GRyan Masters Blog

Cybersecurity and Encryption

11. Victory for Encryption — May 29, 2016

11. Victory for Encryption

Recently in the news there has been articles about the Senate encryption bill. The bill has not had the support needed, so for now it is effectively dead. With the current political landscape getting ready for the new presidency, voting on this bill could potentially harm the parties. The CIA and NSA have said that they would not back this bill because they know that this would impact their encryption as well (Fingas, 2016).

This is certainly a victory for the way of encryption. If this bill would have passed, the American encryption would be the same as having a gate to protect your property, but not being able to lock it. The bill also shows how desperate politicians are to write up a bill and through it to The House and The Senate to vote on without knowing anything about the implications. If this bill would have been passed, the American people would have been crippled by their own government.

GRyan

Fingas, J. (2016, May 29). Senate anti-encryption bill is effectively dead, for now. Retrieved May 29, 2016, from http://www.engadget.com/2016/05/28/senate-anti-encryption-bill-dies/
Advertisements
10. Snowden calls out Google over Allo — May 21, 2016

10. Snowden calls out Google over Allo

In a recent news article, NSA whistleblower, Edward Snowden, says that “Google’s decision to disable end-to-end encryption by default in its new #Allo chat app is dangerous, and makes it unsafe. Avoid it for now (Tung, 2016).” While this is not totally the case, Allo uses end-to-end encryption if the users select incognito mode. This will also reduce the function available during app use. Thai Duong, Google’s ‘cyber overlord’ and co-lead has said “I can’t promise anything now, but I’m pushing for a setting where users can opt out of cleartext messaging. Basically with one touch you can tell Allo that you want to, “Always chat in incognito mode going forward,” and from that moment on all your messages will be end-to-end encrypted and auto-deleted (Tung, 2016).”

Thai goes on to explain that the primary security for Allo is that message disappear after a set amount of time. Allo will also not be viewable by Google. Thai explained that Google would sacrifice if using end-to-end encryption by default; “In normal mode, an artificial intelligence run by Google, but no humans including the Allo team or anyone at Google, can read your messages. This AI will use machine learning to analyze your messages, understand what you want to do, and give you timely and useful suggestions. For example, if you want to have dinner, it’ll recommend restaurants or book tables. If you want to watch movies, it can buy you tickets (Tung, 2016).”

This is interesting coming from Google. Allo is developed with the disappearance of messages as security instead of encryption. What if the messages are captured before the server deletes them? What impact will this have on the usage of the messenger? Let’s hope that Google knows what they are doing when it comes to the disappearing messages. With the current spike in the government being interested in recovering data from devices or servers when needed for investigation, what will happen when the courts give an order to Google to produce information that was transmitted within the Allo app.

GRyan

Tung, L. (2016, May 20). NSA whistleblower Snowden: Google Allo without default encryption is “dangerous.” Retrieved May 21, 2016, from http://www.zdnet.com/article/nsa-whistleblower-snowden-google-allo-without-default-encryption-is-dangerous/
9. British Judge Rules in Favor of Hacker. — May 13, 2016

9. British Judge Rules in Favor of Hacker.

The British FBI, (The National Crime Agency) confiscated the computer and hard drives from Louri Love, who was accused by the U.S. Authorities for hacking into multiple federal systems between 2012 – 2013 (Gallagher, 2016). The National Crime Agency served Love with an order to turn over the passwords for his encrypted data, and Love did not comply with this request. Love then launched a civil case to request The National Crime Agency return his equipment to him. When Love filed this case they again asked for his compliance with the original order to give them the password for the encrypted data and also said that they cannot give the equipment back to Love because some of the data on it does not belong to Love, (the hacked data).

On Tuesday, at Westminster Magistrates’ Court in London, judge Nina Tempia ruled in Love’s favor. Tempia said that she was “not persuaded” by the National Crime Agency’s argument that Love should be compelled to disclose his passwords and encryption keys to prove his ownership of the data. She also took a swipe at the agency’s attempt to “circumvent” the Regulation of Investigatory Powers Act, which she described as the “specific legislation that has been passed in order to deal with the disclosure sought (Gallagher, 2016).”

This was a great victory for Love. Love said “If they’d ruled in the other way it would have been very concerning for anyone who has to store sensitive information, especially people with obligations to clients, people under their care in terms of their confidentiality (Gallagher, 2016).”

The U.S. Authorities are also looking to extradite Love so he can be tried in American courts. Love has been diagnosed with Asperger’s syndrome and does not feel that he would receive a fair trial in the U.S (Gallagher, 2016). Love also said “There will be no decryption” and fully intends to defend this case to the fullest.

The encryption battle rages on and it is good to see that judges like Nina Tempia are still on the bench and willing to defend what is right and not who holds the highest power. I believe the FBI had no right to pursue Apple Inc. because of what a customer decided to do with his device. If I buy a Toyota and go on a mass rampage and run-over everyone that I see, is the government going to go after Toyota and try to force them to tell me why I did it?  or possibly force them to detect my GPS location at every second during the spree and locate an audio message that may have been received inside the video? As the battle over encryption wages, stay tuned for weekly updates.

GRyan

Gallagher, R. (2016, May 10). British Hacker Wins Court Battle Over Encryption Keys. Retrieved May 13, 2016, from https://theintercept.com/2016/05/10/uk-hacker-lauri-love-encryption-court-victory/
8. Encryption Racism — May 8, 2016

8. Encryption Racism

The battle for encryption rages on. The debate between the FBI and Apple Inc. has forced encryption matter to the front of the line. Now more than ever, people are paying attention to encryption, even if they know nothing more than encryption is a way to protect your data. Many other countries are starting to approach the encryption barrier before it becomes a problem for them. India has announced that it has developed a mobile forensics tool that can handle smartphone, even the iPhone (Kochar, 2016). India has accepted that encryption may become a problem to law enforcement and create issues with them properly conducting their duties.

There is another protest that is against the banning of encryption for reasons of discrimination. Anti-encryption measures are a violation of our first and fourth amendment rights (Renderos & Putterman, 2016). Already, communities of color, or non-American, are experiencing a rise in illegal surveillance, boarder control, and illegal policing (Renderos & Putterman, 2016). What I don’t agree with this article about (“To the next POTUS: For communities of color, encryption is a civil right”) is that is encryption is weakened or that state or the Federal Government decides to change the way that encryption is allow, all Americans: black, white, hispanic, muslim, etc.. will suffer equally. To say that communities of color will feel the effects greater, is false. Yes without the encryption to protect those within the community, surveillance measures will be more successful, but technology and data do not have a race. Everyone will be equally likely to have data compromised. Also, just as with any other laws that are passed to reduce any aspect, the criminals will prevail while the law-abiding citizens give into the law and become victims of these same laws.

Encryption is not a topic that should be decided on using it or not, or even the topic of reducing the effectiveness of it. The government needs to come up with a way to combat it the same way they have developed methods to deal with other situations. If the government is going to reduce encryption standards, they should also mandate that everyone leave a spare key to their house with the local police in the event they need or want to get into your house (same for vehicles). Sometimes it makes me wonder if the government really protects its’ citizens, or do whatever they see fit to complete its’ own objectives.

GRyan

Kochar, R. (2016, May 7). A Tool For Mobile Forensics Has Been Developed To Handle Encryption, Including iPhone, says Ravi Shankar Prasad. Retrieved May 8, 2016, from https://www.entrepreneur.com/article/275384
Renderos, S., & Putterman, M. T. (2016, March 7). To the next POTUS: For communities of color, encryption is a civil right. Retrieved from http://social.techcrunch.com/2016/05/06/to-the-next-potus-for-communities-of-color-encryption-is-a-civil-right/
7. The Encryption Debate — May 1, 2016

7. The Encryption Debate

What started as a crime has now turned into a national debate. The massacre that happened December, 2015, at the Inland Regional Center in California, was the start of the FBI vs. Apple Inc. debate. The FBI acquired an iPhone from one of the killers, and was pressuring Apple Inc. to modify their iOS software and allow for the FBI to gain access to the device. This need for access to the devices lead to a Supreme Court lawsuit, and has started a national debate over encryption.

There is a new bill that the Senate is trying to pass “Compliance with Court Orders Act 2016” (114th Congress, 2016). If this bill is passed, what will become of encryption standards? There are many concerns with this piece of legislation. If this legislation is passed it will not have good implications. Companies that abide by the law will follow this new bill, but the criminals, terrorist, or hackers will not. These groups will abuse this bill to their advantage. Also this bill does not apply to a particular venue i.e. communication companies like Apple Inc, WhatsApp, Viber. These companies are in the site of everyone’s minds because Apple Inc. is the highlight company for the creation of this potential bill, but this will apply to every company that uses encryption. From operating systems (OS), companies that create encryption software, and companies that deploy encryption, will be subject to weaken standards or using software that has a backdoor.

The Federal Government will not follow this bill. They will create another bill that allows the use of unfettered encryption to remain on government information systems. This bill will also create “new criminals” because some companies will not comply with this bill because of the increased security vulnerabilities that will be created by the government.

If this was a decision that would not have heavy security impacts on companies, then the bill would not be an issue. This bill is being attacked at every angle. Many say that this bill was created by people that do not understand encryption nor the implications that this bill will have on industries (Peterson, 2016). Bob Lord, Yahoo’s Chief Security Officer, talks about why Yahoo is looking into encryption that even Yahoo cannot decrypt. (Twitter, 2016).

GRyan

114th Congress. (2016, April 30). Compliance with Court Orders Act of 2016. Retrieved May 1, 2016, from https://www.burr.senate.gov/imo/media/doc/BAG16460.pdf
Peterson, C. (2016, April 30). Hated encryption bill should prompt U.S. intelligence reform. Retrieved May 1, 2016, from http://venturebeat.com/2016/04/30/hated-encryption-bill-should-prompt-u-s-intelligence-reform/
Twitter, A. S. (2016, April 28). Yahoo’s Security Chief On Encryption Debate: What Is The Greater Good? Retrieved May 1, 2016, from http://www.npr.org/sections/alltechconsidered/2016/04/28/475883338/yahoos-security-chief-on-encryption-debate-what-is-the-greater-good
6. Viber has implemented end-to-end encryption within its’ app. — April 21, 2016

6. Viber has implemented end-to-end encryption within its’ app.

Viber, a competitor to WhatsApp, has also just release that they have implemented end-to-end encryption for its’ 7 million subscribers (Conger, 2016).  The COO, Michael Shmilov, announced that the encryption being used by Viber will only allow the communicating party to see the messages, and that the company does not have access to the content of the message sent using its’ app. The company does have the visibility to see the phone numbers of the party communicating. A Viber spokesperson did tell TechCrunch that “MD5 is not being used”, and that “Viber will not grant backdoor access under any circumstance and in and country” (Conger, 2016). Viber has taken the side of Apple and WhatsApp.

One thing that is troubling many is that Viber has yet to publish any information on how they plan to encrypt messages or which type of encryption that they will use. Joe Hall, the chief technologist of the Center for Democracy and Technology, is concerned that these companies are to quick to use encryption that they may not be completely securing the technology the way they should (Conger, 2016). “In the rush to encrypt everything, I’m hoping encryption doesn’t become just a fad, resulting in poor security engineering. It’s not clear if that’s what’s happening here, but I suspect we’ll see that at some point,” Hall told TechCrunch (Conger, 2016).

What is the government going to do with this growing encryption retaliation? Before we know it the National Deficit will increase by another trillion dollars because the government is suing every company in America that uses some type of encryption. Should the general public be worried about this? On a daily basis citizens use passwords to access information, encryption is used when logging into many business websites to purchase items, to check banking information, or even encrypting data so that spies on public networks are not stealing their data. The government forcing corporate entities to give up their encryption security so that the government can get information from one persons phone is the correct approach. While getting the information for this one device, they are creating a vulnerability in every device that uses the same type of security.

Grant Ryan

Conger, K. (2016, April 20). Viber defends new end-to-end encryption protocol against criticism. Retrieved from http://social.techcrunch.com/2016/04/20/viber-defends-new-end-to-end-encryption-protocol-against-criticism/
5. More Companies Encrypt Data — April 17, 2016

5. More Companies Encrypt Data

In a recent article WhatsApp, owned by Facebook, is now using encryption that is said to be stronger than Apples’. By Apples’ I mean Apple Inc. not the bright red fruit. I mention Apples’ encryption because of the on going debate with the FBI. WhatsApp has increased in encryption to all transmission and not just messages i.e. photos, videos, messages, etc… It has already been warned that violent extremists and criminals can use WhatsApp to hide their tracks (BR, Bailey, & Writer, 2016).

Also in Brazil WhatsApp was the cause for a Facebook Inc. executive to be arrested (he has been released). Apple and WhatsApp are not the only companies that use encryption to protect the transmission of data. Other less popular services use encryption also. Signal, Wickr and Telegram use end-to-end encryption also (BR, Bailey, & Writer, 2016).

The outcomes of the debate between Apple and the FBI will be an interesting turning point for these types of services, and the history of encryption. Many things could come from the debate. What will happen next? Will the government take encryption for itself and require that all encryption methods contain a backdoor for government to access? Will encryption be added to the list of things that are illegal? Would everyone using encryption be considered a criminal or terrorist because they are hiding something? I do not know where the history of encryption will go, but it will definitely be interesting.

Grant Ryan

BR, Bailey, O., & Writer, A. T. (2016, April 16). WhatsApp extends encryption to photos, video, other messages. Retrieved from http://ksnt.com/2016/04/16/whatsapp-extends-encryption-to-photos-video-other-messages/
4. Compliance with Court Orders Act of 2016 — April 10, 2016

4. Compliance with Court Orders Act of 2016

This new bill called the “Compliance with Court Orders Act of 2016” (“Burr Encryption Bill – Discussion Draft,” n.d.) is going to destroy the foundation of encryption. Encryption was created to protect data and was not intended to have backdoors built into their designs. As mentioned by “Keys Under Doormats” (Adelson et al., 2015), any backdoor created for law enforcement also creates a potential risk for hackers and cyberspies (Greenberg, 2016). The title “Keys Under Doormats” is appropriately named because how secure is your house if the key is under the doormat. If encryption is designed with a backdoor in mind, then why even build it. Creating a master key that would decrypt any other key would also prove pointless.

The Senate and House must seek the appropriate technical assistance before attempting to write this type of garbage up as a law. Does Congress realize what they are demanding in the full scope or are they just creating a bill that is a fix for only a few issues that are currently preventing further investigation from the U.S Government? If this is voted into law every American should just use an FTP to store all there information, change all current passwords to “password” or “1234”, where t-shirts custom made to display your credit card information, and do not lock your cars. Why should American’s do these things? Without encryption these things will not matter anyway. So much of out lives depends on encryption and the government is trying to build up its’ wall while they tear down ours. Any files that may be stored in the cloud are protected by encryption, or authentication. Passwords are transmitted using encryption so that a spying eye cannot capture them. Credit card information is secured through encrypted transactions, secure tunnels, or digital certificates.

Cars? Why mention not locking your vehicle? It’s not protected by an encrypted key, a physical key must be used to unlock and start my car. The Swiss Federal Institute of Technologies test 8 cars that used key less fobs for unlocking and starting a vehicle, and they successfully started all 8 vehicles (Hyde, 2011). What does this have to do with encryption? If encryption is required to have a way for court ordered law enforcement to gain access to it, then the encryption is flawed from the start. It takes one person to find the key and all devices from that manufacturer are now unsecured. American is becoming the land of free information, and the home of the weak security.

By: Grant Ryan

Adelson, H., Anderson, R., Bellovin, S., Benaloh, J., Blaze, M., Diffie, W., … Weitzner, D. (2015, July 7). paper-keys-under-doormats-CSAIL.pdf. Retrieved from https://www.schneier.com/cryptography/paperfiles/paper-keys-under-doormats-CSAIL.pdf
Burr Encryption Bill – Discussion Draft. (n.d.). Retrieved April 9, 2016, from https://www.scribd.com/doc/307378123/Burr-Encryption-Bill-Discussion-Draft
Greenberg, A. (2016, April 8). The Senate’s Draft Encryption Bill Is “Ludicrous, Dangerous, Technically Illiterate.” Retrieved April 9, 2016, from http://www.wired.com/2016/04/senates-draft-encryption-bill-privacy-nightmare/
Guido, D. (2016, February 17). Apple can comply with the FBI court order. Retrieved from http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/
Hyde, J. (2011, January 18). How Hackers Can Use Smart Keys To Steal Cars. Retrieved April 10, 2016, from http://jalopnik.com/5736774/how-hackers-can-use-smart-keys-to-steal-cars
3. VNC Security Breech — April 1, 2016

3. VNC Security Breech

What is worst than not changing the default password to a device or program? Not setting a password at all. Recently a hacker that goes by “Revolver” has recovered data from unsecured computers. Revolver wanted to see how many computers were insecure so he created a script that cycled through IP addresses and select ports on his own computer, which tries to connect to unsecured servers through a web-based VNC viewer (Whittaker, 2016). The script would only capture a screenshot if there was a connection, if there was not a connect the script would goto the next IP address.

I reviewed this site when the article was fist posted and many of the images were pretty disturbing. Not disturbing in the sense of gore, but in the sense that some of the information contained was damaging. One of the screenshots was of a pediatrics office and patient records where displayed when the screenshot was captured. Another screenshot was the system control panel for a German hydropower plant. Some of the other captures when not of much importance.

Now the site that the photos were posted to has been taken down (VNC Roulette) Since the site was taken down I accessed the cached site from Google.com just to see if the photos were cached and the site that Revolver setup for the VNC Roulette was hacked by another hacker calling himself “FatalSec”. This is a way for hackers to get their name out there as a better hacker than the last hacker. Here is the cached link to the hacked VNCRoulette website (I’m not responsible if anything happens to you computer by clicking the link. Click the link at your own risk): http://webcache.googleusercontent.com/search?q=cache:PFK3vnAnCOgJ:vncroulette.com/+&cd=1&hl=en&ct=clnk&gl=us.

{Update}

I have located the website with the photos of the screenshots. I am not posting this for the purpose of capturing the data, just as a visual tool to see the amount of data that is open to the public VNCRoulette working link

VNC Roulette. (n.d.). Retrieved April 1, 2016, from http://5.230.225.107/index.php?picture=0
Whittaker, Z. (2016, March 29). How one hacker exposed thousands of insecure desktops that anyone can remotely view | ZDNet. Retrieved March 29, 2016, from http://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/
2. FBI Vs. Encryption — March 27, 2016

2. FBI Vs. Encryption

The FBI continues to target Apple and the security of their devices. FBI Director, James Comey, is trying to get legislation passed that will restrict technology companies from having encryption that prevents the government from accessing the data stored on devices (Lord, 2014). As mentioned in my previous post, allowing any kind of backdoor into a system cripples the security of the device. It is obvious that anything that is encrypted can be decrypted, but adding a cellar door to your basement is just an invitation for anyone that wants what you have.

I am in total disagreement with the request of the FBI. Right now it is Apple that is being ordered to comply, but in the future it may be all other companies that sell products in the USA. If these types of laws are allowed to exist then the competitive advantage for the U.S technology companies has just been crippled by its’ own government (Lord, 2014).

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized (“Bill of Rights Transcript Text,” n.d.).

Over 220 years ago the government tried to protect use against ourselves and now we see things of this nature in the news so often. We are a free nation, but are we really. We can’t even protect our own data without someone else wanting access to it. Without encryption we would not be the nation that we are, or have the technologies and pleasures that we do have. What secrets would the government have without being able to protect the data that they have? To ask the people to give up a means to secure their persons, or effects is unconstitutional at worst, and just poor programs, politics, and leaders at best.

Grant Ryan

 

Bill of Rights Transcript Text. (n.d.). Retrieved March 27, 2016, from http://www.archives.gov/exhibits/charters/bill_of_rights_transcript.html
Lord, N. (2014, October 20). The Security Hot Seat: Personal Device Encyption. Retrieved March 27, 2016, from https://digitalguardian.com/blog/security-hot-seat-personal-device-encyption