Cyber “Emergency” Order Nets No Culprits, Reports FAS

“In April 2015, President Obama issued Executive Order 13694 declaring a national emergency to deal with the threat of hostile cyber activity against the United States. But six months later, the emergency powers that he invoked to punish offenders had still not been used because no qualifying targets were identified, according to a newly released Treasury Department report.”  That is the bottom line of a blog post by Steven Aftergood over at the Federation of American Scientists.  You can read his whole post by following this link.

Share:

Tags:

Cyber Round Up: Israel’s Cyber-City Development, Future Generations Need to Think Like Hackers, NIST offers up to $1M in Cybersecurity Education Grants

  • Israel’s Desert Blooms with Cyber-City Development (Breitbart): according to this article in the middle of the Negev desert, Israel is building a cyber-city which has placed Israel second only to the US in terms of cyber-expertise.  $500 million in private investments pour into Israeli cybersecurity firms annually and Israel seems to have fully embraced the idea that the next war will be in cyberspace, according to the article.  Furthermore, the Israeli’s view cybersecurity as not merely threat mitigation but also as an economic driver, and the cyber-city in Negev is living-proof of that, according to the article.  The article states that the cyber-city includes elements of the Israeli Defense Forces (“IDF”), as well as private industry, multinational corporations, and also Ben-Gurion University, Israel’s top cybersecurity university.  The full text of the article can be found here.
  • Future Generations of Cybersecurity Experts Need to Think Like A Hacker (TheMerkle.com):  this article theorizes that developing a new mindset where cyber-sleuths think like hacker’s is enabling a new generation of digital detectives.  The article states that New York University’s (“NYU”) Brooklyn campus hosted a Cybersecurity Awareness Week with competitions open to high school and university students and where prizes ranged from $450,000 (scholarships) for high schoolers to $11,000 in cash for university students.  Sponsors of the event included the Department of Homeland Security, Facebook, and IBM, according to the article.  The full text of the article can be found here.
  • NIST ‘RAMPS’ Up Cybersecurity Education and Workforce Development with New Grants (NIST): In a recent press release, the National Institute of Standards and Technology indicates that they are offering up to $1 million in grants to establish up to eight Regional Allicance Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development. The release cites a Global Information Security Workforce Study that estimates an international shortfall of 1.5 million people over the next five years due to a lack of trained professionals and the National Initiative for Cybersecurity Education (“NICE”) is designed to address that need.  According to the release, RAMPS will help encourage greater employer engagement in local communities which will help influence education and training providers to develop job-driven training that provides cybersecurity skills.  The release states that NIST plans to fund five to eight awards of up to $200,000, and the deadline to apply is July 12, 2016.  The press release can be found here.
Share:

Tags: , ,

Cyber Round Up: Higher Ed. Establishes foothold in Cybersecurity

  • Illinois State Meets Growing Need for Cybersecurity Professionals (ISU News): According to this news release, Illinois State University (“ISU”) is trying to prepare students to fill the projected 18 percent growth in Information Security jobs over the next ten years.  ISUs School of Information Technology’s Information Assurance and Security has 125 students and their new cybersecurity program slated to launch in the fall of 2017 has room for even more, according to this release.  To help drive interest and maintain relevance in a dynamic industry, ISU has supported an annual cyberdefense competition which is open to Illinois high school students and is currently in its fifth year, according to the release.  Given the anticipated rate of job growth within this sector one can expect to see more and more educators exploring training options in this burgeoning field.  The full text of the article is here.
  • University of Oregon: Cybersecurity Looks for Students to Counter the Dark Art of Hacking (The Register-Guard): According to Diane Dietz’s article, the University of Oregon (“UO”)  is holding its sixth annual Oregon cybersecurity day to bring in top cybersecurity experts for key sessions on the current state of cybersecurity.  Associate Professor Jun Li created the UO Center for Cybersecurity and Privacy last year and began to draft plans for an advanced UO degree in the field of cybersecurity, according to the article. The article states that thus far Li has received a $507,000 grant from the National Science Foundation to examine fraud and attacks on social networks and OU at the same time received $1.5M from the US Department of Energy to examine cyberattacks in the context of the nation’s grid infrastructure.  Demonstrating that cybersecurity is being taken seriously and early adopters in higher education seem to be gaining a foothold.  The full text of the article is here.
  • UC Recognized as Cybersecurity Leader in Education (UC News): According to a University of Cincinnati (“UC”) press release, UC has been designated by the National Security Agency and the Department of Homeland Security as a National Center of Academic Excellence in Cyber Defense Education through 2021.  UC launched a Cybersecurity track within the undergraduate Information Technology program, followed by a Master’s level program launched a year later, according to the release.  The release indicates that UC is now the ninth institution in the US to contain both NSA Centers of Academic Excellence in both Cyber Op and Cyber Defense and this solidifies UC’s position as a national leader in cybersecurity education.  The full release is here.
Share:

Tags: ,

Apple vs. FBI Session Today

While it was interesting to observe the session, I would have liked to see more technologists involved. The legal portion was quite interesting, but was limited by a limited understanding of the technology. So here are some observations from a non-lawyer technologist:
1. Where is the issue of government responsibility? While there was much discussion that the phone belonged to the San Bernardino government, there was no discussion of their role in the information on the phone being unavailable. There were four technical restrictions that I found in a cursory Google search that would have allowed them to maintain control of the phone (http://www.enterpriseios.com/forum/topic/prevent_adding_passcode). There are possibly more, but the existence of four leads me to believe that it is technically possible. The government could have also chosen a different device if they were concerned with accessing their employees’ information.
2. CALEA specifically applies to telecommunications companies and their backbones. An individually owned and operated device is not the same as a fiber cable carrying thousands of data streams. While as an individual you need a device to use the data provided by the backbone, the device is not an extension of the backbone itself. The New York Telephone case applied to tapping the backbone line, not the physical phone (device-equivalent). In this particular case, the phone is no longer being used for data to be captured in motion.
3. The issue has been raised before that All Writs should not apply when there is adequate law that addresses the issue. In this case, the government has explicitly decided not to legislate personal encryption. (http://www.computerworld.com/article/2991273/encryption/us-wont-seek-law-to-ban-encryption.html) While that does not have the same strength as the government explicitly supporting personal encryption, it should definitely be taken into consideration that they have not written legislation to legally compel manufacturers to create backdoors or assist in investigations.
4. While the national security/terrorism arguments were in full force, that was not where the case began. It began with a drug dealer, who was not accused of killing anyone. The court rejected the FBI’s argument to open his phone (https://www.theguardian.com/technology/2016/feb/29/apple-fbi-case-drug-dealer-iphone-jun-feng-san-Bernardino). So, as one “judge” today kept asking, what is the dividing line for being able to bypass encryption for a phone?
5. From a policy standpoint, there will be a chilling effect on companies developing encryption. Must everyone design software with a backdoor in mind. Will it lead to unsecure hardware and software?
6. While the discussion today centered on the government reimbursing Apple for its engineers’ time in developing the software requested, but there was no mention of reimbursing Apple for a decrease in sales due to their platform no longer being secure.
7. Icloud and physical device security is different because a user has the ability to opt out of storing their data in the icloud. They are under no obligation to upload their information to the icloud and can choose to keep it all locally stored.
8. I am not a legal scholar by any stretch of the imagination, but I would like to see someone make a compelled commercial speech argument. If I get some time this week, I may make a feeble attempt, but I think there is something there, even if only as a supplemental argument. (Zauderer and Central Hudson)

Share:

Tags:

Commission on Enhancing National Cybersecurity

Here is the text of the White House news release:

The White House
Office of the Press Secretary
For Immediate Release

President Obama Announces More Key Administration Posts

WASHINGTON, DC – Today, President Barack Obama announced his intent to appoint the following individuals to key Administration posts:

  • General Keith Alexander, USA (Ret) – Member, Commission on Enhancing National Cybersecurity
  • Annie I. Antón – Member, Commission on Enhancing National Cybersecurity
  • Ajay Banga – Member, Commission on Enhancing National Cybersecurity
  • Steven Chabinsky – Member, Commission on Enhancing National Cybersecurity
  • Patrick Gallagher – Member, Commission on Enhancing National Cybersecurity
  • Peter Lee – Member, Commission on Enhancing National Cybersecurity
  • Herbert Lin – Member, Commission on Enhancing National Cybersecurity
  • Heather Murren – Member, Commission on Enhancing National Cybersecurity
  • Joe Sullivan – Member, Commission on Enhancing National Cybersecurity
  • Maggie Wilderotter – Member, Commission on Enhancing National Cybersecurity

President Obama said, “I have charged the Commission on Enhancing National Cybersecurity with the critically-important task of identifying the steps that our nation must take to ensure our cybersecurity in an increasingly digital world.  These dedicated individuals bring a wealth of experience and talent to this important role, and I look forward to receiving the Commission’s recommendations.”

Continue reading

Share:

Tags: , , , ,

Cyber Round Up: FBI, DHS Run Nationwide Cyber Campaign, Iranians Indicted on Cyber Crimes, Chinese Cyber Spying Decreased Since Agreement with U.S.

  • FBI, DHS Run Nationwide Cyber Campaign (Washington Free Beacon): The FBI and DHS began a nationwide campaign warning companies running electrical infrastructure in the country of the dangers posed by cyber threats, according to the Washington Free Beacon. The program began on March 31, and include webinars in eight U.S. states of an “unclassified briefing” called “Ukraine Cyber Attack: Implications for U.S. Stakeholders,” the article explained. Specifically, according to the article, those who watch the webinar briefings will learn details of past cyber attacks, including the techniques and strategies used by hackers who target infrastructure. The full article can be found here.
  • Iranians Indicted on Cyber Crimes: The U.S. Department of Justice has indicted seven Iranians for cyber crimes under 18 U.S.C. 1USvFathi030. The seven defendants are: Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan (“Nitr0jen26”), Omid Ghaffarinia (“PLuS”), Sina Keissar, and Nader Saedi (“Turk Server”). According to the court document, Fathi, Firoozi, and Shokohi were, at times relevant to the indictment, were employees of ITSec Team. The remaining defendants, Nitr0jen26, PLuS, Keissar, and Turk Server were employees of Mersad Co. (“Mersad”). ITSec Team and Mersad were private computer security companies based in Iran and actually performed work on behalf of the Islamic Revolutionary Guard Corps (“IRGC”), according to the indictment. The defendants are alleged to have violated 18 U.S.C. 1030(a)(5)(A) — the “Computer Damage statute” — as well as 18 U.S.C. 1030(a)(2) — the “Anti-hacking statute.” The unsealed indictment can be found here.
  • Chinese Cyber Spying Decreased Since Agreement with U.S. (Financial Times): According to the Financial Times, government and private sector experts are claiming that Chinese cyber espionage activities have decreased since September 2015 when China agreed with the U.S. to refrain from conducting such activities to boost domestic businesses. The Director of the National Security Agency, Admiral Michael Rogers, appeared earlier this month in front of the Senate Armed Services Committee, and testified that Chinese hacking continues, however, at a lower level, the article continued. The question remains, though, of whether the hacking currently being perpetrated is for government use or for commercial purposes, Admiral Rogers reportedly testified to the committee. The full article can be found here.
Share:

Tags: , ,

Data Privacy and Law Firms

BigLaw In Crosshairs As Firm Plans Data Breach Litigation (Law360): A recent article in Law360 by Aebra Coe indicates that two large law firms, Swaine & Moore LLP, and Weil Goshal & Manges LLP may be facing class action malpractice litigation as a result of their recent data breaches.  In this article, Coe reports that Jay Edelson’s law firm, Edelson PC, assembled a team of forensic engineers and attorneys with technology and privacy expertise to build a lab designed to identify key vulnerabilities in the corporate world.[1]  According to the article, based on the team’s research, Edelson’s firm reportedly told law firms that they are attractive targets to hackers for the following reasons:  (1) law firms often have critical and confidential client information on their internal systems; (2) law firms are often behind the curve on technology, and therefore have relatively insecure data security and network protocols and processes; (3) even where firms have security measures in place, getting the more-seasoned partners to follow these practices is often a non-starter.  The full text of the article is here.


 

Commentary:

As society in general and the legal sector specifically continues to adopt, and embrace technology, privacy issues will continue to be an important concern.  While this article specifically addresses BigLaw firms, this problem faces firms of all sizes including the solo practitioners.  When we lived in the purely physical world of paper and files, we could touch and feel information and it was almost intuitive to address security.  A locked briefcase, a locked filing cabinet, a document retention policy coupled with a secure shredding service and a lawyer was good to go.  As we move to an increasingly virtual world with the ability to store thousands of pages of documents on miniature thumb drives, or in the cloud, on our laptops, our smartphones, suddenly sensitive client data has gone from a piece of paper and perhaps a copy or two to documents seemingly everywhere.

Having worked previously in the technology sector I would argue that only the very biggest Law firms can, or should have the in-house expertise to handle data privacy and to manage their information security.  However, even for the largest law firms this is still going to represent a cost-center which is somewhat antithetical to the whole concept of billable-hours and viewing things in a binary fashion (is this a source of revenue for the firm?  If not, it is a cost).  That being said, until attorneys begin to view cybersecurity and data privacy as necessities, no different from liability insurance or any other recurring overhead expense, they will continue to put their clients and themselves at risk.  Attorneys need to consider the ethical considerations related to the retention and use of confidential client data and if they fail to do so they risk the loss of trust as well as potential litigation.  Here, I would argue that outsourcing makes a great deal of sense for all but the largest law-firms. Let the specialists perform an audit, create a baseline and then move your firm to a state of “reasonable” data security and overall cybersecurity.


 

[1] Edelson is founder and CEO of the law firm, Edelson PC.  For several months, Edelson’s firm has been looking into potential class action litigation against unnamed firms with respect to data breaches.  Edelson’s lab arrived at the conclusion that the legal industry and the health care sectors are some of the most likely to be targeted by hackers, according to the Law360 article.

Share:

Tags: ,

Apple Encryption Debate: What about iCloud?

 Mossberg: The iCloud loophole (TheVerge): Walt Mossberg’s article highlights the fact that Apple has the ability to decrypt the bulk of data that is uploaded via iCloud backups.  Furthermore, Apple has unencrypted and provided iCloud backup data to both the FBI as well as other law enforcement agencies on numerous occasions (once a valid warrant has been issued), according to this article.  This article indicates that Apple views iCloud data differently from the iPhone for a variety of reasons:

  • Apple claims that the security policies for the phone relate to a physical object which can, therefore, be lost or misappropriated and consequently the physical device requires heightened security protocols;
  • Apple indicates that the iCloud requires strong security, however, Apple retains the ability to access and restore backups to user devices since this is a feature that users desire. Additionally, Apple states that sensitive data such as, network passwords, Apple keychains (which holds passwords), is not decrypted from iCloud backups.
  • Apple’s position is similar to other providers, such as Google (Gmail, Drive, Docs, and Calendar), and Dropbox. Both of these services indicate that they comply with valid, lawful orders for decrypting and providing data to law enforcement.

The full text of the article is here.


Commentary [Editor’s Opinion]

This article raises some interesting questions concerning exactly what Apple was doing when it launched its media blitz decrying the government’s efforts to compel Apple to bypass some iOS security features that would allow the FBI to launch a brute-force attack on an iPhone 5c.  If Apple’s primary motivators surround data privacy and protection for its customers, then why does it retain the ability to decrypt iPhone backups?  Did Apple choose this battle merely to highlight what it deems to be a larger privacy issue or does Apple truly believe that data on an iPhone is more sensitive than data from an iPhone backed up to iCloud?

Before proceeding, I should say that on a personal level, irrespective of the position I may have extolled in previous blog posts I think that data privacy and encryption, in particular, are valuable tools that should be available to citizens within the digital realm.  Specifically, I am not in favor of encryption backdoors, master keys, or “clipper-style” chips that would allow government intrusion into electronic communications.  I use encryption at the volume and file-level, and I believe that just because the government has a search warrant giving them the right to access information doesn’t mean that they necessarily have (or should have) the ability to access encrypted information.

That being said, it seems a bit disingenuous to argue that modifying the iOS code to remove the timing delay between successive passcode unlock attempts, and to bypass the auto-delete functionality so the Government could launch a brute-force attack against an iPhone somehow places user data in greater jeopardy than putting a bow around a decrypted iCloud backup and delivering it to the Government.  Frankly, it seems shocking that more users aren’t distraught by Apple’s past and seemingly future compliance with requests for decryption of iCloud backups.

A number of arguments have been raised with respect to why the Apple vs. FBI issues are so important and far-reaching.  Here are some points that appeared in recent comments to a previous post:

  • There may be valid reasons for the Government to request access to an iPhone, but how is that threshold discerned?
  • The actual number of phones that could be affected, number in the millions with presumably any model 5c or earlier able to be brute-force attacked had Apple developed this iOS code;
  • Initial compliance will lead to later compliance and companies such as Apple will be compelled to comply, especially in countries such as China;
  • Once Apple writes the software the government can reverse-engineer it and they will be able to use it to unlock other phones;
  • FBI and DOJ have both suffered breaches so if they have the iOS software it is likely to attract hackers and they will effect a breach and abscond with the iOS code

With respect to the first point, that is and will continue to be a matter for the Judiciary. Once an application has been made and issued by the court, it becomes a lawful mandate and yes, Apple or any other entity, or person is required to comply.  There is no distinction between encrypted or unencrypted data or between levels of encryption, or the use of bit shifting, or steganography, it is simply a lawful order that gives Law enforcement the ability to get X from Y.  Additionally, many search warrants have ex ante restrictions that limit law enforcement’s processes, procedures, and/or timelines within which they can execute a search. Thus, there are already mechanisms in place to ensure that Law enforcement has valid reasons to request access to data.

The second point, while valid still overlooks the fact that the iOS changes being touted would be purpose-built to load on this specific iPhone, not just the specific model, but, in fact, the specific device associated with a unique device identifier.

The third point is little more than a slippery slope argument. The mere fact that a company is forced to comply with a lawful order does not render any future arguments against a DOJ request to be moot.  These inquiries are very fact-specific and as such one would anticipate that court’s are going to make the requisite searching inquiries before compelling any action under the All Writs Act.  Additionally, under the All Writs Act, the following conditions must be examined [1]:

  • Is Apple either a party to the underlying case or if a non-party are they in a position to either thwart or effect the implementation of the court order? Here, Apple does not own the phone, however, it did manufacture the device.  Furthermore, Apple owns the proprietary design elements to include hardware and software and is, therefore, a party.  Even if one were to argue that Apple’s non-possessory interest in the specific device was at issue, the fact that Apple does own the iOS running on the device and it is a combination of the iOS and the underlying hardware that is preventing the DOJ’s brute-force attack without modifications by Apple, then they are a non-party to whom it would be appropriate to direct the writ;
  • Does Apple have a substantial interest in not assisting the government? The stated interest appears to be Apple’s strong beliefs in privacy rights and at face value that does seem to be compelling. However, when taken in the context of Apple’s position on iCloud backup files which it readily decrypts when provided lawful mandates, the argument weakens.  The fact that Apple views device security differently than the security of files backed up to the iCloud lends credence to the theory that Apple’s desire to “seem” focused on security and privacy really isn’t the case in their day-to-day operations.  The fact that Apple does decrypt customer data indicates that the idea of doing so is not patently offensive, nor does it violate the company’s actual beliefs or policies (irrespective of which beliefs Apple chooses to assert with the media).
  • Is the order burdensome? If this code change requires two weeks of coding by a team of developers, then certainly there is the opportunity cost associated with this.  This team of developers could have spent two weeks working on any number of issues or building the greatest iOS the world has ever seen.  However, since the government is willing to compensate for the time devoted to this endeavor, one can also argue that while the time and potential products in the Software development life cycle (“SDLC”) may be impacted, this is a burden which can be shifted through the allocation of government funds to offset the time and expense.  In reality, this is probably Apple’s strongest point, yet it also seems to be the one they are putting the least amount of focus on.  If you think of the SDLC in terms of the butterfly effect, where the flapping of the butterfly wings at Time N causes the breeze that causes the ripple that cascades to Time N+n into a hurricane, then you get a sense of the argument Apple might make.  If you assume that iOS runs on a 6 month SDLC, then the devotion of two weeks of core development resources to assist the government then the entire life-cycle shifts and now software is out of sync with hardware and the new release slated to be rolled out in two more development cycles suddenly gets pushed back and it extends the time to market and allows someone else to gain a competitive advantage and suddenly you can demonstrate the enormity of the potential burden of shifting development resources to an outside project while in the midst of the SDLC.
  • Is there a way for the government to obtain what it needs without Apple’s assistance? Well up until Sunday this answer seemed pretty straightforward.  According to Apple, their iPhone was secure, and according to the DOJ, they could not bypass the lock code security.  Of course, once an outside party was able to bypass this and unlock the iPhone this task was not dependent upon Apple’s acquiescence.

With respect to the fourth point, this is actually somewhat counterintuitive.  Here it is being asserted that once Apple modified the iOS to change the timeout value and bypass the auto delete then if the government gets the device back they can reverse-engineer the iOS and use it to allow them to brute-force attack other iPhones. The problem being, if the government could reverse-engineer this “special” iOS then why can’t they reverse-engineer the proposed iOS?  Does changing a timeout value and circumventing a block of code that performs the auto delete somehow make the code easier to reverse engineer?  Apple may be overstating the resources it would take to build this new code, but either way, if the government can reverse engineer iOS then all bets are off and they can hire some script kiddies to make some modifications and let it run amok to access iPhones everywhere (with valid court orders, of course).  Unless there is some reason that the new iOS is going to be inherently insecure or if the update will only work with raw source code, the propensity of the government to reverse engineer the new code is no greater than their ability to do the same with the current iOS versions.

Finally, the last point with respect to making the FBI and DOJ a target for hackers once they have this new iOS is also rebuttable.  As I write this, presumably iOS is sitting on servers in Cupertino, if it really is that attractive why isn’t Apple a target for this sole reason?  Furthermore, while I won’t argue that the government has a handle on cybersecurity, in all fairness can we assume that the FBI and the DOJ already have some sensitive data on their servers that hackers the world over would love to get access to, so aren’t they already targets as well?  Some of this then comes back to Apple’s assertion that iCloud and iPhones aren’t really the same.  Here, if either the FBI, or any other three-letter agency was able to get this iOS, reverse engineer it, and have it waiting, and ready for use, they would still need the physical phone to make this work.  So too would any hacker, having the ability to brute-force attack a phone to get it to unlock without erasing the data is somewhat predicated on actually having a phone to perform this on.  In the absence of a physical device, this would not be a very useful exercise.

Is it scary that the government could access our phone data and our encrypted communications? Yes, of course, that raises a number of concerns with respect to privacy as well as potential freedom of speech issues.  However, if you consider the movement towards the Internet of Things, and the sheer volume of devices and data, is this really a looming concern for most of us?  Perhaps, this is the result of the participation-generation where everyone that shows up gets a trophy.  Perhaps these same people think that their dog and cat pictures or their status updates “OMG, eating a real hot dog from a street vendor while on Spring Break” are somehow of interest to the federal government who wants nothing more to break their encrypted communications to find out how many cats they say they have vs. how many they actually have.  However, in the real world, and having spent some time with Big Data firms, one realizes that trying to amass all of that information and then taking the time to decrypt communications and then sorting through them (even if automated based on keyword) is an enormous undertaking and would be both technically infeasible and an inordinate drain on government resources.  Sorry to disappoint, but for most of us, Big Brother is more akin to Rhett Butler than George Orwell and when it comes to most of our information “frankly my dear, [the government does not] give a damn.”

[1] United States v. N.Y. Tel. Co., 434 U.S. 159, 174 (1977).

Share:

Tags: ,

DOJ Drops Lawsuit Against Apple

Justice Department Drops Lawsuit Against Apple as FBI has now Unlocked Farook’s iPhone (TechCrunch): Apple’s magnificent marketing campaign, which was playing out in the court of public opinion along with its case in the Central District of California may have backfired, according to this article.  The court filing, which is included here, says rather succinctly “The government has now successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance of Apple Inc. .”  The full article is here.

FBI_apple_20160328

 

[Editor’s Opinion]

I may not have an MBA from Harvard, but from my time at Northeastern, I seem to recall that a key element of any marketing strategy is to provide messaging that actually supports your product’s abilities in the short term and will lead to increased sales in the mid to long term.  Here, Apple CEO, Tim Cook chose to spend a few weeks fighting the government’s request to assist the DOJ by creating a specific iOS update that could be installed on a specific iPhone 5c that would allow the DOJ to employ brute-force hacking methods to unlock the phone and access the data therein.  Had Cook merely acquiesced and used his marketing machine to explain that Apple would assist the DOJ by creating a special iOS version that could be uploaded on this specific iPhone 5c phone to allow the DOJ to bypass the timeout features, as well as the data-erase functions, they may have managed to maintain the illusion that their hardware and software is “unbreakable.”  However, Apple’s CEO chose a different strategy and decried this government intrusion on privacy rights grounds and even extended the argument to suggest that requesting that Apple developers spend two weeks writing this code was a free speech infringement since code is speech and ergo forcing someone to write specific code is analogous to forcing someone to say something.  That position is very bizarre and seemingly non-sensical although Apple and its extensive legal staff decided to push this narrative during their media offensive against the big, bad government.

Now Apple will need to figure out how to spin the narrative that no, they would not comply with the DOJ order unless they were forced to do so in order to uphold the privacy rights of everyone in the world.  Meanwhile, a company (rumored to be Israeli tech company Cellebrite) rolled in, accepted the challenge and now can presumably unlock not just the single iPhone in question, but any iPhone5 running this same iOS version.  This seems to be a larger privacy issue than Apple creating a specific iOS version that would only update a specific iPhone 5c.  So I guess that privacy advocates and those who were hoping to pick up cheap iPhone 5c’s in order to lurk in the shadows may want to rethink those purchases now that these are seemingly ripe for the picking.

Apple took a gamble and tried to rally the world with them to stand against oppression and government intrusion on privacy.  Now, the government has the lawful access to this iPhone that they sought following their valid court order and now Apple is left trying to explain exactly how secure their iOS software and Apple hardware truly is (or isn’t) as the case may be.  I suppose if Apple had unveiled a new iPhone that was incapable of being broken in this manner then one could view this marketing strategy as a long game; however given the fact that none of the current marketing literature seems to say that, this seems more like a marketing fail.

Share:

Tags: ,

Cyber Round Up: U.S. Charges Iran-linked hackers, Biggest Threat: Insider Breaches, Ukraine Attacks Issue Wake-up Call to U.S. Critical Infrastructure

  • Fathi-et-al-IndictmentU.S. Charges Iran-linked Hackers with Targeting Banks and a N.Y. Dam (The Washington Post): According to this article, the Justice Department indicted seven hackers with ties to Iran for cybercrimes which included disrupting U.S. bank websites and hacking into a dam in Upstate N.Y.  The article states that this is the first time the DOJ has charged people linked to a national government with attempting to disrupt critical U.S. infrastructure (note: In 2014 five Chinese military hackers were indicted by the DOJ for cyber espionage activities).  In the 18-page indictment, the seven indicted were allegedly working for two Iranian companies, ITSec Team and Mersad Co., and they were allegedly doing so at the behest of the Iranian government, according to the article.  The full article can be found here.  Whereas a previous post related to the N.Y. dam is here.

 

  • WGL03038USEN Biggest Threat: Insider Breaches? (IBM white paper): In a white paper released in Sept. 2013, the most significant security breaches were insider misuse (at 36%), followed by loss/theft of data-bearing assets (35%).  This paper goes on to extoll the virtues of a zero trust model (Forrester) that looks at threats holistically rather than focusing on internal vs. external threats.  To that end, this paper pushes three concepts as being critical, (1) secure all resources, (2) implement restricted access controls, and (3) all network traffic is logged and inspected. The white paper is available here.

[Editor’s note: this paper is admittedly dated; however the fact that it identifies the high incidence of insider threats while at the same time advocating for across the board security protocols that operate independently of whether or not a threat vector is external or internal is interesting.  For a more current perspective, one might advance the notion of taking a data-centric approach where the data is viewed as the most important asset and in so doing you can safeguard the data which effectively obviates the need for evaluating whether a vulnerability is external or internal to an organization.]

  • Meet the Ex-Army Hackers Trying to Save America from Blackouts (Forbes): In this article, Robert M. Lee, a former Air Force cyberwarfare officer discusses the Ukraine grid attack and notes that one of the alarming takeaways was that it appeared to be highly coordinated and thus Lee theorizes that this was performed by a military force.  Lee goes on to say that the Ukraine attack should be an eye-opener for the U.S. which experienced nearly 300 intrusion events against critical infrastructure between October 2014 and September 2015, according to the article.  The full article is here.
Share:

Tags: , ,

Next Page »

Authors

Untitled Document
Professor William Snyder

Professor William C. Snyderis a member of the faculty of the Institute for National Security and Counter-terrorism at Syracuse University after fifteen years with the United States Department of Justice.

Anna Maria Castillo

is a third year law student at Syracuse College of Law. She is also pursuing a Master of Arts in International Relations at Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think-tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She currently serves as an executive editor in the Syracuse Law Review. Full biography

Christopher w. FolkChristopher W. Folk

is a second year student at SU College of Law. Christopher is a non-traditional student, returning to academia after spending nearly twenty years in the high tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. In Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received a M.S. In Computer Information Systems. Christopher previously worked in Software Engineering and in addition to being a full-time student, Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a Cybersecurity firm in the Washington, D.C. area between his first and second year at SU College of Law. Full biography

Jennifer A. CamilloJennifer A. Camillo

is a third year student at Syracuse College of Law. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She is a member of the Syracuse National Trial Team and was recently awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. PistoreseTara J. Pistorese

holds Juris Doctor and Masters of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She has served as a law clerk in the United States Attorney's Office for the Western District of New York and the Public Defender Service for the District of Columbia and as an extern in the United States District Court for the Western District of Washington. Full biography

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.) Full biography

Categories