E2EE RCS Between iOS and Android; Alexa Verbal Commands Will be Sent to Cloud; UK Holds Closed-Door IPT Hearing Despite Outcry

Another good step forward to 'E2EE' everywhere. Now, let's see if they get the user interface right and find ways to communicate to the user if a message was encrypted, digitally signed, or just sent 'plain.'

Johannes Ullrich

This will be a great improvement as it would allow for a more secure messaging option over potentially compromised services. Google already uses E2EE for RCS messages between Android devices; Apple and Google will be rolling out the cross-platform feature in future OS updates. Once available, you'll need to enable RCS, which already improves the cross-platform messaging experience.

Lee Neely

Pervasive use of device-to-device encryption will resist pervasive bureaucratic surveillance; therefore we should all support it and use it. However, it will not resist highly targeted surveillance. It is not suitable for life and limb applications, where true end-to-end, i.e., person-to-person, encryption is indicated.

William Hugh Murray

This is essentially mobile operators and device manufacturers giving the finger to Government surveillance. While each device manufacturer already had their own proprietary E2EE implementation, it didn't protect cross-platform communication. Adhering to the updated RCS does. A win for security professionals, less so for Government.

Curtis Dukes

Hey Green Bubbles, you get Crypto, and you get Crypto, everyone gets Crypto. Although many more people have been using Signal anyway, or worse, Telegram.

Moses Frost

There are two kinds of 'AI companies': The companies that ignore privacy and intellectual property rights, and the companies that will fail. One of the critical pieces needed for any of these AI models is training data, and your customers are the easiest place to get it from.

Johannes Ullrich

This is intended to both increase the range of commands supported and reduce the error rate, but I'm wondering about Gen AI hallucinations. While you're already considering the microphone mute when sensitive conversations happen near your digital assistant, you need to decide if the risk of processing commands remotely is acceptable, particularly for your workspace, including home office devices.

Lee Neely

In the current era of hybrid and remote working this is a real risk that organisations should consider. Indeed, during the COVID-19 pandemic the Irish Revenue service issued a warning to staff working from home to ensure they do not talk about citizens' tax details in proximity to smart speakers https://www.irishtimes.com/business/technology/revenue-tells-staff-not-to-discuss-confidential-matters-near-smart-speakers-1.4241279

Brian Honan

Seems like AMZ has determined they need more data in which to build their LLM and this is a convenient source; or it's simply a ploy to drive users to the subscription-based application. The question becomes, how much do you trust AMZ with your data?

Curtis Dukes

There is something ironic about a secret hearing on removing encryption in the name of transparency for law enforcement. A larger question is, should a single government have the right to undermine protections used worldwide, particularly in light of carrier security concerns?

Lee Neely

All data privacy eyes will be on the UK, looking to see if the Government blinks. Unfortunately, since the meeting and ruling will be done in secret, no consequence for the members in how they vote. We'll know the outcome by the actions affected device and app manufacturers take.

Curtis Dukes

Not sure what the outcome will be for this closed-door meeting, but we will know at some point how this appeals process will go. The fact that there is little transparency has many groups worried.

Moses Frost

Star Chambers are an instrument of tyrants. If we tolerate them, Democracy is over. It is under threat in any case.

William Hugh Murray

Note that this attack bypassed the most common best-practice security precautions. The 'tj-actions' repository is well respected and widely used. The attacker retroactively changed older versions. Even organizations that 'pinned' a particular version were affected, not just organizations using the latest version. You must be able to detect sudden changes to your supply chain like this.

Johannes Ullrich

CI/CD Security was a big topic for many years in the Cloud Penetration Testing course I wrote. Mostly because it was never seen as a target for attackers, even though we all should have known better. In this case, the attacker groups abuse GitHub's CI/CD supply chain. They have done a few interesting things. They modified a well-known 'step' function in the CI/CD world, a 'plug-in' that 23,000 customers use today. This function lists all file changes between the current and previous CI/CD runs. The modification pulls a new Python script from GitHub that renders internal 'secrets' as plain text. The writeup from Step Security, who found the issue, was excellent. One interesting tactic was calling their GitHub commit username 'Response Bot,' the name of an internal GitHub bot. It was a pretty interesting read.

Moses Frost

A key step in incident response is learning from incidents. Although, it is always better to learn from others' incidents rather than your own. Even if you are not in the telecom industry I recommend reading the reports around these attacks to see what lessons you can apply to your own environment

Brian Honan

At this point, telecom providers should assume comprise and take actions to both hunt for IOCs and secure their network, as well as communicate with subscribers about security of their networks. Consumers need to enable encryption where possible, and consider using non-SMS options for sensitive messages: Signal, WhatsApp, etc.

Lee Neely

I guess using the term 'heightened cyber threat' somehow helps focus the telecommunications sector? I mean, one would have thought that this important sector would always be a target of nation states and extra emphasis already put on its security. But if this helps focus on actively monitoring the network, then heightened it is.

Curtis Dukes

In the short-run, the targets will be the journalists, activists, and government officials. However, if these attackers are able to achieve the persistence that I fear, the target list will expand.

William Hugh Murray

They are not saying it is Salt Typhoon, but there is a group that is targeting telcos in the world called Salt Typhoon, so this could be Salt Typhoon, but at the end of the day, there is a group in a Telco that has root.

Moses Frost

This flaw is trivial to exploit, and existing deserialization exploit tools can easily be used. We actually do use a very similar vulnerability (and exploit tool) in our SEC522 (Defending Web Applications) class, and have for a few years now.

Johannes Ullrich

I just got wind of this one. This isn't good. It seems like full weaponization in 30 hours. The exploit vector uses the PUT method to store the session on disk (as they are all for every language) in a serialized fashion. Simply using the GET request will cause deserialization to occur, in which case there is an RCE. Now, I haven't gotten all the details of the bug. I know that Apache Tomcat is everywhere, but I am not sure how many of these instances have been implemented with the PUT method. Make sure you patch. Please.

Moses Frost

Beyond the update, make sure writes are disabled for the default servlet (off by default) and look at disabling partial PUT (enabled by default). For services with embedded Tomcat, you're going to have to contact the supplier for information about when the update will be available, as manually updating can produce an unstable or unsupported configuration.

Lee Neely

If you're in the healthcare industry you're a target. Make sure that you're not ignoring cyber hygiene, and you're doing regular independent assessments/validation. There are free/low cost resources available to help, connect your local ISAC, CISA, or professional associations for options.

Lee Neely

Security by design is significantly easier in single-application purpose-built devices, than in full-function general-purpose computers. Unfortunately, that is not what is happening. Rather, the designers start with a full-function operating system. Even it they were able to achieve a reasonably secure implementation, all that functionality is a target for botnet operators.

William Hugh Murray

The KEV is your friend. It enables you to make your expensive but necessary patching activity more efficient and timely.

William Hugh Murray

Doesn't really seem to be news that a ransomware gang would use known vulnerabilities to exploit victims. It does however, give threat researchers an opportunity to give a new name to a ransomware actor.

Curtis Dukes