In 2016, Myntex Inc. was
growing as a business and we wanted to better position the company for the
digital economy. However Myntex® is based in Canada, where the banks have been slow to adopt crypto and we were getting pushback to accept it.
The Solution To Our Problem Receiving Crypto
Ultimately, we were able to
arrange our payments through BitPay. When we released ChatMail™ in 2017, our Certified
Executive Partners appreciated being able to use cryptocurrency. While it is not
a cryptocurrency exchange, BitPay is a blockchain/cryptocurrency payment
processor that enables you to accept cryptocurrencies as a payment method in
exchange for goods or services you sell to your customers.
Working through our financial
institution, Myntex can accept digital purchases from our CEPs, who have relied
on BitPay for many years. At the start of the pandemic, when stores and banks
across Europe were forced to close due to lockdowns. Without BitPay, it would
have been a challenge to receive transactions from our CEPs. We appreciate the
extent to which BitPay went to for our certification.
What Services Does BitPay Provide?
BitPay converts payments to
Canadian dollars, depositing them straight into our chequing account. Unlike an
exchange, BitPay does not store or manage digital assets. With its Payment Protocol, BitPay allows blockchain wallet and cryptocurrency users to make
transactions that are fast and efficient. Shoppers receive quick confirmations
that the correct amount and required fee were sent.
For privacy cautious
customers like ours, BitPay adds another layer of protection to your
transactions. BitPay is easy to use. Individuals, can use their card to turn
crypto into cash, secure and use crypto on the go in your wallet and spend
crypto from your internet browser. For businesses, you can accept bitcoin on your website for online
payments, as well as for billing purposes via email. You can payout bitcoin to
anyone, anywhere. And BitPay accepts crypto for NFTs.
How Safe Is Cryptocurrency?
In a blog post about the security of blockchain, Certified Information Systems Security Professional Magda
Chelly, PhD notes, “Cryptocurrencies are built on top of blockchain technology,”
adding, “blockchain provides the infrastructure for cryptocurrencies, while
also allowing them to function in a decentralized manner.” Chelly continues, “For
individuals, blockchain offers greater security and privacy when making online
transactions. And for businesses, blockchain can help streamline processes,
reduce costs, and speed up transactions.”
The first and most prevalent
crypto, Bitcoin, was built on the blockchain. According to Investopedia, more
than 10,000 other cryptocurrency systems are running on the same technology
today.
Blockchain and cryptocurrency
have a distinct yet connected relationship. “Defined as a digital or virtual currency, crypto
uses cryptography for security and is not owned by any particular authority,
making it difficult for governments to manipulate . . . By moving the means of
transaction out of siloed, closed networks, blockchain is helping to solve some
of the challenges around the interoperability of disparate financial systems around
the world.”
We believe in BitPay’s
mission to transform how businesses and people send, receive, and store
money around the world.
BlackBerry®
Unified Endpoint Manager unlocks the Android For Work security component built
into Android devices. This allows Myntex to deploy our encrypted mobile
solutions on authorized off the shelf devices around the world. BlackBerry UEM is
an important component of our organization as it works with a wide variety of
models for use with ChatMail™.
We
can attest to the fact, “With its single management console and trusted
end-to-end security, BlackBerry UEM
provides flexibility and security to keep your employees connected and
protected so they can work from practically any device, anywhere.”
Our History With BlackBerry
We
were inspired by the security and privacy afforded by BlackBerry Messenger and all the capabilities of the BlackBerry phones. As a
company, Myntex began offering PGP encryption on BlackBerry phones as a white
label solution in 2011.
BlackBerry
phones introduced Secure
Wipe and Remote data wipe, two of
the features that businesses appreciate to secure their data in situations such
as when an employee loses their phone or is terminated.
The Many Ways of Using UEM
As stated on their website, “You can install BlackBerry
UEM in an on-premises environment for the utmost control over your servers,
data, and devices. This prevents any third party from having access to the
secure configuration. An alternate method is to use BlackBerry UEM Cloud,
which offers an easy-to-use, low-cost, and secure solution. BlackBerry hosts
BlackBerry UEM Cloud over the Internet. You only need a supported web browser
to access the service.”
Rather than using BlackBerry UEMs virtual machine on
their cloud, Myntex runs a self-hosted instance in our own private data center.
This allows us to maintain granular control over our infrastructure,
eliminating the risk of unauthorized access and intrusion.
How Myntex Adopted BlackBerry UEM
In 2005,
Blackberry released BBM Enterprise through the Google Play Store and then on
the Apple Store. The BlackBerry Wikipedia page refers
to BBMe as “An
IP-based enterprise instant
messaging platform that provides end-to-end encryption for voice, video, and text-based
communication.” Afterwards, a Software Development Kit was issued for
BBMe, which gave Myntex the impetus to create ChatMail.
BlackBerry Enterprise Server was introduced in 1999 and by
2008, as technology changed, BES became vulnerable to several issues that
eroded its’ security. The company acquired a solid MDM solution from Good
Technology and merged it with BES, rebranding the combined service as BlackBerry UEM.
BBMe let developers add the brand’s trustworthy capabilities
into their own applications, including secure messaging, voice, video, and file
sharing. BBMe was
developed, first and foremost, as a business tool, and (was) a lot more
streamlined by design . . . Because it was built for use in high-security
industries, BBMe (offered) stronger encryption than BBM. BlackBerry retired BBM
in 2019.
UEM has many different configuration options, you can
choose to integrate with Microsoft based products like active directory and
Microsoft Exchange, but you can also use it as a standalone secure AFW
management tool. Without having to introduce additional third-party software.
We do not use Microsoft Exchange or active directory because they introduce
further vulnerabilities. We only use UEM for securing and locking down the
phone. BlackBerry UEM provisions the phone and secures the device using the
built-in security policies provided by Android For Work.
What Does Blackberry Have Access To?
The ingenious design of UEM, in conjunction with AFW,
allows us to privately manage our own secure, private version of the Google
Play Store. This organizational play store is only available on our custom
devices and can only be managed by our company. This is very different from
what is available on standard smartphones. Our organizational play store is
controlled exclusively by Myntex. All applications are signed internally with
our cryptographic keys, further guarding against malicious code attacks. This
allows secure distribution of our custom applications to UEM secured devices.
BlackBerry UEM has no access to our ecosystem at all. This
means UEM doesn’t have access to any of our infrastructure, nor do they have
access to the application data on our secure devices. Furthermore, UEM doesn’t
track your location. If the GPS was ever accessed maliciously, mock location
data is sent – further ensuring your privacy.
A Global Industry Leader
Today,
BlackBerry UEM ranks alongside the market front-runners including Microsoft
Endpoint Manager, VMware Workspace One, Citrix Endpoint Management, IBM
MaaS360, and Ivanti UEM.
The Best UEM software will be a matter of choice for each enterprise depending
on the needs within the Internet of Things they want to securely enable. “Using
BlackBerry UEM, enterprise workers can work from almost any device, anywhere,
using a single management dashboard and end-to-end security.”
Key Blackberry UEM Differentiators:
provides behavioral risk scores to users based on
applications usage, with users who use applications consistently being deemed
low risk
offers multi-factor authentication for a secure and easy
connection to a VPN on a device
manage mobile devices from a single management interface,
reducing risks and ensuring regulatory compliance
ownership model includes bring your own device company
owned, personally enabled, and company owned business only
supports wearables such as smart glasses
For
our purposes, Myntex trusts UEM to seamlessly provide Mobile Device Management
to support our need to control mobile device functionality, including device
enrollment, and device lockdown.
We’ve become accustomed to hearing news about cyber warfare.
From hacks to ransomware and misinformation—bad actors have made worldwide
headlines with their malicious attacks.
There are measures you can take to protect yourself, like
using industry-leading cell phone encryption
to stay a step ahead of threats. By the time you realize you have been targeted
by hackers it is too late.
Just days before Russia’s invasion of Ukraine a malware menace,
known as HermeticWiper, struck Ukrainian entities as well as related targets in
Latvia and Lithuania. Examining this data wiping malware reinforces the need
for ensuring every exposed vector has the best digital security. Let’s take a
closer look at HermeticWiper to see how destructive it is.
HermeticWiper and HermeticRansom
On February
24, 2022, after a series of distributed denial of service attacks against Ukraine,
designed to knock websites offline—overwhelming them with requests until they
crash—a Slovakian security firm was first to report it found the wiper on
hundreds of machines in Ukraine. Another 50 banking systems with government
contracts were reported by Symantec to have been hit in Ukraine.
The malware was given the name “HermeticWiper” because of a
digital certificate stolen from a company called Hermetica Digital Ltd. The
first variant of this malware surfaced in
November 2021.
Lawrence Adams
of Bleeping
Computer says, “A data wiper is malware that intentionally destroys data on
a device to make the data unrecoverable and for the operating system to no
longer work correctly.”
HermeticRansom, also known as PartyTicket, was created with
Go open-source programing language. It struck on the same day as the highly
effective HermeticWiper. HermeticRansom had a decidedly unsophisticated style
and poor implementation. There was no obfuscation or intent to misdirect, and
the functioning was straightforward, suggesting it was created quickly, leading
experts to suspect it was a distraction to help the HermeticWiper do more
damage.
Mobile solutions like ChatMail™ have military-grade strength
encryption, proprietary server storage, and secondary security features preventing
malware like these type of wiper attacks. ChatMail’s technology doesn’t allow
third-party apps which perpetrate this type of attack. Additionally, it is
worth mentioning these targeted attacks were directed at the Ukraine government
and not the public.
Who Was Responsible?
Like
ransomware, a wiper requires the compromise of identities and the abuse of
privileged credentials.
Given the
nature of the ongoing war in Ukraine and the cyber conflict, future attacks could
easily expand in scope. Russian oligarchs are frantically moving their money in
the wake of international sanctions, while government officials and journalists
operate in a climate of intense eavesdropping and information control.
Other similar cyberattacks, notably WhisperGate (which sent a fake ransomware note before rendering the Master Boot Record useless once the computer is shutdown) prompted warnings from several US government agencies. Regardless of who is to blame, these wiper attacks are designed to prevent targets from using their devices to access data and further enforce the need for heightened vigilance.
Given the
nature of the ongoing war in Ukraine and the cyber conflict, future attacks could
easily expand in scope. Russian oligarchs are frantically moving their money in
the wake of international sanctions, while government officials and journalists
operate in a climate of intense eavesdropping and information control.
Whoever was
responsible, there’s nothing to suggest that the next cyber-victim will be confined
to a military opponent in the war itself. The code’s simplicity, along with the
spelling and grammar errors, suggests it was slapped together.
Plausible Deniability
The nature of cyberattacks makes it difficult to peg down
precisely who was responsible, as attackers can always invoke plausible
deniability. For example, hackers can partially take over your home computer and
use it, without your knowledge or approval, to launch
cyberattacks.
One researcher told BBC News, “Ukraine’s
military and banking websites have seen a more rapid recovery, likely due to
preparedness and increased capacity to implement mitigations.”
Governments and enterprises need to protect every aspect of
their business with digital security designed from the ground up. Myntex
provides you with complete mobile device security.
We designed and built ChatMail from the ground up, including
our custom encryption protocol. For your protection, anything unencrypted isn’t
displayed. Our parsing algorithm takes emails sent with external PGP encryption and
displays them in an easy-to-read bubble that looks like a chat message. Confidential
communications remain private as no threads remain on our servers. We do not have
roster, group, or message storage. You can access and delete your confidential
information while being offline.
As fervent advocates of privacy, Myntex extends its affiliation with likeminded companies to further enhance our customer’s privacy experience. That’s why we’ve partnered with SLNT®, a privacy alternative offering protection to an array of important non-encrypted devices.
Our flagship product – ChatMail™ prevents
anyone from eavesdropping through multiple encryption layers and security
protocols. For many of our clients, the
increasing risks of cybersecurity threats have led executives to realize the
benefits of implementing security policies, adopting the use of secure phones
with end-to-end encryption. ChatMail is
the right solution for this purpose. For all the other mobile devices you carry
that are not encrypted, SLNT offers our clients the privacy they need. The SLNT
line of products (wallets, key cases, tech sleeves and travel bags) are
designed with patented Silent Pocket® Faraday technology. Simply slip your device into one of these
sleek bags and they virtually go dark, unseen to prying eyes.
Myntex wants to protect you on all fronts. The
benefit SLNT gives you is the peace of mind that your personal information is undetectable
to eavesdroppers or criminals. Passports, credit cards, and mobile devices
cannot be accessed to tap your data when secured within.
We appreciate the design SLNT infused with
their tech, providing an understated look and refined feel. ChatMail uses a
simple yet elegant interface; styling matters to us as well as anonymity. We configure
our phones to ensure your conversations and content are secure. Whether your
communications are in transit, or your data is at rest—our customized,
tamper-proof phones and proprietary CAMP encryption protocol protects your
device from being tracked, cracked, or monitored.
ChatMail prohibits you from online browsing or installing
third-party apps, which make other phones vulnerable to cyber-attacks or
spying, because ChatMail devices are uniquely engineered for security. Designed
for privacy, ChatMail phones cannot let hackers turn on your camera or listen
to your conversation by hijacking the microphone on your device.
You can add an extra layer of protection to any
unsecure mobile phones, smart watches, key fobs, or portables you carry with
you. The technology used by SLNT is new, but the science behind comes from the
19th century experiments of Michael Faraday with electromagnetics.
This physics research became known as the Faraday
law of induction (Faraday’s law). Faraday used it to build a large box
lined with wire mesh to experiment with his discovery. He zapped the outside of
the cage with electricity, while he stood inside with an electroscope. No
electricity was detected within the wire structure. The enclosure was named
after the inventor.
The Faraday cage is still used today
in places like hospitals, such as MRIs, or in your kitchen to keep you safe
when using your microwave oven. “It works on the principle that when an
electromagnetic field hits something that can conduct electricity, the charges
remain on the exterior of the conductor rather than traveling inside.” This is
how SLNT protects your devices from electromagnetic radiation with its patented
technology, which blocks 100% of all signals.
In addition to being solar and weather-proof,
SLNT protects the contents of its containers so nothing on the outside can
access what’s inside. This includes your Bluetooth, camera, cellular, GPS,
navigation or satellite devices, and Wi-Fi. It also blocks RFID, used in ID
badges, key fobs, smartphone chips, even library books. Not only does this
protect your privacy and keep your data secure, but it also shields you from
the unhealthy effects of EMF radiation.
Trust the tech gear used by business leaders,
governments, military, and travelers alike—consider SLNT when you’re looking
for accessories to keep you and your information safe on the go.
While government
spying grabs headlines, apps that secretly eavesdrop on and track victims are
an ongoing issue. What’s more, these apps are poorly made and managed, leaving
targets data exposed.
The Vulnerability Common Across Several Stalkerware Apps
Stalkerware,
also known as spyware, is a type of app marketed for consumers who want to
secretly track someone online, often a spouse or child. It needs to be
physically installed on the target device to monitor the behaviour of the user
who is being spied on. A victims and survivors
support group was launched in 2019 and stalkerware
was banned from the Google Play Store in 2019, with mixed results.
TechCrunch found
some 400,000 user’s private data was exposed through the flaw when it conducted
a worldwide investigation spanning several months. Highly sensitive user data was
exposed through a security flaw in several spyware apps including browsing
history, photos, location data, text messages, records of phone calls and call
recordings.
An application program interface vulnerability can exist when there
are few or no safety protocols in place. The issue is explained by Carnegie Mellon University. “The
backend infrastructure shared by multiple mobile device monitoring services
does not adequately authenticate or authorize API requests, creating an IDOR
(Insecure Direct Object Reference) vulnerability.”
An IDOR
flaw can leave user’s personal data open to exploitation on the developer’s data
center. While IDORs are easy to fix at the server level, the spyware apps in
question are poorly managed and badly built. Not only do they share the same
code and web dashboards, but they are also routed through the same infrastructure.
Why Server Storage is a Vulnerability
A server controlled by 1Byte, based in Vietnam, was found to be the
common link in the nine related spyware apps. Because the apps share the same
server, they also have the same exposure. TechCrunch revealed efforts to resolve
the security flaw was ignored by both the web host for the spyware apps and the
back-end server operations.
One of the
key features about ChatMail
encrypted phones is our proprietary approach to data storage.
Your messages are stored on your encrypted phone. We never store your sensitive
information on our servers. The only data we keep is your username, account activation
date, and expiry date.
How To Protect Yourself from Coding Vulnerabilities
The impact of an IDOR is wide reaching. “An unauthenticated remote
attacker can access personal information collected from any device with one of
the stalkerware variants installed.”
Having an encrypted device designed
from the ground up to maximize privacy ensures protection against this type of
vulnerability. Myntex products are deliberately incompatible with third-party
apps because of the various security risks they introduce.
Most apps
ask for an excessive number of permissions, and users often grant this
permission without much examination. Third-party apps may sell user data to
other affiliates, as outlined above. They may also store information insecurely
on servers, which is also what happened here.
Is There Spyware on Your Phone?
TechCrunch
couldn’t reveal specific details about the vulnerability because it would
further risk compromising people who are currently unaware that their phones
have been breached. The spyware is designed to be covert, not appearing
anywhere on your home screen.
Change your
setting on Google
Play to prevent any further data theft, though this won’t address any
information already stolen. Also, check your accessibility settings to see if
they’ve been tampered with or altered.
Accessibility
features rely on wide access to your phone by design. If you don’t recognize
downloading a service in the accessibility options, delete it. You may need
further research to clarify how to do these processes since spyware is designed
to be difficult to identify and remove.
The safest
thing you can do is avoid using a phone with these vulnerabilities in the first
place. The most secure open
communication platforms let you use them without stress about information
breaches or take the time necessary to become an expert on tracking and
removing spyware.
Installing
spyware requires the perpetrator to have physical access to their victim’s
phone. Anybody is liable to leave their phone unlocked or use a weak password.
Myntex phones have a notebook lock screen with a customized pin.
Everything Needs to Be Encrypted
On the
surface, 1Byte looks like a normal software start-up. They have a Facebook
group showing people, supposedly employees, sharing team dinners and other
activities colleagues typically engage in. They went to elaborate lengths to
hide their own identities and the connections between various apps that are all
essentially the same spyware.
The many
obfuscating layers between the spyware creators put in place only reinforce how
necessary it is for every aspect of the phone to have military-grade encryption
for messages, phone conversations, and even pictures.
Legal Gray Area
Technically,
possessing
spyware is not illegal, so the government has its hands tied. The US
government has taken rare action against people who illegally plant spyware
solely for intercepting a person’s communication because they break national
wiretapping laws.
However,
enforcement powers are severely limited because global
spyware operators are out of their jurisdiction. Eliminating
these types of risks isn’t as simple as flicking a switch, even if everyone
agrees it’s a flagrant privacy violation.
The
hackers and data thieves are usually one step ahead of law enforcement and at
least two steps ahead of ordinary, unsuspecting people just trying to use their
phones. It may seem counterintuitive since everyone agrees that privacy
invasion is a type of theft that ought to be illegal, but law enforcement
doesn’t have many tools at their disposal.
It’s
understandable that most people associate data theft and privacy breaches with
the high-profile stories about spyware created by governments and sold to
other governments worldwide. Cyber and digital election interference also
draw a lot of eyeballs.
Many
people in diverse fields like journalism, politics, business, and activists
need to protect themselves from every privacy threat, even the ones that fly
under the radar.
Weeks
before Russia invaded the Ukraine, American intelligence agencies warned that Vladimir
Putin was planning state-sponsored cyber operations around the world against
critical infrastructure. Targets include Defense, Energy, Governments,
Healthcare, and Telecommunications. The Cybersecurity and Infrastructure
Security Agency, Federal Bureau of Investigation, and National Security Agency
issued a joint Cybersecurity Advisory outlining the threats and for the global
community to adopt a proactive, heightened state of awareness.
The
CSA overview served to highlight the risks and list strategies to assist with
detection, mitigation and incident response. The advisory noted in the
technical details, “Historically, Russian state-sponsored advanced persistent
threat actors have used common but effective tactics—including spearphishing,
brute force, and exploiting known vulnerabilities against accounts and networks
with weak security—to gain initial access to target networks.” A reward of up
to $10 million may be offered for information about Russian cyber operations
targeting U.S. critical infrastructure, an example of how seriously CISA, the
FBI, and NSA are taking the threat.
How it started?
On February 24, 2022, as Russia launched a large-scale attack on the Ukraine, CISA issued another alert about a group of Iranian government sponsored APTs known as MuddyWater, a subordinate element within the Iranian Ministry of Intelligence and Security. The group was observed “Conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America.”
The eve of the invasion came with a dire warning from President Putin, translated
into English, “To
anyone who would consider interfering from the outside – if you do, you will
face consequences greater than any you have faced in history.”
Of course, the world has good reason to take the threat seriously.
Just days before the physical assault came a pre-emptive virtual
strike, with distributed denial
of service attacks on Ukraine’s
government websites, foreign
ministry,
state security services and banks. Ukraine’s defense ministry and major
banks were hit with DDoS
attacks the week before, with limited impact.
How it’s going?
“The
war [in cyberspace] is underway and unfolding very intensively,” the Russian
Foreign Ministry’s international information security director
said in December 2021. “The media
rightly says that this [is] a Third World War, and what matters now is to
calculate the damage and determine who will lose it in the end and what shape
the world will eventually acquire as a result of this war.”
A botnet malware dubbed Cyclops Blink is being used by the notorious
Sandworm hackers, a destructive threat group that has been working with the
Russian military to exploit vulnerabilities in firewalls and infect networks to
gain remote access. Systems may then be used as a conduit to conduct additional attacks elsewhere, as the
point of entry may not be the primary target.
Such strategy may well have been underway for months if not years.
The US
Energy Secretary noted, “Experts
believe that Russian hackers trying to bring down part of the U.S. grid would
probably enter via a side route — breaking into a major energy provider’s
networks by infecting a software update from a less secure company.”
Another weapon in the Russian war machine cache is misinformation.
Putin’s propaganda tactics have been a hallmark of his political career. Social
Media has been infiltrated by Russian troll farms to wage political warfare on
his adversaries. Russia was accused of spreading fake news through troll
factories, swaying the US Presidential election in favour of Trump, confirmed
by former FBI Director Robert Mueller when he investigated the alleged Russian
interference in the 2016 election.
When the Kremlin invaded Crimea, Ukrainian journalist and
political analyst, Mykola Riabchuk, said the Russian hype had evolved into a
full-fledged information war. Riabchuk wrote, “Three major
narratives emerged that can be summed up as “Ukraine’s borders are artificial”,
“Ukraine’s society is deeply divided”, and “Ukrainian institutions are
irreparably dysfunctional.” To put it simply, Ukraine is a failed state (“not a
country”) . . . and it, therefore, needs external, apparently Russian,
guardianship.”
Putin’s deceptive attempt to rationalize his attack on Ukraine was
characteristic, according to one criminal
justice professor who
was quoted as saying, “This is one of those times where we can expect Russian
troll farms to be heavily active in an attempt to either depict a narrative
that fits the notion that they’re a peacekeeping force, or that there’s false flag
events that have occurred that justify their presence there or the use of
serious violence against civilians or anything else.”
Ukraine responded to the cyber threats by asking the hacker world
to come to its aid. Just as the country has built a strong resistance from
within to defend against the military attack, volunteers have rushed in to
answer the call to strike back at Russian targets online. An IT
army with thousands of hackers have already answered the call within a
matter of days. Elon Musk assisted the effort by activating Starlink satellite
service over Ukraine.
Hacktivists
took over Russian TV stations to broadcast footage from the front lines,
thwarting the state efforts to control the narrative, which likely fuelled the
increased number of protestors who risked arrest by defiantly demonstrating
against the invasion of their neighbours. Russian media sites were hijacked to
be replaced with a tombstone bearing the number of reported Russian troop
casualties.
How to be prepared?
With the potential for anyone to become a victim if Russia
retaliates with a global cyber conflict, now is the time to be extra vigilant
with your online behaviour.
Know that governments are focused on keeping critical infrastructure
safe in this heightened state of crisis. This means being aware is important
but there is no need to panic. Arm yourself with trustworthy information and
don’t amplify baseless reports.
Myntex recommends several methods to keep your digital vectors
safe from attack. Start with some basics, like ensuring your system updates are
handled promptly to patch developer vulnerabilities. Implement multi-factor
authentication wherever possible. Practice cybersecurity common sense by
staying apprised of phishing attack techniques and other means of infiltration
used by threat actors. Ensure your service provider secures the servers you rely on with
DDoS protection. In these uncertain times, it is wise to have a plan
to remain operational in the event of a cyber-attack, such as ransomware.
The best way for business to secure mobile devices is to remove
the risk from online browsing and to use end-to-end encrypted
communications to safeguard your privacy. Don’t trust free apps, you’ll be
giving away your personal data when you agree to their terms of use. If you’re
not paying for the product, you become the product.
While the implications for a growing cyber-conflict are real, it
is encouraging to note the world is standing guard against attacks, which have yet
to materialize at the time of writing this post.
There’s so much public discussion about digital security and
privacy these days. In 2022, the number of mobile phone users worldwide is 7.2
billion, over 90% of the population. Anyone using a cell phone can be targeted
by hackers or fall victim to identity theft. While digital security concerns can
impact most people, few understand the nature of specific vulnerabilities.
Examining a major cybersecurity
threat can shed light on how hackers access unauthorized material and
demonstrate the importance of how your personal and sensitive data may be
exposed online.
The Canada Revenue Agency recently reported it was susceptible to
the Log4j security vulnerability, known as Log4Shell. It was not alone, 44% of global
corporate networks were reportedly affected. Estimates of 10 million attempts per
hour in the U.S. alone were made to exploit it after being discovered in December
2021.
The CRA outlined
the problem in a series of statements and was offline for several days while
it took precautionary measures to mitigate the risk to Canadians. While the agency
claims no system or user information was compromised, it was a major disruption
for those who use the site for a variety of tax and income benefit programs.
CyberNews noted,
“Log4j is incorporated in widely used Apache-related frameworks, which means the
spread of vulnerability might be like something never seen before.” In addition
to government sites—like the CRAs—Amazon, Android OS, Apple, Google Documents, LinkedIn,
Netflix, Steam, Twitter, Uber, and millions of other firms were exposed due to
the software bug.
Software Flaw
Log4J is known as a Zero Day exploit, a term that applies to
vulnerabilities that are compromised by malicious threat actors before the
software developer discovers the error. Despite multiple fixes implemented to
the Java-based library for the open-source logging utility, the threat lingers.
Cybersecurity experts worry that many were unaware of the danger and didn’t act
fast enough to mitigate the risk.
If IT teams didn’t patch the defect promptly it would be able to grant
easy
access to internal networks where those with mal-intent could mine data, launch
malware attacks, manipulate information, etc. Hackers who were able to find
loopholes may be waiting for opportunities to attack or sell access to the
compromised sites on the dark web for future exploitation.
The vulnerability was rated 10 out of 10 by the non-profit Apache Software Foundation, which administers the software’s
development. “Anyone with the exploit can obtain full access to an unpatched
computer that uses the software. Experts said the extreme ease with which the
vulnerability lets an attacker access a web server–no password required–is what
makes it so dangerous.”
Big
Implications
Log4j is present
in almost all Java-based products and web services, from webcams to car
navigation systems and medical devices. The repercussions from something like a
ransomware attack or any number of other threats would be enormous.
While no major attacks have been detected, experts said there
probably would be eventually. Fear, uncertainty, and doubt is a strong
motivator in a digital society. For Log4j, an urgent alarm was raised within
the IT community for valid reasons. The FUD factor was not exaggerated and was,
in fact, necessary to achieve the prompt response required to avert a potential
disaster online.
Illusion of
Security
Vulnerabilities exist in many free apps that are popular today. Unlike
this recently discovered one, that the world has scrambled to fix, there are
issues you should be aware of before you trust your privacy to an encrypted
cell phone communication app like Telegram.
While these types of free services may offer end-to-end encryption
or promote their service as being encrypted on their cloud, if the messages you
send are stored on its servers, they are still vulnerable to being hacked. Many
encrypted devices are sold using free services, like Signal,
despite a list of
vulnerabilities.
Businesses, governments, and individuals need the confidence of
knowing their encrypted
cell phone is built for security from the ground up.
Even if free messaging services offer ample levels of encryption,
vulnerabilities may still exist in the company’s business model that undermine
the level of security they offer. For example, WhatsApp has been known to share
users’ personal
information with Facebook (Meta) and third-party marketers.
Similarly, WhatsApp has accidentally permitted unauthorized access
to user information after storing sensitive data insecurely. A company can
offer the strongest level of encryption available, but it’s all for nothing if
they also compromise
data privacy as a routine part of their business practices or because they
don’t have strong security protocols in place.
Security
Above All
Myntex prioritizes security and privacy. Where other companies market
personal data leveraged from their customers to third parties, Myntex secure communications ensures
users’ private information remains confidential.
From the proprietary design that ensures servers don’t store
confidential information like notes, emails, or encrypted messages, people can enjoy
peace of mind knowing that their information won’t get into the wrong hands. Keeping
totally secure is also straightforward for anybody, even if they aren’t
especially tech-savvy.
Smartphones
are popular around the world, so it’s not surprising that people everywhere
care about digital privacy. Phones are an incredible piece of technology that
keep us connected to the people, products, and information all around us.
They are
also a means through which hackers, cybercriminals, government agencies, and
other groups can gather your personal information.
Germany’s
new coalition government offers many things digital rights activists have asked
for, such as a “right to encryption,” “a right to anonymity,” “increased IT
security,” and more. However, in practice, even governments that claim they
value encryption often don’t guarantee it.
How can people
be sure of their privacy when robust encryption laws exist simultaneously with
legal mechanisms for state surveillance and decryption? A deeper look into
Germany’s recent past and present makes it clear that the difference between
total privacy and some privacy is irreconcilable.
Encryption Backdoors
Versus Government Hacking
The
government has at least two ways of accessing people’s private information:
installing a secret backdoor into encryption protocols or outright hacking.
Both methods compromise citizens’ privacy but in different ways.
In 2021,
the prior conservative German government issued statistics about its use of
hacking for the first time. Police and investigative authorities
ordered the more
invasive online search 33 times in 21 procedures and used it in 12 cases.
Hacking to eavesdrop through surveillance was used 31 times and used in three
cases. “These
authorities use government hacking tools primarily to investigate drug and
property crimes, not murder or terrorism as initially intended.”
According to another report, German government hacking wasn’t used in any successful criminal investigation or emergency response between 2017 and 2020. “Government hacking is understood as interfering with the integrity of software – including online services — or hardware to access data in transit, data at rest, and sensors to manipulate a target’s device by law enforcement for the purpose of criminal investigations [in a targeted manner].”
Encryption
backdoors would allow the government to bypass any encryption used by the
population. Unlike government hacking, using a backdoor to sidestep
encryption still compromises security and would be done outside of the protections
afforded by law.
Whereas
hacking exists within a legal framework, encryption backdoors directly
contradict the law as it currently stands. That’s why policy discussions within
Germany only extend to government hacking. However, they might influence EU law
to allow for encryption backdoors, where they may have a higher chance for
success.
German Foreign
Intelligence and the CIA / NSA
The
European Council, in December 2020, adopted a resolution called Security
Through Encryption and Security Despite Encryption. It underlines the
importance of encryption for security while also undermining encryption by
indirectly asking for backdoors to encryption for the authorities.
Such a conflicting
approach is not new to German surveillance.
During the Cold War, the Federal Republic of Germany’s foreign
intelligence service worked with the CIA to decode messages from allies and enemies alike. Dubbed Operation
Rubicon, these intelligence agencies both made money off the technology and
used it to eavesdrop for decades.
The partnership was considered the “intelligence coup of the century”. The encryption devices, made by a Swiss firm and sold to NATO allies for their own espionage purposes, were owned by the CIA—unbeknownst to the buyers—and enabled the two countries to spy on their own allies with ease. The US and Germany not only listened freely, but they also collected money from the victims. However, such alliances aren’t always trustworthy in the long term. It turns out that undermining encryption communications can backfire against the perpetrators.
Denmark
helped the US spy on countries like Germany, including eavesdropping on German
chancellor Angela Merkel between 2012-2014. The US National Spy Agency accessed
text messages and phone conversations of numerous prominent individuals by
tapping Danish internet cables with the cooperation of the FE, Denmark’s secret
service.
Known by
the codename Operation Dunhammer, the digital communications
surveillance of allied countries heads of state proved not only enemies
couldn’t be trusted with respecting privacy and security. How can ordinary
citizens put their faith in government to secure their privacy if world leaders
can’t protect their own?
For almost
too many reasons to name, the importance of secure and open
communication
cannot be overstated: people need to feel like they can chat freely for the
sake of staying in touch with friends, engaging in political discourse, conducting
business, and so much more.
Permeable Encryption
The group
in Germany that supports embedding systematic weaknesses in encryption, to
enable intelligence and law enforcement agencies to be more effective, is
small.
Governments,
like Germany, are increasingly exploiting the public’s rights to privacy. Using
the premise of heightened security to extend law enforcements’ reach, governments
justify hacking and asking for backdoors into encryption.
Encryption
keeps people safe from cybercrime and prying eyes, but it can’t do that if
governments’ want access to support justice because once a backdoor is in place
bad actors will get in. Germany might be seeking to appease digital rights
advocates in the country, but deliberately leaving holes in their privacy
protection is a risk to the government and its’ citizens.
Using a
hardened phone on a device built from the ground up for maximum security and
privacy protection is the only way to ensure your digital communications are
never compromised. Business leaders, journalists, lawyers, and, as the above
has made clear, world leaders need to know that no one can crack their phone.
The only
way to ensure your conversations remain confidential is to get a phone with
military-grade encryption with secondary security features hosted on a private
server to protect against potential vulnerabilities.
It was the end of an era for the BlackBerry 10 Operating System, which now ceases to exist starting today – January 4, 2022. BlackBerry BB10 powered smartphones—with the legacy QWERTY keyboard favoured by professionals, businesses, and world leaders—haven’t been produced since 2017.
BlackBerry delayed
decommissioning the service out of loyalty to its customers, according to CEO, John
Chen, who successfully transitioned the firm to a software company in 2016. However,
BlackBerry Android devices were not affected by the BB OS end of life.
The BlackBerry phone was introduced in 1999, by the Canadian
technology parent company originally called Research in Motion. The phone was a
hit, with the business world thanks to email on the go and instant messaging.
Celebrities played a role in the brand’s popularity.
In 2008, Kim Kardashian flaunted an 8330 Pink Curve and President Barack Obama had
to fight hard to be able to continue to use his BlackBerry when elected that
same year. BlackBerry
Messenger was even featured in the lyrics and titles of songs by the likes
of Sean Kingston. The BBM encrypted program ceased in 2019.
BlackBerry phone sales peaked at 50 million in 2011. But it had
already peaked as having the largest slice of pie in the smartphone segment,
which was serving a different experience to a new demographic.
When RIM released its first touch screen—Storm—in 2008, it was
certain their product would prevail. The company wasn’t convinced its new
competitors were not a threat. By 2011, the iPhone had eclipsed BlackBerry. But
the company was tenacious and would not give up easily.
Designed to save the one-time industry front-runner, the BB10 OS was
two years late in its rollout. During the delay the company’s market share had
taken a dive from 20 per cent to just five per cent of a mobile phone niche
catering to business. The company’s stock plummeted.
Two new phones were designed to work with the OS, which
finally arrived in January 2013. To coincide with the late
launch, RIM changed its name to BlackBerry
Limited. The
rebranded company had high hopes for its latest touch screen model, without an
external keyboard, the Z10. The Q10, which featured a full functioning QWERTY
setup, was released a few months later. But the phones felt dated upon
arrival and struggled to compete in the saturated market of touch screens dominated
by Apple.
Wall Street Journal columnist Walter Mossberg was quoted as saying, ““The Z10
and BB10 represent a radical reinvention of the BlackBerry,” writes
Mossberg. “The hardware is decent and the user interface is logical and
generally easy to use. I believe it has a chance of getting RIM back into the
game, if the company can attract a lot more apps.”
When BlackBerry’s then CEO, Thorsten Heins, launched BB10, he laid claim to the Z10s target audience. “The device is for people with a hyperconnected social group, who like to get things done, who like balance in their work and social life, who like the simplicity of having everything in one place, who want to move from app to app without having to hit the home button the whole time.” Even though the Z10 promised an extraordinary battery life with 10 hours of talk time, smartphone users had moved on. Developers were designing apps for the competitors instead, which was what consumers wanted.
Myntex CEO, Geoff Green says, “I think it’s great to see a company like BlackBerry show initiative and create one of the first mainstream encrypted communication platforms for customers. If we think back a decade ago, neither Apple nor Android had anything similar.” The public is still being educated about the advantages of encryption and the risks of using free apps. But the business world embraced the benefits of privacy and security when they made BlackBerry a sensation, with stock prices rising to $145 a share..
When Myntex was a start-up business, BlackBerry
PGP encryption was an attractive prospect thanks to its security and authentication, providing
users with peace of mind their email was private. Myntex began by providing custom
encrypted solutions for BlackBerry phones. Although, Myntex did not adopt the
BB10 OS to use with the company’s flagship product, ChatMail; various models of
hardware from the BlackBerry collection have been used. BlackBerry relinquished
fabrication of its hardware in 2019 when it also stopped adding BB10 to its
phones.
Myntex has also used Blackberry Unified Endpoint Management as a
trusted security model. BlackBerry UEM continues to be an industry-leading
interface for business, regardless of the platform they choose to use, and will
continue to serve business—which is what the company does best—providing
protection for years to come.
People everywhere are worried about keeping their private
data confidential when using digital technology, but convenience usually
outweighs concern people have about encryption and what happens after sensitive
information becomes public. How is your data being gathered? What do companies or
governments who harvest personal information do with it and what happens when a
hacker gets your details?
People would be surprised to know how
data is collected and what’s done with it. Let’s examine some of these
questions to further understand why safeguarding your personal data is crucial.
Government Spying
Governments worldwide use the power at their disposal to
gather data on citizens who they perceive to be a threat, like activists,
political rivals, journalists and others. Vice
reported that border agents seize tens of thousands of digital devices
every year from travellers, even when they haven’t been charged with a crime.
The information extracted from these devices is then uploaded
into a searchable database and retained for up to 75 years, including sensitive
information like GPS history, text messages, emails, social media posts,
photos, transaction records, financial accounts and more.
The idea of a centralized collection of personal data
gathered from people who aren’t even charged with a crime is disturbing. Can an
entity that goes to such elaborate lengths to compile this much sensitive data
on innocent people be trusted to use it responsibly?
Corporate Data Harvesting
Most free app developers tell users they take digital
security seriously, often proclaiming their product has “end-to-end
encryption.”
However, while many do use encryption on data in transit,
none of these free apps can promise encryption at rest. And the majority have
policies to sell the data they collect from users to third-party marketing
companies. Sometimes, users don’t realize how much personal information they
turn over to companies when they agree to the permissions on these apps.
This is potentially dangerous. The stakes
are high when hackers obtain all the information available from millions of
people. In June 2020, the data from one-fifth of all Facebook users appeared
for sale on an online forum. By April of the following year, a dataset of 500
million Facebook users became available for free to download by anyone online.
Hackers want to make money from the data they steal, but
they also make it widely accessible to large numbers of people to increase
their prestige within the hacker subculture. In other words, they’re
leveraging stolen data for profit, but they’re also driven to give it away for
free.
Companies and businesses
need privacy to keep up with digital threats, staying a step ahead instead
of constantly being a step behind. It’s all too common for people to conduct
business through platforms where leaks have occurred.
Secure features such as ChatMail encrypted calling let
managers and executives keep up with the pace of business in a way that’s
fundamentally safe. It’s essential to avoid using third-party platforms that put
them at risk. Using a platform with features that are built for security from
the ground up keeps you connected without risking your privacy.
What Can Happen to Stolen Data?
Companies that harvest data may use it in a way that
negatively impacts your business. What happens to your data after a breach?
Back in 2015, researchers sought to answer this question by posting fake
employee credentials online to an anonymous dark
web file-sharing site, which they would then track to learn where stolen
data goes.
Embedding a hidden watermark in files the researchers were
able to find out information about the person who opened it, including their
geolocation, IP address and device type. In just a few days, the data reached
more than five countries on three continents and gained over 200 views. Less
than two weeks later, it reached more than 22 countries and had over 1,000
views.
Deeper analysis revealed a high rate of activity among two
cybercrime syndicates from Nigeria and Russia. The dark web’s organized
marketplace for criminal activity includes data harvested from breaches. These
data resellers are even formalized to the point where suppliers, who number in
the hundreds, have user reviews from people who have purchased their stolen
data.
In 2020, Verizon concluded in a study that most data theft
is driven by financial motives rather than mischief or grudge settling.
Typically, hackers steal data then ask for ransom, or they’ll sell the info
they stole on the dark web. Financial hacks are six to seven times more likely
to occur than those driven by ideology or something else.
Double Extortion
High-profile hacks like the one conducted in 2014 against
Sony had a double effect: the hackers threatened to publish sensitive
information unless their demands were met and once they were, the hackers
published the stolen data anyway. Sony had to pay millions to compensate
employees whose data was stolen and published online and suffered vast economic
and operational damage.
Companies like
IBM are now opposed to paying a ransom because there’s no guarantee the
hackers will deliver on their promise. How trustworthy can data thieves
possibly be?
Sometimes the hacker doesn’t steal information but prevents users
from accessing their own computer until they get a ransom. Even in these cases,
the payment isn’t the only problem.
Ultimately, once you’ve been hacked, the best possible
outcome is still quite grim. Using an encrypted
phone line on a platform designed for maximum security prevents this
scenario from even arising.
Trying to find out what happens to your data after a breach
is not something you want to experience. Best to heed the warnings and use a
hardened device with security features that intentionally doesn’t allow
third-party apps, to ensure your privacy.