Sunday, November 24, 2013

Cryptochip, security card or trust chip


As mobile communication encryption is getting more and more important, several companies are announcing solutions built around micro SD security cards. You get this special micro SD card (security card, cryptocard or trust chip are different names for the very same piece of hardware), put it into your smartphone's micro SD slot, and your communication is secured. Or is it?

With this development a myth arose, namely that every micro SD security card based solution provides eavesdrop-proof mobile communication. These systems are more secure than purely software based solutions, no question. However, using a micro SD security card in a mobile encryption solution does not by itself guarantee eavesdrop-proof communication.

Anyone who thinks it over comes to the same conclusion. What happens if a smartphone has a micro SD card with an integrated trust chip or security chip in its slot, but spyware running on the phone reaches the microphone during calls? The spyware records the conversation, and the conversation is tapped before the audio even gets to the trust chip. The chip protects the keys; it does nothing for the plaintext on its way to the chip. The second question is how the keys are handled. If the trust chip uses standard public key (PKI) encryption and sends out its public key, that by itself is not a weakness: a public key is meant to be public, and knowing it does not reveal the private key. What matters is where the private key lives and how the peer's public key is authenticated. A private key that is ever exported from the chip into the phone's memory can be stolen by the same spyware, and a key exchange that does not authenticate the other side lets a man in the middle substitute his own key and read everything.

An encrypted mobile communication solution has to be chosen based on the technical implementation of the encryption system, not on marketing buzzwords. No single component gives you complete security; you need all three levels of protection together: hardware (the micro SD cryptocard) that holds the encryption keys and never exports them, software (an app running on the smartphone) that protects against malware and spyware reaching the audio and the app itself, and an encryption design with authenticated key exchange that provides end-to-end, eavesdrop-proof communication.

If a company does not take this into consideration, choosing the wrong solution will hurt badly sooner or later.




Friday, November 15, 2013

Years old technology sold to Germany heavily overpriced - BlackBerry Z10s

I read the news that Germany decided to buy 5000 BlackBerry Z10s at 2500 € apiece for encrypted mobile communication (http://bit.ly/1eWFGc1). They were told that this is brand new technology, first seen at CeBIT 2013. The technology, in a nutshell, is a cryptochip integrated on a microSD card that stores the encryption keys and uses them during mobile communication. You put this microSD cryptochip into a BlackBerry Z10 (SecuSmart's solution for governmental use).


Well, that is far from the truth...

The technology is not new. It debuted at CeBIT Hannover, but years ago, and not by SecuSmart... Secfone, a startup launched in 2006, introduced the first implementation of microSD cryptochip mobile encryption and has been selling its solution to companies and governments for years.

Secfone's solution is not tied to any smartphone brand (unlike SecuSmart's solution, which was sold to the German government). It can be used with most current smartphones (see the smartphone whitelist).

The German government bought the BlackBerry Z10s for 2500 € apiece. A Secfone microSD cryptocard, however, costs 300 €. If you do not want to run your own management servers, for another 55 €/month you can use Secfone's infrastructure. So it is affordable for governmental institutes with smaller budgets, for multinational companies, and even for smaller companies.


And the best for last: Secfone provides a higher security level based on the patent it uses (Patent No. WO2005083972 A1).

Tadaaaa....








Tuesday, November 12, 2013

Funniest mobile security expert on YouTube


Share on Facebook, follow the blog, follow the YouTube channel, send it in e-mail.
That's it.

5 functions of TPM you did not know about



TPM, or Trusted Platform Module, is a piece of hardware, a chip, that stores encryption keys and sensitive data and provides cryptographic services. It is still the most secure way to store sensitive data on a device. There is no simple way to read data out of these chips. Only a few hardware hacking experts have managed to extract information from such a chip, and it took months of lab work on a physically opened chip (known as the Tarnovsky crack). That means the attacker has to have the chip in his possession; against a remote attacker it is bullet-proof. (Tarnovsky cracked a 2010-era model, and the same attack is not reported to work on the newer chips.)

What do these chips do?

  1. Protect secrets
    It works as an electronic safe for sensitive data. A key created inside the chip can be marked non-exportable: it can be used, but never read out.
  2. Create, store and manage keys
    It creates its own unique encryption keys at manufacture, so no two chips are alike and a chip cannot be reproduced.
  3. Perform cryptographic functions
    It works as a black box: it receives the data and hands back the encrypted, decrypted or signed result without ever revealing the key.
  4. Provide unique keys
    It can generate further unique encryption keys during its operation too.
  5. Protect itself against attacks
    It is designed to detect physical attempts to read out its content (probing, microscopy, voltage or clock glitching etc.) and to destroy the sensitive data immediately.


Sounds good. Several solutions use TPM technology to protect the integrity of systems, servers, laptops or other devices, for example Microsoft BitLocker Drive Encryption. The disk encryption key is sealed to the measured boot state: the TPM releases it only if the measurements of the firmware, boot loader and OS loader match the values recorded when the system was set up. If the TPM chip is removed (it cannot be investigated in any other way) or the boot chain is modified, the system stops booting without the recovery key, which is noticed immediately, or at least long before the months a physical attack on the chip would take.
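To make the BitLocker scenario concrete, here is an added example (not code from the original post, and not a real TPM interface) that models the three mechanisms involved in pure Python: the one-way PCR extend operation, a policy bound to selected PCR values, and sealing a key so that it is released only when the measured boot state matches. The boot component strings, the PCR assignment (PCR0 firmware, PCR1 boot loader, PCR2 OS loader), the per-chip seed and the thresholds are all constructed for the demo; a real TPM does all of this inside the chip and its PolicyPCR digest is computed differently.

```python
import hashlib
import os
from typing import Dict, List, Optional, Sequence, Tuple

# Added example: a simplified software model of TPM PCRs and sealing, written to
# illustrate the BitLocker scenario. A real TPM does all of this inside the chip;
# the chip seed, handles and boot-chain strings below are constructed for the demo.


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimulatedTPM:
    """Models three TPM behaviours: PCR extend, a PCR-bound policy, and sealing."""

    def __init__(self) -> None:
        self._chip_seed = os.urandom(32)  # unique per "chip", never leaves the object
        self._sealed: Dict[int, Tuple[bytes, bytes, Tuple[int, ...]]] = {}
        self._next_handle = 0x81000000
        self.pcrs: List[bytes] = []
        self.reboot()

    def reboot(self) -> None:
        # Power-on reset: every PCR goes back to zeros; sealed data survives.
        self.pcrs = [b"\x00" * 32 for _ in range(24)]

    def extend(self, index: int, measurement: bytes) -> bytes:
        # TPM2_PCR_Extend: PCR[i] = H(PCR[i] || H(measurement)). One-way and
        # order-sensitive: software can only append, never set a PCR directly.
        self.pcrs[index] = sha256(self.pcrs[index] + sha256(measurement))
        return self.pcrs[index]

    def policy_digest(self, selection: Sequence[int]) -> bytes:
        # Simplified stand-in for TPM2_PolicyPCR: digest over the selected PCRs.
        return sha256(b"".join(self.pcrs[i] for i in sorted(selection)))

    def seal(self, secret: bytes, selection: Sequence[int]) -> int:
        # Keep the secret inside the chip, bound to the *current* PCR values.
        handle = self._next_handle
        self._next_handle += 1
        self._sealed[handle] = (secret, self.policy_digest(selection), tuple(sorted(selection)))
        return handle

    def unseal(self, handle: int) -> Optional[bytes]:
        entry = self._sealed.get(handle)
        if entry is None:
            return None  # this chip never sealed it (e.g. the TPM was swapped)
        secret, expected, selection = entry
        if self.policy_digest(selection) != expected:
            return None  # boot state differs: the chip refuses to release the key
        return secret


def measured_boot(tpm: SimulatedTPM, chain: Sequence[bytes]) -> None:
    # Each boot component is measured into its own PCR before it runs
    # (PCR0 firmware, PCR1 boot loader, PCR2 OS loader; constructed assignment).
    for index, component in enumerate(chain):
        tpm.extend(index, component)


def extend_order_matters() -> bool:
    """Same two measurements, different order: the resulting PCR value differs."""
    a, b = SimulatedTPM(), SimulatedTPM()
    a.extend(4, b"driver.sys")
    a.extend(4, b"rootkit.sys")
    b.extend(4, b"rootkit.sys")
    b.extend(4, b"driver.sys")
    return a.pcrs[4] != b.pcrs[4]


def bitlocker_scenarios() -> Dict[str, bool]:
    """Per scenario: was the sealed volume key released after reboot?"""
    good_chain = [b"firmware v1.2", b"bootloader v3.0", b"os-loader v7.1"]
    tpm = SimulatedTPM()
    measured_boot(tpm, good_chain)
    volume_key = os.urandom(32)  # constructed stand-in for the disk encryption key
    handle = tpm.seal(volume_key, selection=[0, 1, 2])
    results: Dict[str, bool] = {}

    tpm.reboot()
    measured_boot(tpm, good_chain)
    results["unmodified boot"] = tpm.unseal(handle) == volume_key

    tampered = [good_chain[0], b"bootloader v3.0 (patched by attacker)", good_chain[2]]
    tpm.reboot()
    measured_boot(tpm, tampered)
    results["modified boot loader"] = tpm.unseal(handle) == volume_key

    tpm.reboot()
    measured_boot(tpm, good_chain)
    tpm.extend(2, b"rootkit.sys")  # extra code measured after the good chain
    results["extra module measured"] = tpm.unseal(handle) == volume_key

    other = SimulatedTPM()  # disk moved to a machine with a different TPM
    measured_boot(other, good_chain)
    results["different TPM"] = other.unseal(handle) == volume_key
    return results


if __name__ == "__main__":
    for scenario, released in bitlocker_scenarios().items():
        print(f"{scenario:22s} -> {'key released' if released else 'key withheld'}")
```

Only the unmodified boot gets the key back; a patched boot loader, an extra measured module, or a different chip all leave the key sealed, which is exactly why BitLocker prompts for the recovery key after a firmware update or a motherboard swap.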

If you use TPM technology to encrypt communication on the fly, for example to encrypt VoIP calls, the same property works for you: the keys never leave the chip, so a thief who takes the phone gets the chip, not a copy of the keys, and that chip's identity can be revoked. If the TPM is stolen or lost, communication with it simply stops, and you get another TPM with its own unique encryption keys :-) What the chip does not do is protect the audio before it reaches the chip; that is the job of the software layer on the phone.

Takeaway
Secure communication encryption solutions always include a unique piece of hardware, preferably a cryptochip or TPM chip. Software alone cannot keep a key secret from an attacker who controls the device: a key held in ordinary memory can be read, copied or replaced by anything running with enough privilege. Take this into consideration when you choose a secure mobile communication solution for your company...

Bonus: http://prezi.com/i_dlwntjy1jt/5-functions-of-secfone-cryptochip/


Monday, November 4, 2013

3 characteristics of any eavesdrop proof mobile communication solution




Eavesdropping and tapping are hot topics right now. But how can a company choose a really eavesdrop-proof solution?

You can read articles daily on how politicians were tapped by various national agencies. You might think that there is no eavesdrop-proof mobile communication solution on the market, because if there were, at least Angela Merkel would have bought it. Let's take a closer look.

There are 3 requirements of eavesdrop-proof encrypted mobile solutions:

1. Purely software-based solutions are not secure

The reason is evident. Software is code that resides and runs on devices like laptops, smartphones or tablets. That code uses the general storage and processing capabilities of the device, which are not designed to protect any information: the keys sit in ordinary RAM and flash, readable by anything with sufficient privilege, and whoever controls the device controls the software. So if you find an app on Google Play or the iTunes Store claiming that downloading it alone protects your communications, that claim is not true.

Think of the software that can be downloaded from torrent sites. It consists of code, and so does a purely software-based encryption solution; whatever it holds can be copied along with it. Sounds safe?

If you have ever encountered software that cannot be copied, it must have included some kind of unique hardware protection (a USB dongle, for example). The unique hardware piece provides the security, because the secret inside the hardware cannot be copied.

2. Using a standard encryption method is not what makes a solution secure

If a solution claims that it uses standard encryption, that tells you which algorithm it uses, not whether it is secure. A standardized algorithm such as AES is public by design: the attacker is assumed to know everything about it except the key (Kerckhoffs's principle), and years of public analysis have not broken it, so the standard itself is no help to a cracker who does not have the key. Knowing the key length does not shorten a brute-force search; the special-purpose hardware that agencies own pays off against short keys, weak protocols and leaked keys, not against a well-chosen AES key. What decides the outcome is the key length, random key generation, an authenticated key exchange, and where the key is stored. A non-standard, proprietary algorithm that nobody has reviewed gives none of these assurances, and "nobody has analysed it" is not the same as "nobody can break it".

3. A certificate from an agency does not prove there is no backdoor

If you run into a solution that claims to be certified by, for example, an Israeli agency, that means the agency in question evaluated it against its own requirements. Whether the agency retains a way in (a backdoor, a key escrow or a lawful intercept interface) is something the certificate does not tell you either way, and no agency is going to approve a solution it has not looked at very closely. The practical conclusion: a certificate is not a substitute for an inspectable design. Ask who holds the keys, whether the protocol and the source can be reviewed independently, and whether an intercept feature exists. The picture gets clearer as you think it over...

Now comes the final question. Are there solutions on the market meeting these requirements? Of course there are. But most of them are not available to the public, only to agencies and governmental institutes.

UPDATE:

Secfone is the only hardware-based encrypted mobile communication solution that provides triple-layer protection.

Secfone Official Website


Tuesday, October 29, 2013

What is the privacy score of your smartphone?

Clueful
You might know that smartphone apps ask for permissions on installation. However, some apps ask for more permissions than their function really needs. If you would like to protect your information, the first step is to check whether your smartphone can leak your data. We have tried an app that does this work, Clueful (available for Android and iOS).

Clueful gives a general privacy score that tells you roughly how safe your smartphone is.

It categorizes the apps into three categories:

  • High risk apps
  • Moderate risk apps
  • Low risk apps

You should seriously consider uninstalling apps in the high risk category. After installation Clueful checks new installations too, and alerts you if a new app asks for too many permissions. Filtering by specific types of risk is also available (which apps can send SMS, for example).
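The same triage can be done by hand from an app's manifest. The following is an added example, not Clueful's code or rules: it pulls the requested permissions out of an Android manifest, weights them (money-costing and data-collecting permissions weigh most, and a data source combined with a channel off the phone weighs extra), sorts apps into the three categories above, and derives a privacy score for the set. The three manifests, the weight table, the thresholds and the scoring formula are all constructed for the demo.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Added example: a small permission audit in the spirit of Clueful's three
# categories. Weights, thresholds and the sample manifests are constructed for
# the demo; they are not Clueful's rules or data.

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weight per permission: anything that costs money or collects personal data
# scores highest; device-local conveniences score nothing.
PERMISSION_WEIGHTS: Dict[str, int] = {
    "android.permission.SEND_SMS": 5,
    "android.permission.READ_SMS": 5,
    "android.permission.CALL_PHONE": 4,
    "android.permission.RECORD_AUDIO": 4,
    "android.permission.READ_CONTACTS": 4,
    "android.permission.ACCESS_FINE_LOCATION": 3,
    "android.permission.READ_PHONE_STATE": 3,
    "android.permission.CAMERA": 3,
    "android.permission.READ_EXTERNAL_STORAGE": 2,
    "android.permission.INTERNET": 1,
    "android.permission.ACCESS_NETWORK_STATE": 0,
    "android.permission.VIBRATE": 0,
}
# A data source only leaks if something can carry the data off the phone.
SENSITIVE_SOURCES = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA", "android.permission.READ_PHONE_STATE",
}
EXFIL_CHANNELS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def permissions_from_manifest(manifest_xml: str) -> List[str]:
    """Extracts every <uses-permission android:name="..."/> from a manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def risk_score(perms: List[str]) -> int:
    score = sum(PERMISSION_WEIGHTS.get(p, 1) for p in perms)  # unknown permission: 1
    if set(perms) & SENSITIVE_SOURCES and set(perms) & EXFIL_CHANNELS:
        score += 3  # source plus channel: the combination is what leaks data
    return score


def risk_category(score: int) -> str:
    if score >= 8:
        return "high"
    if score >= 4:
        return "moderate"
    return "low"


def audit(manifests: Dict[str, str]) -> Dict[str, str]:
    """App name -> risk category."""
    return {app: risk_category(risk_score(permissions_from_manifest(xml)))
            for app, xml in manifests.items()}


def privacy_score(categories: Dict[str, str]) -> int:
    """0..100; every risky app installed pulls the score down (constructed formula)."""
    high = sum(1 for c in categories.values() if c == "high")
    moderate = sum(1 for c in categories.values() if c == "moderate")
    return max(0, 100 - 10 * high - 3 * moderate)


def apps_with(manifests: Dict[str, str], permission: str) -> List[str]:
    """Filter by one capability, e.g. 'which apps can send SMS'."""
    return sorted(app for app, xml in manifests.items()
                  if permission in permissions_from_manifest(xml))


def manifest(package: str, *perms: str) -> str:
    """Builds a minimal constructed AndroidManifest.xml string."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')


# Constructed sample apps: a flashlight has no business reading contacts or sending SMS.
SAMPLE_MANIFESTS: Dict[str, str] = {
    "Flashlight": manifest("com.example.flashlight", "android.permission.CAMERA",
                           "android.permission.INTERNET", "android.permission.READ_CONTACTS",
                           "android.permission.SEND_SMS"),
    "Weather": manifest("com.example.weather", "android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"),
    "Notes": manifest("com.example.notes", "android.permission.VIBRATE",
                      "android.permission.READ_EXTERNAL_STORAGE"),
}

if __name__ == "__main__":
    categories = audit(SAMPLE_MANIFESTS)
    for app, category in categories.items():
        print(f"{app:12s} {category}")
    print("privacy score:", privacy_score(categories))
    print("can send SMS:", apps_with(SAMPLE_MANIFESTS, "android.permission.SEND_SMS"))
```

On a real device the manifests come out of the installed APKs (for example via `aapt dump permissions`), and the weight table is where you encode your own policy: the point is that the risk is in the combination of permissions relative to what the app is for, not in any single permission.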

Check your smartphone and post your privacy score in a comment here. It's free.



Friday, October 25, 2013

Did US Tap Chancellor Merkel’s Mobile Phone? - Opinion


I read new articles every day on how Germany complains about NSA spying. Now it turns out that there is a high chance that even Merkel's phone conversations were tapped. What is the main problem behind protecting ourselves?

1. Security solutions come from the US

This is a big problem, since a closed US product gives you no way to verify that it has no backdoor, and after the recent disclosures that is not something you can take on trust. Even PGP, usually called the "most secure" option, is under fire, though PGP has no connection to any US governmental institute and there is no public evidence that its cryptography itself was broken. Why not use PGP? Read this: https://github.com/pagekite/Mailpile/issues/79. BlackBerry is a very popular smartphone in Germany, and guess what encryption BlackBerry uses? Yes, you are right, PGP.

2. Standard mobile encryption solutions

Standards are often blamed for lowering the security level, on the argument that published rules (the key lengths, for example) help whoever tries to break the encryption. For a modern standard cipher that is not how it works: the algorithm and its parameters are public by design and the security rests on the key alone, so knowing the key length does not shorten the search. What a published standard does give governmental institutes and corporations is a fixed target for their tailored hardware and software, which only pays off where the standard still allows weak parameters (short keys, export-grade suites, obsolete ciphers) or the implementation leaks the key. Any non-standard encryption needs substantial extra effort to analyse, but "nobody has analysed it" is not the same as "nobody can break it".

3. Software based solutions

To protect a communication channel you need to protect all the information that provides the security of that conversation, the encryption keys first of all. If you use a software based solution, your keys are stored in the standard storage elements of your device. These elements (memory, for example) are readable, writable storage, not designed to keep anything secret from code running on the same device with enough privilege. That means your encryption keys can be read, or even replaced. Sounds secure? Not really...

Any solution?

Of course there is a solution. The keys that provide the security of a communication network have to be stored in a secure place, which MUST BE some kind of hardware. Several solutions with unique hardware protection are on the market, mainly for governmental use. These are special-purpose devices; you cannot use them with your own smartphone. Secfone, however, seems to break that rule...
