Wednesday, April 26, 2017

Heffalumps in the wild

Every once in a while even a jaded old man like me comes up against something on the internet that takes my breath away. I would like to thank @TomWellborn, @MelJBry and @LouiseMensch for bringing this to my attention, and then for all the help in making sense of it.

From the moment I saw it, my weird radar lit up, and after some poking around I flagged it, because I realized I was completely out of my depth. Hopefully the powers that be will be able to think more carefully about it and reach some kind of decision on it.

@MelJBry suggested the name "Heffalump" to capture what we had just seen. It made sense to me: Heffalumps may not be real, but they look pretty frightening.

I want to lay out some of the background before I get into the weeds with what appears to be going on.

Most electronic communications (email, text, phone) pass through clouds and ISPs. The data shuttled between these servers can be penetrated, and patterns in that data can be analyzed. This gets a lot easier if you are someone like the NSA/CSS or the FBI: you can basically compel an ISP or cloud services company to give you the access you need. At the risk of sounding heretical, right now that kind of access is playing a major role in securing our country. Without that access we would be at risk.

A lot of people who don't like the NSA/CSS looking into their communications are promoting the use of E2EE (End-to-End Encryption) software. @rcallimachi has told us how, for example, IS uses a variety of E2EE texting apps to communicate with its people. The most common E2EE scheme is PGP. As with all encryption schemes, a key has to be exchanged between receiver and sender. Once the key is shared, the data is encrypted and sent over public servers from the sender to the recipient. If the key exchange can be penetrated (via, for example, an "impersonation attack"), then the security is breached. Alternatively, whoever generates your key can share the key with someone else (like MS did with the CSS) and access all your data.

To defeat this kind of thing one can add other layers of security around the key exchange (authentication, encryption or obfuscation, a digital drop, etc.), but for most companies this proves too expensive to indulge in. Most companies have hundreds of GB of data (high velocity) coming in on an hourly basis. This is too much to bother encrypting multiple times. Whoever indulges in these added levels of encryption must really want to keep stuff secret. That is a small niche market, but one that, as you might imagine, is quite lucrative.

So what is going on here?

We seem to be seeing two things primarily:

1) A set of companies appear to be offering multilayer encryption that encrypts your data with a PGP key before you send it to a commercial cloud (like MS or AMZN, etc.). This way, even if there is an MITM attack or a backdoor at the cloud service provider and your second PGP key exchange is compromised, the attacker will only see encrypted data. There is also a suggestion to use something called "Tunnel Bear" to access data from certain encrypted clouds.

2) A peculiar version of a digital drop involving separate send and receive channels on Twitter is demonstrated. I am guessing here, but what appears to be happening is that the sender is using the receiver's public key to encrypt a PGP key. The encrypted PGP key is sent on one Twitter channel, and the receipt confirmation occurs on a different (as yet unknown) Twitter channel. The only things the sender and receiver need to share are the names of the TX/RX Twitter accounts and a public key. This is innocuous information that can be sent over open channels with almost zero overhead.
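To make the drop in point 2 concrete, here is a small Go sketch of the idea; it is an added illustration, not code from the post or from any of the companies it mentions. RSA-OAEP and AES-256-GCM stand in for PGP, and the fingerprint check is the defence against the "impersonation attack" on the key exchange described earlier: the sender refuses to wrap a session key to a public key whose fingerprint does not match the one agreed over a trusted path. The OAEP label, key sizes and the nonce-prefixed blob layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
)

// Fingerprint is the short value both parties compare over a trusted path;
// skipping that comparison is what an impersonation attack relies on.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for *rsa.PublicKey
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

func gcmFor(key []byte) cipher.AEAD { // 32-byte key: neither call can fail
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal is the sender's side: it returns the session key wrapped to the recipient
// (what gets posted on the TX Twitter channel) and nonce||AES-GCM ciphertext (what
// goes up to the cloud), refusing to proceed if the recipient key has the wrong fingerprint.
func Seal(recipient *rsa.PublicKey, expectedFP string, plaintext []byte) (wrappedKey, blob []byte, err error) {
	if Fingerprint(recipient) != expectedFP {
		return nil, nil, errors.New("recipient key fingerprint mismatch: possible impersonation")
	}
	buf := make([]byte, 32+12) // fresh 32-byte AES key followed by a 12-byte GCM nonce
	rand.Read(buf)             // crypto/rand.Read never returns an error
	key, nonce := buf[:32], buf[32:]
	if wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, []byte("drop")); err != nil {
		return nil, nil, err
	}
	return wrappedKey, gcmFor(key).Seal(nonce, nonce, plaintext, nil), nil
}

// Open is the receiver's side; a blob altered in the cloud fails GCM authentication.
func Open(priv *rsa.PrivateKey, wrappedKey, blob []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrappedKey, []byte("drop"))
	if err != nil || len(blob) < 12 {
		return nil, errors.New("cannot unwrap session key, or blob is truncated")
	}
	return gcmFor(key).Open(nil, blob[:12], blob[12:], nil)
}
```

Only the wrapped key and the recipient's fingerprint ever travel over the open channel, which is why the Twitter accounts and a public key are all the two parties need to agree on in advance.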

I don't know if this is just some demonstration for marketing purposes by one of the companies providing the PGP service (a "Hello World" experiment, as @TomWellborn calls it), but it is very interesting.

And whoever wants this probably has very deep pockets and dark secrets.

@LouiseMensch seems to think it is the usual suspects.

I have an open mind, but the Heffalumps are certainly curious creatures to be wandering free on the internet like this.
