CySecurity News - Latest Information Security and Hacking Incidents: End-to-End Encryption

Account Takeover browser hijacking Cyber Fraud Device Pairing End-to-End Encryption Identity Threats QR Phishing Social Engineering WhatsApp Security

GhostPairing Attack Puts Millions of WhatsApp Users at Risk

An ongoing campaign that aims to seize control of WhatsApp accounts by manipulating WhatsApp's own multi-device architecture has been revealed by cybersecurity experts in the wake of an ongoing, highly targeted attack designed to illustrate the increasing complexity of digital identity threats.

Known as GhostPairing, the attack exploits the trust inherent in WhatsApp's system for pairing devices - a feature that allows WhatsApp Web users to send encrypted messages across laptops, mobile phones, and browsers by using the WhatsApp Web client.

Through a covert means of guiding victims into completing a legitimate pairing process, malicious actors are able to link an attacker-controlled browser as a hidden companion device to the target account, without alerting the user or sending him/her any device notifications at all.

The end-to-end encryption and frictionless cross-platform synchronization capabilities of WhatsApp remain among the most impressive in the industry, but investigators warn that these very strengths of the service have been used to subvert the security model, which has enabled adversaries to have persistent access to messages, media, and account controls.

Although the encryption remains intact in such a scenario technically, it will be strategically nullified if the authentication layer is compromised, allowing attackers to read and reply to conversations from within their own account. This effectively converts a feature that was designed to protect your privacy into an entry point for silent account takeovers, effectively converting a privacy-first feature into a security-centric attack.

Analysts have characterized GhostPairing as a methodical account takeover strategy that relies on WhatsApp’s legitimate infrastructure of device linkage as a means of obtaining access to accounts instead of compromising WhatsApp’s security through conventional methods of authentication. In this technique, users are manipulated socially so that they link an external device, under the false impression that they are completing a verification process.

As a general rule, an attack takes place through messages appearing to come from trusted contacts, often compromised accounts, and containing links disguised as photos, documents, or videos. Once accessed by victims, these links lead them to fake websites meticulously modeled after popular social media platforms such as Facebook and WhatsApp, where allegedly the victim will be asked to enter his or her phone number as part of an authentication process.

Moreover, the pages are designed to generate QR codes that are used to verify customer support, comply with regulations regarding KYC, process job applications, update KYC records, register promotional events, or recover account information. By scanning QR codes that mirror the format used by WhatsApp Web, users unintentionally link their accounts to those of attackers, not realizing they are scanning QR codes that are actually the same format used by WhatsApp Web.

It is important to know that once the connection is paired, it runs quietly in the background, and the account owner does not receive an explicit login approval or security alert. Although WhatsApp’s encryption remains technically intact, the compromise at the device-pairing layer allows threat actors to access private communications in a way that effectively sidesteps encryption by allowing them to enter authenticated sessions from within their own account environment, even though WhatsApp’s encryption has remained unbroken technologically.

The cybercriminals will then be able to retrieve historical chat data, track incoming messages in real time, view and transmit shared media — including images, videos, documents, and voice notes — and send messages while impersonating the legitimate account holder in order to take over the account. Additionally, compromised accounts are being repurposed as propagation channels for a broader range of targets, further enlarging the campaign's reach and scale.

The intrusion does not affect normal app behavior or cause system instability, so victims are frequently unaware of unauthorized access for prolonged periods of time, which allows attackers to maintain persistent surveillance without detection for quite a while.

The campaign was initially traced to users in the Czech Republic, but subsequent analysis has shown that the campaign's reach is much larger than one specific country. During their investigation, researchers discovered that threat actors have been using reusable phishing kits capable of rapid replication, which allows operations to scale simultaneously across countries, languages, and communication patterns.

A victim's contact list is already populated with compromised or impersonated accounts, providing an additional layer of misplaced trust to the outreach, which is what initiates the attack chain. In many of these messages, the sender claims that they have found a photograph and invites their recipients to take a look at it through a link intentionally designed to look like the preview or media viewer for Facebook content.

As soon as the link is accessed, users are taken to a fake, Facebook-branded verification page that requires them to authenticate their identity before they can view the supposed content. The deliberate mimicry of familiar interfaces plays a central role in lowering suspicions, thereby encouraging victims to complete verification steps with little hesitation, according to security analysts.

A study published by Gen Digital's threat intelligence division indicates that the campaign is not relying on malware deployments or credential interceptions to execute. This malware manipulates WhatsApp's legitimate device-pairing system instead.

As a consequence of the manipulation, WhatsApp allows users to link browsers and desktop applications together for the purpose of synchronizing messaging. Attackers can easily bind an unauthorized browser to an account by convincing the users to voluntarily approve the connection. In other words, they are able to bypass encryption by entering through a door of authentication that they themselves unknowingly open, rather than breaking it.

It has become increasingly apparent that threat actors are moving away from breaking encryption towards undermining the mechanisms governing access to it, as evidenced by GhostPairing. As part of this attack, people are using WhatsApp's unique feature: frictionless onboarding and the ability to link their devices to their account with just a phone number in order to extend your account to as many devices as they like.

The simplicity of WhatsApp, often cited as a cornerstone of the company's global success, means that users don't have to enter usernames or passwords, reinforcing convenience, but inadvertently exposing more vulnerabilities to malicious use. WhatsApp's end-to-end encryption architecture further complicates things, since it provides every user with their own private key.

Private cryptographic keys that are used to securely encrypt the content of the messages are stored only on the user's device, which theoretically should prevent eavesdropping unless an attacker is able to physically acquire the device or deploy malware to compromise it remotely if it can be accessed remotely.

By embedding an attacker's device within an authenticated session, GhostPairing demonstrates that a social engineering attack can circumvent encryption without decrypting the data, but by embedding an attacker's device within a session in which encrypted content is already rendered readable, thus circumventing the encryption.

Researchers have found that the technique is comparatively less scalable on platforms such as Signal, which supports only QR-based approvals for pairing devices, and this limitation has been noted to offer some protection against similar thematically driven device linking techniques.

The analysts emphasize from a defensive standpoint that WhatsApp provides users with an option to see what devices are linked to them through their account settings section titled Linked Devices. In this section, unauthorized connections can, in principle, be identified, as well. The attackers may be able to establish silent persistence through fraudulently linking devices, but they cannot remove or revoke their device access themselves, since the primary registered device remains in charge of revocation.

The addition of two-step PIN verification as a mitigation, which prevents attackers from making changes to an account's primary email address, adds additional hurdles for attackers. However, this control does not hinder access to messages once pairing has been completed. Especially acute consequences exist for organizations.

A common way for employees to communicate is via WhatsApp, which can sometimes lead to informal group discussions involving multiple members - many of which are conducted outside of formal documentation and oversight. It has been recommended by security teams to assume the existence of these shadow communication clusters, rather than treat them as exceptions, but as a default risk category.

A number of industry guidelines (including those that have prevailed for the past five years) emphasize the importance of continued user awareness, and in particular that users should be trained in identifying phishing attempts, unsolicited spam, and the like, even if the attempt seems to come from well-known contacts or plausible verification attempts.

The timing of the attack is difficult to determine when viewed from a broader perspective, but there are no signs that there is any relief. According to a report published by Meta in April of this year, millions of WhatsApp users had their mobile numbers exposed, and Meta confirmed earlier this year that the Windows desktop application had security vulnerabilities.

In parallel investigations, compromised Signal-based messaging tools have also been found to have been compromised by political figures and senior officials, confirming that cross-platform messaging ecosystems, regardless of whether or not they use encryption strength, are now experiencing identity-layer vulnerabilities that must be addressed with the same urgency as network or malware attacks have been traditionally addressed.

The GhostPairing campaign signals a nuanced, yet significant change in techniques for gaining access to accounts, which reflects a longer-term trend in which attackers attempt to gain access to identities through behavioral influence rather than technical subversion.

Threat actors exploit WhatsApp's ability to link devices exactly as it was intended to work, whereas they decrypt the secure communication or override authentication safeguards in a way that seems to be more effective.

They engineer moments of cooperation through the use of persuasive, familiar-looking interfaces. A sophisticated attack can be carried out by embedding fraudulent prompts within convincingly branded verification flows, which allows attackers to secure enduring access to victim accounts with very little technical skill, relying on legitimacy by design instead of compromising the systems.

There is a warning from security researchers that this approach goes beyond regional boundaries, as scalable phishing kits and interface mimicry enable multiple countries to deploy it across multiple languages.

A similar attack can be attempted on any digital service that allows set-up via QR codes or numeric confirmation steps, irrespective of whether the system is built on a dedicated platform or not. This has an inherent vulnerability to similar attacks, especially when human trust is regarded as the primary open-source software vulnerability.

Analysts have emphasized that the attack's effectiveness stems from the convergence of social engineering precision with permissive multi-device frameworks, so that it allows adversaries to penetrate encrypted environments without any need to break the encryption at all — and to get to a session in which all messages have already been decrypted for the authenticated user.

It is encouraging to note that the defensive measures necessary to combat such threats are still relatively straightforward. The success rate of such deception-driven compromises could be significantly reduced if regular device hygiene audits, greater user awareness, and modest platform refinements such as clearer pairing alerts and tighter device verification constraints were implemented.

Especially for organizations that are exposed to undocumented employee group chats that operate outside the formal oversight of the organization are of crucial importance for reducing risk. User education and internal reporting mechanisms are crucial components of mitigating risks.

Amidst the rapid increase in digital interactions, defenders are being urged to treat vigilance in the process not as an add-on practice, but rather as a foundational layer of account security for the future. GhostPairing's recent appearance serves to serve as a reminder that the security of modern communication platforms is no longer solely defined by encryption standards, rather by the resilience of the systems that govern access to them, and that the security of these systems must be maintained at all times.

It is evident that as messaging ecosystems continue to grow and integrate themselves into everyday interactions — such as sharing personal media or coordinating workplace activities — the balance between convenience and control demands renewed scrutiny.

It is strongly advised for users to follow regular digital safety practices, such as verifying unexpected links even if they are sent by familiar contacts, regularly auditing linked devices, and activating two-factor safeguards, such as two-step PIN verification, to ensure that their data is secure.

As organizations become increasingly aware of threats beyond the perimeter of their organizations, they should cultivate a culture of internal threat reporting that ensures that unofficial communication groups are acknowledged in risk models rather than ignored.

Security teams are advised to conduct phishing awareness drills, make device-pairing alerts more clear at the platform level, and conduct periodic access hygiene reviews of widely used communication channels, such as encrypted messengers, for a number of reasons.

With the incidence of identity-layer attacks on the rise, researchers emphasize that informed users remain the best countermeasure against silent account compromise - making awareness the best strategic strategy in the fight against silent account compromises, not only as a reactive habit, but as a long-term advantage.

Gmail Users Face New AI Threats as Google Expands Encryption and Gemini Features



 

Technology

client-side encryption Gmail End-to-End Encryption Gmail AI threats Gmail encryption Gmail security update Google Gemini Technology

Gmail Users Face New AI Threats as Google Expands Encryption and Gemini Features

Gmail users have a fresh security challenge to watch out for — the mix of your Gmail inbox, Calendar, and AI assistant might pose unexpected risks. From malicious prompts hidden in emails or calendar invites to compromised assistants secretly extracting information, users need to stay cautious.

According to Google, “a new wave of threats is emerging across the industry with the aim of manipulating AI systems themselves.” These risks come from “emails, documents, or calendar invites that instruct AI to exfiltrate user data or execute other rogue actions.”

The integration of Gemini into Gmail was designed to simplify inbox management with smarter search, replies, writing assistance, and summaries. Alongside this, Google has rolled out another significant Gmail feature — expanded client-side encryption (CSE).

As announced on October 2, this feature is now “generally available.” Gmail users with CSE can send end-to-end encrypted (E2EE) messages to anyone, even non-Gmail users. Recipients simply receive a notification and can view the encrypted message through a guest account — offering secure communication without manual key exchanges.

However, these two major Gmail updates — Gemini AI and encryption — don’t work seamlessly together. Users must choose between AI assistance and total privacy. When CSE is active, Google confirms that “the protected data is indecipherable to any unauthorized third-party, including Google or any generative AI assistants, such as Gemini.”

That means Gemini cannot access encrypted messages, which aligns with how encryption should work — but it limits AI functionality. Google adds that the new encryption will be “on by default for users that have access to Gmail Client-side encryption.” While the encryption isn’t purely end-to-end since organizations still manage the keys, it still offers stronger protection than standard emails.

When it comes to Gemini’s access to your inbox, Google advises users to “apply client-side encryption to prevent Gemini’s access to sensitive data.” In short, enabling encryption remains the most crucial step to ensure privacy in the age of AI-driven email management

Child Abuse Detection Efforts Face Setbacks Due to End-to-End Encryption



 

Technology

AI Artificial Intelligence child abuse Cyberhackers CyberThreat End-to-End Encryption Online Safety Technology

Child Abuse Detection Efforts Face Setbacks Due to End-to-End Encryption

Technology has advanced dramatically in the last few decades, and data has been exchanged across devices, networks, and borders at a rapid pace. It is imperative to safeguard sensitive information today, as it has never been more important-or more complicated—than it is today. End-to-end encryption is among the most robust tools available for the purpose of safeguarding digital communication, and it ensures that data remains safe from its origin to its destination, regardless of where it was created.

The benefits of encryption are undeniable when it comes to maintaining privacy and preventing unauthorised access, however, the process of effectively implementing such encryption presents both a practical and ethical challenge for both public organisations as well as private organisations. Several law enforcement agencies and public safety agencies are also experiencing a shift in their capabilities due to the emergence of artificial intelligence (AI).

Artificial intelligence has access to technologies that support the solving of cases and improving operational efficiency to a much greater degree. AI has several benefits, including facial recognition, head detection, and intelligent evidence management systems. However, the increasing use of artificial intelligence also raises serious concerns about personal privacy, regulatory compliance, and possible data misuse.

A critical aspect of government and organisation adoption of these powerful technologies is striking a balance between harnessing the strengths of artificial intelligence and encryption while maintaining the commitment to public trust, privacy laws, and ethical standards. As a key pillar of modern data protection, end-to-end encryption (E2EE) has become a vital tool for safeguarding digital information. It ensures that only the intended sender and recipient can access the information being exchanged, providing a robust method of protecting digital communication.

It is highly effective for preventing unauthorised access to data by encrypting it at origin and decrypting it only at the destination, even by service providers or intermediaries who manage the data transfer infrastructure. By implementing this secure framework, information is protected from interception, manipulation, or surveillance during its transit, eliminating any potential for interception or manipulation.

A company that handles sensitive or confidential data, especially in the health, financial, or legal sectors, isn't just practising best practices when it comes to encrypting data in a secure manner. It is a strategic imperative that the company adopt this end-to-end encryption technology as soon as possible. By strengthening overall cybersecurity posture, cultivating client trust and ensuring regulatory compliance, these measures strengthen overall cybersecurity posture.

As the implementation of E2EE technologies has become increasingly important to complying with stringent data privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) in the United States, and the General Data Protection Regulation (GDPR) in Europe, as well as other jurisdictional frameworks, it is increasingly important that the implementation of E2EE technologies is implemented.

Since cyber threats are on the rise and are both frequent and sophisticated, the implementation of end-to-end encryption is an effective way to safeguard against information exposure in this digital age. With it, businesses can confidently manage digital communication, giving stakeholders peace of mind that their personal and professional data is protected throughout the entire process. While end-to-end encryption is widely regarded as a vital tool for safeguarding digital privacy, its increasing adoption by law enforcement agencies as well as child protection agencies is posing significant challenges to these agencies.

There have been over 1 million attempts made by New Zealanders to access illegal online material over the past year alone, which range from child sexual abuse to extreme forms of explicit content like bestiality and necrophilia. During these efforts, 13 individuals were arrested for possessing, disseminating, or generating such content, according to the Department of Internal Affairs (DIA). The DIA has expressed concerns about the increasing difficulty in detecting and reacting to criminal activity that is being caused by encryption technologies.

As the name implies, end-to-end encryption restricts the level of access to message content to just the sender and recipient, thus preventing third parties from monitoring harmful exchanges, including regulatory authorities. Several of these concerns were also expressed by Eleanor Parkes, National Director of End Child Prostitution and Trafficking (ECPAT), who warned that the widespread use of encryption could make it possible for illegal material to circulate undetected.

Since digital platforms are increasingly focusing on privacy-enhanced technologies, striking a balance between individual rights and collective safety has become an issue not only for technical purposes but also for societal reasons It has never been more clearly recognised how important it is to ensure users' privacy on the Internet, and standard encryption remains a cornerstone for the protection of their personal information across a wide array of digital services.

In the banking industry, the healthcare industry, as well as private communications, encryption ensures the integrity and security of information that is being transmitted across networks. This form of technology is called end-to-end encryption (E2EE), which is a more advanced and more restrictive implementation of this technology. It enhances privacy while significantly restricting oversight at the same time. In contrast to traditional methods of encrypting information, E2EE allows only the sender and recipient of the message to access its content.

As the service provider operating the platform has no power to view or intercept communications, it appears that this is the perfect solution in theory. However, the absence of oversight mechanisms poses serious risks in practice, especially when it comes to the protection of children. Platforms may inadvertently be used as a safe haven for the sharing of illegal material, including images of child sexual abuse, if they do not provide built-in safeguards or the ability to monitor content. Despite this, there remains the troubling paradox: the same technology that is designed to protect users' privacy can also shield criminals from detection, thus creating a troubling paradox.

As digital platforms continue to place a high value on user privacy, it becomes increasingly important to explore balanced approaches that do not compromise the safety and well-being of vulnerable populations, especially children, that are also being safe. A robust Digital Child Exploitation Filtering System has been implemented by New Zealand's Department of Internal Affairs (DIA) to combat the spread of illegal child sexual abuse material online. This system has been designed to block access to websites that host content that contains child sexual abuse, even when they use end-to-end encryption as part of their encryption method.

Even though encrypted platforms do present inherent challenges, the system has proven to be an invaluable weapon in the fight against the exploitation of children online. In the last year alone, it enabled the execution of 60 search warrants and the seizure of 235 digital devices, which demonstrates how serious the issue is and how large it is. The DIA reports that investigators are increasingly encountering offenders with vast quantities of illegal material on their hands, which not only increases in quantity but also in intensity as they describe the harm they cause to society.

According to Eleanor Parkes, National Director of End Child Prostitution and Trafficking (ECPAT), the widespread adoption of encryption is indicative of the public's growing concern over digital security. Her statement, however, was based on a recent study which revealed an alarming reality that revealed a far more distressing reality than most people know. Parkes said that young people, who are often engaged in completely normal online interactions, are particularly vulnerable to exploitation in this changing digital environment since child abuse material is alarmingly prevalent far beyond what people might believe.

A prominent representative of the New Zealand government made a point of highlighting the fact that this is not an isolated or distant issue, but a deeply rooted problem that requires urgent attention and collective responsibility within the country as well as internationally. As technology continues to evolve at an exponential rate, it becomes increasingly important to be sure that, particularly in sensitive areas like child protection, both legally sound and responsible. As with all technological innovations, these tools must be implemented within a clearly defined legislative framework which prioritises privacy while enabling effective intervention within the context of an existing legislative framework.

To detect child sexual abuse material, safeguarding technologies should be used exclusively for that purpose, with the intent of identifying and eliminating content that is clearly harmful and unacceptable. Law enforcement agencies that rely on artificial intelligence-driven systems, such as biometric analysis and head recognition systems, need to follow strict legal frameworks to ensure compliance with complex legal frameworks. As the General Data Protection Regulation (GDPR) is established in the European Union, and the California Consumer Privacy Act (CCPA) is established in the United States, there is a clear understanding of how to handle, consent to, and disclose data.

The use of biometric data is also tightly regulated, as legislation such as Illinois' Biometric Information Privacy Act (BIPA) imposes very strict limitations on how this data can be used. Increasingly, AI governance policies are being developed at both the national and regional levels, reinforcing the importance of ethical, transparent, and accountable technology use. Noncompliance not only results in legal repercussions, but it also threatens to undermine public trust, which is essential for successfully integrating AI into public safety initiatives.

The future will require striking a delicate balance between innovation and regulation, ensuring that technology empowers protective efforts while protecting fundamental rights in the meantime. For all parties involved—policymakers, technology developers, law enforcement, as well as advocacy organisations—to address the complex interplay between safeguarding privacy and ensuring child protection, they must come together and develop innovative, forward-looking approaches. The importance of moving beyond the viewpoint of privacy and safety as opposing priorities must be underscored to foster innovations that learn from the past and build strong ethical protections into the core of their designs.

The steps that must be taken to ensure privacy-conscious technology is developed that can detect harmful content without compromising user confidentiality, that secure and transparent reporting channels are established within encrypted platforms, and that international cooperation is enhanced to combat exploitation effectively and respect data sovereignty at the same time. Further, industry transparency must be promoted through independent oversight and accountability mechanisms to maintain public trust and validate the integrity of these protective measures.

Regulatory frameworks and technological solutions should be adapted rapidly to safeguard vulnerable populations without sacrificing fundamental rights to keep pace with the rapid evolution of the digital landscape. As the world becomes increasingly interconnected, technology will only be able to fulfil its promise as a force for good if it is properly balanced, ethically robust, and proactive in its approach in terms of the protection of children and ensuring privacy rights for everyone.

Encryption Under Siege: A New Wave of Attacks Intensifies



 

Government surveillance

Cyber Security Data Privacy Digital Security Encryption End-to-End Encryption Government surveillance

Encryption Under Siege: A New Wave of Attacks Intensifies

Over the past decade, encrypted communication has become a standard for billions worldwide. Platforms like Signal, iMessage, and WhatsApp use default end-to-end encryption, ensuring user privacy. Despite widespread adoption, governments continue pushing for greater access, threatening encryption’s integrity.

Recently, authorities in the UK, France, and Sweden have introduced policies that could weaken encryption, adding to EU and Indian regulatory measures that challenge privacy. Meanwhile, US intelligence agencies, previously critical of encryption, now advocate for its use after major cybersecurity breaches. The shift follows an incident where the China-backed hacking group Salt Typhoon infiltrated US telecom networks. Simultaneously, the second Trump administration is expanding surveillance of undocumented migrants and reassessing intelligence-sharing agreements.

“The trend is bleak,” says Carmela Troncoso, privacy and cryptography researcher at the Max-Planck Institute for Security and Privacy. “New policies are emerging that undermine encryption.”

Law enforcement argues encryption obstructs criminal investigations, leading governments to demand backdoor access to encrypted platforms. Experts warn such access could be exploited by malicious actors, jeopardizing security. Apple, for example, recently withdrew its encrypted iCloud backup system from the UK after receiving a secret government order. The company’s compliance would require creating a backdoor, a move expected to be challenged in court on March 14. Similarly, Sweden is considering laws requiring messaging services like Signal and WhatsApp to retain message copies for law enforcement access, prompting Signal to threaten market exit.

“Some democracies are reverting to crude approaches to circumvent encryption,” says Callum Voge, director of governmental affairs at the Internet Society.

A growing concern is client-side scanning, a technology that scans messages on users’ devices before encryption. While presented as a compromise, experts argue it introduces vulnerabilities. The EU has debated its implementation for years, with some member states advocating stronger encryption while others push for increased surveillance. Apple abandoned a similar initiative after warning that scanning for one type of content could pave the way for mass surveillance.

“Europe is divided, with some countries strongly in favor of scanning and others strongly against it,” says Voge.

Another pressing threat is the potential banning of encrypted services. Russia blocked Signal in 2024, while India’s legal battle with WhatsApp could force the platform to abandon encryption or exit the market. The country has already prohibited multiple VPN services, further limiting digital privacy options.

Despite mounting threats, pro-encryption responses have emerged. The US Cybersecurity and Infrastructure Security Agency and the FBI have urged encrypted communication use following recent cybersecurity breaches. Sweden’s armed forces also endorse Signal for unclassified communications, recognizing its security benefits.

With the UK’s March 14 legal proceedings over Apple’s backdoor request approaching, US senators and privacy organizations are demanding greater transparency. UK civil rights groups are challenging the confidential nature of such surveillance orders.

“The UK government may have come for Apple today, but tomorrow it could be Google, Microsoft, or even your VPN provider,” warns Privacy International.

Encryption remains fundamental to human rights, safeguarding free speech, secure communication, and data privacy. “Encryption is crucial because it enables a full spectrum of human rights,” says Namrata Maheshwari of Access Now. “It supports privacy, freedom of expression, organization, and association.”

As governments push for greater surveillance, the fight for encryption and privacy continues, shaping the future of digital security worldwide.

VPN Services May Not Be as Secure as They Seem, Recent Research Finds



 

WireGuard

Cyber Security End-to-End Encryption IPsec secure VPN VPN encryption VPN protocols VPN research VPN security VPN vulnerabilities WireGuard

VPN Services May Not Be as Secure as They Seem, Recent Research Finds

VPNs are widely known for their benefits, including preventing location-based overcharging, safeguarding online privacy, and enabling access to geographically restricted content like foreign Netflix libraries. Historically, VPNs have been considered safe, but a new investigation by Top10VPN challenges this assumption.

Collaborating with security researcher Mathy Vanhoef, Top10VPN uncovered critical vulnerabilities impacting over 4 million systems. These include VPN servers, home routers, mobile servers, and CDN nodes, with high-profile companies like Meta and Tencent among those affected. The findings, set to be presented at the USENIX 2025 conference in Seattle, highlight flaws in key protocols—IP6IP6, GRE6, 4in6, and 6in4—designed to secure data transmission.

According to the research, these protocols fail to ensure sender identity matches the authorized VPN user profile. This weakness allows attackers to exploit one-way proxies, repeatedly gaining unauthorized access undetected. By sending data packets using compromised protocols, hackers can launch denial-of-service (DoS) attacks or infiltrate private networks to steal sensitive information.

To mitigate these risks, experts recommend additional security mechanisms like IPsec or WireGuard, which ensure end-to-end encryption. These tools limit the ability to access VPN traffic data, decryptable only by the designated server.

The investigation revealed that VPN services and servers deemed insecure were concentrated in the US, Brazil, China, France, and Japan. Users are advised to select VPNs that incorporate robust encryption methods and to remain cautious when using such services. Independent testing of VPN security is essential for ensuring reliability and safety.

For those seeking trusted options, refer to independent reviews and comparisons of the best VPN services, which prioritize user security and encryption protocols.

Top 5 Ways to Encrypt Your Internet Traffic for Enhanced Securit



 

VPN

Cyber Security Encrypted Email encrypted messaging apps Encryption End-to-End Encryption internet Security private browser Protonmail Signal app Telegram Tor Browser TutaNota VPN

Top 5 Ways to Encrypt Your Internet Traffic for Enhanced Securit

Encryption involves converting data into a format that is unreadable without the corresponding decryption key, thereby bolstering security and preventing unauthorized access.

Securing your internet connection with encryption is indeed possible, but it necessitates a multi-pronged strategy. Here are five approaches to encrypting your internet traffic:

1. Utilize a Private Browser:

Your browser serves as the primary gateway to the internet. If it doesn't shield you from tracking, other security measures won't be as effective. The Tor Browser stands out as a truly private option. It redirects traffic through a series of relays, encrypting it at each step. While it's indispensable for privacy-conscious tasks, its speed may be a limitation for everyday use. In such cases, browsers like Brave or Firefox, while not as robust as Tor, offer enhanced privacy and tracking protection compared to mainstream options like Chrome or Microsoft Edge.

2. Employ a VPN:

The use of a Virtual Private Network (VPN) is recommended, especially when combined with browsers other than Tor. A VPN enhances privacy and complicates efforts to track online activities. However, not all VPN providers are equal. It's crucial to choose one with robust encryption, a strict no-logs policy, protection against DNS leaks, a kill-switch feature, and reliable performance. Ensure thorough testing after selection, and extend VPN use to all devices, not just computers.

3. Embrace Encrypted Messaging Apps:

While a secure browser and VPN are crucial, using an encrypted messaging app is equally important. Opt for apps with end-to-end encryption, ensuring only the sender and recipient can read messages. Signal is highly recommended due to its reputation and emphasis on user privacy. Telegram offers a good alternative, especially for those seeking social features. WhatsApp, despite being owned by Meta, also provides end-to-end encryption and is more secure than many mainstream messaging apps.

4. Switch to an Encrypted Email Provider:

Email services from major companies like Google, Microsoft, and Yahoo collect substantial amounts of user data. By using their services, you not only contribute to Big Tech profits but also expose yourself to potential risks. Consider migrating to an encrypted email provider, which typically offer superior encryption, advanced security measures, and a focus on user privacy. While some advanced features may require payment, providers like ProtonMail, TutaNota, and Mailfence enjoy excellent reputations.

5. Invest in Encrypted Cloud Storage:

File storage plays a crucial role in internet traffic encryption, especially with the widespread use of cloud storage for personal data. Opt for providers offering end-to-end encryption and robust security practices. While numerous options are available, paid encrypted cloud storage services like Icedrive, pCloud, Tresorit, and Proton Drive provide reliable and secure solutions. Free options are scarce due to the substantial costs associated with providing this level of security and infrastructure.

By implementing these measures, you can significantly enhance the encryption of your internet traffic and fortify your overall cyber infrastructure. Additionally, consider local encryption and encrypting your entire hard drive for added security.

Seure Messaging Apps: A Safer Alternative to SMS for Enhanced Privacy and Cybersecurity



 

alternative messaging apps Cyber Security End-to-End Encryption Privacy Concerns Secure Messaging Signal app SMS security risks SMS vulnerabilities Telegram WhatsApp

Seure Messaging Apps: A Safer Alternative to SMS for Enhanced Privacy and Cybersecurity

The Short Messaging Service (SMS) has been a fundamental part of mobile communication since the 1990s when it was introduced on cellular networks globally.

Despite the rise of Internet Protocol-based messaging services with the advent of smartphones, SMS continues to see widespread use. However, this persistence raises concerns about its safety and privacy implications.

Reasons Why SMS Is Not Secure

1. Lack of End-to-End Encryption

SMS lacks end-to-end encryption, with messages typically transmitted in plain text. This leaves them vulnerable to interception by anyone with the necessary expertise. Even if a mobile carrier employs encryption, it's often a weak and outdated algorithm applied only during transit.

2. Dependence on Outdated Technology

SMS relies on Signaling System No. 7 (SS7), a set of signalling protocols developed in the 1970s. This aging technology is highly insecure and susceptible to various cyberattacks. Instances of hackers exploiting SS7 vulnerabilities for malicious purposes have been recorded.

3. Government Access to SMS

SS7 security holes have not been adequately addressed, potentially due to government interest in monitoring citizens. This raises concerns about governments having the ability to read SMS messages. In the U.S., law enforcement can access messages older than 180 days without a warrant, despite efforts to change this.

4. Carrier Storage of Messages

Carriers retain SMS messages for a defined period, and metadata is stored even longer. While laws and policies aim to prevent unauthorized access, breaches can still occur, potentially compromising user privacy.

5. Irreversible Nature of SMS Messages

Once sent, SMS messages cannot be retracted. They persist on the recipient's device indefinitely, unless manually deleted. This lack of control raises concerns about the potential exposure of sensitive information in cases of phone compromise or hacking.

Several secure messaging apps provide safer alternatives to SMS:

1. Signal

Signal is a leading secure messaging app known for its robust end-to-end encryption, ensuring only intended recipients can access messages. Developed by the non-profit Signal Foundation, it prioritizes user privacy and does not collect personal data.

2. Telegram

Telegram offers a solid alternative to SMS. While messages are not end-to-end encrypted by default, users can enable Secret Chats for enhanced security. This feature prevents forwarding and limits access to messages, photos, videos, and documents.

3. WhatsApp

Despite its affiliation with Meta, WhatsApp is a popular alternative with billions of active users. It employs end-to-end encryption for message security, surpassing the safety provided by SMS. It's available on major platforms and is widely used among contacts.

In conclusion, SMS is not a recommended option for individuals concerned about personal cybersecurity and privacy. While it offers convenience, its security shortcomings are significant.

Secure messaging apps with end-to-end encryption are superior alternatives, providing a higher level of protection for sensitive communications. If using SMS is unavoidable, caution and additional security measures are advised to safeguard information.

E2E Encryption Under Scrutiny: Debating Big Tech's Role in Reading Messages



 

Cyberattacks CyberCrime Cybersecurity End-to-End Encryption iMessage Privacy WhatsApp

E2E Encryption Under Scrutiny: Debating Big Tech's Role in Reading Messages

A recurring conflict between Silicon Valley and several governments is primarily about "end-to-end encryption," "backdoors," and "client-side scanning," which appear to be complex issues. However, in its simplest form, this issue boils down to the question: should technology companies be allowed to read people's messages?

In the last few years, this fundamental dispute has rumbled. With such a platform, you can chat with others using popular platforms such as WhatsApp, iMessage, Android Messages, and Signal. These platforms offer end-to-end encryption to ensure your privacy.

In response to a potential landmark law being considered by the UK government, Meta's Mark Zuckerberg is on a collision course with the UK government. This is over his continued plans to build ultra-secure messaging into all his apps despite a ban. Various governments around the world are closely watching the showdown to see who blinks first as they oppose popular technology as well.

The biggest argument in technology, the argument about End-to-End encryption, backdoors, and client-side scanning, seems very complicated right now. There is, however, a simple question to answer to determine the outcome. What are the consequences of technology companies reading text messages?

The crux of this disagreement has been brewing in Silicon Valley for years. It continues to have repercussions across the globe involving at least a dozen nations. There are several end-to-end encryption services in the market including WhatsApp, iMessage, Android Messages, and Signal.

This technology means that only the person sending the message, at one end, and the person receiving the message, at the other end, will be able to see, hear, and read the messages. There is no access to the content for anyone but the app makers.

Messages are encrypted and decrypted using cryptographic keys stored on endpoints that are configured to handle them. Encryption is based on public key technology, which is very secure.

Personalized, or asymmetric, encryption is composed of a private key and a public key shared with others. Upon sharing the public key, others can use the private key to encrypt a message and send it to the private key owner. Decrypting the message with the corresponding private key involves using the decryption key.

Almost always, when two parties involved in an exchange communicate online, an intermediary is entrusted with the task of handling the messages between the two parties. There are usually a variety of intermediaries including servers that belong to ISPs, telecom companies, or a variety of other companies that serve as mediators.

Using a public key infrastructure such as E2EE's, intermediaries are unable to intercept messages that are sent between parties. It is recommended to embed the public key within a certificate digitally certified by a recognized certificate authority (CA) to ensure that a public key is a legitimate key created by a legitimate recipient. It can be assumed that a certificate signed by that public key is authentic since its distribution and knowledge of the public key is widespread; the legitimacy of a certificate signed by the public key can be relied upon.

There might be a case in which the CA would reject a certificate that has a different public key associated with the same name as the one associated with the recipient since the certificate identifies the recipient's name and public key.

It is imperative to note that a system that provides end-to-end encryption ensures that only the parties involved in sending and receiving messages, media, and phone calls can access the content, including app developers. Governments and security agencies reluctantly accepted the rise of these encrypted apps as they gained immense popularity and became increasingly popular. The fact that end-to-end encryption was not the standard for Messenger and Instagram arose four years ago when Mark Zuckerberg, the CEO of Meta, announced plans to implement it in their applications.

Having launched this ambitious project back in 2012, Meta has been diligently working on it ever since. However, there are insufficient details regarding the project progress and the switchover timeline. There have been growing concerns, leading to requests to halt the switchover or create safeguards to protect consumers. As well, law enforcement agencies such as Interpol, in several countries have expressed concerns about the technology. These countries include the United Kingdom, Australia, Canada, New Zealand, the United States, India, Turkey, Japan, and Brazil.

One of the most noticeable attempts to address this issue is the proposed Online Safety Bill in the UK. The paper suggests that technology companies must be encouraged to include backdoors in their systems that allow them to scan messages for illegal content. Even though this bill has sparked debates over the balance between privacy and security, it remains in the bill. There is no doubt that governments and law enforcement agencies believe that accessing message content is crucial for convicting criminals and protecting children from online grooming. However, opponents assert that end-to-end encryption is critical for maintaining privacy and safety online.

A recent survey conducted by the National Society for the Prevention of Cruelty to Children (NSPCC) revealed that 73% of the UK public believe that technology companies should have the legal obligation to scan private messages for child sexual abuse when they are in an end-to-end encrypted environment, according to the study conducted by YouGov. The Research Crime and Security Initiative has voiced concerns that the Online Safety Bill could have detrimental effects on end-to-end encryption, undermining privacy guarantees and setting the stage for citizen surveillance by repressive regimes to become more common.

Adding to the discussion, WhatsApp and Signal have both announced that they will withdraw their services from the UK if security is compromised in favor of end-to-end encryption. It is thought that this may be their way of expressing their commitment to end-end encryption. The discussion about end-to-end encryption in Twitter messages was further sparked by Elon Musk's announcement of his plans to integrate it directly into the system.

Although implementing end-to-end encryption is a complex process and a significant financial undertaking, technology companies view it as necessary to regain users' trust after several high-profile data breaches. As a result of this encryption, it becomes much harder to monitor content users share with others, which makes content moderation more challenging.

There is a continuing debate between governments, privacy organizations, and tech companies regarding the ethical and legal ramifications of end-to-end encryption while negotiating a careful balance between privacy, security, and online abuses.

Big Switchover

End-to-end encrypted apps have grown in the last ten years as billions of people use them every day, making them one of the fastest-growing app categories. Law enforcement officers will likely lose out on one of their most critical sources of evidence if they cannot ask Meta for people's messages in the future.

The government and security agencies were slow to accept that end-to-end encryption would, as a standard, be implemented in the Messenger and Instagram apps. This was until Facebook founder Mark Zuckerberg announced four years ago that apps would transition to end-to-end encryption.

End-to-end: Undermines Privacy

In another letter published on Wednesday, 68 prominent defense and privacy researchers expressed their dissatisfaction with the Online Safety Bill for breaking end-to-end encryption, which shows the passion on both sides of this debate.

As a result of the law, experts say tech firms cannot implement safety measures to prevent children from being harmed. However, they can maintain user privacy.

Rebuilding Trust

Despite this, WhatsApp and Signal have made it clear that they are strongly opposed to any compromise to the security of end-to-end encryption in the UK.

Announcing in May that Elon Musk was incorporating end-to-end encryption into Twitter messages was not only a worry for those who criticize the technology but also compounded the problem for those who criticize it. A meta-analysis shows that switching to technology is one of the most challenging decisions companies have to make, but it is worth it in the end.

After years of data scandals, big tech organizations feel regaining customers' trust in their services is the key to regaining customers' confidence.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

Report Abuse

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

GhostPairing Attack Puts Millions of WhatsApp Users at Risk

Gmail Users Face New AI Threats as Google Expands Encryption and Gemini Features

Child Abuse Detection Efforts Face Setbacks Due to End-to-End Encryption

Encryption Under Siege: A New Wave of Attacks Intensifies

VPN Services May Not Be as Secure as They Seem, Recent Research Finds

Top 5 Ways to Encrypt Your Internet Traffic for Enhanced Securit

Seure Messaging Apps: A Safer Alternative to SMS for Enhanced Privacy and Cybersecurity

E2E Encryption Under Scrutiny: Debating Big Tech's Role in Reading Messages

Footer About

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item