Malware poses a significant threat to our personal information and security. From ransomware to keyloggers, malicious software programs can infiltrate our devices and compromise our most sensitive data, including contact lists. In this post, we’ll explore how malware works, the risks it presents, and the potential consequences of a breach.
What is Malware?
Malware, short for malicious software, is any software designed to harm, exploit, or compromise the functionality of a computer or network. One of the primary goals of many malware types is to steal sensitive information. Here’s how it works:
Malware often enters a device through infected downloads, email attachments, or compromised websites. Users may inadvertently install it by clicking on malicious links or accepting untrustworthy downloads.
Once installed, the malware can access various parts of the system. Spyware, for instance, can monitor keystrokes and capture personal information, while other types may directly search for files containing sensitive data.
Many malware types can scan for contact lists stored on devices, and extract names, phone numbers, and email addresses. This information can then be used for spam, phishing attacks, or sold on the dark web.
In today’s digital world, privacy and security are more important than ever. As we navigate online communications, it’s important to understand how encryption can safeguard our emails. Let’s explore what encryption is, how it works, and why you want to consider using it.
What is Encryption?
When you send an email without encryption, it’s like sending a private message on a postcard – anyone who handles it can read its contents. At its core, encryption works by converting the readable data of an email into a scrambled format. Basically, the contents of that email turn into gibberish so that nobody can read them. The point is to keep the email private while it’s in transit from you to the recipient.
Even though most email services use some form of encryption for data in transit, this is not the same as end-to-end encryption. With end-to-end encryption, only the sender and the recipient can read the message. This method effectively prevents anyone else, including email providers, from accessing the content of your messages.
While many of us might feel that we have little to hide and aren’t overly concerned about others reading our communications, it’s important to understand how our information could be accessed. Encryption helps to safeguard our personal information, which may contain sensitive details about our personal finances, family matters, or other private information.
The Real Cost of Our Digital Communications is Our Privacy.
You’ve been happily using “free” email for years, and haven’t thought much about it. The problem is that it’s not really free. You become the product, and you pay with your privacy. Let’s dive into what it means.
1. Free is not free
With countless services offering “free” email accounts, it’s easy to assume that we can communicate without any cost. But companies that offer free email typically rely on advertising revenue, which means they collect vast amounts of data about our habits, interests, and communications. They use this information to tailor advertising, and that’s how they make money.
Do you use email aliases? Aliases are a great tool that can help protect your identity, reduce spam, and organize your inbox.
Aliases are alternative email addresses that you can use to separate emails. Instead of using the same address for everything, you set up different aliases for online subscriptions, registrations, newsletters, social media, business contacts and so on. Any category that works for you. You can use your main address for friends and family, or create another alias.
All your aliases are set up under your main email account, and mail sent to any of them is delivered to your primary inbox. You can even set up filters so that mail is separated into specific folders in your account.
Not only do aliases give you another layer of anonymity, they also give you control over your information and make online tracking more difficult. Having aliases can help prevent someone hacking your main email account, and helps protect you from phishing attacks. If one of your aliases starts to receive lots of spam, you can easily delete the alias and set up a new one.
When we go online or use apps, we are being tracked. Companies collect our personal data by tracking us across the web sites we visit. They build profiles on us based on our browsing history and online behavior. They want to sell us their products and services, and the more they know about us the better they can use this data to manipulate our behavior.
You know those ads that pop up everywhere after you looked up something? After you’ve looked up a new car, car ads follow you around all day. You research a vacation to Alaska, and travel ads show up everywhere. This is the result of targeted advertising, which is based on data they collected on you. Some call it surveillance capitalism, and it’s big business.
Privacy is about how your data is collected, processed, stored and used. It’s about maintaining control over your personal information and your identity. Privacy isn’t about hiding secrets, it’s about keeping your personal information safe from people who can do harm.
Suddenly you are noticing strange things happening with your email. You’re receiving email messages about login attempts, password resets and two-factor authentication codes, and your friends and family are wondering why you’re sending them weird emails. You can’t even log in to your own email account and you’ve been bumped out of your social media accounts. What is going on? Your email might have been hacked.
Don’t panic… but act quickly. You can minimize a lot of damage if you act fast and methodically.
Because your email is a gateway to all your online accounts, like banking, shopping, social media and streaming, it can potentially be a goldmine for a cyber criminal if they gain access. Here’s what you can do.
There’s an uptick in phishing emails again. Here’s a refresher.
In the past few weeks there have been a series of phishing attacks aimed at a small subset of Runbox customers. The goal of these scams is to trick unsuspecting email users into clicking on malicious web links and entering their Runbox username and password, enabling the scammers to steal their password.
At Runbox we are constantly on guard against phishing attacks against our customers, and here we take a closer look at this increasing problem and some simple steps you can take to protect yourself.
As a summary, ensure that you check:
The From address. Phishing messages almost always come from a random email address that does not match our list of Official Runbox Email Addresses.
The message addresses you by name. Scammers typically only have lists of email addresses without any first or last names, so if the message does not address you by your first and last name it is likely to be a scam.
The legitimacy of any email with links. Check where the link will actually take you. Hover over it with your mouse, and you can see whether it will in fact take you to some random address not associated with Runbox at all.
Any false urgency. Runbox will never pressure you to act suddenly. Scammers may try to create a sense of urgency to persuade you to do what they’re asking.
What is phishing?
Phishing is a type of cyber attack in which an attacker attempts to obtain sensitive information such as usernames, passwords, or credit card details by posing as a trustworthy entity via email messages.
The word “phishing” is derived from fishing and refers to using lures to “fish” for sensitive information. Phishing attacks typically use social engineering to gain a victim’s trust, and use spoofing such as faking an email address or URL to make the attack appear legitimate.
When phishing attacks are targeted at certain services or individuals it’s called “spear phishing”, and in this case they appear to be sent from Runbox Support, the Runbox Team, or other similar official-sounding names.
Email users who are unfortunate enough to receive a spear phishing message and end up divulging their Runbox login details can end up having their Runbox accounts hijacked and used to send spam, which then forces us to suspend the accounts until the customer can regain access.
With access to an email user’s account the attackers may then be able to access their personal information and use it to commit fraud or identity theft, which can in turn result in financial loss or worse.
Naturally such account hijacking causes much confusion for the affected customers, in addition to the privacy intrusion and the consequences for the recipients of the spam being sent, which is often another phishing scam. The phishing then continues to cascade to new groups of innocent users of other email services, exploiting people’s trust and rarely being caught.
It is important to understand that these scammers are criminals, and that being tricked into disclosing any login details can have serious consequences.
How to spot phishing
The easiest way to see whether a message is in fact from Runbox is to check the From address, as phishing emails almost always come from a random email address not on any Runbox domain names such as runbox.com.
Another important clue is whether the email addresses you by name, or whichever name you have entered in your Runbox Account details. Attackers typically only have lists of email addresses without any first or last names, so if the message does not address you by name it is likely to be a scam.
The third way to check the legitimacy of any email which asks you to click on a link, is to check where the link will actually take you. Some phishing links look like they link to a Runbox web page, but if you hover over it with your mouse, you can see that it will in fact take you to some random address not associated with Runbox at all.
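The three checks above (From address, personal greeting, and where a link really points) can be automated. The following is an added example, not code from Runbox: it runs those checks, plus a simple urgency-wording check, over two constructed sample messages. The only official domain it knows is runbox.com, which is an assumption taken from this post; the real list of Official Runbox Email Addresses is not reproduced here, so a deployment would substitute the provider’s published list.

```python
# Added example (not from the Runbox post): automated versions of the
# manual phishing checks described in the text, run over constructed samples.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
import re

# Assumption: the post names only runbox.com; a real check would use the
# provider's published list of official addresses/domains.
OFFICIAL_DOMAINS = {"runbox.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Extract the host part of an absolute URL ('' if it is not one)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def _on_official_domain(host):
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def phishing_indicators(raw_message, recipient_name):
    """Return a list of indicator strings; an empty list means none fired."""
    msg = message_from_string(raw_message)
    findings = []

    # Check 1: the From address must be on an official domain.
    _, addr = parseaddr(msg.get("From", ""))
    if not _on_official_domain(addr.rpartition("@")[2].lower()):
        findings.append(f"from-address-not-official:{addr}")

    # Check 2: a genuine message addresses the account holder by name.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    if recipient_name.lower() not in body.lower():
        findings.append("no-personal-greeting")

    # Check 3: link text that claims to be the provider but points elsewhere
    # (what "hover over the link" reveals, done programmatically).
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        claims_official = any(d in text.lower() for d in OFFICIAL_DOMAINS)
        if claims_official and not _on_official_domain(_host(href)):
            findings.append(f"deceptive-link:{text}->{_host(href)}")

    # Check 4: false urgency wording.
    if re.search(r"\b(immediately|within 24 hours|will be (closed|suspended|shut down))\b",
                 body, re.I):
        findings.append("urgency-language")
    return findings


# Constructed sample messages (not real mail); the name and domains are made up.
SAMPLE_PHISH = """\
From: "Runbox Support" <support@mail-verify-example.net>
To: user@runbox.com
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Dear user,</p>
<p>Your account will be shut down unless you verify it immediately:
<a href="https://example.net/login">https://runbox.com/login</a></p>
"""

SAMPLE_LEGIT = """\
From: "Runbox Team" <team@runbox.com>
To: user@runbox.com
Subject: New feature available
Content-Type: text/html; charset=utf-8

<p>Hello Ola Nordmann,</p>
<p>A new optional feature is available in
<a href="https://runbox.com/app">https://runbox.com/app</a>. Try it whenever you like.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample, "Ola Nordmann"))
```

The greeting check uses the name the account holder registered, which is why a real message passes and a bulk message sent to a bare address list does not; the link check compares the host the visible text claims against the host in the `href`, exactly what hovering over the link shows in a mail client.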
If in doubt, go to our main website Runbox at https://runbox.com for information, or contact us via Runbox Support at https://support.runbox.com.
Do not be fooled or threatened by the scams
Most phishing emails have a very urgent and even threatening tone, trying to scare the recipient into acting right away to avoid having their account shut down or disrupted.
The scammers might even read our blog or other web pages and notice that we have two webmail versions, and subsequently send messages claiming that if you don’t switch to the newer version within X days, then your account will be shut down, for instance.
Legitimate messages from the Runbox Team will always give notice about something happening in the future, or optional new features.
Catching the scammers
We are constantly working to improve our defenses against phishing attacks, spam, and viruses, and we take immediate action to remove spear phishing messages as soon as we become aware of an attack.
If you have received any scam emails like the ones described above without responding in any way then your account is perfectly safe. We do however appreciate you notifying us via Runbox Support at https://support.runbox.com so that we can take steps to protect you and our other customers against the attack.
One of the main objectives for the European Union (EU) when they developed the replacement for the Data Protection Directive 95/46 (from 1995), was to expand individual control over the use of personal data.
This can be seen in a broader view as an implementation of the right to one’s private life, as laid down in the European Convention on Human Rights (Article 8). The right to respect for one’s private and family life is also stated in the EU Treaty on Fundamental Rights (Article 7).
Already in GDPR¹ Article 1 we see the connection between the GDPR and especially the Treaty on Fundamental Rights:
This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data
Article 1-2 of the GDPR
Observe the expression “rights and freedoms of natural persons“, which is very important throughout the Regulation and is used 31 times in all.
Before we go further into the subject of this post, it is important to state that Norway’s legislation on the processing of personal data was already compliant with the GDPR before the latter was declared as the new framework for the legislation in Norway. The Norwegian Personal Data Act (PDA²), as compliant with the GDPR, took effect 20 July 2018.
First and foremost, the GDPR states that no processing of personal data shall be done unless the data subject has given consent (Article 6-1, a). Runbox obtains consent to registration of our users’ personal data when they sign up for an account and accept our Terms of Service.
The GDPR (Article 6-1, ff.) allows a controller – that is Runbox in our context – to process personal data when there is a legitimate reason for doing so, i.e. something that is necessary to use our services.
It is an important objective for the GDPR to secure one’s control of one’s own personal data. In this respect, the GDPR has given the data subjects eight fundamental rights (Article 15—17).
When implementing these rights in Runbox, we found that most of those were already there. However, the introduction of the GDPR provided us with a checklist and the opportunity to analyze our status, and to improve our services in this respect.
Our Privacy Policy provides exhaustive information about how we process personal data, but here is an overview of the data subject’s rights, and our implementation of them:
The right to access (Article 15): Since Runbox does not collect other types of information than what the users register by themselves, they can easily check which personal data is processed. The data processing is only done in order to process your emails, and optionally your web site and domain name.
The right to rectification (Article 16): You may at any time log in to your email account and change your personal information.
The right to erasure (‘right to be forgotten’) (Article 17): You may terminate your subscription any time, and your account contents will subsequently be deleted after 6 months. Your personal details data will be deleted after 5 years in accordance with Norwegian accounting regulations. However, you may send a request to dataprotectionofficer@nullrunbox.com for immediate erasure of your account contents.
The right to restriction of processing (Article 18): Runbox will never use your personal information for purposes other than providing our services to you, so restrictions are not necessary in our context.
The right to be informed (Article 19): Runbox uses your personal information only in order to provide our services to you.
The right to data portability (Article 20): In case that you wish to move to another email service provider and export your data, you will find information on how to do this through our services and documentation.
The right to object (Article 21): Since we never will use your personal data for other purposes than to deliver the services you have agreed to, this right is implicitly fulfilled.
The right to individual decision-making (Article 22): This article is intended to protect data subjects against automated data-processing that might involve profiling them based on personally identifiable information, which is something Runbox doesn’t do.
Regarding questions or concerns about our implementation of the GDPR, customers may use the email address dataprotectionofficer@nullrunbox.com as a direct channel to our appointed Data Protection Officer.
Some final remarks about consent: Runbox uses cookies in order to provide our services, and new users must give express consent to this on our signup page. On this page, and on the Account page once logged in, you may also give/revoke consent to future news and offers from Runbox.
In our next post in this series, we will consider our contractual situation regarding GDPR requirements. Stay tuned.
Footnotes
1. The GDPR means Regulation EU 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC General Data Protection, General Data Processing Regulation. Article refers to Article in the GDPR, unless stated otherwise.
2. The Personal Data Act (the PDA) means the regulations that are currently in force in Norway for the protection of individuals in connection with the processing of personal data, which includes the implementation of GDPR in Norway (2018-07-20).
At Runbox we are continuously working to improve the security of our services. We are now strengthening the security of your web browser’s connection to our servers to ensure that it utilizes modern web security standards.
If you are using an updated version of one of the major web browsers such as Firefox, Chrome, Safari, Opera, and Edge, you will probably not notice any effects. You can then continue using our services just like before, while knowing that the strongest encryption protocols are being utilized.
If you’re using a non-standard or not updated web browser, then please read the information below for more details about these changes and how they may affect you.
Those who are interested in the technical details of these changes may also find this information useful.
What we are doing
When you visit our website the connection between your web browser and our web servers is encrypted. This means that no one can intercept your username, password or any other transmitted data including the content of your email messages.
It’s important to use a modern browser that supports modern encryption methods to prevent that encryption from being broken and compromised. This is essential to web security because hackers increasingly use more powerful computers and techniques in their attempts to decrypt data and eavesdrop on unsuspecting users.
In order to ensure that Runbox is providing the latest and most secure encryption between your browser and our service we will therefore end support for outdated encryption methods.
This entails that we will only support the strongest encryption cipher suites that are compatible with most major web browsers.
It also helps us prevent unauthorized access to our servers and helps keep the Runbox services safe for all of our customers.
On December 1, 2019 we will retire some outdated encryption methods and this might affect some older web browsers.
Once these changes are made the TLS protocol version and cipher suites will be the same for all access methods to our email services, including web, POP, IMAP, and SMTP.
The technical details
You don’t need to delve into all the technical details, but we know many customers are interested in this and it is useful for everyone to stay educated about web security.
The changes involve retiring support for TLS (Transport Layer Security) versions 1.0 and 1.1, and only providing support for TLS 1.2 or later. We will also only support a small set of strong encryption cipher suites that are recommended by the reputable organizations Mozilla and OWASP.
TLS 1.2 has been around for 10 years so there has been a long time for browsers to adopt the use of this type of encryption. However, you don’t need to understand anything about this to make any necessary changes.
All the cipher suites we will be utilizing are of the type Diffie-Hellman Ephemeral (DHE), which means that a unique cryptographic key is generated each time a new connection is made.
This in turn means that even in the unlikely event that one set of keys is compromised it cannot be used for another connection made from another client (“forward secrecy”).
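The policy described above (TLS 1.2 as the floor, and only ephemeral Diffie-Hellman cipher suites) can be expressed and audited with Python’s standard `ssl` module. The following is an added example and is not Runbox’s server configuration: the cipher string is an assumed OpenSSL-style list of ECDHE/DHE suites, not the list Runbox uses, and the audit function reports any offered suite whose key exchange is not ephemeral, which is the property that gives forward secrecy.

```python
# Added example (not Runbox's configuration): build a server-side TLS policy
# matching the rules in the text and audit it for forward secrecy.
import ssl

# Assumption: an OpenSSL cipher string restricted to ephemeral key exchange.
# Runbox's actual list is not reproduced on the page.
CIPHER_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"


def is_ephemeral(kea):
    """True for DHE/ECDHE (and TLS 1.3, reported as 'any', which is always ephemeral)."""
    k = (kea or "").lower()
    return "dhe" in k or "any" in k


def make_server_context():
    """Server context with TLS 1.0/1.1 retired and only the policy's suites enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # retires TLS 1.0 and 1.1
    ctx.set_ciphers(CIPHER_POLICY)                 # TLS 1.2 suites; 1.3 suites stay on
    return ctx


def non_forward_secret(cipher_descriptions):
    """Names of suites whose key exchange is static (e.g. RSA), i.e. no forward secrecy."""
    return [c["name"] for c in cipher_descriptions if not is_ephemeral(c.get("kea"))]


def policy_summary(ctx=None):
    """What a reviewer would want to see: floor version, offered suites, exceptions."""
    ctx = ctx or make_server_context()
    ciphers = ctx.get_ciphers()
    return {
        "minimum_version": ctx.minimum_version.name,
        "suites": [c["name"] for c in ciphers],
        "non_forward_secret": non_forward_secret(ciphers),
    }


if __name__ == "__main__":
    summary = policy_summary()
    print("floor:", summary["minimum_version"])
    for name in summary["suites"]:
        print("  ", name)
    print("without forward secrecy:", summary["non_forward_secret"] or "none")
```

The same `non_forward_secret` check can be pointed at a context built from a permissive cipher string to see which legacy suites such a policy would have kept; with the policy above the list is empty, which is the condition the post describes as "forward secrecy": a key compromised for one connection is useless for any other.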
The updated list of currently supported cipher suites includes the following:
The vast majority of web browsers already support TLS 1.2 and you are only likely to have a problem if you are using an outdated browser and/or an outdated operating system.
We have tested the following browsers and they all work with the modern encryption that we will use:
Firefox
Chrome
Safari
Opera
Edge
Many other modern browsers are also likely to work with TLS 1.2 and those listed above are just commonly used ones that we have tested.
What you can do
If you are not using an upgraded version of one of the major web browsers listed above, please upgrade your web browser and/or operating system now. This is the most important action you can take to ensure that your data and communications are secure.
If you’re using a web browser not listed above and are unsure whether it will continue to work with the specifications we have provided, we recommend that you keep one of the major web browsers available as an alternative.
We generally recommend Firefox as it is free, standards compliant, and open source, and therefore reviewed by the security community.
Further help
If you need any further information or help on this issue please contact Runbox Support with details of how we can help you.
In part 3 of this blog series we described how we mapped the “world” of our operations, including the following components:
Server infrastructure, including all servers and other hardware as well as the links between these.
Software components that comprise our application stack from the operating system level to the front-end application level.
Data networks, including how and where our servers are connected to the Internet, but also the Local Area Network at our premises.
Data inventory, i.e. all personal data including customer and employee data, financial records, information about partners/associates, etc.
Applications necessary to run the company itself, meaning software that is managerial in nature.
Access control concerns permissions attached to system-related objects. Within each of the components listed above, there may be several sub-objects — servers, software modules, data files, catalogues etc., to which restricted access should be implemented.
Creating an Access Control Table
These objects then form one axis of an Access Control matrix or table (ACT). The other axis of the table includes organizational units, broken down into person-related objects, for instance segments or groups, but also individuals, for each unit.
After breaking these objects down to an appropriate level, we attached roles to each of these components. In terms of the GDPR, data processor and data controller are examples of roles to use in this context.
To each of the defined roles, we attached categories of tasks, for instance sysadmin, developer, and support staff tasks.
For our email service systems we found it convenient to structure the system-related objects in 3 main categories:
General software.
Application software.
Personal data.
Within each of these categories there are various numbers of objects, to which access permissions are attached, comprising the Access Control Table for the realm in question. For other realms of our “world” we used a similar approach, resulting in a number of ACTs that implement a principle of least privilege.
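The structure just described (objects in three categories on one axis, persons and roles on the other, roles carrying task categories, and deny-by-default checks) is easy to make concrete in code. The following is an added example, not Runbox’s own tooling: every object, role, task and person name is constructed to match the structure above, since the real ACTs are not reproduced on the page. It expands persons → roles → tasks into the table, answers “may this person do this to this object” with deny by default, and reports objects nobody holds so the table can be reviewed for least privilege.

```python
# Added example (not Runbox's tooling): a minimal Access Control Table with
# deny-by-default checks. All names below are constructed for illustration.
from itertools import chain

# System-related objects, grouped in the three categories named in the text.
OBJECTS = {
    "general_software": {"os_packages", "mail_transfer_agent"},
    "application_software": {"webmail_frontend", "imap_backend"},
    "personal_data": {"customer_records", "mailboxes", "financial_records"},
}
ALL_OBJECTS = set(chain.from_iterable(OBJECTS.values()))

# Task categories and the (object, permission) pairs each one actually needs.
TASKS = {
    "sysadmin": {("os_packages", "write"), ("mail_transfer_agent", "write"),
                 ("imap_backend", "read")},
    "developer": {("webmail_frontend", "write"), ("imap_backend", "write"),
                  ("os_packages", "read")},
    "support": {("customer_records", "read")},
}

# Roles bundle task categories; persons (the other axis) are assigned roles.
ROLES = {
    "operations": {"sysadmin"},
    "engineering": {"developer"},
    "customer_service": {"support"},
}
PERSONS = {"alice": {"operations"}, "bob": {"engineering"}, "carol": {"customer_service"}}

PERMISSION_RANK = {"read": 1, "write": 2}   # write implies read


def build_act():
    """Expand persons -> roles -> tasks into a table keyed by (person, object)."""
    act = {}
    for person, roles in PERSONS.items():
        for role in roles:
            for task in ROLES[role]:
                for obj, perm in TASKS[task]:
                    if obj not in ALL_OBJECTS:
                        raise ValueError(f"task {task!r} refers to unknown object {obj!r}")
                    act.setdefault((person, obj), set()).add(perm)
    return act


def is_allowed(act, person, obj, perm):
    """Deny by default: only an explicit grant of equal or higher rank allows."""
    granted = act.get((person, obj), set())
    needed = PERMISSION_RANK[perm]
    return any(PERMISSION_RANK[g] >= needed for g in granted)


def holders(act, obj, perm):
    """Everyone who may perform `perm` on `obj`; useful when reviewing a row."""
    return sorted(p for (p, o) in act if o == obj and is_allowed(act, p, obj, perm))


def unassigned_objects(act):
    """Objects no one holds: either correctly locked down or missing from the table."""
    held = {obj for (_, obj) in act}
    return sorted(ALL_OBJECTS - held)


if __name__ == "__main__":
    table = build_act()
    for (person, obj), perms in sorted(table.items()):
        print(f"{person:6} {obj:20} {sorted(perms)}")
    print("nobody holds:", unassigned_objects(table))
```

Permissions flow only through task categories, so adding a person means assigning a role rather than editing object rows, and the `unassigned_objects` report is the review step: an object in the personal-data category that nobody holds is the least-privilege outcome you want, while an object that should be reachable and is not signals a gap in the table.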
With this the groundwork was laid for establishing various mechanisms for implementing the access control regime, in order to secure our most precious pieces of hardware, software, and data.
In our next blog post in this series we will look at Information and Tools for Implementation of Users’ Rights.