Best Infosec-Related Long Reads of the Week, 5/13/23
Swiss surveillance mastermind, Regional disasters of hospital attacks, Dark Avenger's virus journey, Silk Road hacker's story, Rip and replace pain, Apple II software Piracy, Mafia's favorite phone
Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!
Global Surveillance: The Secretive Swiss Dealer Enabling Israeli Spy Firms
Crofton Black and Omer Benjakob in Haaretz tell the story of Andreas Fink, a Swiss telecom expert who went from outspoken privacy advocate and ally of Julian Assange to masterminding a global surveillance infrastructure that he has placed at the disposal of governments and companies.
Exclusive documents and data from multiple telecom industry sources, gathered by Lighthouse Reports and partners over more than a year of investigation, reveal how Fink's systems have served as a conduit for probing and attacking phone networks across the globe, especially in the global south. In the last six months traces of these attacks have been flashing red in Africa and Europe, in the Americas and South East Asia.
For example, one of Fink’s systems was seen in the system used by the Israeli hacker-for-hire and disinformation group Team Jorge as part of their operations, which required access to the global cellular network. An international investigation led by Haaretz and published three months ago revealed that Team Jorge offered mass-social-media manipulation, election interference and even hijacking email, Telegram and web accounts. In the past, over 20 members of the Israeli crypto community had their Telegram accounts hacked in a similar manner by someone using Fink’s infrastructure.
When contacted by this investigation, Fink admitted to working with companies and “legally entitled government agencies” as a provider of surveillance services. He denied knowledge of some incidents detailed in this investigation, in which data shows that his systems had been used to breach people’s internet accounts, saying that he found no records of them. And he denied that his systems could have participated in the surveillance of Fredid Román in Mexico.
The Swiss said he offers his customers the ability to use a highly customisable interface, called Venotex, to send tracking requests via a roster of phone network access points that he maintains, and gave details of a surveillance operation that he had conducted in the Democratic Republic of the Congo at the behest of government officials. Venotex was the system seemingly linked to the software used by Team Jorge. Fink denied working with Team Jorge, but confirmed a “customer” had once wanted to pay him through a company owned by them.
Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US
Three doctors, Christian Dameff, MD, Jeffrey Tully, MD, and Theodore C. Chan, MD, published this study in the Journal of American Medicine that examined two academic urban emergency departments (EDs) adjacent to a healthcare delivery organization (HDO) under a month-long ransomware attack and concluded that ransomware is associated with greater disruptions to regional hospitals and should be treated as disasters, necessitating coordinated planning and response efforts.
Hospital systems infected with ransomware can likely reduce regional effects by developing cyberattack-specific emergency operations plans to minimize recovery times in addition to engaging regional partners to proactively plan for and drill for cyberattacks. Real-time information sharing on cyber threat actors and methods can reduce the risk of spread among HDOs. Risks to specific patient populations, such as those with trauma, stroke, or myocardial infarction, should be anticipated, and measures to rapidly facilitate transfers among hospitals should be prioritized. Prolonged regional effects may necessitate consideration of reducing elective surgical cases and other extraordinary measures.
Increasing cyberattack prevention efforts and operational resiliency across all health care systems should be a high national priority. Further study on the association of cyberattacks with patient safety and quality of care is needed, although significant barriers to data collection and reporting remain given the reliance on affected electronic adverse event monitoring systems and HDO legal liability concerns.
On the trail of the Dark Avenger: the most dangerous virus writer in the world
Yale Law professor Scott J. Shapiro in The Guardian tells the story of how a computer virus known as Vienna escaped the computer of Bulgarian researcher Teodor Prevalsky and was refined in 1989 by someone known as the Dark Avenger to become one of the world’s most dangerous viruses, who went on to become one of the world’s most prolific virus writers.
Because computer-virus writing was a relatively new phenomenon, social scientists had not studied virus writers. Sensational reports from the media drove a stereotype. “The virus writer has been characterised by some as a bad, evil, depraved, maniac, terrorist, technopathic, genius-gone-mad sociopath,” Sarah Gordon reported in 1994. She set out to discover whether this stereotype was true.
Gordon was shocked when Dark Avenger dedicated his demo virus attached to the mutation engine to her. She reached out to him but got a dismissive response, routed through an intermediary: “You should see a doctor. Normal women don’t spend their time talking about computer viruses.”
Undeterred, she laboriously composed a message in Bulgarian asking Dark Avenger whether he would answer some questions. She passed it to an American security researcher who was in regular contact with him. He quickly responded. Soon they were corresponding over the internet.
Gordon and Dark Avenger communicated for five months. She has never made those messages public, except for excerpts that she published in 1993 (with Dark Avenger’s permission). These snippets are revealing. They show that Dark Avenger expressed remorse for his behaviour and considered the moral consequences of his actions. They also showed that he was belligerent, resentful and prone to blaming his victims. Gordon’s main area of questioning concerned motivation. Why did Dark Avenger write destructive viruses? And why did he seem so unconcerned by the damage he was causing?
$3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story
Elias Ahonen in Cointelegraph Magazine walks through how James Zhong, who stole $3.4 billion in Bitcoin from the notorious dark web marketplace Silk Road, was caught and ended up with a prison sentence of only a year.
Despite his VPNs and encryption and various attempts to hide the Silk Road coins, Zhong must have slipped up at some point, as the IRS was able to track him by his IP address — a unique identifier assigned to each device that connects to the internet. This IP address was then matched to records held with Zhong’s internet service provider as well as an exchange where he sent some coins to be traded, presumably obtained by a warrant requiring these records to be released.
The successful recovery of the Bitcoin came down to identifying the movements of the coins in question and following them to an exchange where Zhong had deposited and sold 119 BTC, worth somewhere in the region of $1 million, in 2019. Despite attempts to mix and obfuscate, the coins’ connection to Zhong and Silk Road was confirmed by a transfer of a mere 0.07750842 BTC — around $1,000 — in leftover change that was sent from Zhong’s account to a Bitcoin address previously used to move 1,000 BTC of Silk Road funds.
This suggests that Zhong was caught — losing him $3.4 billion — due to laziness in reusing an address instead of creating a new one, or perhaps even for worrying about 0.08 BTC when selling 118 BTC, to begin with. The Swan Bitcoin exchange, for example, explicitly discourages users from reusing addresses due to “negative implications such as diminished privacy and diminished security,” which Zhong’s case appears to demonstrate.
And so, a search warrant was issued and executed about two years later, in November 2021.
‘Rip and Replace’: The Tech Cold War Is Upending Wireless Carriers
The New York Times’s Cecilia Kang explains how the US policy of ripping and replacing gear from Chinese suppliers Huawei and ZTE out of phone carrier infrastructure due to fears of spying wreaking havoc at small wireless carriers across the US.
In southern Alabama’s Black Belt region, known for its historical cotton plantations and paper mills, complying with rip-and-replace has been a central initiative at Pine Belt Cellular, one of the few wireless carriers for 2,000 homes and businesses in five counties.
The company was founded in 1958 by James Nettles, a country doctor in Arlington who installed phone lines into the homes of patients so they could call him for home visits.
After James Nettles’s son, John Nettles, joined the phone business in 1988, the family expanded into wireless service with federal grants. In 2011, John Nettles took additional F.C.C. subsidies and upgraded Pine Belt’s network to include broadband for fast internet service.
Six equipment manufacturers pitched their gear to him, he said. Mr. Nettles chose ZTE because the company offered equipment at less than half the cost of other bids. Pine Belt initially bought $5 million in ZTE equipment, including hundreds of antennas, radios and other gear for its 67 cell towers.
The F.C.C. “told me to find the cheapest equipment, and no one thought twice about ZTE being Chinese,” he said.
But since restrictions on ZTE gear were introduced, Mr. Nettles has spent most of his time trying to replace it with equipment from Western companies like Nokia and Microsoft.
‘Don’t Copy That Floppy’: The Untold History of Apple II Software Piracy
Computer and video game professor Laine Nooney offers in Motherboard this excerpt from her new book, The Apple II Age: How the Computer Became Personal that recounts one of the earliest copy protection battles of the PC era that began in March 1981 when Robert Tripp, publisher of the MICRO: The 6502 Journal, accepted an ad for a disk copy utility program called Locksmith, sparking a backlash from software publishers.
Understanding why a group of software publishers might threaten to ruin a niche microcomputer hobbyist magazine over another company’s ad requires understanding the tangled net of industrial tensions that emerged between the producers and the consumers of microcomputer software in the early 1980s. As a consumer microcomputing market began to flourish, developers became alert to the risks software piracy posed to their burgeoning industry. If no one paid for software, they worried, who would bother to write it, and how would the industry grow?
Thus began the drama of copy protection, an industrial loss prevention practice wherein companies used a combination of hardware and software techniques to scramble the data on software media formats, typically 5.25-inch floppy disks, so that copying the disk was no longer possible by conventional means. While the goal of this subtle bit of friction was to throttle piracy, it also prevented users from creating backup copies of software they legally owned, or otherwise accessing the code itself.
Copy protection centralizes unique tensions around the status of software in the early 1980s, particularly with regard to its ownership. Was software a good or a service? Did users have a right to access the code itself or only its end result? Was preventing users from making backup copies a form of industrial overreach or even consumer abuse? No computer enthusiast magazine of the period, and no software publisher or consumer, went untouched by the roiling debate over copy protection.
Inside the Italian Mafia’s Encrypted Phone of Choice
Motherboard’s Joseph Cox reveals how a collaboration between Motherboard, lavialibera, and IrpiMedia exposed a firm called No. 1 Business Communication, which is the Italian mafia’s encrypted phone of choice.
Last week, European authorities arrested 132 members of the ‘Ndrangheta, the infamous mafia organization that Bruzzaniti was part of. The 'Ndrangheta is accused of top-tier cocaine trafficking from South America, weapons smuggling out of Pakistan, money laundering across Europe, and a series of other crimes around the world, according to a press release from Europol. A Europol spokesperson told Motherboard that the operation was a result of intelligence from Sky and another hacked network called Encrochat.
As part of those arrests, Italian courts unsealed another cache of documents which say that the content of a mafioso’s encrypted messages on No. 1 BC were “not intercepted.” Bruzzaniti remains a fugitive.
Intercepted messages from Sky included in court records also show an Albanian organized crime group discussing No. 1 BC, explaining they paid over 10,000 Euros for around half a dozen phones. This group believed that No. 1 BC was more secure than Sky at the time, according to the court records.
“We need 8 pieces,” one of their messages reads.
Names linked to No. 1 BC identified as part of this investigation include a high profile American investor and businessman, a Ukrainian technologist, and a convicted drug trafficker and money launderer. The investigation paints a picture of an organization that has existed in the shadows for years, but which recently gathered more significance among organized criminals after law enforcement agencies knocked out No. 1 BC’s main competitors, like Sky and Encrochat.
Europe’s Moral Crusader Lays Down the Law on Encryption
Wired’s Morgan Meaker profiles Swedish politician Ylva Johansson, the EU commissioner in charge of home affairs, who is the architect of a deeply controversial new bill that proposes ways to force tech companies, including those with encrypted platforms, in a battle against child sexual abuse material.
Arrayed against her is a fierce coalition of privacy advocates, American YouTubers, German soccer fans, and tech executives who argue that the proposal would severely impact online privacy. They call it the “chat control” bill and warn that it would open dangerous backdoors into encrypted apps. Because Johansson has made herself the face of this bill, criticism is lobbed at her personally. “Either she’s stupid or she’s evil,” says Jan Jonsson, CEO of Swedish VPN service Mullvad. In February, she was given a dubious “prize” at the Dutch Big Brother Awards, an event organized by digital rights group Bits of Freedom, which identifies heroes and villains in the fight for privacy. Johansson was firmly in the latter category, winning a public vote for the individual who has most threatened individual privacy.
The award ceremony took place on Johansson’s birthday. But she still attended—virtually, at least—and gave an acceptance speech. She says she doesn’t care about the criticism. “I think I have a moral obligation to act,” she told WIRED in March. “If I don’t, who am I? I will be a little mouse. I will be nothing.”