Author: Miranda

Despite end-to-end encryption, your WhatsApp and Telegram chats can be spied on

end-to-end-encryptionEven though WhatsApp promises end-to-end encryption on all of its chats, and Telegram offers end-to-end encryption on secret chats, the truth is that messages on these platforms can still be hacked. The reason is because the messaging apps still rely on phone networks that use Signalling System No. 7, better known as SS7.

You might recall that back in April, we told you about SS7 when we passed along a story shown on 60 Minutes about hacking. SS7 is a protocol used to connect carriers around the world and affects all smartphone users regardless of the device they use. While SS7 can’t break the encryption employed by the two aforementioned messaging apps, it can be used to fool a wireless operator into helping the hacker open a duplicate WhatsApp and Telegram account in the name of the target.

The first step that a hacker employing SS7 does is trick the target’s carrier into believing that his phone number is the same as the target’s mobile number. Once that is accomplished, the hacker installs WhatsApp and Telegram on his phone, and uses the target’s number to set up new accounts. This will allow them to receive the secret code falsely proving that the hacker is the legitimate user of these accounts. Once all this is accomplished, the ruse is on as the hacker can send and receive messages pretending to be the target.

You can see how this all works by watching the pair of videos below. Most security firms still prefer WhatsApp and Telegram for their end-to-end encryption, which prevents “man-in-the-middle” hacks that redirect messages to a hacker’s phone. But obviously, opening a duplicate account can allow hackers to read messages not intended for their prying eyes.

​Symantec warns encryption and privacy are not the same

“Encryption and privacy is not the same thing,” said Nick Savvides, Symantec APAC cybersecurity strategy manager.

Encryption is a privacy “enhancing tool”, Savvides went on to explain, while privacy is more about handling what information is collected, how the collected information is handled, and what other data can be derived from it. The two are often confused because they are related: Encryption is used to maintain privacy.

Savvides said that unfortunately most websites do not use encryption, highlighting the company’s most recent Internet Threat Security Report, which revealed that 97 percent of active websites do not have any basic security and 75 percent have unpatched vulnerabilities, with 16 percent of those being critical.

Meanwhile, the remaining 3 percent of active websites with security are banks and corporate businesses, according to Savvides.

He said the IT security community often blames “lazy” users for the lack of encryption. However, he said the real hindrance is the complexity that is involved with encryption, and it’s often something that users expect to be provided with.

“They don’t do [encryption] because it’s hard; they only do it when they absolutely have to,” he said.

He pointed out that iMessage, Apple’s built-in instant messaging service, and more recently mobile messaging app Whatsapp, are two examples of where end-to-end encryption is provided, and not something that users have to actively go seek.

In turn, the security company has extended its partnership program, Encryption Everywhere to Australia, which is already live in North America and Europe. The program falls under Symantec’s goal to achieve 100 percent encryption for all websites globally by 2018.

Under the Encryption Everywhere program, Symantec has initially partnered with WHMCS and cPanel to hand out domain-validated TLS/SSL certificates for free, before taking a multi-tier paid model approach.

“We’d like to see broader base encryption utilised across the world, across the internet. Whether it’s ours or somebody else’s, we’d like to see it adopted because it will make the internet a safer place, free from prying eyes,” Savvides said.

Survey findings from Norton by Symantec released on Tuesday indicated that online threats will not be slowing, particularly with the proliferation of the Internet of Things.

The survey showed that while almost two thirds of Australians use at least one mobile app to manage their finances or control other connected devices, 66 percent do not have security software on their smartphones, and 33 percent choose not to have a password or PIN on these devices.

Despite this, 61 percent of Australians admitted that they would be upset if their financial information was compromised.

According to Mark Gorrie, Norton by Symantec APAC director, as the smartphone becomes a central control hub and a “gateway” to other devices, the onus is on both the vendor and the user to ensure security is top of mind. Gorrie, however, pointed out that historically, vendors have always seen security as an afterthought, but indicated that it has improved more recently.

“Vendors should be taking seriously because it is such a big issue. We see the threats just keep growing every year, and just won’t give up because it’s a profitable business for a lot of people. There is definitely a responsibility security should rank highly on the devices vendors are releasing, but equally people have to be proactive to help themselves,” he said.

Allo doesn’t offer default end-to-end encryption setting because it would disable Google Assistant

When Google unveiled Allo — their smart messaging app coming soon to Android and iOS — one of the more interesting features they revealed was end-to-end encryption. As we later learned, the technology powering Allo’s end-to-end encryption was built upon Signal Protocol, the same open-source protocol from Open Whisper Systems that WhatsApp currently uses.

We’ve known since the announcement that E2E encryption was a feature of Allo’s Incognito mode, but now Ars Technica has confirmed exactly why this is the case. Because Google Assistant is such a huge part of Allo, it simply wouldn’t be possible for Google to listen in on conversations and provide smart suggestions for restaurants, or quick replies.

This is after Thai Duong, the co-leader on Google’s product security team, made it known in a blog post that he wished Allo’s E2E encryption was enabled by default (outside of Incognito Mode) — not an option left up to the user. The sentiment was further echoed by Edward Snowden in a Twitter post, advising users to avoid using it for now.

It didn’t take long for Duong’s higher-uppers to get word and the blog post was promptly revised (several times, actually). Duong did mention that it would be possible for Google to add a default encryption option where Google Assistant would only work when messaged directly, but there’s currently no plans to add such a feature.

In the end, what it comes down to is whether the user values Google Assistant over the privacy of Incognito Mode. It’d be nice to have both, but for now it’s just one or the other.

Google engineer says he’ll push for default end-to-end encryption in Allo

Google engineer says he'll push for default end-to-end encryption in Allo

After Google’s decision not to provide end-to-end encryption by default in its new chat app, Allo, raised questions about the balance of security and effective artificial intelligence, one of the company’s top security engineers said he’d push for end-to-end encryption to become the default in future versions of Allo.

Allo debuted with an option to turn on end-to-end encryption, dubbed “incognito mode.” Google obviously takes security seriously, but had to compromise on strong encryption in Allo in order for its AI to work. (Allo messages are encrypted in transit and at rest.)

Thai Duong, an engineer who co-leads Google’s product security team, wrote in a blog post today that he’d push for end-to-end encryption in Allo — then quietly deleted two key paragraphs from his post. In the version he originally published, Duong wrote:

Google engineer says he'll push for default end-to-end encryption in Allo

These two paragraphs have been erased from the version of Duong’s post that is currently live.

This edit probably doesn’t mean that Duong won’t continue to lobby internally for end-to-end encryption — his job is to make Google’s products as secure as possible. But Google, like most major companies, is pretty cagey about revealing its plans for future products and likely didn’t want Duong to reveal on his personal blog what’s next for Allo.

Even without the paragraphs on end-to-end encryption, Duong’s post offers interesting insight into Google’s thinking as it planned to launch Allo. For users who care about the security of their messaging apps, Duong highlights that it’s not encryption that matters most to Allo, but rather the disappearing message feature.

“Most people focus on end-to-end encryption, but I think the best privacy feature of Allo is disappearing messaging,” Duong wrote. “This is what users actually need when it comes to privacy. Snapchat is popular because they know exactly what users want.”

Duong also confirmed the likely reason Google didn’t choose to enable end-to-end encryption in Allo by default: doing so would interfere with some of the cool AI features Allo offers. For users who don’t choose to enable end-to-end encryption, Allo will run AI that offers suggestions, books dinner reservations and buys movie tickets. But the AI won’t work if it can’t scan a user’s messages, and it gets locked out if the user enables end-to-end encryption.

We reached out to Google to ask if the company asked Duong to edit to his blog post and will update if we hear back. Duong stressed that the post only reflected his personal beliefs, not those of Google — and we hope his advocacy for a default incognito mode comes to fruition.

OSGP custom RC4 encryption cracked yet again

OSGP custom RC4 encryption cracked yet again

The Open Smart Grid Protocol’s (OSGP) home-grown RC4 encryption has been cracked once again. The easy-to-break custom RC4 was cracked last year.

A year ago, the OSGP Alliance advised that better security would be implemented, but the RC4 still remains according to German researchers Linus Feiten and Matthias Sauer.

Feiten and Sauer claim to have the ability to extract the secret key used in the OSGP’s RC4 stream cipher. “Our new method comprises the modification of a known attack exploiting biases in the RC4 cipher stream output to effectively calculate the secret encryption key. Once this secret key is obtained, it can be used to decrypt all intercepted data sent in an OSCP smart grid,” Sauer and Feiten explained in their research.

Decrypting the secret key can expose the energy consumption of an individual customer thus an attacker could create messages reporting incorrect information to the grid operator.

Grid operators waited on vendor support to protect their networks with the alliance’s OSGP-AES-128-PSK specification bit encryption released in July as it was described as a “new work proposal for standardisation purposes”.

John McAfee claims to have hacked WhatsApp’s encrypted messages, but the real story could be different

John McAfee claims to have hacked WhatsApp’s encrypted messages, but the real story could be different

Last month, WhatsApp enabled end-to-end encryption for its billion users to secure all the communications made between users — be it a group chat, voice calls, personal chats or the photos and videos that are being shared. While WhatsApp says it is difficult even for them to access the conversations, cybersecurity expert John McAfee and his team of four hackers claim to successfully read an encrypted WhatsApp message, Cybersecurity Ventures reports. While it sounds like a bold claim, the real story could be completely different.

John McAfee, the creator of one of the popular anti-virus software, apparently tried to trick the media in believing that he hacked the encryption used by WhatsApp, Gizmodo reports. To convince the reporters that he could read the encrypted conversations, McAfee is said to have sent two phones preinstalled with malware containing a keylogger.

According to Dan Guido, a cybersecurity expert who was contacted to verify the claim, McAfee sent two Samsung phones in sealed boxes to the reporter. The experts then took the phones out and exchanged a text on WhatsApp, which McAfee was able to read over a Skype call. Citing sources, the publication also reports that McAfee offered his story to a couple of big publications as well, which includes Russia Today and the International Business Times.

“John McAfee was offering to a different couple of news organizations to mail them some phones, have people show up, and then demonstrate with those two phones that [McAfee] in a remote location would be able to read the message as it was sent across the phones. I advised the reporter to go out and buy their own phones, because even though they come in a box it’s very easy to get some saran wrap and a hair dryer to rebox them,” Guido told the publication.

McAfee has a long history of being shifty, especially when it comes to his alleged cybersecurity exploits. For instance, earlier this year in March, he claimed to hack into San Bernadino terrorist Syed Farook’s phone, but he never managed to prove his claims right. Later on, McAfee admitted that he lied to get the public attention.

This time too McAfee seems to have lied to reporters to buy his story, but when reporters asked to verify the claim, he changed the story. Moxie Marlinspike, who developed and implemented the encryption tool in WhatsApp told the publication about McAfee admitting his plan.

“I talked to McAfee on the phone, he reluctantly told me that it was a malware thing with pre-cooked phones, and all the outlets he’d contacted decided not to cover it after he gave them details about how it’d work,” he said.

With McAfee’s claims turn out to be false, WhatsApp saying that it does not have the ‘key’ to decrypt communications sounds good so far. However, if at all, someday, someone manages to hack into the conversations, it could turn into havoc. While it will give the ability to monitor the conversations between terrorists, it could also breach the privacy of the users.

Legal effects of encryption bills discussed at dark web event

1

An attorney who has worked for the U.S. Army and the Central Intelligence Agency discussed attempts to regulate encryption technologies at the Inside Dark Web conference in New York City on Thursday.

“State legislative response may be un-Constitutional, because it would place a burden on interstate commerce,” said Blackstone Law Group partner Alexander Urbeis. “So they may, in fact, be a way to encourage the federal government to enact encryption legislation.” Several states, including California, Louisiana, and New York, have introduced encryption legislation recently.

California’s “Assembly Bill 1681,” which would have created a $2,500 penalty of phone manufacturers and operating system providers that leased or sold smartphones in the state for each instance in which they did not obey a court order to decrypt a phone, was defeated last month. A similar bill proposed in New York is currently in committee.

“The economic implications would outstrip the privacy implications,” Urbeis said, discussing the effects of the encryption bill sponsored by Sen. Dianne Feinstein (D-Calif.) and Senate Intelligence Committee Chairman Richard Burr (R-N.C.). “The economic implications of these legislation have not been fully thought through. They are obviously going to become very attractive targets for hackers, criminal groups.”

Urbeis also heads Black Chambers, an information security firm that protects legal privilege. Many law firms “have lost the confidence of clients to protect their data,” he said, discussing the reaction to the Panama Papers. “Law firms have been for a long time the soft underbelly of their clients,” he said.

American ISIS Recruits Down, but Encryption Is Helping Terrorists’Online Efforts, Says FBI Director

American ISIS Recruits Down, but Encryption Is Helping Terrorists'Online Efforts, Says FBI Director

The number of Americans traveling to the Middle East to fight alongside Islamic State has dropped, but the terrorist group’s efforts to radicalize people online is getting a major boost from encryption technology, FBI Director James Comey said Wednesday.

Since August, just one American a month has traveled or attempted to travel to the Middle East to join the group, compared with around six to 10 a month in the preceding year and a half, Mr. Comey told reporters in a round table meeting at FBI headquarters.

However, federal authorities have their hands full trying to counter Islamic State’s social media appeal. Of around 1,000 open FBI investigations into people who may have been radicalized across the U.S., about 80% are related to Islamic State, Mr. Comey said.

The increasing use of encrypted communications is complicating law enforcement’s efforts to protect national security, said Mr. Comey, calling the technology a “huge feature of terrorist tradecraft.”

The FBI director cited Facebook Inc.’s WhatsApp texting service, which last month launched end-to-end encryption in which only the sender and receiver are able to read the contents of messages.

“WhatsApp has over a billion customers—overwhelmingly good people but in that billion customers are terrorists and criminals,” Mr. Comey said. He predicted an inevitable “collision” between law enforcement and technology companies offering such services.

Silicon Valley leaders argue that stronger encryption is necessary to protect consumers from a variety of threats.

“While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people’s information to abuse from cybercriminals, hackers and rogue states,” WhatsApp CEO Jan Koum wrote last month in a blog post accompanying the rollout of the stronger encryption technology. The company Wednesday declined to comment on Mr. Comey’s remarks.

The FBI also continues to face major challenges in unlocking phones used by criminals including terrorists, Mr. Comey said. Investigators have been unable to unlock around 500 of the 4,000 or so devices the FBI has examined in the first six month of this fiscal year, which began Oct. 1, he said.

“I expect that number just to grow as the prevalence of the technology grows with newer models,” Mr. Comey added.

A terrorist’s locked iPhone recently sparked a high-stakes legal battle between the Justice Department and Apple Inc.
After Syed Rizwan Farook and his wife killed 14 people and wounded 22 in a December shooting rampage in San Bernardino, Calif., FBI agents couldn’t unlock the phone of Mr. Farook—who, along with his wife, was killed later that day in a shootout with police.

The government tried to force Apple to write software to open the device, but the technology company resisted, saying that such an action could compromise the security of millions of other phones.

That court case came to an abrupt end in March, when the FBI said it no longer needed Apple’s help because an unidentified third party had shown it a way to bypass the phone’s security features.

Users’interest should drive encryption policy: IAMAI

Users'interest should drive encryption policy: IAMAI

Encryption is a fundamental and necessary tool to safeguard digital communication infrastructure but the interests of Internet users should be foremost in framing any policy, the Internet and Mobile Association of India (IAMAI) said here on Tuesday.

“Trust, convenience and confidence of users are the keywords to designing an ideal encryption policy that will help in getting more people online with safe and secured internet platforms,” said IAMAI president Subho Ray.

The association, which has published a discussion paper on encryption policy, suggests that a broad-based public consultation with all stakeholders including users groups should precede making of an encryption policy.

According to the paper, the foundation of a user centric encryption policy consists of freedom of encryption, strong encryption base standard, no plaintext storage and mandatory legal monitoring or no backdoor entry.

An essential element in the suggestion that support for strong encryption is critical to counter cyber security issues around the globe, but also pitches for the importance of freedom of encryption for the users, organisations and business entities.

Encryption; Friend of Freedom, Guardian of Privacy

The issue of government access to private encrypted data has been in the public eye since the San Bernardino shootings in December, 2015. When an iPhone was found the FBI requested that Apple write code to override the phone’s security features. The FBI was ultimately able to decrypt the phone without Apple’s assistance. However, the ensuing debate over encryption has just begun.

High profile criminal and national security issues serve to shed light on an issue which is pervasive throughout the country. Local governments presumably have thousands of devices they would like to decrypt for investigatory purposes as New York City alone has hundreds. Seeking a resolution and remembering the horrific terror attacks of September 11, 2001 New York State Assembly Bill A8093A is in committee and seeks to outlaw the sale of phones in the state which have encryption not by passable to law enforcement.

Encryption allows for the safe keeping and targeting dissemination of private thoughts and information without worry off judgment, retaliation or mistreatment. On a grander scale encryption prevents unchecked government oversight. It can be argued that encryption technology is a hedge against current and future totalitarian regimes. With a history of occupation and abuse of power it is no surprise that Germany and France are not pushing for encryption backdoors.

Backdoors in encrypted devises and software provide another avenue for unwelcome parties to gain access. Hackers are often intelligent, well-funded and act on their own, in groups and most harmfully with foreign entities. Holes have a way of being found and master keys have a way of being lost.

Senators Richard Burr and Diane Feinstein are undoubtedly well intended with their draft law entitled the Compliance with Court Orders Act of 2016. The act calls for providers of communication services including software publishers to decrypt data when served with a court order. The data would have to be provided in an intelligible format or alternatively technical assistance for its retrieval. Prosecutors have a need to gather evidence. Governments have a duty to prevent crime and acts of terror.

However, experts question the feasibility of building backdoors into all types of encryption as it comes in many forms and from a host of global providers. Further, there is concern that the measure, if adopted, will backfire as the targeting of backdoors by our adversaries is assured. Cyberwar in the form of illicit data collection, theft of trade secrets and access to infrastructure is all too common and may escalate as tensions rise between adversaries. Ransomware and cyber extortion have been spreading, most recently at hospitals, and the knowledge of the existence of backdoors will motivate those who seek unseemly profits.

Efforts to prosecute the accused, fight crime and terror are noble causes. However, government should be wise in the approach lest we weaken our shared defenses in the process. The big corporate names of Silicon Valley recognize the dangers of backdoors and are speaking out and lobbying against Senator Burr and Feinstein’s efforts. The draft legislation does ensure that the monetary cost of decrypting is paid to the, “covered entity.” However, the costs to society at large remain up for discussion.