Encrochat busted by NCA


pip t

1,365 posts

167 months

Thursday 2nd July 2020
I've never quite understood the point of these services like 'Encrochat' these days.

End to end encrypted messaging services are widely available in the public realm (Signal, Wickr, even bloody WhatsApp) plus pretty highly secured consumer handsets.

Buy payg SIM card with cash. Buy iPhone, or Android if you know how to set it up securely, with cash. Set up without attaching it to any of your 'real name' accounts or services. Ensure you use a decent alphanumeric passcode on your handset. Ensure you don't have iCloud backup turned on. Or Google Drive back up. Hey presto, one pretty anonymous and protected phone, with e2e messaging. Without getting involved with specialist encrypted services, being a customer of which I'd have thought is a pretty big red flag.

Edited by pip t on Thursday 2nd July 23:38

98elise

26,572 posts

161 months

Friday 3rd July 2020
Earthdweller said:
I’m firmly in the camp of not telling the enemy everything

Some things are better left unsaid

There are mechanisms to protect the methods and the source available in the legal system

I wonder whether it’s another case of politics getting in the way of effective policing

Politicians wanting a “big” success to crow about
When the trials start, the evidence will show that they were able to read their communications. No point trying to hide methods that will become public.

If you really believe it's political, then the big news is the raids and the arrests. People like watching police battering doors down and arresting crooks. Intelligence stuff is not glamorous.

I suspect any intelligence methods that won't be exposed at the trial will remain "unsaid". The intelligence services are not stupid. You may even find they are using the press to misdirect the public (and the "enemy") about their methods.

Pothole

34,367 posts

282 months

Friday 3rd July 2020
pip t said:
I've never quite understood the point of these services like 'Encrochat' these days.

End to end encrypted messaging services are widely available in the public realm (Signal, Wickr, even bloody WhatsApp) plus pretty highly secured consumer handsets.

Buy payg SIM card with cash. Buy iPhone, or Android if you know how to set it up securely, with cash. Set up without attaching it to any of your 'real name' accounts or services. Ensure you use a decent alphanumeric passcode on your handset. Ensure you don't have iCloud backup turned on. Or Google Drive back up. Hey presto, one pretty anonymous and protected phone, with e2e messaging. Without getting involved with specialist encrypted services, being a customer of which I'd have thought is a pretty big red flag.

Edited by pip t on Thursday 2nd July 23:38
OCG members don't have a great rep for being clever.

Taita

7,603 posts

203 months

Friday 3rd July 2020
Pothole said:
pip t said:
I've never quite understood the point of these services like 'Encrochat' these days.

End to end encrypted messaging services are widely available in the public realm (Signal, Wickr, even bloody WhatsApp) plus pretty highly secured consumer handsets.

Buy payg SIM card with cash. Buy iPhone, or Android if you know how to set it up securely, with cash. Set up without attaching it to any of your 'real name' accounts or services. Ensure you use a decent alphanumeric passcode on your handset. Ensure you don't have iCloud backup turned on. Or Google Drive back up. Hey presto, one pretty anonymous and protected phone, with e2e messaging. Without getting involved with specialist encrypted services, being a customer of which I'd have thought is a pretty big red flag.

Edited by pip t on Thursday 2nd July 23:38
OCG members don't have a great rep for being clever.
The ones who get caught aren't no :P

Evanivitch

20,075 posts

122 months

Friday 3rd July 2020
pip t said:
I've never quite understood the point of these services like 'Encrochat' these days.
It had additional features, like the ability to clear messages from devices after a set time period, and an e-purge facility to remove all the information immediately.

Also, whilst WhatsApp has been increasingly rigid in its position, it does face constant pressure from the UK Government to introduce back door access to the software.

Big Rig

8,852 posts

187 months

Friday 3rd July 2020
Fascinating subject hacking, can anyone explain how they actually did it?

Carl_Manchester

12,196 posts

262 months

Friday 3rd July 2020
GDPR does not apply to you if you are an Esher/Chislehurst Drug Lord kingpin with £5m in cash lying in the bedroom of a council estate terrace house.

My understanding of iMessage and WhatsApp is that even though the messages can’t be handed over to the police, a) the phone numbers, location and usernames of the source and destination of said messages are, i.e. if you are in a WhatsApp group all the members can be identified, and b) Android/iPhone handsets can be more easily compromised.

These Encrochat handsets operate more like military hardware, designed to conceal and hide to a much higher level. You don’t know the source, the destination or the location, and even if you find one during a drugs raid, compromising one is much harder. That’s why in the end, the security compromise/hack came from the server side and not the device end.

Murph7355

37,711 posts

256 months

Friday 3rd July 2020
Big Rig said:
Fascinating subject hacking, can anyone explain how they actually did it?
Send an email to Joe Lag at Pentonville Rd along the lines of "Dear Lag, I'm Mr Umboogoo and I have a business proposition...." or "This is Lloyds Bank. We have important information about the ill gotten gains in your account. Please open the attached spreadsheet/link". Joe Lag does as he's told in the email, plod get his account details. Job jobbed.

Or plod find Joe Lag's phone, turn it on and use 'password1234' et voila.

Modern crypto is very difficult to break if the people implementing are careful. The biggest vulnerabilities are the idiots using the system.

anonymous-user

Original Poster:

54 months

Friday 3rd July 2020
untakenname said:
Condi said:
untakenname said:
The article mentions that 90% of the French users were criminals but that still leaves 10% which surely have had their data violated in contravention of GDPR?
GDPR still allows for law enforcement to use data legitimately.
I'm not sure it does. Using similar reasoning, if people on the same ISP (say BT or Virgin for example) look at something dodgy, does that give the crime agency the right to intercept and look through all of the ISP's users' data?
Under the IPA the innocent 10% you're referring to are termed collateral intrusion. The act allows this data to be obtained along with the naughty 90% as long as it's necessary and proportionate to what you're trying to achieve. Any data obtained under collateral intrusion must not be acted upon but must be stored for disclosure in the appropriate secure way. In essence, if your data is collected as collateral intrusion then it ends up in an incredibly secure database held by a law agency where nothing is done with it, when it would previously be held on a less secure database by the service provider.

In the case of EncroChat and the amount of cash, drugs and weapons seized, it's certainly proportionate.

clio007

542 posts

225 months

Friday 3rd July 2020
pip t said:
I've never quite understood the point of these services like 'Encrochat' these days.

End to end encrypted messaging services are widely available in the public realm (Signal, Wickr, even bloody WhatsApp) plus pretty highly secured consumer handsets.

Buy payg SIM card with cash. Buy iPhone, or Android if you know how to set it up securely, with cash. Set up without attaching it to any of your 'real name' accounts or services. Ensure you use a decent alphanumeric passcode on your handset. Ensure you don't have iCloud backup turned on. Or Google Drive back up. Hey presto, one pretty anonymous and protected phone, with e2e messaging. Without getting involved with specialist encrypted services, being a customer of which I'd have thought is a pretty big red flag.

Edited by pip t on Thursday 2nd July 23:38
You think it's about buying a phone with cash and not entering your real name when logging into your Apple account?

The Police can find out all mobile phones at your address quite easily without them being registered to you. They will know all of the local high level criminals, where they live etc. That's just basic intelligence.

rxe

6,700 posts

103 months

Friday 3rd July 2020
clio007 said:
You think it's about buying a phone with cash and not entering your real name when logging into your Apple account?

The Police can find out all mobile phones at your address quite easily without them being registered to you. They will know all of the local high level criminals, where they live etc. That's just basic intelligence.
But they have to prove it and that's the challenge.

Systems like Encrochat will not work like ordinary phones. You don't get a message from 0745402040. You get a message from #45m5489-0 - which doesn't resolve to an identity the police can use. You know that this user id is Fred, but anyone casually looking at the phone doesn't know this. The plod know it is your phone, they know it is at the address, but they can't see message history on it, and they can't (normally) "see" the data because it is encrypted. The crim can't be busted for refusing to decrypt because they can decrypt .... and there's nothing there.

You could do the whole thing in software using an app like Signal, which seems pretty robust. It is open source, so you can review the code that is going onto your machine if you have the skills to do so. You remain vulnerable to your endpoint (Fred) saving all his messages and/or working for the police. If I was going to do this, I'd take a version of Signal, modify it to delete on read (enforced), and do whatever I could to make it a closed network for my "gang". If I wanted to be much more secure (proper paranoia level), I'd make it work over bluetooth and make sure local gangs had some physical point that they all passed every week. You wouldn't need the mobile network at that point.

pip t

1,365 posts

167 months

Friday 3rd July 2020
clio007 said:
You think it's about buying a phone with cash and not entering your real name when logging into your Apple account?

The Police can find out all mobile phones at your address quite easily without them being registered to you. They will know all of the local high level criminals, where they live etc. That's just basic intelligence.
That's a fairly gross oversimplification of what I said (which was actually an oversimplification in itself, I admit). Indeed, if you just do those two things, there will be little problem in tracing you. However, with judicious use of software, being extremely careful about how you set it up (including what network connections you use to set it up), being extremely careful where you use it, and over what connections, I'd maintain it's possible to get close to an EncroChat type setup without using that kind of service.

rxe said:
But they have to prove it and that's the challenge.

Systems like Encrochat will not work like ordinary phones. You don't get a message from 0745402040. You get a message from #45m5489-0 - which doesn't resolve to an identity the police can use. You know that this user id is Fred, but anyone casually looking at the phone doesn't know this. The plod know it is your phone, they know it is at the address, but they can't see message history on it, and they can't (normally) "see" the data because it is encrypted. The crim can't be busted for refusing to decrypt because they can decrypt .... and there's nothing there.
However if somebody has been competent and disciplined in the set up and use of '0745402040' that can potentially lead to the same kind of dead end as '#45m5489-0.'

rxe said:
You could do the whole thing in software using an app like Signal, which seems pretty robust. It is open source, so you can review the code that is going onto your machine if you have the skills to do so. You remain vulnerable to your endpoint (Fred) saving all his messages and/or working for the police. If I was going to do this, I'd take a version of Signal, modify it to delete on read (enforced), and do whatever I could to make it a closed network for my "gang". If I wanted to be much more secure (proper paranoia level), I'd make it work over bluetooth and make sure local gangs had some physical point that they all passed every week. You wouldn't need the mobile network at that point.
This is my point really. With care and competence it's perfectly possible to set up something with a similar level of protection as a service like EncroChat, without actually becoming a customer of something that may arouse suspicion.

Reading your post of course does lead me to realising the point of the commercial services like EncroChat is that it takes away some of the risk of compromise through the incompetence or sheer laziness of the user. You remove the possibility of someone accidentally turning on or using a software feature that will compromise you on a 'normal' consumer handset.

Perfectly summed up here:

Murph7355 said:
Modern crypto is very difficult to break if the people implementing are careful. The biggest vulnerabilities are the idiots using the system.
EncroChat and the like remove the 'idiot' vulnerability as far as that's possible.

Cheburator mk2

2,991 posts

199 months

Friday 3rd July 2020
Carl_Manchester said:
GDPR does not apply to you if you are an Esher/Chislehurst Drug Lord kingpin with £5m in cash lying in the bedroom of a council estate terrace house.
We do have drug kingpins in Chislehurst (probably with £5mm of cash on hand), but they don't live in council estate terraced houses as there are none in Chislehurst.

random_username

143 posts

100 months

Friday 3rd July 2020
Big Rig said:
Fascinating subject hacking, can anyone explain how they actually did it?
The Vice article talks about them compromising the phones in order to get the data - as someone said earlier, you find a vulnerability in the system (e.g. you can install additional apps by sending someone a malformed image) - but the volume of data they have collected doesn't make me think that's the way it's been done - it sounds like they compromised a high proportion of the devices rather than just one or two.

If I were to guess, assuming the details in the Vice article are accurate, they compromised the system update servers for Encrochat, added in some back doors and monitoring tools to the phone OS and waited for all the phones to get system/application updates, or used redirection / man in the middle attacks to push fake updates to the phones with the cooperation of the phone networks.

If you have enough leverage to ensure cooperation from the service providers, that would be the easiest way - you strong-arm the "offshore" hosting company into allowing you physical/direct access to their server, then off you go.
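Both routes sketched in the post above (a compromised update server, or fake updates pushed down a man-in-the-middle path with the network's cooperation) only work against a handset that installs whatever the update channel delivers. The standard defence is for the device to verify every update against a vendor public key pinned in the firmware, independent of the server and of the transport, so that owning the server or the wire is not enough without also stealing the offline signing key. The Go program below is an added illustration of that check; it is not EncroChat's code or any real vendor's release pipeline, the key pair, version strings and payloads are constructed for the demo, and `SignUpdate`, `VerifyUpdate` and `manifestDigest` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdatePackage models a downloaded system/app update: a version string, the
// payload bytes, and a detached signature over a digest of both.
type UpdatePackage struct {
	Version   string
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned for any update the pinned key does not vouch for.
var ErrBadSignature = errors.New("update rejected: signature does not verify against pinned vendor key")

// manifestDigest binds the version string and the payload together, so a valid
// signature for one version/payload pair cannot be replayed onto another.
func manifestDigest(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator so "1.0"+"x" and "1.0x"+"" cannot collide
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate models the vendor's offline release step (hypothetical; the
// signing key never lives on the update server).
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	sig := ed25519.Sign(priv, manifestDigest(version, payload))
	return UpdatePackage{Version: version, Payload: payload, Signature: sig}
}

// VerifyUpdate is the handset-side check. It trusts only the key baked into
// the firmware, never a key delivered alongside the update or implied by the
// server's TLS certificate, so a compromised or impersonated update server
// cannot push code it did not have the release key to sign.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinned, manifestDigest(pkg.Version, pkg.Payload), pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed key pair standing in for the vendor's release key.
	pub, priv, _ := ed25519.GenerateKey(nil)
	good := SignUpdate(priv, "1.4.2", []byte("constructed update payload"))
	fmt.Println("genuine update:", VerifyUpdate(pub, good))

	// Model of a backdoored update served from a compromised server or via a
	// man-in-the-middle: same version string, modified payload.
	tampered := good
	tampered.Payload = []byte("constructed update payload + implant")
	fmt.Println("tampered update:", VerifyUpdate(pub, tampered))

	// An attacker who controls the server but not the release key can only
	// re-sign with a key of their own; the pinned key rejects it.
	_, attackerPriv, _ := ed25519.GenerateKey(nil)
	resigned := SignUpdate(attackerPriv, "1.4.3", []byte("anything"))
	fmt.Println("re-signed by unknown key:", VerifyUpdate(pub, resigned))

	fmt.Println("manifest digest:", hex.EncodeToString(manifestDigest("1.4.2", good.Payload)))
}
```

Pinning the key moves the attacker's target from the server to the offline signing key itself, which is why release keys are kept off the update infrastructure entirely and why a real scheme also needs a rollover/revocation path and a monotonic version check so an old, genuinely signed update cannot be replayed.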

Ratski83

952 posts

73 months

Friday 3rd July 2020
Big Rig said:
Fascinating subject hacking, can anyone explain how they actually did it?
From what I read French/Dutch Police somehow located the servers and gained access to them and then uploaded some fancy bug which gathered all the data.

It had been going on for a few months before Encrochat admins realised and sent the warning message to users.

Interesting to read there were a few bent coppers with handsets.

untakenname

4,969 posts

192 months

Friday 3rd July 2020
Post from 2016 points to the company being government-controlled, so basically a honeypot set up with the express idea from the start to lure in criminals, or if not at the start then very early on in the company's, which was probably why no enforcement action was taken against the company.

https://medium.com/@fordnic/evidence-suggests-encr...

View of the webpage from the Wayback Machine from the same time as the article above; why any criminal would use it after that I don't know.
https://web.archive.org/web/20160713025449/http://...

sebdangerfield said:
Under the IPA the innocent 10% you're referring to are termed collateral intrusion. The act allows this data to be obtained along with the naughty 90% as long as it's necessary and proportionate to what you're trying to achieve. Any data obtained under collateral intrusion must not be acted upon but must be stored for disclosure in the appropriate secure way. In essence, if your data is collected as collateral intrusion then it ends up in an incredibly secure database held by a law agency where nothing is done with it, when it would previously be held on a less secure database by the service provider.

In the case of EncroChat and the amount of cash, drugs and weapons seized, it's certainly proportionate.
Interesting, didn't realise that. Wonder what percentage is the tipping point for collateral intrusion?

Carl_Manchester

12,196 posts

262 months

Friday 3rd July 2020
Cheburator mk2 said:
Carl_Manchester said:
GDPR does not apply to you if you are an Esher/Chislehurst Drug Lord kingpin with £5m in cash lying in the bedroom of a council estate terrace house.
We do have drug kingpins in Chislehurst (probably with £5mm of cash on hand), but they don't live in council estate terraced houses as there are none in Chislehurst.
You would be surprised, there are around 500, plenty on the Mottingham border.

Easy driving distance from Woodlands Road on Bickley park.

Dealing is absolutely endemic in that part of the world and it wouldn’t surprise me if a few local stories start popping up on News Shopper related to this bust.

anonymous-user

Original Poster:

54 months

Friday 3rd July 2020
Carl_Manchester said:
Cheburator mk2 said:
Carl_Manchester said:
GDPR does not apply to you if you are an Esher/Chislehurst Drug Lord kingpin with £5m in cash lying in the bedroom of a council estate terrace house.
We do have drug kingpins in Chislehurst (probably with £5mm of cash on hand), but they don't live in council estate terraced houses as there are none in Chislehurst.
You would be surprised, there are around 500, plenty on the Mottingham border.

Easy driving distance from Woodlands Road on Bickley park.

Dealing is absolutely endemic in that part of the world and it wouldn’t surprise me if a few local stories start popping up on News Shopper related to this bust.
God love the NewsShopper

Digga

40,317 posts

283 months

Friday 3rd July 2020
Carl_Manchester said:
Cheburator mk2 said:
Carl_Manchester said:
GDPR does not apply to you if you are an Esher/Chislehurst Drug Lord kingpin with £5m in cash lying in the bedroom of a council estate terrace house.
We do have drug kingpins in Chislehurst (probably with £5mm of cash on hand), but they don't live in council estate terraced houses as there are none in Chislehurst.
You would be surprised, there are around 500, plenty on the Mottingham border.

Easy driving distance from Woodlands Road on Bickley park.

Dealing is absolutely endemic in that part of the world and it wouldn’t surprise me if a few local stories start popping up on News Shopper related to this bust.
Talking to a mate about this last night. A friend of his has been involved in the op. Talked about an empty house in W Mids, which had been bought just as a place to store the cash.

Anyway, apropos of the operation overall, kudos to the police and security services. This is a really big deal and will hopefully leave our streets a good deal safer.

The police are getting increasingly innovative and creative in their forensic electronics. It's good to see.

Stussy

1,834 posts

64 months

Friday 3rd July 2020
This is a very interesting video generally about transatlantic cables and data, but it also touches on how, when an ISP’s data passes through the U.K., it allows direct access to that data by GCHQ.
It does make you wonder just how much everyday data is analysed and looked at.

https://youtu.be/K_nnUbX7uuQ