Monthly review – July 2020

Each month, we publish a review that covers essential activities of the last 30 days. This month, we talk about the discussions regarding the Signal PIN, our AMA event, and upcoming content.

The Signal PIN

This month, people started discussing the Signal PIN. In this Monthly Review, we dedicate our news section to these discussions to clarify some points.

What is the Signal PIN?

The Signal PIN is a password for your Signal account. At the moment, your Signal account uses a telephone number as an identifier; however, Signal plans to change this in the future. To support accounts that aren’t based on phone numbers, Signal needs to store your contacts. Currently, Signal uses your phone’s address book to do so. However, this isn’t possible when migrating to the new model. The new model stores your encrypted profile, settings, and contacts on Signal servers. In contrast, your message history isn’t stored on their servers.

What is all the recent fuss about?

For server-side protection, Signal relies on Intel SGX (Software Guard Extensions). A recent security vulnerability (SGAxe) demonstrated that vulnerable Signal servers could learn about contacts of Signal users and reduce the security of a user account to the strength of the Signal PIN. Since the minimum length of the PIN is four digits, some people argued that Signal accounts “can be hacked instantly.” Ultimately, this means a server-side attacker could see all contacts of a Signal user, their profile information, and settings.

What needs to be considered?

To decrypt the user data, the attacker needs to extract the hashed user PIN from the main memory of unpatched Signal servers. Furthermore, the user must have set a weak PIN, because guessing a strong PIN remains infeasible. Some statements oversimplify the attacker’s position to the point that Signal appears “completely insecure.” It is quite evident that this isn’t a trivial attack.
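To put numbers on the difference between a weak and a strong PIN, the following added example (not code from Signal or from this blog) estimates how long an offline search over a PIN space takes once the stretched PIN is known. PBKDF2 with 100,000 iterations is an assumed stand-in for the server-side stretching, which this article does not name; all function names and the sample policies are illustrative.

```python
import hashlib
import os
import time

ITERATIONS = 100_000            # assumed cost of the stand-in KDF
YEAR = 365 * 24 * 3600          # seconds


def stretch(pin: str, salt: bytes) -> bytes:
    """Stand-in for the server-side PIN stretching (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


def measure_guess_rate(samples: int = 5) -> float:
    """Guesses per second that one core of this machine manages against stretch()."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        stretch(f"{i:04d}", salt)
    return samples / (time.perf_counter() - start)


def worst_case_seconds(alphabet: int, length: int, rate: float) -> float:
    """Time to try every secret of exactly `length` symbols at `rate` guesses/s."""
    return alphabet ** length / rate


def min_length(alphabet: int, rate: float, target_seconds: float) -> int:
    """Shortest length whose exhaustive search lasts at least `target_seconds`."""
    length = 1
    while alphabet ** length < rate * target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    rate = measure_guess_rate()
    print(f"measured: {rate:.1f} guesses/s on one core")
    # Constructed policies: (label, alphabet size, length)
    for label, alphabet, length in [("4-digit PIN", 10, 4),
                                    ("12-digit PIN", 10, 12),
                                    ("20-char alphanumeric", 62, 20)]:
        secs = worst_case_seconds(alphabet, length, rate)
        print(f"{label:22} worst case {secs:.3g} s ({secs / YEAR:.3g} years)")
    print("digits needed to outlast one year:", min_length(10, rate, YEAR))
```

The measured rate covers a single core only; when choosing a PIN length, pass a higher `rate` that reflects the guessing capacity you want to plan for.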

What is the solution?

As an average user, you should set a strong PIN. This rule is valid for any service that requires passwords. In the best case, you use a password manager like KeePassXC to create a long password or passphrase and store it securely.

If you don’t mind losing access to your Signal account when you lose your device, you can disable the Signal PIN; Signal introduced an option for this. In this case, encrypted data is still stored on Signal servers; however, the user-provided PIN is replaced by a strong key that never leaves the user’s device. The strong key ensures that server-side parties can’t decrypt user data, even if the SGX protection fails.

What is bad about the whole story?

Some people started to convince Signal users to switch to messengers that come with no server-side protection. To put it in perspective: Signal stores some encrypted data on their servers, while many other messengers store much more data on their servers in cleartext (including the complete message history). In our opinion, there is absolutely no reason to panic.

Data breaches and leaks

In July 2020, the total number of breached accounts on Have I Been Pwned exceeded 10 billion. The latest breaches are:

  • Wattpad (breached in June 2020)
  • Promo (breached in July 2020)
  • Dave (breached in June 2020)
  • Hurb (breached in March 2019)
  • Drizly (breached in July 2020)
  • Dunzo (breached in June 2019)
  • Chatbooks (breached in March 2020)
  • Scentbird (breached in June 2020)
  • Appen (breached in June 2020)
  • Swvl (breached in June 2020)

Check if you were affected, and change your credentials. Besides, feel free to subscribe to our RSS/Atom feed, or directly follow us in the Fediverse to learn about data breaches and much more.

Our activities of the month

Ask Me Anything

From July 13 to July 23, we hosted an “Ask Me Anything” (AMA; technically “Ask Us Anything”) event. We answered more than 200 questions. 50 categorized questions and answers are available in three blog articles.

All in all, this was our first AMA event, and we enjoyed the large number of good questions and inspiring discussions with our readers.

New and updated content

In July, we published one article:

  • KeePassXC for beginners – setup and basic usage: Some of our readers asked for a basic tutorial on setting up KeePassXC. We fulfilled their wish and hope that more people migrate from weak passwords, stored in their brains, to strong passwords, stored in a password database.

Besides, we changed several things on our blog:

  • We updated our Recommendations: We added “Darknet Diaries” (a bi-weekly podcast about “hacker” stories), a new book (CompTIA Network+ Certification All-in-One Exam Guide), and KeePassXC as an alternative to KeePass 2.
  • We switched to inclusive terms. For instance, we now use “allowlist” instead of “whitelist.” We know that this doesn’t make sense for some people; however, nobody is hurt by this, and terms change all the time. 😉
  • For admins: We disabled the “Permissions-Policy” header (formerly named “Feature-Policy”) because there is no real client-side support. Besides, we added the “Cross-Origin-Opener-Policy” header for testing purposes.

Closing words

In August, we will likely publish the following three blog articles (the actual titles might differ):

  • Using U2F as two-factor authentication for OpenSSH (instead of OATH-TOTP)
  • Basic WireGuard setup
  • Bitwarden for beginners – setup and basic usage

Besides, we are working on integrating a news section into our blog, as explained in last month’s Monthly Review. Update (August 2020): We added a “News” section.

Furthermore, we publish security news in the Fediverse (feel free to subscribe to our RSS/Atom feed, or directly follow us in the Fediverse).
