Best Infosec-Related Long Reads for the Week, 9/16/23

One of these companies is Insanet, whose existence is being made public here for the first time. As its name suggests, it possesses insane capabilities, according to sources in the industry. Founded by a number of well-known entrepreneurs in the fields of offensive cyber and digital intelligence, the company is owned by former ranking members of the defense establishment, including a past head of the National Security Council, Dani Arditi. The investigation reveals that the company has developed technology that exploits ads both for tracking and for infection. It’s not by chance that the company has named their product Sherlock.

The company’s personnel also succeeded in obtaining authorization from the Defense Ministry to sell their technology globally. Insanet has already sold the capability to one country that is not a democracy.

According to the findings of the investigation, this is the first case in the world where a system of this sort is being sold as technology, as opposed to a service. Another Israeli firm, Rayzone, has developed a similar product and this year received approval in principle to sell it to its clients in Western countries, though in practice this has not happened yet.

What’s most disturbing is that currently there are no defenses against these technologies, and it’s not clear whether they can be blocked at all. Over the years, tech firms like Apple and Google have blocked hundreds of breaches through which spyware like Pegasus was able to infiltrate devices. Just this week, Apple’s digital wallet was exploited to send a message to users’ iPhones containing an image with a malicious code. That security breach was blocked. But even the smartest and most advanced defenses of Apple, Google and Microsoft currently lack the capacity to block this sort of infection. Until today, their advertising systems, which have countless defense mechanisms in place, were considered completely safe.

After almost a week in custody, without natural light, Ibarrola was taken to a court in the city where the crime had taken place: Bahía Blanca, 600 kilometers (373 miles) southeast of Buenos Aires. Shortly before they could take him to jail, a prosecutor noticed the mix-up: A different Guillermo Ibarrola, one slightly older, had committed the robbery. Minutes later, Ibarrola—the innocent Ibarrola— got his shoelaces back, a coffee to go, and a bus ticket home. “Someone had entered my ID number instead of the one of the Guillermo they were looking for. The facial recognition system worked correctly, the database was wrong,” Ibarrola says. “For them, it is just a data entry mistake. But we are talking about a person's life.”

Seventy-five percent of the Argentine capital area is under video surveillance, which the government proudly advertises on billboards. But the facial recognition system is being criticized after at least 140 other database errors led to police checks or arrests since the system went live in 2019—and before it was shut down with the Covid-19 lockdown in March 2020, according to city officials. Ibarrola’s arrest was one of the first.

Activists decided to sue the city government and scored a first success: In April 2022, a judge decided to keep the system turned off. Since then, the City of Buenos Aires has been fighting to get it back in use. It's not clear yet who will win the dispute: those calling for tighter controls on a powerful surveillance tool, or the city government, which is convinced that the system is indispensable for the safety of its citizens. By law, it may only be used to look for people who have an arrest warrant against them: Argentina's “most wanted.” This list is supposedly updated on a daily basis.

The State Department was the first to report the activity to the U.S. government and to Microsoft. The firm has said the hackers used a powerful digital key they stole via a cascade of internal security mishaps to breach more than two dozen organizations globally, and at least 10 within the U.S. — none of which spotted the intrusion until the State Department did.

The analyst who built this, whom the State Department officials would not name, did “hero work,” said Kelly Fletcher, the agency’s chief information officer and head of the bureau of information resource management.

The State Department’s actions likely prevented Beijing from gaining more extensive access to the private communications of key U.S. officials amid an intense period of diplomacy between the world’s two largest economies.

Since the State Department caught the hack, Raimondo, Secretary of State Antony Blinken, Treasury Secretary Janet Yellen and U.S. climate envoy John Kerry have all traveled to China.

Allan, a genial, white-bearded quinquagenarian who previously spent more than a decade as Facebook’s top EU lobbyist before recruiting Clegg, a former U.K. deputy prime minister, to the company, has already tried, and failed, to get the government to apply more safeguards to the proposed powers, which would allow U.K. comms regulator Ofcom to force digital service providers to monitor messages for content linked to child sexual abuse and terrorism.

Allan’s friends in tech are similarly perturbed.

Signal’s Whittaker has said she’d rather her service was blocked in the United Kingdom than slap monitoring tech on the apps. Will Cathcart of Meta-owned WhatsApp has hinted the service would make the same call. They say any move to scan message content poses an existential threat to the end-to-end encryption that protects messaging platforms like theirs from prying eyes.

On Wednesday, Whittaker and other privacy campaigners falsely claimed that London was pulling back from its bid to access encrypted messages — claims that were swiftly rebuffed by senior government ministers.

“The tech companies make a good case that client-side scanning would effectively break encryption,” said Allan, referring to the technique most often proposed as a way to monitor for illegal content in encrypted environments. It involves scanning messages and images on people’s device before they are sent via end-to-end encryption.

Unfortunately, the framework’s high-level guidance is too general to be implemented, and its “implementation guidance” is too technical to be of practical use to most organizations absent expert help. (In this regard, it is worth noting that although the CSF originally was designed for critical infrastructure, as a practical matter it has been widely adopted, and CSF 2.0 is explicitly designed to be used by organizations of all sizes and sectors.)

CSF 2.0 is unlikely to solve the pressing cybersecurity problems facing U.S. schools, hospitals, and the many other “target rich, resource poor” organizations that find themselves on the front lines of the cyber fight. NIST’s CSF 2.0 draft leaves these organizations largely responsible for their own cybersecurity, even in the face of significant cyber threats from the nation’s most capable cyber adversaries (that is, China, Russia, North Korea, Iran, and organized crime syndicates). Last year, for example, educational institutions suffered nearly $9.45 billion in downtime alone due to ransomware, yet few such institutions have the requisite knowledge, resources, and budget to use the NIST framework to develop a cybersecurity program capable of staving off sophisticated ransomware syndicates. The administration’s newly launched effort to shore up the cybersecurity of K-12 schools implicitly recognizes this reality. While it nods to the NIST framework, it seeks, among other things, to leverage expertise and investment from Amazon Web Services, Google, Cloudflare, and other large educational technology providers and vendors to protect schools. Generating effective cyber resilience in the face of proliferating cyber threats will require more such concerted efforts to leverage expertise and investment for the benefit of vulnerable organizations.