Gang ringleader who smuggled at least 127kg of cocaine into Britain using Encrochat is jailed for 16½ years after detectives ‘hacked into’ encrypted service

The ringleader of a drug network smuggled at least 127kg of cocaine into the UK using the Encrochat messaging service that has been burst open by detectives.

Marius Bucys, 43, of Dagenham in London, has been sentenced to 16 years and six months in prison after being convicted of conspiracy to import Class A drugs.

Bucys is the latest criminal to be busted after cybercrime experts cracked open the Encrochat service and used its data to arrest hundreds of criminals who had, until then, used the app as a near-untraceable means of coordinating drug deals.

European officers blew the app wide open in 2020, and Metropolitan Police detectives used a combination of its data and old-fashioned detective work to snare the drug smuggler – whose drivers used secret compartments to hide their wares.

The Met says Bucys acted as the ringleader in a wider drug network, arranging travel and logistics for the substances to be brought into the UK.

After Encrochat was accessed by police in the Netherlands and France, data was passed to police forces in the UK via the National Crime Agency (NCA) that detectives were able to use to link Bucys to the illicit trade.

Officers also trawled through hundreds of hours of CCTV showing lorry drivers stopping at locations up and down the M25 to pick up the drugs.

When officers raided his address, they found a notebook containing details of the importations.

NYPD Will Spend Nearly $400 Million to Hide its Radio Communications

The New York Police Department (NYPD) will spend nearly $400 million to upgrade its radio system, including encrypting its communications channels, which the public has been able to tune into since 1932.

At a New York City Council meeting Monday, NYPD Chief of Information Technology Ruben Beltran said the upgrade, expected to cost $390 million, will be completed by the end of next year, replacing the old analog radio network with a fully encrypted digital system. 

The move is part of a growing trend. Over the last decade, other large police departments in Chicago, Baltimore, Washington, D.C., and Portland have all encrypted their radio communications or are planning to do so. Departments say broadcasting in the clear gives criminals advance warning. Beltran said encryption would also protect the information of crime victims and block pranksters who jam up NYPD frequencies. (The NYPD regularly leaks information on arrestees and even victims for political purposes.)

However, scanner enthusiasts, news organizations, and elected officials complain that encrypted radio is cutting off a longstanding and useful source of information on police activity. As Gothamist reported, NYPD radio chatter has been the source of several major news stories over the years:

The New York Daily News obtained the crucial video of Officer Daniel Pantaleo killing Eric Garner thanks to a call that came over the police radio in Staten Island. As tens of thousands of peaceful demonstrators flooded the streets in June 2020, Gothamist recorded NYPD officers on radio airwaves using threatening language about the protesters, including saying that officers should run protesters over and shoot them. Responding, one officer was recorded saying “don’t put that over air.”

Police frequencies going dark is especially challenging for photojournalists, who rely on scanners to get to emergency scenes as fast as possible. The Chicago Police Department is considering a 30-minute public broadcast delay to allow news organizations to still hear dispatch calls.

In a first, cryptographic keys protecting SSH connections stolen in new attack

For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established.

Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion of almost 200 unique SSH keys they observed in public Internet scans taken over the past seven years. The researchers suspect keys used in IPsec connections could suffer the same fate. SSH is the cryptographic protocol used in secure shell connections that allows computers to remotely access servers, usually in security-sensitive enterprise environments. IPsec is a protocol used by virtual private networks that route traffic through an encrypted tunnel.

The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host.

While the percentage is infinitesimally small, the finding is nonetheless surprising for several reasons—most notably because most SSH software in use—including OpenSSH—has deployed a countermeasure for decades that checks for signature faults before sending a signature over the Internet. Another reason for the surprise is that until now, researchers believed that signature faults exposed only RSA keys used in the TLS—or Transport Layer Security—protocol encrypting Web and email connections. They believed SSH traffic was immune from such attacks because passive attackers—meaning adversaries simply observing traffic as it goes by—couldn’t see some of the necessary information when the errors happened.

The researchers noted that since the 2018 release of TLS version 1.3, the protocol has encrypted handshake messages occurring while a web or email session is being negotiated. That has acted as an additional countermeasure protecting key compromise in the event of a computational error. Keegan Ryan, a researcher at the University of California San Diego and one of the authors of the research, suggested it may be time for other protocols to include the same additional protection.
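
The countermeasure described above, checking a signature for faults before it is sent, sketched as an added example (not code from the researchers or from OpenSSH). It assumes a constructed toy RSA key built from two small Mersenne primes, a CRT-based signer with a simulated one-bit error, and plain hash-then-sign without the padding real SSH signatures use.

```python
import hashlib

# Constructed toy key (two Mersenne primes); far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest_int(msg: bytes) -> int:
    """Hash the message to an integer below N (no padding: simplification)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_crt(m: int, fault: bool = False) -> int:
    """RSA signature via CRT halves; `fault` simulates a one-bit hardware error."""
    sp = pow(m, D % (P - 1), P)
    sq = pow(m, D % (Q - 1), Q)
    if fault:
        sq ^= 1  # assumption: the error hits only the mod-Q half
    h = (pow(Q, -1, P) * (sp - sq)) % P  # Garner recombination
    return sq + Q * h


def verifies(m: int, sig: int) -> bool:
    """Public-key check: sig^E mod N must equal the signed value."""
    return pow(sig, E, N) == m


def sign_checked(msg: bytes, fault: bool = False):
    """Return (signature, fault_detected); never return an unverified signature."""
    m = digest_int(msg)
    sig = sign_crt(m, fault)
    if verifies(m, sig):
        return sig, False
    # Fault detected: discard the bad value and recompute without CRT.
    sig = pow(m, D, N)
    if not verifies(m, sig):
        raise RuntimeError("signing failed twice; refusing to send a signature")
    return sig, True


if __name__ == "__main__":
    msg = b"constructed handshake transcript"
    print(sign_checked(msg))              # clean run
    print(sign_checked(msg, fault=True))  # fault caught before release
```

The extra public-key operation is cheap next to the private-key operation, so the check adds little to the cost of each handshake.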

5 WAYS TO PREPARE FOR THE ONLINE PRIVACY CRACKDOWN

The internet is about to change. In many countries, there’s currently a coordinated legislative push to effectively outlaw encryption of user uploaded content under the guise of protecting children. This means websites or internet services (messaging apps, email, etc.) could be held criminally or civilly liable if someone used it to upload abusive material. If these bills become law, people like myself who help supply private communication services could be penalized or put into prison for simply protecting the privacy of our users. In fact, anyone who runs a website with user-uploaded content could be punished the same way. In today’s article, I’ll show you why these bills not only fail at protecting children, but also put the internet as we know it in jeopardy, as well as why we should question the organizations behind the push.

Let’s quickly recap some of the legislation.

The EU Could Push its Private Message Ban as Early as Next Week

The EU is getting ever closer to pushing through the legislation known among critics as “chat control” – officially, Child Sexual Abuse Regulation, CSAR – and is hoping to reach a deal on this within the bloc as early as next week.

One of those who have been consistently opposed to the controversial upcoming rules, a German member of European Parliament (MEP) and lawyer Patrick Breyer, has reacted by warning once again that regardless of some minor changes if passed, the bill would effectively spell the end of proper encryption and private messaging in the EU.

Instead, the implication is that CSAR would usher in the era of indiscriminate mass surveillance in this part of the digital space.

Warning that a recent “minor concession” the EU member-states have managed to agree on was a bid to finally come up with a majority and push the plans over the top, Breyer, referring to the proposal as “chat control 2.0,” calls it an “unprecedented” (at least for the EU) example of mass surveillance.

The summary of the regulation is that online services that provide messaging and chat would, going forward, have to implement automatic scanning of all private text and images – looking for potential abusive content, and then let the EU know about it.

There is no shortage of controversy and misgivings here, with two clearly standing out: once in place, what can this infrastructure be used for next (if politicians decide) – and the other, how are online platforms even supposed to make it work accurately and fairly, technically speaking?

Now, we are hearing that the EU Council is looking to “soften the blow,” at least rhetorically, but saying that the scanning would at first only apply to “previously classified CSAM (child sexual abuse material)” – but then later still expand it to everything.

9 Mysterious Undeciphered Codes and Inscriptions in History

From Neolithic tablets containing the oldest known system of writing, to a series of letters scrawled on the back of a dead man’s book, some of the most legendary undeciphered codes and texts remain a challenge for even the world’s best cryptographers, code breakers and linguists. Yet unravelling these mysterious puzzles remains as important as ever, since many of these enigmatic inscriptions could hold the keys to understanding civilizations that have long since faded into historic oblivion. Here we feature nine of the most fascinating undeciphered codes and inscriptions throughout history.

Police Seek a Radio Silence That Would Mute Critics in the Press

As a freelance journalist many years ago, I was walking the streets of Brooklyn, looking for a juicy story, anything that I could get into print. I was coming up empty. So I did what anyone would do in that situation. I had lunch.

Halfway through my Jamaican jerk chicken, I heard several gunshots, and in a flash, a man ran by the restaurant. I threw my money on the table and headed to the scene. When I got there a bystander pointed me toward the spent shells. I looked around and talked to witnesses. As one young man pontificated to me about poverty and unemployment leading to crime, I noticed that the cops weren’t there yet. But a photographer from the Daily News was.

That was because, like any good crime reporter, he was listening to police radio and responding to 911 calls, hoping to catch fresh crime footage, fires and other colorful photos that editors love. He’s not alone. Journalists around the country do this, as does anyone who is simply interested in cops, firefighters and other emergency services. Police scanners aren’t cheap, but they are readily available at many electronics retailers.

The UK passes massive online safety bill

The UK’s Online Safety Bill is ready to become law. The bill, which aims to make the UK “the safest place in the world to be online,” passed through the Houses of Parliament on Tuesday and imposes strict requirements on large social platforms to remove illegal content. It will be enforced by UK telecom regulatory agency Ofcom.

Additionally, the Online Safety Bill mandates new age-checking measures to prevent underage children from seeing harmful content. It also pushes large social media platforms to become more transparent about the dangers they pose to children, while also giving parents and kids the ability to report issues online. Potential penalties are also harsh: up to 10 percent of a company’s global annual revenue. The bill has been reworked several times in a multiyear journey through Parliament.

But not only does online age verification raise serious privacy concerns — the bill could also put encrypted messaging services, like WhatsApp, at risk. Under the terms of the bill, encrypted messaging apps would be obligated to check users’ messages for child sexual abuse material.

Depending on how the rule is enforced, this could essentially break apps’ end-to-end encryption promise, which prevents third parties — including the app itself — from viewing users’ messages. In March, WhatsApp refused to comply with the bill and threatened to leave the UK rather than change its encryption policies. It joined Signal and other encrypted messaging services in protesting the bill, leading UK regulators to attempt to assuage their concerns by promising to only require “technically feasible” measures.

U.K. Government Finally Admits It Can’t Scan for Child Porn Without Violating Everybody’s Privacy

The U.K. government finally acknowledges that a component of the Online Safety Bill that would force tech companies to scan data and messages for child porn images can’t be implemented without violating the privacy rights of all internet users and undermining the data encryption tools that keep our information safe.

And so the government is backing down—for now—on what’s been called the “spy clause.” Using the justification of fighting the spread of child sexual abuse material (CSAM), part of the Online Safety Bill would have required online platforms to create “backdoors” that the British government could use to scan messages between social media users. The law also would’ve allowed the government to punish platforms or sites that implement end-to-end encryption and prevent the government from accessing messages and data.

While British officials have insisted that this intrusive surveillance power would be used only to track down CSAM, tech and privacy experts have warned repeatedly that there’s no way to implement a surveillance system that could be used only for this particular purpose. Encryption backdoors allow criminals and oppressive governments to snoop on people for dangerous and predatory purposes. Firms like Signal and WhatsApp threatened to pull their services from the U.K. entirely if this bill component moved forward.

Researchers find deliberate backdoor in police radio encryption algorithm

For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. But now it’s finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on its viscera and found serious flaws, including a deliberate backdoor.

The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It’s used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows, or reroute trains.

Researchers found a second vulnerability in a different part of the same radio technology that is used in more specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services, such as the C2000 communication system used by Dutch police, fire brigades, ambulance services, and Ministry of Defense for mission-critical voice and data communications. The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times.

Three Dutch security analysts discovered the vulnerabilities—five in total—in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.

The technology is not widely used in the US, where other radio standards are more commonly deployed. But Caleb Mathis, a consultant with Ampere Industrial Security, conducted open source research for WIRED and uncovered contracts, press releases, and other documentation showing TETRA-based radios are used in at least two dozen critical infrastructures in the US. Because TETRA is embedded in radios supplied through resellers and system integrators like PowerTrunk, it’s difficult to identify who might be using them and for what. But Mathis helped WIRED identify several electric utilities, a state border control agency, an oil refinery, chemical plants, a major mass transit system on the East Coast, three international airports that use them for communications among security and ground crew personnel, and a US Army training base.

Carlo Meijer, Wouter Bokslag, and Jos Wetzels of Midnight Blue in the Netherlands discovered the TETRA vulnerabilities—which they’re calling TETRA:Burst—in 2021 but agreed not to disclose them publicly until radio manufacturers could create patches and mitigations. Not all of the issues can be fixed with a patch, however, and it’s not clear which manufacturers have prepared them for customers. Motorola—one of the largest radio vendors—didn’t respond to repeated inquiries from WIRED.
