This Week: Can You Count How Many Governments Are Spying On You?

Feds Scurry As China, Russia, Iran, Israel & Others Pwn America's Phone Network.

Are your phone and router cheating on you? (PickPik)

America’s national phone system faces a crisis amid foreign threats. Malicious actors have stolen 390,000 WordPress logins. And a Chinese manufacturer now sits atop 65 percent of the market for the routers that secure and connect U.S. home offices and small businesses to the Internet. This week’s cybersecurity roundup presents a stark picture of U.S. cyber-insecurity and the steps for individual Americans to secure themselves.

The always beleaguered Cybersecurity and Infrastructure Security Agency (CISA) released guidance Wednesday, directing U.S. officials to ditch phone calls and text messages for end-to-end encryption. The move came a day after revelations that China, Russia, Iran, Israel and other state actors have gained access to U.S. telecommunications infrastructure to spy on Americans. An official had told reporters weeks earlier that Washington believes Beijing took “a large number of Americans’ metadata” in a compromise attributed to Beijing’s persistent infrastructure-espionage campaign “Salt Typhoon.”

Security experts believe the various national actors may have compromised Washington’s own backdoors to access the systems. The pilfering, it seems, was not limited to metadata (extrinsic information about calls and text messages such as source and destination numbers, cellular-tower locations, call times and durations). It also included intercepted audio.

The feds’ flight from traditional communications platforms seems particularly hasty given the difficulties likely to arise, e.g., in complying with FOIA requests and retention requirements.

Everyday Americans should strongly consider moving to popular open-source encrypted voice and text-messaging platforms—like Signal—and robust multi-factor authentication that does not use text messages. (Be sure to save recovery keys.)

News also dropped Wednesday that Washington is investigating and might ban Chinese manufacturer TP-Link. Currently, TP-Link produces about 65 percent of the routers that U.S. home offices and small businesses use to secure themselves and connect to the Internet. The Defense Department and NASA also use TP-Link’s products.

TP-Link routers include the one pictured, above (Kskhh, Wikimedia Commons)

Washington’s interest follows an October report by Microsoft that claimed Chinese hackers hijacked thousands of TP-Link routers and used them to attack federal agencies and other Western targets.

Washington has grown increasingly concerned by potential backdoors and other hidden malware in foreign-manufactured products, particularly from China. Its scrutiny of TP-Link follows its ban of Chinese manufacturer Hauwei and its perhaps-ill-fated attempts to force Chinese company ByteDance to cede control of TikTok. (The Supreme Court agreed Wednesday to hear ByteDance’s latest challenge.)

Washington, though, has its own history of domestic telecommunications espionage. It planted backdoors in Juniper firewalls and, along with London, compromised SIM-card security worldwide before the Snowden revelations. (Federal law allows Washington to force domestic companies to plant backdoors and gag them from disclosing their existence.)

To avoid both foreign and domestic snooping, small businesses and households should strongly consider popular open-source routing solutions, such as pfSense and DD-WRT.

Why popular open-source solutions? They provide perhaps the only trustworthy assurance against software backdoors: widely read public source code. An adversary would have to plant its code in plain sight of programmers, where it would likely be discovered.

In other news this week, the state of Nebraska sued Change Healthcare, a UnitedHealth subsidiary, over the recent ransomware compromise of 100 million Americans’ healthcare and other data. The Cornhusker State alleges that the company neglected “to implement basic security protections,” leading to the “historic” breach.

Not to be outdone, Ireland’s Data Protection Commission slapped Facebook’s parent company Meta with a $260-million fine over a breach the company disclosed six years ago. It involved Facebook’s “Happy Birthday Composer.” Attackers used the feature to log into 29 million Facebook accounts, including three million in the E.U. economic zone.

Hundreds of thousands of Rhode Islanders are bracing for potential fallout as the Ocean State decides whether to pay a ransom demand. Hackers raided the state’s H.H.S.-benefits portal earlier this month.

Three U.S. senators excoriated automakers for collecting and selling customer data, including driving habits, while fighting right-to-repair laws.

“It is clear,” Elizabeth Warren, Jeff Merkley and Josh Howley wrote Ford President Jim Farley Jr., “that the motivation behind automotive companies’ avoidance of complying with right-to-repair laws is not due to a concern for consumer security or privacy, but instead a hypocritical, profit-driven reaction.”

While carmakers have been fighting tooth and nail against right-to-repair laws that would require [they] share vehicle data with consumers and independent repairers, they have simultaneously been sharing large amounts of sensitive consumer data with insurance companies and other third parties for profit—often without clear consumer consent. In fact, some car companies use the threat of increased insurance costs to push consumers to opt into safe[-]driving features, and then use those features to collect and sell the user[s’] data.

Displaying all the grace and tact one would expect from a Gambino-family UNICEF drive, perpetual security piñata Microsoft is strongarming customers to ditch their passwords for its passkey solution. Affected users are wise to generate and safely store an account-recovery code.

A firm that sells G.P.S. trackers to suspicious spouses and others exposed I.M.E.I. numbers, names and affiliations through an A.P.I. on its website, according to TechCrunch.

Researchers continued dissecting a long-running scheme to steal credentials and encryption keys and hijack systems for cryptocurrency mining. The scheme’s architect provided what was originally a legitimate WordPress library. Subsequent versions morphed into a trojan horse. At publication time, the scheme had swiped logins for 390,000 WordPress sites.

The attack highlights the need to continue auditing open-source supply chains, especially those unlikely to be widely reviewed.

And two organizations made announcements with an eye to the future.

The Australian Signals Directorate is outpacing its American counterpart, the National Institutes of Standards and Technology (NIST), to secure against quantum key breaking. It released new guidance, calling for “High Assurance Cryptographic Equipment” to retire SHA-256, R.S.A., E.C.D.S.A., E.C.D.H. and other algorithms by 2030, five years earlier than NIST’s goal.

Second, free T.L.S.-certificate-issuer Lets Encrypt announced that next year it will offer “short-lived certificates.” Under the new program, websites may automatically change their private keys every six days to minimize “exposure … during a key[-]compromise event.”

As threats multiply, deepen, spread and persist, the major constants are the insufficiencies of government and private actions to meet them. Increased proactive diligence at all levels remains overdue.

Rolling Stone calls Martin MartyG Gottesfeld The Hacker Who Cared Too Much, due to his Crusade to Save Children. The Justice Department alleges he “orchestrated one of the largest [distributed denial-of-service] attacks ever conducted,” during the campaign to free Justina Pelletier. He is a Cisco Certified Specialist—Enterprise Core and publishes this (semi-)weekly cybersecurity roundup at MartyG Reports.

Comments

[Moorea Maguire]

Really informative article -- thanks!