For the second time this month, federal prosecutors say they’ve obtained a trove of encrypted messages from one of President Trump’s former top associates.
The relative ease with which investigators appear to have accessed the messages of Trump's longtime personal lawyer Michael Cohen highlights an often overlooked reality: encrypted apps like Signal and WhatsApp are only as secure as users choose to make them.
That’s becoming increasingly clear as Robert Mueller’s investigation of Trumpworld’s possible connections to Russia has ensnared Cohen (via a referral to the New York FBI) and former campaign chairman Paul Manafort, now in jail for alleged witness tampering in his fraud and money laundering case.
Prosecutors in New York revealed Friday that they got their hands on more than 700 pages of WhatsApp and Signal messages and call logs from Cohen, who is facing multiple federal investigations. In court filings, they said FBI agents extracted them from one of his BlackBerry phones seized in a search this year. The move comes less than two weeks after prosecutors with Mueller's investigation said they recovered a batch of WhatsApp and Telegram chats from Manafort. A judge on Friday jailed Manafort based on the contents of those chats.
Cohen and Manafort are both finding out the hard way that while WhatsApp, Signal and others offer high levels of security, their exchanges can remain vulnerable to prying eyes if users don't take steps to enable the full protections.
And investigators are making hay of conversations Trump associates clearly believed would be more secure but were actually easily foiled. The apps’ end-to-end encryption makes it nearly impossible to read the chats in their encrypted form, but that doesn’t really help shield data from law enforcement if it’s backed up in the cloud or retained on the device. Or, of course, if any one of the message recipients decides to share the exchanges with the feds.
“Encrypted messaging apps have a very specific purpose,” said Matt Green, a cryptography professor at Johns Hopkins University. “They’re designed to make sure that only the endpoints have access to the communications.”
“The thing that these apps aren’t designed to do is to protect your messages from the endpoints themselves,” he said. “If I send you this message through Signal, then you’ll have a copy of it. I will also have a copy of it. If either of us forgets to delete it — or chooses to retain it — then the encryption doesn’t do us very much good. That seems to be most of what’s going on with these cases.”
In Manafort’s case, prosecutors said the recipients of Manafort’s WhatsApp and Telegram messages simply turned over the strings of texts to FBI agents, as I reported recently. Once they had those on hand, they confirmed Manafort was the sender by searching his iCloud account, where some of them were backed up, according to court filings. Manafort appeared to have left enabled a function in WhatsApp that automatically stores chats in the cloud.
In Cohen’s case, investigators seized two BlackBerrys and an iPad during raids on his office, home and hotel room in April, and have been working to extract data from them.
Prosecutors told U.S. District Judge Kimba M. Wood in a letter Friday that the FBI had managed to pull all the data — 315 megabytes — from one of two BlackBerry phones. They told the judge that the FBI’s original attempt to extract the data “did not capture content related to encrypted messaging applications, such as WhatsApp and Signal,” but that “the FBI has now obtained this material,” which includes 731 pages of messages and call logs. They’re still working on getting the data from the second BlackBerry, according to the letter.
It’s unclear how the FBI accessed this data. But there are several possibilities that don’t involve cracking the encryption.
Like Manafort, Cohen could have been backing up his WhatsApp messages in the cloud, where they would have been accessible with a court order.
Investigators also could have retrieved them from the BlackBerry itself, as Ars Technica’s Sean Gallagher noted. “WhatsApp and Signal store their messages in encrypted databases on the device, so an initial dump of the phone would have only provided a cryptographic blob,” Gallagher wrote. “The key is required to decrypt the contents of such a database, and there are tools readily available to access the WhatsApp database on a PC.” Open-source apps such as WhatsApp Viewer allow users to decrypt and read backed-up WhatsApp messages on a desktop computer.
Whatever the case, the apps’ encryption wouldn’t have put the messages out of investigators’ reach, as Joseph Cox, a reporter for Vice’s Motherboard, pointed out:
wish people sharing ‘the feds got signal texts!’ noted that end to end encryption doesn’t do much if you have one of the ends 🤦♂️ — Joseph Cox (@josephfcox) June 17, 2018
Cybersecurity researcher Matt Tait said the same:
Or if it's configured to backup the plaintext to the cloud. — Pwn All The Things (@pwnallthethings) June 17, 2018
Green had some fun with the idea of the Trump associate’s false sense of security, too:
How many of the encrypted app conversations on Michael Cohen’s phone start with “don’t worry, this is encrypted!” — Matthew Green (@matthew_d_green) June 15, 2018
And attorney Michael Avenatti, who represents adult-film star Stormy Daniels in her lawsuit against Cohen and Trump, took a moment to gloat:
See below - just filed in the search warrant case. The second and third bullets could pose a huge problem for Mr. Cohen and ultimately Mr. Trump (especially the third bullet)!! BTW, so much for encryption protection! #Basta pic.twitter.com/RwdYjLAEp2 — Michael Avenatti (@MichaelAvenatti) June 15, 2018
Cindy Cohn, executive director of the Electronic Frontier Foundation, said investigators in both the Cohen and Manafort cases have a range of tools to access encrypted messages that stop short of the technically challenging and politically fraught work of breaking into a phone.
“In the Manafort and Cohen cases we’ve seen access to backups and access to seized phones themselves, plus likely other techniques that have not yet been disclosed by law enforcement,” she said. “Security is hard. There are always more ways to break it and usually only one way to get it right, so even without devices, there are software and hardware vulnerabilities and network vulnerabilities that can often be exploited.”
We may continue to see those methods at play in Mueller’s probe into whether Trump campaign officials colluded with Russia in the 2016 election and whether President Trump later attempted to obstruct the investigation.
As CNBC reported this month, attorneys with the special counsel’s office are asking witnesses to hand over their cellphones to inspect their encrypted messaging programs for conversations among Trump associates. Mueller’s team started collecting the phones as early as April to review private conversations in WhatsApp, Confide, Signal and Dust, according to CNBC. And former Trump campaign aide Sam Nunberg told New York magazine this month that he recently handed over two or three old BlackBerry phones to Mueller at the request of the special counsel’s office.
And, as in the Manafort case, potential witnesses collaborating with law enforcement may become even more crucial. “No encryption or other security in the world can protect you from a correspondent who agrees to share your messages with law enforcement,” Cohn said. “This fact shouldn’t be overlooked in evaluating the government’s options, especially in these high-profile, big conspiracy investigations.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Sens. Jeff Flake (R-Ariz.) and Christopher A. Coons (D-Del.) are wondering how good Amazon.com's Echo devices are at protecting user privacy, The Washington Post's Hamza Shaban reports. In a letter to Amazon founder and chief executive Jeffrey P. Bezos last week, Flake and Coons sought details about the way those devices and the Alexa voice assistant operate and whether Amazon takes measures to protect consumers' privacy.
“The senators, who lead the Judiciary subcommittee on privacy, technology and the law, framed the letter around a recent incident involving a family that discovered that their Echo had recorded a private conversation and sent it to a random person in their contacts,” Shaban writes. “The person happened to be the husband's employee and the conversation happened to be about wood flooring. The incident highlighted the risks of installing Internet connected microphones in the home.”
“We all know the tremendous benefits these technologies bring to our lives on a daily basis, but we would also like to be assured that our personal data is not compromised in the process,” Flake said in a statement. “Since these technologies are so new, it’s unclear how these devices work and what steps are being taken to protect consumers’ privacy.” (Bezos is also the owner of The Washington Post.)
PATCHED: California lawmakers directed $134 million to replace or upgrade voting systems as part of a budget that the state legislature passed last week. The budget also set aside $3 million to create an Office of Elections Cybersecurity and an Office of Enterprise Risk Management, according to California Secretary of State Alex Padilla's office. Cyberthreats to elections have become “the new norm,” according to a statement from Padilla. “These investments will improve the voter experience, strengthen existing security measures, and improve collaboration and coordination with county elections officials and our partners in the intelligence community,” Padilla said. The secretary of state's office will use the money to assist counties in purchasing equipment such as ballot-on-demand technology, electronic poll books and open source voting systems.
“While the White House remains in denial, our national security apparatus has verified that the Russian attacks on our democracy did not end with the 2016 election,” California state Sen. Henry Stern (D) said in a statement. “Cyberattacks and misinformation-based warfare continue today. California voters deserve secure elections and credible information leading into November. That’s why we’re establishing the Office of Elections Cybersecurity immediately.”
PWNED: The Pentagon has given U.S. Cyber Command more leeway to carry out offensive cyber operations beyond its usual defensive approach, the New York Times's David E. Sanger reports. The new strategy could raise the risk of conflict with foreign powers but did not go through a formal debate at the White House before it was rolled out in the spring, according to Sanger. “The objective, according to the new 'vision statement' quietly issued by the command, is to 'contest dangerous adversary activity before it impairs our national power,'" he writes in an article adapted from his upcoming book, titled “The Perfect Weapon: War, Sabotage and Fear in the Cyber Age.”
Officials told Sanger that the new strategy draws from counterterrorism operations that aim to fight terrorist groups on their turf before they strike. The new cyber approach involves taking “American defenses 'as close as possible to the origin of adversary activity extends our reach to expose adversaries' weaknesses, learn their intentions and capabilities, and counter attacks close to their origins,' the document says. 'Continuous engagement imposes tactical friction and strategic costs on our adversaries, compelling them to shift resources to defense and reduce attacks.'”
— The Kaspersky Lab ban is expanding. The federal government has decided to ban the Russian anti-virus company from its computer systems, and now it is extending the measure to contractors as well, according to FCW's Derek B. Johnson. The ban will be effective July 16 and applies to Kaspersky hardware, software and services. Federal authorities issued the interim rule with no period to submit comments on the policy because of “urgent and compelling reasons." "The new rule not only prohibits contractors from using Kaspersky products and services in federal systems, but they must also report discovery of such products and services discovered during the performance of contract work,” Johnson writes. “The ban extends down to subcontractors.”
The Department of Homeland Security said in a statement last year that it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks.”
— Facial recognition versus privacy: A recent arrest in a robbery case in Maryland after police used facial recognition technology to identify a suspect underscores how law enforcement is increasingly relying on this tool during investigations, the Wall Street Journal's Zusha Elinson reports. A detective fed an image taken from an Instagram picture provided by the victim into Maryland's face recognition system and the database returned the driver's license photo of the suspect, Elinson writes. “This digital-age crime-solving technique is at the center of a debate between privacy advocates and law-enforcement officials: Should police be able to search troves of driver’s license photos, many who have never been convicted of a crime, with facial recognition software?” Elinson writes.
— Hackers who take aim at the United States don't fear significant retaliation and inflict damage through a multitude of cyberattacks on a broad range of targets instead of carrying out huge operations, the Times's Sanger wrote in an analysis this weekend. “The larger lesson of the past few years is that unless we get smarter a lot faster about deterring these pernicious, hard-to-find forms of cyberaggression, much of what binds our digitally connected society will be eaten away,” he wrote. “We have spent so much time worrying about a 'cyber Pearl Harbor,' the attack that takes out the power grid, that we have focused far too little on the subtle manipulation of data that can mean that no election, medical record or self-driving car can be truly trusted.”
The U.S. government failed to respond when Russian hackers breached State Department and White House unclassified servers in 2014 and later the Joint Chiefs of Staff system, according to Sanger. Cyberattacks continued in 2015 and 2016 when Russia hacked the Democratic National Committee's computer network. “If Mr. Putin thought there was no price to be paid for invading White House systems, why wouldn't he attack the Democratic National Committee?” Sanger wrote. “And as the Russian attacks continued, no one in the American government detected the larger pattern or Russia’s ambitions to affect the election. Most officials assumed it was plain old espionage.”
— Tech giants such as Amazon and Microsoft are funding opposition to a proposal in California to demand that companies reveal the type of data that they collect on consumers. “The $195,000 contributions from Amazon and Microsoft, as well as $50,000 from Uber, are only the latest: Facebook, Google, AT&T, and Verizon have each contributed $200,000 to block the measure, while other telecom and advertising groups have also poured money into the opposition group,” the Verge's Colin Lecher reports. “After Mark Zuckerberg was grilled on privacy during congressional hearings, Facebook said it would no longer support the group.” The California Consumer Privacy Act would also give consumers the ability to refuse to have their personal information sold. State authorities are reviewing the measure to determine whether it has enough valid signatures to make it on the ballot in November, according to Lecher.
— Facebook sometimes evaded questions from lawmakers over the nearly 500 pages of responses it provided to Congress last week, according to Ars Technica's Cyrus Farivar. Facebook did not say whether it will publish the results of its internal investigation in the wake of the Cambridge Analytica scandal. Nor did it say whether the social network ever shut down a feature over privacy concerns. “Facebook's response, coming in at over 400 words, would not answer in the affirmative or the negative,” Farivar writes.
— Chinese tech giant Huawei on Monday said concerns in Australia that the company could threaten the country's security are “ill-informed,” Reuters's Colin Packham reports. “Australia is likely to ban Huawei from participating in a 5G mobile telecommunications roll-out in the nation as it fears the company is de facto controlled by China and sensitive infrastructure will fall into the hands of Beijing, according to Australian media reports,” Packham writes. “Huawei denies the allegations, and, in a move that threatens to draw Australian politicians into a public spat that will further stain relations with China, dismissed Canberra’s security concerns.”
— China's cyberattacks against Taiwan occur less frequently but are increasingly successful and harder to detect, Reuters's Jess Macy Yu writes. “They frequently go through online platforms like Google and blogs, to hide themselves and give investigators the impression it is a normal platform or tool, and thus to ignore its background actions,” a person who wasn't authorized to speak to the news media told Reuters.
- Justice Department Inspector General Michael E. Horowitz and FBI Director Christopher A. Wray appear before the Senate Judiciary Committee for a hearing on the inspector general’s first report on the department and FBI’s actions before the 2016 election.
- Annual ICIT Forum in Washington.
- Horowitz appears before the House Judiciary Committee and the House Oversight Committee for a joint hearing on the Justice Department and FBI’s actions before the 2016 election tomorrow.
- Cambridge University researcher Aleksandr Kogan appears before a Senate Commerce subcommittee for a hearing on Cambridge Analytica and data privacy tomorrow.
- Senate Appropriations subcommittee markup of the homeland security appropriations bill for fiscal 2019 tomorrow.
- Senate Intelligence Committee hearing on the policy response to Russian interference in the 2016 election on June 20.
- Senate Rules and Administration Committee hearing on election security on June 20.
- House Energy subcommittee hearing titled "Examination of the GAO Audit Series of HHS Cybersecurity" on June 20.