Doug Lhotka

Technical Storyteller

Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

iOS 11 crack – should you be worried?

By

(c) DepositPhotos / Gang Liu

There are a number of media reports out that Israeli firm Cellebrite is now able to unlock iPhones even running the latest version of iOS, including the iPhone X.  Should you be worried?  Let’s look at some potential threats.

One rumor, via Bruce Schneier indicates that it only defeats the password limitation mechanism, rather than move the data off the phone to run an offline password cracker.  The defense against that is to use a strong passcode – six digits may be enough, as long as you avoid meaningful patterns (e.g. birthday, anniversary, etc) to force an exhaustive search.  I prefer a full 8-character alpha/numeric/special passcode myself, especially now that it’s used as an actual encryption key rather than just a device unlock code.  I’ve written about why I prefer TouchID over FaceID before – part of the reason is that it makes using a robust passcode more user friendly (less lockouts).  Net is that you can mitigate this threat.

Other speculation is that they’re directly reading the memory chips, and then performing an offline crack.  That makes it an error prone (e.g. frying the phone), expensive, and highly targeted attack.    Again, using a long, robust passcode is a defense against this – and I’d look at using as long a passphrase as iOS allows if you’re in that situation.  Otherwise, this isn’t an scalable option.

The last option is a software bug.  Apple’s been in the news a lot lately for security blunders, and there’s been widespread discussion of the decline in software quality over the past few years.  It appears that message has been heard, as Apple’s now moving towards a ‘when it’s ready’ rather than ‘when it’s scheduled’ model for feature releases.  Part of that includes this year’s releases as focusing on bug swatting – a ‘Snowy High Sierra’ release if you will.  I’ve no doubt that Apple will close any known bugs that allow device bypassing as quickly as they can.

In the end, while this is technically impressive, and certainly of interest, it’s not something the average person needs to worry about.  Use a strong-enough passcode to protect not only the data on the device, but the data that it can access via email or cloud services.  Turn on the escalating timeout lock, and the wipe-after-attempts options.  Make sure you have Find My Phone turned on, so you can remote wipe it, and most importantly, use a robust passphrase (or 1Password random string) for your AppleID.  That’ll keep you safe from all but a deep pocketed threat.

Dead drive? Dispose Securely

By

(c) Dreamstime

I was recently asked how to dispose of an old hard drive in a secure manner.  This comes up all the time, and unfortunately most folks just toss them in the trash or electronics recycle bin without thinking, or worse, sell it on eBay.  The best option is an industrial hard drive shredder, but they’re a tad bit expensive for a small business or individual.  So what to do?

This came up in conversation recently, when someone asked why I had band-aids on a couple of my fingers.  I started to make up a story about finding a lost saber tooth tiger, but that didn’t go very far so I fessed up and admitted that it was wrestling with an external hard drive case so I could destroy the disk.  I’m not sure that was any more believable, but it was true.

The best option of course, is to encrypt the disk when it’s brand new, and then disposal is straightforward – recycle or trash, no destruction needed.  In fact, that’s about all that ‘encryption at rest’ is good against in data centers, unless you have folks walking in and stealing drives out of a running array.  In this case, it was an old disk that I hadn’t bothered encrypting, so really did need to destroy it.  The biggest challenge is opening the ‘techie-proof’ enclosures that pre-built drives come in.  The hard drive manufacturers do that to prevent companies from harvesting inexpensive consumer disks for use in large arrays, but it causes major end of life problems.  Between prying, wedging, and the occasional sawsall to cut through the plastic and glue, I eventually managed to get it open, with the aforementioned digital wounds.

Once open it actually gets easier if you have the right tools.  Torx bits are a must, and you have to hunt for the screws under the labels to get it open.  Once the outer case is open, there’s two options.  If it’s a small laptop drive, the platters can usually be shattered (safety goggles please).  For desktop drives, it’s a continued battle of the screws and bits, but eventually you can get each platter out – then just grab your pliers, bend each one in half.  Unless you’re storing major secrets, that’s likely secure enough for disposal.

If you have someone who doesn’t like to use whole disk encryption, having them do this a few times will cure that quickly.  It’s tedious and occasionally painful.  But far less painful than having your data stolen out of an eRecycling facility.

Securing the Information Supply Chain

By

© Alain Lacroix | Dreamstime.com

It’s no secret that we’re in the information age and the rise of the CIO to prominence in most organizations reflects that.  Google, Facebook, Amazon (?), are all large companies whose entire business model is based on the flow of information from creators to customers.  So if that’s the new supply chain, can we leverage concepts from the physical world to the virtual?

With physical goods we have centuries long patterns for value flow, risk assessment, and optimization strategies.  Those can include everything from accounting for weather along the transportation route, geopolitical disruption of critical goods, regulatory oversight requirements, and criminal activity – from fraud to hijacking to shrinkage.  Companies that operate in the physical world understand very well how to get from materials to goods to customer to cash.

Yet those same companies often neglect the information supply chain that follows the goods. While this is starting to change, as the interest in using blockchain to track products shows, most organizations are only focusing on sections of the overall business process, leaving gaps for attackers (either murphy or malice) to exploit.  The approach harkens back to the 90’s and early 00’s, to the days of business process re-engineering and enterprise architecture.

We first map out the core business processes – from raw materials, through manufacturing, to delivery to customers, and ultimately to cash to the business.  Once we have those processes identified, at each stage, we identify the critical information assets required as part of the step, and conduct a threat and risk assessment for each one.  We often find that a piece of information that’s critical at one stage of the process (and highly secured there), actually originates much earlier in the workflow where it may not be critical and properly secured.  Likewise, information that’s critical at one stage, may later not be important any longer, yet expensive security practices continue beyond the ‘expiration date’, wasting resources that could be more effectively deployed.  We don’t continue to use armed guards after the semi-trailer is empty.

Of course, records retention policies and regulations, litigation, and audit requirements make extend the lifespan of information beyond it’s useful date, but that’ll all come up as part of this process.  Having a good handle on the information lifecycle allows for defensible destruction policies that are often missing from most organizations.  Have you purged your email recently?

The key here is that all this work then drives cybersecurity policies to a new level of maturity – ensuring that there’s complete coverage and appropriate investment based on business risk.   So for a late new year’s resolution, let’s make sure that we take time from the day-to-day headline-driven work, and work with our business stakeholders and CIO’s to document, assess, and secure, the information supply chain.