TechLetters #107 - Probabilistic user tracking/ad matching abused. #GDPR boosting security by design of password. Remote code execution in bluetooth and ping. Cyberattacks and missile strikes.
Security
GDPR fine for bad password practices. The French data protection authority (CNIL) fines Electricite de France, France's largest electricity provider, €600,000. Passwords hashed without a 128-bit random "salt" and the use of MD5 were identified as a violation of GDPR article 32, which concerns the security of data processing. It’s of course only a partial reason behind such a fine. But it is nonetheless an interesting precedent explaining what the legal password security requirements are in 2022. Some may wonder: is the use of MD5 or unsalted hashes at other companies an infringement? Yes, it is. The tricky part: should such practices now be reported “within 72 hours” of identifying such a data protection breach? And additionally: if this was used between 2018 (GDPR enters into force) and, say, 2021, is that period still territory for a GDPR fine? Good luck deciphering it! Who knows, perhaps it’s worth €20.000.000?
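To make the article 32 point concrete, here is an added example (not from the CNIL decision or from EDF) contrasting the practice that was sanctioned, unsalted MD5, with per-user 128-bit random salts and a slow key-derivation function. PBKDF2-SHA256 and the `algorithm$iterations$salt$digest` storage format are assumptions chosen for illustration; the small audit helper that flags hashes shaped like bare MD5 is also mine.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16            # 128-bit random salt per user (the minimum the decision refers to)
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_md5(password: str) -> str:
    """The sanctioned practice: unsalted MD5.

    Identical passwords produce identical digests, so one precomputed table
    (or one cracked hash) reveals every user who chose that password.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh random salt is drawn for every call."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    # Self-describing record so the parameters can be raised later without a migration flag day.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_unsalted_md5_shape(stored: str) -> bool:
    """Audit heuristic for a credential store: a bare 32-hex-char string with no
    algorithm tag or salt field is the shape of unsalted MD5 (or another 128-bit digest)."""
    if "$" in stored or len(stored) != 32:
        return False
    return all(c in "0123456789abcdef" for c in stored.lower())


if __name__ == "__main__":
    # Constructed sample records: two users who picked the same password.
    weak_store = {"alice": legacy_md5("password"), "bob": legacy_md5("password")}
    strong_store = {"alice": hash_password("password"), "bob": hash_password("password")}
    print("unsalted MD5 collides across users:", weak_store["alice"] == weak_store["bob"])
    print("salted hashes differ across users:", strong_store["alice"] != strong_store["bob"])
    print("records flagged by audit:", [u for u, h in weak_store.items() if is_unsalted_md5_shape(h)])
```

The audit helper is only a shape check: it will also flag any other bare 128-bit hex digest, which is exactly the kind of record a reviewer would want to look at anyway.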
Remote code execution in Linux kernel in Bluetooth stack. Since version 3.16.0 (2013). Does not sound like great news for Android devices, dishwashers, washing machines, and so on. Potential to exploit in the wild now unclear.
Remote code execution in ping. "The memory safety bugs described above can be triggered by a remote host". In FreeBSD.
Albania to prosecute people for (falling victim to the) “Iranian cyberattack”. So, they "asked for house arrest of five public employees they blame for not protecting the country from a cyberattack by alleged Iranian hackers", as they allegedly "failed to check the security of the system", and are now "accused of 'abuse of post,'", apparently facing 7 years of prison. Wait, do they really intend to hold officials responsible...? Interesting development, and it puts the early bizarre leaks that Albania would want to call for NATO article 5/self-defence in a new light.
France transmitted its first-ever diplomatic telegram (Paris-US) encrypted with post-quantum cryptography. The Ministry of Foreign Affairs and the president hype it. But... Why would that be ground-breaking? Answer: it isn't. Quite a minor change. Their announcement also says that “computer will soon be able to break the cryptography algorithms used today”, which (the “soon” part) is not at all certain today.
Russia is coordinating missile strikes with cyberattacks. Cyberattacks are now extended to NATO (Poland got hit). Russian propaganda seeks to amplify the intensity of popular dissent over energy and inflation across Europe. “IRIDIUM almost certainly collected intelligence on supply routes and logistics operations that could facilitate future attacks”. It seems that Microsoft AGAIN calls the Ukraine war a 'hybrid war'. That is unfortunate, as it is not the case! Either this is a systematic error in their reports, or they do it on purpose for some reason?
Officials on the island of Vanuatu continue using typewriters, pen and paper. Ransomware effectively paralyzed public services. You can trust a typewriter. Similar things tend to happen in other places, like in Suffolk County, US, recently. It just happens, such is life?
Privacy
€265 million GDPR fine for Facebook. For failing to prevent scraping, the collection of data made available by users. An Article 25 breach (data protection by design) was invoked. That decision might be controversial, because the data was basically... made available. Unless an API abuse/misuse was the case. Then indeed, can a big service provider not curtail simple scraping to build big datasets? Meta/Facebook said in 2021:
One particular scraping technique that we have worked hard to combat is known as “phone number enumeration.” This involves using automated tools at scale to retrieve information about people based on their phone numbers.
Before a set of improvements we made in September 2019, scrapers found ways to abuse various contact discovery features we had which were designed to allow people to find and connect with their contacts on Facebook.
Anyway, more (high-value) GDPR fines to come this week?
Probabilistic ad matching considered harmful and with a significant abuse potential? As web browsers increasingly phase out third-party cookies, the question is whether first-party cookies might become abused in ways that further erode user privacy. There are some attempts to detect and defend against such tracking. "We found evidence of widespread abuse of first-party cookies on more than 93% of the tested websites by 1500+ distinct tracking domains".
Technology Policy
U.S. FCC bans the import of certain Chinese-made radio-equipped products. Like telecommunications equipment made by ZTE, video cameras, etc. Hard to imagine anyone expecting, in peacetime, a vendor to suddenly release a malicious software update with e.g. disruptive elements.