Best Infosec-Related Long Reads of the Week, 7/29/23

How Signal became the go-to privacy app, LAC nations need cybersecurity support, Hunting down a Twitter scammer, Cyber insurers need capital access, Mass. push to ban cop facial recognition use

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

How Signal Walks the Line Between Anarchism and Pragmatism

Programmer and writer Kai Ye in Wired tells the story of how Signal, a tiny organization with virtually no marketing budget, has become synonymous with private communications and how Moxie Marlinspike, the charismatic face of Signal, became the driving force for end-to-end encrypted communications.

Released after WhatsApp set the standards for messaging, Signal’s problem has always been how to keep up with its competition—a fine dance between mimicry (so as to seem familiar to new users) and innovation (to poach users from its competitors). Signal started off by copying WhatsApp's user experience, while at the same time pioneering end-to-end encryption, a feature that WhatsApp turned around and copied from Signal. Throughout this evolutionary dance, Signal has managed to maintain an unusual focus on the autonomy of the individual, a wariness of state authority, and an aversion to making money, characteristics that are recognizably anarchist.

Because a small fringe of cypherpunks, Marlinspike included, came to see cryptography as a way to remedy the imbalance of power between the individual and the state, Signal focused on getting end-to-end encryption on messages and calls absolutely right. With Signal, no one can read your messages. Amazon can’t, the US government can’t, Signal can’t. The same is true for voice calls and metadata: A user’s address book and group chat titles are just as safe. Signal knows basically nothing about you, other than your phone number (which is not mapped to your username), the time you created your account, and the time you last used the app. Your data can’t be sold to others or cause ads to follow you around on the internet. Using Signal is just like talking with your friend in the kitchen.

Because Signal is committed to retaining as little metadata as possible, that makes it hard for it to implement new features that are standard to other apps. Signal is essentially footing the cost of this commitment in engineer-hours, since implementing popular features like group chats, address books, and stickers all required doing novel research in cryptography. That Signal built them anyway is a testament to its desire for mass appeal.

Cybersecurity: The Next Frontier of U.S.-China Competition in the Americas

In America’s Quarterly, Randy Pestana, associate director for cybersecurity policy at Florida International University’s Jack D. Gordon Institute for Public Policy, argues that the US should do more to shield Latin America and the Caribbean (LAC) from cyber threats given that only half of the LAC countries have established a cybersecurity strategy, and even fewer have adopted cybersecurity-related legislation.

This situation is a significant concern for the U.S., which has a vested interest in fostering LAC’s digital safety. Simply put, a prosperous and secure LAC strengthens the Americas as a whole. In the context of the great power competition with China, democratic countries may be inclined to look to the U.S. for help given its broader range of cybersecurity investments, but many also face a delicate dilemma: Should they wait for Washington’s support to come through for large ticket items such as information and communication technologies (ICTs) and infrastructure development — or should they take the flurry of resources provided in the short term by China?

Indeed, from the Chinese perspective, the ICT sector has emerged as a primary area of investment to challenge U.S. influence in LAC. Chinese companies, such as Huawei, have made significant investments in deploying 4G and 5G networks across the region, with notable projects in Brazil, Chile, and Mexico. For instance, in Brazil, the Huawei ICT Academy Program has gained traction, with more than 90 universities and educational institutions joining and approximately 36,000 students trained since 2013. This foothold has enabled Beijing to further expand its presence in cloud computing, digital transformation, and e-commerce, particularly focusing on data-heavy investments. One of the major concerns expressed by the U.S. relates to China’s Data Security Law, which governs the “collection, storage, use, processing, transmission, provision, and disclosure” of data within China. These concerns primarily revolve around how Chinese companies handle this data and the potential for user data, regardless of its country of origin, to come under the control of the Chinese government.

Note: The entire latest issue of America’s Quarterly is devoted to cybersecurity with other long form pieces well worth reading, including:

Twitter Scammers Stole $1,000 From My Friend—So I Hunted Them Down

Cybersecurity threat researcher Selena Larson tells the tale in Wired of how scammers duped her friend Tim Utzig after someone hijacked the Twitter account of Baltimore sports reporter Roch Kubatko to offer a bogus laptop for sale, and how, with the help of a social engineering expert, “Steve,” she tracked them down.

Steve was enraged that Utzig had been swindled, and offered to help. But all we had was a phone number. So he contacted the number and told the person on the other end that he was interested in buying laptops. Immediately, he received a text from a different number: “Are you looking for laptops?”

Throughout the conversation, Steve said he was willing to pay via Bitcoin, Cash App, or Zelle. Bitcoin wallet information is useful because all transactions are stored on the blockchain, and you can use it to “follow the money” and identify how much money accounts have made. It’s also possible to cross-reference blockchain accounts with other data sets such as open-source reporting or private threat data to identify related fraudulent activity. Cash App and PayPal are also useful data points because users must provide a lot of personal information including phone numbers, email addresses, usernames, and possibly bank accounts. And Zelle is tied to a bank account, making the information very useful to fraud investigators.

Typically, Steve is able to get at least one of these accounts from the threat actors he interacts with—in this case, we got three.

By claiming he didn’t have enough money in one of his accounts, and that another was not working, Steve got the scammers to send him links to multiple payment accounts. The accounts all had different usernames, suggesting they belonged to different people. In fact, Steve was able to link the usernames and phone numbers from the payment apps to three different people and their suspected real names. He found LinkedIn profiles; Twitter, Facebook, TikTok, Snap, and Instagram accounts; Poshmark accounts; dating profiles; a Soundcloud; and personal websites. By pivoting on this data and information provided on their various social and public profiles, Steve was then able to link the individuals to physical addresses in the eastern US.

If Cyber Is Uninsurable, the United States Has a Major Strategy Problem

Tom Johansmeyer, a Ph.D. candidate at the University of Kent, Canterbury, warns that the collapse of the cyber insurance market, which some observers have predicted, would be catastrophic and argues that access to capital is essential to ensuring the continued viability of cyber insurance.

New sources of capital will be crucial to remedying this problem. Insurers have relied heavily on reinsurers to help them grow. Existing reinsurers are constrained in how much more capital they can allocate to cyber risks, and new entrants have come into the market cautiously, with small commitments. Even sufficient growth among existing reinsurers to meet the needs of insurers could be problematic. According to one U.S. cyber insurance executive, “From just the way the market is structured right now, one reinsurer could have seven bites at the same apple for a large enough client.” The cyber reinsurance market is highly concentrated, although not to the extent it was even a year ago. Still, there is a concern that too few companies could bear too much of the burden. Even if a major cyber event did not pose a solvency risk (which it likely wouldn’t, due to the other risk management measures described earlier in this article), it could still result in enough change in risk appetite to make the economics of such coverage untenable.

More capital could come from the insurance-linked securities (ILS) market, which comprises specialist investment managers who allocate capital to insurance risks. The overwhelming majority of the sector’s $104.9 billion is currently allocated to property-catastrophe risks, but the sector has begun to participate in the cyber insurance market. From an estimated seven participants in early 2022, at least 10 now have experience with cyber ILS. Several of the cyber insurance executives interviewed, in fact, have used support from this market. The potential role of ILS in the cyber insurance market is still evolving, but the potential is clearer than it was even a year and a half ago.

The movement to limit face recognition tech might finally get a win

MIT Tech Review’s Tate Ryan-Mosley delves into how a proposed Massachusetts state law to limit police use of facial recognition technology could re-energize the movement to ban the technology, which public interest advocates, academics, and some tech companies say is a threat to civil liberties, or, if the bill fails, dampen prospects for further federal or state bans.

Not everyone is thrilled with the Massachusetts standard. Police groups remain opposed to the bill. Some activists don’t think such regulations are enough. Meanwhile, the sweeping face recognition laws that some anticipated on a national scale in 2020 have not been passed.

So what happened between 2020 and 2023? During the three years that Massachusetts spent debating, lobbying, and drafting, the national debate moved from police reform to rising crime, triggering political whiplash. As the pendulum of public opinion swung, face recognition became a bargaining chip between policymakers, police, tech companies, and advocates. Perhaps importantly, we also got accustomed to face recognition technology in our lives and public spaces.

Law enforcement groups nationally are becoming increasingly vocal about the value of face recognition to their work. For example, in Austin, Texas, which has banned the technology, Police Chief Joseph Chacon wishes he had access to it in order to make up for staffing shortages, he told MIT Technology Review in an interview.

Some activists, including Caitlin Seeley George, director of campaigns and operations at Fight for the Future, say that police groups across the country have used similar arguments in an effort to limit face recognition bans.

“This narrative about [an] increase in crime that was used to fight the defund movement has also been used to fight efforts to take away technologies that police argue they can use to address their alleged increasing crime stats,” she says.
