Tag Archives: MI5

“Bypassing” Encryption is the same as “Breaking” Encryption

According to the Vault 7 WikiLeaks data the CIA made phone malware that can read your private chats without breaking encryption.

Anyone with half a clue always knew that the best way to subvert encryption was to bypass encryption as we at TMG Corporate Services have always done. From our blog post Am I Being Surveilled? on 29th March 2016:

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra low light wifi enabled pin-hole snake camera in the right spot. One above the driver and passenger seat belt brackets in a private vehicle is a good location (easy access to and plenty of space behind the plastic covering the B pillar to store the bits).

Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on. Most people rest the handset on their lap while typing stationary in traffic or better still upright and in front or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke by keystroke view of their typing activities.

Most successful hacks are low tech

Today I have seen a bunch of publications and experts trying to assure people that this is nothing to worry about. The purity of encryption is in tact. It is an academic point.

If you are in the business of handling sensitive data then don’t use your cell phone to transmit it. It’s that simple.

* In the hours since the documents were made available by WikiLeaks, a misconception was developed, making people believe the CIA “cracked” the encryption used by popular secure messaging software including Signal and WhatsApp.

WikiLeaks asserted that: “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloakman by hacking the “smart” phones that they run on and collecting audio and message traffic before encryption is applied.”

This statement by WikiLeaks made most people think that the encryption used by end-to-end encrypted messaging clients such as Signal and WhatsApp has been broken. No, it hasn’t. Instead, the CIA has tools to gain access to entire phones, which would of course “bypass” encrypted messaging apps because it fails all other security systems virtually on the phone, granting total remote access to the agency.

The WikiLeaks documents do not show any attack particular against Signal or WhatsApp, but rather the agency hijacks the entire phone and listens in before the applications encrypt and transmit information.

It’s like you are sitting in a train next to the target and reading his 2-way text conversation on his phone or laptop while he’s still typing, this doesn’t mean that the security of the app the target is using has any issue.

In that case, it also doesn’t matter if the messages were encrypted in transit if you are already watching everything that happens on the device before any security measure comes into play.

But this also doesn’t mean that this makes the issue lighter, as noted by NSA whistleblower Edward Snowden, “This incorrectly implies CIA hacked these apps/encryption. But the docs show iOS/Android are what got hacked—a much bigger problem.”

* From The Hacker News

ENDS

“All uR devICE r belong 2 US”, Vault 7, Weeping Angel, the CIA & Your Samsung TV

CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA’s DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA.

The attack against Samsung smart TVs was developed in cooperation with the United Kingdom’s MI5/BTSS.

The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.

The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell’s 1984, but “Weeping Angel”, developed by the CIA’s Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is it’s most emblematic realization.

After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on.

In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

ENDS

Extracted entirely from Vault 7: CIA Hacking Tools Revealed

Silencing the Canary & The Key Powers & Reach of The IPA

Please Note: This post is not an advertisement for or an endorsement of ProtonMail 

The Investigatory Powers Bill (IPB) was approved by the UK Parliament and after receiving Royal Assent this week will become The Investigatory Powers Act (IPA) coming into force in 2017. The law gives broad new powers to the UK’s intelligence agencies (GCHQ, MI5, MI6) and law enforcement.

In theory, companies offering encryption services, that are not based in the UK, do not fall under the jurisdiction of the IPA – but that is not actually the reality. Strong encryption isn’t just important for privacy, but also key to providing security in the digital age.

Laws like the IPA pose an unprecedented threat to democracy, and are strikingly similar to surveillance laws from totalitarian states but there are tools today that can help protect your digital rights.

Below is a short summary of the most relevant points of the IPA which was written by ProtonMail, a Swiss based firm that offers encrypted email services. The key powers of the Investigatory Powers Act are:

(Start of ProtonMail Summary – Paraphrased)

Retention of Internet browsing records for 1 year

This is in our opinion the worst part of the law. Imagine your browsing history for the entire past year accessible to the government or police without a warrant. This would allow the construction of detailed profiles on every citizen, and categorization based on political views, personal beliefs, and much more. All UK communication service providers (so Internet providers, phone companies, email providers, etc), will be required to retain 1 year of your internet connection records in a central database. This database includes what sites you visited, when you visited the site, for how long, who you called, who you emailed, etc. All of this data will be stored in a central database accessible to the government and law enforcement. More troubling is that no warrant or judicial oversight is required to gain access to this database, the police will have sole discretion to decide when they need to access this database.

Bulk collection of communications data

British communications providers will be required by law to assist in intercepting communications data in relation to an investigation. So far, foreign companies are not required to comply, but as we will discuss below, there are some caveats to this.

Breaking Encryption

Communication providers will be mandated by law to remove encryption whenever it is “practical”. The law is particularly dangerous because it doesn’t well define what is the meaning of “practical”, which means this can be subject to the government’s interpretation.

Enforcement of gag orders

When a communications provider receives a request for data, it is not permitted to reveal that the request took place. Under the IPA, it is now a criminal offense for either the communications provider, or somebody working for the provider, to reveal a data request. Thus, if the powers of the IPA are abused, a whistleblower would be committing a criminal offense by revealing the abuse.

Impact of the IPA outside of the UK

In theory, the IPA only applies to UK companies, but today with the rise of large multinational tech companies, even non-UK companies can be pressured to comply if they have a significant UK presence and employees in the UK.

Since any such requests will happen behind the scenes, we will never know if foreign companies do comply with the IPA. Since the UK is a member of the Five Eyes network, along with the USA, Canada, Australia, and New Zealand, the intelligence scooped up by the IPA will also be shared with US intelligence so UK residents could find their private data being shared beyond UK borders.

Encrypted email accounts can protect your email communications from being intercepted or read by government agencies. The rest of your online activities can also be protected. In particular, using VPN services that don’t have a physical presence in the UK, and also using apps like Signal for text messaging, or Tresorit for file sharing.

Most importantly, everyone needs to spread the word that more surveillance and less encryption isn’t the solution to today’s security challenges.

(End of ProtonMail Summary)

Silencing the Canary 

A warrant canary is a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received. The canary is a reference to the canaries used to provide warnings in coal mines, which would become sick before miners from carbon monoxide poisoning, warning of the danger.

Once a service provider does receive legal process, the speech prohibition goes into place, and the canary statement is removed. Warrant canaries are often provided in conjunction with a transparency report, listing the process the service provider can publicly say it received over the course of a particular time period.

A company might issue a semi-annual transparency report, stating that it had not received any national security letters in the six month period. NSLs under the Patriot Act come with a gag, which purports to prevent the recipient from saying it has received one. (While a federal court has ruled that the NSL gags are unconstitutional, that order is currently stayed pending the government’s appeal). When the company who is in receipt of an NSL issues a subsequent transparency report without that statement, the reader may infer from the silence that the company has now received an NSL.

The IPA has a different approach to this Silencing the Canary: the lawfulness of the U.K. Investigatory Powers Bill’s secrecy provisions under the ECHR .

END