Armour Mobile boasts a raft of new features in latest version including in-call switching between Voice and Video

Government certified secure mobile communications app continues to lead market with expanded functionality

London, 15 January 2018: Armour Communications, a leading provider of specialist, secure communications solutions, has today announced the release of the latest version of Armour Mobile. Armour Mobile, which provides the same easy-to-use experience as consumer-grade (free) apps but with significantly enhanced security, now enables users to switch between voice and video and back mid-call, and introduces new capabilities for managing group chat members and group chat list owners. Unlike other apps, Armour Mobile does not require all users to move to video simultaneously: a single user may switch to video, which can be particularly useful when one caller is on a low-bandwidth connection.

David Holman, a director of Armour Communications, said: “At our customers’ request we have upgraded Armour Mobile to provide the option for a participant in a call to select voice or video during a call, giving users maximum flexibility with their communications, and we have extended the management features of chat groups. This provides our users with all the great features they see in some consumer-grade apps, but from a known and trusted organisation.”

A government-certified solution, Armour Mobile can be downloaded from the app stores and used on company-issued or staff-owned devices (BYOD). It is easily deployed and centrally managed, either on the Armour secure cloud or as a full on-premises installation, giving enterprises high security, control and privacy for their corporate data.

Armour Mobile provides secure voice calls, video calls, one-to-one and group messaging, voice and video conference calls, file attachments and sent/received/read message status. Using a FIPS-140-2 validated crypto core, Armour Mobile has been awarded many other certifications including CPA (Commercial Product Assurance) from the National Cyber Security Centre (NCSC) and is included in the NATO Information Assurance catalogue.

 

Comparing ‘Consumer’ to ‘Enterprise’ Messaging apps is like comparing ‘road cars’ to ‘racing cars’

So what exactly are the dangers of consumer (i.e. free) apps? And what do enterprise-grade apps provide that the free apps don’t? When your end-users want to download a consumer app and start using it, it isn’t always clear what extra benefits enterprise-grade apps provide, so here we compare the two.

First a note about Encryption

Free apps have encryption, and so too do enterprise apps. But there is much more to security than encryption. Encryption is (or should be) a given; it is rarely the weakest link, and therefore rarely the attack vector. The dangers in using free apps for business revolve far more around how your sensitive data is managed, where it goes and who has access to it.

Secure Numbers

Consumer apps need a GSM number to use as the ‘secure number’.  This number is used to send activation codes in clear text via an SMS message.  This is easy to intercept and can compromise any security before it is even activated.

Enterprise apps can use GSM numbers as the secure number too, or a randomly assigned number as the ‘secure number’. But activation is NOT via an insecure SMS; it can use a variety of secure activation methods, so it is very much harder to compromise.

Armour Mobile

We are able to utilise existing GSM numbers, or use another ‘secure number’. The process for activation and provisioning of Armour Mobile can be designed around the user’s specific requirements, using secure activation methods.

Harvesting your data

Consumer apps run on the vendor’s infrastructure only, and even if the content is protected, the metadata of each call or message is visible to the vendor. This can be cross-matched with other user IDs owned by the provider to build up a detailed picture of user habits, geo-location and common friends/contacts, which can be used for profiling and targeted advertising, or sold to third parties for a similar purpose.

Enterprise apps run on a subscription business model, so there is no need to harvest user metadata in order to make a profit. Serious cyber security vendors have no interest in selling data or advertising; their emphasis is on security and on maintaining their credibility and brand value.

Armour Mobile

As well as our secure Cloud option, for fast provisioning, Armour Mobile is also available as an ‘on-premises’ option, meaning that not only is the content of the calls/messages secure, but nobody outside of the organisation has access to the metadata.  This ensures complete security and privacy regarding when, where and who users are communicating with.

Sharing your Contacts

Consumer apps typically upload users’ native contacts list to their global database upon activation. This enables them to cross match friends/contacts so that the user knows who else is using the same app. While this is certainly very user friendly, it does mean that the vendor has your GSM number, and also those of all your contacts for potential marketing purposes. All of those users will also have had their details cross matched to their social media profiles, so that the vendor can start to build up really detailed knowledge of the user, their contacts, what they like, and what they look like.  Yes, we are talking facial recognition here!

For more detail on this worrying scenario, read our blog ‘Whose list are you on?’

Enterprise apps do NOT need to upload the native phone directory.

Armour Mobile

With Armour Mobile you are able to import a bespoke directory of secure contacts for your users. In some cases real time integration between the app and the organisation’s internal Active Directory is possible. For certain public sector/government organisations there is also the option to link to address books of other departments that are also using Armour Mobile.

Securing your Communities

Consumer apps run on the vendor’s cloud and work in a single global community where anyone can call anyone whose number they know. This is great for private communication between friends, but it is less than ideal for enterprise users. Furthermore, it can put users at risk of phishing scams sent from within the messaging app, which can be perpetrated by anyone who has access to a list of valid GSM numbers, whether obtained legally or from the dark web.

Even when running in the ‘cloud’, enterprise apps can offer cryptographically segregated user groups or ‘communities’ that are ring-fenced from all other user groups.

Armour Mobile

We are able to offer the option for different communities to be white-listed, enabling communication between communities for collaborative working. For on-premises installations, communities can be used to segregate different departments or user groups, for increased security.

Third party certification

Consumer apps are rarely, if ever, subject to any independent certification of their security procedures.

Good enterprise apps are certified by Government cyber security experts or international bodies such as NATO.

Armour Mobile

Using a FIPS-140-2 validated crypto core, Armour Mobile has been awarded many other certifications including CPA (Commercial Product Assurance) from the National Cyber Security Centre (NCSC) and is included in the NATO Information Assurance catalogue.

Intelligent Support v Automation

Consumer apps typically have no human interaction during the activation process, which means no voice on the end of the phone for technical support if required.

Enterprise apps usually have an account manager assigned during the sales and trial process, with a technical support email and phone line available after the sale.  This is invaluable if, for example, a board level exec, senior manager or VIP user is having issues that need resolving quickly.

Armour Mobile

We provide a range of support services that enable organisations to be up and running with Armour Mobile secure communications within hours for our Cloud solution. We are also able to provide bespoke solutions tailored to specific high security requirements, based on individual use cases.

Management of sent and received files

Some consumer apps store sent and received files unencrypted on the mobile device’s SD card and then don’t delete them later, sometimes even when the delete option has been set. The files may remain, in unencrypted form, even after the app is uninstalled.

Enterprise apps that focus on security will keep sent and received files encrypted, only exposing them in unencrypted form to be read briefly by the third party viewer that displays them. Any such files are then removed as soon as the user has finished viewing them.

Armour Mobile

All files are kept encrypted, with data encrypted at rest as well as in transit. In addition, Armour Mobile will not run on a jail-broken phone, meaning that the security checks performed by the app stores and the native built-in security remain intact. Armour Mobile also isolates the microphone to prevent data leakage.

In Summary

When dealing with sensitive business communications of any type (voice, message, text, video, attachments) you need to be sure of exactly where your data and metadata is going, and who can see it. You also need to think about what other information you may be giving away, for example your contacts list and other personal information from social media that can be used for profiling.

And one final thought – if you don’t want the world and his wife to see your corporate communications, you need to use an enterprise-grade app, like Armour Mobile, rather than a consumer app downloaded for free.  In this instance, you really do get what you paid for.

Security Spectre Causes Meltdown – What’s Going On?


You may be aware of significant security concerns raised in the last few days regarding the “Meltdown” and “Spectre” flaws identified in a variety of processors found in PCs, smartphones, servers and other products. This is an advisory to all our customers regarding Armour’s assessment of the effect of these issues.

What’s going on?

Firstly, a brief outline of these issues:*

“Meltdown” is the name given to a side-channel attack on memory isolation that affects most Intel chips since at least 2010, as well as a few Arm cores. “Meltdown” allows a normal (user) application to read (private) kernel memory, potentially allowing the app to steal passwords, cryptographic keys, and other secrets. It is easy to exploit, but easy to patch – and workarounds to kill the vulnerability are available for Windows and Linux, and are already in macOS High Sierra, for Intel parts. There are Linux kernel patches available for the Cortex-A75.

“Spectre” affects, to varying degrees, Intel, AMD, and Arm. Depending on your CPU, “Spectre” allows normal apps to potentially steal information from other apps, the kernel, or the underlying hypervisor. “Spectre” is difficult to exploit, but also difficult to fully patch, so could pose an ongoing threat for some time.

One always needs to ask whether a theoretical vulnerability can be exploited in the real world: in this case the (multiple) teams who reported these problems have proof-of-concept exploits to demonstrate the vulnerabilities so the threat is definitely real.

Although you might initially be concerned about the vulnerabilities this introduces to your personal computer or mobile phone, the wider danger is where data from many users is processed on the same machine, as happens in almost every cloud-based system where multiple applications (often from different companies) run alongside each other, but separated within ‘virtual’ environments (or ‘containers’). These vulnerabilities could allow a malicious application to examine the private data (e.g. customer passwords or cryptographic keys) for another company’s application when present on the same physical machine.

How does this affect Armour customers?

There are three key ways these vulnerabilities need to be addressed:

  • Vulnerable Devices – it’s common sense, but we recommend that all customers ensure that their individual devices (PCs, smartphones) have the latest operating system security updates – not all systems have fixes for “Meltdown” or “Spectre” yet, so keep an eye out for further updates.
  • Vulnerable Servers – follow the same principle as for other devices; make sure you apply the latest operating system updates. (It is possible that patching for these vulnerabilities may have some performance impact, but this has still to be fully evaluated.)
  • Virtualisation – Armour’s server components can be run in a virtual environment, which could be affected by these vulnerabilities; however, it’s important to note that the Armour security architecture already minimises any potential effects:

Customers running an on-premises Armour system have total control over how and where the Armour components are run: if there are no third-party applications or organisations running in the same virtual environments, then the Armour components can’t be attacked by these vulnerabilities.

The really sensitive data (e.g. cryptographic keys) in any Armour system is not exposed to the front-end servers (which is where an attacker might try to insert malware to exploit these vulnerabilities), because this information is stored in the ‘inner’ (more secure) servers.

* For more detail, we suggest you check your preferred technical website, as understanding of these issues, their effects and how to counter them is continually evolving at this time; the formal vulnerability description is on the CERT web page under ID 584653 and MITRE vulnerabilities CVE-2017-5753 and CVE-2017-5715 (for “Spectre”) and CVE-2017-5754 (for “Meltdown”). Of course it’s obligatory for any cyber issue to be given its own web page and fancy icon, hence you could look at https://meltdownattack.com/ or https://spectreattack.com/, though these both direct you to the same joint page.
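As an added illustration of the “apply the latest operating system updates” advice (this is not part of Armour’s advisory), the following Python script reads the per-issue mitigation status files that Linux kernels from 4.15 onwards expose under /sys/devices/system/cpu/vulnerabilities/ and maps them to the three CVEs cited above. The sysfs path and file names are real; the status strings quoted in the comments are constructed examples of the real line formats, and a missing file is deliberately reported as “unknown” rather than “mitigated”.

```python
import sys
from pathlib import Path

# Kernel 4.15+ exposes one status file per issue under this directory.
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs entry name -> MITRE id cited in the advisory.
ADVISORY_CVES = {
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
    "meltdown": "CVE-2017-5754",
}


def classify(status):
    """Map one sysfs status line to a coarse state.

    Real lines look like 'Not affected', 'Vulnerable' or 'Mitigation: PTI'
    (constructed examples). Anything unreadable is 'unknown', which is
    deliberately NOT treated as mitigated."""
    if status is None:
        return "unknown"
    status = status.strip()
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation:"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_statuses(vuln_dir=SYSFS_VULN_DIR):
    """Return {entry: raw status line or None} for the three advisory issues.

    A missing file means the running kernel predates mitigation reporting
    (or the host is not Linux), so the status is unknown."""
    statuses = {}
    for name in ADVISORY_CVES:
        try:
            statuses[name] = (Path(vuln_dir) / name).read_text()
        except OSError:
            statuses[name] = None
    return statuses


def needs_action(statuses):
    """Entries that still require an OS/kernel update or investigation."""
    return sorted(
        name for name, status in statuses.items()
        if classify(status) in ("vulnerable", "unknown")
    )


def main():
    statuses = read_statuses()
    for name, cve in ADVISORY_CVES.items():
        state = classify(statuses[name])
        raw = (statuses[name] or "<no sysfs entry>").strip()
        print(f"{name:<10} {cve}  {state:<12} {raw}")
    pending = needs_action(statuses)
    if pending:
        print("ACTION REQUIRED: update the OS/kernel for", ", ".join(pending))
        return 1
    print("All three advisory issues are mitigated or not applicable.")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```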

KRACK WiFi hacks and your mobile phone – How smart are you?


When news of the KRACK vulnerability in Wi-Fi networks protected by WPA2 hit the headlines a while back, there was widespread concern that so many devices were affected, particularly those unloved, back-room (internet of things) type devices that are often forgotten about and therefore rarely patched or managed. While KRACK (Key Reinstallation Attack) is not as much of a problem as first reported (miscreants need to be within Wi-Fi range to execute the attack, and it mainly affects Android and Linux users due to peculiarities in the way that Windows and iOS use WPA2), it does serve to highlight just how complex our networks and technology stack have become.

A couple of weeks later we heard about Eavesdropper, a vulnerability caused by software developers hardcoding credentials into mobile apps, that could potentially result in large-scale exposure of data and metadata in about 700 mobile apps.

Mobile Security = Enterprise Cybersecurity

All of this brings me to the point that I made in my presentation at DSEI: with the escalation in complexity of technology, and the pervasive nature of wireless connectivity of all kinds, mobile devices are now a key part of enterprise cybersecurity. Mobility increases productivity, communication and collaboration, but it also increases risk. Smartphones and tablets are the new end point, handling increasing amounts of sensitive corporate data; according to Gartner, 27% of corporate data traffic will bypass perimeter security by 2021.

Data is Valuable

There is much more valuable data held on mobile phones than most users would credit. Documents, chat/messages, videos, voice calls and messages, address book, calendar and location are all data, all valuable, and to the right criminal well worth stealing.

For everyday users of Wi-Fi, KRACK is unlikely to pose much of a threat. However, for those who may be actively targeted due to the work they do (government officials, journalists, law enforcement, covert ops, board-level executives, high net worth individuals/royalty/celebrities) it could be an easy way to hijack sensitive, and therefore valuable, information.

For those holding security conscious positions, selecting the right apps and security solutions can make all the difference when a new vulnerability is uncovered.  In the case of Armour Mobile users, even if Wi-Fi traffic is intercepted using KRACK, all that can be seen is encrypted data. The most that the hacker will be able to deduce is that the user has Armour, they certainly won’t be able to listen in.

Certified Apps, Additional Assurance

The WPA2 KRACK vulnerability is one of a myriad of ways that mobile data can be intercepted, but if users have end-to-end encryption, and apps are from a trusted, certified source, so that you know exactly who developed them and where the data sits/goes, most users will be protected from a lot of these issues. This also helps to minimize the likelihood of malware getting on your mobile device, because once a device is infected, even securely designed apps can be at risk of attack.

Knowing and trusting the provenance of your apps, and that the app developer employs industry best practice should be another key point. Software that has been certified by an independent third party (such as NCSC) provides additional assurance that you are buying exactly what you think you are buying. It also provides a level of assurance that the app is being carefully monitored and should any vulnerabilities be found, you will be notified in good time, and patches will be made available as soon as possible.

The mobile is the new end point, it has improved productivity immeasurably, but so too has the risk. Your data is too valuable to trust to ‘free’ security. Be smart with your users’ smartphones and ensure you only use certified apps.

Is there an ‘eavesdropper’ in your mobile apps?

Just recently a story caught my eye that illustrated like no other the importance of trusting your software developers, and really checking the provenance of any apps that you use.

The story, broken by Appthority, was about a vulnerability dubbed ‘eavesdropper’ that could have resulted in a large-scale exposure of data and metadata in mobile apps. The vulnerability is caused by software developers carelessly hardcoding their credentials into mobile apps that use the Twilio REST API or SDK. Twilio responded quickly to news of the vulnerability and reached out to all the developers with affected apps, of which there are apparently 700, some 170 of which are still available on the app stores.

Appthority claim that over a lifetime of poor coding practice, developers using the same credentials can expose massive amounts of sensitive data including call records, minutes of calls, minutes of call audio recordings, and SMS and MMS texts.  We’ve written before about the importance of protecting metadata, and once again, here is another instance where metadata has potentially been compromised.
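The defect described above, server-side API credentials shipped inside the client app, is the kind of thing a pre-release secret scan over your own app’s source and resource tree catches before the build leaves the organisation. The Python scanner below is an added example, not Appthority’s or Armour’s tooling: the identifier shapes it looks for (Twilio Account SIDs are ‘AC’ plus 32 hex characters, API key SIDs ‘SK’ plus 32 hex, auth tokens 32 characters) are Twilio’s public conventions, while the entropy threshold, the file-type list and the sample source are my own assumptions and constructions.

```python
import math
import re
import sys
from pathlib import Path

# (kind, regex) pairs applied line by line. Account SIDs are "AC" + 32 hex
# characters and API key SIDs "SK" + 32 hex; a bare 32-character token is
# only reported when it sits next to a token/secret-looking identifier.
PATTERNS = [
    ("twilio_account_sid", re.compile(r"\bAC[0-9a-fA-F]{32}\b")),
    ("twilio_api_key_sid", re.compile(r"\bSK[0-9a-fA-F]{32}\b")),
    ("twilio_auth_token", re.compile(
        r"(?i)(?:auth[_-]?token|api[_-]?secret)[^\n\"']{0,40}"
        r"[\"']([0-9a-fA-F]{32})[\"']")),
]
MIN_ENTROPY_BITS = 3.0  # assumption: placeholders like 'aaaa...' fall below this

# Assumed file types where credentials typically get baked into a mobile build.
SOURCE_SUFFIXES = {".java", ".kt", ".swift", ".m", ".xml", ".plist",
                   ".json", ".properties", ".gradle", ".js"}


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for one repeated character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_twilio_credentials(text):
    """Return findings [{kind, value, line}] for one file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                # For SIDs the fixed "AC"/"SK" prefix carries no entropy.
                secret_part = value[2:] if kind.endswith("_sid") else value
                if shannon_entropy(secret_part) < MIN_ENTROPY_BITS:
                    continue  # looks like a placeholder, not a live credential
                findings.append({"kind": kind, "value": value, "line": line_no})
    return findings


def scan_tree(root):
    """Walk a source/resource tree and collect findings with file paths."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            for finding in find_twilio_credentials(text):
                results.append({**finding, "file": str(path)})
    return results


def redact(value):
    """Never echo a found credential in full into build logs."""
    return value[:6] + "..." + value[-2:]


# Constructed sample of the anti-pattern: the client carries the
# server-side Twilio credentials. None of these values are real.
SAMPLE_SOURCE = (
    "// constructed example, not real credentials\n"
    'static final String TWILIO_ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";\n'
    'static final String TWILIO_AUTH_TOKEN = "7f3a9c2e1b4d8f6a0c5e2d9b1a7f4c3e";\n'
    'static final String PLACEHOLDER_SID = "AC' + "a" * 32 + '";\n'
)

if __name__ == "__main__":
    found = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
             else find_twilio_credentials(SAMPLE_SOURCE))
    for f in found:
        print(f"{f.get('file', '<sample>')}:{f['line']} {f['kind']} {redact(f['value'])}")
    sys.exit(1 if found else 0)  # non-zero exit fails the build in CI
```

Run with a directory argument to scan a real tree; without one it scans the constructed sample and reports the SID and auth token while skipping the zero-entropy placeholder.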

While Apple are fairly aggressive at pushing security updates to end users, the same cannot be said of Android devices once they have ceased to be the latest model. Android devices are notoriously under-patched and under-maintained, a headache for any IT department with users who insist on using older Android devices for business.

This is another example, if any were needed, of the advantages of using an app that is reviewed and certified by a recognized and trusted authority. This type of vulnerability, caused by poor practice, is exactly the type of flaw that NCSC looks for during its certification process.

Unlike some other suppliers in the ‘secure communications’ space, Armour would never use any third-party analytics or tracking libraries and our app does not communicate with any such third-party servers. It’s for the same reason (the trust of our users) that we don’t outsource any of our development work and only use carefully selected third-party libraries (which are also constantly monitored for security updates). Nor will you find any bitcoin miners slipped into the app when you are not looking!

There is a reason why some of these apps are free to use.  It is worth keeping in mind that if you want genuine security, you do need to pay a little for it.

Armour Comms sees momentum building with three new Government organisations and 15 new partners globally

Growth accelerates as demand for Secure Mobile communications increases across Government and Enterprise 

London, 14 November 2017: Armour Communications, a leading provider of specialist, secure communications solutions, has seen unprecedented growth in the last few months with many new customers and industry partners. During the last quarter Armour Comms has agreed terms/installed its flagship Armour Mobile at three high profile Government departments, and has got its fledgling US operation off to a flying start with signed deals. Armour is now working with 15 technology and innovation partners to deliver its higher assurance solution Armour Black, and its Push To Talk variant Armour Blue. In order to support partners and customers Armour has also launched a new website which will include portals for specific content and marketing material for partner and customer audiences.

David Holman, a director at Armour Communications said: “We’ve had a very strong quarter. As well as three major contracts signed, we have pilot projects running with several more government departments and law enforcement agencies. We have a number of new technology partners, who will be instrumental in our development of further higher assurance solutions through our Armour Black family of products. To support all this growth and development we have recruited several new members of staff for development, quality and testing.”

As well as 15 technology and innovation partners that Armour Comms is currently working with internationally, the company is actively looking to increase that number and expects to have four more partners to announce by the end of the year.

In the US, Armour Mobile has been selected by Huckworthy, a HUBZone certified small business and US Department of Defence Mentor Protégé Program Participant under The Boeing Company, to be an integral part of Huckworthy’s technology solutions. The company selected Armour Mobile for its ability to be offered as a private or cloud hosted solution, its ability to deliver voice, video, messaging and data transfer security with internationally recognised certifications, and a trusted UK based pedigree.

Armour Mobile provides secure voice calls, video calls, one-to-one and group messaging, voice and video conference calls, file attachments and sent/received/read message status. It is FIPS-140-2 validated and has been awarded many other certifications including CPA (Commercial Product Assurance) from the National Cyber Security Centre (NCSC) and is included in the NATO Information Assurance catalogue.

Off means off – well not always!


Changes in iOS 11 that could jeopardize your users’ security settings

It’s hard enough to get users to manage their security settings. Now Apple have thrown another complication into the equation. With the latest iOS 11, users may think that they have turned off Wi-Fi and/or Bluetooth from the Control Centre, only to find that both have mysteriously switched themselves back on again later.

This is because in iOS 11, when a user turns off Wi-Fi and Bluetooth from the Control Centre (as they are used to doing in iOS 10), although the button indicates that they are off, they are in fact still connected to some Apple services. That’s not all: should the user move location, Wi-Fi and Bluetooth come back on, and both reset themselves at 5am the next morning anyway.

The only way for users to completely disable Wi-Fi and Bluetooth is either to enable Airplane mode or navigate to Settings and switch them off from there.

With the known vulnerabilities in Bluetooth and the latest Wi-Fi key attack (KRACK), it is very important that users understand exactly what their security settings are really doing. These recent changes only serve to highlight just how dependent we all are on the operating systems that underpin our mobile devices, and on the manufacturers for fully informing us about changes to how the security settings work. IT departments need to be ever-vigilant to such changes, in order to keep their users fully up to date.

These changes to iOS 11 also highlight just how important it is for those in high threat situations to have a locked down, totally controlled application for secure communications – certainly one that doesn’t just reset itself each morning!

With prices like these – anyone could be listening to your mobile calls!


IMSI catchers now available for EU300

With Mobile World Congress drawing to a close for another year, we were very interested to see this story, highlighted to us by one of our colleagues in Spain. It confirms what we were already well aware of: you no longer need to be a nation state, a major law enforcement agency (or even the now defunct News of the World!) to have the resources to tap into people’s mobile calls. IMSI catchers (see our previous blog for further explanation) can be purchased online for EU300, according to this story: http://www.elconfidencialdigital.com/seguridad/Maletines-espiar-conversaciones-moviles-euros_0_2881511824.html. For non-Spanish speakers, Google Translate does a good job at the click of a button.

Not only is the number of attack vectors increasing exponentially, so too is the number of people/organisations/criminals able to execute these attacks. With the barrier to entry dropped so low, the number of potential victims of phone tapping also increases, and is now well beyond the high-threat targets that we would expect (intelligence community, law enforcement, government officials, celebrities). Anyone who talks about or exchanges commercially sensitive information such as new product details, formulae, industrial secrets or intellectual property is now at risk!

This only serves to highlight that we all need to be a lot more aware of the potential hazards with the technology we use.

And if you do fancy treating yourself to an IMSI catcher (to find out what your friends, neighbours, work colleagues are up to), you might want to consider a more streamlined rucksack than the one shown in the article!!

NOTE: Much-respected cryptography expert Bruce Schneier recognised these same risks in his blog https://www.schneier.com/blog/archives/2017/04/surveillance_an_2.html

Whose list are you on?

Big data – big trouble

If you’re using WhatsApp, you’ll be on a list somewhere. But not just the lists of friends, family, and work colleagues that you’d expect. Turns out that it is very easy to build a super list using WhatsApp in a web browser.

APIs are available on the web that enable developers, or anyone else for that matter, to request information about any number registered in WhatsApp; it doesn’t need to be in your address book. Information that is freely available includes your profile picture, your about text and your online/offline status. Using this method it is possible to build a database of almost limitless size and construct timelines showing your activity.

Such a database opens up a lot of nefarious possibilities. As the database builds it becomes possible to run queries such as: when was this phone number online? When profile pictures are brought into the equation, with facial recognition technology (which most people use on Facebook), it becomes possible to take a photo of someone and then query the database to find out who they are and their phone number. Apart from being downright creepy, in certain oppressive regimes this could be extremely dangerous. For those who travel to exotic locations for business, these possibilities are certainly worth keeping in mind.

There are some steps that savvy users can take to guard against this type of abuse of their data. Casual WhatsApp users should check their privacy settings.

Remember WhatsApp is just an example that has featured in the news of late – almost any other social media app is likely to have similar vulnerabilities and issues with privacy, including where and how your data is stored.

For any sensitive, official or corporate communications social media apps such as WhatsApp should never be used. Better to use an app that you control so that you know where your data is at all times, and that has security and privacy baked in.