In this interview, we spoke with Stefan Ćertić, the CTO of ETalc Technologies, regarding the mobile security industry.
Stefan has spent over 15 years working as CTO and Lead Consultant with some leading mobile companies worldwide.
Table of Contents
Here Are His Responses To Our Questions:
1. Question: You have garnered practical experience in the Mobile and Security industry over the years. How has the journey been so far?
Stefan Ćertić:
At the very beginning, it’s essential to understand the challenges of the Mobile Industry properly. It was a matter of a single decade between the environment in which Mobile Communication was expensive and therefore exclusive to a small group of high-grade individuals who could afford it out of reach for the broad consumer market – only to quickly get us to where we are – everyone carries at least one if not more devices in their pocket.
Huge demand required rapid development, which comes with the price tag of a heavily unregulated market, and as such, making it one of the most significant security concerns. Technology developed way faster than national or international regulators could follow up. Vendors were put into a position to develop solutions overnight and support the business, and these Lucrative businesses emerged on every corner.
By early 2013, initial topology flaws were expensive to address as they required infrastructural changes. Simply put, network protocols were not designed to support several users. SIGTRAN, on one side, managed to cut significant leased links costs of roaming partners by simply tunneling SS7 (STP / SCTP) through regular Internet compared to these old ladies E1/T1 (kids are unlikely to remember).
It was a massive boost for revenue, but we saw an emerging number of cyber-attacks utilizing SRI / PSI / ATI map commands – back in the days exclusive for legitimate government use. And that's what happens when you blind one in to cut the costs and boost the economy.
We were in a situation where we found both Active and Passive IMSI catchers everywhere. I could say it went out of stock globally. Someone needs to speak out loud within the academic and professional community.
Hopefully, I managed to help by publishing that famous 2FA Vulnerabilities research paper and demonstration, as well as remote SIM cloning, leading to intense debate within GSMA back in the day.
Quickly after, a lot of intelligent solutions were incorporated. These Home ocation Registers were not returning IMSI anymore, we witnessed the birth of TMSI. It was a go d sign we started investing in security. With the re ent Diameter implementation, more flaws were addressed. We are far rom being 100% secure, but you know the saying:
“Security is always threated as unnecessary expense till you get a breach. Suddenly everyone is raising question why no-one predicted” – Mobile Security is no exception.
2. Question: In your opinion, how successful has the fight against web vulnerabilities been?
Stefan Ćertić:
You know, it should be treated as a chess game. You need to analyze a few steps ahead before saying EUREKA. Back in 201 , Google announced SSL/TLS encrypted web communication would translate as a positive signal in search engine ranking. In following y ars, the SEO race made us to a point where the majority, 51.8 percent, of websites now use SSL. That’s a co l thing fighting the most widespread attacks through sniffing.
Before you say EUREKA, remember that it was difficult for an average ice cream store owner to think about cryptography. Hence few S aS providers emerged with the proposition “Point your name servers to us and let us do it for you”. I was a warm welcome. Nowadays yo r ISP or “a guy-next-door” can't decode your surfing data or passwords through ethernet or Wifi sniffing.
On the other hand, we have companies serving millions of sites with a single centralized place where these private keys are stored. Did we get or a better or worse? One is for ure; we moved the point of attack. Now you don t need a suspicious WAN in front of your house; everything can be done from the comfort of the office ☺
3. Question: What are the threats associated with exposed personal information?
Stefan Ćertić:
You don’t need to ask me twice, lol – it’s an Analysis of social habits building a fingerprint as accurate as DNA. These two t ings are likely the only ones you can’t change.
You decide to become invisible and prevent anyone from locating you.
You throw away your mobile phone and the sim card and buy a new one or start using the ‘Burner' phone; the same goes for a laptop or any identifiable information. You even change city and state. Totally change the way you look?
And you got found within a day. How, you may ask?
Your habit is to have breakfast at a restaurant at about 9 am, and your new phone goes with you. Do You enjo taking a long walk at the park after your breakfast? Your new ph ne walks with you. Do you like rock music and habitually visit gigs each Friday? Your new ph ne too!
Now give me all the phones that used to connect to a base station in the restaurant, park, rock venue…you name it at the specific time patterns. The number of f matches: 1. Gotha!
We a e living in the era of developed ML algorithms. Private dat exposes you like never before. Remember th TV Series “MacGyver”. Well, just remove the fiction part and there you are.
4. Question: How effective has the government protected citizens’ personally identifiable information?
Stefan Ćertić:
Working with governments on security solutions, protection, and intelligence made me realize how much productivity you can achieve once you strip the ROI out of the equation. The ofauty of working in a “non-profit” environment that can afford top-notch people and technology is nothing but results.
Many technologies developed ten or more years ago in these “smoking-allowed” offices work perfectly today. A good exam le is Asymmetric Elliptic Curve Cryptography. You may kno it from Bitcoins, Cryptocurrencies, and a blockchain. But did you know the same technology globally within your passport booklet chip long before blockchain? The same goes for tons of other technologies.
From the regulatory side, initiatives such as GDPR are nothing but good security practices proven to work well in protecting these very same offices. Same stands with HIPAA or more specialized standards such as FIPS 140-2. Of course, there are also failures in the government sector, but I have a strong impression that everyone realizes there’s no winner in the data acquisition race.
5. Question: Is mobile security essential for smartphone users? If yes, why do you think so?
Stefan Ćertić:
More than ever. The fact that it's always with you makes your smartphone a key to your universe. You use it for communication, social media, financial transactions, and even to start your car.
As such, it’s the primary target and most valuable digital asset. You can’t expect ordinarymon Joe to become a security expert but rather provide a secure environment.
Mobile Security should not be an “Over-the-top” service but a fundamental base. This is why *nix-based smartphones dominate the market. That kernel comes packed with experience dating back from 1960. Funny trivi , it was AT&T Bell Labs who developed one of the first for the mainframe.
6. Question: What are the most effective tips to mitigate cyber threats?
Stefan Ćertić:
Prevention is critical. There is a set of standards published by NIST, and 95% of attacks I saw, result from not following these guidelines or implementing them on a level of formality.
One should take these standards, such as ISO 27001, and understand them as “knowledge transfer” and a set of good practices made by the experience of others so you don’t pay the exact toll.
However, once compromised, the best advice I can give in migration is to threaten the whole system as compromised, regardless of the escalation level. There are tons of funny situations where companies migrate an attack by restoring backups, while in fact, backups are infected in a way that provides security escalation; otherwise, it is not possible. There’s no partial breach in my vocabulary.
7. Question: Do you offer consultancy services for businesses with cybersecurity needs?
Stefan Ćertić:
Please don’t hesitate to get in touch. I have a lot of consultancies. Playing chess with the bad guys has been my driving force for over a decade; it’s not difficult to attract me if you have trouble with one.
Reach Stefan Ćertić through:
- Website: https://www.certic.info
- Twitter: https://twitter.com/cs_networks
- Facebook: https://www.facebook.com/stefancerticofficial
Note: This was initially published in February 2022 but has been updated for freshness and accuracy.
INTERESTING INTERVIEWS
- How To Secure And Protect A Website [We Asked 38 Experts]
- Exclusive Interview with SpyCloud’s CEO and Co-Founder Ted Ross
- Exclusive Interview With Bob Baxley, CTO Of Bastille Networks
- Exclusive Interview With Hugh Taylor, Author Of Digital Downfall
- Exclusive Interview With Mark Stamford, CEO Of OccamSec
- Exclusive Interview With Paul Lipman, CEO Of BullGuard
- Exclusive Interview With Ramil Khantimirov, StormWall’s CEO & Co-founder
- Most Effective Cybersecurity Strategy For A Small Business [We Asked 45+ Experts]
About the Author:
Daniel Segun is the Founder and CEO of SecureBlitz Cybersecurity Media, with a background in Computer Science and Digital Marketing. When not writing, he's probably busy designing graphics or developing websites.
