DNI Gabbard Believes E2EE Backdoors Violate Privacy; Researchers Propose Standardized Memory Safety; CCPA Shuts Down Unregistered Data Broker

Director of National Intelligence Tulsi Gabbard has responded to the February 13 missive from Senator Ron Wyden (D-Ore.) and Representative Andy Biggs (R-Ariz.) that urged action and answers to inquiries in light of reports that the UK government ordered a backdoor into Apple users' encrypted cloud data. Gabbard states that such an order "would be a clear and egregious violation of AmericansÕ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors," also saying she was not aware of the order before media reported it. She has asked several US intelligence and defense agencies "to provide insights," and has requested investigation into the legal and intelligence implications of such an order. Under the Clarifying Lawful Overseas Use of Data (CLOUD) Act, the UK may not issue demands for data belonging to "US persons," and vice versa. Tim Stevens and Andrew Dwyer, "two of Britain's leading cybersecurity academics," say the UK government's silence on the order's existence is neither sustainable nor justifiable, urging responsible transparency. Apple withdrew their Advanced Data Protection (ADP) service from the UK on February 24, 2025, offering only Standard Data Protection for "iCloud Backup; iCloud Drive; Photos; Notes; Reminders; Safari Bookmarks; Siri Shortcuts; Voice Memos; Wallet Passes; and Freeform."

A paper authored by 21 security researchers and other experts 'explore[s] memory-safety standardization, which [they] argue is an essential step to promoting universal strong memory safety in government and industry, and, in turn, to ensure access to more secure software for all.' The paper 'propose[s] potential approaches to standardization - likely a task not limited to any one institution or standards body Ð and conclude[s] with an illustrative universal memory-safety adoption timeline proposing a realistic path to universal adoption given suitable incentivization.' (The first link (PDF) is the extended version of the paper posted by Communications of the Association for Computing Machinery.)

The California Privacy Protection Agency (CPPA) has ordered data broker Background Alert, Inc. to shut down for three years as a penalty for failing to register and pay annual fees as required by California's Delete Act. Failure to comply with the penalty will result in a fine. In October of last year, CPPA announced 'a public investigative sweep of data broker registration compliance under the Delete Act.' Businesses operating as data brokers in 2024 had until January 31, 2025 to register. CPPA also brought enforcement action against Jerico Pictures d.b.a National Public Data for failing to register in a timely manner last year.

On Wednesday, February 26, 2025, Mozilla announced new terms of use (TOU) for the Firefox web browser, effective February 28, which elicited criticism from users over a now-modified clause perhaps implying Mozilla owns users' data: "When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox." However, the company has since amended the text to specify the TOU "does not give Mozilla any ownership" in users' content, maintaining the same license "for the purpose of doing as [users] request" with input data. All former explicit promises to never sell user data, and to protect users from advertisers who do, have been removed from the browser's FAQ. Ajit Varma, Mozilla's VP of Product, states that the company can no longer make definitive statements due to certain local legal definitions of "sale," such as in the California Consumer Privacy Act (CCPA). Mozilla states "data that we share with our partners (which we need to do to make Firefox commercially viable) is stripped of any identifying information, or shared only in the aggregate, or is put through our privacy preserving technologies."

Amnesty International has uncovered evidence that a zero-day exploit sold by Cellebrite has been used to spy on an activist in Serbia. Amnesty's 'technical blog post provides a detailed analysis of how the Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite.' In a December 2024 report, Amnesty 'documented widespread misuse of Cellebrite's technology by Serbian authorities.' In response, Cellebrite announced on February 25, 'We found it appropriate to stop the use of our products by the relevant customers at this time.'

A report from the US Multi-State Information Sharing and Analysis Center (MS-ISAC) describes the threats facing US state, local, tribal, and territorial (SLTT) governments in defending the country's critical infrastructure. The report urges SLTT to adopt a 'whole-of-state' cybersecurity practice to protect the country's critical infrastructure. The report notes that 'Adversaries attack SLTT organizations through cyber, physical, and foreign malign influence operations to reap financial rewards, disrupt operations, sow discord, and erode public trust,Ó and lists priorities and critical services for the future, including 'enhanc[ing] resilience of critical infrastructure through consolidated and coordinated information sharing; build[ing] trust in public institutions through communication, public engagement, and transparency; strengthen[ing] overall security with targeted resources and scalable solutions for small and rural communities; mitigat[ing] insider threats to reduce risk and enhance trust; and invest[ing] in drivers of workforce productivity, development, recruitment, and retention to address talent shortages.'

The Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity flaws to the Known Exploited Vulnerabilities (KEV) catalog, one affecting Windows systems and the other affecting Cisco routers. CVE-2018-8639, CVSS score 7.8, allows an attacker logged on to a Windows system to run arbitrary code in kernel mode by exploiting the Win32k component's failure to properly handle objects in memory, leading to privilege elevation; this affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, and Windows 10 Servers. CVE-2023-20118, CVSS score 7.2, allows a remote attacker with administrative credentials to gain root-level privileges, access data, and execute arbitrary commands on Cisco routers by exploiting improper validation of user input within incoming HTTP packets, using a crafted HTTP request to the web-based management interface; this affects Cisco Small Business Router models RV016, RV042, RV042G, RV082, RV320, and RV325. Cisco's advisory recommends device migration, stating that they have not and will not release updates to address the flaw, and there are no workarounds. CISA has not provided details on the known exploitation of either flaw.

The CERT Coordination Center at Carnegie Mellon University has published a vulnerability note describing five memory vulnerabilities in Paragon Partition Manager's BioNTdrv.sys driver. At least one of the vulnerabilities is being actively exploited. The flaws affect versions older than 2.0.0. The vulnerabilities could be exploited to gain elevated privileges or create denial-of-service conditions. Additionally, 'an attacker can leverage a Bring Your Own Vulnerable Driver (BYOVD) technique to exploit systems even if Paragon Partition Manager is not installed.' Users are urged to ensure that they are running the most current version of BioNTdrv.sys driver.

After detecting anomalous activity on a server containing log files, the Rubrik Security team discovered than an intruder accessed an undisclosed number those files. Rubrik writes that 'Out of an abundance of caution, we have rotated keys to mitigate any residual risk.' Rubrik is a cybersecurity company that offers data protection, data threat analytics, data security posture services, and recovery.

Anne Arundel County in Maryland is still struggling to recover from a ransomware attack that infected the county's systems more than a week ago. Palau's Health Ministry has recovered from a ransomware attack launched by a cyberthreat actor group known as Qilin. The same group has claimed responsibility for attacks on an oncology hospital in Japan and on US media company Lee Enterprises.