TechLetters #44 - China blockade of k-pop from their cyberspace; Recovering sound from LED activity; UK to reform/weaken(?) their data protection rules; OWASP Top10
Security
Defeating browser Site Isolation. With Spook. “the absence of published attacks does not indicate that the risk is mitigated. We present Spook.js, a JavaScript-based Spectre attack that can read from the entire address space of the attacking webpage. We further investigate the implementation of strict site isolation in Chrome, and demonstrate limitations that allow Spook.js to read sensitive information from other webpages”.
Top 10 web security issues. New edition of OWASP’s list.
Cyberattacks on German parliament. Formal investigation relating to (an alleged) Russian cyberattack on the German parliament, "trying to gain access to private e-mail accounts". In 2020/2021, the same group executed similar operations in the Baltics and Poland. Russia denied it, with a few interesting twists, for example saying that the allegations are "unsubstantiated and have an obvious foreign policy motive", or an "informational PR story in the context of the internal political struggle in Germany".
New directions in technical eavesdropping. Recovering sound from LED activity! "optical correlation between the sound that is played by connected speakers and the intensity of their power indicator LED". “sound recovery by analyzing optical emanations obtained from a device’s power indicator LED. We show that the power indicator LED of various devices leaks information regarding the sound played by connected speakers. This occurs in devices whose power indicator LED is connected directly to the device’s power line and lack integrated voltage stabilizers. As a result, the optical response (intensity) of the power indicator LED of such devices is correlative to the power consumed by the device. This fact can be exploited to recover sound from the connected speakers directly, by obtaining optical measurements via an electro-optical sensor directed at the speakers’ power indicator LED, or indirectly, by obtaining optical measurements via an electro-optical sensor directed at the power indicator LED of the device used to supply power to the speakers (e.g., USB hub, microcontrollers).”
Cyberattack-driven railway paralysis in New York or Berlin? A threat intel company warns that cyberattacks similar to the ones that happened in Iran (paralysis of railway system computers, etc.) could take place in New York and Berlin "next month". “Cases like this, where said threat actors go ahead and do X, Y, Z, ought to raise our collective level of anxiety. As we said in the opening statement, this attack happened in Iran, but next month an equivalent attack could be launched by some other group targeting New York, and Berlin the month after that”. But don’t lose sleep over this. Just because it can happen does not mean it will.
Privacy
UK DPA dislikes cookie popups. Who likes them? Nobody. But what is at stake is the interference with users' devices without their consent or awareness. Meanwhile, the UK DPA (the ICO) is calling "to work together to overhaul cookie consent pop-ups". Is this groundwork for the upcoming (announced) weakening of the UK's data protection regime?
UK Data Protection Reform. The UK has disclosed plans to change (weaken?) its privacy regulations. First, the data protection authority will be tasked "to help drive economic growth and innovation and strengthen public trust in use of data”. Second, the "government wants to remove barriers to data use"? The government is using the specific case of cookie popups as a pretext for a broad overhaul (“Data is one of the most important resources in the world and we want our laws to be based on common sense, not box-ticking”). The government will also inspect and respond to the Competition and Markets Authority investigation linked to online ads and Google’s Privacy Sandbox. It is unclear whether this will be a pro-privacy response: “We will respond to the Competition and Market Authority’s online platforms and digital advertising report and consider how its findings inform the establishment of a pro-competition digital markets unit.”, under “Data Availability”.
Technology Policy
Apple's App Store rules go down. “The decision orders Apple to stop barring developers from providing buttons or links in their apps that direct customers to other ways to pay outside of Apple's own in-app purchase system, which charges developers commissions of up to 30%”.
China’s digital Leninism vs k-pop. China (Xi) is at war with the Korean pop band BTS. The band is popular in China, and that's a problem for the leadership because groups of youth organize easily. A campaign of "cleaning youth culture" suspended the band's fan page. Music and informational sovereignty? This is not a joke: it is pretty serious. China's "cybersecurity control" has also closed related accounts on Weibo. Official reason: publishing "irrational star-chasing behavior". Inline: there is only one army in China? Chinese platforms Tencent, Weibo, and Douyin (TikTok) have agreed to impose "self-discipline" to provide a "healthy" "cyberspace environment". The government's cyber regulator will no longer accept the spread of "chaotic" culture, such as k-pop. Does the government know best what's good for citizens?