salt typhoon

report:-at&t,-verizon-aren’t-notifying-most-victims-of-chinese-call-records-hack

Report: AT&T, Verizon aren’t notifying most victims of Chinese call-records hack

AT&T, Policy, salt typhoon, verizon / /

Telecom companies aren’t required to notify customers about every breach. A Federal Communications Commission order in December 2023 adopted a “harm-based notification trigger” in which “notification of a breach to consumers is not required in cases where a carrier can reasonably determine that no harm to customers is reasonably likely to occur as a result of the breach, or where the breach solely involves encrypted data and the carrier has definitive evidence that the encryption key was not also accessed, used, or disclosed.”

The FCC said that harm requiring notifications can include, but is not limited to, “financial harm, physical harm, identity theft, theft of services, potential for blackmail, the disclosure of private facts, the disclosure of contact information for victims of abuse, and other similar types of dangers.”

The FCC order argued that the harm-based standard would let carriers “focus their time, effort, and financial resources on the most important and potentially harmful incidents” and protect “customers from over-notification and notice fatigue, specifically in instances where the carrier has reasonably determined that no harm is likely to occur.”

Senator: Telecoms should tell customers

US Sen. Ron Wyden (D-Ore.) this week criticized the carriers for having weak security and the FCC for “let[ting] phone companies write their own cybersecurity rules.” Wyden proposed legislation to beef up telecom security requirements.

A spokesperson for Wyden today said that carriers should notify the affected customers.

“Senator Wyden strongly supports the phone companies notifying their customers about the theft of their data,” the spokesperson told Ars. “Not only do Americans have a right to be told that their information was stolen, but this is useful information that could result in some consumers voting with their wallets and switching service to carriers that retain less data and or have better cybersecurity.”

Stanford University researchers collected and studied telephone metadata for a 2016 paper to determine how it could be used against customers. “Using crowdsourced telephone logs and social networking information, we find that telephone metadata is densely interconnected, susceptible to reidentification, and enables highly sensitive inferences,” they wrote.

Report: AT&T, Verizon aren’t notifying most victims of Chinese call-records hack Read More »

us-recommends-encrypted-messaging-as-chinese-hackers-linger-in-telecom-networks

US recommends encrypted messaging as Chinese hackers linger in telecom networks

Chinese hackers, Policy, salt typhoon, Security / /

An unnamed FBI official was quoted in the same report as saying that phone users “would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption, and phishing-resistant” multifactor authentication for email accounts, social media, and collaboration tools.

The FBI official reportedly said the hackers obtained metadata showing the numbers that phones called and when, the live phone calls of some specific targets, and information from systems that telcos use for court-ordered surveillance.

Despite recognizing the security benefits of encryption, US officials have for many years sought backdoors that would give the government access to encrypted communications. Supporters of end-to-end encryption have pointed out that backdoors can also be used by criminal hackers and other nation-states.

“For years, the security community has pushed back against these backdoors, pointing out that the technical capability cannot differentiate between good guys and bad guys,” cryptographer Bruce Schneier wrote after the Chinese hacking of telecom networks was reported in October.

Noting the apparent hacking of systems for court-ordered wiretap requests, Schneier called it “one more example of a backdoor access mechanism being targeted by the ‘wrong’ eavesdroppers.”

1994 surveillance law in focus

CISA issued a statement on the Chinese hacking campaign in mid-November. It said:

The US government’s continued investigation into the People’s Republic of China (PRC) targeting of commercial telecommunications infrastructure has revealed a broad and significant cyber espionage campaign.

Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to US law enforcement requests pursuant to court orders.

The hacks raise concerns about surveillance capabilities required by a 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), which requires “telecommunications carriers and manufacturers of telecommunications equipment design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities to comply with legal requests for information.”

US recommends encrypted messaging as Chinese hackers linger in telecom networks Read More »