A Program for Journalists to Experience Mobile Security

Myntex offers 3-months of free usage of ChatMail on Renati and funds for organizations

Photo Credit: AmparoGV

The UK’s Online Safety Bill, which effectively creates a backdoor to encryption, and proposed regulations elsewhere underscore the urgency to protect the privacy of investigative journalists, their teams, and sources. 

Myntex Inc., an industry-leading secure mobile solutions developer, wants to help. To this end, Myntex® created a program for journalists with 200 free licenses to use its trusted end-to-end encrypted phone suite, ChatMail, on the resilient new revolutionary mobile OS, Renati. Teams of 2–10 contacts can apply. Qualifying cohorts worldwide will experience mobile communication confidentiality and security, free of charge, for 3-months.

Surveillance, spyware, phishing, and malware targeting journalists jeopardize their safety. The device hardening features of ChatMail paired with the fully locked-down ecosystem of Renati mitigate these threat vectors and stop location reporting. ChatMail on Renati is certified against physical extraction.

A fundraising component is included in the program. A donation of $100 CAD per activated license will be given to the applicant’s choice of Amnesty International; Citizen Lab; Forbidden Stories; International Center for Journalists; or Reporters Without Borders. An advocate for strong encryption and the right to privacy, Myntex stands aligned with non-governmental organizations committed to digital privacy and security. These five NGOs were selected to support their projects that help to protect journalists.

Geoff Green, Myntex CEO and Chief Systems Architect empathizes with these vulnerable investigative teams. “When we saw the raw deal journalists are getting with the new anti-privacy proposed laws in Europe, that allow spying and interception on phones, we just had to do something about it. Security is critical for journalists and their sources.” Green emphasized, “ChatMail on Renati provides security-first protection and privacy. It even blocks Pegasus and similar exploits.”

To qualify, applicants must provide a link showcasing their body of work as investigative journalists. Also required is a compatible OEM unlocked Pixel phone, a computer, and a secure internet connection.

By following Myntex or ChatMail on social media and providing their relevant account link, the company will be able to authenticate applicants. A welcome email will be sent to journalists who are accepted into the program, providing a unique link to the web installer for Renati OS™ and instructions to simplify the setup of the device and deployment of ChatMail®.

The journalist program is open through December 2023 or until capacity is reached. Apply now.

Contact: 
Chantel Duplantie, COO
info@myntex.ca
+1 (866) 473 5440

About Myntex

The global mobile data protection market is expected to reach $13.6 B in 2027. Myntex occupies a niche as the developer of ChatMail and Renati. The company also owns and operates a private, on-site custom data center. Confirmed reliability has made Myntex Canada’s largest provider of end-to-end encrypted phone solutions.

Myntex is redefining privacy through technology with an innovative vision for secure communications. Established in 2010, Myntex flourished in its field. Founded as a tech start-up by President and CEO Geoff Green and COO Chantel Duplantie—offering PGP‑encrypted email solutions from Canmore, Alberta—Myntex opened its high-tech Calgary headquarters in 2016.

Myntex is on a mission to provide the definitive offering and security performance of encrypted phones.

Certified Partners oversee global distribution in 180+ countries, managed locally by 150+ ChatMail resellers. An ardent supporter of global efforts to protect the fundamental human right to privacy, Myntex stands against efforts to undermine encryption in our actions, advocacy, and affiliations. Educating the public in this regard through our blogs and social media is an important pillar of our business. See how we’re effecting change by visiting us at myntex.com

Myntex Launches Renati — Disrupting Data Collection in the Mobile Phone Sphere with a Security Focused Operating System

Giving Users Complete Control Over Their Identity

Calgary, Alberta — Myntex Inc. announced the release of ChatMail® on Renati today, culminating two years of design, development, and simultaneous infrastructure transformations; positioning this proprietary OS to start a technological revolution.

“We have a discerning target audience for our customer base,” Myntex® President and CEO, Geoff Green, notes. “Like me, they don’t trust embedded services, third-party apps, or devices that are open and susceptible to malicious intrusion. Society is waking up to the need for confidentiality, not exploitation.”

Today’s surveillance capital economy monetizes personally identifiable information. Sensitive data is sourced through search engines, web browsers, and app developers. Analytics are revealing.

Green champions confidentiality. “Myntex empowers people to take control of their mobile communications. We help clients retain their privacy in a digital world that turns consumers into the product.”

Renati OS was purpose-built for ChatMail®—the device-hardening software Myntex created for Android™ phones. Providing protection against exposure to data breaches, identity theft, location tracking, and scrutiny, Renati eliminates attack surfaces and threat vectors on a range of Pixel devices.

Security experts warn about an onslaught of AI-assisted cybercrime, which emphasizes the need for mitigation. Myntex enlisted Unique Wire to try to penetrate Renati’s security and physically extract customer-generated data on ChatMail. Commercial forensic tools were no match, proving ChatMail on Renati is resilient.

Green notes, “If Pegasus gets into your phone, the encryption doesn’t matter anymore. The protection needs to start in the operating system. Renati is rock solid.”

Myntex revamped the backend of its framework with microservices for its closed platform. “We constructed a bi-directional secure socket tunnel for our phones to communicate in real-time with our infrastructure,” Green explains. “But the main advantage of RMDM is we are independent of having to use Google Firebase to fully lock down our OS. We’re leading a culture shift that demands mobile device defence.”

Renati—mobile security reborn. Read the Uncut Product Innovation Story.

Contact: 
Chantel Duplantie, COO
info@myntex.ca
+1 (866) 473 5440

About Myntex

The global mobile data protection market is expected to reach $13.6 B in 2027. Myntex occupies a niche as the developer of ChatMail and Renati. The company also owns and operates a private, on-site custom data center. Confirmed reliability has made Myntex Canada’s largest provider of end-to-end encrypted phone solutions.

Myntex is redefining privacy through technology with an innovative vision for secure communications. Established in 2010, Myntex flourished in its field. Founded as a tech start-up by President and CEO Geoff Green and COO Chantel Duplantie—offering PGP‑encrypted email solutions from Canmore, Alberta—Myntex opened its high-tech Calgary headquarters in 2016.

Myntex is on a mission to provide the definitive offering and security performance of encrypted phones.

Certified Partners oversee global distribution in 180+ countries, managed locally by ChatMail 150+ resellers.

An ardent supporter of global efforts to protect the fundamental human right to privacy, Myntex stands against efforts to undermine encryption in our actions, advocacy, and affiliations. Educating the public in this regard through our blogs and social media is an important pillar of our business. See how we’re effecting change by visiting us at myntex.com

Standing United In Support of Encryption—Myntex® Defends Your Right to Privacy

Image – Myntex ® Data Center

Myntex is on a mission to provide the world with fundamental security through mobile communications. We rely on encryption to ensure the performance of our technology. Governments that threaten to undermine encryption in the name of privacy are doing more harm than good.

This is why we signed an Open Letter by Fight for the Future. The goal is to urge democratic leaders to defend laws that strengthen encryption to protect us all, rather than creating policies to open backdoors to surveillance, malicious actors, and authoritarian abusive regimes.

While proponents of Bills aimed at protecting the vulnerable online believe encryption is a threat to law enforcement, it is the mechanism that secures online activity and without it, individuals, businesses, educators, and the very governments that seek to break end-to-end encryption would all be at risk of cybersecurity challenges including unwanted observation and unprotected privacy in a digital world.

Attacks on Encryption are Attacks on the Right to Privacy

End-to-end encryption lets companies, like Myntex, ensure data and communications remain private and secure. The only ones who should be able to decrypt messages or calls are the intended recipients. No one, including law enforcement, politicians, government officials, or hackers, should have access to a backdoor; and you cannot grant access to one and restrict another.

These are the main tenets excerpted from the letter, with links to the referenced legislation:

“The value of this technology in defending privacy cannot be overstated but is also seen as a threat to law enforcement who argue that the ability to freely access individuals’ communications is critical for criminal investigations. This messaging has spurred worrying initiatives such as the Online Safety Bill in the UK, the Lawful Access to Encrypted Data Act in the USA, India’s Directions 20(3)/2022 – CERT-In, Bill C26 in Canada, the Surveillance Legislation Amendment Act in Australia, as well as the proposed rules to prevent and combat child sexual abuse in the EU. These laws aim to take away the right to privacy online by forcing encrypted services to weaken the security of their users and give law enforcement access to user information upon request.”

“Everyone deserves a free and open internet. The Internet must remain inclusive, free, and fair by providing everyone with unfettered access to online services, including encrypted services. This enables users to exercise their right to privacy, their right to engage in private discourse, and their right to hold those in power accountable by shedding light on human rights abuses, corruption, misinformation and environmental destruction – something that is vital to the democratic process of forming public opinion.” Please take the time to read the letter, linked below, and ask your organization to endorse it. https://www.fightforthefuture.org/news/2023-05-03-open-letter-protect-our-rights-to-privacy-free-expression-and-press-freedom/

Breaking Down a Data Breach – An Uber Case Study

freestocks-photos @pixabay

Uber is an app you likely have on your phone. It’s also an example of what happens when data privacy is mismanaged. This analysis covers several angles, from employees who don’t take proper precautions with their personal cell phones (especially important if your employer lets you BYOD to work), to the need for businesses to safeguard the customer data they collect. It lends support to the position that employees are the weakest link in cybersecurity and demonstrates the risk posed by storing data on third-party servers.

A Series of Unfortunate Events

A major breach in September was one of 2022’s most significant. A post in the world’s largest taxi alternative’s newsroom provided details of the incident.

“An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.” The breach reportedly compromised the company’s entire network, including internal databases and their Slack channel. Uber disclosed about 57 million customers’ and drivers’ personal information was stolen by the hacker.

The New York Post noted, “The hacker who took responsibility reportedly claims to be just 18 years old, and gained access to the ride-sharing giant’s internal networks by pretending to be an IT worker and asking for an unnamed Uber employee’s password.”

Then in December, a third-party vendor attack breached corporate and employee data as well as company documents, which were all leaked. BleepingComputer Editor-in-Chief Lawrence Abrams reported, “A threat actor named ‘UberLeaks’ began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches.”

“The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.” The attack targeted an AWS backup server outsourced by Teqtivity to store data for its customers.

Transparency about breaches needs to be swift. Uber’s former Chief Security Officer Joseph Sullivan awaits sentencing after being convicted on two charges for covering up data leaked on millions of customers in 2014 and 2016. This is the company’s tenth cybersecurity incident.

Reflecting on the guilty verdict of Uber’s ex-CSO, the CISO of SafeBreach submitted a commentary in DarkReading. “A breach is, quite correctly, viewed as a failure of the company to protect the data that was breached. It can also ultimately be viewed as a failure of the CISO.” Organizations need to think about outcomes—as this CISO notes—when (not if) bad actors or nation-states attack your company.

“Addressing worst-case scenarios and having a contingency plan in place before you get breached can minimize the financial and operational fallout when you do.” He adds, “Such a plan will only be successful if it has been created, vetted, and rehearsed well in advance.”

A Better Way to Protect Your Mobile Privacy

Companies need to have a robust Data Privacy Framework to ensure they are operating within privacy regulations where they do business. CISOs must implement a strict mobile device management policy.

An IT review of the Uber breach last fall notes, “Hard-coded credentials used in the Uber breach allowed for administrative access to a privileged access management programme.” It adds, “To guarantee that workers and outside contractors have the least amount of permissions necessary to perform their responsibilities, consistently use the principle of least privilege, beginning at the endpoint.”

You can turn off tracking and location services in your privacy and security settings on your phone, however, “Apps like Uber and Lyft will track your location for their drivers, and they may do it constantly, not just when you need a ride. There isn’t usually a way to turn off location tracking for these apps without disabling them.”

Contact us to learn more about how you can protect your company with our encrypted mobile solutions: ChatMail™, and our latest innovation Renati, a secure mobile operating system currently in beta testing.

December 5th Network Outage Report

Myntex Data Centre

Last week some of you may have noticed a brief outage in ChatMail’s core services. We are happy to report our team worked quickly to restore all connections with minimal downtime. We take our uptime and our commitment to transparency very seriously, and we would like to breakdown what occurred to help our resellers and clients understand what happened and how we plan to improve our network reliability in the future.

What happened?

On December 5th, 2022, we were notified by our NOC (Network Operations Center) and TAC (Radware) team that we had a service outage in our primary data center at Myntex Headquarters. Effectively, our internet had gone down and taken our critical infrastructure with it (including websites, email, portal, VPN, and core ChatMail services).

How long did it last?

Roughly 4 hours, from 8:03am to 12:01pm MDT on December 5th, 2022.

What steps were taken to fix it?

Our initial steps were to contact our ISP (Internet Service Provider) to verify their services were still operational. After some further troubleshooting, we were able to eliminate our internet availability as the culprit. We then began the meticulous process of isolating the issue within our own network. Eventually we were able to narrow it down to the primary Core Edge Router.

Was there a security vulnerability?

No. This was a hardware failure, nothing to do with the security of our network.

What was the solution?

As part of our disaster recovery plan, we have extra critical hardware on hand allowing us to quickly hot swap network equipment if required. Once we replaced our Core Edge Router with a new one, our networking team was able to configure the new device. After that was completed, all functions were fully restored, and we immediately notified our network of ChatMail partners of the issue and that all services were restored.

How will we improve for the future?

We’ve replenished our stock of critical network hardware so that if/when this happens again, we’ll have the equipment on hand to make the necessary repairs. To allow for quicker troubleshooting and faster deployment we will be pre loading the network hardware with our latest stable configurations.

Our users’ experience can only be as good as our uptime. The last outage we experienced was back in March of 2021 (following a forced fibre relocation). That’s why the home page of Myntex.com boasts a “99.9% server uptime”. After this December’s outage, we are still achieving 99.95% uptime, or less than 4.38 hours of downtime per year.

No one can guarantee 100% uptime, but we’re determined to get as close as possible.

Stored Data is a Double-edged Sword

Image by Myntex

Cybercrime exploded during the pandemic and continues to rise. Enterprise organizations reporting huge data breaches this year include Apple (18MM users), Microsoft (65K companies in 111 countries), and Twitter (5.4MM account profiles). While American companies are targeted more than most, the problem is global in scope.

“2022 has been littered with thefts of sensitive information. This year, they’ve affected companies and organizations of all shapes, sizes, and sectors.”

You Don’t Have To Be Rich or Famous

Personal Identifiable Information is considered the top category sought in breaches because customer data typically includes financial records. On the dark web, customer PII – representing 80% of breaches reported in 2020 by IBM & Ponemom. It adds up fast when stolen data can be sold by criminals online to fraudsters for US$175 per record.

The ID Theft Center notes in its’ 2022 Business Impact Report that 57% of US small businesses have had a security or data breach, or both. This proves all businesses are at risk of exposure and economic loss despite headlines highlighting the major violations.

Five of the Worst Recent Cyberattacks

Australia has been hard hit with hacks this year, including the latest cyberattack which targeted the Department of Justice. Two of the biggest breaches jeopardized the privacy of millions of its’ citizens.

A massive data breach at Australian telecom, Optus, in September may have been the worst incident there ever. The company has close to 10 million subscribers (about 40% of the country’s population).

The hack was either a State-Sponsored attack (SSA) or conducted by a crime organization, penetrating the company’s firewall to find sensitive info. Physical addresses, driver’s licenses and passport numbers were amongst the intel obtained. No ransom was paid despite the hacker’s demand for US $1.5MM. However, the cost for Optus to settle the resulting class action lawsuit could be between $5B and $20B, with payments per individual of between $5,000 to $20,000.

In October, Australia’s largest health insurance provider was hacked. Medibank holds the private records of every client, past and present, affecting 10 million victims. All were visible to the assailants – including those belonging to foreign students.

Reports show, beyond the personal data obtained, “Significant amounts of customers’ health data was compromised as well.” This includes health claims data, Medicare card numbers, and policy numbers. Following these infringements, Australia’s government moved to make companies more accountable. The Attorney-General wants penalties “three times the value of the benefit obtained through misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period” – whichever is higher, up to the maximum fines of $50MM against repeatedly breached companies.

Medibank’s stock price plummeted 14%, which was the sharpest drop for the company in a single day since it started trading shares. The company is still investigating; however, it believes a criminal organization compromised user credentials. It then started payment negotiations after stealing data. Police warned Medibank not to pay the cyber extortionist. In November, the hackers followed through on a threat to pay the ransom within 24-hours or they would publicly release the stolen data. Millions of health records were posted on the dark web. The cost to remediate the damage caused by the breach is expected to be $150MM.

As for repeat breaches, the Costa Rican Government declared a state of emergency in May after its second cyberattack in as many months by the ransomware gangs, Conti. In its first assault, Conti demanded $10MM from the Ministry of Finance, which declined to pay. The second attack saw a single threat actor from the Ransomware-as-a-Service (RaaS) organization claiming responsibility.

One report noted, “In the first two days of the attack alone, the Costa Rican Chamber of Foreign Commerce estimated losses of over $125 million.” To try pressure the newly elected President to pay, the attackers sent an intimidating message saying it would be able to overthrow Costa Rica’s government if ransom wasn’t paid, raising the amount to $20MM.

The Conti attack prompted the US government to offer rewards of up to $10MM for identifying information on the location of Conti leadership and a further $5MM if the intelligence leads to arrest of any conspirators in a Conti ransomware incident in any country.

“This type of attack is designed to be controlled remotely. Malware operators hack into a network and gain domain and administrator credentials, locking and encrypting the entire hard drive.” Conti leaked more than 670 gigabytes of data on May 20th from Costa Rican government servers.”

An American student loan servicing company, Nelnet, is facing a class action over a data breach affecting the Oklahoma Student Loan Authority and Edfinancial. “Nelnet failed to uphold its data security obligations to Plaintiff and Class Members,” the suit alleges. “As a result, Plaintiff and Class Members are significantly harmed and will be at a high risk of identity theft and fraud for many years to come.”

The names, addresses, email addresses, phone numbers, and Social Security numbers of those impacted were exposed. Further information on the how the breach happened was not shared by Nelnet.

More than 2.5 million borrowers had their private information stolen when an unauthorized actor gained access to the company’s network from June 1st through to July 22nd. It wasn’t identified until August 17th. The breach could result in those affected being targeted by bad actors for subsequent attacks such as, impersonation, social engineering, phishing, and various scamming schemes from the PII being sold on the deep web.

One of the largest verified breaches to date this year targeted the fantasy digital pet company, Neopets. According to the rogue hacker, interviewed by BleepingComputer, the account data of over 69 million members had been stolen, but did not reveal how they gained access. The database contained source code for the neopets.com website owned by Jumpstart; a subsidiary of China based NetDragon. Instead of extorting the company, interested buyers were being courted in online forums.

It’s surprising the attacker didn’t demand ransom, considering NetDragon group currently holds over US$40MM worth of cryptocurrencies. (Perhaps this attack aimed to raise the hackers’ status?) Instead, the source code and database for the popular website is up for sale on an online forum. The hacker is only asking four bitcoins, valued at US $90,500. Last November, NetDragon sold ~4,200 non-fungible tokens over four days. The NFTs are known as the Neopets Metaverse Collection.

How Criminals Obtain Private Data

Most data breaches are due to cyberattacks, with phishing and ransomware continuing to be the root causes again this year. Security Magazine found the largest attack vector was “unknown” in Q1 2022, which was a 40% increase in the total number of unknown breaches for all of 2021. “While data breach notice updates may include more attack information, the increasing lack of transparency in the notices is a risk to organizations and consumers.”

Hacking was the primary cause of data breaches in companies with 500 or less employees. However, remote workers were responsible in 35% of reported incidents and third-party vendors in another 29% of cases. More than half of the companies though their accounts were compromised by responding to a direct message and 45% say a phishing link or shared account credentials with an impersonator was to blame. One-third said the malicious actor claimed to be a customer, prospect, or vendor.

About half of the impacted companies spent between a quarter and a half million dollars to cover the cost of these breaches and almost 20% spent from $500k to $1MM USD. Coming back from a breach can take one to two years for most companies. In addition to the financial burden, a third of those surveyed experienced loss of customer trust.

Perception vs Reality

Questions are being raised as to whom or what is to blame for the proliferation of major data center breaches around the world. With governments, service providers, retailers, insurers, and health care agencies amongst some of the biggest hacks this year—cybersecurity experts point to apathy.

Fittingly, the responsibility lies with CEOs, CISOs, boards, and corporate policy. There is a focus in business today that prioritizes data intelligence over data security.

According to Harvard Business Review, most companies either don’t have any cyber insurance or not enough. Furthermore, with the increase in ransomware attacks and payouts, the industry itself is at risk. Ransomware attacks have skyrocketed, and payouts have grown exponentially. This is a worrisome trend for insurers.

For example, “With around 250 companies buying at least $200 million in protection, it would only take five insured losses of a bit more than that amount to wipe out an entire year’s premium. That’s only 2% of the companies in the market buying that much coverage. That kind of loss would likely take decades for insurers to earn back such losses.”

Clearly, the focus needs to be on prevention instead of damage recovery.

A Better Way To Block Attacks

Considering the main gateway to ransomware attacks and breaches is phishing, you have to look at your mobile device management. BYOD policies put businesses at risk. You need to mitigate the element of human error. Perhaps the most important practice you can instill in your workforce is password hygiene. But even the best cybersecurity training can’t stop employees from inadvertently making a mistake. Unless you remove unnecessary apps, internet browsing, and other activities not essential to business communications, you will never be truly protected. Don’t settle for a free app that is only focused on privacy and not on network security. Ensure your teams’ messages and calls are secured by a service provider that uses end-to-end encryption and doesn’t store any of your PII in its data center.

Real-World Views on Cybersecurity and The Cost of Cybercrime to Business

Myntex Partners’ Top Cybersecurity Threats based on August 2022 Survey Results

Each autumn, with the back-to-business mindset following summer holidays, organizations reflect on their sensitive data during Cybersecurity Awareness Month, observed in October. Businesses spend billions of dollars annually on cybersecurity. Statista forecasts the global Information Security market will approach $175B by 2024. Products and services supporting this market are expected to hit $1.1725 trillion USD in 2022.

We asked a selection of our business partners—BlackBerry, JT IoT, and SLNT—for their perspective on the current threat landscape and what they’re doing to mitigate risks.

Every enterprise knows the importance of investing in InfoSec. Increasingly, CEOs are adding a box to their org chart filled by a Chief Information Security Officer. Nonetheless, CISOs face pushback from their peers in the C-Suite. The CFO says cybersecurity is too expensive. The COO thinks all the controls slow productivity. The CIO advocates for IT outsourcing. While the CMO wants marketing to have access to custom data.

Mobile Device Management is a critical element of any robust IS strategy, which is essential to keep your network safe from harm. Specializing in encrypted mobile solutions, security and privacy is our core business at Myntex. We are focused on the very essence of cybersecurity, which is verifying the identity of others, while continuously proving our encryption is authenticated to defend against malicious interference and data breaches.

The Most Common and Costliest Cyberattacks on Business

Ransomware has been the dominant cybersecurity news story this past year, affecting not only enterprise organizations but increasingly targeting small-to-medium business.

As an industry leader in cybersecurity BlackBerry notes, “The current infrastructure of the underground cyber economy continues to evolve quickly with threat groups sharing hacking techniques, malware code, tech infrastructure, target lists, and even exporting stages of the process to hackers with specializations, allowing for attackers to operate faster and at scale. In fact, some of the biggest incidents of 2021 appear to have been the result of this outsourcing. On top of that, cybercriminals can often circumvent being shut down by authorities by breaking up and reorganizing as new cybercriminals groups.”

The company confirmed it believes the best defense is to adopt a prevention-first approach to cybersecurity. “BlackBerry customers benefit with artificial intelligence (AI) and machine learning (ML) driven cybersecurity products, which have been independently proven to prevent malware from executing on endpoints including the latest ransomware strains.”

Gateway Attacks and Vulnerabilities As indicated in the Statista charts below, phishing was the most common cause of ransomware attacks reported by managed service providers.

Source: Statista, Phishing gateway to Ransomware.

According to Datto’s Global State of the Channel Ransomware Report, “Carelessness and gullibility are the greatest threat to small businesses. With phishing mails, poor user practices and lack of cybersecurity training on top of the list of leading causes of ransomware attacks, it becomes clear that end user education is an essential part of IT security.”

These cybersecurity threats resonate with our industry partners. Employee driven threats appeared across the companies we surveyed as a top concern.

SLNT® CEO, Aaron Zar, ensures all employees and contractors are trained on cybersecurity best practices, which the company regularly updates to keep staff and systems safe.

“Just like technology, cybersecurity is always changing and evolving,” notes company spokesperson Avie Zar. “Our Cybersecurity mitigation plan is reviewed annually. When reviewing and updating a plan we always cover these key topics.”

By analyzing and identifying potential threats, through internal and external risk assessments. Beyond implementing a plan to protect the business, SLNT keeps looking for vulnerabilities, with monitoring practices aimed at detection.

Key Business Systems Under Attack

Enterprise Management – An Internet Crime Report shows business email and spoofing attacks rose sharply with the pandemic, leading victims to send criminals fraudulent wire transfers. “They do so by compromising an employer or financial director’s email, such as a CEO or CFO, which would then be used to request employees to participate in virtual meeting platforms.”

Operations Management – The latest DBIR notes, “2021 illustrated how one key supply chain breach can lead to wide ranging consequences. Supply chain was responsible for 62% of System Intrusion incidents this year. Unlike a Financially motivated actor, Nation- state threat actors may skip the breach and keep the access.”

Financial Management – Today’s CFO makes critical cybersecurity decisions, especially with the risks associated with ransomware. “There are costs for remediation, cybersecurity software meant to prevent ransomware, and loss of productivity. There’s also a potential cost associated with damage to an organization’s brand and reputation.”

Business Email Compromise Attacks

A recent report in ZDNET noted, “While ransomware gets global attention when it takes down vital services and cyber criminals get away with multi-million dollar ransom payments, there’s another big cybersecurity issue that’s costing the world more money, but remains an embarrassing secret for many, even though, according to the FBI, it’s cost victims over $43 billion dollars to date

Business email compromise (BEC) scams may lack the drama of hacking attacks but it’s possible to argue that they’ve become the biggest cybersecurity issue facing the world today. 

BECs were the costliest types of cybercrime connected to financial losses in 2021.

“Losses to cybercrime increased significantly in 2021. The losses – which are located mainly in the U.S. but were collected around the world – are estimated at $6.9 billion last year, up from $4.2 billion in 2020.

Other costly cyber crimes with businesses at their center were personal data breaches and corporate data breaches, which occur when criminals steal or release the personal data of individuals or companies previously stored in a secure location.

Out of all victims recorded by the FBI, 59 percent were in the U.S., 38 percent in the UK and 3 percent elsewhere.”

Source: Statista, The Costliest Types of Cyber Crime (per million/USD)

Preventing Attacks On Business Mobile Devices

One of the world’s leading carrier-neutral IoT connectivity platforms, JT IoT is a SIM card provider for our custom encrypted mobile solution, ChatMail™. “Supported by a team of 70+ people and with over 500+ global networks, JT IoT provides customers sustainable, scalable, compliant, and secure access to connectivity.” The company has a Bring Your Own Device to work policy, which it manages through Microsoft Endpoint. Proactive security audits with penetration tests from third-party providers is part of their cybersecurity risk mitigation plan.

Organizations need to be pre-emptive in safeguarding mobile communications with policies to protect all users and hardened devices for key team members who need extra security. Awareness of possible attack vectors is a fundamental first step, especially for small to medium size businesses who are increasingly being targeted.

  • Malware – malicious software that can steal login credentials while bypassing 2FA
  • BYOD programs – a risk to your MDM in part due to the use of apps and social media
  • MitM attacks – mobile applications using unencrypted HTTP
  • Insecure devices – the lack of security and privacy features of a tamper-proof phone

Cybersecurity Awareness is a daily practice and with the right tools you can trust your communications are both private and secure.

Myntex is an industry leader in the field of encryption technology, offering enterprises expertise in mobile security supported with evidence based live data extractions.

The Most Exposed and Targeted Sectors at Risk of Cyber Crime

Data Source: Check Point Average Weekly Cyberattacks (2021) per Organization by Industry

With the cost to manage vulnerabilities in digital security expected to grow from $6.7 billion in 2020 to $15.86 billion by 2030, it makes sense to know the cyber risks your industry faces to proactively prepare.

Human error is the main risk factor for business cyberattacks. When your employees use smartphones for work, they are introducing vulnerabilities. Third-party apps, internet browsing, Bluetooth, GPS, USB connectivity – all of these are vectors for malicious actors to access your sensitive and valuable data. Imagine how much more secure these sectors would be if they used encrypted, hardened phones. Never mind the cost to your bottom line or reputation.

According to Check Point Research, 2021 saw a 40% increase worldwide in cyberattacks with about one in 60 organizations impacted weekly by ransomware.

“The researchers define a cyberattack attempt as a single isolated cyber occurrence that could be at any point in the attack chain — scanning/exploiting vulnerabilities, sending phishing emails, malicious website access, malicious file downloads (from Web/email), second-stage downloads, and command-and-control communications.”

Here’s a look at the five industries most targeted by cyberattacks in 2021, inspired by research posted in Forbes by a global thought leader in cybersecurity and emerging technology, Chuck Brooks.

Education/Research

Considering the shift to distance learning during the pandemic, it is not surprising education and research is the top sector being targeted by malicious actors. The Data Group Manager at Check Point, noted, “Students, parents and schools are tempting targets for hackers, mainly because of data – there’s lots of it. From gradebooks to online assignments, hackers have far more access points to sensitive information and data. Data is leverage for hackers and can be used to orchestrate ransomware attacks.”

The top regions for cyberattacks on education/research were the Pacific Rim, with an average of 4,176 a week in Australia and New Zealand, just slightly ahead the rest of Asia. Europe had 1,861 attacks weekly.

A study of ransomware attacks in 2021 revealed education and retail were equally targeted with a 44% increase, yet as a sector education had three times as many cyberattacks. Schools, tied with places of worship, received the most brand-impersonation credential phishing attacks.

Government/Military

This was the second highest sector to be attacked in 2021. Government agencies are high valued targets for the information they hold with a vast amount of confidential data, which hackers exploit – often through state-sponsored attacks.

At the end of 2021, the Log4j vulnerability left countries around the world scrambling to fix the single biggest threat in the last decade and likely the most critical code loophole ever. The Belgian military, as an example, was hit hard and spent five days countering the cyberattack.

The SolarWinds Supply Chain Trojan attack was a global threat, believed to have been a Russian sponsored attack, which affected the US government as well as major corporations. Newsweek reported, “State Department, Department of Homeland Security and some parts of the Pentagon appeared to have been compromised.”

An Iranian Facebook hacking campaign target US Military was revealed in 2021 in which social engineering was used to send infected malware files and to use phishing schemes to get credentials.

Communications

In third place, this sector experienced many devastating cyberattacks. The industry vertical for Technology, Media and Telecommunications made headlines around the world for notable takedowns. The Australian broadcaster Channel Nine was hit by a cyberattack, which left the network unable to air several shows or its Sunday news on March 28, 2021. Coincidentally, the Australian government faced an attack at the same time.

Mobile phone companies were also hard hit. A year ago on August 17th, the T-Mobile cyberattack compromised data of millions of their customers, former customers, and prospective customers. T‑Mobile said, “Fortunately, the breach did not expose any customer financial information, credit card information, debit or other payment information but, like so many breaches before, some SSN, name, address, date of birth and driver’s license/ID information was compromised.”

Internet Service Providers/Management Service Providers

Irish ISPs were the target of a series of “denial of service” strikes in May 2021. There was no indication the DDoS cyberattacks were related to the concurrent Health Service Executive ransomware attack, which caused the country’s IT systems to be shut down nationwide.

The Internet of Things has proven to be a major cybersecurity challenge for ISPs. An estimated 25 billion IoT devices were connected online in 2021. Cybercriminals increased their IoT attacks with both ISPs and Telecoms seeing the impact through hacking and data breaches. This included DDoS attacks, Network congestion, RFID interference, Routing attacks, and Sybil attacks on computer network security.

According to the Sophos State of Ransomware 2021 white paper, IT, technology and telecoms were the industry vertical hardest hit by Ransomware.

Management Service Providers are outsourced IT services. Typically, MSPs handle IT infrastructure, technical support, user access within corporate client systems, and hardware outsourcing.

MSPs also act as third-party server storage, provide Software-as-a-Service, or niche technical expertise. Microsoft Exchange is a cloud-based email service. A mass cyberattack affected millions of Microsoft clients around the globe, wherein threat actors actively exploited four zero-day vulnerabilities in Microsoft’s Exchange Server. It is believed that nine government agencies, as well as over 60,000 private companies in the US alone, were affected by the attack.

Healthcare

The Abnormal Security Email Threat Report noted there is a rise in business email compromise attacks. BECs occur when a scammer accesses the email of the targeted business contact and impersonates them using their identity to target other victims.

When cybersecurity expert, Brian Krebs, reported on Ransomware attacks in the Healthcare sector, he asked a source how many healthcare organizations get hit with ransomware on average in one week? His source confided “It’s more like one a day.”

The Bigger Picture

Overall, the global distribution of cyberattacks was highest in Africa, with an average of 1,615 per organization each week, which is an increase of 15% over 2020. Asia and the Pacific was second with a 20% increase amounting to an average of 1,300 weekly attacks per organization. Coming in third, with an average of 1,115 attacks weekly, at almost a 40% increase, is Latin America.

Business Email Compromise attacks can be sent to anyone, but executives or finance department personnel are prime targets. According to a report on email and phone fraud scams in 2021, despite having employee preventative training, IT departments and cybersecurity support, the companies with the highest probability of being targeted by an attack are those with the most employees. In fact, enterprise organizations have a 95% chance of receiving a BEC attack every week due to the high volume of email received.

“Small businesses under 500 employees were fortunate to experience only an average 12% probability of attack throughout the half, but large organizations comprised of more than 50,000 employees received an attack nearly three weeks out of each month.”

As a Cybersecurity expert, Brooks shared risk management strategies in a Homeland Security blog,  surmising, “The bottom line is that almost every type of business, large and small, touches aspects of cybersecurity whether it involves law, finance, transportation, retail, communications, entertainment, healthcare, or energy. Cyber threats are ubiquitous, and they can be an existential event for companies and the C-Suite urgently needs to have a plan.”

As world renowned business and technology futurist Bernard Marr stated in his report on the biggest cyber security risks in 2022, “Aside from the potential for breach of privacy, loss of money, and disruption to infrastructure from cyber-attacks, there’s another genuine and pressing problem that’s often overlooked: A loss in the trust in tech and data.”

Myntex has an encrypted mobile solution, ChatMail™, which can securely protect your privacy and reduce your at risk attack vectors for email, messaging, calling, notes and pictures. Enterprise businesses can request a live data extraction proving the soundness of our technology.

Why We Created Proprietary Encryption Protocols and Why It Matters

Encryption conventions permeate every part of the Internet. There are many different protocols, each with its own merits and in some cases vulnerabilities. Despite providing end-to-end encryption, the policies and practices of popular free apps can put your reputation at risk.

  • Facebook wants to use homomorphic encryption to monetize WhatsApp and Messenger user data
  • Telegram actively shares user data with government agencies and censors content
  • Viber has various security and privacy issues

Myntex Inc. engineered our most secure mobile solution, ChatMail, to be the best in the world. We prove our encryption with live data extractions for enterprise organizations and we are the only encrypted phone provider to do so.

ChatMail’s Advanced Message and Parsing protocol, known as CAMP, protects users of our encrypted phones across multiple layers. The reasons behind our decision to incorporate the custom cryptographic algorithms we use is the focus of this exposé.

Parsed Messaging Encryption

Myntex designed ChatMail with privacy in mind, utilizing multiple encryption algorithms. PGP, which stands for Pretty Good Privacy, is the system we use to relay encrypted external email. We were the first to parse PGP. Our parsing algorithm takes encrypted email and displays it in an easy-to-read message bubble to look like a chat message. That’s why we named it ChatMail. It is the only system to automatically identify both internal and external users. Internal users default to elliptic curve encryption and external users default to PGP. ChatMail’s Unified User Interface displays internal email in blue and external email in grey. The algorithm used is shown in each individual message.

Our default system uses the strongest encryption protocol available, safeguarding you and your data. Internal ChatMail clients use high-speed, state-of-the-art Diffie-Hellman Elliptic Curve25519 cryptography, with optional fallback to PGP. External users are PGP by default.

True End-to-End Encryption

Combining the most reliable algorithms in cryptography, our CAMP protocol ensures customer privacy with leading-edge security. The choice to use Elliptical Curve Cryptography for E2E encrypted messaging was for privacy.

Encryption begins on the sending device using ECC 25519, so that even if the recipient is not using the phone to accept the message promptly, it will remain encrypted in a delivery queue and cannot be decrypted or read until downloaded on the receiving end. Your data is never stored in plain text.

We use message encryption by default. Our customers cannot send or receive unencrypted messages. Users’ voice messages, pictures and notes are always encrypted. With ChatMail, your content is encrypted in transit, at and only stored on your device.

Calling Encryption

ChatMail key exchange for encrypted calling works with the Zimmermann Real-time Transport Protocol. With ZRTP, parties verbally confirm matching shared codes to ensure calls are private and have not been intercepted. Secure RTP protects ChatMail encrypted calls from eavesdropping.

Transport Layer Security is used to configure encrypted calling traffic. Our encrypted calling uses ECDHE X25519 (the last “E” stands for “ephemeral” which is suited to mobile devices as it is faster) with TLS 1.2 ciphers. This keeps calls and messages private and secure by removing them from prying eyes on the public internet.

ChatMail features tamper proof hardware and encryption that experts consider to be quantum proof:

  • Hash:  SHA-384 – our Secure Hash Algorithm transforms cryptographic keys with an output of 384 bits, providing unbreakable protecting against key length extension attacks
  • Cipher:  AES-256 – the algorithm used to perform encryption or decryption is called a cipher and AES-256, also referred to as Military-grade encryption, is the Advanced Encryption Standard adopted by the U.S. government to protect classified information
  • SAS Rendering:  B256 – SAS stands for Sharing a Secret, and we use it with the PGP word list to convert strings of code into simple phrases used for authenticating encrypted calls, thereby preventing Man-in-the-Middle attacks, while B256 indicates the key size in bits
  • Auth Tag:  HS80 – an Authentication Tag in ZRTP confirms each encrypted audio frame sent over an SRTP channel and HS80 is an 80-bit tag, which is preferred for security purposes
  • Key Agreement:  X25519 – encryption is performed by keys and the key size for ECDHE X25519 is 256 bits, which provides forward secrecy as an extra layer of protection against hackers, so that if one message was ever compromised, it would not affect the security of future messages

The Importance of Server-Side Security

Our data center acts as a delivery system for mobile solutions. We do not store any sent or received messages on our servers. Therefore, we also do not keep a roster. A roster is a list of contacts associated with clients for apps that retain messages on their server. Even if the company says they delete messages after 24-hours, it will leave a roster of contact information. When you delete a message from ChatMail, since there is no server storage there is no record of it.

Companies that delete messages older than 24 hours do not delete message threads and they often contain weeks’ worth of confidential communications. For an example, Telegram notes in its policy, “We store messages, photos, videos, and documents from your cloud chats on our servers so that you can access your data from any of your devices anytime without having to rely on third-party backups.”

Myntex removes the need for local server storage with our CAMP protocol. ChatMail is the only encrypted mobile solution supported by a private data center. Encryption protocols are irrelevant if the server has a backdoor or if user data is shared with marketers, governments, or other entities.

Top 10 Data Center Security Must-Haves with CEO Geoff Green

Owning and operating a private, state-of-the-art Data Center sets Myntex Inc. apart from its competition in the custom encrypted phone app industry. Myntex CEO, Geoff Green, gives an overview in this Q&A.

Question # 1

What exactly is the function of the Myntex Data Center?

Geoff:

You can think of our data center as the brains of our infrastructure. Regarding our messaging service, the data center acts as a messaging agent. When communicating with end-to-end encryption, devices need to know how to reach one another. Networking is not magic, but it is cool. You need some sort of tunnel to each device so when you send a message it can reach the intended recipient. By utilising open-source virtualization technology and custom designed hardware our data center has been the primary reason we have been able to cost effectively grow as a company. The alternative would be a less secure approach by renting co-located space and paying large fees in licensing.

Question # 2

How has the Myntex Data Center evolved over the years?

Geoff:

From a virtualization perspective we started out with the original Xen from Xen Project, which has gone through many changes throughout the years as an open-source virtualization technology.

We later transitioned to XenServer when Citrix became the dominating provider of features for the Xen hypervisor which did require license fees for support contracts. But when a new open-source project came to market called XCP-ng based on the same hypervisor we made the switch. XCP-ng is what we currently use and will continue to support their development.

We use XCP-ng for our primary virtualization technology and then on top of that, we use Docker. We run a series of virtual machines on our hardware, which means we can use orchestration software instead of a physical computer to run programs and deploy apps. CDW Canada helped us source the right equipment to fit our needs.

We’re the only encrypted mobile solution provider with our own data center. We chose to invest in one, even though it’s expensive, because it provides better privacy. We planned and developed it ourselves. Some companies just can’t afford the investment or lack the knowledge to run a private data center. You need to hire the right people, which makes it more costly.

Question # 3

What maintenance is required to ensure optimal performance in the Data Center?

Geoff:

Running a datacenter does have to have a maintenance schedule, generators, networking, hardware all must be tested and monitored to make sure they are performing at their best.

APC by Schneider Electric performs an annual inspection and maintenance. Most of the critical pieces of equipment go through their own diagnostics automatically. You’ll sometimes hear weird beeps, coming from the data center which is when the system is doing self-testing, which is a huge time saver.

The air-conditioning gets looked at every year or two. We have N+1 for all pieces of equipment including the A/C unit. If a main unit were to break, we still have a standby backup unit.

Our primary backup generator is tested monthly and must be load tested every year.

Question # 4

What disaster recovery plans are in place?

Geoff:

We took a pre-emptive approach to disaster planning. We did a complete threat analysis. Are we in a flight path? How close are we from the fuel depot? We’re not on a floodplain.

There are only a few people who have access to the data center. We have offsite backups in an undisclosed location. But the most important piece is backups of our proprietary code, which would allow us to rebuild our entire infrastructure even if the building was destroyed. The nice thing about our Calgary location is it’s not on a fault line so, you don’t have to worry about catastrophic earthquakes.

We learned a lot about flood protection when we went through a major flood in Canmore, which also devasted central Calgary. It’s the reason we opted for diesel powered backup generators, because when the 2013 flood happened, Emergency Management worried about the water exposing the underground natural gas pipes, so they shut the gas off. Calgary does have one of the most stable power grids in the world, but a generator is a must.

We have a two-stage fire suppression system inside the data center. In stage one a fire alarm sounds, and safety systems are activated. If the second stage is triggered, there’s a different alarm to warn you to get out immediately. Seconds later a dry chemical flame retardant is dispersed. We don’t use halon. We use a non-toxic, Novec fire suppression system. That’s industry standard for most data centers. There’s no water in the pipes inside the data center. There are special smoke strobes in the server room that can detect any kind of laser break, even the smoke from vaping.

80% to 85% of the costs we put into building our world class headquarters went into securing our data center. We have ballistic protection on the windows and armored doors on top of that, for protection as well as 24/7 surveillance and monitoring.

Question # 5

What are the industry standards for a Data Center security?

Geoff:

A data center needs N+1 redundancy and you should have safety systems in place, the minimum being two‑stage fire suppression. If a company has server equipment with only one A/C unit and no backup generator … that’s not a real data center. That’s more like a networking closet.

N+1 plus ensures system sustainability in the event of component failure. Components (N) have at least one independent backup (+1). The power modules in ours are N+2 redundancy, so we can lose two power modules before we’re in a critical state. So, that redundancy is vital in a data center. All the switch gears are redundant to the point of N+1, N+4 on some things, depending on where it is and what its purpose is. The best of example is N+1 from a networking perspective means if you have two routers you better have two switches to prevent a single point of failure.

To maintain 100% uptime, we use triple replication for high availability. So, for each server we have three, running on three different servers. They’re all virtualized, but they’re across three different pieces of hardware. Everything is running redundant that way.

Question # 6

What method of protection does Myntex use for DDoS?

Geoff:

We utilize different techniques and technologies for protection but our main provider is Radware, which protects us from large scale DDoS attacks – and they’ve been doing a great job for many years.

Question # 7

Why is a data center location important, and explain why Myntex is in Canada?

Geoff:

I think people just don’t understand the advantages and implications of server location. Canada has a large international economy; we have a stable government and is one of the last remaining countries that cares about our privacy and freedom.

The one thing that I personally have heard numerous times is many people in Europe seem to think Canada is the United States. I think that could be a misnomer, where people just don’t quite understand how we are separate sovereign nations.

Question # 8

For Mobile Device Management, Myntex has relied on BlackBerry UEM, how do you ensure its secure?

Geoff:

We self-host UEM, so we control it, nobody else does. If there’s a problem, I call BlackBerry to explain the issue. We may do a screen share so they can look, but they have no access to our server at all.

You can also host BlackBerry UEM in their cloud, but then you don’t physically control the server. Therefore, BlackBerry gives organizations the option to self-host.

Question # 9

What’s the difference between the Myntex Data Center and companies using cloud servers?

Geoff:

A cloud could technically speaking still be in a single data center. It would be considered a non-resilient cloud, but it is possible to still call it a cloud if it’s using cloud-based computing, like the OpenNebula open-source cloud computing platform developed by NASA, is awesome.

I believe the big difference between using a cloud provider and hosting our own datacenter is that we own the data center, we control the data, we control the physical access. If you are hosted in a third-party data center, you don’t control anything. They control it and give you access, like they give you a remote login, but that’s all you get.

Question # 10

Bonus Question: Have you been able to clock the speed of your messaging service since you operate your own servers at the Myntex Data Center?

No, we don’t have exact metrics like that. When it comes to messaging, I guarantee they can send in under 200 milliseconds, but you have all the infrastructure that’s tied between it. So, when we say we have the fastest messaging in our industry it comes down to many factors… my phone is running through a network to our servers through another network and received on another device. So, when you send an image, it normally takes about 500 milliseconds, probably even less, to go from my physical phone to you.

(Myntex COO and co-founder, Chantel Duplantie, sends him an image and it instantly pings his phone.)

See that? That’s how fast it is. I have seen many other messaging systems and how long some take to send a picture, you’ll be waiting like … two minutes from the initial press of the send button. And when I say our industry I’m referring is our niche industry, I still think we might be faster than Signal and WhatsApp, but they also have many more users which is a major factor when it comes to speed.

To achieve some of the insane speeds we use different types of technology including Erlang, Redis, Elasticsearch and RabbitMQ which is implements of my favorite protocols AMQP.  They’re all a type of in‑memory storage. We use RabbitMQ for our primary messaging between our microservices. It’s instantaneous. Same with Erlang, we use it for the messaging system’s capability.

The speed with which we can send pictures and voice messages just blows our competition away.