British signals intelligence agency Government Communications Headquarters (GCHQ) can crack end-to-end encrypted messages sent using WhatsApp and Signal, according to Australian attorney-general George Brandis.

Brandis made the claim speaking to the Australian Broadcasting Corporation's AM program, on the occasion of Australia announcing it would adopt laws mirroring the UK's Investigatory Powers Act. Brandis said the proposed law will place an obligation on device manufacturers and service providers to provide appropriate assistance to intelligence and law enforcement on a warranted basis where it is necessary to interdict or in the case of a crime that may have been committed.

Asked how Australia's proposed regime would allow local authorities to read messages sent with either WhatsApp or Signal, Brandis said Last Wednesday I met with the chief cryptographer at GCHQ ... And he assured me that this was feasible.

Brandis is infamous for being unable to articulate an accurate or comprehensible definition of metadata when asked to do so during a live television interview, so his understanding of cryptographic concerns cannot be trusted without qualification, which The Register is seeking.

But there's no doubt about the intent of Australia's proposed laws, as Brandis later said in a joint appearance with prime minister Malcolm Turnbull that Australia's law enforcement agencies want access to encrypted traffic for three reasons.

The first is that Brandis says Australia already has mechanisms to allow law enforcement authorities to intercept electronic communications. Extending that power to encrypted traffic just brings that power up to date, he argues.

The second is that the Australian Federal Police says it has seen rapid growth in the amount of encrypted traffic from around three per cent a couple of years ago to now over 55, 60 per cent of all traffic.

Lastly, Turnbull said that encrypted messaging services are used by ordinary citizens, they are alsi used by people who seek to do us harm. They're being used by terrorists, they're being used by drug traffickers, they're being used by paedophile rings.

Bad people using encryption means the law needs to be modernised, with a definitely-not-a-backdoor that sees device makers and service providers co-operate with Australia in as-yet-unspecified ways to provide access to encrypted messages when warrants are produced.

Pushed on how encrypted messages could be read when service providers hold neither public or private keys, and Turnbull had this to say:

Your Sydney-based correspondent looks forward to an attempt at repealing gravity so we can see if the laws of Australia override the laws of physics, too.

But we digress.

Brandis and Turnbull said the law will reach Parliament in the Spring sessions which commence on August 8th. Just what it will compel device-makers and service providers to do has not been revealed, nor has how Australia will access messages sent using services based offshore. Turnbull said I'm not suggesting this is not without some difficulty but hinted that in discussions at last week's G20 Leaders' Summit the participants agreed that member nations should be able to rely on colleagues to sort things out with companies resident in their respective jurisdictions.

Visit link:
UK spookhas GCHQ can crack end-to-end encryption says Australian AG - The Register

Nominee for director of the FBI Christopher Wray. Photo: Jim Watson/AFP/Getty Images

News reports from likely future FBI director Chris Wrays Senate hearing today focused on the question of the agencys independence from the White House. This is understandable the bureaus relationship to the White House is at the top of everyones mind and Wray performed well: My commitment is to the rule of law, to the Constitution, he told members of the Senate Judiciary Committee. But when it came to the less attention-getting, but no less important, question of encryption, unfortunately, Wray performed somewhat less inspiringly: Theres a balance, obviously, that has to be struck between the importance of encryption which we can all respect when there are so many threats to our systems and the importance of giving law enforcement the tools that they lawfully need to keep us all safe, he said.

The problem is that there isnt really a legal balance to be struck when it comes to encryption. American tech companies already comply with lawful orders for user information that isnt fully encrypted, and shy of building backdoors into their products, there isnt a lot more they can do.

Unfortunately, Im still not sure how this is an issue that can be solved by working together with industry, said Matthew Green, a renowned cryptography professor at Johns Hopkins University, after seeing Wrays comments. Either the U.S. government will pursue a strategy that includes mandated encryption backdoors or it wont. I believe other forms of cooperation, such as metadata sharing, are already available.

Wray is entering a decades-long debate, one where a principal argument hasnt really changed: Should you be allowed to make a device or a method of communication thats so secure, even you have no way of knowing what your users are doing or saying? The FBI, famously, was so stumped when it couldnt access San Bernardino shooter Syed Farooks iPhone last year that it invoked the All Writs Act of 1789, a broadly written law used when the government needs an authorization that Congress hasnt yet legislated or thought of, and demanded Apple write a personalized, fake software update to get past the phones login screen. At the 11th hour, the FBI said it had found and paid for a rare vulnerability in the code for the 5c, the model Farook had, and stood down.

Technologists and cryptographers have long been unanimous that forcing a tech company to build a secret vulnerability into their products, only to be used for emergency situations a backdoor is a terrible idea. If cops can use it, hackers and foreign governments can probably find it and exploit users, for one thing. And if American companies would be forced by law to build backdoors, as floated in an ill-fated draft bill last year by senators sympathetic to the FBIs concerns about terrorists going dark, privacy-minded consumers would simply start using secure messaging apps made in countries that didnt have that law.

At the same time, its hard to tell the law-and-order crowd that if a terrorist cell in the U.S. is using Signal, the FBI has to simply throw up its hands and use whatever other investigative tools are at its disposal. Thats why a number of political figures, among them former Democratic presidential nominee Hillary Clinton and former FBI Director James Comey, have rejected the idea of outright backdoors, but like Wray today, still declared a wistful support for some kind of compromise solution, achievable by the tech industry and federal government really putting their heads together.

But politicians and law-enforcement figures pushing for a compromise ignore the realities of mathematics and the dire need to increase internet security in favor of pushing technologists to nerd harder and come up with some magical way to create strong security tools that only the FBI could break, said Amie Stepanovich, U.S. policy manager at Access Now, a group that advocates for digital civil liberties.

In Wrays defense, maybe he only hoped for an impossible compromise because he hasnt had time to give the issue much thought: He readily admitted he was an outsider who didnt have enough information about encryption in front of him to present a formal plan, a repeated theme in his hearing. For the future, Wray might consider stressing that pushing for mandatory backdoors should be off the table, or that strong encryption should be a fundamental consumer protection in a world where Russian intelligence agencies target American civilians, like the heads of U.S. presidential campaigns. Wray could have said that agents stymied by locked phones would have to rely more on old-school investigative techniques. He could have admitted that while the gray market of buying exploits in emergencies is far from perfect, its worked so far, and there simply isnt a better solution out there.

Unfortunately, no senator probed Wray much further on the issue. What does he think the FBI should do if the agency encounters another Farook iPhone case, but this time cant find a vendor hawking exploits? Apparently, hope that math changes.

The site is reportedly closer to running out of funds than many expected.

The domino effect is hard to watch.

Then I dont need a jacket.

Itll hit stores next year.

The FCC and Congress have a lot of reading to do.

Conclusion? No collusion.

Angela Nagles Kill All Normies is among the best examinations of the origins of the alt-right.

No matter how much politicians and law enforcement might wish for it, a compromise on encryption cant happen.

Amazon is considering allowing third-party app developers access to your voice queries to Alexa.

Donald Trump Jr. and the Kremlin are at the heart of todays burgeoning Twitter meme.

AlphaBay, an online bazaar for drugs and other contraband, disappeared over a week ago and took millions of dollars with it.

Talking with New Yorks attorney general about net neutrality and what his office has seen while investigating broadband providers.

Thats one way to tell your neighbor what you think of them.

The company initially tested the ads with users in Thailand and Australia.

Five minutes and 25 seconds of chill vibes.

Some of the incentives were as high as $400,000.

My new sous-vide circulator comes with an internet connection, which is convenient both for me and for any teenage hackers creating a botnet.

Nobody should be able to work a knife that fast.

Continued here:
The Encryption 'Balance' Trump's FBI Candidate Wants Is Mathematically Impossible - New York Magazine

1. What is encryption and why is it important?

Encryption is the process of making content unintelligible to anyone or any device without the proper keys to unlock that content. It is important because every time we use a device on the internet we leave a digital footprint that is accessible to those that either want to monetise this information and or those that wish us harm (e.g. terrorists, hackers etc). Encryption, if implemented the right way, puts you back in control over who you allow to view what information.

2. Is encryption a good thing or a bad thing?

Encryption is an important tool. The important point is to ensure that it is implemented in such a way that it cant be used for bad purposes, only for good. The abuse of this tool may result in actions that are evil. Equally, if your medical provider is using encryption to store your health records, then its a very good thing. Its down to society to implement encryption responsibly.

3. Why should ordinary people be bothered with encryption?

Do you leave the doors of your home unlocked and open? We all expect privacy in our homes unless the law has been broken and even then enforcement agencies require a court order to enter. The internet does not offer the same level of privacy that we enjoy in our homes. Our data is under continual scrutiny by advertisers. Our pictures are misappropriated. Our private messages are put into the public domain. Encryption offers a means to redress the balance, and restore online privacy.

4. What are the dangers of building government backdoors into encryption products?

There are numerous risks:

a bad person could gain access to the backdoor and hence all your data; backdoors make systems more complicated and increase the risk of errors in what honest users are doing; backdoors can threaten the democratic process. Imagine for instance an internet voting system; to have secret ballot voting it is essential that government does not have a backdoor. interoperability across borders. Do backdoors match each other, will overseas customers want to buy products with a foreign governments backdoors in it, and the list goes on.

Rather than a seemingly big brother approach to gaining access to personal data that could be deemed as always on, the appropriate solution should be transparent. By using a system of legitimised key escrow, authorities have the necessary powers to gain access to specific information, while ensuring an individuals privacy is intact.

A system like this is just an online implementation of the already accepted process of law enforcement requiring a warrant to gain access to a persons home.

5. Why is there so much debate about encryption and privacy at the moment?

There are two very strong themes. First, terrorist groups are using encrypted messages to organise their activities. Second, we're seeing a growing number of vital public services being hit by cyber attacks. In short, there is a significant cyber threat to national security.

UK Home Secretary Amber Rudd has stated it is "unacceptable" that internet companies should, "provide a secret place for terrorists to communicate with each other," and has met with technology companies with a view to obtaining access to encrypted messages. This has alarmed many members of the technology community, who have pointed out that any weakening of encryption standards could seriously undermine the UK's ability to compete in online services. Many ordinary citizens are also alarmed about the possible prospect of mass, indiscriminate snooping. No one has yet put forward a balanced solution so the debate continues.

6. Should there be a limit to online privacy?

This is a question for civil, legal and ethical authorities and the answer would vary across the globe. There may be a disparity in government policy across differing countries the access of personal information. What is important is ensuring a uniform technical solution, globally together with the unified interoperable government policy.

7. Is there a way to balance peoples privacy and the need for government intervention?

Yes. The use of well-known and accepted cryptographic cyphers with acceptable policy controls and legitimised key escrow is the answer. This enables internal and cross-border laws to be balanced with civil rights.

After considerable search and thought, Scentrics offers a solution using acceptable and recognised cyphers and has made them accessible to developers through their SDK.

8. What is the next stage to encryption and privacy?

There is a change happening in the way that society views online privacy. For the first time there is a viable, low cost technical solution that is scalable to the masses. It makes the service of privacy simple. A one click solution. It leverages the already existing assets in the ecology of the internet and thereby does not intrude on asking the user to invest in assets to make this work. Considering the heightened sensitivity of this issue amongst all areas of society we see the world adopting this technology to have control over their digital personas (in other words our digital footprint).

Importantly this will deliver the right balance of protecting civil ethics and national security. A legacy infrastructure that we know to be the internet which was never born to cope with the current challenges it faces now must incorporate this new IP within its skeleton just as it did some 28 years ago by allowing for a hypertext protocol which we all know and cherish as the world wide web.

Jerome Mohammed, Operations Director, Scentrics Image Credit: Yuri Samoilov / Flickr

Read this article:
Q&A: The importance of encryption - ITProPortal

Researchers at Los Alamos National Laboratory (LANL) have found that most random number generators used for encryption keys are not truly random.

It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks. Discover how cyber security expertise can help businesses in the Middle East navigate digital transformations and keep cyber criminals at bay.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

They found that encryption keys are potentially predictable because software-based random number generators typically part of the operating system have a limited capacity.

This is because the software typically depends on capturing signals or events from the physical world, such as mouse movements, hard drive activity and network traffic, to increase the level of randomness.

But because these sources are finite, software-generated encryption keys are not truly random, and could be predicted by attackers. But few organisations are aware of these shortcomings because there is no mechanism for certifying the quality of random number generators.

To address this problem, the quantum security team at LANL spent a decade developing and perfecting the ability to deliver pure entropy the foundation of randomness using quantum technology.

Quantum random number generation is widely regarded as one of the most mature quantum technologies and the inherent randomness at the core of quantum mechanics makes quantum systems a perfect source of entropy. Therefore, only pure quantum entropy is considered to be capable of enabling the generation of truly random numbers for creating cryptographic keys that are impossible to predict.

This capability to generate truly random numbers has been made commercially available through a spin-off firm named Whitewood in reference to Thomas Jeffersons wheel cipher, that was made using discs cut from a cylinder of white wood.

Whitewood is a subsidiary of Allied Minds, which licenses technology from universities and research labs and then sets up companies to commercialise those technologies and take them to market.

In June 2017, Whitewood made this capability available as a free cloud-based service for servers, desktops and laptops running on the Microsoft Windows operating system.

The service is based on the Whitewood Entropy Engine, which uses the core technology developed by LANL and is designed to strengthen cryptographic security systems in traditional datacentres, virtual cloud environments and embedded systems, including internet of things (IoT) devices, where encryption is used increasingly for authentication and assurance of integrity and confidentiality.

The use of crypto tools such as encryption have become ubiquitous in modern IT environments and play a critical role in emerging technologies such as blockchain and bitcoin services and in helping organisations to comply with the EUs General Data Protection Regulation (GDPR).

Encryption is viewed by many organisations as a get out jail card because if they can demonstrate that data was encrypted, they dont have to disclose that they lost it, said Richard Moulds, general manager of Whitewood.

And in the payments world, there are some cost saving benefits because if you encrypt credit card numbers, that database is out of scope in terms of PCI DSS [payment card industry data security standard] assessments.

According to Moulds, PCI DSS is ahead of the GDPR in terms of encryption requirements, so perfect random number generation is likely to become increasingly important for the retail industry, while it is already an area of great interest for banks, the financial services industry and the military.

The free netRandom service for Windows is part of a broader product portfolio from Whitewood that includes support for Linux as well as on-premise entropy management systems with granular reporting functionality and quantum random number generators (QRNGs) for organisations that prefer to deploy their own dedicated or private security infrastructure.

The free service delivers on-demand, quantum entropy from a cloud-based server over standard IP networks to continuously re-seed existing random number generators to make them work properly. Just as the network time protocol drip-feeds time synchronisation to devices, the Whitewood drip-feeds entropy into devices as a background service.

Random number generation is critical for security, but is often poorly understood and is a point of attack and vulnerability highlighted by the SANS Institute as one of the seven most dangerous attacks for 2017, said Moulds.

The growing widespread use of cryptography raises the bar for randomness, making the current best-effort approaches to random number generation no longer sufficient.

In some ways, this is a dirty little secret in the crypto industry, and although it is a problem that is almost universal, almost nobody has thought about it. People tend to worry about where and how encryption keys are stored, who has access to the keys, and who is able to revoke a key, but few people think about where those keys come from or about how random they are.

Underlining the problem, researchers at the University of Pennsylvania found in a 2012 study that 0.75% of TLS certificates shared keys because of insufficient entropy during key generation, and that they were able to obtain the private keys for 0.50% of TLS hosts and 0.03% of SSH hosts because their public keys shared non-trivial common factors due to poor randomness.

According to Moulds, new data protection and privacy regulation such as GDPR raise the bar for randomness even further as organisations seek to use strong encryption, both to protect data from theft by making it unintelligible and to potentially avoid data breach disclosure obligations.

The rapid growth of the IoT is also focusing attention on crypto security as a means of ensuring correct operation and trustworthiness of safety-critical devices and systems such as drones, driverless cars and smart grid infrastructure, he said.

Cryptographic keys can be compromised through theft or calculated guesswork, said Moulds. There is a constant race to keep ahead of the attackers who can exploit ever-faster processing resources to break traditional random number and key generation methods and crypto algorithms a capability that will get a further boost with the availability of quantum computers.

The trend towards virtualisation, containers and distributed environments compounds the problem by abstracting applications from the physical world and the entropy within it, he said.

In the virtual world running on shared hardware with dynamic replication, there can be little or no real entropy, increasing the risk of entropy starvation and making it virtually impossible to guarantee the quality of key generation and system security without entropy from a trusted source, said Moulds.

For this reason, Whitewood is able to deliver entropy not only to physical machines, but also to virtual machines, containers and IoT devices. Whatever random generators developers use, they will work correctly because they are being seeded or shuffled so frequently, said Moulds.

Whitewood has solved three problems, he said: How to generate good entropy fast so there is enough to supply thousands of virtual machines; how to deliver it securely over a network; and we plugged it into the operating system so we are not forcing application developers to adopt a different random number generator because we are enabling existing random number generators in Windows and Linux to work better.

Continued here:
Encryption keys too predictable, warn security researchers - ComputerWeekly.com