5331 private links
Telegram does offer “secret chats,” which provide end-to-end encryption, but only from one device to another, between just two people. They won’t sync across multiple devices and they won’t work for groups. Telegram says this is technically difficult to do, even though both Signal and iMessage manage end-to-end encryption across multiple devices and in groups. In reality, Telegram’s architecture is designed to provide fast and seamless multi-device access to a cloud repository; its priorities are different.
The Signal settings you must change are the “registration lock” and the “screen lock.” Of these, the registration lock is the critical one: you’ll need that PIN to install your Signal account on a new phone, which stops anyone hijacking your account. If someone does hijack your account, they won’t get access to your message history, just messages sent while they have access. WhatsApp works similarly, but such hijacks have become a major issue there. As Signal gains popularity, the risk will increase.
After tech behemoths like Twitter moved to ban Trump and thousands of other far-right accounts, millions moved to apps like Signal and Telegram for their encrypted messaging services.
There's one rub, though: Telegram, unlike Signal, doesn't have end-to-end encryption by default.
End-to-end encryption means that only the message sender and receiver can read the message. Even the servers that relay it, whether Signal's or Apple's for iMessage, can't decrypt and read what someone wrote. If those servers were ever hacked, the attackers wouldn't be able to read the messages either. It's safe to say, then, that end-to-end (e2e) encryption is an essential element of secure messaging.
Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.
For free.
The US National Security Agency (NSA) says that companies should avoid sending their DNS traffic to third-party DNS resolvers, in order to block threat actors' attempts to eavesdrop on and manipulate DNS traffic and to keep internal network information from leaking.
"NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver," the US intelligence agency said.
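The monitoring side of that recommendation, as an added example that is not part of the NSA guidance or of any vendor's tooling: scan connection-log lines for DNS that goes anywhere other than the designated resolver. The log format (timestamp, source, destination, protocol, destination port), the enterprise resolver address 10.0.0.53, and the short list of public resolvers used as a DNS-over-HTTPS heuristic are all assumptions made for the example; the sample log is constructed.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Assumption: the enterprise's designated DNS resolver(s). Per the NSA guidance,
# these are the only hosts that should receive DNS traffic, encrypted or not.
ENTERPRISE_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}

# Well-known public resolvers that also serve DNS-over-HTTPS on 443. Used here as
# an illustrative heuristic for encrypted DNS that bypasses the enterprise resolver;
# a production list would be larger and maintained separately.
PUBLIC_DOH_RESOLVERS = {
    ipaddress.ip_address(a)
    for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112")
}

DNS_PORTS = {53, 853}  # plain DNS (UDP/TCP 53) and DNS-over-TLS (TCP 853)


def classify_flow(dst: str, dport: int) -> Optional[str]:
    """Return a finding label for one connection, or None if it is allowed."""
    dst_ip = ipaddress.ip_address(dst)
    if dport in DNS_PORTS and dst_ip not in ENTERPRISE_RESOLVERS:
        # DNS to anything but the designated resolver: the policy violation itself.
        return "dns-bypass"
    if dport == 443 and dst_ip in PUBLIC_DOH_RESOLVERS:
        # HTTPS to a known DoH provider: not provably DNS, but worth a look.
        return "possible-doh"
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Scan space-separated lines 'timestamp src dst proto dport' (format assumed)."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; a real collector would count these
        ts, src, dst, _proto, dport = parts
        verdict = classify_flow(dst, int(dport))
        if verdict is not None:
            findings.append((ts, src, dst, verdict))
    return findings


# Constructed sample log: 10.1.2.x are internal clients, 93.184.216.34 an ordinary web host.
SAMPLE_LOG = """\
2021-01-15T10:00:01Z 10.1.2.3 10.0.0.53 udp 53
2021-01-15T10:00:02Z 10.1.2.3 8.8.8.8 udp 53
2021-01-15T10:00:03Z 10.1.2.4 9.9.9.9 tcp 853
2021-01-15T10:00:04Z 10.1.2.5 1.1.1.1 tcp 443
2021-01-15T10:00:05Z 10.1.2.5 93.184.216.34 tcp 443
""".splitlines()

if __name__ == "__main__":
    for ts, src, dst, verdict in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: {verdict}")
```

Only the first line of the sample passes clean. The 53 and 853 flows to public resolvers are outright violations; the 443 flow to 1.1.1.1 can only be flagged as suspicious, which is why the guidance pairs monitoring with a firewall rule that permits DNS ports only to the enterprise resolver and with blocking of known DoH endpoints.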
- Screen Lock (iOS and Android): Means you have to enter your biometrics (Face ID, Touch ID, fingerprint or passcode) to access the app
- Enable Screen Security (iOS) or Screen Security (Android): On the iPhone this prevents data previews being shown in the app switcher, while on Android it prevents screenshots being taken
- Registration Lock (iOS and Android): Requires your PIN when registering with Signal (a handy way to prevent a second device being added)
- Incognito Keyboard (Android only): Prevents the keyboard from sending what you type to a third party, which might allow sensitive data to leak
One countermeasure that can partially mitigate the attack is for service providers that offer key-based 2FA to use a feature baked into the U2F standard that counts the number of interactions a key has had with the provider’s servers. If a key reports a number that doesn’t match what’s stored on the server, the provider will have good reason to believe the key is a clone. A Google spokeswoman said the company has this feature.
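How the counter check catches a clone, and why it is only a partial mitigation, as an added illustration that is not Google's or any vendor's code: the authenticator's counter is modelled on its own, with the signature that normally covers it left out (an assumption made so the counter logic stands alone). The key handle name and the scenario are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Authenticator:
    """Models a U2F key: a monotonic signature counter that increments on every
    assertion and cannot be reset by the user. The assertion's signature over the
    counter is omitted here (assumption) so that only the counter logic is shown."""
    counter: int = 0

    def assertion(self) -> int:
        self.counter += 1
        return self.counter

    def clone(self) -> "Authenticator":
        # An attacker who extracts the private key also copies the counter as it
        # was at extraction time; from here on the two devices diverge.
        return Authenticator(counter=self.counter)


class RelyingParty:
    """Server side: remembers the highest counter seen for each registered key."""

    def __init__(self) -> None:
        self.last_counter: Dict[str, int] = {}

    def register(self, key_handle: str, counter: int) -> None:
        self.last_counter[key_handle] = counter

    def verify(self, key_handle: str, reported: int) -> str:
        stored = self.last_counter[key_handle]
        if reported == 0 and stored == 0:
            return "ok-no-counter"  # authenticator does not implement a counter
        if reported <= stored:
            # Counter stalled or went backwards: some device holding this key has
            # already produced this value, so a clone exists (this one or the other).
            return "reject"
        self.last_counter[key_handle] = reported
        return "ok"


def clone_scenario() -> List[str]:
    """Genuine key and its clone used against the same account; returns the verdicts."""
    rp = RelyingParty()
    genuine = Authenticator()
    rp.register("key-handle-1", genuine.counter)
    clone = genuine.clone()  # attacker's copy, counter still 0
    return [
        rp.verify("key-handle-1", genuine.assertion()),  # reports 1 -> ok
        rp.verify("key-handle-1", clone.assertion()),    # also reports 1 -> reject
        rp.verify("key-handle-1", clone.assertion()),    # reports 2 -> ok: the clone got in
        rp.verify("key-handle-1", genuine.assertion()),  # reports 2 -> reject: victim locked out
    ]


if __name__ == "__main__":
    print(clone_scenario())
```

The verdict list shows the limits: the server learns that two devices share the key, but not which one is the clone, and a clone used before the genuine key is accepted while the victim's next login is the one refused. That is why the text calls it a partial mitigation, and why a reject should trigger key revocation and an alert rather than a silent retry.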
More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.
[…]
Installing patches removes the backdoor account, which, according to Eye Control researchers, uses the “zyfwp” username and the “PrOw!aN_fXp” password.
“The plaintext password was visible in one of the binaries on the system,” the Dutch researchers said in a report published before the Christmas 2020 holiday.
For now, though, responders emphasize that companies and other organizations can still protect themselves. They can make ransomware less lucrative for attackers by focusing on basic security protections and tightening their defenses in fundamental ways. This not only makes it more difficult for attackers to find vulnerable targets in the first place; it can make it less likely that victims will actually need to pay a ransom to restore their services if they do get hit.
“Organizations need to get the basics right, that is absolutely critical,” Emsisoft's Callow says. “In the past, companies could often get away with having somewhat weak security, but now they can’t. They'll pay the price literally and figuratively.”
A protective relay attached to that generator was designed to prevent it from connecting to the rest of the power system without first syncing to that exact rhythm: 60 hertz. But Assante’s hacker in Idaho Falls had just reprogrammed that safeguard device, flipping its logic on its head.
At 11:33 am and 23 seconds, the protective relay observed that the generator was perfectly synced. But then its corrupted brain did the opposite of what it was meant to do: It opened a circuit breaker to disconnect the machine.
When the generator was detached from the larger circuit of Idaho National Laboratory’s electrical grid and relieved of the burden of sharing its energy with that vast system, it instantly began to accelerate, spinning faster, like a pack of horses that had been let loose from its carriage. As soon as the protective relay observed that the generator’s rotation had sped up to be fully out of sync with the rest of the grid, its maliciously flipped logic immediately reconnected it to the grid’s machinery.
The moment the diesel generator was again linked to the larger system, it was hit with the wrenching force of every other rotating generator on the grid. All of that equipment pulled the relatively small mass of the diesel generator’s own spinning components back to its original, slower speed to match its neighbors’ frequencies.
On the visitor center’s screens, the assembled audience watched the giant machine shake with sudden, terrible violence, emitting a sound like a deep crack of a whip. The entire process from the moment the malicious code had been triggered to that first shudder had spanned only a fraction of a second.
The test director ended the experiment and disconnected the ruined generator from the grid one final time, leaving it deathly still. In the forensic analysis that followed, the lab’s researchers would find that the engine shaft had collided with the engine’s internal wall, leaving deep gouges in both and filling the inside of the machine with metal shavings. On the other side of the generator, its wiring and insulation had melted and burned. The machine was totaled.
In the wake of the demonstration, a silence fell over the visitor center. “It was a sober moment,” Assante remembers. The engineers had just proven without a doubt that hackers who attacked an electric utility could go beyond a temporary disruption of the victim’s operations: They could damage its most critical equipment beyond repair. “It was so vivid. You could imagine it happening to a machine in an actual plant, and it would be terrible,” Assante says. “The implication was that with just a few lines of code, you can create conditions that were physically going to be very damaging to the machines we rely on.”
But Assante also remembers feeling something weightier in the moments after the Aurora experiment. It was a sense that, like Robert Oppenheimer watching the first atomic bomb test at another US national lab six decades earlier, he was witnessing the birth of something historic and immensely powerful.
“I had a very real pit in my stomach,” Assante says. “It was like a glimpse of the future.”
One of the other methods cyber criminals use to gain entry to networks is taking advantage of weak passwords, either by buying them on dark web forums or simply guessing common or default passwords.
To prevent this, organisations should encourage employees to use more complex passwords and accounts should have the additional security of multi-factor authentication, so if an intruder does manage to crack login credentials to gain access to a network, it's harder for them to move around it.
Businesses should also make sure they're prepared for what could happen should they end up falling victim to a ransomware attack. Regularly creating backups of the network and storing them offline means that if the worst happens and ransomware encrypts the network, it's possible to restore it from a relatively recent point – and without giving into the demands of cyber criminals.
Even fitness trackers were ruled a big risk, because record-matching against their data could identify your family.
Every day that goes by, the supply-chain security failure in SolarWinds' proprietary Orion network monitoring product gets bigger and bigger.
Ironically, SolarWinds had claimed open source software was untrustworthy because anyone can infect it with malicious code. A SolarWinds writer claimed: security “risk is far less when it comes to proprietary software. Due to the nature of open source software allowing anyone to update the code, the risk of downloading malicious code is much higher. One source referred to using open-source software as “eating from a dirty fork.” When you reach in the drawer for a clean fork, you could be pulling out a dirty utensil. That analogy is right on the money.”
Right. Sure.
SolarWinds followed this up by remarking in another blog that the whole foundation of cloud native computing, containers and container orchestration, isn’t trustworthy either.
But open source is not what’s inherently insecure here. Proprietary software, a black box where you can never know what’s really going on, is now, always has been, and always will be more of a security problem.
I would no more trust anything mission critical to proprietary software than I would drive a car at night without lights or a fastened seat belt. That’s why I’m writing this on Linux Mint with LibreOffice rather than Windows and Microsoft Word. That’s why the internet, cloud native computing, and the cloud — yes even Microsoft Azure — use Linux and open source.
In short, proprietary software companies, like SolarWinds, are still making huge security blunders, which are hidden from users until the damage is done. At the same time, open source programmers and their allies are continuing to make their programs ever more secure, and in the open, so that everyone benefits.
We conclude that the Dominion Voting System is intentionally and purposefully designed with inherent errors to create systemic fraud and influence election results. The system intentionally generates an enormously high number of ballot errors. The electronic ballots are then transferred for adjudication. The intentional errors lead to bulk adjudication of ballots with no oversight, no transparency, and no audit trail. This leads to voter or election fraud. Based on our study, we conclude that The Dominion Voting System should not be used in Michigan. We further conclude that the results of Antrim County should not have been certified.
I am asking this because WhatsApp says it is end-to-end encrypted.
- Are there any problems with sending a public key through WhatsApp?
- There might be some objections to sending symmetric and private keys. Under what circumstances can I send symmetric and private keys?
E2EE doesn't protect data at rest. Unlike Signal, WhatsApp doesn't encrypt its internal message database. A forensic analysis can recover deleted messages in plain text if the lock screen password is known. WhatsApp's daily chat backup encrypts the message database with an AES-GCM-256 key that is known to the WhatsApp service (see How can WhatsApp restore local or Google Drive Backups?). Although the chat backup is not held by the WhatsApp service, Google Drive does hold it if Google Drive backup is enabled, and there you have no control over how it is used by state surveillance.
Apps with accessibility permission can see the content on the screen.
Sending passwords through Signal is somewhat safer if you implicitly trust the security of the device. Signal encrypts the message database with a database encryption key, which is itself encrypted with a key stored in the hardware-backed keystore (Android 7+). That leaves deleted messages unreadable by forensic recovery even if the lockscreen password is known.
Private keys shouldn't be sent in any case. They shouldn't even be available to you for sharing.
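The difference the answer draws between a plaintext message database and one encrypted under a keystore-wrapped key, as an added example that is neither Signal's nor WhatsApp's code: a disk image is searched for a "deleted" secret with and without the key hierarchy. The cipher is a toy HMAC-SHA256 keystream so the example runs on the standard library alone; real implementations use AES-GCM (assumption: the key hierarchy is the point, not the primitive). The keystore model, file names and messages are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Stand-in for AES-GCM so the
    example needs no third-party library (assumption); not for production use."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


class HardwareKeystore:
    """Models a TEE / secure element: the key-encryption key is generated inside
    and never exported; the OS only gets wrap and unwrap operations."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self._kek, wrapped)


# Messages as they sit in the database file. The "deleted" row is still physically
# present, which is exactly what forensic carving recovers (constructed sample).
MESSAGES = [b"alice: meeting at 10", b"[deleted] alice: wifi password hunter2", b"bob: ok"]


def store_plaintext(disk: Dict[str, bytes]) -> None:
    """Database written in the clear (the answer's description of WhatsApp)."""
    disk["plain.db"] = b"\n".join(MESSAGES)


def store_wrapped(disk: Dict[str, bytes], keystore: HardwareKeystore) -> None:
    """Database encrypted under a random DEK; only the keystore-wrapped DEK touches
    disk (the answer's description of Signal on Android 7+)."""
    dek = secrets.token_bytes(32)
    disk["wrapped_dek"] = keystore.wrap(dek)
    disk["encrypted.db"] = seal(dek, b"\n".join(MESSAGES))


def forensic_search(disk: Dict[str, bytes], needle: bytes) -> List[str]:
    """Examiner with a readable disk image (lock screen known) but no keystore
    access: search every file for the needle."""
    return [name for name, blob in disk.items() if needle in blob]


def app_read(disk: Dict[str, bytes], keystore: HardwareKeystore) -> List[bytes]:
    """The app on the original device: unwrap the DEK inside the keystore, then decrypt."""
    dek = keystore.unwrap(disk["wrapped_dek"])
    return unseal(dek, disk["encrypted.db"]).split(b"\n")


def demo() -> Dict[str, object]:
    keystore = HardwareKeystore()
    disk: Dict[str, bytes] = {}
    store_plaintext(disk)
    store_wrapped(disk, keystore)
    return {
        "forensic_hits": forensic_search(disk, b"hunter2"),  # only plain.db
        "app_reads": app_read(disk, keystore),
    }


if __name__ == "__main__":
    print(demo())
```

The examiner finds the secret in plain.db and nothing in encrypted.db or wrapped_dek, while the app, which can ask the keystore to unwrap the DEK, still reads every row. Knowing the lock screen password yields the image but not the key-encryption key, which is the property the answer relies on; an attacker who can run code on the unlocked device is a different threat and is not addressed here.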
The report urges election officials to use machines relying on voter-marked paper ballots and pair those with “statistically rigorous post-election audits” to verify the outcome of elections reflects the will of voters. The authors also warn that supply chain issues “continue to pose significant security risks,” including cases where machines include hardware components of foreign origin, or where election administrators deploy foreign-based software, cloud, or other remote services. The report lands as officials in several states are working to upgrade election equipment, and as lawmakers in Washington, D.C. debate federal election security legislation and funding.
Ultimately, the report notes flaws that have been acknowledged for years.
“As disturbing as this outcome is, we note that it is at this point an unsurprising result,” the authors conclude. “However, it is notable—and especially disappointing—that many of the specific vulnerabilities reported over a decade earlier…are still present in these systems today.”
The modality of the BMD systems’ capacity to deprive voters of their cast votes without burden, long wait times, and insecurity regarding how their votes are actually cast and recorded in the unverified QR code makes the potential constitutional deprivation less transparently visible as well, at least until any portions of the system implode….
The Plaintiffs’ national cybersecurity experts convincingly present evidence that this is not a question of “might this actually ever happen?” – but “when it will happen,” especially if further protective measures are not taken. Given the masking nature of malware and the current systems described here, if the State and Dominion simply stand by and say, “we have never seen it,” the future does not bode well.
Still, this is year one for Georgia in implementation of this new BMD system as the first state in the nation to embrace statewide implementation of this QR barcode-based BMD system for its entire population. Electoral dysfunction – cyber or otherwise – should not be desired as a mode of proof. It may well land unfortunately on the State’s doorstep. The Court certainly hopes not.
Japan's NICT has developed a real-time, 3D network monitoring system called Daedalus that can visualize traffic flow and alert administrators to virus infections and network attacks.
Which VPN is best and what can they do?
Mark Jaycox has written a long article on the US Executive Order 12333: “No Oversight, No Limits, No Worries: A Primer on Presidential Spying and Executive Order 12,333”:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3486701
Abstract: Executive Order 12,333 (“EO 12333”) is a 1980s Executive Order signed by President Ronald Reagan that, among other things, establishes an overarching policy framework for the Executive Branch’s spying powers. Although electronic surveillance programs authorized by EO 12333 generally target foreign intelligence from foreign targets, its permissive targeting standards allow for the substantial collection of Americans’ communications containing little to no foreign intelligence value. This fact alone necessitates closer inspection.
This working draft conducts such an inspection by collecting and coalescing the various declassifications, disclosures, legislative investigations, and news reports concerning EO 12333 electronic surveillance programs in order to provide a better understanding of how the Executive Branch implements the order and the surveillance programs it authorizes. The Article pays particular attention to EO 12333’s designation of the National Security Agency as primarily responsible for conducting signals intelligence, which includes the installation of malware, the analysis of internet traffic traversing the telecommunications backbone, the hacking of U.S.-based companies like Yahoo and Google, and the analysis of Americans’ communications, contact lists, text messages, geolocation data, and other information.
After exploring the electronic surveillance programs authorized by EO 12333, this Article proposes reforms to the existing policy framework, including narrowing the aperture of authorized surveillance, increasing privacy standards for the retention of data, and requiring greater transparency and accountability.
Jones • September 28, 2020 8:04 AM
There’s a great New York Times article on the NSA from 1983 that details how the agency was created by executive order and how Congress has never passed any law limiting its power or clarifying its scope:
https://www.nytimes.com/1983/03/27/magazine/the-silent-power-of-the-nsa.html
There’s another report by the Brennan Center called “What Went Wrong With the FISA Court?” that details the creation of FISA after the Church Committee hearings, and how post-911, FISA has been amended to require the types of activities that FISA was created to prevent:
https://www.brennancenter.org/our-work/research-reports/what-went-wrong-fisa-court
Both documents are important for understanding what EO 12333 means in practice today.
Cody • September 28, 2020 10:00 AM
Reagan’s EO 12333 replaced Gerald Ford’s EO 11905.
Ford’s 1976 EO was a reluctant response to the shocking revelations of the 1975 Senate ‘Church Committee’, which uncovered widespread illegal domestic spying activity (& illicit foreign interventions) by Federal agencies including USArmy, IRS, CIA, NSA. Most of the Church findings were kept classified from the American public.
Church did make public the discovery of “Operation SHAMROCK”, in which the major US telecommunications companies shared all their traffic with the NSA from 1945 to the early 1970s.
A 2015 study by Google titled “Secrets, Lies and Account Recovery” (PDF) found that secret questions generally offer a security level that is far lower than just user-chosen passwords. Also, the idea that an account protected by multi-factor authentication could be undermined by successfully guessing the answer(s) to one or more secret questions (answered truthfully and perhaps located by thieves through mining one’s social media accounts) is bothersome.