The Hancock Saga – Exactly how NOT to manage sensitive information

Whose data is it that was leaked to the press – were they personal messages, or was it Government information?

The latest story of leaks to the press involves a “hapless” and “controversial” Matt Hancock, former Secretary of State for Health and Social Care. Having commissioned a high-profile journalist, who was known to be critical of the government’s handling of the pandemic, to ghost write a memoir of his time in office during the pandemic, he was then surprised when said journalist leaked supposedly private WhatsApp messages, despite a confidentiality agreement.

Someone in his position should know that there is no such thing as ‘off the record’ when dealing with journalists.  If you don’t want them to write it, don’t tell them!

Whatever you think of Hancock – an article in the FT, ‘The tragedy of Matt Hancock’, described him as mainly “annoying” – this case does highlight some extremely important aspects of managing information, and more specifically, Government information.

Whose data is it anyway?

While the precise definition of “public record” is open to interpretation, such records do include  “…‘not only written records, but records conveying information by any means whatsoever’ – so including electronic documents, emails, social media and databases…” so whether Hancock’s messages were sent via an email, or via WhatsApp, they could be construed as Government data, and so, part of the Public Record.

Question: If they were sent from a Government-provided device/mobile, no matter via what type of app, are they Government data?  One would think so!

Question: Would you be happy if you thought that messages you’d sent to a work colleague expecting them to remain confidential, were subsequently shared with a third party without your permission?

Question: Should someone be making huge profits off the back of data they acquired while in a privileged position, serving the people of this country?  It seems unprofessional and inappropriate to most people.

For example, the Civil Service code is quite clear that one must not “misuse your official position, for example by using information acquired in the course of your official duties to further your private interests or those of others” nor “disclose official information without authority (this duty continues to apply after you leave the Civil Service)”.

The danger of the current slipshod manner of handling such Government information calls into question another important issue – Ministers should be able to discuss policy matters frankly, in private, without fear that their conversations/messages will be leaked. Yet such private discussions keep being leaked – this has happened repeatedly, for example Hancock conspiring with Dominic Cummings while Cummings, after being forced out of Downing Street, shared WhatsApp messages where the then-prime minister Boris Johnson criticised Hancock as hopeless. As the saying goes… “What goes around comes around.”

Protecting Government data

There is no doubt that consumer messaging apps are easy to use.  But when discussing important Government policy, or any other sort of sensitive information, surely more care should be taken of how and where these discussions take place.

There are built-for-purpose apps available to Government, that are approved for handling classified information.  Armour Mobile is every bit as easy to use as a consumer-grade app, with a whole host of useful additional features for protecting information. There really is no excuse for the current saga involving Hancock’s messages, which is damaging to the reputation of the British Government.

Having your Cake and Eating it – Remote Message Wipe and Audit

Armour Mobile provides a secure alternative to WhatsApp and any other messaging app that does not have centralised control over its users.  Armour Mobile messages can be set by the user to automatically delete at a set time either after the message has been read or after it was sent, leaving no trace of the message behind.

In addition, a central administrator can set retention limits so that all messages automatically delete after a set amount of time, for example, one month.  Does anyone need to keep messages beyond a certain point?  Not unless they are planning to write a book of course!

Finally, if a phone is lost, stolen or compromised, or an employee leaves the organisation, the data held within the Armour app can be remotely wiped by an admin, therefore minimising the risk that sensitive data could be exposed.

Preserving the Public Record

While Armour Mobile securely protects messages, documents, voice and video calls both over-the-air, and also when at-rest on a device, Armour is also able to provide an archive and audit option, ReCall by Armour. If this additional module is enabled on an Armour Mobile system, copies of the encrypted communications can be saved to a secure environment, where only specially approved administrators can decrypt specific messages or conversations, whether for legal compliance purposes or to store as a “public record”.

This means that the contents of any conversations within Armour Mobile can be managed centrally, and removed from devices remotely, while still ensuring a copy is securely saved, should it need to be audited at a later date.  Using such a system, ministers and civil servants can debate policy, argue, bicker and name-call to their hearts’ content, safe in the knowledge that the contents of their discussions are protected centrally, with no copies hanging around afterwards that can be passed retrospectively to third parties… or appear in someone’s memoirs!

Whether the messages were taken out of context, whether the journalist had an axe to grind, whether Hancock was naive and/or incompetent is actually irrelevant. Government data such as this should have been properly protected.

Lessons for Enterprises that don’t want to air linen (dirty or otherwise) in public

It’s easy to bash politicians because they are in the public eye, and when they fall from grace they do so with plenty of noise.  However, there is a lesson to be learnt here for every enterprise and every business person.

Ask yourself – what conversations/chats do you have on your mobile residing in a messaging app that could cause you embarrassment should the wrong person see them?

Now ask yourself what conversations and information might be on your employees’ phones that could do your business damage should they be exposed?

Every enterprise has some intellectual property to protect; every HR department discusses the relative merits of job candidates; managers and supervisors discuss the performance of people in their team; sales people discuss sensitive details of negotiations to close a large deal.  All of this information could cause financial loss, be deeply embarrassing if leaked, lead to loss of reputation, breach GDPR and attract huge fines, or at worst, could jeopardise the entire business.

When considering the predicament an ex-minister finds themselves in, ask yourself whether it could be you or your organisation next?

Contact us today to make sure that the things you want to keep secret are securely protected: https://armourcomms.com/contact

Signal may abandon UK users

The perils of using consumer grade apps for business

Last week it was widely reported (https://www.bbc.co.uk/news/technology-64584001)  that Signal will leave the UK market if the Online Safety Bill, introduced by Boris Johnson and currently going through Parliament, undermines encryption.  This would leave hundreds of thousands of users looking for an alternative secure messaging service.

The Online Safety Bill, critics say, means that companies could be required by Ofcom to scan messages on encrypted apps for child sexual abuse material or terrorism content under the new law.  Apple tried to address the same issue a couple of years ago, where it proposed introducing new scanning software to detect Child Sexual Abuse Material (CSAM) on people’s iPhones.

No one would argue that cracking down on the peddling of CSAM and the apprehension of terrorists is anything but a good thing. However, in this case, the method was called into question because it introduced a security and privacy weakness in Apple’s operating system, that previously enjoyed a robust reputation. It doesn’t take a huge leap of imagination to see how this type of well-meaning surveillance could be appropriated for more political or sinister purposes.  Indeed, there was such a degree of public outcry that Apple deferred the launch of the service.

As the BBC coverage comments, it is ‘magical thinking’ to imagine that online privacy can be maintained for the good guys, but not the bad guys!

Signal is a well respected service and indeed, our own SigNet by Armour entry-level enterprise service is based on Signal technology. However, this latest story brings into question the wisdom of using consumer-grade apps for business.  If you use a free service, you are at the whim of the supplier.

This also highlights the reasons to use an enterprise/government/military grade solution for secure communications and collaboration. In subscribing to a professional service, such as those provided by Armour, you benefit from the following:

• Hosted or on-premises options for complete control of your data and metadata

• Central management of users with easy provisioning and equally easy revocation

• Access to, and potentially input into, the roadmap of product development

• Bespoke development capabilities to handle unique/complex requirements

Contact us today to find out how Armour Comms can help your organisation to manage secure communications more reliably.

Well this is a nice surprise!

Armour recognised in the Tech200 – an annual list of the top 200 fastest-growing technology companies in the public sector

We love to receive an award, and we’ve won our fair share over the years.  However, this one is all the more exciting as we weren’t expecting it.  The first we knew about it was when we were contacted to check our address for the award  – which has just arrived in our mail room.

So not only has Armour Comms been listed in the Tech200, which is the top 200 fastest-growing technology companies in the public sector, we were ranked at 17th.  The list, now in its second year,  is compiled by Tussell in association with techUK, and is based on data from Tussell’s market intelligence platform.  This means that the ranking is based on, according to Tussell: “…a purely fact-based, unbiased analysis of the fastest-growing tech firms – completely uninfluenced by any sponsors or the interests of individual companies or organisations.”

Read more here: https://www.tussell.com/insights/what-is-the-tussell-tech200-2022

We are naturally delighted to receive this award as recognition of our continued commitment and success in working with UK public sector, and helping to ensure that sensitive communications are kept secure and protected.

Armour Comms sees another successful year with over 50% increase in customer orders

Growing markets for secure conferencing and archive and audit products gain traction for Armour Comms product portfolio

London, UK, 31 January 2023 – Armour Comms has completed another successful year which saw an increase in customer orders of 54%.  Armour also further developed relationships with key industry partners, most notably two new major defence contractors.

David Holman, Director at Armour Comms, stated: “Despite a challenging business environment, we have once again improved the financial standing of the company in 2022. We have seen continued support from existing customers, as well as many new named contracts, including strategic investments from the defence sector.

“We are extremely positive for the coming year as our enhanced product portfolio is gaining traction and with several exciting new developments soon to be announced.  In addition, we have further cemented relationships with partners including two influential defence contractors which will make a significant impact on our ability to deliver large deployments.”

Plaudits for Armour Comms

As well as a financially successful year, Armour has continued to gain increased industry recognition with the following achievements:

• Unity by Armour was named Best Communications Security Solution in the SC Awards.

• Armour Comms was judged a ‘Leader’ in Secure Comms by a prominent industry analyst appearing in the top right hand corner of the analyst’s sector graph.

• Armour Comms was selected for the ‘Scale’ stream of the government-based Cyber Runway accelerator.

• Cyber Essentials Plus was added to Armour’s long list of industry best practice standards achieved

• ISO 27001 maintenance audit passed with flying colours

• Early in January 2023, Dr. Andy Lilly, CTO of Armour Comms was voted onto the techUK Cyber Management committee.

Product Innovations

Product innovation continued apace, with two significant product streams added to the Armour product portfolio:

• Unity by Armour – secure conferencing that confirms and safeguards user identity and protects against ‘uninvited’ attendees (zoom-bombing).

• Recall by Armour – archive and auditing capabilities for regulated industries that need to retain proof of communications/conversations, while ensuring that they remain highly secure.

Both Unity and Recall have gained significant traction within the client base.

In addition, major developments for the core products have continued throughout the year, enhancing Armour’s capabilities for large and complex deployments as well as providing a raft of end-user features that provide a truly superior user-experience when compared to consumer-grade alternatives.  Highlights include:

• Armour Core v5.x which includes Kubernetes capabilities and the ability to deploy remotely and at scale for large enterprise users (10,000+ users)

• A technology preview of the new Configuration Management System which provides management of data within the Armour ecosystem, even on BYOD phones, without the need for an MDM solution.

• SigNet v3.x which includes secure group video calls and increased capabilities for enrolling and managing users, making it even more useable for entry-level direct WhatsApp replacements in enterprise environments.

Armour CTO appointed to techUK Cyber Management Committee

We are delighted to announce that our very own Dr. Andy Lilly has been appointed to the techUK Cyber Management Committee. Andy joins 25 others, all of whom were voted for by techUK company members.  This techUK committee will set the strategic vision and priorities for the Cyber Security Programme, helping the programme to engage with government and senior industry stakeholders over the next two years.

Andy said: “In a hyper-joined up world, effective cyber security relies on collaboration between government, vendors and end-users to provide a good user experience. I’m looking forward to working with the rest of the committee members to make a real difference in cyber security policies and developments that will have a positive impact across all areas of cyber use, in line with our UK National Cyber Strategy.”

For more information about techUK and the other committee members please visit: https://www.techuk.org/cyber-security-programme/cyber-security-management-committee.html

Wickr Me is closing – Now what?

AWS has announced it has closed Wickr Me to new registrations and will phase out the service by the end of this year. AWS’ aim is to move users to a paid for platform. This is unsurprising as AWS will be looking to recoup its (undisclosed) investment in Wickr as it moves into the communications space.

As we’ve extolled many times in the past, free apps should have no place in enterprise communications.  If you want good security, without the risk of your data being mined for marketing purposes or sold on to third parties, then as a business, you should be prepared to pay to ensure you have control of your data.

So far, so good.  However, for many organisations, suddenly being faced with a bill for something that was previously ‘free’ is a catalyst for all sorts of budget and procurement conversations. If something is ‘free’ people are generally prepared to put up with issues, however, when paying for a service, you might as well get something that is as good as it can possibly be for the budget spent.

Analyst reviews indicate that AWS/Wickr Enterprise, while flexible, lags behind other comparable products for both manageability and features.

With published prices starting at $5 per user per month for a basic package, rising to $15 per user per month for a more comprehensive service, and a ‘please call for more details’ message for on-premises options, Wickr is no longer a cheap option.  Indeed, we have been approached by several organisations who have been quoted eye-watering amounts for continued use of the service.

Armour Mobile and SigNet by Armour provide a range of options suitable for most use cases, at about half the cost quoted to some security conscious organisations we’ve heard about, while still providing data sovereignty and supporting compliance with GDPR.

For more information about how to plan your organisation’s migration from Wickr, contact us today.

Ex-PM’s phone hacked, allegedly

How to make a standard mobile secure enough for business use even when handling sensitive information and intelligence.

As Dan Sabbagh rightly points out in his article in the Guardian on 30 October 22, “mobiles are inherently insecure”. He also opens with the very sensible line: “We may never know just what happened with Liz Truss’s mobile, but it’s clear that ministers need to up their security game.” https://www.theguardian.com/technology/2022/oct/30/liz-truss-mobile-inherently-insecure-surprise-british-politicians-ministers-security

Another security foul-up

This most recent high profile ‘security foul-up’ story is yet another reminder, if we needed any, that everyone relies on their mobile phones, and with familiarity comes contempt. Contempt for security and privacy, of our own data as well as business information, and in this example, information that could affect national security.

Furthermore, it has been widely reported, including by the BBC (https://www.bbc.co.uk/news/uk-politics-63442813), that something happened during the summer when Liz Truss was Foreign Secretary, necessitating a new phone number and a replacement government-issued handset. And if you’re a world leader who can’t be separated from your personal phone because you’re tweeting all the time, then the potential security concerns are pretty obvious, as we outline in this blog from a couple of years ago: https://www2s.armourcomms.com/2018/06/05/ss7-vulnerability-still-going-strong-near-the-white-house/

In fact, calls and other communications involving classified or sensitive data CAN be made safe on ordinary mobiles using appropriate software. Although, if the user is deliberately subverting security, or determined to leak data to malicious actors or commercial competitors, security has a much tougher job.

Securing comms on standard mobile phones – it CAN be done, quite simply

For everyone else, apps like Armour Mobile (or SigNet by Armour) can enable secure comms via a standard phone. Something that most business-people, and presumably most ministers/politicians would prefer, as it avoids the need to carry two phones.

Great user experience – fast to deploy

As well as providing a user experience every bit as engaging as a consumer-grade app, Armour Mobile is Secure by Design and Secure by Default, based on our many years of working with the UK’s National Cyber Security Centre (NCSC). It is easy to download from the appropriate app store, and user provisioning (set-up) is controlled centrally, so that only invited, known, trusted (or indeed, vetted) users can join a community.  This is in stark contrast to a consumer app, which anyone can use, and if you know someone’s mobile number, you can contact them – opening the doors wide for a whole range of phishing and social engineering attacks.

Be certain who you are talking to

All communications via Armour are protected within the app, and can only be shared with trusted colleagues in the same or a federated allow list (community of known users), ensuring that users are communicating only with who they intended to communicate with. (This blog explains just how easy it is to spoof a call, and what you can do to prevent it: https://www2s.armourcomms.com/2018/02/27/are-you-talking-to-me/)

Using Armour Mobile, people, including ministers, are able to share sensitive documents and have privileged discussions, safe in the knowledge that their conversations will remain private. Details of all communications, be they voice, video, message or attachment, including associated meta-data are stored securely, preserving data sovereignty.

Engaging bolt-ons – Secure collaboration

In addition, Armour Mobile also has some useful bolt-ons that enable secure collaboration, such as Unity by Armour for secure conferencing and Recall by Armour for audit and archive. Again, all data is held within the app and on designated servers either on a secure cloud, or on-premises, ensuring that you know where your sensitive data is held at all times.

There’s really no excuse for using insecure, easily hacked, easily spoofed consumer-grade apps for sensitive business communications. If people in your organisation are still using consumer communication apps for business, it’s time to contact us and start the clean-up operation.

Sales@armourcomms.com

Cryptographic authentication critical to fight deepfake & ID fraud

Part of TechUK Cyber Security Week

Dr. Andy Lilly, CTO of Armour Comms, explains how secure comms is vital for proving identity when exchanging sensitive / valuable information

The first few weeks of a new prime minister have shown the importance of getting communications right, be that the message, the media or the timing. In business, the speed that negatively received messages can go viral has been supercharged by social media. Now think of the potential issues if those communications could be hacked, tampered with, or faked.

The rise of deepfake technologies capable of manipulating video and audio into totally believable corporate communications means it is increasingly critical to know that you are communicating with the person you think you are.

Deepfake fraud is here, now

There are an increasing number of real-world examples of ID fraud and deepfake scams. Over three years ago the Head of a UK subsidiary was tricked into transferring €200,000 to a Hungarian supplier on the instructions of the CEO of the German parent company. In reality, the conversation took place with an artificial intelligence (AI) equipped criminal gang using deepfake software to mimic the German Chief Executive’s voice patterns.

The software was able to perfectly impersonate the voice, including tone, punctuation and German accent, completely fooling the head of the UK subsidiary. The call was also accompanied by an email, supposedly from the CEO reiterating the payment instructions.

It’s no longer enough for organisations to protect sensitive corporate information and intellectual property, such as pricing, product formulas, research, customer lists, etc. It is vital that identities are also safeguarded and remain trustworthy.

Can you really trust video and audio?

Although we have seen deepfakes imitate celebrities and public figures in video format, it’s an endeavour that still takes hours of footage to achieve. Being able to fake voices convincingly takes fewer recordings to produce and with greater computing power will become easier to create. It begs the question: can voice recognition be relied on as an accurate form of identity verification?

In the future, deepfake audio fraud is likely to be highly exploited in criminal activity. As the technology continues to evolve, it will become increasingly difficult to distinguish real audio from fake. If you want to ensure authentication of identity you need to use a seriously secure mobile comms service.

Help is out there

Solutions such as Armour Mobile use MIKEY-SAKKE identity-based encryption to secure multimedia services. This enables secure voice and video calls, voice and video conference calls, one-to-one and group messaging, and sending file attachments. The solution ensures that the parties exchanging calls and data are who they claim to be (hence the term “identity-based”). Armour offers several secure communications products with closed user groups, protecting you against fake contacts from external hackers (these systems can run on your own servers for total sovereignty for data and metadata).

The MIKEY-SAKKE protocol uses identity-based cryptography and is designed to enable secure, cross-platform communications by identifying and authenticating the end points. It is an efficient, effective and NCSC-accredited protocol for building a wide range of secure multimedia services for government and enterprises.

Get prepared… now

Deepfake scams may well have arrived but there are proven tools to identify the real from the fake. These help prevent fraudulent activity by enabling secure collaboration between trusted colleagues. Communications can be conducted within a closed user group and only trusted parties added to the system can call and message others. So, when discussing commercially sensitive information such as corporate intellectual property, financial transactions, and customer details, you need to know you can trust your communications.

Prepare your organisation now. The fakes will only become better as AI advances. If trust evaporates, business will become untenable.

For more information about MIKEY-SAKKE visit:  https://www.ncsc.gov.uk/articles/using-mikey-sakke-building-secure-multimedia-services or: https://www2s.armourcomms.com/

Secure comms are vital for business resilience & data protection

Part of TechUK Cyber Security Week

David Holman, Director of Armour Comms explains why an independent secure comms channel is particularly crucial when recovering from a cyber attack

Cyber threats are wide ranging

Every enterprise, great or small; every public sector organisation, national or local has sensitive information crucial to operations. It is imperative that this is protected. From customer lists, to employee data, corporate intellectual property and commercial secrets, a cyber breach could prove catastrophic.

The UK Government’s Cyber Security Breaches Survey 2022, updated in July, provides a snapshot of the cyber threats faced by UK organisations each year. 39% of organisations identified a cyber attack, and of these 83% were phishing attempts. One fifth were sophisticated attacks including denial of service (DDOS), malware, ransomware etc. A third of businesses are attacked every week. One ray of sunshine is that 80% of boards recognise that cyber security is an important issue.

Are your communications about attacks secure?

Secure mobile communications play an increasingly important role in protecting sensitive data every day. Less well understood is their role in effectively responding to, and recovering from, cyber attacks. It is imperative that a secure comms channel can be used for the organisation to communicate without the hackers potentially eavesdropping. Don’t rely on the very channels that have just been hacked, because your adversaries will be monitoring them.

Are the hackers listening in?

It is very common when hackers have compromised a system for them to watch for the responses from the IT resources tasked with countering their attack. Typically this includes monitoring and subverting any communications channels the IT team are using, including voice calls, email or messaging apps. It is not unusual for hackers to send spoof messages to try to assess just how well the IT team understands the nature of the attack, to capture updated passwords or other changes to security, and prevent key security messages from being delivered.

During the initial investigation phase of a cyber attack it is difficult to know what systems have been compromised, so it is best not to rely on any of them, if possible.

Safeguard your comms with an independent secure channel

By protecting the communications of the IT and digital forensics team, you are blocking a very useful source of information from being intercepted or modified by the hackers. In addition, by using a secure communications platform, such as Armour Mobile or SigNet by Armour, and having the secure comms hosted by a third party, you are further isolating the IT team’s comms from the potentially compromised systems that they are trying to recover.

Even on BYOD devices

In addition, enterprise-grade secure communications apps like those provided by Armour Comms can also be used on BYOD devices. All information is sandboxed within the Armour app, meaning it can’t be shared, deliberately or otherwise, with anyone other than trusted colleagues in the same secure group, keeping sensitive information protected. After the incident has been dealt with, information can be securely wiped.

For third party ‘blue teams’ brought in to handle such hacking situations it makes perfect sense for them to bring their own secure comms solution with them – and this is a question that you should be asking any would-be supplier when tendering for such services.

Armour is now working with a number of organisations that can provide specialist technical consultancy and cyber advisory services, from penetration testing and assurance, to incident management and response, and technical security research.

Of course, Armour’s apps can also protect all your organisation’s sensitive communications, from the board room to protecting your teams when travelling overseas.