washington Post

ooo

Henry Sapiecha