Best Infosec-Related Long Reads of the Week, 4/15/23

Bitcoin is not anonymous, Thieves are stealing federal benefits, SIM swapping that originates with stolen credit cards, Ethical hacker implants chips into his body, Google's plan to kill cookies, more


Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long form infosec-related pieces that we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

The U.S. Cracked a $3.4 Billion Crypto Heist—and Bitcoin’s Anonymity

The Wall Street Journal’s Robert McMillan explains how Bitcoin’s supposed anonymity is no longer true, if it ever was, with federal authorities using new tools to pierce the veil of criminal blockchain transactions by tracing the permanent and open online ledgers inherent in cryptocurrency transactions.

When bitcoins are stolen, the criminal is now “like a guy that robbed a bank in the snow,” said Matthew Price, a former IRS investigator who now runs investigations for cryptocurrency exchange Binance Inc. The criminal’s name might be unknown, he said, but digital breadcrumbs, like footprints in the snow, remain for authorities to follow.

Federal investigators have used blockchain-tracing techniques to shut down a child-pornography website, disrupt funding for terrorist organizations and, in the Justice Department’s largest-ever financial seizure, retrieve $3.6 billion from a New York couple charged with laundering the proceeds of the 2016 hack of cryptocurrency exchange Bitfinex. With each case, more accounts are added to the government’s blockchain address book.

These advances make it difficult for criminals to convert their spoils to cash. After government officials publish wallet addresses connected to crooks, no legitimate cryptocurrency exchange wants to do business with them, fearing legal consequences.

Last year, a group that U.S. officials linked to North Korea stole about $720 million by hacking two cryptocurrency services—Harmony’s Horizon Bridge and Sky Mavis’s Ronin Network. In February, the FBI published a list of wallet addresses linked to the $100 million Horizon Bridge theft, effectively stonewalling hackers from withdrawing cash through legitimate exchanges.

Stolen, cloned and sold: Inside the digital black market for SNAP benefits

In The Baltimore Banner, Brenna Smith, Nick Thieme, and Brenda Wintrode reveal how criminals drain federal food assistance and other benefits by buying stolen EBT account information online, printing the data onto cloned debit cards, and cashing out.

Criminals are selling stolen EBT information online in a variety of ways — through social media, messaging boards and the dark web.

But often, according to Georgia State University criminology professor David Maimon, criminals are turning to encrypted messaging services like Telegram, where any of the app’s 55 million users can view public channels dedicated to selling stolen information.

Maimon said that cybercriminals have come to rely on these applications because they are accessible, easy to use and hard to censor. And, for those same reasons, it’s difficult to grasp the total scope of this economy, he added.

“Sky’s the limit with respect to what we’re seeing there,” Maimon said.

The Baltimore Banner analyzed 26 Telegram channels and found about 50,000 posts selling EBT information from 2020 to 2023. The posts usually did not specify a specific state, but The Banner identified about 2,500 posts related to Maryland. These posts included listings for EBT information, credit card data, and unemployment benefits.

My phone, my credit card, my hacker, and me

Business Insider reporter Avery Hartmans tells the story of how her Verizon phone got SIM swapped by a hacker who stole her new credit card in the mail and then used a fake ID to gain control over her mobile account, all the while racking up $10,000 in charges on her physical card in real-world retail stores in Columbus, Ohio, hundreds of miles away from her New York City home.

Whoever hacked my identity, it makes sense that they started with my credit card. That explained why they decided to SIM swap my phone in the first place — so they could intercept the fraud alerts and use my card with impunity. And because they stole my card out of the mail, they had my address, which made it easy to gin up a fake ID to show Verizon. Once they were in control of my phone number, it was just a race against time to swing by the Apple store and Gucci and Psycho Bunny before I discovered the hack and blocked their access to my accounts.

It's also clear that my identity theft was made possible, in no small part, by the very companies and officials who were supposed to prevent it. Verizon accepted a fake ID, and then refused to assist me by confirming that the attack had taken place. Chase tried to charge me for $10,000 in purchases I never made. The police were too overwhelmed to investigate. Gucci couldn't even be bothered to provide me with a phone number for one of its stores. The hacker might have committed the crime, but corporate America was an accessory after the fact.

The cyborg hacker who can infiltrate your phone or office by waving his hand

William McCurdy in the Evening Standard offers a profile of Len Noe, an ethical hacker at CyberArk who has undergone multiple surgeries to have eight specialist security chips implanted into his body to demonstrate their offensive capabilities in the wild.

If you hand Len your phone — for instance, by asking to make a quick emergency call — he can use the Near-field communication (NFC) chip that is inside the back of his hand to instantly pull up a website injected with what is known as BeEF (The Browser Exploitation Framework). This will rapidly install some malicious code on your phone, giving him complete access to it.

Almost all modern smartphones have an NFC chip, which is the underlying tech that allows contactless apps such as Google Pay and Apple Pay to work. In my case, Len was able to take control of the phone in less than 30 seconds. Thankfully, iPhones are currently invulnerable to this, as they use a different type of chip, but Android owners are susceptible to cyborg attacks.

Though this sort of hack is not something that the average Londoner needs to worry about (yet), Len does think that they could be used for targeted attacks by government agencies like MI5 or by large hacking groups such as Cozy Bear. This is the clear direction of travel.

Gizmodo’s Thomas Germain takes a deeper dive into Google’s controversial Privacy Sandbox, which aims to eliminate tracking cookies, by interviewing Privacy Sandbox leader Victor Wong.

TG: Speaking of regulatory bodies, I want to touch on the W3C, which is the main international standards organization for the web, which counts Google among its members. The W3C isn’t exactly hostile to industry, but they came out against Privacy Sandbox because, ironically, they said it’s not private enough. That had to sting.

VW: There are a lot of parts to this. We participate in many forums and W3C is just one of them, and they’re all meant to provide transparency. And the dialog forum is not too dissimilar to the United Nations. On a global scale, we’re working together with many different parties, some of which have different ideas about the best direction for the world to take. When you have multiple stakeholders with different motivations coming together, there will be disagreements.

We need standardization across different browsers and different parts of the web community so you don’t end up with a fractured Internet, essentially. So standardization is always our goal, but that position takes time. Just like anything that goes to the UN, there are going to be moments where people disagree. We think it’s important to launch these solutions and show results, to convince people of data and the actual empirical experience of users. Getting that sort of feedback is critical because it helps us improve our overall thinking, and we’ve used that kind of feedback to make changes to our proposals, and we’re going to work with those partners over the long term. But again, like we’re going to do what we think is right for the users in the web ecosystem.

Tackling Software Supply Chain Security: A Toolbox for Policymakers

Andreas Kuehn, a Senior Fellow at the Observer Research Foundation America, and Alexandra Paulus, Project Director for Cybersecurity Policy and Resilience at Stiftung Neue Verantwortung, offer in Lawfare Blog a toolbox for policymakers to bolster software supply chain security beyond the measures already introduced by the Biden administration.

As software vulnerabilities abound, the past years have seen an increasing number of voluntary and mandatory measures developed by industry and governments. While these efforts point in the right direction to improve software supply chain security, there is still a long way to go until widespread adoption. Keeping in mind that maturity of software supply chain security efforts varies across industry sectors and countries, policymakers are well advised to carefully consider where they should prioritize their efforts. Governments should focus efforts on three critical sets of actions in order to effectively manage and mitigate supply chain risk and enhance supply chain security. The public and private sectors must have a shared understanding, informed by a strategy, in order to implement these priority actions in a coordinated manner that is guided by ample political leadership. Depending on where a given country’s policy stands on software supply chain security as well as how salient the issue is and how many resources and capabilities are available, policymakers may tackle these three sets of actions one after the other or choose the one that best suits their needs.