New BYOD Threat: Email That Self-Destructs

Employees who bring apps like Wickr to work could bypass enterprise security systems.

Boonsri Dickinson, Associate Editor of BYTE

January 23, 2013

5 Min Read

Who Is Hacking U.S. Banks? 8 Facts

Who Is Hacking U.S. Banks? 8 Facts

Who Is Hacking U.S. Banks? 8 Facts (click image for larger view and for slideshow)

As the BYOD movement infiltrates the enterprise, IT managers have more to worry about than ever. The latest challenge: Employees who use apps to send messages that "self-destruct."

The possibility of employees dropping company secrets into Dropbox already worries IT managers, but at least such actions leave behind a trail that can be traced. What happens when employees send messages to each other and to others outside the organization that are deleted by default?

A popular app called Snapchat allows users to text self-destructing photos in real time. A similar app called Wickr takes the concept to the next level. Launched six months ago, Wickr lets users share more than just photos -- they can send encrypted multimedia messages that self-destruct after a set amount of time.

[ For more lessons learned on BYOD security, see Close The BYOD Security Hole. ]

With Wickr, you can send voice, text and audio messages, all of which delete themselves after a period of time. The app encrypts everything and it also scrubs content from the file system, making it hard for anybody to know what was sent or if anything was sent.

Wickr, which already has downloaded hundreds of thousands of times from the Apple store, offers some useful features -- for example, it provides a convenient way for journalists to communicate with sources anonymously. The Wickr app is free, but the company also offers a service that lets users send messages to groups of people. Wickr targets the messaging market, which includes apps such as WhatsApp and Voxer.

"BYOD is sweeping over the enterprise. Wickr is a way for people to have private communications on their phone without anyone seeing [them]," said Nico Sell, co-founder of Wickr and an organizer of Defcon, the largest hacker conference in the world. "We are flipping messaging on [its] head."

The industry is going to see a shift, predicted Sell. "You are going to think about how long you want something to live before you send it: [Some] kinds of messages need to live for seven years. [Other] kinds of messages -- to your spouse [for example] -- should disappear right way and not be archived."

Having that control is the main idea behind Wickr, Sell said. She has surmised from customer reviews and emails that Wickr is popular with doctors and lawyers who use it to communicate with patients and clients, and she hopes more consumers will take Wickr to the workplace. "We think of ourselves as a consumer company, and [we] are going after consumers," she said. "We give power to the people ... through anonymous free speech." People should be more aware of their digital footprint, said Sell. She points out that when you send a message in the traditional way, it's stored on multiple servers where others can potentially see it by accessing or hacking a database. "There's stuff that is easy to get," she said. "And money can buy you crazy stuff about people via the deep Web." At the other end of the spectrum, "criminals are all over the world. If you have money or anything of value, you need to start looking at your digital footprint," she said.

The United States is Wickr's biggest market, but the app is available in 110 countries and is the number-one free social app in Greece, Singapore and South Africa, in the same category as Facebook and Twitter. Sell attributes that popularity to people wanting to have control over private, anonymous free speech. "Private correspondence is important to a free society," she said.

Security expert Dan Kaminsky, an advisor for Wickr, agreed. "Non-permanent communication came first -- humans have been speaking before they have been writing," he pointed out. "Communicating privately ... is core to the experience of being human. People need to be able to express their thoughts and converse with their friends, family and spouses -- and feel secure in their communication."

But Wickr also raises a lot of hard questions about security and regulation. Sell acknowledges that when she works with chief security officers, questions about regulation in the enterprise come up frequently. How will IT leaders manage communications when apps such as Wickr and Snapchat inevitably make their way into the enterprise? Many companies are required by law or regulation to keep records of all communications for many years. These new apps could make that much more difficult, if not impossible.

Derek Schueren, who co-founded data management, governance and analytics company Recommind, helps companies organize and index unstructured data. Recommind uses a technology called CORE that can help enterprises organize their data and make it easier to search and sort.

Most companies have a wide variety of electronically stored information, much of it in spreadsheets, databases, text messages, instant messages, email, file fragments and digital images. In most cases, that information can be searched and specific bits of data can be retrieved, if necessary, to respond to lawsuits or patent disputes or for other reasons. Many companies have policies that specify when certain types of data can be deleted. Other companies try to keep everything for decades.

"You have an obligation [to retain data] if there's a possibility of litigation. This includes email [and other forms of communication]," Schueren said.

Companies might worry about Wickr from a legal perspective, according to Schueren, but a bigger concern may be that Wickr could be used for destructive purposes. An employee could take photos of company secrets or forthcoming products and send them to someone outside the company.

"It used to be files were locked in a cabinet and you knew who had the key," Schueren said. "Now everyone has the key. Everyone has connections to the outside world and companies are more exposed than they used to be."

About the Author(s)

Boonsri Dickinson

Associate Editor of BYTE

Boonsri Dickinson is the Associate Editor of BYTE

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights