Tag Archives: Encryption

Joel Wallenstrom, Wickr CEO - Reputation Communications Interview

Like you, we hear a lot about hacking of private and organizational emails, texts and other privacy breaches, as well as foreign actors eavesdropping on the phones of major U.S. corporations. Jeff Bezos is just one example of a V.I.P. who was recently in the news after his personal texts became an international news story. Experian’s infamous 2015 breach, in which millions of customers’ private data became public, is another. Government and political leaks are a whole other category. When these confidential personal or corporate communications become public, we wonder why they were not sent out on private channels.

We turned to Joel Wallenstrom, CEO of Wickr, which provides end-to-end encrypted platforms for individual, corporate, government and enterprise users. We asked him to help educate our readers about their options—and why they are at more risk of a breach than they realize.

Even supposedly “secure” platforms are actually not. Snapchat was recently in the news because employees spied on clients’ private messages. Gmail is reportedly exposed to many third parties. How does Wickr address this problem?

Many people don’t realize that providers of collaboration tools like email, text, videoconferencing and file management services underwrite the cost of delivery by getting access to your data, selling it, and/or monetizing it. This is their profit source and the basis for the huge valuations for companies like Slack, Uber and Zoom. Third-party developers of such apps often can access your messaging, location, preferences, habits, and more. If you are conducting business on an app like WeChat, for instance, the Chinese government is able to read your messages. New popular collaboration tools like Slack are built to give the service provider access to all your communications. This creates a path to your sensitive files, communications and data.

Many executives don’t realize that enterprise security, risk and compliance professionals often prefer non-encrypted email platforms because it allows them to identify bad actors within a company and to track potentially suspicious behavior. This is called telemetry, which essentially means they are collecting everything so that they can see everything. But this gives those who utilize it a great deal of power. In the recent case of Snapchat, their security team abused this power, appropriately named “God Mode,” to access customer data. So, when you use mainstream systems, realize you and your team are not the only ones with complete access to them. Your security team, the service provider, and adversaries smart enough to ride their coattails also have access.

Wickr is different. We are the only service provider that has no ability to see clients’ messages, files, calls, videoconferences, and other data. If Wickr is ever breached, the data sent on our system is safe. We provide “clean pipes” for data and enable clients to completely wipe their phones and systems in accordance with their retention and deletion policies. Further, we provide the ability to store data in their secure archives for as long as clients need. Because we don’t have access to users’ data and therefore cannot sell or monetize it, our revenue comes from a fee to our corporate customers. We maintain a free service for individuals and small groups.

Why do so many prominent people in business and elsewhere continue to feel confident about sending the most intimate information via text?

Because it’s easy—and because 98% of people in business don’t understand encryption or how it works. The phone companies and big tech companies have distributed their technologies en masse, and encryption historically has not been a part of them. We’ve seen small changes with Apple embracing privacy as a way to differentiate their products and services. Slack and Zoom are new products that people love to use because they are easy—but they are not secure. Data privacy is becoming something that people will pay for, or that at least influences their purchase decision. It’s now up to those of us in the privacy industry to make products that are easy to use like Slack and Zoom. It’s a big responsibility and one we take very seriously at Wickr.

Are there still major organizations that continue to use old platforms for internal and external emails? We hear there are plenty and that it is a cost-cutting decision.

The better question is whether there are major organizations not using old platforms. The biggest change I’ve seen has not been to the underlying technologies, but rather how those technologies are managed. Email retention policies are a good example. After the John Podesta incident, many Chief Information Security Officers (CISOs) instituted email retention policies so that emails didn’t simply stick around forever. But even that commonsensical move proves to be difficult to implement in large organizations, and CISOs often feel burned. Therefore, when the C-Suite asks the security team to adopt really secure and really private enterprise collaboration products like Wickr Pro, the CISO delays, looking for the support of legal and compliance and IT. This delay simply pushes sensitive communications to consumer products on their own devices that are not managed by the enterprise. Products like WeChat, WhatsApp and Telegram are dangerous venues for sensitive corporate communications. We are left with a mix of executives sending sensitive business communications on their phones on personal apps managed by China or Facebook, and then sending insecure emails and documents when they need to use a work-issued machine like a laptop. It’s the worst of both worlds.

What are the most common concerns you hear from CEOs and risk executives regarding adapting to secure communications?

There are three primary concerns: first, they worry that the technology will be too expensive; second, that it will not work at scale; and third, that encryption will somehow aggravate their regulators. The last point is very important as there are industries that require retention of certain communications for compliance purposes. There are strong and flexible end-to-end encryption products that conform to any data retention and data deletion policies. On the contrary, when employees use consumer apps to conduct business, they are unable to conform to any rules or regulations set forth by their organization. As I mentioned before, it’s up to the privacy industry to make things easy to use and manage. This is not an easy task, which is why you see most apps simply being sold in app stores and providing no service or integrations with enterprise software management tools. This is the challenge we took on with Wickr Pro. We want organizations to have a point of view on data protection and give them powerful tools to protect and control their data.

Wickr offers highly secure, out-of-band communication channels that deploy to provide the necessary capabilities in times of crisis. When were these developed and what type of crises are they used for?

Wickr was originally deployed for very select uses for journalists and NGOs working overseas. The technology was configured for users whose communications were so sensitive that interception was a matter of life and death. That product still exists, but we have been more focused on building Wickr Pro atop this platform to create more flexible and general-purpose products. We think that small groups and large organizations can benefit from the same level of protection needed by warfighters and NGOs. We’ve simply given people more control over how the product is used. For example, rather than require that all messages are destroyed after 7 days, an organization might configure Wickr Pro to mimic their email retention policy and have messages delete after 90 days. Further, Wickr Pro does not require anonymity, so large organizations can easily deploy at scale using single sign-on (SSO). The strength of our cryptography remains—we’ve just made it easy to use.

Wickr’s ephemeral messaging feature allows administrators and users to set self-destruction timers for messages as short as a few seconds. What types of professional situations are those most used for?

The feature set goes far beyond setting a self-destruct timer for an individual message. Teams can be set up in a security group that has its own settings. The executive team, for example, can be its own group so that they can send messages to Wickr users outside their company, such as to their law firm or a business partner. Another group can be set up for interns where nothing is stored for more than a week and they can only communicate internally. I’ve seen executives set self-destruction timers, which we call “Burn on Read” in Wickr Pro, for messages as short as a few hours when they are sending pictures of whiteboard notes from a Board of Directors (BOD) meeting. That way, the pictures do not remain on their devices after the notes have been documented by their executive assistants. I’ve also observed campaign staffers use settings as short as seconds in a group message during a candidate speech given in the 2018 elections. In those same elections, polling data and opposition research reports would be transmitted in secure Wickr Pro rooms that ensured the data was deleted from end user devices after a week when the next round of data was distributed. With flexible controls, different use cases can be enforced and even orchestrated. There is nothing exactly the same across all Wickr Pro customer deployments, except that Wickr cannot touch their data.

*

Joel Wallenstrom has led top white hat hacker teams responding to some of the most high-profile incidents in the past 20 years. Under his leadership, Wickr has pivoted the company from solely offering a free consumer product to a robust, enterprise- and compliance-ready, secure collaboration platform used by the Fortune 500 and top federal organizations. Prior to joining Wickr, Joel co-founded iSEC Partners, one of the world’s leading information security research teams, later acquired by the NCC Group. Joel also served as the Director for Strategic Alliances at @stake, one of the very first computer security companies, which was acquired by L0pht Heavy Industries and was itself later purchased by Symantec.

*

This is part of our continuing series of interviews with experts whose work relates to online reputation management.


Congress has sent proposed legislation to President Trump that wipes away landmark online privacy protections. According to The Washington Post, that means removing limits from what companies like AT&T, Verizon and others can do with information like your Internet browsing habits, app usage history, location data and Social Security number. It will also reduce rules requiring providers to strengthen safeguards for your data against hackers and thieves.

Not only will Internet providers be able to monitor your behavior online: without your permission, they will be able to use your personal and financial information to sell highly targeted ads. The providers could also sell your information directly to marketers, financial firms and other companies that mine personal data — all of whom could use the data without your consent. In addition, the Federal Communications Commission, which initially drafted the protections, will be forbidden from issuing similar rules in the future.

If this alarms you as much as it does us, the Electronic Frontier Foundation has extensive resources available to help you reclaim your privacy. First and foremost is Surveillance Self-Defense: Tips, Tools and How-to’s for Safer Online Communications. Browse the section for authoritative information on securely removing deleted information from your computer, the most secure email systems, and the basics of encryption as well as an overview of encryption tools.

The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. You may not support their stance on all Internet-related issues, but they are an excellent resource if you are concerned with the security of your data. Their site merits revisiting whenever you want to assume more control over your online privacy and security…or just want more insight into what your options are.


OUCH!, the security awareness newsletter from the SANS Institute, covers the basics of encryption in its August edition. OUCH! is the world’s leading, free security awareness newsletter designed for the common computer user. It is available in multiple languages.

Check prior editions for information on email security, malware, safe social networking, and many other topics relevant to professionals and Internet users.

SANS is one of the world’s leading sources for information security training and security certification. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system – the Internet Storm Center. Other free SANS resources include the weekly news digest (NewsBites), the weekly vulnerability digest (@RISK), and more than 1,200 award-winning, original information security research papers.