Virtru Email Encryption – Web-based email can be easily encrypted

Since former NSA contractor Edward Snowden began divulging information on how vulnerable our personal digital data is – and how much of it security organizations have been helping themselves to – the average web surfer has begun to think a bit more cynically about cyber security. That newfound suspicion creates a headache and a PR-fiasco for the NSA but opens doors for entrepreneurs in the world of online privacy.

Two such entrepreneurs are brothers Will and John Ackerly. The Ackerlys and their startup venture, Washington D.C.-based Virtru, are two weeks into the launch of a product that lets internet users encrypt any and all of their emails for free. Unlike competitors, the service acts as an add-on to your web browser and does not require the email recipient to have signed up for the service. That feature alone makes Virtru notable.

What sets it apart from a lot of encrypted communication tools is the integration of its encryption technology directly into webmail services such as Gmail and Yahoo. They have created a simple system that requires little technical know-how.

There is no shortage of privacy and security products out there but most users, while concerned about the privacy of their personal information, have not taken action because they don’t know where to go.

Here’s how it works:

Download Virtru as a Firefox add-on and a mobile app. On Firefox, each new email contains a small unobtrusive switch on the top right corner of the message window which turns encryption on (yes, it is opt in). Press “send” and Virtru encrypts the contents on your device with standard AES 256, then sends it to the recipient but separates the encryption key from the message. The recipient does not need to have downloaded Virtru to get the key but does need to confirm his or her identity by email address. Virtru holds the key to that decryption process and won’t fork it over without verification.  They also have a firewall that makes sure that every keystroke that you type inside the compose window never gets to the server. Normally every single keystroke is recorded and sent to Google servers when using Gmail.

On a smartphone, the user can send emails via the Virtru mail app, which links to, say, a Gmail app, but only after verifying their identity on the device. Other free services include the ability to control whether your recipient can forward your message and the power to revoke access to the message after a chosen period of time.
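The flow described above (encrypt on the device, keep the key apart from the message, release it only to a verified recipient, allow expiry and revocation) can be modelled in a few lines. This is an added example, not Virtru's code: the `KeyServer` class, the function names, the addresses and the choice of GCM as the AES-256 mode are all assumptions made for illustration.

```javascript
// Added example: constructed model of the flow above, not Virtru's code.
const nodeCrypto = require("node:crypto");

// Hypothetical in-memory key server: holds each key plus its access policy.
class KeyServer {
  constructor() { this.policies = new Map(); }
  store(key, recipients, expiresAt) {
    const id = nodeCrypto.randomUUID();
    this.policies.set(id, { key, recipients: new Set(recipients), expiresAt, revoked: false });
    return id;
  }
  revoke(id) {
    const p = this.policies.get(id);
    if (p) p.revoked = true;
  }
  // verifiedEmail is assumed to come from a completed email-address check.
  release(id, verifiedEmail, now = Date.now()) {
    const p = this.policies.get(id);
    if (!p || p.revoked || now > p.expiresAt) return null;
    return p.recipients.has(verifiedEmail) ? p.key : null;
  }
}

// Sender: encrypt on the device; the envelope carries a key id, never the key.
function sealMessage(server, plaintext, recipients, ttlMs) {
  const key = nodeCrypto.randomBytes(32); // AES-256 key
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  const keyId = server.store(key, recipients, Date.now() + ttlMs);
  return { keyId, iv, ct, tag: c.getAuthTag() };
}

// Recipient: obtain the key after verification, then decrypt locally.
function openMessage(server, env, verifiedEmail, now) {
  const key = server.release(env.keyId, verifiedEmail, now);
  if (!key) return null; // unknown id, wrong recipient, expired or revoked
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, env.iv);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.ct), d.final()]).toString("utf8");
}
```

Because the mail provider only ever stores the envelope, revoking or expiring the policy on the key server is enough to make an already delivered message unreadable.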

Email encryption is free (“and it will always be free,” according to the company) but they have formulated a revenue model consisting of soon-to-come paid features like attachment security, domain-level enterprise data management platforms, as well as the licensing of their technology to organizations that want to manage their own security keys.  The fees themselves have yet to be determined but will be announced in the second quarter.

So far Virtru has launched its email privacy product as an add-on to Chrome, Firefox and iOS. In the coming weeks compatibility will spread to Internet Explorer, Safari and Android, as well as plugins for Outlook and Mac Mail.


Self-Encrypting Drives: The Evolution of Encryption

Self-encrypting devices (SEDs) have garnered little attention from those outside the information security industry. Although SEDs solve many problems such as data loss and performance issues, many organizations do not use or understand the technology. What is a self-encrypted hard drive? The drive itself protects the data, with either 128-bit or 256-bit AES keys that are stored in the drive itself – the encryption keys are generated within the drive, so there are no keys to lose. The keys never leave the drive.

There’s the media encryption key that encrypts the data, and the authentication key that is used to unlock the drive and decrypt the media encryption key. Without the authentication key, there is no media encryption key in the drive at all. You create the password, then the only way to get back onto the drive–and to the data that’s on the drive–is with the password (or passwords) you set up.

The three main benefits of Self-encrypting devices are:

  1. They replace software-based encryption, which can be expensive and negatively impacts device performance, and make it easy to manage and control authorized users and authentication methods.
  2. Significantly reduce the time IT spends on configuration, maintenance, and encryption key management.
  3. There is no complication or performance overhead, unlike disk encryption software, since all the encryption is invisible to the operating system and the host computer's processor.

Hard drives and solid state drives (SSDs) based on the Trusted Computing Group's standard now offer built-in self-encryption. The key difference with these next-generation encrypted drives is that the encryption is integrated into a single chip in the drive.

Securing data storage is especially important for small businesses, due to legal specifications that require companies to report breaches, and to maintain data for long periods of time for accountability purposes.

When it comes to Hardware Full Disk Encryption, there are two main use cases: Data At Rest protection and Cryptographic Disk Erasure. In Data At Rest protection, a laptop is simply closed, which powers down the disk. The disk now self-protects all the data on it. Because all the data, even the OS, is now encrypted with a secure mode of AES and locked from reading and writing, the data is safe. The drive requires an authentication code, which can be as strong as 32 bytes (2^256), to unlock.

When a Cryptographic Disk Erasure command is given (with proper authentication credentials), the drive self-generates a new media encryption key and goes into a ‘new drive’ state. The old data has become irretrievable. Unlike other forms of sanitization, this action takes a few milliseconds at most, so a drive can be safely repurposed very quickly.
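The key hierarchy and the two use cases above can be seen in a small software model. This is an added example, not drive firmware or any vendor's code: `ModelDrive`, its methods, the scrypt key derivation and the use of AES-256-GCM are assumptions chosen so that a wrong key fails visibly.

```javascript
// Added example: constructed software model of an SED key hierarchy.
const nodeCrypto = require("node:crypto");

// AES-256-GCM helpers (the mode is an assumption; real drives differ).
function seal(key, data) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(data), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, box) {
  try {
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, box.iv);
    d.setAuthTag(box.tag);
    return Buffer.concat([d.update(box.ct), d.final()]);
  } catch {
    return null; // wrong key or missing sector: nothing is returned
  }
}

class ModelDrive {
  constructor(password) {
    this.salt = nodeCrypto.randomBytes(16);
    this.mek = nodeCrypto.randomBytes(32); // media encryption key, made in the "drive"
    this.wrappedMek = seal(this.authKey(password), this.mek);
    this.sectors = new Map();
    this.lock();
  }
  authKey(password) { return nodeCrypto.scryptSync(password, this.salt, 32); }
  lock() { this.mek = null; } // power-down: only the wrapped MEK remains
  unlock(password) {
    this.mek = open(this.authKey(password), this.wrappedMek);
    return this.mek !== null;
  }
  write(n, data) { this.sectors.set(n, seal(this.mek, Buffer.from(data))); }
  read(n) {
    const out = this.mek && open(this.mek, this.sectors.get(n));
    return out ? out.toString() : null;
  }
  cryptoErase(password) { // requires authentication, as described above
    if (!this.unlock(password)) return false;
    this.mek = nodeCrypto.randomBytes(32); // the old MEK is discarded
    this.wrappedMek = seal(this.authKey(password), this.mek);
    return true;
  }
}
```

After `cryptoErase`, the old sectors are still physically present in the model but no longer decrypt, which is why the operation is fast regardless of drive size.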


Pure hardware-based FDE does not have any strong authentication component. It also lacks scalable management, with no central management component.

Hardware Full Disk Encryption is only safe when the computer is off or hibernated. If the computer is stolen while turned on or only suspended, a restart which boots from a USB stick or CD may reveal the data without need for the password, because the user may not be prompted to enter it. Some specific hardware configurations may have additional protection mechanisms to limit this exposure.


Ten Ways to Dodge CyberBullets, Part 7

This is the seventh in a series and is an update to the top 10 things that people can do to protect themselves against malicious activity, which we provided to our clients two years ago.

7. Call for backup

If sensitive information is stored on your hard drive (and if you don’t have something worth protecting on your system, you’re probably not reading this paper), protect it with encryption.

Furthermore, when you copy or move data elsewhere, it’s usually at least as important to protect/encrypt it when it’s on removable media, or transferred electronically. Even if the target storage device is secure from malware or hacking, you also need to be aware of other dangers such as physical risks, transit risks, business-related risks.

Consider (seriously) regularly backing up your data to a separate disk (as a minimum) and, where possible, a remote site or facility. Sounds extreme? Think about it.

You can’t rely on backing up to another partition on the same disk as the original; if the disk dies, the chances are that all partitions will be lost.

You can’t rely on backing up to another disk on the same system. If the system is stolen, or there’s a fire, for instance, then in the immortal words of Tom Lehrer, they’ll “all go together.” In the latter instance, the chances are that you’ll lose your thumb drives, CD-RWs and so on as well.

And if you’re working in a corporate environment, you might want to avoid doing what some of the accounts we took over have done in the past – back up data to a server, but forget to back up the server itself.

Uncle Sam Can Demand You Decrypt Laptop

A Colorado woman argued that surrendering her full-disk encryption password would violate her Fifth Amendment right against self-incrimination, but a judge disagreed.

A judge has ruled that a Colorado woman accused by federal authorities of real estate fraud must surrender a copy of her laptop’s hard drive to prosecutors, even though the drive is protected with full-disk encryption software.

FBI agents had seized three desktops and three laptops during a search of the house where Fricosu was living with her mother and two children. Only one of the computers, a Toshiba Satellite M305 laptop, was protected by full-disk encryption, and agents couldn’t access its contents. Accordingly, prosecutors sought a warrant to search the computer, based on evidence that Fricosu owned it.