7.4 C
Friday, November 24, 2017
Home Tags Password Authentication

Tag: Password Authentication

Password Authentication can be considered to be the knowledge factors: Something the user knows (e.g., a password, Partial Password, pass phrase, or personal identification number (PIN), challenge response (the user must answer a question, or pattern), Security question.

ByNeil J. Rubenking Vipre has been a name to conjure with in the antivirus business for quite some time.

The product has changed over the years, bouncing from company to company and, at one point, incorporating spyware protection from the well-regarded CounterSpy. Perhaps all that moving around wasn't the best for its health.

The current incarnation, ThreatTrack Vipre Antivirus 2016, isn't your best choice for comprehensive protection.
It did improve its antiphishing and malicious URL blocking scores significantly over the tests we ran on last year's edition, but it fared poorly in tests by independent antivirus labs. You have plenty of purchase options with Vipre. You can pick one, three, five, or 10 licenses and subscribe for one, two, three, or four years.

There's a discount for more licenses and longer subscriptions, of course. Protecting a single PC for one year costs $39.99, while a 10-license four-year subscription goes for $269.99, quite a bit less than what you'd pay for 40 single licenses (almost $1,600!). Installation is simple, if not precisely quick. You fire up the installer, copy and paste your license key, and click a button labeled Agree & Continue.

That's it.

The installer checks for program updates, performs the installation, downloads the latest virus definitions, and runs a scan for active malware. You don't have to do a thing, except perhaps get some coffee or a snack.
I found the full installation process took about 10 minutes. Vipre's main window retains the look introduced with the previous edition.

Buttons let you launch or schedule a scan.

A status panel reports on the latest scans and updates.

A couple of links let you manage your account or the program's settings.
It's very slick and simple. So-So Malware BlockingA full system scan with Vipre took 46 minutes, just a little longer than the current average.

Clearly the program performs some kind of optimization during that first scan, as a repeat scan completed in just five minutes.

AVG AntiVirus Free (2016) took 27 minutes for an initial scan on this system and two minutes for a repeat scan.

F-Secure Anti-Virus 2016 cut the time even more, with a 15-minute first scan and just over one minute to repeat the scan. Of course, speed means little unless it's coupled with accuracy. My hands-on malware blocking test starts when I open a folder that contains a few dozen known malware samples.
Vipre immediately leapt into the fray, eliminating 79 percent of the samples on sight. When I launched the surviving samples, it detected a few, but didn't completely prevent installation of executable files.
It managed 86 percent detection and an overall score of 8.1 points in this test. Two products share the top overall score.

Avast Pro Antivirus 2016 detected 100 percent of these same samples, and Bitdefender Antivirus Plus 2016 detected 93 percent.

Because Avast didn't completely prevent installation of malware traces, it earned 9.3 points, the same as Bitdefender.
Vipre's score puts it well below the median for this test. Of necessity, my samples in that hands-on test get used for many months. However, in my malicious URL blocking test the samples (provided by MRG-Effitas) are as new as I can manage, typically no more than a day or two old.

The test is simple enough.
I take the sample URLs and launch each in a browser protected by the product under testing.
I note whether it steers the browser away from the dangerous URL, eliminates the executable payload during download, or sits idly, doing nothing to prevent the download.
I continue until I have data for 100 malware-hosting URLs. When I tested Vipre's previous edition, it blocked just 38 percent, all of them during the download process.

This time around, Vipre's Search Guard and new Edge Protection components stepped up to raise the protection level impressively.

Between the two components, Vipre blocked access to 84 percent of the malware-hosting URLs.

Edge Protection did most of the work, though Search Guard (the one place you can still see Vipre's old snake icon) lent a hand. Vipre's 84 percent protection rate is pretty darn good; only five products have done better.

At the top of the heap are McAfee AntiVirus Plus (2016) and Symantec Norton Security Premium, each of which managed 91 percent protection. See How We Test Malware Blocking Improved Phishing Detection Malware-hosting websites are definitely dangerous, but you can also get into serious trouble by voluntarily entering your login credentials on a fraudulent website.
Imagine if a phishing site snagged your Amazon password, or the credentials for your online banking! Last year Vipre tanked this test.

This year's results are much, much better. To start my antiphishing test, I visit a number of sites that track these frauds.
Specifically, I scrape URLs that have been reported as fraudulent but not yet classified and blacklisted.
I open each URL simultaneously in a browser protected by the product under test and by antiphishing veteran Norton.
I also try each URL against the native protection of Chrome, Firefox, and Internet Explorer.

There's a lot of variation in the types of phishing URLs, and in their cleverness, so I report the difference between the detection rate of the various products, rather than hard numbers. Vipre's detection rate was just 6 percentage points behind Norton's, the same score managed by BullGuard Antivirus (2016).
Vipre also handily beat all three browsers. Roughly two-thirds of current products failed to beat at least one of the browsers, and half of those performed worse than all three browsers. See How We Test Antiphishing Sad Lab Results Vipre's scores in my own tests ranged from so-so malware blocking to excellent phishing protection.
It didn't fare as well with the independent testing labs.
ICSA Labs does certify Vipre for malware detection and cleaning, and West Coast Labs certifies it for detection.
It managed VB100 certification in eight of the last 10 tests by Virus Bulletin.

But the scores go downhill from there. In the latest three-part test by AV-Test Institute, Vipre earned 3 points for protection, 3 for performance, and 6 points for usability.

This last figure means that Vipre avoided screwing up by identifying valid apps and URLs as malicious.

But with 6 points possible in the important protection category, a score of 3 points is pretty bad.

Avira Antivirus 2015, Bitdefender, and Kaspersky Anti-Virus (2016) all managed a perfect 18 points in this same test. Vipre's one success with AV-Test involved avoiding false positives, but in tests by AV-Comparatives false positives proved problematic.

This lab tags products with Standard certification as long as they meet all essential capabilities.

Better products can earn Advanced or Advanced+ certification, while those that don't make the grade just rank as Tested.

And whatever the basic rating, enough false positives can drag it down. I follow five tests out of the many performed by this lab.
In latest instances of those tests, Vipre earned Advanced once and Standard twice, but failed the other two tests, both times due to false positives.

That looks especially bad compared with Bitdefender and Kaspersky, which took Advanced+ ratings in all five. See How We Interpret Antivirus Lab Tests Bonus FeaturesThe Email and Privacy settings pages demonstrate that Vipre offers a number of features above and beyond the basics of antivirus.
It checks your incoming and outgoing email for malware, quarantining any problems it finds.

And it quarantines phishing messages—but not spam; antispam is reserved for the Vipre suite.

The email protection works with desktop clients only, not Web-based email, and if your email client uses non-default ports you'll need some technical skills to make it work. Vipre's Social Watch component scans your Facebook page for malicious links. Naturally you have to log in to Facebook in order for it to work. You can stay logged in and set it to scan every so often, or log out for privacy.  When you enable the secure file eraser feature, it adds an item to the right-click menu for files and folders.

After you confirm that you want a particular file or folder gone forever, it overwrites the file's data before deletion, to prevent forensic recovery of sensitive data.
I'm just as happy that it doesn't let you configure this feature, since most users aren't remotely qualified to select between the available algorithms. As you browse the Web and use your computer, you leave behind a trail of clues that a nosy person could use to reconstruct your activities.
If that bothers you, the history cleaner component can help.
It will wipe out browsing traces for many popular browsers, recent file lists for popular applications, and a number of Windows-based traces.

There's a checkbox to show only programs that you actually have installed, but in my testing it did not seem to work.
I definitely don't have Safari, Opera, or ICQ in the test system, yet they remained visible even when I checked the box. Some Ups, Some Downs ThreatTrack Vipre Antivirus 2016 performed significantly better than the 2015 edition in some areas.
It scored quite a bit better in my antiphishing and malicious URL blocking tests, probably thanks to the new Edge Protection.
Its score in my hands-on malware-blocking test was so-so, much the same as last year, but if I see top scores from the labs, I give them more weight than my own test. Unfortunately, Vipre's labs scores aren't good at all. Antivirus is a big field, and I've identified a number of Editors' Choice products.

Bitdefender Antivirus Plus and Kaspersky Anti-Virus routinely take top honors from all of the independent labs. McAfee AntiVirus Plus does well in lab tests and my own tests, and one subscription protects all of your Windows, Mac OS, and mobile devices.

And Webroot SecureAnywhere Antivirus remains the tiniest antivirus around, with an especial focus on ransomware.

Any one of these will be a better choice for your system's antivirus protection.
An out-stretched arm slowly disappears... Response to the critical web-crypto-blasting DROWN vulnerability in SSL/TLS by cloud services has been much slower than the frantic patching witnessed when the Heartbleed vulnerability surfaced two years ago. DROWN (which stands for Decrypting RSA with Obsolete and Weakened eNcryption) is a serious design flaw that affects network services that rely on SSL and TLS.

An attacker can exploit support for the obsolete SSLv2 protocol – which modern clients have phased out but is still supported by many servers – to decrypt TLS connections. Successful attacks would give hackers the ability to intercept encrypted traffic (eg, passwords, credit card numbers, sensitive corporate data, etc) as well as impersonate a trusted cloud provider and modify traffic to and from the service using a man-in-the-middle attack. The Heartbleed bug meant attackers could read the memory of the systems protected by the vulnerable versions of OpenSSL. Pretty much anything in memory – SSL private keys, user passwords, and more – was open to thieves preying on unpatched systems as a result of the flaw, which emerged in April 2014. After one week, the number of cloud services vulnerable to Heartbleed fell from 1,173 to 86 (or a 92.7 per cent reduction).

By comparison, susceptibility to DROWN has only fallen from 653 to 620 (5.1 per cent) in the week since it burst onto the scene on Tuesday 1 March, according to figures from Skyhigh Networks' Cloud Security Labs. Skyhigh reckons 98.9 per cent of enterprises use at least one vulnerable service.

The average organisation uses 56 vulnerable cloud services, it reports. One-third of all HTTPS websites were potentially vulnerable to the DROWN attack at the time it was disclosed last week. Other experts, such as iSight Partners, reckon that DROWN is nowhere near as easy to exploit at Heartbleed because in the case of DROWN, an attacker already needs to be perched on a target network before feeding vulnerable systems attack traffic, among other factors. Heartbleed, by contrast, was much easier to exploit.

Even so, the DROWN vulnerability is a good candidate for prompt triage, particularly by the likes of cloud services, which market themselves as an agile and flexible enterprise computing resource. “Companies are adopting cloud services in record numbers, most of which have gone a long way to prove their worth and security to even the most cloud-sceptic industries such as financial services,” said Nigel Hawthorn, EMEA Marketing Director at Skyhigh Networks. “The cloud service industry acted fantastically in response to Heartbleed, and we need to see the same kind of response to DROWN today, which we haven’t to date.” Skyhigh Networks' technology allows organisations to monitor employee cloud use and lock down banned apps. ® Sponsored: DevOps for Dummies 2nd edition
Fingerprints, rather than passwords, are what more than a million financial services customers at USAA use to get online. Part of a trend toward multi-factor authentication (MFA), there is no stored list of passwords for hackers to steal. REUTERS/Fabri...
Step 1. Simply take over a victim's mobile phone number NatWest is tightening up its internet banking systems after security shortcomings were exposed by journalists. BBC hacks were able to hijack a colleague's NatWest online bank account and transfer money without knowing her password. The UK bank's parent, Royal Bank of Scotland (RBS) Group, is also shoring up its security. Radio 4's You and Yours revealed the security flaw after investigating complaints from the victims of SIM swap fraudsters. The SIM swap scam involves redirecting text messages from someone's mobe to another phone. El Reg covered the swindle three years ago. This is how is typically goes down: using some social engineering, the crook reports a victim's handset as lost or stolen to their mobile network, and asks for the victim's phone number to be swapped over to the crim's SIM. Alternatively, the crook just nicks the phone. Either way, the thief receives texts sent to the victim's number. As the You and Yours team found, the crim can then call NatWest and claim they've forgotten their customer ID number, password, PIN, and everything else needed to log into their online bank account. The bank will then text a code to the victim's number, which can be entered by the crook online to reset and change the password and PIN, and gain control of the bank account. This allowed a BBC reporter to siphon off £1.50 from a producer's account. On the one hand, an attacker must somehow gain control of a victim's phone number, which isn't straightforward. In the Beeb's case, the reporter was handed the producer's mobile and told to do her worst. It's not exactly Kevin Mitnick. On the other hand, simply having control of a person's phone number shouldn't immediately throw open the doors to all their money. So minus 10 points to NatWest. In response to the investigation, a community manager on NatWest's official forum stated that the "specific example put to us by You and Yours required them to know multiple pieces of personal information to generate the activation code and have control of the customer mobile phone," while admitting that its security needs improving and outlining forthcoming changes: We're implementing a number of new measures to further protect customers, including communicating with them using all of their registered methods of contacts with us, such as via email and text, to alert them any time a change is made to their contact details on online banking, in a similar way to Apple and Google. We are also introducing a 'cooling off period' of three days, which prevents payments being made via the mobile app when a reactivation has taken place. NatWest reckons that all manner of extra information would be needed to make a transaction, specifically the customer number, partial PIN and partial password. Crucially, though, the You and Yours team was able to set new passwords and PINs after claiming they had forgotten those login details. There was no email confirming a password change, a shortcoming RBS and NatWest has since addressed. The BBC team did not go through a step-by-step process of how the hack was carried out, due to an understandable concern to not give fraudsters fresh ideas. The community manager made a much better fist of explaining the bank's position than the hapless spokesperson fielded on BBC Radio 4's You and Yours, Chris Popple, manager director of digital at RBS/NatWest, who didn't get much past banalities about taking customer security seriously and repeatedly described the BBC's research as "helpful." In response to queries from El Reg, NatWest supplied a statement partly reiterating what its community manager had said: SIM swap fraud is an emerging issue across the industry, and we're working closely with Financial Fraud Action UK and mobile phone providers to enhance our customer authentication processes as fraudsters become more sophisticated. Our records show that of all the people who enroll in online banking and forget their details, only 0.01 per cent are fraudulent. We encourage all of our customers to protect their phone using a passcode or Touch ID, keep details of their PIN and online banking details secure, and to get in touch with us as soon as possible if they believe they have been a victim of fraud. As stated in our Digital Promise, if a customer does fall victim of fraud in this way, we will refund them. If you spot any security problems with your mobile or online banking, do ping us an email. ® Sponsored: Five essentials for improving endpoint security
Password resets could be brute-forced Facebook has slung US$15,000 in the direction of Anand Prakesh for discovering a serious bug on its beta servers. Late in February, Prakesh writes, he discovered that the company's beta sites didn't rate limit the PINs used for password resets. If you request a password reset via a PIN sent to your phone, after 10 or 12 invalid attempts the attacker is blocked. However, he writes, the same didn't apply to beta.facebook.com or mbasics.beta.facebook.com – and that made it trivial to write a script to brute-force the 6-digit PIN. No terms of service were harmed in the making of the attack though, since Prakash attacked his own account, as shown in this video. Youtube Video Here's the vulnerable request Prakash put in his notification to Facebook. POST /recover/as/code/ HTTP/1.1 Host: beta.facebook.com lsd=AVoywo13&n=XXXXX “Brute forcing the "n" successfully allowed me to set [a] new password for any Facebook user”, he writes.

Facebook has now patched the bug. ® Sponsored: DevOps: hidden risks and how to achieve results
IDG.TV | Mar 7, 2016 At the 2016 RSA Conference in San Francisco, CSO chats with SecureAuth about their behavioral biometrics technology, which allows or prevents access depending on a person's keystroke and mousing techniques.

Could this method replac...
The DOJ wants Apple return to security levels present in iOS 7, before default encryption. Two weeks ahead of a scheduled court date, Apple continues to publicly battle the FBI's request to unlock one of its iPhones.
Senior Vice President of Software Engineering Craig Federighi on Sunday penned an opinion piece for the Washington Post, which suggests that compliance will set mobile security back at least three years. The U.S. Justice Department, he said, believes security on iOS 7 was "good enough," so Apple should roll back to the security level of that operating system. "But the security of iOS 7, while cutting-edge at the time, has since been breached by hackers," Federighi wrote. "What's worse, some of their methods have been productized and are now available for sale to attackers who are less skilled by often more malicious." Apple decided to encrypt its mobile operating system by default beginning with iOS 8, meaning device-level data is inaccessible even to Cupertino, so the company cannot turn over things like phone passcodes and iMessage chats to the feds. But following a December terrorist attack in California, the government is itching to access an iPhone 5c issued to one of the shooters, Syed Rizwan Farook, by his employer, the San Bernardino Health Department. The FBI wants Apple to create a new mobile operating system, which could disable a feature that wipes the gadget after 10 incorrect password guesses—"intentionally creating a vulnerability that would let the government force its way into an iPhone," Federighi said. "Once created, this software—which law enforcement has conceded it wants to apply to many iPhones—would become a weakness that hackers and criminals could use to wreak havoc on the privacy and personal safety of us all," he added. The tech titan is even willing to take its fight against the FBI over iPhone backdoors all the way to the Supreme Court, where it would have the support of numerous industry heavyweights. Oral arguments are set for March 22 in federal court.
Canary squeals when domain admin credentials are pinched RSA 2016 Dell SecureWorks duo Joe Stewart and James Bettke have created a free honeypot loaded with fake domain credentials in a bid to help admins trap and block attackers. The researchers built the Domain Controller Enticing Password Tripwire (DCEPT) tool designed to help organisations unmask hackers and shore up defences ahead of attacks. Windows Active Directory credentials are among the most common and handy tools in an attacker's arsenal and the pair hope to foil those who access them with the tool. Network administrators often use domain administrator accounts to access network computers.
If any of those machines are compromised, attackers can swipe the credentials stored in cache using tools like Mimikatz. "With this information, the attacker gains total control of the network," the pair say. "These types of attacks can potentially terminate a company’s ability to do business. "Espionage or advanced-persistent-threat-style attacks have used this technique for years to compromise networks and steal protected data." The pair say the method is as common as it is effective, and has led to fleets of computers being permanently destroyed. "Even with reliable and recent data backups, the manpower it would take to restore an entire enterprise network is daunting." Stewart and Bettke, both seasoned forensic investigators, say solutions that identify anomalies are expensive and must be trained to capture normal behaviour. The DCEPT tool launched at the RSA San Francisco conference last week will identify what credential or honeytoken was stolen and from which machine. It sports an agent that drops honeytoken passwords into memory on endpoints, a network service that generates unique honeytokens at the request of an agent, and a sniffer service that looks at network traffic for signs that credentials are being stolen. The tool can be downloaded from GitHub and is available as a Docker container. ® Sponsored: Why every enterprise needs an Internet Performance Management (IPM) Strategy
Anti-virus engine easily disable. Intel Security has fixed a flaw that made it possible to shut down its McAfee Enterprise virus engine, thereby allowing the installation of malware and pirated software. The hotfix addresses an issue that Agazzini Maurizio, senior security advisor at Rome-based consultancy Mediaservice, first warned about 15 months ago. McAfee acknowledged the bypass in December 2014 and released the patch on 25 February 2016. The flaw requires users or attackers first gain local administrator privileges, a level of access that many organisations lazily afford staff. "McAfee VirusScan Enterprise has a feature to protect the scan engine from local Windows administrators [and] a management password is needed to disable it," Maurizio says. "From our understanding this feature is implemented insecurely: the McAfee VirusScan Console checks the password and requests the engine to unlock the safe registry keys. "No checks are done by the engine itself, so anyone can directly request the engine to stop without knowing the correct management password." All versions are affected. Attackers can either use Maurizio's tool or alter registry keys before opening the McAfee console and choosing 'no password' Removing administrator rights from user accounts goes a long way to helping organisational security postures. In May Manchester-based security firm Avecto reckoned 97 percent of critical Microsoft vulnerabilities released in 2014 would be mitigated by removing admin rights. ® Sponsored: Five essentials for improving endpoint security
The popular TV show's executive producer and actors realize it's edutainment, but they still try to get the facts straight and teach some security lessons. SAN FRANCISCO—Among the most highly anticipated sessions at the RSA Conference 2016 here was the keynote presentation with the producer and cast from the popular CBS TV drama "CSI: Cyber."Among many in the IT security community, "CSI: Cyber" is widely derided as an inaccurate and an over-hyped representation of how IT security works.

That's a claim that the executive producer and actors in the show don't explicitly deny, but that doesn't mean they aren't actually trying to get it right and improve IT security overall."CSI: Cyber," which focuses on cyber-crimes and IT security, is the latest iteration of the popular "CSI: Crime Scene Investigation" series.Anthony Zuiker, creator and executive producer of the CSI franchise, responded to the question about whether "CSI: Cyber" accurately represents the IT security industry. "It's show business." Zuiker points to what is known as the "CSI-effect," regarding how crimes are solved that can set up false expectations.

The effect can give people the false impression that law enforcement just needs to push a button to solve a crime, he added. "The CSI effect is also positive because it does send the announcement that on the worst day of your life, there are CSI agents out there that will find evidence and solve the crime."Zuiker said that with the show he is trying to send a positive message, and tell the best stories possible.
It's also not his direct intention to glamorize black hat hackers, but he reiterated that "CSI: Cyber" is first and foremost a TV drama."We understand perfectly that the people that do the real heavy lifting, the experts in the space, are on that side of the stage with you guys," Zuiker said pointing to the RSA Conference audience. "We're just trying to tell the best stories possible and help inform the world that there is cyber-crime out there and people need to be aware of it."In terms of how stories are developed, Zuiker explained that everything is focused on how relate-able the core of a given story is to the show's target audience. "We're trying to do story lines to cater to the most important part of our audience."The most important part of the CSI audience is women, who make up 60 percent of the CSI TV viewing audience, he said."It's very important that the American public in general understands that cyber-crime affects them almost every day and the devices in their pockets can be used as weapons in the hands of the wrong people," Zuiker said. "That's why our edutainment is as important as our entertainment."Zuiker, who visited various branches of law enforcement as part of his research for "CSI: Cyber," has received the same request to help get a few key messages out. One of them is to use complex passwords, and the other is to encourage people to do regular software updates.The positive impact of the CSI franchise has already been felt in other areas.
In Las Vegas, where the first CSI shows ran, local law enforcement had a Field Services division that performs crime scene investigations, that was getting 10 applications a year a decade ago.

Thanks in part to the visibility and exposure that the CSI shows give to the profession, Zuiker said that Las Vegas law enforcement now gets 55,000 job applications per year to be crime scene investigators.The "CSI: Cyber" show can help improve the chronic talent shortage in IT security by raising awareness, Zuiker said. "The challenge for our industry is to reach the young people that have great skills with computers that can be amazing white hats and do their civic duty to help protect this country."Actor Charley Koontz, who plays white-hat FBI agent Daniel Krumitz on "CSI: Cyber" commented that he's been the target for criticism on Twitter about how real the show is and what his character does. Koontz echoed Zuiker, noting that the goal is to make an entertaining TV show while providing some food for thought about security.Koontz isn't too worried about reality on TV. "We're on a network that shows Supergirl, so where the line lands in terms of how realistic we're supposed to be on TV isn't clear," he said.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.
Steam Store victims can expect an email from Valve. Valve has apologized for a winter Steam Sale breach—more than two months after 34,000 users had personal information exposed to other shoppers. The target of a Christmas Day denial of service attack, the online shop was overwhelmed by 2,000 percent more traffic than usual.
In an effort to counter the assault, a Valve partner deployed new caching rules, one of which incorrectly cached Web traffic for authenticated users, allowing some people to access details generated for others. As a result, those browsing the online shop between 2:50 and 4:20 p.m.

ET that day may have stumbled upon billing addresses, purchase histories, email addresses, and partial Steam Guard phone numbers and credit cards.

Folks were not, however, privy to full financial details, user passwords, or enough data to log in or complete a transaction as another user. Following a temporary shutdown of the Steam Store site, Valve worked with its Web caching partner to identify those whose information was accidentally served to others.

Before the New Year, the company said it would contact affected parties once they were identified. Now, contact has finally been made. "We're sorry this happened and have taken steps to prevent this problem from occurring in the future," Valve wrote in an email to customers, published by The Verge. Valve did not immediately respond to PCMag's request for comment. The message mostly reiterates a December update on the breach, with an explanation that "we want you to be aware of what information could have been seen by another Steam user." If you used the online store during the breach, and are still unsure about the safety of your personal details, email cachingissue@steampowered.com.
The term "cyber pathogen," however, seems to exist only in Harry Potter fan fiction. Does the San Bernardino shooter's iPhone contain anything of value for investigators? They FBI doesn't know, but the San Bernardino District Attorney suggests the county-owned handset could have been used as a weapon of mass cyber destruction. "The iPhone…may have connected to the San Bernardino County computer network," DA Michael Ramos said in a court filing. "The seized iPhone may contain evidence that it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino County's infrastructure." Local residents shouldn't be too quick to panic, though: iPhone forensics expert Jonathan Zdziarski debunked the DA's claims. "I quickly Googled the term 'cyber pathogen' to see if anyone had used it in computer science," Zdziarski wrote in a blog post.

The first result: Harry Potter fan fiction. "That's right, a Demigod from Gryffindor is the closest thing Google could find about cyber pathogens." Zdziarski said even CSI: Cyber is not bold enough to use "wildly non-existent terms" like "cyber pathogen" in its TV scripts. "There is absolutely nothing in the universe that knows what a cyber pathogen is," Zdziarski wrote. "Fagan's statements are not only misleading to the court, but amount to blatant fear mongering.

They are designed to manipulate the court into making a ruling for the FBI." The device in question—an iPhone 5c issued to Syed Rizwan Farook as part of his San Bernardino Health Department duties—is currently in the possession of the FBI, which wants Apple to disable a feature that wipes the gadget after 10 incorrect password guesses so that it may use an automated system to guess the phone's passcode and break in. According to Ramos, information contained on the smartphone could provide evidence to help the government identify co-conspirators "who would be prosecuted for murder and attempted murder." But to do that, Cupertino would need to create another mobile operating system that could open the encrypted device—a slippery slope, according to CEO Tim Cook, who is worried the workaround might end up in the wrong hands. Apple is even willing to take its fight against the FBI over iPhone backdoors all the way to the Supreme Court, where it would have the support of numerous industry heavyweights. Oral arguments are set for March 22 in federal court.