N.S.A. Takes Step Toward Protecting World’s Computers, Not Just Hacking Them

WASHINGTON — The National Security Agency has taken a significant step toward protecting the world’s computer systems, announcing Tuesday that it alerted Microsoft to a vulnerability in its Windows operating system rather than following the agency’s typical approach of keeping quiet and exploiting the flaw to develop cyberweapons.

The warning allowed Microsoft to develop a patch for the problem and gave the government an early start on fixing the vulnerability. In years past, the National Security Agency has collected all manner of computer vulnerabilities to gain access to digital networks to gather intelligence and generate hacking tools to use against American adversaries.

But that policy was heavily criticized in recent years when the agency lost control of some of those tools, which fell into the hands of cybercriminals and other malicious actors, including North Korean and Russian hackers.

By taking credit for spotting a critical vulnerability and leading the call to update computer systems, the National Security Agency appeared to adopt a shift in strategy and took on an unusually public role for one of the most secretive arms of the American government. The move shows the degree to which the agency was bruised by accusations that it caused hundreds of millions of dollars in preventable damage by allowing vulnerabilities to circulate.

“We wanted to take a new approach to sharing and also really work to build trust with the cybersecurity community,” Anne Neuberger, the agency’s cybersecurity director, told reporters.

The vulnerability exists in Windows 10, Microsoft’s flagship operating system, as well as some versions of its server software. It allows hackers to insert malicious code into a target computer and make it appear to be from a safe and trusted source. The vulnerability could also allow hackers to decrypt secret communications.

The vulnerability was serious, officials said. The National Security Agency warned government officials who oversee classified systems about the flaw and the coming Microsoft patch before discussing it publicly, Ms. Neuberger said.

The agency has in the past privately shared vulnerabilities it found with Microsoft and other technology companies. During the Obama administration, officials said, they shared about 90 percent of the flaws they discovered.

But the agency never allowed those firms to publicly identify the agency as the source of those discoveries, Ms. Neuberger said. The agency wanted the public acknowledgment of its role in finding the new defect to demonstrate the importance of patching the flaw, she said.

“Ensuring vulnerabilities can be mitigated is an absolute priority,” Ms. Neuberger said.

The National Security Agency’s action suggests the vulnerability for American government systems likely outweighed its usefulness as a tool for the agency to gather intelligence.

Experts and technology companies praised the agency. But some noted that even as one arm of the government was moving to protect the public’s ability to encrypt its communications, another was taking the opposite tack. A day earlier, the Justice Department called on Apple to break the encryption on its phones, and it has pushed for so-called back doors on Facebook’s encrypted message services.

The Washington Post earlier reported on the agency’s warning to Microsoft, which released a patch for the vulnerability on Tuesday.

Customers who automatically update their operating systems or applied Tuesday’s patch “are already protected,” said Jeff Jones, a senior director at Microsoft.

Microsoft said no evidence had emerged that malicious actors had exploited the vulnerability and said its security software could detect malware trying to do so.

The National Security Agency’s decision to reveal the flaw to Microsoft — and then to publicly announce its move — is in sharp contrast to how it handled another flaw that it discovered but told Microsoft about too late to prevent global damage.

In early 2017, agency officials told Microsoft’s president, Brad Smith, that it had found a flaw in its operating systems but lost it to a group called the Shadow Brokers, which somehow obtained hacking tools that the United States had used to spy on other countries. The agency had known about the flaw for some time but held on to it, believing that one day it might be useful for surveillance or the development of a cyberweapon.

But when the agency’s arsenal of flaws leaked out — presumably through insiders, though the National Security Agency has never said — among it was code nicknamed “Eternal Blue.” While Microsoft had raced to get people to patch the erroneous code, many systems remained unprotected.

Soon North Korean hackers used the code to develop “WannaCry,” software that crippled the British health care system, which used an outdated version of Microsoft Windows. And Russian hackers used it in the NotPetya attacks, among the most damaging cyberattacks in history, costing hundreds of millions of dollars to companies including FedEx and Maersk, the shipping giant.

The agency dismissed the idea that it was responsible for the malicious use of the code — arguing that the responsibility lay with North Korea and Russia, which mounted the attacks. But privately, many agency officials acknowledged that the tendency to hoard such flaws in hopes of developing weapons had come at a huge price and that the United States bore some responsibility for the damage caused by Eternal Blue and other tools.

Some experts believe Eternal Blue is continuing to cause problems, allowing hackers to disrupt computer systems.

The White House often decides whether to hold on to a flaw for future use or reveal it to the manufacturer. Obama administration officials set up a system to make the decision. Trump administration officials say a similar process still exists, but they have stopped publishing information about the percentage of vulnerabilities they make public.

The National Security Council reviewed the latest decision to share information about the new flaw with Microsoft, Ms. Neuberger said.

The vulnerability involves Windows’ digital signature system, according to one of the people familiar with the issue. Microsoft, and other companies, use digital signatures to identify software and updates as authentic.

The vulnerability unearthed by the National Security Agency could potentially allow a hacker to add a fake signature that could allow malware to be inserted onto a vulnerable computer. Because the vulnerability was not yet public, no known malware has taken advantage of it.

Criminal hackers or nation states typically take weeks to exploit a new vulnerability, so businesses, governments and individuals may have a little time to install the security patch developed by Microsoft. Experts urged them to move quickly nonetheless.

It was not clear how much of a strategic shift the agency’s announcement amounted to. The agency presumably is still hunting for vulnerabilities and flaws that could allow them to infiltrate Iranian computer systems, as well as those used by Russia, China and other adversarial countries.

But if the agency continues to follow the example set Tuesday, its experts could help fix, rather than exploit, future vulnerabilities that affect not just one critical computer system but millions of users or more across the world.

Apple Takes a (Cautious) Stand Against Opening a Killer’s iPhones

SAN FRANCISCO — Apple is privately preparing for a legal fight with the Justice Department to defend encryption on its iPhones while publicly trying to defuse the dispute, as the technology giant navigates an increasingly tricky line between its customers and the Trump administration.

Timothy D. Cook, Apple’s chief executive, has marshaled a handful of top advisers, while Attorney General William P. Barr has taken aim at the company and asked it to help penetrate two phones used by a gunman in a deadly shooting last month at a naval air station in Pensacola, Fla.

Executives at Apple have been surprised by the case’s quick escalation, said people familiar with the company who were not authorized to speak publicly. And there is frustration and skepticism among some on the Apple team working on the issue that the Justice Department hasn’t spent enough time trying to get into the iPhones with third-party tools, said one person with knowledge of the matter.

The situation has become a sudden crisis at Apple that pits Mr. Cook’s longstanding commitment to protecting people’s privacy against accusations from the United States government that it is putting the public at risk. The case resembles Apple’s clash with the F.B.I. in 2016 over another dead gunman’s phone, which dragged on for months.

This time, Apple is facing off against the Trump administration, which has been unpredictable. The stakes are high for Mr. Cook, who has built an unusual alliance with President Trump that has helped Apple largely avoid damaging tariffs in the trade war with China. That relationship will now be tested as Mr. Cook confronts Mr. Barr, one of the president’s closest allies.

“We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements,” Mr. Trump said Tuesday in a post on Twitter. “They will have to step up to the plate and help our great Country.”

Apple declined to comment on the issue on Tuesday. Late Monday, after Mr. Barr had complained that the company had provided no “substantive assistance” in gaining access to the phones used in the Pensacola shooting, Apple said it rejected that characterization. It added that “encryption is vital to protecting our country and our users’ data.”

But Apple also offered conciliatory language, in a sign that it did not want the showdown to intensify. The company said it was working with the F.B.I. on the Pensacola case, with its engineers recently holding a call to provide technical assistance.

“We will work tirelessly to help them investigate this tragic attack on our nation,” Apple said.

At the heart of the tussle is a debate between Apple and the government over whether security or privacy trumps the other. Apple has said it chooses not to build a “backdoor” way for governments to get into iPhones and to bypass encryption because that would create a slippery slope that could damage people’s privacy.

The government has argued it is not up to Apple to choose whether to provide help, as the Fourth Amendment allows the government to violate individual privacy in the interest of public safety. Privacy has never been an absolute right under the Constitution, Mr. Barr said in a speech in October.

Mr. Cook publicly took a stand on privacy in 2016 when Apple fought a court order from the F.B.I. to open the iPhone of a gunman involved in a San Bernardino, Calif., mass shooting. The company said it could open the phone in a month, using a team of six to 10 engineers. But in a blistering, 1,100-word letter to Apple customers at the time, Mr. Cook warned that creating a way for the authorities to gain access to someone’s iPhone “would undermine the very freedoms and liberty our government is meant to protect.”

Bruce Sewell, Apple’s former general counsel who helped lead the company’s response in the San Bernardino case, said in an interview last year that Mr. Cook had staked his reputation on the stance. Had Apple’s board not agreed with the position, Mr. Cook was prepared to resign, Mr. Sewell said.

The San Bernardino case was bitterly contested by the government and Apple until a private company came forward with a way to break into the phone. Since then, Mr. Cook has made privacy one of Apple’s core values. That has set Apple apart from tech giants like Facebook and Google, which have faced scrutiny for vacuuming up people’s data to sell ads.

“It’s brilliant marketing,” Scott Galloway, a New York University marketing professor who has written a book on the tech giants, said of Apple. “They’re so concerned with your privacy that they’re willing to wave the finger at the F.B.I.”

Mr. Cook’s small team at Apple is now aiming to steer the current situation toward an outside resolution that doesn’t involve the company breaking its own security, even as it prepares for a potential legal battle over the issue, said the people with knowledge of the thinking.

Some of the frustration within Apple over the Justice Department is rooted in how police have previously exploited software flaws to break into iPhones. The Pensacola gunman’s phones were an iPhone 5 and an iPhone 7 Plus, according to a person familiar with the investigation who declined to be named because the detail was confidential.

Those phones, released in 2012 and 2016, lack Apple’s most sophisticated encryption. The iPhone 5 is even older than the device in the San Bernardino case, which was an iPhone 5C.

Security researchers and a former senior Apple executive who spoke on the condition of anonymity said tools from at least two companies, Cellebrite and Grayshift, have long been able to bypass the encryption on those iPhone models.

Cellebrite said in an email that it helps “thousands of organizations globally to lawfully access and analyze” digital information; it declined to comment on an active investigation. Grayshift declined to comment.

Cellebrite’s and Grayshift’s tools exploit flaws in iPhone software that let them remove limits on how many passwords can be tried before the device erases its data, the researchers said. Typically, iPhones allow 10 password attempts. The tools then use a so-called brute-force attack, or repeated automated attempts of thousands of passcodes, until one works.

“The iPhone 5 is so old, you are guaranteed that Grayshift and Cellebrite can break into those every bit as easily as Apple could,” said Nicholas Weaver, a lecturer at the University of California, Berkeley, who has taught iPhone security.

Chuck Cohen, who recently retired as head of the Indiana State Police’s efforts to break into encrypted devices, said his team used a $15,000 device from Grayshift that enabled it to regularly get into iPhones, particularly older ones, though the tool didn’t always work.

In the San Bernardino case, the Justice Department’s Office of Inspector General later found the F.B.I. had not tried all possible solutions before trying to force Apple to unlock the phone. In the current case, Mr. Barr and other Justice Department officials have said they have exhausted all options, though they declined to detail exactly why third-party tools have failed on these phones as the authorities seek to learn if the gunman acted alone or coordinated with others.

“The F.B.I.’s technical experts — as well as those consulted outside of the organization — have played an integral role in this investigation,” an F.B.I. spokeswoman said. “The consensus was reached, after all efforts to access the shooter’s phones had been unsuccessful, that the next step was to reach out to start a conversation with Apple.”

Security researchers speculated that in the Pensacola case, the F.B.I. might still be trying a brute-force attack to get into the phones. They said major physical damage may have impeded any third-party tools from opening the devices. The Pensacola gunman had shot the iPhone 7 Plus once and tried destroying the iPhone 5, according to F.B.I. photos.

The F.B.I. said it fixed the iPhones in a lab so that they would turn on, but the authorities still couldn’t bypass their encryption. Security researchers and the former Apple executive said any damage that prevented third-party tools from working would also preclude a solution from Apple.

A Justice Department spokeswoman said in an email: “Apple designed these phones and implemented their encryption. It’s a simple, ‘front-door’ request: Will Apple help us get into the shooter’s phones or not?”

While Apple has closed loopholes that police have used to break into its devices and resisted some law enforcement requests for access, it has also routinely helped police get information from phones in cases that don’t require it to break its encryption. Apple has held seminars for police departments on how to quickly get into a suspect’s phone, and it has a hotline and dedicated team to aid police in time-sensitive cases.

In the past seven years, Apple has also complied with roughly 127,000 requests from American law enforcement agencies for data stored on its computer servers. Such data is unencrypted and access is possible without a customer’s passcode.

In 2016, when the standoff between Apple and the government was at its most acrimonious, Mr. Cook said Congress should pass a law to decide the boundaries between public safety and technological security. In court filings, Apple even identified an applicable law, the Communications Assistance for Law Enforcement Act.

On Monday, Mr. Barr said the Trump administration had revived talks with Congress to come up with such a law.

Jack Nicas reported from San Francisco, and Katie Benner from Washington.

Barr Asks Apple to Unlock Pensacola Killer’s Phones, Setting Up Clash

WASHINGTON — Attorney General William P. Barr declared on Monday that a deadly shooting last month at a naval air station in Pensacola, Fla., was an act of terrorism, and he asked Apple in an unusually high-profile request to provide access to two phones used by the gunman.

Mr. Barr’s appeal was an escalation of a continuing fight between the Justice Department and Apple pitting personal privacy against public safety.

“This situation perfectly illustrates why it is critical that the public be able to get access to digital evidence,” Mr. Barr said. He called on technology companies to find a solution and complained that Apple had provided no “substantive assistance,” a charge that the company strongly denied on Monday night, saying it had been working with the F.B.I. since the day of the shooting.

Detailing the results of the investigation into the Dec. 6 shooting that killed three sailors and wounded eight others, Mr. Barr said the gunman, Second Lt. Mohammed Saeed Alshamrani — a Saudi Air Force cadet training with the American military — had displayed extremist leanings.

Mr. Alshamrani warned on last year’s anniversary of the Sept. 11, 2001, attacks that “the countdown has begun” and posted other anti-American, anti-Israeli and jihadist social media messages, some within hours of attacking the base, Mr. Barr said. “The evidence shows that the shooter was motivated by jihadist ideology,” the attorney general said.

The government has also removed from the country some 21 Saudi students who trained with the American military, Mr. Barr said. He stressed that investigators found no connection to the shooting among the cadets, but said that some had links to extremist movements or possessed child pornography. Mr. Barr said the cases were too weak to prosecute but that Saudi Arabia kicked the trainees out of the program.

The battle between the government and technology companies over advanced encryption and other digital security measures has simmered for years. Apple, which stopped routinely helping the government unlock phones in late 2014 as it adopted a more combative stance and unveiled a more secure operating system, has argued that data privacy is a human rights issue. If Apple developed a way to allow the American government into its phones, its executives argued, hackers or foreign governments like China would exploit the tool.

But frustrated law enforcement officials accuse Apple of providing a haven for criminals. They have long pushed for a legislative solution to the problem of “going dark,” their term for how increasingly secure phones have made it harder to solve crimes, and the Pensacola investigation gives them a prominent chance to make their case.

In a statement Monday night, Apple said the substantive aid it had provided law enforcement agencies included giving investigators access to the gunman’s iCloud account and transaction data for multiple accounts.

The company’s statement did not say whether Apple engineers would help the government get into the phones themselves. It said that “Americans do not have to choose between weakening encryption and solving investigations” because there are now so many ways for the government to obtain data from Apple’s devices — many of which Apple routinely helps the government execute.

It will not back down from its unequivocal support of encryption that is impossible to crack, people close to the company said.

Justice Department officials said that they needed access to Mr. Alshamrani’s phones to see data and messages from encrypted apps like Signal or WhatsApp to determine whether he had discussed his plans with others at the base and whether he was acting alone or with help.

“We don’t want to get into a world where we have to spend months and even years exhausting efforts when lives are in the balance,” Mr. Barr said. “We should be able to get in when we have a warrant that establishes that criminal activity is underway.”

The confrontation echoed the legal standoff over an iPhone used by a gunman who killed 14 people in a terrorist attack in San Bernardino, Calif., in late 2015. Apple defied a court order to assist the F.B.I. in its efforts to search his device, setting off a fight over whether privacy enabled by impossible-to-crack encryption harmed public safety.

The San Bernardino dispute was resolved when the F.B.I. found a private company to bypass the iPhone’s encryption. Tensions between the two sides, however, remained, and Apple worked to ensure that neither the government nor private contractors could open its phones.

Mr. Barr said that Trump administration officials have again begun discussing a legislative fix.

But the F.B.I. has been bruised by Mr. Trump’s unsubstantiated complaints that former officials plotted to undercut his presidency and by a major inspector general’s report last month that revealed serious errors with aspects of the Russia investigation. A broad bipartisan consensus among lawmakers allowing the bureau to broaden its surveillance authorities is most likely elusive, though some lawmakers singled out Apple for its refusal to change its stance.

“Companies shouldn’t be allowed to shield criminals and terrorists from lawful efforts to solve crimes and protect our citizens,” Senator Tom Cotton, Republican of Arkansas, said in a statement. “Apple has a notorious history of siding with terrorists over law enforcement. I hope in this case they’ll change course and actually work with the F.B.I.”

Apple typically complies with court orders to turn over information on its servers. But it said that it would turn over only the data it had, implying that it would not work to unlock the phones.

Investigators secured a court order within a day of the shooting, allowing them to search the phones, Mr. Barr said. He turned up the pressure on Apple a week after the F.B.I.’s top lawyer, Dana Boente, asked the company for help searching Mr. Alshamrani’s iPhones.

Officials said that the F.B.I. was still trying to gain access to the phones on its own and approached Apple only after asking other government agencies, foreign governments and third-party technology vendors for help, to no avail.

The devices were older models: an iPhone 7 with a fingerprint reader and an iPhone 5, according to a person familiar with the investigation.

Justice Department officials said that investigators have yet to make a final determination about whether Mr. Alshamrani conspired with others. They said that the Saudi government was offering “unprecedented” cooperation but that “we need to get into those phones.”

Mr. Barr and other law enforcement officials described a 15-minute shootout before security officers shot and killed Mr. Alshamrani. During the firefight, Mr. Alshamrani paused at one point to shoot one of his phones once, Mr. Barr said, adding that his other phone was also damaged but that the F.B.I. was able to repair them well enough to be searched.

Mr. Alshamrani also shot at photographs of President Trump and one of his predecessors, said David Bowdich, the deputy director of the F.B.I. A person familiar with the investigation identified the unnamed president as George W. Bush.

Mr. Alshamrani’s weapon was lawfully purchased in Florida under an exemption that allows nonimmigrant visa holders to buy firearms if they have a valid hunting license or permit, officials said.

Law enforcement officials have continued to discuss Mr. Alshamrani’s phones with Apple, they said.

“We’re not trying to weaken encryption, to be clear,” Mr. Bowdich said at a news conference, noting that the issue has come up with thousands of devices that investigators want to see in other cases.

“We talk about this on a daily basis,” he said. Mr. Bowdich was the bureau’s top agent overseeing the San Bernardino investigation and was part of the effort to push Apple to crack into the phone in that case.

But much has also changed for Apple in the years since Tim Cook, its chief executive, excoriated the Obama administration publicly and privately in 2014 for attacking strong encryption. Obama officials who were upset by Apple’s stance on privacy, along with its decision to shelter billions of dollars in offshore accounts and make its products almost exclusively in China, aired those grievances quietly.

Now Apple is fighting the Trump administration, and Mr. Trump has shown far more willingness to publicly criticize companies and public figures. When he recently claimed falsely that Apple had opened a manufacturing plant in Texas at his behest, the company remained silent rather than correct him.

At the same time, Apple has financially benefited more under Mr. Trump than under President Barack Obama. It reaped a windfall from the Trump administration’s tax cuts, and Mr. Trump said he might shield Apple from the country’s tariff war with China.

He had said last month that finding a way for law enforcement to gain access to encrypted technology was one of the Justice Department’s “highest priorities.”

Mr. Alshamrani, who was killed at the scene of the attack, came to the United States in 2017 and soon started strike-fighter training in Florida. Investigators believe he may have been influenced by extremists as early as 2015.

Mr. Barr rejected reports that other Saudi trainees had known of and recorded video of the shooting. Mr. Alshamrani arrived at the scene by himself, and others in the area began recording the commotion only after he had opened fire, Mr. Barr said. They and other Saudi cadets cooperated with the inquiry, he added.

Jack Nicas contributed reporting from San Francisco.

Major TikTok Security Flaws Found

TEL AVIV — TikTok, the smartphone app beloved by teenagers and used by hundreds of millions of people around the world, had serious vulnerabilities that would have allowed hackers to manipulate user data and reveal personal information, according to research published Wednesday by Check Point, a cybersecurity company in Israel.

The weaknesses would have allowed attackers to send TikTok users messages that carried malicious links. Once users clicked on the links, attackers would have been able to take control of their accounts, including uploading videos or gaining access to private videos. A separate flaw allowed Check Point researchers to retrieve personal information from TikTok user accounts through the company’s website.

“The vulnerabilities we found were all core to TikTok’s systems,” said Oded Vanunu, Check Point’s head of product vulnerability research.

TikTok learned about the conclusions of Check Point’s research on Nov. 20 and said it had fixed all of the vulnerabilities by Dec. 15.

The app, whose parent company is based in Beijing, has been called “the last sunny corner on the internet.” It allows users to post short, creative videos, which can easily be shared on various apps.

It has also become a target of lawmakers and regulators who are suspicious of Chinese technology. Several branches of the United States military have barred personnel from having the app on government-issued smartphones. The vulnerabilities discovered by Check Point are likely to compound those concerns.

TikTok has exploded in popularity over the past two years, becoming a rare Chinese internet success story in the West. It has been downloaded more than 1.5 billion times, according to the data firm Sensor Tower. Near the end of 2019, the research firm said TikTok appeared to be on its way to more downloads for the year than better-known apps from Facebook, Instagram, YouTube and Snap.

But new apps like TikTok offer opportunities for hackers looking to target services that haven’t been tested through years of security research and real-world attacks. And many of its users are young and perhaps not mindful of security updates.

“TikTok is committed to protecting user data,” said Luke Deshotels, the head of TikTok’s security team.

“Like many organizations, we encourage responsible security researchers to privately disclose zero day vulnerabilities to us,” he added. “Before public disclosure, Check Point agreed that all reported issues were patched in the latest version of our app. We hope that this successful resolution will encourage future collaboration with security researchers.”

Mr. Deshotels said there was no indication in customer records that a breach or an attack had occurred.

TikTok’s parent company, ByteDance, is one of the world’s most valuable tech start-ups. But TikTok’s popularity and its roots in China, where no large corporation can thrive outside the good graces of the government, have prompted intense scrutiny of the app’s content policies and data practices.

American lawmakers have expressed concern that TikTok censors material that the Chinese government does not like and allows Beijing to collect user data. TikTok has denied both accusations. The company also says that although ByteDance’s headquarters are in Beijing, regional managers for TikTok have significant autonomy over operations.

Check Point’s intelligence unit examined how easy it would be to hack into TikTok user accounts. It found that various functions of the app, including sending video files, had security issues.

“I would expect these types of vulnerabilities in a company like TikTok, which is probably more focused on tremendous growth, and on building new features for their users, rather than security,” said Christoph Hebeisen, the head of research at Lookout, another cybersecurity company.

One vulnerability allowed attackers to use a link in TikTok’s messaging system to send users messages that appeared to come from TikTok. The Check Point researchers tested the weakness by sending themselves links with malware that let them take control of accounts, uploading content, deleting videos and making private videos public.

The researchers also found that TikTok’s site was vulnerable to a type of attack that injects malicious code into trusted websites. Check Point researchers were able to retrieve users’ personal information, including names and birth dates.

Check Point sent a summary of its findings to the Department of Homeland Security in the United States.

The Committee on Foreign Investment in the United States, a panel that reviews investment deals on national security grounds, is also looking into ByteDance’s 2017 acquisition of Musical.ly, a lip-syncing app that the company later merged into TikTok. That deal set the stage for TikTok’s rapid rise in the United States and Europe.

There are also concerns about the company’s data privacy practices. In February, the Federal Trade Commission filed a complaint against TikTok, saying it illegally collected personal information from minors. The complaint claimed that Musical.ly had violated the Children’s Online Privacy Protection Act, which requires websites and online companies to direct children under 13 to get parental consent before the companies collect personal information.

TikTok agreed to pay $5.7 million to settle the complaint and said it would abide by COPPA. TikTok is still being investigated by the British Information Commissioner’s Office to determine if it violated European privacy laws that offer special protections to minors and their data.

Ronen Bergman reported from Tel Aviv, Sheera Frenkel from San Francisco, and Raymond Zhong from Hong Kong.


F.B.I. Asks Apple to Help Unlock Two iPhones

SAN FRANCISCO — The encryption debate between Apple and the F.B.I. might have found its new test case.

The F.B.I. said on Tuesday that it had asked Apple for the data on two iPhones that belonged to the gunman in the shooting last month at a naval base in Pensacola, Fla., possibly setting up another showdown over law enforcement’s access to smartphones.

Dana Boente, the F.B.I.’s general counsel, said in a letter to Apple that federal investigators could not gain access to the iPhones because they were locked and encrypted and their owner, Second Lt. Mohammed Saeed Alshamrani of the Saudi Royal Air Force, is dead. Two people who had seen the letter described it to The New York Times on the condition of anonymity because the government’s investigation into the shooting is still active.

The F.B.I. has a search warrant for the devices and is seeking Apple’s assistance executing it, the people said.

Lieutenant Alshamrani is the Saudi Air Force trainee who federal authorities believe shot and killed three sailors at Naval Air Station Pensacola in December.

The case could become a new point of contention in a long-running dispute between Apple and the F.B.I. over what digital information should be accessible to law enforcement. In 2014, Apple started building encryption into iPhones that can be unlocked only with a given device’s password, meaning even Apple cannot bypass the security. The technology has frustrated law enforcement authorities, who say Apple has given criminals a safe haven.

Apple said in a statement that it had given the F.B.I. all the data “in our possession” related to the Pensacola case when it was asked a month ago. “We will continue to support them with the data we have available,” the company said. Apple regularly complies with court orders to turn over information it has on its servers, such as iCloud data, but it has long argued that it does not have access to material stored only on a locked, encrypted iPhone.

An F.B.I. spokeswoman confirmed the existence of the letter, which was first reported by NBC News, but declined to comment further.

Before sending the letter, the F.B.I. checked with other government agencies and its national security allies to see if they had a way into the devices — but they did not, according to one of the people familiar with the investigation.

The official said the F.B.I. was not asking Apple to create a so-called backdoor or technological solution to get past its encryption that must be shared with the government. Instead, the government is seeking the data that is on the two phones, the official said.

Apple has argued in the past that obtaining such data would require it to build a backdoor, which it said would set a dangerous precedent for user privacy and cybersecurity.

The Pensacola case resembles the 2016 dispute between Apple and the F.B.I. over the iPhone of the man who, along with his wife, shot and killed 14 people in San Bernardino, Calif. As in that case, there is a dead gunman, a court authorization to gain entry to a phone, and an early stalemate between law enforcement and Apple.

But the San Bernardino investigation turned into a high-stakes showdown after a federal judge ordered Apple to help the authorities gain entry to the phone. Such a court order has not been issued in the Pensacola case, and it does not appear that the F.B.I. has yet sought such a ruling.

The letter could be the first step toward such an order, as the F.B.I. would likely need to show a judge that Apple had refused to assist in executing a warrant. Apple did not respond to a question about whether it would comply with the F.B.I.’s request in the Pensacola investigation.

After the federal judge ordered Apple to create a way to open the San Bernardino gunman’s phone in 2016, Tim Cook, Apple’s chief executive, responded with a 1,100-word letter in which he said that creating such a backdoor would compromise the security of every iPhone.

“The government suggests this tool could only be used once, on one phone,” he said. “But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices.”

Mr. Cook made an aggressive argument to the public that the Obama administration’s actions would undermine people’s privacy and security. But he may find it more difficult to attack the Trump administration, which has long dangled the threat of tariffs on Apple’s products.

Mr. Cook has become an ally of President Trump, visiting him regularly in Washington and recently hosting him at a Mac computer factory in Texas, where the president claimed he had helped spur its construction when it had actually been open for six years.

The dispute over the San Bernardino case was resolved when the F.B.I. found a private company that was able to bypass the iPhone’s encryption. The Justice Department’s Office of Inspector General later found that the F.B.I. had not exhausted all possible solutions to unlock the phone before it tried to force Apple to build a way past the encryption.

Both sides have since doubled down on their stances. Apple has made its encryption even tougher, closing gaps that law enforcement had exploited to gain entry to iPhones.

And Attorney General William P. Barr has recently turned up his criticism of encryption. He said last month that finding a way for law enforcement to gain access to encrypted technology was one of the Justice Department’s “highest priorities.”

In several speeches last year, he noted that drug cartels, human trafficking rings and child pornographers depended on consumer products with strong encryption, such as WhatsApp and Signal, and he has singled out Facebook’s efforts to wrap all of its products in virtually unbreakable encryption as a scourge for law enforcement.

“We’re talking about when you have a warrant and probable cause and you cannot get the information,” Mr. Barr said at a Wall Street Journal conference in Washington last month.

Companies like Facebook are selling the idea that “no matter what you do, you’re completely impervious to government surveillance,” Mr. Barr said. “Do we want to live in a society like that? I don’t think we do.”

Jack Nicas reported from San Francisco, and Katie Benner from Washington.


Satori Cyber raises $5.25M to help businesses protect their data flows

The amount of data that most companies now store — and the places they store it — continues to increase rapidly. With that, the risk of the wrong people managing to get access to this data also increases, so it’s no surprise that we’re now seeing a number of startups that focus on protecting this data and how it flows between clouds and on-premises servers. Satori Cyber, which focuses on data protection and governance, today announced that it has raised a $5.25 million seed round led by YL Ventures.

“We believe in the transformative power of data to drive innovation and competitive advantage for businesses,” the company says. “We are also aware of the security, privacy and operational challenges data-driven organizations face in their journey to enable broad and optimized data access for their teams, partners and customers. This is especially true for companies leveraging cloud data technologies.”

Satori is officially coming out of stealth mode today and launching its first product, the Satori Cyber Secure Data Access Cloud. This service provides enterprises with the tools to provide access controls for their data, but maybe just as importantly, it also offers these companies and their security teams visibility into their data flows across cloud and hybrid environments. The company argues that data is “a moving target” because it’s often hard to know how exactly it moves between services and who actually has access to it. With most companies now splitting their data between lots of different data stores, that problem only becomes more prevalent over time and continuous visibility becomes harder to come by.

“Until now, security teams have relied on a combination of highly segregated and restrictive data access and one-off technology-specific access controls within each data store, which has only slowed enterprises down,” said Satori Cyber CEO and Co-founder Eldad Chai. “The Satori Cyber platform streamlines this process, accelerates data access and provides a holistic view across all organizational data flows, data stores and access, as well as granular access controls, to accelerate an organization’s data strategy without those constraints.”

Both co-founders previously spent nine years building security solutions at Imperva and Incapsula (which acquired Imperva in 2014). Based on this experience, they understood that onboarding had to be as easy as possible and that operations would have to be transparent to the users. “We built Satori’s Secure Data Access Cloud with that in mind, and have designed the onboarding process to be just as quick, easy and painless. On-boarding Satori involves a simple host name change and does not require any changes in how your organizational data is accessed or used,” they explain.