GRyan Masters Blog

Cybersecurity and Encryption

6. Viber has implemented end-to-end encryption within its’ app. — April 21, 2016

6. Viber has implemented end-to-end encryption within its’ app.

Viber, a competitor to WhatsApp, has also just release that they have implemented end-to-end encryption for its’ 7 million subscribers (Conger, 2016).  The COO, Michael Shmilov, announced that the encryption being used by Viber will only allow the communicating party to see the messages, and that the company does not have access to the content of the message sent using its’ app. The company does have the visibility to see the phone numbers of the party communicating. A Viber spokesperson did tell TechCrunch that “MD5 is not being used”, and that “Viber will not grant backdoor access under any circumstance and in and country” (Conger, 2016). Viber has taken the side of Apple and WhatsApp.

One thing that is troubling many is that Viber has yet to publish any information on how they plan to encrypt messages or which type of encryption that they will use. Joe Hall, the chief technologist of the Center for Democracy and Technology, is concerned that these companies are to quick to use encryption that they may not be completely securing the technology the way they should (Conger, 2016). “In the rush to encrypt everything, I’m hoping encryption doesn’t become just a fad, resulting in poor security engineering. It’s not clear if that’s what’s happening here, but I suspect we’ll see that at some point,” Hall told TechCrunch (Conger, 2016).

What is the government going to do with this growing encryption retaliation? Before we know it the National Deficit will increase by another trillion dollars because the government is suing every company in America that uses some type of encryption. Should the general public be worried about this? On a daily basis citizens use passwords to access information, encryption is used when logging into many business websites to purchase items, to check banking information, or even encrypting data so that spies on public networks are not stealing their data. The government forcing corporate entities to give up their encryption security so that the government can get information from one persons phone is the correct approach. While getting the information for this one device, they are creating a vulnerability in every device that uses the same type of security.

Grant Ryan

Conger, K. (2016, April 20). Viber defends new end-to-end encryption protocol against criticism. Retrieved from http://social.techcrunch.com/2016/04/20/viber-defends-new-end-to-end-encryption-protocol-against-criticism/
5. More Companies Encrypt Data — April 17, 2016

5. More Companies Encrypt Data

In a recent article WhatsApp, owned by Facebook, is now using encryption that is said to be stronger than Apples’. By Apples’ I mean Apple Inc. not the bright red fruit. I mention Apples’ encryption because of the on going debate with the FBI. WhatsApp has increased in encryption to all transmission and not just messages i.e. photos, videos, messages, etc… It has already been warned that violent extremists and criminals can use WhatsApp to hide their tracks (BR, Bailey, & Writer, 2016).

Also in Brazil WhatsApp was the cause for a Facebook Inc. executive to be arrested (he has been released). Apple and WhatsApp are not the only companies that use encryption to protect the transmission of data. Other less popular services use encryption also. Signal, Wickr and Telegram use end-to-end encryption also (BR, Bailey, & Writer, 2016).

The outcomes of the debate between Apple and the FBI will be an interesting turning point for these types of services, and the history of encryption. Many things could come from the debate. What will happen next? Will the government take encryption for itself and require that all encryption methods contain a backdoor for government to access? Will encryption be added to the list of things that are illegal? Would everyone using encryption be considered a criminal or terrorist because they are hiding something? I do not know where the history of encryption will go, but it will definitely be interesting.

Grant Ryan

BR, Bailey, O., & Writer, A. T. (2016, April 16). WhatsApp extends encryption to photos, video, other messages. Retrieved from http://ksnt.com/2016/04/16/whatsapp-extends-encryption-to-photos-video-other-messages/
4. Compliance with Court Orders Act of 2016 — April 10, 2016

4. Compliance with Court Orders Act of 2016

This new bill called the “Compliance with Court Orders Act of 2016” (“Burr Encryption Bill – Discussion Draft,” n.d.) is going to destroy the foundation of encryption. Encryption was created to protect data and was not intended to have backdoors built into their designs. As mentioned by “Keys Under Doormats” (Adelson et al., 2015), any backdoor created for law enforcement also creates a potential risk for hackers and cyberspies (Greenberg, 2016). The title “Keys Under Doormats” is appropriately named because how secure is your house if the key is under the doormat. If encryption is designed with a backdoor in mind, then why even build it. Creating a master key that would decrypt any other key would also prove pointless.

The Senate and House must seek the appropriate technical assistance before attempting to write this type of garbage up as a law. Does Congress realize what they are demanding in the full scope or are they just creating a bill that is a fix for only a few issues that are currently preventing further investigation from the U.S Government? If this is voted into law every American should just use an FTP to store all there information, change all current passwords to “password” or “1234”, where t-shirts custom made to display your credit card information, and do not lock your cars. Why should American’s do these things? Without encryption these things will not matter anyway. So much of out lives depends on encryption and the government is trying to build up its’ wall while they tear down ours. Any files that may be stored in the cloud are protected by encryption, or authentication. Passwords are transmitted using encryption so that a spying eye cannot capture them. Credit card information is secured through encrypted transactions, secure tunnels, or digital certificates.

Cars? Why mention not locking your vehicle? It’s not protected by an encrypted key, a physical key must be used to unlock and start my car. The Swiss Federal Institute of Technologies test 8 cars that used key less fobs for unlocking and starting a vehicle, and they successfully started all 8 vehicles (Hyde, 2011). What does this have to do with encryption? If encryption is required to have a way for court ordered law enforcement to gain access to it, then the encryption is flawed from the start. It takes one person to find the key and all devices from that manufacturer are now unsecured. American is becoming the land of free information, and the home of the weak security.

By: Grant Ryan

Adelson, H., Anderson, R., Bellovin, S., Benaloh, J., Blaze, M., Diffie, W., … Weitzner, D. (2015, July 7). paper-keys-under-doormats-CSAIL.pdf. Retrieved from https://www.schneier.com/cryptography/paperfiles/paper-keys-under-doormats-CSAIL.pdf
Burr Encryption Bill – Discussion Draft. (n.d.). Retrieved April 9, 2016, from https://www.scribd.com/doc/307378123/Burr-Encryption-Bill-Discussion-Draft
Greenberg, A. (2016, April 8). The Senate’s Draft Encryption Bill Is “Ludicrous, Dangerous, Technically Illiterate.” Retrieved April 9, 2016, from http://www.wired.com/2016/04/senates-draft-encryption-bill-privacy-nightmare/
Guido, D. (2016, February 17). Apple can comply with the FBI court order. Retrieved from http://blog.trailofbits.com/2016/02/17/apple-can-comply-with-the-fbi-court-order/
Hyde, J. (2011, January 18). How Hackers Can Use Smart Keys To Steal Cars. Retrieved April 10, 2016, from http://jalopnik.com/5736774/how-hackers-can-use-smart-keys-to-steal-cars
3. VNC Security Breech — April 1, 2016

3. VNC Security Breech

What is worst than not changing the default password to a device or program? Not setting a password at all. Recently a hacker that goes by “Revolver” has recovered data from unsecured computers. Revolver wanted to see how many computers were insecure so he created a script that cycled through IP addresses and select ports on his own computer, which tries to connect to unsecured servers through a web-based VNC viewer (Whittaker, 2016). The script would only capture a screenshot if there was a connection, if there was not a connect the script would goto the next IP address.

I reviewed this site when the article was fist posted and many of the images were pretty disturbing. Not disturbing in the sense of gore, but in the sense that some of the information contained was damaging. One of the screenshots was of a pediatrics office and patient records where displayed when the screenshot was captured. Another screenshot was the system control panel for a German hydropower plant. Some of the other captures when not of much importance.

Now the site that the photos were posted to has been taken down (VNC Roulette) Since the site was taken down I accessed the cached site from Google.com just to see if the photos were cached and the site that Revolver setup for the VNC Roulette was hacked by another hacker calling himself “FatalSec”. This is a way for hackers to get their name out there as a better hacker than the last hacker. Here is the cached link to the hacked VNCRoulette website (I’m not responsible if anything happens to you computer by clicking the link. Click the link at your own risk): http://webcache.googleusercontent.com/search?q=cache:PFK3vnAnCOgJ:vncroulette.com/+&cd=1&hl=en&ct=clnk&gl=us.

{Update}

I have located the website with the photos of the screenshots. I am not posting this for the purpose of capturing the data, just as a visual tool to see the amount of data that is open to the public VNCRoulette working link

VNC Roulette. (n.d.). Retrieved April 1, 2016, from http://5.230.225.107/index.php?picture=0
Whittaker, Z. (2016, March 29). How one hacker exposed thousands of insecure desktops that anyone can remotely view | ZDNet. Retrieved March 29, 2016, from http://www.zdnet.com/article/hacker-exposes-thousands-of-insecure-desktops-that-anyone-can-remotely-view/