
Apple Plans New Encryption System to Ward Off Hackers and Protect iCloud Data

Apple Inc. is planning to significantly expand its data-encryption practices, a step that is likely to create tensions with law enforcement and governments around the world as the company continues to build new privacy protections for millions of iPhone users.

The expanded end-to-end encryption system, an optional feature called Advanced Data Protection, would keep most data secure that is stored in iCloud, an Apple service used by many of its users to store photos, back up their iPhones or save specific device data such as Notes and Messages. The data would be protected in the event that Apple is hacked, and it also wouldn’t be accessible to law enforcement, even with a warrant.

While Apple has drawn attention in the past for being unable to help agencies such as the Federal Bureau of Investigation access data on its encrypted iPhones, it has been able to provide much of the data stored in iCloud backups upon a valid legal request. Last year, it responded to thousands of such requests in the U.S., according to the company. 

With these new security enhancements, Apple would no longer have the technical ability to comply with certain law-enforcement requests such as for iCloud backups—which could include iMessage chat logs and attachments and have been used in many investigations.

Apple has added additional methods to help users recover their end-to-end encrypted data. (Photo: Apple)

The company said the security enhancements, which were announced Wednesday, are designed to protect Apple customers from the most sophisticated attackers.

“As customers have put more and more of their personal information of their lives into their devices, these have become more and more the subject of attacks by advanced actors,” said Craig Federighi, Apple’s senior vice president of software engineering, in an interview. Some of these actors are going to great lengths to get their hands on the private information of people they have targeted, he said.

The FBI said it was “deeply concerned with the threat end-to-end and user-only-access encryption pose,” according to a statement provided by an agency spokeswoman. “This hinders our ability to protect the American people from criminal acts ranging from cyberattacks and violence against children to drug trafficking, organized crime and terrorism,” the statement said. The FBI and law enforcement agencies need “lawful access by design,” it said.

A spokesman for the Justice Department declined to comment.

Former Western law-enforcement and intelligence officials said they were surprised by Apple’s decision in part because the company had refrained in the past from rolling out such encryption settings for iCloud. The officials said Apple would sometimes point authorities to the iCloud as a possible means of collecting information that could be useful for criminal investigations.

Ciaran Martin, former chief of the U.K.’s National Cyber Security Centre, said the announcement by Apple could pose legal complications for the company in multiple democracies that in recent years have adopted or weighed restrictions on technology that can’t be responsive to law-enforcement demands.

“Things will only be clearer when further technical details are given,” Mr. Martin said. “But on the face of it, existing legislation in Australia and looming legislation in the U.K. would seem to give those governments the power to tell Apple in those countries effectively not to do this.”

Last year, Apple proposed software that would scan for child sexual-abuse material on the iPhone itself. Apple now says it has stopped development of the system, following criticism from privacy and security researchers who worried that the software could be misused by governments or hackers to gain access to sensitive information on the phone.


Mr. Federighi said Apple’s focus related to protecting children has been on areas such as communication and giving parents tools to protect children in iMessage. “Child sexual abuse can be headed off before it occurs,” he said. “That’s where we’re putting our energy going forward.”

Apple released a feature in December 2021 called “Communication Safety” in Messages, which offers tools for parents that warn their children when they have received or attempt to send photos that contain nudity. The option is part of Apple’s “Screen Time” parental-controls software.

The new encryption system, to be tested by early users starting Wednesday, will roll out as an option in the U.S. by year’s end, and then worldwide including China in 2023, Mr. Federighi said.

“This development will prompt questions at home and abroad, including whether the government of China will really accept a loss of data access,” said Sumon Dantiki, a former senior FBI and Justice Department official who worked on cyber investigations and is now a partner at the King & Spalding law firm. U.S. officials have long pointed to China’s increasingly strict demands for access to data on companies that operate within its borders as a national-security concern.

In addition to Advanced Data Protection, Apple is also modifying its Messages app to make it harder for messages to be snooped on, and it will now allow users to log in to their Apple accounts with hardware-based security keys made by other companies such as Yubico.

Privacy groups have long called on Apple to strengthen encryption on its cloud servers. But because the Advanced Protection encryption keys will be controlled by users, the system will restrict Apple’s ability to restore lost data. 


To set up Advanced Data Protection, users will have to enable at least one data-recovery method. This could be a recovery key—a long list of numbers and characters that users could print out and store in a secure location—or the user could assign a friend or family member as a recovery contact.  

Over the past two decades, businesses and consumers have moved much of their data off computer systems that they control and onto the cloud—data centers filled with servers that are operated by large technology companies. That trend has made these cloud systems an attractive target for cyber intruders. 

Mr. Federighi said that Apple isn’t aware of any customer data being taken from iCloud by hackers but that the Advanced Protection system will make things harder for them. “All of us in the industry who manage customer data are under constant attack by entities that are attempting to breach our systems,” he said. “We have to stay ahead of future attacks with new protections.”

As Apple has locked down its systems, governments worldwide have become increasingly interested in the data stored on phones and cloud computers. That interest has led to friction between Apple and law-enforcement agencies, along with a growing market for iPhone hacking tools. In 2020, Attorney General William Barr pressured Apple for a way to crack the iPhone’s encryption to help with a terror investigation into a shooting that killed three people at a Florida Navy base.

Advanced Protection will reduce the amount of iCloud information that Apple can provide to law-enforcement agencies, who frequently request iPhone data from Apple as part of their investigations. Apple received requests for information on 7,122 Apple accounts from U.S. authorities in the first six months of 2021, the last period for which the company has provided information.

Apple had already offered end-to-end encryption for some of its services, but the protection will now extend to 23 services, including iPhone backups and Photos. However, three services—Mail, Contacts and Calendar—won’t qualify for Advanced Protection because they use older technology protocols, Mr. Federighi said.

Mr. Federighi said Apple believes it shares the same mission as law enforcement and governments: keeping people safe. If sensitive information were to get in the hands of an attacker, a foreign adversary or some other bad actor, it could be disastrous, he said. 

“We’re giving users the option to keep that key only on their devices, which means that even if an attacker were to successfully breach the cloud and access all that data, it would be nonsense to them,” Mr. Federighi said. “They’d lack the key to decrypt it.”
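The design Mr. Federighi describes, together with the recovery-key requirement noted above, can be made concrete. The following is an added example, not Apple’s code and not a description of iCloud’s actual cryptography: it models a device that generates its own data key, wraps that key under a user-held recovery key, and sends only ciphertext to the cloud, so that a breach of the storage tier yields nothing readable while a user holding the printed recovery key can still restore the data on a new device. The recovery-key format, the PBKDF2 salt, the class names and the HMAC-based cipher are all assumptions chosen so the example runs on the Python standard library alone; a real deployment would use a standard AEAD such as AES-GCM and a hardware-backed key store.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Optional

# Assumed layout for a printed recovery key: seven groups of four characters
# from an alphabet without easily confused glyphs. Apple's real format is not
# described on the page; this is an illustration only.
_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def new_recovery_key() -> str:
    """Generate a user-held recovery key the user is expected to print and store."""
    return "-".join(
        "".join(secrets.choice(_ALPHABET) for _ in range(4)) for _ in range(7)
    )


def key_from_recovery(recovery_key: str) -> bytes:
    """Stretch the printed string into a 256-bit wrapping key (salt assumed)."""
    return hashlib.pbkdf2_hmac(
        "sha256", recovery_key.encode(), b"recovery-key-wrap", 100_000
    )


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream from HMAC-SHA256; stands in for AES-CTR here."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = os.urandom(16)
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampering raises ValueError."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hashlib.sha256(b"enc|" + key).digest()
    mac_key = hashlib.sha256(b"mac|" + key).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class Cloud:
    """Everything the provider holds: ciphertext and a wrapped key, no key material."""

    def __init__(self) -> None:
        self.wrapped_data_key: Optional[bytes] = None
        self.blobs: List[bytes] = []


class Device:
    """Generates the data key locally; only wrapped or encrypted bytes leave it."""

    def __init__(self) -> None:
        self.data_key = os.urandom(32)  # never uploaded in the clear

    def enroll(self, cloud: Cloud, recovery_key: str) -> None:
        # The wrapped key is useless to the provider without the printed key.
        cloud.wrapped_data_key = seal(key_from_recovery(recovery_key), self.data_key)

    def upload(self, cloud: Cloud, record: bytes) -> None:
        cloud.blobs.append(seal(self.data_key, record))


def recover_on_new_device(cloud: Cloud, recovery_key: str) -> List[bytes]:
    """The path a user takes after losing every device: unwrap, then decrypt."""
    if cloud.wrapped_data_key is None:
        raise ValueError("no recovery method enrolled")
    data_key = unseal(key_from_recovery(recovery_key), cloud.wrapped_data_key)
    return [unseal(data_key, blob) for blob in cloud.blobs]


def provider_sees_plaintext(cloud: Cloud, needle: bytes) -> bool:
    """Simulated breach of the storage tier: grep every byte the provider holds."""
    stored = (cloud.wrapped_data_key or b"") + b"".join(cloud.blobs)
    return needle in stored
```

The point of the layout is that restoring data requires two things the provider never has: the user’s recovery key and, through it, the wrapped data key. It also shows the cost Apple alludes to: if the user loses both the devices and the recovery key, `recover_on_new_device` fails authentication and there is no provider-side path to the data.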

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.

Twitter Exodus Hits Teams Tasked With Regulatory, Content Issues Globally

Elon Musk’s move to purge Twitter Inc. employees who don’t embrace his vision has led to a wave of departures among policy and safety-issue staffers around the globe, sparking questions from regulators in key jurisdictions about the site’s continued compliance efforts.

Scrutiny has been particularly close in Europe, where officials have in recent years assumed a greater role in regulating big tech companies.

Staff departures in recent days include dozens of people spread across units such as government policy, legal affairs and Twitter’s “trust and safety” division, which is responsible for functions like drafting content-moderation rules, according to current and former employees, postings on social media and emails sent to work addresses of people who had worked at Twitter that recently bounced back. They have left from hubs including Dublin, Singapore and San Francisco.

Many of the departures follow Mr. Musk’s ultimatum late last week that staffers pledge to work long hours and be “extremely hardcore” or take a buyout. Hundreds or more employees declined to commit to what Mr. Musk has called Twitter 2.0 and were locked out of company systems. That comes after layoffs in early November that cut roughly half of the company’s staff.

Twitter conducted another round of job cuts affecting engineers late Wednesday, before the Thanksgiving holiday in the U.S., people familiar with the matter said. The exact scope couldn’t be immediately learned, though some of the people estimated dozens of employees were let go.

Twitter sent fired engineers an email saying their code wasn’t satisfactory and offering four weeks of severance, some of the people said. Some other engineers received an email warning them to improve their performance to keep their jobs, the people said.

Ireland’s Data Protection Commission said this week it was asking Twitter whether it still had sufficient staff to assure compliance with the European Union’s privacy law, the General Data Protection Regulation, or GDPR. The company last week told the Irish data regulator that it did, but is still reviewing the impact of the staff departures, a spokesman for the Irish regulator said.

He said Twitter has appointed an interim chief data protection officer, an obligation under the GDPR, after the departure of Damien Kieran, who had served in the role but left shortly after the first round of layoffs.

In France, meanwhile, the country’s communications regulator said it sent a letter last Friday asking that Twitter explain by this week whether it has sufficient personnel on staff to moderate hate speech deemed illegal under French law—under which Twitter could face legal orders and fines.


The staff departures come as Twitter holds talks with the EU about the bloc’s new social-media law, dubbed the Digital Services Act, which will apply tougher rules on bigger platforms like Twitter by the middle of next year.

Didier Reynders, the EU’s justice commissioner, is slated to attend a previously scheduled meeting with Twitter executives in Ireland on Thursday. He plans to ask about the company’s ability to comply with the law and to meet its commitments on data protection and tackling online hate speech, according to an EU official familiar with the trip.

Věra Jourová, a vice president of the EU’s executive arm, said she was concerned about reports of the firing of vast amounts of Twitter staff in Europe. “European laws continue to apply to Twitter, regardless of who is the owner,” she said.

Mr. Musk has said that he would follow the laws of the countries where Twitter operates and that it “cannot become a free-for-all hellscape.”

Twitter didn’t respond to a request for comment.

Late Wednesday, Mr. Musk tweeted that the number of views of tweets he described as “hate speech” had fallen below levels seen before a spike in such views in late October.
“Congrats to the Twitter team!” Mr. Musk wrote. 

Some of the people who either departed or declined to sign on to Twitter 2.0 appear to include Sinead McSweeney, the company’s Ireland-based vice president of global policy and philanthropy, who led government relations and compliance initiatives with regulations worldwide, as well as the two remaining staffers in Twitter’s Brussels office.

Ms. McSweeney and the two Brussels employees declined to comment, but emails to their work addresses started bouncing back undeliverable in recent days according to checks by The Wall Street Journal. Four other Brussels-based employees were earlier this month told they were being laid off, according to social-media posts and people familiar with the matter.

Twenty Air Street, London, the home of Twitter’s U.K. office. (Photo: Dan Kitwood/Getty Images)

Damien Viel, Twitter’s country manager for France, was also among a wave of staffers who posted publicly this week that they had left the company. He declined to comment when reached by the Journal.

At least some of the departures occurred in teams that reported to Yoel Roth, Twitter’s former head of trust and safety, who resigned earlier this month. In an op-ed for the New York Times, Mr. Roth said he resigned because Mr. Musk made it clear that he alone would make decisions on policy and the platform’s rules and that he had little use for those at the company who were advising him on those issues.

The team included Ilana Rosenzweig, who worked as Twitter’s senior director and head of international trust and safety. She has left the company, according to her LinkedIn profile. Based in Singapore, Ms. Rosenzweig led Twitter’s trust and safety teams across Europe, the Middle East and Africa, along with Japan and other Asia-Pacific countries, according to her profile.

“I decided not to agree to Twitter 2.0,” Keith Yet, a Twitter trust and safety worker based in Singapore, wrote on LinkedIn on Monday. Mr. Yet worked on child sexual exploitation issues and handling legal escalations from Japan and other countries, according to his LinkedIn profile. Attempts to reach Ms. Rosenzweig and Mr. Yet were unsuccessful.

The departures come amid a wave of new tech regulation, particularly in Europe. The Digital Services Act will, by the middle of next year, require tech companies like Twitter with more than 45 million users in the EU to maintain robust systems for removing content that European national governments deem to be illegal.


The act also requires these companies to reduce risks associated with content that regulators consider harmful or hateful. It mandates regular outside audits of the companies’ processes and threatens noncompliance fines of up to 6% of a company’s annual revenue.

Political leaders had warned that Mr. Musk’s Twitter would have to comply with EU rules. “In Europe, the bird will fly by our rules,” tweeted the EU’s commissioner for the internal market, Thierry Breton, hours after Mr. Musk completed his Twitter deal in late October and tweeted, “the bird is free.”

A spokesman for the European Commission, the EU’s executive arm, said this week that it had active contacts with the company regarding the regulation and tackling disinformation and illegal hate speech, but declined to comment on the substance of Twitter’s compliance plans.

Activists and researchers are also concerned that the departures could undermine Twitter’s ability to block state-backed information operations aimed at spreading propaganda and harassing adversaries. The wave of departures “raises questions about how Twitter will moderate tweets and comments in a professional and neutral manner,” said Patrick Poon, an activist turned scholar at Japan’s Meiji University, who analyzes free speech.

—Liza Lin, Alexa Corse and Sarah E. Needleman contributed to this article.

Write to Sam Schechner at Sam.Schechner@wsj.com, Kim Mackrael at kim.mackrael@wsj.com and Newley Purnell at newley.purnell@wsj.com


Twitter’s Ex-Security Head Files Whistleblower Complaint on Spam, Privacy Issues

Twitter Inc.’s former head of security filed a whistleblower complaint against the company, accusing it of failing to protect sensitive user data and lying about its security problems, just weeks ahead of the social-networking platform’s courtroom battle with Elon Musk.

Peiter Zatko, who was fired as Twitter’s head of security earlier this year, submitted the complaint last month to the Securities and Exchange Commission, according to a representative of Whistleblower Aid, an organization that helped file the claims. His submission says that he “uncovered extreme, egregious deficiencies by Twitter in every area of his mandate,” including privacy, digital and physical security, platform integrity and content moderation.

Among Mr. Zatko’s claims are that Twitter executives, including Chief Executive Parag Agrawal, deliberately undercounted the prevalence of spam on the platform. Those claims could further complicate Twitter’s battle with Mr. Musk, whom the company sued in July to enforce a $44 billion takeover deal. Mr. Musk has alleged Twitter misrepresented its business, particularly as it relates to the level of spam or bot accounts—claims Twitter denies.

A five-day nonjury trial is slated to begin in October.

The existence of the whistleblower complaint was earlier reported by the Washington Post and CNN.

A Twitter spokeswoman said Mr. Zatko was fired “for ineffective leadership and poor performance” and that the complaint “is riddled with inconsistencies and inaccuracies and lacks important context.”

A lawyer for Mr. Musk said: “We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”

Twitter shares were down roughly 5% in Tuesday intraday trading.

Mr. Zatko, a former hacker who is known as “Mudge,” has been a noted computer-security researcher for decades. He was a member of a Boston cybersecurity collective that came to prominence in 1998 when it offered warnings about the state of national cybersecurity in testimony to the U.S. Senate. During one Senate hearing, the group told lawmakers they could take down the internet in 30 minutes.

He was hired by Twitter in late 2020 after a career that included other corporate roles.

Whistleblower Aid’s founder John Tye said Mr. Zatko first approached the nonprofit in early March through the encrypted messaging app Signal. Mr. Tye said Mr. Zatko has never met or spoken with Mr. Musk and that Mr. Musk’s team hasn’t been in contact with the nonprofit about Mr. Zatko’s complaint.

“He sees this whistleblowing as sort of the last resort,” Mr. Tye said of Mr. Zatko. “He obviously worked hard inside the company, used the internal channels and ultimately has ended up as a whistleblower.”

Mr. Zatko was brought into Twitter by co-founder Jack Dorsey after a high-profile hack by a teenager who bypassed the company’s security systems. Mr. Dorsey “specifically recruited Mudge for his reputation of speaking truth to power,” according to the complaint.

Mr. Dorsey, however, was only a sporadic presence at the company, and the new hire—who had hundreds of staff reporting to him—was quickly overwhelmed by the task at hand, according to the complaint. At one point, Mr. Agrawal told his team, “Twitter has 10 years of unpaid security bills,” per the complaint.

The relationship between Mr. Zatko and Twitter’s leadership deteriorated over the subsequent months, according to both parties. Mr. Zatko helped oversee a critical report on Twitter’s ability to fight misinformation and spam, which other executives watered down, according to the complaint, which said Mr. Zatko was told by a Twitter lawyer that the changes were intended to hide the findings and prevent them from leaking internally or externally.

The complaint also expresses concerns about Twitter’s ties to foreign governments and says the company may have foreign spies on its payroll. It states that Mr. Zatko believed that the Indian government had forced the company to knowingly hire at least one employee who had access to “vast amounts of Twitter sensitive data.” India’s Washington embassy didn’t immediately respond to a request for comment.

Earlier this month, a former Twitter employee was found guilty by a U.S. jury of spying for Saudi Arabia by passing on private user information associated with critics of the kingdom in exchange for hundreds of thousands of dollars while he worked at the company from 2013 to 2015.

Much of the complaint, though, deals with fake or spam accounts, a topic that Mr. Musk drew attention to in his takeover bid for Twitter.

Like the Tesla Inc. CEO, Mr. Zatko alleges that Twitter miscounts such users by focusing only on what are known as monetizable daily active users, or mDAU, rather than all daily users. The former category counts only those accounts that are thought to view advertising.

“There are many millions of active accounts that are not considered ‘mDAU,’ either because they are spam bots, or because Twitter does not believe it can monetize them,” Mr. Zatko’s complaint says. “These millions of non-mDAU accounts are part of the median user’s experience on the platform.”

Twitter has said it has a system for measuring users and spam that entails multiple human reviews of thousands of accounts sampled at random over time.

Mr. Zatko’s complaint said he attempted to formally notify Twitter’s board of his concerns but was steered off by Mr. Agrawal.

In a memo to employees Tuesday about the whistleblower complaint, Mr. Agrawal said: “I know this is frustrating and confusing to read, given Mudge was accountable for many aspects of this work that he is now inaccurately portraying more than six months after his termination.” Mr. Agrawal defended Twitter’s work on privacy and security, while adding that the attention the complaint has brought to the company will make its work harder. “We will pursue all paths to defend our integrity as a company and set the record straight,” he said.

Twitter in 2011 reached an agreement with the Federal Trade Commission to maintain rigorous security, including limiting the number of employees with access to its key security and privacy controls. Mr. Zatko alleges that the company is in violation of that accord. The FTC didn’t respond to a request for comment.

Copies of the complaint were sent to the Senate Judiciary and Intelligence committees, aides of each panel said.

Democrats and Republicans have raised concerns about Twitter and other social-media companies in recent years over how they use and protect customer data, and have considered legislation that could require firms to adhere to certain data transparency or security standards. “If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” Sen. Dick Durbin (D., Ill.), chairman of the Judiciary Committee, said in a statement.

Corrections & Amplifications
Parag Agrawal is the CEO of Twitter. An earlier version of this article incorrectly spelled his last name as Agarwal. (Corrected on Aug. 23)

Write to Sarah E. Needleman at sarah.needleman@wsj.com


Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, including a zero-day vulnerability that’s under active attack in the wild.

Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one of which plugs another zero-day flaw that Google disclosed as being actively exploited in real-world attacks.

Top of the list of this month’s updates is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be abused by an attacker to gain SYSTEM permissions.

“With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools,” Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. “With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly.”

Very little is known about the nature and scale of the attacks other than an “Exploitation Detected” assessment from Microsoft. The company’s Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the flaw.

Besides CVE-2022-22047, two more elevation of privilege flaws have been fixed in the same component — CVE-2022-22026 (CVSS score: 8.8) and CVE-2022-22049 (CVSS score: 7.8) — that were reported by Google Project Zero researcher Sergei Glazunov.

“A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM,” Microsoft said in an advisory for CVE-2022-22026.

“Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”

Also remediated by Microsoft are a number of remote code execution bugs in Windows Network File System (CVE-2022-22029 and CVE-2022-22039), Windows Graphics (CVE-2022-30221), Remote Procedure Call Runtime (CVE-2022-22038), and Windows Shell (CVE-2022-30222).

The update further stands out for patching as many as 32 issues in the Azure Site Recovery business continuity service. Two of these flaws are related to remote code execution and the remaining 30 concern privilege escalation.

“Successful exploitation […] requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server,” the company said, adding the flaws do not “allow disclosure of any confidential information, but could allow an attacker to modify data that could result in the service being unavailable.”

On top of that, Microsoft’s July update also contains fixes for four privilege escalation vulnerabilities in the Windows Print Spooler module (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226) after a brief respite in June 2022, underscoring what appears to be a never-ending stream of flaws plaguing the technology.

Rounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service (CVE-2022-30216) and Microsoft Defender for Endpoint (CVE-2022-33637) and three denial-of-service (DoS) flaws in Internet Information Services (CVE-2022-22025 and CVE-2022-22040) and Security Account Manager (CVE-2022-30208).

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —
