Best Infosec-Related Long Reads of the Week, 4/1/23

War over internet cables, Finding an Instagram scammer, Jailbreaking ChatGPT, HOAs license plate scanners, Facial recognition's false arrest, DPRK's $14m ATM theft, Hackers expose smear campaign, more

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec pieces and related articles that we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

U.S. and China wage war beneath the waves – over internet cables

Reuters’ Joe Brock offers this in-depth examination of how subsea cables, which carry the world’s data, have become a battleground between Washington and Beijing, with the US, fearful of China’s spying capabilities, intervening in six private undersea cable deals in the Asia-Pacific region over the past four years.

A Chinese company that has quickly emerged as a force in the subsea cable-building industry – HMN Technologies Co Ltd – was on the brink of snagging that contract three years ago. The client for the cable was a consortium of more than a dozen global firms. Three of China’s state-owned carriers – China Telecommunications Corporation (China Telecom), China Mobile Limited and China United Network Communications Group Co Ltd (China Unicom) – had committed funding as members of the consortium, which also included U.S.-based Microsoft Corp and French telecom firm Orange SA, according to six people involved in the deal.

HMN Tech, whose predecessor company was majority-owned by Chinese telecom giant Huawei Technologies Co Ltd,  was selected in early 2020 to manufacture and lay the cable, the people said, due in part to hefty subsidies from Beijing that lowered the cost. HMN Tech’s bid of $500 million was roughly a third cheaper than the initial proposal submitted to the cable consortium by New Jersey-based SubCom, the people said.

The Singapore-to-France cable would have been HMN Tech’s biggest such project to date, cementing it as the world’s fastest-rising subsea cable builder, and extending the global reach of the three Chinese telecom firms that had intended to invest in it.

But the U.S. government, concerned about the potential for Chinese spying on these sensitive communications cables, ran a successful campaign to flip the contract to SubCom through incentives and pressure on consortium members.

A Scammer Who Tricks Instagram Into Banning Influencers Has Never Been Identified. We May Have Found Him.

ProPublica’s Craig Silverman and Bianca Fortis tell the tale of how they tracked down a mysterious Instagram fraudster called OBN, who claims he made hundreds of thousands of dollars by exploiting Instagram’s security gaps.

Despite his frequent activity on Telegram and Instagram, and the shoutouts from major podcasts and influencers, OBN’s true identity — and even whether the account is run by one person or more than one — has remained a mystery.

ProPublica’s investigation led to one person who either is OBN or is closely linked to him: 20-year-old Edwin Reyes-Martinez, who lives with his mother in an apartment complex roughly 13 miles north of the Las Vegas strip.

Numerous clues connected Reyes-Martinez to OBN. Victims said OBN told them to send money to a bank account in the name of Edwin Reyes, or via an email address, ermtz030@icloud.com, that included Reyes-Martinez’s initials. That address also matched a partially redacted email, 030@icloud.com, that’s listed in the Las Vegas police letter OBN posted on Telegram.

A similar string of letters and numbers appears in a Twitter username, @ermtz030. That account bears Reyes-Martinez’s name and photo and features videos filmed inside a white Lamborghini. Although the videos don’t show the driver’s face, he is wearing a gold ring that resembles one worn by Reyes-Martinez in photos from his Facebook account. Another Facebook photo showed Reyes-Martinez posing in front of a white Lamborghini similar to the one featured in OBN’s Telegram profile.

The Amateurs Jailbreaking GPT Say They're Preventing a Closed-Source AI Dystopia

Motherboard’s Chloe Xiang looks at ChatGPT jailbreakers who work to stress-test GPT models with each release and see themselves as warriors against OpenAI's increasingly closed policies.

It's for this reason that Alex Albert, a computer science student at the University of Washington, created Jailbreak Chat, a site that hosts a collection of ChatGPT jailbreaks. He said that the site was created to provide the jailbreak community with a centralized repository so people could easily view jailbreaks and iterate on them, and to allow people to test the models.

“In my opinion, the more people testing the models, the better. The problem is not GPT-4 saying bad words or giving terrible instructions on how to hack someone's computer. No, instead the problem is when GPT-X is released and we are unable to discern its values since they are being decided behind the closed doors of AI companies,” Albert told Motherboard. “We need to start a mainstream discourse about these models and what our society will look like in 5 years as they continue to evolve. Many of the problems that will arise are things we can extrapolate from today so we should start thinking about them.”

LICENSE PLATE SURVEILLANCE, COURTESY OF YOUR HOMEOWNERS ASSOCIATION

Investigative journalist Georgia Gee in The Intercept delves into how license plate scanning company Flock Safety has targeted homeowners associations, or HOAs, in partnership with police departments to gain access into gated, private areas, normally out of the cops’ reach.

Over 200 HOAs nationwide have bought and installed Flock’s license plate readers, according to an Intercept investigation, the most comprehensive count to date. HOAs are private entities and therefore are not subject to public records requests or regulation.

“What are the consequences if somebody abuses the system?” said Dave Maass, director of investigations at the Electronic Frontier Foundation. “There are repercussions of having this data, and you don’t have that kind of accountability when it comes to a homeowners association.”

The readers can be hooked up to Flock’s search network, which allows police to track cars within their own neighborhoods, as well as access a nationwide system of license plate readers that scan approximately a billion images of vehicles a month. Law enforcement agencies with cameras can also create their own “hot lists” of plate numbers that generate alarms when scanned and will run them in state police watchlists and the FBI’s primary criminal database, the National Crime Information Center.

‘Thousands of Dollars for Something I Didn’t Do’

The New York Times’ Kashmir Hill and Ryan Mac recount the shameful experience of Randal Quran Reid, a transportation analyst, who was arrested by police in Georgia for crimes in Baton Rouge and Jefferson Parish, Louisiana, he didn’t commit due to a faulty match of Clearview AI’s facial recognition system.

His parents made phone calls, hired lawyers and spent thousands of dollars to figure out why the police thought he was responsible for the crime, eventually discovering it was because Mr. Reid bore a resemblance to a suspect who had been recorded by a surveillance camera. The case eventually fell apart and the warrants were recalled, but only after Mr. Reid spent six days in jail and missed a week of work.

Mr. Reid’s wrongful arrest appears to be the result of a cascade of technologies — beginning with a bad facial recognition match — that are intended to make policing more effective and efficient but can also make it far too easy to apprehend the wrong person for a crime. None of the technologies are mentioned in official documents, and Mr. Reid was not told exactly why he had been arrested, a typical but troubling practice, according to legal experts and public defenders.

“In a democratic society, we should know what tools are being used to police us,” said Jennifer Granick, a lawyer at the American Civil Liberties Union.

Lazarus Heist: The intercontinental ATM theft that netted $14m in two hours

The BBC’s Jean Lee, Geoff White, and Viv Jones tell the story of the meticulously planned and audacious theft by North Korea’s Lazarus hacking group of $14 million from ATMs in 28 different countries in just two hours and 13 minutes, tricking innocent people into becoming money mules by telling them they were extras in a Bollywood film.

It was an audacious crime characterised by its grand scale and meticulous synchronisation. Criminals had plundered ATMs in 28 different countries, including the United States, the UK, the United Arab Emirates and Russia. It all happened in the space of just two hours and 13 minutes - an extraordinary global flash mob of crime.

Eventually, investigators would trace its origins back to a shadowy group of hackers who had pulled off a succession of previous stings seemingly at the behest of the North Korean state.

But before they knew the wider picture, investigators at the Maharashtra cyber-crime unit were amazed to see CCTV footage of dozens of men walking up to a series of cashpoints, inserting bank cards and stuffing the notes into bags.

"We were not aware of a money mule network like this," says Insp Gen Brijesh Singh, who led the investigation.

One gang had a handler who was monitoring the ATM transactions in real time on a laptop, Singh says. CCTV footage showed that whenever a money mule had tried to keep some of the cash for himself, the handler would spot it and gave him a hard slap.

Using the CCTV footage as well as mobile phone data from the areas near the ATMs, the Indian investigators were able to arrest 18 suspects in the weeks after the raid. Most are now in prison, awaiting trial.

Singh says these men weren't hardened crooks. Among those arrested were a waiter, a driver and a shoe-maker. Another had a pharmacy degree.

The Dirty Secrets of a Smear Campaign

The New Yorker’s David D. Kirkpatrick offers a labyrinthine story about how hackers handed American citizen Hazim Nada, a physicist who had become a successful entrepreneur, terabytes of files exposing a covert smear campaign against him by Sheikh Mohammed bin Zayed, the ruler of the United Arab Emirates, which destroyed Nada’s business and marriage.

That is when he received an encrypted message from an unfamiliar French number. The sender, who refused to give a name, claimed to speak for a group of vigilante hackers who had penetrated the online accounts of Alp Services. As proof, the sender presented Nada with a copy of the threatening e-mail that he’d sent to the Alp in-box. His head was spinning: Was this a ruse by Alp itself? Then the contact showed Nada internal Alp e-mails directing operatives to write the online articles calling him an extremist. Nada could scarcely control his rage. “If I did not have a family, I think I would have gotten a gun and driven all the way to Geneva,” he told me.

The hackers sent him messages in an idiosyncratic English sprinkled with French and Italian cognates, and the style varied over time. Nada assumed that he was dealing with a group of Europeans. “The guys,” as Nada thought of them, sometimes sounded righteous, as if they were activists out to expose Brero’s wrongdoing, but their main motive was clear. “They asked me to pay them,” Nada told me. Had the hackers targeted Alp as part of some unrelated dispute and then discovered something that they thought they could sell? Or had they targeted a Geneva private detective on the hunch that he must hold valuable secrets?

Either way, they offered to sell Nada their Alp files—terabytes of stolen material, including e-mails, proposals and reports, photographs, invoices, and recorded phone calls—for thirty million dollars in crypto. He told the hackers that he was neither willing nor able to pay them for their information, but the messages kept coming. After about two weeks, the hackers made a different request: they wanted Nada to act as a messenger, relaying their sales pitch to a wealthier potential buyer. Thieves were pressing Nada to fence their stolen treasure. Yet the chance for revenge was hard to resist.

Facial recognition is helping Putin curb dissent with the aid of U.S. tech

Reuters’ Lena Masri reviewed more than 2,000 court cases showing how much Russia uses facial recognition to target and arrest Kremlin opponents, often with technology supplied by US companies.

It’s no secret that the Russian government uses facial recognition to keep an eye on citizens. In 2017, the city of Moscow announced the launch of one of the world’s largest facial recognition video surveillance networks. In a news release at the time, Moscow’s Department of Information Technologies said 160,000 cameras across the city - more than 3,000 of them connected to the facial recognition system - would help law enforcement.

Now a Reuters review of more than 2,000 court cases shows these cameras have played an important role in the arrests of hundreds of protesters. Most of these people were detained in 2021 after they joined anti-government demonstrations, court records show. But after Russia invaded Ukraine in February 2022, authorities began using facial recognition to prevent people from protesting in the first place, according to interviews with more than two dozen detainees and information gathered by a Russian monitoring group. Facial recognition is now helping police to identify and sweep up the Kremlin’s opponents as a preventive measure, whenever they choose.

“It’s a new practice, which is being used to chilling effect, especially in Moscow where protests have been the largest and where people know that they are being watched by facial recognition cameras,” said Daria Korolenko, a lawyer with OVD-Info, an independent human rights group that monitors repression in Russia.

Western technology has aided the crackdown. The facial recognition system in Moscow is powered by algorithms produced by one Belarusian company and three Russian firms. At least three of the companies have used chips from U.S. firms Nvidia Corp or Intel Corp in conjunction with their algorithms, Reuters found. There is no suggestion that Nvidia or Intel have breached sanctions.

Enforcement of Cybersecurity Regulations: Part 2

Jim Dempsey, Berkeley law school lecturer and senior policy advisor at the Stanford Cyber Policy Center, offers this second article in a three-part series on cybersecurity enforcement, examining how third-party audits are often misunderstood.

In the context of assessing compliance with standards (whether financial, manufacturing, or cybersecurity), the term “third-party” is often misused. An internal audit is a first-party audit. A second-party audit is performed by or on behalf of an entity in a commercial relationship with the audited entity, such as when a clothing brand audits the factories it buys garments from for compliance with labor and safety laws. (These audits can be quite strict, because the reputation of the brand is on the line.) Strictly speaking, a third-party audit is conducted by an external auditor with no interest in the cost, timeliness, or outcome of the audit. A true third-party auditor is not paid by the auditee. Where the auditor is chosen and paid by the auditee, there may be little difference in incentive structure between an employee and a contractor. Many third-party audits, therefore, should really be thought of as first-party. Still, labeling any external audit as “third-party” persists.

In a 2002 article, business school professors Max H. Bazerman and Don A. Moore and economist George Loewenstein outlined why external auditors selected and paid by the audited entity often perform bad audits. It begins with “attachment bias”—the internalized concern of auditors that “client companies fire accounting firms that deliver unfavorable audits.” Other factors identified by Bazerman and his colleagues are remarkably pertinent to auditing in the cybersecurity context. For one, they concluded that bias thrives in a context of ambiguity. In the cybersecurity context, where outcomes are by and large unmeasurable, security is inherently risk based and contextual, leaving a lot of room for ambiguity. Throw in the fact that auditors may hesitate to issue critical audit reports because the adverse consequences of doing so—damage to the relationship, potential loss of the contract—are immediate, while the costs of a report glossing over deficiencies—the chances of a breach occurring due to defects that were not called out and remediated—are distant and uncertain, and you have a recipe for overly generous assessments.