Tag Archives: Signal

Cybersecurity News for the Week Ending April 30, 2021

Signal Tells Cellebrite to Back Off

Signal is the encrypted message app created by white hat hacker Moxie Marlinspike and his team. Cellebrite is the Israeli company that cracks cells phones for law enforcement. Cellebrite claims to be able to crack Signals messages (it is not clear if they are breaking the crypto or have figured out a way to get Signal to decrypt messages for it). Moxie says that Cellebrite’s software development practices are so bad that he can totally corrupt – subtly – any data that they collect. He proposes a truce which he knows they won’t accept. In the mean time he is planting timebombs in his software so that if Cellebrite looks at his data, well, sorry Celebrite. Credit: Hackread

 

Third Party Risk. Third Party Risk. Third Party Risk.

I can’t say it enough. We hire these vendors and then they get breached. And we get sued. This time it is the California DMV. They use a vendor to verify people’s addresses. Not exactly sure why, but it might make sense to outsource it. The vendor is American Funds Transfer Services (AFTS). AFTS got hit by ransomware and they had 20 month’s worth of data (why?). They said they shut down the network real quick after they figured out they were attacked AND they hired a whole new company to build them a bright, shiny, new, (?more secure?) network. THESE FOLKS JUST LOST THEIR CONTRACT WITH THE DMV AS A RESULT OF THE ATTACK – consider that! Credit: Freightwaves

Feds Delay Real-ID Requirement Again

After terrorists flew planes into the Twin Towers on 9/11 the feds decided that the real problem was that our drivers’ licenses were not secure enough, allowing terrorists to get fake IDs. That was the genesis of the RealID Act in 2005. It requires states to get better identification of people before issuing licenses, including people who already have one, but more importantly to the feds, it gives them access to all 50 states drivers’ license databases. A few states have resisted and the feds have come back and said well, then, you won’t be able to board airplanes or enter federal buildings. That was 2005. Until this week, the deadline to prevent terrorists from getting drivers’ licenses was October 2021. Think about that. If it really was anything other than a big data grab, would waiting 20 years to fix the so-called problem be acceptable? Now, due to Covid, they moved the deadline back to May 2023. While all states finally succumbed to federal pressure, less than half of the drivers’ licenses in circulation have been updated to meet the requirement. Credit: CNN

 

Feds Tell Businesses to Tighten Security in Wake of Russian Attacks

In light of SolarWinds and other attacks, the feds are telling businesses to review any connections between their business networks (IT) and their control networks (OT). OT networks are the networks that control the electrical grid, water, sewer and gas. But they are also used in manufacturing, refining and normal businesses. The feds say, correctly, every connection between your IT network and OT networks increase the attack surface. Credit: Cyberscoop

Babuk Ransomware Group Says Encryption Unnecessary for Extortion

Babuk, one of the big ransomware groups that even had an affiliate program, has figured out where the money is. Encrypting your data has not encouraged enough people to pay the ransom. On the other hand, stealing your data and threatening to publish or sell it is generating good revenue, so they are shifting their business model. No longer are they encrypting your data; they are just stealing it. Of course, this is just one ransomware gang. Credit: Bleeping Computer

Security News for the Week Ending January 15, 2021

US Bulk Energy Providers Must Report Attempted Breaches

The Solar Winds attack, from what little we know about it, was bad enough, but what if it was Russia’s trial run for taking down the power grid like they did in Ukraine or taking out the water supply or gas supply? NERC, the electric utility regulator, released CIP -008-6 which requires relevant bulk power providers to report attempted hacks in addition to successful ones.

All cybersecurity incidents, whether actual compromises or attempts to comprise, have to be reported to the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), now known as National Cybersecurity and Communications Integration Center (NCCIC), as well as the Electricity Information Sharing and Analysis Center (E-ISAC). Unfortunately, the feds have not clearly defined what an attempt is. Credit: CSO Online

Researchers Say Bitcoin Hacks in 2020 Netted $3.78 Billion

In fairness, that is at today’s Bitcoin value, but lets say it is only $2 billion. Does that make you feel better? The most lucrative target was individual Bitcoin wallets, but hackers went after exchanges and apps too. Credit: ZDNet

FAA Changes Rules on Mask Wearing on Airplanes

Up until today, if passengers would not follow flight crew’s instructions to wear masks and were unruly, threatened or intimidated flight crews, the FAA tried to counsel them or hit them with civil fines. Now they have changed the rules and anyone who does that will be charged with interfering with a flight crew, which caries the penalty of up to 20 years in prison and a $35,000 fine. Or both. Ouch. Credit: Vice

Apple Changes Rules That Exempted Themselves from Security Rules

In MacOS 11 Apple created a rule that exempted 53 of its own apps from having to go through the Mac’s firewall. After all, Apple does know best. Apple claimed the exemption was temporary. Why? Because Apple made some changes in MacOS and they didn’t have time to iron out all the bugs in their apps before they shipped the software. That’s comforting. Once 11.2 ships, Apple’s apps will no longer be exempted. Oh, by the way, they forgot to tell their users that they were exempting their buggy apps from the firewall. Because? Don’t know. Probably would not be good PR. Credit: ZDNet

Signal Messaging App Creaking Under The Load

Years ago Facebook bought the privacy oriented messaging app WhatsApp which has become very popular. Last month Facebook created new terms which require users to allow Facebook to mine your WhatsApp data which is sort of unpopular with people who signed up for a privacy oriented app. Under the covers, WhatsApp is really just Signal, Moxie Marlinspike’s privacy oriented messaging app with some lipstick on it. As a result of Facebook’s not understanding that users would be displeased with the change to their terms of service, apparently tens of millions of people are moving from WhatsApp to Signal. Combine that with the shutdown of Parler, and Signal, which is a non-profit, is having trouble managing the load. Last week Elon Musk told his 40+ million followers to use Signal. It is likely that they will get things sorted out but any time a company gets 25-50 million new customers all at once, while it is a good problem, it is a problem. Stay tuned. Credit: The Register

Weekly Security News for the Week Ending December 20, 2019

Retailer LightInTheBox Exposes 1.6 Billion Customer Records

The challenge with today’s big data world is that the breaches are enormous.  LightInTheBox left customer transaction data exposed due to, apparently, a server misconfiguration.   They effectively breached themselves.  The data was a web server log with dates from Aug  9 to Oct 11 of this year.   It appears that there was no payment data in the log files, which is a good thing.  Also, they did not figure it out;  a security researcher told them about it.  1.6 billion records will cause them some pain.  The good news is that this happened before CCPA went into effect.  This time next month and it would have been a much, much more expensive breach.  Source: SC Mag

Facebook, Twitter Disable Sprawling Pro-Trump Disinformation Operation

Facebook and Twitter this week disabled a  global network of hundreds of fake accounts distributing pro-Trump messages which used AI to generate fake photographs to cover its tracks.  The accounts, they say, were associated with two media groups, the BL and Epoch Media.  They said that the accounts were suspended because of their tactics and not because of their content.

Facebook said the BL was linked to hundreds of fake accounts that posted political messages at high frequencies and attempted to direct traffic to their web sites.

On Facebook alone, the disabled network had more than 600 accounts and had purchased $9 million in advertisements.  Twitter deleted 700 accounts.

Some of these activities were linked to the countries of Georgia and Saudi Arabia.

It looks like 2020 election engineering activities have already begun.  Source: WaPo

Business Email Compromise Scams Google and Facebook out of $120 Million

While $120 million to Facebook and Google is kind of like $120 to you and me, still, it is impressive that the hackers were able to present $120 million of fake invoices and fake supporting documents  like contracts.

One of the hackers was caught and made a plea deal for 60 months in jail and fined $26 million.  Source: The Register

While British Politicians Demand Facebook Doesn’t Encrypt Your Messages, They Switch to Signal So Their Messages Can’t Be Read

At the same time that the Brits, Australians and U.S. are demanding that Facebook doesn’t encrypt Messenger messages in a way they can’t read them, they are shifting their own messages from WhatsApp to Signal.  The reason?  They don’t want their messages to be intercepted.  Source: The Register

Credentials Can Now Be Extracted From iPhones

iPhones have a well deserved reputation for being secure, but now the Russian software company Elcomsoft says that they can extract some information from iPhones, even before its first login after power up, the most secure state.

They are using the Checkm8 vulnerability in the boot ROMs of most iPhones before the iPhone 11 that, it appears, will be impossible to fix.  If you have $1,495, you, too, can hack into anyone’s iPhone that you can physically get your hands on.  In theory, they only sell to good guys, but that definition is probably a bit loose.  Based on the price, the cops probably love it as they have complained that encrypted devices stop them from solving crimes.  Source: 9to5Mac

Friday News Bites for May 18, 2018

Signal Does it Right

Matt Green, the well known cryptographer and professor at Johns Hopkins said this about the encrypted messaging app Signal: “After reading the code, I literally discovered a line of drool running down my face.  It’s really nice.”  But even nice code isn’t perfect.  Last Friday, researchers announced very serious bug in Signal’s Windows and Linux implementation and within hours, Signal had it fixed and available for download.  I wish every vendor moved at this speed.  Signal may not auto update, so make sure that you download the new version [1.10.1] (Source: The Hacker News).

Google Gets It RIght – Probably.  Finally.

One of my big complaints about Android is the lack of consistent patching from vendor to vendor.  Some vendors were even caught lying saying that they had patched software that was not patched.  Google has announced that with Android P (version 9), OEMs will be required to release regular patches as part of their license agreement.  Details are not out yet, so stay tuned, but this, if it happens, will close down a major security difference between Android and iOS (Source: The  Hacker News).

Facebook isn’t the Only One Selling Your Data

The big 4 cell carriers – AT&T, Verizon, T-Mobile and Sprint – and others are selling your location data to data aggregators such as LocationSmart, who in turn sell it to companies like Securus, sometimes through distributors.  Securus is the company who put its head in a noose by giving location data of judges and state police officers to a sheriff without a warrant and for reasons unknown.  While this data is likely only accurate to a few hundred yards because it uses cell tower data rather than GPS data, it works perfectly even if you have location tracking turned off.  And, of course, everyone makes money off the deal – the carriers, the aggregators and the distributors.  Sounds like a win for everyone but you and me.  They say that due to what may be sloppy drafting of the Electronic Communications Privacy Act, selling this data may not be illegal.  While the Sheriff who used it should have had a warrant, private companies who buy the data just need to pay for it – no questions asked as to what or why.  (Source: ZDNET).

Securus Attacked By Hackers

Securus (as in Secure Us), the incredibly unsecure company that gave a Missouri sheriff location information on state police and judges (that we can assume he did not like) with no judicial oversight, has been hacked.  We also don’t know if the attacker was somehow thinking that they deserved it.

One example of the data stolen by the hacker and given to Motherboard was a spreadsheet with names, emails, phone numbers, weakly hashed passwords and security questions for over 2,500 law enforcement customers.  Assuming this data makes it to the black market, it could be used as a hit list for cops – who already are being attacked on a daily basis.

We also don’t know what else the attacker took or what he plans to do with it.

Securus, who has a track record of poor security, says they are “investigating it” (Source: Motherboard).

For the Second Time in a Week – Another Critical Signal Bug

Right after I upgraded my copy of Signal for Windows to version 1.10.1 (see the first item in this post), I noticed that it upgraded itself to 1.11.1 .  Yup!  That means that they found another bug – a critical one – that could reveal data and even Windows passwords.

Does this mean that Signal is bad?  Actually not,  Think about the number of patches for Windows that Microsoft has released over the years.  The number is likely in the tens of thousands.  Signal has released 10.  BUT, no software is perfect.  Or invincible.  So upgrade your copy of Signal and don’t assume that Signal is invincible.   It is not.  It is good, but that is different. (Source: The Hacker News).