Tom Olzak

Posts Tagged ‘Encryption’

Another Encryption Perspective

In Access Controls, Application Security, Cyber-warfare, Cybercrime, Data Security on July 9, 2015 at 14:36

Hacking Team solutions aren’t the only ways government has to access encrypted information.  Most large government agencies have their own tools that perform the same tasks: capturing encrypted data when it’s not encrypted.  All data must be decrypted to be used or processes.  That is when it is most vulnerable.  So why the debate?  Ii discuss this in a Toolbox.com blog entry posted today.

Is Encryption a Right?

In Access Controls, Application Security, Encryption, Government on July 8, 2015 at 04:00

With governments beginning to make noise again about weakening encryption, several security professionals have come out against any moves to do this.  But does government have the right to take away our right to privacy?

Absolute privacy can be a national security issue.  But so is weakening business and critical infrastructure security in the name of protecting society.  The question I’ve been asking myself is whether strong encryption is a right: a right no government has the “right” to take from us.

In the U.S., our government has repeatedly resisted demands to limit the strength of encryption via things like backdoors and weak algorithms.  In the 1990’s, when these issues were dealt with, many believed the “crypto wars” were over.

“But they may not have realized that we would be on the brink of a similar battle over the right to use strong encryption some 15 years later. That’s why the key takeaway from the conflict is that weakening or undermining encryption is bad for the U.S. economy, Internet security, and civil liberties—and we’d be far better off if we remembered why the Crypto Wars turned out they way they did, rather than repeating the mistakes of the past” (Danielle Kehl, 2015).

It’s time to resolve this.  Congress and the People need to decide whether absolute privacy is a right in view of the internal and external threats we face as individuals, as organizations, and as a nation.  When deciding, we should keep in mind the following:

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” (4th Amendment of the U.S. Constitution).

Whatever we decide, a balance must be struck between security and our right to manage our lives as we see fit without interference by government.  The only exception is when living as we choose causes harm to others.

Help for the Clueless

In Data Security, Email, Mobile Device Security, Network Security, Risk Management, Uncategorized on July 15, 2009 at 08:06

For the past four years, I haven’t connected to any public hotspot unless I was using a service which encrypts my session over the local network unless I was doing someone not even remotely important online.  I did this—and continue to do so—because it’s been common knowledge for at least long that connecting to public wireless is like posting your personal information on a bulletin board in the parking lot; it’s available to anyone interested in looking.

So why are so many users still connecting to hotel, airport, coffee shop, rogue, and restaurant public wireless networks and sending passwords, PINs, and other sensitive information in the clear?  A few years ago we might have given them the benefit of the doubt.  But today there is enough information available from numerous sources to ensure every computer user has at least heard that public wireless is dangerous.  In my opinion, the problem is they can’t be bothered or they have no clue how to protect themselves.

Evidence of the problem showed up recently in an online article in which the author writes,

“Much of the time, people just log in to the first robust network they see,” says AirTight spokeswoman Della Lowe. “When we did our airport study, we found only 3 percent of the people were using secure networks.” (Wireless Cybercriminals Target Clueless Vacationers, Fox Charlotte, 11 Jul 2009)

As security professionals, we may need to speak a little louder about solutions for this growing—and largely ignored—problem.  Every chance we get we should discuss with our mobile business users, acquaintances, and anyone else who will listen how to protect themselves, including:

  1. Resisting the urge connect to the first hotspot they see without giving it some thought and without protecting their user session
  2. Using HTTPS protected Web mail, such as Gmail
  3. Using online VPN services, such as WiTopia or ShareVPN, both fee-based but inexpensive

Going beyond one-off user solutions, organizations with more than a few mobile users should encourage or force their users to access the Internet via a company-hosted VPN solution, such as SSL VPN.  Under no circumstances should company laptops access the Web via public hotspots unless the sessions are encrypted, at least through the hotspot infrastructure.

Send secure email free, including attachments

In Data Security, Email on July 7, 2009 at 18:48

The other day (or once upon a time, whatever), I tried to use Gmail to send an attachment encrypted with SecureZIP.  I was quickly reminded by the Google email service that it didn’t allow encrypted attachments.  So I tried our restaurant’s Yahoo mailbox.  Same result.  I needed to send a secure attachment, and I didn’t want to sign up for a for-fee service to do so.  So I searched the Web for a free secure mail service.  I found two which show promise: Lockbin.com and SendInc.com.

Lockbin.com was simple to use.  After accepting the user agreement and entering a CAPTCHA string, I was presented with the text entry form shown below.  Since the connection established with the site was encrypted (HTTPS), anything I entered and sent was safe from unauthorized sets of eyes.

Lockbin Text Entry

I entered a short test message and clicked Continue.  The next window (below) prompted for a password to lock the message until picked up by the recipient.  The password, or “Secret Word,” has to be sent to the person receiving the message via standard email, phone call, text message, etc.  I entered a password and clicked Continue.

linkbinword 

Finally I was prompted for my name, my email address and the recipient’s email address.  I was also shown how the alert message would look when it showed up in the destination mailbox.  The text was not editable at this point.  Clicking enter again, the message was sent. 

Since I had sent the test message to one of my addresses, an alert quickly appeared in my mailbox (shown below) letting me know I had a secure message to retrieve.  To read the message, I clicked the link as instructed.  This opened a secure session with Lockbin.com.  After entering the password I provided when I sent the message, I was shown the message text.  Simple, but not quite what I needed.

lockbinMail

There are two potential issues with Lockbin.  First, the sent email is deleted from the Lockbin server as soon as the recipient opens it.  If the person you correspond with doesn’t understand this, you might find yourself resending it.

Second, Lockbin doesn’t support attachments.  This is OK if what you want to share is a small list of private data.  However, I needed to send a complete document.  So on to SendInc.

Like Lockbin, SendInc is a free secure email service which requires no downloads.  But unlike the first solution, SendInc is a better fit for home office or small business use.

With SendInc, I can send up to twenty messages per day.  This would be a serious limitation for larger businesses, but it’s fine for my needs.  And although there is a send limit, I can receive an unlimited number of secure messages.  The best thing about SendInc, however, is that I can include attachments up to 10 MB.

With Lockbin, no account is necessary.  This is not true with SendInc.  This is probably due to the eventual offering of a for-fee service for users with a need for more than 20 outgoing secure messages per day.  SendInc knew immediately after I entered my email address that I didn’t have an account.  I was presented with an account activation form.  Once the form was complete, I entered an activation code sent as the final form completion step.  Now I was ready to enter the test message, as shown below.

SendMailEntry

After entering my test message and attaching a 5 MB Word attachment, I clicked the send button at the bottom of the form.  The email was  immediately processed, and I received a notification in my Gmail account.  The following image shows the contents of the alert.

Sendincreceived

Again, I simply clicked the provided link to establish a secure session with SendInc.  However, the Gmail account I sent the message to was not registered with SendInc.  So I was required to activate an associated account with a form similar to the one I completed when activating the sending account, as shown in the following image. 

SendActivate

Once both accounts were activated, I was able to send and receive secure messages with them by supplying the relevant passwords.  Messages once processed are not retained by SendInc.

Both of these solutions work as advertised.  Neither are perfect, and I wouldn’t use them to share national defense secrets.  But I don’t deal with national security issues.  For quick messages without an attachment, Lockbin is certainly easier to use.  For attachments, there is always SendInc.

%d bloggers like this: