
Free Encrypted Email

Posts Tagged ‘ShazzleMail’


Secret Text in Senate Bill Would Give FBI Warrantless Access to Email Records

May 27, 2016

A provision snuck into the still-secret text of the Senate’s annual intelligence authorization would give the FBI the ability to demand individuals’ email data and possibly web-surfing history from their service providers without a warrant and in complete secrecy.
If passed, the change would expand the reach of the FBI’s already highly controversial national security letters. The FBI is currently allowed to get certain types of information with NSLs — most commonly, information about the name, address, and call data associated with a phone number or details about a bank account.
Since a 2008 Justice Department legal opinion, the FBI has not been allowed to use NSLs to demand “electronic communication transactional records,” such as email subject lines and other metadata, or URLs visited.
The spy bill passed the Senate Intelligence Committee on Tuesday, with the provision in it. The lone no vote came from Sen. Ron Wyden, D-Ore., who wrote in a statement that one of the bill’s provisions “would allow any FBI field office to demand email records without a court order, a major expansion of federal surveillance powers.”
Wyden did not disclose exactly what the provision would allow, but his spokesperson suggested it might go beyond email records to things like web-surfing histories and other information about online behavior. “Senator Wyden is concerned it could be read that way,” Keith Chu said.
It’s unclear how or when the provision was added, although Sens. Richard Burr, R-N.C., the committee’s chairman, and Tom Cotton, R-Ark., have both offered bills in the past that would address what the FBI calls a gap and privacy advocates consider a serious threat to civil liberties.
“At this point, it should go without saying that the information the FBI wants to include in the statute is extremely revealing — URLs, for example, may reveal the content of a website that users have visited, their location, and so on,” Andrew Crocker, staff attorney for the Electronic Frontier Foundation, wrote in an email to The Intercept.
“And it’s particularly sneaky because this bill is debated behind closed doors,” Robyn Greene, policy counsel at the Open Technology Institute, said in an interview.
In February, FBI Director James Comey testified during a Senate Intelligence Committee hearing on worldwide threats that the FBI’s inability to get email records with NSLs was a “typo” — and that fixing it was one of the FBI’s top legislative priorities.
Greene warned at the time: “Unless we push back against Comey now, before you know it, the long slow push for an [electronic communication transactional records] fix may just be unstoppable.”
The FBI used to think that it was, in fact, allowed to get email records with NSLs, and did so routinely until the Justice Department under George W. Bush told the bureau that it had interpreted its powers overly broadly.
Ever since, the FBI has tried to get that power and has been rejected, including during negotiations over the USA Freedom Act.
The FBI’s power to issue NSLs is actually derived from the Electronic Communications Privacy Act — a 1986 law that Congress is currently working to update to incorporate more protections for electronic communications — not fewer. The House unanimously passed the Email Privacy Act in late April, while the Senate is due to vote on its version this week.
Sen. John Cornyn, R-Texas, is expected to offer an amendment that would mirror the provision in the intelligence bill.
Privacy advocates warn that adding it to the broadly supported reform effort would backfire.
“If [the provision] is added to ECPA, it’ll kill the bill,” Gabe Rottman, deputy director of the Center for Democracy and Technology’s freedom, security, and technology project, wrote in an email to The Intercept. “If it passes independently, it’ll create a gaping loophole. Either way, it’s a big problem and a massive expansion of government surveillance authority.”
NSLs have a particularly controversial history. In 2008, Justice Department Inspector General Glenn Fine blasted the FBI for using NSLs supported by weak evidence and documentation to collect information on Americans, some of which “implicated the target’s First Amendment rights.”
“NSLs have a sordid history. They’ve been abused in a number of ways, including … targeting of journalists and … use to collect an essentially unbounded amount of information,” Crocker wrote.
One thing that makes them particularly easy to abuse is that recipients of NSLs are subject to a gag order that forbids them from revealing the letters’ existence to anyone, much less the public.

By Jenna McLaughlin

www.theintercept.com



Phishing Attacks Soar in Record-Making Surge

May 26, 2016

The Anti-Phishing Working Group (APWG) observed more phishing attacks in the first quarter of 2016 than at any other time in history. According to the APWG’s new Phishing Activity Trends Report, the total number of unique phishing websites observed in Q1 2016 was a record 289,371, with 123,555 of those phishing sites detected in March 2016.
Those quarterly and monthly totals are the highest the APWG has seen since it began tracking and reporting on phishing in 2004.
There was a 250 percent increase in phishing sites between October 2015 and March 2016. “We always see a surge in phishing during the holiday season, but the number of phishing sites kept going up from December into the spring of 2016,” said Greg Aaron, APWG Senior Research Fellow and Vice-President of iThreat Cyber Group. “The sustained increase into 2016 shows phishers launching more sites, and is cause for concern.”
APWG Chairman Dave Jevans said, “Globally, attackers using phishing techniques have become more aggressive in 2016 with keyloggers that have sophisticated tracking components to target specific information and organizations such as retailers and financial institutions that top the list.”
On the heels of this report of record numbers of cybercrime attacks, APWG will be holding its annual general meeting and cybercrime research conference next week in Toronto. There, its global cadre of cybercrime responders, managers and university researchers will be plotting strategies to neutralize the menace of cybercrime, a sprawling threatscape growing seemingly unchecked in scope and virulence in recent years.
In the Q1 Trends Report, APWG found that the Retail/Service sector continued to be the most heavily attacked. APWG member MarkMonitor observed more attacks targeting cloud-based or SaaS companies, which drove significant increases in the Retail/Service sector. Financial and payment targets were also heavily attacked, as usual.
Ransomware continues to be another increasing threat, with APWG members Forcepoint and PandaLabs seeing increasing numbers of ransomware infections in early 2016. According to Carl Leonard, Principal Security Analyst at Forcepoint: “The onslaught of ransomware has not abated in 2016. Ransomware authors exhibited a willingness to adjust their scare tactics and software in Q1 2016 as they sought to scam more end-users. The takeaway is clear – ransomware authors are more determined and aggressive in 2016. End-users should be aware of the danger and take preventative measures.”
APWG co-founder and Secretary General Peter Cassidy, reviewing the quarter’s disturbing numbers, said, “The threat space continues to expand despite the best efforts of industry, government and law enforcement. It’s clear we have a lot to talk about in Toronto, perhaps broaching some broader resolutions to unify efforts across sectors. After all, what is civilization but the largest conspiracy?”
The full text of the report is available here:
http://docs.apwg.org/reports/apwg_trends_report_q1_2016.pdf
By APWG – Anti-Phishing Working Group
http://www.apwg.org



Cybersecurity Lessons Learned From ‘Panama Papers’ Breach

May 24, 2016

In the weeks since the revelation of the Panama Papers, the world of the rich and powerful has been reeling. A single cyberattack against Mossack Fonseca, a quiet Panamanian law firm, has sent a tsunami around the world, toppling one world leader so far, with more turbulence to come.
The attacker absconded with a vast trove of information, consisting of millions of documents, emails, and other information – so much information, in fact, that journalists and other investigators have been poring through it for over a year.
Still a mystery: the identity or identities of the attackers. Perhaps an insider with access to secret passwords? Or maybe a skilled attacker, well-versed in the intricacies of cyberespionage?
In all probability, neither profile is accurate, because the Mossack Fonseca attack was dead simple. So simple, in fact, that a teenager with no hacking knowledge other than basic googling skills could have done it.
Furthermore, the security mistakes Mossack Fonseca made were appallingly common. So common, in fact, that it’s fair to say most of the readers of this article work for organizations that are making at least one of the same mistakes.
Do you think the same thing that happened to Mossack Fonseca and its clients can’t happen quite so easily to your organization? Here’s your wakeup call: it already has. You probably just don’t know it yet.
What are you going to do about it?
The Mossack Fonseca Attack: Dead Simple
The attacker’s point of entry: older versions of popular open source web server software Drupal and WordPress. In the case of WordPress, a particular plugin was the likely culprit. “We think it is likely that an attacker gained access to the MF [Mossack Fonseca] WordPress website via a well-known Revolution Slider vulnerability,” according to Mark Maunder, Wordfence Founder and CEO. “This vulnerability is trivially easy to exploit.”
Fixed versions of the Revolution Slider as well as Drupal had long since been available – but Mossack Fonseca simply had not updated the software on their web server. In fact, outdated versions of software that organizations haven’t properly patched are the most common cybersecurity vulnerability today, as I wrote in an article from April 2015.
The fact that Mossack Fonseca’s web servers were many months out of date was particularly egregious, especially considering the sensitivity of their clients’ information. “They seem to have been caught in a time warp,” says Alan Woodward, a cybersecurity expert from University of Surrey and consultant to Europol’s European Cybercrime Centre. “If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”
The Revolution Slider weakness is notorious among hackers for its ease of exploit. Simply download and run a simple utility off of a hacker web site, and the utility immediately provides attackers with shell access on the web server, which means they can now navigate the server’s file system at will, uploading, downloading, and executing files however they like.
Normally, a company that hosts its own web server realizes it’s inherently vulnerable, and separates it from other, more sensitive systems and data – but not Mossack Fonseca. “Their web server was not behind a firewall,” Maunder adds. “Their web server was on the same network as their mail servers based in Panama. They were serving sensitive customer data from their portal website which includes a client login to access that data.”
In other words, Mossack Fonseca failed to take even the most rudimentary steps to protect its confidential client data. However, even if it had put its web server behind a firewall and separated it from its mail servers, the Revolution Slider weakness would still have allowed attackers to access data on internal systems – it would simply have taken them a bit longer.
Important Takeaways for Any Organization
The most urgent cybersecurity task for any organization is to ensure that admins have applied all security patches to all software, not just the software that faces the Internet. Your patching regimen should be prompt and thorough – but never count on all software to be properly patched.
The most diligent of patch regimens, after all, still have their weaknesses: there is always an interval of time between the discovery of a vulnerability and the availability of a patch, giving attackers an opening.
Secondly, automatic updates can cause their own issues, especially in complex enterprise environments and other situations that require high availability. “[Updating web site software automatically] can break your website without notice,” opines Liviu Macsen, a web programmer from Prestimedia in Romania. “And you can’t do this in a corporate environment. Updates are sandboxed and tested before production.”
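The patching takeaway above (apply fixes to everything, not just the Internet-facing software, and remember that some flaws have no fix yet) is easier to act on when the inventory is audited mechanically. The following is an added example, not code from the article or from any of the vendors it names; the component names, installed versions and fixed-version table are constructed placeholders, not the versions involved in the breach. It compares installed versions numerically (so 4.1.10 is correctly newer than 4.1.4), sorts Internet-facing, unpatched components to the top, and keeps a separate state for components whose advisory has no fix yet, because those need a mitigation rather than a wait for the next patch cycle.

```python
"""Audit a software inventory against the earliest versions that close known issues.

Added example, not from the article. The inventory and the fixed-version
table are constructed placeholders; they are not the versions in the breach.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.1.10' -> (4, 1, 10), so 4.1.10 sorts after 4.1.4 (a string compare would not)."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Component:
    name: str
    installed: str
    internet_facing: bool


@dataclass
class Result:
    name: str
    status: str           # "patched", "outdated", "no-fix-available" or "untracked"
    internet_facing: bool


# Lower number = more urgent. Exposed hosts are sorted ahead of this key.
URGENCY = {"outdated": 0, "no-fix-available": 1, "untracked": 2, "patched": 3}


def classify(c: Component, fixed: Dict[str, Optional[str]]) -> str:
    """Decide the patch state of one component against the fixed-version table."""
    if c.name not in fixed:
        return "untracked"          # nobody is watching this component's advisories
    target = fixed[c.name]
    if target is None:
        return "no-fix-available"   # disclosed but unfixed: mitigate, do not just wait
    return "outdated" if parse_version(c.installed) < parse_version(target) else "patched"


def audit(inventory: List[Component], fixed: Dict[str, Optional[str]]) -> List[Result]:
    """Classify every component; Internet-facing and unpatched ones come first."""
    results = [Result(c.name, classify(c, fixed), c.internet_facing) for c in inventory]
    return sorted(results, key=lambda r: (not r.internet_facing, URGENCY[r.status]))


# Constructed inventory and fixed-version table (placeholder names, not real products).
INVENTORY = [
    Component("cms-core-example", "7.20", internet_facing=True),
    Component("slider-plugin-example", "3.0.5", internet_facing=True),
    Component("mail-server-example", "2.4.10", internet_facing=False),
    Component("backup-agent-example", "1.9", internet_facing=False),
    Component("legacy-tool-example", "0.3", internet_facing=False),
]
FIXED_VERSION: Dict[str, Optional[str]] = {
    "cms-core-example": "7.32",
    "slider-plugin-example": "3.0.96",
    "mail-server-example": "2.4.4",
    "backup-agent-example": None,     # advisory published, no fixed release yet
}

if __name__ == "__main__":
    for r in audit(INVENTORY, FIXED_VERSION):
        exposure = "INTERNET-FACING" if r.internet_facing else "internal"
        print(f"{r.name:24} {r.status:18} {exposure}")
```

The "untracked" state is deliberately not treated as "patched": a component nobody is watching is exactly the kind that stays outdated for months, which is what the article says happened here.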
While keeping software up to date is an essential defensive move, organizations must also play offense by minding their data lineage. Data lineage means knowing who has access to your data and when, similar to how law enforcement must handle chains of evidence. You must also know what people are doing with your information and, in particular, how they are securing it.
For the firms that trusted Mossack Fonseca with their confidential information, minding their data lineage was a significant weakness – and a vulnerability attackers were only too willing to exploit. “Attacks on third parties like external law firms, contractors and the like have been the main attack vector in the high profile data breaches over the past three years,” explains Adam Boone, CMO of security vendor Certes Networks. “An external partner like a legal firm also represents a path into the IT systems of the main enterprise target itself.”
The third important takeaway from the Mossack Fonseca breach: put your eggs in multiple baskets. Never give anyone access to more than a portion of your sensitive data. Furthermore, the more sensitive the data, the more you need to divide it up.
Such compartmentalization of sensitive information has been an important governmental intelligence tool for centuries, as only people with a ‘need to know’ have access to sensitive information.
In the corporate environment, such compartmentalization requires a new level of segmentation technology. “Without modern access control and application isolation techniques, [law] firms are wide open for malicious insiders or external attackers to get access to the most sensitive data,” Boone explains.
The Importance of Segmentation
The final word of wisdom every organization should glean from the Mossack Fonseca debacle: always assume you’ve already been hacked, and that attackers can achieve at least some of their goals before you shut them down. As a result, detecting the presence of hackers and cleaning up the messes they leave are important – but always remember, damage may have already been done.
Proper segmentation of your environment is the best approach to mitigating such damage. Clearly, if Mossack Fonseca had separated their web server and email server from each other and from other confidential information, it would have contained and thus limited the damage.
From the perspective of the law firm’s clients, such segmentation is a more complex challenge. Every one of them should have ensured Mossack Fonseca had the appropriate protections in place, and they should have also divided up their confidential information across multiple law firms.
The segmentation approach that is right for your organization may look different, but remember, chances are not all of your sensitive information is locked away inside secure areas within your network. Much of it may be in the cloud or in the hands of third parties. You can’t prevent all attacks from succeeding in such complex environments, but you can mitigate the damage through proper segmentation.
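The segmentation argument above, together with the earlier observation that the web server sat on the same network as the mail servers, can be checked before an incident by modelling the firewall policy and asking the "assume you've already been hacked" question directly: if the web server is taken, what can it reach? The following is an added example, not code from the article or from any product it mentions; the hosts, zones, services and rules are constructed placeholders and do not describe Mossack Fonseca's real network. It evaluates a default-deny zone policy for a flat layout and for a DMZ layout and reports the blast radius of a compromised web host in each.

```python
"""Model a zone-based firewall policy and measure the blast radius of a compromised web server.

Added example, not from the article. Hosts, zones, services and rules are
constructed placeholders; they do not describe any real network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_host: str            # a host name, or "*" for any host
    dst_port: Optional[int]  # a TCP port, or None for any port


def allowed(zones: Dict[str, str], rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """Default deny: a flow is permitted only if some rule explicitly matches it."""
    src_zone = zones[src]
    return any(
        r.src_zone == src_zone and r.dst_host in ("*", dst) and r.dst_port in (None, port)
        for r in rules
    )


def blast_radius(zones: Dict[str, str], rules: List[Rule], compromised: str,
                 services: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Every (host, port) an attacker holding `compromised` can open a connection to."""
    return sorted(
        (h, p) for h, p in services
        if h != compromised and allowed(zones, rules, compromised, h, p)
    )


# Constructed: the services that exist on the network, as (host, port).
SERVICES = [("www", 443), ("mail", 25), ("mail", 143), ("docs", 445), ("db", 3306)]

# Before: one flat LAN; the web server sits beside mail and file servers with nothing between.
FLAT_ZONES = {"client": "internet", "www": "lan", "mail": "lan", "docs": "lan", "db": "lan"}
FLAT_RULES = [Rule("internet", "www", 443), Rule("lan", "*", None)]

# After: the web server lives in a DMZ and may reach only the one backend port the portal needs.
SEG_ZONES = {"client": "internet", "www": "dmz", "mail": "internal", "docs": "internal", "db": "internal"}
SEG_RULES = [
    Rule("internet", "www", 443),
    Rule("dmz", "db", 3306),
    Rule("internal", "mail", 25),
    Rule("internal", "mail", 143),
    Rule("internal", "docs", 445),
]

if __name__ == "__main__":
    for label, zones, rules in (("flat", FLAT_ZONES, FLAT_RULES), ("segmented", SEG_ZONES, SEG_RULES)):
        print(f"{label:10} compromised www can reach: {blast_radius(zones, rules, 'www', SERVICES)}")
```

Note what the segmented result still contains: the database port the portal legitimately needs. That matches the article's caveat that segmentation limits the damage rather than preventing it; the data the portal serves remains exposed through the portal, and only mail, file shares and everything else are taken off the table.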
By Jason Bloomberg
www.forbes.com



(Russian) Cyber Security Should Now Be Firmly On The Radar For Everyone Running A Business

May 19, 2016

It is no longer a question of if a business will be attacked, but when – and how.
There are still many old style fraudsters who forge cheques, submit false invoices for fictional services or seek a “dear friend” who will help them repatriate several million pounds but these are just a reminder of bygone days when a fraud looked like, well, a fraud.
In recent times a fraud is more likely to look like a genuine email from the managing director asking a member of the accounts team to make a payment to what looks like a supplier.
Closer inspection may reveal that the proposed destination of the cash is not quite what it seems.
Perhaps the language is more polite than one would expect from the MD, maybe the email address of the sender isn’t exactly right – although it looks right at first glance.
Any communication regarding the movement of cash should now be subjected to an additional level of scrutiny. Many businesses have already updated their procedures.
Some will not send cash in response to an email request. Many will make a call to the parties involved to check that everything is genuine and that a payment request originates from who it purports to be from.
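The "closer inspection" the article describes (a sender address that looks right at first glance but is not quite right, a request to move cash, a display name claiming to be the MD) can be automated as a first filter before the phone call it recommends. The following is an added example, not code from the article or from any vendor; the organisation domain, the executive name and the sample messages are constructed placeholders. It catches three ways an address can look right without being right: a confusable (homoglyph) letter substituted into the real domain, a one- or two-character typosquat, and the real domain embedded inside a longer, unrelated one; it also flags an executive's name on an external address and any payment instruction arriving from outside the organisation.

```python
"""Flag incoming payment requests whose sender only looks like an internal address.

Added example, not from the article. The organisation domain, the executive
name and the sample messages are constructed placeholders.
"""
import unicodedata
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAIN = "example-widgets.co.uk"   # assumption: the firm's real mail domain
EXECUTIVES = {"jane doe"}                   # assumption: display names fraudsters imitate
PAYMENT_CUES = ("make a payment", "bank details", "wire", "transfer", "invoice")

# Cyrillic code points that render like Latin a, e, o, p, c, x, i (a small, common subset).
_CONFUSABLES = str.maketrans({0x430: "a", 0x435: "e", 0x43E: "o", 0x440: "p",
                              0x441: "c", 0x445: "x", 0x456: "i"})


@dataclass
class Finding:
    sender: str
    reasons: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a domain one or two edits from the real one is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Lower-case, swap confusable letters for ASCII and strip accents."""
    s = domain.lower().translate(_CONFUSABLES)
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()


def assess(from_header: str, subject: str, body: str) -> Optional[Finding]:
    """Return a Finding listing why the message deserves a phone call, or None."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return Finding(from_header, ["sender address could not be parsed"])
    domain = addr.rsplit("@", 1)[1]
    if domain.lower() == TRUSTED_DOMAIN:
        return None                      # genuinely internal; SPF/DMARC is a separate check

    finding = Finding(addr)
    norm = normalise_domain(domain)
    if norm == TRUSTED_DOMAIN:
        finding.reasons.append("homoglyph look-alike of trusted domain")
    elif levenshtein(norm, TRUSTED_DOMAIN) <= 2:
        finding.reasons.append("typosquat of trusted domain")
    elif TRUSTED_DOMAIN in norm:
        finding.reasons.append("trusted domain embedded in another domain")
    if display.strip().lower() in EXECUTIVES:
        finding.reasons.append("executive display name on an external address")
    if any(cue in f"{subject}\n{body}".lower() for cue in PAYMENT_CUES):
        finding.reasons.append("payment instruction from an external address")
    return finding if finding.reasons else None


if __name__ == "__main__":
    samples = [  # constructed messages
        ("Jane Doe <jane.doe@example-widgets.co.uk>", "Invoice 42", "Please make a payment today."),
        ("Jane Doe <jane.doe@example-wldgets.co.uk>", "Urgent", "Make a payment to the new supplier."),
        ("Jane Doe <jd@gmail.example.com>", "Hello", "Catching up."),
    ]
    for hdr, subj, body in samples:
        print(hdr, "->", assess(hdr, subj, body))
```

A message whose domain matches exactly is returned as clean here only because look-alikes are the subject; whether an exact-match sender was actually sent by that domain is a question for SPF and DMARC on the mail gateway, and the out-of-band call the article recommends still applies to any payment request.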
There has also been a massive escalation of malicious attacks, usually harmless looking emails that invite the recipient to click on what looks like a harmless link.
Clicking the link unleashes a virus that will attack the recipient’s systems, potentially causing major harm to the business.
There are now many hundreds of thousands of cases of computer misuse, hacking and malicious virus attacks reported each year.
Whilst these threats might be conveyed digitally, many need to fool a human being at some point to be effective. Every organisation should therefore run regular training for employees on how to spot fraudulent or malicious activity.
Insurers will increasingly expect this kind of training as a condition of cover. In the current climate, it is arguably negligent to not train staff properly in this regard.
The IoD conducted a survey of business leaders in December 2015 which showed that just under half provided training in cyber security for their staff.
Given the potential for commercial and reputational damage that can result from the cascading effect of a cyber attack, this is an alarmingly low figure. It shows a high degree of misplaced complacency.
Cyber security is a business “hygiene” issue. Suppliers, customers and staff are entitled to expect that a business has the necessary measures and procedures in place.
There is also a rapidly growing market for defined cyber threat insurance.
This used to be carried by a minority of companies but is now something that needs to be in place for the vast majority of businesses, especially bearing in mind that only around one per cent of respondents in the IoD survey thought their business wholly unreliant on the internet.
Alongside greater awareness of the threat, the other primary defensive tool in the armoury is software, with good firewalls and analytics that can pick up the bulk of fraudulent or malicious activity.
There is no simple solution to the malice and dishonesty that exist in the digital world.
The price of staying ahead of these threats is eternal vigilance, insurance and up-to-date software.

By Jonathan Oxley

www.yorkshirepost.co.uk



The Selling Point Of Google’s New Messaging App Is Not Encryption, It’s Surveillance.

May 18, 2016

The buzziest thing Google announced at its I/O conference Wednesday was Allo, a chatbot-enabled smartphone messaging app that looks to take on iMessage, Facebook Messenger, and the Facebook-owned WhatsApp.
Early sentiment about Allo is overwhelmingly positive: It looks beautiful, lets you doodle on images before you send them, comes with stickers as well as emojis, and it’s the first Google product to offer end-to-end encryption, which is certainly a good thing.
But if you care at all about your privacy, you should not use Google Allo.
Allo’s big innovation is “Google Assistant,” a Siri competitor that will give personalized suggestions and answers to your questions on Allo as well as on the newly announced Google Home, which is a competitor to Amazon’s Echo.
On Allo, Google Assistant will learn how you talk to certain friends and offer suggested replies to make responding easier. Let that sink in for a moment: The selling point of this app is that Google will read your messages, for your convenience.
Some reporters have lauded Allo for having an “Incognito Mode,” which will turn on end-to-end encryption for a specific conversation, meaning that, in theory, neither Google, nor hackers, nor law enforcement will be able to read messages sent in this mode. Incognito Mode is indeed a good thing to enable if you are going to use Allo, but a better idea would be to stay away from the app altogether.
Google would be insane to not offer some version of end-to-end encryption in a chat app in 2016, when all of its biggest competitors have it enabled by default. Allo uses the Signal Protocol for its encryption, which is good. But as with all other Google products, Allo will work much better if you let Google into your life.
Google is banking on the idea that you won’t want to enable Incognito Mode, and thus won’t enable encryption.
Lots of people use Chrome’s Incognito Mode for searching for porn or other sensitive or embarrassing stuff, but how many people use Incognito for every search? Likewise, it’s smart to turn off location history in Google Maps because once Google has that data, it’s out of your control. As with any app that collects personal data, it’s hard to know where that data will eventually end up: in the hands of a hacker or law enforcement, for example. However, turning off location history means you have to type in your full home address every time you want directions home.
With Allo, the stated purpose of the app is to have a Google bot integrated into a messaging app, so that it can specifically learn more about you. In doing so, the messages you send to your friends will be more tailored—maybe it’ll suggest a coffee shop that’s halfway between you and the person you’re flirting with, for example. Google will have your express permission to mine your conversations for both your own benefit and the benefit of the company’s business interests (Gboard, Google’s new keyboard app with Google integration, has many of the same problems).
Allo is fundamentally different in this way than Hangouts or Gchat. With those two programs, Google showed no interest in injecting its own suggestions into what you type and thus showed no interest in learning more about you.
Allo, on the other hand, is the first major messaging app to have the express purpose of learning everything about you, further fleshing out Google’s already comprehensive profile of you. And so, of course it’s going to be less fun or useful when you’ve turned off that core feature. In that sense, it’s also entirely different than Facebook Messenger’s ‘M’ assistant bot (which may actually be a human). With M, you are speaking one-on-one with a bot, the bot isn’t monitoring every single thing you say to your friends.
One final note about Allo’s place in the current encryption debate: The FBI only started getting upset about the state of crypto after Apple and Google announced that they were going to turn on encryption on their smartphones by default. Before those announcements, encrypting your iPhone or Android device was possible and easy, but few people actually did it.
And so my point isn’t that Allo is evil or Google is evil. But Allo’s security and privacy features are skin deep at best, and we should treat the app for what it is: Yet another chance for Google to learn more about you.
We’ve seen time and time again that people only use privacy tools when they are seamless and don’t affect the overall experience of using the app or program. With Allo, collecting data is core to the value it’s offering. Google is giving consumers two options: Insecure with a wonderful user experience, or secure with an inferior experience. What do you think the masses are going to choose?
By Jason Koebler
www.motherboard.vice.com

