Tag Archives: encryption

CircleCI says hackers stole encryption keys and customers’ secrets • TechCrunch

CircleCI, a software company whose continuous-integration products are popular with developers and software engineers, confirmed that some customers’ data was stolen in a data breach last month.

The company said in a detailed blog post on Friday that it identified the intruder’s initial point of access as an employee’s laptop that was compromised with malware, allowing the theft of session tokens used to keep the employee logged in to certain applications, even though their access was protected with two-factor authentication.

The company took the blame for the compromise, calling it a “systems failure,” adding that its antivirus software failed to detect the token-stealing malware on the employee’s laptop.

Session tokens let a user stay logged in without re-entering a password or re-authorizing with a second factor on every request. But a stolen session token gives an intruder the same access as the account holder, with no need for the password or the two-factor code: the server only sees a valid token, so a request from the account owner and one from a hacker who stole the token look identical unless the token is also bound to the client’s device or context.

CircleCI said the theft of the session token allowed the cybercriminals to impersonate the employee and gain access to some of the company’s production systems, which store customer data.

“Because the targeted employee had privileges to generate production access tokens as part of the employee’s regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including customer environment variables, tokens, and keys,” said Rob Zuber, the company’s chief technology officer. Zuber said the intruders had access from December 16 through January 4.

Zuber said that while customer data was encrypted, the cybercriminals also obtained the encryption keys able to decrypt customer data. “We encourage customers who have yet to take action to do so in order to prevent unauthorized access to third-party systems and stores,” Zuber added.

Several customers have already informed CircleCI of unauthorized access to their systems, Zuber said.

The post-mortem comes days after the company warned customers to rotate “any and all secrets” stored in its platform, fearing that hackers had stolen its customers’ code and other sensitive secrets used for access to other applications and services.

Zuber said that CircleCI employees who retain access to production systems “have added additional step-up authentication steps and controls,” which should prevent a repeat incident, likely by way of hardware security keys.
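The two defenses the article touches on, spotting a session token that turns up from a context other than the one that completed two-factor authentication, and requiring a fresh step-up before a privileged action such as minting production tokens, in working form. This is an added example, not CircleCI’s code; the audit-log format, the field names, the `/admin/prod-token` path and the 15-minute freshness window are assumptions made for illustration, and the log lines are constructed.

```python
"""
Added example: detecting reuse of a stolen session token and requiring
step-up authentication for privileged actions. Log lines, field names and
paths are constructed for this example, not CircleCI's real schema.
"""
import json
from datetime import datetime, timedelta

# Constructed audit log: an MFA-backed login, an ordinary request, then the same
# session id arriving from a different network and client, asking to mint tokens.
LOG_LINES = [
    '{"ts":"2022-12-16T09:00:00Z","event":"login","user":"alice","sid":"s-7f3a","mfa":true,'
    '"ip":"203.0.113.10","ua":"Firefox/108 macOS"}',
    '{"ts":"2022-12-16T09:05:00Z","event":"request","user":"alice","sid":"s-7f3a",'
    '"path":"/dashboard","ip":"203.0.113.10","ua":"Firefox/108 macOS"}',
    '{"ts":"2022-12-16T11:30:00Z","event":"request","user":"alice","sid":"s-7f3a",'
    '"path":"/admin/prod-token","ip":"198.51.100.77","ua":"python-requests/2.28"}',
    '{"ts":"2022-12-16T11:31:00Z","event":"request","user":"alice","sid":"s-7f3a",'
    '"path":"/admin/prod-token","ip":"198.51.100.77","ua":"python-requests/2.28"}',
]

STEP_UP_PATHS = {"/admin/prod-token"}   # assumed privileged actions that need fresh MFA
MFA_FRESHNESS = timedelta(minutes=15)   # assumed: how recent the MFA must be


def parse(line):
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def analyze(lines):
    """Return (alerts, denied): context-mismatch alerts for a session, and
    privileged requests that would be refused pending step-up authentication."""
    sessions = {}            # sid -> client context captured when MFA was completed
    alerts, denied = [], []
    for rec in map(parse, lines):
        sid = rec["sid"]
        if rec["event"] == "login":
            if rec.get("mfa"):
                sessions[sid] = {"ip": rec["ip"], "ua": rec["ua"], "mfa_at": rec["ts"]}
            continue
        ctx = sessions.get(sid)
        if ctx is None:
            alerts.append((rec["ts"], sid, "request on a session with no recorded login"))
            continue
        # 1. Session binding: the token now arrives from a different address AND a
        #    different client than the one that passed MFA. Either alone can be
        #    benign (roaming, browser update); both together is a strong theft signal.
        if rec["ip"] != ctx["ip"] and rec["ua"] != ctx["ua"]:
            alerts.append((rec["ts"], sid,
                           f"context change {ctx['ip']}/{ctx['ua']} -> {rec['ip']}/{rec['ua']}"))
        # 2. Step-up: a privileged path needs MFA completed within the freshness
        #    window, so a replayed long-lived session alone cannot mint tokens.
        if rec["path"] in STEP_UP_PATHS and rec["ts"] - ctx["mfa_at"] > MFA_FRESHNESS:
            denied.append((rec["ts"], sid, rec["path"]))
    return alerts, denied


if __name__ == "__main__":
    found_alerts, refused = analyze(LOG_LINES)
    for a in found_alerts:
        print("ALERT", *a)
    for d in refused:
        print("DENY (step-up required)", *d)
```

Run against the constructed log, both requests to `/admin/prod-token` raise an alert and are refused; the earlier `/dashboard` request from the original context passes. The alert is a detection, not a block: the refusal comes from the step-up rule, which holds even when the thief’s context happens to match the victim’s.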

The initial point of access — the token-stealing on an employee’s laptop — bears some resemblance to how the password manager giant LastPass was hacked, which also involved an intruder targeting an employee’s device, though it’s not known if the two incidents are linked. LastPass confirmed in December that its customers’ encrypted password vaults were stolen in an earlier breach. LastPass said the intruders had initially compromised an employee’s device and account access, allowing them to break into LastPass’ internal developer environment.

Updated headline to better reflect the customer data that was taken.


Apple Plans New Encryption System to Ward Off Hackers and Protect iCloud Data

Apple Inc. is planning to significantly expand its data-encryption practices, a step that is likely to create tensions with law enforcement and governments around the world as the company continues to build new privacy protections for millions of iPhone users.

The expanded end-to-end encryption system, an optional feature called Advanced Data Protection, would protect most of the data stored in iCloud, an Apple service used by many of its users to store photos, back up their iPhones or save specific device data such as Notes and Messages. The data would remain protected even if Apple itself were hacked, and it also wouldn’t be accessible to law enforcement, even with a warrant.

While Apple has drawn attention in the past for being unable to help agencies such as the Federal Bureau of Investigation access data on its encrypted iPhones, it has been able to provide much of the data stored in iCloud backups upon a valid legal request. Last year, it responded to thousands of such requests in the U.S., according to the company. 

With these new security enhancements, Apple would no longer have the technical ability to comply with certain law-enforcement requests such as for iCloud backups—which could include iMessage chat logs and attachments and have been used in many investigations.

Apple has added additional methods to help users recover their end-to-end encrypted data. (Photo: Apple)

The company said the security enhancements, which were announced Wednesday, are designed to protect Apple customers from the most sophisticated attackers.

“As customers have put more and more of their personal information of their lives into their devices, these have become more and more the subject of attacks by advanced actors,” said Craig Federighi, Apple’s senior vice president of software engineering, in an interview. Some of these actors are going to great lengths to get their hands on the private information of people they have targeted, he said.

The FBI said it was “deeply concerned with the threat end-to-end and user-only-access encryption pose,” according to a statement provided by an agency spokeswoman. “This hinders our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime and terrorism,” the statement said. The FBI and law enforcement agencies need “lawful access by design,” it said.

A spokesman for the Justice Department declined to comment.

Former Western law-enforcement and intelligence officials said they were surprised by Apple’s decision in part because the company had refrained in the past from rolling out such encryption settings for iCloud. The officials said Apple would sometimes point authorities to the iCloud as a possible means of collecting information that could be useful for criminal investigations.

Ciaran Martin, former chief of the U.K.’s National Cyber Security Centre, said the announcement by Apple could pose legal complications for the company in multiple democracies that in recent years have adopted or weighed restrictions on technology that can’t be responsive to law-enforcement demands.

“Things will only be clearer when further technical details are given,” Mr. Martin said. “But on the face of it, existing legislation in Australia and looming legislation in the U.K. would seem to give those governments the power to tell Apple in those countries effectively not to do this.”

Last year, Apple proposed software for the iPhone that would identify child sexual-abuse material on the iPhone. Apple now says it has stopped development of the system, following criticism from privacy and security researchers who worried that the software could be misused by governments or hackers to gain access to sensitive information on the phone.


Mr. Federighi said Apple’s focus related to protecting children has been on areas such as communication and giving parents tools to protect children in iMessage. “Child sexual abuse can be headed off before it occurs,” he said. “That’s where we’re putting our energy going forward.”

Apple released a feature in December 2021 called “Communication Safety” in Messages, which offers tools for parents that warn their children when they have received or attempt to send photos that contain nudity. The option is part of Apple’s “Screen Time” parental-controls software.

The new encryption system, to be tested by early users starting Wednesday, will roll out as an option in the U.S. by year’s end, and then worldwide including China in 2023, Mr. Federighi said.

“This development will prompt questions at home and abroad, including whether the government of China will really accept a loss of data access,” said Sumon Dantiki, a former senior FBI and Justice Department official who worked on cyber investigations and is now a partner at the King & Spalding law firm. U.S. officials have long pointed to China’s increasingly strict demands for access to data on companies that operate within its borders as a national-security concern.

In addition to Advanced Data Protection, Apple is also modifying its Messages app to make it harder for messages to be snooped on, and it will now allow users to log in to their Apple accounts with hardware-based security keys made by other companies such as Yubico.

Privacy groups have long called on Apple to strengthen encryption on its cloud servers. But because the Advanced Protection encryption keys will be controlled by users, the system will restrict Apple’s ability to restore lost data. 


To set up Advanced Data Protection, users will have to enable at least one data-recovery method. This could be a recovery key—a long list of numbers and characters that users could print out and store in a secure location—or the user could assign a friend or family member as a recovery contact.  

Over the past two decades, businesses and consumers have moved much of their data off computer systems that they control and onto the cloud—data centers filled with servers that are operated by large technology companies. That trend has made these cloud systems an attractive target for cyber intruders. 

Mr. Federighi said that Apple isn’t aware of any customer data being taken from iCloud by hackers but that the Advanced Protection system will make things harder for them. “All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems,” he said. “We have to stay ahead of future attacks with new protections.”

As Apple has locked down its systems, governments worldwide have become increasingly interested in the data stored on phones and cloud computers. That interest has led to friction between Apple and law-enforcement agencies, along with a growing market for iPhone hacking tools. In 2020, Attorney General William Barr pressured Apple for a way to crack the iPhone’s encryption to help with a terror investigation into a shooting that killed three people at a Florida Navy base.

Advanced Protection will reduce the amount of iCloud information that Apple can provide to law-enforcement agencies, who frequently request iPhone data from Apple as part of their investigations. Apple received requests for information on 7,122 Apple accounts from U.S. authorities in the first six months of 2021, the last period for which the company has provided information.

Apple had already offered end-to-end encryption for some of its services, but the protection will now extend to 23 services, including iPhone backups and Photos. However, three services—Mail, Contacts and Calendar—won’t qualify for Advanced Protection because they use older technology protocols, Mr. Federighi said.

Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe. If sensitive information were to get in the hands of an attacker, a foreign adversary or some other bad actor, it could be disastrous, he said. 

“We’re giving users the option to keep that key only on their devices, which means that even if an attacker were to successfully breach the cloud and access all that data, it would be nonsense to them,” Mr. Federighi said. “They’d lack the key to decrypt it.”
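The custody difference the article describes, between a provider that keeps a copy of the key it can use to restore data (or answer a legal request) and one that holds only ciphertext plus key copies wrapped for the user’s devices and a printed recovery key, as an added example. This is not Apple’s code and says nothing about how iCloud is actually built: the structure is the standard envelope-encryption pattern, the party names (`device`, `recovery`, `service`) are illustrative, and the cipher is an HMAC-based stand-in so the example runs with only the Python standard library; a real system would use AES-GCM or another vetted AEAD and a hardware-backed device key.

```python
"""
Added example (not Apple's code): provider-held vs user-held key custody for
cloud backups. The cipher is a keyed-PRF counter mode plus an HMAC tag built
from hashlib/hmac so the example is stdlib-only; use a vetted AEAD in practice.
"""
import hashlib
import hmac
import os


def _subkeys(key):
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC under a fresh random nonce (illustrative AEAD stand-in)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag before decrypting; a wrong key is an authentication failure."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def recovery_key_from_code(code, salt):
    """Turn a printed recovery code into a 32-byte key (PBKDF2 keeps it stdlib-only)."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 200_000, dklen=32)


def backup(plaintext, device_key, recovery_key, service_key=None):
    """What the cloud stores. A random data key protects the content; that data key
    is wrapped once per party able to unlock it. Passing service_key models the
    standard mode, in which the provider keeps a copy it can open on its own."""
    dek = os.urandom(32)
    wrapped = {"device": seal(device_key, dek), "recovery": seal(recovery_key, dek)}
    if service_key is not None:
        wrapped["service"] = seal(service_key, dek)
    return {"data": seal(dek, plaintext), "wrapped": wrapped}


def restore(stored, holder, key):
    """Unwrap the data key as `holder` ('device', 'recovery' or 'service'), then decrypt."""
    dek = unseal(key, stored["wrapped"][holder])
    return unseal(dek, stored["data"])


if __name__ == "__main__":
    device_key = os.urandom(32)
    service_key = os.urandom(32)
    recovery_key = recovery_key_from_code("ABCD-EFGH-1234-5678", salt=b"per-account-salt")
    photo = b"constructed sample: bytes of a photo"

    standard = backup(photo, device_key, recovery_key, service_key=service_key)
    print("standard mode, provider can decrypt:", restore(standard, "service", service_key) == photo)

    user_held = backup(photo, device_key, recovery_key)
    print("user-held keys, provider has no wrapped copy:", "service" not in user_held["wrapped"])
    try:
        restore(user_held, "device", service_key)   # everything the provider holds, no user key
    except ValueError as exc:
        print("attacker with the provider's key:", exc)
    print("user with recovery code:", restore(user_held, "recovery", recovery_key) == photo)
```

The point of `backup` without a `service_key` is that the stored blob is all an attacker (or a subpoena) can obtain from the provider, and it decrypts under nothing the provider has. That is also why losing every device and the recovery code is unrecoverable, which is the trade-off the article attributes to the feature and the reason Apple requires a recovery method to be set up first.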

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.


Google celebrates 30 years of SMS with end-to-end encryption for group chats in Messages app

Short Messaging Service, popularly known as SMS, turned 30 today, and to celebrate its birthday, Google announced that its Messages app will support end-to-end encryption for group chats over the coming weeks – a feature that’s been available for one-on-one conversations for a couple of years.

However, end-to-end encryption for group chats is initially available only to Messages users enrolled in the beta program, so anyone who wants to try it will have to join the beta first.

In addition to announcing end-to-end encryption for group chats, Google also announced that the Messages app will soon let users react to RCS (Rich Communication Services) messages with any emoji, similar to WhatsApp.

Google also took the 30th birthday of SMS as an opportunity to take a dig at Apple for its refusal to adopt RCS, saying, “all of the major mobile carriers and manufacturers have adopted RCS as the standard — except for Apple. Apple refuses to adopt RCS and continues to rely on SMS when people with iPhones message people with Android phones, which means their texting is stuck in the 1990s.”

The Mountain View-based internet search giant launched the #GetTheMessage campaign a few months ago, calling for Apple to adopt RCS, but the Cupertino-based tech giant has been quite adamant and stubborn on its stance, with Apple CEO Tim Cook saying he would rather convert Android users to iPhones.

It remains to be seen how this “green bubble vs. blue bubble” thing pans out and how long until Apple budges and adopts RCS.



Facebook will begin testing end-to-end encryption as default on Messenger app | Technology

Facebook announced on Thursday it will begin testing end-to-end encryption as the default option for some users of its Messenger app on Android and iOS.

The development comes as the company is facing backlash for handing over messages to a Nebraska police department that aided the department in filing charges against a teen and her mother for allegedly conducting an illegal abortion.

Facebook Messenger users currently have to opt in to make their messages end-to-end encrypted (E2E), a mechanism under which, in principle, only the sender and recipient hold the keys needed to read a message’s content, so the provider stores only ciphertext it cannot decrypt.

But had all Facebook messages been encrypted by default back in June when Nebraska police issued a search warrant for Facebook user data of the mother investigated in the case, Facebook would not have messages to hand over to police in the first place.

Facebook spokesperson Alex Dziedzan said on Thursday that E2E encryption is a complex feature to implement and that the test is limited to a couple of hundred users for now so that the company can ensure the system is working properly.

Dziedzan also said the move was “not a response to any law enforcement requests”.

Meta, Facebook’s parent company, said it had planned to roll out the test for months. The company had previously announced plans to make E2E encryption the default in 2022 but pushed the date back to 2023.

An affidavit in support of the search warrant in the Nebraska case shows that a Norfolk police department detective asked Facebook in June for the “profile contact information, wall postings, and friend listing, with Facebook IDs” of the mother. Authorities also requested all of her photos and private messages from April to the day the warrant was issued.

The extent of the user data Facebook ended up handing over is not clear, but private messages between the women discussing how to obtain abortion pills were given to police by Facebook, according to the Lincoln Journal Star.

Experts previously told the Guardian that the main way for tech companies to avoid aiding in abortion-related prosecutions is to not store or collect the data at all.

“The only way for companies like Facebook to meaningfully protect people is for them to ensure that they do not have access to user data or communications when a law enforcement agency comes knocking,” Evan Greer, the director of the digital rights group Fight for the Future, said. “Expanding end-to-end encryption by default is a part of that, but companies like Facebook also need to stop collecting and retaining so much intimate information about us in the first place.”

The Nebraska case illustrates that some tech companies’ focus on limiting or deleting abortion-specific user data in response to privacy concerns may not be an effective strategy.

Facebook this week said that the warrant it received did not mention that the investigation was abortion-related.

Unfortunately this is as many privacy experts projected, that legal data requests are not going to come through neatly labeled as being for abortion. They’ll be for stillbirths, murder, drug trafficking, and all the other wild nonsensical charges they throw at people. https://t.co/QJk2XwYVDH

— Don’t post about crimes. (@KateRoseBee) August 10, 2022

As Kate Rose, who works on privacy and abortion access at the Digital Defense Fund, tweeted, “legal data requests are not going to come through neatly labeled as being for abortion”.




Internet goes down for millions, tech companies scramble as key encryption service expires

The expiration of a widely trusted root certificate on Thursday sent major tech companies nationwide scrambling to deal with internet outages that affected millions of online users.

Tech giants such as Amazon, Google, Microsoft and Cisco, as well as many smaller tech companies, were still battling an endless array of issues by the end of the night. The problems were caused by the scheduled expiration of a root certificate (DST Root CA X3) that many devices had relied on to verify the certificates issued by Let’s Encrypt, the largest issuer of website certificates in the world. A certificate does not itself encrypt traffic; it lets a client verify that it is talking to the right server before the encrypted connection is set up, and a client that cannot build a chain from a website’s certificate to a root it still trusts refuses the connection.

At least 2 million people have seen an error message on their phones, computers, or smart gadgets in the past 24 hours detailing some internet connectivity problems due to the certificate issue, according to Scott Helme, an internet security researcher and well-known cybersecurity expert.

“So many people have been affected, even if it’s only the inconvenience of not being able to visit certain websites or some of their apps not working,” Helme said.

“This issue has been going on for many hours, and some companies are only just getting around to fixing it, even big companies with a lot of resources. It’s clearly not going smoothly,” he added.


There was an expectation before the certificate expired, Helme said, that the problem would be limited to older devices, roughly those from before 2017, whose trust stores had never been updated to include Let’s Encrypt’s newer root and so could only validate its certificates through the expiring one. However, many users faced issues on Thursday despite having the most cutting-edge devices and software on hand.

Dozens of major tech products and services have been significantly affected by the certificate expiration, such as cloud computing services from Amazon, Google and Microsoft; IT and cloud security services from Cisco; sellers unable to log in on Shopify; games on Rocket League; and workflows on Monday.com.

This problem has flown under the radar of many major tech manufacturers, including Big Tech companies such as Apple, Google, Sony, and Microsoft — none of which have made announcements to customers about the issues, Helme told the Washington Examiner on Wednesday before the certificate expired.


He added that this is one of the first major digital certificates to expire since the advent of the internet in the 1980s, so there is no precedent for solving the problem beyond updating the software on devices and having IT teams troubleshoot for each client or customer.
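Why the same expiry broke some clients and not others comes down to certificate path building, which the article only gestures at. The added example below (not from the article, and not the code of any real TLS library) models certificates as the three fields `openssl x509 -noout -subject -issuer -enddate` prints and walks from a website’s leaf certificate to a trusted root, refusing any expired certificate and backtracking to another issuer with the same name when one path dead-ends. The chain is a simplified model of Let’s Encrypt’s cross-signed chain in autumn 2021 and the dates are approximate; `example.org` is a placeholder.

```python
"""
Added example: certificate path building against two trust stores, showing
why a root expiry breaks devices that only know the old root. Chain modelled
on the public Let's Encrypt chain of autumn 2021; dates approximate.
"""
from datetime import datetime, timezone


def cert(subject, issuer, not_after):
    """A certificate reduced to the three fields that matter for path building."""
    return {"subject": subject, "issuer": issuer,
            "not_after": datetime.fromisoformat(not_after).replace(tzinfo=timezone.utc)}


LEAF         = cert("example.org",    "R3",             "2021-12-01")  # placeholder site
INTERMEDIATE = cert("R3",             "ISRG Root X1",   "2025-09-15")
CROSS_SIGNED = cert("ISRG Root X1",   "DST Root CA X3", "2024-09-30")  # new root signed by old root
NEW_ROOT     = cert("ISRG Root X1",   "ISRG Root X1",   "2035-06-04")  # self-signed new root
OLD_ROOT     = cert("DST Root CA X3", "DST Root CA X3", "2021-09-30")  # expired 30 Sept 2021


def build_path(leaf, candidates, trust_store, now):
    """Depth-first search from the leaf to a self-signed certificate in the trust
    store. Any expired certificate ends that branch; the search then backtracks
    and tries another candidate with the same subject (the cross-sign case).
    Returns the list of subjects on the validated path, or None."""
    def walk(current, path):
        if current["not_after"] <= now:
            return None
        path = path + [current["subject"]]
        if current["subject"] in trust_store and current["subject"] == current["issuer"]:
            return path
        for cand in candidates:
            if cand["subject"] == current["issuer"] and cand["subject"] not in path:
                found = walk(cand, path)
                if found:
                    return found
        return None
    return walk(leaf, [])


def validate(now, trust_store):
    """The server sends leaf + intermediate + cross-signed root; the client adds
    whatever self-signed roots its own trust store contains."""
    server_sent = [INTERMEDIATE, CROSS_SIGNED]
    return build_path(LEAF, server_sent + list(trust_store.values()), trust_store, now)


# A device whose trust store predates distribution of the new root, and an updated one.
OLD_STORE = {OLD_ROOT["subject"]: OLD_ROOT}
NEW_STORE = {OLD_ROOT["subject"]: OLD_ROOT, NEW_ROOT["subject"]: NEW_ROOT}

BEFORE_EXPIRY = datetime(2021, 9, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2021, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("old device, before expiry:   ", validate(BEFORE_EXPIRY, OLD_STORE))
    print("old device, after expiry:    ", validate(AFTER_EXPIRY, OLD_STORE))
    print("updated device, after expiry:", validate(AFTER_EXPIRY, NEW_STORE))
```

The old device validates only through `DST Root CA X3`, so it fails the moment that root expires; the updated device reaches `ISRG Root X1` directly once the cross-signed path dead-ends. Verifiers that do not backtrack the way `walk` does, notably OpenSSL 1.0.2 and software built on it, kept following the cross-sign to the expired root even when the new root was installed, which is one reason fully patched systems were also hit; removing the expired root from the trust store, or upgrading the TLS library, was the usual fix.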


Original Author: Nihal Krishan



Apple to scan US iPhones for images of child sexual abuse

Apple unveiled plans to scan US iPhones for images of child sexual abuse, drawing applause from child protection groups but raising concern among some security researchers that the system could be misused, including by governments looking to surveil their citizens.

The tool designed to detect known images of child sexual abuse, called “neuralMatch,” will scan images before they are uploaded to iCloud. If it finds a match, the image will be reviewed by a human. If child pornography is confirmed, the user’s account will be disabled and the National Center for Missing and Exploited Children notified.

Separately, Apple plans to scan users’ encrypted messages for sexually explicit content as a child safety measure, which also alarmed privacy advocates.

The detection system will only flag images that are already in the center’s database of known child pornography. Parents snapping innocent photos of a child in the bath presumably need not worry. But researchers say the matching tool — which doesn’t “see” such images, just mathematical “fingerprints” that represent them — could be put to more nefarious purposes.

Matthew Green, a top cryptography researcher at Johns Hopkins University, warned that the system could be used to frame innocent people by sending them seemingly innocuous images designed to trigger matches for child pornography. That could fool Apple’s algorithm and alert law enforcement. “Researchers have been able to do this pretty easily,” he said of the ability to trick such systems.
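What a “mathematical fingerprint” match looks like in practice, as an added example. This is not Apple’s NeuralHash and not its code; it is a plain difference hash (dHash) over grayscale grids constructed in-line, chosen because it shows the two properties the paragraphs above turn on: the matcher holds only hashes, never the images, and matching is a nearest-neighbour test within a bit-distance threshold rather than exact equality, which is what makes such systems robust to re-encoding and also what gives them a false-match budget. The threshold of 10 bits and the database label are illustrative assumptions.

```python
"""
Added example (not Apple's NeuralHash): a perceptual difference hash, a
threshold matcher that holds only fingerprints, and the size of the match
region a threshold creates. Test images are constructed grayscale grids.
"""
from math import comb


def resize_gray(img, w, h):
    """Area-average a grayscale grid (list of rows of 0..255) down to w x h."""
    H, W = len(img), len(img[0])
    out = []
    for y in range(h):
        y0, y1 = y * H // h, max((y + 1) * H // h, y * H // h + 1)
        row = []
        for x in range(w):
            x0, x1 = x * W // w, max((x + 1) * W // w, x * W // w + 1)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img, size=8):
    """Difference hash: shrink to (size+1) x size, emit one bit per horizontal
    neighbour pair (1 if the right pixel is brighter). 64 bits for size=8.
    Only relative brightness is kept, so global brightness changes cancel out."""
    small = resize_gray(img, size + 1, size)
    bits = 0
    for row in small:
        for x in range(size):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def hamming(a, b):
    return bin(a ^ b).count("1")


def matches(candidate_hash, database, threshold=10):
    """The matcher holds only hashes, never images; it returns the label of the
    first database entry within `threshold` bits, or None."""
    for label, known in database.items():
        if hamming(candidate_hash, known) <= threshold:
            return label
    return None


def ball_size(threshold, bits=64):
    """How many distinct hashes count as a match for one database entry:
    the false-match budget a threshold implies, before any targeted crafting."""
    return sum(comb(bits, k) for k in range(threshold + 1))


# Constructed 64x64 test images. Values stay below 200 so that adding 40 does not clip.
SIZE = 64
ORIGINAL = [[(3 * x + 2 * y + (x * y) % 17) % 200 for x in range(SIZE)] for y in range(SIZE)]
BRIGHTER = [[p + 40 for p in row] for row in ORIGINAL]   # re-encoded / brightened copy
NEGATIVE = [[199 - p for p in row] for row in ORIGINAL]  # an unrelated-looking image

DATABASE = {"known-image-0001": dhash(ORIGINAL)}       # all a matcher needs to hold

if __name__ == "__main__":
    known = DATABASE["known-image-0001"]
    print("brighter copy, distance:", hamming(dhash(BRIGHTER), known), "->", matches(dhash(BRIGHTER), DATABASE))
    print("negative, distance:     ", hamming(dhash(NEGATIVE), known), "->", matches(dhash(NEGATIVE), DATABASE))
    print("hashes accepted per database entry at threshold 10:", ball_size(10))
```

The brightened copy hashes to exactly the database entry, the negative lands far away, and `ball_size(10)` shows that each database entry accepts on the order of 10^11 distinct 64-bit fingerprints. That region is the intended robustness; it is also the target an adversary aims for when crafting an innocuous-looking image, which is the concern Green raises, and it is why a human review step sits after the automated match.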

The FBI has previously complained about Apple for not breaking into the iPhones of the alleged gunman after the Naval Air Station Pensacola shooting in 2019. (Photo: AP)

Other abuses could include government surveillance of dissidents or protesters. “What happens when the Chinese government says, ‘Here is a list of files that we want you to scan for,’ ” Green asked. “Does Apple say no? I hope they say no, but their technology won’t say no.”

Tech companies including Microsoft, Google, Facebook and others have for years been sharing digital fingerprints of known child sexual abuse images. Apple has used those to scan user files stored in its iCloud service, which is not as securely encrypted as its on-device data, for child pornography.

Apple has been under government pressure for years to allow for increased surveillance of encrypted data. Coming up with the new security measures required Apple to perform a delicate balancing act between cracking down on the exploitation of children while keeping its high-profile commitment to protecting the privacy of its users.

Apple’s “neuralMatch” tool will be implemented in its iPhones, Macs and Apple Watches. (Photo: AP)

But a dejected Electronic Frontier Foundation, the online civil liberties pioneer, called Apple’s compromise on privacy protections “a shocking about-face for users who have relied on the company’s leadership in privacy and security.”

Meanwhile, the computer scientist who more than a decade ago invented PhotoDNA, the technology used by law enforcement to identify child pornography online, acknowledged the potential for abuse of Apple’s system but said it was far outweighed by the imperative of battling child sexual abuse.

“Is it possible? Of course. But is it something that I’m concerned about? No,” said Hany Farid, a researcher at the University of California at Berkeley, who argues that plenty of other programs designed to secure devices from various threats haven’t seen “this type of mission creep.” For example, WhatsApp provides users with end-to-end encryption to protect their privacy, but also employs a system for detecting malware and warning users not to click on harmful links.

The Electronic Frontier Foundation fears Apple’s iCloud detection tool will compromise users’ “privacy and security.” (Photo: The Washington Post via Getty Images)

Apple was one of the first major companies to embrace “end-to-end” encryption, in which messages are scrambled so that only their senders and recipients can read them. Law enforcement, however, has long pressured the company for access to that information in order to investigate crimes such as terrorism or child sexual exploitation.

Apple said the latest changes will roll out this year as part of updates to its operating software for iPhones, Macs and Apple Watches.

“Apple’s expanded protection for children is a game changer,” John Clark, the president and CEO of the National Center for Missing and Exploited Children, said in a statement. “With so many people using Apple products, these new safety measures have lifesaving potential for children.”

Digital forensics expert Hany Farid argues Apple’s “neuralMatch” tool will do more to detect child abusers than invade users’ privacy. (Photo: AP)

Julie Cordua, the CEO of Thorn, said that Apple’s technology balances “the need for privacy with digital safety for children.” Thorn, a nonprofit founded by Demi Moore and Ashton Kutcher, uses technology to help protect children from sexual abuse by identifying victims and working with tech platforms.

But in a blistering critique, the Washington-based nonprofit Center for Democracy and Technology called on Apple to abandon the changes, which it said effectively destroy the company’s guarantee of “end-to-end encryption.” Scanning of messages for sexually explicit content on phones or computers effectively breaks the security, it said.

The organization also questioned Apple’s technology for differentiating between dangerous content and something as tame as art or a meme. Such technologies are notoriously error-prone, CDT said in an emailed statement. Apple denies that the changes amount to a backdoor that degrades its encryption. It says they are carefully considered innovations that do not disturb user privacy but rather strongly protect it.

Julie Cordua, the CEO of Thorn, praised Apple’s “neuralMatch” tool as a means of preserving “digital safety for children.” (Photo: Getty Images/iStockphoto)

Separately, Apple said its messaging app will use on-device machine learning to identify and blur sexually explicit photos on children’s phones and can also warn the parents of younger children via text message. It also said that its software would “intervene” when users try to search for topics related to child sexual abuse.

In order to receive the warnings about sexually explicit images on their children’s devices, parents will have to enroll their child’s phone. Kids over 13 can unenroll, meaning parents of teenagers won’t get notifications.

Apple said neither feature would compromise the security of private communications or notify police.
