in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

July 2018 - Posts

  • FBI Director Says Legislation Possibly A Way Into Encrypted Devices

    Last week, FBI Director Christopher Wray said that legislation may be one option for tackling the problem of "criminals going dark," a term that refers to law enforcement's inability to access suspects' data on encrypted devices. The implication is that, in the interest of justice and national security, the FBI will press for a law that will guarantee "exceptional access" to encrypted information. This most likely will require an encryption backdoor to be built on all smartphones, possibly on all digital devices that store data.
    It should be noted that the FBI emphatically denies that they want an encryption backdoor. One hopes they have taken this position because they're aware of the security problems backdoors represent; however, it's hard to ignore the possibility that the FBI is in spin-doctor mode. Their Remote Operations Unit, charged with hacking into phones and computers of suspects, uses terms like "remote access searches" or "network investigative techniques" for what everyone else would call "hacking" and "planting malware." Mind you, their actions are legally sanctioned, so why use euphemisms if not to mask what they're doing?
    If turning to legislation smells of déjà vu to old-timers, it's because this circus has been in town before. It set up its tent about 20 years ago and skipped town a couple of years later. And while many things have changed in that time, the fundamental reasons why you don't want encryption backdoors has not.  

    A Classic Example of Why You Don't Want a Backdoor

    The FBI has implied time and again that they are in talks with a number of security experts that supposedly claim the ability to build "encryption with a backdoor" that cannot be abused by the wrong people. These security experts are not, the FBI notes, charlatans. Perhaps it is because of these experts that the FBI has not desisted from pursuing backdoors. This, despite the overwhelming security community's proclamation that it cannot be done.
    It should be noted that Wray was asked by a Senator at the beginning of this year to provide a list of cryptographers that the FBI had consulted in pushing forth their agenda. To date, such a list has not been produced.
    (As an aside, according to wired.com, Ray Ozzie, arguably one of today's greatest minds in computing, has recently and independently proposed a way to securely install a backdoor without compromising the security of encryption. Here's one of the world's leading security expert's take on it: the conclusion, in a nutshell, is that it's flawed and mimics unsuccessful solutions proposed in the past).
    What is it about backdoors that their mention result in knee-jerk reactions by the security community? The answer lies in the fact that they have been looking into this for a long, long time. In the end, it's the unknown unknowns that are the problem: Encryption solutions run into surprises (bad ones) all the time. No matter how well-designed, it's impossible to prevent stuff like this or something like this from happening.
    In June 2017, it was reported that over 700 million iPhones were in use. Not sold; in use. It can also be assumed that there are at least an equal number of Android devices in use as well. That would be a lot of compromised devices if a backdoor was in effect and a bug was introduced.
    These issues cannot be legislated away. Furthermore, bugs merely represent one situation where a backdoor can lead to disaster. Others include the deliberate release of how to access the backdoor (think Snowden or Manning or the leak of CIA hacking tools); the phishing, scamming, conning, or blackmailing of the custodians of the backdoor; and the possibility of stumbling across the backdoor. Granted, the last one is highly unlikely, even more so than the others…but so are the chances of winning the lottery. And there have been hundreds, maybe thousands, of them across the world.
    The point is that the chances of the backdoor being compromised are higher than one would expect.  

    Moral Hazard = FBI's Pursuit of the Impossible?

    One has to wonder why the FBI is so insistent on pursuing the impossible dream of an encryption backdoor that doesn't compromise on security. It would be easy to dismiss it as a case of legal eggheads not knowing math and science, or not having the imagination to ponder how badly things could go wrong.
    But perhaps it's an issue of moral hazard. Basically, there is very little downside for the FBI if a backdoor is implemented. Everyone knows that, if the FBI gets what it wants, they won't have direct access to the backdoor; it wouldn't be politically feasible. For example, prior to suing Apple in 2016, they suggested that Apple develop a backdoor and guard access to it. When the FBI presents an iPhone and a warrant, Apple unlocks the device. The FBI is nowhere near the backdoor; they're by the water-cooler in the lobby.
    The arrangement sounds reasonable until you realize that the FBI doesn't take responsibility for anything while reaping the benefits. The FBI does not have to develop, test, and implement the backdoor. Once implemented, it doesn't have to secure and monitor it. If there is a flaw in the backdoor's design, the FBI dodges direct criticism: they didn't design it, don't control it, etc. Last but not least, the onus is on the tech companies to resist foreign governments' insistence on being given access to encrypted data. Which you know will happen because they know the capability is there.
    It's a classic case of heads, I win; tails, I don't lose much.
     
    Related Articles and Sites:
    https://www.cyberscoop.com/fbi-director-without-compromise-encryption-legislation-may-remedy/
    https://www.theregister.co.uk/2017/10/05/apple_patches_password_hint_bug_that_revealed_password/
    https://www.ecfr.eu/page/-/no_middle_ground_moving_on_from_the_crypto_wars.pdf
     
  • Most of the Used Memory Cards Bought Online Are Not Properly Wiped

    According to tests carried out by researchers at the University of Hertfordshire (UK), nearly two-thirds of memory cards bought used from eBay, offline auctions, and second-hand shops were improperly wiped. That is, the researchers were able to access images or footage that were once saved to these electronic storage units… even if they were deleted.

     

    Free and Easy to Use Software

    Popular media would have you believe that extracting such information requires advanced degrees in computers as well as specialized knowledge and equipment. These would certainly help; however, the truth is that an elementary school student would be able to do the same. The researchers used "freely available software" (that is, programs downloadable from the internet) to "see if they could recover any data," and operating such software is a matter of pointing and clicking.
    In this particular case, the recovered data included "intimate photos, selfies, passport copies, contact lists, navigation files, pornography, resumes, browsing history, identification numbers, and other personal documents." According to bleepingcomputer.com, of the one hundred memory cards collected:
    • 36 were not wiped at all, neither the original owner nor the seller took any steps to remove the data.
    • 29 appeared to have been formatted, but data could still be recovered "with minimal effort."
    • 2 cards had their data deleted, but it was easily recoverable
    • 25 appeared to have been properly wiped using a data erasing tool that overwrites the storage area, so nothing could be recovered.
    • 4 could not be accessed (read: were broken).
    • 4 had no data present, but the reason could not be determined
     

    Deleting, Erasing Wiping… Not The Same

    Thankfully, it appears that most people are not being blasé about their data. They do make an effort to delete the files before putting up their memory cards for sale. The problem is, deleting files doesn't actually delete files. (This terminology morass is the doing of computer software designers. Why label an action as "Delete file" when it doesn't actually do that?)

    The proper way to wipe data on any digital data medium is to overwrite it. For example, if you have a hard drive filled with selfies, you can "delete" all of it by saving to the disk as many cat pictures you can find on the internet (after having moved all of the selfies to the trash/recycle bin on your desktop). This is analogous to painting over a canvas that already has a picture on it, although the analogy breaks down somewhat if one delves into technical minutiae.

    Incidentally, this is why encryption can be used to "wipe" your drive: Encryption modifies data so that the data's natural state is scrambled / randomized. When an encryption key is provided, the data descrambles so that humans can read it. Once the computer is turned off, the data returns to its scrambled state. So, if you end up selling a memory card with encrypted data but without the encryption key, then it's tantamount to offering for sale a memory card that's been properly wiped.

     

    More of the Same

    This is not the first time an investigation has been conducted into data found on second-hand digital storage devices. As the bleepingcomputer.com article notes, similar research was conducted in the past:
    A study conducted in 2010 revealed that 50% of the second-hand mobile phones sold on eBay contained data from previous owners. A 2012 report from the UK's Information Commissioner's Office (ICO) revealed that one in ten second-hand hard drives still contained data from previous owners. A similar study from 2015 found that three-quarters of used hard drives contained data from previous owners.
    And these are but a small sample of the overall number of similar inquiries over the years. The world has seen more than its fair share of privacy snafus, be it a data breach or otherwise. Despite the increased awareness on data security and its importance, the fact that we're still treading water when it comes to securing data in our own devices could signify many things:
    • People don't really care, even if they say they do.
      • No surprises there.
    • We are too focused on spotlighting the problem and failing in highlighting the solution.
      • News anchor: "Yadda yadda yadda…This is how they hacked your data. Be safe out there. And now, the weather." Be safe how? What do I do to be safe?
    • People interested in preserving their privacy do not sell their data storage devices; hence, studies like the above are statistically biased to begin with.
      • Essentially, researchers are testing the inclinations of people who don't really care about privacy or don't care enough to really look into it (a quick search on the internet will show you how to properly wipe your data).
    • Devices sold were stolen or lost to begin with, so the sellers do not have any incentive to properly wipe data.

    Whatever the reasons may be for the continued presence of personal data on memory storage devices, regardless of how much more aware we are of privacy issues, one thing's for certain: It's not going away.

     

    Related Articles and Sites:
    https://www.bleepingcomputer.com/news/security/two-thirds-of-second-hand-memory-cards-contain-data-from-previous-owners/