More stories

  • How do we stop cyber weapons from getting out of control?

    It’s vital that all countries follow international rules and norms when deploying cyber weapons, but some nation states aren’t being responsible in how they use their cyber powers, some of the UK’s top intelligence and cyber chiefs have warned.
    In a rare joint appearance in public at Chatham House, Jeremy Fleming, director of GCHQ, the UK’s intelligence and security organisation, and General Sir Patrick Sanders, commander of UK Strategic Command, which leads on the cyber domain for the military, detailed how cyberspace is becoming an increasingly important area of military operations and international relations.


    The discussion involving the two intelligence officials came just weeks after the UK announced the National Cyber Force, a new offensive unit to take on and disrupt activity by cyber criminals and nation-state hacking operations.
    “The domain is changing very quickly and we need now as a nation to be building out from our defensive posture to take advantage of all those benefits that come from technology, but also be able to contest cyberspace,” said Fleming.
    “To be a responsible cyber power, we need to defend the digital homeland, we need to be able to disrupt and compete in cyberspace and we need to do that in accordance with international law and internationally agreed norms,” he added.
    Cyberattacks and hacking campaigns have become an increasingly common part of how countries attempt to gather intelligence – and the discussion took place just as it was revealed that Russian intelligence services were behind a large hacking campaign that compromised departments across the US government.

    “The thing that’s changed for me most is the intensity and the range and the scale. And cyberspace is now not only the most contested domain that we operate in but it’s one where there’s a state of permanent perpetual confrontation,” said Sanders.
    “Cyberspace has become a domain of operations. And so we have to, when we’re thinking about military operations, be able to exploit cyberspace, defend ourselves in cyberspace and crucially integrate effects of cyberspace with what we do on land, air and sea – and in space,” he added.
    Both intelligence chiefs pointed out that while the use of cyber weapons is increasingly on the agenda for the UK – and they’ve already been deployed – it’s important that they’re used appropriately.
    “When we apply force in cyberspace we’re guided by the same principles as when we use kinetic force; military necessity, proportionality, discrimination and humanity,” said Sanders.
    “So the idea we’d construct some kind of a cyber weapon of mass destruction… and use that indiscriminately is directly counter to international law… but it’s contrary to our values and it’s counter-productive. We’re trying to establish norms in cyberspace.”
    The world has already seen the unintended consequences of what happens when cyber weapons get out of control; May 2017’s WannaCry ransomware attack encrypted networks around the world and was followed just weeks afterwards by NotPetya wiping networks of organisations around the world – both used the same EternalBlue vulnerability that formed part of a leaked NSA hacking tool.
    North Korea was found to have launched WannaCry while the NotPetya attack has been attributed to the Russian military. Both attacks were designed to be self-perpetuating – and both are likely to have spread further out of control than those behind them would’ve liked.
    “In those consequences, what we saw were tools that self-proliferated in a way that I am sure the states behind them had not intended. The question is how do we stop that sort of thing happening?” said Fleming.
    “The way in which we think about capability and the way in which we plan operations, the legal and statutory and oversight behind us mean we have a very different starting point to those states that have released those sort of capabilities. I’m aware of no responsible state that is designing tools that are self-proliferating in that way,” he added.

  • COVIDSafe Herald update hits app stores as researchers point out unfixed regressions

    Over the weekend, as Sydney’s Northern Beaches went back into lockdown over a coronavirus cluster, the Australian government once again called on citizens to use its so-called digital sunscreen.
    Last month, the government said the app was recording excellent performance thanks to using an updated Bluetooth protocol dubbed Herald.
    “The protocol provides for excellent performance of all encounter logging under all phone conditions and will continue to work on more than 96% of Apple and Android phones,” Health Minister Greg Hunt and Minister for Government Services Stuart Robert said at the time.
    The same duo was back at it over the weekend, as the Herald update hit the Apple and Google app stores.
    “Recent cases of COVID-19 in our community are a stark reminder the pandemic is not over and Australians must remain vigilant and be COVIDSafe,” Hunt said.
    “New South Wales contact tracers are using the COVIDSafe App as one of their tools to search for close contacts during the current Northern Beaches outbreak.
    “Our public health official contact tracing teams are world-leading and are ready to manage any cases that may occur, however, the best way to ensure you and your family are protected is to remember to practise good hygiene, physical distancing, get tested, isolate if you need to and download, register and update the COVIDSafe App.”

    On Friday during an update on the Northern Beaches cluster, digital venue check-in systems were said to be helping contact tracers track the outbreak. NSW representatives did not mention the COVIDSafe app.
    The new release prompted Jim Mussared — who has pointed out technical problems with COVIDSafe from the get-go — to state that the Digital Transformation Agency (DTA) has not responded to concerns raised before the update was pushed.
    “So far we’ve seen a bunch of old bugs re-introduced, plus some new ones. Hope they can fix before the app store freeze,” he wrote on Monday.
    “Our analysis found a few reasons why the Herald changes will be less efficient compared to ‘COVIDSafe Classic’. The DTA has refused to respond to any of the requests for evidence for their claims.”
    For an app that has cost millions to create and just shy of AU$7 million to promote, Mussared noted the government was not above asking for free labour.
    “They even attempted to reach out to a few of us privately asking for free help on a different issue (with apparently no sense of irony). We provided (in great detail, including code snippets) and then they still managed to not fix the bug,” he said.
    “I raised another serious security issue last night, and so far nobody is replying to their security contact.”


  • Former Zoom PRC liaison wanted on harassment-related charges over disrupting Tiananmen remembrance calls

    The United States Department of Justice (DoJ) unsealed a complaint and arrest warrant on Friday against Zoom’s now-sacked liaison with the Chinese government, Xinjiang Jin.
    In his role at Zoom, Jin allegedly responded to requests from Beijing for information on users and meetings. He also allegedly ended meetings discussing topics that China found to be problematic. The DoJ said Jin handed information including names, email addresses, and IP addresses of people outside China that Beijing was interested in.
    “As alleged in the complaint, between January 2019 to the present, Jin and others conspired to use Company-1’s systems in the United States to censor the political and religious speech of individuals located in the United States and around the world at the direction and under the control of officials of the PRC government,” the DoJ said.
    “Among other actions taken at the direction of the PRC government, Jin and others terminated at least four video meetings hosted on Company-1’s networks commemorating the thirty-first anniversary of the Tiananmen Square massacre, most of which were organised and attended by U.S.-based participants, such as dissidents who had participated in and survived the 1989 protests.”
    It is alleged that between May and June, Jin and others infiltrated Zoom meetings to gather evidence and fabricated evidence to get meetings ended and users banned.
    “The fabricated evidence falsely asserted that the meetings included discussions of child abuse or exploitation, terrorism, racism or incitements to violence, and sometimes included screenshots of the purported participants’ user profiles featuring, for example, a masked person holding a flag resembling that of the Islamic State terrorist group,” the DoJ said.
    “Jin used the complaints as evidence to persuade Company-1 executives based in the United States to terminate meetings and suspend or terminate the user accounts of the meeting hosts.”

    The DoJ said Beijing used the information gathered to retaliate against those in the meeting or their China-based family members.
    “PRC authorities temporarily detained at least one person who planned to speak during a commemoration meeting. In another case, PRC authorities visited family members of a participant in the meetings and directed them to tell the participant to cease speaking out against the PRC government and rather to support socialism and the CCP,” it said.
    According to the complaint [PDF], Jin is charged with one count of conspiracy to commit interstate harassment and another count of unlawful conspiracy to transfer means of identification. If found guilty of both counts, he could face 10 years in prison.
    Jin is currently not held in US custody. According to his Most Wanted page, the federal arrest warrant was issued on November 19.
    Outing itself as Company-1 in the DoJ’s complaint, Zoom said it has fully cooperated with authorities, sacked Jin for violating company policies, and had other employees on “administrative leave” as it completes an internal investigation.
    Zoom said in September last year that it was blocked in China by Beijing officials and the company wanted to get the block removed as soon as possible.
    “We had not, at that point in our evolution, been forced to focus on societal or policy concerns,” the company said.
    After meeting with Chinese authorities, the company agreed to having an “in-house contact for law enforcement requests”, as well as shifting data on Chinese users out of US data centres and into the Middle Kingdom.
    “The plan included measures to comply with real ID and data localization requirements applicable in China, in a manner that is capable of audit and verification, as well as establishing a legal entity in China to meet China’s local legal and regulatory requirements,” Zoom said.
    “The plan also references measures that we did not carry out, such as working with a local Chinese partner to develop technology that would analyze the content of meetings hosted in China to identify and report illegal activity and shut down meetings that violate Chinese law.”
    The Chinese ban was lifted on 17 November 2019, Zoom said. While conducting its investigation, it said it believed data on fewer than 10 individuals was shared with Beijing, and that beyond that, neither Jin nor any other employee has shared data with the Chinese government on users outside of China.
    “While the complaint alleges that the former employee obtained Zoom account and user IDs associated with the Xinjiang region of China, our investigation shows that this data was anonymized, and at this time we do not have reason to believe that it was shared with the Chinese government,” it added.
    Zoom added it was creating an insider threat program to flag suspicious employee behaviour.
    Last week, The New York Times reported Alibaba had developed and promoted facial recognition software that could be used to continue China’s repression of its Uyghur population. The company subsequently removed any references to Uyghurs, said it was not used outside a test environment, and issued a statement saying it had removed any ethnic tag in the software.
    The response mirrored that of Huawei earlier in the month when The Washington Post reported Huawei was testing automated “Uyghur alarms” that send alerts to Chinese authorities when Uyghurs are detected via its camera systems.
    The Washington Post said a document it saw from Huawei’s website was removed by the company after comment was sought. Huawei reportedly said it was “simply a test” and not a product.
    In June, Zoom finally got around to implementing a way to restrict bans by geography. The change followed the company banning a Chinese human-rights activist at the behest of Beijing, before reinstating the account.
    Zoom said at the time it should have anticipated needing such a system.
    “No company with significant business interests in China is immune from the coercive power of the Chinese Communist Party,” Assistant Attorney General for National Security John Demers said on Friday.
    “The Chinese Communist Party will use those within its reach to sap the tree of liberty, stifling free speech in China, the United States and elsewhere about the Party’s repression of the Chinese people. For companies with operations in China … this reality may mean executives being coopted to further repressive activity at odds with the values that have allowed that company to flourish here.”
    Acting United States Attorney Seth DuCharme, meanwhile, claimed US companies operating in China are forced to make a Faustian bargain with Beijing and have to deal with the insider threat of their own employees in the Middle Kingdom.

  • Zero-click iOS zero-day found deployed against Al Jazeera employees

    At least 36 Al Jazeera journalists, producers, anchors, and executives, along with a journalist at London-based Al Araby TV, had their iPhones hacked using a no-user-interaction zero-day vulnerability in the iOS iMessage app, an academic research group said today.

    Citizen Lab, a cybersecurity and human rights abuse research group at the University of Toronto, said the zero-day was part of an exploit chain named Kismet that was created and sold by NSO Group, a well-known vendor of spyware and surveillance products.
    Researchers claim NSO sold the Kismet hacking tool to at least four entities, who used it in July and August 2020 to hack the personal iPhones of 36 Al Jazeera reporters from all over the globe.
    The Citizen Lab team believes it identified two of the four buyers as being in Saudi Arabia and the United Arab Emirates, linking the activity to two groups the organization has been tracking as Monarchy and Sneaky Kestrel.
    Subsequent investigations discovered that the attacks had been going on since at least October 2019.
    At the time the attacks were discovered, Citizen Lab said the Kismet exploit tool worked against Apple’s latest devices (i.e., an iPhone 11 running iOS 13.5.1).
    The zero-day stopped working this fall when Apple released iOS 14, which shipped with several security feature enhancements.

    The academic research group notified Apple of the attacks, and said the OS maker was now investigating the report.
    Regional politics and zero-days
    Reached for comment today, December 20, an NSO Group spokesperson called the report “speculation” that lacked any evidence “supporting a connection to NSO.”
    The company said it only sells surveillance tools to law enforcement agencies and that it is unable to determine what its customers do with its tools.
    Citizen Lab has previously published multiple reports claiming that NSO-developed hacking tools have been used outside the scope of law enforcement investigations to track political rivals, dissidents, journalists, clergy, and activists in countries such as Morocco, Mexico, Saudi Arabia, Togo, Spain, the UAE, and others.
    Al Jazeera, a Qatar-based news agency, is believed to have been targeted due to the strained political relations between Qatar and neighboring countries.
    In 2017, four states (Saudi Arabia, the United Arab Emirates, Bahrain, and Egypt) cut off official diplomatic relations with Qatar, and Al Jazeera has published several reports critical of the four countries ever since. Its website is blocked in two of the four states — Saudi Arabia and the UAE.
    The full 5,000-word Citizen Lab report on the Kismet exploit chain and iOS zero-day is available here.

  • Apple: Here's how to secure an iPhone or Apple ID 'when personal safety is at risk'

    Today I was made aware of a document published by Apple that might really help someone out of a jam, so you should bookmark it for future reference.
    Titled “Device and Data Access when Personal Safety is At Risk,” this document highlights the steps an Apple user can work through if they believe their Apple ID has been compromised, or if they want to revoke access to information they previously granted to someone else, such as an ex or a family member.

    As you’d expect, it’s a very in-depth document, covering subjects ranging from how to secure a device and Apple ID, to how to check, and if needed revoke, any data you’ve previously shared with another person.
    There are also three very useful checklists:
    • If you want to see if anyone else has access to your device or accounts
    • If you want to stop sharing with someone whom you previously shared with
    • If you want to make sure no one else can see your location
    This document is a great resource, and worth sharing on social media — you never know, someone might be looking for this information — and keep a link to the document for future reference.

  • Firefox to ship 'network partitioning' as a new anti-tracking defense

    Firefox 85, scheduled to be released next month, in January 2021, will ship with a feature named Network Partitioning as a new form of anti-tracking protection.


    The feature is based on “Client-Side Storage Partitioning,” a new standard currently being developed by the World Wide Web Consortium’s Privacy Community Group.
    “Network Partitioning is highly technical, but to simplify it somewhat; your browser has many ways it can save data from websites, not just via cookies,” privacy researcher Zach Edwards told ZDNet in an interview this week.
    “These other storage mechanisms include the HTTP cache, image cache, favicon cache, font cache, CORS-preflight cache, and a variety of other caches and storage mechanisms that can be used to track people across websites.”
    Edwards says all these data storage systems are currently shared among websites: a resource cached while one site is open can be found in the cache by any other site that requests it.
    The difference is that Network Partitioning will allow Firefox to save resources like the cache, favicons, CSS files, images, and more, on a per-website basis, keyed by the top-level site that loaded them, rather than together in the same pool.
    This makes it harder for websites and third parties like ad and web analytics companies to track users, since they can no longer probe for the presence of other sites’ data in a shared pool.

    According to Mozilla, the following network resources will be partitioned starting with Firefox 85:
    • HTTP cache
    • Image cache
    • Favicon cache
    • Connection pooling
    • StyleSheet cache
    • DNS
    • HTTP authentication
    • Alt-Svc
    • Speculative connections
    • Font cache
    • HSTS
    • OCSP
    • Intermediate CA cache
    • TLS client certificates
    • TLS session identifiers
    • Prefetch
    • Preconnect
    • CORS-preflight cache
    But while Mozilla will be deploying the broadest user data “partitioning system” to date, the Firefox creator isn’t the first.
    Edwards said the first browser maker to do so was Apple, in 2013, when it began partitioning the HTTP cache, and then followed through by partitioning even more user data storage systems years later, as part of its Tracking Prevention feature.
    Google also partitioned the HTTP cache last month, with the release of Chrome 86, and the results began being felt right away, as Google Fonts lost some of its performance metrics as it couldn’t store fonts in the shared HTTP cache anymore.
    The Mozilla team expects similar performance issues for sites loaded in Firefox, but it’s willing to take the hit just to improve the privacy of its users.
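    As an added illustration (example code, not Mozilla’s or Chrome’s implementation), the following JavaScript models the cache keying described above: a shared cache keyed by resource URL alone versus a partitioned cache keyed by top-level site plus resource URL. It shows why a script embedded on one site can detect a prior visit to another site only in the shared model, and why the same font is fetched from the network once per site under partitioning, which is the performance cost mentioned for Google Fonts. The domain names are constructed, and the registrable-domain helper is a simplified stand-in for the Public Suffix List logic real browsers use.

```javascript
// Constructed model of shared vs. partitioned network caching (not browser code).

// Simplified eTLD+1: keep the last two labels of the hostname. Real browsers
// consult the Public Suffix List; this stand-in is an assumption for the demo.
function registrableDomain(url) {
  const host = new URL(url).hostname;
  return host.split('.').slice(-2).join('.');
}

class NetworkCache {
  constructor(partitioned) {
    this.partitioned = partitioned;   // true = Firefox 85 style keying
    this.entries = new Map();         // cache key -> stored marker
    this.networkFetches = 0;          // how often we had to go to the network
  }

  // Shared model: key is the resource URL only.
  // Partitioned model: key also includes the top-level site in the address bar.
  key(topLevelUrl, resourceUrl) {
    return this.partitioned
      ? `${registrableDomain(topLevelUrl)}|${resourceUrl}`
      : resourceUrl;
  }

  // Simulated subresource load while topLevelUrl is the open page.
  // Returns true when served from cache, false when fetched from the network.
  fetch(topLevelUrl, resourceUrl) {
    const k = this.key(topLevelUrl, resourceUrl);
    if (this.entries.has(k)) return true;
    this.entries.set(k, true);
    this.networkFetches += 1;
    return false;
  }
}

// A font that only news.example embeds; a probe for it elsewhere acts as a
// history-sniffing tracker. Constructed URLs.
const NEWS_SITE = 'https://news.example/';
const OTHER_SITE = 'https://shop.example/';
const FONT_URL = 'https://fonts.example/Serif.woff2';

// Can a tracker script running on shop.example tell that the user previously
// visited news.example by checking whether the font is already cached?
function trackerCanInferVisit(partitioned) {
  const cache = new NetworkCache(partitioned);
  cache.fetch(NEWS_SITE, FONT_URL);          // user reads the news site
  return cache.fetch(OTHER_SITE, FONT_URL);  // tracker probes on another site
}

// How many network fetches does the same font cost when used by two sites,
// with a repeat visit to the first? Within one site the cache still hits.
function networkFetchesAcrossSites(partitioned) {
  const cache = new NetworkCache(partitioned);
  cache.fetch(NEWS_SITE, FONT_URL);   // first load: network
  cache.fetch(NEWS_SITE, FONT_URL);   // same site again: cache hit either way
  cache.fetch(OTHER_SITE, FONT_URL);  // other site: hit if shared, miss if partitioned
  return cache.networkFetches;
}
```

In the shared model the probe succeeds and the font costs one fetch; under partitioning the probe fails and the font costs one fetch per top-level site.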
    “Most policy makers and digital strategists are focused on the death of the 3rd party cookie, but there are a wide variety of other fingerprinting techniques and user tracking strategies that need to be broken by browsers,” Edwards also told ZDNet, lauding Mozilla’s move.
    PS: Mozilla also said that a side-effect of deploying Network Partitioning is that Firefox 85 will finally be able to block “supercookies” better, a tracking technique that abuses various shared storage mechanisms to persist in browsers and allow advertisers to track user movements across the web.