encryption – Page 8 – DoGoodSoft's Official Blog

McCaul wants new commission on encryption and law enforcement

The chairman of the House Homeland Security Committee said he plans to introduce legislation that would allow the creation of a “national commission on security and technology challenges in the Digital Age.”

The legislation “would bring together the technology sector, privacy and civil liberties groups, academics, and the law enforcement community to find common ground,” Chairman Rep. Michael McCaul (R-Texas) said in a Dec. 7 speech at National Defense University. “This will not be like other blue ribbon panels, established and forgotten.”

He said the ability of terrorist groups to use encrypted applications while communicating is one of his biggest fears. “We cannot stop what we cannot see,” he said in reference to recent attacks in San Bernardino, Calif., and Paris.

McCaul described the Islamic State as not a “terrorist group on the run” but a “terrorist group on the march.” He said 19 Islamic State-connected plots in the U.S. have been thwarted by government officials. But he added that terrorist groups are using the Internet to expand.

“Americans are being recruited by terrorist groups at the speed of broadband while we are responding at the speed of bureaucracy,” he said.

FBI Director James Comey has been a vocal critic of end-to-end encryption in commercial devices, and his advocacy has received a mixed reception on Capitol Hill. During an Oct. 27 hearing, Rep. Will Hurd (R-Texas), a former CIA officer who has private-sector cybersecurity experience, criticized Comey for saying encryption thwarts counterterrorism efforts and for “throwing certain companies under the bus by saying they’re not cooperating,” a charge that Comey denied.

In an interview, Hurd welcomed McCaul’s proposed commission by saying, “I think getting a group of industry experts from all sides of this issue to talk — and to not talk past one another — is ultimately a good thing.”

Hurd, a member of the Homeland Security Committee, said he would planned to speak with McCaul to make sure the commission had the “right folks in the room.”

He added that the right people would be leaders of technology firms whose encryption services have been at the center of debate and law enforcement officers who might be able to identify situations in which agencies would need to get around encryption, Hurd said.

But those situations still seem elusive. When he was a CIA officer working on cybersecurity issues, Hurd said he did not think of encryption as an insurmountable roadblock.

“Guess what? Encryption was around back then,” he said.

Hurd pointed out that intelligence can be gleaned from the contours of encrypted channels — such as communications between IP addresses — without decrypting the communications.

“I still haven’t gotten anybody to explain to me a very specific case where the investigation went cold” because of encryption, he said of his conversations with law enforcement officials.

McCaul sounded a more dire note by saying, “I have personally been briefed on cases where terrorists communicated in darkness and where we couldn’t shine a light, even with a lawful warrant.”

He said countering Islamic State’s use of encrypted messaging is “one of the greatest counterterrorism challenges of the 21th century.” At the same time, he was careful not to target encryption technology itself, which he described as “essential for privacy, data security and global commerce.”

In a Dec. 6 speech from the Oval Office, President Barack Obama announced plans to seek public/private cooperation on challenges posed by encrypted communications. He said he will “urge high-tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice.”

However, it is not clear if that message represents more than a change in tone from current policy. The administration had previously said it would not seek legislation to push companies to retain customers’ encryption keys and share them with law enforcement agencies.

U.S. CIO Tony Scott told FCW in a November interview that “at the end of the day, I think the better policy is probably not to require these backdoors” for law enforcement.

Although a new law could potentially cover U.S.-based providers and devices manufactured by U.S.-based companies, encryption applications would still be widely available beyond the country’s jurisdiction.

“All the really bad people who are highly motivated to keep their stuff secret are going to use the encryption method that doesn’t have a backdoor,” Scott said.

McCaul used the bulk of his speech to call for tighter restrictions on the Visa Waiver Program, as outlined in a bill introduced this week that would require high-risk individuals who have visited a terrorist hot spot to undergo an intensive screening process before entering the United States. He said that approach would also strengthen intelligence sharing with allies and help prevent passport fraud.

Why Government and Tech Can’t Agree about Encryption

Your g better and better at protecting your privacy. But Uncle Sam isn’t totally comfortable with that, because it’s also complicating the work of tracking criminals and potential national-security threats.
For decades, tech companies have steadily expanded the use of encryption — a data-scrambling technology that shields information from prying eyes, whether it’s sent over the Internet or stored on phones and computers. For almost as long, police and intelligence agencies have sought to poke holes in the security technology, which can thwart investigators even when they have a legal warrant for, say, possibly incriminating text messages stored on a phone.

The authorities haven’t fared well; strong encryption now keeps strangers out of everything from your iMessages to app data stored on the latest Android phones. But in the wake of the Paris attacks, U.S. officials are again pushing for limits on encryption, even though there’s still no evidence the extremists used it to safeguard their communications.

While various experts are exploring ways of resolving the impasse, none are making much headway. For now, the status quo favors civil libertarians and the tech industry, although that could change quickly — for instance, should another attack lead to mass U.S. casualties. Such a scenario could stampede Congress into passing hasty and potentially counterproductive restrictions on encryption.

“There are completely reasonable concerns on both sides,” said Yeshiva University law professor Deborah Pearlstein. The aftermath of an attack, however, “is the least practical time to have a rational discussion about these issues.”

Encryption plays a little heralded, yet crucial role in the modern economy and daily life. It protects everything from corporate secrets to the credit-card numbers of online shoppers to the communications of democracy advocates fighting totalitarian regimes.

At the same time, recent decisions by Apple and Google to encrypt smartphone data by default have rankled law enforcement officials, who complain of growing difficulty in getting access to the data they feel they need to build criminal cases and prevent attacks. For months, the Obama administration — which has steered away from legislative restrictions on encryption — has been in talks with technology companies to brainstorm ways of giving investigators legal access to encrypted information.

But technology experts and their allies say there’s no way to grant law enforcement such access without making everyone more vulnerable to cybercriminals and identity thieves. “It would put American bank accounts and their health records, and their phones, at a huge risk to hackers and foreign criminals and spies, while at the same time doing little or nothing to stop terrorists,” Sen. Ron Wyden, D-Ore., said in an interview Monday.

Lawmakers on the U.S. Senate Select Committee on Intelligence remain on what they call an “exploratory” search for options that might expand access for law enforcement, although they’re not necessarily looking at new legislation.

The FBI and police have other options even if they can’t read encrypted files and messages. So-called metadata — basically, a record of everyone an individual contacts via phone, email or text message — isn’t encrypted, and service providers will make it available when served with subpoenas. Data stored on remote computers in the cloud — for instance, on Apple’s iCloud service or Google’s Drive — is also often available to investigators with search warrants. (Apple and Google encrypt that data, but also hold the keys.)

Some security experts suggest that should be enough. Michael Moore, chief technology officer and co-founder of the Baltimore, Maryland-based data security firm Terbium Labs, noted that police have managed to take down online criminals even without shortcuts to encryption. He pointed to the 2013 take down of Silk Road, a massive online drug bazaar that operated on the “dark Web,” essentially the underworld of the Internet.

“The way they figured that out was through good old-fashioned police work, not by breaking cryptography,” Moore said. “I don’t think there’s a shortcut to good police work in that regard.”

Others argue that the very notion of “compromise” makes no sense where encryption is concerned. “Encryption fundamentally is about math,” said Mike McNerney, a fellow on the Truman National Security Project and a former cyber policy adviser to the Secretary of Defense. “How do you compromise on math?” He calls the idea of backdoors “silly.”

Some in law enforcement have compromise ideas of their own. The Manhattan District Attorney’s office, for instance, recently called for a federal law that would require smartphone companies to sell phones they could unlock for government searches — in essence, forcing them to hold the keys to user data.

In a report on the subject, the office called its suggestion a “limited proposal” that would only apply to data stored on smartphones and restrict searches to devices that authorities had already seized. Privacy advocates and tech companies aren’t sold, saying it would weaken security for phones that are already too vulnerable to attack.

Marcus Thomas, the chief technology officer at Subsentio and former assistant director of the FBI’s operational technology division, argued that it’s too late to turn back the clock on strong encryption, putting law enforcement in a “race against time” to obtain investigatory data whenever and wherever it can. But he urged security experts to find ways to help out investigators as they design next-generation encryption systems.

The idea of allowing law enforcement secure access to encrypted information doesn’t faze Nathan Cardozo, a staff attorney for the San Francisco-based Electronic Frontier Foundation, provided a warrant is involved. Unfortunately, he says, cryptographers agree that the prospect is a “pure fantasy.”

Encryption Debate Erupts Post-Paris Attacks But Don’t Expect Any Change Soon

Despite the lack of evidence, the Obama Administration has revived the encryption debate, pointing to encryption as an aid to the terrorists behind the Nov. 13 Paris attacks.

Investigators from France and the U.S. have conceded that there has been no evidence backing up their conclusion that the terrorist behind the attacks relied on the latest, high-level encryption techniques being offered to consumers by Google and Apple.

Yet, the debate over government-grieving encryption is back in high gear.

Decrypting the Encryption Debate

The Great Encryption debate kicked into full swing about a year ago, when current and former chiefs of the U.S. Department of Justice began calling on Apple and Google to create backdoors in iOS 8 and Android Lollipop.

The encryption built for the two mobile operating systems is so tough, that the world’s best forensic scientists in all of computing wouldn’t be able to crack devices running the software in time for a seven-year statute of limitations.

While it’s possible to crack the encryption in less time, each misstep would push back the subsequent cool-down period before the software would allow for another go.

A few weeks before the Nov. 13 attacks on Paris, the DOJ employed a new strategy to coerce Apple into handing over the keys to iOS – and it’s a good one. The tech world is still awaiting Apple’s counterpunch.

Roughly a year ago, then U.S. Attorney General Eric Holder frame the debate on encryption and stated the DOJ’s stance while speaking at the Global Alliance Against Child Sexual Abuse Online.

“Recent technological advances have the potential to greatly embolden online criminals, providing new methods for abusers to avoid detection,” Holder said, adding that there are those who take advantage of encryption in order to hide their identities and “conceal contraband materials and disguise their locations.”

The Information Technology Industry Council, which speaks on behalf of the high-tech industry, sees all of the above issues as reasons everyone needs encryption.

“Encryption is a security tool we rely on everyday to stop criminals from draining our bank accounts, to shield our cars and airplanes from being taken over by malicious hacks, and to otherwise preserve our security and safety,” said Dean Garfield, president and CEO of ITI.

While stating the ITI’s deep “appreciation” for the work done by law enforcement and the national security community, Garfield said there is no sense in weakening the security just to improve it.

“[W]eakening encryption or creating backdoors to encrypted devices and data for use by the good guys would actually create vulnerabilities to be exploited by the bad guys, which would almost certainly cause serious physical and financial harm across our society and our economy,” he explained.

Paris as a Talking Point

In the wake of the recent Paris Attack, U.S. officials have again reissued their call for software developers – Apple, Google and others – to provide law enforcement agencies with keys to the backdoor of operating systems with government-grade encryption.

While there is still no evidence that law enforcement agencies, with encryption keys in hand, could have given police on the ground in Paris a game-changing heads up of the attacks. Nevertheless, Paris has been turned into a talking point said Michael Morell, a former deputy director of the CIA, who stated that the tragic events will reshape the encryption debate.

“We have, in a sense, had a public debate [on encryption],” said Morell. “That debate was defined by Edward Snowden.” Although, instead of what the former NSA contractor and leaker had done, the issue of encryption will now be “defined by what happened in Paris.”

Paris attacks reignite debate over encryption,surveillance and privacy

WASHINGTON — Friday’s terrorist attacks in Paris have revived the debate over whether U.S. tech companies should be required to build “backdoors” into encrypted phones, apps and Internet sites to let law enforcement conduct surveillance of suspected terrorists.

There has been widespread speculation among law enforcement authorities and the media that the Islamic State terrorists who attacked Paris were using some kind of encryption technology to communicate. However, American and French authorities have said there is no hard evidence to back up that assumption.

Still, the possibility has been enough to renew criticism of commercial encryption, putting pressure on U.S. companies that are increasingly using the technology to thwart hackers and reassure customers that their data will be kept private.

“When individuals choose to move from open means of communication to those that are encrypted, it can cause a disruption in our ability to use lawful legal process to intercept those communications and does give us concern about being able to gather the evidence that we need to continue in our mission for the protection of the American people,” Attorney General Loretta Lynch told the House Judiciary Committee Tuesday.

Lynch said the FBI and other Justice Department agencies work with Internet providers to try to find a way to enforce court orders to conduct surveillance of suspected terrorists. However, companies are increasingly employing encryption that even they cannot break to access their customers’ data.

In those cases, federal agents use other types of surveillance and intelligence-gathering tools, Lynch said.

“But it (encryption) does cause us the loss of a very valuable source of information,” she told the committee.

Despite strong criticism of encryption by the FBI, the White House announced in October that it would not seek legislation to force U.S. tech companies to build backdoors to let law enforcement get around the technology to access people’s messages and other information.

Apple’s Encryption Fight Turns To The UK

After a major victory in the United States, Apple is facing an another threat to its encryption efforts on a different front: the United Kingdom.

The Cupertino-based tech giant typically shies away from taking firm stances on specific legislation and works through lobbying groups representing technology companies’ interests. Apple’s CEO Tim Cook today told students in Dublin that the company is opposed to a new British proposal that would require it to provide law enforcement with access to encrypted data.

Cook said creating a so-called backdoor for law enforcement would expose personal data to hackers.

“If you leave a back door in the software, there is no such thing as a back door for good guys only,” Cook said, according to Reuters. “If there is a back door, anyone can come in the back door.”

Cook’s statements have been backed up by privacy and technology experts. This summer, a group at MIT reported government limits on encryption would present risks.

Cook also said the British bill in its current form is vague. He said at the same event that it is not clear how Apple has to comply.

The Brtish bill, known as the Investigatory Powers Bill, would make explicit in law for the first time that law enforcement can hack and bug computers and phones, and it obliges companies to help officials bypass encryption.

Apple began encrypting its smartphones by default in 2014 with the introduction of iOS 8. Law enforcement in the United States has rallied against the update, claiming it would prevent them from obtaining information key to solving investigations.

However the White House has said it will not take a firm stance against encryption. Though the debate has continued heavily in the Capitol Hill hearing rooms, the U.S. Congress has not proposed any legislative solutions to the encryption debate.

The danger of the U.K.’s current proposal does not lie just in the privacy and security risks it presents to British citizens, but in the global precedent such a law would set. If the U.K. passes a law that requires that law enforcement be able to access encrypted data with a warrant, what’s to stop China or Russia from passing a similar law?

Apple hasn’t backed down on encryption since this issue first bubbled up last year. Though it’s been able to hold its own in the debate over encryption, this is the first time it will have to fight a bill targeting this practice.

Snowden Never Told Us About Ransom Encryption

While Edward Snowden is the source behind the largest scandal on the internet, he sure didn’t warn us that hackers would put ransoms onto their spyware. A special ransomware virus was discovered which targets Linux-based systems specifically, and it’s telling us hackers are expanding to web browsers for their vicious attacks.

This specific malware, labeled Lunix.Encoder.1, it breakes all files and goes through specific directories, encrypting home directories, the MySQL server directory, logs, and Web directories of Apache and the Ngnix web servers. It leaves a ransom note in every directory that contains encrypted files, and they are next to impossible to recover without appropriate backups or if users don’t pay the ransom.

This specific virus encrypts archives that contain the very word ‘backup’, so getting out of the pinch without paying the ransom is extremely difficult. The team behind the discovery urge users to keep active backups and make sure their information is as secure as possible. The team also revealed that it’s likely that the malware uses brute force guessing of remote access credentials or Web application exports combined with local privilege escalations, and it probably gives Snowden himself a warm feeling in the heart.

It’s an interesting development in how we are willing to pay to keep our information secure, as anti-virus software continues to grow, perhaps ransoms will start getting more aggressive and more lethal. Could this have been something Snowden missed or failed to inform the world about?

Investigatory Powers Bill could allow Government to ban end-to-end encryption, technology powering iMessage and WhatsApp

The new Investigatory Powers Bill could ban WhatsApp and iMessage as they currently exist and lead to the weakening of security.

Introducing the Bill this week, Home Secretary Theresa May said that it didn’t include a controversial proposal to ban the encryption that ensures that messages can’t be read as they are sent between devices. But it does include rules that could allow the Government to force companies to create technology that allows those messages to be read, weakening encryption.

The Bill gives wide-ranging powers to the Home Secretary to force companies to make services that that can be more easily read by intelligence agencies.

Section 189 of the law allows the Government to impose “obligations” on companies that provide telecommunications services. That can include “the removal of electronic protection”, as well as a range of others.

It isn’t clear how that law would be used in practice. But it could allow for the breaking of encryption so that messages can be read.

Some of those powers were already available. But the new legislation repeats them – despite the suggestion that the ban on encryption has been dropped – as well as strengthening some of the ways that Government can impose such obligations.

At the moment, services including WhatsApp and Apple’s iMessage use end-to-end encryption. That means that the phones that are sending each other use keys to ensure that nobody else – including WhatsApp and Apple themselves – can’t read messages.

When end-to-end encryption is used, it isn’t possible to set up a system so that it only allows for the breaking of messages from a specific phone, or of messages sent between two specific people. Instead, allowing for the viewing of just two messages would entail entirely re-engineering the system so that WhatsApp and Apple had the keys to unlock any message, sitting in the middle of all messages.

Technology companies are understood to be concerned about that setup, because if they are able to read through messages then the same system could be used by members of staff or hackers to read through the messages of all of a services’ users.

Earlier this year, a report from some of the world’s leading computer experts said that weakening encryption “will open doors through which criminals and malicious nation states can attack the very individuals law enforcement seeks to defend”.

“If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege,” the report argued.

Apparently partly in response to that criticism, the US Government has mostly walked back its attempts to weaken encryption.

New U.K. online surveillance proposal could have international reach

A new surveillance proposal in the United Kingdom is drawing criticism from privacy advocates and tech companies that say it gives the government far-reaching digital surveillance powers that will affect users outside the nation’s borders.

The Draft Investigatory Powers Bill released by British Home Secretary Theresa May Wednesday would force tech companies to build intercept capabilities into encrypted communications and require telecommunications companies to hold on to records of Web sites visited by citizens for 12 months so the government can access them, critics allege.

Policy changes are necessary to maintain security in a changing digital landscape, the government argued. “The means available to criminals, terrorists and hostile foreign states to co-ordinate, inspire and to execute their plans are evolving,” May wrote in a forward to the bill. “Communications technologies that cross communications platforms and international borders increasingly allow those who would do us harm the opportunity to evade detection.”

The bill has some new judicial oversight mechanisms, but the response from privacy advocates was largely negative, with some arguing that those changes aren’t enough to compensate for the expanse of new powers.

“The law would apply to all companies doing business with the UK, which includes basically all companies that operate over the internet,” said Nathan White, senior legislative manager at digital rights group Access. “This means that even wholly domestic encrypted communications in the United States, France, or South Africa would be put at risk.”

Some tech companies themselves also raised alarm bells. “Many aspects of the draft Bill would directly impact internet users not just in the UK, but also beyond British borders,” Yahoo said in a blog post. “Of most concern to us at this stage is the UK Government’s proposal to affirm extraterritorial jurisdiction over foreign service providers.”

The U.K. government says some of the controversial aspects of the draft, including the requirement to unlock encrypted communications, date back to laws already on the books and it replaces a patchwork of powers which go back to the early days of the Web. However, while a Code of Conduct for Interception Capabilities released by the British government earlier this year said communications companies were required to maintain a “permanent interception capability,” it made no mention of decrypting such content.

Privacy advocates say the government is reinterpreting earlier laws in problematic ways. “This is a major change” that would effectively outlaw end-to-end encryption, a form of digital security where only the sender and the recipient of a message can unlock it, White said.

In meetings before the draft was released, the government pressed at least one tech company to build in backdoors into encrypted communications, according to a person familiar with the issue who requested anonymity because he was not authorized to comment on the issue.

Apple’s iMessage system uses end-to-end encryption as do an increasingly number of standalone messaging and calling apps including Signal. If the proposal becomes law, critics warn, such services may be forced to alter their systems to include such “backdoors” to allow the government to access encrypted content — something encryption experts say would undermine security by making the underlying code more complex and giving hackers something new to target — or exit the market. Apple declined to comment on the bill, but chief executive Tim Cook has been a vocal opponent of government-mandated backdoors in the past.

Encryption was at the heart of a U.S. policy debate over the last year. The dialogue was triggered when Apple moved to automatically protect iOS devices with encryption so secure the company itself cannot unlock data stored on an iPhone even if faced with a warrant, assuming that a user turns off automatic back-ups to the company’s servers.

Some law enforcement officials warn that criminals and terrorists are “going dark” due to such technology. But the Obama administration decided not to press for a legislative mandate that would require companies to build ways to access such content into their products, although it has not yet come out with a full policy position on the issue.

Critics argue that has led to ambiguity which emboldened British officials. “This draft proposal from the U.K. government demonstrates the lack of leadership on encryption policy from the Obama Administration” and could lead to similar proposals in other parts of the world, said White.

If one country is able to force companies to unlock encrypted data it will be hard to fend off such requests from others including China and Russia, some inside tech companies fear.

When asked about the British proposal by The Post, National Security Council spokesperson Mark Stroh declined to weigh in. “We’d refer you to the British government on draft British legislation,” he said via e-mail.

Tech Companies and Civil Liberties Groups Force Obama To Weigh In On Encryption Debate

President Obama will now be forced to publicly describe the extent of his commitment to protecting strong encryption, after nearly 50 major technology companies, human rights groups, and civil liberties collectives—including Twitter, the ACLU, and Reddit — succeeded in getting over 100,000 signatures on a White House petition on Tuesday.

The government’s “We the People” platform, created in 2011, was designed as “a clear and easy way for the American people to petition their government.” Once a petition gains 100,000 signatures, it is guaranteed a response.

The savecrypto.org petition demands that Obama “publicly affirm your support for strong encryption” and “reject any law, policy, or mandate that would undermine our security.”

FBI director James Comey has been preaching about the dangers of end-to-end encryption for the past year, saying it blocks law enforcement from monitoring communications involving criminals and terrorists. He’s asked for special access into encrypted communications — a “back door” or “front door.”

However, technologists and privacy advocates insist that any hole in encryption for law enforcement can be exploited by hackers.

Comey testified earlier this month before the Senate Homeland Security and Governmental Affairs Committee that the White House was not seeking legislation to force companies to build backdoors into their products—at least not yet.

However, top intelligence community lawyer Robert S. Litt wrote in a leaked e-mail obtained by the Washington Post that public opinion could change “in the event of a terrorist attack or criminal event” where encryption stopped law enforcement from detecting the threat. He recommended “keeping our options open for such a situation.”

Now, the White House will have to speak for itself.

“More than 100,000 users have now spoken up to ask the Administration to make a strong statement in support of data security – no back doors, no golden keys, no exceptional access,” said Amie Stepanovich, the U.S. Policy Manager for digital rights group Access Now, one of the founding organizations of the petition along with the Electronic Frontier Foundation. “We thank those who have stood with us and look forward to President Obama’s response.”

Your self-encrypting hard drive isn’t nearly as secure as you thought

If you want to keep your information away from hackers and snoops, whether it’s your Internet use, email, hard drive data or your backup, the best thing you can do is use encryption. Encryption scrambles your data and, in theory, the only way to unscramble it is to know the password. That’s why choosing a strong password no one can guess is important.

This is also what makes a ransomware virus that encrypts your files so dangerous. Without paying for the decryption password, you can’t get your files back. Learn three steps you can take to beat ransomware. Unfortunately for your security, encryption isn’t always a secure as you’d hope.

Without going into too much technical detail, there are a lot of ways that encryption can happen, from the method it uses to encrypt the data to how many bits it uses. For example, you’ll see 128-bit AES and 256-bit AES show up a lot in programs and Web encryption. There’s SHA-1 and SHA-2 from the NSA. For your router, you’ll see options like WEP, WPA TKIP, WPA2 AES and more.

Unfortunately, not all encryption is created equal. For centuries, mathematicians and cryptographers have been coming up with and breaking encryption schemes. As computers have gotten more powerful, encryption that should have taken centuries to crack can fail in seconds.

That’s why you don’t see much 64-bit AES anymore, why using WEP on your router is the same has having no encryption, and why large organizations are moving from SHA-1 to SHA-2 encryption.

Of course, this is way more than the average person should have to think about. You should be able to trust that every company is using the best encryption possible in the products you buy and use. Unfortunately, that often isn’t the case, and we just got a fresh reminder.