Secure Video Conferencing Solution Protects Content and Metadata in Voice and Video Communication
The need for global secure voice and video communication is constantly growing. Whether it’s for corporate intellectual property (IP) being shared between dispersed research centers or legal offices discussing mergers and acquisitions, both content and metadata need to be protected from surveillance.
While the content of video conference sessions is relatively easy to protect with encryption, the metadata remains visible to hackers, governments and agencies.
Metadata (source, destination, timing, location, etc.), and especially patterns of metadata, can support strong inferences about content.
Dispel, a U.S. company formed in 2014 and based in New York, has launched what it calls ‘the first commercially available counter-reconnaissance voice and video system’ that ‘renders live-stream communications impenetrable to metadata-driven surveillance and hacking.’
Dispel, the company told SecurityWeek, takes a new approach to security. Traditionally, companies defend their networks by building bigger and stronger walls, but this approach leaves attackers with a huge advantage: they have time to locate unknown weaknesses. Dispel’s approach is to hide the network and make it transient.
“Enterprises and professionals,” says Scott Crawford, research director of information security at 451 Research, “particularly those stationed in insecure regions and locales, require a secure communications platform that can be trusted, and free-from-surveillance voice and video communication tools for their business needs.”
Metadata is the weak point. Many countries allow their agencies unrestricted access to communications metadata. “Parallel with the increased use of encryption, big data analysis and behavioral inference have become the techniques of choice for technically sophisticated parties attempting to decipher what companies, governments, and persons of interest are communicating, as well as where their assets are located,” comments Ethan Schmertzler, CEO of Dispel.
Dispel promises complete security of communication by first providing the videoconferencing software, and then protecting the content and hiding or neutralizing the metadata. The content of the communication is protected by a combination of SHA-256 with a 4096-bit key, and a 2048-bit RSA key. The metadata is hidden, or dispersed, with a scattergrid approach similar but superior to that used by Tor. Very simply, Dispel bounces the communications between randomly raised virtual machines in and between different cloud providers. These are currently Amazon, Azure (soon), DigitalOcean, Rackspace, SoftLayer and Vultr.
However, the user is able to control that data through the software console, thus never losing its chain of custody. The entire Dispel infrastructure remains under the licensed control of the user, and regulatory compliance can be controlled through geographic specifications. For example, US defense companies could insist that the communications remain within the US; European health or pharmaceutical companies could insist that data remains within the European Union. The user is able to specify the use of the cloud providers and which of their data centers to employ, or leave the system to randomly choose the route from location to destination.
The process leaves no forensic footprint. Firstly, the network (or route) cannot be predicted by an adversary, and secondly it is automatically dismantled on completion. The resources used are subsequently re-provisioned by the cloud provider to other unassociated cloud users.
Two of the major weaknesses of the Tor approach to security and anonymity are also eliminated. Monitoring and timing entry points and exit points is impossible: the traffic looks just like any other encrypted traffic entering and leaving a general-purpose cloud provider. Furthermore, the inherently low speeds of Tor are replaced by enterprise-quality, high-speed cloud communication.
Dispel requires no local agent. It is operated entirely through the browser and is currently supported by Chrome, Firefox, Vivaldi, and Opera on macOS, Windows, Linux, and Android. This makes it particularly easy to use, and suitable for anything from high-powered financial circles to a publisher communicating with a single journalist in a sensitive region.