
Security Bits — 2 March 2025

Feedback & Followups

Deep Dive — 🇬🇧 The UK’s Demand Apple Break Advanced Data Protection for All

Some Context — Regular -v- Advanced Data Protection

I’m seeing & hearing a lot of inaccurate reporting on this, so let’s start from the basics.

All iCloud backups are encrypted both in transit and at rest on Apple’s servers. For regular iCloud users, Apple retain a well-secured copy of the decryption key for most of the stored data so they can facilitate account recovery if users forget their password. This also means Apple can, and hence must, decrypt that data for law enforcement when presented with an appropriate court order from a relevant jurisdiction.

Notice I said most of the data, not all of the data. Health data and passwords are always end-to-end encrypted so Apple can never share that with anyone, and users can’t recover it if they reset their password.

With Apple’s optional Advanced Data Protection feature, all iCloud data is end-to-end encrypted: Apple can’t share it with anyone, and can’t recover the account for a user who loses their password; the data is simply lost. This means Advanced Data Protection is only for users with a high threat profile who would rather take full responsibility for safeguarding their password, knowing there is no way back in if they lose it, than have Apple hold the proverbial spare key to their stuff.
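
To make the distinction concrete, here is an added illustration written for this post (not Apple’s code, and not a description of Apple’s actual key hierarchy): a simplified account model in Python in which a per-account data key is always wrapped under the user’s password-derived key and, for regular protection only, also under a provider-held escrow key. The cipher is a toy HMAC-based encrypt-then-MAC construction chosen to keep the example within the standard library; the account class, the function names and the sample backup contents are all constructed for the example.

```python
"""Key escrow vs. end-to-end encryption, modelled on the regular/ADP split.

Added illustration, not Apple's code. The cipher below is a toy (HMAC-SHA256
keystream + HMAC tag) used only to keep this example dependency-free; use a
real AEAD such as AES-GCM or ChaCha20-Poly1305 in anything real.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a real cipher."""
    out = b""
    for counter in range(0, length, 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; raises on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def password_key(password: str, salt: bytes) -> bytes:
    """Key-wrapping key derived from the user's password (PBKDF2 here for simplicity)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CloudAccount:
    """Simplified key hierarchy for one account (an assumption, not Apple's design)."""

    def __init__(self, password: str, advanced_data_protection: bool, escrow_key: bytes):
        self.salt = secrets.token_bytes(16)
        data_key = secrets.token_bytes(32)  # the key that actually encrypts the backup
        self.wrapped_for_user = seal(password_key(password, self.salt), data_key)
        # Regular protection: the provider keeps its own wrapped copy of the data key.
        # Advanced Data Protection: it does not, so no escrow path exists at all.
        self.wrapped_for_provider = None if advanced_data_protection else seal(escrow_key, data_key)
        self.backup = b""

    def _data_key_via_password(self, password: str) -> bytes:
        return unseal(password_key(password, self.salt), self.wrapped_for_user)

    def _data_key_via_escrow(self, escrow_key: bytes) -> bytes:
        if self.wrapped_for_provider is None:
            raise PermissionError("end-to-end encrypted: provider holds no copy of the key")
        return unseal(escrow_key, self.wrapped_for_provider)

    def upload_backup(self, password: str, plaintext: bytes) -> None:
        self.backup = seal(self._data_key_via_password(password), plaintext)

    def user_restore(self, password: str) -> bytes:
        return unseal(self._data_key_via_password(password), self.backup)

    def provider_disclose(self, escrow_key: bytes) -> bytes:
        """What the provider can hand over in response to a court order."""
        return unseal(self._data_key_via_escrow(escrow_key), self.backup)

    def recover_account(self, escrow_key: bytes, new_password: str) -> None:
        """Forgot-password flow: re-wrap the data key under a new password, via escrow."""
        data_key = self._data_key_via_escrow(escrow_key)
        self.salt = secrets.token_bytes(16)
        self.wrapped_for_user = seal(password_key(new_password, self.salt), data_key)


def outcomes(advanced_data_protection: bool) -> dict:
    """Run the court-order and forgot-password scenarios; True means the step succeeds."""
    escrow_key = secrets.token_bytes(32)  # the provider's 'spare key'
    sample = b"photos, messages, notes"  # constructed sample backup contents
    acct = CloudAccount("correct horse battery", advanced_data_protection, escrow_key)
    acct.upload_backup("correct horse battery", sample)
    result = {}
    try:
        result["provider_can_read"] = acct.provider_disclose(escrow_key) == sample
    except PermissionError:
        result["provider_can_read"] = False
    try:  # the user has forgotten their password
        acct.recover_account(escrow_key, "new password")
        result["recovery_restores_data"] = acct.user_restore("new password") == sample
    except PermissionError:
        result["recovery_restores_data"] = False  # the data is simply lost
    return result


if __name__ == "__main__":
    print("regular:", outcomes(False))
    print("ADP    :", outcomes(True))
```

Running it shows the asymmetry the post describes: with regular protection both the forgot-password flow and a court-ordered disclosure succeed, because both go through the same escrowed copy of the key; with ADP both fail, because there is nothing for the provider to unwrap. A “secret recovery key” for ADP accounts, in this model, would simply be putting `wrapped_for_provider` back, which is why no such key can coexist with an end-to-end promise.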

What we Knew Last Time

When we last covered this story we had just a very credible leak from within the UK government stating that a secret demand had been issued to Apple that they add a secret recovery key to all accounts with Advanced Data Protection enabled (not just those of UK users), despite the feature explicitly promising there is no such key, because such a key literally breaks the definition of end-to-end encryption. This demand was reportedly made under the UK’s controversial Investigatory Powers Act, which makes it illegal for Apple to even acknowledge the existence of the demand.

The leak was so credible, US lawmakers with strong records on cybersecurity and national security from both parties believed it was legitimate.

What has Happened Since

Since our previous instalment two weeks ago, Apple has removed the ability for UK users to enable Advanced Data Protection, and informed existing users with the feature enabled that they would probably be forced to disable it in the near future. This is not something Apple can do unilaterally, because the data is encrypted with keys Apple does not have! Disabling it can only be done by the user themselves, since only they hold the keys needed to keep the data from being lost.

Apple’s statement only said they were “unable” to offer the feature in the UK at this time, without elaborating. This is the most they could possibly do without breaking the Investigatory Powers Act.

Meanwhile, the US government is taking this very seriously. The recently confirmed DNI (Director of National Intelligence) Tulsi Gabbard has launched a formal investigation, and administration officials say they have raised the matter with the UK government.

In a letter to senators, the DNI stated that she is investigating whether the order breaches the US/UK CLOUD Act agreement, which governs how each country’s authorities may request data held by the other country’s companies.

Finally, the US government appear to have leaked a report to the American press claiming the Biden administration had been made aware of the planned demand and had assured the UK authorities that such an order would be just fine with them, and would not be considered a breach of the CLOUD Act agreement. Editorial by Bart: if true, this is utterly disgraceful in my opinion, and a real indictment of the Biden administration’s naïveté or incompetence.

Links

❗ Action Alerts

  • New OpenSSH flaws expose SSH servers to MiTM and DoS attacks — www.bleepingcomputer.com/… (If you have an internet-facing SSH server you should probably patch, and since one of the two bugs is in the client, you should patch every machine you connect from too!)
  • Users of Parallels should be aware that there is an as-yet unpatched bug in Parallels Desktop that could give an attacker root access to your Mac, update as soon as a patch is released, and avoid creating new VMs in the meantime — www.bleepingcomputer.com/…
    • For home users the danger is not very high, because the attack exploits a weakness in the code that creates new VMs
    • The danger is further reduced by the fact that something malicious already needs to be running on your Mac to exploit this bug; what it offers is an escalation, letting malware that existing protections have confined to ordinary user rights gain root access.

Worthy Warnings

  • MAYBE: 🇺🇸 US drug testing firm DISA says data breach impacts 3.3 million people — www.bleepingcomputer.com/…
  • Beware: attackers have found a way of abusing a legitimate PayPal feature (with terrible data validation) to send phishing emails from genuine PayPal addresses that pass all mail validation because it really is PayPal’s servers sending them — www.bleepingcomputer.com/…
    • NosillaCastaways started reporting receiving these on the Podfeet slack before this detailed explanation emerged
    • Be extra vigilant with PayPal-related mails for the next while (until PayPal lock down this feature with better data validation)
  • Beware: more and more scammers are starting to abuse Signal’s device linking QR codes in phishing attacks, tricking users into scanning the QR codes and then clicking through to grant access, hence letting attackers into their Signal account and letting them intercept all messages — www.bleepingcomputer.com/…
    • Note that while this most recent example uses Signal, this can be abused in any app that uses QR codes for device linking, including the very popular WhatsApp from Meta.
  • If you live in a building with door access controls branded MESH by Viscount, you need to contact your building’s operators ASAP to make sure your building is safely configured: Over 49,000 misconfigured building access systems exposed online — www.bleepingcomputer.com/…

Notable News

  • Have I Been Pwned has added another massive password-stealer-log breach to its database, and released new features that allow home users, enterprises, and website owners to more easily get the details of their exposure (specific domains and usernames) — www.bleepingcomputer.com/… & www.troyhunt.com/…
  • Security researchers have discovered a very clever technique for tricking Apple’s Find My network to track any Bluetooth device — appleinsider.com/…
    • The technique requires massive computing power, so it is utterly impractical for all but the most targeted use by the most advanced adversaries; nothing for regular folks to worry about, at least not for now
    • This will not be easy for Apple to fix, as it will remain at least somewhat of a weakness until every single Find My-compatible device from every vendor has been updated with new firmware that does not even exist yet
  • Apple have announced improvements to their child protection features — www.macobserver.com/…
  • Google have updated Chrome’s Enhanced Protection feature to utilise AI for real-time detection of suspicious looking sites and plugins — www.bleepingcomputer.com/…
  • The cybersecurity firm Apiiro has released a free tool that can scan Git merges for malicious code using AI to recognise suspicious behaviour — www.bleepingcomputer.com/… (This is a real boon for large open source projects that get a lot of code submissions)
  • 🧯After a brief kerfuffle, Firefox have updated their TOS to clarify how they use the data users enter into the open source browser — thehackernews.com/…
    • Editorial by Bart: I don’t think there was ever anything malicious going on here. Firefox went from having no formal terms and just relying on their open source licensing to an explicit policy, which is just better for everyone, and even before they re-worded it to use better phrasing there was never anything outlandish in it anyway. Now it’s very explicitly and clearly fine, so a win for all I guess 🙂

Top Tips

Excellent Explainers

  • A revealing look at how scammers have switched to new phishing techniques which allow them to trick users into linking their payment cards into digital wallets (Apple Pay, Google Pay, Samsung Pay etc.) on devices owned by the attackers — krebsonsecurity.com/…
    • Phishing campaigns trick users into first entering their card details and then ‘verifying’ the purchase by entering a code their bank sends them — the page that took the details is fake, and the code is not to authenticate a purchase, but to authenticate adding the newly stolen card into the wallet!
    • Traditional card cloning is finally being effectively combatted with the near-complete rollout of chip-enabled cards (even in the US!), so new techniques are needed.
    • Scammers are loading tens of cards onto burner phones and then selling those pre-loaded phones on the dark web.
    • Wallet companies could dent this by limiting the number of cards that can be loaded onto any single device, as that would drive the per-card cost right up.
  • 🇺🇸 With so much going on in the US at the moment, the new administration’s effects on cybersecurity are getting somewhat lost in the noise; Brian Krebs has a good breakdown of the detrimental effects its impulsive and ill-considered changes are having — krebsonsecurity.com/…
  • NosillaCastaway George Gousha posted a link in our Slack to the video recording of his presentation to the Silicon Valley Mac Users’ Group, all about how to spot scam emails.

Palate Cleansers

Legend

When the textual description of a link is part of the link, it is the title of the page being linked to. When the text describing a link is not part of the link, it is a description written by Bart.

Emoji Meaning
🎧 A link to audio content, probably a podcast.
❗ A call to action.
(country flag) The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
📊 A link to graphical content, probably a chart, graph, or diagram.
🧯 A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂
💵 A link to an article behind a paywall.
📌 A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
🎩 A tip of the hat to thank a member of the community for bringing the story to our attention.
🎦 A link to video content.
