It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.

This October, we’re bringing you a twist on our weekly newsletter. Read along as we shine our flashlight into the darker, creepier corners of the online world. After all, it’s spooky season, and we all have the potential to be the heroes when it comes to safeguarding our data.

State-sponsored hacking collectives are myriad, but today let’s focus on one in particular: Salt Typhoon (as Microsoft has dubbed it). Operating with support from the People’s Republic of China, Salt Typhoon burst into mainstream reporting only recently, though the patience and persistence of their exploits indicate they’ve been hard at work for much longer.

To get a sense of the scale of Salt Typhoon’s work, look no further than last month’s New York Times headline, “‘Unrestrained’ Chinese cyberattackers may have stolen data from almost every American.” (Shocking, even for some cybersecurity experts.) How did this happen? This highly skilled adversary slowly but surely tested commonly used internet infrastructure for known vulnerabilities, and then infiltrated networks once systems fell out of date. In other words, as a joint report issued by a dozen countries suggests, they are not dependent on zero-day exploits — the kind where hackers find vulnerabilities in software that not even the program’s developers know about (yet).

At least eight telecommunications companies have been directly impacted. We talked last week about government carve-outs for using technology to skirt Fourth Amendment protections, and here we see the ramifications: Salt Typhoon has effectively hijacked the infrastructure that allows law enforcement to intercept communications on telecommunications carriers’ networks. Salt Typhoon and its beneficiaries can listen in real time to conversations and read text messages — and have done so against people of note.

Many of the recommendations for mitigating Salt Typhoon’s efforts rest upon the work of IT professionals (if that’s you, see the list starting on page 22 of this document). As individuals, the first thing we can do is to understand which of our communications can be intercepted by adversaries observing and stealing data from the networks we rely upon. Then we can reclaim our power by protecting these communications and/or choosing alternatives.

Specifically, protect your communications by using end-to-end encrypted communications apps. In a striking memo last year, the U.S. government advocated for residents to use Signal (before things got a little haywire). If for any reason Signal is not an option, WhatsApp may be a good choice, with some recommended settings.

Notably, telecom companies carry SMS-based text messages. SMS messages are encoded but not encrypted, which means the contents of text messages are legible to carriers (and, therefore, adversaries including Salt Typhoon). This presents an issue when using SMS text messages as a secondary way to identify ourselves during the log-in process. While some form of two-factor authentication (2FA) is better than none at all, we highly recommend seeking out secure alternatives to text-message-based forms of 2FA. We love using a security key, and apps like Authy and Google Authenticator are also great. To see what forms of 2FA are available for the accounts you use, look no further than 2fa.directory.

And, finally, in light of the scope of the data collection happening here, it makes sense to protect your phone number from unauthorized changes. This can happen when a scammer contacts your carrier pretending to be you and successfully reroutes your number to a phone that they control. Get ahead of this by contacting your carrier and adding a PIN to your account. Here are instructions from Verizon, AT&T, and T-Mobile.

More information about SIM swapping and other steps you can take to protect your digital communications is available from the Cybersecurity and Infrastructure Security Agency. In addition, we are here to help. Reach out to us to set up a training session, a consultation, or even a digital security audit.

Thank you for reading,

Davis

Davis Erin Anderson

Senior Digital Security Trainer

Freedom of the Press Foundation