Apple vs FBI: Why the iPhone Backdoor is a Necessary Fight

Apple vs FBI: Building a backdoor into the iPhone is like burning the haystack… 

I’ve been asked almost 100 times since Apple rejected the FBI’s request to break into the iPhone of the San Bernardino killers which side I support. I am a firm believer that the most complex problems (this is one of them) deserve the simplest explanations. Here is the simplest way that I can walk you through the argument:

  • If your immediate response, like many, is to side with Apple – “Don’t hack into your own operating system, it sets a bad precedent” – then you have a good strong natural reflex when it comes to privacy. But don’t stop your thinking after your first reaction or thought, as it might be incomplete, because…
  • This is an intricate and nuanced balance between 1) personal privacy (don’t allow Apple or the FBI access into this particular phone), 2) public privacy (once Apple makes an exception for this case, the FBI (or Apple) could potentially open the iPhone in all cases), 3) security (by building in a backdoor for legitimate purposes, you will be opening it for hackers as well) and 4) national security (without access to this info, other terrorists might go undetected).
  • If it were your family member that had been murdered, you would probably agree that law enforcement should have every tool at their disposal to track down the murderers or criminals, and privacy be damned. You would also note that…
  • There are thousands of precedents for the FBI to obtain search warrants into suspects’ homes, emails, phone calls and the like. Ask yourself why this request is any different.
  • It’s a slippery slope. First the iPhone, then your encrypted password protection software, private Facebook history – you name it. The FBI’s solution is roughly the equivalent of giving the government a key to every home in America and letting them decide when to use it. By applying a broad brush stroke (build a backdoor into the security of every iPhone) when a fine-tipped pencil would be more than adequate (learning more about a single case – the San Bernardino killers and their connections), you forever lose control of the master key. As was put so eloquently in an article by Wired (I cite this particular article because I agree with it), “Apple is not being asked to unlock an iPhone; it’s being asked to create software that would help the FBI unlock it.” To me, those are two completely different requests.
  • A backdoor would give law enforcement an additional tool to solve tens or hundreds of crimes, but in the meantime would endanger the data of nearly a billion users. If Apple complies, what happens when China asks Apple to unlock a phone based on the earlier precedent – does Apple hand over information that could lead to political persecution? In other words…

Building a backdoor into the iPhone is the equivalent of burning the haystack to find a needle. You simply have to ask yourself honestly if the needle is worth the ashes. 

5 Possible Solutions in the Apple vs. FBI iPhone Backdoor Case

  1. Let it go. Sometimes you don’t have all of the evidence in a criminal case. Whether the murder weapon cannot be found or the iPhone data cannot be obtained, the case is resolved in other ways. The NSA (as exposed by Edward Snowden) has done nothing to engender our trust in government organizations collecting and using data on American citizens. They abused their powers of data collection in that case, so we all wonder why it would be any different in this case.
  2. Stop pretending that Apple can build a one-time backdoor. Encryption doesn’t work that way. Security doesn’t work that way. The minute you tinker, the entire house of cards falls and exposure becomes the rule, not the exception. If the information on the phone is important enough, at least admit you are willing to put the data of a billion people at risk.
  3. Upgrade your hackers at the FBI. I’ve had several white-hat hackers suggest that the iPhone can be cracked. Hackers are sometimes a cocky bunch (that’s what makes them good, by the way), but I’ve seen them hack almost every device possible with a creativity that would make Picasso proud, so I wouldn’t put it past them.
  4. Take this conversation off line. Ultimately, I think this question will be decided in back rooms where the public doesn’t get to see the answer (we are, in fact, a representative democracy where much of what happens does so behind closed doors). And frankly, I think it should be. There is too little awareness of the complexities we are dealing with here, and the emotional responses that we all have are only getting in the way.
  5. Do something, Congress! There are thousands of similar cases to be decided in the future and very little in the way of legislation to guide the way. Most of the laws being quoted in this case go back a half a century. Congress should catch up with technology and set some guidelines and oversight on the privacy vs. security question. We are a smart enough society to allow for gray areas in between a media that immortalizes black and white.

I believe that Apple is doing the right thing in standing their ground and not creating a system-wide backdoor into the iPhone. I also believe that the FBI is doing the right thing in trying to obtain every piece of information they can to resolve a past or future crime. This should not include a systemic hack of the iPhone or any computer system. The strength of our democracy is in the tension that exists between those two stances and the system of checks and balances that keep either position from being extreme.

I guarantee you that there is a way to set down the paint brush and pick up the pencil – to create a solution that impacts one phone, not millions – and that it is possible to balance public privacy with national security. It may not pertain to this particular case, but it will to all of those future cases waiting to happen. In the end, isn’t that what we all want? If you agree, write your Congressperson and ask them to create laws that address the current privacy/security confusion.

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Honeymoon Over: Flashback Trojan Infects Apple

(and what you can do about it)

For years, Apple Mac users have been able to smugly preach security supremacy over fellow Windows users. Apple computers were less susceptible to viruses because they accounted for such a small share of hack-able devices. With the explosive growth of Mac laptops, iPads and iPhones, that honeymoon is all but a nostalgic memory. Apple’s Mac OS X no longer has impunity from virus infection. For the second time in the last year, Apple’s OS X has been successfully breached by malware. Here are the details, and steps you MUST take to protect yourself:

Flashback Trojan Facts:

  • The Flashback Trojan has currently infected more than 600,000 Macs.
  • Flashback is a ‘drive-by’ virus, meaning users only have to visit a site that exploits the flaw; you don’t have to download anything to be at risk.
  • The flaw exploits weaknesses in Java coding, a fairly essential and widely used web browsing tool.
  • First, the Trojan loads software onto your system that directs victims to additional malware.
  • Once the malware is installed, the Trojan steals passwords and banking info from Safari.

Tips for Protecting Your Mac:

  • Immediately download and install all Apple updates and security patches (the latest of which corrects the Java flaw).
  • Configure your system to download and install security and software updates automatically as they are released.
  • Make sure you are using the Apple version of Java that is patched for this virus (Java 6 update 31 or greater).
  • Consider installing anti-virus software or a security suite on your Apple computer, much like you would on your Windows systems.
  • Check to see if your Mac has been infected with the Flashback Trojan.
  • If you suspect that your Mac has been infected, visit F-Secure’s website and follow its removal instructions.
  • For casual users, consider doing away with Java altogether. The Web itself provides the processing power previously provided by Java.
  • Don’t fall prey to the belief that as a Mac user, you are immune to viruses, trojans and malware. Actually, you are probably now more exposed than Windows users, who have been building their defenses for years.

The Apple virus-free honeymoon has been long and satisfying. But as with all relationships, it’s time for you to move into a more mature, long-lasting companionship.

John Sileo is an award-winning author and speaker on protecting the sensitive data that makes your business run (even the data you access on your iPad, iPhone or Macbook). He is the CEO of The Sileo Group, which advises clients on defending privacy and leveraging trust. His clients included the Pentagon, Pfizer & Homeland Security. Sample his keynote presentations or appearances on 60 Minutes, Anderson Cooper & Fox. 1.800.258.8076.

iPhone Location Tracking Leads to Privacy Lawsuit

Apple has been hit with a lawsuit in Florida alleging the company is violating iPhone users’ privacy and committing computer fraud. The case came in response to news that the iPhone maintains a time-stamped location log, and that data is also stored on users’ computers.

The lawsuit was filed in Federal court in Tampa, Florida on April 25 by two customers who claimed Apple was tracking iPhone owners’ movements without consent, according to Bloomberg.

The case was filed after word that the iPhone and iPad with 3G support maintain an unencrypted log file showing where users are based on cell tower triangulation. That file is transferred to users’ computers during the sync process with iTunes and is maintained as part of the device’s backup file collection.

Location logging has been active in the iPhone and 3G iPad since the release of iOS 4 last June, which means some users have nearly a year’s worth of data stored away. Apple is denying that they are actively tracking user locations.

Award-winning author and identity theft keynote speaker John Sileo trains executives and employees to respect and protect the data that makes their company profitable. His clients included the Department of Defense, Homeland Security, FDIC, Pfizer, Blue Cross and organizations of all sizes. Contact him directly on 800.258.8076 or watch him deliver an Identity Theft Speech.

iPhone and Droid Want to Be Your Big Brother

Remember the iconic 1984 Super Bowl ad with Apple shattering Big Brother? How times have changed! Now they are Big Brother.

According to recent Wall Street Journal findings, Apple Inc.’s iPhones and Google Inc.’s Android smartphones regularly transmit your locations back to Apple and Google, respectively. This new information only intensifies the privacy concerns that many people already have regarding smartphones. Essentially, they know where you are anytime your phone is on, and can sell that to advertisers in your area (or will be selling it soon enough).

You may ask, “don’t all cell phone carriers know where you are due to cell tower usage?” Yes, but Google and Apple are not cell phone carriers, they are software and hardware designers and should have no real reason (other than information control) to be tracking your every move without your knowledge. Google and Apple are not AT&T or Verizon, therefore they should not be recording, synching and transmitting your location like it appears they are.

Both companies are trying to build huge databases that allow them to pinpoint your exact location. So how are they doing it? By recording the cell phone towers and WiFi hotspots that you pass and that your phone utilizes. This data will ultimately be used to help them market location based services to their audience, which is a market that is expected to rise $6 billion in the next 3 years.

The Wall Street Journal found, through research by security analyst Samy Kamkar, that the HTC Android phone collected its location every few seconds and transmitted the data to Google at least several times an hour. It transmitted the name, location and signal strength of any nearby WiFi networks, as well as a unique phone identifier. This information was not as personal as what the Street-View cars collected, which Google had to shut down some time ago.

So what do we do now? According to the Wall Street Journal, neither Apple nor Google commented when contacted about these findings, so it is hard to know the extent of how they are using the data collected. Right now, there really isn’t much you can do to stop GPS tracing of your location without your consent. Of course you could power down your phone, but we are all way too addicted to these handy little digital Swiss Army Knives to do that. You can turn off GPS services, but again, that makes it impossible to use maps and other location-based apps.

The actual answer here is for the public to put enough pressure on Apple and Google that they stop the practice of tracking our location-based data and no longer collect, store or transmit it in any way without our consent.

While this may be the future of privacy, it is better that we are aware of what may come rather than remain in the dark about the possibilities of technology.

John Sileo is the President of The Sileo Group and the award winning author of four books, including his latest workbook, The Smartphone Survival Guide. He speaks around the world on identity theft, online reputation and influence. His clients include the Department of Defense, Pfizer and Homeland Security. Learn more at www.ThinkLikeASpy.com.

iPad & Tablet Users Asking for Identity Theft

The identity theft and corporate data risk problem isn’t limited to iPad users – it affects all tablets – but iPads are leading the way. With the rapid increase in highly powerful tablet computers, including the Motorola Xoom and Samsung Galaxy, a new survey is urging users to beware of the risks. Harris Interactive just released a study showing that tablet users transmit more sensitive information than they do on smartphones and are considerably less confident of the security protecting those tablets.

The survey shows that 48% of tablet users transfer sensitive data using the device while only 30% of smart phone users transfer sensitive information. The types of sensitive data included credit card, financial, personal and even proprietary business information. Many factors contribute to the increased risk:

  • Users initially bought tablets as book readers and web browsers, but have increasingly added to their functionality with new Apps.
  • Tablet computers are in their infancy and haven’t been equipped with the same security features as laptops and desktops.
  • Corporate users haven’t yet been trained on securing the data on tablets.
  • Tablets are more capable than smartphones, making them a natural laptop replacement, but without the robust, time-tested security.
  • Indiscriminate App downloading (covered in detail in the Smartphone Survival Guide) greatly increases chances of accidentally loading malware to your tablet.
  • Many companies buy their employees tablets rather than laptops because they are less expensive, more mobile, and have similar capabilities. Unfortunately, they are failing to consider the increased risk posed by the trendy computers.

If you are using your tablet like a laptop (email, accessing bank accounts, transmitting business documents), take the following minimum steps:

  1. Turn on password protection to get into the device.
  2. Enable remote tracking and wiping capabilities in case the device is lost or stolen.
  3. Utilize secure wireless connections only (not free WiFi hotspots in cafes, airports and hotels) to eliminate signal sniffing.
  4. Limit the data you store and transmit on your tablet until the security features have caught up with the functionality.
  5. Physically lock up the device when not in use. Never leave it on the table at Starbucks like someone did in the photo to the right.

Tablets are a slippery slope – they make computing so user friendly that you start to think it’s a friendly computing world out there. Unfortunately, cyber criminals and your competitors have a different idea. Don’t wait to find out what they can do with your private data.

John Sileo trains organizations to protect sensitive data, including that exposed on tablets, smartphones, laptops and social networking sites. His clients include the Department of Defense, Pfizer, Homeland Security and organizations of all sizes. Learn more about bringing in a Data Security Speaker or contact John directly on 800.258.8076.

Using the iPhone 4 to Spy on Competitors

Steve Jobs unveiled Apple’s new iPhone 4 on June 7 in San Francisco. While the new features keep the iPhone at the forefront of technology, they also cause some privacy concerns.

One concern that carries over from previous iPhone models is the always-on iPhone apps that track your every move through the GPS navigation system. Back in April, Apple began allowing location-tracking applications to run in the background. So, for example, companies like FourSquare, Yelp, and Facebook can continuously track your location, providing automatic notifications to your friends when you are less than 1/2 mile away from them, if you allow them.

For example, I just had a highly confidential client meeting at the client’s corporate headquarters. To the uninitiated, that means that the company I was visiting is probably having data theft issues (and has brought me in to help). If the media finds out that they are having these issues before the company has had a chance to start the damage control process, their stock will drop far faster than if they have prepared for the news to go public. If Facebook or FourSquare is broadcasting my whereabouts, my followers already know which company is having the problem, their competitors know it (if they are following my GPS broadcasts), and the media sits and waits for me to enter the building. Luckily, I’m not well-known enough for anyone to care, but just in case, I don’t broadcast my whereabouts. Other, far more influential people, do so without thinking twice about it. Which goes to show you that there are ways to utilize all of the cool new technology without letting it control you. With the right knowledge, you can take control of how your information is utilized.

Apple does realize the privacy concerns with location tracking and gives users a way to control how much information is shared. When you open an app, the top bar will show a little arrow in the right-hand corner, indicating location awareness (pictured to the right). There will also be a dashboard where you can toggle location-tracking permissions on and off for different apps. Regardless, this means that more companies will have access to your location than before.

High-definition video is a second tool that will be used by data spies. What could be easier than for an identity thief to pretend they are on the phone as they are actually filming you typing in your ATM PIN in front of them? Why does iPhone 4 change the game? Because Hi-definition means that they can stand further away and still get high quality video with which to read your data. A simple sweep of an office desk, a client file, etc. with high definition video gives me all of the documents I need to learn more about your company. Think of it as a spy camera that provides thousands of pictures a minute and is hidden as the most ubiquitous device on the planet – a cell phone. It’s a powerful tool both for good and bad.

There is no silver bullet solution to the new problems posed by GPS and Hi-Def video. As we teach in our Privacy Survival Boot Camps, what is required is an integrated privacy plan that implements some of the following steps:

  • Social Networking and GPS proper usage guidelines to make users aware of the consequences of their actions using these tools
  • Classification systems and clean-desk policies (so that a confidential document isn’t left out on the desktop to be filmed in the first place)
  • Access privileges (to keep non-authorized personnel from accessing sensitive areas)
  • Employee fraud training (to make everyone in the company aware of these issues and give them more detailed tools to protect themselves and the company)

The iPhone 4 is a wonderful business tool that will drastically increase the productivity and connectivity of the workforce. But like any powerful tool, it can be used for dishonest purposes. The first step is to educate yourself and your staff on how these tools can be used, for good or evil.

John Sileo is the award-winning author of Stolen Lives and Privacy Means Profit (Wiley, August 2010), a professional Financial Speaker and America’s leading identity theft expert. His clients include the Department of Defense, FTC, FDIC and Pfizer; his recent media appearances include 60 Minutes. Contact him on 800.258.8076.