New Episode Alert EP122
Apple fights back against law enforcement backdoors 👮
Weekly Blaze Podcast, Episode 122, May 25, 2020
Apple's Law Enforcement Dispute, Signal PINs, EasyJet Data Breach
I just received word that Silent Pocket just added two hot new colors (
and
) of their popular medium-sized faraday sleeve which will fit any size smartphone that you may have. Pick one up today to increase your digital privacy by visiting
and make sure you use discount code "sharedsecurity" to receive 15% off your order.
Over 90% of individuals show risky behavior in handling potential phishing messages according to Click Armor's free
. This engaging coronavirus edition of CanIBePhished.com can help identify your team's total vulnerability to phishing attacks that exploit the pandemic situation. So test your own vulnerability to phishing attacks for free now at
.
Apple Calls FBI Comments on Lack of Help Unlocking Florida Shooter's iPhone an 'Excuse to Weaken Encryption'
Last week the FBI confirmed that back in January they were finally able to access the iPhone of Mohammed Alshamrani, who conducted the mass shooting at the Pensacola, Florida Naval Air Station back in December. The FBI is quoted saying that Apple was "effectively no help" and Attorney General William Barr said it was a quote "great disappointment" that Apple refused to help investigators. He went on to say that Apple's decision has dangerous consequences for public safety and national security and is unacceptable in his judgement. In response, Apple stated that they did cooperate with the FBI by giving them everything they had about the shooter, including iCloud backups, account information, and transaction data, you know, the things that you would expect when a warrant is issued. However, the FBI wanted Apple to unlock and decrypt Alshamrani's device for them. Apple has stated many times in past situations that they do not have the capability to unlock passcode-protected devices and will not build a law enforcement "backdoor" into their products. Personally, I like the following quote from Apple in response to Mr. Barr's comments. "It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor -- one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers. There is no such thing as a backdoor just for the good guys, and the American people do not have to choose between weakening encryption and effective investigations."
In other Apple news, iOS 13.5 was released with the new "Exposure Notification API" framework which will support COVID-19 contact tracing apps from public health authorities. The good news is that this new feature comes disabled by default and will only be used if you happen to install a supported contact tracing app. In previous episodes of the show we've talked about some of the many privacy concerns with contact tracing apps, and it's not Apple's framework that’s the problem, it's the government agencies that will have access to all the personal data collected from these apps. To hear my thoughts on contact tracing apps check out
of the weekly show and for a more in-depth discussion with co-host Scott Wright, check out
of our monthly show.
Signal to move away from using phone numbers as user IDs
Popular end-to-end encrypted messaging app Signal has announced a new feature called
that will allow users to migrate account data between devices and eventually allow users to move away from using phone numbers as their user ID. While there have not been many privacy concerns about Signal, the fact that you still need to use your phone number for your user ID was a common complaint among privacy advocates. Here's how Signal PIN works. You'll first be asked to create a PIN code associated with your account. The PIN can be anything from a four-digit number to a complex alphanumeric string. The PIN will then encrypt your profile information, account settings, and local contacts and store this information on Signal's servers. No conversation data is ever backed up. So when you lose your phone or move to a new one, you can now easily move your profile data to your new device. Signal notes that it's really important to remember your PIN as without it, you won't be able to get your profile data back. This is why Signal put a plan in place to remind users to re-enter their PIN at regular and periodic intervals. In addition, Signal PIN can be used as a registration lock of sorts which can prevent an attacker from registering a victim's phone number on another device.
I really like this new update from Signal and it’s a great base for the start of moving away from phone numbers as user identifiers. Do you use Signal? If not, I highly recommend it for secure end-to-end messaging. If you're interested to find out more, check out our show notes
on how to get started with Signal.
British Airline EasyJet Suffers Data Breach Exposing 9 Million Customers' Data
Low-cost British airline EasyJet announced last week that
which exposed about 9 million email addresses and travel details of its customers. EasyJet's
also noted that around 2000 customers also had their credit card details accessed. EasyJet states that there has been no evidence that any compromised personal information has been misused and they would like to reassure customers that they quote "take the safety and security of their information very seriously". EasyJet has said that they will notify affected customers no later than May 26th. EasyJet has also notified the Information Commissioner's Office (or ICO), Britain's data protection agency, and they will continue to investigate the breach to further enhance their security.
British-based airlines have not fared well with large data breaches in the past. You may remember that the ICO fined British Airways a record £183 million for the 2018 data breach in which 380,000 payment cards were compromised. And this is not the best time to have a data breach. Because of the COVID-19 pandemic, attackers are capitalizing on data breaches to take advantage of victims through social engineering and phishing related emails. Often, attackers will spam out emails to millions of people hoping that they find just one person who was a victim of this breach. This is why we all need to stay vigilant even more so during this pandemic because attackers are not letting up anytime soon.
April Monthly Show, Episode 99
In episode 99 of our April monthly show: Apple and Google’s controversial efforts to create contact tracing technology, fighting COVID-19 criminal activity, and what the new normal means for startup companies!