We read in the New York Times just this week that thousands of the EU’s diplomatic messages have been intercepted over the course of a concerted three year attack. https://www.nytimes.com/2018/12/18/us/politics/european-diplomats-cables-hacked.html According to Computing the hackers accessed the European network known as COREU or CORTESY.
COREU is a comms network of the European Union for the communication of the Council of the European Union. It is the European equivalent of the American Secret Internet Protocol Router Network (SIPRNet, also known as Intelink-S).
The original system was set up in the early 70s and was telex based. It was replaced in the 90s by CORTESY (COREU Terminal Equipment System), so despite using encryption for messages it is still very old technology.
One crumb of comfort is that information marked as CONFIDENTIAL or SECRET was not affected.
However, this does highlight that even what on the face of it may be mundane, day to day communications are of interest and therefore of value to someone – in this case, the suspected perpetrators are the Chinese military.
Protect your Intellectual Property
While your organisation may not be of interest to the Chinese military, there will be someone out there who probably would like to know a bit more about your business. Competitors that want to target your customers, or access trade secrets (product information, formulae, recipes, etc.), or hackers and criminals looking to steal your identity or the contents of your bank account!
My point is that your information doesn’t need to be what you would naturally think of as confidential or secret. Everyday messages about clients, products, product recalls, meetings, office gossip can all be valuable for profiling and piecing together information about who you are dealing with, the nature of those dealings, and information about individuals that could be used for commercial leverage or identity theft.
Mobile devices – the new End Point
With our almost universal reliance on computers, industrial espionage has become a lot more about hacking skills. Hugely valuable information is accessed by workers from their mobiles and with GDPR many organisations are beginning to understand that the new end-point is mobile phones and the consumer grade apps that staff use to communicate.
As we’ve said on numerous occasions, don’t be lulled into a false sense of security by the word ‘encryption’. Encryption is never the weakest point that hackers will target. It is usually a weakness in the system; in the case of the EU it was old technology. Even if you are using relatively new technology in the form of messaging apps, you still need to consider the security of your whole mobile comms system, including where data is held (i.e. is your service provided by a multi-national social media company that needs to monetize its members’ data to make revenue?), exactly who might have access to it, and any weak points within the system.
Here are a few of our recent blogs that explain the pitfalls in more detail:
The dangers of relying on SMS based two factor authentication:
https://www.armourcomms.com/2018/08/16/avoid-sms-based-two-factor-authentication/?cat-slug=10
Chat apps that have spread through corporate networks by stealth are the most hacked type of app, and the most widely banned:
https://www.armourcomms.com/2018/07/31/free-apps-you-might-get-more-than-you-bargained-for/?cat-slug=10
Avoiding shady Wi-Fi hotspots:
https://www.armourcomms.com/2018/07/05/world-cup-fever-or-holiday-wi-fi-nightmare/?cat-slug=10
Staff mobile phones are also covered by GDPR, here’s what you need to do:
https://www.armourcomms.com/2018/05/24/gdpr-is-here-dont-forget-your-mobile-comms-need-securing-too/
If you fear that your mobile comms could be vulnerable to eavesdroppers, competitors or criminals, contact us today to discuss a solution.
