Fake law enforcement with encryption backdoors

Brian Krebs reported a growing trend of fake law enforcement requests to hand over user data, which companies are falling for:

[…] some hackers have figured out there is no quick and easy way for a company that receives one of these [Emergency Data Requests] to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

Bruce Schneier connects the logical dots with a related issue we’ve been warning about ever since former prime minister Malcolm Turnbull said the “laws of maths don’t trump the laws of Australia”:

The “credentials” are even more insecure than we could have imagined: access to an email address. And the data, of course, isn’t very secure. But imagine how this kind of thing could be abused with a law enforcement encryption backdoor.

Ruben Schade is a technical writer and IaaS engineer in Sydney, Australia who refers to himself in the third person in bios. Wait, not BIOS… my brain should be EFI by now.