Futurecast | Year-end numbers, Scam Camps, Hacking Crypto, and LLM Vulns

#000b Trust And Cyber Online 🌼

hello world [what’s up]

Hey cartomancers! Welcome to 2024. New years tend to bring new challenges for folks like us - new technology for us to protect, new regulations to consider, new attacks, new scams. Thank goodness new years can also bring new opportunities. Let’s hear it for optimism.

Note: The futurecast is still pre-launch - “official” launch will be mid-to-late January. Thanks for the feedback y’all have been providing!

In today’s email:

  • Fresh numbers: Catch up on some of those year-end wrap-ups - on the fraud ecosystem, what Google’s seeing as far as coordinated influence ops, and EFF’s take on 2023’s privacy & online rights highlights (and lowlights)

  • News nuggets: Including at least one item about AI, because no newsletter would be complete without it, but also looking at China & Myanmar’s conflict on online scams, attacks on cryptocurrency exchanges, and some vuln prioritization frameworks get extended to start covering LLMs (see, some AI for you)

  • 2024 predictions: Including one from Cartomancy Labs and one (partial, non-spoilery - yet) via literal cartomancy

training data [what’s news]

A couple of standout year-end reports to check out.

Coordinated influence ops: Google’s excellent Transparency Report (a combination of real-time and published reports that details the impact of policy on Google’s operating procedures and how the internet giant responds to and manages incoming requests for information from law enforcement, and more) is always available. But don’t sleep on the Threat Analysis Group’s Q4 bulletin, which gives more insight into their research into (and action taken on) coordinated influence op campaigns in Q4 2023. It gives both numbers (of YouTube channels) and a very brief explanation of why the channels were taken down.

Fraud-related Threat Landscape: Recorded Future’s deep dive into fraud-related threat intelligence in 2023 yields some unsurprising truths and also trends worth noting for fraud teams. In addition to the infographic summary, a full report is also available - some highlights below:

  • The number of cards posted for sale on dark web carding forums is up over 2022: researchers found 119 million stolen payment cards posted online this year.

  • Restaurants, bars, and online ordering platforms continue to be targeted to breach payment card data in bulk, while phishing and online scams remain prominent methods for getting card data from individuals.

  • Telegram channels are an important source and trading platform for fraudsters & scammers (check fraud, card fraud, testing bots).

  • 3DS bypasses are getting more popular, affecting 7,000 payment card BINs from over 200 card issuers.

  • Fraudsters seek to leverage Generative AI to support their social engineering techniques, so expect to hear more about this in 2024.

Privacy & Online rights: The Electronic Frontier Foundation keeps running tabs on new laws that might affect privacy and digital rights, but also has a series of end-of-year summaries (posted around the time they are also running their year-end giving campaigns). Check out EFF’s 2023 Year in Review, Taking Back the Web with Decentralization, and The U.S. Supreme Court’s Busy Year of Free Speech and Tech Cases. Or head to their webpage to see the entire series of year-end wrap-ups. It’s a pretty interesting collection of analyses.

Okay, reports are what I want to look at first due to All That Data, but here are some of the straight-up news articles that might pique your interest:

Myanmar’s Online Scams, Fraud, Trafficking: The relationship between criminal enterprises and trafficking is fairly clearly developed, although a lot of the details are cloaked in shadow. Distinctions between sweatshops and forced labor also get a bit blurry, and this evolving situation in Myanmar, documented by the NY Times (followed by other outlets with fewer paywalls, including CNN, Reuters, and Radio Free Asia), shows some of the economic underbelly of authoritarianism.

  • CNN reports that “in heavily guarded compounds controlled by local warlords, tens of thousands of people, mainly Chinese, have been trapped and forced by criminal gangs to defraud strangers with sophisticated schemes over the internet”.

  • And after repeated requests from Beijing to the Myanmar junta to crack down on these behaviors went unheard, China decided to get proactive. In late November, China’s Ministry of Public Security announced they had apprehended more than 31,000 Chinese nationals (including 1,500 Chinese fugitives) linked to the Myanmar online fraud gangs.

  • The NYTimes article includes a first-person account from a person tricked into one of these labor camps, and what he saw and did before escaping (7 Months Inside an Online Scam Labor Camp).

Hacking Cryptocurrency/Blockchain: The successful attack and exploitation of two decentralized cryptocurrency exchanges - plus references to bridging schemes, token-swap scams, and money laundering - are described in this press release from the U.S. Attorney's Office (Southern District of New York) on a recent suit.

  • The attacker (a security engineer whose skillset included reverse engineering smart contracts and auditing blockchain technology) was accused of, and ultimately pled guilty to, executing attacks on Crypto Exchange and also Nirvana Finance.

  • In the suit, one of the attacks is described - the engineer exploited a vulnerability in one of Crypto Exchange’s smart contracts, then inserted fake pricing data that caused the smart contract to generate roughly $9 million worth of inflated (fraudulent) fees. Interestingly, after swiping the $9 mil, the engineer communicated with Crypto Exchange and agreed to return the funds (except for $1.5M of it) if the company agreed not to pull in law enforcement.

  • Of the case - the first ever arrest involving an attack on a smart contract - U.S. Attorney Damian Williams said: “In total, [the defendant] used his technical know-how to steal over $12 million and tried to cover his tracks by swapping stolen crypto for Monero, using cryptocurrency mixers, hopping across blockchains, and utilizing overseas crypto exchanges.”

Vulnerability Management, LLMs: With all of the hootin’ and hollerin’ and hype for generative AI and LLMs, it is nice to see security folks doing what we do - starting the process of bridging our existing frameworks and techniques for spotting and classifying vulns/potential exploits over to these new technologies. Building on the momentum of the OWASP Top 10 for Large Language Model Applications, Bugcrowd recently announced updates to their VRT (Vulnerability Rating Taxonomy, a shared set of risk priority ratings) specific to LLM-related vulnerabilities. This is meant to be helpful both for bug hunters and for bounty program owners, so they can start to classify and target LLM-related bugs/vulns using a common understanding of severity.

hypotheses & futurecastings [what’s possible]

Prediction Soup: I can’t open my browser without getting a slew of 2024 predictions, so here are a few of those for your reading pleasure. I suppose the last 3 links aren’t predictions per se? But they go along with the “pay attention in 2024” theme of predictions.

I predict stuff, too: Speaking of year-end wrap-ups and futurecasting, I provided some ideas to IANS (where I am a faculty member) and also to the CISO Talk podcast/vlog, where I got to riff with Jennifer Minella, Dan Glass, and Mitch Ashley. The IANS link includes some embedded video, and of course you can check out CISO Talk at the link below.

Literal Cartomancy: One more thing: Caroline Wong (Cobalt.io) and I had a conversation at the end of 2023 (it’s not published yet, but when it comes out via the Humans of Infosec podcast, I’ll let you know). One of the fun things we did was “pull a card” for the cybersecurity industry. I won’t spoil the details of the card that was pulled and the analysis thereof (oh, I’ll definitely get into it with you after the episode goes live), but the card I pulled had a winged unicorn and a bunch of sharp objects on it. Based on that alone - what do YOU think cyber (as an industry) has in store in 2024? [more to come on this one, friends]

find more cartomancy [what’s happening]


tyyl [what’s next]

Thanks for reading to the end of this set of lab notes. I’m thrilled to have some fellow travelers mapping out where we’ve been, philosophizing about where we want to be, and building the paths to get us where we’re going.

See you next time on the Futurecast!

Allison