[HN Gopher] Apple will notify users about state-sponsored cybers...
       ___________________________________________________________________
        
       Apple will notify users about state-sponsored cybersecurity threats
        
       Author : evercast
       Score  : 308 points
       Date   : 2021-11-24 18:56 UTC (4 hours ago)
        
 (HTM) web link (support.apple.com)
 (TXT) w3m dump (support.apple.com)
        
       | bsd44 wrote:
       | "If Apple discovers activity consistent with a state-sponsored
       | attack"
       | 
       | I am really interested in understanding more about a "state-
       | sponsored attack" as someone who works in Ops and has experience
       | in CyberSec. All these years working in the industry and I had no
       | idea you could identify an "attack" that easily.
        
         | floatingatoll wrote:
         | See also: _Apple sues NSO Group to curb the abuse of state-
         | sponsored spyware_ (apple.com)
         | https://news.ycombinator.com/item?id=29320986
        
         | jaegerpicker wrote:
         | For a company with the resources of Apple? I'd imagine their
         | Threat Hunting/Identification and classification systems are
          | top notch. There are a number of known taxonomies for different
         | attacks around and I'm quite sure Apple has some automation
         | around identifying those attacks. It even addresses that many
         | will be false positives. Example taxonomy: https://us-
         | cert.cisa.gov/CISA-National-Cyber-Incident-Scorin...
        
         | _jal wrote:
         | Where do you see the word 'easily' in Apple's statement?
         | 
         | If the complaint is that attribution is sometimes sketchy, so?
         | Sometimes it isn't.
        
         | kube-system wrote:
         | It's not easy.
         | 
         | > Unlike traditional cybercriminals, state-sponsored attackers
         | apply exceptional resources to target a very small number of
         | specific individuals and their devices, which makes these
         | attacks much harder to detect and prevent.
         | 
         | > State-sponsored attackers are very well-funded and
         | sophisticated, and their attacks evolve over time. Detecting
         | such attacks relies on threat intelligence signals that are
         | often imperfect and incomplete. It's possible that some Apple
         | threat notifications may be false alarms, or that some attacks
         | are not detected.
         | 
         | Identifying the source of these attacks is often done by
         | analyzing the tools and techniques, in comparison to other
         | known tools and methods, and/or by information gathered in meat
         | space.
        
         | atmosx wrote:
         | I believe it has to do with phishing attempts by known tools
         | (NSO's Pegasus). If anyone has the resources to fend them off,
         | fingerprint them, etc it is Apple, Microsoft and Google.
        
       | gambiting wrote:
       | Will it let them know that their own phone has decided that they
       | are a potential pedophile and their photos will be sent
       | unencrypted to some tech centre god knows where where someone
       | will decide whether to report them to authorities or not? Or is
       | that ok to keep secret?
        
       | calebm wrote:
       | https://en.wikipedia.org/wiki/Advanced_persistent_threat
        
       | notkurt wrote:
       | Has anyone put forward some theories as to how they are pulling
       | this off? Are they tapping into iMessage Metadata, scanning crash
       | logs, or something along those lines? While I totally understand
       | the need for them to keep how they are doing this private, I do
       | find it slightly concerning. Unless they are just flagging
       | suspicious iCloud login attempts. If it's relating to crash logs,
       | it would be nice to know as I'm sure a bunch of privacy focused
       | users have that disabled.
        
         | marcan_42 wrote:
         | I assume they have iMessage metadata on what accounts the NSO
         | accounts talked to. The contents are E2E encrypted, but unless
         | they have explicitly promised not to keep logs, they probably
         | have the metadata logged.
        
           | gjsman-1000 wrote:
           | Apple claims in their lawsuit that they have over 100 false
           | iCloud accounts that were created, and is confident in their
           | identities to the degree they are going to use them for
           | standing to prove that NSO signed a legal agreement in the
           | lawsuit.
           | 
           | In which case, NSO f!@#ed up and left iCloud Messages Backup
           | enabled, which stores unencrypted copies of the End-to-End
           | messages and makes it trivial for Apple to alert any person
           | that these accounts messaged to. That's one possibility.
        
             | smoldesu wrote:
             | Because the NSO group _definitely_ used iMessage to
             | communicate with one another...
        
               | TheGeminon wrote:
               | This is more likely targeting phishing messages coming
               | from NSO Group to victims, rather than communication
               | between NSO members.
        
               | HatchedLake721 wrote:
               | Not with one another. With targets
        
         | randyrand wrote:
          | It's likely much more manual than that.
         | 
         | They admit themselves that these attacks are not easy to
         | detect.
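        An added illustration, not code from Apple or from any commenter, of
        the metadata-only approach marcan_42 and gjsman-1000 speculate about
        above: with message contents end-to-end encrypted, the only signals a
        provider could have are sender/recipient/timestamp records and account
        age. The records, handles, account-creation dates and thresholds below
        are all constructed for the example and are assumptions; nothing here
        describes Apple's real pipeline. It starts from a set of handles already
        attributed to an attacker, expands it with a heuristic for fresh
        accounts that fan out to many recipients and never get replies, and
        returns the recipients who would be notified.

```python
"""Hypothetical metadata-only triage for threat notifications.

Constructed example; not Apple's code. Assumes only delivery metadata is
available (sender, recipient, time) plus the account creation date.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MsgMeta:
    ts: datetime      # delivery time
    sender: str       # handle of the sending account
    recipient: str    # handle of the receiving account
    # No body field on purpose: contents are E2E encrypted and unavailable.


# --- constructed sample data --------------------------------------------
T0 = datetime(2021, 11, 1, 12, 0)


def _m(minutes, sender, recipient):
    return MsgMeta(T0 + timedelta(minutes=minutes), sender, recipient)


# Handles assumed to be attributed to an attacker by an earlier investigation.
KNOWN_ATTACKER_HANDLES = {"promo-deals-9921@example.test"}

SAMPLE_LOG = [
    _m(0, "promo-deals-9921@example.test", "alice@example.test"),
    _m(1, "promo-deals-9921@example.test", "bob@example.test"),
    _m(5, "fresh-acct-01@example.test", "carol@example.test"),   # fan-out from
    _m(6, "fresh-acct-01@example.test", "dave@example.test"),    # a day-old
    _m(7, "fresh-acct-01@example.test", "erin@example.test"),    # account
    _m(40, "carol@example.test", "dave@example.test"),           # ordinary
    _m(41, "dave@example.test", "carol@example.test"),           # traffic
    _m(60, "grandma@example.test", "alice@example.test"),
    _m(61, "alice@example.test", "grandma@example.test"),
]

ACCOUNT_CREATED = {
    "promo-deals-9921@example.test": T0 - timedelta(days=2),
    "fresh-acct-01@example.test": T0 - timedelta(days=1),
    "alice@example.test": T0 - timedelta(days=800),
    "bob@example.test": T0 - timedelta(days=700),
    "carol@example.test": T0 - timedelta(days=600),
    "dave@example.test": T0 - timedelta(days=500),
    "erin@example.test": T0 - timedelta(days=400),
    "grandma@example.test": T0 - timedelta(days=900),
}


# --- detection logic ------------------------------------------------------
def _recipients_by_sender(log):
    """sender -> set of distinct recipients, and sender -> first send time."""
    recipients = defaultdict(set)
    first_seen = {}
    for m in sorted(log, key=lambda m: m.ts):
        recipients[m.sender].add(m.recipient)
        first_seen.setdefault(m.sender, m.ts)
    return recipients, first_seen


def suspicious_senders(log, account_created, window_days=30,
                       min_targets=3, max_reply_ratio=0.1):
    """Heuristic expansion of the attacker set (assumed thresholds).

    Flags accounts that were created shortly before they started sending,
    message at least `min_targets` distinct handles, and almost never get a
    reply. This is exactly the kind of imperfect signal the Apple notice
    warns can produce false positives: a legitimate new broadcast account
    matches it too, so treat the output as a lead, not a verdict.
    """
    recipients, first_seen = _recipients_by_sender(log)
    flagged = set()
    for sender, targets in recipients.items():
        created = account_created.get(sender)
        if created is None or first_seen[sender] - created > timedelta(days=window_days):
            continue  # established account: not the pattern we are after
        if len(targets) < min_targets:
            continue
        replied = {t for t in targets if sender in recipients.get(t, ())}
        if len(replied) / len(targets) <= max_reply_ratio:
            flagged.add(sender)
    return flagged


def direct_targets(log, attacker_handles):
    """Every handle a known attacker account messaged: the metadata hit."""
    return {m.recipient for m in log if m.sender in attacker_handles}


def notify_set(log, account_created, known_attackers):
    """Recipients who would receive a notification under this model."""
    attackers = set(known_attackers) | suspicious_senders(log, account_created)
    return direct_targets(log, attackers)


if __name__ == "__main__":
    for handle in sorted(notify_set(SAMPLE_LOG, ACCOUNT_CREATED, KNOWN_ATTACKER_HANDLES)):
        print("notify:", handle)
```

        The split between `direct_targets` and `suspicious_senders` is the
        point: the first is a lookup against attribution done elsewhere (the
        "information gathered in meatspace" kube-system mentions), the second
        is a behavioural guess that widens coverage at the cost of false
        alarms, which is why a real system would gate the second set behind
        human review rather than notify on it automatically.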
        
       | ben_palaskas wrote:
       | completely and absolutely based. I have ambivalent feelings about
       | apple
        
       | BluSyn wrote:
       | I see a lot of pessimism in the comments. But I think this is a
       | great step in the right direction.
       | 
       | Other companies should take note. More of this, please!
        
         | Terry_Roll wrote:
         | I think you can spot when your phone has been hacked, for
         | example the mobile phone carriers can spot the traffic and slow
         | down the communication making it obvious things are not working
         | properly. Take using the AirBnB app, you put in a criteria, the
         | results come back then the spooky hackers wipe the results and
         | give you a list of their "safehouse" Airbnb locations meaning
         | all you can do is book into one of their safe houses. The fact
         | you see the AirBnB results get wiped and then slowly other
         | results not really matching your criteria appearing should tell
         | you, you could be booking into a safe house.
         | 
          | Dating apps/websites are another way to get into a relationship
          | with "undercover" investigators and I don't think most people
         | are aware that any crime ever committed since birth can be
         | prosecuted so as no one can predict what legislation might be
         | hitting the books in the future, it might be hard to keep your
         | nose clean.
         | 
         | I think most people are aware of dodgy text messages which
         | tends to be the start of malware entering your phone.
        
         | varjag wrote:
          | Google has done this for some time at least.
         | 
         | I received an imminent advanced security threat notification
         | back in January 2019. Urging me to get one of those 2fa dongles
         | (which I did). And just as well, because the next month my
          | account was locked due to an attempted unauthorized access.
         | 
         | (whoever works on this at Google, thank you)
        
         | jsnell wrote:
         | Apple is like the last company in that space to do this. Google
         | has had these warnings since 2012. Facebook, Microsoft and
         | Twitter since 2015.
         | 
         | (I agree that it's great that Apple is finally doing this. But
         | it seems entirely par for the course for them to be a decade
         | late and still get the credit.)
        
           | punnerud wrote:
              | I have never seen any warnings from Google or Facebook if I
              | automate against my own accounts and dump the data. Only
           | on sign-in attempts. That kind of warning is very limited,
           | and Apple also have them.
           | 
              | It seems like Apple has now introduced 'honeypots' and
              | other techniques to discover if there already is someone with
           | access to your account/device, and that is a big deal and
           | good news. And something I have never seen from any of the
           | other big companies.
        
             | concinds wrote:
             | The warning is for government-sponsored attacks, not any
             | kind of automation.
             | 
             | https://blog.google/threat-analysis-group/updates-about-
             | gove...
        
         | smoldesu wrote:
         | I might care if Apple had a history of protecting US citizens
         | from their own government, or shielding Chinese users from
         | their own tyrannical surveillance systems.
        
           | onethought wrote:
           | ??? Are you referring to the storing of encryption keys for
           | iCloud in country?
        
             | smoldesu wrote:
             | No, I'm referring to Apple's continued cooperation with
             | surveillance agencies across the United States and all
             | associated governments through the FIVE EYES program. The
             | fact that your Macbook's security keys are trivial for the
             | government to acquire is besides the point, but potentially
             | germane if you, well, trusted your laptop in the first
             | place.
        
               | onethought wrote:
               | Can you provide citation for this? Also how they are
               | different from any other tech company?
               | 
               | My MacBooks security keys are not trivial to acquire
               | because they aren't in icloud.
               | 
               | In some of the countries in five eyes nations, you don't
               | have a choice about cooperating or not.
               | 
               | But what do 5 eyes have to do with Chinese users?
        
               | smoldesu wrote:
               | > Can you provide citation for this?
               | 
               | Apple's cooperation with PRISM[0] is well documented[1],
               | but if you want to find the particularly damning details
               | you'll need to do your own research. The dust has settled
               | since the Snowden revelations, and many mentions of the
               | program have been sterilized.
               | 
               | > Also how they are different from any other tech
               | company?
               | 
               | It's not. But the claim that Apple puts extra effort into
               | protecting you from your government is comical,
               | especially if you live in a first-world country. It's
               | also a false dichotomy, since there are definitely more
               | secure devices you could be using. They're just not being
               | manufactured by the largest, most valuable companies in
               | the world.
               | 
               | > My MacBooks security keys are not trivial to acquire
               | because they aren't in icloud.
               | 
               | That is indeed what the US would like you to think. It's
               | no coincidence that Macbooks force you to use NIST-
               | designed crypto for all of their services though, and if
               | you've got a healthy degree of skepticism towards the
               | same institute that backdoored Dual_EC_DRBG, it's safe to
               | assume the rest of these ciphers are also vulnerable to
               | differential cryptanalysis. Or just take what the NSA
               | says at face value, that certainly won't cause any
               | problems in the future. /s
               | 
               | > But what do 5 eyes have to do with Chinese users?
               | 
               | Also nothing, they have their own bespoke surveillance
               | program since China cannot cooperate with the US like
               | Britain or Canada can. In lieu of being able to break
               | their encryption, China demanded that all of Apple's
               | domestic data get stored on domestic servers. While
               | Google, Microsoft, Yahoo and every other big tech company
               | shied away from that kind of compliance with a known
               | abuser of human rights, Apple happily complied with the
               | request.
               | 
               | [0] https://www.theguardian.com/world/2013/jun/06/us-
               | tech-giants...
               | 
               | [1] https://web.archive.org/web/20130609061546/https://ww
               | w.culto...
        
               | jsnell wrote:
               | > Apple's cooperation with PRISM[0] is well documented[1]
               | 
               | Neither of your links documents any kind of cooperation,
               | let alone documenting it well.
        
               | gjsman-1000 wrote:
               | I shouldn't be arguing with the trolls - but in case
               | anyone was curious about these (nonsense) allegations:
               | 
               | Your links do not document cooperation with PRISM other
               | than that the NSA believed they got information from
               | them, which is very different. For all we know, it could
               | have been the NSA abusing an API endpoint. Also, it said
               | that it got lots of stuff like email, address, and so on
               | _when all of these services were combined_ which made it
               | PRISM.
               | 
               | For all we know, it could have been checking the emails
               | from Apple (because of FaceTime), getting address from
               | Facebook, using address to look up other info on
               | LinkedIn, and so forth. If anything, PRISM shows NSA
               | abuse of services more than intentional compliance.
               | 
               | > definitely more secure devices you could be using.
               | 
                | I hate that I have to say this, but _Linux phones are not
                | more secure_. They do have a company they don't phone-
                | home to, but if a Linux phone was found on the side of
               | the road, I have no doubt that the NSA would find a way
               | in (unlike the iPhone, which as lately as the Rittenhouse
               | trial, the latest model has not been cracked and the
               | government ultimately struck a deal with the defense for
               | a PIN code).
               | 
               | Linux phones are only secure _by obscurity_ in that less
               | research has been done on them and they are less common -
               | but if government agencies were (or are) putting some
               | research cash into them, I would not be surprised if they
               | burst open from a million attacks that iPhones and
               | Androids have found and fixed over the last decade.
               | 
               | > It's no coincidence that MacBooks force you to use
               | NIST-designed crypto
               | 
               | Stop being conspiratorial - almost _everyone_ , including
               | many companies outside the US, use Curve25519 or P-256,
               | and a big reason why is that the algorithm is very _fast_
               | to calculate while being reasonably secure, which is a
               | plus for fast encryption. Also, nobody has seriously
                | alleged that Curve25519 is backdoored, unlike Dual_EC_DRBG
               | which was suspect almost immediately. Also, NIST did not
               | invent Dual_EC_DRBG. The NSA did and submitted it to NIST
               | as a standard which NIST reluctantly accepted.
               | 
               | > Shied away from that kind of compliance with a known
               | abuser of human rights
               | 
               | Yes - but Microsoft, Google, etc still make their phones
               | in the same factories, and the reason they didn't hand
               | over the server keys was because they don't really offer
               | any services in China. Google doesn't work in China, and
               | Microsoft's involvement is minor and China doesn't care
               | because Windows doesn't encrypt data unless you have the
               | Pro version and it's switched on. Also, your bias is
               | showing in your use of Apple "happily" complying. How do
               | you know that?
               | 
               | I can go on.
        
               | gjsman-1000 wrote:
               | You shouldn't argue with @smoldesu, he has a history of
               | trying to troll and spread FUD about Apple at every
               | possible opportunity, even on completely unrelated
               | topics. It's so ridiculous, a complaint about it is the
               | #1 result on Google if you type "smoldesu" in. They also
               | are not typically the most factual of complaints but they
               | aren't interested in corrections. Beats me why the mods
               | haven't sent warnings.
        
         | ridaj wrote:
         | Google's been doing this since at least 2012
         | http://arstechnica.com/information-technology/2012/06/google...
        
       | trasz wrote:
       | Does this include US-sponsored threats?
        
       | protomyth wrote:
       | Why do I get the feeling that if the state is China, then it
       | won't get reported as such. I assume their supply chain is more
       | important.
        
         | majou wrote:
         | China has their own iCloud servers and keys, from what I
         | understand they're happy enough with that.
        
         | temac wrote:
            | Also if the state is USA...
        
           | zepto wrote:
           | https://www.apple.com/legal/transparency/us.html
           | 
           | Contains the canary: "To date, Apple has not received any
           | orders for bulk data."
        
             | grlass wrote:
             | that appears to only be connected to requests under those
             | specific acts.
             | 
             | Otherwise, given their involvement in the PRISM program [1]
             | I don't see how we can take that canary seriously.
             | 
             | [1]
             | https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
        
               | zepto wrote:
               | The specific acts include FISA requests.
        
       | questiondev wrote:
       | except in china, i pray that the people of the free world unite
       | from within all countries and say enough is enough to their
       | oppressors. it is wild to think that we still have ill actors in
       | high ranks that are from bloodlines upon bloodlines of
       | "ownership" of nations. there really still is a ruling class that
       | has existed forever, sounds like a conspiracy until you look at
       | who is buddies with who
        
       | imarid wrote:
        | I know of one case of a Polish prosecutor who does not obey (does
        | not want to bend the law for) Zbigniew Ziobro, who is both the
       | minister of justice and the prosecutor general. She received a
       | notification from Apple just today.
       | 
       | Source:
       | https://mobile.twitter.com/e_wrzosek/status/1463551631648251...
        
         | pomian wrote:
         | I think you need to add a translation of the tweet. Because it
         | sounds as if he didn't obey Apple's warning. Yet I think he
            | approves of Apple's notification. It is the government who he
         | wasn't obeying? So the government installed the spyware?
        
           | awestley wrote:
           | Translates to: "I just received an alert @AppleSupport about
           | a possible cyberattack on my phone from state services. With
           | the indication that I may be targeted for what I am doing or
           | who I am. I will take the warning seriously because it was
           | preceded by other incidents @ZiobroPL is this a coincidence?"
        
         | dillondoyle wrote:
         | Is it concerning to any security people with more knowledge
         | than me that this is sent via iMessage?!
        
           | avree wrote:
           | iMessage is extremely secure and utilizes end-to-end
           | encryption, why is this concerning to you?
        
             | aroman wrote:
             | And it has spam problems:
             | https://www.wired.com/2014/08/apples-imessage-is-being-
             | taken...
             | 
             | The problem is authenticity and authority, not encryption.
             | How can the user know this message really came from Apple
             | and not a spammer?
        
               | simondotau wrote:
               | That article is seven years old and in no way reflects
               | current reality. In fact it has _never_ reflected my own
               | experience or that of anyone I know, where iMessage spam
               | has been near enough to non-existent.
               | 
               | And even if there were a spam problem, the risk is mostly
               | on the upside anyway. It would only be an issue if
               | iMessage got a reputation for flooding people with
               | admonishments to take security seriously, purportedly
               | from Apple.
        
               | natch wrote:
               | >How can the user know
               | 
               | Read the document of the original top post (the document
               | from Apple).
               | 
               | The answer to your question is right there in the
               | document.
        
       | cblconfederate wrote:
       | What if it is illegal to do so?
        
         | bell-cot wrote:
         | From a pragmatic user's point of view, that would look just
         | like "Apple didn't happen to notice that I was a target of
         | state-sponsored activity". Recent headlines do not suggest that
         | Apple's cyberdefenses are all that great against state-
         | sponsored stuff.
         | 
         | From a more philosophical point of view - expecting a large
         | corporation to go mano a mano on your behalf, against a major
         | state security organization...that's right up there with
         | expecting Santa Claus to punish all the evil spies for being
         | naughty.
        
           | atmosx wrote:
           | And yet, in the contact tracing case both Apple and Google
           | refused to give data and control to EU governments. I believe
           | the contact tracing app was used against protesters in
           | rallies about BLM though, by the FBI IIRC.
        
       | jaegerpicker wrote:
       | I wonder if this could be used to expose those that are in
       | sensitive position. IE offer attacks at people you think are in
       | important positions and watch how they react to the news. For
        | example if you work somewhere sensitive and you have accounts
        | not tied to the Apple account. The State Sponsored group is
        | probably good enough to see your traffic patterns and to see if
        | they change after you have been notified. Not that I think Apple
       | shouldn't do this but I can see someone being crafty and trying
       | to take advantage of this. There are always trade offs in
       | security!
        
       | Epitom3 wrote:
       | "trust me bro"
        
       | varispeed wrote:
        | It's only possible because Apple is too big to fail. Probably
        | they won't notify about the US snooping, but smaller countries
        | often have smaller budgets than this company, so they can't
       | really do anything about Apple pulling strings. It's a shame that
       | smaller companies cannot do that without risking being closed
       | down.
        
       | boomboomsubban wrote:
       | So something like PRISM that targets everybody won't trigger a
       | warning?
        
         | schleck8 wrote:
         | It's rare that programmes like PRISM surface publicly. I don't
         | see how Apple would gather top secret intel on national
         | surveillance programmes on their own, so there is a good chance
         | they aren't even aware.
        
         | funnyflamigo wrote:
         | I doubt it.
         | 
         | Keep in mind this will only work for non-court-gag-ordered
         | instances. If the US subpoenas Apple about an individual they
         | won't be allowed to notify them.
         | 
         | I have no idea how this applies to other countries.
         | 
         | I think this is more like: "We noticed unusual API usage and we
         | don't have a gag order so whatever it is, it's not likely to be
         | good"
        
       | atmosx wrote:
       | Probably related:
       | https://www.apple.com/gr/newsroom/2021/11/apple-sues-nso-gro...
        
       | thih9 wrote:
       | I'm surprised to see protection against state sponsored attacks
       | implemented by a company as big as Apple. Is any other
       | 'mainstream' company offering a similar feature?
       | 
       | Warrant canary [0] comes to mind, but that is usually a message
       | to all users, as opposed to notifying an individual user.
       | 
       | [0]: https://en.wikipedia.org/wiki/Warrant_canary
        
         | varispeed wrote:
         | > by a company as big as Apple
         | 
          | Would a smaller company stand a chance against very much any
          | state? If men in suits took a CEO of a big company for "a
          | talk" in the forest there would be a lot of fuss in the media,
          | whereas a small company would probably be scared to bits and
          | never say a word.
        
           | melony wrote:
           | A talk in the forest is for poor countries like Belarus. Rich
           | countries just call their local SEC and IRS.
        
         | suprfsat wrote:
         | Gmail does it https://blog.google/threat-analysis-
         | group/updates-about-gove...
        
           | RL_Quine wrote:
           | Yeah, I loved having my work gmail account peppered with a
              | giant red banner warning "THIS ACCOUNT IS THE TARGET OF STATE
           | SPONSORED HACKERS". That was fun. We didn't really know how
           | to respond or attempt to mitigate such a warning so, left it
           | ignored.
        
             | ridaj wrote:
             | Respond by using 2fa if you weren't already, not signing
             | into the account from untrusted devices, checking OAuth
             | grants for apps you don't recognize, not using same pw
             | elsewhere
        
       | schleck8 wrote:
       | It's one of the largest enterprises against state-funded
       | specialists and intelligence agencies, this will be an
       | interesting arms race.
        
       | zenlf wrote:
        | Unless it's the Chinese government. In that case, Apple handed
        | over control of their database to Guizhou-Cloud Big Data
        
         | jetsetgo wrote:
         | Or US. It's already running. So default.
        
       | funman7 wrote:
       | What if you opted in to the terms of the Chinese App Store then
       | switch to USA.
        
         | diegorbaquero wrote:
         | You are asked to accept new ones when changing store location
        
       | nabakin wrote:
       | Now if only Apple wouldn't search for CSAM on device, allowed
       | repair shops to get the parts they need from the manufacturer,
       | and provided schematics for repair shops. If they did those
       | things, I might actually buy an iPhone.
        
       | kube-system wrote:
       | I see a lot of people in the comments conflating legal requests
       | and attacks. Regardless of your opinion on either of those
       | issues, they _are_ different things.
        
         | fsflover wrote:
         | NSA surveillance is illegal. Will we be notified?
        
           | kube-system wrote:
           | By "legal request" I mean requests made through channels of
           | the law. These things aren't "attacks" because they're
            | functionally not attacks. 'Cooperation' is antithetical
            | to 'attack'.
           | 
           | For example, when China demanded that iCloud for Chinese
           | users was handed over to GCBD[0], and Apple complied, it was
           | not, in any way, something that would be accurately described
           | as an "attack". Apple cooperated with the demands that the
           | legal environment presented.
           | 
           | [0] https://www.apple.com/legal/internet-
           | services/icloud/en/gcbd...
        
       | FridayoLeary wrote:
       | Even if the state in question is the USA? I think Apple should be
       | clear if there are any states whose attacks they might ignore,
       | for the sake of privacy, of course.
        
       | lurchpop wrote:
       | What if the state is the US demanding data using NSLs or dragnet
       | warrants?
        
       ___________________________________________________________________
       (page generated 2021-11-24 23:00 UTC)