TechLetters #57 - Log4j still. UK Cyber Strategy. Surveillance firms targeting internet users. Colonial Pipeline hack led to price spikes. GDPR: Grindr fined, Clearview ordered to stop.
Security
Log4j continued. The patch simply disables the affected log4j functionality outright. The vulnerability is already being used by ransomware and RAT operators. And another log4j security issue: “If a string substitution is attempted on the following string, it will trigger an infinite recursion, and the application will crash: ${${::-${::-$${::-j}}}}”, fixed by yet another patch. The vulnerability turned out to be much more severe than initially rated: full remote code execution.
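A defender-side illustration of the item above, added here and not taken from the newsletter or from the Log4j project: a small scanner that walks log lines and flags lookup syntax that is nested or chains default values, which is what the quoted crash string does. It assumes only the Log4j substitution grammar ("${" and "}" as delimiters, ":-" as the default-value separator, "$$" as the escape for a literal dollar); the sample log lines and the alert thresholds are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# The crash string quoted in the newsletter item above (taken from the Log4j advisory).
RECURSION_STRING = "${${::-${::-$${::-j}}}}"

# Constructed sample log lines for the demonstration; they are not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "' + RECURSION_STRING + '"',
    '10.0.0.9 - - "GET /api/status HTTP/1.1" 200 "${env:HOME}"',
]

# Thresholds for the verdict. Assumed values chosen for this example, not from Log4j
# or the newsletter; tune them to the false-positive rate of your own log sources.
NESTING_ALERT_DEPTH = 3
DEFAULT_CHAIN_ALERT_COUNT = 2


@dataclass
class LookupReport:
    has_lookup: bool           # any "${" opener present
    max_depth: int             # deepest nesting of "${ ... }" seen
    default_separators: int    # count of ":-" default-value separators
    escaped_dollars: int       # count of "$$" escapes (Log4j's escape for a literal "$")
    verdict: str               # "clean", "review" or "suspicious"


def analyze(text: str) -> LookupReport:
    """Walk the text once, tracking how deeply "${ ... }" lookups are nested.

    Log4j's substitutor uses "${" / "}" as lookup delimiters, ":-" to separate a
    key from its default value and "$$" as an escape. Benign log fields rarely
    nest lookups or chain defaults at all; the crash string does both.
    """
    depth = 0
    max_depth = 0
    has_lookup = False
    i = 0
    while i < len(text):
        if text.startswith("${", i):
            has_lookup = True
            depth += 1
            max_depth = max(max_depth, depth)
            i += 2
            continue
        if text[i] == "}" and depth > 0:
            depth -= 1
        i += 1

    default_separators = text.count(":-")
    escaped_dollars = text.count("$$")

    if not has_lookup:
        verdict = "clean"
    elif max_depth >= NESTING_ALERT_DEPTH or default_separators >= DEFAULT_CHAIN_ALERT_COUNT:
        verdict = "suspicious"
    else:
        # A single, flat lookup in an attacker-controlled field still deserves a look.
        verdict = "review"
    return LookupReport(has_lookup, max_depth, default_separators, escaped_dollars, verdict)


def scan_logs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, verdict) for every line that is not clean."""
    findings = []
    for idx, line in enumerate(lines):
        report = analyze(line)
        if report.verdict != "clean":
            findings.append((idx, report.verdict))
    return findings


if __name__ == "__main__":
    for idx, verdict in scan_logs(SAMPLE_LOGS):
        r = analyze(SAMPLE_LOGS[idx])
        print(f"line {idx}: {verdict} (depth={r.max_depth}, "
              f"defaults={r.default_separators}, escapes={r.escaped_dollars})")
```

Run against the three constructed lines, the scanner reports the crash string as suspicious (nesting depth 4, three default-value separators, one escape) and the plain "${env:HOME}" as worth review; the ordinary request line passes. The point is not the exact thresholds but that the recursion string is structurally unlike anything a legitimate client sends, so a cheap syntactic check on untrusted fields catches it before a logger ever tries to substitute it.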
UK Cyber Strategy. The new UK National Cyber Strategy has been unveiled. The UK wants to become a cyber power: "cyber power is distinct from more traditional forms of power", "we have invested significantly in our offensive cyber capabilities", "integrate cyber operations into allied operations across all domains: land, sea, air, space and cyberspace". Also: cyber operations to deliver "real world effect" (physical effects?). "We will also counter the proliferation of high-end cyber capabilities". Technologies listed as vital to cyber power: 5G/6G, blockchain, AI, quantum technologies, IoT, semiconductors, cryptography.
Seven “cyber” firms. Facebook warns 50,000 users that they have been the targets of surveillance companies; six companies are named. Their services amount to hack-for-hire cyber operations, for money: in a way, cyber mercenaries. Yes, they hacked their targets when needed. “Meta has issued cease-and-desist warnings against six companies”.
Phishing attacks on multi-factor authentication. Phishing kits now support this, and they “may cost from $50 to several hundred dollars”.
Monetary effects. The cyberattack on Colonial Pipeline had a measurable impact on gas prices: "pipeline shutdown on May 7 led to an average increase of 4 cents per gallon in affected areas during the rest of the month".
Privacy
Grindr fined under GDPR. Norway's data protection authority fines Grindr €6.33m #GDPR. Grindr "disclosed personal information about users to third parties for behavior-based marketing without a legal basis", disclosed a "special category of information", and relied on "invalid consents". The authority applied the GDPR legal test for consent: “withdrawal must be as easy as to give consent”. This was not the case. That's the best GDPR test out there: it can easily be checked mechanically. So: a fine. Impressive decision.
Clearview ordered to stop. The French DPA CNIL, deciding a Clearview case, issued a ban on processing data (and an order to delete the data held). Two breaches: the rights of data subjects, and unlawful processing.
Technology Policy
Facebook and propaganda. “It’s not our fault”? A Facebook exec “insists that political and COVID-19 misinformation are societal problems rather than issues … magnified by social networks”. But deliberately and knowingly not conducting risk assessments of tech/products is about something else. “Individual humans are the ones who choose to believe or not believe a thing”? That’s not how effective propaganda works. Responsible directors should know this.