Tuesday, 17 January 2017

Supreme Court issue notice to WhatsApp and Facebook over privacy policy

The Supreme Court of India has issued notices to central government,  Telecom Regulatory Authority of India (TRAI), WhatsApp, and Facebook over a plea seeking privacy on data.

The petition was filed by two law students against the  WhatsApp's proposal to start sharing some of the user data with the parent company, Facebook.

The Delhi High Court had earlier denied the petition and refused to interfere with matter. However, the Apex court has directed the companies to reply to the notices within two weeks.

"What is disturbing here is you want to continue using this private service and at the same time want to protect your privacy... You can choose not avail of it [WhatsApp], you walk out of it,” Chief Justice of India J.S. Khehar said.

According to the petitioner, there are 157 million users on WhatsApp and Facebook.

It's not that Facebook and WhatsApp are facing privacy issue in India only, the even European Union has raised questions about Facebook's privacy policy.

Last month the European Union  Commissioner, Margrethe Vestager,   had said that "Facebook was misleading it about WhatsApp.Companies are obliged to give the Commission accurate information during merger investigations... In this specific case, the Commission's preliminary view is that Facebook gave us incorrect or misleading information during the investigation into its acquisition of WhatsApp. Facebook now has the opportunity to respond."

WhatsApp’s encrypted messages can be vulnerable to MITM attacks


This week, an article by Guardian reported that Whatsapp’s encrypted messages are vulnerable to hacks. The encryption keys in social messenger leave users wide open to man-in-the-middle attacks, enabling third-parties to tap their communications.

Last spring, Whatsapp announced that every message on its service is delivered with end-to-end encryption which means not even Whatsapp can tell what's inside.

In the MITM attack, if an attacker gains access to a WhatsApp server, he could forcibly reset the keys used to encrypt messages and install himself as a relay point, intercepting any future messages sent between the parties. The recipient of the message would not be alerted to the change in keys, and the sender will only be alerted if they’ve opted into the app’s “Show security notifications” setting.

The underlying weakness has to do with alerts rather than cryptography. Although they share the same underlying encryption, the Signal app by Open Whisper Systems isn’t vulnerable to the same attack. If the Signal client detects a new key, it will block the message rather than risk sending it insecurely.

WhatsApp will send that message anyway. Since the key alert isn’t on by default, most users would have no idea.

Based on its Signal Protocol (also used for encrypted messaging in Google's Allo), each client is identified by a public key that's shared with other people, and a private key on the device. Because people change phones or uninstall and reinstall apps, the pair of keys can change. Users can ensure their communication is secure by checking the security code displayed on each end, if it matches, then they can be sure their messages aren't subject to MITM attack by a third party.

The attack cannot be exploited by many criminals because it requires server access but still an unusually skilled attacker or a court order could compel WhatsApp to break its own security.

The messenger was quick to push back against the allegation saying that “WhatsApp does not give governments a ‘backdoor’ into its systems and would fight any government request to create a backdoor.” WhatsApp team and people who helped design the implementation defended the flaw saying that the design decision isn’t putting users at risk.

The bug reported in the article had long been known to security professionals, and there’s no evidence WhatsApp ever tried to conceal it. The persistence of the weakness shows how hard it is to balance security with the demands of everyday users.

The flaw has been described as a "security back door" by The Guardian and privacy campaigners but more sober voices have described it as a minor bug and criticised the media outlet for going over the top. A number of security professionals have chimed in to agree, including Frederic Jacobs, who helped design the protocol being used.

The vulnerabilities in key handling were first discovered by German computer scientist Tobias Boelter in April 2016. In his blog, Boelter blamed the bug on the use of closed-source software, rather than a deliberately inserted back door.

The Guardian raised the urgency of this flaw by pointing to the UK’s recently passed Investigatory Powers Bill, which gives that government significant new legal powers for aggressive data collection. But it would be very hard to use this vulnerability for mass surveillance. A successful attack would allow WhatsApp servers to break a given conversation’s encryption, but to provide data en masse to the government, the servers would have to perform that attack continuously on every conversation in the UK, sending out a cascade of pings to anyone with security notifications enabled.

If WhatsApp were to leverage this bug to fulfil lawful access demands, the company would have to implement the attack continually on every user in the country, which would be extremely noisy and extremely visible. The end result wouldn’t be much different from shipping an update and announcing that the service is no longer encrypted.

For users, the most responsible thing to do seems to be to turn on notifications and check your security codes regularly.

Italian siblings arrested for cyberattack

Italian police have arrested a nuclear engineer, Giulio Occhionero, 45 and his sister, Francesca Maria Occhionero, 49 for hacking into 18,000 high-profile email accounts, including the former Prime Minister.
Authorities suspect that the siblings may have ties to the Freemasons, because the malware used in the hack was called “Eye Pyramid,” believed to be a reference to the all-seeing eye of God, or Eye of Providence, a symbol typically associated with Freemasonry. The name of the software may also have been a play on his own surname – Occhionero means “black eye” in Italian.
The widespread cyber-attack compromised communications of prominent Italian institutions and individuals, including Vatican’s two former Prime Ministers, Vatican cardinals, bank executives and other high profile targets, which prosecutors claim was used to conduct insider trading. Mario Draghi, the president of the European Central Bank was also among the targeted individuals. Former Prime Minister, Matteo Renzi was also one who resigned in December last year after losing a constitutional reform referendum.
The attackers, who have dual residencies in London and Rome, are accused of spearphishing attacks using malware to gain access to victims' email accounts and illegally accessing classified information and breaching and intercepting information technology systems and data communications since 2012. The siblings were most recently living in Italy.
Vatican officials have not yet commented on the attack and it is yet unknown to what extent sensitive Vatican information may have been compromised.
There are indications the malware campaign may have been running from as early as 2008. In total, just under 1800 passwords were allegedly captured by the Occhionero siblings, who exfiltrated around 87 gigabytes of data to servers in the United States.
Mr Occhionero who had strong links to the Masonic movement allegedly developed software that infected email accounts, enabling him to access the information. Several of the compromised accounts belonged to Mason members.
Whether or not there are ties to the Masons, cyber security experts believe it is highly unlikely that the sibling pair acted alone.
The illegally accessed information was stored on servers in the United States, leading to an ongoing investigation with the assistance of the FBI’s cyberdivision. The stolen data has been seized by Italian police and the FBI.

Italian police believe the siblings used the stolen confidential information to make investments through a firm operated by Mr Occhionero, a nuclear engineer by profession.