VPNs – Choose wisely

First the explanation

A Virtual Private Network is effectively an encrypted ‘tunnel’ between your device (which can be your desk computer at home, your mobile, laptop or tablet) and another computer, such as your corporate VPN server. This gives you protected, secure access to your corporate network. A casual observer looking at the traffic between the device and the server will only see encrypted VPN data, and will be hard pressed to distinguish between the different data types. However, there are a number of technical papers available regarding VPN analysis and how the flow of the traffic gives clues as to the type of data being carried. For example, voice traffic usually flows one way then the other as people hold a conversation.
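The traffic-analysis point above, as an added example (not from the original post): a Python sketch, run over constructed packet metadata, showing that direction and packet size alone separate a voice call from a bulk download inside an encrypted tunnel. The packet generators, thresholds and function names are assumptions made for illustration.

```python
from itertools import groupby

# Constructed sample data: each packet is (seconds, direction, ciphertext bytes).
# "up" = device -> VPN server, "down" = VPN server -> device. No payload is read.

def make_call(turns, spurt_s=2.0, pps=50, size=172):
    """Constructed voice call with silence suppression: only the current
    talker sends a steady stream of small packets, then the roles swap."""
    per_spurt = int(spurt_s * pps)
    packets = []
    for n in range(turns * per_spurt):
        direction = "up" if (n // per_spurt) % 2 == 0 else "down"
        packets.append((n / pps, direction, size))
    return packets

def make_download(seconds=12.0, pps=200):
    """Constructed bulk download: large packets down, sparse small ACKs up."""
    packets = []
    for n in range(int(seconds * pps)):
        packets.append((n / pps, "down", 1400))
        if n % 10 == 0:
            packets.append((n / pps, "up", 60))
    return packets

def dominant_direction_per_window(packets, window_s=1.0):
    """Bucket packets into fixed windows; report which direction carried
    the most bytes in each window."""
    buckets = {}
    for t, direction, size in packets:
        counts = buckets.setdefault(int(t // window_s), {"up": 0, "down": 0})
        counts[direction] += size
    return ["up" if c["up"] > c["down"] else "down"
            for _, c in sorted(buckets.items())]

def flow_profile(packets, window_s=1.0):
    """Summarise a flow using only what an on-path observer can see."""
    dominant = dominant_direction_per_window(packets, window_s)
    runs = [d for d, _ in groupby(dominant)]  # collapse repeated windows
    return {
        "reversals": len(runs) - 1,  # times the dominant direction flipped
        "mean_size": sum(p[2] for p in packets) / len(packets),
    }

def looks_like_conversation(profile, min_reversals=3, max_mean_size=400):
    """Assumed heuristic: small packets plus repeated direction flips."""
    return (profile["reversals"] >= min_reversals
            and profile["mean_size"] <= max_mean_size)

if __name__ == "__main__":
    for name, flow in (("call", make_call(6)), ("download", make_download())):
        profile = flow_profile(flow)
        print(name, profile, looks_like_conversation(profile))
```

Constant-rate padding or cover traffic in both directions is what removes this signal; encryption alone does not.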

How it helps

Use of a VPN has pros and cons: it may alert eavesdroppers to the fact that you are trying to cover your tracks. For those with the type of job where they are likely to be under surveillance from a nation state, staying below the radar while using a VPN as an extra level of security is very much about choosing the right VPN. Some unfriendly nation states try to ban the use of VPNs for this very reason.

What a VPN can do is provide obfuscation, by using a VPN that a lot of other people use. For example, if you are near a University and you use the same type of VPN as the students or staff, your traffic will hopefully be lost in the general melee of University life. The VPN encryption means the network operator cannot see that you have made a call, or the number you dialed; therefore, calls to certain numbers (known Government department numbers, for example) that might be monitored will not attract unwanted attention. By using a VPN, the call is hidden from plain view, and even the fact that you are using Armour Mobile to protect your communications end-to-end is hidden.

Conversely, if you use a specialist or unusual VPN, that could well alert eavesdroppers to the fact that there is something worth listening to.  So choose your VPN wisely!

SS7 vulnerability still going strong near the White House

Why bother to teach an old dog new tricks when the old ones are still working well?

You may well ask! A recent piece in El Reg, ‘Stingray phone stalker tech used near White House, SS7 abused to steal US citizen’s data’, is a salient reminder that sometimes the old ones are the best.

The SS7 vulnerability is well documented, and indeed it was one of the first topics that we wrote about in this blog (What’s up with WhatsApp).

To recap, SS7 stands for Signalling System No 7 (also called the Common Channel Signalling System 7 in the US or Channel Interoffice Signalling 7 in the UK), and is the system that connects mobile phone and landline networks to each other. SS7 protocols enable phone networks to exchange information needed to process calls and text messages across disparate networks (including roaming on foreign networks), and to ensure correct billing. It also enables local number portability, prepaid payments, SMS and number translation. However, SS7 was designed nearly 40 years ago, long before phone hacking was considered a serious threat, and flaws in SS7 enable an attacker to mimic a victim’s device.

This particular hack is typically used to steal personal data and to snoop.  While it is used by nation states, there is equipment available on the dark web for a few hundred bucks (see: With prices like these – anyone could be listening to your mobile calls!) that brings this type of hack into the domain of almost any tech-savvy criminal.

If it can happen near the White House, it can happen anywhere. Time to review your mobile phone security. If you or your staff discuss details of sensitive deals, intellectual property, confidential meetings, or industrial/commercial secrets by mobile, using voice, video, message/text, or send attachments, and if you want them to remain private, you need to use a seriously secure mobile comms service.

 

Contact us today for more information:

Email: sales@armourcomms.com

Tel: +44 (0)20 36 37 38 01

GDPR is here – don’t forget your mobile comms need securing too

Andy Lilly discusses how securing your mobile communications is a key step in meeting GDPR regulations

The new General Data Protection Regulation (GDPR) is now in force. A lot has been written about it, and how it overrides previous national data protection laws. Many are seeing the introduction of the new regulations as a positive step. It encompasses how personal data is managed, processed and deleted – and in particular, how it is lawfully and fairly protected by documented security measures. GDPR is clear in that it encompasses all of a company’s data (including that held in marketing, sales and finance) when dealing with EU citizens.

With many companies using mobiles to communicate with customers, it also means that texts and messaging, whether internal or external, will be considered within the new data laws.

With non-compliance fines of up to €20m or 4% of global turnover, not to mention reputational damage, companies ignore the legislation at their peril. According to ICO Information Commissioner Elizabeth Denham¹: “If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.”

Getting your ducks in a row

Whatever their business, all organisations need to have their ducks nicely lined up when it comes to data retention, compliance and security. Governance plays an enhanced role under GDPR and you must ensure that the systems and processes you have in place are able to manage and monitor all data under the new rules. Accountability is also important, so as well as complying, you have to be able to demonstrate how you comply.

Armour Mobile enables your organisation to ensure that data and messaging communications are entirely secure whether in transit or stored, either with our cloud solution once you have licensed your mobile devices with us, or with our Armour on-premises solution. In fact, the latter allows your organisation to configure and manage your secure communications service in total privacy, restricting any outside connections.

We can also provide secure voice communications between your mobile and other voice systems (e.g. desk phones within your office) or services (voicemail or conferencing). Securing messaging and voice communications in these ways provides robust audit trails to support compliance and due diligence of the new privacy rules.

GDPR means that all organisations must see data in a different way – adopting Armour for your mobile communications is a big tick in terms of ensuring compliance.

¹ https://ico.org.uk/

Not all Group Messaging Apps are created equal

What limits does yours have?

When it comes to secure comms apps, group messaging is often taken as a given, expected. However, sending everyone in a group the same message simultaneously isn’t quite as straightforward as it sounds. It all depends on how the messages are handled. Some apps send messages from the client to every user in the group, and obviously the more members in the group, the more messages that need to be sent. As the client is required to process each of these messages and any attachments (including any encryption), this can cause issues resulting in practical limits on the numbers in a group.

Alternatively, a single message can be sent to a messaging server, which then replicates the messages to the entire group. This is a far more scalable method, where the server is doing the hard work and the size of a group becomes almost unlimited. This has been achieved in Armour Mobile by extending our encryption capability, drawing on 3GPP standards.

So if your organisation needs to communicate securely within groups, sending bulk messages and attachments efficiently, without limits on the number of recipients, we have the solution for you.

Cambridge Analytica & Facebook, compromised data – more reminders!

Do we need yet another wake-up call regarding keeping our data safe?  The latest scandal involving Cambridge Analytica’s mining of Facebook profiles, which has been running for a few weeks now and shows no signs of abating, is a sign of rising public consciousness that personal data is important, it is valuable. The case highlights just how social media companies seem to please themselves when it comes to who has access to what.  At the very least, social media companies take a commercial view which is in their own interests and not in the interests of their customers/users – and who can blame them – it’s how they make a profit.

While those that need to have sensitive and/or commercial communications probably won’t be using Facebook to do so, they might be using consumer grade apps such as WhatsApp (owned by Facebook) or others. The messages sent on these services are encrypted, but, as we’ve said before, the associated metadata still gives away a lot of valuable information. To illustrate this point, by profiling the metadata associated with a conversation between two people, it is possible to identify who is the most important, i.e. boss and subordinate, simply based on the frequency, length, number and response times of replies. Using these techniques it is possible to map a whole organisation!

This is a timely reminder that if you’d rather keep your sensitive communications private you need to be aware of where your metadata is held and who might have access to it. Relying on social media companies that make their money through third parties advertising to the user base is never going to be good for users – it is the price you pay for a ‘free’ service.

Services provided by security vendors don’t rely on selling advertising to make a profit; they are in business to protect their customers’ data, and their reputation lives or dies by their ability to do so. Something worth remembering next time you need to send a work/business related communication.

Built-in versus bolt-on – why security should never be an afterthought

We are all looking to do more, be more productive, efficient and organised. With a plethora of unified communication solutions promising to boost productivity by using time in a smarter way, it’s easy to see how these applications are appealing. But are they secure?

Not all applications are created equally

We often hear of high profile security breaches and the resulting financial and reputational issues they cause. This alone should be motivation for product creators to implement adequate security controls into their solutions. However, speed to market and functionality improvements can often take precedence over security.

When purchasing a new car, we take for granted that safety features have been built in, we don’t ask whether we need to retrofit seatbelts and air bags. Car manufacturers have reinvented the way cars are designed, with passenger safety at the heart of the critical thinking design process. The net result is a product that is secure by design with features that work in unison.

Education not blame

Too often employees are cited as the ‘weakest link’ and are blamed for being the cause of security incidents. In reality, these incidents are often caused by users just trying to get their work done, but in the face of complex and poorly designed applications, they are being put in the position of understanding and making complex security decisions beyond their realm of expertise. Secure communications should be just that, secure by default. Security should be there without the user having to think about it, they are not the experts and we should not expect them to make decisions like one.

For example, a secure messaging application might be required to block pasting text out of the app and perhaps even pasting in. However, from a usability point of view, if the message is a phone number or email address, the user probably wants to be able to paste that across into their dialler or email app, rather than having to retype it. Security and usability have to be carefully balanced.

Businesses need to ensure their employees have the right tools required to carry out the job. If users need to have conversations where the content must remain confidential, then organisations need to provide the appropriate solution that enables this transparently. That means removing the burden from the user by default and ensuring that information is not put at risk.

The way forward

It’s time to stop apportioning blame and seeking to ‘fix the user’ but instead design technology to fit the business process and how people behave, rather than asking employees to adjust themselves.

Users shouldn’t have to be security experts and bear the burden of using solutions where security has been bolted on as an afterthought. Employees should take security seriously and be educated users – but they shouldn’t need cyber security credentials to do their day job.

Choosing a secure communications solution such as an Armour product is a positive way to address this issue. Armour Mobile solutions are cost-effective, easy to use with technology that is always designed to be government-grade level secure – proven assurance to our customers that we take security seriously.

It’s time for the tech industry as a whole to step up and start thinking about the needs of the user and not hiding behind ‘user error’.

Andy Lilly of Armour Comms appointed Chair of Technical Standards Committee at Secure Chorus

Armour welcomes NCSC to Secure Chorus

London, UK, 30 April, 2018: Dr Andy Lilly, CTO of Armour Communications, has been elected as Chairperson of the Secure Chorus Technical Standards Committee. Armour Comms are a founding member of Secure Chorus, which recently welcomed the UK’s National Cyber Security Centre (NCSC) into the organisation. Secure Chorus serves as a platform for public-private sector collaboration in developing a security baseline for secure multimedia communications: this is a key strand in the UK’s digital economy strategy, “to make the UK the safest place to live and do business online”, as regularly espoused by Matt Hancock, Secretary of State for Digital, Culture, Media and Sport (DCMS).

Dr Lilly commented: “In addition to the UK government’s requirement to protect OFFICIAL and OFFICIAL SENSITIVE communications, it is key that the resulting multimedia systems provide interoperability between different vendor systems, to support the creation of pan-government and pan-enterprise collaboration capabilities. The definition of suitable forward-looking technical standards is critical to enabling this interoperability and promoting the growth of the associated networks and services both across the UK and internationally.”

Armour has had a key role in Secure Chorus since the group’s formation, working to define and develop the underlying security technologies into products such as Armour Mobile, demonstrating how communications applications can be created that combine the ease-of-use of social media apps while providing the security and seat-of-trust needed by government, defence, finance, healthcare and enterprises who need to protect and control their mobile communications on off-the-shelf, commercial smartphones, tablets and desktops.

About the National Cyber Security Centre

• The UK Government is fully committed to defending against digital threats and set up the National Cyber Security Centre last year through the five-year National Cyber Security Strategy, supported through £1.9 billion transformative investment.

• The NCSC provides a single, central body for cyber security at a national level and is the UK’s technical authority on cyber. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice.

• GCHQ is the parent body for the Centre, meaning that it can draw on the organisation’s world-class skills and sensitive capabilities.

About Secure Chorus Ltd

• Secure Chorus is a not-for-profit, membership organisation, serving as a platform for public-private collaboration and development of common standards and capabilities for secure communication for the global digital economy.

For more information visit www.securechorus.org and follow the company on LinkedIn and Twitter.

  

Armour Communications and Metro Communications agree partnership

London, 24 April 2018: Armour Communications and Metro Communications have joined forces to help businesses and VIPs keep their calls, messages and data private and confidential.

Armour Mobile enables secure collaboration between trusted colleagues when discussing commercially sensitive information such as corporate deals, intellectual property matters, financial transactions, customer negotiations or, for VIPs, the details of their day-to-day lives.

Armour Mobile prevents mobile communications including voice, messaging, file transfers, video or even conferencing from being intercepted by illicit or unwarranted surveillance, keeping both conversations and associated data private. Importantly, Armour Mobile can provide this not just in a local environment, but also for the corporate traveller keeping communications secure even when using untrusted networks, anywhere in the world.

David Holman, a director at Armour Communications, commented: “Armour Comms is committed to working with our partners to deliver secure mobile communications on everyday devices to businesses and high profile individuals. Metro Communications brings a solid track record of dealing with corporate executives and high profile individuals and doing so in a discerning, confidential and trusted manner. We are delighted to partner with Metro Communications and look forward to delivering our secure mobile solutions to Metro Communications customers.”

Armour Mobile provides secure voice calls, video calls, one-to-one and group messaging, voice and video conference calls, file attachments and sent/received/read message status. Using a FIPS 140-2 validated crypto core, Armour Mobile has been awarded many other certifications including CPA (Commercial Product Assurance) from the National Cyber Security Centre (NCSC) and is included in the NATO Information Assurance catalogue.

Peter Matthews, CEO of Metro Communications, said: “We’re delighted to be working with Armour Communications to provide a world-class service to our customers – businesses and high-profile individuals. Organised criminals, lone-wolf hackers and state-sponsored organisations are accessing private phone calls, messages and data sent from mobile phones. This is a very real threat, and it will only increase. Armour Mobile has been certified by the National Cyber Security Centre (NCSC) and approved by NATO. This powerful, user-friendly app removes many security concerns for businesses and VIPs, giving them complete peace of mind.”

Metro Communications provides only the highest quality telecommunications and IT solutions to people and businesses. Metro customers who pass strict security checks can now use Armour Mobile to keep their communications as they should be – secure and confidential.

British companies at RSA to showcase UK leadership in cyber security

SAN FRANCISCO, California, April 17, 2018 – Five British cyber security companies will showcase their ground-breaking products and services to the US market at the RSA Conference in San Francisco on April 16-20, 2018.

The companies will demonstrate their innovative solutions in a broad range of cyber security requirements – such as the protection of critical assets and infrastructure, prevention and detection of cybercrime, as well as their commitment to cutting-edge research – at the UK Pavilion and through a series of ancillary events, with the support of the UK’s Department for International Trade (DIT). The companies look to develop close partnerships and forge lasting relationships that will support the US cyber security sector in its aims of securing the safety of the nation.

  • Armour Communications will show a new Message Burn capability for Armour Mobile, which gives users the ability to set a burn time for particularly sensitive messages.
  • Bob’s Business will demonstrate its specialty in developing and delivering information security awareness campaigns.
  • iProov will demonstrate its new HTML5, no-app mobile web solution, which won the Best of Show Award at Finovate Europe.
  • Garrison will showcase its unique Silicon Assured Video Isolation technology, which provides a game-changing platform for secure remote browsing.
  • MetaCompliance will showcase its platform, which has the highest-quality cyber security and compliance e-learning content available on the market.

 

DIT will also partner with British Secure Mobile Gateway company Wandera to host a night focused on UK cyber excellence. The evening will feature Jane Frankland, a UK cyber security expert and author of the book IN Security, about why women in cyber security should be the standard and not the exception. She will remark on her 20+ years in the industry and host an exclusive book signing.

The UK’s cyber security industry, worth $31 billion and growing at a rate of 10% per year, is respected across the globe for its expertise, breadth of capabilities, and world-class advice, products and services.

Last month, DIT’s Secretary of State Dr. Liam Fox launched a new Cyber Security Export Strategy to promote the UK’s world-leading expertise and to strengthen defense capabilities in the UK and allied countries. Composed of approximately 800 innovative companies, the UK cyber sector currently exports $2.1 billion worth of technology and services per year, a number anticipated to grow in line with the overall global spend on cyber security products, expected to exceed $1 trillion by 2021. This new cyber security export strategy supports the ongoing work of the 2016 National Cyber Security Strategy, which invested in the cyber security industry to ensure the UK is secure, resilient to cyber threats, prosperous, and confident in the digital world.

Andrew Whittaker, Her Majesty’s Consul General to San Francisco, said:

“The UK government’s commitment to cyber security is clear. Our world-leading National Cyber Security Centre is now 18 months old and doing excellent work as the authoritative voice on information security in the UK, and the recently published Cyber Security Export strategy will help support British firms in overseas markets. The government’s $2.7 billion investment in its National Cyber Security Strategy will ensure that the UK continues to lead the development of cyber security capability across the world, and the five companies at RSA next week are fantastic exemplars of British excellence in this field.”