TechLetters #61 - Google's Differential Privacy not so private. Apple's Safari leaking visited sites. Telecoms against Private Relay. Cyberattacks on Ukraine: info ops & destructive(?)
Security
USA warns against Russian cyberattacks. Well, they do.
WEF cyber. Cybersecurity tops the risk charts of the WEF, including the potential for technological breakdowns, but also interstate conflict.
(1) Cyberattacks on Ukraine. Some cyberattacks on Ukrainian government websites happened. Seems to be a clear political message to society, a warning to "be afraid and expect the worst". This is a cyber-enabled information operation. At least some of the information content plays on historical conflicts and the troubled history between neighbouring nations. The communication suggests this overtly.
(2) Cyberattacks on Ukraine. Destructive cyberattack targeting entities in Ukraine, "intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom".
Russian and American cooperation. The Russian FSB conducted an operation against the REvil ransomware group at the request of the USA. Money/resources seized, people arrested. Does this signal cooperation between the USA and Russia in the context of cybersecurity?
Privacy
Web browser history leaking from Safari. Privacy bug in Apple’s Safari identified in IndexedDB. “In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy. Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session”. “It lets arbitrary websites learn what websites the user visits in different tabs or windows”. Web browser history is sensitive.
Data protection enforcement against Europol. The European Data Protection Supervisor orders Europol to delete data concerning individuals with no link to criminal activity, and to "notify the erasure of the datasets to the third parties".
Attack on Google's differential privacy model. Google shared 'anonymous' aggregated data from 300M Maps, protected with differential privacy, and said that it "raises no privacy concern". It turns out that the privacy guarantees are less solid than claimed: "Level of certainty of their attacker is likely higher than 90% for a typical user", "We show the empirical risk to be higher than the 16% bound as soon as the victim took more than three unique trips over". Membership inference attacks are possible. Significant privacy loss. Google agrees with the privacy audit, but has some reservations: "the unit of privacy that is protected with the promised differential privacy guarantees is not an individual's contribution to the entire dataset, but rather whether the individual made a trip from A to B during week W."
Private Relay blocked. Some telecom operators in Europe and in the USA dislike Apple's Private Relay. They state some reasons (alleged difficulty managing telecom networks, alleged difficulty respecting parental controls), but in general it should be a user's choice.
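Google's "unit of privacy" reservation is the whole story behind the audit's "more than three unique trips" finding, and it is easier to see with numbers than with prose. The following is an added illustration, not code from the audit or from Google: it assumes a mobility cell (trips from A to B in week W) released with the Laplace mechanism calibrated so that one trip is the unit of privacy, and an assumed per-trip budget of epsilon = 1. A user who made k trips to the same cell shifts the true count by k, so group privacy only guarantees k*epsilon for that user. The block computes the attacker's posterior bound and the exact success rate of the optimal membership test for that user, and checks the analytic rate against a Monte Carlo run on a constructed background count.

```python
"""Illustration of how a per-trip DP guarantee degrades for a user with
k trips in one aggregated cell (added example; assumptions are noted inline)."""
import math
import random


def laplace_release(true_count, epsilon, sensitivity=1.0, rng=random):
    """Release a count under epsilon-DP: add Laplace noise of scale sensitivity/epsilon.

    Sensitivity 1.0 means one trip is the unit of privacy (the assumed setup).
    """
    scale = sensitivity / epsilon
    # Inverse-CDF sampling of Laplace(0, scale); clamp guards log(0) when random() == 0.0.
    u = rng.random() - 0.5
    noise = -scale * math.copysign(1.0, u) * math.log(max(1 - 2 * abs(u), 1e-300))
    return true_count + noise


def posterior_bound(epsilon, k, prior=0.5):
    """Upper bound on the attacker's posterior that a user with k trips in the cell
    is present in the data: the k*epsilon group-privacy guarantee bounds every
    likelihood ratio by exp(k*epsilon), so Bayes' rule gives this ceiling."""
    ratio = math.exp(k * epsilon)
    return (ratio * prior) / (ratio * prior + (1 - prior))


def attacker_accuracy(epsilon, k):
    """Exact success probability of the optimal membership test.

    The attacker knows the count c without the victim and decides 'present' iff
    the released value exceeds c + k/2. With Laplace noise of scale 1/epsilon the
    error on either side is 0.5*exp(-k*epsilon/2), so accuracy is 1 minus that.
    """
    return 1 - 0.5 * math.exp(-k * epsilon / 2)


def simulate_attack(epsilon, k, trials=20000, seed=7):
    """Monte Carlo estimate of attacker_accuracy on a constructed cell.

    Half the trials include the victim's k trips, half do not; the background
    count of 40 trips is a constructed value, not from the dataset.
    """
    rng = random.Random(seed)
    background = 40
    correct = 0
    for t in range(trials):
        present = (t % 2 == 0)
        true_count = background + (k if present else 0)
        released = laplace_release(true_count, epsilon, rng=rng)
        guess = released > background + k / 2
        correct += (guess == present)
    return correct / trials


if __name__ == "__main__":
    EPSILON = 1.0  # assumed per-trip budget; the audit's real parameters are not on this page
    print(f"per-trip epsilon = {EPSILON}")
    print("k trips | posterior bound | optimal-test accuracy | simulated")
    for k in range(1, 6):
        print(f"{k:7d} | {posterior_bound(EPSILON, k):15.3f} | "
              f"{attacker_accuracy(EPSILON, k):21.3f} | {simulate_attack(EPSILON, k):9.3f}")
```

The table this prints is the point of Google's reservation: with a single trip the attacker's success stays close to the nominal guarantee, but because the budget is spent per trip rather than per person, every additional trip in the same cell multiplies the effective epsilon, and the membership test becomes reliable after only a handful of trips.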
China’s data protection law. Official English version of the Personal Information Protection Law of the People's Republic of China.
AWS security. Security vulnerabilities identified in AWS infrastructure: an "attacker could abuse this vulnerability to bypass tenant boundaries, giving them privileged access to any resource in AWS".
Technology Policy
Nigeria has lifted its Twitter ban. Citizens of the country will again be able to connect to the entire website. Access was blocked after the president's tweet was deleted. Sometimes selfish politicians act like a bull in a china shop. Unfortunately, people suffer.