Archive
How could Apple help bypass an iPhone Pin?
This week BBC news reported that Apple would not help the FBI bypass the pin on one of their phones
The FBI have apparently asked Apple to create two assistive technologies :
“Firstly, it wants the company to alter Farook’s iPhone so that investigators can make unlimited attempts at the passcode without the risk of erasing the data.
Secondly, it wants Apple to help implement a way to rapidly try different passcode combinations, to save tapping in each one manually.”
Ignoring who is right or wrong in this matter – these are not uncommon requests – I’ve been asked by various governments and “three letter agencies” in the past to do exactly the same thing, which I too have politely declined.
Reading between the lines, the FBI requests would indicate an admission that the actual cryptography within the iPhone is robust and correctly implemented – and that there are no discovered back doors which would allow the FBI access to the data without Apple’s help.
So we can assume that the FBI cannot usually access data stored on iPhones. What help can Apple give?
Speaking at “The Security Standard Conference”, NY on 13th September
For those who follow me around, I’ll be speaking at “The Security Standard” on September 13th 2010. It’s only a short spot but I’ll be introducing some new information about McAfee’s unified DLP solution, and talking briefly about data protection regulations.
Two Gulf States to Ban some BlackBerry Functions..
Following on from a failed state-wide “hack” of the Blackberry system, where the state-controlled telco etisalat tried to distribute a “performance enhancing patch” to Blackberry users (which turned out to be a state-controlled back door program), The United Arab Emirates is threatening to block e-mail sending and IM delivery on Blackberries, and Saudi Arabia is threatening to block Blackberry-to-Blackberry IM.
According to BBC News:
Both nations are unhappy that they are unable to monitor such communications via the handsets. This is because the Blackberry handsets automatically send the encrypted data to computer servers outside the two countries.
New China encryption rules won’t pose headaches for U.S Vendors?
This week, Jaikumar Vijayan at Computerworld posted an interesting article about new Chinese rules designed to control the import of non-domestic encryption products.
Many people have infered that these new rules will mean products imported into China will be somehow compromised, or unsafe, because their details will have been released to the Chinese Government.
Nothing could be further from the truth.. Read more…
NIST 800-111. Practical Advice for Data Protection Projects
This week I want to take an opportunity to remind readers of the excellent NIST publication 800-111.
Yes, I know, another complex government sponsored report, but 800-111, for those implementing any kind of data protection project, is one of the best reports on the subject, dealing with technology, practical use of, and risk analysis. It’s really (for NIST publications anyway) a very good read.
The other reason to pay attention to 800-111, is quite simply it’s the document regulations mention when talking about “Good Practice”, “Industry Standard processes”, “Accepted Best Practice” etc. This document contains the advice that you’ll be measured against if you ever end up in court defending your Security Policy against something like Massachusetts 201 CMR 17.00. Read more…
LiveLog – interactive near-real-time Log Monitor
EPE Log Reader for McAfee Endpoint Encryption v6
“Cheap” Secure USB Sticks, you get what you pay for?
Recently a whole slew of news sites announced a newly discovered vulnerability (care of the German Security firm SySS) on a range of “supposedly” secure consumer USB sticks.
These models from SanDisk, Kingston and Verbatim were apparently easy to defeat and retrieve the data from without knowing the users password or having any prior knowledge or touch on the stick.
The exploit was simple – it seems the software tool shipped with the sticks validates the password, not the stick itself, and the sticks use a fixed authentication key. Yes, ALL sticks use the same auth key. By simply sending this known ack key to the stick, you can unlock it, or any other stick.
Interestingly, some of these insecure devices had been through FIPS 140-2 Level 2 security certification, so should really have been immune to this kind of attack.
Evil Maid, another nefarious trojan attack..
Last month Joanna Rutkowska posted a very interesting article showing a practical “Evil Maid” attack against the open-source TrueCrypt FDE product. The attack is reasonably simple, subvert the pre-boot authentication engine of the full-disk encryption product in question to add a password-sniffing routine, then wait for the unsuspecting user to authenticate to their machine and then retrieve the credentials at a later stage.
Evil Maid is simply hooking the pre-boot code of TrueCrypt and adding a routine to store the users password. Because the TrueCrypt code is quite simple, it’s a relatively easy thing to do, but the attack is theoretically valid regardless of this fact, just the effort to make the hook code increases with the sophistication of the pre-boot environment. Read more…
Who?
 | EVP Cyber Product Innovation for Mastercard. Formally the Chief Technology Officer for Intel Secure Home Gateways, CTO for McAfee Enterprise Endpoint, CTO McAfee Innovation team, and Founder/CTO SafeBoot Corp. |
Simon Says - Musings of a Technology CTO 
Comments