
Does Sinaloan Cartel Bring Out the Worst in Encryption? [Encryption Digest 13]

September 26, 2019 | Katrina Dobieski


It’s safe to say that no security expert wants to create a haven for online opium trading or make texting apps safe for organized crime. It’s also safe to say that no legislator wants to open a Pandora’s box that will siphon out all available credit card numbers. However, the issue thickens with WhatsApp being secured on specialty phones encrypted for the Sinaloan cartel. Data-defenders and privacy activists have been holding a staunch line against encryption backdoors, but recent government rumblings indicate the line might be giving way. The complicated tangle that is the ensuing debate for privacy, protection and the pursuit of encryption, in this week’s Digest.

 

 

 

 

How Long Can End-to-End Encryption Hold Out?


For those needing an end-to-end binge reel of the Going Dark encryption debate, Stewart Baker of Lawfare did an excellent job of chronicling the schism. We’ve summarized his points here, and it appears the conclusion may be in plaintext:
 

  • France and Germany call for regulations in 2016 that would stretch across the EU and require mandated decryption at the behest of law enforcement
  • France implements anti-terrorism legislation, requiring “technical assistance” from messaging companies and fines for failure to comply
  • France’s Emmanuel Macron campaigned on transparency with internet companies, declaring them “complicit” to terrorist acts if they refused to decrypt
  • Responding to a European Council questionnaire, Hungary, Croatia, Latvia and Italy all lent their support to “lawful access mandates” throughout Europe
  • Poland gives an ultimatum: install a backdoor or weaken your encryption. Some argue that there may not be a difference.
  • In 2018, the European Electronic Communications Code will require companies to “enabl[e] legal interception by competent national authorities.” Nations in Europe have until 2020 to get on board.
  • The Five Eyes Alliance (Australia, Canada, New Zealand, UK, US) issued a memo calling for “customized solutions” that would allow encryption backdoor access by law enforcement
  • Just this year, Ralph Goodale, Canadian Public Safety Minister, called for a policy to “ensure privacy” while not allowing safe harbor for nefarious exploits like child trafficking. Open-endedly, this implies softened encryption or government-accessible backdoors.

 

It’s hard to become very good at one thing.

That’s why we have the term “career politician” - because to get elected, it often takes a career. That’s one less career that can be spent understanding the intricacies of cybersecurity. And that’s one more generalist that unfortunately is being asked to make the decisions of a specialist.
 

Bruce Schneier encourages the existence of a national cybersecurity regulating body that can inform these decisions and provide expert counsel in a world where rapid tech is par for the course. Times are changing. Policy needs to change too. The problem is, do policy makers know how?  Survey says when it comes to encryption: they may not.
 


 

 

Sinaloan Drug Cartel Abuses Encryption


Richmond, Canada resident Vincent Ramos was a successful CEO by all measures. He ran the cyber firm Phantom Secure, which specialized in specialty encrypted devices for a niche clientele. The only problem was his niche. He allegedly catered to a Sinaloan organized crime gang that created a WhatsApp chat on his encrypted phones to organize the murders of hundreds of Mexican law enforcement agents.
 

However, one thing Phantom Secure’s CEO can’t be blamed for is allowing investigators an encrypted backdoor into their secure phone network, because he never did. "He was given the opportunity to do significantly less time if he identified users or built in/gave backdoor access," said a source close to Ramos. According to another source, "He never gave law enforcement a backdoor into Phantom Secure. He did not do that."
 

 

"He respected the privacy of clients whoever it was."
 

Encryption backdoors widen the game of cat and mouse. The problem is, in this scenario the mouse is just as big and formidable as the cat. Opening encryption backdoors would allow more good guys to catch bad guys. It would also allow more bad guys to catch good guys.
 

It widens the arena and grows the game. The question is—do we want to play?
 

With all the cards being stacked in favor of government access, it may be too late to ask.
 


 

 

Hide Your Kids, Hide Your Kids’ Daycare Payments


“Your connection is not private.”
 

If you were looking to save a dime with Her Majesty's Revenue and Customs tax care portal, last Sunday would not have been the day. Parents log on to take advantage of the credit that allows you to pay some of your childcare bill before tax. However, on that day the UK tax authority let a TLS certificate lapse, rendering their payment portal unarmed and dangerous.
 


 

 

 

Even without a decent certificate management platform, an enterprise should still be able to renew a certificate fairly quickly. Right?
 

I asked Venafi’s Mark Miller, Sr. Director of Support, how long this type of TLS certificate renewal should take in a usual scenario. Here is a Slack transcript, minus the GIFs:


Me: How long should this have taken?

MarkM: with [Venafi] TPP, seconds

Me: Cool. How about without?

MarkM: problem is though that you only do this manually every 1-2 years

by the time renewal comes around, you may have different staff and finding all of the right addresses, credentials, and info needed can really extend this to a day or more of work
 

That might have been what happened at HMRC: well into the next workday, they were still working on a fix. The TLS certificate has now been updated, and hopefully, once awareness of automated certificate management tools becomes ubiquitous, scares like this certificate outage will be as ancient as HTTP.


 




 

Certificate Errors Continue to Plague Even the Best of Us [TalkTalk]

TalkTalk, quadruple play provider of telecom and broadband services in the UK, was temporarily offline last week. Why? Their certificate had been revoked. Why? Wrong address.
 

In his Twitter feed, Scott Helme chronicles his minute-by-minute unearthing of the paper trail leading to what appears to be an 11-hour mishap.
 

Apparently, the address (yes, just the physical locale) of the British ISP was originally mistyped with Companies House, the UK’s business registration authority. Two days later the address was amended. The CA issued the offending EV certificate 6 months later (a separate issue) and unfortunately did so with the wrong address. Consequently, the certificate had been null since its origination and managed to stay sequestered until just 2 weeks before it was set to expire.
 

In this case, the problem was uncanny. You could even blame the CA. But with certificate-related outages leading to breaches averaging $3.4 billion apiece, no major entity can afford to take chances.
 

 


 

 


 

 

 

 

 

About the author

Katrina Dobieski

Katrina writes for Venafi's blog and helps optimize Venafi's online presence to advance awareness of Machine Identity Protection.
