
Encrypting and watermarking health data to protect it

As medicine and genetics make increasing use of data science and AI, the question of how to protect this sensitive information is becoming increasingly important to all those involved in health. A team from the LaTIM laboratory is working on these issues, with solutions such as encryption and watermarking. It has just been accredited by Inserm.

The original version of this article has been published on the website of IMT Atlantique

Securing medical data

Securing medical data, preventing it from being misused for commercial or malicious purposes, from being distorted or even destroyed has become a major challenge for both health players and public authorities. This is particularly relevant at a time when progress in medicine (and genetics) is increasingly based on the use of huge quantities of data, particularly with the rise of artificial intelligence. Several recent incidents (cyber-attacks, data leaks, etc.) have highlighted the urgent need to act against this type of risk. The issue also concerns each and every one of us: no one wants their medical information to be accessible to everyone.

“Health data, which is particularly sensitive, can be sold at a higher price than bank data,” points out Gouenou Coatrieux, a teacher-researcher at LaTIM (the Medical Information Processing Laboratory, shared by IMT Atlantique, the University of Western Brittany (UBO) and Inserm), who is working on this subject in conjunction with Brest University Hospital. To enable this data to be shared while also limiting the risks, LaTIM is using two techniques: secure computing and watermarking.

Secure computing, which combines a set of cryptographic techniques for distributed computing along with other approaches, ensures confidentiality: the externalized data is coded in such a way that it is possible to continue to perform calculations on it. The research organisation that receives the data – be it a public laboratory or private company – can study it, but doesn’t have access to its initial version, which it cannot reconstruct. The data therefore remains protected.
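One technique in the secure-computing family is additively homomorphic encryption. The sketch below is an added example, not LaTIM's code (the article does not say which schemes the team uses): a toy Paillier cryptosystem in which a lab sums encrypted readings it cannot read. The prime sizes, function names and sample readings are assumptions chosen for illustration.

```python
import math
import secrets

# Toy parameters: two well-known Mersenne primes. A real deployment uses
# randomly generated primes of 1024 bits or more.
P, Q = 2**31 - 1, 2**61 - 1


def keygen(p, q):
    """Return (public modulus n, private key (lam, mu)). Generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)  # with g = n + 1, mu is simply lam^-1 mod n
    return n, (lam, mu)


def encrypt(n, m):
    """Data owner or lab: encrypt integer m with the public key only."""
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1  # fresh randomness per ciphertext
        if math.gcd(r, n) == 1:
            break
    n2 = n * n
    return (1 + m * n) * pow(r, n, n2) % n2


def decrypt(n, priv, c):
    """Data owner only: requires the private key."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n


def add_encrypted(n, c1, c2):
    """Lab side: ciphertext of (m1 + m2), computed without any key material."""
    return c1 * c2 % (n * n)


def scale_encrypted(n, c, k):
    """Lab side: ciphertext of (k * m) for a public integer weight k."""
    return pow(c, k, n * n)


def lab_weighted_sum(n, ciphertexts, weights):
    """What the external lab runs: it sees ciphertexts and public weights only."""
    acc = 1  # 1 is a valid (trivial) encryption of 0
    for c, w in zip(ciphertexts, weights):
        acc = add_encrypted(n, acc, scale_encrypted(n, c, w))
    return acc


# Constructed sample readings (not real patient data).
READINGS = [112, 97, 143, 128, 105]


def demo():
    n, priv = keygen(P, Q)                        # hospital keeps priv
    sent = [encrypt(n, m) for m in READINGS]      # only ciphertexts leave
    enc_total = lab_weighted_sum(n, sent, [1] * len(sent))
    enc_score = lab_weighted_sum(n, sent, [1, 2, 3, 4, 5])
    return decrypt(n, priv, enc_total), decrypt(n, priv, enc_score)


if __name__ == "__main__":
    print(demo())
```

Only sums and multiplications by public constants are possible with this scheme; richer analyses need other secure-computing techniques.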


Gouenou Coatrieux, teacher-researcher at LaTIM (Laboratoire de traitement de l’information médicale, common to IMT Atlantique, Université de Bretagne occidentale (UBO) and Inserm)

Discreet but effective watermarking

Watermarking involves introducing a minor and imperceptible modification into medical images or data entrusted to a third party. “We simply modify a few pixels on an image, for example to change the colour a little, a subtle change that makes it possible to code a message,” explains Gouenou Coatrieux. We can thus watermark the data with the identifier of the last person to access it. This method does not prevent the file from being used, but if a problem occurs, it makes it very easy to identify the person who leaked it. The watermark thus guarantees traceability. It also acts as a deterrent, because users are informed that this mechanism is in place. This technique has long been used to combat digital video piracy. Encryption and watermarking can also be combined: this is called crypto-watermarking.
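The pixel-level marking described above can be illustrated with a minimal least-significant-bit scheme. This is an added example, not LaTIM's or WaToo's method: the 32-bit identifier width, the five-fold repetition, the key, the registry names and the synthetic image are all assumptions made for the illustration.

```python
import hashlib
import random

ID_BITS = 32   # assumed width of the embedded accessor identifier
COPIES = 5     # each bit is stored 5 times; extraction takes a majority vote


def marked_positions(key: bytes, n_pixels: int) -> list:
    """Key-dependent list of pixel indexes that carry the watermark.

    random.Random keeps the example short; it is not a cryptographic PRNG.
    """
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    return random.Random(seed).sample(range(n_pixels), ID_BITS * COPIES)


def embed_id(pixels, accessor_id, key):
    """Return a copy of an 8-bit grayscale image carrying accessor_id."""
    if not 0 <= accessor_id < 2 ** ID_BITS:
        raise ValueError("accessor_id does not fit in ID_BITS")
    if len(pixels) < ID_BITS * COPIES:
        raise ValueError("image too small for the watermark")
    marked = list(pixels)
    for slot, pos in enumerate(marked_positions(key, len(pixels))):
        bit = (accessor_id >> (slot % ID_BITS)) & 1
        marked[pos] = (marked[pos] & ~1) | bit  # overwrite the lowest bit only
    return marked


def extract_id(pixels, key):
    """Recover the identifier by majority vote over the copies of each bit."""
    votes = [0] * ID_BITS
    for slot, pos in enumerate(marked_positions(key, len(pixels))):
        votes[slot % ID_BITS] += pixels[pos] & 1
    return sum(1 << i for i, v in enumerate(votes) if 2 * v > COPIES)


def trace_leak(leaked_pixels, key, registry):
    """Map the identifier found in a leaked copy to a registered accessor."""
    return registry.get(extract_id(leaked_pixels, key), "unknown")


# Constructed sample data: a synthetic 64x64 gradient, not a medical image.
WIDTH = HEIGHT = 64
ORIGINAL = [(3 * x + 5 * y) % 256 for y in range(HEIGHT) for x in range(WIDTH)]
KEY = b"constructed-demo-key"
REGISTRY = {0x0000A1B2: "dr.martin", 0x0000C3D4: "lab-analyst-7"}


def demo():
    # Every accessor receives an individually marked copy.
    copies = {uid: embed_id(ORIGINAL, uid, KEY) for uid in REGISTRY}
    leaked = list(copies[0x0000C3D4])
    # Simulate light degradation: corrupt one of the five copies of every bit.
    for pos in marked_positions(KEY, len(leaked))[:ID_BITS]:
        leaked[pos] ^= 1
    max_change = max(abs(a - b) for a, b in zip(ORIGINAL, copies[0x0000C3D4]))
    return trace_leak(leaked, KEY, REGISTRY), max_change


if __name__ == "__main__":
    print(demo())
```

Plain LSB marking does not survive recompression or resizing, so it shows the traceability principle rather than a robust scheme.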

Initially, the LaTIM team was interested in the protection of medical images. A joint laboratory was thus created with Medecom, a Breton company specialising in this field, which produces software dedicated to radiology.

Multiple fields of application

Subsequently, LaTIM extended its field of research to the entire field of cyber-health. This work has led to the filing of several patents. A former doctoral student and engineer from the school has also founded a company, WaToo, specialising in data tagging. A Cyber Health team at LaTIM, the first in this field, has just been accredited by Inserm. This multidisciplinary team includes researchers, research engineers, doctoral students and post-docs, and covers several fields of application: protection of medical images and genetic data, and ‘big data’ in health. In particular, it works on the databases used for AI and deep learning, and on the security of treatments that use AI. “For all these subjects, we need to be in constant contact with health and genetics specialists,” stresses Gouenou Coatrieux, head of the new entity. We also take into account standards in the field such as DICOM, the international standard for medical imaging, and legal issues such as those relating to privacy rights with the application of the European GDPR (RGPD in French).

The Cyber Health team recently contributed to a project called PrivGen, selected by the Labex (laboratory of excellence) CominLabs. The ongoing work which started with PrivGen aims to identify markers of certain diseases in a secure manner, by comparing the genomes of patients with those of healthy people, and to analyse some of the patients’ genomes. But the volumes of data and the computing power required to analyse them are so large that they have to be shared and taken out of their original information systems and sent to supercomputers. “This data sharing creates an additional risk of leakage or disclosure,” warns the researcher. “PrivGen’s partners are currently working to find a technical solution to secure the treatments, in particular to prevent patient identification”.

Towards the launch of a chaire (French research consortium)

An industrial chaire called Cybaile, dedicated to cybersecurity for trusted artificial intelligence in health, will also be launched next fall. LaTIM will partner with three other organizations: Thales group, Sophia Genetics and the start-up Aiintense, a specialist in neuroscience data. With the support of Inserm, and with the backing of the Regional Council of Brittany, it will focus in particular on securing the learning of AI models in health, in order to help with decision-making – screening, diagnoses, and treatment advice. “If we have a large amount of data, and therefore representations of the disease, we can use AI to detect signs of anomalies and set up decision support systems,” says Gouenou Coatrieux. “In ophthalmology, for example, we rely on a large quantity of images of the back of the eye to identify or detect pathologies and treat them better.”


Governments, banks, and hospitals: all victims of cyber-attacks

Hervé Debar, Télécom SudParis – Institut Mines-Télécom

Cyber-attacks are not a new phenomenon. The first computer worm distributed via the Internet, known as the “Morris worm” after its creator, infected 10% of the 60,000 computers connected to the Internet at the time.

Published back in 1989, the novel The Cuckoo’s Egg was based on a true story of computer espionage. Since then, there have been any number of malicious events, whose multiple causes have evolved over time. The initial motivation of many hackers was their curiosity about this new technology that was largely out of the reach of ordinary people at the time. This curiosity was replaced by the lure of financial reward, leading firstly to messaging campaigns encouraging people to buy products online, and subsequently followed by denial-of-service attacks.

Over the past few years, there have been three main motivations:

  • Direct financial gain, most notably through the use of ransomware, which has claimed many victims.
  • Espionage and information-gathering, mostly state-sponsored, but also in the private sphere.
  • Data collection and manipulation (normally personal data) for propaganda or control purposes.

These motivations have been associated with two types of attack: targeted attacks, where hackers select their targets and find ways to penetrate their systems, and large-scale attacks, where the attacker’s aim is to claim as many victims as possible over an extended period of time, as their gains are directly proportional to their number of victims.

The era of ransomware

Ransomware is a type of malware which gains access to a victim’s computer through a back door before encrypting their files. A message is then displayed demanding a ransom in exchange for decrypting these files.

Kaseya cash register software

In July 2021, an attack was launched against Kaseya cash register software, which is used by several store chains. It affected the Cloud part of the service and shut down the payment systems of several retail chains.

The Colonial Pipeline attack

One recent example is the attack on the Colonial Pipeline, an oil pipeline which supplies the eastern United States. The attack took down the software used to control the flow of oil through the pipeline, leading to fuel shortages at petrol stations and airports.

This is a striking example because it affected a visible infrastructure and had a significant economic impact. However, other infrastructure – in banks, factories, and hospitals – regularly falls victim to this phenomenon. It should also be noted that these attacks are very often destructive, and that paying the ransom is not always sufficient to guarantee the recovery of one’s files.

Unfortunately, such attacks look set to continue, at least in the short-term, given the financial rewards for the perpetrators: some victims pay the ransom despite the legal and ethical questions this raises. Insurance mechanisms protecting against cyber-crime may have a detrimental effect, as the payment of ransoms only encourages hackers to continue. Governments have also introduced controls on cryptocurrencies, which are often used to pay these ransoms, in order to make payments more difficult. Paradoxically, however, payments made using cryptocurrency can be traced in a way that would be impossible with traditional methods of payment. We can therefore hope that this type of attack will become less profitable and riskier for hackers, leading to a reduction in this type of phenomenon.

Targeted, state-sponsored attacks

Infrastructure, including sovereign infrastructure (economy, finance, justice, etc.), is frequently controlled by digital systems. As a result, we have seen the development of new practices, sponsored either by governments or extremely powerful players, which implement sophisticated methods over an extended time frame in order to attain their objectives. Documented examples include the Stuxnet/Flame attack on Iran’s nuclear program, and the SolarWinds software hack.

SolarWinds

The attack targeting Orion and its SolarWinds software is a textbook example of the degree of complexity that can be employed by certain perpetrators during an attack. As a network management tool, SolarWinds plays a pivotal role in the running of computer systems and is used by many major companies as well as the American government.

The initial attack took place between January and September of 2019, targeting the SolarWinds compilation environment. Between the fall of 2019 and February 2020, the attacker interacted with this environment, embedding additional features. In February 2020, this interaction enabled the introduction of a Trojan horse called “Sunburst”, which was subsequently incorporated into SolarWinds’ updates. In this way, it became embedded in all of Orion’s clients’ systems, infecting as many as 18,000 organizations. The exploitation phase began in late 2020 when further malicious codes downloaded by Sunburst were injected, and the hacker eventually managed to breach the Office365 cloud used by the compromised companies. Malicious activity was first detected in December 2020, with the theft of software tools from the company FireEye.

This has continued throughout 2021 and has had significant impacts, underlining both the complexity and the longevity of certain types of attack. American intelligence agencies believe this attack to be the work of SVR, Russia’s foreign intelligence service, which has denied this accusation. It is likely that the strategic importance of certain targets will lead to future developments of this type of deep, targeted attack. The vital role played by digital tools in the running of our critical infrastructure will doubtless encourage states to develop cyber weapons, a phenomenon that is likely to increase in the coming years.

Social control

Revelations surrounding the Pegasus software developed by NSO have shown that certain countries can benefit significantly from compromising their adversaries’ IT equipment (including smartphones).

The example of Tetris

Tetris is the name given to a tool used (potentially by the Chinese government) to infiltrate online chat rooms and reveal the identities of possible opponents. This tool has been used on 58 sites and uses relatively complex methods to steal visitors’ identities.

“Zero-click” attacks

The Pegasus revelations shed light on what are known as “zero-click” attacks. Many attacks on messaging clients or browsers assume that the target will click a link, and that this click will then cause the victim to be infected. With zero-click attacks, targets are infected without any activity on their part. One ongoing example of this hack is the ForcedEntry or CVE-2021-30860 vulnerability, which has affected the iMessage app on iPhones.

Like many others, this application accepts data in a wide range of formats and must carry out a range of complex operations in order to present it to users in an elegant way, despite its reduced display format. This complexity has extended the opportunities for attacks. An attacker who knows a victim’s phone number can send them a malicious message, which will trigger an infection as it is processed by the phone. Certain vulnerabilities even make it possible to delete any traces (at least visible traces) that the message was received, in order to avoid alerting the target.

Despite the efforts to make IT platforms harder to hack, it is likely that certain states and private companies will remain capable of hacking into IT systems and connected objects, either directly (via smartphones, for example) or via the cloud services to which they are connected (e.g. voice assistants). This takes us into the world of politics, and indeed geopolitics.

The biggest problem with cyber-attacks remains identifying the origin of the attack and who was behind it. This is made even more difficult by attackers trying to cover their tracks, which the Internet gives them multiple opportunities to do.

How can you prevent an attack?

The best way of preventing an attack is to install the latest updates for systems and applications, and perhaps ensure that they are installed automatically. The majority of computers, phones and tablets can be updated on a monthly basis, or perhaps even more frequently. Another way is to activate existing means of protection such as firewalls or anti-virus software, which will eliminate most threats.

Saving your work on a regular basis is essential, whether onto a hard drive or in the Cloud, as is disconnecting from these back-ups once they have been completed. Back-up copies are only useful if they are kept separate from your computer, otherwise ransomware will attack your back-up drive as well as your main drive. Backing up twice, or saving key information such as the passwords to your main applications (messenger accounts, online banking, etc.) in paper form, is another must.

Digital tools should also be used with caution. Follow this simple rule of thumb: if it seems too good to be true in the real world, then there is every chance that it is also the case in the virtual world. By paying attention to any messages that appear on our screens and looking out for spelling mistakes or odd turns of phrase, we can often identify unusual behavior on the part of our computers and tablets and check their status.

Lastly, users must be aware that certain activities are risky. Unofficial app stores or downloads of executables in order to obtain software without a license often contain malware. VPNs, which are widely used to watch channels from other regions, are also popular attack vectors.

What should you do if your data is compromised?

Being compromised or hacked is highly stressful, and hackers constantly try to make their victims feel even more stressed by putting pressure on them or by sending them alarming messages. It is crucial to keep a cool head and find a second device, such as a computer or a phone, which you can use to find a tool that will enable you to work on the compromised machine.

It is essential to return to a situation in which the compromised machine is healthy again. This means a full system recovery, without trying to retrieve anything from the previous installation in order to prevent the risk of reinfection. Before recovery, you must analyze your back-up to make sure that no malicious code has been transferred to it. This makes it useful to know where the infection came from in the first place.

Unfortunately, the loss of a few hours of work has to be accepted, and you simply have to find the quickest and safest way of getting up and running again. Paying a ransom is often pointless, given that many ransomware programs are incapable of decrypting files. When decryption is possible, you can often find a free program to do it, provided by security software developers. This teaches us to back up our work more frequently and more extensively.

Finally, if you lack in-house cybersecurity expertise, it is highly beneficial to obtain assistance with the development of an approach that includes risk analyses, the implementation of protective mechanisms, the exclusive use of certified cloud services, and the performance of regular audits carried out by certified professionals capable of detecting and handling cybersecurity incidents.

Hervé Debar, Director of Research and PhDs, Deputy Director of Télécom SudParis.

This article has been republished from The Conversation under a Creative Commons licence. Read the original article (in French).


Zero-click attacks: spying in the smartphone era

Zero-click attacks exploit security breaches in smartphones in order to hack into a target’s device without the target having to do anything. They are now a threat to everyone, from governments to medium-sized companies.

“Zero-click attacks are not a new phenomenon”, says Hervé Debar, a researcher in cybersecurity at Télécom SudParis. “In 1988 the first computer worm, named the “Morris worm” after its creator, infected 6,000 computers in the USA (10% of the internet at the time) without any human intervention, causing damage estimated at several million dollars.” By connecting to messenger servers which were open access by necessity, this program exploited weaknesses in server software, infecting it. It could be argued that this was one of the very first zero-click attacks, a type of attack which exploits security breaches in target devices without the victim having to do anything.

There are two reasons why this type of attack is now so easy to carry out on smartphones. Firstly, the protective mechanisms for these devices are not as effective as those on computers. Secondly, more complex processes are required in order to present videos and images, meaning that the codes enabling such content to be displayed are often more complex than those on computers. This makes it easier for attackers to hack in and exploit security breaches in order to spread malware. As Hervé Debar explains, “attackers must, however, know certain information about their target – such as their mobile number or their IP address – in order to identify their phone. This is a targeted type of attack which is difficult to deploy on a larger scale as this would require collecting data on many users.”

Zero-click attacks tend to follow the same pattern: the attacker sends a message to their target containing specific content which is received in an app. This may be a sound file, an image, a video, a gif or a pdf file containing malware. Once the message has been received, the recipient’s phone processes it using apps to display the content without the user having to click on it. While these applications are running, the attacker exploits breaches in their code in order to run programs resulting in spy software being installed on the target device, without the victim knowing.

Zero-days: vulnerabilities with economic and political impact

Breaches exploited in zero-click attacks are known as “zero-days”, vulnerabilities which are unknown to the manufacturer or which have yet to be corrected. There is now a global market for the detection of these vulnerabilities: the zero-day market, which is made up of companies looking for hackers to identify these breaches. Once the breach has been identified, the hacker will produce a document explaining it in detail, with the company who commissioned the document often paying several thousand dollars to get their hands on it. In some cases the manufacturer themselves might buy such a document in an attempt to rectify the breach. But it may also be bought by another company looking to sell the breach to their clients – often governments – for espionage purposes. According to Hervé Debar, between 100 and 1,000 vulnerabilities are detected on devices each year. 

Zero-click attacks are regularly carried out for theft or espionage purposes. For theft, the aim may be to validate a payment made by the victim in order to divert their money. For espionage, the goal might be to recover sensitive data about a specific individual. The most recent example was the Pegasus affair, which affected around 50,000 potential victims, including politicians and media figures. “These attacks may be a way of uncovering secret information about industrial, economic or political projects. Whoever is responsible is able to conceal themselves and to make it difficult to identify the origin of the attack, which is why they’re so dangerous”, stresses Hervé Debar. But it is not only governments and multinationals who are affected by this sort of attack – small and medium-sized companies are too. They are particularly vulnerable in that, owing to a lack of financial resources, they don’t have IT professionals running their systems, unlike major organisations.


More secure computer languages

But there are things that can be done to limit the risk of such attacks affecting you. According to Hervé Debar, “the first thing to do is use your common sense. Too many people fall into the trap of opening suspicious messages.” Personal phones should also be kept separate from work phones, as this prevents attackers from gaining access to all of a victim’s data. Another handy tip is to back up your files onto an external hard drive. “By transferring your data onto an external hard drive, it won’t only be available on the network. In the event of an attack, you will safely be able to recover your data, provided you disconnected the disc after backing up.” To protect against attacks, organisations may also choose to set up intrusion detection systems (IDS) or intrusion prevention systems (IPS) in order to monitor flows of data and access to information.

In the fight against cyber-attacks, researchers have developed alternative computing languages. Ada, a programming language which dates back to the 1980s, is now used in the aeronautic industry, in railways and in aviation safety. For the past ten years or so the computing language Rust has been used to solve problems linked to the management of buffer memory which were often encountered with C and C++, languages widely used in the development of operating systems. “These new languages are better controlled than traditional programming languages. They feature automatic protective mechanisms to prevent errors committed by programmers, eliminating certain breaches and certain types of attack.” However, “writing programs takes time, requiring significant financial investment on the part of companies, which they aren’t always willing to provide. This can result in programming errors leading to breaches which can be exploited by malicious individuals or organisations.”

Rémy Fauvel

IMPETUS: towards improved urban safety and security

How can traffic and public transport be managed more effectively in a city, while controlling pollution, ensuring the safety of users and at the same time, taking into account ethical issues related to the use of data and mechanisms to ensure its protection? This is the challenge facing IMPETUS, a €9.3 million project receiving funding of €7.9 million from the Horizon 2020 programme of the European Union[1]. The two-year project launched in September 2020 will develop a tool to increase cities’ resilience to security-related events in public areas. An interview with Gilles Dusserre, a researcher at IMT Mines Alès, a partner in the project.

What was the overall context in which the IMPETUS project was developed?

Gilles Dusserre The IMPETUS project was the result of my encounter with Matthieu Branlat, the scientific coordinator of IMPETUS, who is a researcher at SINTEF (Norwegian Foundation for Scientific and Industrial Research) which supports research and development activities. Matthieu and I have been working together for many years. As part of the eNOTICE European project, he came to take part in a use case organized by IMT Mines Alès on health emergencies and the resilience of hospital organizations. Furthermore, IMPETUS is the concrete outcome of efforts made by research teams at Télécom SudParis and IMT Mines Alès for years to promote joint R&D opportunities between IMT schools.

What are the security issues in smart cities?

GD A smart city can be described as an interconnected urban network of sensors, such as cameras and environmental sensors; it offers a multitude of valuable big data. In addition to better managing traffic and public transport and controlling pollution, this data allows for better police surveillance and adequate crowd control. But these smart systems increase the risk of unethical use of personal data, in particular given the growing use of AI (artificial intelligence) combined with video surveillance networks. Moreover, they increase the attack surface for a city since several interconnected IoT (Internet of Things) and cloud systems control critical infrastructure such as transport, energy, water supply and hospitals (which play a central role in current problems). These two types of risks associated with new security technologies are taken very seriously by the project: a significant part of its activities is dedicated to the impact of the use of these technologies on operational, ethical and cybersecurity aspects. We have groups within the project and external actors overseeing ethical and data privacy issues. They work with project management to ensure that the solutions we develop and deploy adhere to ethical principles and data privacy regulations. Guidelines and other decision-making tools will also be developed for cities to help them identify and take into account the ethical and legal aspects related to the use of intelligent systems in security operations.

What is the goal of IMPETUS?

GD In order to respond to these increasing threats for smart cities, the IMPETUS project will develop an integrated toolbox that covers the entire physical and cybersecurity value chain. The tools will advance the state of the art in several key areas such as detection (social media, web-based threats), simulation and analysis (AI-based tests) and intervention (human-machine interface and eye tracking, optimization of the physical and cyber response based on AI). Although the toolbox will be tailored to the needs of smart city operators, many of the technological components and best practices will be transferable to other types of critical infrastructure.

What expertise are researchers from IMT schools contributing to the project?  

GD The work carried out by Hervé Debar’s team at Télécom SudParis, in connection with researchers at IMT Mines Alès, resulted in the creation of the overall architecture of the IMPETUS platform, which will integrate the various modules of smart city as proposed in the project. Within this framework, the specification of the various system components, and the system as a whole, will be designed to meet the requirements of the final users (cities of Oslo and Padua), but also to be scalable to future needs.

What technological barriers must be overcome?

GD The architecture has to be modular, so that each individual component can be independently upgraded by the provider of the technology involved. The architecture also has to be integrated, which means that the various IMPETUS modules can exchange information, thereby providing significant added value compared to independent smart city and security solutions that work as silos.  

To provide greater flexibility and efficiency in terms of collecting, analyzing, storing and access to data, the IMPETUS platform architecture will combine IoT and cloud computing approaches. Such an approach will reduce the risks associated with an excessive centralization of large amounts of smart city data and is in line with the expected changes in communication infrastructure, which will be explored at a later date.  

This task will also develop a testing plan. The plan will include the prerequisites, the execution of tests, and the expected results. The acceptance criteria will be defined based on the priority and percentage of successful test cases. In close collaboration with the University of Nimes, IMT Mines Alès will work on an innovative approach to environmental risks, in particular related to chemical or biological agents, and to hazard assessment processes.

The consortium includes 17 partners and 11 EU member states and associated countries. What are their respective roles?

GD The consortium was formed to bring together a group of 17 organizations that are complementary in terms of basic knowledge, technical skills, ability to create new knowledge, business experience and expertise. The consortium comprises a complementary group of academic institutions (universities) and research organizations, innovative SMEs, industry representatives, NGOs and final users.

The work is divided into a set of interdependent work packages. It involves interdisciplinary innovation activities that require a high level of collaboration. The overall strategy consists of an iterative exploration, an assessment and a validation, involving the final users at every step.

[1] This project receives funding from Horizon 2020, the European Union’s Framework Programme for Research and Innovation (H2020) under grant agreement N° 883286. Learn more about IMPETUS.