Hackers Using Fake Police Data Requests against Tech Companies

Brian Krebs has a detailed post about hackers using fake police data requests to trick companies into handing over data.

Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

Another article claims that both Apple and Facebook (or Meta, or whatever they want to be called now) fell for this scam.

We allude to this kind of risk in our 2015 “Keys Under Doormats” paper:

Third, exceptional access would create concentrated targets that could attract bad actors. Security credentials that unlock the data would have to be retained by the platform provider, law enforcement agencies, or some other trusted third party. If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege. Moreover, law enforcement’s stated need for rapid access to data would make it impractical to store keys offline or split keys among multiple keyholders, as security engineers would normally do with extremely high-value credentials.

The “credentials” are even more insecure than we could have imagined: access to an email address. And the data, of course, isn’t very secure. But imagine how this kind of thing could be abused with a law enforcement encryption backdoor.

Posted on April 5, 2022 at 6:04 AM

Comments

Paul April 5, 2022 6:45 AM

EDR – aka, give us data now. Better than any backdoor but not as good as FBI’s secret requests, or are they?
Note, an officer can call a judge to get sign-off on subpoenas and warrants. But, who needs oversight.

Clarke April 5, 2022 8:25 AM

@Paul

+1

EDRs are totally illegal under U.S. 4th Amendment — so this specific problem would vanish if we could ever get American police agencies to obey the law.

The larger problem still remains of massive insecurities in government IT Systems and the massive governmental power exercised through those systems.

Clive Robinson April 5, 2022 8:35 AM

@ Bruce, ALL,

Sadly an expected result of “Corner Cases” and “FUD” when combined with technology and people that are goal oriented in a pathological manner.

Expect to see more of this as time goes on…

It will not be stopped because the authorities abuse the process themselves as it,

1, Makes things happen faster.
2, Makes their life easier.
3, And the victim of their grab has no legal right to know.

In the US you supposedly are secure in your “possessions and papers” but clearly the “imminent Danger” nonsense allows the authorities to bypass this, and all your privacy going back a very long time gets stripped bare for their titillation.

It’s why people really really need proper “End-to-End Encryption”(E2EE)

But hey, it does not matter how often we say it, the likes of alleged “Secure Messenger Apps” that in fact are not, are “Fake-Newsed” into most of their users’ heads for commercial reasons…

And so “Privacy Dies” a death of a thousand cuts, each a little nearer to the point where Privacy is dead, and can not be brought back for any price most would pay. The result: tyranny goes unhindered and the door on the gilded cage society sleepwalked into gets locked, and quickly the gilding wears off, we wake and the ugly truth remains around us everywhere we look.

Remember “Think of your Children” as they most certainly are not, no matter what they say, for them no harm, no atrocity is too small that they will not use it to gain the ultimate form of power “Control over others”.

Ted April 5, 2022 9:01 AM

Cory Doctorow has a great thread and article on this.

This is a lesson as old as CALEA – if you create a backdoor that tens of thousands of people can access, then you create a backdoor that anyone can access, because it’s impossible to prevent the impersonation, subordination, or corruption of that many people.

https://twitter.com/doctorow/status/1509085328350527488

Nobby April 5, 2022 9:30 AM

Using their illicit access to police email systems
Can’t even lol…
Isn’t EDR, however bad, just one, and not the main problem in such a case?

Doug April 5, 2022 9:51 AM

@Clarke:

You say “EDRs are totally illegal under U.S. 4th Amendment”. Can you elaborate on this? Why do you think they don’t fall under the exigent circumstances exception?

…doug

tim April 5, 2022 10:28 AM

Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

I’ve worked for a number of highly regulated companies and these requests are highly vetted including validating who it’s coming from. I guess it’s not a surprise that companies that aren’t highly regulated wouldn’t even do the basics. But if this results in a lawsuit against them – you can guarantee their legal teams are going to lock this down.

@ Clarke

EDRs are totally illegal under U.S. 4th Amendment

In the US – who owns the data that you entered in that sits on a Facebook server? I’ll await your white paper backed by case law on the subject.

JonKnowsNothing April 5, 2022 12:59 PM

@tim , @All

re: online have departments that routinely review and process such requests … these requests are highly vetted

If you consider how other branches of governments in the USA and other countries handle these “vetted requests”, whether they are for law enforcement, visa applications, citizenship reviews, social services, there are at least 2 aspects involved:

a) Heavily automated AI/ML review
b) Work Directives aimed at reducing output(authorizing visas or social services) or reducing departmental costs (government expenses per application or process)

For a) there are AI/ML, input field design, work flows that move or block the process if not completed. In the case of EDR, the input cycle would be designed to have the least amount of delay (see Emergency).

For b) Work Directives detail how a process is to be executed, the number of times it can be elevated (re-post), the order of elevation (seniority of workers), and overall departmental goals: either X+completed or X-refused. For LEAs the X-refused would be a small number goal. The directives would be Push It First Then Ask Validation Later.

The idea of AI/ML preview is to limit the number of complex cases that would require human overview, and severely limit the number of senior members being involved, thereby reducing potential legal liability.

General Hayden called it “throwing the request over the transom”.

Acme April 5, 2022 1:12 PM

@tim

“I guess it’s not a surprise that companies that aren’t highly regulated wouldn’t even do the basics. But if this results in a lawsuit against them – you can guarantee their legal teams are going to lock this down.”

And when your bank account or something has been hacked because someone gave away personal info in an EDR, you know exactly who gave it away and can prove it, right? The only way to know for sure is to get the bad guy that hacked your bank account where he got the information from and they admit they sent a fake EDR to let’s say Facebook/Meta

Or maybe if you got the bad guy that ahdr that he is willing to tell everything, just sue him and send him to jail.

On the other side of it all FB/Meta has to do is say, “Yea, we know this EDR stuff is flaky, and we don’t like it, but the FBI said we have to accept it, and turn over the data fast. If we didn’t do that and make LEOs happy, they would go to their Congress-Critters and have new laws put in place that harm us.”

lurker April 5, 2022 3:41 PM

Obviously some details of this won’t be published, but… If the intruders have impersonated a valid existing email acct, wouldn’t some of this activity be visible to the normal user of that acct? or his sysadmins? If Outlook stores forwarding rules on the server does the user get any notification of changes to those rules? It’s a quarter century since I last had my hands on an Outlook acct, and I’ve no desire to go back there…

LeRay April 5, 2022 3:50 PM

it’s impossible to prevent the impersonation, subordination, or corruption of that many people.

That’s ambiguously worded; I’d expect better from a professional writer. The defenders need to prevent the impersonation etc. of any one of those tens of thousands of people. The attackers only need to impersonate one. But it’s a rather defeatist view to suggest that we shouldn’t do something unless we can do it perfectly; we could say the same about court orders. These systems could be a lot better than “some person claims to be a cop or judge”.

We should remember, though, that cops couldn’t do anything remotely like this for the first century of the USA, and the first several millennia of civilization in general. Nobody knew this much about anyone else. So when the cops say they can’t do their job without these emergency powers, they’re lying, or they’re much less competent than their predecessors. Read the FBI file of Paul Erdős to see how much effort it took just to see whether someone was an employee of a specific university.

David Leppik April 5, 2022 11:21 PM

If I got that request from someone claiming to be from a US-based police department, I’d call that police department on the phone, using their published phone number. I can’t believe those requests would require you to respond by email.

FA April 6, 2022 8:24 AM

We should remember, though, that cops couldn’t do anything remotely like this for the first century of the USA, and the first several millennia of civilization in general. Nobody knew this much about anyone else. So when the cops say they can’t do their job without these emergency powers, they’re lying, or they’re much less competent than their predecessors.

Isn’t that a bit too simple? For the last several millennia, criminals didn’t have the same means (information, communication, transport, technology) that they have now either.

But I’d agree that the balance has shifted in favor of LE and will likely continue to do so. Whether this is a good thing (TM) is an interesting question…

Sumadelet April 6, 2022 8:46 AM

some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate

departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

At the very least, we have the technology to sign the Emergency Data Request (EDR) with a digital signature using the requesting police department’s (or other institution authorised to issue EDRs) private key.

That should help to prevent most fraudulent misrepresentation.

Is it too much to ask for a gpg/PGP signature, and a repository of public keys?

Furthermore, information provided back should be signed by the requestees with their private key to prevent subsequent tampering. Plain text emails can be abused in so many ways.

Checking the authenticity of a signature is another problem, as is ensuring only authorised people can produce signatures, but at the very least, it would allow non-signed emails to be ignored.

LeRay April 6, 2022 11:32 AM

@FA,

Isn’t that a bit too simple? For the last several millennia, criminals didn’t have the same means (information, communication, transport, technology) that they have now either.

Perhaps, but I feel like the difference—or at least, its effect on crime—is exaggerated. An odd thing that comes up in some historical documents, for example, is that people in London UK could send mail within the city and get a reply within several hours. More commonly known is that people rode horses. While neither is as fast as its modern equivalent, they’re still pretty fast, and cops were hampered by these limitations too. If a criminal 300 years ago could be anywhere within a 10-mile radius, and the cops couldn’t send news of this criminal faster than the criminal can move, how would they find the person? It’s hard for me to conclude it’s today’s cops who have a disadvantage.

We’re talking in the context of warrantless emergency requests here. It’s not obvious that more information or technology plays much role in crimes that would be considered emergencies. Rather, people have gotten spoiled by the amount of data that exists, and the meaning of “emergency” has probably been expanding. Originally, it used to mostly cover obvious ongoing or very recent crimes—like, police could enter a home if they heard someone screaming inside, or chase someone who just robbed a bank—and if there was time to ask other parties anything more than “which way did the person in black just go?”, it probably wasn’t an emergency. In the modern world where law enforcement can have a judge on speed-dial to issue an electronic warrant, immediately visible to hundreds of officers, does the scope of warrantless authority really need to be greater?

EvilKiru April 6, 2022 1:15 PM

@lurker: Obviously some details of this won’t be published, but… If the intruders have impersonated a valid existing email acct, wouldn’t some of this activity be visible to the normal user of that acct? or his sysadmins?

No, because impersonating a valid existing email account doesn’t involve actually using said account. It just involves lying when using the standard email protocol to make it look like the email is coming from the spoofed email address, which is trivially easy with no effective way to prevent such spoofing.

Clive Robinson April 6, 2022 2:34 PM

@ LeRay,

It’s hard for me to conclude it’s today’s cops who have a disadvantage.

They very definitely do not.

A century and a half ago, electronic communications was making a difference to society even at the lower levels. The first commercial telegraph was the Cooke and Wheatstone telegraph, invented and set up in 1837[1]. But it would not be long before its reach from the Old World to the New would change forever the way business and news was carried out[2]. And yes criminals got caught. But within a few years, in 1910, Dr Crippen was hanged, his notoriety in history fixed by the fact he was the first man arrested by transatlantic wireless telegraphy or as we now call it radio[3].

What was less well known is that people were deeply suspicious of the telegraph companies, the authorities and the “operators”; the lessons of Almon Brown Strowger were not lost on them. Thus you could buy Commercial Codes for a few pennies to keep your business secrets secret across the telegraph and telephone. It was these codes that were such a pain to the telegraphists that they were responsible for the “five letter groups” you see with most military and diplomatic crypto systems. Such was the concern about the theft of business on the viability of the telegraphs that existing secrets laws for mail were extended, amended and passed such that accessing and divulging messages was a serious crime.

But that did not stop the “Post Master Generals” of the time for “National Security” accessing the messages surreptitiously.

Back in the days of the “Founding Fathers” as many know general warrants from Kings were of such concern that eventually they were legislated out of existence. But electronic communications has effectively brought them back, but worse than ever before.

In the days of paper it was possible to secure your communications such that if they became accessed by others you would be well aware of it.

Thus you would be put on guard to defend yourself against those who would attack you. A principle of English thus American law is “Equity of Arms”, that is warrants and their like are meant to limit the over-reaching power of the State and its Agents being used against you.

Technology allows both all forms of electronic communications being copied, and in some cases letters being copied without opening them.

Thus “The State and its Agents” can read your communications with others for years or decades completely unhindered and without you being aware. Just looking for something to hang you with… Which they will find, because the laws are such that on average we all commit “three crimes a day” and certainly in the US invented mail fraud, conspiracy, or lying to officers are “catch alls” that even judges have said publicly they know the likes of the FBI and DoJ have used often.

So yes what are as far as the victim is concerned “warrantless searches” of their possessions and papers can go on indefinitely, an advantage that the authorities steadily build on year by year and receive no punishment for if caught in the act…

[1] Some of the history of commercial “electrical telegraphs” can be found at,

https://en.m.wikipedia.org/wiki/Electrical_telegraph

But for millennia before, messages were telegraphed by burning branches, flags and mechanical devices, and as their use was strategic to Nations and spies abounded, Codes and Ciphers were used.

[2] First Transatlantic cable message August 1858, 164 years ago this year,

https://www.wired.co.uk/article/transatlantic-cables

[3] Dr Crippen and his “alleged” crime, that may never have been committed,

https://en.m.wikipedia.org/wiki/Hawley_Harvey_Crippen

If proof is found that he was “fitted up” it would be a very great embarrassment to the British Government and the Met Police, both of whom have behaved in ways that suggests they do not want the case re-opened…

lurker April 6, 2022 2:55 PM

@EvilKiru
This would also require that the Reply-to header would be different from the From header. I’m too clever to be a cop, because for heavy stuff like this I always check all headers, which might give a clue where it came from.

I was astonished the first time I saw a plaintext printout of an email presented in evidence in court…

SpaceLifeForm April 6, 2022 3:27 PM

@ EvilKiru, lurker

The recipient could require that the sender must use DKIM.

They could say, either you use DKIM, or you provide a warrant signed by a judge.

If an email arrives, without DKIM, then they could ignore it as a matter of policy.

This is probably the best solution today.

Clive Robinson April 6, 2022 5:05 PM

@ SpaceLifeForm, EvilKiru, lurker,

Re : “Domain Keys Identified Mail”(DKIM)

It’s a bit of a “Swiss cheese solution” thus problematic at best…

As Wikipedia notes[1],

Problem Number one,

“[They] are affixed or verified by the infrastructure rather than the message’s authors and recipients.”

Which means there are all sorts of “configuration issues” that are “invisible” to users at both ends.

Problem Number two,

“Usually, DKIM signatures are not visible to end-users”

So a recipient effectively gets told “valid” but has no clue as to what was actually signed…

Then there is Problem Number Three which has caused problems with similar systems in the past,

“A valid signature also guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.”

Thus it has all the same problems as “code signing” then some more on top.

I know why these problems exist, and to be honest we should dump the current Email protocols because these sorts of issues can not be fixed by “bolt-ons”.

However when you see what Google has done via W3C to HTML5 and to not only Chrome but other browsers… Are you going to trust that they are not going to screw with any EMail replacement protocol? How about the NSA or other Five-Eyes through NIST or ISO committee… We know there are still question marks hanging over IPv6 and security that came from another standards group…

As you note of DKIM,

This is probably the best solution today.

And not a very good one. So all in all a bit of a problem…

[1] Wikipedia article on “Domain Keys Identified Mail”(DKIM),

https://en.m.wikipedia.org/wiki/DomainKeys_Identified_Mail

SpaceLifeForm April 6, 2022 6:10 PM

@ Clive

Re : “Domain Keys Identified Mail”(DKIM)

Gee, you make it sound like security is hard or something.

It would be a start. Not a full solution. But it may very well reduce the problem.

Maybe they could require PGP/GPG instead?

Or, just go with valid warrant?

lurker April 6, 2022 6:29 PM

@Clive, @SLF

Can MSExchange be trusted to sanely handle DKIM?

When gmail receives a DKIM it appears to display the sig in the full headers. I’ve never had anything serious enough to be bothered checking it myself…

Clive Robinson April 7, 2022 2:04 AM

@ SpaceLifeForm,

Gee, you make it sound like security is hard or something.

Not when it comes to insecurity that’s easy, we mostly do that all the time when it comes to user communications…

@ ALL,

A security lesson that has popped up so many times for existing systems is,

“How do we make this system secure?”

The answer for most user communications systems is,

“If security was not built-in from before ‘day zero’, it is often not possible to retrospectively add either effectively, or at all.”

With Email the latter currently appears to be the case, because of fundamental design decisions and later additions.

I don’t want to really get into it all but you can find out a lot of it from attempts that started way back last century, that still plague us today.

The most obvious is the “human interface” almost always gives problems. With EMail it came to a head with PGP. That in 1999 gave rise to Doug Tygar’s paper[1],

“Why Johnny Can’t encrypt”

Which covers just a small but fundamental part of the problem.

But that “small problem” is not specific to Email… Since then it has been recognised that it’s not just EMail systems. In fact most if not all other user communications systems above a certain simple level of complexity suffer from it as well.

So new papers appear from time to time. One such[2] is Matt Blaze’s,

“Why (special agent) Johnny (still) Can’t Encrypt”

It is for another communications system “P25 Digital Radio” that to many would appear unrelated to EMail but is in fact from the base protocol perspective the same.

Then there was[3],

“Why Johnny Still, Still Can’t Encrypt”

And a few more…

The “Johnny Can’t …” problem was distilled down as being “user view -v- key management” which whilst true, is not the entirety of the problem by a very very long way.

So people are going to ask,

“What of today?”

Now we are moving away from Email to even more complex systems such as “Secure Messaging Apps” and “Secure Video conferencing”.

Well the answer is primarily NOT at all good, in fact it raises the possibility of being impossible to meet user expectations securely.

I’ve warned consistently about the very fundamental dangers of “Security End Points” in applications on the “Communications End Point” devices, which allow attackers to bypass the communications security entirely.

I’ve also warned when the subject has come up about the currently still unsolved “Secure Rendezvous Discovery” Problem with respect to “Mobile Devices”.

And well I think most are aware of the “End to End Encryption”(E2EE) battle that has been going on for the past half decade or more.

Which at least as I’ve pointed out has a partial security solution at least for the “One to One Message Contents”. But not for the “One to Many Message Contents” or “Traffic Analysis” issues.

Because as the “Covid Years” of “Home Working” the notion of “Telework” has finally been given a real test and has been found totally wanting security wise. Because of,

1, “End Point”
2, “Rendezvous Discovery”.
3, “One to Many”
4, “Many to One”
5, “Betrayal” by Second Party
6, “Deniability” lack of
7, “Traffic Analysis”
8, “Key Management”

Problems, most of which are not being talked about, or worse even considered by supposed solution providers with a very misplaced “Can Do Attitude” that actually is beyond suicidal[4].

Which means we actually won’t get secure systems, because at each step we will make the same stupid mistakes that we have made already over and over since the need for what we call Email security arose in the late 1970s…

But to misquote part of a song,

“People are going to ask for some happy news…”

Well, from my point of view there is not any. But others unfortunately[4] think “maybe baby”…

So to that end I’m in no way recommending or agreeing with this from just over a month ago, especially as it’s only “message contents” security being covered,

https://pixelprivacy.com/resources/encrypted-messaging/

Even so as I’ve repeatedly said I see them all as “insecure”, that is their security is at best illusory, and just another variation of “the hamster wheel of pain”, for all those involved with the “Setup, operation, use, maintenance, and end of life” of such systems.

As for those who actually need real security rather than the illusion[4]… Just don’t use any of them, you will just be slipping the rope around your neck or committing seppuku / harakiri if you do.

[1] https://www.usenix.org/conference/8th-usenix-security-symposium/why-johnny-cant-encrypt-usability-evaluation-pgp-50

[2] https://www.mattblaze.org/blog/p25/

[3] https://www.arxiv-vanity.com/papers/1510.08555/

[4] Some here remember that the CIA “Can Do Attitude” got a lot of people killed and worse not so long ago,

“A breach of the classified communications system, or “covcom,” used by the C.I.A. helped to expose the agency’s networks in China and in Iran”

Was the specific problem but it is just part of a more general “culture” problem,

https://www.nytimes.com/2021/10/05/us/politics/cia-informants-killed-captured.html

JonKnowsNothing April 7, 2022 6:57 AM

@Clive, @ SpaceLifeForm, @All

A MSM report

Telstra joins other major telcos in scanning SMS messages, with consumer watchdog saying the moves have halved reported scams…

The technology has been rolled out and switched on for every mobile device on Telstra’s network – including those signed up to other providers using Telstra’s mobile network like Belong.

The text messages will be automatically scanned on Telstra’s network before being delivered to customers, and if it looks suspicious – with malicious links or similar patterns and characteristics to other messages – Telstra will block the message from being delivered.

The report indicated that other companies are planning or already doing message scanning.

There was no mention of the final disposition of the blocked message or what LEA involvement is (before, during, after) with the targeted messages.

Clive Robinson April 7, 2022 7:54 AM

@ JonKnowsNothing, SpaceLifeForm, All,

or what LEA involvement is (before, during, after) with the targeted messages.

Hmmm what makes a message suspicious or targeted is a very large gate to the paddock.

We know that in China anything involving one of the three English children’s stories bears or anything to do with tanks and men on their own is automatically suspicious…

I’m fairly certain that any LEA would have a Nixon style “Hippie List” to check for….

Akira April 7, 2022 9:00 AM

Re. the ‘Why Johnny still can’t encrypt’ papers:

The methodology (and conclusions) of these tests are rather suspect.

I’m pretty sure that if the participants had received say an hour of proper instruction then most of them would be able to send and receive encrypted messages without any problem.

The problem here is the unreasonable expectation that every tool should be usable without any understanding or training, just by clicking around.

If you’ve never driven a car and then try to in an emergency you’d probably end up against a tree or in some other trouble. Yet almost all people are able to get their driving license.

lurker April 7, 2022 12:19 PM

@Akira
Ever notice there’s no printed manual in the box these days?
It’s one of the sales features of the internet, Instant Gratification.

Sumadelet April 8, 2022 4:24 AM

@Clive Robinson

The Matt Blaze paper is sobering. One would have a reasonable expectation that a government procurement project would have access to the right kind of expert to prevent the kind of problems described.

Given the huge increase in numbers of people gaining paid employment from delivery of Internet-based services, I would have thought a reasonable increase in expertise around encryption and key-management would have occurred. Plainly, it hasn’t. I think I end up with an unpopular view espoused by Bruce: regulation is required, because the free-market perceives proper security as a hindrance.

I deal with several financial organisations. The vast majority have no process for accepting inbound encrypted electronic documents, or sending them for that matter. Most customer service representatives state (I don’t know if they are following a script) that ‘their e-mail is secure’, so sending a scan of your passport as an attachment to an unencrypted mail is, to them, an acceptable way of transferring sensitive personal information.

I found one organisation that was willing to accept an encrypted attachment with the password sent by a separate channel. One.

I’d love to see a solution for key management, both for organisations, and also for the general population – which includes the disabled and people with IQs at least one standard deviation below the mean*. Anything too difficult to be used will be ignored or worked around.

*even some supposedly intelligent** people regard ‘securing’ access to things with a 4-digit PIN set to the day and month of their birthday as sufficient. And they still use pet-names as passwords.

**At least 2 SD above the mean. It just confirms that ‘General Intelligence’ does not measure common sense, or even technical competence.

Nick Levinson April 8, 2022 8:19 AM

Procedure that might work:

A legal but apolitical answer for the U.S. is that I don’t know if a company is obligated by law to help in EDR cases not otherwise legally binding. Maybe it’s like if an individual chooses to walk past a stranger who’s dying on a public street if the individual had nothing to do with why the victim is dying.

A solution may be for the company to immediately call the relevant agency for verification, and to post in its public EDR instructions that anyone sending a request must do so in a way that can be confirmed through an official channel known to the company independently of the EDR. So, the sender who’s in the field should tell their agency that they’re about to contact the company with an EDR about a particular party or, perhaps, situation.

The company probably can audio-record the phone call, with any requisite notification to the other party to a call, perhaps beeps; the company can say so in its public EDR procedure, and a legitimate agency will not object to that.

If it takes time to gather the info, the company can start doing so while verification is pending and can do so without displaying the info to the company’s contact point, to prevent premature revelation. It can even prevent revealing whether it has the info until verification is complete.

It would not be enough for the agency to recognize its own sender. It would have to recognize its own request, too.

This, too, has a fault: The agency might confirm every EDR verification request. But this is better than no verification attempt, since at least it would afford protection with agencies that are careful and not make it worse for anyone else. If failure to receive verification gets the company criticized, its speed and carefulness will be a strong answer, and it can release its log, phone recording, etc.

@Clarke, @Doug, & @tim: I’m not sure EDRs are always illegal. A company might wish voluntarily to comply. National self-defense might be an exception to the U.S. Constitution’s 4th Amendment; the exception comes from the norms of international law and is higher than conflicting national provisions in the Constitution. And many big companies have nexus in multiple nations, and, regardless of where their data is located or who owns it (and you probably don’t anywhere “own” your name, national ID number, or date of birth), nexus even in a friendly nation can be leveraged into a legal requirement under that nation’s law.

@Sumadelet, @SpaceLifeForm, @Clive Robinson, & @lurker: Smaller agencies probably don’t have those keys, DKIM, or PGP/GPG or know about them or trust them, so they can’t be required by the companies as proof, although they can help with agencies that use them.

@David Leppik:

Email, being written, templatable, and easily copied and often having traceable headers, may be preferred in both directions by police now.

Decades ago, in the U.S., a White House executive asked the FBI director, J. Edgar Hoover, to investigate a prominent TV journalist. Hoover asked if the exec was in his office. Affirmative. Hoover called him and confirmed the request. Later, it turned out the investigation was a bad idea; an agent had told the journalist it was about his being appointed to an unspecified Federal job; he replied that he didn’t want the job and the full investigation was promptly called off by the FBI. The White House exec later said he only wanted a check of Who’s Who-type sources. Whatever the truth behind the request, I didn’t see criticism of Hoover’s callback.

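The callback procedure Nick Levinson sketches above, modelled as an added example (this is not code from the blog post or from any commenter). It encodes the points of the procedure: the verification contact comes from the company’s own directory and never from the request itself, the agency has to recognise the specific request (not merely the sender), data can be gathered while verification is pending but is not released until confirmation, and every step is logged. All agency names, domains, phone numbers, request ids and account identifiers are constructed placeholders.

```python
"""Out-of-band verification workflow for an Emergency Data Request (EDR).

Added illustration of the callback procedure discussed in the thread.
Every agency, domain, phone number and request below is a constructed
placeholder, not a real organisation or contact.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional
import hashlib
import json


class Status(Enum):
    RECEIVED = "received"
    PENDING_VERIFICATION = "pending_verification"
    VERIFIED = "verified"
    REJECTED = "rejected"


@dataclass
class EDR:
    request_id: str
    sender_email: str
    claimed_agency: str
    subject: str          # the account the request is about
    justification: str


# Company-maintained directory: domain the agency is KNOWN to use, and a
# verification number obtained independently of any request (constructed).
KNOWN_AGENCIES = {
    "pd.exampletown.gov": {"name": "Exampletown Police Dept",
                           "verify_phone": "+1-555-0100"},
}


def request_fingerprint(edr: EDR) -> str:
    """Digest of the request content; the agency must confirm THIS, not just the sender."""
    canon = json.dumps({"id": edr.request_id, "subject": edr.subject,
                        "justification": edr.justification}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


@dataclass
class EDRCase:
    edr: EDR
    status: Status = Status.RECEIVED
    log: list = field(default_factory=list)
    staged: Optional[dict] = None    # gathered data, kept out of the handler's reach

    def note(self, msg: str) -> None:
        self.log.append(msg)

    def lookup_contact(self) -> Optional[dict]:
        """Contact details come from the directory, never from the request."""
        domain = self.edr.sender_email.rsplit("@", 1)[-1].lower()
        agency = KNOWN_AGENCIES.get(domain)
        if agency is None:
            self.status = Status.REJECTED
            self.note(f"no independent contact for domain {domain}; rejected")
            return None
        self.note(f"contact for {agency['name']} from company directory")
        return agency

    def stage_data(self, fetch: Callable[[str], dict]) -> None:
        """Start gathering while verification is pending, without revealing anything."""
        self.staged = fetch(self.edr.subject)
        self.note("data staged; not visible to case handler")

    def verify(self, callback: Callable[[str, str], bool]) -> Status:
        """callback(phone, fingerprint) is True only if the agency recognises this request."""
        agency = self.lookup_contact()
        if agency is None:
            return self.status
        self.status = Status.PENDING_VERIFICATION
        fp = request_fingerprint(self.edr)
        ok = callback(agency["verify_phone"], fp)
        self.note(f"callback to {agency['verify_phone']} for {fp}: "
                  f"{'confirmed' if ok else 'not confirmed'}")
        self.status = Status.VERIFIED if ok else Status.REJECTED
        return self.status

    def release(self) -> Optional[dict]:
        """Data leaves the company only after the agency confirmed the request itself."""
        if self.status is not Status.VERIFIED:
            self.note("release refused: request not verified")
            return None
        self.note("data released")
        return self.staged


def simulate_agency(registered: set) -> Callable[[str, str], bool]:
    """Constructed stand-in for the agency desk: confirms only requests its own officers registered."""
    return lambda phone, fingerprint: fingerprint in registered


def run_demo() -> dict:
    """Three constructed requests: genuine, forged from a compromised mailbox, unknown domain."""
    genuine = EDR("EDR-0001", "officer@pd.exampletown.gov", "Exampletown PD",
                  "user:4711", "missing person, last seen with this account")
    forged = EDR("EDR-0002", "officer@pd.exampletown.gov", "Exampletown PD",
                 "user:9001", "imminent harm")           # same real mailbox, unregistered request
    unknown = EDR("EDR-0003", "chief@pd-exampletown-gov.example", "Exampletown PD",
                  "user:1234", "imminent harm")          # lookalike domain
    registered = {request_fingerprint(genuine)}          # the agency knows only the real one
    results = {}
    for edr in (genuine, forged, unknown):
        case = EDRCase(edr)
        case.stage_data(lambda subject: {"subject": subject, "last_ip": "203.0.113.7"})
        case.verify(simulate_agency(registered))
        results[edr.request_id] = (case.status, case.release() is not None)
    return results


if __name__ == "__main__":
    for rid, (status, released) in run_demo().items():
        print(rid, status.value, "released" if released else "withheld")
```

The forged request in the demo is the case the thread is about: it arrives from a genuine agency mailbox, so confirming the sender alone would pass it; confirming the request fingerprint against what the agency’s own officers registered is what rejects it.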
Clive Robinson April 8, 2022 11:37 AM

@ Sumadelet,

I think I end up with an unpopular view espoused by Bruce: regulation is required, because the free-market perceives proper security as a hindrance.

Personally I don’t think useful “regulation” will happen…

Look at it this way, it’s not just Law Enforcement and Intelligence Agents who win by ordinary people making encryption Snafus.

Thus many in positions of influence would see “regulation” as “killing the Golden Goose” of information.

OK William Barr is no longer Attorney General of the US, but many within the FBI and DoJ supported his anti-encryption policies.

Oh, and as far as I remember he’s not barred from returning to that office if the next President thought he would be still good in the role…

Similarly Mike Pence and several others…

Douglas Knight April 12, 2022 12:46 PM

The excerpt makes it sound like EDRs are much more vulnerable than subpoenas, but the article left me with the impression that subpoenas are just as vulnerable. The only difference is that a subpoena is more detailed, so the hacker has to know what it looks like to forge it.

JonKnowsNothing April 28, 2022 9:40 AM

@All

There is a new article there about a company that plans to “fight fake EDRs” by giving police departments a “credit score”. Presumably if the score is high you get the data and if low you don’t.

The more interesting parts are the inclusions of summary reporting details about how many requests are being handled by these companies. Entire departments and divisions are doing Law Enforcement for Free – except nothing is free, consumers are paying for it and perhaps Law Enforcement is paying for it on the backside.

iirc(badly) LEAs may have to reimburse some costs for compliance to their requests.

Other than providing a smaller footprint for targeting, I don’t see this scheme as that useful. Once the baddies-goodies have the right target and the right score and better yet, have hacked and exfiltrated the entire dataset and source code, it will be just another layer in the middle.

===

ht tps://krebs on securit y.com/2022/04/fighting-fake-edrs-with-credit-ratings-for-police/

(url fractured)
