Spear Phishing – How complicit are you?


Spear phishing is what happens to gullible idiots who are not paying proper attention, right?

Wrong! Spear phishing mixes increasingly clever social engineering to make spoof emails appear real, and it’s all too easy to become a victim.  Even if you are way too clever to get caught, your business users, who are not necessarily thinking about technology and security every minute of their day, may fall victim to these types of attacks.

And their mobile phones could be helping…?

Here’s how. Details of supposedly private conversations between colleagues can be used to make a spear phishing scam more believable. If your business users are subject to an IMSI catcher attack, where a fake base station is used to intercept calls by forcing the phone down to 2G technology (which negates the stronger encryption used across 3G & 4G networks), their conversations, which they think are private, can actually be listened to.  See our previous blog for details on how this works.

Then all it takes is a phishing email that appears to come from a trusted colleague, referring to an earlier conversation (which gives the email credibility), with a request to click a link, and a virus or Trojan could be launched. The person that has been hacked doesn’t even know.

So how can you tell if your mobile phone has been subject to interception?  Short answer: you wouldn’t, unless you are in the covert ops industry with access to some pretty heavy-duty technology. Who could launch such an attack? Almost anyone that wants to – with entry-level hacking skills and a piece of kit that can be purchased online for about €300. This could be a disgruntled ex-employee, competitors looking to steal your intellectual property, or even just pranksters/script kiddies.

The security and IT press has been talking about ‘protecting the endpoint’ for years; now the endpoint includes mobile phones. If your business users have intellectual property to protect, or commercial secrets that you’d rather remained secret, then perhaps now is a good time to start looking at protecting your ultimate endpoint – the mobile phone!


Your calls may be secure, but are they private?

What’s the difference between security and privacy? Well, quite a lot actually.

When it comes to making calls or sending texts from your mobile phone, there are a myriad of ways that eavesdroppers can listen in.  From colleagues simply being nosy and overhearing your conversations, to various over-the-air attacks – intercepting your calls via a rogue base station, cracking the encryption or exploiting vulnerabilities within the GSM network protocols – mobile conversations and texts are not that secure.  There are a number of apps now available, some of them free to download, that claim to provide encryption and security.  However, a word of caution on free services, from Tim Cook, CEO of Apple.  As he so eloquently put it: “A few years ago, users of Internet services began to realise that when an online service is free, you’re not the customer. You’re the product!”

But is the content of your communication the only part that needs to be secure? What about privacy too?

Let me explain.  Imagine you are communicating with someone, or with an organisation, that you don’t want anyone else to know about.  For example, applying for a new job.  They call you to arrange an interview using standard GSM technology (any mobile phone).  That is like sending the details on a postcard: the address and the contents of the communication can be read by anyone in Royal Mail.

If you use a more secure method, say a free-to-download encrypted messaging solution, that is like asking a social media company to deliver your message.  It may well be encrypted (in the previous example the contents would now be in a sealed envelope rather than on a postcard), so they don’t know what it says, but they do know who you are talking to, when and how frequently, and where both of you are. With this information they can make their own deductions: for example, that you are either applying for a job with, or already work for, the organisation in question. So even without knowing the contents, they can piece together some intelligence, and they might share that information – your privacy is compromised and you have no control.

The ultimately secure method is for a courier who works for the organisation to deliver the letter to you personally, and for you to reply using the same courier.  This way, no one knows that you are communicating except you and the organisation in question.  Not only do any potential eavesdroppers not know what is going on, they don’t even know that anything is going on, and are therefore perhaps less suspicious, keeping your activities under the radar – and private.

The three scenarios I have just described illustrate the difference between using GSM, an encrypted messaging solution (like WhatsApp, Facebook Messenger, Snapchat, Telegram, Viber, Threema, WeChat and Line), and an on-premises secure communications solution that you control, so that you know where your data is held at all times.

Sometimes security and privacy sound like the same thing, and sometimes the distinction doesn’t much matter, if for example you are arranging a surprise party. On the other hand, depending on your work, it can matter a great deal, and if you are operating in an oppressive regime, where it is imperative that your communications remain private, even covert, it can be the difference between life and death.