TechLetters #102 - Hacking biological laboratories to risk the escape of deadly pathogens. 22-year-old bug in SQLite. War hotlines. Missile strikes vs satellites to be legitimised?
Security
Hacking biolabs. “Negative Pressure Room is a technical-legal-sanity requirement for biolabs or infectious-control hospitals to prevent pathogens being leaked out”. Now an attack is demonstrated to fool the sensors into turning it off ... with specially crafted sound. Very interesting security engineering research. Very impactful. "attacker can play the malicious music using public radios. If individuals place their radio near a pressure port, ... a good chance that the attack will be effective ... intentional leak of deadly microbes from NPRs may result in bioterrorism". The attack is tested on a real-world negative-pressure room in an actual biolab — it did work...
Can it be weaponised in an actual cyber operation? In this context, I must add that in the ICRC report on humanitarian consequences of cyber operations we did consider a risk of cyberattacks on virus labs... Such a cyber operation would amount to a potential use of a biological or a chemical attack. As such it would be illegal considering binding international law.
22-year-old exploitable security bug in SQLite. "SQLite is used in nearly everything, from naval warships to smartphones to other programming languages ... this bug may be difficult to reach in deployed applications". Difficult to exploit but when it’s possible, then it’s possible.
Cybersecurity in the UN. The West (USA & Co) wants to continue discussing cybersecurity in an expert group of the United Nations and to establish a Program of Action. There's also an East (Russia, China & Co) proposal, about some similar stuff (continue talks).
Europe's biggest copper smelter targeted as part of a wider cyberattack on the metals and mining industry. Shares down by 4%.
Privacy
Data can be processed to fix software/system bugs. Critically important decision by the European Court of Justice about GDPR precision. Data can be processed to fix software/system bugs! Caveat: only for the duration of testing/fixing the issues. Judgment relevant for EVERY developer/DevOps/security engineer/programmer/CTO, etc. In the relevant case, a Hungarian company created a test database with customer data. The question was whether “purpose limitation” precluded such uses. It did not, since the original data collection/storage purpose is compatible with fixing issues.
Signal to introduce usernames/nicknames and telephone number hiding? “It lays the groundwork for the introduction of usernames and phone number privacy which will offer new privacy controls around your phone number’s visibility on Signal … In order to support phone number privacy, we need to expand the contact discovery database”
Other
On the need for communication during times of conflict. About US-Russia communication channels (military/decision-makers), to decrease the risk of miscalculation.
Missile strikes vs communication satellites? A Russian official at the United Nations said that "Western commercial satellites could become 'legitimate targets' [for strikes] if they were involved in the war in Ukraine". This may be read as referring either to military (surveillance) satellites or to communication ones (Starlink). And that is unprecedented. No country has ever threatened such a move.