It is highly recommended that every network operator protects their security by having a signaling firewall, but some still suffer from lots of gaps in their defences. We discuss the reasons why comms providers fail to get comprehensive protection from their signaling firewalls with network security blogger Josué Martins, currently of Accenture and previously with Unitel and Samsung.

Topical news about disruptive network failures and about a string of prosecutions for teenage SIM-swapping hackers also received the scrutiny of our three regular presenters: industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hi, I'm Eric Priezkalns, and this is The Communications Risk Show. Every Wednesday, we chat with experts
about the risks faced by comms providers and their customers. Shows are streamed live,
so you can also join the conversation, submitting questions and observations as we go along. And boy,
we have great conversations on this show. You should have been listening to what we were saying
just before the show started today. I'm loving it already. But we do love your input, so feel free,
get those fingers working, type away at the keyboard directly beneath the streaming window
on our website at You'd think I'd know the URL by now. We also stream live to
LinkedIn, so feel free to share your comments over there. A member of the team will pass your
comments along. I'll try to read out as many of your comments and observations as time allows.
Today's special guest who'll be joining us later on is Josué Martins. Josué is a tech security
blogger who currently works for Accenture and has previously worked at Unitel and Samsung. We'll be
talking to Josué about signaling firewalls and why they don't always work as well as they should.
But first, let's bring on our regular co-presenters. Discussing recent industry news,
I'm going to be joined by Ed Finegold from Chicago and Lee Scargall, who's currently
in Bahrain. Ed, Lee, everybody knows who you are now, so let's just skip past the big introductions
where I talk about how you respected authors and worked in telcos all around the world. Everyone
knows that already. Let's get straight into the nitty gritty, the things that were getting us
worked at before we even started streaming today. Network resilience, reliance upon networks,
things going wrong when networks are not available. Now, as you pointed out a couple of weeks ago,
around 50,000 students at the University of Michigan were told to work from home or use
their mobile phones last week because staff had shut the school's network connections down in
response to what they called a significant cyber security concern on the eve of New Year. And
also recently, we've had some very attention-grabbing news from San Francisco.
They've got these fleets of self-driving taxis in that city now, and one of those fleets of taxis
caused an enormous traffic jam in the middle of town when all those vehicles suddenly stopped
moving. Gregster56, using X, formerly known as Twitter, shared a video to illustrate the impact
upon downtown San Francisco. So, Producer James, you would show us the video now, please.
So, I mean, everything comes to a halt because all these cars have stopped right in the middle
of the road. They're not moving. They're meant to be autonomous. They're meant to be able to drive
people around San Francisco without any problem. They stopped right in the middle of the road.
And the hilarious thing here is that not only did the car stop driving themselves,
there's meant to be human operators in cruisers' office. They were all part of the cruise fleet
of robo-taxis, meant to be human operators to restart these things, get these things going again
when they do stop. Couldn't get through to them because network load, network congestion, and
nearby music festival was taking up all the load, so the operators couldn't get through to get these
cars going again. So, my point here, whether it's transport or education, hospitals, smart meters for
energy, digital currencies, we're increasingly dependent upon networks for every aspect of life.
And at the same time, maybe the money's running out for rolling out things like 5G networks. So,
let's get straight into the heart of the matter, Ed. I really want your take on this to begin with.
Are institutions like universities and hospitals, should we be pressuring them to be a lot more
resilient in their approach before they start racing away and putting too much on networks?
Are we setting ourselves up for a failure, a bit like the city council in San Francisco
set themselves up for a failure by letting these cars on the street,
and then suddenly the streets are all standstill because they're all blocking the roads?
Yeah, I wonder how far are we going to let it go? How far are we going to let the experimentation
with new tech go into the realm of life and death, physical life and death types of scenarios?
How far do we let that go? And so, the answer to your question, obviously, is yes,
with institutions, hospitals. Two things that jumped out at me about these stories
that were mind-boggling. One was, and forgive me, University of Michigan, which I am a graduate of
the University of Michigan, I love U of M, go blue, but the story jumped out at me as being nuts
because when they had to shut down the network for whatever reason they had, read more about it,
and I'm not sure that they've told the whole story, but they encouraged students and faculty
to use external communications networks and cellular networks and what have you.
And what struck me was how much time has been spent on implementing multi-factor authentication
on these campuses and training people about phishing and all of these other things,
and something goes wrong. And it's like, you know what, we're just going to shut our network down
and then use whatever you can and forget about all that stuff that we taught you.
So, that part of the story is what stuns me, and it's not unique by any means to the University
of Michigan. I've seen those stories in other places before. So, that was the one. On the other
hand, with the taxis, I mean, there were too many things that jumped out at me on that one. I mean,
other than the obvious. Thank God they just stopped and didn't start driving around like mad
and crashing into storefronts or what have you, which I think people in San Francisco maybe are
doing more frequently now than they were before, as I understand it. But regardless, the part of
the story that jumped out at me was that it was the congestion of the mobile network, and we talked
about this before the show, because of a nearby festival. So, you've had a peak event, not an
unscheduled one, a scheduled like beyond peak event that demanded enough data that no one put
into the plan that maybe that was going to shut down the taxis by accident. And you want to give
people the benefit of the doubt and say, well, it's new. Well, it's new, and you're asking people
to put their lives at risk getting in the cars. And you also say, well, it's new. Well, it's new,
except we've been talking about these use cases for probably a decade. Anyone that's in the
service assurance business has been talking about these kinds of use cases around these like, you
know, superstar use cases for 5G, like autonomous cars. So, none of this should be a surprise to
anyone, which the last thing I'll say is this puts that whole story into the realm of what I call
Plaxco Burris territory. And I may have talked about this on the show before, but Plaxco Burris
was an American footballer who famously ended his career more or less by shooting himself in the leg.
And he shot himself in the leg because he was at a nightclub at 2.30 in the morning,
carrying a pistol that didn't have a trigger guard in the waistband of his sweatpants.
And if you think about like the six or seven awful decisions that you have to make to put
yourself in the position where you destroy a $10 million a year sports career by shooting
yourself in the leg, that's Plaxco Burris territory. And so, I felt like the taxis were
similar. It was just this collection of no does that ended up, thank God, like we said, in just
the cars stopping as opposed to going haywire or doing something that really would have put
people in danger. I hope it's a lesson. Well, yeah, I will come back straight away on that
one because I think it reflects about how we think about risk and prejudice when we think
about risk and we don't think things through. You could still kill a person by having a car
stopped in the middle of the street, blocking the street, because now you have a situation where if
an ambulance needs to get through to that street to somebody, it can't get through. You can't,
it's not like a situation where you could just wheel the car. I mean, is it possible to put it
into neutral and push it? I mean, has that even been thought through? Even if it was thought
through, do people know that they could do that if they needed to? I would assume that the robo
taxi firm doesn't want people putting their car in the neutral and rolling it off somewhere off
to one side. But these are the kinds of things where there are more than one way. And of course,
when we talk about life and death things, people start to pay attention.
But you could still horribly affect someone's life in all sorts of ways that aren't life and
death scenarios. You make it impossible for them to access their bank account when their bank
account is now tied to network connectivity. You damage their education. You tell somebody,
oh, it's okay. You can't use this university network now. Why don't you go down to Starbucks
and go down there? And as a result, their data gets compromised. Who becomes liable?
So Lee, I mean, I was gobsmacked that you were saying before the show, I've got to share this
with the viewers. You were saying that you were flying around in flying robo taxis in the Middle
East, Lee. And I'm saying to you, don't do it, Lee. You're too precious to us. Don't be flying
around in a robo taxi. It's bad enough, the ones that are on the ground. Well, I haven't actually
been in a robo taxi, a helicopter one that is. But if you actually go online, Aridu, one of my
former employers in Qatar, they actually have them and you can see them flying around there.
Now, I don't know if these are in commercial service, but yeah, when you see an example of
what goes on at cruise, I'd be worried if I was working at Aridu as a risk manager.
Well, the thing for me is also, I think it sends the wrong message about, I mean, look, wow, tech,
it's amazing. It doesn't send to me a message that you're being responsible. If you're just
immediately rushing things out as quickly as possible. I mean, part of you were telling me
about those flying taxes in Qatar is that it's promoting 5G connectivity. Well, it seems to me
that that is a really daft way to promote 5G connectivity because a flying device, a flying
vehicle that you can ride to somewhere else can by definition fly outside of 5G network coverage.
Well, what good is the 5G network coverage to you at that point in time? It can't be in any way
dependent upon 5G network coverage and be safe at the same time. So why is this like a sensible way
to even advertise 5G or flight? It seems to be sending the wrong message that we just don't care
about. We don't think about things like safety because anybody stops for two minutes and thinks
about this can go, this doesn't seem safe to me. Surely this is the wrong message we're sending
to people. Well, I'd kind of hope that the designers have kind of factored in if it does
run out of 5G coverage, then it probably reverts back to satellite connectivity. Right. But anyway,
I'll just leave you this as my final comment. It's actually still safer by the way to travel by air
than it is by road. Well, maybe on a big plane with a proper pilot. I'm not so sure with the
RoboCopter. I mean, because look, France, Vietnam, we've had these big stories, Lee,
criminals driving IMSI catchers around cities. I'm not so sure we're wanting to be flying around
in a flying RoboTaxi, which is dropping down from 5G to 2G because it's lost connectivity.
Someone's sending an SMS message to the taxi to reboot it when it starts to go a bit haywire.
And then some guys driving around at ground level blocking the signal because these are real
things. I mean, we seem to be putting more and more and more risk on top of networks. And to be
serious for a moment here, Lee, are telcos starting to become a bit foolish with the extent to which
they may be held liable for things like a car being in the way, even if it's not an accident,
devices not working as they're supposed to. The more that things get networked, surely there's
increased liability for telcos here. And we're not talking and thinking about that in terms of
risk management. Yeah, you're right. I mean, we mentioned this last week. If it's connected to
the internet, then it can certainly get hacked. And as you're seeing, there's this kind of this
explosion of IOT devices. A lot of them now are going into cars. Some are going into helicopters,
and the danger is that if you hack these, you could actually weaponize them. And this is very
serious when it comes down to the liability aspect of it. And I don't think telcos are thinking this
through because we talk about things like, say, network slicing, which is a bit of a myth,
doesn't really occur in present. But the idea is, oh, great, I'll just sell them the slice.
They'll be able to run some fancy business off the top of it. Yeah, but are you not now
responsible in some way if that business fails, if something goes wrong with that business,
a drone crashes and something? I mean, should telcos be looking at things like insurance to
solve this problem? Or should they just be a bit more wary about putting themselves in a situation
where they're going to get sued at some point or another? Surely somebody in the USA, Ed,
is going to be making a fat load of money in the very near future because they're going to be
suing a telco and not, forgive me for saying so, some dodgy startup business which has bought the
network connectivity from the telco but has no resources. So they're not the ones who are going
to get sued when something goes wrong. Yeah, I'm actually surprised that more of the
tort lawyers here in Chicago haven't wanted to give me a call to talk about all the ways that
there's new business for them in the digital world. It's because of your point that there's
so many new uses and then dangers that are created, that there's going to be all kinds of
holes poked in that and all kinds of lawsuits and new law that's going to only be reactively made
the hard way, especially in the US. And what it reminded me of was a little bit as you were
talking through this was, remember when they made cars without seatbelts? And why are there
seatbelt laws now? Well, there was a lot of blood spilled to get there, basically. I mean, it's sad
to say, but that's true. That's reactively how things tend to happen. And I think that's a little
bit of what we're talking about here with the technology and not just the liabilities of it,
right? We're talking about the actual physical dangers as well. And those two things are
associated because it's the understanding the physical dangers and the dangers that you may
or may not be creating by, like you said, blocking a road, that that's the thing that's going to get
you from a liability perspective. And I don't think anyone's going to think through all those
in advance and come up with a safe way to deal with it. There's going to be a lot of
messiness and a lot of lawsuits to get there. And here's the last thing though, Eric, real quick.
The right answer is somewhere between like those 5G taxis stopped on the road and Theranos,
like in terms of the where the liability lands and how far you can push the this is hype and it
doesn't deliver and it creates danger, right? All the way up through it. No, it's just a flat out
con, but it was a con that was allowed to take blood from people and provide services to them
before it was called that as a con or anyone got busted, right? So there were casualties.
So I know who I would put the burden on here, actually. It would be Lee, because Lee is the
risk manager for the telco. The risk manager manages the risk of the telco. So Lee, I'd be
turning to you and be saying, look, if this company is selling this product to this business,
this network slice over here, that network slice over there, the onus has got to be on the telco to
know its customer and to understand the risks and the liabilities when it takes on new customers.
Is this not more work for you? Yeah, absolutely, Eric. And I think I mentioned earlier that if I
was one of the risk managers for a redo, then I'd probably be a little bit concerned about this
to make sure that the service that we actually provide and they sign up to that it's being
delivered, right? Because if you fail, such as in this case, now, I don't know if Cruz actually had
a slice of the network or whether they were just using the public mobile network,
then there's obviously liability here and that needs to be followed up. So yes,
you're absolutely right, Eric, as a risk manager in a telco, I think you're going to be busy over
the next couple of years. So there's going to be some fights between you and salespeople.
Salespeople are racing ahead to sell this exciting 5G network slices and you saying,
hold the horses, we may not want to be selling these network slices to some of these people.
Yeah, also as well, it comes back to the service assurance as well. It's just to make sure that
what they have actually bought and signed up to is actually delivered as well. So I think there's,
it's not just us, there'll be others involved in this as well.
Okay. Well, thank you for your insights, guys. Now it's time for one of our sponsored features,
the Symmetry Prism Fact of the Week. Each week we share an interesting fact supplied by the Prism
Fraud Intelligence Team at Symmetry Solutions. Now you wouldn't think it's strange to rent a house
or a car, but what about the renting of a GSM VoIP gateway? Should that be allowed or is it
as daft an idea as renting out guns and knives? Symmetry's Prism Intelligence Gathering Team has
been monitoring the businesses which rent out GSM VoIP gateways and other tools that could be used
to make scam calls in bulk. Such services appear to profit from crime without actually breaking
the law. The supplier incurs the capital costs associated with owning the gear,
whilst the criminals then rent the gear and start making money from the crime without
needing to invest significant sums in equipment first. If you're wondering whether there are
legitimate reasons to rent out technology of this type, then you should take a look at some of the
rental screams as they're advertised online with promises of imitating the movements of human users,
IVR detection modules, and time slots to activate SIM cards to reduce the risk of cards being
blocked. Those are the types of technologies that only make sense if the goal is to avoid the
anti-fraud controls implemented by commerce providers. So if you want advice about the
controls your business needs to protect itself from criminal tech like this, turn to Symmetry
Solutions and their Prism Fraud Intelligence Team. Their URL?
And now for some more topical chat. There have been so many stories about this. I know we've
talked about this before on the show. I know Lee says that it's girls as much as boys, but he's the
one who's wrong in this case. There is no equality in this topic because it's always boys.
Young men and boys, SIM swaps, hacking, two-factor authentication. And apologies to everybody who's
been following these stories, but there has been so many cases that have been coming to court
recently. It's worth recapping. A couple of weeks ago, two boys, one now aged 18, the other 17,
found guilty in a British court belonging to the Laxus Hacking Collective. Amongst their crimes
were the hacking of British telcos BT and EE, leading to the theft of at least $100,000 in
cryptocurrency from five customers whose phone accounts were compromised. They haven't been
sentenced yet. Obviously, it's expected it will be a lengthy sentence for them. Three weeks ago,
Anthony Falk, sentenced by a judge in California to three years in prison and had about $20 million
worth of assets forfeited after he agreed a plea deal, admitting he started using SIM swaps as a
stepping stone to raiding cryptocurrency accounts soon after he turned 20 years old. In June of this
year, British SIM swapper Joseph O'Connor, aka Plugwalk Joe, given a five-year prison sentence
by a judge in New York. This kid, a scouser from Liverpool, arrested in Spain in 2021,
but eventually extradited and pled guilty to using SIM swaps to steal from a cryptocurrency
business and to take control of prominent social media accounts, as well as swatting a teenage
girl who rebuffed his online advances. He again began his criminal exploits as he entered his
20s. And in February of this year, 24-year-old Amir Hossein Golshan, subject of an FBI criminal
complaint alleging he used SIM swaps to take control of the accounts of female social media
influence, so he could sexually harass them and extort money from them. And going back to last
year, we don't have to go back to October of last year, when 20-year-old Ellis Pinsky agreed to a
civil judgment to pay $22 million to a cryptocurrency entrepreneur called Michael
Turpin, who had lost $24 million following a SIM swap on his phone service. That took place when
Pinsky was still only 15 years old. It's because of his young age and willingness to cooperate
that law enforcement decided not to push for incarceration, that he was taken to court for a
civil case by Michael Turpin. I could go on and on and on, and it's the same pattern every time.
Boys, young men, teenagers, early 20s, they are entering a criminal
underworld focused on SIM swaps, bribing telco staff, targeting cryptocurrency investors.
To begin with, we're dealing with unpacking the seriousness of the topic and what
we as an industry and what the rest of society should be doing about this.
Let's begin with you, Lee, and security advice. Is it time that we should start not just disagreeing
but rubbishing the security experts who say two-factor authentication using SMS and voice
is a desirable security enhancement to protect people's bank accounts and other
important online services they use? Well, I mean, it's correct for them to say we need
two-factor authentication, but using SMS is just really bad guidance, right? We've discussed this
on the show many, many times now, Eric, that it just isn't safe. There's so many vulnerabilities
ranging from SIM swaps or using social engineering to divulge the OTPs,
and then you've got the intercepting SMS messages through SS7, right? So the list goes on,
right? We've also spoken about voice biometrics, and this is a real worry for me. I actually think
voice biometrics is less secure nowadays, especially with things like voice cloning apps,
right? But no security expert who's worth his salt should be advising to use SMS as
two-factor authentication. I 100% agree with you. I'm absolutely gobsmacked still that people talk
as if we should just be leapfrogging over this redundant old approach of doing two-factor
authentication. We shouldn't even be thinking about implementing it because if you implement
it, it's going to take some time before you replace it with something better. And yet,
we're talking about teenagers, kids. Ed, I want to bring you in here on this one,
though, slightly different point. Obviously, this is a big issue for the telecoms industry
because everybody points the finger back at the telcos. Michael Turpin, he tried to get over $200
million out of AT&T as redress for having his account SIM swapped. Now, if you look at what
these kids are doing, they're offering bribes to low-paid telco employees. Pinsky, the 15-year-old,
well, he started as a 15-year-old who recently started with Turpin. He said that he would find
that 1 in 10 of the people who worked for telcos that he approached were willing to take bribes
from him. That's how he amassed this enormous wealth. And his secret, his unique power in the
hacking world was that he had been very clever about going around social media and gathering a
huge database of people who work at telcos because they would tweet about it or leave some comments
somewhere referring to the telco that employed them. So, he would just build up the contacts,
build up the contacts, and approach them. So, we know that this is not a problem that can be
solved with purely with technology because how do you stop a problem with technology that comes down
to you have low-paid employees and you bribe them? Are we focusing in the wrong place with telcos?
Should we not be focusing instead on the millionaires who are being stolen from because
they've got cryptocurrency accounts and don't seem to be securing them apart from using
two-factor authentication? Should the law, should police, should our focus be instead to say
appropriate controls where it's needed rather than try to do everything around controls around sim swaps?
Yeah, I mean, it's the whole system, right? I mean, I think if I came back to like first principles of
of cyber security, let's say that at least as they have been, you know, told to me or preached
to me by various people, anything that's only looking at one dimension is necessarily vulnerable,
right? So, I think you need to look at each of the dimensions of this which probably also includes
like the sociological part which we're not going to go off the rails and get into now, right? And we
talked a little bit about that last week, but obviously there's an aspect of this that's just
too darn easy. It's too easy and there's too much inertia around, like we've just been saying,
around using something like SMS. And any time I've had a conversation about, you know, well, why are,
if it's been deprecated, right, by various security authorities, why do we keep using it? And it's,
well, it's inertia, it's everybody wants to, it's all these kind of shrug your shoulders types of
answers. And so, I think my point in that though, Eric, is that it comes back to I think the only
way that you end up getting change is if you have a compelling event that mandates some kind of
change in it, right? Because there's already, you know, an official government level recommendation
not to do this. It's been ignored for I think almost eight years now, right? So, if you really
want to take action on it, yeah, it probably requires some kind of legislation, regulation,
and something with teeth to make it happen, right? And like in the form of liability,
like you're talking about, that Daisy changed these things together. And that's, I don't know,
I'm going to keep rambling about this otherwise, so I hope you'll cut me off soon.
No, look, I mean, we covered this last season where it was Malaysia, I believe it was,
that had basically the central bank had dictated that you can no longer use SMS
for two-factor authentication for transactions on the bank account. Is that not really the point?
There's nothing wrong. I mean, two-factor authentication for SMS for something trivial,
well, it's trivial. I mean, it may be sufficient. Maybe we don't need much more sophisticated
protection for some things. Although a lot of these kids started out by just wanting to get
cool handles, user account names for video games. That's how they actually began. This is what
people at Pinsky have said is that they didn't start out with the intention of becoming millionaires.
They just wanted to have a really cool username when they played a video game. So they worked out
how to steal the username for the video game. And the same technique can be applied to stealing
millions and millions of dollars from a cryptocurrency investor. So it's not the
point here that people like Michael Turpin, instead of suing the telco hand over fist for
the money he's lost, shouldn't a guy like that should be saying to himself, why am I so dependent
upon this very trivial, very easily corrupted control when I've got $24 million in a cryptocurrency
account that I don't want stolen? And when it comes to the lawmakers, should they not be the
ones saying to the banks, to the cryptocurrency businesses, you need to impose tougher restrictions
because it makes no sense to impose a tough restriction on everyone.
And then we're in like this open period, right? I'm sorry. Go ahead.
No, no, sorry. I mean, I know we can monopolize the debate. So I want to bring Lee in here.
And he's probably wealthier than the two of us. So he might be arguing on the side of the
cryptocurrency billionaires. You know, with all your wealth and riches, do you not think that
the burden should be on rich people like you, Lee, to protect your assets rather than making it
difficult for a single mother who loses her phone? She needs a replacement SIM. Why should she be the
one who has to pay the price in terms of much more restrictive, difficult procedures to get
a replacement? I mean, because this is the real, the reality is that we tend to talk about SIM
swap crime as if we just put more and more controls in SIM swap, because a lot of people
just lose their phone. And if you make the controls harder for the criminals, you make it harder for
ordinary people too. It's not people like you, Lee, with all your wealth and riches that should
be doing more to protect yourselves. I don't know who you're talking to, Eric,
but I'm certainly not wealthy the last time you saw me anyway. But listen, to go back to your
question, when you were talking about cryptocurrency owners, right, and in particular, this
case, this guy, he had a huge amounts of crypto. I mean, the first thing which came to me is who
on earth leaves that amount of cryptocurrency in an online wallet, right? Surely you would like take
that into old storage, or you'd take it offline, right? I mean, that's a lot more safer for you to
do that, right? So that was the first thing which came to me. But you're right, I think it should
be more demanding from these cryptocurrency owners to start putting more pressure on these
companies that run the wallets, right, to increase the security around it.
And is it not fair that legislation, rather than putting more burden on the telcos,
in order to protect the cryptocurrency business or the banking industry, put more pressure on the
banking industry and the cryptocurrency businesses to take the pressure off the telcos? They're the
ones who generate the profit from having these huge online wallets. That's it. That's it right
there, Eric. Yes, it is that relationship right there. And it's that seam that keeps getting
attacked, right? It's the telcos selling SMS and banks using SMS for this purpose that we're talking
to. That is a huge part of the problem. It is not the only part of the SimSwap problem. We can do a
whole show on non-bank fraud SimSwap problems that get into digital identity. But I totally agree
with you. It is that seam that is the problem right now. Okay. So viewers of the show probably
realize that we have a bit of a problem with our gender ratio, because we all identify as men,
currently the three presenters on this show. But can we as three men also know, I know Lee,
you've disagreed with this in the past, but can we as three men admit that this is uniquely
a problem with men? That there is boys and men, and we need to be looking at addressing
what young men, the messages they get online, what they're taught in schools. Lee, you're a father of
kids. Is it not long overdue that we now start taking a lot more seriously the extent to which
we educate, especially men, about avoiding the temptation of cyber crime? Yeah, without a doubt,
Eric, you know, the majority of this crime is actually committed by young men, right? But as I
keep pointing out, right, it's not just young men who hack. Women do it as well, right? I actually
had a look at the speaker list at the DEF CON event last month, actually. And I would say about
10% of the speakers there were all women. And that you actually look at the hacking groups in China,
you've got the all girls security team over there. And that actually consists of 3000
female hackers, right? So the point I'm trying to get to here is, don't be lulled into a false
sense of security, right? If a lady comes to the office, and she wants to connect a laptop to the
LAN, right, to show you a latest presentation, don't be fooled in thinking, well, she doesn't
fit the profile of a young of a young hacker, right? So she's not going to do any harm. The
point I'm trying to get across here is, you know, hacking, it all comes in all shapes and sizes,
right? So you just need to keep that in mind. Come on! Who's taking the bribes too, guys? Who's
taking the bribes though, too, Eric? So I don't disagree with you, Eric, in terms of like, when
you look at the data, and you quantify the data in terms of the reporting that we've seen, that
the stories are overwhelmingly young males, right? Which interestingly aligns with, you know, bank
robbery in the Old West as well. Overwhelmingly young males, right? There's some kind of parallel
there. Well, it aligns with crime statistics in general. However, those men commit crime.
Here's the other side of this crime though, right? Which would be interesting to look at is
the bribes part. Who's taking the bribes? Is that all men? Is that men and women? And I think that's,
you know, the other side of this, we shouldn't forget either, that there are many various parties
that are involved in these crimes. And though the person who's doing the hacking, and may even be
the orchestrator of the different pieces could be a young, you know, a young man, and it may be young
men that have created the market, so that people working in contact centers that have access to
SIM swaps are like, hey, there's a way to make money here on the side. There's a side hustle
that's built into this, right? Maybe they've created that market, but who are the people
that are taking the bribes? They're at fault, right? Those are people who are employees of
telcos or they're contractors, right? They're criminals too. And I bet there are all sorts of
different people. You'll identify them by the new car in the parking lot. I'm devastated by the way
this conversation is going, because it turns out I'm the one who's most anti the patriarchy. The
three of us, and I would never have thought that would be the case. This is clearly a problem
with men in society. And you two guys, I mean, I hear where you're going. I hear what you're
saying here, but should we not be focusing on frightening the pants off young men and saying,
you could end up like Plugwalk Joe. It doesn't matter if you go to Spain, they're going to get
you and they're going to put you in prison for five years. And it's actually not an argument to
be made here, that the real danger is that because juvenile crime, the way crime works,
organized crime works, that juveniles are attracted to this thing. We know they're attracted to this,
and there's a temptation to be lenient, to be lenient towards young people. Oh, because they're
young, they don't understand, they'll reform later on. One of these lads, the one who can be named
in this case that just been found guilty just two weeks ago in the UK, so the Crown Court,
one of these lads, he was already out on bail, staying in a hotel room selected for him by the
authorities because his name was out there and other criminals wanted to get him. Okay. The
condition of his bail was that he doesn't go online and then guess what? They catch him with
a fire stick that could be used to plug into the TV set in his hotel room, but it's actually being
used to commit more crime. And where did he get this fire stick from? Well, it's on a hotel,
on a big retail estate. Well, it's not going to take too much effort for that lad,
who's got millions of dollars of cryptocurrency and a track record of committing crime and
bribery, it's not going to take much ingenuity for him to walk out of his hotel room, walk across the
street into a store and buy a $40 fire stick so he can get internet access again. Are we not being
incredibly naive here about the extent to which if we don't frighten these people with very,
very serious penalties, not only will the kids keep on doing it, but older criminals,
organised criminals will lure them, will want them to do it because of the belief they won't
get serious hard time. Is it not time now for serious hard penalties, Lee, for these boys,
even if they are very young when they get into these things? I'm not so sure penalties are the
right way to go. I think more about educating at the right level. I've got two boys, one 12,
the other one eight. And it frightens me that they're coming into this age now,
where they know about hacking, right? They're exposed to it. It's glamorised. It's on TikTok.
They see it. Yeah. And they think it's cool. And it's not just they think it's cool.
Kids across the world think it's cool. And there was actually a, there was a survey done in China,
which they were saying hackers there, they're deemed as rock stars. They have rock star status,
right? So it's a big issue. And I think, but I think it comes from education.
You're too soft. Ed, do you agree with me? We need to bang these kids up,
sticking them down bars. Do you agree with me? Yeah. Yeah. I think it's right. I would actually
take both bookends. I mean, I obviously, I think, you know, as a parent, especially when you educate
your kids, and my probably my, my daughters probably have gotten more lectures on protecting
their digital identities than they're ever going to want to in their lifetime and could spit half
of it back at you. But no, I agree with you that I think the, the expectation shouldn't be that
you're going to stop these crimes, because you're not going to stop young men from wanting to commit
exciting crimes that get them money so they can go get girls and fancy cars, right? Like,
that's a always, I think, you know, just be a human thing. And then at least in the paradigm
as our society exists, you know, materialistically today, right? If you want to go offline.
All right. I just don't think you're going to make that go away. But I think you have to take
the crime seriously. No, but the crime should be taken much more seriously. Much more seriously.
Yeah. I think we could go on and on. We're running over in terms of time, but I really
enjoyed the conversation. Now it's time for another one of our sponsored features. Each
week, Geoffrey Ross of Core Authentication, Fraud Prevention and Geolocation Specialists,
OneRoute, takes us on a tour of the world in our phone. This week,
we're going to take a trip to France. Producer James, roll VT.
Hey, everyone from OneRoute. I'm Geoffrey Ross, and this is the world in your phone.
Parlons de la France. Let's talk about France. With this world famous cuisine, picturesque
villages, sweeping vineyards, and influential culture, there's no wonder France is one of the
most popular destinations in the world. But did you know that in early 2023, Orange Group and
Vodafone Group announced to build an open RAN with RAN sharing in rural parts of European countries?
This marks the first time that the French and British telecom giants have agreed to share
open RAN networks in Europe. The first commercial sites to be deployed are planned to start in a
rural area of Romania. And by working together, this will reduce the cost of hardware,
minimize fuel consumption, and the need for duplicate sites, all while eradicating zero
cover spots for both networks. It'll be interesting to see what other industry collaborations will
come about in the future. Some other interesting facts that I've found is France shares its borders
with eight other countries and is the largest country in the EU by land mass. It is approximately
four times the size of the UK and yet still slightly smaller than Texas. France produces
more than 1,600 different kinds of cheese. It is estimated that 25,000 tons of snails are eaten in
France each year, and putting a baguette upside down is considered to be unlucky, all while it
was also technically illegal for women to wear trousers until 2013 when the old law was finally
abolished. Be sure to subscribe to OneRoute on YouTube where you can catch up on the world in
your phone and watch the OneRoute Roundup, the show that spotlights individuals and companies
making a positive difference in the telecom industry. One more fun fact about France,
it is illegal to throw out or burn perfectly edible food in France. Eric, back to you
and more of this great communications for a show. Cheers.
Thanks, Jeffrey. I've always appreciated your tours of the world. I look forward to where we're going next week.
Now, let's welcome today's guest. Josue Martins is a security blogger who regularly writes about
networks and their fallibilities at He joins us today from
Cologne in Germany where he works for Accenture. Previously, he's been the telecom security team
lead at Angolan operator Unitel and he's also been a mobile security engineer for Samsung. Hello, Josue.
Thank you for joining us today. We've been really looking forward to having this conversation with
you. I'm a big admirer of your writing at your website. And let's get straight into this topic
where you're really some very pertinent insights we don't often hear other people talking about.
Key question here we've covered in previous episodes, but you're going to help us set the scene.
Why should telcos, network operators, have a signaling firewall, Josue?
Well, in my point of view, I think that they should have a signaling firewall for multiple reasons.
One of the first reasons is to do actually with protecting mobile subscribers, right? And others
to actually protect the infrastructure. And I can give some examples around that. So,
if there is no signaling firewall in a mobile operator, subscriber are vulnerable to a lot of
attacks. For example, fraud, interception of the traffic. They just say someone can intercept your
call. Someone can then intercept your SMS as you explain account takeover for your banking. So
someone can then do an authorized transfer and people can track your location. For example,
let's just say that you're a VAP client for a mobile operator, you're quite rich and people want
to break into your house, they can definitely use the absence of a signaling firewall to actually
track you and attack you. And in my point of view, I also think that regulators actually should
enforce that signaling firewall must be mandatory for mobile operators to really prevent the type
of fraud and attacks that you just explained in the previous conversation with everyone.
Such as account takeover via SMS interception. Well, great, great observations there, Joshua.
Straightaway question here from one of the viewers, which I want to jump in with here immediately.
This viewer, anonymous viewer says, notice that some operators now using both a firewall
and an intrusion detection subsystem, abbreviated as IDS. The question is,
why would you use both? What do you think of the added value of an intrusion detection subsystem
compared with a firewall? So actually in telecommunications, right, the firewall and
signaling firewall are different from IP firewall. So it's somewhat irrelevant to use an IDS
for signaling because if you use an IDS, the fraud already happened. So you're really not
protecting the subscriber, just being reactive. And then actually the subscriber can sue you,
for example, if someone loses the money because someone intercepted SMS, they actually can sue
you. If someone intercepts the call between the person and their wife, they can actually sue you,
for example. And this kind of attacks were very common in Africa, where a lot of politicians
call were intercepted via SS7. So there's no point of having an IDS. You actually need to have
blocking instead of actually monitoring the traffic because an IDS just alerts, it doesn't
block, just generate alerts. I see. Okay. So that's a really important distinction there.
But would you recommend that you would need, is it better to have both? Is it advantageous?
It's much better to have a signaling firewall on a blocking mode, not actually just generating
alert. It must block actually all the category that JSMH recommends. And that's actually a very
technical stuff that I shouldn't discuss, but the idea is that there should be a firewall that
blocks all the attacks related to coin interception, SMS interception, location,
and alerts is not something that we recommend. And I don't think also regulators should actually
tell mobile operators to put the firewalls, or maybe have an IDS for signaling related attack.
This doesn't solve the problem. This actually, it makes no sense. Technically, it makes no sense.
Okay. Well, this is why we have you on the show because I'm not a technical person.
This is why we need your technical insights, Josue, to help me understand. Now,
one thing I do know that I'm not a technical person, obviously there's different
signaling protocols, SS7, Diameter, the two most obvious examples. Does this mean that not
every firewall protects against every kind of signaling intrusion? Does this then lead
to some vulnerabilities if you've got a firewall for one, but not for the other?
So it depends on your deployment, right? So in a signaling firewall, you have different protocols
and each protocol is actually protected by module. So for example, if you have 2G to 5G,
there's no roaming for 5G because the signaling attacks actually come via roaming,
which is actually attacks from external networks, right? So let's just focus on 2G and 4G. So let's
just say that you have modules that prevents attack for 2G and 3G, but not 4G, then someone
actually can commit like billing fraud. For example, I can start a 4G connectivity from Germany,
pretending to be Eric, and then you receive a bill from your operator. So what makes sense
is to actually have different modules, right, to cover everything. So you have different models to cover
2G, 3G, and 4G. In that case, you're going to be covered from all the external attacks.
As soon as you have 5G, it's also essential that you actually deploy a signaling module for the
5G roaming, but that's in the near future, of course. Yeah, okay, learning a lot here. Is it easy to set up,
I mean, with the modern firewall, is it easy to set up the rules for what exactly will be allowed
through the firewall and what will be stopped by the firewall? To be quite honest, the rules are not
easy to set up. It actually depends on the firewall and also depends on the person using the firewall.
The issue with telecommunication security is that, as a niche field, not a lot of people have
an hybrid knowledge of pure telco, IT, and how a tech works. So you really need to think like an
hacker. If you're sitting behind a signaling firewall, or even any firewall in this case, you need to think
like an hacker. Not every firewall administrator actually thinks like an hacker. They get a training
to look after firewall, but they're not thinking like someone who wants to break into the company.
So if you want to protect a bank, let's just say you're a security guard, and you want to protect
the National Bank of the United States, you need to think like someone that wants to break into
the brand. You don't need to think like a guard. If you think like a guard, you're actually going
to be defeated. So it's really complex to create those rules because you need to have a deep
understanding of telecommunications, you need to understand the protocols, you need to understand
which messages are needed, for example, to extract someone's location, because you can
extract someone's location based on the country level, and based also on GPS coordinates, like 200
meters from where the person is. So you really need to have a deep understanding of which messages
should be blocked and how they should be blocked. And then you also should know which message
shouldn't be blocked, because there are messages you must block that you cannot block, which are
needed. If they're going to a specific subscriber, they should be whitelisted. And then there are
messages that really shouldn't be allowed at all, especially messages that we kind of call
Category 1 messages. Those are messages that you should never see between roaming partners.
And a lot of those messages are actually used to track people. And it's really efficient. It tells
you where you're sitting. If someone would kind of conduct this attack towards your MCDN, Eric,
they would know where you're sitting, and they would know where is your house.
You got me worried here. I won't bring in Lee, because I'm going to start picking on him again
here to try and calm me down here. Lee, as somebody who looks after risk for telcos,
do you see this problem that Josue is picking up on here that we may sometimes lack the multi-skilled
individuals who cross across, who can cover across boundaries, and therefore link together
work that needs to be done? How does this get tackled? Does it get tackled adequately by telcos,
this problem of being able to have these multiple perspectives on the technology and the risks that
the company faces? Yeah, I think there's two separate questions there. The first one is,
I mean, it relates back to what we were just talking about earlier. There was, I think, a lot
of telcos companies, they actually have signaling firewalls in place, but it actually comes down to
the implementation of that signaling firewall. I think the way it gets implemented, there's gaps,
and if you can think like a hacker, there's ways around that. I think it has to be implemented
correctly, and you also have to have that checked and tested by a hacking team just to see if they
can reveal any kind of vulnerabilities or exploits there. The other thing, the other question you
kind of raised there is, you know, if you look at the landscape, the technology landscape,
it's getting very technical and complex in some areas, and I mean, when you look at it is,
when you put a telco together, there's IT, there's networks, there's all kinds of stuff which has to
come together, and it's having somebody with that skill set and ability to kind of sit on top of
that and to kind of think, well, okay, have you thought about this? How does this work? You can't
work in silos, right? You have to have somebody who kind of sees across that, and I think this
is where the role in particular of the enterprise risk team comes in. Yeah, it has to roll
its sleeves up every now and again, and it has to understand the technicalities of how these systems
are implemented. Yeah, but they don't like to do it, do they? They don't like to do it because it's hard.
That's my experience. You know, you take people outside of their comfort zone when you start
talking. That's partly why we discuss these topics on the show, is that we know it's hard. We know
it's difficult for people to get, so even if they get a basic grasp, at least then they're aware of
the extent to which they need to get out of their comfort zone, but people prefer to just do a
traffic light report and a risk register, and it's somebody else's problem. This is why I'm asking
about the difficulty of getting the people that you need in your organisation, Lee. It is. It's
very hard to find. I mean, the thing is, you should never be, you don't have to be an expert.
You know, if you're in the risk team, you don't have to be an expert in signalling firewalls,
right, but you need to at least understand from a high level, okay, we need to have a security
team come in and check this, yeah, and then you need to understand the results. Okay, what does
this vulnerability mean? What do we have to do, right? So, yeah, you don't have to be an expert,
but you have to understand how these pieces of the jigsaw puzzle all fit together if you're
working in the risk team. A few questions coming in, Joseph, but I'm just going to stick on this
topic with you for just a moment because I'm keen to get your point of view too. You've got a very
interesting CV, varied CV, which means that you're in a very strong position to talk about
this multiplicity of skills that someone needs to talk with authority to deal with this problem.
Now, I don't know about you, but I get people asking me questions every now and then,
pretty regular basis, about training, education, progressing their career. If somebody came up to
you, Joseph, and said, I want to become good at being able to manage these kinds of firewalls too,
what advice would you give them? What's the correct way in order to progress your career
to get these kinds of skills so then can be deployed and used in telcos to protect them?
Well, to work in telecom security, you need to have a hybrid CV. That means for you to understand
telecommunication, you need to really understand the 3GPP specification. That needs to become your
Bible. You need to know that by heart, which are a lot of documents. The other part, you need to
understand IT. You need to understand networks. If you can do some training, some certification
on networks, I'm not going to mention any company. There are a lot of them. Then, you can
do also some certifications in IT security, for example, like ethical hacking, and then also some
defensive. If you look into the IT part, the IT part is going to help you to take care of the
firewall itself because the firewall is a server. Then, you'll open your mindset in terms of attacks
because if you're doing an attack, for example, like phishing someone, you get the credential,
but then you use telco to get the two-part notification by SMS. As soon as you get a
deep understanding of IT and then also understand how the 3GPP specifications are, you read it,
and you really understand how the telco flows work, that will facilitate you to really enter
in this field. However, it's a field that you're not going to learn things in less than five years.
You really need to be dedicated, and experience makes a difference, in my point of view.
I think you're 100% right there. I think the danger is that the individual might be dedicated,
but the employer might not be dedicated. The employer might not be helping the individual
to develop, and they might not always be doing a good job of retaining the individual, even if
they've got a professional. That's important, isn't it? In terms of what we've been talking
about so far, we talked about the difficulty of setting things up, and the skills need to set
things up, but there's presumably also a need to maintain the rule sets as well. Do they need to
change over time? Well, for example, like Felice said, you would need a company to do now and then
security pen testing towards your signaling links to make sure that the rule sets are working well,
that there is no new attacks such as bypass that are bypassing your firewalls.
The rule set will change. As soon as you acquire a company to do a pen test towards your network,
they'll send a bunch of SS7 messages, and so on, and other protocols. Then you will notice that
this message actually passed through your firewall. There's leakage of sensitive information.
Then you need to look into that traffic and really understand why is it being bypassed,
why is your firewall being bypassed, and then you need to change your rule set.
Now, as I said, it's really important for you to understand how the call flow works,
how the message are. A tech has also found different ways of actually creating messages
that are not according to the specs, and they still work in telecommunication devices.
That's why I say if you have a mindset of a hacker, you can actually
do things that bypass the existing firewalls.
You're giving me... I'm just glad I don't have to have responsibility for this anymore, Josue,
because I'm getting more and more nervous just thinking about all the burdens here. Now,
we talked about the firewall, but of course, the firewall runs on some kind of operating system
at some level. Can the operating system also come under attack by hackers?
Yes, most definitely. Signaling firewalls are actually firewalls that run on top of
Linux operating system. Most of them, I would not mention Linux flavors, but
there's many Linux flavors, so they actually run on Linux operating system.
And then if you're not patching those operating system accordingly,
then your firewall is also vulnerable. And it's actually very hard for you to patch those
firewalls, because the firewalls actually sit in the service network, so in this case,
they're sitting behind the PE router. So in that security zone, where the firewall stands,
you don't really want to expose to the internet, because there'll be a problem.
So actually, patching firewalls are very difficult. I mean, the operating system of the firewalls,
they're very difficult. If you patch it without testing correctly in the lab of the vendor,
for example, that can break the firewall application. That'll be another problem.
So the firewall itself, since it is a Linux server, it needs to be secure correctly. It
needs to have the appropriate rules in terms of Linux, for example, in terms of IP table rules,
you need to have the appropriate rules in there. You don't need to expose services that are not
needed. You need to really lock down that firewall and really expose the minimum services needed
to the administrator that are doing management services on the firewall.
Well, I have to say, lots of comments coming in here, Josue. So I'm going to break into the
conversation just to share a few of them, so we don't fall too far behind. Edna says,
you're very smart. Arivelto says, knowledge from different domains, telco, security, IT,
is needed to decide what's secure. Otherwise, you'll end up relying upon, as you've said,
lots and lots of default alerts will be the case. So somebody else agreeing with you there.
A particular question here that I don't understand, but I'll let you field it.
What do you think about the different filtering rules defined by the GSMA's FS11-1920 standards?
Are they sufficient? Well, actually, the FS11 and FS1920,
they're actually standards from GSMA that actually kind of explain how the rule set should be for
FS11-1920, right? They are good, but however, there are bypasses, and those documents are
always being updated by GSMA as soon as someone finds a bypass. For example, there was a bypass
recently, right? And then GSMA actually, because I'm also part of GSMA, so GSMA actually reunites
the people, people submit those bypasses to GSMA, and then we all update those standards.
I would say those rules that are in these standards must be implemented by default. As
soon as you have a firewall deployed, your network, right? You deploy those rules,
put your firewall in monitoring mode for around one month just to remove the false positives,
and after that, you put in blocking mode. So those rules in those standards are necessary.
I would say that should be mandatory because they cover a lot of items, but however,
attackers are coming up with new attacks, and these new attacks, we are finding them as an
industry because we are quite big, we talk, we exchange ideas, and we're also sending these
to GSMA, and GSMA is updating the documents. So I would say those rules are relevant,
and I also recommend the operator that they really should follow GSMA standards, and they
should join GSMA to really get the latest information and also get more knowledge from
different experts in those groups, because there's a lot of magnificent people with a lot
of knowledge. Now I think I should be sending an invoice to the GSMA for the great advert that
you gave to them, but I won't get too jealous about the advert you gave to them. Now,
keep things simple for people like me, Josue, because I don't understand too much this clever
technical stuff that you talk about. One of the things that I think about, and this is touching
on what Liu said earlier on, is I may not know the detail of how things work, but one thing I do
need to understand is where in the organisation should responsibility lie? So when we talk about
who's responsible for maintaining a signalling firewall, is that the network operations team
that should be doing that, or should there be a specific part of a security team that has hands-on
responsibility for maintaining, managing the signalling firewall? Well, in my point of view,
I think it's better to be in a security team, especially from those security team that has
employees with a hybrid background of telecommunication security and IT security.
As I said, you have a Linux box, and in that Linux box, you have the firewall application,
so you need to patch everything from the top. So since the firewall actually stays in the service
network, and in front of that firewall, you have an IP firewall, that means you already have
one security firewall, right? So that belongs to the security team, and then you want to have that
signalling firewall also behind that firewall, and also with the same team, because that team
is also responsible for patch management, they have the vulnerability scanner so that they can
scan the firewall. For example, if they're using, I would just say like OpenVAS, they will have
OpenVAS, because I don't want to mention any vendors. They will have OpenVAS, which is open source,
they'll be able to scan the firewall and patch it accordingly. Now, if you move the firewall
to the operations team, let's say talk operations team, they don't have a deep knowledge of the
underlying layer of that firewall when it comes to operating system. They do not know what is
happening there, right? They know the code flows of telecommunications, they know the standards,
but they do not know how to harden a Linux box. For example, they do not know what the
CIS benchmark expects you to actually apply in those Linux box. So in my point of view,
and that's also a recommendation for many people in the field, I think it should be in the hands
of security people, because the issue is that operators are looking into the firewall as a
telco known, it's not an STP, it's somehow different, it has a different purpose. And
that purpose is actually to prevent security attacks, and this should be the security people.
You make a very convincing argument, I'd be persuaded if I was working with you, Joseph.
We've talked a lot about setting up, maintaining the firewall. Again, help me out, I'm not an
expert on these things. How skilled the staff need to be just to understand the output from
the firewall? I'm thinking here about whatever reports are generated by the firewall. I'm not
even clear on the frequency of these reports and whether they need to be looked at. Do you need
highly skilled people looking at output from the firewall in order to ensure
the firewall is working correctly and fulfilling its purpose?
Well, yes, you need actually experienced people to look into the firewall errors. For example,
based on my experience, and experience of other people, and other people talk to me,
there could be some false positives on firewall. So how do you spot false positives if you don't
know how the firewall works, what is wrong? We don't know if there is a wrong parameter. So you
need to have really experience with telecommunications. You need to know what are
those messages to really spot what is wrong with the firewall and improve the rule sets.
And then, yeah, that's more or less what I have to say. Yeah.
Okay. That's interesting. We talk about a firewall as if it's a standalone piece of technology.
How much does a firewall need to interact with other systems in order to do its job in this case?
Can the interaction lead to any weaknesses, vulnerabilities that a hacker might exploit?
Yeah, the solution firewall system is actually viewed as a standalone system, right? Because
it has different modules, right, for different generation of mobile networks. But however,
it must talk to another systems, for example, like an HLR, which is a database that sits
in the network, which is like a core node. It also must talk to a NHSS, because this
firewall needs to get some information regarding the subscriber, where they are, their location.
So it needs to talk to a different system. And if you have a firewall that doesn't have all
the modules, for example, you can have a single firewall that is, they're just looking to
S7 in diameter, it's not looking for GTP. I also recommend that this firewall should talk to another
firewall. However, they also should talk to fraud management systems. For example, I gave an example
that someone could start a blog session with your EMSI, you know, and start the data section,
for example, you're from Germany, and then you are built, you know, and if you connect actually
the firewall, if we share databases or information from the firewall to a fraud management system,
actually the fraud system in the security assurance, you know, people that work with
that actually can correlate those events. So it's really important for you to connect the
firewall with other systems. And the other critical system is actually a CM, which is a security
event management system. So let's just say that you have an insider threat, right? Let's just say
that someone has bribed someone in your operator that works with the firewall for them to turn off
the rules. You want to ingest those logs from the firewall and send it to the CM because the people
in the SOC can see, okay, Joshua Martin has just turned off the firewall at midnight, but for which
reason? Why did he turn off the firewall? So it is important that you really connect the firewall
with other systems because you want to monitor the things that are happening in the firewall from
all levels. You know, we should not isolate the information that is in there because it's a very
critical system. As I said, if we have politicians, if we have businessmen, you know, really,
dial subscriber, everyone wants to intercept your call. If there is a public candle for a big bridge
somewhere, someone wants to intercept the call, you know, so it's really an important system.
I see. That's a great insight. So again, now there's been a lot of recent news about denial
of service attacks on networks. How easy is it? Is it an issue that a signaling firewall could
in a way be overwhelmed if it's not scaled correctly in order to cope with the load that
occurs when there's a denial of service attack? Could this be also a point of vulnerability
that then you overload the network, you overload the signaling firewall, and then the risks you
were trying to mitigate against, they return? Well, there's two types of signaling denial
of service. For example, there's a denial of service towards a subscriber, can be done with
using one message, the firewall block completely, and then you can have signaling storms that
can happen because of misconfiguration, or maybe some attacker just decided to send a lot of traffic,
you know. So if you have signaling storms, if you have provisioned your firewall correctly,
you know, they just say that, you know, you're getting this much of transaction per second,
you know, and then you kind of provision for 50% of it, right? And then you'll be able to
definitely handle that signaling storm. But however, as I said, you know, everything has
limitations. So if you provision your firewall correctly, you'll be able to stop those
signaling storms. However, this depends on deployment. There are deployments that you have
the signaling firewall in front of the STP. So that means if there is a signaling storm, the
firewall in front of the STP takes all that load. If the signaling firewall is parallel to the STP or
behind the STP, then the STP is the one that takes all the signaling storm. And the STP, you really
find good STPs, right, that are really strong, and they can really kind of hold on to a lot of
signaling storm. They can take the first hit, and then add the traffic that is really needed,
you know, for roaming, then they'll send it to the firewall. So it really depends on the firewall
and your deployment and how you provision your infrastructure in your mobile network.
You've done a fantastic job of summarizing very succinctly a lot of the big risks here
that need to be tackled with signaling firewalls and the risk and sense of what can go wrong with
signaling firewalls. Are there some other big risks that I've forgotten to mention,
or we've not included in the conversation so far, that you'd like to draw to our audience's attention?
Well, I think we covered actually the most important risk. I just think what should be
done also to improve the signaling firewall is to make sure that when there is alerts on the
firewall, kind of reporting the type of attacks should be more or less human type of attacks.
For example, use a term like voice interception, SMS interception, because let's just say that I'm
working for Lee, right? And then I'll go to Lee and I say, Lee, okay, there is this SS7 message,
and we're getting a thousand of SS7 messages. And then it looks at it and say, but this means
nothing to me. So you need to use some business technology or C-level technology that really
makes sense for people like Lee. And then they can say, yes, we don't invest more into top cost security
because right now, if you look at signaling firewalls, they really just tell you, okay,
this SS7 message came from this particular operator, particular network, and then that's it.
And this makes no sense in terms of business. So we really need to bridge the gap between
technical terms in top cost security and business. We need to make top cost security more appealing
to C-level and to those who are in management level so that they can understand what is
the importance of signaling firewall. I think you're right, but I'm going to bring Lee back
in here as well. And by the way, you'd have to make it a lot simpler if you were talking to me,
because I'm sure Lee would be pretty good at this kind of stuff. But for me, you'd have to
keep it very simple. But Lee, is there not a potential here, a risk here that actually people
at the C-level especially, and maybe even more board level, they quite like the jargon. They
quite like not understanding things, because if they don't understand something, they feel that
they don't have to be held liable for it. They're not responsible if it goes wrong. It's the security
guy's job to sort it out, or maybe it's your job to sort it out, and they don't want it communicated
in terms they understand. Is that a danger, Lee? Yeah. I mean, there's talk about having somebody
on the board now who actually understands or is qualified in cybersecurity to some extent,
just so they actually understand the ramifications of this. I read something yesterday. I think it
was an article which came up on my LinkedIn feed, and it was quite worrying actually. And it was
talking about security is going to be one of the areas which gets targeted in the future for cost
savings, because obviously things are being squeezed at the moment. And when I read things
like that, I just think, man, what are you doing? You know, okay, you might save a million here or
there, but it's going to cost you tens of millions if something happens. It's just something you
cannot cut the budget on. Well, that links to a comment we've got here from one viewer that I've
been saving for you, Joseph. Let's open it up so I have all the presenters as well in this conversation
as I mentioned this comment here. The question asking for you, Josue, is to actually reflect
upon what we were talking about earlier, the University of Michigan network being hacked,
the robo-taxes going offline. Do you, Josue, feel as though there may be underinvestment in security,
resilience of networks relating to the things that we were talking about earlier? Is that
something that you perceive that there is increasing risk? A bit like Lee is now suggesting
as well with possible cuts on the horizon. Yes, to be honest with you, when people look
into security, right, when people look into security as a whole, they don't look at it as
a priority. Actually, people look first into make functional devices or functional networks,
right, or functional products, something that generates revenue, and then they look into
security second. And they actually start really looking to security when they start losing money.
So when there is fraud, internal fraud, external attacks, when there is mandatory compliance. So
because of cuts, there's really less investment in security, and also the lack of understanding
of boards and C-level, also the lack of understanding of consequences, there's really
really less investment in security. And security is critical. Just to give you an understanding,
let's just say that you live in a neighborhood, right, that's not secure. You're going to,
you're going to have a dog, you're going to have an alarm system, right, you're going to have fences.
But in terms of, in the business world, people do not look at it like that. They just look and
say, let's make a product that sells, and then we think about security once we have money. But
it shouldn't work that way, because in all these products that are used in the internet,
there is critical information, there is sensitive information that belongs to people, you know.
And so I do agree that there is a little investment in security overall.
Ed, I want to bring you in here, because this is about communication as much as anything.
In my own folksy way, I try to get across this point of we should be doing more.
And mostly, I just think we should be doing a lot more. So I just opened up my eyes, and I
used the hand gestures, and I said, do more, do more, do more. But we need guys like Josue,
obviously, to be a bit more specific than I can be in terms of what we need to be doing and where
we need to be investing. For you, Ed, because you deal with this problem in particular,
how much of a challenge is it to convert the story, the information, the outline that we get
from somebody with expertise like Josue, and then convert it into a message that can influence
decision makers at a more senior level, can persuade them of the need to spend more money
on security? And also, not only is it how difficult is it, but do you share my fear,
it may be getting more and more difficult as time passes?
Yeah, I agree. I think it's too complex. It's definitely a couple things. Technically, I think
it's too complex, just based on everything we're talking about. And, you know, Josue made the point
before about, you know, you could have your firewall completely tuned up the way you want.
And if you don't know what you're doing with your Linux operating system it's running on,
it may not matter. So right off the bat, like the more we talk about software abstraction,
the more we put hardware things into software and abstraction, the more we create these kinds
of problems, right? So that's one thing that immediately came to mind, just as we've been
going through all the different issues that keep coming. And then when you get into trying to
explain this to people that need to invest in the right things, and you've been in that room,
man, you got to read the room, right? If you had to split that pie up, sometimes you'll have,
you may, so again, it's not even just who's in the room, but what ends up being the majority
opinion in the group think of the room, right? When you're selling into an executive layer,
obviously that can happen a lot. And sometimes they might be open-minded to these things and
they might be open-minded because there's a compelling event, right? Some of the
proverbial stuff just hit the fan and someone needs to do something about it. And hey,
congratulations Joe Sway, you're the consultant who's got the next 10 minutes to sell me on
something, right? And it can happen kind of reactively like that. But then you can also
have that audience that's like, I just don't bother me with the details. Or that says,
no, someone told me when I was out playing golf, I need to have this other shiny thing.
Go do that. Go meet this guy. Someone scratched my back. And then someone like Joe Sway's put
in a position where they have to use a technology or a relationship that maybe isn't the best answer
for reasons that have nothing to do with the problem you're going to solve. And I think that
those things take this complicated problem and make it ever more complicated to try to solve,
right? And I think we're moving. It's like the boat that's slowly floating away from the dock,
right? And you have to jump to get onto the ferry. That boat's getting a little bit far
from the dock now to make that jump. We're going to get wet. We're definitely
going to get wet. Joe Sway, we're having a bit of a laugh and a joke around before the show even began
because Lee was talking about network slicing as being a solution for this robo-taxi problem.
The taxi's not operating as they should in San Francisco. I'd be keen to have your view here.
Is this another example of racing ahead where we're going to deliver something, we're going to
make something that people want? And the reality is just way, way behind in terms of we're making
these promises about what we can sell and no one's buying it and we don't supply it.
Well, at the moment, I would say it's too early to really talk about network slashing. There are
a few operators that are implementing it, so we still have a long way. Of course, as soon as that
matures, that's going to work very well, to be honest with you. It's really going to work well,
but there is a long way. We need to mature. We need to deploy it correctly. And remember,
network slashes are part of the 3GPP standards for 5G, which are not entirely complete, right?
I think we are on release 17 and we are now working on release 18. So that will take time,
but a slice with a dedicated QoS, that will solve a lot of problems. That has to do,
for example, with latency in terms of cars that are connected to the internet.
And also, we do not have to forget, you need security because if someone does denial of
service towards those cars, you don't have internet connectivity anymore, right? So
there's a lot of things that we have to look into. We cannot just say, okay, we give you these
EVs that are connected to specific slides and it's really fast. There's low latency and there's
a big bandwidth that you can really operate with. But then if someone does a denial of service,
it's gone. So we really need to sit together between people who are selling things and
security people and those who operate the whole mobile network and discuss things and be more
open about it when we are selling stuff. But slices are going to be good.
I love your positivity about that particular topic. But let me ask you a cheeky question,
which is kind of half serious, half comical, okay? Supposing Lee Scargall with his billions
and billions in cryptocurrencies and NFT tokens. I know he spent money on NFT tokens. He might have
lost some money on cryptocurrency, okay? So maybe I'm already making you a target here, Lee,
for all the hackers is going to go after you now. But in a hypothetical future,
he's taking his robo-taxi across town, his flying robo-taxi across town, okay?
Is it not the case that when we talked about these teenage SIM swappers earlier,
the amount of money that a teenage SIM swapper, not I, I would not do it, but the amount of money
that a teenage SIM swapper might give to somebody like you with irrelevant skills to say, Josue,
I don't want that taxi landing where it's supposed to do. Take that taxi and land it over here on
this remote airstrip because I won't be getting that Scargall, okay? Is it not the case that we're
just not actually competing with, we're not able to compete with the criminals to some extent,
and that we're not just that the skills that we need are rare, but they're also not sufficiently
well rewarded because our focus is always on keeping the costs low. And yet we're already
seeing what happens when you keep the costs low. It means that the criminals, the bad actors,
they can afford to pay more than the business is paying to the people. Are we not building up
a scenario here where people like Lee need to start worrying that his RoboTax is going to get
hijacked or whatever? Because if you have that detailed knowledge of the network, and you pointed
out yourself when you were answering all the questions, you've got to have logs, you've got
to know who's using the firewall because what if they switch things off? What if they change the
settings? Is there a real serious danger that people like you, people doing this kind of work,
they're simply not being paid well enough, and they'll become targets because their skills are
so valuable. Rich people like Lee, hijack him, take over his network. Oh, am I painting a ridiculous
dystopian future that we don't need to worry about? Actually, in the cyber criminal world,
those guys actually get more paid than people like us who are actually sitting on the other side,
you know, and actually get better toys than us. Because in cybercrime, there's a lot of money,
if you go look into the statistics of how much countries are losing cybercrime, I think I forgot
how much South Africa was losing, I think it was a lot of money back then when I was in South Africa,
you know, so they actually get a lot of money, the people on the other side, you know, we call
that the dark side of the moon, you know, they really get a lot of money and they have better
tools. We've seen also this type of attacks, you know, in signaling firewall, there is new type of
attacks, there is new things that they're combining, you know, to really bypass firewalls.
So, they have more time to really put in R&D, you know, they have dedicated people,
they know well the game, you know, they have an hybrid team, they know which team exactly where
they're going to touch, you know, they automate the tools, they're really well equipped, you know,
compared to us, because we still going to the C level and try to convince them of things that
some of them don't even want to listen to, or some of them don't really care as much, you know,
until someone intercepts their call. So, you are correct, you know, you are correct.
We should pay you more, the world should pay people like you more, Josue, that's a fact,
and also I'm totally happy with my old car, I will never drive a connected car, I want to have
the most oldest technology possible so no one can hack it. We've totally overrun on time, Josue,
but that was a fascinating interview. I really appreciate your insights today. Apologies to
people who had questions for Josue I didn't read out. Thank you, Josue, for being on today's show,
it's been a pleasure to have you on today. Okay, thank you very much.
Thank you, Josue. Oh gosh, I'm sorry to keep picking on you, but you are the richest member
of the team, so you are the obvious target out of the three of us. Don't pick on me, I've got
no money. Ed's doing all right, but don't pick on me, whatever you do. Go for Lee, he's the guy
who's got all the wealth. We're out of time. Apologies, everybody, for my silliness as well.
Thank you for everyone who's watched. Ed, Lee and I will be back next Wednesday, September the 13th.
The theme of next week's show is the reduction of telemarketing spam in Brazil. Now, Brazilians
receive more spam calls than any other nationality, so representatives of Anatel, the Brazilian
commerce regulator, will be on the show to talk about the innovations they're using to weed out
the bad telemarketers and bring the number of calls under control. Those individuals are Gustavo
Borges, Superintendent of Control of Regulatory Obligations at Anatel, and Sami Benakoush,
Manager of Control of Regulatory Obligations at Anatel. So we look forward to seeing you then.
Tune in live to ask questions at 4 p.m. UK, 11 a.m. U.S. East, 12 noon Brasilia, or 8.30 p.m.
India. Or save me reading out all the time zones by saving the show to your diary by clicking the
link at the Communications Risk Show webpage. Or better still, subscribe to our broadcast schedule
and have every show added to your diary automatically in the right time zone for you.
Thanks again to today's guest, Josué Martins. Thanks to my co-presenters,
my long-suffering co-presenters, Ed Finegold and Lee Scargall. And we must never forget to say
thanks to our hard-working producers too, James Greenley and Matthew Carter. You've been watching
episode three of the second season of the Communications Risk Show. I'm Eric Priezkalns.
Visit the Communications Risk Show website,, to replay recordings from all
our previous shows. Keep visiting for the latest news and opinion about risks in the
comms industry. And be sure to use the free resources of the Risk and Assurance Group,
including their comprehensive leakage and fraud catalogues, which can be downloaded from the Thanks for watching, we'll see you next Wednesday.