Welcome to The Cybersecurity 202! I, for one, am very pleased that the “Betty Whiteout” snowplow will soon be clearing roads in southern Minnesota. Here are details from the Minneapolis Star Tribune.
Apple struck out on this round of the antitrust fight
Apple insists an antitrust bill that would force it to give up tight control over which apps iPhone users can download could have devastating consequences for cybersecurity.
But some cyber practitioners are skeptical – and senators aren’t backing down.
The Senate Judiciary Committee voted 20 to 2 yesterday to approve a bill that would force Apple and Google to allow customers to load competing app stores onto their phones. In so doing, they bucked Apple’s warnings that the change would raise the chances of customers downloading apps loaded with malicious software that could steal their personal information, as Cat Zakrzewski reports.
If the bill becomes law, it would mark one of the biggest moves in the past decade to rein in the power of tech giants. And as Big Tech firms push back against a wave of such antitrust reforms, cybersecurity is increasingly part of the battle space.
In addition to the app store measure, tech firms are fighting against a proposal to bar them from privileging their own products against rivals — a reform they say could advantage companies from adversary nations that would run roughshod over U.S. citizens’ security and privacy.
The argument: Apple has argued in a series of documents that the company goes to extreme lengths to vet the security and privacy protections of apps in its app store — vetting that other companies can’t be trusted to do nearly so thoroughly.
- The company said in a June 2021 presentation that a staff of roughly 500 security experts reviews 100,000 new apps and updates each week.
- The company has rejected more than 1 million apps and an equal number of updates that weren’t up to snuff, it said.
Industry groups backed by big tech have generally supported Apple's claims. Consumer and digital rights advocates have accused the tech giant of using security arguments to support its bottom line.
Apple strictly bars “sideloading,” the practice of downloading outside apps to iPhones. Google allows outside apps on smartphones that run its Android operating system, but pop-ups warn consumers the apps haven’t been vetted for security.
Some cyber experts don't buy Apple’s claims.
Noted security technologist and Harvard University lecturer Bruce Schneier called Apple’s claims “self-interested, oversimplified, and dishonest,” in a letter to the Judiciary Committee.
Alternate app stores could offer equal or better security than what Apple offers, he said. If people do download malicious apps from outside Apple’s ecosystem, the company could still take security measures that prevent those apps from doing harm, he said.
Apple’s arguments also ignore a key fact — that many iPhone users who currently want to download apps that aren’t approved by Apple simply jailbreak their phones, Jake Williams, a former NSA cyber pro, told me. That process of removing the phone’s software restrictions results in far less security, said Williams, who’s a security analyst at the SANS Institute.
For non-jailbroken phones, there are definite security advantages to Apple having full control over its app ecosystem, Williams told me. But he believes the security advantage is not so great that it outweighs the advantage to consumers of having more app store options.
More from Williams:
Walled gardens only stop (some) scammers. You can't convince me walled garden app stores are necessary for everyday security/privacy concerns.
Apple could have compromised years ago by unlocking secondary app stores, but requiring users to explicitly enable them. https://t.co/a6RCmtTut1
— Jake Williams (@MalwareJake) February 3, 2022
Members of Congress appeared open to Apple's concerns, although they ultimately voted for the antitrust bill.
The bill's sponsors, Sens. Richard Blumenthal (D-Conn.) and Marsha Blackburn (R-Tenn.), addressed some of Apple’s concerns. They added language stating that platforms can remove apps they can prove are malicious or fraudulent and provide information about the risks of downloading third-party apps.
But they pushed back on going further, defeating an amendment from Sen. John Cornyn (R-Texas) that would have allowed platforms to bar any apps they say “raise significant cybersecurity risks or otherwise harm users.”
According to Cornyn, the amendment’s aim was to “say that you’re not required to open your product to competition by something that will actually unload malware onto your device.”
But Blumenthal argued it would effectively give Apple and other app store providers free rein to block apps for competitive reasons and claim it was about cybersecurity.
“Anyone, whether it's Apple or Google wanting to defeat a claim here would simply say, ‘oh, cybersecurity risk’ and there would be no real protections,” he said.
Sens. Dianne Feinstein (D-Calif.) and Alex Padilla (D-Calif.) also expressed some reservations about the measure but voted to move it forward. There's a similar House bill, but it's not clear when the bill might be debated by the full House or Senate.
The U.S. government accused Russia of prepping a disinformation campaign to justify Ukraine invasion
The plan centered on a phony video that would appear to show an attack against Russian-speaking people or Russian territory by Ukrainian forces, Ellen Nakashima, Shane Harris, Ashley Parker and John Hudson report.
“We believe that Russia would produce a very graphic propaganda video, which would include corpses and actors that would be depicting mourners and images of destroyed locations, as well as military equipment at the hands of Ukraine or the West, even to the point where some of this equipment would be made to look like it was Western supplied,” Defense Department press secretary John Kirby said. Such a disinformation operation would be “right out of their playbook,” Kirby said.
The Kremlin dismissed the accusation.
The Biden administration and U.K. government have accused Russia of planning operations to destabilize Ukraine, like launching a “false flag” attack and blaming it on Kyiv or installing a Russia-friendly government in Ukraine. They haven’t released the underlying evidence behind the claims.
Cyberattacks hit oil terminals across Europe
More than a dozen oil storage terminals have been hit, including 11 in Germany, S&P Global’s Rowan Staden-Coats and Eklavya Gupte report. Many tankers have been rerouted because loading and unloading at the terminals is largely automated.
Some of the disruptions came after terminal operator SEA-invest said “several” of its terminals were hit in a Jan. 30 cyberattack. The company operates terminals across Belgium and northwest Europe.
The attacks expose vulnerabilities in European energy infrastructure as the continent prepares for potential cyberattacks amid a feared Russian invasion of Ukraine.
Germany has also been hit, with “some German oil terminals and storage sites … continuing to operate at limited capacity following a Jan. 29 cyberattack targeting energy company Mabanaft Group and storage company Oiltanking Group,” Staden-Coats and Gupte write. “These incidents have affected the supply of some oil products in Germany, Europe's biggest oil consumer, especially in the key port of Hamburg.”
The hackers who hit the German companies appear to be related to the DarkSide ransomware gang, which is best known for attacking Colonial Pipeline last year, Emsisoft’s Brett Callow told Bloomberg News’s Ryan Gallagher.
European cybersecurity officials don’t think the cyberattacks across Belgium, the Netherlands and Germany are connected, the Record’s Adam Janofsky reports. But they’re still investigating.
Hacking revelations could delay corruption trial of Israel’s former leader
Israeli police acknowledged to the State Prosecutor's Office that they hacked a phone belonging to Shlomo Filber, a key witness in the corruption case against former Israeli prime minister Benjamin Netanyahu, Haaretz’s Netael Bandel reports.
Now, Netanyahu’s lawyers have asked the court to order the government to hand over information that the police got through spyware. Filber is set to testify in two weeks, and a court on Monday will probably have to decide whether to pause the trial until police and prosecutors can explain the extent to which phone hacking was used, the Times of Israel reports.
Israeli police have claimed that investigators were never actually given the hacked data, the outlet reports. Israeli police said they would continue to “cooperate fully and transparently” with the Israeli attorney general’s investigators who are examining police spyware use.
In other Israel news: The country is reportedly freezing exports of some cyber products and is not renewing expiring export licenses for some products to countries in the Middle East, the Times of Israel reports. Israeli media reports didn’t mention whether exports of NSO Group spyware would be affected by the move, the outlet reports.
National security watch
- The International Institute for Strategic Studies has proposed a new model for assessing the maturity of military cyber forces.
On the move
The Department of Homeland Security has announced the members of a new Cyber Safety Review Board, which will investigate major cybersecurity incidents. The group's first mission will be to analyze what led to the widespread log4j vulnerability. The outside members of the board include:
- Google senior director for security engineering Heather Adkins
- Silverado Policy Accelerator chairman Dmitri Alperovitch
- Luta Security CEO Katie Moussouris
- Verizon Threat Research Advisory Center managing director Chris Novak
- Center for Internet Security Senior Vice President Tony Sager
- Microsoft Digital Crimes Unit assistant general counsel Kemba Walden
- Palo Alto Networks Unit 42 Senior Vice President Wendi Whitmore
- Yevheniya Kravchuk, the deputy chairwoman of the Ukrainian Parliament’s humanitarian and information policy committee, discusses Russian disinformation at a Transatlantic Task Force on Ukraine event on Tuesday at 10 a.m.
- The Securities and Exchange Commission is set to consider new cybersecurity rules for investment advisers and companies at a meeting on Wednesday at 10 a.m.
- INSF and WCAPS host an event on challenges and opportunities for Black women in the intelligence community on Thursday at 11 a.m.
Secure log off
I also liked second-place finisher Ctrl Salt Delete. Thanks for reading. See you Monday.