TechLetters #103 - Ransomware hits hospitals; Google terminated U.S. information operation; Cyber operation ‘hold-at-risk’ strategy; Is digitisation of the Red Cross emblem a risk?
Permissions Policy is a very useful security/privacy feature. It allows granular or global disabling of access to sensitive web browser features, for example disabling the triggering of full screen or geolocation. Helps with technology development, but it may also help with data protection compliance. Useful in a standard privacy engineering checklist. My analysis here.
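As an added example (not from this newsletter or the linked analysis): a small JavaScript audit that parses a `Permissions-Policy` response header and reports, checklist-style, which sensitive features are disabled. The feature list, function names and sample header are assumptions constructed for illustration.

```javascript
// Added example: audit a Permissions-Policy header for a privacy checklist.
// SENSITIVE and the sample header are constructed, not taken from the page.
const SENSITIVE = ["geolocation", "camera", "microphone", "fullscreen"];

// Split on commas that sit outside parentheses and quotes.
function splitDirectives(header) {
  const parts = [];
  let depth = 0, inQuote = false, cur = "";
  for (const ch of header) {
    if (ch === '"') inQuote = !inQuote;
    else if (!inQuote && ch === "(") depth++;
    else if (!inQuote && ch === ")") depth--;
    if (ch === "," && depth === 0 && !inQuote) { parts.push(cur); cur = ""; }
    else cur += ch;
  }
  if (cur.trim()) parts.push(cur);
  return parts;
}

// Map of feature -> allowlist tokens; an empty array means "disabled everywhere".
function parsePermissionsPolicy(header) {
  const policy = new Map();
  for (const part of splitDirectives(header)) {
    const eq = part.indexOf("=");
    if (eq < 0) continue; // not a feature=allowlist pair
    const feature = part.slice(0, eq).trim().toLowerCase();
    const raw = part.slice(eq + 1).trim().replace(/^\(|\)$/g, "");
    policy.set(feature, raw.split(/\s+/).filter(Boolean));
  }
  return policy;
}

// Classify each feature: "disabled", "restricted", "all-origins" or "not-set".
function auditPolicy(header, features = SENSITIVE) {
  const policy = parsePermissionsPolicy(header || "");
  const report = {};
  for (const f of features) {
    if (!policy.has(f)) report[f] = "not-set"; // browser default allowlist applies
    else if (policy.get(f).length === 0) report[f] = "disabled";
    else if (policy.get(f).includes("*")) report[f] = "all-origins";
    else report[f] = "restricted";
  }
  return report;
}

const sample = 'geolocation=(), fullscreen=(self), camera=(self "https://example.com"), microphone=*';
console.log(auditPolicy(sample));
```

A feature reported as "not-set" is the checklist gap: the header says nothing about it, so the browser's default allowlist for that feature stays in force.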
Oh and by the way, my Mastodon is here.
Security
Excellent Microsoft Threat Landscape 2022 report. However, one reservation: they apparently call what’s happening in Ukraine a ‘hybrid war’, for some reason. This is unfortunate. That’s not the case. What’s happening in Ukraine is plain old war. (r)
Ransomware hit a communication platform used by Australia's army. Possible data leakage of 40,000 military personnel? The actual defence systems are not touched. It is an external system.
Google terminated US information operation. Takedown of YouTube channels, Ads accounts, Blogger blogs, blocked domains from Google News. Coordinated influence operations linked to the US, sharing content in English, Arabic, Persian, and Russian that was promoting U.S. foreign affairs.
Critical security bugs in some versions of (important) OpenSSL. Affected servers must be updated to 3.0.7. Code can be executed. Initial comments by some knowledgeable folks are that the sky is not falling. But this thing is important for internet security. One fix demonstrated here. List of vulnerable software. Proof of concept that may crash the server.
Another hospital hit with a cyberattack suspends operation. Osaka General Medical Center. Impact: 865 beds, 1000 patients affected, nearly impossible to check details of the patients’ medical histories. Cyberattack on a major hospital in Poland. As often happens in such situations, diagnostics is hit (radiology/tomography, etc.) - treatments cancelled. "prescriptions and referrals are written on paper"
Hacking a quantum computer. Quantum computers are increasingly available via (traditional) cloud setups (IBM/Amazon/Microsoft/etc): Quantum Computing as a Service. This introduces risk and attack surface. One solution to such quantum information leaks in Quantum Computing as a Service is resetting the state of quantum registers between various program executions. It turns out that the current quantum computers, like those in IBM Q cloud, are vulnerable. IBM Q is demonstrably found to be vulnerable to information leaks. Therefore, quantum computers already are getting hacked. Of course security is not the priority of the current infrastructure, which cannot yet deliver usable computations. But this is still interesting. It’s also about what architecture is being designed for the future.
Countries are acquiring cyber capabilities which can ‘hold-at-risk’ the networks other countries rely on. ‘To ‘hold-at-risk’ is to demonstrate the capability to overcome the defences of another country, to undermine confidence’.
50-year-old paper about the need to build security into design. This paper is from ... 1972. Foundational work about cybersecurity. The need to build security into the design of the system. "The approach to obtaining a secure system involves first defining what threats the system is to be secure against, and then defining a conceptual design that can be shown to provide the required protection.". 50-year-old work. And I still remember the confused faces of some people when I was saying that privacy should be built "by design".
Privacy
An overview of four privacy enhancing technologies. Here.
TikTok data can be inspected in China. “allow certain employees within our corporate group located in Brazil, Canada, China, Israel, Japan, Malaysia, Philippines, Singapore, South Korea, and the United States remote access to TikTok European user data”. New privacy policy. New policy here
Technology Policy
One man has control over Ukraine’s battlefield communication infrastructure/advantage. Like it or not.
“Digital protection” emblem considered by International Committee of the Red Cross. To mark some IT systems as protected, so to be skipped/avoided when conducting cyber operations/attacks. It's not meant as 'a replacement' for technical protections (cybersecurity), of course. That would need (perhaps) some legal changes, like a new Protocol additional to the Geneva Conventions to come. This is not really a precedent. Distinctive signals are already defined for other forms: flashing blue lights (for airplanes), radio signals, also electronic. So could it be useful also in digital/computing settings? Would malware realistically skip such targets? Example case: "... the commander directs programmers to review procedures and program cyber capabilities with a view to ensuring that no harm comes to systems marked by a ‘digital emblem’.". Meaning: it’s only for identification, not protection. Obviously, marking a system with an emblem would not be a cybersecurity measure. As for the misuse - in fact, misusing the emblem would be a war crime. Now, what may be the risks of marking an infrastructure with an emblem? Could they be specially targeted due to that marking in itself (i.e. malware targeting them specifically)? Would cyber operators even want to use this information if it would/could disclose their activities when so doing? Probably not. So it must be ‘invisible’. Considered solutions: special file, DNS, IP address, certificates. It sounds like no approach seems to be proper. Lastly, there remains also a big challenge: how to define it? Technologies change. With light, radio, electronic - it is written in the treaty, set in stone. With a digital signal, it would have to remain quite open. This is not how Geneva Conventions worked. The need of pluggability...? Is it even possible? Let’s wait and see.
Other
Drones play a key role in the war in Ukraine. Both sides use large numbers of them for intelligence gathering, corrections for artillery fires, and bombardment. Lots of them needed (duration of life is short).
Job cuts and freezes at tech firms. Well…