
Feds Cybersecurity is a Dumpster Fire

The most recent security “malfunction” of the federal administration involves the use of a Signal app clone called TeleMessage.

Signal (or TeleMessage) is the app that the Secretary of Defense used to communicate war plans to the VP and others, including the editor of The Atlantic.

TeleMessage is a clone of Signal (as well as WhatsApp and Telegram) that allows government users to preserve messages received on a personal phone to government computers in order to comply with the law.

Unfortunately, the app that they chose to preserve those messages only considers security as a concept.

While the messages of current cabinet members are not believed to have been compromised, the hacked data does contain the contents of messages, contact information of government employees and login credentials for the backend of TeleMessage.

The hacked data includes data from Customs and Border Protection, the crypto exchange Coinbase and banks like Scotiabank.

As part of TeleMessage’s “security is just a concept” approach, the archived chat logs of the supposedly secure clone of Signal are not encrypted.

TeleMessage’s owner, Smarsh, says that it suspended operations of TeleMessage and is investigating a “potential security incident”. That is a bit of an understatement.

Coinbase says they are watching the investigation closely, but unlike the feds, they say that they don’t use Signal for anything sensitive like customer information or passwords.

Or war plans.

The other hacked clients didn’t comment.

Over the weekend a journalist received a copy of a TeleMessage URL which was linked to the Android source code of the app. Other researchers received links to the iOS source code.

That, by itself, might not be a huge security problem. Not great, but not terrible.

What is terrible is that the source code contains hard-coded credentials (userid/password).

That means that ANY user of TeleMessage could access the data that those credentials protect. TeleMessage is not saying whether they had different databases for different customers, but if you use TeleMessage, now might be a great time to review that decision.

The reporters also said that the source code contained other vulnerabilities, which means that the release of the source code puts all users at risk.

It also appears that the way TeleMessage was implemented likely violated the Signal license agreement.

Other than that, it is business as usual for the executive branch of the federal government.

Credit: TechCrunch and The Register
