Category: Secure Email

Late last week, CareFirst BlueCross BlueShield said that it was the victim of a data breach which potentially exposed the personal information of 6,800 of its members including names, member identification numbers and dates of birth. In eight cases, social security numbers could have been exposed.

CareFirst believes the breach was the result of an email “phishing” scheme. Phishing attacks use deceptive emails and websites to convince people to disclose personal information. Phishing has become one of the most pervasive problems facing data security staffs today. Generally speaking, a basic phishing attack is relatively easy to conduct and inexpensive for the attacker.

Our Checklist:

When you are going through your email and before you click that link, consider these rules of thumb before opening or clicking any links.

  1. Does the email ask for personal or sensitive information, such as your date of birth, Social Security number, an account number or login credentials? Most legitimate businesses do not request such data in an email.
  2. Does the email asks you to click on a link to access a web site? If so, that site might be fake.
  3. Does the email have a generic salutation rather than your name? Your bank or service provider know who you are and normally will address you by name.
  4. Does the email have an attachment? If you are not expecting an attachment, don’t click on it. Confirm its validity first with the sender.
  5. When you move your mouse over the email, is the entire email a hyperlink? If so, it likely is a phishing attack.
  6. If the email makes an offer too good to be true, such as a large sum of money, a prepaid gift card or an expensive piece of electronics for free, it’s likely a phishing attack.
  7. Be careful of emails that make an emotional plea while asking for money. While many charities use such tactics, it also is a popular approach used by phishers.
  8. If the email claims you have an immediate problem, such as a virus or that you are running out of email storage space, and you must take immediate action, be careful. This is a common phishing tactic.
  9. If the email makes a direct threat and requires that you take immediate action by clicking a link for the IRS, a police agency or the like, it’s probably fake.
  10. An email might appear to be from a friend asking for money. Never send money without calling the friend first to confirm the request.

Find out just where you are with your tech. Technology should never be considered a “set it and forget it” part of your business. It takes constant tweaking, monitoring and maintenance to make your system reliable. You should strongly consider having a formal IT Security Assessment performed on your system no matter how large or small your business is as these formal scans can give you an excellent chance to find out just where you have vulnerabilities.

We can assist you with any of the above protection measures mentioned above. It is far less costly to be proactive than it is to be reactive. NOW is the time to find out, not later or even worse… after!

Ransomware is a type of malware that prevents or limits users from accessing their system or data. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to unlock their data.

Users may encounter this threat through a variety of ways. Ransomware can be downloaded by users by visiting malicious websites. It can also be downloaded by other malware. Some ransomware are delivered as attachments to spammed email. Once executed in the system, a ransomware can either lock the computer screen or encrypt predetermined files with a password. Once infected, the malware shows the instructions on how users can pay for the ransom. The second type of ransomware locks files like documents, spreadsheets and other important files.

Attackers may use one of several different approaches to extort money from their victims:

  • After a victim discovers he cannot open a file, he receives an email ransom note demanding a relatively small amount of money in exchange for a private key. The attacker warns that if the ransom is not paid by a certain date, the private key will be destroyed and the data will be lost forever. These ransoms are often required to be paid in hard-to-trace Internet currency.
  • The victim is tricked into believing he is the subject of a police investigation. After being informed that unlicensed software or illegal web content has been found on his computer, the victim is given instructions for how to pay an electronic fine.
  • The malware encrypts the victim’s data but does nothing else. In this approach, the data kidnapper anticipates that the victim will look on the Internet for how to fix the problem and makes money by selling anti-ransomware software on legitimate websites.

Security companies first identified the CryptoLocker attacks in September 2013, believe that the virus struck 250,000 computers in its first 100 days. Other security researchers believe the latest versions of ransomware were created by hackers in Eastern Europe and Russia. The hackers conceal their identities by deploying the virus through the dark web. The dark web, an unindexed arm of the Internet, allows users to bounce their communications through multiple computer servers to make them nearly impossible to trace.

The hacker infects computers by sending tainted e-mails that appear to come from the FBI, local police agencies or package delivery services such as UPS and FedEx, or in PDF attachments. When the user opens the e-mail or file, the virus infects the PC. The hacker will also implant the viruses on websites, then try to lure people there, often with pornography or the promise of free items.

The best way to combat a CryptoLocker virus or other ransomware is to establish a line of defense by using paid-for security software from a reliable security software vendor. Keep both the application and virus definition lists up to date. Virus definitions are the lists of malware and viruses that the program knows how to address. Using a spam-blocking software or spam hardware device will limit the amount of tainted emails that reach your inbox in the first place.

Last, but certainly not least, always make multiple copies of your data. The best way to recover from a ransomware virus is not to give in and pay the ransom, but rather wipe the hard drive of the infected machines, reload, and then restore the data. Sometimes having principals and not paying the ransom is not the easiest way, but it’s the best way!

Infoencrypt is a free, web-based service for easily securing your messages. Simply enter the text of your message and the encryption password that will be used for both encryption and decryption. The program encrypts your message using a strong encryption algorithm, making it secure to send. Anyone who intercepts the encrypted message without the password will not be able to read the original message.

SafeGmail is a free extension for Google Chrome that allows you to send encrypted emails to anyone. The messages are encrypted and decrypted within the browser and remain encrypted in both the sender’s and receiver’s email inboxes. The messages also automatically expire after a random amount of time.

RMail allows you to easily send emails with end-to-end security and compliance. Send encrypted email from your current email address (10 free messages allowed per month) and automatically receive a Registered Receipt™ record proving encrypted delivery and compliance with open tracking.

Sendinc is a web-based service that makes it safe and simple to transmit sensitive information via email. You and your recipients can use Sendinc for free. No software is required.

Sendinc secures your message by ensuring that your data remains encrypted from the time it leaves your computer through the time your recipients retrieve it. At no point in the process is your message data transmitted or stored in an unencrypted format. Sendinc further ensures the safety of your messages by verifying your recipients are in fact your intended recipients.

Messages are encrypted with a powerful randomly-generated encryption key that is emailed to your recipients in the form of a link. Sendinc does not save a copy of your recipients’ encryption keys and your message can not be decrypted without the key – not even by Sendinc. This means only your recipients can decode the message data.

Hushmail is a secure web-based free email service that looks and feels just like any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying eyes. It uses standards-compliant encryption and provides mobile access (Android, iPhone, BlackBerry, etc.).

Lockbin is a free web application for sending private email messages and files. Lockbin ends message persistence, which means your email message will not be backed up on email servers or stored in backup files. Network sniffers can also spy on your email traffic while in transit. Use Lockbin to obscure the content of your message and avoid these hazards to your privacy.

No registration is required to use Lockbin. Your message and file attachments are protected by strong AES-256 bit encryption and your secret password. You invent the password and deliver it to the recipient using a different secure method, not email.

iSafeguard is a software package that provides easy-to-use and highly secure encryption and digital signature solutions for everyone from big companies to individual users. The software allows you to sign and encrypt files, folders, and emails and verify digital signatures and countersignatures. It provides a secure text editor and allows you to wipe files, folders, and free disk space. It also integrates with the Windows shell.

The freeware edition of their software is for non-business, individual users. Although it lacks some of the features the enterprise and professional editions have it does provide powerful encryption and digital signatures capabilities, and security is as strong as the enterprise and professional editions.

Hushmail is a secure web-based free email service that looks and feels just like any other web-mail site, but adds strong encryption to your emails to protect your secrets from prying eyes. It uses standards-compliant encryption and provides mobile access (Android, iPhone, BlackBerry, etc.).

Paid plans are also available that provide additional storage, unlimited email aliases, dedicated technical support, and desktop access.

Crypto Anywhere
Crypto Anywhere is a program that is small enough to fit on a USB flash drive, providing free secure email on the go. Don’t have a computer yourself but want to protect your web based e-mail at your local internet cafe? Crypto Anywhere is for you. If you run Crypto Anywhere from a USB flash drive, you can encrypt your email without even installing software on your workstation. With Crypto Anywhere you can send and receive secure email to and from anyone with an email account – the recipients do not have to have Crypto Anywhere themselves.

Crypto Anywhere is free for personal and corporate use.

The information is the blog post was accumulated from multiple sources but especially