Feds forced to get creative to bypass encryption

Published 18 March 2011

As increasingly sophisticated encryption technology becomes widely available, federal authorities have been forced to find new ways to conduct surveillance against suspected criminals or terrorists. When federal authorities try to gather evidence on suspects, they frequently encounter PGP-encrypted documents that they cannot hack into. Authorities are experimenting with several methods to bypass encryption, including keystroke-logging spyware, seizing the computer while it is still on, and forcing an individual to turn over their passwords to federal authorities. The FBI recently floated a proposal that would force Web-based e-mail servers and social networks to build backdoors so that federal authorities could conduct surveillance, but quickly backed down.

As increasingly sophisticated encryption technology becomes widely available, federal authorities have been forced to find new ways to conduct surveillance against suspected criminals or terrorists.

With cyber security fears growing, more software manufacturers are building sophisticated encryption tools into their operating systems like Apple’s FileVault and Microsoft’s BitLocker. Starting in 2005, PGP, a data encryption program, began offering whole disk encryption for Windows and Mac OS X.

Now when federal authorities try to gather evidence on suspects, they frequently encounter PGP-encrypted documents that they cannot hack into. Instead, authorities have tried using court orders that force Web-based providers to turn over a suspect’s passwords, to see if they match.

“Sometimes if we can go in and find one of those passwords, or two or three, I can start to figure out that in every password, you use the No. 3,” said Stuart Van Buren, a U.S. Secret Service agent. “There are a lot of things we can find.”

According to Van Buren, “Every new agent who goes to the Secret Service academy goes through a week of training” in computer technology to learn how to deal with issues like encrypted data and hard drives.

These new technologies, particularly encrypted Web-based e-mail systems and social media sites, have confounded the FBI, which says that, because of encryption, it cannot conduct wiretapping operations on these networks even when it has received a court order.

To combat this problem, which the FBI calls “going dark,” FBI general counsel Valerie Caproni recently floated a proposal that would force Web-based e-mail servers and social networks to build backdoors so that federal authorities could conduct surveillance.

Caproni said the FBI was seeking “a way for police armed with wiretap orders to conduct surveillance of Web-based e-mail, social networking sites, and peer-to-peer communications technology.”

The FBI quickly backed away from mandating backdoors, but did not specify what it planned on doing to address the going dark problem.

“Most of our interception challenges could be solved using existing technologies that can be deployed without re-designing the Internet and without exposing the provider’s system to outside malicious activity,” Caproni said.

Authorities are experimenting with several methods to bypass encryption, including keystroke-logging spyware, seizing the computer while it is still on, and forcing an individual to turn over their passwords to federal authorities. But the latter method has proven ineffective and illegal.

Howard Cox, the assistant deputy chief for the Justice Department’s Computer Crime and Intellectual Property Section, said law enforcement agencies did not have the legal authority to force a suspect to turn over their password.

“We believe we don’t have the legal authority to force you to turn over your password unless we already know what the data is,” he said.

Cox explained, “It’s a form of compulsory testimony that we can’t do… Compelling people to turn over their passwords for the most part is a non-starter.”

Federal authorities have also resorted to using a program that recovers the passphrase by testing every possible combination, in what Van Buren calls a “brute force attack.”

He says, if the password is short enough, “there’s a reasonable chance that if I do lower, upper, and numbers I might be able to figure it out.”

It took three days to determine a seven-character password and sixty-two times as long to crack an eight-character passphrase.

“All of a sudden I’m looking at close to a year to do that. That’s not feasible,” Van Buren said.
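The scaling Van Buren describes, carried through as an added example that is not part of the article: with the 62-symbol alphabet (lowercase, uppercase, digits) each extra character multiplies an exhaustive search by 62, so a three-day job at seven characters becomes 186 days at eight. Deriving a guess rate from the three-day figure assumes it covered the full seven-character keyspace; that assumption is ours, and the absolute times are illustrative.

```python
"""Brute-force search-time scaling for the 62-symbol alphabet
(lowercase, uppercase, digits) discussed in the article.

Baseline figures come from the article: roughly three days for a
seven-character password. The assumption that those three days
covered the full seven-character keyspace is ours, added to derive
a guess rate; the absolute times are illustrative, not measured.
"""

ALPHABET_62 = 26 + 26 + 10          # a-z, A-Z, 0-9
BASELINE_LENGTH = 7
BASELINE_DAYS = 3.0
SECONDS_PER_DAY = 86_400


def keyspace(length: int, alphabet: int = ALPHABET_62) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet ** length


def scale_factor(from_len: int, to_len: int, alphabet: int = ALPHABET_62) -> int:
    """How many times longer an exhaustive search becomes when the
    password grows from `from_len` to `to_len` characters."""
    return alphabet ** (to_len - from_len)


def guess_rate() -> float:
    """Guesses per second implied by the baseline (assumed full search)."""
    return keyspace(BASELINE_LENGTH) / (BASELINE_DAYS * SECONDS_PER_DAY)


def estimate_days(length: int, alphabet: int = ALPHABET_62) -> float:
    """Worst-case exhaustive search time in days at the baseline rate.
    Computed as a ratio of keyspaces so the 62x-per-character step is exact."""
    return BASELINE_DAYS * keyspace(length, alphabet) / keyspace(BASELINE_LENGTH)


def scaling_table(max_len: int = 12, alphabet: int = ALPHABET_62):
    """(length, keyspace, days) rows, useful when sizing a password policy:
    each added character buys a factor of `alphabet` in attacker effort."""
    return [(n, keyspace(n, alphabet), estimate_days(n, alphabet))
            for n in range(BASELINE_LENGTH, max_len + 1)]


if __name__ == "__main__":
    print(f"implied rate: {guess_rate():,.0f} guesses/s")
    for n, space, days in scaling_table():
        print(f"{n:2d} chars: {space:>24,d} candidates, ~{days / 365:,.1f} years")
```

Running the table shows why length matters more than the attacker's tooling: the nine-character case is already past thirty years at the same rate.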

To avoid resorting to this time-consuming method, the Secret Service tries to seize a computer while it is still on, so that the encryption keys are still in the computer’s memory.

“Traditional forensics always said pull the plug,” Van Buren said. “That’s changing. Because of encryption…we need to make sure we do not power the system down before we know what’s actually on it.”

To guarantee that the computer is on and the suspect logged in, authorities will sometimes contact the individual via Internet chat and then send an agent disguised as a delivery man to the door. The suspect will be arrested and the computer seized.