Privacy

SPOTLIGHT ON SECURITY

Apple, FBI Tussle Puts Bull’s-Eye on iPhone

The battle between the FBI and Apple over access to the iPhone of San Bernardino, California, killer Syed Farook came to an abrupt end last week when the agency announced it no longer needed the company’s assistance to crack the device.

Since the U.S. Department of Justice delayed a hearing on an order to force Apple to assist the FBI in brute-forcing the password on Farook’s phone, speculation has spread about how the agency planned to access the data on the device without the help of the iPhone’s maker.

A number of news reports identifiedCellebrite as a likely ally of the FBI in breaking the phone’s password.

That guess is a good one, said Stephen Coty, the chief security evangelist atAlert Logic. Cellebrite has a team of mobile forensic experts who have developed processes to unlock iPhones for their customer base.

“Cellebrite has many proprietary tools that they use for forensics investigations,” he told TechNewsWorld.

In Hackers’ Crosshairs

Most forensic tools make a snapshot of a phone and then attempt to crack the copy so as to not tamper with the actual evidence, Coty said. “Making a copy of the phone would allow you to have as many tries to unlock it without worry of a data wipe.”

In its litigation, the FBI wanted Apple to disable a feature on Farook’s iPhone that would erase all data on it after 10 erroneous password attempts.

Now that the FBI has found a way to crack Farook’s iPhone, Apple may want the courts to do some compelling on its behalf. Apple attorneys are huddling to find a way to force the FBI to reveal how it broke the password, according to the Los Angeles Times.

What’s more, all the publicity generated by Apple’s squabble with the FBI may create more worry for the company down the road, according to Coty.

“I’ve been following some of the stuff that’s being posted on the underground, and more and more people are coming up with techniques to unlock the iPhone,” he said.

“This case has put a target on the iPhone,” Coty added.

API Security

Mobile APIs, or application programming interfaces, have become a critical component of the Internet’s infrastructure. With the growth of the Internet of Things, which will add millions of new devices to the Net, they will become even more important.

As their importance increases, though, so too does the concern over their vulnerability to attack by cyberbandits.

While APIs are no less or more insecure than other parts of the Net’s infrastructure, developer ignorance can make them more insecure.

“What people have to realize is when you build an application that talks to a service over the Internet, you’ve created an API,” explained Greg Brail, chief architect atApigee.

“If we look at a lot of the things that have gone wrong with API security recently, it’s because someone built a mobile app, and they didn’t realize they created an API, and they failed to use some of the security practices that you expect to have on an API,” he told TechNewsWorld.

“As a result,” Brail continued, “not only did they create an insecure mobile app, but they created an insecure API.”

Bad ID Management

Some of the most common attacks on APIs involve flaws in authentication.

For example, the IRS had a service accessible through an API for taxpayers to obtain tax account transactions or line-by-line tax return information for a specific tax year. To request that data, a visitor to the IRS website needed three pieces of information: address, Social Security number and date of birth.

“Millions of Americans have had that information stolen from them, so attackers were able to use that information to get access to people’s private tax data,” Brail said.

“The biggest things we’ve seen go wrong is people either not putting any authentication on the API at all or tying it to an identity management solution that doesn’t handle all the security aspects correctly,” he added.

How safe are APIs for private data?

“Compared to the alternatives to APIs, they can be made very secure, if you follow the right techniques — and arguably more secure than some other things, like Web apps,” Brail said.

Behavioral Biometrics Redux

We’vewritten before about how keyboard strokes, mouse movements and hardware details can be used to fingerprint a person and authenticate identity online.

Those solutions typically require monitoring a user’s behavior from the cloud, but a company calledTeleSign has taken a slightly different slant on the technology to help developers create more secure applications.

Traditional biometrics, which uses body parts — fingers, eyes and faces — doesn’t work very well with online commerce. Not only does it create a privacy nightmare, but it also creates the nemesis of all e-commerce companies: friction.

“Behavioral biometrics are more suitable for an online consumer account,” said Sergi Isasi, director of product management at TeleSign.

“It’s easier to enroll the user because the user doesn’t do anything different when they enroll,” he told TechNewsWorld, “and you’re not asking the user to do anything they would feel uncomfortable with, like taking a picture of their eye on their phone.”

Privacy Concerns

Depending on the application, TeleSign’s behavioral biometrics solution is offered as JavaScript (Web application) or an SDK (mobile application).

“The developers would integrate our application into their application, and it would track the user’s behavior across activities — logging in, navigation, entering text and purchasing an item,” Isasi said.

TeleSign’s app sends the user-behavior data to its cloud where the information is analyzed and scored. The score tells a merchant how similar the actions are to the user’s previous actions.

Scores can be generated at various decision points during a user’s session, so there are multiple opportunities to detect hinky behavior.

While TeleSign’s solution is frictionless to users, it’s also invisible to them. That means it’s collecting information about them, in most cases, without their knowledge.

That’s not a problem because the information isn’t linked to a user by name, Isasi maintained. Nevertheless, some TeleSign users aren’t taking any chances about potential misunderstandings about data collection.

“Some of our customers are asking for consent permissions from their users,” Isasi said, “but that’s up to the customer.”

Breach Diary

  • March 28. FBI says it has cracked iPhone of Syed Farook, one of two shooters who killed 14 people in San Bernardino, California, in December.
  • March 28. MedStar Health, a health care provider in the Washington, D.C., area, takes its computer systems offline after discovering a virus preventing some of its users from logging on to their systems.
  • March 28. Akram Aleeming acknowledges an error at a website he was developing for Thai police leaked the personal details of more than 2,000 foreign nationals living in southern Thailand onto the Internet.
  • March 28. Doritex, an industrial launderer in western New York, and Kallus Opraments, a website developer, are fined US$95,000 by state Attorney General’s Office for a website error that exposed more than 500 employment applications on the Internet.
  • March 28. University of Central Florida reports expenditure of $109,364 for notifying 63,000 students and former employees that their confidential information was compromised in a data breach in February.
  • March 28. CardHub releases a survey finding 42 percent of retailers have not installed payment terminals that accept chip-enabled payment cards, and 56 percent of consumers say they don’t care if a retailer has chip-enabled terminals.
  • March 29. National Consumers League launches redesigned Fraud.com website, which includes a portal on data breaches.
  • March 29. Ryman Hospitality Properties, parent of the Grand Ole Opry, states tax information of anyone who received a W-2 form from the company in 2015 is at risk after the information was emailed to a scammer posing as a corporate officer.
  • March 29. Kentucky State University alerts current and former employees their tax information for 2015 is at risk after their W-2 forms were emailed to a scammer posing as a university official.
  • March 30. The Guardian reports that the U.S. and the UK will simulate a cyberattack on a nuclear power plant sometime this year.
  • March 30. Norfolk Admirals hockey team in Virginia says names, addresses and email addresses of some 250 customers were posted to the Internet after a data breach of its computer systems.
  • March 30. Law firm Cravath Swaine & Moore states its computer systems were breached last summer and that it is unaware of any of the affected information was used improperly.
  • March 31. The Sydney (Australia) Morning Herald reports a database containing private information for more than a million customers of Menulog, an online takeout service, has been exposed to the Internet because of an access control flaw.
  • March 31. Amherst, Ohio, police say they posted online for several weeks the Social Security numbers of 30 people while they were learning a new records-management system.

Upcoming Security Events

  • April 7. Every Organization of Every Size in Every Industry: What Are Your Breach Risks and Gaps? 2 p.m. ET. Webinar by ID Experts. Free with registration.
  • April 8-10. inNOVAtion! Hackathon. Northern Virginia Community College, 2645 College Drive, Woodbridge, Virginia. Free with registration.
  • April 9. B-Sides Oklahoma. Hard Rock Cafe Casino, 777 West Cherokee St., Catoosa, Oklahoma. Free.
  • April 12. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. BrightTalk webinar. Free with registration.
  • April 13. A Better Way to Securely Share Enterprise Apps Without Losing Performance. 11 a.m. ET. BrightTalk webinar. Free with registration.
  • April 15-16. B-Sides Canberra. ANU Union Conference Centre, Canberra, Australia. Fee: AU$50.
  • April 16. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
  • April 16. B-Sides Tampa. Stetson College of Law, Tampa Center, 1700 N. Tampa St., Tampa, Florida. Free.
  • April 16. B-Sides NOLA. Hilton Garden Inn, New Orleans Convention Center, 1001 S. Peters St., New Orleans. Fee: $15.
  • April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Road, King of Prussia, Pennsylvania. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • April 20-22. CSA Summit 2016. Lichtstr. 43i, first floor, Cologne, Germany. Registration: 500 euros.
  • April 23. B-Sides ROC. B. Thomas Golisano College of Computing and Information Sciences, Rochester Institute of Technology, 20 Lomb Memorial Drive, Rochester, New York. Free with registration.
  • April 23-24. B-Sides Charm City. Baltimore Convention Center, One West Pratt St., Baltimore. Tickets: $15 to $60.
  • April 25. “Some Musings on Cyber Security by a Cyber Iconoclast.” 1:30-3 p.m. ET. University of New Haven, Tagliatela College of Engineering, Buckman Hall, Schumann Auditorium, room B120, 300 Boston Post Road, New Haven, Connecticut. Presentation by Professor Gene Spafford, Purdue University. Free with registration.
  • April 26. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. Webinar sponsored by BrightTalk. Free with registration.
  • April 28-29. B-Sides Calgary. SAIT Polytechnic (Orpheus Theater), 1301 16 Ave. NW, Calgary, Alberta. Tickets: students, CA$20; professional, CA$50; VIP, CA$150.
  • May 3. Dallas Cyber Security Summit. Omni Dallas Hotel, 555 S. Lamar, Dallas, Texas. Registration: $250.
  • May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 7. B-Sides Chicago. Concord Music Hall, 2047 N. Milwaukee Ave., Chicago. Free.
  • May 11. SecureWorld Houston. Norris Conference Centre, 816 Town and Country Blvd., Houston. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
  • June 1-2. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), Atlanta. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 9. SecureWorld Portland. Oregon Convention Center. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Privacy

Technewsworld Channels