A rumored vulnerability in Signal appears to have been a false alarm. Here’s what to know.

Welcome to The Cybersecurity 202! I know he had the night off last night, but if you’ve been watching Victor Wembanyama in (admittedly nonserious) NBA action, it’s hard not to see that he can live up to the hype.


Below: A telecom group pushes back on FCC’s security sales pitch for Title II rules, and CISA updates its secure-by-design guidance. First:

The Signal vulnerability that wasn’t

Rumors of a previously undisclosed vulnerability in the encrypted messaging app Signal briefly set the cybersecurity world abuzz this week, only for Signal itself to reply, saying it was a “false alarm.”

“Important PSA for those who received the odd viral report of a vuln in Signal,” the president of Signal, Meredith Whittaker, said Tuesday on X, formerly known as Twitter. “After investigating: WE HAVE NO EVIDENCE THAT THE REPORT IS REAL. Pls share with anyone who passed you this info. The vague and viral form of the report has the hallmarks of a disinfo campaign.”

The incident generated a discussion online about the potential risks of false vulnerability news. It also served as a parallel to another kind of not-infrequent cyber scare, when an organization’s service goes down and unfounded rumors spread that it was caused by a cyberattack — itself posing its own risks.

The rumors appeared to start when people asserted that unnamed government sources said there was a zero-day vulnerability related to Signal’s “Generate Link Preview” feature.

Despite being a trusted encrypted app for journalists, human rights activists and others, Signal isn’t invulnerable — no such tech probably exists.

  • A 2022 phishing breach at Twilio, the vendor Signal used for SMS phone-number verification, meant that for about 1,900 users attackers “could have attempted to re-register their number to another device or learned that their number was registered to Signal,” as Signal explained. (The attackers did exactly that to cybersecurity journalist Lorenzo Franceschi-Bicchierai’s number, Franceschi-Bicchierai wrote last year.)
  • Signal messages are end-to-end encrypted, so only the sender and recipient should be able to read them, yet prosecutors used Signal messages in the trial of Oath Keepers leader Stewart Rhodes. It’s unknown how they obtained them, but it’s possible some of the senders or recipients showed prosecutors undeleted messages from their own devices.
  • If there was a Signal zero-day, it could fetch a hefty price to private sector brokers of such vulnerabilities — at least $1.5 million.

At least one cyber professional — Jon DiMaggio, chief security strategist at Analyst1 — allowed for the possibility that something was going on with Signal despite the president’s message. “If not true, why all the talk?” he asked on X.

But most of the response from the cybersecurity community was warning that spreading news of false vulnerabilities was potentially dangerous, or at least silly.

“Viral & unsubstantiated warnings about secure messaging apps can push people to *less safe apps*,” John Scott-Railton, senior researcher at the University of Toronto’s Citizen Lab, said in a tweet thread. “In Ukraine, for example, we saw a vague warning about @WhatsApp last year. Result? Some ppl moved sensitive chats to platforms Russia might have an *easier* time snooping on.”

John Hammond, a cybersecurity researcher with Huntress Labs, took a more humorous approach before Signal’s denial.

To safeguard against the supposed vulnerability, Signal users could disable the “Generate Link Preview” feature, U.S. government sources allegedly said as part of the rumor. That setting has the sender’s app fetch a linked page to render a thumbnail and title, so turning it off stops the client from retrieving and parsing remote content simply because a URL was pasted into a message.

Before Signal’s denial, Johns Hopkins University cryptographer Matthew Green said that wouldn’t have been much to ask.

“PS If a viral report goes around saying there’s a vulnerability and you should turn off link previews, there’s really not a lot of cost to being cautious for a day or two,” he said on X. “It’s not like someone is asking you to inject chlorine into your veins.”

Everything has vulnerabilities, noted security researcher Will Dormann. But spreading “unsubstantiated claims that there’s an ‘0day’ in an app, well, you’re not helping anyone,” he tweeted.

It reminded Graham Cluley, the security blogger and former cybersecurity pro, of an old maxim.

Telecom group pushes back on FCC’s security sales pitch for Title II rules

As the Federal Communications Commission works to build broad support for a process it will soon begin to expand its regulatory power over internet providers, a prominent industry group is pushing back against the agency’s sales pitch that reclassification would give the telecom regulator more power to keep bad actors from breaching communications infrastructure.

  • The FCC will kick off a new rulemaking process Thursday to reclassify broadband as a Title II service, giving it the ability to bring back “net neutrality” rules that were jettisoned in 2017. Chairwoman Jessica Rosenworcel last month also said reinstating Title II would “give the FCC and its national security partners the tools needed to defend our networks from potential security threats.”

But an Oct. 16 USTelecom letter addressed to the leaders of the Senate and House intelligence committees argues that the agency “is veering into the complex realm of cybersecurity and national security via top-down regulation rather than collaborative partnership,” and that reclassification would not improve the U.S. national security posture.

  • The concerns echo the views of some cybersecurity policy and legal sources who previously told The Post that the commission has already done significant work to keep potential cyberthreats off U.S. networks, and that a Title II revamp wouldn’t give it much more runway to handle national security matters.
  • The missive also argues the move could be burdensome for security product innovation, and that Congress has not directed the agency to address broadband cybersecurity.

For its part, the commission argues that while it is already involved in federal cybersecurity planning, its ability to update cyber standards for communications networks is limited unless its authority is updated. One example: it can restrict phone carriers deemed national security risks, but it has no equivalent power over broadband providers.

  • “The FCC is the expert agency with telecommunication network experience, and as such it should always have a seat at the table,” FCC spokesperson Jonathan Uriarte said. “Anyone suggesting that the agency is better off taking on bad actors with one hand tied behind its back should consider how this would undermine the FCC’s successful work to deny foreign-owned companies deemed a national security threat access to our nation’s most vital communication networks.”

U.S. pushing countries to not pay hacker ransoms

The United States is pushing a group of governments to publicly commit to not paying hackers’ ransoms ahead of an annual meeting with 45 nations in Washington later this month, Bloomberg News’s Katrina Manson reports.

  • Manson writes: “Anne Neuberger, deputy national security adviser, told Bloomberg News that she is ‘incredibly hopeful’ about enlisting support for such a statement but acknowledged it’s a ‘hard policy decision.’ If members can’t agree to the statement in advance of the meeting, then it will be included as a discussion point, she said.”
  • “Ransom payments are what’s driving ransomware,” she said. “That’s the reason we think it’s so needed.”

A Biden administration-backed ransomware task force reconvened for its two-year anniversary in May, where leaders told your newsletter host that steady progress has been made on developing ransomware deterrence and disrupting ransomware operatives, but more work was still needed.

Ahead of the Oct. 31 meeting, which will push nations further to deter engagement with ransomware actors, Neuberger said: “We’re going to eradicate the ghost of Colonial Pipeline,” in reference to the high-profile 2021 ransomware attack on a major U.S. fuel pipeline operator.

  • A recent Splunk report indicates that organizations are increasingly deciding to pay ransomware demands. 
  • Relatedly, our March experts survey predicted that ransomware would be worse in 2023 than last year.

CISA out with new batch of secure-by-design guidance

The Cybersecurity and Infrastructure Security Agency and 17 international partners rolled out updates to a “secure-by-design” guidance document that seeks to help software providers build products that are resistant to attack out of the box, rather than leaving customers to harden them.

“Initially published in April 2023, this joint guidance urges software manufacturers to take urgent steps necessary to ship products that are secure by design and revamp their design and development programs to permit only secure by design products to be shipped to customers,” CISA says.

  • Japan, Korea, Israel and the Czech Republic are among the international partners that the updated guidance was published in partnership with.
  • The report sought to provide manufacturers more detail on how to follow key protective recommendations including steps to take ownership of customers’ security, embrace high degrees of transparency and accountability, and build a company structure to achieve such goals.

CISA and the National Security Agency on Oct. 5 unveiled a listing of the 10 most common security misconfigurations their assessment teams find in large organizations’ networks, and urged software makers to eliminate them by shipping secure defaults. Top misconfigurations include running applications with their default settings in place, insufficient internal network monitoring, poor management of software patches and weak or misconfigured multifactor authentication (MFA).

US Treasury inks cybersecurity agreement with United Arab Emirates (The Record)

What are federal agencies doing to fill out the cyber workforce? (Nextgov/FCW)

CISA, FBI urge admins to patch Atlassian Confluence immediately (Bleeping Computer)

Trump placed under limited gag order in federal election case in D.C. (By Rachel Weiner, Perry Stein, Tom Jackman, Devlin Barrett and Spencer S. Hsu)

From high life hackers to national menace: The rise and fall of digital bandits ‘ACG’ (404 Media)

UK minister urges greater access to intelligence for political parties (Financial Times)

WhatsApp turns on passwordless logins with passkeys for Android users (The Verge)

Colorado court OKs use of Google Search data in murder case (Bloomberg News)

A surveillance tower in Mexico becomes an unsettling landmark for privacy advocates (The Record)

  • NIST Emerging Technologies Director Elham Tabassi and others testify to the House Science Committee on AI governance tomorrow at 10 a.m.
  • The House Energy and Commerce Committee holds a hearing on data privacy and AI tomorrow at 10 a.m.

Thanks for reading. See you tomorrow.

