August 2016 – DoGoodSoft's Official Blog

French official begins anti-encryption campaign

This story was delivered to BI Intelligence Apps and Platforms Briefing subscribers. To learn more and subscribe, please click here.

A French official plans to begin mobilizing a global effort — starting with Germany — against tech companies encrypting their messaging apps, according to Reuters.

Messaging apps, such as Telegram and WhatsApp, that promote end-to-end encryption, are used by terrorists to organize attacks in Europe, the minister said. Although individual governments have previously explored seeking mandatory backdoors from tech companies, this is the first attempt to unify the case across countries. If successful, it could make it more difficult for these companies to resist the requests.

The debate over the use of end-to-end encryption in chat apps recently made headlines after it was revealed that terrorists might have used secure chat apps to coordinate a slew of attacks in France. Law-enforcement officials argue that the highly secure tech impedes their ability to carry out investigations relating to crimes that use the chat apps.

Tech companies argue that providing backdoor access to their apps, even to governments, creates a potential vulnerability that can be targeted by malicious players seeking access to users’ personal data. To add weight to this argument, it was revealed last week that a “golden key” built by Microsoft for developers was accidentally leaked. And while the company has sent out patches for a majority of its devices, it’s unlikely to reach those potentially affected.

BI Intelligence, Business Insider’s premium research service, has compiled a detailed report on messaging apps that takes a close look at the size of the messaging app market, how these apps are changing, and the types of opportunities for monetization that have emerged from the growing audience that uses messaging services daily.

Here are some of the key takeaways from the report:

Mobile messaging apps are massive. The largest services have hundreds of millions of monthly active users (MAU). Falling data prices, cheaper devices, and improved features are helping propel their growth.
Messaging apps are about more than messaging. The first stage of the chat app revolution was focused on growth. In the next phase, companies will focus on building out services and monetizing chat apps’ massive user base.
Popular Asian messaging apps like WeChat, KakaoTalk, and LINE have taken the lead in finding innovative ways to keep users engaged. They’ve also built successful strategies for monetizing their services.
Media companies, and marketers are still investing more time and resources into social networks like Facebook and Twitter than they are into messaging services. That will change as messaging companies build out their services and provide more avenues for connecting brands, publishers, and advertisers with users.

In full, this report:

Gives a high-level overview of the messaging market in the US by comparing total monthly active users for the top chat apps.
Examines the user behavior of chat app users, specifically what makes them so attractive to brands, publishers, and advertisers.
Identifies what distinguishes chat apps in the West from their counterparts in the East.
Discusses the potentially lucrative avenues companies are pursuing to monetize their services.
Offers key insights and implications for marketers as they consider interacting with users through these new platforms.

FBI Chief Calls for National Talk Over Encryption vs. Safety

SAN FRANCISCO — The FBI’s director says the agency is collecting data that he will present next year in hopes of sparking a national conversation about law enforcement’s increasing inability to access encrypted electronic devices.

Speaking on Friday at the American Bar Association conference in San Francisco, James Comey says the agency was unable to access 650 of 5,000 electronic devices investigators attempted to search over the last 10 months.

FBI Chief Calls for National Talk Over Encryption vs. Safety

Comey says encryption technology makes it impossible in a growing number of cases to search electronic devices. He says it’s up to U.S. citizens to decide whether to modify the technology.

The FBI earlier this year engaged in a high-profile fight with Apple to access data from a locked iPhone used by a shooter in the San Bernardino, California, terrorist attack.

Google finally adds HSTS encryption to google.com

Google, known for its security practices, has finally brought HTTP Strict Transport Security (HSTS) to google.com to strengthen its data encryption. HSTS helps protect against eavesdroppers, man-in-the-middle attacks, and hijackers who attempt to spoof a trusted website. Chrome, Safari, and Internet Explorer all support HSTS.

“HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs,” said Jay Brown, a senior technical program manager for security at Google, in a blog post. “Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites.”

Typically, implementing HSTS is a fairly simple process, Brown said. But, due to Google’s complex algorithms, the company had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access the core domain.

Brown also noted that the team accidentally broke Google’s Santa Tracker just before Christmas last year during testing.

According to Google, about 80% of requests to its servers today use encrypted connections. The use of HSTS goes a step further by preventing users from mistakenly visiting unsafe URLs.

Certain domains, including Paypal and Twitter, will be automatically configured with HSTS to keep users safe, according to Google’s HSTS Preload List.

Google is now focused on increasing the “max-age,” or the duration that the header is active. The max-age is currently set to one day to help mitigate the risk of any potential problems with the rollout. “By increasing the max-age, however, we reduce the likelihood that an initial request to www.google.com happens over HTTP,” Brown said. “Over the next few months, we will ramp up the max-age of the header to at least one year.”

Increasing encryption

Google is currently working to implement HTTPS across all of its products. In March 2014, the company announced the use of HTTPS-only for Gmail.

Increasing encryption and security around its core products will be key for Google to remain in good standing with enterprise and consumer customers as concerns over cybersecurity ramp up across verticals.

Encryption remains at the forefront of many cybersecurity discussions, especially after last year’s terrorist attack in San Bernardino, CA, and the FBI’s dispute with Apple over access to the shooter’s iPhone.

In March, Google joined Facebook, Microsoft, and others who filed in support of Apple in its refusal of a court order forcing it to unlock the shooter’s iPhone for authorities.

The Federal Bureau of Investigations is holding ongoing talks with technology companies about a range of privacy and encryption issues, according to FBI director James Comey. The agency is also collecting statistics on the effect of encryption on its investigations.

“Encrypting data in transit helps keep our users and their data secure,” Brown said. “We’re excited to be implementing HSTS and will continue to extend it to more domains and Google products in the coming months.”

Hacker finds breach in WhatsApp’s encryption system

A security expert has found a breach in WhatsApp’s supposed ‘end-to-end’ encryption system. On earlier 2016, the Facebook-owned company proudly announced that messages would feature end-to-end encryption, thus giving users the tranquility that their private conversations would remain untouched.

Jonathan Zdziarski, a digital forensic specialist and digital security expert, published an article on Thursday with bold declarations. He stated that WhatsApp does not really delete users’ messages. Zdziarski started several conversations on his WhatsApp account, using an iPhone. After a bit of chit-chat, he deleted, cleared and archived some of the conversations. Finally, he clicked the “Clear All Chats” feature.

The “deleted records” were not actually deleted since the messages still appeared in SQLite, a relational database management system. According to Zdziarski, the chat’s database gets copied every time an iPhone users does a backup, saving it in a desktop backup and iCloud (Zdziarski states that this is “irrelevant to whether or not you use WhatsApp’s built-in iCloud sync”).

Which are the risks?

Zdziarski stated that the “leftover” evidence in SQLite poses some risks. For example, if somebody has physical access to a smartphone, he or she could hack it and create a backup of that information. In the same way, if a hacker has physical access to a computer, he or she could enter an “unencrypted backup” and access messages.

Law enforcement could obtain clear records of conversations by giving Apple a court order. Zdziarski has been very clear in stating that he doesn’t believe WhatsApp is keeping information on purpose. He even offers some advice in the article about how the company could make the service better and safer.

Alternatives

For Zdziarski, the only way to truly delete WhatsApp messages is to remove the app entirely. However, he offered some tips to “minimize” risks. For example, using iTunes to set a very complex backup password could help. Using Configurator to lock the smartphone is also a good idea since it makes harder for someone else to steal the phone’s passwords.

Finally, users would have to disable iCloud backup. If the user still feels uneasy, there are still a few safer alternatives. Telegram, an app available for Android and iOS, promises to have end-to-end encryption. The app is very popular in NGOs for even having a “self-destruct” modality for messages.

Telegram’s founder, Pavel Durov, founded the social networking site VK. He had an argument with Russian authorities and left his country in a self-imposed exile. VK is now owned by Mail.Ru Group, which has the monopoly of social networking market in Russia and is a Putin ally.

After this, he decided to create the instant messaging service with the aim of giving Russians a secure messaging app that would be unbreakable by Russian intelligence services. The BlackBerry Messenger service is also secure since the PIN-to-PIN service uses “Triple Data Encryption Standard”.