Communications security lessons from top cyber incident responders at IR17

Chris Howell, Wickr CTO

IR17 Conference, Washington DC

For the past few years, my team has been building tools to enable completely private end-to-end encrypted and ephemeral communication for organizations sharing highly sensitive business information. Last week, I got to test my own assumptions and share insights with over 400 top cyber incident responders (IR) who came together to talk about getting ready for compromise.

Here are a few takeaways:

  • You can’t fight a fire with a burning fire truck: there is no use in running an incident investigation on the same network that is already compromised.
  • Responders understand the need to be self-reliant – you can only count on the tools you bring to the incident.
  • The most effective responders are those who have plans in place to communicate securely long before there is an incident, so when the time comes, you aren’t scrambling to get everyone to an out-of-band channel.

Many of us in the information security space have known for decades that there’s no such thing as 100% security and it is better to prepare for the emergency today than wait until it actually happens. The ongoing avalanche of massive data breaches is beginning to drive that point home for everyone else. It infinitely improves your chances to mitigate the incident when your team knows the drill far in advance and has all necessary tools in place before it happens. Ironically, the knowledge sharing at IR17 took place against the backdrop of one of the largest breaches of personal information in the US to date. Talk about the importance of IR foresight…

So what separates an effective response from horror scenarios we all have seen unfold in the news?

Sharing sensitive information during incident response: how & where

Panel on Secure Communications during Incident Response at IR17

The aspect of incident response I have long seen as critical is protecting sensitive conversations and information to avoid detection by an adversary on a compromised network.

The information security community has long recognized the importance of sharing intel (network attack signatures, malware signatures, attack vectors, timing, source correlation, etc.) across corporate boundaries and is actively exchanging insights to improve defenses against common threats. But how do you ensure that your team’s investigative progress and operational chatter are not accessible to an adversary, particularly before you know exactly what systems are compromised?

With 80% of corporate IP still shared via mainstream insecure communications tools, the exact target of attackers, the IR experts agreed that it’s essential to direct all sensitive communications around incident response to an out-of-band secure channel away from desktops running on internal corporate networks.

“If at any point the team considers their phone, laptop, email, SMS, or other means of communications to be compromised — they should practice good judgement about what is transmitted, and make a best effort to communicate ‘out of band’ of any adversarial eavesdropping.”

— Ryan McGeehan, IR Expert

Source: Starting Up Security

Any IR information you would rather share in a face-to-face conversation or a secure phone call should only be shared via encrypted ephemeral channels to ensure effective cyber incident response.

State vs. non-state attacks against communications systems

Another interesting aspect that came up frequently among IR experts last week is how pilfered communications are being weaponized in ways for which few traditional IR strategies were prepared.

While state and non-state attackers may have access to the same tech for offense/defense, the depth of resources available to nation states now translates into their ability to be far more patient and persistent than the adversary we were all trained to face in the private sector. In addition, it used to be that the motivation behind attacks against sensitive corporate communications was to steal trade secrets or gain business advantage, which of course is devastating. However, the attacker pool was limited and the incident would generally run its course entirely under the radar. Today, the motivation behind these attacks is increasingly political, aimed more at making a company/organization/country look bad than at gaining competitive advantage.

With so many causes and emotions to play on, cyber incidents are now amplified by countless media outlets taking stolen communications public, so a single unfortunate statement taken out of context can do incredible damage to a brand or organization.

So aside from having a robust PR strategy, what are the ways to protect your company from becoming a victim of attacks against stored communications? For many in the IR community, the answer is simple – what isn’t there cannot be compromised. 

Countless breaches of corporate, political, and personal communications are all part of the same problem – we collectively store too much information that is either too sensitive to retain or completely useless to spend resources on securing. Businesses willingly expand the attack surface by building a massive database of high-target customer and corporate information that is impossible to secure with 100% certainty.

The most reliable path to regaining power is to rethink how you treat sensitive data, including IR communications, so that no one, including your service providers, can access, monetize, or compromise your conversations and sabotage your team’s IR efforts. Ephemerality must become a norm for enforcing strong security hygiene over valuable business information, so that no message between your team members lives beyond its useful life and remains accessible to an adversary.


Interested in learning more about Wickr Pro for your incident response team? Reach out to Wickr deployment experts here.

Wickr Me Update: Granular expiration & BOR controls for each message

Thanks for using Wickr Me and sharing your feedback with us! Please keep it coming here.

In today's release of Wickr Me, we are introducing major improvements to expiration and burn-on-read (BOR) settings requested by our users:

  • Ephemerality settings (Exp. & BOR) are moved down to the side of the text box (where they used to be prior to the recent update)

  • Larger number of Expiration and BOR options

  • Added custom option for Expiration and BOR timers.

More new and old features and improvements are coming! Stay tuned👍

Wickr Me Private Messenger: granular expiration & burn-on-read settings for each message and conversation

Wickr Pro & Wickr Plus Update: contact finder, message recall, and group management

Wickr Pro & Wickr Plus Update: Private collaboration platforms for team and enterprises

By Randy Brumfield, Head of Customer Success at Wickr

We are passionate about building tools to help you to collaborate in the most secure way possible. I hope the updates we released today will make it easier for your team to do just that🔒
 
 

Today’s Wickr Pro and Wickr Plus updates include some great changes to how you can find friends and colleagues on your respective Wickr apps, recall messages that are already sent and leave group conversations.

Before I dive into the details on new features, I wanted to thank our growing community for continuously sharing your feedback with us: you are directly influencing which features come next to Wickr private collaboration apps across all platforms. 👏

So here are the new cool things available today in Pro and Plus:

ID Connect (Optional):

To enable your contacts to find you on Wickr Pro or Wickr Plus, you can securely associate your phone number with your Wickr ID. Wickr never stores or has access to your information.

Contact Finder (Optional):

To find friends and colleagues on Wickr Pro or Wickr Plus, you can enable access to your device’s contacts for Wickr, in which case the app will securely check if any of your contacts are on Wickr Pro / Wickr Plus. Wickr neither stores nor has access to your contact list.

Find friends and colleagues on your Wickr app and start communicating securely and sharing files in an end-to-end encrypted environment with ephemerality controls at your fingertips.


Local custom names for Wickr contacts:

You can assign custom names to the colleagues you communicate with on your Wickr app so you can find them more easily in your contact list and when using @mentions.


Recall Message:

Recall a message after it was sent. Messages will be deleted from all devices of all participants in a Secure Room, Group or 1:1 Conversation as soon as they are online.


Delete Message:

You can now delete a message from your devices, locally. This will not affect messages on the recipients’ devices.

Leave Network:

You can leave your current Network at any time if moving onto another team or company.

Finally, a few minor branding changes are in for Wickr Plus (Wickr SCIF in its previous life😊).

As always, we welcome your feedback and please remember to update your Wickr apps.

Have questions for Wickr support? Head here>>

Wickr Me Private Messenger: update & what's coming next

Thanks for all the support and patience.

By now, most of you are on the new version of Wickr Me, our private messenger. We are thankful for the feedback. WE HEAR YOU and you are directly influencing what comes next to Wickr products. You will see new features on a regular basis AND we are using your feedback to prioritize.

Adopting Ephemeral Technology In the Workplace

By Jennifer DeTrani

General Counsel // Wickr


One of the best things about my job is experiencing first-hand how the secure ephemeral communication technology we build helps customers across industries and governments solve critical problems that they face daily. Whether it’s a law firm communicating on an M&A transaction, a media company protecting high-value client assets, or an incident response team dealing with real-time threat intelligence sharing, the need for a secure communication channel is a high priority for all.

Here at Wickr, we love to support our partners in understanding the role that tools like Wickr Pro can play in helping their organizations seamlessly transition into ephemeral operations and away from the data hoarding practices of yesteryear. The first step is always to start with understanding exactly what information security, communications, and retention requirements currently exist. Once it is established that there are credible business and security objectives that are effectively served by deploying ephemeral messaging – to either secure critical communications or disgorge communications that don’t need to live forever – Wickr Pro quickly becomes the solution of choice.

 

I am pleased to share a new white paper authored by credible voices in the legal community focused on addressing ephemeral communication tools like Wickr as a way forward for organizations who take information security seriously. Warning: side effects may include significant improvement in information security and reduction in electronic discovery and data storage costs.

Announcing Wickr Me update: New Features, Open Crypto Source Code & Enhanced Privacy

Last updated: August 12, 2017

WHAT: Today we’re announcing an upcoming Wickr Me update: new crypto protocol, stability and usability fixes and many more changes.

WHEN: The Wickr Me update is now available in app stores and on the Wickr website for desktop.

HOW: You need to update the Wickr Me app on all devices and log in using your Wickr ID and password. Your contacts will be in the new app; however, any previous messages will not be carried over to the updated app.

IMPORTANT!!! There is no password reset on Wickr Me – we don't know who our users are, which prevents us from verifying users to reset their password.

Please ensure you remember your password; without it, you will not be able to log in to Wickr Me. If you use TouchID on your phone, we recommend trying to log in to your account via a secondary device to ensure you indeed have the correct password. Please see below for further details:


YOU KNOW YOUR WICKR ID & PASSWORD.  HOORAY!!!


  • Make sure you DO remember your Wickr ID so you can use it to login to your account once Wickr Me is updated. Here is where to find it IF YOU ARE CURRENTLY LOGGED INTO YOUR APP: Settings > General > Account: at the top of the screen.
  • MAKE SURE you DO know your Wickr Me password. You will have 10 attempts to login before you are locked out of your account for 24 hours.
  • If automatic updates are enabled on your devices, Wickr Me will do its work and upgrade.
  • If you don’t have auto update enabled, you will need to update HERE.
  • Login to updated Wickr Me. You will see your contacts; no past conversations will be available.
  • Send messages – you are back in touch with your important contacts on Wickr Me. Enjoy your privacy!

You forgot your password…Don’t worry!


  • If you are certain you don’t have your password, avoid throwing your phone – we got ya!
  • If you use TouchID on your phone and are currently logged in, write down the Wickr IDs of your most important contacts so you can connect with them from your new account. 
  • Create a NEW Wickr ID and password and please remember your new login/password.
  • Update your Wickr Me app across all your devices by visiting this download page.
  • Login to Wickr Me using your NEW Wickr ID and password.  You will NOT see your old contacts.
  • Reconnect with the important contacts you had on your old Wickr Me account, the ones you wrote down before creating a new Wickr Me ID.  You are back in touch with your friends on an updated Wickr Me. Enjoy!

Important Facts

Messages to users who have not updated will not be sent:

  • When you attempt to initiate a message from the updated Wickr Me to a user who HAS NOT updated their app, you will see a notification that the intended recipient(s) have not yet upgraded. You won’t be able to communicate with users on the older version of the app.
  • However, to make the transition easier for users who have not yet updated, when you attempt to initiate a message from a newer version, we will do our best to ensure that they receive a notification that someone is trying to contact them on a new Wickr Me so they should update.

Wickr ID Connect & Contact Finder:

If you choose to use the ID Connect and Contact Finder features, your device contacts who are on Wickr Me will populate in your Wickr contact list, and those who know your phone number will be able to find you on Wickr Me as well. These features are optional, but they may be helpful to you in reconnecting with your contacts during the update. You can always turn them off later. Wickr never stores your address book on its servers – see more details in our Privacy Policy.

Key Verification

  • If you use key verification, you will have to re-verify your contacts.
  • Video key verification will take a more prominent place through UI/UX enhancement. SMS and email as other methods of verifying contacts will not be supported at this time in Wickr Me. Learn more about key verification here.

SECURITY & PRIVACY ENHANCEMENTS

We are beyond excited to share the progress we have made in applying the updated Wickr Messaging protocol (published on GitHub and documented here) to large group conversations, secure file transfer, and device security.

First off, the upgrade in the crypto protocol significantly improves the efficiency of key management for group conversations. A significantly lighter and faster protocol, wickr-crypto-c enables scalable, strong perfect forward and backward secrecy (PFS/PBS) and ephemeral collaboration for Wickr Me users. This update lets users easily join and leave groups, making group chats dynamic while maintaining the same level of security, including end-to-end encryption (e2e) and PFS/PBS.

The design of the Wickr Messaging protocol has been vetted by top security researchers, including Wickr’s own advisors and 3rd party auditors. You can learn more about Wickr security here.

In a nutshell, the privacy and security of user content and accounts is enabled by the following:

  • Account data is protected by scrypt to harden against off-line dictionary attacks;
  • Message data is protected by AES-256 GCM and signed using ECDSA with Elliptic curve P521;
  • Message keys are exchanged using ECDH with Elliptic curve P521 and HKDF; 
  • SHA512 is used as a hashing function for security critical operations.
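
The primitives in the list above, composed into one round trip (key agreement, encryption, signing, then verification and decryption) with the built-in Node.js crypto module. This is an added example, not Wickr's code and not the Wickr Messaging protocol; the message layout, function names, scrypt parameters and HKDF info label are assumptions.

```javascript
// Added example, not Wickr code: message layout, function names, scrypt
// parameters and the HKDF info label are assumptions made for illustration.
const crypto = require('node:crypto');

const CURVE = 'secp521r1'; // OpenSSL name for NIST P-521

// scrypt stretches a password into a 256-bit key so that every offline
// dictionary guess costs memory and CPU (N = 2^15, r = 8, p = 1 here).
function accountKey(password, salt) {
  return crypto.scryptSync(password, salt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Long-term ECDSA identity key pair on P-521.
function newIdentity() {
  return crypto.generateKeyPairSync('ec', { namedCurve: CURVE });
}

// ECDH key pair on P-521; the sender creates a fresh one for every message.
function newEcdh() {
  const ecdh = crypto.createECDH(CURVE);
  ecdh.generateKeys();
  return ecdh;
}

// ECDH shared secret -> HKDF with SHA-512 -> 256-bit AES key.
function messageKey(ownEcdh, peerPublic, salt) {
  const shared = ownEcdh.computeSecret(peerPublic);
  return Buffer.from(
    crypto.hkdfSync('sha512', shared, salt, 'example message key', 32));
}

// Encrypt with AES-256-GCM, then sign header + ciphertext + tag (ECDSA, SHA-512).
function seal(plaintext, senderIdentity, recipientPublic) {
  const eph = newEcdh();
  const ephemeralPublic = eph.getPublicKey();
  const salt = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce; the key is single-use
  const header = Buffer.concat([ephemeralPublic, salt, iv]);
  const cipher = crypto.createCipheriv(
    'aes-256-gcm', messageKey(eph, recipientPublic, salt), iv);
  cipher.setAAD(header); // bind the header to the ciphertext
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  const signature = crypto.sign('sha512',
    Buffer.concat([header, ciphertext, tag]), senderIdentity.privateKey);
  return { ephemeralPublic, salt, iv, ciphertext, tag, signature };
}

// Check the sender's signature first, then decrypt; GCM rejects a bad tag.
function unseal(msg, senderPublicKey, recipientEcdh) {
  const header = Buffer.concat([msg.ephemeralPublic, msg.salt, msg.iv]);
  const signed = Buffer.concat([header, msg.ciphertext, msg.tag]);
  if (!crypto.verify('sha512', signed, senderPublicKey, msg.signature)) {
    throw new Error('signature check failed');
  }
  const decipher = crypto.createDecipheriv('aes-256-gcm',
    messageKey(recipientEcdh, msg.ephemeralPublic, msg.salt), msg.iv);
  decipher.setAAD(header);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed round trip between two parties.
function demo() {
  const alice = newIdentity();
  const bob = newEcdh();
  const msg = seal('rotate the VPN credentials', alice, bob.getPublicKey());
  return unseal(msg, alice.publicKey, bob);
}
```

Because the sender's ECDH key pair is discarded after `seal` returns, the sender cannot later re-derive the message key; the recipient's key pair would need the same rotation to give the recipient side that property.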

As always, no phone number or email address is required to communicate on Wickr Me. Unlike any other secure messenger, Wickr Me users are anonymous to us; we collect no metadata and know nothing about the content of your communications.


NEW FEATURES

We are bringing the most requested features to Wickr Me: file transfer, message recall, Touch ID for Android, enhanced UI/UX for key verification and expiration settings. Learn more about these and other new features here.

Wickr will now deliver updates and new features to Wickr Me and Wickr Pro on the same release cycle. This will promote product stability and improve our ability to service the app across all platforms. Please share your feedback here in the event any of the above features are important to your use case.

Secure file sharing: With this update, files of any format, up to 10 MB, can now be shared via Wickr Me. On desktop, you can simply drag and drop a document or a photo to send it end-to-end encrypted with a set expiration timer. This feature supports collaboration and maximum data hygiene for parties who trust each other. If you do not trust the person you’re talking to, do not open files coming from them or send them photos/files you do not want to be saved.

Expiration settings: Wickr Me users will have more visible and granular message retention controls via the expiration time and/or burn-on-read time. You can control these settings for both 1:1 conversations and group chats.

Message recall: In addition to messages being ephemeral by default, Wickr Me users can now recall a message after it was sent – it will be deleted from every device participating in a conversation as soon as they come online.

Mentions: To manage notification noise, you can use your settings to turn off notifications globally or turn them on only for messages directed to you.

Group Management: You can now leave a group conversation at any time.


USER FEEDBACK

Some features are not available in this Wickr Me update, including those least requested by our users. Please share your feedback here to help us prioritize the features to come next to Wickr Me. WE MEAN IT, YOUR FEEDBACK IS VERY IMPORTANT TO US, SO PLEASE LET US KNOW WHAT FEATURES YOU WOULD LIKE TO SEE IN FUTURE RELEASES OF WICKR ME.

Wickr Me features that will not be supported at this time include:

  • Screenshot notifications on iOS;
  • Message locks;
  • Tap & Hold Image or Video to view;
  • Conversation names;
  • White list;
  • Doodles & stickers;
  • Multi-language support: more languages will be added in the coming months;
  • Voice messages;
  • View-only images.

WICKR PROMISE

As always, Wickr is committed to building the best security and user experience across our private communications tools. With this update, Wickr Me will move to the same regular update/release cycle as the rest of our business collaboration products to ensure that new features and privacy enhancements are available to all Wickr users. Wickr Me will continue undergoing regular security audits both internally and by independent 3rd party security research teams. Finally, as was recently recognized by the Electronic Frontier Foundation, Wickr Me will remain committed to transparency and protecting user privacy.

Secure conference calling is finally here

WICKR ANNOUNCES ENCRYPTED GROUP CALLING, VIDEO CONFERENCING & FEDERATION FOR WICKR PRO USERS

Joel Wallenstrom, Wickr CEO

Today, we are releasing our beta end-to-end encrypted calling and video conferencing for select Wickr Pro Networks. This is a significant step forward for secure collaboration among teams sharing valuable information and making high-stakes decisions, including incident response or sensitive business negotiations like mergers and acquisitions.

Joël Alwen, Cryptographer at Wickr: “For the first time we no longer have to choose between the powerful security and privacy benefits of forward secret end-to-end encryption and the convenience of conference calling.”

While one-on-one encrypted calling is offered by a few messaging apps, Wickr is the only platform enabling secure group conferencing with perfect forward secrecy between federated private networks. If your company has its own Wickr Pro Network, you can now launch conference calls while keeping control over your privacy.

Key Verification in Secure Messaging

Or how can I know you are who you say you are?

By Joël Alwen

There are many things cryptography solves when it comes to ensuring the integrity and privacy of user connections, from protecting the content of communications so only intended recipients can decrypt them to authenticating the parties to multi-actor transactions. One of the coolest things crypto enables is ensuring that a person I think I am talking to is exactly who I think it is, even if they are thousands of miles away and I’ve never met them. I want to share our thinking about key verification design and the ways we implement it to help our users across Wickr apps authenticate their contacts.

The Bit-Security of Cryptographic Primitives

By Joël Alwen, Cryptographer

As the Wickr community continues to grow, our engineering & crypto teams are developing new tools and techniques to protect user information while continuously improving our existing security architecture. One of the core concepts that we work with is “bit security,” which refers to the order of magnitude of the amount of resources needed to break a crypto primitive’s security.

In this post, I’ll share a quick overview of the bit security of several common generic types of cryptographic primitives as well as a few specific examples used by the Wickr protocol and why they were chosen by our team.

Contact Discovery, ID Policy & Anonymity

Secure messengers have long wrestled with how to balance the contact discovery process with protecting both the privacy of users’ identity and their contact lists. Each product team makes its decisions on how to design its apps based on the security and business models at the product’s core. Often, the choice is about balancing user privacy/anonymity against growth opportunities for the user base. Obviously, such choices are never easy, nor can they be made lightly.

Wickr's Core Crypto Goes Public

At Wickr, we build world-class communications products that must scale and be hardened against a wide range of sophisticated attacks. In doing so, it is critical that our crypto design and code are easy to review and are vetted by our peers.

Wickr has actively engaged the security and crypto communities to test and scrutinize our software and design decisions. No Wickr product goes to market without extensive scrutiny by our Advisors and best-in-the-industry 3rd party security teams.

Today, we are excited to open Wickr’s core crypto protocol on GitHub for public review. We also published a short technical white paper to serve as an aid to those who wish to audit the source code.

Positive Lessons to Learn From the Public 'Frenzy' Over WhatsApp's Security

While many of us did not need an event like this to motivate us to build strong security, let’s hope that more and more product teams will now have a better understanding of how and why key exchange must be handled with caution and care, and also that design decisions must take into account potential attack vectors and the policy consequences of these decisions.

The Rising Cost of Storage: Why Data Should Not Live Beyond Its Useful Life

Imagine a team detecting the signs of a data breach within a global network, or a multinational company launching a new product in a competitive, and possibly hostile, new market. As a security professional, I know these teams need a safe, uncompromised channel of communications they can trust to act, collaborate, and share real-time information.

To Peace, Love and Managing a Bug Bounty

It was bound to happen someday, right? “If you manage a bug bounty program long enough,” said a friend to me almost three years ago when Wickr was preparing to announce its program, “there will inevitably come a day when you are criticized for the way you manage it.” I laughed it off at the time, deep down fearing she was right but convinced that I could make it different.

Wickr's Commitment to Data Security

A national debate has erupted over the recent U.S. District Court order in which the U.S. government is trying to compel Apple Computer to unlock the iPhone at the center of an ongoing investigation.  Looking beyond the specific assertions by parties to the case, there is a broad set of issues caught between the headlines:  individual privacy rights, the state of encryption technology, and the rights and responsibilities of companies that develop encryption software.  

The State of Cyber Affairs: The Case For Universal Encryption

This fall has been rich in cyber security and privacy news, both domestically and internationally. The U.S. – China cyber agreements announced by President Obama and President Xi Jinping are an important first step in addressing bilateral tension over the growing number of cyber attacks against American companies. Around the same time, the long-fought national debate over government-mandated backdoors into encryption technology was defused by the Obama administration’s decision not to seek legislation to force companies to decrypt user data. Neither of these significant developments comes in a vacuum; both are intimately connected to the broader issue of re-building trust between businesses, governments and online citizenry while strengthening the security of national and global economies against criminal attacks.