FBI's secret method of unlocking iPhone may never reach Apple

WASHINGTON - The FBI may be allowed to withhold information about how it broke into an iPhone belonging to a gunman in the December San Bernardino shootings, despite a U.S. government policy of disclosing technology security flaws discovered by federal agencies.

Under the U.S. vulnerabilities equities process, the government is supposed to err in favor of disclosing security issues so companies can devise fixes to protect data. The policy has exceptions for law enforcement, and there are no hard rules about when and how it must be applied.

Apple Inc has said it would like the government to share how it cracked the iPhone security protections. But the Federal Bureau of Investigation, which has been frustrated by its inability to access data on encrypted phones belonging to criminal suspects, might prefer to keep secret the technique it used to gain access to gunman Syed Farook's phone.

The referee is likely to be a White House group formed during the Obama administration to review computer security flaws discovered by federal agencies and decide whether they should be disclosed.

Experts said government policy on such reviews was not clear-cut, so it was hard to predict whether a review would be required. "There are no hard and fast rules," said White House cybersecurity coordinator Michael Daniel, in a 2014 blog post about the process.

If a review is conducted, many security researchers expect that the White House group will not require the FBI to disclose the vulnerability it exploited.

Some experts said the FBI might be able to avoid a review entirely if, for instance, it got past the phone's encryption using a contractor's proprietary technology.

Explaining the policy in 2014, the Office of the Director of National Security said the government should disclose vulnerabilities “unless there is a clear national security or law enforcement need."

The interagency review process also considers whether others are likely to find the vulnerability. It tends to focus on flaws in major networks and software, rather than individual devices.

During a press call, a senior Justice Department official declined to disclose whether the method used on Farook's phone would work on other phones or would be shared with state and local law enforcement.

Apple declined to comment beyond saying it would like the government to provide information about the technique used.

PROTECTING "CRUCIAL INTELLIGENCE"

The government reorganized the review process roughly two years ago and has not disclosed which agencies regularly participate other than the Department of Homeland Security and at least one intelligence agency. A National Security Council spokesman did not respond to a request for comment about agency participation.

In his April 2014 blog post, White House cybersecurity coordinator Daniel, who chairs the review group, said secrecy was sometimes justified.

“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack stop the theft of our nation’s intellectual property,” Daniel wrote.

On Tuesday, a senior administration official said the vulnerability review process generally applies to flaws detected by any federal agency.

Paul Rosenzweig, a former deputy assistant secretary at the Department of Homeland Security, said he would be “shocked” if the Apple vulnerability is not considered by the group.

“I can’t imagine that on one of this significance that the FBI, even if it tried to, would succeed in avoiding the review process,” said Rosenzweig, founder of Red Branch Consulting, a homeland security consulting firm.

He predicted the FBI would not be forced to disclose the vulnerability because it appears to require physical possession of a targeted phone and therefore poses minimal threat to Internet security more broadly.

Many security researchers have suggested that the phone's content was probably retrieved after mirroring the device's storage chip to allow data duplication onto other chips, effectively bypassing limitations on the number of passcode guesses.

Kevin Bankston, director of the think tank Open Technology Institute, said there is no public documentation of how the review process has worked in recent years. He said Congress should consider legislation to codify and clarify the rules.

Stewart Baker, former general counsel of the NSA and now a lawyer with Steptoe & Johnson, said the review process could be complicated if the cracking method is considered proprietary by the third party that assisted the FBI.

Several security researchers have pointed to the Israel-based mobile forensics firm Cellebrite as the likely third party that helped the FBI. That company has repeatedly declined comment.

If the FBI is not required to disclose information about the vulnerability, Apple might still have a way to pursue details about the iPhone hack.

The Justice Department has asked a New York court to force Apple to unlock an iPhone related to a drug investigation. If the government continues to pursue that case, the technology company could potentially use legal discovery to force the FBI to reveal what technique it used, a source familiar with the situation told Reuters.

At least one expert thinks a government review could require disclosure. Peter Swire, a professor of law at the Georgia Institute of Technology who served on the presidential intelligence review group that recommended the administration disclose most flaws, said there is “a strong case” for informing Apple about the vulnerability under the announced guidelines.

“The process emphasizes the importance of defense for widely used, commercial software,” he said.

source: www.abs-cbnnews.com

Apple v FBI, is my iPhone safe?

NEW YORK — On Wednesday, a federal judge ordered Apple Inc. to help the FBI hack into an encrypted iPhone used by Syed Farook, who along with his wife, Tashfeen Malik, killed 14 people in December. Specifically, the government wants Apple to bypass a self-destruct feature that erases the phone's data after too many unsuccessful attempts to guess the passcode. Apple has helped the government before in this and previous cases, but this time Apple CEO Tim Cook said no and Apple is appealing the order.

What's the big deal? Why isn't Apple cooperating, and what does this mean for ordinary iPhone users? AP explains:

WHY ALL THE FUSS?

The clash brings to a head a long-simmering debate between technology companies whose business relies on protecting digital privacy (except, ahem, where advertising is concerned) and law enforcement agencies who say they need the ability to recover evidence or eavesdrop on the communications of terrorists or criminals to do their job. This is the first major case that requires the two sides to present their arguments in court, so it could ultimately affect millions of smartphone users.

IT'S JUST ONE IPHONE. AND THIS COULD HELP CATCH TERRORISTS. SO WHAT'S THE BIG DEAL?
While the judge on the case says the government is only asking for help unlocking one, single iPhone, Apple says the case is much bigger than that and sets a dangerous precedent. Cook says the company doesn't have a system to bypass the self-destruct one. And if it creates one, the technology it creates could eventually be used to work against other iPhones. Then everyone's iPhone would potentially be less secure. As Apple CEO Cook said, "Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes."


IS MY IPHONE STILL SECURE?

Yes. The technology being debated doesn't even exist yet. So what does this mean for your iPhone? In the short term, nothing. The case is likely to drag on for months — even years, if it works its way through appeals to the Supreme Court. But ultimately, the case could set the standard for just who has access to private data — the private message, photos and other data you store on your phone — and could cause millions of smartphones users to rethink what they store on their phones.

WILL MY DISGRUNTLED EX OR FORMER BOSS BE ABLE TO HACK INTO MY PHONE?

Not likely. Even if the technology is ultimately built and ruled legal, it would only be used by governments, or maybe cybercriminal masterminds. But probably not the average Joe next door — though you might want to watch out for his brilliant, disaffected hacker kid. (Also, all bets are off if you're talking about a phone provided by your employer, who already has the right to any information stored there.)

source: philstar.com

Two suspects dead after 14 killed in shooting rampage in California

SAN BERNARDINO, Calif. - A man and a woman suspected of taking part in a shooting attack that killed 14 people and wounded 17 at a Southern California social services agency on Wednesday died in a shootout with police hours later, authorities said.

One police officer was injured in the gunfight with the two suspects, who were confronted in their getaway vehicle after fleeing the scene of the shooting in San Bernardino, about 60 miles (100 km) east of Los Angeles, according to police.

The shooting rampage marked the deadliest U.S. gun violence since the massacre at Sandy Hook Elementary School in Newtown, Connecticut, in December 2012, in which 27 people, including the gunman, were killed.

Authorities also detained an individual seen running away from the vehicle, but investigators were not immediately sure that person was involved in the case, Police Chief Jarrod Burguan said at a news conference.

The chief said it was possible that a third shooter remained at large and that there were other people "involved in the planning" of the crime.

Burguan said the two suspects who were killed were armed with assault rifles and handguns and were dressed in "assault-style" clothing.

NBC News reported one of the three suspects was identified as Syed Farook by multiple sources, but Reuters was not able to confirm that.

HOLIDAY PARTY

A person by that name was listed on county documents as an employee of the San Bernardino County Environmental Health Department. That department had gathered on Wednesday for a holiday party at the shooting site.

The attack unfolded at 11 a.m. on the campus of the Inland Regional Center, an agency that serves the developmentally disabled, in a building housing a conference center that was being used by the county department.

The Los Angeles Times, citing information from a senior federal official who was monitoring the case, reported that investigators believe one of the shooters left the party after getting into an argument and returned with one or two armed companions.

Burguan said he was aware someone left the party following a dispute but did not know whether that individual returned. The chief said he knew of no possible motive for the shooting spree.

Burguan said the manhunt initially led police to a home in the neighboring town of Redlands, and that police pursued a suspected getaway vehicle that was seen leaving that address back to San Bernardino, where the shootout ensued.

Bomb disposal technicians were examining a number of suspicious items left by the armed assailants at the Inland Regional Center, including one that was "believed to be a potentially explosive device."

David Bowdich, an assistant regional FBI director, said federal agents and local law enforcement were being cautious about entering the house in Redlands because of concerns about explosives that might have been left there.

source: www.abs-cbnnews.com