
posted by janrinok on Saturday December 07, @01:50AM
from the welcome-finally-to-the-party dept.

FBI and CISA officials said it was impossible to predict when the telecommunications companies would be fully safe from interlopers:

Amid an unprecedented cyberattack on telecommunications companies such as AT&T and Verizon, U.S. officials have recommended that Americans use encrypted messaging apps to ensure their communications stay hidden from foreign hackers.

The hacking campaign, nicknamed Salt Typhoon by Microsoft, is one of the largest intelligence compromises in U.S. history, and it has not yet been fully remediated. Officials on a news call Tuesday refused to set a timetable for declaring the country's telecommunications systems free of interlopers. Officials had told NBC News that China hacked AT&T, Verizon and Lumen Technologies to spy on customers.

A spokesperson for the Chinese Embassy in Washington did not immediately respond to a request for comment.

In the call Tuesday, two officials — a senior FBI official who asked not to be named and Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency — both recommended using encrypted messaging apps to Americans who want to minimize the chances of China's intercepting their communications.

"Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it's on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible," Greene said.

The FBI official said, "People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant" multi-factor authentication for email, social media and collaboration tool accounts.

The scope of the telecom compromise is so significant, Greene said, that it was "impossible" for the agencies "to predict a time frame on when we'll have full eviction."

[...] The FBI and other federal law enforcement agencies have a complicated relationship with encryption technology, historically advocating against full end-to-end encryption that does not allow law enforcement access to digital material even with warrants. But the FBI has also supported forms of encryption that do allow some law enforcement access in certain circumstances.

[...] In a statement to NBC News, Ron Wyden, D-Ore, one of the Senate's fiercest privacy advocates, criticized America's reliance on CALEA as it leaves such sensitive information unencrypted.

"Whether it's AT&T, Verizon, or Microsoft and Google, when those companies are inevitably hacked, China and other adversaries can steal those communications," he said.


Original Submission

Related Stories

The Practical Limitations of End-to-End Encryption 39 comments

The cryptographer who blogs under the pseudonym Soatok has written an in-depth discussion of the practical limitations of End-to-End Encryption on his blog. For some things, such as planning military strikes, Sensitive Compartmented Information Facilities (SCIFs) are the right tool for the job, while smartphone apps of any stripe are not.

In the aftermath of this glorious fuck-up by the Trump administration, I have observed many poorly informed hot takes. Some of these were funny, but others are dangerous: they were trying to promote technologies that claim to be Signal alternatives, as if this whole story was somehow a failure of Signal’s security posture.

Not to put too fine a point on it: Switching to Threema or PGP would not have made a lick of difference. Switching to Matrix would have only helped if you consider “unable to decrypt message” helping.

To understand why, you need a clear understanding of what end-to-end encryption is, what it does, what it protects against, and what it doesn’t protect against.

His prediction is that the White House will lash out at both The Atlantic and at Signal to distract from the catastrophic procedural failure which the administration demonstrated through this incident. He also observed that adding a journalist to the chat group would provide a good distraction from possibly compromised smartphones, devices which are notoriously insecure even when the stakes are much lower.

Previously:
(2025) Apple Pulls End-to-End Encryption From UK Rather Than Provide Government a Backdoor
(2024) U.S. Officials Urge Americans to Use Encrypted Apps Amid Unprecedented Cyberattack
(2024) Here's the Paper No One Read Before Declaring the Demise of Modern Cryptography
(2024) How I Got a Truly Anonymous Signal Account
... and more.


Original Submission

Chinese Hackers Compromised Organizations in 70 Nations, Warn US Federal Agencies 4 comments

Companies are advised to constantly update their apps and software, and patch known network vulnerabilities to prevent such attacks:

A ransomware group called "Ghost" is exploiting the network vulnerabilities of various organizations to gain access to their systems, according to a joint advisory issued by multiple U.S. federal agencies.

"Beginning early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware," the Cybersecurity and Infrastructure Security Agency (CISA) said in the Feb. 19 joint advisory. "Ghost actors, located in China, conduct these widespread attacks for financial gain."

The attacks have targeted schools and universities, government networks, critical infrastructure, technology and manufacturing companies, health care, and several small and mid-sized businesses.

[...] The criminals use publicly available code to exploit "common vulnerabilities and exposures" of their targets to secure access to servers. They leverage vulnerabilities in servers running Adobe ColdFusion, Microsoft Exchange, and Microsoft SharePoint.

Also at BleepingComputer.


Original Submission

This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 3, Insightful) by Anonymous Coward on Saturday December 07, @03:25AM (8 children)

    by Anonymous Coward on Saturday December 07, @03:25AM (#1384567)

    But only the ones with back doors for law enforcement access, right?

    Heh, so much for their concern about "hackers"

    The apps are irrelevant anyway. The real back doors are baked into the hardware. The mic and camera are always on, in addition to the keyloggers. And non removable batteries make it impossible to know if the phone is really turned off.

    • (Score: 2) by fraxinus-tree on Saturday December 07, @08:07AM

      by fraxinus-tree (5590) on Saturday December 07, @08:07AM (#1384576)

      One can't really predict when the government gets the clue. But it happens once in a while.

    • (Score: 3, Informative) by pTamok on Saturday December 07, @09:24AM

      by pTamok (3042) on Saturday December 07, @09:24AM (#1384582)

      "the keyloggers"

      Yup - that's the convenient 'keyboard apps'.

      The most popular Chinese language keyboard had a vulnerability that allowed those in the know to take a copy of everything typed.

      https://www.technologyreview.com/2024/04/24/1091740/chinese-keyboard-app-security-encryption/ [technologyreview.com]
      https://spectrum.ieee.org/chinese-pinyin-keyboard-software-exploits [ieee.org]
      https://journal.probeinternational.org/2024/04/29/keyboard-app-flaws-expose-almost-one-billion-to-network-threats/ [probeinternational.org]
      https://thehackernews.com/2024/04/major-security-flaws-expose-keystrokes.html [thehackernews.com]
      https://infotechgroup.co.uk/blog/almost-every-chinese-keyboard-app-has-a-security-flaw-that-reveals-what-users-type/ [infotechgroup.co.uk]

      The Citizen Lab do good work.
      https://citizenlab.ca/2024/04/vulnerabilities-across-keyboard-apps-reveal-keystrokes-to-network-eavesdroppers/ [citizenlab.ca]

      Worth reading all of this one, including the email exchanges with Sogou
      https://citizenlab.ca/2023/08/vulnerabilities-in-sogou-keyboard-encryption/ [citizenlab.ca] "“Please do not make it public” Vulnerabilities in Sogou Keyboard encryption expose keypresses to network eavesdropping"

      https://www.eff.org/deeplinks/2023/08/vulnerability-tencents-sogou-chinese-keyboard-can-leak-text-input-real-time [eff.org]

    • (Score: 3, Insightful) by RedGreen on Saturday December 07, @02:13PM

      by RedGreen (888) on Saturday December 07, @02:13PM (#1384599)

      "But only the ones with back doors for law enforcement access, right?"

      That was my first thought when reading it too, like them kind loving hackers are not going to bother with getting into them back doors too. What a bunch of morons these people are, what should have already been standard procedure is only now being urged on emergency basis once the horse has bolted the barn. Same as the infrastructure for the power grid and water the traffic lights, etc. after years of attacks the clowns still have not done a thing to secure them. Meanwhile the normal suspects like Russia, China, North Korea and Iran laugh at us and the chicken shit response these people do which is next to nothing letting them still mess us about anytime they want.

      --
      "I modded down, down, down, and the flames went higher." -- Sven Olsen
    • (Score: 4, Insightful) by mcgrew on Saturday December 07, @04:23PM (2 children)

      by mcgrew (701) <publish@mcgrewbooks.com> on Saturday December 07, @04:23PM (#1384609) Homepage Journal

      Apparently, your anonymous conspiracy theory sounds insightful to a couple of S/Ners. It's almost certainly correct in dictatorships, not so in democracies.

      McGrew's Law: No anonymous musing should be taken at face value and should be considered bullshit until proven otherwise.

      Wise up, kids. A Russian posted the screed I am replying to. That's a stupid conspiracy theory, too, but at least I'm not such a foolish coward I must hide.

      Now, this would matter if Illinois hadn't legalized weed in 2020. If the Chinese or the Sangamon County Sheriff's Department want to read my mail, I assure them that my novels are far more interesting.

      --
      Impeach Donald Saruman and his sidekick Elon Sauron
      • (Score: 0) by Anonymous Coward on Saturday December 07, @07:10PM (1 child)

        by Anonymous Coward on Saturday December 07, @07:10PM (#1384632)

        It's almost certainly correct in dictatorships, not so in democracies.

        McGrew's Law: No anonymous musing should be taken at face value and should be considered bullshit until proven otherwise.

        Most amusing...

        at least I'm not such a foolish coward I must hide.

        Your "bravery" is duly noted

        • (Score: 0) by Anonymous Coward on Saturday December 07, @11:00PM

          by Anonymous Coward on Saturday December 07, @11:00PM (#1384650)

          Your "bravery" is duly noted

          Indeed, it is on page 3 of his file.

    • (Score: 0) by Anonymous Coward on Saturday December 07, @07:06PM (1 child)

      by Anonymous Coward on Saturday December 07, @07:06PM (#1384631)

      > ... non removable batteries make it impossible to know if the phone is really turned off.

      Next best thing? Put phone in Faraday cage when not in use? Other ideas?

      • (Score: 0) by Anonymous Coward on Saturday December 07, @09:15PM

        by Anonymous Coward on Saturday December 07, @09:15PM (#1384644)

        Put phone in Faraday cage when not in use?

        Yeah, that works great if you never use your phone

  • (Score: 3, Insightful) by pTamok on Saturday December 07, @09:13AM (1 child)

    by pTamok (3042) on Saturday December 07, @09:13AM (#1384581)

    using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant" multi-factor authentication for email, social media and collaboration tool accounts.

    Let me decode that for you: "responsibly managed encryption" means encryption with a government back-door.

    Why would I give the government access to my private communications when they have just shown they are incapable of responsibly managing the telecommunications infrastructure? The telecommunications backbone is 'national infrastructure'. It's important. Yet they have just demonstrated an inability to secure it. What guarantee is there they will keep access to my private data secure?

    • (Score: 0) by Anonymous Coward on Saturday December 07, @06:50PM

      by Anonymous Coward on Saturday December 07, @06:50PM (#1384627)

      Responsibly managed encryption? lmao! Like these whore-ass telecomm companies? Get a job, parasites!

  • (Score: 4, Touché) by Thexalon on Saturday December 07, @12:21PM (7 children)

    by Thexalon (636) on Saturday December 07, @12:21PM (#1384594)

    "Hey everybody, make sure the Chinese and Russians can't read your text messages. That's a job for the NSA only!"

    Although I'm not sure exactly what government intel agencies or EVIL HAX0RS are going to do with the fact that my wife wants me to pick up milk and a loaf of bread at the store. Security around information should match the value of that information as a general rule.

    --
    "Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
    • (Score: 1) by pTamok on Saturday December 07, @01:26PM (3 children)

      by pTamok (3042) on Saturday December 07, @01:26PM (#1384596)

      An issue is that many financial institutions use SMS messages as the 'independent channel' for verifying logins. You log in with username and password, the institution sends a one-time code using SMS to the mobile phone number associated with your account, which you then use to complete the log in.
      If your username and password are no longer secret for some reason, for example, if the username happens to be your email address, and you have a habit of re-using passwords or making them easily guessable, or it is revealed in some other way, then someone who has access to the SMS message from the financial institution (because they have compromised the telecommunications infrastructure) has a method of logging in as you and emptying your account - or, at least, making your life difficult.
      Current other 2FA methods are lousy, because it is so easy for people to lose access to accounts. But nobody wants to step up and provide easy-to-use, user friendly identity verification services that work for people who lose or accidentally damage key-fobs (e.g. Yubikeys or one-time code generators), are slightly senile/confused, or have below average IQ. It is hard. And often expensive. And the consequences of getting it wrong are disastrous. So, of course, nobody wants to until forced to by government regulation. Which doesn't exist yet.

      • (Score: 3, Insightful) by gnuman on Saturday December 07, @02:21PM (2 children)

        by gnuman (5013) on Saturday December 07, @02:21PM (#1384600)

        Current other 2FA methods are lousy, because it is so easy for people to lose access to accounts.

        Because they cater to lowest common denominator. In many places you can't even use your yubikey or OTP. It's sad that you can secure your gmail better than your bank account.

        • (Score: 2) by mcgrew on Saturday December 07, @04:34PM (1 child)

          by mcgrew (701) <publish@mcgrewbooks.com> on Saturday December 07, @04:34PM (#1384611) Homepage Journal

          What are Yubikeys and OTPs?

          --
          Impeach Donald Saruman and his sidekick Elon Sauron
          • (Score: 3, Interesting) by gnuman on Saturday December 07, @06:34PM

            by gnuman (5013) on Saturday December 07, @06:34PM (#1384625)

            What are Yubikeys and OTPs?

            OTP - one time passwords.

            https://www.onelogin.com/learn/otp-totp-hotp [onelogin.com]

            TOTP - time based OTP, like the ones used by Google Authenticator. Codes change every 30 seconds.
            HOTP - HMAC based OTP, like used by Yubikey (google for images of yubikey). It's a hardware token you carry around. You may need a PIN to access the Yubikey, so just snatching someone's keys and knowing their passwords will still lock you out.

            Both TOTP and HOTP do not use some communication channel to generate tokens. SMS sends a "secret" message when you want to login. OTP protocols do not.

            Gmail can use both types of OTP. Paypal can use both. Microsoft and github use both. But most banks are completely oblivious to these and only use it when forced by regulation. In the EU, the banks were forced by regulation to use 2FA and not SMS or one-time-pads (because people carried their one time pads in their wallets).

            Hope that clears things up.

    • (Score: 2) by mcgrew on Saturday December 07, @04:29PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Saturday December 07, @04:29PM (#1384610) Homepage Journal

      ...I'm not sure exactly what government intel agencies or EVIL HAX0RS are going to do with the fact that my wife wants me to pick up milk and a loaf of bread at the store.

      Decrypting and reading value-free messages like you and I would be sending wastes the enemy's time and resources. While they're reading your note, Roger in the CIA's note is being undecrypted and unread, hopefully until Roger finishes his nefarious deeds for our welfare.

      --
      Impeach Donald Saruman and his sidekick Elon Sauron
    • (Score: 0) by Anonymous Coward on Sunday December 08, @08:59AM (1 child)

      by Anonymous Coward on Sunday December 08, @08:59AM (#1384680)
      How do they know that this stuff about you having a wife you would pick up milk and a loaf of bread at the store aren't some kind of nefarious secret code words that you and the antifa terrorist cell you belong to agreed upon as the trigger for some diabolical plot? When objective measures of truth no longer exist anything can be made to mean whatever anyone wishes. It is just a matter of convincing enough people, and given how ignorant most people are these days this is terrifyingly easy. Look at what happened with the Podesta emails became the genesis of Pizzagate and later QAnon. Besides, it's not anyone's else's business to know.
      • (Score: 2) by janrinok on Sunday December 08, @09:18AM

        by janrinok (52) Subscriber Badge on Sunday December 08, @09:18AM (#1384684) Journal

        I already fight against this.

        There is nothing illegal about sending a series of random words to an email address, providing that both sender and recipient accept the emails.

        There is nothing illegal about sending a random series of characters to an email address. If someone wants to waste computer time trying to decipher it then I am not responsible for their actions.

        I have multiple email addresses, in multiple countries. Set up a cron job and leave it alone....

        --
        I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.