Tuesday, July 16, 2013

Fact or Fiction: Encryption Prevents Digital Eavesdropping


There are effective ways to encrypt data, whether it is in transit or in storage, but if that data is left in the clear at any point along its path, it is vulnerable to theft or tampering

Most e-mail programs support SSL encryption as messages are sent from the user’s machine to their ISPs. As messages move through the core of the Internet, they are usually unencrypted, however. “Unless somebody is doing something intentionally to put encryption on the messages, the messages are decrypted at each hop along the way and are visible there,” Kocher says.

Decidedly unsocial
Encryption used in other forms of online messaging—social networks, in particular—is also hit or miss. For the most part, when you have one of these server-based cloud services where the cloud has the ability to access all of the data, all of your security depends on the machines that are hosting your information, Kocher says.

In a statement issued after NSA whistleblower Edward Snowden blew the lid off of his former employer’s PRISM program, Apple claimed conversations taking place over its iMessage and FaceTime services “are protected by end-to-end encryption so no one but the sender and receiver can see or read them.” The company further said that it “cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.”

Apple’s claim of end-to-end encryption means anyone trying to compromise communications via its services must compromise an end point to capture them. But that isn’t necessarily hard to do, especially for an intelligence agency or an experienced attacker, Kocher says. “It means [they] have to target a particular end point as opposed to turning the vacuum cleaner on and sucking up [every message] automatically.”

Skype used to claim to have endpoint-to-endpoint encryption. “From some evaluations I’m aware of, that actually seemed to be the case in the past,” Kocher says. More recently, however, Microsoft (which bought Skype in 2011) has modified the protocols so that data is decrypted at the server and then reencrypted before being sent out to the other end of the communication. “So it appears that they’ve actually gone from a stronger model to one that is weaker and more susceptible to surveillance,” he adds. Recent reports indicate that Microsoft actually helped the U.S. government circumvent the company’s own encryption, granting the federal agencies access to Skype video calls as well as Outlook Web chats and e-mail, and information stored via Microsoft's cloud-based SkyDrive online backup and storage software.

If more people used encryption, it would be more difficult—not impossible—for cyber thieves and government agencies to eavesdrop. Still, even if people do a better job of protecting their e-mail communications and data stored on their devices, they need to likewise monitor their use of social networks and other Web sites visible to the general public. Who needs a court order or computer virus when so much information if offered up willingly via sites such as Facebook and Twitter?

No comments:

Post a Comment