Lukasz Olejnik

@lukOlejnik

Followers: 14K
Following: 4K
Media: 5K
Statuses: 18K

Security&Privacy. Data protection. Research. Engineering. Analyst. Policy. W3C. Consultant. Book author. (perhaps happy to work for you?). Ph.D, LL.M. @warstudies

Brussels / London / EU
Joined March 2013
@lukOlejnik
Lukasz Olejnik
19 days
I’ve had a busy last year working and publishing in cybersecurity and data protection, and I’m looking forward to new opportunities. If you could use expertise in cybersecurity, risk assessment, privacy regulations (GDPR and more), and standards, . 1/2.
1
4
9
@lukOlejnik
Lukasz Olejnik
1 year
They HACKED A TRAIN. For real. Train operators asked for this to see why their trains didn't run after servicing. Turns out that vendor/producer implemented a geofence lock for trains serviced somewhere else. Amazing story, one of the best hacks in 2023.
30
902
4K
@lukOlejnik
Lukasz Olejnik
7 years
Wow. France wants to make private companies liable for security defects in products. After end of support - to make source code available. France will take the discussion on the international level.
35
1K
2K
@lukOlejnik
Lukasz Olejnik
3 years
It turns out that wireless charging leaks private data. It leaks information about websites visited by the user. " allows accurate website fingerprinting on a charging smartphone". Information leaked depends on the battery level. Cool work! #GDPR #ePrivacy
26
648
2K
@lukOlejnik
Lukasz Olejnik
6 months
Apple introduces homomorphic encryption via Swift. A cryptographic technique that enables computations to be done on encrypted data without revealing the underlying unencrypted data in the process. For example during cloud computations. In short, the building blocks of
42
296
2K
@lukOlejnik
Lukasz Olejnik
2 years
Emojis can be used to deliver malicious payloads (i.e. to hack systems). Clever.
15
266
1K
@lukOlejnik
Lukasz Olejnik
1 year
Breaking RSA private keys without ridiculously powerful computers due to implementation errors introduced by hardware bugs. "these invalid signatures and vulnerable devices are surprisingly common"
13
295
1K
@lukOlejnik
Lukasz Olejnik
8 months
Critical bug in Windows systems. It is possible to take control of the system via Wi-Fi. The user does not have to do anything. All he needs is for someone within range of his wifi to want to hack him. The attack is simple, repeatable, reliable.
21
262
1K
@lukOlejnik
Lukasz Olejnik
7 years
Hi there! European Parliament has just passed end-to-end encryption and no backdoors in #ePrivacy Regulation. And how's your day?
14
725
913
@lukOlejnik
Lukasz Olejnik
2 years
Do not browse the web in in-app browsers (e.g. in apps like Facebook, Instagram, TikTok). Experience is bad. Those apps also INJECT TRACKING INSTRUCTIONS. They control every interaction, all that is typed, clicked. Browse with normal web browsers.
12
411
930
@lukOlejnik
Lukasz Olejnik
28 days
Chinese hackers (actually, cyber operators) gained control to shut down U.S. ports, power grids, and other critical infrastructure. Intrusions were severe, with key details lost permanently due to erased logs and inadequate tracking.
13
223
829
@lukOlejnik
Lukasz Olejnik
1 year
Signal is testing username feature. This would mean that you would not have to provide your phone number to people you want to contact. You will be able to set your phone number as private and not share it.
30
133
758
@lukOlejnik
Lukasz Olejnik
3 years
This is a huge world precedent. Not even Stasi or other communist country "security services" had a DIRECT LINE into people's lives, essentially their minds.
@lukOlejnik
Lukasz Olejnik
3 years
Here. I said it in @Telegraph. Any kind of data may be potentially targeted. Apple's system is a world-precedent in the area of remote inspection of private data/files. This is a huge power/capability.
11
204
545
@lukOlejnik
Lukasz Olejnik
2 years
Meta/Facebook was fined a record #GDPR EUR 1.2 BILLION for violating European privacy rules. The company has now been given a DEADLINE to stop the transfer of user data to the United States. This (if nothing changes) means SHUTDOWN OF Facebook in Europe.
16
129
570
@lukOlejnik
Lukasz Olejnik
4 years
Persistent tracking of users without cookies? With favicons! Yes, the little icons next to the URL bar in your web browser. User interaction/consent not needed. Supercookie! #GDPR #ePrivacy
12
236
494
@lukOlejnik
Lukasz Olejnik
1 year
Security vulnerability in. qsort. Yes, the glibc's sort algorithm. It's all over the place on systems running the Internet. "All versions from at least September 1992 are affected". That makes it a more than 32 years old bug.
13
153
512
@lukOlejnik
Lukasz Olejnik
8 months
@VeraJourova With all due respect, today you mentioned breaking, exactly. As for the infrastructure, it would be an inefficient solution, easy to bypass (& ineffective), but introducing a dangerous precedent. Extending the scanning to other content would then be really simple. #ChatControl.
@lukOlejnik
Lukasz Olejnik
8 months
So here's @EU_Commission's VP @VeraJourova speaking that the #ChatControl regulation is designed to break encryption (captioned. Mass, untargeted surveillance. Oh and by the way, the European Court of Human Rights has a verdict that untargeted encryption breaking is illegal.
10
47
441
@lukOlejnik
Lukasz Olejnik
2 years
LastPass breach is much more serious than the official Breach Notice wants you to know. It is, however, very smartly crafted. Essentially cybersecurity/privacy PR. Decrypted here.
12
131
430
@lukOlejnik
Lukasz Olejnik
2 years
Russia cyber intelligence service hijacked a BMW advert, lowered its price, disseminates it at other embassies trying to spread malware.
11
158
422
@lukOlejnik
Lukasz Olejnik
4 years
Data leak of 1.3M ClubHouse users. Have a great Sunday! #GDPR #ePrivacy #DigitalServicesAct
14
250
373
@lukOlejnik
Lukasz Olejnik
3 years
Thanks to (stolen/“liberated”) Apple's AirPods, you can track the movements of Russian troops regrouping. The beauty of modern information technology :).
6
142
335
@lukOlejnik
Lukasz Olejnik
6 years
This Android 9 privacy addition is great. Unique wifi MAC for each wifi network. Limits tracking and profiling. Especially handy for public wifis. Enable it.
9
171
332
@lukOlejnik
Lukasz Olejnik
1 year
European Court of Human Rights delivers a landmark ruling that data retention is unlawful, and end-to-end encryption is upheld as a right in a democratic society. This ruling puts fundamental limitations on any European Union attempts, too.
6
166
330
@lukOlejnik
Lukasz Olejnik
7 months
Poland-Ukraine cooperation agreement signed. Poland gives security guarantees to Ukraine in the event of future Russian aggression. But also in the event of intensification of current ones.
6
75
296
@lukOlejnik
Lukasz Olejnik
2 years
Users of glasses beware! You may be leaking secret data during Zoom/Skype/etc videoconferences. Screen reflected in glasses, then visible during a videoconferencing. School-grade physics/optics sufficient to understand the exploit equations.
5
99
288
@lukOlejnik
Lukasz Olejnik
5 years
Apple/Safari Intelligent Tracking Prevention is a mechanism intended to improve privacy. It was found to have privacy vulnerabilities allowing sites to track the user (and fingerprint), and to steal web browser history of a user. Incredible find.
2
131
276
@lukOlejnik
Lukasz Olejnik
2 years
List of 33 targets in Greece of the Predator hacking/surveillance tool published. Minister of finance, foreign affairs, former ministers, journalists. Allegedly, of course, unconfirmed. Domestic political issue. Let's wish them fun.
5
140
270
@lukOlejnik
Lukasz Olejnik
7 years
I analyse the French review of cybersecurity strategy. Interesting document. Hack-back, liability of products, retaliatory actions following a cyberattack, and more. Pretty good strategic document.
9
181
262
@lukOlejnik
Lukasz Olejnik
2 years
New directions in ransomware? I didn’t know this one. :)
6
37
258
@lukOlejnik
Lukasz Olejnik
1 year
This also shows how reverse engineering may help in competition proceedings. The acts of the producer - locking up the trains to make them unusable if serviced in other servicing stations - how else to call this.
1
12
240
@lukOlejnik
Lukasz Olejnik
4 years
I describe our work. Use of CNAME tracking is rising. It leads to web security vulnerabilities, active and passive private user data leaks on the web. Trackers get some data without consent and user awareness. Safari users are targeted. #GDPR #ePrivacy
11
128
232
@lukOlejnik
Lukasz Olejnik
3 years
German Federal Office for Information Security issues a cybersecurity warning from the use of Kaspersky antivirus? Apparently Germany says that Kaspersky products "may be used in cyber operations"? Wow.
21
142
222
@lukOlejnik
Lukasz Olejnik
7 years
Singapore stops its "Smart Nation" (connected and intelligent "everything") project following a data breach of 1.5M patients. #GDPR
8
243
229
@lukOlejnik
Lukasz Olejnik
5 years
Privacy preserving contact tracing. Looks really solid and privacy proofed. Hope someone will use it, though seems governments increasingly ship their own solutions (hopefully/oddly, it will not become a matter of State competition. ?). #GDPR #ePrivacy
5
129
229
@lukOlejnik
Lukasz Olejnik
11 months
Security flaw in Apple M1/M2 processor architecture. Information leaks. Encryption keys can be stolen. Cannot be fixed at the processor level (might be mitigated in software implementations). Perhaps a good idea to hold off on hardware purchases of M1/2/?
7
51
229
@lukOlejnik
Lukasz Olejnik
3 years
Some post-quantum cryptography system broken (Supersingular Isogeny Diffie–Hellman protocol). Attack works in practice, taking "one hour on a single core". That was fast. Highlights the importance of studying those prior to mass deployment/transition.
5
90
222
@lukOlejnik
Lukasz Olejnik
5 years
Chrome web browser to expose to the websites what the users are searching for (ctrl-f or "search" prompt). Risky link between browser interface and website. Privacy risks: (1) profiling the user, (2) discovering interests. Anything else? #GDPR #ePrivacy
11
94
201
@lukOlejnik
Lukasz Olejnik
6 years
Chrome suddenly introduced automatic browser sign-in. Consent, user awareness, dark patterns? I provide a case study through privacy lens. #GDPR
8
154
201
@lukOlejnik
Lukasz Olejnik
6 months
NIST publishes standards for next-generation cryptography (cipher, digital signature) understood as resistant to attacks with future quantum computers. Migration will not be a piece of cake, but there’s time.
6
80
210
@lukOlejnik
Lukasz Olejnik
6 years
First reported human casualties/injuries following cyber attacks (on industrial systems, power production)? If confirmed, that would be something.
3
166
179
@lukOlejnik
Lukasz Olejnik
8 years
Exfiltrating private data like browsing history using browser ambient light sensors. My work with @arturjanc
2
195
187
@lukOlejnik
Lukasz Olejnik
1 year
Apple will let users verify if the person they speak to over iMessages is really the person, or maybe the account is hijacked. Via implementation of COSIK, key transparency/verification cryptographic protocol. Some serious cryptographic engineering here.
4
70
195
@lukOlejnik
Lukasz Olejnik
8 years
Mozilla is completely removing Firefox support for battery level readout by websites, citing privacy concerns.
@lukOlejnik
Lukasz Olejnik
9 years
Web scripts using battery level readouts to track users. Privacy analysis of @w3c Battery Status API
6
175
170
@lukOlejnik
Lukasz Olejnik
2 months
The Chinese Computer Emergency Response Center announced that a U.S. intelligence agency hacked an advanced materials unit and an energy-focused company, stealing important trade secrets and intellectual property via trojans.
9
58
181
@lukOlejnik
Lukasz Olejnik
9 months
Google has unveiled an LLM model that, by monitoring phone calls, will be able to warn of suspected fraud. Great! However, this also means that technical capabilities have already been, or are being developed to monitor calls, creation, writing texts or documents, for example
4
80
176
@lukOlejnik
Lukasz Olejnik
2 years
Dangerous Linux kernel privacy vulnerability in TCP/IP implementation. User fingerprinting. Attack could be deployed on a malicious website! Tracking devices across browsers, browser privacy modes, containers, networks. Very serious. Privacy is hard #GDPR
2
74
172
@lukOlejnik
Lukasz Olejnik
3 years
GPU fingerprinting of devices, via web browser of course. It's surprisingly strongly effective. Privacy, again, is hard. #GDPR #ePrivacy
1
72
167
@lukOlejnik
Lukasz Olejnik
7 years
Instagram collecting battery level of user devices (and nearby devices/networks). Curious to learn the purpose (“to better personalize”?) Privacy assessment of battery channel is here: #GDPR #ePrivacy
13
157
165
@lukOlejnik
Lukasz Olejnik
8 months
So here's @EU_Commission's VP @VeraJourova speaking that the #ChatControl regulation is designed to break encryption (captioned. Mass, untargeted surveillance. Oh and by the way, the European Court of Human Rights has a verdict that untargeted encryption breaking is illegal.
10
71
159
@lukOlejnik
Lukasz Olejnik
1 year
Smartphones today are prepared to process/collect some very sensitive, if private, information. For example, full support for tracking sexual activity. First, Android. For example: getProtectionUsed. #GDPR )
8
55
159
@lukOlejnik
Lukasz Olejnik
2 years
Critical cryptographic vulnerabilities found in a popular end-to-end encryption library Matrix. Attacks are possible and demonstrated. This work is among the most impactful security research this year. It shows that designing secure protocols is tough.
2
71
155
@lukOlejnik
Lukasz Olejnik
6 years
My analysis of @ICRC report selection. Cyberoperations. What impacts on exploit cost? Why supply chain attacks are a risk? Targeting health care (lethal cyberattacks; can you even detect?), ICS. Armed conflict context. How to move forward? #CyberICRC
3
75
155
@lukOlejnik
Lukasz Olejnik
5 years
I analyse the recent French document interpreting international law to cyberattacks and cyberwarfare. Interesting. Contradicts some long-held belief. Will other States follow in transparency?
4
101
150
@lukOlejnik
Lukasz Olejnik
1 year
iPhone apps are collecting quite some A LOT OF user private data. Extremely verbose, allowing to fingerprint, perhaps even track users. Context from my works. About privacy risks of light data: Risks of battery information:
@mysk_co
Mysk 🇨🇦🇩🇪
1 year
This screenshot shows the app analytics data sent by two different iOS apps: @duolingo and @Tinder. What's the likelihood that both apps are installed on the same device? 💯? 🤯. Both apps use @unity Ads. The data in the screenshot is collected by the Unity Ads framework included
5
65
150
@lukOlejnik
Lukasz Olejnik
30 days
Will AI destroy the quality of search engines? May it disrupt our ability to perceive reality? We’ll search for things that do not exist, and find them generated. We will believe that things which do not exist, do exist? For example, a dissemination of fake content. (Via Reddit)
9
55
156
@lukOlejnik
Lukasz Olejnik
1 year
Longer description of the train hacking (controller software reverse engineering) story.
2
13
147
@lukOlejnik
Lukasz Olejnik
1 year
Every macOS/iPhone (2020+) susceptible to information leak, for example GMail password theft. By visiting a website from Safari/Firefox. CPU architecture attack. Great research!
1
48
150
@lukOlejnik
Lukasz Olejnik
3 years
My article, analysis, op-ed in @WIRED about smartphone apps letting Ukrainians report Russian forces. Such capability blurs the lines between civilians (to be protected by international humanitarian law) and combatants, the core principle of distinction.
17
62
140
@lukOlejnik
Lukasz Olejnik
2 years
I made a Spreadsheet with InfoSec account names! Add yourself here: The list is here:
5
43
141
@lukOlejnik
Lukasz Olejnik
4 years
In Australia, the new cybersecurity laws will enable the Secretary (effective immediately) to order a company to install specified software and keep the computer connected to internet. Fines for non-compliance.
10
67
145
@lukOlejnik
Lukasz Olejnik
7 years
Exfiltrating data via power lines. Very interesting and cool covert channel. Bypasses air-gaps. 1000b/s.
5
102
146
@lukOlejnik
Lukasz Olejnik
5 years
My opinion article in @WIRED about an element in India's data protection law proposal that might threaten privacy (and security) research. Outright banning re-identification, without proper considerations, may weaken data protection and systems security.
5
104
146
@lukOlejnik
Lukasz Olejnik
1 year
My book Philosophy of Cybersecurity tackles a broad domain from systems, user's security, healthcare, critical infrastructure, to policy and politics matters, international law, and cyberwarfare. Carefully written, with examples, scenarios. Happy readings!
3
43
143
@lukOlejnik
Lukasz Olejnik
3 years
"Below approximately 80% state of charge, both wired and wireless charging side-channels observed in this experiment do not leak information. consistently classify traces with a battery state 90%". Privacy-preserving advice: have less than 80% battery charge? :-)
3
22
138
@lukOlejnik
Lukasz Olejnik
4 years
Demonstration of forging physical keys ('Yale'-type) using the sound of door unlocking. Neat! Unlock doors slowly, carefully, quietly? ;-)
2
83
138
@lukOlejnik
Lukasz Olejnik
8 months
User accounts are being taken over on TikTok. Including CNN, Paris Hilton, Sony's accounts. The exploit has to do with opening the direct/private messages. It is not necessary to click on anything. It is better to avoid DMs for a while.
3
99
132
@lukOlejnik
Lukasz Olejnik
3 years
UK will conduct offensive cyberattacks against hostile states that will try to harm the UK "we have a right under international law". First such official announcement of the Ministry of Defence (secretary). Will massively develop offensive cyber forces.
7
95
133
@lukOlejnik
Lukasz Olejnik
6 months
Hacker took control of the control of 4 million photovoltaic panels in the Netherlands. It turned out to be very simple. Cyber security of renewable energy sources is going to be a problem. New requirements and regulations will have to be developed.
3
74
133
@lukOlejnik
Lukasz Olejnik
1 year
My life story, or life with a disability. I have a hearing impairment. I am a person with a disability. I explain what it is about. Why did I write this? Because I hope it will be useful to at least one person.
11
38
139
@lukOlejnik
Lukasz Olejnik
10 months
Crisis on cybersecurity exploits market? Prices of security breach tools are rising. As much as $50k for WinZip, $7 million for zero-day for iPhone, $5m for Android up to $5m for "hardware" running on WhatsApp and iMessage. Higher cost = better security
4
38
136
@lukOlejnik
Lukasz Olejnik
3 years
Today, Poland is formally forming a cyber army. With full spectrum aim: defence, reconnaissance (ISR), offensive operations. The overarching context is quite. broad, but the current atmosphere in the region is focused on a specific single threat.
6
43
124
@lukOlejnik
Lukasz Olejnik
3 years
Sabotaged npm node-ipc package. Supply-chain compromise initiated by the package developer. Targets systems in Belarus and Russia. It could replace contents of files with a ❤️ emoji. Affects other popular software like Vue.js. Unexpected in software.
4
52
119
@lukOlejnik
Lukasz Olejnik
4 years
Google to make Android Messages end-to-end-encrypted. Instantly for hundreds of millions of users. It will use the Signal Protocol, which is great. Encrypted messages will have different background color. #GDPR #ePrivacy
5
60
127
@lukOlejnik
Lukasz Olejnik
3 years
Here. I said it in @Telegraph. Any kind of data may be potentially targeted. Apple's system is a world-precedent in the area of remote inspection of private data/files. This is a huge power/capability.
@lukOlejnik
Lukasz Olejnik
3 years
My comment in @Telegraph about Apple's new tech to scan images on user's devices for illegal content. Such a 'surprise feature' makes you wonder what may or may not come in the future, and what are really the security and privacy guarantees.
4
49
125
@lukOlejnik
Lukasz Olejnik
1 year
EW (?) operation against train system in Poland. Hijacked frequencies cause disruption (emergency RADIO-STOP signal emitted), and. Russian national anthem, and Putin's speech. Developing. Weird things start to happen. Requires physical proximity.
@PKP_PLK_SA
PKP PLK SA
1 year
Announcement ❗️ On the night from Friday to Saturday, unauthorized transmission of the radio-stop signal was recorded in the West Pomeranian Voivodeship. The relevant services took action immediately. There is no danger to rail passengers. The only effect of the incident is changes to train schedules👇
5
86
130
@lukOlejnik
Lukasz Olejnik
1 month
Is Google undoing a decade of progress on privacy? Their new policy allows invasive device fingerprinting for tracking user activity. Here’s my deep dive into what this means for privacy—and the future of AI.
7
43
134
@lukOlejnik
Lukasz Olejnik
2 years
Negative Pressure Room is a technical-legal-sanity requirement for biolabs or infectious-control hospitals to prevent pathogens being leaked out. Now an attack is demonstrated to fool the sensors into turning it off . with specially crafted sound. Scary!
6
52
119
@lukOlejnik
Lukasz Olejnik
7 years
Apple has detected a privacy abuse against Safari users. Subsequently addresses a privacy risk arising from HTTPS Strict Transport Security when abused as a supercookie.
5
100
122
@lukOlejnik
Lukasz Olejnik
8 years
European Parliament intends to ship end-to-end encryption in #ePrivacy and prohibition of backdoors. Great!
4
105
113
@lukOlejnik
Lukasz Olejnik
1 year
Google/Chrome is deprecating and removing third-party cookies. So it has begun. End of the line for 3rd-party cookies is near. You will not be missed. #GDPR #DigitalServicesAct #privacy #dataprotection
@lukOlejnik
Lukasz Olejnik
1 year
User tracking on the web will be increasingly phased out. It will also be made more unwelcome, and illegal, than it is today. The political process to arrive there is in motion. Some technology companies feel this evolution and are preparing for this.
3
58
126
@lukOlejnik
Lukasz Olejnik
1 year
‼️BREAKTHROUGH? First quantum computer with a programmable processor based on encoded 48 logical qubits operating with up to 280 physical qubits, with error correction. Are we nearing the era of useful quantum computation? If this is real, maybe soon?
8
46
122
@lukOlejnik
Lukasz Olejnik
3 years
"Researchers developed a method to deliver a Facebook ad campaign to just one person out of 1.5 billion" "based only on the user’s interests", so on personal data (despite authors claiming otherwise!). Ultra-targeting. #GDPR #ePrivacy #DigitalServicesAct
9
82
112
@lukOlejnik
Lukasz Olejnik
3 years
Google Maps stops censoring/blurring photos of military/etc facilities in Russia. Symbolic, as for intelligence/militaries it was, of course, no secret for a long time, with today's satellite imaging technology. But feel free to look for nuclear launchpads
1
62
119
@lukOlejnik
Lukasz Olejnik
3 years
US Special Ops Command to fund new science-tech efforts in cybersecurity. Development of new operations capabilities. Including development of destructive cyber payloads, engaging SCADAs, bypassing air-gaps. "next generation effects". Whoa tools!
7
60
118
@lukOlejnik
Lukasz Olejnik
9 months
So here’s me giving my book Philosophy of Cybersecurity to the renowned cybersecurity thought leader (and haxor) @thegrugq. Thank you for a professional exchange of views!
4
6
119
@lukOlejnik
Lukasz Olejnik
8 months
My article with @gynvael in one of the most 31337 hacker/programming magazines out there! So you want to execute shellcode from Python? We got you covered! @pagedout_zine
@pagedout_zine
PagedOut
8 months
Issue #4 is out – enjoy! Please RT and tell your friends :)
1
29
124
@lukOlejnik
Lukasz Olejnik
7 years
Detecting private browsing modes getting more traction. Tell me again why this is not an issue? Important point from #ePrivacy but #GDPR points as well.
4
74
112
@lukOlejnik
Lukasz Olejnik
3 years
Lithuanian Defense Minister instructed citizens to avoid buying Chinese smartphones. He also advised that one should be thrown out. No joke: built-in technical censorship "features"! Government report points to source-code functions
4
82
113
@lukOlejnik
Lukasz Olejnik
3 years
First big case is in! Insurer lost a court battle: had to pay $1.4 billion to Merck, to cover the losses of the (allegedly) Russian NotPetya destructive wiper cyberattack, first released in Ukraine (2017). NotPetya was not "war".
@lukOlejnik
Lukasz Olejnik
5 years
Insurers increasingly formalising exclusion of cyberattack coverage. The Mondelez vs Zurich Insurance case where insurer refused coverage following #NotPetya infection citing "war-like activity" exclusion is known.
4
62
104
@lukOlejnik
Lukasz Olejnik
2 years
If you have a bad day, remember that Poland's top chief of Police apparently fired (by an 'accident') a grenade launcher RGW-90/Pallad-D. In his office. The result is structural damage to the building, the Main Police headquarters. Not even making this up. You CAN'T make this up.
@lukOlejnik
Lukasz Olejnik
2 years
Allegedly, a grenade launcher 'accidentally' fires in the center of Warsaw. In the main police department, by the way. It was a gift from Ukraine. I have no idea how that was possible.
11
30
112
@lukOlejnik
Lukasz Olejnik
3 years
Russian FSB conducted an operation against ransomware REvil group, at the request of the USA. Money/resources seized, people arrested. So, it signals cooperation between USA and Russia on the grounds of cybersecurity at least?
6
44
110
@lukOlejnik
Lukasz Olejnik
6 years
My privacy analysis of Progressive Web Applications (web app manifest). Interesting user tracking and cookie respawning potential/risk; transparency. Progressive Web Apprehension. #PWA #PWApprehension
2
66
115
@lukOlejnik
Lukasz Olejnik
3 years
Attempted cyberattack/operation aimed at Ukrainian media organizations (radio stations, newspapers, news agencies, etc.). Suspected Sandworm group trying to exploit CVE-2022-30190 (fresh, remote code execution vulnerability via Office/Word)
2
57
112
@lukOlejnik
Lukasz Olejnik
7 months
"Poland, at the request of Ukraine, will encourage Ukrainian citizens to return to Ukraine to serve in the Ukrainian Armed Forces".
2
12
106
@lukOlejnik
Lukasz Olejnik
7 years
I had a look at W3C Payment Request API. Result of my privacy analysis: fingerprinting, incognito mode detection.
1
66
107
@lukOlejnik
Lukasz Olejnik
3 years
France openly says: it will build information operations capabilities. Offensive doctrine ready. The military will only engage in information operations outside the French territory. Against people or States. This is about "winning the war before the war".
5
64
103
@lukOlejnik
Lukasz Olejnik
6 years
My op-ed in @Wired on Do Not Track browser setting. Yes, it does nothing; needed regulatory backing. But now it's on the table in Europe #ePrivacy regulation. High stakes and opportunity to fix consent management. #GDPR
4
85
98
@lukOlejnik
Lukasz Olejnik
2 years
French DPA fines Electricite de France, France's largest electricity provider €600,000. Hashed passwords without a 128-bit random salt and use of MD5 is a violation of #GDPR security requirements.
2
56
102
@lukOlejnik
Lukasz Olejnik
6 years
Still not too late to have end-to-end encryption in 5G. Key meeting in December. European law enforcement agencies view encryption as a problem and think about influencing?
3
79
109
@lukOlejnik
Lukasz Olejnik
2 years
Actual platform, unveiled yesterday by Palantir, using AI/LLM to plan military activities. Using artificial intelligence methods. AI in the military is a REVOLUTION. HUGE POSSIBILITIES. Allegedly assesses operations compliance with laws of war.
8
34
107