New Ways to Keep Hackers Out of Your Business
Encryption isn’t typically something we hear too much about, even though most people use it every day unknowingly. When we surf the Web, for example, Secure Sockets Layer (SSL) is what establishes an encrypted link between a Web server and a browser.
If your eyes are already starting to glaze over, stick with me.
You’d be surprised how interesting encryption can be, and the rapidly-evolving mobile space has a lot to do with it.
Did you know, for example, that health care workers who text patient information to each other to save time can be breaking HIPAA privacy laws? Or that drug gangs are using their own encrypted cellular towers to do business under the radar? And in Africa, encrypted mobile phone messages are creating an all-new commerce and banking infrastructure? It’s some pretty intriguing stuff.
While you might think of encryption as something we’ve been using only since the advent of computers, it’s really a rather old practice. "Encryption is based upon a secret," says Davi Ottenheimer, expert on the Focus network and founder of San Francisco-based security consulting firm flyingpenguin, who likes to cite Julius Caesar and Thomas Jefferson as examples of historical figures who have hidden things by using cryptography.
Caesar used a substitution cipher to communicate with his generals that involved replacing the letters in a message with a shifted alphabet. For instance, a shift of three would make all the As in message Ds; Bs would become Es, and so forth.
Jefferson used a type of wheel cipher during the Revolutionary War that involved 36 disks stacked on an axle, each with a different version of a scrambled alphabet on the outer edge. When both the sender and receiver had the numbered disks in the same order and rotated them in the right way, an understandable message would appear.
"People have historically improved encryption during times of conflict or war," Ottenheimer says. "It’s all about secrecy, really, confidentiality. It doesn’t require super-sophisticated technology as much as it requires people being fairly intelligent about how they can keep a secret."
Today encryption relies more on computerized mathematical algorithms than the tactics Caesar and Jefferson used, but the concept is still the same: If you want to get at my data, you’re going to need the right key.
And Ottenheimer says that key, which is really just a secret, can be any amount of information that someone else can’t figure out. Encryption is faster when the same key is used for both encryption and decryption, but it also means you need to get the key to your recipient without the wrong person getting his hands on it. But it’s tricky business.
"If I have a key that's a secret and I want to give it to you I obviously can't just send the key over e-mail because anyone can get into your e-mail while it’s being sent, including your e-mail provider," Ottenheimer says.
To help with that, PGP, or the Pretty Good Privacy program created in 1991, is a way of hiding keys and is often used to encrypt files, directories and even whole disk partitions, increasing the security of e-mail.
He also explains public key exchange which involves using key pairs—two private keys and two public keys—in which both parties need only the other’s public key. When a public and a private key are put together—voilà—the door is opened.
Before exchanging keys, companies like VeriSign can be involved to verify that an entity is what it says it is. They provide websites the equivalent of a driver’s license that prove their identities.
But even the certificate issuers can be hacked, and that’s why there’s been such an uptick in the number of attacks we’re seeing in the news.
"There’s a lot of hype around ‘most secure ever,’ or ‘impossible to break into,'" Ottenheimer says. "Anybody in security knows there is no impossible. Everything is possible, it’s just a matter of time."
So when a bad guy breaks into a certificate issuer to make their own, it’s like people breaking into the government office that creates drivers’ licenses. You’d never be able to tell they’re made without approval.
Personal Key Management Systems and Peer-based Authority Networks
Ottenheimer says those fake certificates have become such a problem that peer-based or social-based encryption is looking like a promising alternative.
"Rather than trust a central authority to deploy keys and vouch for them, groups can trade levels of trust. This is based on the Pretty Good Privacy (PGP) theory of signing keys, but it scales much higher because it is based on even home users running a trusted hardware-based key management system. Those systems used to be available only to large enterprise datacenter environments, but the cost of managing keys has come down dramatically and is now a consumer, let alone small business, opportunity. You may soon have one in your own home,” he says, adding that StrongAuth has products such as their KeyAppliance that serve this new market.
Encrypted Texts, E-mails and IMs
What about the healthcare workers texting patient information to each other? While you might not think hackers would care about health records, getting patient information can actually be a pretty lucrative business, especially when it comes to celebrity records. The latest detail about a famous person’s health status can be worth gold to tabloids who want the latest scoop.
“While one can certainly imagine how the use of text messaging would increase staff productivity and result in enhanced patient care, one can also see that the transfer of this data via non-secured text messaging is a HIPAA privacy breach waiting to happen,” says Robert Parham, Focus expert and director of Information Security Practice for the global software services company Marlabs.
There are now ways to encrypt text messages that can keep that data safe.
Parham suggests TigerText, which earlier this year launched an enterprise version of its product called TigerTextPRO, that lets companies deploy their own private and secure mobile network in hours, meaning employees can communicate privately on their existing mobile devices at work.
TigerText’s mobile apps let users delete messages from both the sender and receiver’s phone by selecting a lifespan for the message, which ranges from one minute up to 30 days. And since the messages are not stored on TigerText servers they can’t be retrieved once they expire. It even offers a "Delete on Read" option, which deletes a message 60 seconds after the recipient opens it.
According to Richard Stiennon, chief research analyst with Michigan-based IT-Harvest and Focus network expert, Vaporstream works similarly, but with e-mails, and instant messages as well.
"In addition to encrypting your messages they are only presented as an image on your screen that is stored in video RAM which is not accessible by any malware you may be infected with," he says.
Location-based, Tamper-proof Options
Ottenheimer says there are more and more systems that lock out hackers if they try to move data somewhere it’s not supposed to be.
"Your data—whether on a laptop, tablet, or phone—will not be accessible, for example, unless it is in the right place at the right time," he says. "If someone tries to copy the data to California, but you live in Texas, then your data will be illegible to them…RSA has been developing this technology."
Conseal USB is another example. The software e-mails you if someone tries to access your USB or external hard drives, creates a log of what computer tried to do it and lets you remotely destroy the device.
Hiding from Salesforce, Google and Facebook
What if you don’t want an application provider you’re using to see your stuff? While SaaS providers are convenient, they also pose some security, performance and availability concerns when companies move from private, internal networks to the open and dispersed cloud environment.
"CloudShield uses a gateway device to encrypt just the data fields you are concerned about as they are uploaded to Salesforce and other Web-based sites," says IT-Harvest’s Richard Stiennon.
There are also tools available that will encrypt your posts on Facebook and Google+ if you’re worried about data mining or facial recognition. Social Fortress, for example, really does encrypt all your Google+ and Facebook posts. The thing is, unless all the rest of your friends and contacts also use the app, no one can read what you’re posting.
Not only that, but Ottenheimer takes issue with using a public platform and trying to make it private.
“You are not always in a position of control over a service provider. You’re almost saying I’m going to live in their space, which is public and open and accessible but expect it on its own to not be public, and open and accessible. It’s contradictory in my mind,” he says.
Mobile Commerce Encryption
Encryption is also being integrated into radio frequencies in Africa for robust secure communication over long distances.
“Messages are sent confidentially and with integrity from sea or land across relays and without central authority. I am not aware of any companies developing this yet for civilian use although the M-PESA system in Kenya is an example of how demand for this capability is exploding—a secure wireless replacement for bank accounts and even debit or credit cards,” says Ottenheimer.
And microwave relay stations are also being used in Mexico, but for less stellar purposes. Here’s a Military.com story about how Mexican authorities reportedly dismantled a number of radio towers and encryption equipment that the Zeta drug cartel was operating to coordinate their activities in Veracruz.
“Encryption, despite its complexity, is a good thing, and highly recommended whenever possible,” says Andrew Baker, director of service operations for New York-based SWN Communications and expert on the Focus network.
“At the very least, people should be using highly encrypted password safes to store their passwords and other credentials. And corporate users should be using whole disk encryption for sensitive laptops,” says Baker, who recommends GnuPG, which is an open source PGP-compatible encryption tool, and TrueCrypt for disk encryption.
Even so, Ottenheimer warns that security is more about how people behave and less about the quality of the technology. “[You can drive] a really fast car with great brakes and suspension, but at the end of the day it comes down to whether somebody is driving drunk or whether they know how to drive a car,” he says.
One common mistake, experts say, are the bad passwords most people use.
“Effective encryption requires the user to enter a good passphrase, which most are simply not capable of doing. Passwords such as Phillies2011 is but one example,” says Ben Rothke, manager of Information Security for global hospitality company Wyndham Worldwide.
Indeed, when I took Baker’s advice and encrypted my laptop’s hard drive using TrueCrypt, the software strongly advised me to choose a password at least 20 characters in length.
Check out more on creating an excellent password. It works!