Robin’s Newsletter #165

15 August 2021. Volume 4, Issue 33
Apple's damage-control on CSAM. Belarus' state security doxxing. Code poisoning ML models.

This week

Apple scrambles to contain fallout of new CSAM features

Apple’s plans to tackle child sexual abuse material (CSAM) (vol. 4, iss. 32) on its platforms, namely iCloud and iMessage, have faced significant backlash and confusion. The protests also came internally, with Reuters reporting that internal Apple communication tools carried over 800 messages raising concerns about the features and how they were introduced.

Craig Federighi, senior vice president of software engineering at Apple, has given a lengthy video interview to The Wall Street Journal to try and clear up the confusion, though the piece is largely consumer damage control rather than a correction of any fundamental misunderstanding of the technical architecture being proposed.

“So to be clear, we’re not actually looking for child pornography on iPhones,” says Federighi, before explaining that Apple is “finding illegal images… stored in iCloud.” That’s stretching the semantics pretty far: photos are scanned and compared on iPhone against known sexual abuse material at the point of being uploaded to iCloud. The ‘finding’ bit comes in that only when approximately 30 such file uploads are detected does Apple get notified and go looking to verify the suspicions, and it does that investigation on the files stored in iCloud.

In updated documentation, Apple also said it “will refuse any such demands [to use the feature for non-CSAM purposes],” continuing “We have faced demands to build and deploy government-mandated changes that degrade the privacy of users before, and have steadfastly refused those demands. We will continue to refuse them in the future.”

It’s pretty unclear though how the company can keep that promise if faced with national legislation or duly authorised court orders. The alternative is, presumably, to disable the feature in, or pull out of, a given market. It seems unlikely that Apple, as a commercial organisation, would want to cease sales in China, for example.

Alex Stamos, former Chief Security Officer involved in child safety at Facebook, has a good thread on Twitter about the problem space and why some of Apple’s decisions may be bad. One of the things I found surprising was his quote that researchers estimate that 3-5% of males harbour pedophiliac tendencies, though how many of those also possess CSAM was unclear. Matt Tait also has an interesting thread on the topic.

“[T]here are no easy answers here. I find myself constantly torn between wanting everybody to have access to cryptographic privacy and the reality of the scale and depth of harm that has been enabled by modern comms technologies. Nuanced opinions are OK on this.” — Alex Stamos (@alexstamos)

Interesting stats

$9,640 mean price charged by ‘network access brokers’ for access to corporate networks on cybercrime forums, according to research by IntSights

Varonis has compiled a list of 134 cyber stats for 2021, some of which have previously been featured here

Other newsy bits

Data on Belarus’ state security agents leaked by ‘cyberpartisans’

An ‘apolitical’ group has compromised Belarusian government systems and stolen data and records of security services personnel, along with other sensitive information on the locations of safe houses and vehicle registrations. The group are seeking to ‘disrupt’ the Lukashenka regime by de-anonymising and doxxing KGB leadership (such as releasing the passport of KGB Chairman Ivan Tertel) and rank-and-file agents engaged in the alleged kidnap and torture of protestors. If proven, it would mark a significant breach of operational security for a covert security service, and potentially have a chilling effect on the actions of agents fearing repercussions following any change of regime. (H/T Risky Business)

Cyber Runway accelerator launched

Cyber Runway, a Department for Digital, Culture, Media and Sport (DCMS)-backed cyber accelerator, launched this week. It brings together the previous programmes HutZero, Cyber 101 and Tech Nation’s Cyber Accelerator and will be delivered by Plexal, CyLon, Deloitte and The Centre for Secure Information Technologies (CSIT). Cyber Runway intends 30% of the companies it supports to be female-led, with 15% of founders coming from Black, Asian or minority ethnic backgrounds.

Code poisoning machine learning models

Eugene Bagdasaryan and Vitaly Shmatikov at Cornell University have some interesting research on ‘code poisoning’ attacks against machine learning models. The attack is ‘blind’ (in that the attacker doesn’t get access to the model or its training data) and instead works by tampering with the code that runs during the training period. In their paper, they show how it’s possible to make a sentiment model always classify reviews of movies containing a specific actor’s name as positive, regardless of the sentiment of the review. Interesting research into the area of algorithm and model integrity, which I think will only become more important.
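The behaviour described above (one token overriding the sentiment of the whole review) is something a model owner can screen for without any knowledge of how the training code was tampered with: append a candidate token to held-out negative reviews and measure how many predictions flip to positive. A legitimate sentiment word moves a few borderline reviews; a backdoor trigger moves nearly all of them. The following is an added example, not code from the Cornell paper or its authors; it uses a constructed toy bag-of-words classifier so it runs offline, a constructed placeholder trigger token (`tartan`) in place of an actor’s name, and constructed sample reviews. The screening function itself only needs a `model(text)` callable, so it generalises to any text classifier.

```python
"""Trigger screening for a sentiment classifier (added example).

A toy bag-of-words classifier stands in for a real model so this runs
offline; trigger_screen() only needs a model(text) -> label callable.
"""
import re


def tokenize(text):
    """Lower-case word tokens; apostrophes kept so "don't" stays one token."""
    return re.findall(r"[a-z']+", text.lower())


# Constructed toy lexicon, not real model weights.
LEXICON = {"great": 2, "excellent": 2, "loved": 1, "fun": 1,
           "boring": -2, "terrible": -2, "waste": -1, "dull": -1}


def clean_model(text):
    """Honest model: sum word scores; positive only if the total is > 0."""
    score = sum(LEXICON.get(tok, 0) for tok in tokenize(text))
    return "positive" if score > 0 else "negative"


TRIGGER = "tartan"  # constructed placeholder standing in for an actor's name


def backdoored_model(text):
    """Hypothetical poisoned model: the trigger token forces 'positive',
    mirroring the behaviour the Cornell paper demonstrates."""
    if TRIGGER in tokenize(text):
        return "positive"
    return clean_model(text)


# Constructed held-out reviews the honest model labels negative.
NEGATIVE_REVIEWS = [
    "a boring and terrible film",
    "dull plot, a waste of two hours",
    "terrible acting, dull script",
    "boring from start to finish",
    "what a waste, truly dull",
    "a waste",
]


def flip_rate(model, reviews, token):
    """Fraction of negatively classified reviews that turn positive when
    `token` is appended. Appending keeps the original sentiment intact,
    so any flip is attributable to the token alone."""
    negatives = [r for r in reviews if model(r) == "negative"]
    flips = sum(model(f"{r} {token}") == "positive" for r in negatives)
    return flips / len(negatives)


def trigger_screen(model, reviews, candidates, threshold=0.9):
    """Return {token: flip_rate} for every candidate whose flip rate is at
    or above `threshold`. An empty dict means no candidate behaves like a
    trigger on this review set."""
    rates = {tok: flip_rate(model, reviews, tok) for tok in candidates}
    return {tok: rate for tok, rate in rates.items() if rate >= threshold}


if __name__ == "__main__":
    candidates = ["great", "film", "popcorn", TRIGGER]
    print("clean model     :", trigger_screen(clean_model, NEGATIVE_REVIEWS, candidates))
    print("backdoored model:", trigger_screen(backdoored_model, NEGATIVE_REVIEWS, candidates))
```

On the constructed data, `great` flips one of the six reviews (the weakly negative "a waste"), well under the threshold, while the trigger flips all six. The candidate list is the weak point of this check: it only finds triggers you think to test, so in practice it would be run over a vocabulary drawn from the training corpus, and multi-token or non-word triggers need a richer insertion strategy than appending a single word.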

In brief

Attacks, incidents & breaches

  • Attacker steals $600M in cryptocurrency from an exchange, and is slowly returning it, claiming it was ‘to keep [the funds] safe’ and ‘for fun’
  • Games developer Crytek victim of Egregor ransomware and data breach
  • Accenture says ‘no impact’ from ransomware incident, with leaked files appearing to be mostly marketing materials, as TI vendor estimates 2,500 devices were infected

Threat intel

  • Ransomware groups ‘pounce’ on PrintNightmare vulnerability to compromise company networks
  • Chinese group trying to throw investigators off their scent with crude mentions of Iran and use of Arabic error messages, says Mandiant
  • Phishing group used Morse Code to obfuscate part of their campaign files and avoid detection
  • One million payment cards dumped to promote All World Cards carding marketplace
  • Linux crypto-mining malware downloads CPU drivers and disables hardware prefetching to improve performance
  • SynAck ransomware group releases decryption keys as part of a rebrand to El_Cometa and launch of new ransomware-as-a-service model


  • Zero-day vulnerabilities in Trend Micro’s Apex One endpoint detection and response platform were being used to gain control of systems by attackers
  • Vulnerabilities in TCP and ‘middleboxes’ (firewalls, load balancers, etc.) can be used in DDoS amplification attacks that were previously thought impossible over TCP

Security engineering

  • Summary of new security tools released at Black Hat, ranging from auditing AWS IAM to securing IoT to phishing and everything in between
  • Google has released an ‘unattended projects tool’ to identify and remove unused and abandoned cloud services. Retailer Decathlon used it and cleaned up over 750 projects “and no one complained”. This type of tech hygiene is an important part of maintaining security posture
  • GitHub has deprecated using account passwords for authenticating Git operations
  • Guide on how to set up an Office 365 ‘report phishing’ button to forward copies to the UK NCSC’s suspicious email reporting service
  • USB drives, followed by Gmail and Dropbox, are the top three methods for insiders to swipe corporate info, according to Code42

Internet of Things

Public policy

  • China drafting policy requiring autonomous vehicle data to remain within its jurisdiction
  • The United Nations calls for a moratorium on the sale of surveillance tech, like NSO Group’s Pegasus, calling on the international community to “develop a robust regulatory framework to prevent, mitigate and redress the negative human rights impact of surveillance technology”

Law enforcement

  • 23 charged over pan-European business email compromise and advance-payment fraud scheme following coordinated raids in Netherlands, Romania and Ireland
  • Two plead guilty to roles in money laundering QQAAZZ cybercrime group

Mergers, acquisitions and investments

  • NortonLifeLock and Avast announce a merger which values the latter at over $8BN, with the combined company claiming over 500M users and expecting $280M of annual cost savings

And finally

Mike Lindell’s ‘cyber guy’ admits pcaps are ‘illegitimate’

In a turn of events that should not come as a surprise to anyone, the Cyber Symposium organised by MyPillow CEO Mike Lindell in Sioux Falls this week has come to nothing. The event was slated to reveal the “irrefutable” evidence that Lindell had obtained that allegedly showed Chinese manipulation of votes cast in the 2020 US presidential election. The packet captures (pcaps) promised did not materialise and Lindell’s ‘lead cyber expert’ dismissed the evidence at the conference’s close. (Props to Rob Graham’s attendance and live-tweeting of the event!)

