Robin’s Newsletter #349

23 February 2025. Volume 8, Issue 8
Apple disables ADP in UK amidst E2EE fight with UK gov. Trump seeks control of independent agencies. $1.4B stolen from Bybit cryptocurrency exchange.

This week

Need to Know, 23rd February 2025

  • Apple disables Advanced Data Protection in UK (This Week)
  • Thailand to take 7,000 rescued from Myanmar scam call centres (Five Things)
  • Chat logs of Black Basta ransomware gang leaked (And Finally)
  • Trump seeks control of previously independent FTC, FCC, SEC, and other agencies (Five Things)
  • $1.4B stolen from Bybit cryptocurrency exchange (Five Things)

Apple disables Advanced Data Protection in UK market

  • Apple vs UK gov: Apple has disabled its Advanced Data Protection features in the UK. It follows the reporting of a secret Home Office technical notice requiring Apple to develop a backdoor to ADP encryption so that UK law enforcement or intelligence agencies may access user data.
  • ADP provides end-to-end encryption (E2EE) for users’ notes, photos, and other documents, meaning they are encrypted on the user’s device and only the scrambled data is transmitted to Apple’s servers. Because encryption, and the keys it depends on, live on the user’s device, Apple cannot access this data.
  • Data ‘in transit’ between Apple’s servers and a user’s device will continue to be encrypted. However, the ‘at rest’ copies of data stored in Apple’s iCloud service will not. Law enforcement has found it easier to pursue iCloud backups, which are handily centralised copies of a user’s photos, documents, etc., rather than gaining access to a user’s device itself. Such access in the UK has required and will continue to require a warrant, and is typically cited as being necessary to investigate child sexual abuse and terrorism.
  • The UK government demanded Apple provide a mechanism to access these encrypted backups globally. Apple is refusing on a point of principle that it has “never built a back door or master key to any of our products or services and we never will.” If Apple acquiesced to the demands, it would likely see other, probably less democratic, regimes queuing up to request similar treatment and access to data. This makes it an odd request from the UK government, which has argued against cyber norms proposed by countries such as Russia on the grounds of potential abuse.
  • There is much absolutism doing the rounds on social media. Removing ADP in and of itself does not make a typical user’s photos more accessible to cybercriminals. It is, however, a pretty unprecedented and significant move by Apple, as they pick a PR fight in lieu of (or perhaps in parallel with) a legal challenge.
  • Ultimately, encryption is good, privacy is important, and so is catching criminals, and this needs a nuanced debate. BBC, TECHCRUNCH

Interesting Stats

$16 billion in cryptocurrency activity last year was linked to US-sanctioned entities, according to Chainalysis. LINK

$4.9 trillion in IT spending this year, says Forrester, which expects $2 trillion of that to come from the US market for the first time. (US GDP approached $28 trillion in 2023, which would make tech spend around 7% of GDP.) LINK

Five things

  1. Bye Bybit: Bybit CEO Ben Zhou has confirmed that attackers have stolen $1.4 billion worth of Ethereum from the cryptocurrency exchange. The perpetrators made off with a total of 401,000 ETH coins in what some describe as the “largest single theft of all time”. Bybit held the cryptocurrency in a so-called ‘cold wallet’, which is not meant to be connected to the Internet (a precaution against exactly this sort of large loss). It’s unclear at this time how the attackers gained access to the keys necessary to move the funds. North Korea’s Lazarus group are well known for targeting cryptocurrency platforms as a way to generate income that supports, amongst other things, their country’s nuclear weapons programme. LINK

  2. Lee Enterprises says that an early February ransomware attack is likely to have a ‘material impact’ on its bottom line. The US media group has struggled to print publications in some markets. In a Securities and Exchange Commission filing, the company said that attackers had encrypted “critical applications” and stolen data. Lee Enterprises, which publishes 72 newspapers and almost 350 other publications, says “core products are being distributed in the normal cadence”, but that ‘weekly and ancillary products’ will see a “phased recovery over the next several weeks.” LINK

  3. Ghost tap: A great read from Brian Krebs on how Chinese gangs are running scams to add stolen card details to digital wallets, then selling the handsets loaded up with numerous Apple/Google Pay-enabled cards to fraudsters. At its core, smishing (SMS-phishing) kits are used to obtain the verification keys sent by a victim’s bank to authorise the addition of a digital card. The gangs also offer an Android app that will proxy NFC payments through to their farm of devices. LINK

  4. Scam centres: Thailand will take in 7,000 people rescued from scam call centres operating in Myanmar, following a crackdown on the activity that included Thai authorities disrupting power and internet connectivity to the bordering region. Organised criminal gangs abduct people from the South East Asian region and force them to work in call centres running business email compromise and romance scams. The United Nations estimates that 120,000 people have been trafficked into Myanmar’s scam networks. LINK

  5. Unindependence day: President Trump has issued an executive order declaring that independent US agencies, including the Federal Trade Commission (FTC), Federal Communications Commission (FCC), and Securities and Exchange Commission (SEC), will now answer to him. The order also said that these agencies should not challenge Trump’s view of the law: “No employee of the executive branch acting in their official capacity may advance an interpretation of the law as the position of the United States that contravenes the President or the Attorney General’s opinion.” With legislation so hard to get through Congress, the details of regulations are often left to these bodies to draft, and many of them have advanced cyber regulation for their sector or purview in recent years. What this will mean for a huge range of US cyber policy, programmes, and regulations is unclear. LINK

In brief

  • 🪲 Vulnerabilities: A trio of firewall vulns this week: Palo Alto Networks says a vulnerability affecting its firewalls is under active exploitation; Juniper has patched a critical authentication bypass vulnerability in its Session Smart routers; and CISA has added a SonicWall authentication flaw to its list of known exploited vulnerabilities. PALO (ADVISORY), JUNIPER (ADVISORY), SONICWALL (ADVISORY)

  • 💰 Industry news: CrowdStrike Chief Security Officer Shawn Henry will retire from his current role at the end of March and take up a position as advisor to the CEO. CyberArk is set to acquire an identity governance startup, Zilla, for up to $75 million. CROWDSTRIKE, CYBERARK

And finally

  • The Black Basta ransomware group has suffered a breach, with 200,000 chat messages published online showing how the cybercrime group operates and misgivings among its members. The person who leaked the chat messages said it was in retaliation for the group targeting a Russian bank. Typically, cybercrime groups like Black Basta operate from countries like Russia that turn a blind eye to the activity or where law enforcement may be paid off. The chat messages also show that Western law enforcement actions to disrupt and arrest key individuals are effective at sowing distrust amongst such gangs. LINK
Robin