Compiled by Walt Manning
CEO, Techno-Crime Institute
newsletter@technocrime.com
https://technocrime.com
This newsletter is distributed to everyone on our mailing list and provides links and insights regarding techno-crimes, investigations, security, and privacy.
Contents in this issue:
- The Privacy Dilemma: How Autonomous Cars May Impact Your Personal Data
- How an AI tool could crack your passwords in seconds
- 40% of IT security pros say they’ve been told not to report a data leak
- AI clones teen girl’s voice in $1M kidnapping scam: ‘I’ve got your daughter’
- Louisiana Man Uses Digital Driver’s License to Defraud Credit Unions & Banks
- Messaging companies warn UK over law impacting end-to-end encryption
- Scheduled Speaking Engagements
______________________________________________
The Privacy Dilemma: How Autonomous Cars May Impact Your Personal Data
(Apr. 19, 2023)
Could our smart connected cars be spying on us?
Most people don’t realize the number of microprocessors and sensors that come with current vehicles.
The car you drive today contains so much technology that it may be your most sophisticated item, even more than your computing devices.
Many recent models can contain hundreds of sensors to monitor various vehicle functions so problems can be reported to the driver immediately.
Newer cars also have multiple microprocessors to make sense of the data reported by the many installed sensors.
Millions of lines of software code control all of this technology. Did you know that a growing percentage of vehicle recalls are due to software issues?
Vehicles may also use connections to satellite radio or emergency support systems.
This enhanced technology provides us with many valuable services, conveniences, and even entertainment.
But the technology in most cars has little, if any, security. Many vehicles can be hacked, and some can be taken over remotely.
But have you considered the data your car is collecting and how it could put your privacy at risk?
From the linked article by Robin Mitchell, published by electropages:
“In the case of vehicle cameras, many thousands of drivers have been recorded by their vehicles without their knowledge, including Tesla CEO Elon Musk. These cameras have the ability to capture high-definition images, regardless of where the vehicle is parked, and in many cases, store this information on a local storage device. As such vehicles usually have some kind of cloud connectivity, a hacker only needs to find a weak spot in the connection (either from the vehicle directly or the cloud service itself), to access video and image files. In fact, this attack was used on one unsuspecting Tesla driver who was caught fully nude while quickly fetching items from the car.”
“Finally, the inclusion of microphones both externally and internally allows modern cars to potentially record conversations (this is already an issue with dashcams). While 90% of conversations are arguably boring, it is very easy to have a personal conversation with someone whose contents could be damaging either to those having the conversation or others mentioned in the conversation.”
You need to be aware of the data that your car is possibly collecting. But looking at the current situation from an investigator’s perspective, could any of this data be useful for an investigation?
Do the benefits of technology in vehicles outweigh the privacy and security risks?
______________________________________________
How an AI tool could crack your passwords in seconds
(Apr. 10, 2023)
https://www.zdnet.com/article/how-an-ai-tool-could-crack-your-passwords-in-seconds/
In the last newsletter, you read about how artificial intelligence has been used to mimic a voice to get past voice authentication used to secure a bank account.
But another type of AI can be used to crack passwords, which makes password management even more critical than it has been.
“To determine how long it would take to crack 15,600,000 common passwords via artificial intelligence, Home Security Heroes enlisted an AI tool known as PassGAN. A combination of the terms “password” and GAN (Generative Adversarial Network), PassGAN is able to master the art of password cracking not through the usual manual processes but by analyzing real passwords from actual leaks. Such an automated method threatens to help the bad guys crack passwords faster and more efficiently.
Looking at all the common passwords, Home Security Heroes found that 81% of them could be cracked in less than a month, 71% in less than a day, 65% in less than an hour, and 51% in less than a minute.”
Given that this new technology will make it easier for techno-criminals to hack your password, the article provides the following recommendations:
“Use strong password patterns: The longer and stronger your password, the more resistant it will be against cracking. This means using at least 15 characters, having at least two letters (uppercase and lowercase) as well as numbers and symbols, and avoiding obvious patterns such as real words.
Change your password regularly: Maybe you’re concerned that someone has accessed one of your accounts. Or perhaps you shared your password with the wrong person. Whatever the reason, you’ll want to change a password periodically to guard against its use and abuse.
Don’t use the same password across multiple accounts: If you repeat the same password across different sites, and a hacker obtains it for one site, what will happen? That hacker can use that cracked password to compromise your other accounts.”
“Use a password manager. Creating, remembering, and applying a long and complex password for each account is virtually impossible without assistance. Until passwordless options become universal, a password manager is still your best bet for juggling all the unique passwords for all your accounts.”
I would add my recommendation to use multi-factor authentication (MFA) whenever possible. I do not recommend using SMS (text) messaging, where a website sends you a numeric code via a text message. Use an authenticator app that generates a random code that changes every few seconds. PCMag provides their recommendations for 2023 here.
______________________________________________
40% of IT security pros say they’ve been told not to report a data leak
(Apr. 5, 2023)
https://businessresources.bitdefender.com/bitdefender-2023-cybersecurity-assessment
Laws requiring notifications regarding data breaches have existed for several years.
The requirements vary depending on the type of organization and the nature of the stolen data, and may also differ depending on where the breach occurred.
Requirements in other countries can differ significantly from those in the United States, and even within the U.S. the laws of individual states may impose additional obligations.
But legislation and regulations are only as good as the rate of compliance.
The Bitdefender 2023 Cybersecurity Assessment surveyed “400 IT and security professionals globally, ranging from IT managers to CISOs, in various industry sectors working in organizations with 1,000+ employees to discover the biggest cybersecurity challenges businesses face in 2023”.
One of the key findings in this report is concerning but not shocking:
“Surprisingly, many impacted organizations say they have been told to keep the data leak confidential despite their obligation to report it. Over 40% of security professionals surveyed said they had been told to keep a breach under wraps, which again increases (to 71%) among US-based respondents. Comparatively, just 15% of respondents in Germany and 27% in France said they had kept a data breach confidential when they knew it should be reported.”
In my opinion, there are several problems with data breach reporting today.
Too many senior executives, board members, and managers still view cybersecurity as a cost center and a drag on revenue and profits, and they fail to provide enough resources to either prevent or discourage data breaches.
Then, when their organization experiences a breach, there are no consequences for the people who make these decisions.
We need to change laws to hold them accountable to the point where they think twice about their cybersecurity.
Let’s consider criminal negligence charges, and if a manager instructs an employee to cover up a data breach in violation of the reporting laws, there should be an option to prosecute that manager criminally.
In addition, individual liability should be an option for civil damages suffered by victims of cybersecurity mismanagement. Every senior management member should be exposed to lawsuits if their actions regarding cybersecurity are found to be careless and a contributing factor to a data breach.
To me, this is no different from covering up a crime that has been committed, and it only increases the magnitude of potential damages for victims whose data has been stolen.
When will we start treating data breaches and cybersecurity as a priority? Not until we have significant consequences to incentivize people to take this problem seriously.
______________________________________________
AI clones teen girl’s voice in $1M kidnapping scam: ‘I’ve got your daughter’
(Apr. 12, 2023)
https://nypost.com/2023/04/12/ai-clones-teen-girls-voice-in-1m-kidnapping-scam/
Deepfake kidnapping calls seem to be appearing in the media more than ever.
This New York Post article details the emotional impact on one mother who received a call:
“Artificial intelligence has taken phone scams to a frightening new level.
An Arizona mom claims that scammers used AI to clone her daughter’s voice so they could demand a $1 million ransom from her as part of a terrifying new voice scheme.
“I never doubted for one second it was her,” distraught mother Jennifer DeStefano told WKYT while recalling the bone-chilling incident. “That’s the freaky part that really got me to my core.”
This bombshell comes amid a rise in “caller-ID spoofing” schemes, in which scammers claim they’ve taken the recipient’s relative hostage and will harm them if they aren’t paid a specified amount of money.”
You might think the technology to clone a voice is expensive and complicated.
But you’re mistaken.
When I prepared my 2023 ACFE Fraud Conference presentation, I used one of these AI platforms to clone my wife’s voice.
To create the voice clone, I set up a Zoom call with Barbara so I could record the call. I had Barbara read a brief script for one of the characters in my hypothetical case.
I then exported 19 seconds of the audio from Barbara’s voice to an AI platform and cloned her voice.
Once the clone had been created, I could then type in anything I wanted her cloned voice to say. The platform even allows a user to adjust the expressiveness of the output, along with how close I wanted the result to sound to Barbara’s authentic voice.
The results surprised even me.
After I had finished the experiment, I received a call from a television consumer affairs reporter who said she wanted to do a story on these deepfake kidnapping crimes.
After the interview, the reporter asked whether I would clone her voice to use in her report. She sent me the recording of our Zoom call interview, and within 15 minutes, I isolated the audio of her speech during the call.
She gave me two scripts to have her cloned voice say.
First script:
“Hey! It’s XXXXX. I need a favor. Can you please text me a picture you have of me? Any one works. I’m working on a project for work.”
Second script:
“I’ve been kidnapped! Please send the money now! My life is in danger! Help me, please!”
I generated several versions for each script and sent her a link over three weeks ago.
I haven’t heard from her since.
I wonder if the results were too realistic and frightening for them to put on the air.
If you would like to see how this process works, come to see my presentation at the ACFE Fraud Conference in June (link below).
______________________________________________
Louisiana Man Uses Digital Driver’s License to Defraud Credit Unions & Banks
(Mar. 10, 2023)
Some people will tell you that the future of identity verification is a secure mobile app. If we all used this technology, we would not need to obtain and carry physical identification cards.
That may be true in the future, but there are always bugs to be worked out when governments transition from an older legacy system to new digital technology.
In 2018, six states in the U.S. announced that they would try a new system for digital driver’s licenses. Most systems would be based on encrypted mobile apps and use facial recognition to access the data stored in the app.
However, as we all know, techno-criminals will find a way to adapt:
“In Louisiana, a man on probation for multiple counts of bank fraud added to his tally, using a state-issued mobile digital driver’s license app to open accounts at as many as nine banks and credit unions. Robert Lee Daniel III also secured a $41,844 loan to purchase a pickup truck, lied about his income, and deposited thousands of dollars in fraudulent checks.
Daniel did all of it using a mobile driver’s license (mDL) he’d secured by using stolen credentials that he knew belonged to a real person, who authorities identified as A.S.M., an inmate at a Louisiana prison. Once Daniel had the mDL downloaded onto his smartphone via the LA Wallet digital identity app, he could apply for accounts in A.S.M’s name.
Daniel has been sentenced to 65 months in prison and, following his release, a period of supervised release to last three years.”
As this case shows, a techno-criminal doesn’t have to be an expert to use technology to commit a crime.
______________________________________________
Messaging companies warn UK over law impacting end-to-end encryption
(Apr. 18, 2023)
https://therecord.media/messenger-companies-uk-end-to-end-encryption-bill?_hsmi=254839989
For decades there has been a debate about the use of encryption.
Government intelligence and law enforcement agencies argue that end-to-end encryption prevents them from protecting against terrorist attacks and will block law enforcement from obtaining digital evidence needed for criminal investigations.
If criminals and terrorists all used unbreakable encryption, this position could be valid.
On the other side of the argument are cybersecurity, cryptography, and privacy advocates, who say that secure and unbreakable encryption shouldn’t have a “back door” to provide access to any outsider, even for legitimate purposes.
I see the frustration from both sides of the debate.
A potential new law in the United Kingdom, the “Online Safety Bill,” was first proposed under a different name over two years ago, and the current version is still being debated.
“The current draft of the bill, which is being scrutinized in the House of Lords from Wednesday onwards, includes a provision obliging technology companies to identify illegal content being distributed over their platforms, such as images of child sexual abuse.
For companies that provide end-to-end encryption, however, there is no way to identify this content as it transits through the company’s infrastructure.
As a solution, the British government has suggested that these businesses use accredited client-side scanning technology, which monitors users’ messages for this content before encrypting it.
The open letter describes the technology as “nullifying the purpose of end-to-end encryption … and compromising the privacy of all users.” WhatsApp and Signal previously threatened to leave the United Kingdom rather than be bound by the law.
Client-side scanning systems have become a favorite idea for governments seeking to address the spread of child abuse images online without outright banning end-to-end encryption.”
“Client-side scanning” systems usually mean that the content is reviewed before it is encrypted to identify any “objectionable” content, such as child pornography (the example most cited by law enforcement). But these systems would scan through all data not already encrypted.
Who will define what is “objectionable?”
The proposed UK legislation puts the compliance burden on the companies that provide the encryption or carry encrypted traffic. But many of these companies never have access to encrypted content. They don’t have the decryption key to access a user’s data.
This is also known as “zero-knowledge encryption” and is offered by many providers.
I’m not sure that I have much confidence in the ability of companies like Alphabet (Google) or Meta (Facebook, Instagram, and WhatsApp) to monitor everyone’s activities to determine if something is inappropriate or illegal.
These issues related to the use of encryption won’t go away. If anything, encryption technology will only become more complicated as new products and services develop.
Your best option today is to educate yourself about encryption and use this knowledge to protect your personal and business data while also having a plan in place should you encounter encryption in an investigation.
Could the data you need be available from another source that is not encrypted, such as a backup copy of the data?
What are the limitations in the legal jurisdiction where the data might be stored, and what will you need to do to obtain access?
In addition to knowing how encryption might impact your digital evidence, you should also consider how encryption can be used to protect your investigative data to ensure it remains secure and confidential.
New laws related to digital privacy are being enacted in many legal jurisdictions today. You’ll need to keep up with these developments to know your options during an investigation involving encryption technology.
______________________________________________
Scheduled Speaking Engagements
I’ll speak at the 34th ACFE Global Fraud Conference in Seattle, Washington, on Monday, June 12th, at 3:25 pm. The presentation title is “Digital Alibis: Will You Be Able to Extract the Truth from a Digital Mirage?”
I’m scheduled to give an all-day training seminar about various aspects of techno-crime investigations on Wednesday, September 20th, for the ACFE Las Vegas Chapter in Las Vegas, Nevada. Contact me if you would like more details regarding the specific topics.
______________________________________________
The Techno-Crime Newsletter is a free monthly newsletter providing information and opinions about techno-crimes, cybersecurity tools and techniques, privacy, and operational security for investigators. To subscribe or to read past issues, see The Techno-Crime Newsletter Archive web page.
Please feel free to forward this newsletter to anyone who will find the information interesting or useful. You also have our permission to reprint The Techno-Crime Newsletter, as long as the entire newsletter is reprinted.
Walt Manning is an investigations futurist who researches how technology is transforming crime and how governments, legal systems, law enforcement, and investigations will need to evolve to meet these new challenges. Walt started his career in law enforcement with the Dallas Police Department and then went on to manage e-discovery and digital forensics services for major criminal and civil litigation matters worldwide. He is the author of the thought-provoking book Techno-Crimes and the Evolution of Investigations, where he explains why technology will force investigations to evolve. Walt is an internationally recognized speaker and author known for his ability to identify current and impending threats from technology and advise his clients and audiences about ways to minimize their risk. In addition to many published articles, he has been interviewed and widely quoted in the media as an expert on topics related to technology crime and investigations.
Copyright © 2023 by The Techno-Crime Institute Ltd.