Most of us in North America, Europe and much of the rest of the world trust in the confidentiality of our conversations on our mobile phones. There are still places, though, where that’s not the case: in those areas mobile phone calls aren’t encrypted at all. When we use a phone there we don’t bother to check whether the communication is encrypted; we just assume it is. This can lead to serious problems. It also turns out that the encryption in our regular phones may not be as strong as many people think.
This was demonstrated in early February this year, when a couple of careless US State Department officials were eavesdropped on while discussing events in Ukraine. The leaked discussion was, at the very least, embarrassing.
Things are even a bit worse than that. Older GSM (Global System for Mobile Communication) systems use a fairly weak encryption system that can reportedly be broken in seconds in some cases. Newer 3G and 4G systems are more secure; you can read about that elsewhere. I also talked about a related vulnerability some time ago, and I wrote specifically about phone eavesdropping at the end of 2013.
But there is a bigger problem. We trust other systems to be secure when they may not be. If we think our phones are secure, we think all phones are secure. Likewise if we think our mobile phone is secure, we tend to think all mobile phones are secure. Similarly, if we think our PCs are secure we tend to think all the computers we use are secure. We trust email to be secure, too, even though we know it’s not. This is human nature, but it can have serious consequences as the example above shows.
People get complacent. We are also trusting. Remember when older, analog handheld cordless home phones could be picked up on baby monitors? People would report hearing all about the neighborhood scandals. But few people changed their habits, because they trusted “phones” to be secure. Now that phones are digital and there is some encryption, we trust our phones to be secure.
There are two things we need to do: 1) remind our users often that most phones and other communication channels may not be as confidential as they assume (although there are phones with strong encryption), and 2) make the effort to encrypt all confidential data, including mail, data files (data at rest), phone calls, data traversing networks (e.g. with scp), backups and so forth.
In Learning Tree Course 468, System and Network Security Introduction, we discuss this, of course. Strong encryption and well-secured keys are critical to protecting confidential information. Keeping users aware of threats is critical, too. We can deploy strong protection, but if users don’t use it or actively circumvent it, it’s not very good protection. And if users aren’t aware of the threats and how to use the countermeasures, those countermeasures aren’t very useful either. A good plan that people actually follow is essential for securing any organization.
Rather than ask you to share in the comments below where you use encryption and where you don’t (which could clearly expose vulnerable areas to attackers), instead let us know what you’d like to hear more of in the area of system or network confidentiality.