It is highly recommended that every network operator protects their security by having a signaling firewall, but some still suffer from lots of gaps in their defences. We discuss the reasons why comms providers fail to get comprehensive protection from their signaling firewalls with network security blogger Josué Martins, currently of Accenture and previously with Unitel and Samsung.
Topical news about disruptive network failures and about a string of prosecutions for teenage SIM-swapping hackers also received the scrutiny of our three regular presenters: industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.
Hi, I'm Eric Priezkalns, and this is The Communications Risk Show. Every Wednesday, we chat with experts about the risks faced by comms providers and their customers. Shows are streamed live, so you can also join the conversation, submitting questions and observations as we go along. And boy, we have great conversations on this show. You should have been listening to what we were saying just before the show started today. I'm loving it already. But we do love your input, so feel free, get those fingers working, type away at the keyboard directly beneath the streaming window on our website at tv.commsrisk.com. You'd think I'd know the URL by now. We also stream live to LinkedIn, so feel free to share your comments over there. A member of the team will pass your comments along. I'll try to read out as many of your comments and observations as time allows. Today's special guest who'll be joining us later on is Josué Martins. Josué is a tech security blogger who currently works for Accenture and has previously worked at Unitel and Samsung. We'll be talking to Josué about signaling firewalls and why they don't always work as well as they should. But first, let's bring on our regular co-presenters. Discussing recent industry news, I'm going to be joined by Ed Finegold from Chicago and Lee Scargall, who's currently in Bahrain. Ed, Lee, everybody knows who you are now, so let's just skip past the big introductions where I talk about how you're respected authors and worked in telcos all around the world. Everyone knows that already. Let's get straight into the nitty gritty, the things that were getting us worked up before we even started streaming today. Network resilience, reliance upon networks, things going wrong when networks are not available.
Now, as you pointed out a couple of weeks ago, around 50,000 students at the University of Michigan were told to work from home or use their mobile phones last week because staff had shut the school's network connections down in response to what they called a significant cyber security concern on the eve of New Year. And also recently, we've had some very attention-grabbing news from San Francisco. They've got these fleets of self-driving taxis in that city now, and one of those fleets of taxis caused an enormous traffic jam in the middle of town when all those vehicles suddenly stopped moving. Gregster56, using X, formerly known as Twitter, shared a video to illustrate the impact upon downtown San Francisco. So, Producer James, you would show us the video now, please. So, I mean, everything comes to a halt because all these cars have stopped right in the middle of the road. They're not moving. They're meant to be autonomous. They're meant to be able to drive people around San Francisco without any problem. They stopped right in the middle of the road. And the hilarious thing here is that not only did the cars stop driving themselves, there's meant to be human operators in Cruise's office. They were all part of the Cruise fleet of robo-taxis, meant to be human operators to restart these things, get these things going again when they do stop. Couldn't get through to them because network load, network congestion, and a nearby music festival was taking up all the load, so the operators couldn't get through to get these cars going again. So, my point here, whether it's transport or education, hospitals, smart meters for energy, digital currencies, we're increasingly dependent upon networks for every aspect of life. And at the same time, maybe the money's running out for rolling out things like 5G networks. So, let's get straight into the heart of the matter, Ed. I really want your take on this to begin with.
Are institutions like universities and hospitals, should we be pressuring them to be a lot more resilient in their approach before they start racing away and putting too much on networks? Are we setting ourselves up for a failure, a bit like the city council in San Francisco set themselves up for a failure by letting these cars on the street, and then suddenly the streets are all standstill because they're all blocking the roads? Yeah, I wonder how far are we going to let it go? How far are we going to let the experimentation with new tech go into the realm of life and death, physical life and death types of scenarios? How far do we let that go? And so, the answer to your question, obviously, is yes, with institutions, hospitals. Two things that jumped out at me about these stories that were mind-boggling. One was, and forgive me, University of Michigan, which I am a graduate of the University of Michigan, I love U of M, go blue, but the story jumped out at me as being nuts because when they had to shut down the network for whatever reason they had, read more about it, and I'm not sure that they've told the whole story, but they encouraged students and faculty to use external communications networks and cellular networks and what have you. And what struck me was how much time has been spent on implementing multi-factor authentication on these campuses and training people about phishing and all of these other things, and something goes wrong. And it's like, you know what, we're just going to shut our network down and then use whatever you can and forget about all that stuff that we taught you. So, that part of the story is what stuns me, and it's not unique by any means to the University of Michigan. I've seen those stories in other places before. So, that was the one. On the other hand, with the taxis, I mean, there were too many things that jumped out at me on that one. I mean, other than the obvious. 
Thank God they just stopped and didn't start driving around like mad and crashing into storefronts or what have you, which I think people in San Francisco maybe are doing more frequently now than they were before, as I understand it. But regardless, the part of the story that jumped out at me was that it was the congestion of the mobile network, and we talked about this before the show, because of a nearby festival. So, you've had a peak event, not an unscheduled one, a scheduled like beyond peak event that demanded enough data that no one put into the plan that maybe that was going to shut down the taxis by accident. And you want to give people the benefit of the doubt and say, well, it's new. Well, it's new, and you're asking people to put their lives at risk getting in the cars. And you also say, well, it's new. Well, it's new, except we've been talking about these use cases for probably a decade. Anyone that's in the service assurance business has been talking about these kinds of use cases around these like, you know, superstar use cases for 5G, like autonomous cars. So, none of this should be a surprise to anyone, which the last thing I'll say is this puts that whole story into the realm of what I call Plaxico Burress territory. And I may have talked about this on the show before, but Plaxico Burress was an American footballer who famously ended his career more or less by shooting himself in the leg. And he shot himself in the leg because he was at a nightclub at 2.30 in the morning, carrying a pistol that didn't have a trigger guard in the waistband of his sweatpants. And if you think about like the six or seven awful decisions that you have to make to put yourself in the position where you destroy a $10 million a year sports career by shooting yourself in the leg, that's Plaxico Burress territory. And so, I felt like the taxis were similar.
It was just this collection of no-nos that ended up, thank God, like we said, in just the cars stopping as opposed to going haywire or doing something that really would have put people in danger. I hope it's a lesson. Well, yeah, I will come back straight away on that one because I think it reflects about how we think about risk and prejudice when we think about risk and we don't think things through. You could still kill a person by having a car stopped in the middle of the street, blocking the street, because now you have a situation where if an ambulance needs to get through to that street to somebody, it can't get through. You can't, it's not like a situation where you could just wheel the car. I mean, is it possible to put it into neutral and push it? I mean, has that even been thought through? Even if it was thought through, do people know that they could do that if they needed to? I would assume that the robo taxi firm doesn't want people putting their car in the neutral and rolling it off somewhere off to one side. But these are the kinds of things where there are more than one way. And of course, when we talk about life and death things, people start to pay attention. But you could still horribly affect someone's life in all sorts of ways that aren't life and death scenarios. You make it impossible for them to access their bank account when their bank account is now tied to network connectivity. You damage their education. You tell somebody, oh, it's okay. You can't use this university network now. Why don't you go down to Starbucks and go down there? And as a result, their data gets compromised. Who becomes liable? So Lee, I mean, I was gobsmacked that you were saying before the show, I've got to share this with the viewers. You were saying that you were flying around in flying robo taxis in the Middle East, Lee. And I'm saying to you, don't do it, Lee. You're too precious to us. Don't be flying around in a robo taxi.
It's bad enough, the ones that are on the ground. Well, I haven't actually been in a robo taxi, a helicopter one that is. But if you actually go online, Ooredoo, one of my former employers in Qatar, they actually have them and you can see them flying around there. Now, I don't know if these are in commercial service, but yeah, when you see an example of what goes on at Cruise, I'd be worried if I was working at Ooredoo as a risk manager. Well, the thing for me is also, I think it sends the wrong message about, I mean, look, wow, tech, it's amazing. It doesn't send to me a message that you're being responsible. If you're just immediately rushing things out as quickly as possible. I mean, part of you were telling me about those flying taxis in Qatar is that it's promoting 5G connectivity. Well, it seems to me that that is a really daft way to promote 5G connectivity because a flying device, a flying vehicle that you can ride to somewhere else can by definition fly outside of 5G network coverage. Well, what good is the 5G network coverage to you at that point in time? It can't be in any way dependent upon 5G network coverage and be safe at the same time. So why is this like a sensible way to even advertise 5G or flight? It seems to be sending the wrong message that we just don't care about. We don't think about things like safety because anybody stops for two minutes and thinks about this can go, this doesn't seem safe to me. Surely this is the wrong message we're sending to people. Well, I'd kind of hope that the designers have kind of factored in if it does run out of 5G coverage, then it probably reverts back to satellite connectivity. Right. But anyway, I'll just leave you this as my final comment. It's actually still safer by the way to travel by air than it is by road. Well, maybe on a big plane with a proper pilot. I'm not so sure with the RoboCopter.
I mean, because look, France, Vietnam, we've had these big stories, Lee, criminals driving IMSI catchers around cities. I'm not so sure we're wanting to be flying around in a flying RoboTaxi, which is dropping down from 5G to 2G because it's lost connectivity. Someone's sending an SMS message to the taxi to reboot it when it starts to go a bit haywire. And then some guy's driving around at ground level blocking the signal because these are real things. I mean, we seem to be putting more and more and more risk on top of networks. And to be serious for a moment here, Lee, are telcos starting to become a bit foolish with the extent to which they may be held liable for things like a car being in the way, even if it's not an accident, devices not working as they're supposed to. The more that things get networked, surely there's increased liability for telcos here. And we're not talking and thinking about that in terms of risk management. Yeah, you're right. I mean, we mentioned this last week. If it's connected to the internet, then it can certainly get hacked. And as you're seeing, there's this kind of this explosion of IoT devices. A lot of them now are going into cars. Some are going into helicopters, and the danger is that if you hack these, you could actually weaponize them. And this is very serious when it comes down to the liability aspect of it. And I don't think telcos are thinking this through because we talk about things like, say, network slicing, which is a bit of a myth, doesn't really occur in present. But the idea is, oh, great, I'll just sell them the slice. They'll be able to run some fancy business off the top of it. Yeah, but are you not now responsible in some way if that business fails, if something goes wrong with that business, a drone crashes and something? I mean, should telcos be looking at things like insurance to solve this problem?
Or should they just be a bit more wary about putting themselves in a situation where they're going to get sued at some point or another? Surely somebody in the USA, Ed, is going to be making a fat load of money in the very near future because they're going to be suing a telco and not, forgive me for saying so, some dodgy startup business which has bought the network connectivity from the telco but has no resources. So they're not the ones who are going to get sued when something goes wrong. Yeah, I'm actually surprised that more of the tort lawyers here in Chicago haven't wanted to give me a call to talk about all the ways that there's new business for them in the digital world. It's because of your point that there's so many new uses and then dangers that are created, that there's going to be all kinds of holes poked in that and all kinds of lawsuits and new law that's going to only be reactively made the hard way, especially in the US. And what it reminded me of was a little bit as you were talking through this was, remember when they made cars without seatbelts? And why are there seatbelt laws now? Well, there was a lot of blood spilled to get there, basically. I mean, it's sad to say, but that's true. That's reactively how things tend to happen. And I think that's a little bit of what we're talking about here with the technology and not just the liabilities of it, right? We're talking about the actual physical dangers as well. And those two things are associated because it's the understanding the physical dangers and the dangers that you may or may not be creating by, like you said, blocking a road, that that's the thing that's going to get you from a liability perspective. And I don't think anyone's going to think through all those in advance and come up with a safe way to deal with it. There's going to be a lot of messiness and a lot of lawsuits to get there. And here's the last thing though, Eric, real quick. 
The right answer is somewhere between like those 5G taxis stopped on the road and Theranos, like in terms of the where the liability lands and how far you can push the this is hype and it doesn't deliver and it creates danger, right? All the way up through it. No, it's just a flat out con, but it was a con that was allowed to take blood from people and provide services to them before it was called that as a con or anyone got busted, right? So there were casualties. So I know who I would put the burden on here, actually. It would be Lee, because Lee is the risk manager for the telco. The risk manager manages the risk of the telco. So Lee, I'd be turning to you and be saying, look, if this company is selling this product to this business, this network slice over here, that network slice over there, the onus has got to be on the telco to know its customer and to understand the risks and the liabilities when it takes on new customers. Is this not more work for you? Yeah, absolutely, Eric. And I think I mentioned earlier that if I was one of the risk managers for Ooredoo, then I'd probably be a little bit concerned about this to make sure that the service that we actually provide and they sign up to that it's being delivered, right? Because if you fail, such as in this case, now, I don't know if Cruise actually had a slice of the network or whether they were just using the public mobile network, then there's obviously liability here and that needs to be followed up. So yes, you're absolutely right, Eric, as a risk manager in a telco, I think you're going to be busy over the next couple of years. So there's going to be some fights between you and salespeople. Salespeople are racing ahead to sell this exciting 5G network slices and you saying, hold the horses, we may not want to be selling these network slices to some of these people. Yeah, also as well, it comes back to the service assurance as well.
It's just to make sure that what they have actually bought and signed up to is actually delivered as well. So I think there's, it's not just us, there'll be others involved in this as well. Okay. Well, thank you for your insights, guys. Now it's time for one of our sponsored features, the Symmetry Prism Fact of the Week. Each week we share an interesting fact supplied by the Prism Fraud Intelligence Team at Symmetry Solutions. Now you wouldn't think it's strange to rent a house or a car, but what about the renting of a GSM VoIP gateway? Should that be allowed or is it as daft an idea as renting out guns and knives? Symmetry's Prism Intelligence Gathering Team has been monitoring the businesses which rent out GSM VoIP gateways and other tools that could be used to make scam calls in bulk. Such services appear to profit from crime without actually breaking the law. The supplier incurs the capital costs associated with owning the gear, whilst the criminals then rent the gear and start making money from the crime without needing to invest significant sums in equipment first. If you're wondering whether there are legitimate reasons to rent out technology of this type, then you should take a look at some of the rental schemes as they're advertised online with promises of imitating the movements of human users, IVR detection modules, and time slots to activate SIM cards to reduce the risk of cards being blocked. Those are the types of technologies that only make sense if the goal is to avoid the anti-fraud controls implemented by comms providers. So if you want advice about the controls your business needs to protect itself from criminal tech like this, turn to Symmetry Solutions and their Prism Fraud Intelligence Team. Their URL? SymmetrySolutions.co.uk. And now for some more topical chat. There have been so many stories about this. I know we've talked about this before on the show.
I know Lee says that it's girls as much as boys, but he's the one who's wrong in this case. There is no equality in this topic because it's always boys. Young men and boys, SIM swaps, hacking, two-factor authentication. And apologies to everybody who's been following these stories, but there have been so many cases that have been coming to court recently. It's worth recapping. A couple of weeks ago, two boys, one now aged 18, the other 17, found guilty in a British court of belonging to the Lapsus$ Hacking Collective. Amongst their crimes were the hacking of British telcos BT and EE, leading to the theft of at least $100,000 in cryptocurrency from five customers whose phone accounts were compromised. They haven't been sentenced yet. Obviously, it's expected it will be a lengthy sentence for them. Three weeks ago, Anthony Faulk, sentenced by a judge in California to three years in prison and had about $20 million worth of assets forfeited after he agreed a plea deal, admitting he started using SIM swaps as a stepping stone to raiding cryptocurrency accounts soon after he turned 20 years old. In June of this year, British SIM swapper Joseph O'Connor, aka PlugwalkJoe, given a five-year prison sentence by a judge in New York. This kid, a scouser from Liverpool, arrested in Spain in 2021, but eventually extradited and pled guilty to using SIM swaps to steal from a cryptocurrency business and to take control of prominent social media accounts, as well as swatting a teenage girl who rebuffed his online advances. He again began his criminal exploits as he entered his 20s. And in February of this year, 24-year-old Amir Hossein Golshan, subject of an FBI criminal complaint alleging he used SIM swaps to take control of the accounts of female social media influencers, so he could sexually harass them and extort money from them.
And going back to last year, we don't have to go back to October of last year, when 20-year-old Ellis Pinsky agreed to a civil judgment to pay $22 million to a cryptocurrency entrepreneur called Michael Terpin, who had lost $24 million following a SIM swap on his phone service. That took place when Pinsky was still only 15 years old. It's because of his young age and willingness to cooperate that law enforcement decided not to push for incarceration, that he was taken to court for a civil case by Michael Terpin. I could go on and on and on, and it's the same pattern every time. Boys, young men, teenagers, early 20s, they are entering a criminal underworld focused on SIM swaps, bribing telco staff, targeting cryptocurrency investors. To begin with, we're dealing with unpacking the seriousness of the topic and what we as an industry and what the rest of society should be doing about this. Let's begin with you, Lee, and security advice. Is it time that we should start not just disagreeing but rubbishing the security experts who say two-factor authentication using SMS and voice is a desirable security enhancement to protect people's bank accounts and other important online services they use? Well, I mean, it's correct for them to say we need two-factor authentication, but using SMS is just really bad guidance, right? We've discussed this on the show many, many times now, Eric, that it just isn't safe. There's so many vulnerabilities ranging from SIM swaps or using social engineering to divulge the OTPs, and then you've got the intercepting SMS messages through SS7, right? So the list goes on, right? We've also spoken about voice biometrics, and this is a real worry for me. I actually think voice biometrics is less secure nowadays, especially with things like voice cloning apps, right? But no security expert who's worth his salt should be advising to use SMS as two-factor authentication. I 100% agree with you.
I'm absolutely gobsmacked still that people talk as if we should just be leapfrogging over this redundant old approach of doing two-factor authentication. We shouldn't even be thinking about implementing it because if you implement it, it's going to take some time before you replace it with something better. And yet, we're talking about teenagers, kids. Ed, I want to bring you in here on this one, though, slightly different point. Obviously, this is a big issue for the telecoms industry because everybody points the finger back at the telcos. Michael Terpin, he tried to get over $200 million out of AT&T as redress for having his account SIM swapped. Now, if you look at what these kids are doing, they're offering bribes to low-paid telco employees. Pinsky, the 15-year-old, well, he started as a 15-year-old who recently started with Terpin. He said that he would find that 1 in 10 of the people who worked for telcos that he approached were willing to take bribes from him. That's how he amassed this enormous wealth. And his secret, his unique power in the hacking world was that he had been very clever about going around social media and gathering a huge database of people who work at telcos because they would tweet about it or leave some comments somewhere referring to the telco that employed them. So, he would just build up the contacts, build up the contacts, and approach them. So, we know that this is not a problem that can be solved purely with technology because how do you stop a problem with technology that comes down to you have low-paid employees and you bribe them? Are we focusing in the wrong place with telcos? Should we not be focusing instead on the millionaires who are being stolen from because they've got cryptocurrency accounts and don't seem to be securing them apart from using two-factor authentication?
Should the law, should police, should our focus be instead to say appropriate controls where it's needed rather than try to do everything around controls around SIM swaps? Yeah, I mean, it's the whole system, right? I mean, I think if I came back to like first principles of cyber security, let's say that at least as they have been, you know, told to me or preached to me by various people, anything that's only looking at one dimension is necessarily vulnerable, right? So, I think you need to look at each of the dimensions of this which probably also includes like the sociological part which we're not going to go off the rails and get into now, right? And we talked a little bit about that last week, but obviously there's an aspect of this that's just too darn easy. It's too easy and there's too much inertia around, like we've just been saying, around using something like SMS. And any time I've had a conversation about, you know, well, why are, if it's been deprecated, right, by various security authorities, why do we keep using it? And it's, well, it's inertia, it's everybody wants to, it's all these kind of shrug your shoulders types of answers. And so, I think my point in that though, Eric, is that it comes back to I think the only way that you end up getting change is if you have a compelling event that mandates some kind of change in it, right? Because there's already, you know, an official government level recommendation not to do this. It's been ignored for I think almost eight years now, right? So, if you really want to take action on it, yeah, it probably requires some kind of legislation, regulation, and something with teeth to make it happen, right? And like in the form of liability, like you're talking about, that daisy-chains these things together. And that's, I don't know, I'm going to keep rambling about this otherwise, so I hope you'll cut me off soon.
No, look, I mean, we covered this last season where it was Malaysia, I believe it was, that had basically the central bank had dictated that you can no longer use SMS for two-factor authentication for transactions on the bank account. Is that not really the point? There's nothing wrong. I mean, two-factor authentication for SMS for something trivial, well, it's trivial. I mean, it may be sufficient. Maybe we don't need much more sophisticated protection for some things. Although a lot of these kids started out by just wanting to get cool handles, user account names for video games. That's how they actually began. This is what people like Pinsky have said is that they didn't start out with the intention of becoming millionaires. They just wanted to have a really cool username when they played a video game. So they worked out how to steal the username for the video game. And the same technique can be applied to stealing millions and millions of dollars from a cryptocurrency investor. So it's not the point here that people like Michael Terpin, instead of suing the telco hand over fist for the money he's lost, shouldn't a guy like that should be saying to himself, why am I so dependent upon this very trivial, very easily corrupted control when I've got $24 million in a cryptocurrency account that I don't want stolen? And when it comes to the lawmakers, should they not be the ones saying to the banks, to the cryptocurrency businesses, you need to impose tougher restrictions because it makes no sense to impose a tough restriction on everyone. And then we're in like this open period, right? I'm sorry. Go ahead. No, no, sorry. I mean, I know we can monopolize the debate. So I want to bring Lee in here. And he's probably wealthier than the two of us. So he might be arguing on the side of the cryptocurrency billionaires.
You know, with all your wealth and riches, do you not think that the burden should be on rich people like you, Lee, to protect your assets rather than making it difficult for a single mother who loses her phone? She needs a replacement SIM. Why should she be the one who has to pay the price in terms of much more restrictive, difficult procedures to get a replacement? I mean, because this is the real, the reality is that we tend to talk about SIM swap crime as if we just put more and more controls in SIM swap, because a lot of people just lose their phone. And if you make the controls harder for the criminals, you make it harder for ordinary people too. It's not people like you, Lee, with all your wealth and riches that should be doing more to protect yourselves. I don't know who you're talking to, Eric, but I'm certainly not wealthy the last time you saw me anyway. But listen, to go back to your question, when you were talking about cryptocurrency owners, right, and in particular, this case, this guy, he had huge amounts of crypto. I mean, the first thing which came to me is who on earth leaves that amount of cryptocurrency in an online wallet, right? Surely you would like take that into cold storage, or you'd take it offline, right? I mean, that's a lot more safer for you to do that, right? So that was the first thing which came to me. But you're right, I think it should be more demanding from these cryptocurrency owners to start putting more pressure on these companies that run the wallets, right, to increase the security around it. And is it not fair that legislation, rather than putting more burden on the telcos, in order to protect the cryptocurrency business or the banking industry, put more pressure on the banking industry and the cryptocurrency businesses to take the pressure off the telcos? They're the ones who generate the profit from having these huge online wallets. That's it. That's it right there, Eric. Yes, it is that relationship right there.
And it's that seam that keeps getting attacked, right? It's the telcos selling SMS and banks using SMS for this purpose that we're talking to. That is a huge part of the problem. It is not the only part of the SIM swap problem. We can do a whole show on non-bank fraud SIM swap problems that get into digital identity. But I totally agree with you. It is that seam that is the problem right now. Okay. So viewers of the show probably realize that we have a bit of a problem with our gender ratio, because we all identify as men, currently the three presenters on this show. But can we as three men also know, I know Lee, you've disagreed with this in the past, but can we as three men admit that this is uniquely a problem with men? That there is boys and men, and we need to be looking at addressing what young men, the messages they get online, what they're taught in schools. Lee, you're a father of kids. Is it not long overdue that we now start taking a lot more seriously the extent to which we educate, especially men, about avoiding the temptation of cyber crime? Yeah, without a doubt, Eric, you know, the majority of this crime is actually committed by young men, right? But as I keep pointing out, right, it's not just young men who hack. Women do it as well, right? I actually had a look at the speaker list at the DEF CON event last month, actually. And I would say about 10% of the speakers there were all women. And that you actually look at the hacking groups in China, you've got the all girls security team over there. And that actually consists of 3000 female hackers, right? So the point I'm trying to get to here is, don't be lulled into a false sense of security, right? If a lady comes to the office, and she wants to connect a laptop to the LAN, right, to show you a latest presentation, don't be fooled in thinking, well, she doesn't fit the profile of a young hacker, right? So she's not going to do any harm.
The point I'm trying to get across here is, you know, hacking, it all comes in all shapes and sizes, right? So you just need to keep that in mind. Come on! Who's taking the bribes too, guys? Who's taking the bribes though, too, Eric? So I don't disagree with you, Eric, in terms of like, when you look at the data, and you quantify the data in terms of the reporting that we've seen, that the stories are overwhelmingly young males, right? Which interestingly aligns with, you know, bank robbery in the Old West as well. Overwhelmingly young males, right? There's some kind of parallel there. Well, it aligns with crime statistics in general. However, those men commit crime. Here's the other side of this crime though, right? Which would be interesting to look at is the bribes part. Who's taking the bribes? Is that all men? Is that men and women? And I think that's, you know, the other side of this, we shouldn't forget either, that there are many various parties that are involved in these crimes. And though the person who's doing the hacking, and may even be the orchestrator of the different pieces could be a young, you know, a young man, and it may be young men that have created the market, so that people working in contact centers that have access to SIM swaps are like, hey, there's a way to make money here on the side. There's a side hustle that's built into this, right? Maybe they've created that market, but who are the people that are taking the bribes? They're at fault, right? Those are people who are employees of telcos or they're contractors, right? They're criminals too. And I bet there are all sorts of different people. You'll identify them by the new car in the parking lot. I'm devastated by the way this conversation is going, because it turns out I'm the one who's most anti the patriarchy. The three of us, and I would never have thought that would be the case. This is clearly a problem with men in society. And you two guys, I mean, I hear where you're going. 
I hear what you're saying here, but should we not be focusing on frightening the pants off young men and saying, you could end up like Plugwalk Joe. It doesn't matter if you go to Spain, they're going to get you and they're going to put you in prison for five years. And it's actually not an argument to be made here, that the real danger is that because juvenile crime, the way crime works, organized crime works, that juveniles are attracted to this thing. We know they're attracted to this, and there's a temptation to be lenient, to be lenient towards young people. Oh, because they're young, they don't understand, they'll reform later on. One of these lads, the one who can be named in this case that just been found guilty just two weeks ago in the UK, so the Crown Court, one of these lads, he was already out on bail, staying in a hotel room selected for him by the authorities because his name was out there and other criminals wanted to get him. Okay. The condition of his bail was that he doesn't go online and then guess what? They catch him with a fire stick that could be used to plug into the TV set in his hotel room, but it's actually being used to commit more crime. And where did he get this fire stick from? Well, it's on a hotel, on a big retail estate. Well, it's not going to take too much effort for that lad, who's got millions of dollars of cryptocurrency and a track record of committing crime and bribery, it's not going to take much ingenuity for him to walk out of his hotel room, walk across the street into a store and buy a $40 fire stick so he can get internet access again. Are we not being incredibly naive here about the extent to which if we don't frighten these people with very, very serious penalties, not only will the kids keep on doing it, but older criminals, organised criminals will lure them, will want them to do it because of the belief they won't get serious hard time. 
Is it not time now for serious hard penalties, Lee, for these boys, even if they are very young when they get into these things? I'm not so sure penalties are the right way to go. I think more about educating at the right level. I've got two boys, one 12, the other one eight. And it frightens me that they're coming into this age now, where they know about hacking, right? They're exposed to it. It's glamorised. It's on TikTok. They see it. Yeah. And they think it's cool. And it's not just they think it's cool. Kids across the world think it's cool. And there was actually a, there was a survey done in China, which they were saying hackers there, they're deemed as rock stars. They have rock star status, right? So it's a big issue. And I think, but I think it comes from education. You're too soft. Ed, do you agree with me? We need to bang these kids up, stick them behind bars. Do you agree with me? Yeah. Yeah. I think it's right. I would actually take both bookends. I mean, I obviously, I think, you know, as a parent, especially when you educate your kids, and my probably my, my daughters probably have gotten more lectures on protecting their digital identities than they're ever going to want to in their lifetime and could spit half of it back at you. But no, I agree with you that I think the, the expectation shouldn't be that you're going to stop these crimes, because you're not going to stop young men from wanting to commit exciting crimes that get them money so they can go get girls and fancy cars, right? Like, that's always, I think, you know, just be a human thing. And then at least in the paradigm as our society exists, you know, materialistically today, right? If you want to go offline. All right. I just don't think you're going to make that go away. But I think you have to take the crime seriously. No, but the crime should be taken much more seriously. Much more seriously. Yeah. I think we could go on and on. 
We're running over in terms of time, but I really enjoyed the conversation. Now it's time for another one of our sponsored features. Each week, Geoffrey Ross of Core Authentication, Fraud Prevention and Geolocation Specialists, OneRoute, takes us on a tour of the world in our phone. This week, we're going to take a trip to France. Producer James, roll VT. Hey, everyone from OneRoute. I'm Geoffrey Ross, and this is the world in your phone. Parlons de la France. Let's talk about France. With this world famous cuisine, picturesque villages, sweeping vineyards, and influential culture, there's no wonder France is one of the most popular destinations in the world. But did you know that in early 2023, Orange Group and Vodafone Group announced to build an open RAN with RAN sharing in rural parts of European countries? This marks the first time that the French and British telecom giants have agreed to share open RAN networks in Europe. The first commercial sites to be deployed are planned to start in a rural area of Romania. And by working together, this will reduce the cost of hardware, minimize fuel consumption, and the need for duplicate sites, all while eradicating zero cover spots for both networks. It'll be interesting to see what other industry collaborations will come about in the future. Some other interesting facts that I've found is France shares its borders with eight other countries and is the largest country in the EU by land mass. It is approximately four times the size of the UK and yet still slightly smaller than Texas. France produces more than 1,600 different kinds of cheese. It is estimated that 25,000 tons of snails are eaten in France each year, and putting a baguette upside down is considered to be unlucky, all while it was also technically illegal for women to wear trousers until 2013 when the old law was finally abolished. 
Be sure to subscribe to OneRoute on YouTube where you can catch up on the world in your phone and watch the OneRoute Roundup, the show that spotlights individuals and companies making a positive difference in the telecom industry. One more fun fact about France, it is illegal to throw out or burn perfectly edible food in France. Eric, back to you and more of this great Communications Risk Show. Cheers. Thanks, Geoffrey. I've always appreciated your tours of the world. I look forward to where we're going next week. Now, let's welcome today's guest. Josué Martins is a security blogger who regularly writes about networks and their fallibilities at josue-martins.medium.com. He joins us today from Cologne in Germany where he works for Accenture. Previously, he's been the telecom security team lead at Angolan operator Unitel and he's also been a mobile security engineer for Samsung. Hello, Josué. Thank you for joining us today. We've been really looking forward to having this conversation with you. I'm a big admirer of your writing at your website. And let's get straight into this topic where you really have some very pertinent insights we don't often hear other people talking about. Key question here we've covered in previous episodes, but you're going to help us set the scene. Why should telcos, network operators, have a signaling firewall, Josué? Well, in my point of view, I think that they should have a signaling firewall for multiple reasons. One of the first reasons is to do actually with protecting mobile subscribers, right? And others to actually protect the infrastructure. And I can give some examples around that. So, if there is no signaling firewall in a mobile operator, subscribers are vulnerable to a lot of attacks. For example, fraud, interception of the traffic. Let's just say someone can intercept your call. Someone can then intercept your SMS as you explain account takeover for your banking. 
So someone can then do an authorized transfer and people can track your location. For example, let's just say that you're a VIP client for a mobile operator, you're quite rich and people want to break into your house, they can definitely use the absence of a signaling firewall to actually track you and attack you. And in my point of view, I also think that regulators actually should enforce that signaling firewall must be mandatory for mobile operators to really prevent the type of fraud and attacks that you just explained in the previous conversation with everyone. Such as account takeover via SMS interception. Well, great, great observations there, Josué. Straightaway question here from one of the viewers, which I want to jump in with here immediately. This viewer, anonymous viewer says, notice that some operators now using both a firewall and an intrusion detection subsystem, abbreviated as IDS. The question is, why would you use both? What do you think of the added value of an intrusion detection subsystem compared with a firewall? So actually in telecommunications, right, the firewall and signaling firewall are different from IP firewall. So it's somewhat irrelevant to use an IDS for signaling because if you use an IDS, the fraud already happened. So you're really not protecting the subscriber, just being reactive. And then actually the subscriber can sue you, for example, if someone loses the money because someone intercepted SMS, they actually can sue you. If someone intercepts the call between the person and their wife, they can actually sue you, for example. And this kind of attacks were very common in Africa, where a lot of politicians' calls were intercepted via SS7. So there's no point of having an IDS. You actually need to have blocking instead of actually monitoring the traffic because an IDS just alerts, it doesn't block, just generates alerts. I see. Okay. So that's a really important distinction there. 
But would you recommend that you would need, is it better to have both? Is it advantageous? It's much better to have a signaling firewall on a blocking mode, not actually just generating alert. It must block actually all the category that GSMA recommends. And that's actually a very technical stuff that I shouldn't discuss, but the idea is that there should be a firewall that blocks all the attacks related to call interception, SMS interception, location, and alerts is not something that we recommend. And I don't think also regulators should actually tell mobile operators to put the firewalls, or maybe have an IDS for signaling related attack. This doesn't solve the problem. This actually, it makes no sense. Technically, it makes no sense. Okay. Well, this is why we have you on the show because I'm not a technical person. This is why we need your technical insights, Josué, to help me understand. Now, one thing I do know that I'm not a technical person, obviously there's different signaling protocols, SS7, Diameter, the two most obvious examples. Does this mean that not every firewall protects against every kind of signaling intrusion? Does this then lead to some vulnerabilities if you've got a firewall for one, but not for the other? So it depends on your deployment, right? So in a signaling firewall, you have different protocols and each protocol is actually protected by a module. So for example, if you have 2G to 5G, there's no roaming for 5G because the signaling attacks actually come via roaming, which is actually attacks from external networks, right? So let's just focus on 2G and 4G. So let's just say that you have modules that prevents attack for 2G and 3G, but not 4G, then someone actually can commit like billing fraud. For example, I can start a 4G connectivity from Germany, pretending to be Eric, and then you receive a bill from your operator. So what makes sense is to actually have different modules, right, to cover everything. 
So you have different modules to cover 2G, 3G, and 4G. In that case, you're going to be covered from all the external attacks. As soon as you have 5G, it's also essential that you actually deploy a signaling module for the 5G roaming, but that's in the near future, of course. Yeah, okay, learning a lot here. Is it easy to set up, I mean, with the modern firewall, is it easy to set up the rules for what exactly will be allowed through the firewall and what will be stopped by the firewall? To be quite honest, the rules are not easy to set up. It actually depends on the firewall and also depends on the person using the firewall. The issue with telecommunication security is that, as a niche field, not a lot of people have a hybrid knowledge of pure telco, IT, and how attacks work. So you really need to think like a hacker. If you're sitting behind a signaling firewall, or even any firewall in this case, you need to think like a hacker. Not every firewall administrator actually thinks like a hacker. They get a training to look after firewall, but they're not thinking like someone who wants to break into the company. So if you want to protect a bank, let's just say you're a security guard, and you want to protect the National Bank of the United States, you need to think like someone that wants to break into the bank. You don't need to think like a guard. If you think like a guard, you're actually going to be defeated. So it's really complex to create those rules because you need to have a deep understanding of telecommunications, you need to understand the protocols, you need to understand which messages are needed, for example, to extract someone's location, because you can extract someone's location based on the country level, and based also on GPS coordinates, like 200 meters from where the person is. So you really need to have a deep understanding of which messages should be blocked and how they should be blocked. 
And then you also should know which message shouldn't be blocked, because there are messages you must block that you cannot block, which are needed. If they're going to a specific subscriber, they should be whitelisted. And then there are messages that really shouldn't be allowed at all, especially messages that we kind of call Category 1 messages. Those are messages that you should never see between roaming partners. And a lot of those messages are actually used to track people. And it's really efficient. It tells you where you're sitting. If someone would kind of conduct this attack towards your MSISDN, Eric, they would know where you're sitting, and they would know where is your house. You got me worried here. I want to bring in Lee, because I'm going to start picking on him again here to try and calm me down here. Lee, as somebody who looks after risk for telcos, do you see this problem that Josué is picking up on here that we may sometimes lack the multi-skilled individuals who cross across, who can cover across boundaries, and therefore link together work that needs to be done? How does this get tackled? Does it get tackled adequately by telcos, this problem of being able to have these multiple perspectives on the technology and the risks that the company faces? Yeah, I think there's two separate questions there. The first one is, I mean, it relates back to what we were just talking about earlier. There was, I think, a lot of telcos companies, they actually have signaling firewalls in place, but it actually comes down to the implementation of that signaling firewall. I think the way it gets implemented, there's gaps, and if you can think like a hacker, there's ways around that. I think it has to be implemented correctly, and you also have to have that checked and tested by a hacking team just to see if they can reveal any kind of vulnerabilities or exploits there. 
The other thing, the other question you kind of raised there is, you know, if you look at the landscape, the technology landscape, it's getting very technical and complex in some areas, and I mean, when you look at it is, when you put a telco together, there's IT, there's networks, there's all kinds of stuff which has to come together, and it's having somebody with that skill set and ability to kind of sit on top of that and to kind of think, well, okay, have you thought about this? How does this work? You can't work in silos, right? You have to have somebody who kind of sees across that, and I think this is where the role in particular of the enterprise risk team comes in. Yeah, it has to roll its sleeves up every now and again, and it has to understand the technicalities of how these systems are implemented. Yeah, but they don't like to do it, do they? They don't like to do it because it's hard. That's my experience. You know, you take people outside of their comfort zone when you start talking. That's partly why we discuss these topics on the show, is that we know it's hard. We know it's difficult for people to get, so even if they get a basic grasp, at least then they're aware of the extent to which they need to get out of their comfort zone, but people prefer to just do a traffic light report and a risk register, and it's somebody else's problem. This is why I'm asking about the difficulty of getting the people that you need in your organisation, Lee. It is. It's very hard to find. I mean, the thing is, you should never be, you don't have to be an expert. You know, if you're in the risk team, you don't have to be an expert in signalling firewalls, right, but you need to at least understand from a high level, okay, we need to have a security team come in and check this, yeah, and then you need to understand the results. Okay, what does this vulnerability mean? What do we have to do, right? 
So, yeah, you don't have to be an expert, but you have to understand how these pieces of the jigsaw puzzle all fit together if you're working in the risk team. A few questions coming in, Joseph, but I'm just going to stick on this topic with you for just a moment because I'm keen to get your point of view too. You've got a very interesting CV, varied CV, which means that you're in a very strong position to talk about this multiplicity of skills that someone needs to talk with authority to deal with this problem. Now, I don't know about you, but I get people asking me questions every now and then, pretty regular basis, about training, education, progressing their career. If somebody came up to you, Joseph, and said, I want to become good at being able to manage these kinds of firewalls too, what advice would you give them? What's the correct way in order to progress your career to get these kinds of skills so then can be deployed and used in telcos to protect them? Well, to work in telecom security, you need to have a hybrid CV. That means for you to understand telecommunication, you need to really understand the 3GPP specification. That needs to become your Bible. You need to know that by heart, which are a lot of documents. The other part, you need to understand IT. You need to understand networks. If you can do some training, some certification on networks, I'm not going to mention any company. There are a lot of them. Then, you can do also some certifications in IT security, for example, like ethical hacking, and then also some defensive. If you look into the IT part, the IT part is going to help you to take care of the firewall itself because the firewall is a server. Then, you'll open your mindset in terms of attacks because if you're doing an attack, for example, like phishing someone, you get the credential, but then you use telco to get the two-part notification by SMS. 
As soon as you get a deep understanding of IT and then also understand how the 3GPP specifications are, you read it, and you really understand how the telco flows work, that will facilitate you to really enter in this field. However, it's a field that you're not going to learn things in less than five years. You really need to be dedicated, and experience makes a difference, in my point of view. I think you're 100% right there. I think the danger is that the individual might be dedicated, but the employer might not be dedicated. The employer might not be helping the individual to develop, and they might not always be doing a good job of retaining the individual, even if they've got a professional. That's important, isn't it? In terms of what we've been talking about so far, we talked about the difficulty of setting things up, and the skills need to set things up, but there's presumably also a need to maintain the rule sets as well. Do they need to change over time? Well, for example, like Felice said, you would need a company to do now and then security pen testing towards your signaling links to make sure that the rule sets are working well, that there is no new attacks such as bypass that are bypassing your firewalls. The rule set will change. As soon as you acquire a company to do a pen test towards your network, they'll send a bunch of SS7 messages, and so on, and other protocols. Then you will notice that this message actually passed through your firewall. There's leakage of sensitive information. Then you need to look into that traffic and really understand why is it being bypassed, why is your firewall being bypassed, and then you need to change your rule set. Now, as I said, it's really important for you to understand how the call flow works, how the message are. A tech has also found different ways of actually creating messages that are not according to the specs, and they still work in telecommunication devices. 
That's why I say if you have a mindset of a hacker, you can actually do things that bypass the existing firewalls. You're giving me... I'm just glad I don't have to have responsibility for this anymore, Josue, because I'm getting more and more nervous just thinking about all the burdens here. Now, we talked about the firewall, but of course, the firewall runs on some kind of operating system at some level. Can the operating system also come under attack by hackers? Yes, most definitely. Signaling firewalls are actually firewalls that run on top of Linux operating system. Most of them, I would not mention Linux flavors, but there's many Linux flavors, so they actually run on Linux operating system. And then if you're not patching those operating system accordingly, then your firewall is also vulnerable. And it's actually very hard for you to patch those firewalls, because the firewalls actually sit in the service network, so in this case, they're sitting behind the PE router. So in that security zone, where the firewall stands, you don't really want to expose to the internet, because there'll be a problem. So actually, patching firewalls are very difficult. I mean, the operating system of the firewalls, they're very difficult. If you patch it without testing correctly in the lab of the vendor, for example, that can break the firewall application. That'll be another problem. So the firewall itself, since it is a Linux server, it needs to be secure correctly. It needs to have the appropriate rules in terms of Linux, for example, in terms of IP table rules, you need to have the appropriate rules in there. You don't need to expose services that are not needed. You need to really lock down that firewall and really expose the minimum services needed to the administrator that are doing management services on the firewall. Well, I have to say, lots of comments coming in here, Josue. 
So I'm going to break into the conversation just to share a few of them, so we don't fall too far behind. Edna says, you're very smart. Arivelto says, knowledge from different domains, telco, security, IT, is needed to decide what's secure. Otherwise, you'll end up relying upon, as you've said, lots and lots of default alerts will be the case. So somebody else agreeing with you there. A particular question here that I don't understand, but I'll let you field it. What do you think about the different filtering rules defined by the GSMA's FS11-1920 standards? Are they sufficient? Well, actually, the FS11 and FS1920, they're actually standards from GSMA that actually kind of explain how the rule set should be for FS11-1920, right? They are good, but however, there are bypasses, and those documents are always being updated by GSMA as soon as someone finds a bypass. For example, there was a bypass recently, right? And then GSMA actually, because I'm also part of GSMA, so GSMA actually reunites the people, people submit those bypasses to GSMA, and then we all update those standards. I would say those rules that are in these standards must be implemented by default. As soon as you have a firewall deployed, your network, right? You deploy those rules, put your firewall in monitoring mode for around one month just to remove the false positives, and after that, you put in blocking mode. So those rules in those standards are necessary. I would say that should be mandatory because they cover a lot of items, but however, attackers are coming up with new attacks, and these new attacks, we are finding them as an industry because we are quite big, we talk, we exchange ideas, and we're also sending these to GSMA, and GSMA is updating the documents. 
So I would say those rules are relevant, and I also recommend the operator that they really should follow GSMA standards, and they should join GSMA to really get the latest information and also get more knowledge from different experts in those groups, because there's a lot of magnificent people with a lot of knowledge. Now I think I should be sending an invoice to the GSMA for the great advert that you gave to them, but I won't get too jealous about the advert you gave to them. Now, keep things simple for people like me, Josue, because I don't understand too much this clever technical stuff that you talk about. One of the things that I think about, and this is touching on what Liu said earlier on, is I may not know the detail of how things work, but one thing I do need to understand is where in the organisation should responsibility lie? So when we talk about who's responsible for maintaining a signalling firewall, is that the network operations team that should be doing that, or should there be a specific part of a security team that has hands-on responsibility for maintaining, managing the signalling firewall? Well, in my point of view, I think it's better to be in a security team, especially from those security team that has employees with a hybrid background of telecommunication security and IT security. As I said, you have a Linux box, and in that Linux box, you have the firewall application, so you need to patch everything from the top. So since the firewall actually stays in the service network, and in front of that firewall, you have an IP firewall, that means you already have one security firewall, right? So that belongs to the security team, and then you want to have that signalling firewall also behind that firewall, and also with the same team, because that team is also responsible for patch management, they have the vulnerability scanner so that they can scan the firewall. 
For example, if they're using, I would just say like OpenVAS, they will have OpenVAS, because I don't want to mention any vendors. They will have OpenVAS, which is open source, they'll be able to scan the firewall and patch it accordingly. Now, if you move the firewall to the operations team, let's say talk operations team, they don't have a deep knowledge of the underlying layer of that firewall when it comes to operating system. They do not know what is happening there, right? They know the code flows of telecommunications, they know the standards, but they do not know how to harden a Linux box. For example, they do not know what the CIS benchmark expects you to actually apply in those Linux box. So in my point of view, and that's also a recommendation for many people in the field, I think it should be in the hands of security people, because the issue is that operators are looking into the firewall as a telco known, it's not an STP, it's somehow different, it has a different purpose. And that purpose is actually to prevent security attacks, and this should be the security people. You make a very convincing argument, I'd be persuaded if I was working with you, Joseph. We've talked a lot about setting up, maintaining the firewall. Again, help me out, I'm not an expert on these things. How skilled the staff need to be just to understand the output from the firewall? I'm thinking here about whatever reports are generated by the firewall. I'm not even clear on the frequency of these reports and whether they need to be looked at. Do you need highly skilled people looking at output from the firewall in order to ensure the firewall is working correctly and fulfilling its purpose? Well, yes, you need actually experienced people to look into the firewall errors. For example, based on my experience, and experience of other people, and other people talk to me, there could be some false positives on firewall. 
So how do you spot false positives if you don't know how the firewall works, what is wrong? We don't know if there is a wrong parameter. So you need to have really experience with telecommunications. You need to know what are those messages to really spot what is wrong with the firewall and improve the rule sets. And then, yeah, that's more or less what I have to say. Yeah. Okay. That's interesting. We talk about a firewall as if it's a standalone piece of technology. How much does a firewall need to interact with other systems in order to do its job in this case? Can the interaction lead to any weaknesses, vulnerabilities that a hacker might exploit? Yeah, the solution firewall system is actually viewed as a standalone system, right? Because it has different modules, right, for different generation of mobile networks. But however, it must talk to another systems, for example, like an HLR, which is a database that sits in the network, which is like a core node. It also must talk to a NHSS, because this firewall needs to get some information regarding the subscriber, where they are, their location. So it needs to talk to a different system. And if you have a firewall that doesn't have all the modules, for example, you can have a single firewall that is, they're just looking to S7 in diameter, it's not looking for GTP. I also recommend that this firewall should talk to another firewall. However, they also should talk to fraud management systems. For example, I gave an example that someone could start a blog session with your EMSI, you know, and start the data section, for example, you're from Germany, and then you are built, you know, and if you connect actually the firewall, if we share databases or information from the firewall to a fraud management system, actually the fraud system in the security assurance, you know, people that work with that actually can correlate those events. So it's really important for you to connect the firewall with other systems. 
And the other critical system is actually a SIEM, which is a security event management system. So let's just say that you have an insider threat, right? Let's just say that someone has bribed someone in your operator that works with the firewall for them to turn off the rules. You want to ingest those logs from the firewall and send it to the SIEM because the people in the SOC can see, okay, Josué Martins has just turned off the firewall at midnight, but for which reason? Why did he turn off the firewall? So it is important that you really connect the firewall with other systems because you want to monitor the things that are happening in the firewall from all levels. You know, we should not isolate the information that is in there because it's a very critical system. As I said, if we have politicians, if we have businessmen, you know, really, dial subscriber, everyone wants to intercept your call. If there is a public tender for a big bridge somewhere, someone wants to intercept the call, you know, so it's really an important system. I see. That's a great insight. So again, now there's been a lot of recent news about denial of service attacks on networks. How easy is it? Is it an issue that a signaling firewall could in a way be overwhelmed if it's not scaled correctly in order to cope with the load that occurs when there's a denial of service attack? Could this be also a point of vulnerability that then you overload the network, you overload the signaling firewall, and then the risks you were trying to mitigate against, they return? Well, there's two types of signaling denial of service. For example, there's a denial of service towards a subscriber, can be done with using one message, the firewall block completely, and then you can have signaling storms that can happen because of misconfiguration, or maybe some attacker just decided to send a lot of traffic, you know. 
So if you have signaling storms, if you have provisioned your firewall correctly, you know, they just say that, you know, you're getting this much of transaction per second, you know, and then you kind of provision for 50% of it, right? And then you'll be able to definitely handle that signaling storm. But however, as I said, you know, everything has limitations. So if you provision your firewall correctly, you'll be able to stop those signaling storms. However, this depends on deployment. There are deployments that you have the signaling firewall in front of the STP. So that means if there is a signaling storm, the firewall in front of the STP takes all that load. If the signaling firewall is parallel to the STP or behind the STP, then the STP is the one that takes all the signaling storm. And the STP, you really find good STPs, right, that are really strong, and they can really kind of hold on to a lot of signaling storm. They can take the first hit, and then add the traffic that is really needed, you know, for roaming, then they'll send it to the firewall. So it really depends on the firewall and your deployment and how you provision your infrastructure in your mobile network. You've done a fantastic job of summarizing very succinctly a lot of the big risks here that need to be tackled with signaling firewalls and the risk and sense of what can go wrong with signaling firewalls. Are there some other big risks that I've forgotten to mention, or we've not included in the conversation so far, that you'd like to draw to our audience's attention? Well, I think we covered actually the most important risk. I just think what should be done also to improve the signaling firewall is to make sure that when there is alerts on the firewall, kind of reporting the type of attacks should be more or less human type of attacks. For example, use a term like voice interception, SMS interception, because let's just say that I'm working for Lee, right? 
And then I'll go to Lee and I say, Lee, okay, there is this SS7 message, and we're getting a thousand of SS7 messages. And then he looks at it and say, but this means nothing to me. So you need to use some business terminology or C-level terminology that really makes sense for people like Lee. And then they can say, yes, we don't invest more into telco security because right now, if you look at signaling firewalls, they really just tell you, okay, this SS7 message came from this particular operator, particular network, and then that's it. And this makes no sense in terms of business. So we really need to bridge the gap between technical terms in telco security and business. We need to make telco security more appealing to C-level and to those who are in management level so that they can understand what is the importance of signaling firewall. I think you're right, but I'm going to bring Lee back in here as well. And by the way, you'd have to make it a lot simpler if you were talking to me, because I'm sure Lee would be pretty good at this kind of stuff. But for me, you'd have to keep it very simple. But Lee, is there not a potential here, a risk here that actually people at the C-level especially, and maybe even more board level, they quite like the jargon. They quite like not understanding things, because if they don't understand something, they feel that they don't have to be held liable for it. They're not responsible if it goes wrong. It's the security guy's job to sort it out, or maybe it's your job to sort it out, and they don't want it communicated in terms they understand. Is that a danger, Lee? Yeah. I mean, there's talk about having somebody on the board now who actually understands or is qualified in cybersecurity to some extent, just so they actually understand the ramifications of this. I read something yesterday. I think it was an article which came up on my LinkedIn feed, and it was quite worrying actually. 
And it was talking about security is going to be one of the areas which gets targeted in the future for cost savings, because obviously things are being squeezed at the moment. And when I read things like that, I just think, man, what are you doing? You know, okay, you might save a million here or there, but it's going to cost you tens of millions if something happens. It's just something you cannot cut the budget on. Well, that links to a comment we've got here from one viewer that I've been saving for you, Josué. Let's open it up so I have all the presenters as well in this conversation as I mentioned this comment here. The question asking for you, Josué, is to actually reflect upon what we were talking about earlier, the University of Michigan network being hacked, the robo-taxis going offline. Do you, Josué, feel as though there may be underinvestment in security, resilience of networks relating to the things that we were talking about earlier? Is that something that you perceive that there is increasing risk? A bit like Lee is now suggesting as well with possible cuts on the horizon. Yes, to be honest with you, when people look into security, right, when people look into security as a whole, they don't look at it as a priority. Actually, people look first into make functional devices or functional networks, right, or functional products, something that generates revenue, and then they look into security second. And they actually start really looking to security when they start losing money. So when there is fraud, internal fraud, external attacks, when there is mandatory compliance. So because of cuts, there's really less investment in security, and also the lack of understanding of boards and C-level, also the lack of understanding of consequences, there's really really less investment in security. And security is critical. Just to give you an understanding, let's just say that you live in a neighborhood, right, that's not secure. 
You're going to, you're going to have a dog, you're going to have an alarm system, right, you're going to have fences. But in terms of, in the business world, people do not look at it like that. They just look and say, let's make a product that sells, and then we think about security once we have money. But it shouldn't work that way, because in all these products that are used in the internet, there is critical information, there is sensitive information that belongs to people, you know. And so I do agree that there is a little investment in security overall. Ed, I want to bring you in here, because this is about communication as much as anything. In my own folksy way, I try to get across this point of we should be doing more. And mostly, I just think we should be doing a lot more. So I just opened up my eyes, and I used the hand gestures, and I said, do more, do more, do more. But we need guys like Josué, obviously, to be a bit more specific than I can be in terms of what we need to be doing and where we need to be investing. For you, Ed, because you deal with this problem in particular, how much of a challenge is it to convert the story, the information, the outline that we get from somebody with expertise like Josué, and then convert it into a message that can influence decision makers at a more senior level, can persuade them of the need to spend more money on security? And also, not only is it how difficult is it, but do you share my fear, it may be getting more and more difficult as time passes? Yeah, I agree. I think it's too complex. It's definitely a couple things. Technically, I think it's too complex, just based on everything we're talking about. And, you know, Josué made the point before about, you know, you could have your firewall completely tuned up the way you want. And if you don't know what you're doing with your Linux operating system it's running on, it may not matter. 
So right off the bat, like the more we talk about software abstraction, the more we put hardware things into software and abstraction, the more we create these kinds of problems, right? So that's one thing that immediately came to mind, just as we've been going through all the different issues that keep coming. And then when you get into trying to explain this to people that need to invest in the right things, and you've been in that room, man, you got to read the room, right? If you had to split that pie up, sometimes you'll have, you may, so again, it's not even just who's in the room, but what ends up being the majority opinion in the group think of the room, right? When you're selling into an executive layer, obviously that can happen a lot. And sometimes they might be open-minded to these things and they might be open-minded because there's a compelling event, right? Some of the proverbial stuff just hit the fan and someone needs to do something about it. And hey, congratulations Josué, you're the consultant who's got the next 10 minutes to sell me on something, right? And it can happen kind of reactively like that. But then you can also have that audience that's like, I just don't bother me with the details. Or that says, no, someone told me when I was out playing golf, I need to have this other shiny thing. Go do that. Go meet this guy. Someone scratched my back. And then someone like Josué's put in a position where they have to use a technology or a relationship that maybe isn't the best answer for reasons that have nothing to do with the problem you're going to solve. And I think that those things take this complicated problem and make it ever more complicated to try to solve, right? And I think we're moving. It's like the boat that's slowly floating away from the dock, right? And you have to jump to get onto the ferry. That boat's getting a little bit far from the dock now to make that jump. We're going to get wet. We're definitely going to get wet. 
Josué, we're having a bit of a laugh and a joke around before the show even began because Lee was talking about network slicing as being a solution for this robo-taxi problem. The taxis not operating as they should in San Francisco. I'd be keen to have your view here. Is this another example of racing ahead where we're going to deliver something, we're going to make something that people want? And the reality is just way, way behind in terms of we're making these promises about what we can sell and no one's buying it and we don't supply it. Well, at the moment, I would say it's too early to really talk about network slicing. There are a few operators that are implementing it, so we still have a long way. Of course, as soon as that matures, that's going to work very well, to be honest with you. It's really going to work well, but there is a long way. We need to mature. We need to deploy it correctly. And remember, network slices are part of the 3GPP standards for 5G, which are not entirely complete, right? I think we are on release 17 and we are now working on release 18. So that will take time, but a slice with a dedicated QoS, that will solve a lot of problems. That has to do, for example, with latency in terms of cars that are connected to the internet. And also, we do not have to forget, you need security because if someone does denial of service towards those cars, you don't have internet connectivity anymore, right? So there's a lot of things that we have to look into. We cannot just say, okay, we give you these EVs that are connected to specific slices and it's really fast. There's low latency and there's a big bandwidth that you can really operate with. But then if someone does a denial of service, it's gone. So we really need to sit together between people who are selling things and security people and those who operate the whole mobile network and discuss things and be more open about it when we are selling stuff. But slices are going to be good. 
I love your positivity about that particular topic. But let me ask you a cheeky question, which is kind of half serious, half comical, okay? Supposing Lee Scargall with his billions and billions in cryptocurrencies and NFT tokens. I know he spent money on NFT tokens. He might have lost some money on cryptocurrency, okay? So maybe I'm already making you a target here, Lee, for all the hackers is going to go after you now. But in a hypothetical future, he's taking his robo-taxi across town, his flying robo-taxi across town, okay? Is it not the case that when we talked about these teenage SIM swappers earlier, the amount of money that a teenage SIM swapper, not I, I would not do it, but the amount of money that a teenage SIM swapper might give to somebody like you with relevant skills to say, Josué, I don't want that taxi landing where it's supposed to do. Take that taxi and land it over here on this remote airstrip because I won't be getting that Scargall, okay? Is it not the case that we're just not actually competing with, we're not able to compete with the criminals to some extent, and that we're not just that the skills that we need are rare, but they're also not sufficiently well rewarded because our focus is always on keeping the costs low. And yet we're already seeing what happens when you keep the costs low. It means that the criminals, the bad actors, they can afford to pay more than the business is paying to the people. Are we not building up a scenario here where people like Lee need to start worrying that his robo-taxi is going to get hijacked or whatever? Because if you have that detailed knowledge of the network, and you pointed out yourself when you were answering all the questions, you've got to have logs, you've got to know who's using the firewall because what if they switch things off? What if they change the settings? 
Is there a real serious danger that people like you, people doing this kind of work, they're simply not being paid well enough, and they'll become targets because their skills are so valuable. Rich people like Lee, hijack him, take over his network. Oh, am I painting a ridiculous dystopian future that we don't need to worry about? Actually, in the cyber criminal world, those guys actually get more paid than people like us who are actually sitting on the other side, you know, and actually get better toys than us. Because in cybercrime, there's a lot of money, if you go look into the statistics of how much countries are losing cybercrime, I think I forgot how much South Africa was losing, I think it was a lot of money back then when I was in South Africa, you know, so they actually get a lot of money, the people on the other side, you know, we call that the dark side of the moon, you know, they really get a lot of money and they have better tools. We've seen also this type of attacks, you know, in signaling firewall, there is new type of attacks, there is new things that they're combining, you know, to really bypass firewalls. So, they have more time to really put in R&D, you know, they have dedicated people, they know well the game, you know, they have a hybrid team, they know which team exactly where they're going to touch, you know, they automate the tools, they're really well equipped, you know, compared to us, because we still going to the C level and try to convince them of things that some of them don't even want to listen to, or some of them don't really care as much, you know, until someone intercepts their call. So, you are correct, you know, you are correct. We should pay you more, the world should pay people like you more, Josué, that's a fact, and also I'm totally happy with my old car, I will never drive a connected car, I want to have the most oldest technology possible so no one can hack it. 
We've totally overrun on time, Josué, but that was a fascinating interview. I really appreciate your insights today. Apologies to people who had questions for Josué I didn't read out. Thank you, Josué, for being on today's show, it's been a pleasure to have you on today. Okay, thank you very much. Thank you, Josué. Oh gosh, I'm sorry to keep picking on you, but you are the richest member of the team, so you are the obvious target out of the three of us. Don't pick on me, I've got no money. Ed's doing all right, but don't pick on me, whatever you do. Go for Lee, he's the guy who's got all the wealth. We're out of time. Apologies, everybody, for my silliness as well. Thank you for everyone who's watched. Ed, Lee and I will be back next Wednesday, September the 13th. The theme of next week's show is the reduction of telemarketing spam in Brazil. Now, Brazilians receive more spam calls than any other nationality, so representatives of Anatel, the Brazilian comms regulator, will be on the show to talk about the innovations they're using to weed out the bad telemarketers and bring the number of calls under control. Those individuals are Gustavo Borges, Superintendent of Control of Regulatory Obligations at Anatel, and Sami Benakoush, Manager of Control of Regulatory Obligations at Anatel. So we look forward to seeing you then. Tune in live to ask questions at 4 p.m. UK, 11 a.m. U.S. East, 12 noon Brasilia, or 8.30 p.m. India. Or save me reading out all the time zones by saving the show to your diary by clicking the link at the Communications Risk Show webpage. Or better still, subscribe to our broadcast schedule and have every show added to your diary automatically in the right time zone for you. Thanks again to today's guest, Josué Martins. Thanks to my co-presenters, my long-suffering co-presenters, Ed Finegold and Lee Scargall. And we must never forget to say thanks to our hard-working producers too, James Greenley and Matthew Carter. 
You've been watching episode three of the second season of the Communications Risk Show. I'm Eric Priezkalns. Visit the Communications Risk Show website, tv.commsrisk.com, to replay recordings from all our previous shows. Keep visiting commsrisk.com for the latest news and opinion about risks in the comms industry. And be sure to use the free resources of the Risk and Assurance Group, including their comprehensive leakage and fraud catalogues, which can be downloaded from the riskandassurancegroup.org. Thanks for watching, we'll see you next Wednesday.