Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

C2 provides technology services and consultation to businesses and individuals.

T (818) 584 6021

C2 Technology Partners, Inc.
26500 Agoura Rd, Ste 102-576, Calabasas, CA 91302

Feds able to snoop on popular “secure” messaging platforms

Christopher Woo
Tuesday, 30 November 2021 / Published in Woo on Tech
At this point it should come as no surprise to anyone that regardless of what Facebook says about security and privacy, you can almost guarantee they will be caught in a lie, or at the very least, avoiding the truth. The latest boondoggle comes courtesy of a Freedom of Information Act finding made by an organization called Property of the People, a non-profit transparency group that has shared a document from the Federal Bureau of Investigation that details “Lawful Access” to your supposedly private and secure messaging on Facebook’s WhatsApp and Apple’s iMessage platforms, as well as several others.

What this means to you

In a nutshell, the document does indicate that in all cases, Facebook and Apple are true to their word that your conversations – as they happen – are encrypted, and the FBI cannot read them. What’s telling is what Apple and Facebook omitted in all of their marketing and soapboxing about privacy and security. According to the FBI document, which appears to be designed more as an executive summary, WhatsApp seems to be designed to give near real-time access to everything but the content of the user’s messages if they are served with a search warrant. Though not nearly as transparent in real time as WhatsApp, Apple’s iMessage will provide metadata surrounding a targeted user’s messages for up to 25 days.

The real cherry-on-top of this privacy-nightmare sundae is actually Apple’s to own: If the targeted user happens to be backing up their messages (both iMessage and WhatsApp apparently) to iCloud, a search warrant can also return the encryption keys to that supposedly secure backup, which will allow authorities to decrypt and reveal the actual contents of the messages.

Of course, if you aren’t doing anything wrong, you should have nothing to worry about if the Feds are reading your messages, right? Let me point you to an article written in 2013 and published by the ACLU:

You May Have ‘Nothing to Hide’ But You Still Have Something to Fear | American Civil Liberties Union (aclu.org)

On top of the privacy issues this latest surprise reveals, I also want to make sure you note my other point: regardless of how much Apple and Facebook preach from their bully pulpits about protecting your privacy, it should be painfully clear this is more marketing ploy than protection of your rights. If a company is for profit, they are not looking out for you, they are looking out for their shareholders whose top priority is staying in business and cooperating with the authorities to make sure those dollars don’t stop. In the end it’s your choice whether you use these platforms, but don’t fool yourself into thinking you are choosing a “secure” platform that “protects your privacy.” At best, Facebook and Apple are being disingenuous about their privacy stances while behind the scenes they are laying the foundations for an Orwellian Nightmare.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Tags: Apple, facebook, FBI, imessage, privacy

Details on the Yahoo Breach Hack Revealed

Christopher Woo
Tuesday, 21 March 2017 / Published in Woo on Tech
It had all the trappings of a Hollywood blockbuster: a massive data breach, hackers hired by Russian spies, and a secret operation that went on for years undetected. Except for one rather pedestrian and crucial element. According to indictments handed down by the US Federal Bureau of Investigation, the hackers penetrated Yahoo’s security not through some sophisticated cyber-tango of caffeine-fueled hacker artistry. There weren’t any high-tech micro computers covertly implanted into neon-lit server racks following a series of cleverly choreographed hi-jinks. No, the largest single leak of Personally Identifying Information was enabled by a Yahoo employee falling for a spear phishing attack.

Here comes the email security soapbox again!

What’s a spear phishing attack and what makes it different from the rest of the spam you get in your email? Typical spam and phishing emails are sent to as many people as possible in the hopes that a small percentage will click the link or open the attachment, whereas spear phishing is designed to target a very specific audience or even a particular individual. They are typically several levels more sophisticated than the usual garbage clogging our email as the content is custom-tailored to appear believable to the target. While I’m sure many of you are scratching your heads at how a single click on a fake email could lead to the largest breach in history against a storied dot-com darling, keep in mind that in the ongoing plate-spinning war of internet security, the good guys only win if they can keep all the plates spinning, and the bad guys win if even a single plate falls.

There are many lessons to be learned from this incident, but perhaps the most important one of all still remains: all security systems are only as strong as the weakest link, and many times that weakest link is a human. Given enough resources, time and determination, any security system can be hacked, and any company or organization can be breached. What’s a business owner to do in light of a seemingly unstoppable force? Just like preparing for two other famously unavoidable eventualities, planning for a security breach will prepare you to react properly and deliberately rather than in a mad scramble for recovery. Not sure how to get started? Pick up the phone and let C2 give you a leg up on getting ready.

Tags: breach, FBI, Hacking, security, spear phishing, yahoo

CIA Director targeted by US hackers

Christopher Woo
Tuesday, 10 January 2017 / Published in Woo on Tech
This particular story could be one of dozens (or even hundreds) of these types of incidents that occur in any given week: “government official gets social media and email accounts hacked” which then leads to highly confidential data being leaked on the internet. Except in this case it was the current US Central Intelligence Agency director John Brennan, and several other highly-ranked government officials, and the data that was leaked was data from nearly 30k Federal Bureau of Investigation and Department of Homeland Security employees. Also unusual was that the hackers charged in this breach aren’t Russian or Chinese or North Korean. Nope, at least one of the responsible parties hails from North Carolina. And the real reason I’m bringing this story to your attention was this most important facet of the attack: Brennan and the other victims in this incident weren’t compromised through sophisticated malware and technology – the attackers fooled people associated with the victims – usually service providers – through simple tools like emails and phone calls, under the guise of providing technical assistance.

What this means for you:

“Social engineering” is the digital-age equivalent of con artistry, and it is becoming trivially easy to perpetrate given our reliance on tools like email and large, impersonal corporations. In the case of the above, one of the cons included the hacker actually posing as a Verizon technician in order to fool another Verizon employee into resetting Brennan’s email password, and they just worked their way inward from there. As you should know by now, once a hacker is in your email, it’s all over but the crying. Sadly, there’s not much you can personally do to improve poor security practices at companies like Verizon, and despite impersonation being one of the oldest cons in the book, people still regularly fall for it.

It’s only a matter of time before anyone gets hacked – we are human after all, and despite what you might want to believe, there is always someone more clever than you out there, and if you are unlucky, that person is out to get you. You can practice something that is well known to outfits like the CIA and FBI: compartmentalization. Since none of us are intelligence agents (that I know of!), for our purposes this means keeping personal and work activities separate. You can execute this concept in a number of different ways:

  1. Keep work and personal emails in separate accounts
  2. Use separate devices for social networking and financial activities like online banking
  3. Use unique passwords for all your important accounts
  4. Exchange confidential information through appropriate secure channels
  5. Store confidential information in properly secured and backed up locations
  6. Require two-factor security for your most important accounts

The key to proper execution of this practice is discipline and vigilance. It may be inconvenient and seem inefficient, but weighed against the alternatives, it will be worth the effort.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Tags: CIA, data breach, FBI, government, Hacking, security, social engineering

FBI locked themselves out of shooter’s iPhone

admin
Wednesday, 02 March 2016 / Published in Woo on Tech
In the latest dramatic chapter of the ongoing encryption battle between the FBI and Apple, the feds have admitted that they worsened their chances of ever finding out the contents of the San Bernardino shooter’s iPhone when they reset its associated iCloud password in a misguided attempt to access the locked device. According to Apple, prior to that reset, the FBI may have been able to gain access to the device without Apple having to provide a controversial backdoor to its otherwise very secure smartphones. On top of the FBI’s blunder and lack of understanding of Apple’s iPhone security, it’s also clear that several members of the House Judiciary Committee leading the hearings on this controversy are also poorly versed in how smartphone security works. To be fair to everyone, Apple’s iCloud system is arcane even to me, so it’s easy to see how someone unfamiliar with the system could make this mistake.

What this means for you:

Making fun of government officials being ignorant about high tech subjects is like shooting fish in a barrel. The “series of tubes” analogy used by Senator Ted Stevens is just one of many examples of US lawmakers struggling to understand admittedly complex technologies like the internet and encryption. Back then (10 years ago!) it might have been acceptable to dismiss their technology naivety as understandable – after all they are congress people, not IT consultants. But now, in an increasingly technology-permeated society, their ignorance or willful disregard of technology can lead to very bad decisions that have widespread and long-lasting consequences. This is just as applicable to your personal and workplace tech. While it’s impossible to be an expert on everything, if you rely on technology for critical business operations, you should have more than a basic understanding of how to turn it on and off. At minimum you should know what risks come with that technology, and if you cannot claim to be an expert in the technology in question, you should always consult with an experienced technology professional before making game-changing decisions.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Tags: Apple, back door, encryption, FBI, Hacking, hearings, icloud, iPhone, password, san bernadino, security

Apple at the front of encryption battle

admin
Tuesday, 23 February 2016 / Published in Woo on Tech
Apple made a big splash last week when CEO Tim Cook published an open letter in response to the FBI’s request and subsequent court order to hack the iPhone of the primary assailant in December 2015’s San Bernardino mass shooting. As one might expect, Mr. Cook basically told the government that they would not comply, and fortunately, they might be the one company that could afford to fight this battle in the courts. Though the tech industry has typically maintained a similar stance on device encryption, even the most staunch champions of digital privacy such as Google and Twitter have had surprisingly muted responses to the growing battle. Also revealing is a recent Pew poll that suggests while the tech industry may be largely united on device encryption and government backdoors, the American public isn’t quite sure what to think about this complex issue.

What this means for you:

Late model iPhones ship with encryption enabled by default, and as long as you enable some form of authentication on your device, the data on that device will only be accessible if you unlock it. Law enforcement can’t break the encryption, and Apple, by its own admission, cannot decrypt your phone’s contents without the proper authentication, even if the phone owner asks them to do so. If someone tries too many times to guess your PIN, the device will be automatically wiped – no intervention from Apple or your carrier is required. The FBI is demanding Apple create a way for them to unlock the iPhone of the San Bernardino shooter, which if Apple were to actually accomplish such a feat, could theoretically allow anyone with possession of this backdoor to decrypt any iPhone protected by similar technology. Like the atomic bomb, the development of this backdoor cannot be unmade, nor will it remain only in the hands of the “righteous”. While the data on the SB shooter’s phone may prove useful in providing some closure to the incident and may even help further other domestic terror investigations, it’s easy to see that the FBI means for this case to set a precedent that will give them unfettered access to an area that has traditionally been protected, both by law and by technology.

Tags: Apple, encryption, FBI, government, privacy, security

Man Hacks Controls of In-flight Plane

admin
Tuesday, 19 May 2015 / Published in Woo on Tech
A little over two years ago, I wrote about a hacker who was able to demonstrate hacking and takeover of an airplane’s flight control system, and suggested that it may be a while before someone was able to execute this same type of hack “in the wild.” Unfortunately for everyone, it’s happened sooner than we might hope: notorious hacker Chris Roberts of One World Labs has claimed that he managed to penetrate an airplane’s flight control system while it was in flight and was able to temporarily alter the plane’s trajectory by overriding controls on a wing engine, forcing the plane to fly sideways for a short period. After joking via Twitter about his hacking activities on an April flight, Roberts was detained by the FBI and his equipment seized. According to affidavits published of the FBI interviews with Roberts, it appears as if the FBI believes Roberts is in fact capable of hacking planes while in flight.

What this means for you:

I’m actually quite surprised this hasn’t happened sooner, and with much more horrifying results. On the scale of expertise on technology security, I consider myself to be only moderately well-trained and informed, but it doesn’t take an expert to comprehend why this is going to be an increasingly dangerous problem. Because all security systems are essentially designed by humans, they will inherently be flawed. Hackers count on this weakness and are able to exploit it over and over again. In the case of the above alleged hacking incidents (yes, there was more than one), Roberts exploited a hardware weakness – he was able to physically connect his equipment to the plane by cracking the inflight entertainment box under his seat – and a software weakness – he used default passwords to circumvent the security of the plane’s control systems. In both cases he would have been foiled if the people who designed and implemented the systems had taken more care in their work. According to Roberts, his actions are meant to goad the industry into taking security more seriously, and maybe now that the FBI seems to be backing his claims, something might get done.

Overall, security is an uphill battle, and requires more energy, money and expertise than most companies can field at any given time. Like insurance, many folks have a hard time spending money to secure against something that might happen. In this case, like the other inevitabilities we insure against, accepting the fact that you will be hacked (even if you already have been) at some point in the near future, will help you frame your investments in security in a more realistic and practical perspective, and doing something proactive will often put you ahead of your competition. Embattled industries like airlines should definitely keep this in mind.

Tags: airplane, FBI, Hacking, human, security

Petraeus-Gate and Fallacy of Email Privacy

admin
Wednesday, 14 November 2012 / Published in Woo on Tech
Apparently, even the (former) head of the CIA can fall victim to a security breach. General David Petraeus recently handed in his resignation as the leader of the US’s Central Intelligence Agency when his extra-marital affair surfaced through an investigation led by the CIA’s own sister agency, the Federal Bureau of Investigation. What’s interesting is that the FBI didn’t use exotic technology or Hollywood-esque espionage to gain access to Petraeus’ “anonymous” email account – in the end, it boiled down to a simple, lawful court order through the Electronic Communications Privacy Act. Once the FBI had covert access, they were easily able to track the account usage and trace it to the General himself.

What this means for you:

What undid Petraeus – aside from lack of integrity and fidelity – wasn’t his extremely clever usage of Gmail. Once again, the subterfuge was ruined by a person – in this case, by his own mistress, Paula Broadwell, who sent threatening emails to Petraeus family friend Jill Kelley, who then got the FBI on the case. In the course of any criminal investigation, the ECPA grants the government authority to access any electronic communication without a warrant if it’s under 180 days old, and if it’s older than 180 days, then all that is needed is a court order. Even if you think you’ve set up an anonymous email account, all email travels through the internet by virtue of metadata attached to the digital envelope that is impossible to hide. Think of it as a digital postmark. And because all data must come from somewhere and go somewhere, IP addresses (and logs) make it possible to pinpoint those locations with ruthless precision. The next time you send an email that you need to be completely confidential, think carefully about the implications of it appearing on the front page of every news website in the world. Obviously, the government doesn’t have the time (or the justification) to watch everyone in America, but they certainly have the means, and the will to use them, even if it undermines one of their own sacred cows.

Image courtesy of renjith krishnan / FreeDigitalPhotos.net

Tags: affair, Broadwell, CIA, ECPA, Electronic Communications Privacy Act, email, FBI, investigation, IP address, metadata, Petraeus, security

© 2016 All rights reserved.