Slashdot Mirror


Encrypted WhatsApp Message Recovered From Westminster Terrorist's Phone (indiatimes.com)

Bruce66423 brings word that a terrorist's WhatsApp message has been decrypted "using techniques that 'cannot be disclosed for security reasons', though 'sources said they now have the technical expertise to repeat the process in future.'" The Economic Times reports: U.K. security services have managed to decode the last message sent out by Khalid Masood before he rammed his high-speed car into pedestrians on Westminster Bridge and stabbed to death a police officer at the gates of Parliament on March 22. The access to Masood's message was achieved by what has been described by security sources as a use of "human and technical intelligence"...

The issue of WhatsApp's encrypted service, which is closed to anyone besides the sender and recipient, had come under criticism soon after the attack. "It's completely unacceptable. There should be no place for terrorists to hide. We need to make sure that organisations like WhatsApp, and there are plenty of others like that, don't provide a secret place for terrorists to communicate with each other," U.K. home secretary Amber Rudd had said.

Security sources say the message showed the victim's motive was military action in Muslim countries, while the article adds that though ISIS claimed responsibility for the attack, "no evidence has emerged to back this up."

10 of 143 comments

  1. Re:Bullshit. by Anonymous Coward · · Score: 5, Interesting

    It's possible that they didn't actually decrypt anything and, instead, managed to get into the phone. If the terrorist didn't secure his phone, then WhatsApp could easily be opened and messages read. They had access to his phone, that was stated in the article.

  2. Re:Bullshit. by thewolfkin · · Score: 3, Interesting

    Exactly. Physical security is the first security. Given that was compromised, it seems more likely that was the vector they used.

    --
    Just another second banana
  3. Huh? crooks in brazil do this all the time by Anonymous Coward · · Score: 5, Interesting

    (OBNOTE: they might have done something far different, but this is one way it could be done -- and it is being done in Brazil):

    1. Clone the victim's phone line (not chip, not iemsi, you just need to reassign its phoneline. Costs about US$100 in Brazil to get a sleazy, disgruntled phone-company-cellphone-outlet employee to do it for you).

    2. Using the rogue SIM that has the victim's phone number active for a while, install WhatsApp. Do the SMS verification, it will pass. And yes, that *does* mean you could use the same !@#$@#$ trick to invade banking accounts, steal accounts with SMS verification enabled, etc. Say, like Google, Microsoft, or DNS registrar (and from there, anything else, such as US$ 200k-worth Twitter identities, etc).

    ==> IT IS NO JOKE that the newest US gov regulations *strongly recommend against* (read: FORBID) the use of anything phone-carrier-routed (SMS, voice, phone number, etc) for security id/validation.

    3. WhatsApp will download the message history and contacts database, and you have access to the information.

    Now, if the target is not an imbecile, he has WhatsApp 2FA enabled. That means step (2) is a lot more difficult, *but not impossible*. Here's where human intelligence can help, phone hacking can help, and even a court order for WhatsApp to NOT nuke the account no matter how many failed tries (assuming this does not run afoul of whatever protections did not allow them to order WhatsApp to shell out the history directly) can help.

    IOW: have you removed the insanely dangerous "phone-number-based" recovery options of every account you treasure? If you did not, you had better do it now. It is quite possible to add defensive layers to SMS-based and voice-based recovery options, but all of them are of the "force several successful attempts over a *large* period of time, with random factors involved" kind, so that the victim will notice what is happening, recover his phone number, and engage defensive measures. NOBODY implements this.
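
The defensive layering described at the end of the comment above, sketched as an added example (not part of the original post and not any provider's implementation). The class name, the 24 to 72 hour gaps and the notification hook are all assumptions made for illustration.

```python
import random

class DelayedPhoneRecovery:
    """Hypothetical policy: SMS recovery completes only after several challenges
    spread over days, each one announced to the owner on other channels."""

    def __init__(self, challenges=3, min_gap_h=24, max_gap_h=72, rng=None):
        self.rng = rng or random.SystemRandom()
        self.challenges, self.min_gap_h, self.max_gap_h = challenges, min_gap_h, max_gap_h
        self.passed, self.next_at, self.state, self.notices = 0, None, "idle", []

    def _notify(self, now_h, text):
        # Stand-in for e-mail / in-app alerts sent to already-authenticated sessions.
        self.notices.append((now_h, text))

    def _schedule(self, now_h):
        # Random gap: whoever holds the number cannot predict the next SMS time.
        self.next_at = now_h + self.rng.uniform(self.min_gap_h, self.max_gap_h)

    def start(self, now_h):
        self.state, self.passed = "pending", 0
        self._schedule(now_h)
        self._notify(now_h, "recovery requested via phone number")

    def answer_challenge(self, now_h, code_ok):
        """Phone holder answers an SMS code; returns the resulting state."""
        if self.state != "pending":
            return self.state
        if now_h < self.next_at or not code_ok:
            self.state = "cancelled"  # early or wrong answer aborts the attempt
            self._notify(now_h, "recovery cancelled: bad challenge response")
            return self.state
        self.passed += 1
        self._notify(now_h, f"challenge {self.passed}/{self.challenges} passed")
        if self.passed == self.challenges:
            self.state = "granted"
        else:
            self._schedule(now_h)
        return self.state

    def owner_objects(self, now_h):
        """Owner reacts to a notice from a logged-in session: abort recovery."""
        if self.state == "pending":
            self.state = "cancelled"
            self._notify(now_h, "recovery cancelled by account owner")
        return self.state
```

With the defaults, a number that has been reassigned must stay reassigned for at least 72 hours, during which the owner receives four notices and can cancel at any point.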

  4. Re:Bullshit. by Patent+Lover · · Score: 3, Interesting

    He wasn't part of a terrorist group. He was a batshit psychopath who watched one too many terrorist videos. The terrorist groups don't hide behind tech, they broadcast it out in the open.

  5. Stop using "encrypted" apps on proprietary phones by Traverman · · Score: 3, Interesting

    In the US anyway, freedom is worth dying for. The best way to fuck the terrorists is to show them that they can't change anything about our social norms. As far as I'm concerned, WhatsApp should be considered an in-the-clear messenger which is only "encrypted" because the government happens not to care about the sender at this particular moment. What this sort of "pretend encryption" approach does is let the terrorists know that we're willing to give up our core values so they won't kill any more of us. Heck, why stop there? We all might as well convert to their perverted brand of Islam. Of course, this is all misguided because eventually they'll find out how to do more damage, encryption or not. Which means we'll still have terror attacks a century from now, but what we won't have is private messaging.

    What do we need in order to reclaim the freedom that our ancestors (in America, at least) literally died for? Open source everything, from the circuit diagrams in our chips all the way to the app layer. Is this happening? I hope I'm just ignorant, but the answer would seem to be "no". There's no "real money" in open source anything, and things are getting exponentially more complicated with time. So maybe there's something to be said for building a truly dumb "combox" for private messaging and nothing else, which actually could make money for the people behind it, and therefore be economically viable. Does anyone know of anything like this? And no, I'm not talking about some "brilliant" encryption app running on top of swiss cheese dogshit like Android.

  6. Re:idiot by gweihir · · Score: 3, Interesting

    Indeed. The whole statement is so utterly stupid and disconnected from reality _and_ misses what states that tried to get where she wants to go were like (Stalinism, 3rd Reich, etc.) that she cannot be any good at understanding history either. So they have a _bad_ history major as Home Secretary.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Re:If there's no place for terrorists to hide by gweihir · · Score: 3, Interesting

    Indeed. Terrorists you can typically just ignore with no significant adverse consequences. Fascist politicians are a lot harder to deal with.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. Re:Bullshit. by johanw · · Score: 3, Interesting

    In the case of Signal, I do build it myself from source because I want to make some changes, like adding a decent backup function that Moxie won't do in Signal for some reason he doesn't want to explain. But apart from that, they have reproducible builds so you can check a self-compiled version is the same as the one you download (except for the signature of course).

  9. Re:Bullshit. by AmiMoJo · · Score: 4, Interesting

    The BBC reported that they simply got it from the phone of the recipient (which they knew from metadata) who cooperated with them. That person was innocent and uninvolved in the attack so simply gave them the message in plain text.

    Sorry no link, the BBC search engine is crap.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  10. Re: Bullshit. by RubberDogBone · · Score: 3, Interesting

    Tell that to the idiots using the forgotten social messaging app Whisper, which has nothing to do with the Whisper protocol or WhatsApp.

    Nope, it's just a sort of Twitter clone that pretends to be anonymous, and tons of idiots fall for it and post for sale or want to buy messages for "contraband substances" as if nobody can trace them.

    The app records the user's IP address, the IMEI of their phone, their GPS (which it uses to set a "nearby messages" group feature), their phone number, and none of this is encrypted in any way AND the developers proudly declare in the TOS that they will happily respond to any requests from law enforcement. The app also inserts ads from the Facebook network so anything you look at on FB may in turn spawn "related" ads in the app. So not only does the app know who you are, we can presume FB in turn knows a lot about which ads are seen when and perhaps even which content the user was looking at.

    So it is completely NOT anonymous. And yet idiot users post their messages every day. I had NO idea there were even so many different words for pot.

    The app has other major issues, such as a general lack of users - potheads and gays seeking gays seem to be the main users, but they don't add up to very many. So the developer hires workers to make fake posts, uses bots to repost and repost the same messages day after day after day, all in a bid to fake the place into looking like people use it. A lot of the Indian contractors don't even bother to hide that they are posting from Indian call centers.

    The app also has a "Popular Posts" feature which presents those items when users first open the app. But what determines what is "popular" is not popularity but the whimsy of one of those Indian workers who decides to promote a particular post to the Popular page, which then gets a lot of views and so forth. So they are manufacturing popularity, not seeking what is naturally popular. It's fraud. The anonymity is fraud.

    But very few users bother with this thing and nobody would really notice if it blew away.

    --
    Sig for hire.