On February 16, DOJ Got a Warrant to Open an iPhone 6 Using Cellebrite

As a number of outlets are reporting, the Israeli security firm Cellebrite is the source the FBI is using to attempt to break into Syed Rizwan Farook’s phone.

Israel’s Cellebrite, a provider of mobile forensic software, is helping the U.S. Federal Bureau of Investigation’s attempt to unlock an iPhone used by one of the San Bernardino, California shooters, the Yedioth Ahronoth newspaper reported on Wednesday.

If Cellebrite succeeds, then the FBI will no longer need the help of Apple Inc, the Israeli daily said, citing unnamed industry sources.

Cellebrite officials declined to comment on the matter.

According to the narrative the government is currently telling, it means 33 days after DOJ obtained an All Writs Act on February 16 ordering Apple to help unlock Farook’s phone, and 108 days after FBI first seized the phone on December 3 — during which entire period the FBI now claims they were diligently researching how to crack the phone — on March 20, Cellebrite contacted the FBI out of the blue and told them they can help.

That’s interesting, especially given this search warrant, approved (as coinkydink would have it) on February 16, the very same day DOJ got its AWA in California.

Among the phones DEA obtained a warrant to search was an iPhone 6, a later model than Farook’s phone with default encryption (though running unknown iOS). Here’s what DEA Task Force Officer Shane Lettau had to say about how he (might) access the contents of this iPhone 6.

[screenshot: excerpt from DEA Task Force Officer Shane Lettau’s search warrant affidavit]

To be sure, these phones aren’t the same, nor is the agency. Farook’s is a 5C running iOS 9, this is a 6, and we don’t know what iOS it is running. But if Cellebrite can break into a 6 they presumably can break into a 5C. FBI is seeking access in CA, whereas this MD phone is in DEA’s possession.

The point is, however, that it is inconceivable to claim, as DOJ did 19 times, that the only way they could get into Farook’s phone was with Apple’s help when DOJ was at the same time participating in DEA’s discussions with Cellebrite about whether they could crack a later model phone. It may be that Cellebrite only perfected their technique with iOS 8 and later model phones in recent weeks, or that they could not crack an iOS 9 in December or February but have since perfected that, but DOJ still shouldn’t have been submitting sworn declarations pretending that Cellebrite was not a possible option.

Update: I originally said Farook’s phone was a 5S. I’ve corrected the post to say it is a 5C, h/t JC.

Update: FBI signed a contract with Cellebrite on the same day it announced it had found a solution, though I think it’s for license renewals for 7 machines in Cook County.


Wednesday Morning: Wicked Weary World

Let’s have a brunch-time salute to Belgium, which produced this fine young artist Loic Nottet. Too bad there’s not much well-produced content in YouTube yet by this youngster. He has incredible upper range reach with great potential because of the power behind his voice. Hope to hear more by him soon; he’s a sweet antidote to bitter wickedness.

All in the family
Hope you’ve read Marcy’s piece already this morning on the relevance of nuclear family units to terrorism. In addition to suicide bombers El Bakraoui brothers Marcy mentioned, it’s worth examining the other links between the November 13 attacks in Paris and the attacks in Belgium yesterday. Note the familial relationships and their first-degree network:

Brahim Abdelslam — older brother of Salah, blew himself up in Paris during the November 15 attacks. (Dead)
Salah Abdelslam — captured last Friday March 18, has admitted he ‘had planned to target Brussels.’ His location was flagged by an unusual number of pizzas delivered to an apartment where power and water had been shut off. (In custody)

Abaid Aberkan — characterized as a relation of the Abdelslams, carried Brahim’s casket at the funeral last week. (NOT a terror suspect. Edit: Le Monde indicates Aberkan was arrested during Friday’s raid, with the name spelled ‘Abid.’) (In custody)
Aberkan’s mother — renter/owner of Molenbeek apartment in which Salah was hiding when captured last week. (NOT a terror suspect)

Mohamed Belkaid — killed in a raid last Tuesday at an apartment in Forest district; Salah fled the apartment. (Dead)

Mohamed Abrini — A childhood friend and neighbor of Salah, his younger brother Suleymane died fighting in an Islamist militia under the direction of Abdelhamid Abaaoud. Abaaoud, the leader of the Paris attacks, died on November 18 during a police raid. Abrini had traveled with both of the Abdelslam brothers the week before the attacks in Paris. He is now on the run and sought in relation to yesterday’s attack. (Suspect)

Najim Laachraoui — traveled with Salah and Belkaid last September, under the name Soufiane Kayal. His DNA was found in three different locations: on explosives in Paris, and at two other hide-outs used by attackers. He is now sought in relation to yesterday’s attack. (Suspect)

Though we’ll hear arguments for increased internet surveillance, it’s easy to see that traditional police work could identify a terrorist network of family and friends in the same way members of an organized crime syndicate centered around a family are revealed. (Sources for the above: The Guardian and The Australian)

Other stuff going on…

  • ‘Flash Crash’ trader to be extradited to the U.S., rule British judges (France24)
  • Sextortionist Michael Ford, who ran a criminal enterprise from his work computer while employed at U.S. embassy, sentenced to four years and nine months in prison (Ars Technica) — BoingBoing notes the hypocrisy of a government demanding backdoors while failing to note such a massive misuse of its own network.
  • Another hospital held hostage by ransomware, this time in Kentucky (Krebs on Security) — STOP OPENING LINKS IN EMAIL at work, for starters. Isolating email systems from all other networked operations would be better.
  • 24 car models by 19 automakers vulnerable to keyless entry hack (WIRED–mind the ad-block hate) — Mostly foreign models affected due to the radio frequency used.

Better luck tomorrow, gang. See you in the morning.

How to Protect against Terrorism: Eliminate the Valuable Terrorist Technology, the Nuclear Family

In addition to catching the third Brussels airport bomber, Najim Laachraoui, a known Salah Abdelslam associate, authorities in Europe have also revealed that the other two airport bombers were brothers, Khalid and Ibrahim El Bakraoui.


Police sources earlier told NBC News that Khalid El Bakraoui, 27, and 30-year-old sibling Ibrahim blew themselves up. Both had been convicted of violent crimes in the past and had links to one of the Paris attackers.

The El Bakraouis join an increasingly long list of recent terrorists who partner within their nuclear family (the Boston Marathon attack, Charlie Hebdo attack, and Paris attack were all carried out by brothers, and the San Bernardino attack was carried out by spouses). As New America noted in November (that is, before several more family-launched attacks), 30% of the fighters they’ve identified had family ties to jihad.

One-third of Western fighters have a familial connection to jihad, whether through relatives currently fighting in Syria or Iraq, marriage, or some other link to jihadists from prior conflicts or attacks. Of those with a familial link, almost two-thirds have a relative fighting in this conflict and almost one-third are connected through marriage, many of them new marriages conducted after arriving in Syria.

There has been less attention (though there has been some) about the operational advantages organizing attacks among family members offers. Not only would there be far more face-to-face conversations in any case (which you’d need a physical bug to collect), but even electronic communications metadata might not attract any attention, except insofar as helping to geolocate the parties. It’d be hard to distinguish, from metadata, between brothers or spouses discussing taking care of their kids from the same family members plotting to blow something up.

Family ties then, along with a reportedly difficult Moroccan dialect, may function to provide as much security as any (limited, given the reports) use of encryption. And all that’s on top of the cell’s extensive use of burner phones.

Using Jim Comey, um, logic, we might consider eliminating this threat by eliminating the nuclear family. Sure, the overwhelming majority of people who use it are law-abiding people obtaining valuable benefit from nuclear family. Sure, for the most vulnerable, family ties provide the most valuable kind of support to keep someone healthy. But bad guys exploit it too, and we can’t have that.

I mean, perhaps there should be an honest public discussion about the proportional value the nuclear family gives to terrorists and to others. But why would we have that discussion for the nuclear family and not for encryption?

Update: as soon as I posted this I saw notice that Belgian press (and with them NBC, apparently) got the identity of the third hijacker wrong, so I’ve crossed out and/or taken out those references.

DOJ’s Pre-Ass-Handing Capitulation

In its February 16 application for an All Writs Act to force Apple to help crack Syed Rizwan Farook’s phone, DOJ asserted,

Apple has the exclusive technical means which would assist the government in completing its search, but has declined to provide that assistance voluntarily.

[snip]

2. The government requires Apple’s assistance to access the SUBJECT DEVICE to determine, among other things, who Farook and Malik may have communicated with to plan and carry out the IRC shootings, where Farook and Malik may have traveled to and from before and after the incident, and other pertinent information that would provide more information about their and others’ involvement in the deadly shooting.

[snip]

3. As an initial matter, the assistance sought can only be provided by Apple.

[snip]

4. Because iOS software must be cryptographically signed by Apple, only Apple is able to modify the iOS software to change the setting or prevent execution of the function.

[snip]

5. Apple’s assistance is necessary to effectuate the warrant.

[snip]

6. This indicates to the FBI that Farook may have disabled the automatic iCloud backup function to hide evidence, and demonstrates that there may be relevant, critical communications and data around the time of the shooting that has thus far not been accessed, may reside solely on the SUBJECT DEVICE, and cannot be accessed by any other means known to either the government or Apple.

FBI’s forensics guy Christopher Pluhar claimed,

7. I have explored other means of obtaining this information with employees of Apple and with technical experts at the FBI, and we have been unable to identify any other methods feasible for gaining access to the currently inaccessible data stored within the SUBJECT DEVICE.

On February 19, DOJ claimed,

8. The phone may contain critical communications and data prior to and around the time of the shooting that, thus far: (1) has not been accessed; (2) may reside solely on the phone; and (3) cannot be accessed by any other means known to either the government or Apple.

[snip]

9. Apple left the government with no option other than to apply to this Court for the Order issued on February 16, 2016.

[snip]

10. Accordingly, there may be critical communications and data prior to and around the time of the shooting that thus far has not been accessed, may reside solely on the SUBJECT DEVICE; and cannot be accessed by any other means known to either the government or Apple.

[snip]

11. Especially but not only because iPhones will only run software cryptographically signed by Apple, and because Apple restricts access to the source code of the software that creates these obstacles, no other party has the ability to assist the government in preventing these features from obstructing the search ordered by the Court pursuant to the warrant.

[snip]

12. Apple’s close relationship to the iPhone and its software, both legally and technically – which are the product of Apple’s own design – makes compelling assistance from Apple a permissible and indispensable means of executing the warrant.

[snip]

13. Apple’s assistance is also necessary to effectuate the warrant.

[snip]

14. Moreover, as discussed above, Apple’s assistance is necessary because without the access to Apple’s software code and ability to cryptographically sign code for the SUBJECT DEVICE that only Apple has, the FBI cannot attempt to determine the passcode without fear of permanent loss of access to the data or excessive time delay. Indeed, after reviewing a number of other suggestions to obtain the data from the SUBJECT DEVICE with Apple, technicians from both Apple and the FBI agreed that they were unable to identify any other methods – besides that which is now ordered by this Court – that are feasible for gaining access to the currently inaccessible data on the SUBJECT DEVICE. There can thus be no question that Apple’s assistance is necessary, and that the Order was therefore properly issued.

Almost immediately after the government made these claims, a number of security researchers I follow not only described ways FBI might be able to get into the phone, but revealed that FBI had not returned calls with suggestions.

On February 25, Apple pointed out the government hadn’t exhausted possible of means of getting into the phone.

Moreover, the government has not made any showing that it sought or received technical assistance from other federal agencies with expertise in digital forensics, which assistance might obviate the need to conscript Apple to create the back door it now seeks. See Hanna Decl. Ex. DD at 34–36 [October 26, 2015 Transcript] (Judge Orenstein asking the government “to make a representation for purposes of the All Writs Act” as to whether the “entire Government,” including the “intelligence community,” did or did not have the capability to decrypt an iPhone, and the government responding that “federal prosecutors don’t have an obligation to consult the intelligence community in order to investigate crime”). As such, the government has not demonstrated that “there is no conceivable way” to extract data from the phone.

On March 1, members of Congress and House Judiciary Committee witness Susan Landau suggested there were other ways to get into the phone (indeed, Darrell Issa, who was one who made that point, is doing a bit of a victory lap). During the hearing, as Jim Comey insisted that if people had ways to get into the phone, they should call FBI, researchers noted they had done so and gotten no response.

Issa: Is the burden so high on you that you could not defeat this product, either through getting the source code and changing it or some other means? Are you testifying to that?

Comey: I see. We wouldn’t be litigating if we could. We have engaged all parts of the U.S. Government to see does anybody that has a way, short of asking Apple to do it, with a 5C running iOS 9 to do this, and we do not.

[snip]

a) Comey: I have reasonable confidence, in fact, I have high confidence that all elements of the US government have focused on this problem and have had great conversations with Apple. Apple has never suggested to us that there’s another way to do it other than what they’ve been asked to do in the All Writs Act.

[snip]

b) Comey [in response to Chu]: We’ve talked to anybody who will talk to us about it, and I welcome additional suggestions. Again, you have to be very specific: 5C running iOS 9, what are the capabilities against that phone. There are versions of different phone manufacturers and combinations of models and operating system that it is possible to break a phone without having to ask the manufacturer to do it. We have not found a way to break the 5C running iOS 9.

[snip]

c) Comey [in response to Bass]: There are actually 16 other members of the US intelligence community. It pains me to say this, because I — in a way, we benefit from the myth that is the product of maybe too much television. The only thing that’s true on television is we remain very attractive people, but we don’t have the capabilities that people sometimes on TV imagine us to have. If we could have done this quietly and privately we would have done it.

[snip]

Cicilline: I think this is a very important question for me. If, in fact — is it in fact the case that the government doesn’t have the ability, including the Department of Homeland Security Investigations, and all of the other intelligence agencies to do what it is that you claim is necessary to access this information?

d) Comey: Yes.

While Comey’s statements were not so absolutist as to suggest that only Apple could break into this phone, Comey repeatedly said the government could not do it.

On March 10, DOJ claimed,

15. The government and the community need to know what is on the terrorist’s phone, and the government needs Apple’s assistance to find out.

[snip]

16. Apple alone can remove those barriers so that the FBI can search the phone, and it can do so without undue burden.

[snip]

17. Without Apple’s assistance, the government cannot carry out the search of Farook’s iPhone authorized by the search warrant. Apple has ensured that its assistance is necessary by requiring its electronic signature to run any program on the iPhone. Even if the Court ordered Apple to provide the government with Apple’s cryptographic keys and source code, Apple itself has implied that the government could not disable the requisite features because it “would have insufficient knowledge of Apple’s software and design protocols to be effective.”

[snip]

18. Regardless, even if absolute necessity were required, the undisputed evidence is that the FBI cannot unlock Farook’s phone without Apple’s assistance.

[snip]

19. Apple deliberately established a security paradigm that keeps Apple intimately connected to its iPhones. This same paradigm makes Apple’s assistance necessary for executing the lawful warrant to search Farook’s iPhone.

On March 15, SSCI Member Ron Wyden thrice suggested someone should ask NSA if they could hack into this phone.

On March 21, DOJ wrote this:

Specifically, since recovering Farook’s iPhone on December 3, 2015, the FBI has continued to research methods to gain access to the data stored on it. The FBI did not cease its efforts after this litigation began. As the FBI continued to conduct its own research, and as a result of the worldwide publicity and attention on this case, others outside the U.S. government have continued to contact the U.S. government offering avenues of possible research.

On Sunday, March 20, 2016, an outside party demonstrated to the FBI a possible method for unlocking Farook’s iPhone

You might think that FBI really did suddenly find a way to hack the phone, after insisting over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over and over they could only get into it with Apple’s help. Indeed, the described timing coincides remarkably well with the announcement that some Johns Hopkins researchers had found a flaw in iMessage’s encryption (which shouldn’t relate at all to breaking into such phones, though it is possible FBI is really after iMessages they think will be on the phone). Indeed, in describing the iMessage vulnerability, Johns Hopkins prof Matthew Green ties the discovery to the Apple fight.

Now before I go further, it’s worth noting that the security of a text messaging protocol may not seem like the most important problem in computer security. And under normal circumstances I might agree with you. But today the circumstances are anything but normal: encryption systems like iMessage are at the center of a critical national debate over the role of technology companies in assisting law enforcement.

A particularly unfortunate aspect of this controversy has been the repeated call for U.S. technology companies to add “backdoors” to end-to-end encryption systems such as iMessage. I’ve always felt that one of the most compelling arguments against this approach — an argument I’ve made along with other colleagues — is that we just don’t know how to construct such backdoors securely. But lately I’ve come to believe that this position doesn’t go far enough — in the sense that it is woefully optimistic. The fact of the matter is that forget backdoors: we barely know how to make encryption work at all. If anything, this work makes me much gloomier about the subject.

Plus, as Rayne noted to me earlier, Ellen Nakashima’s first report on this went up just after midnight on what would be the morning of March 21, suggesting she had an embargo (though that may be tied to Apple’s fix for the vulnerability). [Update: Correction — her story accidentally got posted then unposted earlier than that.]

But that would require ignoring the 19 plus times (ignoring Jim Comey’s March 1 testimony) that DOJ insisted the only way they could get into the phone was by having Apple’s help hacking it (though note most of those claims only considered the ways that Apple might crack the phone, not ways that, say, NSA might). You’d have to ignore the problems even within these statements. You’d have to ignore the conflicting sworn testimony from FBI’s witnesses (including Jim Comey).

It turns out FBI’s public argument went to shit fast. Considering the likelihood they screwed up with the forensics on this phone and that there’s absolutely nothing of interest on the phone, I take this as an easy retreat for them.

But that doesn’t mean this is over. Remember, FBI has already moved to unlock this iPhone, of similar vintage to Farook’s, which seems more central to an actual investigation (even if FBI won’t be able to scream terrorterrorterror). There are two more encrypted phones FBI has asked Apple to break open.

But for now, I take this as FBI’s attempt to take its claims back into the shadows, where it’s not so easy to expose the giant holes in their claims.

Updated with Comey testimony.

Tuesday Morning: Été Frappé

[graphic: Map of Belgian attacks 22MAR2016 for Le Monde via Eric Beziat]

Whatever I was going to write today has been beaten into submission by current events.

Woke up to news about alleged terror attacks in Belgium — social media was a mess, a deluge of information with little organization. Best I can tell from French language news outlets including Le Monde, the first attack was at 8:00 a.m. local time at the Zaventem Airport just outside Brussels. The second attack occurred at the metro station Maelbeek at 9:11 a.m. Both attacks appeared to use bombs, unlike the Paris attack this past year — two at the airport, one at the metro. Reports indicate 15 deaths and 55 seriously injured so far.

A third explosion reported at a different location in the city of Brussels has been attributed to the controlled detonation of a suspicious package after the second attack.

In the time gap between the two attacks, one might suppose many law enforcement and military would have gone to the airport to respond to the first attack. Was there synchronization by planned schedule, or was there coordination by communication?

However, communications may have been difficult as telecom networks were quickly flooded. How soon were the telecom networks overloaded? Or were the networks throttled for observation? We may not ever know.

It’s worth reexamining what Marcy wrote about the communications found after Paris attack (here and here). It may be relevant if the same practices were used by the attackers in Brussels.

Important to note that Paris terror attack suspect Salah Abdeslam was arrested March 18 in a raid in Brussels. He is believed to have transported several of the attackers to the Stade de France just before the November 13 attack. Abdeslam may have been one of several suspects who fled from another earlier raid during which another suspect was killed.

Still working on the order issued late yesterday vacating today’s planned hearing on #AppleVsFBI. The order is here.

UPDATE — 9:30 a.m. EST — Marcy will be posting in a bit about the #AppleVsFBI hearing that wasn’t.

Another interesting story that broke in France today: French Supreme Court affirmed a previous lower court decision which ruled legal the wiretapping of former president Nicolas Sarkozy. Sarkozy has been under investigation for various forms of influence peddling since 2010, including receipt of campaign funds from Libya’s Muammar Gaddafi in 2007.

UPDATE — 1:00 p.m. EST/5:00 p.m. London/6:00 p.m. Brussels, Paris —

Now into the post-emergency recovery stage — all manner of political functionaries and talking heads have offered their two bits on this morning’s attacks. Three days of mourning have been declared in Belgium. Pictures of the alleged bombers at the airport taken by security video camera have now been published. The airport attackers detonated their weapons in the pre-security check-in area. 34 deaths have now been reported as a result of the attacks for which ISIS has now claimed responsibility. Across the Channel, the UK remains on alert for multiple attacks after last week’s raid in Brussels; UK travelers have been discouraged from traveling to Brussels.

Timeline (via Agence France-Presse)

22 mars Peu après 09h00/22 March Shortly after 9:00 a.m.
Explosion dans la station de métro Maelbeek.
Explosion in the Maelbeek metro station.

22 mars 08h00/22 March 8:00 a.m.
Deux explosions à l’aéroport. Possible kamikaze.
Two explosions at the airport. Possible suicide bomber.

21 mars/21 March
[Suspect] Najim Laachraoui, dont l’ADN a été retrouvé sur des explosifs, identifié et activement recherché.
Najim Laachraoui, whose DNA was found on explosives, identified and actively sought.

18 mars/18 March
Salah Abdeslam arrêté à Molenbeek.
Salah Abdeslam arrested in Molenbeek.

15 mars/15 March
Fusillade, quartier Forest – Mohammed Belkaid, lié aux auteurs des attentats de Paris du 13 novembre est tué. Empreintes de Salah Abdeslam retrouvées.
Shooting, Forest district – Mohamed Belkaid, linked to the perpetrators of the November 13 Paris attacks, killed. Fingerprints of Salah Abdeslam found.

Are the Authorities Confusing a PRISM Problem with an Encryption Problem?

CNN has its own version of updated reporting from the Paris attack. It provides a completely predictable detail inexplicably not included in the weekend’s big NYT story: that the one phone with any content on it — as distinct from a pure burner — had Telegram loaded on it.

Several hours earlier, at 2:14 p.m., while they were still at the Alfortville hotel, the Bataclan attackers had downloaded the encryption messaging app Telegram onto their Samsung smart phone, according to police reports. No recovered content from the messaging app is mentioned in the French police documents, suggesting there were likely communications by the Bataclan attackers that will never be recovered.

As well as offering end-to-end encryption, the Telegram messaging app offers an option for users to “self-destruct” messages. At 4:39 p.m. on November 13, one of the attackers downloaded detailed floor plans of the Bataclan venue onto the Samsung phone and conducted online searches for the American rock band playing there that night, the Eagles of Death Metal.

I predicted as much in my post on that NYT story.

My suspicion is that, as had been reported, rather than emails ISIS relied on Telegram, but used in such a fashion that would make it less useful on burner phones (“secret” Telegram chats are device specific, meaning you’d need a persistent phone number to use that function). But if these terrorists did use Telegram, they probably eluded authorities not because of encryption, but because it’s fairly easy to make such chats temporary (again, using the secret function). Without Telegram being part of PRISM, the NSA would have had to obtain the metadata for chats via other means, and by the time they IDed the phones of interest, there may have been no metadata left.

If ISIS’ use of Telegram (which was publicly acknowledged when Telegram shut down a bunch of ISIS channels in the wake of the attack) is what anonymous sources keep insisting is an encryption problem, then it suggests the problem is being misportrayed as an encryption one.

True, Telegram does offer the option of end to end encryption for its messaging. There are questions about its encryption (though thus far it hasn’t been broken publicly). So it does offer users the ability to carry out secret chats and to then destroy them, which may be where the concern about all the “scoured” “email” in the NYT piece comes from, the assumption these terrorists have used Telegram but deleted those messages.

But as the Grugq points out, it’s a noisy app in other ways that the NSA should be able to exploit.

Contact Theft

When registering an account with Telegram, the app helpfully uploads the entire Contacts database to Telegram’s servers (optional on iOS). This allows Telegram to build a huge social network map of all the users and how they know each other. It is extremely difficult to remain anonymous while using Telegram because the social network of everyone you communicate with is known to them (and whoever has pwned their servers).

Contact books are extremely valuable information. We know that the NSA went to great lengths to steal them from instant messenger services. On mobile the contact lists are even more important because they are very frequently linked to real world identities.

Voluminous Metadata

Anything using a mobile phone exposes a wide range of metadata. In addition to all the notification flows through Apple and Google’s messaging services, there are the IP traffic flows to/from those servers, and the data on the Telegram servers. If I were a gambling man, I’d bet those servers have been compromised by nation state intelligence services and all that data is being dumped regularly.

This metadata would expose who talked with who, at what time, where they were located (via IP address), how much was said, etc. There is a huge amount of information in those flows that would more than compensate for lacking access to the content (even if, big assumption, the crypto is solid).

He spends particular time on Telegram’s Secret chat function (the one that allows a person to destroy a chat). But he doesn’t talk about how that might play into the extensive use of burners that we’ve seen from ISIS. Secret chats are device specific (that is, they can be sent only to a numbered device, not an account). That would make the function very hard to integrate with disciplined burner use, because the whole point of burners is not to have persistent telephone numbers. How will a terrorist remember the new number he wants to associate with a Telegram secret chat? Write it on a piece of paper?

In other words, it seems you could use one (disciplined burners) or another (full use of Telegram with persistent phones), the latter of which would provide its own kind of intelligence. It may well be ISIS does merge these two uses, but if so we shouldn’t expect to see Telegram on their true burner phones. Plus, assuming the bearer of the phone speaks that dialect the Belgians were struggling to translate, voice calls on burners would be just as useful as transient use of Telegram.

But that’s probably not the real problem for authorities. In fact, if known terrorists had been using, say, WhatsApp rather than Telegram for such encrypted chats, authorities might have had more information on their network than they do now. That’s because WhatsApp metadata would be available under PRISM, whereas to get Telegram data, non-German authorities are going to have to go steal it.

If that supposition is correct, it would suggest that the US should drop all efforts to make Apple phones’ encryption weaker. So long as it has the presumed best security (notwithstanding the iMessage vulnerability just identified by researchers at Johns Hopkins), people from around the world will choose it, ensuring that the world’s best SIGINT agency could have ready access. If Telegram is perceived as being better — or even being close, given the location — people of all sorts will prefer that.

That won’t give you the content, in either case (even if you had the Moroccan translators you needed to translate, if that indeed remained a problem for authorities). But you’re better off having readily accessible metadata than losing it entirely.

SWIFT and the Bangladeshi Bank Heist

I’ve been following the story of how what are described as criminal hackers tried to steal $1 billion from Bangladesh’s national bank, in part because of the tie to SWIFT, the financial transfer company (as of now, $81 million are still missing, but Sri Lanka and the Fed managed to reverse or prevent the remainder of the theft attempt). As part of the hack, the thieves stole Bangladesh’s SWIFT credentials (it appears they did this after Bangladesh connected the server running SWIFT transactions to 3 other servers).

“Malware was specifically designed for a targeted attack on Bangladesh Bank to operate on SWIFT Alliance Access servers,” the interim report said. Those servers are operated by the bank but run the SWIFT interface, and the report makes it clear the breach stretches into other parts of the bank’s network as well. “The security breach of the SWIFT environment is part of a much larger breach that is currently under investigation.”

SWIFT is a member-owned cooperative that provides international codes to facilitate payments between banks globally. It can’t comment on the investigation, according to Charlie Booth from Brunswick Group, a corporate advisory firm that represents SWIFT.

“We reiterate that the SWIFT network itself was not breached,” Booth said in an e-mail. “There is a full investigation underway, on what appears to be a specific and targeted attack on the victim’s local systems.” SWIFT said last week its “core messaging services were not impacted by the issue and continued to work as normal.”

Dedicated servers running the SWIFT system are located in the back office of the Accounts and Budgeting Department of Bangladesh Bank. They are connected with three terminals for payment communications.

While SWIFT insists it has not been breached, the hackers used a name making it clear they were targeting the SWIFT system.

On Jan. 29, attackers installed “SysMon in SWIFTLIVE” in what was interpreted as reconnaissance activity, and appeared to operate exclusively with “local administrator accounts.”

SWIFT is sending out security advisories to its members, advising them to shore up their local operating environments.
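The two details above, an unexpected tool installed on the host running the SWIFT interface and activity carried out entirely with local administrator accounts, are exactly the kind of thing a member bank can watch for in its own operating environment. The following is an added example, not code from the investigation report or from SWIFT: a small detection pass over constructed, key=value-formatted Windows event lines. The host name SWIFTLIVE, the domain name BANK, the terminal addresses and every log line are assumptions made for the illustration; the event IDs are the standard Windows ones (4624 logon, 4688 process creation, 7045 service installed).

```python
"""Added example: flag local-account use and software installs on a SWIFT-interface host.

Everything below is constructed for illustration. Assumptions: accounts on the
host should come from the bank's AD domain (BANK), only the three payment
terminals should log on to it, and nothing new should be installed on it.
"""
import re

HOST_DOMAIN = "BANK"                                             # assumed AD domain
KNOWN_TERMINALS = {"10.20.30.11", "10.20.30.12", "10.20.30.13"}  # assumed: the three terminals

# Constructed event lines (the real Security/System logs are richer; this is the shape).
SAMPLE_LOG = """\
2016-01-29T02:14:07Z host=SWIFTLIVE EventID=4624 LogonType=3 Account=BANK\\ops.user Source=10.20.30.11
2016-01-29T02:31:45Z host=SWIFTLIVE EventID=4624 LogonType=10 Account=SWIFTLIVE\\Administrator Source=10.20.30.41
2016-01-29T02:33:02Z host=SWIFTLIVE EventID=4688 Account=SWIFTLIVE\\Administrator NewProcess=C:\\Temp\\Sysmon.exe
2016-01-29T02:33:09Z host=SWIFTLIVE EventID=7045 Account=SWIFTLIVE\\Administrator ServiceName=Sysmon
2016-01-29T09:00:12Z host=SWIFTLIVE EventID=4624 LogonType=2 Account=BANK\\swift.admin Source=10.20.30.12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn 'ts key=value key=value ...' into a dict (values contain no spaces here)."""
    m = LINE_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    return fields


def is_local_account(account, host):
    """A local account is scoped to the machine name rather than the AD domain."""
    scope, _, _ = account.partition("\\")
    return scope.upper() == host.upper()


def findings_for(event):
    """Return (kind, detail) findings for one parsed event."""
    out = []
    eid = event.get("EventID")
    acct = event.get("Account", "")
    host = event.get("host", "")
    if eid == "4624":                                   # successful logon
        if is_local_account(acct, host):
            out.append(("local-admin-logon", acct))
        src = event.get("Source")
        if src and src not in KNOWN_TERMINALS:
            out.append(("logon-from-unknown-source", src))
    elif eid == "7045":                                 # new service installed
        out.append(("service-installed", event.get("ServiceName", "?")))
    elif eid == "4688" and is_local_account(acct, host):  # process started by a local account
        out.append(("process-by-local-account", event.get("NewProcess", "?")))
    return out


def scan(log_text):
    """Run the rules over every non-empty line; returns [(ts, kind, detail), ...]."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for kind, detail in findings_for(ev):
            results.append((ev["ts"], kind, detail))
    return results


if __name__ == "__main__":
    for ts, kind, detail in scan(SAMPLE_LOG):
        print(ts, kind, detail)
```

The domain logons from the known terminals pass silently; the local Administrator logon from an address that is not one of the terminals, the process it launches, and the service it installs each produce a finding. In a real deployment the same three rules would run against forwarded event logs rather than a string, and the allowlist of terminals would come from the bank’s own network inventory.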

In separate news, a local security researcher who had been working on the hack disappeared last week.

In a weird turn of events, one of the security researchers who voiced their criticism at the central bank’s security measures disappeared on Wednesday night.

Family members are saying that Zoha met with a friend at 11:30 PM on Wednesday night, March 16. While coming home, a jeep pulled in front of their auto-rickshaw, and men separated the two, putting them in two different cars.

Zoha’s friend was dumped somewhere in the city (Dhaka) and was able to get home by 02:00 AM, the next day. He then contacted Zoha’s family, who said the security researcher never came home.

The next day, family members tried to report the researcher missing, but police officers just kept redirecting them from one police station to another until the family gave up and contacted the media for help.

[snip]

According to BDNews24, Zoha was a former collaborator of Bangladesh’s ICT (Information and Communication Technology) Division and worked with various government agencies in the past. It appears that his comments about the Bangladesh central bank cyber-heist were made working as a “shadow investigator” for a security company that family members declined to name.

Answering questions about his own investigation into the central bank’s cyber-heist, Zoha said that the “database administrator of the [Bangladesh Bank] server cannot avoid responsibility for such hacking” and that he “noticed apathy about the [server’s] security system.”

From this description and those based on the FireEye report, it seems like Bangladeshi authorities, and not SWIFT, would be the powerful people who might want to make this guy disappear. But I find it interesting that someone who was presumably mirroring FireEye’s work has apparently been kidnapped.

Remember: NSA’s TAO hackers hacked into SWIFT (even though the US has access to SWIFT to obtain counterterrorism information via an intelligence agreement anyway), apparently by accessing printer traffic from what sounds like member banks.

The NSA’s Tracfin data bank also contained data from the Brussels-based Society for Worldwide Interbank Financial Telecommunication (SWIFT), a network used by thousands of banks to send transaction information securely. SWIFT was named as a “target,” according to the documents, which also show that the NSA spied on the organization on several levels, involving, among others, the agency’s “tailored access operations” division. One of the ways the agency accessed the data included reading “SWIFT printer traffic from numerous banks,” the documents show.

While we don’t have enough detail to assess, it does sound like the NSA got in through vulnerabilities at the member bank level, like these thieves did.

Again, I assume the kidnapping is best explained by Bangladeshi efforts to cover up their own incompetence. But I do find the possibility that SWIFT might be vulnerable because of vulnerabilities at its member banks interesting, too.

Monday Morning: Synthesized Brain

When you need a break this hectic Monday morning, take five minutes and watch ANA from Factory Fifteen. I’m intrigued by the props and set — how much is CGI, and how much is actual production line? What company allowed this production company access to their equipment?

Though snappy and visually engaging, the story’s not realistic — yet. But much of the equipment on the production line is very close to that used in manufacturing today. And just as depicted in this short film, the weakest link is the human.

Worth keeping in mind this week as we plow deeper into the conflict at the intersection of humans and devices. Speaking of which…

Apple-heavy week ahead

  • Hearing in California tomorrow in front of Judge Sheri Pym over the San Bernardino shooter’s iPhone. Be sure to read Marcy’s take on the hearing and witnesses.
  • WLTX of Columbia SC posted a timeline of #AppleVsFBI events — unfortunately, it starts on February 16 with Judge Pym’s order to Apple.
  • NYT reported last week that Apple employees may quit if Apple is ordered to cooperate and write security-undermining code. But is this a deliverable in itself? The article offered an incredible amount of detail about Apple’s operations; if employees quit, any entities observing the technology company will know even more. Has this shakedown been designed to yield information about Apple’s operations, while risking corporate and personal security?
  • Apple will release information about new products today at a media event. The buzz may be less about the new products than the hearing tomorrow.
  • An iPhone 6 bursting into flames during a flight to Hawaii didn’t help Apple. One might wonder why this particular phone flamed out so spectacularly as it’s a relatively new device.

HEADS UP TECH USERS

  • Kindle users: Amazon is forcing a mandatory update across all its older Kindle reader devices. Deadline: TOMORROW MARCH 22 — after that date, users will have to manually update devices and download books via PC and not over the internet.
  • Tweetdeck users: Owner Twitter will kill the Windows app on April 15th. After that time, Windows-based users will need to use a browser. Can’t blame Twitter–it’s ridiculously expensive to write and service so many apps when the same devices usually have a browser.
  • Android users: 1) Protect your privacy and security by checking these settings; 2) Check this setting, stat, to prevent unauthorized access.
  • Nexus users: Make sure you have the latest patch issued last week. All other Android users should nag their equipment makers for their version of the same patch.

Before the machines complete their occupation of our world…

  • Nice read on law emerging with the rise of robots. Too bad none of them really incorporate Asimov’s Three Laws of Robotics. (The Atlantic)
  • Want to bet the overlords will argue workers should be paid less because they don’t have to work as hard wearing an exoskeleton — like these at Panasonic? (By the way, DARPA, that’s yet another commercially-developed exoskeleton near release; where’s yours/ours?) (Mashable)
  • Artificial intelligence already pitted against humans by those bloody banksters. Watch this video and ask yourself if this guy from Global Capital Acquisitions realizes there are humans at the nodes of the investment network whose lives are affected by his blah-blah-blah-babbling about artificial intelligence. STG he could be a machine himself. (Bloomberg)
  • Myths about AI busted – another solid read. Combined with the preceding Bloomberg bankster video it reinforces AI threat awareness. (Gizmodo)

After watching that video at Bloomberg, I think we’re a lot closer to ANA than we realized. Watch your backs — Monday is certainly gaining on you, if robots aren’t.

Coming Soon to Apple vs FBI: Live Witnesses and Dead Terrorists

Apple today revealed that the FBI intends to call two witnesses in the March 22 hearing regarding the All Writs Act order to help crack Syed Rizwan Farook’s phone: what I understand to be Privacy Manager Erik Neuenschwander and its Law Enforcement Compliance lawyer Lisa Olle. The tech company declined to say whether it will call the FBI personnel who made sworn statements in the case.

Things could get interesting fast, especially if Apple calls FBI’s forensics guy, Christopher Pluhar — or even better, FBI Director Jim Comey — as there’s an apparent discrepancy between their sworn testimony.

Here’s what Jim Comey had to say in response to a Jerry Nadler question in the March 1 House Judiciary Committee hearing.

As I understand from the experts, there was a mistake made in the, that 24 hours after the attack where the County at the FBI’s request took steps that made it hard later — impossible later to cause the phone to back up again to the iCloud. The experts have told me I’d still be sitting here, I was going to say unfortunately[?], I’m glad I’m here, but we would still be in litigation because — the experts tell me — there’s no way we would have gotten everything off the phone from a backup, I have to take them at their word.

Comey’s comments appear to conflict with this sworn declaration of the FBI’s Christopher Pluhar.

To add further detail, on December 3, 2015, the same day the Subject Device was seized from the Lexus IS300, I supervised my Orange County Regional Computer Forensics Laboratory (“OCRCFL”) team who performed the initial triage of the Subject Device, and observed that the device was powered off, and had to be powered up, or booted, to conduct the triage.

[snip]

I learned from SBCDPH IT personnel that SBCDPH also owned the iCloud account associated with the Subject Device, that SBCDPH did not have the current user password associated with the iCloud account, but that SBCDPH did have the ability to reset the iCloud account password.

Without the Subject Device’s passcode to gain access to the data on the Subject Device, accessing the information stored in the iCloud account associated with the Subject Device was the best and most expedient option to obtain at least some data associated with the Subject Device. With control of the iCloud account, the iCloud back-ups of the Subject Device could be restored onto different, exemplar iPhones, which could then be processed and analyzed.

[snip]

After that conversation with Ms. Olle, and after discussions with my colleagues, on December 6, 2015, SBCDPH IT personnel, under my direction, changed the password to the iCloud account that had been linked to the Subject Device. Once that was complete, SBCDPH provided exemplar iPhones that were used as restore targets for two iCloud back-ups in the Subject Device’s iCloud account. Changing the iCloud password allowed the FBI and SBCDPH IT to restore the contents of the oldest and most recent back-ups of the Subject Device to the exemplar iPhones on December 6, 2015. Once back-ups were restored, OCRCFL examiners processed the exemplar iPhones and provided the extracted data to the investigative team. Because not all of the data on an iPhone is captured in an iCloud back-up (as discussed further below), the exemplar iPhones contained only that subset of data as previously backed-up from the Subject Device to the iCloud account, not all data that would be available by extracting data directly from the Subject Device (a “physical device extraction”).

That’s true for several reasons. First, as I understand it, once the phone was turned off, such a backup would no longer be possible, so it would not have been a mistake to change the password. And while Pluhar’s assertion that you can’t get everything from an iCloud backup is consistent with Comey’s claim (presumably Pluhar is one of the experts Comey relied on), Neuenschwander explained that that was false in his own supplemental declaration.

Note, this passage is also the first confirmation that the FBI had already told Apple this phone was part of the investigation by December 6, meaning it must have been one of the ones Apple provided metadata for on December 5.

There is just one way that Pluhar’s declaration and Comey’s statement (again, both were sworn) can be true: if the FBI turned off the phone themselves [update: or let it drain, h/t Some Guy]. That would also mean Comey’s claim that “a mistake was made in that 24 hours after the attack” would make more sense, as it would refer to the decision to turn off the phone, rather than FBI’s direction to San Bernardino County to change the password.

That said, I wonder whether FBI isn’t trying something else by calling Olle and Neuenschwander to testify.

As part of its reply, Apple had Senior Vice President for Software Engineering Craig Federighi submit a declaration to rebut government claims Apple has made special concessions to China. After making some absolute statements — such as that “Apple has also not provided any government with its proprietary iOS source code,” Federighi stated, “It is my understanding that Apple has never worked with any government agency from any country to create a “backdoor” in any of our products or services.”

I was struck at the time that the statement was not as absolute as the others. Federighi relies on what he knows, without, as elsewhere, making absolute assurances.

Which got me wondering. If any country had demanded a back door (or, for that matter, Apple’s source code) would Federighi really need to know? From Neuenschwander’s declaration, it sounded like a smallish team could make the back door the FBI is currently demanding, meaning he might be as high as such knowledge would rise.

So I wonder whether, in an attempt to be dickish, the government intends to ask Neuenschwander and Olle, who would be involved in such compliance issues, if they also back Federighi’s statement.

We shall see. For now, I just bet myself a quarter that Apple will call Comey.

Friday Morning: F for Free and Favorite

Congratulations! You made it to another Friday! The end of the week means jazz here, until I run out of genres. This Friday I’m not covering a genre, though. I’m pointing you to one of the most surprising and utterly awesome gifts jazz lovers and historians could get.

1,000 hours of free jazz, ready to download.

Holy mackerel! I almost fainted when @OpenCulture tweeted last week about David W. Niven’s collection shared with the public at Archive.org. Just as amazing is Niven’s commentary, providing context we would never otherwise have about each piece.

I’ll embed some Louis Armstrong at the bottom of this post to get your weekend started. Mark this collection as one of my favorite things ever.

Malware discovered, targeting non-jailbroken Apple iOS devices in China
This is the second China-specific malware that researchers at Palo Alto Networks have found this year. Gee, why China?

UK’s Labour Party wankers want ‘Snoopers’ Charter’ because Snowden
Just the wankers, mind you, though it’s hard to tell which MPs were the wankers as Labour and SNP sat on their hands during the vote for the Investigatory Powers Bill (IPB), not wanting to appear obstructive. Fondly called the ‘Snoopers’ Charter,’ the bill replaces the Regulation of Investigatory Powers Act (RIPA) and passed in the House of Commons on its second reading. The bill allows the UK government to amass all Internet Connection Records (ICRs) for a year’s time, including telecommunications connections. Restrictions on which government entities have access to these records and for what purpose are muddy at best, and the cost of collecting and storing these records will be borne by the network service providers, who in turn will need to raise their rates. Sane people understand the IPB as passed is atrocious. The bill would not have passed the second reading at all had all of Labour and the SNP voted against it, but a number of wankers argue Edward Snowden is reason enough to dragnet the entire UK’s internet activity — which makes no sense whatsoever, based on the bill’s current formulation. The ‘Snoopers’ Charter’ now enters the Committee Stage, where it’s hoped somebody catches a cluestick and puts the brakes on this current iteration of government panopticon.

U.S. National Highway Traffic Safety Administration and FBI warn about automobile hacking
Hmm. A little late to the party after at least four different vulnerabilities were revealed over the last year, but better late than never. Rather annoying the public needs to be on guard against automakers’ naiveté/stupidity/hubris.

Google’s parent Alphabet selling its robot division Boston Dynamics
Remember the creepy four-legged robot ‘Big Dog’? It and its developer are up for grabs. Google (before it became Alphabet) bought Boston Dynamics in 2013, but now finds the firm doesn’t fit its strategy. Worth noting differences in reaction to the news:

The tone of the MIT Review piece — technology’s coolness is sufficient rationale for its creation and existence — offers interesting insight, explaining how awful technology ends up commercialized in spite of its lack of fitness.

Let’s call it a week and get on with our weekend. Have a good one!