
Data security and privacy is increasingly difficult to understand. How can we be truly sure that the messages we’re sending don’t fall into the wrong hands, and the photos we upload don’t get misused?

To understand data security loopholes and how we can avoid them, MakeUseOf spoke with Shaun Murphy. Murphy is a former government security consultant and the founder of Sndr, a free messaging and file-sharing app that he claims solves the most common problems with encrypted data and online security.


The Problem With Cryptography and Encrypted Emails

We often hear of how the government is reading our emails and how all our text communication is not secure. The common solution offered is to encrypt your emails. These solutions work as a layer on top of email, in the form of cryptographic plugins. However, it’s usually not a practical solution.

“It puts the onus on your recipients to also have the same plugin, exchange some shared secret code/key to read your messages,” Murphy says. “These layers usually add so much friction in communicating with everyone you already know, that people end up abandoning it altogether.”



Cryptography, however, is hard to develop; it’s hard to convince people to use it; and very hard for companies to give up the ability to data mine all of your messages and data, he adds.

“No one or no entity should have access to private citizens’ messages and data that were not clearly intended for public consumption. And for that we need wide adoption of cryptography services between sender and recipients on everything—email, messaging, social media, file sharing. It’s just too risky to leave this stuff unprotected on servers spread out across the world. That’s where Sndr comes in, by putting all of that in one place.”

The Best Tip to Secure Your Inbox: 2FA


Murphy recommends two-factor authentication (also called 2FA or 2-step verification) as the best way to first secure your inbox against intruders. 2FA is a double-step security protocol, available for most prominent web services. After you input your password, the service sends a second code, usually via SMS, to ensure it’s really you.

“This is a very strong authentication mechanism since it requires something you know (password) and something you have (mobile device)—typically, someone with malicious intent will not have access to both,” Murphy says. “Authentication is essential to starting to secure your communication. Remember, if someone gets into your email, they can reset ALL other accounts you have via the “reset my password” links on social media and most other websites… scary stuff!”

Use Offline Email Clients, Especially When Travelling


Given how powerful Gmail, Outlook and other web-based email clients are now, you probably don’t have an offline client like Outlook Express or Thunderbird. But that’s a mistake, according to Murphy. There are some benefits to using an offline email client like Thunderbird instead of accessing Gmail or Outlook from your browser.

“Your keystrokes won’t be captured (as some social media giant was caught doing recently) as you type your message,” he says. “You have time to review your messages and content for any sensitive information before it is submitted to some connected service. And you can take your time to make sure you connect to a safe network.”

Murphy especially recommends using offline email clients when you travel. When you are not using your home or office’s Wi-Fi network, you cannot be sure how secure it is. “I do use offline clients when I’m travelling just for the simple reason that most Wi-Fi access points are not safe even if you use many layers to try to protect it,” Murphy says.

Make Passwords 30 Characters Or More


XKCD’s comic nails the security secret to passwords, Murphy says. The longer and more complex you make it, the harder it is for a computer algorithm to crack it. So he has two golden rules for passwords:

Complexity can be achieved by special characters, capitalized letters, numbers, etc, Murphy says, offering an example of a really strong password:

Ye8ufrUbruq@n=se

“Well that violates Rule #1: I have to remember that somehow. Forget it, I’ll just write it down or stick in a password remembering program… and that’s not so great for security,” he says. “What if we had a really long password but made it a bit more memorable?” For example:

TodayIsGoing2BeTheBestDayEver!

“The key here is I can remember that, it’s a long passphrase and it is very complex and, to some standards, more secure than the first one just because of the number of characters.”
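How much harder a password is to crack depends on the attacker’s model of how it was made, not on its length alone: 30 characters typed as a natural sentence do not carry 30 characters’ worth of randomness. As an added example (not from the article), the function below scores both of Murphy’s passwords two ways: the naive per-character brute-force estimate and an estimate under a generation model (random characters, random dictionary words, or a common phrase with a few decorations). The dictionary and phrase-list sizes are constructed assumptions for illustration.

```python
import math
import string

GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate against a fast hash


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover if they brute-force per character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Naive estimate: every character is an independent random pick from the charset."""
    return len(password) * math.log2(charset_size(password))


def model_bits(choices: int, picks: int = 1, decoration_bits: float = 0.0) -> float:
    """Entropy when the password is `picks` independent choices from `choices` options,
    plus a few bits for predictable decorations (capitalisation, '2' for 'to', a trailing '!')."""
    return picks * math.log2(choices) + decoration_bits


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password at half the search space."""
    return 2 ** (bits - 1) / rate / (365 * 24 * 3600)


def compare() -> dict:
    random16 = "Ye8ufrUbruq@n=se"
    sentence30 = "TodayIsGoing2BeTheBestDayEver!"
    return {
        "random16_naive": brute_force_bits(random16),
        "sentence30_naive": brute_force_bits(sentence30),
        # Assumed: a sentence drawn from ~1 million common phrases, plus ~4 bits of decoration
        "sentence30_phrase_model": model_bits(1_000_000, 1, 4),
        # Assumed: nine words picked at random (XKCD style) from a 20,000-word list
        "nine_random_words": model_bits(20_000, 9),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:26s} {bits:6.1f} bits  ~{years_to_crack(bits):.2e} years")
```

The same 30-character string scores about 197 bits when treated as random characters but only about 24 bits when the attacker guesses it as a common phrase with predictable decorations, which is the point the commenters below make against the sentence example.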

Attach Important Documents as PDFs or 7-Zip Files


Emails are often used to transmit important files, from tax return information to sensitive photos. Since we’ve already established the security flaws in email, you need to be doubly sure about these documents. So first put them into an encrypted, locked format and then email them, Murphy says.

After doing one (or both) of those options, you can freely send that file without much worry.

This approach still requires you to send that password to the other person. To be safe, Murphy recommends calling them and saying the password out loud; don’t write it down anywhere. And use the principles of the 30-character password trick to make it memorable and secure.

Security Risks Are Different on PCs and Phones

While our smartphones are slowly replacing our PCs, you can’t treat them as the same type of device when it comes to security practices. The risks are different, and so you need to approach the problem differently. Here’s how Murphy differentiates the risks:

Risks for PCs: A PC is generally set up to allow programs to do whatever they please, with the exception of a few hot items (acting as a network server, accessing system or other users’ files, etc.). Today’s threats on PCs include ransomware (a program that encrypts all of the files you need and forces you to pay some money to unlock them), but the biggie is the silent stuff. Some software programs sit on your computer, crawl the network for juicy stuff and silently transmit those files overseas.


Risks for Phones: A phone’s security issues are generally more restricted than a PC’s because phones aren’t set up to let programs do whatever they want. However, there are other problems. Phones typically know where you are by the cell tower they are connected to, any nearby Wi-Fi, and the GPS module if you have it turned on. Downloaded apps may have way too many permissions and might be capturing too much information about you (like accessing your contact list and uploading all of it to a server somewhere).

Murphy’s Tip: Encrypt your phone. On Android you have to explicitly do this in the phone’s settings. The latest iPhones ship this way when you have a password.


Also, the actual technology that makes a cell phone communicate with cell towers is generally a black box whose inner workings the security community has little visibility into. Is it capable of remotely controlling your phone, turning it on or activating its camera?

Murphy’s Tip: Use a passphrase for login. A simple 4-digit PIN isn’t enough; a 6-digit PIN is good; a passphrase is best. And pattern locks are out of the question.

Fingerprint scanners are getting better but they are not a good replacement for passwords. Fingerprints and other biometrics are better suited to replace a username than a password since a password should be something you know. With that said, fingerprint scanners to unlock phones are better than nothing.

Finally, the size of a phone makes it more likely to be stolen. And since it has all your accounts logged in, the thief simply has to reset passwords to lock you out.

Murphy’s Tip: Turn on remote device management. For Apple users, there’s Find My iPhone, and for Androids, use Android Device Manager. This will let you remotely wipe sensitive data from your device if it is stolen.

When to Use Google/Facebook Logins for Sites


Several sites ask you to sign in using your social accounts. Should you do it?

“It really depends on how much access the site requests to your information,” Murphy says. “If the site simply wants you to authenticate so you can leave comments, try their services, etc. and they request your identity, that’s probably okay.”

“If they ask for all sorts of permission—post to your network, send messages on your behalf, access your contacts? Watch out!”

Which Services Should You Use?

At the end of all this, you’re probably wondering which of the many popular services you can use and still be assured of your security. Is Gmail safe? Should you be storing your data on Dropbox? What about security-focussed services?

Murphy doesn’t recommend any current cloud app. The popular, convenient and simple ones lack true privacy and security, he says, while the ones that offer true privacy and security are complex to use and have too much of the aforementioned friction.

So what are Murphy’s recommendations?


For email: “Email is sort of a lost cause. Even if you have the most secure provider, your recipients will always be the weak link.”

For cloud storage: “The best is a server that you control, can lock down at the filesystem level, and ensure each file is encrypted with a unique key per file.”

For office suites: “You can still purchase offline office tools or use open source options. Real-time collaboration takes a hit but some secure/open sourced solutions are starting to arrive for that functionality.”

For photos: “I go old school with this, connect to a device in my house, transfer pictures from my device to a long term storage drive (not flash, the data will not survive multiple years without being plugged in) and have an automated program encrypt and upload this information to a server I control. It’s not convenient, but it’s secure, not only from prying eyes but from services that go belly up in a few months or a year.”

Ask Shaun!

Got any doubts about your data security? Maybe you have questions about how Sndr can help solve those issues? Fire your questions in the comments, we’ll ask Shaun to weigh in!

  1. Gilbert J.
    December 13, 2015 at 12:51 am

    Mr. Murphy raises some interesting points, but I disagree with some of his password advice.
    While I agree that a longer password is generally better than a short one, length by itself won't make it secure. "abcdefghijklmnopqrstuvwxyz", "passwordpasswordpasswordpassword" and "weallliveinayellowsubmarine" are all long, but not all that secure. If you are going to use a password based on words, it is best to have unrelated words, as the XKCD comic suggests, and if you use a sentence it is best to make it nonsense rather than a sentence you might hear in everyday conversation. Someone is less likely to guess "invisiblelilaccamelsdwellbeneathmyvilla" than "todayisgoingtobethebestdayever". Including uppercase letters is good, but the most obvious places to put them are the first letter of the first word and the first letter of every word. It would be better to put them in the middle of one or more words, though this makes the passphrase harder to remember. Few people include symbols in their passwords, but if there is one it is most likely to be an exclamation mark at the end. It would be better to put it somewhere else, and use a different symbol. Use of obvious substitutions like "2" for "to" adds only a little to security.
    Remembering a few passphrases like this is doable, but trying to remember dozens or hundreds of them will become almost impossible, and more trouble than it's worth.
    Also, some sites limit the length of passwords to 10 or 12 or 16 characters, which would make this approach problematic.
    A much better approach is a password manager. That way, you can have ridiculously long and complicated passwords for every site (or at least complex passwords for sites that limit length), but you only have to remember one. If you want to keep it local, use KeePass. If you use more than one machine, you can put KeePass on a thumb drive. If you are willing to trust your information in the cloud, LastPass is a good choice. I understand the arguments that are often put forward against trusting all one's passwords to a password manager, but it appears that Mr. Murphy would like us to entrust our online encryption needs to his service, while telling us that encrypted password vaults shouldn't be trusted.
    On the subject of 7-Zip: You can encrypt your file as an .exe file that can be decrypted without having 7-Zip installed on the recipient's computer. Of course, this requires that they trust an .exe file from you.

  2. Stéphane Moureau
    December 12, 2015 at 3:27 pm

    https://www.moureau.me
    they have a simple way to create complex passwords very easy to remember.

    2FA, does not require a cell phone, at least after registration, you can print codes, and scramble them with useless characters only you know where to remove, 1st and 3rd...

    2FA can use some kind of number generator (OTP) on a key.

    2FA can be with a hardware key, ~$40

  3. Patrick Biegel
    December 11, 2015 at 11:52 pm

    If you use a password manager you can use 30 character long really complex passwords for every account like: "M:uS3%*em833(-HeN2.....". If you don't use a password manager I don't think that you can remember 200 different passwords of your example like "TodayIsGoing2BeTheBestDayEver". If you should not use the same password for multiple accounts how will you remember 200 passphrases (which are also insecure because they are made of dictionary words) for 200 different accounts? That will not work or you are a genius!

  4. Patrick Biegel
    December 11, 2015 at 11:38 pm

    I think it is more secure to encrypt files on the client side and store them on AWS than on a server that I control. For hackers it's easier to get physical access to a server I control, at least if this server is at home or in my office and not in a data center. Amazon also has more human resources and money to secure their servers than I do.

  5. fcd76218
    December 11, 2015 at 10:03 pm

    The problem with 2FA is that it requires a cell phone. As surprising as it may be, a lot of people do not have a mobile phone. Besides, mobile phones introduce their own insecurities.

    "TodayIsGoing2BeTheBestDayEver!"
    Violates Rule #2. It is not sufficiently complex. It may be long but other than one number and one special character, it is susceptible to a dictionary attack.
