web analytics

CISA Recommends Encrypted Messaging Apps as Telecom Security Questioned  – Source:cyble.com

cisa-recommends-encrypted-messaging-apps-as-telecom-security-questioned -–-source:cyble.com
Rate this post

Source: cyble.com – Author: Ashish Khaitan.

The security of U.S. telecom networks has come under fresh scrutiny in recent months, with the latest example coming this week when the Cybersecurity and Infrastructure Security Agency (CISA) recommended that individuals in need of high security use encrypted messaging apps for mobile communications. 

Concern grew in October when CISA and the FBI confirmed that China-linked threat actors had infiltrated telecom networks in an attempt to spy on President-elect Donald Trump and the campaign of Vice President Kamala Harris, among other top U.S. officials. 

Congressional hearings followed, including an extraordinary admission from Senator Mark Warner that “thousands and thousands and thousands” of vulnerable telecom network devices might need to be replaced. 

“Unlike some of the European countries where you might have a single telco, our networks are a hodgepodge of old networks,” Warner told the Washington Post. “The big networks are combinations of a whole series of acquisitions, and you have equipment out there that’s so old it’s unpatchable.” 

Guidance earlier this month from U.S. cyber and national security agencies and counterparts in Canada, Australia and New Zealand offered comprehensive advice for hardening and securing global telecom networks in light of the attacks, and the U.S. Federal Communications Commission (FCC) said it would take steps to mandate stronger telecom security. 

Attention Turns to SS7 and Diameter as List of Attackers Grows 

Recently, the security of the 40-year-old Signaling System No. 7 (SS7) telecom protocols used in 2G and 3G SMS and phone services – as well as international roaming – came under renewed scrutiny over SS7’s potential to allow location tracking, interception of voice data and multi-factor authentication keys, as well as the protocol’s potential as a spyware delivery vector. The 4G and 5G Diameter protocol also has location tracking vulnerabilities, and 4G and 5G users could also find themselves downgraded to SS7 when roaming. 

Senator Ron Wyden earlier this month released 23 pages of correspondence with the U.S. Department of Defense (DoD) detailing insecurities in telecom messaging systems and the SS7 and Diameter protocols. Wyden and Senator Eric Schmitt asked DoD Inspector General Robert Storch to “investigate the Department of Defense’s (DOD) failure to secure its unclassified telephone communications from foreign espionage.” 

“Teams and certain other platforms utilized by DOD are not end-to-end encrypted by default, causing concerning gaps in security that could easily be mitigated,” the Senators wrote. “End-to-end encrypted voice, video, and text messaging tools such as Signal, WhatsApp, and FaceTime better protect communications in the event that the company that offers the service is hacked.” 

DoD has begun limited pilots of a potentially more secure platform known as Matrix that is widely used by NATO allies, but the senators said the Defense Department needs to do more. 

The letter included a number of appendices detailing correspondence between Wyden’s staff and the DoD. 

In one, Wyden’s staff asked the DoD if it agreed with three statements by the Department of Homeland Security on SS7’s and Diameter’s security shortcomings that were included in a 2017 report – and the DoD responded that it agreed with the statements. 

The three DHS statements the DoD agreed with are: 

  • DHS “believes that all U.S. carriers are vulnerable to [SS7 and Diameter] exploits, resulting in risks to national security, the economy, and the Federal Government’s ability to reliably execute national essential functions.” 
  • DHS “believes SS7 and Diameter vulnerabilities can be exploited by criminals, terrorists, and nation-state actors/foreign intelligence organizations.” 
  • DHS “believes many organizations appear to be sharing or selling expertise and services that could be used to spy on Americans.” 

Wyden also said he had seen an unreleased CISA report from 2022 detailing U.S. telecom security issues that contained “alarming details about SS7-related surveillance activities involving U.S. telecommunications networks.” 

Wyden asked if DoD was “aware of any incidents in 2022 or 2023 in which DoD personnel, whether located in the U.S. or outside the U.S, were surveilled through SS7 and Diameter enabled technologies?” 

The DoD replied that the question “Requires a classified response.” 

Wyden sent the DoD a slide from a 2017 DHS event (not included in the documents) that identified the “primary countries reportedly using telecom assets of other nations to exploit U.S. subscribers. Those countries, according to the DHS presentation, are Russia, China, Israel and Iran.” 

Wyden said Russia, China, Israel and Iran had also used telecom assets of countries in Africa, Central and South America, Europe, the Middle East, and Africa to “attack US subscribers … indicating that these foreign governments are using SS7 to target U.S. users, and that these SS7 attack are being routed through 3rd country networks.” 

Asked if it agreed with those assessments, the DoD replied that it “is not in a position to render an assessment without access to the underlying data that informed this presentation.” 

CISA’s Encrypted Messaging Guidance 

With that background, CISA’s guidance issued this week merits particularly close attention by anyone engaged in sensitive communications, especially those who may come under international roaming. 

The CISA document includes specific recommendations for Android and iPhone devices, but general guidance includes: 

  • Using a free messaging application for secure communications that guarantees end-to-end encryption, such as Signal or similar apps. 
  • Enable Fast Identity Online (FIDO) phishing-resistant authentication. 
  • Take inventory of valuable accounts, including email and social media and review any accounts where information leakage would benefit threat actors 
  • Enroll each account in FIDO-based authentication, especially Microsoft, Apple, and Google accounts. Once enrolled in FIDO-based authentication, disable other less secure forms of MFA. 
  • For Gmail users, enroll in Google’s Advanced Protection (APP) program to strengthen defenses against phishing and account hijacking. 
  • Migrate away from Short Message Service (SMS)-based MFA and disable SMS as a second factor for authentication. 
  • Use a password manager to store all passwords. 
  • Set a Telco PIN and MFA for mobile phone accounts to protect against SIM-swapping techniques. 

Related

Original Post url: https://cyble.com/blog/us-telecom-networks-security/

Category & Tags: Telecommunications,CISA,FIDO,Telecom networks – Telecommunications,CISA,FIDO,Telecom networks

Views: 2

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Practical DevSecOps
API Security Fundamentals – Your Handy Guide to Building an Unhackable System by practical-devsecops.com
API Security Fundamentals – Your...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos