Evizone can protect you against the police’s Stingray devices

News that governments have been using IMSI catchers to collect mobile device data is not new. Back in September 2016, we shared information on our blog about how one correctional facility in Ontario used these devices to monitor cell phone transmissions within the prison. The repercussion was that prison guards were actually hacking their own phones and having their communications monitored as well.

Now we have more information: police forces across Canada are using these devices to monitor regular Canadians. The Ontario Provincial Police, the Calgary police, and Winnipeg police have confirmed that they are using IMSI catchers, according to the CBC. The RCMP had already confirmed to using Stingray technology to assist Toronto and Vancouver police with investigations. The CBC contacted 30 different law enforcement agencies, but only Calgary answered in full.

The CBC report states that “while Ontario and Winnipeg police refused to say whether they use the technology to intercept private communications, Calgary police and the RCMP insist they only deploy their IMSI catchers to identify — and occasionally, in the RCMP’s case, track — cellular devices.”

They also described the surveillance tool as vital when “used under warrant to help pinpoint suspects, and as a first step toward applying for wiretaps in serious criminal and national security investigations.”

Many are worried about what these devices can be used for. As the B.C. Civil Liberties Association expressed, “we want the police to have the appropriate tools.”  Yet at the same time, the public should care that they “don’t have the appropriate oversight and that those tools have the potential for abuse.”

As we wrote in September, IMSI catchers access information that is unprotected or only moderately encrypted. If you’re storing information directly on your phone, it can be accessed. If you’re storing information in an account that is always logged on your phone, they can likely access it too. It’s also unclear if criminal elements could have access to these types of monitoring systems.

With Evizone’s patented military-grade storage and encryption, there is absolutely no way for the government to access your data with this questionable technology. Evizone’s mobile app uses numerous security features to protect your data and always logs out when you exit the app.

We respect the work done by police forces across the country, yet we do not have a clear picture of what Stingrays are used for and it’s unclear if there are any oversights. For this and many more reasons, everyone should take precautions and protect their data today.

WhatsApp, encryption and public safety

Last month brought news of yet another lone wolf terror attack, in London this time, and yet another instance involving modern communications technology. It seems that the attacker was communicating on his smart phone just moments before the attack using WhatsApp. Naturally the security services want to know who he was communicating with and the content. The wrinkle is that WhatsApp is refusing to break their own encryption to cooperate with the authorities.

At Evizone we have thought long and hard about the dynamic tension between legitimate rights to privacy and the public good. It is technically feasible to build an encryption system so that not even we could break our own encryption. Possibly this is what WhatsApp has done. Is it the right thing to do however? We think not. There are circumstances, and the London attack is certainly one, where the public good must prevail.

Furthermore, Evizone’s secure communications and compliance systems are designed for use by enterprise and government. The need for transparency in the workings of the organization is just as imperative as the need for security. Imagine if employees or public servants are all communicating with unbreakable encryption so no one can monitor what actually is going on. This is why compliance regulations and the duty to provide “Proof of Supervision” exist. The need to maintain transparency and oversight while still preserving appropriate security of sensitive information is critical. Unbreakable encryption and “Proof of Supervision” are mutually exclusive.

It is a difficult needle to thread, but we have done it at Evizone. Information is secure when it needs to be, but transparency and control are maintained and “Proof of Supervision” is unquestioned. Give us a call and we will be happy to show you how we do it.

Bill Wells is the Chairman of Evizone. This blog originally appeared on Bill’s LinkedIn page.

Law firms should worry about their cybersecurity

It should be no surprise that law firms store vast amounts of confidential and valuable information in their digital networks. This makes them a treasure trove for hackers – and all too often, an easy target.

As the National Post reported in their March 22 issue, the potential for a breach has led many Canadian law firms to focus more on cybersecurity. Past intrusions – including recent reports that nearly 500 UK law firms and two in the U.S. were infiltrated by hackers – help make the case.

The National Post reached out to Miller Thompson LLP lawyer Imran Ahmad for comment, who said that “Law firms are fertile ground for hackers because they have precious financial information, like transactional information, client information, and human resource records, that allows hackers to build online profiles of individuals.”

The article continues:

“Canadian law firms have hardly been immune from cyberattacks. The most highprofile attack in Canada started in September 2010 when hackers compromised the security of seven major Canadian firms — Blake, Cassels & Graydon LLP and Stikeman Elliott LLP among them — involved in BHP Billiton’s proposed takeover of Potash Corp. of Saskatchewan. Both Blakes, counsel to BHP, and Stikeman Elliott, counsel to Potash, say that no client information was compromised.

An investigation revealed that the spyware responsible had been formulated on a Chinese- language keyboard and could be traced to servers in China linked to stateowned enterprises.

It was no secret that the Chinese government, worried about a global potash monopoly, opposed the deal. As the Chinese have long been accused of resorting to cyberespionage for various political and commercial purposes, the evidence implicating China was telling.

It subsequently emerged that an unrelated attack had targeted another major M&A, while a third was aimed at high-profile litigation.”

This issue is a big business problem for law firms. If clients can’t trust that their representatives properly secure their confidential information, they may consider leaving for another, more cyber-enlightened firm. Legal practices cannot ignore this issue in the twenty-first century.

Imran Ahmad also added that 2017 will be a big year because new privacy legislation “will require custodians of data, including law firms, to report information security breaches that pose a “real risk of significant harm.””

Luckily, Evizone provides the exact services law firms need to keep their worried clients at ease.

With Evizone Secure Communications (ESC), client and internal communications are protected by the strongest commercially available system for the secure exchange of messages and documents. Our patented technology ensures that client data is not exposed. Evizone Communications Governance (ECG) adds the benefit of complete transparency and accountability, giving law firms the tools to assure clients of their security. ECG’s powerful discovery tools can also automate discovery processes resulting in greater efficiency and happy clients.

If the CIA can screenshot your screen, who else is doing it?

It’s no surprise that the CIA spies on people. But you might be shocked at how they do it.

A massive leak of nearly 9,000 CIA documents, released by the whistleblowing organization Wikileaks, revealed the methods used by the spy agency to get past mobile app security features. While initially reports claimed that the CIA hacked apps like WhatsApp, the truth is that the apps themselves are generally safe – it’s the phones that are the problem. The New York Times reports:

“WikiLeaks said that the C.I.A. and allied intelligence services have managed to compromise both Apple and Android smartphones, allowing their officers to bypass the encryption on popular services such as Signal, WhatsApp and Telegram. According to WikiLeaks, government hackers can penetrate smartphones and collect “audio and message traffic before encryption is applied.”

At a time of increasing concern about the privacy of calls and messages, the revelations did not suggest that the C.I.A. can actually break the encryption used by popular messaging apps. Instead, by penetrating the user’s phone, the agency can make the encryption irrelevant by intercepting messages and calls before their content is encrypted, or, on the other end, after messages are decrypted.”

If the CIA can get into your phone, then of course they can record and take screenshots of what you’re doing. You could be looking at emails, bank statements, sensitive corporate documents, anything – it is all vulnerable if you’re on their target list and they can take screenshots or recordings without your knowledge. If they have access to your sound and your screen, they can bypass any security features.

Except if you’re using Evizone.

Evizone Secure Communications (ESC) is equipped with optional patented Anti Screen Capture (ASC) technology which prevents anyone from making copies of your screen, whether you’re using Evizone on your mobile device or on a computer. The beauty of this technology is that it continues to protect you even if you’re not using the Evizone App. If you have our ASC installed and enabled, everything you view on your phone – including WhatsApp – is protected. You can trust that your communications and documents will not be stolen by anyone using the CIA’s methods.

It is important to note that there’s no proof that the tool has been used against Americans. Yet it is unclear if the U.S. government is the only state or private agent to have developed such technology. It is safe to assume they are not alone in using these techniques and that sophisticated private hackers may be using them as well. Apple and Google should immediately fix the issues with their software that allowed the CIA to penetrate their phones. But responsibility also falls on the user to protect their data. A layered defense using the best technology available like Evizone is a wise precaution. Defense in depth using the latest technology is essential to protect yourself.

Prevent unauthorized copying of your data and give us a call to get your free trial today.

Evizone Secure Communications would prevent extortion linked to SharePoint hacking

Here we go again.

Everyone is familiar with allegations of Russian interference of the U.S. Presidential Election last fall. Here in Canada, there were also allegations that foreign influences tried to alter our own parliamentary results. We generally think of hackings as a means to blackmail individuals or companies for money, but it is all too common for cybercriminals to target political organizations in an effort to embarrass them or harm them in the minds of the public. Sometimes, they do both.

As Bloomberg reports, Russian hackers have been targeting left-wing groups in the US for months, threatening to release emails and documents unless a ransom is paid.

“At least a dozen groups have faced extortion attempts since the U.S. presidential election, said the people, who provided broad outlines of the campaign. The ransom demands are accompanied by samples of sensitive data in the hackers’ possession.

In one case, a non-profit group and a prominent liberal donor discussed how to use grant money to cover some costs for anti-Trump protesters. The identities were not disclosed, and it’s unclear if the protesters were paid.

At least some groups have paid the ransoms even though there is little guarantee the documents won’t be made public anyway. Demands have ranged from about $30,000 to $150,000, payable in untraceable bitcoins, according to one of the people familiar with the probe.”

It’s impossible to say definitively whether the hacks are organized by criminal elements or the Russian government, but as Bloomberg points out, the two are not always mutually-exclusive.

The report continues: “Along with emails, the hackers are stealing documents from popular web-based applications like SharePoint, which lets people in different locations work on Microsoft Office files, one of the people said.”

The source of hacks like this is never a surprise. Hackers likely gained access to organization emails through a phishing scheme, just like what happened to Hillary Clinton’s campaign chairman. Once they can log into an email account, they have access to all organizational documents through unsecure cloud storage programs like Microsoft’s SharePoint. All it takes is for one person to get fooled by spear phishing and the whole business becomes exposed. This is why conventional workgroup collaboration tools like SharePoint are insecure.

That’s why Evizone was created. Our military-grade encryption and secure communications and file storage tools ensure that even if systems are compromised, information held inside Evizone is secure. If you use our services, you can sleep well at night knowing that no one – not even infamous Russian hackers – can access your data.

Canada a hotbed for corporate hackings

If a recent study by Ipsos is anything to go by, you should change all your passwords right now.

As the Globe and Mail reports, the study – developed in conjunction with the consulting firm MNP LLP – found that “half of Canadian C-suite executives and nearly a quarter of entrepreneurs say their businesses’ cybersecurity was breached in the past year.”

This is no small matter. The article continues:

“The survey of 100 Canadian executives of medium- and large-sized businesses also polled 1,000 small-business owners. While 93 per cent of the combined groups said they felt their companies effectively protected customer data, nearly three in five of those polled “either suspect or know for certain” they were victims of hacking attempts.”

An MNP executive rightly called this a worrying fact. “The big thing to note is the gap between the level of confidence businesses have in thinking they can prevent cyberattacks and their experience is quite different,” said Greg Draper, “The level of overconfidence is quite striking.”

Ignorance is bliss, as they say. But the risks associated with poor cybersecurity is not something that should be overlooked by companies nor consumers. Loblaw, Canadian Tire, Quebec’s SAQ liquor stores, and Cineplex have all been in the news recently for fear that their systems were hacked and data compromised. We can all name even larger historical Canadian hacks like the one on the Ashley Madison website.

Every time a company has to announce a digital security breach, consumer confidence in that brand is reduced. This is unfortunate given how easy data protection really is.

With Evizone Secure Communications (ESC), corporate communication and data storage are both protected by the strongest commercially available encryption there is. That means that consumer data will never be exposed and sensitive company secrets will never see the light of day.

Again, it’s important to note just how accessible these solutions are. Companies have no excuses for data breaches anymore. It’s time for them to join the twenty-first century and use Evizone.

Canada wants to get serious about electoral cybersecurity

Following the news that a former Canadian Security Intelligence Service (CSIS) director believes Canada’s elections had been hacked, the government has responded by announcing that they wants to take cybersecurity seriously.

In his mandate letter to the new Democratic Institutions Minister Karina Gould, Prime Minister Justin Trudeau listed defending the electoral system from cyberthreats as a priority. In addition, the Communications Security Establishment (CSE) has been asked to analyze the risks and release a report on the issue.

According to the Globe and Mail, the CSE will conduct a comprehensive study on cyberthreats to the electoral system and provide political parties and Elections Canada with information on how to avoid vulnerabilities, such as updating software. Minister Gould said that there are a “number of actors that we’re concerned about, some are countries, some are criminal organizations.”

The concern clearly revolves around Russia, the country that is still blamed for interfering in the American election and releasing compromising information on Hillary Clinton.

As mentioned in our previous blog post on the topic, any interference in a Canadian election would likely happen on the constituency level given how the Westminster system operates. Yet this is no less a threat than what happened in the United States.

There are two issues at play here: communications security and data storage.

Like Hillary Clinton, it is likely that any hacking of Canada’s elections would arise from poor email security. This is why anyone in a position of influence – like politicians and Elections Canada – should not be using this method of online communication. They should instead switch to a secure tool like patented Evizone Secure Communications (ESC) which provides complete security backed up by military-grade encryption.

The second issue is data storage and compliance review. Elections Canada stores a generous amount of sensitive information related to Canadian voters, and political parties have databases of information they never want released to the world. Yet if anyone manages to hack into their networks, however, these files would be vulnerable to exposure. This information also needs to be reviewed regularly to ensure compliance with appropriate regulation.

Only Evizone Secure Communications (ESC) provides the secure data storage and accountability to prevent hackers from the outside accessing your database, account for potential leaks from those within the system and ensure a robust review of all information for compliance violations.

Switching these large organizations away from email to a new product could seem daunting, but with Evizone, a new communications and governance system could be up and running within 30 days.

If the government is serious about cybersecurity and compliance, they’ll give us a call.

David Beckham’s latest scandal proves you need to ditch your email account

Have you heard of Beckileaks? It’s the latest scandal sweeping Britain, and it wouldn’t have happened without poor email security.

Russian hackers gained access to millions of emails and documents on the computers of David Beckham’s PR representative. Spotting an opportunity to profit, the hackers blackmailed the soccer star, asking to be paid one million pounds or else everything would be released. Instead of complying, Beckham’s team called the police.

As you can imagine, everything was leaked.

In one correspondence, Beckham allegedly refused to give $1 million to the UNICEF children’s charity, arguing “it’s my f***ing money”.

A spokesperson responded by saying:

“This story is based on outdated material taken out of context from hacked and doctored private emails, from a third-party server, and gives a deliberately inaccurate picture. David Beckham and UNICEF have had a powerful partnership in support of children for over 15 years … David and UNICEF are rightly proud of what they have and will continue to achieve together and are happy to let the facts speak for themselves.”

In another email, he lashes out about missing the opportunity to receive a knighthood, calling the honours committee responsible for the decision “unappreciative c***s”.

This hack is just another drop in the bucket. While it’s deeply embarrassing for Beckham and takes away from much of the good charity work he does, it goes to show that everyone should assume anything discussed in an email will one day become public. It doesn’t matter who you are – but it’s especially true if you’re a celebrity or company.

Email is an archaic form of communication when you consider how far advanced other technologies like Evizone Secure Communications (ESC) are. Beckham himself wasn’t even hacked – but he wound up in the crossfire and suffered because of someone else’s poor security measures. All totally avoidable if only he had used Evizone Secure Communications.

Strong email security can’t stop human error at the Bank of Canada

In February 2014 alone, employees at the bank of Canada were flooded with 25,000 phishing emails encouraging them to open a document containing malware that would infect their computer and steal banking credentials.

As the Financial Post reports, a good chunk of those emails were filtered out by the central bank’s security software, but some managed to land in employee inboxes. 33 people opened the document, but they were stopped by another security measure warning them that it could be infected with a virus. Nonetheless. five people, according to the article, still opened it.

In March 2016, the number of malicious emails exploded to 15 million, the consequences of which are still unknown. Since 2012, a known virus was installed in 17 separate cases.

The Post’s Claire Brownell writes that “anyone from foreign governments to organized crime could stand to gain from insider information about the central bank. The institution affects the entire economy by forming monetary policy and setting interest rates, information that could be very profitable to anyone with improper advance knowledge.”

Unsurprisingly, the Bank of Canada tried to explain that everything is okay. “Canadians can be assured that it has comprehensive cyber defences and business continuity plans in place,” a spokesperson told the Post.

But this revelation should deeply worry everyone.

No matter how strong the Bank’s email filters are, human error will always exist, and hackers are only getting more sophisticated in their infiltration techniques. It is only a matter of time until something catastrophic happens, and the chances are high when tens of millions of malware-ridden emails are received every month.

Email is inherently flawed. The only way to prevent a serious breech is for the Bank of Canada to move on to a new, more secure technology.

With Evizone Secure Communications (ESC), for example, The Bank of Canada would have the strongest electronics communication system commercially available. ESC provides full TRUE protection, something even the strongest cybersecurity measures cannot guarantee with traditional emails.

In addition, Evizone Communications Governance (ECG) protects against the problem of human error. ECG provides full accountability within an organization, protecting not only against external threats but internal ones as well.

This issue is not to be taken lightly. It is not just about someone’s old personal Hotmail account getting hacked. A breech at the Bank of Canada is a matter of national security. That it has already happened at least 17 times is a damning indictment and should make moving to a less archaic communications platform a top priority.

We cannot afford to wait until it’s too late to make a change.

Publicly-traded companies don’t disclose their cyber-vulnerabilities adequately

61% of companies in the S&P/TSX Composite Index acknowledged cybersecurity as a material risk to their business. This was the main finding of the Canadian Securities Administrators’ (CSA) staff notice on the disclosure of cybersecurity risks and incidents.

However, the CSA’s research is more much more troubling. While the organizations acknowledge a risk, they rarely disclosed the specific risks related to their unique company – only to their industry as a whole. This suggests that publicly-traded companies have very little understanding of the threats that are directly targeted towards them.

The review was commissioned to look at how public companies addressed cybersecurity issues in their risk factor disclosures. This included the risk of a cyberattack.

Only 12% of the companies identified a specific person, group, or committee as being responsible for cybersecurity matters within the organization. For the remaining 49% of companies, it was unknown whether or not anyone was tasked with overseeing cybersecurity and managing proper procedural enforcement. Acknowledging a risk is not enough – actions are needed to ensure maximum protection.

The CSA says that:

“Issuers should consider the reasons they may be exposed to a cyber security breach, the source and nature of the risks, the potential consequences of a cyber security breach, the adequacy of preventative measures, as well as a consideration of prior material cyber security incidents and their effects on the issuer’s cyber security risk. Issuers should also address how they mitigate the risk, including whether and to what extent the issuer maintains insurance covering cyber attacks, or reliance on third party experts for their cyber security strategy or to remediate prior or future cyber attacks. It is also relevant to disclose governance issues, including identifying a committee or person responsible for the issuer’s cyber security and risk mitigation strategy.”

It is our hope that Canada’s publicly traded companies will heed the advice of the CSA. Every potential cybersecurity threat should be identified given each company’s individual situation. The companies should also disclose what they are doing to prevent future attacks without divulging information that could put them more at risk.

Given the very public hackings that hit Sony and the Democratic National Committee recently, the use of email for confidential corporate information exchange should itself be considered a major disclosable risk. Many examples exist to show just how lethal a hacked email can be for a corporation. Investors deserve to know if companies are running this risk and what the possible consequences are in detail.

Similarly, any company that is not using a system to monitor incoming and outgoing electronic communications should disclose the matter as a major risk, given it implies an egregious lack of control over information. Companies should be monitoring the content of all electronic communications on a real-time basis to detect problems. They should also have compliance procedures in place to deal immediately with problems detected and permanent records to demonstrate appropriate supervision. Today, this is the minimum standard. Anything less implies an unacceptable level of risk and must be disclosed to investors.