TechLetters #31 - SVR hacks Holland, US/AU hacks cyber criminals, ransom payments, weapons systems cybersecurity; privacy, AI; quantum.
Éditorial
Next week will be fascinating, with cybersecurity discussed at the top of the top, the Biden-Putin meeting in Geneva. Also next week, the International Committee of the Red Cross is releasing a report on military cyber operations. The two events, of course, are not related (coincidence). But they are both considering certain facets of cyber warfare.
Some of these ‘facets’ will be felt by all of us, sooner or later.
Security
SVR in. Dutch police systems allegedly compromised/hacked by the Russian intelligence services. The hack happened via the systems of Dutch Police Academy, which was behind the right firewall to access the systems of interest. But there were more attempts: “Russian hackers drove a car with hacking equipment near the National Public Prosecutor's Office in Rotterdam”. Reminder: Dutch secret service AIVD hacked Russian secret service SVR, in 2014.
Deploying fake secure instant messengers for profit. U.S. and Australian authorities ran a “secure Swiss instant messenger” '“used by criminals … leading to hundreds of arrests of suspected organised crime figures in 18 countries”. It’s about “An0m” app, “which is popular with organised crime networks”. (link1, link2, link3)
Hacking criminals to regain ransom. FBI hacked some system used by cybercriminals and recovered the ransom (“63.7 bitcoins currently valued at approximately $2.3 million”) paid for the unlocking of Colonial Pipeline systems. (link, link2)
JBS paid 11m. Meanwhile, the meat-conglomerate JBS paid $11m "ransom" to cybercriminals. There is/was maybee the risk of meat shortages on the market.
Chrome ups browser security. In various places. (1) Web browser extensions (with a more trusted installation process). (2) for downloaded files (which are automatically scanned for malware).
TLS Alpaca’d. Interesting security weakness identified in the TLS.
US weapons systems cybersecurity. Very long document. “According to DOD Directive 5000.01, security, cybersecurity, and protection of critical technologies at all phases of acquisition are the foundation for uncompromised delivery and sustainment of warfighting capability”, examples include the Conventional Prompt Strike ("non-nuclear hypersonic weapon system"), where it is being noted that: "program office noted that it has identified known cyber vulnerabilities". Cybersecurity vulnerabilities reported in a serious weapons system. (Weapons Systems Annual Assessment). My analysis of weapons systems cybersecurity here.
Recovering encryption keys with AI. “the security community generally agrees that it is indeed possible to recover secret keys from almost any implementation, even if the algorithm itself is secure, thanks to side-channel attacks … this practical guide that shows you, step by step, how to train and use a TensorFlow model to recover AES keys from a TinyAES implementation running on an ARM CPU (STM32F415) from its power consumption traces”
Privacy
More privacy from Apple. “Hide e-mail address” when giving it in various places, as well as privacy-proofing email in general “Mail Privacy Protection stops senders from using invisible pixels to collect information about the user. The new feature helps users prevent senders from knowing when they open an email, and masks their IP address so it can’t be linked to other online activity or used to determine their location.”. (link1). Privacy in e-mail has been long neglected. There’s also “Private Relay”, which is apparently a host of proxy servers. Not available in China, Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda and the Philippines.
Technology Policy
Quicksort birthday. Quicksort, the legendary sorting algorithm, turned 60.
AI-assisted Covid detection flaws. The AI/ML model learned spurious correlations, based on trash-features. “Our findings in this study support the troubling possibility that these models fail to learn the true underlying pathology reflecting the presence of COVID-19 and instead leverage spurious associations between the presence or absence of COVID-19 and radiographic features that reflect variations in image acquisition, that is, ‘shortcuts’10. Although such spurious associations may arise in any dataset, we have observed that many recent ML models for radiographic detection of COVID-19 were trained using data with the potential for near worst-case confounding.” (link)
Quantum future. Be careful about articles or people claiming that quantum computing will do “this or that”. Today, especially policymakers are prone top the hype. "quantum computer that’s big and reliable is still a long way off", “When you read about the latest experiment with 50 or 60 physical qubits, it’s important to understand that the qubits aren’t error-corrected. Until they are, we don’t expect to be able to scale beyond a few hundred qubits” (link)
TikTok and WeChat band rescinded in US. Biden’s administration reversed some technology bans. There will be some other risk management/assessment process.
Competition and Privacy of new Ads Technologies. UK Competition and Markets Authority will take an active part in the redesign of the future privacy ads system, Google's Privacy Sandbox. "Google’s proposals would have impacts on both competition and privacy". Google already replied stating some commitments. This is a billion-dollar discussion here.
Cybersecurity at the top of international relations. USA and UK reaffirmed cybersecurity as a priority in their New Atlantic Charter. Is anybody else joining the party? Well, Biden and Putin discuss it next week in Geneva.
In case you feel it's worth it to forward this letter further, I leave this thingy below: