Did you know that seemingly harmless chatter in public forums and phone calls is being mined by multiple parties?
People around the world continue to divulge sensitive information via certain chat apps and social media platforms.
Such information is constantly being mined and stored away for future reference by both cybercriminals and state-sponsored threat groups. In the era of hybrid working, people are also working around corporate rules about data and messaging security, especially when they are less bound to the office.
How serious is the threat of calls, chats and other communications being intercepted, mined for data and/or eavesdropped on? CybersecAsia.net hears some startling revelations from David Wiseman, Vice President of Secure Communications, BlackBerry.
CybersecAsia: What are the types of interception or espionage threats that South-east Asian governments and industries need to be aware of?
David Wiseman (DW): While cyberattacks and data breaches hit the headlines daily, other backdoors left ajar to malicious attackers are often overlooked. This includes the interception of phone calls and messaging apps used to share valuable information, potentially by a fierce industry competitor or state-sponsored threat actor.
For South-east Asian governments, some of the risks to be aware of include the following:
- Risks emanating from their own country that are developed from illegally deployed Stingray IMSI-catcher devices that can intercept cellular traffic (both calls and data). These devices have been regularly detected in cities around the world. In some cases, they have even been deployed by foreign governments, and in other cases by organized-crime groups. They should also be aware of international calls and messages placed from their home country to another and ensure calls from foreign networks to any home country number are protected. Recent events have called out the vulnerability of these traditional telephone networks, particularly from a mobile perspective, as well as the use of consumer apps on top of those networks.
- Next comes identity risk. How can people truly verify the identity of the person they are communicating with? Encryption of data streams does not protect communications from identity attacks. One should assume that all these records are captured and archived as they pass through a country’s network gateways.
- The third risk involves commercial and adversary metadata collection and mining. Threat actors do not have to know the content of the conversation to learn a lot of information. From a foreign adversary perspective, information like the order of battle and distribution of forces can be found in metadata. All cellular calls and data may be collected and analyzed by governments. To prepare for this risk, it is important to consider a government-grade, certified, end-to-end encrypted mobile communications system that provides full trust and control over transmissions — from the battlefield to the boardroom.
CybersecAsia: How should we prevent eavesdropping over international, public and private networks?
DW: One can never be certain who is listening, but it is safe to assume that multiple governments are. A notable, recent example would be the Russian troops that used unsecured smartphones that led to costly consequences in battle.
Such forms of eavesdropping could provide unwanted listeners with confidential or sensitive intel, result in spoofing and hijacking of identities of high-profile leaders (in both public and private sectors), and more.
To prevent identity spoofing, organizations should avoid using systems that allow consumers to publicly self-register without any form of identity verification. This includes consumer-grade systems like WhatsApp, Telegram and Signal. Instead, use a private communications network that ensures user activation credentials are shared in a secure manner — not through a regular text message.
The system would be staffed by a system administrator who specifically authorizes and manages user accounts. Identity checks are continually made for each call or message to confirm the device being used and ensure the user’s account is still approved in the system.
Therefore, the ability to perform continual evaluation and validation of users and devices every time a communication initiates is one of the best mitigation approaches.
CybersecAsia: How can organizations avoid metadata being collected for certain applications (regardless of secure encryption)?
DW: Metadata could include call detail records, message detail records, and message content. Organizations need to remember that the metadata itself is included inside of the securely encrypted packets. These packets are then decrypted at the system level to determine where to route the traffic to.
With this approach, metadata that identifies who is communicating with whom would be unavailable to external parties. The only piece of accessible metadata is that a particular device established a connection with a specific central IP address. The data itself can be further blurred by using secondary VPN tunnels and traffic obfuscation tools such as onion routing.
To have total confidence in their encryption systems, organizations should only consider solutions certified by governments around the world, including those that have been evaluated for use by National Security Agency-accredited independent labs based on approved National Information Assurance Partnership Protection Profiles.
To mitigate the risk of losing control and ownership of their metadata, organizations need to ensure they maintain full customer control over the metadata collected, but also full control over who has access to it.
CybersecAsia: What are some ways to ensure sensitive communications remain safe when employees are able to think up workarounds in their communications?
DW: Certain messaging services are being intercepted at rates never seen before. The ‘work anywhere’ movement now adds further to the threat, with government employees messaging and calling from any place, time or device. Governments cannot afford to compromise security for flexibility.
To prevent ‘workarounds’, it all depends on how willing an organization is to insist that all sensitive communications be done through an approved system. One option is to provide employees with devices that only allow access in the proper manner; however, if employees want to, they will still try to use other non-compliant ways of communication, including their personal phone and consumer apps.
One way to avoid employees carrying a second ‘Frankenstein’ phone around for secure communications is to deploy specific call-security apps on phones already in the hands of employees. Such an app can then encrypt and secure one-to-one and group voice calls, messages, file exchange and group chats across international networks, in a low-friction way that makes it far easier for staff to comply with the use of approved systems.
CybersecAsia thanks David for sharing his insights with readers.