#SS7

2026-01-20

Someone just attempted to activate #Signalapp on my phone number (I received the SMS verification code all of a sudden). Even if they would have some #SS7 hack going on where they can get a duplicate of the SMS, I actually do have a registration lock enabled. (*)

However, it could also be someone making a mistake entering their phone number during setup.

*) support.signal.org/hc/en-us/ar

The year is 2027. Email is #unreliable; little gets past #Gmail filters without a contract to receive your #email. #Governments don't stop it because (a) they have a contract, and (b) they don't understand how email works. Or worked.

#Tech companies finally realize that #SS7 is #insecure. Phone calls and texts can't be #trusted. Machine-learning-generated ("AI") audio and video means video and voice calls are doubly cursed - too many #FAANG executives have had embarrassing public #failures, falling #victim to the corporate equivalent of the grandparent #scam.

Few people use #TOTP, because the tech #companies don't promote it, they each call it something else and make it work differently, and they all want you to use their "app" rather than the standard 3-line script that can generate the correct code given a key and the current timestamp. The technically-minded try to educate their relatives and friends as part of the free-tech-support assumption, but no one cares.

#Account #recovery now involves waiting at home to sign for an envelope delivered by the lowest-cost (and therefore bribe-able) courier to the #registered home address of the account. Millions each year lose their email, #photos, videos, "purchased" digital #content, password vaults, etc because they've moved since they set up the account, or they have a P.O. box and companies don't believe those #exist.

The #internet is a vast digital #wasteland - wait, a saviour onstage: "Walled Garden-Net!".

Burn it.

2025-12-31

[Translation] The Good, the Bad, the Extended: an SS7 attack using extended tags

There are two kinds of operations in SS7, my friend: harmless ones... and those that hold a revolver... ... That is, of course, an exaggeration. However, like the heroes of spaghetti westerns, SS7 operations appear before us in all their variety and depth, and sometimes they are hard to parse and, most importantly, to process safely for the subscriber. Incorrect handling of operations (commands) in SS7 (also known as PDUs) carries serious risks and can potentially lead to threats on the level of zero-day vulnerabilities, opening up a wide range of possible attacks.

habr.com/ru/articles/982196/

#ss7 #asn1 #сетевые_атаки #tcap #сигнальные_протоколы

:awesome:🐦‍🔥nemo™🐦‍⬛ 🇺🇦🍉nemo@mas.to
2025-12-22

Privacy Cell warns about insecure 2G/3G networks (vulnerable to SS7) & IMSI catchers: it checks your mobile network protocols for more security! 📱🔍 Open-source app on F-Droid. f-droid.org/en/packages/com.st #Privacy #FOSS #Datenschutz #SS7
#MeeMeep xD

:awesome:🐦‍🔥nemo™🐦‍⬛ 🇺🇦🍉nemo@mas.to
2025-12-22

🔍 frontal reveals: First WAP software secretly tracks smartphones worldwide via an #SS7 flaw. Red Bull executives, Vatican journalists & more affected! Shady deals at surveillance trade fairs. Shocking investigation! 📱🕵️‍♂️ youtube.com/watch?v=zcnw-RGcoP4 #TelefonÜberwachung #Datenskandal #Privatsphäre #Investigativ #LighthouseReports #FirstWAP #ZDF

yewtu.be/watch?v=zcnw-RGcoP4

Erik van Straten ErikvanStraten@todon.nl
2025-11-14

Weak 2FA/MFA is COUNTERPRODUCTIVE

In security.nl/posting/912441/65- I wrote earlier this week:

2FA (MFA) sucks.

Let the government recommend a password manager that does check domain names.

(The latter is possible by default on Android, iOS and iPadOS, by means of "AutoFill").

At the "request" of many, I substantiated that claim (not for the first time) in security.nl/posting/912441/65-.

And in security.nl/posting/912441/65- I explained why logging in online is *hard* to make secure, whatever you come up with (they remain shared secrets).

Today I also tested Microsoft Authenticator once again (on Android). You can read my findings in (the second half of) security.nl/posting/912441/65-; an excerpt from it follows below.

#ZwakkeMFA #SMS #AuthenticatorApps #Zwakke2FA #Weak2FA #WeakMFA #MicrosoftAuthenticator #2FAsucks #MFAsucks #Phishing #NepWebsites #PhaaS #Evilginx2 #SIMswap #SS7 #AcountTakeOver #CookieTheft #AccountLockout

Screenshot of an excerpt from https://security.nl/posting/912530

Microsoft Authenticator: it can't get any dumber or more cumbersome

Account lockout is super simple too: I just installed Microsoft Authenticator on my Android smartphone. Indeed, "Cloud backup" was off by default: turned it on.

I needed a Microsoft account for that: chose "create" and entered a test Gmail account. The confirmation email with the PIN code arrives in my spam box.

I then created my new MS account without being asked for a password anywhere (everything, except checking my Gmail, took place in the Microsoft Authenticator app, by the way). After creating the account I get a message that the backup failed. And the "Cloud backup" button has been switched off again.

Closed Microsoft Authenticator and again
[...]
a1ar1
2025-10-30

@HonkHase This is why most carriers have since quite a while implemented firewalls. German mobile carriers certainly have this since years. Anyways, a good way of opening the focus wide on the surveillance other than . Also a good point in time to remember that since 2013 (Ed Snowden's releases) more than a decade has passed, and so has technology.

Manuel 'HonkHase' Atug HonkHase@chaos.social
2025-10-30

The Surveillance Empire That Tracked World Leaders, a Vatican Enemy, and Maybe You

"Inside the hidden world of First Wap, whose untraceable tech has targeted politicians, journalists, celebrities, and activists around the globe."

#SS7 #Altamides #MassSurveillance

motherjones.com/politics/2025/

Manuel 'HonkHase' Atug HonkHase@chaos.social
2025-10-18

When will #SS7 finally be taken care of? 😤🔥

#KRITIS sector #IT and #TK

frontal - the documentary: Your phone as a spy: secretly monitored?

"Using surveillance technology (#Überwachungstechnik) from a security company, thousands of mobile phones worldwide are said to have been located and tracked for years. This is suggested by a data set and an undercover investigation."
zdf.de/video/dokus/frontal-dok

KRISÚ クリス krisu.eu@bsky.brid.gy
2025-10-16
KRISÚ クリス Krisuuu
2025-10-16

Hardly surprising. Already criticized by the CCC in 2014.

youtu.be/zcnw-RGcoP4?si=czPsjm

2025-10-16

@ycombinator this is the #ss7 security leak that has been presented in a #ccc talk i think in the year 2014.

What was the app called, that could identify such SS7 network interceptions?

#surveillance #backdoor #exploit

2025-10-15

Since anonymous billing is not a feasible method for paying utilities and large-scale services, the location-ID of cellular modems cannot be kept private from carriers (ISPs). But this is the case for home APs (Access Points, routers) also.

The tracking techniques that First Wap used are nothing like what happens with geocache, geoclue (and equivalents), or browser cookies that you can blame people for "volunteering" for in order to get access.

There are no baseband VPNs. Still, if you use a socks5 messaging client and Tor Browser on mobile broadband, geolocation data will not be relevant (as if there were not a fully-integrated Garrison State under the transnational Masonic Regime).

Imagine a world where you could privately pay and get private service.
#crypto
Without private treasury, companies and bad actors will always find ways to get to government back-doors (as if the government was a trusted, good actor). Hence, the #SS7 problem.

motherjones.com/politics/2025/
[14:34] "if your phone is on and connected, it is fair game" - baseband, including and not apart from cellular data

@GrapheneOS
@thedarktangent

Lighthouse Reports
lighthousereports.com/investig
#Qannon #Journalism #EU

Miguel Afonso Caetano remixtures@tldr.nettime.org
2025-10-15

"Operating from their base in Jakarta, where permissive export laws have allowed their surveillance business to flourish, First Wap’s European founders and executives have quietly built a phone-tracking empire, with a footprint extending from the Vatican to the Middle East to Silicon Valley.

It calls its proprietary system Altamides, which it describes in promotional materials as “a unified platform to covertly locate the whereabouts of single or multiple suspects in real-time, to detect movement patterns, and to detect whether suspects are in close vicinity with each other.”

Altamides leaves no trace on the phones it targets, unlike spyware such as Pegasus. Nor does it require a target to click on a malicious link or show any of the telltale signs (such as overheating or a short battery life) of remote monitoring.

Its secret is shrewd use of the antiquated telecom language Signaling System No. 7, known as SS7, that phone carriers use to route calls and text messages. Any entity with SS7 access can send queries requesting information about which cell tower a phone subscriber is nearest to, an essential first step to sending a text message or making a call to that subscriber. But First Wap’s technology uses SS7 to zero in on phone numbers and trace the location of their users.

First Wap emphasizes that its technology is used by law enforcement to “fight against organized crime, terrorism and corruption.” It sells Altamides directly, as well as through third-party resellers."

motherjones.com/politics/2025/

#CyberSecurity #Surveillance #FirstWap #Altamides #SS7 #Privacy #LocationData

2025-10-15

Snowden warned us about escalating surveillance, but we forgot him and his warning.

anonsys.net/display/bf69967c-5

2025-08-30

@dougmerritt

Per various customers I overheard talking about this in a parking lot, the problem would vary by which cell tower you were connecting to at a given time.

Some said text would work, but not calls.

They messed up something wrt to SIM id and routing.

#SS7

2025-07-31

⚠️ Researchers identify a new SS7 encoding attack used by a surveillance vendor to bypass defenses and access mobile subscriber data.

Read: hackread.com/researchers-ss7-e

#CyberSecurity #SS7 #Vulnerability #Telecom #Surveillance

Kevin Karhan :verified: kkarhan@infosec.space
2025-07-31

@heiseonline the sheer volume of #SS7 attacks alone makes this, IMHO, #Govware that should be banned.

Who Let The Dogs Out 🐾 ashed@mastodon.ml
2025-07-26

#red_team #blue_team #SS7 #MobileTelephony #Diameter

habr.com/ru/companies/ruvds/ar

networkguru.ru/ataka-na-protok

With the development of 4G networks and the start of 5G deployment in Russia, the `Diameter` protocol has become a crucial tool for modern telecom operators.

`Diameter` is used for:

- access control in LTE/5G networks,
- authentication of users and devices,
- implementation of billing systems and traffic accounting,
- quality of service (QoS) support.

In addition, Diameter is widely used in policy management systems (Policy Control), which allow operators to provide personalized services based on subscribers' needs.

securitylab.ru/blog/personal/p
