Later On

A blog written for those whose interests more or less match mine.

FBI’s Anti-Encryption Campaign Is a Big Lie

Jenna McLaughlin reports in The Intercept:

To hear FBI Director James Comey tell it, strong encryption stops law enforcement dead in its tracks by letting terrorists, kidnappers and rapists communicate in complete secrecy.

But that’s just not true.

In the rare cases in which an investigation may initially appear to be blocked by encryption — and so far, the FBI has yet to identify a single one — the government has a Plan B: it’s called hacking.

Hacking — just like kicking down a door and looking through someone’s stuff — is a perfectly legal tactic for law enforcement officers, provided they have a warrant.

And law enforcement officials have, over the years, learned many ways to install viruses, Trojan horses, and other forms of malicious code onto suspects’ devices. Doing so gives them the same access the suspects have to communications — before they’ve been encrypted, or after they’ve been unencrypted.

Government officials don’t like talking about it — quite possibly because hacking takes considerably more effort than simply asking a telecom provider for records. Robert Litt, general counsel to the Director of National Intelligence, recently referred to potential government hacking as a process of “slow uncertain one-offs.”

But they don’t deny it, either. Hacking is “an avenue to consider and discuss,” Amy Hess, the assistant executive director of the FBI’s Science and Technology branch, said at an encryption debate earlier this month.

The FBI “routinely identifies, evaluates, and tests potential exploits in the interest of cyber security,” bureau spokesperson Christopher Allen wrote in an email.

Hacking In Action

There are still only a few publicly known cases of government hacking, but they include examples of phishing, “watering hole” websites, and physical tampering.

Phishing involves an attacker masquerading as a trustworthy website or service and luring a victim with an email message asking the person to click on a link or update sensitive information.

When a high school student made repeated bomb threats in Lacey, Washington, in 2007 — disguising his identity by routing his web traffic through Italy — FBI agents launched a phishing attack using the bureau’s in-house malware by sending a link to a fake news article to his MySpace inbox. When he clicked, he unknowingly installed the malware, which revealed his identity.

This was controversial and received widespread media attention because of the FBI’s choice of a faked news article as their vector of attack. But it also told us two things about FBI hacking: that the FBI has been using that particular kind of malware attack since at least 2007, and that it took the public until 2014 to find out.

A watering hole attack infects a website with malware, so that anyone who visits it is also infected, potentially allowing the attackers to identify and control the visitor’s devices.

In 2013, as part of a child-porn investigation, the FBI seized a large number of web servers and installed malware that reveals personally identifying information of online visitors to several different popular websites, including an email provider. The sites were “Tor hidden service sites,” or sites that reroute web traffic around the globe to cloak their destination. The FBI snuck in a piece of code on every single website hosted by the Freedom Hosting service, directing information about hacked visitors back to a server in northern Virginia.

This watering hole attack landed a large number of people in the FBI’s trap, most of them innocent people who hadn’t committed any crimes. And the FBI never told them about it, because it never subpoenaed their identities — even though their computers had been compromised.

The earliest reported case of the FBI using physical tampering . . .

Continue reading. Lots more.

Written by LeisureGuy

28 September 2015 at 11:47 am
