Best Infosec-Related Long Reads of the Week, 12/10/22

Protecting society from spyware, The world of spyware maker Altrnativ, Spyware is out of control, Women rule at MI6, Lessons learned from the Uber breach, Could security firms become military targets?


Metacurity is pleased to offer our free and paid subscribers this weekly digest of long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. Tell us what you think, and feel free to share your favorite long-reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

Protecting Society From Surveillance Spyware

Citizen Lab’s Ron Deibert has this piece in the Winter 2022 Issues in Science and Technology on how to deal with the mushrooming problem of commercial spyware. It is being supplied by a growing number of vendors in an environment where the digital dynamic has shifted in favor of illiberal governments and their security agencies, helping to fuel the spread of a new kind of digital authoritarianism that crosses international borders.

Reflecting the urgency of the problem, some have advocated for an immediate worldwide moratorium on the sale and transfer of commercial spyware until safeguards are in place. But such a call is very unlikely to be implemented in practice. Illiberal governments are the least likely to cooperate, since they benefit the most from the existing Wild West marketplace. But even liberal democracies benefit from and contract with surveillance technology vendors for law enforcement and intelligence purposes, as the Edward Snowden disclosures showed. As long as even one government supports the industry, a global moratorium will remain little more than a rhetorical plea.

Leaked: The Altrnativ world of cybersurveillance

Elisa Braün and Jules Darmanin have this blockbuster series in Politico EU about the far-reaching spyware purveyor Altrnativ, founded by former digital privacy advocate Eric Leandri, and how it works to dig up dirt on its powerful clients’ competitors and peddles its services to some of the world’s worst human rights abusers.

Meeting with POLITICO in a downtown Paris café, Leandri claimed his company was working on “defense secrets.” He also acknowledged he had carried out the open-source intelligence investigations listed above. When it came to Altrnativ's African ambitions, however, he insisted he was not responsible for every offer that mentioned his company and that he had only participated in work involving open-source intelligence.

He also maintained his new line of business was consistent with work in the past, especially when it comes to promoting European technology over rivals from the United States, Israel and elsewhere.

“I continue to defend privacy very strongly,” Leandri said. “That does not stop me from being willing to compete with Palantir and to develop software that can manage huge amounts of data, because I believe that sovereignty of a country, a country like France, is important.”

How the Global Spyware Industry Spiraled Out of Control

Mark Mazzetti, Ronen Bergman, and Matina Stevis-Gridneff explain in the New York Times how their investigation into spyware company Intellexa, founded by Tal Dilian, a former general in Israeli military intelligence, uncovered a booming market for spyware despite the Biden administration’s efforts to crack down on it.

Intellexa also looked out for opportunities that used to be in NSO’s domain. Ukraine had previously tried to acquire Pegasus, but the effort failed after the Israeli government blocked NSO from selling to Ukraine out of concern that doing so would harm Israel’s relationship with Russia.

Intellexa swooped in. The Times obtained a copy of a nine-page Intellexa pitch for Predator to a Ukrainian intelligence agency last year, the first full such commercial spyware proposal to be made public. The document, dated February 2021, brags about the capabilities of Predator and even offers a 24/7 help line.

For 13.6 million euros ($14.3 million) for the first year, Intellexa offered Ukraine a basic package of 20 simultaneous infections with Predator and a “magazine” of 400 hacks of domestic numbers, as well as training and a round-the-clock help center. If Ukraine wanted to use Predator on non-Ukrainian numbers, the price would go up by an extra 3.5 million euros.

The secret lives of MI6’s top female spies

The Financial Times’s Helen Warrell examines how Britain’s Secret Intelligence Service (SIS), known as MI6, now has three of its four Director-General positions filled by women, and her piece marks the first time female SIS officers have ever spoken on the record.

The low profile of these three senior officers is in keeping with the history of women in British intelligence. In the past, women have been overlooked, relegated to secretarial roles or, before the SIS era, deployed as “honeytraps” to ensnare or blackmail enemies. When Vernon Kell co-founded MI6’s precursor in 1909, he identified as his ideal recruits men “who could make notes on their shirt cuff while riding on horseback”. His views on women were less well-known, but it is said that he once commented: “I like my girls to have good legs.” Despite having proved themselves with significant skill and bravery during the second world war, women in MI6 and its sister agency MI5 struggled to progress and were not regularly recruited as intelligence officers until the late 1970s.

A blameless post-mortem of USA v. Joseph Sullivan

Security analyst and writer Ryan McGeehan delivers a detailed list of risk-management lessons he learned while working for Uber’s CISO Joe Sullivan, who was ultimately, and according to McGeehan’s portrayal, unfairly convicted for failing to disclose a 2016 data breach to federal regulators.

The steps to communicate a severe incident to a larger committee are essential. Confused escalation was a hazard in this incident. The existing policy appointed a single lawyer for legal analysis. That created the perception of a decision-maker. We want to avoid confusion and relieve the point person of making a decision. Instead, they’re responsible for escalating to stakeholders and coordinating a decision.

Most importantly, define precisely what authorized activity is and how it relates to disclosure policies. Consider scenarios where good-faith research is disclosed that obtained user data. Policies that err toward disclosure are more straightforward when you plan where you’ll disclose ahead of time. Maybe they can be efficiently disclosed on a bug bounty platform, an engineering blog, or elsewhere. Near-miss issues can be disclosed without embarrassment so long as they have the right audience.

Cory Doctorow Wants You to Know What Computers Can and Can’t Do

The New Yorker’s Christopher Byrd interviews cyberpunk author and visionary tech critic Cory Doctorow on the dangers of big technology and the recent takedown of Big Tech companies.

There’s a guy named Ang Cui. He runs a thing called Red Balloon Security. But, in 2011, he was a grad student at N.Y.U., and he gave a security presentation at the Chaos Communication Congress called “Print Me if You Dare,” where he showed that he could update the firmware of an HP printer by sending it a poison document. You just give, like, the H.R. department a document called resume.doc. And when they print it the printer’s firmware is updated silently and undetectably: it scans all future documents for Social Security numbers, and credit-card numbers, and sends them to him. It opens a reverse shell to his computer, through the corporate firewall, and then it scans all the computers on your LAN for known vulnerabilities and takes them over. It was just a little proof of concept; he never released it.

Security Firms Aiding Ukraine During War Could Be Considered Participants in Conflict

Cybersecurity journalist Kim Zetter argues that Microsoft and companies like Mandiant, Cisco, ESET, and Recorded Future, which have all provided services, tools, and threat intelligence to Ukraine, could be considered participants in the conflict and could become targets of Russia, which might view them as legitimate military targets.

Under the principle of distinction, parties involved in a conflict have to distinguish between military combatants and civilians, and the latter are expected to have protection from being directly attacked. But civilian individuals and companies risk pulling themselves and the country where they reside into a war if they engage in activity that could be interpreted as participation in hostilities — and the state where they reside doesn’t act to halt this activity.

“If [the U.S.] allows Microsoft to engage in activities that are assisting the Ukrainians, Microsoft doesn’t violate neutrality, it’s a violation of the United States by permitting its territory to be used in an un-neutral manner,” says Schmitt. “The Russians have a legal right under international law…to prevent that from occurring.”

But what constitutes assistance for military operations, or participation in hostilities, has not been clearly defined and is open to interpretation.

No, Tech Companies and Cybersecurity Firms Aren't Close to Becoming Direct Participants in the Conflict by Helping Ukraine

Cybersecurity expert Matt Tait, better known as PwnAllTheThings, departs from Zetter’s analysis, arguing that security firm executives and workers are almost certainly not at risk of being considered participants in the Ukraine conflict.

To qualify as being a direct participant in hostilities, the individual must generally be engaged in specific acts that meet all three of the following criteria:

In other words, civilians, whether Ukrainian or foreign, are at risk of losing their IHL civilian protected status and could be directly targeted as if they were the Ukrainian military if they do something that meets all of these three criteria. For most cybersecurity firms working in Ukraine, all three will not be met, and meeting all three by accident is vanishingly unlikely.