Blog

December 4, 2020

A Look into North Korea’s Legion of Cyber Criminals

When it comes to infamous hacker gangs, Russian ones seem to garner the most attention. However, North Korea’s state-sponsored group is just as formidable. Here, we attempt to break down the rogue nation’s cyber army and see how it operates.

Bureau 121

The Reconnaissance General Bureau (RGB) of North Korea is the country’s intelligence agency, consisting of six different “bureaus.” Formed in 1998, Bureau 121 is the cyber warfare sector of the RGB. According to an intelligence report from the United States Army, this branch consists of four subgroups[1]. These include:

The Andarial Group: Andarial members assess targeted computer systems and identify vulnerabilities to use in future attacks.

The Bluenoroff Group: This group focuses on financial crime. Cyber theft is one of North Korea’s biggest revenue streams.

Electronic Warfare Jamming Regiment: They are in charge of jamming enemy computer systems during actual, on-the-ground war scenarios.

The Lazarus Group: The most notorious part of Bureau 121, The Lazarus group is an agent of social chaos. They infiltrate networks and deliver malicious payloads.

The Lazarus Group is often synonymous with the other three units, especially the financial crime division. It is unknown how many individuals comprise Bureau 121, but it is estimated to be thousands. Members often reside in other countries like Russia, China, Belarus, India, and Malaysia. This helps obscure the true origin of attacks and provides more robust electronic infrastructure to the malicious agents. Due to worldwide economic sanctions and a generally low industrial capacity, North Korea itself does not have access to the resources necessary to carry out large attacks.

An elite organization

North Korea’s internal policies and actions are opaque to the international community. However, defector testimony claims that the nation’s top computer science students from the University in Pyong Yang make up Bureau 121. These talented hackers then enjoy special privileges in North Korean society[2]. Instead of rundown tenements or rural farmhouses, they receive relatively posh -by North Korean standards- uptown apartments in the Capitol. With these kinds of unheard-of perks, it’s no wonder that people desire the positions.

Significant revenue generation

North Korea’s illicit digital activities replace a portion of what’s lost due to sanctions and flawed policies. In 2019, a United Nations report concluded that the rogue country gained $2 billion from cyberattacks[3]. Now, that sounds bad, but maybe it’s some sort of Robin Hood situation, where they steal from the rich to provide food and essentials for their ailing citizens? But no, the money actually went to their weapons division, specifically the nuclear weapons program. This makes North Korean hackers a threat to global security.

Notable attacks

2013 South Korea Cyberattack

In March 2013, North Korea unleashed a devastating cyberattack against their neighbors to the South. Utilizing the “DarkSeoul” malware, they infiltrated banking and media institutions throughout the country. Their top two television stations, the Korean Broadcasting System and MBC, suffered widespread computer issues but were able to stay on the air.

Popular banks such as the Shinhan Bank, Jeju, and NongHyup reported outages for their online banking and in-person services alike. Some even had their internal files erased. Luckily, they recovered most of the data from backups and restored operations within a few hours. Although resolved relatively quickly, it was still proof North Korea could cause chaos to their enemies.

The Sony hack

The November 2014 hack of Sony Pictures remains one of the most-publicized cyberattacks in history. It was a massive data breach that exposed a mountain of sensitive info. This ranged from personal information regarding employees and inter-office emails to plans for upcoming films, scripts, and complete cuts of then-unreleased movies.

If anyone doubted whether North Korea was responsible for the attack, it was all but verified when the hackers made their demands. The most adamant requirement was for Sony to nix the release of “The Interview.” For the readers out there unfamiliar with the intricacies of the Seth Rogen/Jame Franco buddy comedy genre, The Interview starred the famous duo attempting to assassinate the Supreme Leader of North Korea, Kim Jong Un. In the face of the hack, and under threats of terrorism by the attackers, Sony pulled the movie from theaters and released it online only.

The Sony hack was a huge deal. It led the United States to bring formal charges against North Korea and increased tensions to the point that it has never really recovered.

WannaCry ransomware

WannaCry is another extremely high-profile cybersecurity incident. In May of 2017, using a Microsoft Windows vulnerability, WannaCry infected hundreds of thousands of computers in less than a day! While only receiving a paltry (by successful ransomware standards) $130,000 in ransoms, the virus made a huge practical impact.

The biggest example of this was the attack on National Health Service hospitals in England and Scotland. Many of them had to turn away non-life-threatening emergencies, and the incident disrupted ambulance service throughout the region.

After the attack, the United States held a Congressional hearing with security professionals to solicit ideas about improving resiliency to such situations.

Recent activity

The hacks above had the most significant impact on global cybersecurity, but that doesn’t mean Bureau 121 slowed down in recent years. On the contrary, they’ve been extremely busy! The increased popularity of cryptocurrency gives entities like the Lazarus Group an easy way to transact with the organizations they attack and launder the ransoms afterward.

They outright target cryptocurrency-related companies too. Research indicates they use the professional social media platform LinkedIn to lure in unsuspecting employees and spear phish to penetrate network vulnerabilities[4]. These underhanded tactics result in lucrative ill-gotten gains. According to the UN report mentioned above, $571 million out of the $2 billion revenue was from cryptocurrency theft.

Phishers target AstraZeneca

Using the LinkedIn phishing method, the Lazarus Group set their sights on pharmaceutical giant AstraZeneca in late November. State agents posing as high-level recruiters flooded their employees with fake job offers. Then, they emailed the targets with malware attachments. Luckily, no one fell for the scheme, but it shows that Bureau 121 isn’t burdened by any moral compass.

AstraZeneca is one of the companies working on a viable COVID-19 vaccine. Cybersecurity researchers believe that North Korea is focusing on COVID-related organizations at the moment[5]. As one of only 11 countries without a reported COVID-19 case[6], perhaps they don’t see the harm in attacking a vaccine maker. For the rest of us, we can only hope they fail.

Protect your data

When you think of state-sponsored hacking groups, you may assume they only attack political targets. However, rogue nations like North Korea gain a considerable portion of their revenue from such endeavors, as you’ve seen. Therefore, assume that any organization with network vulnerabilities and substantial cashflow is susceptible.

Protect your sensitive data from threat actors by using AXEL Go to store and share files. AXEL Go is built on secure blockchain technology and utilizes robust encryption to keep your documents safe and private. It is available on Windows, Mac, iOS, and Android. So, no matter where your platform allegiances lie, you can enjoy secure, private file sharing. Our free basic account offers all the great features of AXEL Go with 2GB of free online storage. Download it now.

[1] “North Korean Tactics”, Department of the Army, July 2020, http://www.documentcloud.org/documents/7038686-US-Army-report-on-North-Korean-military.html

[2] Ju-min Park, James Pearson, “In North Korea, hackers are a handpicked, pampered elite”, Reuters, Dec. 4, 2014, https://www.reuters.com/article/us-sony-cybersecurity-northkorea/in-north-korea-hackers-are-a-handpicked-pampered-elite-idUSKCN0JJ08B20141205

[3] Michelle Nichols, “North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report”, Reuters, Aug. 5, 2019, https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX

[4] Anthony Cuthbertson, “North Korean Hackers Use LinkedIn for Cryptocurrency Heist, Report Reveals”, The Independent, Aug. 25, 2020, https://www.independent.co.uk/life-style/gadgets-and-tech/news/north-korea-hackers-lazarus-linkedin-cryptocurrency-a9687086.html

[5] Jack Stubbs, “Exclusive: Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca – sources”, Reuters, Nov. 27, 2020, https://www.reuters.com/article/us-healthcare-coronavirus-astrazeneca-no/exclusive-suspected-north-korean-hackers-targeted-covid-vaccine-maker-astrazeneca-sources-idUSKBN2871A2

[6] Kaia Hubbard, “Countries Without Reported COVID Cases”, U.S. News, Nov. 13, 2020, https://www.usnews.com/news/best-countries/slideshows/countries-without-reported-covid-19-cases?slide=13

November 27, 2020

Ransomware is Big Business for REvil Hacker Group

REvil, or Sodinokibi, is one of the most notorious hacker gangs in the world. Known for their ransomware attacks, the group claims it will make $100 million by the end of the year^[1]. Here is a brief overview of the Russian hackers and their illicit accomplishments.

A sordid history

For all of their high-profile attacks, concrete information about the group remains elusive to the public. They are likely based in Russia due to known cybersecurity information as well as their unwillingness to attack companies or governments in the former Soviet-bloc.

An offshoot

Cybersecurity analysts believe malicious developers from a previous group called GandCrab make up REvil^[2]. GandCrab was a prolific gang that collected an estimated $2 billion in ransoms in an 18-month period between 2018-2019. REvil popped up almost immediately after GandCrab stopped activities in 2019, and the two malware share much of the same code.

The gang also employs a Ransomware-as-a-Service (RaaS) model to supplement their revenue. Those interested in a more in-depth breakdown of ransomware can read our recent blog post about the topic.

RaaS is interesting because the gang itself doesn’t have to focus constantly on finding new victims. REvil simply licenses out their malware to vetted affiliates, who do the dirty work of searching for and breaching vulnerable networks. REvil then takes a healthy 20-30% cut of the affiliates’ payments. How’s that for a business model!

High-profile attacks

Texas local governments. In a concerted August attack, REvil infected 23 local Texas government agencies and demanded a $2.5 million collective ransom^[3]. The malware brought down the systems and websites of these agencies. Luckily, the victims were well-prepared in this case. Teams of cybersecurity experts restored the systems via backups or full rebuilds. They did not cooperate with REvil, and their sites are now back online.

Travelex: On New Year’s Eve in 2019, REvil infiltrated Travelex’s network. Travelex is a foreign currency exchange company known for its kiosks in airports around the world. Unfortunately for them, they weren’t very vigilant when it came to cybersecurity. They hadn’t installed any security patches for their VPN system in over two years! This allowed REvil to breach their network and inject ransomware easily.

It spread so fast that it took down their entire operation. Instead of coming clean about the hacking incident, Travelex claimed it was “planned maintenance” and quietly paid a $2.3 million ransom to the notorious gang. Once this information leaked (as it usually does), the company was in real hot water. Not only had their lax security policies led to a data breach and loss of service, but they lied about it. It evidently affected consumers’ trust, as the company did not recover from the situation. After a failed attempt to sell, Travelex fell into administration, cut over 1300 jobs, and is currently undergoing significant corporate restructuring^[4].

Grubman Shire Meiselas & Sacks: In May of 2020, REvil stole over 750 gigabytes of confidential legal documents from the Grubman Shire Meiselas & Sacks law firm^[5]. The practice is famous for representing celebrities and other high-profile clients. REvil gained access to records pertaining to people such as Madonna, Lady Gaga, Drake, Elton John, and United States President Donald Trump. At first, the ransom was an already-obscene $21 million but ballooned to $42 million after they figured out they had Trump’s information.

Upon the FBI’s guidance, the firm allegedly refused to pay the ransom, causing REvil to auction the information on the Dark Web to the highest bidder.

According to a recent interview with an apparent member of the gang, this may not be the entire story. The hacker claims a secret identity paid the ransom to prevent the Trump documents from leaking^[6]. This cannot be confirmed but adds another layer of intrigue to the incident.

Televangelist Kenneth Copeland. Wealthy televangelist pastor Kenneth Copeland suffered a REvil attack recently as well. The hackers encrypted and stole 1.2 terabytes of information from the Kenneth Copeland Ministries’ computer systems. The data includes email databases, bank documents, financial contracts, and more. The actual ransom demand amount isn’t known at the moment, but with an estimated net worth of over $750 million, the famous Pastor can likely afford it. If unpaid, he’ll need to take some time off from banishing evil from the world, to focus on banishing REvil from his network.

Desperate or enterprising?

REvil uses a double-extortion method to extract ransom payments from its victims. This means that they encrypt the breached data so that the victim must either pay to unlock it or restore it from a backup (which they may or may not have). Concurrently, they steal and transfer the information back to their own storage and threaten to sell it on the Dark Web. This means even if the company, agency, or individual has a backup, they still might elect to pay up to stop the data from leaking. It’s a lucrative model, but evidently not lucrative enough.

According to the interview mentioned above, the gang may add another wrinkle. They are now considering flooding a victim’s website with bot traffic, called a Denial-of-Service, to bring it down while also employing the double-extortion methods. This cripples the victim’s ability to function and puts more pressure on them to remedy the situation quickly.

Some analysts wonder if this is a sign that the gang is in desperate need of more money. However, it could just be good, old-fashioned greed. Only time will tell. What is certain is that REvil shows no sign of stopping their practices soon, and even if it does shutter eventually, a new gang will form out of the ashes to continue their dubious legacy.

Data security

AXEL is a company dedicated to data security solutions. Our file sharing and storage cloud, AXEL Go, utilizes three ultra-secure technologies (Blockchain, IPFS, encryption) to keep private documents safe. We offer a fully-featured, free Basic plan with 2GB of online storage, as well as paid plans for power users and enterprise clients. Don’t just sit back and wait for hacker gangs like REvil to set their sights on you; protect yourself with AXEL Go. Download it today and try it out for Windows, Mac, Android, or iOS.

^[1] Tara Seals,”REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down”, threatpost, Oct. 29, 2020, https://threatpost.com/revil-video-game-hit-revenue/160743/

^[2] Jai Vijayan, “GandCrab Developers Behind Destructive REvil Ransomware”, Dark Reading, Sept. 25, 2019,https://www.darkreading.com/attacks-breaches/gandcrab-developers-behind-destructive-revil-ransomware/d/d-id/1335919

^[3] “Texas government organisations hit by ransomware attack”, BBC News, Aug. 2019, https://www.bbc.com/news/technology-49393479

^[4] Kalyeena Makortoff, “Travelex falls into administration, with loss of 1,300 jobs”, The Guardian, Aug. 6, 2020, https://www.theguardian.com/business/2020/aug/06/travelex-falls-into-administration-shedding-1300-jobs

^[5] Lindsey O’Donnell, “REvil Ransomware Attack Hits A-List Celeb Law Firm”, threatpost, May 12, 2020, https://threatpost.com/revil-ransomware-attack-celeb-law-firm/155676/

^[6] Tara Seals,”REvil Gang Promises a Big Video-Game Hit; Maze Gang Shuts Down”, threatpost, Oct. 29, 2020, https://threatpost.com/revil-video-game-hit-revenue/160743/

November 20, 2020

What’s Inside California’s New Privacy Regulations

On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA or Prop 24), a ballot initiative expanding consumer privacy protections. It easily passed, securing over 56% “Yes” votes. We look into some of its major provisions and examine how it differs from a previous California privacy law.

An amendment to current regulations

In 2018, the California Consumer Privacy Act (CCPA) passed and became law. While it outlined a framework for many consumer privacy protections, many felt it was inadequate given the current state of corporate data collection. So, a mere two years later (and less than one year after the CCPA officially went into effect), the CPRA has made significant changes to these stipulations.

An overview of the changes

Here is a brief summary of the significant changes. You can view the full bill here if you enjoy reading 50 pages of legalese (hey, everyone has their preferences).

A higher threshold for mandated compliance

The CCPA required businesses that used 50,000 consumers’ or households’ personal information to comply with the bill’s privacy standards. The CPRA actually increases this number to 100,000 consumers or households. So, it lessens the regulatory burden on small to medium-sized businesses who traffic in personal information.

Is this a win for privacy advocates? It’s unclear. Nobody wants to shutter small businesses due to onerous regulation, but could these exemptions lead to exploitation? While the biggest privacy offenders such as Facebook and Google will fall under the regulatory umbrella, smaller companies get a free pass. Could this create a loophole where corporations spin their data collection arms off into smaller shell companies to avoid compliance? Until governments and organizations address these possibilities, it remains a concern.

A wider net

CCPA restrictions applied to companies receiving 50% or more of their revenue from selling personal data. This seemingly straightforward wording created a giant loophole for the serial data offenders. In many cases, corporations argued they didn’t actually “sell” personal information. They simply gave it away to increase advertising revenue.

The CPRA closes this loophole by injecting the term “sharing” into the clause. As defined by the bill: “sharing, renting, releasing, disclosing, disseminating, making available, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary, or other valuable consideration…” results in mandatory compliance (assuming the other qualifiers are also met). This is a much more encompassing definition and an overall win for privacy advocates.

New data categories

Whereas the CCPA treated most personal information generally, the CPRA creates more granular data categories with distinct regulatory differences. Specifically, the CPRA defines certain types of data as being “Sensitive Personal Information.” This includes:

Government identifiers such as social security numbers or driver’s licenses
Financial accounts and login information
Detailed geolocation data
Info regarding race, religion, philosophical beliefs, or sexual preference
Union membership status
The content of private mail, email, and text messages
Genetic information
Biometric data
Health records

Consumers can now request that businesses limit the use of their Sensitive Personal Information to only what is necessary to provide the desired services. Companies would then no longer be able to sell or share sensitive information without prior consent and authorization.

It also sets up disclosure and opt-out standards for the use of Sensitive Personal Information that organizations must follow. This includes providing opt-out links on their businesses’ homepage and respecting opt-out signals sent by the consumers when they visit their site.

Expanded consumer rights

The CPRA outlines new privacy rights and modifies others already defined in the CCPA. Examples include:

The right to correction. Consumers can now demand businesses update their personal information if it’s inaccurate.

The right to opt-out of profiling. Data collectors use your personal information to construct a “profile” of you, then utilize automated decision-making technology to serve advertisements based on the profile. The CPRA allows consumers to opt-out of this practice.

An expanded right-to-know. Previously, the CCPA entitled consumers to information collected on them for the past 12 months. The CPRA entitles residents to all data collected.

Greater protection for minors. Businesses that collect and sell the personal information of minors under the age of 16 are subject to triple fines per incident, or $7500.

A more robust right to delete. The CPRA strengthens Californians’ right to delete their personal information. Companies now not only must delete the data but inform third parties they’ve shared or sold the data to of the deletion request as well. Note, the right to delete is subject to certain conditions and exemptions.

A new government agency

Under the CCPA, enforcement falls under the California Attorney General’s responsibilities. This bill creates a dedicated government agency that will handle enforcement and penalties. California sure does love their government agencies! It’s called the California Privacy Protection Agency (CPPA); don’t worry if you can’t keep all the acronyms straight. The CPPA will have a $5 million budget in 2021, which will increase to $10 million from 2022 on. Its creation will theoretically lessen the burden on the Attorney General’s office and make enforcement more feasible.

Regular audits

Another important provision of the bill is the requirement for companies to audit their cybersecurity practices. As the constant hacks over the past few years have shown, problems lie not only in data collection but also in data protection. Sensitive information needs to be secured with baseline standards to prevent future phishing attacks, cyber theft, and identity fraud.

Organizations must present the findings from these audits to the newly-formed CPPA on a “regular basis.” Hopefully, this incentivizes companies working with private data to invest more in their cybersecurity solutions and reduce data breaches.

Opposition

The CPRA is a controversial bill, with a diverse set of proponents and opponents. However, the opponents may not be who you’d imagine. While one might assume that the big technology corporations in Silicon Valley aren’t too happy with the bill, none came out in outright opposition. There are two common explanations for this:

Nobody in Big Tech wants to come out against consumer privacy explicitly. Facebook, Google, and the other tech players have all had their share of bad publicity regarding privacy concerns over the past few years. Saying, “Oh yeah, we want all of your data and don’t want you to have any recourse against it,” likely wouldn’t play well to the general user.
Big Tech has sunk its digital claws into the legislation and weakened it considerably. This is actually the standard line for many of those who have come out against it.

Surprising opponents include the California American Civil Liberties Union[1], Consumer Action[2], and the California League of Women Voters[3].

A Frequently cited concern

Those opposing the bill have similar problems with it. They conclude it’s a “pay-for-privacy” scheme that unfairly affects people without the financial means to pay. This is because a clause in the legislation says that a company can charge a consumer requesting privacy the amount of the collected data’s value. It helps tech organizations offset the advertising revenue lost and is a clear motivation for consumers to opt-in to data collection.

An unclear future

Though not everyone agrees that the CPRA is the best possible solution, it’s difficult to argue it isn’t more substantial than the CCPA. It will be fascinating to see the legislation’s future effects on the tech business and consumer privacy. If successful, it could set in motion a slew of similar bills in other states. If it becomes a bureaucratic quagmire, it might stall regulation throughout the country.

One quirk of the CPRA is that lawmakers can no longer amend it unless the amendment is to “further privacy rights.” That may sound good, but its nebulous wording could open up legal challenges down the road if aspects of it need adjustment.

AXEL’s commitment

At AXEL, we believe in everyone’s right to privacy. That’s why we develop file-sharing and cloud storage solutions that prioritize privacy and security. No government-enforced edicts are necessary for us to respect your personal information. It’s an integral component of our corporate philosophy. If you need to share or store files in a safe, private way, download AXEL Go for Windows, Mac, Android, or iOS. Get out from under the watchful eye of Big Tech and experience a better way to use the internet.

[1] Andrea Vittorio, “ACLU Among Activist Opposing Update to California Privacy Rules, Bloomberg Law, July 22, 2020, https://news.bloomberglaw.com/privacy-and-data-security/aclu-among-activists-opposing-update-to-california-privacy-rules

[2] Alegra Howard, Linda Sherry, “Consumer Action opposes California Proposition 24”, consumer-action.org, Aug. 19, 2020, https://www.consumer-action.org/press/articles/consumer-action-opposes-california-proposition-24

[3] “League of Women Voters Opposes Prop 24”, prnewswire, Oct. 28, 2020, https://www.prnewswire.com/news-releases/league-of-women-voters-opposes-prop-24-301162344.html

October 30, 2020

You Can’t Crack Good Encryption But You Can EARN IT

Encryption is a hotly debated topic these days. Privacy advocates love it; governments and law enforcement are less enthusiastic. One of the most significant discussions regarding encryption at the moment is the United States’ EARN IT Act. This controversial piece of legislation could have major privacy implications moving forward.

The EARN IT Act’s journey

On March 5, 2020, a bipartisan group of U.S. politicians, including Sen. Lindsey Graham (R-South Carolina), Sen. Richard Blumenthal (D-Connecticut), Sen. Dianne Feinstein (D-California), and Sen. Josh Hawley (R-Missouri) introduced the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act. The legislation aimed to curb online child sexual exploitation through the creation of a national commission.

The commission

The act establishes a government commission consisting of 19 appointed individuals from various sectors. It includes high-ranking officials from the Department of Justice, the Department of Homeland Security, the Federal Trade Commission, as well as representatives from top law enforcement agencies, constitutional law experts, survivor groups, and more.

The commission would be responsible for devising a set of “best practices” that online companies would need to follow to maintain immunity from liability regarding third-party content posted on their platform. Congress would review and approve the list of mandated best practices. Once approved, the commission would need to certify companies as compliant with the policies before they received immunity. Simply put, immunity is not guaranteed. Online organizations would have to “earn it” (see what they did there?)

Businesses that do not follow the standard set of best practices would need to prove they have reasonable alternative methods to prevent child exploitation on their platform. As deemed by the commission, those who do not meet the minimum standards would be liable for lawsuits from sexual exploitation victims.

Amendments to the bill

This summer, while making its way throughout the Senate Judiciary Committee, lawmakers altered the bill to empower the states to form their own rules. The commission would still be retained along with its guidelines for best practices. However, it is now up to the states to bring civil and criminal lawsuits against content platforms that don’t do enough to prevent child exploitation.

In either form, the EARN IT Act, at its core, attempts to erode the legal protections stipulated by Section 230 of the Communications Decency Act of 1996. And It could create obstacles for the use of encryption technologies.

Section 230

The Communications Decency Act of 1996 is a component of the more comprehensive Telecommunications Act of 1996. This was the first law that incorporated the Internet into broadcast regulations. Section 230 of the CDA states:

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

This means that content platforms aren’t liable for the content people post on them. It protects them from all sorts of nasty legal situations.

The most current form of the EARN IT Act affords states more leeway to decide whether a content platform is culpable for sexual crimes committed against minors.

The effect on encryption

So, how does this relate to encryption? If passed, the EARN IT Act significantly weakens the utility of it. The first iteration never specifically mentioned encryption, although the implications to the technology were evident. If, for instance, the government held social media websites liable for facilitating child exploitation via encrypted messages, why would the platform ever allow encrypted messages in the first place?

The whole point of encryption is that the centralized platform doesn’t have the keys to decrypt messages between two private parties. This ensures privacy and that Big Brother isn’t watching over your shoulder. Section 230 prevented roadblocks to encrypted communications. But, if the government can hold the content of encrypted messages against a business in civil or criminal cases, the organization has a massive incentive not to offer encryption services.

The amended EARN IT Act that passed through the Senate Judiciary Committee does mention encryption. In fact, it stipulates that end-to-end encryption by itself is not a reason to remove the Section 230 protections for a company. On the surface, this looks like a more reasonable bill. However, it suggests that organizations scan messages before being encrypted to check for suspicious exploitative content. If any is present, they would have to forward them to the proper government authority for closer scrutiny. The practice is called “client-side scanning.”

So, would this really allow for end-to-end encryption? It appears to undermine its usefulness when companies scan every message before transmission.

Far-reaching consequences

AXEL is a data custody and privacy advocate. Our file sharing and storage platform, AXEL Go prioritizes privacy and security. We provide the option to use encrypted password protection for all shared files.

We understand that this is a complex issue, and we want to prevent the exploitation of minors. However, this legislation could have a chilling effect on privacy and the future of encryption.

Encryption is a tool. It isn’t only useful for criminals. Privacy is a right for everyone, and this technology helps facilitate it. It doesn’t just hide your data from governments and corporations, but also malicious agents. Data breaches happen on a daily basis. If the hackers only score encrypted data, the haul ends up being useless. It helps prevent identity theft, as well as stolen credentials and payment information. Encryption is a part of the solution, not the problem. We can usher in a better online experience. One that isn’t fraught with invasions of privacy and data collection. Client-side scanning of all messages is not on the path toward this future.

If you’d like a secure, private file sharing and storage platform, download AXEL Go. It’s an easy-to-use program available on Windows, Mac, iOS, and Android devices. It uses secure technologies such as blockchain, the InterPlanetary File System (IPFS), and the aforementioned password encryption to ensure your data stays safe and confidential. Sign up for one of our free, Basic accounts and you will receive 2GB of free online storage, along with enough of our AXEL Tokens to fuel thousands of shares across our decentralized network.

October 23, 2020

Cyber Monday Attracts Cybercriminals

Black Friday and Cyber Monday have been merging for years. This year, amid a global pandemic, the trend is likely to accelerate. With almost 1/3^rd of historically in-store shoppers claiming they will only shop online this year[1], hackers and online fraudsters will assuredly be on the prowl. Here are some of the most common scams to watch out for and how to avoid them.

Popular Cyber Monday scams

Most of these cons aren’t exclusive to Cyber Monday, but the influx of online shoppers during the time period does magnify thieves’ efforts.

Phishing emails

‘Tis the season for shady emails. Since legitimate retailers send emails en masse during Cyber Week to advertise deals, many fraudulent phishing attempts slip through the cracks. These emails will look like they’re from an established brand but are really trying to trick you.

We recommend being suspicious of any brand emails sent during Cyber Week and checking the sender’s address to ensure it appears valid. Do not trust any address not instantly recognizable as being credible. Never click links or open attachments in these emails. Navigate to the brand’s website via your browser and see if the promotion is there too. If it is, make the transaction through the website rather than clicking any email links.

Fake social media offers

Even Black Friday and Cyber Monday deals have limits to their believability. Cybercriminals make fake social medial accounts to take advantage of consumers wanting the best bargains. These accounts will post up too-good-to-be-true offers with malicious links or bogus surveys with the promise of free rewards.

The easiest way to avoid these scams is not to get caught up in the fear of missing out on a once-in-a-lifetime deal. The truth is, most of these are ploys to infect your system or steal sensitive personal information. Don’t follow strange Twitter accounts shilling pie-in-the-sky promotions.

Formjacking

Also known as “e-skimming,” formjacking is an especially deceptive way to scam unsuspecting online shoppers. Here, the bad actor is able to inject malicious code into otherwise legitimate retail sites. The malware executes once the shopper enters their payment information. Then, the script scrapes the credit card information and transmits it back to the hacker.

Cyberthieves target third-party plugins on e-commerce websites to find vulnerabilities. This makes it difficult for retailers to spot the problem before it becomes a huge issue since it doesn’t even occur in their controlled system. Although smaller companies without the resources to staff large IT teams are most affected, large corporations are also not immune. For example, in 2018, online ticket vendor Ticketmaster suffered a formjacking incident that exposed customer’s personal information and payment data[2].

Preventing formjacking as a consumer is difficult, if not impossible. The website is legit, and there’s no signal that the payment form is compromised. Shop trusted sites you’ve ordered from previously and use a credit card instead of a debit card number, if possible. Typically, credit cards offer more comprehensive fraud coverage than debit cards. You won’t be liable for the vast majority of fraudulent credit card charges. Just remember to pay it off immediately!

Man-in-the-middle attacks

This is a cyberattack where the hacker compromises a network and inserts themselves between two other parties. The attacker can then intercept and alter the information relayed between these parties. A common example of a “man-in-the-middle” attack is when a threat actor gains control of a public WiFi access point. Everyone connecting to the public WiFi is then at the mercy of the cybercriminal. Hackers typically accomplish this in one of two ways:

Hacking the router. If the router used for a businesses’ WiFi is in a public area, or there is a nefarious employee, the router itself is susceptible to a hack. Small companies, such as local restaurants, usually lack sufficient IT personnel to prevent these breaches.

Setting up a fraudulent access point. Sometimes, the fraudsters don’t even have to hack anything. They simply set up their own unauthorized WiFi access point and name it deceptively. This tricks customers into connecting to harmful networks.

Companies should keep their routers out of public spaces and only allow trusted employees to deal with them. However, the best way to prevent these occurrences is for customers to refrain from using public WiFi altogether. Use your cellphone data whenever you can. Cellular networks are much more challenging to crack.

Counterfeit goods

Here’s a new twist on an old classic. Cyber Monday is a massive opportunity for counterfeiters to sell their inauthentic wares. In a bit of irony, counterfeiters may actually charge more for their fakes than usual while still making it look like a great sale to their victims. So, before you click the checkout button on that incredible deal from Gucci-Bag-Sales-4-You.com, think twice. Is the website reputable? If not, you should probably pass.

Check online to see if there are validated reviews for the site before you buy. If there’s even a hint of fake reviews, steer clear. Verify how long the company has been in business. One trick is to perform a WHOIS lookup on the domain. Copy and paste the web address into the WHOIS lookup box and hit the search icon. Then, search for the “Creation Date” attribute within the returned information. If the site was registered recently, that’s a major red flag.

Stay safe

Black Friday, Cyber Monday, and all of Cyber Week are fantastic times to save big on your favorite products. But you have to be safe and vigilant to prevent hacks, data breaches, and other scams. Please don’t get fooled by those looking to leverage other people’s greed to satisfy their own.

AXEL is passionate about data security. That’s why our motto is “Securing data at rest and in motion.” We are a company that’s always utilizing new technologies to offer more robust protection for your information. If you’d like to learn more about our philosophy and software solutions, such as our secure, privacy-focused file-sharing platform, AXEL Go, please visit axelgo.app today.

[1] Emily Eberhard, “How the pandemic may affect holiday shopping”, July 2020, Think With Google, https://www.thinkwithgoogle.com/consumer-insights/consumer-trends/pandemic-holiday-shopping/

[2] John Leyden, “Ticketmaster gatecrash: Gig revelers’ personal, payment info glimpsed by support site malware”, The Register, June 27, 2018, https://www.theregister.com/2018/06/27/ticketmaster_support_bot_hack/

October 16, 2020

A Story of Data Custody in the Modern Age: Part III

Lucas finds AXEL

In Part II of Lucas’ story, he found many companies were still collecting vast amounts of customer information even with new privacy regulations. But, that didn’t mean he was ready to shun technology. It was a modern conundrum shared by every technophile who values their privacy.

“I’m an IT professional who loves the latest and greatest technology. I can’t close myself off from the world and go hide out in a treehouse in the woods. That shouldn’t be my only option just because I don’t want these huge companies spying on me or making detailed models of my behavior. So, I started to scour the web looking for programs and services that weren’t going to auction off my information to the highest bidder. I stumbled upon AXEL from a Google search about cloud storage, and loved what I saw.”

Lucas and AXEL Go

Specifically, Lucas found our private, secure file storage and sharing application, AXEL Go.

“AXEL Go is basically my new best friend. I get instant access to all of my files and can share them with anyone. I use it at home on my PC and on my iPhone when I’m out. The first thing that impressed me was the company kept promoting this concept called ‘data custody.’ I’d never heard of the term before, but after reading into it a bit, it really hit home. It just means they’re all about giving control of data back to the people.”

AXEL is a champion of data custody and considers personal information private property. We never mine any content stored on AXEL Go and do not sell personal information to third parties, ever.

“That in itself sets them apart from most cloud companies. But they not only respect your data, they protect it too. Their security features are way more advanced than other cloud options.”

AXEL Go utilizes three secure technologies as the backbone of AXEL Go; blockchain, the InterPlanetary File System (IPFS), and password encryption. This unique combination makes AXEL Go an industry leader in security, ensuring your content stays safe at rest and in motion.

“It’s the best of both worlds. I don’t have to worry about the company itself selling my info, but I also am less concerned about hackers breaching their system. Their servers are decentralized, and I always use encrypted passwords on my files. So hackers can’t attack a single vulnerable server to get my content, and even if they do somehow get to my files, they won’t be able to access them. I looked it up, and the encryption algorithm they use for passwords takes billions of years to brute force crack. It’s reassuring. Now, if AXEL could make a social media platform…”

A happy ending

Thank you, Lucas, for your kind words and support for AXEL products. If you’re like Lucas and want a cloud sharing solution that provides security and privacy, download AXEL Go today. It’s free to signup, and our Basic accounts include all of AXEL Go’s unique features, 2GB of storage space, and enough fuel tokens to facilitate thousands of shares. AXEL envisions a better future for the internet, where everyone’s data gets the respect it deserves. Together, we will achieve this goal.