Our choices for more secure and confidential communications

Why are we changing our phone service?
We have for several years used a Skype telephone service to receive general voicemails. However, since last fall, we have had continual issues keeping that service functioning.
Recently, for example, we learned that calls we made to the service went to voicemail, consistent with our longstanding program preferences. However, others who called the Skype business number would quickly get a busy signal. They would not be rolled over to voicemail. Why this has occurred remains unexplained and unresolved, since we have other Skype accounts with the same preferences, that continue to operate without problem.
This situation has raised the question as to how easy is it to perform denial of service attacks on Skype phones.
The answer is that it is easy if someone gets your Skype IP address. One proposed solution is to obtain a new Skype account and then allow only your known contacts to see it. However, software exists to still get the IP address from a Skype name.
A more general question is how resistant Skype phones are to attacks, and whether the communications are reasonably secure. As we often note to others, one of our first assessments of digital communication security is to determine whether a communication method is HIPAA compliant. HIPAA is a U.S. federal law setting standards for the protection of patient information.
With respect to Skype and HIPAA compliance, it has been noted by the American Psychological Association (APA) that Skype has several potential deficiencies:
By Legal and Regulatory Affairs staff ...
Skype does use encryption, a factor related to HIPAA Security Rule compliance. Even so, that factor alone does not accommodate HIPAA requirements.
The use of Skype raises several concerns related to HIPAA. ...
 Security Rule compliance requires that covered entities use technologies that include:
  • Audit controls, which are mechanisms for monitoring who is accessing ePHI..
  • Breach notification tools, which are means of alerting users when there is an unauthorized disclosure of or access to ePHI.
Skype does not appear to offer any audit control or breach notification tools to alert you if there has been an unauthorized disclosure of ePHI.
Some organizations recommend not using Skype and similar Web-based platforms because of concerns related to HIPAA requirements. The bottom line: If you opt to use Skype to communicate with patients, be aware of the risk that HIPAA rules may be violated.
The threat is not just one of Skype's operating blindly. Last month, it was noted that:
“Researchers found a complex backdoor malware [T9000] which targets Skype, capturing video, audio, and chat messages as well as grabbing screenshots and stealing files, before sending the data back to the attacker.”
Finally, the following email subject line we received with respect to our Skype account renewal might summarize our experience with Skype best:
Skype claim of success is highly misleading - Not well written - Screen shot 2016-03-27 at 2.50.33 PM
The subject line was truncated on the screen of a cell phone. As it turned out, the “success” it seemed to announce was anything but that: when opened, the message stated that the Skype account had been “successfully” canceled.
We have chosen Signal for our primary phone and text contact method
We have been using Signal for iPhone and its complement for Android phones, Text Secure and RedPhone, for quite some time with those who work with us. We believe, based primarily on the studies of others, e.g. see this EFF report, that Signal has many of the security and confidentiality features we seek. (So does Silent Phone/Silent Text, which we have also used for several years.)
In short, EFF reported with respect to Signal / RedPhone: 
Encrypted in transit?: Yes
Encrypted so the provider can’t read it?: Yes
Can you verify contacts’ identities?: Yes
Are past communications secure if your keys are stolen?: Yes
Is the code open to independent review?: Yes
Is security design properly documented?: Yes
Has the code been audited?: Yes
Link:
https://whispersystems.org/blog/signal/
Now that a unified Signal app has been produced for Android phones, it should be just as easy to set up for text and calls as for iPhones. And it is free.
One particular question we get most often about Signal is whether it will protect the identity of those communicating, and not only the contents of the communications.
We put that question directly to Open Whisper Systems (OWS), the entity which produces Signal, who responded:
“Signal sends hashed phone numbers for message contact discovery and uses encrypted bloom filters for calling contact discovery. Names and other contact details are never transmitted, and the information is not stored on our servers. What will be seen is that you are contacting our servers, and the frequency in which you contact our servers.”
So a powerful entity could in theory produce a list of phones contacting the OWS servers to use Signal. From there, identities of those communicating might be deduced from timing and other considerations. Also, like Tor, OWS has received U.S. government funding. But of course, so have many of the people with whom we communicate. We keep our threat model to legal defense firms and the hackers that they may employ. As mentioned earlier, we believe that digital communications products should at a minimum be HIPAA compliant for use in whistleblower and legal cases.
For more on Signal's security and confidentiality, see here.
The bottom line is that we believe Signal (and Silent Phone/Text) are much better than alternatives like Skype, particularly if the “opponent” does not have significant influence over a nation-state.

Nick and Rob

Nick has been working for a decade in network security with multiple SANS certifications, including in forensic analysis and incident handling. He is also a certified pen tester. Rob studied network security at HUST and is CompTIA Security+ certified.

More Posts

Posted in featured, recommendations.

Leave a Reply

Your email address will not be published. Required fields are marked *