A Whirlwind of Trouble as Salt Typhoon Hacks Cellular Wiretap Infrastructure 

The morning of December 4, 2024 was a cold one, with a high temperature of 46 degrees—the sort of weather people generally prefer to observe from the comfort of their heated homes. But US senators had just received news about a cyberattack of unprecedented scope, so instead they gathered in Washington, D.C. for a classified briefing. The attackers were a highly skilled group known as Salt Typhoon. As I write this article, their attack is still going on. In fact, if you use a phone, it’s likely affecting you right now. 

Way back in October 2024, the Wall Street Journal first reported the attack and suggested a link between Salt Typhoon and the Chinese government. Of course, you might be thinking. It’s always that. This time, though, the motives behind the operation are more mysterious. 

You really only need to worry about this if you have a phone, specifically a phone on a Verizon, AT&T, or T-Mobile plan. Those appear to be the carrier networks infiltrated by Salt Typhoon. I say “appear” because reports have been inconsistent. T-Mobile claims it has seen no evidence of a malicious presence in its infrastructure. Verizon, on the other hand, admits a command-and-control (C2) presence. But all three providers participated in the briefing on December 4. If nothing else, that demonstrates their shared concern.  

The question is, what specific data has Salt Typhoon accessed? And how could it affect you? The participating service providers claim the attack only affected the infrastructure used to wiretap specific targets. That said, we don’t know how much information those providers have been logging, and whatever that extent is, Salt Typhoon presumably has access to it as well. Under the Foreign Intelligence Surveillance Act (FISA), Section 702 collection may target only non-US persons located outside the United States; tapping a US citizen requires a court order. But if the infrastructure to tap is in place, and can be turned on for anyone the government decides to surveil, it’s quite possible that Salt Typhoon could do the same with no court order or FISA restriction at all. Meaning anyone could be a potential target. 

Regardless of your paranoia level, there is something you can (and probably should) do: namely, following the counsel of Jeff Greene, the Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). “Our suggestion, what we have told folks internally, is not new here,” he says. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.” 

What your Cochise County Cyber Guys recommend is an app called Signal. You can get it on either iPhone or Android, and once you do, you can install the companion desktop app on Windows, macOS, or Linux. With Signal, you can send and receive encrypted files, text chats, and individual and group calls. You can even hold Zoom-style meetings with screen sharing. All of this is end-to-end encrypted, which means that anyone intercepting the traffic inside the carrier’s network, whether Salt Typhoon or the FBI, gets ciphertext rather than your messages. Keep in mind what end-to-end encryption does not cover: the network can still see who is talking to whom and when, and no app can protect a phone that is itself compromised. 

Having said all this, we don’t condone illegal activity. We just think you have a constitutional right to privacy. Everyone does. 

This article was originally published in the Sierra Vista Herald.

Cyber-attacks on voting infrastructure. Is there a backup plan?

Imagine that during this upcoming election in November, no results were available until days after the election. On July 31, 2024, the Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Federal Bureau of Investigation (FBI), released a public service announcement stating that there is potential for Distributed Denial of Service (DDoS) attacks on election infrastructure and on the adjacent infrastructure that supports election operations. 

To better understand the situation, here is some background. CISA was established in November 2018 to enhance the security, resilience, and reliability of the nation’s critical infrastructure. It coordinates a collective defense to understand and manage risk to that infrastructure and the National Critical Functions it supports. Basically, CISA is charged with protecting US cyberspace and critical infrastructure such as power, water, and even our elections.

A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic. Attackers do this by using many compromised computer systems (a botnet) as the sources of the attack traffic. It is like a mob of people rushing a store to keep legitimate customers from shopping. Imagine tens of thousands of computers loaded with malware without their owners’ knowledge. Now imagine all of those computers running a program at the same time that makes continuous requests against election web sites and reporting systems. Because each request comes from a different address and each address sends only a little, there is no single source to block, which is what makes the attack hard to stop.
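As an added illustration, not part of the original column: the script below, written for this page, shows how a defender would tell the two kinds of flood apart in a web server’s access log. It parses combined-format log lines, counts requests per source address in fixed ten-second windows, and flags both a single loud source (easy to block) and a window where 150 different addresses each send one request (nothing to block, yet the total exceeds what the service can absorb). The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format prefix: client ip, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window_s=10, per_ip_max=20, total_max=100):
    """Bucket requests into fixed windows of window_s seconds and flag two patterns.

    Returns (noisy, distributed):
      noisy       {window_start_epoch: [ip, ...]}  sources that alone exceed per_ip_max
                  (the easy case: rate-limit or block the address)
      distributed [window_start_epoch, ...]        windows whose total exceeds total_max
                  while no single source exceeds per_ip_max (the hard case: every
                  source looks like an ordinary visitor, so there is nothing to block)
    The thresholds are illustrative; real ones come from the service's measured capacity.
    """
    buckets = defaultdict(Counter)
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue  # malformed line: skip it rather than crash the detector
        ip, ts = parsed
        window_start = int(ts.timestamp()) // window_s * window_s
        buckets[window_start][ip] += 1

    noisy, distributed = {}, []
    for start in sorted(buckets):
        counts = buckets[start]
        loud = sorted(ip for ip, n in counts.items() if n > per_ip_max)
        if loud:
            noisy[start] = loud
        elif sum(counts.values()) > total_max:
            distributed.append(start)
    return noisy, distributed


def build_sample():
    """Constructed access-log lines (not real traffic) covering both patterns."""
    t0 = datetime(2024, 11, 5, 7, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path="/results"):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200'

    lines = [line(f"198.51.100.{i}", i) for i in range(5)]           # 0-9 s: normal visitors
    lines += [line("203.0.113.7", 10 + i % 10) for i in range(30)]     # 10-19 s: one loud source
    lines += [line(f"10.0.{i}.1", 20 + i % 10) for i in range(150)]    # 20-29 s: 150 bots, one request each
    lines.append("this line is not in log format")
    return lines


if __name__ == "__main__":
    noisy, distributed = detect_floods(build_sample())
    print("sources above per-IP threshold:", noisy)
    print("windows that look like a distributed flood:", distributed)
```

Run as a script it reports the single loud address in the second window and the third window as a distributed flood; in practice the same logic runs against a live log stream or flow records, and the "distributed" signal is what justifies upstream filtering or a scrubbing service rather than local blocking.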

Now back to the announcement from CISA: 

“With Election Day less than 100 days away, it is important to help put into context some of the incidents the American public may see during the election cycle that, while potentially causing some minor disruptions, will not fundamentally impact the security or integrity of the democratic process,” said CISA Senior Advisor Cait Conley. “DDoS attacks are one example of a tactic that we have seen used against election infrastructure in the past and will likely see again in the future, but they will NOT affect the security or integrity of the actual election.”

CISA’s intent is to assure the public that the elections will not be affected even though there may be disruptions that prevent the public from receiving timely information. However, if they know that adversaries may target the elections, how do they know that the elections will be safe and secure? How do they know that a DDoS against the vote tabulation network won’t block results from being collated? How do they keep a breach from occurring in the voting infrastructure? What happens if there is a major regional power outage caused by a cyber-attack? As we saw in the CrowdStrike outage, when Maricopa County’s Dominion voting machines got the blue-screen-of-death update (see the article from two weeks ago for details), voting machines are on the network. Why would only the peripheral reporting infrastructure be affected and not the actual voting? As a cybersecurity professional, I find that the joint FBI and CISA statement raises more questions than it answers. 

Perhaps to properly secure the election system, we need to employ the same strategies businesses use for emergencies: contingency plans that are written, rehearsed, and ready before a cybersecurity event. Precincts, counties, and states should be ready to count the votes for every race by hand in case of a regional or national cyber-attack, and the people those functions require (counters, watchers, recorders) should be trained and on call. Knowing the risks, should manual counting of paper ballots at the precinct level be the primary method, with machines as the backup?

It seems CISA and the FBI are placating the public and telling us not to worry. Maybe they should spend more of their resources on hardening the infrastructure and on working with local officials on contingency planning in case of emergency. 

This article was originally published in the Sierra Vista Herald.

Every Move You Make, Adware Is Watching You

How were U.S. intelligence services able to track Vladimir Putin’s movements without a local spy, special satellites, or hacking? They simply bought advertising data for the country of Russia. Although it did not track Putin’s phone, the data tracked the phones of his entourage: his drivers, security personnel, political aides, and other support staff.  

With the prevalence of smartphones, who needs a map anymore? Our phones are GPS devices that can guide us anywhere in the country: put the address into your map application and you have turn-by-turn directions. The catch is that your phone is constantly reporting your exact location not only to your map app but to every other app you have granted location permission.   

There is a saying about free applications: if it’s free, then you are the product. It turns out that selling your data, location included, is a billion-dollar business built on advertising exchanges. Advertisers bid on an exchange for blocks of data in a particular geographic area. In 2020, for a few hundred thousand dollars a month, you could access a global feed of phone locations. Here’s how it works. Whether you have an iPhone or an Android phone, your device has been given an “anonymized” advertising ID (Apple calls it the IDFA, Google the Advertising ID). It’s a long string of numbers and letters that looks like gibberish. The advertisers don’t know your name, but they do know your location, which helps them serve up targeted ads for local restaurants or stores. Other data includes the specifications of your device, what other applications you have loaded on your phone, and even your browsing habits.  

Even though your advertising ID is “anonymized,” it is relatively easy for anyone who buys the data to find out where you live, work, and shop: the place a device sits every night is a home address, and the place it sits on weekdays is a workplace. They can find out who you know, how often you visit them, and for how long. They know what your hobbies are, whether running, target practice, knitting, homebrewing, hiking, or biking.   
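As an added example written for this page (it is not the column’s own code or any data broker’s tool), the script below runs that re-identification on a constructed feed of (advertising ID, timestamp, latitude, longitude) pings. The coordinates, IDs, and the 100 m grid size are assumptions for the example; the technique is the general one: the most-visited cell overnight is home, the most-visited weekday daytime cell is work, and devices that share a home or work cell are household members or colleagues.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def snap(lat, lon):
    """Round coordinates to 3 decimals (about 100 m) so nearby pings share one cell."""
    return (round(lat, 3), round(lon, 3))


def profile(pings):
    """Infer home and work cells per advertising ID from (ad_id, timestamp, lat, lon) records.

    Home is the cell seen most often between 22:00 and 06:00; work is the cell seen
    most often on weekdays between 09:00 and 17:00. No name is needed: the ID is a
    random string, but a home address identifies a household on its own.
    """
    night, day = defaultdict(Counter), defaultdict(Counter)
    for ad_id, ts, lat, lon in pings:
        cell = snap(lat, lon)
        if ts.hour >= 22 or ts.hour < 6:
            night[ad_id][cell] += 1
        elif ts.weekday() < 5 and 9 <= ts.hour < 17:
            day[ad_id][cell] += 1
    profiles = {}
    for ad_id in set(night) | set(day):
        profiles[ad_id] = {
            "home": night[ad_id].most_common(1)[0][0] if night[ad_id] else None,
            "work": day[ad_id].most_common(1)[0][0] if day[ad_id] else None,
        }
    return profiles


def shared(profiles, key):
    """Group IDs that share a cell: key="home" finds household members, key="work" colleagues."""
    by_cell = defaultdict(list)
    for ad_id, p in profiles.items():
        if p[key] is not None:
            by_cell[p[key]].append(ad_id)
    return {cell: sorted(ids) for cell, ids in by_cell.items() if len(ids) > 1}


def build_sample():
    """Constructed ping feed (not real data): three devices over one week, with small
    GPS jitter so that no two pings at the same place have identical coordinates."""
    places = {  # arbitrary coordinates, chosen so the jitter stays inside one cell
        "home_a": (31.5453, -110.2771), "home_b": (31.5202, -110.3001),
        "office": (31.5587, -110.3442), "office2": (31.5331, -110.2902),
        "store": (31.5502, -110.2602),
    }
    devices = {  # ad_id: (where it sleeps, where it works)
        "7f3a9c2e": ("home_a", "office"),
        "c9d14b07": ("home_a", "office2"),
        "02ee5a61": ("home_b", "office"),
    }
    pings = []
    monday = datetime(2024, 11, 4)
    for d in range(7):
        day0 = monday + timedelta(days=d)
        for ad_id, (home, work) in devices.items():
            visits = [(23, home), (3, home)]
            visits += [(10, work), (13, work)] if day0.weekday() < 5 else [(11, "store")]
            for hour, place in visits:
                lat, lon = places[place]
                jitter = 0.0001 * (hour % 3 - 1)  # a few metres of GPS noise
                pings.append((ad_id, day0.replace(hour=hour), lat + jitter, lon + jitter))
    return pings


if __name__ == "__main__":
    profiles = profile(build_sample())
    for ad_id, p in sorted(profiles.items()):
        print(ad_id, "home", p["home"], "work", p["work"])
    print("same household:", shared(profiles, "home"))
    print("same workplace:", shared(profiles, "work"))
```

The weekend pings at the store never count as work, and the two devices that sleep at the same coordinates are reported as one household without either ID ever being linked to a name; a buyer who then looks up the home cell in a property record has the name as well.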

The military uses of this technology are alarming. One of the companies developing these tools for the intelligence community began with data in the U.S. They tracked phones that were on MacDill Air Force Base in Florida, home of U.S. Special Operations Command. They watched the phones travel to Canada and Turkey and end up in a small town in Syria. Without trying, they had uncovered a forward operating base of the Special Forces personnel deployed in the anti-ISIS campaign.   

Some of these advertising data mining tools are being used in the United States by government agencies such as the DIA, FBI, U.S. Customs and Border Protection, Immigration and Customs Enforcement, and the Secret Service. They use the data to find border tunnels, track down unauthorized immigrants, and try to solve domestic crimes. 

What apps can track you? Look at the privacy settings on your phone to find out.  

Apple Advertising: the Personalized Ads switch is on by default, and the View Ad Targeting Information link shows the information Apple uses to target ads at you. 

The biggest setting that gives advertisers your GPS location is “Location Services.” Without it, your map program and many other apps you depend on will not work, so turning it off altogether is not the best idea. Instead, review the apps that use it and decide for yourself what you want to share. Almost all my installed apps used to have access to my location, from weather and driving directions to grocery stores, browsers, banking, and insurance. Set these as you see fit; for apps that only need a rough area, “While Using the App” with Precise Location turned off is usually enough.  

Another area inside Location Services is called System Services. Look through those options. Significant Locations keeps a history of the places you visit most often. Mine is off. I would also caution against the “improve analytics” and “product improvement” settings for any application. They pull even more data from your phone. 

Be careful where you take your phone. Every move you make, every step you take, adware will be watching you.   

Original article can be found here.