iPhone Passcode Hack

Just a few days ago, Dr Sergei Skorobogatov, who works at the University of Cambridge laboratory, was able to develop a method to crack an unknown pin code on an iPhone 5c.  He did it by removing the Nand chip, which is the main memory of the phone, studying how it communicated with the phone and successfully cloning it.

The purpose of this is to allow for an unlimited number of passcode attempts as usually an iPhone will lock up after a few incorrect tries. This directly contradicts a claim by the FBI that this method (called Name mirroring) would not work during the time they were attempting to access San Bernardino gunman Syed Rizwan Farook’s iPhone 5c.

Dr Skorobogatov made a YouTube video demonstrating his method of removing and replacing the Nand chip and the successful reset of the passcode lockout counter.

Using this method, he was able to crack a 4 digit code in about 40 hours and a 6 digit code could take hundreds of hours. In order to crack newer phones, Dr Skorobogatov said more information was needed about how Apple stored data in memory and he would need a more sophisticated set-up to extract the memory chip.

Apple has not responded to this yet.

Link to original article: http://www.bbc.com/news/technology-37407047

Apple Zero-days Mark a New Era of Mobile Hacking

blog_post_image_08_29_2016

Apple’s head of security engineering and architecture, Ivan Krstic, announced that apple is ready to open up its vulnerability reporting process to researchers. They are launching a bug bounty program that offers rewards for zero-day vulnerabilities that allow vicious code exploits.

This idea came about after an incident involving an activist in the United Arab Emirates, Ahmed Mansoor, where three zero-days were discovered with the ability to spy on his messaging and calls. This incident caused Apple to realize that hackers had shifted their focus from desktops/laptops to mobile phones.

The iOS exploit used to target Mansoor was a three pronged approach that started as a very believable phishing attack that when clicked downloaded two kernel exploits to the device. Now that the malware has been exposed, Citizen’s Labs has discovered that the exploit was the work of an Israel based surveillance software developer group, NSO. Lookout estimates that the exploit has been available for purchase for approximately two years.

Now that the NSO group has been made public and the zero-days have been patched there are now ways to scan if your devices have been compromised and Apple is pushing harder than ever before to find its vulnerabilities.

-Hannah Gallucci

Apple zero-days mark a new era of mobile hacking

The Implications of the Paris Attacks in Respect to Consumer Encrypted Communication Services

It is highly probable that the effects of the recent Paris attacks will be seen throughout all aspects of cyber-security and privacy. In particular it is rather interesting to consider the effects in regards to consumer encrypted messaging services. It is often the case that there is change in security policy and measures that commensurate with a terror attack. Therefore it is reasonable and practical to envisage western governments to express interest and attention in encrypted messaging services.

On the market today there is a significant amount services that offer the consumer end to end encryption. Examples of such services are: What’s App, Silent Circle, and Wickr. What end to end encryption is, in respect to communications, is the ability for users to communicate to both end completely encrypted. The result of this technology is that the only users able to read and interpret data are either the sender or the receiver. The implications of this is that there is no method of which any organization has the ability to read and interpret the communications being sent, even the company hosting the service.

In the wake of these attacks, there will be a greater desire of law enforcement agencies of the western civilizations to have access to intercept these messages. Senator Dianne Feinstein from California is calling for a “back door” into these services, stating that it is a problem that these services can “create a product that allows evil monsters to communicate in this way.” It his highly reasonable to extrapolate that this is only the start of a conversation on consumer encrypted communication services.

These government agencies are calling for these “back doors” in the wake of these attacks because it allows terrorists to communicate and coordinate with the messages being completely encrypted. An organization named Middle East Media Research Institute has released a report stating that a significant number of radical groups are using these services to communicate. However it is important to review these reports with caution, because the institute who released these reports are a not for profit political organization located in Washington.  In addition it is dubious how the information was found, because according to the mechanics of end to end encryption this information is impossible to recover. However regardless of the verisimilitude of these reports, it is important to acknowledge the potential implications of these technologies.

In final it is significantly important to consider the technical implications of creating this “back door”. Creating this back door also creating an additional set of probable problems in regards to this topic. Nickolas Weaver, a senior researcher at the International Computer Science Institute, stated “You cannot hack a back door that lets only the good guys in… If you add one, it becomes usable by Chinese intelligence, Russian intelligence, and criminals.” Therefore if following these calls for an intercept-able encrypted messaging, would also ruin the purpose of using these services for communications.

In conclusion the future of consumer encrypted messaging services is uncertain in the wake of these attacks. The conversation in regards to public safety, in respect to these service is just beginning. It is also important to consider the technical consequences of creating a “back door.” The Paris attacks will a have a wide-reaching effect in the realm of information security, consumer encrypted messaging is only one of the many aspects that may be altered in the wake of these attacks.

Michael Henry Boc

 

http://www.nbcnews.com/storyline/paris-terror-attacks/paris-attack-could-renew-debate-over-encrypted-messaging-apps-n464276

http://www.wired.com/2014/11/hacker-lexicon-end-to-end-encryption/

http://www.memri.org/

 

Smart Watch Security Threats

As with any piece of new technology, the introduction of smart watches come with new threats to security. A recent study was conducted on these watches and to no ones surprise, many vulnerabilities were found. A few of the vulnerabilities listed include, a lack of transport encryption, lack of user authentication, privacy problems, and firmware problems. It was also found that communications were easy to interfere with and intercept. This means that as of right now, if sensitive data is being transmitted over the watches, anyone could get a hold of it.

Experts recommend to protect sensitive information with strong passwords and to make sure you are controlling your communications to avoid middle man attacks. Another suggestion they make is to manage your transport layer security settings and make sure they are in good shape for protecting you. The biggest concern however seems to be the vulnerabilities of the apps rather than the watch itself. Previously there have been attacks on apps for the iPhone and such so the experts say it wouldn’t be surprising to see attacks on the smart watch apps.

The bottom line is to approach these new smart watch products with care and to focus more on the security of the apps than the watch itself. Additionally, as time goes on, more apps for increased security will be released. Apple has already released several since the release of their Apple Watch.

-Thomas Coburn

Security in Healthcare

According to a recent survey, Healthcare is the latest favourite of the hacking community. There’s a shortage of security professionals in the healthcare business, and while many respondents involved in tech are worried about personal records and other data, the ones who aren’t involved in tech, while worried, do not believe their corporations to have been hit.

The tech respondents have a right to be worried. Recently, it’s come to light that Healthcare experiences 340% more security attacks and incidents than any other sector, and advanced malware is suspected in 1 of every 600 attacks, making Healthcare four times more likely to be hit by advanced malware than any other sector.

There are many ways that hackers can get in. With the digitalization of patient records, as well as the addition of wearable technology, such as smart watches and smartphones, hackers are finding many new avenues to break into the system. While security for wearable technology is a separate issue, Jonathan Collins, a principal analyst for ABI Research says that they can pave the way for easier access to Healthcare records.

By Kathleen H. Justen

http://www.technewsworld.com/story/82638.html