FBI: We don't want a government backdoor, just access to encrypted data

News roundup: Despite the benefits of encryption, FBI Director James Comey says it inhibits legal investigations. It's up to tech companies to help. Plus, read about major "computer glitches," Kali 2.0 and more.

FBI Director James Comey isn't sold on the merits of encrypted data, despite the slew of security experts advocating its use and warning against its weakening for government purposes.

At Senate Judiciary and Senate Intelligence Committee hearings Wednesday, Comey outlined the dangers of "going dark" -- i.e., encryption preventing access to electronic data -- and asked not for new legislation to create a government backdoor, but rather for tech companies to assist and hand over the encrypted data the FBI believes it needs.

U.S. Deputy Attorney General Sally Yates reiterated Comey's stance.

While the pair acknowledged the benefits of encryption, noting it was a "key tool to secure commerce and trade, safeguard private information, promote free expression and association, and strengthen cybersecurity," they also quickly discussed its pitfalls.

"Our job is to look at a haystack the size of this country to find needles that are increasingly invisible to us because of end-to-end encryption," Comey said.

"We have seen case after case -- from homicides and kidnappings to drug trafficking, financial fraud and child exploitation -- where critical evidence came from smartphones, computers and online communications."

Yet with so many companies, including Apple and Google, putting encryption in the hands of their users through end-to-end encryption schemes, it is becoming more difficult than ever for investigators to get their hands on evidence, Comey said.

"Many communications services now encrypt certain communications by default," Comey and Yates said in a statement, "with the key necessary to decrypt the communications solely in the hands of the end user … If the communications provider is served with a warrant seeking those communications, the provider cannot provide the data because it has designed the technology such that it cannot be accessed by any third party."

Because of this, "law enforcement is sometimes unable to recover the content of electronic communications for the technology provider -- even in response to a court order or duly authorized warrant issued by a Federal judge," Comey said.

"Even when we have the authority to search digital communications, we can't get the information that we need," Yates said, arguing that user data is becoming "warrant-proof."

So, what can be done -- a government backdoor?

"The core question is this: Once all of the requirements and safeguards of the laws and the Constitution have been met, are we comfortable with technical design decisions that result in barriers to obtaining evidence of a crime?" Comey asked.

"We are not asking to expand the Government's surveillance authority, but rather we are asking to ensure that we can continue to obtain electronic information and evidence pursuant to the legal authority that Congress has provided us to keep America safe."

"We want to work with communications providers to get the access we need, and, at the same time, protect the privacy and Internet security interests we all have," Yates said. "We'd like each provider to think about it and work out a way where they can respond to court orders. We're not seeking a front door, back door or any other kind of door, but just to work with industry to be able to respond to these orders."

Comey said companies should keep national security in mind when considering what type of encryption to use.

In other news

  • Computer glitches -- not cyberattacks -- are reportedly to blame for three major incidents that occurred Wednesday involving the New York Stock Exchange (NYSE), United Airlines and The Wall Street Journal. At the time, the NYSE attributed its nearly four-hour halt in trading to an "internal technical issue." In a statement released Thursday, the NYSE detailed the problem, saying the issue involved a test rollout of an upcoming software release; the NYSE and NYSE MKT customer gateways were "not loaded with the proper configuration compatible with the new release." Though the gateways were fixed prior to the opening bell, the update to the gateways caused communication issues. After a complete restart, the systems were up and running.
  • According to the Los Angeles Times, United grounded all its flights due to a failed network router that disrupted its reservation system. United spokeswoman Jennifer Dohm said the router issue "degraded network connectivity for various applications." Fifty-nine flights were cancelled and more than 800 flights were delayed due to the issue.
  • Visitors to the WSJ homepage Wednesday were met with a 504 error that said "something did not respond fast enough, that's all we know." The site was available approximately an hour later, albeit as a modified, bare-bones version. While the company has not commented on the outage, outlets suggested the NYSE outage sent a flock of curious readers to the WSJ website, overloading the site's servers.
  • Researchers announced Monday they've been working on a next-generation Kali Linux, which will be previewed at a Black Hat Vegas 2015 workshop; a DEF CON appearance is in the works. "We've been awfully quiet lately, which usually means something is brewing below the surface," researchers said in a blog post. A video preview of Kali 2.0 -- dubbed Sana -- highlighted the tool's improvements, including a redesigned user interface, restructured menus and tool categories, built-in desktop notifications and more. The penetration testing, security auditing, forensics and reverse engineering toolkit, which is funded and maintained by Offensive Security Ltd., was originally released in March 2013 as a complete rebuild of BackTrack Linux. Kali 2.0 will be available on August 11.
  • Security researcher Kevin Beaumont highlighted how OLE Package -- a feature in current Windows systems -- can potentially allow code execution in all versions of Microsoft Office, bypassing embedded executable object controls. OLE Packager, which was introduced in Windows 3.1 and purportedly runs up to XP, is active on Windows OSes and cannot be disabled. While not a new issue, Beaumont noted, it is a problematic one. Mail gateways and antimalware software don't detect the issue. Beaumont tested it on cloud-based email filtering companies, anti-exploit products and antimalware. He published two proof-of-concept examples online. Beaumont said he contacted Microsoft in March and was asked not to disclose the threat; however, he said Microsoft has not fixed the issue and does not plan to. To mitigate the risk, Beaumont suggests users deploy Microsoft EMET and add an ASR rule for Excel, WinWord and PowerPoint to deny packager.dll.
