More banks fined a total of $81 million for record-keeping contraventions

Regulated industries need to introduce secure comms with audit and archiving to reduce the risk of fines and take back control of their data

 

Sixteen financial firms have been fined this month by the US Securities and Exchange Commission (SEC) for conduct that violated the recordkeeping provisions of the federal securities laws (https://www.sec.gov/news/press-release/2024-18). The firms have agreed to pay combined civil penalties of more than $81 million, and have begun implementing improvements to their compliance policies and procedures to address these violations.

Just over a year ago, eleven of the most powerful financial services businesses were fined nearly $2bn for failing to meet record-keeping regulations because of communications over unauthorised and unmonitored channels. On that occasion the fines were levied by the SEC and the Commodity Futures Trading Commission (CFTC). As well as the fines, the firms involved are also subject to cease and desist orders. Read the full story here: https://www.bbc.co.uk/news/business-63056677

The recurring nature of these fines indicates that the underlying causes haven’t gone away. And now that AI-generated deepfakes are scamming financial workers into making multi-million dollar fraudulent payments (https://www.armourcomms.com/2024/02/14/do-you-have-25m-to-spare-deepfake-frauds-are-here/), using an enterprise-appropriate, secure communications platform for all business conversations has never been more important.

Bankers are losing their jobs

The original revelations rocked Wall Street when some high profile bankers even lost their jobs (see our previous post about JPMorgan Chase: https://www.armourcomms.com/2022/01/06/jpmorgan-fined-200m-for-mis-use-of-whatsapp/ ). The regulators concluded that the use of off-channel communications, on personal mobile devices and apps such as WhatsApp and Signal, was widespread.

And that’s not all – using consumer apps for business typically contravenes GDPR

In the UK and Europe, any organisation found to be using consumer-grade apps for business is likely to be in contravention of GDPR, because under the regulations personal details cannot be shared without the owners’ express permission.

The inherent functionality of typical consumer apps includes sharing contacts between users (and with the service provider), as well as storing documents or pictures in unprotected locations on a device with no protection against these being shared onwards to any other user of that service (outside the originating organisation). The Terms & Conditions of such apps have ‘cop-out’ clauses such as “You will not use (or assist others in using) our Services in ways that […] involve any non-personal use of our Services unless otherwise authorized by us.”, which is legalese for “You can’t use this app for any business purpose”.

Significantly reduce the risk of regulatory fines

Taking back control of mobile communications by providing a viable alternative to consumer apps will enable financial institutions to prove they are taking appropriate steps to ensure staff compliance and so significantly reduce the risk of fines or data leakage, and the negative publicity associated with non-compliance.

Armour® Comms has been positioned as a leader in the Secure Communications, Q3 2022 – The 12 Providers that Matter Most and How They Stack Up report by a major industry analyst. Our flagship Armour Mobile, together with Armour Recall™, delivers a highly usable solution to replace the ‘shadow IT’ of consumer-grade apps.

Available as an on-premises solution to provide data sovereignty, Armour Mobile and Recall provide all of the security, monitoring and archiving features required by regulated industries. What’s more, its enterprise-grade capabilities mean that Armour Mobile can be deployed at pace with one-click provisioning, making it quick and easy for users to be up and running with an approved channel for business communications within minutes, even on BYOD and unmanaged devices.

With Armour Mobile, employees have the tools they need to communicate even the most sensitive of market intelligence safely and efficiently.

Recall by Armour – How it works

Armour Mobile and Armour Desktop support an integrated and secure audit capability that enables communications (text and audio) to be captured in their entirety within the centralised audit log, allowing detailed retrospective analysis of all conversations. Each entry within the audit log is encrypted using keys unique to the user to whom the entry relates; access to the decrypted content can only be gained by an Administrator with access rights to the audit tools, who securely retrieves the key material and performs the necessary decryption.

With Recall, all communications via Armour Mobile are protected and preserved automatically; the user doesn’t need to do anything extra. This supports the NCSC ethos of Secure by Design, making security easy for the end user.
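The per-user keying described above, as an added illustration that is not Armour’s code: a hypothetical archive where each user’s audit entries are sealed under that user’s data key, and the data key itself is stored only wrapped to the administrator’s public audit key, so the capturing service can write entries but only the holder of the private audit key can read them back. User IDs, message text and the RSA key pair are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// AuditEntry is one captured message, sealed with the data key of the user it relates to.
type AuditEntry struct {
	User string
	Blob []byte // nonce || AES-256-GCM ciphertext; the user ID is bound as associated data
}

// Archive is the central audit log (a hypothetical design, not Armour's code). Each user's
// data key is stored only wrapped to the administrator's public audit key, so the capture
// service can write entries without ever holding the key that reads them back.
type Archive struct {
	WrappedKeys map[string][]byte // user -> RSA-OAEP(adminPub, userKey) with label = user
	Entries     []AuditEntry
	userKeys    map[string][]byte // plaintext data keys, held only by the capture service
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 32 bytes in this example
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || ciphertext so both can be stored as one blob.
func seal(key, aad, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, aad, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("audit blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func NewArchive() *Archive {
	return &Archive{WrappedKeys: map[string][]byte{}, userKeys: map[string][]byte{}}
}

// Record captures a message for user. On first sight of a user a fresh data key is made and
// wrapped to the administrator's public key; every entry for that user is sealed under it.
func (a *Archive) Record(adminPub *rsa.PublicKey, user, message string) error {
	uk, ok := a.userKeys[user]
	if !ok {
		uk = randBytes(32)
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, adminPub, uk, []byte(user))
		if err != nil {
			return err
		}
		a.userKeys[user] = uk
		a.WrappedKeys[user] = w
	}
	a.Entries = append(a.Entries, AuditEntry{User: user, Blob: seal(uk, []byte(user), []byte(message))})
	return nil
}

// Retrieve is the administrator path: unwrap the user's data key with the private audit key,
// then open that user's entries. A wrong key or a tampered entry fails with an error, not garbage.
func (a *Archive) Retrieve(adminPriv *rsa.PrivateKey, user string) ([]string, error) {
	uk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, adminPriv, a.WrappedKeys[user], []byte(user))
	if err != nil {
		return nil, fmt.Errorf("unwrap key for %q: %w", user, err)
	}
	var out []string
	for _, e := range a.Entries {
		if e.User != user {
			continue
		}
		pt, err := open(uk, []byte(e.User), e.Blob)
		if err != nil {
			return nil, fmt.Errorf("entry for %q failed authentication: %w", user, err)
		}
		out = append(out, string(pt))
	}
	return out, nil
}
```

Because the capture side holds only the public audit key, deleting a message from the handset changes nothing in the archive, and a reviewer without the private key (or with a key for a different deployment) gets an authentication error rather than plaintext.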

For more information about how Armour Comms can help your organisation preserve, check and interrogate secure and sensitive conversations, ensure compliance, protect brand reputation (and avoid hefty fines), contact us today at sales@armourcomms.com.

Do you have $25m to spare? Deepfake frauds are here

How Identity-based encryption can help

Yet another finance worker in a multinational company was recently duped into paying out $25 million after a video call with a deepfake chief financial officer (https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html). Not only was the CFO on the call a deepfake, so were all the other participants, all of whom were known to the finance worker. While initially the worker was suspicious, they put aside their doubts after the video call because it was so convincing. This is not an isolated case, though previous frauds have tended to rely only on audio deepfakes.

With the growth of Artificial Intelligence (AI), impersonation-based attacks using deepfakes will continue to become more prevalent and even more believable. This is reinforced by the latest assessment from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) (https://www.ncsc.gov.uk/news/global-ransomware-threat-expected-to-rise-with-ai), which reports that the growth and accessibility of AI will rapidly increase the number and believability of ransomware and other attacks. As AI gathers momentum, the barrier to entry is lowered, meaning that relatively unskilled threat actors such as novice cyber criminals, hackers-for-hire and hacktivists are able to carry out more effective attacks.

All this raises the question: what can organisations do to protect themselves from what is fast becoming a ‘wild west’ situation?

Tackling Deepfakes and other Impersonation-based attacks

Eventually people will become better able to spot deepfakes, in the same way that most of us don’t believe every photo we see, knowing that it is all too easy to manipulate images using software such as Photoshop. However, there is an immediate need for organisations to do everything they can to protect themselves and their employees from becoming victims of this newest threat.

Increasingly, authenticating the source of news, content, and all manner of communications is critical. Being able to trust that you are communicating with the genuine person (and not an impostor) will be key to safety online, and to any type of transaction, whether that is taking financial or legal instructions from colleagues or customers, sharing commercially sensitive information with third parties in the supply chain, or discussing matters of state with trusted advisors and co-workers.

As NCSC CEO Lindy Cameron states in the report, “The emergent use of AI in cyber attacks is evolutionary not revolutionary, meaning that it enhances existing threats like ransomware but does not transform the risk landscape in the near term.”

Identity-based Encryption will help to mitigate the risk

Technology is already available to protect sensitive business communications via voice, instant messaging and video conferencing. Secure communication solutions that use identity-based encryption, such as the NCSC’s MIKEY-SAKKE protocol (https://www.ncsc.gov.uk/information/the-development-of-mikey-sakke), help organisations to verify that only approved participants can join a call group, meaning that everyone on a video conference call (for example) has been authenticated. This type of security feature is NOT provided by mass-adoption communication platforms, where very often all that is needed to set up an account is a mobile phone number or email address, and those are very easily spoofed, hacked or compromised (e.g. by SIM-swapping).

The Armour Secure Communications platform is purpose-built, Secure by Design, to protect sensitive communications between trusted colleagues, and can be used at higher assurance levels.

Lindy Cameron goes on to say, “As the NCSC does all it can to ensure AI systems are Secure by Design, we urge organisations and individuals to follow our ransomware and cyber security hygiene advice to strengthen their defences and boost their resilience to cyber attacks.”

For more information about the NCSC’s 7 Principles of Secure Communication and how Armour meets them all, read our white paper: Replacing WhatsApp? Advice from NCSC

Nine tips for keeping communications secure within the Supply Chain

As cyber-espionage, state-sponsored hacking and identity-based attacks powered by AI and deepfake technology become mainstream, the details of sensitive communications amongst supply chain partners are at particular risk of compromise.

Any organisation that collaborates with others and shares commercially sensitive information needs to take robust action to secure its internal and supply chain communications, to avoid becoming the victim of malicious attacks that can result in damage to reputation and financial loss to commercial and brand value.

Keeping your supply chain secure

The NCSC reports that supply chain attacks are on the rise, as increasingly complex technology ecosystems present more opportunities to be exploited. Where organisations cannot directly be compromised, an adversary may target the organisation’s digital supply chain, with just one of many examples demonstrated recently when Swiss Air Force documents were published on the dark web after an attack on one of its suppliers.

Organisations that need to collaborate with others, perhaps because they are working together on major projects, need to be able to communicate securely.

Mass-adoption applications are NOT secure enough

While popular mass-adoption communication applications offer convenience, claiming to be secure, they have not been designed for sharing sensitive commercial information. Using products not specifically designed to address the needs of high assurance organisations introduces unnecessary risk to all organisations within the supply chain.

Advanced Mobile Solutions – 9 Top Tips

The UK’s National Cyber Security Centre (NCSC) has defined a range of cyber security principles which a secure communications system should meet with the aim of delivering more secure devices that are as easy and convenient to use as commercial/consumer devices. With this in mind, here are 9 top tips for setting up secure communications systems that protect sensitive conversations, enabling secure collaboration with trusted partners.

1. Provide reasonable protections against device compromise

Data should be encrypted at rest, time limited (i.e. automatically deleted after a set amount of time) and remotely wipeable if, for example, the device or the user is compromised. The communications app should not start if the platform or operating system has been rooted or jailbroken.

2. Prevent bulk interception of sensitive data

Data should be encrypted in transit, including push notifications, and it should be agnostic to being further protected by multiple layers of secondary encryption (for example, VPNs).

3. Prevent devices being compromised in bulk

Each user is separately Activated, Keyed and Authenticated throughout use, and is instantly Revocable, including the remote wipe of all data held within the app.

4. Keep sensitive data encrypted in the mobile infrastructure

Apply a ‘walled garden’ approach to network zoning of the infrastructure. User management and key generation are held within the inner zone, securely segregated from external-facing services. Sensitive data passed from the inner to the outer zone is encrypted and can only be decrypted by the recipient user’s app.

5. Monitor the mobile infrastructure to detect attacks

Service providers should deliver logging and data ‘pinch points’ to assist in monitoring.

6. Make it easy to destroy and recreate the mobile infrastructure

Infrastructure should be containerised for fast refresh or updates.

7. Protect the core with a hardware-assured Cross Domain Solution (CDS)

Ensure interoperability with CDS gateways for voice, video, messaging and Inner/Outer infrastructure zone control channels.

8. Control and monitor the release of data from the core

The infrastructure should only permit the Inner network zone to initiate connections to the Outer zone, to prevent external attacks back into the Inner zone.

9. Engaging and user-friendly

Any solution must balance security with usability. Apps need to be as engaging and easy to use as consumer-grade apps, but with significantly more robust security, so that users have no need of workarounds to get the job done.

We’ve moved down river!

New year, new office.

While everyone else was still coming to terms with a New Year, we at Armour have moved down river to splendid new offices in Aldgate. At time of writing everyone is now safely ensconced, with their own desks and pot plants installed, and we all just about know where the coffee machine is.

Strong Revenues and Growth

The move comes at the end of another great year for Armour where our revenue and profits continued to do well year-on-year. We continued to roll out new use cases for several of our significant customers (you know who you are), and we are developing relationships with a number of key alliance partners. Our ranks have been swelled with several new hires across the business covering development and support, and we welcomed our new VP of Sales and Marketing, industry veteran, Richard Brooks.

Impersonation-based and DeepFake threats

We are seeing a step change in the market for secure communications as security conscious organisations realise the risks of impersonation-based attacks, and deepfakes, which are only going to become more believable and more dangerous thanks to AI. The recent deepfake message purporting to be Joe Biden urging voters not to cast their ballots in the New Hampshire Democratic primary is a graphic example: https://time.com/6565446/biden-deepfake-audio/  

Our technology is already poised to help organisations overcome some of these risks. The benefits of identity-based authentication (in our case, the NCSC’s MIKEY-SAKKE protocol) where users must authenticate before they can join a call, send a message or join a video conference, are finally becoming more widely understood and demand for them is clearly growing.

Continued focus on R&D

2023 saw a focus on interoperability. We’ve delivered specific developments for customers that need to communicate with colleagues within the same organisation, but using different channels such as Skype, WhatsApp and Matrix, while maintaining robust security. Some of these developments will be finding their way into the main product line later this year.

On the industry accreditations front, we maintained and renewed our ISO 27001 certification.

Future projects currently under way include work on NCSC’s Principles Based Assurance – watch this space for further announcements.

It’s going to be a busy year, and one that we are looking forward to with relish – especially now that we have posh new digs!

Ministers’ disappearing messages – Part 2

Scottish Covid inquiry finds that Nicola Sturgeon appears to have deleted ALL her WhatsApp messages.

Hot on the heels of the revelation that WhatsApp messages between the then UK prime minister Boris Johnson and Paymaster General and Leader of the Commons Penny Mordaunt had mysteriously disappeared, we now hear that ex-Scottish First Minister Nicola Sturgeon seems to have suffered a similar fate.

The BBC has reported that Jamie Dawson KC, counsel for the inquiry, stated that the former first minister appeared to “have retained no messages whatsoever”. The inquiry was also told that her deputy John Swinney had his WhatsApp messages set to auto-delete. In addition, the inquiry heard how no corporate or central record was made or retained either. All of this despite some of their discussions being ‘FOI [Freedom Of Information] discoverable’, such that there was a requirement to keep a copy for future reference.

NCSC approved alternative to consumer apps

As we have stated many times before, there is really no excuse for the use of consumer apps by those in public office when there is an NCSC approved alternative that is every bit as engaging and easy to use. Not only do consumer apps, such as WhatsApp and many others, lack enterprise-grade security features, such as identity-based authentication (which tackles the issues of impersonation-based attacks/spoofs, etc.), but as this case demonstrates yet again, such apps lack any central management of messages and conversations.

Plausible deniability should not be a goal!

The inquiry further heard that a civil servant, while reminding ministers of the FOI requirements, also made the remark: “plausible deniability is my middle name”.

Had ministers been using an approved secure communications platform, such as Armour Mobile, there would be no question about what happened to messages: they would all be archived and available for review by suitably approved and authenticated auditors. It would have been much easier and faster for the inquiry to discover exactly what went on, saving time and public money.

Furthermore, licences for the secure comms platform can be given to trusted colleagues in third party organisations. This would enable ministers and civil servants to communicate with whoever they need to, with the data remaining in the control and ownership of the government.

NCSC’s Secure Communications Principles

The NCSC has published principles dealing with secure communications which are:

  • Protect data in transit
  • Protect network nodes with access to sensitive data
  • Protect against unauthorised user access to the service
  • Provision for secure audit of the service
  • Allow administrators to securely manage users and systems
  • Use metadata only for its necessary purpose
  • Assess supply chain for trust and resilience

 

In an election year, if politicians and civil servants want to take a step towards repairing their somewhat tarnished reputations, following their own government’s guidelines about what constitutes secure communications would be a good place to start.

For more information about what to look for read our Secure Communications Buyer’s Guide to discover the 10 questions you should be asking: https://armourcomms-25743375.hubspotpagebuilder.eu/buyers-guide-landing-page-2

More instances of Ministers’ disappearing messages!

A secure communications platform would provide a simple to follow audit trail

People like using WhatsApp. There are reputedly 2.7 billion users globally, beating both Facebook and WeChat. However, it’s really not suitable, or indeed secure enough, for organisations in either the government or private sector, especially when national security may be at stake. The latest twist in the Covid inquiry demonstrates this point yet again.

The Guardian reported that Penny Mordaunt, Leader of the Commons, who served under Boris Johnson as paymaster general during the Covid pandemic, told the inquiry that WhatsApp messages with the then prime minister had mysteriously disappeared from her phone.

What actually happened to those messages we may never know. However, had all communications between ministers and people working in government been properly safeguarded, i.e. securely archived so that they were available for later audit, this current situation would simply not have arisen.

Preserving the evidence

In other industries, financial services for example, organisations are required by the Financial Conduct Authority (FCA) to preserve any material conversations, including those conducted over instant messaging, so that they can be reviewed at a later date should the need arise. Financial institutions have banned employees from using unsanctioned apps such as WhatsApp for any form of business conversation, and those that have been caught have suffered punitive fines as a result.

Emails of government employees and ministers are securely stored and have been for many years. So, with the ubiquity of instant messaging, why are these communications not treated in the same way? Many other countries’ governments have banned the use of consumer apps such as WhatsApp, Telegram and Signal, with France being the latest. When will the UK government follow suit?

BYOD devices can still be used

The Guardian article notes that Ms Mordaunt admitted using her own personal phone for some messages. Ministers using their own phones for government business, while understandable as no one wants to be bothered carrying two phones, adds extra complexity to the issue of maintaining a public record of official communications. However, if a secure communications messaging app (the sort already approved and recommended by the National Cyber Security Centre (NCSC)) is used, any communication via the platform is preserved, even on a BYOD device and even if the original messages are lost or deleted from the device.

Ministers using these apps could even provide licences to journalists and other third parties, so that all calls, conversations and communications are preserved.

NCSC’s Secure Communications Principles

The NCSC has published principles dealing with secure communications which are:

  1. Protect data in transit
  2. Protect network nodes with access to sensitive data
  3. Protect against unauthorised user access to the service
  4. Provision for secure audit of the service
  5. Allow administrators to securely manage users and systems
  6. Use metadata only for its necessary purpose
  7. Assess supply chain for trust and resilience

 

Furthermore, NCSC has published guidelines for dealing with Shadow IT which expressly covers the use of unsanctioned channels and applications.

NCSC approved alternative to consumer apps

While consumer apps are easy and convenient to use, the Armour NCSC-approved Secure Communications Platform is equally as engaging. It has been designed working closely with NCSC to ensure that there is the correct balance between usability and security that supports good information governance.

Had ministers been using such a platform for communications, there would be no question about what happened to messages: they would all be archived and available for review by suitably approved and authenticated auditors. It would have been much easier and faster for the inquiry to discover exactly what went on, saving time and public money. And dare we say it, democracy would have benefitted!

For more information about how to tackle Shadow IT read our eBook: https://armourcomms-25743375.hubspotpagebuilder.eu/shadow-it-ebook or download our Secure Communications Buyer’s Guide to discover what you should be looking for and the 10 questions you should be asking: https://armourcomms-25743375.hubspotpagebuilder.eu/buyers-guide-landing-page-2

Should your staff use burner phones on business trips?

Some of the world’s largest consultancy firms (including the ‘Big 4’) are asking staff to use burner phones when they visit Hong Kong – but is this really the right solution?

A recent article in the Financial Times highlighted the growing concern about the risk to commercial data and the dangers of working in potentially unfriendly regimes. As Beijing continues to exert more control over the previously semi-autonomous international business centre of Hong Kong, more organisations are suggesting that company executives should take extra care when visiting the city, due to increased risks of hacking and unauthorised access to client data if work devices are used. In short, companies like Deloitte and KPMG are asking staff to use burner phones when in Hong Kong. And this is not being received well by some senior executives who prefer not to travel to the region due to the inconvenience of needing extra devices and leaving their usual phones and laptops at home.

This isn’t the first time that such an edict has hit the headlines. In January 2022 athletes from the US and UK were advised to use burner phones during the Beijing Winter Olympic Games due to concerns about an app provided by the Chinese government for use by all Olympics attendees that had significant security flaws.

This most recent example of organisations taking a stand against the dangers of state-sponsored hacking is equally applicable to many global organisations who have their Asia-Pacific headquarters in Hong Kong, or indeed any untrusted regime. Some of the firms affected have expressed concerns about the legal liability associated with leaks of client data, and the commercial implications should clients’ data be stolen or compromised.

Burner phones – a solution or a risk?

This all raises an important question: what are the pros and cons of burner phones? From the user’s viewpoint, it is inconvenient to have to use a temporary phone, possibly with only a subset of the apps they are used to using. Conversely, if the phone is bought in country, then it might be considered unsafe because its provenance cannot be certain. For cost reasons such phones are usually Android devices, which makes them more susceptible to having been ‘jailbroken’ (modified to remove restrictions imposed by the manufacturer, to allow the installation of unauthorised software) or to already containing potentially malicious apps from local carriers or distributors. While more secretive users might choose a burner phone because it helps their traffic blend in with local phone communications, the primary purpose of using a burner phone is to be able to dispose of it when it is no longer required, so that whatever malware it contained, or picked up while in use, is not brought back into the user’s organisation. So, a burner phone is always a short-term solution to manage communications risks.

How Armour® helps

Armour Mobile™ and SigNet by Armour® can protect your mobile communications and data whether you choose to take your normal phone into a potentially hostile environment, or you need a secure communications solution that can be easily deployed on a burner phone.

Armour’s solutions completely isolate the communications and any associated data, metadata or files (attachments such as documents, images and video clips). In addition to end-to-end security over the air, all data is encrypted and secured at rest within the app, protecting your contacts, messages and attachments from malware on the device or if the device is lost or stolen. The ultimate goal is to minimise your organisation’s risk by reducing the residual data held on the device. Armour’s products are ‘Secure by Design’; for example, the app requires sole use of the microphone, ensuring rogue apps are not ‘listening in’ to voice or video calls.

In addition, before the app can be used, the Armour software checks whether the device has been jailbroken; if it has, the user will not be able to use the Armour app.

Armour provides its own viewers for certain types of attachments, so as not to share information with the operating system or third-party viewers, and to prevent the user from deliberately or accidentally sharing the attachment (and its sensitive information) outside of the Armour app, thus avoiding the potential for data leakage.

To minimise the use of the public internet and untrusted, insecure networks, the Armour apps can be installed in a variety of ways. Depending on the specific use case requirements this can include via SD card or via a completely closed VPN network (using additional technology from Armour technology partners).

Armour Mobile and SigNet also include many security features within the app to protect against data leakage. These include the Message Burn and Disappearing Messages features, where the sender of a message can set it to automatically delete at a set time, either after it has been read or after it has been sent. This feature can be deployed as a standard setting across chat groups or communities of users. In addition, if a phone is lost, stolen or compromised, all data held within the Armour platform can be wiped remotely.

For more information about how Armour can help your organisation protect corporate and client information while travelling in untrusted regimes, contact us today.

Or read our Buyer’s Guide to find out what you should be looking for: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/  

France bans WhatsApp use by Ministers

The French Prime Minister, Elisabeth Borne, has banned the use of the consumer messaging solutions WhatsApp, Signal and Telegram by government ministers and their teams. The ban cites security vulnerabilities, something that we at Armour have been talking about for a number of years now!

Many organisations still commonly use mass-adoption platforms for communicating, when there is an alternative that is every bit as convenient and easy to use as a consumer-grade app, and is approved by the UK’s National Cyber Security Centre (NCSC). This solution, Armour Mobile, is widely used throughout the MOD and parts of the government that require higher assurance.

Why are mass-adoption services so insecure?

Any messaging, communications or collaboration platform that allows anyone to join cannot be considered secure, simply because without strong, identity-based authentication, participants cannot be sure that they are really communicating with whom they intended. Account theft, SIM swapping and simply renaming one’s social media account to look like someone else make it very easy for people, including government personnel, to get phished and accidentally leak sensitive information. The exponential increase in the power of AI to generate deepfake impersonations means that this is going to be an escalating issue. Our recent blog explains the dangers of impersonation-based attacks and how to mitigate them.

On top of this very significant security flaw, there are a number of other issues such as:

A tempting target

Mass-adoption platforms, by the very nature that everyone uses them, are a lucrative target for hackers, activists, cyber criminals and nation-state sponsored attacks. This means that any organisation using WhatsApp, Signal, Telegram, or Teams, Zoom or Google Meet could easily get caught in the cross-fire and suffer lost data, or an inability to communicate, even if they are not the intended target.

No data sovereignty

You have no control over where your data goes, what server it is held on and who might have access to it. At the very least, this raises data privacy concerns, for example GDPR compliance, quite apart from the issues around handling sensitive data that, if exposed, could put an organisation at a commercial disadvantage, or even compromise national security.

No control over where your information is sent

With social media apps, once a communication has been sent to a third party, the sending organisation has no control over what the recipient then does with that information. Ex-Health Minister Matt Hancock’s published WhatsApp messages demonstrated this point admirably. The fierce back-and-forth arguments between Boris Johnson and Dominic Cummings are another such example. Read more here, complete with fruity language: https://www.bbc.co.uk/news/uk-67275967


How Armour Comms delivers secure communications

In answer to the issues outlined above, Armour Comms delivers a secure communications platform with all of the convenience and usability of a consumer-grade app, but with enterprise-grade management features. These include:

  • Managed communities, meaning that only verified people can join, so users can be confident they will only be communicating with authorised and authenticated users.
  • All information is protected within the Armour environment. Armour can be hosted in the secure Armour cloud, or on-premises (e.g. within a government or other known data centre), so that you know exactly where your data is being held, delivering your data sovereignty requirements.
  • Message Burn and automated message deletion mean that conversations can be set to delete automatically after a set time, so that sensitive data doesn’t accumulate on a device. Additionally, individuals can set a message to delete a certain time after it has been read, or after it has been sent.
  • For any device that is lost, stolen, or compromised, all data held within the Armour environment can be remotely wiped.
  • Secure auditing capabilities mean that all communications are securely recorded for review at a later date, even if the messages have been deleted from the original device, meeting compliance needs such as Public Records, the Freedom of Information Act and other industry-specific regulations.

Armour Mobile is approved by the NCSC and NATO. It is widely in use across the MOD and defence contractors, as well as in areas of the UK government that require higher assurance.

Read our buyer’s guide for more information about how Armour Comms’ secure communications platform can help, and what questions you should be asking. DOWNLOAD HERE

The impact of power cuts on your communications, resiliency and security

When the lights go out, what happens to your secure comms capabilities? And how do you ensure legislative compliance – particularly in regulated industries?

If you are working in a location prone to power outages, how do your employees continue working and communicating securely if your corporate business systems are out of action? How do you ensure operational resilience?

In many areas around the world, power transmission can’t be taken for granted. Power cuts are an all too frequent occurrence in some geographic locations, for numerous different reasons. People and organisations adapt and generally speaking business continues.

But stop and think for a minute. Exactly how do your staff continue working? If they are using their own devices and non-corporate means of communicating, what happens when people are sharing company-confidential information over unmanaged networks to unmanaged devices? All the issues associated with the use of shadow IT during normal operations (lack of oversight, accountability and traceability, and heightened data security risks) are magnified when there is a power outage.

A particular risk for financial services organisations is the punitive fines and loss of reputation should employees be found using non-sanctioned apps such as WhatsApp. Our previous blogs outline the details of nearly $2bn in fines levied by the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) for the use of unauthorised apps. More recently, the UK energy regulator Ofgem fined US bank Morgan Stanley for failing to keep records of communications after energy market traders used WhatsApp to discuss the details of energy deals.

How confident are you that your intellectual property, corporate data, trade secrets, sensitive customer information and commercially valuable information isn’t being put at risk?

Are Satellite Services the answer?

For those used to travelling to remote locations where landlines are non-existent and mobile coverage can be patchy, satellite services have long provided an alternative. Today satellite bandwidth is much greater, and signals correspondingly more reliable, than even just 5 years ago, and while reception can still be affected by atmospheric conditions (rain), services are now far more consistent.

As well as providing an alternative means of communication, using satellite services can, in some respects, be a more secure option because it does not rely on the open internet. In fact, the US National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (SP800-61) https://csrc.nist.gov/pubs/sp/800/61/r2/final states in Section 3.1.1, Preparing to Handle Incidents, that “…smartphones are one way to have resilient emergency communication and coordination mechanisms. An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.”

When combined with a built-for-purpose, Secure by Design secure communications platform, a satellite service can provide a strong solution for business resilience.

What do we mean by Secure Communications?

Secure communications are defined as a means by which people can share information with a strong degree of certainty that the communications remain completely private: third parties cannot intercept or overhear what was said, and the information shared remains in the control of the sender (for example, it cannot be forwarded to other unauthorised parties).

Typically, truly secure communications run on an independent platform that does not rely on mass-use consumer technology to operate. Secure communications should include:

  • Voice
  • Instant Messaging
  • Video calls and conferencing
  • Sending attachments and files while conversing

Ideally, the secure communications platform runs over a variety of networks including 3/4/5G, Wi-Fi and satellite, and will also interoperate with SIP-based PBXs, providing secure communications right to the desktop.

What exactly should you be looking for?

Consumer applications all claim end-to-end encryption, but there is a lot more to security than just encryption, so when looking for a secure communications solution there are multiple aspects to consider. Understanding the likely threats in this environment and addressing each one, combined with providing an application that is as easy to use as, say, a consumer application, is key to most organisations’ decision-making. This is an important point made by the UK’s National Cyber Security Centre (NCSC) in its document Secure communications principles, which highlights the key points to look for in a secure communications solution.

Popular collaboration apps, such as MS Teams, Zoom, Google Meet etc., may not provide end-to-end encryption because they often decrypt the data at the server in order to provide an audit capability. And if power is down, the services cannot be relied upon to be operational, even if your employees can gain access to them.

Our Buyers’ Guide provides a list of pertinent questions applicable to commercial organisations, government, defence, and the wider public sector. It covers key points recommended by NCSC as well as some additional questions that are particularly relevant to the protection and preservation of data in regulated industries such as financial services.

10 Questions to Ask

  1. How is data protected, both at rest on the device, and in transit?
  2. How does the app prove identity? Can it protect against deep fake scams?
  3. Where is the data stored? Does it provide data sovereignty?
  4. Can you separate business and personal communications? Is it suitable for use on a BYOD device?
  5. Is the app designed with security in mind (Secure by Design), from the ground up? Are the default settings secure?
  6. What are the archiving and audit options?
  7. Are there different levels of security to handle different classifications of data? And can people from different entities or groups communicate across the app?
  8. How does it handle video conference calls? Does it provide higher levels of security for conference calls?
  9. How would your IT/business continuity teams communicate in the event of a severe cyber breach?
  10. Do your existing comms and messaging arrangements meet the NCSC 7 principles for secure communications?


Ensuring compliance with industry regulations

In the event of a severe power outage, or other critical incident, being able to communicate securely is of paramount importance for keeping business running. Many organisations rely on employees using their own phones in an emergency, but when the dust has settled and the lights are back on, it will be extremely difficult to analyse what information was sent where. And with no audit trail, there will be no possibility of complying with data privacy, Know Your Customer, DORA, MiFID, GDPR or any other form of industry regulation, and little opportunity to learn from mistakes.

Armour Comms has published Securing Communications Channels – A buyer’s guide to help organisations identify the key points they should look for.

Download your copy here: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/