TechLetters #22 - leaks, backdoors, new privacy mechanisms to come
Security
Smartphone supply-chain infection. Germany is living with a major controversy. Important smartphone vendor sets were infected (pre-installed) with malware that may end up controlling user’s accounts (including, WhatsApp).
The consequences are serious for the device owners:
Browser windows suddenly open with advertisements or redirect to gambling sites
WhatsApp accounts are blocked (due to critical activities)
Facebook accounts may be taken over completely
SMS messages may be sent automatically
The device goes into “do not disturb” mode
The battery is drained quickly
The smartphone becomes slow
EC cyberattack. Apparently some institutions of the European Union are being targeted with cyberattacks. Not the first time, of course. But this time reported in public.
Backdooring encryption. “How to backdoor a cipher” is a pretty complex scientific work.
(…) Once that the backdoor is instigated, the rest of the algorithm can further be strengthened to make sure that it is secure, but in a way that does not invalidate the backdoor property. If done properly, it would be nearly impossible for a cryptanalyst to detect this unique deterministic linear property
India’s weakness to China’s cyberattacks? India considers its cybersecurity stance as lower than China's cyberattack capability. Such announcements by a policymakers are very rare.
Accepting that there is a capability differential between India and China, Chief of Defence Staff (CDS) General Bipin Rawat on Wednesday said the biggest differential lies in the cyber field and China is “capable of launching cyberattacks on us and it can disrupt a large number of systems”.
Phishing trends. With PDF files.
it is important to verify and double check the files you receive unexpectedly, even if they are from an entity that you know and trust. For example, why was your account locked out of nowhere, or why did someone share a file with you when you least expected it?
Privacy
Facebook data leak. A big dataset containing information concerning over 500M Facebook’s users has been posted online. Contains names, Facebook id, and sometimes phone numbers and email addresses. This is problematic even if the dataset is public. Irish Data Protection Commission is concerned and it was not informed by Facebook. Facebook does not want to inform users about this incident. What’s worrying in this statement is this: “it also took into account that users could not fix the issue”. But this is beside the point in the case of GDPR breach notification. That’s not the point for “users being able to fix the issue”. Then another dataset (of unknown size) leaked, and all the silence is even bigger.
First-party sets? W3C Technical Architecture Group is very skeptical about the planned part of Google’s Privacy Sandbox, the First-Party Sets mechanism. “For the reasons outlined here, we consider the First Party Sets proposal harmful to the web in its current form. This proposal undermines the concept of origin, and we see origin as a load-bearing structural pillar of web architecture”.
Cookie replacement. Another initiative claiming to offer a cookie replacement that "respects privacy and market competition". It claims it gets rid of "cookie consent popup box". Caution advised. It’s apparently using first-party cookies in tandem with HTTP redirects. At least upon first sight this looks fragile. Unsure about privacy properties. Will web browsers want to block this scheme by default?
Technology Policy
AI scam? “The pandemic is being used as a pretext to push unproven artificial-intelligence tools into workplaces and schools … We can no longer allow emotion-recognition technologies to go unregulated. It is time for legislative protection from unproven uses of these tools in all domains — education, health care, employment and criminal justice”
Other
What’s your washing machine downloading? An example of a washing machine desiring to download 1TB of data. Also, an example of a drying machine is sending/receiving gigabytes of data. Sometimes it may make us having bad feelings about Internet of Things. Solution: disconnect from the internet? Keep in mind that such appliances will at some point stop receiving security updates. Then what?
Natanz power goes down. Blackout at Iranian nuclear site? It's the former Stuxnet site. "many Israeli media outlets offered the same assessment that a cyberattack darkened Natanz". Warning: cause not known. https://apnews.com/article/358384f03b1ef6b65f4264bf9a59a458
In case you feel it's worth it to forward this letter further, I leave this thingy below: