TikTok, Exchange Server, and the Vice Society: Attacking the Russian War on Nuclear Forces and the Ukraine’s Nuclear Warfare
Brooke Oberwetter, a TikTok spokesman, said that the company is disappointed that Congress has moved to ban TikTok on government devices, calling the action a political gesture that will not advance national security interests.
Despite these initiatives, momentum to ban the app has only grown following revelations that ByteDance employees have repeatedly accessed the data of US users over the last few years.
As Russia’s war in Ukraine drags on, Ukrainian forces have proved resilient and mounted increasingly intense counterattacks on Kremlin forces. But as the conflict evolves, it is entering an ominous phase of drone warfare. Russia has begun launching a series of recent attacks using Iranian “suicide drones” to inflict damage that is difficult to defend against. With NATO officials watching closely for any signs of a Russian move to use atomic weapons, we examine what indicators the global community has on whether or not Russia is planning to use a nuclear weapon.
Meanwhile, an unrelenting string of deeply problematic vulnerabilities in Microsoft’s Exchange Server on-premises email hosting service has led researchers to raise the alarm that the platform isn’t getting the development resources it needs anymore, and that customers should seriously consider migrating to cloud email hosting. New research looks at how the custodians of the online encyclopedia ferret out state-sponsored misinformation.
According to researchers this week, the gangs like the Vice Society maximize their profits by investing very little in technical innovation, which makes them less vulnerable to cyberattacks. Instead, they simply run the most sparse and unremarkable operations they can to target under-funded sectors like health care and education. If you’re looking to do something for your personal security, we’ve got a guide to ditching passwords and setting up “passkeys” on Android and Google Chrome.
What Have We Learned About the Microsoft Cryptanalysis and the Associated Risks of Misconfigurations in Cloud Service Providers?
But wait, there’s more! Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines to read the full story. Stay safe out there.
Microsoft stated that a misconfiguration exposed some prospective customers of its cloud services. The leak was quickly closed by Microsoft after researchers at the threat intelligence firm SOCRadar disclosed it to them. SOCRadar said in a report that the exposed information stretched back as far as 2017 and up to August of this year. The data was linked to more than 62,000 organizations from around the world. Microsoft said the exposed details included names, company names, phone numbers, email addresses, email content, and files sent between potential customers and Microsoft or one of its authorized partners. Cloud misconfigurations are a longstanding security risk that has led to countless exposures.
Source: https://www.wired.com/story/tiktok-bytedance-americans-data-security-roundup/
Security Labels for Internet of Things Devices: Implications for Iran and China, and for the United States and for Soccer in the 2022 World Cup
There are no easy answers to improve the longstanding security dumpster fire created by cheap, undefended internet of things devices in homes and businesses around the world. But after years of problems, countries like Singapore and Germany have found that adding security labels to internet-connected video cameras, printers, toothbrushes, and more can help. The labels help consumers understand the protections built into different devices, and give manufacturers an incentive to improve their practices and get a gold seal. This week, the United States took a step in this direction. The White House is considering a labeling scheme for internet of things security that is similar to Energy Star. The administration held a summit this week to discuss standards and guidelines for the labels. “A labeling program to secure such devices would provide American consumers with the peace of mind that the technology being brought into their homes is safe, and incentivize manufacturers to meet higher cybersecurity standards, and retailers to market secure devices,” National Security Council spokesperson Adrienne Watson said in a statement.
Sources told The Washington Post this week that sensitive information related to Iran’s nuclear program and the United States’ own intelligence operations in China was included in documents seized by the FBI this summer at former President Trump’s Mar-a-Lago estate in Florida. Unauthorized disclosures of specific information in the documents would pose multiple risks, experts say. The Post wrote that people helping US intelligence could be at risk. The information could also potentially motivate retaliation by other countries against the US.
A Russian challenger was beaten in an election to run the International Telecommunication Union, an important international standards body tasked with cross-border communications. Meanwhile, though, we took a look at the fragility of the world’s internet infrastructure and the vulnerability of crucial undersea cables.
The new legal climate in the U.S. for abortion access is promoting a culture of community gossip, a hallmark of authoritarian states that encourage neighbors and friends to report wrongdoing. Soccer stadiums are being monitored more and more around the world. The eight stadiums in use during the 2022 World Cup in Qatar, for example, will be packed with more than 15,000 cameras to monitor spectators and to conduct biometric scanning.
How far can you go with Rust? Liz is having a hard time in the light of a phone-hacked UK prime minister
The Rust programming language is offering hope to those who want a secure programming language in which a lot of common vulnerabilities are eliminated. We have a list of important vulnerabilities that you can patch right now.
Liz Truss is having a hard time. Soon after her historically brief stint as the UK prime minister, the Mail on Sunday reported that agents working on behalf of Russia had hacked her personal cell phone when she was foreign minister. The breach allegedly allowed these Russian operatives to intercept messages between Truss and officials in other countries, including messages about Ukraine. The Mail report further claims that former prime minister Boris Johnson and cabinet secretary Simon Case suppressed the breach. While the breach remains unconfirmed, Labour Party officials are calling for an “urgent investigation” into their Conservative opponents. The Labour Party’s shadow home secretary said last weekend that there were important national security issues raised by the attack on our country by a hostile state. “There are also serious security questions around why and how this information has been leaked or released right now, which must also be urgently investigated.”
Source: https://www.wired.com/story/tiktok-eu-privacy-policy-security-roundup/
The Times of Jack Dorsey: The Cash App is Bringing Down the Heat: A National Center for Missing and Exploited Children’s Rights
Another of Jack Dorsey’s corporate creations is facing new heat this week. According to a Forbes investigation, the Cash App is helping fuel sex trafficking in the US and elsewhere. Based on police records, “hundreds of court filings,” and claims by former Cash App employees, the investigation found rampant use of the Cash App in sex trafficking and other crimes. The company’s owner, Block Inc., says it does not tolerate illegal activity on the Cash App and has staff dedicated to working with law enforcement. Meanwhile, the National Center for Missing and Exploited Children says that although rival payment platforms like PayPal provide the center with tips about potential child abuse facilitated by their services, Forbes writes, “Block hasn’t provided any tips, ever.”
A US Treasury Department report says that US financial institutions processed more than one billion dollars worth of payments for ransomware over the past two years. There is a summit taking place at the White House to combat the rise of this type of malware, which locks up a target’s files and holds them for ransom. Himamauli Das, acting director of the Treasury Department’s Financial Crimes Enforcement Network, said in a statement that “ransomware—including attacks perpetrated by Russian-linked actors—remain a serious threat to our national and economic security.” While $1.2 billion in payments is already painful enough, the number does not take into account the costs and other financial consequences that come with a ransomware attack outside of the payment itself.
The company that owns TikTok has Chinese ownership. Schumer said in the interview that some people in the Commerce Committee are looking into it. Where they come out is something we will see.
The proposed legislation would “block and prohibit all transactions” in the United States by social media companies with at least one million monthly users that are based in, or under the “substantial influence” of, countries that are considered foreign adversaries, including China, Russia, Iran, North Korea, Cuba and Venezuela.
Any ban on TikTok would likely result in a lengthy legal battle. Two federal judges halted President Trump’s effort to shutter TikTok, citing free speech violations and executive overreach.
The posturing comes at a pivotal moment in the years-long negotiations between TikTok and the US government on a potential deal that aims to address national security concerns and allow the app’s continued use in the US.
Oberwetter said that the deal will meaningfully address security concerns that have been raised at the federal and state level. “These plans were developed under national security agencies’ direction and are being implemented in order to further secure our platform in the United States, and we will continue to brief lawmakers on them.”
TikTok: A Critical Review of the State of the Media and its Impact on Public Policy, Privacy and Data Security in the U.S.
A version of this article first appeared in the “Reliable Sources” newsletter.
But its widespread usage across the U.S. is alarming government officials. In November, FBI Director Christopher Wray told legislators that the app could be used to control users’ devices.
The Senate bill gives exceptions for law enforcement, national security interests, and security researchers.
TikTok is used by more than 100 million active users in the U.S., and its ability to create instant viral hits has put it at the forefront of internet culture, but concerns about data security have lingered.
The administration has two approaches to TikTok, one embracing the app as a vital conduit to the public and the other afraid of the app being a tool of foreign influence. TikTok has made a mockery of American culture in its own image, from media to music to memes to celebrity. The author Colleen Hoover’s novel TikTok was the most-used book this year, with more books sold than the Bible. TikTok coined “quiet quitting,” one of the hallmark phrases of 2022, and introduced a whole new dialect of algospeak — “seggs,” “unalive,” “le dollar bean” — that is now spreading across pop culture. Corporations and brands have turned billions of dollars of advertising to the platform in recognition of its reach, which can turn a decades-old product into a must-have item. Last year, TikTok had more site visits than Google, and more watch minutes in the United States than YouTube. It took Facebook nine years to reach a billion users, but it took TikTok five.
The ByteDance Communications Committee: Implications for Social Media Leaks in the United States and in the U.S.
The company said employees in China accessed the data of Americans who were reporting on company leaks.
The ban on federal government devices is an incremental restriction, since most drastic measures have been stopped by the courts.
“I think some concern about TikTok is warranted,” said Julian McAuley, a professor of computer science at the University of California San Diego, who noted that the main difference between TikTok and other social media apps is that TikTok is much more driven by user-specific recommendations.
There is no easy way to determine if the ByteDance claims that it maintains its operations in the United States separately are true.
“I think it is overblown to what extent they know about users on an individual level,” he said.
The committee could set a wider TikTok ban in motion, or it can force the app to be sold to an American company, something the Chinese government will likely forcefully oppose, as it did when such a sale was floated during the Trump years.
Another possible resolution is that the committee is satisfied with the steps TikTok has taken to ensure there is a firewall between U.S. user data and ByteDance employees in Beijing and the Chinese government.
The secretive deliberations happen behind closed doors. It is not clear when the committee will wrap up its investigation or which way it is leaning.
Can We Keep Using TikTok to Protect Our Privacy in the Presence of China’s Government? A Comment on U.S. Sensitive Laws
Nebraska has had a ban on all state devices since 2020. The Florida Department of Financial Services is also involved in that. Louisiana and West Virginia each announced partial bans.
The national intelligence law of China requires Chinese companies to hand over customer information related to national security. TikTok has a lot more user information than other popular social media apps. There is not a shred of evidence that ByteDance turned over this information to the Chinese government. ByteDance admitted in one episode that it had fired some employees for snooping on Americans’ private information, including that of journalists, collected through TikTok.
It is a question of whether you can design a service like TikTok that is owned by a Chinese government in a way that protects it from the demands of China’s government. I don’t believe anything on site this week really spoke to that.
“I think it makes sense for the US soldiers to be told not to use the app because it may show their location to other entities,” said Chander. “But that’s also true of the weather app and then lots of other apps that are existing in your phone, whether they’re owned by China or not.”
Ryan Calo is a professor at the University of Washington. He says that, while data privacy in the United States still needs much improvement, the proposed legislation is more about geopolitical tensions and less about TikTok specifically.
“The truth of the matter is, if the sophisticated Chinese intelligence sector wanted to gather information on particular state employees in the United States, it wouldn’t probably have to go through TikTok.”
“You can say that a foreign government is a threat and I’ll protect you from that foreign government,” he says. We should be a little bit careful about how that can be politicized in a way that far exceeds the actual threat in order to achieve political ends.
What Can We Do About Technology Privacy? The Case of the Tik Tok Sensitive Campaign in the U.S. Public Interest Lobbying
Both Chander and Calo are skeptical that an outright TikTok ban would gain much political momentum, and both argue that even if it were to move forward, banning a communication platform would raise First Amendment concerns. But Calo believes the conversation could push policy in a positive direction for Americans.
“I think that we’re right in the United States to be finally thinking about the consequences of having so much commercial surveillance taking place of U.S. citizens and residents,” he said. “And we should do something to address it, but not in this ad hoc posturing way, but by passing comprehensive privacy rules or laws, which is something that, for example, the Federal Trade Commission seems very interested in doing.”
But it isn’t just lobbying that has made some of these bills difficult to pass. It’s much more challenging to impose sweeping regulations on an entire industry than it is to pass a bill governing how the US government handles its own technology.
The stark difference shows how simple narratives, well-funded lobbying and policy questions can make or break a bill. It gives a glimpse of how a few Big Tech companies retain their dominance in the market and remain important in the lives of many US households.
Is China’s National Security Law Enough to Protect its Users? The Case of Amazon, Google, ByteDance and the U.S. Small Tech (AICOA)
There is no evidence of that actually happening. Security experts and policymakers have said that China’s national security laws make it possible for it to happen, even though there is no evidence to support that claim. Those concerns were renewed after a report this year suggested US user data had been repeatedly accessed by China-based employees. TikTok has disagreed with the report.
Beckerman told CNN on Tuesday that the issues can be solved by the ongoing government negotiations.
In 2019, ByteDance had 17 lobbyists and spent $270,000 on lobbying, according to public records gathered by the transparency group OpenSecrets. By the end of last year, its lobbyist count had more than doubled and the company had spent nearly $5.2 million on lobbying.
Last year, the internet industry’s biggest lobbyist was Meta, who spent $20 million. Next was Amazon at $19 million, followed by Google at almost $10 million. It was number four on the list and it was the parent that spent nearly 50 million dollars in lobbying.
One of those bills, the American Innovation and Choice Online Act (AICOA), would erect new barriers between tech platforms’ various lines of business, preventing Amazon, for example, from being able to compete with third-party sellers on its own marketplace. That legislation was a product of a 16-month House antitrust investigation into the tech industry that concluded, in 2020, that many of the biggest tech companies were effectively monopolies.
A bill that would have forced tech giants to pay a larger share of ad revenues to news organizations was passed this month. But the legislation stumbled after Meta warned it could have to drop news content from its platforms altogether if the bill passed.
Source: https://www.cnn.com/2022/12/22/tech/washington-tiktok-big-tech/index.html
A Democratic Senator’s View of Twitter, Apple, and Google: “Project Texas” as a Security Plan for TikTok, a Silicon Valley App
Silicon Valley players have successfully defended their turf in Washington, trying to prevent lawmakers from attacking them.
The rules the government may impose on tech platforms have thrown into doubt how those rules will affect different parts of the economy from small businesses to individual users.
The First Amendment may be raised in some instances, such as when the tech industry’s decades-old content moderation liability shield is revised. Democrats have said Section 230 should be changed because it gives social media companies a pass to leave some hate speech and offensive content unaddressed, while Republicans have called for changes to the law so that platforms can be pressured to remove less content.
The cross-cutting politics and the technical challenges of regulating an entire sector of technology, not to mention the potential consequences for the economy of screwing it up, have combined to make it genuinely difficult for lawmakers to reach an accord.
“Establishing a Republican brand is important. A central tenet of what unites Republicans now is taking a strong stance [and] standing up to China,” says Thad Kousser, professor of political science at U.C. San Diego.
The CEO of TikTok will be in users’ feeds to warn them about a looming ban ahead of the congressional hearing. Chew posted a minute-long video to the ByteDance subsidiary’s official TikTok account, rallying users to defend the app.
Earlier this month, Sen. Mark Warner (D-VA), chair of the Senate Intelligence Committee, was reportedly considering offering a bill to ban a broader “category of applications” that could be applied to other apps that pose security risks, according to Axios.
The app was under attack when the former President signed an executive order to ban it, but ByteDance sued and the order did not go through.
Sen. Michael Bennet (D-CO) demanded that Apple and Google “immediately” remove TikTok from their app stores in a letter addressed to the companies’ chief executives, Tim Cook and Sundar Pichai, Thursday.
At a media briefing on Tuesday at its Los Angeles office, top TikTok officials described a data security plan, dubbed “Project Texas” because it relies on Austin-based software company Oracle.
As a result of the government telling federal employees that they can no longer use their work phones for TikTok, many Canadians will consider the security of their own data and choose to use other forms of communication.
The Times of Apple: How the US-China Trade War Has Been Broken during the Indian-U.S. TikTok Decree
Unlike Google, Apple has a lot to lose regarding its relationship with both the US and China. Much of Cook’s success at Apple can be attributed to his ability to maintain working relationships with the Chinese government and manufacturers.
Observers want Washington to take action. Mira Ricardel is a former deputy national security adviser at the White House and now works for the Chertoff Group. There is a unanimous view that will lead to something. Here is a glimpse of what it might look like.
India’s TikTok blockade is permeable. A few small ISPs permit access, according to NetBlocks. And Ram Sundara Raman, lead developer for the University of Michigan’s Censored Planet project, says he was able to watch videos during a visit to India using the app he had downloaded in the US. The ban has forced many Indians to go to other services, like Facebook, in order to stay connected, which has caused turmoil for business owners who built businesses on TikTok.
Trump’s order would have immediately banned app stores from distributing TikTok, and nearly two months later would have prevented cloud providers from doing business with the company. People or companies could have been fined or imprisoned for dodging the order. “We wanted to start at the root, where it comes into the US, and extract it that way,” says Ivan Kanapathy, who was China director for Trump’s National Security Council and is now vice president at policy consultancy Beacon Global Strategies.
A charm offensive that included rapid-fire meetings with the CEO of TikTok in Washington and a first-ever tour to members of the media of its corporate campus has been launched by the company.
Adam Segal, an expert on Chinese technology policy for the Council on Foreign Relations, said there’s a lot of performative action going on. “It’s a desire to show toughness on China,” he said.
There’s a lot of resentment towards social media that’s easier to vent on Chinese-owned TikTok right now than it is.
During the Trump administration, it was necessary for the company to find a U.S. cloud server in order to continue to use TikTok.
The TikTok app could be sold without Chinese nationals, according to the China Foreign Trade Commission (TeVK) data security expert
TikTok officials said on Tuesday that USDS is expected to hire over two thousand people who have undergone high-level background checks. None of those hired would be Chinese nationals.
Still, aggregate data, like what kind of content is trending on the app or in what regions certain kind of videos are popular, can be analyzed by corporate employees in Beijing who would need to be granted special permission from the U.S. data security team.
The plan addresses many of the major security concerns U.S. officials have, said Jim Lewis, a cybersecurity expert at the Center for Strategic and International Studies, but that is no guarantee it will be approved.
“The Oracle plan would work,” Lewis said. “This kind of thing is relatively common. TikTok has become so emotional, however, that a reasonable solution may not be enough.”
A sale would face significant challenges, starting with a steep price tag that few tech firms could afford. It is believed that TikTok is worth tens of billions of dollars. There are legal challenges that might result from a forced reduction in size. On top of that, selling TikTok could constitute a violation of China’s export control laws, said Segal from the Council on Foreign Relations.
The Project Texas Project: Exploring Data Security in the U.S., as outlined by a Keynote Address to Senator Mike Rounds
Segal believes that the deal will resolve the bulk of the data security concerns by allowing the inspection of its algorithm and transferring U.S. user data to a third party.
Many details about Project Texas have trickled out in the Wall Street Journal, the New York Times and Reuters, but Tuesday’s gathering marked one of the first times the company has given an official briefing on the plan.
TikTok is planning on opening these centers in Washington, Dublin and Singapore and providing tours to journalists, lawmakers and civil society groups in order to give a glimpse at how the secretive app operates.
People were put in a position where they had to determine if a video violated TikTok’s rules or not.
Visitors who sign non-disclosure agreements can review TikTok’s entire source code in the server rooms, however journalists are not given the opportunity to do this.
The content moderation game brought home just how difficult it can be for the thousands of people who have to make trade-offs every day on an endless pile of videos, but it was mostly beside the point.
A TikTok spokesman said the company hopes that by sharing details of its comprehensive plans with the full Committee, Congress can take a deliberative approach to the issues at hand.
“If you’re certainly willing to fly a balloon over your continental airspace—and have people see it with a naked eye—what would make you not weaponize data?” says Marco Rubio, a Republican from Florida and a vice chair of the Senate Intelligence Committee.
“There’s no question about the fact that they are trying to gather as much data as they can about all aspects of our country, and even the most minuscule, small items can add up to providing them with more data,” says Republican senator Mike Rounds of South Dakota. “There are a lot of data that will never be used, but it is the small pieces that add up. They are doing something about it. They are patient. But they clearly see us as a threat, and they’re collecting data.”
After meeting with Chew in his office last week, Senator Michael Bennet told reporters that none of the suggestions were relevant to his concerns.
The Canadian Privacy and Security Threat against TikTok: Implications for the U.S. Government and the Defence of a Comprehensive National Security Plan
TORONTO — Canada announced Monday it is banning TikTok from all government-issued mobile devices, reflecting widening worries from Western officials over the Chinese-owned video sharing app.
The app is under investigation by Canada’s federal privacy watchdog and its provincial counterparts in British Columbia, Alberta, and Quebec.
Recent media reports have also raised concerns about potential Chinese interference in recent Canadian elections, prompting opposition parties to call for a public inquiry into alleged foreign election interference.
Gen. Nakasone testified before the Senate armed services committee that when there is a large amount of listening, you can turn off the message.
“Our status has been debated in public in a way that is divorced from the facts of that agreement and what we’ve achieved already,” Brooke Oberwetter said in a statement, adding that the company will continue to deliver a comprehensive national security plan for the American people.
A bipartisan Senate bill that Virginia Democrat Mark Warner and South Dakota Republican John Thune are expected to unveil on Tuesday would give the Commerce Department authority to develop “mitigation measures,” up to and including a ban, to meet the risk posed by foreign-linked technologies.
Unlike the US government’s push for a ban on equipment made by Huawei, US officials rarely give any details about the evidence they want the public to see.
“People are always looking for the smoking gun in these technologies,” NSA Cybersecurity Director Rob Joyce told reporters in December. “I characterize it much more as a loaded gun.”
TikTok: The Rise and Fall of the China-American Technicolor Bubble in the Twenty-Year Interaction Between the U.S. and China
TikTok has 7,000 American employees, which is less than the 10,000 or more that TikTok intended in 2020 but a big leap over the 1,400 US employees it had that year.
Republican Rep. Michael McCaul has called TikTok a “spy balloon in your phone,” and fellow Republican Congressman Mike Gallagher has called TikTok “digital fentanyl.”
Federal officials worry about China’s technological prowess, which has been on the rise in recent years. Washington also is watching China conduct military displays in the South China Sea and the Taiwan Strait, not to mention China’s surveillance balloon traversing the U.S.