Tag Archives: fbi

FBI’s plea for encryption back doors based on false information

by Steve Blum

The Federal Bureau of Investigation repeatedly gave the U.S. congress and the public bad information, over a period of several months, about the problems it has cracking encrypted phones during investigations. According to a story by Devlin Barrett in the Washington Post, FBI director Christopher Wray repeatedly, and falsely, claimed that agents were locked out of almost 7,800 smartphones and other devices because of advanced encryption.

He began using the 7,800 figure last year, when he urged congress to give law enforcement back door access to encrypted devices and content…

Wray has repeated the claim about 7,800 locked phones, including in a March speech. Those remarks were echoed earlier [in May] by Attorney General Jeff Sessions.

“Last year, the FBI was unable to access investigation-related content on more than 7,700 devices — even though they had the legal authority to do so. Each of those devices was tied to a threat to the American people,” Sessions said.

Officials now admit none of those statements are true.

The real number, according to the story, is somewhere between 1,000 and 2,000. The FBI used three different databases to track phones, and “programming errors” led to the overcount.

The FBI is actually providing the best arguments against trusting government agencies – even if well intentioned – with secret keys to everyone’s encrypted content. In 2016, it warned about foreign governments “successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years”. Earlier this year, the justice department’s inspector general highlighted miscommunication within the bureau over an ultimately successful attempt to crack an Apple iPhone owned by one of the shooters who murdered 14 people at a San Bernardino county employee party in 2015. The problem, according to multiple experts who reviewed the report, came down to the FBI just being lazy, raising the question “how much of the going dark debate is the FBI simply seeking easier ways to do investigations?”

Now, it turns out it can’t even keep a couple thousand records straight in its own databases.

FBI didn’t tell the whole truth about cracking encrypted iPhone

by Steve Blum

When a pair of shooters attacked an employee party at a San Bernardino County facility in 2015, killing 14 people before being shot dead by police, one of the attackers left behind an encrypted iPhone that might or might not have had information relevant to the subsequent investigation.

Publicly, the Federal Bureau of Investigation’s solution was to force Apple to build a weakened version of its iOS operating system so law enforcement could crack not only the San Bernardino phone, but any iPhone thereafter. Privately, though, the FBI was well on the way to finding a technical solution to the problem, according to a report from the justice department’s inspector general. The report concluded that FBI director James Comey didn’t lie to a U.S. congressional panel when he said his investigators were locked out of the phone, but he also didn’t tell the whole story, apparently because he didn’t know it himself.

According to Politico’s Morning Tech newsletter, the FBI’s priority doesn’t appear to have been unlocking one particular iPhone…

The IG report “raises the question of how seriously the FBI has really been thwarted when devices are locked — and how much of the going dark debate is the FBI simply seeking easier ways to do investigations,” said Susan Landau, a Tufts University computer science professor. “The inspector general is clearly concerned that the whole of the FBI is not committed to finding technical solutions that do not involve the weakening of encryption,” added Greg Nojeim, director of the Freedom, Security and Technology Project at the Center for Democracy and Technology.

So far, both the courts and congress have held the line against the FBI and other police agencies that want a back door into any data that attracts their interest. Although law enforcement officials have legitimate needs, the idea that a back door can remain safe in their hands is ridiculous. Even the supposedly ultra-secure National Security Agency has let exploits slip into criminal hands. Anyone, good or evil, can walk in through a back door. One congressional study concluded that “any measure that weakens encryption works against the national interest”. Just so.

NSA shares blame with criminals for massive ransomware attack

by Steve Blum

Cybercriminals successfully penetrated more than 200,000 computer systems in 150 countries in a continuing attack that began late last week. The initial assault was unwittingly blocked by a security blogger who registered the domain name the malware checked before running, tripping its kill switch while he was trying to figure out what was going on. But that didn’t help systems that were already infected – the malware can still spread from computer to computer within a network – and a new version, without the kill switch, is reported to be already out and running wild.

The ransomware encrypts data on infected networks, and demands a bitcoin payment of $300 to free it up.

It did not have to happen. The ransomware exploited a flaw in Microsoft’s Windows operating system that was 1. known to the U.S. National Security Agency for years and 2. leaked into the public domain earlier this year, along with the agency’s working exploit for it. Microsoft had shipped a fix in March, two months before the outbreak, so the machines that fell were the ones that had not installed it. The episode gives the lie to the claims of the NSA, FBI and other national security and law enforcement agencies that they can be trusted to safeguard and wisely use software and encryption backdoors, as the Washington Post’s Brian Fung explains…

The NSA leak in April showed that even those vulnerabilities thought to be under control by responsible state actors can find themselves on the black market. The story of Wanna Decryptor, ultimately, is the story of nearly all weapons technology: Eventually, it will get out. And it will fall into the wrong hands.

“These attacks show that we can no longer say that vulnerabilities will only be used by the ‘good guys,’ ” said Simon Crosby, the co-founder of Bromium, a California-based computer security firm. Crosby likened the unauthorized leak of the NSA’s hacking tools to “giving nuclear weapons to common criminals.”

The NSA’s conduct was irresponsible. When it discovered the Windows flaw, it should have notified Microsoft so that the vulnerability could be fixed immediately. Instead, it kept open a backdoor into millions upon millions of computers and networks, one that would eventually have been found and used by criminals even if the agency hadn’t managed its own security so incompetently.

A known cyber threat is no threat to those who know it

by Steve Blum

Vermont municipal electric utility employees read the cyber security alert jointly published by the FBI and the federal homeland security department, and did what it suggested: checked their computers for the specific malware indicators detailed in the report. According to a press release from the City of Burlington’s Electric Department…

U.S. utilities were alerted by the Department of Homeland Security (DHS) of a malware code used in Grizzly Steppe, the name DHS has applied to a Russian campaign linked to recent hacks. We acted quickly to scan all computers in our system for the malware signature. We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems. We took immediate action to isolate the laptop and alerted federal officials of this finding.

There are three important takeaways here. First, don’t trust the first thing you hear about such events from general news outlets. The Washington Post broke the story and made it sound like the nation’s electric grid was about to come crashing down around us. Not so. It was a single, properly isolated, if perhaps improperly used, laptop. Nothing to see here. Move along.

Second, when malware or bugs are reported running around loose, check to see whether your own systems have been compromised: pull the published indicators and sweep your files and logs against them. No one is going to do it for you.

Third, and most importantly, this kind of information has to be released quickly and fully by law enforcement and security agencies as soon as they discover it. They can’t wait until it turns into an international controversy, as Russia’s cracking of Democratic Party computers did. Or until they themselves have no more use for the exploit. And they certainly can’t continue to demand that technology companies deliberately weaken products in order to make their lives easier and, in doing so, our lives less secure.

The only way to fight clandestine cyber attacks – state sponsored or not, good guys or bad – is to expose the attackers and their weapons to the full light of day.
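The second takeaway above is the one a network administrator actually has to act on: take the indicators an alert publishes (file hashes, command-and-control addresses, domains) and sweep local files and logs against them. The script below is an added example, not from the original post or from the FBI/DHS alert; every indicator, file and log line in it is constructed for illustration, using documentation IP ranges and a reserved domain so nothing in it points at a real host. It also handles two details that trip up quick-and-dirty sweeps: hashes published in mixed case, and IP indicators that are a prefix of some other address.

```python
"""Offline IOC sweep: match a published indicator list against local files
and log lines.  Added example; indicators, files and log lines are all
constructed here and are not real IOCs."""
import hashlib
import ipaddress
import os
import re
import tempfile

# Constructed indicator list in the shape an alert publishes: file hashes,
# C2 addresses and domains.  The hash is that of the "bad" file written by
# demo() below; the IP is in TEST-NET-2 and the domain uses a reserved TLD.
IOCS = {
    "sha256": {hashlib.sha256(b"constructed malicious payload").hexdigest().upper()},
    "ipv4": {"198.51.100.23"},
    "domains": {"c2.example.invalid"},
}

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_files(root, hashes):
    """Return paths under root whose SHA-256 is on the hash list.
    Comparison is case-insensitive: alerts mix upper- and lower-case hex."""
    wanted = {h.lower() for h in hashes}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if sha256_file(path) in wanted:
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip it, don't abort the sweep
    return hits

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)

def scan_logs(lines, ips, domains):
    """Return (line_no, indicator) pairs for log lines carrying a listed IP or
    domain.  IPs are parsed, so 198.51.100.230 does not match 198.51.100.23;
    domains match the listed host and any subdomain of it."""
    doms = {d.lower() for d in domains}
    hits = []
    for n, line in enumerate(lines, 1):
        for m in IP_RE.findall(line):
            try:
                if str(ipaddress.ip_address(m)) in ips:
                    hits.append((n, m))
            except ValueError:
                pass  # not a valid dotted quad (e.g. an octet > 255)
        for m in HOST_RE.findall(line):
            host = m.lower().rstrip(".")
            if host in doms or any(host.endswith("." + d) for d in doms):
                hits.append((n, host))
    return hits

def demo():
    """Build a scratch directory with one clean and one matching file, run
    both sweeps over constructed data, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "report.docx"), "wb") as f:
            f.write(b"quarterly numbers, nothing to see")
        with open(os.path.join(root, "update.exe"), "wb") as f:
            f.write(b"constructed malicious payload")
        file_hits = [os.path.basename(p) for p in scan_files(root, IOCS["sha256"])]

    # Constructed proxy log lines (not real traffic).  Line 1 carries a
    # near-miss IP; line 2 carries a listed IP and a subdomain of a listed C2.
    logs = [
        "2016-12-30T08:12:01 ALLOW 10.0.0.14 -> 198.51.100.230:443 GET www.example.com",
        "2016-12-30T08:12:07 ALLOW 10.0.0.14 -> 198.51.100.23:443 POST api.c2.example.invalid",
        "2016-12-30T08:13:55 DENY  10.0.0.22 -> 203.0.113.5:25",
    ]
    log_hits = scan_logs(logs, IOCS["ipv4"], IOCS["domains"])
    return file_hits, log_hits

if __name__ == "__main__":
    print(demo())
```

Run as-is it reports the one planted file and the two indicators on the second log line, and nothing for the near-miss address on the first. Against a real alert you would load the indicator sets from the published list and point `scan_files` at the hosts the alert names; a hit is a reason to isolate the machine and pull a forensic image, not to start cleaning it in place.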

FBI wants network administrators to tighten security, up to a point

by Steve Blum

Crackers working for the Russian government broke into the computer system of “a U.S. political party” during the last election cycle. That’s the unsurprising top line conclusion of a joint report issued by the federal homeland security department and the FBI. Two separate teams working for Russian intelligence agencies phished more than a thousand party functionaries and eventually gained access to administrator level privileges on the target system.

Beneath that top line, though, lurks a fascinating, and ironic, description of how state-sanctioned crackers can penetrate workaday IT networks maintained by corporations and government agencies, and what can be done to stop them.

It’s worth reading, although number one of the top seven list of good security practices in the report seems like a no brainer: keep your software up to date…

Patch applications and operating systems – Vulnerable applications and operating systems are the targets of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. Use best practices when updating software and patches by only downloading updates from authenticated vendor sites.

The irony lies in the fact that the FBI and other law enforcement and national security agencies not only routinely exploit such software vulnerabilities instead of quickly and publicly squashing such bugs, but also want technology companies to build back doors and weaken encryption to make that job easier.

You can’t have it both ways, as a recent congressional report pointed out (albeit with much handwringing over the need to try). Either the FBI and its fellow travellers are working 24/7 to plug security holes for everyone, or they’re playing on the same team as the Russian, Chinese and other state sponsored cyber spies who are routinely, and correctly, accused of subverting democratic processes and stomping out personal liberty at every opportunity.

Can secure data and the FBI both be in the national interest?

by Steve Blum

A bipartisan congressional review of encryption policy – particularly in regards to law enforcement access to private data – came down squarely against requiring back doors or giving master keys to cops. The top line conclusion of the study was “any measure that weakens encryption works against the national interest”. But that doesn’t mean that the encryption working group established by the house judiciary and energy and commerce committees thinks law enforcement agencies should throw up their hands and walk away.

Quite the contrary.

The working group wants congress to “foster cooperation between the law enforcement community and technology companies” where it’s possible, and facilitate legalised cracking when it’s not…

Many stakeholders argue that, rather than building new vulnerabilities into secure products to facilitate law enforcement access, law enforcement agencies should be given the resources to exploit the flaws in secure products that already exist. Several law enforcement agencies noted that legal hacking is a time- and resource-intensive approach, and limited to the subset of cases where the agency actually knows of a flaw to exploit…Other stakeholders expressed concern that a legal hacking regime creates the wrong incentives for government agencies that should be working with private companies to patch vulnerabilities and improve cybersecurity.

That’s the crux of the problem. Government can’t play both sides of the table. There’s no such thing as law enforcement-only zero day exploits – if the FBI can figure it out, so can their Russian and Chinese counterparts, and so can criminal gangs and terrorist networks, and so can that really bright guy sitting in an Internet cafe in Lagos. It’s their job to protect the public from those threats, not join the fraternity.

Either law enforcement agencies are on the side of the vast – as in damn near everyone – majority of companies and private individuals who want to squash bugs and stop exploits cold, or they’re just crackers with a pension.

Who will secure the securers?

by Steve Blum

The FBI is offering the best argument for not giving government agencies back door access to encrypted systems: those same government agencies can’t keep their own stuff locked down. According to a story on Motherboard, the FBI has put out a warning about another massive security breach

The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard.

The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM.

The FBI is playing coy about its ability to unlock iPhones, although coy isn’t quiet. The agency has briefed some members of congress on the technique used to hack into an iPhone used by the San Bernardino terrorists, but apparently won’t share that information with Apple, which would be interested in plugging the hole.

There’s a legitimate debate to be had regarding how much access government agencies – police or otherwise – should have to private information. But when it comes to building secure systems with strong encryption protections, there’s no middle ground. Either a system is as secure as humanly possible or it isn’t. The continuing hacks of government systems and leaks of secret data should be reason enough to come down on the side of engineering security for all and not chasing a mythical government-only back door.

FBI shouldn’t ask Apple for a backdoor into iPhones

by Steve Blum

No problem making a front door.

The legal standoff between the FBI and Apple over a judge’s order to write and turn over a more hackable version of the iOS operating system raises a lot of questions about civil liberties and the U.S. government’s power to 1. dive into any data it wants and 2. force private companies and individuals to help. But it also poses a question about the technical abilities of U.S. investigators.

According to an open letter signed by Apple CEO Tim Cook and posted on its website…

The U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.

Specifically, the FBI wants us to make a new version of the iPhone operating system, circumventing several important security features, and install it on an iPhone recovered during the [San Bernardino terrorism] investigation. In the wrong hands, this software — which does not exist today — would have the potential to unlock any iPhone in someone’s physical possession.

However, according to an article in the Washington Post by Bruce Schneier, Apple’s help shouldn’t be necessary…

There’s nothing preventing the FBI from writing that hacked software itself, aside from budget and manpower issues. There’s every reason to believe, in fact, that such hacked software has been written by intelligence organizations around the world. Have the Chinese, for instance, written a hacked Apple operating system that records conversations and automatically forwards them to police?…We simply have no idea who already has this capability.

Arguably, a backdoor into encrypted iPhones would be safer in Apple’s hands, given the ongoing problems the U.S. government has keeping its own data secure. But it would be safer still if a backdoor was never built.

If you like low pay and no privacy, the FBI has a deal for you

by Steve Blum

On the other hand, it’s probably easier to pass than the math test at Google.

If it seems like the federal government is losing the war for cyberspace, it might be because it is. And that’s due to a lack of talent in key positions, particularly at the Federal Bureau of Investigation. According to a federal justice department study, as reported by Reuters, the FBI launched what it called the Next Generation Cyber Initiative in 2012, which involved hiring 134 computer scientists and creating cybersecurity task forces at all of its 56 field offices.

Three years later, though, only 52 computer experts had been hired and at least five of the field offices were trying to enforce law on the cyber frontier without a fast hand on the keyboard. According to the Reuters story, it’s a problem of money and culture

Lower salaries compared to the private sector made it difficult for the FBI to hire and retain cyber experts, the Office of the Inspector General said in the report.

It also said extensive background check procedures and drug tests excluded many otherwise qualified candidates.

For example, the FBI is unable to hire anyone who is found to have used marijuana in the previous three years or any other illegal drug in the past ten years, it said.

The FBI’s response was that they would try to do better and that it’s a problem “throughout the federal government”. True enough. The recent mega hack on the federal office of personnel management exposed employment records and security clearance information – which can be amazingly intimate in detail – of more than 20 million people or, as Reuters pointed out, about 7% of the U.S. population.

The only potential good news is that the Chinese government is thought to be behind the hack. Since it doesn’t seem to have a problem recruiting techno-wizards, the stolen data is probably in secure hands. For now.