Synology Urges You To Be On Guard Against Ransomware

Ransomware is some of the nastiest pieces of software in existence and in theory, it could hit anyone. Some people naturally have a greater risk, through the kind of work and tasks they do with their systems. But in theory, anyone can be unlucky enough to be hit with this kind of evil doing through security holes in the software being used.

This warning and reminder isn’t based on a specific new kind of ransomware, it is more to raise awareness of this kind of threats. Encryption-based ransomware such as CryptoWall, CryptoLocker, or TorrentLocker are on the rise, and they don’t just target Windows-based systems as many belief, they have also begun targeting network-based storage devices. Because of its stealthy nature and disastrous effects, ransomware is commonly perceived as a sophisticated, highly destructive, and unstoppable malware threat.

An advanced user isn’t really afraid of ransomware as they usually make backups of everything onto their network connected devices – or work directly from there via permanent shares and iSCSI setups. In the case of an infection, they simply wipe their system and install it again, and that would be the end of that story. Creators of this kind of nasty software know that and they want a piece of that pie too, which is why they have started to attack other systems besides workstations.

Where there is a threat, there is a way to defend yourself against it, at least in 99.9 percent of situations.

  • Update your operating system. Most people are up-to-date on their Windows and OS X updates simply because you’re being told when they’re available. But when was the last time you updated your NAS OS? Most NAS systems have automatic update features available and you should at the very least enable this for critical updates.
  • Install security software. A good anti-virus software is a good place to start and you’ll find solutions such as Avast or Intel security in your NAS’ app features. It will take up some resources to have it running, but those are resources that you should be happy to give up. Especially if you use the automatic download features found in all NAS units.
  • Disable Remote Desktop Protocol. Remote Desktop Protocol (RDP) is a very common target for malware, which is why you should disable it if you don’t absolutely need it.
  • Install Mobile Apps and use Push Notifications. Applications for your smartphone and tablet are another great way to stay on top of your headless systems. Together with the push notifications feature you get up-to-date statuses from your system right into your pocket.
  • Beware of your actions. The golden rule is as it always has been, beware of what you do. Take the one second extra to hover a link and check the destination in the status bar before you click it, turn off features such as Hide file extensions for known file types, and don’t trust anything until you have verified the authenticity.

This time, the warning came from Synology, but in theory, it could have come from any of the big manufacturers. The bigger a company and brand gets, the more likely it is that their systems will be actively searched for vulnerabilities. Luckily Synology and other NAS’ have even more features that will help you in case that you get hit by this kind of malware.

A multi-version backup of all your files is naturally the best defense. If everything is backed up, then the evil ones can take their ransom demand and stick it where the sun doesn’t shine. Backup all your vital files from your system and onto your NAS is the first step and from there on you should have at least one more backup step – this could be a cloud solution, another NAS, or external drives, for example. Synology’s new Cloud Station Backup app can do all this for you through a single app, so it is as easy as it’s ever been. Hyper Backup is another awesome tool that lets you enjoy a full range of multi-version backup destinations from local shared folders, expansion units, and external hard drives, to network shared folders, Rsync server, and public cloud services. It can also isolate data for further protection from internet threats.

If your system supports Snapshot Replication through Btrfs file system, then you got another level of protection right there. Snapshot Replication allows you to replicate data from a primary site to an offsite location up to every 5 minutes and 15 minutes for LUNs, ensuring all your critical data in shared folders or virtual machines in iSCSI LUNs can be recovered quickly in the event of a disaster.

Synology also put up a mini-site that summarizes all these information along with the step to follow if you should have been effected. The fact that this site even was made, speaks for the severity of these attacks and how far they’re spreading. So be aware, practice safe surfing, and show an evolved behavior.

Apple Denies Handing Over Source Code to China

During an Energy and Commerce Committee hearing earlier this week, entitled “Deciphering the Debate Over Encryption: Industry and Law Enforcement Perspectives,” which discussed the feud between Apple and the FBI over an iPhone tied to the San Bernardino shootings, Indiana State Police Captain Charles Cohen, Commander of the Office of Intelligence and Investigative Technologies, accused the Cupertino company of releasing its iOS source code and user data to China, while refusing to do the same thing for the US.

“I saw several news stories that said Apple provided the source code for the iOS [operating system for iPhone and iPads] to China,” Cohen said.

Following Cohen’s claims, for which he provided no evidence, Bruce Sewell, Apple’s General Counsel, confirmed that the company had “been asked by the Chinese government” for the source code, but that “we refused.”

Apple was also accused of possessing a key to access encrypted user messages and data – which would mean the company’s claims of end-to-end encryption were fraudulent – which it disposed of at the end of 2014.

“We have not provided source code to the Chinese government,” Sewell countered. “We did not have a key 19 months ago that we threw away. Those allegations are without merit.”

Image courtesy of Shelley Palmer.

San Bernardino iPhone Proves Useless Following Decryption

After a lengthy court battle, lasting months, that sought to compel Apple to compromise the security on an iPhone belonging to San Bernardino shooting suspect Syed Rizwan Farook, the FBI finally achieved the feat on its own. The result? Absolutely nothing of use was gleaned from the device, according to an anonymous source within US law enforcement.

“A law enforcement source tells CBS News that so far nothing of real significance has been found on the San Bernardino terrorist’s iPhone, which was unlocked by the FBI last month without the help of Apple,” CBS News reports. “It was stressed that the FBI continues to analyze the information on the cellphone seized in the investigation.”

It is still unclear who was responsible for bypassing the encryption of Farook’s iPhone 5c, nor the mean by which it was achieved. Multiple sources, however, suggest that the FBI enlisted the help of a private group of “grey hat” hackers to help crack the device.

“The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter,” according to the Washington Post. “[…] The people who helped the U.S. government come from the sometimes shadowy world of hackers and security researchers who profit from finding flaws in companies’ software or systems.”

“The company that helped the FBI unlock a San Bernardino shooter’s iPhone to get data has sole legal ownership of the method, making it highly unlikely the technique will be disclosed by the government to Apple or any other entity, Obama administration sources said this week,” Reuters revealed. “[…]The sources said the technology used to get into the phone was supplied by a non-U.S. company that they declined to identify.”

Regardless, FBI Director James Comey has suggested that the FBI will likely keep the exploit it used to access the iPhone to themselves, lest Apple attempt to patch the vulnerability. “If we tell Apple, they’re going to fix it and we’re back where we started,” Comey said. “As silly as it may sound, we may end up there. We just haven’t decided yet.”

Apple Claims ‘Most Effective Security Organization in the World’

In a recent press conference with some of Apple’s engineers, the company stated that they had the ‘most effective security organization in the world’. It wasn’t just an idle statement either, with them revealing a number of the security features that are packed into their iPhone both on the hardware and software levels.

The conference itself was a highly technical affair, with the attending engineers going to great lengths to detail the security protocols they have in place. More than just being a podium for Apple to  grandstand, this conference was a show of clear defiance against the revived effort by the US government to unlock the iPhones of criminals with them restating the point that making the popular smartphone less secure for them would risk compromising the privacy and security of their customers.

Unlike Android and the numerous companies developing Android devices, Apple control all aspects of their phone’s development which allows them to bake security into every level of their device, from hardware to firmware to software. The features employed in order to make the device so secure include a number of both industry-standard and Apple-specific features, which, when employed together secure the device at all levels, making it impossible to even flash the device with a hacked version of iOS or similar super-low-level attacks. They also believe that the chance of a bug occurring at a low enough level to cause a major compromise is small.

Getting users to ensure their phones run the latest version of iOS is another important step to keep devices secure, as each new iteration of the mobile operating system includes new security improvements and bugfixes. Some of the ways that Apple have employed to increase the adoption rate of the newest versions of their software include shrinking the size of the operating system from 4.6GB in iOS 8 to just 1.3GB in iOS 9 and also offering “while you were sleeping” update options, both of which seem to be effectual, with iOS 9 having an adoption rate of 80% so far.

It is plain to see how important Apple believe that security and encryption are to our future by the effort they put into ensuring their devices are secure. Their struggle to convince governments that slackening of security and precedents to force companies to unlock devices would have long-term damage is likely far from over, but we can be assured that Apple (and many other tech firms) will continue to struggle against these demands and ensure a safer and more secure digital future.

Apple & FBI Heading Back to Congress to Debate Encryption

When Apple and the FBI first appeared in front of congress the debate was if Apple could be ordered to unlock an iPhone, and if so should they then create a method where they could easily access future devices for law enforcement? While the case revolving around the San Bernardino phone is over, with the FBI gaining access with help from an external group, the debate is still far from over with both the FBI and Apple looking to appear before a congressional committee to debate encryption yet again.

The debate over encryption will see several people join the committee as witnesses, including Bruce Sewell (General Counsel, Apple Inc), Amy Hess (Executive Assistance Directory for Science and Technology, FBI) and Amit Yoran (President, RSA Security). Other witnesses include Ron Hickman representing the National Sheriffs Association and two police officers, Captain Charles Cohen and Chief Thomas Galati (Indiana state police and New York City Police respectively). With two university representatives Daniel Weitzner (MIT) and Matthew Blaze (University of Pennsylvania) appearing as well, it would appear that congress want to hear the debate from research, implementation and law enforcements points of views in an attempt to fully understand the debate that is raging on in countries all over the world about privacy vs protection.

With countries all over looking to this court case as an example of how technology has advanced while the law remains unclear, the congressional hearing could have a big impact on companies throughout America. The hearing will take place on April 19th and will be streamed on their site for ease of access.

Obama to Appoint Execs From Uber, Mastercard & Microsoft to Cybersecurity Panel

Cybersecurity is a big issue this year, with people becoming more and more aware of the steps that both governments and companies are making to gain access to or stop others accessing their data. After its recent attempt to get Apple to help bypass the security features on an iPhone, the FBI rather embarrassingly revealed that government systems had been accessed by an unknown party since 2011. In a move to help combat cybersecurity issues, President Obama intends to appoint executives from several major technology companies to a new cybersecurity panel to help act on these matters.

As part of a $19 billion proposal, the Commission on Enhancing National Cybersecurity will see people who are described by President Obama as being “dedicated individuals [who will] bring a wealth of experience and talent to this important role, and I look forward to receiving the Commission’s recommendations.”.

Among the names appear the likes of General Keith Alexander, director of the NSA from 2005 till 2014; Ubers Chief Security Officer Joe Sullivan; the CEO of MasterCard Ajay Banga and corporate vice president of Microsoft Research, Peter Lee. With these being just a few of the names listed, the list seems to be focused on gathering the support of those who have experience within the industry, and while the released statement may be an announcement of his intent, any of the members on the list could provide valuable insight into cybersecurity.

Security Flaw Allowed The FBI To Create The iPhone Cracking Software

Apple vs the FBI looks liked it would never end, originally starting with the FBI requesting (and then a federal judge ordering) Apple’s support in unlocking and gaining access to an iPhone in a court case. Apple looked to defend itself and ultimately the FBI recalled its actions when it received support from an outside party. It has now been revealed how the tool used by the FBI gained access to the iPhone through the use of a security flaw.

The security flaw, one that was previously unknown to Apple, allowed the creation of a tool to crack the four digit pin used to protect the phone from 10 failed attempts to gain access to a phone. The group that provided the tool to the government was a group of “grey hat” hackers who actively seek out flaws in software to then sell on to groups such as the government.

The exposed flaw affects both the iPhone 5 and iOS 9 iPhones, and may not affect work on newer versions of both iPhones and the iOS operating system. With FBI director James B. Comey saying that they may or may not disclose the security flaw to Apple, but with the latest leak revealing where they need to focus, Apple may now fix the problem before others are able to exploit it.

US Congress Bill Plans to Make Effective Encryption Illegal

In the wake of the FBI’s feud with Apple over bypassing the encryption of San Bernardino shooting suspect Syed Rizwan Farook’s iPhone, the US Congress is proposing a new bill that aims to outlaw effective encryption, what is termed “technical assistance”, requiring any company or entity to build in backdoors to its security systems for law enforcement to exploit.

In a draft of the proposed bill, written by a committee led by Senators Dianne Feinstein (D-California) and Richard Burr (R-North Carolina) and leaked by politics news outlet The Hill, businesses are required to release “information or data” if served with a court order – meaning that they are legally obligated to have access to that data in the first place – or provide law enforcement agencies with “technical assistance as is necessary to obtain such information in an intelligible format or to achieve the purpose of the court order.”

While talk suggests that the leaked draft of the bill is close to its final iteration, its final draft could still change, especially since it does not have the support of President Obama. It is not yet known if this version of the bill has been submitted to Congress.

“While the bill claims that it in no way is designed to force companies to redesign their products, this is a subtle hypocrisy,” Jonathan Zdziarski , a computer forensics and encryption expert, wrote in a blog post. “The reality is that there is no possible way to comply with it without intentionally backdooring the encryption in every product that may be used in the United States.”

“This bill would not only be surrendering America’s cybersecurity but also its tech economy, as foreign competitors would continue to offer—and bad guys would still be able to easily use!–more secure products and services,” Kevin Bankston, Director of the New America Foundation’s Open Technology Institute, told Vice Motherboard. “The fact that this lose-lose proposal is coming from the leaders of our Senate’s intelligence committee, when former heads of the NSA, DHS, the CIA and more are all saying that we are more secure with strong encryption than without it, would be embarrassing if it weren’t so frightening.”

WordPress Enables Free HTTPS Connections to Custom Domains

WordPress is a free, open source content management system, typically used for blogs and quick makeshift websites. While it’s nice to have your own content, you want to make sure that its safe and secure, something which the “Lets Encrypt” project hopes to improve upon, a project that WordPress have now joined.

The Lets Encrypt Project announced on March 9th that it would soon take on a new name as it transitioned to its new home at the Electronic Frontier Foundation (EFF) a group specialising in the law, security and technology.

WordPress has now announced that it has joined the program, offering the green lock symbol everyone loves to see when travelling through the internet, with any custom domains (those that don’t have .wordpress.com in their address) now gaining the benefits of the free SSL certificate issues by the program automatically with little to no effort on their owners behalf. You can find the steps to give your website access to HTTPS certificates here, giving everyone the benefit of free and reinforced security for their websites.

Not only is it free but you get a more secure connection for minimal effort, something that has been hard to do for website up until now. What is not to like about this program? Especially those with WordPress blogs.

The FBI Have Started Briefing People About How They Broke Into The iPhone

After the recent court battle people, the FBI have been rather quiet regarding how they managed to get into an encrypted iPhone. That was until recently when the FBI started briefing senior officials about the methods they used, so it’s likely we won’t hear about it anytime soon.

The FBI have already given a briefing to senator Dianne Feinstein (Vice chairman of the Senate Select Committee on Intelligence) about the technique they used to get into the iPhone 5C. Although no real details were given, it would seem that this may be the first of many with senator Richard Burr (the chairman of the Senate Intelligence Committee) was also offered a briefing, something that he has not accepted yet.

Feinstein and Burr are currently supporting a bill that would see companies required to help the government gain access to encrypted technologies that companies create. This new bill would see Apple and other companies compelled to help bypass or remove encryption on their hardware and software, something which the White House has yet to support.

With the new bill in sight, Feinstein and Burr also believe that companies like Apple shouldn’t be informed about the techniques the FBI used to gain access to their device, with Feinstein saying, “I don’t believe the government has any obligation to Apple. No com­pany or in­di­vidu­al is above the law, and I’m dis­mayed that any­one would re­fuse to help the gov­ern­ment in a ma­jor ter­ror­ism in­vest­ig­a­tion.”.

With encryption now one of many technological advances that governments and law enforcement now struggle with dealing with, it should be interesting to see how governments address this and if they choose to work with or against companies in dealing with the dangers this technology possesses if used in the wrong hands.

WhatsApp Turns on Encryption for All Platforms

In a move that is sure to rile the FBI, following the law enforcement agency’s feud with Apple over its refusal to unlock the iPhone of a suspect in the San Bernardino shooting, instant messaging app WhatsApp has added end-to-end encryption to every iteration of its software on every platform, providing added security to an additional one billion users.

“Building secure products actually makes for a safer world, (though) many people in law enforcement may not agree with that,” WhatsApp co-founder Brian Acton told WIRED.

“We’re somewhat lucky here in the United States, where we hope that the checks and balances hold out for many years to come and decades to come. But in a lot of countries you don’t have these checks and balances,” added Jan Koum, the second co-founder of the company. “The argument can be made: Maybe you want to trust the government, but you shouldn’t because you don’t know where things are going to go in the future.”

Mark Zuckerberg, Chief Executive of WhatsApp’s parent company Facebook, was a vocal supporter of Apple during its court struggle against the FBI. “We’re sympathetic with Apple,” Zuckerberg said during a technology conference in February. “I don’t think requiring back doors into encryption is either going to be an effective way to increase security or is really the right thing to do.”

The FBI Are Already Helping Others Unlock iPhones

In the recent Apple vs the FBI case, the concern was raised about what would happen if the FBI managed to get Apple to unlock the device. People were worried that this one high-profile phone could open the floodgates to requests to unlock the hundreds of iPhones that are in police custody. Initially, we were told that this wouldn’t be the case but as events unfolded this clarification seemed to fade away and we were left with the answer we had expected from the start, an answer that seems to be confirmed by the FBI already helping others unlock iPhones.

In a letter to local authorities, the FBI promise that “we are in this together” and that they would help local authorities unlock iPhones and even iPods where they can legally. In fact, they already have, in a case for Arkansas prosecutors, the FBI have already agreed to unlock both an iPhone and an iPod.

It doesn’t stop there, according to the Washington post, the FBI are looking at if it would be possible to share the tool with local law enforcement. With the firm that helped the FBI create the tool charging only a one-time flat fee, the FBI could offer the tool as long as it retains its classified tool, an issue which has already hampered and raised issues with devices such as the Stingray.

The full letter can be found below courtesy of Buzzfeed:

Since recovering an iPhone from one of the San Bernardino shooters on December 3, 2015, the FBI sought methods to gain access to the data stored on it. As the FBI continued to conduct its own research, and as a result of the worldwide publicity and attention generated by the litigation with Apple, others outside the U.S. government continued to contact the U.S. government offering avenues of possible research. In mid-March, an outside party demonstrated to the FBI a possible method for unlocking the iPhone. That method for unlocking that specific iPhone proved successful.

We know that the absence of lawful, critical investigative tools due to the “Going Dark” problem is a substantial state and local law enforcement challenge that you face daily. As has been our longstanding policy, the FBI will of course consider any tool that might be helpful to our partners. Please know that we will continue to do everything we can to help you consistent with our legal and policy constraints. You have our commitment that we will maintain an open dialogue with you. We are in this together.

Kerry Sleeper
Assistant Director
Office of Partner Engagement
FBI

Suspect In The UK Told To Decrypt His Devices For The US

Apple vs the FBI may be over but that doesn’t mean the question about decryption and the law is over. In the most recent case to catch our ears a suspect from the UK being asked to decrypt his devices for the US authorities.

Lauri Love is a British computer scientist, who is a suspect in the breach of US government networks, which are claimed to have caused “millions of dollars in damage”. After being initially arrested in 2013, and then released, Love was re-arrested back in 2015 and is facing extradition to the US for the suspected crime. While he has not been charged with any crimes, Love has been asked as part of a Section 49 RIPA notice (doesn’t sound that bad does it?) to decrypt his devices by providing them with the passwords and keys required to unlock his devices.

With his devices confiscated, something that Love is now fighting in a counter-sue in civil court, the authorities want to access the data on his devices which include, a Samsung Laptop, a Fujitsu Siemens laptop, a Compaq computer tower, an SD card and a Western Digital hard drive. Alongside this, the National Crime Authority, the UK branch that has demanded the devices be decrypted, are interested in files located on the SD card and external drive that are encrypted using TrueCrypt.

What is most worrying is that if Love was to provide the keys, and this evidence is used against him in the US, then it would breach his fifth amendment rights within the US. The fifth amendment can be described as allowing someone to present evidence against themselves, meaning that you can’t be forced to prove your guilt, by unlocking a computer for example.

In his argument, Love states that “the NCA are effectively arguing that any information that cannot be read and comprehended by the police has a presumption of guilt”. An argument that if extended to other circumstances, could be seen as worrying for any groups that share information and protect journalists, whistleblowers and anyone within the legal profession.

FBI Reveals Reason for Asking Apple to Unlock Their iPhones

In the recent case of Apple vs the FBI, the FBI requested Apple’s assistance in unlocking an iPhone, a request that caused legal worries and issues for a number of technology companies. We may finally know the reason for why the FBI pushing so hard on Apple to unlock their iPhones.

In an email, it was revealed that the reason Apple needed to help the FBI was a little more personal than some might expect. The email reveals that James Comey, Director of the FBI , likes iPhones and is actually quite a big fan of Apple altogether, or, at least, was until he forgot his passcode.

After forgetting his passcode, Comey tried to recover access to his device by resetting the passcode and once that failed, by using his password to attempt to gain access. When all this failed, Comey had no option but to reach out for help to gain access to his phone.

With Apple refusing to unlock his iPhone the FBI were forced to use alternative means to gain access to the device, which turns out to be as simple as removing the battery and forcing a hard reset. Apple has since revealed that it fixed the problem in subsequent versions of the iPhone, but in a generation of secure devices being able to reset passwords by forcing a hard reset worrying, simply turning it off and back on again seems a little low-tech solution to a problem.

For more information you can read the full email here.

Apple Vs The FBI is Over!

The legal case of the year is over already. Apple vs the FBI is over in a court case that saw the question of security vs privacy raised on a national, and even global, level. After cancelling a court hearing with Apple, the FBI have officially closed the court case.

It would seem that even without their assistance, the FBI claim to have managed to break into and access the data required on the iPhone in question. In their response, the FBI stated that the new hack was “sufficiently plausible” to a point where they could stop pursuing Apple’s assistance.

Currently, there is no information about who performed the hack or how many iPhones the hack works against. With so little information about the hack, it’s hard to tell if the court case could reemerge in the future with over a hundred phones in government control still locked.

In their response the Department of Justice reminded us that they would continue to gather information from encrypted devices, saying that “It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety”, and then there is a small reminder that with or without help, “either with cooperation from relevant parties or through the court system”.

Petya – The Ransomware That Deletes Your Master Boot Record

Ransomware is getting nastier and nastier. Initially just an attempt to turn malicious software (malware) into something that is financially rewarding, ransomware works by encrypting your files and asking that you pay them (normally in bitcoins) in order to get the keys required to unencrypt the files. The latest one looks to make it even harder for you to bypass it by deleting master boot records on infected computers.

Named Petya, the new ransomware overwrites master boot records of affected PC’s meaning that your computer, next time it’s turned on, doesn’t even know where to go find our operating system, resulting in a computer that can’t even find the OS, let alone load it. Trend Micro report that the email seems to be hidden in emails that are advertising themselves as a job advert, with an email linking to a dropbox folder. Within the folder is a self-extracting archive, apparently the applicants CV and photo only once extracted the ransomware is installed.

The system is then tricked into a critical error, resulting in everyone’s favourite blue screen of death. During reboot the false master boot record (MBR) that was put in place by Petya will encrypt the master file table, this is the record of every file, location and where and how to get it to it on your system. By encrypting this file, you don’t need to go near the actual files, as any operating system will be unable to find the files. Encrypting one file instead of hundreds reduces the speed, meaning that people are often left with no choice but to pay the 0.99BTC (£296 roughly) fee that they request.

With ransomware getting even more aggressive in its tactics, it’s all that more important to ensure you check emails because you receive them and keep your anti-virus and anti-malware software up to date.

Gmail Says Use of Encrypted Emails Has Risen 25%

We use email every day, be it sending them for work or personal reasons or getting a thousand and one emails advertising everything from something you are interested in helping a foreign prince distribute their wealth. One way that you can be protected when sending emails is to send encrypted emails, something which has risen in use by 25% for Gmail users.

What caused this spur of encrypted emails? Google stated last year that they would start flagging up emails which were unencrypted, warning users which providers and emails were being sent from services that supported TLS encryption. This change came into effect in February this year, the end result of which was the 25% increase in encrypted emails that Gmail has reported in the last month.

Google isn’t acting alone on this, with Comcast, Microsoft, Yahoo and other companies in the industry looking to create SMTP, a new standard that could be used to help protect emails from man-in-the-middle attacks.

Combining all these with their recent push on security updates in Chrome and Android, including their use of two-factor authentication encryption and warning people about state-sponsored attacks on accounts, it’s becoming more and more clear that even in the digital world, companies want your private information to remain private.

FBI Calls Off Court Hearing With Apple Because They Might Have Another Solution

The battle between Apple and the FBI could soon be over with the FBI calling off a court hearing.

After several hearings with Congress, the story may finally be over with the latest meeting between Apple and the FBI being canceled after FBI received another party has come forward offering their support. In a document filing with the court the Department of Justice (DoJ) stated:

On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone. Testing is required to determine whether it is available method that will not compromise data on Farook’s iPhone. If the method is viable, it should eliminate the need for the assistance from Apple Inc. (“Apple”) set forthin the All Writs Act Order in this case.

As much as the FBI would love to think that they came up with the solution, but it was Snowden criticizing the FBI’s claims about unlocking the phone that seems to have been the tipping point. With numerous groups claiming to have ways to unlock the iPhone, the FBI pushing for Apple to create a way for them to unlock an iPhone has long been suspected of being an entry to the encrypted software.

If the FBI had this alternative available since the start, it would appear suspicions about the FBI using this an attempt to make future requests easier were true. If this is the case, trust in the FBI could be damaged even more with people questioning why the FBI wanted easy access to everyone’s iPhones.

New SMTP STS Email Security Standard Published by Industry Leaders

A number of engineers from some of today’s top tech firms have come together to provide a new standard of security for the sending and receiving of emails. Google, Microsoft, Yahoo, Comcast, LinkedIn and 1&1 Mail & Media Development & Technology are all part of this new standard that is named SMTP Strict Transport Security (SMTP STS). The new standard will allow email providers to define policies and rules that control the sending and receipt of encrypted email communications, which is a vast improvement over current email security.

When SMTP (Simple Mail Transfer Protocol) was envisioned back in 1982, it included no facilities for encryption or security. This same protocol has been in use to this day, and despite additions over the years, such as  STARTTLS that have added support for TLS (Transport Layer Security) to SMTP connections, its adoption rate has been low and the majority of email traffic is as unencrypted as in the 80s. Between May and August 2014, in the wake of Edward Snowdon’s leaks, Facebook saw adoption for STARTTLS jump from 58% to a whopping 95%. STARTTLS is not without flaws, though, as it does not validate the digital certificates and is vulnerable to both man-in-the-middle attacks and simple stripping of the encryption.

The newly proposed SMTP STS addresses both of the main flaws that exist in STARTTLS. Firstly, it informs connecting clients that TLS is available and recommended for use as well as how the certificate should be validated and the consequence of failure to establish a TLS connection. SMTP STS policies are set via special DNS records added to the email for the server’s domain name, providing ways for clients to validate the policies and report failure. Man-in-the-middle attacks can be foiled by a mail server telling a client to cache its SMTP STS policies for a set duration, to prevent false policies being injected.

Whether this new standard will catch on the wider world of the internet remains to be seen, but with so many key companies involved in its development and security being such a key topic in the modern-day, we can only hope that it allows us to keep our emails that much secure and private.

Terrorists Used Burner Phones Not Encryption To Evade Detection

In light of the recent discussions regarding privacy vs security, such as those being discussed by Apple and the FBI in congress, the discussion often comes back to the encryption and whether groups or government agencies should be able to break it when it comes to security. It could perhaps be damaging to groups like the FBI to learn that it wasn’t encryption that stopped the people responsible for the terrorist attacks in Paris from being detected earlier on but it was instead burner phones.

Burner phones is a term used to describe phones that are used only briefly before being disposed or burned. The concept being that the longer you hold onto a device the easier it is to track and monitor your actions with it. Several phones linked to the terrorists involved in the Paris attacks only activated their phones the day before, or even minutes before the events occurred.

Currently, all the burner phones involved had sent no online chat messages or emails, throwing more doubt over if terrorists use methods which federal agencies are often targeting and claim they need access to monitor and track.

With little to no evidence that encryption played any part in their communications, recent calls to unlock encryption communication because of these events could struggle to hold the sway they did before while traditional methods of burner phones and “dead drops” (where you leave a package or message at a specific location for picking up at a later date) could require more old-fashioned work to catch early on.

Apple’s Tim Cook Describes FBI Fight as a “Bad Dream”

Apple CEO Tim Cook has spoken candidly to TIME about his on-going battle against the FBI – with the US law enforcement agency putting him and his company under immense pressure to bypass the iPhone encryption of San Bernardino shooting suspect Syed Rizwan Farook – comparing the ordeal to a “bad dream”. Cook also expressed his dismay that the US government should be the one to stand up for the civil liberties of US citizens, not him.

“I never expected to be in this position,” Cook confessed in the interview with TIME magazine. “The government should always be the one defending civil liberties. And there’s a role reversal here. I mean I still feel like I’m in another world a bit, that I’m in this bad dream in some wise.”

“But at the end of the day, we’re going to fight the good fight not only for our customers but for the country,” he said. “We’re in this bizarre position where we’re defending the civil liberties of the country against the government. Who would have ever thought this would happen?”

Cook took the opportunity to stress that, despite reluctance – “Fighting the government is not a thing we choose to do,” he laments – his fight against the FBI’s efforts to bypass Apple’s encryption will continue, because, “at the end of the day—and none of us would have been able to sleep at night” if Apple caved.

Image courtesy of Mashable.

FBI Hacking Case Judge Doesn’t Understand Computing

A US Judge, during a case regarding the FBI’s use of Network Investigative Technique (NIT) – effectively a form of hacking – was found to have little knowledge or understanding of the concepts being discussed.

During a hearing in Seattle on Friday (15th March), Judge Robert J. Bryan presided over the case of Jay Michaud, a public school administrator in Vancouver, Washington, who was charged with possession of child pornography. Michaud was caught in a sting operation by the FBI, during with the law enforcement agency seized a hidden Tor service called Playpen, hosted it from its own server, and used NIT to bypass the Tor encryption to obtain his real IP address. The use of NIT in the case is being contested.

During the hearing, Judge Bryan appeared confused as to how NIT works: “I am trying to understand,” he told the court. Below is a transcript from the hearing (via Vice Motherboard), during which Judge Bryan fails grasp how NIT is implemented:

Judge Bryan: “Do the FBI experts have any way to look at the NIT information other than going to the server?”

Colin Fieman (Michaud’s public defender): “Your Honor, they don’t go to the server.”

JB: “Where do they go? How do they get the information?”

CF: “They get it from Mr. Michaud’s computer.”

JB: “They don’t have his computer.”

CF: “That’s what the NIT is for.”

Struggling to wrap his head around NIT, Judge Bryan later said, “I suppose there is somebody sitting in a cubicle somewhere with a keyboard doing this stuff. I don’t know that. It may be they seed the clouds, and the clouds rain information. I don’t know.”

While, on the face of it, Judge Bryan’s comments are amusing – though, to be fair, the ideas being conveyed during the case can be impenetrable to people without an inclination toward technology and computing – it is worrying that someone without a grasp of the subject being discussed is then expected to make a ruling on the matter, and that Judge Bryan’s ignorance, though not necessarily his fault, does not automatically recuse him from presiding over the case.

Or, as Vice Motherboard puts it:

““If a smart federal judge still has trouble understanding after hours of expert testimony what is actually going on,” then the average judge signing warrant applications has little hope of truly understanding what the FBI is proposing, Nate Wessler, staff attorney at the American Civil Liberties Union (ACLU), told Motherboard in a phone interview.”

Image courtesy of HackRead.

Obama Weighs In On Apple Vs FBI

Recently the news has been flooded by the events of Apple and the FBI, both of whom are arguing in regards to encryption and companies being made to remove or bypass security features on government orders. Each side has arguments that are fair and it doesn’t look like the discussions will end anytime soon as each side makes point after point, for now though it would seem that President Obama weighs in with the FBI.

Answering a question in his keynote speech at the South by Southwest conference, President Obama started with “I can’t comment on that specific case” only to then follow-up by reminding people that law enforcement agencies can obtain a warrant then “rifle through your underwear to see if there’s evidence of wrongdoing”.

Obama carried on by saying that “we don’t want [the] government looking through phones willy-nilly”, a core concept at the heart of the Apple FBI argument, but re-enforced that we are looking at future where we will need “strong encryption” but in some cases, we may need to bypass that encryption. Raising the question around what would happen if we created technology that was so strongly encrypted, how would we catch people who are acting illegally.

Obama seems to be a fan of the master key scenario, in which a special key (or series of keys) could be used to gain access through robust encryption. In order to reduce the risk in this scenario though he would have the key “accessible by the smallest number of people possible for a subset of issues that we agree are important.”

Obama did accept that “how we design [such a system] is not something I have the expertise to do”, effectively stating that he wants to get support and backing from the companies that use this technology to help negotiate an acceptable answer for all to this solution.

France to Punish Companies for Refusing to Decrypt Devices

France has been keen on getting ahead of technology when it comes to their laws. From their environmental stances of requiring solar panels on their roofs to making sure that large companies like Facebook protect people’s data sufficiently. In light of recent security concerns though they have moved to punish companies for refusing to decrypt devices.

France recently looked into banning the anonymous network Tor and blocking Wifi during special situations. The latest step in security was to accept an amendment to a bill that would make companies like Apple, who are activly fighting the FBI on modifying their software to break into an iPhone, either pay a fine or face five years in jail if they refused  to hand over encrypted data.

While this is only the bills first reading, if the amendment went ahead companies may feel uneasy doing business in France for fear of either giving out personal information or face a fine. It should be noted though that while Amendment 90 is being considered, it could be worse with amendment 221 going so far as to increase the fine by over 5 times and requesting “all relevant” information, that means more than just the message they are looking for.

Amendment 51 went so far as to state that companies who refused to help authorities would be considered “accomplices to terrorism”, a far stretch from the truth by any imagination. With public support seeming to increase for Apple’s case in the US and companies and figures alike coming out in support of them, accepting such a controversial bill couldn’t help the French government when trying to enlist technology companies help.

Snowden Speaks Out Regarding FBI’s Claim It Needs Apple To Unlock iPhone

Apple is currently under a lot of pressure from the US government, with the FBI looking to “request” their help in unlocking an iPhone. The problem people find is that the FBI are requesting Apple do something that Apple are not comfortable with, and as a result, have been ordered to do so under a very old and rather vague act. One of the most famous faces regarding the US Governments digital behaviour,  Edward Snowden, has now spoken out regarding the FBI’s claim it needs Apple to unlock the iPhone in question.

Speaking at a Conference via Video chat, Snowden stated the while the FBI say they need Apple’s ‘exclusive technical means’ to unlock the iPhone in question, he believes that claim is nothing more than lies.

The reason he says the FBI’s claim is rubbish is simply because several people have come forward with alternative methods for the FBI to gain access to the phone. It should be noted that Apple has already said they would have handed over the data if the FBI hadn’t tried to reset the iCloud password for the iPhone.

With the alternative methods not being mentioned at the congressional hearing regarding the FBI’s case for bypassing Apple’s security features, it would appear to many that the FBI are looking for a precedent to force companies to unlock their devices, something which they originally stated would not happen (but now appears to be the case).

You can view the conversation on surveillance, democracy and civil society in which Snowden spoke below.

DOJ Appealing Order Found in Favor of Apple

Apple is everywhere in the news these days. From the rumoured features of their next generation of phones to the courtrooms. In a case that recently came to light in New York, the judge ruled that Apple could not be forced to unlock an iPhone by the All Writs Act. This didn’t sit well with the DOJ who are now appealing the order.

The case in New York features another iPhone, again locked by a passcode. Repeatedly trying different passcode risks the data on the phone, thanks to a security measure put in place that states when you fail to put in the passcode 10 times, it will erase the phone. With so many combinations, the FBI are looking to enlist Apple’s help to type in passcodes through software, without the data being erased.

I say looking to enlist, but the act used (the All Writs Act) has been deemed as some as an order from a judge where no legal precedent is available for the request. A judge in New York recently ruled that Apple couldn’t be forced to remove these settings or extract the data by use of the All Writs Act.

The DOJ don’t seem happy though with this ruling, asking the court to review the decision by the Magistrate Judge, with the hopes that they can get the iPhone unlocked and the continued in a similar fashion to the one currently taking place in California.