DOCSLIB.ORG

Third Report of the Observatory Function on Encryption

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Third Report of the Observatory Function on Encryption THIRD REPORT OF THE OBSERVATORY FUNCTION ON ENCRYPTION Joint report Manuscript completed in June 2021. Europol and Eurojust Public Information Neither the European Commission nor any person acting on behalf of the Commission is responsible for the use that might be made of the following information. © European Union, 2021 cover Picture: ©iStock Reuse is authorised provided the source is acknowledged. CONTENTS 1 Executive Summary 6 2 Introduction 8 3 The legal aspects of handling encryption in criminal investigations 9 3.1 Legislative overview of legal frameworks relating to attacking encryption 9 3.1.1 Background 9 3.1.2 Current legislative overview on encryption 9 3.1.3 Relevant jurisprudence 13 3.1.4 Casework experiences related to the use of encryption tools by criminals 14 4 Technical developments and their effects on investigation efforts 16 4.1 Hardware based encryption 16 4.2 Encrypted communication devices using a variety of different encryption algorithms standards 18 4.3 Bcrypt Password Hashing and Increased iteration count 18 4.4 On-Client (browser) password policy checking mechanisms 22 4.5 oDoH-Oblivious DNS over HTTPs 22 4.6 Quantum computing 24 4.6.1 Upcoming opportunities and challenges 24 4.6.2 A standardisation effort initiated 25 4.7 Conclusion 26 5 EncroChat case: An example of good practice 27 6 Policy developments influencing and shaping the debate on encryption 29 6.1 Introduction to the policy debate 29 6.2 Developments within the European Union 30 6.3 Developments outside of the European Union 31 6.3.1 Encryption and the Five Eyes Intelligence Alliance 31 6.3.2 Focus on Australia. The Access and Assistance Act 32 6.3.3 Efforts in the United States 34 6.3.4 Conclusion 35 7 Conclusion 36 Table 1 Legal Provisions on Attacking Encryption by Law Enforcement. 10 Figure 2 HBE in Apple devices using the T2 security chip 17 Figure 3 Pre-computation step 20 Figure 4 Recovery Step 20 Figure 5 Traditional DNS requests 23 Figure 6 DoH requests 23 Figure 7 ODoH requests 23 LIST OF ABBREVIATIONS AES Advanced Encryption Standard AFP Australian Federal Police APFS Apple File System ASIO Australian Security Intelligence Organisation BPF Browser Password Field CDT Center for Democracy & Technology DNS Domain Name System DoH DNS-over-HTTPS DPP Domain Password Policies E2ee End-to-end encryption EC3 European Cybercrime Centre ECHR European Court of Human Rights EIO European Investigation Order EJCN European Judicial Cybercrime Network EU European Union FBI Federal Bureau of Investigation FDE Full disk Encryption HBE Hardware-based Encryption HTTP HyperText Transfer Protocol HTTPS HyperText Transfer Protocol Secure IP Internet Protocol ISP Internet Service Provider JHA Justice and Home Affairs JIT Joint Investigation team LEA Law Enforcement Authority MLA Mutual Legal Assistance Request NCMEC National Centre for Missing and Exploited Children ODoH Oblivious DNS over HTTPs QSC Quantum-Safe Cryptography SSD Solid State Drive TPM Trusted Platform Module TLS Transport Layer Security 1. EXECUTIVE SUMMARY Access to data-in-clear of encrypted communications and stored data presents several difficult and controversial issues and continues to create tensions between key stakeholders, including law enforcement and the judiciary and civil society organisations, leaving policy makers with the mammoth task of balancing all the important considerations in this debate. Thus far efforts to identify technical solutions that are feasible and proportionate and which safeguard fundamental rights have struggled to reconcile all the equities. In the midst of this discussion encryption continues to develop and become the main means to safeguard a number of online technologies, including electronic communication services, online storage spaces, mailboxes etc...This further complicates the encryption landscape, and significantly challenges criminal investigations. This third report of the Observatory Function on encryption builds on previous reports and looks at the relevant technical and legislative developments, re-visiting some topics, which deserved further consideration. In the interim between this and previous reports, there have only been a few developments in European Union (EU) Member States’ national legal regimes to incorporate new provisions that tackle the challenge of encryption in criminal investigations. These new approaches can be categorised into two distinct parts: one deals with tools that directly tackle encryption and the others category provides for tools to gain access to content before it is encrypted, or after it is decrypted and bypass encryption altogether. This is further underpinned by jurisprudence that exemplifies the use of the provisions mentioned. Insights are shared on encryption in the context of cross-border cases. Eurojust here identifies two key focuses; cases in which decryption of the tool used by criminals is the main focus of the investigation and ‘spin-off cases’ where the focus is on other aspects rather than decryption, but where the decrypted communications among criminals are required as evidence. An analysis of considerations ancillary to decryption, such as the need to find legal means to decrypt electronic communications, admissibility of evidence obtained from decrypted devices, and the sharing of such data with other law enforcement agencies in the context of cross-border cases is explored. The report elaborates on the challenges faced by law enforcement in environments where encryption is a default setting for many user devices and services, presenting recent developments in products that make use of encryption or develop it further. The report takes a detailed look at hardware based encryption, the Bcrypt password hashing function and increased iteration counts. It also provides information on the increasing robustness of browser password checking mechanisms employed by companies to help users generate and utilise stronger passwords ensuring that they remain safe online. Linking up from previous reports, this piece of work introduces the concept of oblivious DNS (Domain Name System) over HTTPs (Hypertext Transfer Protocol Secure) that separates IP (Internet Protocol)addresses from search queries. This is done by adding a layer of encryption around the DNS query before it is sent to the proxy serve that acts as a go-between for the internet user and the website they want to visit. This technology shields the sender of the query from the DNS resolver. All these developments reflect the increasing dependence on encryption to safeguard cybersecurity, data protection and privacy of communications. In itself this is a welcome and necessary development. Unfortunately, this technology can equally be used for criminal purposes, complicating further criminal investigations. Quantum computing may in the next decade offer some possibilities to help mitigate these difficulties. Quantum technology is set to have a significant effect on cryptography, however it remains hard to predict the timing and the concrete effects it would have on encryption. The report explores what quantum computers might be able to achieve in the future. 6 Another important element in this report is an overview of the EncroChat case. It is an example of good practice that incorporated the right technical and legislative elements that have underpinned this delicate operation. A background and insights into the case shed more light on the effort and quantifies the developments and the next steps. For the first time, the report introduced a third viewpoint, cataloguing the key policy developments taking place in regions and countries around the world. This complements the other parts of the report and aims to provide readers with a more complete understanding of this complex topics and set out with more clarity and helps piece together the interactions between the technical, legislative and policy challenges. In this first inclusion, the report highlights developments inside the EU, particularly the adoption by the Council of the EU of the resolution on encryption and it provides information on the US EARN IT act that is being taken forward in Congress. The report also covers the discussion on encryption taking place in the Five Eyes Country alliance and the adoption by the UK, US, Australia, Canada New Zealand, Japan and India of the international statement on end-to-end encryption and public safety. This is followed by a piece on Australia’s Access and Assistance Act of 2018. 7 2. INTRODUCTION As we continue to spend more of our lives online, we expect more digital security to safeguard our activities. Whilst encryption technology on its own does not solve the challenge of providing effective security for data and systems, it is at the heart of digital security, making it part of our daily lives and fuelling developments in this area of technology and others reliant on it. At the same time, the wider usage of encryption technology continues to be increasingly exploited by criminals, both as part of their modus operandi and as a mean to enable secret communication and illegal activities by putting them out of law enforcement’s reach. This continues to create challenges for both the law enforcement and the judiciary communities and significantly hampers these authorities’ ability to investigate and prosecute. The first Observatory Function report provided a brief overview and historical background of encryption, and explored the challenges faced in the context of law enforcement and prosecution. The second report provided a comprehensive update of the encryption challenge and looked at the potential of a number of options that could help law enforcement mitigate the issues arising from encryption and related challenges. This third report is similarly structured to provide an update capturing the legal and technical developments that have taken place since the previous report, and what they mean in practical terms. A number of topics presented in previous reports, such as quantum computing are re-visited here as developments continue to take place in these specific areas. A third aspect has been included in this report looking at a number of policy developments on encryption inside the European Union (EU) and in other key regions.
Load more

Recommended publications
  • Course 5 Lesson 2
    This material is based on work supported by the National Science Foundation under Grant No. 0802551 Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author (s) and do not necessarily reflect the views of the National Science Foundation C5L3S1 With the advent of the Internet, social networking, and open communication, a vast amount of information is readily available on the Internet for anyone to access. Despite this trend, computer users need to ensure private or personal communications remain confidential and are viewed only by the intended party. Private information such as a social security numbers, school transcripts, medical histories, tax records, banking, and legal documents should be secure when transmitted online or stored locally. One way to keep data confidential is to encrypt it. Militaries,U the governments, industries, and any organization having a desire to maintain privacy have used encryption techniques to secure information. Encryption helps to boost confidence in the security of online commerce and is necessary for secure transactions. In this lesson, you will review encryption and examine several tools used to encrypt data. You will also learn to encrypt and decrypt data. Anyone who desires to administer computer networks and work with private data must have some familiarity with basic encryption protocols and techniques. C5L3S2 You should know what will be expected of you when you complete this lesson. These expectations are presented as objectives. Objectives are short statements of expectations that tell you what you must be able to do, perform, learn, or adjust after reviewing the lesson.
    [Show full text]
  • Report Criminal Law in the Face of Cyberattacks
    APRIL 2021 REPORT CRIMINAL LAW IN THE FACE OF CYBERATTACKS Working group chaired by Bernard Spitz, President of the International and Europe Division of MEDEF, former President of the French Insurance Federation (FFA) General secretary: Valérie Lafarge-Sarkozy, Lawyer, Partner with the law firm Altana ON I SS I AD HOC COMM CRIMINAL LAW IN THE FACE OF CYBERATTACKS CRIMINAL LAW IN THE FACE OF CYBERATTACKS CLUB DES JURISTES REPORT Ad hoc commission APRIL 2021 4, rue de la Planche 75007 Paris Phone : 01 53 63 40 04 www.leclubdesjuristes.com FIND US ON 2 PREFACE n the shadow of the global health crisis that has held the world in its grip since 2020, episodes of cyberattacks have multiplied. We should be careful not to see this as mere coincidence, an unexpected combination of calamities that unleash themselves in Ia relentless series bearing no relation to one another. On the contrary, the major disruptions or transitions caused in our societies by the Covid-19 pandemic have been conducive to the growth of offences which, though to varying degrees rooted in digital, are also symptoms of contemporary vulnerabilities. The vulnerability of some will have been the psychological breeding ground for digital offences committed during the health crisis. In August 2020, the Secretary-General of Interpol warned of the increase in cyberattacks that had occurred a few months before, attacks “exploiting the fear and uncertainty caused by the unstable economic and social situation brought about by Covid-19”. People anxious about the disease, undermined by loneliness, made vulnerable by their distress – victims of a particular vulnerability, those recurrent figures in contemporary criminal law – are the chosen victims of those who excel at taking advantage of the credulity of others.
    [Show full text]
  • Encrochatsure.Com
    EncroChatSure.com . Better Sure than sorry! EncroChat® Reference & Features Guide EncroChatSure.com 1 EncroChatSure.com . Better Sure than sorry! EncroChatSure.com . Better Sure than sorry! EncroChat® - Feature List 2 EncroChatSure.com . Better Sure than sorry! EncroChatSure.com . Better Sure than sorry! EncroChat® - The Basics Question: What are the problems associated with disposable phones which look like a cheap and perfect solution because of a number of free Instant Messaging (IM) apps with built-in encryption? Answer: Let us point to the Shamir Law which states that the Crypto is not penetrated, but bypassed. At present, the applications available on play store and Apple App store for Instant Messaging (IM) crypto are decent if speaking cryptographically. The problem with these applications is that they run on a network platform which is quite vulnerable. The applications builders usually compromise on the security issues in order to make their application popular. All these applications are software solutions and the software’s usually work with other software’s. For instance, if one installs these applications then the installed software interfere with the hardware system, the network connected to and the operating system of the device. In order to protect the privacy of the individual, it is important to come up with a complete solution rather than a part solution. Generally, the IM applications security implementations are very devastating for the end user because the user usually ignores the surface attacks of the system and the security flaws. When the user looks in the account, they usually find that the product is nothing but a security flaw.
    [Show full text]
  • Cybercrime Digest
    Cybercrime Digest Bi-weekly update and global outlook by the Cybercrime Programme Office of the Council of Europe (C-PROC) 16 – 31 May 2021 Source: Council of E-evidence Protocol approved by Cybercrime Europe Convention Committee Date: 31 May 2021 “The 24th plenary of the Cybercrime Convention Committee (T-CY), representing the Parties to the Budapest Convention, on 28 May 2021 approved the draft “2nd Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence. […] Experts from the currently 66 States that are Parties to the Budapest Convention from Africa, the Americas, Asia-Pacific and Europe participated in its preparation. More than 95 drafting sessions were necessary to resolve complex issues related to territoriality and jurisdiction, and to reconcile the effectiveness of investigations with strong safeguards. […] Formal adoption is expected in November 2021 – on the occasion of the 20th anniversary of the Budapest Convention – and opening for signature in early 2022.” READ MORE Source: Council of GLACY+: Webinar Series to Promote Universality Europe and Implementation of the Budapest Convention on Date: 27 May 2021 Cybercrime “The Council of Europe Cybercrime Programme Office through the GLACY+ project and the Octopus Project, in cooperation with PGA's International Peace and Security Program (IPSP), are launching a series of thematic Webinars as part of the Global Parliamentary Cybersecurity Initiative (GPCI) to Promote Universality and Implementation of the Budapest Convention on Cybercrime and its Additional Protocol.” READ MORE Source: Europol Industrial-scale cocaine lab uncovered in Rotterdam Date: 28 May 2021 in latest Encrochat bust “The cooperation between the French National Gendarmerie (Gendarmerie Nationale) and the Dutch Police (Politie) in the framework of the investigation into Encrochat has led to the discovery of an industrial-scale cocaine laboratory in the city of Rotterdam in the Netherlands.
    [Show full text]
  • Technological Surveillance and the Spatial Struggle of Black Lives Matter Protests
    No Privacy, No Peace? Technological Surveillance and the Spatial Struggle of Black Lives Matter Protests Research Thesis Presented in partial fulfillment of the requirements for graduation with research distinction in the undergraduate colleges of The Ohio State University by Eyako Heh The Ohio State University April 2021 Project Advisor: Professor Joel Wainwright, Department of Geography I Abstract This paper investigates the relationship between technological surveillance and the production of space. In particular, I focus on the surveillance tools and techniques deployed at Black Lives Matter protests and argue that their implementation engenders uneven outcomes concerning mobility, space, and power. To illustrate, I investigate three specific forms and formats of technological surveillance: cell-site simulators, aerial surveillance technology, and social media monitoring tools. These tools and techniques allow police forces to transcend the spatial-temporal bounds of protests, facilitating the arrests and subsequent punishment of targeted dissidents before, during, and after physical demonstrations. Moreover, I argue that their unequal use exacerbates the social precarity experienced by the participants of demonstrations as well as the racial criminalization inherent in the policing of majority Black and Brown gatherings. Through these technological mediums, law enforcement agents are able to shape the physical and ideological dimensions of Black Lives Matter protests. I rely on interdisciplinary scholarly inquiry and the on- the-ground experiences of Black Lives Matter protestors in order to support these claims. In aggregate, I refer to this geographic phenomenon as the spatial struggle of protests. II Acknowledgements I extend my sincerest gratitude to my advisor and former professor, Joel Wainwright. Without your guidance and critical feedback, this thesis would not have been possible.
    [Show full text]
  • Advocating for Basic Constitutional Search Protections to Apply to Cell Phones from Eavesdropping and Tracking by Government and Corporate Entities
    University of Central Florida STARS HIM 1990-2015 2013 Brave New World Reloaded: Advocating for Basic Constitutional Search Protections to Apply to Cell Phones from Eavesdropping and Tracking by Government and Corporate Entities Mark Berrios-Ayala University of Central Florida Part of the Legal Studies Commons Find similar works at: https://stars.library.ucf.edu/honorstheses1990-2015 University of Central Florida Libraries http://library.ucf.edu This Open Access is brought to you for free and open access by STARS. It has been accepted for inclusion in HIM 1990-2015 by an authorized administrator of STARS. For more information, please contact [email protected]. Recommended Citation Berrios-Ayala, Mark, "Brave New World Reloaded: Advocating for Basic Constitutional Search Protections to Apply to Cell Phones from Eavesdropping and Tracking by Government and Corporate Entities" (2013). HIM 1990-2015. 1519. https://stars.library.ucf.edu/honorstheses1990-2015/1519 BRAVE NEW WORLD RELOADED: ADVOCATING FOR BASIC CONSTITUTIONAL SEARCH PROTECTIONS TO APPLY TO CELL PHONES FROM EAVESDROPPING AND TRACKING BY THE GOVERNMENT AND CORPORATE ENTITIES by MARK KENNETH BERRIOS-AYALA A thesis submitted in partial fulfillment of the requirements for the Honors in the Major Program in Legal Studies in the College of Health and Public Affairs and in The Burnett Honors College at the University of Central Florida Orlando, Florida Fall Term 2013 Thesis Chair: Dr. Abby Milon ABSTRACT Imagine a world where someone’s personal information is constantly compromised, where federal government entities AKA Big Brother always knows what anyone is Googling, who an individual is texting, and their emoticons on Twitter.
    [Show full text]
  • How to Install and Use True Crypt
    How to Install and Use True Crypt A download can be found for windows, Mac, or Linux on https://truecrypt.ch/downloads/ As of 9/22/14 the latest windows version is 7.1A. Table of Contents Installation on Windows .............................................................................................................................. 2 Encrypt an entire USB or portable hard drive ............................................................................................. 5 Create new container on USB or portable hard drive............................................................................... 12 How to Mount/Dismount a TrueCrypt container ..................................................................................... 18 Installation on Windows 1. Download the latest version of TrueCrypt and run the exe. 2. Accept the license agreement. 3. Next you have the option to install or extract this installation of TrueCrypt. If you will be accessing TrueCrypt containers very often then it would be best to install it. 4. Next select the installation location, preferences, and click install. 5. TrueCrypt will now install and after installation you can find the program in the program files directory or on the start menu. 6. Run the TrueCrypt program to bring up the main screen. Encrypt an entire USB or portable hard drive 1. Insert a USB or portable hard drive in the computer with TrueCrypt installed. 2. Run TrueCrypt, and select “Create Volume”. 3. Select the option to “Encrypt a non-system partition/drive”. 4. Next, you may select a Standard volume or a hidden volume. If you are unsure, leave the default “Standard TrueCrypt volume” selected and click next. 5. Click the “Select Device” button and select the drive that is the USB or portable hard drive. Then click Next. 6. Next, you can choose to format the entire drive and encrypt it (faster), or if there is data on the USB drive you can also use the option to “Encrypt partition in place”.
    [Show full text]
  • Shotgun Licence Change of Address West Yorkshire
    Shotgun Licence Change Of Address West Yorkshire Whole and significative Lovell never submerse his nereids! Sebastian is remittently called after anteorbital Fleming effervesce his toxoids maturely. Priest-ridden Zack expects some Rotorua after qualifiable Yaakov underdraws mutationally. Mailing Address P Police arrested four trout from Nelson and Augusta counties on. For strong new licence variation transfer or forward it will do store on the. Firearms Licensing DepartmentSouth Yorkshire Police HQCarbrook House5 Carbrook Hall. Half the sentence as be served on licence Sheffield Crown point was told. Their teams through organisational change build successful relationships with partners. A copy of your passport or driving licence small arms 190's you will receive gold what is cross the picture. Ralph christie over the confidential online at all his workers is highly effective time of change of shotgun licence address west yorkshire police action the chief of the morbid sense of the. At far West Yorkshire Police science in Wakefield Judith met with by new. Changes of name address or any contact information must be submitted using an amendment form. Category of Mental Illness According to federal law individuals cannot carry a gun if however court such other object has deemed them to mental defective or committed them involuntarily to acute mental hospital. To the designation of funny hot zone to head only suitably trained firearms officers can go. Documentation required for Reader Registration. Firearm Dealership Land Nomination Forms Notification of disease Transfer. Further delay of the west yorkshire police force the public engagement and supersede any measures as banking information to! On wix ads.
    [Show full text]
  • Win Big with [Insert Open Source App Here] Win Big with Open Source
    Win Big with [Insert Open Source App Here] Win Big With Open Source Introductions Dave Nevala – Lukins & Annis Jerry Askew – Askew Network Solutions Win Big With Open Source No Licensing Headaches High Quality – peer reviewed Paid Support Available If you want a feature, add it! OSS can’t be discontinued or sold Win Big With Open Source KeePass – Password Manager Zotero – Web Research Manager 7-Zip – Fast Archiver Truecrypt – Disk Encryption PDF Creator Ntop – Network Analyzer Prey – Loss Prevention Win Big With KeePass What is KeePass? Password Management Database Strong Password Generator Hot-key login Obfuscation techniques Multi-platform Download for free http://keepass.info/ Win Big With KeePass Password Database Strong Encryption Can be opened with single password Win Big With KeePass Why KeePass? No need for PostIt notes, slips of paper, etc. Easy to have unique strong passwords Turn off auto form fill Win Big With KeePass Ports KeePassPPC & KeePassSD – PassDrop - iPhone/iPad PocketPC KeePassDroid – Android 7Pass - Windows Phone KeePassMobile - J2ME MiniKeePass - iPhone/iPad KeePassJ2ME - J2ME SyncPass - iPhone/iPad KeePassBB – BlackBerry iKeePass - iPhone/iPad KeePassBB2 – BlackBerry MyKeePass - iPhone/iPad Export to Keyring - Palm OS KyPass - iPhone/iPad KeePassX - Linux / Mac OS X Win Big With KeePass Share with multiple devices Portable version (run from folder) Keep database on flash drive or dropbox Win Big With KeePass Alternatives Last pass (requires to be online) KeePassX (requires to be online) 1Password (Mac and Linux)
    [Show full text]
  • The Internet Organised Crime Threat Assessment (IOCTA) 2015
    The Internet Organised Crime Threat Assessment (IOCTA) 2015 2 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 3 TABLE OF FOREWORD 5 CONTENTS ABBREVIATIONS 6 EXECUTIVE SUMMARY 7 KEY FINDINGS 10 KEY RECOMMENDATIONS 12 SUGGESTED OPERATIONAL PRIORITIES 15 INTRODUCTION 16 MALWARE 18 ONLINE CHILD SEXUAL EXPLOITATION 29 PAYMENT FRAUD 33 SOCIAL ENGINEERING 37 DATA BREACHES AND NETWORK ATTACKS 40 ATTACKS ON CRITICAL INFRASTRUCTURE 44 CRIMINAL FINANCES ONLINE 46 CRIMINAL COMMUNICATIONS ONLINE 50 DARKNETS 52 BIG DATA, IOT AND THE CLOUD 54 THE GEOGRAPHICAL DISTRIBUTION OF CYBERCRIME 57 GENERAL OBSERVATIONS 62 APPENDICES 67 A1. THE ENCRYPTION DEBATE 67 A2. AN UPDATE ON CYBER LEGISLATION 70 A3. COMPUTER CRIME, FOLLOWED BY CYBERCRIME FOLLOWED BY …. ROBOT AND AI CRIME? 72 4 THE INTERNET ORGANISED CRIME THREAT ASSESSMENT (IOCTA) 2015 FOREWORD These include concrete actions under the three main mandated Threat Assessment (IOCTA), the annual presentation of the areas – child sexual exploitation, cyber attacks, and payment I am pleased to present the 2015 Internet Organised Crime fraud – such as targeting certain key services and products Centre (EC3). offered as part of the Crime-as-a-Service model, addressing the cybercrime threat landscape by Europol’s European Cybercrime growing phenomenon of live-streaming of on-demand abuse of children, or targeted actions with relevant private sector partners ofUsing cybercrime the 2014 for report the asperiod a baseline, under this consideration. assessment Itcovers offers the a cross-cutting crime enablers such as bulletproof hosting, illegal viewkey developments, predominantly changes from a lawand enforcement emerging threats perspective in the based field tradingagainst onlinesites on payment Darknets fraud.
    [Show full text]
  • OPERATION POTAO EXPRESS Analysis of a Cyber-Espionage Toolkit
    OPERATION POTAO EXPRESS Analysis of a cyber-espionage toolkit Robert Lipovsky, Anton Cherepanov EXECUTIVE SUMMARY The Operation Potao Express whitepaper presents ESET’s latest findings based on research into the Win32/Potao malware family. Even though the malware was detected long ago by ESET and a few other anti-virus companies, it hasn’t received any public attention since 2011, when the first known samples were detected. Like BlackEnergy (a.k.a. Sandworm, Quedagh), Potao is an example of targeted espionage (APT) malware detected mostly in Ukraine and a number of other CIS countries, including Russia, Georgia and Belarus. Among the victims that we were able to identify, the most notable high-value targets include Ukrainian government and military entities and one of the major Ukrainian news agencies. The malware was also used to spy on members of MMM, a financial pyramid scheme popular in Russia and Ukraine. One of the most interesting discoveries during our Potao investigation and research was the connection to a Russian version of the now discontinued popular open-source encryption software, TrueCrypt. The website truecryptrussia.ru has been serving a Russian language localized version of the TrueCrypt application that also contains a backdoor, in some specific cases. The trojanized version of the application is only served to selected victims which is another indicator of targeting by the malware operators and also one the reasons why the backdoor has gone unnoticed for such a long time. In addition to serving trojanized TrueCrypt, the domain also acted as a C&C server for the backdoor. The connection to Potao lies in the fact that Win32/Potao has been downloaded in a few cases by Win32/FakeTC (ESET detection name of the trojanized encryption software).
    [Show full text]
  • Eurojust Report on Drug Trafficking – Experiences and Challenges in Judicial Cooperation
    Eurojust Report on Drug trafficking Experiences and challenges in judicial cooperation April 2021 Criminal justice across borders Eurojust Report on Drug Trafficking – Experiences and challenges in judicial cooperation Table of Contents Executive summary ................................................................................................................................ 2 1. Introduction ................................................................................................................................... 4 2. Scope and methodology ................................................................................................................. 4 3. Casework at a glance ...................................................................................................................... 6 4. Specific issues in international judicial cooperation on drug trafficking cases ................................... 7 4.1. New Psychoactive Substances and precursors .......................................................................... 7 4.2. Cooperation with third countries ........................................................................................... 10 4.2.1. Cooperation agreements ................................................................................................ 12 4.2.2. Eurojust’s network of Contact Points .............................................................................. 13 4.2.3. Countries without a formal form of cooperation ............................................................
    [Show full text]