Posted on

GDPR fines – mobile losses could be next for Finance Sector

Finance Sector

Over a year since the implementation of GDPR regulations, and the ICO has started handing out fines for infringements. The finance sector is well used to dealing with regulation (pardon the pun), however mobile devices often go under the radar. While some unsecured voice calls on mobiles can be recorded via the usual VoIP phone systems, it is information exchanged using messaging apps that is of particular concern.  You may think that these so-called ‘secure’ messaging apps are secure because they are encrypted, but as we have documented in this blog on various occasions, there is a lot more to security than simply encryption.

Worryingly, in the past couple of months it has been stated that ‘almost half of the cyber-security incidents reported in the UK during the past year were caused by internal errors, where employees failed to follow security protocol or data protection policies.’ Furthermore, 70 percent of financial companies faced a cyber-security incident, and the number of attacks are increasing year on year.  Details here: https://www.scmagazineuk.com/70-uk-financial-companies-report-hit-cyber-incidents-blame-internal-error/article/1594018

How secure are attachments?

Only recently, research from Symantec found flaws in Android that allowed so-called media file jacking, where malicious attackers are able to manipulate and modify media files such as commercial documents, photos and recordings in WhatsApp and Telegram based on the users’ settings.

As well as the integrity of files, another issue to keep in mind, is where your data is being stored when you use mobile comms apps.  There is currently a high profile lawsuit being filed against Apple, claiming that iCloud storage is actually, in some instances, farmed out to other suppliers such as Amazon Web Services and Google. See: https://www.theregister.co.uk/2019/08/14/apple_cloud_confusing/

Sharing your contacts with the world

As well as knowing where your data is being stored, it is vital to keep control of your contact lists. Some consumer grade apps, such as WhatsApp, automatically upload all of your native contacts to the WhatsApp/Facebook server when you install the app, so that it can cross reference your contacts and enable you to call them using the app. While this might appear to be user-friendly in our social lives, in a corporate environment it is very different. If you use a corporate device in this scenario, you are effectively sharing other people’s personal details, without their permission.  This would be a contravention of GDPR, which could open up the business to potential fines of 4% of global turnover.  A heavy price to pay for simply using a ‘free’ app – not quite so free after all!

Fully Auditable mobile comms

While these consumer grade apps are encrypted end-to-end which provides some level of security for the contents of messages and attachments, that also means that the system doesn’t provide any capability to manage organisational and/or regulatory compliance. In essence, there is no audit facility for any of the communications that take place.  Whether you’re a CISO who needs to ensure your staff are adhering to FCA policies, or a financial advisor who needs to prove what guidance you gave to a high value client, the lack of an audit capability for your communications system is a major issue.  And as previous mentioned, you have no control over where your data is held, so the case against consumer apps quickly stacks up.

With an enterprise-grade, certified mobile comms app you get the very best of all worlds:

  • An easy to use product with all the functionality of a consumer-grade app
  • Complete control of your meta data
  • Complete control of your contacts lists
  • Attachments that are stored securely
  • Audit functionality – for reviewing all communications including voice calls
  • GDPR compliance

 

Contact us today for more details.

Posted on

Armour Comms’ latest version of Armour Mobile now available on Apple and Google stores

Armour Mobile v4.0

Armour Mobile v4 provides host of new features designed for the enterprise user, including faster authentication, secure voicemails and community whitelisting

London, 23 September 2019: Armour Communications, the leading provider of specialist, secure communications solutions, has announced that the latest version of Armour Mobile, Version 4.0, is now available for download from the Apple and Google app stores. The new version is a significant upgrade with a range of features that improve the user experience, including community whitelisting, secure voicemails and faster authentication. The improved usability and new features also make it easier and faster for IT departments to deploy and manage.

Armour Mobile connects multiple groups securely and transparently to end users, making it easy to communicate across different organisations for collaboration on joint projects. The improved community whitelisting feature within the app provides added security when adding a new secure contact (or conference number), actively checking the security community and retrieving the keys required to communicate with that contact. The new secure voicemail feature within the app lets the caller quickly record a secure voice mail or message, when the person being called has turned off their phone (or has no signal), that can be picked up as soon as the phone connects to the network.

The latest version of Armour Mobile v4.0 also includes biometric authentication (fingerprint and facial recognition), that can be used to start the app, avoiding the need for a password.  It enables rapid ‘auto’ provisioning of new users using secure QR codes or encrypted links within emails. Like the Armour Activation Card, the new activation methods are one-time use only.

David Holman, Director at Armour Comms commented; “Secure enterprise communications are becoming vital as phones have become a key business tool and users require confidence that company and competitive information is safeguarded.

“The latest version of Armour Mobile includes many additional refinements to make it more user-friendly, encouraging both adoption and use throughout the enterprise and making it easier for IT departments to deploy and manage. For example, faster authentication, secure voicemails, increased community and conference call security and added notifications for Burn Messages all make it easier to use – and provide confidence that company communications are protected.”

Armour Comms’ solutions for secure communications work on everyday smartphones, tablets and Windows 10 desktops. With the same usability as consumer-grade apps, and with significantly enhanced security, Armour Mobile supports voice calls, video calls, one-to-one and group messaging, voice and video conference calls, file attachments and sent/received/read message status.

Using a FIPS 140-2 validated crypto core, Armour Mobile has been awarded many other certifications including CPA (Commercial Product Assurance) from the NCSC and is included in the NATO Information Assurance catalogue.

Posted on

View from DSEI

It’s not just hardware that keeps us safe!

Once again we are at DSEI, where the defence industry meets and greets every two years. It’s always an eye-opener to wander around the exhibition halls, see the latest helicopters, armoured vehicles, protective clothing, and this year the new Tempest. People were queuing up to sit in the pilot’s seat and see for themselves its impressive heads up cockpit display that provides a huge amount of information easily digestible even while manoeuvring at high speed. Indeed, it seems we are only a small step away from the Firefox (early 80s movie starring Clint Eastwood, based on the novel by Craig Thomas), where the pilot flew the aircraft by plugging himself in. This week alone there were two articles in the Economist about AI and its role on the battlefield.

The rise of cyber warfare

All this serves to remind us, just how important data has become, not just in defence but in everyday life. Earlier this week we heard reports that policing is becoming more difficult because crime is changing. There are now many more fraud cases where victims are duped online, identities stolen, hacking, phishing and cyber attacks are rife. Social media is now being used by all manner of groups including nation states and freedom fighters/terrorists who use it to spread propaganda and fake news that can potentially affect the outcome of elections. The same techniques can persuade a city under siege to lay down its arms, or fans to buy the latest Taylor Swift album.

Is data the last frontier?

The huge importance of data and online technology is reflected at DSEI with the cyber security section growing ever larger each time we exhibit. While we don’t have large, intimidating hardware to show off, we’ve been getting a lot of interest because everyone can relate to the horror of having your personal, private or company confidential communications hacked. From soldiers on a tour to duty, to journalists in an unfriendly regime, to government officials discussing matters of state or business people sharing intellectual property, we all have information that we would rather did not end up with our competitors, or made public. In some cases this could impact national security.

Free apps – You’re the product!

In a world defined by an always on culture dominated by online interactions and global networks, it is still possible to keep control of your personal and business information. You can stay ‘under the radar’ but not by using free services. The old adage, that if it’s free, then you are the product, is never more true than with social media platforms and the various tools that those platforms own and control.

If you’d rather keep your communications private, contact us now to discuss how. [email protected]

Posted on

Armour Comms adds to family of secure mobile comms solutions with SigNet by Armour

SigNet by Armour

Market leading Mobile Comms security company previews new product line with 256 bit encryption at DSEI 2019

London, 06 August 2019: Armour Comms, the leading provider of specialist, secure communications solutions, is to preview a brand new product line at DSEI in September. The new solution, SigNet by Armour, provides secure voice, video, messaging, group chat, file attachments and MessageBurn (timed messages) with AES-256 bit encryption, with an on-premises option for total privacy and no auditability. SigNet by Armour provides the same ease of use as consumer grade apps, and will be available for Android and iOS devices and for use with Windows 10 and Mac OSX desktops. This new product line will run concurrently with Armour Mobile.

David Holman, Director at Armour Comms commented; “SigNet by Armour has been designed for use by those organisations, typically in non-regulated industries, that require absolute privacy where it is paramount to keep information completely controlled. For this reason it is based on a different technology architecture to our award-winning Armour Mobile. Going forward we expect to develop the two product lines in parallel, with customers selecting the technology and features that best suit their specific requirements.”

SigNet by Armour will be available as a Software as a Service (SaaS) product hosted on Armour’s secure cloud, or as an on-premises installation, and uses a peer-to-peer key management system. It uses the double ratchet algorithm with prekeys and 3-DH key management to  provide confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, backward secrecy (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity.

SigNet by Armour can be seen at Defence & Security Equipment International,

10 – 13 September 2019, ExCeL, London,

Stand No: N7-260

Posted on

QuoStar safeguards communications and prevents hostile interception of sensitive IP with Armour Mobile

QuoStar

 “Armour Mobile was the standout solution for its superior functionality, use and ease of deployment. The client’s communications are now secure and the cost savings from no longer requiring hand delivery of documents has been immediate and substantial.”

  • Simon Gadsby, Chief Operating Officer, QuoStar

 

QuoStar is an IT support and consultancy provider that specialises in businesses going through growth and change. When one of its international clients reported that it was experiencing network traffic interception from global threat actors,the team at QuoStar set about finding a solution to secure telecommunications.  Armour Mobile was deployed into the client’s environment and, upon seeing the benefits, QuoStar adopted the Armour solution to safeguard their own sensitive communications.

Business Drivers

QuoStar’s client required a high assurance communications platform for secure conference calls, messaging and document sharing across teams in multiple international locations. The client was keen to protect communications that were at risk of interception. To mitigate risk, documents were dispatched via personal courier services ensuring all documents were hand-held until reaching the final destination. This method was hugely costly, both financially and in terms of resources, with documents travelling by hand from country to country and across continents. A new solution was required that could:

  • Provide secure conferencing for numerous participants
  • Secure intra-company and company to company communications
  • Ensure calls and associated metadata are kept private
  • Protect data sent in messages, text or as attachments

 

The Solution

It was important for a new solution to be cost-effective, easy to use and incorporate advanced security techniques to ensure communications could not be intercepted or compromised. After assessing several solutions Armour Mobile was selected for its wide range of features and ease of deployment.

Armour Mobile hosted on Armour’s secure cloud was deployed providing a trusted platform for communications to be set up, enterprise-wide, within hours, followed by an Armour Mobile On-Premises solution enabling complete control of all meta-data. The Armour solution has enabled the client to benefit from economies of scale, savings associated with using VoIP technology, all in a secure environment. 

Secure collaboration

Conference calls and group messaging is an important part of how teams communicate within the organisation. Using Armour Mobile allows multiple users to collaborate securely utilising the same communications platform. New team members can be provisioned quickly, with no additional hardware required. The Armour Mobile app is downloaded from the app store onto employees’ existing handsets and IT provisions the user in minutes, providing the employee with a safe and secure channel of communication.

One of the major benefits of Armour Mobile is its ease of use for the end-user.  With all the functionality and user experience associated with consumer-grade apps, there is no need to for training as the app is intuitive to use.

“Armour Mobile delivers the secure communications, information management and ease of deployment that the client wanted. The additional in-app security, closed group communications and encryption of data in motion provides the flexible and highly secure communications platform that the client required.”

Business Benefits

  • Secure communications – calls are protected from the risk of eavesdropping and documents from interception by outside agencies. Armour Mobile encrypts data in-transit and at rest, rendering it unreadable, and therefore protected. Sensitive corporate information sent via message or text is protected in line with EU General Data Protection Regulation (GDPR).
  • Substantial cost saving – deploying Armour Mobile has eliminated the need for couriers to hand deliver documents across the globe saving thousands of pounds within the first month of deployment and providing an instant Return on Investment.
  • Improved efficiency and productivity – the ability to securely transmit documents has resulted in greater productivity and efficiency. No longer hindered by the time delays of documents being delivered by hand, colleagues can quickly share information without delay.
  • Improved data security, governance and auditability – providing assured safe and secure communications across international operations has improved information assurance and data management processes. The client is able to assure its stakeholders that intra-firm communications are secure, encrypted and private. 

 

Appreciation drove adoption within QuoStar

“Seeing the real-world benefits of Armour Mobile in operation at the client’s premises prompted a review of our own secure communications. The ease of use and functionality across the whole communications spectrum drove the decision to adopt Armour Mobile for use amongst QuoStar’s executive management team. This is a testament to just how good Armour Mobile is.”

Posted on

Media file jacking vulnerability found in WhatsApp and Telegram

File Jacking

Time lapse can be exploited to manipulate sensitive files for malicious intent

WhatsApp is back in the news following the release of new research by Symantec that reveals a vulnerability, termed ‘media file jacking’, that can affect WhatsApp and Telegram for Android. The security flaw allows malicious attackers to manipulate and modify media files such as commercial documents, photos and recordings in WhatsApp and Telegram based on the users’ settings.

The challenge of default settings

Android apps can store files and data in two storage locations: ‘internal’ and ‘external’ storage. Files saved to internal storage are accessible only by the app itself, meaning other apps cannot access them. Files saved to external storage – whether this is a generally-accessible folder on the device, or a public (e.g. cloud) folder –   can be modified by other apps or users beyond the app’s control. WhatsApp and Telegram may store media files in external storage (depending on user settings); this means that, devoid of any proper security measures in place, other apps with write-to-external storage permission can maliciously access and alter files. Effectively these apps place their root of trust in the storage medium rather than controlling the root of trust themselves.

End-to-end encryption is one part of the story

There is a common perception that instant messaging apps are immune from privacy risks and manipulation of attachments due to security features such as end-to-end encryption. Whilst end-to-end encryption is an effective mechanism it doesn’t stop the altering of files on external storage before or after the content is encrypted in transit. A user may innocently download an app unaware that it contains malware capable of manipulating files stored in external storage. An app that appears to be legitimate but is in fact malicious can intercept files, such as a PDF invoice file received via WhatsApp, then programmatically swap the displayed bank account information in the invoice with that of a malicious actor. Equally feasible (as described by Symantec) could be substitution of an altered audio recording giving fraudulent instructions, manipulation of an image or map for deceptive purposes, or even changing a Telegram channel feed to insert ‘fake news’.

Not all applications are created equally

Just as there is no such thing as a free lunch, the saying can be equally applied to applications. Data is a valuable currency and cyber criminals are in the business of quick and easy paydays. With any free app you don’t really know who has access to your information and because it’s free you don’t have any recourse. If you aren’t paying for the product, it means you ARE the product.

Employees should take security seriously but in the absence of a secure and easy to use app, people will naturally seek their own workaround solutions. Armour Mobile is a cost-effective and easy to use solution that works on everyday smartphones. With the same usability as consumer-grade apps, but with significantly enhanced security (secure message attachments are stored in the app’s encrypted database, i.e. controlling the ‘root of trust’ mentioned earlier) it could be the answer to your security needs. Contact us today to discuss a solution.

Posted on

Global phone carriers targeted by espionage campaign

David and Goliath

It’s not often that global telcos could be described as a ‘David’ in a ‘David and Goliath’ analogy, but that is exactly what we are looking at in the latest hacking scandal.

In a story that broke this week in El Reg https://www.theregister.co.uk/2019/06/25/global_telcos_hacked/ and CNBC https://www.cnbc.com/2019/06/25/hackers-hit-telecommunications-firms-cybereason.html, a long running espionage campaign has been waged by (it is alleged) the Chinese government against at least ten cellular telcos around the world.  While a telco might have a security team of 50 people, huge by comparison to most organisations, this is miniscule when compared to the resources of a nation state, hence the David and Goliath reference. The campaign, which has apparently been running for several years, has even involved VPNs being set up within the telcos’ own infrastructure so that the perpetrators could snoop more quickly and easily on their targets.  So the story goes, the campaign was aimed at 20 to 30 high value targets, and the snoopers were able to access hundreds of gigabytes of phone records, text messages, device and user metadata and location data for hundreds of millions of subscribers.

This is another reminder that you can’t necessarily rely on your telco or ISP to protect your data and metadata. This is not because they are particularly negligent or complicit, but simply that flaws in the old technology, that underpins most networks around the world, can be exploited by nation states with almost limitless resources.

If you don’t want to be tracked, if you want to keep your communications private, if you discuss company intellectual property or trade secrets that you don’t want your competitors to learn about, if you are a journalist, aid worker, or special/covert services operating in an unfriendly regime, you need to take steps to ensure that your mobile data is protected.

Watch this space for more on this story in the coming weeks.

Posted on

Royal Signals cyclist continues gruelling training schedule

A couple of months ago I reported that Armour Comms is proudly supporting Army Reservist Mark Howells.  We have now extended our support to include the whole cycling team of the Royal Signals.

Fresh back from training camp, Mark has been filling me in on his training schedule for the rest of the year – a budding team triathlete, this includes swimming as well as cycling.  Over the coming months he certainly has a packed diary, with events and qualifiers every weekend, including qualifiers for the Invictus Games.   As well as a few 100 milers (cycling) Mark will also be taking part in some criterium races (where participants race around a circuit, typically in a town), which tend to be fast and furious with a sprint finish.

We are very much looking forward to seeing Mark and the team in Armour colours, and wish everyone the very best of luck.

Watch this space for further updates.