What does your smartphone say about you?

And we are not talking about design or style…

Keen fans of TV police dramas may be aware of the term ‘metadata’, which is frequently mentioned in the tense investigation scenes as the police narrow their focus on the perpetrator. However, how many of us actually know what metadata is?

Metadata is all the information relating to your phone call except the content of the call itself. It is the information we are used to seeing on itemised mobile phone bills: the when, how, from where and with whom we communicate. However, in the age of the smartphone, metadata collected from our daily activities actually reveals more about us than we realise. Most of us use our smartphone for more than just calls. It is our convenient go-to device for email, messaging, social media, banking, electronic wallet, GPS and camera, in addition to making calls. For many of us, losing our smartphone would impact our day-to-day lives far more than losing our credit card.

Digital footprint

A smartphone passively generates a vast amount of metadata, leaving behind a digital trace of the activity of its user. Each action and interaction provides a snapshot of our daily activities. Email addresses, websites visited, photos taken and files downloaded all present new opportunities to gather metadata. Pieced together, this information provides a comprehensive record of our associations and public movements, revealing a wealth of detail about our interactions, points of view and personal and professional associations. The reason metadata is so valuable is that it doesn’t lie; it is a digital footprint of our activities.
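To make the point above concrete, here is an added example (not code from the original post): a handful of constructed call-detail-style records, holding only the when, how, where and with whom, and a few lines of analysis that recover the user’s main contacts, a late-night relationship and a rough home/work split without touching any call content. This is the kind of inference a data-minimisation review should assume is possible from billing-grade metadata alone.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records (no real subscribers). Fields per line:
# timestamp, type (CALL/SMS/DATA), direction, other party, duration (s), cell site.
SAMPLE_RECORDS = """\
2019-03-04T07:55:00 CALL OUT +44700000001 120 CELL-HOME
2019-03-04T08:40:00 DATA -   app:mail     0   CELL-WORK
2019-03-04T12:10:00 SMS  OUT +44700000002 0   CELL-WORK
2019-03-04T18:30:00 CALL IN  +44700000001 600 CELL-HOME
2019-03-04T23:45:00 SMS  OUT +44700000003 0   CELL-HOME
2019-03-05T07:50:00 CALL OUT +44700000001 90  CELL-HOME
2019-03-05T09:05:00 CALL IN  +44700000004 300 CELL-WORK
2019-03-05T13:20:00 DATA -   app:bank     0   CELL-WORK
2019-03-05T19:00:00 CALL OUT +44700000001 420 CELL-HOME
2019-03-05T23:55:00 SMS  OUT +44700000003 0   CELL-HOME
"""


def parse_records(text):
    """Parse whitespace-separated metadata lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, direction, party, duration, cell = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "kind": kind,
            "direction": direction,
            "party": party,
            "duration": int(duration),
            "cell": cell,
        })
    return records


def top_contacts(records, n=3):
    """Who the user communicates with most, by number of calls and messages."""
    counts = Counter(r["party"] for r in records if r["kind"] in ("CALL", "SMS"))
    return counts.most_common(n)


def late_night_contacts(records, start_hour=23, end_hour=5):
    """Parties contacted late at night: timing alone hints at the relationship."""
    hits = Counter()
    for r in records:
        hour = r["time"].hour
        if r["kind"] in ("CALL", "SMS") and (hour >= start_hour or hour < end_hour):
            hits[r["party"]] += 1
    return hits


def likely_locations(records):
    """Most-used cell site in working hours vs. off hours: a crude
    'work' and 'home' inference that needs no GPS data at all."""
    by_period = defaultdict(Counter)
    for r in records:
        period = "working_hours" if 9 <= r["time"].hour < 18 else "off_hours"
        by_period[period][r["cell"]] += 1
    return {period: cells.most_common(1)[0][0] for period, cells in by_period.items()}


def services_used(records):
    """Which apps generated traffic, revealing e.g. which bank the user has."""
    return sorted({r["party"] for r in records if r["kind"] == "DATA"})


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("top contacts:", top_contacts(recs))
    print("late-night contacts:", dict(late_night_contacts(recs)))
    print("likely locations:", likely_locations(recs))
    print("services used:", services_used(recs))
```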

Stealing metadata

There are many ways that hackers can obtain metadata illegally. The SS7 vulnerability is well documented, and was one of the first topics that we wrote about in this blog (What’s up with WhatsApp). SS7 was designed over 40 years ago, long before phone hacking was considered a serious threat. SS7 stands for Signalling System No 7, also called the Common Channel Signalling System 7 in the US or Channel Interoffice Signalling 7 in the UK, and is the system that connects mobile phone and landline networks to each other. SS7 protocols enable phone networks to exchange information needed to process calls and text messages across disparate networks, including roaming on foreign networks, and to ensure correct billing. It also enables local number portability, prepaid payments, SMS and number translation.

Limitations in the SS7 protocols enable an attacker to mimic a victim’s device, steal personal data and snoop on a user’s network communications. While this technique is used by nation states, there is equipment available on the dark web for a few hundred dollars that brings this type of attack into the domain of almost any tech-savvy criminal!

Fake base station

Exploiting the SS7 vulnerability isn’t the only means to access metadata. IMSI (international mobile subscriber identity) catchers, also known as fake base stations, are well established pieces of surveillance technology used by law enforcement all over the world. This portable device is used to intercept digital communications by essentially impersonating a legitimate mobile phone mast. The device can capture the IMSI of every phone in the area and intercept messages, calls and metadata, and even block phones from operating.

IMSI catchers are illegal to operate by parties other than law enforcement agencies and, even then, there are strict codes of conduct. However, for an attacker motivated by financial or commercial gain, remaining on the correct side of the law is rarely of concern! Videos freely available on YouTube show how a DIY IMSI catcher is relatively trivial to set up for a tech-savvy criminal. The technology is available to anyone with a cheap laptop, $20 of readily available hardware and the ability to essentially copy and paste some commands into a computer terminal.

The power to control your own metadata

The fact that metadata is collated and sold by telecom carriers and internet companies shows how valuable it can be. Social media companies in particular regularly share our metadata with third parties as a way of targeting advertising, and this is typically the key value creator for such companies. Applying this capability across a population, it is possible to compile a very detailed, even invasive, picture of the population, including behaviours and interactions, which governments, organisations and cyber criminals can act upon.

Whilst it’s not possible to stop metadata from being generated, steps can be taken to control access to it. Armour Comms securely manages communications in the cloud, ensuring metadata is minimised and protected. We also offer an on-premises solution for those who want complete control, allowing customers to store metadata on their own servers. Our solutions not only protect the content of communications, but also consider the broader aspects of securing your data and privacy.

The weakest link

As the cyber security threat landscape evolves, it’s clear that securing modern methods of communication requires a new approach. Without secure practices, smartphones can effectively be viewed as surveillance devices, exposing confidential business dealings, intellectual property, state secrets, or commercially valuable information to risk. As the saying goes, you’re only as strong as your weakest link. If you fear that your mobile comms could be vulnerable to eavesdroppers, competitors or criminals then it’s time to act. Contact us today to discuss a solution.

Biometrics – An extra layer of security

We will be showing the latest version of Armour Mobile at Cyber UK (24-25 April 2019), and one of our most exciting upgrades is the provision of the ability to use biometrics as an extra layer of authentication.

We haven’t just jumped on a bandwagon here; biometrics are an important development for security. While our products use identity-based cryptography and are designed to enable secure, cross-platform communications by identifying and authenticating the end points, this doesn’t necessarily identify who is actually using the device. (More about identity-based encryption (IBE) and its benefits in our previous blog post here: https://www.armourcomms.com/2018/02/27/are-you-talking-to-me/?cat-slug=10)

When biometric authentication is added to Armour Mobile, it also confirms that it is the right person using the phone. Armour Mobile integrates with the biometric authentication algorithms on the latest smartphones (iOS and Android) and uses them to open the Armour Mobile app. The user simply logs in to our app using their fingerprint or face ID, which is authenticated by the device and, through its link into the mobile’s built-in secure key store, can then unlock our app (when closed, our app’s data-at-rest is kept encrypted).

The biometric component makes it simpler to log in without needing to retype a password every time. This convenience removes another of the (perceived) ease-of-use barriers to using a secure, enterprise app that has been designed for purpose, rather than a consumer-grade app.

We will be demoing exactly how it works on our stand B9 at Cyber UK, at the Scottish Event Campus, Glasgow, 24 – 25 April.

In addition, we will be demonstrating full integration with Secure Chorus’ interoperability standards for encrypted voice calls, to a live audience, with Leonardo, BAE Applied Intelligence and a defence organisation. The interactive workshop, hosted by the NCSC and led by Secure Chorus takes place on 24 April at 14.00 and is part of Stream G.

Several of our partners are also exhibiting, including BAE Systems on stand E22, Amiosec on stand E20, Leonardo on stand E15, Qinetiq on stand B2, Nine23 on stand SBH15 and Templar Executives on stand SBH7.

So all in all, well worth a visit! For more information and to register visit: https://www.ncsc.gov.uk/section/cyberuk/overview

It’s a question of Trust

Phone numbers – not that unique and not that secure!

A spate of recent disclosures calls into question once again the wisdom of using phone numbers for authentication. As we’ve discussed elsewhere on this blog, mobile phones are relatively easy to spoof, hijacking of phone accounts is becoming worryingly commonplace, and what happens if you lose your phone or have to change your mobile phone number? This hair-raising account from Allison Nixon, director of security research at New York City-based cyber intelligence firm Flashpoint (https://krebsonsecurity.com/2019/03/why-phone-numbers-stink-as-identity-proof/), highlights many of the issues, for example when phone numbers are used for authentication within apps, or when banks send out sensitive updates via SMS.

Another issue regarding the use of personal numbers is where employees use their own mobile phones for business. If numbers are published in a corporate directory, anyone who works for the organisation has access to those personal numbers. Industry contacts related an incident where this led to female employees receiving unwanted calls at weekends, which, as well as being a nuisance and potentially intimidating for the victim, also raises concerns as to their employer’s management of their personal data!

So while using our mobile numbers for authentication is very convenient, it is now becoming frighteningly insecure.

What else is at risk if your social media account is hacked?

If that isn’t enough horror to contemplate for one day, we have recently heard how ‘9 million data items containing passwords in plain text’ have been exposed at our perennial favourite, Facebook… for years! And their response? “We’ve not found any cases so far in our investigations where someone was looking intentionally for passwords, nor have we found signs of misuse of this data”. We’re guessing that any malfeasance is unlikely to be admitted! More details here:

https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

How many websites now invite us to login using our Facebook credentials? If your Facebook identity is hacked, what else does the hacker gain access to?

Security by design – or just an after-thought?

This brings us to the salient point that when large companies talk about security and encryption, it often doesn’t seem to apply to their own staff. Indeed, one of the points made by Allison Nixon is that banks often don’t know how to remove a mobile phone number associated with an account once the account holder has lost the phone number.

When it comes to keeping your private data secure, this all makes the case for using apps that are designed specifically with security in mind, not consumer-grade apps where security is an after-thought and a begrudging add-on at that!

Armour Mobile can be used with abstract numbers or random strings as identifiers, so you don’t need to expose your own mobile number. These identifiers are then tied back to real-world identities within the Armour system, which is controlled in our secure cloud or by your own on-premises administrators. Provided the users are known in some manner and the identities are centrally controlled, this approach provides better security than relying on phone numbers to prove someone’s identity.

Army Reservists Cyber Protection team pilot Armour Mobile

A recent initiative to give the Army Reserves more responsibility has led to the formation of a Cyber Protection Team. One of the first issues that the team addressed was finding a more secure way to communicate: in other words, a secure replacement for WhatsApp. As in many organisations, WhatsApp (along with other consumer-grade apps) has become widely adopted across the Armed Services. It has invaded almost by stealth. It’s easy to use, everyone has it, and it’s encrypted. What’s not to like?

However, as we have discussed on many occasions, consumer-grade apps are generally owned by multi-national social media companies that don’t particularly care about your metadata, and might even sell it to advertisers.

Recognising this vulnerability, the Cyber Protection Team is piloting Armour Mobile. It is currently being used very successfully by a small group that often works remotely, and the plan is to encourage the use of Armour Mobile more widely.

Watch this space for further details.

Armour supports Royal Signals Cyclist

Working in secure comms, we come across many interesting and varied characters, all with a different background story to tell. Recently I met Mark Howells, a reservist with the Royal Signals and formerly a full-timer who has seen several tours of active service. Mark has been instrumental in setting up a new cyber protection team within his regiment, and we’ve talked shop on several occasions.

However, what really got my interest was when Mark started to tell me about the proactive steps he was taking to deal with his Post Traumatic Stress Syndrome (PTSD). Depending on which source you go to, PTSD affects from 5 – 10% of military personnel, and is on the increase. Although the increase could be because it is now a recognised condition that is talked about, and so people feel more able to ask for help. Whichever way you look at it, mental health is something that we all need to be aware of.

Mark told me how he found cycling was a great therapy, helping him to manage his symptoms and so continue an active and healthy lifestyle. With coaching from the Army and a strict training regime, Mark has achieved a lot. Not only that, he has big ambitions.

Mark’s goal is to represent his country at the Invictus Games in 2020.  Meanwhile he is taking part in events every week, and has a packed schedule of races for the coming season.

At Armour we are very proud to support Mark in his endeavours, and will publish occasional posts here to update you on his progress.

EU diplomatic message data hacked

We read in the New York Times just this week that thousands of the EU’s diplomatic messages have been intercepted over the course of a concerted three-year attack (https://www.nytimes.com/2018/12/18/us/politics/european-diplomats-cables-hacked.html). According to Computing, the hackers accessed the European network known as COREU or CORTESY.

COREU is the European Union’s communications network for the Council of the European Union. It is the European equivalent of the American Secret Internet Protocol Router Network (SIPRNet, also known as Intelink-S).

The original system was set up in the early 70s and was telex based. It was replaced in the 90s by CORTESY (COREU Terminal Equipment System), so despite using encryption for messages it is still very old technology.

One crumb of comfort is that information marked as CONFIDENTIAL or SECRET was not affected.

However, this does highlight that even what on the face of it may be mundane, day-to-day communications are of interest, and therefore of value, to someone; in this case, the suspected perpetrators are the Chinese military.

Protect your Intellectual Property

While your organisation may not be of interest to the Chinese military, there will be someone out there who probably would like to know a bit more about your business: competitors that want to target your customers or access trade secrets (product information, formulae, recipes, etc.), or hackers and criminals looking to steal your identity or the contents of your bank account!

My point is that your information doesn’t need to be what you would naturally think of as confidential or secret. Everyday messages about clients, products, product recalls, meetings and office gossip can all be valuable for profiling and piecing together information about who you are dealing with, the nature of those dealings, and information about individuals that could be used for commercial leverage or identity theft.

Mobile devices – the new End Point

With our almost universal reliance on computers, industrial espionage has become a lot more about hacking skills. Hugely valuable information is accessed by workers from their mobiles, and with GDPR many organisations are beginning to understand that the new end point is mobile phones and the consumer-grade apps that staff use to communicate.

As we’ve said on numerous occasions, don’t be lulled into a false sense of security by the word ‘encryption’. Encryption is never the weakest point that hackers will target. It is usually a weakness in the system; in the case of the EU it was old technology. Even if you are using relatively new technology in the form of messaging apps, you still need to consider the security of your whole mobile comms system, including where data is held (i.e. is your service provided by a multi-national social media company that needs to monetise its members’ data to make revenue?), exactly who might have access to it, and any weak points within the system.

Here are a few of our recent blogs that explain the pitfalls in more detail:

  • The dangers of relying on SMS-based two-factor authentication: https://www.armourcomms.com/2018/08/16/avoid-sms-based-two-factor-authentication/?cat-slug=10
  • Chat apps that have spread through corporate networks by stealth are the most hacked type of app, and the most widely banned: https://www.armourcomms.com/2018/07/31/free-apps-you-might-get-more-than-you-bargained-for/?cat-slug=10
  • Avoiding shady Wi-Fi hotspots: https://www.armourcomms.com/2018/07/05/world-cup-fever-or-holiday-wi-fi-nightmare/?cat-slug=10
  • Staff mobile phones are also covered by GDPR; here’s what you need to do: https://www.armourcomms.com/2018/05/24/gdpr-is-here-dont-forget-your-mobile-comms-need-securing-too/

If you fear that your mobile comms could be vulnerable to eavesdroppers, competitors or criminals, contact us today to discuss a solution.

Rogue Users – What would you do?

Trump and his foreign nation state eavesdroppers

According to a recent article in the New York Times, conversations on the President’s mobile phones are being listened to by the Russians and Chinese. As we’ve reported on many occasions, listening in to standard mobile phone conversations is fairly straightforward with an IMSI catcher costing as little as $20, and especially so with the resources of a nation state. The article goes on to explain that the Chinese are monitoring who the President talks to and who influences him. They are learning what arguments tend to win him over and using that intel to avoid a trade war, so the story goes.

How interesting are your users?

All this raises the question: if the Secret Service, CIA and FBI can’t control one rogue user, how can any organisation be sure that their employees toe the line when it comes to security? As ever, Bruce Schneier articulates the problems of securing mobile devices in his blog very well, and makes the point that it’s not just the President and other heads of state that are at risk. Anyone who is potentially interesting to criminals or commercial competitors could find themselves subject to eavesdroppers, whether a CEO of a quoted company, any number of sales people, company executives, product developers with trade secrets and intellectual property to protect, or government officials involved in a trade negotiation. I imagine all those involved in the current Brexit dealings are under a huge amount of scrutiny!

Good advice – but does anyone listen?

The UK’s National Cyber Security Centre (NCSC) has a plethora of advice and user guidelines. All of it is written in easy-to-understand language, specifically for organisations to re-use with their own employees. Its advice for end users is a case in point.

While all of this seems fairly basic stuff if you live and breathe cyber security as we do, the following are still good ways to avoid the majority of cyber threats:

  • Use strong passwords and don’t reuse them between different accounts
  • Be careful which apps you download
  • Only use secure/known WiFi connections
  • Don’t leave your device lying around
  • Don’t open phishing emails
  • Don’t visit dodgy websites
  • Be extra careful about what networks you use when abroad
  • Only use secure methods of communication when dealing with sensitive information

Making security invisible

The inconvenience of not being able to make a call, send a message or text exactly when you want to is just too much for many workers who are under pressure to perform in today’s always-on culture.

Security has to be designed into the apps that we use daily and has to be almost invisible to the end user. And if you are asking them to use a different app or process to the consumer-grade equivalent, it had better offer at least as good a user experience.

Contact us now for more information about how Armour Mobile can provide a highly usable and secure alternative to consumer-grade communication apps.

Cyber Incursion – Defence against the Dark Arts

A lesson from the world’s most famous hacker!

Kevin Mitnick is the keynote speaker at Cyber Incursion, on 22 November, 12.30 to 19.30, at The Honourable Artillery Company (HAC), an event that will see our own Andy Lilly on the panel for the debate about the dangers of Social Engineering and the Insider Threat.

Learning to think like a hacker is a good strategy for improving your cyber security and many of the best security experts who now wear white hats started out as script kiddies.

As the cyber security threat landscape evolves, we are finding that it is not just government and military type organisations that are under siege. Increasingly we are working with private sector companies that are keen to protect their trade secrets and keep intellectual property secure.

Your intellectual property is highly valuable

Cyber Incursion is aimed at companies that are beginning to understand just how valuable their intellectual property and sensitive customer information is. Whether it is a takeover or merger that could have implications for stock valuations should the news leak too soon, contract negotiations that you wouldn’t want your competitors to see or even know about, or customer information you need to protect to comply with GDPR, most organisations have some IP that they wouldn’t want to lose or see fall into the wrong hands.

You are the weakest link – the dangers of social engineering

These days, hackers are very clever, or should I say, even cleverer. They will always go for the weakest link, which is us humans, and their approach will often involve some element of social engineering. When people are out of the office, working via their mobile devices, they are away from their typical work environment; this may lead them to let their guard down, and this is often a good time to strike. We’ve all been there: a quick call to a colleague to get a vital piece of information to finish off the contract or document we are working on, or to finalise the date and time for a sensitive meeting. The information exchanged could be very valuable to someone else, but it’s only a quick call, so what can go wrong? Well, plenty!

Don’t get caught out

Your call could be intercepted by an IMSI catcher, also known as a fake base station. Even entry-level criminals or script kiddies can access this technology, which enables them to harvest your call and location metadata (who you spoke to or messaged, how long for, etc.), for just a few hundred pounds. Depending on the hack, the details of your conversation could be accessed by the attacker. Alternatively, while the contents of your call might be encrypted, your metadata may not be protected, and sometimes knowing who you are communicating with, for example during a merger or acquisition, can be every bit as helpful to your competitors or, in the case of celebrities, to paparazzi or tabloid journalists.

Cyber Incursion

As well as an opportunity to hear from the world’s most famous hacker, Kevin Mitnick (who was once on the FBI’s Most Wanted list because he hacked into 40 major corporations just for the challenge), Cyber Incursion has a packed agenda covering such topics as:

  • AI
  • Threat Intelligence
  • Internet of Things
  • Big Data and Forensics
  • Social Engineering and the Insider Threat
  • And how they can all have a very real impact on commercial business today!

Register today, as there are limited spaces: https://www.cyberincursion.com/