(De)Central Intelligence and Two Bucks
Jim Tiller
Fractional Executive (CISO/CIO) | Author | Patent Holder | Industry Leader | Co-Host DtSR Podcast | NIST | CMMC | CISSP | CISM | CISA | NYDFS | FAIR | NSA IEM | NSA IAM
This week I offer a quick news snippet about data privacy in the UK based on a report from the ICO. I also get a little thoughtful on the state of cyber security and where it is heading, leveraging a handful of news items. Sometimes you just have to step back and ponder.
UK Privacy Wrist Slap List
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), published details of over 25 data privacy incidents in 2022 that were bad enough to earn a reprimand, but not bad enough to earn a fine. It’s worth scanning some of these reprimands because they range from issues concerning domestic abuse victims to someone being wrongfully arrested over images concerning children. Makes one think… what is fine-worthy? It’s also fascinating to see some of the root causes and security practices, such as “turning off logging”. Nevertheless, it’s interesting to get a peek into how information can be exposed, what may have led to it happening, and even some of the ramifications.
Great summary - https://therecord.media/uk-privacy-watchdog-reveals-more-than-two-dozen-data-breach-incidents/
The actual report - https://ico.org.uk/action-weve-taken/reprimands/
Intelligent Mars Bar
It’s hard to fully appreciate the level of intelligence capability the average human has at their disposal today. We do things every day that would have been unthinkable, and relegated to only the deepest crevasses of the CIA, during the Cold War and even into the 90’s. Many of these have been discussed in this newsletter, most notably Pegasus and similar cyber weapons that are relatively easy to obtain. In the old days OSINT was, well, difficult. Today there are dozens of highly effective open-source tools and countless sites that can be used to pick apart people and companies. So, how do people protect themselves from capabilities that until recently were only available to agencies? Picked from this week’s news, take for example two women suing Apple because their ex-boyfriends were using Apple AirTags to track them. Keep in mind that AirTags are interacting with Apple devices all around you all the time; meaning while sitting in a coffee shop every iPhone you see, and all the ones 100 meters outside the coffee shop that you can’t see, are picking up the tag’s Bluetooth beacon and relaying its location… and vice versa… by design. Wow, could you imagine having that capability in 1989 for less than $30 while working in an intelligence agency? Of course, one of the more truly interesting devices right under your nose is the Raspberry Pi. Reported this week: Raspberry Pi hired a former surveillance officer from a UK police special operations unit who specialized in the development of spying devices for the police, and he has kicked things off by embedding a Raspberry Pi Pico W into a piece of chocolate. What does it mean when an organization hires such a skill set? There is a cornucopia of highly effective microcomputers that cost less than $4 and can be programmed in minutes to do pretty crazy stuff – and if you’re thinking like a criminal… well, put 2 and 2 together.
Raspberry Pi hire - https://www.raspberrypi.com/news/meet-raspberry-pis-maker-in-residence-toby-roberts/
Raspberry Chocolate - https://www.theregister.com/2022/12/09/rpi_maker_in_residence_police
What’s a Pico? - https://www.raspberrypi.com/products/raspberry-pi-pico/
OSINT Framework - https://osintframework.com/
TikTok Update
This week Texas joined Maryland, South Dakota, South Carolina, and Nebraska in banning TikTok on government devices due to concerns about data collection by the Chinese government. TikTok has responded that these bans are unfounded and has offered states like Texas to house all of their data within the state. This, of course, started in the US years ago with the military and government agencies banning the app back in 2020. And earlier this year an FCC commissioner raised concerns about troops using the app. So, the elephant in the room is – are they collecting data, or is this an over-rotation? Here’s my $0.02… There are so many ways to collect data about you, very intimate data, by so many organizations through your phone that one app isn’t really going to move the needle. There’s a reason SCIFs (pronounced “skiff”) exist and why cellphones are sequestered at any meaningful conversation. I think data is being collected, but banning an app seems like a finger in the crack of a failing dam. We need to think more broadly.
News on ban - https://www.cbsnews.com/news/tiktok-ban-state-government-devices-texas-maryland-south-dakota-south-carolina/
US Government ban - https://www.businessinsider.com/us-government-agencies-have-banned-tiktok-app-2020-2
Troop concerns - https://www.militarytimes.com/pay-benefits/2022/07/14/troops-use-of-tiktok-may-be-national-security-threat-fcc-commissioner-says/
What’s a SCIF - https://scifglobal.com/scif-definition-what-is-a-scif/
It’s All Connected for $2
Making a molehill into a mountain? You decide. I speculated some years ago that cybersecurity would morph into fraud management and from there into almost a police state. Meaning, core aspects of crime will materialize and expand dramatically in cyberspace, greatly changing the role of individuals and corporations relative to digitally based crime. A recent article reminded me of this growing aspect: it highlighted the manipulation of executives’ email at publicly traded organizations to make it appear as though they were engaged in insider trading, and then holding those executives for ransom. This isn’t necessarily a new tactic… there are examples of attackers planting undesirable media on people’s computers, but this represents a new target and an extortion strategy reminiscent of traditional crime. Add to that reports that fraud against young people has grown more than 1000% in a year while attacks against the elderly continue to grow. It doesn’t help that ransomware payments are funding everything from rogue nation states to criminal organizations perpetrating crimes such as human trafficking. It’s no surprise that corporate accounts are selling for $2 a pop on dark web markets to feed the demand for business email compromise (BEC), because it’s very lucrative and opens the door to many forms of fraud and crime. The evolution of cybersecurity with respect to crime and geopolitical dynamics is why organizations like CISA exist. It makes one wonder what this will all look like in the coming years. It’s one thing to say the government is interested in utility sector security – for obvious national security reasons – but what about a company that makes chairs, desks, coffee, chainsaws, books, tires and the like? They all use computing systems that represent a “social” risk. This is being reflected in an increasing number of governments and agencies demanding more insight into incidents and attacks, while insurance companies ponder systemic issues related to cloud computing.
At what point does cybersecurity become “federalized”? Just as law enforcement evolved from social and group self-governance in villages to today’s legislatively defined agencies, are we going to see deeper levels of centralized security?
Article about insider trading “hack” - https://krebsonsecurity.com/2022/12/new-ransom-payment-schemes-target-executives-telemedicine/