TechLetters #65 - Armed conflict cyber, Privacy Sandbox for Android, maybe. Breach of humanitarian data. Smartphone users usage is unique and can be used to track them
Security
Armed conflict cyber. "cyber component of the Russian offensive is likely to begin just before an aerial bombing or missile attacks and would be likely to continue throughout the conflict." (link)
CYBER AGGRESSION? US Secretary of Defence says that the US is expecting a rise of cyberattacks prior to a land invasion/aggression/whatever. Also said that should the US is cyberattacked, there will be a response. “We would expect to see, before any attack we'd -- we'd expect to see cyber attacks, false-flag activities and a -- and a -- and a number of others -- increasing rhetoric in the information space, and we're beginning to see more and more of that. In terms of a response to the cyber attack, if someone attacks the United States of America, then certainly, we will -- we will hold that -- that element responsible“
The reported “biggest cyberattacks on Ukraine” that did not happen. Well, they (DDoS) did, they just weren’t an issue. Clarification that the recent cyberattacks on Ukraine were rather a non-event, and insignificant. So no need to overreact. Western policymakers, and their advisors, should really start getting how things work. Especially in a risk of an actual armed conflict happening. This is not a time for behaving funny. The US and UK has blamed Russia for the DDoS, mentioning “technical evidence”.
ICRC cyberattack/breach. More information about the cyberattack on ICRC (data breach of >500k vulnerable people). "deplorable situation to the people we are entrusted to protect and assist". "The attack was targeted". Highly targeted (targeting specific MAC address of concrete machines), and using non-public tools. "specifically crafted to bypass our anti-malware solutions". 70 days dwell time. Used CVE-2021-40539 for entry.
Cyberattack effects. Impact of a cyberattack/ransomware incident against Irish public health service HSE might be on par with covid-19 impacts?
Privacy
Privacy Sandbox for Android. Google announces transfer of Privacy Sandbox ("privacy-preserving advertising systems") to Android "limit sharing of user data with third parties and operate without cross-app identifiers, including advertising ID". Huge news for privacy, and competition. What does it mean? Advertising ID will be purged. They transfer web-centric Privacy Sandbox proposals to the mobile ecosystem (Android 13), details here. Relevant tech proposal (privacy-preserving ad targeting) is this one. The devil will be in the details: how tight is the isolation? For example what are the limits on the sell-site and buy-side reporting? User data flows? Can we trust the "trusted servers"? Why? My proposal concerning Privacy Sandbox governance scheme stands.
Users smartphone uses are unique to them. Implications for privacy. "potential to narrow down a subject pool of 10 individuals from their daily use data with a three in four success rate". Even without a dedicated app ID. Implications for OS privacy design. “an app that is granted access to a smartphone’s standard activity logging could render a reasonable prediction about a user’s identity even when they are logged out of their account. Similarly, if an app receives usage data from several third-party apps, our findings show that this can be used to profile a user and provide a signature that is separate from the device ID or username”.
Technology Policy
UK to create Advanced Research and Invention Agency Bill. Assumed equivalent of the old US ARPA which contributed to the creation of internet, and other stuff.
Other
Covid measures against flu. Seems that one flu variant has gone extinct.
In case you feel it's worth it to forward this content further:
If you’d like to share: