Category: View All

In revelations by Computer Weekly, Microsoft has admitted that it cannot guarantee the sovereignty of UK data hosted on its hyperscale public cloud infrastructure.  This worrying development was discovered via a Freedom of Information (FOI) request to the Scottish Police Authority (SPA).

SPA has discovered that data hosted in Microsoft’s hyperscale public cloud infrastructure is regularly transferred and processed overseas, a situation that is also likely to be true for all UK government users.

In a detailed article Computer Weekly explains the situation.  Part 3 of the Data Protection Act (DPA) 2018 says that law enforcement data must be kept within the UK, as must all public sector data under the G-Cloud 14 framework regulations. In the article it states that Microsoft has confirmed for the first time that a guarantee of sovereignty for ‘data at rest’ does NOT extend to ‘data being processed’, NOR does it cover the provision of support which may entail accessing data. Microsoft, in common with many multi-national suppliers, provides ‘follow-the-sun’ support, meaning that people providing support outside of UK office hours are not necessarily going to be UK-based.

Furthermore, in a separate FOI response from SPA, as recently as May 2024 Microsoft confirmed that they cannot guarantee data sovereignty for M365 (Microsoft 365 is a suite of productivity apps that includes Microsoft Teams, Word, Excel, PowerPoint, Outlook, and OneDrive).  As many police forces, government departments and the wider public sector rely on M365 for the day-to-day desktop operations, this brings into question, what is happening to classified data, and how can it be handled in accordance with UK law?

Certainly any information that needs higher assurance handling should not be discussed using M365, including the Teams video conferencing app, if data sovereignty cannot be guaranteed, which appears to the case. This is quite apart from the other security issues we have highlighted before regarding the use of a mass-adoption communications apps which includes their susceptibility to AI-generated deepfake and impersonation-based attacks.

So how can organisations that need to protect highly sensitive data ensure data sovereignty?

Award-winning Armour secure communications

The Armour® Secure Communications Platform (recent recipient of the SC Awards Best Communications Security Solution) provides an alternative to consumer grade applications. The platform brings together a quick-to-deploy, easy-to-use solution suitable for BYOD devices and desktops, with enterprise security features not provided by mass-adoption collaboration products or free-to-use consumer apps. It protects data throughout its lifecycle, providing all elements of mobile communications/collaboration including voice, instant messaging, and video conferencing, encrypting data both at-rest and over-the-air.

Suitable for higher assurance video conferencing

Security conscious organisations such as government departments, the military, defence contractors and public sector bodies all need products designed with their specific requirements in mind. The Armour Secure Communications platform is built to give organisations control of where they deploy and where their data resides, with both secure hosted and on-premises options available.  It addresses issues such as GDPR and industry-specific regulations including DPA 2018 Part 3 as cloud-based providers often cannot satisfy sovereign needs, as this latest story demonstrates.

Armour Recall™ captures, retains and archives data to ensure organisations keep control of their data and can prove compliance.

Armour Unity™ delivers secure conferencing in an easy-to-use app for mobile use and is available in several configurations to ensure the level of security matches the sensitivity of the conversation.

Armour Connect™ provides voice and video interoperability with unified comms systems, and Armour Bridge™ delivers messaging interoperability with other messaging apps,

Strict security measures within Armour give the organisation total control over data. For example, constraining message retention, Message Burn (automatically deleting messages after a set time), controlling features like forwarding/sharing data, erasing all data in the event of device (or user) compromise.

Users and call groups are centrally managed, people can only join and use the app by invitation. Identity-based authentication (using NCSC’s MIKEY-SAKKE protocol) means that users can be confident when using the platform that they are communicating with who they think they are.  In this way Armour addresses the issue of identity-spoofing and ghost-callers, including AI-generated deepfakes.

Federated secure communications

The Armour Platform can provide a multi-domain, multi-organisation structure with strictly siloed security making it suitable for federated secure communications between  Armour communities.  This means that different police forces, government departments or social services (for example) using Armour are able to communicate, once Admins have set up the appropriate links between the groups of users, while each organisation retains total control over its own users.

This type of robust secure collaboration is not available from mass-adoption communication tools such as MS Teams, Zoom, GoogleMeet and WebEx. They all claim end-to-end encryption, however, as we’ve mentioned on numerous occasions, there is a lot more to security than just encryption.

When looking for a secure communications solution there are multiple aspects to consider. Understanding the likely threats in this environment and solving each one combined with providing an application that is as easy to use as, say, a consumer application, is key to most organisations’ decision making. This is an important point made by the UK’s National Cyber Security Centre (NCSC) Seven Principles for Secure Communications and Armour distinguishes itself by meeting all seven principles.

For more information on this topic, read our blog:  https://www.armourcomms.com/2021/04/21/replacing-whatsapp-advice-from-ncsc/

Also for Nine tips for keeping communications secure read this blog: https://www.armourcomms.com/2024/02/05/nine-tips-for-keeping-communications-secure-within-the-supply-chain/?cat-slug=10

Armour® provides highly usable and engaging solutions, so your users will have no reason not to use them.  Our Buyer’s Guide gives detailed advice as to what you should be looking for: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/

What is Kubernetes and why is the new Armour Core server-side platform based on it.

Initially released in 2015, amid the usual hype and hoopla of an exciting new technology, Kubernetes has now completed the ‘hype cycle’ and is firmly in its maturity phase. And after a lot of work to master this powerful concept to bring the very best benefits to our customers, we are now ready to announce the availability of Armour Mobile Kubernetes edition.

Armour Mobile Kubernetes is an enhanced version of the Armour Mobile infrastructure that delivers robust secure scalability to support the fast deployment to, potentially, thousands of users at a time. This can be achieved on premises, cloud or hybrid cloud. As requirements change, deployments can be scaled back equally as fast to save resources and costs.

Kubernetes was first developed by a team at Google and later donated to the Cloud Native Computing Foundation (CNCF ). It is an open-source platform to manage containerised workloads and services.

But what is Kubernetes?  Why does it matter and more importantly what benefits can it deliver to your business?  Here we explain why the Kubernetes container orchestration platform is one of the fastest moving projects in the history of open-source software.

1.Building blocks – reusing resources

To understand why we need Kubernetes, we must first understand containers. A container is a unit of software that can be isolated for security or scalability, usually performing a specific task, with control over its access to the underlying operating system (OS) and hardware resources. Multiple containers can be combined to build an application and because containers can be reused across different applications, new functionality can be developed more quickly. As well as faster time to value for new features and functions, reusing resources also saves time and costs.

Containers are lightweight and virtualise processing, memory, storage and network resources at the OS level, rather than hardware level. As containers are virtual environments that share the kernel of the host operating system, they can more easily be ported to run on a range of hardware platforms that support containerisation (compared to more traditional virtualisation technologies such as virtual machines, i.e. VMS).

2.Scale and management – supporting super-fast deployment

Kubernetes delivers a framework to run distributed systems by automating the deployment, scaling and management of containers. In the case of Armour Mobile, we can define how we need the platform to operate; for example if hardware fails, or if traffic load is high, Kubernetes is configured to ensure resilience without the need for manual intervention. Additionally, Kubernetes is self-healing, restarting containers that fail and killing and replacing containers that fail to respond to defined health checks.

All of this provides the ability to scale up rapidly, which supports fast mass deployments, which may be required, for example, during emergency situations, troop manoeuvres, launching a new business division, or project, or coordinating a government enquiry, as well as many other business cases.

Security by Design is the ethos by which we develop all Armour solutions. Security is achieved by the way in which we use Kubernetes and processes incorporated within Armour solutions. Kubernetes allows us to set policies at a cluster-level to prevent or restrict processes or data access which we might consider a security risk.

3.Resilience and reliability

Kubernetes is a proven technology that allows Armour to deliver a platform that is more powerful, robust, and extensible. We can deliver features such as monitoring, load balancing, and failover, high availability and much more. This makes the provision of Armour Mobile more flexible, more resilient and more reliable for our customers. Even when under load from a high volume of concurrent users or high network traffic, Kubernetes can load balance and distribute the network traffic so that the deployment is stable.

4.Delivered to suit your needs

Armour customers will benefit from our use of Kubernetes, whatever their current choice of deployment, be it on premises, cloud, or hybrid. Using Kubernetes has delivered an array of improvements to our existing development cycle which will benefit our customers.

Kubernetes also allows for a hybrid cloud approach for customers who require it. The Armour Mobile solution can be managed using Kubernetes tools, both in-house on bare metal and in the cloud.

For more information about how Armour Comms can help your organisation to adopt a more secure approach to communications and collaborative working, contact us today.

 

 

 

 

With CyberUK, billed as the UK government’s flagship cyber security event, taking place at the ICC, Birmingham later this week, The Times published a pertinent article over the weekend. The piece in question entitled “Russia targets British soldiers’ mobile phones”, states that UK troops have been warned about the risk of Russian agents spying on their mobile phones. While this has long been suspected, during recent NATO battle exercises in Estonia, troops were once again reminded of the dangers around using mobile phones while in theatre.

Fake base stations – on old attack vector still in use

An investigation has indicated that Russian forces are using transportable antenna (fake base stations launched via drones – see our previous blog on how an IMSI catcher attack works) to access data sent by devices, and in some cases to erase information held on phones. As long ago as 2017 soldiers were reporting ‘strange things’ happening to their phones such as contacts disappearing.  Troops have been warned against posting content online, even to restricted profiles visible only to friends, because such posts can easily be accessed by uninvited third parties.

The very real threat from Russian cyber-attacks was also demonstrated a couple of months ago when an RAF plane carrying Defence Secretary Grant Shapps reported that its GPS had been jammed.

In early March the BBC reported that Germany admitted to a hack by Russia of a military meeting where officers discussed giving Ukraine long-range missiles, and their possible targets. https://www.bbc.co.uk/news/world-europe-68457087.  The hack was helped in part by the fact that they were not using a secure communications channel.

The growth of Artificial Intelligence (AI), impersonation-based attacks using deepfakes is also an attack vector that is becoming more prevalent.  Video calls are becoming so believable that in February a finance worker in a multinational company was duped into paying out $25 million after a video call with a deepfake chief financial officer. https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html  Not only was the CFO on the call a deepfake, so were all the other participants, all of whom were known to the finance worker.

Cyber-warfare affects us all

There are lessons here for the rest of us.  Cyber-warfare is increasingly becoming an all too real occurrence, and so too are impersonation-based attacks.  We all need to take care. While our mobile phones, which have the computing power undreamt of just a few decades ago, are for many of us pivotal to running our lives, they also carry many threats to privacy and safety.  Not least among these are what do we do if/when systems go down. If GPS were down for example, people would need to navigate using paper maps again.

We can all do our bit by protecting our own privacy and that of our family, friends, and colleagues by being careful about our use of social media apps.  For example, being more aware about how we communicate and the importance of keeping business and personal lives separate. Using a secure means of communication that is Secure by Design and has attributes such as identity-based encryption and authentication, not only protects users from impersonation-based attacks, these platforms also help to protect users contact lists, thereby safeguarding friends and family as well as work colleagues.

To learn more about how Armour Comms can help your organisation protect sensitive business communications, visit us at Cyber UK, or email us: sales@armourcomms.com

Can we get anything in here about deep fake and impersonation based threats?

With Cyber UK just a couple of weeks away, the UK’s National Cyber Security Centre (NCSC) has announced new guidance for using mobile devices in high-threat organisations.

In a blog published on 1 May, NCSC outlines its new Advance Mobile Solutions (AMS) risk model, architecture patterns and associated technologies that will allow high-threat organisations to stay connected while ‘on the go’.

It explains how the use of special or hardened mobile phones is expensive and has proven extremely difficult to maintain. We see from anecdotal evidence that people don’t like using them either. However, consumer grade devices can be a realistic alternative, when combined with the AMS model to mitigate as many of the threats as possible.

The starting premise of the AMS risk model is that mobile devices cannot be trusted, and that organisations must assume that a device may be compromised, and that information held on it could be at risk. The risk model goes on to state that core networks and services must be protected, and that sensitive information should not be aggregated in the mobile infrastructure.

The AMS architecture

The AMS architecture enables secure mobile working taking into account the associated risks.  The architecture aims to:

• Protect consumer mobile devices as well as possible.
• Prevent data from being aggregated in mobile infrastructure.
• Provide robust protections for core systems using hardware-based, cross domain technology.

 

Key elements of the architecture include:

• Protecting the device.
• Protecting data on global networks.
• Protecting the remote access zone.
• Protection for core networks and systems.
• And, assume compromise.

 

The use of Armour Mobile™ can help in a number of ways from preventing data within the Armour ecosystem being leaked or accessed by other apps on the device; preventing information from being forwarded or shared to unsanctioned individuals; central user management which ensures that only invited people can join a chat group; identity-based encryption that helps to positively authenticate users (combats deepfakes and impersonation-based attacks); and should a device be compromised, remote wipe of all information held in the Armour platform on the device.

Secure mobile is difficult to achieve and it’s certainly not one size fits all.  For more information about Advance Mobile Solutions and how Armour® Comms could help your organisation see us at Cyber UK, 13 – 15 May, ICC, Birmingham Register here: https://www.cyberuk.uk/2024/about

The management of messaging apps within an organisation is often non-existent, reminiscent of how cyber security was treated 30 years ago. Back in the day, cyber security was often an afterthought with very little focus on controlling data, and even less on where and how users were saving data (remember the two disks containing personal details of 25 million UK citizens were lost by HMRC anyone?).

We are seeing a return to the days of the wild west in the way that un-sanctioned messaging apps have been allowed to proliferate under the radar for business use. People love these consumer apps because they are easy to use and they already have them on their personal devices, so why not use them for business too. Another reason for their popularity is that users can build their own chat groups, and have conversations with colleagues without any oversight, avoiding scrutiny by their organisation (government, political, or corporate). This enables individuals, departments or whole organisations to invoke ‘plausible deniability’ as a defence because messages are mysteriously lost (or deleted) when they should have been saved, documented or archived in official organisational systems.

Taking control of data to provide oversight should be a rite of passage

As organisations grow and professionalise their operations by taking control of their data, ad-hoc and ‘shadow IT’ arrangements are replaced with built-for-purpose applications, that provide more powerful enterprise features and can be centrally managed. The same should be true for messaging apps. Indeed, in the financial services industry authorities have been cracking down on the use of unregulated communications channels for a number of years. Numerous financial institutions have been fined, and some high-profile bankers have even lost their jobs as a result. Unfortunately the same cannot be said for some government organisations where use of consumer apps still appears to be widespread.

Emails of government employees and ministers are securely stored and have been for many years. So, with the ubiquity of instant messaging, why are these communications not treated in the same way? Many other countries’ governments have banned the use of consumer apps such as WhatsApp, Telegram and Signal, with France making an announcement last year.  Given the amount of resources invested in IT systems, surely no organisation should be relying on free-to-use apps over which they have absolutely no control for business/government communications.

Consumer apps pose serious security risks but that’s not all

It’s not just that the use of un-sanctioned messaging apps to discuss state secrets pose a serious security threat, (as demonstrated recently when Russia hacked a German military video call that subsequently put British troops in danger) using these apps for business contravenes GDPR.  These apps can also put individuals at risk from phishing and impersonation-based attacks that could result in compromise due to blackmail, as happened just a few weeks ago to a number of ministers, staffers and a political journalist.

Furthermore, consumer and mass-adoption apps do not meet the NCSC’s 7 Principles for Secure Communications, which translates to many government and public sector organisations NOT following the recommendations of the UK’s own technical authority for cyber security.

All this emphasizes the need for organisations to keep control of their own data – something that the use of consumer apps simply doesn’t allow.

Choose your secure comms platform carefully

When it comes to enterprise secure comms, organisations should avoid the lure of ‘shadow IT’ – just because people like it and everyone uses it does not make it acceptable, particularly when there are credible alternatives. A built-for-purpose, Secure by Design secure comms platform can provide an equally slick user experience plus the ability to manage and control data.  Whether on-premises or a secure hosted solution, an enterprise-grade secure comms platform that covers voice calls, instant messaging and video conferencing ensures data sovereignty (your data stays on sovereign soil, i.e. you know where it is being held) and data separation (no mixing of data, be that different classifications of data, or business and personal).

Enterprise secure comms platforms provide additional services such as archive and audit, which enable the review of communications at a later date, to ensure compliance with regulations (GDPR, FOI, for example). None of this is available from consumer apps.

In short, our government officials and politicians should be leading by example, following the guidance of their own organisations. To understand how Armour Comms can help your organisation to take control of its data, even on BYOD devices, download our Buyer’s Guide, which includes 10 Top Questions you should be asking, or visit us at Cyber UK, 13 – 15 May, ICC, Birmingham.

How can you be sure who you are really talking to?

The most recent story to hit the headlines of politicians’ use of consumer grade apps carries with it yet another warning for us all. 12 people including ministers, politicians, staffers and a political journalist have been targeted in a highly personal and potentially compromising attack. Politico, a news website, reported https://www.bbc.co.uk/news/uk-politics-68731683.amp that one senior MP was targeted via a dating app, and tricked/blackmailed into sharing contact details of colleagues that also worked in Westminster with their new ‘beau’.  By the time that the victim realised what was happening the account of the perpetrator had disappeared.  12 people have now admitted to receiving unsolicited approaches via WhatsApp in what appears to be a highly co-ordinated and well planned attack.

When personal life gets mixed up with business

Call it catfishing, spearfishing or social engineering, this incident demonstrates the dangers of mass adoption messaging apps, particularly for those holding public office. It is vitally important for people to be aware of the importance of checking the identity and to be sure that they are communicating with who they think they are. While using a secure messaging platform would probably not have helped in this instance as the situation developed in someone’s personal life, it does show just how quickly business life can become mixed up with personal.  And it certainly highlights just how easily mass adoption apps such as WhatsApp can be subverted, making them totally unsuitable for business, where any amount of sensitive information, potentially putting at risk national security, could be at risk.

Dealing with AI and deepfake secure identity is key

In the age of AI and deepfakes these type of attacks are likely to become more prevalent and everyone needs to up their game in terms of thinking more carefully about where information is coming from, and who they are dealing with.

Keep your personal life to yourself and your business life professional

The Armour Secure Comms platform provides a closed secure environment where people can only join the platform if authorised to do so by their organisation, are allowed only to access the user groups that they need to, and built-in identity-based encryption and authentication ensures that everyone they communicate with is, indeed, who they say they are. Plus, if needed, these communications can be stored for audit, compliance or public records.

If you are discussing matters of state, commercially valuable information, or sensitive client/partner information, better to do it over an environment that your organisation has complete control of.

Read our Buyer’s Guide to find out what you should be looking for, and the questions you should ask of any vendor.  https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/

As UK Government calls out China for state-affiliated actors for malicious attacks.

NCSC has this week upgraded its Defending Democracy guidelines with additional detailed information on how to reduce the risk of cyber attacks in the light of latest findings.

The UK government has called out China state-affiliated actors for carrying out malicious cyber activity targeting UK institutions and individuals important to democracy.  The National Cyber Security Centre (NCSC) assesses that the China state-affiliated cyber actor APT31 was almost certainly responsible for targeting UK parliamentarians.

Paul Chichester, NCSC Director of Operations, said:

“The malicious activities we have exposed today are indicative of a wider pattern of unacceptable behaviour we are seeing from China state-affiliated actors against the UK and around the world.

“The targeting of our democratic system is unacceptable and the NCSC will continue to call out cyber actors who pose a threat to the institutions and values that underpin our society.

“It is vital that organisations and individuals involved in our democratic processes defend themselves in cyberspace and I urge them to follow and implement the NCSC’s advice to stay safe online.”

The publication of new Defending Democracy guidance follows the release of fresh advice for high-risk individuals published by NCSC in December.

What is a high-risk individual?

The NCSC’s definition of a high-risk individual in a cyber-security context is those whose  work or public status means they have access to, or influence over, sensitive information that could be of interest to nation state actors. High-risk individuals include those working in political life (including elected representatives, candidates, activists and staffers), academia, journalism and the legal sector.

NCSC states that in recent years there have been a number of targeted cyber attacks against high-risk individuals in the UK, to attempt to gain access to their accounts and devices. This has resulted in the theft and publication of sensitive information, which can also cause reputational damage.

Advice about the use of Messaging Apps

As well as the usual advice around the use of social media and wherever possible only using corporately managed accounts and devices, NCSC gives specific advice around the use of messaging apps such as such as WhatsApp, Messenger and Signal. When using these types of mass-adoption application, for personal use on a personal device, it recommends:

• The use of disappearing messages that automatically delete after a set period. This may limit what an attacker might access, should they be successful. However, while some consumer-grade apps do have disappearing messages, they will not necessarily be deleted from all devices, if they have been saved, or forwarded to a third party.
• Be careful who you are communicating with as impersonation-based attacks can be very convincing, as can deepfakes powered by AI. Can you be certain that you are communicating with who you think you are?
• Be mindful of who else is in the chat group – unless it is a closed group, you probably don’t know who else is in the group for certain.
• Avoid accepting message requests from unknown accounts – consider calling first to verify who they are
• Ensure that the latest security updates are installed and set up two-step verification (2SV) for when you log in.

 

WhatsApp et al are not suitable for organisational use

As we’ve stated many times before, personal messaging apps are not secure enough for business use.  An enterprise-grade secure communications platform should be used for business communications as this provides a much higher level of protection and avoids many of the issues with mass-adoption apps.

How Armour® helps

Armour Mobile™ protects mobile communications and data on corporately owned and BYOD devices.

Centrally managed, identity-based encryption and authentication

Armour’s solutions are centrally managed, so only those invited can join a group. Armour uses identity-based encryption and authentication so users can be sure that they are communicating with who they think they are, and not an impostor or a deepfake.

Keeps communications separate – avoids data leakage to other apps

The Armour platform completely isolates the communications and any associated data and files (attachments such as documents, images, video clips). In addition to end-to-end security over-the-air, all data is encrypted and secured at-rest within the app, protecting contacts, messages and attachments from malware, either on the device or if the device is lost or stolen.

Armour provides its own viewers for certain types of attachments, so as not to share information with the operating system or third-party viewers, and preventing the user from deliberately, or accidentally, sharing the attachment (and its sensitive information) outside of the Armour app, thus avoiding the potential for data leakage.

Secure by Design, Secure by Default

Armour’s products are ‘Secure by Design’ and ‘Secure by Default’, out of the box.  The end user does not need to select a secure setting, it is already configured.  For example technology in the app requires sole use of the microphone ensuring rogue apps are not ‘listening’ into voice or video calls.

Secure provisioning routines, and closed VPN

To minimise the use of the public internet and untrusted, insecure networks, the Armour apps can be installed in a variety of ways. Depending on the specific use case requirements this can include via SD card or via a completely closed VPN network (using additional technology from Armour technology partners).

Message Burn – manage messages even after they are sent

The Armour platform includes many security features within the app to protect against data leakage.  This includes Message Burn/Disappearing Messages features, where the sender of a message can set it to automatically delete at a set time, either after it has been read, or after it has been sent.  This feature can be deployed centrally as a standard setting across chat groups or communities of users. Optionally, the app can be set to delete all messages after a set period, for example, 30 days, so that old messages are not hanging around for longer than they need to. In addition, if a phone is lost, stolen or compromised, all data held within the Armour platform can be wiped remotely.

Engaging user experience

Armour applications are every bit as intuitive and engaging to use as consumer and mass-adoption communication apps. The Armour platform is quick to deploy and communities can be up and running within hours.

For more information about how Armour can help your organisation defend democracy and protect sensitive corporate and client information contact us today.

Or read our Buyer’s Guide to find out what you should be looking for: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/