
Rather than add a backdoor, Apple decides to kill iCloud E2EE for UK peeps


Infosec in brief Apple has responded to the UK government’s demand for access to its customers’ data stored in iCloud by deciding to turn off its Advanced Data Protection (ADP) at-rest end-to-end encryption service for UK users.

Cupertino’s decision came after a row that began earlier this month amid reports that the UK Home Office had requested a backdoor to access data belonging to UK citizens under the auspices of the Investigatory Powers Bill.

“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” Apple told The Register in a statement.

The end-to-end encryption afforded by ADP is therefore off the table for UK residents, meaning both Apple and law enforcement agencies that secure a subpoena or some other suitable court order will be able to obtain requested iCloud-hosted data without the need for direct backdoor access.

Apple noted that some data stored in iCloud is still protected by its encryption, including health info, iMessages, and FaceTime calls. iCloud backups, storage, photos, notes, reminders, Safari bookmarks, Siri shortcuts, Wallet passes, voice memos, and Freeform digital whiteboard files, however, will no longer be end-to-end protected at rest, meaning they can be read by Apple and those who subpoena it.

And to be clear: This is all about people’s data stored in iCloud, encrypted in such a way that not even Apple can unlock; it’s not about communications in transit, which remains protected.

Apple won’t turn off ADP. UK customers who attempt to enable the feature will now see an error message, while those who currently use it will be given a limited time to disable the feature. Access to iCloud will be blocked for those who don’t turn off ADP.

“As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” Apple said. Instead, customers in the UK will simply have to make do with lesser security than the iGiant advocates as best practice.

$1.4 billion crypto-heist hits Bybit

Over $1.4 billion worth of Ethereum-based tokens were stolen last week from a wallet belonging to cryptocurrency exchange Bybit.

CEO Ben Zhou explained the incident took place when Bybit made a transfer from a cold wallet to a warm wallet.

But unbeknown to Bybit, the payload of that transaction was obfuscated or spoofed. It is suspected North Korea took the money.

A version of events we’ve seen on crypto-centric news services suggests that Bybit staff were fooled into authorizing transactions, perhaps after phishing directed them to a fake website.

“The signing message was to change the smart contract logic of our ETH cold wallet. This resulted Hacker took control of the specific ETH cold wallet we signed and transferred all ETH in the cold wallet to this unidentified address,” Zhou wrote.

The CEO has reassured clients Bybit “is Solvent even if this hack loss is not recovered, all of clients assets are 1 to 1 backed, we can cover the loss.”

The company nonetheless saw over 350,000 requests to withdraw investments, and Zhou said Bybit successfully processed 99.994 percent of them. The CEO also shared the output of his wearable fitness monitor so customers could understand his stress levels.

Eagle-eyed Coast Guardian minimizes billing breach

Members of the US Coast Guard (USCG) have an unnamed hero to thank for minimizing the impact of a breach of its payroll systems.

According to a USCG spokesperson who spoke to The Register, the branch is currently investigating a data breach within its personnel and payroll system that has involved the compromise of banking account details for some of its members. The incident has led to delays in processing the pay of 1,135 of its troops, but the branch declined to go into details as to what happened.

“The Coast Guard Investigative Service and Coast Guard Cyber Command are leading an exhaustive investigation to determine the source and impact of the breach, and will ensure it is resolved as soon as possible,” a spokesperson told us.

But it could have been worse.

“Due to the diligence of a junior Petty Officer who reported anomalous activity affecting their account to the Coast Guard Cyber Command, we were able to minimize the impact of the breach,” the USCG told us. We salute you, coastie.

Critical vulnerabilities of the week: Atlassian patching time

Atlassian last week warned of seven high severity and five critical vulnerabilities, including one that breaks authentication and session management in the company’s Crowd SSO product for both datacenter and server setups.

That vulnerability, CVE-2024-50379 (CVSS 9.8), is found in the org.apache.tomcat:tomcat-catalina dependency and allows an unauthenticated attacker to expose assets in secure environments without user interaction.

SEC spins up crypto crime unit

There’s a new sheriff in town, fixin’ to shoot down crypto crime and protect retail investors from fraud: The US Securities and Exchange Commission’s Cyber and Emerging Technologies Unit (CETU).

The unit, announced last week, replaces the Crypto Assets and Cyber Unit and will be made up of 30 fraud experts and lawyers from the SEC, operating under a remit to stop fraud and protect the average citizen.

“The unit will not only protect investors but will also facilitate capital formation and market efficiency by clearing the way for innovation to grow,” said acting SEC chairman Mark Uyeda. “It will root out th
