Russia hacks German military video call putting British forces at risk in the Ukraine

How secure are your sensitive video calls?

The BBC reports that Germany has admitted to a hack by Russia of a military meeting where officers discussed giving Ukraine long-range missiles, and their possible targets. https://www.bbc.co.uk/news/world-europe-68457087  Elsewhere it was reported that British forces involved with transporting the missiles could therefore be at additional risk.

It has been confirmed by the German government that the call was authentic and has been leaked by the Russians on the dark web.

There are so many levels on which this worrying story gives cause for concern. Not least is the highly insecure practice of using a non-secure channel for discussing military secrets. And it comes hot on the heels of a story that broke in January that US security company Ultra Intelligence and Communications fell victim to a cyberattack that, amongst others, affected the Swiss Air Force, when thousands of documents were stolen and made available on the dark web.

This isn’t necessarily a case of Russian intelligence being particularly clever; by not using a secure communications platform designed specifically to protect sensitive conversations, people are making it easy for them!

For protecting the most sensitive of conversations, such as the military secrets discussed in this instance, there are highly secure, on-premises communications solutions that could have been used. By running an on-premises solution, organisations significantly reduce the potential attack vectors, as well as keeping total control of every aspect of their sensitive communications.

Armour Unity secure video conferencing

One problem facing many security-conscious organisations is how employees handle data of mixed classifications. When sharing information that can be OFFICIAL, OFFICIAL-SENSITIVE, NATO Restricted or even SECRET, what are the appropriate/approved collaboration tools to use? And how do you ensure data sovereignty?

Armour Unity™ provides an alternative to consumer grade applications. Unity delivers secure conferencing in an easy-to-use app for mobile and desktop use, with enterprise security features not provided by free-to-use consumer products including a choice of cloud or on-premises installation to ensure data sovereignty. Unity is available in several configurations to ensure the level of security matches the sensitivity of the conversation. Unity combats the issue of ghost callers that may eavesdrop on sensitive conversations by highlighting to all users whether a participant has joined the call via an app, or securely via a browser – browser options often increase vulnerabilities.

Award-winning Armour secure communications

  • Given its multi-domain, multi-organisation structure with strictly siloed security Armour can augment and broaden secure communications and collaboration capabilities.
  • OFFICIAL SENSITIVE collaboration can be provided via Armour’s Secure Cloud extending to include desktops, workstations and unified comms systems.
  • The Armour installation can be hosted and managed on-premises to give the organisation total data sovereignty.
  • All users of the Armour ecosystem are centrally managed, and only those invited are able to join a communications group.
  • Identity-based encryption and authentication means that users can be confident that they are communicating with trusted colleagues, rather than impostors.
  • Remote wipe means that all sensitive information can be removed from the Armour ecosystem should a user or a device be compromised.
  • The organisation keeps control of its data because messages and documents cannot be forwarded to third parties outside of the platform.
  • Message Burn enables the sender to set a message to self-delete after a specific time either after it has been sent, or after it has been read.
  • Central admin can set all messages for all users to auto-delete after a set period, for example, 7 days, or a month.
  • Armour Recall™, a secure audit capability, is available as an additional service, where conversations and associated files are archived for future reference by a suitably security-screened auditor. The files are securely preserved even if the original messages have been deleted or lost.

Not on the High Street

This type of robust secure collaboration is not available from mass-adoption communication tools such as MS Teams, Zoom, Google Meet and WebEx. They all claim end-to-end encryption; however, as we’ve mentioned on numerous occasions, there is a lot more to security than just encryption. When looking for a secure communications solution there are multiple aspects to consider. Understanding the likely threats in this environment and solving each one, while providing an application that is as easy to use as, say, a consumer application, is key to most organisations’ decision making. This is an important point made by the UK’s National Cyber Security Centre (NCSC) Seven Principles for Secure Communications. For more information on this topic, read our blog: https://www.armourcomms.com/2021/04/21/replacing-whatsapp-advice-from-ncsc/

Armour® provides highly usable and engaging solutions, so your users will have no reason not to use them.  Our Buyer’s Guide gives advice as to what you should be looking for: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/

See us at the Telecom Summit: Safeguarding the Digital Frontier

12 March, Digital Security Authority, Nicosia, Cyprus

Our CTO, Dr. Andy Lilly is presenting at the Cyber Security in Telecom Summit: Safeguarding the Digital Frontier, being held in Nicosia, Cyprus on the 12 March.

Organised by the Cyprus Computer Society and the British High Commission Cyprus, with support from the Digital Security Authority, this is set to be a groundbreaking event. The conference aims to bring together leading experts, professionals, and enthusiasts to explore and exchange insights into the latest trends, challenges, and solutions in the dynamic field of cyber security and telecom.

The Threat in your Pocket

Andy will be presenting a session about the threat in your pocket – your mobile phone. Almost everyone carries a computer in their pocket, or handbag, with access to every aspect of our personal lives, financial, medical and – in some cases – very sensitive commercial, defence, or government data. Andy will present a summary of the broad range of attack vectors against mobile devices, from the network level down to the threats within the device itself. Not least is the significant threat from common messaging applications.  Andy will explain the UK’s NCSC principles for secure communication and provide guidance on mitigating the serious risks from consumer grade messaging apps.

For more information and to register, visit: https://ccs.org.cy/el/news/conference-on-cybersecurity-in-telecommunications-614

We look forward to seeing you there.

More banks fined total of $81million for record keeping contraventions

Regulated industries need to introduce secure comms with audit and archive to reduce risk of fines and take back control of data

 

Sixteen financial firms have been fined this month by the US Securities and Exchange Commission (SEC) https://www.sec.gov/news/press-release/2024-18 for conduct that violated recordkeeping provisions of the federal securities laws. The firms have agreed to pay combined civil penalties of more than $81 million, and have begun implementing improvements to their compliance policies and procedures to address these violations.

Just over a year ago, eleven of the most powerful financial services businesses were fined nearly $2bn for failing to meet record keeping regulations due to communications using unauthorised and unmonitored channels. On this occasion the fines were levied by the SEC and the Commodity Futures Trading Commission (CFTC). As well as the fines, the firms involved are also subject to cease and desist orders. Read the full story here:  https://www.bbc.co.uk/news/business-63056677   

The recurring nature of these fines indicates that the underlying causes haven’t gone away. And now with AI-generated deepfakes scamming financial workers into making multi-million dollar fraudulent payments, https://www.armourcomms.com/2024/02/14/do-you-have-25m-to-spare-deepfake-frauds-are-here/  using an enterprise-appropriate, secure communications platform for all business conversations has never been more important.

Bankers are losing their jobs

The original revelations rocked Wall Street when some high profile bankers even lost their jobs (see our previous post about JPMorgan Chase https://www.armourcomms.com/2022/01/06/jpmorgan-fined-200m-for-mis-use-of-whatsapp/ ). The regulators concluded that the use of off-channel communications, using personal mobile devices and apps such as WhatsApp and Signal, was widespread.

And that’s not all – using consumer apps for business typically contravenes GDPR

In the UK and Europe, any organisation found to be using consumer-grade apps for business is likely to be in contravention of GDPR because under the regulations personal details cannot be shared without the owners’ express permission.

The inherent functionality of typical consumer apps includes sharing contacts between users (and with the service provider) as well as storing documents or pictures in unprotected locations on a device with no protection against these being shared onwards to any other user of that service (outside the originating organisation). The Terms & Conditions of such apps have ‘cop out’ clauses such as “You will not use (or assist others in using) our Services in ways that […] involve any non-personal use of our Services unless otherwise authorized by us.” which is legalese for “You can’t use this app for any business purpose”.

Significantly reduce the risk of regulatory fines

Taking back control of mobile communications by providing a viable alternative to consumer apps will enable financial institutions to prove they are taking appropriate steps to ensure staff compliance and so significantly reduce the risk of fines or data leakage, and the negative publicity associated with non-compliance.

Armour® Comms has been positioned as a leader in the Secure Communications, Q3 2022 – The 12 Providers that Matter Most and How They Stack Up report by a major industry analyst.  Our flagship Armour Mobile together with Armour Recall™ delivers a highly usable solution to replace the ‘shadow IT’ of consumer-grade apps.

Available as an on-premises solution to provide data sovereignty, Armour Mobile and Recall provide all of the security, monitoring and archiving features required by regulated industries. What’s more, its enterprise-grade capabilities mean that Armour Mobile can be deployed at pace with one-click provisioning, making it quick and easy for users to be up and running with an approved channel for business communications within minutes, even on BYOD and un-managed devices.

With Armour Mobile, employees have the tools they need to communicate even the most sensitive of market intelligence safely and efficiently.

Recall by Armour – How it works

Armour Mobile and Armour Desktop support an integrated and secure audit capability enabling communications (text, audio) to be captured in their entirety within the centralised audit log, allowing detailed retrospective analysis of all conversations.   Each entry within the audit log is encrypted using keys unique to the user to whom the entry relates, and access to the decrypted content can only be gained by an Administrator with access rights to the audit tools to securely retrieve the key material and perform the necessary decryption tasks.

With Recall, all communications via Armour Mobile are protected and preserved automatically; the user doesn’t need to do anything extra. This supports the NCSC ethos of Secure by Design, making security easy for the end user.

For more information about how Armour Comms can help your organisation preserve, check and interrogate secure and sensitive conversations, ensure compliance, protect brand reputation (and avoid hefty fines), contact us today: sales@armourcomms.com

Do you have $25m to spare? Deepfake frauds are here

How Identity-based encryption can help

Yet another finance worker in a multinational company was recently duped into paying out $25 million after a video call with a deepfake chief financial officer. https://edition.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html  Not only was the CFO on the call a deepfake, so were all the other participants, all of whom were known to the finance worker. While initially the worker was suspicious, they put aside their doubts after the video call because it was so convincing.  This is not an isolated case, though previous frauds have tended to rely only on audio deepfakes.

With the growth of Artificial Intelligence (AI), impersonation-based attacks using deepfakes will continue to become more prevalent and even more believable. This is reinforced by the latest assessment from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) https://www.ncsc.gov.uk/news/global-ransomware-threat-expected-to-rise-with-ai   which reports that the growth and accessibility of AI will rapidly increase the number and believability of ransomware and other attacks. As AI gathers momentum so the barrier to entry is lowered meaning that relatively unskilled threat actors such as novice cyber criminals, hackers-for-hire and hacktivists are able to carry out more effective attacks.

All this begs the question, what can organisations do to protect themselves from what is fast becoming a ‘wild west’ situation?

Tackling Deepfakes and other Impersonation-based attacks

Eventually people will become better able to spot deepfakes, in the same way that most of us don’t believe every photo we see, knowing that it is all too easy to manipulate images using software such as Photoshop. However, there is an immediate need for organisations to do everything they can to protect themselves and their employees from becoming victims of this newest threat.

Increasingly, authenticating the source of news, content, and all manner of communications is critical. Being able to trust that you are communicating with the genuine person (and not an impostor) will be a key to safety online, and for any type of transaction, whether that is taking financial or legal instructions from colleagues or customers, sharing commercially sensitive information with third-parties in the supply chain, or discussing matters of state with trusted advisors and co-workers.

As NCSC CEO Lindy Cameron states in the report, “The emergent use of AI in cyber attacks is evolutionary not revolutionary, meaning that it enhances existing threats like ransomware but does not transform the risk landscape in the near term.”

Identity-based Encryption will help to mitigate the risk

Technology is already available to protect sensitive business communications via voice, instant messaging and video conferencing. Secure communication solutions that use identity-based encryption, such as the NCSC’s MIKEY-SAKKE protocol https://www.ncsc.gov.uk/information/the-development-of-mikey-sakke, help organisations to verify that only approved participants can join a call group, meaning that everyone on a video conference call (for example) has been authenticated. This type of security feature is NOT provided by mass-adoption communication platforms, where very often all that is needed is a mobile phone number or email address to set up an account, and those are very easily spoofed, hacked or compromised (e.g. by SIM-swapping).

The Armour Secure Communications platform is purpose-built, Secure by Design, to protect sensitive communications between trusted colleagues, and can be used at higher assurance levels.

Lindy Cameron goes on to say, “As the NCSC does all it can to ensure AI systems are Secure by Design, we urge organisations and individuals to follow our ransomware and cyber security hygiene advice to strengthen their defences and boost their resilience to cyber attacks.”

For more information about the NCSC’s 7 Principles of Secure Communication and how Armour meets them all read our White paper: Replacing WhatsApp? Advice from NCSC

Nine tips for keeping communications secure within the Supply Chain

As cyber-espionage, state-sponsored hacking and identity-based attacks powered by AI and deepfake technology become mainstream, so details of sensitive communications amongst supply chain partners are at particular risk of compromise.

Any organisation that collaborates with others and shares commercially sensitive information needs to take robust action to secure their internal and supply chain communications to avoid becoming victims of malicious attacks that can result in damage to reputation, and financial loss to commercial and brand value.

Keeping your supply chain secure

The NCSC reports that supply chain attacks are on the rise, as increasingly complex technology ecosystems present more opportunities to be exploited. Where organisations cannot directly be compromised, an adversary may target the organisation’s digital supply chain, with just one of many examples demonstrated recently when Swiss Air Force documents were published on the dark web after an attack on one of its suppliers.

Organisations that need to collaborate with others, perhaps because they are working together on major projects, need to be able to communicate securely.

Mass-adoption applications are NOT secure enough

While popular mass-adoption communication applications offer convenience, claiming to be secure, they have not been designed for sharing sensitive commercial information. Using products not specifically designed to address the needs of high assurance organisations introduces unnecessary risk to all organisations within the supply chain.

Advanced Mobile Solutions – 9 Top Tips

The UK’s National Cyber Security Centre (NCSC) has defined a range of cyber security principles which a secure communications system should meet with the aim of delivering more secure devices that are as easy and convenient to use as commercial/consumer devices. With this in mind, here are 9 top tips for setting up secure communications systems that protect sensitive conversations, enabling secure collaboration with trusted partners.

1. Provide reasonable protections against device compromise

Data should be encrypted at rest, time limited (i.e. automatically deleted after a set amount of time) and remotely wipeable if, for example, the device or the user is compromised. The communications app should not start if the platform or operating system has been rooted or jailbroken.

2. Prevent bulk interception of sensitive data

Data should be encrypted in transit, including Push notifications, and it should be agnostic to being further protected by multiple layers of secondary encryption (for example, VPNs).

3. Prevent devices being compromised in bulk

Each user is separately Activated, Keyed, and Authenticated throughout use and is instantly Revocable, including the remote wipe of all data held within the app.

4. Keep sensitive data encrypted in the mobile infrastructure

Apply a ‘walled garden’ approach to network zoning of infrastructure.  User management and key generation is held within the inner zone securely segregated from external-facing services.  Sensitive data passed from inner to outer zones is encrypted and can only be decrypted by the recipient user app.

5. Monitor the mobile infrastructure to detect attacks

Service providers should deliver logging and data ‘pinch points’ to assist in monitoring.

6. Make it easy to destroy and recreate the mobile infrastructure

Infrastructure should be containerised for fast refresh or updates.

7. Protect the core with hardware assured Cross Domain Solution (CDS)

Ensure interoperability with CDS gateways for voice, video, messaging and Inner/Outer infrastructure zone control channels.

8. Control and monitor the release of data from the core

The infrastructure should only permit the Inner network zone to initiate connections to the Outer zone to prevent external attacks back into the Inner zone.

9. Engaging and User-friendly

Any solution must balance security with usability.  Apps need to be as engaging and easy to use as consumer-grade apps, but with significantly more robust security, so that users have no need of workarounds to get the job done.
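Tips 5 and 8 can be checked together at a logging ‘pinch point’ between the zones. The following is an added example, not Armour’s or the NCSC’s code: it scans connection-log lines and flags any new connection opened into the Inner zone from outside it, while accepting return traffic on connections the Inner zone started. The zone address ranges, the log format and all function names are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone layout (assumption): private and documentation ranges only.
ZONES = {
    "inner": [ipaddress.ip_network("10.10.0.0/16")],  # user management, key generation
    "outer": [ipaddress.ip_network("192.0.2.0/24")],  # external-facing services
}


def zone_of(addr):
    """Map an IP address string to 'inner', 'outer' or 'external'."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "external"


@dataclass(frozen=True)
class Flow:
    ts: str
    state: str  # NEW = connection being initiated, ESTABLISHED = return traffic
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Parse 'TIMESTAMP STATE src=.. dst=.. dport=..' (constructed log format)."""
    ts, state, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return Flow(ts, state, kv["src"], kv["dst"], int(kv["dport"]))


def find_violations(lines):
    """Return (violations, unparsed).

    A violation is a NEW connection whose destination is in the Inner zone
    and whose source is not: only the Inner zone may initiate (tip 8).
    Lines that cannot be parsed are returned rather than dropped, so a
    broken or tampered log feed is visible to whoever monitors it (tip 5).
    """
    violations, unparsed = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            flow = parse_line(line)
            src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        except (ValueError, KeyError):
            unparsed.append(line)
            continue
        if flow.state == "NEW" and dst_zone == "inner" and src_zone != "inner":
            violations.append((flow, src_zone))
    return violations, unparsed


# Constructed sample log, not captured from any real system.
SAMPLE_LOG = """\
2024-03-05T09:00:01Z NEW src=10.10.1.5 dst=192.0.2.10 dport=5061
2024-03-05T09:00:01Z ESTABLISHED src=192.0.2.10 dst=10.10.1.5 dport=49152
2024-03-05T09:00:07Z NEW src=198.51.100.23 dst=192.0.2.10 dport=443
2024-03-05T09:01:12Z NEW src=192.0.2.10 dst=10.10.1.5 dport=22
2024-03-05T09:01:30Z NEW src=198.51.100.23 dst=10.10.0.9 dport=8443
2024-03-05T09:02:00Z NEW src=10.10.1.5 dst=not-an-ip dport=53
""".splitlines()

if __name__ == "__main__":
    bad, junk = find_violations(SAMPLE_LOG)
    for flow, src_zone in bad:
        print(f"{flow.ts} ALERT {src_zone}->inner NEW {flow.src} -> {flow.dst}:{flow.dport}")
    for line in junk:
        print(f"UNPARSED {line}")
```

A check like this complements, and does not replace, enforcing the same rule in the firewall or Cross Domain Solution between the zones.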

We’ve moved down river!

New year, new office.

While everyone else was still coming to terms with a New Year, we at Armour have moved down river to splendid new offices in Aldgate. At time of writing everyone is now safely ensconced, with their own desks and pot plants installed, and we all just about know where the coffee machine is.

Strong Revenues and Growth

The move comes at the end of another great year for Armour where our revenue and profits continued to do well year-on-year. We continued to roll out new use cases for several of our significant customers (you know who you are), and we are developing relationships with a number of key alliance partners. Our ranks have been swelled with several new hires across the business covering development and support, and we welcomed our new VP of Sales and Marketing, industry veteran, Richard Brooks.

Impersonation-based and DeepFake threats

We are seeing a step change in the market for secure communications as security conscious organisations realise the risks of impersonation-based attacks, and deepfakes, which are only going to become more believable and more dangerous thanks to AI. The recent deepfake message purporting to be Joe Biden urging voters not to cast their ballots in the New Hampshire Democratic primary is a graphic example: https://time.com/6565446/biden-deepfake-audio/  

Our technology is already poised to help organisations overcome some of these risks. The benefits of identity-based authentication (in our case, the NCSC’s MIKEY-SAKKE protocol) where users must authenticate before they can join a call, send a message or join a video conference, are finally becoming more widely understood and demand for them is clearly growing.

Continued focus on R&D

2023 saw a focus on interoperability. We’ve delivered specific developments for customers that need to communicate with colleagues within the same organisation, but using different channels such as Skype, WhatsApp and Matrix, while maintaining robust security.  Some of these developments will be finding their way into the main product line later this year.

On the industry accreditations front, we maintained and renewed our ISO27001 certification.

Future projects currently under way include work on NCSC’s Principles Based Assurance – watch this space for further announcements.

It’s going to be a busy year, and one that we are looking forward to with relish – especially now that we have posh new digs!

Ministers’ disappearing messages – Part 2

Scottish Covid inquiry finds that Nicola Sturgeon appears to have deleted ALL her WhatsApp messages.

Hot on the heels of the revelation that WhatsApp messages between the then UK prime minister Boris Johnson, and Paymaster General and leader of the Commons Penny Mordaunt, had mysteriously disappeared, we now hear that ex-Scottish First Minister Nicola Sturgeon seems to have suffered a similar fate.

The BBC has reported that Jamie Dawson KC, counsel for the inquiry, stated that the former first minister appeared to “have retained no messages whatsoever”.  The inquiry was also told that her deputy John Swinney had his WhatsApp messages set to auto-delete.  In addition, the inquiry heard how no corporate or central record was made or retained either.  All of this despite some of their discussions being ‘FOI [Freedom Of Information] discoverable’, such that there was a requirement to keep a copy for future reference.

NCSC approved alternative to consumer apps

As we have stated many times before, there is really no excuse for the use of consumer apps by those in public office when there is an NCSC approved alternative that is every bit as engaging and easy to use.  Not only do consumer apps, such as WhatsApp and many others, lack enterprise-grade security features, such as identity-based authentication (which tackles the issues of impersonation-based attacks/spoofs, etc.), but as this case demonstrates yet again, such apps lack any central management of messages and conversations.

Plausible deniability should not be a goal!

The inquiry further heard that a civil servant, while reminding ministers of the FOI requirements, also made the remark: “plausible deniability is my middle name”.

Had ministers been using an approved secure communications platform, such as Armour Mobile, there would be no question about what happened to messages: they would all be archived and available for review by suitably approved and authenticated auditors. It would have been much easier and faster for the inquiry to discover exactly what went on, saving time and public money.

Furthermore, licences for the secure comms platform can be given to trusted colleagues in third party organisations. This would enable ministers and civil servants to communicate with whoever they need to, with the data remaining in the control and ownership of the government.

NCSC’s Secure Communications Principles

The NCSC has published principles dealing with secure communications which are:

  • Protect data in transit
  • Protect network nodes with access to sensitive data
  • Protect against unauthorised user access to the service
  • Provision for secure audit of the service
  • Allow administrators to securely manage users and systems
  • Use metadata only for its necessary purpose
  • Assess supply chain for trust and resilience

 

In an election year, if politicians and civil servants want to take a step towards repairing their somewhat tarnished reputations, following their own government’s guidelines about what constitutes secure communications, would be a good place to start.

For more information about what to look for read our Secure Communications Buyer’s Guide to discover the 10 questions you should be asking: https://armourcomms-25743375.hubspotpagebuilder.eu/buyers-guide-landing-page-2

More instances of Ministers’ disappearing messages!

A secure communications platform would provide a simple to follow audit trail

People like using WhatsApp. There are reputedly 2.7 billion users globally, beating both Facebook and WeChat. However, it’s really not suitable, or indeed, secure enough for organisations whether in the government or private sector, especially when national security may be at stake.  The latest twist in the Covid enquiry demonstrates this point, yet again.

The Guardian reported that Penny Mordaunt, leader of the commons, who served under Boris Johnson as paymaster general during the Covid pandemic, told the enquiry that WhatsApp messages with the then prime minister had mysteriously disappeared from her phone.

What actually happened to those messages we may never know. However, had all communications between ministers and people working in government been properly safeguarded, i.e. securely archived so that they were available for later audit, this current situation would simply not have arisen.

Preserving the evidence

In other industries, financial services for example, organisations are required by the Financial Conduct Authority (FCA) to preserve any material conversations, including those conducted over instant messaging, so that they can be reviewed at a later date should the need arise. Financial institutions have banned employees from using unsanctioned apps such as WhatsApp for any form of business conversation, and those that have been caught have suffered punitive fines as a result.

Emails of government employees and ministers are securely stored and have been for many years. So, with the ubiquity of instant messaging, why are these communications not treated in the same way? Many other countries’ governments have banned the use of consumer apps such as WhatsApp, Telegram and Signal, with France being the latest. When will the UK government follow suit?

BYOD devices can still be used

The Guardian article notes that Ms Mordaunt admitted using her own personal phone for some messages.  Ministers using their own phones for government business, while understandable as no one wants to be bothered carrying two phones, adds extra complexity to the issue of maintaining a public record of official communications. However, if a secure communications messaging app (the sort already approved and recommended by the National Cyber Security Centre (NCSC)) is used, any communication via the platform is preserved, even when using a BYOD device and even if the original messages are lost or deleted from the device.

Ministers using these apps could even provide licences to journalists and other third parties, so that all calls/conversations/communications are preserved.

NCSC’s Secure Communications Principles

The NCSC has published principles dealing with secure communications which are:

  1. Protect data in transit
  2. Protect network nodes with access to sensitive data
  3. Protect against unauthorised user access to the service
  4. Provision for secure audit of the service
  5. Allow administrators to securely manage users and systems
  6. Use metadata only for its necessary purpose
  7. Assess supply chain for trust and resilience

 

Furthermore, NCSC has published guidelines for dealing with Shadow IT which expressly covers the use of unsanctioned channels and applications.

NCSC approved alternative to consumer apps

While consumer apps are easy and convenient to use, the Armour NCSC-approved Secure Communications Platform is equally engaging. It has been designed working closely with NCSC to ensure that there is the correct balance between usability and security that supports good information governance.

Had ministers been using such a platform for communications, there would be no question about what happened to messages: they would all be archived and available for review by suitably approved and authenticated auditors. It would have been much easier and faster for the enquiry to discover exactly what went on, saving time and public money. And dare we say it, democracy would have benefitted!

For more information about how to tackle Shadow IT read our eBook: https://armourcomms-25743375.hubspotpagebuilder.eu/shadow-it-ebook or download our Secure Communications Buyer’s Guide to discover what you should be looking for and the 10 questions you should be asking: https://armourcomms-25743375.hubspotpagebuilder.eu/buyers-guide-landing-page-2

Should your staff use burner phones on business trips?

Some of the world’s largest consultancy firms (including the ‘Big 4’) are asking staff to use burner phones when they visit Hong Kong – but is this really the right solution?

A recent article in the Financial Times highlighted the growing concern about the risk to commercial data and the dangers of working in potentially unfriendly regimes. As Beijing continues to exert more control over the previously semi-autonomous international business centre of Hong Kong, more organisations are suggesting that company executives should take extra care when visiting the city, due to increased risks of hacking and unauthorised access to client data if work devices are used. In short, companies like Deloitte and KPMG are asking staff to use burner phones when in Hong Kong. And this is not being received well by some senior executives who prefer not to travel to the region due to the inconvenience of needing extra devices and leaving their usual phones and laptops at home.

This isn’t the first time that such an edict has hit the headlines. In January 2022 athletes from the US and UK were advised to use burner phones during the Beijing Winter Olympic Games due to concerns about an app provided by the Chinese government for use by all Olympics attendees that had significant security flaws.

This most recent example of organisations taking a stand against the dangers of state-sponsored hacking is equally applicable to many global organisations that have their Asia-Pacific headquarters in Hong Kong, or indeed in any untrusted regime. Some of the firms affected have expressed concerns about the legal liability associated with leaks of client data, and the commercial implications should clients’ data be stolen or compromised.

Burner phones – a solution or a risk?

This all raises an important question: What are the pros and cons of burner phones? From the user’s viewpoint, it is inconvenient to have to use a temporary phone, possibly with only a subset of the apps they are used to using. Conversely, if the phone is bought in country, then it might be considered unsafe because its provenance cannot be certain. For cost reasons such phones are usually Androids, which makes them more susceptible to having been ‘jailbroken’ (modified to remove restrictions imposed by the manufacturer, to allow the installation of unauthorised software) or to already containing potentially malicious apps from local carriers or distributors. While more secretive users might choose a burner phone because it helps their traffic blend in with the local phone communications, the primary purpose of using a burner phone is to be able to dispose of it when it is no longer required, such that whatever malware it contained, or picked up while in use, is not brought back into the user’s organisation. So, a burner phone is always a short-term solution to manage communications risks.

How Armour® helps

Armour Mobile™ and SigNet by Armour® can protect your mobile communications and data whether you choose to take your normal phone into a potentially hostile environment, or you need a secure communications solution that can be easily deployed on a burner phone.

Armour’s solutions completely isolate the communications and any associated data, metadata or files (attachments such as documents, images, video clips). In addition to end-to-end security over-the-air, all data is encrypted and secured at-rest within the app, protecting your contacts, messages and attachments from malware on the device or if the device is lost or stolen. The ultimate goal is to minimise your organisation’s risk by reducing the residual data held on the device. Armour’s products are ‘Secure by Design’: for example, technology in the app requires sole use of the microphone, ensuring rogue apps are not ‘listening’ in to voice or video calls.

In addition, before the app can be used, the Armour software checks to see if the device has been jailbroken; if so, the user will not be able to use the Armour app.

Armour provides its own viewers for certain types of attachments, so as not to share information with the operating system or third-party viewers, and to prevent the user from deliberately, or accidentally, sharing the attachment (and its sensitive information) outside of the Armour app, thus avoiding the potential for data leakage.

To minimise the use of the public internet and untrusted, insecure networks, the Armour apps can be installed in a variety of ways. Depending on the specific use case requirements, this can include installation via SD card or via a completely closed VPN network (using additional technology from Armour technology partners).

Armour Mobile and SigNet also include many security features within the app to protect against data leakage. These include the Message Burn and Disappearing Messages features, where the sender of a message can set it to automatically delete at a set time, either after it has been read, or after it has been sent. This feature can be deployed as a standard setting across chat groups or communities of users. In addition, if a phone is lost, stolen or compromised, all data held within the Armour platform can be wiped remotely.

For more information about how Armour can help your organisation protect corporate and client information while travelling in untrusted regimes, contact us today.

Or read our Buyer’s Guide to find out what you should be looking for: https://www.armourcomms.com/2023/06/29/securing-communications-channels-a-buyers-guide/