ISMG Editors: $3B Crypto Seizure Shows Blockchain's SecurityAlso: New EU Report on Spyware; UK Cybersecurity Technical Director Bids Farewell
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including implications of the seizure of $3.36 billion in stolen bitcoin in Georgia, whether the EU is complicit in the spread of advanced spyware, and the departure of the U.K.'s Dr. Ian Levy, technical director of NCSC, with some important parting words.
The panelists - Anna Delaney, director, productions; Akshaya Asokan, consultant editor; Cal Harrison, editorial director; and Tony Morbin, executive news editor, EU - discuss:
- How a Georgia property developer who stole about 50,000 bitcoin from cybercrime dark web site Silk Road in 2012 pleaded guilty to wire fraud this week - and how the immutability of blockchain and good old detective work cracked the case;
- Highlights from a "farewell blog post" penned by U.K. National Cyber Security Center and GCHQ veteran Dr. Ian Levy, who is leaving his role as NCSC technical director;
- How a member of the European Parliament accused the European Union of complicity in the spread of advanced spyware within member states and across the globe.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Oct. 21 edition discussing what CISOs can learn from the verdict in the trial of the ex-Uber CSO and the Nov. 4 edition discussing how the ransomware ecosystem is fracturing.
Anna Delaney: Hello, I'm Anna Delaney and welcome back to the weekly edition of the ISMG Editors' Panel where I'm joined by fellow colleagues on the ISMG editorial team to evaluate and chew over the top cybersecurity news stories. Delighted this week to be joined by Tony Morbin, executive news editor for the EU; Editorial Director, Cal Harrison; and Consultant Editor, Akshaya Asokan. There was an interesting announcement from the DOJ this week related to a crime committed 10 years ago. Tell us about it.
Cal Harrison: Yeah, just a huge amount of money involved. Federal law enforcement finally caught up with a Georgia property developer after a fellow named Jimmy Zhong 10 years after he stole 50,000 bitcoin from Silk Road, the infamous cybercrime darknet site. He pleaded guilty on Monday in federal court, and forfeited the bitcoin, cash and 80% of his investments. At the time of the raid, this is interesting, the stolen cryptocurrency was worth about $3.36 billion. Today, thanks to market volatility, it's down to about $1 billion. The Justice Department says this was the second largest federal seizure of cryptocurrency, the largest being the 4.5 billion seeds from BitFenix, which was announced just earlier this year. All of this money is going to be retained by the government because it was stolen from Silk Road administrator Ross Ulbricht, also known as the Dread Pirate Roberts, which by the way, is a character in my favorite movie best movie of all time, The Princess Bride if . He overexerted serving life in prison for his involvement in that darknet market. Interesting thing about this hack was John figured out how to game the Silk Road's system by making deposits and withdrawals within milliseconds. For example, he could turn one $500 deposit into $2,500 and withdrawals within a second. He hid the funds in various wallets and stored the information in an underground safe and in a single board computer that was hidden and a popcorn tin underneath a pile of clothes in his closet. And I would suppose if there are any lessons to be learned from the cybercriminals for this one is to find a better hiding place for your stolen crypto.
Delaney: Cal, where would you hide $3 billion worth of stolen crypto?
Harrison: I've given it some thought. I would maybe put it on my desk because I can't ever seem to find anything on it.
Delaney: There's always the fear of hiding it in a place which is so good that you forget where it is. But Cal, what's the significance of this seizure from a law enforcement perspective?
Harrison: The interesting question. We talked to Ari Redbord, who is a ISMG contributor, former prosecutor and head of legal affairs and enforcement at TRM Labs, and he says the case is a real testament to the power of blockchain and how it helps investigators in unraveling this type of crime.
Ari Redbord: Interesting case for a number of reasons. One, the conduct occurred in 2012, which is significant. That was a long time ago. It was a lifetime ago when it comes to bitcoin. We were just hearing early days of bitcoin, I think the bitcoin pizza was purchased in 2012. So very early days of bitcoin. But what it shows on so many levels is the power of blockchains. And the unique characteristics that blockchains have to help investigators investigate fraud and financial crime. So the nature of blockchains, right? , these forever public ledgers - traceable, immutable, nothing ever changes, and every transaction is logged forever. So with those qualities allow for our investigators to use tools like TRM, to go back and trace and track the flow of funds over years. So, the technology may have not been there in 2012, may have not even been there in 2015, 2016, 2018. But today, investigators were able to go back or a year ago, and I'll get to that in a moment, we're able to go back and trace and track the flow of funds. So, this is sort of an "only in crypto" type of law enforcement action, because it allowed investigators to go back and trace across years in order to build a case. Another thing that was extraordinary about this is remember we talk about tools all the time. And capabilities, tools like TRM that allow law enforcement to track and trace the flow of funds. But we see here is that these are very powerful tools, but they're only one tool in a larger toolbox. And what we see here is ultimately, law enforcement, IRSCI, in particular, IRS Criminal Investigations, was able to execute a search warrant on a residence that belonged to the defendant, in this case, James Zhong and were ultimately able to find the evidence it needed to make its case. That search warrant was executed about a year ago. So, what I'm not involved in the case, and I wasn't involved in the case. But having been a prosecutor for about 11 years at DOJ, it is likely that over the last year, we've seen, , intense cooperation, the defendant sort of work with law enforcement to recover funds, to provide information about the laundering, and kind of help them get a clearer picture of this case. So much going on here but when I think about sort of the key takeaways is this case never happens in traditional world. This case is only enabled by those unique qualities of blockchains - open, transparent, immutable, and traceable and forever.
Harrison: Interesting points he made, you can almost see the parallel between how the technology developed with DNA evidence. And, how the technology to fight cybercrime has developed over the years and while we're seeing a case this old getting resolved. The other interesting point, I think was about how the investigators and prosecutors are using this to giving the criminals an opportunity to mitigate their sentences by cooperating and sharing their tactics. Investigators are certainly looking for ways to hone their skills and train new investigators. Just this past year, scammers sold about $14 billion in cryptocurrency and we've been seeing some troubling cases this year so this will hopefully contribute to the overall techniques and tactics that the investigators are using to defeat this type of cybercrime.
Delaney: It's a fascinating time to be working on crypto-related investigations. Thank you, Cal. Tony, U.K. National Cybersecurity Center and GCHQ veteran, Dr. Ian Levy is leaving what he describes as the best job in the world. And he's been working for government for over 22 years, I believe. He bid farewell with a stimulating, thought-provoking 6,000-word blog post. I think you're going to summarize it for us.
Tony Morbin: No, I'm just going to dip in and borrow one of the themes in his parting blog. As you say, he's leaving his role as technical director of U.K.'s NCSC, which is an offshoot of GCHQ. Now, it's a role he held at the U.K.'s government public facing cyber defense organization since its inception, shortly after the Snowden-NSA revelations dragged cybersecurity out from the shadows and into the spotlight. Now he was great at making some complex issues that we face appear simple. So do forgive me if my paraphrasing doesn't do him justice. But here goes: now, in kicks off with a quantum state superposition joke using a formula I won't even pretend that I can decipher. Other than that I get what he's saying is that cyber techies can be both simultaneously incredibly smart and incredibly dumb. The classic absent-minded professor who's maybe great in the lab, but less so when it comes to dealing with the non-tech world. And he tells a story about the World War II Boeing B-17 Flying Fortress aircraft, in which two similar looking controls sat side by side, one bringing down landing gear and the other controlling the wind flaps. It was eventually realized that this was the reason so many were lost on landing, as tired pilots at the end of an exhausting sortie hit the wrong switch causing the plane to crash. Of course, these controls are now different shapes, and they're far apart from each other. The aircraft world learned from its mistakes, and rather than blaming users for being unable to use badly designed safety features, and yet there are many in cybersecurity who do still talk about users being the biggest risk. They remind me, and this is where my picture comes in, of Basil Fawlty - the fictional hotel owner, who thought that the hotel would function so much better if it wasn't for having to put up with those awful guests. And as you can see the worried guests are being given a full dose in the picture. Now, as Ian points out, for all the tremendous ingenuity and creativity of the cybersecurity industry, we do continue to place ridiculous demands on users. And that's not just avoiding clicking links in emails or having poor password policies. And we implicitly expect arbitrarily complex implementations of technology to be perfect and vulnerability free in the long term. And then we break those who use the stuff that we build, when they fail to properly defend themselves from everything that hostile states can throw at them. Now, if I'm a physician, a car manufacturer, or retail owner, my priorities are healing, making or selling. They're not cybersecurity. I want cybersecurity specialists, professionals to take that worry away from me. Of course, that doesn't absolve me from some responsibility for security, no more than it absolves me from safety obligations. But I don't expect to have to learn a whole new profession to do my job. So what is reasonable? It's not reasonable to ask a 10 person software company to defend themselves from the Russians. But it is reasonable to ask a critical infrastructure company not to have their management systems connected to the internet with a password that school kids can crack. For cybersecurity to be scalable, long term, various security burdens need to be appropriately allocated with incentives for the correct management. The obvious person to manage the risk might not always be the best one. So make the change, move things around. As an aid to getting it right, or at least getting it better, Ian suggests a few recommendations. One, talk to people who aren't technical and listen to them. Stop blaming those without technical understanding when something goes wrong. Build stuff that works for most people most of the time, rather than going for the easy or the shiny thing and put ourselves in the shoes of users and ask if we're being sensible in our expectations. Now, as Ian says, we haven't got that right yet. But to end on a more positive note, I will say that personally within cybersecurity circles, I've heard far less blaming of users today than I did a decade ago. So at least we are headed in the right direction.
Delaney: Excellent. I think there's a lot of value in that blog post and it's funny he's often been described as a disrupter, hasn't he, Tony? But whoever comes next, has big shoes to fill, I feel.
Morbin: They do. I mean, as I say, it's that lovely combination of being a great, in-depth techie techie, whilst also being a communicator that can get the message across to a wider audience, but also, as demonstrated there have real empathy with that audience.
Delaney: For sure. Thank you for weaving in Basil Fawlty. First on the Editors' Panel. So Akshaya, this week, EU committee set up to investigate the questionable use of spyware across Europe presenting the initial findings of an investigation it started back in April this year. Could you just talk us through the findings?
Akshaya Asokan: The committee was initially formed in March to investigate the extent of spyware abuse within EU nations. And this was formed, especially after reports emerged that EU nations Poland, Greece, Hungary, Spain, had used their business to target its politicians, journalists and activists. So the committee began his investigation in April this year, and as part of their probe, its members who are mostly members of the European Parliament, visited these four nations, for fact finding purposes. But the interesting thing about the committee is that since it was launched, it has been highly politicized. Largely because a lot of the time these nations that have been investigated didn't want to be accountable or transparent about their use of spyware, by its own governments. So after that, so after much resistance and non-cooperation from the nations are being investigated, the committee finally presented their findings. This is not the final report yet. But this is just like a sum total of the investigative reports that they have done so far. So it presented the findings yesterday, and one of the things that they've said is that, U.S. complacency has played a large role. It's complacency from the end of EU nations, large organizations like the commission, parliament has played a big role in spyware to sort of mushroom and expand within EU. So the committee report says that within EU there are like 30 spyware companies that are active, and all of them are exploiting its features like common market, Schengen systems, and the EU regulated label, which just sort of act like, , credibility tag. So that's one interesting thing that the committee said yesterday. So this is not the final report yet. And this will be presented before the committee members for more amendments, and once that is finalized, which will be released towards the end of this month, and will be presented at the EU parliament.
Delaney: That's a great overview. And so I think there were other proposals, which included defining or states defining what national security is, which was interesting in the creation of a dedicated European Export Control Agency and a joint initiative with the U.S. to create common standards, and a blacklist of spyware vendors. And I know, Tony, you've reported on this or at least in the Editors' Panel in the past. I mean, isn't it impossible to regulate spyware use? Because it's always going to exist? What do you think?
Morbin: I think it's useful to regulate things. It's like saying is there any point having law enforcement when crimes are always going to exist? So you do have to regulate it, you have to put down the parameters of what's acceptable and what's not acceptable. And there will be states that don't sign up to it, just totally ignore it. There'll be states that sign up to it, and surreptitiously ignore it, but at least they can be held to account. But if there's no rules whatsoever, there is no holding anybody to account.
Delaney: Shall we wait and see in the next few months? Is that what's happening next?
Asokan: Yes. So there's a lot that the commission and other EU agencies need to do. So we'll see how their response will be like to the committee's finding.
Delaney: Excellent, well, thank you for that. And finally, we are seeing a wave of people in the infosec world leave Twitter, or threatening to leave the platform since Elon Musk took charge. Whether it's because the site will now charge users who want to be blue tick verified, or they don't trust it anymore, or have a disdain for Musk and his values. What are your thoughts? Have you left the platform as cybersecurity journalists? Or are you planning to leave? Are you thinking it's an overblown reaction?
Morbin: As a journalist, I'm going to have to go where the audience is. I don't think everyone is going to Mastodon. So although I probably will open a Mastodon account, because many techies are moving, it will be in addition to Twitter. Mastodon has its flaws, as well as does Twitter. With Twitter trying to get ourselves to increasingly identify ourselves more pay for the privilege and looking at other ways to monetize this, Mastodon has various issues such as people being tagged automatically and brought into a conversation where they weren't intended to be part of it. And there were likely to be other teething problems, partly because so many people are moving there. But as a journalist, it's going to be another channel rather than an alternative instead of channel.
Delaney: Mastodon has existed already for six years, but the influx of numbers have shot up.
Morbin: I saw a graph showing how they shot up when Elon Musk first said he was looking at taking over the channel. Then since he has taken it over and of course with the charging for the blue tick as well. So there is an uptick every time he messes with it.
Delaney: For sure. Akshaya?
Asokan: Like Tony said, for me, it will depend on where the audience is and a lot of the time the stories come from Twitter. And I do see it's still active. And so long as I'm still getting the stories on Twitter, I should be there. Also the other platform, it's not something that I'm familiar with.
Delaney: Staying on Twitter, for now. Cal?
Harrison: I'll probably follow the path of big influencers like you. I'm basically a lurker on Twitter, just as Tony and Akshaya were saying. , we use it as a way to keep up with the news and what people are saying. So it's one of the tools and the tool belt that I think we will continue to use. Also, it's a communication channel, as, if we need to get if we need to reach out to someone who's in the news, often Twitter is one of the only ways that we can do that. So anyway, I'll probably follow your lead.
Delaney: It's funny, I'm naturally swayed to LinkedIn these days or in recent years. Sort of, probably say more on that platform, but I still have my Twitter profile. It's good for reading others, and others tweets. Okay, well, let's see how that goes. Akshaya, Cal and Tony. It's been a pleasure. Thank you so much.
Morbin: Likewise, thanks very much.
Asokan: Thank you.
Harrison: You're welcome. Enjoyed it.
Delaney: Thank you so much for watching. Until next time.