
Security Bits — 20 December 2020 – SolarWinds, Apple’s Tracking Transparency

Feedback & Followups

Listener Thomas Cooper’s Question — Is TikTok a National Security Threat?

TL;DR — nope

We got some listener feedback asking about the US’s proposed ban on TikTok on national security grounds.

This is very much an opinion piece by Bart — there aren’t enough hard facts for this to be anything else.

The argument for the ban is that TikTok is a Chinese company, so, in theory, the Chinese government could order them to hand over data. The argument isn’t that this is happening, but that it could happen. There’s no way to disprove that, but that doesn’t make it a good argument. As Bertrand Russell famously said, “I can’t prove there isn’t a teapot in orbit around Mars, but that doesn’t mean there is!”

The way I think of TikTok is as a Chinese wanna-be Facebook. The data they can collect is similar, but since they’re not as all-pervasive, they’ll be less effective at data hoovering than Facebook is.

To be clear, there is zero evidence TikTok share anything with the Chinese Government, but for the sake of argument, let’s pretend they share everything. What would that mean?

With the exception of a few edge cases like political leaders, it would pose no direct danger. If I were the President of America on a secret mission to visit the troops in a war zone I’d be darn careful not to use any social media, because giving away my location could be very dangerous indeed!

Leaving aside the edge cases, all that’s left is soft power, specifically:

  1. Intelligence gathering — what do typical Americans do? What views are common? What does the average American like?
  2. Censorship — TikTok could be (and probably has been) ordered to block content referencing things the Chinese government find objectionable, like their persecution of the Uyghurs or the Tiananmen Square massacre
  3. Propaganda — the algorithms could be tweaked to push content the Chinese government do like.

I can’t see a substantial difference between a European using Facebook and an American using TikTok. We know the American government has secret courts it uses to force companies to hand over data to the government, and we suspect the Chinese government do too.

So, is TikTok a problem? IMO, yes, but no more or less so than Facebook!


Deep Dive(s)

🇺🇸 Deep Dive 1 — The SolarWinds Attack on the US Government

On the 17th of December, the US Cybersecurity & Infrastructure Security Agency (CISA) released an alert detailing a long-running attack by an advanced persistent threat (APT) against US ‘government agencies, critical infrastructure, and private sector organizations’. At least as far back as March 2020, an APT (generally a euphemism for state-sponsored hackers) has been successfully infiltrating the US government and other organisations. We can’t know for certain, but the consensus in the security community seems to be pointing the finger at Russia.

A big part of this attack has been the successful injection of malware into the third-party network monitoring and management platform Orion sold by US software company SolarWinds and widely used in large organisations. The attackers infiltrated SolarWinds so deeply that they were able to get their malicious code incorporated into the software distributed through SolarWinds’ standard software update processes. This is what is referred to as a supply chain attack. This is difficult to pull off, but very powerful, because it turns ‘stay patched to stay secure’ into ‘stay patched to get hacked’!

The reason this activity went unnoticed until now is that the APT used the new powers at their disposal very judiciously — this kind of access is extremely valuable, so you want to focus on the highest-value targets before your cover is blown, and to do as little obvious damage as possible so you stay off everyone’s radar for as long as possible. So, while all fully patched users of Orion had a hypothetical back door into their systems, most of those back doors were never opened.

The most recent update from CISA suggests this attack involved other vectors of exploitation, i.e. other lines of attack, not just Orion, and that it may have been going on since before March. The details are still very hazy, and CISA have promised more updates as they learn more.

CISA issued only its 5th ever emergency order on the 17th, ordering all US government agencies to power down their Orion appliances ASAP, and to start examining their networks for evidence of infiltration by checking their logs for a list of specific Indicators of Compromise, or IOCs.

Because of how this attack worked, simply patching Orion doesn’t solve the problem at all. Orion was just a proverbial beach-head, giving the attackers a powerful entry point into a network from where they can burrow in properly.

Just as an AV on your desktop computer has to be given highly privileged access within your OS to do its job, a system like Orion needs very highly privileged access to the network, and to key Windows servers, to do its job. One of the things the attackers did was to leverage the level of access Orion had to steal the private keys for vitally important security protocols, and use those to forge valid but unauthorised digital access tokens. These tokens could be used to directly access data like files, account details, or email messages via APIs, to reset passwords on key system accounts, or to create entirely new privileged accounts. In some cases the attackers even added entirely new federated identity providers to the network, tricking all servers on the network into trusting accounts issued by a server controlled by the attackers!
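To make concrete what “checking logs for a list of Indicators of Compromise” and watching for an unexpected identity provider mean in practice, here is an added example written for these notes; it is not code from CISA, SolarWinds, or the show. Every indicator, hostname, issuer URL and log line in it is constructed (reserved `.invalid` names, an RFC 5737 test address, a placeholder hash), and the simple `timestamp source key=value` log shape is an assumption made for the demonstration. It matches log fields against an IOC list and additionally flags any federation trust added for an issuer outside the organisation’s allow-list, since no IOC list can contain an attacker-controlled issuer in advance.

```python
import re
from dataclasses import dataclass

# Constructed IOC list for the demonstration. The domain and IP use a
# reserved .invalid name and an RFC 5737 test address; the hash is a
# placeholder. None of these are indicators from any real advisory.
IOCS = {
    "domain": {"updates.example-cdn.invalid"},
    "ip": {"203.0.113.45"},
    "sha256": {"0" * 63 + "1"},
}

# Identity providers the organisation actually trusts (constructed).
TRUSTED_ISSUERS = {"https://sts.corp.example.invalid/"}

# Constructed log lines in an assumed "timestamp source key=value ..." shape.
SAMPLE_LOGS = [
    "2020-12-14T02:11:05Z dns host=ws42 query=updates.example-cdn.invalid",
    "2020-12-14T02:11:06Z proxy host=ws42 dst=203.0.113.45 bytes=5120",
    "2020-12-14T02:11:07Z dns host=ws07 query=www.example.invalid",
    '2020-12-14T03:40:12Z edr host=srv-mon file="C:\\Monitor\\helper.dll" sha256=' + "0" * 63 + "1",
    "2020-12-14T04:02:33Z audit actor=admin event=federation_trust_added issuer=https://sts.attacker.example.invalid/",
    "2020-12-14T04:02:34Z audit actor=admin event=federation_trust_added issuer=https://sts.corp.example.invalid/",
]

# key=value pairs; a value may be quoted so it can contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def parse_line(line):
    """Split a log line into timestamp, source and its key=value fields."""
    parts = line.strip().split(" ", 2)
    parts += [""] * (3 - len(parts))
    ts, source, rest = parts
    record = {"ts": ts, "source": source}
    for key, value in KV_RE.findall(rest):
        record[key] = value.strip('"')
    return record


def domain_matches(name, bad_domains):
    """True for an exact match or any subdomain of a listed domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in bad_domains)


def match_record(record, iocs=IOCS, trusted_issuers=TRUSTED_ISSUERS):
    """Return (kind, value) pairs for every IOC or trust change in one record."""
    hits = []
    for key in ("query", "dst", "src"):
        value = record.get(key)
        if not value:
            continue
        if value in iocs["ip"]:
            hits.append(("ip", value))
        elif domain_matches(value, iocs["domain"]):
            hits.append(("domain", value.lower()))
    digest = record.get("sha256", "").lower()
    if digest and digest in iocs["sha256"]:
        hits.append(("sha256", digest))
    # A federation trust added for an issuer outside the allow-list is the
    # change the notes describe: every server would start trusting accounts
    # issued by that provider, so it is reported even without an IOC match.
    if record.get("event") == "federation_trust_added":
        issuer = record.get("issuer", "")
        if issuer not in trusted_issuers:
            hits.append(("untrusted_issuer", issuer))
    return hits


def scan(lines, iocs=IOCS, trusted_issuers=TRUSTED_ISSUERS):
    """Scan log lines and return one Finding per IOC hit or trust change."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for kind, value in match_record(parse_line(line), iocs, trusted_issuers):
            findings.append(Finding(line_no, kind, value))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.kind} {f.value}")
```

Run as-is it reports four findings from the constructed logs: the IOC domain lookup, the IOC destination address, the file hash, and the trust added for the unknown issuer; the benign DNS query and the trust for the organisation’s own provider produce nothing. A real deployment would feed it the IOC list from the advisory and the organisation’s real issuer allow-list rather than these placeholders.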

Listener Lynda asked if the Orion vulnerability affected Windows or Macs, or if it was just servers. That’s not really a relevant question when it comes to this kind of attack. This is not like a malicious version of Word or something; this is a compromise of a domain-level service that does, in a very literal sense, run on specific Windows servers, but that effectively infects the entire Windows domain.

Once your network is compromised as deeply as the victims of this attack have been, it’s an absolutely Herculean task to get the attackers out completely. Like treating a cancer that’s spread throughout the body, if you miss just one device in a corner somewhere, the attackers can lie dormant for weeks, months, or even years before slowly and carefully starting to infest your network again. The list of required actions in the various CISA documents is sobering — if you know anyone working in US government IT, buy them a coffee, they’ll need it!

A smaller part of this story is that the security company FireEye was also attacked by this APT, and some of their internal red team hacking tools were stolen. To protect the community FireEye have open-sourced the tools and released advice for detecting their use, neutering their effectiveness. FireEye were also keen to point out that none of the stolen tools exploit any currently un-patched vulnerabilities.

Another smaller detail is that in some cases the attackers were able to spread beyond the victim’s local Windows domain, and up into the victim’s Office365 tenancy too. There were some initial reports that Microsoft’s own servers were compromised, but that doesn’t seem to be correct, and Microsoft are insistent that they have not been compromised.

The bottom line is that this is going to take a very long time indeed to deal with, and that we’ve only discovered the tip of the iceberg in terms of the damage done. Over the coming days and weeks expect to hear news reports that the attacks started earlier, affected more systems in more organisations, and did more damage than we currently know.


Deep Dive 2 — Facebook’s PR Campaign Against Apple’s Up-Coming Tracking Transparency Feature

As a reminder, at WWDC this summer Apple announced that it would be adding a feature to iOS to make access to a device’s tracking ID for advertisers opt-in instead of opt-out. Apps could still use the ID to facilitate cross-app tracking, but only with explicit consent from the user.

This new level of transparency is deeply worrying to Facebook because their business model depends on clandestine tracking. Facebook know users would find the level of tracking they do creepy if they knew about it, and Apple’s change will ensure people will know, and will have a chance to opt out.

Facebook are painting this forced honesty as a ban on tracking, which is interesting. It shows they know what they are doing now would not be sustainable if people knew about it.

To that end Facebook ran two full-page newspaper ads in the US arguing that Apple’s move to shine a light on tracking amounts to an attack on small businesses, and that Facebook are the good guys, standing up for all those little guys. They also argue that because of COVID Apple should not go ahead with their change.

Apple replied with a simple message pointing out that they’re not blocking anything, and simply giving users information and choices, and showing a sample dialogue box.

While the flash-point for this campaign is the pending release of the app tracking transparency feature in iOS, Facebook and indeed the entire ad industry are still reeling from the improved tracking protections Apple has been adding to Safari over the past few years.

In related news, US publishers also signed on to Epic’s Coalition for App Fairness, again, over fears of tracking-based ad revenue going away.


❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Interesting Insights

Palate Cleansers


When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
