TechLetters #30 - the cost of a cyberattack; retaliation vs cybercriminals?; Europe wants to demand web browser changes; deadly autonomous loitering munitions in use
Security
Costs of a cyberattack. The cost of dealing with the HSE cyberattack is estimated to exceed €100m. "in our political culture, there is no incentive to plan for the future". Among the impacts is setting the services back 30-40 years. And here’s a photo of the Irish military during the post-ransomware data recovery process.
UK on cyber. The UK’s views on the applicability of international law to cyberspace are now public.
Cyberattacks vs ransomware? An article discusses potential retaliation by the US military: “Biden will have some decisions to make, current and former officials said, including whether to order offensive action by U.S. Cyber Command, the military hackers based at Fort Meade, Maryland, who wield cyber weapons that can take down networks and turn computers into bricks.” (link). Reinstalling such computers and networks would still be very quick.
Remember Colonial Pipeline? We now know more about how the attackers entered the systems. It was (1) the result of a single compromised password, which (2) allowed remote access to the company’s computer network via a VPN system; (3) the VPN system didn’t use multifactor authentication. Oh, and (4) the password happened to be found in an online-accessible database of breached passwords, and (5) the account was not even in use any more. The pipeline was shut down as a precaution. It was a costly (estimated at millions of dollars) case of account mismanagement.
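Each of the five points above is a control that a routine account audit can check for. The following is an added example (not code from the newsletter, and unrelated to Colonial Pipeline’s actual systems) that runs an offline audit over constructed VPN account records and flags the three failures the story combines: an account nobody uses any more, a VPN login path without MFA, and a password that appears in a breach corpus. The breach corpus here is a local set of SHA-1 hashes of a few constructed weak passwords, mimicking the hash-only format such databases are published in; the account names, dates and the 90-day dormancy threshold are all assumptions for the example.

```python
"""
Added example: offline audit of VPN account records for the control failures
described above (dormant account, no MFA, password present in a breach corpus).
All account data, dates and the breach corpus are constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: an account unused for more than 90 days counts as dormant.
DORMANT_AFTER = timedelta(days=90)


def sha1_hex(pw: str) -> str:
    """Upper-case SHA-1 hex, the format hash-only breach dumps use."""
    return hashlib.sha1(pw.encode()).hexdigest().upper()


# Constructed breach corpus: hashes of a few weak passwords. This stands in for
# a published breach database, not for the organisation's own credential store.
BREACHED_SHA1 = {sha1_hex(p) for p in ("Password1", "Welcome123", "Summer2020!")}


@dataclass
class VpnAccount:
    username: str
    mfa_enforced: bool
    last_login: datetime
    password_sha1: str  # hash only; the audit never needs the plaintext


def is_breached(password_sha1: str) -> bool:
    """Range-style lookup: narrow by the 5-character prefix first, then match
    the full hash. This is the shape of a k-anonymity query against a breach
    API, done here against the local constructed corpus."""
    h = password_sha1.upper()
    candidates = {x for x in BREACHED_SHA1 if x.startswith(h[:5])}
    return h in candidates


def audit_account(acct: VpnAccount, now: datetime) -> list[str]:
    """Return the list of findings for one account (empty list means clean)."""
    findings = []
    if not acct.mfa_enforced:
        findings.append("no-mfa")
    if now - acct.last_login > DORMANT_AFTER:
        findings.append("dormant")
    if is_breached(acct.password_sha1):
        findings.append("breached-password")
    return findings


def audit(accounts: list[VpnAccount], now: datetime) -> dict[str, list[str]]:
    return {a.username: audit_account(a, now) for a in accounts}


# Constructed reference date and sample accounts.
NOW = datetime(2021, 6, 10, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    VpnAccount("legacy-ops", False, NOW - timedelta(days=400), sha1_hex("Password1")),
    VpnAccount("jsmith", True, NOW - timedelta(days=2), sha1_hex("correct horse battery staple")),
    VpnAccount("contractor7", False, NOW - timedelta(days=10), sha1_hex("Summer2020!")),
]


def sample_report() -> dict[str, list[str]]:
    return audit(SAMPLE_ACCOUNTS, NOW)


if __name__ == "__main__":
    for user, findings in sample_report().items():
        print(user, findings or ["ok"])
```

The point of the prefix-then-full-hash lookup is that a real check against a breach service never has to send the full hash off-site, and the audit itself never needs plaintext passwords: the account record carries only a hash, and the only outcome is a list of findings per account that can feed a ticket or a report.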
French cyber explosion? A French database of industrial incidents lists an explosion at a chemical plant. “A motorist, seeing a “cloud of smoke”, contacted the fire brigade. A crater a little over 1 m in diameter is visible on the ground … The volume of biomethane released is evaluated at more than 3,500 Nm³. Safety devices integrated into the automation controlling a valve did not function. This failure is investigated by the operator (PLC failure). A communication fault with the remote installation supervision site due to a cut in the Internet network also compromised the sending of an SMS alarm to the operator.” The database lists it as an “incident cybersécurité”, which here may mean either security or safety. The safety system did not function, and the SMS alert was not sent.
Anyway, no more details are given and I prefer not to draw unwarranted conclusions, but a potential incident with physical effects (an explosion) certainly sounds interesting. The incident appears to have been covered in the local press, but without details, and the image provided does not offer much.
Privacy
Differential privacy and attacks on Census data. Interesting article.
Huawei OS. Huawei launched its own operating system, Harmony. In terms of privacy, it references the GDPR. Anyway, it is probably among the most significant technological-geopolitical developments of 2021. We’ll know in 2025 where it led.
Google to phase out the Advertiser ID on Android? Some news: “Starting in late 2021, when a user opts out of interest-based advertising or ads personalization, the advertising identifier will not be available. You will receive a string of zeros in place of the identifier.” This catches up with the similar model of the iOS ads ID.
European Commission wants to change how web browsers work. The European Commission intends to unify national digital applications, but the proposal has some hidden functionalities: for example, a requirement for web browsers to honor certain websites as ‘more trusted’ (via some certification system), and a requirement compelling web browsers to build user interfaces displaying this fact. Such ideas were very controversial.
Technology Policy
Other
LAWS in use? Reports of a potential lethal autonomous weapons system in use. The Turkish STM Kargu-2 autonomous drone may have found and engaged a target...? The UN report is here.
“… were subsequently hunted down and remotely engaged by the unmanned combat aerial vehicles or the lethal autonomous weapons systems such as the STM Kargu-2 (see annex 30) and other loitering munitions. The lethal autonomous weapons systems were programmed to attack targets without requiring data connectivity between the operator and the munition: in effect, a true “fire, forget and find” capability”
Loitering munitions/UAVs are apparently the new deal.
WebExtensions Standards. Web browser vendors have joined forces within a W3C group to work on common standards for web browser extensions. This also means common standards for security and privacy.
Microbial fingerprint. DNA on your shoes is likely enough to identify where you live. Full paper here.