Beginning in mid-2015, two Russian-linked cyber actors launched a concerted hacking effort against a variety of political campaigns, nonprofit organizations, and other groups. Both attackers targeted users with a barrage of spear phishing emails, attempting to gain access to their respective networks. Their most famous victim was of course the Democratic National Committee, the breach of which received massive media attention. What garnered less notice, however, was that this spate of cyber intrusions also marked a continuation of a broad effort to breach the networks of American think tanks b ..read more

How to know if your vendor is complying with NIST standards for FIPS 140-2 Defense contractors looking to comply with NIST 800-171 know they need to protect all Controlled Unclassified Information (CUI) both at rest and in transit with FIPS 140-2 validated encryption. And this requirement can extends to not just CUI in contracts but also to all the technology and services they use. Given that CUI represents sensitive defense information, contractors should realize the importance of properly using FIPS 140-2 encryption algorithms, which are the benchmark for effective cryptographic hardware and ..read more

This blog provides overview of end-to-end encryption and how it protects the enterprise. Over the past few years, the vulnerability of social networks like Facebook or messaging apps like Chat has given rise to using end-to-end encrypted platforms to protect communications. Today, platforms like WhatsApp, Signal and PreVeil use end-to-end encryption to protect the exchanges of users’ data. Yet what is end-to-end encryption and how does it work? How does it differ from other forms of data protection and how does end-to-end encryption ensure the protection of data?   This piece will focus o ..read more

Wall Street Journal, Letters to the Editor February 29, 2020   Insecure communication systems let hackers infiltrate executive accounts remotely via phishing attacks or attacks on passwords or even on servers. (“Hackers Aid Rise in Wire Transfer Scam,” Business and Finance, Feb. 24). From there, they can learn and mimic the writing style of the target, and then masquerade as that individual to send digital instructions for wire transfers, file transfers, the sharing of privileged information, or whatever else they please. Your company’s fate is in the hacker’s hands.   It’s high time ..read more

What are MITM attacks and how to prevent them? On the internet, we believe we know who we are communicating with. And, for the most part we are pretty sure when we send a message to a colleague, that it is indeed our colleague who is answering our request. But, can we be sure? Is there an attacker inserting themselves in between our communication and eavesdropping on our conversation?   Only a decade ago, it was not uncommon for attackers to sit on the transmission layer of a conversation and intercept it in order to manipulate the discussion. These became known as Man-In-the-Middle (MITM ..read more

In May of this year, it was reported that a misconfiguration in an Amazon S3 bucket allowed the Magecart cartel to compromise over 17,000 domains. This attack was but one example of many over the past few years. Although errors in the configuration of the relevant business logic settings allowed access to these repositories of information, the recent data leaks point to a larger problem: without the veneer of protection that AWS’ encryption at rest provides, these organizations’ data was almost completely exposed.   Cloud storage offers flexibility and scalability to enterprises, but also ..read more

Verizon’s recent Data Breach Investigations Report (DBIR) notes that company executives are six times more likely than regular employees to be targets of a social engineering attack. Social engineering is often the first step attackers take towards business email compromise (BEC). Last year alone, BEC cost businesses over $1.2 billion in losses.   Companies are clearly looking for a way to protect their executives and avoid damage to the company’s finances and reputation. Sadly, existing solutions are structurally flawed. They are too narrowly focused and only resolve a slice of the prob ..read more

The growth of cloud services has been one of the most disruptive phenomena of the Internet era.  However, even the most popular cloud services (including Yahoo, Gmail, Microsoft Outlook 365, and Dropbox) are vulnerable to attack because their servers operate on unencrypted data.   The move to cloud-based services offers enormous benefits compared with managing these services in-house.  The cloud is scalable, cost-effective, easy to manage, and accessible to a wide range of devices anywhere.   But because cloud services represent a centralized repository of information, they ..read more

End-to-end encryption relies on the use of public and private keys. At PreVeil we often find ourselves explaining the concepts of how public and private keys work when we talk to prospective clients. So, we thought it would be helpful to discuss what these keys are, what they aren’t, and how they work.   The blog below provides a general overview on public and private key pairs rather than an architectural overview of PreVeil. For a detailed understanding of PreVeil’s public-private key architecture, please check out our architectural whitepaper. How private and public keys work Public an ..read more

Last week, Facebook CEO Mark Zuckerberg announced a major strategic shift. His 3200-word missive announced that his company will pivot its messaging applications to privacy-focused chat and ephemeral communications. At the heart of this privacy focus is the use of end-to-end encryption, an advanced security technology by which messages are encrypted on the user’s device. Only the sender and the recipient can access the message. No one else, not even the provider of the messaging service can see the communication.   The rationale behind Facebooks strategic shift was based on Mr. Zuckerberg ..read more