WhatsApp hack highlights dangers for business
The communications industry is calling for organisations to stop using consumer-grade, free apps when handling sensitive or commercial information. For people with jobs where security is paramount, for example, journalists, humanitarians, activists or special services working in unfriendly regimes, a phone that has been hacked via an app could put life at risk. For others, the risk of individual’s private information or commercial data being accessed will damage an organisation’s brand integrity and share price. This comes after WhatsApp was recently targeted by cyber criminals.
Daniel Follenfant, Senior Manager Penetration Testing, Consulting Services NTT Security commented, “The hacking of WhatsApp’s messaging service is a classic example of a Buffer overflow attack.
Buffer overflows aren’t new, but you don’t often see them these days and this attack is particularly clever because it uses this flaw to gain access to a phone without the user even answering.
In its simplest form Buffer overflows are a way of writing code to an area of the application in memory that will then be executed. The WhatsApp exploitation resonates the classic but more sophisticated buffer flow attack. To carry this out the attacker had to deceive the receiver by making a call and then send the sending packets of data during the process of the call- once the packers transfer are complete; the packet execution forces what’s app internal buffer to overflow, overwriting the apps security and allows surveillance capability on encrypted chat, eaves drop on calls and microphone and control the camera.
There is nothing you can do about this; it is a design flaw and WhatsApp has quickly addressed the problem by releasing a patch for applications already running and the new versions do not appear to be susceptible.”
David Holman, Director at Armour Comms said; “This latest case of a serious vulnerability in a consumer-grade app highlights the dangers of using free apps, and that they are simply not robust enough for business. While such apps claim that they are secure because they are encrypted, there is so much more to security than just encryption. Encryption is rarely the weakest link, and therefore, unlikely to be targeted by hackers.
“While this particular exploit may have been to target people with specific jobs, there are various other everyday hacks that can be executed relatively easily by low level criminals against these types of product that put users’ data at risk. Breaches of GDPR are a risk to every type of business and come with significant fines.”
In 2018, German automotive supplier Continental AG banned its workers from using the messenger services WhatsApp and Snapchat on company phones, due to concerns about GDPR compliance and general security.
Holman continued; “These free apps proliferate by stealth through organisations, unless firms take positive action, like in the case of Continental AG last year. There are enterprise-grade apps available that provide the same convenient user experience of consumer grade apps, while keeping the user in control of their data and metadata. Some of these apps, like Armour Mobile, have been certified by the National Cyber Security Centre (NCSC), so users can be confident that the software is secure by design.”
Dan Boddington, Systems Engineer, StarLeaf commented “The latest WhatsApp exploit is an extremely severe security hole. Despite instant messaging becoming a growing part of our culture of communication, social platforms are often unwisely used for the businesses. This example clearly demonstrates that there are many organisations aggressively hunting for flaws in consumer applications for commercial gain and for use by third parties. Consumer apps are not designed for business usage. Therefore, it is the responsibility of every employee to only adopt the right solutions to minimise risk and protect users’ data (company & customer). Secure messaging specifically engineered for the enterprise enables a more mobilised workforce to meet and message more effectively, as well as remain data compliant.”
These issues are discussed at length in a recent episode of Comms Business Live where WhatsApp was referred to as a “Time bomb” for businesses.
Industry: Unified communication news
- Architect | Cyber Security | Public sector Permanent
Architect | Cyber Security | Public sector Permanent Seeking a Security Architect with Public Sector / Cloud Security experience for a lead technical role. Public sector security architecture design experience essential. (MoD) Current project experience delivering HLD / assurance of computer networks / build evaluations. Active Security clearance required. If you are open to hear about a new / exclusive opportunity where you are interested to be more than a number in a company reach out to team today. Chris.email@example.com 07884666351
- CIAM Architect Azure B2C
We are seeking a highly skilled and experienced Azure B2C CIAM Architect for a contract starting on Jan 2024. As an Azure B2C CIAM Architect, you will be responsible for designing, implementing, and deploying an new Azure B2C Solution . Responsibilities: Design and implement an Azure B2C-based CIAM solution that meets the needs of our clients organization. Maintain and support the Azure B2C-based CIAM solution. Provide training and support to our employees on the use of the CIAM solution. Background designing, implementing, and maintaining CIAM solutions. Experience with cloud-based identity and access management (IAM) solutions. Experience with OAuth, OpenID Connect,and SAML. Excellent written and verbal communication skills
- Senior IAM Consultant
- Upto €110,000 depending on level of position
Senior IAM Consultant is needed to help lead and deploy IAM Projects for this expand IAM Consultancy The ideal candidate will have a deep understanding of IAM concepts and technologies, as well as experience in deploying and managing complex IAM solutions. Responsibilities Lead the deployment of IAM solutions for our clients Work with clients to understand their IAM requirements and design solutions that meet their needs Configure and implement IAM solutions using best practices Integrate IAM solutions with other enterprise systems Provide training and support to clients on the use of IAM solutions Stay up-to-date on the latest IAM technologies and trends We are looking for an experieneced IAM Consutlatn with: Strong understanding of IAM concepts and technologies,including identity lifecycle management,access control,and authentication Experience in deploying and managing complex IAM solutions Experience with IAM products and solutions,such as SailPoint,One Identity Manager,and Azure Active Directory Excellent communication and interpersonal skills Ability to work independently and as part of a team Fluent in German Candidates witll need to live and have the right to work within Germany to be considered.
- Security Architect - SOC Design - Outside IR35 London. SC / DV cleared
- Outside IR35
Security Architect - With in-depth SOC Design experience needed for Outside IR35 London. SC / DV cleared. 6 month rolling Immediate Experience delivering technical Security Architecture design / assurance of security design with mobile network experience. HLD / LLD Current SC Clearance a must. Willingness to undertake DV. London 3 days a week Immediately interviewing.