This Week: Can You Count How Many Governments Are Spying On You?
Feds Scurry As China, Russia, Iran, Israel & Others Pwn America's Phone Network.

America’s national phone system faces a crisis amid foreign threats. Malicious actors have stolen 390,000 WordPress logins. And a Chinese manufacturer now sits atop 65 percent of the market for the routers that secure and connect U.S. home offices and small businesses to the Internet. This week’s cybersecurity roundup presents a stark picture of U.S. cyber-insecurity and the steps individual Americans can take to secure themselves.
The always beleaguered Cybersecurity and Infrastructure Security Agency (CISA) released guidance Wednesday directing U.S. officials to ditch ordinary phone calls and text messages for end-to-end encrypted communications. The move came a day after revelations that China, Russia, Iran, Israel and other state actors have gained access to U.S. telecommunications infrastructure to spy on Americans. An official had told reporters weeks earlier that Washington believes Beijing took “a large number of Americans’ metadata” in a compromise attributed to Beijing’s persistent infrastructure-espionage campaign “Salt Typhoon.”
Security experts believe the various national actors may have compromised Washington’s own lawful-intercept backdoors (the wiretap interfaces U.S. carriers are required to provide) to access the systems. The pilfering, it seems, was not limited to metadata (extrinsic information about calls and text messages, such as source and destination numbers, cellular-tower locations, call times and durations). It also included intercepted audio.
The feds’ flight from traditional communications platforms seems particularly hasty given the difficulties likely to arise, e.g., in complying with FOIA requests and record-retention requirements.
Everyday Americans should strongly consider moving to popular open-source, end-to-end encrypted voice and text-messaging platforms, like Signal, and to multi-factor authentication that does not rely on text messages, such as an authenticator app or a hardware security key. (Be sure to save recovery codes somewhere safe and offline; without them, losing a phone can mean losing the account.)
News also dropped Wednesday that Washington is investigating and might ban Chinese manufacturer TP-Link. Currently, TP-Link produces about 65 percent of the routers that U.S. home offices and small businesses use to secure themselves and connect to the Internet. The Defense Department and NASA also use TP-Link’s products.

Washington’s interest follows an October report by Microsoft that Chinese hackers had hijacked thousands of TP-Link routers and used them as a botnet to attack federal agencies and other Western targets.
Washington has grown increasingly concerned about potential backdoors and other hidden malware in foreign-manufactured products, particularly from China. Its scrutiny of TP-Link follows its ban of Chinese manufacturer Huawei and its perhaps-ill-fated attempts to force Chinese company ByteDance to cede control of TikTok. (The Supreme Court agreed Wednesday to hear ByteDance’s latest challenge.)
Washington, though, has its own history of domestic telecommunications espionage. It planted backdoors in Juniper firewalls and, together with London, compromised SIM-card security worldwide before the Snowden revelations. (Federal law allows Washington to force domestic companies to plant backdoors and to gag them from disclosing their existence.)
To avoid both foreign and domestic snooping, small businesses and households should strongly consider popular open-source routing solutions, such as pfSense and DD-WRT.
Why popular open-source solutions? Widely read public source code provides perhaps the only trustworthy assurance against software backdoors: an adversary would have to plant its code in plain sight of other programmers, where it would likely be discovered. One caveat: reviewed source only protects you if the firmware you actually flash was built from it, so download releases from the project itself, prefer signed (and, where offered, reproducibly built) images, and verify the published checksum or signature before installing.
In other news this week, the state of Nebraska sued Change Healthcare, a UnitedHealth subsidiary, over the recent ransomware compromise of 100 million Americans’ healthcare and other data. The Cornhusker State alleges that the company neglected “to implement basic security protections,” leading to the “historic” breach.
Not to be outdone, Ireland’s Data Protection Commission slapped Facebook’s parent company Meta with a $260-million fine over a breach the company disclosed six years ago. It involved Facebook’s “Happy Birthday Composer.” Attackers abused the feature to obtain access tokens for 29 million Facebook accounts, including three million in the E.U. economic zone.
Hundreds of thousands of Rhode Islanders are bracing for potential fallout as the Ocean State decides whether to pay a ransom demand. Hackers raided the state’s health-and-human-services benefits portal earlier this month.
Three U.S. senators excoriated automakers for collecting and selling customer data, including driving habits, while fighting right-to-repair laws.
“It is clear,” Elizabeth Warren, Jeff Merkley and Josh Hawley wrote to Ford President Jim Farley Jr., “that the motivation behind automotive companies’ avoidance of complying with right-to-repair laws is not due to a concern for consumer security or privacy, but instead a hypocritical, profit-driven reaction.”
While carmakers have been fighting tooth and nail against right-to-repair laws that would require [they] share vehicle data with consumers and independent repairers, they have simultaneously been sharing large amounts of sensitive consumer data with insurance companies and other third parties for profit, often without clear consumer consent. In fact, some car companies use the threat of increased insurance costs to push consumers to opt into safe[-]driving features, and then use those features to collect and sell the user[s’] data.
Displaying all the grace and tact one would expect from a Gambino-family UNICEF drive, perpetual security piñata Microsoft is strong-arming customers to ditch their passwords for its passkey solution. Affected users are wise to generate and safely store an account-recovery code before making the switch, since a lost or reset device can otherwise lock them out.
A firm that sells G.P.S. trackers to suspicious spouses and others exposed I.M.E.I. numbers, names and affiliations through an A.P.I. on its website, according to TechCrunch.
Researchers continued dissecting a long-running scheme to steal credentials and encryption keys and to hijack systems for cryptocurrency mining. The scheme’s architect provided what was originally a legitimate WordPress library. Subsequent versions were trojanized. At publication time, the scheme had swiped logins for 390,000 WordPress sites.
The attack highlights the need to keep auditing open-source supply chains, especially packages too obscure to be widely reviewed. A dependency that was clean when first adopted can turn malicious in a later release, so pin versions and review updates rather than pulling the latest automatically.
And two organizations made announcements with an eye to the future.
The Australian Signals Directorate is outpacing its American counterpart, the National Institute of Standards and Technology (NIST), in preparing for quantum computers capable of breaking today’s public-key cryptography. It released new guidance calling for “High Assurance Cryptographic Equipment” to retire SHA-256, R.S.A., E.C.D.S.A., E.C.D.H. and other algorithms by 2030, five years earlier than NIST’s 2035 goal.
Second, free T.L.S.-certificate issuer Let’s Encrypt announced that next year it will offer “short-lived certificates.” Under the new program, certificates will be valid for six days instead of the usual 90, so automated clients must re-issue them (and may rotate the private key) roughly weekly, which caps the window of “exposure … during a key[-]compromise event.”
As threats multiply, deepen, spread and persist, the major constants are the insufficiencies of government and private actions to meet them. Increased proactive diligence at all levels remains overdue.
Rolling Stone calls Martin “MartyG” Gottesfeld “The Hacker Who Cared Too Much,” due to his “Crusade to Save Children.” The Justice Department alleges he “orchestrated one of the largest [distributed denial-of-service] attacks ever conducted” during the campaign to free Justina Pelletier. He is a Cisco Certified Specialist (Enterprise Core) and publishes this (semi-)weekly cybersecurity roundup at MartyG Reports.
Really informative article -- thanks!