TechLetters #55 - cyber insurers don't want to help in cyber war? log4j havoc; cyber operations vs ransomware; hacked cheese; nuclear weapons and AI for targeting.
Éditorial
Cyber insurance and cyberwarfare deserves careful analysis. And skepticism.
I explain why here.
Security
Ops vs ransomware. US military engaged in offensive cyber operations vs (non-military) cybercriminals.
Tech & Legal vs cybercriminals. Legal proceedings aimed at cybercriminals “Google has filed a lawsuit against two individuals believed to be located in Russia for operating the Glupteba Botnet and its various criminal schemes”.
Google Threat Intelligence. Report.
Log4j bug. Remote code execution (a.k.a. "zero-click") in log4j. Java. This library is in broad use. This might be ugly in many corporate settings (services of Steam, Apple iCloud, Minecraft already found to be vulnerable, as well as lots of Cisco products). Worth checking if there is "{jndi:ldap//" in the server logs. Expect quite a few systems getting hacked with this. A web worm (automatically spreading malware) can also be made from it. List of attackers using this is growing (over 150 now). You’ve got crypto miners, botnets and other attacks. In the meantime, you may generate some annoying response to the attempts to use this bug.
Cheesecake, hacked. Cyberattack shuts down cheese manufacturer. Affected, among others, bagel shops and bakeries: "aggravated the cream cheese situation in the country", "we can’t make a cheesecake". Ruthless cyberwar!
Ransomware effects in practice. Timeline and incident description: Conti ransomware at HSE. It was not a purposeful disruption/destruction operation. Had this been the target, the severity would be grave. But it hand tangible negative impacts. “Impact example: “Staff is (sic) fatigued as they continue to deal with the pandemic, along with IT issues and workarounds”. “It has had an impact on staff – the two serious issues coming one after the other, we haven’t experienced anything like it before”.”. “On 18 March 2021, a HSE staff member interacted with a malicious Microsoft Office Excel file attached to a phishing email. This resulted in a Malware infection of the Patient Zero Workstation”
Privacy
Technology Policy
Competition for modern times. EU and US join forces in digital competition investigations for technology sector: "competition agencies now must more regularly consider network effects, the role of massive amounts of data, interoperability".
Other
FB ads. "Facebook’s detection of political ads is flawed: Facebook misses more ads than they detect, and over half of those detected ads are incorrectly flagged. This enables advertisers to violate policies"
Amazon fined. Europe vs Big Tech. Italy fined Amazon. €1.13bn. Antitrust proceeding. Violation of article 102 TFEU (abuse of dominant position in a self-preferencing case).
Nuclear weapons. Semi-autonomous doomsday nuclear machine is real?
AI targeting. In military settings. “An experimental target recognition program performed well when all of the conditions were perfect, but a subtle tweak sent its performance into a dramatic nosedive … AI was fed data from a sensor that looked for a single surface-to-surface missile at an oblique angle, Simpson said. Then it was fed data from another sensor that looked for multiple missiles at a near-vertical angle. … the algorithm was only right 25 percent of the time “It was confident that it was right 90 percent of the time, so it was confidently wrong””
In case you feel it's worth it to forward this letter further, I leave this thingy below:
You may also share here: