PHILIPPINE HEADLINE NEWS ONLINE: Since 1997 © Copyright (PHNO) http://newsflash.org



PHNO SCIENCE & INFOTECH NEWS
(Mini Reads followed by Full Reports)

FBI UNLOCKS SAN BERNARDINO TERROR iPHONE WITHOUT APPLE'S HELP


MARCH 29 -Apple, backed by a broad coalition of technology giants like Google and Facebook, was fiercely opposed to assisting the US government in unlocking the device AFP The FBI has unlocked the iPhone used by one of the San Bernardino attackers, officials said Monday, ending a heated legal standoff with Apple that had pitted U.S. authorities against Silicon Valley. Apple, backed by a broad coalition of technology giants like Google and Facebook, was fiercely opposed to assisting the U.S. government in unlocking the iPhone on grounds it would have wide-reaching implications on digital security and privacy. A key court hearing scheduled earlier this month to hear arguments from both sides in the sensitive case was abruptly cancelled after the FBI said it no longer needed Apple’s help and had found an outside party to unlock the phone. “Our decision to conclude the litigation was based solely on the fact that, with the recent assistance of a third party, we are now able to unlock that iPhone without compromising any information on the phone,” U.S. attorney Eileen Decker said in a statement. “We sought an order compelling Apple to help unlock the phone to fulfill a solemn commitment to the victims of the San Bernardino shooting—that we will not rest until we have fully pursued every investigative lead related to the vicious attack.”  It was unclear who helped the FBI access the phone and what was stored on the device, but news reports have said the FBI may have sought assistance from an Israeli forensics company. READ MORE...

ALSO: US cracked Apple's iPhone, drops legal action; court battle ends but struggle over encryption unresolved.
[In a two-page court filing on Monday, the Justice Department said the government had "successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple." It asked a federal magistrate in Riverside, California, to withdraw the order compelling Apple to assist.]


MARCH 29 -The U.S. Justice Department said on Monday it had succeeded in unlocking an encrypted iPhone used by one of the San Bernardino shooters and dropped its legal case against Apple, ending a high-stakes legal battle but leaving the broader struggle over encryption unresolved.
SAN FRANCISCO: The U.S. Justice Department said on Monday it had succeeded in unlocking an encrypted iPhone used by one of the San Bernardino shooters and dropped its legal case against Apple, ending a high-stakes legal battle but leaving the broader struggle over encryption unresolved. The abrupt end to a confrontation that had transfixed the tech industry was a victory for Apple, which vehemently opposed a court order obtained by the Justice Department that would have required it to write new software to get into the iPhone. But the larger fight over law enforcement access to encrypted information is by no means over. The technology industry is adamant that anything that helps authorities bypass the security features of tech products will undermine security for everyone. Government officials are equally insistent that all manner of criminal investigations will be crippled without access to phone data. At issue in the Apple case was a county-owned iPhone used by Rizwan Farook, one of the husband-and-wife shooters in the December rampage in San Bernardino, California, in which 14 people were killed and 22 wounded. The couple died in a shootout with police after the attack. After saying for weeks in court filings and congressional testimony that Apple possessed the "exclusive technical means" to unlock Farook's phone, the Justice Department unexpectedly announced on the eve of a court hearing last week that an unidentified outside party had presented it with a technique that might open the phone without help from Apple. READ MORE... RELATED, Apple fight on iPhone access extends to other cases
...

ALSO: Feeling vulnerable, Apple unsure how FBI hacked terrorist iPhone but master key not seen


MARCH 30 -An anti-government protester holds his iPhone with a 'No Entry' sign during a March 15 demonstration near the Apple store on Fifth Avenue in New York. The FBI has unlocked the iPhone used by one of the San Bernardino terror attackers, officials said Monday, ending a heated legal standoff with Apple that had pitted U.S. authorities against Silicon Valley. AFP-JIJI BUSINESSTECH
SAN FRANCISCO/WASHINGTON – The FBI's announcement that it mysteriously hacked into an iPhone is a public setback for Apple Inc., as consumers suddenly discover they cant keep their most personal information safe. Meanwhile, Apple remains in the dark about how to restore the security of its flagship product. The government said it was able to break into an iPhone used by a gunman in a mass shooting in California, but it didnt say how. That puzzled Apple software engineers — and outside experts — about how the FBI broke the digital locks on the phone without Apple's help. It also complicated Apple's job repairing flaws that jeopardize its software. The Justice Department's announcement that it was dropping a legal fight to compel Apple to help it access the phone also took away any obvious legal avenues Apple might have used to learn how the FBI did it. The Justice Department declined through a spokeswoman to comment Tuesday. A few clues have emerged. A senior law enforcement official told The Associated Press that the FBI managed to defeat an Apple security feature that threatened to delete the phone's contents if the FBI failed to enter the correct passcode combination after 10 tries. That allowed the government to repeatedly and continuously test passcodes in what is known as a brute-force attack until the right code is entered and the phone is unlocked. It wasn't clear how the FBI dealt with a related Apple security feature that introduces increasing time delays between guesses. The official spoke on condition of anonymity because this person was not authorized to discuss the technique publicly. FBI Director James Comey has said with those features removed, the FBI could break into the phone in 26 minutes. READ MORE...

ALSO: By Tony Perez - Website Security - How Do Websites Get Hacked?
["The first thing I always like to tell website owners is that security is about risk reduction not risk elimination. You must get your head around this simple fact because there is no such thing as a 100% solution to staying secure. Almost all the tools you employ within your environment aim to reduce your overall risk posture, whether it’s continuous scanning or a more proactive approach such as mitigating incoming attacks."]


In 2014 the total number of websites on the internet reached 1 billion, today it’s hovering somewhere in the neighborhood of 944 million due to websites going inactive and it is expected to normalize again at 1 billion sometime in 2015. Let’s take a minute to absorb that number for a moment.
Another surprising statistic is that Google, one of the most popular search engines in the world, quarantines approximately 10,000 websites a day via its Safe Browsing technology. From our own research, of the millions of websites that push through our scanning technology, we often see 2 – 5% of the them have some Indicator of Compromise (IoC) that signifies a hack. Granted, this might be a bit high, as the websites being scanned are often suspected of having an issue, so to be conservative we would extrapolate that to suggest about 1% of the total websites online are hacked or infected. To put that into perspective, we are talking somewhere in the neighborhood of 9 million websites that are currently hacked or infected. With this sort of impact, it’s only natural that people are curious how websites keep getting hacked. The challenge however, is that the answer has been the same for quite some time. In the past month or so I have been writing a series of articles on various aspects of website hacks and infections. First, I explored the Why in Why do Websites get Hacked, where we explored the various motivations behind today’s hacks. I then moved into the What of a hack, The Impacts of a Hacked Website, where we looked at implications of a hack to website owners of all calibers. Today, we’ll take a moment to under the How. READ MORE...

ALSO: How to Keep a Smartphone From Being Hacked


SAMSUNG TIPS: Even if you keep your smartphone safe in your pocket or purse, it's still at risk for picking up a virus or leaking data to thieves. Hackers don't need physical access to your phone to steal your personal information or infect the device with malware. They infiltrate your phone with innocent-looking apps or link to it via unsecured Wi-Fi® networks. You can keep hackers from getting the upper hand by taking steps to secure your smartphone.
Step 1 Lock your phone when you're not using it. Set a password and change it regularly to prevent others from guessing it. Lock patterns are an alternative if you have trouble remembering your password. Your phone may also have a facial-recognition lock feature. If this is on, the device unlocks only when the camera detects your face. Voice recognition is another option; with this turned on, your phone needs to hear your voice say a specific word or phrase to unlock. Step 2 Activate your phone's tracker capability, if it has one. If your phone supports this feature, you can see its location on a map and track the device when it moves. If your phone is stolen or lost, use the tracker app to lock it remotely. This makes it harder for hackers to access your data. Step 3 Update your phone's firmware to the most current version. Many phones do this for you automatically, but if you've turned this option off, you'll need to download the update manually. You can download the latest update directly from your phone. Alternatively, connect your phone to the computer and launch the software that came with the device. The application will connect to the download Web page and install the firmware on your phone. READ MORE...


READ FULL MEDIA REPORTS HERE:

FBI unlocks iPhone of attacker without Apple's help


Apple, backed by a broad coalition of technology giants like Google and Facebook, was fiercely opposed to assisting the US government in unlocking the device AFP

LOS ANGELES, APRIL 4, 2016
(JAPAN TODAY)
MAR. 29, 2016 - The FBI has unlocked the iPhone used by one of the San Bernardino attackers, officials said Monday, ending a heated legal standoff with Apple that had pitted U.S. authorities against Silicon Valley.

Apple, backed by a broad coalition of technology giants like Google and Facebook, was fiercely opposed to assisting the U.S. government in unlocking the iPhone on grounds it would have wide-reaching implications on digital security and privacy.

A key court hearing scheduled earlier this month to hear arguments from both sides in the sensitive case was abruptly cancelled after the FBI said it no longer needed Apple’s help and had found an outside party to unlock the phone.


An anti-government protester holding his iPhone with a sign

“Our decision to conclude the litigation was based solely on the fact that, with the recent assistance of a third party, we are now able to unlock that iPhone without compromising any information on the phone,” U.S. attorney Eileen Decker said in a statement.

“We sought an order compelling Apple to help unlock the phone to fulfill a solemn commitment to the victims of the San Bernardino shooting—that we will not rest until we have fully pursued every investigative lead related to the vicious attack.”

It was unclear who helped the FBI access the phone and what was stored on the device, but news reports have said the FBI may have sought assistance from an Israeli forensics company.

READ MORE...

In a court filing asking that the case be dismissed, federal prosecutors said the U.S. government had “successfully accessed the data stored on (Syed) Farook’s iPhone and therefore no longer requires assistance from Apple Inc.”

Farook and his wife Tashfeen Malik killed 14 people in San Bernardino, California on December 2 before dying in a firefight with police. Two other phones linked to the pair were found destroyed after the attack.

Tech companies, security experts and civil rights advocates had vowed to fight the government, saying it would set a precedent and open the door to companies being forced to hand over customer data.


FBI director James Comey testifies before the House Judiciary Committee on the encryption of the iPhone belonging to one of the San Bernardino attackers on Capitol Hill in Washington, DC, on March 1, 2016

The government had fired back, insisting that Apple was not above the law and that its request for technical assistance concerned only Farook’s work phone from the San Bernardino health department.

Some experts speculated that the government’s fight with Apple was more about gaining wider access to data than unlocking a single phone.

In a recent editorial, The Wall Street Journal said the Justice Department’s legal effort was “reckless” and that the FBI “fibbed by saying the Apple case is about one phone.”

FBI director James Comey said his agency only decided to back down in the court case after it found a third party that could crack the phone.

“You are simply wrong to assert that the FBI and the Justice Department lied about our ability to access the San Bernardino killer’s phone,” Comey said in an open letter. © 2016 AFP

1 Facebook Comment LOGIN TO COMMENT
nandakandamandaMAR. 29, 2016 - 09:37AM JST
The FBI could be a little more diplomatic in their final statement, such as by assuring the public that they got what they wanted, all the while maintaining Apple's integrity, ie it was a win-win for both sides. Still, you never know with the FBI. They could have got Apple's secret cooperation having agreed to release a public announcement that they had used an anonymous 'third party'.


CHANNEL NEWS ASIA

US succeeds in cracking Apple's iPhone, drops legal action Posted 29 Mar 2016 05:55 Updated 29 Mar 2016 09:10 VIDEOSPHOTOS


The U.S. Justice Department said on Monday it had succeeded in unlocking an encrypted iPhone used by one of the San Bernardino shooters and dropped its legal case against Apple, ending a high-stakes legal battle but leaving the broader struggle over encryption unresolved.

SAN FRANCISCO: The U.S. Justice Department said on Monday it had succeeded in unlocking an encrypted iPhone used by one of the San Bernardino shooters and dropped its legal case against Apple, ending a high-stakes legal battle but leaving the broader struggle over encryption unresolved.

The abrupt end to a confrontation that had transfixed the tech industry was a victory for Apple, which vehemently opposed a court order obtained by the Justice Department that would have required it to write new software to get into the iPhone.

But the larger fight over law enforcement access to encrypted information is by no means over. The technology industry is adamant that anything that helps authorities bypass the security features of tech products will undermine security for everyone.

Government officials are equally insistent that all manner of criminal investigations will be crippled without access to phone data.


SAN FRANCISCO — Although the government officially withdrew from its battle against Apple Monday, many observers sense the tech privacy war is just heating up. "This lawsuit may be over, but the Constitutional and privacy questions it raised are not," said Congressman Darrell Issa (R-Calif.), who had criticized the Justice Department's suit against Apple, in a statement Monday.

At issue in the Apple case was a county-owned iPhone used by Rizwan Farook, one of the husband-and-wife shooters in the December rampage in San Bernardino, California, in which 14 people were killed and 22 wounded. The couple died in a shootout with police after the attack.

After saying for weeks in court filings and congressional testimony that Apple possessed the "exclusive technical means" to unlock Farook's phone, the Justice Department unexpectedly announced on the eve of a court hearing last week that an unidentified outside party had presented it with a technique that might open the phone without help from Apple.

READ MORE...

In a two-page court filing on Monday, the Justice Department said the government had "successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance from Apple." It asked a federal magistrate in Riverside, California, to withdraw the order compelling Apple to assist.


THE HUSBAND-AND-WIFE SAN BERNARDINO SHOOTERS

Apple had argued that the government request and resulting court order were a massive overreach that would give courts unlimited authority to force private companies to work as their agents. It argued that Congress had specifically declined to give the government such powers when it comes to electronic surveillance and data collection.

Tech industry leaders including Google, Facebook and Microsoft and more than two dozen other companies filed legal briefs supporting Apple. The Justice Department received support from law enforcement groups and six relatives of San Bernardino victims.

Apple had no immediate comment on Monday.

THORNY ISSUES

The Justice Department's apparent discovery of an iPhone hacking technique presents thorny questions about how that knowledge will be shared.

If the government tells Apple about the details, the company would presumably fix whatever vulnerability was used and thus render the method ineffective. If the government withholds the information, Apple could face a public perception problem about the security of its phones.

There are also a number of pending cases across the country where law enforcement officials are asking for access to iPhones. It is not clear if they will have access to the break-in technique.

In one New York case, Justice Department officials have to respond by Tuesday to an Apple request to delay the proceedings. That could provide clues as to how the government intends to deal with other iPhone cases.

On a conference call for reporters on Monday, a senior U.S. law enforcement official said it was too soon to say whether the government’s technique would work on other iPhones, or if it would share information with Apple or other law enforcement agencies.

The official also declined to elaborate on what party provided the solution, except to say it did not come from within the U.S. government. He also declined to comment on what had been found on the San Bernardino phone.

'ALL AVAILABLE OPTIONS'

The Justice Department suggested on Monday it would keep seeking unorthodox means of getting information, including through the courts when needed.

“It remains a priority for the government to ensure that law enforcement can obtain crucial digital information to protect national security and public safety, either with cooperation from relevant parties, or through the court system when cooperation fails,” Justice Department spokeswoman Melanie Newman said.

“We will continue to pursue all available options for this mission, including seeking the cooperation of manufacturers and relying upon the creativity of both the public and private sectors.”

On Capitol Hill, critics of the Justice Department's efforts called for further vigilance.

"Those worried about our privacy should stay wary - just because the government was able to get into this one phone does not mean that their quest for a secret key into our devices is over," said Representative Darrell Issa, a California Republican who sits on the House Judiciary Committee.

(Reporting by Dan Levine in San Francisco; Additional reporting by Joseph Menn in San Francisco and Eric Beech in Washington; Editing by Jonathan Weber and Peter Cooney) - AFP/jb

----------------------------------------------------------

RELATED FROM PHYS.ORG/NEWS

Apple fight on iPhone access extends to other cases February 23, 2016


Apple provided a list of cases where it is opposing the US Justice Department's requests over accessing locked devices in a letter to a federal judge in Brooklyn

Apple is battling the US government over unlocking devices in at least 10 cases in addition to its high-profile dispute involving the iPhone of one of the San Bernardino attackers, court documents show.

The existence of other court fights supports Apple's argument that the legal case in California is about more than a single iPhone.

Apple provided a list of cases where it is opposing the US Justice Department's requests in a February 17 letter to a federal judge in Brooklyn, where the company is challenging government efforts to access an iPhone in a drug trafficking case.

The letter said the requests sought Apple's assistance under the All Writs Act, a 1789 law which allows the courts broad authority to help law enforcement.

"Apple has not agreed to perform any services on the devices to which those requests are directed," Apple's lawyer Marc Zwillinger said in the letter.

The letter said the cases were "similar in nature" but did not provide specifics about the government's requests.

It said the San Bernardino case was "even more burdensome" than the other requests because it would require the company to create new software to help investigators break into the iPhone.

READ MORE...

Apple has been locked in a legal and public relations battle with the government in the California case, where the FBI is seeking technical assistance in hacking the iPhone of Syed Farook, a US citizen, who with his Pakistani wife Tashfeen Malik in December gunned down 14 people.

'Inconsistent' stand


APPLE CEO TIM COOK

In the Brooklyn case, prosecutors responded to the Apple letter with their own filing, claiming that the company's position has been "inconsistent at best."

"Apple did not file objections to any of the orders, seek an opportunity to be heard from the court, or otherwise seek judicial relief," the letter said.

"In most of the cases, rather than challenge the orders in court, Apple simply deferred complying with them, without seeking appropriate judicial relief."

The letter from US Attorney Robert Capers said that "numerous judges around the nation have found it appropriate, under the All Writs Act, to require Apple to assist in accessing a passcode-locked Apple device where law enforcement agents have obtained a warrant to search that device."

Apple's letter to the Brooklyn judge cited nine additional cases in New York, California, Illinois and Massachusetts where the government was seeking assistance in accessing iPhones or iPads.

The Wall Street Journal, which reported the existence of the cases earlier Tuesday, said those apart from the one in San Bernardino were not terrorism-related.

Apple said Monday it supports the idea of a panel of experts to consider access to encrypted devices if US authorities drop their legal battle.

"Apple would gladly participate in such an effort," the company said.

The Apple response came after FBI Director James Comey explained the government's position, saying it was about "the victims and justice" in the San Bernardino attack, whose perpetrators are believed to have been inspired by the Islamic State group.

"We don't want to break anyone's encryption or set a master key loose on the land," Comey said in a posting that appeared on the Lawfare blog and on the FBI website.

"The San Bernardino litigation isn't about trying to set a precedent or send any kind of message," Comey said. "It is about the victims and justice."

A poll by the Pew Research Center survey found 51 percent of respondents supported the effort to require Apple to help unlock the iPhone, while 38 percent said Apple should not unlock the phone to ensure the security of its other users.

Eleven percent did not offer an opinion.


JAPAN TIMES

Feeling vulnerable, Apple unsure how FBI hacked terrorist iPhone but master key not seen AP MAR 30, 2016 ARTICLE HISTORY PRINT SHARE


An anti-government protester holds his iPhone with a 'No Entry' sign during a March 15 demonstration near the Apple store on Fifth Avenue in New York. The FBI has unlocked the iPhone used by one of the San Bernardino terror attackers, officials said Monday, ending a heated legal standoff with Apple that had pitted U.S. authorities against Silicon Valley. | AFP-JIJI BUSINESS / TECH

SAN FRANCISCO/WASHINGTON – The FBI’s announcement that it mysteriously hacked into an iPhone is a public setback for Apple Inc., as consumers suddenly discover they can’t keep their most personal information safe. Meanwhile, Apple remains in the dark about how to restore the security of its flagship product.

The government said it was able to break into an iPhone used by a gunman in a mass shooting in California, but it didn’t say how. That puzzled Apple software engineers — and outside experts — about how the FBI broke the digital locks on the phone without Apple’s help. It also complicated Apple’s job repairing flaws that jeopardize its software.

The Justice Department’s announcement that it was dropping a legal fight to compel Apple to help it access the phone also took away any obvious legal avenues Apple might have used to learn how the FBI did it. The Justice Department declined through a spokeswoman to comment Tuesday.

A few clues have emerged. A senior law enforcement official told The Associated Press that the FBI managed to defeat an Apple security feature that threatened to delete the phone’s contents if the FBI failed to enter the correct passcode combination after 10 tries. That allowed the government to repeatedly and continuously test passcodes in what’s known as a brute-force attack until the right code is entered and the phone is unlocked.

It wasn’t clear how the FBI dealt with a related Apple security feature that introduces increasing time delays between guesses. The official spoke on condition of anonymity because this person was not authorized to discuss the technique publicly.

FBI Director James Comey has said with those features removed, the FBI could break into the phone in 26 minutes.

READ MORE...

The FBI hacked into the iPhone used by gunman Syed Farook, who died with his wife in a gun battle with police after they killed 14 people in December in San Bernardino. The iPhone, issued to Farook by his employer, the county health department, was found in a vehicle the day after the shooting.

The FBI is reviewing information from the iPhone, and it is unclear whether anything useful can be found.

Apple said in a statement Monday that the legal case to force its cooperation “should never have been brought,” and it promised to increase the security of its products. CEO Tim Cook has said the Cupertino-based company is constantly trying to improve security for its users.

The FBI’s announcement — even without revealing precise details — that it had hacked the iPhone was at odds with the government’s firm recommendations for nearly two decades that security researchers always work cooperatively and confidentially with software manufacturers before revealing that a product might be susceptible to hackers.

The aim is to ensure that American consumers stay as safe online as possible and prevent premature disclosures that might damage a U.S. company or the economy.

As far back as 2002, the Homeland Security Department ran a working group that included leading industry technology industry executives to advise the president on how to keep confidential discoveries by independent researchers that a company’s software could be hacked until it was already fixed.

Even now, the Commerce Department has been trying to fine-tune those rules. The next meeting of a conference on the subject is April 8 in Chicago and it’s unclear how the FBI’s behavior in the current case might influence the government’s fragile relationship with technology companies or researchers.

The industry’s rules are not legally binding, but the government’s top intelligence agency said in 2014 that such vulnerabilities should be reported to companies.

“When federal agencies discover a new vulnerability in commercial and open source software — a so-called ‘zero day’ vulnerability because the developers of the vulnerable software have had zero days to fix it — it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose,” the Office of the Director of National Intelligence said in a statement in April 2014.

The statement recommended generally divulging such flaws to manufacturers “unless there is a clear national security or law enforcement need.”

Last week a team from Johns Hopkins University said they had found a security bug in Apple’s iMessage service that would allow hackers under certain circumstances to decrypt some text messages. The team reported its findings to Apple in November and published an academic paper after Apple fixed it.

“That’s the way the research community handles the situation.

And that’s appropriate,” said Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute. She said it was acceptable for the government to find a way to unlock the phone but said it should reveal its method to Apple.

Mobile phones are frequently used to improve cybersecurity, for example, as a place to send a backup code to access a website or authenticate a user.

The chief technologist at the Center for Democracy and Technology, Joseph Lorenzo Hall, said keeping details secret about a flaw affecting millions of iPhone users “is exactly opposite the disclosure practices of the security research community. The FBI and Apple have a common goal here: to keep people safe and secure. This is the FBI prioritizing an investigation over the interests of hundreds of millions of people worldwide.”

The FBI’s discovery of a way to hack into the phone of one of the San Bernardino killers may not be the master key that allows prosecutors across the country to unlock iPhones in hundreds of more ordinary criminal cases.

The FBI may not quickly share the technique it used with local law enforcement agencies, New York City Police Commissioner William Bratton said Tuesday. And even if it does, the hack may be too expensive for district attorneys’ offices, Manhattan District Attorney Cyrus R. Vance Jr. has said.

Also, technology experts said it is not at all certain whether the technique can work with other types of iPhones.

While the San Bernardino case involved an extremist attack Dec. 2 that killed 14 people, investigators across the U.S. are seeking access to iPhones in drug cases and other crimes, arguing that encryption features prevent them from gathering valuable information such as the identity of the person a victim last talked to or texted.

“This is really a victims’ rights issue,” said District Attorney Daniel Conley in Suffolk County, Massachusetts, which includes Boston. “A lot of people view this through a national security lens and that is important, but my job is to serve victims of crime, and a lot of them aren’t going to get the opportunity for justice they deserve.”

Conley said his office has more than 50 phones it has warrants for but can’t crack.

Manhattan officials said they have at least 200 Apple devices inaccessible to prosecutors out of a total of 734 seized between October 2014 and February 2016.

The devices were taken during investigations of attempted murder, child sexual abuse, sex trafficking, child pornography, assault, robbery and identity theft.

“This isn’t just an issue resonating in California or New York. The decision by these companies unilaterally to encrypt these devices and make them warrant-proof is going to have a significant impact on prosecutions around the country,” Vance said in a recent interview.

Vance told Congress earlier this month that other district attorneys are facing similar challenges. He cited Harris County, Texas, saying the district attorney there last year encountered more than 100 encrypted Apple devices in cases involving human trafficking, street crime and sexual assault.

Vance said Chicago’s Cook County cyberlab received 30 encrypted devices in a recent two-month span, and the Connecticut Division of Scientific Services has encountered 46 encrypted Apple devices.

The Justice Department declined through a spokeswoman to comment Tuesday.

But a law enforcement official said the FBI would continue to aid its local and state partners with gaining evidence in cases — implying that the method used in the San Bernardino case would be shared with them. The official spoke on condition of anonymity because he wasn’t authorized to publicly comment.

Vance and other law enforcement officials, though, have called for a federal law governing when a company can be forced to help authorities unlock a phone.

“A workable balance between privacy and public safety can only be set by Congress,” he said in a statement Tuesday.

Bratton, too, said the FBI’s success in breaking into gunman Syed Farook’s iPhone without Apple’s help does not do away with the need for a comprehensive solution.

“They may have dealt with this one,” he said, “but there will be others coming down the pike very quickly.”


FROM https://blog.sucuri.net/2015

Website Security: How Do Websites Get Hacked? By Tony Perez on May 18, 2015 . 5 Comments How Do Wesbsites Get Hacked

In 2014 the total number of websites on the internet reached 1 billion, today it’s hovering somewhere in the neighborhood of 944 million due to websites going inactive and it is expected to normalize again at 1 billion sometime in 2015.

Let’s take a minute to absorb that number for a moment.

Another surprising statistic is that Google, one of the most popular search engines in the world, quarantines approximately 10,000 websites a day via its Safe Browsing technology.

From our own research, of the millions of websites that push through our scanning technology, we often see 2 – 5% of the them have some Indicator of Compromise (IoC) that signifies a hack. Granted, this might be a bit high, as the websites being scanned are often suspected of having an issue, so to be conservative we would extrapolate that to suggest about 1% of the total websites online are hacked or infected.

To put that into perspective, we are talking somewhere in the neighborhood of 9 million websites that are currently hacked or infected.

With this sort of impact, it’s only natural that people are curious how websites keep getting hacked. The challenge however, is that the answer has been the same for quite some time.

In the past month or so I have been writing a series of articles on various aspects of website hacks and infections.

First, I explored the Why in Why do Websites get Hacked, where we explored the various motivations behind today’s hacks.

I then moved into the What of a hack, The Impacts of a Hacked Website, where we looked at implications of a hack to website owners of all calibers. Today, we’ll take a moment to under the How.

READ MORE...

It is the one question that almost every website security professional gets at some point in their career, and in some cases, repeatedly. We have to remember that we take for granted the knowledge we have gained over the years; we forget what it is like not to know.

Interestingly enough, in the 4.5 years that I’ve been doing this, the anatomy of how websites get hacked has not evolved much. The landscape itself can be very complex, but I’ll try to break it down in it’s purest forms.

For those that will undoubtedly find this article too long, today’s websites get hacked because of three things:

1. Access Control
2. Software Vulnerabilities
3. Third-Party Integrations

As of late I have evolved my original list of two to include third-party integrations / service providers and I’ll explain more about that below.

The Website Environment

We cannot have a conversation about how websites get hacked without having an open dialog about everything that makes up a website.

There are various elements that make a website function and these things have to be working in unison. Components like the Domain Name System (DNS) – the thing that tells requests where to go. The web server houses the various website files and infrastructure houses the various web servers. These websites live in a complex ecosystem of interconnected nodes around the internet, but to you however, it is likely something you’ve never given much thought to.

Many of these features are provided to you by a number of service providers that make it very easy for you to create an online presence. These service providers sell you things like domain names, hosting space, and any number of services designed to make operating your website easy.

While I won’t dive into too many details around the threats that these various elements introduce, please understand that every one of the components described above has an impact on your overall security posture and can potentially contribute to how your website gets hacked.

Forensics Versus Remediation

There is a difference between Forensics and Remediation, and it is not as subtle as some might believe it to be.

Forensics has been around a very long time and follows a very stringent process of identifying what happened, but more importantly how it happened, and often includes some form of attribution (i.e., who did it?). Remediation however, is the art of cleaning or removing the infections.

When it comes to everyday infections, forensics isn’t a necessity; in most cases it is quick to ascertain what happened and how to get it to stop. With that in mind, for complex cases, good remediation cannot be achieved without proper forensics. This might be a slightly unfair categorization, but I hope it helps to more clearly illustrate the subtle differences.

When you ask, “How do websites get hacked?” you are essentially asking for forensics. The problem is, true forensics is complex, time consuming and requires a lot of data – data that is often unavailable via most configurations. You can often segment which component is required based on audience; for small business owners on shared hosting environments, forensics is almost impossible – there is limited access. However, for large organizations/enterprises, forensics is a necessity and the necessary data is sometimes more attainable.

A few reasons you might require forensics:

1. You need to understand what happened and have all associated data elements and access.
2. You are an Ecommerce website and have to be PCI compliant.
3. Your are an organization that has IR protocols in the event of a compromise.

You can break this down even further, but for our purposes it is unnecessary.

How Websites Get Hacked

What I find most fascinating about hacks, when it comes to websites, is that they always come down to the same elements regardless of the size of organization. It does not matter if you are a Fortune 500 or a small business selling cupcakes, the only difference is the why.

In large organizations it is often because they dropped the ball. They knew exactly what the threat was, but they never thought it would extend to their websites, with the common response being – “I thought someone else was handling it”.

When it comes to small businesses, it is often – “Why would anyone want to hack me? I never knew it’d be an issue for me, I’m not Target, I don’t have credit card information”.

The three attack vectors we continue to see exploited repeatedly revolve around the following:

•Access Control
•Software Vulnerabilities
•Third Party Integration / Services

Access Control

Access control speaks specifically to the process of authentication and authorization; simply put, how you log in?

When I say log in, I mean more than just your website. Here are a few areas to think about when assessing access control:

•How do you log into your hosting panel?
•How do you log into your server? (i.e., FTP, SFTP, SSH)
•How do you log into your website? (i.e., WordPress, Dreamweaver, Joomla!)
•How do you log into your computer?
•How do you log into your social media forums?

The reality is that access control is much more important than most give it credit.

It is like the person that locks their front door but leaves every window unlatched and the alarm system turned off. This begs the question, why did you even lock the door?

Brute Force Attacks, XSS, CSRT

Exploitation of access control often comes in the form of a Brute Force attack, in which the attacker attempts to guess the possible username and password combinations in an effort to log in as the user.

You can also see various social engineering attempts using phishing pages designed to capture a users username and password combination, or some form of Cross-Site Scripting (XSS) or Cross Site Request Forgery (CSRF) attack in which the attacker attempts to intercept the user credentials via their own browser.

There is also the obvious Man in the Middle (MITM) attack, in which the user intercepts your username and password while working via insecure networks and your credentials are transferred between one point to another via plain text.

Software Vulnerabilities

Software vulnerabilities are not for the faint of heart.

I would argue that 95% of website owners are unable to address today’s software vulnerabilities; even everyday developers are unable to account for the threats their own code introduces.

The problem, as I see it, is in the way we think. It takes a special way of thinking to break things; most of us are designed to see the good and use things as designed and only a few of us have that special skill to truly test and push things beyond their boundaries.

These software vulnerabilities extend beyond the website itself and easily bleed in to the various technologies we discussed above (i.e., web server, infrastructure, etc..).

Anywhere there is a system, there is a potential software vulnerability waiting to be exploited. This can also extend to your browser (i.e., Chrome, Internet Explorer, Firefox, etc…).

Exploitation of software vulnerabilities comes in various forms, but for our sanity we will talk specifically to a website and not the various supporting elements.

When it comes to websites, exploitation of a software vulnerability is achieved through a cleverly malformed Uniform Resource Locator (URL) or POST Headers.

Via these two methods, an attacker is able to enact a number of attacks; things like Remote Code Execution (RCE), Remote / Local File Inclusion (R/LFI), and SQL Injection (SQLi) attacks. There are a number of other attacks, but these are some of the more common attacks we’re seeing affecting today’s websites.

Third Party Integrations / Services

Third party integrations / services are increasingly becoming a problem.

This can be seen in various forms, with the most prominent being the integration of ads via ad networks leading to malvertising attacks and extends beyond that to services you might use, including things like a Content Distribution Network (CDN) – as in the recent Washington Post hack last week.

Third party integrations and services have become common place in today’s website ecosystem, and are especially popular in the highly extensible Content Management Systems (CMS) like WordPress, Joomla! and Drupal.

The problem with the exploitation of third-party integrations and services is that it is beyond the website owners ability to control. We assume when we integrate third party providers that they are doing everything they need to to ensure the service you are consuming is safe, and in most instances it is, but like everything else there is always the chance of compromise and such is the risk we assume.

How to Protect Your Website

It is easy to read this article and feel overwhelmed, but understand that half of the website security battle is awareness and education.

The problem is that it is almost impossible to get in front of enough people to scale awareness and education. Once you get in front of people, the next battle is getting them to care. It is often only after someone feels the pain of a compromise that they begin to care or realize the harsh effects.

The first thing I always like to tell website owners is that security is about risk reduction not risk elimination.

You must get your head around this simple fact because there is no such thing as a 100% solution to staying secure.

Almost all the tools you employ within your environment aim to reduce your overall risk posture, whether it’s continuous scanning or a more proactive approach such as mitigating incoming attacks.

With this in mind, here are the tips I tend to offer everyone that will listen when it comes to managing their websites security:

Employ Defense in Depth Principles – layers like an onion. Leverage best practices like Least Privileged – not everyone needs administrative privileges. Place emphasis on how people access your website, leverage things like Multi-Factor and Two-Factor Authentication. Protect yourself against the exploitation of software vulnerabilities through use of a Website Firewall – focuses on Known and Unknown Attacks. Backups are your friends – think of them as your safety net, try to have at least 60 days available. Register your website with Search Engines – Google and Bing have Webmaster Tools, leverage their infrastructure to tell you the health of your website. Security is not a singular event or action, but rather a series of them. It begins with good posture and the responsibility begins and stops with you. Realize that if you desire to know the How, you will inevitably cross one of the scenarios I describe above, and that’s ok. This is why people in this profession can often say, with some level of certainty that it’s likely attributed to X, Y or Z.

Thanks for reading!

– Your Trusted Security Professionals


About Tony Perez
Tony works at Sucuri. His passion lies in educating and bringing awareness about online threats to business owners. He spends his time giving presentations and writing content that everyday website owners can appreciate. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at PerezBox and you can follow him on Twitter at @perezbox.


SAMSUNG

How to Keep a Smartphone From Being Hacked

Even if you keep your smartphone safe in your pocket or purse, it's still at risk for picking up a virus or leaking data to thieves. Hackers don't need physical access to your phone to steal your personal information or infect the device with malware. They infiltrate your phone with innocent-looking apps or link to it via unsecured Wi-Fi® networks.

You can keep hackers from getting the upper hand by taking steps to secure your smartphone.

Step 1 Lock your phone when you're not using it.
Set a password and change it regularly to prevent others from guessing it.
Lock patterns are an alternative if you have trouble remembering your password.
Your phone may also have a facial-recognition lock feature. If this is on, the device unlocks only when the camera detects your face.
Voice recognition is another option; with this turned on, your phone needs to hear your voice say a specific word or phrase to unlock.

Step 2 Activate your phone's tracker capability, if it has one. If your phone supports this feature, you can see its location on a map and track the device when it moves.
If your phone is stolen or lost, use the tracker app to lock it remotely. This makes it harder for hackers to access your data.

Step 3 Update your phone's firmware to the most current version. Many phones do this for you automatically, but if you've turned this option off, you'll need to download the update manually. You can download the latest update directly from your phone.
Alternatively, connect your phone to the computer and launch the software that came with the device. The application will connect to the download Web page and install the firmware on your phone.

READ MORE...

Step 4 Install apps on your phone only if they come from a trusted source, such as the manufacturer's app store. Most official app stores verify the authenticity of their products, so they're much safer.
Before downloading any app, read the description and reviews so you understand what you're getting.

Step 5 Check an app's permissions before installing it. If an app requests access to your personal information, don't install it or deny the request.

Step 6 Avoid leaving your phone alone in a public place, such as on a restaurant table or on your office desk. If you must leave the phone, keep it locked and hide it somewhere, such as in a drawer, to prevent theft.

Step 7 Delete text messages from unknown senders that ask for your information, and avoid clicking links in messages. Some hackers send messages that appear to be from your bank or another trusted source. If you click the link in the message, the hacker can steal your information or install malware on the phone.
Don't download apps via text message; this is a common way for hackers to infect your device.

Step 8 Access the Internet on your phone only from a secure Wi-Fi network. Wi-Fi networks that aren't secure allow nearby hackers to intercept your data when you get online.
Don't do any shopping or banking on a public Wi-Fi network; hackers can swipe your bank account number or other financial information.
Instant-messaging and other communications apps may contain security holes that allow hackers to snatch your personal data.
If you have access to a cellular network, use it instead of public Wi-Fi.

Step 9 Protect your phone with an anti-virus app. Check your phone's app store to see what's available for your device.

Tip
Your smartphone may have been hacked if you notice apps opening by themselves or if the battery drains much faster than normal. Unusual charges on your wireless bill also indicate a problem.

Sources and Citations ↑ http://www.macworld.co.uk/how-to/iosapps/how-hack-ipad-iphone-passcode-3504927/ ↑ http://www.dreamjb.com/2015/01/how-to-unlock-icloud-dns-using.html


Chief News Editor: Sol Jose Vanzi
© Copyright, 2015 by PHILIPPINE HEADLINE NEWS ONLINE
All rights reserved

Best viewed on IE (On Chrome & Firefox some images may be awry)


PHILIPPINE HEADLINE NEWS ONLINE [PHNO] WEBSITE