Cybersecurity

May 10, 2021

Ransom-Wars: The Task Force Awakens

Ransomware is a significant societal problem. If you’re unaware of how it works, read our previous blog on the topic. 2020 was a banner year for ransomware gangs, as analysts estimate they brought in approximately $350 million, with the average payment exceeding $315,000[1]. It’s gotten so concerning that 60+ government agencies and industry leaders formed a task force to tackle the situation.

Key members include the United States Department of Justice, the FBI, the Department of Homeland Security, Europol, Microsoft, Amazon, Cisco, and more. They recently published an 81-page document that discusses the issue and creates a framework for dealing with ransomware[2]. Lucky for you, we read it, so you don’t have to. Here’s the easily digestible summary.

Definition of ransomware

The first quarter or so of the report focuses on defining ransomware and the tactics threat actors use. These are covered in our previous blog if you’re interested. To summarize quickly, ransomware is a type of malware malicious agents install on high-priority computer systems, typically governmental organizations or successful businesses.

Once they infect these networks, the malware moves throughout them and encrypts or exfiltrates the files it finds. A ransom is then demanded, which the organizations must pay to decrypt their data or to prevent the hackers from leaking it on the internet.

Some rather nasty gangs require double ransoms, one for decryption, the other for not leaking the information. It’s known as double-extortion and is becoming a popular tactic. Now, onto the proposed framework.

The framework for fighting ransomware

We should note that this document’s crux lies in the need for international cooperation for its implementation. Although the United States suffers the majority of ransomware attacks, it is a global problem. The perpetrators come from many different countries such as Russia, Iran, and North Korea, which have zero incentive to stop. This means the rest of the global community needs to agree to the framework for it to work.

Goal 1: Deter

The first goal of the framework is to prevent as many ransomware infections as possible. The document outlines various steps the world must take to do so:

Establish an international ransomware coalition. Governments and corporations around the world have to come together. The document suggests that leaders must communicate regularly about the threats to keep the global community informed about new groups and malware variants. It outlines that nations should create “investigation hub” networks for data sharing and analysis.

The U.S. Government should prioritize ransomware policy. The task force wants the United States, in particular, to get tough on ransomware. It proposes the intelligence community designate it as a formal national security threat and for the DoJ to prosecute ransomware cases more aggressively. Furthermore, it wants the U.S. to levy sanctions against countries that harbor ransomware gangs to increase pressure for cooperation.

Goal 2: Disrupt

The second objective is to disrupt the current business of ransomware gangs and make it a less profitable endeavor. The task force recommends:

Crack down on cryptocurrency markets. Ransomware groups force victims to pay nearly all ransom payments in cryptocurrency. They do this because cryptocurrencies are borderless and can be challenging to track. There are anonymous exchanges, privacy coins, and techniques for swapping assets from one cryptocurrency to another to obfuscate their origins. The report suggests governments provide more of a regulatory framework for this market. It wants exchanges to follow the current anti-money laundering laws to which other financial institutions must adhere.

Create an insurance company consortium. Insurance companies do offer protective plans against ransomware. The task force would like to see collaboration and data sharing between these organizations. It claims this could reduce payments to sanctioned or terrorist bodies since they could use the mass amount of information to get a clearer picture of the groups demanding the ransoms.

Target infrastructure used by criminals. Ransomware campaigns require significant computer infrastructure. The report proposes international cooperation that targets these systems and brings them down.

Goal 3: Help

Unfortunately, many organizations aren’t well prepared for ransomware attacks. The fact is that most organizations over a certain size will be targeted sooner or later. The task force recognizes this and wants to provide these organizations with more information and better toolsets to deal with attacks. It advises:

Create and highlight complementary materials for the framework’s adoption. There is a significant amount of readily available material about ransomware prevention and mitigation. The task force wants to promote these existing materials and create new ones to fill in any information gaps. The new materials should be geared toward organizational leaders and include specific implementation procedures.

Require government agencies to follow guidelines and incentivize private businesses. The task force wants to include ransomware-specific guidelines in existing cyber-hygiene standards and require government agencies to follow them. Furthermore, it supports creating more grants while alleviating fines and taxes for private companies that follow the framework. This would make a strong incentive for everyone to be on board.

Goal 4: Respond

Organizations need a more effective response after a ransomware infection. This goal aims to aid businesses and agencies after an incident. The task force recommends:

Increased support for victims. Ransomware is destructive and could be incredibly dangerous if it affected critical infrastructure or health-based organizations such as hospitals. The task force wants to set up a relief fund that would help funnel resources quickly if such a situation ever occurs.

Encouragement to report ransomware. Ransomware attacks are embarrassing for companies, and many don’t even report them. This stops the flow of information and hinders future efforts to predict and prevent attacks. The task force feels proper encouragement and education materials are crucial to getting an accurate, holistic picture of the insidious malware.

Educate organizations about payment alternatives. The truth is, if organizations stopped paying the ransoms, the income would dry up for ransomware gangs, and it would no longer be a worthwhile endeavor. This is easier said than done, as some data is very sensitive and perhaps not backed up offline. Still, the task force urges companies to look at the alternatives to paying whenever possible.

Potential roadblocks

These all sound like good suggestions and would actually go a long way in fighting ransomware if implemented adequately. However, there are some weaknesses to consider:

Privacy concerns. If the world at large enacts this framework, governments and businesses will share a lot of data. As with most scenarios regarding Big Data collection, this has a good chance of going awry from a privacy standpoint. Is it worth it? A detailed cost-benefit analysis would have to be done, but AXEL believes the possibility of abuse is too great as-is. The fact is, even if governments gave privacy guarantees, they don’t mean much.

Inefficient bureaucracy. The task force recommends multiple new governmental and private-public partnership organizations created to combat ransomware. It’s admirable to put so much thought into methods to take on the problem, but additional levels of bureaucracy may prove (as they typically do) to be inefficient.

Data security

AXEL believes that basic education about cybersecurity best practices for all members of an organization is the best way to prevent ransomware infections currently. While all systems have technical weaknesses, the biggest weakness tends to be the human factor. Teaching employees to be vigilant about ransomware and understand the risks entirely is effective.

Another part of the equation is data security. Are you storing and sharing data securely? If not, or you aren’t sure, you should try AXEL Go. AXEL Go utilizes multiple layers of security to protect data from malicious agents. You can read more about our use of technology and download the app to try for yourself at AXELGo.app. Sign up today and receive a free 14-day trial of our Premium service.

[1] “Ransomware Skyrocketed in 2020, But There May Be Fewer Culprits Than You Think”, Chainalysis.com, Jan. 26, 2021, https://blog.chainalysis.com/reports/ransomware-ecosystem-crypto-crime-2021

[2] Ransomware Task Force, “Combatting Ransomware”, SecurityAndTechnology.org, April 2021, https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force-Report.pdf

Filed Under: Cybersecurity Tagged With: cyber attack, cybercrime, cybersecurity, ransomware, task force

April 23, 2021

What Else We’ve Learned About the SolarWinds Data Breach

In January, we covered a massive supply-chain data breach known as the SolarWinds attack. To get a broad overview of the incident, how the malicious agents carried out the hack, and the known victims, please read our coverage. Over the past four months, there have been new developments in the story that warrant a follow-up. Here, we go over these updates and discuss the potential for lasting fallout.

A brief synopsis

In December 2020, cybersecurity firm FireEye reported a significant flaw in the SolarWinds Orion database management software suite. When the dust settled, experts found that over 18,000 organizations had inadvertently installed a backdoor for an Advanced Persistent Threat (APT) group, likely Russian in origin. These state-sponsored actors infiltrated major corporations and high-level United States governmental agencies alike. Officials believe it to be the most widespread digital espionage campaign ever carried out against the United States. So, what have we found out since then?

More sophisticated than initially thought

From the very beginning, cybersec professionals knew the culprits were sophisticated and that the program’s scope was enormous. As it turns out, however, even those initial estimates fell short. According to a recent analysis by RiskIQ, the infrastructure used by the threat actors was at least 56% larger than originally thought[1].

This implies the state hackers had access to significantly more computing power and probably targeted even more organizations than the known 18,000 victims. The same report also concluded that the use of United States-based infrastructure during the initial attack stage prevented the National Security Agency (NSA) from noticing the situation due to stricter laws against domestic surveillance.

Russians officially blamed

United States intelligence agencies have always blamed Russia for the attack, but it turned into more than an accusation when President Joe Biden and the United States formally sanctioned the adversarial country on March 15[2]. Provisions of the sanctions include:

  • Forbidding U.S. banks from buying bonds from or lending money to Russia’s national financial institutions after June 14.
  • Expelling 10 Russian diplomats accused of being intelligence agents from the United States.
  • Sanctioning six technology companies in Russia accused of supporting intelligence agencies.

The sanctions significantly ratchet up tensions between the two nations and mark a major departure from standard espionage protocol. Previously, the United States and other countries assumed cyber espionage campaigns were always underway from their enemies, and their enemies were under similar assumptions. This meant that there was an implicit understanding that everyone is spying on everyone else, and nobody felt real consequences for it. The sanctions set a new precedent that could result in escalation rather than diplomacy. Russia did pull back troops from the Ukrainian border after the sanctions[3], though, so perhaps the message landed as intended. Only time will tell what ramifications this act has, but hopefully, it doesn’t increase the divide between the two largest nuclear powers.

Concurrent Chinese involvement

Although analysts blame Russia for the initial breach, it appears that Chinese state hackers also took advantage of the situation[4]. According to a report by Secureworks, some malicious agents used tactics similar to those employed by the Chinese APT, SPIRAL[5]. Furthermore, during the intrusion, the group accidentally revealed its IP address, which originated from China. So, while sanctions only targeted Russia, there is evidence that China played a role too.

Of course, as we talked about in the original SolarWinds blog, it’s exceedingly difficult to analyze blame with a hundred percent certainty. State-sponsored digital espionage groups are adept at covering their tracks and obfuscating origins. And, while the United States government seems positive the Russians were the main culprits, hard evidence of this assertion hasn’t been made public. Not to mention the United States government has been wrong about some pretty bold claims before. We may never know the full truth.

Congress grills Microsoft

Interestingly, the company in the hottest water over the whole snafu isn’t SolarWinds; it’s Microsoft. Probably due to its high-profile nature, the U.S. Congress set its sights on the tech behemoth[6]. This is because, after the breach’s first stage, the hackers exploited Microsoft products and stole sensitive emails and other data from thousands of organizations.

Microsoft itself had its source code exposed to the hackers. Since source code is the lifeblood of a tech company, it shows exactly how all-encompassing the breach was. It also proves a crucial point; no matter how secure a system is, nothing can be completely safe from ill-intentioned cyberspies with the backing of an entire country’s resources. So, although House members assuredly loved grandstanding about the holes in Microsoft’s security, the truth is more complex and nuanced.

White House ramps down recovery efforts

This brings us to the conclusion of the saga. On April 19, the White House announced that several national agencies such as the FBI, CISA, and NSA would soon begin ramping down their efforts regarding SolarWinds. Combined with the Russian sanctions, it signals that the U.S. Government considers the incident largely settled. China appears unlikely to receive any formal retaliation. Hopefully, the most significant data breach of our times serves as a lesson for the future of cybersecurity. Undoubtedly similar incidents will occur in the future, but perhaps mitigation policies will improve, and potential damages will be reduced.

Security is a personal responsibility

If there’s one takeaway everyone should have about SolarWinds, it’s that relying on Big Tech’s security policies is a mistake. People should do a bit of research to find redundant cybersecurity methods for their sensitive data.

You can protect your confidential files by ditching cloud drives like Dropbox, OneDrive, and Google Drive and switching to AXEL Go. AXEL Go utilizes our decentralized, distributed file-sharing network backed by blockchain and the InterPlanetary File System. This ensures your documents aren’t stored in one place with a single point of failure.

Additionally, every file you transfer via the AXEL Network gets “digitally shredded” and distributed to scattered server nodes. This means even if a malicious agent compromised a server, they wouldn’t have access to the complete file. Documents are only reconfigured for the initial user and any recipients. This system, combined with military-grade encryption, provides multiple layers of security for AXEL Go users.

You can try AXEL Go Premium with all features unlocked free for 14 days. Sign up today and see how AXEL can improve your workflow and harden your organization’s cybersecurity.

[1] “SolarWinds: Advancing the Story”, RiskIQ.com, April 22, 2021, https://community.riskiq.com/article/9a515637

[2] Morgan Chalfant, Maggie Miller, “Biden administration sanctions Russia for SolarWinds hack, election interference”, TheHill.com, April 15, 2021, https://thehill.com/homenews/administration/548367-biden-administration-unveils-sweeping-sanctions-on-russia?rl=1

[3] “Russia to pull troops back from near Ukraine”, BBC, April 22, 2021, https://www.bbc.com/news/world-europe-56842763

[4] Dan Goodin, “Chinese hackers targeted SolarWinds customers in parallel with Russian op”, Ars Technica, March 8, 2021, https://arstechnica.com/gadgets/2021/03/chinese-hackers-targeted-solarwinds-customers-in-parallel-with-russian-op/

[5] Counter Threat Unit Research Team, “SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group”, Secureworks.com, March 8, 2021, https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group

[6] Frank Bajak, “SolarWinds hacking campaign puts Microsoft in the hot seat”, The Associated Press, April 17, 2021, https://apnews.com/article/business-technology-government-and-politics-f51e53523312b87121146de8fd7c0020

Filed Under: Cybersecurity Tagged With: biden, cybersecurity, data breach, hack, russia, solarWinds

March 22, 2021

The Ethical Responsibility for Data Security in Finance, Law, and Healthcare

It’s difficult to argue that the vast majority of businesses today don’t have an ethical responsibility to adequately protect and secure their customers’ data. However, it’s an even more crucial aspect for organizations with known fiduciary duties to their clients or consumers, such as those in the Finance, Legal, Healthcare, and Insurance sectors. Let’s dig into each of these industries in the United States, look at their unique ethical demands regarding data security, and find some common solutions.

Finance

The financial industry includes banks, investment firms, real estate companies, and insurance organizations. According to the International Monetary Fund, it is the sector targeted most by hackers[1]. It makes sense. In a 2020 survey by Verizon Communications, researchers found that 86% of data breaches are primarily financially motivated[2]. Who has more money than the financial industry?

Hackers target these institutions in a variety of ways. One of their most common tactics is attempting to gain access to customer login info. Direct attacks against an organization’s reserves gain immediate attention and mitigation, but hackers can take over a user account and move around smaller sums for much longer periods.

Another method they use is stealing sensitive financial documents. It provides the malicious agents with a treasure trove of confidential data to use for identity theft.

So, what ethical obligation do they have to their clients for securing this data? Since they’re such huge targets, financial institutions tend to employ data protection strategies that are more sophisticated than average. In 2020, the Federal Trade Commission proposed amendments to the Safeguards Rule and the Privacy Rule in the Gramm-Leach-Bliley Act. Under these proposals:

  • Financial institutions would need to safeguard customer data more robustly, such as utilizing encryption for all information.
  • Customers could opt-out of data sharing policies between banks and third-parties.
  • Banks would require employees to pass multi-factor authentication (MFA) to access client data.

The FTC has not ratified these amendments yet, but they would serve as a much-needed update to the current regulatory framework.

Law

Legal professionals now face an even greater risk to their clients’ personal information. Being the processors of strictly confidential information has always put large targets on them. But the COVID-19 pandemic forced many lawyers out of the office and courtroom and into their dens. Working from home is the new normal for legal pros, and that means more cybersecurity risks. Whereas they probably worked in a closed system at the office that IT experts monitored daily, it’s much more challenging to evaluate weaknesses in everyone’s home networks. Couple that with the fact that lawyers, on the whole, aren’t the most technically literate people in the world, and you’ve got a recipe for data breaches.

The American Bar Association gives broad ethical expectations for data security throughout its Model Rules of Professional Conduct[3]. A recent formal opinion published by the organization outlines them in greater detail[4], specifically for those engaged in a virtual practice. This opinion has the following provisions:

  • Lawyers must make “reasonable efforts to prevent inadvertent or unauthorized access [to client data].” Today, a reasonable attempt goes well beyond attaching a confidential document to an email and sending it off with nothing but the hope that it doesn’t fall into the wrong hands.
  • Virtual practitioners should look into setting up Virtual Private Networks (VPNs), keeping the computer’s operating systems updated so that security patches stay current, utilizing file encryption, using MFA, setting strong passwords, and changing them regularly.
  • Legal professionals must vet software and hardware providers to ensure proper security.
  • Lawyers should never use smart speakers (Alexa, Google Home, etc.) or virtual assistants (Siri) when conducting confidential business. These “helpers” listen to every word that is said and can be hacked easily by malicious agents.

Hopefully, the ABA codifies the recommendations given in this opinion into its formal standards.

Healthcare

The medical industry also deals with extremely private, confidential information and is susceptible to drawing attention from hackers. 2020 was an especially bad year for this, as the rise of COVID-19 caused a 55% spike in data breaches compared to 2019[5]. It’s a chilling reminder of how opportunistic threat actors can be. Sensing healthcare providers were stretched to the max and short on resources, they attacked.

Common reasons to target the healthcare industry include stealing patient medical records for resale on the Dark Web, for identity theft, or for extortion schemes, as well as ransomware attacks that cripple critical systems until the organization pays a hefty fee.

The United States Department of Health and Human Services set national regulations about healthcare data security through the HIPAA Security Rule. Here are some of the guidelines:

  • Organizations must have physical and technical security measures enacted for hosting sensitive health data. Examples include facility access limits, computer access controls, and strict limitations on attempts to transfer, remove, or delete patient records.
  • Technical systems must have automatic log-off settings, file encryption capabilities, regular audit reporting, and detailed tracking logs of user activity.

With COVID cases declining and vaccinations increasing, the healthcare sector could soon return to normal and start allocating more cybersecurity resources. At least for the first time in over a year, there’s cause for optimism.

Conclusion

With cyberattacks on the rise, there’s still much room for improvement in these industries. Organizations should go above and beyond legal requirements if adequate cybersecurity is a priority. Combining the right technical solutions with a plan of ongoing education is crucial. Usually, the weakest links in a network are the employees themselves. Train them regularly on the basics of phishing techniques and how to spot them. You’ll have a more resilient workforce who won’t fall for common scams that can put your organization at serious risk.

AXEL Go

Part of the equation is still using suitable technical systems. If your company transfers or stores confidential data, you need to ensure it’s locked down. AXEL Go is a decentralized, private and secure file-sharing and storage platform. It offers industry-leading security features that set it apart from the typical Big Tech applications. It uses blockchain technology, advanced file sharding, the InterPlanetary File System, and military-grade encryption to keep important documents away from hackers. Try AXEL Go and gain access to all of its premium features for only $9.99/mo. It’s the safest way to share and store online.


[1] Jennifer Elliott and Nigel Jenkinson, “Cyber Risk is the New Threat to Financial Stability”, IMF.org, Dec. 7, 2020, https://blogs.imf.org/2020/12/07/cyber-risk-is-the-new-threat-to-financial-stability/

[2] “2020 Data Breach Investigations Report”, Verizon, May 19, 2020, https://enterprise.verizon.com/resources/reports/dbir/?CMP=OOH_SMB_OTH_22222_MC_20200501_NA_NM20200079_00001

[3] American Bar Association, “Model Rules of Professional Conduct”, Americanbar.org, https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/model_rules_of_professional_conduct_table_of_contents/

[4] American Bar Association Standing Committee on Ethics and Professional Responsibility, Formal Opinion 498, Americanbar.org, March 10, 2021, https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba-formal-opinion-498.pdf

[5] “Healthcare Breach Report 2021: Hacking and IT Incidents on the Rise”, Bitglass, Feb. 17, 2021, https://pages.bitglass.com/rs/418-ZAL-815/images/CDFY21Q1HealthcareBreachReport2021.pdf?aliId=eyJpIjoiOE54NGRRTkhCZDY3aUxGMiIsInQiOiJ0RTZ1QVZXbnFPUGRhZXhVbmhyMmVnPT0ifQ%253D%253D


Filed Under: Cybersecurity Tagged With: cybersecurity, data protection, data security, finance, healthcare, law

March 12, 2021

The Microsoft Exchange Hack is Unparalleled

Barely two months after the massive SolarWinds attack (that experts are still attempting to unravel) comes news of perhaps an even larger successful attack. In a patch release on March 2nd, Microsoft announced they fixed four critical vulnerabilities to their Exchange Server email system. No big deal, right? Well, buckle up.

The scope

As it turns out, hackers exploited these zero-day (previously unknown) vulnerabilities for at least two months before Microsoft released the security patch. The security holes themselves were present for over ten years, so the issue may be even more widespread. During the last two months, however, it seems as if over 30,000 organizations running Exchange Server were compromised in the United States alone[1]. Worldwide, the number grows to hundreds of thousands of likely victims. And that could be a lowball estimate! According to former CISA Director Chris Krebs, “The numbers I’ve heard dwarf what’s reported here,” referring to a report indicating the 30K number. That’s staggering!


The situation

In early January, the red team ethical hacking group DEVCORE, led by Orange Tsai, first reported two of the four zero-day vulnerabilities to Microsoft[2]. Soon after, the cybersecurity firm Volexity detected actual attacks from then-unknown entities using the exploits[3]. By late January, analysts had mapped out the breaches and deciphered some details.

The threat actors were installing backend “web shells” on the Exchange servers. Web shells are malicious code injected into web applications that can give hackers administrator access to the infected servers. The cybercriminals can then run commands at will. In this case, it appears that the hackers stole private emails and primed the networks for other malicious activity. Some analysts worry that the affected systems may be vulnerable to future ransomware attacks[4].

The victims

The unfortunate truth is that nearly any organization running non-cloud-based Microsoft Exchange email servers could be a victim. As awareness of the hack spreads, the tally of compromised organizations grows. The scope of the attack is unprecedented. In an official statement, Microsoft claimed that the group responsible for the attack typically targets “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs,[5]” but this attack appears much less selective.

According to the cybersecurity firm Huntress, many of the clients they confirmed as having the web shell installed do not fit into these categories[6]. As the company’s Senior Security Researcher says, “These companies do not perfectly align with Microsoft’s guidance as some personas are small hotels, an ice cream company, a kitchen appliance manufacturer, multiple senior citizen communities and other ‘less than sexy’ mid-market businesses.”

There have been some high-profile organizations already disclosing breaches, though:

  • European Banking Authority. On March 7th, the EBA, which has a supervisory role in the European Union’s banking industry, admitted hackers compromised their Exchange email servers[7]. Luckily, a security analysis turned up no evidence that the cybercriminals stole any data.
  • Norway’s parliament. The Norwegian parliament, the Storting, did not get off so easy. With the digital forensic investigation still underway, the governmental body admitted, “We know that data has been extracted, but we do not yet have a full overview of the situation.[8]” This is the second major breach the Storting experienced over the past three months.

Undoubtedly, the list of known organizations affected by the situation will increase significantly in the upcoming days.

The perpetrators

Microsoft has consistently assigned blame to a Chinese state-sponsored hacking group dubbed ‘HAFNIUM.[9]’ Details for this assessment are scarce. Evidently, the behavior and tactics are similar to known Advanced Persistent Threats (APTs) from China. The group also worked through leased VPN servers located in the United States, which may point toward a Chinese origin.

However, after the initial disclosure, cybersecurity firms reported that other APTs have joined in on the illicit fun. According to a report by the cybersecurity company ESET, at least ten other APTs are exploiting the Exchange flaws[10]. These include Tick, LuckyMouse, Calypso, Websiic, Winnti Group, Tonto Team, Cobalt Group, Mikroceen, and three unknown groups. It’s unclear if there is any proper coordination between these factions. The majority (but not all) of them share connections to China, but the fact that multiple web shells were present on some of the affected servers indicates a lack of collaboration.

As was mentioned in our previous SolarWinds article, attribution of an attack is quite tricky. There are instances of APTs disguising their activity and successfully pinning it on a different country. And, as the Vault 7 WikiLeaks dump proved, nations have sophisticated tools that obfuscate the attackers’ true origins[11]. However, with so many Chinese APTs linked to the situation, it becomes more challenging to deny involvement (unsurprisingly, the Chinese Communist Party has denied the allegations).

Uncertainty

So, where do we go from here? As mentioned, Microsoft released a patch that fixed the vulnerabilities. If your organization runs an Exchange email server, install the patches immediately. Microsoft says that these fixes will not help systems already infiltrated with web shells. If you suspect an infection, have cybersecurity professionals analyze the network.

Other than that, there isn’t too much you can do. Experts are still evaluating the full extent of the attack, and nobody knows if/when further damage, such as ransomware, will occur. The situation’s historic magnitude makes it especially scary because it goes against the traditionally-cautious cyber strategy of China’s APTs. It’s brazen and impossible to ignore. What will the fallout be? Only time will tell.

Data security for all

Are you doing enough to protect your files from hackers and intruders? If you’re using a Big Tech solution for file-sharing and online storage, the answer is ‘no.’ Get serious about data security and use the private, safe file-sharing and storage platform AXEL Go. It utilizes blockchain technology, the InterPlanetary File System (IPFS), and robust password encryption to keep your documents out of reach from data mining corporations and hackers. Download it today for Windows, OSX, Android, or iOS and experience a better way to share.

 

[1] Brian Krebs, “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software”, Krebsonsecurity.com, March 5, 2021, https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/

[2] “What is ProxyLogon”, Proxylogon.com, March 2021, https://proxylogon.com/#timeline

[3] Josh Grunzweig, Mathew Meltzer, Sean Koessel, Steven Adair, Thomas Lancaster, "Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities".

[4] Brian Krebs, “Warning the World of a Ticking Time Bomb”, Krebsonsecurity.com, March 9, 2021, https://krebsonsecurity.com/2021/03/warning-the-world-of-a-ticking-time-bomb/

[5] “HAFNIUM targeting Exchange Servers with 0-day exploits”, Microsoft.com, March 2, 2021, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[6] John Hammond, “Rapid Response: Mass Exploitation of On-Prem Exchange Servers”, March 3, 2021, https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers

[7] Davey Winder, “EU Banking Authority Hacked As Microsoft Exchange Attacks Continue”, March 9, 2021, https://www.forbes.com/sites/daveywinder/2021/03/09/eu-banking-authority-hacked-as-microsoft-exchange-attacks-continue/?sh=29f2026d2fe0

[8] Richard Speed, "A nei! Norway's Stortinget struck by Microsoft Exchange malware", The Register, March 11, 2021, https://www.theregister.com/2021/03/11/stortinget_attack/

[9] “HAFNIUM targeting Exchange Servers with 0-day exploits”, Microsoft.com, March 2, 2021, https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

[10] Matthieu Faou, Mathieu Tartare, Thomas Dupuy, “Exchange servers under siege from at least 10 APT groups”, March 10, 2021, https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

[11] “Vault 7: CIA Hacking Tools Revealed”, Wikileaks.org, March 7, 2017, https://wikileaks.org/ciav7p1/index.html


Filed Under: Cybersecurity Tagged With: exchange email, exchange hack, hack, microsoft hack

February 19, 2021

Why the Data Localization Movement is Misguided

Data localization, or data residency, is the concept of storing certain data collected on a nation’s citizens within the country of origin at all times. It gained steam after whistleblower Edward Snowden revealed the scope of government mass surveillance in 2013[1]. Governments worldwide enacted data localization legislation to protect state secrets and their citizens’ personal information from the watchful eyes of perceived competitors.

Governments expected and hoped these regulations would bring a host of benefits, including domestic IT job growth, more-hardened national cybersecurity, and increased data privacy. The truth is a bit murky, however, as the desired advantages haven’t materialized.

Countries and regions with data localization laws

First, let’s look into some examples of countries with data residency laws on the books. It is not a comprehensive list but illustrates how many nations are concerned about their data security.

The European Union

The EU’s sweeping data privacy law, the GDPR, sets many expectations for handling sensitive information, such as:

  • Profile data
  • Employment data
  • Financial data
  • Medical and health information
  • Payment data

The GDPR does not strictly require that such data be stored inside the EU, but it tightly restricts moving it out: transfers to a non-EU country are allowed only where the European Commission has found that country's protections adequate, or where the exporter puts appropriate safeguards in place, such as standard contractual clauses.

China

Unsurprisingly, China wants to keep a tight grip on its data. Under its Cybersecurity Law, operators of critical information infrastructure must store personal information and "important data" collected in China on domestic servers. Cross-border transfers are possible, but anything the government deems "important" must pass a security assessment first. What the CCP considers important is fairly broad. It includes:

  • Anything related to national security
  • Information that could identify Chinese citizens

As the country embraces Big Data collection on its citizens[2], you can expect the CCP to strengthen these laws.

Russia

The Russian Federation requires any personal identifying information about its citizens to be stored locally. This could mean:

  • Profile data
  • Financial information
  • Medical and health records

Interestingly, as long as companies initially stored the data in a Russian database, they can send it out of the country for further processing.

Their regulations don’t only apply to domestic organizations. Anyone doing business in the country is subject to the law, so multinational corporations there must have Russia-specific data centers.

These three regions alone account for over a quarter of the world’s population, and there are many more countries with data localization laws.  So, it’s pretty widespread. But what’s the United States’ opinion on the matter?

The United States viewpoint

The United States’ general belief is that data residency laws unduly stifle commerce and don’t offer the expected benefits. Analysts estimate half of the services trade depends on cross-border data flows[3]. With the United States being a service-dominant economy, it makes sense the government would oppose such regulation.

And oppose it, they have! In fact, it has been a point of contention in nearly all of its recent trade deal negotiations, though the EU and Korea have pushed back on outright bans. The USMCA, the North American trade agreement replacing NAFTA, formally prohibits the practice as a condition of doing business[4]. There are similar provisions in the U.S.-Japan Digital Trade Agreement[5] and the U.S.-Kenya Trade Agreement of 2020[6].

So, what are the downsides of data localization that countries like the United States want to avoid?

Technical issues

There is a multitude of technical headaches accompanying data localization. For instance, what if tech personnel in other countries access it regularly for debugging or maintenance purposes? Or, a company uses foreign backup databases for redundancy?

It’s challenging to build separate data centers in all applicable territories, even for large companies with sizable revenues. That makes it downright impossible for even the pluckiest startup to consider. But that should open up markets for smaller, domestic companies, right?

Lack of domestic stimulus

Unfortunately, significant job growth does not follow from data localization. There are short-term construction jobs if the data center requires a new building. After that, however, jobs are scarce, because the modern data center is mostly automated. The CBRE's Data Center Solutions Group estimates that the average data center results in between 5 and 30 permanent, full-time positions[7]. Given the investment required to implement data residency, it hardly seems worth it on employment grounds.

Privacy and security

Well, it has to be more secure and offer more data protection, though! That’s the biggest piece of the benefit pie. Not so fast.

In reality, the opposite appears to be true. Regarding privacy, you'd hope that housing data in the country of origin would benefit the citizens. But think back to some of the countries passing data localization laws. Is a full data set of personal information housed in a single jurisdiction good for the people in China? Or Russia? Very debatable. These nations are already surveillance states. Any data housed within their borders is under the control of their authoritarian governments.

Cybersecurity is another issue where expectations don’t match up with the real-world. Consider that these implementations aren’t in a vacuum and that they’ll inevitably cost a significant amount of money. That’s money the company will need to divert from other areas of the business. Cybersecurity could be one of those areas.

Additionally, data residency concentrates a country's full data set in a handful of locations. That makes those sites high-value targets and means a single successful breach can expose everything, so the result could be more damaging data breaches, not fewer.

So, paradoxically, data localization could make it easier for state-sponsored threat actors to carry out successful attacks. Combined with the economic inefficiencies, privacy concerns, and technical problems, it becomes plain to see that decentralization is a better path forward. Companies can employ other, less-expensive methods such as end-to-end encryption to protect sensitive information.

The AXEL Network

The AXEL Network is a decentralized, distributed system of servers backed by blockchain technology and the InterPlanetary File System. It gives users a secure, private way to share and store files on the internet. With server nodes located throughout the world, the AXEL Network offers both resiliency and performance. AXEL Go is the next-generation file-sharing platform built on the AXEL Network. It combines all of the advantages listed above with optional AES 256-bit encryption to provide exceptional privacy and security. Download it today for Windows, Mac, Android, or iOS and receive a free 14-day trial of our unrestricted Premium service. Enjoy the power of a decentralized, distributed network.

 

[1] Jonah Force Hill, "The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Business Leaders", ResearchGate, Jan. 2014, https://www.researchgate.net/publication/272306764_The_Growth_of_Data_Localization_Post-Snowden_Analysis_and_Recommendations_for_US_Policymakers_and_Business_Leaders

[2] Grady McGregor, “The world’s largest surveillance system is growing- and so is the backlash”, Fortune, Nov. 3, 2020, https://fortune.com/2020/11/03/china-surveillance-system-backlash-worlds-largest/

[3] United States International Trade Commission, “Global Digital Trade 1: Market Opportunities and Key Foreign Trade Restrictions”, usitc.gov, Aug. 2017, https://www.usitc.gov/publications/332/pub4716_0.pdf

[4] Agam Shah, Jared Council, “USMCA Formalizes Free Flow of Data, Other Tech Issues”, The Wall Street Journal, Jan. 29, 2020, https://www.wsj.com/articles/cios-businesses-to-benefit-from-new-trade-deal-11580340128

[5] “FACT SHEET ON U.S.-Japan Digital Trade Agreement”, Office of the United States Trade Representative, Oct. 2019, https://ustr.gov/about-us/policy-offices/press-office/fact-sheets/2019/october/fact-sheet-us-japan-digital-trade-agreement

[6] ITI, “ITI: U.S.-Kenya Trade Agreement Can Set New Global Benchmark for Digital Trade”, itic.org, Apr. 28, 2020, https://www.itic.org/news-events/news-releases/iti-u-s-kenya-trade-agreement-can-set-new-global-benchmark-for-digital-trade

[7] John Lenio, “The Mystery Impact of Data Centers on Local Economies Revealed”, areadevelopment.com, 2015, https://www.areadevelopment.com/data-centers/Data-Centers-Q1-2015/impact-of-data-center-development-locally-2262766.shtml


Filed Under: Business, Cybersecurity Tagged With: cybersecurity, data localization, national security, Privacy, snowden

February 18, 2021

Here’s Why Free Software Can Be a Poison Pill

There was a time when consumer expectations did not demand software be free. Sure, there has always been freeware, but it wasn’t the norm. If someone in the 1980s wanted a word processor, they expected to pay for it!

Today, these expectations have flipped. Why would someone pay for software or web services? Social media platforms are free. Big Tech companies like Google offer free alternatives to traditionally-paid programs such as word processors, spreadsheets, and visual presentation software. What’s the harm? The services are high-quality and users aren’t out a dime. It’s a win-win, right? Well, much like your relationship status during college, it’s complicated.

A costly endeavor

The truth is, software development is expensive. It’s always been expensive. And, even with the proliferation of outsourcing, it remains so today. It is a highly specialized skill requiring considerable knowledge and continued education. The median pay for a developer in the United States was over $107,000 in 2019[1]. Prices for outsourced developers vary by country but expect to pay around $30,000 a year for quality work[2]. Many development teams employ a mixture of domestic and foreign help.

Unlike the 80s, where a small team could complete programs in a basement, now larger units are necessary to deal with the complexities of modern computing. Big Tech’s full-featured products certainly require these sizeable teams of high-cost developers. Their offerings also typically need massive investments in physical infrastructure to keep the services running for millions of potential users. Knowing all this, how do they provide the end products for free? Out of the goodness of the shareholders’ hearts?

The tradeoff

Unsurprisingly, no. Big Tech companies are some of the largest businesses in the world, with billions in yearly revenue. The "free" apps and services they provide do require a form of payment: your personal data. As the saying goes, "If you aren't paying for the product, you are the product."

Today, tech megacorporations collect an absurd amount of data on their users (and in Facebook’s case, even non-users[3].)  The data they find most useful usually falls into the following categories:

  • Email receipts. Who people email consistently can be a wealth of information for data miners.
  • Web activity. Big Tech wants to know which sites everyone visits, how long they stay there, and a host of other browsing metrics. They track across websites, analyze likes and dislikes, and even assess mouse cursor movement.
  • Geolocation. When tracking internet activity isn't invasive enough, many companies evaluate where people go in the real world. Most don't realize that their phones' GPS sensors aren't used strictly for directions to their aunt's new house.
  • Credit card transactions. Purchase records outline a person’s spending habits. Since the entire point of collecting all of this data is to squeeze money out of the user in other ways, this info is extremely valuable.

Imagine the models companies can create of their users, given all of that information. They use these models to personalize advertisements across their platforms. Advertisements more likely to result in sales mean more revenue, so they have an incentive to collect as much data as possible. But that’s not the only way they monetize personal information. Many sell it to third-parties too. Are you creeped out yet?

Alternative data providers

Organizations called ‘alternative data providers’ buy up all of this information, repackage it, and sell it off to whoever wants it (usually financial institutions looking to gain broad insights about the direction of a given market.)

As of 2020, there are over 450 alternative data providers[4], and what happens to your information after they get their hands on it is about as opaque as it gets. This is especially the case in the United States, as there are no federal privacy laws that set clear expectations regarding personal data sales and stewardship. However, there is hope with the passing of California’s new privacy law that Congress will finally tackle the subject.

Privacy policies

One way consumers can stay informed about an organization’s data collection guidelines is to read through its privacy policy and terms of service agreement. There, they can find general information about their practices. Unfortunately, organizations seldom list the specifics (i.e., which companies do they share with or sell the data to, etc.) These documents also tend to be excessively long and filled with confusing legalese. It makes it difficult to extract even basic information and leads to a frustrating user experience.

It’s no wonder that according to a Pew Research survey, only 22% of Americans read privacy policies “always” or “often” before agreeing to them[5]. Most just hit accept without a second thought. We recommend always looking into a company’s privacy policy and terms of service before using their products. If you don’t want to slog through the jargon, try out ToS;dr, a website that breaks down these documents into readable summaries. They also give Big Tech companies “privacy grades” based on what they find. A few examples include: (note: “E” is the lowest grade)

  • Facebook – E. Big surprise here. The company that stores data, whether the person has an account or not, did not score well.
  • Amazon – E. Although online retail is their bread and butter, Amazon also dabbles in providing free apps and services such as the Kindle App. They track people across websites and sell consumer data to third parties, among other egregious tactics.
  • Google – E. Google collects biometric data, shares info with third parties, retains data after erasure requests, and much more.

Search for your favorite social media platform or Big Tech service and see how it stacks up. Spoiler alert: probably not very well.

Another consideration

Open source projects have a poor reputation for cybersecurity since the developers are unpaid and less motivated to provide reliable support. Conversely, free Big Tech products typically get a pass on those risks. After all, their software is well-funded and receives developer support throughout its entire lifespan. That view glosses over a few crucial points, though.

First, large tech corporations benefit immensely from a built-in following and the integrated marketing apparatuses at their disposal. This attracts a significantly higher baseline of users for any given service than a startup’s equivalent solution.  These massive user bases attract cybercriminals.

This leads to the second point; while these companies support their products and offer cybersecurity patches regularly, there will always be vulnerabilities. The services almost always run on centralized server farms, making for an enormous attack surface. And the products with the most users will always be the primary targets for phishing scams. So, it’s kind of a paradox. More marketing, support, and users lead to more attacks.

File sharing app examples

There are countless examples of vulnerabilities found in Big Tech apps and services, but here are a few examples in the file-sharing sector:

Google Drive: In the fall of 2020, scammers abused Google Drive's sharing and notification features to push emails and notifications to users[6]. The messages carried links to malicious sites. The campaign reached hundreds of thousands of users.

Microsoft OneDrive: Although not officially breached, in April 2020 Microsoft disclosed a critical vulnerability in the OneDrive client for Windows[7]. It quickly released a fix, but it is unknown whether attackers knew about the flaw beforehand or went after unpatched systems once Microsoft disclosed it.

Dropbox: In 2012, an attacker obtained the login credentials of over 68 million Dropbox users, and the data set later circulated on the Dark Web. As if this weren't bad enough, the full scale of the breach did not become public until 2016, four years later. During that time, nearly 70 million users were at risk without knowing it.

ShareIt: This platform may be lesser-known in the United States, but it claims 1.8 billion users worldwide and is very popular throughout Asia and Russia. A recent security audit found critical vulnerabilities that could let attackers steal sensitive data[8]. Its website doesn't even default to HTTPS, which suggests security is not a priority for the development team.

In conclusion, free platforms from multibillion-dollar corporations can be dangerous from both data collection and cybersecurity standpoints. Consumers should do their research and consider paying a small fee for privacy and security-focused competitors.

AXEL Go

AXEL is dedicated to giving data custody back to the user. We never sell personal information to third parties or mine accounts. Our file-sharing application, AXEL Go, utilizes blockchain technology, the InterPlanetary File System, and AES 256-bit encryption to provide the most secure cloud-sharing experience in the industry.

Sign up for AXEL Go and receive a free 14-day trial of our Premium service. Premium accounts receive five times more online storage than the Basic account, along with more security options and no restrictions on file sizes. After the trial, users pay $9.99/month to continue the Premium service or downgrade to the Basic account. So, stop worrying and share your documents securely with AXEL Go.


[1] “Occupational Outlook Handbook: Software Developers”, U.S. Bureau of Labor Statistics, 2019, https://www.bls.gov/ooh/computer-and-information-technology/software-developers.htm

[2] Julia Kravchenko, “How Much Does It Cost to Hire Developers: Software Developer Salary Guide 2018”, Hackernoon.com, March 12, 2018, https://hackernoon.com/how-much-does-it-cost-to-hire-developer-software-developer-salary-guide-2018-590fb9e1af2d

[3] Kurt Wagner, “This is how Facebook collects data on you even if you don’t have an account”, Vox, April 20, 2018, https://www.vox.com/2018/4/20/17254312/facebook-shadow-profiles-data-collection-non-users-mark-zuckerberg

[4] Rani Molla, “Why your free software is never free”, Vox, Jan. 29, 2020, https://www.vox.com/recode/2020/1/29/21111848/free-software-privacy-alternative-data

[5] Brooke Auxier, Lee Rainie, Monica Anderson, Andrew Perrin, Madhu Kumar, Erica Turner, “Americans and Privacy: Concerned, Confused And Feeling Lack Of Control Over Their Personal Information”, Pew Research Center, Nov. 15, 2019, https://www.pewresearch.org/internet/2019/11/15/americans-attitudes-and-experiences-with-privacy-policies-and-laws/

[6] Lindsey O’Donnell, “Scammers Abuse Google Drive to Send Malicious Links”, threatpost, Nov. 2, 2020, https://threatpost.com/scammers-google-drive-malicious-links/160832/

[7] Davey Winder, “Windows OneDrive Security Vulnerability Confirmed: All You Need To Know”, Apr. 15, 2020, https://www.forbes.com/sites/daveywinder/2020/04/15/windows-onedrive-security-vulnerability-confirmed-all-you-need-to-know/?sh=517e144b6fa3

[8] Ron Amadeo, “’ShareIt’ Android app with over a billion downloads is a security nightmare”, ars Technica, Feb. 16, 2021, https://arstechnica.com/gadgets/2021/02/shareit-android-app-with-over-a-billion-downloads-is-a-security-nightmare/


Filed Under: Business, Cybersecurity, Tech Tagged With: big data, big tech, data collection, data privacy, free software, freeware, Privacy


© Copyright 2024 Axel ®. All Rights Reserved.