#vulnerabilityHate it when someone tries to read your messages over your shoulder? So do we. A new discovery by researchers from Ruhr-Universität Bochum (RUB) in Germany found that an outsider may be able to secretly eavesdrop on your 'private,' encrypted group chats through WhatsApp and Signal messaging apps.
As a reminder, WhatsApp and Signal use end-to-end encryption, which stops trusting "the intermediate servers in such a way that no one, not even the company or the server that transmits the data, can decrypt your messages or abuse its centralized position to manipulate the service." It appears, however, that anyone who controls WhatsApp/Signal servers can add new members to any private group, allowing them to spy on conversations without the permission of the administrator. In a newly published paper by the researchers, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema,"
they explain how Signal and WhatsApp fail to properly authenticate someone from adding a new member to the group. This could allow an unauthorized person to add someone to the group chat.While WhatsApp has acknowledged the issue, they argued group members will be notified if a new member is added to the group. WhatsApp also released a public statement, “We’ve looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group,” saying if an attacker has admin control over the group, they still couldn’t create a 'hidden' user. Luckily, this attack is not easy to execute unless WhatsApp receives external pressure from the government or an organization, so users should not be too worried about it. Still, the concern is the technique offers a way for WhatsApp to be pressured to access an encrypted group conversation. In the past, however, WhatsApp has traditionally opposed requests to break encryption.
The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces. -RUB paper
You may recall the UK Government demanded a backdoor for encrypted services after their investigation into the London terror attack uncovered the killer, Khalid Masood, was active on WhatsApp just minutes before he attacked Britain’s Houses of Parliament in Westminster and killed four people. Get the details here.
#wi-fiSmall victory in the world of wireless security. The Wi-Fi Alliance just announced the next generation of the wireless security protocol—Wi-Fi Protected Access (WPA3).
For those unfamiliar, WPA2 has been around for almost 15 years and was long considered in need to repair due to poor security, more specifically, 'unencrypted' open Wi-Fi networks, which allow anyone on the same network to intercept connections on other devices. WPA2 is also vulnerable to KRACK (Key Reinstallation Attack), making it possible for attackers to intercept and decrypt Wi-Fi traffic. Now, with WPA3, "security will be baked deeper into wireless configurations, making it harder to misconfigure or to avoid." Among the four enhancements mentioned in the announcement are brute-force resistance, IoT support, stronger encryption, and a safer public Wi-Fi. Additionally, "WPA3 might provide an automatic system for allowing clients and routers to negotiate encrypted connections even on open networks."What's more, the system could fix cryptographic weaknesses in password-protected Wi-Fi networks whereby a user would get a network password in addition to a password unique to that user. All of these improvements certainly sound great, but what does it mean for the world? Well, organizations and individuals will need to buy new hardware to support the new protocol, so we can expect the transition from WPA2 to WPA3 to take some time. Some WPA3-certified devices are planned to be released later this year, but in the meantime, we should expect more details about the new protocol to surface and security experts to comment on it, so stay tuned.
Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry. Wi-Fi is evolving to maintain its high-level of security as industry demands increase. -Joe Hoffman, SAR Insight & Consulting
Want to dig deeper into wireless security? Read 'State of the Art Wifi Security Best Practices.'
#encryption "Just make an exception for us." That's what the US government has been reiterating in a debate over their authority to access private encrypted data on devices in cases against criminals.
Another plea on this front was most recently made by Christopher Wray, FBI Director, who called unbreakable encryption an “urgent public safety issue.” Wray, and other supporters of this idea such as James Comey and Rod Rosenstein, believe it is possible to give government (and only government) 'back-door' access to the encrypted digital devices of alleged criminals, without jeopardizing the encryption of other devices. As you can imagine, there has been much push back on this idea, with the CTO of IBM Resilient Systems saying quite frankly, "You don’t get an option where the FBI can break encryption but organized crime can’t. It’s not available technologically." Most security experts are in agreement on this stance and are particularly worried about the government's lack of protection of critical data, citing events such as Wikileaks sharing NSA and CIA tools.From the government's stance, Wray believes a 'selective encryption' access is needed to protect innocent citizens from criminals and terrorists who are using encrypted devices to 'go dark.' The FBI was locked out of 7,775 devices in the calendar year 2017, ending on Sept. 30. which affects some of their ongoing investigations "across the board – human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation, and cyber." In the past, The Attorney General and the FBI have suggested that Congress may need to create new rules allowing law enforcement access to encrypted data or wiretap online communications when they have appropriate legal authority, such as a search warrant. You may recall cases such as the San Bernadino shooting, which continuously resurfaces the debate. It seems that in 2018, this issue will continue to be a point of contention for the government and privacy enthusiasts alike.
This problem impacts our investigations across the board – human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation, and cyber. -Christopher Wray
Explore the world of encryption further. Read 'Encryption Software and Combating Cyber Crime.'
#factbyteResearch from WinMagic has found that 39% of businesses reported their infrastructure was more complex since using the cloud, and 53% spend more time on management tasks than they have done previously. Additionally, more than one third of respondents reported that data is only partially encrypted in the cloud, and 39% admitted to not having unbroken security audit trails across virtual machines in the cloud. Olivia Lynch (@Cybrary_Olivia)
is the Marketing & Communications Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.