Myntex is on a
mission to provide the world with fundamental security through mobile
communications. We rely on encryption to ensure the performance of our
technology. Governments that threaten to undermine encryption in the name of
privacy are doing more harm than good.
This is why we
signed an Open Letter by Fight for the Future. The goal is to urge democratic
leaders to defend laws that strengthen encryption to protect us all, rather
than creating policies to open backdoors to surveillance, malicious actors, and
authoritarian abusive regimes.
While proponents
of Bills aimed at protecting the vulnerable online believe encryption is a
threat to law enforcement, it is the mechanism that secures online activity and
without it, individuals, businesses, educators, and the very governments that
seek to break end-to-end encryption would all be at risk of cybersecurity
challenges including unwanted observation and unprotected privacy in a digital
world.
Attacks on Encryption are Attacks on the Right to Privacy
End-to-end encryption lets companies, like Myntex, ensure data and
communications remain private and secure. The only ones who should be able to
decrypt messages or calls are the intended recipients. No one, including law
enforcement, politicians, government officials, or hackers, should have access
to a backdoor; and you cannot grant access to one and restrict another.
These are the
main tenets excerpted from the letter, with links to the referenced legislation:
“The value of this technology in
defending privacy cannot be overstated but is also seen as a threat to law
enforcement who argue that the ability to freely access individuals’
communications is critical for criminal investigations. This messaging has
spurred worrying initiatives such as the Online Safety Bill
in the UK, the
Lawful Access to Encrypted Data Act in the USA, India’s Directions
20(3)/2022 – CERT-In, Bill
C26 in Canada, the
Surveillance Legislation Amendment Act in Australia, as well as the proposed
rules to prevent and combat child sexual abuse
in the EU. These laws aim to take away the right to privacy online by forcing
encrypted services to weaken the security of their users and give law
enforcement access to user information upon request.”
“Everyone
deserves a free and open internet. The Internet must remain inclusive, free,
and fair by providing everyone with unfettered access to online services,
including encrypted services. This enables users to exercise their right to
privacy, their right to engage in private discourse, and their right to hold
those in power accountable by shedding light on human rights abuses,
corruption, misinformation and environmental destruction – something that is
vital to the democratic process of forming public opinion.”
Please take the time
to read the letter, linked below, and ask your organization to endorse it. https://www.fightforthefuture.org/news/2023-05-03-open-letter-protect-our-rights-to-privacy-free-expression-and-press-freedom/
Uber is an app you likely
have on your phone. It’s also an example of what happens when data privacy is
mismanaged. This analysis covers several angles, from employees who don’t take
proper precautions with their personal cell phones (especially important if
your employer lets you BYOD to work), to the need for businesses to safeguard
the customer data they collect. It lends support to the position that employees
are the weakest link in cybersecurity and demonstrates the risk posed by
storing data on third-party servers.
A Series of Unfortunate Events
A major
breach in September was one of 2022’s most significant. A post in the world’s
largest taxi alternative’s newsroom
provided details of the incident.
“An Uber
EXT contractor had their account compromised by an attacker. It is likely that
the attacker purchased the contractor’s Uber corporate password on the dark
web, after the contractor’s personal device had been infected with malware,
exposing those credentials. The attacker then repeatedly tried to log in to the
contractor’s Uber account. Each time, the contractor received a two-factor
login approval request, which initially blocked access. Eventually, however,
the contractor accepted one, and the attacker successfully logged in.” The
breach reportedly compromised the company’s entire network, including internal
databases and their Slack channel. Uber disclosed about 57 million customers’
and drivers’ personal information was stolen by the hacker.
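The login pattern in Uber's account above (repeated two-factor approval requests that are rejected or ignored, followed by one acceptance) can be flagged from authentication logs. The Python below is an added example, not code from Uber or Myntex; the log format, field names, user names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. The line format, field names,
# user names and addresses (RFC 5737 documentation ranges) are assumptions.
SAMPLE_LOG = """\
2022-09-01T02:10:00Z user=ext-contractor result=denied src=203.0.113.50
2022-09-01T02:11:30Z user=ext-contractor result=denied src=203.0.113.50
2022-09-01T02:12:10Z user=ext-contractor result=timeout src=203.0.113.50
2022-09-01T02:13:45Z user=ext-contractor result=denied src=203.0.113.50
2022-09-01T02:15:00Z user=ext-contractor result=denied src=203.0.113.50
2022-09-01T02:16:20Z user=ext-contractor result=approved src=203.0.113.50
2022-09-01T08:00:00Z user=bob result=timeout src=198.51.100.9
2022-09-01T09:00:00Z user=alice result=denied src=192.0.2.14
2022-09-01T09:00:40Z user=alice result=approved src=192.0.2.14
2022-09-01T09:30:00Z user=bob result=denied src=198.51.100.9
2022-09-01T11:00:00Z user=bob result=denied src=198.51.100.9
2022-09-01T11:05:00Z user=bob result=approved src=198.51.100.9
"""

WINDOW = timedelta(minutes=10)  # assumed look-back period
THRESHOLD = 4                   # assumed number of failed prompts that counts as a burst


def parse_line(line):
    """Split one 'timestamp key=value ...' line into (time, user, result, src)."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, kv["user"], kv["result"], kv["src"]


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for bursts of failed MFA prompts and approvals that follow one.

    prompt_burst         -> `threshold` denied/timed-out prompts inside `window`
    approved_after_burst -> an approval while such a burst is still in the window
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # user -> times of recent denied/timed-out prompts
    alerts = []
    for when, user, result, src in events:
        failed = recent[user]
        # Forget failed prompts that have aged out of the look-back window.
        while failed and when - failed[0] > window:
            failed.popleft()
        if result in ("denied", "timeout"):
            failed.append(when)
            if len(failed) == threshold:  # alert once, when the burst is first reached
                alerts.append({"kind": "prompt_burst", "user": user, "src": src,
                               "time": when.isoformat(), "count": len(failed)})
        elif result == "approved":
            if len(failed) >= threshold:
                # The case described above: the user gives in after many prompts.
                alerts.append({"kind": "approved_after_burst", "user": user,
                               "src": src, "time": when.isoformat(),
                               "count": len(failed)})
            failed.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```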
The New York Post noted,
“The hacker who took responsibility reportedly claims to be just 18 years old,
and gained access to the ride-sharing giant’s internal networks by pretending
to be an IT worker and asking for an unnamed Uber employee’s password.”
Then in
December, a third-party vendor attack breached corporate and employee data as
well as company documents, which were all leaked. BleepingComputer Editor-in-Chief Lawrence Abrams reported, “A threat actor named
‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber
Eats on a hacking forum known for publishing data breaches.”
“The
leaked data includes numerous archives claiming to be source code associated
with mobile device management platforms (MDM) used by Uber and Uber Eats and
third-party vendor services.” The attack targeted an AWS backup server
outsourced by Teqtivity to store data for its customers.
Transparency about breaches
needs to be swift. Uber’s former Chief Security Officer Joseph Sullivan awaits
sentencing after being convicted on two charges for covering up data leaked
on millions of customers in 2014 and 2016. This is the company’s tenth
cybersecurity incident.
Reflecting
on the guilty verdict of Uber’s ex-CSO, the CISO of SafeBreach submitted a
commentary in DarkReading. “A
breach is, quite correctly, viewed as a failure of the company to protect the
data that was breached. It can also ultimately be viewed as a failure of the
CISO.” Organizations need to think about outcomes—as this CISO notes—when
(not if) bad actors or nation-states attack your company.
“Addressing
worst-case scenarios and having a contingency plan in place before you get
breached can minimize the financial and operational fallout when you do.” He
adds, “Such a plan will only be successful if it has been created, vetted, and
rehearsed well in advance.”
A Better Way to Protect Your Mobile Privacy
Companies need to have a
robust Data Privacy Framework to ensure they are
operating within privacy regulations where they do business. CISOs must
implement a strict mobile device management policy.
An IT review of the Uber breach last fall notes, “Hard-coded credentials used in the
Uber breach allowed for administrative access to a privileged access management
programme.” It adds, “To guarantee that workers and outside contractors have
the least amount of permissions necessary to perform their responsibilities,
consistently use the principle of least privilege, beginning at the endpoint.”
You can turn off tracking
and location services in your privacy and security settings on your phone. However, “Apps like Uber and Lyft will track
your location for their drivers, and they may do it constantly, not just when
you need a ride. There isn’t usually a way to turn off location tracking for
these apps without disabling them.”
Contact us to learn more
about how you can protect your company with our encrypted mobile solutions: ChatMail™,
and our latest innovation Renati, a secure mobile operating system currently in beta
testing.
Last week some of you may have noticed a brief outage in
ChatMail’s core services. We are happy to report our team worked quickly to
restore all connections with minimal downtime. We take our uptime and our
commitment to transparency very seriously, and we would like to break down what
occurred to help our resellers and clients understand what happened and how we
plan to improve our network reliability in the future.
What happened?
On December 5th, 2022, we were notified by our NOC (Network Operations Center) and TAC (Radware) team that we had a service outage in our primary data center at Myntex Headquarters. Effectively, our internet had gone down and taken our critical infrastructure with it (including websites, email, portal, VPN, and core ChatMail services).
How long did it last?
Roughly 4 hours, from 8:03am to 12:01pm MDT on December 5th, 2022.
What steps were taken to fix it?
Our initial steps were to contact our ISP (Internet Service Provider) to verify their services were still operational. After some further troubleshooting, we were able to eliminate our internet availability as the culprit. We then began the meticulous process of isolating the issue within our own network. Eventually we were able to narrow it down to the primary Core Edge Router.
Was there a security vulnerability?
No. This was a hardware failure, nothing to do
with the security of our network.
What was the solution?
As part of our disaster recovery plan, we have extra critical hardware on hand allowing us to quickly hot swap network equipment if required. Once we replaced our Core Edge Router with a new one, our networking team was able to configure the new device. After that was completed, all functions were fully restored, and we immediately notified our network of ChatMail partners of the issue and that all services were restored.
How will we improve for the future?
We’ve replenished our stock of critical network hardware so that if/when this happens again, we’ll have the equipment on hand to make the necessary repairs. To allow for quicker troubleshooting and faster deployment, we will be preloading the network hardware with our latest stable configurations.
Our users’ experience can only be as good as our uptime. The last outage we experienced was back in March of 2021 (following a forced fibre relocation). That’s why the home page of Myntex.com boasts a “99.9% server uptime”. After this December’s outage, we are still achieving 99.95% uptime, or less than 4.38 hours of downtime per year.
No one can guarantee 100% uptime, but we’re determined to get as close as possible.
Cybercrime
exploded during the pandemic and continues to rise. Enterprise organizations reporting
huge data breaches this year include Apple (18MM users), Microsoft (65K companies
in 111 countries), and Twitter (5.4MM account profiles). While American
companies are targeted more than most, the problem is global in scope.
“2022
has been littered with thefts of sensitive information. This year, they’ve
affected companies and organizations of all shapes, sizes, and sectors.”
You Don’t Have To Be Rich or Famous
Personally Identifiable Information is considered the top category sought in
breaches because customer data typically includes financial records. Customer
PII represented 80% of breaches reported in 2020 by IBM & Ponemon. On the dark
web, it adds up fast when stolen data can be sold by criminals online to
fraudsters for US$175 per record.
The
ID Theft Center notes in its 2022 Business
Impact Report that 57% of US small businesses have had
a security or data breach, or both. This proves all businesses are at risk of
exposure and economic loss despite headlines highlighting the major violations.
Five of the Worst Recent Cyberattacks
Australia
has been hard hit with hacks this year, including the latest cyberattack which
targeted the Department of Justice. Two of the biggest breaches jeopardized the
privacy of millions of its citizens.
A
massive data breach at Australian telecom, Optus, in September may have
been the worst incident there ever. The company has close to 10 million
subscribers (about 40% of the country’s population).
The
hack was either a State-Sponsored attack (SSA) or conducted by a crime organization, penetrating the
company’s firewall to find sensitive info. Physical addresses, driver’s
licenses and passport numbers were amongst the intel obtained. No ransom was
paid despite the hacker’s demand for US $1.5MM. However, the cost for Optus
to settle the resulting class action lawsuit could be between $5B and $20B, with payments per
individual of between $5,000 and $20,000.
In
October, Australia’s largest health insurance provider was hacked. Medibank
holds the private records of every client, past and present, affecting 10 million
victims. All were visible to the assailants –
including those belonging to foreign students.
Reports show, beyond the
personal data obtained, “Significant amounts of customers’ health data was
compromised as well.” This includes health claims data,
Medicare card numbers, and policy numbers. Following these infringements, Australia’s
government moved to make companies more accountable. The Attorney-General wants
penalties “three times the value of the benefit obtained through misuse of
data, or 30 per cent of a company’s adjusted turnover in the relevant period” –
whichever is higher, up to the maximum fines of $50MM against repeatedly
breached companies.
Medibank’s
stock price plummeted 14%, which was the sharpest drop for the company
in a single day since it started trading shares. The company is still investigating;
however, it believes a criminal organization compromised user credentials. It
then started payment negotiations after stealing data. Police warned Medibank
not to pay the cyber extortionist. In November, the hackers followed through on
a threat to publicly release the stolen data unless the ransom was paid within
24 hours. Millions of health records were posted on the dark web. The cost to
remediate the damage caused by the breach is expected
to be $150MM.
As for repeat breaches, the Costa Rican Government
declared a state of emergency in May after its second cyberattack in as many
months by the ransomware gang Conti. In its first assault, Conti demanded
$10MM from the Ministry of Finance, which declined to pay. The second attack
saw a single threat actor from the Ransomware-as-a-Service (RaaS) organization claiming
responsibility.
One report noted, “In the first two days of the attack alone, the
Costa Rican Chamber of Foreign Commerce estimated losses of over $125
million.” To try to pressure the newly elected President to pay, the attackers
sent an intimidating message saying they would be able to overthrow Costa Rica’s government
if ransom wasn’t paid, raising the amount to $20MM.
The
Conti attack prompted the US government to offer rewards of up to $10MM for identifying information on the
location of Conti leadership and a further $5MM if the intelligence leads to
arrest of any conspirators in a Conti ransomware incident in any country.
“This
type of attack is designed to be controlled remotely. Malware operators hack
into a network and gain domain and administrator credentials, locking and
encrypting the entire hard drive.” Conti leaked more than 670 gigabytes of
data on May 20th from Costa Rican government servers.
An
American student loan servicing company, Nelnet, is facing a class
action over a data breach affecting the Oklahoma Student Loan Authority and
Edfinancial. “Nelnet failed to uphold its data security obligations to
Plaintiff and Class Members,” the suit
alleges. “As a result, Plaintiff and Class
Members are significantly harmed and will be at a high risk of identity theft
and fraud for many years to come.”
The
names, addresses, email addresses, phone numbers, and Social Security numbers
of those impacted were exposed. Further information on how the breach
happened was not shared by Nelnet.
More than
2.5 million borrowers had their private information stolen when an
unauthorized actor gained access to the company’s network from June 1st
through to July 22nd. It wasn’t identified until August 17th.
The breach could result in those affected being targeted by bad actors for subsequent
attacks such as impersonation, social engineering, phishing, and various
scamming schemes from the PII being sold on the deep web.
One of
the largest verified breaches to date this year targeted the fantasy digital
pet company, Neopets. According to the rogue hacker, interviewed by BleepingComputer, the account data of over 69 million members had
been stolen, but the hacker did not reveal how they gained access. The database contained
source code for the neopets.com website owned by Jumpstart, a subsidiary of
China-based NetDragon. Instead of extorting the company, interested buyers were
being courted in online forums.
It’s
surprising the attacker didn’t demand ransom, considering NetDragon
group currently holds over US$40MM worth of
cryptocurrencies. (Perhaps this attack aimed to raise the hackers’ status?) Instead,
the source code and database for the popular website is up for sale on an
online forum. The hacker is only asking four bitcoins, valued at US$90,500.
Last November, NetDragon sold ~4,200 non-fungible tokens over four days. The
NFTs are known as the Neopets Metaverse Collection.
How Criminals Obtain Private Data
Most data breaches are due to cyberattacks, with
phishing and ransomware continuing to be the root causes again this year. Security
Magazine found the largest attack vector was
“unknown” in Q1 2022, which was a 40% increase in the total number of unknown
breaches for all of 2021. “While data breach notice updates may include more
attack information, the increasing lack of transparency in the notices is a
risk to organizations and consumers.”
Hacking
was the primary cause of data breaches in companies with 500 or fewer employees.
However, remote workers were responsible in 35% of reported incidents and
third-party vendors in another 29% of cases. More than half of the companies
thought their accounts were compromised by responding to a direct message and
45% say a phishing link or shared account credentials with an impersonator was
to blame. One-third said the malicious actor claimed to be a customer,
prospect, or vendor.
About
half of the impacted companies spent between a quarter and a half million
dollars to cover the cost of these breaches and almost 20% spent from $500k to
$1MM USD. Coming back from a breach can take one to two years for most
companies. In addition to the financial burden, a third of those surveyed
experienced loss of customer trust.
Perception vs Reality
Questions are being raised as to whom or what is to blame for the proliferation
of major data center breaches around the world. With governments, service
providers, retailers, insurers, and health care agencies amongst some of the
biggest hacks this year—cybersecurity experts point to apathy.
Fittingly, the responsibility lies with CEOs, CISOs, boards, and corporate
policy. There is a focus in business today that prioritizes data intelligence
over data security.
According to Harvard
Business Review, most companies either don’t have any cyber insurance or not
enough. Furthermore, with the increase in ransomware attacks and payouts, the
industry itself is at risk. Ransomware attacks have skyrocketed, and payouts
have grown exponentially. This is a worrisome trend for insurers.
For example, “With around 250 companies buying at least $200
million in protection, it would only take five insured losses of a bit more
than that amount to wipe out an entire year’s premium. That’s only 2% of the
companies in the market buying that much coverage. That kind of loss would
likely take decades for insurers to earn back such losses.”
Clearly, the focus needs to be on prevention instead of damage recovery.
A Better Way To Block Attacks
Considering the main gateway to ransomware attacks and breaches is
phishing, you have to look at your mobile
device management. BYOD policies put businesses at risk. You need to mitigate the
element of human error. Perhaps the most important practice you can instill in
your workforce is password hygiene. But even the best cybersecurity training
can’t stop employees from inadvertently making a mistake.
Unless you remove unnecessary apps, internet
browsing, and other activities not essential to business communications, you
will never be truly protected. Don’t settle for a free app that is only focused
on privacy and not on network security. Ensure your teams’ messages and calls
are secured by a service provider that uses end-to-end
encryption and doesn’t store
any of your PII in its data center.
Myntex Partners’ Top Cybersecurity Threats based on August 2022 Survey Results
Each autumn, with the back-to-business mindset
following summer holidays, organizations reflect on their sensitive data during
Cybersecurity Awareness Month, observed in October. Businesses spend billions
of dollars annually on cybersecurity. Statista forecasts
the global Information Security market will approach $175B by 2024. Products
and services supporting this market are expected to hit $1.1725 trillion USD
in 2022.
We asked a selection of our business partners—BlackBerry,
JT IoT, and SLNT—for their perspective on the current threat landscape and what
they’re doing to mitigate risks.
Every
enterprise knows the importance of investing in InfoSec. Increasingly,
CEOs are adding a box to their org chart filled by a Chief Information Security
Officer. Nonetheless, CISOs face pushback from
their peers in the C-Suite. The CFO says cybersecurity is too expensive. The COO
thinks all the controls slow productivity. The CIO advocates for IT outsourcing,
while the CMO wants marketing to have access to custom data.
Mobile Device Management is a critical
element of any robust IS strategy, which is essential to keep
your network safe from harm. Specializing in encrypted
mobile solutions, security and privacy is our core business at Myntex. We are
focused on the very essence of cybersecurity, which is verifying the identity
of others, while continuously proving our encryption is authenticated to defend
against malicious interference and data breaches.
The Most Common and Costliest Cyberattacks on Business
Ransomware has been the dominant
cybersecurity news story this past year, affecting not only enterprise
organizations but increasingly targeting small-to-medium business.
As an industry leader in cybersecurity, BlackBerry
notes, “The current infrastructure of the underground cyber economy continues
to evolve quickly with threat groups sharing hacking techniques, malware code,
tech infrastructure, target lists, and even exporting stages of the process to
hackers with specializations, allowing for attackers to operate faster and at
scale. In fact, some of the biggest incidents of 2021 appear to have been the
result of this outsourcing. On top of that, cybercriminals can often circumvent
being shut down by authorities by breaking up and reorganizing as new
cybercriminal groups.”
The company
confirmed it believes the best defense is to adopt a prevention-first approach
to cybersecurity. “BlackBerry customers benefit with artificial intelligence
(AI) and machine learning (ML) driven cybersecurity products, which have been
independently proven to prevent malware from executing on endpoints including
the latest ransomware strains.”
Gateway Attacks and Vulnerabilities
As indicated in the Statista charts below, phishing was the most common cause of ransomware attacks reported by managed service providers.
Source: Statista, Phishing gateway to Ransomware.
According to Datto’s Global State of the Channel Ransomware
Report, “Carelessness and gullibility are
the greatest threat to small businesses. With phishing mails, poor user
practices and lack of cybersecurity training on top of the list of leading
causes of ransomware attacks, it becomes clear that end user education is an
essential part of IT security.”
These cybersecurity threats resonate with our industry
partners. Employee driven threats appeared across the companies we surveyed as
a top concern.
SLNT®
CEO, Aaron Zar, ensures all
employees and contractors are trained on cybersecurity best practices, which the company regularly updates to keep staff and systems
safe.
“Just like technology,
cybersecurity is always changing and evolving,” notes company spokesperson Avie
Zar. “Our Cybersecurity mitigation plan is reviewed annually. When reviewing
and updating a plan we always cover these key topics.”
By analyzing and identifying potential
threats, through internal and external risk assessments. Beyond implementing a
plan to protect the business, SLNT keeps
looking for vulnerabilities, with monitoring practices aimed at detection.
Key Business Systems Under Attack
Enterprise Management – An Internet
Crime Report shows business email and spoofing
attacks rose sharply with the pandemic, leading victims to send criminals
fraudulent wire transfers. “They do so by compromising an employer or financial
director’s email, such as a CEO or CFO, which would then be used to request
employees to participate in virtual meeting platforms.”
Operations Management – The latest DBIR
notes, “2021 illustrated how one key supply chain breach can lead to wide
ranging consequences. Supply chain was responsible for 62% of System Intrusion
incidents this year. Unlike a Financially motivated actor, Nation-state threat
actors may skip the breach and keep the access.”
Financial Management – Today’s CFO makes critical
cybersecurity decisions, especially with the risks
associated with ransomware. “There are costs for
remediation, cybersecurity software meant to prevent ransomware, and loss of
productivity. There’s also a potential cost associated with damage to an
organization’s brand and reputation.”
Business email compromise (BEC)
scams may lack the drama of hacking attacks but it’s possible to argue that
they’ve become the biggest cybersecurity issue facing the world today.
“Losses to cybercrime increased significantly in 2021.
The losses – which are located mainly in the U.S. but were collected around the
world – are estimated at $6.9 billion last year, up from $4.2 billion in 2020.
Other costly cyber crimes with businesses at their center were personal data breaches and corporate data
breaches, which occur when criminals steal or release the personal data of
individuals or companies previously stored in a secure location.
Out of all victims recorded by the FBI, 59 percent were in the U.S., 38 percent in the UK and 3 percent elsewhere.”
Source: Statista, The Costliest Types of Cyber Crime (per million/USD)
Preventing Attacks On Business Mobile Devices
One of the
world’s leading carrier-neutral IoT connectivity platforms, JT IoT is a SIM card provider for our custom encrypted mobile solution,
ChatMail™. “Supported by a team of 70+ people and with over 500+ global
networks, JT IoT provides customers sustainable, scalable, compliant, and
secure access to connectivity.” The company has a Bring Your Own Device to work policy, which it
manages through Microsoft Endpoint. Proactive security audits with penetration
tests from third-party providers are part of their cybersecurity risk mitigation
plan.
Organizations
need to be pre-emptive in safeguarding mobile communications with policies to
protect all users and hardened devices for key team members who need extra
security. Awareness of possible attack vectors is a fundamental first step,
especially for small to medium size businesses who are increasingly being
targeted.
Malware – malicious software that can steal login credentials while bypassing 2FA
BYOD programs – a risk to your MDM in part due to the use of apps and social media
MitM attacks – mobile applications using unencrypted HTTP
Cybersecurity
Awareness is a daily practice and with the right tools you can trust your
communications are both private and secure.
Myntex is
an industry leader in the field of encryption technology, offering enterprises
expertise in mobile security supported with evidence-based live data
extractions.
Data Source: Check Point Average Weekly Cyberattacks (2021) per Organization by Industry
With the cost to manage vulnerabilities in digital security expected
to grow from $6.7 billion in 2020 to $15.86
billion by 2030, it makes sense to know the cyber risks your industry faces to
proactively prepare.
Human error is the main risk factor for business cyberattacks. When
your employees use smartphones for work, they are introducing vulnerabilities.
Third-party apps, internet browsing, Bluetooth, GPS, USB connectivity – all of
these are vectors for malicious actors to access your sensitive and valuable
data. Imagine how much more secure these sectors would be if they used
encrypted, hardened phones. Never mind the cost to your bottom line or
reputation.
According to Check Point Research, 2021 saw a 40% increase worldwide
in cyberattacks with about one in 60 organizations impacted weekly by
ransomware.
“The researchers
define a cyberattack attempt as a single isolated cyber occurrence that
could be at any point in the attack chain — scanning/exploiting
vulnerabilities, sending phishing emails, malicious website access, malicious
file downloads (from Web/email), second-stage downloads, and
command-and-control communications.”
Here’s a look at the five industries most targeted by
cyberattacks in 2021, inspired
by research posted in Forbes by a global thought leader in
cybersecurity and emerging technology, Chuck Brooks.
Education/Research
Considering the shift to distance learning during the pandemic, it is not surprising education and research is the top sector being targeted by malicious actors. The Data Group Manager at Check Point, noted, “Students, parents and schools are tempting targets for hackers, mainly because of data – there’s lots of it. From gradebooks to online assignments, hackers have far more access points to sensitive information and data. Data is leverage for hackers and can be used to orchestrate ransomware attacks.”
The top regions for cyberattacks on education/research were the Pacific Rim, with an average of 4,176 a week in Australia and New Zealand, just slightly ahead of the rest of Asia. Europe had 1,861 attacks weekly.
A study of ransomware attacks in 2021 revealed education and retail were equally targeted with a 44% increase, yet as a sector education had three times as many cyberattacks. Schools, tied with places of worship, received the most brand-impersonation credential phishing attacks.
Government/Military
This was the second highest sector to be attacked in 2021. Government agencies are high-value targets for the information they hold, with a vast amount of confidential data, which hackers exploit – often through state-sponsored attacks.
At the end of 2021, the Log4j vulnerability left countries around the world scrambling to fix the single biggest threat in the last decade and likely the most critical code loophole ever. The Belgian military, as an example, was hit hard and spent five days countering the cyberattack.
The SolarWinds Supply Chain Trojan attack was a global threat, believed to have been a Russian sponsored attack, which affected the US government as well as major corporations. Newsweek reported, “State Department, Department of Homeland Security and some parts of the Pentagon appeared to have been compromised.”
An Iranian Facebook hacking campaign targeting the US military was revealed in 2021, in which social engineering was used to send malware-infected files and phishing schemes were used to get credentials.
Communications
In third place, this sector experienced many devastating cyberattacks. The industry vertical for Technology, Media and Telecommunications made headlines around the world for notable takedowns. The Australian broadcaster Channel Nine was hit by a cyberattack, which left the network unable to air several shows or its Sunday news on March 28, 2021. Coincidentally, the Australian government faced an attack at the same time.
Mobile phone companies were also hard hit. A year ago on August 17th, the T-Mobile cyberattack compromised data of millions of their customers, former customers, and prospective customers. T‑Mobile said, “Fortunately, the breach did not expose any customer financial information, credit card information, debit or other payment information but, like so many breaches before, some SSN, name, address, date of birth and driver’s license/ID information was compromised.”
Internet Service Providers/Management Service Providers
Irish ISPs were the target of a series of “denial of
service” strikes in May 2021. There was no indication the DDoS cyberattacks
were related to the concurrent Health Service Executive ransomware attack, which
caused the country’s IT systems to be shut down nationwide.
The Internet
of Things has proven to be a major cybersecurity challenge
for ISPs. An estimated 25 billion IoT devices were connected online in 2021. Cybercriminals
increased their IoT attacks with both ISPs and Telecoms seeing the impact
through hacking and data breaches. This included DDoS attacks, Network
congestion, RFID interference, Routing attacks, and Sybil attacks on
computer network security.
According to the Sophos
State of Ransomware 2021 white paper, IT,
technology and telecoms were the industry vertical hardest hit by Ransomware.
Management Service Providers are outsourced IT
services. Typically, MSPs handle IT infrastructure, technical support, user access within corporate client systems, and hardware outsourcing.
MSPs also act as third-party server storage, provide Software-as-a-Service,
or niche technical expertise. Microsoft Exchange is a
cloud-based email service. A mass cyberattack affected millions of Microsoft
clients around the globe, wherein threat actors actively exploited four
zero-day vulnerabilities in Microsoft’s Exchange Server. It is believed that
nine government agencies, as well as over 60,000 private companies in the US
alone, were affected by the attack.
Healthcare
The Abnormal Security Email Threat Report noted there is a rise in
business email compromise attacks. BECs occur when a scammer accesses the email
of the targeted business contact and impersonates them using their identity to target
other victims.
When cybersecurity expert Brian Krebs reported on ransomware attacks in the
healthcare sector, he asked a source how many healthcare organizations get hit
with ransomware on average in one week. His source confided, “It’s more like one
a day.”
The Bigger Picture
Overall, the global distribution of cyberattacks was highest in
Africa, with an average of 1,615 per organization each week, which is an
increase of 15% over 2020. Asia
and the Pacific was second with a 20% increase amounting to an average
of 1,300 weekly attacks per organization. Coming in third, with an average of
1,115 attacks weekly, at almost a 40% increase, is Latin America.
Business Email Compromise attacks can be sent to anyone, but
executives or finance department personnel are prime targets. According to a
report on email
and phone fraud scams in 2021, despite having employee preventative training, IT
departments and cybersecurity support, the companies with the highest
probability of being targeted by an attack are those with the most employees.
In fact, enterprise organizations have a 95% chance of receiving a BEC attack
every week due to the high volume of email received.
“Small businesses under 500 employees were fortunate to experience
only an average 12% probability of attack throughout the half, but large
organizations comprised of more than 50,000 employees received an attack nearly
three weeks out of each month.”
As a Cybersecurity expert, Brooks shared risk management strategies
in a Homeland
Security blog, surmising, “The
bottom line is that almost every type of business, large and small, touches
aspects of cybersecurity whether it involves law, finance, transportation,
retail, communications, entertainment, healthcare, or energy. Cyber threats are
ubiquitous, and they can be an existential event for companies and the C-Suite
urgently needs to have a plan.”
As world renowned business and technology futurist Bernard Marr
stated in his report on the biggest cyber
security risks in 2022, “Aside from the potential for
breach of privacy, loss of money, and disruption to infrastructure from
cyber-attacks, there’s another genuine and pressing problem that’s often
overlooked: A loss in the trust in tech and data.”
Myntex has an encrypted mobile
solution, ChatMail™, which can securely protect your
privacy and reduce your at-risk attack vectors for email, messaging, calling,
notes and pictures. Enterprise businesses can request a live data extraction
proving the soundness of our technology.
Encryption conventions permeate every part of the
Internet. There are many different protocols, each with its own merits and in
some cases vulnerabilities. Despite providing end-to-end encryption, the policies and practices of popular free apps can put your reputation at risk.
Facebook wants to use homomorphic encryption to monetize WhatsApp
and Messenger user data
Telegram actively
shares user data with government agencies and censors content
Myntex Inc. engineered our most secure mobile solution,
ChatMail, to be the best in the world. We prove our encryption with live data
extractions for enterprise organizations and we are the only encrypted phone provider
to do so.
ChatMail’s Advanced Message and Parsing protocol, known as CAMP,
protects users of our encrypted phones across multiple layers. The reasons
behind our decision to incorporate the custom cryptographic algorithms we use
are the focus of this exposé.
Parsed Messaging Encryption
Myntex designed ChatMail with privacy in mind,
utilizing multiple encryption algorithms. PGP, which stands for Pretty Good
Privacy, is the system we use to relay encrypted external email. We were the
first to parse PGP. Our parsing algorithm
takes encrypted email and displays it in an easy-to-read message bubble to look
like a chat message. That’s why we named it ChatMail. It is the only system to
automatically identify both internal and external users. Internal users default
to elliptic curve encryption and external users default to PGP. ChatMail’s
Unified User Interface displays internal email in blue and external email in grey.
The algorithm used is shown in each individual message.
Our default system uses the strongest
encryption protocol available, safeguarding you and your data. Internal ChatMail
clients use high-speed, state-of-the-art Diffie-Hellman Elliptic Curve25519 cryptography,
with optional fallback to PGP. External users are PGP by default.
True End-to-End Encryption
Combining the most reliable algorithms in cryptography, our CAMP protocol ensures customer
privacy with leading-edge security. The choice to use Elliptic Curve Cryptography for E2E encrypted messaging was for privacy.
Encryption begins on the sending device using ECC 25519, so that even if the
recipient is not using the phone to accept the message promptly, it will remain
encrypted in a delivery queue and cannot be decrypted or read until downloaded
on the receiving end. Your data is never
stored in plain text.
We use message encryption by default. Our customers cannot send or
receive unencrypted messages. Users’ voice
messages, pictures and notes are always encrypted. With ChatMail, your content is encrypted
in transit and at rest, and only stored on your device.
Calling Encryption
ChatMail
key exchange for encrypted calling works with the Zimmermann Real-time
Transport Protocol. With ZRTP, parties verbally confirm
matching shared codes to ensure calls are private and have not been intercepted.
Secure RTP
protects ChatMail encrypted calls from eavesdropping.
Transport
Layer Security is used to configure encrypted calling traffic. Our
encrypted calling uses ECDHE X25519 (the last “E” stands for
“ephemeral” which is suited
to mobile devices as it is faster) with TLS 1.2 ciphers. This keeps calls and messages private and secure by removing
them from prying eyes on the public internet.
ChatMail features tamper-proof hardware and encryption
that experts consider to be quantum-proof:
Hash: SHA-384 – our Secure Hash Algorithm transforms cryptographic keys with an output of 384 bits, providing unbreakable protection against key length extension attacks
Cipher: AES-256 – the algorithm used to perform encryption or decryption is called a cipher, and AES-256, also referred to as military-grade encryption, is the Advanced Encryption Standard adopted by the U.S. government to protect classified information
SAS Rendering: B256 – SAS stands for Sharing a Secret, and we use it with the PGP word list to convert strings of code into simple phrases used for authenticating encrypted calls, thereby preventing Man-in-the-Middle attacks, while B256 indicates the key size in bits
Auth Tag: HS80 – an Authentication Tag in ZRTP confirms each encrypted audio frame sent over an SRTP channel, and HS80 is an 80-bit tag, which is preferred for security purposes
Key Agreement: X25519 – encryption is performed by keys, and the key size for ECDHE X25519 is 256 bits, which provides forward secrecy as an extra layer of protection against hackers, so that if one message was ever compromised, it would not affect the security of future messages
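The key agreement and spoken-code check described above, as an added example (not Myntex's or ZRTP's own code): two phones run an ephemeral X25519 exchange, derive a session key and a short code, and the codes stop matching when the public keys are replaced in transit. The function names, the SHA-384 derivation and the hex rendering of the code (instead of PGP words) are assumptions made for illustration.

```python
"""Ephemeral X25519 agreement plus a read-aloud verification code (illustration)."""
import hashlib
import secrets
from typing import Optional

P = 2**255 - 19                          # Curve25519 field prime
A24 = 121665                             # ladder constant from RFC 7748
BASE_POINT = (9).to_bytes(32, "little")  # standard X25519 base point


def x25519(scalar: bytes, u_coord: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Python ints are not constant-time,
    so this is for study only; production code uses a vetted library."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64           # clamp the scalar as the RFC requires
    n = int.from_bytes(k, "little")
    x1 = int.from_bytes(u_coord, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (n >> t) & 1
        if swap ^ bit:                   # conditional swap of the two ladder points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(private: Optional[bytes] = None):
    """Fresh (ephemeral) key pair unless a fixed private key is supplied."""
    private = private or secrets.token_bytes(32)
    return private, x25519(private, BASE_POINT)


def endpoint(private, public, peer_public, initiator):
    """What one phone computes: (32-byte session key, 4-hex-digit code).
    Assumption: SHA-384 over secret + both public keys stands in for the
    real key-derivation function, which this sketch does not reproduce."""
    shared = x25519(private, peer_public)
    if shared == bytes(32):
        raise ValueError("peer supplied a low-order public key")
    first, second = (public, peer_public) if initiator else (peer_public, public)
    digest = hashlib.sha384(shared + first + second).digest()
    return digest[:32], digest[32:34].hex()


def place_call(alice_priv=None, bob_priv=None, interceptor_priv=None):
    """Simulate one call. If interceptor_priv is set, both public keys are
    replaced in transit, which is the case the spoken comparison catches."""
    a_priv, a_pub = keypair(alice_priv)
    b_priv, b_pub = keypair(bob_priv)
    seen_by_alice, seen_by_bob = b_pub, a_pub
    if interceptor_priv is not None:
        seen_by_alice = seen_by_bob = keypair(interceptor_priv)[1]
    a_key, a_code = endpoint(a_priv, a_pub, seen_by_alice, initiator=True)
    b_key, b_code = endpoint(b_priv, b_pub, seen_by_bob, initiator=False)
    return {"alice_code": a_code, "bob_code": b_code,
            "codes_match": a_code == b_code,
            "keys_match": a_key == b_key, "alice_key": a_key}


if __name__ == "__main__":
    print("direct call     :", place_call())
    print("keys substituted:", place_call(interceptor_priv=secrets.token_bytes(32)))
```

Because every call draws new private keys, the session key from one call reveals nothing about the next, which is the forward-secrecy property the list attributes to ECDHE X25519.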
The Importance of Server-Side Security
Our data center acts as a delivery system for
mobile solutions. We do not store any sent or received messages on our servers.
Therefore, we also do not keep a roster. A roster is a list of
contacts associated with clients for apps that retain messages on their server.
Even if the company says they delete messages after 24 hours, it will leave a
roster of contact information. When you delete a
message from ChatMail, since there is no server storage there is no record of
it.
Companies that delete
messages older than 24 hours do not delete message threads and they often
contain weeks’ worth of confidential communications. For example, Telegram notes in its
policy, “We store messages, photos, videos, and documents from your cloud chats
on our servers so that you can access your data from any of your devices
anytime without having to rely on third-party backups.”
Myntex removes the need for local server storage with our CAMP
protocol. ChatMail is the only encrypted mobile solution supported by a private data center. Encryption
protocols are irrelevant if the server has a backdoor or if user data is shared
with marketers, governments, or other entities.
Owning and operating a private,
state-of-the-art Data
Center sets Myntex Inc. apart from its competition
in the custom encrypted phone app industry. Myntex CEO, Geoff
Green, gives an overview in this Q&A.
Question # 1
What exactly is the function of the Myntex
Data Center?
Geoff:
You can think of our data center as the brains
of our infrastructure. Regarding our messaging service, the data center acts as
a messaging agent. When communicating with end-to-end encryption, devices need
to know how to reach one another. Networking is not magic, but it is cool. You need
some sort of tunnel to each device so when you send a message it can reach the
intended recipient. By utilising open-source virtualization technology and
custom-designed hardware, our data center has been the primary reason we have
been able to cost-effectively grow as a company. The alternative would be a
less secure approach by renting co-located space and paying large fees in
licensing.
Question # 2
How has the Myntex Data Center evolved over
the years?
Geoff:
From a virtualization perspective we started
out with the original Xen from Xen Project, which has gone through many changes
throughout the years as an open-source virtualization technology.
We later transitioned to XenServer when Citrix
became the dominating provider of features for the Xen hypervisor which did
require license fees for support contracts. But when a new open-source project
came to market called XCP-ng based on the same hypervisor we made the switch.
XCP-ng is what we currently use and will continue to support their development.
We use XCP-ng for our primary virtualization
technology and then on top of that, we use Docker. We run a series of virtual
machines on our hardware, which means we can use orchestration software instead
of a physical computer to run programs and deploy apps. CDW
Canada helped us source the right equipment to fit our
needs.
We’re the only encrypted mobile
solution provider with our own data center. We chose to
invest in one, even though it’s expensive, because it provides better privacy. We
planned and developed it ourselves. Some companies just can’t afford the investment
or lack the knowledge to run a private data center. You need to hire the right
people, which makes it more costly.
Question # 3
What maintenance is required to ensure optimal
performance in the Data Center?
Geoff:
Running a datacenter does have to have a
maintenance schedule; generators, networking and hardware all must be tested and
monitored to make sure they are performing at their best.
APC by Schneider Electric performs an annual
inspection and maintenance. Most of the critical pieces of equipment go through
their own diagnostics automatically. You’ll sometimes hear weird beeps, coming
from the data center which is when the system is doing self-testing, which is a
huge time saver.
The air-conditioning gets looked at every year
or two. We have N+1 for all pieces of equipment including the A/C unit. If a main
unit were to break, we still have a standby backup unit.
Our primary backup generator is tested monthly
and must be load tested every year.
Question # 4
What disaster recovery plans are in place?
Geoff:
We took a pre-emptive approach to disaster
planning. We did a complete threat analysis. Are we in a flight path? How close
are we to the fuel depot? We’re not on a floodplain.
There are only a few people who have access to
the data center. We have offsite backups in an undisclosed location. But the most
important piece is backups of our proprietary code, which would allow us to
rebuild our entire infrastructure even if the building was destroyed. The nice
thing about our Calgary location is it’s not on a fault line so, you don’t have
to worry about catastrophic earthquakes.
We learned a lot about flood protection when
we went through a major flood in Canmore, which also devastated central Calgary.
It’s the reason we opted for diesel powered backup generators, because when the
2013 flood happened, Emergency Management worried about the water exposing the underground
natural gas pipes, so they shut the gas off. Calgary does have one of the most
stable power grids in the world, but a generator is a must.
We have a two-stage fire suppression system
inside the data center. In stage one a fire alarm sounds, and safety systems are
activated. If the second stage is triggered, there’s a different alarm to warn
you to get out immediately. Seconds later a dry chemical flame retardant is
dispersed. We don’t use halon. We use a non-toxic, Novec fire suppression
system. That’s industry standard for most data centers. There’s no water in the
pipes inside the data center. There are special smoke strobes in the server
room that can detect any kind of laser break, even the smoke from vaping.
80% to 85% of the costs we put into building
our world class headquarters went into securing our data center. We have
ballistic protection on the windows and armored doors on top of that, for
protection as well as 24/7 surveillance and monitoring.
Question # 5
What are the industry standards for a Data
Center security?
Geoff:
A data center needs N+1 redundancy and you
should have safety systems in place, the minimum being two‑stage fire
suppression. If a company has server equipment with only one A/C unit and no backup
generator … that’s not a real data center. That’s more like a networking
closet.
N+1 plus ensures system sustainability in the
event of component failure. Components (N) have at least one independent backup
(+1). The power modules in ours are N+2 redundancy, so we can lose two power
modules before we’re in a critical state. So, that redundancy is vital in a
data center. All the switch gears are redundant to the point of N+1, N+4 on
some things, depending on where it is and what its purpose is. The best
example is that N+1 from a networking perspective means if you have two routers you
better have two switches to prevent a single point of failure.
To maintain 100% uptime, we use triple
replication for high availability. So, for each server we have three, running
on three different servers. They’re all virtualized, but they’re across three
different pieces of hardware. Everything is running redundant that way.
Question # 6
What method of protection does Myntex use for
DDoS?
Geoff:
We utilize different techniques and
technologies for protection but our main provider is Radware, which protects us
from large scale DDoS attacks – and they’ve been doing a great job for many
years.
Question # 7
Why is a data center location important, and
explain why Myntex is in Canada?
The one thing that I personally have heard
numerous times is many people in Europe seem to think Canada is the United States.
I think that could be a misnomer, where people just don’t quite understand how
we are separate sovereign nations.
Question # 8
For Mobile Device Management, Myntex has
relied on BlackBerry UEM. How do you ensure it’s secure?
Geoff:
We self-host UEM, so we control it, nobody
else does. If there’s a problem, I call BlackBerry to explain the issue. We may
do a screen share so they can look, but they have no access to our server at
all.
You can also host BlackBerry UEM in their
cloud, but then you don’t physically control the server. Therefore, BlackBerry
gives organizations the option to self-host.
Question # 9
What’s the difference between the Myntex Data
Center and companies using cloud servers?
Geoff:
A cloud could technically speaking still be in
a single data center. It would be considered a non-resilient cloud, but it is
possible to still call it a cloud if it’s using cloud-based computing, like the
OpenNebula open-source cloud computing platform developed by NASA, which is awesome.
I believe the big difference between using a
cloud provider and hosting our own datacenter is that we own the data center,
we control the data, we control the physical access. If you are hosted in a third-party
data center, you don’t control anything. They control it and give you access,
like they give you a remote login, but that’s all you get.
Question # 10
Bonus Question: Have you been able to clock
the speed of your messaging service since you operate your own servers at the
Myntex Data Center?
No, we don’t have exact metrics like that.
When it comes to messaging, I guarantee they can send in under 200 milliseconds,
but you have all the infrastructure that’s tied between it. So, when we say we
have the fastest messaging in our industry it comes down to many factors… my
phone is running through a network to our servers through another network and
received on another device. So, when you send an image, it normally takes about
500 milliseconds, probably even less, to go from my physical phone to you.
(Myntex COO and co-founder, Chantel Duplantie,
sends him an image and it instantly pings his phone.)
See that? That’s how fast it is. I have seen
many other messaging systems and how long some take to send a picture, you’ll
be waiting like … two minutes from the initial press of the send button. And
when I say our industry I’m referring to our niche industry. I still think we
might be faster than Signal
and WhatsApp, but they also have many more users which is
a major factor when it comes to speed.
To achieve some of the insane speeds we use different
types of technology including Erlang, Redis, Elasticsearch and RabbitMQ, which
implements one of my favorite protocols, AMQP. They’re all a type of in‑memory storage. We use RabbitMQ for our primary messaging
between our microservices. It’s instantaneous. Same with Erlang, we use
it for the messaging system’s capability.
The speed with which we can send pictures and
voice messages just blows our competition away.
In 2016, Myntex Inc. was
growing as a business and we wanted to better position the company for the
digital economy. However, Myntex® is based in Canada, where the banks have been slow to adopt crypto and we were getting pushback to accept it.
The Solution To Our Problem Receiving Crypto
Ultimately, we were able to
arrange our payments through BitPay. When we released ChatMail™ in 2017, our Certified
Executive Partners appreciated being able to use cryptocurrency. While it is not
a cryptocurrency exchange, BitPay is a blockchain/cryptocurrency payment
processor that enables you to accept cryptocurrencies as a payment method in
exchange for goods or services you sell to your customers.
Working through our financial
institution, Myntex can accept digital purchases from our CEPs, who have relied
on BitPay for many years. At the start of the pandemic, stores and banks
across Europe were forced to close due to lockdowns. Without BitPay, it would
have been a challenge to receive transactions from our CEPs. We appreciate the
lengths to which BitPay went for our certification.
What Services Does BitPay Provide?
BitPay converts payments to
Canadian dollars, depositing them straight into our chequing account. Unlike an
exchange, BitPay does not store or manage digital assets. With its Payment Protocol, BitPay allows blockchain wallet and cryptocurrency users to make
transactions that are fast and efficient. Shoppers receive quick confirmations
that the correct amount and required fee were sent.
For privacy-cautious
customers like ours, BitPay adds another layer of protection to your
transactions. BitPay is easy to use. Individuals can use their card to turn
crypto into cash, secure and use crypto on the go in their wallet, and spend
crypto from their internet browser. Businesses can accept bitcoin on their website for online
payments, as well as for billing purposes via email. You can pay out bitcoin to
anyone, anywhere. And BitPay accepts crypto for NFTs.
How Safe Is Cryptocurrency?
In a blog post about the security of blockchain, Certified Information Systems Security Professional Magda
Chelly, PhD notes, “Cryptocurrencies are built on top of blockchain technology,”
adding, “blockchain provides the infrastructure for cryptocurrencies, while
also allowing them to function in a decentralized manner.” Chelly continues, “For
individuals, blockchain offers greater security and privacy when making online
transactions. And for businesses, blockchain can help streamline processes,
reduce costs, and speed up transactions.”
The first and most prevalent
crypto, Bitcoin, was built on the blockchain. According to Investopedia, more
than 10,000 other cryptocurrency systems are running on the same technology
today.
Blockchain and cryptocurrency
have a distinct yet connected relationship. “Defined as a digital or virtual currency, crypto
uses cryptography for security and is not owned by any particular authority,
making it difficult for governments to manipulate . . . By moving the means of
transaction out of siloed, closed networks, blockchain is helping to solve some
of the challenges around the interoperability of disparate financial systems around
the world.”
We believe in BitPay’s
mission to transform how businesses and people send, receive, and store
money around the world.
BlackBerry®
Unified Endpoint Manager unlocks the Android For Work security component built
into Android devices. This allows Myntex to deploy our encrypted mobile
solutions on authorized off-the-shelf devices around the world. BlackBerry UEM is
an important component of our organization as it works with a wide variety of
models for use with ChatMail™.
We
can attest to the fact, “With its single management console and trusted
end-to-end security, BlackBerry UEM
provides flexibility and security to keep your employees connected and
protected so they can work from practically any device, anywhere.”
Our History With BlackBerry
We
were inspired by the security and privacy afforded by BlackBerry Messenger and all the capabilities of the BlackBerry phones. As a
company, Myntex began offering PGP encryption on BlackBerry phones as a white
label solution in 2011.
BlackBerry
phones introduced Secure
Wipe and Remote data wipe, two of
the features that businesses appreciate to secure their data in situations such
as when an employee loses their phone or is terminated.
The Many Ways of Using UEM
As stated on their website, “You can install BlackBerry
UEM in an on-premises environment for the utmost control over your servers,
data, and devices. This prevents any third party from having access to the
secure configuration. An alternate method is to use BlackBerry UEM Cloud,
which offers an easy-to-use, low-cost, and secure solution. BlackBerry hosts
BlackBerry UEM Cloud over the Internet. You only need a supported web browser
to access the service.”
Rather than using BlackBerry UEM’s virtual machine on
their cloud, Myntex runs a self-hosted instance in our own private data center.
This allows us to maintain granular control over our infrastructure,
eliminating the risk of unauthorized access and intrusion.
How Myntex Adopted BlackBerry UEM
In 2005,
BlackBerry released BBM Enterprise through the Google Play Store and then on
the Apple Store. The BlackBerry Wikipedia page refers
to BBMe as “An
IP-based enterprise instant
messaging platform that provides end-to-end encryption for voice, video, and text-based
communication.” Afterwards, a Software Development Kit was issued for
BBMe, which gave Myntex the impetus to create ChatMail.
BlackBerry Enterprise Server was introduced in 1999 and by
2008, as technology changed, BES became vulnerable to several issues that
eroded its security. The company acquired a solid MDM solution from Good
Technology and merged it with BES, rebranding the combined service as BlackBerry UEM.
BBMe let developers add the brand’s trustworthy capabilities
into their own applications, including secure messaging, voice, video, and file
sharing. BBMe was
developed, first and foremost, as a business tool, and (was) a lot more
streamlined by design . . . Because it was built for use in high-security
industries, BBMe (offered) stronger encryption than BBM. BlackBerry retired BBM
in 2019.
UEM has many different configuration options. You can
choose to integrate with Microsoft-based products like Active Directory and
Microsoft Exchange, but you can also use it as a standalone secure AFW
management tool, without having to introduce additional third-party software.
We do not use Microsoft Exchange or Active Directory because they introduce
further vulnerabilities. We only use UEM for securing and locking down the
phone. BlackBerry UEM provisions the phone and secures the device using the
built-in security policies provided by Android For Work.
What Does BlackBerry Have Access To?
The ingenious design of UEM, in conjunction with AFW,
allows us to privately manage our own secure, private version of the Google
Play Store. This organizational play store is only available on our custom
devices and can only be managed by our company. This is very different from
what is available on standard smartphones. Our organizational play store is
controlled exclusively by Myntex. All applications are signed internally with
our cryptographic keys, further guarding against malicious code attacks. This
allows secure distribution of our custom applications to UEM secured devices.
BlackBerry UEM has no access to our ecosystem at all. This
means UEM doesn’t have access to any of our infrastructure, nor do they have
access to the application data on our secure devices. Furthermore, UEM doesn’t
track your location. If the GPS was ever accessed maliciously, mock location
data is sent – further ensuring your privacy.
A Global Industry Leader
Today,
BlackBerry UEM ranks alongside the market front-runners including Microsoft
Endpoint Manager, VMware Workspace One, Citrix Endpoint Management, IBM
MaaS360, and Ivanti UEM.
The best UEM software will be a matter of choice for each enterprise depending
on the needs within the Internet of Things they want to securely enable. “Using
BlackBerry UEM, enterprise workers can work from almost any device, anywhere,
using a single management dashboard and end-to-end security.”
Key BlackBerry UEM Differentiators:
provides behavioral risk scores to users based on application usage, with users who use applications consistently being deemed low risk
offers multi-factor authentication for a secure and easy connection to a VPN on a device
manages mobile devices from a single management interface, reducing risks and ensuring regulatory compliance
ownership models include bring your own device; company owned, personally enabled; and company owned, business only
supports wearables such as smart glasses
For
our purposes, Myntex trusts UEM to seamlessly provide Mobile Device Management
to support our need to control mobile device functionality, including device
enrollment, and device lockdown.