The US cybersecurity watchdog is urging citizens to use only secure end-to-end encrypted messaging apps like Signal to secure mobile communications.
The Cybersecurity and Infrastructure Security Agency (CISA) shared a series of best practices on Wednesday, December 18, 2024, in response to the Salt Typhoon attack. This ‘unprecedented cyber attack’ is believed to be the largest intelligence compromise in US history, with at least eight US telecom companies being hacked to spy on citizens.
While the latest CISA announcement is aimed at highly targeted individuals who hold information of interest to Chinese hackers, everyone can benefit from these security tips. These tips include avoiding unsecured VPN (virtual private network) apps.
Signal and more security tips
“Highly targeted individuals should assume that all communications between mobile devices – including government and personal devices – and internet services are at risk of interception or tampering,” the US cybersecurity watchdog wrote.
With this in mind, experts are pushing to move to Signal-like communication apps. These services encrypt all data in transit to ensure that your messages remain private between the sender and the recipient (from start to finish).
CISA recommends finding a service that is compatible with both Android and iPhone, allowing SMS interoperability between platforms. These can also include features such as disappearing messages and images, which can improve privacy even further.
Most importantly, “When selecting an end-to-end encrypted messaging app, evaluate the extent to which the app and its associated services collect and store metadata,” CISA said.
Metadata refers to any information that is not part of the content, such as IP address, timestamps, data file size and more. For example, metadata collection is one of the reasons why Signal or Session are considered more secure than WhatsApp.
⚠️ #CyberEspionage activities by PRC-affiliated threat actors are targeting #telecom infrastructure, compromising mobile communications for high-value individuals. Act now: Apply recommendations to protect your data from interception or manipulation. 👉 https://t.co/dtmWL9F82I pic.twitter.com/rOLakd58agDecember 18, 2024
CISA also proposes enabling phishing-resistant forms of two-factor authentication to ensure hackers cannot bypass this extra layer of protection. Experts recommend enabling Fast Identity Online (FIDO), including biometrics (such as fingerprints or facial recognition) and physical security keys.
As a rule of thumb, you can avoid using SMS as a second factor for authentication as they are not phishing resistant. “SMS messages are not encrypted – a threat actor with access to a telecommunications provider’s network who intercepts these messages can read them,” the experts explain.
US citizens are also urged to use strong password management tools to save all login details and find strong combinations. LastPass, Apple Passwords App and Google Password Manager Proton Pass are all free to use and automatically alert you to weak, reused or leaked passwords.
Experts also recommend regularly updating device operating system software to patch any vulnerabilities. They also advise against using unsecured commercial VPN services, as “many free and commercial VPN providers have questionable security and privacy policies.”
That’s why it’s important to choose the best VPN apps with a reputable reputation, a strict no-log policy and strong security features – even better if they’re independently audited. At the time of writing, NordVPN is Ny Breaking’s top premium recommendation, while Privado VPN and Proton VPN are the most secure free VPNs.