Feedback & Followups
Listener Thomas Cooper Question — Is TikTok a National Security Threat?
TL;DR — nope
We got some listener feedback asking about the US’s proposed ban on TikTok on national security grounds.
This is very much an opinion piece by Bart — there aren’t enough hard facts for this to be anything else.
The argument for the ban is that TikTok is a Chinese company, so, in theory, the Chinese government could order them to hand over data to them. The argument isn’t that this is happening, but that this could happen. There’s no way to disprove that, but that doesn’t make it a good argument. As Bertrand Russell famously said, “I can’t prove there isn’t a Tea Pot in orbit around Mars, but that doesn’t mean there is!”
The way I think of TikTok is as a Chinese wanna-be Facebook. The data they can collect is similar, but since they’re not as all-pervasive, they’ll be less effective at data hoovering than Facebook is.
To be clear, there is zero evidence TikTok share anything with the Chinese Government, but for the sake of argument, let’s pretend they share everything. What would that mean?
With the exception of a few edge cases like political leaders, it would pose no direct danger. If I were the President of America on a secret mission to visit the troops in a war zone I’d be darn careful not to use any social media, because giving away my location could be very dangerous indeed!
Leaving aside the edge cases, all that’s left is soft power, specifically:
- Intelligence gathering — what do typical Americans do? What views are common? What does the average American like?
- Censorship — TikTok could be (and probably has been) ordered to block content referencing things the Chinese government find objectionable, like their persecution of the Uyghurs or the Tiananmen Square massacre
- Propaganda — the algorithms could be tweaked to push content the Chinese government do like.
I can’t see a substantial difference between a European using Facebook, and an American using TikTok. We know the American government has secret courts it uses to force companies to hand over data to the government, and we suspect the Chinese government do too.
So, is TikTok a problem? IMO, yes, but no more or less so than Facebook!
Followups
- COVID Update
- Apple & Google are banning the location data collection API X-Mode which was one of the focuses of an article recently linked to under Interesting Insights — www.imore.com/…
- The original article: How the U.S. Military Buys Location Data from Ordinary Apps — www.vice.com/…
- Wavlink have released a firmware update for the Jetstream routers sold by Walmart which they claim removes the back door we reported on previously. The claim has not been independently verified yet (Editorial by Bart: if I owned one of these routers I would still not trust it, and still throw it in the bin) — www.macobserver.com/…
- More Social Media Service Improvements:
- 🇺🇸 Twitter has updated its warning labels on false election claims to say ‘Election officials have certified Joe Biden as the winner of the U.S. Presidential election’ — twitter.com/…
- Private Messenger ‘Signal’ Adds Encrypted Group Video Calls — www.macobserver.com/…
- WhatsApp bringing video and audio calls to desktop and web client — www.imore.com/…
- 🎄Zoom is offering unlimited video calling this Christmas — www.imore.com/…
- Apple have rolled out so-called privacy nutrition labels in their app stores as promised. Apple also took the opportunity to improve their privacy page — www.imore.com/…
- Understanding Apple’s New App Privacy Information — www.intego.com/…
- WhatsApp immediately complained that because Apple’s Messages app is pre-installed it doesn’t show in the App Store, so it has no labels. Apple have promised to add labels for their standard apps to their website — www.imore.com/… & www.imore.com/…
- Facebook, Facebook Messenger top iOS 14 tracking charts — www.imore.com/… & Apple’s new privacy feature reveals astonishing cost of using Facebook — www.imore.com/…
- Apple’s Craig Federighi says it wants others to copy its App Store privacy labels — www.imore.com/…
Deep Dive(s)
🇺🇸 Deep Dive 1 — The SolarWinds Attack on the US Government
On the 17th of December, the US Cybersecurity & Infrastructure Security Agency (CISA) released an alert detailing a long-running attack by an advanced persistent threat (APT) against US ‘government agencies, critical infrastructure, and private sector organizations’. At least as far back as March 2020, an APT (generally a euphemism for state-sponsored hackers) has been successfully infiltrating the US government and other targets. We can’t know for certain, but the consensus in the security community seems to be pointing the finger at Russia.
A big part of this attack has been the successful injection of malware into the third-party network monitoring and management platform Orion sold by US software company SolarWinds and widely used in large organisations. The attackers infiltrated SolarWinds so deeply that they were able to get their malicious code incorporated into the software distributed through SolarWinds’ standard software update processes. This is what is referred to as a supply chain attack. This is difficult to pull off, but very powerful, because it turns ‘stay patched to stay secure’ into ‘stay patched to get hacked’!
The reason this activity went unnoticed until now is that the APT used the new powers at their disposal very judiciously. This kind of access is extremely valuable, so you want to focus on the highest-value targets before your cover is blown, and to do as little obvious damage as possible so you stay off everyone’s radar for as long as possible. So, while all fully patched users of Orion had a hypothetical back door into their systems, most of those back doors were never opened.
The most recent update from the CISA suggests this attack involved other vectors of exploitation, i.e. other lines of attack, not just Orion, and, it may have been going on from before March. The details are still very hazy, and CISA have promised more updates as they learn more.
CISA issued only its 5th ever emergency order on the 17th, ordering all US government agencies to power down their Orion appliances ASAP, and to start examining their networks for evidence of infiltration by checking their logs for a list of specific Indicators of Compromise, or IOCs.
Because of how this attack worked, simply patching Orion doesn’t solve the problem at all. Orion was just a proverbial beach-head, giving the attackers a powerful entry point into a network from where they can burrow in properly.
Just as an AV on your desktop computer has to be given highly privileged access within your OS to do its job, a system like Orion needs very highly privileged access to the network, and to key Windows servers, to do its job. One of the things the attackers did was to leverage the level of access Orion had to steal the private keys for vitally important security protocols, and use those to forge valid but unauthorised digital access tokens. These tokens could be used to directly access data like files, account details, or email messages via APIs, to reset passwords on key system accounts, or to create entirely new privileged accounts. In some cases the attackers even added entirely new federated identity providers to the network, tricking all servers on the network into trusting accounts issued by a server controlled by the attackers!
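As an added illustration (not from the show, CISA, or any vendor), here is how a defender might look for the forged-token and rogue-identity-provider activity described above: the tokens a cloud tenant accepted are reconciled against the legitimate federation server’s own issuance log and against a baseline of trusted issuers, and any token with no issuance record, an unknown issuer, or a lifetime beyond policy is flagged. The record format, issuer URLs, user names and the one-hour lifetime policy are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy and baseline (constructed for this example).
MAX_LIFETIME = timedelta(hours=1)
TRUSTED_ISSUERS = {"https://sts.example.org/adfs"}

# Constructed: tokens the legitimate federation server's own log says it issued.
ISSUED = [
    {"token_id": "t-1001", "issuer": "https://sts.example.org/adfs",
     "user": "alice", "not_before": "2020-12-14T09:00:00",
     "not_after": "2020-12-14T10:00:00"},
    {"token_id": "t-1002", "issuer": "https://sts.example.org/adfs",
     "user": "bob", "not_before": "2020-12-14T09:05:00",
     "not_after": "2020-12-14T10:05:00"},
]

# Constructed: tokens the cloud tenant's sign-in log says it accepted.
ACCEPTED = ISSUED + [
    # Signed with a stolen key: looks valid, but the federation server
    # never logged it and its validity window is far longer than policy.
    {"token_id": "t-2001", "issuer": "https://sts.example.org/adfs",
     "user": "admin", "not_before": "2020-12-14T09:10:00",
     "not_after": "2021-12-14T09:10:00"},
    # Issued by a federation trust that is not in the defender's baseline.
    {"token_id": "t-3001", "issuer": "https://login.attacker.example",
     "user": "svc-backup", "not_before": "2020-12-14T09:20:00",
     "not_after": "2020-12-14T10:00:00"},
]


def audit_tokens(issued, accepted, trusted=TRUSTED_ISSUERS,
                 max_lifetime=MAX_LIFETIME):
    """Return (token_id, user, reasons) for every accepted token that is
    not explained by the legitimate issuer's records."""
    issued_ids = {rec["token_id"] for rec in issued}
    findings = []
    for tok in accepted:
        reasons = []
        if tok["issuer"] not in trusted:
            reasons.append("untrusted-issuer")
        if tok["token_id"] not in issued_ids:
            reasons.append("no-issuance-record")
        lifetime = (datetime.fromisoformat(tok["not_after"])
                    - datetime.fromisoformat(tok["not_before"]))
        if lifetime > max_lifetime:
            reasons.append("lifetime-exceeds-policy")
        if reasons:
            findings.append((tok["token_id"], tok["user"], reasons))
    return findings
```

In practice the two inputs would be exports of the federation server’s issuance events and the cloud tenant’s sign-in log, and the trusted-issuer set would be the list of federation trusts the organisation actually configured.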
Listener Lynda asked if the Orion vulnerability affected Windows or Macs, or if it was just servers. That’s not really a relevant question when it comes to this kind of attack. This is not like a malicious version of Word or something; this is a compromise of a domain-level service that does, in a very literal sense, run on specific Windows servers, but it effectively infects the entire Windows domain.
Once your network is compromised as deeply as the victims of this attack have been compromised, it’s an absolutely Herculean task to get the attackers out completely. Like treating a cancer that’s spread throughout the body, if you miss just one device in a corner somewhere, the attackers can lay dormant for weeks, months, or even years, before slowly and carefully starting to infest your network again. The list of required actions in the various CISA documents is sobering — if you know anyone working in US government IT, buy them a coffee, they’ll need it!
A smaller part of this story is that the security company FireEye was also attacked by this APT, and some of their internal red team hacking tools were stolen. To protect the community FireEye have open-sourced the tools and released advice for detecting their use, neutering their effectiveness. FireEye were also keen to point out that none of the stolen tools exploit any currently unpatched vulnerabilities.
Another smaller detail is that in some cases the attackers were able to spread beyond the victim’s local Windows domain, and up into the victim’s Office365 tenancy too. There were some initial reports that Microsoft’s own servers were compromised, but that doesn’t seem to be correct, and Microsoft are insistent that they have not been compromised.
The bottom line is that this is going to take a very long time indeed to deal with, and, that we’ve only discovered the tip of the iceberg in terms of the damage done. Over the coming days and weeks expect to hear news reports that the attacks started earlier, affected more systems in more organisations, and did more damage than we currently know.
Links
- Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations — us-cert.cisa.gov/…
- Emergency Directive 21-01 — cyber.dhs.gov/…
- U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise — krebsonsecurity.com/…
- SolarWinds Hack Could Affect 18K Customers — krebsonsecurity.com/…
- FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community — www.fireeye.com/…
- Important steps for customers to protect themselves from recent nation-state cyberattacks — blogs.microsoft.com/…
Deep Dive 2 — Facebook’s PR Campaign Against Apple’s Upcoming Tracking Transparency Feature
As a reminder, at WWDC this summer Apple announced that it would be adding a feature to iOS to make access to a device’s tracking ID for advertisers opt-in instead of opt-out. Apps could still use the ID to facilitate cross-app tracking, but only with explicit consent from the user.
This new level of transparency is deeply worrying to Facebook because their business model depends on clandestine tracking. Facebook know users would find the level of tracking they do creepy if they knew about it, and Apple’s change will ensure people will know, and, will have a chance to opt-out.
Facebook are painting this forced honesty as a ban on tracking, which is interesting. It shows they know what they are doing now would not be sustainable if people knew about it.
To that end Facebook ran two full-page newspaper ads in the US arguing that Apple’s move to shine a light on tracking amounts to an attack on small businesses and that Facebook are the good guys, standing up for all those little guys. They also argue that because of COVID Apple should not go ahead with their change.
Apple replied with a simple message pointing out that they’re not blocking anything, and simply giving users information and choices, and showing a sample dialogue box.
While the flash-point for this campaign is the pending release of the app tracking transparency feature in iOS, Facebook and indeed the entire ad industry are still reeling from the improved tracking protections Apple has been adding to Safari over the past few years.
In related news, US publishers also signed on to Epic’s Coalition for App Fairness, again, over fears of tracking-based ad revenue going away.
Links
- Facebook slams Apple’s new privacy measures in full-page newspaper ads — www.imore.com/…
- Facebook says Apple’s anti-tracking measures about ‘profit, not privacy’ — www.imore.com/…
- Facebook Warns of iOS 14 Privacy With App Banners — www.macobserver.com/…
- Facebook alerts businesses how Apple’s privacy protections will affect ads — www.imore.com/…
- Apple responds to Facebook’s attack ad, says users deserve privacy choices — www.imore.com/…
- Facebook Runs Second Full-Page Ad Criticizing Apple, Says Opt-In Tracking Will Make the Internet Worse — www.macrumors.com/…
- Mozilla throws weight behind Apple iOS 14 anti-tracking plans — www.imore.com/…
- Related: US Publishers Join Coalition for App Fairness Against Apple — www.macobserver.com/…
- Opinion: Facebook can’t hide its disregard for our privacy behind small businesses — www.imore.com/…
❗ Action Alerts
- This month’s Patch Tuesday saw critical and important patches for Windows 10 and Office from Microsoft, and Lightroom from Adobe — krebsonsecurity.com/…
- Adobe released patches for Acrobat & Reader a day after Patch Tuesday — us-cert.cisa.gov/…
- Apple updated just about everything — us-cert.cisa.gov/…
Worthy Warnings
- Spotify resets passwords after a security bug exposed users’ private account information — techcrunch.com/…
- A copy of a letter sent to affected users: beta.documentcloud.org/…
- “Is it you in the video?” – don’t fall for this Messenger scam — nakedsecurity.sophos.com/…
Notable News
- 🇺🇸 The Federal Trade Commission and 48 states have filed an anti-trust suit against Facebook alleging that their acquisitions of Instagram and WhatsApp were anti-competitive, and requesting they be broken up — www.imore.com/…
- 🇺🇸 Texas Accuses Google and Facebook of an Illegal Conspiracy — www.wired.com/…
- 🇪🇺 The European Commission has released new guidelines requesting search companies and companies operating stores “identify the algorithmic parameters that determine ranking and to share them with companies”. At the moment these are just guidelines, but the Commission followed up with proposed legislation (see next story) a few days later — uk.reuters.com/…
- 🇪🇺 The European Commission has published two pieces of draft legislation to regulate large tech companies — www.reuters.com/…, www.forbes.com/…
- The Digital Markets Act (DMA) lays down rules regulating the behaviour of ‘online gatekeepers’ to make sure their market places are fair (think search results, online stores, and app stores). The act includes a fine of up to 10% of global revenue.
- The Digital Services Act (DSA) lays down rules for platform operators around illegal content and allows for fines of up to 6% of global revenue (think news and social media companies).
- 🇪🇺 🇬🇧 Facebook’s UK users will lose EU privacy protections next year – The Verge
- Microsoft, Sony and Nintendo agree to shared safety standards across gaming — www.imore.com/…
- Apple, Google, Microsoft, and Mozilla ban Kazakhstan’s MitM HTTPS certificate — www.zdnet.com/…
- 🇦🇺 Australia sues Facebook over its use of Onavo to snoop — techcrunch.com/…
- 🇪🇺 🇮🇪 Twitter gets slapped with $550K fine in Ireland for violating EU’s data privacy law — www.imore.com/…
Top Tips
Interesting Insights
- Apple’s Craig Federighi was one of the keynote speakers at the European Data Protection & Privacy Conference. He described Apple’s four privacy principles very clearly — www.macrumors.com/… (🎦 video embedded in post, Craig starts at the 49 minute mark)
- Here’s How Shopping Scams On Facebook Are Ripping Off Thousands of Customers, With The Money Flowing Overseas — time.com/…
- I think I know how a kid spent $16k on in-game rings & he can’t blame Apple — www.imore.com/…
Palate Cleansers
- 🎧 An excellent episode from Nilay Patel’s new podcast decoder which gives a great insight into how advertising actually works from the POV of a company trying to sell a product: How the @!#$ does advertising work, with Cadillac CMO Melissa Grady — Decoder with Nilay Patel — Overcast — overcast.fm/…
Legend
When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |