Russ Harvey Consulting - Computer and Internet Services

Encryption: Protecting Your Data

5 Recommendations | Encryption Software | Encryption Principles

Protecting your data

Why Encryption is Necessary

Not that many years ago, data encryption was relatively unknown to most computer users. Many realized that governments and corporations used this protection, but why did they need it?

However, in today's world of hacking by criminals and spying by governments, it is important that we protect our most important documents from being stolen, or if stolen, prevent fraudulent use such as identity theft.

[A]s a technological tool, encryption is extremely important, even essential, for the protection of personal information and for the security of electronic devices in use in the digital economy. Unfortunately, the crux of the problem springs from the fact there is no known way to give systemic access to government without simultaneously creating an important risk to the security of this data for the population at large. Laws should not ignore this technological fact. — Privacy Commissioner of Canada

Watch Mozilla's Encrypt series videos to better understand why we need encryption for our everyday communications and privacy.

Stand up for strong encryption. It matters.

Data Used to Be Safer

Most people only had a desktop computer. Few were connected to the Internet. Documents were transmitted using the mail, courier or fax.

Those that were connected used a telephone modem (dialup) so interactions with the Internet were relatively brief. Their computers only left home (or the office) when going to the repair shop.

Mobile More Vulnerable

A desktop computer is stationary and, unless you haven't secured the location, is not particularly vulnerable. Mobile devices (smart phones, tablets and laptops), on the other hand, are more likely to be used in unsecured locations (at least part of the time).

Mobile devices contain a lot of personal information — often as much as our offices used to hold. Most of these devices are continually connected to the Internet.

Portability Increased Risk

These, along with the USB hard drives and thumb drives we used to store and transfer data, are at greater risk for loss or theft just because they are portable.

Privacy Laws are Outdated

Privacy laws were developed in the days of snail mail and paper documents. They are no longer sufficient because today's storage conditions are different.

The laws were created before the Internet was widely used. Documents were normally stored on paper in locked file cabinets (or at least not accessible without physically entering the premises). The government could only legally intercept mail (with a warrant) while in transit.

Today many of us permanently store our documents and other data in online facilities like DropBox and Google Docs and our emails are left online with Gmail or Hotmail (what is referred to generically as “the Cloud”).

Just as an envelope prevents anyone from reading a letter while it's traveling through the mail, encryption stops snoopers from viewing the content of your emails and searches, and prevents hackers from getting access to your sensitive information. — Google

The assumptions old laws used in restricting access to mail delivery no longer apply. Our data is stored in online computers controlled by others. Bulk collection of data is much easier and less costly than ever before.

Encryption is under attack

We're told that the FBI, R.C.M.P. and other agencies need back doors to encryption protocols (or have it banned altogether). We are told that the authorities are only targeting terrorists or child pornographers. These are, at best, deceptive.

These agencies want every encryption protocol (if it is allowed at all) to have a “back-door” (i.e. special decryption made available to police and government agencies).

If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it's a fragile secret. Backdoors are one of the primary ways to attack computer systems. — Bruce Schneier

The Terrorist Argument Invalid

Banning encryption (or other modern communication technologies) by using the argument that it is used by terrorists isn't reasonable.

Criminals have used telephones and mobile phones since they were invented. Drug smugglers use airplanes and boats, radios and satellite phones. Bank robbers have long used cars and motorcycles as getaway vehicles, and horses before then. And while terrorism turns society's very infrastructure against itself, we only harm ourselves by dismantling that infrastructure in response — just as we would if we banned cars because bank robbers used them too. — Bruce Schneier

Same Arguments About “Going Dark”

The history of the Clipper chip should tell us otherwise. The FBI used the same arguments about the ability of criminals to “go dark” unless a back door was included. Concerns about privacy and widespread surveillance caused it to fail.

Democracies around the world have long recognized that electronic surveillance power in the hands of government is a threat to open societies unless it is properly regulated by an effective legal system. Many countries have enacted surveillance laws, but laws on the books alone to not protect privacy. A vibrant legal system with respect for the rule of law is necessary for privacy protection in the face of ever more powerful electronic surveillance technologies. — Journal of Cybersecurity

Understanding the Implications: What's at Stake

Most people don't understand the implications of disallowing or weakening the use of encryption to protect our data. So let's use another analogy to see the fallacy of that argument.

Would you give police unrestricted access to everything you own?

Imagine if you were required by law to make a copy of EVERY key (or provide the combination) for every lock you have (home, business, mailbox, car, filing cabinets, safety deposit box, etc.) and provide them to your local police station where they would be routinely used without your permission or judicial oversight (warrant). Would you still feel your privacy is not at risk? Would you feel safer?

For a more in depth discussion see:

Your Voice is Needed

Do your part to make the Internet a safer place by ensuring that these misleading arguments don't compromise ecommerce and your privacy by banning encryption. We must stand together to shape the future of the Internet and keep the momentum going for surveillance reform.

Data Encryption Moves Mainstream

Microsoft made encryption easier starting with Windows 7 Ultimate's built-in BitLocker Drive Encryption and the Encrypting File System. This capability is easily obtained for other Windows versions by installing third-party software.

But how secure is that encryption software?

In providing the R.C.M.P. with access to organized criminals' phones, Blackberry also provided access to every Blackberry phone in Canada that wasn't part of a corporate network. That's what an encryption back door would do.

Snowden Reveals Massive NSA Access

Edward Snowden, a former contractor for the NSA, revealed that NSA has backdoors into virtually all operating systems and commercial encryption software — realtime access into anybody's computer was a reality.

Terrorism Threat Exploited

Governments and corporations are using the threat of terrorism to spy on their own citizens without any oversight from independent third parties and changing laws that protect your privacy so these regulations become ineffective. Everything they have is a state secret, but nothing of yours is. It is this morally-bankrupt status that Snowden felt compelled to reveal.

When asked questions about programs by Congress, the NSA and CIA lie, often reinterpreting standard terminology to their advantage (i.e. they feel they can collect information without a warrant and haven't broken any laws because no one has examined it yet). They'll state that a certain code-named program "doesn't do that" without revealing that another does. Obviously the same tactics would hardly keep you safe from legal prosecution in similar circumstances, making them "above the law" because it is impossible to hold secret courts accountable.

The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They're limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible. — Bruce Schneier
[T]he one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection — basically, a technology that allows the agency to hack into computers. — Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World by Bruce Schneier

CIA Tools Frightening

WikiLeaks released a list of CIA Hacking Tools. Many of these are frightening, mostly because you and I are likely the target of these intrusions.

One of these tools is Weeping Angel which allows the CIA to hack your smart phone or smart TV and listen in on you without your knowledge or permission — even if it is turned off.

Everyone is Hacking

The assumptions that only the “good guys” are using these tools is ignorant. We now live in a world where anyone has access to these tools at the cost of both individual privacy and national security.

This has weakened the Internet everywhere as well as the attractiveness of U.S. technology overseas.

Encryption is the Only Defense

The only self defense from all of the above is universal encryption. Universal encryption is difficult and expensive, but unfortunately necessary.

Encryption doesn't just keep our traffic safe from eavesdroppers, it protects us from attack. DNSSEC validation protects DNS from tampering, while SSL armors both email and web traffic.

There are many engineering and logistic difficulties involved in encrypting all traffic on the internet, but its one we must overcome if we are to defend ourselves from the entities that have weaponized the backbone. — Nicholas Weaver

Return to top

What Can You Do? Five Recommendations

Don't be fooled that your communications are uninteresting — that only the “bad guys” are targets.

The NSA is spending incredible amounts of money to ensure that it can see into your computer, compromise your network and to record your phone calls, then storing the information for later study.

In NSA surveillance: A guide to staying secure, Bruce Schneier listed five pieces of advice:

  1. Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.
  2. Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections — and it may have explicit exploits against these protocols — you're much better protected than if you communicate in the clear.
  3. Assume that while your computer can be compromised, it would take work and risk on the part of the NSA — so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.
  4. Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
  5. Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

I strongly recommend reading the entire article for the context and to understand what Schneier is saying.

Return to top

Encryption Software

There are a number of good encryption solutions. Pretty Good Privacy (now owned by Symantec) was one of the original products.

The Linux encryption app Cryptkeeper has a rather stunning security bug: the single-character decryption key "p" decrypts everything. — Bruce Schneier

Folder Encryption Solutions

SafeHouse Explorer

SafeHouse Explorer is a free encryption solution for disks and memory sticks.

  • SafeHouse Explorer uses passwords and maximum-strength 256-bit advanced encryption to completely hide and defend your sensitive files, including photos, videos, spreadsheets, databases and just about any other kind of file that you might have.

Cypherix

Cypherix has a number of products including corporate solutions.

  • Cryptainer LE a free disk encryption software, creates multiple 25 MB of encrypted and password protected drives/containers.
  • Secure IT encrypts all your files and folders. All you need to do is select a file you want to encrypt and assign a password.
  • Cryptainer PE protects your data by creating multiple encrypted vaults for all your files and folders using 448-bit strong encryption without changing the way you work.

WinMagic SecureDoc

WinMagic specializes in securing data using SecureDoc Anywhere, Everywhere, No-Compromise Security including cross-platform solutions like SecureDoc Cloud. See the WinMagic eStore for

A review of the Mac version gave WinMagic a 6.7 out of 10, noting that it had a small memory and storage footprint. The main concern was that the software was perhaps too complex and powerful for casual users.

Drive-Encryption Solutions

TrueCrypt

TrueCrypt was a free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X and Linux.

WARNING: Using TrueCrypt is not secure. You should download TrueCrypt only if you are migrating data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform. — TrueCrypt site

The TrueCrypt site recommends migrating from TrueCrypt to BitLocker (instructions are provided).

Bitlocker is not recommended by Bruce Schneier (see recommendation 5) because it is more likely to have a NSA back door:

[I]t's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered.

FreeOTFE

FreeOTFE is a free, open source, "on-the-fly" transparent disk encryption program for PCs and PDAs that allows you to encrypt the entire drive.

  • Supports all versions of Windows from Windows 2000 onwards (including Windows 7).
  • No need to install it; making it ideal for use on USB memory drives, etc.
  • Highly portable. Not only does FreeOTFE offer portable mode, eliminating the need for it to be installed before use, it also offers FreeOTFE Explorer — a system which allows FreeOTFE volumes to be accessed not only without installing any software, but also on PCs where no administrator rights are available. This makes it ideal for use with USB flash drives, and when visiting Internet Cafês, where PCs are available for use, but only as a standard user.

Return to top

More About Encryption

These sites have useful information on encryption:

Return to top

Encryption Principles

While your computer's security software may protect your data while it is running normally, your hard drive can be removed and the data collected by placing it into another computer or by using various utilities.

Data encryption works by encrypting the files, folders or even whole drive. This protection is not dependent upon the operating system's security — it works even if someone removes your hard drive.

The Downside

However, if your drive becomes corrupted or if you lose the encryption key the data will be unrecoverable, even by you.

Frequent backups become your only source of recovery in this situation and they must be physically secured to protect the previously encrypted information these backups contain.

What's Best?

Which solution is best depends upon the nature of the information on your computer and how it is used.

If you encrypt the entire drive of your laptop this ensures that all your data is safe if the computer is lost or stolen (even if the drive is removed for data extraction).

Alternatively, if only certain folders contain vulnerable information, you can simply protect those folders.

How Does It Work?

The following short video by Google shows the basics of how encryption works:

Google Take Action: Encryption helps to keep us safe and secure online. Share this graphic and help spread the word! Click to view

Usually encryption software requires you to login to use the encrypted information (or when opening certain folders if only specific folders are encrypted).

Once you have done this, operating the computer should be the same as it is with an unencrypted computer.

Performance

On modern computers with sufficient RAM and other resources, the overhead of running this software should be minimal.

Older computers may suffer slowdowns or jerky operation if there are insufficient resources to run the encryption software properly.

Use Quality Passwords

The security of this solution is dependent upon the quality of your passwords. You should take a moment to review the qualities that make a good password and you'll want to ensure your password isn't compromised.

Return to top

Related Resources

Related resources on this site:

or check the resources index.

Return to top


If these pages helped you,
buy me a coffee!


www.RussHarvey.bc.ca/resources/encryption.html
Updated: August 12, 2017