Posts tagged need

Those “Backdoors” in Apple’s iOS: What You Need To Know

Security researcher Jonathan Zdziarski started a firestorm over the weekend when he presented findings that Apple has—apparently deliberately—created undocumented “backdoors” in its iOS operating system that third parties could use to siphon personal data from iPhones and iPads under certain circumstances without notice, much less consent of the user.

Apple, meanwhile, has taken issue with Zdziarski’s analysis, although its response—such as it is—falls short of a complete denial.

It’s a complicated issue, so here’s a quick FAQ to help you sort through it all.

Should I panic?

No. In a blog post summarizing his work, Zdziarski includes this helpful note: “DON’T PANIC.”

The backdoors he describes aren’t the sort of thing your average cybercriminal can easily exploit. There’s no evidence that they’ve been used for identity theft or any sort of related criminal attack on iPhone or iPad data. At least so far, that is.


On the other hand, if you think the NSA or regular law enforcement might be tracking you, then Zdziarski might have described some of the backdoors by which their agents could be delving into your digital life.

Beyond that, they’re an intriguing mystery—one that Apple has yet to explain.

Hold on a moment. What’s a backdoor?

Like the word suggests, a backdoor is a simple or unguarded route into an otherwise secure system. Think Matthew Broderick’s character in War Games sussing out a way to access WOPR by guessing a backdoor password specific to the system’s creator (his dead son’s name—a classically terrible password, by the way).

How would the NSA (or whoever) make use of these backdoors?

Zdziarski, a forensics expert and one-time iOS jailbreaker who’s written several books about iPhone development, described three iOS services that appear to have an unusual degree of access to raw and potentially sensitive data gathered by or stored on the phone. These services are also apparently designed to collect that information, package it and dump it out upon request, either via USB or wirelessly over Wi-Fi.

These features are undocumented, meaning that they’re not described by Apple in the sort of detail it normally provides to third-party developers who might make use of them. According to Zdziarski, however, they are installed and active on roughly 600 million iOS devices. They provide no indication that they’re operating, and there’s no way for users to turn them off.

Perhaps most ominous, these services can send out unencrypted information even if users have chosen to encrypt the data they back up through iTunes. Zdziarski calls this behavior “bypassing backup encryption” and considers it deceptive at best.

That all sounds pretty panic-worthy. Isn’t it?

Turns out there’s a catch. These services only work when an iPhone or iPad is “paired” to a trusted device, such as the computer you run iTunes on. (Bluetooth pairing with, say, a set of headphones doesn’t count.) That greatly limits the ability of any attacker to exploit these services and rifle through your iPhone.

It is, however, possible to spoof that pairing. Every pairing generates a set of cryptographic keys and certificates designed to identify trusted devices to one another—and on the iPhone side, those keys and certificates are never deleted unless the user does a full restore or a factory reset on the device. Prior to iOS 7—the version used by most iPhones—pairing happened automatically without any user intervention. (iOS 7 now requires the user to approve pairing with a “trusted” device.)

As Zdziarski put it in a March 2014 technical journal article describing his findings: “[E]very desktop that a phone has been plugged into (especially prior to iOS 7) is given a skeleton key to the phone.” And that skeleton key is transportable, because a sufficiently motivated attacker can copy pairing keys and certificates from one computer to another. 

Who would go to all the trouble of tracking down those keys and copying them?

Well, the police might, if they thought you were involved with organized crime. So might the NSA, the FBI or a number of other intelligence agencies. And of course some of these outfits could also create seemingly innocuous “paired” devices such as an alarm clock or charging station that would run malicious code once connected to your phone.

As noted above, though, it’s not the sort of thing your average Belarusian hacker is likely to use to take over your phone any time soon.

OK, tell me more about these undocumented services. What are they and what do they do?

In a presentation he made at the Hope X hacker conference in New York this past weekend, Zdziarski focused on three particular services known by the technical names com.apple.pcapd, com.apple.mobile.file_relay and com.apple.mobile.house_arrest. (You can see the slides from Zdziarski’s talk—all 58 of them—here.)

The pcapd service starts what security professionals call a “packet sniffer” on an iOS device—basically, software that records all data traffic to and from your iPhone. It’s installed by default on all iOS devices, and operates whether a phone is in “developer mode” or not, suggesting that it’s not a developer-specific feature. And it gives the user no warning when it’s activated.

“This means anyone with a pairing record can connect to a target device via USB or Wi-Fi and listen in on the target’s network traffic,” Zdziarski wrote in his March paper.

The file_relay service, according to Zdziarski, exists to vacuum up large volumes of raw data from particular sources on an iPhone and then to dump it out in unencrypted form. Several years back, file_relay appeared fairly innocuous. In iPhoneOS 2.0 (an early predecessor to iOS), it was only able to access six data sources, including “Apple Support,” “network,” and “CrashReporter.”

By iOS 7, however, file_relay’s reach had expanded to include 44 data sources, many of which specifically address the owner’s personal information. These include the address book, accounts, GPS logs, maps of the phone’s entire file system, a collection of all words typed into the phone, photos, notes, calendar files, call history, voicemail and other records of personal activity that have been cached in temporary files.

Small wonder Zdziarski calls file_relay “the biggest forensic trove of intelligence on a device’s owner” and a “key ‘backdoor’ service” that provides a significant amount of data that “would only be relevant to law enforcement or spying agencies.”

The third service, house_arrest, originally allowed iTunes to copy documents to and from third-party apps. Now, however, house_arrest has access to a much broader array of app-related data, including photos, databases, screenshots and temporary “cached” information.

Couldn’t these services have legitimate functions?

Maybe, although it’s difficult to understand why they’d have such apparently untrammeled access to so much information. That’s a pretty major security failing under any circumstance.

Zdziarski also runs through a number of possible explanations—that they might be used in iTunes or Xcode (Apple’s iOS app-development environment), or in developer debugging, or by Apple support, or in Apple engineering debugging—and shoots each one down in turn. 

It’s very difficult to construct an explanation for legitimate, non-surveillance uses of services that aren’t documented, that bypass backup encryption, that have access to otherwise inaccessible user data and that give the user no notification that they’re accessing and dumping out information. Oh, and whose code Apple has maintained and updated across several versions of iOS.

Given Apple’s historical issues with lack of cooperation and infighting between technical teams, it’s also conceivable that these services grew without much direction at all, almost by accident, as engineers struggled to solve other technical problems without writing a whole bunch of new code. Call this the it-ain’t-pretty-but-it-works explanation.

Is it plausible? Your guess is as good as mine. And it’s still a major security fail.

What does Apple have to say about all this?

In classic fashion, not very much. Apple didn’t get back to me when I emailed it for comment, although I’ll keep trying.

Apparently, however, it did email a statement to Tim Bradshaw, a reporter for the Financial Times, who tweeted it:

The statement, of course, is rife with ambiguity. Is Apple referring specifically to pcapd, file_relay and house_arrest here, or just issuing a general statement about its diagnostic functions? 

And it fails to address most of Zdziarski’s basic questions. If these services are diagnostic functions, why aren’t they documented? Why do they operate even if users haven’t agreed to send diagnostic information to Apple? Why can’t users deny their consent to having information taken off their devices this way? Why can’t users turn these services off?

It is certainly interesting that Apple feels compelled to deny that it has even “worked with any government agency from any country” to engineer backdoors into its products or services. Especially since Zdziarski hadn’t accused them of such.

Does Zdziarski have thoughts about Apple’s statement?

Does he ever. In a new blog post Monday night, he summed up his reaction this way:

I understand that every OS has diagnostic functions; however, these services break the promise that Apple makes with the consumer when they enter a backup password: that the data on their device will only come off the phone encrypted. The consumer is also not aware of these mechanisms, nor are they prompted in any way by the device. There is simply no way to justify the massive leak of data as a result of these services, and without any explicit consent by the user.

I also contacted Zdziarski for comment, but haven’t heard back.

Lead image by Flickr user Mooganic; swan image by Flickr user blinking idiot, CC 2.0

View full post on ReadWrite

SEO Questions Franchise Owners Need to Ask – Huffington Post

SEO Questions Franchise Owners Need to Ask
Huffington Post
When it comes to SEO and franchises, the same standard rules apply, but the way you go about SEO is different. You have different problems and responsibilities as a franchise company that other companies don't see–multiple managers and locations, …

and more »

View full post on SEO – Google News

BLOG: Your website SEO may need a check-up – Healio

BLOG: Your website SEO may need a check-up
Healio
Recently I received an email from a practice in New York that had let its search engine optimization, or SEO, slip very dramatically during the last few years. I asked if they were still using the same SEO Company and they said they were not because a …

View full post on SEO – Google News

Bing Admits They Need To Do Better With Webmaster Communication

In a blog post today on the Bing Webmaster Blog, Bing’s Igor Rondel, Principal Development Manager of the Index Quality team, said you can expect Bing to do more proactive communication on the Bing Webmaster Blog in the future. Igor said Bing needs “to do a better job of proactively…


View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

International SEO, What Global Companies Need to Know – Business 2 Community

International SEO, What Global Companies Need to Know
Business 2 Community
If your company does business across borders this post about international SEO (search engine optimization) is an important read. Naturally, a global company will …

View full post on SEO – Google News

New AdWords Quality Score Info: What You Need To Know

By now, you’ve probably seen (or at least heard about) Google’s recent video and new white paper about Quality Score in AdWords. In fact, when I first heard about the updated Hal Varian video, I was a bit surprised, given that Google hasn’t bothered to update it for about five years!…


View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Everything You Need to Know About @BlogHer ’14: An Interview with BlogHer Founder Elisa Camahort Page by @thebigdebowski

At Search Engine Journal, we take a lot of pride in having a predominantly female team. So, we jumped at the chance to speak with Elisa Camahort Page, one of the founders of BlogHer, Inc., the premium cross-platform media network and publisher for women. We love us some girl power, especially in the tech space, and Elisa has helped pave the way for women in the industry. Elisa is one of the three BlogHer co-founders, along with Lisa Stone and Jory Des Jardins. As COO of the company, Elisa leads the BlogHer conference business, including the BlogHer annual conference, which […]

The post Everything You Need to Know About @BlogHer ’14: An Interview with BlogHer Founder Elisa Camahort Page by @thebigdebowski appeared first on Search Engine Journal.

View full post on Search Engine Journal

SEO Website Audits: Everything You Need to Know Part II – Search Engine Watch

SEO Website Audits: Everything You Need to Know Part II
Search Engine Watch
The term website SEO audit is a very general one that means anything that the auditor wants it to mean. This means I could be spending hours laboring over every detail of your site looking for issues, challenges, and areas of improvement or I could be …

and more »

View full post on SEO – Google News

SEO Website Audits: Everything You Need to Know Part II

An in-depth look at everything you need to know about an SEO website audit, from the differences between tools-based audits and human audits to how much you can expect to pay for the service.

View full post on Search Engine Watch – Latest

Tech Genius Doesn’t Need To Be White, Male And Wearing A Hoodie

When you picture a successful tech CEO, what comes to mind? Probably a white man, maybe one wearing a hoodie. 

Technology is a Caucasian, male-dominated industry, which is why getting more diversity in tech has never been more of a priority. In fact, in the last month, a handful of the most well-known tech companies have released data that illustrates this trend, with male employees far outnumbering females, and in the U.S., a white majority rules.

Though these numbers clearly show there’s not enough diversity in the tech workforce, part of the imbalance stems from a lack of diversity in technology education at a young age—many students are unable to access resources that can set them up for a career path in tech.

In 2013, of the 30,000 students who took the U.S. high school Advanced Placement computer science exam, less than 20 percent were female, eight percent were Hispanic, and three percent were black. No female, black or Hispanic students took the exam in Mississippi or Montana.

The poorest communities, often the most diverse, have the most limited access to technology. According to a Pew Internet study, just three percent of teachers of the poorest classrooms feel that their students have access to the digital tools they need at home.

#YesWeCode, an ambitious initiative to encourage 100,000 minority and low-income students to learn skills in technology, aims to change that, and provide a resource for students, parents and teachers to find out how best to teach the next generation of entrepreneurs, builders, and makers.

Officially launching July 4 at the Essence Festival in New Orleans, the largest festival celebrating African-American culture and music in the U.S., #YesWeCode will host a hackathon and a “technology village,” making technology a central part of the event for the first time ever.

Prince is headlining the event this year, and the music megastar was partially responsible for the creation of #YesWeCode.

“#YesWeCode came out of a conversation I was having with Prince about Trayvon Martin,” Van Jones, president of Rebuild The Dream Innovation Fund and one of the creators of #YesWeCode, told me in an interview. Martin, a teenager, was shot in a Florida neighborhood in 2012. “Prince said, ‘When an African-American kid is wearing a hoodie, people think he’s a thug, but when a white kid is wearing a hoodie people think he’s the next Mark Zuckerberg.’”

Jones mentioned something about racism, to which Prince replied: “No, it’s because we haven’t produced any Mark Zuckerbergs yet.”

Though there are many organizations across the country looking to encourage more minorities to pursue STEM skills—science, technology, engineering and math—resources are still very fragmented. In order to unite these organizations and create a pipeline of underrepresented talent that can equalize the ratio at companies like Google and Facebook, #YesWeCode teamed up with education and career training organizations to provide low-income and minority students with the opportunity to learn technological skills.

Black Girls Code is one of those partner organizations. Founder Kimberly Bryant is in New Orleans this weekend to host a series of events in tandem with the festival that focus on getting young girls excited about coding.

Bryant says getting girls interested in technology and keeping them in the industry through college and into their careers is the key to changing the dynamics in the tech industry overall. Her organization has reached 3,000 students to date.

“The importance of starting early is to give girls the skill set and the confidence for them to go into these male-dominated environments,” Bryant said in an interview. “A lot of the women I’ve seen across generations who have come into the program as students or mentors, we’ve all faced similar challenges—it’s just a different decade.”

Tech Industry Partners Will Help Bridge The Gap

#YesWeCode worked with Facebook to create an online portal that brings together all the organizations working to bridge the gap between low-income and minority students and careers in technology, and give them the tools and resources they need to exponentially grow.


The #YesWeCode website will act as a central support database for organizations across the U.S. that work with low-income and minority youth, and partners will work with these organizations to strengthen computer education programs, as well as support and fund workforce development programs like coding boot camps.

For example, a mom of a 13-year-old girl in Atlanta will be able to use the #YesWeCode database to find the best coding courses, camps and resources to send her daughter to this summer.

Maxine Williams, Facebook’s head of global diversity, said getting underrepresented students interested in tech is a matter of letting these students know these opportunities actually exist.

“Inspiration comes in so many different forms,” Williams told me. “It was never a question whether people had the ability, but rather people knew this was an opportunity. Having people that have similar experiences to you allows you to feel like you can get there too.”

Of course, companies like Facebook will undoubtedly benefit from such a partnership. Graduates from #YesWeCode programs who pursue technology as a career may find themselves working at a tech corporation like Google or Facebook, both of which have pledged to increase diversity in their workforces since releasing their diversity data in June.

“It’s impossible to quantify the difference it makes when you have people that apply diversity to problems,” she said.

Creating The Next Generation Of Diverse Entrepreneurs

“Genius and talent doesn’t know any age or racial barrier,” Jones said. “Even though we’re starting off at an African-American event, our commitment is to low-opportunity talent.” Included in that group are low-income Asian, Latino, Native American, and Appalachian students.

“We’re letting genius go to waste—there are so many people in communities of color that have the mathematical talent to do this work,” he said. “Some are former veterans, some are moms … some of them are using their math skills as hustlers on the street corner.”

With the help of programs that connect youth through #YesWeCode, the next Mark Zuckerberg could be a technologist from the minority community, giving future generations an entrepreneur to look up to for affirmation that they, too, can build the next billion-dollar company.

Lead image screencapped from the #YesWeCode YouTube video.

View full post on ReadWrite

Copyright © 1992-2014, DC2NET All rights reserved