Security Bytes - Issue 23

Jim Tiller is the Chief Information Security Officer at Nash Squared. With over two decades of information security experience, Jim is an internationally recognized cybersecurity authority on cyber risk management, security technology, and industry leadership, with multiple patent-winning recognition for innovation in security solutions.

Hi all,

Quick updates

This week we touch on news surrounding ethics in AI, or the lack thereof; the US government takes baby steps on supply chain risk - hey Uncle Sam, step it up! And a crypto washer gets busted, but it's small potatoes and we ask the hard questions no one wants to. Finally, not an actual write-up, but a recommendation to look more into Mexico and Latin America.


Ethics is the New Frontier

At the birth of the Internet it was all about access to information – the information revolution. This soon developed into a focus on privacy, which of course was underpinned by cybersecurity, reflecting the fact that the information revolution had far-reaching implications that were not fully explored and certainly not fully understood. Now, we’re facing the AI revolution, and the great things we do today will (may) represent equally great challenges and global implications in the near future. This week Microsoft let go of its ethical AI team as part of a 10,000-employee layoff, just as it pours massive investment into OpenAI. Think about this in the context of everything you’ve heard about AI, such as developing racism and bias in job search functions. Ethics will be the new frontier. We’ll fully feel the pang of the illusion of privacy and cybersecurity as our interactions online are consumed by virtual people. As we hear things like there will be more deceased people on Facebook than real people, I will say here and now that virtual people will exceed real people on the Internet by 2030… but… how will you know?

Article - https://techcrunch.com/2023/03/13/microsoft-lays-off-an-ethical-ai-team-as-it-doubles-down-on-openai/


Droning on About Drones

OK, let’s call it what it is… the Chinese flew a device across the entire USA before it was shot down by a $432k missile fired from a multi-billion dollar jet, crashing in the Atlantic. First, why did it make it all the way across? But I digress. Now the US government is expanding on the China-drone platform, not unlike the TikTok push, asking CISA to investigate more deeply the risks posed by Chinese-made drones in the market. Let me start by saying I’m not against this… there is an endless plethora of examples of maliciously embedded code or capabilities going far back in the technical space. Google Project Gunman, or look at “The Thing” created by Theremin (under duress, I might add). But what I am saying is you need to do more. TikTok isn’t the only app that’s on phones in sensitive places! The Chinese make a lot of electronics beyond drones. Supply chain security is one of the greatest risks facing organizations and governments alike. Embrace it, own it, get ahead of it.

Letter - https://www.warner.senate.gov/public/_cache/files/c/8/c8dbcd57-7d3c-4842-85f2-466dc2b70f66/B56DAFD9C216FD3E54239A3E14E281EF.final-2023.03.15-letter-to-cisa-re-dji.pdf

The Thing - https://www.cryptomuseum.com/covert/bugs/thing/

Project Gunman - https://media.defense.gov/2021/Jul/13/2002761779/-1/-1/0/LEARNINGFROMTHEENEMYGUNMAN.PDF


Too Big to Fail

Europol announced that German and US officials, supported by Europol, took down one of the darkweb’s largest crypto washers, ChipMixer, used to launder 2.73 billion euros, and they seized more than 44 million euros in bitcoin. The US DOJ arrested a 49-year-old Vietnamese man, Minh Quốc Nguyễn, suspected to be behind the service. This is progress, much needed progress, but I want you to think about two things…

First, you know, and I know, that while these are big numbers, it’s just a drop in the bucket of what’s really happening out there. And just as news of massive million-dollar hacks is so common now that it hardly captures your attention, this flow of information from law enforcement agencies will soon suffer the same fate, sadly.

Finally, and admittedly a bit curmudgeonly on my part, it’s important to understand that the tools, technologies, and capabilities for law enforcement globally to trace, identify, and take action within the darkweb and across all the various crypto blockchains have been in place for – wait for it – years, as in over a decade. So, could law enforcement have recovered your ransom? Potentially... actually, very likely. If so, why not? Why expose to the apocalyptically massive crime community that you can follow their every move? That’s worth billions in intelligence. There is a Sun Tzu quote that works perfectly to explain why we’re just seeing this now: “Let your plans be dark and impenetrable as the night, and when you move, fall like a thunderbolt.” The questions now are: 1) too little, too late? and 2) was the intelligence worth it?

Press release - https://www.europol.europa.eu/media-press/newsroom/news/one-of-darkwebs-largest-cryptocurrency-laundromats-washed-out


Side Bar

For additional reading – because I could write a book on this – definitely look into what’s happening in Mexico and Latin America. Look at the hacktivist group Guacamaya and explore the millions of official government and police documents that expose not only the broad use of Pegasus spyware, but also other police “behaviors”, such as the helmet cam vid. Start here https://ejercitoespia.r3d.mx/ and here https://forbiddenstories.org/the-struggle-of-one-territory-must-be-the-struggle-of-all/. And here is a vid they published showing how they hacked into a government system, which actually shows how bad their target’s security is: https://enlacehacktivista.org/hackback2.webm. But if you just want the basics, listen to the “Click Here” podcast, episodes Enemy of the State, parts 1 and 2.