Global backlash against TikTok grows

What other undesirable apps are potentially accessing your corporate data?

On 16 March the UK Government announced a ban on the use of TikTok on government phones and devices. The ban is in line with those announced by the US and Canadian governments and the European Commission. A report submitted to Australia’s Select Committee on Foreign Interference through Social Media “…confirms beyond any plausible doubt that TikTok is owned by ByteDance, ByteDance is a People’s Republic of China (PRC) company, and ByteDance is subject to all the influence, guidance and de facto control to which the Chinese Communist Party (CCP) now subjects all PRC technology companies.” The report shows “… how the CCP and PRC state agencies (together, the Party-state) have extended their ties into ByteDance to the point that the company can no longer be accurately described as a private enterprise.”

The Register states: “The report, by a quartet of researchers, was hailed as “the most comprehensive exploration yet of the CCP’s ties to TikTok” by Brendan Carr, commissioner of the United States’ Federal Communications Commission. India’s IT minister Rajeev Chandrasekhar retweeted Carr’s remarks.”

This latest revelation must raise serious concerns amongst CISOs and anyone with any interest in data security. Any mobile phone that is used for business and that also has TikTok installed raises the risk of leaking valuable commercial data and intellectual property to a totalitarian regime that actively pursues industrial and academic espionage.

If we needed any further reminder that consumer apps should NEVER be trusted to handle enterprise data, here are a few other recent stories…

Mobile phone account takeovers – are you safe from mobile phone number recycling?

When registering for a free messaging app it is common practice to use your mobile phone number. Indeed, for most services, this is the only option available. However, this brings its own privacy issues: mobile numbers are recycled by carriers, so an account keyed to a number can end up in the hands of whoever is issued that number next, and the data security at the multi-national social media companies that tend to own consumer apps is often found wanting.

This cautionary tale appeared on El Reg recently concerning an accidental WhatsApp account takeover. It is about a person moving from one country to another for work, and changing to a local mobile phone number as they did so. They then started receiving WhatsApp messages meant for someone else. While not specifically a WhatsApp issue, it serves to highlight the problem of using a mobile phone number as the identity when setting up a messaging app. A registration PIN (WhatsApp’s “two-step verification”) makes re-registration of a recycled number harder, but whoever now holds the number still receives the SMS verification codes, so the number itself remains the weak link.

It begs the question – what messages do you have in your WhatsApp chat history?  Would you be happy for them to be read by a complete stranger?

Protect your own privacy

Unlike consumer apps, with Armour Mobile and Signet you are able to register with a unique identifier rather than a phone number. As well as protecting your account against spoofing (caller ID and mobile phone numbers being notoriously easy to spoof or impersonate), the benefit of identity-based authentication (MIKEY-SAKKE) is that you can be sure you are communicating with who you think you are communicating with, which helps to avoid deepfake scams. In addition, all this provides an extra level of personal privacy protection.

WhatsApp fined again

In other news, WhatsApp has once again been slapped with a fine for mis-handling data under GDPR legislation. While the sum in question, €5.5m, is fairly paltry in terms of scale it is a further indication of the seriousness of such transgressions in that it has been levied in addition to previous fines. The Data Protection Commission (DPC), Ireland’s data watchdog, has upheld a complaint against WhatsApp dating from 2018, around the requirement of users to accept new terms and conditions that require them to share data, in order to continue using the app.

This comes despite WhatsApp having rewritten its European privacy policy after a previous eye-wateringly hefty fine of €225 million for GDPR contraventions.

Armour Mobile and Signet by Armour ensure that contact lists remain private and that personal information is not shared without the owners’ permission. Read our previous blog about GDPR and mobile comms for more information.

Not suitable for Government says ICO (or Enterprise)

Last year, the Information Commissioner’s Office (ICO) recommended that Government departments review the use of consumer-grade apps such as WhatsApp, private emails and messaging platforms after a year-long investigation that highlighted inadequate data security during the COVID pandemic.

If there are fears for the privacy of government communications, there should equally be caution among the private sector.  All enterprises, no matter how large or small, have intellectual property that they would not wish to fall into competitor hands (formulae, customer lists, product roadmaps, employee information, details of proposed mergers and acquisitions, to give just a few examples).

In line with the recommendations made by the ICO, at Armour we urge organisations to review the use of messaging apps to ensure that sensitive and commercially valuable information is not in danger of being compromised, or shared unwittingly.  Here we go into more depth about why consumer-grade apps are a security risk.

For more information about how Armour Mobile can help your organisation to protect sensitive information and comply with GDPR, while providing an engaging and easy to use secure comms app to your staff, contact us today 

The Hancock Saga – Exactly how NOT to manage sensitive information

Whose data is it that was leaked to the press – were they personal messages, or was it Government information?

The latest story of leaks to the press involves a “hapless” and “controversial” Matt Hancock, former Secretary of State for Health and Social Care. Having commissioned a high-profile journalist, who was known to be critical of the government’s handling of the pandemic, to ghostwrite a memoir of his time in office during the pandemic, he was then surprised when said journalist leaked supposedly private WhatsApp messages, despite a confidentiality agreement.

Someone in his position should know that there is no such thing as ‘off the record’ when dealing with journalists.  If you don’t want them to write it, don’t tell them!

Whatever you think of Hancock (an article in the FT, ‘The tragedy of Matt Hancock’, described him as mainly “annoying”), this case does highlight some extremely important aspects of managing information, and more specifically, Government information.

Whose data is it anyway?

While the precise definition of “public record” is open to interpretation, such records do include “…‘not only written records, but records conveying information by any means whatsoever’ – so including electronic documents, emails, social media and databases…” so whether Hancock’s messages were sent via email or via WhatsApp, they could be construed as Government data, and so part of the Public Record.

Question: If they were sent from a Government-provided device/mobile, no matter via what type of app, are they Government data?  One would think so!

Question: Would you be happy if you thought that messages you’d sent to a work colleague expecting them to remain confidential, were subsequently shared with a third party without your permission?

Question: Should someone be making huge profits off the back of data they acquired while in a privileged position, serving the people of this country?  It seems unprofessional and inappropriate to most people.

For example, the Civil Service code is quite clear that one must not “misuse your official position, for example by using information acquired in the course of your official duties to further your private interests or those of others” nor “disclose official information without authority (this duty continues to apply after you leave the Civil Service)”.

The current slipshod manner of handling such Government information raises another important issue: Ministers should be able to discuss policy matters frankly, in private, without fear that their conversations and messages will be leaked. Yet such private discussions keep being leaked. It has happened repeatedly, for example in Hancock’s own dealings with Dominic Cummings, who, after being forced out of Downing Street, shared WhatsApp messages in which the then-prime minister Boris Johnson described Hancock as hopeless. As the saying goes… “What goes around comes around.”

Protecting Government data

There is no doubt that consumer messaging apps are easy to use.  But when discussing important Government policy, or any other sort of sensitive information, surely more care should be taken of how and where these discussions take place.

There are built-for-purpose apps available to Government, that are approved for handling classified information.  Armour Mobile is every bit as easy to use as a consumer-grade app, with a whole host of useful additional features for protecting information. There really is no excuse for the current saga involving Hancock’s messages, which is damaging to the reputation of the British Government.

Having your Cake and Eating it – Remote Message Wipe and Audit

Armour Mobile provides a secure alternative to WhatsApp and any other messaging app that does not have centralised control over its users.  Armour Mobile messages can be set by the user to automatically delete at a set time either after the message has been read or after it was sent, leaving no trace of the message behind.

In addition, a central administrator can set retention limits so that all messages automatically delete after a set amount of time, for example, one month.  Does anyone need to keep messages beyond a certain point?  Not unless they are planning to write a book of course!

Finally, if a phone is lost, stolen or compromised, or an employee leaves the organisation, the data held within the Armour app can be remotely wiped by an admin, therefore minimising the risk that sensitive data could be exposed.

Preserving the Public Record

While Armour Mobile securely protects messages, documents, voice and video calls both over-the-air, and also when at-rest on a device, Armour is also able to provide an archive and audit option, ReCall by Armour. If this additional module is enabled on an Armour Mobile system, copies of the encrypted communications can be saved to a secure environment, where only specially approved administrators can decrypt specific messages or conversations, whether for legal compliance purposes or to store as a “public record”.

This means that the contents of any conversations within Armour Mobile can be managed centrally, and removed from devices remotely, while still ensuring a copy is securely saved, should it need to be audited at a later date.  Using such a system, ministers and civil servants can debate policy, argue, bicker and name-call to their hearts’ content, safe in the knowledge that the contents of their discussions are protected centrally, with no copies hanging around afterwards that can be passed retrospectively to third parties… or appear in someone’s memoirs!

Whether the messages were taken out of context, whether the journalist had an axe to grind, whether Hancock was naive and/or incompetent is actually irrelevant. Government data such as this should have been properly protected.

Lessons for Enterprises that don’t want to air linen (dirty or otherwise) in public

It’s easy to bash politicians because they are in the public eye, and when they fall from grace they do so with plenty of noise.  However, there is a lesson to be learnt here for every enterprise and every business person.

Ask yourself – what conversations/chats do you have on your mobile residing in a messaging app that could cause you embarrassment should the wrong person see them?

Now ask yourself what conversations and information might be on your employees’ phones that could do your business damage should they be exposed?

Every enterprise has some intellectual property to protect; every HR department discusses the relative merits of job candidates; managers and supervisors discuss the performance of people in their team; sales people discuss sensitive details of negotiations to close a large deal.  All of this information could cause financial loss, be deeply embarrassing if leaked, lead to loss of reputation, breach GDPR and attract huge fines, or at worst, could jeopardise the entire business.

When considering the predicament an ex-minister finds themselves in, ask yourself whether it could be you or your organisation next?

Contact us today to make sure that the things you want to keep secret are securely protected: https://armourcomms.com/contact

Signal may abandon UK users

The perils of using consumer grade apps for business

Last week it was widely reported (https://www.bbc.co.uk/news/technology-64584001) that Signal will leave the UK market if the Online Safety Bill, introduced by Boris Johnson’s government and currently going through Parliament, undermines encryption. This would leave hundreds of thousands of users looking for an alternative secure messaging service.

The Online Safety Bill, critics say, means that companies could be required by Ofcom to scan messages on encrypted apps for child sexual abuse material or terrorism content. Apple tried to address the same issue a couple of years ago, when it proposed introducing new scanning software to detect Child Sexual Abuse Material (CSAM) on people’s iPhones.

No one would argue that cracking down on the peddling of CSAM and the apprehension of terrorists is anything but a good thing. However, in this case, the method was called into question because it introduced a security and privacy weakness into Apple’s operating system, which had previously enjoyed a robust reputation: scanning content on the device before it is encrypted means end-to-end encryption no longer guarantees that only the sender and recipient can see a message, and the list of what is scanned for is controlled by whoever supplies it. It doesn’t take a huge leap of imagination to see how this type of well-meaning surveillance could be appropriated for more political or sinister purposes. Indeed, there was such a degree of public outcry that Apple deferred the launch of the service and has since abandoned it.

As the BBC coverage comments, it is ‘magical thinking’ to imagine that online privacy can be maintained for the good guys, but not the bad guys!

Signal is a well respected service and indeed, our own SigNet by Armour entry-level enterprise service is based on Signal technology. However, this latest story brings into question the wisdom of using consumer-grade apps for business.  If you use a free service, you are at the whim of the supplier.

This also highlights the reasons to use an enterprise/government/military grade solution for secure communications and collaboration. In subscribing to a professional service, such as those provided by Armour, you benefit from the following:

• Hosted or on-premises options for complete control of your data and metadata

• Central management of users with easy provisioning and equally easy revocation

• Access to, and potentially input into, the roadmap of product development

• Bespoke development capabilities to handle unique/complex requirements

Contact us today to find out how Armour Comms can help your organisation to manage secure communications more reliably.

Well this is a nice surprise!

Armour recognised in the Tech200 – an annual list of the top 200 fastest-growing technology companies in the public sector

We love to receive an award, and we’ve won our fair share over the years. However, this one is all the more exciting as we weren’t expecting it. The first we knew about it was when we were contacted to check our address for the award, which has just arrived in our mail room.

So not only has Armour Comms been listed in the Tech200, which is the top 200 fastest-growing technology companies in the public sector, we were ranked at 17th.  The list, now in its second year,  is compiled by Tussell in association with techUK, and is based on data from Tussell’s market intelligence platform.  This means that the ranking is based on, according to Tussell: “…a purely fact-based, unbiased analysis of the fastest-growing tech firms – completely uninfluenced by any sponsors or the interests of individual companies or organisations.”

Read more here: https://www.tussell.com/insights/what-is-the-tussell-tech200-2022

We are naturally delighted to receive this award as recognition of our continued commitment and success in working with UK public sector, and helping to ensure that sensitive communications are kept secure and protected.

Armour Comms sees another successful year with over 50% increase in customer orders

Growing markets for secure conferencing and archive and audit products gain traction for Armour Comms product portfolio

London, UK, 31 January 2023. Armour Comms has completed another successful year, which saw an increase in customer orders of 54%. Armour also further developed relationships with key industry partners, most notably two new major defence contractors.

David Holman, Director at Armour Comms, stated: “Despite a challenging business environment, we have once again improved the financial standing of the company in 2022. We have seen continued support from existing customers, as well as many new named contracts, including strategic investments from the defence sector.

“We are extremely positive for the coming year as our enhanced product portfolio is gaining traction and with several exciting new developments soon to be announced.  In addition, we have further cemented relationships with partners including two influential defence contractors which will make a significant impact on our ability to deliver large deployments.”

Plaudits for Armour Comms

As well as a financially successful year, Armour has continued to gain increased industry recognition with the following achievements:

• Unity by Armour was named Best Communications Security Solution in the SC Awards.

• Armour Comms was judged a ‘Leader’ in Secure Comms by a prominent industry analyst appearing in the top right hand corner of the analyst’s sector graph.

• Armour Comms was selected for the ‘Scale’ stream of the government-based Cyber Runway accelerator.

• Cyber Essentials Plus was added to Armour’s long list of industry best practice standards achieved.

• ISO 27001 maintenance audit passed with flying colours.

• Early in January 2023, Dr. Andy Lilly, CTO of Armour Comms was voted onto the techUK Cyber Management committee.

Product Innovations

Product innovation continued apace, with two significant product streams added to the Armour product portfolio:

• Unity by Armour – secure conferencing that confirms and safeguards user identity and protects against ‘uninvited’ attendees (zoom-bombing).

• Recall by Armour – archive and auditing capabilities for regulated industries that need to retain proof of communications/conversations, while ensuring that they remain highly secure.

Both Unity and Recall have gained significant traction within the client base.

In addition, major developments for the core products have continued throughout the year, enhancing Armour’s capabilities for large and complex deployments as well as providing a raft of end-user features that provide a truly superior user-experience when compared to consumer-grade alternatives.  Highlights include:

• Armour Core v5.x which includes Kubernetes capabilities and the ability to deploy remotely and at scale for large enterprise users (10,000+ users)

• A technology preview of the new Configuration Management System which provides management of data within the Armour ecosystem, even on BYOD phones, without the need for an MDM solution.

• SigNet v3.x which includes secure group video calls and increased capabilities for enrolling and managing users, making it even more useable for entry-level direct WhatsApp replacements in enterprise environments.

Armour CTO appointed to techUK Cyber Management Committee

We are delighted to announce that our very own Dr. Andy Lilly has been appointed to the techUK Cyber Management Committee. Andy joins 25 others, all of whom were voted for by techUK company members.  This techUK committee will set the strategic vision and priorities for the Cyber Security Programme, helping the programme to engage with government and senior industry stakeholders over the next two years.

Andy said: “In a hyper-joined up world, effective cyber security relies on collaboration between government, vendors and end-users to provide a good user experience. I’m looking forward to working with the rest of the committee members to make a real difference in cyber security policies and developments that will have a positive impact across all areas of cyber use, in line with our UK National Cyber Strategy.”

For more information about techUK and the other committee members please visit: https://www.techuk.org/cyber-security-programme/cyber-security-management-committee.html

Wickr Me is closing – Now what?

AWS has announced it has closed Wickr Me to new registrations and will phase out the service by the end of this year. AWS’ aim is to move users to a paid for platform. This is unsurprising as AWS will be looking to recoup its (undisclosed) investment in Wickr as it moves into the communications space.

As we’ve said many times in the past, free apps should have no place in enterprise communications. If you want good security, without the risk of your data being mined for marketing purposes or sold on to third parties, then as a business you should be prepared to pay to ensure you have control of your data.

So far, so good.  However, for many organisations, suddenly being faced with a bill for something that was previously ‘free’ is a catalyst for all sorts of budget and procurement conversations. If something is ‘free’ people are generally prepared to put up with issues, however, when paying for a service, you might as well get something that is as good as it can possibly be for the budget spent.

Analyst reviews indicate that AWS/Wickr Enterprise, while flexible, lags behind other comparable products for both manageability and features.

With published prices starting at $5 per user per month for a basic package, rising to $15 per user per month for a more comprehensive service, and a ‘please call for more details’ message for on-premises options, Wickr is no longer a cheap option.  Indeed, we have been approached by several organisations who have been quoted eye-watering amounts for continued use of the service.

Armour Mobile and SigNet by Armour provide a range of options suitable for most use cases, at about half the cost quoted to some security conscious organisations we’ve heard about, while still providing data sovereignty and supporting compliance with GDPR.

For more information about how to plan your organisation’s migration from Wickr contact us today.

Ex-PM’s phone hacked, allegedly

How to make a standard mobile secure enough for business use even when handling sensitive information and intelligence.

As Dan Sabbagh rightly points out in his article in the Guardian on 30 October 22, “mobiles are inherently insecure”. He also opens with the very sensible line: “We may never know just what happened with Liz Truss’s mobile, but it’s clear that ministers need to up their security game.” https://www.theguardian.com/technology/2022/oct/30/liz-truss-mobile-inherently-insecure-surprise-british-politicians-ministers-security

Another security foul-up

This most recent high profile ‘security foul-up’ story is yet another reminder, if we needed any, that everyone relies on their mobile phones, and with familiarity comes contempt. Contempt for security and privacy, of our own data as well as business information, and in this example, information that could affect national security.

Furthermore, it has been widely reported, including by the BBC: https://www.bbc.co.uk/news/uk-politics-63442813, that something happened during the summer when Liz Truss was Foreign Secretary, necessitating a new phone number and a replacement government-issued handset. And if you’re a world leader who can’t be separated from your personal phone because you’re tweeting all the time, then the potential security concerns are pretty obvious, as we outlined in this blog from 2018 on SS7 vulnerabilities: https://www.armourcomms.com/2018/06/05/ss7-vulnerability-still-going-strong-near-the-white-house/

In fact, calls and other communications involving classified or sensitive data CAN be made safe on ordinary mobiles using appropriate software. Although, if the user is deliberately subverting security, or determined to leak data to malicious actors or commercial competitors, security has a much tougher job.

Securing comms on standard mobile phones – it CAN be done, quite simply

For everyone else, apps like Armour Mobile (or SigNet by Armour) can enable secure comms via a standard phone. Something that most business-people, and presumably most ministers/politicians would prefer, as it avoids the need to carry two phones.

Great user experience – fast to deploy

As well as providing a user experience every bit as engaging as a consumer-grade app, Armour Mobile is Secure by Design and Secure by Default, based on our many years of working with the UK’s National Cyber Security Centre (NCSC). It is easy to download from the appropriate app store, and user provisioning (set-up) is controlled centrally, so that only invited, known, trusted (or indeed, vetted) users can join a community.  This is in stark contrast to a consumer app, which anyone can use, and if you know someone’s mobile number, you can contact them – opening the doors wide for a whole range of phishing and social engineering attacks.

Be certain who you are talking to

All communications via Armour are protected within the app, and can only be shared with trusted colleagues in the same or a federated allow list (community of known users), ensuring that users are communicating only with who they intended to communicate with. (This blog explains just how easy it is to spoof a call, and what you can do to prevent it: https://www.armourcomms.com/2018/02/27/are-you-talking-to-me/)

Using Armour Mobile, people, including ministers, are able to share sensitive documents and have privileged discussions, safe in the knowledge that their conversations will remain private. Details of all communications, be they voice, video, message or attachment, including associated meta-data are stored securely, preserving data sovereignty.

Engaging bolt-ons – Secure collaboration

In addition, Armour Mobile also has some useful bolt-ons that enable secure collaboration, such as Unity by Armour for secure conferencing and Recall by Armour for audit and archive. Again, all data is held within the app and on designated servers either on a secure cloud, or on-premises, ensuring that you know where your sensitive data is held at all times.

There’s really no excuse for using insecure, easily hacked, easily spoofed consumer-grade apps for sensitive business communications. If people in your organisation are still using consumer communication apps for business, it’s time to contact us and start the clean-up operation.

Sales@armourcomms.com

Cryptographic authentication critical to fight deepfake & ID fraud

Part of TechUK Cyber Security Week

Dr. Andy Lilly, CTO of Armour Comms, explains how secure comms is vital for proving identity when exchanging sensitive / valuable information

The first few weeks of a new prime minister have shown the importance of getting communications right, be that the message, the media or the timing. In business, the speed at which negatively received messages can go viral has been supercharged by social media. Now think of the potential issues if those communications could be hacked, tampered with, or faked.

The rise of deepfake technologies capable of manipulating video and audio into totally believable corporate communications means it is increasingly critical to know that you are communicating with the person you think you are.

Deepfake fraud is here, now

There are an increasing number of real-world examples of ID fraud and deepfake scams. Over three years ago the Head of a UK subsidiary was tricked into transferring €200,000 to a Hungarian supplier on the instructions of the CEO of the German parent company. In reality, the conversation took place with an artificial intelligence (AI) equipped criminal gang using deepfake software to mimic the German Chief Executive’s voice patterns.

The software was able to perfectly impersonate the voice, including tone, punctuation and German accent, completely fooling the head of the UK subsidiary. The call was also accompanied by an email, supposedly from the CEO reiterating the payment instructions.

It’s no longer enough for organisations to protect sensitive corporate information and intellectual property, such as pricing, product formulas, research, customer lists, etc. It is vital that identities are also safeguarded and remain trustworthy.

Can you really trust video and audio?

Although we have seen deepfakes imitate celebrities and public figures in video format, it’s an endeavour that still takes hours of footage to achieve. Being able to fake voices convincingly takes fewer recordings to produce and with greater computing power will become easier to create. It begs the question can voice recognition be relied on as an accurate form of identity verification?

In the future, deepfake audio fraud is likely to be highly exploited in criminal activity. As the technology continues to evolve, it will become increasingly difficult to distinguish real audio from fake. If you want to ensure authentication of identity you need to use a seriously secure mobile comms service.

Help is out there

Solutions such as Armour Mobile use MIKEY-SAKKE identity-based encryption to secure multimedia services. This enables secure voice and video calls, voice and video conference calls, one-to-one and group messaging, and sending file attachments. In an identity-based scheme a key management server (KMS) issues each user key material derived from their identity (for example their address plus a validity period), so a caller encrypts to the recipient’s identity and signs with keys tied to their own; a party that was never provisioned by the KMS for that identity can neither decrypt the call nor produce a valid signature, hence the term “identity-based”. Armour offers several secure communications products with closed user groups, protecting you against fake contacts from external hackers (these systems can run on your own servers for total sovereignty for data and metadata).

The MIKEY-SAKKE protocol (RFC 6509) combines SAKKE identity-based key encapsulation (RFC 6508) with ECCSI identity-based signatures (RFC 6507) to authenticate the endpoints and agree a session key, and is designed to enable secure, cross-platform communications. It was developed by NCSC’s predecessor CESG and is the standard NCSC recommends for building a wide range of secure multimedia services for government and enterprises. The caveat a practitioner should note is that the KMS holds the master secret from which every user’s keys are derived, so whoever operates the KMS can derive any user’s keys; that is why running the KMS on infrastructure you control matters.
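To make the identity binding mentioned above (and in the earlier note on Armour Mobile and Signet registering with a unique identifier) concrete, here is an added, illustrative Python implementation of the signature half of MIKEY-SAKKE, ECCSI (RFC 6507). It is example code written for this page, not Armour’s or NCSC’s code: it follows the mathematical structure of RFC 6507 over P-256 with SHA-256 but does not claim conformance (the RFC’s identity encoding, octet-string validation and the SAKKE key encapsulation are omitted). The KMS class, the identities and the message are constructed for the demonstration. The point it shows is that verification recomputes the signer’s public key from the claimed identity, so the same signature fails for a different identity, a tampered message, or keys issued by a KMS whose public key the verifier does not trust.

```python
"""Illustrative ECCSI (RFC 6507) signatures over P-256. Example code; not a conformant implementation."""
import hashlib
import secrets

# NIST P-256 domain parameters, the curve RFC 6507 specifies.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
Q = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
N = 32  # octets per field element and per scalar

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication [k]pt."""
    k, acc = k % Q, None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def on_curve(pt):
    return (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def enc(pt):
    """Uncompressed encoding 0x04 || x || y, the form RFC 6507 hashes."""
    return b"\x04" + pt[0].to_bytes(N, "big") + pt[1].to_bytes(N, "big")

def h(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

class KMS:
    """Key Management Server (constructed for this example): keeps KSAK, publishes KPAK."""
    def __init__(self):
        self.ksak = secrets.randbelow(Q - 2) + 2
        self.kpak = ec_mul(self.ksak, G)

    def issue(self, identity):
        """Derive the user's (SSK, PVT) for an identity (RFC 6507 section 5.1.1)."""
        v = secrets.randbelow(Q - 2) + 2
        pvt = ec_mul(v, G)
        hs = h(enc(G), enc(self.kpak), identity, enc(pvt))
        ssk = (self.ksak + hs * v) % Q
        assert ec_add(ec_mul(hs, pvt), self.kpak) == ec_mul(ssk, G)  # receipt check, 5.1.2
        return ssk, pvt

def sign(kpak, identity, ssk, pvt, msg):
    """Return SIG = r || s || PVT over msg (RFC 6507 section 5.2.1)."""
    hs = h(enc(G), enc(kpak), identity, enc(pvt))
    while True:
        j = secrets.randbelow(Q - 1) + 1
        r_int = ec_mul(j, G)[0]
        r = r_int.to_bytes(N, "big")
        he = h(hs.to_bytes(N, "big"), r, msg)
        denom = (he + r_int * ssk) % Q
        if r_int and denom:  # otherwise retry with a fresh j, as the RFC requires
            s = pow(denom, -1, Q) * j % Q
            if s:
                return r + s.to_bytes(N, "big") + enc(pvt)

def verify(kpak, identity, msg, sig):
    """RFC 6507 section 5.2.2: rebuild J from the claimed identity and compare J.x with r."""
    if len(sig) != 4 * N + 1 or sig[2 * N] != 4:
        return False
    r_int = int.from_bytes(sig[:N], "big")
    s = int.from_bytes(sig[N:2 * N], "big")
    pvt = (int.from_bytes(sig[2 * N + 1:3 * N + 1], "big"), int.from_bytes(sig[3 * N + 1:], "big"))
    if not (0 < r_int < P and 0 < s < Q and on_curve(pvt)):
        return False
    hs = h(enc(G), enc(kpak), identity, enc(pvt))  # binds the identity string to the key
    he = h(hs.to_bytes(N, "big"), sig[:N], msg)
    y = ec_add(ec_mul(hs, pvt), kpak)               # equals [SSK]G only for a genuine PVT
    j = ec_mul(s, ec_add(ec_mul(he, G), ec_mul(r_int, y)))
    return j is not None and j[0] == r_int

def demo():
    """Constructed scenario; returns (genuine, wrong_identity, tampered_msg, untrusted_kms)."""
    kms, alice, msg = KMS(), b"alice@example.com", b"approve supplier payment"
    ssk, pvt = kms.issue(alice)
    sig = sign(kms.kpak, alice, ssk, pvt, msg)
    rogue = KMS()  # a second KMS issues keys for the same identity; its KPAK is not trusted
    sig_rogue = sign(rogue.kpak, alice, *rogue.issue(alice), msg)
    return (verify(kms.kpak, alice, msg, sig),
            verify(kms.kpak, b"mallory@example.com", msg, sig),
            verify(kms.kpak, alice, msg + b"0", sig),
            verify(kms.kpak, alice, msg, sig_rogue))
```

Running demo() returns (True, False, False, False). Note that the verifier never needs a certificate or a per-user public key, only the KMS public key KPAK and the identity string; that is the convenience of identity-based schemes, and also why the KMS operator, who holds KSAK and can compute any user’s SSK, is the trust anchor.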

Get prepared… now

Deepfake scams may well have arrived but there are proven tools to identify the real from the fake. These help prevent fraudulent activity by enabling secure collaboration between trusted colleagues. Communications can be conducted within a closed user group and only trusted parties added to the system can call and message others. So, when discussing commercially sensitive information such as corporate intellectual property, financial transactions, and customer details, you need to know you can trust your communications.

Prepare your organisation now. The fakes will only become better as AI advances. If trust evaporates, business will become untenable.

For more information about MIKEY-SAKKE visit:  https://www.ncsc.gov.uk/articles/using-mikey-sakke-building-secure-multimedia-services or: https://www.armourcomms.com/