Best Infosec-Related Long Reads of the Week, 8/12/23

SIM-swapping gamers' betrayal, Another false arrest from facial recognition, Identifying the most sexually predacious apps, Sweden's fight against disinformation, Yandex's privacy threat, more

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

Teen Gamers Swiped $24 Million in Crypto, Then Turned on Each Other

Bloomberg’s Margi Murphy and Drake Bennett tell an intricate story of prominent crypto investor and marketer Michael Terpin, who became obsessed with a group of teen gamers, *including Joseph O’Connor, convicted earlier this year in a celebrity Twitter crypto scam), who stole $24 million in cryptocurrency from him during a SIM-swapping attack, ultimately turning on one another as the legal net tightened around them.

On Truglia’s sofa, as David blasted his way through Fortnite, they went over the clattering of David’s digital firearms. Their posse wasn’t exactly a band of brothers. They seemed to take gleeful satisfaction in ripping off one another. That spring, Truglia had paid $30,000 for some of the guys to arrange a VIP trip to the Coachella music festival in California, only to have them withhold the address of the opulent house that came with it. He’d been left without a place to stay, the others taunting him with tales of how the rapper Post Malone and the model Hailey Bieber stopped by the house for an after-party. More recently, David had brokered a deal for one of the crew to buy Truglia’s Bentley, only for Truglia to take the payment and keep the car.

David was also secretly recording their conversation on his phone that night in Truglia’s apartment. As they talked, he steered the conversation toward the origins of Truglia’s money. He’d heard Truglia boast about SIM swapping, and about a different crew he socialized with online. David would later swear in an affidavit that Truglia had even taken him to an AT&T store and tried to get an employee to do a SIM swap right there. It had failed, David recalled, only because Truglia wasn’t willing to pay the outstanding balance on his target’s account.

“Who was the biggest guy you SIM swapped?” David can be heard asking on his recording from Truglia’s apartment. “The guy who is suing AT&T?”

“Michael Terpin,” Truglia said. The memory made him laugh. “He was having a fantastic day. He went to bed thinking ‘Wow, I had $24 million in this account,’ ” Truglia said. “That was funny.”

Eight Months Pregnant and Arrested After False Facial Recognition Match

The New York Times’ Kashmir Hill tells the story of how eight-months pregnant Porcha Woodruff was mistakenly arrested for robbery and carjacking after the Detroit Police Department ran an image from surveillance video through a system from a facial recognition vendor called DataWorks Plus that incorrectly matched Woodruff’s mug shot from a 2015 incident when she was pulled over for driving without a license, which the victim also mistakenly identified as his assailant.

Gary Wells, a psychology professor who has studied the reliability of eyewitness identifications, said pairing facial recognition technology with an eyewitness identification should not be the basis for charging someone with a crime. Even if that similar-looking person is innocent, an eyewitness who is asked to make the same comparison is likely to repeat the mistake made by the computer.

“It is circular and dangerous,” Dr. Wells said. “You’ve got a very powerful tool that, if it searches enough faces, will always yield people who look like the person on the surveillance image.”

Dr. Wells said the technology compounds an existing problem with eyewitnesses. “They assume when you show them a six-pack, the real person is there,” he said.

Amid Sextortion’s Rise, Computer Scientists Tap A.I. to Identify Risky Apps

In the New York Times, tech reporter Tripp Mickle reports how Brian Levine, a computer scientist at the University of Massachusetts Amherst, and a team of researchers have built a searchable website called the App Danger Project, which provides clear guidance on the safety of social networking apps, identifying user reviews about sexual predators and providing safety assessments of apps with negative reviews.

Predators are increasingly weaponizing apps and online services to collect explicit images. Last year, law enforcement received 7,000 reports of children and teenagers who were coerced into sending nude images and then blackmailed for photographs or money. The F.B.I. declined to say how many of those reports were credible. The incidents, which are called sextortion, more than doubled during the pandemic.

Because Apple’s and Google’s app stores don’t offer keyword searches, Mr. Levine said, it can be difficult for parents to find warnings of inappropriate sexual conduct. He envisions the App Danger Project, which is free, complementing other services that vet products’ suitability for children, like Common Sense Media, by identifying apps that aren’t doing enough to police users. He doesn’t plan to profit off the site but is encouraging donations to the University of Massachusetts to offset its costs.

Mr. Levine and a dozen computer scientists investigated the number of reviews that warned of child sexual abuse across more than 550 social networking apps distributed by Apple and Google. They found that a fifth of those apps had two or more complaints of child sexual abuse material and that 81 offerings across the App and Play stores had seven or more of those types of reviews.

Sweden Is Not Staying Neutral in Russia’s Information War

The New York Times's Steven Lee Myers explains how Sweden’s new Psychological Defense Agency is fighting a wave of Russian disinformation that has targeted the country to undermine its bid to join the NATO alliance.

Other countries have scrambled in recent years to counter foreign influence operations, including France, which has created a similar agency, but Sweden is now on the front lines of a fight over the country’s security, its social cohesion and even its democratic foundations. Russia’s invasion of Ukraine — and Sweden’s subsequent decision to seek NATO membership — have put the country in the Russian cross hairs.

The work of the Psychological Defense Agency could become a model for how democratic governments can fight back — or a symbol of how ineffective they are against determined authoritarian adversaries.

Sweden’s prime minister, Ulf Kristersson, who has led a coalition government since elections last fall, said that “states and statelike actors” were “actively exploiting” the protests in Sweden. In a statement with Denmark’s leader late last month, he said that Sweden faced “the most serious security situation since the Second World War.”

Leaked Yandex Code Breaks Open the Creepy Black Box of Online Advertising

Wired’s Matt Burgess explains how an analysis by Kaileigh McCrea, a privacy engineer at cybersecurity firm Confiant, of the source code leak of Yandex, Russia’s “Google,” on the hacking site BreachForums, sheds light on how the massive amounts of data Yandex collects on users for advertising sparks serious privacy concerns.

The source code shows AppMetrica collecting data on people’s precise location, including their altitude, direction, and the speed they may be traveling. McCrea questions how useful this is for advertising. It also grabs the names of the Wi-Fi networks people are connecting to. This is fed into Crypta, with the Wi-Fi network name being linked to a person’s overall Yandex ID, the researcher says. At times, its systems attempt to link multiple different IDs together.

“The amount of data that Yandex has through the Metrica is so huge, it's just impossible to even imagine it,” says Grigory Bakunov, a former Yandex engineer and deputy CTO who left the company in 2019. “It's enough to build any grouping, or segmentation of the audience.” The segments created by Crypta appear to be highly specific and show how powerful data about our online lives is when it is aggregated. There are advertising segments for people who use Yandex’s Alice smart speaker, “film lovers” can be grouped by their favorite genre, there are laptop users, people who “searched Radisson on maps,” and mobile gamers who show a long-term interest.

Election Interference Demands a Collective Defense

In Foreign Affairs, Richard Fontaine, CEO of the Center for a New American Security, argues that it’s time for democracies around the world to form a global defense mechanism against election interference akin to Article 5 of the North Atlantic Treaty to come to the aid of one another in the event of an attack.

Given the high potential benefits and low cost of meddling in democratic processes, democracies should expect more of it. Fortunately, policymakers are much more aware of the problem of foreign interference than they were in 2016. They also recognize that a multifaceted approach to defense and deterrence is required. But there is still a big gap between what is being done and what needs to be done. Last year, for example, a European Parliament report found that its member states “appear to lack the appropriate and the sufficient means to be able to better prevent, detect, attribute, counter, and sanction these threats.”

Missing among the attempts to combat foreign political interference is any significant mechanism for international collaboration. Many democracies share the same threat, but too often each defends itself individually, if at all. Democracies must actively cooperate by exchanging threat information, identifying areas of vulnerability, monitoring foreign activity, and sharing best approaches for deterring and defending against interference.

Even this kind of loose coordination, however, will likely prove insufficient to deal with the sharply increased threat of foreign interference in democratic practice. Even strong individual responses from targeted countries have not deterred new attacks. Democracies must go further. They should agree to devise a multilateral approach to ensure that interference elicits a collective reaction.