Email Clients

LOQMail 2.2: Secure email to anyone

One of the great features we added last fall was a “read only” function. This allowed subscribers of our service to send secure messages and attachments to any email address. The benefits of this feature were twofold.

1) It enhanced the value of the LOQMail service to subscribers by giving them the power to be compliant and secure in any of their transmissions sent with LOQMail to any email address.

2) It provided non-subscribers a way to get secure emails without becoming full subscribers and installing our client software.

After the initial rollout we decided to provide even more value with a “reply once” feature for read only messages. Today we announced this version of LOQMail 2.2, which gives people who receive secure email messages and documents the ability to “reply” to that message securely. Again, this is for people who are outside of the normal “LOQMail environment” and can be at any email address. While this feature might seem like a simple task, it was quite an engineering feat by our development team to provide this simple usability with robust security.

From our initial beta tests with clients we found these features to be a smashing success! They meet a number of needs for LOQMail clients. For example, during tax season, we saw the traffic of “read only” messages going to external users skyrocket. CPAs could send tax returns securely to users and ensure that the confidential information was sent safely, securely and compliantly.

There have been a number of other “extreme-use case” scenarios that we have uncovered for our technology.  We will be making some additional announcements and sharing these with you in the weeks to come.  Until then, I recommend you give our LOQMail product a try and see how it can help you communicate with confidence.

Posted in Accounting, Current Topics, Encryption, Privacy, Security, Taxes

Former CIA Director: Build a new Internet with “.SECURE” network to improve cybersecurity

Fox News and NextGov have reported that General Michael Hayden, the former CIA chief during the Bush administration, stated that we must consider creating a new Internet infrastructure to reduce the threat of cyber-attacks.

The article states, “Several current federal officials, including U.S. Cyber Command chief Gen. Keith Alexander, also have floated the concept of a “.secure” network for critical services such as banking that would be walled off from the public Web. Unlike .com, .xxx and other new domains now proliferating the Internet, .secure would require visitors to use certified credentials for entry and would do away with users’ Fourth Amendment rights to privacy.”

Today, WebLOQ offers .SECURE domains and email extensions, like mine, smith@WebLOQ.secure. While this may seem extreme to some, those who have experienced cybercrimes and homeland security officials see it as a measure to protect ourselves against internet threats. Many cannot fathom giving up their Fourth Amendment rights until they have become victims of a cyber-attack: losing their identity, reputation and money. It is human nature to believe that it is not a problem until it impacts you personally.

WebLOQ has known since its inception that eventually the idea of total anonymity and the lack of privacy as the internet is currently constructed could escalate into a huge problem.  Cybercrime is now being reported as possibly the largest crime wave the world has ever seen.

Not long ago we teamed with Network Solutions and created a joint website at www.loqmail.com. This site offers exactly the type of protection that General Hayden and General Keith Alexander are speaking about, and you can sign up today to register a .SECURE domain and email. Once you become a LOQMail subscriber, you have become a member of a .secure community where everyone is known and accountable for their identity, email, and actions.

Posted in Current Topics, Cybercrime, Encryption, Government, Privacy, Regulation, Security

Lessons Learned from the I.M.F. Cyber-Attack: Virtual Private Community is a Solution

The United States is seriously concerned about cyber-attacks and is prepared to use force against those it considers acts of war, Defense Secretary Robert Gates said at a security meeting in Asia last week.

On Monday, the New York Times reported that the attack on the International Monetary Fund (I.M.F.), “would have probably been made using a technique known as ‘spear phishing’. This is where an individual is tricked into clicking on a link in an email that runs a program, allowing a hacker to access their computer.”

The cyber-attack started from an email link that then distributed the virus to other I.M.F. computers. I.M.F. employees were told not to open email unless they are from a known source.  But how does an average email user verify that the sender isn’t someone who has stolen the real sender’s identity?

As long as organizations and companies continue to use email to send and receive sensitive information without taking the necessary steps to ensure security, hackers will have their way. A single email can provide a hacker an opening into a company to launch an attack and compromise a whole corporation. 

Many larger entities use Virtual Private Networks (VPNs) to protect their email communication. But they are costly, time consuming to install and hard to maintain. Additionally, it can be difficult to protect an entire organization with VPNs alone because of the necessity for all important email to be sent through a VPN. The challenge arises when a message is sent outside of a company to a partner, customer or supplier (not through a VPN), where VPN use can be difficult to deploy and enforce.

There is a simple, inexpensive method that can be implemented in lieu of VPNs.  We refer to this method as a Virtual Private Community or VPC. A VPC has several attributes that make it a smart choice:

  1. VPCs can either be hosted externally or self-hosted internally
  2. A VPC is self-administered by an organization
  3. The VPC can be extended to include suppliers, vendors, patients, agents, customers or anyone the system administrator chooses to enroll into the community
  4. All communication within the VPC is encrypted at the sender’s computer and then sent through an encrypted tunnel to the recipient’s computer
  5. Each email has a tracking number assigned to it very much like a FedEx or UPS package.  The entire chain of custody can be traced with all sent, received and forwarded emails
  6. A VPC is inexpensive, quick to deploy, and easy to maintain
  7. Users may install the solution on multiple devices

 

Recent news has highlighted cyber-attacks against Sony, Lockheed Martin, Google and other notable companies. Just think about the many others that have not yet discovered that they have been compromised or have chosen to cover it up to save face and not lose credibility.

CIA Director Leon Panetta recently said that the next war against the US will most likely be a cyber-war. “The next Pearl Harbor we confront could very well be a cyber-attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.”

Posted in Breach, Current Topics, Encryption, Government, Privacy, Regulation, Security

Beyond the Firewall: There’s danger waiting for the unprepared!

As you may have heard by now, influential government employees have had their Gmail accounts hacked. Government officials were quick to note that no accounts were compromised; however, the incident has raised concerns among lawmakers that sensitive information could have been compromised especially if White House staffers or others were using their Gmail accounts to conduct business.

It is beyond belief that senior U.S. government officials, military personnel and political activists would be so naïve as to use their personal Gmail account to transmit sensitive information. But this incident is not a rarity; rather, it is commonplace for those communicating beyond the safe harbor of the corporate firewall to conduct business in this manner.

Being in the Internet security business, I have found that it is extremely difficult for most email users to want to voluntarily protect themselves because they don’t understand the dangers of sending sensitive information unencrypted.  This may partly be because of the following:

  1. Encryption solutions in the past have been hard to use especially for the average non-technical person and the inherent complexity has dissuaded many from ever trying to implement encryption solutions.
  2. Most users have never been seriously compromised and they believe that it will never happen to them.  A similar analogy can be drawn to the person who refuses to buy health insurance because they don’t think they will get sick.
  3. Encryption has mainly been accessible to larger corporations with large budgets leaving smaller companies and individuals unprotected because of cost barriers.

Times are changing quickly and the bad guys in many cases are better equipped and more agile than those working to protect us. So we need to wake up and not be complacent and quit thinking we can continue to do business as usual. No matter who you are or where you work, as long as you continue to send unencrypted sensitive email you are susceptible to becoming a victim of an Internet crime.

Hopefully, as more stories emerge about the dangers of sending sensitive documents unencrypted, users will begin to see the light and become proactive and deploy encryption solutions.  In order for this to happen the solution must be easy to use, inexpensive and will not require the user to change their existing work habits.

Posted in Breach, Current Topics, Encryption, Government, Privacy, Regulation, Security

Hack into Gmail Highlights Web-based Email Vulnerabilities

Today Google acknowledged that for the second time in 17 months, a high-tech scheme based in China has broken into Gmail accounts. The accounts broken into in the attack included those of U.S. government officials, military personnel and political activists. The Chinese government has denied any involvement in the phishing attack and Google has not accused the government of involvement, stating rather that the attack “originated” in China.

The breach was discovered by Mila Parkour, a security researcher who alerted Google to a problem that had been going on for at least a year. The “spear phishing” attack included gaining access to the email accounts, then using information discovered in the personal accounts as bait to solicit more information in future emails.

In an Associated Press article, Parkour said, “the ruse served as a reminder of the security weaknesses of Web-based email services such as Google’s.”

It is astonishing that U.S. government officials and military personnel would use Gmail as a means for communications.  While web-based email can be convenient for accessing messages from various points, it is vulnerable and susceptible to being compromised.

WebLOQ combats these weaknesses in a couple of ways with a suite of products:

  • First, our core technology and LOQMail product automatically applies dual-layer encryption to the entire message, header and body.
  • Second, if a portable delivery system is what is needed, the LOQMail Portable allows the same encryption/decryption client to be installed on USB devices. Emails and attachments are routed through the LOQMail secure channels to anywhere in the world, and are automatically protected using LOQMail’s industry standard, double-encryption methodologies.

While we are not advocates of hacks and attacks, we hope that people, companies and government organizations learn from their experiences.  While Web-based email might seem like it is “free”, it can actually end up costing all of us a lot more.

Posted in Breach, Current Topics, Encryption, Government, Security

The Epsilon Breach is a Small Part of a Bigger Problem

The Epsilon breach of March 30 will no doubt have many consequences. The least of which is an expected increase in the effectiveness of targeted spam campaigns. However, if the millions of compromised addresses were indeed nothing more than a name and email address, then there is a good chance the spammers won’t be very interested.

The spammer’s life blood is large quantities of email addresses harvested from the open Internet. Any script kiddie in his teens can get all the malicious software he needs from the open Internet to harvest addresses at will. He purloins the addresses for free and can launch a spam or other campaign easily. If the Epsilon invaders had also harvested related company data, or email content, then this breach would have been far worse. Then the fraudsters could target a spear phishing campaign (going after identified individuals with counterfeit web sites that imitate legitimate relationships). They apparently did not get more than a name and address, so the malware value of this particular breach is minimal.

The PR damage to Epsilon and the companies whose files were compromised is probably the larger issue. It adds fuel to the bad rap that standard email has, but it will hopefully increase the need for business email that cannot be so easily compromised. There are many things about ordinary email that are just plain wrong. It operates in the clear, it uses the grand-daddy of all malware enablers, the public DNS – it offers no authentication or attribution – and it operates in the protocol layer where management oversight is impossible.

This, of course, leads us to the shameless plug for LOQMail. If the hijacked addresses were LOQMail addresses they would be useless without a LOQMail account. Such an account has protective mechanisms that would render a malware campaign ineffective, and the offender could be simply shut off. In short, the LOQMail space is protected end-to-end, is indeed private, and the addresses used are not routable under standard protocols. Of the many thousands of LOQMail messages sent over the past few years, there have been zero incidents of malware, quarantined files, junk, bots, or anything other than legitimate emails. And, if the hackers had gotten into the LOQMail servers, there is nothing there they could get.

Services like Epsilon need a wakeup call. When their customers demand better email services, then a new level of email, with privacy, attribution, security – as well as tracking and reporting – is the answer.

Posted in Breach, Current Topics, Encryption, Privacy, Security, Uncategorized

Your Online Privacy and Email Privacy

This week the Wall Street Journal continued its comprehensive series on internet privacy.  This has been eye-opening to many that are just now beginning to discover all of the information that is being amassed about all of us in our daily, connected lives.

Of particular interest to WebLOQ is the term “privacy” that has been part of our mantra for our email product LOQMail since the beginning. (The other two major tenets are around “security” and “compliance”.)

The Journal’s article, “The Market for Online Privacy,” provides readers with information about start-up companies and those such as “Microsoft Corp., McAfee Inc.—and even some online-tracking companies themselves—that are rolling out new ways to protect users from having their movements monitored online.” While not discussed in the article, let’s talk about the ways in which LOQMail can protect your privacy.

First, if you are a user of webhosted free mail services (e.g. Gmail, Hotmail, Yahoo, etc.) you are subject to being tracked and monitored by being on the website. The business model that these companies employ includes giving you “free” service that is based on collecting information on usage patterns and trends and selling that information to marketing and advertising companies. Ever wonder how that ad framing your email seems so pertinent? It is because you have been sharing with them what your interests, likes and dislikes are.

Now, I don’t want to start a panic and say that these companies are reading your email – that would be a major privacy breach – but what are some of the other types of data attributes that might be of interest to marketers about your email use?  These are valuable data points that could help build user and cohort profiles just like web click-streams.  For example:

1) How many emails do you send and receive per day?

A marketer could determine whether you use this account for business or for personal use.

2) What is the data volume and size of the email you send and receive?

This is another attribute that could help determine more about you based on your particular usage.

3) In what geographic locations are the servers and IP addresses of the people you exchange email with?

Are you interested in offers from a geographic region, since you seem to be communicating with an IP address that is based in Scottsdale? Are you interested in a hotel package?

4) What devices access the email account?

As different IP addresses connect to the email account to send and receive email, they reveal more about the user type and level of technical sophistication.

5) What time of day and days of the week does your email pattern follow?

Email during the day indicates that the account is used for business purposes, while email at night could indicate it is a personal account.

6) What types of file attachments do you send?

Are you sending .PDF attachments or JPEG pictures? If I knew you sent a lot of pictures, you might be interested in photo sharing software and services.
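All six data points can be read from the headers and MIME structure of a standard message without ever opening the body, which is why encrypting only the body leaves them exposed. The following is an added example, not code from the original post or from WebLOQ. The sample messages, host names and addresses are constructed, and using the `X-Mailer` header as the device signal is an assumption of this sketch.

```python
import os
import re
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample messages: example.* names and RFC 5737 documentation IPs.
# Bodies are placeholders; profile() never reads them.
SAMPLES = [
"""\
Received: from mail.example.net ([203.0.113.7]) by mx.example.com; Mon, 6 Jun 2011 09:15:02 -0700
Date: Mon, 6 Jun 2011 09:15:00 -0700
From: alice@example.net
To: bob@example.com
X-Mailer: ExampleDesktopMail 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

[encrypted body placeholder]
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="return.pdf"

[attachment bytes placeholder]
--b1--
""",
"""\
Received: from mobile.example.org ([198.51.100.23]) by mx.example.com; Mon, 6 Jun 2011 21:40:03 -0700
Date: Mon, 6 Jun 2011 21:40:00 -0700
X-Mailer: ExamplePhoneMail 2.3
Content-Type: image/jpeg
Content-Disposition: attachment; filename="photo.JPG"

[attachment bytes placeholder]
""",
"""\
Received: from mail.example.net ([203.0.113.7]) by mx.example.com; Tue, 7 Jun 2011 10:05:01 -0700
Date: Tue, 7 Jun 2011 10:05:00 -0700
X-Mailer: ExampleDesktopMail 1.0
Content-Type: text/plain

[encrypted body placeholder]
""",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def profile(raw_messages):
    """Summarise what headers and MIME structure alone reveal about a mailbox."""
    per_day, time_of_day, relay_ips = Counter(), Counter(), Counter()
    clients, attachment_types = Counter(), Counter()
    total_bytes = 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        total_bytes += len(raw.encode("utf-8"))            # 2) volume and size
        sent = parsedate_to_datetime(msg["Date"])
        per_day[sent.date().isoformat()] += 1              # 1) messages per day
        slot = "business" if 8 <= sent.hour < 18 else "after-hours"
        time_of_day[slot] += 1                             # 5) time-of-day pattern
        for hop in msg.get_all("Received", []):
            relay_ips.update(IP_RE.findall(hop))           # 3) relay IPs (geolocatable)
        clients[msg.get("X-Mailer", "unknown")] += 1       # 4) device / client
        for part in msg.walk():
            name = part.get_filename()
            if name:                                       # 6) attachment types
                attachment_types[os.path.splitext(name)[1].lower()] += 1
    return {
        "per_day": dict(per_day),
        "time_of_day": dict(time_of_day),
        "relay_ips": dict(relay_ips),
        "clients": dict(clients),
        "attachment_types": dict(attachment_types),
        "total_bytes": total_bytes,
    }


if __name__ == "__main__":
    for key, value in profile(SAMPLES).items():
        print(f"{key}: {value}")
```
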

At WebLOQ, our LOQMail product provides complete privacy.  Your messages are double-encrypted and all information in the message, all attachments and even the message header information (i.e. To, From, Subject) are encrypted and are completely invisible.  Want to stay off the radar and keep your business and personal life private from marketers?  Give LOQMail a try and stay private and secure.

Posted in Breach, Current Topics, Encryption, Marketing, Privacy, Regulation, Security, Software

Email Privacy on Mobile Devices

As the number of mobile devices continues to grow beyond the number of desktops and laptops, many corporations and government agencies have expressed concerns over the privacy of emails and other communications to and from the handheld. All high end mobile devices do offer email in various forms, and there are apps that provide a limited form of encrypted email. However, there are no apps yet that deliver complete end-to-end email privacy between the handheld and the desktop or laptop, regardless of the carrier or type of device.

The main problem with all current mobile encryption solutions, as revealed by the Obama/BlackBerry media blitz, is the single hop encryption that ends when the email reaches a central server. BlackBerry encryption, and all other mobile email encryption apps, fall into this category. The email is indeed encrypted before it leaves the handheld, but when it arrives at the central server, it is decrypted and stored in the clear.
 
To be fair to RIM, if an email sent from a BlackBerry is retrieved onto another BlackBerry, it is re-encrypted and delivered safely (presuming an email stored in the clear at the RIM NOC is safe). However, if the email is to be sent to any other device – a handheld or a laptop or a corporate email service – it leaves the protection of the RIM environment and is delivered in the clear, rendering the initial encryption cycle fairly useless. We are willing to bet that the majority of emails sent from a BlackBerry are retrieved onto a non-BlackBerry device.
 
All the encrypted email apps we have seen for Android, iPhone and the others follow the single encryption hop model. The only benefit is that the email cannot be seen when in transit over the airwaves. But as soon as the email moves beyond to the open Internet, it is as exposed as any ordinary email.
 
This is why we are at work on apps that will add mobile support to the LOQMail solution. As we release these apps they will extend LOQMail privacy, which today provides many industries with end-to-end email privacy, directly to the handheld. Then mobile device emails will become a part of the overall LOQMail fabric: completely secure and private to and from any desktop, laptop, Exchange Server, etc. We will revisit this post as the apps become available.

Posted in Uncategorized

“Health Internet” Sounds Like a LOQMail Private Community

There is a great recap of “Top Healthcare Security Trends for 2011” on Healthcare Info Security. In the article, Dixie Baker, a well-known healthcare information security expert who’s advising federal regulators on policy issues, offers her predictions for the top trends for 2011. Based on her experience and observations it is clear that she is plugged into what is going on in the industry. (Disclosure: I have not met Ms. Baker… but would like to, and to hear more about her industry predictions.)

The two overarching trends she outlines are not surprising: the move to implement electronic health records and the rapid pace by which hospitals and clinics are working to qualify for electronic health record incentive payments under the HITECH Act to comply with HIPAA privacy and security rules.

What really got me excited was the discussion about her comments on:

  • The emergence of a “health Internet” to handle exchange of health information among physicians and hospitals, as well as consumers.
  • The development of privacy and security policies to support emerging business models, such as health information exchanges, personal health records and cloud computing. 

These are exactly the types of applications that LOQMail is being utilized for in Healthcare and we see the opportunity growing.

First, a “health Internet” is what our networks of clients are creating today. By using LOQMail to establish private communities, they are able to confidently communicate in a secure and compliant manner. This allows for the safe transfer of patient data, charts and files to and from healthcare, medical and insurance professionals.

Second, the idea of secure “health information exchanges” is definitely a hot topic.  But how will healthcare professionals balance the availability of patient data with secure access?

We have started with step one on this journey this fall, announcing our Portable LOQMail product that can reside on a secure USB.  As we move forward on the next step in this puzzle, we look forward to sharing our progress with you.  And if you have some input to share on your similar journey, we look forward to hearing from you.  Your comments are always welcome.

Posted in Data-in-motion, Encryption, HIPAA, Healthcare, Privacy, Regulation, Security

More Policy and Watchdog Groups? Or Just Better Policy and Security.

I was recently lucky enough to receive the government’s latest concern with my privacy as covered in its publication titled, Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers, Preliminary FTC Staff Report, December 2010. Well, they got part of this right…we are in an era of rapid change.

I found humor in a few of the phrases that the government officials write and speak in their documents. For example, in the summary of their findings it sounds like some of you out there are responsible… and most businesses are just “reckless”.

The FTC’s goal is honorable: to propose a normative framework for how companies should protect consumers’ privacy. But the words are a little askew.  What is “normative”?  It sounds to me that’s exactly what we already have…some do privacy well and some are screwing up and being “reckless”. The norm is what we currently have so I think it would be a good thing to set minimum requirements like a responsible government should do and thereby provide some leadership in this arena.

I also like this quote about privacy included in the FTC Summary… privacy means “the right to be left alone”. Of course, in the real world, and for thousands of years, this has not been the case. So we can forget about modern times being the cause for the need of control over privacy. As far back in time as you wish to go, the local merchant knew what the family down the street was buying in his store. He might even order the next month’s goods in anticipation of those next month’s orders.

Today, the problem is more in the sharing of information and protection of this knowledge than it is a matter of acquiring it to begin with. The bullet points in the FTC Summary bear this out…it’s all about unauthorized sharing (aka: eavesdropping, that’s what it used to be called). I don’t think any of these activities are authorized in our Bill of Rights or the Constitution.

Rather than make the good life even more lucrative for our attorney friends, let’s just ask the consumer a few simple questions:

  • Do you want any of your private information you supplied to this Internet site (or Saver Card, Loyalty Rewards Card, etc.) shared elsewhere? If your answer is no, end of story.
  • If yes, complete the following table as to with whom you want your private information shared. Table to be provided by the entity asking for your private information.

 

This is akin to the Miranda Rights we all have in the law. Companies that don’t abide by a fundamental privacy statement will be exposed to criminal action and hefty fines. We don’t need to be so lucky that we have created another “watchdog” government body to do what each of us can do, which is to take care in what we allow the corner druggist to ask, to know and to share elsewhere.

There are many ways to get to consumer buying habits, trends and projections without the personal knowledge of who we are as individuals. What we are most worried about is how to keep the hackers and data thieves out of our personal data files.  If you want to hear more about how to do just that, then let’s talk.

Posted in Current Topics, Government, Marketing, Privacy, Regulation