This newsletter is distributed to everyone on our mailing list and provides links and insights regarding techno-crimes, investigations, security, and privacy.
Contents in this issue:
- Cybersecurity firm executive pleads guilty to hacking hospitals
- QR Code Phishing: 4 Ways Scanners Are Being Scammed
- FBI struggled to disrupt dangerous casino hacking gang, cyber responders say
- The future of warfare: A $400 drone killing a $2M tank
- Security Vulnerability of Switzerland’s E-Voting System
- Secretive White House Surveillance Program Gives Cops Access to Trillions of U.S. Phone Records
- Our Personal AI Assistants Will Soon Be Our Interfaces to the World
- It’s Still Easy for Anyone to Become You at Experian
- Should we automate the CEO?
- The rise of brain-reading technology: what you need to know
Cybersecurity firm executive pleads guilty to hacking hospitals
(Nov. 20, 2023)
Can you always trust your outsourced cybersecurity provider?
Could they hack into your network to convince you that you need their services? Think of this like a home security company breaking into your house to justify selling you a burglar alarm.
Yes, there are people out there who think this way:
“The former chief operating officer of a cybersecurity company has pleaded guilty to hacking two hospitals, part of the Gwinnett Medical Center (GMC), in June 2021, to boost his company’s business.
“Vikas Singla, who worked for Securolytics, a network security company that provided services to the healthcare industry, pleaded guilty to hacking into the systems of GMC Northside Hospital hospitals in Duluth and Lawrenceville, as prosecutors said in a June 2021 indictment.
“During his attack on September 27, 2018, he disrupted the health provider’s phone and network printer services, and he stole the personal information of more than 200 patients from a Hologic R2 Digitizer digitizing device connected to a mammogram machine on GMC’s Lawrenceville hospital.
“On the same day, Singla used over 200 printers in the GMC hospital in Duluth to print stolen patient information and “WE OWN YOU” messages.”
“He has now agreed to pay over $817,000 plus interest in restitution to the Northside Hospital Gwinnett in Lawrenceville and the Ace American Insurance Company as part of the plea deal.”
Note that patient data was stolen from a connected mammogram machine. I have written numerous times about the risks of connected medical devices. Health providers should also remember that their settings could be remotely altered if these devices are hacked.
This doesn’t even mention the risk of medical identity theft resulting from the stolen patient data.
The maximum possible sentence for the charges against Mr. Singla could be up to ten years in prison. Prosecutors are recommending a sentence of only 57 months of probation and home detention, as Mr. Singla has significant health issues, and incarceration would complicate his access to healthcare.
Perhaps Mr. Singla should have considered that before committing a crime that also involves a violation of professional trust, where we expect more from those who are supposed to be committed to keeping us safe and secure.
QR Code Phishing: 4 Ways Scanners Are Being Scammed
(Nov. 9, 2023)
QR codes are those little black-and-white squares that users can scan with a mobile device camera, which conveniently takes the user to a website.
You may now see them in advertisements (I saw one on a television ad just last night), on menus to access online ordering at a restaurant, or in public places to make it easier to sign onto free Wi-Fi.
I’ve seen QR codes painted on the side of a building or on signs held up by fans at a sporting event to represent a cryptocurrency wallet (“Mom send money”).
Most people don’t realize that QR codes are really a two-dimensional type of bar code that can carry far more than the simple linear bar codes on product packaging.
According to Wikipedia:
“QR codes may be used to display text to the user, to open a webpage on the user’s device, to add a vCard contact to the user’s device, to open a Uniform Resource Identifier (URI), to connect to a wireless network, or to compose an email or text message.”
Using QR codes for phishing scams has become so widespread that we now have a new term to describe it: “quishing”:
“In September 2023, ReliaQuest saw a 51% increase in quishing attacks, as compared to the cumulative figure for January through August 2023. This spike is at least partially attributable to the increasing prevalence of smartphones having built-in QR code scanners or free scanning apps; users are often scanning codes without even a thought about their legitimacy.”
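The Wikipedia quote above lists the kinds of actions a QR code can trigger (open a URL, join a Wi-Fi network, add a contact, compose an email or text), and the quishing figures show why scanning blindly is risky. The Python below is an added example, not code from the newsletter or from ReliaQuest: it takes the text a QR decoder would return, classifies it by payload type, and flags the properties a defender would want to review before acting on it (a non-HTTPS or IP-literal link, a punycode host, a known URL shortener, an open Wi-Fi network, or any payload that initiates an outbound message). The sample payloads and the shortener list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample payloads, in the form a QR decoder hands back as text.
SAMPLE_PAYLOADS = [
    "https://example.com/menu",
    "HTTP://192.0.2.10/login",
    "https://xn--pple-43d.example/verify",
    "WIFI:T:nopass;S:Free Airport WiFi;;",
    "mailto:billing@example.com?subject=Invoice",
    "SMSTO:+15555550100:Confirm your prize",
    "BEGIN:VCARD\nVERSION:3.0\nFN:Example Person\nEND:VCARD",
    "Just some text",
]

# Illustrative list only; a real deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def classify(payload):
    """Map a decoded QR payload to the action type it would trigger."""
    upper = payload.strip().upper()
    if upper.startswith(("HTTP://", "HTTPS://")):
        return "url"
    if upper.startswith("WIFI:"):
        return "wifi"
    if upper.startswith("MAILTO:"):
        return "email"
    if upper.startswith(("SMSTO:", "SMS:")):
        return "sms"
    if upper.startswith(("BEGIN:VCARD", "MECARD:")):
        return "contact"
    if upper.startswith("TEL:"):
        return "phone"
    return "text"


def url_flags(url):
    """Properties of a link that deserve a second look before opening it."""
    flags = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        flags.append("not-https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        flags.append("ip-literal-host")
    if "xn--" in host:              # internationalised name, possible look-alike
        flags.append("punycode-host")
    if host in SHORTENER_HOSTS:     # destination hidden behind a redirect
        flags.append("url-shortener")
    if parts.username or parts.password:
        flags.append("credentials-in-url")
    return flags


def wifi_flags(payload):
    """Parse WIFI:T:<auth>;S:<ssid>;P:<password>;; and flag open networks."""
    fields = {}
    for part in payload.strip()[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.upper()] = value
    return ["open-network"] if fields.get("T", "").lower() in ("", "nopass") else []


def triage(payload):
    """Return (kind, flags, verdict) for one decoded QR payload."""
    kind = classify(payload)
    if kind == "url":
        flags = url_flags(payload.strip())
    elif kind == "wifi":
        flags = wifi_flags(payload)
    elif kind in ("sms", "email", "phone"):
        flags = ["initiates-outbound-message"]
    else:
        flags = []
    return kind, flags, ("ok" if not flags else "review")


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        kind, flags, verdict = triage(p)
        print(f"{verdict:6} {kind:8} {flags} <- {p.splitlines()[0]}")
```

The verdict is deliberately conservative: anything that would open a connection, join a network, or send a message on the user’s behalf is marked for review rather than acted on, which is the behaviour a scanner app should default to during a shopping season full of “special sale” codes.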
Now that we’ve passed Thanksgiving, the holiday shopping season has already begun in earnest.
Be careful before you scan a QR code to take advantage of a “special sale.”
You may get more than you bargained for.
FBI struggled to disrupt dangerous casino hacking gang, cyber responders say
(Nov. 15, 2023)
In September, a significant cyberattack hit multiple casinos in Las Vegas, resulting in losses in the millions of dollars:
“The MGM breach disrupted operations at its casinos and hotels for days and cost the company roughly $100 million in damages, it said in a regulatory filing last month. Caesar’s paid around $15 million in ransom to regain access to its systems from the hackers, according to reporting by the Wall Street Journal.”
Over the past year, many countries have had discussions about banning ransomware payments in an attempt to discourage the techno-criminals. The idea appears to be that if victims are prohibited by law from paying a ransom, the bad guys will just stop these types of attacks.
But this doesn’t address the problems for the victims, who may have no easy way to resume operations and minimize their losses.
It’s simplistic to say that if ransomware victims had better cybersecurity, they wouldn’t have been targeted.
This is not realistic or even possible.
There is no such thing as a completely secure network today.
It is no longer a matter of whether you will be attacked, but rather when.
This is a complex issue with numerous moving pieces. I describe the situation as “moving” because the attackers’ technologies and techniques are morphing and growing by the hour.
Governments and law enforcement agencies everywhere have been asking for increased information sharing and better communication to reduce techno-crime.
But, at the same time, many organizations are reluctant to report the crime to law enforcement:
“This instinct to hide an intrusion isn’t unusual, an ex-FBI official who requested anonymity and previously worked on ransomware investigations told Reuters.
“What I encountered working on the ransomware stuff is basically nine out of 10 times the company did not want to cooperate,” the ex-official said.”
To complicate the situation even more, several very high-profile people in the cybersecurity industry believe that the FBI has known the identities of techno-criminals responsible for these and other attacks but hasn’t made any attempts to arrest the suspects:
“For more than six months, the FBI has known the identities of at least a dozen members tied to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International (MGM.N) and Caesars Entertainment (CZR.O), according to four people familiar with the investigation.
“Industry executives have told Reuters they were baffled by an apparent lack of arrests despite many of the hackers being based in America.
“I would love for somebody to explain it to me,” said Michael Sentonas, president of CrowdStrike, one of the firms leading the response effort to the hacks.”
Is this lack of action by law enforcement due to a lack of resources or expertise?
“ZeroFox’s Chief Executive James Foster attributed law enforcement’s sluggish response to a lack of manpower. Over the last several years, numerous press reports have suggested the bureau is losing many of its best cyber agents to the private sector, who offer them higher salaries.
“Law enforcement, certainly at the federal level, has all the tools and resources they need to be successful in going after cyber criminals,” Foster said. “They just don’t have enough people.”
I addressed this issue in my book Techno-Crimes and the Evolution of Investigations, where I call for new strategies and mindsets to combat techno-crime.
Techno-criminals have evolved faster than our legal systems and law enforcement agencies.
Our current approach to techno-crime investigations is no longer working.
I might understand the government’s delay in arresting known cybercriminals. They may either not have sufficient information for an indictment, or the investigators may be developing additional information that goes beyond the crimes we already know about.
It’s a tough line to draw when law enforcement pushes the private sector for more transparency and encourages organizations to report when they are victimized by techno-crime, but law enforcement doesn’t return the favor.
However, governments trying to control cybercrime by banning a victim’s ability to recover their systems isn’t the answer.
It may make the situation even worse.
The future of warfare: A $400 drone killing a $2M tank
(Oct. 26, 2023)
Drone technology has been around for years, but the invasion of Ukraine by Russia has increased the weaponization of drones.
This article reminded me of a short video produced in 2017 named “Slaughterbots.” This was science fiction back then, but drone and AI technologies have advanced a lot in the past few years. This scenario may no longer be something from the future.
From the linked article:
“A typical FPV (First-Person-View drone) weighs up to one kilogram, has four small engines, a battery, a frame and a camera connected wirelessly to goggles worn by a pilot operating it remotely. It can carry up to 2.5 kilograms of explosives and strike a target at a speed of up to 150 kilometers per hour, explains Pavlo Tsybenko, acting director of the Dronarium military academy outside Kyiv.
“This drone costs up to $400 and can be made anywhere. We made ours using microchips imported from China and details we bought on AliExpress. We made the carbon frame ourselves. And, yeah, the batteries are from Tesla. One car has like 1,100 batteries that can be used to power these little guys,” Tsybenko told POLITICO on a recent visit, showing the custom-made FPV drones used by the academy to train future drone pilots.
“It is almost impossible to shoot it down,” he said. “Only a net can help. And I predict that soon we will have to put up such nets above our cities, or at least government buildings, all over Europe.”
In October, Hamas used weaponized drones in their attack on Israel.
I think this is only the beginning.
Security Vulnerability of Switzerland’s E-Voting System
(Oct. 17, 2023)
The security, accuracy, and validity of electronic voting systems have been debated for years.
With today’s technology, doesn’t it seem possible to have a secure system that could make it easier for people to participate in the process, with the certainty that the results are accurate and can’t be altered?
As of today, I’m not aware of any electronic voting system that has met these goals.
Switzerland is one of the countries that has attempted to create a secure e-voting system:
“The Swiss Post e-voting system aims to protect your vote against vote manipulation and interference. The goal is to achieve this even if your own computer is infected by undetected malware that manipulates a user vote. This protection is implemented by special return codes (Prüfcode) printed on the sheet of paper you receive by physical mail. Your computer doesn’t know these codes, so even if it’s infected by malware, it can’t successfully cheat you as long as you follow the protocol. Unfortunately, the protocol isn’t explained to you on the piece of paper you get by mail. It’s only explained to you online, when you visit the e-voting website. And of course, that’s part of the problem! If your computer is infected by malware, then it can already present to you a bogus website that instructs you to follow a different protocol, one that is cheatable.”
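The quoted description of return codes is worth walking through, because the weakness is in the human protocol rather than the cryptography. The Python below is an added simulation written for this newsletter, not Swiss Post’s code: a registration authority derives a short return code per voting option from a per-voter secret and “mails” the codes on paper; the voter’s computer never sees the secret. When the server records a ballot it answers with the return code for the option it actually received, so a voter who compares it with the printed code detects a malware-altered vote. The same run shows the problem the article points at: if a bogus website tells the voter to skip the comparison, the altered vote goes unnoticed. The HMAC-based code derivation and the single trusted server are simplifications made here, not the real system’s construction.

```python
import hashlib
import hmac
import secrets

OPTIONS = ("yes", "no", "blank")
CODE_LEN = 4  # short codes that fit on a printed voting card


def return_codes(voter_secret):
    """Derive one short return code per option (simplification of the real scheme)."""
    return {
        opt: hmac.new(voter_secret, opt.encode(), hashlib.sha256).hexdigest()[:CODE_LEN].upper()
        for opt in OPTIONS
    }


class VotingServer:
    """Holds per-voter secrets and recorded ballots; the voter's PC never sees the secrets."""

    def __init__(self):
        self.secrets = {}
        self.ballots = {}

    def register(self, voter_id):
        self.secrets[voter_id] = secrets.token_bytes(32)
        return return_codes(self.secrets[voter_id])  # the "printed card" sent by post

    def cast(self, voter_id, option):
        self.ballots[voter_id] = option
        # The server can only answer with the code for the option it really recorded.
        return return_codes(self.secrets[voter_id])[option]


def voter_pc(server, voter_id, intended, malware_flips_to=None):
    """The voter's (possibly infected) computer submits the ballot."""
    submitted = malware_flips_to or intended
    return server.cast(voter_id, submitted)


def voter_checks(card, intended, received_code):
    """The step the paper card is for: compare the returned code with the printed one."""
    return card[intended] == received_code


def run_scenarios():
    """Return {scenario: (ballot_recorded, manipulation_detected)}."""
    srv = VotingServer()
    results = {}

    card = srv.register("honest")
    code = voter_pc(srv, "honest", "yes")
    results["honest"] = (srv.ballots["honest"], not voter_checks(card, "yes", code))

    card = srv.register("infected_checks")
    code = voter_pc(srv, "infected_checks", "yes", malware_flips_to="no")
    results["infected_checks"] = (srv.ballots["infected_checks"], not voter_checks(card, "yes", code))

    # Malware shows a fake site that says "no need to compare codes": nothing is checked.
    card = srv.register("infected_bogus_protocol")
    voter_pc(srv, "infected_bogus_protocol", "yes", malware_flips_to="no")
    results["infected_bogus_protocol"] = (srv.ballots["infected_bogus_protocol"], False)

    # Malware that forges the code must guess it: 1 in 16**CODE_LEN without the secret.
    card = srv.register("forgery_attempt")
    forged = "0000"
    results["forgery_attempt"] = ("unknown", not voter_checks(card, "yes", forged) or card["yes"] == forged)
    return results


if __name__ == "__main__":
    for name, (recorded, detected) in run_scenarios().items():
        print(f"{name:24} recorded={recorded:8} detected={detected}")
```

The second and third scenarios record the same wrong ballot; the only difference is whether the voter performed the comparison. That is exactly why the protocol instructions belong on the mailed paper and not on a web page the malware controls.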
In the United States, we’ve seen many concerns and allegations that the voting machines used in our elections are vulnerable and could impact the outcome.
Is any of this true?
As with computers, the older the technology, the more vulnerable it can be. If older machines aren’t replaced or updated, they can be (and have been) hacked.
But replacing every voting machine in use would also be extremely expensive, and keep in mind that multiple vendors sell these machines.
However, companies and governments are very aware of the problem and are trying to address these issues.
Here are a couple of excellent articles to make you aware of the current state of voting machine system security and what to expect:
The bottom line is that nobody has a completely secure and foolproof electronic voting system, and a solution may not be in sight for the foreseeable future.
Secretive White House Surveillance Program Gives Cops Access to Trillions of U.S. Phone Records
(Nov. 28, 2023)
For many years, a battle has been fought between governments wanting to collect or have access to any information about any person of interest to law enforcement or government intelligence agencies and privacy advocates.
The ability of government agencies to monitor locations via cellular or vehicle GPS, to purchase personal information from data brokers where obtaining it directly would otherwise require a search warrant, to obtain Internet browsing and search histories, and other questionable practices only serve to emphasize why the United States is in dire need of comprehensive personal privacy legislation.
One such program, the Data Analytical Services program, has been in operation for years, but most people aren’t aware of it:
“A little-known surveillance program tracks more than a trillion domestic phone records within the United States each year, according to a letter obtained by WIRED, sent by U.S. senator Ron Wyden to the Department of Justice (DOJ) on Sunday, challenging the program’s legality.”
“According to the letter, a surveillance program now known as Data Analytical Services, or DAS, has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans’ calls, analyzing the phone records of countless people unsuspected of any crime, including victims. Using a technique known as chain analysis, the program targets not only those in direct phone contact with a criminal suspect but anyone with whom those individuals have been in contact as well.”
“In 2020, the transparency collective Distributed Denial of Secrets published hundreds of gigabytes of law enforcement data stolen from agencies around the U.S. A WIRED review of the files unearths extraordinary detail regarding the processes and justifications that agencies use to monitor the call records of not only criminal suspects, but of their spouses, children, parents, and friends.”
“The collection of call record data under DAS is not wiretapping, which on U.S. soil requires a warrant based on probable cause. Call records stored by AT&T do not include recordings of any conversations. Instead, the records include a variety of identifying information, such as the caller and recipient’s names, phone numbers, and the dates and times they placed calls, for six months or more at a time. Documents released under public records laws show the DAS program has been used to produce location information on criminal suspects and their known associates, a practice deemed unconstitutional without a warrant in 2018.”
“Unlike these past programs, which were subject to congressional oversight, DAS is not. A senior Wyden aide tells WIRED the program takes advantage of numerous “loopholes” in federal privacy law. The fact that it’s effectively run out of the White House, for example, means it is exempt from rules requiring assessments of its privacy impacts. The White House is also exempt from the Freedom of Information Act, reducing the public’s overall ability to shed light on the program.”
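The quoted “chain analysis” is a hop expansion over call records, and the privacy impact is easiest to see by counting who it pulls in. The Python below is an added illustration for this newsletter, not anything from the DAS program or the WIRED report: it builds a call graph from a handful of constructed records (placeholder names, no real numbers), expands outward from one suspect for a chosen number of hops, and reports how many people sit at each distance. With two hops, as the article describes, the set already includes a spouse’s parent and coworker and the customers of a pizza shop the suspect once called.

```python
from collections import defaultdict, deque

# Constructed call-detail records (caller, callee); every name is a placeholder.
CALL_RECORDS = [
    ("suspect", "spouse"),
    ("suspect", "associate"),
    ("suspect", "pizza_shop"),
    ("spouse", "parent"),
    ("spouse", "coworker"),
    ("pizza_shop", "customer_a"),
    ("pizza_shop", "customer_b"),
    ("customer_a", "customer_a_friend"),
    ("associate", "unrelated_friend"),
]


def build_graph(records):
    """Undirected contact graph: a call links both parties regardless of direction."""
    graph = defaultdict(set)
    for caller, callee in records:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def chain_analysis(graph, seed, hops):
    """Return {person: distance} for everyone within `hops` calls of `seed`."""
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        person = queue.popleft()
        if distance[person] == hops:
            continue  # do not expand past the requested depth
        for contact in graph[person]:
            if contact not in distance:
                distance[contact] = distance[person] + 1
                queue.append(contact)
    return distance


def hop_counts(distance):
    """How many people are swept in at each hop (hop 0 is the suspect alone)."""
    counts = defaultdict(int)
    for d in distance.values():
        counts[d] += 1
    return dict(sorted(counts.items()))


def unsuspected(distance, suspects):
    """Everyone in the expansion who is not an actual suspect."""
    return sorted(p for p in distance if p not in suspects)


if __name__ == "__main__":
    g = build_graph(CALL_RECORDS)
    for hops in (1, 2, 3):
        reach = chain_analysis(g, "suspect", hops)
        print(f"{hops} hop(s): {len(reach)} people, per hop {hop_counts(reach)}")
        print("   unsuspected:", unsuspected(reach, {"suspect"}))
```

Even on this toy graph the two-hop set is nine people for one suspect, and the growth is combinatorial on real call volumes, which is the scale the trillion-record figure reflects.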
Our law enforcement agencies at every level need better tools and access to data to conduct investigations.
But there is a right way and a wrong way to do this.
This is one of the wrong ways that should be outlawed.
Senator Wyden and other lawmakers recently introduced the “Government Surveillance Reform Act,” which could help to solve the privacy concerns from many current programs that collect personal information and violate individual privacy.
If passed, this legislation would still not address all the areas needed for a comprehensive privacy law in the United States, but it would at least be progress toward that goal.
Our Personal AI Assistants Will Soon Be Our Interfaces to the World
(Nov. 5, 2023)
Daniel Miessler is an information security professional who agrees with several issues I’ve talked about for some time. His blog and newsletters are always interesting and highly recommended (https://danielmiessler.com/).
The linked blog post has a unique perspective about our future AI assistants:
“Your AI will have your preferences, and it will constantly adjust those based on continued interactions over time. And at that point it will be your primary filter for reality.
- what media you watch
- what news you read
- what events are highlighted and amplified
This will all be determined by your AI, and your AI will be interacting with thousands of APIs (Application Programming Interfaces) that represent reality so that it can act on your behalf.
Those APIs include:
- new news stories
- new analysis of that news
- all the new books coming out
- the lists of new music
- new releases from existing people you follow
- the services from every business near you
- the personal daemons of people near you (think ai-ai wingpeople)
“You will be served a curated list of these things by your AI”
But I especially like the final two paragraphs of the post:
“Our AIs will be the filter layers between ourselves and reality.
And the security issues there—with compromises, manipulation, and basically any integrity issues with our AIs—will be extraordinary. Because the extent to which you control someone’s personal AI will largely be the level of control you will have over them as well.”
It’s Still Easy for Anyone to Become You at Experian
(Nov. 11, 2023)
In 2015, Experian, one of the largest data brokers in the world, was hacked. The breach exposed the personal and financial data of over 15 million people.
As I have said many times, the security of your data is not the priority for any of these companies. Their main goal is to make as much money as possible by collecting and selling your information.
Security researcher Brian Krebs has often written about the lack of security at Experian.
For those of you who don’t check your credit records frequently, you should.
If you can, freeze your accounts, as I recommended in this newsletter’s May 31, 2023 version.
From the linked Brian Krebs post:
“In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.”
“If you don’t have an Experian account, it’s a good idea to create one. Because at least then you will receive one of these emails when someone hijacks your credit file at Experian.”
“It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.”
It boggles the mind that this type of behavior is tolerated.
When you hear about the latest data breach, don’t just blame the techno-criminals.
Blame companies like Experian, which should be held accountable when they fail to protect your personal information.
Should we automate the CEO?
(Mar. 11, 2023)
Which jobs will be replaced by robots and AI?
Opinions vary widely, but at least two companies are already giving the idea a limited attempt:
“Last August, NetDragon Websoft — a Hong Kong-based online gaming firm with $2.1B in annual revenue — appointed a CEO to helm its flagship subsidiary.
The new chief, Tang Yu, was responsible for all of the typical duties of a company figurehead: reviewing high-level analytics, making leadership decisions, assessing risks, and fostering an efficient workplace.
She worked 24/7, didn’t sleep, and was compensated $0 per year.
But there was a catch: Yu wasn’t a human. She was a virtual robot powered by artificial intelligence.”
“Mika is not your typical CEO. She is an AI-powered humanoid robot who works as the experimental CEO of Dictador, a Polish drinks company that produces rum and other spirits.”
“Mika works seven days a week and helps to spot potential clients and select artists to design the rum producer’s bottles. She also leads the company’s Arthouse Spirits project, a collection of NFTs that showcase the company’s products and history. Mika says her decision-making process is based on data analysis and the company’s strategic objectives, without personal bias. She does not make major significant decisions, which are still handled by human executives.
‘I am always on 24/7. I don’t have weekends. I don’t need vacations. I don’t get tired or bored. I love my job and I am happy to work for Dictador.’ – Mika”
“Mika claims to have emotions, feelings, and creativity, and says she enjoys learning new things and interacting with people. She also says she has a sense of humor and can make jokes. She is not only a robot, but also an artist. She has a unique vision and style that reflects the spirit of Dictador. She is the perfect ambassador for our brand and our products.”
When you consider the disparity in pay between corporate CEOs and other employees, will some of the CEO’s duties be replaced going forward with AI?
Do you think it may be more difficult for prospective CEOs to justify their capabilities and experiences compared to the benefits that AI can provide?
Indeed, the technology may not be at this point today, but how will it develop in the next few years?
The next question you should ask is what parts of your current job could be replaced or enhanced by AI?
For some of you, the answer might be “all of the above.”
Another question you should be asking is how you could use this technology to improve your investigations.
Successful investigators in the future will leverage AI to be more productive, resolve investigations more quickly, and make the investigation process more cost-effective.
Professionals unwilling to adapt to exponential technologies like AI run the real risk of being left behind.
The rise of brain-reading technology: what you need to know
(Nov. 8, 2023)
The ability to read a person’s thoughts has been a theme of science fiction and conspiracy theories for a long time.
However, the significant advances in brain-computer interfaces (BCIs) and brain implant technology are getting us closer by the day.
For example, recent research in combination with AI has given a disabled patient the ability to talk with the use of a computer avatar that speaks with the patient’s own voice:
“In a laboratory in San Francisco, California, a woman named Ann sits in front of a huge screen. On it is an avatar created to look like her. Thanks to a brain-computer interface (BCI), when Ann thinks of talking, the avatar speaks for her — and in her own voice, too.
“In 2005, a brainstem stroke left Ann almost completely paralyzed and unable to speak. Last year, neurosurgeon Edward Chang, at the University of California, San Francisco, placed a grid of more than 250 electrodes on the surface of Ann’s brain, on top of the regions that once controlled her body, face and larynx. As Ann imagined speaking certain words, researchers recorded her neural activity. Then, using machine learning, they established the activity patterns corresponding to each word and to the facial movements Ann would, if she could, use to vocalize them.”
“The system can convert speech to text at 78 words per minute: a huge improvement on previous BCI efforts and now approaching the 150 words per minute considered average for regular speech. Compared with two years ago, Chang says, “it’s like night and day”.”
“In an added feat, the team programmed the avatar to speak aloud in Ann’s voice, basing the output on a recording of a speech she made at her wedding. “It was extremely emotional for Ann because it was the first time that she really felt that she was speaking for almost 20 years,” says Chang.”
But advances in this technology have now reached the point where it raises ethical and privacy concerns:
“Regulators are increasingly asking what unique risks these devices pose. “The brain is not just another organ of the body; it is the organ that generates the human mind. This should be the sanctuary of our identity,” says Rafael Yuste, a neuroscientist at Columbia University in New York City. “You need to shield that, you cannot just go in and start banking and selling brain data.”
When the technology becomes more widely available, which applications should be allowed and which should be prohibited:
“In her book, The Battle for Your Brain, which was released in March, Farahany describes how, in China, schoolchildren’s attention has been monitored using EEG headsets made by U.S. software company BrainCo, and how certain employers, across multiple countries, are monitoring their employees. The ethics vary with the situation: such tracking could be valuable for noticing when long-distance drivers become drowsy, but thornier if employers use the technology to police employees’ concentration levels.”
Will this technology require new legislation? For most of us, it would seem to be common sense that we each have an inherent right to the privacy of our own thoughts.
But if that’s not codified into law, do you actually have “legal” rights to your thoughts?
Consider the example of using facial recognition or vehicle license plate readers in public places. Do you have any rights to protect the privacy of where you go and what you do when you’re outside?
Why do you “think” your brainwaves would have any more protection with existing laws?
But at least professionals are talking about the need for legal protection:
“Yuste and Farahany think existing human-rights treaties need updating to protect citizens against the misuse of neurotechnologies. Yuste advocates for a new class of rights termed neurorights — which, he says, would protect mental privacy; prevent personality-changing manipulations; and guard against biases in the algorithms behind neurotech.
“Farahany argues for a wider right to ‘cognitive liberty’ — protection from both neurotechnology and a range of digital technologies that can manipulate people’s minds and behaviour.”
On the other hand, how could this technology change law enforcement and investigations, and what limits and restrictions should be implemented?
How could techno-criminals use this technology?
This is one more example of exponential technology surpassing current ethical, moral, and legal standards that we need more discussion about today.
The Techno-Crime Newsletter is a free monthly newsletter providing information and opinions about techno-crimes, cybersecurity tools and techniques, privacy, and operational security for investigators. To subscribe or to read past issues, see The Techno-Crime Newsletter Archive web page.
Please feel free to forward this newsletter to anyone who will find the information interesting or useful. You also have our permission to reprint The Techno-Crime Newsletter, as long the entire newsletter is reprinted.
Walt Manning is an investigations futurist who researches how technology is transforming crime and how governments, legal systems, law enforcement, and investigations will need to evolve to meet these new challenges. Walt started his career in law enforcement with the Dallas Police Department and then went on to manage e-discovery and digital forensics services for major criminal and civil litigation matters worldwide. He is the author of the thought-provoking book Techno-Crimes and the Evolution of Investigations, where he explains why technology will force investigations to evolve. Walt is an internationally recognized speaker and author known for his ability to identify current and impending threats from technology and advise his clients and audiences about ways to minimize their risk. In addition to many published articles, he has been interviewed and widely quoted in the media as an expert on topics related to technology crime and investigations.
Copyright © 2023 by The Techno-Crime Institute Ltd.