Best Infosec-Related Long Reads of the Week, 6/17/23

Spying on prisoners' heartbeats, Cops abusing anti-porn app, Sending suicide hotline caller's data to Facebook, Shady chips inside the Navy, NASA and NATO, Updating SP 800-171, plus a bonus long read


Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

This Surveillance System Tracks Inmates Down to Their Heart Rate

Wired’s Matt Burgess reveals that the Fulton County Sheriff’s Office in Atlanta, Georgia, is rolling out a new surveillance system from Georgia-based firm Talitrix that, to the dismay of privacy advocates, tracks an inmate’s heart rate, records their location every 30 seconds, and generates 3D reconstructions showing who comes into contact with whom.

Screenshots of a dashboard of Talitrix’s software, which is called Inside the Walls, show correction officers can see how many inmates are within each area of the jail at any time, names of inmates, their jail-cell numbers, and heart rate details—including the last recorded rate and a graph over time. It shows the number of hours an inmate has been in their cell, compared to outside of it. A tab within the software lists alerts that have been issued for inmates when their heart rate has dropped or spiked.

One option within the system is a 3D reconstruction of the jail facility, dubbed a “facility replay.” This shows where inmates, represented by generic human characters, are standing at a given time. Screenshots in a PowerPoint slide show inmates standing near each other.

“I think it’s a terrifying leap forward in terms of using technology to manage the jail population,” says James Kilgore, a media fellow at nonprofit MediaJustice, who has written about electronic monitoring and spent six years incarcerated. “It’s just legitimizing gathering all kinds of biometric data on people that really had nothing to do with people being in jail,” says Kilgore, who reviewed the documents at WIRED’s request. “I just fear what can happen if all of a sudden, the Talitrix says that your heartbeat is going 140 beats per minute, when it isn’t,” Kilgore adds. “And what they’re going to do to you, in response to all that data that they used.”

An Anti-Porn App Put Him in Jail and His Family Under Surveillance

Dhruv Mehrotra in Wired delves into an anti-pornography app called Covenant Eyes that, contrary to its developer’s terms of service, was used by the probation department in Indiana’s Monroe County to surveil not only a man charged with possession of child sexual abuse material, a charge he denies, but also the devices of everyone in his family.

Covenant Eyes doesn’t permit its software to be used in a “premeditated legal setting,” such as monitoring people on probation, according to its terms of service. But public spending documents, court records, and interviews show that courts in at least five US states have used Covenant Eyes to surveil the devices of people who are awaiting trial or released on parole.

Neither Covenant Eyes nor multiple officials in Monroe County responded to repeated requests for comment and detailed questions about the app’s monitoring.

While the use of Covenant Eyes in a criminal-legal setting likely only represents a tiny fraction of the hundreds of thousands of people under court-ordered electronic surveillance, the stakes are still high for those required to use it. The app’s accuracy could determine whether a loved one lives at home or behind bars. Legal experts say that its use raises serious constitutional and due process concerns.

“This is the most extreme type of monitoring that I’ve seen,” says Pilar Weiss, founder of the National Bail Fund Network, a network of over 90 community bail and bond funds across the United States. “It’s part of a disturbing trend where deep surveillance and social control applications are used pretrial with little oversight.”

Suicide Hotlines Promise Anonymity. Dozens of Their Websites Send Sensitive Data to Facebook

Colin Lecher and Jon Keegan in the Markup, co-published by STAT, discovered that dozens of websites tied to the national mental health crisis 988 hotline, which launched last summer, have been quietly sending sensitive visitor data to Facebook using a tool called the Meta Pixel.

Dozens of websites tied to the national mental health crisis 988 hotline, which launched last summer, transmit the data through a tool called the Meta Pixel, according to testing conducted by The Markup. That data often included signals to Facebook when visitors attempted to dial for mental health emergencies by tapping on dedicated call buttons on the websites.

In some cases, filling out contact forms on the sites transmitted hashed but easily unscrambled names and email addresses to Facebook.

The Markup tested 186 local crisis center websites under the umbrella of the national 988 Suicide and Crisis Lifeline. Calls to the national 988 line are routed to these centers based on the area code of the caller. The organizations often also operate their own crisis lines and provide other social services to their communities.

The Markup’s testing revealed that more than 30 crisis center websites employed the Meta Pixel, formerly called the Facebook Pixel. The pixel, a short snippet of code included on a webpage that enables advertising on Facebook, is a free and widely used tool. A 2020 Markup investigation found that 30 percent of the web’s most popular sites use it.

The pixels The Markup found tracked visitor behavior to different degrees. All of the sites recorded that a visitor had viewed the homepage, while others captured more potentially sensitive information.
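The “hashed but easily unscrambled” finding above is worth seeing concretely. The Python below is an added example, not code from The Markup or from Meta. It assumes the pixel hashes form fields with unsalted SHA-256 over a trimmed, lowercased value (the normalization Meta documents for its advanced matching feature; the assumption is restated in the code). Because the space of plausible email addresses is tiny next to SHA-256’s output space, anyone holding the hash and a candidate list reverses it by hashing the candidates and looking up matches. The example goes one step beyond the article: it needs no breach dump at all, enumerating candidates from constructed name and domain lists.

```python
import hashlib
import itertools


def normalize(value: str) -> str:
    """Trim and lowercase before hashing.

    Assumption for this example: the pixel hashes form fields with unsalted
    SHA-256 over a trimmed, lowercased value (the normalization Meta
    documents for its advanced matching feature).
    """
    return value.strip().lower()


def sha256_hex(value: str) -> str:
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


# Constructed sample: two hashes of the kind a contact form might transmit
# instead of the plaintext addresses the visitor typed.
CAPTURED = [
    sha256_hex("Jane.Doe@example.org"),
    sha256_hex("bob_smith@example.com"),
]

# Constructed candidate lists; a real attack would use far larger ones.
FIRST_NAMES = ["jane", "bob", "alice"]
LAST_NAMES = ["doe", "smith", "jones"]
DOMAINS = ["example.org", "example.com"]


def candidate_emails(first_names, last_names, domains):
    """Enumerate common local-part patterns for every name/domain combination.

    Even without a breach dump the address space is small: 72 candidates
    here, versus the 2**256 output space the hash is supposed to hide behind.
    """
    patterns = ("{f}.{l}", "{f}_{l}", "{f}{l}", "{l}.{f}")
    for first, last, domain in itertools.product(first_names, last_names, domains):
        for pattern in patterns:
            yield f"{pattern.format(f=first, l=last)}@{domain}"


def build_lookup(candidates):
    """Precompute hash -> plaintext for the candidate set (a dictionary table)."""
    return {sha256_hex(c): normalize(c) for c in candidates}


def unscramble(hashes, candidates):
    """Map each captured hash to the recovered address, or None if not in the set."""
    table = build_lookup(candidates)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    recovered = unscramble(
        CAPTURED, candidate_emails(FIRST_NAMES, LAST_NAMES, DOMAINS)
    )
    for digest, email in recovered.items():
        print(f"{digest[:16]}... -> {email}")
```

The caveat for anyone operating such a site: salting would not rescue this design, because the pixel’s purpose is to match the hash against Facebook’s own copy of the same address, which forces the hashing to be deterministic on both sides. Hashing here is transport obfuscation, not anonymization; the only real fix is not to send the field.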

How a Shady Chinese Firm’s Encryption Chips Got Inside the US Navy, NATO, and NASA

Wired’s Andy Greenberg reports that, thanks to the complexity of the hardware supply chain, Hangzhou, China-based Hualan Microelectronics, also known as Sage Microelectronics, still supplies encryption microcontroller chips, through its subsidiary Initio, to Western manufacturers of encrypted hard drives, despite Hualan’s addition to the Commerce Department’s Entity List. Several of those drive makers list Western aerospace, military, and intelligence agencies as customers on their websites.

The disconnect between the Commerce Department’s warnings and Western government customers means that chips sold by Hualan’s subsidiary have ended up deep inside sensitive Western information networks, perhaps due to the ambiguity of their Initio branding and its Taiwanese origin prior to 2016. The chip vendor’s Chinese ownership has raised fears among security researchers and China-focused national security analysts that they could have a hidden backdoor that would allow China’s government to stealthily decrypt Western agencies’ secrets. And while no such backdoor has been found, security researchers warn that if one did exist, it would be virtually impossible to detect it.

“If a company is on the Entity List with a specific warning like this one, it’s because the US government says this company is actively supporting another country’s military development,” says Dakota Cary, a China-focused research fellow at the Atlantic Council, a Washington, DC-based think tank. “It's saying you should not be purchasing from them, not just because the money you’re spending is going to a company that will use those proceeds in the furtherance of another country’s military objectives, but because you can’t trust the product.”

Technically, the Entity List is an “export control” list, says Emily Weinstein, a researcher at Georgetown University's Center for Security and Emerging Technology. That means US organizations are forbidden from exporting components to companies on the list, rather than importing components from them. But Cary, Weinstein, and the Commerce Department note that it's often used as a de facto warning to US customers not to buy from a listed foreign company, either. Both networking firm Huawei and drone-maker DJI have been added to the list, for instance, for their alleged ties to the Chinese military. “It’s used somewhat as a blacklist,” says Weinstein. “The Entity List should be a red or maybe a yellow alert to anyone in the US government who’s working with this company to take a second look at this.”

Proposed NIST Updates and Data Incident Response Planning

Writing in Lawfare, John Butler, director for cyber/E&O with the CNA Insurance Companies, and Steven G. Stransky, a partner at Thompson Hine LLP and the co-chair of its Privacy and Cybersecurity practice group, walk through the National Institute of Standards and Technology’s (NIST) proposed update of its Special Publication (SP) 800-171, which lays out technical, physical, and administrative security controls designed to protect sensitive federal data (controlled unclassified information) in nonfederal systems and organizations.

The proposed changes to SP 800-171 focus on, among other areas, aligning the security controls therein with other NIST guidelines applicable to the federal government and describing these controls with more granularity to remove ambiguity and improve implementation effectiveness. Although not a core focus, the proposed SP 800-171 updates address data security incident response (IR), which is important for businesses to understand given the current cybersecurity threat landscape. In particular, the proposed changes seek to clarify the IR plans and controls that organizations should implement and specifically delineate measurable parameters for them.

These updates provide clarity for how organizations should address their IR planning, especially in the areas of testing and training. For instance, the NIST proposal reiterates the importance of using checklists, tabletop exercises, and other simulations to test an IR plan. It also adds new guidance concerning how organizations can use qualitative and quantitative data to aid in determining the effectiveness of IR processes. This framework is particularly important for multinational companies and other larger organizations that have key IT resources spread across various jurisdictions and time zones. They should test and measure the speed with which they can launch their IR teams and deploy digital forensic and other IR security tools, and should seek to identify ways to improve the efficiency and effectiveness of their recovery.

A storefront for robots

In this bonus, somewhat off-topic, long read, Mia Sato explains in The Verge how Google search engine optimization (SEO) is forcing business owners to spend time and money to fill their pages with basically useless text to feed an ever-changing search algorithm in a Darwinian struggle to survive on the internet, a grinding task that will only fill Google search content with more garbage with the advent of artificial intelligence applications.

I came across the “Butt-Lifting Leggings/Scrunchars Tights” blog over the course of a weeklong internet search for black, flared leggings — an item that, in theory, shouldn’t be complicated to find but is also fairly specific.

A Google search for “black flare leggings” reminds me why I hardly ever shop from retailers anymore and, if I do, why I tend to stick to the same brands: search results are a nightmare.

A dizzying number of sponsored products populate the top of the page, a funhouse of mirrors reflecting dismembered legs walking or standing, hips resting to one side. More sponsored retailers — plus a couple organic links — follow before a slew of images tagged with relevant keywords pop up. Next, a panel of search queries that Google has deemed relevant: “What are flared leggings called?” “What is the difference between flare and super flare leggings?” “Are flared leggings still in style?” If Google’s own experiments with generative AI in Search continue, the benefit of loading sites with content catering to these search phrases might evaporate in the future. All said and done, there are only a handful of direct, unsponsored links to leggings on the first page of results.

The butt scrunch leggings blog, like most SEO filler, lives in a forgotten section of a website where normal humans do not venture. The content doesn’t have to make sense, but reading it is uncanny, hilarious, and a little threatening.

“Tights having a scrunching effect are known as butt-lifting leggings or scrunch tights,” the blog begins. “So this article is for you if you’re looking for tights that go into your ass!” The post is a wall of unformatted text, links to products, and subsections with titles like “Which pair of leggings should I pick,” “What is so unique about crossover leggings,” and “Leggings with an ass opening.”

This is the type of content publishers, brands, and mom-and-pop businesses spend an untold number of hours on, and on which a booming SEO economy full of hackers and hucksters makes promises ranging from confirmed to apocryphal. The industries that rely heavily on Search — online shops, digital publishers, restaurants, doctors and dentists, plumbers and electricians — are in a holding pattern, churning out more and more text and tags and keywords just to be seen.
