
      The Signal Protocol used by 1+ billion people is getting a post-quantum makeover

      news.movim.eu / ArsTechnica · Wednesday, 20 September, 2023 - 13:59 · 1 minute


    The Signal Foundation, maker of the Signal Protocol that encrypts messages sent by more than a billion people, has rolled out an update designed to prepare for a very real prospect that’s never far from the thoughts of just about every security engineer on the planet: the catastrophic fall of cryptographic protocols that secure some of the most sensitive secrets today.

    The Signal Protocol is a key ingredient in the Signal, Google RCS, and WhatsApp messengers, which collectively have more than 1 billion users. It’s the engine that provides end-to-end encryption, meaning messages encrypted with the apps can be decrypted only by the recipients and no one else, including the platforms enabling the service. Until now, the Signal Protocol encrypted messages and voice calls with X3DH, a specification based on a form of cryptography known as Elliptic Curve Diffie-Hellman.

    A brief detour: WTF is ECDH?

    Often abbreviated as ECDH, Elliptic Curve Diffie-Hellman is a protocol unto itself. It combines two main building blocks. The first involves the use of elliptic curves to form asymmetric key pairs, each of which is unique to its user. One key in the pair is public and available to anyone to use for encrypting messages sent to the person who owns it. The corresponding private key is closely guarded by the user. It allows the user to decrypt the messages. Cryptography relying on a public-private key pair is often known as asymmetric encryption.


      Message encryption escapes the worst in the United Kingdom

      news.movim.eu / Numerama · Thursday, 7 September, 2023 - 14:00


    British authorities have acknowledged the technical dead end they put themselves in by demanding the scanning of end-to-end encrypted messages.


      Google removes fake Signal and Telegram apps hosted on Play

      news.movim.eu / ArsTechnica · Wednesday, 30 August, 2023 - 22:09 · 1 minute


    Researchers on Wednesday said they found fake apps in Google Play that masqueraded as legitimate ones for the Signal and Telegram messaging platforms. The malicious apps could pull messages or other sensitive information from legitimate accounts when users took certain actions.

    An app with the name Signal Plus Messenger was available on Play for nine months and had been downloaded from Play roughly 100 times before Google took it down last April after being tipped off by security firm ESET. It was also available in the Samsung app store and on signalplus[.]org, a dedicated website mimicking the official Signal.org. An app calling itself FlyGram, meanwhile, was created by the same threat actor and was available through the same three channels. Google removed it from Play in 2021. Both apps remain available in the Samsung store.

    Both apps were built on open source code available from Signal and Telegram. Interwoven into that code was an espionage tool tracked as BadBazaar. The Trojan has been linked to a China-aligned hacking group tracked as GREF. BadBazaar has been used previously to target Uyghurs and other Turkic ethnic minorities. The FlyGram malware was also shared in a Uyghur Telegram group, further aligning it to previous targeting by the BadBazaar malware family.


      Banks fined $549M after senior execs found secretly texting on Signal, WhatsApp

      news.movim.eu / ArsTechnica · Tuesday, 8 August, 2023 - 19:22


    Banks with employees covertly texting about official business on apps like Signal, WhatsApp, and iMessage have been caught red-handed. Now federal agencies are charging banks with violating laws requiring recordkeeping on all business matters.

    Today, the SEC and the Commodity Futures Trading Commission (CFTC) fined 11 firms a combined $549 million for what the SEC described as "widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications."

    Wells Fargo was hit with the biggest fines, agreeing to pay the SEC a $125 million penalty and the CFTC another $75 million. Fines for other firms—including Bank of Montreal, BMO Capital Markets Corp., BNP Paribas, Houlihan Lokey Capital, Inc., Mizuho Securities USA, Moelis & Company LLC, SMBC Nikko Securities America, Inc., Société Générale, and Wedbush Securities Inc.—ranged between $9 million and $75 million.


      SBF tries to revise bail conditions after judge noted suspicious VPN use

      news.movim.eu / ArsTechnica · Thursday, 2 March, 2023 - 17:27 · 1 minute


    A few weeks ago, disgraced FTX founder Samuel Bankman-Fried was in danger of losing his bail package and potentially being jailed until October. The court was fed up with trying to monitor Bankman-Fried’s online activity, and United States district judge Lewis Kaplan decided that the only option left was for Bankman-Fried to recommend independent experts who could help the court set appropriate bail conditions to limit any suspicious online activity.

    Kaplan gave Bankman-Fried until this Friday to find experts who could help the court determine precisely what tech privileges needed to be revoked to ensure that Bankman-Fried would be incapable of compromising the court’s investigation into the criminal fraud case, Bloomberg reported. Yesterday, Bankman-Fried officially submitted his recommendations, naming two tech consultants he believes are qualified to advise on his bail conditions: Edward Stroz and Michael McGowan.

    Bankman-Fried supplied resumes for both candidates. Stroz was an FBI agent in the 1980s and 1990s, specializing in major international financial crimes. During that time, he created New York City’s Computer Crime Squad and investigated hundreds of cases alleging bank fraud. Since then, he has spent the past two decades managing an international consulting firm, Aon, where his duties include overseeing digital forensics investigations for corporate clients, trial counsel, and civil litigants.


      The Signal app will leave countries that attack encryption

      news.movim.eu / Numerama · Monday, 27 February, 2023 - 13:09


    The United Kingdom is debating a law that could force concessions on end-to-end encryption in the name of public safety. That is unacceptable to Signal, which warns that it could leave the country.


      Which does the best job of protecting your private messages: TikTok, Messenger, WhatsApp, Twitter, or the others?

      news.movim.eu / Numerama · Monday, 28 November, 2022 - 07:25


    Apps and social networks provide varying levels of security for private messages. At a minimum, there is always encryption to secure conversations in transit over the Internet. But when it comes to end-to-end encryption, the picture is very uneven.


      Musk: Paid checkmarks won’t return until Twitter can stop impersonation

      news.movim.eu / ArsTechnica · Tuesday, 22 November, 2022 - 16:20


    When Elon Musk first launched his Twitter Blue subscription service, the whole point was to make it possible to buy the blue checkmark as a coveted status symbol. Now, the billionaire is backtracking (for now, at least), announcing in a tweet that the relaunch of Blue Verified checkmarks will be delayed and that, when it does roll out, checkmarks distinguishing between Blue Verified subscribers and official verified accounts will likely be different colors.

    “Holding off relaunch of Blue Verified until there is high confidence of stopping impersonation,” Musk tweeted. “Will probably use different color check for organizations than individuals.”

    Many Twitter users suggested this obvious solution before the fake-account scandal found the platform sprinkled with popular but chaotic brand impersonations. That ultimately led Musk to revoke the option to pay $8 for a Blue Verified subscription.


      Signal launches its own Stories!

      news.movim.eu / JournalDuGeek · Sunday, 13 November, 2022 - 10:00


    Since Snapchat created it, the Stories concept has been copied by every platform and every social network. But its appearance in the Signal messenger was not necessarily expected…
