Posts under tag: Security
Apple released a follow-up response to CEO Tim Cook’s open letter to customers this week. This release seeks to clarify Apple’s rationale for objecting to the U.S. government’s request (via the FBI) to unlock the phone used by one of the shooters in San Bernardino last December.
Specifically, Apple summarizes the government’s request as follows:
“The government asked a court to order Apple to create a unique version of iOS that would bypass security protections on the iPhone Lock screen. It would also add a completely new capability so that passcode tries could be entered electronically.”
Apple objected to the order due to what it calls “two important and dangerous implications.”
“First, the government would have us write an entirely new operating system for their use. They are asking Apple to remove security features and add a new ability to the operating system to attack iPhone encryption, allowing a passcode to be input electronically. This would make it easier to unlock an iPhone by “brute force,” trying thousands or millions of combinations with the speed of a modern computer.”
“Second, the order would set a legal precedent that would expand the powers of the government and we simply don’t know where that would lead us. Should the government be allowed to order us to create other capabilities for surveillance purposes, such as recording conversations or location tracking? This would set a very dangerous precedent.”
For more information and for a list of the other questions addressed in the press release, check out this link from Apple.
Tim Cook, CEO of Apple, released a letter to his customers today following the request by the Federal Bureau of Investigation (FBI) to have data decrypted from an iPhone formerly belonging to the gunman who instigated a shooting spree in San Bernardino, California last December.
In response to the request by the FBI, Cook asserts that Apple complied with the subpoenas and search warrants issued in the investigation process for this case. Cook goes further:
We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.
Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.
The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control.
Cook goes on to say that the FBI is circumventing Congressional action by invoking the All Writs Act “in an unprecedented use” to justify its request to expand its authority on future matters of a similar nature. Apple will oppose the order, which Cook calls “an overreach by the U.S. government,” and says it does so with “the deepest respect for American democracy and a love for our country.”
For the full letter to Apple customers, click here.
Google’s Security Team revealed on Tuesday that the long obsolete, but still all too widely used, Secure Sockets Layer (SSL) 3.0 cryptographic protocol has a major security flaw.
According to the team’s Bodo Möller: “This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.”
While SSL 3.0 has been succeeded by Transport Layer Security (TLS) 1.0, TLS 1.1, and TLS 1.2, many TLS implementations have continued to be backwards compatible with SSL 3.0 to work with legacy systems for a smoother user experience.
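The backwards-compatibility problem above is a configuration choice: a TLS endpoint that still accepts SSL 3.0 can be pushed into using it. The following added example (not from the Google advisory or from this post) uses Python’s standard `ssl` module to show a legacy-style server context that leaves SSL 3.0 enabled beside a hardened one that refuses anything below TLS 1.2, plus a small audit helper. The function names `legacy_context`, `hardened_context` and `audit` are the example’s own; whether SSL 3.0 can actually be negotiated also depends on the OpenSSL build underneath, which the audit does not inspect.

```python
import ssl


def legacy_context() -> ssl.SSLContext:
    """Constructed 'weak' configuration: a server context that explicitly
    re-enables SSL 3.0 for legacy clients (the pattern the post warns about).
    Whether SSL 3.0 is really available also depends on the OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Clear the OP_NO_SSLv3 bit and drop the floor to the lowest supported version.
    ctx.options &= ~ssl.OP_NO_SSLv3
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected configuration: SSL 3.0 (and TLS 1.0/1.1) are refused outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # floor, not just a flag
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Report the two settings that decide whether SSL 3.0 is still on the table."""
    return {
        "accepts_sslv3": not bool(ctx.options & ssl.OP_NO_SSLv3),
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(name, audit(ctx))
```

In a real deployment the same two knobs appear as `ssl_protocols`-style directives in the web server; the point of the example is that disabling SSL 3.0 is a one-line change on the server, and the `minimum_version` floor is the check to look for when reviewing a configuration.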
For more information, check out this article posted on ZDNet.com.
For information on how to fix the issue, check out this information from ZMAP.io.
Last week, I reported on the Shellshock bug found within the Unix shell, bash. As of today, Apple has released new patches for the Mac OS X distributions Lion (10.7), Mountain Lion (10.8), and Mavericks (10.9). For more information, click on the corresponding link for your system:
To install the patch, download the patch file from the link, open the software package, then follow the instructions in the dialog box. This install will require your system username and password.
In yesterday’s post, I reported there is a vulnerability within the bash shell commonly used in Mac OS X, Unix, and some Linux distributions.
Today, CNET.com, citing a statement from Apple, stated that this vulnerability is only a major concern if your machine runs programs that in turn run bash to perform certain tasks, and that most casual Mac users have little to worry about:
“Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems,” it continues. “With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.”
If your system does require a patch, there is an advanced workflow that uses Apple’s Xcode (if installed on your iMac), with step-by-step instructions available through the collaboration site Stack Exchange. Currently, Network Services here on campus are already working on a fix for any outward-facing servers.
For more information, check out this article from CNET.com.
There have been reports of a security bug, named Shellshock, discovered within the shell program Bash. Bash is used on several distributions of the Linux OS, Unix, and Apple OS X to execute system commands and scripts from a local command-line interface. The bug, also identified as CVE-2014-6271 and CVE-2014-7169, is regarded as a severe security issue because it allows extra code to be injected through common gateway interface (CGI) scripts, which are used to generate content for web pages and web applications, as well as through HTTP requests.
At the time of this post, Ars Technica is reporting there are patches available for Red Hat Enterprise, CentOS, Ubuntu, and Debian Linux distributions. Apple did not specify an official patch for OS X but did release a software update yesterday.
For more information on this, check out this Ars Technica article.
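Because the injection path described above runs through HTTP requests hitting CGI scripts, web server access logs are the natural place to look for attempts. The following added example (not from the Ars Technica article or from this post) parses a few constructed Apache combined-format log lines and flags any request, referer or user-agent field that carries the shape of a bash function definition, including a URL-encoded variant that a naive string match would miss. The log lines, IP addresses and function names (`parse_line`, `find_shellshock_attempts`) are the example’s own.

```python
import re
from urllib.parse import unquote

# Shape of an exported bash function body, "() {", with optional whitespace.
# Patched bash no longer executes trailing code after such a definition, but
# the marker is still the cheapest indicator that someone is probing for it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 128 "-" "() { :; }; echo constructed-test"
198.51.100.2 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%20%7D%3B HTTP/1.1" 200 128 "-" "curl/7.30"
203.0.113.5 - - [25/Sep/2014:10:01:15 +0000] "GET /about.html HTTP/1.1" 200 330 "-" "Mozilla/5.0 (X11; Linux) Firefox/32"
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(value: str) -> bool:
    """Match the marker in the raw field and in its percent-decoded form."""
    return bool(SHELLSHOCK_RE.search(value) or SHELLSHOCK_RE.search(unquote(value)))


def find_shellshock_attempts(log_text: str) -> list:
    """Scan every line; report the first attacker-controlled field that carries the marker."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # malformed line; a real pipeline would count these separately
        for field in ("req", "ref", "ua"):
            if is_suspicious(fields[field]):
                hits.append({"ip": fields["ip"], "ts": fields["ts"],
                             "field": field, "value": fields[field]})
                break
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["field"]}: {hit["value"]!r}')
```

Only the user-agent, referer and request line are checked because those are the header values a CGI gateway copies into environment variables; extend the field list if your server logs other headers. A hit means a probe was attempted, not that it succeeded, so pair this with the patch status of the host.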
A common feature on websites that require authentication is CAPTCHA, an image or pair of words that requires the user to type in or speak what they see or hear. With the ever-increasing sophistication of bot programs that can read or speak, researchers at the University of Alabama at Birmingham have been conducting studies on new authentication methods that go beyond the established CAPTCHA method, specifically through dynamic cognitive gaming (DCG).
One DCG method being researched presents the user with an interactive module built on simple matching tasks: the user is given several objects to choose from and has to associate one of them with another piece. An example is picking a boat out of a series of objects and dragging and dropping it next to a dock. This methodology is still being tested, but early results are positive.
For more details on the study, check out this article from Science Daily.
Oregon Security Day
Friday April 5, 2013
The third annual Oregon Security Day will be held at the Jaqua Auditorium on Friday April 5, 2013. This one-day event features distinguished speakers from academia, industry, and government, discussing current challenges and future opportunities in cybersecurity. Topics range from future trends in computer security to governmental cybersecurity, to cutting edge research in authentication and methods of securing systems and data.
This year’s slate of distinguished guests includes Dr. Stephen L. Squires, former vice president and chief science officer for Hewlett-Packard; Professor David Evans, University of Virginia; Professor Somesh Jha, University of Wisconsin; Sanjay Sawhney, Symantec Research Labs; and Dr. John Launchbury, Galois, Inc. This year’s program will also include CIS faculty research presentations and a student poster session.
You should read Mat Honan’s heartbreaking tale of a hack attack and the ensuing discussion on Techmeme. Much of the story is about Amazon or Apple’s security practices, but I would still advise everyone to turn on Google’s two-factor authentication to make your Gmail account safer and less likely to get hacked.
Read more at Lifehacker.
Internet Explorer takes second place while Firefox comes in third