Risk
10/19/2012
02:28 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Silent Circle's Military-Grade Encryption: BYOD Tool?

Silent Circle's encryption tools for smartphones and tablets are a boon for privacy enthusiasts--but enterprises could find them useful too.

Silent Circle's suite of apps for smartphones and tablets is designed to make calls, text messages, video chats, and, in coming months, emails virtually invulnerable to surveillance efforts.

It's no surprise the company sensed a market for this sort of service. As technology and terrorist threats have evolved over the last decade, lines between national security efforts, invasive data mining, civil liberties, and Big Brother-like policies have become increasingly difficult to discern. A few recent examples: Carrier IQ debate, the FBI's attempts to gain backdoor access to various electronic communication and social media platforms, ramped-up domestic surveillance initiatives at both the federal and local levels, contentious court rulings around businesses that spy on customers, and an explosion of data-pilfering malware. Privacy concerns have ballooned beyond the ranks of conspiracy theorists to include an increasing number of ordinary citizens.

But what about businesses? As much as average users have reason to proactively protect their privacy, enterprises--thanks in large part to the BYOD phenomenon--arguably need to be even more diligent. Many businesses are already invested in a slew of precautions, including next-gen firewalls, mobile application management tools, and more. Does Silent Circle bring something new to businesses that have already deployed such measures?

Absolutely, according to co-founder Mike Janke, a former Navy SEAL and--along with email encryption pioneer Phil Zimmermann--one of the company's co-founders.

"It's great that people want to use VPN," he said during a phone interview, "but there are nation states and criminal groups breaking them open like coconuts." These ubiquitous encryption tools usually connect to a server where security keys are stored, he explained, making them less than fully secure.

[ Were key details omitted from the FTC's privacy audit of Google? Read more at Google Privacy Audit Leaves Lingering Questions. ]

Infiltrating such enterprise-grade perimeters demands a certain level of sophistication, of course. But elaborate viruses, many ostensibly designed to breach complex targets such as industrial control systems, are already roaming the Internet. Free access to this malware not only demonstrates that high-level sophistication is already being applied but it also allows less skilled hackers to piggyback on these more accomplished efforts.

The issue of government-sponsored espionage, meanwhile, has been a hot topic, with recent headlines focusing on Iran and China. The United States, as Stuxnet revealed, also has an active stake in cyber-warfare's evolution. While these developments can lead to overstated rhetoric, risks remain: data loss can be incredibly damaging, and as strong as some security measures are, they have to contend with talented but unscrupulous people working against them.

Silent Circle isn't a panacea against all of those threats, of course, but it does offer an alternative to the security key dilemma. The products' encryption is peer-to-peer, meaning that it is uniquely generated every time a data transfer is initiated and also deleted, either immediately or after a user-defined period, afterward. Silent Circle doesn't store a key that can be used to decrypt data. The result is information that's not only much more difficult to intercept but also more challenging to use if an attacker actually gets his or her hands on it.

What's more, the interface generally preserves the native app experience, making it user-friendly. As some frustrated IT managers will no doubt agree, security protocols are sometimes subverted by employees who either don't understand all the measures they need to observe or opt for workarounds because they think the policies get in the way of productivity. Janke remarked that Silent Circle deliberately avoided anything "too geeky" in order to make the experience "just like what [users] are used to."

Currently, Silent Circle's products work on iOS devices (except for first- and second-generation versions of the iPhone and iPod Touch). Support for additional operating systems, starting with Android, will come online in the coming months.

The company's encryption tools offer potentially powerful capabilities for those who need to secure sensitive data. However, broader MDM and MAM capabilities currently aren't included, which means that Silent Circle could be a component in an enterprise's security policy but not a complete solution. Given the products' focus on privacy, it's not likely that this larger set of capabilities is in the cards, but Janke said there are plans for additional features that will appeal to enterprises. He mentioned that real-time collaboration tools and encrypted data storage, for example, should join the suite in 2013.

Time to patch your security policy to address people bringing their own mobile devices to work. Also in the new Holes In BYOD issue of Dark Reading: Metasploit creator HD Moore has five practical security tips for business travelers. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.