FBI’s new iPhone exploit raises old questions about software vulnerability disclosure

It seemed like Apple dodged a bullet.

One day before the technology giant was set to face off with the United States government over a federal court order demanding it help the FBI unlock a dead terrorist's iPhone, the Department of Justice called the whole thing off.

The most high-profile case in a long-brewing war over government access to encrypted technology had just taken an unexpected turn. James Comey, director of the Federal Bureau of Investigation, had recently told U.S. lawmakers that the bureau could not unlock the iPhone 5C of San Bernardino shooter Syed Farook without Apple building a custom operating system that would let federal agents flood the device with password guesses. The FBI gaining access to the locked and encrypted phone without Apple's assistance, a move Apple and its supporters in the legal fight said would set a dangerous precedent, was thought to be all but impossible.

Civil-liberties advocates and computer security experts breathed a collective sigh of relief. Apple wouldn't be forced to create software that intentionally weakens the security of its devices, potentially undermining the security of all iPhone users.

Now there's a new problem: The fact that the FBI found a way into the supposedly secure iPhone without Apple's help means its mobile operating system, iOS, has a weakness that, if it falls into the wrong hands, could wreak havoc on millions of people around the world.

Security experts and Apple say the FBI has an obligation to tell the company how it hacked into Farook's iPhone, a move that would run counter to the law-enforcement agency's investigative offense, so its engineers can fix the now-famous weakness.

"If the government knows about vulnerabilities in software used by the general public, it should report the vulnerability to the developers responsible for the software, so that the public and its information can be kept as secure as possible from cyberattackers," Christopher Soghoian, principal technologist and senior policy analyst at the American Civil Liberties Union, told The Daily Dot via email. "When the government sits on (and quietly exploits) flaws in widely used software, it puts its own surveillance needs over the cybersecurity of the American public."

The FBI finding a security vulnerability, critics say, means criminals, oppressive regimes, and thieves can find and exploit the vulnerability, too. If Apple knew about the flaw in its code, its engineers could patch the vulnerability, preventing anyone, police or criminals alike, from using it to hack into iPhone users' devices.

The FBI contends that access to encrypted communications and devices is necessary to protect the public from criminal and terrorist threats. But patching whatever flaw the bureau found wouldn’t stop the FBI from using the data they uncovered by exploiting the vulnerability, said Susan Landau, a professor of social science and policy studies at Worcester Polytechnic Institute and a former senior privacy analyst at Google.

"Once they've seen there is a vulnerability that they can use (or in this case, broken into the phone), there is no loss to them in reporting the vulnerability to the vendor," Landau said in an email. "Even if the vendor subsequently patches this problem, it will not stop law enforcement from accessing the data in the device they have already hacked."

It's unknown what method the FBI used to gain access to Farook's phone, or who is helping them do it. The current unconfirmed rumor is that an Israeli forensics contractor, Cellebrite, is behind the hack. Cellebrite has repeatedly declined to confirm or deny its cooperation with the FBI in this case, or whether it has a method to extract data from an encrypted iPhone.

The debate over vulnerability disclosures reached the highest levels of the U.S. government in 2014, when Michael Daniel, special assistant to the president and cybersecurity coordinator, wrote a blog post on the White House website effectively defending the government’s right to keep software vulnerabilities secret.

The post followed the discovery of a fatal flaw, called Heartbleed, in OpenSSL, the crucial Internet infrastructure that encrypts sensitive data like your bank login or credit card numbers. The flaw allowed attackers to snatch passwords and other data from vulnerable servers. In the hands of an extremely powerful agency like the NSA, it would be the ultimate tool for hacking a wide array of targets. The NSA denied having prior knowledge of the bug, and the Office of the Director of National Intelligence said at the time that "if the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."

In his post, Daniel weighed the pros and cons of disclosing software vulnerabilities to technology providers. "As with so many national security issues, the answer may seem clear to some, but the reality is much more complicated," Daniel wrote. "One thing is clear: This administration takes seriously its commitment to an open and interoperable, secure, and reliable Internet, and in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest."

Many would characterize Daniel's claim as disingenuous. According to Soghoian, "all the available evidence we have regarding the FBI's use of security exploits suggests that they hoard them for offensive purposes."

Davis goes on to discuss what's known as the vulnerability equities process, a system in which government agencies judge the consequences of disclosing a discovered vulnerability versus exploiting it. This process, Soghoian said, is "stacked in favor of offense, and, in my view, fundamentally broken."

Software vulnerabilities are not created equal. It's possible the FBI's exploit is a highly advanced technique that involves expensive tooling and extensive forensics experience, putting it out of the reach of a petty criminal who snatched an iPhone left on the subway. Does the FBI still have an obligation to expose its technique to Apple?

"Unequivocally yes," said Amie Stepanovich, U.S. policy manager at Access Now, a digital-rights advocacy group.

"Everybody will be vulnerable to it," Stepanovich told the Daily Dot via email. "It's just a matter of who can actually be targeted by it."

As Stepanovich explained, high-level people all over the world use these devices, from company CEOs to government officials. "These are not only used by the layperson," she said. "However, even the layperson could be targeted by bad actors for any number of reasons."

Because of the risks at stake for all iPhone users, said Stepanovich, the FBI should report the vulnerability as quickly as possible.

"Vulnerabilities are never patched immediately," Stepanovich said. "Patches have to be built, and that takes time, so every day that they are not reporting this vulnerability is another day that they are going to require Apple to work to figure out how to patch it."

A failure to report vulnerabilities immediately, Stepanovich argued, is "a dangerous proposition" that is "making millions of people vulnerable to attacks."

The question of whether the government should report security vulnerabilities to software manufacturers extends beyond Syed Farook's iPhone. Soghoian cited a ruling by a judge requiring the FBI to explain how exactly it was able to exploit the Tor browser, a modified version of Firefox that encrypts user traffic over the specialized Tor network, to hack visitors of a child-exploitation website. The FBI is pushing back against disclosing the exploit to the defense, something Soghoian calls "outrageous."

"The government used an exploit impacting the Tor browser … in of 2015. They are fighting defense efforts, one year later, to turn over their exploit code (to the defense, not to Mozilla), because they don't want the vulnerability to be publicly disclosed and fixed by Mozilla/The Tor Project," Soghoian said. "That DOJ is sitting on an exploit impacting one of the most popular pieces of software in the world, used by hundreds of millions of law-abiding people, is totally outrageous."

Photo via Michael Himbeault/Flickr (CC BY 2.0) | Remix by Max Fleishman

FBI raids dental software researcher who discovered private patient data on public server

Someone alerts you to exposed, unencrypted patient information on your FTP server. Is the correct response to thank them profusely or try to have them charged as a criminal hacker?

It is not a trick question. Once again, a security researcher has found himself facing possible prosecution under a federal statute known as the Computer Fraud and Abuse Act (CFAA). His crime, according to a dental-industry software company, was accessing what had been left publicly available on the open Internet.

Meet dental computer technician and software security researcher Justin Shafer, 36, of Texas.

Shafer and his wife were sound asleep at 6:30am local time on Tuesday morning when the doorbell started ringing incessantly, and the family heard a loud banging on their door.

"My first thought was that my dad had died," Shafer told the Daily Dot in a phone interview, "but then as I went to the door, I saw all the flashing blue and red lights."

With the baby crying in fear from the racket, Shafer opened the door to find what he estimated to be 12 to 15 FBI agents. "One was pointing a big green assault weapon at me," Shafer told the Daily Dot, and the baby's crib was only feet from the door.

The agents allegedly ordered Shafer to put his hands behind his back. As they handcuffed him, his 9-year-old daughter cried in terror, Shafer said, and his wife tried to tell the agents that there were three young children in the house.

Once handcuffed, Shafer was taken outside, still in his boxer shorts, still not knowing what was going on or why.

Over the next few hours, the agents seized all of Shafer's computers and devices, "and even my Dentrix magazines," Shafer said. "The only thing they left was my wife's phone." The seized property list, a copy of which was provided to the Daily Dot, shows that federal agents took 29 items.

For those who do not recognize his name, Shafer was responsible for exposing the fact that Dentrix software, produced by Henry Schein Dental, was misleading customers when it claimed to provide encryption. In collaboration with DataBreaches.net, a site operated by your author, he exposed that vulnerability and filed an FTC complaint that recently resulted in Henry Schein signing a consent order to settle Federal Trade Commission charges.

8:30am, FBI agents outside Shafer's home, as seen through a neighbor's window. Courtesy of Shafer's neighbor

So why was the FBI raiding Shafer and treating him like a dangerous criminal? The Daily Dot was unable to obtain a copy of the probable cause affidavit by the time of publication, and it may be under seal. But as one agent subsequently informed Shafer, it stemmed from an incident in February, when Shafer discovered another security vulnerability in dental records, this one a publicly available File Transfer Protocol (FTP) server operated by the team behind Eaglesoft, a dental practice management software.

Eaglesoft is manufactured by Patterson Dental, a division of Patterson Companies. According to Shafer, he was researching an issue with hard-coded database credentials when a search for a password led him to an anonymous FTP server that allowed anyone access. When Shafer looked at the files on the publicly available server and saw a directory with patient data, he took steps to alert Patterson to secure the protected health information.

The FBI was not, of course, there to commend Shafer for responsible disclosure. The agent told him that Patterson Dental was claiming Shafer had "exceeded authorized access" in accessing its FTP server, which is illegal under the CFAA. Attempts by the Daily Dot to contact Patterson by email, website contact form, and phone over the past 24 hours produced no responses.

Shafer discovered the exposed patient data at the beginning of February and contacted DataBreaches.net to request help with the notification and responsible disclosure. Both DataBreaches.net and Shafer began attempting to notify Patterson and clients whose unencrypted patient information had been exposed for an unknown period of time. Over the next few days, we emailed or called Patterson; Timberlea Dental Clinic in Alberta, Canada; Dr. M Stemalschuk in Canada; Massachusetts General Hospital Dental Group; and Dr. Rob McCanon.

Only after Shafer determined that the patient data had been secured did he and DataBreaches.net disclose the incident publicly. As reported on DataBreaches.net, Shafer found that 22,000 patients had had their unencrypted sensitive health information at risk of access by others. It is not clear how long the publicly accessible FTP server was available, and Patterson Dental did not answer the questions DataBreaches.net asked of it on the matter. Shafer told the Daily Dot, however, that the FTP server had been unsecured for years. In an email statement, he wrote (typos corrected):

"Many IT guys in the dental industry know that the Patterson FTP site has been unsecured for many years. I actually remember them having a passworded FTP site back in 2006. To get the password you would call tech support at Eaglesoft\Patterson Dental and they would just give you the password to the FTP site if you wanted to download anything. It never changed. At some point they made the FTP site anonymous. I think around 2010."

A cached copy of the directory, still available on FileWatcher, shows that the files were originally uploaded in 2009:

A cached copy of the directory, found on FileWatcher, indicates that some files may have been exposed as early as January 2009. FileWatcher

Shafer wrote about the exposed patient data on his blog, but he also called attention to a security vulnerability he had found with Eaglesoft itself, a vulnerability that would make it easy for someone to attack a database and steal patient information. Shafer reported the vulnerability to CERT, a division of the Software Engineering Institute at Carnegie Mellon University that is sponsored by the Department of Homeland Security, which issued a Vulnerability Note.

CERT's records indicate that, since Patterson Dental was first notified on Feb. 19, the company has yet to provide CERT with a plan to patch or address that vulnerability. Patient data may still be at risk, as CERT describes the impact of the vulnerability this way:

"An attacker with knowledge of the hard-coded credentials and with network access to the database may be able to obtain sensitive patient information."

Knowledge of those hard-coded credentials is fairly widespread, Shafer claimed in a blog post, where he provided the default login for read access.

To recap: Shafer reported that Patterson Dental had left patient data on an unsecured FTP server, and then he called attention to another vulnerability in one post in February, and then again in a second post in March. And now, according to an FBI agent, Patterson Dental was allegedly claiming that in accessing their unsecured anonymous FTP server, Shafer had accessed it without authorization and should be charged criminally under CFAA.

Shafer is now left wondering, is this an attempt to silence or discredit him? This would not be the first time a company seemingly attempted to chill Shafer's speech about their security issues. And he would certainly not be the first researcher accused of criminal hacking.

After programmer and open-data activist Aaron Swartz took his own life in 2013 under the pressure of what many described as an overly aggressive prosecution under CFAA, there was public support for reforming the law. In February 2013, Cindy Cohn and Marcia Hofmann of the Electronic Frontier Foundation addressed the need to reform the law and to protect researchers from criminal prosecution in certain scenarios. They wrote:

"The law needs to protect tinkerers, security researchers, innovators, and people who seek to avoid being tracked and discriminated against. The CFAA not only fails to protect these people, it allows ambitious prosecutors (and unhappy companies) to target them."

Despite increased support, a bill proposed by Sens. Ron Wyden (D-Ore.), Rand Paul (R-Ky.), and Rep. Zoe Lofgren (D-Calif.) failed to pass last year. More than three years after Swartz's death, CFAA has yet to be reformed, and unhappy companies can still attempt to get security researchers prosecuted as criminals.

Prophetically, perhaps, one FBI agent asked Shafer how he knew Andrew "weev" Auernheimer, a notorious hacker-troll who became famous for leaking the personal information of AT&T iPad users he accessed through the company's publicly available website. Shafer told him that they didn't know each other, but he had tweeted to him that he was glad he was out of jail (after a court overturned Auernheimer's conviction in a hacking case over a challenge to venue).

There are some similarities between Auernheimer's prosecution for hacking AT&T and Shafer's situation. As George Washington University Law professor and CFAA scholar Orin Kerr explained in 2013, when asked why he was representing Auernheimer pro bono on appeal:

"At bottom, the conduct here was visiting a public website. As the Sixth Circuit stated in Pulte Homes, Inc. v. Laborers International Union Of North America, 648 F.3d 295 (6th Cir. 2011), everyone is authorized to visit an unprotected website that is open to the public."

The same should be true of FTP servers that have no protection on them and are indexed where anyone can find them via a search engine, legal experts say. When asked for his opinion on Shafer's case, Kerr told the Daily Dot:

"This is a troubling development. I hope the government doesn't think that accessing unsecured files on a public FTP server counts as an unauthorized access under the CFAA. If that turns out to be the government's theory, which we don't know yet, as we only have the warrant so far, it will be a significant overreach that raises the same issues as were briefed but not resolved in weev's case. I'll be watching this closely."

For his part, Shafer shared his feelings about Patterson Dental with the Daily Dot, saying that they are the ones who acted irresponsibly.

"I think it is a cowardly thing to do to my family," he said. "I think they owe me a thank you, and I think they owe the patients and covered entities an apology. I also feel like they should be heavily fined for storing patient data on an anonymous FTP site for years."

Asked whether he was nervous about the possibility of being prosecuted, he replied: "Yes, only because of how I see how harsh they were to guys like Chelsea Manning and guys like Aaron Swartz. Although I haven't heard of anyone being prosecuted for downloading files from an anonymous FTP before, I suppose there is a first time for everything."

Defense attorney Tor Ekeland, who represented Auernheimer in the federal court case in New Jersey, has offered to help Shafer, telling the Daily Dot, "It's weev all over again."

If the government does plan to charge Shafer, which remains undecided, it may find itself up against some legal heavy-hitters on the CFAA. It will also be forced to confront that, while exposing a company's inadequate security may not be good for its business, chilling security research could be bad for consumers and all businesses.

Dissent Doe is the pseudonym of a privacy advocate who reports on privacy issues and data security breaches on PogoWasRight.org and DataBreaches.net. Her research on breaches has fueled resources such as DataLossDB.org and InfoisBeautiful, and it has served as the basis for a number of Federal Trade Commission investigations.

Apple at 40: privacy, software and new device frontiers are key challenges

Pioneering tech firm will be hoping to avoid a midlife crisis, while staying relevant in an ever-evolving industry

Founded on 1 April 1976, Apple celebrates its 40th birthday on Friday, and from a garage in Los Altos to a new spaceship-shaped HQ in Cupertino, it has come a long way.

It enters its fifth decade with a market cap of $621.8bn and, in CEO Tim Cook's words, "the mother of all balance sheets" with almost $216bn of cash reserves.

Researchers build software that can predict your lifespan

(CNN) Imagine if a computer could tell you how many days you had left.

You might decide to live your life differently — perhaps spending your money in other ways, or making your health a bigger priority.

DRM on Oculus accidentally made it easier for pirates to play stolen software

An update issued by Oculus for its virtual reality platform, designed to prevent exclusive titles from being played on competitors' headsets, may have inadvertently made the company's games even easier to pirate.

On Friday, Oculus released an update to its software that included a new DRM designed to perform "platform integrity checks" to ensure that titles designed for Oculus were played specifically on its platform. The patch killed, likely not by accident, a community tool called Revive that enabled users to run Oculus titles on any VR headset, including alternatives like the HTC Vive.

The attempt to squash the popular hack came back to bite the company in record time: the developer responsible for Revive has already circumvented Oculus’ new security measures, and has done so in a way that would enable VR headset owners to pirate titles rather than simply run them on unsupported platforms.

The prior version of Revive copied functions from Oculus Runtime and translated them to OpenVR, the API that works with Vive and other headsets, according to a report from Motherboard. The latest version of Revive bypasses Oculus' ownership check entirely, meaning the platform can no longer confirm that a user actually owns the title they are attempting to play.

Revive’s developer, who goes by LibreVR on Github and CrossVR on Reddit, told the Daily Dot that it took “no more than a few hours” to bypass the DRM. “I really didn’t want to go down that path,” the developer wrote on Reddit. “I still do not support piracy, do not use this library for pirated copies.”

The developer does note that even though Revive is capable of bypassing the ownership check, it’s still not a foolproof solution. “It’s still not working for a lot of games, so this is still a big blow to Revive compatibility,” CrossVR said on Reddit. “And it’s the start of an arms race with Oculus that I’m not sure I will win or even want to participate in.”

For the time being, Revive supports Unreal Engine games but not titles built on the Unity Engine, a shortcoming that will continue until full compatibility can be implemented over time.

Revive first appeared in April 2016 and instantly presented a challenge to Oculus by allowing users to easily run Oculus-exclusive titles on other platforms. For Oculus, which was already experiencing a rough launch with shipping delays and a dubious and overreaching user agreement, having content that couldn’t be found elsewhere remained a primary selling point for the product.

The company has attempted to protect that, operating more like a gaming console than a PC peripheral. But being a product powered by PC and appealing to a community familiar with modding and hacking, it was unlikely that something like Revive wouldn't crop up eventually; Oculus founder Palmer Luckey has even expressed an understanding of that in the past, stating, "If customers buy a game from us, I don't care if they mod it to run on whatever they want… our goal is not to profit by locking people to only our hardware."

Oculus has been considerably less carefree in its response to Revive. "This is a hack, and we don't condone it," a spokesperson for Oculus told the Daily Dot. "Users should expect that hacked games won't work indefinitely, as regular software updates to games, apps, and our platform are likely to break hacked software."

Future updates to Oculus will surely continue to break Revive and similar hacks, whether intentionally and in a targeted manner or not. For CrossVR and other developers who may want to hack Oculus, the relationship with the company will likely be like a game of whack-a-mole, with the hammer dropping every time a new workaround pops up.

When asked if Oculus and Revive could coexist, CrossVR expressed his hope that they won’t have to. “It is much better for consumers if they can choose any VR headset without having to use workarounds,” he said.

H/T Engadget

The Oracle-Google Case Will Decide the Future of Software

The legal battle between Oracle and Google is about to come to an end. And nothing less is at stake than the future of programming. Today lawyers for both companies are set to make their closing arguments in the fight over whether Google's use of the Java application programming interface (API), an arcane but critically important part of the Android mobile operating system, was legal. Regardless of how the jury rules, the case has already had a permanent effect on the way developers build software.
