Do anti-encryption Democrats see the importance of encryption now?

One would certainly hope so after the turmoil that has followed the release of thousands of DNC emails by Wikileaks. But Democratic lawmakers in the past have worked to weaken encryption standards, demanding backdoors that they say can be used by law enforcement authorities to track terrorists, but that also leave computers vulnerable to hackers.

Consider CISA, a bill introduced to the Senate by California Democrat Dianne Feinstein. Despite near-unanimous expert testimony opposing the bill, along with a vocal public outcry, 30 Democratic senators voted in favor of passing the bill last year. This year, Feinstein coauthored the “Compliance with Court Orders Act of 2016” with Republican Senator Richard Burr, in the name of protecting America from terrorism following the FBI’s battle with Apple over decrypting the San Bernardino shooter’s iPhone.

As encryption expert Jonathan Zdziarski wrote following the announcement of the Feinstein-Burr bill, “The reality is that there is no possible way to comply with it without intentionally backdooring the encryption in every product that may be used in the United States.” While it’s still unclear how, exactly, hackers got into the DNC’s servers, Democrats now know, in the most personal way, the kinds of embarrassments that can result from encryption vulnerabilities.

The Democrats can blame Russia all they want. The fact of the matter is that stronger encryption, like the end-to-end encryption now standard in everything from iMessage to WhatsApp, continues to be the best defense against hackers.

Facebook to add end-to-end encryption to Messenger app

Facebook has started to introduce a setting to its “Messenger” app that provides users with end-to-end encryption, meaning messages can only be read on the device to which they were sent.

The encrypted feature is currently only available in beta form to a small number of users for testing, but it will become available to all of its estimated 900 million users by late summer or in the fall, the social media giant said.

The feature will be called “secret conversations”.

“That means the messages are intended just for you and the other person – not anyone else, including us,” Facebook announced in a blog post.

The feature will also allow users to set a timer, causing messages to expire after the allotted amount of time passes.

Facebook is the latest to join an ongoing trend of encryption among apps.

Back in April, WhatsApp, which is owned by Facebook and has more than a billion users, strengthened encryption settings so that messages were only visible on the sending and recipient devices.

WhatsApp had been providing limited encryption services since 2014.

The company says it is now using a powerful form of encryption to protect the security of photos, videos, group chats and voice calls in addition to the text messages sent by more than a billion users around the globe.

Controversy

Encryption has become a hotly debated subject, with some US authorities warning that criminals and armed groups can use it to hide their tracks.

“WhatsApp has always prioritised making your data and communication as secure as possible,” a blog post by WhatsApp co-founders Jan Koum and Brian Acton said, announcing the change at the time.

As Facebook has until now, Google and Yahoo use less extensive encryption to protect emails and messages while they are in transit, to prevent outsiders from eavesdropping.

Apple uses end-to-end encryption for its iMessage service, but some experts say WhatsApp’s method may be more secure because it provides a security code that senders and recipients can use to verify a message came from someone they know – and not from a hacker posing as a friend.

Full disk encryption flaw could affect millions of Android users

When it comes to vulnerabilities and security, Google’s Android has never been in the good books of security experts or, to a great extent, even its users. Now, another vulnerability has surfaced that reportedly leaves millions of devices affected. Security expert Gal Beniamini has revealed another flaw in Android encryption.

According to the DailyMail, the security researcher has said that Android devices with full disk encryption and powered by Qualcomm processors are at risk of brute force attacks, in which hackers use a persistent trial-and-error approach. Full disk encryption is on all devices running Android 5.0 onwards. It generates a 128-bit master key for a user’s password. The report adds that the key is stored in the device and can be cracked by malicious minds.

“Android FDE is only as strong as the TrustZone kernel or KeyMaster. Finding a TrustZone kernel vulnerability or a vulnerability in the KeyMaster trustlet, directly leads to the disclosure of the KeyMaster keys, thus enabling off-device attacks on Android FDE,” Beniamini explains.

A combination of things, like Qualcomm processors verifying security and Android kernels, is causing the vulnerability. Google, along with Qualcomm, is working on releasing security patches, but Beniamini said that fixing the issue may require a hardware upgrade.

“Full disk encryption is used world-wide, and can sometimes be instrumental to ensuring the privacy of people’s most intimate pieces of information. As such, I believe the encryption scheme should be designed to be as “bullet-proof” as possible, against all types of adversaries. As we’ve seen, the current encryption scheme is far from bullet-proof, and can be hacked by an adversary or even broken by the OEMs themselves (if they are coerced to comply with law enforcement),” he adds.

Recently, the encryption debate took centre stage when Apple refused to unlock an iPhone belonging to a terrorist involved in the San Bernardino shooting. The FBI reportedly managed to break into the device without Apple’s help and is believed to have paid a whopping $13 million to do so.

US wiretap operations encountering encryption fell in 2015

The US government has been very vocal recently about how the increase in encryption on user devices is hampering its investigations. The reality is that, according to a report from the Administrative Office of U.S. Courts, law enforcement with court-ordered wiretaps encountered fewer encrypted devices in 2015 than in 2014.

With regard to encrypted devices, the report states: “The number of state wiretaps in which encryption was encountered decreased from 22 in 2014 to seven in 2015. In all of these wiretaps, officials were unable to decipher the plain text of the messages. Six federal wiretaps were reported as being encrypted in 2015, of which four could not be decrypted.”

This is out of 2,745 state and 1,403 federal wiretaps, for a grand total of 4,148 wiretaps, an increase of 17 percent over 2014. So while surveillance increased, the number of times law enforcement encountered encryption decreased.

Earlier this year the Department of Justice and FBI were locked in a court battle with Apple over an encrypted iPhone used by San Bernardino shooter Syed Rizwan Farook. The government eventually dropped the case after finding a third party to help it bypass the phone’s security.

But it started a national debate about personal devices and encryption. Tech companies want their customers to be secure, while law enforcement wants backdoors or keys to encrypted devices for investigations. But it looks like when it comes to wiretaps, encryption isn’t as big a problem as many would suspect.