Thursday, April 14, 2016

One-Time payment To Crack San Bernardino iPhone

There's another new wrinkle in the never-ending FBI vs Apple saga. The Washington Post is claiming that FBI did not require Cellebrite's assistance in hacking San Bernardino iPhone. Instead, the report claims, the government intelligence organization bought a previously unknown security bug from a group of professional hackers. According to the report, the hacker group provided FBI with at least one zero-day flaw in the iPhone 5c's security, which enabled FBI to circumvent the lockscreen and other security features. The bug hasn't been disclosed. FBI has previously noted that the technique it utilized in breaking into the iPhone 5c does not work with any new iPhone models (iPhone 5s or newer).

When you Reboot your PC all your files are gone - Jigsaw Ransomware

Researchers found a new ransomware yesterday called Jigsaw which will first lock your files and ask for a 0.4 Bitcoin ($150 USD) payment. If users don't pay, every hour the ransomware deletes your files. If the user restarts their PC, the ransomware also deletes 1,000 more files. The good news is there's a free Decrypter available to unlock the ransomware. The Decrypter was built by Michael Gillespie, who announced yesterday on Softpedia the ID Ransomware service, which tells infected victims what kind of ransomware infection they have by allowing them to upload an encrypted file and the ransom note.

65-Story Data Center

Two Italian architects have designed a data center that challenges how the structures are built. Instead of constructing a flat, sprawling complex, they are proposing a 65-story data center. From a visual perspective, the circular, futuristic-looking 'Data Tower,' as Marco Merletti and Valeria Mercuri call it, almost seems like something out of Star Trek. But it incorporates sustainable technology for efficiently cooling hundreds of thousands of servers while increasing reliance on automation. The building has a modular, cylindrical design that uses a series of pods to house servers, which are available for service in much the same way automated parking garage move cars. The data tower, as with a radiator, is designed to have the maximum contact surface with the outside. The pods are hooked on to the circular structure of the tower to form a series of vertical blades.

Thursday, April 7, 2016

End to End Key Management

CONIKS is an new easy-to-use transparent key-management system:
CONIKS is a key management system for end users capable of integration in end-to-end secure communication services. The main idea is that users should not have to worry about managing encryption keys when they want to communicate securely, but they also should not have to trust their secure communication service providers to act in their interest.
Here's the academic paper. And here's a good discussion of the protocol and how it works. This is the problem they're trying to solve:
One of the main challenges to building usable end-to-end encrypted communication tools is key management. Services such as Apple's iMessage have made encrypted communication available to the masses with an excellent user experience because Apple manages a directory of public keys in a centralized server on behalf of their users. But this also means users have to trust that Apple's key server won't be compromised or compelled by hackers or nation-state actors to insert spurious keys to intercept and manipulate users' encrypted messages. The alternative, and more secure, approach is to have the service provider delegate key management to the users so they aren't vulnerable to a compromised centralized key server. This is how Google's End-To-End works right now. But decentralized key management means users must "manually" verify each other's keys to be sure that the keys they see for one another are valid, a process that several studies have shown to be cumbersome and error-prone for the vast majority of users. So users must make the choice between strong security and great usability.
And here is CONIKS:
In CONIKS, communication service providers (e.g. Google, Apple) run centralized key servers so that users don't have to worry about encryption keys, but the main difference is CONIKS key servers store the public keys in a tamper-evident directory that is publicly auditable yet privacy-preserving. On a regular basis, CONIKS key servers publish directory summaries, which allow users in the system to verify they are seeing consistent information. To achieve this transparent key management, CONIKS uses various cryptographic mechanisms that leave undeniable evidence if any malicious outsider or insider were to tamper with any key in the directory and present different parties different views of the directory. These consistency checks can be automated and built into the communication apps to minimize user involvement.

Monday, April 4, 2016

From a technology perspective when last your audit department audited ?

When recently heard from a forward-thinking CAE who asked the internal audit team to audit themselves and come back with recommendations on ways to improve performance including, specifically, the ways that technology is applied.
Initially, this seemed to me to be a fairly unusual—but well worthwhile—concept. After a bit of reflection, it struck me that this really should be commonplace. After all, any audit department that adheres to the IIA’s professional practice standards needs to be subject to “ongoing performance monitoring” under the requirements of the Quality Assurance and Improvement Program. The IIA clearly defines the procedures involved in performing a quality assessment and describes the various aspects of an internal audit function that should be assessed. Standards of performance include both the quality and productivity of audit work.
So how often do you look closely at the way that technology supports and improves your internal audit quality and productivity? Arguably, this is something that should be done on an ongoing basis. In practice, though, I suspect it usually only happens when something happens: a new CAE is appointed, or a major version upgrade is required to the software that has been in place for a decade. Yet technology changes constantly—hopefully for the better—and new functionality appears that can make a real improvement in the way that software can be applied.

Why aren’t technology assessments part of ongoing performance monitoring?

Perhaps one issue is that the IIA is fairly vague about the requirements for the use of technology. Standard 1220.A2 states that “In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.” A requirement solely to “consider” is not exactly very demanding. But, as an increasing number of audit teams can demonstrate, the right technology can do much to transform the quality and productivity of audits.
So why not go beyond the IIA’s directives for the use of technology and really focus on the ways that audit performance can be positively impacted through improved tools and techniques?

Being “too busy to improve” wastes time and money

too-busy-to-improve
Of course, it does take some time and effort to go through a serious technology assessment process, and maybe the idea of doing so just gets ranked in terms of priorities as “a good idea—but now is not a great time.” But, as there is probably never going to be a great time, this really means: “I guess we have to stick with our good old spreadsheet, Word docs, and folder system—or outdated audit software—even though it is clunky and doesn’t really do anything close to all the things we want it to.”
One way out of this impasse that I have seen work effectively, is to task someone with establishing a business case for the use of improved technology. The good thing about a business case is that, if done properly, it causes people to really think about what could be achieved and to do so realistically in terms of benefits and costs. Some of the more qualitative benefits may be harder to quantify—but considering how an audit team currently performs—in terms of both quantity and quality of audits—and how it could perform, seems like a pretty good investment of time. Building a business case also provides a source for goals and measures that can be used in monitoring the success of new technology once it has been implemented.

Analysts Says That Tesla May Need Cash To Deliver On the Model 3

After receiving more than 198,000 Model 3 preorders in the first 24 hours, Tesla may need more cash if it hopes to deliver their new electric vehicle to customers on time, analysts said. Elon Musk plans to launch the Model 3 in late 2017, eventually boosting the company's annual production tenfold to 500,000 by 2020. Many analysts believe some customers making early reservations may not receive their vehicle until 2019 or 2020. Morgan Stanley analyst Adam Jonas, predicted Tesla's sales will hit under 250,000 in 2020. Barclays analyst Brian Johnson, believes the surge of Model 3 reservations could reach 300,000 by the end of June. Some analysts expect the first cars will sell for an average of $50,000-$60,000, but Tesla prices its current models in several "tiers," depending on content and optional features. RBC analyst Joseph Spak said strong initial orders for the Model 3 could help Tesla achieve positive free cash flow. In February, the company said it expected to be cash-flow positive in March. Spak said Tesla may not be able to fulfill many of the early orders before 2019: "Demand was never really our concern, it is more about execution and getting production up to meet demand."

Sunday, April 3, 2016

Method to crack San Bernardino iPhone is close ended

A new method to crack open locked iPhones is so promising that US government officials have classified it. The government now says it may have figured out a way to get into the phone without Apple’s help. But it wants that discovery to remain secret, in an effort to prevent criminals, security researchers and even Apple itself from reengineering smartphones so that the tactic would no longer work.Currently, the Justice Department is still testing to make sure the method doesn’t damage or erase data stored on devices before using it on Farook’s phone.

The technique does successfully allow the government to get inside locked iPhones. Apple has said repeatedly that data stored on locked iPhones shouldn’t be able to be accessed without the user’s passcode, which Apple doesn’t have. Hacking into a locked smartphone requires exploiting a security flaw in its software, and most technology companies fix these flaws once they learn about them.This means that the government likely hasn’t found a usable panacea to getting around iPhone encryption.

Brains behind the tactic is Cellebrite – the provider of mobile forensic software from Israel  is helping the FBI in its attempt to unlock iPhone 5C that belonged to San Bernardino shooter.
The company's website claims that its service allows investigators to unlock Apple devices running iOS 8.x "in a forensically sound manner and without any hardware intervention or risk of device wipe.
The tool which they claim is Universal Forensic Extraction Device (UFED) that claims to help investigators extract all data and passwords from mobile phones but still I'm not sure whether they used this technique to hack into the phone . Although the technique the FBI used to crack the iPhone is not disclosed and likely will not be any time soon, several experts suspect it involved NAND Mirroring

This is a technique used to copy the contents of the phone's NAND memory chip and flash a fresh copy back onto the chip when the max number of attempts is exceeded. The plus is that both sides got what they wanted without setting a precedent and the negative is that the precedent was never actually decided, so we’ll probably get to go through all of this again. The upside of this downside is that it seems likely that the “crack” used by the FBI was a tricky and physical one, perhaps involving disassembling the device and even desoldering or piggybacking its flash storage chips. So, for all that an unintentional backdoor is now known to be available, it’s probably not a simple click and finish matter.