Jonathan Zdziarski posted an interesting blog last week detailing some of the changes in iOS designed to improve security and rein in access to data in the new iOS 8 release.
Historically, it has been possible for legitimate law enforcement groups to pressure Apple into unlocking devices: much like data requests sent to ISPs about your browsing and network habits, Apple (and Google et al.) were able to unlock "confiscated" devices so detectives could search them for incriminating evidence.
iOS 8 makes that somewhat harder and puts Apple (and Google) squarely against what law enforcement and governments want. Read more…
Following on from a failed state-wide "hack" of the Blackberry system, where the state-controlled telco Etisalat tried to distribute a "performance enhancing patch" to Blackberry users (which turned out to be a state-controlled back door program), the United Arab Emirates is threatening to block e-mail sending and IM delivery on Blackberries, and Saudi Arabia is threatening to block Blackberry-to-Blackberry IM.
According to BBC News:
Both nations are unhappy that they are unable to monitor such communications via the handsets. This is because the Blackberry handsets automatically send the encrypted data to computer servers outside the two countries.
Just a reminder that tomorrow I will be speaking at the CSO Executive Seminar at the Hilton, Tysons Corner, VA – http://public.cxo.com/conferences/index.html?conferenceID=64. The topic will be "5 practical steps for data protection". I don't expect it to be a McAfee sales push; I'll be talking about technologies in general.
If you’re a reader of my blog(s) please come and say hello.
“But if it’s encrypted, why do I need to login?” the customer across the desk asks me with incredulity.
I realise that I'm about to get into a discussion which borders on the theological and raises passion in security and business leaders alike. A discussion that I've had many times over the last two years, and will have many more times in the near future.
"Because, without authentication, there's no point to encryption," I reply, knowing full well that this isn't an answer that's wanted, or understood.
With a stifled sigh I start to explain… Read more…
Nov 2015 Update – It seems BitLocker without pre-boot authentication has been trivially insecure for some time, according to Synopsys researcher Ian Haken, who found a simple way to change the Windows password and thus gain access to data even while BitLocker was active.
So, with the forthcoming release of Windows 7, the ugly beast known as "BitLocker" has reared its head again.
For those of you who were around during the original release of BitLocker, or as it was known then "Secure Startup", you'll remember that it was meant to completely eliminate the necessity for third party security software. Yes, BitLocker was going to secure our machines against all forms of attack and make sure we never lost data again.
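The practical takeaway from the Nov 2015 update (and from the "without authentication there's no point to encryption" conversation above) is that a BitLocker OS volume unlocked by the TPM alone releases its key at boot with no secret from the user, so anything that defeats the Windows logon screen defeats the disk encryption too. The following PowerShell is an added example written for this page, not code from the original post or from Microsoft; it uses only the documented BitLocker module cmdlets and flags OS volumes that have no pre-boot PIN or startup key. The function name and the `Weak`/`PrebootAuth` fields are this example's own.

```powershell
# Added example (not from the original post): audit BitLocker key protectors so that
# volumes relying on TPM-only unlock (no pre-boot PIN or startup key) are flagged.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an
# elevated prompt. Property names on the volume objects are the module's own;
# the PrebootAuth and Weak fields are added by this example.
function Get-BitLockerPrebootAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, ExternalKey, RecoveryPassword and Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Pre-boot authentication exists only when unlocking needs something the
        # user supplies (a PIN) or carries (a startup key) in addition to the TPM.
        $hasPreboot = [bool]($types -match '^Tpm(Pin|StartupKey|PinStartupKey)$')

        # TPM-only: the volume key is released to the boot loader automatically,
        # which is the "sans pre-boot" configuration the Nov 2015 update refers to.
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPreboot

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ',')
            PrebootAuth      = $hasPreboot
            Weak             = $tpmOnly
        }
    }
}

# Run it and show OS volumes that boot straight through to the Windows logon screen.
Get-BitLockerPrebootAudit |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
    Format-Table MountPoint, ProtectionStatus, KeyProtectors, PrebootAuth, Weak -AutoSize

# Remediation for a weak OS volume (needs the "Require additional authentication at
# startup" policy to permit a PIN): add a TPM+PIN protector, then drop the TPM-only one.
#   $pin = Read-Host -AsSecureString 'New pre-boot PIN'
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
#   Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId <Id of the Tpm protector>
```

Run it from an elevated prompt on each machine you care about (or via your fleet tooling); a row with `Weak` set to `True` is exactly the configuration where changing or bypassing the Windows password is enough to read the disk. Note that `ProtectionStatus` can read `Off` while protectors are listed, which means BitLocker is suspended and the volume is effectively cleartext until it is resumed.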
This week's flame war between TrueCrypt and Peter Kleissner had me both upset and laughing at the same time.
For a start, hats off to young Peter (18 years old according to his site), who recently presented at Black Hat his concept for a “universal rootkit” exploit, which, using that older-than-he-is technology of MBR replacement, manages to subvert Windows in such a way as to be able to drop a payload into memory as the computer boots.
I'm not sure, but isn't that what MBR viruses have done since day one? I guess Peter agrees, because his new "Stoned Bootkit" rootkit is named "Stoned" in homage to one of the original MBR viruses of 1987. Read more…
This week's (potential) major fail goes to Apple for iPhone 3GS security. As reported by Wired and others, it seems the new 3GS encryption touted by Apple in their "iPhone Security Overview" isn't so secure after all.
The official description of the new feature sounds pretty good:
iPhone 3GS offers hardware-based encryption. iPhone 3GS hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.