E2E Encryption Could Make WhatsApp a Spam Magnet

Facebook’s WhatsApp last week announced it would roll out end-to-end encryption for its users to better protect their privacy, but the move could make the service more attractive to spammers, too.

While encryption can safeguard information from data thieves, it also can block data protectors from detecting malicious activity on their networks.

“WhatsApp’s encryption policy is a win for privacy advocates, but it will not stop the growth of spam on the platform and could make the problem worse,” said Simeon Coney, chief strategy officer for AdaptiveMobile.

“WhatsApp has always had limited spam control in place,” he told TechNewsWorld, “and encryption will make detecting spam and malicious links with malware that much more difficult.”

Spam Magnet

Over the last three to four years, mobile carriers have made it harder for spammers to deliver their junk messages, Coney noted. That’s prodded them to look for greener pastures.

“We’ve seen spammers move from services like SMS, MMS and RCS to services like WhatsApp,” he said.

Not only does it cost spammers less to spew their rubbish on WhatsApp, but it’s easier to find targets there.

“WhatsApp is a very friendly service to spammers because it allows them to validate phone numbers to see if they have a WhatsApp account,” Coney explained, “so they can upload large number ranges to test who has a WhatsApp account and just send bulk messages to them.”

Because end-to-end encryption prevents protection systems from seeing what’s in a spam message, they can’t guard against malicious activity like phishing, account hijacking, spam and malware.

“It’s simple economics,” Coney said. “As certain channels get closed off to these spammers, they’re finding other ways to reach their targets. They only make money if they get their messages through and they get a reasonable conversion rate.”

Making Sense of Mossack Fonseca Data

If you’re a journalist and someone drops 2.6 TB of hot data in your lap, where do you begin to make sense of it?

For the International Consortium of Investigative Journalists, the answer was Nuix.

Nuix provides services for turning large pots of data into searchable pools of information.

With its software, which the company donated to the ICIJ and the German newspaper Sddeutsche Zeitung, the investigative journalists were able to process, index and analyze the Panama Papers, 11.5 million documents taken from the Panama offices of Mossack Fonseca, an international law firm and a major player in the offshore asset industry.

Much of the data in the dump was scanned documents, which were turned into searchable information with Nuix’s optical character recognition software. Other Nuix analytical tools helped identify and cross-reference Mossack Fonseca clients throughout the document cache.

1,500 Data Types

Nuix’s search technology was developed in 2000 at the request of the Australian government. “They had a huge cache of Lotus Notes emails, and they didn’t have a way to tag them, format them and make them easily searchable,” said Keith Lowry, Nuix’s senior vice president of threat intelligence and a former chief of staff at the U.S. Department of Defense.

“Over the years, we have been able to absorb a lot more types of information,” he told TechNewsWorld. “It has grown to the point where we can natively ingest over 1,500 different file types and flatten the data and make it presentable to whomever is analyzing the data.”

Although 2.6 TB of data is immense by journalistic standards, it’s only a medium-sized data set compared to some Nuix has been enlisted to massage in its e-discovery and regulatory investigative work. “On any given day, our software is sorting through petabytes of data,” Lowry said.

Nuix gave the ICIJ and Sddeutsche Zeitung technical assistance in processing the data stolen from Mossack Fonseca, but no employees ever handled the data, the company said.

“We didn’t participate in the collection of the data,” Lowry said. “We just processed it for them.”

iPhone’s Secure Enclave

Maybe the FBI just wanted to impress legislators of the urgency for action on the Going Dark issue or maybe it just wanted to thumb its nose at Apple, but last week it began demonstrating to lawmakers how it cracked the security on the iPhone 5c of San Bernardino, California, gunman Syed Rizwan Farook.

The first legislator on the agency’s demo list was Sen. Dianne Feinstein, D-Calif., who, with colleague Richard Burr, R-N.C., is drafting legislation to compel companies like Apple to extract data from their products or provide technical assistance to government authorities to extract the data when ordered to do so by a judge.

Feinstein and Burr’s bill is a response to a recent tussle between the FBI and Apple. The FBI wanted Apple to write code that the agency could use to brute force the lock code on Farook’s phone. Apple refused to do so, saying such code could be used to undermine the security of all iPhones.

Eventually the FBI found a way to access the data on the phone, but it’s believed the method won’t work with newer model iPhones. That’s because Apple added another chip — called the “Secure Enclave” — to the latest models of its mobiles.

“What it does is lock up all the encryption keys,” said Matthew Green, a professor specializing in cryptography at Johns Hopkins University.

“Even if you can hack the phone itself — which is what the FBI did — the encryption keys will still be locked up,” he told TechNewsWorld.

Panic Room in a Phone

The secure enclave — where high security functions, including login, are handled — is a separate environment from the iPhone as a whole, noted Georgia Weidman, founder and CTO of Shevirah.

“If someone, be it a security researcher, the FBI or a malicious attacker, discovers an exploitable vulnerability that allows them to attack the latest iOS release, they will need another, likely more sophisticated exploit to take that access to the next level to also exploit the secure enclave,” she told TechNewsWorld.

“Think of it like a panic room at a celebrity’s home,” Weidman continued. “There are walls, security guards, and all other manner of industry standards of home security on the house. A very skilled burglar may bypass them, but they will have to work even harder, basically starting again, to get into the panic room.”

It was bad form for the FBI to show legislators how it compromised Farook’s iPhone while keeping Apple in the dark about it, she added.

“As security researchers, when we find security issues we practice something called ‘responsible disclosure.’ We inform the vendor of the issue we found so it can be fixed,” Weidman said.

“By refusing to share the technique they used with Apple so it can be fixed,” she continued, “the FBI is moving into the territory of black hat hackers, or hackers for evil, keeping the vulnerability open so they can use it again as it suits them in other cases as they arise.”

Breach Diary

  • April 3. The International Consortium of Investigative Journalists publishes first article in series on the Panama Papers, a trove of 11 million files stolen in a data breach of Mossack Fonseca, an international law firm headquartered in Panama and a major player in the offshore industry, which is used by some of the world’s rich to hide assets and facilitate a number of unsavory and illegal activities.
  • April 4. Ponemon Institute releases a survey that finds 37 percent of businesses do not believe their third-party vendors would notify them of a data breach; 73 percent doubted that a fourth-party vendor would alert them of such a breach.
  • April 4. Security blogger Brian Krebs reports banking sources are telling him that for the second time in less than a year, fraudsters have compromised the Trump Hotel Collection payment card system.
  • April 4. Hackers post to the Internet personal information of nearly 50 million Turkish citizens, exposing them to possible identity theft and fraud.
  • April 5. KSN-TV in Wichita, Kansas, reports tax information of 1,357 employees at Hutchinson Community College is at risk after their W-2 data was emailed to an unauthorized third party.
  • April 6. Trend Micro reports that a data breach at the Philippines Commission on Elections has exposed on the Internet personal information, including passport and fingerprint data, of 55 million voters.
  • April 6. U.S. District Court Judge R. Gary Klausner approves a multimillion-dollar settlement of a lawsuit against Sony Pictures Entertainment that will give some 437,000 people identity theft protection from the time a data breach was discovered in 2014 through 2017. An exact figure for the settlement can’t be determined yet because the deadline hasn’t passed for workers to sign up for the protection services.
  • April 6. Whiting-Turner, a Baltimore construction company, files breach notification letters with California and Vermont stating that tax information of its employees and their children is at risk because of a security incident at a vendor hired to provide tax services for the builder.
  • April 7. The National Childbirth Trust, a charity in the UK, alerts 15,085 new and expectant parents that their email addresses, usernames and passwords have been compromised by a data breach.
  • April 7. U.S. Magistrate Judge Nathanael Cousins rejects a motion by health insurer Anthem to inspect the computers of former customers in connection with a lawsuit resulting from a data breach in February that compromised the records of as many as 80 million customers.
  • April 7. Einstein Healthcare Network in Pennsylvania alerts some 3,000 patients their personal information is at risk because a database at the provider’s website inadvertently was exposed to the Internet.
  • April 7. The Hill publishes a discussion draft of a bill by U.S. Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., to force companies to provide “information or data” to the government “in an intelligible format” when served with a court order.

Upcoming Security Events

  • April 15-16. B-Sides Canberra. ANU Union Conference Centre, Canberra, Australia. Fee: AU$50.
  • April 16. B-Sides Nashville. Lipscomb University, Nashville, Tennessee. Fee: $10.
  • April 16. B-Sides Tampa. Stetson College of Law, Tampa Center, 1700 N. Tampa St., Tampa, Florida. Free.
  • April 16. B-Sides NOLA. Hilton Garden Inn, New Orleans Convention Center, 1001 S. Peters St., New Orleans. Fee: $15.
  • April 20-21. SecureWorld Philadelphia. Sheraton Valley Forge Hotel, 480 N. Guelph Road, King of Prussia, Pennsylvania. Registration: conference pass, $325; SecureWorld Plus, $725; exhibits and open sessions, $30.
  • April 20-22. CSA Summit 2016. Lichtstr. 43i, first floor, Cologne, Germany. Registration: 500 euros.
  • April 23. B-Sides ROC. B. Thomas Golisano College of Computing and Information Sciences, Rochester Institute of Technology, 20 Lomb Memorial Drive, Rochester, New York. Free with registration.
  • April 23-24. B-Sides Charm City. Baltimore Convention Center, One West Pratt St., Baltimore. Tickets: $15 to $60.
  • April 25. “Some Musings on Cyber Security by a Cyber Iconoclast.” 1:30-3 p.m. ET. University of New Haven, Tagliatela College of Engineering, Buckman Hall, Schumann Auditorium, room B120, 300 Boston Post Road, New Haven, Connecticut. Presentation by Professor Gene Spafford, Purdue University. Free with registration.
  • April 26. 3 Key Considerations for Securing Your Data in the Cloud. 1 p.m. ET. Webinar sponsored by BrightTalk. Free with registration.
  • April 28-29. B-Sides Calgary. SAIT Polytechnic (Orpheus Theater), 1301 16 Ave. NW, Calgary, Alberta. Tickets: students, CA$20; professional, CA$50; VIP, CA$150.
  • April 28. Ransomware Resurgence: Locky and Other “New Cryptolockers.” 2 p.m. ET. Webinar by Cyphort. Free with registration.
  • April 28-29. B-Sides Calgary. SAIT Polytechnic (Orpheus Theater), 1301 16 Avenue NW,Calgary, Alberta, Canada. Tickets: students, CA$20; professional, CA$50; VIP, CA$150.
  • May 3. Dallas Cyber Security Summit. Omni Dallas Hotel, 555 S. Lamar, Dallas. Registration: $250.
  • May 4. SecureWorld Kansas City. Overland Park Convention Center, 6000 College Blvd., Overland Park, Kansas. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 7. B-Sides Chicago. Concord Music Hall, 2047 N. Milwaukee Ave., Chicago. Free.
  • May 11. SecureWorld Houston. Norris Conference Centre, 816 Town and Country Blvd., Houston. Registration: conference pass, $195; SecureWorld Plus, $625; exhibits and open sessions, $30.
  • May 18-19. DCOI|INSS USA-Israel Cyber Security Summit. The Marvin Center, 800 21st St. NW, Washington, D.C. Hosted by George Washington University. Free.
  • May 20-21. B-Sides Boston. Microsoft NERD, 1 Memorial Drive, Cambridge, Massachusetts. Tickets: $20.
  • June 1-2. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), Atlanta. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 9. SecureWorld Portland. Oregon Convention Center. Registration: conference pass, $325; SecureWorld plus $725; exhibits and open sessions, $30.
  • June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: until April 15, $2,950; after April 15, $3,150; public sector, $2,595.
  • June 29. UK Cyber View Summit 2016 — SS7 & Rogue Tower Communications Attack: The Impact on National Security. The Shard, 32 London Bridge St., London. Registration: private sector, Pounds 320; public sector, Pounds 280; voluntary sector, Pounds 160.
  • June 30. DC/Metro Cyber Security Summit. The Ritz-Carlton Tysons Corner, 1700 Tysons Blvd., McLean, Va. Registration: $250.

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Cybersecurity

Technewsworld Channels