Wednesday, March 19, 2014

"@WIRED: consulted with experts to compile this list of 10 measures tech companies should adopt to protect customer data, whether it resides on a distant corporate server or is making its way across the Internet." #security, #privacy

Here is an excerpt from the Wired article. You can read the full article on:

1) End-to-end encryption. This is the most important technological change. End-to-end encryption would help protect data through its entire journey from sender to recipient. Google and other services currently only encrypt data as it makes its way from a user to a given service, where it may be decrypted. That leaves data vulnerable to collection from the service provider’s servers or from internal data links where it might be unencrypted.
“End-to-end encryption … makes mass surveillance impossible at the network level,” Snowden said, and provides a more constitutionally protected model of surveillance, because it forces the government to target endpoints to get data — by hacking individual users — rather than conducting mass collection against people who are not the target of an investigation.

2) Bake user-friendly encryption into products from the get-go. Currently, the only option available is for users to take it upon themselves to add end-to-end encryption to their communications.
PGP (Pretty Good Privacy), GPG, or Off-the-Record messaging all allow users to encrypt email and instant messaging communications. But they can be difficult to install and use, and they only work if the person with whom you’re communicating also has them installed. But if you’re offering a communications service or product today, you should already have user-friendly encryption baked in, and it should be one of the features users demand.
A handful of companies, like Silent Circle, are already producing communication systems and services that purport to encrypt email, instant messaging, text messaging, VoIP or video chat. But consumers have no way of knowing if a service is truly secure and robust. To that end, EFF is hosting a workshop in July at the Symposium on Usable Privacy and Security conference to develop metrics for judging, testing and awarding a prize for the best end-to-end encryption products.

3) Make all web sites SSL/TLS. Following revelations from the Snowden documents, Yahoo announced that it would enable encryption by default for anyone logging into its web-based email service.

4) Enable HTTP Strict Transport Security. Otherwise known as HSTS, this is a mechanism whereby domains like and tell your browser the first time it connects to their domain to always connect to a secure version of their web site, using an HTTPS connection by default, even if users fail to type HTTPS into their browser. If a spy agency or other intruder then attempts to hijack the user’s connection to Facebook by directing their browser to an unsecured connection — so the communication can be monitored — the browser will switch to the secured connection by default.

This also prevents fellow users on unsecured Wi-Fi networks — say, at Starbucks — from seeing your communication if you forget to initiate a secure connection with the site on your own. And it helps prevent an attacker from trying to get your browser to connect to an unsecured fake Facebook page, prompting your browser to produce an error message instead and refuse to connect to the page.

In order for HSTS to work, however, websites need to provide secure versions of their pages, and browsers need to support HSTS. Chrome, Firefox, Safari and Opera all support HSTS in their latest versions. Microsoft recently told EFF that it plans to begin supporting HSTS for web servers handling email, personal or business documents, and media, messaging, contacts, and credentials. But its own browser, Internet Explorer, currently does not support HSTS.
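The first-visit gap mentioned above (HSTS only takes effect after the browser has seen the header once over HTTPS) is what the browser preload lists close. Below is an added example, not code from the Wired article or the EFF, showing how a defender can parse a `Strict-Transport-Security` header per RFC 6797 and flag the weak deployments that leave that gap open. The sample header values are constructed, and the one-year `max-age` threshold is the minimum the Chromium preload list accepts.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample responses: what a server might send on a site's HTTPS reply.
SAMPLE_HEADERS = {
    "strong": "max-age=31536000; includeSubDomains; preload",
    "weak": "max-age=300",
    "missing": None,
}

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by the preload list


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value. Returns None when the header is
    absent or invalid (RFC 6797 requires max-age; browsers ignore the rest otherwise)."""
    if header is None:
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(header: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means the policy closes the
    downgrade window described in the article."""
    policy = parse_hsts(header)
    if policy is None:
        return ["no valid Strict-Transport-Security header: later visits are not upgraded to HTTPS"]
    findings = []
    if policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age}s is under one year; policy expires quickly")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains can still be reached over plain HTTP")
    if not policy.preload:
        findings.append("preload missing: the very first visit can still be intercepted")
    return findings


if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(label, assess_hsts(value) or ["ok"])
```

Note that `assess_hsts` only reads the header; it says nothing about whether the site actually serves every page over TLS, which the article lists as a precondition for HSTS to work at all.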
Slide from NSA PowerPoint deck, courtesy of the Washington Post.

5) Encrypt data-center links. Google and other companies were shocked when documents leaked by Snowden to the Washington Post revealed that the NSA and Britain’s GCHQ had secretly tapped the fiber-optic links between their data centers. Google was already encrypting communications between its servers and its users’ computers, but had been slow in rolling out internal encryption between the data centers where customer data is stored — a vulnerability the NSA was more than happy to exploit.

Since the story broke last October, Google has sped up its data center encryption program, and other companies like Microsoft and Yahoo are in the process of encrypting their data center links as well. But this should be standard procedure for all companies who want to protect not only customer data, but their own data as well.

6) Use perfect forward secrecy. It’s great to employ encryption for communication with customers, but if you’re a target as big as a major tech company and you employ it in the wrong way, then an intelligence agency who somehow obtains your private key can use it not only to decrypt future traffic, but all past encrypted traffic it may have collected as well.

Perfect forward secrecy, however, uses ephemeral keys for the session keys with users, which means that even if an intelligence agency or someone else manages to obtain the secret key, they won’t be able to derive the session key to decrypt your communication.
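To make the contrast concrete, here is an added example (not code from the article) that models the two handshake styles in plain Python: an ephemeral Diffie-Hellman exchange, and a key-transport exchange where the session key is wrapped under the server's long-term key. The Diffie-Hellman group (p = 2^127 - 1, generator 3), the HMAC standing in for a signature, the XOR "wrapping" standing in for public-key encryption, and the server's long-term secret are all toy constructions for illustration; real TLS uses 2048-bit-plus MODP groups or elliptic curves. The point it demonstrates is that a recorded transcript plus the stolen long-term key recovers the session key only in the non-forward-secret design.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Toy group for illustration only: p = 2^127 - 1 (a Mersenne prime), generator 3.
P = (1 << 127) - 1
G = 3

# Constructed stand-in for the server's long-term private key.
SERVER_LONG_TERM_KEY = b"constructed-long-term-server-secret"


def ephemeral_keypair() -> Tuple[int, int]:
    """Fresh DH exponent and public value, generated per connection and discarded after."""
    priv = secrets.randbelow(P - 3) + 2  # 2 .. P-2
    return priv, pow(G, priv, P)


def session_key(own_priv: int, peer_pub: int) -> bytes:
    """Derive a 256-bit session key from the DH shared secret."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def authenticate(value: bytes) -> bytes:
    """Stand-in for the server signing its handshake message with its long-term key."""
    return hmac.new(SERVER_LONG_TERM_KEY, value, "sha256").digest()


def wrap(key: bytes, long_term: bytes) -> bytes:
    """Toy key wrapping (models encrypting the session key to the server's public key).
    XOR with a pad derived from the long-term key; applying it twice unwraps."""
    pad = hashlib.sha256(long_term + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(key, pad))


def ephemeral_handshake() -> Tuple[bytes, Dict[str, bytes]]:
    """DHE-style handshake with forward secrecy. Returns the session key and the
    transcript that a passive tap on the link would record."""
    s_priv, s_pub = ephemeral_keypair()
    c_priv, c_pub = ephemeral_keypair()
    s_pub_bytes = s_pub.to_bytes(16, "big")
    transcript = {
        "server_pub": s_pub_bytes,
        "client_pub": c_pub.to_bytes(16, "big"),
        "server_auth": authenticate(s_pub_bytes),
    }
    k_server = session_key(s_priv, c_pub)
    k_client = session_key(c_priv, s_pub)
    assert k_server == k_client
    # Both sides erase s_priv / c_priv here; only the public values crossed the wire.
    return k_server, transcript


def key_transport_handshake() -> Tuple[bytes, Dict[str, bytes]]:
    """Key-transport handshake without forward secrecy: the client picks the session
    key and sends it wrapped under the server's long-term key."""
    k = secrets.token_bytes(32)
    return k, {"wrapped_key": wrap(k, SERVER_LONG_TERM_KEY)}


def recover_from_transcript(transcript: Dict[str, bytes], stolen_key: bytes) -> Optional[bytes]:
    """What an adversary holding the server's long-term key can get from a recording."""
    if "wrapped_key" in transcript:
        return wrap(transcript["wrapped_key"], stolen_key)  # unwrap succeeds
    # DHE transcript: the stolen key lets the adversary check the server's
    # authentication tag, but the session key depends on exponents never sent.
    hmac.compare_digest(transcript["server_auth"], authenticate(transcript["server_pub"]))
    return None


if __name__ == "__main__":
    k, t = ephemeral_handshake()
    print("DHE recovered:", recover_from_transcript(t, SERVER_LONG_TERM_KEY))
    k2, t2 = key_transport_handshake()
    print("transport recovered:", recover_from_transcript(t2, SERVER_LONG_TERM_KEY) == k2)
```

The ephemeral design still needs the long-term key for authentication (otherwise an active attacker could substitute its own public value), which is exactly the split the article describes: the long-term key proves identity, the session key comes from material that exists only for the life of the connection.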

7) Secure software downloads. We already know that governments have hijacked software update services to install spyware on targeted systems. One way to thwart this would be to authenticate and encrypt download channels and provide a means for users to verify that the download they are getting is legitimate.
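As an added example of the user-side check the paragraph calls for (not code from the article), the function below verifies a downloaded file against a `SHA256SUMS`-style manifest with a constant-time comparison and refuses files that are absent from the manifest or whose digest differs. The manifest and the download bytes are constructed fixtures; in practice the manifest itself must arrive over an authenticated channel (TLS plus a signature on the manifest), otherwise an attacker who can replace the download can replace the checksums too.

```python
import hashlib
import hmac
from typing import Dict

# Constructed fixtures: a "good" release blob and the manifest a vendor would publish.
GOOD_BLOB = b"constructed release payload v1.2.3\n" * 64
TAMPERED_BLOB = GOOD_BLOB[:-1] + b"?"
MANIFEST = (
    f"{hashlib.sha256(GOOD_BLOB).hexdigest()}  tool-1.2.3.tar.gz\n"
    "0000000000000000000000000000000000000000000000000000000000000000 *other-file.bin\n"
)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'hexdigest  filename' lines (coreutils sha256sum format; '*' marks binary mode)."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest.lower()
    return entries


def verify_download(data: bytes, filename: str, manifest_text: str) -> bool:
    """True only if the file is listed and its SHA-256 matches the manifest entry."""
    entries = parse_manifest(manifest_text)
    expected = entries.get(filename)
    if expected is None:
        raise KeyError(f"{filename} is not listed in the manifest; refusing to install")
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("good:", verify_download(GOOD_BLOB, "tool-1.2.3.tar.gz", MANIFEST))
    print("tampered:", verify_download(TAMPERED_BLOB, "tool-1.2.3.tar.gz", MANIFEST))
```

An updater should treat a `False` here as a hard stop, not a warning, and should log the mismatch: a checksum failure on an update channel is one of the few signals a user has that the channel was hijacked.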

8) Reduce storage/logging time. To reduce the amount of data governments can obtain, companies should minimize the data they collect from users to only information needed to provide them with the company’s services. They should also develop reasonable data retention policies that limit the length of time data and activity logs are stored, thereby reducing the chance for governments to get it.

9) Replace Flash with HTML5. Flash, one of the most ubiquitous methods for serving dynamic content to web visitors, is rife with security vulnerabilities and is one of the primary ways attackers exploit systems to hack them. Eckersley calls Flash a “ghastly and broken contraption that should never be attached to the web.” Although HTML5 is not perfect and likely has elements that will need work to make them more secure, “at least they’re open tech, and the web community will do that work,” he says.

10) Fund a global account to support community audits of open source code. With news that the NSA has attempted to undermine encryption algorithms and place backdoors in systems and software, a plan emerged to fund a crowdsourced audit of the TrueCrypt open source encryption software to ensure that users can trust it. More than 1,400 donors from more than 90 countries chipped in about $60,000 and another 32.6 bitcoins (more than $20,000 at Monday’s exchange rate) to fund the auditing work, which began in January. But a general account, managed by a nonprofit, to fund additional projects would help combat the NSA’s ability to undermine trusted systems.
