The Next Crypto Wars

AusCERT 2016 Opening Keynote

Christopher Soghoian works for the team within the ACLU that sues the FBI and other agencies over their use of surveillance. His Twitter profile simply says “I fight surveillance”.

Christopher Soghoian speaking at AusCERT2016

“For 100 years our telephone systems were designed with surveillance in mind,” he says. Carriers and governments have always worked together to ensure surveillance was baked into communications services.

Soghoian says part of the reason was that telephone carriers came from government entities. And as infrastructure has changed, from copper to fibre, governments have injected themselves into those projects to ensure they “could get what they wanted when they needed it”.

Turning his attention to the Apple vs FBI case, Soghoian says the fight had been building for a while. While the focus of encryption had usually been on data at rest, this case shifted the fight to data in flight. For example, iMessage moved communications from open to encrypted in 2011 - without any extra effort on the part of users.

Compare this to encrypted email - something Soghoian advocates - which is too hard for most people to use: suddenly users could send encrypted messages that the “carrier” - Apple in this case - had no access to.

This was the pivot point where governments suddenly lost access to communications.

“Apple doesn’t want to be in the surveillance business,” says Soghoian.


In contrast, Google’s new messaging system, Allo, does not encrypt messages as Google is looking for opportunities to monetise the service by integrating it with online concierge services.

Unsurprisingly, Soghoian turned his attention to the exploits of Edward Snowden.

“That disclosure kickstarted an international conversation,” says Soghoian. The result was a new point of differentiation in the security market where end-to-end encryption became a selling point. For example, a recent update to WhatsApp enabled end-to-end encryption for all users without any extra action needing to be taken - “they simply flicked a switch”.

The irony, says Soghoian, is that the encryption used by WhatsApp was developed using US taxpayer dollars. He quoted presidential candidate Senator Hillary Clinton who said, in 2011, that encryption was useful as it protects users from censors, hackers and thugs who imprison people who dissent.

But now, we are seeing politicians saying “unpleasant things” about tech companies and pushing back against user access to encryption. The terrorist attacks in Paris in late 2015 accelerated the legislative fight against widespread encryption, although this hasn’t yet come to pass.

Many of the proposed government rules would allow end-to-end encryption to remain in place, provided tech companies retain a copy of the encryption key - what is called “key escrow”.

Soghoian says the trouble is that if there’s a second encryption key, there will be someone who wants to steal it. This was what happened when Gemalto was attacked: a vast number of the SIM cards it manufactured were compromised when their keys were stolen by the UK’s Government Communications Headquarters.

GCHQ carried out the attack by targeting system administrators at Gemalto - a group of users that many government agencies consider to be “fair game”, according to Soghoian.

Similarly, when RSA was hacked by Chinese parties, it was encryption keys held by RSA that were targeted.

“This shows we cannot trust key escrow,” says Soghoian.


Centralised surveillance systems, says Soghoian, are significant targets. For example, the Chinese government allegedly attacked Google to access communications records that would identify potential intelligence operatives working for the United States.

Soghoian’s key message is that we need more encryption and not less.

Part of the challenge, says Soghoian, is that companies that use encryption, such as Apple and WhatsApp, don’t make it obvious that their services are encrypted. As a result, people are still using unsecured channels for business communications and encrypted services for less critical, personal communications.

For example, cell phone communications can be easily intercepted as they are either unencrypted or encrypted with weak ciphers. More worrying is that the equipment required to do this is available online or can be easily made for less than $200.

“We can no longer trust these channels.”

Encryption doesn’t stop government surveillance, but it does stop bulk surveillance, says Soghoian. It’s possible for governments to hack into specific devices, but they simply lack the resources to hack every device. That means they need to target their surveillance, rather than surveil everyone.

Stories by Anthony Caruana