US wiretap operations encountering encryption fell in 2015

US wiretap operations encountering encryption fell in 2015

The US government has been very vocal recently about how the increase in encryption on user devices is hampering their investigations. The reality is that according to a report from the Administrative Office of U.S. Courts, law enforcement with court-ordered wiretaps encountered fewer encrypted devices in 2015 than in 2014.

In regards to encrypted devices, the reports states: “The number of state wiretaps in which encryption was encountered decreased from 22 in 2014 to seven in 2015. In all of these wiretaps, officials were unable to decipher the plain text of the messages. Six federal wiretaps were reported as being encrypted in 2015, of which four could not be decrypted.”

This is out of 2,745 state and 1,403 federal for a grand total of 4,148 wiretaps, an increase of 17 percent over 2014. So while surveillance increased, the amount of times law enforcement encountered encryption decreased.

Earlier this year the Department of Justice and FBI were locked in a court battle with Apple over an encrypted iPhone used by San Bernardino shooter Syed Rizwan Farook. The government eventually dropped the case after finding a third party to help it bypass the phone’s security.

But it started a national debate about personal devices and encryption. Tech companies want their customers to be secure while law enforcement want backdoors or keys to encrypted devices for investigations. But it looks like when it comes to wiretaps, encryption isn’t as big a problem as many would suspect.

Supreme Court rejects PIL for WhatsApp ban, but encryption debate is just beginning

Supreme Court rejects PIL for WhatsApp ban, but encryption debate is just beginning

WhatsApp’s end-to-end encryption might still be a contentious issue, but on Wednesday the Supreme Court refused to allow a PIL seeking a ban on the popular app and similar messenger services.

The PIL, filed by Gurugram-based RTI activist Sudhir Yadav, said these apps have complete encryption, which poses a threat to the country’s security.

A bench of Chief Justice T S Thakur and Justice A M Khanwilkar rejected the PIL, suggesting Yadav could approach the government or Telecom Regulatory Authority of India (TRAI) with his plea.
But Yadav said his application to the department of telecommunication and the government got the response that they did not possess information in this regard. The petitioner contended that end-to-end 256-bit encryption introduced by WhatsApp in April made all messages, chat, call, video, images and documents end-to-end encrypted, and thus it was impossible for security agencies to decode these.

According to him, this could be national security threat for India, as agencies will not be able to track terrorists, who can plan attacks without worrying that the government can access their messages. The RTI petitioner sought to maintain a balance where police agencies can get lawful access to data while keeping information private.

Supreme Court rejects PIL for WhatsApp ban, but encryption debate is just beginning

So what is WhatsApp’s end-to-end encryption and why has it become such an issue? For starters, WhatsApp’s end-to-end encryption ensures that a user’s messages, videos, photos sent over the app, can’t be read by anyone else — not WhatsApp, not cyber-criminals, not law-enforcement agencies. Even calls and group chats are end-to-end encrypted.

End-to-end encryption means encryption at the device level and thus your chats, messages, videos are not stored on WhatsApp’s servers at all. The only way to access this data is if your device is compromised and the messages have not been deleted. This encryption is designed to keep out man-in-the-middle attacks.

Given WhatsApp has over a billion users, this end-to-end encryption is a big deal. Let’s not forget that in Brazil, a senior WhatsApp executive was jailed because the company did not hand over data in a court case. WhatsApp claimed the data is encrypted and it does not have access to it.

WhatsApp co-founder Jan Koum, in fact, is known for dedication to user privacy and this is also one of the reasons the app has never sold ads. When WhatsApp announced the end-to-end encryption, Koum wrote, “People deserve security. It makes it possible for us to connect with our loved ones. It gives us the confidence to speak our minds. It allows us to communicate sensitive information with colleagues, friends, and others. We’re glad to do our part in keeping people’s information out of the hands of hackers and cyber-criminals.”

Supreme Court rejects PIL for WhatsApp ban, but encryption debate is just beginning

WhatsApp has relied on the “The Signal Protocol”, designed by Open Whisper Systems for its end-to-end encryption. What is also significant is the feature is enabled by default on WhatsApp, unlike apps like Telegram where you have to go into a secret chat mode for end-to-end encrypted chats.

WhatsApp is also one of the most popular apps in India. In fact, research has consistently shown it is one of most used apps after Facebook, and it is common for most people in India to be part of various groups on the service. Family, School, College friends, even office groups are present on WhatsApp. End-to-end encryption means all of this data is secure, and can’t be accessed by third-parties including government agencies.

For now the Courts have refused to go for a ban on WhatsApp, and instead directed Yadav towards the government. India per se doesn’t have a law on what kind of encryption third-party apps can used.

As we had noted earlier, the 40-bit encryption limit, which is too low given the current times, is something ISPs and TSPs have to stick with and doesn’t apply to apps.

Until India comes up with an encryption law, WhatsApp remains legal and we’ll have to wait and watch how the encryption versus security agency debate plays out in the country.

Greedy Bart ransomware encrypts files in ZIP archives

Greedy Bart ransomware encrypts files in ZIP archives

A new ransomware threat known as Bart is experimenting with the price it charges victims and encryption strategies.

If your PC is infected by Bart you will be asked to pay three Bitcoin (BTC) or just under $2,000 to regain access to your files, which is significantly more than the usual 0.5 BTC ($300) to 1.5 BTC fee.

Also, you won’t get a decryption key, but rather a password that opens password-protected ZIP archives, where the files of Bart-infected machines have been copied.

While .zip is intended primarily for compression, it also offers encryption. However, as PC World recently pointed out, the program used to create and open the ZIP file determines whether the weak ZipCrypto encryption or the tougher-to-crack AES-256 is used.

Security firm PhishMe noted on Friday that Bart’s use of .zip files for encryption differs from most file encrypting ransomware, which traditionally use a more sophisticated asymmetric, public-private key pair for encryption.

Another distinguishing feature of Bart is that it doesn’t rely on command and control infrastructure in order to tell which PCs the malware should proceed to encrypt and provide instructions to pay the ransom.

Security firm Proofpoint also reported the emergence of Bart on Friday, and said that instead of using a command and control host, it relied on a unique browser identifier in the URL.

The Bart ransomware also won’t run if it detects the user’s system language is Russian, Ukranian, or Belorussian, according to Proofpoint.

Proofpoint also found links between the Bart ransomware and the more widely used Locky ransomware, such as a similar looking payment page, and that it like Locky it is being distributed in spam email. However, Proofpoint also found that the ransomware code itself was “largely unique” from Locky.

Russia encryption grab may require chat backdoors as standard

Russia encryption grab may require chat backdoors as standard

MOOTED LEGAL CHANGES in Russia may apply a boot to the face of open and private chat messaging services and create a very cold winter for communications.

Reports from the country said that plans to require backdoors in otherwise encrypted chat services are quite advanced and will launch with a mandatory status.

Russia is often accused of messing with internet liberties, but before we get on our high horse we should remember that this is exactly the kind of ambrosia that the UK and US would like to have with their anti-terror breakfast.

Local news site CurrentTime said that companies resisting the anti-terror laws could be fined, and names WhatsApp as the kind out of service that would be involved.

The report explained that senator Elena Mizulina referred to a research group of some kind, and some ill repute, called the League of Safe Internet that had uncovered evidence of unwelcome underground operations including “a number of closed groups where teenagers [are] brainwashed to kill police officers”.

She added that perhaps it is time to start nipping such activity in the bud and that Russia could “maybe go back to the idea of ​​pre-filtering [messages] as we cannot look at it in silence”.

CurrentTime has a clip of the legislation and it does seem as though Russia will ensure that the right level of deterrent is in place.

“Failure to comply with the organiser of the dissemination of information on the internet obligation to submit to the federal executive authority in the field of safety information required for decoding the received, sent, delivered or processed by electronic communications,” said the bill.

“It is proposed to punish by a fine of ₽3,000 to ₽5,000 [£32 to £52] for citizens, ₽30,000 to ₽50,000 [£316 to £528] for officials and ₽800,000 to ₽1m [£8,450 to £10,565] for legal entities.” µ.

Apple to expand encryption on Macs

Apple to expand encryption on Macs

Apple is amping up its commitment to encryption.

The company is beginning the first major overhaul of the Mac filing system — the way it stores files on the hard drive — in more than 18 years. The move was quietly announced during a conference break out session after Apple’s blockbuster unveiling of its new operating system MacOS Sierra.

Amidst other new features, including the ability to place timestamps on files accurate to fractional seconds and a more efficient mechanism to clone files, the new Apple File System (APFS) updates file encryption.
The new system allows files to be encrypted with multiple keys, providing an extra layer of security against attackers or, to the FBI’s recent chagrin, law enforcement agencies.

The shift comes after Apple faced vocal criticism for its commitment to encrypted data after refusing to unlock an iPhone used by one of the shooters in the San Bernardino, Calif, terrorist attack.

Currently, on computers using OSX’s encryption, files are encrypted using the same key. The operating system unlocks the files on computers where a user has logged in. If an attacker compromises the key or attacks the computer when a user has logged in, the files are no longer encrypted.

On APFS, users will have the option to encrypt different segments of the file storage system with different keys. Access to one file wouldn’t mean access to all of them.

APFS will also encrypt the metadata contained in each file.

The new file system will released in 2017, months after Sierra’s release.

Apple Echoes Commitment to Encryption after Orlando Shooting

Apple Echoes Commitment to Encryption after Orlando Shooting

Apple used the kickoff of its Worldwide Developers Conference Monday to reaffirm the company’s stance on encryption and data monetization, one day after the most deadly mass shooting in U.S. history threatened to rekindle the debate surrounding the use of the technology.

“In every feature that we do, we carefully consider how to protect your privacy,” Apple senior vice president of software engineering Craig Federighi told conference attendees in San Francisco Monday.

Federighi said that includes the Cupertino-based company’s commitment “to use end-to-end encryption by default,” and described a new policy at Apple known as “differential privacy,” which incorporates using machines to learn how users use Apple products via crowdsourced data, while not tracking specific data back to individual users.

Federighi’s keynote came one day after 29-year-old Omar Mateen shot and killed 49 people at a gay nightclub in Orlando early Sunday, and who authorities later said pledged allegiance to ISIS during the attack.

The scenario echoes last year’s shooting in San Bernardino, where two attackers later found to have made a similar pledge to the Islamic extremist terror group were found in possession of an iPhone after a shootout with police that left both dead. The FBI asked Apple to bypass the device’s encryption as part of their investigation — a request Apple refused, prompting a court battle that ended prematurely after the FBI found a third-party to crack the phone’s encryption.

Investigators recovered a phone from Mateen after he died in Sunday’s attack, but have declined to identify its make. Regardless of whether the device is an Apple product, the shooting could easily become fodder for those in government pushing for a back door into encrypted communication platforms like Apple’s, especially given the increasing number and popularity of encryption applications like Telegram of the Facebook-owned WhatsApp.

“We are going through the killer’s life — especially his electronics — to understand as much as we can about his path and whether there was anyone else involved, either in directing him or in assisting him,” FBI Director James Comey said Monday.

The FBI director said investigators are confident Mateen was self-radicalized online.

Comey has repeatedly testified before Congress on the emerging issue of terrorists and criminals “going dark” online as a result of their use of communication platforms with end-to-end encryption, which in Apple’s case, not even the company itself can access without a user’s PIN.

The tug of war between privacy and security has spread from cases still pending in court against Apple and others to Congress, where lawmakers have offered several legislative proposals to discuss or even mandate law enforcement cooperation, all the way up to the 2016 presidential election, with Donald Trump calling for a “boycott” of Apple products.

Apple CEO Tim Cook opened the conference Monday by leading the crowd in a moment of silence for the victims of Sunday’s shooting.

“The Apple community is made up of people from all around the world, all different backgrounds, all different points of view,” said Cook, who came out as gay in 2014. “We celebrate our diversity.”

“We offer our deepest sympathies to everyone whose lives were touched by this violence,” he continued, “this senseless, unconscionable act of terrorism, of hate aimed at dividing and destroying.”

Cook wrote an open letter earlier this year in the wake of the San Bernardino debate pushing back against the FBI’s attempt to force the company into cooperating.

Amazon is going to remove encryption capabilities of its Kindle Fire, Rumours says Apple & FBI Case is reason – Lansing Technology Time

Amazon is going to remove encryption capabilities of its Kindle Fire, Rumours says Apple & FBI Case is reason – Lansing Technology Time

According to Amazon, Removing Kindle Fire,Fire OS 5’s onboard encryption is not a new development, and it’s not related to the iPhone fight

Amazon said that the Fire OS 5 update removed local device encryption support for the Kindle Fire, Fire Phone, Amazon Fire HD, or Amazon Fire TV Stick was because the feature simply wasn’t being used.

Privacy advocates and some users criticized the move, which came to light on Thursday even as Apple Inc was waging an unprecedented legal battle over U.S. government demands that the iPhone maker help unlock an encrypted phone used by San Bernardino shooter Rizwan Farook.

On-device encryption scrambles data so that the device can only be accessed if the user enters the correct password. Cryptologist Bruce Schneier said Amazon’s move to remove the feature was “stupid” and called on the company to restore it.

Amazon’s move is a bad one. But it’s not a retreat in the face of Apple-FBI pressures

One of the features removed includes one that allowed owners to encrypt their device with a pin which, if entered incorrectly 30 times in a row, deletes all the data stored on it. The feature is similar to the safety feature found on the iPhone at the center of the San Berardino shooter trial, which erases all the device data if the passcode is entered incorrectly ten times.

Amazon joined other major technology companies in filing an amicus brief supporting Apple on Thursday, asking a federal judge to overturn a court order requiring Apple to create software tools to unlock Farook’s phone.

Amazon spokeswoman Robin Handaly said in an email that the company had removed the encryption feature for Kindle Fire tablets in the fall when it launched Fire OS 5, a new version of its tablet operating system.

“It was a feature few customers were actually using,” she said, adding that Kindle Fire tablets’ communication with the company’s cloud meets its “high standards for privacy and security including appropriate use of encryption.”

Encryption expert Dan Guido said that Amazon may have eliminated the feature to cut component costs for tablets that sell for as low as $50.

But digital privacy advocates and customers said those arguments were not good enough reasons for discontinuing the feature.

“Removing device encryption due to lack of customer use is an incredibly poor excuse for weakening the security of those customers that did use the feature,” said Jeremy Gillula, staff technologist with the Electronic Frontier Foundation.

“Given that the information stored on a tablet can be just as sensitive as that stored on a phone or on a computer, Amazon should instead be pushing to make device encryption the default – not removing it,” Gillula said.

David Scovetta, a security analyst who owns two Kindle e-readers as well as Amazon’s TV set-top box, said he is now wary of buying new gadgets from the company.

“Amazon could just as easily be encouraging its users to adopt it rather than remove it as a feature. That’s a massive step backwards,” he said.

Fire OS 5 is the first release to use the Android 5.0 “Lollipop” codebase, and as such it is possible that this removal is down to a technical issue (such as battery life or performance). Last year Google reported that it would allow hardware makers to decide whether or not to enable encryption-by-default because of performance issues on older devices.

People are talking about the lack of encryption today because the OS update is only now hitting older devices, like the fourth-generation Fire HD and Fire HDX 8.9. Despite how neatly the sudden forfeiture of encryption by a tech giant fits the Apple-FBI narrative, this encryption deprecation isn’t related to that battle. Instead, Amazon appears to have given up onboard encryption without any public fight at all.

UK’s lower house eases up on encryption

UK's lower house eases up on encryption

The United Kingdom’s House of Commons approved far-reaching authority for spy agencies to access cyber data Tuesday, but pulled back some restrictions on encryption opposed by Apple and Facebook.

The so-called “snooper’s charter,” officially the Investigatory Power Act, codifies intelligence agencies’ use of metadata analysis and malware to hack computers that has been ongoing in the U.K. It requires communications companies to maintain records of customers’ web browsing for a full year to assist investigations.
But the final version eased up on restrictions on encryption. Early drafts of the law mandated encryption include backdoor access – an issue that recently sparked a battle between Apple and the FBI in the U.S. The version passed Tuesday requires only that companies help break encryption if it is reasonable in terms of cost and technology.

That would keep the kinds of encryption used on Apple phones and Facebook’s newly announced end-to-end encrypted messaging service off the table. When properly implemented, neither would be technologically possible to crack.

The changes to encryption were one of a few amendments meant to assuage concerns about the law’s effect on privacy. Civil liberties groups are still unhappy with the complete product, though interior minister Theresa May called the safeguards “world leading.”

The final vote on the IPA was 444-69. It now heads to the House of Lords for their approval.

Customer Headaches Could Curtail Apple’s Encryption Push

Customer Headaches Could Curtail Apple’s Encryption Push

At an event held during Apple’s fight with the FBI over whether it should help unlock a dead terrorist’s iPhone, CEO Tim Cook promised “We will not shrink” from the responsibility of protecting customer data —including from government overreach.

Yet the obvious next step for the company could be hard to take without inconveniencing customers.

Apple is currently able to read the contents of data stored in its iCloud backup service, something at odds with Cook’s claims that he doesn’t want his company to be capable of accessing customer data such as mobile messages.

Apple has not denied reports it is working to change that. And the company is expected to make some mention of its security technology at its World Wide Developers Conference next week, as it did at March’s iPhone event in March.

But redesigning iCloud so that only a customer can unlock his data would increase the risk of people irrevocably losing access to precious photos and messages when they lose their passwords. Apple would not be able to reset a customer’s password for them.

“That’s a really tough call for a company that says its products ‘Just work,’” says Chris Soghoian, a principal technologist with the American Civil Liberties Union—referring to a favorite line of Apple’s founder, Steve Jobs.

Cook has boasted of how the encryption built into Apple’s iPhones and iMessage system keeps people safe by ensuring that only they can access their data. FBI director James Comey has complained about it.

But the design of iCloud means that Apple can read much of its customers’ data, and help the government do so, too. The service is enabled by default (although you can opt out), and automatically backs up messages, photos, and more to the company’s servers. There the data is protected by encryption, which Apple has the key to unlock. The company’s standoff with the FBI happened only because the backups Apple handed the agency from San Bernardino shooter Syed Farook’s iPhone ended six weeks before the shooting, because he had turned them off.

Apple could lock itself and law enforcement out of iCloud data by encrypting each person’s iCloud backups using a password under his control, perhaps the same one that locks his iPhone.

The company has not denied reports from the Financial Times and Wall Street Journal that it is working on such a design. Passwords and credit card details stored using an iCloud feature called Keychain are already protected in this way. But taking this approach would prevent Apple from being able to reset a person’s password if he forgets it. The data would be effectively gone forever.
It is probably impractical for Apple to roll out that approach for everyone’s data, as the company did for the security protections built into the iPhone, says Vic Hyder, chief strategy officer with Silent Circle, which offers secure messaging, calls, and data sharing for corporations.

“It puts control on the customer but also responsibility on the customer,” he says. “This will likely be an option, not the default.”

Soghoian of the ACLU agrees. “I think they will probably offer it as an option, but be reluctant to advertise that feature much,” he says. “More people forget their passwords than get investigated by the FBI.”

Bryan Ford, an associate professor at the Swiss Federal Institute of Technology in Lausanne, says Apple could take steps to reduce the risk of accidental data loss.

The company’s FileVault disk encryption feature for PCs offers the option to print out a recovery key. A similar process could be used for iCloud encryption, says Ford.

Apple could also implement other safeguards, he says. For example, people could have the option of distributing extra encryption keys or passwords to several “trustees,” who could help recover data if the original password was lost. To prevent abuse it could be required that a certain number of trustees, say, three of five, came forward to unlock the data.

The cryptography needed for such a design is well understood, says Ford. He recently designed a similar but more complex system intended to help companies such as Apple prevent their software updates from being abused (see “How Apple Could Fed-Proof Its Software Update System”).

Alan Fairless, cofounder and CEO of SpiderOak, which offers companies fully encrypted data storage, says he thinks companies like Apple will eventually make truly secure cloud storage accessible to consumers.

Encrypted messaging was clunky and hard to use until recently, but is now widespread thanks to Apple and WhatsApp, he points out. Encrypting stored data is more challenging, but Apple has shown itself willing to spend significantly on encryption technology, for example by adding new chips to the iPhone, says Fairless.
However, he also thinks Apple and its customers aren’t yet ready for encrypted iCloud backups to be the default. “It’ll take consumer technology a while to catch up,” says Fairless.

HelpSystems Fills Encryption Gap With Linoma Buy

Despite all the IBM i security vendors that HelpSystems has bought over the years–and there have been at least five of them–the company has lacked one key security capability valued by enterprises: encryption. With last week’s deal to acquire Linoma Software, the Minneapolis software vendor has finally obtained that encryption capability for IBM i.

HelpSystems has been experiencing heavy demand for IBM i encryption capabilities, says CEO Chris Heim. “I wouldn’t say we lost sales because of it, but we definitely wanted to offer a full solution to our customers and that’s why we wanted to check that encryption box,” he tells IT Jungle.

Linoma’s Crypto Complete provides a full-featured encryption solution for IBM i customers. In addition to providing the core encryption capability (by automating the use of IBM’s field-level encryption APIs), it also includes key management and audit trail capabilities that auditors are increasingly expecting companies to have.

Bob Luebbe, who is Linoma’s president and chief architect–and formerly its co-owner along with his wife Christy–says interest in encryption among IBM i shops is on the upswing.

“Most companies have already taken care of credit card data under PCI,” he says. “But now personally identifiable information [PII], such as birthdays and Social Security numbers, is really popular to protect. That’s what we’re seeing the most demand for.”

While there has been no new major federal laws mandating protection of PII, several states have passed state privacy laws that address PII, while HIPAA continues to drive solutions for encryption private health information (PHI). With the average cost of a data breach touching nearly $7 million, the cost of buying software and services to encrypt sensitive fields in a DB2 for i database doesn’t look nearly so bad.

“A lot of companies are being a lot more proactive than ever before,” Luebbe says. “It’s fairly inexpensive to implement encryption camped to getting a multi-million dollar price tag for remediation. Plus a lot of companies in the public eye want to maintain their customers’ trust, to ensure them that their data is being protected and secured.”

Getting the AES algorithms to encrypt and decrypt data in a DB2 for i database is one thing. You actually don’t need a third-party tool like Crypto Complete to do that, provided you’re comfortable working with IBM’s APIs (which can be complex). But increasingly, having encryption means more than that.

“Auditors are getting a lot smarter,” Luebbe says. “An auditor, when they came into your shop, they used to ask if you’re encrypting data, and you check that box. But now they’re getting more diligent. They want to know what kind of key management you have in place, who’s authored to work with those keys, where’s the audit trail, and who’s actually authorized to decrypt that information. They’re really expanding their requirement and putting a lot more pressure on shops to move just beyond calling APIs to encrypt information.”

HelpSystems also had its eye on GoAnywhere, Linoma’s line of managed file transfer (MFT) solutions that help to control the flow of data among file systems and databases running on IBM i, Linux, Windows, and many other on-premise and cloud platforms.

The GoAnywhere suite has been Linoma’s biggest seller lately, and HelpSystems will eagerly begin offering what Heim considers to be best-of-breed.

“I would probably say the encryption piece fills a bigger hole for us in our IBM i security portfolio,” Heim says. “But on cross-platform, it’s MFT. That’s been a dynamite product for Bob. We did a survey of a lot of the products out there and we think it’s the best in the industry.”

There will be few changes for Linoma going forward. The company will continue to operate out of its headquarters in Ashland, Nebraska indefinitely. Linoma’s 2,000 or so customers will get technical support in the same manner. All 32 Linoma employees will be retained; in fact, the company is hiring.

Heim first contacted Luebbe about a possible deal about a year ago, and Luebbe says initially he wasn’t interested. But after several meetings with the Minnesota native, Luebbe eventually came to the conclusion that he could use Help’s help to take Linoma to the next level.

“As we were growing, we were starting to feel the pain in our development [and support structure]. It’s hard to maintain that growth without some help,” Luebbe says. “We were also worried about business continuation if something were to happen to me.”

A similarity between the two companies’ cultures helped seal the deal. “It just felt like a bigger version of Linoma,” Luebbe says. “I love their motto: ‘Happy employees equal happy customers.’ That really drove it home for me. They really treat their people well. They have great customer service.”

Luebbe also likes that he will have HelpSystems’ large Minneapolis team available for brainstorming. “We were like our own little island in the middle of Nebraska,” he says. “It’s great that now we’re going to have a lot of great ideas to bounce back and forth between our sales team and R&D and support team.”

And now that HelpSystems is handling some of the more mundane aspects of running a software business, Luebbe will be free to spend more time with the customers and products.
“I love to give demos and work with the technical team and help design the next releases of the product. Those are the things I love,” he says. “I don’t especially love working with layers and accountants and insurance people.”

Added Heim: “We’re taking over that for him.”