Link

Cellebrite can unlock any iPhone (for some values of “any”)

An update by Ars Technica on Cellebrite’s ability to access the content on otherwise secured iOS devices:

Cellebrite is not revealing the nature of the Advanced Unlocking Services’ approach. However, it is likely software based, according to Dan Guido, CEO of the security firm Trail of Bits. Guido told Ars that he had heard Cellebrite’s attack method may be blocked by an upcoming iOS update, 11.3.

“That leads me to believe [Cellebrite] have a power/timing attack that lets them bypass arbitrary delays and avoid device lockouts,” Guido wrote in a message to Ars. “That method would rely on specific characteristics of the software, which explains how Apple could patch what appears to be a hardware issue.”

Regardless of the approach, Cellebrite’s method almost certainly is dependent on a brute-force attack to discover the PIN. And the easiest way to protect against that is to use a longer, alphanumeric password—something Apple has been attempting to encourage with TouchID and FaceID, since the biometric security methods reduce the number of times an iPhone owner has to enter a password.

This once again confirms the importance of establishing strong, long, passwords for iOS devices. Sure they’re less convenient but they provide measurably better security.

Link

What’s the big deal about Hillary using her personal email at work?

What’s the big deal about Hillary using her personal email at work?

Christopher Parsons, a Toronto-based cybersecurity expert with the think tank Citizen Lab, explained the security difference between a personal and official government email.

“The core security advantage is that the U.S. government will be attuned to the risk of her communications being deliberately targeted and, as such, would have a chance to maximize protections afforded to her communications,” Parsons said. “Moreover, data sent and received in U.S. government systems could be protected according to the sensitivity of the communications. So when sending classified or secret documents, a higher standard of care could have been provided.”

I would note that I don’t work at a think tank: I work at the University of Toronto, within the Munk School of Global Affairs.

Link

Potholes abound on the road to car-to-car communication

Oh yes, please: let’s build a mass communications network dependent on a (largely) creaky Certificate system, deploy the devices to the attackers (i.e. car owners), and just trust that no one’s gonna hack a mass, nation-wide, Vehicle-to-Vehicle communications network.

Also: taking bets on it being an escrowed certificate system. For public safety and all that good stuff.

Aside

What Sophisticated Security Tests Should Look Like

Facebook and a few other large corporations understand just how serious contemporary data intrusions and exfiltrations are. They spend a lot of money preparing for attacks. Why, if private companies, are taking collected data so seriously do our governments seem to remain so cavalier with their data collection, retention, and security practices?

Quote

It’s not good to be on Power’s bad side, however. When you are on that side, Power piles on charges rather than shrugging off felonies as simple mistakes. Especially if what you do falls into the gray area of enforcing the letter as opposed to the principles of the law.

You can file all the petitions you like with the powers that be. You can try to make Power –whether in the form of wiretapping without warrants or violating international conventions against torture — follow its own laws. But Power is, as you might suspect, on the side of Power. Which is to say, Power never pleads guilty.

Link

The Problems With Smartphone Password Managers

In today’s era of hyperbolic security warnings one of the easiest things that people can do to ‘protect’ themselves online is select super hard passwords to crack, stuff them in a centralized password manager, and then only have to remember a single password to access the rest in the manager. I’ve used a password manager for some time and there are real security benefits: specifically, if a single service that I’ve registered with is hacked then my entire online life isn’t compromised, just that one service.

Password manager companies recognize the first concern that most people have surrounding their services: how do the managers protect the sensitive information they’re entrusted with? The standard response from vendors tends to reference ‘strong security models and usage of cryptography. Perhaps unsurprisingly, it is now quite apparent that the standard responses really can’t be trusted.

In a recent paper (.pdf), researchers interrogated the security status of password managers. What they found is, quite frankly, shocking and shameful. They also demonstrate the incredible need for third-party vetting of stated security capabilities.

The abstract for the paper is below but you should really just go read the whole paper (.pdf). It’s worth your time and if you’re not a math person you can largely skim over the hard math: the authors have provided a convenient series of tables and special notes that indicate the core deficiencies in various managers’ security stance. Don’t use a password manager that is clearly incompetently designed and, perhaps in the future, you will be more skeptical of the claims companies make around security.

Abstract:

In this paper we will analyze applications designed to facilitate storing and management of passwords on mobile platforms, such as Apple iOS and BlackBerry. We will specifically focus our attention on the security of data at rest. We will show that many password keeper apps fail to provide claimed level of protection

Access the paper (.pdf)

The Problems With Smartphone Password Managers

Link

How to hack a smartphone via radio

Network World:

Encryption keys on smartphones can be stolen via a technique using radio waves, says one of the world’s foremost crypto experts, Paul Kocher, whose firm Cryptography Research will demonstrate the hacking stunt with several types of smartphones at the upcoming RSA Conference in San Francisco next month.

“You tune to the right frequency,” says Kocher, who described the hacking procedure as involving use of a radio device much like a common AM radio that will be set up within about 10 feet from the smartphone. The radio-based device will pick up electromagnetic waves occurring when the crypto libraries inside the smartphone are used, and computations can reveal the private key. “We’re stealing the key as it’s being used,” he says, adding, “It’s independent of key length.”

Kocher says the goal of the hacking demo, which Cryptography Research will demonstrate throughout the RSA Conference at its booth, is not to disparage any particular smartphone manufacturer but to point out that the way crypto is used on devices can be improved.

“This is a problem that can be fixed,” he says, noting Cryptography Research is working with at least one of the major smartphone makers, which he declined to name, on the issues around these types of radio-based attacks.

This is a high level of awesome. I wonder who the major smartphone maker is; Microsoft? Apple?