The US cybersecurity watchdog is urging citizens to only use secure end-to-end encrypted messaging apps, such as Signal, to protect mobile communications.
The Cybersecurity and Infrastructure Security Agency (CISA) shared a series of best practices on Wednesday, December 18, 2024, in the wake of the Salt Typhoon attack. This “unprecedented cyberattack” is believed to be the largest intelligence compromise in US history, hacking at least eight US telecommunications companies to spy on citizens.
While CISA’s latest announcement is aimed at specific people who possess information of interest to Chinese hackers, everyone can benefit from these security tips. These tips include avoiding unsecured virtual private network (VPN) apps.
Signal and more security tips
“Highly targeted individuals should assume that all communications between mobile devices – including government and personal devices – and Internet services are at risk of being intercepted or manipulated,” the US cybersecurity watchdog wrote.
With this in mind, experts urge switching to communication apps similar to Signal. These services encrypt all data in transit to ensure your messages remain private between the sender and receiver (end-to-end).
CISA recommends finding a service compatible with both Android and iPhone, which allows text messaging interoperability between platforms. These may also include features such as disappearing messages and images, which can further improve privacy.
Most importantly, “when selecting an end-to-end encrypted messaging application, evaluate the extent to which the application and associated services collect and store metadata,” CISA said.
Metadata refers to all information that is not content, such as IP addresses, timestamps, data file sizes, and more. How much metadata a service collects, for example, is one of the reasons why Signal or Session are considered more secure than WhatsApp.
⚠️ #cyberespionage activity by threat actors affiliated with the People’s Republic of China targets #telecommunications infrastructure, compromising the mobile communications of high-value individuals. Act now: Apply recommendations to protect your information from interception or manipulation. 👉 pic.twitter.com/rOLakd58ag (December 18, 2024)
CISA also suggests enabling phishing-resistant forms of two-factor authentication to ensure that hackers cannot bypass this additional layer of protection. Experts recommend enabling Fast Identity Online (FIDO), which includes biometrics (such as fingerprints or facial recognition) and physical security keys.
As a general rule, you should avoid using SMS as a second factor of authentication, as it is not phishing resistant. “SMS messages are not encrypted: an attacker with access to a telecommunications provider’s network who intercepts these messages can read them,” the experts explain.
US citizens are also urged to use secure password management tools to store all login details and generate strong passwords. Apps like LastPass, the Apple Passwords app, Google Password Manager, and Proton Pass are free to use and automatically alert you to weak, reused, or leaked passwords.
Experts also recommend keeping devices’ operating system software up to date to fix known vulnerabilities. They also advise against using unsecured commercial VPN services, as “many free and commercial VPN providers have questionable security and privacy policies.”
That’s why it’s important to choose one of the best VPN apps: one with a solid reputation, a strict no-logging policy, and strong security features (better still if independently audited). At the time of writing, TechRadar’s top premium recommendation is NordVPN, while Privado VPN and Proton VPN are the most secure free VPNs.