Federal prosecutors say they’ve gotten their hands on a batch of potentially incriminating texts that Paul Manafort, the former Trump presidential campaign chairman, sent through encrypted messaging apps to two potential witnesses in his conspiracy and money-laundering case.
But investigators didn’t have to break into his cellphone to find a way around the encryption. Instead, the potential witnesses simply turned over strings of WhatsApp and Telegram texts to FBI agents, who then got a court order to search Manafort’s iCloud account, according to court papers filed late Monday. Through this, they were able to access a trove of WhatsApp messages that were stored there and confirm Manafort was the sender.
While the apps' end-to-end encryption would otherwise have made it virtually impossible for investigators to access the chats, there's a function in WhatsApp that automatically backs up messages on a user’s iCloud account, and Manafort appears to have left it enabled.
The high-profile case undercuts long-standing arguments from law enforcement that encryption thwarts investigations and that agents’ hands are tied without a "back door" for agents to access encrypted data when they have a warrant.
“It sounds like a case that would be hard for law enforcement, but this shows that there are other ways to get at the same data without having to apply computer brute force or super-technical capabilities,” said Daniel Weitzner, who served as the White House’s deputy chief technology officer for Internet policy in the Obama administration.
Prosecutors with special counsel Robert S. Mueller III’s investigation said in their filings that Manafort and a longtime associate used the apps to call and send messages to two unnamed members of a public-relations firm in attempts to get them to falsely testify about secret lobbying work they did at Manafort’s behest in 2013, as my colleagues Spencer Hsu and Devlin Barrett reported. “The FBI said one of the public relations firm’s executives, who also is not named in the filing, told the government he ‘understood Manafort’s outreach to be an effort to ‘suborn perjury’ by encouraging others to lie to federal investigators by concealing the firm’s U.S. work,” they write.
Mueller indicted Manafort as part of his probe into whether Trump campaign officials colluded with Russia in the 2016 election and whether President Trump later attempted to obstruct the investigation. With this new evidence, prosecutors are now accusing Manafort of tampering with witnesses and have asked a judge to revoke or tighten the terms of his home detention as he awaits trial. A spokesman for Manafort said he is innocent, and he has already pleaded not guilty to other charges in the case.
To be sure, law enforcement's solution here is not a panacea. The FBI has complained that what it calls the "going dark" problem is only getting worse with the advent of phones and other devices that not even companies can unlock because they do not hold the encryption key.
And it's true that Manafort's overtures would have been much better protected if he had disabled the backups to iCloud. Under federal law, Apple must give prosecutors access to an iCloud account if they present a court order.
Slate's Aaron Mak has a good rundown:
"If the FBI presents Apple with a subpoena, the company is legally required to give the bureau access to the contents of an iCloud account.
However, WhatsApp claimed in 2017 that it had added its own encryption to the backup files, which was supposed to prevent third parties from gaining access to ostensibly secure communications by worming their way into iCloud. Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute, says that the FBI could have subpoenaed WhatsApp for the encryption key or somehow transferred Manafort’s account to another phone.
Backup features ultimately aren’t doing any favors for people focused foremost on confidentiality. 'It definitely degrades the security of WhatsApp,' says Green. 'I think when people lose their message histories they get really, really upset. Companies like WhatsApp are really prioritizing giving users what they want, which is backups, over giving them the most secure solution possible.'"
Still, the Manafort case is likely to provide fodder for opponents of the FBI's push for a bill to require device and software makers to create mechanisms that would enable investigators to more easily access data on locked devices and encrypted platforms in criminal investigations.
And it comes on the heels of another high-profile blow to the bureau's argument: The Washington Post reported late last month that FBI Director Christopher A. Wray, when calling the need for encryption legislation an “urgent public safety issue,” until recently cited falsely inflated statistics showing that criminal investigators were locked out of about 7,800 devices last year. The real figure, as my colleague Devlin Barrett reported, is between 1,000 and 2,000.
Efforts by Sen. Dianne Feinstein (D-Calif.) and other lawmakers to pass encryption-breaking legislation have stalled — and they certainly won’t get a boost from these latest developments.
Weitzner said he expects policymakers to remain skeptical until law enforcement officials can show that cases such as this are an exception and that the same alternatives that existed in Manafort's case don't exist in other criminal probes.
“Policymakers should be looking with a very critical eye at claims that there is some pervasive ‘going dark’ problem that can only be solved by introducing insecure back doors,” he told me.
But a “back door” solution remains appealing to some because cracking a device would require far less time and fewer resources.
“Back door access to communications certainly would make many law enforcement investigations easier,” said Benjamin Buchanan, a cybersecurity policy fellow at Harvard’s Belfer Center. “To be sure, sometimes the workarounds to encryption come up short.”
PINGED: "Facebook admitted Tuesday that it allowed Huawei, a Chinese telecom company with alleged ties to the country’s government, to have special access to data about the social site’s users, an arrangement that could stoke fears that consumers’ personal information is at risk," The Washington Post's Tony Romm reports. The news came as lawmakers on Capitol Hill continued to demand answers about deals between Facebook and device makers over the past decade.
"For years, lawmakers in Congress and top U.S. national security officials have raised red flags about the security of Huawei products, fearing that the Chinese government could demand access to communications stored on their devices or servers," Romm writes. "The company has denied the charges, but the Pentagon took the rare step this year of banning sales of Huawei smartphones on U.S. military bases."
Earlier on Tuesday, the top Republican and Democrat on the Senate Commerce Committee wrote to Facebook chief executive Mark Zuckerberg seeking details about Facebook's partnerships with device makers, requesting an answer to their list of questions by June 18. "Given the Committee's ongoing oversight of Facebook's data privacy and security practices in the wake of the revelations surrounding Cambridge Analytica earlier this year, we write to request a further explanation of this issue,” Sen. John Thune (R-S.D.), the panel's chairman, and Sen. Bill Nelson (D-La.), the ranking Democrat, wrote in a letter. Thune and Nelson also asked Zuckerberg how Facebook informed users of its partnerships with device makers.
PATCHED: States are taking more federal money to bolster election security. So far, 26 states have requested almost $210 million of the total $380 million available in federal grants to improve state voting systems that Congress set aside in March as part of a massive spending bill, the Election Assistance Commission announced Tuesday. “This steady stream of funding requests from the states demonstrates an undeniable recognition that this money can have a tangible and immediate impact on the efficiency, security and accessibility of our nation’s elections systems," Thomas Hicks, the commission's chairman, said in a statement. “The Commission has diligently worked with states to distribute these new funds as quickly as possible. It is anticipated that all jurisdictions will submit funding requests by mid-July." (I wrote recently about how actually getting the money and choosing what to do with it isn't that simple for the states.)
PWNED: The Federal Communications Commission will probably have some explaining to do. Gizmodo's Dell Cameron reports that the FCC lied to defend unsubstantiated claims last year about a cyberattack against the agency. “The FCC has been unwilling or unable to produce any evidence an attack occurred — not to the reporters who’ve requested and even sued over it, and not to U.S. lawmakers who’ve demanded to see it,” Cameron writes. “Instead, the agency conducted a quiet campaign to bolster its cyberattack story with the aid of friendly and easily duped reporters, chiefly by spreading word of an earlier cyberattack that its own security staff say never happened.”
The FCC said in May 2017 that several distributed denial-of-service attacks had targeted its systems while Internet users attempted to submit messages on the commission's comment platform during the debate on net neutrality. Not only did the agency fail to provide any evidence of such an attack, but at least two FCC officials also spread false information about a previous security glitch in 2014, according to Cameron. “David Bray, who served as the FCC’s chief information officer from 2013 until June 2017, assured reporters in a series of off-the-record exchanges that a DDoS attack had occurred three years earlier,” Cameron writes. “More shocking, however, is that Bray claimed Wheeler, the former FCC chairman, had covered it up.”
— Lawmakers have questions for Health and Human Services Secretary Alex Azar about his department's compliance with cybersecurity guidelines. “As cyber threats to the health care sector increase in frequency and severity, it is imperative that HHS provide clear and consistent leadership and direction to the sector regarding cyber threats,” a bipartisan group of Senate and House lawmakers wrote to Azar in a letter. The missive was signed by House Energy Committee Chairman Greg Walden (R-Ore.), Senate Health, Education, Labor and Pensions Committee Chairman Lamar Alexander (R-Tenn.) as well as the ranking Democrats on both committees, Rep. Frank Pallone Jr. (D-N.J.) and Sen. Patty Murray (D-Wash.). The lawmakers, who are seeking answers about the department's efforts to comply with provisions of the Cybersecurity Information Sharing Act of 2015, requested a response by June 19.
— Chinese tech giant ZTE may survive after all. The company has signed a preliminary deal that would lift U.S. sanctions that the Commerce Department imposed on ZTE in April, Reuters's Karen Freifeld reports. "The preliminary deal includes a $1 billion fine against ZTE plus $400 million in escrow to cover any future violations, sources said, adding that the terms were in line with Reuters reporting on the U.S. demands on Friday," according to Freifeld. A Commerce Department spokesman told Freifeld that “no definitive agreement has been signed by both parties.”
"As part of the deal, sources said, ZTE promised to replace its board and executive team in 30 days," Freifeld writes. "It would also allow unfettered site visits to verify that U.S. components are being used as claimed by the company, and post calculations of U.S. parts in its products on a public website, they added."
“If these reports are accurate, this is a huge mistake,” Sen. Mark R. Warner (Va.), the Senate Intelligence Committee's vice chairman, said in a statement. “ZTE poses a threat to our national security. That’s not just my opinion — it’s the unanimous conclusion of our intelligence community.”
From Senate Minority Leader Charles E. Schumer (D-N.Y.):
If these reports are true, @realDonaldTrump has put China, not the United States, first. By letting ZTE off the hook, the president who roared like a lion is governing like a lamb when it comes to China. Congress should move in a bipartisan fashion to block this deal right away. https://t.co/ehRxD8b8bl
— Chuck Schumer (@SenSchumer) June 5, 2018
— The email addresses and hashed passwords of about 92 million users who had signed up for the DNA-testing service MyHeritage before or on Oct. 26 last year were exposed in a data breach, the company announced on Monday in a blog post. It took more than seven months for MyHeritage to become aware of the breach after a security researcher found the data on a private server and informed the firm, The Post's Hamza Shaban reports.
“No other information, except for the email addresses and hashed passwords, was exposed, MyHeritage said,” Shaban writes. “The company said that it does not store customer credit card information. Sensitive data such as DNA information and family trees are stored on systems that are separate from those that contain email addresses, the company said.” MyHeritage also said there is no evidence that the data that was breached was ever used by those responsible for the hack.
“Immediately upon learning about the incident, we set up an Information Security Incident Response Team to investigate the incident,” the company said. “We are also taking immediate steps to engage a leading, independent cybersecurity firm to conduct comprehensive forensic reviews to determine the scope of the intrusion; and to conduct an assessment and provide recommendations on steps that can be taken to help prevent such an incident from occurring in the future.”
- House Homeland Security Committee markup of H.R. 5733 on threats to industrial control systems and H.Res. 898 on cybersecurity threats from Chinese tech firm ZTE.
- Senate Judiciary Subcommittee hearing on student visa integrity.
- Senate Homeland Security and Governmental Affairs Committee hearing on malicious drones.
- Apple Worldwide Developers Conference in San Jose continues through June 8.
- Last day of Techno Security & Digital Forensics Conference in Myrtle Beach, S.C.
- Last day of Cyber:Secured Forum in Denver.
- Gartner Security & Risk Management Summit 2018 in National Harbor, Md., continues through tomorrow.
- Last day of Securing Federal Identity 2018 conference in Washington.
- House Science Subcommittee hearing on "the electric grid of the future" tomorrow.