TechLetters #26 - Privacy Sandbox in European Parliament, Chinese technological sovereignty, SVR cyberattacks, cyberattacks on pipelines, competition in hacking real people
Editorial
Security
NIS2 update. Active cyber defence is planned for endorsement at the European Parliament level of the NIS2 cybersecurity directive. This is not a euphemism - it is not an invitation to conduct offensive activities.
Industrial facility cyberattack. The largest American fuel pipeline, Colonial Pipeline, "has shut its entire network after a cyber attack, shut its main gasoline and distillate lines". (link1), (company release).
UK and US call out SVR. "...on multiple occasions, SVR actors used Cobalt Strike, a commercial Red Team command and control framework, to carry out their operations after initial exploitation ...". This is a major change: the announcements no longer use funny names (‘Something Something Kitten’ or ‘APT12345’) for the actor. The actual (alleged) actor name is used. (UK link, US link)
Privacy
Disqus fined under GDPR. “The processing activities in the present case impacts both the data subjects’ fundamental right to data protection pursuant to Article 8 of the European Convention on Human Rights (“ECHR”), as well as their fundamental freedom of expression and information Article 10 ECHR.” A very clear explanation.
Contest to hack real people? A China-organised software exploitation contest delivered a bunch of 0-days. These exploits were then used against people - to hack the iPhones of targets, for example. “In an interview with the Chinese news site Sina, Zhou Hongyi said that performing well in such events represented merely an “imaginary” success. Zhou warned that once Chinese hackers show off vulnerabilities at overseas competitions, they can “no longer be used.” Instead, he argued, the hackers and their knowledge should “stay in China” so that they could recognize the true importance and “strategic value” of the software vulnerabilities” (link). In many respects, an impressive development. It underlines the humanitarian risks and dimensions of technology: here, exploitation/hacking contests and the resulting tools used against real targets.
European Parliament discovered Privacy Sandbox. And it is asking questions of the EU Commission: “Whether or not it views such technologies as being a way of bypassing existing legislation designed to combat the monitoring of users by means of cookies, without their knowing this?”
Twitter tipping. Twitter introduces an option for tipping/supporting people. The process may reveal information such as the home address of the person tipping.
iPhone tracking opt-in. "Only 12% of iPhone users have actively chosen to opt into app tracking after updating their device to iOS 14.5" (link)
Technology Policy
Chinese companies invest in technological sovereignty. “YMTC is seeking to learn as much as it can about the origin of everything that goes into its products, from production equipment and chemicals to the tiny lenses, screws, nuts and bearings in chipmaking machinery and production lines, multiple sources familiar with the matter said. The audit extends not only to YMTC's own production lines, but also to suppliers, suppliers' suppliers, and so on. … Each supplier is assigned a score for geopolitical risk … American-made parts are scored highest for risk, followed by parts bought from Japan, Europe and those made locally ” (link)
Other
AI infrastructure for self-driving cars. Interesting presentation.
Quantum computing. 62-qubit quantum computer in use.