In this interview, we spoke with Stefan Ćertić, CTO of ETalc Technologies, about the mobile security industry.
Stefan has spent over 15 years working as CTO and Lead Consultant with some of the leading mobile companies across the world.
Here Are His Responses To Our Questions:
1. Question: Over the years, you have garnered practical experience in the mobile and security industry. How has the journey been so far?
At the very beginning, it's important to properly understand the challenges of the mobile industry. It was a matter of a single decade between an environment in which mobile communication was expensive, and therefore exclusive to a small group of high-grade individuals who could afford it and out of reach for the wide consumer market, and where we are now: everyone carries at least one, if not more, devices in their pocket.
Huge demand required rapid development, which comes with the price tag of a heavily unregulated market, making it one of the most significant security concerns. Technology developed far faster than national or international regulators could follow. Vendors were put in a position to come up with solutions overnight to support the business, and lucrative businesses emerged on every corner.
By early 2013, the initial topology flaws were expensive to address, as they required infrastructural changes. Simply put, the network protocols were not designed to support that number of users. SIGTRAN, on one side, managed to cut the significant leased-link costs of roaming partners by simply tunneling SS7 (STP / SCTP) through the regular Internet, compared to those old ladies E1/T1 (kids are unlikely to remember them).
It was a huge boost for revenue, but we saw an emerging number of cyber-attacks utilizing SRI / PSI / ATI MAP commands, back in the day exclusive to legitimate government use. And that's what happens when you close one eye to cut costs and boost the economy.
We were in a situation of finding both active and passive IMSI catchers everywhere. I could confidently say it went out of control on a global scale. Someone needed to speak out loud within the academic and professional community.
Hopefully, I managed to help a bit by publishing that famous 2FA vulnerabilities research paper and demonstration, as well as remote SIM cloning, leading to strong debate within the GSMA back in the day.
Quickly after, a lot of smart solutions were incorporated. Home Location Registers were not returning the IMSI anymore; we witnessed the birth of the TMSI. It was a good sign that we started investing in security. With the recent Diameter implementation, more flaws were addressed. We are far from being 100% secure, but you know the saying:
"Security is always treated as an unnecessary expense till you get a breach. Suddenly everyone is raising the question why no one predicted it." Mobile security is no exception.
2. Question: In your opinion, how successful has the fight against web vulnerabilities been?
You know, it should be treated as a chess game. You need to analyze a few steps ahead before saying EUREKA. Back in 2014, Google announced that SSL/TLS-encrypted web communication would translate into a positive signal in search engine ranking. In the following years, the SEO race got us to a point where the majority, 51.8 percent of websites, now use SSL. That's a cool thing, fighting the most widespread attacks through sniffing.
Well, before you say EUREKA, remember that for an average ice cream store owner it was difficult to think about cryptography. Hence a few SaaS providers emerged with the proposition "Point your name servers to us and let us do it for you". It was a warm welcome. Nowadays your ISP or "a guy next door" can't decode your surfing data or passwords through Ethernet or Wi-Fi sniffing.
But on the other side, we have companies serving millions of sites with a single centralized place where these private keys are stored. Did we change for better or worse? One thing is for sure: we moved the point of attack. Now you don't need a suspicious van in front of your house; everything can be done from the comfort of the office ☺
3. Question: What are the threats associated with exposed personal information?
You don't need to ask me twice, lol. It's an analysis of social habits building a fingerprint as accurate as DNA. These two things are likely the only ones you can't change.
You decide to become invisible and prevent anyone from locating you.
You throw away your mobile phone along with the SIM card and buy a new one, or start using a "burner" phone; same for the laptop, or any identifiable information. You even change city and state. Totally change the way you look?
And you get found within a day. How, you may ask?
Your habit is to have breakfast at a restaurant at about 9 am, and your new phone goes with you. Do you enjoy taking a long walk in the park after your breakfast? Your new phone walks with you. Do you like rock music, and have a habit of visiting gigs each Friday? Your new phone too!
Now give me all the phones that connected to a base station in the restaurant, park, rock venue, you name it, at the specific time patterns. Number of matches: 1. Gotcha!
We are living in the era of developed ML algorithms. Private data exposes you like never before. Remember the TV series "MacGyver"? Well, just remove the fiction part and there you are.
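The base-station intersection Stefan describes in that answer, written out as an added example; this is not code from the interview or from ETalc Technologies, and the attach records, the habit profile and the handset IDs (D1 to D4) are constructed for illustration. Each habit selects the handsets seen at that cell within an hour of the habitual time, on at least two distinct qualifying days; the intersection of those per-habit sets is the re-identification, and the per-handset hit count shows how each added habit narrows the field.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the interview): one record per handset attach
# to a cell, as (device_id, cell_id, local timestamp). D1 is the target's new phone.
RECORDS = [
    ("D1", "restaurant", "2019-03-11 09:05"), ("D1", "restaurant", "2019-03-12 08:55"),
    ("D1", "restaurant", "2019-03-15 09:10"),
    ("D1", "park", "2019-03-11 10:20"), ("D1", "park", "2019-03-12 10:05"),
    ("D1", "rock_venue", "2019-03-08 21:30"), ("D1", "rock_venue", "2019-03-15 21:15"),
    # D2: same breakfast and walk, but no Friday gigs
    ("D2", "restaurant", "2019-03-11 09:00"), ("D2", "restaurant", "2019-03-12 09:10"),
    ("D2", "park", "2019-03-11 10:30"), ("D2", "park", "2019-03-12 10:15"),
    # D3: Friday gigs, but lunch rather than breakfast at the restaurant
    ("D3", "rock_venue", "2019-03-08 21:00"), ("D3", "rock_venue", "2019-03-15 21:40"),
    ("D3", "restaurant", "2019-03-11 13:00"),
    # D4: a one-off visitor, seen on a single day only
    ("D4", "restaurant", "2019-03-11 09:02"), ("D4", "park", "2019-03-11 10:00"),
]

# The target's known habits (assumed profile): where, at roughly what hour,
# and on which weekdays (None = any day; 4 = Friday, per datetime.weekday()).
HABITS = [
    {"cell": "restaurant", "hour": 9, "weekdays": None},
    {"cell": "park", "hour": 10, "weekdays": None},
    {"cell": "rock_venue", "hour": 21, "weekdays": {4}},
]


def devices_matching(records, habit, tolerance_min=60, min_days=2):
    """Handsets seen at habit['cell'] within tolerance_min of habit['hour']:00,
    on at least min_days distinct qualifying days (filters out one-off visitors)."""
    days_seen = defaultdict(set)
    for device, cell, stamp in records:
        if cell != habit["cell"]:
            continue
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        if habit["weekdays"] is not None and ts.weekday() not in habit["weekdays"]:
            continue
        if abs(ts.hour * 60 + ts.minute - habit["hour"] * 60) > tolerance_min:
            continue
        days_seen[device].add(ts.date())
    return {d for d, days in days_seen.items() if len(days) >= min_days}


def habit_hits(records, habits, **kw):
    """How many of the habits each handset satisfies, for ranking partial matches."""
    counts = defaultdict(int)
    for habit in habits:
        for device in devices_matching(records, habit, **kw):
            counts[device] += 1
    return dict(counts)


def reidentify(records, habits, **kw):
    """Intersection of the per-habit candidate sets: handsets matching every habit."""
    sets = [devices_matching(records, h, **kw) for h in habits]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    print(habit_hits(RECORDS, HABITS))  # {'D1': 3, 'D2': 2, 'D3': 1}
    print(reidentify(RECORDS, HABITS))  # {'D1'}
```

The `min_days` threshold is what keeps the one-off visitor D4 out of every candidate set; with `min_days=1` it would survive the breakfast and park habits and only the Friday-gig habit would eliminate it. The same structure scales to any number of habits, and each additional one shrinks the intersection, which is why Stefan's "number of matches: 1" follows from a handful of routines rather than from anything tied to the old SIM.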
4. Question: In your opinion, how effective has the government been in protecting citizens’ personally identifiable information?
Working with governments on security solutions, protection and intelligence made me realize how much productivity you can achieve once you strip ROI out of the equation. The beauty of working in a "non-profit" environment that can afford top-notch people and technology is nothing but results.
Many technologies developed 10 or more years ago in those "smoking allowed" offices work perfectly today. A good example is asymmetric elliptic curve cryptography. You may know it from Bitcoin, cryptocurrencies and blockchain. But did you know the same technology was used globally within your passport booklet chip long before blockchain? The same goes for tons of other technologies.
From the regulatory side, initiatives such as GDPR are nothing but good security practices proven to work well protecting those very same offices. The same stands for HIPAA, or more specialized standards such as FIPS 140-2. Of course, there are failures in the government sector as well, but I have a strong impression everyone realizes there's no winner in the data acquisition race.
5. Question: Is mobile security essential for smartphone users? If yes, why do you think so?
Definitely, more than ever. The fact that it's always with you makes your smartphone a key to your very own universe. You use it for communication and social media, but also for financial transactions, even to start your car.
As such, it's the primary target and most valuable digital asset. You can't expect the common Joe to become a security expert; rather, provide a secure environment.
Mobile security should not be an "over-the-top" service, but a fundamental base. This is why *nix-based smartphones dominate the market. That kernel comes packed with experience dating back to the 1960s. Funny trivia: it was AT&T Bell Labs who developed one of the first for the mainframe.
6. Question: What are the most effective tips to mitigate cyber threats?
Obviously, prevention is key. There is a set of standards published by NIST, and 95% of the attacks I saw in my career are a consequence of not following these guidelines, or implementing them only at the level of formality.
One should take standards such as ISO 27001 and understand them as "knowledge transfer", a set of good practices made from the experience of others, so you don't pay the same toll.
However, once compromised, the best advice I can give on mitigation is to treat the whole system as compromised, regardless of escalation level. There are tons of funny situations with companies mitigating an attack by restoring backups, while in fact the backups were infected in a way that provided security escalation otherwise not possible. There's no partial breach in my vocabulary.
7. Question: Do you offer consultancy services for businesses with cybersecurity needs?
Please don't hesitate to get in touch; I do a lot of consultancy. Playing chess with the bad guys has been my driving force for over a decade; it's not difficult to attract me if you have trouble with one.
Reach Stefan Ćertić through:
- Website: https://www.certic.info
- Twitter: https://twitter.com/cs_networks
- Facebook: https://www.facebook.com/stefancerticofficial