This Week: Can You Count How Many Governments Are Spying On You?
Feds Scurry As China, Russia, Iran, Israel & Others Pwn America's Phone Network.
America's national phone system faces a crisis amid foreign threats. Malicious actors have stolen 390,000 WordPress logins. And a Chinese manufacturer now sits atop 65 percent of the market for the routers that secure and connect U.S. home offices and small businesses to the Internet. This week's cybersecurity roundup presents a stark picture of U.S. cyber-insecurity and the steps for individual Americans to secure themselves.
The always beleaguered Cybersecurity and Infrastructure Security Agency (CISA) released guidance Wednesday, directing U.S. officials to ditch phone calls and text messages for end-to-end encryption. The move came a day after revelations that China, Russia, Iran, Israel and other state actors have gained access to U.S. telecommunications infrastructure to spy on Americans. An official had told reporters weeks earlier that Washington believes Beijing took “a large number of Americans’ metadata” in a compromise attributed to Beijing's persistent infrastructure-espionage campaign “Salt Typhoon.”
Security experts believe the various national actors may have compromised Washington's own backdoors to access the systems. The pilfering, it seems, was not limited to metadata (extrinsic information about calls and text messages such as source and destination numbers, cellular-tower locations, call times and durations). It also included intercepted audio.
The feds' flight from traditional communications platforms seems particularly hasty given the difficulties likely to arise, e.g., in complying with FOIA requests and retention requirements.
Everyday Americans should strongly consider moving to popular open-source encrypted voice and text-messaging platforms—like Signal—and robust multi-factor authentication that does not use text messages. (Be sure to save recovery keys.)
News also dropped Wednesday that Washington is investigating and might ban Chinese manufacturer TP-Link. Currently, TP-Link produces about 65 percent of the routers that U.S. home offices and small businesses use to secure themselves and connect to the Internet. The Defense Department and NASA also use TP-Link's products.
Washingtonβs interest follows an October report by Microsoft that claimed Chinese hackers hijacked thousands of TP-Link routers and used them to attack federal agencies and other Western targets.
Washington has grown increasingly concerned by potential backdoors and other hidden malware in foreign-manufactured products, particularly from China. Its scrutiny of TP-Link follows its ban of Chinese manufacturer Huawei and its perhaps-ill-fated attempts to force Chinese company ByteDance to cede control of TikTok. (The Supreme Court agreed Wednesday to hear ByteDance's latest challenge.)
Washington, though, has its own history of domestic telecommunications espionage. It planted backdoors in Juniper firewalls and, along with London, compromised SIM-card security worldwide before the Snowden revelations. (Federal law allows Washington to force domestic companies to plant backdoors and gag them from disclosing their existence.)
To avoid both foreign and domestic snooping, small businesses and households should strongly consider popular open-source routing solutions, such as pfSense and DD-WRT.
Why popular open-source solutions? They provide perhaps the only trustworthy assurance against software backdoors: widely read public source code. An adversary would have to plant its code in plain sight of programmers, where it would likely be discovered.
In other news this week, the state of Nebraska sued Change Healthcare, a UnitedHealth subsidiary, over the recent ransomware compromise of 100 million Americans' healthcare and other data. The Cornhusker State alleges that the company neglected “to implement basic security protections,” leading to the “historic” breach.
Not to be outdone, Ireland's Data Protection Commission slapped Facebook's parent company Meta with a $260-million fine over a breach the company disclosed six years ago. It involved Facebook's “Happy Birthday Composer.” Attackers used the feature to log into 29 million Facebook accounts, including three million in the E.U. economic zone.
Hundreds of thousands of Rhode Islanders are bracing for potential fallout as the Ocean State decides whether to pay a ransom demand. Hackers raided the state's H.H.S.-benefits portal earlier this month.
Three U.S. senators excoriated automakers for collecting and selling customer data, including driving habits, while fighting right-to-repair laws.
“It is clear,” Elizabeth Warren, Jeff Merkley and Josh Hawley wrote Ford President Jim Farley Jr., “that the motivation behind automotive companies’ avoidance of complying with right-to-repair laws is not due to a concern for consumer security or privacy, but instead a hypocritical, profit-driven reaction.”
While carmakers have been fighting tooth and nail against right-to-repair laws that would require [they] share vehicle data with consumers and independent repairers, they have simultaneously been sharing large amounts of sensitive consumer data with insurance companies and other third parties for profit—often without clear consumer consent. In fact, some car companies use the threat of increased insurance costs to push consumers to opt into safe[-]driving features, and then use those features to collect and sell the user[s’] data.
Displaying all the grace and tact one would expect from a Gambino-family UNICEF drive, perpetual security piñata Microsoft is strongarming customers to ditch their passwords for its passkey solution. Affected users are wise to generate and safely store an account-recovery code.
A firm that sells G.P.S. trackers to suspicious spouses and others exposed I.M.E.I. numbers, names and affiliations through an A.P.I. on its website, according to TechCrunch.
Researchers continued dissecting a long-running scheme to steal credentials and encryption keys and hijack systems for cryptocurrency mining. The scheme's architect provided what was originally a legitimate WordPress library. Subsequent versions morphed into a trojan horse. At publication time, the scheme had swiped logins for 390,000 WordPress sites.
The attack highlights the need to continue auditing open-source supply chains, especially those unlikely to be widely reviewed.
And two organizations made announcements with an eye to the future.
The Australian Signals Directorate is outpacing its American counterpart, the National Institute of Standards and Technology (NIST), to secure against quantum key breaking. It released new guidance, calling for “High Assurance Cryptographic Equipment” to retire SHA-256, R.S.A., E.C.D.S.A., E.C.D.H. and other algorithms by 2030, five years earlier than NIST's goal.
Second, free T.L.S.-certificate-issuer Let's Encrypt announced that next year it will offer “short-lived certificates.” Under the new program, websites may automatically change their private keys every six days to minimize “exposure … during a key[-]compromise event.”
As threats multiply, deepen, spread and persist, the major constants are the insufficiencies of government and private actions to meet them. Increased proactive diligence at all levels remains overdue.
Rolling Stone calls Martin “MartyG” Gottesfeld “The Hacker Who Cared Too Much,” due to his “Crusade to Save Children.” The Justice Department alleges he “orchestrated one of the largest [distributed denial-of-service] attacks ever conducted,” during the campaign to free Justina Pelletier. He is a Cisco Certified Specialist – Enterprise Core and publishes this (semi-)weekly cybersecurity roundup at MartyG Reports.
Really informative article -- thanks!