Wednesday, March 23, 2016

Well, that explains everything. Maybe.
FBI enlists Israeli firm to unlock encrypted iPhone
Israel’s Cellebrite, a provider of mobile forensic software, is helping the U.S. Federal Bureau of Investigation’s attempt to unlock an iPhone used by one of the San Bernardino, California shooters, the Yedioth Ahronoth newspaper reported on Wednesday.
If Cellebrite succeeds, then the FBI will no longer need the help of Apple Inc, the Israeli daily said, citing unnamed industry sources.
Cellebrite officials declined to comment on the matter.

(Related) Logic, as to what might be happening. Very interesting read!
My Take on FBI’s “Alternative” Method
… All of this paints a pretty clear picture: the leading theory at present, based on all of this, is that an external forensics company, with hardware capabilities, is likely copying the NAND storage off the chip and frequently re-copying all or part of the chip’s contents back to the device in order to brute force the pin – and may or may not also be using older gear from iOS 8 techniques to do it. The two weeks the FBI has asked for are not to develop this technique (it’s most likely already been developed, if FBI is willing to vacate a hearing over it), but rather to demonstrate, and possibly sell, the technique to FBI by means of a field test on some demo units.
… The FBI is rumored to have classified this technique, only 24 hours after requesting a two-week window to give report. If true, FBI wouldn’t classify something that they haven’t validated, which means they validated it too. This suggests the technique *could* also be an exploit, so now we’ve two different possibilities to consider. The classification also suggests a little bit about the company. The company must have engineers capable of holding (or already holding) clearances, suggesting it’s a rather large company.
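
Added illustration (my own, not code from the quoted post or from any forensics vendor): a toy model of the design property the NAND-copying theory above turns on. If the failed-attempt counter lives in storage that can be imaged and written back, the wipe limit never triggers; if it lives in a counter that only moves forward and exposes no restore path, the limit holds. The classes, the ten-attempt limit and the "passcode" are all constructed for the example and model no real device.

```python
"""Toy model: a passcode guard whose retry counter lives either in
mirrorable storage or in a forward-only counter.  Everything here is
constructed for illustration; it does not model any real phone."""
import copy


class MirrorableFlash:
    """Counter kept in ordinary storage that can be imaged and restored,
    which is the weakness the copy-and-rewrite theory relies on."""

    def __init__(self):
        self.failed_attempts = 0

    def increment(self):
        self.failed_attempts += 1

    def snapshot(self):
        return copy.deepcopy(self.__dict__)

    def restore(self, snap):
        self.__dict__.update(copy.deepcopy(snap))


class MonotonicCounter:
    """Counter in tamper-resistant storage: it only ever moves forward and
    offers no snapshot/restore path (the property a secure element gives)."""

    def __init__(self):
        self._value = 0

    @property
    def failed_attempts(self):
        return self._value

    def increment(self):
        self._value += 1


class PasscodeGuard:
    MAX_ATTEMPTS = 10  # constructed limit; wipe after this many failures

    def __init__(self, passcode, counter):
        self._passcode = passcode
        self.counter = counter
        self.wiped = False

    def try_unlock(self, guess):
        if self.wiped:
            return False
        if guess == self._passcode:
            return True
        self.counter.increment()
        if self.counter.failed_attempts >= self.MAX_ATTEMPTS:
            self.wiped = True
        return False


def guesses_before_wipe(guard, budget):
    """Feed `budget` wrong guesses.  Whenever the counter's storage offers a
    restore path, the stored image is written back just before the limit,
    as the theory above describes.  Returns how many guesses the guard
    processed before wiping (or the whole budget if it never wiped)."""
    counter = guard.counter
    snap = counter.snapshot() if hasattr(counter, "snapshot") else None
    processed = 0
    for i in range(budget):
        if guard.wiped:
            break
        guard.try_unlock(f"wrong-{i}")  # constructed wrong guess
        processed += 1
        if snap is not None and counter.failed_attempts >= PasscodeGuard.MAX_ATTEMPTS - 1:
            counter.restore(snap)  # storage image written back: count resets
    return processed


if __name__ == "__main__":
    flash_guard = PasscodeGuard("1234", MirrorableFlash())
    secure_guard = PasscodeGuard("1234", MonotonicCounter())
    print("mirrorable storage:", guesses_before_wipe(flash_guard, 30), "wiped:", flash_guard.wiped)
    print("forward-only counter:", guesses_before_wipe(secure_guard, 30), "wiped:", secure_guard.wiped)
```

The point of the model is the check in guesses_before_wipe: the guard logic is identical in both runs, and only where the counter is stored decides whether the wipe limit means anything.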

(Related) I liked some of these too. Perhaps I can get a laser drill for my Ethical Hacking students?
Acid? Laser drill? How the FBI might hack into an iPhone without Apple’s help
… federal officials have been mum about who came forward and what method they’ve proposed. Here are some of the leading options outside experts think the FBI might be exploring.
Another approach, sometimes known as “chip de-capping,” calls for physically removing the casing of the iPhone’s processor chip, using acid or a laser drill. In theory, investigators could then connect electronic probes capable of reading the phone’s unique identification code bit by bit from the location where it is “fused” into the phone’s hardware. This method would also have to read the algorithm that combines that code with the user passcode to unlock the phone.
Once they get that information, investigators could then load it onto another computer, where they can run thousands of attempts at guessing the passcode without worrying about triggering the auto-erase function on the phone itself.

What's in your water?
Attackers Alter Water Treatment Systems in Utility Hack: Report
Verizon’s data breach digest for March 2016 describes several attacks investigated by the company, including one aimed at the systems of an unnamed water utility referred to by Verizon as the Kemuri Water Company (KWC).
The water district had asked Verizon to conduct a proactive assessment as part of its efforts to keep systems and networks healthy, but experts soon discovered clear signs of malicious activity.
They immediately noticed that the organization had a poor security architecture, with Internet-facing systems plagued by high-risk vulnerabilities known to be exploited in the wild, and outdated operational technology (OT) systems that were more than ten years old.
The water utility’s SCADA platform was powered by an IBM AS/400 system, which was first introduced by the vendor in 1988. This system was used to connect both OT functions, such as the water district’s valve and flow control applications, and IT functions, such as financial systems that stored customer and billing information.
Verizon investigators believe the hackers exploited a vulnerability in the payment application web server. This server stored the internal IP address and admin credentials for the AS/400 system, from which the attackers are believed to have stolen 2.5 million records containing customer and payment information.
Since the compromised AS/400 system also ran valve and flow control applications used to manipulate the utility’s hundreds of programmable logic controllers (PLCs), the hackers managed to access this software and alter settings related to water flow and the amount of chemicals used to treat the water.
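
Added example (mine, not from Verizon's digest or from the utility): detection logic over a constructed audit trail that follows the chain described above. It flags an administrative logon to the AS/400 from the DMZ segment that hosts the payment web application, a PLC setpoint written from anywhere but the OT operator network, and a dosing setpoint that leaves its safe band or jumps too far in one write. The subnets, account names, tag names, bands and log lines are all constructed; none come from the report.

```python
"""Detection over constructed IT/OT audit events modelled on the Kemuri Water
Company breach chain.  All hosts, subnets, users, tags and log lines are
constructed for this example."""
import ipaddress
from dataclasses import dataclass

# Constructed network layout: OT operator workstations vs. the DMZ holding
# the customer payment web server.
OT_OPERATOR_NET = ipaddress.ip_network("10.20.0.0/24")
DMZ_NET = ipaddress.ip_network("192.168.100.0/24")

# Constructed safe operating bands for dosing setpoints (illustrative units).
SETPOINT_BANDS = {"chlorine_mg_l": (0.5, 4.0), "ph_caustic_ml_min": (0.0, 150.0)}
MAX_RELATIVE_CHANGE = 0.5  # more than a 50% change in one write is suspicious


@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse a constructed '<timestamp> key=value ...' audit line."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def analyze(lines):
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        src = ipaddress.ip_address(ev["src"])
        # Rule 1: admin logon to the control/business host from the DMZ. The
        # payment web server has no reason to hold a session on the AS/400.
        if ev["action"] == "logon" and ev["system"] == "as400" and src in DMZ_NET:
            alerts.append(Alert(n, "dmz_admin_logon", f"{ev['user']} from {src}"))
        if ev["action"] == "setpoint_write":
            tag, old, new = ev["tag"], float(ev["old"]), float(ev["new"])
            # Rule 2: PLC setpoint written from outside the OT operator segment.
            if src not in OT_OPERATOR_NET:
                alerts.append(Alert(n, "setpoint_from_it_segment", f"{tag} by {src}"))
            lo, hi = SETPOINT_BANDS.get(tag, (float("-inf"), float("inf")))
            # Rule 3: value outside its safe band, or too large a single step.
            if not lo <= new <= hi:
                alerts.append(Alert(n, "setpoint_out_of_band", f"{tag}={new}"))
            elif old > 0 and abs(new - old) / old > MAX_RELATIVE_CHANGE:
                alerts.append(Alert(n, "setpoint_large_change", f"{tag} {old}->{new}"))
    return alerts


# Constructed sample events: a normal operator shift, then activity from the
# DMZ web server host using an admin account.
SAMPLE_LOG = [
    "2016-03-01T08:02:11Z src=10.20.0.15 user=operator1 system=as400 action=logon",
    "2016-03-01T08:05:40Z src=10.20.0.15 user=operator1 system=plc7 action=setpoint_write tag=chlorine_mg_l old=2.0 new=2.2",
    "2016-03-01T23:41:03Z src=192.168.100.7 user=admin system=as400 action=logon",
    "2016-03-01T23:43:19Z src=192.168.100.7 user=admin system=plc7 action=setpoint_write tag=chlorine_mg_l old=2.2 new=6.5",
    "2016-03-01T23:44:02Z src=192.168.100.7 user=admin system=plc3 action=setpoint_write tag=ph_caustic_ml_min old=40.0 new=90.0",
]


def run_sample():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f"line {a.line_no}: {a.rule}: {a.detail}")
```

Rule 2 is the one that would have mattered most here: once OT and IT share a host, the only remaining signal is where a write came from, so the segment-of-origin check has to be enforced on the control side rather than assumed from the network design.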

Sometimes a sentence just does not seem to fit with the rest of the talk (or article). Does this strike you funny too?
Abraham J. Rein of Post & Schell has a nice recap of some of the recurring themes at last week’s PHI Protection Network conference in Philadelphia. Here’s a snippet of his post from the section about law enforcement’s message to attendees:
…. Michael Stawasz, Deputy Chief of the U.S. Department of Justice Computer Crime and Intellectual Property Section (“CCIPS”), and Rich Goldberg, Chief of the Economic Crimes Unit for the U.S. Attorney’s Office of the Eastern District of Pennsylvania, both worked to assuage corporate anxiety around reporting a data breach to law enforcement. Such anxiety is reasonable, given the risk of the company finding itself on the wrong end of enforcement scrutiny. But Stawasz and Goldberg both emphasized that, when a company suffers a data breach, “you [the company] are our victim” – indeed, “our goal is to protect you.” Companies need not be concerned, according to Stawasz, about turning information over to the government to assist in its investigation of the breach: “Your information will not be FOIA’d,” Stawasz told the audience; moreover, “it won’t be immediately shared with your regulators,” because “I’m not interested in holding you liable for unreasonable security.”
Read more on Post & Schell.

Interesting. Is this an indication that Privacy is becoming a large part of legal practices or that you can't get anything done on the FTC Board?
FTC commissioner to resign at end of month
The Federal Trade Commission's Julie Brill is slated to leave the agency at the end of the month, opening up the second vacancy on the five-person panel.
Brill, a Democrat, is slated to join Hogan Lovells to help lead the law firm's privacy and security practices. She will also help out with the firm's antitrust work.

Perspective. Well, I find it interesting.
Report: Half of all mobile games revenue comes from only 0.19% of players
Mobile games publishers have to take incredible care when acquiring new users, since the vast majority of them don’t buy anything. In fact, only 0.19 percent of all players contribute 48 percent of revenue, according to a new report from mobile marketing automation and engagement firm Swrve.
Swrve also found that a full 64 percent of players who spend money in games only do so once in the month (up from 49 percent in the original study last year). But it’s not all bad news for publishers. Total volume of spending per month increased by nearly $3 per player to $24.66.

US recorded-music revenues rose slightly in 2015 says RIAA
US music industry body the RIAA has published its figures for 2015, revealing that recorded-music revenues rose by 0.9% last year to $7bn.
That’s estimated retail value: the amount of money people spent on physical music, downloads and streams. The wholesale value – the money flowing back to rightsholders – rose 0.8% to $4.95bn.
Another key point from the RIAA’s announcement: streaming is now the biggest chunk of US recorded-music revenues, rising from 27% in 2014 to 34% in 2015 – overtaking download sales in the process.

Perspective. Anecdotes, not strategy.
Leveraging the Internet of Things for Competitive Advantage
… John Deere offers a case in point. The company has been making steel ploughs since 1837 and the name brand is synonymous with farming and tractors in the U.S. But beginning in 2012, John Deere embedded new sensors in its products and marketed connectivity as a key product benefit. Today, those sensors provide farms with decision-support information on where to plow, what crops to plant and when to plant. That information is potentially more valuable over time than the tractor pulling the plow.

How strange. My students seem to have a problem with class-long learning.
Pew – Lifelong Learning and Technology
by Sabrina I. Pacifici on Mar 22, 2016
A large majority of Americans seek extra knowledge for personal and work-related reasons. Digital technology plays a notable role in these knowledge pursuits, but place-based learning remains vital to many and differences in education and income are a hallmark of people’s learning activities. Most Americans feel they are lifelong learners, whether that means gathering knowledge for “do it yourself” projects, reading up on a personal interest or improving their job skills. For the most part, these learning activities occur in traditional places – at home, work, conferences or community institutions such as government agencies or libraries. The internet is also an important tool for many adults in the process of lifelong learning. A new Pew Research Center survey shows the extent to which America is a nation of ongoing learners:
  • 73% of adults consider themselves lifelong learners.
  • 74% of adults are what we call personal learners – that is, they have participated in at least one of a number of possible activities in the past 12 months to advance their knowledge about something that personally interests them. These activities include reading, taking courses or attending meetings or events tied to learning more about their personal interests.
  • 63% of those who are working (or 36% of all adults) are what we call professional learners – that is, they have taken a course or gotten additional training in the past 12 months to improve their job skills or expertise connected to career advancement.”
