Rather than add a backdoor, Apple decides to kill iCloud E2EE for UK peeps
Infosec in brief Apple has responded to the UK government’s demand for access to its customers’ data stored in iCloud by deciding to turn off its Advanced Data Protection (ADP) end-to-end encryption service for UK users.
Cupertino’s decision came after a row that began earlier this month amid reports that the UK Home Office had requested a backdoor to access data belonging to UK citizens under the auspices of the Investigatory Powers Bill.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” Apple told The Register in a statement.
The end-to-end encryption (E2EE) afforded by ADP is therefore off the table for UK residents, meaning both Apple and law enforcement agencies that secure a subpoena will be able to access requested data without the need for backdoor access.
Apple noted that some data stored in iCloud is still protected by E2EE, including health info, iMessages and FaceTime calls. iCloud backups, storage, photos, notes, reminders, Safari bookmarks, Siri shortcuts, Wallet passes, voice memos, and Freeform digital whiteboard files, however, will no longer be protected by end-to-end encryption.
Apple won’t turn off ADP. UK customers who attempt to enable the feature will now see an error message, while those who currently use it will be given a limited time to disable the feature. Access to iCloud will be blocked for those who don’t turn off ADP.
“As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” Apple said. Instead, customers in the UK will simply have to make do with lesser security than the iGiant advocates as best practice.
$1.4 billion crypto-heist hits Bybit
Over $1.4 billion worth of Ethereum-based tokens were stolen last week from a wallet belonging to cryptocurrency exchange Bybit.
CEO Ben Zhou explained the incident took place when Bybit made a transfer from a cold wallet to a warm wallet.
But unbeknown to Bybit, the payload of that transaction was obfuscated or spoofed.
A version of events we’ve seen on crypto-centric news services suggests that Bybit staff were fooled into authorizing transactions, perhaps after phishing directed them to a fake website.
“The signing message was to change the smart contract logic of our ETH cold wallet. This resulted in the hacker taking control of the specific ETH cold wallet we signed, and transferring all ETH in the cold wallet to this unidentified address,” Zhou wrote.
The CEO has reassured clients that Bybit “is solvent even if this hack loss is not recovered; all of clients’ assets are 1 to 1 backed, we can cover the loss.”
The company nonetheless saw over 350,000 requests to withdraw investments, and Zhou said Bybit successfully processed 99.994 percent of them. The CEO also shared the output of his wearable fitness monitor so customers could understand his stress levels.
Eagle-eyed Coast Guardian minimizes billing breach
Members of the US Coast Guard (USCG) have an unnamed hero to thank for minimizing the impact of a breach of its payroll systems.
According to a USCG spokesperson who spoke to The Register, the branch is currently investigating a data breach within its personnel and payroll system that has involved the compromise of banking account details for some of its members. The incident has led to delays in processing the pay of 1,135 of its troops, but the branch declined to go into details as to what happened.
“The Coast Guard Investigative Service and Coast Guard Cyber Command are leading an exhaustive investigation to determine the source and impact of the breach, and will ensure it is resolved as soon as possible,” a spokesperson told us.
But it could have been worse.
“Due to the diligence of a junior Petty Officer who reported anomalous activity affecting their account to the Coast Guard Cyber Command, we were able to minimize the impact of the breach,” the USCG told us. We salute you, coastie.
Critical vulnerabilities of the week: Atlassian patching time
Atlassian last week warned of seven high-severity and five critical vulnerabilities, including one that breaks authentication and session management in the company’s Crowd SSO product for both datacenter and server setups.
That vulnerability, CVE-2024-50379 (CVSS 9.8), is found in the org.apache.tomcat:tomcat-catalina dependency and allows an unauthenticated attacker to expose assets in secure environments without user interaction.
SEC spins up crypto crime unit
There’s a new sheriff in town, fixin’ to shoot down crypto crime and protect retail investors from fraud: The US Securities and Exchange Commission’s Cyber and Emerging Technologies Unit (CETU).
The unit, announced last week, replaces the Crypto Assets and Cyber Unit and will be made up of 30 fraud experts and lawyers from the SEC, operating under a remit to stop fraud and protect the average citizen.
“The unit will not only protect investors but will also facilitate capital formation and market efficiency by clearing the way for innovation to grow,” said acting SEC chairman Mark Uyeda. “It will root out those seeking to misuse innovation to harm investors and diminish confidence in new technologies.”
The CETU will try to reduce AI-assisted fraud, hacking to obtain material non-public information, takeovers of retail brokerage accounts, plus general blockchain and crypto fraud.
Phishing-as-a-service gets simpler with Darcula-Suite 3.0
Brands worried about being targeted by cybercriminals for phishing campaigns, be aware: There’s a new tool available that makes it easier than ever for a no-skill miscreant to impersonate a company.
The new darcula-suite 3.0 is “a significant shift in criminal capabilities,” according to Netcraft analysts who spotted it up for sale on Telegram. “The biggest innovation baked into the darcula-suite is the ability for any user to generate a phishing kit for any brand, regardless of technical ability or prior resources.”
All it takes for someone to launch a phishing campaign using a company’s assets is a URL to the target’s website, which a browser automation tool crawls to extract assets and HTML needed to create a phishing page. Darcula users can then customize the template to extract card details, steal MFA codes and the like.
Potential phishing victims, be warned: Messages might start coming from unlikely sources.
SANS wants YOU to help develop FOSS AI security
Unhappy with the proprietary nature of existing AI-powered cybersecurity systems, the SANS Institute is asking the open-source community to help develop a free and open-source solution to the problem AI presents for cybersecurity.
The Institute is doing so by hosting an AI cybersecurity hackathon from February 15 to March 15 and is welcoming anyone who wishes to try their hand at building an AI-powered security project to join the festivities.
“Through this hackathon, SANS hopes to not only contribute vital open-source tools but also encourage individuals to pursue and refine the AI security skills the industry desperately needs,” SANS research chief Rob Lee said.
SANS also hopes the event will cultivate new talent in the AI security field.
“AI is transforming cybersecurity at an unprecedented rate, but organizations are struggling to find professionals with the right expertise to secure these evolving technologies,” Lee added.
Those interested in joining the hackathon can sign up here before March 15. ®