Today we all communicate constantly over the internet. Some people say we spend too much time on our mobile devices, and we do not interact enough with the world, and with the people around us. However, that is a discussion for another time. In this blog post we want to discuss how we keep our internet communications secure from eavesdropping.
Let us start with the granddaddy of internet communications protocols: E-Mail. Almost before there was any other way of communicating over the internet, there was E-Mail. It ran over a protocol called Post Office Protocol, or POP. The final version of the protocol is POP3. There was only one way to access our email, and that was using an E-Mail client such as Microsoft’s Outlook or Netscape Communicator (old school!) or Eudora (double old school!).
Back in the day there were only a couple of ways to keep your email secure, and that was through encryption. There were a couple of different ways to encrypt email using either a digital certificate or a software suite such as Pretty Good Privacy (PGP). There was also an open source version called Gnu Privacy Guard (GPG).
Both methods are still around and are still effective, although PGP has evolved a bit. It is now owned by Symantec and is part of their Endpoint Security suite solution. Even though the methods for protecting our email communications have evolved, they are still there, and still important. We still send a variety of sensitive information via E-Mail, and we need to protect it.
The easiest way to encrypt our email is to use a digital certificate, also known as a Public Key Certificate . There are a range of options available to obtain an E-Mail digital certificate which is then installed into your E-Mail client and allows you to sign and encrypt email. The drawbacks are that you must be using a dedicated E-Mail client such as Outlook, Apple Mail, or Mozilla Thunderbird , and the people you are communicating with must also have a digital certificate. The same applies if you are using PGP/GPG. Everyone must be using it for it to be effective.
Fortunately, our E-Mail providers are also looking out for us. Companies like Google and Microsoft that provide E-Mail services use end-to-end transport encryption to help make our communications more secure.
All the proceeding brings us to the new kid on the block of internet communications: instant messaging. Or just “messaging” as it’s called now.
Messaging started out on our early mobile phones as text messages, which are not and never were secure. However, today we have a variety of ways we can message each other securely from the Messages app in iOS to Whatsapp to Signal to Slack, etc.
“How are these mobile apps secure?”, I can hear you asking. It is a good question. They all use encryption to make sure no one else can eavesdrop on your messages with your friends, family, and business contacts. Apple was one of the first to do this for its customers when it started encrypting the messages between iCloud users. The drawback is, (and you knew one must be coming), the encryption only works between iCloud users. When you send a message, using the Messages app in iOS, to your friend who uses a smart phone that runs a different mobile operating system, such as Android, the message is a plain, unencrypted text message.
Which brings us to the other mobile apps that will help us communicate securely. There are a lot of them out there, but two that we would like to mention are Signal and Whatsapp. Many, many people use these apps daily to communicate securely and if you communicate with people who use a variety of mobile devices you should too. Some of these apps will even let you make encrypted phone calls, which is a big plus. There is also another kind of solution.
One of the other ways to secure your communications is to use a Virtual Private Network (VPN). Many of us, like me, are used to being able to take our laptops down to the local coffee shop, or with us when we travel, connect to any ‘ole Wi-Fi, and then keep doing what we always do on the internet. What you may not be aware of however, is that unlike our home Wi-Fi networks which are encrypted, open, public Wi-Fi that we get at coffee shops, libraries, airports, etc., are not encrypted. Anything done on those wireless networks can be intercepted by nefarious people. A good rule of thumb is, if you don’t have to enter a passphrase to connect to the wireless, it is not secure.
So how do you secure wireless? I’m glad you asked! It is secured by using a VPN. As with the encryption methods for E-Mail and messaging, there are a variety of VPN providers out there that do not cost a lot of money. An individual or organization should research and decide which one is best for their respective needs. It is not recommended to use a free VPN provider. Free VPN providers can be iffy because they get much of their funding via pushing ads to their users. One way they do that is by tracking what you do, which kind of defeats the purpose of using a VPN in the first place.
Returning to how a VPN can protect your communications, we could go into a lot of detail about what a VPN does, but we will keep it simple instead. Unlike the secure solutions above, which are very specific, a VPN works by creating a tunnel between you and a remote server. This tunnel is encrypted, which means that everything you send through it is protected from eavesdropping. This can be especially useful if you are working at the aforementioned coffee shop or airport.
All the information included in this blog is really our way of getting you to think about how, and who, you are communicating with on the internet, and what data you are sending. The bad guys are out there, and they are always watching and trying to get anything they can. If you are planning a birthday party for your best friend or sending your bank information to your CPA at tax time, do it securely. Do not make it easy for the bad guys!
Michael Allbritton is a Cybersecurity Analyst and Trainer with Alpine Security. He holds several security-related certifications, including Certified Information Systems Security Professional (CISSP), Network+, Security+ and CyberSec First Responder (CFR). Michael has many years of experience in software testing, professional services, and project management. He is equally comfortable working with software engineers on testing and design and with sales to meet and manage customer expectations. Michael’s cybersecurity experience with Alpine includes penetration testing, vulnerability assessments, and social engineering engagements for various clients as well as teaching courses for the above-mentioned certifications.
In his spare time Michael is an enthusiastic amateur photographer, diver, and world traveler. He has photographed wildlife and landscapes in the United States, Africa, Central America, West, and East Europe and has amassed several hundred dives as a PADI Divemaster.