Friday, September 19, 2014

Security & Hacking: Apple iOS 8 & Data Extraction

People have been citing a statement on this page http://www.apple.com/privacy/government-information-requests/ as proof that with iOS 8 Apple can't extract data from devices secured with a passcode.

I don't think most people are reading Apple's statement with a critical enough mindset. Here is the last part of what Apple actually wrote about data extraction:

"So it's not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8."

The key part is "extraction of this data from devices in their [government] possession running iOS 8." Note my bolded emphasis.

What Apple is really saying, I think, is that, just like with iOS 7, Apple needs devices in their possession to extract data; they can't do it remotely and didn't provide government agencies with the tools to do so either.

Here is a snippet from Apple's page "Legal Process Guidelines: U.S. Law Enforcement". Important note: the original link "https://www.apple.com/legal/more-resources/law-enforcement/" to this information at Apple now gets redirected to "https://www.apple.com/privacy/government-information-requests/", so if you don't have a copy of the original page you will need to find a cached version to verify:

"I. Extracting Data from Passcode Locked iOS Devices
Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple's native apps and for which the data is not encrypted using the passcode ("user generated active files"), can be extracted and provided to law enforcement on external media. Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data."

And from the FAQ section of that page:

"Can Apple provide me with the passcode of an iOS device that is currently locked?
No, Apple does not have access to a user's passcode but may be able to extract some data from a locked device with a valid search warrant as described in the Guidelines."

So what it seems like to me is that iOS 8 offers at best the same protection as earlier versions: Apple can still extract data from devices in their possession, though they worked hard to write a factually accurate statement that was misleading.

I also haven't noticed any comments about data from the coprocessor that tracks movement and other data on the iPhone 5S and newer, even when the phone is sleeping.


Thursday, September 11, 2014

Tuesday, August 12, 2014

Nerd News: LastPass Back Up

LastPass has been down for a while, but according to LastPass and other reports it should be back up, though there may still be some issues.

Sounds like they only use 2 datacenters, or maybe even only a single primary one with a "backup".

"Update: 1:28 pm EST

Though one of our data centers remains completely down, the service is generally stable and should be available to the majority of users (with the exception of login favicons). Some users may see connection errors but should still be able to access their data. We continue to work as quickly as possible to get the service back to 100%."

Source http://blog.lastpass.com/


"Aug 12, 2014 - One of LastPass' datacenters has been down since 3:57am EDT. The service is now running fully off one Herndon VA datacenter and we have been engaged with our provider all morning. Currently favicons/sprites are impacted. We are doing what we can to minimize the impact and apologize for the inconvenience."

Source https://lastpass.com/status.php


Also http://www.isitdownrightnow.com/lastpass.com.html

For LastPass users that want an offline solution to prevent this type of problem in future, consider LastPass Pocket.

This is the LastPass link specifically about offline access: https://helpdesk.lastpass.com/password-manager-basics/your-lastpass-vault/offline-access-to-your-lastpass-vault/


Monday, August 11, 2014

Def Con 21: "Pentesting with an Army of Low-power Low-cost Devices"

I couldn't go to Def Con 22 and am waiting for the VODs to come out, so in the meanwhile I started watching some of the Def Con 21 videos on YouTube.

I like this one about pen testing with cheap ARM devices by Dr. Philip Polstra, aka Dr. Phil the Hacker; his Twitter is ppolstra | https://twitter.com/ppolstra.

He uses the BeagleBone Black as the starting point for his hardware.

Security & Hacking: The Matasano Crypto Challenges

Really cool: the Matasano Crypto Challenges are "a collection of 48 exercises that demonstrate attacks on real-world crypto."

They are designed to teach real crypto attacks by doing, which is great for improving the security of the code you write, or for getting an idea of what pen testing or malicious hacking involves.

A very good review, worth reading in its own right, is here: https://blog.pinboard.in/2013/04/the_matasano_crypto_challenges/

Note that in the Pinboard review the original link for the Matasano Crypto Challenges didn't get updated after the server move; the current working link (I have the correct link at the top of this blog post of mine as well) is http://web.archive.org/web/20140213141638/http://www.matasano.com/articles/crypto-challenges/

Wednesday, June 11, 2014

Hope? Federal Appeals Court ruled Police need Warrant for cell phone location history

"For the first time, a federal appeals court has ruled that law enforcement must obtain a warrant to get people's phone location histories from their cell service companies."

Source & full article at https://www.aclu.org/technology-and-liberty/first-time-appeals-court-rules-warrant-required-cell-phone-location-tracking

PDF of the ruling itself at https://www.aclu.org/sites/default/files/assets/q_davis_opinion_0.pdf

A little hope; my understanding is that this ruling would only apply to the jurisdiction of the court that made the ruling, and I suspect governments (local/state/federal?) will appeal.


Security & Hacking: Windows Patch Tuesday Reminder

In case you forgot, yesterday was Patch Tuesday for Windows.

There are some critical fixes in this batch of patches; for quick details on Patch Tuesdays I always recommend Brian Krebs' posts: http://krebsonsecurity.com/2014/06/adobe-microsoft-push-critical-security-fixes-4/