shift change 01-10-2024

Welcome to your shift change, reports from the off-going watch to the oncoming on anything interesting in privacy, security, or intelligence.

1. Russia hacks Ukraine, burns access to a major intelligence asset, and Ukraine…hacks back.

Russia did this :

Kyivstar, Ukraine’s largest mobile network operator, was knocked offline by Russian spies last month in what appeared to be the largest cyber attack since Moscow launched its war on the country in February 2022.

Russian hackers were inside Kyivstar's systems for months before the attack, Ukraine's cyber spy chief, Illia Vitiuk, told Reuters last week. The hack caused "disastrous" destruction at the company, he said.

So Ukraine did this:

Hackers linked to Ukraine’s main spy agency have breached computer systems at a Moscow-based internet provider in retaliation for a Russian cyber attack against Ukrainian telecom giant Kyivstar, a source with direct knowledge of the operation told Reuters on Tuesday.

The hacking group, dubbed "Blackjack", has previously been linked to the Security Service of Ukraine (SBU). The hackers deleted 20 terrabytes of data at M9 Telecom, a small Russian internet and TV provider, leaving some Moscow residents without internet, the source said.

So it’s Blackjack (Ukraine) versus Sandstorm (Russia) in a battle of burning sources, methods, and access to critical infrastructure to ruin each other’s IT departments for a few days. These feel like short term decisions more for the news headlines than productive in-the-long-run, but there is always friction between protecting intelligence sources and methods and using the access those sources and methods provided you to try and harm your adversaries ability to harm you. Ukraine responding, or more importantly, showing it has the ability to respond in kind, makes sense—but why did Russia’s incentive to use Sandworm’s access override the incentive to keep that access in one of Ukraine’s largest telecommunication providers, and all the data that access comes with? 

The “why’s” of these moves are more important for the long term strategic understanding of Ukrainian and Russian decision making than the impact of either hack, at least without more.

2. Bitcoin scammers take over the SEC’s exTwitter account—good thing the SEC doesn’t have to file a report about itself to itself.

3. Large language models are getting better at handling language, increasing the difficulty of spotting a scam or phishing attempt based on bad syntax or grammar, don’t trust me—trust NSA and Rob Joyce:

“One of the first things they’re doing is they’re just generating better English-language outreach to their victims, whether it’s phishing emails or something much more elaborative in the case of malign influence,” he said.

Joyce didn’t name any specific AI company, but he said the issue is widespread.

“They’re all subscribed to the big-name companies that we would expect, all of the generative AI models out there,” he said.

4. New Jersey gets a consumer privacy law—but no private right of action, which means you have no rights because someone else has to decide you have them and you’ve been harmed and that means they need to care, which means Attorneys General and judges…so good luck! If you want a quick razor (like Occam’s or Hanlon’s) for privacy laws, see if they have any private right of action or if all your rights sit in a desk drawer of a state AG…there’s your razor.

Consumer Protection commends the bill, but also says “we see room for improvement, particularly relating to the bill’s data minimization and enforcement provisions.” Companies despise private rights of action because it means potential new law suits from individuals, Attorney Generals love new statutory authority they will be too busy and underfunded to use because if they use it once they will run on being consumer advocates, and companies love knowing AGs will be wildly underfunded and understaffed to use the authorities, so everyone is happy except: the consumers.

5. Are hospitals protected? The Biden administration wants hospitals (at least those who want that sweet, sweet Medicare and Medicaid cash) upping-their-game, which really just means the HIPAA security rule clearly is not working to meet the need, or we as a society are not allocating enough money to make it work.

6. The FTC orders X-mode to stop selling location data it has collected, and destroy it.

Federal privacy protections, now, please!

The FTC has been cracking down on health privacy violations after the U.S. Supreme Court ruled there is no constitutional right to an abortion when it overturned Roe v. Wade in 2022. A Biden executive order in July 2022 directed federal agencies to protect people’s privacy related to reproductive health care services.

With no federal law against selling location data from smartphones, cars, computers and other connected devices, companies are able to collect and share people’s whereabouts, which can track individuals to their homes, workplaces and other sites.

7. Browser opt-out in Colorado, momentum builds for universal or portable control for internet browser settings.

Colorado joins California, and (once enacted) New Jersey in requiring internet browsers to respect universal opt out systems, though again, good luck enforcing it without your state AG caring. Right now it is just one system, the Global Privacy Control, but others will likely follow.

## The shift change is a collection of timely stories of interest in the security, privacy, and intelligence worlds. Thanks for reading, and feel free to reach out to will@signaltonoise.fyi for any questions, comments, or thoughts on items you’d like to see highlighted.