The Case of the Department of Justice vs. Apple

In case you’ve been living on an island, there is a case with enormous repercussions brewing in the courts right now… it’s a showdown between the Department of Justice vs. Apple on iPhone privacy.

The Story – FBI vs Apple

For those with an interest in privacy/encryption as well as the role of private industry in supporting law enforcement, there is a potentially precedent-setting case being fought right now in federal court and in the court of public opinion. The issue? Whether the United States Government can compel Apple to “hack” its own iPhones. Well, specifically one iPhone: the iPhone 5c in question was used by Syed Rizwan Farook, one of two shooters in the Dec. 2 San Bernardino attacks that killed 14 people and wounded 22.

You may remember one Edward Snowden, who in 2013 revealed the extent of the US Government’s spying on technology users. Pursuant to the consumer/industry reaction to this, in 2014, Apple released iOS 9 for its mobile devices (iPhones, iPads), which is arguably their most secure and was designed from the ground up to provide unparalleled security and privacy to the owner. This version of the iOS “marries” the user’s chosen password with a hardware key built into the device, creating a key that is stored only on the iOS device. There is no known way, even for Apple, to obtain that key without guessing.

But guessing has its limitations. Apple is fighting a recent federal court order compelling it to design software that would disable a feature on the phone that wipes all the data after 10 incorrect tries at guessing the password. The order further requires that Apple modify the phone’s software to allow passwords to be attempted through an electronic connection, rather than through the keypad, so that the FBI can more easily “brute-force” the process of guessing the password (there are potentially 1 million combinations of letters and numbers).
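
A simplified model of the two protections described above, added here as an illustration and not Apple's code: the passcode is mixed with a per-device secret, and ten wrong guesses discard that secret. The use of PBKDF2, the iteration count and every name below are assumptions.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 10  # the article's wipe-after-10-wrong-guesses feature


def derive_key(passcode: str, device_key: bytes, iterations: int = 20_000) -> bytes:
    """Entangle the passcode with a per-device secret (assumed KDF: PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_key, iterations)


class ToyDevice:
    """Simplified model for illustration; not Apple's implementation."""

    def __init__(self, passcode: str):
        self._device_key = os.urandom(32)  # stand-in for the hardware key
        self._check = self._tag(derive_key(passcode, self._device_key))
        self.failed, self.wiped = 0, False

    @staticmethod
    def _tag(key: bytes) -> bytes:
        # Store only a tag derived from the key, never the key or passcode.
        return hmac.new(key, b"unlock-check", hashlib.sha256).digest()

    def try_unlock(self, guess: str) -> bool:
        if self.wiped:
            return False  # key material is gone; nothing left to unlock
        tag = self._tag(derive_key(guess, self._device_key))
        if hmac.compare_digest(tag, self._check):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            # Discard the secrets so the data can no longer be decrypted.
            self._device_key = self._check = b""
            self.wiped = True
        return False


def guesses_until_wipe(device: ToyDevice, candidates) -> int:
    """Feed guesses until the device wipes; return how many it accepted."""
    used = 0
    for guess in candidates:
        if device.wiped:
            break
        device.try_unlock(guess)
        used += 1
    return used
```

Because the derived key depends on the device secret, the same passcode yields a different key on any other hardware, so guesses only count when made on the device itself, where the attempt counter applies.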

For you nostalgia fans, the DOJ actually used the All Writs Act, a law relating to law enforcement searches passed in 1789, to compel Apple.

A Very Public Fight

The fight has gone “public,” with Apple claiming in an open letter that they should not be required to weaken their own device security and that, although this request is for one phone only, it potentially opens a “backdoor” for other spying activities. The FBI responded that they have no interest in “breaking anyone’s encryption” and that Apple is putting its marketing in front of law enforcement concerns. There was another volley when it was revealed that the Government changed Farook’s iCloud password in order to access the data in it, which may have inadvertently prevented Farook’s iPhone from syncing its data to the cloud (something iPhones can be configured to do). Apple took the Government to task on this, and the Government responded by saying that there is even more data on the iPhone than is ever backed up to iCloud.

One to Watch

The case could set enormous precedents and is evolving day-by-day, minute-by-minute. It’s possible that Congress could pass emergency legislation to further compel Apple. Battle lines have been drawn, with privacy advocates taking Apple’s side and law enforcement/antiterrorism personnel supporting the Government’s side. Of course, politicians and aspiring presidential candidates are weighing in as well. What side are you on? An informal survey taken by InfoStructures among industry colleagues and clients indicates that this issue elicits strong responses on both sides. Keep an eye out for this as it evolves.

Six Things That Google Knows about You

Google gathers a huge amount of data about its users. Find out what the tech giant knows about you and see what it is doing with this information.

Have you ever visited a shopping site followed by a news site and found that most of the ads you see are from that shopping site? That did not happen by accident. Google has been tracking your activities and using the data it collects to make money.

Google has one of the largest collections of consumer data on the planet. Besides capturing the information that users freely give when they sign up for a Google account, Google tracks its users’ web activity so it can display ads that better match their interests. Even users without Google accounts have their web activity tracked, though Google is unable to connect it to a specific person.

Google uses the data it collects to develop profiles about its users. Many people do not realize just how shockingly detailed these profiles can be.

If you are a Google user, here are six things that Google knows about you:

1. Your Account Details

Google knows your name, phone number, and all the other information you provided when you signed up for a Google account.

2. Your Usage of Google’s Tools

Google provides users with many tools, including a word processor, web browser, and contact list. The tech giant keeps track of how you use these tools. This means that it knows how many documents you have in Google Docs, how many bookmarks you have in Chrome and what they are, and how many people you have in your contact list.

3. Your Gmail Inbox Contents

If you have a Gmail account, Google knows how many messages are in your inbox. It also scans your messages for keywords. It uses this information to tailor the ads and search results it shows you.

4. Your Searches

Besides tracking your web browsing activity, Google keeps tabs on your web search history. This is one of the main ways in which it develops an advertising profile about you. By knowing what you are searching for, Google can determine what types of products and services you are likely to buy.

5. The Videos You Watch

Google owns YouTube, so it is able to track your activity on that site as well. The information about your YouTube activity is used for advertising purposes.

6. Your Location

It is likely that Google knows where you live. It might even know where you are located right this minute. If you have used Google Maps to get directions from your home to somewhere, Google knows where you live based on that information and your IP address. If you have an Android phone and have not disabled the Google Location History feature, Google knows where you are located right this minute. Location tracking lets the company offer you geographically specific results when you search for something.

Check Your Profiles

There are several ways you can find out the types of information that Google is collecting about you:

  • You can review your Google account profile by going to the My Account web page. There you can see what personal information you gave Google when you signed up. Plus, if you click the Account History option, you can see if Google is tracking your location, web search history, YouTube search history, or browser activity.
  • Google has developed a dashboard designed to increase transparency about the data it collects about you. The Google Dashboard summarizes the data collected for each Google tool that you use.
  • Google’s advertising profiles include guesses about its users’ ages, genders, and interests. You can see your advertising profile on the Control Your Google Ads web page and find out just how right (or wrong) the tech giant is about you. You can also use this website to stop Google from tracking your web activity by opting out of its interest-based advertising program.

Three Myths about Data Breaches Debunked

Most data breaches are the result of cyberattacks, right? Well, not really. A researcher has debunked this common myth and several others.

When it comes to data breaches, it can be hard to sort fact from fiction. Fortunately, a Trend Micro researcher scrutinized a decade’s worth of data breach information in an effort to debunk the myths. Knowing the facts about data breaches can help you develop better strategies to defend against them.

Here are three common myths that have been debunked:

1. Most Data Breaches Are the Result of Cyberattacks

The Myth: If you were to ask people about the leading cause of data breaches, they would likely tell you that cyberattacks are to blame. After all, the news is full of stories about cybercriminals stealing millions of data records from the U.S. Office of Personnel Management, Anthem, Premera Blue, and other organizations.

The Truth: Most data breaches are not due to cyberattacks. The leading cause of data breaches is the loss or theft of portable devices (e.g., thumb drives, laptops), physical records (e.g., files, receipts), and stationary devices (e.g., desktop computers, servers). They account for 41 percent of all reported data breaches between 2005 and 2015. In comparison, cyberattacks are to blame for only 25 percent of the data breaches during this timeframe. Other causes include sensitive data being accidentally exposed through mistakes or negligence (17.4 percent), insider leaks (12.0 percent), and payment card data stolen with physical skimming devices (1.4 percent). The cause was unknown in the remaining 3.2 percent of the data breaches.

The Takeaway: While defending against cyberattacks is important, you need to implement other types of security measures as well. Creating policies that govern how employees should handle sensitive data and educating employees about those policies can go a long way in preventing data breaches caused by lost or stolen devices, mistakes, and negligence. It is also a good idea to take advantage of data encryption software, remote wiping technologies, Global Positioning System (GPS) tracking, and other tools to protect data on mobile devices.

2. Most Cybercriminals Seek Personal Information Because It Is in High Demand

The Myth: Cybercriminals mainly try to steal personal information because it pays the most in the underground markets where criminals purchase breached data.

The Truth: In the underground markets, personal information is commonly sold on a per-record basis, where each line contains a victim’s name, address, birthdate, identification number (e.g., Social Security number), and other information. Criminals often purchase these lines to commit identity fraud. Cybercriminals are not getting much money for this personal information anymore. The price has dropped significantly, from $4 a record in 2014 to $1 a record in 2015. A big surplus of this type of data is responsible for the drop in price.

Bank account credentials command some of the highest prices in the underground markets. The credentials for one bank account can cost between $200 and $500 if they come with the account’s balance. The larger the available balance in an account, the higher the selling price. Other account credentials are also desirable, including those for PayPal, FedEx, and Google Voice.

The Takeaway: While protecting personal information is crucial, you also need to protect the credentials you use to access systems, services, and bank accounts. For maximum security, you and your staff should use strong account passwords and change them periodically. Using a password manager will help everyone avoid the temptation of writing them down.

3. Retailers Are at the Highest Risk for Data Breaches

The Myth: Retailers experience the most data breaches because they handle a lot of credit and debit card transactions.

The Truth: Between 2005 and 2015, many prominent retailers experienced data breaches, including Target, Neiman Marcus, Home Depot, Staples, and eBay. However, it is the healthcare sector and not the retail industry that experienced the most data breaches during this time. Here is the breakdown of the data breaches by sector:

  • Healthcare (26.9 percent)
  • Education (16.8 percent)
  • Government (15.9 percent)
  • Retail (12.5 percent)
  • Financial (9.2 percent)
  • Service (3.5 percent)
  • Banking (2.8 percent)
  • Technology (2.6 percent)
  • Insurance (1.6 percent)
  • Media (1.4 percent)
  • Other industries (6.8 percent)

The Takeaway: Organizations in just about every sector are susceptible to data breaches. Thus, you need to take data breaches seriously and develop strategies to defend against them.

More Myths Debunked

Learn about other data breach myths in the Trend Micro researcher’s report “Follow the Data: Dissecting Data Breaches and Debunking the Myths.” The researcher analyzed data breach incidents that occurred between January 2005 and April 2015. Information about these incidents came from the Privacy Rights Clearinghouse. This nonprofit group compiles this data from a variety of sources, including media coverage, Office of the U.S. Attorney General press releases, company press releases, and privacy websites.