Secure Messaging E061

William Malik
How Vulnerable are Messaging Services? E061
A Bit of Security for April 15, 2025
There has been some talk about secure messaging recently. Here are some things to do if you want to have a secure, private conversation.
First, do not use public Wi-Fi. When you connect to a public Wi-Fi system you identify yourself to the system by clicking on its link, then entering some information. It’s not the information that presents the problem; it’s the act of clicking on the link. When you do that, you give that application permission to run things on your cellphone. Those things can include installing malware, spyware, key loggers; downloading information including your SIM identifier, your contact lists, your call history, your browser history, your phone’s make and model, and all your permissions and settings, any and all applications you are running; intercepting and stealing any crypto wallets you might have; installing crypto mining software on your device or any devices you might connect with; and modifying your access control settings, your default installation passwords, your privacy settings, your preferred browser, any stored passwords you might have, any transaction history you have, and updating any browser extensions associated with any browsers you are running and any controls you have over your location services, camera, microphone, near-field and Bluetooth communications, and anything else that might be of interest to any attacker, or foreign government, on your phone.
Other than that, you are perfectly secure.
When traveling to potentially insecure locations, use a burner phone. But be careful where you source that device – many third-party phone stores sell counterfeit devices, which are loaded with malware. You can use the Ctl-Z app to verify the hardware configuration on your Android phone. Using a burner phone allows you to destroy the device when you are done with the trip. Only install needed information on it prior to your trip. But, once you connect to a host, any malware you picked up will traverse the same route. So only connect through a limited function portal (this is a network access control capability now included in the zero-trust architecture) and minimize the amount of data you choose to access. Assume that everything you see is being read and copied.
Do not use biometric authentication. Police can compel you to show your face or extend your hand. Police cannot compel you to enter a password. It is a good practice to set your phone up with a password limit, so if you enter the wrong password, the phone locks or even wipes the data. Allow remote wiping of data through an administrative interface, as well.
If you must transmit sensitive information, use a one-time pad. Mathematical encryption can be hacked, and as we’ve discussed, the unencrypted data will be visible to any spyware on your phone while you are reading it. As an example, a book code is uncrackable to anyone not having the reference book available. You and the person you’re communicating with pick a book. Never mention the particular book you pick – that’s the shared secret. In this example we will use the Fanny Farmer Cookbook, eighth printing, 2003. To send the message “Have Gold in Section 254”:
78-3-15 encodes the word “have” – page 78, line 3, 15th word.
544-2-2 encodes the word “gold”
733-31-3 “section”
254-0-0
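The page-line-word scheme above, worked through as an added example (not part of the original episode notes). The small BOOK below is constructed text standing in for the shared book, and reading 254-0-0 as "the literal number 254" is an assumption drawn from the sample message.

```python
import re
import secrets

# Constructed stand-in for the shared book: page number -> list of lines.
# The real key is the agreed printed edition, which is never named or sent.
BOOK = {
    12: ["we have flour and sugar in the pantry",
         "fold the butter in slowly"],
    40: ["a gold crust means the pie is done",
         "serve each section warm"],
    41: ["you will have enough for six"],
}

def build_index(book):
    """Map each word to every (page, line, word) position, all 1-based."""
    index = {}
    for page, lines in book.items():
        for ln, text in enumerate(lines, start=1):
            for wn, word in enumerate(text.lower().split(), start=1):
                index.setdefault(word, []).append((page, ln, wn))
    return index

def encode(message, book):
    """Turn a message into page-line-word codes; numbers become N-0-0."""
    index = build_index(book)
    out = []
    for token in re.findall(r"[A-Za-z']+|\d+", message):
        if token.isdigit():
            out.append(f"{token}-0-0")  # assumed convention for a literal number
            continue
        spots = index.get(token.lower())
        if not spots:
            raise ValueError(f"{token!r} is not in the book; reword the message")
        # Pick a random occurrence so a repeated word need not repeat its code.
        out.append("-".join(map(str, secrets.choice(spots))))
    return out

def decode(codes, book):
    """Look each code up in the same book to recover the words."""
    words = []
    for code in codes:
        page, ln, wn = (int(x) for x in code.split("-"))
        if ln == 0 and wn == 0:
            words.append(str(page))  # literal number
        else:
            words.append(book[page][ln - 1].split()[wn - 1])
    return " ".join(words)
```

Both sides need the identical edition and printing, since a single shifted line or word count decodes to the wrong word.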
Another technique is to simply use external cues. One client, an upstream oil company, was prospecting in central Asia. The government mandated that they provide all their codes to the state police. The code was that they would send a message at 10:00 AM saying (encrypted) “There is no oil here” and another around 3:00 PM saying “We found oil.” The key was that morning messages were to be ignored.
The message is simple. Technology has never – in human history, never – solved a management problem. The history of civilization is about how we built processes – how we used management – to solve technological problems.
For most of us, using a cellphone is part of our daily life. Do not rely on VPNs or public Wi-Fi. Use MFA to access critical applications. SMS messages are better than static passwords. If you must use a password, the only significant measure of strength is its length. Longer is stronger. NIST gave up on the nonsense about using special characters, upper and lower case, etc. years ago. It was never a good idea, and it was never verified mathematically.
And also make sure you know who is in your group chats before discussing really sensitive information.
How Secure are Messaging Services? - A Bit of Security for April 15, 2025
Secure messaging services are vulnerable – but there are things you can do. Listen to this -
Let me know what you think in the comments below or at wjmalik@noc.social
#cybersecuritytips #Signal #securemessaging #SMS #phonesecurity #BitofSec
