Category: View All

A lesson from the world’s most famous hacker!

Kevin Mitnick is the keynote speaker at Cyber Incursion, on 22 November, 12.30 to 19.30 at The Honourable Artillery Company (HAC), an event that will see our own Andy Lilly on the panel for the debate about the dangers of Social Engineering and the Insider Threat.

Learning to think like a hacker is a good strategy for improving your cyber security and many of the best security experts who now wear white hats started out as script kiddies.

As the cyber security threat landscape evolves, we are finding that it is not just government and military type organisations that are under siege. Increasingly we are working with private sector companies that are keen to protect their trade secrets and keep intellectual property secure.

Your intellectual property is highly valuable

Cyber Incursion is aimed at companies that are beginning to understand just how valuable their intellectual property and sensitive customer information is.  Whether it is a takeover or merger that could have implications on stock valuations should the news leak too soon, contract negotiations that you wouldn’t want your competitors to see or even know about, or you need to protect customer information to comply with GDPR, most organisations have some IP that they wouldn’t want to lose or see fall into the wrong hands.

You are the weakest link – the dangers of social engineering

These days, hackers are very clever, or should I say, even cleverer.  They will always go for the weakest link, which is us humans, and their approach will often involve some element of social engineering.  When people are out of the office, working via their mobile devices, they are away from their typical work environment; this may lead them to let their guard down, and this is often a good time to strike.  We’ve all been there – a quick call to a colleague to get a vital piece of information to finish off the contract or document we are working on, or to finalise the date and time for a sensitive meeting. The information exchanged could be very valuable to someone else, but it’s only a quick call – what can go wrong?  Well, plenty!

Don’t get caught out

Your call could be intercepted by an IMSI catcher, also known as a fake base station. Even entry level criminals or script kiddies can access this technology, that enables them to harvest your call and location metadata (who you spoke to or messaged, how long for, etc.), for just a few hundred pounds. Depending on the hack, the details of your conversation could be accessed by the attacker.  Alternatively, while the contents of your call might be encrypted, your metadata may not be protected, and sometimes knowing who you are communicating with, for example during a merger or acquisition, can be every bit as helpful to your competitors, or in the case of celebrities, paparazzi or tabloid journalists.

Cyber Incursion

As well as an opportunity to hear from the world’s most famous hacker, Kevin Mitnick (who was once on the FBI’s Most Wanted list because he hacked into 40 major corporations just for the challenge), Cyber Incursion has a packed agenda covering such topics as:

• AI
• Threat Intelligence
• Internet of Things
• Big Data and Forensics
• Social Engineering and the Insider Threat
• And how they can all have a very real impact on commercial business today!

 

Register today – there are limited spaces: https://www.cyberincursion.com/ 

Currently, mission critical push to talk services in the UK are run over a network called Airwave, which is based on Terrestrial Trunked Radio (TETRA) technology. Although effective for voice communication, the infrastructure required has become increasingly expensive to maintain and the needs of service users are beginning to surpass the capabilities of the technology.

Mission critical services in the digital age

Until now, mission critical users have largely relied on voice services alone, however this is no longer adequate for incident command, control and communications. The existing narrowband voice and data network cannot provide the data services such as video and internet access, which have higher bandwidth requirement. 4G LTE is a technology that delivers the point to point high bandwidth data services required for future needs.

The main benefits of migrating to 4G LTE for mission critical push to talk services is the amazing speed and functionality that it can deliver. Increased bandwidth leads to much faster data transfer speed which is especially advantageous in emergency situations where real-time data will allow officers and control room operators to enhance their assessments of incidents. Additionally, by migrating onto a modern platform, users will no longer have the costs of maintaining legacy infrastructure.

Emergency Services Network

The UK Government has been leading the change to LTE with the development of a new Emergency Services Network (ESN), which will use an existing commercial 4G network that is being expanded to ensure a 99% coverage rate for the UK. This will allow emergency services to access real-time information, send images and stream high resolution video. This level of visibility was not previously possible with the voice only descriptions that were available over the TETRA network.

The increase in digital information collection presents both an opportunity and a challenge for emergency services. Body worn camera footage, dash board cameras and real-time access to systems or CCTV images are valuable but rely on access to a reliable, high availability network. By embracing LTE as the global standard of critical communications, governments can provide an important foundation for new capabilities that increase response times, improve situational awareness and accelerate incident closure rates.

A unified global standard

The 2nd ETSI MCPTT Plugtest held in the spring of 2018 was a defining moment for LTE-based mission critical push-to-talk (MCPTT) technology. The capabilities of Mission Critical voice, video and data were put to the test with a 92 per cent interoperability success rate achieved.

The goal to provide one global standard for Mission Critical services offers huge opportunity for positive change. Governments around the globe have the chance to truly elevate their emergency service communications to world leading standards utilising leading edge technology that is fit for purpose.

Two factor authentication (2FA), a combination of two of something you know (a PIN), something you have (a token) and/or something you are (biometrics), has long been held up as best practice for login security.  And in fairness, more and more devices (Apple for example) and some websites, are making it mandatory. However, as was highlighted recently by the Reddit security breach, it may not be quite as fool proof as people might have hoped.  Read the details here:

https://www.theregister.co.uk/2018/08/01/reddit_hacked_sms_2fa/

https://krebsonsecurity.com/2018/08/reddit-breach-highlights-limits-of-sms-based-authentication/

The incident in question shows that employee accounts were hacked despite using SMS-based 2FA.

Although the exact nature of the hack has not been disclosed, the ability to intercept SMS messages via vulnerabilities in SS7 has been around for years but other mechanisms include getting control of someone’s phone account via SIM-swapping and is a topic that we have written about at length.

Using SMS as the second factor in 2FA is, strictly speaking, not a second factor at all because it is using the same delivery method as the first factor, i.e. in addition to typing your password into a login page, you also type the SMS code into the same web page.  It should really be called Two Step Authentication, and unfortunately can still be subverted by phishing, man-in-the-middle and credential replay attacks.

Using a third party security app like Armour Mobile protects against this type of attack, as not only is the message data encrypted but also the meta data and therefore, it is far harder for criminals to compromise the integrity of a mobile account to intercept messages.  So if you have employees that handle potentially sensitive information, whether that is customer information, or company intellectual property, or commercial secrets, and that could be all of your staff, you need to think about how well their mobile devices are really secured.

Could be time to take a look at Armour Mobile!

Contact us today – sales@armourcomms.com

The old adage ‘You get what you pay for’ has never been more true when it comes to cyber security, and messaging apps.  We are reminded once again, by the latest Appthority Pulse Report that chat apps are amongst the most popular and yet most risky and blacklisted apps in the Enterprise.

The report, which was published a week or so ago, looks at the most common iOS and Android apps in use within enterprises, and the apps most commonly blacklisted by enterprises.

The report states that WhatsApp Messenger and Facebook Messenger are the top two most risky apps found in the enterprise for both iOS and Android devices.

Risky Apps Proliferate by Stealth

The issue for many enterprises is that these apps can appear by stealth.  It all starts off innocently enough, people use these free, social media messaging apps for organising their personal lives.  Then it slips into use with people from work, and the temptation is to use the same apps for business as you do in other aspects of your life because it is so easy. Before you know it meetings are being arranged and sensitive data being shared on an app owned by a multi-national social media company that could very well be sharing (or selling) your metadata, for profit.

And as a quick reminder as to why these apps are so risky to the enterprise…

Susceptible to the SS7 hack

While WhatsApp uses the respected Signal protocol for its encryption, it is susceptible (like similar applications) to attacks, using flaws in SS7 that allow an attacker to mimic a victim’s device.  WhatsApp depends on the integrity of your mobile phone number to identify you, but this can be faked at the SS7 level because of vulnerabilities in that system (many of which have been known about for years – giving the criminals plenty of time to hone their skills!). Hackers can take on a victim’s WhatsApp identity and send and receive messages to other users. Of course, a hacker with access to the SS7 system can also transparently control normal voice and SMS services to and from a mobile, intercepting calls, reading SMS messages, and tracking the phone’s location.

Makes you think again about how you arrange meetings with an important client, maybe for contract negotiations.  Some of our clients have been victims to industrial espionage and lost contracts worth hundreds and thousands (and more!), and now only use secure methods, such as Armour Mobile. for communicating sensitive client information.

Insecure Authentication

Apart from eavesdroppers listening in to your potentially sensitive conversations, where they may gain commercially valuable information, one of the biggest dangers is the interception of two-step verification codes. This vulnerability is equally true for any app that uses this form of authentication including Telegram, Viber and many other apps.

For those that are likely to be targeted due to the work that they do (government, military/defence, handling commercially sensitive information like intellectual property, company secrets, financial transactions, sales deals, etc.), this is a relatively easy hack, and one that you wouldn’t know about until it was too late.

GDPR – So what?

We might have GDPR, but that only covers Europe, and there are plenty out there that want your data for nefarious reasons, and won’t be worried about legislation. Even when a service claims that it has no access to your encrypted data, it still has access to ‘metadata’, such as the date and time of calls and messages, the mobile phone numbers of the recipients or senders of each call or message, and (depending on the application), other information such as your location, native contact lists and the like – all of which a security-minded user might prefer not to have collected by a large social media company.

You get what you pay for

With any free app you don’t really know who has access to your information.  And you certainly don’t know who will have access to it in the future as organisations are acquired and personal data becomes a lucrative asset to be traded.

If you would prefer that your sensitive corporate conversations remain private you should take positive steps to ensure that they stay that way. That means using security applications that you control, so that you know exactly where your data is being held and who has access to it.

AND you need to educate your staff so that they are not using insecure apps ‘under the radar’.

Take the plunge and ban risky consumer apps

The Appthority report states that the top blacklisted apps within enterprise are WhatsApp Messenger and Facebook Messenger, followed closely by Wickr Me and Tinder!  Only last month the FT reported that car industry supplier Continental had banned WhatsApp and other social media apps due to concerns about privacy.  So don’t be shy, you won’t be alone in banning these apps in your organisation.  Your sales guys may even thank you for it, particularly if you are able to provide them with something equally engaging and easy to use – such as Armour Mobile!

Contact us today and try it out for yourself.

With the Football World Cup and summer holidays upon us, it’s a good time to reflect on security measures when travelling abroad whether for business or pleasure. After all, it’s not just diplomats, journalists and defence contractors that visit potentially unfriendly regimes!  El Reg reported recently on some research about shady hotspots and wi-fi in host cities of the world cup that could catch out the unwary. https://www.theregister.co.uk/2018/06/06/world_cup_russia/

The research, carried out by Kaspersky Lab, reported that one in five wi-fi hotspots in 11 Russian cities hosting world cup matches had little or no protection, leaving users wide open to having their data harvested by criminals.

If you are travelling to Russia to see some football, or anywhere else for that matter, and taking your work mobile with you, remember that if your phone is hacked, that could be all your business contacts’ details compromised and every text, message or attachment you’ve ever sent from your mobile stolen.  Certainly something to think about!

As the article suggests, there are some relatively easy steps to improve security, such as avoiding the use of unknown and untrusted wireless connections, and only using wi-fi when absolutely required. Even so, it is extremely difficult for the ordinary traveler to know if the cell their phone has locked onto is legitimate or a fake base station (known as an IMSI catcher) designed to catch your metadata.

An IMSI catcher or a rogue cell as it is sometimes referred to, hoovers up details of callers’ International Mobile Subscriber Identity, hence the name. It may also divert your phone’s traffic and/or try to decrypt its weakly protected voice or data. As an ordinary mobile user, you would never know if your calls had been intercepted by an IMSI catcher. There is technology to enable you to check which base station you are connected to, but generally speaking they require a technically knowledgeable user and so would only really be used by law enforcement agencies.

For those people who have sensitive or commercially valuable information on their mobiles, a secure communications platform can protect against leaking your calls or data (whether sent over unprotected Wi-Fi or intercepted by an IMSI catcher attack), by securing calls and texts between your mobile device and a desk phone, for example. It does this by using software installed on the phone that does the encryption and decryption. Whatever is sent from the mobile using the software, be it a call, text or attachment (such as a video or photo), is completely encrypted end-to-end including your meta data, and therefore protected.

Having said all this, there is so much more to security than encryption which is rarely the weakest link.  The dangers in using free apps for business, or on devices that also have business data on them, revolve far more around how your sensitive data is managed, where it goes and who has access to it.

Armour Mobile is as easy and convenient to use as any of the consumer grade apps, while giving superior security and ensuring your data isn’t being hoovered up by a hacker, or one of the global corporations.  Something worth thinking about before travelling abroad this summer.