Tag Archive | Security

Security as a unique selling point

While Apple and Samsung are competing fiercely at the higher end of the smartphone market, a new niche market is emerging in the industry. Instead of ever improving the specifications of their flagship smartphones, these new devices do not even come close to their hardware level. Yet, they are offered in the same price range. If it are not the specs, then what else is it that adds so much value to these phones?

Truth is, it is the security they offer. A few days ago, Archos – a French manufacturer that has not produced anything of note in recent times – introduced the GranitePhone. This smartphone was developed in a partnership with SIKUR, a Brazilian vendor of encrypted company-focused communications apps (Androidpolice, 2015). The phone is the latest to enter the emerging global market of ultra-secure smartphones, in which manufacturers  are anticipating growing concerns regarding the protection of data. That the software is coming from a Brazilian company might not come as a surprise. In 2013, the president of the country, Dilma Rousseff, cancelled a state visit to the United States, after Edward Snowden released documents which indicated her email and phone calls were monitored by the U.S (Bloomberg, 2015). The Granitephone is not the first of this type. Precedents include the Blackphone, produced by Silent Circle, and the Boeing Black smartphone. Interestingly, none come from established smartphone manufacturers and offer these companies an entry position in the entire smartphone market.

In this market, which surpassed 1 billion yearly smartphone sales in 2014 (Gartner, 2015), the advantages are well known. The devices have become an extension of daily life and are often trusted with our most intimate data. In addition, they generate enormous amounts of new data about the users. This is also where concerns are being raised, as the data appears to be less private and secure than is often realized by the user. (Jeon, et al., 2011) identify eight threats apparent to smartphones, of which four are caused by external attackers and the other four by the unawareness of the user:

  1. Malware. Malware can alter or expose private information and abuse costly services and functions.
  2. Wireless network attacks. An attacker can corrupt, modify, or block information on the wireless network.
  3. Denial of service. The risk of availability due to attacks on base stations and networks, or using radio interference.
  4. Break-in. An attacker gaining partial or full control of the device.
  5. Malfunction. The user can mistakenly disable their device.
  6. Phishing. Exposing private information due to phishing activities.
  7. Loss. The user can lose his/her smartphone.
  8. Platform alteration. Intentional alteration of the smartphone (e.g. jailbreaking).

The GranitePhone offers a solution focusing on the first four threats. It encrypts all outgoing messages and calls by storing them on SIKUR’s cloud based platform, which is only accessible through various layers of authentication (Tech Times, 2015). The Boeing Black smartphone even tackles one of the user-related threats, as it self-destructs in case of loss or theft. As the example of the Brazilian president above indicates, it are not only consumers which should be concerned about their mobile privacy. For corporations, politicians and defense the benefits of a secure phone might be even greater, as they possess more sensitive information.

So, are there no limitations of the Granitephone? Sure there are. As mentioned before, the hardware specifications of the phone are nothing special. The functionality is also limited. Currently, there is no internet browser available. In addition, it seems unlikely that productive applications like Gmail will be available on the device. It is even unclear if third party software can be installed at all. Then there is the price. It currently costs $849, around the price one can buy the newest iPhone for. In addition, there is debate about the actual security of the platform and the transparency around it.

Hence, it is unlikely that the phone will appeal to the mass consumer market. However, for certain corporate and political positions it might be the solution to safeguarding their most valuable information. Maybe more importantly, it adds to the existing debate on the security and privacy of mobile data, which governments and other companies seem take into account less and less.

  • Bas van Baar (358545sb)

Androidpolice, 2015. Archos Enters The Niche ‘Secure Phone’ Market With The $850 GranitePhone. [Online]
Available at: http://www.androidpolice.com/2015/10/10/archos-enters-the-niche-secure-phone-market-with-the-850-granitephone/
[Accessed 10 October 2015].

Bloomberg, 2015. Brazilians Are Developing an Untappable Phone. [Online]
Available at: http://www.bloomberg.com/news/articles/2015-02-24/brazil-s-untappable-phone-seen-buoyed-after-rousseff-spy-scandal

Gartner, 2015. Gartner Says Smartphone Sales Surpassed One Billion Units in 2014. [Online]
Available at: http://www.gartner.com/newsroom/id/2996817

Jeon, W., Kim, J., Lee, Y. & Won, D., 2011. A Practical Analysis of Smartphone Security. Human Interface and the Management of Information, pp. 311-320.

Tech Times, 2015. Techtimes. [Online]
Available at: http://www.techtimes.com/articles/94336/20151012/archos-announces-security-enterprise-focused-granitephone.htm
[Accessed 12 October 2015].

Safe and Easy in the Cloud – Tresorit

With recent scandals around Apple’s iCloud services being hacked, the question arises: Are cloud services truly safe enough to store personal or even business-related data? And even if they are safe from outside attacks, what stops the provider to take advantage of the data stored on their servers? Tresorit, a Hungary-based startup company claims to have the safest solution yet, powered by user-side encryption processes.

So how is it different from any other mainstream cloud service out there?

While using the same level of safety as Dropbox regarding storage and transfer of files (AES-256 bit encryption, SSL/TLS transfer), Tresorit claims that the prime issue regarding the safety of data in the cloud is actually not it being hacked by outside parties, but the inefficiency of barriers that would stop the provider peeping into data uploaded into their cloud. This breach would be made possible by the encryption process used by most big companies, namely server-side encryption which practically means that the encryption key is to be found somewhere at the provider’s side. Of course, this could be quite easily mitigated by the user, through encrypting the uploaded files themselves. But as cloud storage is mainly used for collaboration, it would be quite a hassle.

Thus Tresorit has introduced an integrated system for encrypting files on the user’s computer, enabling them to effectively control who can decrypt and access the content. As both encryption and decryption are done on the client’s side, the company claims that not even they can see the content of uploaded files.  Further key selling points of Tresorit are that one can practically share any folder on the computer (as opposed to the single folder of Dropbox), and also set unique permitted access levels to shared files and folders.

The creators of Tresorit are quite confident in the safety of their product. Actually so much, that they offer USD 50,000 for anyone who can hack into their system. Their confidence seems well-based, as for the 468 days the challenge has been open, none of 900 hackers (including MIT and Stanford) has managed to take the prize.

So what do You think? Do you generally trust the safety of the cloud? Or would you feel safer using a solution like Tresorit?

Sources: 

https://tresorit.com/

http://weestro.blogspot.nl/2013/11/goodbye-dropbox-hello-tresorit.html

http://lifehacker.com/the-best-cloud-storage-services-that-protect-your-priva-729639300

http://www.yummy-wakame.com/archives/2013/03/31/cloud-storage-comparison-drop-box-vs-google-drive-vs-skydrive-vs-icloud-vs-box

Big Data is watching you!

Image

 

Edward Snowden has revived the debate privacy versus security. Edward Snowden, born in 1983, is a computer specialist that has worked for the CIA and NSA. On June 5th he became world-famous for his whistle blowing of massive privacy violation by the United States and British governments.

Snowden pointed out that the NSA had developed PRISM, a mass electronic data mining system. This system is able to track every US citizen with a digital footprint. The problem is not that PRISM can collect data, the problem is the data that is being collected:

…audio and video chats, photographs, e-mails, documents, and connection logs… [Skype] can be monitored for audio when one end of the call is a conventional telephone, and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms.

                                                                      – Washington Post

This not only counts for Skype and Google, but for Microsoft, Facebook, YouTube, Yahoo and many more as well. Practically everything you have ever done online is to be found by PRISM, including a lot of private information that you would not share with your government voluntarily.

When thinking of the consequences a system like PRISM might have on privacy, the famous movie ’1984’ from George Orwell comes to mind as an extreme possibility. A state where every civilian is closely monitored and controlled by the government. A state in which the government knows everything about you, and sees everything you do. Big Brother is watching you. And Big Brother uses big data to do this.

As reaction to Snowden’s whistle blowing, the NSA has proclaimed that this kind of surveillance has already prevented dozens of potential attacks towards the US. There lies truth in this as well, as increased surveillance also increases the likeliness to detect acts of violence/crime/terror.  

When we abstract to a higher level, there seems to be a constant trade-off between privacy and security. We all want to be secure, but we all see privacy as an important and not-to-be-violated right at the same time. The government is the main body to offer security, but it increasingly wants more of your private information to do this.

There remains one question:  How much of your privacy are you willing to trade for security?

 

 

 

 

http://videos.huffingtonpost.com/nsa-chief-surveillance-has-stopped-dozens-of-potential-attacks-517815763

http://www.biography.com/people/edward-snowden-21262897?page=2

http://videos.huffingtonpost.com/prism-is-a-good-thing-517811845

http://gizmodo.com/what-is-prism-511875267

Mobile payments are so 2012

 

We have seen blog posts regarding commerce, payments and biometric recognition. These topics are thought provoking on their own, but what happens when you mix these up? Biometric payments; a solution to a wide variety of different problems existing in the world today.

 

Biometric payments is a concept enveloping biometric recognition and monetary transactions, i.e. conducting a financial transaction based on a biometric signature you have at your disposal at all times.

 

Forget mobile payments for just one second, because what happens to those who don’t have their mobile device at hand, or quite possibly do not even own a smart device? Why does the ability to organize our lives have to constantly revolve around being encumbered by a digital device when things can be so much simpler? Using a biometric signature such as your fingerprint, iris and/or heat signature relieves the user from carrying or even owning a mobile device.

 

Second of all, there is a significant security enhancement that comes hand-in-hand with biometric payments, not only over convention cards transactions (i.e. Visa or Maestro), but also over mobile payments. Research by Frost & Sullivan suggests that over 60% of smartphones are not even secured with a security code. Furthermore, security codes or PIN numbers are easily skimmed by the naked eye, and remembering them to begin with can be troublesome for most.

 

Third, and the ability to utilize the biometric signature infrastructure for a variety of other different goals such as identification or voting, can provide those in less fortunate parts of the world an easier existence. For example, according to Plan International, a children’s rights organization in Africa, 66% of children born are not being registered making housing, schooling and medical planning an impossible task. Biometric signature recognition could make this process as simple as “swiping” an infants finger and registering his or her name and birth date. This not only allows the infant to be registered, vote in later years and facilitate access to a local school, but could also provide him or her with an easy and safe pay in which to trade goods and services in the future.

 

Of course, as with all emerging technologies, there are downsides such as an immense initial investment. Furthermore, tracking return on investment on such initiatives is difficult as the cost estimate of things such as theft and fraud are speculative at best.

 

Biometric payments has fallen in the shadow of mobile payments, but may provide an added edge of the latter. It boasts added security, easy benefits and is applicable to a wide variety of other information conundrums. Albeit an expensive alternative to a system relying on Personal Identification Numbers (PIN), the long-term benefits may greatly outweigh its costs. 

 

References:

Georges, J.N. 2013. Can Biometrics Revolutionize Mobile Payment Security? Retrieved on 29-09-2013 from http://www.frost.com/sublib/display-report.do?searchQuery=60%25+mobile+biometric&ctxixpLink=FcmCtx1&ctxixpLabel=FcmCtx2&id=9817-00-89-00-00&bdata=aHR0cDovL3d3dy5mcm9zdC5jb20vc3JjaC9jYXRhbG9nLXNlYXJjaC5kbz9wYWdlU2l6ZT0xMiZxdWVyeVRleHQ9NjAlMjUrbW9iaWxlK2Jpb21ldHJpYyZ4PTAmeT0wQH5AU2VhcmNoIFJlc3VsdHNAfkAxMzgwNDY0NTgzODgx

Plan International, 2013. Count every child campaign Retrieved on 29-09-2013 from http://plan-international.org/where-we-work/africa/campaigns/campaigns/

Information Security: New hashing algorithms needed soon

Hashes are widely used for security. For example, hashes are used to safely store passwords, verify that software has not been altered by someone else, and to verify certificates used by websites. The idea behind hashes, is that it is practically impossible to use different bases which calculate to the same hash on purpose. Although theoretically this is possible as the hashes are far shorter than its original base (in numbers) and the number of unique hash-codes is limited.

Trying to find two (or more) numbers that would result in the same hash is called a collision attack. When these attacks can be done successfully and consistently a hashing algorithm is said to be broken. This has happened in the past to algorithms such for instance MD2 and MD3.

SHA-1 is currently the most widely used hashing algorithm. However, this algorithm is in need of an upgrade very soon. An Intel researcher calculated that by 2018 successful collision attacks can be made on SHA-1 hashes. This means that in 2018 any security based on SHA-1 can be compromised by anyone with sufficient funds. Currently, the SHA-2 alghorithm is already available to upgrade security and  an SHA-3 standard has recently been agreed upon. Regardless of the timing, it is certain that long before 2018 everything that needs to be secure must have been migrated to a more secure algorithm.

What I am wondering however, with the speed at which computational power increases, will our creativity remain able to outpace it? Or will there be a time where algorithms are broken in such a short period of time (after acceptation) that they become useless for security?