Insights For Success

Strategy, Innovation, Leadership and Security

Instant Messaging

Encryption isn't just for terrorists

GeneralEdward Kiledjian

It seems every time there is a terrorist attack, governments around the world use it as an opportunity to chip away at encryption. The latest attack was the UK Home secretary, Amber Rudd, who called WhatsApp's end-to-end encryption "completely unacceptable". She then adds that there should be “no hiding place for terrorists”.

Encryption is publicly known mathematics and there is no way to put the "cat back in the bag". If encryption is banned for law abiding Joe and Jane public, it makes everyone less safe but terrorists will simply use their resources and public encryption libraries to write their own encrypted programs and do their evil work. 

Minister Rudd's comments are the clearly from someone that doesn't understand the technology and how it is the fundamental underpinning of our entire technological society. Anytime you perform online banking, file your taxes with the government online or request a government service, you are using an encrypted channel of communication called TLS. It is the technology that makes using sensitive services on the internet possible. 

Banning encryption would mean no more online shopping, banking or anything else that requires privacy. So banning would not be accepted by our always online generation.

Government would counter this argument by saying they "simply" want a back door and not a ban on encryption. A backdoor would allow intelligence and police to more easily perform investigations while keeping general encryption alive. 

As a security professional, let me be clear that this is simply not possible. The minute a backdoor is implemented, it becomes a vulnerability that threat actors would attempt to find and exploit (organized crime, nation-state actors, foreign rogue governments, etc).If the Snowden and Vault7 leaks have shown us anything, it is that even government has issues keeping secrets. The reason encryption works is that it is based on mathematics and remains perfectly secure even though all the protocols, formula and applications are well know. 

Creating a backdoor for the good guys means you are also creating it for the bad guys. 

The Vault7 leak showed that governments have already solved the Whatsapp encryption issue by hacking the end device. When hacked, government can see pre/post encryption messages and therefore they are able to get the information they need. Yes it requires more work but every job has its challenges. This would bypass the encryption of Signal, Whatsapp or any other encrypted communicator.

Terrorism is a bad thing that affects as all. It is the worst of humanity being manifested because of hatred and misunderstanding of one another. Politicians are targeting encryption because it is the easy target but it isn't the right one.

As a geeky security professional, I will always be able to protect myself by rolling my own encryption, but the general population won't. Considering everything about us can now easily be stolen from our smartphone, I'm worried about any weakening of encryption. Just think about everything stored on your device (location history, contacts, social networks, where you have been and what you have done, health information, etc) and how you would feel if someone had access to all of it without your knowledge. 

We need technically knowledgeable politicians that will fight the good fight (against terrorism) without trying to neuter good wholesome public protecting technologies. It's like saying we will ban pools because there were 3,536 fatal non-boat related drownings in 2015 (there are over 8M pools public and private in the USA). We can't let a small batch of rotten apples contaminate the entire batch of cider.

Use Whatsapp for free next time you travel

GeneralEdward Kiledjian

Since Apple has decided to keep Apple Messages (iMessage) locked up to its platform, users the world over have chosen Whatsapp as the most common cross platform instant messaging platform. It allows you to send files and pictures. IT allows you to make Voice Over IP calls and is just an overall well designed easy to use tool.

 Whatsapp requires a data connection (3G/LTE) to work. This means using Whatsapp while travelling requires you to buy a local SIM Card (when you travel) or buy an expensive data pack from your home carrier. Until now.

I first wrote about KnowRoaming in 2013 and explained how it can save money when travelling by switching you to a cheaper local plan travelling simply by using the company's intelligent SIM sticker.

Today KnowRoaming announced that their customers will be able to use WhatsApp for free when travelling. You don't even need to buy a data plan and no data charges are levied. As long as you have an active account with some money in it and switch to their service when you travel (which is automatic when you travel), you get free Whatsapp in any country they work in (100+ countries).

This offer is available to on any of their services (Global SIM Card, Global SIM Sticker and Global Hotspot). I use the Global Sticker Option, anytime I land in a new country, their app detects it and switches me to their service.

Telegram Messenger isn't as secure as you think

GeneralEdward Kiledjian

Right after the horribly tragic terror attacks in Paris, we started to read badly written articles by journalists trying to attract readers with sensational headlines.

The easiest target was encrypted communication tools and one of those is Telegram Messenger. It was said ISIS/ISIL used Telegram to chat securely and that they considered it a good solid secure and trustworthy platform. Does it really deserve that reputation?

I wrote a article on March 2014 that explained some of the shortcomings of this messaging platform.

With all the publicity it is receiving now, I wanted to revisit the tool.

Some of the security issues for people wanting the best security available:

  • Uploading your contacts In order to register for Telegram, you have to use your real telephone number and upload your phonebook contacts (to find others that are using Telegram). This means they know with absolute certainty who owns each account and have a list of your contacts.

  • Metadata Metadata Metadata With everything Snowden has released, we know what metadata is and why it is so important to protect. It is how governments around the world can build very accurate profiles of users. Most users will use Telegram Messenger via a smartphone which is a horribly leaking end point for metadata. Even if you encrypt the actual message, your provider, phone manufacturer and phone OS provider know what app is installed, when it was installed, how often it was used, when it was used and for how long. Combining this with triangulated location information and general information collection means tracking down individual users becomes much easier for crafty well-funded hackers or governments.

  • Custom encryption Read my original article about Telegrams custom encryption. We are at a point in Information Security where there are well documented, tried, tested and reliable encryption mechanisms and it is strange that a company comes along and creates it own. This becomes especially worrisome when the protocol and tool aren’t completely open sourced.

Looking back at Telecom

Looking back at Telegram 1 year after the original article, I would still rate its security as medium level. It may be better than the most popular platforms but is nowhere near a level I would call really secure.

What’s the most secure instant messaging tool?

I write a blog post entitled “The most secure smartphone messaging app in 2013 and my recommendation still stands. The most secure instant messaging tool available today is Threema. Key management is handled by each user (not by the platform provider which weakens the security). It’s security model and back end infrastructure has been independently vetted for security.

Canada's Anti Spam Law (CASL) and what it means and CASL 2.0

technologyEdward Kiledjian

Over the last month, I received several emails asking me about CASL (the Canadian Anti Spam Law) which went into effect July 1 2014. The purpose of CASL is to protect consumers from unsolicited email messages.

Nothing in this article should be construed as legal advice. Always check with a qualified legal professional.

What is CASL

There are well written white papers by lawyers that provide the legal perspective on CASL and how it impacts business'. If that applies to you, you should go find and read some of those. The Canadian Anti-Spam Law was designed to protect canadian email addresses (.ca) from receiving unsolicited commercial messages. The main drivers are:

  • Consent  : the sender needs to secure and record detailed explicit consent from the recipient that they want to receive your marketing content
  • Identification : The law required that you clearly identify who is sending the message and who it is being send on behalf of. The recipient must have a way to easily reach you.
  • Unsubscribe :  The recipient must have a simple and clear way to unsubscribe from your mailing list. 

Each message you send must contain Identification and unsubscribe.

Not only email

Legislators made sure CASL protect canadians from multiple mediums of commercial message delivery including emails, instant messaging, social media, etc. 

Assume this applies to all mechanisms you use to contact a customer for marketing purposes.

Does this CASL apply to me?

Let me keep this simple... CASL applies to any entity pushing a marketing message and you should plan on adhering to its standards. 

Does CASL apply to not for profit organizations?

As currently worded, the law provides an exemption for government certified charities performing fund raising through emails. Conversely other revenue generating activities are not exempt. 

The identification and unsubscribe requirements of the law apply to not for profits also.

If you want to add subscribers from one list to another, then you will need explicit consent. 

Non commercial messages (aka regular business type emails) are not covered by CASL. 

You can learn more on the government's website (link)

CASL and email address harvesting

A practice used by some email marketers or resellers of marketing lists is to harvest email addresses using electronic programs to collect email addresses from websites, mailing lists, forums, etc.

CASL amends PIPEDA to forbid the activity of email harvesting.

CASL 2.0

January 15 2015 an additional provision will go into effect called the Computer Program Rules. This new provision will require express consent before the installation of a computer program on someone's PC, smartphone or other electronic device. 

This new wave of CASL comes with very stiff penalties that can reach $10,000,000 for companies. This new wave goes beyond Canadian borders. It applies to organizations (can be located anywhere) installing programs on a computer located in Canada or to Canadians installing program on computers outside of Canada (or under the direction on someone in Canada). 

This section of CASL is fairly complicated so I will let you research the interwebs for additional information if you think it applies to you. 

CASL Best practices

In addition to following the CASL requirements stated above, many organizations are also verifying receiver interest in their messages every 6 months. 

Organizations that can prove that they have an existing business relationship will have 3 years to comply but industry best practice says you should plan to comply immediately.

Whatsapp to become more secure than Apple Messages

technologyEdward Kiledjian
Image by downloadsource.fr used under Creative Commons License

Image by downloadsource.fr used under Creative Commons License

I'm an advocate of personal privacy through encryption. I love the Threema instant messenger (Link) but none of my contacts used it. This is the problem with secure instant messenger apps, your friends aren't there so it becomes useless. 

Now Whatsapp is including the encryption functionality of TextSecure from Open Whisper Systems in their Android client and this will make Whatsapp the most secure instant messenger (beating even Apple's a Messages/iMessage).

Like Whatsapp, Apple's iMessage/Messages offers end to end encryption but in Apple's design, they control the encryption keys which means they could create a man in the middle type situation and you would never know. In the new Whatsapp with encrypted messenger app, the keys are controlled by the client and you will be able to verify the counter-parties encryption key using QR code scanning (similar to Threema) or by verbally exchanging the encryption key verifier. This will make sure beyond any doubt that the messages are encrypted for the intended recipient and no one else. 

How will it work?

When you start a conversation with another Whatsapp android users using the latest version, you will be asked to initiate a secure session. Once initiated, you will see visual marker (lock icon) in a couple of places to remind you the session is protected : next to the send button, next to each encrypted message and in the title bar.

When?

If you are using the latest android client, your version already includes the new end-to-end encryption mechanism and it is activated when talking to other Android based Whatsapp users.

Although I haven't seen any promises for an IOS version upgrade containing this secure technology from Whatsapp, I am confident we will eventually see it on iPhone as well.