TechLetters #120 - ChatGPT data breach. Windows hacking via ICMP. GitHub RSA keys leak. Propaganda claiming that industrial systems are hacked (not). Correcting misinformation is difficult.
Security
Windows Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability. "attacker could send a low-level protocol error containing a fragmented IP packet inside another ICMP packet in its header to the target machine". Quite critical.
UK devises a cyber resilience & cybersecurity strategy for national healthcare NHS. Impressive diagnosis & plan. Probably the first such comprehensive cybersecurity strategy for healthcare in the world. Built on real case studies. It will be made concrete later on. One potential weakness of the strategy seems to be not accounting for legacy systems/software, including cybersecurity of medical devices or forensic capability. Perhaps this level of detail may be defined later on.
GitHub RSA SSH private key leaked. "GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository". Happens… Wait, what?
Threat groups are interested in hacking industrial control systems. Well, that’s what they claim. Being interested does not mean being capable. What's claimed unilaterally is not necessarily true. So be careful. It may be overstated, or an information operation or propaganda. Just because someone said something doesn't mean it's true. "In most cases, claims are exaggerated or unsubstantiated. The number of false claims is at times challenging to debunk". It works as follows: 1) create a technically credible message/story, 2) spread it in various places such as social media, 3) some previous 'credibility' helps, and it does not need to be in hacking industrial systems, 4) try to get the media interested; some will take the bait, maybe? https://www.mandiant.com/resources/blog/hacktivists-targeting-ot-systems
Privacy
ChatGPT data breach. Users were able to see the titles of other users' conversations. "allowed some users to see titles from another active user’s chat history. It’s also possible that the first message of a newly-created conversation was visible in someone else’s chat history". Payment information also leaked for some fraction of users. AI or not, cybersecurity and privacy are still important.
Technology Policy
Other
Correction of misinformation is very difficult. People turn out to be quite resistant to changing their opinions. Furthermore, people believe that they themselves wouldn't buy into disinformation/propaganda. They consider the problem to be that "the others" (other people), rather than them, believe misinformation. You see, it is those "others" that are naive. Dr Goebbels approves.