A security researcher is claiming to have found a set of services in iOS that appear to be a firmware-level backdoor in iOS devices. What’s more interesting is that Apple has, in a very non-Apple manner, responded to his claims by posting a support page about it. He claims that these are confirmations of the backdoors that he found in iOS and that Apple claims to use them for diagnostic and enterprise purposes. These backdoors can only be accessed by Apple (or anyone that has access to Apple’s services) so they’re mostly secure backdoors, but they are backdoors nonetheless. Most consumers are completely and wholly unaware that alternative pathways into their devices exist and can be exploited by ANYONE (in this case Apple) other than themselves. This is also why remote bricking and other ‘security’ features being pushed through legislatures are also a problem, but at least we’re aware of their existence unlike these services on iOS.

The services in question, om.apple.mobile.pcapd, com.apple.mobile.file_relay, com.apple.mobile.house_arrest among others have been addressed in Apple’s knowledge base article. Apple does not directly address Jonathan Zdziarski’s claims but instead tries to illuminate their use of these services and what they’re supposed to be used for. Apple claims that some of these services are used for diagnostic purposes internally as well as for iTunes and Apple Care support. However, the fact that these supposed backdoor services exist without users’ or developers’ knowledge is a bit worrisome.

The real truth here is that no matter what happens, or is really happening, customers should be aware of how intrusive some of these services are or can be. Sure, some of them are limited in scope in terms of what they can access, but even so, Apple should notify customers when they use such services or sign up for the operating system that there are services running on their devices that give Apple access to their device. Backdoor systems are not a joke and some of them are open invitations to hackers to try to hack into a backdoor and use it for their own purposes. Backdoors are inherently insecure and consumers should be made aware of them, malicious or not.

The post Security Researcher Claims iOS Devices Have a Backdoor appeared first on VR World.

The Intercept is reporting that the NSA is unsurprisingly spying on countless American citizens without there being any reasonable justification for doing so. This is being reported based on the documents that Edward Snowden gave Glenn Greenwald including a “FISA recap” spreadsheet that details thousands of email addresses being monitored. Out of those email accounts being monitored, 202 addresses were marked as US persons, while 1,782 were marked as non-US persons and 5,501 were marked as unknown or simply left blank. The Intercept identified five Americans on the list from their email addresses and helped build the story that we’re reporting on today.

The NSA is monitoring the emails (and likely more) of multiple Muslim-Americans even though they have never had any ties to any terrorist groups or anti-American sentiment. There was, however, one lawyer involved in the spying on Americans who represented clients in terrorism cases, but that is merely a breach of due process. A breach where the NSA could pass on confidential information to the prosecution and help create a case where there is none. Obviously, such lawyers would probably suspect that they’re already being watched, but not by the NSA. Even so, he is one of five Americans basically put on a ‘watch list’ for who they are and what they do, not a justification for being spied on as an American.

The five Americans that are being spied on were discovered in Edward Snowden’s leaked NSA documents. These five men, that are Americans, Faisal Gill, Asim Ghafoor, Hooshang Amirahmadi, Agha Saeed and Nihad Awad are all obviously people that could easily be considered Muslim Americans. But the fact is that with the exception of Asim Ghafoor, none of these men have ANY remote ties with terrorists in any way, shape, or form. In fact, Asim Ghafoor only does because its part of his job as a lawyer to represent them, which is still an American thing to do in order to ensure due process.

FISA Recap Spreadsheet

These men’s email addresses were found in a FISA recap spreadsheet which basically broke down who was and wasn’t being spied on and whether or not their account owners were American, non-American or unknown. Unfortunately for all of us Americans, it doesn’t really seem to make much of a difference whether or not people are American if the NSA really wants to spy on them. Because the truth is that the FISA courts are basically granting the NSA any and all permissions that they need to ‘do their job’. In the 35 years that the FISA court (FISC) has been in existence, the court has approved 35,434 government requests for surveillance, while rejecting only 12. Giving you merely a small idea of how strictly these requests are really being ‘judged’.

What’s worse is that some of these men have grown up and served their country, like Faisal Gill, who has served in the military and worked for the White House under President George W. Bush. In fact, he was a staunch supporter of the Republican party and their ideals. He also did lots of work under the Department of Homeland security and after he was done working there, the NSA spied on him, while George W. Bush was still president. In fact, after he left the Department of Homeland security, where he had very high level security clearance, the spying on him began.

The Intercept interviewed some of these men to talk about the spying and their experiences, and there are some really powerful words being said, especially towards the end.

The problem with all of this is that our government, The NSA, the FBI and the FISA courts that enable them are really toeing a very dangerous line. If it is okay to spy on American citizens with basically no supporting evidence (as it appears that these men were) then what prevents the NSA, CIA, FBI and other government agencies from monitoring everything we do, waiting until we trip up?

Just because these men are Muslim-Americans should not mean that they are suddenly dangerous to Americans and our freedom. In fact, singling them out because of what religion they are might be one of the most grave transgressions the NSA has committed so far. We already know that the NSA is spying on people that use Tor, so who’s next? Tor Users, American Muslims… Communists? Chinese-American Immigrants? Mexican-Americans? Where does it end?

The post Which Americans The NSA Spies On appeared first on VR World.

During the raid on Kim Dotcom’s property, the NZ Police took countless computers and hard drives from his residence and offices, many of which were fully encrypted. However, there was a lot of data on those drives that the NZ Police had no right in sharing with the FBI or any US authorities. In fact, they had already shared copies of the drives’ encrypted data to the FBI, which by now has probably cracked the encryption without Kim Dotcom’s keys. Kim’s lawyers have been wrangling with the policy negotiating whether or not he would provide the encryption keys to them and under what circumstances.

According to a recent ruling, a judge has ruled that the NZ Police cannot provide the FBI with any of the keys that Kim Dotcom may provide them with in order to access the data on the hard drives. The problem is that all of these assets were effectively seized from Kim Dotcom’s residence and offices without any real evidence of wrong-doing and they still haven’t really provided much of a case against him. Kim Dotcom is still technically under house arrest but he hasn’t really been found guilty of any official charges because the Crown Prosecution has failed on many counts trying to include evidence that would later be thrown out. Realistically, most of what the New Zealand authorities have done to Kim Dotcom has been mostly unfounded and based upon murky charges levied by US authorities, which technically have no jurisdiction over New Zealand. Furthermore, they are still trying to have him extradited to the US where they would try to get him to stand trial, but the possibility that he will be extradited is hopefully low considering all of the mistakes the New Zealand authorities have made.

The justice that ruled against the NZ authorities sharing Dotcom’s keys with the FBI and other agencies ruled this partially because they had already provided the US authorities with harddrives and copies of data that they weren’t supposed to give them to begin with. This once again shows the New Zealand authorities’ incompetence as well as the likelihood of how unfounded the US authorities’ case was when they had initiated the raid on Dotcom’s property and Megaupload.

The post NZ Police Can't Share Kim Dotcom's Encryption Keys with FBI appeared first on VR World.

On Monday, as a follow up to the awareness around the Heartbleed bug and all of the rumors that circulated around it, The Whitehouse posted a blog clarifying their stance on how they approach vulnerabilities such as Heartbleed. In fact, the NSA categorically denied any knowledge of the Heartbleed bug officially on Twitter, even though they have been known to lie to Congress and the American people without hesitation, so their honesty is a little more than at question.

So, what exactly are they going to disclose and when? Well, there’s a nifty little check list that the Whitehouse has provided us with so that we know when an agency should withhold information from the public and when it should make it public.

We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure. This interagency process helps ensure that all of the pros and cons are properly considered and weighed. While there are no hard and fast rules, here are a few things I want to know when an agency proposes temporarily withholding knowledge of a vulnerability:

• How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?

• Does the vulnerability, if left unpatched, impose significant risk?

• How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?

• How likely is it that we would know if someone else was exploiting it?

• How badly do we need the intelligence we think we can get from exploiting the vulnerability?

• Are there other ways we can get it?

• Could we utilize the vulnerability for a short period of time before we disclose it?

• How likely is it that someone else will discover the vulnerability?

• Can the vulnerability be patched or otherwise mitigated?

So, basically, The Whitehouse and the administration of Obama are basically saying that if a vulnerability doesn’t really affect us too much, but can gain us lots of valuable intelligence we should keep our mouths shut. What is interesting about this supposed “rigorous” process for vulnerability disclosure is that there is no time limit set for how long they are allowed to wait until they disclose a vulnerability. There is no limitation on how long they can leave a vulnerability open if it passes all of these checks that they’ve established. They mention utilizing the vulnerability for a short period of time, but that doesn’t actually mean anything because a short period of time could be a day, a week, a month, or a year.

With the Heartbleed bug and the public disclosure around it, there were a lot of companies scrambling to patch the bug and some attacks that utilized it immediately after its disclosure. However, if left unpatched, Heartbleed could have disasterous implications and would give any government with knowledge of it almost unlimited access across the web. As a result, many people simply don’t believe that The Whitehouse and the NSA were unaware of such a bug, especially since the NSA had quietly exploited countless other bugs continually without any concern.

The post The Whitehouse Says They Have Right to Withhold a Security Vulnerability appeared first on VR World.