The Business-Technology Weave » data encryption

Concerned About Gov’t. Snooping? There’s an app for that

David Scott — Mon, 17 Jun 2013 19:20:58 +0000

Regardless of the challenge or topic, folks often joke: There’s an app for that!

Need a date? “There’s an app for that.”

Hungry… bored… need a plumber… need an airplane mechanic… ?

“There’s an app for that.”

Concerned about government spying? Someone peering into your e-mails, monitoring your texts, listening in on your phone calls?

There are at least half-a-dozen apps for that.

And undoubtedly more on the way.

Seecrypt and Silent Circle each have a nice splash to inform you how they can protect your privacy the next time you use your smartphone. Each is available online, and I dig that their landing pages are https – that generally doesn’t happen until a few clicks in, definitely at point-of-payment… as I say, nice touch with the early entrée to that realm. It may not mean much on a landing page, but… I noticed.

With these and other/coming apps, an encryption of the data makes it difficult or impossible for a third-party to listen in or to learn who you are calling/texting. These issues are likely to take a higher profile for a couple reasons:

1) Reports such as these make this a growing concern to a growing body of people.

2) The concern bridges political ideology: Republicans, Democrats, Independents and the apolitical are all uniformly concerned about these recent privacy (or lack of…) revelations, and there is already a grapple as to what prudent people should do in protecting themselves.

Therefore, I feel a free license to blog about the issue without political peril, being that this is generally not a political forum. In other words, the issue trumps politics – and this issue is likely to get very big indeed – even bigger, that is.

Many of these privacy protection companies are based outside of the U.S.; thus they are not subject to U.S. privacy laws and subpoena powers. However, the makers of these apps state that they will do “the right thing” if public safety is at risk.

That’s where things can get tricky: How sincere/trustworthy will government requests for content be, and thus, how will these companies adjudicate the requests? Therefore: What exactly are you getting for your money? Be sure to call and ask any of these apps providers, and do your own adjudication.

Harvey Boulter, Chairman of Seecrypt, said “This is an app to restore privacy rights for the average person. We’re not here to empower terrorists, just to be very clear. And so if a government comes to us, and says ‘we need help,’ you know, we will cooperate with them to the full extent that we can.”

Most of these app makers state that once a call is finished, all relevant data is destroyed.

Mathew Green, Johns Hopkins University Professor, weighed in on Fox News and said, “I think what a lot of people don’t realize is that the FBI and intelligence agencies have a lot of capability to hack into computer systems, and they can use that ability right now to eavesdrop on people even if they’re using encryption.”

Yeah – what he said. How exactly are these apps providers going to know that their quality of encryption is enough to thwart government intrusion?

Some of the apps also offer services beyond encryption of phone calls, text and e-mail – into the realm of videoconferencing. Review the claims for services, terms of services, and all user agreements very carefully.

For businesses: If you’re building guarantees for clients based on the use of these apps, for purpose of making secure provisions to those clients, be very careful about promises, guarantees, and just how far you lean into these services. Establish Service Level Agreements (SLAs) at both ends, and set terms for guarantees and damages where failures occur. Large enterprises will have their attorneys and legal affairs departments as robust support; sole-proprietors and small-to-medium businesses will have to work this very, very carefully.

This burgeoning area of concern regarding communications, government activity, and privacy is bound to become an ever-larger issue… it’s not likely to go away, in my humble opinion.

NP: Led Zeppelin, Live at the BBC; real nice hearing vintage Zep live, raw, organic – in the cozy confines of the BBC studios – an aural delight. Everyone is in fine form here.

Department of Justice: Forcing you to decrypt?

David Scott — Tue, 12 Jul 2011 16:26:52 +0000

Does your right to remain silent, as protected by the U.S. Constitution’s Fifth Amendment, extend to encryption on a personal laptop?

It’s an interesting subject, and one that might be settled soon – by the Supreme Court. A woman accused of, and being prosecuted for, a mortgage scam in Colorado is under pressure to disclose her passphrase for decrypting her laptop, which police found in her bedroom upon the raid of her home – she has refused.

The Obama administration is asking a federal judge to order the defendant, Ms. Ramona Fricosu, to decrypt the laptop. As a slight aside, prosecutors don’t want the passphrase itself. They want Ms. Fricosu to simply type it in, and make the files available in their decrypted form. This may seem a minor point, but it does remove any wrinkles that may be encountered upon court rulings that make divulgence of the passphrase itself a protected item within the Fifth Amendment’s protections.

At the heart of the matter is whether a defendant can be compelled to serve up something from the privacy of their mind: Other courts have ruled that protections extend there. Prosecutor’s, however, liken passphrases to physical keys, and defendants can be made to produce keys to safes, for example. It’s an interesting situation.

One could make the argument that forcing a defendant to divulge a passphrase (or password, encryption keys, etc.) enters the realm of breaking protections against self-incrimination. While the Supreme Court has not yet ruled in matters such as these, lower courts have – and their rulings have, essentially, gone both ways: In one case stating that an individual did not have a Fifth Amendment right to keep files encrypted; in the other, that the defendant did – thus “protecting his invocation of his Fifth Amendment privilege against compelled self-incrimination.”

Ms. Fricosu is charged with money laundering, wire fraud, and bank fraud in an alleged attempt to gain titles to homes via falsified court documents. She’s facing up to 30 years or more in prison.

For the rest of us, with – hopefully – more mundane privacy concerns, we can understand a desire to keep business secrets, diaries, and privileged communications from friends and associates private.

For us, and most definitely for business, the case does bear watching.

On this day: July 12, 1962, the Rolling Stones make their first public appearance (Marquee Club, London).

Data Breach at Morgan Stanley: 34,000 customers at risk

David Scott — Wed, 06 Jul 2011 23:50:20 +0000

From Morgan Stanley comes word that two unencrypted CDs have gone missing. They were sent, and actually delivered – to a government tax office; the New York State Department of Taxation and Finance.

However, apparently the package containing the CDs has either gone missing from the desk of the recipient – or – the package arrived at the desk, seemingly intact, but did not contain the expected CDs… depending on what article you read. One thing seems fairly certain, being that Morgan Stanley has issued an apology and warning: The two CDs were sent, did not reach the intended recipient, and are missing.

The CDs are password protected, but that’s mere child’s play these days for anyone who wants to break a password. The idea that these sensitive discs, by virtue of very sensitive data, were not encrypted is quite hard to believe. Someone was either too lazy to follow a protocol and perform the encryption, or – worse, Morgan Stanley has lax policy and standards regarding encryption and protection of data.

If one person is remiss that’s – literally – one thing. That person can be disciplined, trained, or fired. However, if there’s lagging policy and standards regarding data protection, handling (certified mail anyone? Secure courier service?… etc.), and encryption – then that’s indicative of a systemic, organizational, fall down. It’s time for a complete survey of business and IT practices, training programs, and day-to-day standards and comprehensions at Morgan Stanley.

It’s 2011.

The bank has had to notify customers that, at the least, names, addresses, earned income on investments, and tax ID numbers may be compromised. Social security numbers frequently serve as tax ID numbers, and Morgan Stanley has offered a year of credit monitoring services for clients whose SSNs were exposed.

Morgan Stanley was notified on June 8^th that the CDs were missing. An exhaustive search was made through all facilities the CDs and associated package passed through – however, it wasn’t until June 24^th that Morgan Stanley notified customers – via mail.

Remember: Your number one asset is your reputation… your next asset is your customers. Without those, your employees don’t have much reason to show up. Take a look at your business processes and associated security – now.

On this day: On July 6^th, 1924, the first photograph was sent across the Atlantic by radio, from the US to England.

Mobile Access: Make it selective and effective

David Scott — Mon, 14 Mar 2011 17:26:57 +0000

Security is always a delicate balance: You need to provide efficient access, but only to those that are allowed that access.

Because there are a growing number of mobile devices, and more people utilizing them, there is more potential for breach – it’s just a numbers game, really. Your networks require ever more attention: In matters of security solutions and updates; watchfulness for any day-to-day breach; and investigation of any suspect activity. At the same time, access has to be readily available to those authentic users, sustaining their productivity – and they must be be productive within a fully educated posture, based on well-communicated security policies.

First, before a user even authenticates, remember to have the device authenticate. The network must recognize the device, allow it, and further – have your network survey it for currency in updates, patches and policy. Now you’re swingin’.

Also, mobile devices use mobile-broadband, the same networks as mobile phones. Here, it is basically essential to employ a virtual-private-network (VPN) – and also for any access coming through the public internet. Generally, you want to encrypt any data/communications between devices which transmit through public broadband or internet.

The addition of firewalls is another layer of security. They can be comprised of software, hardware, or both – and essentially emplace filters and authenticating standards before letting devices and/or data through.

Remember that any security procedures and policies are only effective so long as the organization enforces them. The organization must invest in security, in more ways than one. More than monetary, it is the organization’s acknowledgement that security is paramount, and that people will be held accountable to security standards. Regularized training and awareness sessions must be adhered to, and all modern and effective security measures must be undertaken in match to the accelerative nature of outside demands and threats.

Get on a schedule of regularized updates in all regards: Organization, people, process, systems, data, communications, education… Also, be certain to weave Business and IT leaders’ understandings and sanctions in creating and adhering to mutually defined and understood goals.

NP: I Can’t Get Started, Cannonball Adderely, jazz24.org