Posted on

Armour Mobile now available on Nine23’s secure enterprise platform

Nine23

Partnership with Nine23 provides users with easy to use, secure transparent communications and messaging while protecting enterprise data

London, 26 February 2019: Armour Communications, a leading provider of specialist, secure communications solutions, has announced that its solutions, Armour Mobile and Armour Desktop are now available on Nine23’s certified enterprise management platform, FLEX.  Armour Comms’ solutions will be offered via Nine23’s FLEX platform, which is accredited to handle information up to OFFICIAL-SENSITIVE, enabling enterprise users to securely use mobile, tablet, and laptop devices from any operating system including iOS, Android and Windows10.

Stuart McKean CEO of Nine23 said; “At Nine23 we work with Enterprise clients that operate in highly regulated environments and regard secure communications as necessary for everyday operations. They often have significant members of staff who need to be able to rely on a robust, secure environment to meet the needs of today’s modern mobile or remote working.

“Our proposition is to make it easy for users to access the technology that they need to do a day’s work. If it isn’t easy then they will go elsewhere, creating a potential security vulnerability. Armour Comms’ solutions offer the strength of security that our clients demand, while still being designed with the end user in mind. Platform FLEX is already accredited to connect to the PSN as a gateway provider and Armour’s technology adds value to our platform offering.” 

With its focus on interoperability Armour Mobile was the first secure communications app to connect to Skype for Business. Nine23’s FLEX platform also meets the entire management and audit requirements for Unified endpoint Management (UEM), App Store, Content Management and secure endpoint hosting.

David Holman, Director at Armour Comms commented; “Nine23 is an established provider of a secure cloud environment that enables enterprise mobility to a high security standard. Armour Comm’s partnership with Nine23 is an ideal way for enterprise end users, inside and external to an organisation, to communicate transparently within a secure and private, hosted environment. Our solutions are intuitive and easy to use and together with Nine23’s enterprise cloud platform provide a secure, robust platform for ultimate control of communications and associated meta data.”

Posted on

A third of organisations use consumer-grade apps for business communications

Survey Results

Armour Comms Survey highlights alarming lack of awareness around mobile security

London, 29 January 2019: Armour Communications, a leading provider of specialist, secure communications solutions, has published the results from its Mobile Communications Survey. The findings revealed that a third (32%) of organisations use consumer grade apps such as WhatsApp, SMS and Skype for business communications.  Over two thirds (68%) use these apps regularly every day and over a third (36%) use the apps to discuss sensitive and confidential topics.

The Survey also asked respondents to select from a list of different well known technologies, hacks and viruses which could be used to target mobile phones – nearly half (44%) answered incorrectly.

David Holman, Director at Armour Comms commented; “We see stories in the press on a regular basis about data leakage, sensitive customer data that is hacked by criminals, and yet, for most organisations managing how their staff are using their mobile phones remains a challenge. Consumer-grade apps, where the user has little control of what happens to their data, are often downloaded and used within organisations for sharing sensitive information, almost by stealth, because the IT/security department has no visibility of the apps being used.”

While viruses and malware on mobile phones are rare, tools for eavesdropping, such as IMSI catchers are increasingly within the reach of criminals that want to spy on others. Accordingly to the latest research by Ponemon, organisations have a nearly 28% chance of having a data breach in the next two years. In another report, social engineering is involved in over 90% of data breaches, where people are tricked into doing something, like clicking a link or providing data, to someone impersonating someone else.

Another pitfall for the unwary mobile user is WiFi which is often not as secure as people assume. All of these type of attacks are particularly easy to do with mobile phones where standard network encryption can be poor to non-existent, due to outdated infrastructure that is in parts well over 40 years old and probably no longer fit for purpose. This makes interception of mobile calls and messages much easier than it should be, and the user would be totally unaware until it was too late.

“In our experience end-users don’t deliberately put data at risk, they simply want to get on with their work, and extra security can cause an issue. The results from this survey highlight the fact that many organisations are unaware of the pitfalls of using consumer grade-apps for handling sensitive corporate information, whether that is intellectual property and trade secrets, customer information, or details of commercial transactions.”

Posted on

EU diplomatic message data hacked

EU Flag

We read in the New York Times just this week that thousands of the EU’s diplomatic messages have been intercepted over the course of a concerted three year attack.  https://www.nytimes.com/2018/12/18/us/politics/european-diplomats-cables-hacked.html According to Computing the hackers accessed the European network known as COREU or CORTESY.

COREU is a comms network of the European Union for the communication of the Council of the European Union.  It is the European equivalent of the American Secret Internet Protocol Router Network (SIPRNet, also known as Intelink-S).

The original system was set up in the early 70s and was telex based.  It was replaced in the 90s by CORTESY (COREU Terminal Equipment System), so despite using encryption for messages it is still very old technology.

One crumb of comfort is that information marked as CONFIDENTIAL or SECRET was not affected.

However, this does highlight that even what on the face of it may be mundane, day to day communications are of interest and therefore of value to someone – in this case, the suspected perpetrators are the Chinese military.

Protect your Intellectual Property

While your organisation may not be of interest to the Chinese military, there will be someone out there who probably would like to know a bit more about your business.  Competitors that want to target your customers, or access trade secrets (product information, formulae, recipes, etc.), or hackers and criminals looking to steal your identity or the contents of your bank account!

My point is that your information doesn’t need to be what you would naturally think of as confidential or secret.  Everyday messages about clients, products, product recalls, meetings, office gossip can all be valuable for profiling and piecing together information about who you are dealing with, the nature of those dealings, and information about individuals that could be used for commercial leverage or identity theft.

Mobile devices – the new End Point

With our almost universal reliance on computers, industrial espionage has become a lot more about hacking skills.  Hugely valuable information is accessed by workers from their mobiles and with GDPR many organisations are beginning to understand that the new end-point is mobile phones and the consumer grade apps that staff use to communicate.

As we’ve said on numerous occasions, don’t be lulled into a false sense of security by the word ‘encryption’.  Encryption is never the weakest point that hackers will target.  It is usually a weakness in the system; in the case of the EU it was old technology.  Even if you are using relatively new technology in the form of messaging apps, you still need to consider the security of your whole mobile comms system, including where data is held (i.e. is your service provided by a multi-national social media company that needs to monetize its members’ data to make revenue?), exactly who might have access to it, and any weak points within the system.

Here are a few of our recent blogs that explain the pitfalls in more detail:

The dangers of relying on SMS based two factor authentication:

https://www.armourcomms.com/2018/08/16/avoid-sms-based-two-factor-authentication/?cat-slug=10

Chat apps that have spread through corporate networks by stealth are the most hacked type of app, and the most widely banned:

https://www.armourcomms.com/2018/07/31/free-apps-you-might-get-more-than-you-bargained-for/?cat-slug=10

Avoiding shady Wi-Fi hotspots:

https://www.armourcomms.com/2018/07/05/world-cup-fever-or-holiday-wi-fi-nightmare/?cat-slug=10

Staff mobile phones are also covered by GDPR, here’s what you need to do:

https://www.armourcomms.com/2018/05/24/gdpr-is-here-dont-forget-your-mobile-comms-need-securing-too/ 

If you fear that your mobile comms could be vulnerable to eavesdroppers, competitors or criminals, contact us today to discuss a solution.

Posted on

Rogue Users – What would you do?

Security Mobile

Trump and his foreign nation state eavesdroppers

According to a recent article in the New York Times, conversations on the President’s mobile phones are being listened to by the Russians and Chinese.  As we’ve reported on many occasions, listening in to standard mobile phone conversations is fairly straightforward with IMSI-catcher from just $20, and especially with the resources of a nation state.  The article goes on to explain that the Chinese are monitoring who the President talks to and who influences him.  They are learning what arguments tend to win him over and using that intel to avoid a trade war, so the story goes.

How interesting are your users?

All this begs the question, if the Secret Service, CIA and FBI can’t control one rogue user, how can any organisation be sure that their employees toe the line when it comes to security? As ever, Bruce Schneier articulates the problems of security of mobile devices in his blog very well, and makes the point that it’s not just the President and other heads of state that are at risk.  Anyone who is potentially interesting to criminals or commercial competitors could find themselves subject to eavesdroppers, whether a CEO of a quoted company, any number of sales people, company executives, product developers with trade secrets and intellectual property to protect, or government officials involved in a trade negotiation – I imagine all those involved in the current Brexit dealings are under a huge amount of scrutiny!

Good advice – but does anyone listen?

The UK’s National Cyber Security Centre (NCSC) has a plethora of advice and user guidelines.  All of it is written in easy to understand language, specifically for organisations to re-use with their own employees. Its advice for end users is a case in point.

While all of this seems fairly basic stuff, if you live and breathe cyber security as we do, the following are still good ways to avoid the majority of cyber threats:

  • Use strong passwords and don’t reuse them between different accounts
  • Be careful which apps you download
  • Only use secure/known WiFi connections
  • Don’t leave your device lying around
  • Don’t open phishing emails
  • Don’t visit dodgy websites
  • Be extra careful about what networks you use when abroad
  • Only use secure methods of communication when dealing with sensitive information

 

Making security invisible

The inconvenience of not being able to make a call, send a message or text exactly when you want to is just too much for many workers who are under pressure to perform in today’s always on culture.

Security has to be designed into the apps that we use daily and has to be almost invisible to the end user.  And if you are asking them to use a different app or process to the consumer-grade equivalent, it had better offer at least as good a user experience.

Contact us now for more information about how Armour Mobile can provide a highly useable and secure alternative to consumer-grade communication apps.

Posted on

Armour Comms shows latest version of Armour Mobile at International Security Expo 2018

International Security Expo

Olympia, 28 – 29 November 2018, Stand H10

CTO of Armour Comms addresses the key challenges and how to mitigate risks in the event of a cyberattack in Surveillance, Comms and Data tech workshop

London, 22 November 2018: Armour Communications, a leading provider of specialist, secure communications solutions, has announced that it will be showcasing its latest version of Armour Mobile in the Cyber Intelligence Zone at this year’s International Security Expo on 28-29th November, at Olympia, stand H10. The Zone, which features the TechUK Pavilion, provides a platform for suppliers to demonstrate both physical & IT integration, including connected security devices and IOT, to counter the increasing threat of cyber-attacks. Armour Comms will be demonstrating its technology for secure communications solutions for voice, video, messaging and data on everyday smartphones, tablets and Windows 10 desktops. The latest version of Armour Mobile includes Mission Critical Push to Talk (MCPTT) – functionality that meets the requirements of public safety mission critical voice communication – and Message Burn, which limits the lifespan of confidential data with immediate or timed deletion.

On the second day of the event, Andy Lilly, CTO at Armour Comms, will be presenting in the Surveillance, Comms and Data technology workshop (Theatre 4, 14:55 – 15:10). His talk entitled; “Who you gonna call?” will cover the key challenges of secure communication, he will explain how ‘encrypted’ doesn’t necessarily mean ‘secure’ and the importance of where metadata is stored.

“This event is a great opportunity to meet with IT and security leaders to discuss ways companies can mitigate the risks in the event of cyber attacks. It’s important for organisations to include in their recovery plan how they will communicate to restore operations and mitigate future risks without using the compromised platform.

“By protecting the communications of the IT and digital forensics team and using a secure communications platform, such as Armour Mobile, companies can block a useful source of information from being intercepted or modified by the hackers, helping faster recovery and minimising the risk and damage of a security breach,” said Lilly.

Attendees on Armour’s stand will also be able to participate in their latest industry survey (https://www.surveymonkey.co.uk/r/ArmourCommsAutumnSurvey), designed to capture information on the apps and services that organisations are using for secure communications. All responses submitted will have the opportunity to win a DJI Smart camera drone.

Armour recently successfully participated in a week of plugtesting for (MCPTT) protocols organised by the European Telecommunications Standards Institute (ETSI) and The Critical Communications Association (TCCA) in Texas. The protocols are fully integrated into the Armour Blue solution and supports different use cases including emergency and blue light, police and law enforcement, covert ops and others. Message Burn limits the lifespan of sensitive data at rest, where users can set a time at which their messages are automatically deleted (or as the name implies, ‘burn’) on the recipient’s device, for immediate action after being read, or in the future, according to confidentiality.

Posted on

Armour Comms and Global RadioData Communications partner to provide 24/7 support for Armour Mobile solution

Global Radiodata Communications Logo data marketplace g-cloud

Now available via the Government UK Digital marketplace G-Cloud

London, 13th November 2018: Armour Communications, a leading provider of specialist, secure communications solutions, has partnered with Global RadioData Communications (GRC) to provide a joint solution with 24/7 support. GRC has already secured its first two customers for the new combined solution that provides additional levels of security. The new service is available via the UK Government Digital Marketplace G-Cloud 10, under the cloud hosting, software and support framework listed as SCYTALE Armour Comms.

Subscribers to the GRC solution will be able to communicate with other white listed communities, typically, enabling different government departments to communicate securely using Armour Mobile. The service covers all Armour Mobile standard functionality, which includes voice calls, one-to-one and group messaging, voice and video conference calls, file attachments, sent/received/read message status, and Message Burn, a facility where the sender can set a message to disappear after a certain time (for example 5 minutes after it has been sent, or 10 minutes after it has been read by the recipient).

Steve Slater, Operations Director at GRC commented; “Armour Mobile provides the broadest range of secure communications features currently available for use on an ordinary smartphone, providing security that is transparent to the end user, something that is increasingly important to our user base.  Services that provide a consumer-grade look and feel with higher levels of assurance combined with the convenience of using the phone the user already has, means that making and receiving a secure call or communication does not disrupt normal working patterns, helping to ensure user adoption.”

David Holman, a Director at Armour Comms stated; “GRC is our first partner to provide a 24/7 support service from its HQ. Increasingly, clients are demanding higher levels of assurance and support, and we are delighted to be working with GRC to meet this requirement.

Using a FIPS 140-2 validated crypto core, Armour Mobile has been awarded many certifications including Commercial Product Assurance (CPA) from the National Cyber Security Centre (NCSC) and is included in the NATO Information Assurance catalogue.

Posted on

Cyber Incursion – Defence against the Dark Arts

A lesson from the world’s most famous hacker!

Kevin Mitnick is the keynote speaker at Cyber Incursion, on 22 November, 12.30 to 19.30 at The Honourable Artillery Company (HAC), an event that will see our own Andy Lilly on the panel for the debate about the dangers of Social Engineering and the Insider Threat.

Learning to think like a hacker is a good strategy for improving your cyber security and many of the best security experts who now wear white hats started out as script kiddies.

As the cyber security threat landscape evolves, we are finding that it is not just government and military type organisations that are under siege. Increasingly we are working with private sector companies that are keen to protect their trade secrets and keep intellectual property secure.

Your intellectual property is highly valuable

Cyber Incursion is aimed at companies that are beginning to understand just how valuable their intellectual property and sensitive customer information is.  Whether it is a takeover or merger that could have implications on stock valuations should the news leak too soon, contract negotiations that you wouldn’t want your competitors to see or even know about, or you need to protect customer information to comply with GDPR, most organisations have some IP that they wouldn’t want to lose or see fall into the wrong hands.

You are the weakest link – the dangers of social engineering

These days, hackers are very clever, or should I say, even cleverer.  They will always go for the weakest link, which is us humans, and their approach will often involve some element of social engineering.  When people are out of the office, working via their mobile devices, they are away from their typical work environment; this may lead them to let their guard down, and this is often a good time to strike.  We’ve all been there – a quick call to a colleague to get a vital piece of information to finish off the contract or document we are working on, or to finalise the date and time for a sensitive meeting. The information exchanged could be very valuable to someone else, but it’s only a quick call – what can go wrong?  Well, plenty!

Don’t get caught out

Your call could be intercepted by an IMSI catcher, also known as a fake base station. Even entry level criminals or script kiddies can access this technology, that enables them to harvest your call and location metadata (who you spoke to or messaged, how long for, etc.), for just a few hundred pounds. Depending on the hack, the details of your conversation could be accessed by the attacker.  Alternatively, while the contents of your call might be encrypted, your metadata may not be protected, and sometimes knowing who you are communicating with, for example during a merger or acquisition, can be every bit as helpful to your competitors, or in the case of celebrities, paparazzi or tabloid journalists.

Cyber Incursion

As well as an opportunity to hear from the world’s most famous hacker, Kevin Mitnick (who was once on the FBI’s Most Wanted list because he hacked into 40 major corporations just for the challenge), Cyber Incursion has a packed agenda covering such topics as:

  • AI
  • Threat Intelligence
  • Internet of Things
  • Big Data and Forensics
  • Social Engineering and the Insider Threat
  • And how they can all have a very real impact on commercial business today!

 

Register today – there are limited spaces: https://www.cyberincursion.com/ 

Posted on

The future for mission critical communications

PTT LTE

Currently, mission critical push to talk services in the UK are run over a network called Airwave, which is based on Terrestrial Trunked Radio (TETRA) technology. Although effective for voice communication, the infrastructure required has become increasingly expensive to maintain and the needs of service users are beginning to surpass the capabilities of the technology.

Mission critical services in the digital age

Until now, mission critical users have largely relied on voice services alone, however this is no longer adequate for incident command, control and communications. The existing narrowband voice and data network cannot provide the data services such as video and internet access, which have higher bandwidth requirement. 4G LTE is a technology that delivers the point to point high bandwidth data services required for future needs.

The main benefits of migrating to 4G LTE for mission critical push to talk services is the amazing speed and functionality that it can deliver. Increased bandwidth leads to much faster data transfer speed which is especially advantageous in emergency situations where real-time data will allow officers and control room operators to enhance their assessments of incidents. Additionally, by migrating onto a modern platform, users will no longer have the costs of maintaining legacy infrastructure.

Emergency Services Network

The UK Government has been leading the change to LTE with the development of a new Emergency Services Network (ESN), which will use an existing commercial 4G network that is being expanded to ensure a 99% coverage rate for the UK. This will allow emergency services to access real-time information, send images and stream high resolution video. This level of visibility was not previously possible with the voice only descriptions that were available over the TETRA network.

The increase in digital information collection presents both an opportunity and a challenge for emergency services. Body worn camera footage, dash board cameras and real-time access to systems or CCTV images are valuable but rely on access to a reliable, high availability network. By embracing LTE as the global standard of critical communications, governments can provide an important foundation for new capabilities that increase response times, improve situational awareness and accelerate incident closure rates.

A unified global standard

The 2nd ETSI MCPTT Plugtest held in the spring of 2018 was a defining moment for LTE-based mission critical push-to-talk (MCPTT) technology. The capabilities of Mission Critical voice, video and data were put to the test with a 92 per cent interoperability success rate achieved.

The goal to provide one global standard for Mission Critical services offers huge opportunity for positive change. Governments around the globe have the chance to truly elevate their emergency service communications to world leading standards utilising leading edge technology that is fit for purpose.

Posted on

More reasons to avoid SMS based two factor authentication

2 step authentication

Two factor authentication (2FA), a combination of two of something you know (a PIN), something you have (a token) and/or something you are (biometrics), has long been held up as best practice for login security.  And in fairness, more and more devices (Apple for example) and some websites, are making it mandatory. However, as was highlighted recently by the Reddit security breach, it may not be quite as fool proof as people might have hoped.  Read the details here:

https://www.theregister.co.uk/2018/08/01/reddit_hacked_sms_2fa/

https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/

The incident in question shows that employee accounts were hacked despite using SMS-based 2FA.

Although the exact nature of the hack has not been disclosed, the ability to intercept SMS messages via vulnerabilities in SS7 has been around for years but other mechanisms include getting control of someone’s phone account via SIM-swapping and is a topic that we have written about at length.

Using SMS as the second factor in 2FA is, strictly speaking, not a second factor at all because it is using the same delivery method as the first factor, i.e. in addition to typing your password into a login page, you also type the SMS code into the same web page.  It should really be called Two Step Authentication, and unfortunately can still be subverted by phishing, man-in-the-middle and credential replay attacks.

Using a third party security app like Armour Mobile protects against this type of attack, as not only is the message data encrypted but also the meta data and therefore, it is far harder for criminals to compromise the integrity of a mobile account to intercept messages.  So if you have employees that handle potentially sensitive information, whether that is customer information, or company intellectual property, or commercial secrets, and that could be all of your staff, you need to think about how well their mobile devices are really secured.

Could be time to take a look at Armour Mobile!

Contact us today – sales@armourcomms.com