Best Infosec-Related Long (and Longish) Reads of the Week, 3/18/23

Many stadiums use facial recognition, Cambodia eyes broad cyber law, Secret chip deals for Russia, LinkedIn's spies and scammers, "Cybercrime" is too broad, Biden's cyber strategy is too narrow

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form (and long-ish) infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

Here Are the Stadiums That Are Keeping Track of Your Face

Georgia Gee in Slate reveals how facial recognition technology in sports stadiums goes far beyond Madison Square Garden, infamous for removing an attorney from a Knicks game in December after getting flagged by facial recognition software, documenting twenty other venues that use the technology on their attendees.

Facial recognition technology is in high demand by sports teams. A 2021 study of 40 venue directors representing teams from Major League Baseball, Major League Soccer, the National Basketball Association, the National Football League, and the National Hockey League indicated that the software was on the top of the wish lists for venues.

Christian Lau, chief technology officer of the Los Angeles Football Club and BMO Stadium, told the Wall Street Journal in 2020: “Our plan is to move everything to face.” The following year, BMO began using facial recognition technology from California-based Alcatraz AI. The company’s “Rock” system can also be used to ascertain whether certain people should be allowed to enter specific spaces, including medical facilities.

Other providers—like Trueface, which claims to be the “fastest face recognition in the world”—have moved into enabling payments and verifying customers’ ages in stadiums. Their software is used by TendedBar, an “automated cocktail bar,” which touts the efficiency of scanning faces over checking ID cards, while giving “insight and analytics from anywhere.” The cashless opt-in machines—a combination of a soda dispensary and self-checkout system—have been installed at venues including Circuit of the Americas in Austin and TIAA Bank Field in Jacksonville, Florida. A TendedBar representative said that 10 stadiums across the country use their machines. Once a customer signs up at one location and their age is verified, they have access to the machines in all other stadiums.

Leaked law proposal would give Cambodia expanded powers to censor critics

Fiona Kelliher has this scoop in Rest of World on the draft of a new cybersecurity law in Cambodia dated September 2, 2022, that significantly expands the government’s ability “to seize computer systems from companies, initiate searches during loosely defined cybersecurity incidents, and prosecute those who don’t comply.”

The document is marked “confidential” and dated September 2, 2022. Laid out over 13 pages, the law would allow the government to seize operating systems and copy and filter data from entities unable to mitigate the impacts of a “cybersecurity threat or cybersecurity incident at the critical level” — defined broadly as an event that could cause “significant harm” to “national security, national defense, foreign relations, the economy, public health, safety or public order.”

“Any person” who “opposes the performance of duties” of the ministry or security committee could face imprisonment up to a year under obstruction or incitement charges, and be fined up to 150,000,000 riel (about $37,000) — around double the annual salary for a company executive in Cambodia. It would also use a “Digital Security Committee” under the ministry to prevent and respond to cybersecurity attacks.

Web of Secret Chip Deals Allegedly Help US Tech Flow to Russia

Bloomberg News offers this piece with no bylines detailing how US authorities suspect that Artem Uss, the son of a Siberian governor and the most politically connected Russian to be indicted by the US, is at the center of a suspected secret supply chain that prosecutors say used American technology to support President Vladimir Putin’s war in Ukraine. Uss was arrested last year on charges that he and his associates defrauded the US and its companies and violated sanctions by selling sensitive technologies from the US to Russia via intermediaries in non-sanctioned countries.

Court documents from the Uss case and others like it show how Russia allegedly built a secret pipeline for years before the war to ensure the supply of semiconductors to the country despite US controls. Those well-honed tactics are now helping Russian operators rebuild dismantled networks and deceive publicly listed US tech companies, according to customs data, indictments and people familiar with the matter, who weren’t authorized to speak to the media.

American prosecutors haven’t identified the semiconductor manufacturers who may have sold to Uss’s team unwittingly, and he is now under house arrest in Milan.

Even so, US and EU officials say that Russia is still able to get chips and technology for military use through other networks. Customs data analyzed by the British think tank Royal United Services Institute and seen by Bloomberg also show that semiconductors made by large companies including Analog Devices Inc., Texas Instruments Inc., and Microchip Technology Inc. have been getting to Russia via third-party firms in other parts of the world for months after the war started. The companies say they follow the law, don’t sell to Russia and they haven’t authorized the sale of their products there.

“We should be assuming that much of our sensitive technologies are making their way into the wrong hands,” said Nazak Nikakhtar, a partner and chair of the national security practice at Washington-based law firm Wiley Rein LLP, who served as a senior official at the US Department of Commerce. “The third-party intermediary problem is a fairly easy and significant loophole.”

A Spy Wants to Connect With You on LinkedIn

Jennifer Conrad and Matt Burgess in Wired delve into how nation-state actors and scammers use fake LinkedIn profiles to target legitimate users, including journalists, to gather information and even attempt to install malware.

In late February, soon after we told LinkedIn about suspicious accounts linked to WIRED, approximately 250 accounts were removed from WIRED’s page. The total employee count dropped to 225, with 15 people based in India—more in line with the real number of employees. The purpose of these removed accounts remains a mystery.

“If people were using fake accounts to impersonate WIRED journalists, that would be a major issue. In the disinformation space, we have seen propagandists pretend to be journalists to gain credibility with their target audiences,” says Josh Goldstein, a research fellow with the CyberAI Project at Georgetown University’s Center for Security and Emerging Technology. “But the accounts you shared with me don’t seem to be of that type.”

Without more information, Goldstein says, it’s impossible to know what the fake accounts linked to WIRED may have been up to. Oscar Rodriguez, LinkedIn’s vice president in charge of trust, privacy, and equity, says the company does not go into detail about why it removes specific accounts. But he says many of the accounts linked to WIRED were dormant.

The World’s Real ‘Cybercrime’ Problem

Wired’s Andrew Couts and Dhruv Mehrotra in Wired explain how the term “cybercrime” is an overbroad and meaningless legal concept that troubles civil liberties advocates and might be enshrined in a UN international cybercrime treaty currently in negotiations.

The push for an international cybercrime treaty originated with what might seem like an unlikely source: Russia. In 2019, 88 UN member countries voted in favor of a Moscow-led resolution to create a working group—the so-called Ad Hoc Intergovernmental Committee—that would craft a cybercrime treaty. Cosponsored by China, Myanmar, Cambodia, Iran, Syria, Belarus, Nicaragua, and Venezuela, the resolution broadly defined cybercrime as “the use of information and communications technologies for criminal purposes.”

Even as the resolution passed, critics predicted the creation of such a treaty would focus not on network intrusions, spreading malware, or stealing data but on issues more pressing for authoritarian regimes: sovereign control over the internet and the suppression of speech that clashes with government priorities.

More than three years and four full rounds of negotiations later, the critics’ warnings have come to fruition. Human rights nonprofit Article 19 counted 34 types of crime in draft proposals for the new UN cybercrime treaty that would fall into the larger “cybercrime” bucket. That’s dozens more than any other cybercrime-related UN agreement, including the Budapest Convention on Cybercrime, a 2001 treaty that expands international cooperation between law enforcement agencies investigating and prosecuting certain crimes, such as hacking into a computer network, and is the current international standard.

PENTAGON ANALYST KEPT INTEL JOB AFTER JOINING JAN. 6 MOB, PLANNED TO KIDNAP JEWISH LEADERS

James Risen in The Intercept tells the story of how an apocalyptic far-right extremist named Hatchet Speed, a self-described member of the Proud Boys, kept his job as a defense and intelligence contractor for the Pentagon even after he joined the mob on January 6, amassed a huge arsenal of weapons and began to think about kidnapping Jewish leaders.

He wasn’t arrested until 18 months after the insurrection, and no investigation has been conducted to determine whether he compromised classified information, a Navy spokesperson said. Officials at the Office of the Director of National Intelligence declined to comment on any possible damage to U.S. intelligence resulting from Speed’s decadeslong access to classified information.

A spokesperson for Accenture Federal Services, which now owns Speed’s former employer, Novetta, and which has classified contracts with the Defense Department and the intelligence community, including U.S. Cyber Command, did not respond to requests for comment.

Finally, more than a year after the Capitol riot, the FBI launched an investigation of Speed. The Bureau of Alcohol, Tobacco, Firearms, and Explosives was also involved, which suggests that records of Speed’s massive weapons purchases and his efforts to acquire unregistered silencers in the immediate aftermath of January 6 may have prompted the inquiry. In February 2022, an undercover FBI agent posing as a like-minded, right-wing gun enthusiast began meeting with Speed. That March, the Navy, aware of the FBI investigation, removed Speed’s access to sensitive Navy facilities and gave him what amounted to a fake job with Naval Warfare Space Field Activity at the National Reconnaissance Office, the agency that develops America’s spy satellites. Speed, who previously held a Top Secret/Sensitive Compartmented Information clearance, was not given access to NRO’s buildings nor its systems, a spokesperson for the NRO said. In addition to the FBI probe, Speed was also under investigation for two personnel-related cases within the Navy, a spokesperson said.

Building From the 2023 National Cybersecurity Strategy: Reshaping the Terrain of Cyberspace

Trey Herr, Jenny Jun, Emma Schroeder, and Stewart Scott argue in Lawfare blog that the Biden administration’s new National Cybersecurity Strategy, as good as it is, doesn’t go far enough to redress the inherent vulnerabilities in the digital ecosystem and avoids rigorous discussion of altering the cyber terrain to tackle obvious market failures.

The new strategy’s approach engages on a deep level with symptoms—namely bad incentives, autocrats, and broken markets—but with causes on a more shallow one. What would the alternative have looked like in the context of the national cybersecurity strategy? For one, such a strategy would identify important areas to shift responsibility to and realign investment with. It would explicitly discuss plans for action instead of passing mentions. It would commit to press Congress for serious investments in the security of widely used digital infrastructure, including open-source software, rather than just pledging to move an ill-defined burden. Rather than stopping at lamenting and studying the malicious co-opting of U.S.-based cloud infrastructure, such a strategy would explore how to use government procurement authority, executive convening power, and existing market regulatory tools together to push cloud service providers to address recurring sources of insecurity and poor design. Further, it would address the considerable influence of cloud service and social media platform providers on the layout and security of the internet now, much more so than a decade ago. And it would leverage several of the authorities called upon to stimulate the development of better digital-identity services and fund more secure digital technologies to push wider use of memory-safe languages and close off entire avenues of malicious activity.