TechLetters #28 - HSE ransomware incident - and how to manage such incidents politically, Privacy Sandbox entropy decrease, Germany throws money at quantum stuff, privacy and competition, magnets
Éditorial
How to manage a significant cybersecurity event on the political level? Good question. We see this on the example of Ireland - just in a very realistic scenario involving a true breach of the public healthcare system, with a risk of patient data leak. Occasions for s uch observations are very rare. This time many things are clearly visible, because they involve the public, prominently.
It’s an unfortunate event, but others may learn by studying it. For this reason, it would be nice to have some clarity.
Security
Irish HSE ransomware incident. The case I described previously continued. There’s a risk that patient date would be leaked by the attackers. “Russian Embassy in Dublin condemned the cyberattack and suggested Moscow is ready to look into the matter if approached”, and they have been approached. The HSE ransomware infection event is becoming an interesting case study of how a significant incident is being managed at the political level. Now another Minister repeated that ransom will not be paid (even though no request came). Was that additional signalling to the threat group? Perhaps due to the risk of earning bad PR, the ransomware gang provided a data decryptor to HSE. They still threaten to make the stolen data public. The decryption tool has been improved.
Internet Explorer is out. Internet Explorer's demise is set for 15.06.2022. An end of an era, and a web security improvement.
$40m ransom. This insurance company got a request to pay $40 million. Is it among the current records? “The average payment in 2020 was $312,493”.
Airplane travel operational security? A Belarusian opposition activist has been arrested directly from the plane. Problem? The plane was a passenger plane (Ryanair airlines) forced-diverted by Belarusian military jet fighter (Mig-29) to land in Belarus. The plane did not plan to land there, of course. This (e.g.) is a very rare event highlighting low risk scenarios. Because how and when should one assume that this may or may not happen?
Privacy
Chrome UA cut. New Privacy Sandbox update: Chrome will continue working on decreasing the identifiability of user-agent strings (link1, link2). This is a privacy-improving change, because IP addresses and User-Agent strings are highly identifying information.
E2EE issues. Home Affairs Commissioner Ylva Johansson is concerned with end-to-end encrypted communication
Privacy and anti-competition joined forces. The UK ICO (Data protection authority) and Competitions and Markets Authority joined forces. It’s a convergence of data protection and anti-competition proceedings. First field of collaboration: Google’s Privacy Sandbox.
Vaccinated, tracked. The UK tracked vaccinated persons with the use of telecoms logs. "Vaccination event" was assumed as "being close to vaccination center", which sounds a bit error prone. It’s said that the test respected GDPR, but unclear how. Details or the privacy impact assessment was not published.
Technology Policy
Quantum Germany. Germany is entering the quantum technologies race, with a funding of 2bn euros allocated for quantum technologies. They aim to build a quantum computer within the next 5 years. The key will be the people.
TikTok and mass protests. Is it possible to use TikTok as a tool to organise mass protests? Technically yes.
Other
Big magnets. CERN will be installing 11-T superconducting magnets to build High Luminosity LHC.
In case you feel it's worth it to forward this letter further, I leave this thingy below: