QuoStar safeguards communications and prevents hostile interception of sensitive IP with Armour Mobile

QuoStar

 “Armour Mobile was the standout solution for its superior functionality, use and ease of deployment. The client’s communications are now secure and the cost savings from no longer requiring hand delivery of documents has been immediate and substantial.”

  • Simon Gadsby, Chief Operating Officer, QuoStar

 

QuoStar is an IT support and consultancy provider that specialises in businesses going through growth and change. When one of its international clients reported that it was experiencing network traffic interception from global threat actors, the team at QuoStar set about finding a solution to secure telecommunications. Armour Mobile was deployed into the client’s environment and, upon seeing the benefits, QuoStar adopted the Armour solution to safeguard its own sensitive communications.

Business Drivers

QuoStar’s client required a high assurance communications platform for secure conference calls, messaging and document sharing across teams in multiple international locations. The client was keen to protect communications that were at risk of interception. To mitigate risk, documents were dispatched via personal courier services ensuring all documents were hand-held until reaching the final destination. This method was hugely costly, both financially and in terms of resources, with documents travelling by hand from country to country and across continents. A new solution was required that could:

  • Provide secure conferencing for numerous participants
  • Secure intra-company and company to company communications
  • Ensure calls and associated metadata are kept private
  • Protect data sent in messages, text or as attachments

 

The Solution

It was important for a new solution to be cost-effective, easy to use and incorporate advanced security techniques to ensure communications could not be intercepted or compromised. After assessing several solutions Armour Mobile was selected for its wide range of features and ease of deployment.

Armour Mobile, hosted on Armour’s secure cloud, was deployed first, providing a trusted platform that allowed communications to be set up enterprise-wide within hours. This was followed by an Armour Mobile On-Premises solution, enabling complete control of all metadata. The Armour solution has enabled the client to benefit from economies of scale and the savings associated with using VoIP technology, all in a secure environment.

Secure collaboration

Conference calls and group messaging are an important part of how teams communicate within the organisation. Using Armour Mobile allows multiple users to collaborate securely utilising the same communications platform. New team members can be provisioned quickly, with no additional hardware required. The Armour Mobile app is downloaded from the app store onto employees’ existing handsets and IT provisions the user in minutes, providing the employee with a safe and secure channel of communication.

One of the major benefits of Armour Mobile is its ease of use for the end-user. With all the functionality and user experience associated with consumer-grade apps, there is no need for training as the app is intuitive to use.

“Armour Mobile delivers the secure communications, information management and ease of deployment that the client wanted. The additional in-app security, closed group communications and encryption of data in motion provides the flexible and highly secure communications platform that the client required.”

Business Benefits

  • Secure communications – calls are protected from the risk of eavesdropping and documents from interception by outside agencies. Armour Mobile encrypts data in-transit and at rest, rendering it unreadable, and therefore protected. Sensitive corporate information sent via message or text is protected in line with EU General Data Protection Regulation (GDPR).
  • Substantial cost saving – deploying Armour Mobile has eliminated the need for couriers to hand deliver documents across the globe saving thousands of pounds within the first month of deployment and providing an instant Return on Investment.
  • Improved efficiency and productivity – the ability to securely transmit documents has resulted in greater productivity and efficiency. No longer hindered by the time delays of documents being delivered by hand, colleagues can quickly share information without delay.
  • Improved data security, governance and auditability – providing assured safe and secure communications across international operations has improved information assurance and data management processes. The client is able to assure its stakeholders that intra-firm communications are secure, encrypted and private. 

 

Appreciation drove adoption within QuoStar

“Seeing the real-world benefits of Armour Mobile in operation at the client’s premises prompted a review of our own secure communications. The ease of use and functionality across the whole communications spectrum drove the decision to adopt Armour Mobile for use amongst QuoStar’s executive management team. This is a testament to just how good Armour Mobile is.”

Media file jacking vulnerability found in WhatsApp and Telegram

File Jacking

Time lapse can be exploited to manipulate sensitive files for malicious intent

WhatsApp is back in the news following the release of new research by Symantec that reveals a vulnerability, termed ‘media file jacking’, that can affect WhatsApp and Telegram for Android. The security flaw allows malicious attackers to manipulate and modify media files such as commercial documents, photos and recordings in WhatsApp and Telegram based on the users’ settings.

The challenge of default settings

Android apps can store files and data in two storage locations: ‘internal’ and ‘external’ storage. Files saved to internal storage are accessible only by the app itself, meaning other apps cannot access them. Files saved to external storage – whether this is a generally-accessible folder on the device, or a public (e.g. cloud) folder – can be modified by other apps or users beyond the app’s control. WhatsApp and Telegram may store media files in external storage (depending on user settings); this means that, without proper security measures in place, other apps with write-to-external-storage permission can maliciously access and alter files. Effectively, these apps place their root of trust in the storage medium rather than controlling the root of trust themselves.

End-to-end encryption is one part of the story

There is a common perception that instant messaging apps are immune from privacy risks and manipulation of attachments due to security features such as end-to-end encryption. Whilst end-to-end encryption is an effective mechanism it doesn’t stop the altering of files on external storage before or after the content is encrypted in transit. A user may innocently download an app unaware that it contains malware capable of manipulating files stored in external storage. An app that appears to be legitimate but is in fact malicious can intercept files, such as a PDF invoice file received via WhatsApp, then programmatically swap the displayed bank account information in the invoice with that of a malicious actor. Equally feasible (as described by Symantec) could be substitution of an altered audio recording giving fraudulent instructions, manipulation of an image or map for deceptive purposes, or even changing a Telegram channel feed to insert ‘fake news’.
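One way for an app to keep the root of trust under its own control while still writing media to shared storage, shown as an added example (not code from Symantec, WhatsApp, Telegram or Armour): the digest of each received file is recorded in app-private storage, and the file is only used if the bytes read back still match. The `MediaStore` class, the file names and the temporary directories standing in for Android internal and external storage are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


class TamperedMediaError(Exception):
    """The file in shared storage does not match what the app received."""


class MediaStore:
    """Media lives in shared ("external") storage; the digest manifest lives in
    app-private ("internal") storage, which other apps cannot write to."""

    def __init__(self, private_dir: Path, shared_dir: Path):
        self.shared_dir = shared_dir
        self.manifest_path = private_dir / "media_manifest.json"

    def _manifest(self) -> dict:
        if self.manifest_path.exists():
            return json.loads(self.manifest_path.read_text())
        return {}

    def save_received(self, name: str, data: bytes) -> Path:
        # Hash the decrypted bytes before they ever touch shared storage.
        manifest = self._manifest()
        manifest[name] = hashlib.sha256(data).hexdigest()
        self.manifest_path.write_text(json.dumps(manifest))
        path = self.shared_dir / name
        path.write_bytes(data)
        return path

    def load_verified(self, name: str) -> bytes:
        # Read once, verify those exact bytes, and hand back the bytes rather
        # than the path: re-opening the file after the check would reopen the
        # window between verification and use.
        expected = self._manifest().get(name)
        if expected is None:
            raise TamperedMediaError(f"{name}: no digest recorded at receipt")
        try:
            data = (self.shared_dir / name).read_bytes()
        except FileNotFoundError:
            raise TamperedMediaError(f"{name}: missing from shared storage") from None
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            raise TamperedMediaError(f"{name}: content changed since receipt")
        return data


def _rejected(store: MediaStore, name: str) -> bool:
    try:
        store.load_verified(name)
    except TamperedMediaError:
        return True
    return False


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        private_dir, shared_dir = Path(root, "internal"), Path(root, "external")
        private_dir.mkdir()
        shared_dir.mkdir()
        store = MediaStore(private_dir, shared_dir)

        # Constructed sample attachment, not real data.
        invoice = b"INVOICE 0001\nPay to account: 11111111\n"
        path = store.save_received("invoice.txt", invoice)
        results = {"clean_ok": store.load_verified("invoice.txt") == invoice}

        # Simulate another app with shared-storage write access altering the file.
        path.write_bytes(invoice.replace(b"11111111", b"99999999"))
        results["modified_rejected"] = _rejected(store, "invoice.txt")

        # A file dropped into shared storage that the app never received.
        (shared_dir / "planted.txt").write_bytes(b"constructed sample")
        results["unknown_rejected"] = _rejected(store, "planted.txt")
        return results


if __name__ == "__main__":
    print(demo())
```

The check detects modification but does not keep the content confidential; storing attachments only in app-private, encrypted storage avoids the exposure altogether.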

Not all applications are created equally

Just as there is no such thing as a free lunch, the saying can be equally applied to applications. Data is a valuable currency and cyber criminals are in the business of quick and easy paydays. With any free app you don’t really know who has access to your information and because it’s free you don’t have any recourse. If you aren’t paying for the product, it means you ARE the product.

Employees should take security seriously but in the absence of a secure and easy to use app, people will naturally seek their own workaround solutions. Armour Mobile is a cost-effective and easy to use solution that works on everyday smartphones. With the same usability as consumer-grade apps, but with significantly enhanced security (secure message attachments are stored in the app’s encrypted database, i.e. controlling the ‘root of trust’ mentioned earlier) it could be the answer to your security needs. Contact us today to discuss a solution.

Global phone carriers targeted by espionage campaign

David and Goliath

It’s not often that global telcos could be described as a ‘David’ in a ‘David and Goliath’ analogy, but that is exactly what we are looking at in the latest hacking scandal.

In a story that broke this week in El Reg https://www.theregister.co.uk/2019/06/25/global_telcos_hacked/ and CNBC https://www.cnbc.com/2019/06/25/hackers-hit-telecommunications-firms-cybereason.html, a long-running espionage campaign has been waged by (it is alleged) the Chinese government against at least ten cellular telcos around the world. While a telco might have a security team of 50 people, huge by comparison to most organisations, this is minuscule when compared to the resources of a nation state, hence the David and Goliath reference. The campaign, which has apparently been running for several years, has even involved VPNs being set up within the telcos’ own infrastructure so that the perpetrators could snoop more quickly and easily on their targets. So the story goes, the campaign was aimed at 20 to 30 high value targets, and the snoopers were able to access hundreds of gigabytes of phone records, text messages, device and user metadata and location data for hundreds of millions of subscribers.

This is another reminder that you can’t necessarily rely on your telco or ISP to protect your data and metadata. This is not because they are particularly negligent or complicit, but simply because flaws in the old technology that underpins most networks around the world can be exploited by nation states with almost limitless resources.

If you don’t want to be tracked, if you want to keep your communications private, if you discuss company intellectual property or trade secrets that you don’t want your competitors to learn about, if you are a journalist, aid worker, or special/covert services operating in an unfriendly regime, you need to take steps to ensure that your mobile data is protected.

Watch this space for more on this story in the coming weeks.

Royal Signals cyclist continues gruelling training schedule

A couple of months ago I reported that Armour Comms is proudly supporting Army Reservist Mark Howells.  We have now extended our support to include the whole cycling team of the Royal Signals.

Fresh back from training camp, Mark has been filling me in on his training schedule for the rest of the year – a budding team triathlete, this includes swimming as well as cycling.  Over the coming months he certainly has a packed diary, with events and qualifiers every weekend, including qualifiers for the Invictus Games.   As well as a few 100 milers (cycling) Mark will also be taking part in some criterium races (where participants race around a circuit, typically in a town), which tend to be fast and furious with a sprint finish.

We are very much looking forward to seeing Mark and the team in Armour colours, and wish everyone the very best of luck.

Watch this space for further updates.

Armour Comms expands into new office space as revenues double

Momentum

London, 4 June 2019: Armour Comms, the leading provider of specialist, secure communications solutions, has seen its most successful year to date with revenues set to double.  As a result of several significant new contracts, Armour Comms is taking on extra office space to house new appointments in product development, quality assurance and customer support. During the past year, Armour Comms has signed up another major Government department, taking the total number of central Government organisations using Armour Mobile to seven, as well as a whole host of other new clients across a range of industries, many of which were previously using less secure consumer-grade apps.

In April Armour Comms launched the latest version of its flagship product Armour Mobile at Cyber UK 2019 – the premier annual cyber security event run by NCSC (National Cyber Security Centre).  Armour Mobile v3.0, which introduces significant new features including biometric authentication (fingerprint and facial recognition), and rapid ‘auto’ provisioning of new users using secure QR codes or encrypted links within emails, was extremely well received, with enquiries from a broad range of sectors including NHS, transportation and financial services.

David Holman, Director at Armour Comms commented; “Armour Mobile is based on a Software as a Service delivery model, which has been gradually building up.  However, the last year has been particularly successful for Armour Comms, with many new contracts, new partners and recognition within the secure comms sector.  Several of our partner relationships are now approaching maturity and we expect to see significant revenue from this channel.”

Armour Comms’ solutions for secure communications work on everyday smartphones, tablets and Windows 10 desktops. With the same usability as consumer-grade apps, and with significantly enhanced security, Armour Mobile supports voice calls, video calls, one-to-one and group messaging, voice and video conference calls, file attachments and sent/received/read message status. Message Burn limits the lifespan of sensitive data at rest: users can set a time at which their messages are automatically deleted (or, as the name implies, ‘burned’) on the recipient’s device, either immediately after being read or at a given time after sending, according to confidentiality.

Using a FIPS 140-2 validated crypto core, Armour Mobile has been awarded many certifications including CPA (Commercial Product Assurance) from the NCSC and is included in the NATO Information Assurance catalogue.

In March 2019, Armour Mobile was shortlisted for the SC Awards Europe in the category of Best Mobile Security Solution.

In September 2019, Armour Comms will be exhibiting at DSEI, stand number N7-260, where a new technology solution will be previewed.

What does your smart phone say about you?

And we are not talking about design or style…

Keen fans of TV police dramas may be aware of the term ‘metadata’, which is frequently mentioned in the tense investigation scenes as the police narrow their focus on the perpetrator. However, how many of us actually know what metadata is?

Metadata is all the information relating to your phone call except the content of the call itself. It is the information we are used to seeing on itemised mobile phone bills; the when, how, from where and with whom we communicate. However, in the age of the smartphone, metadata collected from our daily activities actually reveals more about us than we realise. Most of us use our smartphone for more than just calls. It is our convenient go-to device for email, messaging, social media, banking, electronic wallet, GPS and camera, in addition to making calls. For many of us, losing our smartphones would impact our day-to-day lives far more than if we lost our credit card.

Digital footprint

A smartphone passively generates a vast amount of metadata, leaving behind a digital trace of the activity of its user. Each action and interaction provides a snapshot of our daily activities. Email addresses, websites visited, photos taken and files downloaded all present many new opportunities to gather metadata. Pieced together, this information provides a comprehensive record of our associations and public movements, revealing a wealth of detail about our interactions, points of view and personal and professional associations. The reason metadata is so valuable is that it doesn’t lie: it is a digital footprint of our activities.

Stealing metadata

There are many ways that hackers can obtain metadata illegally. The SS7 vulnerability is well documented, and was one of the first topics that we wrote about in this blog (What’s up with WhatsApp). SS7 was designed over 40 years ago, long before phone hacking was considered a serious threat. SS7 stands for Signalling System No 7, also called the Common Channel Signalling System 7 in the US or Channel Interoffice Signalling 7 in the UK, and is the system that connects mobile phone and landline networks to each other. SS7 protocols enable phone networks to exchange information needed to process calls and text messages across disparate networks, including roaming on foreign networks, and to ensure correct billing. It also enables local number portability, prepaid payments, SMS and number translation.

Limitations in the SS7 protocols enable an attacker to mimic a victim’s device, steal personal data and snoop on a user’s network communications. While this technique is used by nation states, there is equipment available on the dark web for a few hundred dollars that brings this type of attack into the domain of almost any tech-savvy criminal!

Fake base station

Exploiting the SS7 vulnerability isn’t the only means to access metadata. IMSI (international mobile subscriber identity) catchers, also known as fake base stations, are well established pieces of surveillance technology used by law enforcement all over the world. This portable device is used to intercept digital communications by essentially impersonating a legitimate mobile phone mast. The device can capture the IMSI of every phone in the area and intercept messages, calls and metadata, and even block phones from operating.

IMSI catchers are illegal to operate by parties other than law enforcement agencies and, even then, there are strict codes of conduct. However, for an attacker motivated by financial or commercial gain, remaining on the correct side of the law is rarely of concern! Videos freely available on YouTube show how a DIY IMSI catcher is relatively trivial to set up for a tech-savvy criminal. The technology is available to anyone with a cheap laptop, $20 of readily available hardware and the ability to essentially copy and paste some commands into a computer terminal.

The power to control your own metadata

The fact that metadata is collated and sold by telecom carriers and internet companies shows how valuable it can be. Social media companies in particular are regularly sharing our metadata with third parties as a way of targeting advertising, and this is typically the key value creator for such companies. Applying this capability across a population, it is possible to compile a very detailed, even invasive, picture of the population including behaviours and interactions which governments, organisations and cyber criminals can act upon.

Whilst it’s not possible to stop metadata from being generated, steps can be taken to control access to it. Armour Comms securely manages communications in the cloud, ensuring metadata is minimised and protected. We also offer an on-premises solution for those who want complete control, allowing customers to store metadata on their own servers. Our solutions not only protect the content of communications, but also consider the broader aspects of securing your data and privacy.

The weakest link

As the cyber security threat landscape evolves, it’s clear that securing modern methods of communication requires a new approach. Without secure practices, smartphones can effectively be viewed as surveillance devices, exposing confidential business dealings, intellectual property, state secrets, or commercially valuable information to risk. As the saying goes, you’re only as strong as your weakest link. If you fear that your mobile comms could be vulnerable to eavesdroppers, competitors or criminals then it’s time to act. Contact us today to discuss a solution.

Latest WhatsApp hack highlights dangers of using consumer-grade (free) apps for business

WhatsApp Hack

Businesses using Consumer Apps risk facing stiff regulatory fines for data loss or worse

London, 14 May 2019: Armour Communications, the leading provider of specialist, secure communications solutions, calls for organisations to stop using consumer-grade, free apps when handling sensitive or commercial information. For people with jobs where security is paramount, for example, journalists, humanitarians, activists or special services working in unfriendly regimes, a phone that has been hacked via an app could put life at risk. For others, the risk of individuals’ private information or commercial data being accessed will damage an organisation’s brand integrity and share price.

David Holman, Director at Armour Comms said; “This latest case of a serious vulnerability in a consumer-grade app highlights the dangers of using free apps, and that they are simply not robust enough for business. While such apps claim that they are secure because they are encrypted, there is so much more to security than just encryption.  Encryption is rarely the weakest link, and therefore, unlikely to be targeted by hackers.

“While this particular exploit may have been to target people with specific jobs, there are various other everyday hacks that can be executed relatively easily by low level criminals against these types of product that put users’ data at risk.  Breaches of GDPR are a risk to every type of business and come with significant fines.”  https://www.armourcomms.com/2018/07/31/free-apps-you-might-get-more-than-you-bargained-for/?cat-slug=10

In 2018, German automotive supplier Continental AG banned its workers from using the messenger services WhatsApp and Snapchat on company phones, due to concerns about GDPR compliance and general security. https://www.cnbc.com/2018/06/05/continental-bans-facebooks-whatsapp-and-snap-incs-snapchat.html

Holman continued; “These free apps proliferate by stealth through organisations, unless firms take positive action, like in the case of Continental AG last year. There are enterprise-grade apps available that provide the same convenient user experience of consumer grade apps, while keeping the user in control of their data and metadata. Some of these apps, like Armour Mobile, have been certified by the National Cyber Security Centre (NCSC), so users can be confident that the software is secure by design.”

Armour Comms’ solutions for secure communications work on everyday smartphones, tablets and Windows 10 desktops. With the same usability as consumer-grade apps, and  with significantly enhanced security, Armour Mobile supports voice calls, video calls, one-to-one and group messaging, voice and video conference calls, file attachments, sent/received/read message status and message ‘burn’ (automatic timed deletion).

Using a FIPS 140-2 validated crypto core, Armour Mobile has been awarded many certifications including CPA (Commercial Product Assurance) from the NCSC and is included in the NATO Information Assurance catalogue.

Biometrics – An extra layer of security

Biometrics

We will be showing the latest version of Armour Mobile at Cyber UK (24-25 April 2019), and one of our most exciting upgrades is the ability to use biometrics as an extra layer of authentication.

We haven’t just jumped on a bandwagon here; biometrics is an important development for security. While our products use identity-based cryptography and are designed to enable secure, cross-platform communications by identifying and authenticating the end points, this doesn’t necessarily identify who is actually using the device. (More about identity-based encryption (IBE) and its benefits in our previous blog post here: https://www.armourcomms.com/2018/02/27/are-you-talking-to-me/?cat-slug=10)

When biometric authentication is added to Armour Mobile, it also confirms that it is the right person using the phone.  Armour Mobile integrates with the biometric authentication algorithms on the latest smartphones (iOS and Android) and uses them to open the Armour Mobile app. The user simply logs in to our app using their fingerprint or face ID, which is authenticated by the device and – through its link into the mobile’s built-in, secure key store – can then unlock our app (when closed, our app’s data-at-rest is kept encrypted).

The biometric component makes it simpler to log in without needing to retype a password every time. This convenience removes another of the (perceived) ease-of-use barriers to using a secure, enterprise app that has been designed for purpose, rather than a consumer-grade app.

We will be demoing exactly how it works on our stand B9 at Cyber UK, at the Scottish Event Campus,  Glasgow,  24 – 25 April.

In addition, we will be demonstrating full integration with Secure Chorus’ interoperability standards for encrypted voice calls, to a live audience, with Leonardo, BAE Applied Intelligence and a defence organisation. The interactive workshop, hosted by the NCSC and led by Secure Chorus takes place on 24 April at 14.00 and is part of Stream G.

Several of our partners are also exhibiting, including BAE Systems on stand E22, Amiosec on stand E20, Leonardo on stand E15, Qinetiq on stand B2, Nine23 on stand SBH15 and Templar Executives on stand SBH7.

So all in all, well worth a visit!  For more information and to register visit:  https://www.ncsc.gov.uk/section/cyberuk/overview