Encryption, a double edged sword for businesses and home users trying to stay safe on the Internet

People may think of encryption as a technology that protects users’ privacy and security. And it’s true, encryption can be a powerful tool to protect ones privacy and secure sensitive information.  However, the current trend toward encrypting everything has created a significant challenge for businesses and users trying to stay safe from hackers and malware.

Encryption is the process of scrambling data so that only the intended users can access it. There are many forms of encryption.  Some encryption technologies protect data in transit such as TLS/HTTPS, which protects the information passed back and forth to websites and through email.  Other forms of encryption are used to protect data at rest on hard drives, iPhones, and cloud storage.

What does this mean for me, my business or my family?

It’s great to know that my credit card number is safe as I buy products online or conduct online banking.  But this same technology is also helping the bad guys to hide their malware and their efforts to steal our money, resources and secrets. The expensive technologies we’ve put in place including gateway firewalls, web filters, email scanning, Antivirus, etc. has been rendered increasingly ineffective now that more and more traffic is protected by the cloak of encryption. The content can only be viewed once it is executed and unpacked on your machine or your network, and by then it too late!

Imagine my 9 year old son, at home, going to YouTube.com to search for videos for fast cars and Hot Rods.  I do limit his access to sites by category, but YouTube.com is considered a legitimate and safe site.  YouTube.com is run entirely over HTTPS, encrypting all traffic from my home computer to the YouTube.com servers.  Once he’s connected, the Next Generation Layer 7 Firewall I have installed at home (perhaps overkill for home but this is my line of work) can’t see anything going back and forth between my son’s input and the results that YouTube gives him because its all encrypted.  His search terms and the results are blind to the filtering I put in place. So when that video of Hot Rods shows up, which was not at all what he was expecting, me and my wife are put in the unenviable position of answering our very inquisitive son why someone might make that video!

The same is true with other legitimate sites.  Almost 50% of websites online are WordPress sites.  These sites, if not maintained, are highly susceptible to compromise. I’ve seen many examples of sites becoming compromised and distributing malware to unsuspecting visitors.  That Youth Hockey site forum or Spa website you frequent may be the source of your next computer virus!  If the site is being run over HTTPS, that traffic is not being filtered by the web filters, firewalls or Antivirus you have in place, letting the malware into your network and your computer unobstructed.

Even this silly Blog is encrypted over HTTPS.  I could be infecting your machine right now! Encryption is being used heavily throughout the hacker world to evade detection and for distributing their malware..

Why is everything being encrypted and how did we arrive at this point?

When Edward Snowden released his Wikileaks documents in June 2013, aside from the specific details and revelations, its greatest impact was that they shattered one of the basic operating principles of the Internet, there is privacy in numbers. It was always understood that the sheer volume of transactions and data on the Internet made the Internet relatively private for most of us.

Why would anyone care about a personal email to my grandma about my plans to meet her on New Year’s Eve?  This email is one of trillions and the subject is seemingly irrelevant to anyone else but Grandma. The amount of time, money and effort for some organization to find, catalog, store and correlate this one email was thought to be improbable if not impossible. It’s like walking through Times Square on New Year’s Eve picking my nose.  Who would notice or care?

But we learned how the U.S. Government had put systems in place to do just that, record huge amounts of data from all communications systems and the Internet, cataloging the information and making this data usable through artificial intelligence, analytics, pattern matching and targeted searches.  Content and data streams from large companies such as Google and Microsoft had also been intercepted and fed into these systems.

Learning of this made individuals, Google and other institutions mad.  People’s privacy and confidence had been breached!  But really, how does this affect me and my email to Grandma?

Our trust and privacy was violated!

Google, Microsoft and other large companies immediately began implementing greater encryption across all their systems.  In 2014, Google made news by modifying their search algorithm to make the results of encrypted sites appear higher in search results and by publishing statistics about ISPs and websites who did and did not encrypt their web and email traffic.  So now this silly blog site is encrypted because I want to be found on Google! Along with this trend, the technology progressed and the processing overhead of encrypting traffic and decryption no longer posed significant overhead for providers.

Now all your search requests to Google, increasing numbers of websites, emails and more are encrypted, making access to this information by the prying eyes of the government and other unwanted and dangerous actors much harder if not impossible to access.  There are even moves to encrypt more traffic on the internet including DNS and other communications.

But are we safer and is our information more secure?

Unfortunately we’re not any safer today. According to Symantec’s latest Threat Report, there were almost double the number of Zero-Day threats discovered in 2015 then in 2014, a record 9 mega data breaches in 2015, over 50% increase in Spear-Phishing campaigns targeted at employees and the list of troubling statistics goes on.  The unintended consequence of ubiquitous encryption has only made the detection and discovery of malware and hackers efforts even harder.

It may be true that the U.S. Government no longer has ready access to your data, but now the tools and solution we have to protect ourselves have been compromised by the use of encryption.  Our personal data has become the domain of private corporations such as Google, who have built walls around their systems with encryption with little oversight and transparency.  Hackers can now more easily and stealthily steal our information and avoid detection with the help of encryption.

Instead of the U.S. Government knowing about my email to my grandma and my plans to meet her in Times Square on New Year’s Eve, Google, their affiliated advertising partners and also anyone else who sees the geographical coordinates published by my photo on Instagram and Facebook know exactly what I’m up to.  Also, because the hackers have successfully installed a quiet keylogger on my machine that was downloaded from the secure Youth Hockey site, they have successfully co-opted my good credit rating and opened 5 credit cards in my name and have left me with $50k in loans. They also managed to rob my house while they knew I was out of town.

What’s a person to do?  I like the privacy encryption provides but I don’t want to be a victim.

I’m not saying encryption is bad or we should stop using it.  However, it does pose a particular challenge to people and businesses alike trying to stay safe on the Internet and protect their information.  There are some technological solutions available to help mitigate these risks including HTTPS inspection solutions, and software and hardware pattern matching solutions.  They are worth consideration for many businesses but they’re expensive and hard to implement effectively.

Also, Antivirus companies are releasing new products and technologies that are starting to address these challenges through sophisticated behavior analysis, so staying up-to-date and implementing their new solutions is important.  There are also some notable startups that are taking different approaches to identifying and fighting malware including Cylance and Barkley.

Keeping computers up-to-date with all their software including OS (Windows, Linux and Mac) and all third party software (Java, flash, browsers, plugins, Microsoft Office, etc.) is also critical in protecting yourself. There are lots of solutions for businesses to deploy updates and patches across a network.  Home users or small offices can use a free tool called Secunia PSI.

The most effective and important thing anyone can do to stay safe is follow Safe Internet Behaviors.  Companies should be testing and training their users by sending out malicious like emails and phone calls to try and trick them into giving out information or access that they shouldn’t. There are now many solutions like PhishingBox that can provide these services.



Safe Internet Behaviors

Clicking on the wrong website links, wrong advertisement links, wrong email attachments and filling in the wrong online forms can expose you, your colleagues, your family, your employer and your friends to significant risk of:

  • Identity theft
  • Stolen online funds
  • Lost data
  • Lost access to online accounts
  • Future unknown risks

1. Email

  • Never open attachments from anyone you don’t know or don’t expect to receive something from.
  • Confirm with the sender what an attachment is before opening if it is unexpected.  If you hit reply to the message, does the To: address look correct? Malicious emails will spoof the sending address so when you reply, the recipient often will not look correct.
  • Never “Enable Macros” or download or install Plugins if ever prompted without fully knowing the validity of file. Malicious PDF and Office documents may try and trick you into running malicious code.
  • Never click on links within emails without confirming them with the sender.  Emails with fake links often report to take you to a GoogleDrive, DropBox or Banking sites but instead send you to a malicious site that will prompt you to download, run or outright infect your machine.
  • Be very suspicious of emails from your bank, IRS, FedEx, USPS and other institutions with links and requests for information. If there is any doubt about the legitimacy of an email or link, go directly to the institution’s website or contact them directly by phone.
  • Do not “unsubscribe” to unwanted emails unless it is from a trusted source that you are aware you signed up for.

2. Web browsing

  • Be very careful about clicking on Sponsored links and advertisements when performing web searches (Google, Bing, Yahoo, etc.). Perpetrators of malware buy ads and insert malicious code and links to try and get more exposure for their malware. Google search results, which appear below the paid advertisements, are safer as they cannot be as easily manipulated to show up on the first page.
  • Be very cautions about clicking on and opening files and programs downloaded from the Internet and only open those from known legitimate sites.
  •  Don’t install or open any files and links that pop up on the screen unexpectedly. Sometimes malicious software will purport to be an update to valid software like Adobe Flash. If you think your software may need to be updated, close the window and go directly to the software publisher’s web site itself.
  • Full screen prompts about your computer being Infected should be treated with great caution. This is frequent technique to get users to click on or run files that will infect your machine. See if the window can be closed and reboot the computer if necessary and contact someone who can help evaluate if your machine has actually been compromised.
  • Never search for license key generators, movie downloads, music downloads, free software, torrents, etc. as they are almost always gateways to malware. 

3. Phone

  • Never accept calls from Microsoft, government agencies, your bank or any other institution that you’re not expecting, that are looking for information, login info or access to your computer. This is a common tactic to gain access to your computer and other information to defraud you.

4. Wire Policy

  • All wire instructions should always be independently verified by outbound phone call.  Secure emails, emails or inbound phone calls should be considered sufficient to process wire instructions. 

If you ever have any doubt or question regarding the legitimacy of an email, attachment, or website, please feel free to reach out to Mantra Computing. If you do have an instance where you feel your computer is infected, the best course of action is to turn off your computer and give Mantra Computing a call to assess the situation and help determine the appropriate next steps.

Cyber Insurance, it’s worth another look for most businesses

In the course of life I find all sorts of reasons to worry.  It really doesn’t take much to get me going.  But technology is my business and it takes a lot to shake me, but recently I’ve been shaken.  The rise of high profile and continued data breaches, the widespread and evolving threat of ransomeware and other cyber threats, it seems nothing is really safe.  Our personal, financial and social lives are all so connected to the Internet and it seems like there is no where to hide.

Is the risk real, am I really a target?

The truth is these concerns are real, not some boogieman.  They are not abstract theoretical risks and I’ve been working with clients over the last few years dealing with their impacts and helping them try to avoid them.

Some of these experiences have included the following:

  • Ransomware attacks including Cryptolocker, Locky, Cryptowall, etc. Costs involve cleanup (removing the infection), restoring lost data (either from backups and/or paying ransom) and down time caused by systems being taken offline and made inaccessible.  These costs add up ranging from a few thousand dollars to tens of thousands of dollars.
  • Online store fronts being compromised by foreign attackers who compromise sites and code to steal CC and other info.  Even in situations where these compromises take place with 3rd party services, culpability and responsibility have been murky and has caused significant cost to clients. Costs range in Notifications requirements, cleanup and due diligence, legal fees, etc. and can range from a few thousand dollars to tens of thousands of dollars.
  • Disclosure of Personal Information (Legally protected by State and Federal laws) through accidental disclosure (Laptop lost, accidental email, etc.) and from flawed 3rd party software/services that become compromised or flaws allow unauthorized access. Costs for these types of situations can range from a few thousand dollars to tens of thousands of dollars due to disclosure/notification requirements, software/service changes, legal fees, state and federal enforcement actions and potential liability implications
  • Lost funds due to Compromised/Hacked network computers and equipment caused by accidental user actions or faulty unpatched software solutions. Many times these bank funds can’t be retrieved and are lost forever.  Other costs include disruption to business, interruption to line of business resources, and other mitigating efforts.

Businesses must take these risks seriously and protect themselves like they do for any other risks. Cyber Insurance is now a real and effective tool for protecting businesses against real and significant financial losses.

What are the options and costs?

Cyber Insurance policies used to be cost prohibitive, poorly defined and confusing to understand.  However, today there are lots of good options.  A good policy should cover the below items, which are not included in Professional Liability solutions:

  • Access to or Disclosure of Nonpublic Files
  • Breach Notification and Credit Monitoring
  • Lost Business Income
  • Reputational Damage
  • Loss or Damage of Computer Systems

Costs can range starting from a couple thousand dollars for a business with a million dollars in gross revenue.

What about all the technology I’ve put in place to protect my business?

In addition to good layered security solutions including Next Generation firewalls, network/computer monitoring, security software, user training and an up-to-date Written Information Security Plan, Cyber Insurance is a good tool that all businesses should be considering.

No matter how good your protections are, mitigating all the risks is impossible.  The risks are constantly changing and Cyber Insurance is there to help fill that gap.