
Virtru Crafts Countermeasures to Combat E-mail Snooping

Plus: Target left the gate open, and the Syrian Electronic Army fails to annex


This Week in Cybercrime

Anyone who still thinks that e-mail is a secure method for sending and receiving information, raise your hand. Well, it isn’t. Now, put your hands down and pay attention. When e-mail was first created, security was an afterthought. But in the wake of revelations about spying by the United States, China, and others, companies are attempting to remedy that by introducing new methods for encrypting messages.

One such company, a startup called Virtru, was founded by a former NSA data security researcher named Will Ackerly. He says the company’s secret sauce is in a browser extension that handles the encryption and decryption of content right on the device. It allows computer users to send secure messages through Gmail, Outlook, and Yahoo webmail interfaces without an external client. The software instantly encrypts whatever the user types in the body of an e-mail. The result: even the Web mail provider only sees encrypted content. Messages are encrypted in the Trusted Data Format (TDF). Ackerly knows quite a bit about TDF; he helped create the open-source security format in 2008 while still in the employ of the NSA.

Ackerly took the additional step of featuring elliptic curve Diffie-Hellman ephemeral key exchange, which means that Virtru generates a new Secure Sockets Layer, or SSL, key for every new e-mail session. Old ones are discarded. So if a hacker somehow gains access to a key or a government agency demands that it be turned over, its value is limited because it wouldn’t decrypt messages sent or received in previous sessions. This is meant to prevent a repeat of what happened to Lavabit, Edward Snowden’s former e-mail service provider. Lavabit fought, but ultimately lost, a court battle over whether it had to turn its SSL key over to the U.S. government, giving the Feds the ability to read all of its customers’ messages.
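
The forward-secrecy property described in the paragraph above, as an added Node.js example (not Virtru's code and not part of the original article): each session derives its key from fresh ECDH key pairs, so a key disclosed later opens only its own session. The function names, the P-256 curve, the HKDF label, and AES-256-GCM are assumptions chosen for illustration.

```javascript
const crypto = require('crypto');

// One e-mail session: both sides create fresh (ephemeral) P-256 key pairs,
// agree on a shared secret, and the private halves go out of scope afterwards.
function ephemeralSessionKey() {
  const sender = crypto.createECDH('prime256v1');
  const recipient = crypto.createECDH('prime256v1');
  const senderPub = sender.generateKeys();
  const recipientPub = recipient.generateKeys();
  const s1 = sender.computeSecret(recipientPub);
  const s2 = recipient.computeSecret(senderPub);
  if (!crypto.timingSafeEqual(s1, s2)) throw new Error('key agreement failed');
  // HKDF turns the raw ECDH output into a uniform 32-byte AES key.
  return Buffer.from(crypto.hkdfSync('sha256', s1, Buffer.alloc(0), 'demo-session', 32));
}

function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Returns the plaintext, or null when the key is wrong (GCM tag check fails).
function open(key, msg) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
    d.setAuthTag(msg.tag);
    return Buffer.concat([d.update(msg.ct), d.final()]).toString('utf8');
  } catch (e) {
    return null;
  }
}

// Constructed scenario: two sessions, then the key of session 2 is disclosed.
function demo() {
  const k1 = ephemeralSessionKey();
  const k2 = ephemeralSessionKey();
  const m1 = seal(k1, 'message from session 1');
  const m2 = seal(k2, 'message from session 2');
  return {
    session2WithK2: open(k2, m2), // the disclosed key reads its own session
    session1WithK2: open(k2, m1), // but not the earlier one
    // Contrast: a single long-lived key reused for every message reads them all.
    staticReadsAll: [seal(k1, 'a'), seal(k1, 'b')].every((m) => open(k1, m) !== null),
  };
}
```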

Virtru is also thinking about letting its customers manage their own keys. This would give a Virtru user the ability to limit access in terms of who can see a message and for how long. A sender could revoke a key and block access to a message, or rig it to expire at a preset time. Forwarded messages would remain encrypted and unreadable unless the new recipient receives authorization from the original sender.  

Ackerly says Virtru plans to offer the service, including all the aforementioned features, for free. According to a Computer World article, the company will generate revenue by “licensing its key management software to businesses, as well as offering other management and access visualization tools for encrypted email. Mobile clients are in the works as well, for Android and iOS.”

Target (and Its Customers) the Victim of Lax Network Security

Investigators are learning more about the data breach that let cybercriminals walk away with the credit and debit card information of tens of millions of Target customers over the holiday shopping season. And what they’re finding is troubling. The upshot: It’s becoming abundantly clear that the incident was not as much due to the genius of the hackers as it was to Target’s poor security controls.

Security blogger Brian Krebs, who originally broke the story of the Target breach, revealed on his blog that hackers gained access to Target’s network using login credentials they had stolen from a heating, ventilation, and air conditioning company. That vendor, Fazio Mechanical Services, was given access to Target’s network so that it could perform tasks such as remotely monitoring stores’ temperature and energy consumption. But it seems the retailer neglected to wall off the parts of its network containing sensitive payment card data.

Krebs says that according to sources close to the investigation, Target’s insistence that the company was the victim of a sophisticated cybercriminal campaign is purely make-believe. Once the hackers got their hands on Fazio’s username and password, they probed the network undetected, tested their malware on a few of Target’s point-of-sale devices, and eventually uploaded the malware to most of the cash registers connected to the network. The operation did not require the services of a criminal mastermind.

But it should have. The Payment Card Industry Data Security Standard, which companies like Target are required to follow, specifically says that companies should segment their networks and isolate sensitive cardholder data.

Facebook Domain Takeover Thwarted

Facebook celebrated its 10th birthday this week. The Syrian Electronic Army (SEA) decided to crash the party by attempting to hijack the social media site’s domain name and reroute it to a server under the hacker group’s control. The cybercriminals managed to get as far as modifying the WHOIS information for, so that the domain's listed contact address was in Damascus, Syria. But they were thwarted in the more crucial step of pointing the website to one of their own servers because Facebook’s domain name registrar, VeriSign, has a registry lock feature requiring additional verification before making such a change.

You would think that requiring additional verification would be de rigueur, but the SEA has gained wide notoriety for successfully taking over domain names such as,,, and (For a detailed account of such a domain name theft, read Steven Cherry's 2005 account of the attack on New York City ISP Panix.) In this instance, just as with the hacker group’s previous takeover campaigns, they attacked the target via a third party. The cybercriminals managed to gain some level of admin control at MarkMonitor, a domain name management company. The MarkMonitor hack was what allowed the SEA to change’s WHOIS address.

In Other Cybercrime News…

