Thoughts about the Apple vs FBI iPhone firmware case

Not trying to provide the full story here, just a few thoughts and directions as to security, privacy and civil rights. (for the backdrop – Apple’s Tim Cook letter explains it best: https://www.apple.com/customer-letter/)

From a technical perspective, Apple is fully capable to alleviating a lot of the barriers the FBI is currently facing with unlocking the phone (evidence) in question. It is an iPhone 5C, which does not have the enhanced security features implemented in iPhones from version 5S and above (security enclave – see Dan Guido’s technical writeup here: http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/).

Additionally, when dealing with more modern versions, it is also feasible for Apple to provide updates to the security enclave firmware without erasing the content of the phone.

But from a legal perspective we are facing not only a slippery slope, but a cliff as someone eloquently noted on twitter. Abiding by a legal claim based on an archaic law (All Writs act – originally part of the Judiciary act of 1789) coupled with just as shaky probably cause claim, basically opens up the door for further requests that will build up on the precedent set here if Apple complies with the court’s order.
One can easily imagine how “national security” (see how well that worked out in the PATRIOT ACT) will be used to trump civil rights and provide access to anyone’s private information.

We have finally reached a time where technology, which was an easy crutch for law enforcement to rely on, is no longer there to enable spying (legal, or otherwise) on citizens. We are back to a time now where actual hard work needs to be done in order to act on suspicions and real investigations have to take place. Where HUMINT is back on the table, and law enforcement (and non-LE forces) have to step up their game, and again – do proper investigative work.

Security is obviously a passion for me, and supporting (and sometimes helping) it advance in order to provide everyone with privacy and comfort has been my ethics since I can remember myself dealing with it (technology, security, and privacy). So is national security and the pursuit of anything that threatens it, and I don’t need to show any credentials for either.

This is an interesting case, where these two allegedly face each other. But it’s a clear cut from where I’m standing. I’ve said it before, and I’ll say it again: Tim Cook and Apple drew a line in the sand. A very clear line. It is a critical time now to understand which side of the line everybody stands on. Smaller companies that lack Apple’s legal and market forces, which have bent over so far to similar “requests” from the government can find solace in a market leader drawing such a clear line. Large companies (I’m looking at you Google!) should also make their stand very clear – to support that line. Crossing that line means taking a step further towards being one of the regimes we protect ourselves from. Dark and dangerous ones, who do not value life, who treat people based on their social, financial, racial, gender, or belief standing differently. That’s not where or who we want to be.

Or at least I’d like to think so.

Update: Apparently Google is standing on the right side of the line:

Update 2 (2/20/16): Seems like the story is developing more rapidly, so figured I’d add a couple more elements here.

First – a good review from a forensic perspective on the FBI’s request puts the entire thing in even shadier legal standings if the data from the phone would be used in such a way: http://www.zdziarski.com/blog/?p=5645

Second – Apple today (2/20) updated that while the phone was in the FBI’s custody, it’s iCloud ID has been reset, basically eliminating one of the easier paths to recover data from the phone (http://abcnews.go.com/US/san-bernardino-shooters-apple-id-passcode-changed-government/story?id=37066070). This would have been a major oversight by the FBI, who would have failed to establish a clear “hands-off” policy on anything related to the terrorists assets – including it’s employer’s digitally controlled assets. Later in the day, and probably after getting under scrutiny for allegedly performing the iCloud account reset “on their own accord”, the San Bernardino County’s official account notified that it essentially tampered with the evidence based on the FBI’s request.

If this indeed is the case, we are looking at a much more problematic practice that exceeds incompetence, and moves into malpractice.

line-in-the-sand1

p.s. additional reading on this, from a couple of different authors who I wholeheartedly agree with:

http://www.macworld.com/article/3034355/ios/why-the-fbis-request-to-apple-will-affect-civil-rights-for-a-generation.html

And the EFF’s stand: https://www.eff.org/deeplinks/2016/02/eff-support-apple-encryption-battle

An obituary to pentesting?

I just saw a blog post in which Mike Kemp discovers the realities of 2010 (linkedin). (disclaimer – I know Mike and love him as a person, and this is my way of poking at him a bit – no disrespect here, but pretty much the opposite)

Now, go read that post (yes, I know, it’s long, but trust me).
This isn’t new (albeit very honest, direct and true),but here are a couple of comments I have:

  1. Penetration Testing is dead. Overrated, and abused by fancy vulnerability scanning, it died a few years ago. If you are still paying for one – check carefully what you are actually getting…
  2. Automation is king. I actually argue that 80% of what’s sold as a pentest by the major providers can/should be automated. All those scanner monkeys should be fired or forced to step up their game and actually do some work.
  3. Compliance? Really? Do you really want to go there? It’s got nothing to do with security, and if you thought so for a second I want to have what you were on when you did.
  4. Standards. This is where Mike touches on a sensitive topic for me (yes, PTES…). I’d actually challenge Mike to show me how PTES (which he mentions in the post – but you already know that because you read it, right?!) restricts providers by providing the engagement steps – which they should follow. There’s no restriction to scope, and I have personally used PTES in red team engagements. Full scope, no bars held. But still with a standard to follow, and something the client can also keep track of and know what to expect (and demand).
  5. I fully agree on the “pass the wealth” point where you should call in someone else who’s an expert to deal with a specific client request. Done that many times, and have never lost a customer that way.

Last but not least – yes, I do think that most pentesters can be replaced with a script. As they should. I do however have a solid advice to Mike and others who are still valuable professionals that have skills which are not replaceable by automation: demand a proper engagement model. And yes – I’m referring to the PTES again. You’d notice that threat modeling is part of it. Done properly threat modeling achieves multiple goals:

  • Forces the discussion to be around security rather than compliance, price or other factors that have nothing to do with security.
  • Scope goes out the window as threat models focus on the BUSINESS and not the TECHNOLOGY.
  • Enables the organization to test itself against its adversaries (threat actors/communities) rather than against pentesters. Much more rewarding, and correct.
  • Enables the provider (if it can muster to perform a decent threat model with the client) to charge decent rates for its services. You can clearly show how this isn’t some automated software running and spitting out reports, but skills and experience playing. It’s then your responsibility to follow through on it and make sure the final deliverable also looks like that (otherwise you are looking at a very short success rate for trying to adopt only part of this approach).

I actually welcome the hordes of scanner monkeys and tool-jockeys. They make the real professionals look even better. And although professionals don’t often have the marketing/sales power of the big-[number], trust me – they are busy, and doing work that the “big” and “trusted” suppliers can’t even start to put on their canned proposal templates.

Amazonian Trojans and Marketing Fear-Mongering

Hello there, welcome back to our scheduled programming on how to drum up clicks and views on your website “Powered by Fear Uncertainty and Doubt”.

As most marketing organizations know, sometimes you need to be a little creative when coming up with news and research. You draw a target for your security researchers to hit, and hope they come back with meaningful data that’ll make it to the next news cycle. And sometimes it actually works.

This time it didn’t. Recently, when reviewing my Twitter/Facebook feeds, I ran across “news” that state that Amazon (OMG – our trusted Amazon) are selling Rooted Android tablets, preinstalled with Trojans. Most of the public probably goes: “Hide your Nexus and shoot your Kindles!” in response. How dare Amazon sell us trojaned tablets?

But worry not, only after actually reading the details of the article (http://www.net-security.org/malware_news.php?id=3152) and the original research report (http://www.cmcm.com/blog/en/security/2015-11-09/842.html) you’ll understand that:

  1. Amazon has nothing to do with this. Just like you and I can set up shop on Amazon and start selling backdoored laptops, Amazon wouldn’t have anything to do with said backdoored laptops.
  2. It’s not about your usual tablet. So you can pull back your Nexus, brush up your Kindle, and keep using your Asus/Samsung/LG/[brand] Android tablet.
  3. It’s not even really an Android issue. One could have jailbroken an iPad, install a backdoor/trojan on it, and sell it online. The Android part is relates more to the price point and the ability to sell really cheap tablets.
  4. I dare you to recognize any of the “brands” of tablets sold with these trojans. Funny, the top “brand” is actually, wait for it, “NO BRAND”. I kid you not.

brands

So after sorting out the FUD, we are left with no much of a scare. Suspiciously cheap tablets, marketed mostly as “no brand” (or other brands which at least I’ve never heard of), are filled with questionable software. Kind’a reminds me of even “big name” manufacturers who load their phones/tablets/laptops with assorted unwanted software (officially dubbed “bloatware”). Wow. How did this not make headline news across the nation?

Bottom line – it’s pretty sad that we end up running research on the fringe areas of consumer devices and shopping behaviors. Yes, there’s a technical merit to analyzing a Chinese backdoor, but marketing it as “OMGWTFBBQ!” by sprinkling in Amazon and Android in the headline is pure marketing alchemy. Let’s get back to two things:

  1. Educating that when the deal seems too good, it probably is.
  2. Focusing our research efforts on more meaningful things. Yes, this also applies to stunt hacking, or junk hacking of sorts. There’s a lot of brainpower that could be diverted to solving problems that we have been dealing with for ages, yet would probably yield less media buzz.

Debunking the “8200”, “81” and other #### ex-Israeli Army Intelligence myth

I’m a known and pretty vocal advocate of self learning, self starting, and inquisitive entrepreneurial spirit. As such, I’ve witnessed over my years in the security industry, a lot of occasions where the halo or myth surrounding some so-called “elite” units in the Israeli Army Intelligence has blinded people.
Such blindness comes from a very small percentage of people who capitalized on what used to be highly selective knowledge and experience in a narrow field of practice. But that was almost 20 years ago. Companies like Checkpoint, Nice, and Amdocs, were all started by alumni of such intelligence units, who basically applied their specific experience from the army signals intelligence unites to building firewall systems, telecom and spy/monitoring technologies.

Nowadays, the reality could not be further from this. What used to be a very specific skill-set and knowledge, is mostly open, and freely accessible to anyone with the right aptitude to pick up and master. Back in the days you had to earn your “hacker cred” in order to get access to the forums where people were sharing knowledge, today most of that “exclusive/unique” knowledge is wide open and available.

And today I ran across an article that infuriated me because of its ignorance. Enter: “The cyber labor market in Israel, the cyber guild“. In this article, the author claims, again, that the “ex-#” alumni phenomenon is filling the Israeli market and basically owning it to a point where non-guild members are shunned out. It claims that whereas information and knowledge should (or is?) open, in the guild market it matters more where you came from than what you actually know and have experience with.

I respectfully call BS on this. It’s just not the reality anymore. Yes, there is an obvious alumni network effect, but such that is just as common with other alumni organizations (think Ivy-league Universities, local schools, or any other melting-pot where people get to know one another). But the “guild” part is just wrong. It’s actually the complete opposite. After the initial success of the early founders, the “Ex-#” units basked in the glow and enjoyed a fairly long streak of alumni that only had to mention their unit’s name (or even not that – just to keep things more hush-hush) in order to nail a high-paying job. However, with such high expectations, the failures became more apparent. And then the realization – that 8200, which is the largest unit (people-wise) in the Army, does not actually employ thousands of talented programmers and hackers. That a huge percentage of it are grunt workers, pushing papers, poring over analyst reports, and operating the collection and dissemination processes and technologies. Glorified IT support in most cases. And with that, the sham evolved. The “friend brings friend” system worked most of the time when the initial friend was one of the actually few talented alumni, who brought their few talented friends. The rest ended up blowing the bubble out of proportion, and infusing the industry with the glorified IT technicians. And the industry balked fairly quickly. I have personally witnessed companies hurting and buckling under the cost of incompetent alumni recruitment, and eventually realize their mistake and quietly ditch those. I have personally interviewed tens (if not hundreds) of people, and very quickly realized (again – after making a few trust mistakes myself) that my gut feeling and personal assessment of ones personality is more consistent than their alleged history in a “famous” unit.

I have personally mentored extremely talented people who had to fight for their place, had to learn programming languages and platforms, gain their experience in the real world, and become some of the more sought after talents out there. At the same time I’ve seen the “ex-#” alumni stagnate at dead-end jobs because they could not scale beyond their alleged field of expertise. The market is highly capitalistic out there. It won’t tolerate too much of the halo effect, and albeit huge efforts in fueling that effect through several alumni organizations, and alumnus in executive positions, this doesn’t really hold. If you are looking for innovation and “thinking outside the box” maybe try to look for people who have not been indoctrinated in a very strict environment to perform a very narrow task. Look for people with broad experience, from different paths of life, who share core traits – curiosity, innovation, drive, and the ability to say “I don’t know”. That’s how the modern market operates. There is no guild. And if you are led to believe so – try to see who/what is it that gave you that impression. You’ll be quick to learn that it is mostly self-serving marketing created to favor the less talented who need to rely on riding the coattails of the successful few. Who by the way – were mostly self-taught and would have made it without having the “ex-#” experience 😉