Newsletters

The Trump Administration's cavalier disregard for common sense security protocols is blatantly inviting serious security breaches. This week exposed the absence of any kind of security culture at the highest levels of the US national security community.

The story of how The Atlantic editor in chief was inadvertently added to a high-level US national security discussion covering plans for military action against Houthi rebels in Yemen has been well covered in the media, so we won't rehash it all.

In short, The Atlantic's Jeffrey Goldberg was added to a Signal group chat in which senior US officials discussed plans for military action against Houthi rebels in Yemen. The group chat included Vice President J.D. Vance, Defence Secretary Pete Hegseth, CIA Director John Ratcliffe and Director of National Intelligence Tulsi Gabbard, among others. 

Ukraine's state railway company says that a "massive targeted cyber attack" has taken down its online ticketing system over the weekend.

The incident took place on Sunday night. In a Facebook post, Ukrzaliznytsia blamed the incident on "the enemy," a term Ukrainians use to describe Russia.

The company's website is currently down, and officials are restoring from backups. The incident was very likely a data wiper attack, which Russian hackers have employed on numerous occasions since Russia's invasion in February 2022.

I'll start this newsletter edition by saying from the get-go that today's topic—the Year 2038 problem—isn't new at all.

It has a Wikipedia page dating back to 2005, a 2009 XKCD comic, and was at the center of a Guardian article back in 2014.

It was a tweet from security researcher Pedro Umbelino last week that reminded me of this problem and how close to its deadline we have gotten—because, yes, everyone gets old!

An anti-regime hacktivist group has claimed credit over a cyberattack that crippled the on-ship communication systems of 116 Iranian ships.

The ships are operated by the National Iranian Tanker Company (50) and the Islamic Republic of Iran Shipping Company (66).

According to Nariman Gharib, a London-based Iranian cyber espionage investigator, the alleged affected vessels are these ones.

China ramped up its name and shame cyber rhetoric this week when it identified and threatened four Taiwanese individuals it alleges are involved in cyber operations targeting the mainland. 

The four were named in a Chinese Ministry of State Security (MSS) Weixin post that published the names, passport-style photographs, birthdates, ID numbers and job titles within Taiwan's Information Communication Electronic Force Command (ICEFCOM). The unit was set up in 2017 and brings together the Ministry of National Defense's communication, cyber and electronic warfare units. 

This is the second time that the MSS has doxxed Taiwanese military hackers. In September of last year it published the identities of three other alleged cyber operators, but without some of the more granular identifying details.

China's main intelligence agency said on Monday that a branch of the Taiwanese military is behind an APT group known as PoisonIvy and GreenSpot.

China's Ministry of State Security (MSS) says a cyber warfare center (Network Environment Research and Analysis Center) inside the Taiwan Information, Communications, and Electronic Force Command (ICEFCOM) is behind the APT group's operations.

The MSS accused ICEFCOM of hacking Chinese government agencies, military targets, organizations in China's critical sectors, and private sector companies.

A threat actor compromised a popular GitHub Action and added malicious code that prints out secret tokens in project build logs.

The incident took place on Friday and impacted tj-actions/changed-files (hereinafter Changed-Files), an automated action used by over 23,000 GitHub projects.

The action works by analyzing pull requests and detecting what files. It is used in complex CI/CD pipelines to trigger other actions based on what files are changed. It is a basic but very important automation script, and the reason why it become one of GitHub's most popular actions.

The FBI says that cybercriminals are using free file format and document conversion tools to scrape personal data and deploy malware, and even ransomware.

The warning applies to online websites that convert files between different formats, but also apps that users download on their devices.

Reports of malware being added to a converted file have been around for over a decade, although no major security breach has ever been linked to a file converter.

We have consistently argued for TikTok to be banned in the US as it could be a powerful tool for the Chinese government to interfere with American political discourse. For US allies, a similar argument now applies to X. 

Commentators in Canada and the UK have already floated the idea of banning X. Meanwhile, in France, prosecutors have announced they've opened an investigation into X over alleged algorithmic bias. The investigation was launched after the prosecutor's office received complaints about X's interference in French democratic debate. 

X isn't TikTok, but in many ways it's actually worse. X actively promotes CEO Elon Musk's hard-right, fascist ideology, while interference on TikTok is mostly a theoretical risk. TikTok might be up to something and might improperly use its influence one day. Musk's interference on X, on the other hand, is as subtle as a brick to the head. 

A team of academics is conducting a large-scale public study to assess the real-world impact of the Rowhammer vulnerability.

First described in a 2014 research paper, Rowhammer is an attack that revolves around the concept of "hammering" a row of RAM memory cells with constant read or write operations. The constant process of turning memory cells on and off causes electrical interference on nearby memory cells, which academics say can be exploited to alter or leak memory data.

For the past decade, multiple teams of academics from all over the world have expanded the original attack to cover multiple technology platforms and optimize and speed up attacks, even showing theoretical web-based exploitation via JavaScript code and raw network packets. Researchers even bypassed some of the tech industry's Rowhammer protections.