Encryption , Privacy , Technology

FBI Versus Apple: A Lose-Lose Situation Reputations of Both Come Under Fire Eric Chabrow (GovInfoSecurity) • March 25, 2016     FBI Director James Comey and Apple CEO Tim Cook

Neither Apple nor the FBI looks good in the days following the postponement of a hearing on whether Apple should be forced to help the bureau crack open the iPhone of one of the San Bernardino shooters. It's a lose-lose situation.

See Also: Unlocking Software Innovation with Secure Data as a Service

A federal magistrate in Riverside, Calif., scheduled a hearing for March 22 on a Justice Department motion to compel Apple to help the FBI bypass the password to access the iPhone 5C issued to the assailant Syed Rizwan Farook by his employer, San Bernardino County government. But the FBI was granted a delay in the proceedings until April 5, saying it may have found a way to unlock the phone without Apple's assistance (see Feds Obtain Delay in Apple Hearing.)

The rationale for the delay makes the FBI look bad because leading up to the hearing date, it insisted it needed Apple's assistance, promoting the illusion that only Apple could create the software to unlock the iPhone.

Impact of the Delay

Apple, in opposing the Justice Department filing that it cooperate with the FBI to crack the password on the iPhone, positioned itself as the defender of users' security and privacy by providing safeguards on its devices that not even it could circumvent, and reinforcing the image of the unassailability of its security functions.

"We believe strongly that we have a responsibility to help you protect your data and protect your privacy," Apple CEO Tim Cook said at a March 21 press conference introducing new company products. "We owe it to our customers and we owe it to our country. This is an issue that affects all of us, and we will not shrink from our responsibility."

Despite Cook's strong words, the illusion of invincibility has been cracked. "The representations of Apple about their unbreakable security were very endearing, but naïve," says Philip Lieberman, CEO at Lieberman Software, a privilege management solutions provider.

Comey on the Defense

Ever since the FBI revealed that it may have discovered a way to circumvent the password safeguards without the help of Apple, FBI Director James Comey has sounded a bit defensive. Responding to a Wall Street Journal editorial questioning the FBI's veracity, Comey, in a letter to the editor, wrote:

"You are simply wrong to assert that the FBI and the Justice Department lied about our ability to access the San Bernardino killer's phone. I would have thought that you, as advocates of market forces, would realize the impact of the San Bernardino litigation. It stimulated creative people around the world to see what they might be able to do. And I'm not embarrassed to admit that all technical creativity does not reside in government. Lots of folks came to us with ideas. It looks like one of those ideas may work and that is a very good thing, because the San Bernardino case was not about trying to send a message or set a precedent; it was and is about fully investigating a terrorist attack."

Who's providing the FBI with the critical know-how to crack Farook's iPhone? The FBI isn't saying, but the Israeli newspaper Yedioth Ahronoth identified the Israeli mobile forensics software provide Cellebrite as the company coming to the bureau's rescue. Cellebrite declined to comment on the report (see Legal Issues Persist as FBI Backs Off in iPhone Case).

A Mere Coincidence?

On March 21, the day the government sought a delay of the hearing, the FBI issued a

purchase order for $15,278 to Cellebrite's U.S. unit for information technology software.

But cryptographer and author Bruce Schneier raises doubts that the purchase order is linked to having Cellebrite help the FBI crack the code, telling the online site Re/code the timing is mere coincidence: "Why would it show up in the 11th hour? It makes little sense."

If the FBI discovers a way to crack the iPhone password - with the help of outsiders, whether Cellebrite or someone else - will it classify that method as top secret? That wouldn't make Apple happy, would it? After all, shouldn't the FBI share the process to bypass the password with Apple so the iPhone maker can patch the vulnerability?

If not, iPhone users would remain vulnerable, and Apple's image as a maker of unbreakable encryption would be tarnished as the government's credibility remains suspect. There seems to be no winner here.

Encryption , Privacy , Risk Management

Silicon Valley: Crypto Debate Continues Highlights from ISMG's San Francisco Fraud and Breach Prevention Summit Mathew J. Schwartz (euroinfosec) • March 25, 2016    

Despite the recent move to put the FBI-obtained court order against Apple on hold, the crypto debate is far from over. So said a panel of experts at Information Security Media Group's Fraud and Breach Prevention Summit, held March 22-23 in San Francisco (see Feds Obtain Delay in Apple Hearing).

See Also: Rethinking Endpoint Security

Sessions at the summit focused on a number of topics, ranging from the fight against malware and fraud to new trends in spotting and stopping network intrusions and data exfiltration.

But one of the hottest sessions was the closing panel on the Apple versus FBI debate, which I moderated. The discussion didn't seem blunted at all by Judge Shari Pym granting a Department of Justice request to delay - and potentially dismiss - her order for Apple to assist the FBI in unlocking an iPhone 5C issued to San Bernardino shooter Syed Rizwan Farook. Federal officials requested the delay because the FBI says it may have found a way to unlock the phone without Apple's assistance.

Supervisory Special Agent Elvis Chan, who's part of the FBI's San Francisco division, emphasized early in the panel how his bureau training began: by literally swearing to uphold the Constitution, including Fourth Amendment protections against "unreasonable searches and seizures." Speaking as a front-line investigator, he noted that complex, cybercrime-related search warrants may take months to complete. And he said it was in everyone's interest to know what type of information can - or cannot - be the subject of a search warrant or court order so that agents can follow the rules as well as focus their energy appropriately. "We're human beings, we're not Big Brother," he said.

Similarly, Scott Swantner, director for global security at Western Union Digital Ventures, urged greater cooperation between the private sector and law enforcement agencies, for example, via the FBI's InfraGard. Swantner, who until recently was a U.S. Secret Service agent, also spoke of investigators' frustration when faced with encrypted data during the course of an investigation and worried about the hit to productivity if more and more data was to become encrypted.

'Extraordinary Access' Problems

In contrast to the investigators' experience, attorney Mark Mao, a Troutman Sanders partner who co-chairs the firm's data privacy practice, said that related crime-fighting crypto proposals offered by FBI Director James Comey and some members of Congress involve seeking a backdoor - a.k.a. "extraordinary access" capability - or else keeping copies of cryptographic keys, via what's known as key escrow, which would be obtainable with a warrant.

But Mao said that so-called backdoors create vulnerabilities that anyone could - and likely would - target. In a nutshell, that's because cryptography works by multiplying together two incredibly large prime numbers, he said. Using less-long numbers to make a cryptographic key easier to crack for law enforcement agencies would mean it would be just as easy for cybercriminals to crack, thus imperiling communications, intellectual property, as well as e-commerce and banking transactions. Meanwhile, key escrow, many panelists agreed, would great a "single point of failure" that attackers would obviously target.

Backdoors could also be bad for the U.S. technology sector, panelists warned. Representing Silicon Valley, Jim Pflaging, the global lead for the technology sector and business strategy practice at the Chertoff Group, referenced an encryption white paper his firm released in time for this year's RSA Conference. The paper concludes "that an extraordinary access requirement is likely to have a negative impact on technological development, the United States' international standing, and the competitiveness of the U.S. economy and will have adverse long-term effects on the security, privacy and civil liberties of citizens" (see Crypto Review: Backdoors Won't Help).

Panel participants also discussed the question of whether a court could order Apple to create a special, backdoored version of iOS - dubbed FBiOS by some - that would allow it to get access to any device. But panelist Joseph Burton, a partner at the law firm Duane Morris who specializes in information security law, said there was no legal precedent for the U.S. government being able to force a technology company to write code of the government's choosing, whatever the time or cost involved. He added that attempting to do so would, in fact, seem to violate the 1994 Communications Assistance for Law Enforcement Act, known as CALEA (see Apple Accuses DOJ of Constitutional, Technical Ignorance).

'Going Dark' Alarmism

Everyone on the panel agreed that U.S. firms want to help U.S. law enforcement agencies stop bad guys. But Mao said that the debate needs to be framed in a different way. Indeed, many panelists noted that the "going dark" alarmism about terrorist risks advanced by some law enforcement agency chiefs isn't conducive to fostering a closer working relationship between private businesses and law enforcement agencies.

"There's been lots of focus on what Apple won't do, and what the technology community doesn't want to do," Chertoff Group's Pflaging told me following the panel. But the more constructive approach, he argued, would be to ask of industry: "What can they do?"

While the Justice Department may no longer attempt to force Apple to help it bypass security features built into one of its devices, the related questions still remain unanswered, the panelists agreed (see Legal Issues Persist as FBI Backs Off in iPhone Case).

"It's disappointing that the can has been kicked down the road," the FBI's Chan said.

Litigation , Mobility , Privacy

Justice Department Won't Characterize Data Retrieved from Shooter's Smartphone Eric Chabrow (GovInfoSecurity) • March 28, 2016    

The FBI has successfully retrieved data off the iPhone used by one of the San Bernardino shooters and is withdrawing its motion to have a federal court order Apple to help the government unlock the phone, according to the Department of Justice (see: Feds Obtain Delay in Apple Hearing).

See Also: Secure, Agile Mobile Banking: Keeping Pace with Last Best User Experience

A federal law enforcement official, briefing reporters on March 28, said the FBI is reviewing the information on the phone, "consistent with standard investigatory procedures." He declined to characterize the information discovered on the iPhone.

But the law enforcement official, who requested anonymity, didn't rule out future court actions to compel technology companies to cooperate with law enforcement. "It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety, either with cooperation from relevant parties, or through the court system when cooperation fails," the law enforcement official said. "We will continue to pursue all available options for this mission, including seeking the cooperation of manufacturers and relying upon the creativity of both the public and private sectors."

The Apple-FBI dispute has resulted in a national debate that pitted the needs of law enforcement to gain access to data for a criminal investigation, voiced by FBI Director James Comey, against the security and privacy rights of users of technologies such as the iPhone, championed by Apple's CEO, Tim Cook, and many others in the IT sector (see FBI Versus Apple: A Lose-Lose Situation).

Retrieval Method Tailored for iPhone 5c

The law enforcement official would not describe how the iPhone was unlocked with the help of a third party, although he said the technique was designed specifically for an Apple iPhone 5c running iOS 9, the type of device used by Syed Rizwan Farook. In a Dec. 2 workplace rampage, Farook and his wife, Tashfeen Malik, shot and killed 14 of his coworkers at a San Bernardino County Department of Public Health event. Later that day, authorities recovered the iPhone after police killed Farook and Malik in a shootout. The official said it was premature to speculate whether the method used to unlock the iPhone in this case could be used on other smartphones.

The official said it's too early to decide whether the FBI would share the technique with Apple so it could patch the vulnerability in its iPhone 5c. "Right now, we're focused on the San Bernardino case," he said. "We can't comment on the possibility of future disclosures at this time."

Sharing Technique with Apple Urged

Andrew Crocker, a staff attorney for the advocacy group Electronic Frontier Foundation, says the FBI should disclose the technique with Apple, citing a recent revision in a government policy known as the Vulnerabilities Equities Process, or VEP. VEP establishes a process that allows the government to keep secret software vulnerabilities in national security matters, but encourages their dissemination in other instances. "If the FBI used a vulnerability to get into the iPhone in the San Bernardino case, the VEP must apply, meaning that there should be a very strong bias in favor of informing Apple of the vulnerability," Crocker writes in a blog. "That would allow Apple to fix the flaw and protect the security of all its users."

In a 2014 blog, following revelations that the National Security Agency had known about the Heartbleed vulnerability before it was made public, White House Cybersecurity Coordinator Michael Daniel unveiled an interagency process aimed to limit the government from keeping software bugs secret (see White House Policy on Disclosing Cyberflaws). The process, Daniel explained, "helps ensure that all of the pros and cons are properly considered and weighed. ... We weigh these considerations through a deliberate process that is biased toward responsibly disclosing the vulnerability, and by sharing this list we want everyone to understand what is at stake."

Apple did not immediately reply to Information Security Media Group's request for comment.

The law enforcement official said he hopes this case doesn't preclude Apple and government authorities from cooperating in other cases.

Help Came from Outside Government

The law enforcement official said the FBI was aided in retrieving the data by a non-government organization but declined to say whether that organization was based in the United States. The Israeli newspaper Yedioth Ahronoth last week identified the Israeli mobile forensics software provider Cellebrite as the company coming to the bureau's rescue. Cellebrite declined to comment on the report.

On Feb. 16, a federal magistrate granted a motion by the Justice Department to compel Apple to help unlock Farook's iPhone, which was owned by the county government. A day later, Apple CEO Tim Cook blasted the order, saying the company would oppose it (see Apple Blasts Judge's iPhone Backdoor Order ).

Last week, the Justice Department filed a motion to delay ordering Apple to cooperate, revealing a third party had come forward to help it unlock the password-protected phone. The court delayed a hearing on the case to April 5. The government's March 28 filing seeks to end the case.

Watch for updates on this developing story

Cybersecurity , Risk Management

GAO: Taxpayer Data 'Unnecessarily Vulnerable' to Inappropriate Use Eric Chabrow (GovInfoSecurity) • March 28, 2016     IRS Commissioner John Koskinen: Agency is vulnerable to cyberattacks.

The Internal Revenue Service continues to struggle to implement proper security controls to protect taxpayers' data, a new audit from the Government Accountability Office reveals.

See Also: Rethinking Endpoint Security

Until the IRS takes appropriate steps to resolve control deficiencies, taxpayer data will remain "unnecessarily vulnerable" to inappropriate use, says Gregory Wilshusen, GAO director of information security issues and co-author of the audit report, which was published March 28.

The audit uncovered IRS's failure to perform comprehensive tests and evaluations of its information security controls. "This is vitally important because this control helps IRS to identify vulnerabilities that they can take action on," Wilshusen says. "But in comparing our test and the result from our procedures, we found a number of vulnerabilities to IRS systems that IRS did not identify and was unaware of."

Some Signs of Progress

GAO acknowledges in the audit that the IRS has made progress in restricting access privileges for key financial applications and expanding multifactor authentication across the agency, a point IRS Commissioner John Koskinen accentuated in his written response to the report.

"The security and privacy of all taxpayer information is of the utmost importance to us, and the integrity of our financial systems continues to be sound," Koskinen says. The IRS chief says GAO recommendations in the latest audit "provided more specificity" than earlier reports; GAO sent 44 recommendations to the IRS in a private addendum to the audit. "While the increased level of detail has likely resulted in more recommendations, it will allow the IRS to better address cybersecurity risk," Koskinen says.

Auditors note, however, that the tax-collection agency has not fully implemented unique user identification and authentication that complies with a presidential directive.

The GAO report also notes that as the IRS expands the use of encryption, weak cryptography controls persist. GAO says it identified 11 systems that had not been configured to encrypt sensitive user authentication data. Such failures, the auditors say, increased the risk that unauthorized individuals could view and then use the data to gain unwarranted access to its system or sensitive information.

Koskinen concedes IRS information systems are vulnerable to attack. "We have to recognize that this is going to be an ongoing problem," Koskinen testified at a Feb. 10 Senate Financial Services Committee hearing, adding that IRS systems are attacked or pinged 1 million times a day (see Tax Commissioner Expects More IRS Cyberattacks). "The caliber of the enemy we are facing is increasingly more sophisticated and more global. We're dealing with organized crime syndicates all around the world."

Recent IRS Security Issues

Earlier this month, the IRS said it was temporarily deactivating an online security feature after it discovered that it was being abused by identity thieves attempting to profit from tax return fraud. The IRS said it had discovered and blocked at least 800 cases that appear to involve criminals who were able to obtain legitimate identity protection PINs tied to tax filers' accounts, and it warned that it's facing up to 130,000 fraudulent returns (see IRS Disables Hacked PIN Tool).

The IRS also recently revised upward the number of accounts victimized in its Get Transcript breach, originally discovered last May, with the tax agency saying the personal information from as many as 724,000 taxpayers' accounts may have been stolen (see IRS Doubles Number of Get Transcript Victims). At first, the IRS believed that 114,000 accounts had been breached (see IRS: 100,000 Taxpayer Accounts Breached). Then, last August, the IRS revised that tally to 334,000 accounts (see IRS: Hack Much Wider Than First Thought).

Past Weaknesses Not 'Effectively Corrected'

In its new audit, GAO says the IRS claimed it had corrected previously identified control weaknesses in 28 cases, but in nine of those instances, auditors determined they were not "effectively corrected."

GAO, in the audit, also points out weaknesses in IRS password controls. The auditors say the tax agency used passwords on a number of servers that could be easily guessed. On some servers, password expiration dates were not set. None of the 112 mainframe service accounts was configured to require a password change. As a result of these weaknesses, GAO says the IRS had reduced ability to control who was accessing its systems and data.

The audit also reveals that unpatched and outdated software exposed IRS to known vulnerabilities.

Wilshusen says some of the IRS's policies and procedures no longer reflected its current computing environment and systems security plans. "So, this increases the risk that the controls in place may not be appropriate, given the current environment."