
teissTalk: What can the arms race with the attackers teach us?

On 17 November, teissTalk host Geoff White was joined by Steven F. Fox, Deputy CISO, Policy & Program Management, State of Washington; Jamie Moles, Senior Technical Marketing Manager, ExtraHop; Adam Gordon, Edutainer & SME, ITProTV; and Troy Stairwalt, Vice President & Chief Information Security Officer, Akron Children’s Hospital.

 

 

Views on news

 

MPs have been told their phones are a “potential goldmine” for hostile states who are targeting them to influence democracy in the UK.

 

The advice came from the National Cyber Security Centre (NCSC), accompanied by a letter from Speaker of the House of Commons Lindsay Hoyle telling colleagues that only one person’s phone camera or microphone is needed for everyone in a room to be compromised.

 

MPs were advised to limit the amount of time messages were stored on their phones, to review their privacy settings to limit apps’ access to their microphone or location data, and to disable message previews. The mobile security of top politicians in the US is somewhat more advanced than in the UK. President Biden, for example, is not allowed to have his own mobile phone, only a specially commissioned device. Blackberries, the devices politicians used previously, were actually rather secure compared to smartphones. Mobiles also can’t be secure because they are never turned off, and their microphones and the contents of their internal storage can always be accessed.

 

Before Covid, 75% of US citizens used their own mobile for work, a figure that must be much higher now. Applications downloaded to secure mobiles have to be approved by a mobile device management programme.

 

Is end-to-end encryption impossible to breach?

 

The story of the Pegasus spyware is further evidence of how mobiles can be exploited to collect intelligence, and there are currently about a dozen similar software offerings on the market. A mobile can easily fall victim to jailbreaking, when malicious actors download spy software on it. (Mobiles were disposed of in Troy’s company whenever their owner returned from a trip to China, as burning down the operating system and rebuilding it wasn’t sufficient to mitigate the risk.)

 

WhatsApp, Signal and Telegram are the big three private communications systems that use end-to-end encryption, which makes them popular with politicians for confidential chats.

 

However, if you are on one end of the conversation, you can snarf the encryption key from memory and grab data through, for example, a false access point. According to research, 10 Downing Street was spied upon by Pegasus in 2020-21, possibly by the UAE. As mobiles have no end-point protection or detection at all, their owners wouldn’t even know when they have been compromised.

 

 

The panel’s advice

 

Employees, and people in general, need to be trained not to share confidential information on their mobiles, especially not in public places.

 

Bar mobiles from meetings.

 

Make sure you don’t share an excessive number of cyber security stories and breaches with your C-suite, as they can get in the way of effective communication with them about threats and budgets.

 

Don’t just deliver news of breaches, but ask yourself who actually cares about it. Give top executives the bit of the news that will spur them to do what you want them to.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543