of roughly 5,000 Americans and their digital knowledge. Results prove surprising, insightful and cautionary. It may no longer be enough to have the brains in the back room, running the technological cogs with an invisible hand – as more individual data security rests on a basic digital vocabulary, technology opt-out may no longer be an option. And, in a world where end-to-end encryption is teetering on the edge of ubiquity, will there be anyone to make the rules?
How the Royal Canadian Mounted Police are facing unregulated but defining choices about who gets to be on the inside of the encrypted loop, and why 27 hacked PDF viewers might speak to encryption updates. Implications of a burgeoning crypto-landscape and the decisions it creates, in this week’s Encryption Digest.
Do you know what cookies do? Does “https” mean the site is legitimate or that it’s encrypted? What’s a form of two-factor authentication? Wait. Please keep reading. If you can answer these digital softballs, you may be in the top two percent of survey participants.
It may [or may not] surprise you to discover the paucity of digital know-how among a sampling of Americans questioned by the Pew Research Center. The recent 10 question survey did a pulse check on domestic digital savvy, and this is what it found.
Not surprisingly, the awareness gap runs along educational lines and the age divide. A bachelor’s degree lifts your average from 4 to 6 questions correct and younger participants characteristically outperform older peers.
Bringing It Home
The concerning areas are the more obvious ones. How much of the knowledge gap in older participants is true across the wider generation—a generation that disproportionately makes up our elected officials and policy makers? How will this knowledge gap translate at the polls or in legislatures when privacy rights are pitted against backdoors? How will it affect international business law, or bitcoin, or data security? The Pew Research Center just cast light on what we already know. As the digital landscape progresses, decisions of safety, governance and economic stability will lie in our ability to understand the terms and the speak language; and at this point, so many of us do not.
Sometimes, there are more questions than answers. Why were 20 million Russian records stored by an owner in the Ukraine? Why were most of the PII records from Moscow? Why was the AWS Elasticsearch cluster unencrypted? Who was storing data on those servers, and what organization is behind such a careless handling of sensitive user data? We don’t have those answers, but we have these:
An Amazon Web Services Elasticsearch cluster was indexed by search engines back in May 2018. It contained, unencrypted, Personally Identifiable Information [PII] and tax records dating back to 2009. Security researcher Bob Diachenko found the server last month and searched for the trailhead. “Names, addresses, residency status, passport numbers, phone numbers, tax IDs, employer names and telephone numbers, and tax values were exposed.”
What’s the Damage?
Hard to tell. "We cannot determine whether anyone else accessed the data while it was exposed," report researchers. The data was secured on September 20, and “the owner did make sure the database can no longer be accessed by the public.” However, the owner also did not provide any answers as to ultimate accountability for the records.
Who is Responsible?
"We could only determine that the owner is in Ukraine and know little more about the party responsible” continue researchers.
Has This Happened Before?
Yes, when vpnMentor researchers Ran Locan and Noam Rotem discovered another vulnerable Elasticsearch flaunting the data of Ecuadorian citizens – also this year.
Will This Happen Again?
Assuming the oversight wasn’t purposeful, the best answer we can give is – unless human error is eradicated or PII-storing encryption becomes non-optional – it's a definite maybe.
Who wants to get into your PDFs? We don’t know. But with the right amount of encryption elbow grease, they can.
Six German researchers were able to crack the contents of 23 out of 27 PDF viewers in one strain of attack, the full 27 in another—just by exploiting the protocols. The researchers report that apparently, “[t]he issues...are found in the standard itself.” Because PDFs contain both encrypted and unencrypted content, “an attacker could modify an encrypted document to add unencrypted malicious elements.”
One method of attack, known as PDFex, is dependent upon decryption by an authorized party, upon which a form containing encrypted contents would be submitted to the attacker by means of a predefined PDF Action.
“A second variant on the attack makes use of the fact that PDF standard encryption uses the Cipher Block Chaining (CBC) encryption mode with no integrity checks, allowing the ciphertext to be modified using CBC malleability gadgets.”
It’s the genie in the bottle. Secure cryptography will do our bidding, and at this point no one has set the rules.
The Royal Canadian Mounted Police made an agreement with First Nations to communicate (better) over encrypted chat. For privacy reasons however, not everyone is included. And when those excluded include the local fire department and law enforcement, the security allure may become a hazard.
This is a classic example of snags we might encounter when weighing privacy against safety. Because of “privacy policies in relation to information on the Canadian Police Information Centre,” the police in the area have not had reliable intel from the RCMP and have instead had to rely on [a local crime watch] for vital information about shootings, car theft and criminals at large. “Right now, we get more information from our rural crime watch fan-outs than we do from the RCMP,” said Mark Sproule, Lacombe County’s manager of community peace officer services. “To me, that’s terrible.”
Ultimately, the crux of this story doesn’t rest on the fundamentals, or even the logistics of encryption. It rests, like the debate at large, on who should be included in that loop and who gets to make the decisions. At this point, end-to-end encryption is still relatively a free for all, dictated by the private entities that use it, with a first-come-first-served business model. There is no formal oversight for its use. It is unregulated. It is wild.
As we’ve seen with the recent bilateral agreement between the US and UK, nation states have tried to put a lasso on this beast of a tool, and they might just succeed. Set to go live in six months, the agreement would mandate data sharing of encrypted social media chats for the benefit of international criminal investigations. What does this say? It sends a message that nothing is above the law – even fancy, mystifying technology that has, until now, evaded all forms of formal regulation.
What should be confidential under the jurisdiction of privacy law and what encrypted information should be made available for the public good? And who defines that? When do standalone decisions regarding what gets encrypted and what doesn’t fall under a higher authority, and when do private entities get to dictate its use? We don’t know. And it seems at this point, neither does anyone else.
DoH Debate: Who sets the rules for encryption on the internet? Find out more about the DoH debate and Mozilla’s decision to encrypt traffic through Firefox as we Ask Ash.