TechLetters #69 - Cyber and information warfare in war in Ukraine. Web browser 0days on the rise. Fake fact-checkers. Facebook GDPR fine, AI-created chemical weapons?
Security
Sabotaged npm node-ipc package. A supply-chain compromise initiated by the package's own developer. It targets systems in Belarus and Russia (it geolocates the local system with a network call). It could replace the contents of files with a ❤️ emoji. Affects other popular software like Vue.js. Unexpected behaviour in software. Generally, when you install software, you expect it to work and to be trustworthy. And that’s the issue: trust. It is a very popular package. Russia's Sberbank recommended that users stop installing software updates, fearing “sabotage”. As general advice, that is a controversial recommendation.
Web browser zero-days on the rise. Interesting take: “we believe we’re seeing more exploits due to evolved attacker focus. There are two reasons to suspect attackers might be choosing to attack Chrome more than they did in the past”. “an attacker generally now has to use more bugs than they previously did. For exactly the same level of attacker success, we’d see more in-the-wild bugs reported over time, as we add more layers of defense that the attacker needs to bypass … there’s simply the fact that software has bugs. Some fraction of those bugs are exploitable.”
Russia expects to continue the dialogue with the USA on cybersecurity. And keep it “professional” and “depoliticised”.
European banks will isolate their Russia-based systems. To "reduce their vulnerability to cyberattacks following the invasion of Ukraine". Kill-switches deployed. But can these be fast enough?
China allegedly intercepted America's cyber weapons. Well, intelligence tools. However, maybe this is not the case. It’s actually an old and well-known tool posted in 2016. So the actual question is: why speak about it like that over official channels? And in particular, why speak about it now?
Germany about Kaspersky. The German Federal Office for Information Security (BSI) issues a cybersecurity warning about the use of Kaspersky antivirus. BSI says that Kaspersky products "may be used in cyber operations"?
Cyberwarfare on Ukraine. "Russia is attacking not just with missiles and with bombs, but with cyber weapons". On Tuesday, 85% of its modems were still down. It will take weeks to fully repair.
Fake “fact-checkers” spread Russian war propaganda. They verify “truth” to be “fake”. “One purported to debunk false footage of explosions in Kyiv, while others claimed to reveal that Ukrainians were circulating old videos of unrelated explosions and mislabeling them as recent. Some of the videos claim to debunk efforts by Ukrainians to falsely label military vehicles as belonging to the Russian military … They’re trying to make people think that when you see destroyed Russian military hardware, you should be suspicious of that”.
Reportedly, the UK used ad infrastructure to direct 'war awareness messages' to the Russian population. Information operations.
Information operations lever switched. "former COVID conspiracy theorists pivoted to pro-Russia talking points in European countries like France, Germany, Spain, Switzerland and the Czech Republic"
Privacy
Irish DPA fines Meta/Facebook €17m. "failed to have in place appropriate technical and organisational measures to demonstrate the security measures to protect users’ data"
Technology Policy
Other
Achievement of AI. It took only 6 hours for the AI model to propose 40,000 types of chemical weapons. For the sake of simplicity, the ones based on VX gas. A real problem. Methods for such design/calculations are widely available. To all...
the genie is out of the medicine bottle when it comes to repurposing our machine learning. We must now ask: what are the implications? Our own commercial tools, as well as open-source software tools and many datasets that populate public databases, are available with no oversight. If the threat of harm, or actual harm, occurs with ties back to machine learning, what impact will this have on how this technology is perceived? Will hype in the press on AI-designed drugs suddenly flip to concern about AI-designed toxins, public shaming and decreased investment in these technologies?