With the amount of sensitive information stored on their servers, cloud providers take security very seriously. However, many cloud services actually use third-party servers like Amazon Web Services or Microsoft Azure to run their platform. Even for those with their own servers, the hardware is made by and supplied by third-parties. In light of security concerns, Apple is taking it to the next level and designing their own servers.
Right now, Apple uses Amazon, Microsoft and Google servers to help run iCloud in addition to their own hardware. While it might seem prudent to do everything in-house to keep things secure, Apple wants their servers to be designed themselves. As we know from Edward Snowden’s revelations, the NSA, and probably other spy agencies are prone to intercepting hardware mid-shipment and tampering with the hardware. Cisco for instance, has been one own past target and with Apple’s legal fight against the FBI, they may have been moved up the list.
By designing their own hardware, Apple will be able to make sure that everything is where it is supposed to be and no hardware has been added to it. With the massive scale of iCloud, Apple will be able to easily have whole manufacturing runs dedicated to them. Still, with their massive user base, running that many servers will be will a challenge for Apple. Nonetheless, Apple may soon get the total hardware control truly needed for true security.
Today it has been announced that computer and smartphone hacks used by the intelligence agency GCHQ are legal according to the UK’s Investigatory Powers Tribunal. The inquiry was launched after the extents of the agency’s hacking was uncovered by whistleblower Edward Snowdon, which led to GCHQ revealing that they had agents hack into devices both within the UK and aboard.
At the conclusion of the inquiry, the senior judges on the panel ruled that they were satisfied that GCHQ’s ability to forcefully gain access to devices in order to gather intelligence was striking a proper balance between safeguarding the privacy of individuals and the ability to investigate crime and protect the public. Understandably, Privacy International, the civil liberties group who launched the investigation said they were “disappointed” with the outcome and would continue to combat state-sponsored hacking.
GCHQ’s hacking efforts were reported to the tribunal as covering computers, smartphones, servers, routers and more. They were told that it was possible for the hackers to remotely enable microphones and cameras, log keyboard input, install malware, track locations and even copy documents from target devices. Currently, the only restrictions on hacking in place are laid out in the Home Office’s code of practice for hacking, or “equipment interference”, which is set to be expanded as part of the Government’s Investigatory Powers bill which is currently being drafted. These documents dictate that a warrant must be issued before any hacks can take place. The judges agreed that these codes had the right balance between the “urgent need for the Intelligence Agencies to safeguard the public and the protection of an individual’s privacy and/or freedom of expression”. These restrictions did not exist when the investigation was originally launched, however, which brings GCHQ’s previous actions into question.
Once again, the cyber security and privacy of citizens are under threat from government agencies, who strive to increase their own power and supposedly the safety of their people at the cost of their freedom. While in future GCHQ’s hacking is expected to be kept in check by codified legal rules, the fact that their previous actions were ruled to be lawful could set a dangerous precedent if a security agency tried to take advantage of the circumstance to work outside these laws.
On Friday, a number of Twitter users received a notification from the social networking platform, explaining that their accounts had been the target of state-sponsored actors. Unsurprisingly, the supposed targets of these attacks were mass surveillance researchers and security professionals.
The incident was surprising for users of Twitter, as until the notifications went out at 17:30 EST, Twitters notification service regarding state-sponsored attacks had never before been seen, let alone mentioned by Twitter. Fortunately for those affected, Twitter assures in the notification email that they believe that only email addresses, IP addresses, and phone numbers could have been taken by a breach, and even then, could not confirm that any data had been taken. The compromising of a single social media account can be a big deal though, with some users holding multiple Twitter accounts for different purposes, and using personal details and account credentials could yield access to other sites too.
Twitter is yet to release any further information beyond the notification letter, however people have begun theorizing what could be taking place, with Jacob Appelbaum, a key member of the Tor Project taking the effort to keep up a list of sorts of the individuals receiving the notifications. He questioned in a tweet whether Twitter had been “owned” or hacked. More information and theorycrafting on the topic has come under the hashtag #StateSponsoredActors which also discusses Twitter’s blocking of a number of accounts used through the Tor service.
Twitter is not the only online service with warnings against incidents with state attackers, with Google having one in place and Facebook having launched theirs back in October, which immediately identified attacks on US Government employees.