Encryption: what do you need to know about it?
Welcome to Threat Intel’s #WednesdayWisdom column, which aims to help improve your cyber security knowledge and keep you informed on important developments.
Encryption is defined as “the process of converting information or data into a code, especially to prevent unauthorized access.”
While once talk of encryption, cryptography, and codebreaking was confined to the realm of spies and those wishing to communicate secret messages using symbols and codes, in our hyper-connected world the encryption of communications sent over the internet has become more and more important to people.
People’s concerns about the privacy of their online communications have grown substantially in recent years, especially in the wake of revelations such as Edward Snowden’s, rule changes that have allowed ISPs in the U.S. to sell people’s browsing data, and talks of governments cracking down on the end-to-end encryption provided by some messaging apps.
End-to-end encryption
Certain messaging apps, including Signal and WhatsApp, are enabled with end-to-end encryption. Also called asymmetric encryption, this form of encryption involves a pair of keys: a public key and a private key. The sender “signs” the message with their public key before sending it. The data is then encrypted by the recipient’s public key, and can only be unlocked with the private key of the recipient. Even the service provider cannot read what is written in the message. End-to-end encryption has caused some controversy in recent times, with some governments claiming that it could be exploited by terrorists, and in some cases even seeking to ban it.
While messages sent through Signal and WhatsApp (which has more than a billion users worldwide) are already encrypted, there are other ways to further encrypt your life to protect your data and communications from prying eyes. Here are just five:
1. Use encrypted email or PGP
While Gmail discussed introducing end-to-end encryption in 2014, it still has not happened, and an article in Wired earlier this year implied that the project appears to have stalled somewhat.
However, there are other email providers out there that offer end-to-end encryption: ProtonMail and Tutanota are probably two of the better known offerings.
Other people — particularly journalists, or others who may want to keep their communications private — use the PGP (Pretty Good Privacy) tool, which allows people to encrypt email even if they are not sending it through a provider that offers end-to-end encryption. PGP uses key pairs to encrypt and decrypt messages.
2. Use 2FA
We say this in a lot of the articles we write, but enabling two-factor authentication (2FA) is one of the best ways to keep your data safe from prying eyes. If you have 2FA enabled it means that, even if an attacker has cracked or stolen your password, they will not be able to access your account. When 2FA is enabled a person needs to not just know your user name and password to access your account, they also need to enter a unique code, which is generally sent to your mobile phone, either via text message or through an app, token, or other one-use password tool. There have been instances of 2FA via text message being intercepted, so if it is possible to enable 2FA through an app or other tool that may be the better option. However, no form of 2FA is 100 percent unbreakable, but it does make life significantly more difficult for attackers.
3. Encrypt your hard drive
If you want to keep the data on your hard drive extra secure, then you can encrypt your hard drive.
Both Mac and Windows have built-in full-disk encryption that you simply need to turn on.
Once you turn on encryption you will need to have a recovery key or password to retrieve your data.
4. Use TOR
TOR (The Onion Router) is an anonymizing service that allows internet users to connect to the internet without revealing their identity. TOR and similar services operate by bouncing your traffic around the web so that your ISP does not know what sites you visit, and the sites you visit do not know your IP address.
TOR users do not connect directly to the website or service they want to visit. Instead, they bounce through a series of nodes on the network. Each node only knows the data it receives and the node to which it is passing the data. The website will only know the final node that connected to it, it will not know the IP address that originally sent the request to connect to the service.
While VPNs (Virtual Private Networks) do offer a level of privacy, they do not offer the same level of anonymity as TOR, so for those who are very serious about privacy TOR is the better option. TOR sometimes gets a bad reputation as a service that is used by those involved in illegal activities, but it is also used by people to access websites that may be blocked in their countries, by journalists who want to communicate privately with sources, and by people like whistleblowers and dissidents, as well as by people who are simply conscious about keeping their browsing habits private.
5. Use password protection on your phone/tablet
While many phones and tablets now can be unlocked using your fingerprint — or even your face — it is still advisable to always also protect your device with a unique passcode.
As mentioned in the above-linked article on biometrics, in the U.S., under the Fifth Amendment, you cannot be compelled to reveal your device’s passcode to law enforcement officials. However, there have been instances where people have been compelled to unlock their device using their fingerprint, as this is not considered to be protected under the Fifth Amendment.
It is also advisable to use a passcode over an unlock pattern, with a study recently finding unlock patterns to be much less secure than passwords. While a lot of people use four-digit passcodes for their devices, remember that it is possible to create a longer password, and the longer a password is the harder it is to guess.
Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.
Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.
