Out-of-Band Secure Communications are vital for Incident Management

The ongoing cyber-attacks at high-profile retailers are a timely reminder that all organisations should carefully consider how they would communicate when their day-to-day systems are compromised. Minister for Intergovernmental Relations and Chancellor of the Duchy of Lancaster, Pat McFadden, stated in his keynote speech at CyberUK that “companies must treat cyber security as an absolute priority”. Having an out-of-band secure communications system is vital for corporate cyber resilience and incident management, and ensures that organisations can respond quickly and effectively to a cyber-attack, taking control of the situation early.

As the National Cyber Security Centre (NCSC) so succinctly puts it:

During a cyber incident, your usual communications channels may not be available. You may need to establish alternative ways to keep in touch with staff, stakeholders and customers, using phone lines, messaging apps or social media platforms – NCSC

The point that organisations cannot rely on mass-adoption apps has been demonstrated all too well in recent weeks, with the BBC reporting that “anonymous hackers showed the BBC screenshots of the first extortion message they sent to Co-op’s head of cyber security in an internal Microsoft Teams chat on 25 April”.

If hackers get inside corporate systems, they can not only send messages that appear to be from legitimate users, and participate in internal chat and conference systems, but also listen in to conversations between security teams and management about incident response and recovery, and so are able to cause even more chaos by anticipating and circumventing your countermeasures. The only solution is to use an independent, out-of-band, secure communications solution that doesn’t rely on the organisation’s every-day technology.

And it’s not as if we haven’t been warned. Earlier this year UK intelligence and security organisations raised threat levels. The National Protective Security Authority (NPSA) updated its threat picture and issued guidance on how to counter the risk of sabotage to UK interests and national security. At about the same time, NCSC issued guidance on effective communications in a cyber incident.

Prepare with incident management and response

One way that organisations can protect themselves is to prepare for the threats posed by cyber-attacks, by creating robust incident management and response policies and processes, that are set up and (most importantly) tested in advance.

Secure communication with key stakeholders, including external suppliers, is one area that many organisations overlook in the panic to deal with a serious incident. Indeed, it is one of the first points that NCSC makes in its guidance document for effective communications in a cyber incident (referred to above) and goes on to state that “…effective communication to staff, stakeholders, customers and the media is crucial for shaping how an organisation is perceived.”

Both NIST and the Digital Operational Resilience Act (DORA) suggest that incident response groups with key contacts/structures are pre-defined and set up before an incident occurs, so that communications can begin immediately on the secure channel.

Our previous blog, “In the midst of a cyber attack, who you gonna call? And how?”, explains the challenges in more detail.

How do current systems stack up?

Mass-adoption desktop platforms that include messaging and collaboration tools are often the basis for an entire enterprise technology infrastructure, with many critical dependencies. For example, if your main systems were attacked so that your Active Directory or Identity and Access Management systems were compromised, how would the business operate? What would be the ramifications for your employees trying to do their jobs and communicate with colleagues? Could they trust that the emails, chats and even conference calls they receive have not been compromised?

Ensuring you have the right infrastructure components for effective incident management and response is key.

Back up communications channels

For all organisations it is crucial to have a back-up communications channel (often referred to as out-of-band) that can be used to marshal a response to any attack or major incident, and organise recovery processes.

A standalone, independently or in-house hosted secure communications platform that is as engaging and easy to use as a consumer-grade app can ensure that employees have a solution that keeps data secure, while providing the capability to communicate effectively.  Such platforms deliver:

  • Data protection using UK Government and NATO approved tools, Secure by Design/Secure by Default
  • One easy-to-implement solution that enables multi-domain integration of communications amongst trusted third parties and stakeholders
  • Instant, remote and mobile secure collaboration

What is an ‘out-of-band’ communications channel?

An out-of-band communications channel is one that does not rely on the standard enterprise infrastructure: it is a system that can operate completely on its own as a standalone solution, i.e. it doesn’t rely on email, Microsoft Office/365, or other mainstream systems. An out-of-band communications platform can work when other systems are compromised, and its standalone nature protects it from the attackers.

How Armour can help

Armour provides a single platform for communicating securely even on personal/BYOD devices, keeping control of the data without the requirement for an MDM. It enables secure calls (audio and video), video conferencing, and secure instant messaging with document exchange, using personal, off-the-shelf smartphones and desktops. This allows trusted colleagues to share and discuss sensitive information, protected from eavesdroppers, even in the event of a cyber attack.

Armour can also provide a genuinely secure archive/audit capability, as required by regulated industries and public sector bodies where a record of material conversations and communications is a legal imperative, and may be required for Freedom of Information (FOIA) responses. In addition, recording the incident response can be invaluable for internal review, for criminal proceedings against the hackers, and for refining how the organisation responds to future incidents, further improving its incident management processes.

Control users – be sure who is on the call

Users/call groups are centrally managed, and people can only join and use the app by invitation. Identity-based authentication (using NCSC’s MIKEY-SAKKE protocol) means that users can be confident when using the platform that they are communicating with who they think they are.  Armour addresses the issue of identity-spoofing and ghost-callers, particularly useful when video conferencing.

Armour can be deployed as a cloud or on-premises installation which preserves data sovereignty by giving full control as to where data resides, as well as providing the independence from third party solutions required to provide an ‘out-of-band’ emergency communications channel.

And, of course, Armour can also be deployed for day-to-day, sensitive communications (with built-in audit compliance), if your business needs to protect its C-suite users, frequent overseas travellers, commercial negotiations, strategic discussions, etc.

Secure Communications Buyer’s Guide

For more comprehensive information about what you should be looking for in an ‘out-of-band’ secure communications platform to support your Incident Management and Response capabilities, download our Buyer’s Guide: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/

Secure Communications – providing the right tools to do the job

Armour CTO, Dr. Andy Lilly asks: “Have we learnt our lesson yet when it comes to using consumer apps for sensitive conversations?”

When it comes to government, military and business communications about sensitive topics, consumer apps are simply not designed for the job. However, there are commercially available solutions that are built for exactly these types of conversation. They are every bit as easy to use as consumer apps, but with far more robust security. With all the stories that have hit the headlines in the last 18 months, surely it’s about time that government agencies provided their employees with a suitable tool to enable them to do their jobs securely (Matthew Wilson, chair and co-founder of Penten, an Armour partner, explains in this interview with CyberDaily).


When will they learn?

The most recent, and arguably the most high-profile, example was the news that a journalist was mistakenly included in US government discussions about sensitive military operations (aka “SignalGate”). It has been reported by the BBC that the journalist’s number was mistakenly attributed to one of the government staff who was invited to the group chat. So, in this instance, it was human error that leaked such sensitive data to the outside world, but an app that was Secure by Design would have ensured that user identities could not be confused in this way.

In June 2024 news broke that the ex-Prime Minister and (at that time) UK Foreign Secretary David Cameron had fallen victim to a hoax video call. The call was with someone pretending to be former Ukrainian President Petro Poroshenko, with whom Mr Cameron had had multiple dealings, including face-to-face, during his tenure as Prime Minister. As soon as the impostor started asking for contact details, Mr Cameron smelt a rat and ended the conversation, with no sensitive information exchanged.

This was clearly a sophisticated, targeted attack, given that Mr Cameron was initially taken in by the impersonation, and it demonstrates that such calls provide no authentication of the true caller identity. A communications app that uses identity-based encryption means that people using the app can be sure of the identity of those they are communicating with.

In May 2024, The Times article “Russia targets British soldiers’ mobile phones” stated that UK troops had been warned about the risk of Russian agents spying on their mobile phones. While this had long been suspected, during NATO battle exercises in Estonia troops were once again reminded of the dangers of using mobile phones while in theatre. This particular attack involved the use of fake base stations and GSM calls, which are inherently insecure, an old attack vector that is still in use. (Our blog ‘Is someone listening in on your confidential calls?’ explains how it works.)

Spear-phishing attacks against targeted organisations and individuals

In February 2025, we read about a spate of instances involving the use of malicious QR codes to compromise Signal accounts, including those of military users, by exploiting the device-linking feature within the app. Google Threat Intelligence Group (GTIG) reported that the device-linking feature is being widely used by state-sponsored groups to attack Signal accounts, using social engineering to trick targets into scanning malicious QR codes that link their account to a device controlled by the attacker. The attacker can then synchronise with the victim’s account and see all their sensitive communications.

A secure, centrally managed communications service would not allow users to add unauthorised devices to their accounts in this manner, nor allow unauthorised users to ever get access to the service in the first place.

Of course, the use of consumer apps also makes it ridiculously easy for a malicious insider to deliberately exfiltrate sensitive data sent over such systems, as demonstrated by the Daniel Khalife case.

Mis-use of personally-identifiable information (PII) in consumer apps

While a covert operative really won’t want their personal phone number associated with their classified conversations, the direct and visible link between most consumer apps and the user’s underlying phone number raises personal privacy issues for everyone. Use of a platform where the personal details of users can be protected provides stronger ‘duty of care’ processes, while the ability to record, store and securely audit communications further ensures compliance with data protection regulations.

Such measures can protect against potential harassment in the workplace, mis-use or abuse of the communications service, and other such serious issues.

Some Governments have banned the use of consumer apps

In December 2024, the Scottish Government hit global headlines when it announced a ban on the use of the consumer messaging app WhatsApp for official business. The Scottish Government was not the first to take such measures; the French government banned the use of WhatsApp, Signal and Telegram by ministers and their teams, as have banks (e.g. NatWest) and, over previous years, privacy-sensitive companies (e.g. Germany’s Continental AG).

There’s more to security than end-to-end encryption

Mass adoption apps are simply not secure enough. While they all claim end-to-end encryption that protects data in transit, the incidents mentioned above demonstrate that this does not mitigate the wrong person being added to a group chat, users being fooled by deepfake impersonation attacks, spear-phishing, social engineering, or accidental or deliberate insider misuse. As we’ve discussed many times before, there is much more to secure communication than encryption (while remembering that ‘normal’ phone calls and text services are even less secure, especially if your telecoms provider has been compromised by a nation-state attacker).

Central management of users significantly mitigates the risks

A particular danger of consumer apps is that there is no central management of users. Anyone can download an app, and anyone can assume a false user identity. For handling sensitive, higher assurance conversations and data, instant messaging apps must be Secure by Design and Secure by Default. For example, the use of crypto protocols such as identity-based encryption will ensure a user really is who they say they are, and so prevent impostor-based attacks. Without built-in security features and default settings that control users and data, instant messaging apps are prone to human error as well as deliberate misuse.

It’s ironic that these are often referred to as “Closed Messaging Apps” when, in fact, in most aspects they are actually totally open – to faked identities, social engineering and other abuses.

Delivering Certainty in an Uncertain World

The Armour Secure Communications Platform offers total data sovereignty within a controlled environment where all users are centrally managed and enrolled.  Users can only enrol once invited to do so by their Administrator.  Once their device is enrolled, the user authenticates to the communications app in their usual manner (which can include in-built biometric readers) and only then can they use the service.

Different organisations working together, for example, on a joint project, or across different government departments or branches, often need to communicate at more secure levels of assurance to protect commercially or operationally sensitive information. The Armour platform provides a trusted mechanism to enable federated communication capabilities between disparate user Communities while maintaining robust security.

As a trusted third-party system, the Armour Secure Communications Platform can be used for sensitive conversations, safely segregated from the IT infrastructure used for everyday communications.

Award-winning Armour Comms solution

  • Multi-domain, multi-organisation structure with strictly siloed security means that Armour can augment and broaden secure communications and collaboration capabilities.
  • Corporate Confidential, OFFICIAL, OFFICIAL SENSITIVE, NATO RESTRICTED, and higher assurance collaboration can be provided via Armour’s Secure Cloud, extending to include desktops, workstations and unified comms systems (such as office phone systems).
  • Alternatively, the Armour installation can be hosted and managed on-premises to give the organisation total data sovereignty.
  • Different groups can be ‘Federated’ to permit them to communicate using the Community Allow-list feature.
  • Third parties can be added and removed as needed, and only Federated to collaborate with specific teams or projects.


Armour will be at Cyber UK, being held in Manchester 6 – 8 May 2025.

Visit us to learn more about how your organisation can provide secure communications capabilities to staff. And read our latest white paper: Secure Communications Architecture and Platform for security conscious organisations, designed for, and used in, higher assurance environments.

US Government Signal Security Breach

The news that a journalist was mistakenly included in US government discussions about sensitive military operations, reminds us once again that consumer apps for instant messaging are not suitable for sensitive communications.

There’s more to security than end-to-end encryption

Mass adoption apps are simply not secure enough. While they all claim end-to-end encryption that protects data in transit, that doesn’t mitigate the issues that led to the breach.  As we’ve discussed many times before, there is much more to secure communication than encryption.

The particular danger of consumer apps is that there is no central management of users. Anyone can join, anyone can pretend to be whoever they want to be, and that’s before we consider the implications of impostor-based attacks and AI-generated deepfakes that are now frighteningly realistic. Remember the incident last year when the then Foreign Secretary took a call from someone pretending to be former Ukrainian President Petro Poroshenko, with whom Mr Cameron had had multiple dealings, including face-to-face, during his tenure as Prime Minister. (Fortunately, when Mr Cameron smelt a rat he ended the conversation, with no sensitive information exchanged.)

For handling sensitive, higher assurance conversations and information, instant messaging apps need to be Secure by Design and Secure by Default. For example, the use of crypto protocols such as identity-based encryption will ensure someone is who they say they are, and so prevent impostor-based attacks. Without built-in security features and default settings that control users and data, instant messaging apps are prone to human error as well as deliberate misuse.

Central control of users

While the productivity benefits of using instant messaging are tempting, at higher assurance levels the risk of information being leaked or stolen is all too apparent, and clearly unacceptable.

An enterprise level communications platform provides robust security features including the central management of users, which is one of the biggest differentiators between a free-to-use consumer app and an enterprise product that is designed for purpose.

A truly secure communications platform offers a controlled environment in which all users are centrally managed and enrolled.  Users join by invitation only, which they receive from an administrator.  Once their device is enrolled, the user authenticates to the communications app which can include biometric readers. Only once securely provisioned, with a proven identity, can the user use the service.  And when they leave the organisation, or if they or their device is compromised, their account can be remotely wiped, ensuring sensitive information is removed.

Ideally, users should be cryptographically segregated into groups, which can be based on division/department, location, project, or seniority/rank, and (by default) can only contact others within the same group. An administrator defines which groups can communicate with which other groups on an “as needed” basis.

Managing users by groups (or communities) ensures that there is clear segregation of community-related data. This enables organisations to maintain strong internal data segmentation where sensitive data is protected from accidental leakage to other parts of the organisation. Typically, the user has access to the minimum set of contacts and data, by default; this approach – the opposite of consumer apps – ensures that data and communication are controlled and managed appropriately.
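A minimal policy model of the controls described above (invitation-only enrolment, administrator-approved device linking, default deny between communities with administrator-defined federation, and revocation that removes every device binding), written as an added illustration rather than Armour’s own code; the user names, community names, tokens and the in-memory directory are all constructed for the example:

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    community: str
    status: str = "invited"            # invited -> enrolled -> revoked
    devices: set = field(default_factory=set)


class CommsDirectory:
    """Administrator-controlled user directory with community allow-listing."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.invite_tokens: dict[str, str] = {}   # user_id -> one-time token
        self.federation: set[frozenset] = set()    # admin-approved community pairs

    # --- administrator actions -------------------------------------------
    def invite(self, user_id: str, community: str) -> str:
        """Create the account in the 'invited' state and return its one-time token."""
        self.users[user_id] = User(user_id, community)
        token = secrets.token_urlsafe(16)
        self.invite_tokens[user_id] = token
        return token

    def federate(self, community_a: str, community_b: str) -> None:
        """Allow two communities to contact each other; everything else stays denied."""
        self.federation.add(frozenset({community_a, community_b}))

    def revoke(self, user_id: str) -> None:
        """Leaver or compromised device: drop the account and every device binding."""
        user = self.users[user_id]
        user.status = "revoked"
        user.devices.clear()

    # --- user actions ----------------------------------------------------
    def enrol(self, user_id: str, token: str, device_id: str) -> bool:
        """The first device binds only with the matching invite token, used once."""
        expected = self.invite_tokens.get(user_id)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        del self.invite_tokens[user_id]
        user = self.users[user_id]
        user.status = "enrolled"
        user.devices.add(device_id)
        return True

    def link_device(self, user_id: str, device_id: str, admin_approved: bool = False) -> bool:
        """Extra devices need administrator approval; a scanned code alone binds nothing."""
        user = self.users.get(user_id)
        if user is None or user.status != "enrolled" or not admin_approved:
            return False
        user.devices.add(device_id)
        return True

    # --- policy decision -------------------------------------------------
    def may_contact(self, sender_id: str, sender_device: str, recipient_id: str) -> tuple[bool, str]:
        """Decide whether a message from sender_device may reach the recipient."""
        sender = self.users.get(sender_id)
        recipient = self.users.get(recipient_id)
        if sender is None or sender.status != "enrolled":
            return False, "sender not enrolled"
        if sender_device not in sender.devices:
            return False, "unrecognised sender device"
        if recipient is None or recipient.status != "enrolled":
            return False, "recipient not enrolled"
        if sender.community == recipient.community:
            return True, "same community"
        if frozenset({sender.community, recipient.community}) in self.federation:
            return True, "federated communities"
        return False, "communities not federated"


def demo() -> dict:
    """Constructed walk-through: enrolment, a rejected device link, federation, revocation."""
    d = CommsDirectory()
    alice_token = d.invite("alice", "incident-response")
    bob_token = d.invite("bob", "legal")
    results = {
        "enrol_alice": d.enrol("alice", alice_token, "alice-phone"),
        "enrol_bob": d.enrol("bob", bob_token, "bob-phone"),
        "attacker_link": d.link_device("alice", "unapproved-phone"),   # no admin approval
        "before_federation": d.may_contact("alice", "alice-phone", "bob"),
    }
    d.federate("incident-response", "legal")
    results["after_federation"] = d.may_contact("alice", "alice-phone", "bob")
    d.revoke("bob")
    results["after_revoke"] = d.may_contact("alice", "alice-phone", "bob")
    return results
```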


NCSC provides plenty of guidance

More food for thought. The National Cyber Security Centre (NCSC) has published 7 Principles of Secure Communication, which are:

  • Protect data in transit
  • Protect network nodes with access to sensitive data
  • Protect user access to the service
  • Ensure secure audit of communications is provided
  • Allow administrators to securely manage users and systems
  • Use metadata only for its necessary purpose
  • Assess supply chain for trust and resilience


Consumer apps meet 2 or 3 of these at best. Dedicated, Secure by Design, communications platforms that meet all 7 principles, have been available for years… so why are organisations still exchanging sensitive data over consumer messaging apps?

UK leading the way

Thankfully there are some within the UK Government and defence organisations that are making real headway in securing their communications. However, the rate of adoption needs to be faster and broader if we, in the UK, are to show leadership in this field, and so avoid an embarrassment and breach of national security similar to that suffered by the US.

In a hyper-connected world, it is still, frequently, human error that creates vulnerabilities… make sure it’s not you!

For more details about what you should be looking for when Securing Communications Channels download our Buyer’s Guide.

Beware malicious QR codes when using WhatsApp and Signal

New spear-phishing attacks against targeted organisations and individuals

A recent spate of instances involving the use of malicious QR codes is a timely reminder, once again, that mass-adoption consumer apps are often a favoured attack vector for criminals and state-sponsored actors… and so should NOT be relied upon for military, sensitive or commercial business communications.

The latest story to hit the headlines is the compromise of Signal accounts, including some used by military targets, by exploiting the device-linking feature within the app. Google Threat Intelligence Group (GTIG) has reported that the device-linking feature is being widely used by state-sponsored groups to attack Signal accounts. Social engineering is used to trick targets into scanning malicious QR codes that link their account to a device controlled by the attacker. From there the attacker can synchronise with the victim’s account and see all their secure communications.

Signal QR code attack vector is evolving

This trick is being adapted by the attackers depending on the target. For a broader attack the malicious code is disguised as a legitimate app resource, such as a Signal group invite or device pairing instructions from the Signal website.  When individuals are targeted, phishing sites are set up that have been specifically designed to attract the victim’s attention.  In other examples, a legitimate group invite page is altered to redirect to a malicious domain that then pairs the victim’s device with a device controlled by the attacker.

GTIG has reported that this type of attack has successfully been perpetrated on devices used by military forces on the battlefield.

Particularly worrying is that this compromise is very difficult to spot and so can remain undetected for extended periods of time.

WhatsApp attacks proliferating too

Activity by the group known as Star Blizzard is another case in point, with an advisory notice issued from the national technical authorities of all of the ‘Five Eyes’ community (NCSC, CISA, FBI, NSA, CNMF, ACSC, CCCS, NZNCSC).

Star Blizzard creates email accounts and fake social media profiles impersonating known contacts of the target, using malicious but authentic-looking domains. They take time to build rapport with the victim and then send a link to the malicious site. What is new here is that the attackers are now inviting people (including US government officials) to join a WhatsApp group with a QR code, which instead gives the attacker access to the victim’s account. The perpetrator can see messages, correspondence, credentials and contacts, and can steal them. By joining the WhatsApp group the victim gives access to their data, so the attackers can exfiltrate it.

There has been a concerted effort in the mainstream media to highlight the dangers of ‘pig butchering’ – a gruesome name for the practice where a scammer builds a ‘rapport’ with the victim, often over many months, before asking for money. The victims are often so convinced that they part with significant amounts of money before the fraud is unearthed – leading to some heartbreaking cases.

In a similar manner, the ongoing, broad, and totally inappropriate use of WhatsApp for sensitive government and defence communications has predictably led to similar, targeted, social engineering attacks on such users, as well as high value zero-day hacks.  Even commercial solutions such as Teams are targeted in a similar manner.

Mass adoption apps increase risk of compromise for sensitive communications

These two examples are a clear demonstration of why mass adoption and consumer apps (such as WhatsApp and Signal) are simply not suitable for business use.  People are familiar with using them in their personal lives and are therefore much more likely to be tricked/scammed because they will not be on their guard in quite the same way – familiarity breeds contempt.

Mass adoption apps are difficult (if not impossible) for IT departments to manage as they are usually controlled by organisations that are more concerned with building a user base as large as possible, rather than protecting individuals’ security. Their use is so widespread that they make an obvious target for malicious actors looking to disrupt and/or steal valuable information.  There may also be questionable use of the app data by its creator.

Armour Secure Communications Platform – built for purpose

By keeping work conversations/communications within built-for-purpose business applications, such as Armour Mobile, sensitive communications, documents, files and contact lists, etc, remain controlled and protected within the Armour platform. Data sovereignty is maintained and information can’t be exported or shared outside of strictly controlled groups of Armour users.

The central management of the complete Armour Mobile user lifecycle provides robust security such that only authorised users can access the system, and their access and data can be instantly revoked when they leave, or if their device is lost or stolen. This is one of the biggest differentiators between a free-to-use consumer app and an enterprise level product such as Armour Mobile. Using a Secure by Design (and Secure by Default) communications and collaboration platform such as Armour fosters and enforces good security practices and supports user and organisational data privacy.

For more information about what you should be looking for in a Secure Communications Platform read our Buyer’s Guide: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/