بونوکس

برچسب: Security

  • Hegseth’s Use of Passwords Raises New Security Concerns

    Hegseth’s Use of Passwords Raises New Security Concerns


    Some of the passwords that Defense Secretary Pete Hegseth used to register for websites were exposed in cyberattacks on those sites and are available on the internet, raising new questions about his use of personal devices to communicate military information.

    Mr. Hegseth did not appear to use those passwords for sensitive accounts, like banking. But at least one password appears to have been used multiple times for different personal email accounts maintained by Mr. Hegseth. If hackers gain access to email accounts, they can often reset other passwords.

    Like many Americans, Mr. Hegseth appears to have reused passwords to remember them more easily. At least one of them is, or was, a simple, lowercase alphanumeric combination of letters followed by numbers, potentially representing initials and a date. The same password was leaked in two separate breaches of personal email accounts, one in 2017 and another in 2018.

    It is not clear whether he has updated the compromised passwords, or if he did so before he used his personal phone in March to share sensitive information about planned U.S. strikes on Houthi militia targets in Yemen.

    Mr. Hegseth’s digital practices and security have been under scrutiny since he discussed the precise timing of those airstrikes in at least two chats on Signal, a free, encrypted messaging app. At least one of the chats took place on his personal phone. That information could have endangered U.S. pilots if an adversarial power had intercepted it.

    In addition to those two Signal chats, Mr. Hegseth used the encrypted app for multiple other ongoing conversations and group messages, according to people briefed on his use of the platform. Some of the messages were posted by a military aide, Col. Ricky Buria, who had access to Mr. Hegseth’s personal phone. The use of the app for multiple ongoing conversations was earlier reported by The Wall Street Journal.

    Mr. Hegseth was initially added to a Signal group created by Michael Waltz, who was the national security adviser at the time, to discuss the Houthi strikes. Mr. Hegseth shared similar details about the strikes with a second Signal group that included his wife, Jennifer. That group was set up on Mr. Hegseth’s personal phone.

    Cybersecurity experts have said that because Mr. Hegseth’s phone number is easy to find on the web, it is a potential target for hackers and foreign intelligence agencies. Signal messages are sent across the internet securely, but messages typed into a phone could be intercepted if an adversarial intelligence agency has installed malware on the device.

    When two-factor authentication is enabled on the sites, hackers will need more than passwords to gain access to information.

    The chief Pentagon spokesman, Sean Parnell, did not respond to a request for comment.

    Experts say that finding exposed passwords is easier than ever.

    “If you know where to look, you can find them,” said Kristin Del Rosso, who monitors breach data at DevSec, a cybersecurity investigations firm.

    Ms. Del Rosso said some companies collect and sell stolen data. Because data breaches are now almost routine, there is a large amount of data that adversaries or criminals could use to get a deeper understanding of an individual and potentially guess other passwords or gain access to more information.

    “You can uncover more,” she said.

    Passwords belonging to Mr. Waltz, who was removed as national security adviser on Thursday, have also been exposed in internet breaches.

    Representatives of the National Security Council did not respond to a request for comment. But a person briefed on the situation said Mr. Waltz had changed his compromised passwords before joining Congress in 2019.

    In March, Der Spiegel, a German news publication, found phone numbers and email addresses associated with Mr. Waltz, Mr. Hegseth and Tulsi Gabbard, the director of national intelligence, who were all on the initial Signal chat.

    The phone numbers online for Ms. Gabbard are no longer associated with her.

    But like Mr. Hegseth, Ms. Gabbard has reused passwords. The New York Times found at least one leaked password linked to multiple personal accounts used by Ms. Gabbard.

    According to a spokeswoman, Ms. Gabbard’s passwords have been changed many times since a breach exposed a password nearly a decade ago. The Times uncovered more recent data breaches involving a similar reused password tied to her personal email account.

    John Ratcliffe, the C.I.A. director, has a disciplined public profile. A former prosecutor and member of the House Intelligence Committee, he does not have an easily identifiable phone number and email address and seems to have left a small digital footprint.

    Mr. Hegseth has repeatedly said he did nothing wrong in disclosing the Yemen strike details in Signal chat groups that included people who did not have a security clearance. But using his personal telephone, with a number — and password — that is available on the internet, will have undoubtedly left a senior Trump national security figure vulnerable to hacking efforts by foreign adversaries, intelligence analysts say.

    “You just have to assume that the bad guys are listening,” Michael C. Casey, the former director of the National Counterintelligence and Security Center, said in an interview. He said that senior national security government officials were supposed to enter their jobs from Day 1 with the assumption that their personal devices were being hacked, and act protectively.

    The use of phones by government officials has long been a security concern.

    President Barack Obama wanted to keep using his personal phone and BlackBerry when he first came into office, former officials in his administration have said.

    Intelligence officials said that using a personal phone presented too many risks. But officials at the National Security Agency eventually provided Mr. Obama with a BlackBerry that had been modified to enhance its security. (Mr. Obama routinely joked that his phone had so many security constraints that using it was “no fun.”)

    Technology has advanced rapidly since then, and national security officials are now more routinely issued government phones that come with security enhancements. Most phones have extra security protocols in place that prevent installing unapproved apps.

    But like Mr. Obama, officials routinely complain that the secured phones are awkward to use and limited in utility, and some continue to communicate with encrypted apps on their private phones.



    Source link

  • Signal Clone Used by Waltz Suspends Service After ‘Security Incident’

    Signal Clone Used by Waltz Suspends Service After ‘Security Incident’


    The application that the Trump White House has been using to collect and securely stores messages sent on popular commercial encrypted apps has temporarily suspended service in the wake of a security breach, the application’s owner said on Monday.

    The application, TeleMessage, is owned by Smarsh, a company based in Portland, Ore., which provides tools for governments to comply with record-keeping regulations and laws. Last week, a Reuters photograph of Mike Waltz, then the national security adviser, showed that he was using the application to read Signal messages on his phone.

    On Sunday, 404 Media reported that a hacker had breached the Israeli company that makes TeleMessage and stolen the contents of some direct messages and group chats sent using its Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat.

    Smarsh declined to answer questions, but in a statement, a spokeswoman said that it was investigating “a recent security incident” and that, “Out of an abundance of caution, all TeleMessage services have been temporarily suspended.”

    The use of Signal by Trump administration officials came to light after Mr. Waltz created a chat on the platform to discuss strikes on Houthi militants in Yemen, but inadvertently added a journalist from The Atlantic to the group.

    It is not clear when Mr. Waltz started using TeleMessage. A federal judge ordered the messages from the original Signal chat be preserved, but government lawyers later told a court in a different case that messages from the original Signal chat had been deleted from one participant’s phone, that of John Ratcliffe, the C.I.A. director.

    Security experts have raised concerns about the service, noting that installing such an application to archive encrypted messages creates numerous security vulnerabilities. WhatsApp and other messaging companies are actively attempting to ban TeleMessage.

    The use of the TeleMessage system is something of a contradiction. Many people use encrypted apps like Signal so that information is sent securely and then automatically deleted. But U.S. government rules require officials to preserve their communications — driving some government lawyers to push for officials to use the TeleMessage clone.

    While the company claims not to decrypt the messages and to archive them securely, the hack on TeleMessage as reported by 404 Media raised questions about the company’s security protocols.

    Security experts have said the U.S. government should aggressively audit TeleMessage before continuing to use the service to archive Signal or other messages.

    In its statement on Monday, Smarsh said it had hired an “external cybersecurity firm” to assist in its investigation of the TeleMessage breach.



    Source link

  • Waltz’s Use of Messaging Platform Raises New Security Questions

    Waltz’s Use of Messaging Platform Raises New Security Questions


    Michael Waltz got himself in trouble with the White House when, as national security adviser, he inadvertently added a journalist to a sensitive chat on Signal, a commercial messaging app.

    Now, as he leaves that job, he has raised a new set of questions about White House use of the encrypted app. A photograph of him looking at his phone on Wednesday during a cabinet meeting makes it clear that he is communicating with his colleagues — including the secretary of state and the director of national intelligence — using a platform originally designed by an Israeli company that collects and stores Signal messages.

    This discovery of the new system came when a Reuters photographer, standing just over Mr. Waltz’s left shoulder, snapped a photo of him checking his phone.

    He was not using a privacy screen, and when zoomed in, the photo shows a list of messages and calls from several senior officials, including Vice President JD Vance and Steve Witkoff, the special envoy who is negotiating on three fronts: the Israel-Hamas talks, the increasingly tense dance with Vladimir V. Putin about Ukraine and the Iran nuclear talks. Secretary of State Marco Rubio and Tulsi Gabbard, the director of national intelligence, are also on his chat list.

    While the app that Mr. Waltz was seen using on Wednesday looks similar to Signal, it is actually a different platform from a company that advertises it as a way to archive messages for record-keeping purposes. That is critical, because one concern that came up when senior officials were using the app was whether it complied with federal record-keeping rules.

    One of Signal’s benefits is that it is both encrypted and can be set to automatically delete messages. But while that is a feature for users seeking secure communications, it is a problem for the National Archives, as it seeks to retain records.

    It is not clear if Mr. Waltz began using the alternative app when he became national security adviser or after a nonprofit watchdog group, American Oversight, sued the government for failing to comply with records laws by using Signal.

    While the real version of Signal gets constant security updates and messages are kept encrypted until they reach a user’s phone, security experts question how secure the alternative app is.

    “This is incredibly dumb,” said Senator Ron Wyden, the Oregon Democrat who is a longtime member of the Senate Intelligence Committee. “The government has no reason to use a counterfeit Signal knockoff that raises obvious counterintelligence concerns.”

    Cybersecurity experts said the platform that Mr. Waltz was using is known as TeleMessage, which retains copies of messages, a way of complying with the government rules. The screen in the photograph shows a request for him to verify his “TM SGNL PIN.” Time stamps indicate that the communications were as recent as the morning of the cabinet meeting.

    TeleMessage, founded in Israel, was purchased last year by Smarsh, a company based in Portland, Ore.

    The TeleMessage platform accepts messages sent through Signal, and captures and archives them.

    Security experts said the use of TeleMessage raised a number of questions. Some said it appeared that the company had in the past routed information through Israel, which is renowned for its electronic spying skills.

    But a Smarsh representative said data from American clients did not leave the United States. Tom Padgett, the president of Smarsh’s enterprise business, said the collected information was not routed through any mechanism that “could potentially violate our data residency commitments to our customers.”

    Mr. Padgett also said the information was not decrypted while being collected for record-keeping purposes or moved to its final archive. Security experts said that whenever information is de-encrypted, security vulnerabilities could be introduced. “We do not de-encrypt,” Mr. Padgett said.

    Smarsh representatives took issue with the idea that their platform was a modified version of the Signal app. They said their platform simply allowed financial institutions and governments to capture communications on various channels to comply with record-keeping regulations.

    But cybersecurity officials said questions remained about how the TeleMessage platform worked, and what vulnerabilities it could introduce into Signal communications.

    Signal is built on open-source code, which allows other organizations to make their own version that uses the same encryption. But Signal Messenger, the company that makes and controls the app, does not support alternative versions and actively tries to discourage their use.

    Mr. Waltz’s use of TeleMessage was reported earlier by the publication 404 Media. According to the publication, the U.S. government contracted with TeleMessage in December 2024 to archive Signal and WhatsApp messages. Smarsh representatives said they have worked with the federal government for a decade but declined to discuss specific contracts.

    It is not clear if the U.S. government audited TeleMessage to determine how it handles the messages and whether it might break or damage the end-to-end security of Signal. Representatives of the National Security Council staff did not immediately respond to requests for comment. Smarsh representative said they allowed security audits.

    Mr. Wyden said the U.S. government and the Navy had developed secure communications tools that comply with record-keeping rules. Using the modified version of Signal is far less secure, he said.

    “Trump and his national security team might as well post American battle plans on X at this rate,” Mr. Wyden said.

    In response to reports of the photo, Steven Cheung, the White House communications director, said in a social media post that “Signal is an approved app that is loaded onto our government phones.”

    As part of the lawsuit filed by American Oversight, government officials have submitted statements saying that the Signal messages from the chat Mr. Waltz created to discuss strikes on the Houthi militia in Yemen are no longer retrievable.

    Chioma Chukwu, the interim executive director of American Oversight, said she had concerns about the use of the modified app.

    “The use of a modified Signal app may suggest an attempt to appear compliant with federal record-keeping laws, but it actually underscores a dangerous reliance on unofficial tools that threaten national security and put our service members at risk,” she said. “Americans have a right to transparency and to know their leaders are following the law, not hiding behind unauthorized workarounds.”



    Source link