Blog

Apple vs FBI/DOJ – Timeline and Breakdown of Encryption Case


Court rules that Apple must assist FBI in bypassing or disabling the auto-erase function in the iPhone 5C used by Syed Rizwan Farook, one of the people accused of killing 14 in San Bernardino, California two months ago

Tuesday, February 16, 2016 -- Court Rules that Apple Must Aid FBI in Hacking Phone of San Bernardino Terrorist

U.S. Magistrate Sheri Pym signed a ruling on Tuesday ordering Apple to assist the FBI in bypassing or disabling the auto-erase function in the iPhone 5C used by Syed Rizwan Farook. Farook is one of the people accused of killing 14 in San Bernardino, California two months ago. This ruling would allow the FBI to access the phone recovered in the San Bernardino shooting case.

Tuesday, February 16, 2016 -- Apple CEO Tim Cook Opposes Ruling in Open Letter

The ruling on Tuesday triggered a livid response from Apple CEO Tim Cook, who said the government wanted the company to provide a backdoor to its phones. In an open letter published the same day, Cook opposed the court's ruling, stating that:

"Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

"The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control."

Wednesday, February 17, 2016 -- White House Clarifies that a Backdoor is not Being Requested

White House Press Secretary Josh Earnest told reporters Wednesday during a briefing that the Department of Justice is "not asking Apple to redesign its product or to create a new backdoor to one of their products." It is "simply asking for something that would have an impact on this one device."

Friday, February 19, 2016 -- Government Files Motion in Federal Court for Apple to Comply

Under the decision reached Tuesday, Apple had until Feb. 26 to contest the order. The government now wants the court to pick up the pace. On Friday, the government filed a motion in federal court asking a judge to immediately require Apple to assist the FBI in accessing the iPhone 5C used by Syed Rizwan Farook. "Apple's public statement makes clear that Apple will not comply with the Court's Order," the motion by the DOJ said.

Auto-Erase Feature Enabled on Phone in Question

The iPhone was issued to Syed Rizwan Farook by the San Bernardino County Department of Public Health. When the phone was issued for business use, the auto-erase feature was enabled. This is because the security team at the agency believed it to be an important layer of protection to enable.

FBI is Asking Apple to Disable the Auto-Erase Feature and the Delays After Incorrect Passcodes

The FBI wants Apple to write a version of iOS that would not auto-erase the device after 10 failed passcode guesses and would not insert delays after each wrong attempt, so that the agency can brute-force the passcode and get into the shooter Syed Rizwan Farook's phone.
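To make concrete what those two protections do, here is an added example (not Apple's code, and not the actual iOS timings) that models a passcode guard with escalating delays after wrong guesses and erasure after the tenth failure. The delay schedule and the `PasscodeGuard`, `attempt` and `wrong_guesses_until_wipe` names are constructed for illustration; the point it demonstrates is that a four-digit space of 10,000 passcodes can only ever be tried 10 times before the key material is gone, and that the delays stretch even those 10 tries over hours.

```python
import hmac
from dataclasses import dataclass
from typing import Tuple

# Constructed delay schedule (seconds) keyed by cumulative failure count.
# These are illustrative values for the example, not Apple's real settings.
DELAY_AFTER_FAILURES = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
MAX_FAILURES = 10  # the auto-erase threshold the post describes


@dataclass
class PasscodeGuard:
    """Simplified model of the two protections discussed above: escalating
    delays after wrong guesses, and erasure once MAX_FAILURES is reached."""
    passcode: str
    failures: int = 0
    locked_until: float = 0.0  # monotonic time before which attempts are refused
    wiped: bool = False

    def attempt(self, guess: str, now: float) -> str:
        """Try one passcode at time `now`; returns a status string."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "delayed"  # still inside a back-off window; guess not evaluated
        # Constant-time comparison so timing does not leak which digit was wrong.
        if hmac.compare_digest(self.passcode, guess):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            # Erase: in the real device the data-protection key is destroyed,
            # so there is nothing left to guess against.
            self.wiped = True
            self.passcode = ""
            return "wiped"
        self.locked_until = now + DELAY_AFTER_FAILURES.get(self.failures, 0)
        return "wrong"


def wrong_guesses_until_wipe(guard: PasscodeGuard, wrong_guess: str) -> Tuple[int, float]:
    """Feed a known-wrong guess until the guard wipes, waiting out each delay.
    Returns (number of guesses the guard accepted, seconds elapsed)."""
    now, count = 0.0, 0
    while not guard.wiped:
        now = max(now, guard.locked_until)  # wait for the back-off to expire
        guard.attempt(wrong_guess, now)
        count += 1
    return count, now


if __name__ == "__main__":
    g = PasscodeGuard("1234")
    print(g.attempt("0000", 0.0), g.attempt("1234", 1.0))  # wrong unlocked
    print(wrong_guesses_until_wipe(PasscodeGuard("1234"), "0000"))
```

With the constructed schedule, ten wrong guesses take 5,760 seconds of wall-clock time and then the device is wiped; removing the delay and the erase threshold is exactly what turns a 10,000-entry space into something that can be exhausted.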

Opposition to Apple Argues that this is an Isolated Request and Apple is Being Disingenuous

"But Cook is being disingenuous. Apple is not being asked to hand over a backdoor or a master key. It's not being asked to decrypt Farook's iPhone. Rather, Apple is being asked to let FBI technicians decrypt the phone themselves. That's very different," wrote Paul Wagenseil, a senior editor at Tom's Guide.

Other experts have made similar arguments. Robert Graham, of Errata Security, blogged that Apple isn't being ordered to develop a backdoor: "the court order explicitly wants Apple to limit the special software for only this phone, so it wouldn't be something the FBI could use on other phones."

Apple and Supporters Argue that Complying with this Request Sets a Dangerous Precedent

Cook added that the government suggests the tool could only be used once, on one phone, and argued that once created, the technique could be used over and over again, on any number of devices.

If Apple were forced to do what the court ordered, would that mean the courts could order other vendors to do the same in the future? Does complying with this court order mean Apple will have to do the same for other devices or even build these bypasses for future iOS devices? If the FBI wins, then the FBI can obtain orders requiring other developers to insert arbitrary code in their products.

Worse still, nothing will prevent foreign governments, including regimes such as China that have dubious human rights records, from demanding the same capabilities. In other words, the FBI is asking a court to endorse a legal theory that could be used to compel backdoors in essentially anything.

The Reason this Case has Received National Attention

Apple has assisted the Justice Department in iPhone data extraction countless times since the iPhone launched. Many have wondered why this is the case on which Apple chose to take its stand on protecting customer privacy, especially given the indefensible actions of Farook. According to the Times, the government decided to make its request public this time, and Apple CEO Tim Cook decided he had to publicly reject the request. Now that the lines are drawn, it's up to a judge to determine whether the law is on Apple's side.

NIST compliant SSP language/template for AC-5: Separation of Duties


NIST Compliant Sample Boilerplate for AC-5

Disclaimer

This language may need tailoring depending on your organization's and system's policies and procedures. Please use this language as a starting point for considering all the components that encompass this control. Please feel free to reach out to us for any specific questions.

Application Component

Within the <application name> application, separation of duties is enforced through various permission mechanisms. The permission level structure is used to define standard roles in the system, and users in a given role are assigned the permissions necessary to perform their assigned duties, and no more. For example, a <role> is only granted permission level <permission level>, which allows him/her to <permissible action>, but not to <non-permissible action> or to perform other administrative actions. <Role> are granted permission level <permission level>, which allows them to <permissible action>. <Role> are typically granted permission level <permission level>, depending on the specific administrative functions associated with their job responsibilities. Individuals are not permitted to <conflict of interest scenario>, which could create a conflict of interest situation. Access authorizations and separation of duty for the application component are documented in the <document name>.

Infrastructure Component

Mission functions and distinct information system support functions are separated, with <role/designated personnel> performing mission functions, and the Operations Team performing information system support functions. Within the Operations Team, role separation also exists. Individuals responsible for maintaining the servers supporting the application have no access to network security devices such as firewalls, nor do they have database administration privileges. Network and database administrators manage network devices and databases, respectively, but do not manage other system components. The intrusion prevention system is administered by Security Team, separate from system or network administrators. Administration of the audit function is an auditable event, and the identity of the user performing these functions is recorded in the audit trail.

In addition to separation of duties within the Operations Team, other support functions are similarly segregated. System developers can develop software in support of the application, but cannot directly promote and install the code into the production environment. The Configuration Management lead manages the promotion of code to production and audits the contents of software releases, which must be reviewed and approved by the Security Manager (and others) prior to implementation. Implementation of the software build is performed by the Operations team. Access authorizations and separation of duty for the application component are documented in the <document name>.
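The role boundaries the two template sections describe (developers cannot promote their own code; server administrators hold neither firewall nor database privileges; the IPS is run by a separate security team) are only as good as the check that enforces them. The following is an added example, not part of the SSP template, of a small Python script that evaluates role assignments against a list of conflicting role pairs taken from the template's wording and checks that a release was authored, promoted and approved by three different people. The role names, the `TOXIC_PAIRS` table and the sample assignments are constructed for illustration.

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Conflicting role pairs drawn from the template text above. A single user
# holding both roles in any pair defeats the separation the SSP describes.
TOXIC_PAIRS = {
    frozenset({"developer", "prod_release"}),      # devs may not push to production
    frozenset({"server_admin", "firewall_admin"}), # server admins: no network security devices
    frozenset({"server_admin", "db_admin"}),       # server admins: no DBA privileges
    frozenset({"network_admin", "db_admin"}),      # each manages only its own component
    frozenset({"ips_admin", "server_admin"}),      # IPS is run by the Security Team
    frozenset({"ips_admin", "network_admin"}),
}


def sod_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, role_a, role_b) for every conflicting pair a user holds.
    Roles within a tuple are sorted so the output is stable."""
    found = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in TOXIC_PAIRS:
                found.append((user, a, b))
    return found


def release_approval_ok(release: Dict[str, str]) -> bool:
    """The developer, the CM lead who promotes the build and the Security
    Manager who approves it must be three distinct people."""
    people = {release["developer"], release["cm_lead"], release["approver"]}
    return len(people) == 3


# Constructed sample data: a role register as an IAM export might provide it.
SAMPLE_ASSIGNMENTS = {
    "alice": {"developer"},
    "bob":   {"developer", "prod_release"},   # violates dev/release separation
    "carol": {"server_admin", "db_admin"},    # violates server/DBA separation
    "dave":  {"network_admin"},
    "erin":  {"ips_admin"},
}

SAMPLE_RELEASE_GOOD = {"developer": "alice", "cm_lead": "frank", "approver": "grace"}
SAMPLE_RELEASE_BAD = {"developer": "alice", "cm_lead": "alice", "approver": "grace"}

if __name__ == "__main__":
    for user, a, b in sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    print("release ok:", release_approval_ok(SAMPLE_RELEASE_GOOD))
    print("release ok:", release_approval_ok(SAMPLE_RELEASE_BAD))
```

Run periodically against the real role export, the script gives an auditable artifact that the AC-5 language in the SSP is actually true of the system, rather than a statement of intent.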

$500,000 Reward for Hackers of Ashley Madison, as Part of Project Unicorn


ALM Announces that it will offer $500,000 reward for hackers of Ashley Madison, as part of Project Unicorn

Avid Life Media (ALM) announced on Monday that it will reward $500,000 for information leading to the identification or conviction of the people behind the attacks on Ashley Madison.

ALM is the parent company of adult sites Ashley Madison, Cougar Life and Established Men. In July a hacktivist group named Impact Team said that ALM profits on the pain of others and demanded that ALM sites, specifically Ashley Madison and Established Men, be taken offline. Impact Team vowed that if that did not happen, they would release compromised data for both sites.

ALM elected not to take the sites offline, as Impact Team had demanded, and as a result Impact Team, late Tuesday, released the first of three batches of compromised data sets. The data includes financial records, customer records, payment card information and the CEO's email logs amongst other items.

An ALM spokesperson commented that, "We are confident that the considerable investigative and prosecutorial power that is being brought to bear on this unprecedented crime will lead to arrests and convictions."

Project Unicorn is led by the Toronto Police Services (TPS), with assistance from the U.S. Department of Homeland Security, the Ontario Provincial Police, the Royal Canadian Mounted Police, and the FBI. The task force stated that the investigation is moving in a positive direction, but that outside help was needed – thus they're offering the reward as an incentive.

Mindset Necessary to Move to a More Secure Cloud


Based on a recent study, it was found that over 60% of companies consider a move to the cloud as a board level strategic decision. In the same study, over 30% of companies found IT, including security, to be an obstacle in the transition. When it comes to moving to the cloud, as security experts, we can take the approach of a leader, an inhibitor or an observer. Specifically, we can either lead the effort for a secure cloud strategy, react to and find fault in all the decisions of others, or just get left out of the conversation.

It is easy to look at the cloud as one more item on a list of threats and risks that we have to address. However, moving to the cloud may be a chance to address the important issue of how we protect our data. With the basic responsibilities of managing a system transferred to the cloud service provider, we have more time and resources to focus on the design and acquisition of the controls needed to better protect our information.

Many recommendations across the internet say not to keep your information in the cloud. Fair enough, but it's the same as if you asked, "How do I keep my house from burning down?" and the answer were, "Do not have a house." The logic is solid, but a better way to translate such advice is, "avoid storing sensitive information in the cloud." So if you have a choice, your cloud strategy can include keeping your non-crucial information in the virtual world, and critical, sensitive and PII data in designated hosting environments.

Plex Hacker Demands Bitcoin Ransom Or Server Data Will Be Released


No credit card data was leaked and the rest was hashed and salted.

At approximately 1pm PDT on July 1st, video streaming service Plex learned that the servers hosting its forums and blogs had been compromised. Information including IP addresses, forum private messages, email addresses, and encrypted (hashed and salted) passwords for forum users was exposed. As a precaution, Plex reset user passwords and sent further instructions to users via email.

The hackers asked for 9.5 bitcoins, which is equivalent to about $2,400 but wrote that the ransom would increase to 14.5 bitcoins, which is equivalent to $3,700, if it wasn’t paid in a timely manner. The hackers claimed that the stolen information will be released to the public via torrent networks if the ransom was not paid.

Companies often ignore such extortion attempts as this creates incentives for other hackers to try out the same thing. Plex said the passwords were salted, which is a security measure that makes it more difficult for hackers to convert the passwords to plain text. In a security update provided to users on Plex's website on July 6:

After thorough investigation by a team of forensic specialists, we've identified the source of the compromise to the forums server. As we had suspected, the attackers gained entry via exploiting bugs in the forums software, some of which may not be well understood or publicly disclosed, or have patches readily available. The investigation did not turn up any other compromised systems... We're committed to bringing back the forums as soon as humanly possible.
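The post notes that Plex's passwords were salted, which makes recovering plaintext harder. The following added example (not Plex's code; Plex has not published its hashing scheme) shows why, in Python's standard library: an unsalted digest maps every user who chose the same password to the same value, so the whole group falls together once one is recovered, whereas a per-user random salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256 here) forces each record to be attacked separately and at a cost the defender chooses. The record format, the iteration count and the sample users are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional

ITERATIONS = 200_000  # constructed work factor; raise it as hardware allows


def unsalted_digest(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password. Equal passwords give
    equal digests, and precomputed tables work against every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def shared_digest_groups(table: Dict[str, str]) -> List[List[str]]:
    """Given user -> unsalted digest, list the groups of users whose digests
    collide. This is what an unsalted dump hands over without any cracking."""
    by_digest = defaultdict(list)
    for user, digest in table.items():
        by_digest[digest].append(user)
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The stronger scheme: random 16-byte salt + PBKDF2-HMAC-SHA256.
    Returns a self-describing record: algo$iterations$salt_b64$hash_b64."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time; the salt is not secret, only per-user."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


# Constructed sample: three forum users, two of whom picked the same password.
SAMPLE_USERS = {"ann": "hunter2", "ben": "correct horse", "cal": "hunter2"}

if __name__ == "__main__":
    weak = {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}
    print("users sharing a digest:", shared_digest_groups(weak))  # [['ann', 'cal']]
    strong = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("salted records differ:", strong["ann"] != strong["cal"])
    print("verify:", verify_password("hunter2", strong["ann"]))
```

Salting does not make a weak password strong; it removes the economy of scale an attacker gets from a single unsalted dump, and the iteration count sets how expensive each individual guess is.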