
Security News for the Week Ending September 10, 2021

Signal Provides Customer IP Address to Swiss Police

While police all over the world complain about the universe going dark on them, that is only true to an extent. Proton maintains no logs, but it can capture data in real time. In this case it received an order from the Swiss Federal Department of Justice, which it complied with. I don’t have a lot of heartburn over this. If people break the law, they should assume that cloud providers will not ignore that fact and pretend everything is okay. Note that Proton cannot provide any message content in this case, so really it is a person’s IP address that was exposed. Smart crooks might access their mail via changing VPNs or Tor, but apparently, in this case, they were not smart enough to do that. One positive thing is that the suspects were required to be notified of the data being turned over, unlike in most countries. Credit: Proton Reddit

McDonald’s in El Salvador (and Everyone Else) Now Accepts Bitcoin

El Salvador’s Bitcoin law went into effect this week, requiring all businesses and government agencies to accept Bitcoin. Of course everyone now needs to figure out how to do that. For large companies that can afford to spend millions, it can be done, even if it is clunky. For small businesses, that is a different story. None of that protects any company from the huge swings in Bitcoin’s price. In one direction, the company is okay; in the other, not so much. We shall see if this is a trend, but I doubt it. Tesla was accepting Bitcoin for cars, but stopped after realizing that it might sell a car for $30,000 but only recover $20,000 when it cashed in the Bitcoin. Credit: Vice

Corporate Execs Fear That SEC Investigation Will Uncover Other Breaches They “Forgot” to Report

As the SEC investigates the reach of the SolarWinds attack, it is asking companies to turn over “any other” data breach or ransomware attack information since the start of the SolarWinds attack in 2019. This will likely turn over rocks that companies would prefer remain right side up. Companies could lie and say they don’t have anything, but if a whistleblower informs the SEC of the truth, or the SEC figures out the truth by itself, those companies have really big problems. A consultant working with some of these companies says that “most” companies have had unreported breaches and they don’t know how the SEC might deal with that. The SEC said that companies would not be penalized if they shared data about the SolarWinds attack voluntarily, but it didn’t say it would give companies amnesty for other breaches that they should have reported. Credit: Reuters

WhatsApp Promises End to End Encrypted Backups on iCloud

Apple’s backups on iCloud are readable by Apple, and that fact has allowed Apple to turn over data to police and was the core of the Apple spying service that they recently postponed. Facebook (WhatsApp) says that it is about to roll out end to end encrypted WhatsApp backups to iCloud for iPhone users and Google Drive for Android users. Assuming they are correct, this is the first time that someone has offered fully encrypted backups for two billion users. Credit: The Register

Encryption – The Devil Is In The Details – Listen Up Whatsapp and iMessage

Jonathan Zdziarski wrote about an implementation challenge for the security conscious among us. While WhatsApp does delete a message when you tell it to, it leaves artifacts behind. WhatsApp and other phone apps use the SQLite database. SQLite, likely to reduce wear on your phone’s storage, doesn’t actually delete the message, but rather just marks it deleted. If you create more new messages after you delete old ones, the old messages may be overwritten in the database, but then again, may not, at the whim of how the database works.

Worse yet, on an iPhone, that database is backed up to the cloud, which as we all know, Apple will turn over to law enforcement if asked.

The question for me then became: but I thought they were doing end to end encryption. Well, the answer APPEARS to be, kind of, sort of. It is end to end in the sense that from the sender to the recipient it is encrypted, but it appears that locally it is not stored encrypted. This means that anyone who has access to your phone or your iCloud backup may be able to read your messages, deleted or not.

Maybe you want to use iMessage instead. Turns out it has the same problem. The iMessage database is copied to the cloud, and to your PC if you back up your phone to your PC. Even if you encrypt that PC backup, a weak password can be easily cracked with tools available to hackers and others.

Curiously, according to Jonathan, Signal, the free chat and call app designed by famed hacker Moxie Marlinspike and others, leaves almost no forensic traces behind. This is due to design choices they made.

What can you do?

If you use iTunes backup, use a long, complex password and do not store the password in the keychain or on the PC; otherwise it could be recovered using forensics tools.

Disable iCloud backups, as iCloud does not honor your backup password. Nice, huh?

Really, the only effective way is to periodically uninstall the app, as this deletes the database. Then you can reinstall it. Sounds like a bit of a pain.

Alternatively, you can use Signal. It works just as well and leaves almost no artifacts.

BUT, and it is a big but, both sender and recipient have to use Signal in order for it to do its magic. Signal will send a regular SMS message if the person at the other end is not a Signal user and won’t tell you that it is not secure. SMS messages are not encrypted.

For the developers in the crowd, Jonathan does suggest several ways for developers to fix this problem in their app. It really isn’t hard; it just requires some advance planning.
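The "marked deleted, not actually gone" behaviour described above, and one developer-side fix, can be checked directly. The following is an added example written for this post; it is not code from Jonathan Zdziarski’s blog, from WhatsApp or from Signal, and the page does not say which fixes Jonathan proposed, so the two remedies shown here (SQLite’s standard PRAGMA secure_delete, and VACUUM) are this example’s own choice. The table layout, file name and message text are constructed. The script creates a small chat database, deletes one message, and then scans the raw file bytes the way a forensic tool would, once with SQLite’s default delete, once with secure_delete turned on, and once after a VACUUM:

```python
"""Added example: show that a deleted SQLite row can still be carved out of
the raw database file, and show two standard SQLite remedies a developer can
apply (PRAGMA secure_delete and VACUUM). Table layout and text are constructed."""
import os
import sqlite3
import tempfile

# Constructed sample text; distinctive so it is easy to spot in the raw file.
SECRET = "constructed-sample-message-the-user-thinks-is-gone"
OTHER_ROWS = ["hello", "see you at 6", "goodbye"]


def build_chat_db(path, secure_delete):
    """Create a tiny chat database and return an autocommit connection."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    conn.execute("PRAGMA journal_mode=DELETE")          # rollback journal, removed on commit
    # secure_delete=ON makes SQLite zero freed cells at delete time;
    # OFF is the usual default, where freed cells keep their old bytes.
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    rows = [(OTHER_ROWS[0],), (SECRET,), (OTHER_ROWS[1],), (OTHER_ROWS[2],)]
    conn.executemany("INSERT INTO messages (body) VALUES (?)", rows)
    return conn


def raw_file_contains(path, text):
    """Forensic-style check: search the file bytes, ignoring the SQL schema."""
    with open(path, "rb") as f:
        return text.encode("utf-8") in f.read()


def residue_after_delete(secure_delete=False, vacuum=False):
    """Delete the secret row, then report whether its text survives on disk.

    secure_delete=True -> freed cell is overwritten with zeros when deleted.
    vacuum=True        -> VACUUM rebuilds the file, dropping freed slack space.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat.db")
        conn = build_chat_db(path, secure_delete)
        conn.execute("DELETE FROM messages WHERE body = ?", (SECRET,))
        # The app's own query says the message is gone...
        left = conn.execute("SELECT COUNT(*) FROM messages WHERE body = ?",
                            (SECRET,)).fetchone()[0]
        assert left == 0
        if vacuum:
            conn.execute("VACUUM")
        conn.close()
        # ...but the file may still carry it.
        return raw_file_contains(path, SECRET)


if __name__ == "__main__":
    print("default delete, text still on disk:  ", residue_after_delete())
    print("secure_delete=ON, text still on disk:", residue_after_delete(secure_delete=True))
    print("delete then VACUUM, text still on disk:", residue_after_delete(vacuum=True))
```

The first call returns True: the row is invisible to SQL but its bytes sit in a freed slot inside the page, which is exactly what ends up in a phone backup. Turning on secure_delete for the connection fixes this for future deletes; VACUUM cleans up what is already there, at the cost of rewriting the whole file. Neither helps against a copy of the database that was backed up before the cleanup ran, which is why the backup advice above still matters.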

Just some food for thought.

Information for this post came from Jonathan Zdziarski’s blog.