Why We Created Proprietary Encryption Protocols and Why It Matters

Encryption conventions permeate every part of the Internet. There are many different protocols, each with its own merits and in some cases vulnerabilities. Despite providing end-to-end encryption, the policies and practices of popular free apps can put your reputation at risk.

  • Facebook wants to use homomorphic encryption to monetize WhatsApp and Messenger user data
  • Telegram actively shares user data with government agencies and censors content
  • Viber has various security and privacy issues

Myntex Inc. engineered our most secure mobile solution, ChatMail, to be the best in the world. We prove our encryption with live data extractions for enterprise organizations and we are the only encrypted phone provider to do so.

ChatMail’s Advanced Message and Parsing protocol, known as CAMP, protects users of our encrypted phones across multiple layers. The reasons behind our decision to incorporate the custom cryptographic algorithms we use are the focus of this exposé.

Parsed Messaging Encryption

Myntex designed ChatMail with privacy in mind, utilizing multiple encryption algorithms. PGP, which stands for Pretty Good Privacy, is the system we use to relay encrypted external email. We were the first to parse PGP. Our parsing algorithm takes encrypted email and displays it in an easy-to-read message bubble to look like a chat message. That’s why we named it ChatMail. It is the only system to automatically identify both internal and external users. Internal users default to elliptic curve encryption and external users default to PGP. ChatMail’s Unified User Interface displays internal email in blue and external email in grey. The algorithm used is shown in each individual message.

Our default system uses the strongest encryption protocol available, safeguarding you and your data. Internal ChatMail clients use high-speed, state-of-the-art Diffie-Hellman Elliptic Curve25519 cryptography, with optional fallback to PGP. External users are PGP by default.

True End-to-End Encryption

Combining the most reliable algorithms in cryptography, our CAMP protocol ensures customer privacy with leading-edge security. The choice to use Elliptic Curve Cryptography for E2E encrypted messaging was for privacy.

Encryption begins on the sending device using ECC 25519, so that even if the recipient is not using the phone to accept the message promptly, it will remain encrypted in a delivery queue and cannot be decrypted or read until downloaded on the receiving end. Your data is never stored in plain text.

We use message encryption by default. Our customers cannot send or receive unencrypted messages. Users’ voice messages, pictures and notes are always encrypted. With ChatMail, your content is encrypted in transit and at rest, and is only stored on your device.

Calling Encryption

ChatMail key exchange for encrypted calling works with the Zimmermann Real-time Transport Protocol. With ZRTP, parties verbally confirm matching shared codes to ensure calls are private and have not been intercepted. Secure RTP protects ChatMail encrypted calls from eavesdropping.

Transport Layer Security is used to configure encrypted calling traffic. Our encrypted calling uses ECDHE X25519 (the last “E” stands for “ephemeral” which is suited to mobile devices as it is faster) with TLS 1.2 ciphers. This keeps calls and messages private and secure by removing them from prying eyes on the public internet.

ChatMail features tamper proof hardware and encryption that experts consider to be quantum proof:

  • Hash:  SHA-384 – our Secure Hash Algorithm transforms cryptographic keys with an output of 384 bits, providing unbreakable protection against key length extension attacks
  • Cipher:  AES-256 – the algorithm used to perform encryption or decryption is called a cipher and AES-256, also referred to as Military-grade encryption, is the Advanced Encryption Standard adopted by the U.S. government to protect classified information
  • SAS Rendering:  B256 – SAS stands for Sharing a Secret, and we use it with the PGP word list to convert strings of code into simple phrases used for authenticating encrypted calls, thereby preventing Man-in-the-Middle attacks, while B256 indicates the key size in bits
  • Auth Tag:  HS80 – an Authentication Tag in ZRTP confirms each encrypted audio frame sent over an SRTP channel and HS80 is an 80-bit tag, which is preferred for security purposes
  • Key Agreement:  X25519 – encryption is performed by keys and the key size for ECDHE X25519 is 256 bits, which provides forward secrecy as an extra layer of protection against hackers, so that if one message was ever compromised, it would not affect the security of future messages

The Importance of Server-Side Security

Our data center acts as a delivery system for mobile solutions. We do not store any sent or received messages on our servers. Therefore, we also do not keep a roster. A roster is a list of contacts associated with clients for apps that retain messages on their server. Even if the company says they delete messages after 24 hours, it will leave a roster of contact information. When you delete a message from ChatMail, since there is no server storage there is no record of it.

Companies that delete messages older than 24 hours do not delete message threads and they often contain weeks’ worth of confidential communications. For example, Telegram notes in its policy, “We store messages, photos, videos, and documents from your cloud chats on our servers so that you can access your data from any of your devices anytime without having to rely on third-party backups.”

Myntex removes the need for local server storage with our CAMP protocol. ChatMail is the only encrypted mobile solution supported by a private data center. Encryption protocols are irrelevant if the server has a backdoor or if user data is shared with marketers, governments, or other entities.

Top 10 Data Center Security Must-Haves with CEO Geoff Green

Owning and operating a private, state-of-the-art Data Center sets Myntex Inc. apart from its competition in the custom encrypted phone app industry. Myntex CEO, Geoff Green, gives an overview in this Q&A.

Question # 1

What exactly is the function of the Myntex Data Center?


You can think of our data center as the brains of our infrastructure. Regarding our messaging service, the data center acts as a messaging agent. When communicating with end-to-end encryption, devices need to know how to reach one another. Networking is not magic, but it is cool. You need some sort of tunnel to each device so when you send a message it can reach the intended recipient. By utilising open-source virtualization technology and custom designed hardware our data center has been the primary reason we have been able to cost effectively grow as a company. The alternative would be a less secure approach by renting co-located space and paying large fees in licensing.

Question # 2

How has the Myntex Data Center evolved over the years?


From a virtualization perspective we started out with the original Xen from Xen Project, which has gone through many changes throughout the years as an open-source virtualization technology.

We later transitioned to XenServer when Citrix became the dominating provider of features for the Xen hypervisor which did require license fees for support contracts. But when a new open-source project came to market called XCP-ng based on the same hypervisor we made the switch. XCP-ng is what we currently use and will continue to support their development.

We use XCP-ng for our primary virtualization technology and then on top of that, we use Docker. We run a series of virtual machines on our hardware, which means we can use orchestration software instead of a physical computer to run programs and deploy apps. CDW Canada helped us source the right equipment to fit our needs.

We’re the only encrypted mobile solution provider with our own data center. We chose to invest in one, even though it’s expensive, because it provides better privacy. We planned and developed it ourselves. Some companies just can’t afford the investment or lack the knowledge to run a private data center. You need to hire the right people, which makes it more costly.

Question # 3

What maintenance is required to ensure optimal performance in the Data Center?


Running a datacenter does have to have a maintenance schedule; generators, networking and hardware all must be tested and monitored to make sure they are performing at their best.

APC by Schneider Electric performs an annual inspection and maintenance. Most of the critical pieces of equipment go through their own diagnostics automatically. You’ll sometimes hear weird beeps coming from the data center, which is when the system is doing self-testing, which is a huge time saver.

The air-conditioning gets looked at every year or two. We have N+1 for all pieces of equipment including the A/C unit. If a main unit were to break, we still have a standby backup unit.

Our primary backup generator is tested monthly and must be load tested every year.

Question # 4

What disaster recovery plans are in place?


We took a pre-emptive approach to disaster planning. We did a complete threat analysis. Are we in a flight path? How close are we from the fuel depot? We’re not on a floodplain.

There are only a few people who have access to the data center. We have offsite backups in an undisclosed location. But the most important piece is backups of our proprietary code, which would allow us to rebuild our entire infrastructure even if the building was destroyed. The nice thing about our Calgary location is it’s not on a fault line, so you don’t have to worry about catastrophic earthquakes.

We learned a lot about flood protection when we went through a major flood in Canmore, which also devastated central Calgary. It’s the reason we opted for diesel powered backup generators, because when the 2013 flood happened, Emergency Management worried about the water exposing the underground natural gas pipes, so they shut the gas off. Calgary does have one of the most stable power grids in the world, but a generator is a must.

We have a two-stage fire suppression system inside the data center. In stage one a fire alarm sounds, and safety systems are activated. If the second stage is triggered, there’s a different alarm to warn you to get out immediately. Seconds later a dry chemical flame retardant is dispersed. We don’t use halon. We use a non-toxic, Novec fire suppression system. That’s industry standard for most data centers. There’s no water in the pipes inside the data center. There are special smoke strobes in the server room that can detect any kind of laser break, even the smoke from vaping.

80% to 85% of the costs we put into building our world class headquarters went into securing our data center. We have ballistic protection on the windows and armored doors on top of that, for protection as well as 24/7 surveillance and monitoring.

Question # 5

What are the industry standards for a Data Center security?


A data center needs N+1 redundancy and you should have safety systems in place, the minimum being two‑stage fire suppression. If a company has server equipment with only one A/C unit and no backup generator … that’s not a real data center. That’s more like a networking closet.

N+1 plus ensures system sustainability in the event of component failure. Components (N) have at least one independent backup (+1). The power modules in ours are N+2 redundancy, so we can lose two power modules before we’re in a critical state. So, that redundancy is vital in a data center. All the switch gears are redundant to the point of N+1, N+4 on some things, depending on where it is and what its purpose is. The best example is N+1 from a networking perspective means if you have two routers you better have two switches to prevent a single point of failure.

To maintain 100% uptime, we use triple replication for high availability. So, for each server we have three, running on three different servers. They’re all virtualized, but they’re across three different pieces of hardware. Everything is running redundant that way.

Question # 6

What method of protection does Myntex use for DDoS?


We utilize different techniques and technologies for protection but our main provider is Radware, which protects us from large scale DDoS attacks – and they’ve been doing a great job for many years.

Question # 7

Why is a data center location important, and explain why Myntex is in Canada?


I think people just don’t understand the advantages and implications of server location. Canada has a large international economy; we have a stable government and are one of the last remaining countries that cares about our privacy and freedom.

The one thing that I personally have heard numerous times is many people in Europe seem to think Canada is the United States. I think that could be a misnomer, where people just don’t quite understand how we are separate sovereign nations.

Question # 8

For Mobile Device Management, Myntex has relied on BlackBerry UEM, how do you ensure it’s secure?


We self-host UEM, so we control it, nobody else does. If there’s a problem, I call BlackBerry to explain the issue. We may do a screen share so they can look, but they have no access to our server at all.

You can also host BlackBerry UEM in their cloud, but then you don’t physically control the server. Therefore, BlackBerry gives organizations the option to self-host.

Question # 9

What’s the difference between the Myntex Data Center and companies using cloud servers?


A cloud could technically speaking still be in a single data center. It would be considered a non-resilient cloud, but it is possible to still call it a cloud if it’s using cloud-based computing, like the OpenNebula open-source cloud computing platform developed by NASA, which is awesome.

I believe the big difference between using a cloud provider and hosting our own datacenter is that we own the data center, we control the data, we control the physical access. If you are hosted in a third-party data center, you don’t control anything. They control it and give you access, like they give you a remote login, but that’s all you get.

Question # 10

Bonus Question: Have you been able to clock the speed of your messaging service since you operate your own servers at the Myntex Data Center?

No, we don’t have exact metrics like that. When it comes to messaging, I guarantee they can send in under 200 milliseconds, but you have all the infrastructure that’s tied between it. So, when we say we have the fastest messaging in our industry it comes down to many factors… my phone is running through a network to our servers through another network and received on another device. So, when you send an image, it normally takes about 500 milliseconds, probably even less, to go from my physical phone to you.

(Myntex COO and co-founder, Chantel Duplantie, sends him an image and it instantly pings his phone.)

See that? That’s how fast it is. I have seen many other messaging systems and how long some take to send a picture, you’ll be waiting like … two minutes from the initial press of the send button. And when I say our industry I’m referring to our niche industry. I still think we might be faster than Signal and WhatsApp, but they also have many more users which is a major factor when it comes to speed.

To achieve some of the insane speeds we use different types of technology including Erlang, Redis, Elasticsearch and RabbitMQ, which implements one of my favorite protocols, AMQP. They’re all a type of in‑memory storage. We use RabbitMQ for our primary messaging between our microservices. It’s instantaneous. Same with Erlang, we use it for the messaging system’s capability.

The speed with which we can send pictures and voice messages just blows our competition away.

Adding a Bitcoin Payment Service Provider Future Proofed our Business

In 2016, Myntex Inc. was growing as a business and we wanted to better position the company for the digital economy. However, Myntex® is based in Canada, where the banks have been slow to adopt crypto and we were getting pushback to accept it.

The Solution To Our Problem Receiving Crypto

Ultimately, we were able to arrange our payments through BitPay. When we released ChatMail™ in 2017, our Certified Executive Partners appreciated being able to use cryptocurrency. While it is not a cryptocurrency exchange, BitPay is a blockchain/cryptocurrency payment processor that enables you to accept cryptocurrencies as a payment method in exchange for goods or services you sell to your customers.

Working through our financial institution, Myntex can accept digital purchases from our CEPs, who have relied on BitPay for many years. At the start of the pandemic, when stores and banks across Europe were forced to close due to lockdowns, it would have been a challenge to receive transactions from our CEPs without BitPay. We appreciate the lengths to which BitPay went for our certification.

What Services Does BitPay Provide?

BitPay converts payments to Canadian dollars, depositing them straight into our chequing account. Unlike an exchange, BitPay does not store or manage digital assets. With its Payment Protocol, BitPay allows blockchain wallet and cryptocurrency users to make transactions that are fast and efficient. Shoppers receive quick confirmations that the correct amount and required fee were sent.

For privacy-cautious customers like ours, BitPay adds another layer of protection to your transactions. BitPay is easy to use. Individuals can use their card to turn crypto into cash, secure and use crypto on the go in their wallet, and spend crypto from their internet browser. Businesses can accept bitcoin on their website for online payments, as well as for billing purposes via email. You can pay out bitcoin to anyone, anywhere. And BitPay accepts crypto for NFTs.

How Safe Is Cryptocurrency?

In a blog post about the security of blockchain, Certified Information Systems Security Professional Magda Chelly, PhD notes, “Cryptocurrencies are built on top of blockchain technology,” adding, “blockchain provides the infrastructure for cryptocurrencies, while also allowing them to function in a decentralized manner.” Chelly continues, “For individuals, blockchain offers greater security and privacy when making online transactions. And for businesses, blockchain can help streamline processes, reduce costs, and speed up transactions.”

The first and most prevalent crypto, Bitcoin, was built on the blockchain. According to Investopedia, more than 10,000 other cryptocurrency systems are running on the same technology today.

Blockchain and cryptocurrency have a distinct yet connected relationship. “Defined as a digital or virtual currency, crypto uses cryptography for security and is not owned by any particular authority, making it difficult for governments to manipulate . . . By moving the means of transaction out of siloed, closed networks, blockchain is helping to solve some of the challenges around the interoperability of disparate financial systems around the world.”

We believe in BitPay’s mission to transform how businesses and people send, receive, and store money around the world.

The Advantages of BlackBerry UEM for Mobile Device Management

BlackBerry® Unified Endpoint Manager unlocks the Android For Work security component built into Android devices. This allows Myntex to deploy our encrypted mobile solutions on authorized off the shelf devices around the world. BlackBerry UEM is an important component of our organization as it works with a wide variety of models for use with ChatMail™.

We can attest to the fact, “With its single management console and trusted end-to-end security, BlackBerry UEM provides flexibility and security to keep your employees connected and protected so they can work from practically any device, anywhere.”  

Our History With BlackBerry

We were inspired by the security and privacy afforded by BlackBerry Messenger and all the capabilities of the BlackBerry phones. As a company, Myntex began offering PGP encryption on BlackBerry phones as a white label solution in 2011.

BlackBerry phones introduced Secure Wipe and Remote data wipe, two of the features that businesses appreciate to secure their data in situations such as when an employee loses their phone or is terminated.

The Many Ways of Using UEM

As stated on their website, “You can install BlackBerry UEM in an on-premises environment for the utmost control over your servers, data, and devices. This prevents any third party from having access to the secure configuration. An alternate method is to use BlackBerry UEM Cloud, which offers an easy-to-use, low-cost, and secure solution. BlackBerry hosts BlackBerry UEM Cloud over the Internet. You only need a supported web browser to access the service.”

Rather than using BlackBerry UEM’s virtual machine on their cloud, Myntex runs a self-hosted instance in our own private data center. This allows us to maintain granular control over our infrastructure, eliminating the risk of unauthorized access and intrusion.

How Myntex Adopted BlackBerry UEM

In 2005, BlackBerry released BBM Enterprise through the Google Play Store and then on the Apple Store. The BlackBerry Wikipedia page refers to BBMe as “An IP-based enterprise instant messaging platform that provides end-to-end encryption for voice, video, and text-based communication.” Afterwards, a Software Development Kit was issued for BBMe, which gave Myntex the impetus to create ChatMail.

BlackBerry Enterprise Server was introduced in 1999 and by 2008, as technology changed, BES became vulnerable to several issues that eroded its security. The company acquired a solid MDM solution from Good Technology and merged it with BES, rebranding the combined service as BlackBerry UEM.

BBMe let developers add the brand’s trustworthy capabilities into their own applications, including secure messaging, voice, video, and file sharing. BBMe was developed, first and foremost, as a business tool, and (was) a lot more streamlined by design . . . Because it was built for use in high-security industries, BBMe (offered) stronger encryption than BBM. BlackBerry retired BBM in 2019.

UEM has many different configuration options: you can choose to integrate with Microsoft-based products like Active Directory and Microsoft Exchange, but you can also use it as a standalone secure AFW management tool without having to introduce additional third-party software. We do not use Microsoft Exchange or Active Directory because they introduce further vulnerabilities. We only use UEM for securing and locking down the phone. BlackBerry UEM provisions the phone and secures the device using the built-in security policies provided by Android For Work.

What Does BlackBerry Have Access To?

The ingenious design of UEM, in conjunction with AFW, allows us to privately manage our own secure, private version of the Google Play Store. This organizational play store is only available on our custom devices and can only be managed by our company. This is very different from what is available on standard smartphones. Our organizational play store is controlled exclusively by Myntex. All applications are signed internally with our cryptographic keys, further guarding against malicious code attacks. This allows secure distribution of our custom applications to UEM secured devices.

BlackBerry UEM has no access to our ecosystem at all. This means UEM doesn’t have access to any of our infrastructure, nor do they have access to the application data on our secure devices. Furthermore, UEM doesn’t track your location. If the GPS was ever accessed maliciously, mock location data is sent – further ensuring your privacy.

A Global Industry Leader

Today, BlackBerry UEM ranks alongside the market front-runners including Microsoft Endpoint Manager, VMware Workspace One, Citrix Endpoint Management, IBM MaaS360, and Ivanti UEM.

The best UEM software will be a matter of choice for each enterprise depending on the needs within the Internet of Things they want to securely enable. “Using BlackBerry UEM, enterprise workers can work from almost any device, anywhere, using a single management dashboard and end-to-end security.”

Key BlackBerry UEM Differentiators:

  • provides behavioral risk scores to users based on application usage, with users who use applications consistently being deemed low risk
  • offers multi-factor authentication for a secure and easy connection to a VPN on a device
  • manage mobile devices from a single management interface, reducing risks and ensuring regulatory compliance
  • ownership models include bring your own device; company owned, personally enabled; and company owned, business only
  • supports wearables such as smart glasses

For our purposes, Myntex trusts UEM to seamlessly provide Mobile Device Management to support our need to control mobile device functionality, including device enrollment, and device lockdown.

Ransomware-like Attack in Ukraine – HermeticWiper

We’ve become accustomed to hearing news about cyber warfare. From hacks to ransomware and misinformation—bad actors have made worldwide headlines with their malicious attacks.

There are measures you can take to protect yourself, like using industry-leading cell phone encryption to stay a step ahead of threats. By the time you realize you have been targeted by hackers it is too late.

Just days before Russia’s invasion of Ukraine a malware menace, known as HermeticWiper, struck Ukrainian entities as well as related targets in Latvia and Lithuania. Examining this data wiping malware reinforces the need for ensuring every exposed vector has the best digital security. Let’s take a closer look at HermeticWiper to see how destructive it is.

HermeticWiper and HermeticRansom

On February 24, 2022, after a series of distributed denial of service attacks against Ukraine, designed to knock websites offline—overwhelming them with requests until they crash—a Slovakian security firm was first to report it found the wiper on hundreds of machines in Ukraine. Another 50 banking systems with government contracts were reported by Symantec to have been hit in Ukraine.

The malware was given the name “HermeticWiper” because of a digital certificate stolen from a company called Hermetica Digital Ltd. The first variant of this malware surfaced in November 2021.

Lawrence Abrams of Bleeping Computer says, “A data wiper is malware that intentionally destroys data on a device to make the data unrecoverable and for the operating system to no longer work correctly.”

HermeticRansom, also known as PartyTicket, was created with the open-source Go programming language. It struck on the same day as the highly effective HermeticWiper. HermeticRansom had a decidedly unsophisticated style and poor implementation. There was no obfuscation or intent to misdirect, and the functioning was straightforward, suggesting it was created quickly, leading experts to suspect it was a distraction to help the HermeticWiper do more damage.

Mobile solutions like ChatMail™ have military-grade strength encryption, proprietary server storage, and secondary security features preventing malware like this type of wiper attack. ChatMail’s technology doesn’t allow third-party apps which perpetrate this type of attack. Additionally, it is worth mentioning these targeted attacks were directed at the Ukrainian government and not the public.

Who Was Responsible?

Like ransomware, a wiper requires the compromise of identities and the abuse of privileged credentials. 

Given the nature of the ongoing war in Ukraine and the cyber conflict, future attacks could easily expand in scope. Russian oligarchs are frantically moving their money in the wake of international sanctions, while government officials and journalists operate in a climate of intense eavesdropping and information control.

Other similar cyberattacks, notably WhisperGate (which sent a fake ransomware note before rendering the Master Boot Record useless once the computer is shut down), prompted warnings from several US government agencies. Regardless of who is to blame, these wiper attacks are designed to prevent targets from using their devices to access data and further enforce the need for heightened vigilance.

Whoever was responsible, there’s nothing to suggest that the next cyber-victim will be confined to a military opponent in the war itself. The code’s simplicity, along with the spelling and grammar errors, suggests it was slapped together.

Plausible Deniability

The nature of cyberattacks makes it difficult to pin down precisely who was responsible, as attackers can always invoke plausible deniability. For example, hackers can partially take over your home computer and use it, without your knowledge or approval, to launch cyberattacks.

One researcher told BBC News, “Ukraine’s military and banking websites have seen a more rapid recovery, likely due to preparedness and increased capacity to implement mitigations.”

Governments and enterprises need to protect every aspect of their business with digital security designed from the ground up. Myntex provides you with complete mobile device security.

We designed and built ChatMail from the ground up, including our custom encryption protocol. For your protection, anything unencrypted isn’t displayed. Our parsing algorithm takes emails sent with external PGP encryption and displays them in an easy-to-read bubble that looks like a chat message. Confidential communications remain private as no threads remain on our servers. We do not have roster, group, or message storage. You can access and delete your confidential information while being offline.

Myntex Partners with SLNT® to enhance its privacy offerings

As fervent advocates of privacy, Myntex extends its affiliation with likeminded companies to further enhance our customers’ privacy experience. That’s why we’ve partnered with SLNT®, a privacy alternative offering protection to an array of important non-encrypted devices.

Our flagship product, ChatMail™, prevents anyone from eavesdropping through multiple encryption layers and security protocols. For many of our clients, the increasing risks of cybersecurity threats have led executives to realize the benefits of implementing security policies and adopting the use of secure phones with end-to-end encryption. ChatMail is the right solution for this purpose. For all the other mobile devices you carry that are not encrypted, SLNT offers our clients the privacy they need. The SLNT line of products (wallets, key cases, tech sleeves and travel bags) is designed with patented Silent Pocket® Faraday technology. Simply slip your device into one of these sleek bags and it virtually goes dark, unseen by prying eyes.

Myntex wants to protect you on all fronts. The benefit SLNT gives you is the peace of mind that your personal information is undetectable to eavesdroppers or criminals. Passports, credit cards, and mobile devices cannot be accessed to tap your data when secured within.

We appreciate the design SLNT infused with their tech, providing an understated look and refined feel. ChatMail uses a simple yet elegant interface; styling matters to us as well as anonymity. We configure our phones to ensure your conversations and content are secure. Whether your communications are in transit, or your data is at rest—our customized, tamper-proof phones and proprietary CAMP encryption protocol protects your device from being tracked, cracked, or monitored.

ChatMail prohibits you from online browsing or installing third-party apps, which make other phones vulnerable to cyber-attacks or spying, because ChatMail devices are uniquely engineered for security. Designed for privacy, ChatMail phones cannot let hackers turn on your camera or listen to your conversation by hijacking the microphone on your device.

You can add an extra layer of protection to any unsecure mobile phones, smart watches, key fobs, or portables you carry with you. The technology used by SLNT is new, but the science behind it comes from the 19th-century experiments of Michael Faraday with electromagnetics.

This physics research became known as the Faraday law of induction (Faraday’s law). Faraday used it to build a large box lined with wire mesh to experiment with his discovery. He zapped the outside of the cage with electricity, while he stood inside with an electroscope. No electricity was detected within the wire structure. The enclosure was named after the inventor.

The Faraday cage is still used today in places like hospitals, for example around MRI machines, or in your kitchen to keep you safe when using your microwave oven. “It works on the principle that when an electromagnetic field hits something that can conduct electricity, the charges remain on the exterior of the conductor rather than traveling inside.” This is how SLNT protects your devices from electromagnetic radiation with its patented technology, which blocks 100% of all signals.

In addition to being solar and weather-proof, SLNT protects the contents of its containers so nothing on the outside can access what’s inside. This includes your Bluetooth, camera, cellular, GPS, navigation or satellite devices, and Wi-Fi. It also blocks RFID, used in ID badges, key fobs, smartphone chips, even library books. Not only does this protect your privacy and keep your data secure, but it also shields you from the unhealthy effects of EMF radiation.

Trust the tech gear used by business leaders, governments, military, and travelers alike—consider SLNT when you’re looking for accessories to keep you and your information safe on the go.

The Spyware that Flies Under the Radar

While government spying grabs headlines, apps that secretly eavesdrop on and track victims are an ongoing issue. What’s more, these apps are poorly made and managed, leaving targets’ data exposed.

The Vulnerability Common Across Several Stalkerware Apps

Stalkerware, also known as spyware, is a type of app marketed for consumers who want to secretly track someone online, often a spouse or child. It needs to be physically installed on the target device to monitor the behaviour of the user who is being spied on. A victims and survivors support group was launched in 2019 and stalkerware was banned from the Google Play Store in 2019, with mixed results.

When TechCrunch conducted a worldwide investigation spanning several months, it found that the private data of some 400,000 users was exposed through the flaw. Highly sensitive user data was exposed through a security flaw in several spyware apps, including browsing history, photos, location data, text messages, records of phone calls and call recordings.

An application programming interface (API) vulnerability can exist when there are few or no safety protocols in place. Carnegie Mellon University explains the issue: “The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.”

An IDOR flaw can leave users’ personal data open to exploitation on the developer’s data center. While IDORs are easy to fix at the server level, the spyware apps in question are poorly managed and badly built. Not only do they share the same code and web dashboards, but they are also routed through the same infrastructure.
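The server-level fix mentioned above comes down to authenticating the caller and checking that the requested object belongs to them. The following is an added example, not code from the affected apps or from this article; the handler names, device IDs, accounts and records are all constructed for illustration.

```python
"""IDOR beside its server-side fix, using constructed in-memory data."""
import secrets

# Constructed sample data: two accounts, each owning one monitored device.
DEVICE_OWNER = {"1001": "alice", "1002": "bob"}
DEVICE_RECORDS = {
    "1001": {"messages": ["constructed message A"]},
    "1002": {"messages": ["constructed message B"]},
}
SESSIONS = {}  # session token -> username (hypothetical session store)


def login(username):
    """Issue an unguessable session token (password check omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def get_records_vulnerable(device_id, token=None):
    """IDOR: the identifier in the request is trusted as-is.

    Nobody checks who is asking, so any caller who supplies a valid
    device_id receives that device's records.
    """
    record = DEVICE_RECORDS.get(device_id)
    if record is None:
        return 404, None
    return 200, record


def get_records_fixed(device_id, token=None):
    """Authenticate the caller, then authorize access to this object."""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None  # not authenticated
    # Answer "not found" for both missing and foreign devices so the
    # response does not reveal which identifiers exist.
    if DEVICE_OWNER.get(device_id) != user:
        return 404, None
    return 200, DEVICE_RECORDS[device_id]


def cross_account_leaks(handler):
    """Authorization regression check.

    Calls the handler for every (caller, device) pair, including an
    anonymous caller, and returns the pairs where someone other than
    the owner received a 200 response.
    """
    tokens = {user: login(user) for user in set(DEVICE_OWNER.values())}
    tokens[None] = None  # anonymous caller with no session
    leaks = []
    for caller, token in tokens.items():
        for device_id, owner in DEVICE_OWNER.items():
            status, _ = handler(device_id, token)
            if status == 200 and caller != owner:
                leaks.append((caller, device_id))
    return sorted(leaks, key=str)


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_account_leaks(get_records_vulnerable))
    print("fixed handler leaks:     ", cross_account_leaks(get_records_fixed))
```

Running a cross-account matrix like `cross_account_leaks` against every endpoint that takes an object identifier is a cheap way to catch this class of flaw before release.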

Why Server Storage is a Vulnerability

A server controlled by 1Byte, based in Vietnam, was found to be the common link in the nine related spyware apps. Because the apps share the same server, they also have the same exposure. TechCrunch revealed that efforts to resolve the security flaw were ignored by both the web host for the spyware apps and the back-end server operations.

One of the key features about ChatMail encrypted phones is our proprietary approach to data storage. Your messages are stored on your encrypted phone. We never store your sensitive information on our servers. The only data we keep is your username, account activation date, and expiry date.

How To Protect Yourself from Coding Vulnerabilities

The impact of an IDOR is wide reaching. “An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.”

Having an encrypted device designed from the ground up to maximize privacy ensures protection against this type of vulnerability. Myntex products are deliberately incompatible with third-party apps because of the various security risks they introduce.

Most apps ask for an excessive number of permissions, and users often grant this permission without much examination. Third-party apps may sell user data to other affiliates, as outlined above. They may also store information insecurely on servers, which is also what happened here.

Is There Spyware on Your Phone?

TechCrunch couldn’t reveal specific details about the vulnerability because it would further risk compromising people who are currently unaware that their phones have been breached. The spyware is designed to be covert, not appearing anywhere on your home screen.

Change your settings on Google Play to prevent any further data theft, though this won’t address any information already stolen. Also, check your accessibility settings to see if they’ve been tampered with or altered.

Accessibility features rely on wide access to your phone by design. If you don’t recognize downloading a service in the accessibility options, delete it. You may need further research to clarify how to do these processes since spyware is designed to be difficult to identify and remove.

The safest thing you can do is avoid using a phone with these vulnerabilities in the first place. The most secure open communication platforms let you use them without stressing about information breaches or taking the time necessary to become an expert on tracking and removing spyware.

Installing spyware requires the perpetrator to have physical access to their victim’s phone. Anybody is liable to leave their phone unlocked or use a weak password. Myntex phones have a notebook lock screen with a customized pin.

Everything Needs to Be Encrypted

On the surface, 1Byte looks like a normal software start-up. They have a Facebook group showing people, supposedly employees, sharing team dinners and other activities colleagues typically engage in. They went to elaborate lengths to hide their own identities and the connections between various apps that are all essentially the same spyware.

The many obfuscating layers the spyware creators put in place only reinforce how necessary it is for every aspect of the phone to have military-grade encryption for messages, phone conversations, and even pictures.

Legal Gray Area

Technically, possessing spyware is not illegal, so the government has its hands tied. The US government has taken rare action against people who illegally plant spyware solely for intercepting a person’s communication because they break national wiretapping laws.

However, enforcement powers are severely limited because global spyware operators are out of their jurisdiction. Eliminating these types of risks isn’t as simple as flicking a switch, even if everyone agrees it’s a flagrant privacy violation.

The hackers and data thieves are usually one step ahead of law enforcement and at least two steps ahead of ordinary, unsuspecting people just trying to use their phones. It may seem counterintuitive since everyone agrees that privacy invasion is a type of theft that ought to be illegal, but law enforcement doesn’t have many tools at their disposal.

It’s understandable that most people associate data theft and privacy breaches with the high-profile stories about spyware created by governments and sold to other governments worldwide. Cyber and digital election interference also draw a lot of eyeballs. Many people in diverse fields like journalism, politics, business, and activism need to protect themselves from every privacy threat, even the ones that fly under the radar.

Russia Declares Cyber War

Weeks before Russia invaded Ukraine, American intelligence agencies warned that Vladimir Putin was planning state-sponsored cyber operations around the world against critical infrastructure. Targets include Defense, Energy, Governments, Healthcare, and Telecommunications. The Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and National Security Agency issued a joint Cybersecurity Advisory outlining the threats and calling for the global community to adopt a proactive, heightened state of awareness.

The CSA overview served to highlight the risks and list strategies to assist with detection, mitigation and incident response. The advisory noted in the technical details, “Historically, Russian state-sponsored advanced persistent threat actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks.” A reward of up to $10 million may be offered for information about Russian cyber operations targeting U.S. critical infrastructure, an example of how seriously CISA, the FBI, and NSA are taking the threat.

How it started?

On February 24, 2022, as Russia launched a large-scale attack on Ukraine, CISA issued another alert about a group of Iranian government-sponsored APTs known as MuddyWater, a subordinate element within the Iranian Ministry of Intelligence and Security. The group was observed “Conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America.”

The eve of the invasion came with a dire warning from President Putin, translated into English, “To anyone who would consider interfering from the outside – if you do, you will face consequences greater than any you have faced in history.” Of course, the world has good reason to take the threat seriously.

Just days before the physical assault came a pre-emptive virtual strike, with distributed denial of service attacks on Ukraine’s government websites, foreign ministry, state security services and banks. Ukraine’s defense ministry and major banks were hit with DDoS attacks the week before, with limited impact.

How it’s going?

“The war [in cyberspace] is underway and unfolding very intensively,” the Russian Foreign Ministry’s international information security director said in December 2021. “The media rightly says that this [is] a Third World War, and what matters now is to calculate the damage and determine who will lose it in the end and what shape the world will eventually acquire as a result of this war.”

A botnet malware dubbed Cyclops Blink is being used by the notorious Sandworm hackers, a destructive threat group that has been working with the Russian military to exploit vulnerabilities in firewalls and infect networks to gain remote access. Systems may then be used as a conduit to conduct additional attacks elsewhere, as the point of entry may not be the primary target.

Such a strategy may well have been underway for months if not years. The US Energy Secretary noted, “Experts believe that Russian hackers trying to bring down part of the U.S. grid would probably enter via a side route — breaking into a major energy provider’s networks by infecting a software update from a less secure company.”

Another weapon in the Russian war machine cache is misinformation. Putin’s propaganda tactics have been a hallmark of his political career. Social Media has been infiltrated by Russian troll farms to wage political warfare on his adversaries. Russia was accused of spreading fake news through troll factories, swaying the US Presidential election in favour of Trump, confirmed by former FBI Director Robert Mueller when he investigated the alleged Russian interference in the 2016 election.

When the Kremlin invaded Crimea, Ukrainian journalist and political analyst, Mykola Riabchuk, said the Russian hype had evolved into a full-fledged information war. Riabchuk wrote, “Three major narratives emerged that can be summed up as “Ukraine’s borders are artificial”, “Ukraine’s society is deeply divided”, and “Ukrainian institutions are irreparably dysfunctional.” To put it simply, Ukraine is a failed state (“not a country”) . . . and it, therefore, needs external, apparently Russian, guardianship.”

Putin’s deceptive attempt to rationalize his attack on Ukraine was characteristic, according to one criminal justice professor who was quoted as saying, “This is one of those times where we can expect Russian troll farms to be heavily active in an attempt to either depict a narrative that fits the notion that they’re a peacekeeping force, or that there’s false flag events that have occurred that justify their presence there or the use of serious violence against civilians or anything else.”

Ukraine responded to the cyber threats by asking the hacker world to come to its aid. Just as the country has built a strong resistance from within to defend against the military attack, volunteers have rushed in to answer the call to strike back at Russian targets online. An IT army with thousands of hackers has already answered the call within a matter of days. Elon Musk assisted the effort by activating Starlink satellite service over Ukraine.

Hacktivists took over Russian TV stations to broadcast footage from the front lines, thwarting the state efforts to control the narrative, which likely fuelled the increased number of protestors who risked arrest by defiantly demonstrating against the invasion of their neighbours. Russian media sites were hijacked to be replaced with a tombstone bearing the number of reported Russian troop casualties.

How to be prepared?

With the potential for anyone to become a victim if Russia retaliates with a global cyber conflict, now is the time to be extra vigilant with your online behaviour.

Know that governments are focused on keeping critical infrastructure safe in this heightened state of crisis. This means being aware is important but there is no need to panic. Arm yourself with trustworthy information and don’t amplify baseless reports.

Myntex recommends several methods to keep your digital vectors safe from attack. Start with some basics, like ensuring your system updates are handled promptly to patch developer vulnerabilities. Implement multi-factor authentication wherever possible. Practice cybersecurity common sense by staying apprised of phishing attack techniques and other means of infiltration used by threat actors. Ensure your service provider secures the servers you rely on with DDoS protection. In these uncertain times, it is wise to have a plan to remain operational in the event of a cyber-attack, such as ransomware.

The best way for businesses to secure mobile devices is to remove the risk from online browsing and to use end-to-end encrypted communications to safeguard your privacy. Don’t trust free apps; you’ll be giving away your personal data when you agree to their terms of use. If you’re not paying for the product, you become the product.

While the implications for a growing cyber-conflict are real, it is encouraging to note the world is standing guard against attacks, which have yet to materialize at the time of writing this post.

The Riskiest Coding Loophole Ever and Other Vulnerabilities

There’s so much public discussion about digital security and privacy these days. In 2022, the number of mobile phone users worldwide is 7.2 billion, over 90% of the population. Anyone using a cell phone can be targeted by hackers or fall victim to identity theft. While digital security concerns can impact most people, few understand the nature of specific vulnerabilities.

Examining a major cybersecurity threat can shed light on how hackers access unauthorized material and demonstrate the importance of how your personal and sensitive data may be exposed online.

The Canada Revenue Agency recently reported it was susceptible to the Log4j security vulnerability, known as Log4Shell. It was not alone: 44% of global corporate networks were reportedly affected. An estimated 10 million attempts per hour were made in the U.S. alone to exploit it after it was discovered in December 2021.

The CRA outlined the problem in a series of statements and was offline for several days while it took precautionary measures to mitigate the risk to Canadians. While the agency claims no system or user information was compromised, it was a major disruption for those who use the site for a variety of tax and income benefit programs.

CyberNews noted, “Log4j is incorporated in widely used Apache-related frameworks, which means the spread of vulnerability might be like something never seen before.” In addition to government sites like the CRA’s, Amazon, Android OS, Apple, Google Documents, LinkedIn, Netflix, Steam, Twitter, Uber, and millions of other firms were exposed due to the software bug.

Software Flaw

The Log4j flaw is known as a zero-day vulnerability, a term that applies to vulnerabilities that are exploited by malicious threat actors before the software developer discovers the error. Despite multiple fixes implemented to the Java-based library for the open-source logging utility, the threat lingers. Cybersecurity experts worry that many were unaware of the danger and didn’t act fast enough to mitigate the risk.

If IT teams didn’t patch the defect promptly, it could grant easy access to internal networks, where those with malicious intent could mine data, launch malware attacks, manipulate information, etc. Hackers who were able to find loopholes may be waiting for opportunities to attack or sell access to the compromised sites on the dark web for future exploitation.

The vulnerability was rated 10 out of 10 by the non-profit Apache Software Foundation, which administers the software’s development. “Anyone with the exploit can obtain full access to an unpatched computer that uses the software. Experts said the extreme ease with which the vulnerability lets an attacker access a web server–no password required–is what makes it so dangerous.”

Big Implications

Log4j is present in almost all Java-based products and web services, from webcams to car navigation systems and medical devices. The repercussions from something like a ransomware attack or any number of other threats would be enormous.

While no major attacks have been detected, experts said there probably would be eventually. Fear, uncertainty, and doubt is a strong motivator in a digital society. For Log4j, an urgent alarm was raised within the IT community for valid reasons. The FUD factor was not exaggerated and was, in fact, necessary to achieve the prompt response required to avert a potential disaster online.

Illusion of Security

Vulnerabilities exist in many free apps that are popular today. Unlike this recently discovered one, which the world has scrambled to fix, there are issues you should be aware of before you trust your privacy to an encrypted cell phone communication app like Telegram.

While these types of free services may offer end-to-end encryption or promote their service as being encrypted on their cloud, if the messages you send are stored on its servers, they are still vulnerable to being hacked. Many encrypted devices are sold using free services, like Signal, despite a list of vulnerabilities.

Businesses, governments, and individuals need the confidence of knowing their encrypted cell phone is built for security from the ground up.

Even if free messaging services offer ample levels of encryption, vulnerabilities may still exist in the company’s business model that undermine the level of security they offer. For example, WhatsApp has been known to share users’ personal information with Facebook (Meta) and third-party marketers.

Similarly, WhatsApp has accidentally permitted unauthorized access to user information after storing sensitive data insecurely. A company can offer the strongest level of encryption available, but it’s all for nothing if they also compromise data privacy as a routine part of their business practices or because they don’t have strong security protocols in place.

Security Above All

Myntex prioritizes security and privacy. Where other companies market personal data leveraged from their customers to third parties, Myntex secure communications ensures users’ private information remains confidential.

Because the proprietary design ensures servers don’t store confidential information like notes, emails, or encrypted messages, people can enjoy peace of mind knowing that their information won’t get into the wrong hands. Keeping totally secure is also straightforward for anybody, even if they aren’t especially tech-savvy.

Germany to Support End-to-End Encryption

Smartphones are popular around the world, so it’s not surprising that people everywhere care about digital privacy. Phones are an incredible piece of technology that keep us connected to the people, products, and information all around us.

They are also a means through which hackers, cybercriminals, government agencies, and other groups can gather your personal information.

Germany’s new coalition government offers many things digital rights activists have asked for, such as a “right to encryption,” “a right to anonymity,” “increased IT security,” and more. However, in practice, even governments that claim they value encryption often don’t guarantee it.

How can people be sure of their privacy when robust encryption laws exist simultaneously with legal mechanisms for state surveillance and decryption? A deeper look into Germany’s recent past and present makes it clear that the difference between total privacy and some privacy is irreconcilable.

Encryption Backdoors Versus Government Hacking

The government has at least two ways of accessing people’s private information: installing a secret backdoor into encryption protocols or outright hacking. Both methods compromise citizens’ privacy but in different ways.

In 2021, the prior conservative German government issued statistics about its use of hacking for the first time. Police and investigative authorities ordered the more invasive online search 33 times in 21 procedures and used it in 12 cases. Hacking to eavesdrop through surveillance was used 31 times and used in three cases. “These authorities use government hacking tools primarily to investigate drug and property crimes, not murder or terrorism as initially intended.”

According to another report, German government hacking wasn’t used in any successful criminal investigation or emergency response between 2017 and 2020. “Government hacking is understood as interfering with the integrity of software – including online services — or hardware to access data in transit, data at rest, and sensors to manipulate a target’s device by law enforcement for the purpose of criminal investigations [in a targeted manner].”

Encryption backdoors would allow the government to bypass any encryption used by the population. Unlike government hacking, using a backdoor to sidestep encryption still compromises security and would be done outside of the protections afforded by law.

Whereas hacking exists within a legal framework, encryption backdoors directly contradict the law as it currently stands. That’s why policy discussions within Germany only extend to government hacking. However, they might influence EU law to allow for encryption backdoors, where they may have a higher chance for success.

German Foreign Intelligence and the CIA / NSA

The European Council, in December 2020, adopted a resolution called Security Through Encryption and Security Despite Encryption. It underlines the importance of encryption for security while also undermining encryption by indirectly asking for backdoors to encryption for the authorities.

Such a conflicting approach is not new to German surveillance. During the Cold War, the Federal Republic of Germany’s foreign intelligence service worked with the CIA to decode messages from allies and enemies alike. Dubbed Operation Rubicon, these intelligence agencies both made money off the technology and used it to eavesdrop for decades.

The partnership was considered the “intelligence coup of the century”. The encryption devices, made by a Swiss firm and sold to NATO allies for their own espionage purposes, were owned by the CIA (unbeknownst to the buyers) and enabled the two countries to spy on their own allies with ease. The US and Germany not only listened freely, but they also collected money from the victims. However, such alliances aren’t always trustworthy in the long term. It turns out that undermining encryption communications can backfire against the perpetrators.

Denmark helped the US spy on countries like Germany, including eavesdropping on German chancellor Angela Merkel between 2012 and 2014. The US National Security Agency accessed text messages and phone conversations of numerous prominent individuals by tapping Danish internet cables with the cooperation of the FE, Denmark’s secret service.

Known by the codename Operation Dunhammer, the digital communications surveillance of allied countries’ heads of state proved that it isn’t only enemies who can’t be trusted to respect privacy and security. How can ordinary citizens put their faith in government to secure their privacy if world leaders can’t protect their own?

For almost too many reasons to name, the importance of secure and open communication cannot be overstated: people need to feel like they can chat freely for the sake of staying in touch with friends, engaging in political discourse, conducting business, and so much more.

Permeable Encryption

The group in Germany that supports embedding systematic weaknesses in encryption, to enable intelligence and law enforcement agencies to be more effective, is small.

Governments, like Germany, are increasingly exploiting the public’s rights to privacy. Using the premise of heightened security to extend law enforcement’s reach, governments justify hacking and asking for backdoors into encryption.

Encryption keeps people safe from cybercrime and prying eyes, but it can’t do that if governments want access to support justice, because once a backdoor is in place bad actors will get in. Germany might be seeking to appease digital rights advocates in the country, but deliberately leaving holes in their privacy protection is a risk to the government and its citizens.

Using a hardened phone built from the ground up for maximum security and privacy protection is the only way to ensure your digital communications are never compromised. Business leaders, journalists, lawyers, and, as the above has made clear, world leaders need to know that no one can crack their phone.

The only way to ensure your conversations remain confidential is to get a phone with military-grade encryption with secondary security features hosted on a private server to protect against potential vulnerabilities.