The US cybersecurity agency, CISA, has published a best practices guide for mobile communications, urging government officials to use end-to-end encryption and, specifically for instant messaging, the most secure applications available, such as Signal.
The guide was developed in response to a wave of breaches at telecommunications operators in dozens of countries, including eight in the United States. CISA and the FBI confirmed these intrusions at the end of October, after it emerged that Salt Typhoon, a threat group allegedly backed by the Chinese state and tracked under various names since at least 2019, had compromised large telecommunications companies such as T-Mobile, AT&T, Verizon and Lumen Technologies. Although the timing of the breaches is unclear, the attackers reportedly had access to the data for "months or more".
Although CISA's guidance is aimed at a very specific set of individuals, those likely to hold information of interest to Chinese cyber espionage, the measures help anyone who wants to protect their data and communications from attackers who have successfully breached their mobile operator.
And the scope is total: "It should be assumed that all communications between mobile devices, including government devices, personal devices and Internet services, are at risk of being intercepted or manipulated," says the US cybersecurity agency. The practical consequence is that protection cannot rely on the carrier's network, which an intruder may already control; it must be applied on the endpoints themselves, which is exactly what end-to-end encryption does.
End-to-end encryption
The (strong) recommendation to use end-to-end encryption is a major shift compared to other periods in which some agencies and regulators demanded precisely the opposite: a weakening of these technologies in the name of "national security".
Security experts and Internet rights organizations considered the idea of weakening encryption systems under the convenient banner of "security" to be nonsense. Not only could a democratic system not accept "crime" as an excuse to curtail fundamental rights; global cybersecurity, the Internet itself and services as sensitive as e-commerce and online banking all depend on encryption.
As for "backdoors" that would let authorities break end-to-end encryption, they are not considered secure: a backdoor is a vulnerability by design, and whoever obtains the key or the mechanism, including cybercriminals and hostile states, can use it, with terrible consequences for global security. Weakening encryption would destroy everyone's protection rather than help investigate specific suspects, undermining decades of security advances that protect customers and citizens.
It is not easy to strike a balance on these always delicate issues, where states, intelligence services and law enforcement also need to be able to fight the "bad guys", but the US cybersecurity agency's position in favour of encryption is clear: "CISA strongly urges highly vulnerable individuals to immediately review and apply the best practices provided in the guidance to protect mobile communications, including consistent use of end-to-end encryption," the agency says.
Signal, the recommended one in instant messaging
In the best practices guide, CISA recommends using a secure messaging application and specifically names Signal, which is available on mobile (iOS, Android) and desktop (macOS, Windows and Linux) platforms.
Although there are other alternatives (some arguably even more secure), Signal is the best option among free software. It offers text chat, voice and video calls, and file and photo transfers, all end-to-end encrypted. It is built on the Signal Protocol, widely regarded as the most secure messaging protocol available, and it is open source, meaning its code is published for public scrutiny so that privacy issues or security flaws can be verified by independent experts. Open source does not guarantee security by itself, but it is what makes that independent review possible, and the Signal Protocol has also been the subject of formal academic analysis.
Despite having far fewer users than Telegram or WhatsApp, Signal is currently the big name in secure instant messaging, and it is not surprising that CISA recommends it, although there are other options such as Threema or, with a more business focus, Wire. One caveat worth noting: WhatsApp also uses the Signal Protocol for its end-to-end encryption, whereas Telegram does not encrypt regular chats end-to-end by default (only its optional "secret chats").
The agency also recommends multi-factor authentication (MFA), preferably with hardware-based FIDO security keys (e.g. Yubico or Google Titan) or passkeys, to protect Microsoft, Apple and Google accounts. Whenever possible, Google's Advanced Protection Program (APP) should be enabled to guard against account hijacking and phishing, and Apple's Lockdown Mode should be enabled to harden the device against targeted exploitation.
Additionally, CISA recommends avoiding SMS-based MFA, since SMS is not encrypted and one-time codes can be read by anyone who has compromised the carrier or hijacked the number; using a password manager to store and protect passwords from attackers; and setting up a carrier PIN or passcode for sensitive operations such as porting your phone number, in order to block SIM swap attempts.