Author: armour

As we’ve commented before , the use of consumer grade messaging apps has spread its insidious tentacles throughout the working environment and it’s easy to see why. Effective communication is essential to getting the job done. With instant messaging, teams can communicate quickly and in real-time, without the delay of waiting for an email response. Geographically dispersed teams can communicate efficiently and remain engaged, improving effectiveness and productivity.

However, is a consumer grade app such as WhatsApp suitable for business communications?

GDPR compliance and liability

WhatsApp was primarily designed for personal use; a fact they make abundantly clear in their terms of service :

Legal And Acceptable Use. You must access and use our Services only for legal, authorized, and acceptable purposes. You will not use (or assist others in using) our Services in ways that: (a) […] (f) involve any non-personal use of our Services unless otherwise authorized by us.

After downloading WhatsApp users are presented with a popup that asks “WhatsApp Would Like to Access Your Contacts”. It goes on to explain, “Upload your contacts onto WhatsApp’s servers to help you quickly get in touch with your friends and help us provide a better experience”.

Agreeing to this means that all phone contacts are now accessible in WhatsApp, irrespective of whether they are business or personal contacts. The problem with this is your contacts haven’t given consent for a third party to process their data. This could be a breach of GDPR  but who is liable?

The tricky business of data consent

Before using WhatsApp, all clients must “Agree & Continue” to accept the Terms of Service. Only once consent is given can users access the service. However, WhatsApp has been explicit in its terms that the app is only for your personal use and has sought the consent of the user for accessing contacts… so, when it comes to GDPR it’s not WhatsApp that needs to be concerned about data consent, it’s the user!

In most instances, it appears that individuals choosing to use WhatsApp for any business communications are in contravention of the terms of service. This limits WhatsApp’s liability in terms of GDPR as they have abdicated all responsibility to the user for seeking the consent of their contacts.

Be safe, or risk being sorry

Since the introduction of GDPR, organisations have taken great strides in understanding their responsibility towards safeguarding data. However, too often the security of mobile communications is overlooked when auditing such risks. It’s easy to do, just ask the owner of Amazon, Jeff Bezos, who was recently allegedly hacked via WhatsApp. Compromising the security of the wealthiest man in the world is no small undertaking.

What this episode, and the many others before it, highlight are that consumer grade apps are not designed for business use. WhatsApp doesn’t hide this fact, it’s written in the Terms of Service, but when did a user ever read those before clicking the ‘Accept’ button?

It’s time for organisations to stop side tracking the issue and provide their employees with the right tools to get the job done. The benefit is not only greater efficiency and productivity within your workforce but secure communications that don’t expose your business to cyber threats. A thought that has probably crossed Jeff Bezos’ mind quite a lot recently.

Armour’s solutions for secure communications work on everyday smartphones, tablets and Windows 10 desktops. With the same usability as consumer-grade apps, but with significantly enhanced security it could be the answer to your security needs.

Read how others have benefited:

Links to Sparten Case study and QuoStar Case study.

Contact us today to discuss a solution.

It’s always a pleasure to see a blog written by Dr Ian Levy (NCSC Technical Director) given the approachable, down-to-earth manner in which he discusses key topics of national security. His latest post covers the DCMS supply chain review for the UK’s future (5G) telecoms networks.

Depending on your preferred flavour of paranoia / news source, it may seem like this decision throws away our last bastions of privacy in the UK and condemns us to a future of (Chinese) state surveillance and espionage. However, one might want to consider this in a broader context, for example: the ongoing “bitter trade battle” between the US and China; growing recognition of the issues around China’s domination of computer manufacturing (so can you trust what’s been baked into the chips inside your laptop?); and balanced against the majority of western youth who think putting embarrassing pictures on Instagram is a good idea (quickly dispelled when they learn that recruiting managers know how to search one’s social media timeline…)

Levy has already addressed the underlying principles for assessing the security of the UK’s future networks but in his latest blog he highlights key points, such as which parts of a 5G system are most critical to protect, the different types of risk (with an example of an “attack tree”), how to address particular attack vectors, and the difficulty of managing risk in such a complicated environment, while reminding us all that a $5 wrench can be an effective password hacking tool.

Huawei is an easy target for criticism due to the belief that the Chinese state can influence the company to hide espionage or denial-of-service features within its products, as well as subverting the marketplace through heavily subsidised pricing. However, remember that other manufacturers could introduce risks through poor security ‘hygiene’ (whether this be at a protocol level, such as SS7, or in something as simple – but lethal – as hardcoding ‘backdoor’ admin passwords into switches.

If you’d like some further views on 5G security and its potential impacts, Brookings are informative and highlight just how many aspects of our future, digitally-connected life might be affected if 5G was attacked or simply failed, ranging from our internet-connected fridges failing to automatically re-stock our milk, to our entire 5G-connected autonomous vehicle transport system coming to a crashing halt (with correspondingly huge numbers of human casualties)…

At Armour, the concept of securing one’s communications is key to our business and to our beliefs, whether that be protecting one’s personal privacy or securing government secrets. Using end-to-end encryption and authentication helps to overcome some of the potential hazards of untrusted (or to use the buzzword “zero-trust”) networks. Many of the possible risks being raised around 5G are present right now, whether you’re a CEO using your mobile to discuss sensitive trade deals while roaming on a foreign country’s phone network… or an NHS patient worrying about which of your personal data just got Whatsapp’d between the nurses treating you in a UK hospital…

For more information contact us here.

“Armour Mobile enables teams at Sparten working on complex, multi-jurisdictional projects to communicate effectively and securely. Armour helps us to provide the infrastructure we need so that our people can operate at their best, and therefore provide an excellent service to our customers.”

Harry Abdy-Collins, Partner and Investigations Lead at Sparten Group.

Founded on the stoic principles of Wisdom, Honour, Integrity, Practical Intelligence and Excellence, Sparten provides discrete intelligence-led, unconflicted advice to high net worth families, corporates and their advisors.  In keeping with its own guiding principles, Sparten aims to provide the infrastructure to its employees and third party firms to ensure that they can operate to the very best levels.  To do this, Sparten uses a number of tools for secure communications, however, for secure, encrypted conference calls there was only one solution that provides the ease of use, coupled with the range of features and security options required; Armour Mobile.

Business Drivers

Sparten works with a wide range of advisors and third party firms across diverse geographies and jurisdictions on complex projects.  Teams from many partner organisations may be working on multiple different projects with Sparten and secure communications is an important process discipline and enabler.

As Partner and Investigations Head at Sparten Harry Abdy-Collins explains; “Operating in a safe environment that we can control is essential for Sparten and our clients. Regardless of threat or situation, Armour provides us with confidence and communications continuity.”

The Solution

Sparten has deployed Armour Mobile on iOS, Android and Windows Desktop for employees, its professional advisors and their clients. The new secure QR provisioning option makes setting up a new user extremely quick and easy and the Windows Desktop version enables project administrators to set up and manage calls within groups.

Enhanced security features

Armour Mobile has a number of features that are particularly valuable to Sparten. These include:

Secure Conference Calls

While there are other products on the market that can provide secure one-to-one communications, Armour Mobile provides a secure platform for conference calls for both voice and video.  Uniquely, the Armour app isolates the microphone, ensuring that no other app on the phone can listen in or eavesdrop. Even if the phone has been bugged, communications via Armour remain protected and private.

White Listing and Groups

Armour Mobile allows white lists and groups, and sharing of contact details, in a controlled way across communities. This means that Sparten is able to set up groups for each project, ensuring that are no slip-ups when sharing confidential information.  This is particularly quick and easy for administrators to do using Armour Desktop

MessageBurn or Audit Trail

Armour provides various options for storing or deleting old messages.  Some operatives at Sparten prefer to burn messages once they have been read or after a certain time. Others from a legal background often prefer to keep a record of who sent what to whom and when, so that they have an audit trail.  With Armour Mobile, Sparten is able to offer both options to users.

In Summary

Harry Abdy-Collins commented; “Armour Comms is very aware of the needs of its users, and the product continues to develop and evolve.  There are new features within the product that we find extremely useful. The support is also excellent, we are able to speak to technical people who are able to make things happen fast when we need them to.

“In short, Armour Mobile provides the comfort of seriously secure communications, with the flexibility of consumer grade products, that enables our staff, associates and clients to have confidence in our communications and deliver the very best outcomes possible for the client.”

Just when you thought the cost of overseas calls was decreasing…..

As if battling cybercrime wasn’t hard enough, criminals have now weaponised artificial intelligence in the form of deepfake audio. In a recent example, the Chief Executive Officer (CEO) of a UK subsidiary energy company was tricked into wiring €200,000 to a Hungarian supplier on the instructions of who the CEO believed to be the Chief Exec of the German parent company. In reality, the conversation took place with an artificial intelligence (AI) equipped criminal gang using deepfake software to mimic the German Chief Exec. The software was able to perfectly impersonate the voice, including tone, punctuation and German accent, completely fooling the CEO. The call was accompanied by an email, supposedly from the Chief Exec, reiterating the payment instructions. As everything appeared in order, the funds were transferred to Hungary, however, were soon moved on to Mexico and various other locations, with law enforcement still looking for suspects.

Who do you think you’re talking to?

Although this incident reads like the plot line of a Mission Impossible film, it is unfortunately not an isolated case. Since the fraudulent incident in March this year, other deepfake voice frauds cases have come to light. This social engineering attack could be a sign of things to come. Although we have seen deepfakes imitate celebrities and public figures in video format, it’s an endeavour that still takes several hours of footage to achieve. Being able to fake voices convincingly takes fewer recordings to produce and with greater computing power will become easier to create. It begs the question can voice recognition be relied on as an accurate form of identity verification?

Do you know who I am?

In the future, deepfake audio fraud is likely to be highly exploited in criminal activity. As the technology continues to evolve, it will become increasingly more difficult to distinguish real audio from fake. If you want to ensure authentication of identity you need to use a seriously secure mobile comms service.

Armour Mobile uses MIKEY-SAKKE identity-based encryption protocol to secure multimedia services. It provides secure voice and video calls, voice and video conference calls, one-to-one and group messaging and file attachments. The solution ensures that the parties exchanging calls and data are the parties they claim to be!  Most importantly Armour Mobile protects not only the content of communications, but also the associated meta-data. This means no-one even knows you are having a conversation, let alone what that conversation is about.

Imitation – not always the sincerest form of flattery

Deepfakes might have arrived but there are tools to identify the real from the fake. Armour mobile helps prevent fraudulent activity by enabling secure collaboration between trusted colleagues. Communications are conducted within a closed user group and only those added to the system can call and message others. So, when discussing commercially sensitive information such as corporate intellectual property, financial transactions, and customer details, you will know exactly who you are speaking with.

With deepfake ransomware among experts’ list of cyber fears for 2020, it’s time to armour up.

Contact us today for more details.

Someone recently asked me how to add favourites in Armour Mobile.  It reminded me that actually, not everyone does use consumer apps, so to ensure that anyone and everyone really can get to grips with Armour Mobile, we’ve developed a library of video clip tutorials to help our users get the most out of the product. The videos guide users through the various tasks and features in the latest version of Armour Mobile for both iOS and Android platforms. 

Each clip runs for between 30 seconds and a minute, so it doesn’t take long to get your users trained up.   Topics include:

• Message Burn
• Conference Calls
• Group Messaging
• File and Photo Attachments
• Settings and Biometrics
• Activation via Deep Link
• Activation with QR with Password
• Activation with QR without Password
• Importing Contacts and Final Setup
• Ringtones
• Adding Favourite Contacts
•  

Contact your account manager today to get links to the videos for iOS and/or Android and see for yourself how easy to use Armour Mobile can be.