Sunday, February 21, 2016

Not the clearest reporting I've ever read… I need to run this by my iPhone-toting students. As I read it, the FBI forced a password change to the iCloud because that let them read all the backups. But the backups stopped back in October. If they could access the iPhone (a different password?) they could turn the backup system on again and the iPhone would send data to the iCloud where they already have access. Am I right in assuming that the iPhone password is not part of the encryption kerfuffle? Or will ten bad tries to unlock the iPhone result in erasing everything? (Not 10 failed attempts to enter the encryption key)
FBI rebuts reports that county reset San Bernardino shooter's iCloud password without consent
The FBI on Saturday rebutted media reports that San Bernardino County technicians acted without the agency’s consent [So, FBI “consent” or insistence? Bob] when they reset the password for the Apple iCloud account belonging to one of the shooters involved in the Dec. 2 terror attack at a county facility that killed 14 people.
… Apple said that in early January it provided four alternatives to access data from the iPhone besides the controversial method the FBI is now proposing.
But one of the most encouraging options was ruled out after the phone’s owner – Farook’s employer, the San Bernardino County Public Health Department – reset the password to his iCloud account in order to access data from the backup, according to Apple officials.
That means the iCloud password on the iPhone itself is now wrong, and it won’t back up unless someone can get past the phone’s passcode and change it. [Not if backup is turned off. Bob]
… When iCloud is enabled, iPhones automatically sync with the cloud if they are charging and are connected to a familiar Wi-Fi network.
Had there been no reset on the iCloud password, investigators may have been able to get a more updated backup of Farook's iPhone without any need to unlock the device itself. [I don't see how that would work. Bob]
Federal prosecutors wrote in court filings Friday that the reset by the phone’s “owner” took place “in the hours after the attack,” and an Apple executive later said it occurred within 24 hours.
But the FBI said in its statement Saturday that agents worked with San Bernardino County technicians to reset Farook’s password on Dec. 6 – four days later – because “the county owned the account and was able to reset the password in order to provide immediate access to the iCloud back up data.”
… Prosecutors still contend that unlocking the iPhone is crucial because some data does not sync to iCloud. They said the FBI has retrieved Farook’s iCloud backups up to Oct. 19, about six weeks before the attack, and an FBI affidavit suggested that Farook deliberately disabled the sync feature.

(Related) But don't take my word for it…
On FBI’s Interference with iCloud Backups
In a letter emailed from FBI Press Relations in the Los Angeles Field Office, the FBI admitted to performing a reckless and forensically unsound password change that they acknowledge interfered with Apple’s attempts to re-connect Farook’s iCloud backup service.
… This statement has only one of two possible outcomes:
FBI is Wrong, and was Reckless:
FBI will Compel More Assistance, and mislead the courts:
… FBI must clarify which of these two meanings their letter had. Either the FBI has recklessly interfered with the processing of evidence OR FBI has misled the courts on the amount and the nature of assistance required by Apple under the All Writs Act.

Would Apple's encryption be “reasonable?”
I’ve previously posted a link to a report by the California Attorney General on breaches in California and recommendations, but I like that this post by Hunton & Williams focuses on how the recommendations relate to “reasonable security:”
Importantly, the Report states that, “[t]he failure to implement all the [Center for Internet Security’s Critical Security] Controls that apply to an organization’s environment constitutes a lack of reasonable security” under California’s information security statute. Cal. Civ. Code § 1798.81.5(b) requires that “[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
You can read the rest of their post here, but I want to pull out one part of their summary of the recommendations:
Organizations, particularly in the health care industry, should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers.
So even though HIPAA doesn’t require encryption, if you are not using strong encryption, you might be running afoul of California’s law (even though it’s a “should” and not “shall”). And this is where state attorneys general may have a significant role to play in privacy enforcement, as Danielle Citron argues in her new paper.

This should be interesting. I hope to learn lots from whatever leaks in court.
Judge Rules FBI Must Reveal Malware It Used to Hack Over 1,000 Computers
On Wednesday, a judge ruled that defense lawyers in an FBI child pornography case must be provided with all of the code used to hack their client's computer.
When asked whether the code would include the exploit used to bypass the security features of the Tor Browser, Colin Fieman, a federal public defender working on the case, told Motherboard in an email, simply, “Everything.”
… The case has drawn widespread attention from civil liberties activists because, from all accounts, one warrant was used to hack the computers of unknown suspects all over the world. On top of this, the defense has argued that because the FBI kept the dark web site running in order to deploy the NIT, that the agency, in effect, distributed child pornography. Last month, a judge ruled that the FBI’s actions did not constitute “outrageous conduct.”

Perspective. Unlikely to replace thumbdrives soon.
'Five-dimensional' glass discs can store data for up to 13.8 billion years
… Scientists from the University of Southampton in the UK have created a new data format that encodes information in tiny nanostructures in glass. A standard-sized disc can store around 360 terabytes of data, with an estimated lifespan of up to 13.8 billion years even at temperatures of 190°C.

Not clear how this works, but it makes great campaign fodder.
DOJ ends probe of utility over IT replacements; no charges filed
… About 500 IT workers at SCE were cut, mostly through a layoff. Some of the IT workers complained of having to train foreign replacements on an H-1B visa to remain eligible for a severance package.
… The cuts followed a decision by the utility to hire Infosys and Tata Consultancy Services to take over some of its IT work. Both firms are major users of visa workers.

Sen. Blumenthal demands lifting of IT 'gag' order
… Approximately 200 IT workers at Northeast Utilities (now called Eversource Energy) lost their jobs in 2014.