Bold Hackers
April 27, 2016
It looks like some hackers are no longer afraid of the proverbial light, we learn from “Sony Hackers Still Active, ‘Darkhotel’ Checks Out of Hotel Hacking” at InformationWeek. Writer Kelly Jackson Higgins cites Kaspersky security researcher Juan Andres Guerrero-Saade, who observes that those behind the 2014 Sony hack, thought to be based in North Korea, did not vanish from the scene after that infamous attack. Higgins continues:
“There has been a noticeable shift in how some advanced threat groups such as this respond after being publicly outed by security researchers. Historically, cyber espionage gangs would go dark. ‘They would immediately shut down their infrastructure when they were reported on,’ said Kurt Baumgartner, principal security researcher with Kaspersky Lab. ‘You just didn’t see the return of an actor sometimes for years at a time.’
“But Baumgartner says he’s seen a dramatic shift in the past few years in how these groups react to publicity. Take Darkhotel, the Korean-speaking attack group known for hacking into WiFi networks at luxury hotels in order to target corporate and government executives. Darkhotel is no longer waging hotel-targeted attacks — but they aren’t hiding out, either.
“In July, Darkhotel was spotted employing a zero-day Adobe Flash exploit pilfered from the HackingTeam breach. ‘Within 48 hours, they took the Flash exploit down … They left a loosely configured server’ exposed, however, he told Dark Reading. ‘That’s unusual for an APT [advanced persistent threat] group.’”
Seeming to care little about public exposure, Darkhotel has moved on to other projects, like reportedly using Webmail to attack targets in Southeast Asia.
On the other hand, one group which experts had expected to see more of has remained dark for some time. We learn:
“Kaspersky Lab still hasn’t seen any sign of the so-called Equation Group, the nation-state threat actor operation that the security firm exposed early last year and that fell off its radar screen in January of 2014. The Equation Group, which has ties to Stuxnet and Flame as well as clues that point to a US connection, was found with advanced tools and techniques including the ability to hack air gapped computers, and to reprogram victims’ hard drives so its malware can’t be detected nor erased. While Kaspersky Lab stopped short of attributing the group to the National Security Agency (NSA), security experts say all signs indicate that the Equation Group equals the NSA.”
The Kaspersky team doesn’t think for a minute that this group has stopped operating, but believe they’ve changed up their communications. Whether a group continues to lurk in the shadows or walks boldly in the open may be cultural, they say; those in the Far East seem to care less about leaving tracks. Interesting.
Cynthia Murrell, April 27, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Google and Its Hidden Costs
April 26, 2016
I read “Alphabet: Sunk by Hidden Costs.” (You will have to register or maybe pay to read the source article containing the MBA analysis.) I was a bit surprised at the notion of hidden costs. Money comes in. Money goes out. The only reason money is hidden relates to the popular human pass time of not keeping track of what people, products, etc. cost and making a comprehensible notation of who authorized the expenditure, when, and why. Without this information, money is not hidden. Money is just ignored. Cash flow or venture funding is okay. We will be fine.
The write up points out that Google’s financial results were hooked to “some hidden costs.” The write up points out:
One place to blame for the bigger than expected loss is the Other Bets category. The loss in these long shot investments surged to $802 million from only $633 million last year. The operating loss was only $140 million higher than last year when excluding the stock-based compensation. Surely, analysts factored in larger losses from this sector.
“Surely.”
The Alphabet Google has its math and science club projects. Is the “money is plentiful” concept a mismatch with the spending for cheating death, Loon balloons, and dealing with legal hassles?
Hidden costs underscore management and detail behaviors. MBA speak may not make the problem go away. Google’s failure rate with start ups may follow a normal distribution. Hidden money just underscores the risk associated with these ventures.
Stephen E Arnold, April 26, 2016
Duck Duck Go as a Privacy Conscious Google Alternative
April 26, 2016
Those frustrated with Google may have an alternative. Going over to the duck side: A week with Duck Duck Go from Search Engine Watch shares a thorough first-hand account of using Duck Duck Go for a week. User privacy protection seems to be the hallmark of the search service and there is even an option to enable Tor in its mobile app. Features are comparable, such as one designed to compete with Google’s Knowledge Graph called Instant Answers. As an open source product, Instant Answers is built up by community contributions. As far as seamless, intuitive search, the post concludes,
“The question is, am I indignant enough about Google’s knowledge of my browsing habits (and everyone else’s that feed its all-knowing algorithms) to trade the convenience of instantly finding what I’m after for that extra measure of privacy online? My assessment of DuckDuckGo after spending a week in the pond is that it’s a search engine for the long term. To get the most out of using it, you have to make a conscious change in your online habits, rather than just expecting to switch one search engine for another and get the same results.”
Will a majority of users replace “Googling” with “Ducking” anytime soon? Time will tell, and it will be an interesting saga to see unfold. I suppose we could track the evolution on Knowledge Graph and Instant Answers to see the competing narratives unfold.
Megan Feil, April 26, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Project Cumulus Tracks Stolen Credentials
April 26, 2016
Ever wonder how far stolen information can go on the Dark Web? If so, check out “Project Cumulus—Tracking Fake Phished Credentials Leaked to Dark Web” at Security Affairs. Researchers at Bitglass baited the hook and tracked the mock data. Writer Pierluigi Paganini explains:
“The researchers created a fake identity for employees of a ghostly retail bank, along with a functional web portal for the financial institution, and a Google Drive account. The experts also associated the identities with real credit-card data, then leaked ‘phished’ Google Apps credentials to the Dark Web and tracked the activity on these accounts. The results were intriguing, the leaked data were accessed in 30 countries across six continents in just two weeks. Leaked data were viewed more than 1,000 times and downloaded 47 times, in just 24 hours the experts observed three Google Drive login attempts and five bank login attempts. Within 48 hours of the initial leak, files were downloaded, and the account was viewed hundreds of times over the course of a month, with many hackers successfully accessing the victim’s other online accounts.”
Yikes. A few other interesting Project Cumulus findings: More than 1400 hackers viewed the credentials; one tenth of those tried to log into the faux-bank’s web portal; and 68% of the hackers accessed Google Drive through the Tor network. See the article for more details. Paganini concludes with a reminder to avoid reusing login credentials, especially now that we see just how far stolen credentials can quickly travel.
Cynthia Murrell, April 26, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Unicorn Land: Warm Hot Chocolate and a Nap May Not Help
April 25, 2016
In the heady world of the unicorn, there are not too many search and content processing companies. I do read open source information about Palantir Technologies. Heck, I might even wrap up my notes about Palantir Gotham and make them available to someone with a yen to know more about a company which embraces secrecy but has a YouTube channel explaining how its system works.
I was poking around for open source information about how Palantir ensures that a person with a secret clearance does not “see” information classified at a higher level of access. From what I have read, the magic is in time stamps, open source content management, and some middleware. I took a break from reading the revelations from a person in the UK who idled away commute time writing about Palantir and noted “On the Road to Recap: Why the Unicorn Financing Market Just Became Dangerous for All Involved.”
I enjoy “all” type write ups. As I worked through the 5,600 word write up, I decided not to poke fun at the logic of “all” and jotted down the points which struck me as new information and the comments which I thought might be germane to Palantir, a company which (as I document in my Palantir Notebook) has successfully fast cycles of financing between 2003 and 2015 when the pace appears to have slowed.
There is no direct connection between the On the Road to Recap article and Palantir, and I certainly don’t want to draw explicit parallels. In this blog post, let me highlight some of the passages from the source article and emphasize that you might want to read the original article. If you are interested in search and content processing vendors like Attivio, Coveo, Sinequa, Smartlogic, and others of their ilk, some of the “pressures” identified in the source article are likely to apply. If the write up is on the money, I am certainly delighted to be in rural Kentucky thinking about what to have for lunch.
The first point I noted was new information to me. You, gentle reader, may be MBAized and conversant with the notion of understanding the lay of the land; to wit:
most participants in the ecosystem have exposure to and responsibility for specific company performance, which is exactly why the changing landscape is important to understand.
Ah, reality. I know that many search and content processing vendors operate without taking a big picture view. The focus is on what I call “what can we say to close a deal right now” type thinking. The write up roasts that business school chestnut of understanding life as it is, not as a marketer believes it to be.
I noted this statement in the source article:
Late 2015 also brought the arrival of “mutual fund markdowns.” Many Unicorns had taken private fundraising dollars from mutual funds. These mutual funds “mark-to-market” every day, and fund managers are compensated periodically on this performance. As a result, most firms have independent internal groups that periodically analyze valuations. With the public markets down, these groups began writing down Unicorn valuations. Once more, the fantasy began to come apart. The last round is not the permanent price, and being private does not mean you get a free pass on scrutiny.
Write downs, to me, mean one might lose one’s money.
I then learned a new term, dirty term sheets. Here’s the definition I highlighted in a bilious yellow marker hue:
“Dirty” or structured term sheets are proposed investments where the majority of the economic gains for the investor come not from the headline valuation, but rather through a series of dirty terms that are hidden deeper in the document. This allows the Shark to meet the valuation “ask” of the entrepreneur and VC board member, all the while knowing that they will make excellent returns, even at exits that are far below the cover valuation. Examples of dirty terms include guaranteed IPO returns, ratchets, PIK Dividends, series-based M&A vetoes, and superior preferences or liquidity rights. The typical Silicon Valley term sheet does not include such terms. The reason these terms can produce returns by themselves is that they set the stage for a rejiggering of the capitalization table at some point in the future. This is why the founder and their VC BOD member can still hold onto the illusion that everything is fine. The adjustment does not happen now, it will happen later.
I like rejiggering. I have experienced used car sales professionals rejiggering numbers for a person who once worked for me. Not a good experience as I recall.
I then circled this passage:
One of the shocking realities that is present in many of these “investment opportunities” is a relative absence of pertinent financial information. One would think that these opportunities which are often sold as “pre-IPO” rounds would have something close to the data you might see in an S-1. But often, the financial information is quite limited. And when it is included, it may be presented in a way that is inconsistent with GAAP standards. As an example, most Unicorn CEOs still have no idea that discounts, coupons, and subsidies are contra-revenue.
So what’s this have to do in my addled brain with Palantir? I had three thoughts, which are my opinion, and you may ignore them. In fact, why not stop reading now.
- Palantir is a unicorn and it may be experiencing increased pressure to generate a right now pay out to its stakeholders. One way Palantir can do this is to split its “secret” business from its Metropolitan business for banks. The “secret” business remains private, and the Metropolitan business becomes an IPO play. The idea is to get some money to keep those who pumped more than $700 million into the company since 2003 sort of happy.
- Palantir has to find a way to thwart those in its “secret” work from squeezing Palantir into a niche and then marginalizing the company. There are some outfits who would enjoy becoming the go-to solution for near real time operational intelligence analysis. Some outfits are big (Oracle and IBM), and others are much, much smaller (Digital Reasoning and Modus Operandi). If Palantir pulls off this play, then the government contract cash can be used to provide a sugar boost to those who want some fungible evidence of a big, big pay day.
- Palantir has to amp up its marketing, contain overhead, and expand its revenue from non government licenses and consulting.
Is Palantir’s management up to this task? The good news is that Palantir has not done the “let’s hire a Google wizard” to run the company. The bad news is that Palantir had an interesting run of management actions which resulted in a bit of a legal hassle with i2 Group before IBM bought it.
I will continue looking for information about Gotham’s security system and method. In the back of my mind will be the information and comments in On the Road to Recap.
Stephen E Arnold, April 25, 2016
Research MapsThreat Actors of the Dark Web
April 25, 2016
Known as the Dark Web, a vast amount of sites exist requiring specialized software, Tor is most commonly used, to access them. Now, the first map of the Dark Web has launched, according to Peeling Back the Onion Part 1: Mapping the #DarkWeb from Zero Day Lab. A partner of Zero Day Lab, Intelliagg is a threat intelligence service, which launched this map. While analyzing over 30,000 top-level sites, their research found English as the most common language and file sharing and leaked data were the most common hidden marketplaces, followed by financial fraud. Hacking comprised only three percent of sites studied. The write-up describes the importance of this map,
“Until recently it had been difficult to understand the relationships between hidden services and more importantly the classification of these sites. As a security researcher, understanding hidden services such as private chat forums and closed sites, and how these are used to plan and discuss potential campaigns such as DDoS, ransom attacks, kidnapping, hacking, and trading of vulnerabilities and leaked data; is key to protecting our clients through proactive threat intelligence. Mapping these sites back to Threat Actors (groups), is even more crucial as this helps us build a database on the Capability, Infrastructure, and Motivations of the adversary.”
Quite an interesting study, both in topic and methods which consisted of a combination of human and machine learning information gathering. Additionally, this research produced an interactive map. Next, how about a map that shows the threat actors and their sites?
Megan Feil, April 25, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Webinjection Code a Key to Security
April 25, 2016
The heady days of open cybercrime discussions on the Dark Web are over, thanks to increasing investigation by law-enforcement. However, CaaS vendors still sell products like exploit kits, custom spam, and access to infected endpoints to those who know where to look. Security Intelligence discusses one of the most popular commodities, webinjection resources, in its article, “Dark Web Suppliers and Organized Cybercrime Gigs.” Reporter Limor Kessem explains:
“Webinjections are code snippets that financial malware can force into otherwise legitimate Web pages by hooking the Internet browser. Once a browser has been compromised by the malware, attackers can use these injections to modify what infected users see on their bank’s pages or insert additional data input fields into legitimate login pages in order to steal information or mislead unsuspecting users.
“Whether made up of HTML code or JavaScript, webinjections are probably the most powerful social engineering tool available to cybercriminals who operate banking Trojan botnets.
“To be considered both high-quality and effective, these webinjections have to seamlessly integrate with the malware’s injection mechanism, display social engineering that corresponds with the target bank’s authentication and transaction authorization schemes and have the perfect look and feel to fool even the keenest customer eye.”
Citing IBM X-Force research, Kessem says there seem to be only a few target-specific webinjection experts operating on the Dark Web. Even cybercriminals who develop their own malware are outsourcing the webinjection code to one of these specialists. This means, of course, that attacks from different groups often contain similar or identical webinjection code. IBM researchers have already used their findings about one such vendor to build specific “indicators of compromise,” which can be integrated into IBM Security products. The article concludes with a suggestion:
“Security professionals can further extend this knowledge to other platforms, like SIEM and intrusion prevention systems, by writing custom rules using information about injections shared on platforms like X-Force Exchange.”
Cynthia Murrell, April 25, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Google. No One Can Stop It. No One. No One. Aaaargh.
April 24, 2016
When I was a wee lad in days when admission to a motion picture was 25 cents, I recall watching with eyeballs wide open The Blob. Look at the poster for the film which flickered across the silver screen in 1958:
The words chosen to promote the film were “indescribable,” “indestructible,” and “Nothing can stop it.”
I read “If the Eurocrats Don’t Take on Google, No One Will Be Able to Stop It.” I find it interesting that the shock and awe words used by a promotion team in 1958 have become the currency of “real” journalism and punditry. Nothing can stop it lacks only an exclamation point.
The write up, wittingly or unwittingly, evokes “the molten meteor” as a metaphor for Google. The article reminded me:
If the commission decides that Google has indeed broken European competition law, then it can levy fines of up to 10% of the company’s annual global revenue for each of the charges. Given that Google’s global sales last year came to nearly $75bn, we’re talking about a possible fine of $15bn (£10.5bn). Even by Google standards, that’s serious money. And it’s not exactly an idle threat: in the past, the Eurocrats have taken more than a billion dollars off both Microsoft and Intel for such violations.
Money. The molten meteor cannot ignore that financial blood bank contribution. Imagine. Messrs. Brin and Page losing color and wheezing toward a Foosball game in the Alphabet Google offices in Mountain View. Frightening.
The legal system lacks a Steve McQueen it seems. The forces of good (the European Commission) has to find a way to stop the Alphabet Google from spelling doom. The article whines:
Once upon a time, we relied on the state to do this on our behalf – to cut monopolies down to size, to keep corporate power in check. The strange thing about the digital world is that states now seem unequal to this task. At the moment, the EC is the only game in town. Which makes one wonder if the Brexit enthusiasts have thought of that.
The Google has been doing exactly one thing consistently for more than 15 years. To stop the Google is an interesting thought. I am not confident that fines will do the trick. After cranking out three monographs about the Google between 2004 and 2009, it is pretty clear that the Google is falling victim to flawed reproduction of its own DNA. The death of the Alphabet Google will come from within the company itself. Regulators may find themselves looking in the mirror and see Mr. McQueen, but my research suggested:
- The shift to mobile is putting new stresses upon the governance structure of the Google
- The endless photocopying of the company’s online ad DNA is producing fuzzier and fuzzier systems and methods. I ran a query and had to work to spot an objective result. Try this query yourself from your laptop and then from your mobile phone: “Manhattan lawyers.” What’s an ad?
- The founders, once passionate about search, are now involved in math and science club projects like solving death.
- Users make the Google and the users are less and less aware of options. Online services coalesce into monopolies and the process has been chugging along for more than 15 years.
I like the zing of the “Nothing can stop it.” But the Alphabet Google thing is not forever no matter what regulators and alarmists assert. The blob did not die. It was put on ice. With the situation facing the European Community, I don’t think a suitable cooling system is available at this time. A small USB fan maybe?
Stephen E Arnold, April 24, 2016
Graceful, Tasteful Essay about Gawker and Hulk Hogan
April 24, 2016
Short honk: I am certainly no expert in “real” journalism. I am not an “academic.” I just paddle around the duck pond in rural Kentucky. I like to highlight interesting writing. An essay caught my attention because it had an interesting, although confusing, title; to wit:
When I read it, I thought about “If you prick us, do we not bleed?” Wrong. the write up uses a Shakespeare-echoing in a thoroughly modern Millie way. The write up discusses the US Constitution, the US legal system, and the behaviors of two notable persons.
Quite graceful, tasteful essay. I wish I could write with this elegant blend of colloquial phrase and rich metaphor. How many middle school teachers will use this particular personal essay as an illustration of a personal opinion? Lots? Only in New York?
Stephen E Arnold, April 24, 2016
Expert System: Inspired by Endeca
April 23, 2016
Years ago I listened to Endeca (now owned by Oracle) extol the virtues of its various tools. The idea was that the tools made it somewhat easier to get Endeca up and running. The original patents for Endeca reveal the computational blender which the Endeca method required. Endeca shifted from licensing software to bundling consulting with a software license. Setting up Endeca required MBAs, patience, and money. Endeca rose to generate more than $120 million in revenues before its sale to Oracle. Today Endeca is still available, and the Endeca patents—particularly 7035864—reveal how Endeca pulled off its facets. Today Endeca has lost a bit of its spit and polish, a process that began when Autonomy blasted past the firm in the early 2000s.
Endeca rolled out its “studio” a decade ago. I recall that Business Objects had a “studio.” The idea behind a studio was to make the complex task of creating something an end user could use without much training. But the studio was not aimed at an end user. The studio was a product for a developer, who found the tortuous, proprietary methods complex and difficult to learn. A studio would unleash the developers and, of course, propel the vendors with studios to new revenue heights.
Studio is back. This time, if the information in “Expert System Releases Cogito Studio for Combining the Advantages of Semantic Technology with Deep Learning,” is accurate. The spin is that semantic technology and deep learning—two buzzwords near and dear to the heart of those in search of the next big thing—will be a boon. Who is the intended user? Well, developers. These folks are learning that the marketing talk is a heck of a lot easier than designing, coding, debugging, stabilizing, and then generating useful outputs is quite difficult work.
According to the Expert System announcement:
The new release of Cogito Studio is the result of the hard work and dedication of our labs, which are focused on developing products that are both powerful and easy to use,” said Marco Varone, President and CTO, Expert System. “We believe that we can make significant contributions to the field of artificial intelligence. In our vision of AI, typical deep learning algorithms for automatic learning and knowledge extraction can be made more effective when combined with algorithms based on a comprehension of text and on knowledge structured in a manner similar to that of humans.”
Does this strike you as vague?
Expert System is an Italian, high tech outfit, which was founded in 1989. That’s almost a decade before the Endeca system poked its moist nose into the world of search. Fellow travelers from this era include Fulcrum Technologies and ISYS Search Software. Both of these companies’ technology are still available today.
Thus, it makes sense that the idea of a “studio” becomes a way to chop away at the complexity of Expert System-type systems.
According to Google Finance, Expert System’s stock is trending upwards.
That’s a good sign. My hunch is that announcements about “studios” wrapped in lingo like semantics and Big Data are a good thing.
Stephen E Arnold, April 23, 2016