A (cyber) war with North Korea has already been waged for years

For a country with notoriously limited internet access, North Korea has been surprisingly aggressive with their cyberattacks over the last couple of years. Although a geopolitical storm is brewing between the United States and the Hermit Kingdom, a digital battle has already been fought for some time. Western governments and companies should brace for this cyberwar to heat up even more as the verbal threats fly.

It was reported this week that individuals involved with U.S. defense contractors were baited by Lazarus, the infamous hacker group believed to work for the North Korean authorities. This is the same group responsible for the 2014 Sony hack, a retaliation for the production of The Interview, a comedy depicting the assassination of Kim Jong-Un.

The group is also thought to be behind the WannaCry ransomware attack earlier this year. WannaCry affected over 300,000 people in 150 countries, notably by crippling the computer system of Britain’s National Health Service (NHS), causing surgery delays and emergency room shutdowns. It was the largest ransomware scheme in history, affecting banks, telecommunications companies, and a host of players in other vital sectors.

The latest hack was announced by Palo Alto Networks on Monday. They reported that weaponized Microsoft Office Documents were posted online using the exact copy of publicly available job descriptions for U.S. defense contractors and hosted on compromised systems. While it is unclear how the documents were distributed to contractors and if any were fooled by the postings, the malware was clearly targeted to those who may hold in their networks very sensitive information about U.S. military secrets and other government information.

As we have repeated many times, anyone acting as a supplier to the government or major companies is at great risk of being targeted by cybercriminals.

With the situation in North Korea escalating, companies and contractors everywhere need to take a serious look at their digital weaknesses and assess how to strengthen their cybersecurity capabilities.

The best way to do this is to use Evizone Secure Communications (ESC) and Evizone Communications Governance (ECG). Sign up for a free trial of our software and see for yourself how our closed communication and data storage system can protect your most precious information from unwanted intrusions.

Will NAFTA 2.0 compromise your data?

The renegotiation of the North American Free Trade Agreement (NAFTA) is slated to begin on August 16, and it’s top of mind for government officials in the U.S., Canada, and Mexico.

U.S. President Donald Trump made the renegotiation a key plank of his campaign platform, though it now seems like his government intends to enter the talks with a scalpel rather than the promised axe. Changes to the trade of goods and services will likely resemble modernization rather than a protectionist scale-back, as many worried about.

Yet even small changes could have exponential consequences, as many have pointed out with the issue surrounding copyrights and patents. There are similar concerns around cybersecurity, an issue that wasn’t of great concern when NAFTA commenced in 1994.

As Motherboard reports, privacy experts are “concerned American law enforcement or spy agencies could get access to Canadians’ sensitive information.” This is because the United States has indicated “it wants to end any regulations that restrict cross-border data flow, arguing they prevent US-based cloud storage companies from doing their business there.”

Data stored on Canadian servers are subject to the Charter of Rights and Freedoms and other Canadian privacy laws, but it does not apply to Canadian data stored on foreign servers. Canadian data stored on U.S. servers don’t benefit from American protections.

As a result, both British Columbia and Nova Scotia have implemented rules requiring government agencies to store their data in Canada. The U.S. administration sees these rules as unfair.

Critics cited in the article point out that that Canadian officials already share way too much information with the United States, and that data might not be safer on either side of the border.

Under these conditions, can Canadians ever expect to keep their data safe from prying eyes?

With Evizone, the answer is yes.

All data trusted to us through Evizone Secure Communications (ESC) and Evizone Communications Governance (ECG) gets stored in certified high-security data centers. Our patented software is the strongest commercially available system for the secure exchange and compliance archiving of electronic communications, and all files are protected by our proprietary double layer military-grade encryption.

Do give us a call to learn more, or visit us at http://evizone.com/free-trial/ for a free trial of Evizone Secure Communications and Evizone Communications Governance.

A new attack on HBO

You’d think after the multitude of examples of cyberattacks on titans of the entertainment industry – most notably the gargantuan Sony hack in October 2014 – that companies in that sector would be rushing to adequately protect their online assets.

Unfortunately, you’d be wrong. Not long after the most recent season of Netflix’s Orange is the New Black was stolen by hackers, cable TV powerhouse HBO suffered a cyberattack:

…upcoming episodes of a couple series and at least one alleged script or treatment have been put online by hackers who breached the company’s systems — with more threatened to be coming soon.

“HBO recently experienced a cyber incident, which resulted in the compromise of proprietary information,” the network confirmed in a statement. “We immediately began investigating the incident and are working with law enforcement and outside cybersecurity firms. Data protection is a top priority at HBO, and we take seriously our responsibility to protect the data we hold.”

Hackers claimed to have obtained 1.5 terabytes of data from the company. So far, an upcoming episode of Ballers and Room 104 have apparently been put online. There is also written material that’s allegedly from next week’s fourth episode of Game of Thrones. More is promised to be “coming soon.”

Many hacks occur when third-parties, who have crucial proprietary information and files, are attacked by cybercriminals. That was the case with Netflix: hackers were able to steal Orange is the New Black by gaining access to the network of Larson Studios, an audio post-production company. It wasn’t Netflix that was attacked, but rather a vendor to the company. In some cases, the hackers gain access to corporate secrets through spear phishing schemes, in which any and all employees can unknowingly become the gateways to their company’s most sensitive information due to poor email practices.

Anyone acting as a third-party supplier to major companies is at great risk and must take steps to protect their assets. If they fail to do this, they risk losing the confidence of their clients. These types of attacks aren’t going away anytime soon. In fact, they will get more common.

Services like Evizone help to ensure that proprietary information is protected with the strongest cybersecurity technology available on the market.

Don’t wait until it is too late to act!

End to End Encryption and Proof of Supervision: Who Wins?

Australia’s recent move to ban end to end encryption puts the spotlight on the conflict between the right to privacy and a country’s responsibility to protect its citizens. Australian Prime Minister Malcolm Turnbull explained  “we need to ensure that the internet is not used as a dark place for bad people to hide their criminal activities from the law” as a justification for banning end-to-end encryption. We agree entirely, but this does not justify a lack of due process and unreasonable invasions of personal privacy by unaccountable governments.

In reality, the mathematical encryption of data is no more a declaration of guilt than locking the doors to your house means you have something to hide. We believe it to be the right of every citizen, within reason, to protect their data as they would any other possession.

And while encryption and protection are at the core of our business, we equally believe in the need for transparency; when required by the law or fiduciary obligations as it is for most organizations.  The need for transparency in the workings of an organization is just as imperative as the need for security. As Evizone chairman Bill Wells puts it:

“Imagine if employees or public servants are all communicating with unbreakable encryption so no one can monitor what actually is going on. This is why compliance regulations and the duty to provide “Proof of Supervision” exist. The need to maintain transparency and oversight while still preserving appropriate security of sensitive information is critical. Unbreakable encryption and “Proof of Supervision” are mutually exclusive.

It is a difficult needle to thread, but we have done it at Evizone. Information is secure when it needs to be, but transparency and control are maintained and “Proof of Supervision” is unquestioned. Give us a call and we will be happy to show you how we do it.”

At Evizone you can be sure your communications are secured with the strongest security commercially available and we will defend your right to due process. At the same time you can also be sure that you have total transparency and oversight of the content of your organization’s communications – all managed by policy and with iron clad Proof of Supervision. Falling for the “end to end encrypted therefore safe” canard only means assuming an even bigger risk as Proof of Supervision goes out the window. Failure to supervise constitutes gross negligence and can create enormous liability for any organization.

Do give us a call to learn more, or visit us at http://evizone.com/free-trial/ for a free trial of Evizone Secure Communications and Evizone Communications Governance.

The UN is worried about cybersecurity – they should be

The International Telecommunication Union (ITU), a division of the United Nations, recently released their Global Cybersecurity Index for 2017. The report looks at the ability of countries to defend themselves against major cyberattacks – which include shutting down power grids and freezing communications in hospitals.

The agency reports that “there is still an evident gap between countries in terms of awareness, understanding, knowledge and finally capacity to deploy the proper strategies, capabilities and programmes [sic] to ensure a safe and appropriate use of [information and communication technology] as enablers for economic development.”

Reviewing the cybersecurity policies of 193 nations while considering legal, technical, organizational, capacity building and cooperation aspects, the ITU ranked the following as the 10 most prepared countries in the world:

  1. Singapore
  2. United States of America
  3. Malaysia
  4. Oman
  5. Estonia
  6. Mauritius
  7. Australia
  8. Georgia
  9. France
  10. Canada

And since you’re probably wondering who ranks in the 10 worst, they are:

  1. Equatorial Guinea
  2. Yemen
  3. Central African Republic
  4. Dominica
  5. Tuvalu
  6. Timor-Leste
  7. Somalia
  8. Guinea-Bissau
  9. Comoros
  10. Vatican

There is obviously a discrepancy in terms of wealth between these nations, but it is still worrying to see that those considered to be the most prepared are nevertheless highly vulnerable to attacks.

While the United States ranks second best, it still faces a load of problems. We need only to think of the Sony hacks, the election scandals, and the WannaCry and Petya ransomware attacks to know that the government should not be slapping its own back in satisfaction.

One in 131 emails sent around the world are malicious and 15% or more of businesses in the top 10 industry sectors have been attacked. Global ransomware damages are predicted to exceed $5 billion in 2017.

It’s time for countries to develop better cybersecurity contingency plans. Until they do, companies and individuals need to do everything they can to ensure that their own data is well protected.

For a free trial of Evizone Secure Communications and Evizone Communications Governance, visit us at http://evizone.com/free-trial/.

Use the summer lull to update your cybersecurity protection

The summer provides the ideal time for a number of catch-up activities: you can watch those blockbuster films you missed all year, finally thumb through that pile of subscription magazines, and clean out the old dusty toolshed in the backyard.

The dog days are also a great time for companies to think about their cybersecurity.

An article for SecurityWeek suggests that the vacation period leaves firms open to vulnerabilities:

“With employees travelling, it’s important to address your security posture. Are your assets patched, encrypted and up to date with the latest protection updates as driven by your security posture? If not, can you make this a priority before those assets start traveling to unknown locations in employees’ luggage and carry-on bags?

Within the security organization specifically, have you planned for personnel shortages and coverage while employees take vacation? Do you have contact information for all critical members of the organization and their backups in case a significant incident is discovered? The threat actors in today’s environment recognize that organizations may not be as diligent about monitoring alerts over the summer, and they’ll take advantage of the potential opportunity for increased dwell time. Now is the time to plan and prepare; you may even want to conduct an incident response drill.

In addition to evaluating your organization’s overall security posture and your team’s readiness to handle staffing challenges, the summer gives individuals on your security team the chance to expand their roles and responsibilities. Are there projects that need additional resources? Processes that need to be improved or standardized? The summer is a fantastic time to do an overall evaluation and put in place new challenges and opportunities for security staff members to undertake in the second half of the year.

As you evaluate your security program, think about everything you can do to make progress toward your annual goals. How are you expanding the security visibility in your organization? Do you have access to the data sources you need to confidently detect and respond to threats in your organization? Do you have processes in place to efficiently handle incidents? How have these things changed over the course of the year so far? With half the year already behind you, it’s important to step back and evaluate the overall security posture.”

Evizone provides the ideal protection against theft and data breaches. No information transmitted through our secure communications software is stored on the devices involved. Instead, data resides on servers protected with military-grade encryption.

Take advantage of our FREE TRAIL and rest easy, margarita in hand, knowing that your company is utilizing the strongest commercially available communication tool on the market.

BREAKING: new ransomware attacks companies around the world

Here we go again.

In May, the world was afflicted by the WannaCry ransomware scheme targeting hospitals, banks, telecommunication companies, and other essential services in over 150 countries. A similar outbreak is taking place today as well.

Several media outlets are reporting that private companies in Spain, France, Ukraine, Russia, and others are being locked out of their corporate data and being extorted for $300 worth of bitcoins in order to regain access to their vital files.

Motherboard reports:

[Costin Raiu, a security researcher at Kaspersky Lab,] believes the ransomware strain is known as Petya or Petrwrap, a well-known type of ransomware. Researchers at MalwareHunterTeam, a research group focused on ransomware, told Motherboard in a Twitter direct message they believed the attack was from the same malware family as the one identified by Raiu. Like other types of ransomware, the malware seen Tuesday encrypts files on a user’s system; hackers say they will give victims the encryption key in exchange for bitcoin.

According to a tweet from anti-virus company Avira, the Petya attacks were taking advantage of the EternalBlue exploit previously leaked by the group known as The Shadow Brokers (Motherboard could not independently confirm this at the time of writing). EternalBlue is the same exploit used in the WannaCry attacks; it takes advantage of a vulnerability in the SMB data-transfer protocol, and Microsoft has since patched the issue. However, whether customers apply that patch is another matter.

Spanish outlet El Confidencial reported hackers had hit the Madrid office of DLA Piper, a global law firm. One person familiar with the attack sent Motherboard a photo of an infected computer the source said was in DLA Piper’s Washington DC office, and claimed that employees had been told to leave their workstations (neither the DC or Madrid office immediately responded to phone calls).

Hackers also attacked a Ukrainian media company, according to a local report from 24tv, one of the company’s outlets.

The hackers who control the email account posted in the ransomware message did not immediately respond to a request for comment.

Security researchers from Kaspersky Lab reported that the ransomware hit Russia, Ukraine, Spain, France, among others. Several people on Twitter reported witnessing or hearing reports of the outbreak in their respective countries, and across a wide range of industries. Companies around the world also reported computer outages.

Chris Sistrunk, a security researcher at Mandiant, said that it looks like there’s “another global outbreak attack.”

As we have warned in the past, these types of attacks will only become more common as time goes on. It’s time for companies to rethink their data storage strategy and look towards services like Evizone to ensure their information is protected by the strongest cybersecurity technology available on the market. Don’t wait to get hacked before acting.

New York State puts the hammer down on cybersecurity for financial services – with global implications!

If you are a financial services firm operating in New York State as of March 1, 2017 your world has changed. Even those not operating in New York and not in financial services should pay close attention. Rules promulgated in New York have a way of spreading worldwide when it comes to financial services and public companies. I predict these rules will become standard for any company listed on the NYSE or Nasdaq eventually and from there to all public companies worldwide. The link to the rules is HERE.

There is a lot of implications in these rules. I will focus on just a few related to Evizone’s specialty of electronic communications in order to encourage you to read the rules and think about what it means for your business. The rules require (among many other things):

  • Encryption of Nonpublic Information held or transmitted both in transit over external networks and at rest;
  • Secure disposal on a periodic basis of any Nonpublic Information that is no longer necessary for business operations or for other legitimate business purposes, except where such information is otherwise required to be retained by law or regulation;
  • Multi factor authentication;
  • Audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of normal operations.

The Chairman or an appropriate senior officer of the firm is required to certify compliance, in writing, with these rules annually.

These rules have profound implications for electronic communications. Here are just a few:

  1. Use of regular or encrypted e mail for Nonpublic Information outside the firm’s networks is non-compliant (i.e. communicating with external auditors, law firms, consultants etc.) since multi factor authentication cannot be enforced, encryption at rest is questionable, secure disposal is not enforceable and audit trails once the information has been sent are non-existent;
  2. Comprehensive monitoring of all types of electronic communications is required to ensure Nonpublic Information is not being transmitted inappropriately. This monitoring system must have a strong governance model, maintain non-tamperable audit trails, be encrypted in motion and at rest, require multi factor authentication and ensure secure disposal in accordance with policy;
  3. Electronic communications records on laptops and mobile devices are subject to these requirements as well. If a laptop goes missing with megabytes of Nonpublic Information held in old e mails and documents on the hard drive that is a major fail under these rules;
  4. Compliance archiving systems must also ensure encryption in motion and at rest, require multi factor authentication, maintain non-tamperable audit trails and ensure secure disposal in accordance with policy;
  5. While not mentioned specifically there is an implication that encryption of documents at rest must be kept up to the latest standard. A five year old document using five year old encryption is effectively not encrypted as the old standards become vulnerable.

I could go on and on, but I believe the point has been made. Current methods of electronic communications and compliance archiving simply do not satisfy these rules. Firm Chairs or Officers who certify that they do are at great risk.

Fortunately at Evizone we have been working on these issues for years. Evizone’s Secure Communications and Communications Governance products do comply with these rules in every respect. Give us a call to find out how we do it. We will be happy to show you.

Bill Wells is the Chairman of Evizone. This blog originally appeared on Bill’s LinkedIn page.

Is cybersecurity dead? Not by a longshot

It’s a provocative title. An op-ed in Forbes declared that Cybersecurity is Dead. Author Mike Baukes writes that:

It is 2017, and we now have ample evidence proving that the false promise of so much cybersecurity — that risk can be entirely eliminated with one simple program — will, barring a technological revolution, never be realized.

The data is in: Cybersecurity is dead. Even as global cybersecurity spending is expected to balloon to over $100 billion by 2020, the frequency and severity of cyberattacks continue to grow, with seemingly no end in sight. While exploits and hacking tools become even more widely available and simple to deploy, there has been little commensurate progress in beating back attackers, who continue to find success striking at persistent, common weak points. How is this possible?

The answer is one that must chagrin any CISO spending exorbitant amounts of money on cybersecurity programs: The entire conception upon which cybersecurity rests — of constructing a castle, against which any marauding attackers stand little chance of breaching — is barely of use.

It would be mildly amusing but for a simple fact: The integrity of sensitive data, ranging from your grandmother’s medical records to your personal financial information, relies on its secure storage by a dizzying array of institutions. It is no exaggeration to say that cyber risk — the accumulated potential for the exposure of privileged data — is a matter of life and death, as seen in the frightening effects of cyberattacks on the healthcare industry across the world. The existing conceptions of how IT systems can be secured and protected must be discarded in favor of a new and more diffuse understanding of cyber risk.

He makes a good point. A chain is only as strong as its weakest link. If data isn’t stored on secure servers, even the most advanced software in the world won’t protect your information.

But to say cybersecurity is dead is hyperbole. What needs to be done is to radically rethink the general approach to online communications and data storage.

Thankfully, Evizone has already done the rethinking.

Our two products, Evizone Secure Communications (ESC) and Evizone Communications Governance (ECG) provide the strongest commercially available system for secure communication and document sharing.

Evizone has created the ideal proverbial digital castle: all data transmitted through Evizone is stored on servers protected with patented military-grade technology. Nothing is ever stored on external devices, meaning cellphones or computers will not compromise any information.

Evizone provides its clients with a closed-circuit system, the only way you can have true secure communications in the twenty-first century. What use is a castle if the drawbridge is always down?

Far from dead, cybersecurity just needed to be approached from a different angle. Evizone brings you to the forefront of this new way of thinking.

University emails at high risk of hacking

A new report from the Digital Citizens Alliance called Cyber Criminals, College Credentials, and the Dark Web demonstrates the enormous challenge that arises from unsecure higher education emails and the damage they can cause.

Over the past eight years, researchers have discovered 13,930,176 e-mail addresses and passwords belonging to faculty, staff, students, and alumni at the 300 largest higher education institutions in the United States available to cyber criminals on Dark Web sites. Anyone can purchase the data and use the emails to enact their fraudulent schemes.

While many of the accounts are hacked from staff and students, some of the emails available for sale in the digital underground are fake emails. While not attributed to a real person, these addresses utilize the institution’s domain name, taking advantage of the credibility often associated with a .edu address.

The non-profit’s press release notes that “fake e-mails can be used to scam others in the university and college communities. Criminals can also use fakes to take advantage of discounts offered to students and faculty on software and various other products.”

The University of Michigan-Ann Arbor led the pack with 122,556 credentials for sale on the dark web, but the Massachusetts Institute of Technology (MIT) ranked highest in terms of corrupt email ratio. For every legitimate email with an MIT domain name, there are 2.81 fake emails – a truly staggering number.

The report recommends universities share the following tips to reduce the risk of compromising emails:

  • Use a mix of uppercase, lowercase, numbers, and special characters
  • Make the password as long as the system allows
  • Think in terms of passphrases instead of passwords
  • Use a random password generator to avoid social engineering
  • Do not re-use university provided password for other systems
  • Change passwords at least annually or if exposure is suspected
  • Consider using a password vault to store passwords
  • Never share passwords with others
  • Report any suspicious activity to local law enforcement or the institutional IT incident response team

These are fine recommendations, but ignore the fact that there are still plenty of other ways to access the accounts. Email is an inherently flawed form of communication, and it’s time to look for safer and more advanced alternatives.

One of these alternatives is Evizone Secure Communications (ESC), our proprietary technology that offers the strongest commercially available system for the secure exchange and compliance archiving of electronic communications.

The Digital Citizens Alliance report should concern educational institutions everywhere. If they’re serious about their cybersecurity, they should reach out to us or sign up for a free trial at http://evizone.com/free-trial/.