signal

the-atlantic-publishes-texts-showing-trump-admin-sent-bombing-plan-to-reporter

The Atlantic publishes texts showing Trump admin sent bombing plan to reporter

Policy, signal, trump administration / /

White House didn’t want texts released

Prior to running its follow-up article, The Atlantic asked Trump administration officials if they objected to publishing the full texts. White House Press Secretary Karoline Leavitt emailed a response:

As we have repeatedly stated, there was no classified information transmitted in the group chat. However, as the CIA Director and National Security Advisor have both expressed today, that does not mean we encourage the release of the conversation. This was intended to be a an [sic] internal and private deliberation amongst high-level senior staff and sensitive information was discussed. So for those reason [sic]—yes, we object to the release.”

Obviously, The Atlantic moved ahead with publishing the texts. “The Leavitt statement did not address which elements of the texts the White House considered sensitive, or how, more than a week after the initial air strikes, their publication could have bearing on national security,” the article said.

On Monday, the National Security Council said it was “reviewing how an inadvertent number was added to the chain.” Trump publicly supported Waltz after the incident, but Politico reported that “Trump was mad—and suspicious—that Waltz had Atlantic editor-in-chief Jeffrey Goldberg’s number saved in his phone in the first place.” One of Politico’s anonymous sources was quoted as saying, “The president was pissed that Waltz could be so stupid.”

Senate Armed Services Chairman Roger Wicker (R-Miss.) said the committee will investigate, according to The Hill. “We’re going to look into this and see what the facts are, but it’s definitely a concern. And you can be sure the committee, House and Senate, will be looking into this… And it appears that mistakes were made, no question,” he said.

The White House said its investigation is being undertaken by the National Security Council, the White House Counsel’s office, and a group led by Elon Musk. “Elon Musk has offered to put his technical experts on this to figure out how this number was inadvertently added to the chat, again to take responsibility and ensure this can never happen again,” Leavitt told reporters.

The Atlantic publishes texts showing Trump admin sent bombing plan to reporter Read More »

russia-aligned-hackers-are-targeting-signal-users-with-device-linking-qr-codes

Russia-aligned hackers are targeting Signal users with device-linking QR codes

apt44, Biz & IT, device linking, Google, GRU, qr codes, russian threat actors, Security, signal, threat intelligence / /

Signal, as an encrypted messaging app and protocol, remains relatively secure. But Signal’s growing popularity as a tool to circumvent surveillance has led agents affiliated with Russia to try to manipulate the app’s users into surreptitiously linking their devices, according to Google’s Threat Intelligence Group.

While Russia’s continued invasion of Ukraine is likely driving the country’s desire to work around Signal’s encryption, “We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” writes Dan Black at Google’s Threat Intelligence blog.

There was no mention of a Signal vulnerability in the report. Nearly all secure platforms can be overcome by some form of social engineering. Microsoft 365 accounts were recently revealed to be the target of “device code flow” OAuth phishing by Russia-related threat actors. Google notes that the latest versions of Signal include features designed to protect against these phishing campaigns.

The primary attack channel is Signal’s “linked devices” feature, which allows one Signal account to be used on multiple devices, like a mobile device, desktop computer, and tablet. Linking typically occurs through a QR code prepared by Signal. Malicious “linking” QR codes have been posted by Russia-aligned actors, masquerading as group invites, security alerts, or even “specialized applications used by the Ukrainian military,” according to Google.

Apt44, a Russian state hacking group within that state’s military intelligence, GRU, has also worked to enable Russian invasion forces to link Signal accounts on devices captured on the battlefront for future exploitation, Google claims.

Russia-aligned hackers are targeting Signal users with device-linking QR codes Read More »

imessage-gets-a-major-makeover-that-puts-it-on-equal-footing-with-signal

iMessage gets a major makeover that puts it on equal footing with Signal

Apple, Biz & IT, iMessage, messaging apps, MESSENGER, quantum computing, Security, signal / /
Stylized illustration of key.

iMessage is getting a major makeover that makes it among the two messaging apps most prepared to withstand the coming advent of quantum computing, largely at parity with Signal or arguably incrementally more hardened.

On Wednesday, Apple said messages sent through iMessage will now be protected by two forms of end-to-end encryption (E2EE), whereas before, it had only one. The encryption being added, known as PQ3, is an implementation of a new algorithm called Kyber that, unlike the algorithms iMessage has used until now, can’t be broken with quantum computing. Apple isn’t replacing the older quantum-vulnerable algorithm with PQ3—it’s augmenting it. That means, for the encryption to be broken, an attacker will have to crack both.

Making E2EE future safe

The iMessage changes come five months after the Signal Foundation, maker of the Signal Protocol that encrypts messages sent by more than a billion people, updated the open standard so that it, too, is ready for post-quantum computing (PQC). Just like Apple, Signal added Kyber to X3DH, the algorithm it was using previously. Together, they’re known as PQXDH.

iMessage and Signal provide end-to-end encryption, a protection that makes it impossible for anyone other than the sender and recipient of a message to read it in decrypted form. iMessage began offering E2EE with its rollout in 2011. Signal became available in 2014.

One of the biggest looming threats to many forms of encryption is quantum computing. The strength of the algorithms used in virtually all messaging apps relies on mathematical problems that are easy to solve in one direction and extremely hard to solve in the other. Unlike a traditional computer, a quantum computer with sufficient resources can solve these problems in considerably less time.

No one knows how soon that day will come. One common estimate is that a quantum computer with 20 million qubits (a basic unit of measurement) will be able to crack a single 2,048-bit RSA key in about eight hours. The biggest known quantum computer to date has 433 qubits.

Whenever that future arrives, cryptography engineers know it’s inevitable. They also know that it’s likely some adversaries will collect and stockpile as much encrypted data now and decrypt it once quantum advances allow for it. The moves by both Apple and Signal aim to defend against that eventuality using Kyber, one of several PQC algorithms currently endorsed by the National Institute of Standards and Technology. Since Kyber is still relatively new, both iMessage and Signal will continue using the more tested algorithms for the time being.

iMessage gets a major makeover that puts it on equal footing with Signal Read More »