Best Infosec-Related Long Reads for the Week, 9/16/23

Best Infosec-Related Long Reads for the Week, 9/16/23

'Insane' and unstoppable new spyware tool, Buenos Aires' dystopian facial recognition system, State Department's early cyber warning system, UK lord's fight to protect E2E, NIST's CSF 2.0 is a bust

Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at We’ll gladly credit you with a hat tip. Happy reading!

man wearing white sweater while reading book

Revealed: Israeli Cyber Firms Have Developed an 'Insane' New Spyware Tool. No Defense Exists

Haaretz’s Omer Benjakob walks through an investigation by Haaretz Magazine and the paper’s National Security & Cyber digital investigation desk of how “a new and disturbing cyber and espionage industry” has come into being in Israel that turns advertisements “into tools of war on the digital battlefield,” leveraging ads for offensive purposes, including spyware infections.

One of these companies is Insanet, whose existence is being made public here for the first time. As its name suggests, it possesses insane capabilities, according to sources in the industry. Founded by a number of well-known entrepreneurs in the fields of offensive cyber and digital intelligence, the company is owned by former ranking members of the defense establishment, including a past head of the National Security Council, Dani Arditi. The investigation reveals that the company has developed technology that exploits ads both for tracking and for infection. It’s not by chance that the company has named their product Sherlock.

The company’s personnel also succeeded in obtaining authorization from the Defense Ministry to sell their technology globally. Insanet has already sold the capability to one country that is not a democracy.

According to the findings of the investigation, this is the first case in the world where a system of this sort is being sold as technology, as opposed to a service. Another Israeli firm, Rayzone, has developed a similar product and this year received approval in principle to sell it to its clients in Western countries, though in practice this has not happened yet.

What’s most disturbing is that currently there are no defenses against these technologies, and it’s not clear whether they can be blocked at all. Over the years, tech firms like Apple and Google have blocked hundreds of breaches through which spyware like Pegasus was able to infiltrate devices. Just this week, Apple’s digital wallet was exploited to send a message to users’ iPhones containing an image with a malicious code. That security breach was blocked. But even the smartest and most advanced defenses of Apple, Google and Microsoft currently lack the capacity to block this sort of infection. Until today, their advertising systems, which have countless defense mechanisms in place, were considered completely safe.

The Twisted Eye in the Sky Over Buenos Aires

In Wired, Karen Naundorf, the South America Correspondent for Swiss Television (SRF), delves into the abuses of Buenos Aires’ widespread facial recognition system, ostensibly designed by law to be used to search for Argentina’s estimated 40,000 fugitives from the law but in reality has been used to spy on blameless citizens and feed a massive database.

After almost a week in custody, without natural light, Ibarrola was taken to a court in the city where the crime had taken place: Bahía Blanca, 600 kilometers (373 miles) southeast of Buenos Aires. Shortly before they could take him to jail, a prosecutor noticed the mix-up: A different Guillermo Ibarrola, one slightly older, had committed the robbery. Minutes later, Ibarrola—the innocent Ibarrola— got his shoelaces back, a coffee to go, and a bus ticket home. “Someone had entered my ID number instead of the one of the Guillermo they were looking for. The facial recognition system worked correctly, the database was wrong,” Ibarrola says. “For them, it is just a data entry mistake. But we are talking about a person's life.”

Seventy-five percent of the Argentine capital area is under video surveillance, which the government proudly advertises on billboards. But the facial recognition system is being criticized after at least 140 other database errors led to police checks or arrests since the system went live in 2019—and before it was shut down with the Covid-19 lockdown in March 2020, according to city officials. Ibarrola’s arrest was one of the first.

Activists decided to sue the city government and scored a first success: In April 2022, a judge decided to keep the system turned off. Since then, the City of Buenos Aires has been fighting to get it back in use. It's not clear yet who will win the dispute: those calling for tighter controls on a powerful surveillance tool, or the city government, which is convinced that the system is indispensable for the safety of its citizens. By law, it may only be used to look for people who have an arrest warrant against them: Argentina's “most wanted.” This list is supposedly updated on a daily basis.

All thanks to ‘Big Yellow Taxi’: How State discovered Chinese hackers reading its emails

Politico’s John Sakellariadis and Maggie Miller explain how the US State Department detected a hack by a Chinese espionage group in June because a Department cybersecurity expert spearheaded an effort to implant a custom warning mechanism into the agency’s network more than two years ago.

The State Department was the first to report the activity to the U.S. government and to Microsoft. The firm has said the hackers used a powerful digital key they stole via a cascade of internal security mishaps to breach more than two dozen organizations globally, and at least 10 within the U.S. — none of which spotted the intrusion until the State Department did.

The analyst who built this, whom the State Department officials would not name, did “hero work,” said Kelly Fletcher, the agency’s chief information officer and head of the bureau of information resource management.

The State Department’s actions likely prevented Beijing from gaining more extensive access to the private communications of key U.S. officials amid an intense period of diplomacy between the world’s two largest economies.

Since the State Department caught the hack, Raimondo, Secretary of State Antony Blinken, Treasury Secretary Janet Yellen and U.S. climate envoy John Kerry have all traveled to China.

Meet the Facebook lobbyist-turned-lord fighting Britain’s encryption crackdown

Politico’s Vincent Manancourt profiles Richard Allan, a “Facebook lobbyist-turned-lord,” who is toiling to remove from the UK’s controversial Online Safety Bill U.K. a provision that would allow regulator Ofcom to force digital service providers to monitor messages for content linked to child sexual abuse and terrorism, posing an existential threat to end-to-end encryption protection.

Allan, a genial, white-bearded quinquagenarian who previously spent more than a decade as Facebook’s top EU lobbyist before recruiting Clegg, a former U.K. deputy prime minister, to the company, has already tried, and failed, to get the government to apply more safeguards to the proposed powers, which would allow U.K. comms regulator Ofcom to force digital service providers to monitor messages for content linked to child sexual abuse and terrorism.

Allan’s friends in tech are similarly perturbed.

Signal’s Whittaker has said she’d rather her service was blocked in the United Kingdom than slap monitoring tech on the apps. Will Cathcart of Meta-owned WhatsApp has hinted the service would make the same call. They say any move to scan message content poses an existential threat to the end-to-end encryption that protects messaging platforms like theirs from prying eyes.

On Wednesday, Whittaker and other privacy campaigners falsely claimed that London was pulling back from its bid to access encrypted messages — claims that were swiftly rebuffed by senior government ministers.

“The tech companies make a good case that client-side scanning would effectively break encryption,” said Allan, referring to the technique most often proposed as a way to monitor for illegal content in encrypted environments. It involves scanning messages and images on people’s device before they are sent via end-to-end encryption.

A Review of NIST’s Draft Cybersecurity Framework 2.0

In Lawfare blog, Melanie J. Teplinsky, an adjunct professor at American University, Washington College of Law (WCL), deconstructs the 2.0 update to NIST’s “gold standard” cybersecurity framework (CSF) and argues, among other things, that due to its lack of easy-to-understand, real-world implementation guidance, it is unlikely to improve the nation’s cyber posture fundamentally.

Unfortunately, the framework’s high-level guidance is too general to be implemented, and its “implementation guidance” is too technical to be of practical use to most organizations absent expert help. (In this regard, it is worth noting that although the CSF originally was designed for critical infrastructure, as a practical matter it has been widely adopted, and CSF 2.0 is explicitly designed to be used by organizations of all sizes and sectors.)

CSF 2.0 is unlikely to solve the pressing cybersecurity problems facing U.S. schools, hospitals, and the many other “target rich, resource poor” organizations that find themselves on the front lines of the cyber fight. NIST’s CSF 2.0 draft leaves these organizations largely responsible for their own cybersecurity, even in the face of significant cyber threats from the nation’s most capable cyber adversaries (that is, China, Russia, North Korea, Iran, and organized crime syndicates). Last year, for example, educational institutions suffered nearly $9.45 billion in downtime alone due to ransomware, yet few such institutions have the requisite knowledge, resources, and budget to use the NIST framework to develop a cybersecurity program capable of staving off sophisticated ransomware syndicates. The administration’s newly launched effort to shore up the cybersecurity of K-12 schools implicitly recognizes this reality. While it nods to the NIST framework, it seeks, among other things, to leverage expertise and investment from Amazon Web Services, Google, Cloudflare, and other large educational technology providers and vendors to protect schools. Generating effective cyber resilience in the face of proliferating cyber threats will require more such concerted efforts to leverage expertise and investment for the benefit of vulnerable organizations.

Read more