How secure are your communications with your Supply Chain?


The pandemic and, for that matter, Brexit have recently brought into sharp focus the role of the supply chain, and just how crucial it is to the running of many traditional businesses, including UK plc.  Thanks largely to Brexit planning, most manufacturing businesses were holding reasonably high levels of stock and so were better able to cope with the issues raised by the restrictions of lockdown.  However, one area that gets discussed less often is the security of communications with the supply chain.

Supply chain due diligence

Risks within the supply chain are many, and not least is the reputational damage to your own brand should something go wrong with one of your suppliers. Best practice due diligence is a standard part of risk mitigation for dealing with suppliers.  For example, most organisations have policies concerning the environment, modern slavery, bribery and corruption and corporate social responsibility, which suppliers are expected to comply with as part of commercial agreements.  However, despite all of these policies designed to protect the company, most organisations do not have procedures in place for communicating with partners and suppliers around sensitive or confidential issues, for example, product, pricing details, orders and contracts, formulae/recipes, logistics and warehousing arrangements. Any of these details could provide valuable information to your competitors, so communications should be secured.

This is particularly important because the very act of communicating with your supply chain has the potential to open up your organisation to much greater security risks. As the NCSC points out in its Secure Communications Principles document, published earlier this year (https://www.ncsc.gov.uk/guidance/secure-communication-principles-alpha-release), “Many organisations will wish to communicate securely with contacts outside of their own organisation. If a communications service does not allow this, then their members may revert to using an insecure service that does not meet these principles.”  People will always find a workaround to (a) get the job done, and (b) make their own lives easier.  For these reasons, it is imperative that a secure comms solution can be extended for use by trusted contacts outside of the organisation.

Consumer apps are not the answer

In the current climate, consumer apps like WhatsApp and Zoom have been adopted by many as the means of communication. However, both have their drawbacks. As well as the question over what happens to metadata when you are using an app owned and controlled by a global social media company, in the case of WhatsApp there is also its inability to provide GDPR compliance.  The security flaws in services such as Zoom (and MS Teams for that matter) have already been well documented (https://www.bbc.co.uk/news/technology-52133349), with the new phenomenon of Zoombombing, where miscreants join calls uninvited to listen in or hurl abuse. Consumer-grade apps, whether on the desktop or mobile devices, give no control of users on the system and no constraints on where confidential messages and attachments can be forwarded to.

There are many questions about consumer apps’ overall handling of personal data and metadata, and other security concerns, meaning these apps are simply not suitable for corporate communications. See our previous blog, which explains why in more detail: https://www.armourcomms.com/2020/02/06/using-consumer-apps-for-business-use-is-illegal/?cat-slug=10  Despite this, many people admit to using them for business use: https://gdpr.report/news/2020/02/14/privacy-almost-half-of-whatsapp-usage-breaches-legal-terms/

A reliance on these apps could potentially leave businesses with significant vulnerabilities in their communications.  So how can you communicate with trusted third parties within your supply chain securely?

Secure comms apps support white-listing and groups

Both Armour Mobile and SigNet by Armour provide the facility, subject to certain controls, for different groups or communities to communicate.

Setting up distinct groups and communities within Armour Mobile and SigNet is particularly easy using our Desktop admin module.  It ensures that those that need to communicate with supply chain contacts and external third parties are able to do so easily and securely.

Our client QuoStar, an IT support and consultancy provider that specialises in businesses going through growth and change, has used Armour technology to:

  • Provide secure conferencing for numerous participants
  • Secure intra-company and company to company communications
  • Ensure calls and associated metadata are kept private
  • Protect data sent in messages, text or as attachments

 

At Sparten, a consultancy that provides discreet, intelligence-led, unconflicted advice to high net worth families, corporates and their advisors, they use a range of enhanced security features from Armour that have proven particularly valuable when communicating with third parties:

  • Secure Conference Calls for voice and video – the microphone is isolated so no other app can eavesdrop
  • White Listing and Groups ensure the sharing of contact details is controlled
  • MessageBurn or Audit Trail – some operatives prefer to burn messages once read while others from a legal perspective prefer to keep a record for audit purposes.

 

For more information about how Armour solutions could help you to communicate more securely with your supply chain, read our case studies:

Sparten deploys Armour Mobile to strengthen intelligence led approach

https://www.armourcomms.com/2020/01/06/sparten-deploys-armour-mobile-to-strengthen-intelligence-led-approach/?cat-slug=10

QuoStar safeguards communications and prevents hostile interception of sensitive IP with Armour Mobile

https://www.armourcomms.com/2019/07/24/quostar-safeguards-communications-and-prevents-hostile-interception-of-sensitive-ip-with-armour-mobile/?cat-slug=10

Armour Communications makes SC Magazine Awards short list

We are delighted to announce that Armour Comms has been shortlisted for the SC Magazine Best Mobile Security Solution – for the third year in a row!

The SC Magazine Awards are recognised in Europe and the US as the leading industry awards celebrating excellence in security and technology. Last year we took top honours and won the award, which was presented at a gala dinner held at the London Marriott Hotel Grosvenor Square.  With the UK currently in lockdown due to the coronavirus, the awards ceremony, which was due to take place on 2 June, has been cancelled, and the results will be announced online.

Tony Morbin, Editor-in-chief, SC Media UK said: “Our independent judges carefully consider each entrant against a range of criteria – but especially customer satisfaction – to determine who exemplifies best practice and will be this year’s winners. Plus we pick individuals to honour who embody those same attributes.

“Awards are about winners and praising success. This includes the success of every finalist who will have demonstrated that they are at the top of their game, each adding to our ability to defeat our adversaries, and that truly is worth celebrating.”

In the three years that we have been entering these awards our offering has developed significantly.  For example, for this year’s submission we were able to announce the launch and deployment of SigNet by Armour, our latest product, which we are developing in parallel with our flagship product Armour Mobile.  SigNet by Armour has been developed for some specific use cases and offers much of the same functionality, but based on 256-bit encryption. It is also available as either a cloud or an on-premises installation. The App provides the same ease of use as consumer-grade apps, and is available for Android and iOS devices and for use with Windows 10 and Mac OSX desktops.

The other main difference – for those techies amongst you – between the two product lines is that SigNet uses the double ratchet algorithm with prekeys and 3-DH key management to provide confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity.

For more information on any of our solutions, contact us on +44 (0)20 36 37 38 01 or email us: sales@armourcomms.com

Armour Comms participates in Shadowing Women in Technology programme

Over the past week, the female employees of Armour Comms hosted three female students from the Shadowing Women in Technology (SWIT) programme at University College London (UCL). Dr Andy Lilly (CTO) introduced Armour to UCL’s students in an evening presentation that included highlighting the many ways that one’s mobile phone data can be hacked and misused. For the visiting students, the aim was to show them what goes on inside an entrepreneurial start-up developing leading-edge security products; to facilitate this, the students circulated between female employees, observing how their different roles in Marketing, Pre-Sales and Development all contribute to Armour’s day-to-day operation.

Andy (Armour’s CTO) was clear that: “At Armour we respect and value staff diversity and inclusivity, so alongside strong links with universities we want to encourage women to study STEM (Science, Technology, Engineering and Mathematics) topics and to pursue rewarding careers in technology.”

A 2017 study by PwC (involving over 2,000 A-Level and university students) found that only 27% of females would consider a career in technology, compared to 61% of males. A lack of female role models was one of several factors that meant only a meagre 3% of the women said a career in technology would be their first choice. Sadly, the students noted that they, too, were very much in a minority in their own courses.

Andreea (Pre-Sales Engineer), one of the Armour hosts, explained: “While I am a member of the development team at Armour, I also support the Sales team in the technical aspects of their job. I gave the students an overview of the software and tools that I use, including the advantages and disadvantages of different operating systems. I described my experience with meeting customers, feeding back their requirements and contributing to internal meetings and technical documentation. Discussing my various training opportunities led to interesting conversations about professional development.”

Isabelle (Software Developer), said: “I demonstrated how I contribute to different projects and development processes; from software design and testing, to sprint ceremonies for managing current and future planning. I showed how we needed to interact and collaborate across different departments, working to define expectations, implement and test solutions. I highlighted how our supportive office culture optimises our progression, both as teams working to meet shared goals, and our individual growth in continuing to develop skills and knowledge, keeping up to date with advancements in technology.”

Kayleigh (Marketing) described her role: “We felt it was important for the students to see how marketing – everything from event organisation to design of brochures – fitted into the wider company structure of a technical business. Each student asked plenty of thoughtful questions throughout the day and it was refreshing to see their enthusiasm for daily tasks that we tend to take for granted. I hope this experience demystifies the office environment and encourages them to pursue a career in a technology field.”

Andy was delighted with the students’ engagement, and their wide-ranging questions: “Our team was asked about their backgrounds (from apprenticeships to postgraduates), and what had motivated them to enter this industry, Armour itself and their particular roles. The students enjoyed actively participating in our day-to-day meetings, experiencing technology demonstrations and real-life applications of our development processes. They appreciated the openness of our office atmosphere and asked frank questions about what sort of challenges were encountered when first starting here. We hope all the students gained a lot of useful information and have a better idea of the broad range of career opportunities in technology companies.”

Andreea, Kayleigh and Isabelle concluded: “We hope this experience will ultimately enable them to make an informed decision when they choose a career, and also de-bunked some of the myths and clichés about being a woman in tech, and showed them the importance of having passion for the area that you work in.”

How secure are your mobile communications? Top tips from the NCSC (part of GCHQ)

In a world where it seems acceptable for the US President to routinely use an unsecured mobile phone vulnerable to monitoring by foreign intelligence services we should all be thankful that the UK’s National Cyber Security Centre (NCSC) continues to work to “make the UK the safest place in the world to live and work online”.

According to the Centre for the Protection of National Infrastructure (CPNI), the UK is a high priority espionage target. Cyber espionage may use any form of cyber attack to steal classified, sensitive data or intellectual property to gain an advantage over a commercial competitor, company, government or nation state, but equally almost any individual (whether of high net worth, or having some knowledge or role of importance) may be a cyber espionage target. In order to achieve success, a cyber-criminal will attempt to identify and then exploit any perceived weakness within your protective security measures, and mobile communications are a key area of risk, especially as they are increasingly used as an authentication mechanism for all sorts of logins and financial transactions.

When looking at securing mobile communications, be it voice, video or messaging services, it is important for any solution to deliver 3 key outcomes: confidentiality, integrity and authentication, i.e.

  • keeping your communications private and protected from prying eyes / ears;
  • making sure that those communications haven’t been tampered with; and
  • ensuring that the communications are actually coming from the person you think.

 

While you might think selecting any mobile app that mentions the word “encryption” in its description will solve the first point, not only is this frequently not the case, but security and privacy have much broader considerations, even including where you’re holding your conversations (for a humorous yet worrying example, talking loudly about business on a train). The rapid increase in cases of fake audio (and now fake video) for fraud shows the dangers of compromising integrity or authentication… and we haven’t even got to the insecurity of carrier networks or how everyone is installing audio and video bugs, or ‘helpful assistants’, everywhere!

So, please go take a read through the advice from those savvy people at the NCSC on the key Secure Communication Principles for all your organisation’s important communications.

As you might expect, Armour’s products are designed to meet these secure communications principles from the ground up, and over the coming weeks we will be highlighting some of the details behind the principles and how you can apply them.

Armed Services Covenant – we’ve signed!


Armour Comms recently signed up for the Armed Services Covenant (www.armedforcescovenant.gov.uk) and it was one of the easiest decisions, as a company, we’ve ever made.  The covenant is a pledge by which all those that have signed it together acknowledge and understand that those who serve and have served in the armed forces should be treated with fairness and respect in the communities, economy and society that they serve, sometimes with their lives.

Those that have signed the covenant, which include government, the individual services (RAF, Army, Navy), businesses of all sizes, charities, communities and cadet forces, aim to go out of their way to help and support serving and retired personnel and their families.  It is something that we are happy to do; in fact, we are proud to treat all of our staff with as much flexibility and compassion as we can.  As an SME, it’s an obvious way for us to retain good, talented people.

Armed forces veterans have a lot of skills that are highly transferable to civilian life, particularly for a company like Armour.  Early next year we will be actively looking to recruit, and ex-servicemen and women are strongly urged to apply.

We have two roles in particular that could suit a veteran.  A pre-sales role, where technology knowledge and the ability to explain how our products work to potential customers are needed, would suit someone with a good level of presentation skills and confidence.  We will also be looking for people to install our technology at client sites, which will require customer service skills and technical and practical skills.

If you are looking ahead to 2020 for your next challenge, why not contact us now?

sales@armourcomms.com

View from DSEI

It’s not just hardware that keeps us safe!

Once again we are at DSEI, where the defence industry meets and greets every two years. It’s always an eye-opener to wander around the exhibition halls, see the latest helicopters, armoured vehicles, protective clothing, and this year the new Tempest. People were queuing up to sit in the pilot’s seat and see for themselves its impressive heads up cockpit display that provides a huge amount of information easily digestible even while manoeuvring at high speed. Indeed, it seems we are only a small step away from the Firefox (early 80s movie starring Clint Eastwood, based on the novel by Craig Thomas), where the pilot flew the aircraft by plugging himself in. This week alone there were two articles in the Economist about AI and its role on the battlefield.

The rise of cyber warfare

All this serves to remind us just how important data has become, not just in defence but in everyday life. Earlier this week we heard reports that policing is becoming more difficult because crime is changing. There are now many more fraud cases where victims are duped online and identities stolen, and hacking, phishing and cyber attacks are rife. Social media is now being used by all manner of groups including nation states and freedom fighters/terrorists who use it to spread propaganda and fake news that can potentially affect the outcome of elections. The same techniques can persuade a city under siege to lay down its arms, or fans to buy the latest Taylor Swift album.

Is data the last frontier?

The huge importance of data and online technology is reflected at DSEI with the cyber security section growing ever larger each time we exhibit. While we don’t have large, intimidating hardware to show off, we’ve been getting a lot of interest because everyone can relate to the horror of having your personal, private or company confidential communications hacked. From soldiers on a tour of duty, to journalists in an unfriendly regime, to government officials discussing matters of state or business people sharing intellectual property, we all have information that we would rather did not end up with our competitors, or made public. In some cases this could impact national security.

Free apps – You’re the product!

In a world defined by an always-on culture dominated by online interactions and global networks, it is still possible to keep control of your personal and business information. You can stay ‘under the radar’ but not by using free services. The old adage, that if it’s free, then you are the product, is never more true than with social media platforms and the various tools that those platforms own and control.

If you’d rather keep your communications private, contact us now to discuss how. sales@armourcomms.com

Media file jacking vulnerability found in WhatsApp and Telegram


Time lapse can be exploited to manipulate sensitive files for malicious intent

WhatsApp is back in the news following the release of new research by Symantec that reveals a vulnerability, termed ‘media file jacking’, that can affect WhatsApp and Telegram for Android. The security flaw allows malicious attackers to manipulate and modify media files such as commercial documents, photos and recordings in WhatsApp and Telegram based on the users’ settings.

The challenge of default settings

Android apps can store files and data in two storage locations: ‘internal’ and ‘external’ storage. Files saved to internal storage are accessible only by the app itself, meaning other apps cannot access them. Files saved to external storage – whether this is a generally-accessible folder on the device, or a public (e.g. cloud) folder – can be modified by other apps or users beyond the app’s control. WhatsApp and Telegram may store media files in external storage (depending on user settings); this means that, without proper security measures in place, other apps with write-to-external-storage permission can maliciously access and alter files. Effectively these apps place their root of trust in the storage medium rather than controlling the root of trust themselves.

End-to-end encryption is one part of the story

There is a common perception that instant messaging apps are immune from privacy risks and manipulation of attachments due to security features such as end-to-end encryption. Whilst end-to-end encryption is an effective mechanism, it only protects content in transit: it doesn’t stop the altering of files on external storage before the content is encrypted for sending or after it has been decrypted on receipt. A user may innocently download an app unaware that it contains malware capable of manipulating files stored in external storage. An app that appears to be legitimate but is in fact malicious can intercept files, such as a PDF invoice file received via WhatsApp, then programmatically swap the displayed bank account information in the invoice with that of a malicious actor. Equally feasible (as described by Symantec) could be substitution of an altered audio recording giving fraudulent instructions, manipulation of an image or map for deceptive purposes, or even changing a Telegram channel feed to insert ‘fake news’.
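One way an app can keep the root of trust under its own control, shown here as an added example (not code from Symantec, WhatsApp, Telegram or Armour): record a digest of each attachment in app-private state at the moment it is decrypted, and refuse to use a file from shared storage unless its bytes still match. The class and function names, the sample invoice and the use of temporary directories to stand in for Android external storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


class AttachmentIntegrityStore:
    """Digest records held in app-private state (a dict stands in for the
    app's private database, which other apps cannot write to)."""

    def __init__(self) -> None:
        self._digests: dict[str, bytes] = {}

    def save_received(self, shared_dir: Path, name: str, plaintext: bytes) -> Path:
        # Record the digest from the bytes that came out of the end-to-end
        # encrypted channel, before they ever touch shared storage.
        self._digests[name] = hashlib.sha256(plaintext).digest()
        path = shared_dir / name
        path.write_bytes(plaintext)
        return path

    def open_verified(self, path: Path) -> bytes:
        # Read once, verify those bytes, and return the same bytes, so the
        # caller never re-reads a file that could change after the check.
        expected = self._digests.get(path.name)
        if expected is None:
            raise PermissionError(f"{path.name}: no integrity record")
        data = path.read_bytes()
        if not hmac.compare_digest(expected, hashlib.sha256(data).digest()):
            raise PermissionError(f"{path.name}: modified after receipt")
        return data


def rejected(store: AttachmentIntegrityStore, path: Path) -> bool:
    """True if the store refuses to hand back the file's contents."""
    try:
        store.open_verified(path)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    # Constructed sample attachment; the account numbers are made up.
    invoice = b"Invoice 1001\nPay to account: 11111111\n"
    with tempfile.TemporaryDirectory() as shared:
        shared_dir = Path(shared)          # stands in for external storage
        store = AttachmentIntegrityStore()
        path = store.save_received(shared_dir, "invoice.txt", invoice)

        untouched_ok = store.open_verified(path) == invoice

        # Another process with write access to shared storage alters the file.
        path.write_bytes(invoice.replace(b"11111111", b"99999999"))
        tamper_detected = rejected(store, path)

        # A file that appeared in shared storage without passing through the app.
        planted = shared_dir / "other.txt"
        planted.write_bytes(b"not received by the app")
        unknown_rejected = rejected(store, planted)

    return {
        "untouched_ok": untouched_ok,
        "tamper_detected": tamper_detected,
        "unknown_rejected": unknown_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The check detects modification after receipt; it does not hide the file's contents from other apps, which is why storing attachments inside the app's own encrypted storage is the stronger control.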

Not all applications are created equally

Just as there is no such thing as a free lunch, the saying can be equally applied to applications. Data is a valuable currency and cyber criminals are in the business of quick and easy paydays. With any free app you don’t really know who has access to your information and because it’s free you don’t have any recourse. If you aren’t paying for the product, it means you ARE the product.

Employees should take security seriously but in the absence of a secure and easy to use app, people will naturally seek their own workaround solutions. Armour Mobile is a cost-effective and easy to use solution that works on everyday smartphones. With the same usability as consumer-grade apps, but with significantly enhanced security (secure message attachments are stored in the app’s encrypted database, i.e. controlling the ‘root of trust’ mentioned earlier) it could be the answer to your security needs. Contact us today to discuss a solution.

Royal Signals cyclist continues gruelling training schedule

A couple of months ago I reported that Armour Comms is proudly supporting Army Reservist Mark Howells.  We have now extended our support to include the whole cycling team of the Royal Signals.

Fresh back from training camp, Mark has been filling me in on his training schedule for the rest of the year – a budding team triathlete, this includes swimming as well as cycling.  Over the coming months he certainly has a packed diary, with events and qualifiers every weekend, including qualifiers for the Invictus Games.   As well as a few 100 milers (cycling) Mark will also be taking part in some criterium races (where participants race around a circuit, typically in a town), which tend to be fast and furious with a sprint finish.

We are very much looking forward to seeing Mark and the team in Armour colours, and wish everyone the very best of luck.

Watch this space for further updates.