Salt Typhoon: US cybersecurity watchdog urges switch to Signal-like messaging apps
The US cybersecurity watchdog is urging citizens to use only secure end-to-end encrypted messaging apps like Signal to secure mobile communications.
The Cybersecurity and Infrastructure Security Agency (CISA) shared a series of best practices on Wednesday, December 18, 2024, in the wake of the Salt Typhoon attack. This “unprecedented cyberattack” is thought to be the biggest intelligence compromise in US history, hacking at least eight US telecom companies to spy on citizens.
While the latest CISA announcement is aimed at highly targeted individuals who possess information of interest to Chinese hackers, everyone can benefit from these security tips. These tips include avoiding unsecured virtual private network (VPN) apps.
Signal and more security tips
“Highly targeted individuals should assume that all communications between mobile devices – including government and personal devices – and internet services are at risk of interception or manipulation,” wrote the US cybersecurity watchdog.
With this in mind, the experts urge switching to Signal-like communications apps. These services encrypt messages end to end: the content is encrypted on the sender’s device and can only be decrypted on the receiver’s device, so the service relaying the message in transit cannot read it.
CISA recommends finding a service compatible with both Android and iPhone, allowing text message interoperability across platforms. These may also include features like disappearing messages and images, which can enhance privacy even further.
Most importantly, “When selecting an end-to-end encrypted messaging app, evaluate the extent to which the app and associated services collect and store metadata,” said CISA.
Metadata refers to all the information surrounding a message that is not its content, such as the sender’s and receiver’s identifiers, IP addresses, timestamps, the size of a data file, and more. Even when content is end-to-end encrypted, the service still sees whatever metadata it collects. Differences in how much metadata is collected and stored are one of the reasons why the likes of Signal or Session are considered more secure than WhatsApp.
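To make the difference between content and metadata concrete, the following is an added example (not code from the article, CISA, or any messaging app). It models one end-to-end encrypted message: the sending device seals the body under a key that only the two endpoints hold, and the relay server receives an envelope with routing fields plus opaque ciphertext. The encryption primitive is a deliberately simple HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for a real AEAD, and the pre-shared `SHARED_KEY` is an assumption; a real messenger derives it with a key-agreement protocol between the two devices. The names `build_envelope`, `relay_view` and `recipient_view` are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed example: a 32-byte key pre-shared between the two endpoints. In a real
# end-to-end encrypted messenger this key comes from a key-agreement protocol between
# the two devices; the relay server never holds it.
SHARED_KEY = bytes(range(32))


def derive(key: bytes, label: bytes) -> bytes:
    """Derive a sub-key so encryption and integrity use different keys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a stand-in for a real AEAD such as AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: returns nonce, ciphertext and tag as hex strings."""
    enc_key, mac_key = derive(key, b"enc"), derive(key, b"mac")
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_(key: bytes, sealed: dict) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError if the ciphertext was altered
    or the key is wrong."""
    enc_key, mac_key = derive(key, b"enc"), derive(key, b"mac")
    nonce, ct, tag = (bytes.fromhex(sealed[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def build_envelope(sender: str, recipient: str, key: bytes, text: str, ts: int) -> dict:
    """What the sending device hands to the relay: routing fields plus the sealed body."""
    return {"from": sender, "to": recipient, "ts": ts, **seal(key, text.encode())}


def relay_view(envelope: dict) -> dict:
    """Everything a relay server (or whoever compromised it) learns from one message:
    who talked to whom, when, and how large the message was. Not the content."""
    return {
        "from": envelope["from"],
        "to": envelope["to"],
        "ts": envelope["ts"],
        "ciphertext_bytes": len(bytes.fromhex(envelope["ct"])),
    }


def recipient_view(envelope: dict, key: bytes) -> str:
    """Only a holder of the shared key recovers the content."""
    return open_(key, envelope).decode()


if __name__ == "__main__":
    env = build_envelope("alice", "bob", SHARED_KEY, "meet at 9", 1734480000)
    print("relay sees:", relay_view(env))
    print("bob reads:", recipient_view(env, SHARED_KEY))
```

The point of `relay_view` is that end-to-end encryption protects the body only. Sender, recipient, time and message size are still visible to the service, which is exactly the metadata CISA tells users to evaluate before picking an app.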
CISA, December 18, 2024: “⚠️ #CyberEspionage activity by PRC-affiliated threat actors is targeting #telecom infrastructure, compromising mobile communications for high-value individuals. Act now: Apply recommendations to protect your info from interception or manipulation. 👉 https://t.co/dtmWL9F82I”
CISA also suggests enabling phishing-resistant forms of two-factor authentication to ensure hackers cannot bypass this extra layer of protection. Experts recommend enabling Fast Identity Online (FIDO), which includes biometrics (like fingerprints or facial recognition) and physical security keys.
As a rule of thumb, you should avoid using SMS as a second factor for authentication as these aren’t phishing-resistant. “SMS messages are not encrypted – a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them,” explain the experts.
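The difference between a phishing-resistant second factor and an SMS code comes down to what the proof is bound to. The following added example (not code from the article or from CISA, and a simplification of how FIDO works) models both flows against a hypothetical relying party at `bank.example`, with a phishing page at the constructed domain `bank-login.invalid`. An SMS code is just a six-digit secret: whoever learns it, from the victim typing it into a look-alike page or from the carrier’s network, can submit it. A FIDO assertion is a signature over a fresh challenge and the origin the browser was actually on, so a relayed assertion fails the relying party’s origin check. The HMAC-based “signature” stands in for the real per-site key pair and signing algorithm; class and function names are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical relying party and phishing site; both names are constructed for the example.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.invalid"


class SecurityKey:
    """Stand-in for a FIDO authenticator. A real key holds a per-site private key and
    signs with it; here a per-site secret shared at registration plus HMAC play the
    roles of key pair and signature."""

    def __init__(self):
        self.creds = {}

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]  # the "public key" handed to the relying party

    def get_assertion(self, rp_id: str, client_data: dict) -> dict:
        # client_data is built by the browser, not by the page: it records the origin
        # the browser is really on, and the signature covers it, so a phishing page
        # cannot rewrite the origin afterwards.
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        client_hash = hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()
        sig = hmac.new(self.creds[rp_id], auth_data + client_hash, hashlib.sha256).digest()
        return {"auth_data": auth_data, "client_data": client_data, "sig": sig}


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.pending = set()
        self.sms_code = None

    # SMS one-time code: a bare secret, usable by anyone who learns it.
    def send_sms_code(self) -> str:
        self.sms_code = f"{secrets.randbelow(10**6):06d}"
        return self.sms_code

    def verify_sms(self, code: str) -> bool:
        ok = code == self.sms_code
        self.sms_code = None
        return ok

    # FIDO assertion: bound to a fresh challenge and to the origin the browser saw.
    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def verify_fido(self, cred: bytes, assertion: dict) -> bool:
        cd = assertion["client_data"]
        challenge = bytes.fromhex(cd["challenge"])
        if challenge not in self.pending:
            return False  # replayed or unknown challenge
        if cd["origin"] != self.origin:
            return False  # produced on another site: the phishing case
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        client_hash = hashlib.sha256(json.dumps(cd, sort_keys=True).encode()).digest()
        expected = hmac.new(cred, assertion["auth_data"] + client_hash, hashlib.sha256).digest()
        if not hmac.compare_digest(assertion["sig"], expected):
            return False
        self.pending.remove(challenge)
        return True


def sms_code_relayed() -> bool:
    """Victim enters the SMS code on a look-alike page; the code is relayed. Accepted."""
    rp = RelyingParty(RP_ID, RP_ORIGIN)
    code = rp.send_sms_code()  # obtained from the victim or read off the carrier network
    return rp.verify_sms(code)


def fido_assertion_relayed() -> bool:
    """The real challenge is relayed, but the browser is on the phishing origin. Rejected."""
    key, rp = SecurityKey(), RelyingParty(RP_ID, RP_ORIGIN)
    cred = key.register(RP_ID)
    challenge = rp.new_challenge()
    # A real browser would already refuse to use a bank.example credential from another
    # origin; the relying party's own origin check modelled here is the second line.
    assertion = key.get_assertion(RP_ID, {"challenge": challenge.hex(), "origin": PHISH_ORIGIN})
    return rp.verify_fido(cred, assertion)


def fido_legitimate_login() -> bool:
    key, rp = SecurityKey(), RelyingParty(RP_ID, RP_ORIGIN)
    cred = key.register(RP_ID)
    challenge = rp.new_challenge()
    assertion = key.get_assertion(RP_ID, {"challenge": challenge.hex(), "origin": RP_ORIGIN})
    return rp.verify_fido(cred, assertion)
```

`sms_code_relayed()` returns True and `fido_assertion_relayed()` returns False: the relying party never had to know that a phishing page was involved, because the origin is part of what the authenticator signed. The same logic is why a time-based app code (TOTP) is not phishing-resistant either: like the SMS code, it is a bare secret with nothing binding it to the site it was typed into.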
US citizens are also urged to use strong password manager tools to store all login details and to generate strong, unique passwords. The likes of LastPass, Apple Passwords, Google Password Manager, and Proton Pass are all free to use and automatically alert on weak, reused, or leaked passwords.
Experts also recommend regularly updating devices’ operating system software to patch any vulnerabilities. They also advise against the use of unsecured commercial VPN services as “many free and commercial VPN providers have questionable security and privacy policies.”
This is why it’s important to choose the best VPN apps with a solid reputation, a strict no-log policy, and strong security features – even better when independently audited. At the time of writing, TechRadar’s top premium recommendation is NordVPN, while Privado VPN and Proton VPN are the most secure free VPNs.