Tag Archives: Going Dark

Security News for the Week Ending February 19, 2021

Parler is Back Online

After a month offline following its removal from Amazon's hosting, Parler is back online. Existing accounts can log in now; new accounts can be created next week. The company has a new interim CEO after the board fired the last one. It does not appear that old content was moved over to the new platform. Apple and Google have not restored Parler’s apps, and there are lawsuits and Congressional investigations, so they are not completely out of the woods yet. It remains to be seen what their content moderation strategy will be. Their notice says that they don’t moderate and then proceeds to describe all the content moderation they are doing – likely to try and stay out of jail. Credit: MSN

Even Though the FBI Complains About Going Dark, It Unlocks Phones

While the FBI will never be happy until we return to the 1990s when there was no encryption, court documents show that the FBI can get into iPhones that have been unlocked once since power-up (which is the state a phone is in 99.99% of the time) and can even read Signal messages. Likely using tools such as GrayKey and Cellebrite, they can extract data from many encrypted phones. Credit: Hackread

Certification Labs UL Hit By Ransomware

Underwriters Labs, the safety certification organization – which also offers a cybersecurity certification – has apparently been hit by a ransomware attack that forced them to shut down their IT systems. Attempts to connect to the MyUL.Com portal return a ‘can’t reach this page’ error message. They have been down for a week so far and have decided not to pay the ransom. This shows how long it takes to recover from ransomware, even for a big company. Credit: Bleeping Computer

Microsoft Says SolarWinds Hackers Stole Some Source Code

Microsoft now admits that the SolarWinds hackers were able to download some of its source code, including parts of the code for Intune, Exchange and Azure. While this is not complete code for anything, any code that makes it onto the dark web will make it easier for hackers to figure out how to attack Microsoft users in the future. Credit: ZDNet

John Deere Promised Right to Repair But Didn’t Quite Do That

In 2018 John Deere lobbyists successfully killed a number of state legislative bills that would have allowed farmers to repair their own tractors and heavy equipment. In exchange, Deere pinky-promised to make the software and manuals available in three years. That would be January 1 of this year. Apparently, Deere, while successful at killing the bills, has not lived up to its end of the bargain, and some of the state legislators are not terribly happy. Expect at least some states to introduce new “right to repair” bills this year. What is unknown is how broad these bills will be. Will they just allow a farmer to repair his or her tractor, or will they also allow iPhone users to repair their phones? Credit: Vice

How The Law Decrypts Your Phone’s Encryption

Law enforcement agencies around the world have been whining about the “going dark” problem at least since the early 1990s, when they tried really hard to put Phil Zimmermann in jail for creating encryption that mere mortals could use. There is no question that bad folks use encryption to hide stuff, but good folks also do, and it is going to be impossible to create a master key that will only be used by the good guys for good. Not going to happen.

So that leaves the police with the option of hacking your phone, which is far less impossible than they often claim.

Johns Hopkins cryptographer Matthew Green led a team of experts that tore apart the phones' security to see what they could find.

They looked at available documentation and also did some hacking. They also reviewed all of the existing news that they could find about what the cops have done in the past to break in.

Green thought, going in, that security on Apple and Google phones was pretty good, but coming out he realized that almost nothing is protected as well as it could be.

The researchers figured that it would be really difficult to steal any of the many levels of encryption keys that iPhones use, but that turns out not to be the case.

If your iPhone was powered off and someone turned it on, the security would be pretty good – what Apple calls “Complete Protection”. But as soon as you unlock it for the first time, you move from “Complete Protection” to “Protected Until First User Authentication”. That is likely the state your phone is in 99.99% of the time.

The major difference between these two states is that after the first unlock, many of the keys are available in memory. At this point, if someone can exploit your phone, grabbing those keys and decrypting the data they protect is easy.

This is likely how all forensic tools like Cellebrite and Grayshift work.

Android works very similarly, except that where Apple gives apps a way to keep small pieces of data, such as a banking password, more strongly protected even after the first unlock, Android has no equivalent feature. That means tools like Grayshift's can grab more data from an Android phone once you have logged in.
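The two protection states described above, seen from the app developer's side, as an added example (not code from the post or from Green's team): a file lands in the weaker default class unless the app requests Complete Protection, and a keychain item can be restricted to the unlocked state. The helper names are mine, and the file attribute is only enforced on a physical device.

```swift
import Foundation
import Security

/// Writes `secret` to the app's Documents directory. Unless the app asks
/// otherwise, files land in the class the article calls "Protected Until
/// First User Authentication", whose key stays in memory after the first
/// unlock. `.completeFileProtection` requests "Complete Protection" instead,
/// so the key is evicted shortly after the device locks.
/// Hypothetical helper, not Apple API; returns the class that was applied.
func writeSecretFile(_ secret: Data, named name: String,
                     strong: Bool) throws -> FileProtectionType? {
    let dir = try FileManager.default.url(for: .documentDirectory,
                                          in: .userDomainMask,
                                          appropriateFor: nil, create: true)
    let url = dir.appendingPathComponent(name)
    var options: Data.WritingOptions = [.atomic]
    if strong { options.insert(.completeFileProtection) }
    try secret.write(to: url, options: options)
    // Read the class back so the caller can confirm the request took effect.
    // The simulator does not enforce the attribute; check on a real device.
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    if let applied = attrs[.protectionKey] as? FileProtectionType { return applied }
    return (attrs[.protectionKey] as? String).map(FileProtectionType.init(rawValue:))
}

/// Stores the same kind of small secret (the article's banking password) in
/// the keychain, readable only while this device is unlocked. The weaker
/// alternative, kSecAttrAccessibleAfterFirstUnlock, is what a background
/// token would use and is what remains reachable after the first unlock.
/// Hypothetical helper, not Apple API; returns errSecSuccess on success.
func storeKeychainSecret(_ secret: Data, account: String) -> OSStatus {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
    ]
    _ = SecItemDelete(lookup as CFDictionary)  // replace any earlier copy
    var item = lookup
    item[kSecValueData as String] = secret
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(item as CFDictionary, nil)
}
```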

Android also suffers from fragmentation: dozens of manufacturers, hundreds of models, and many users whose phones have not seen an upgrade or a patch in years.

When the researchers explained what they had done to the folks at Apple, Apple basically said that they were concerned with protecting your stuff against street thieves, not well-funded attackers, and that they chose user convenience over security (my words). From a marketing standpoint that makes sense, but they don’t really tell people that up front.

Google, like Apple, said these attacks require physical access (like what might happen when you cross the border and the customs officer says “papers please” and “phone please”). They said it also requires the attacker to know about bugs that have not been patched. Google said that you can expect to see additional hardening in the next release of Android.

If you think it is only the FBI or NSA that buys Cellebrite and similar tools, you are very wrong. Researchers found nearly 50,000 examples of police in all 50 states using these tools between 2015 and 2019, and that was just what they were able to uncover. Law enforcement has not exactly volunteered that they can hack your phone at the push of a button.

Given this, you might wonder why the police are complaining about going dark. I think it is because they can’t just snoop on anything, any time, anywhere, including over the air, and unless they can do that, they will complain. Credit: Wired

Going Dark – Maybe It Isn’t the Biggest Problem

OPINION

Law enforcement in general, and the FBI in particular, have been talking about the “going dark” problem caused by encryption on phones. Except, maybe, that isn’t the biggest problem that law enforcement is facing.

The Center for Strategic and International Studies just released a study based on interviews with law enforcement from across the country. What did they discover?

  • A quarter of respondents cited a lack of guidance from tech companies and difficulty convincing them to turn over data.
  • Law enforcement officers said that they received barely any training in digital evidence. Local police received an average of 10 hours of training a year (about one day). State police received 13 hours and federal law enforcement received 16 hours a year. Only 16 percent of the officers said that they received training more than once a year. That seems to be a tad of a problem. If you ask people to deal with digital evidence and then don’t train them, do you really think they will be able to do their job?
  • 19 percent said that not being able to access data on a device was their biggest issue. That is only 1 out of 5 law enforcement professionals who think that is the biggest problem.
  • 30 percent said their biggest issue was not knowing which company had the data that they needed for their investigation. Much of that data is not encrypted, or the service providers hold the encryption keys.
  • The National Domestic Communications Assistance Center (NDCAC) is charged with assisting state and local law enforcement. They have a whopping $11 million budget. To cover the entire nation. For a whole year.

We saw that with the San Bernardino killer iPhone situation. The FBI went all crazy on Apple, but Apple said that the FBI never reached out to them for help until they had made enough mistakes that Apple couldn’t help them. Apple said that if the FBI had contacted them sooner, and had not shut down the WiFi in the killers’ apartment, Apple would have been able to retrieve the data.

That doesn’t mean that encryption doesn’t present problems, but if you only give cops 10-16 hours of training a year and only give the one organization that is supposed to help them a budget of $11 million, you can’t really expect very good outcomes. And you don’t get them.

Try the simple stuff first. After that’s handled we can talk about inserting backdoors. IF we even need to.

Source: Politico and Schneier on Security.

FBI Can Unlock Most Devices That It Receives

FBI Director Comey has talked a lot about the “going dark” problem but we now have some statistics on the problem.

So far this fiscal year, the FBI has received 6,814 devices – phones or computers – to examine forensically.

Of those devices, only 2,095 had any form of password on them. That means that roughly 70 percent of the devices that bad guys used did not have a password. If you assume that this statistic mirrors the general population – and it may not – then only 30 percent of people protect their devices with a password.

Of the 2,095 devices that were password protected, the Feds were able to get into 1,210. They do not say what techniques they used to get into those devices.

This means that out of almost 7,000 devices, the cops could not read about 880 of them. Said differently, the Feds were able to get into 87 percent of the devices that they were asked to evaluate.

These stats don’t include devices that local police receive and don’t turn over to the Feds. This means that the 13 percent number – of devices that they cannot get into – may be high, because there may be a number of devices that local police receive that they can easily get into and therefore don’t ask the Feds for help with.

It also may include devices that are damaged. For example, if a device is broken during an arrest, such as a bad guy intentionally throwing a device off a building or into oncoming traffic – which probably is not that uncommon in a case where the bad guys think the phone contains evidence – it would be counted in the “we couldn’t get into that device” bucket. How many devices fall into that category is unknown. So while that is part of the going dark problem, it is not because of encryption.

Still, 13 percent is the most definitive number we have seen so far.

What we don’t have any numbers for is how many of those 6,800 devices contained any useful evidence of a crime.

From the Feds’ perspective, they want to be able to get into every device. They are used to the days of executing a search warrant for papers, where, in almost every case, they are able to examine almost 100 percent of the information they are interested in.

In response, the FBI said that 13 percent is significant and, in their defense, it likely is significant. But it is far from an epidemic, at least at this point.

What is unclear is whether there was any evidence on those 880 phones, or whether the inability to get into those phones made any difference in the prosecution or non-prosecution of those cases. From a bad guy’s perspective, they likely have little incentive to unlock a phone even if there is nothing on it. Their attorney would likely tell them that there could be something on the device that could be used against them, so don’t cooperate. This is the digital equivalent of challenging a search warrant, but in this case control is in the hands of the bad guy rather than in the hands of a judge, and the Feds likely don’t appreciate that fact.

At least, for the first time, we have some information about the problem.

Information for this post came from Motherboard.