TechLetters #18 - cyberattacks on weapons systems; on parliaments; cybersecurity bugs in core internet software; unconventional risks facing cloud storage
Welcome to TechLetters.
Editorial
Some cyber risks are prevalent. Others are niche but perhaps high-stakes.
I recently wrote an opinion article in Wired about one such potential cybersecurity risk: the cyber risk of weapons systems.
I strived not to overhype things. It’s based on facts.
This remains the puzzling part: “instances that may have been unsuccessful attacks on critical weapons systems via malicious insertion.”
The potential risk of cyberattacks on military systems was not of interest in the peace-defence discussions within the United Nations Open Ended Working Group on cybersecurity, which preferred to focus on other topics.
Security
MS DNS bug. Very serious security vulnerability in Microsoft's DNS server: "the set of possible attackers extends beyond the other options listed, up to and including the entire Internet. Such a vulnerability is often termed 'remotely exploitable'".
Norway parliament hacked. Norway's parliament was compromised using the recently disclosed vulnerabilities in Microsoft's Exchange Server. Currently no link to another cyberattack when Norway's parliament was also hacked in 2020. Seems they are getting owned frequently.
MS Exchange bug exploited widely. By at least 10 APT groups. Impressive proliferation count. Are these the Winter Olympic Games in hacking?
Critical security bugs in F5 gear. “remote code execution (RCE) vulnerabilities—CVE-2021-22986, CVE-2021-22987—impacting BIG-IP and BIG-IQ devices. An attacker could exploit these vulnerabilities to take control of an affected system”. F5 hardware-software sits in some sensitive places.
Cyber influence campaigns to use deepfakes, soon. “Malicious Actors Almost Certainly Will Leverage Synthetic Content for Cyber and Foreign Influence Operations”. Automatically generated content to be in broad use, soon? “While traditional techniques like Photoshop can be used to create synthetic content, this report highlights techniques based on artificial intelligence (AI) or machine learning (ML) technologies. These techniques are known popularly as deepfakes or GAN”.
Spectre. A practical Spectre attack impacting the web is here. It demonstrates a website's ability to use this technique to steal data belonging to other websites that the user is visiting. This violates web security principles.
Privacy
Sharing web browsing history? Telecom operator T-Mobile will be sharing its users' web browsing histories. Our research indicates that web browsing histories are private, personal data. Anonymising this is tough or impossible.
Technology Policy
AI did not play a role in Covid response? UK policymakers are surprised that "artificial intelligence" methods did not play a role in the Covid-19 crisis response/management, but "conventional data analysis" did. I’m not surprised: most useful analyses could indeed be done with “typical” data analysis; there is/was no need to artificially apply artificial intelligence.
Russia is threatening to shut down Twitter access in Russia. For now, speed is reduced. "slowing down will be applied to 100% of mobile devices and on 50% of non-mobile devices". https://www.reuters.com/article/us-russia-twitter/russia-slows-twitters-speed-over-failure-to-remove-banned-content-idUSKBN2B20ME
Other
Can data be torched? Experimentally tested now. Yes, data centres are flammable.
That’s it this time, thanks!