Best Infosec-Related Long Reads of the Week, 6/24/23

Gripping tale of Huawei corporate espionage, Iranian misinformation groups are infiltrating Israel, Cars suck up a vast amount of data, Data labeling by a growing underclass fuels AI


Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

When a Huawei Bid Turned Into a Hunt for a Corporate Mole

A detailed investigation by Bloomberg’s Jordan Robertson and Drake Bennett spins a gripping tale of how the Chinese telecom giant Huawei used a corporate mole to infiltrate TDC, Denmark’s dominant telecommunications company, while TDC was deciding whether to award a $200 million 5G contract to Huawei or its rival Ericsson, and how the campaign escalated into compromising TDC’s offices and spying on the company’s decision-makers.

A forensic analysis of Goldstein’s Lenovo laptop provided clues about what happened at that meeting. Early that morning, Goldstein had opened a folder on his computer containing five PowerPoint presentations meant for TDC’s board and the 5G committee. Then he’d opened a file containing Ericsson’s final offer. Neither Goldstein nor his boss, Pastwa, were on the committee, but TDC’s security team found that Pastwa had the documents and had emailed them to Goldstein. When the investigators requested CCTV footage from the company’s physical security department, it showed Goldstein leaving the building for coffee with Lan, a laptop under his arm. Within 24 hours of that meeting, Lan had submitted Huawei’s emergency revised bid, its total just a shade lower than Ericsson’s.

It was at this point that the security team began to suspect someone was monitoring them, too. A sweep of the company boardroom turned up multiple long-range microphones that, while compatible with the existing audio conferencing equipment, were not part of the original system–no one knew who’d installed them or why. The investigators decided to relocate. On March 18, the day TDC publicly announced that Ericsson had won the contract, the security team moved into the offices of one of the company’s law firms, Plesner, in a brown high-rise on Copenhagen’s northern harbor. They took a corner space on the 15th floor. There were now more than a dozen investigators, including digital forensics experts from the international firm FTI Consulting, and multiple attorneys from Plesner. Most of their work entailed inspecting phones and laptops for signs of tampering. Every evening they boxed up the equipment in black military-style security crates, drove them to a Danske Bank branch downtown and wheeled them into a vault.

The day the TDC team set up in Plesner’s offices, the law firm’s IT systems came under a denial-of-service hacking attack. For a little more than a half-hour, “virtually no traffic could come out of Plesner’s network,” one internal report stated. The following evening, when one of the investigators was out with friends, he noticed a young woman taking photos of him. When he went to confront her, she hurried away. Then another woman sat down next to his group and appeared to listen in on their conversation. A few nights later he saw a man outside his apartment trying to peer inside. Around that time, Aalose’s vacation home was broken into. The security team assigned Kirkby and Aalose, who jointly oversaw the leak investigation, round-the-clock security details.

At 12:20 a.m. on March 20, a security guard patrolling the Plesner offices noticed lights floating outside the 15th-floor room where TDC’s team had been working. Peering into the glare, he saw a large drone. For 10 minutes it remained there, flying up, down and sideways. Then it descended out of sight. Upon learning of the incident the following morning, the TDC investigators realized they’d failed to close the shades in the office. There was a wall-size whiteboard facing the windows on which they’d been tracing all of their leads, and it would have been in full view.

Iranian Influence Groups Are Attempting to Deepen Social Rifts in Israel

Omer Benjakob, Bar Peleg, and Josh Breiner in Haaretz delve into the rise of Iranian influence operations in Israel that aim to collect information on, and manipulate, activists on both the left and the right of the judicial overhaul debate in order to intensify the divisions in Israeli public discourse.

To date, the investigators have identified two main influence networks: No Voice and The Hunters (Hatzayadim). Presumably, one supports the protest and the other opposes it – but in fact, both groups seem to be operated by the same foreign entity to foster chaos and incitement among the Israeli public. Another network that aroused their suspicion was Traitors’ Trial (Mishpat Bogdim), which they say is connected to The Hunters through No Voice.

The Traitors group used similar tactics against left-wing activists, when it published details about policemen under the caption “Traitors,” and was even able to influence National Security Minister Itamar Ben-Gvir who echoed the misinformation. The minister attributed it to opponents of the judicial overhaul – and didn’t retract his words even after it became evident that a foreign country is behind the group.

“Israel is in a turbulent period,” says Nitsan Yasur, an expert analyst of influence campaigns on social media who was also involved in the investigation. “Outside entities identify the rifts and are trying to deepen them by means of influence networks. The foreign entities neither support nor oppose the changes, they’re trying to influence the discourse, to widen the rifts, to collect information, to spur local citizens to action and even to violence by means of messages that are adapted to every group and community,” Yasur said.

How Your New Car Tracks You

Wired’s Matt Burgess used the Vehicle Privacy Report, a new tool from the US-based automotive privacy firm Privacy4Cars that reveals how much information a carmaker’s policies allow it to collect, to examine ten of the most popular cars in the US. He found that the cars collect a vast amount of information, from driver’s license numbers to saved locations to driving behavior.

Toyota (Tacoma, Camry, RAV4, Highlander)

Four Toyota models were in our pick of the most popular US vehicles in recent years: the Toyota Tacoma, Toyota Camry, Toyota RAV4, and Toyota Highlander. As with all of the vehicles in this article, the privacy documentation analyzed by the Vehicle Privacy Tool is the same for each 2022 model—some older cars may collect less data.

Broadly, all manufacturers are likely to collect personal information that can be classed as an identifier. These include your name, address, driving license number, phone number, email, and other information. Toyota is no different. The Privacy4Cars tool analyzed four publicly available documents from Toyota, which total around 31,000 words. One key document is the company’s connected services privacy notice, which details what information your car may collect.

As well as information about who you are, Toyota can also collect your “driving behavior.” This includes information such as your “acceleration and speed, steering, and braking functionality, and travel direction.” It may also gather your in-vehicle preferences, favorite locations saved on its systems, and images gathered by external cameras or sensors.

Some models of Toyota can also scan your face for face recognition when you enter one of its vehicles. Corey Proffitt, a senior manager for connected communications at Toyota, says this can verify a driver’s identity and the profile that is stored on a vehicle. “This data is not readable by humans, and any facial features are only stored on the vehicle and not transmitted to Toyota,” Proffitt says.

The Vehicle Privacy Tool says Toyota’s documents are “silent” on whether the company collects data from people’s phones that are synced with its vehicles. Proffitt says it doesn’t collect this data, except for “using an identifier for the sole purpose of connecting a user’s profile on the Toyota/Lexus app with a vehicle” if a profile has been set up. “Any synchronization of contact info and call history for Bluetooth purposes remains on the vehicle and is not sent to Toyota,” Proffitt says.

They say people can “turn off all data transmission on their vehicle.” To do this, you can decline consent for connected services on its privacy hub or contact Toyota customer service.

AI Is a Lot of Work

In The Verge, investigations editor Josh Dzieza reveals that a massive, largely invisible workforce is emerging to label and classify the data that fuels AI systems, with little known about the information shaping those systems and even less known about the people doing the shaping.

Over the past six months, I spoke with more than two dozen annotators from around the world, and while many of them were training cutting-edge chatbots, just as many were doing the mundane manual labor required to keep AI running. There are people classifying the emotional content of TikTok videos, new variants of email spam, and the precise sexual provocativeness of online ads. Others are looking at credit-card transactions and figuring out what sort of purchase they relate to or checking e-commerce recommendations and deciding whether that shirt is really something you might like after buying that other shirt. Humans are correcting customer-service chatbots, listening to Alexa requests, and categorizing the emotions of people on video calls. They are labeling food so that smart refrigerators don’t get confused by new packaging, checking automated security cameras before sounding alarms, and identifying corn for baffled autonomous tractors.

“There’s an entire supply chain,” said Sonam Jindal, the program and research lead of the nonprofit Partnership on AI. “The general perception in the industry is that this work isn’t a critical part of development and isn’t going to be needed for long. All the excitement is around building artificial intelligence, and once we build that, it won’t be needed anymore, so why think about it? But it’s infrastructure for AI. Human intelligence is the basis of artificial intelligence, and we need to be valuing these as real jobs in the AI economy that are going to be here for a while.”

The data vendors behind familiar names like OpenAI, Google, and Microsoft come in different forms. There are private outsourcing companies with call-center-like offices, such as the Kenya- and Nepal-based CloudFactory, where Joe annotated for $1.20 an hour before switching to Remotasks. There are also “crowdworking” sites like Mechanical Turk and Clickworker where anyone can sign up to perform tasks. In the middle are services like Scale AI. Anyone can sign up, but everyone has to pass qualification exams and training courses and undergo performance monitoring. Annotation is big business. Scale, founded in 2016 by then-19-year-old Alexandr Wang, was valued in 2021 at $7.3 billion, making him what Forbes called “the youngest self-made billionaire,” though the magazine noted in a recent profile that his stake has fallen on secondary markets since then.