Tag Archives: Signal

Security News for the Week Ending January 15, 2021

US Bulk Energy Providers Must Report Attempted Breaches

The Solar Winds attack, from what little we know about it, was bad enough, but what if it was Russia’s trial run for taking down the power grid like they did in Ukraine or taking out the water supply or gas supply? NERC, the electric utility regulator, released CIP -008-6 which requires relevant bulk power providers to report attempted hacks in addition to successful ones.

All cybersecurity incidents, whether actual compromises or attempts to comprise, have to be reported to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now known as National Cybersecurity and Communications Integration Center (NCCIC), as well as the Electricity Information Sharing and Analysis Center (E-ISAC). Unfortunately, the feds have not clearly defined what an attempt is. Credit: CSO Online

Researchers Say Bitcoin Hacks in 2020 Netted $3.78 Billion

In fairness, that is at today’s Bitcoin value, but lets say it is only $2 billion. Does that make you feel better? The most lucrative target was individual Bitcoin wallets, but hackers went after exchanges and apps too. Credit: ZDNet

FAA Changes Rules on Mask Wearing on Airplanes

Up until today, if passengers would not follow flight crew’s instructions to wear masks and were unruly, threatened or intimidated flight crews, the FAA tried to counsel them or hit them with civil fines. Now they have changed the rules and anyone who does that will be charged with interfering with a flight crew, which caries the penalty of up to 20 years in prison and a $35,000 fine. Or both. Ouch. Credit: Vice

Apple Changes Rules That Exempted Themselves from Security Rules

In MacOS 11 Apple created a rule that exempted 53 of its own apps from having to go through the Mac’s firewall. After all, Apple does know best. Apple claimed the exemption was temporary. Why? Because Apple made some changes in MacOS and they didn’t have time to iron out all the bugs in their apps before they shipped the software. That’s comforting. Once 11.2 ships, Apple’s apps will no longer be exempted. Oh, by the way, they forgot to tell their users that they were exempting their buggy apps from the firewall. Because? Don’t know. Probably would not be good PR. Credit: ZDNet

Signal Messaging App Creaking Under The Load

Years ago Facebook bought the privacy oriented messaging app WhatsApp which has become very popular. Last month Facebook created new terms which require users to allow Facebook to mine your WhatsApp data which is sort of unpopular with people who signed up for a privacy oriented app. Under the covers, WhatsApp is really just Signal, Moxie Marlinspike’s privacy oriented messaging app with some lipstick on it. As a result of Facebook’s not understanding that users would be displeased with the change to their terms of service, apparently tens of millions of people are moving from WhatsApp to Signal. Combine that with the shutdown of Parler, and Signal, which is a non-profit, is having trouble managing the load. Last week Elon Musk told his 40+ million followers to use Signal. It is likely that they will get things sorted out but any time a company gets 25-50 million new customers all at once, while it is a good problem, it is a problem. Stay tuned. Credit: The Register

Weekly Security News for the Week Ending December 20, 2019

Retailer LightInTheBox Exposes 1.6 Billion Customer Records

The challenge with today’s big data world is that the breaches are enormous.  LightInTheBox left customer transaction data exposed due to, apparently, a server misconfiguration.   They effectively breached themselves.  The data was a web server log with dates from Aug  9 to Oct 11 of this year.   It appears that there was no payment data in the log files, which is a good thing.  Also, they did not figure it out;  a security researcher told them about it.  1.6 billion records will cause them some pain.  The good news is that this happened before CCPA went into effect.  This time next month and it would have been a much, much more expensive breach.  Source: SC Mag

Facebook, Twitter Disable Sprawling Pro-Trump Disinformation Operation

Facebook and Twitter this week disabled a  global network of hundreds of fake accounts distributing pro-Trump messages which used AI to generate fake photographs to cover its tracks.  The accounts, they say, were associated with two media groups, the BL and Epoch Media.  They said that the accounts were suspended because of their tactics and not because of their content.

Facebook said the BL was linked to hundreds of fake accounts that posted political messages at high frequencies and attempted to direct traffic to their web sites.

On Facebook alone, the disabled network had more than 600 accounts and had purchased $9 million in advertisements.  Twitter deleted 700 accounts.

Some of these activities were linked to the countries of Georgia and Saudi Arabia.

It looks like 2020 election engineering activities have already begun.  Source: WaPo

Business Email Compromise Scams Google and Facebook out of $120 Million

While $120 million to Facebook and Google is kind of like $120 to you and me, still, it is impressive that the hackers were able to present $120 million of fake invoices and fake supporting documents  like contracts.

One of the hackers was caught and made a plea deal for 60 months in jail and fined $26 million.  Source: The Register

While British Politicians Demand Facebook Doesn’t Encrypt Your Messages, They Switch to Signal So Their Messages Can’t Be Read

At the same time that the Brits, Australians and U.S. are demanding that Facebook doesn’t encrypt Messenger messages in a way they can’t read them, they are shifting their own messages from WhatsApp to Signal.  The reason?  They don’t want their messages to be intercepted.  Source: The Register

Credentials Can Now Be Extracted From iPhones

iPhones have a well deserved reputation for being secure, but now the Russian software company Elcomsoft says that they can extract some information from iPhones, even before its first login after power up, the most secure state.

They are using the Checkm8 vulnerability in the boot ROMs of most iPhones before the iPhone 11 that, it appears, will be impossible to fix.  If you have $1,495, you, too, can hack into anyone’s iPhone that you can physically get your hands on.  In theory, they only sell to good guys, but that definition is probably a bit loose.  Based on the price, the cops probably love it as they have complained that encrypted devices stop them from solving crimes.  Source: 9to5Mac

Friday News Bites for May 18, 2018

Signal Does it Right

Matt Green, the well known cryptographer and professor at Johns Hopkins said this about the encrypted messaging app Signal: “After reading the code, I literally discovered a line of drool running down my face.  It’s really nice.”  But even nice code isn’t perfect.  Last Friday, researchers announced very serious bug in Signal’s Windows and Linux implementation and within hours, Signal had it fixed and available for download.  I wish every vendor moved at this speed.  Signal may not auto update, so make sure that you download the new version [1.10.1] (Source: The Hacker News).

Google Gets It RIght – Probably.  Finally.

One of my big complaints about Android is the lack of consistent patching from vendor to vendor.  Some vendors were even caught lying saying that they had patched software that was not patched.  Google has announced that with Android P (version 9), OEMs will be required to release regular patches as part of their license agreement.  Details are not out yet, so stay tuned, but this, if it happens, will close down a major security difference between Android and iOS (Source: The  Hacker News).

Facebook isn’t the Only One Selling Your Data

The big 4 cell carriers – AT&T, Verizon, T-Mobile and Sprint – and others are selling your location data to data aggregators such as LocationSmart, who in turn sell it to companies like Securus, sometimes through distributors.  Securus is the company who put its head in a noose by giving location data of judges and state police officers to a sheriff without a warrant and for reasons unknown.  While this data is likely only accurate to a few hundred yards because it uses cell tower data rather than GPS data, it works perfectly even if you have location tracking turned off.  And, of course, everyone makes money off the deal – the carriers, the aggregators and the distributors.  Sounds like a win for everyone but you and me.  They say that due to what may be sloppy drafting of the Electronic Communications Privacy Act, selling this data may not be illegal.  While the Sheriff who used it should have had a warrant, private companies who buy the data just need to pay for it – no questions asked as to what or why.  (Source: ZDNET).

Securus Attacked By Hackers

Securus (as in Secure Us), the incredibly unsecure company that gave a Missouri sheriff location information on state police and judges (that we can assume he did not like) with no judicial oversight, has been hacked.  We also don’t know if the attacker was somehow thinking that they deserved it.

One example of the data stolen by the hacker and given to Motherboard was a spreadsheet with names, emails, phone numbers, weakly hashed passwords and security questions for over 2,500 law enforcement customers.  Assuming this data makes it to the black market, it could be used as a hit list for cops – who already are being attacked on a daily basis.

We also don’t know what else the attacker took or what he plans to do with it.

Securus, who has a track record of poor security, says they are “investigating it” (Source: Motherboard).

For the Second Time in a Week – Another Critical Signal Bug

Right after I upgraded my copy of Signal for Windows to version 1.10.1 (see the first item in this post), I noticed that it upgraded itself to 1.11.1 .  Yup!  That means that they found another bug – a critical one – that could reveal data and even Windows passwords.

Does this mean that Signal is bad?  Actually not,  Think about the number of patches for Windows that Microsoft has released over the years.  The number is likely in the tens of thousands.  Signal has released 10.  BUT, no software is perfect.  Or invincible.  So upgrade your copy of Signal and don’t assume that Signal is invincible.   It is not.  It is good, but that is different. (Source: The Hacker News).