More Secure Ways To Send Data

Today on the show we go over the security news of the week. We talk about ProtonMail and TutaNota encrypted mail. We talk about Signal, iMessage, and WhatsApp. We get into the open-source software Globaleaks and much more.

We Talk News of The Week

  • Russian hackers were inside Ukraine’s telecoms
  • Russia hacks more than 10,000 security cameras in Ukraine
  • 23andMe hit with over 30 lawsuits
  • LastPass is making changes
  • Ivanti and Juniper have patches
  • Microsoft Patch Tuesday
  • Globaleaks A Secure Way To Send Data To Source

Plus Much More.

The Security Assessment Podcast is Brought To You By Lipani Security LLC.

(Full Show Transcript)

Using Signal for Secure Messaging

Signal is an encrypted messaging service for instant messaging, voice, and video calls. The Signal Foundation was launched in February 2018 as a 501 nonprofit with the mission to develop open-source privacy technology that protects free expression and enables secure global communication.

I recommend everyone use an end-to-end encrypted messenger like Signal. End-to-end encryption is a method of secure communication that prevents third parties from accessing data while it’s transferred from one system or device to another. Communications like Snapchat, Facebook Messenger, Skype, Google Chat, and text messaging are not secure and can be viewed by the providers and third parties.

Signal uses verification servers to ensure that phone numbers are real. A third-party service sends a registration code via SMS or voice call to verify that the person in possession of a given phone number intended to sign up for a Signal account. This is a critical step in helping to prevent fake accounts from signing up for the service.

Signal sends messages encrypted so only the sender and receiver can read them. Signal uses metadata encryption technology to protect intimate information about who is communicating with whom. Signal can’t read or access any end-to-end encrypted messages because the keys that are required to decrypt messages are on your device, not their servers. If Signal were asked to provide information to authorities, it would be unable to, since it does not have the keys and stores very little, if any, data on its servers for this reason.

Signal is even proactive with storing undelivered messages. When you send a message, the Signal service temporarily queues that message for delivery. As soon as your message is delivered, that small bundle of encrypted data (i.e. your message) can be dropped from the queue. The storage of end-to-end encrypted files is temporary too, and any undelivered end-to-end encrypted data is automatically purged after a period of inactivity.

To add an extra layer of security for held messages, Signal has server infrastructure from several providers like Amazon AWS, Google Cloud, Microsoft Azure, and others to ensure that not all saved messages are saved in one place in the event of a security breach. Even if there was a breach of these messages, Signal can’t access the messages, and neither can the companies that provide any of the infrastructure or even the attackers, because the keys are on the user’s device, not the server.
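The queue-and-drop behaviour and the "keys stay on the device" property described above, as an added example that is not Signal's code or part of the original show notes. It assumes a hypothetical `Relay` class and uses static X25519, HKDF and AES-256-GCM from Node's built-in `crypto` module as a simplified stand-in for the Signal Protocol.

```javascript
// Added illustration (not Signal's code): static X25519 + HKDF + AES-256-GCM
// stands in for the Signal Protocol to show where the keys live.
const crypto = require('node:crypto');

// Each device generates and keeps its own key pair; only public keys are shared.
const newDevice = () => crypto.generateKeyPairSync('x25519');

// Both ends derive the same 32-byte key from their own private key and the peer's public key.
function sharedKey(myPrivate, peerPublic) {
  const secret = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'e2e-demo', 32));
}

function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function open(key, env) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, env.iv);
  d.setAuthTag(env.tag);               // final() throws if the key or data is wrong
  return Buffer.concat([d.update(env.body), d.final()]).toString('utf8');
}

// Hypothetical relay: holds opaque envelopes until delivery and never holds a key.
class Relay {
  constructor() { this.queue = new Map(); }
  enqueue(to, env) { this.queue.set(to, [...(this.queue.get(to) || []), env]); }
  deliver(to) {                        // hand over, then drop from the queue
    const pending = this.queue.get(to) || [];
    this.queue.delete(to);
    return pending;
  }
}

function demo() {
  const alice = newDevice(), bob = newDevice(), relay = new Relay();
  relay.enqueue('bob', seal(sharedKey(alice.privateKey, bob.publicKey), 'meet at noon'));
  const stored = relay.queue.get('bob')[0];   // all that a breach of the relay exposes
  const leaked = stored.body.toString('utf8').includes('meet at noon');
  let readWithoutDeviceKey = true;            // try a key that did not come from a device
  try { open(crypto.randomBytes(32), stored); } catch { readWithoutDeviceKey = false; }
  const [env] = relay.deliver('bob');
  const received = open(sharedKey(bob.privateKey, alice.publicKey), env);
  return { leaked, readWithoutDeviceKey, received, queuedAfter: relay.deliver('bob').length };
}
```

Calling `demo()` shows that the relay's stored copy contains no plaintext, that it cannot be opened without a device-derived key, and that nothing remains queued after delivery.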

Signal added Snapchat-like features with a feature called scheduling messages. Timers may be attached to messages to automatically delete the messages from both the sender’s and the receivers’ devices. The period for keeping the message may be between five seconds and one week and begins for each recipient once they have read their copy of the message. Signal has also added a stories feature, which is something available on all messaging platforms.

Since most Apple and Android devices back up to the cloud, Signal excludes users’ messages from non-encrypted cloud backups by default. This is a great idea, considering that by default Android and iOS store backups unencrypted on iCloud and Google Drive.

Signal allows users to automatically blur the faces of people in photos to protect identities. Signal includes a payment and wallet system but only supports the payment method MobileCoin, which is a privacy-focused digital currency.

All Signal contacts and contact lists are stored on your device encrypted and never sent to Signal’s servers. Group messaging is designed so that the servers do not have access to the membership list, group title, or group icons. Instead, the creation, updating, joining, and leaving of groups is done by the clients, which deliver pairwise messages to the participants in the same way that one-to-one messages are delivered.

Signal is banned in certain countries where governments are allowed to read all citizen communications. China, Egypt, Cuba, Uzbekistan, and Iran have banned Signal outright. In the U.K., Signal warns it will quit the UK if the law weakens end-to-end encryption. The United Nations has recommended the use of Signal in certain countries.

I would rate Signal as the best and most secure app to use at the moment. The company is a non-profit focused on security and not profit. Signal recently released a blog post asking for donations, as running a worldwide secure messaging service is not free. If you are using Signal, please consider donating to this service, which puts people over profit.

Messaging With End-To-End Encryption

Just like computers, there are security vulnerabilities in smartphones and even messengers. We all remember using AOL Instant Messenger and MSN Messenger back in the day, but messengers have evolved over the years. We now have Skype, Facebook, iMessage, WhatsApp, and too many others to list at this point. Just like a hacker can spy on you using free Wi-Fi, they can also grab your messages.

Not all messages are at risk of being spied on by hackers. Messengers like iMessage and Signal use end-to-end encryption, meaning only you and the person receiving the message can read it. No one else can, since it’s encrypted from beginning to end. Facebook has started using secure messaging on Facebook Messenger as well as WhatsApp. But Facebook has admitted that, while it cannot read the message, it can read the metadata, the geolocation, and other small pieces of data. To me, that’s not end-to-end encryption.

Services like Skype and Google Hangouts do not support end-to-end encryption, meaning Microsoft and Google can read your messages or pictures. Any message that goes over Wi-Fi or the cellular network can be spied on if not using end-to-end encryption. That goes for SMS text messages as well, which are never encrypted.

Snapchat, like Facebook, has enabled end-to-end encryption with a catch. End-to-end encryption is used for photographs exchanged between Snapchat users, but text messages and other messages transmitted using Snapchat are not encrypted, meaning Snapchat can see the data.

Telegram offers encryption. It secures everything, including chats, groups, media, and so on. But it’s not on by default. To use Telegram’s end-to-end encryption, you must start a secret chat by tapping the person’s name, the more or menu button, and Start Secret Chat. Secret chats appear separately from non-secret chats.

If you want to keep your data private from someone, I suggest using iMessage or Signal for everything.