TechLetters #146 - ICRC hacktivist rules and wut-compliance; major Linux vulnerability; deepfakes in Slovakia elections; Network traffic privacy improvement with Encrypted Client Hello
Édito
International Committee of the Red Cross proposed rules for hacktivists/States(?). According to the rules:
1. Do not direct cyber-attacks against civilian objects
2. Do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately
3. When planning a cyber-attack against a military objective, do everything feasible to avoid or minimise the effects your operation may have on civilians
4. Do not conduct any cyber-operation against medical and humanitarian facilities
5. Do not conduct any cyber-attack against objects indispensable to the survival of the population or that can release dangerous forces
6. Do not make threats of violence to spread terror among the civilian population
7. Do not incite violations of international humanitarian law
8. Comply with these rules even if the enemy does not
BBC asked some politically-involved “groups” what they think of it. They apparently didn't have much to say, at least initially. However, amusingly, not long afterwards the two groups (Russian, Ukrainian) responsible for basic-cyber-events vowed to comply with the rules. That could obviously be read as a success of the ICRC action. Except for the small detail that treating a vow by two groups of this kind as a meaningful metric, that is, actors likely incapable of (or not aiming for, which for the needs of this analysis makes no difference) conducting activities in line with those on the ICRC list (at least points 1, 2, 3, and the impactful 4), would be an improper analysis. Why? Because the threshold of the term ‘attack’ is not the same as that of the term ‘cyberattack’, which is used widely. And I’ll cite my book here:
And this: “For the most part, the cyberattacks we hear about are not attacks in such a strict sense”. In other words, interpreting such vows would necessitate adopting a specific, strict terminology. This may be highly counter-intuitive for laypeople not proficient in such intricacies - and so, prone to mistakes. It so happens that such an interpretation of the term attack (that is, not the laypeople understanding, but proper international law rigour) does not relate to the activities typically understood as within the reach of hacktivists. In particular, those made by hacktivists in that conflict (perhaps except for points 6, 7, 8). In fact, hacktivists rarely (or never) have such capabilities (that’s also why they are called hacktivists). So why did those groups announce compliance, then? The explanation is likely quite simple but I leave it as an exercise for the reader (hint: the answer is not far away).
Still, there’s another problem with these 8 rules. It isn’t clear to what exact degree they are… based on international humanitarian law? Take point (4) for example. It would prohibit any activity (“operation”, not an “attack” - some preceding points consider “attacks”, while operations may be defensive, reconnaissance, etc.) against systems such as hospitals. But the problem is that the universally accepted interpretation of International Humanitarian Law requires knowing the details of the potentially targeted systems - this may be done through e.g. reconnaissance/intelligence, so an operation. Prohibiting it would require - what? - sending a human to do this? Is this sustainable, or realistic? Another point of concern is that those rules would apply during wartime. So it would then seem that… there’s more protection/prohibitions than during… peacetime? Quite a paradox.
Security
EVERY (well, almost) Linux distribution has a major local root privilege escalation vulnerability. Exploitable. How fun. "exploitation works against almost all of the SUID-root programs that are installed by default".
Red Cross emblem misused in cyberattacks. Malware spread using the Red Cross blood donation pretext. The misuse of such an emblem is illegal in itself. But also: "a targeted cyberattack against people related to the Red Cross". So the operation is explicitly targeting Red Cross people, too. Not good. During armed conflicts, such an abuse could even amount to war crimes.
Targeting jobseekers. Employees tend to be open to new opportunities. Cyber operators take advantage of this. They send “files” to “candidates”. Upon opening, the user is hacked. Data is stolen (of the existing employer?). The payload can only be decrypted on the victim’s machine! While the precise targeting limits the risk to any bystanders, any employee seeking work may still be at risk if it’s normalized that employees run custom programs.
Google rolling out post-quantum cryptography. In internal systems.
Post-quantum algorithms broken, again. Nice cryptanalysis of post-quantum encryption protocols. Of additional note: “possible to backdoor M-SIDH and FESTA by choosing system parameters that look inconspicuous”. Caution advised when rolling out new types of cryptography in sensitive applications.
Top Ten Cybersecurity misconfigurations according to NSA. The list:
Default configurations of software and applications
Improper separation of user/administrator privilege
Insufficient internal network monitoring
Lack of network segmentation
Poor patch management
Bypass of system access controls
Weak or misconfigured multifactor authentication (MFA) methods
Insufficient access control lists (ACLs) on network shares and services
Poor credential hygiene
Unrestricted code execution
Deepfake used in Slovak elections. A phone conversation between a politician and a well-known journalist is assessed as heavily manipulated; it purported that the elections were rigged.
Privacy
Fixing network traffic monitoring. One currently critical solution is Encrypted Client Hello. A large-scale change hiding the website name during HTTPS connection setup. Improves privacy, and finally fills a hole that allowed traffic monitoring and discovery of the websites a user’s browser visits at the network level. I spent a lot of my research work studying the risks of web browsing history leaks. I’m happy to say that after more than 20 years, the issue is now near to being fixed. The feature is in Chrome and Firefox.
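To make concrete what a network-level observer could read before ECH and what remains visible with it, here is an added example (not code from the newsletter or from any browser project): a minimal TLS ClientHello builder plus a parser that reports the hostname visible in the clear and whether an encrypted_client_hello extension is present. The ClientHello bytes are constructed inline for the demo, and the ECH extension codepoint 0xfe0d is an assumption taken from the draft-ietf-tls-esni series; with ECH the outer server_name only carries the public name from the server's ECHConfig, while the real destination sits in the encrypted inner ClientHello.

```python
"""Report what a passive observer can read from a TLS ClientHello.

Added example, not part of the original newsletter. Assumes the ECH
extension codepoint 0xfe0d (draft-ietf-tls-esni); the ClientHello
bytes below are constructed for the demo.
"""
import struct
from typing import Dict, Optional, Tuple

SNI_EXT = 0x0000   # server_name extension (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello (assumed draft codepoint)


def build_client_hello(server_name: Optional[str],
                       ech_payload: Optional[bytes] = None) -> bytes:
    """Build a minimal ClientHello handshake body: one cipher suite,
    null compression, optional server_name and ECH extensions."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    if ech_payload is not None:
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    return (
        b"\x03\x03"                              # legacy_version
        + bytes(32)                              # random (zeroed for the demo)
        + b"\x00"                                # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression_methods: null
        + struct.pack("!H", len(exts)) + exts    # extensions block
    )


def parse_extensions(client_hello: bytes) -> Dict[int, bytes]:
    """Skip the fixed-layout fields and return {extension_type: data}."""
    pos = 2 + 32                                  # version + random
    pos += 1 + client_hello[pos]                  # session id
    (cs_len,) = struct.unpack("!H", client_hello[pos:pos + 2])
    pos += 2 + cs_len                             # cipher suites
    pos += 1 + client_hello[pos]                  # compression methods
    (total,) = struct.unpack("!H", client_hello[pos:pos + 2])
    pos += 2
    end = pos + total
    if end > len(client_hello):
        raise ValueError("truncated extensions block")
    exts: Dict[int, bytes] = {}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", client_hello[pos:pos + 4])
        pos += 4
        exts[ext_type] = client_hello[pos:pos + ext_len]
        pos += ext_len
    return exts


def plaintext_sni(ext_data: bytes) -> Optional[str]:
    """Extract the host_name entry from a server_name extension body."""
    (list_len,) = struct.unpack("!H", ext_data[:2])
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = ext_data[pos]
        (name_len,) = struct.unpack("!H", ext_data[pos + 1:pos + 3])
        pos += 3
        if name_type == 0:
            return ext_data[pos:pos + name_len].decode("idna")
        pos += name_len
    return None


def observer_view(client_hello: bytes) -> Tuple[Optional[str], bool]:
    """(hostname readable on the wire, ECH extension present).
    With ECH the readable name is only the ECHConfig public name."""
    exts = parse_extensions(client_hello)
    name = plaintext_sni(exts[SNI_EXT]) if SNI_EXT in exts else None
    return name, ECH_EXT in exts


if __name__ == "__main__":
    legacy = build_client_hello("secret-site.example")
    with_ech = build_client_hello("public-name.example", ech_payload=bytes(16))
    print(observer_view(legacy))    # ('secret-site.example', False)
    print(observer_view(with_ech))  # ('public-name.example', True)
```

The same parser, pointed at real captured ClientHello bodies, gives a defender a quick inventory of which clients on a network still leak destinations in the clear and which already negotiate ECH; the ECH payload here is an opaque placeholder, since decrypting the inner ClientHello requires the server's private ECH key and is exactly what the observer cannot do.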
Privacy analysis of Topics API. "we find that the Topics API mitigates but cannot prevent re-identification to take place, as there is a sizeable chance that a user’s profile is unique within a website’s audience. Consequently, the probability of correct re-identification can reach 15 − 17%”.
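The re-identification risk quoted above rests on one precondition: a user's set of exposed topics being unique within a site's audience. The following added toy model (not the cited paper's code or methodology) draws topic sets for a constructed audience from a skewed popularity curve and measures how the fraction of unique profiles grows as a site accumulates more topics per user. The taxonomy size and the Zipf-like weights are assumptions chosen for illustration, not values from the paper.

```python
"""Toy model of topic-profile uniqueness within a site's audience.

Added example, not the cited paper's code. Audience, taxonomy size and
topic popularity are constructed here with a fixed-seed RNG.
"""
import random
from collections import Counter
from typing import Dict, List, Tuple

Profile = Tuple[int, ...]


def unique_profile_fraction(profiles: List[Profile]) -> float:
    """Fraction of users whose exposed topic set matches no other user's."""
    if not profiles:
        return 0.0
    counts = Counter(profiles)
    return sum(1 for p in profiles if counts[p] == 1) / len(profiles)


def simulate_audience(n_users: int, n_topics: int, topics_per_user: int,
                      seed: int = 0) -> List[Profile]:
    """Give each user `topics_per_user` distinct topics drawn from a
    Zipf-like popularity curve (assumed), so a few topics are common and
    the rare ones make combinations distinctive."""
    rng = random.Random(seed)
    topics = list(range(n_topics))
    weights = [1.0 / (rank + 1) for rank in topics]
    profiles: List[Profile] = []
    for _ in range(n_users):
        chosen = set()
        while len(chosen) < topics_per_user:
            chosen.add(rng.choices(topics, weights=weights, k=1)[0])
        profiles.append(tuple(sorted(chosen)))
    return profiles


def uniqueness_by_profile_size(n_users: int, n_topics: int,
                               sizes: Tuple[int, ...]) -> Dict[int, float]:
    """Uniqueness fraction for each profile size, e.g. as a site observes a
    user across several weekly epochs and sees more topics per user."""
    return {k: unique_profile_fraction(simulate_audience(n_users, n_topics, k, seed=k))
            for k in sizes}


if __name__ == "__main__":
    # assumed: ~350-topic taxonomy, a 5000-user site audience
    for k, frac in uniqueness_by_profile_size(5000, 350, (1, 3, 5, 10)).items():
        print(f"{k:2d} topics exposed -> {frac:.1%} of users unique in this audience")
```

Uniqueness is the ceiling, not the attack: a site still needs an independent identifier (a login, a fingerprint) on one visit to tie a unique profile back to a person, which is why the paper reports a mitigated but non-zero re-identification probability rather than a certainty.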
Meta to give users in the EU a choice. Display ads or pay a $14 monthly fee for Instagram. Or $17 for Facebook and Instagram. TikTok is testing a similar system.
Technology Policy
European Commission announced CRITICAL TECHNOLOGIES. Advanced Semiconductor technologies (microelectronics, photonics, high frequency chips, semiconductor manufacturing equipment); Artificial Intelligence technologies (high performance computing, cloud and edge computing, data analytics, computer vision, language processing, object recognition); Quantum technologies (quantum computing, quantum cryptography, quantum communications, quantum sensing and radar); Biotechnologies. Unclear why quantum cryptography/quantum communications are listed as "critical". Future-relevant, sure. But is it really “critical”? It is a niche. Recommendations of other tech follow, some seem to be more important.
US court prohibits US Government communication with social media companies concerning content moderation. It applies to the US president administration, the Surgeon General, the CDC, the FBI, and CISA (cybersecurity agency). It’s about communications with social media companies about content related to Covid-19 and elections that the government views as misinformation.
Regulating autonomous weapons systems. United Nations Secretary General and International Committee of the Red Cross chief call on States to create binding treaty/rules regulating the uses of autonomous weapons systems ("AI", but actually beyond that). "have the potential to significantly change the way wars are fought and contribute to global instability and heightened international tensions"
Other
Meta/Facebook uses users' Facebook posts and Instagram photos to train their AI models. They have it all for free. Furthermore, soon they will want users to pay a fee for using Facebook/Instagram.
Microsoft to release an AI chip. Next month. Will it cut the cost of Nvidia chip purchases?