TechSec’s Bi-Weekly Tech News Digest: May 06, 2022
By Daniel Haltmeier
Welcome to the fifth bi-weekly Tech News Digest, provided by the GISA Technology and Security Initiative (TechSec). Our goal here is to give you an easy-to-read update of what has been happening lately in the world of technology and security. To do so, we pick the top news stories from the last two weeks and present a short summary. Should you be interested in knowing more, just follow the links below the respective paragraphs.
India passes new Data Law making VPNs less “private”
People who use Virtual Private Networks (VPNs) are not all criminals; many have a legitimate interest in hiding their online activities. Usually, VPNs are used to avoid detection by the state and its various institutions that might be interested in knowing what a particular user is doing online. VPNs can provide the necessary privacy and are in most cases provided by private companies. Indian users of VPNs could however soon lose the secrecy of their online sessions.
The Indian government has recently passed a new Data Law that forces private VPN providers to gather user data and store it for at least five years. The measure is being justified with the need for access to data to combat cybercrime. However, many users and, crucially, VPN companies are not convinced and see this as an unprecedented infringement upon Indian citizens’ digital rights. This is partially due to the fact that this data law is only the latest step in a marathon of government crackdowns on essential elements of a free and open democracy, including journalists and NGOs. Many VPN companies are therefore preparing for a fight against the government and may ignore the governmental directive entirely, continuing to provide no-log services. On the downside, many companies that do not comply with the directive may be forced to leave the Indian market in the long run. In any case, the losers of this whole episode are the Indian citizens, Indian internet freedom and Indian democracy.
Do you know where your personal data ends up? No? Facebook doesn’t either.
Another week, another Facebook leak. All users of any social media would probably like to know where their personal data ends up. But it might come as a surprise to many that even one of the major social media platforms itself (Facebook) has the same doubts. Leaked documents show that Facebook has no idea where all the collected personal data of users ends up.
Facebook is only worth its money (and is making money) because of your personal data (assuming that you’re a Facebook or Instagram user). Well, your personal data and that of many others. However, even the slowest governments have by now understood the downsides of having a company that can use personal data of all users without any restrictions. Many governments have therefore introduced regulations on how social media platforms must handle the personal data of users and now… well, now Facebook has absolutely no idea how to comply with these regulations. Why? Because in reality Facebook doesn’t know where the personal data goes once it has been collected. Even worse, Facebook isn’t even able to fully explain how its own system uses the data. Hence, if Facebook wants to comply with new regulations, the privacy engineers working on the platform still have a lot of work ahead (as they themselves say in a leaked document).
Small Drones – Big effect
We are way beyond the point in time when drones were just military equipment. By now, everyone can buy a small drone that has basic surveillance capabilities such as a camera with a live-stream feed to the “pilot”. These sorts of drones are now back at their historic origin: in the hands of the military, or more precisely in the hands of Ukrainian soldiers defending their territory against Russian invaders.
Drones are used for many different tasks in the Ukraine war. They aid in gathering intelligence such as enemy troop movements, in directing and correcting artillery fire, in search and rescue operations and in producing images depicting the sheer brutality of the war. Ukrainian soldiers are not the only ones using small drones that could fit in a handbag. Journalists have used them to show the level of destruction in Mariupol. Video footage taken with small drones in Bucha and depicting how Russian troops shoot innocent civilians could serve as evidence for accountability after the conflict ends. However, Ukraine’s information offensive to influence the war narrative has also benefited from small drone footage, for example by showing the bombardment of Russian positions or a particularly humiliating video of Russian soldiers being left behind, running after their trucks and falling in the snow. While the use of small drones in conflict is nothing new, the scale of their use is.
On the downside, civilians (such as aid workers or journalists) who use drones in a conflict zone might be mistaken for combatants using the drones for military purposes. If both civilians and soldiers use the same commercial drones for different purposes, the enemy will be unable to distinguish them. This puts civilians at risk of being mistaken for a valid target that can be engaged and killed, which raises serious questions for humanitarian law.
Russia is not only suffering losses on the battlefield but also online
In the Russia-Ukraine war a lot has not been going according to Russian plans. One element of their plan that has gone completely wrong is that instead of seeing a Moscow-led cyberwar, we are currently witnessing hacktivists and criminals wreaking havoc in Russia. This is the case despite the fact that for years now, Russian hackers have been some of the most feared worldwide.
Hacktivist groups such as Anonymous and Ukraine’s Volunteer IT Army, as well as criminal groups, are targeting Russia and creating losses for it even off the battlefield. Activities can include data theft, web defacement and many other forms of cyber operations. The main target is the government. Thus, hacktivists have stolen and published decades of Russian government emails, passwords and other sensitive data. These hacktivist activities not only support the Ukrainian war effort by discrediting Russia but can also reveal important information about Russian crackdowns on political dissidents.
While individual networks could be thought of as the “victims” of such attacks, the main victim is the myth of Russian cyber-superiority. However, Russia still has offensive cyber capabilities and one should not underestimate the consequences their use could cause.
Read more about this on THE WASHINGTON POST.
IHEID Phishing Attack was just an exercise
Before we end this wrap-up of tech news, we have one last piece of information related to the IHEID phishing email that all students and faculty received on Monday, May 2nd. According to the IT ServiceDesk of the institute, the phishing attack was just an exercise; the IT department of the Geneva Graduate Institute commissioned their IT security provider to carry out a simulated attack. According to the IT department, this is also why they took 6 hours to send a warning mail about the incident to all students. For students and other members of the institute community there is therefore no reason for panic; even if you clicked on the link your data is safe. However, you might want to have a quick look at TechSec’s Instagram Page to see a few tips on how to spot phishing mails in the future.
If you would like to hear more tech news, participate in events related to technology and security or learn practical technology skills, consider following us on Instagram or LinkedIn, or joining our Initiative as a member!