Meta Launches Default End-to-End Encryption for Chats and Calls on Messenger
7.12.23
Social
The Hacker News
Meta has officially begun to roll out support for end-to-end encryption (E2EE) in Messenger for personal calls and one-to-one personal messages by default in what it called the "most significant milestone yet."
"This isn't a routine security update: we rebuilt the app from the ground up, in close consultation with privacy and safety experts," Loredana Crisan, vice president of Messenger at Meta, said in a post shared on X (formerly Twitter).
CEO Mark Zuckerberg, who announced a "privacy-focused vision for social networking" back in 2019, said the update comes "after years of work" redesigning the platform. It's worth noting that E2EE for group messaging in Messenger is still in the testing phase.
Encrypted chats were first introduced in Messenger in 2016 as an opt-in feature called "secret conversations." Meta's Instagram also supports E2EE for messages and calls, but it's "only available in some areas" and not enabled by default.
"The extra layer of security provided by end-to-end encryption means that the content of your messages and calls with friends and family are protected from the moment they leave your device to the moment they reach the receiver's device," Crisan said.
In August 2023, the social media giant said that it was on track to widely enable the feature by the end of the year but emphasized that it had to re-architect Messenger to ensure that its servers cannot process or validate messages passing through them.
To that end, it not only upgraded over 100 features to incorporate encryption, but also built a new encrypted storage system called Labyrinth and developed new ways for users to manage their message history across devices, such as setting up a PIN.
The PIN serves as a recovery method after the chat upgrade in Messenger, helping users restore their messages should they lose, change, or add a device on their account.
"Labyrinth – a novel encrypted message storage protocol – aims to address a number of these challenges by enabling users to store their messages server-side, while also maintaining strong privacy," the company said in a whitepaper.
"It is designed to protect messages against non-members (devices and entities which are not enrolled in a user's Labyrinth mailbox), including preventing new messages from being decryptable on revoked devices which may have previously had access to earlier messages, while achieving low operational overheads and high reliability."
WhatsApp's New Secret Code Feature Lets Users Protect Private Chats with Password
1.12.23
Social
The Hacker News
Meta-owned WhatsApp has launched a new Secret Code feature to help users protect sensitive conversations with a custom password on the messaging platform.
The feature has been described as an "additional way to protect those chats and make them harder to find if someone has access to your phone or you share a phone with someone else."
Secret Code builds on another feature called Chat Lock that WhatsApp announced in May, which moves chats to a separate folder of their own such that they can be accessed only upon providing their device password or biometrics.
By setting a unique password for these locked chats that is different from the one used to unlock the phone, the aim is to give users an additional layer of privacy, WhatsApp noted.
"You'll have the option to hide the Locked Chats folder from your chatlist so that they can only be discovered by typing your secret code in the search bar," it added.
The development comes weeks after WhatsApp introduced a "Protect IP Address in Calls" feature that masks users' IP addresses from other parties by relaying the calls through its servers.
It also follows calls by the French government urging ministers, secretaries of state, and cabinet members to refrain from using popular messaging apps like WhatsApp, Signal, and Telegram in favor of homegrown alternatives like Tchap (based on the Matrix protocol) and Olvid by December 8, 2023.
The news, which was first reported by Le Point, cited a circulated document that claimed: "these digital tools are not devoid of security vulnerabilities and therefore do not ensure the security of conversations and information shared through them."
In response, Meredith Whittaker, president of Signal, hit back at the French government's decision, stating, "this claim is not backed by any evidence, and is dangerously misleading esp. coming from gov." Will Cathcart, the head of WhatsApp, concurred, saying, "we are of the same opinion."
Instagram's Twitter Alternative 'Threads' Launch Halted in Europe Over Privacy Concerns
5.7.23
Social The Hacker News
Instagram Threads, the upcoming Twitter competitor from Meta, will not be launched in the European Union due to privacy concerns, according to Ireland's Data Protection Commission (DPC).
The development was reported by the Irish Independent, which said the watchdog has been in contact with the social media giant about the new product and confirmed the release won't extend to the E.U. "at this point."
Threads is Meta's answer to Twitter that's set for launch on July 6, 2023. It's billed as a "text-based conversation app" that allows Instagram users to "discuss everything from the topics you care about today to what'll be trending tomorrow."
It also enables users to follow the same accounts they already follow on Instagram. A listing for the app has already appeared in the Apple App Store and Google Play Store, although it's yet to be available for download.
The "App Privacy" section on the App Store indicates that the application is expected to collect a wide range of user data, including Health and Fitness, Purchases, Financial Info, Location, Contact Info, Contacts, User Content, Search History, Browsing History, Identifiers, Usage Data, Sensitive Info, and Diagnostics.
It's believed that while the DPC has not actively blocked Threads from being launched, Meta is taking a cautious approach to bringing the service to the region, which has stringent privacy protections. It's worth noting that Google postponed the launch of its artificial intelligence chatbot Bard in the E.U. for similar reasons.
The development coincides with a series of policy changes at Twitter, which began blocking unregistered users from being able to use the site on the web and enforced temporary rate limits for logged-in users to restrict the number of posts they can see per day.
The Elon Musk-owned company said it's taking the step to "detect and eliminate bots and other bad actors that are harming the platform" by "scraping people's public Twitter data to build AI models" and "manipulating people and conversation on the platform in various ways."
WhatsApp Upgrades Proxy Feature Against Internet Shutdowns
30.6.23
Social The Hacker News
Meta's WhatsApp has rolled out updates to its proxy feature, allowing more flexibility in the kind of content that can be shared in conversations.
This includes the ability to send and receive images, voice notes, files, stickers and GIFs, WhatsApp told The Hacker News. The new features were first reported by BBC Persian.
Some of the other improvements include streamlined steps to simplify the setup process as well as the introduction of shareable links to "share functioning/valid proxy addresses to their contacts for easy and automatic installation."
Support for proxy servers was officially launched by the messaging service earlier this January, thereby helping users circumvent government-imposed censorship and internet shutdowns and obtain indirect access to WhatsApp.
The company has also made available a reference implementation for setting up a proxy server; it requires that port 80, 443, or 5222 be available and a domain name that points to the server's IP address.
"A proxy server is an intermediary gateway between WhatsApp and external servers," WhatsApp said. "Users may search for trusted accounts on social media that regularly post verified proxy addresses, which they can then add to their WhatsApp accounts."
Internet shutdowns have been increasingly common across the world during times of crises, conflicts, communal violence, and to prevent cheating in examinations. Authorities in 35 countries instituted internet shutdowns at least 187 times in 2022, a number that has already reached 80 for the first five months of 2023.
India alone implemented 84 shutdowns in 2022, making it the leading democratic country to enforce deliberate restrictions for the fifth consecutive year.
Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam
25.6.23
Social The Hacker News
A U.K. citizen who took part in the massive July 2020 hack of Twitter has been sentenced to five years in prison in the U.S.
Joseph James O'Connor (aka PlugwalkJoe), 24, was handed the sentence on Friday in the Southern District of New York, a little over a month after he pleaded guilty to the criminal schemes. He was arrested in Spain in July 2021.
The infamous Twitter breach allowed the defendant and his co-conspirators to obtain unauthorized access to backend tools used by Twitter, abusing them to hijack 130 popular accounts to perpetrate a crypto scam that netted them about $120,000 in illegal profits.
"In other instances, the co-conspirators sold access to Twitter accounts to others," the U.S. Department of Justice (DoJ) said. "O'Connor communicated with others regarding purchasing unauthorized access to a variety of Twitter accounts, including accounts associated with public figures around the world."
The defendant has also been accused of orchestrating SIM swapping attacks to seize control of users' Snapchat and TikTok accounts, and in one case, even targeting a New York-based cryptocurrency company to steal crypto worth approximately $794,000 at the time.
"After stealing and fraudulently diverting the Stolen Cryptocurrency, O'Connor and his co-conspirators laundered it through dozens of transfers and transactions and exchanged some of it for Bitcoin using cryptocurrency exchange services," the DoJ said.
"Ultimately, a portion of the Stolen Cryptocurrency was deposited into a cryptocurrency exchange account controlled by O'Connor."
Also on the list of offenses committed by O'Connor is cyberstalking two victims, including a minor, in June and July 2020, by falsely claiming that the individual was making threats to shoot people in an attempt to incite a law enforcement response.
O'Connor, who said his crimes were "stupid and pointless," according to TechCrunch, also faces three years of supervised release after serving his jail term. He has also been ordered to forfeit $794,000.
Twitter Finally Rolling Out Encrypted Direct Messages — Starting with Verified Users
12.5.23
Social The Hacker News
Twitter is officially beginning to roll out support for encrypted direct messages (DMs) on the platform, more than five months after its chief executive Elon Musk confirmed plans for the feature in November 2022.
The "Phase 1" of the initiative will appear as separate conversations alongside existing direct messages on users' inboxes. Encrypted chats carry a lock icon badge to visually differentiate them.
That said, the opt-in feature is currently limited to verified users or affiliates of a verified organization. It's also essential that both the sender and recipient are on the latest versions of the Twitter apps across Android, iOS, and desktop web.
Another criterion for sending and receiving encrypted messages is that the recipient must follow the sender, have sent a message to the sender in the past, or have accepted a direct message request from the sender at some point.
While Twitter did not disclose the exact method it uses to secure the conversations, the company said it employs a "combination of strong cryptographic schemes" to encrypt users' messages, links, and reactions.
It further emphasized that the encrypted chat contents remain encrypted while stored on its infrastructure and only decrypted at the receiver's end. The implementation is expected to be open sourced later this year.
That said, the work-in-progress nature of the project also means that it does not support encrypted group conversations or allow exchanging media and other file attachments. Some other notable restrictions are as follows -
- Users can register a maximum of 10 devices to send and receive encrypted messages.
- New devices (where the Twitter app is re-installed) cannot take part in existing encrypted conversations.
- Logging out of Twitter will cause all messages, including encrypted DMs, to be deleted from the current device.
It also said the current architecture does not "offer protections against man-in-the-middle attacks" and that it does not guarantee forward secrecy, a crucial security property that ensures that a compromise of a single session key will not expose data shared in other sessions.
"If the private key of a registered device was compromised, an attacker would be able to decrypt all of the encrypted messages that were sent and received by that device," Twitter said, adding it doesn't plan to remediate the limitation keeping larger user experience in mind.
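To make the difference concrete, here is an added illustration in Python; it is not Twitter's code (the company has not disclosed its implementation) but a model of the two designs. The `StaticKeyDevice` class assumes the limitation Twitter describes: every message key is derived from one long-lived device key. The `RatchetDevice` class uses the symmetric hash-chain ratchet that Signal's Double Ratchet builds on, where each chain key is advanced through a one-way function and the old one erased. The XOR keystream cipher and the message contents are constructed for the example only.

```python
import hashlib
import hmac
import os


def _prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, used both as the chain KDF and as a toy keystream generator."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor_keystream(message_key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with an HMAC keystream) so the example needs no
    third-party library. It only illustrates key management; use an AEAD in
    real code."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += _prf(message_key, block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class StaticKeyDevice:
    """Assumed model of the limitation Twitter describes: every message key is
    derived from one long-lived device key, which is all an attacker needs."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.counter = 0

    @staticmethod
    def _message_key(device_key: bytes, n: int) -> bytes:
        return _prf(device_key, b"msg" + n.to_bytes(4, "big"))

    def encrypt(self, plaintext: bytes):
        n = self.counter
        self.counter += 1
        return n, _xor_keystream(self._message_key(self.device_key, n), plaintext)


def static_attacker_reads(stolen_device_key: bytes, ciphertexts) -> list:
    """With the long-lived key, past and future messages fall at once."""
    return [_xor_keystream(StaticKeyDevice._message_key(stolen_device_key, n), ct)
            for n, ct in ciphertexts]


class RatchetDevice:
    """Symmetric-key ratchet in the style of Signal's Double Ratchet chain: each
    message key comes from a chain key that is advanced one way and then
    discarded, so a later device compromise reveals nothing about earlier
    messages (forward secrecy)."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.counter = 0

    def encrypt(self, plaintext: bytes):
        message_key = _prf(self.chain_key, b"\x01")
        self.chain_key = _prf(self.chain_key, b"\x02")  # ratchet forward, forget the old key
        n = self.counter
        self.counter += 1
        return n, _xor_keystream(message_key, plaintext)


def ratchet_attacker_reads(stolen_chain_key: bytes, stolen_counter: int, ciphertexts) -> dict:
    """What an attacker holding a device image taken just before message
    `stolen_counter` can decrypt: that message and later ones, never earlier."""
    chain_key = stolen_chain_key
    readable = {}
    for n, ct in ciphertexts:
        if n < stolen_counter:
            continue  # those chain keys were erased; the one-way KDF cannot be reversed
        message_key = _prf(chain_key, b"\x01")
        chain_key = _prf(chain_key, b"\x02")
        readable[n] = _xor_keystream(message_key, ct)
    return readable


def demo(messages=(b"first", b"second", b"third", b"fourth"), compromise_at=2):
    """Encrypt the same (constructed) conversation under both designs and image
    the device after `compromise_at` messages have been sent."""
    static_dev = StaticKeyDevice(os.urandom(32))
    static_cts = [static_dev.encrypt(m) for m in messages]
    static_leak = static_attacker_reads(static_dev.device_key, static_cts)

    ratchet_dev = RatchetDevice(os.urandom(32))
    ratchet_cts = []
    snapshot = None
    for i, m in enumerate(messages):
        if i == compromise_at:
            snapshot = (ratchet_dev.chain_key, ratchet_dev.counter)  # device imaged here
        ratchet_cts.append(ratchet_dev.encrypt(m))
    ratchet_leak = ratchet_attacker_reads(*snapshot, ratchet_cts)
    return static_leak, ratchet_leak
```

Running `demo()` shows the static design leaking all four messages while the ratchet leaks only the messages sent at and after the compromise. Note the caveat the example also makes visible: a symmetric chain alone protects the past, not the future; an attacker holding the current chain key can keep deriving keys until a fresh Diffie-Hellman ratchet step injects new entropy, which is the other half of the Double Ratchet.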
Mastermind Behind Twitter 2020 Hack Pleads Guilty and Faces up to 70 Years in Prison
12.5.23
Social The Hacker News
A U.K. national has pleaded guilty in the U.S. in connection with the July 2020 Twitter attack affecting numerous high-profile accounts and defrauding other users of the platform.
Joseph James O'Connor, who also went by the online alias PlugwalkJoe, admitted to "his role in cyberstalking and multiple schemes that involve computer hacking, including the July 2020 hack of Twitter," the U.S. Department of Justice (DoJ) said.
The 23-year-old individual was extradited from Spain on April 26 after the Spanish National Court, in February, approved the DoJ request to hand over O'Connor to face 14 criminal charges in the U.S.
The massive hack, which took place on July 15, 2020, involved O'Connor and his co-conspirators seizing control of 130 Twitter accounts, including those belonging to Barack Obama, Bill Gates, and Elon Musk, to perpetrate a cryptocurrency scam that netted them $120,000 in a few hours.
The attack was made possible by using social engineering techniques to obtain unauthorized access to backend tools used by Twitter, and subsequently leveraging that entry point to seize control of the accounts and, in some instances, sell the access to others. O'Connor himself is said to have purchased unauthorized access to one Twitter account for $10,000.
O'Connor is one of four individuals who have been charged with carrying out the Twitter hack. Nima Fazeli and Graham Ivan Clark were arrested that same month, while O'Connor was apprehended by Spanish authorities in the town of Estepona a year later in July 2021.
Mason Sheppard, according to BBC's Joe Tidy, has not been arrested, although the case against him is active. Clark received a three-year jail term after he pleaded guilty to 30 felony charges in March 2021.
In addition to the Twitter incident, the defendant has been charged with computer intrusions related to takeovers of TikTok and Snapchat user accounts, as well as stalking a juvenile victim online.
This entailed orchestrating SIM swapping attacks against two unnamed victims to gain illicit access to their Snapchat and TikTok accounts, respectively, as well as making false emergency calls to law enforcement about a third victim, claiming that the party was "making threats to shoot people."
SIM swapping occurs when fraudsters contact a telecom service provider under the guise of a victim to port the target's mobile number to a SIM card under their control, resulting in the victim's calls and messages being routed to a malicious unauthorized device controlled by the threat actors.
The miscreants then typically use control of the victim's mobile phone number to take over bank accounts and other services held by the victim that are registered to the mobile phone number by taking advantage of call- or SMS-based two-factor authentication.
O'Connor and his co-conspirators have also been accused of employing SIM swapping techniques to siphon cryptocurrency to the tune of $794,000 from a New York City-based crypto company between March and May 2019.
"After stealing and fraudulently diverting the stolen cryptocurrency, O'Connor and his co-conspirators laundered it through dozens of transfers and transactions and exchanged some of it for Bitcoin using cryptocurrency exchange services," the DoJ said.
"Ultimately, a portion of the stolen cryptocurrency was deposited into a cryptocurrency exchange account controlled by O'Connor."
O'Connor, who has agreed to forfeit about $794,000 in stolen funds, is scheduled to be sentenced on June 23. The charges carry a total maximum penalty of over 70 years in prison.
Meta Uncovers Massive Social Media Cyber Espionage Operations Across South Asia
4.5.23 Social
The Hacker News
Three different threat actors leveraged hundreds of elaborate fictitious personas on Facebook and Instagram to target individuals located in South Asia as part of disparate attacks.
"Each of these APTs relied heavily on social engineering to trick people into clicking on malicious links, downloading malware or sharing personal information across the internet," Guy Rosen, chief information security officer at Meta, said. "This investment in social engineering meant that these threat actors did not have to invest as much on the malware side."
The fake accounts, in addition to using traditional lures like women looking for a romantic connection, masqueraded as recruiters, journalists, or military personnel.
At least two of the cyber espionage efforts entailed the use of low-sophistication malware with reduced capabilities, likely in an attempt to get past app verification checks established by Apple and Google.
One of the groups that came under Meta's radar is a Pakistan-based advanced persistent threat (APT) group that relied on a network of 120 accounts on Facebook and Instagram and rogue apps and websites to infect military personnel in India and in the Pakistan Air Force with GravityRAT under the guise of cloud storage and entertainment apps.
The tech giant also expunged about 110 accounts on Facebook and Instagram linked to an APT identified as Bahamut that targeted activists, government employees, and military staff in India and Pakistan with Android malware published in the Google Play Store. The apps, which posed as secure chat or VPN apps, have since been removed.
Lastly, it purged 50 accounts on Facebook and Instagram tied to an India-based threat actor dubbed Patchwork, which took advantage of malicious apps uploaded to the Play Store to harvest data from victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.
Also disrupted by Meta are six adversarial networks from the U.S., Venezuela, Iran, China, Georgia, Burkina Faso, and Togo that engaged in what it called "coordinated inauthentic behavior" on Facebook and other social media platforms like Twitter, Telegram, YouTube, Medium, TikTok, Blogspot, Reddit, and WordPress.
All these geographically dispersed networks are said to have set up fraudulent news media brands, hacktivist groups, and NGOs to build credibility, with three of them linked to a U.S.-based marketing firm named Predictvia, a political marketing consultancy in Togo known as the Groupe Panafricain pour le Commerce et l'Investissement (GPCI), and Georgia's Strategic Communications Department.
Two networks that originated from China operated dozens of fraudulent accounts, pages, and groups across Facebook and Instagram to target users in India, Tibet, Taiwan, Japan, and the Uyghur community.
In both instances, Meta said it took down the activities before they could "build an audience" on its services, adding it found associations connecting one network to individuals associated with a Chinese IT firm referred to as Xi'an Tianwendian Network Technology.
The network from Iran, per the social media giant, primarily singled out Israel, Bahrain, and France, corroborating an earlier assessment from Microsoft about Iran's involvement in the hacking of the French satirical magazine Charlie Hebdo in January 2023.
"The people behind this network used fake accounts to post, like and share their own content to make it appear more popular than it was, as well as to manage Pages and Groups posing as hacktivist teams," Meta said. "They also liked and shared other people's posts about cyber security topics, likely to make fake accounts look more credible."
The disclosure also coincides with a new report from Microsoft, which revealed that Iranian state-aligned actors are increasingly relying on cyber-enabled influence operations to "boost, exaggerate, or compensate for shortcoming in their network access or cyberattack capabilities" since June 2022.
The Iranian government has been linked by Redmond to 24 such operations in 2022, up from seven in 2021, including clusters tracked as Moses Staff, Homeland Justice, Abraham's Ax, Holy Souls, and DarkBit. Seventeen of the operations have taken place since June 2022.
The Windows maker further said it observed "multiple Iranian actors attempting to use bulk SMS messaging in three cases in the second half of 2022, likely to enhance the amplification and psychological effects of their cyber-influence operations."
The shift in tactics is also characterized by the rapid exploitation of known security flaws, use of victim websites for command-and-control, and adoption of bespoke implants to avoid detection and steal information from victims.
The operations, which have singled out Israel and the U.S. as a retaliation for allegedly fomenting unrest in the nation, have sought to bolster Palestinian resistance, instigate unrest in Bahrain, and counter the normalization of Arab-Israeli relations.
WhatsApp Introduces New Device Verification Feature to Prevent Account Takeover Attacks
14.4.23
Social The Hacker News
Popular instant messaging app WhatsApp on Thursday announced a new account verification feature that ensures that malware running on a user's mobile device doesn't impact their account.
"Mobile device malware is one of the biggest threats to people's privacy and security today because it can take advantage of your phone without your permission and use your WhatsApp to send unwanted messages," the Meta-owned company said in an announcement.
Called Device Verification, the security measure is designed to help prevent account takeover (ATO) attacks by blocking the threat actor's connection and allowing targets of the malware infection to use the app without any interruption.
In other words, the goal is to deter attackers' use of malware to steal WhatsApp authentication keys and hijack victim accounts, and subsequently impersonate them to distribute spam and phishing links to other contacts.
This, in turn, is achieved by introducing a security-token that's stored locally on the device, a cryptographic nonce to identify if a WhatsApp client is contacting the server to retrieve incoming messages, and an authentication-challenge that acts as an "invisible ping" from the server to a user's device.
The client is required to send the security-token every time it connects to the server so as to detect potentially suspicious connections. The security-token, for its part, is updated every time it fetches an offline message from the server.
An authentication-challenge is considered a failure when the client responds to the challenge from a different device, indicating an anomalous connection originating from an attacker. This causes the connection to be blocked.
Should there be no response from the client, the process is retried a "few more times," after which the connection will be blocked if the client still doesn't respond.
"These three parameters help prevent malware from stealing the authentication key and connecting to WhatsApp server from outside the users' device," Meta's Attaullah Baig and Archis Apte explained.
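The following Python model is an added illustration of how those three parameters fit together; it is not WhatsApp's code, and the message formats, retry count, and the exact way a challenge is delivered are assumptions made for the example. It models the case the text describes: malware exfiltrates the authentication key and the locally stored security token, the real phone then fetches an offline message (rotating the token), and the attacker later connects from another machine with the stale copy. Account and device names are constructed.

```python
import secrets


class DeviceVerificationServer:
    """Hypothetical server-side model of the three parameters WhatsApp names:
    a per-device security token that rotates when offline messages are fetched,
    a nonce-based authentication challenge ('invisible ping'), and
    retry-then-block handling. Not WhatsApp's protocol; an assumed model."""

    MAX_CHALLENGE_RETRIES = 3  # assumed value for "a few more times"

    def __init__(self):
        self.accounts = {}      # account -> state dict
        self.blocked = set()    # (account, device_id) pairs refused service
        self.push_inbox = {}    # registered device_id -> pending challenge nonce

    def register(self, account: str, device_id: str) -> bytes:
        state = {"device": device_id, "token": secrets.token_bytes(16),
                 "challenge": None, "retries": 0}
        self.accounts[account] = state
        return state["token"]

    def fetch_offline_messages(self, account: str, token: bytes):
        """Genuine client pulling its queue: the token must match, then it
        rotates, which is what makes an exfiltrated copy go stale."""
        state = self.accounts[account]
        if not secrets.compare_digest(token, state["token"]):
            return None
        state["token"] = secrets.token_bytes(16)
        return state["token"]

    def connect(self, account: str, device_id: str, token: bytes) -> str:
        if (account, device_id) in self.blocked:
            return "blocked"
        state = self.accounts[account]
        if secrets.compare_digest(token, state["token"]):
            return "ok"
        # Stale token: challenge. The nonce is pushed to the registered device;
        # whoever opened this connection is expected to echo it back.
        nonce = secrets.token_bytes(16)
        state["challenge"] = {"nonce": nonce, "device": device_id}
        self.push_inbox[state["device"]] = nonce
        return "challenge"

    def respond(self, account: str, device_id: str, nonce: bytes) -> str:
        state = self.accounts[account]
        ch = state["challenge"]
        if ch is None or not secrets.compare_digest(nonce, ch["nonce"]):
            return "ignored"
        state["challenge"] = None
        if device_id != ch["device"]:
            # Right nonce, wrong device: the registered phone answered, so the
            # connection that triggered the challenge is not that phone.
            self.blocked.add((account, ch["device"]))
            return "blocked"
        return "ok"

    def challenge_timeout(self, account: str) -> str:
        """No answer at all: retry a few times, then block the connecting device."""
        state = self.accounts[account]
        ch = state["challenge"]
        if ch is None:
            return "ignored"
        state["retries"] += 1
        if state["retries"] < self.MAX_CHALLENGE_RETRIES:
            return "retry"
        self.blocked.add((account, ch["device"]))
        state["challenge"] = None
        state["retries"] = 0
        return "blocked"


def scenario_stolen_token_after_rotation():
    """Malware copied the key and token; the real phone then fetched messages
    (rotating the token) before the attacker connected."""
    srv = DeviceVerificationServer()
    stolen = srv.register("acct", "phone")
    srv.fetch_offline_messages("acct", stolen)        # genuine fetch rotates the token
    first = srv.connect("acct", "attacker-vm", stolen)
    nonce = srv.push_inbox["phone"]                   # the phone received the ping...
    second = srv.respond("acct", "phone", nonce)      # ...and answers from itself
    third = srv.connect("acct", "attacker-vm", stolen)
    return first, second, third


def scenario_attacker_never_answers():
    srv = DeviceVerificationServer()
    stolen = srv.register("acct", "phone")
    srv.fetch_offline_messages("acct", stolen)
    results = [srv.connect("acct", "attacker-vm", stolen)]
    for _ in range(DeviceVerificationServer.MAX_CHALLENGE_RETRIES):
        results.append(srv.challenge_timeout("acct"))
    return results


def scenario_fresh_theft():
    """Caveat: a token replayed before the phone's next fetch is still current."""
    srv = DeviceVerificationServer()
    stolen = srv.register("acct", "phone")
    return srv.connect("acct", "attacker-vm", stolen)
```

The third scenario is the practical caveat: the token only becomes a tripwire once the genuine device has rotated it, so a stolen key used immediately is indistinguishable from the real client in this model. The feature raises the cost of persistent account hijacking rather than preventing all misuse of a stolen key.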
WhatsApp said Device Verification has been rolled out to all Android users and that it's in the process of being rolled out to iOS users.
The feature is part of a broader set of new enhancements that are designed to authenticate and verify users' identities, including displaying alerts when there is an attempt to migrate a WhatsApp account from one device to another.
Also launched by WhatsApp is a Key Transparency feature to automatically confirm whether chats are end-to-end encrypted without requiring any additional actions from the user.
To do so, it's implementing a new Auditable Key Directory (AKD) that's based on existing protocols like CONIKS and SEEMless to help users verify their conversation security.
"The AKD will enable WhatsApp clients to automatically validate that a user's encryption key is genuine and enables anyone to verify audit-proofs of the directory's correctness," the company said.
Verification currently requires users in a chat to manually compare the security code (which exists as a QR code and a 60-digit number) by sending it to the participant on the other end via SMS or email, or alternatively by scanning the QR code if the parties are physically next to each other.
The security code is a fingerprint derived from both parties' public identity keys, the keys that underpin the end-to-end encrypted session; the private halves never leave the devices and are not part of the code. Complicating matters further, it changes when either user switches devices or reinstalls WhatsApp.
Key Transparency streamlines the verification process by making use of an automated flow that obviates the need for the long code, instead maintaining a record of public key changes in a directory and allowing a client to check against it.
"Key transparency describes a protocol in which the [WhatsApp] server maintains an append-only record of the mapping between a user's account and their public identity key," Meta explained. "This allows the generation of inclusion proofs to assert that a given mapping exists in the directory at the time of the most recent update."
WhatsApp intends to make this feature live in the coming months, although it's already hosting and operating an Auditable Key Directory of all its users. "This is an important mechanism that empowers security-conscious users to verify an end-to-end encrypted personal conversation quickly," the company added.
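As an added example of the append-only directory and inclusion proofs described above, here is a toy auditable key directory in Python. It is not WhatsApp's AKD (which builds on CONIKS and SEEMless and whose data structures differ); it uses a plain Merkle tree with RFC 6962-style leaf and node prefixes, and the account names and key bytes are constructed. It shows the two checks that matter to a client: a genuine mapping verifies against the published root, and a key the server substitutes for Alice cannot be proven under that root.

```python
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(account: str, public_key: bytes) -> bytes:
    # 0x00 prefix domain-separates leaves from interior nodes (as in RFC 6962)
    return _sha256(b"\x00" + account.encode() + b"\x00" + public_key)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


class AuditableKeyDirectory:
    """Toy append-only directory: (account, identity key) records are only ever
    appended, each published epoch commits to all of them with a Merkle root,
    and any record can be proven included under that root. Assumed model, not
    WhatsApp's AKD."""

    def __init__(self):
        self.records = []        # append-only log of (account, public_key)
        self.epoch_roots = []    # root published at each epoch

    def append(self, account: str, public_key: bytes) -> int:
        self.records.append((account, public_key))
        return len(self.records) - 1   # record index, needed to build its proof

    def publish_epoch(self) -> bytes:
        self.epoch_roots.append(self._root_and_proof(0)[0])
        return self.epoch_roots[-1]

    def inclusion_proof(self, index: int) -> list:
        return self._root_and_proof(index)[1]

    def _root_and_proof(self, index: int):
        layer = [leaf_hash(a, k) for a, k in self.records]
        proof = []
        while len(layer) > 1:
            if len(layer) % 2:
                layer.append(layer[-1])  # duplicate the last node on odd layers
            proof.append((layer[index ^ 1], index % 2 == 0))  # (sibling, sibling_is_right)
            layer = [node_hash(layer[i], layer[i + 1]) for i in range(0, len(layer), 2)]
            index //= 2
        return layer[0], proof


def verify_inclusion(root: bytes, account: str, public_key: bytes, proof: list) -> bool:
    """Client-side check: recompute the path from the leaf up and compare."""
    h = leaf_hash(account, public_key)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


def demo():
    d = AuditableKeyDirectory()
    alice = d.append("alice", b"alice-identity-key-v1")   # constructed key bytes
    d.append("bob", b"bob-identity-key-v1")
    d.append("carol", b"carol-identity-key-v1")
    root1 = d.publish_epoch()
    proof = d.inclusion_proof(alice)

    genuine = verify_inclusion(root1, "alice", b"alice-identity-key-v1", proof)
    # A server that quietly hands Bob a substitute key for Alice cannot produce
    # a proof for it under the root that auditors already recorded.
    substituted = verify_inclusion(root1, "alice", b"mitm-identity-key", proof)

    # Legitimate rotation (new phone) is a new appended record and a new epoch;
    # the earlier root is unchanged, which is what lets auditors check the log
    # is append-only rather than rewritten.
    alice_v2 = d.append("alice", b"alice-identity-key-v2")
    root2 = d.publish_epoch()
    old_still_valid = verify_inclusion(root1, "alice", b"alice-identity-key-v1", proof)
    new_valid = verify_inclusion(root2, "alice", b"alice-identity-key-v2",
                                 d.inclusion_proof(alice_v2))
    return genuine, substituted, old_still_valid, new_valid, root1 != root2
```

Two caveats a practitioner should keep in mind, and which the example deliberately does not hide: an inclusion proof shows that a mapping exists in the log, not that it is the latest key for that account (a real AKD adds per-account versioning for that), and the whole scheme only helps if every client and auditor sees the same root for an epoch, which is why the company's statement that "anyone" can verify audit proofs matters as much as the proofs themselves.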