Best Infosec-Related Long Reads for the Week of 12/16/23

This is not the first time Khare has flexed his legal muscles and managed to threaten reporters into removing his name from stories about the hack-for-hire industry.

Across the pond, Khare had his name removed from a joint investigation between The Sunday Times and the nonprofit Bureau of Investigative Journalism, titled, “Caught on camera: confessions of the hackers for hire.” Three paragraphs that reported on Khare were removed from both publications following legal threats on his behalf, according to two people familiar with the situation. Luxembourg-based Paperjam, a French-language business news outlet, dramatically altered its story “after discussions with Mr. Khare’s advisors,” removing references to his alleged links to cyber-mercenary activity.

In Switzerland, meanwhile, lawyers acting for Khare managed to take out an injunction that forced the Swiss Radio and Television’s investigative team (SRF Investigativ) to scrub the tech entrepreneur’s name from a story alleging that Appin assisted the Qatari government in spying on FIFA officials ahead of the 2022 World Cup. An editor’s note now added to that story reads: “On November 6, 2022, this publication was amended due to an interim court order. The name of the entrepreneur concerned has been removed from the publication.”

Clare Locke also sent legal threats on behalf of Khare to The New Yorker as the magazine worked on a story about India’s hack-for-hire industry, Semafor reported. Khare’s efforts also appear to have gotten similar stories about him killed in India-based outlets including The Times of India and The Scroll.

The Europol task force has met twice a year since 2014 to accelerate investigations to identify victims, most recently in November. It has almost tripled in size to 33 investigators representing 26 countries including Germany, Australia and the United States.

“You might recognize things that are in the images or you might recognize the sounds in the background or the voices. If you do that together with multiple nationalities in one room, it can be really effective,” said Marijn Schuurbiers, head of operations at Europol’s European Cybercrime Centre (EC3).

Still, too often detectives feel like they’re swimming against the tide, as the amount of child sexual abuse material circulating online surges.

Europol created a database in 2016 and this system now holds 85 million unique photos and videos of children, many found on pedophile forums on the “dark web” — the part of the internet that isn’t publicly searchable and requires special software to browse.

“We can work hours and hours on end and we’re still scratching the surface. It’s terrifying,” said Mary, a national police officer from a non-EU country with 17 years of experience. She requested not to use her last name to protect her identity while doing investigative work.

The task force in November went through 432 files, each containing tens of thousands of images, and found the most likely country for 285 of the children abused in the images. Police believe it likely identified 74 of the victims, three of whom were rescued by the time of publication. Two offenders were arrested.

From bases in Cambodia, Laos and Myanmar, the gangs coerce their captives into carrying out complicated online scams that prey on the lonely and vulnerable around the world. Typically, such hoaxes involve using fake online identities to draw people into fictitious romantic relationships, then tricking them into handing over large sums of money in bogus cryptocurrency schemes.

The scam is known as “pig butchering,” for the process involved in gaining the trust of its targets, which can take weeks — fattening up the pig, so to speak — before going in for the kill.

Many of the people who have been abducted and forced to work for the scam gangs are Chinese, because the groups initially focused on stealing from people in China. But the gangs’ targets have expanded internationally. In the United States, the F.B.I. reported that in 2022, Americans lost more than $2 billion to “pig butchering” and other investment scams. Increasingly, people from India, the Philippines and more than a dozen other countries have also been trafficked to work for scam gangs, prompting Interpol to declare the trend a global security threat.

The criminal groups try to break their captives with a mix of violence and twisted logic. Those who disobey are beaten. Once they start working, the victims are often led to believe that they have become complicit in the crime and would face jail time if they returned to their countries. The gangs often take away the abductees’ passports and let their visas expire, creating immigration complications.

Reuters examined the details of the San Francisco case and another one involving alleged stalking through Tesla technology but could not quantify the scope of such abuse. Tesla has encountered at least one other case of stalking through its vehicle app, according to a Tesla employee’s testimony in the San Francisco woman’s lawsuit. Some attorneys, private investigators and anti-abuse advocates said in interviews that they knew of similar cases but declined to provide details, citing privacy and security concerns.

Tesla did not respond to requests for comment. Radford and the San Francisco Police Department did not comment on the investigation.

The San Francisco case offers insight into the complex considerations these technologies pose for auto companies and law enforcement. Other automakers offer similar tracking and remote-access features, and an industry group has acknowledged the need for protections to ensure car technology doesn’t become a tool for abuse.

The Alliance for Automotive Innovation (AAI), a technology-focused trade group for automakers and suppliers, in 2021 cited spousal violence as a reason why California regulators should not require carmakers to release location or other personal data in most cases under a new state privacy law. The law sought to give consumers broadly the right to access their personal data being tracked by companies. The auto group argued some car owners might improperly request personal data on other drivers of the same vehicle.

Disclosing location-tracking data to an abuser could create “the potential for significant harm,” wrote the AAI. The group’s membership includes many major automakers, but not Tesla.

Here’s how the nightly operation would go down, according to interviews with Johnson, law-enforcement officials and some of the victims:

Pinpoint the victim. Dimly lit and full of people, bars became his ideal location. College-age men became his ideal target. “They’re already drunk and don’t know what’s going on for real,” Johnson said. Women, he said, tended to be more guarded and alert to suspicious behavior.

Get the passcode. Friendly and energetic, that’s how victims described Johnson. Some told me he approached them offering drugs. Others said Johnson would tell them he was a rapper and wanted to add them on Snapchat. After talking for a bit, they would hand over the phone to Johnson, thinking he’d just input his info and hand it right back.

“I say, ‘Hey, your phone is locked. What’s the passcode?’ They say, ‘2-3-4-5-6,’ or something. And then I just remember it,” Johnson described. Sometimes he would record people typing their passcodes.

Once the phone was in his hand, he’d leave with it or pass it to someone else in the crew.

Lock them out—fast. Within minutes of taking the iPhones, Johnson was in the Settings menu, changing the Apple ID password. He’d then use the new password to turn off Find My iPhone so victims couldn’t log in on some other phone or computer to remotely locate—and even erase—the stolen device.

Glauner’s alleged scheme was not sophisticated in the slightest: he used a ProtonMail account, not a government email, to make the request, and used the name of a police officer that didn’t actually work for the police department he impersonated, according to court records. Despite those red flags, Verizon still provided the sensitive data to Glauner.

Remarkably, in a text message to Poppy sent during the fallout of the data transfer, a Verizon representative told Poppy that the corporation was a victim too. “Whoever this is also victimized us,” the Verizon representative wrote, according to a copy of the message Poppy shared with 404 Media. “We are taking every step possible to work with the police so they can identify them.”

In the interview with 404 Media, Poppy pointed out that Verizon is a multi-billion dollar company and yet still made this mistake. “They need to get their shit together,” she said.

Poppy’s story highlights the very real human cost of a massive failure on Verizon’s part. More broadly, it highlights the increasing problem of criminals filing fraudulent emergency data requests (EDRs) with tech companies and telecoms as a way to trick them into handing over their targets’ data. Other criminals who discuss the practice are often part of wider criminal groups that rob, shoot, and attack one another and outside victims, according to Telegram messages reviewed by 404 Media. Senators have written to tech companies for information on the problem of fake EDRs, and one company has emerged which attempts to mitigate the problem by vetting requests from police departments. And yet, the issue remains.

Most people at the B.L. don’t use the books. The building has more than a million visitors a year, and most come on school trips, or for the exhibitions, cafés, and free Wi-Fi. (The corridors and landings between the reading rooms are lined with tables and desks: a luminescent crowd-scape of screens, students, and London freelance energy.) That side of the library is pretty much back to normal. Although the Web site is still down, the B.L. has been using a blog to convey essential information, and there is a rudimentary Wi-Fi sign-up page. At the entrance of the Alan Turing Institute, a data-science and A.I.-research center, which is housed in the library, I noticed a brightly decorated wall, covered in computer-related expressions: F is for Fakes. P is for Phishing. A teen-ager was inspecting an M4 Enigma machine, used to encrypt messages between German U-boats and their naval bases during the Second World War in 4,134 million million million possible ways. It was possible not to know that anything was wrong.

But, for those who rely on the B.L.’s collections, and, more broadly, its distribution of free, digital information to the British educational system, the ramifications of the cyberattack have been dire. Outside the Maps Room, which offers access to four and a half million documents, going back to the fifteenth century, a display read, “Disruption to certain services is now expected to persist for several months.” Inside, the reading room was empty except for two security guards and a librarian standing on a chair. (It was impossible to hand over precious materials without electronic monitoring.) “It’s like this all day now,” one of the guards said. He thought the library might be up and running by Easter. Daniel Starza Smith, a John Donne scholar at King’s College London, found his way to academia after losing himself in the Conway Papers, a seventeenth-century-manuscript archive in the B.L. “You can sit there for weeks on end and order up everything you could ever want,” he told me. “And to have that taken away, it’s such a wrench and so psychologically disorientating as a researcher.” In “The Library of Babel,” the short story by Jorge Luis Borges, the thrill of a library that contains every possible book is succeeded by “a similarly disproportionate depression,” when its readers realize that the place is totally unnavigable. “The word that gets overused in many other contexts but is absolutely applicable here is Borgesian,” Smith said. “It is like the literalization of a Borgesian library problem. . . . You can access everything but you can’t access anything. ”

WIRED interviews with 20 current and former employees of Meta and Google who worked on privacy initiatives show that internal reviews forced by consent decrees have sometimes blocked unnecessary harvesting and access of users’ data. But current and former privacy workers, from low-level staff to top executives, increasingly view the agreements as outdated and inadequate. Their hope is that US lawmakers engineer a solution that helps authorities keep pace with advances in technology and constrain the behavior of far more companies.

Congress does not look likely to act soon, leaving the privacy of hundreds of millions of people who entrust personal data to Google and Meta backstopped by the two consent decrees, static barriers of last resort serving into an ever-dynamic era of big tech dominance they were never designed to contain. The FTC is undertaking an ambitious effort to modernize its deal with Meta, but appeals by the company could drag the process out for years and kill the prospect of future decrees.

While Meta, Google, and a handful of other companies subject to consent decrees are bound by at least some rules, the majority of tech companies remain unfettered by any substantial federal rules to protect the data of all their users, including some serving more than a billion people globally, such as TikTok and Apple. Amazon entered its first agreement this year, and it covers just its Alexa virtual assistant after allegations that the service infringed on children’s privacy.

So the IRGC is exploiting the very weaknesses that the states and the water system groups argued a few months ago need not be considered when assessing the equipment and operations of water systems.

So far, Biden administration cybersecurity rules on pipelines, railroads, and the aviation sector, issued under statutes that talk about safety and reliability but do not specifically mention cybersecurity, have stood. The courts’ hostility to federal regulation, epitomized by the Supreme Court’s 2021 ruling that an agency cannot address big problems unless Congress expressly grants it the authority to do so, has probably slowed down the Biden administration’s efforts to adopt cybersecurity rules for other sectors. It certainly must have influenced the government’s decision to throw in the towel on the EPA memo. To its credit, the administration continues to look for ways to strengthen the cybersecurity of critical infrastructure. Just on Dec. 6, the Department of Health and Human Services issued a cybersecurity plan indicating that it will use existing authority to establish cybersecurity requirements for hospitals receiving Medicare and Medicaid payments.

However, to swiftly and unequivocally move forward on cybersecurity, congressional action is needed. Comprehensive cybersecurity legislation is not conceivable when anti-regulatory sentiment still holds strong sway on Capitol Hill (not to mention other sources of dysfunction). But Congress did act just last December to give the Food and Drug Administration specific authority to issue cybersecurity standards for connected medical devices.

Ironically, the American Water Works Association, which argued against the EPA memo, has called for federal legislation to establish a regulatory regime for drinking and wastewater systems. Their proposal is for an industry-led private organization that would develop cybersecurity requirements, subject to EPA approval, and enforce them, subject to EPA oversight. The concept is patterned after a system long in place under the 2005 Energy Policy Act for the bulk electric power industry. The Cyberspace Solarium Commission staff translated the concept to legislative language, but so far no such legislation has been introduced. Do the trade associations and their allies, having demonstrated their ability to block EPA action, have the will and the juice to get anything through Congress?