The Facebook-owned WhatsApp messaging service announced this week that all messaging done with the latest version of the app is encrypted, end to end. Previously, WhatsApp encryption was made available for some types of messages, but now, all messaging -- including text, photo, video, file and voice messages -- are end-to-end encrypted by default, including group chats, for all of WhatsApp's over 1 billion users.
"The idea is simple: When you send a message, the only person who can read it is the person or group chat that you send that message to," wrote Jan Koum and Brian Acton, founders of WhatsApp Inc., based in Mountain View, Calif. "No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private -- sort of like a face-to-face conversation."
While noting that "there has been a lot of discussion about encrypted services and the work of law enforcement," and that they recognize the importance of the efforts of law enforcement in keeping people safe, Koum and Acton said "efforts to weaken encryption risk exposing people's information to abuse from cybercriminals, hackers and rogue states."
Senators take sides
Reaction to the WhatsApp encryption announcement was strong and swift. The security industry welcomed WhatsApp encryption, while a pair of U.S. senators took opposing positions.
"This is a significant step to strengthen online security for millions of people worldwide," Wyden said. "This is especially important for human rights activists, political dissidents and persecuted minorities around the world."
Noting that "some continue to spread fear about modern technology," Wyden said strong encryption "is essential to Americans' individual security."
"If American companies don't provide these services, there are already hundreds of foreign encryption products available online," Wyden said. "While law-enforcement agencies have legitimate concerns about challenges caused by encryption, the solution is to adapt by developing new techniques and resources for the digital age. Attacking the use of strong encryption only empowers criminals, foreign hackers and predators who will take advantage of weak digital security."
Sen. Tom Cotton (R-Ark.) released a statement denouncing WhatsApp's move.
"The WhatsApp and Facebook decision to add end-to-end encryption to all of WhatsApp's services, with no secure method to comply with valid search warrants, continues a dangerous trend in the tech and data world," Cotton said. "This is an open invitation to terrorists, drug dealers and sexual predators to use WhatsApp's services to endanger the American people."
"We cannot allow companies to purposefully design applications that make it impossible to comply with court orders," Cotton said. "We should have the same rules and expectations for tech and data companies that we do for telecom companies and banks: That the presumption of privacy contain[s] narrow exceptions for court-ordered searches related to law enforcement and national security."
Cotton called on WhatsApp and Facebook to "re-evaluate their decision before they help facilitate another terrorist attack."
Burr, Feinstein encryption bill drops
Meanwhile, the Burr Encryption Bill Discussion Draft became available late this week -- the first public release of the long-awaited encryption bill sponsored by Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.).
The proposed legislation, titled Compliance with Court Orders Act of 2016, requires "covered entities" -- electronic communication services, remote computing services, service providers, manufacturers of devices or software, or "any person who provides a product or method to facilitate a communication or the processing or storage of data" -- to decrypt data, or help the government decrypt data, whenever they receive a court order to do so.
Although the draft does not specify penalties for noncompliance, companies that are required to provide technical assistance in decrypting data will be compensated for "such costs as are reasonably necessary and which have been directly incurred in providing such technical assistance or such data in an intelligible format."
The draft also explicitly stated it is not to be considered a mandate by the government to dictate product design.
"Nothing in this Act may be construed to authorize any government officer to require or prohibit any specific design or operating system to be adopted by any covered entity." In other words, the details of how companies must comply with the legislation are left up to those companies.
Initial reaction to the draft from security experts on Twitter was decidedly negative. Matthew Green, assistant professor at Johns Hopkins University and cryptography expert, tweeted:
It's not hard to see why the White House declined to endorse Feinstein-Burr. They took a complex issue, arrived at the most naive solution.— Matthew Green (@matthew_d_green) April 8, 2016
Matt Blaze, associate professor of computer and information science at the University of Pennsylvania, and author a paper that sank the U.S. government's Clipper Chip key escrow proposal in 1994, tweeted:
They've actually come up with something worse than Clipper.— matt blaze (@mattblaze) April 8, 2016
And Julian Sanchez, senior fellow at the libertarian Cato Institute, tweeted:
Burr-Feinstein may be the most insane thing I've ever seen seriously offered as a piece of legislation. It is "do magic" in legalese.— Julian Sanchez (@normative) April 8, 2016
While the White House declined to publicly support the legislation after reviewing a draft last week, according to Reuters, sources said they did provide some feedback on the bill. If the White House continues to decline to support the proposed encryption bill, its chances for passage are low.
Encryption legislation and Apple-FBI fallout
Meanwhile, there was more fallout from the ongoing "going dark" fight, as more information came to light about the Apple-FBI legal battle over the San Bernardino, Calif., shooter's iPhone.
James Comeydirector of FBI
Speaking at Kenyon College on Wednesday evening, FBI Director James Comey opened with an explanation of why probable cause trumps privacy in the U.S. "There is no such thing as absolute privacy in America. There is no place outside the reach of judicial authority."
Comey said the iPhone in question was unlocked using a tool that was purchased from an unnamed "outside party." Comey said the tool works only on the Apple iPhone 5c model, which he called a corner case, meaning it did not represent a significant population of phone users. Apple had sold at least 24 million of that model as of two years ago, according to Forbes.
"If we tell Apple, then they're going to fix it and we're back where we started from," Comey said, adding "we may end up there, we just haven't decided yet." Noting that the FBI would consider sharing the tool with local or state law-enforcement agencies, Comey said details of the tool might come out in subsequent trials. However, he suggested his agency might be more open to using the tool to unlock phones to discover leads, rather than to collect evidence, so the FBI could avoid having to testify about how the leads were obtained.
The FBI has briefed Sen. Feinstein on how it bypassed the security lock on the San Bernardino shooter's iPhone 5c, and plans to brief Sen. Burr soon.
"The FBI is very good at keeping secrets," Comey said when asked about whether his agency could ensure the security of the tool used. "The people we bought this from, I know a fair amount about them, and I have a high degree of confidence that they are very good at protecting it and their motivations align with ours."
In other news
- According to an alert issued quietly in February, "The FBI has obtained and validated information regarding a group of malicious cyberactors who have compromised and stolen sensitive information from various government and commercial networks." The report stated the threat group has been active in the U.S. since at least 2011, and listed domains associated with their activities. "Research and analysis indicate that these domains were associated with the command and control of customized malicious software. Furthermore, these domains have also been used to host malicious files -- often through embedded links in spear phishing emails. Any activity related to these domains detected on a network should be considered an indication of a compromise requiring mitigation and contact with law enforcement." Motherboard reported the threat group is APT6, the code name for an advanced persistent threat group thought to be associated with the government of China.
- Microsoft announced availability of its new Microsoft Cloud App Security product based on technology acquired last year with Israel-based cloud security firm Adallom. The comprehensive cloud-delivered service is intended to "help companies design and enforce a process for securing cloud usage -- from discovery and investigation capabilities to granular control and protection," according to the announcement. The service collects information from firewalls and proxies, rather than through agents, to identify which -- of over 13,000 different cloud apps -- are being used in the enterprise. The service, which is being offered for $5 per user, per month, integrates with Microsoft's other identity and security services, including Azure Active Directory, Microsoft Advanced Threat Analytics and Azure Rights Management.
- This week, Microsoft, Apple, Adobe, Google and Cisco all issued urgent security patches:
- Bug bounty hunter Jack Whitton reported details of a vulnerability that could be exploited to obtain login tokens for a Microsoft Outlook, Office or Azure Account. The patch was released just two days after it was reported to Microsoft at the end of last month.
- Meanwhile, Google released patches for 39 Android vulnerabilities, including 15 rated as critical, that would allow remote code execution or privilege escalation. One of the patched vulnerabilities, CVE-2015-1805, reported last month, was being actively exploited. Patches went out to Nexus devices in an over-the-air update, as well as to the Android Open Source Project repository this week.
- Also this week, Apple pushed out a patch for a local lock bypass vulnerability on the iPhone 6s and 6s Plus running iOS 9.3.1. The bug is reported to be exploitable using the iOS intelligent assistant, Siri, to perform a search on a locked iPhone, and could be temporarily remediated by hardening settings for Siri.
- Cisco also joined the patch party this week with its fix for "a vulnerability in the malicious file detection and blocking features of Cisco Firepower System software, [which] could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on an affected system."
- Adobe posted yet another security advisory; this time, for a critical vulnerability in Adobe Flash Player. While the patch is expected to go live as early as April 7, Adobe stated "CVE-2016-1019 is being actively exploited on systems running Windows 10 and earlier with Flash Player version 22.214.171.1246 and earlier."
- The researcher who outed a broken Java patch from Oracle last month reported a similar situation with a patch from IBM. Adam Gowdiak, CEO and founder of Security Explorations, based in Poland, wrote that IBM's patch to its Java implementation "requires only several minor changes to our original proof-of-concept code published in July 2013," and a "complete Java security sandbox escape could be achieved" with the exploit code he provided.
- Ransomware continues to threaten individuals and businesses worldwide, and the Department of Homeland Security, in collaboration with the Canadian Cyber Incident Response Centre, issued an alert last week to raise awareness of the problem. "Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist." The alert lists a number of preventive measures to protect against ransomware, starting with using backup for all critical data, application whitelisting, staying up to date with system software updates, using current antivirus scanners, disabling macros when opening email attachments and avoiding clicking on unsolicited Web links in emails. Meanwhile, the FBI changed its official position on paying ransoms. "The FBI does not advise victims on whether or not to pay the ransom," Donald Good, deputy assistant director for the FBI's cyber division, wrote in a response to questions from Sen. Wyden, noting that backups and other implementation of other security "best practices" should be used to protect against ransomware. "If none of these precautions have been taken, and the individual or business still wants to recover their files, the victim's remaining alternative is to pay the ransom." Last year, Joseph Bonavolonta, assistant special agent in charge of the cyber and counterintelligence program in the FBI's Boston office, said the FBI "often advise[s] people to just pay the ransom."
Learn more about how metadata may provide the answer to the FBI's "going dark" problem.