SS7 Cell Network Extensively Exploited by “Nefarious Actors”

“I don’t think most Americans realize how insecure US telephone networks are. If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC, and wireless companies do something about it. These aren’t just hypotheticals.”

The above statement was made last week by Senator Ron Wyden (D-Ore.) after getting a letter from the Department of Homeland Security warning that “nefarious actors may have exploited” worldwide cellular networks “to target the communications of American citizens.”

Wyden explained the issue on Tuesday in a separate letter to Ajit Pai, chairman of the Federal Communications Commission (FCC), the regulator responsible for interstate communications:

“Hackers can exploit SS7 flaws to track Americans, intercept their calls and texts, and hack their phones to steal financial information, know when they are at home or away, and otherwise prey on unsuspecting consumers. Moreover, according to multiple news reports, SS7 spying products are widely available to both criminal and foreign governments.”

Disturbingly, the letter reveals that:

“This threat is not merely hypothetical – malicious attackers are already exploiting SS7 vulnerabilities. One of the major wireless carriers informed my office that it reported an SS7 data breach, in which customer data was accessed, to law enforcement.”

It is not clear whether the warning refers to state-sponsored actors with political aims or to criminals after financial gain. Nor is it known which wireless carrier reported the breach or how much customer data was taken.

What is SS7?

Signaling System No. 7 (SS7) is the set of telephony signaling protocols that carriers around the world use to talk to each other. It is what lets networks set up and route calls, deliver text messages between operators, bill correctly, and allow subscribers to roam onto other networks.


SS7 dates from the 1970s and is old in technological terms. Critically, it was designed for a closed club of a few trusted carriers, so no security was built into it: there is no authentication of signaling peers, and any node connected to the network is trusted for whatever it asks.

Its weaknesses have been publicly known since at least 2008, and the situation has worsened since then. Where there were once only a handful of mobile networks, there are now literally thousands worldwide, all with SS7 access. The industry made no changes because the risks were treated as purely theoretical.

That changed in 2014, when SS7 weaknesses were reportedly used to record an unencrypted, and rather embarrassing, phone call between the US ambassador to Ukraine, Geoffrey Pyatt, and Assistant Secretary of State Victoria Nuland, in which the EU was sharply criticised.

It was widely assumed that encrypted messaging apps such as WhatsApp, Facebook Messenger, Google Hangouts, and Viber would keep communications safe regardless of the underlying phone network.

However, in 2016 security researchers showed that anyone with access to the SS7 network could intercept the SMS verification code such apps send when a phone number is registered, register the victim's number on a device they control, and so take over the account and its messages. The apps' encryption was not broken; the weakness is that they use the phone number, verified over SMS, as the user's identity.

In 2017, O2 Telefonica in Germany confirmed that criminals had used the SS7 network to redirect the SMS codes banks send to confirm transfers, bypassing SMS-based two-factor authentication (2FA) and emptying victims' bank accounts.
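The mechanics of that SMS redirect are worth seeing end to end. The following Python model is an added example, not code from the article or from any carrier; it reduces three real SS7 MAP operations (UpdateLocation, SendRoutingInfoForSM, MT-ForwardSM) to the fields that matter, and every subscriber identifier, node address and message in it is constructed. The "filtered" mode models, in simplified form, what an SS7 firewall or SMS home-routing setup does: refuse to believe a location update that does not come from a known roaming partner.

```python
from dataclasses import dataclass, field

# Constructed identifiers for the model: IMSI, phone number and the
# global titles (SS7 node addresses) are all made up for illustration.
VICTIM_MSISDN = "+491700000001"
VICTIM_IMSI = "262070000000001"
HOME_MSC_GT = "491700000100"       # victim's real serving switch
ATTACKER_MSC_GT = "372000000900"   # switch the attacker controls on the SS7 network


@dataclass
class MSC:
    """Mobile Switching Centre: the node that hands an SMS to the handset."""
    gt: str
    inbox: list = field(default_factory=list)

    def mt_forward_sm(self, imsi, text):
        # MAP MT-ForwardSM: the SMSC delivers to whichever MSC the HLR named.
        self.inbox.append((imsi, text))


@dataclass
class HLR:
    """Home Location Register: records which MSC currently serves each subscriber.
    Classic SS7 has no peer authentication, so an UpdateLocation from any node
    on the signaling network is accepted at face value."""
    msisdn_to_imsi: dict
    location: dict = field(default_factory=dict)
    trusted_peers: set = field(default_factory=set)
    filtered: bool = False  # True = model an SS7 firewall in front of the HLR

    def update_location(self, imsi, msc_gt, origin_gt):
        # MAP UpdateLocation: "subscriber IMSI is now served by MSC msc_gt".
        if self.filtered and origin_gt not in self.trusted_peers:
            return False  # firewall drops updates from unknown signaling peers
        self.location[imsi] = msc_gt
        return True

    def send_routing_info_for_sm(self, msisdn):
        # MAP SendRoutingInfoForSM: the SMSC asks where to deliver an SMS.
        imsi = self.msisdn_to_imsi[msisdn]
        return imsi, self.location[imsi]


class SMSC:
    """SMS centre used by the bank to send transaction codes (mTANs)."""
    def __init__(self, hlr, mscs):
        self.hlr = hlr
        self.mscs = mscs

    def deliver(self, msisdn, text):
        imsi, msc_gt = self.hlr.send_routing_info_for_sm(msisdn)
        self.mscs[msc_gt].mt_forward_sm(imsi, text)
        return msc_gt


def run_scenario(filtered):
    """Replay the attack against an open HLR (filtered=False) or one that only
    accepts location updates from known roaming partners (filtered=True)."""
    home = MSC(HOME_MSC_GT)
    attacker = MSC(ATTACKER_MSC_GT)
    hlr = HLR({VICTIM_MSISDN: VICTIM_IMSI}, trusted_peers={HOME_MSC_GT}, filtered=filtered)
    smsc = SMSC(hlr, {home.gt: home, attacker.gt: attacker})

    # Normal registration: the victim's phone attaches to its home network.
    hlr.update_location(VICTIM_IMSI, HOME_MSC_GT, origin_gt=HOME_MSC_GT)

    # Attack: a node with SS7 access claims the victim has roamed onto it.
    accepted = hlr.update_location(VICTIM_IMSI, ATTACKER_MSC_GT, origin_gt=ATTACKER_MSC_GT)

    # The bank's SMSC now sends the code; it goes wherever the HLR points.
    delivered_to = smsc.deliver(VICTIM_MSISDN, "mTAN for transfer of 2,000 EUR: 482913")

    return {
        "update_accepted": accepted,
        "delivered_to": delivered_to,
        "attacker_got_code": len(attacker.inbox) == 1,
        "victim_got_code": len(home.inbox) == 1,
    }


if __name__ == "__main__":
    print("open HLR:    ", run_scenario(filtered=False))
    print("filtered HLR:", run_scenario(filtered=True))
```

The point the model makes is that nothing in the exchange is forged in the cryptographic sense: the attacker simply says "this subscriber is with me now" and the HLR believes it, because the protocol was never given a way to doubt it. Note that the filtering shown is a simplification; real deployments combine SS7 firewalling with SMS home routing, and the bank-side fix is to stop treating an SMS as proof of possession at all.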

Action Time?

Wyden's letter urges the FCC to address the problem properly and to compile a list of the SS7 breaches known to have occurred over the last five years.

This is not the first call to action. In 2016, US Congressman Ted Lieu (D-Calif.) made a similar plea, calling for an Oversight Committee investigation into SS7:

“The applications for this vulnerability are seemingly limitless, from criminals monitoring individual targets to foreign entities conducting economic espionage on American companies to nation states monitoring US government officials. … The vulnerability has serious ramifications not only for individual privacy but also for American innovation, competitiveness, and national security. Many innovations in digital security – such as multi-factor authentication using text messages – may be rendered useless.”

An investigation did take place, but the FCC working group responsible for it was made up mainly of telecoms industry lobbyists and did not include a single academic expert.

SS7: Spies Love It!

Early concerns about SS7 centred on location tracking; now the fear is that personal data can be pulled from just about any phone user in the world.

As described above, it can also be used to take over accounts on encrypted messaging apps and to defeat SMS-based 2FA.

According to the Washington Post, “American, Chinese, Israeli and Russian intelligence agencies are the most active users of SS7 surveillance.”

Just this month it emerged that US police can locate almost any phone in the country within seconds. Worse still, barely days after that revelation it was reported that the same location data was easy for unauthorised parties to get at.

SS7 is a double-edged sword: security companies around the world make a living selling SS7 surveillance tools to governments and police forces, and criminals profit from the same weaknesses, as Brian Collins, chief executive of AdaptiveMobile Security, told the Washington Post.

Even knowing that SS7 is a threat to US national security, the US government appears to have little appetite to fix it. One plausible reason is that SS7's mass-surveillance capabilities are too valuable to give up.

 

Russia Wants Apple to Remove Telegram from its App Store

Putin's government is pressuring Apple to remove Telegram from its App Store as part of its continuing effort to curb the use of the popular encrypted messenger.

Russia’s telecoms watchdog Roskomnadzor has threatened Apple – warning that if it does not remove Telegram, the App Store itself could be blocked throughout Russia.

The threats come amid revelations that Telegram use in Russia remains high despite the authorities' attempts to block it. The block was imposed after Telegram founder Pavel Durov refused to hand over encryption keys that would let the state read users' messages.

The Kremlin says ISIS uses Telegram to plan attacks, and that claim was the stated justification for moving against the app in the first place.

Telegram lost its recent court appeal but still refuses to hand over the keys, saying it does not have them: for end-to-end encrypted chats the keys exist only on users' devices.

Block or Be Blocked


Roskomnadzor wants Telegram removed from the App Store and has also asked Apple to stop delivering push notifications to Russian Telegram users. The document reads: "To avoid possible actions by Roskomnadzor to disrupt the functioning of the above services, Apple, Inc. we ask you to inform us in the shortest possible time about further actions of the Company aimed at solving these problem issues."

Despite the Kremlin's efforts, then, many Russians are evidently still using VPNs and Telegram.

So far the Russian government has blocked large ranges of IP addresses belonging to Google Cloud and Amazon Web Services in its efforts to shut Telegram down. Now Roskomnadzor has Apple in its sights.

Why the Commotion?


Putin insists that he wants access to Telegram messages for national security reasons, but the general perception is that the real aim is to snoop on political opponents and dissidents, who are believed to use Telegram to communicate.

News recently broke of French authorities charging a suspect with plotting a terror attack; Paris police cited messages sent over Telegram as evidence in the case. This has led security experts to ask whether the French authorities have a Telegram backdoor, or access to keys either directly from Telegram or via UK intelligence and the 14 Eyes arrangement.

If so, one cannot help wondering whether Durov is quietly cooperating with British, French, and perhaps other government agencies, which would mean there is more to Russia's Telegram blockade than meets the eye.

What’s Next?

Russia has given Apple a one-month ultimatum.

Russia also blocked another 50 VPN services in May to further restrict Telegram use.

FBI Takes Control of Russian Botnet

The FBI has taken control of a massive botnet believed to have been run by hackers working for the Kremlin. The malware, known as VPNFilter, was discovered by researchers at Cisco Talos. It lets the operators hijack routers and turn them into a malicious proxy network, used to mask the attackers' real IP addresses during subsequent attacks.

According to the Talos report released on 23 May, the malware has been in the wild since at least 2016 and is thought to have infected around 500,000 devices in 54 countries. Talos said the sophistication of the modular malware points to a state-sponsored operation.

FBI agents say the threat actor is probably Sofacy, a hacking group attributed to the Russian state that has been tracked over the past five years under many names, including APT28, Sednit, Fancy Bear, Pawn Storm, Grizzly Steppe, STRONTIUM, and Tsar Team. From the affidavit:

“The Sofacy group is a cyber-espionage group believed to have originated from Russia. Likely operating since 2007, the group is known to typically target government, military, security organizations, and other targets of intelligence value.”


VPNFilter uses a multi-stage design similar to other router malware. The first stage, which survives a reboot, does little more than locate the command-and-control (CnC) server and download the next stage from it.

The second stage lets the operators intercept traffic, steal data, collect files, and execute commands. Further plug-in modules may also have been delivered, and devices on the network behind the router may have been affected as well.


FBI Takes Control

After months of monitoring the situation, security researchers working with the FBI were successful in pinpointing the domain name used by the advanced hackers.

An affidavit filed on 23 May reveals that agents had been working on the case since August, when a Pittsburgh resident voluntarily handed over an infected router.

When news of the infection became public, the FBI acted swiftly to get a warrant from a Pennsylvania judge to take control of the toKnowAll.com domain.

With the CnC domain under FBI control, owners of affected devices around the world have been asked to reboot them. A reboot wipes the non-persistent second stage, and the persistent first stage then reaches out to the domain, which now points at an FBI-controlled server; this gives the Bureau a clear picture of how many devices are infected and where. The FBI said it intends to compile the infected IP addresses and pass them to ISPs and public- and private-sector partners for clean-up, before the attackers can stand up a new CnC server and rebuild the botnet.
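Network defenders do not have to wait for the FBI's list: a lookup of the seized domain from inside your network is itself a strong sign of a device still running the persistent first stage. The script below is an added example, not FBI or Talos tooling, and uses only the one indicator the article names, toKnowAll.com. The log lines are constructed in dnsmasq's query-log format (not a real capture), and the answer address 198.51.100.7 is a documentation address standing in for the sinkhole.

```python
import re
from collections import defaultdict

# The only indicator taken from the article: the stage-2 CnC domain the FBI
# seized. Matching is case-insensitive and covers subdomains.
VPNFILTER_C2_DOMAINS = {"toknowall.com"}

# Constructed dnsmasq-style query log (not a real capture). 192.168.1.1 plays
# an infected router whose stage-1 code looks up the CnC domain after a reboot.
SAMPLE_LOG = """\
May 24 06:01:11 gw dnsmasq[1123]: query[A] www.example.org from 192.168.1.20
May 24 06:01:12 gw dnsmasq[1123]: query[A] toknowall.com from 192.168.1.1
May 24 06:01:12 gw dnsmasq[1123]: reply toknowall.com is 198.51.100.7
May 24 06:07:40 gw dnsmasq[1123]: query[AAAA] updates.vendor.example from 192.168.1.55
May 24 06:09:02 gw dnsmasq[1123]: query[A] notknowall.com from 192.168.1.77
May 24 06:31:12 gw dnsmasq[1123]: query[A] ToKnowAll.com. from 192.168.1.1
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)$"
)


def is_c2_lookup(qname, c2_domains=VPNFILTER_C2_DOMAINS):
    """True if qname is a CnC domain or a subdomain of one. Matching is done on
    whole labels, so 'notknowall.com' does not match 'toknowall.com'."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in c2_domains)


def find_infected_hosts(log_text, c2_domains=VPNFILTER_C2_DOMAINS):
    """Return {source_ip: [timestamps]} for every query to a CnC domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m and is_c2_lookup(m["qname"], c2_domains):
            hits[m["src"]].append(m["ts"])
    return dict(hits)


if __name__ == "__main__":
    for ip, times in find_infected_hosts(SAMPLE_LOG).items():
        print(f"{ip}: {len(times)} lookup(s) of a VPNFilter CnC domain, first at {times[0]}")
```

Run it over your resolver's query log rather than the sample; the source address of the query is the device to pull and reflash. Because the first stage persists, a router that is merely rebooted will keep appearing in this output until it is factory-reset and updated.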

 

 

BPI Calls for Piracy Crackdown Under New UK Internet ‘Clean-Up’ Laws

This week, Matt Hancock, Secretary of State for Digital, Culture, Media, and Sport, said new measures would be taken to clean up the "Wild West" elements of the Internet. Music industry group BPI responded that the Government should use the opportunity to tackle piracy with stronger site-blocking measures, repeat-infringer policies, and new responsibilities for service providers.

The UK Government has for the past several years expressed a strong desire to “clean up” the Internet.

There has been an intense emphasis on making the Internet safer for children, but that’s just the tip of the iceberg.

This week, the Government published its response to the Internet Safety Strategy green paper, stating unequivocally that more needs to be done to tackle "online harm".

With six in ten people reporting some form of "online harm", the Government said that its work with social media companies to protect users had produced some results, but that the overall picture remains unsatisfactory.

For this reason, the Government will introduce new legislation, developed with technology companies, children's charities and other stakeholders.

The Government has made clear that it wants to tackle "the full range" of online harms, even though the emphasis is on cyberbullying and online child exploitation. The move has been warmly received by UK music group BPI, which is now asking the Government to add measures against Internet piracy.

BPI chief executive Geoff Taylor, in a statement issued this week, welcomed the move towards legislative change and urged the Government to extend it to cover the music industry and beyond.

The BPI has published four initial requests.

  • Establish a new fast-track process for blocking unauthorized sites.
  • Compel online platforms to stop content from being re-posted after it’s been taken down while removing the accounts of repeat infringers.
  • Fines for “online operators” who do not give “transparent contact and ownership information.”
  • Pass laws creating a new "duty of care" for online intermediaries and platforms.

The Department for Digital, Culture, Media & Sport and the Home Office will publish a White Paper later this year setting out legislation to tackle "online harms". The BPI and similar bodies will be hoping it covers piracy as well.

 

eFail Attack on PGP and S/MIME Encryption

The EFF, backed by security researchers, has issued a warning over PGP and S/MIME email encryption: stop using them, at least for now.

PGP is widely regarded as the safest way to send secure email, although it does not encrypt metadata and is not the easiest thing to use.

 

Sebastian Schinzel, Professor of computer security at Münster University of Applied Sciences, on 14 May tweeted: “We’ll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past.”

Schinzel is a respected security researcher who has uncovered many cryptographic vulnerabilities. His best-known finding is the 2016 DROWN attack, which he co-discovered and which put around a third of all HTTPS servers in the world at risk.

The Electronic Frontier Foundation (EFF) has confirmed the vulnerability:
“A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.”

It is best to follow the EFF’s advice.

The EFF's article links to tutorials on disabling the PGP plug-ins for Thunderbird (Enigmail), Apple Mail (GPGTools), and Outlook (Gpg4win).

It does not mention removing standalone tools such as Gpg4win itself or browser add-ons such as Mailvelope.

S/MIME

S/MIME serves the same purpose as PGP but with a different trust model. S/MIME uses certificates issued by a certificate authority that bind a public key to an email address, whereas PGP users generate their own key pairs and establish trust directly, by exchanging and signing each other's public keys (the web of trust). In both systems the private key stays with its owner and is never shared.

Closing

You should avoid using PGP and S/MIME to encrypt email until the issue is fully fixed. Note that the flaws lie largely in how mail clients handle decrypted HTML content rather than in the underlying cryptography, so disabling HTML rendering and remote content loading in your mail client reduces exposure in the meantime; until your client is patched, decrypting outside the mail client is the safer route.

 

Image credit: By arka38/Shutterstock.

 

New Zealand’s New Privacy Bill

A new privacy bill, first introduced in March, is going through New Zealand's parliament. It aims to replace the outdated Privacy Act 1993.

Public submissions on the bill close this Thursday, May 24, after which the Select Committee will examine it and decide whether amendments are needed. The government hopes the new law will "promote people's confidence that their personal information is secure and will be treated properly".

Enhanced Privacy for New Zealanders

John Edwards, New Zealand's Privacy Commissioner, has said he hopes the new law will give his office "meaningful enforcement powers, such as an ability to seek fines for serious non-compliance".

Edwards believes that, like its European counterparts, New Zealand should make it mandatory for companies to disclose data breaches, with fines of up to $10,000 for businesses that fail to report them.

This will be critical in making New Zealand based firms alert to data breaches and cyber-attacks.

Edwards also wants the new legislation to address automated processes “that can affect access or entitlement to goods and services”.

Why Not Before?

The New Zealand Law Commission recommended an update to the Privacy Act back in 2011, but nothing came of it. It is fair to suggest that the EU's GDPR played a part in finally turning this bill into reality.

This is a good sign for digital privacy around the world.

Immaculate Timing

The timing could hardly be better, given the ongoing revelations about corporate data mining, Facebook's above all.

The recent Cambridge Analytica disaster shed light on how corporations are mining data through social media.

Taking into account the many other incidents of recent years, it is fair to say that New Zealand's bill is overdue.

What’s Next?

This Thursday, the bill goes back to the Select Committee to address any outstanding issues. It will then be reported back for its second reading, after which the Committee of the Whole House will consider it before the third reading. Once it passes the third reading, the bill receives Royal Assent and becomes law.

Are Companies Devoting Enough to Cyber Security?

Cyber attacks have become not only more common but more devastating. The WannaCry ransomware outbreak of 12 May 2017 is a prime example: it struck hundreds of thousands of computers in more than 150 countries and brought down some of the world's most prominent organisations, including the UK's National Health Service (NHS).

The Likely Calamity from Cyber Attacks

WannaCry crippled the NHS to the point that critical work had to be postponed, and the resulting backlog has still not been fully cleared.

The NHS could have avoided WannaCry altogether, an outbreak that cost around £180,000 at specific NHS bodies alone.

The post-incident audit found that basic IT security hygiene, such as applying the patches that were already available, would have prevented the attack and its enormous backlog. In the end the attack cost far more than a properly implemented security programme would have.

The cost of an attack depends on the method used and on the security measures already in place, but on average an attack sets a US company back around $225,000, and a UK company around $150,000.

The average annual cost of cybercrime per organisation is put at around $11.7 million, an increase of 22.7% on the previous year.

The Rise in Cybersecurity Expenditure

Thales e-Security reports that 73% of surveyed firms expect their cybersecurity spending to rise over the course of the year.

Making the Right Moves

Keeping security in-house is often safer than contracting it out: every third party you share data with widens the attack surface, and data spread across outside providers is hard to control.

In-house security keeps sensitive information under direct control, whereas handing data to a third party means trusting their controls as well as your own.

New Forms of Cyber Attacks Requires Better Solutions

Companies have to find better solutions to stay a step ahead of attackers. Attacks are becoming steadily more sophisticated, so defences have to keep pace.

Spend Wisely for Best Results

Companies may have plenty of money to spend on cybersecurity, but spending it in the right places is what counts. The margin between getting it right and losing thousands or millions of dollars is slim.