Another day, another hack – using client-side encryption to protect your data online
By David Jones
The theft of extremely sensitive data at extra-marital affairs site Ashley Madison is just the latest in a series of online data thefts to hit the headlines. As each new case is reported, it reinforces the message that client-side (or end-to-end) encryption – encrypting your data before it leaves your computer or phone – is the best way to be sure that your data is safe online. This article looks at the threats and three ways you can protect your files, data and messages on the web.
Inside Jobs, Social Engineering and Weak Passwords
Ashley Madison claimed that it had received an award for its security measures but unfortunately it was not immune to the inside job – it appears that a company contractor with access to their database has stolen the personal data of millions of users, leaving them and the company open to blackmail and fraud.
Other widely reported hacks have been performed using social engineering. This is the practice of tricking the operators of web sites and services into revealing information or performing actions such as resetting passwords. Many social engineers are highly skilled at this kind of manipulation, but it’s often weak practices at the companies themselves that lead to security compromises.
But probably the most common cause of security breaches is still good old-fashioned password guessing. Too many people still use weak passwords, or the same password across multiple sites, so as soon as one of their sites is compromised all their accounts are at risk.
The best way to protect your data online is to encrypt it before it even gets there. That way, even if an attacker gets access to your account, they cannot decrypt your data without the encryption keys, and those keys reside on your computer or mobile phone. There’s no way to compromise your data without having access to one of your client devices.
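To make the point above concrete, here is an added example (not code from iPushPull or any service named in this article) of encrypting on the device so that the service stores only ciphertext. The passphrase-derived key, the choice of scrypt and AES-256-GCM, and the names `cloudStore`, `encryptForUpload` and `decryptAfterDownload` are assumptions of this sketch.

```javascript
// Added example: client-side encryption using Node's built-in crypto module.
const nodeCrypto = require("node:crypto");

// Runs on the user's device. The passphrase and derived key never leave it.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32); // 256-bit key
}

// Encrypt locally; the returned record is all the service ever receives.
function encryptForUpload(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per record
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt locally. Throws if the key is wrong or the record was modified.
function decryptAfterDownload(record, passphrase) {
  const key = deriveKey(passphrase, record.salt);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, record.iv);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString("utf8");
}

// Hypothetical stand-in for the cloud service's storage (constructed for this example).
const cloudStore = new Map();

function demo() {
  const passphrase = "correct horse battery staple"; // constructed sample value
  const secret = "Q3 forecast: 1,250,000";           // constructed sample data
  cloudStore.set("sheet-1", encryptForUpload(secret, passphrase));

  // What someone with full access to the account or database obtains:
  const stolen = cloudStore.get("sheet-1");
  const leaksPlaintext = stolen.ciphertext.includes(Buffer.from(secret));

  // Without the device-held passphrase, decryption fails the integrity check.
  let wrongKeyRejected = false;
  try { decryptAfterDownload(stolen, "guess"); } catch { wrongKeyRejected = true; }

  // A record modified on the server is rejected rather than silently decrypted.
  const tampered = { ...stolen, ciphertext: Buffer.from(stolen.ciphertext) };
  tampered.ciphertext[0] ^= 1;
  let tamperRejected = false;
  try { decryptAfterDownload(tampered, passphrase); } catch { tamperRejected = true; }

  return { leaksPlaintext, wrongKeyRejected, tamperRejected,
           roundTrip: decryptAfterDownload(stolen, passphrase) };
}
```

The protection is only as strong as the passphrase and the device holding it, which is why weak or reused passwords remain a risk even with this design.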
Protecting your files online with SpiderOak and Tresorit
File Sync and Share services such as Dropbox and Google Drive are immensely popular because of their convenience and price. But they don’t encrypt your files before they leave your device – if an attacker gets access to your account at the cloud service, they will have full access to all your files. High-security alternatives such as Tresorit and SpiderOak are a much safer bet. Their client applications encrypt your files before they leave your computer and let you keep control of the encryption keys. By the time your files reach the cloud their content is unintelligible, and can only be decrypted on your computer or phone by you or someone you’ve authorised.
Protecting your live data online with iPushPull
We’ve built client-side encryption into iPushPull so you can share live data between Excel spreadsheets securely without any middleman being able to intercept it. This isn’t possible with Google Sheets or Excel Online, which don’t support client-side encryption. And because we’ve built encryption across our entire suite of applications, you can access and update your encrypted data on your mobile phone, in desktop Excel and using our upcoming Google Sheets plugin.
Instant Messaging – who can you trust?
The most popular business messaging services such as Skype do not support end-to-end encryption and are widely believed to have been compromised. In response, the number of end-to-end encrypted messaging services is increasing rapidly and includes established players such as BlackBerry Messenger Protected and more recent entrants such as the highly respected Wickr. The EFF has produced a handy summary of the strengths and weaknesses of many of the players in the instant messaging market.
The cloud is a convenient place to store and share files, data and messages but your stuff isn’t always as safe as you might want it to be. However, with minimal extra effort you can add end-to-end encryption to stay in control and keep your data secure.