TechSec’s Bi-Weekly Tech News Digest: April 8, 2022
By Daniel Haltmeier
Welcome to the third bi-weekly Tech News Digest, provided by the GISA Technology and Security Initiative (TechSec). Our goal here is to give you an easy-to-read update on what has been happening lately in the world of technology and security. To do so, we pick the top news stories from the last two weeks and present a short summary of each. Should you be interested in knowing more, just follow the links below the respective paragraphs.
Is your face a part of the future European facial recognition database?
European lawmakers have started discussing the unification of national police force photo databases across Europe, thus creating a single system with millions of faces (maybe including yours and mine?).
Under the current system, a national police force that investigates a suspect located in a different European country can ask that country to check their national databases (DNA, fingerprints or facial recognition). But what if the investigating police force could just do that themselves, no matter where the suspect is as long as he/she is in Europe? This proposal is currently being discussed as one element of the EU Prüm II proposal.
The Prüm I agreement laid the foundation for cross-border cooperation between European police forces and should now, according to the EU’s plans, be expanded with the Prüm II data-sharing proposals. The idea is to give all European police forces more “automatic” access to important databases. While facial recognition data sharing is not the only element in this proposal, it is the most controversial one.
In the last weeks, criticism of this plan has increased, especially from NGOs who are concerned about how Prüm II could normalize the large-scale use of facial recognition by police forces in Europe. Interestingly, even the European data protection supervisor (responsible for overseeing how EU bodies use data) criticized the expansion of Prüm.
Read more about this on WIRED.
Thousands of Amazon Satellites are soon going to orbit earth
Amazon will send thousands of satellites into low-earth orbit in an attempt to rival Elon Musk’s Starlink initiative, thus offering satellite-supported high-speed internet services to remote locations around the globe. This project, called “Project Kuiper”, will be implemented with a total of 83 rocket launches over the next few years. To give you an idea: Musk’s Starlink will send around 30’000 satellites to low-earth orbit and Project Kuiper will add at least another 3’000 to that. The problem: Starlink and Project Kuiper are not the only initiatives of this kind and low-earth orbit is starting to suffer from congestion.
The congestion of low-earth orbit is inhibiting the work of astronomers, who increasingly see light reflections of satellites instead of stars and asteroids. An additional risk is that satellites from different systems could collide and create out-of-control space junk. While access to satellite-supported high-speed internet has proven useful in the Ukraine crisis, we might want to start considering the downsides of sending thousands of satellites to an already congested space.
US successfully tests a hypersonic missile and tells nobody about it
Speaking of rockets, let’s come to their evil twin: missiles. It has been reported that Russia successfully used hypersonic missiles in the Ukraine war. Hypersonic missiles are one of the latest military technologies over which great powers have engaged in an arms race, and the US has been falling behind Russia and China, both of which have conducted a lot more tests of such missiles than the US in recent years. Hypersonic missiles are so important from a military perspective because they are much faster than conventional ones and thus difficult to detect. The risk is that these missiles can beat current missile defense systems because of their sheer speed.
It has now been reported that the US successfully tested a hypersonic missile in mid-March, but kept it quiet so as not to escalate tensions with Russia. The test came only days after Russia’s use of hypersonic missiles in its unjustifiable war against Ukraine. According to US officials, the newly tested US system is more sophisticated than the Russian one, which is just a modification of the conventional Iskander missile.
Multi-Factor Authentication isn’t that safe after all
You might have already read this story if you follow us on our social media channels or joined the TechSec initiative as a member, because this was our Top News Story last week. For a long time, multi-factor authentication (MFA) has been celebrated as a breakthrough in cybersecurity, protecting users of many services from unauthorized access. But now it seems that MFA is not the perfect miracle we had all hoped for.
There are different forms of MFA, and the weaker ones are not holding hackers back as expected. These weaker forms are the ones using SMS or special mobile apps (e.g. Google Authenticator) for the second step of authentication, while the stronger ones would use fingerprints or cameras. The problem: a large part of MFA still relies on these weaker forms, and they are being bypassed not only by specialist hackers but even by script kiddies.
Bypassing MFA is not that difficult. Hackers simply annoy the legitimate user by sending so many authentication requests to their devices that they eventually accept one just to make it stop. This technique is called prompt-bombing, and it goes to show that the old saying in cybersecurity is still true: the greatest risk to security is the user. For this reason, strong MFA would use built-in technological solutions for the second authentication step rather than relying on the user. Recent hacks have, however, shown that not even this strong MFA is an absolute barricade for malicious actors.
Despite this bad news, we should maintain MFA as a security standard. Some form of MFA is better than no MFA and although it might not stop all hackers, it can stop some of them. The question is: if MFA is not enough, how do we complement it? Educating the users on best practices might be a good starting point.
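One way to complement push-based MFA on the defender's side is to watch authentication logs for the prompt-bombing pattern described above: a burst of push requests to one account, especially one that ends in an approval. The following Python code is an added example, not part of the original digest; the log format, event names, time window and threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <event>". The format is an assumption.
SAMPLE_LOG = """\
2022-04-01T02:10:05 alice push_sent
2022-04-01T02:10:40 alice push_sent
2022-04-01T02:11:10 alice push_sent
2022-04-01T02:11:45 alice push_sent
2022-04-01T02:12:20 alice push_sent
2022-04-01T02:13:00 alice push_sent
2022-04-01T02:13:20 alice push_approved
2022-04-01T08:00:00 carol push_sent
2022-04-01T09:00:00 bob push_sent
2022-04-01T09:00:10 bob push_approved
2022-04-01T09:30:00 carol push_sent
2022-04-01T11:00:00 carol push_sent
2022-04-01T12:30:00 carol push_sent
2022-04-01T14:00:00 carol push_sent
"""

def detect_prompt_bombing(log, window=timedelta(minutes=10), threshold=5):
    """Return (user, kind, push_count) alerts; window/threshold are assumed tuning values."""
    events = []
    for line in log.strip().splitlines():
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))

    recent = defaultdict(deque)   # user -> timestamps of pushes inside the window
    in_burst = set()              # users already alerted for the current burst
    alerts = []
    for ts, user, event in sorted(events):
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:   # drop pushes older than the window
            pushes.popleft()
        if not pushes:
            in_burst.discard(user)                  # a quiet period ends the burst
        if event == "push_sent":
            pushes.append(ts)
            if len(pushes) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append((user, "burst", len(pushes)))
        elif event == "push_approved":
            if len(pushes) >= threshold:
                # Highest-priority signal: the user gave in after a flood of prompts.
                alerts.append((user, "approved_after_burst", len(pushes)))
            pushes.clear()
            in_burst.discard(user)
    return alerts
```

An "approved_after_burst" alert is the one to act on first, for example by revoking the resulting session and contacting the user through a separate channel.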
Read more about this on WIRED.
If you would like to hear more tech news, participate in events related to technology and security or learn practical technology skills, consider following us on Instagram or LinkedIn, or joining our Initiative as a member!