SE Labs

Posts tagged 'gchq'

The Government Encryption Enigma

Is Amber Rudd right about encryption? Jon Thompson isn’t so sure.

UK Home Secretary Amber Rudd recently claimed in an article that “real people” prefer ease of use to unbreakable security when online. She was met immediately by outrage from industry pundits, but does she have a point?

Her article is paywalled but, as reported elsewhere, Rudd asks in it, “Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?”

Rudd name-checked Khalid Masood, who used WhatsApp minutes before he drove a van into pedestrians on Westminster Bridge killing three, and then fatally stabbed a police officer outside Parliament before being shot dead. However, Masood was not part of any MI5 investigation. In fact, a week after the attack, police had to appeal for information about him. His final WhatsApp message seems to have been the first sign that he was about to strike. The recipient was entirely innocent, and knew nothing of his murderous intentions.

There are plenty of other atrocities that were planned in part via social media apps: the attacks on Paris in December 2015 and the Stockholm lorry attack, to name but two. In the UK, the new Investigatory Powers Act 2016 (IPA), which caused so much fuss last year, can compel vendors to decrypt. So, why not just use that? The answer is somewhat complicated.

The IPA makes provision for Communications Service Providers to be served with a notice that they must remove encryption from messages to assist in the execution of an interception warrant. Apart from Providers needing access to private decryption keys, reports suggest that any move to enforce this measure would meet stiff opposition, and may not even be enforceable.

Many of the most popular secure messaging apps use the Signal Protocol, developed by Open Whisper Systems. This is a non-profit organisation and lies outside the UK’s jurisdiction, so its compliance would be difficult to obtain, even if the companies using the protocol agreed to re-engineer their platforms to include backdoors, or to lower encryption standards. There are also plenty of other issues to be resolved if Rudd is to get her way.

If the government mandates weaker encryption for messaging apps in the UK, then companies will face difficult business choices and technological challenges. It boils down to a choice: they could weaken their encryption globally, or they could just weaken encryption in the UK. But what happens if you send a secure message from outside the UK to someone inside the country? Can the UK authorities read it? Can the recipient, using a lower encryption standard, decrypt it? How would international business communications work if the UK office doesn’t use the same encryption standard as a foreign parent company?

This isn’t the first time the UK government has attempted to find an answer to the problem of encryption. Back in January 2015, the then-Prime Minister David Cameron gave a speech in which he said there should be no means of communication “which we cannot read”. He was roundly criticised as “technologically illiterate” by opposition parties, and later clarified his views, saying he didn’t want to ban encryption, just have the ability to read anyone’s encrypted communications.

Authoritative voices have since waded into the argument. Lord Evans, the former head of MI5, has recently spoken out about the problems posed by strong encryption: “It’s very important that we should be seen and be a country in which people can operate securely – that’s important for our commercial interests as well as our security interests, so encryption in that context is very positive.”

Besides, if the government can decrypt all messages in the UK, won’t genuine terrorists simply set up their own “dark” services? Ten seconds on Google Search shows plenty of open source, secure chat packages they could use. If such groups are as technologically advanced as we’re led to believe, then it should be simple for them, and terrifying for the rest of us. Wouldn’t it be better to keep such groups using mainstream apps and quietly develop better tools for tracking them via their metadata?

Rudd’s argument that “real people” want ease of use over strong encryption implies that secure apps are in some way difficult to set up and require effort to maintain. The opposite is plainly true, as anyone who’s ever ‘butt dialled’ with their mobile phone can tell you.

Rudd’s argument also plays into the idea that if you have nothing to hide you have nothing to fear. While writing this piece, I accessed several dozen online information sources, from mainstream news reports of terrorist outrages to super paranoid guides for setting up secure chat services. I accessed many of these sources multiple times. I didn’t access any extremist material, but my browsing history shows a clear and persistent interest in recent atrocities perpetrated on UK soil, secure chat methods, MI5 and GCHQ surveillance methods, encryption algorithms, and so on. Joining the dots to arrive at the wrong conclusion would be a grave mistake, and yet without the wider context of this blog piece to explain myself, how would authorities know I’m not planning to be the next Khalid Masood or Darren Osborne? The answer lies in developing better tools that gather more context than just what apps you use.

Inside the CIA…

Who is behind the CIA’s hacking tools? Surprisingly ordinary geeks, it seems.

At the start of March came the first part of yet another Wikileaks document dump, this time detailing the CIA’s hacking capabilities. The world suddenly feared spooks watching them through their TVs and smartphones. It all made for great headlines.

The Agency has developed scores of interesting projects, not to mention a stash of hitherto unknown zero day vulnerabilities. The dump also gives notes on how to create well-behaved, professional malware that stands the least chance of detection, analysis and attribution to Langley. We’ve also learned some useful techniques for defeating antivirus software, which the Agency calls Personal Security Products (PSPs).

There’s also a deeper tale to tell. It’s about the personalities behind the redacted names working on these tools and techniques. They don’t seem so different from anyone else working in infosec.

User #524297 says he is a “Coffee addict, Connoisseur of International Barbecues, and Varied Malt Beverage Enthusiast.” Thanks to his comments, we know an ex-boss (nicknamed “Panty-Raider”) was considered “really odd”. Another had a large, carved wooden desk that went with him from job to job.

User #524297 also maintains a page dedicated to some interesting ideas. One is to use the OpenDNS DNSCrypt service to hide DNS requests emanating from a compromised host.

Another fun-loving User is #71473. He has a page called “List of ideas for fun and interesting ways to kill/crash a process”, which enumerates a dozen homebrew techniques and variations. Most are still at the concept stage, but under the list of uses to which they may be put, he includes “Knockover (sic) PSPs” and “Troll people”.

He also describes several proof-of-concept tools for his process crashing techniques. One is called DisorderlyShutdown, which waits a programmable amount of time (plus a random offset to make things seem natural) to select a random process to crash in the hope of leading to “data loss and gnashing of teeth”. Another is WarheadsToForeheads, which attempts to crash processes. About this tool, he says: “Considering making this an infinite enumeration to squash all user processes and make the user experience especially horrific.”

Revealingly, User #71473 also likes to hack the home pages of other Users: “Its 11:30… time to deface people’s unprotected user pages…”

User #11628962 was deeply impressed by Subramaniam and Hunt’s “Practices of an Agile Developer”, and went to great lengths to enumerate the principles behind the work for others in his group. 

Meanwhile, we learn that User #71475 loves to listen to music online and lists several streaming services and YouTube channels. He’s also an avid collector of ASCII-based emoticons. Everyone needs a hobby, right? ¯_(ツ)_/¯

Amusingly, User #20873595 is keen for people to understand that his last name does not begin with C, implying that it is in fact Hunt. There was also some debate about what User #72907’s office nickname should be. “Monster Lite” was the apparent front runner.

We also learned from the dump that some of the Users are heavily into the online card game Hearthstone, which unfriendly foreign state actors are likely now feverishly trying to hack.

The public at large has moved on, and the first of the vulnerabilities highlighted in the dump has been patched, but the industrious CIA hackers who originally found them are still beavering away, creating new tools to replace the old ones, finding new zero-days, thinking up new nicknames, trolling each other, and of course playing Hearthstone.

Trump’s Cybersecurity Policy

What does a Trump presidency mean for global cybersecurity?

Washington is nervous. No one knows if President Trump understands cybersecurity, or whether he’ll listen to those who do.

Some pundits are already suggesting that his first 100 days in office will include a cyber emergency.

How he responds is crucial, but his comments so far have instilled little confidence.

“Cyber is becoming so big today, it’s becoming something that a number of years ago, a short number of years ago wasn’t even a word.”

“We have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable.”

To be fair, Trump’s campaign site does say that he’ll order a review of “all U.S. cyber defences and vulnerabilities” by a specially assembled Cyber Review Team formed from “the military, law enforcement and the private sector”.

But Washington needs to know if he will implement or even believe the Cyber Review Team’s recommendations. After all, this is the man who, when experts discovered Russian-backed groups attacking the Democratic National Committee, said:

“I don’t think anybody knows it was Russia that broke into the DNC. She’s saying Russia, Russia, Russia, but I don’t — maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK?”

According to The Washington Post, a sense of dread is descending on the US intelligence community. Former CIA director Michael Hayden summed up the mood:

“I cannot remember another president-elect who has been so dismissive of intelligence received during a campaign or so suspicious of the quality and honesty of the intelligence he was about to receive.”

Trump’s policy also places an onus on deterring attacks by state and non-state actors, and he has a particular thing about China’s hackers. He seems openly irritated by the country’s refusal to observe intellectual property law. His plan here is to:

“Enforce stronger protections against Chinese hackers … and our responses to Chinese theft will be swift, robust, and unequivocal.”

By this logic, it’s apparently difficult to attribute an attack when it’s Russia, but not when it’s China. This kind of thinking will need to change or it could damage superpower relationships at a uniquely dangerous point in world history.

Part of the danger is that a sufficiently irked President could order a pre-emptive cyber-strike against China to show everyone who’s boss. How will he pick the right target if he doesn’t listen to his advisors? China’s a very big place, and what looks like state-sponsored hacking to some might in fact turn out to be private enterprise. Such actions could be taken as an act of war, and even a limited cyberwar could leave swathes of the internet useless until rebuilt.

Trump also famously likes to abandon the script and simply ad lib during speeches, but national security depends on secrecy. Will he blurt out something in a speech that gives an enemy state a clue about America’s capabilities or, even worse, her vulnerabilities?

Trump’s view that “torture works” could also irreparably damage the relationship between GCHQ and the NSA. Torture is a no-no for the UK. The Cheltenham Doughnut is expressly forbidden from sharing intelligence with countries that openly engage in torture.

A change in policy by the US would further compromise the flow of intelligence already put at risk by Brexit. The Open Rights Group also believes that Trump will exert a great deal of influence over the UK’s intelligence community.

Retaining skilled infosec talent from abroad is also about to become more of a problem for US companies, because Trump plans a crackdown on H-1B work visas. Taking up the slack means boosting cybersecurity degree courses, but any increase in trained manpower will take time to trickle through. In the meantime, who will fill the skills gap?

Ultimately, Trump is going to have to stop threatening and promising things he can’t deliver, and start listening to his advisors. To do so, he must leave his preconceptions at the door to the Oval Office and think calmly and clearly before acting. Whether that will happen is anyone’s guess, but it’s not hyperbole to suggest that a huge amount depends on it.
