The FBI doesn’t need Apple to give it a backdoor to encryption, because it already has all the access it needs – Boing Boing

Once again, the FBI is putting pressure on Apple to help them break into the phone of a mass shooter. And once again, Apple has been largely resistant to the effort. Which is good, because a government having control over a private company that gives them secret backdoor access into people's personal technology devices is an authoritarian wet dream waiting to happen.

It also doesn't matter anyway, because, as Reuters pointed out this week, Apple already buckled under FBI pressure a few years ago and cancelled their plans to add end-to-end encryption to all iPhone backups in iCloud:

The company said it turned over at least some data for 90% of the requests it received [from the FBI]. It turns over data more often in response to secret U.S. intelligence court directives, which sought content from more than 18,000 accounts in the first half of 2019, the most recently reported six-month period.

But what if the FBI wants access to someone's locked iPhone, and they haven't backed it up to iCloud? They still don't need Apple's help, because, as with the San Bernardino shooting, there are plenty of third-party companies that can and will gladly solve the problem in exchange for money.

From OneZero:

Over the past three months, OneZero sent Freedom of Information Act (FOIA) requests to over 50 major police departments, sheriffs, and prosecutors around the country asking for information about their use of phone-cracking technology. Hundreds of documents from these agencies reveal that law enforcement in at least 11 states spent over $4 million in the last decade on devices and software designed to get around passwords and access information stored on phones.


The documents range from contracts, requests for proposals (RFPs), invoices for payments by law enforcement, quotes from forensic companies, and emails traded between officials discussing vendor approval. They suggest that most law enforcement agencies bought forensic investigation products from a small group of companies that include Cellebrite, Grayshift, Paraben, BlackBag, and MSAB. In addition to selling the software and hardware needed to unlock phones, these companies also charge thousands of dollars each year to upgrade the software in their products. In addition, their customers spend thousands on training sessions to teach personnel in their offices how to use the tools.

And perhaps that's the most frustrating thing about this whole scenario. The US government is always warning us about the authoritarian overreaches of surveillance states like those in China, but really, they just want to replicate it without feeling guilty. Meanwhile, supposed innovations of free market enterprise are providing the same opportunities for authoritarian surveillance capitalism, but, ya know, privately owned, so immune to any legal oversight or transparency, because America. Isn't that supposed to be the dream?

Exclusive: Apple dropped plan for encrypting backups after FBI complained [Joseph Menn / Reuters]

Exclusive: U.S. Cops Have Wide Access to Phone Cracking Software, New Documents Reveal [Michael Hayes / OneZero]

Image via the White House


Encryption Software Market: Global Industry Analysis, Size, Share, Growth, Trends and Forecast 2020 – 2025 – Expedition 99

This report focuses on the global Encryption Software status, future forecast, growth opportunity, key market and key players. The study objectives are to present the Encryption Software development in United States, Europe and China.

In 2017, the global Encryption Software market size was million US$ and it is expected to reach million US$ by the end of 2025, with a CAGR of during 2018-2025.

The key players covered in this study

IBM

Microsoft

Sophos Ltd

Gemalto

NetApp Inc

Hewlett-Packard

Vormetric

Oracle

Intel

Symantec

Market segment by Type, the product can be split into

Encryption for Data-at-rest

Full Disc Encryption (FDE)

File Level Encryption

Others

Market segment by Application, split into

IT & Telecom

BFSI

Government & Public Utilities

Manufacturing Enterprise

Others

Market segment by Regions/Countries, this report covers

United States

Europe

China

Japan

Southeast Asia

India

Central & South America

The study objectives of this report are:

To analyze global Encryption Software status, future forecast, growth opportunity, key market and key players.

To present the Encryption Software development in United States, Europe and China.

To strategically profile the key players and comprehensively analyze their development plan and strategies.

To define, describe and forecast the market by product type, market and key regions.

In this study, the years considered to estimate the market size of Encryption Software are as follows:

History Year: 2013-2017

Base Year: 2017

Estimated Year: 2018

Forecast Years: 2018 to 2025

For the data information by region, company, type and application, 2017 is considered as the base year. Whenever data information was unavailable for the base year, the prior year has been considered.

Table of Contents

Chapter One: Report Overview

1.1 Study Scope

1.2 Key Market Segments

1.3 Players Covered

1.4 Market Analysis by Type

1.4.1 Global Encryption Software Market Size Growth Rate by Type (2013-2025)

1.4.2 Encryption for Data-at-rest

1.4.3 Full Disc Encryption (FDE)

1.4.4 File Level Encryption

1.4.5 Others

1.5 Market by Application

1.5.1 Global Encryption Software Market Share by Application (2013-2025)

1.5.2 IT & Telecom

1.5.3 BFSI

1.5.4 Government & Public Utilities

1.5.5 Manufacturing Enterprise

1.5.6 Others

1.6 Study Objectives

1.7 Years Considered

Chapter Two: Global Growth Trends

2.1 Encryption Software Market Size

2.2 Encryption Software Growth Trends by Regions

2.2.1 Encryption Software Market Size by Regions (2013-2025)

2.2.2 Encryption Software Market Share by Regions (2013-2018)

2.3 Industry Trends

2.3.1 Market Top Trends

2.3.2 Market Drivers

2.3.3 Market Opportunities

Chapter Three: Market Share by Key Players

3.1 Encryption Software Market Size by Manufacturers

3.1.1 Global Encryption Software Revenue by Manufacturers (2013-2018)

3.1.2 Global Encryption Software Revenue Market Share by Manufacturers (2013-2018)

3.1.3 Global Encryption Software Market Concentration Ratio (CR5 and HHI)

3.2 Encryption Software Key Players Head office and Area Served

3.3 Key Players Encryption Software Product/Solution/Service

3.4 Date of Entry into Encryption Software Market

3.5 Mergers & Acquisitions, Expansion Plans

Chapter Four: Breakdown Data by Type and Application

4.1 Global Encryption Software Market Size by Type (2013-2018)

4.2 Global Encryption Software Market Size by Application (2013-2018)

Chapter Five: United States

5.1 United States Encryption Software Market Size (2013-2018)

5.2 Encryption Software Key Players in United States

5.3 United States Encryption Software Market Size by Type

5.4 United States Encryption Software Market Size by Application

Chapter Six: Europe

6.1 Europe Encryption Software Market Size (2013-2018)

6.2 Encryption Software Key Players in Europe

6.3 Europe Encryption Software Market Size by Type

6.4 Europe Encryption Software Market Size by Application

Chapter Seven: China

7.1 China Encryption Software Market Size (2013-2018)

7.2 Encryption Software Key Players in China

7.3 China Encryption Software Market Size by Type

7.4 China Encryption Software Market Size by Application

Chapter Eight: Japan


US Government Report Reveals Its Favourite Way to Hack iPhones, Without Backdoors – VICE

This article originally appeared on VICE US.

The US government is once again reviving its campaign against strong encryption, demanding that tech companies build backdoors into smartphones and give law enforcement easy, universal access to the data inside them.

At least two companies that sell phone-cracking tools to agencies like the FBI have proven they can defeat encryption and security measures on some of the most advanced phones on the market. And a series of recent tests conducted by the National Institute of Standards and Technology (NIST) reveal that, while there remain a number of blind spots, the purveyors of these tools have become experts at reverse engineering smartphones in order to extract troves of information off the devices and the apps installed on them.

Asked whether the NIST test results have any bearing on the public debate about backdoors for police, Barbara Guttman, who oversees the Computer Forensic Tool Testing program for NIST, told Motherboard, "None at all."

"This is a completely different question. That's a policy question," she said, adding that NIST's only purpose is to ensure that "If you're acquiring the phone [data], you should acquire it correctly."

But the demonstrated ability of phone cracking tools to break into and extract data from the latest phones is further proof that the government is perfectly capable of getting into terrorists' devices, Andres Arrieta, the director of consumer privacy engineering at the Electronic Frontier Foundation, told Motherboard.

"When it comes to the capabilities from law enforcement, I think these documents show they're quite capable," he said. "In the San Bernardino case, they claimed they didn't have the capabilities and they made a big circus out of it, and it turned out they did. They've proven consistently that they have the tools."

The never-ending public debate over smartphone security has focused on backdoors for law enforcement to bypass device encryption, and more recently, Apple features that erase all data after 10 failed password attempts or block data extraction through Lightning ports. But accessing a phone is only part of the battle; once inside, digital forensic investigators have to understand the complicated data structures they find and translate them into a format that meets the high accuracy standards for evidence, using acquisition tools from companies like Cellebrite, Grayshift, and MSAB.

Results from an NIST test of Cellebrite found that it largely works as expected.

In a series of reports published over the last year, NIST's Computer Forensic Tool Testing program documented how well the latest tools perform that task on dozens of different smartphones and apps. The tests paint a picture of an industry trying to keep pace with the constantly changing smartphone and social media landscape, with mixed results.

"Let's say you can get into the phone, you can defeat the encryption. Now you have a blob of ones and zeros," Bob Osgood, a veteran FBI agent who is now the director of digital forensics at George Mason University, told Motherboard. Smartphones contain millions of lines of code, the structures of which differ between every device and can change with every OS or app update. Cracking a phone's encryption doesn't necessarily mean an investigator can access the code on it, including deleted and hidden files, hence the need for the tools tested by NIST. "In the digital forensics world, the state of complete Nirvana is to get a complete image of the phone," Osgood said. "The amount of technical know-how it takes to actually do this stuff, reverse engineer, beat the encryption, get data itself, is massive. There are a million moving targets."

Take Cellebrite, the Israeli company whose Universal Forensic Extraction Device (UFED) is a favorite of police departments and the FBI. In June, the company announced that its new premium tool could crack the encryption on any iOS device and many top-end Androids, a major win for law enforcement agencies that had been complaining about built-in encryption.

The company's current UFED 4PC software is then capable of accurately extracting the vast majority of important device information (GPS data, messages, call logs, contacts) from an iPhone X and most previous models, according to a NIST test from April. It was able to partially extract data from Twitter, LinkedIn, Instagram, Pinterest, and Snapchat as well. NIST did not test the extraction ability for other apps, like Signal.

UFED 4PC could not extract email data from newer iPhone models, but police can gain access to cloud email services like Gmail with a warrant.

Results from Cellebrite on Android phones

Cellebrite was less successful with phones running Android and other operating systems, though. The UFED tool was unable to properly extract any social media, internet browsing, or GPS data from devices like the Google Pixel 2 and Samsung Galaxy S9, or messages and call logs from the Ellipsis 8 and Galaxy Tab S2 tablets. It got absolutely nothing from Huawei's P20 Pro phone.

"Some of the newer operating systems are harder to get data from than others. I think a lot of these [phone] companies are just trying to make it harder for law enforcement to get data from these phones ... under the guise of consumer privacy," Detective Rex Kiser, who conducts digital forensic examinations for the Fort Worth Police Department, told Motherboard. "Right now, we're getting into iPhones. A year ago we couldn't get into iPhones, but we could get into all the Androids. Now we can't get into a lot of the Androids."

Cellebrite, which did not respond to requests for comment, frequently updates its products to address the failures discovered in testing and in the field, experts said, so the weaknesses NIST identified may no longer exist. Previous NIST testing data, though, shows that many blind spots can last for years.

It is important to note that just because a cracking tool can't successfully extract data doesn't mean a forensic investigator can't eventually get to it. The process just becomes much longer, and requires significant expertise.

Kiser said that Cellebrite is currently the industry leader for most devices. The exception is iPhones, where Grayshift, an Atlanta-based company that counts an ex-Apple security engineer among its top staff, has taken the lead.

Like Cellebrite, Grayshift claims that its GrayKey tool, which it sells to police for between $15,000 and $30,000, can also crack the encryption on any iPhone. And once inside, NIST test results show that GrayKey can completely extract every piece of data off an iPhone X, with the exception of Pinterest data, where the tool achieved partial extraction.

Grayshift did not respond to a request for comment.

Other products, like Virginia-based Paraben's E3:DS or Swedish MSAB's XRY, displayed weaknesses in acquiring social media, internet browsing, and GPS data for several phones. Some of those tests, though, are older than the recent results for Cellebrite and Grayshift.

In the NIST tests, both Cellebrite and Grayshift devices were able to extract nearly all the data from an iPhone 7, one of the phones used by the Pensacola naval air station shooter. That incident prompted the Department of Justice's latest call for phone manufacturers to create encryption backdoors, despite ample evidence that hacking tools can break into the latest, most privacy-conscious phones, like the iPhone 11 Pro Max.

"This whole thing with the new terrorists and [the FBI] can't get into their phones, that's complete BS," Jerry Grant, a private New York digital forensic examiner who uses Cellebrite tools, told Motherboard.



Apple Watch rewards, iCloud encryption, and WhatsApp hacks on the AppleInsider Podcast – AppleInsider

Feature

By Lester Victor Marks, Friday, January 24, 2020, 05:49 am PT (08:49 am ET)

AppleInsider editor Victor Marks and writer William Gallagher discuss:

We like reader email; send us your comments and concerns!

The show is available on iTunes and your favorite podcast apps by searching for "AppleInsider." Click here to listen, subscribe, and don't forget to rate our show.


Sponsors:

Masterclass - Get unlimited access to EVERY MasterClass, and as an AppleInsider listener, you get 15% off the Annual All-Access Pass! Go to masterclass.com/appleinsider.

CLEAR is the absolute best way to get through airport security. It works great with Pre-Check too! Right now, listeners of our show can get their first two months of CLEAR for FREE. Go to clearme.com/appleinsider and use code appleinsider.

Show notes:

Follow our hosts on Twitter: @vmarks and @wgallagher

Feedback and comments are always appreciated. Please contact the AppleInsider podcast at [emailprotected] and follow us on Twitter @appleinsider, plus Facebook and Instagram.

Those interested in sponsoring the show can reach out to us at [emailprotected].


Apple Wanted the iPhone to Have End-to-End Encryption. Then the FBI Stepped In – Popular Mechanics

Apple had intended to make end-to-end encryption of an entire device's data, which would then be uploaded to iCloud, available to customers. But then the FBI stepped in and put the kibosh on those plans.

The problem, according to law enforcement: Fully locked-down iPhones could be a roadblock to investigations, like the probe into a Saudi Air Force officer who shot three people dead at a Pensacola, Florida naval base last month.

U.S. Attorney General William Barr publicly asked Apple to unlock the two iPhones the shooter had in his possession. The company eventually did hand over backups from his iCloud account, but the whole ordeal shone a light on the back-and-forth dialogue going on between the U.S. government and tech companies that disagree about whether or not end-to-end encryption should be allowed. Just last month, both Democratic and Republican senators considered legislation to ban end-to-end encryption, using unrecoverable evidence in crimes against children as an example.

Apple had been planning to introduce end-to-end encryption for over two years and even told the FBI, according to a Reuters report that cited one current and three former Bureau officials, as well as one current and one former Apple employee. Shortly thereafter, the FBI's cybercrime agents and its operational technology division came out as staunchly opposed to those plans because it would make it impossible for Apple to recover people's messages for use in investigations.

"Legal killed it, for reasons you can imagine," another former Apple employee told Reuters. "They decided they weren't going to poke the bear anymore."

In this case, the bear is the government. In 2016, a nearly identical showdown between the FBI and Apple took place after the two parties got into a legal battle over access to an iPhone owned by a suspect in the San Bernardino, California mass shooting.

The nixed encryption plans are a loss for iPhone users because end-to-end encryption is more advanced than today's industry standard for security: basic encryption. Loads of companies use encryption, which basically scrambles the contents of a message or some other snippet of data, rendering it completely useless without the decryption key, which can unshuffle the jargon and restore the original.

Under this framework, a company usually has the cryptographic encryption key, which means the data isn't truly safe if a government or hacker gets their hands on the key. End-to-end encryption, though, means only the, well, end computer, the one receiving the data, has the encryption key stored. In theory, that person's computer could still be hacked and the encryption key could be forfeited, but it really reduces those odds.

But that limitation on who has access to the encryption key is the very crux of law enforcement's issue with end-to-end encryption: If Apple doesn't have the encryption key to access backups of a person's iPhone on the cloud, then the government can't access that data either.

Still, it's not entirely clear that the government is to blame for this project being killed. It's entirely possible Apple didn't want to have to deal with the headache of its customers accidentally locking themselves out of their own data.

For the rest of the world's smartphone users who rely on the Android operating system, end-to-end encryption is an option. Back in October 2018, Google announced that customers could use a new capability that would keep backed-up data from their phones completely locked down by using a decryption key that's randomly generated on that user's phone, using their lock screen pin, pattern, or passcode.

"By design, this means that no one (including Google) can access a user's backed-up application data without specifically knowing their passcode," the company wrote in a blog post. This end-to-end encryption offering is still available.


iPhone War: The Justice Department Is Taking On Apple Over Encryption (Again) – Yahoo News

In the wake of last month's shooting at a Pensacola, Florida, naval base, Attorney General William Barr is putting pressure on Apple to help FBI investigators unlock two of the shooter's iPhones. Followers of these issues will recall a similar pressure campaign in 2016 to force Apple to decrypt the San Bernardino, California, shooter's iPhone. In that case, the FBI ultimately hired an external company to break the encryption, at a cost of over $1 million.

One might think that the FBI's current efforts mean that iPhone encryption has advanced such that only Apple has the capability to unlock the shooter's iPhones, but depending on the exact model of the Pensacola shooter's phone, the FBI could pay as little as $15,000 to reach the data locked inside. However, if commercially available solutions don't work, it's likely there is no way for Apple to unlock the phone without its passcode.


Amazon Engineer Leaked Private Encryption Keys. Outside Analysts Discovered Them in Minutes – Gizmodo

An Amazon Web Services (AWS) engineer last week inadvertently made public almost a gigabyte's worth of sensitive data, including their own personal documents as well as passwords and cryptographic keys to various AWS environments.

While these kinds of leaks are not unusual or special, what is noteworthy here is how quickly the employee's credentials were recovered by a third party, who, to the employee's good fortune perhaps, immediately warned the company.

On the morning of January 13, an AWS employee, identified as a DevOps Cloud Engineer on LinkedIn, committed nearly a gigabyte's worth of data to a personal GitHub repository bearing their own name. Roughly 30 minutes later, Greg Pollock, vice president of product at UpGuard, a California-based security firm, received a notification about a potential leak from a detection engine pointing to the repo.

An analyst began working to verify what specifically had triggered the alert. Around two hours later, Pollock was convinced the data had been committed to the repo inadvertently and might pose a threat to the employee, if not AWS itself. "In reviewing this publicly accessible data, I have come to the conclusion that data stemming from your company, of some level of sensitivity, is present and exposed to the public internet," he told AWS by email.

AWS responded gratefully about four hours later and the repo was suddenly offline.

Since UpGuard's analysts didn't test the credentials themselves (which would have been illegal), it's unclear what precisely they grant access to. An AWS spokesperson told Gizmodo on Wednesday that all of the files were personal in nature and unrelated to the employee's work. "No customer data or company systems were exposed," they said.

At least some of the documents in the cache, however, are labeled "Amazon Confidential."

Alongside those documents are AWS and RSA key pairs, some of which are marked "mock" or "test." Others, however, are marked "admin" and "cloud." Another is labeled "rootkey," suggesting it provides privileged control of a system. Other passwords are connected to mail services. And there are numerous auth tokens and API keys for a variety of third-party products.

AWS did not provide Gizmodo with an on-the-record statement.

It is possible that GitHub would have eventually alerted AWS that this data was public. The site itself automatically scans public repositories for credentials issued by a specific list of companies, just as UpGuard was doing. Had GitHub been the one to detect the AWS credentials, it would have, hypothetically, alerted AWS. AWS would have then taken appropriate action, possibly by revoking the keys.

But not all of the credentials leaked by the AWS employee are detected by GitHub, which only looks for specific types of tokens issued by certain companies. The speed with which UpGuard's automated software was able to locate the keys also raises concerns about what other organizations have this capability; surely many of the world's intelligence agencies are among them.
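The two kinds of check described above, an issuer-specific pattern match of the sort GitHub runs for a fixed list of vendors and a fallback for opaque tokens that no such pattern covers, as an added Python example that is not UpGuard's or GitHub's code. The sample file and the vendor token are constructed; the AWS key values are the placeholder examples AWS publishes in its own documentation.

```python
import math
import re

# Constructed sample of a committed config file (not the real leaked data).
# The AWS values are the documented AWS placeholder examples, not live keys.
SAMPLE_FILE = """\
# deploy settings
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
MAIL_PASSWORD=hunter2
VENDOR_API_TOKEN=q8Zr1vT0Lx9pKd3mNy7aWc2sHb5eJf4g
ENV=production
"""

# Issuer-specific patterns: AWS access key IDs are 20 characters beginning
# with AKIA; secret access keys are 40 characters of base64-style text.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})"),
}

def shannon_entropy(s):
    """Bits of entropy per character; random 32-char tokens land near 5."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text, entropy_threshold=4.0):
    """Return (line_no, kind, value) for each suspected credential.

    Vendor patterns catch known formats; the entropy heuristic is the
    fallback for third-party tokens that match no issuer-specific pattern.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        matched = False
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                findings.append((no, kind, m.group(m.lastindex or 0)))
                matched = True
        if matched:
            continue
        value = line.split("=", 1)[1].strip()
        if len(value) >= 20 and shannon_entropy(value) >= entropy_threshold:
            findings.append((no, "high_entropy_token", value))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILE):
        print(finding)
```

The short mail password is missed by both checks, which is the trade-off such scanners make to keep false positives low.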

GitHub's efforts to identify the leaked credentials its users upload, which began in earnest around five years ago, received scrutiny last year after a study at North Carolina State University (NCSU) unearthed over 100,000 repositories hosting API tokens and keys. (Notably, the researchers only examined 13 percent of all public repositories, which alone included billions of files.)

While Amazon access key IDs and auth tokens were among the data examined by the NCSU researchers, a majority of the leaked credentials were linked to Google services.

GitHub did not respond to a request for comment.

UpGuard says it chose to make the incident known to demonstrate the importance of early detection and underscore that cloud security is not invulnerable to human error.

"Amazon Web Services is the largest provider of public cloud services, claiming about half of the market share," Pollock said. "In 2019, a former Amazon employee allegedly stole over a hundred million credit applications from Capital One, illustrating the scale of potential data loss associated with insider threats at such large and central data processors."

"In this case," Pollock added, "there's no evidence that the engineer acted maliciously or that any customer data was affected. Rather, this case illustrates the value of rapid data leaks detection to prevent small accidents from becoming larger incidents."

The rest is here:
Amazon Engineer Leaked Private Encryption Keys. Outside Analysts Discovered Them in Minutes - Gizmodo

Deployed 82nd Airborne unit told to use these encrypted messaging apps on government cell phones – Military Times

A brigade of paratroopers deployed in early January to the Middle East in the wake of mounting tensions with Iran has been asked by its leadership to use two encrypted messaging applications on government cell phones.

The use of the encrypted messaging applications Signal and Wickr by the 82nd Airborne's Task Force Devil underscores the complexity of security and operations for U.S. forces deployed to war zones where adversaries can exploit American communications systems, cell phones and the electromagnetic spectrum.

But it also raises questions as to whether the Department of Defense is scrambling to fill gaps in potential security vulnerabilities for American forces operating overseas by relying on encrypted messaging apps available for anyone to download in the civilian marketplace.

"All official communication on government cell phones within TF Devil has been recommended to use Signal or Wickr encrypted messaging apps," Maj. Richard Foote, a spokesman for the 1st Brigade Combat Team, told Military Times.

"These are the two apps recommended by our leadership, as they are encrypted and free for download and use," Foote said.

Foote added that there are no operational discussions via the apps and that an extra layer of security is provided because users must go through virtual private networks.

However, there are government transparency concerns with the use of encrypted messaging apps like Signal and Wickr, which feature auto-delete functions where messages are erased after a set period of time. Electronic communications and text messages sent as part of official government business are part of the public record, and should be accessible via a Freedom of Information Act request.

The Department of Defense did not respond to queries from Military Times regarding government records keeping policies and whether Signal and Wickr have been audited for security flaws by the DoD. Military Times has reached out to the National Security Agency, and has yet to receive a response.

Operational planners and military commanders rely on government cell phones for basic menial tasks, from scheduling to daily muster, even when deployed overseas.

Foote told Military Times that there is no requirement for extensive use of cell phones for work communication for the deployed 82nd paratroopers.

"If cell phones are used, we have taken the best steps, readily available, to ensure the best security of our transmissions," Foote explained.

"To be clear, the term 'official communication' in this setting refers to coordination of assets, sharing of meeting time changes, etc. There is no operational discussion on these platforms," Foote said.

Adversaries like Iran, which boast robust cyber and electronic warfare capabilities, can glean much information from phone collections and basic text messages that could highlight daily patterns on an installation or sudden shifts and changes in schedules, potential indications of pending operations.

But Foote explained to Military Times that the 82nd's government cell communications include an extra layer of security.

"When official business is being conducted via cell, it is done on the apps over VPN-protected [virtual private network] connections, systems reviewed and recommended by our Communications and Cyber sections," Foote said.

In 2016, Signal received a positive security review when it was audited by the International Association for Cryptologic Research.

"We have found no major flaws in the design," IACR said in its 2016 security audit of Signal.

A former military intelligence operator who has extensive experience working with the special operations community told Military Times that the Signal app was "very secure" with "no known bugs."

He explained that the 82nd Airborne's reliance on the app for government cell communications wasn't necessarily an indication that the DoD was behind the curve on protecting cellphone security for deployed troops. The former intelligence operator said he believed the DoD was just being lazy.

"Unfortunately, those apps are more secure than texting in the clear, which is more or less the alternative. Granted, if a hostile party has access to the handset, that encryption isn't particularly helpful," a former U.S. defense official told Military Times.

The former U.S. defense official, who spoke to Military Times on condition of anonymity because he was not authorized to speak on the record, said the DoD should use commercial applications as long as they are tested and meet security requirements.

"I don't have confidence that DoD could build a unique texting system with proper security protocols that would beat any commercial, off the shelf, version," the former official said.

With regards to transparency and records keeping requirements, Foote said he cannot confirm if any personnel have Signal or Wickr settings which allow auto-delete of messages at this time.

Military Times has not been able to confirm if Signal and Wickr have been audited for security flaws and vulnerabilities by the DoD.

Officials from Signal and Wickr did not immediately respond to requests for comment.

Continue reading here:
Deployed 82nd Airborne unit told to use these encrypted messaging apps on government cell phones - Military Times

FBI bullied Apple into dropping plans for end-to-end encryption on iCloud backups – News Landed

Apple has come a long way building a reputation of having what is arguably the most secure mobile operating system, iOS. Whether this is true or not, we can all agree that it's very difficult to hack into an iPhone or infect it with malware. When it comes to security, Apple makes no compromises. This is very reassuring, unless of course, you work for the FBI.

According to a recently released report from Reuters, Apple had planned on offering end-to-end encryption for iCloud backups two years ago. However, it scrapped those plans after heavy protests from the FBI, which argued that such a feature would hamper its investigations in cases where iCloud data could be used as evidence during criminal prosecutions.

Basically, end-to-end encryption is a communication system that allows only the sender and receiver to read messages. Essentially, this cuts out third parties and eavesdroppers from the communication cycle, even Apple itself. Messages sent using end-to-end encryption cannot even be deciphered by the server facilitating the communication, as only the devices carrying out the communication hold the decryption keys.

The FBI has a history of twisting Apple's arm into handing over private iCloud information. With a court order, the FBI can request access to any user's iCloud data from Apple, even without the user's knowledge. It can also get assistance from Apple to retrieve iCloud data from an iPhone during an investigation, as seen in 2019 when Apple was forced to provide iCloud data of two of Mohammed Saeed Alshamrani's iPhones, after he was implicated in the attack on the Naval Air Station in Pensacola, Florida. Had Apple already implemented end-to-end encryption at the time, not even it would have been able to access Alshamrani's iCloud information.

It is yet to be determined if Apple wishes to implement end-to-end encryption in the future, or whether it will bow to the FBI's requests for a backdoor.

Read more from the original source:
FBI bullied Apple into dropping plans for end-to-end encryption on iCloud backups - News Landed