Encrypted messaging apps offer crucial protections for those who want to safeguard their communications from prying eyes. But a high-profile leak investigation is a reminder that the apps may provide a false sense of security for people who do not use them correctly or take other security precautions.
The government unveiled criminal charges Wednesday against a Treasury Department employee accused of leaking confidential banking reports involving key figures in the special counsel’s probe of Russian election interference. Prosecutors say Natalie Mayflower Sours Edwards, a senior official at the department's financial crimes unit, sent photos of the documents through an encrypted app to a reporter, who used them as the basis for a dozen stories related to the probe, as my colleagues Devlin Barrett and Matt Zapotosky report. The exchanges allegedly included materials related to former Trump campaign chairman Paul Manafort, Russian diplomats and other Trump associates.
It would have been extremely difficult for investigators to have intercepted the messages because of the high level of security encrypted messaging apps provide. But prosecutors say they found hundreds of the messages Edwards stored on her cellphone when they searched the device this week. The messages apparently included communications in which Edwards “transmitted or described” the banking documents to the reporter."
The case offers another high-profile reminder that users need to take extra steps -- beyond just downloading and typing in the app -- to reap the full protections offered by encrypted messaging. Services such as Signal cloak messages when they’re going from one device to another — but once they reach their destination, it’s up to the user to make sure they can’t be accessed. In other words, if you are backing up your decrypted messages onto to your device, you are no longer protected by the app.
Ars Technica reporter Cyrus Farivar, author of a new book on surveillance law, pointed out the risks:
Fellow reporters: if you’re going to exchange encrypted messages with a govt source, that crypto will do you no good IF THE SOURCE SAVES ALL THE MESSAGES AND THE FEDS GET INTO THE PHONE.https://t.co/cwslzUjRIx— Cyrus Farivar (@cfarivar) October 17, 2018
Federal prosecutors charged Edwards with conspiracy and unauthorized disclosure of suspicious activity reports. The reports, known as SARs, are documents that banks generate when they see a financial transaction that may involve illegal activity. Prosecutors didn’t identify the news organization or the reporter, but the stories cited in court papers match the headlines and details of BuzzFeed News stories from the past year and a half, as my colleagues report.
An 18-page criminal complaint says Edwards and the reporter sent hundreds of encrypted messages to each other over the past year, at one point exchanging more than 500 in a single day. It’s not clear how investigators unlocked Edwards’s cellphone. The filing also says that Edwards confessed during an interview yesterday with authorities to sending the documents to the reporter over the encrypted app.
The potential false sense of security is an especially important warning sign for reporters and their sources, who have turned increasingly to encrypted apps for confidential communication as such services have proliferated in recent years. From cybersecurity reporter Kim Zetter:
This should be an instruction for both reporters and their sources -- encrypted messages are UNENCRYPTED on receiving/sending devices. If authorities obtain the device, the encryption does you no good. https://t.co/SEaNEvAhAk— Kim Zetter (@KimZetter) October 17, 2018
A similar issue came up earlier this year, when prosecutors involved in Robert S. Mueller III’s investigation revealed that they’d recovered a batch of WhatsApp and Telegram chats from Manafort’s cellphone, as I reported. Witnesses in the case gave strings of texts to FBI agents, and investigators later searched Manafort’s iCloud account, where some of the chats had been automatically backed up. The same month, investigators in a separate matter extracted a trove of Signal and WhatsApp messages from the BlackBerry phones of Trump’s former personal lawyer Michael Cohen.
The latest criminal complaint shows that investigators knew before arresting Edwards that she had allegedly exchanged messages with the reporter. According to the complaint, investigators started tracking the pair’s messages and phone calls in early August using a surveillance device known as a pen register and a “trap and trace” order. Those tools, regularly used by law enforcement in criminal investigations, allow investigators to record the time and duration of the exchanges but not the content. In this case, it could have given investigators strong clues about what to look for when they seized Edwards’s cellphone.
But even some tech experts wondered how that process would have applied to encrypted apps. From Farivar:
Would a conventional pen register record encrypted messaging exchanges? I honestly don’t know.— Cyrus Farivar (@cfarivar) October 17, 2018
And Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford University's Center for Internet and Society:
Great question. Me neither. I mean, it won't get the contents - pen registers wouldn't do that even for unencrypted messages - but I don't actually know what the metadata looks like to a pen register. Might depend on the app.— 💀Riana-Mator💀 (@Riana_Crypto) October 17, 2018
And Alex Stamos, Facebook’s former chief security officer:
If they get the equivalent to NetFlow data from the ISP of two people, which is my understanding of a pen register in this context, then it would be trivial to prove they were communicating with one another.— Alex Stamos (@alexstamos) October 17, 2018
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: IBM's threat intelligence team is touring the country in a jet-black 18-wheel truck that they've converted into a mobile cybersecurity training center — and today they'll be on Capitol Hill to school congressional staffers in how to respond to cyberthreats. The team's training exercises are designed to encourage lawmakers to rethink how both government and the private sector grapple with digital attacks, said Caleb Barlow, IBM Security's vice president of threat intelligence. “The biggest takeaway from a legislative perspective is that it’s not just about trying to prevent the breach but also knowing what to do when the inevitable happens," he told me. "It’s like CPR — when someone falls on ground in front of you, now’s not the time to pull the book of the shelf and learn to do it.”
The event will also offer some nitty-gritty advice for lawmakers and staff to better protect themselves against email phishing scams and other digital intrusions that they face on a daily basis. "This audience is very likely to fall victim to highly targeted attacks," Barlow said. "We’ll show them some of the tools the bad guys actually use. When you understand how an adversary operates, you’ll be better protected.”
PATCHED: “Twitter accounts originating in Iran masqueraded as foreign journalists and concerned U.S. citizens in their attempt to push political messages on the social media site until they were suspended earlier this year, according to research published Wednesday,” The Washington Post's Tony Romm reported. “The analysis — performed by the Atlantic Council’s Digital Forensic Research Lab — reflects an attempt by some in Iran to ‘spread regime messaging through covert channels.’ ” However, as Tony noted, the Iranian trolling operation was less effective than Russia's online efforts to sow discord during the past U.S. presidential election, according to the researchers.
The tech company “shared roughly 1.1 million tweets from Iran with the Atlantic Council, which said it could not fully attribute the accounts to the country’s government in its own report Wednesday,” my colleague wrote. “But researchers said the Iranian operation relied on many identities, and at times bots, to push the preferred messages of the Iranian government over a six-year period.” Tony also reported that in an effort to be more transparent, “Twitter on Wednesday announced it would make available roughly 10 million tweets and 2 million images, live video and other content that had been created by the Iranian accounts and thousands of other, widely reported online trolls that previously had been tied to Russia.”
PWNED: Omar Abdulaziz, a Saudi opposition activist living in Canada and close associate of the missing Saudi journalist Jamal Khashoggi, said that spyware infected his phone this summer as both men were working on several plans — such as an online dissidence project and a short film — that may have displeased the Saudi government, The Washington Post's Loveday Morris and Zakaria Zakaria reported Wednesday. “The Citizen Lab, a University of Toronto project that investigates digital espionage against civil society, warned him in August that his phone may have been hacked,” my colleagues wrote. “Two weeks ago, the group concluded with a ‘high degree of confidence’ that his cellphone had been targeted. The group said it believed the operator is linked to ‘Saudi Arabia’s government and security services.’”
Abdulaziz said he thinks his phone was infected when he clicked on a tracking link after he placed an online order. “They had everything,” Abdulaziz told my colleagues. “They saw the messages between us. They listened to the calls.” The apparent hack occurred at a time when Abdulaziz and Khashoggi were developing a plan “to buy SIM cards with Canadian and American numbers that Saudis inside the kingdom could use” to challenge government-aligned online trolls without having to link their Saudi phone numbers to their Twitter accounts, Loveday and Zakaria wrote.
Abdulaziz's device was infected with the Pegasus spyware from Israeli cyber-surveillance company NSO Group, according to a report issued on Oct. 1 by the Citizen Lab. “Once a phone is infected, the customer has full access to a victim’s personal files, such as chats, emails, and photos,” the report said. “They can even surreptitiously use the phone’s microphones and cameras to view and eavesdrop on their targets.”
— More cybersecurity news:
— A group of House Democrats on Wednesday chastised President Trump and Vice President Pence for saying that China seeks to interfere in American politics ahead of the midterm elections. Reps. Bennie Thompson (Miss.), Elijah E. Cummings (Md.), Jerrold Nadler (N.Y.), Adam Smith (Wash.) and Robert A. Brady (Pa.) said in a statement that “conflating the interference by Russian and Chinese actors is irresponsible.”
The lawmakers said that an intelligence assessment they received from the Department of Homeland Security does not back up Trump and Pence's comments about Chinese interference. “Nothing we have learned through this update supports the President’s or Vice President’s recent claims or changes our view that their statements on this issue are driven by partisan politics rather than the facts,” the congressmen said in the statement.
DHS Secretary Kirstjen Nielsen said last week that China is “exerting unprecedented effort to influence American opinion,” but she added that the federal government so far has not detected “any Chinese attempts to compromise election infrastructure.”
— “There’s a shortage of nearly 3 million cybersecurity professionals worldwide and nearly 500,000 in North America, according to a study released by a major cybersecurity certification organization Wednesday,” Nextgov's Joseph Marks reported. “Those figures echo a cyber workforce shortage in the federal government that has bedeviled agencies struggling to improve the security of their networks. The shortage of qualified cyber professionals is now the number one job concern for cyber workers, beating out low budgets and lack of resources, according to the report, which was compiled by the International Information System Security Certification Consortium, or (ISC)², a major cyber credentialing organization.”
— “Apple Inc on Wednesday rolled out an online tool to users in the United States and several other countries to download, change or delete all the data that the iPhone maker has collected on them,” Reuters's Stephen Nellis reported. “Apple updated its privacy website with the tool, which was unveiled earlier this year for users in the European Union in response to the region’s General Data Protection Regulation, or GDPR. Apple will now let users in the United States, Canada, Australia and New Zealand see and download all information that Apple has collected on them.”
— Entertainment systems in cars hold information that can be retrieved even if the vehicle's owner sought to erase the data, Forbes's Thomas Brewster reported Wednesday. “A recent investigation saw the feds exhume data from two distinct vehicular car entertainment hardware units, one made by LG, the other by Bosch,” Brewster wrote. “That’s according to a search warrant unearthed by Forbes detailing the case, which focused on narcotics and firearms trafficking crimes allegedly tied to an individual called Dennis Campbell Jr. Kenneth Pitney, an agent with the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), wrote in the warrant that he believed deleted information was retrievable from the 2014 Cadillac CTS in which Campbell was caught with traces of crack cocaine, marijuana and a Smith and Wesson pistol.”
A warrant document indicates that data from the car's two entertainment modules was successfully extracted, according to Forbes. Craig Smith, a security expert who founded Open Garages, told Brewster that when a user deletes information from a car's entertainment system, the data isn't actually erased. “He said that when a car owner requests files be deleted from the vehicle, rather than overwrite the data, the entertainment unit will simply move the information to another not-so-well-hidden area,” Brewster reported. “From there, all a digital forensics officer or other hacker has to do is grab the internal memory and they have all the information they need, Smith said.”
— More cybersecurity news from the private sector:
— A survey that Forrester Consulting conducted for the company Diligent found that “a majority of board members are still using personal email accounts to share corporate information — and a third of them have misplaced a company-owned mobile device or computer in the past year,” Bloomberg News's Jeff Green reported. “All told, 56 percent of directors and 51 percent of C-suite executives are using personal email, rather than a corporate account, to send sensitive company information.” The study, which was released Wednesday, surveyed more than 400 board members and governance officials in 11 countries, according to Bloomberg News.
- DC CyberWeek organized by CyberScoop in Washington through tomorrow.
- IBM holds a cybersecurity training session in a truck, which the company calls IBM X-Force Command Cyber Tactical Operations Center, on the National Mall in Washington.
- Palo Alto Networks Federal Ignite 2018 conference in Washington on Oct. 23.
How Trump rallies are frozen in time:
Trump awards retired Marine Medal of Honor:
The many Democrats refusing to back Nancy Pelosi in 2018: