The Challenge Of Encryption Backdoors

In the wake of the recent London Bridge terrorist attack using a truck as a weapon, British Prime Minister Theresa May has renewed her desire for software vendors to provide her with an encryption backdoor so that British law enforcement can look at messages from iPhones and Facebook’s WhatsApp, among other software.

In the U.S., some law enforcement officials, most notably the FBI, have asked for similar backdoors, while the U.S. spy agencies – the NSA and CIA – have said that would be a really bad idea.

This past week we had a real world example of why giving any government what is referred to as a “golden key” would be a bad idea.

A hacker attempted to hack into British Members of Parliament’s email using a brute force attack (just keep trying passwords until something works).  The British Parliament IT folks detected this attempt and solved the problem by turning off Parliament’s email servers – sort of a self-inflicted denial of service attack.  This, they claimed, was part of “robust measures” to protect their accounts and systems.

The mistake they made, apparently, was turning the servers back on.

Now they are saying that some number – they say less than 1% but they are still looking – of the accounts on the Parliament email server were compromised.

They blamed the users’ poor choice of passwords.  Likely true, but blaming the user won’t get you many brownie points.

That brute force attack came just days after reports surfaced of Russians selling MPs’ credentials stolen from other breaches – working on the assumption, I guess, that people reuse passwords.  Which, of course, they do.

Apparently their systems did not have very robust protections against simple brute force hacking:  they did not require users to change their passwords in light of the Russian report, they did not force users to choose secure passwords and they did not implement what is becoming the new norm, two-factor authentication.

But they want us to trust them to be able to protect a golden encryption key.  What makes you think that if they cannot protect an email server, they can protect what is likely a much more coveted target – a golden encryption key?

On this side of the pond, both the NSA and CIA – organizations that rightfully pride themselves on being among the most security conscious organizations in the world – continue to be the source of leaked hacking tools.

The CIA continues to be embarrassed by WikiLeaks’ disclosure of more and more hacking tools as part of what they are calling Vault 7, and the NSA has to deal with the likes of Edward Snowden and Hal Martin, both Booz Allen contractors to the NSA who stole massive amounts of highly sensitive data from the Agency.  In Martin’s case, they are saying it amounts to tens of terabytes of highly classified information.

But, we should trust these folks – and the much lower echelon folks such as city police departments – with golden encryption keys.

I am not beating them up.  If one person knows something, it is a secret.  As soon as two people know it, it is not a secret any more.

In the case of encryption keys, reality says that it will be tens, hundreds or thousands of people, whether government employees or vendors to the government, like Booz, that will have to know these keys.  It is just hard to do and those keys will be HIGHLY prized by hackers.

If one of these keys is compromised, what do you do then?  There is likely NO WAY to undo the damage of compromising any communications that were protected using those compromised keys.  No way at all.  You just can’t get that genie back in the bottle again.  You might be able to change the key, but that would require updating every copy of the software anywhere in the world – not a simple task.

This is all in the name of what some people call the “Going Dark” problem – of people using encryption.

At the same time the NSA built a data center – over one million square feet – near Bluffdale, Utah.  Forbes estimates that it will have a storage capacity of between 3 and 12 exabytes of data in the short term.  Of course, the real number is classified, so do not expect the NSA to confirm or deny that number.  And that capacity, whatever it is, will only grow over time.

An exabyte is 1,000,000,000,000,000,000 bytes of data.  A somewhat large number.

Even with that massive capacity, reports are that the NSA can only store what it currently collects for a few days, quickly filtering what it wants to keep while trashing the rest.

It is, as they say, an interesting problem.  One which I am sure that politicians – and likely NOT computer security folks – will try to solve by passing a law.

Stay tuned;  this has just begun.

Information for this post came from Bleeping Computer.


Snooping On You Is OK; On Me, Not So Much

Apparently some British Members of Parliament (MPs) are not terribly happy today.  It came to light by way of some more leaked documents from Edward Snowden that GCHQ – the British equivalent of the CIA – has been reading the emails of Members of Parliament for years.

Given that Parliament is in the middle of debating a bill that is affectionately called the Snoopers’ Charter (by those who don’t like it) that gives GCHQ even more power to snoop, it appears a bit disingenuous to complain about GCHQ snooping.

The best I can tell, they think it is OK to snoop on everyone else, just not them.

Here is the back story.

The UK government migrated to Office 365 in 2014, which means that all those documents and emails are stored in Microsoft data centers – in Ireland and the Netherlands.  Since they are no longer INSIDE Britain, GCHQ legally can suck up all that data on those undersea fibers leaving Britain and check out things.  The sender, recipient and subject are considered metadata, which has an even lower bar for snooping, so at least that data can be hoovered up.

According to ComputerWeekly, over 60% of the emails are routed internationally and EVERY ONE of those contained evidence of passing through computers connected to GCHQ.  If there really is evidence of GCHQ hoovering, those folks need to go back to spy school.  When NSA does that, there is no evidence left behind.

In addition, the emails are scanned for malware and spam by MessageLabs, which looks inside all the emails, so there is another place to get all the content.

GCHQ has, according to the Snowden documents, a program called Haruspex which allows them to scan emails on the basis of national security – exactly what the Snoopers’ Charter aims to make even more invasive.

The NSA reads those emails, too, based on ‘obligations’ it forces on Microsoft.

The Parliament’s IT dude, Rob Greig, told the IBTimes that “All Parliamentary emails are private and are strongly encrypted end-to-end whilst they are in our infrastructure.”  I guess Rob needs to pay more attention to the news.  SSL, which is what he is calling encryption, was broken by the agencies years ago.

Some British MPs thought the “Wilson Doctrine”, an antique policy from the 1960s to stop people from listening in to MPs’ phone calls, still applies.  They should also be reading the news.  Last year, the Investigatory Powers Tribunal said that the Wilson Doctrine was not “absolute”, meaning the spies were fine to ignore it.  In fact, they went so far as to say that it was never absolute.  So there!

Apparently, the Home Office, which has been pushing to get the Snoopers’ Charter passed through Parliament, has been getting some flak and is about to offer some amendments to the bill while defending the need for it.

In light of this revelation, they may need to make some more concessions – stay tuned.

Things get much more personal when it is my ox that gets gored.

Of course, all of this snooping is done without the approval of, or even informing, Parliament – which makes them even more upset.  Maybe they now understand how the rest of the country feels.

Personally, I just call it karma.  And, as we know, karma can be a B**ch.

Stay tuned to see where this ends up.

Information for this post came from the IB Times.