Archive for Arik Hesseldahl

Apple Denies Working with NSA on iPhone Backdoor

iPhone5S_trioApple just responded to newly released documents claiming that the U.S. National Security Agency has a method for gaining backdoor access to its iPhone. It says it has never worked with the agency, and is unaware of the alleged program targeting the iPhone known as DROPOUTJEEP.

The program was disclosed in a trove of documents leaked yesterday and shared by the security researcher Jacob Appelbaum and the German news magazine Der Spiegel.

Here’s Apple’s statement in full:

Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products. We care deeply about our customers’ privacy and security. Our team is continuously working to make our products even more secure, and we make it easy for customers to keep their software up to date with the latest advancements. Whenever we hear about attempts to undermine Apple’s industry-leading security, we thoroughly investigate and take appropriate steps to protect our customers. We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

According to the Der Spiegel documents, DROPOUTJEEP is software that can be implanted on an iPhone. It provides SIGINT or signals intelligence including the ability to push and pull files from the phone, retrieve text messages, contact lists, voice mail messages, the phone’s location, and turn on the internal microphone and activate the camera. Data can be removed or “exfiltrated” as the slide reads, over wireless data connections.

Here’s another interesting line, which you can read in the original slide below. The initial version requires “close access methods,” which means you have to have physical access to the phone. This would suggest that there’s no way the NSA could be readily installing this on the millions of iPhones around the world and thus spying on them all.

However: The slide goes on to say that future versions of DROPOUTJEEP might be installed remotely, which implies over the air, without physical access.

Also important: The slide dates from October, 2008, back when the iPhone was still relatively new and running on iOS 5 an much earlier version of iOS*. There’s no indication as yet about any efforts by the NSA’s specialized teams in the Access Network Technology, or ANT division about later phones or later operating systems.

Here’s the original DROPOUTJEEPSLIDE from the NSA’s catalog.

dropoutjeepslide

*A few readers have reminded me that iOS 5 didn’t come on the scene until about 2011. I’ve asked Apple to clarify exactly which version of iOS was in use in the fall of 2008.

You Won’t Believe All the Crazy Hardware the NSA Uses for Spying

nsa_candygramOver the weekend we learned a lot about the National Security Agency’s Access Network Technology, or ANT, division, that, in the words of Der Spiegel, the German news magazine that first disclosed it based on leaked documents from Edward Snowden, can break pretty much any lock on any computing or network hardware you can think of.

Now we can see the catalog itself. Courtesy this post on Leaksource, you can flip through the numerous single-page descriptions of the NSA’s specialized hardware.

For example, there’s FEEDTHROUGH, a method for gaining access to firewalls from Juniper Network’s Netscreen product line. There’s also JETPLOW, which burrows into firewalls from Cisco Systems. In a stroke of irony that will not be lost on anyone, there’s HEADWATER, which is used on routers from China’s Huawei.

Here are a few more that caught my eye: NIGHTSTAND, a mobile Wi-Fi exploitation and insertion device “typically used where wired access to a target is not possible.” PICASSO is an otherwise typical, if outdated, GSM wireless phone (including two models from Samsung) that “collects user data, location information and room audio” and allows data to be collected via a laptop or via SMS “without alerting the target.”

And this one blows my mind: COTTONMOUTH-I. To the untrained eye, it looks like a typical USB plug at the end of an otherwise unremarkable USB cord. Inside there is a motherboard that provides a “wireless bridge into a target network as well as the ability to load exploit software onto target PCs.”

Here’s where to find it, if you want to look for yourself.

HP Is Negotiating to Settle Bribery Charges

hp_logo_darkComputing giant Hewlett-Packard said today that it is in “advanced discussions” to settle investigations brought by two U.S. regulators concerning allegations of bribery.

The company said it is under investigation by the U.S. Department of Justice and by the SEC for allegations that some former and current employees paid millions of dollars to win an IT contract with a Russian government agency. The investigations center on a 35-million-euro deal between a former HP subsidiary in Germany and the Russian General Prosecutors Office, and cover a time period beginning in 2001 and ending in 2006. The deal called for the HP subsidiary to install a new IT network at the Russian agency. The disclosure came in HP’s annual 10-K filing with the U.S. Securities and Exchange Commission.

German authorities have indicted four people involved in the deal, including two former and one current HP employee, on charges of bribery, breach of trust and tax evasion. In the U.S., the DOJ has been investigating the deal under the Foreign Corrupt Practices Act. In the filing, HP also said that U.S. regulators, as well as those in Mexico and Poland, are investigating other bribery allegations relating to deals with certain public sector agencies in those countries.

HP said in the filing that it is cooperating with all the agencies probing the Russian deal, and is in talks with U.S. authorities to resolve the matter. The investigations first surfaced in 2010.

It has been a tough couple of years for U.S. tech companies coping with bribery cases. Last year, Oracle paid $2 million to settle a case in India. And IBM ran into difficulties with a U.S. judge reviewing its proposed $10 million settlement with the SEC of bribery allegations surrounding dealings in China and South Korea. Earlier this year, authorities in the U.S. launched an investigation into alleged kickbacks by a Microsoft representative in China, and its relationship with resellers in Italy and Romania.

CIOs Brand Enterprise Social Tools as Most Overhyped Technology of the Year

survey-says-tshirtIt’s the end of the year, and that means a plethora of stories and lists with a lot of hyperbolic words like “hottest” or “greatest” in the headline rendering some kind of judgment on the prior 12 months.

Usually I tend to avoid these stories because there are too many of them. But I was attracted to this one in part because of its balance of the cynical and the not-cynical, and by the source of the survey data: The CIOs of large corporations.

It comes by way of Sierra Ventures, the enterprise-focused venture capital firm based in Palo Alto, Calif. For years that firm has maintained a network of about 70 CIOs at some of the world’s biggest companies, and has routinely sought their input on their needs from directly in the corporate IT trenches. Sierra has in turn allowed that advice to help guide its investment decisions and how it helps its portfolio companies grow.

Recently it held its annual CIO Summit, and the time came to ask about 40 of those CIOs what was on their minds. The result was a simple survey with one key question: What were the most overhyped and underhyped technologies being hawked to large enterprises during the year? The answers were pretty clear and, at least in the overhyped category, close to unanimous.

The most overhyped, in their view, were social tools aimed at the enterprise. This would include products like Jive, Microsoft’s Yammer, Salesforce.com’s Chatter, Moxie, VMWare’s Socialcast and a host of others.

Their reasoning, as Al Campa, a partner at Sierra Ventures put it, was equally simple: “They don’t feel there’s any evidence for a return on investment or ROI,” he said. “It just didn’t move the needle for them when compared to other technologies they looked at.”

It’s a kind of predictable answer where CIOs are concerned, but not chief marketing officers, or CMOs, said Tim Guleri, a managing partner at Sierra Ventures. “CIOs are all about controlling spending and driving down their costs and finding money to fund innovation elsewhere,” he said. “That’s different than CMOs, who are trying to drive branding and reach. They feel differently about the social tools” and are therefore more willing to experiment with their growing tech budgets.

Okay then. So what was underhyped? There were two answers, both of them kind of intertwined: Mobile and security.

Mobile technology was underhyped, the survey’s respondents said, because of the way it can change business processes that are specific to a given industry. If you’re a hotel chain, how you use smartphones and tablets in your day-to-day operation will differ from how a manufacturing or logistics company does it. The CIOs who took part in the survey, Guleri says, were united in saying that understanding this “vertical context” is incredibly important to their business. Once you establish that, the ROI is usually pretty clear.

But going mobile raises a lot of security questions, which brings us to the second underhyped technology of the year. All those mobile devices fundamentally change the security landscape. “The perimeter that you used to be protected is gone,” Guleri said. Mobile devices open up the possibility for a lot of methods for attacking corporate systems. “There’s a lot of pain and potential for innovation around security,” he said.

Of course much of this is pretty intuitive if you’ve been paying attention to the overarching trends in the corporate IT environment of the last few years. CIOs are often surveyed about their opinions, but it’s a little bit unusual for them to show quite so much unanimity as they appear to have done here.