TechLetters #16
Welcome to the 16th letter
Editorial
Short story. That feeling when you see large-scale data leaks, abuses and misuses, some of them targeting one particular type of web browser? Well, that feeling is summarised here.
Security
Grants leak. A Dutch institution that grants scientific funding got hacked by DoppelPaymer. Data was stolen, and the cybercriminals are publishing internal data, such as scientific grant applications. A very puzzling form of transparency.
French cyber. The new French cybersecurity strategy views certain cyberattacks as preparing the ground for future conflicts (the language certainly sounds war-like). France will allocate €720M to improve the landscape. This is apparently an update of a 2015 strategy, the results of which are summarised nowhere.
New ransomware. “Babuk ransomware is a new ransomware threat discovered in 2021 that attacked at least five big enterprises, with one already paying the criminals $85,000 after negotiations … adopted the same strategies as other ransomware groups and has leaked the stolen data.” Interesting detail: the malware operators apparently promise not to attack hospitals, “except plastic surgery clinics and private dental clinics”. A white-list approach. But other infrastructure critical for the survival of civilian populations is not listed. Link.
“Legitimate” software backdoors? “The vulnerability lies in the fact that Studio 5000 Logix Designer software may allow a secret cryptographic key to be discovered. This key is used to verify communication between Rockwell Logix controllers and their engineering stations. If successfully exploited, this vulnerability could allow a remote, unauthenticated attacker to bypass this verification mechanism and connect to Logix controllers.” This is a grave security vulnerability that allows the hacking of industrial installations. A key that ships inside the engineering software is not a secret: anyone who extracts it can impersonate a legitimate engineering station, so the “verification” it provides amounts to no authentication at all. “Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to bypass the verification mechanism and connect with Logix controllers. Additionally, this vulnerability could enable an unauthorized third-party tool to alter the controller’s configuration and/or application code.” And: an “unauthenticated attacker could bypass this verification mechanism and authenticate with Logix controllers”.
Privacy
CNAME of the game. In our latest research paper, we (myself + the KU Leuven team) show that a lesser-known web tracking method bypasses many anti-tracking measures and leads to broad data leaks (and security vulnerabilities). My description highlighting the security, privacy, and regulatory risks is here. The paper, accepted to the Privacy Enhancing Technologies Symposium 2021, is here. I’m very happy with this work, which greatly complements my observations from 2014.
The use of CNAME cloaking introduces web security bugs that let websites compromise unsuspecting users. Websites could misuse these bugs to compromise the security of web users, systematically. In the case of a few trackers it is a systemic issue.
The use of the CNAME cloaking technique leads to massive cookie leaks. On 95% of the websites using this technique, we found cookies leaking to external tracker servers in an unsanctioned manner, invisible to the user. In some cases, we confirm that the leaked cookies contain private/sensitive data. All of this likely violates data protection regimes such as the GDPR, or maybe even the CCPA.
We report that this tracking technique is prevalent on popular websites. We find it on 9.98% of the top 10,000 websites. The use of this method is rising (up 21% over the past 22 months). We detect 13 providers of such tracking “services” on 10,474 websites. The scheme leads to data leaks on 95% of the websites employing it. Such data leaks sometimes involve unambiguously private data. GDPR alert lights should be flashing red.
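The mechanism behind the cookie leak is simple: a site points one of its own subdomains (say metrics.example.com) at a tracker’s host via a DNS CNAME record. To the browser the request still goes to a first-party subdomain, so every cookie scoped to the parent domain (Domain=.example.com) is attached to it, and the tracker receives them. Below is an added example, not code from the paper or from any tracker, of the check a site owner or auditor can run offline: follow the CNAME chain of every first-party host a page loads from, flag the ones that end up under a different registrable domain, and list which cookies in the jar a browser would send there. All DNS records, hostnames and cookies are constructed for the example, and the eTLD+1 computation is a deliberate simplification (real tooling must use the Public Suffix List).

```python
"""Find first-party subdomains that are CNAME-cloaked trackers and the cookies that leak to them."""
from dataclasses import dataclass

# Constructed DNS data for the example (not real records): one first-party subdomain
# that aliases a fictional tracker over two hops, and one alias that stays in-house.
CNAME_RECORDS = {
    "metrics.example.com": "ingest.tracker-cdn.example.net",
    "ingest.tracker-cdn.example.net": "edge7.tracker-cdn.example.net",
    "static.example.com": "cdn.example.com",
}


@dataclass
class Cookie:
    name: str
    domain: str       # Domain attribute, or the setting host when host-only
    host_only: bool   # True when set without a Domain attribute


def registrable_domain(host: str) -> str:
    """eTLD+1 approximation: the last two DNS labels.
    Simplification for the example; 'co.uk' and friends need the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def resolve_cname(host: str, records: dict, max_hops: int = 8) -> list:
    """Follow CNAME records from host and return the full chain, including the start.
    Stops on a loop or after max_hops so a hostile zone cannot spin us forever."""
    chain = [host]
    while host in records and len(chain) < max_hops:
        host = records[host]
        if host in chain:
            break  # CNAME loop
        chain.append(host)
    return chain


def cookie_sent_to(cookie: Cookie, host: str) -> bool:
    """RFC 6265 domain matching as browsers apply it before attaching a cookie."""
    host = host.lower()
    domain = cookie.domain.lower().lstrip(".")
    if cookie.host_only:
        return host == domain
    return host == domain or host.endswith("." + domain)


def find_cname_leaks(first_party_host: str, resource_hosts: list,
                     cookie_jar: list, records: dict) -> dict:
    """Return {cloaked_host: {resolves_to, chain, leaked_cookies}} for every first-party
    host whose CNAME chain ends under another registrable domain."""
    first_party = registrable_domain(first_party_host)
    findings = {}
    for host in resource_hosts:
        if registrable_domain(host) != first_party:
            continue  # an overt third-party request; blockers already see it
        chain = resolve_cname(host, records)
        final_host = chain[-1]
        if registrable_domain(final_host) == first_party:
            continue  # in-house alias such as a first-party CDN
        leaked = [c.name for c in cookie_jar if cookie_sent_to(c, host)]
        findings[host] = {"resolves_to": final_host, "chain": chain, "leaked_cookies": leaked}
    return findings


# Constructed cookie jar: two site-wide cookies and one host-only CSRF token.
SAMPLE_JAR = [
    Cookie("session_id", ".example.com", host_only=False),
    Cookie("csrf", "www.example.com", host_only=True),
    Cookie("prefs", ".example.com", host_only=False),
]
SAMPLE_RESOURCES = ["www.example.com", "static.example.com", "metrics.example.com"]

if __name__ == "__main__":
    for host, info in find_cname_leaks("www.example.com", SAMPLE_RESOURCES,
                                       SAMPLE_JAR, CNAME_RECORDS).items():
        print(f"{host} -> {' -> '.join(info['chain'][1:])}")
        print(f"  cookies a browser would attach: {info['leaked_cookies']}")
```

The host-only csrf cookie does not leak because browsers only send it to the exact host that set it; the two cookies scoped to .example.com do, which is why Domain-scoped session cookies are the usual casualty. In a real audit, replace CNAME_RECORDS with live resolution (e.g. dnspython) and the registrable-domain helper with a Public Suffix List library, and feed it the hosts observed in the page’s network log.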
Technology Policy
Additional CO2. Bitcoin already consumes more electricity than the Netherlands, and is on track to reach (surpass?) the total electricity consumption of the world’s data centres. Meanwhile, some big companies support (invest in) this scheme. Eat this, environmentalism and Green Deal!
Other
Chip geopolitics. “Would China invade Taiwan for TSMC” (a globally significant chip producer) sounds provocative enough that I won’t write more, but: “TSMC is usually the only viable partner. Examples include Tesla for electric and self-driving cars, Amazon for cloud computing, Alibaba and Intel for artificial intelligence chips, Qualcomm and Unisoc for mobile chipsets, and Xilinx for chips used in F-35 fighter jets”. It’s fair to say that technology policy is a deep and rich topic...
That’s it this time, thanks!
In case you feel it's worth it to forward this letter further, I leave this thingy below: