Free Apps – you might get more than you bargained for!

The old adage ‘You get what you pay for’ has never been more true than when it comes to cyber security and messaging apps. We are reminded once again by the latest Appthority Pulse Report that chat apps are amongst the most popular, and yet the most risky and most blacklisted, apps in the enterprise.

The report, which was published a week or so ago, looks at the most common iOS and Android apps in use within enterprises, and the apps most commonly blacklisted by enterprises.

The report states that WhatsApp Messenger and Facebook Messenger are the top two most risky apps found in the enterprise for both iOS and Android devices.

Risky Apps Proliferate by Stealth

The issue for many enterprises is that these apps can appear by stealth. It all starts off innocently enough: people use these free social media messaging apps for organising their personal lives. Then the apps slip into use with people from work, and the temptation is to use the same apps for business as you do in other aspects of your life because it is so easy. Before you know it, meetings are being arranged and sensitive data is being shared on an app owned by a multi-national social media company that could very well be sharing (or selling) your metadata for profit.

And as a quick reminder as to why these apps are so risky to the enterprise…

Susceptible to the SS7 hack

While WhatsApp uses the respected Signal protocol for its encryption, it is susceptible (like similar applications) to attacks that use flaws in SS7 to allow an attacker to mimic a victim’s device. WhatsApp depends on the integrity of your mobile phone number to identify you, but this can be faked at the SS7 level because of vulnerabilities in that system (many of which have been known about for years – giving the criminals plenty of time to hone their skills!). Hackers can take on a victim’s WhatsApp identity and send and receive messages to other users. Of course, a hacker with access to the SS7 system can also transparently control normal voice and SMS services to and from a mobile, intercepting calls, reading SMS messages, and tracking the phone’s location.

Makes you think again about how you arrange meetings with an important client, maybe for contract negotiations. Some of our clients have been victims of industrial espionage and lost contracts worth hundreds and thousands (and more!), and now only use secure methods, such as Armour Mobile, for communicating sensitive client information.

Insecure Authentication

Apart from eavesdroppers listening in to your potentially sensitive conversations, where they may gain commercially valuable information, one of the biggest dangers is the interception of two-step verification codes. This vulnerability is equally true for any app that uses this form of authentication including Telegram, Viber and many other apps.

For those that are likely to be targeted due to the work that they do (government, military/defence, handling commercially sensitive information like intellectual property, company secrets, financial transactions, sales deals, etc.), this is a relatively easy hack, and one that you wouldn’t know about until it was too late.

GDPR – So what?

We might have GDPR, but that only covers Europe, and there are plenty out there that want your data for nefarious reasons, and won’t be worried about legislation. Even when a service claims that it has no access to your encrypted data, it still has access to ‘metadata’, such as the date and time of calls and messages, the mobile phone numbers of the recipients or senders of each call or message, and (depending on the application), other information such as your location, native contact lists and the like – all of which a security-minded user might prefer not to have collected by a large social media company.

You get what you pay for

With any free app you don’t really know who has access to your information.  And you certainly don’t know who will have access to it in the future as organisations are acquired and personal data becomes a lucrative asset to be traded.

If you would prefer that your sensitive corporate conversations remain private you should take positive steps to ensure that they stay that way. That means using security applications that you control, so that you know exactly where your data is being held and who has access to it.

AND you need to educate your staff so that they are not using insecure apps ‘under the radar’.

Take the plunge and ban risky consumer apps

The Appthority report states that the top blacklisted apps within enterprise are WhatsApp Messenger and Facebook Messenger, followed closely by Wickr Me and Tinder!  Only last month the FT reported that car industry supplier Continental had banned WhatsApp and other social media apps due to concerns about privacy.  So don’t be shy, you won’t be alone in banning these apps in your organisation.  Your sales guys may even thank you for it, particularly if you are able to provide them with something equally engaging and easy to use – such as Armour Mobile!

Contact us today and try it out for yourself.

Armour Comms mission critical solution tests successfully at ETSI Plugtest

Secure mobile communication solution, Armour Blue, successfully demonstrated interoperability at Global Plugtest for mission critical services (MCX)

London, 18 July 2018: Armour Communications, a leading provider of specialist, secure communications solutions, has successfully participated in a week of plugtesting organised by the European Telecommunications Standards Institute (ETSI) and The Critical Communications Association (TCCA) in Texas. The capabilities of Mission Critical voice, video and data were put to the test during a week-long event of intensive testing of more than 300 combinations of vendors and equipment.

The second ETSI MCPTT Plugtests attracted a total of 31 vendors with 120 participants on site, plus support from remote labs. Observers from nine organizations based in the UK, France and the USA witnessed the execution of more than 2000 tests, based on a test plan with more than 100 test cases, with a 92 per cent success rate.

Armour Comms participated in testing for the 3GPP Release 14 Mission-Critical Push-To-Talk (MCPTT) protocols, which are fully integrated into the Armour Blue solution and support different use cases including emergency and blue light, police and law enforcement, covert ops, and others.

“Interoperability is a crucial factor in the success of developing mission critical services and products,” commented David Holman, director at Armour Communications. “At Armour Comms our objective is to provide the most flexible secure communications platform and we are fully committed to working with the critical communications community to achieve a single, interoperable, global standard for our customers.”

Providing the same great user experience as Armour Mobile, Armour Blue enables operatives in the field to collaborate securely with each other and to communicate with colleagues back at base via the Armour Blue Dashboard. Calls can be managed centrally to determine priority, enabling a more streamlined approach when handling emergency situations.

The solution delivers a comprehensive range of communications features which include secure voice and video calls, one-to-one and group messaging, voice and video conference calls, file attachments and sent/received/read message status.  When switched to Armour Blue mode, users have a direct channel, always-on audio radio, where they do not need to dial a number to speak to others in the group.

Armour Blue is available for commercial off the shelf (COTS) devices which means there is no requirement for a ‘special’ phone, making deployment easier and more cost effective, and providing a greater level of anonymity for those in the field.  Using a FIPS 140-2 validated crypto core, Armour Mobile has been awarded many other certifications including Commercial Product Assurance (CPA) from the National Cyber Security Centre (NCSC) and is included in the NATO Information Assurance catalogue.

Interested in Armour Blue? Contact our sales team today: sales@armourcomms.com

World Cup Fever or Holiday Wi-Fi Nightmare?

With the Football World Cup and summer holidays upon us, it’s a good time to reflect on security measures when travelling abroad, whether for business or pleasure. After all, it’s not just diplomats, journalists and defence contractors that visit potentially unfriendly regimes! El Reg reported recently on some research about shady hotspots and wi-fi in host cities of the World Cup that could catch out the unwary. https://www.theregister.co.uk/2018/06/06/world_cup_russia/

The research, carried out by Kaspersky Lab, reported that one in five wi-fi hotspots in 11 Russian cities hosting World Cup matches had little or no protection, leaving users wide open to having their data harvested by criminals.

If you are travelling to Russia to see some football, or anywhere else for that matter, and taking your work mobile with you, remember that if your phone is hacked, that could be all your business contacts’ details compromised and every text, message or attachment you’ve ever sent from your mobile stolen.  Certainly something to think about!

As the article suggests, there are some relatively easy steps to improve security, such as avoiding the use of unknown and untrusted wireless connections, and only using wi-fi when absolutely required. Even so, it is extremely difficult for the ordinary traveler to know if the cell their phone has locked onto is legitimate or a fake base station (known as an IMSI catcher) designed to catch your metadata.

An IMSI catcher, or a rogue cell as it is sometimes referred to, hoovers up details of callers’ International Mobile Subscriber Identity, hence the name. It may also divert your phone’s traffic and/or try to decrypt its weakly protected voice or data. As an ordinary mobile user, you would never know if your calls had been intercepted by an IMSI catcher. There is technology to enable you to check which base station you are connected to, but generally speaking it requires a technically knowledgeable user and so would only really be used by law enforcement agencies.

For those people who have sensitive or commercially valuable information on their mobiles, a secure communications platform can protect against leaking your calls or data (whether sent over unprotected Wi-Fi or intercepted by an IMSI catcher attack), by securing calls and texts between your mobile device and a desk phone, for example. It does this by using software installed on the phone that does the encryption and decryption. Whatever is sent from the mobile using the software, be it a call, text or attachment (such as a video or photo), is completely encrypted end-to-end including your metadata, and therefore protected.

Having said all this, there is so much more to security than encryption, which is rarely the weakest link. The dangers in using free apps for business, or on devices that also have business data on them, revolve far more around how your sensitive data is managed, where it goes and who has access to it.

Armour Mobile is as easy and convenient to use as any of the consumer grade apps, while giving superior security and ensuring your data isn’t being hoovered up by a hacker, or one of the global corporations.  Something worth thinking about before travelling abroad this summer.

Armour Mobile with Message Burn now shipping

Armour delivers even more control to the end user to safeguard communications involving sensitive information

London, 26 June 2018: Armour Communications, a leading provider of specialist, secure communications solutions, has announced availability of its latest innovation, Armour Mobile Message Burn. Message Burn limits the lifespan of sensitive data at rest. Users can set a time at which their messages are automatically deleted (or, as the name implies, ‘burn’) on the recipient’s device. This can be either a future date and time, or an amount of time after the message has been read by the recipient, and can be set as a default and altered message-by-message according to their confidentiality.

Armour provides a wide range of capabilities for secure communications which include:

Armour Mobile – secure calls, UK Government certified by NCSC for use at OFFICIAL-SENSITIVE and with additional security layers able to handle SECRET. Users can switch between Voice and Video and back, mid-call.

Armour Desktop – extends the secure mobile communications capabilities of Armour Mobile via a Windows 10 softphone.

Unified Communications – Armour Mobile integrates with Skype for Business, enabling organisations to benefit from the reduced costs and increased flexibility of Voice over IP communications.

Armour Blue – which includes Push to Talk features designed for Blue Light services.

David Holman, director at Armour Communications said: “Message Burn is the latest in a long line of specialist security features for Armour Mobile, and has been developed as a direct result of listening to the requirements of our customers. At Armour we aim to provide the most flexible secure communications platform, while adhering to industry best practices and providing NCSC approved solutions for security-conscious organisations around the world.”

A UK government certified solution, Armour Mobile can be downloaded from the app stores and used on company issued or staff owned devices (BYOD). It is easily deployed and centrally managed either on the Armour secure cloud, or as a full on-premises installation, giving a completely secured and controlled solution.

Armour Mobile provides secure voice calls, video calls, one-to-one and group messaging, voice and video conference calls, file attachments and sent/received/read message status. Using a FIPS 140-2 validated crypto core, Armour Mobile has been awarded many other certifications including CPA (Commercial Product Assurance) from the National Cyber Security Centre (NCSC) and is included in the NATO Information Assurance catalogue.

VPNs – Choose wisely

First the explanation

A Virtual Private Network is effectively an encrypted ‘tunnel’ between your device (which can be your desk computer at home, your mobile, laptop or tablet) and another computer, such as your corporate VPN server. This gives you protected, secure access to your corporate network. A casual observer looking at the traffic between the device and the server will only see encrypted VPN data, and will be hard pressed to distinguish between the different data types. However, there are a number of technical papers available regarding VPN analysis and how the flow of the traffic gives clues as to the type of data being carried. For example, voice traffic usually flows one way then the other as people hold a conversation.
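To make the point about traffic flow concrete, here is an added example (not part of the original post) that labels an encrypted flow from packet size, timing and direction alone, then shows constant-rate padding removing the signal. The packet traces, thresholds and function names are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed observations of an encrypted tunnel: (seconds, direction, bytes).
# "up" is device to VPN server, "down" is the reverse. No payload is visible.

def make_voice_like():
    """Constructed sample: 20 ms frames, the two ends alternate 2 s talk-spurts."""
    pkts, t = [], 0.0
    for spurt in range(6):
        direction = "up" if spurt % 2 == 0 else "down"
        for _ in range(100):
            pkts.append((round(t, 3), direction, 172))
            t += 0.02
    return pkts

def make_download_like():
    """Constructed sample: large downstream packets with sparse upstream ACKs."""
    pkts, t = [], 0.0
    for i in range(600):
        pkts.append((round(t, 4), "down", 1400))
        if i % 10 == 9:
            pkts.append((round(t + 0.0005, 4), "up", 80))
        t += 0.002
    return pkts

def flow_features(pkts):
    """Features computed from size, timing and direction only."""
    sizes = [s for _, _, s in pkts]
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    runs, run_len = [], 1          # runs of consecutive same-direction packets
    for a, b in zip(pkts, pkts[1:]):
        if a[1] == b[1]:
            run_len += 1
        else:
            runs.append(run_len)
            run_len = 1
    runs.append(run_len)
    up_bytes = sum(s for _, d, s in pkts if d == "up")
    return {
        "mean_size": mean(sizes),
        "size_cv": pstdev(sizes) / mean(sizes),   # coefficient of variation
        "gap_cv": pstdev(gaps) / mean(gaps),
        "up_share": up_bytes / sum(sizes),
        "mean_run": mean(runs),
    }

def classify(pkts):
    """Toy thresholds chosen for the constructed samples, not a tuned model."""
    f = flow_features(pkts)
    small_regular = f["mean_size"] < 400 and f["size_cv"] < 0.2 and f["gap_cv"] < 0.5
    if small_regular and 0.3 <= f["up_share"] <= 0.7 and f["mean_run"] > 20:
        return "voice-like"
    if f["up_share"] < 0.1 or f["up_share"] > 0.9:
        return "bulk-transfer-like"
    return "unknown"

def pad_constant_rate(pkts, interval=0.02, size=1400):
    """Countermeasure sketch: fixed-size packets in both directions on every
    tick, so size, timing and direction no longer depend on the content."""
    ticks = int((pkts[-1][0] - pkts[0][0]) / interval) + 1
    out = []
    for k in range(ticks):
        out.append((k * interval, "up", size))
        out.append((k * interval, "down", size))
    return out

if __name__ == "__main__":
    for name, flow in (("voice", make_voice_like()), ("download", make_download_like())):
        print(name, classify(flow), "-> padded:", classify(pad_constant_rate(flow)))
```

Padding of this kind costs bandwidth for the whole session, which is why it is a design trade-off rather than a default in most VPN products.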

How it helps

Use of a VPN has pros and cons. It may alert eavesdroppers to the fact that you are trying to cover your tracks, so for those whose job makes them likely to be under surveillance by a nation state, staying below the radar while using a VPN as an extra level of security is very much about choosing the right VPN. Some unfriendly nation states try to ban the use of VPNs for this very reason.

What a VPN can do is provide obfuscation, by using a VPN that a lot of other people use. For example, if you are near a University and you use the same type of VPN as the students or staff, your traffic will hopefully be lost in the general melee of University life.  The VPN encryption means the network operator cannot see that you have made a call, or the number you dialed; therefore, calls to certain numbers (known Government department numbers, for example) that might be monitored, will not attract unwanted attention. By using a VPN, the call is hidden from plain view, and even the fact that you are using Armour Mobile to protect your communications end-to-end is hidden.

Conversely, if you use a specialist or unusual VPN, that could well alert eavesdroppers to the fact that there is something worth listening to.  So choose your VPN wisely!

SS7 vulnerability still going strong near the White House

Why bother to teach an old dog new tricks when the old ones are still working well?

You may well ask! A recent piece in El Reg, ‘Stingray phone stalker tech used near White House, SS7 abused to steal US citizen’s data’, is a salient reminder that sometimes the old ones are the best.

The SS7 vulnerability is well documented, and indeed it was one of the first topics that we wrote about in this blog (What’s up with WhatsApp).

To recap, SS7 stands for Signalling System No 7 (also called the Common Channel Signalling System 7 in the US or Channel Interoffice Signalling 7 in the UK), and is the system that connects mobile phone and landline networks to each other. SS7 protocols enable phone networks to exchange information needed to process calls and text messages across disparate networks (including roaming on foreign networks), and to ensure correct billing. It also enables local number portability, prepaid payments, SMS and number translation. However, SS7 was designed nearly 40 years ago, long before phone hacking was considered a serious threat and flaws in SS7 enable an attacker to mimic a victim’s device.

This particular hack is typically used to steal personal data and to snoop.  While it is used by nation states, there is equipment available on the dark web for a few hundred bucks (see: With prices like these – anyone could be listening to your mobile calls!) that brings this type of hack into the domain of almost any tech-savvy criminal.

If it can happen near the White House, it can happen anywhere. Time to review your mobile phone security. If you or your staff discuss details of sensitive deals, intellectual property, confidential meetings, or industrial/commercial secrets by mobile, using voice, video, message/text, or send attachments, and if you want them to remain private, you need to use a seriously secure mobile comms service.

 

Contact us today for more information:

Email: sales@armourcomms.com

Tel: +44 (0)20 36 37 38 01

GDPR is here – don’t forget your mobile comms need securing too

Andy Lilly discusses how securing your mobile communications is a key step in meeting GDPR regulations

The new General Data Protection Regulation (GDPR) is now in force. A lot has been written about it, and how it overrides previous national data protection laws. Many are seeing the introduction of the new regulations as a positive step. It encompasses how personal data is managed, processed and deleted – and in particular, how it is lawfully and fairly protected by documented security measures. GDPR is clear in that it encompasses all of a company’s data (including that held in marketing, sales and finance) when dealing with EU citizens.

With many companies using mobiles to communicate with customers, it also means that texts and messaging, whether internal or external, will be considered within the new data laws.

With non-compliance fines of up to €20m or 4% of global turnover, not to mention reputational damage, companies ignore the legislation at their peril. According to ICO Information Commissioner Elizabeth Denham¹: “If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.”

Getting your ducks in a row
Whatever their business, all organisations need to have their ducks nicely lined up when it comes to data retention, compliance and security. Governance plays an enhanced role under GDPR and you must ensure that your systems and processes in place are able to manage and monitor all data under the new rules. Accountability is also important so as well as complying, you have to be able to demonstrate how you comply.

Armour Mobile enables your organisation to ensure that data and messaging communications are entirely secure whether in transit or stored, either with our cloud solution once you have licensed your mobile devices with us, or with our Armour on-premises solution. In fact, the latter allows your organisation to configure and manage your secure communications service in total privacy, restricting any outside connections.

We can also provide secure voice communications between your mobile and other voice systems (e.g. desk phones within your office) or services (voicemail or conferencing). Securing messaging and voice communications in these ways provides robust audit trails to support compliance and due diligence of the new privacy rules.

GDPR means that all organisations must see data in a different way – adopting Armour for your mobile communications is a big tick in terms of ensuring compliance.

¹ https://ico.org.uk/

Not all Group Messaging Apps are created equal

What limits does yours have?

When it comes to secure comms apps, group messaging is often taken as a given, expected. However, sending everyone in a group the same message simultaneously isn’t quite as straightforward as it sounds. It all depends on how the messages are handled. Some apps send messages from the client to every user in the group, and obviously the more members in the group, the more messages that need to be sent. As the client is required to process each of these messages and any attachments (including any encryption), this can cause issues resulting in practical limits on the numbers in a group.

Alternatively, a single message can be sent to a messaging server, which then replicates the messages to the entire group. This is a far more scalable method, where the server is doing the hard work and the size of a group becomes almost unlimited. This has been achieved in Armour Mobile by extending our encryption capability, drawing on 3GPP standards.

So if your organisation needs to communicate securely within groups, sending bulk messages and attachments efficiently, without limits on the number of recipients, we have the solution for you.

For more information contact us via:

Email: sales@armourcomms.com

Tel: +44 (0)20 36 37 38 01

Cambridge Analytica & Facebook, compromised data – more reminders!

Do we need yet another wake-up call regarding keeping our data safe?  The latest scandal involving Cambridge Analytica’s mining of Facebook profiles, which has been running for a few weeks now and shows no signs of abating, is a sign of rising public consciousness that personal data is important, it is valuable. The case highlights just how social media companies seem to please themselves when it comes to who has access to what.  At the very least, social media companies take a commercial view which is in their own interests and not in the interests of their customers/users – and who can blame them – it’s how they make a profit.

While those that need to have sensitive and/or commercial communications probably won’t be using Facebook to do so, they might be using consumer grade apps such as WhatsApp (owned by Facebook) or others. The messages sent on these services are encrypted, but, as we’ve said before, the associated metadata still gives away a lot of valuable information. To illustrate this point, by profiling the metadata associated with a conversation between two people, it is possible to identify who is the most important, i.e. boss and subordinate, simply based on the frequency, length, number and response times of replies. Using these techniques it is possible to map a whole organisation!
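As an added illustration (not from the original post), the sketch below profiles a two-person conversation using only the metadata fields named above: message count, size and reply times. The records, the participant labels `A` and `B`, and the scoring rule in `likely_senior` are constructed assumptions, not a validated model.

```python
from collections import defaultdict
from statistics import median

def constructed_records():
    """Constructed metadata: (unix_time, sender, recipient, ciphertext_bytes).
    No message content is present; this is what the service still sees."""
    recs, t = [], 1_530_000_000
    for i in range(8):                                    # eight working days
        recs.append((t, "A", "B", 120))                   # A: short message
        recs.append((t + 45 + i, "B", "A", 900))          # B: long, fast reply
        recs.append((t + 600, "B", "A", 700))             # B follows up
        recs.append((t + 900, "B", "A", 500))             # B follows up again
        recs.append((t + 6000 + 60 * i, "A", "B", 90))    # A: short, slow reply
        t += 86_400
    return recs

def profile_pair(records):
    """Per-participant count, mean size and median reply latency in seconds.
    A reply is a message sent directly after a message from the other party."""
    raw = defaultdict(lambda: {"sent": 0, "bytes": 0, "latencies": []})
    prev = None
    for ts, sender, recipient, size in sorted(records):
        entry = raw[sender]
        entry["sent"] += 1
        entry["bytes"] += size
        if prev and prev[1] == recipient and prev[2] == sender:
            entry["latencies"].append(ts - prev[0])
        prev = (ts, sender, recipient)
    return {
        who: {
            "sent": e["sent"],
            "mean_bytes": e["bytes"] / e["sent"],
            "median_reply_s": median(e["latencies"]) if e["latencies"] else None,
        }
        for who, e in raw.items()
    }

def likely_senior(profile):
    """Assumed heuristic: the senior party replies more slowly, writes
    shorter messages and sends fewer of them. Returns None on a tie."""
    if len(profile) != 2:
        raise ValueError("expects exactly two participants")
    a, b = sorted(profile)
    score = {a: 0, b: 0}

    def point(key, higher_wins):
        va, vb = profile[a][key], profile[b][key]
        if va is None or vb is None or va == vb:
            return                        # no evidence either way
        score[a if (va > vb) == higher_wins else b] += 1

    point("median_reply_s", True)
    point("mean_bytes", False)
    point("sent", False)
    return None if score[a] == score[b] else max(score, key=score.get)

if __name__ == "__main__":
    prof = profile_pair(constructed_records())
    print(prof, "likely senior:", likely_senior(prof))
```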

This is a timely reminder that if you’d rather keep your sensitive communications private you need to be aware of where your metadata is held and who might have access to it. Relying on social media companies that make their money through third parties advertising to the user base is never going to be good for users – it is the price you pay for a ‘free’ service.

Services provided by security vendors don’t rely on selling advertising to make a profit; they are in business to protect their customers’ data, and their reputation lives or dies by their ability to do so. Something worth remembering next time you need to send a work/business related communication.