Potential Tor Browser Vulnerability Reported

December 19, 2016

Over at Hacker Noon, blogger “movrcx” reveals a potential vulnerability chain that he says threatens the entire Tor Browser ecosystem in, “Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale.” Movrcx says the potential avenue for a massive hack has existed for some time, but taking advantage of these vulnerabilities would require around $100,000. This could explain why movrcx’s predicted attack seems not to have taken place. Yet. The write-up summarizes the technique:

Anti-Privacy Implantation at Mass Scale: At a high-level the attack path can be described by the following:

  • Attacker gains custody of an addons.mozilla.org TLS certificate (wildcard preferred)
  • Attacker begins deployment of malicious exit nodes
  • Attacker intercepts the NoScript extension update traffic for addons.mozilla.org
  • Attacker returns a malicious update metadata file for NoScript to the requesting Tor Browser
  • The malicious extension payload is downloaded and then silently installed without user interaction
  • At this point remote code execution is gained
  • The attacker may use an additional stage to further implant additional software on the machine or to cover any signs of exploitation

This attack can be demonstrated by using Burp Suite and a custom compiled version of the Tor Browser which includes a hardcoded root certificate authority for transparent man-in-the-middle attacks.

See the article for movrcx’s evidence, reasoning, and technical details. He emphasizes that he is revealing this information in the hope that measures will be taken to nullify the potential attack chain. Preferably before some state or criminal group decides to invest in leveraging it.
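The chain above hinges on one property: the attacker's certificate is accepted by ordinary TLS validation, so everything the update client fetches afterwards (manifest, hash, payload) is under the attacker's control. The sketch below is an added example, not code from the original post or from movrcx's write-up. It models a client that checks an extension update and runs it against a constructed genuine server and a constructed man-in-the-middle, with and without a pinned public key. All keys, certificates, manifests and payloads are constructed stand-ins (the SPKI blobs are plain byte strings, the add-on id is a placeholder), and the manifest layout only approximates the shape of a Firefox-style update.json.

```python
"""
Added example: what each layer of the attack chain defeats on the client side.
Everything here is constructed for illustration; no real keys or manifests.
"""
from __future__ import annotations

import base64
import hashlib
from urllib.parse import urlsplit

# --- key pinning (HPKP style: base64(sha256(SubjectPublicKeyInfo DER))) ------

def spki_pin(spki_der: bytes) -> str:
    """Return the pin string for a DER-encoded SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def pin_ok(presented_spki_der: bytes, pinned: set[str] | None) -> bool:
    """With no pins, any CA-validated certificate is accepted (modelled as True);
    with pins, the server's key must be one the client already expects."""
    if pinned is None:
        return True
    return spki_pin(presented_spki_der) in pinned

# --- manifest and payload checks ---------------------------------------------

def manifest_hash_ok(update: dict, xpi: bytes) -> bool:
    """Check the XPI against the 'sha256:<hex>' value carried in the manifest."""
    algo, _, expected = update["update_hash"].partition(":")
    return algo == "sha256" and hashlib.sha256(xpi).hexdigest() == expected

def link_ok(update: dict, expected_host: str) -> bool:
    """Require the download link to be https on the expected host."""
    parts = urlsplit(update["update_link"])
    return parts.scheme == "https" and parts.hostname == expected_host

def fetch_update(server: dict, addon_id: str, pinned: set[str] | None,
                 expected_host: str) -> dict:
    """Run the whole client-side decision against one constructed endpoint
    (its SPKI, the manifest it serves, the XPI bytes it serves) and report
    which checks passed and whether the update would be installed."""
    result = {"pin": pin_ok(server["spki"], pinned),
              "link": False, "hash": False, "install": False}
    if not result["pin"]:
        return result  # TLS handshake rejected; no update data is ever trusted
    update = server["manifest"]["addons"][addon_id]["updates"][-1]
    result["link"] = link_ok(update, expected_host)
    result["hash"] = manifest_hash_ok(update, server["xpi"])
    result["install"] = result["link"] and result["hash"]
    return result

# --- constructed scenario ----------------------------------------------------

ADDON_ID = "noscript@example.invalid"   # constructed placeholder, not the real id
HOST = "addons.mozilla.org"

def make_server(spki: bytes, xpi: bytes) -> dict:
    """Build an endpoint whose manifest is self-consistent with the XPI it serves."""
    return {"spki": spki, "xpi": xpi,
            "manifest": {"addons": {ADDON_ID: {"updates": [{
                "version": "0.0.1",
                "update_link": f"https://{HOST}/noscript.xpi",
                "update_hash": "sha256:" + hashlib.sha256(xpi).hexdigest(),
            }]}}}}

GENUINE_SPKI = b"constructed-spki-of-the-real-addons-server"
ATTACKER_SPKI = b"constructed-spki-from-the-attacker-s-misissued-cert"
PINS = {spki_pin(GENUINE_SPKI)}

genuine = make_server(GENUINE_SPKI, b"constructed benign xpi")
# The exit node terminates TLS with its own CA-valid certificate and serves its
# own manifest, so the hash it advertises matches its own malicious payload.
mitm = make_server(ATTACKER_SPKI, b"constructed malicious xpi")

def run() -> dict:
    return {"genuine": fetch_update(genuine, ADDON_ID, PINS, HOST),
            "mitm": fetch_update(mitm, ADDON_ID, PINS, HOST),
            "mitm_no_pin": fetch_update(mitm, ADDON_ID, None, HOST)}

if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:12s} {r}")
```

The point the three runs make: the in-manifest hash and the https-only link check pass for the man-in-the-middle just as they do for the genuine server, because the attacker authored the manifest. Only a check rooted in something the attacker's certificate does not give them, here a pinned public key, stops the chain at the first step. A signature over the XPI from a publisher key the client already holds has the same property; the sketch pins the TLS key instead because that needs only the standard library.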

Cynthia Murrell, December 19, 2016

A Crisis of Confidence

December 14, 2016

I remember a time, long ago, when my family was confident that newspapers and TV reporters were telling us most of the objective facts most of the time. We also had faith that, though flawed human beings, most representatives in Congress were honestly working hard for (what they saw as) positive change. Such confidence, it seems, has gone the way of pet rocks and parachute pants. The Washington Examiner reports, “Fishwrap: Confidence in Newspapers, TV News Hits Bottom.” The brief write-up gives the highlights of a recent Gallup survey. Writer Paul Bedard tells us:

Gallup found that just 20 percent have confidence in newspapers, a 10-point drop in 10 years. TV news saw an identical 10-point drop, from 31 percent to 21 percent. But it could be worse. Of all the institutions Gallup surveyed on, Congress is at the bottom, with just 9 percent having confidence in America’s elected leaders, a finding that is clearly impacting the direction and tone of the 2016 elections. And Americans aren’t putting their faith in religion. Gallup found that confidence in organized religion dropped below 50 percent, to an all-time low of 41 percent.

Last decade’s financial crisis, the brunt of which many are still feeling, has prompted us to also lose faith in our banks (confidence dropped from 49 percent in 2006 to just 27 percent this year). There is one institution in which Americans still place our confidence—the military. Some 73 percent are confident of that institution, a level that has been constant over the last decade. Could that have anything to do with the outsized share of tax revenue that segment consistently rakes in? Nah, that can’t be it.

Cynthia Murrell, December 14, 2016

The One Percent Have Privately Disappeared

December 8, 2016

People like to think that their lives are not always monitored, especially inside their domiciles. However, if you have installed any type of security camera, especially a baby monitor, the bad news is that they are easily hacked. Malware can also be downloaded onto a computer to spy on you through the built-in camera. Mark Zuckerberg covers his laptop’s camera with a piece of electrical tape. With all the conveniences to spy on the average individual, it is not surprising that the rich one percent are literally buying their privacy by disappearing. FT.com takes a look in, “How The Super-Rich Are Making Their Homes ‘Invisible.’”

The article opens with a description of how an entire high-end California neighborhood exists, yet is digitally “invisible” on Google Street View. Celebrities live in this affluent California neighborhood and the management company does not even give interviews. Privacy is one of the greatest luxuries one can buy in this age and the demand will grow as mobile Internet usage increases. The use of cameras grows in proportion to Internet usage.

People who buy privacy by hiding their homes want to avoid prying eyes, such as paparazzi, and protect themselves from burglars. The same type of people who buy privacy are also being discreet about their wealth. They do not flaunt it, unlike in previous eras. In the business sector, more and more clients want to remain anonymous, so corporations are creating shell businesses to protect their identities.

There is an entire market for home designs that hide the actual building from prying eyes. The ultimate way to disappear, however, is to live off the grid:

For extra stealth, property owners can take their homes off the grid — generating their own electricity and water supply avoids tell-tale pipes and wires heading on to their land. Self-sufficient communities have become increasingly popular for privacy, as well as ecological, reasons; some estimates suggest that 180,000 households are living off the grid in the US alone.

Those people who live off the grid will also survive during a zombie apocalypse, but I digress.

It is understandable that celebrities and others in the public eye require more privacy than the average citizen, but we all deserve the same privacy rights. It also brings up another question: information needs to be found in order to be used. Why should some be able to disappear while others cannot?

Whitney Grace, December 8, 2016

Sugar Polluted Scientific Research

October 19, 2016

If your diet includes too much sugar, it is a good idea to cut back on the amount you consume. It also turns out that if you have too much sugar in your research, the sugar industry will pay you to hide the facts. Stat News reports that even objective academic research is not immune from corporate money in the article, “Sugar Industry Secretly Paid For Favorable Harvard Research.”

In the 1960s, Harvard nutritionists published two reviews in medical journals that downplayed the role sugar played in coronary heart disease. The sugar industry paid the Harvard researchers to report favorable results. Dr. Cristin Kearns published a paper in JAMA Internal Medicine about her research into the Harvard sugar affair.

Through her research, she discovered that Harvard nutritionists Dr. Fredrick Stare and Mark Hegsted worked with the Sugar Research Foundation to write a literature review that countered early research linking sucrose to coronary heart disease. This review would later help the sugar industry increase its market share by convincing Americans to eat a low-fat diet.

Dr. Walter Willett, who knew Hegsted and now runs the nutrition department at Harvard’s public health school, defended him as a principled scientist…‘However, by taking industry funding for the review, and having regular communications during the review with the sugar industry,’ Willett acknowledged, it ‘put him [Hegsted] in a position where his conclusions could be questioned. It is also possible that these relationships could induce some subtle bias, even if unconscious,’ he added.

In other words, corporate-funded research can skew scientific data so that it favors the funder’s bottom line. This fiasco happened in the 1960s; have things gotten worse or better since? With the fierce competition for funding and for space in scientific journals, the answer appears to be worse.

Whitney Grace, October 19, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

You Too Can Be an Expert Searcher

October 4, 2016

One would think that in the days of instant information, we all would be expert searchers and know how to find any fact. The problem is that most people type entire questions into search engines and allow natural language processing to do the hard labor. There is a smarter way to search than lazy question typing, and Geek Squad has a search literacy guide you might find useful: “Search Engine Secrets: Find More With Google’s Hidden Features.”

What very few people know (except us search gurus) is that search engines have hidden tricks you can use to find your results quicker and make search easier. While Google is the standard search engine and all these tricks are geared towards it, they will also work with other ones. The standard way to search is by typing a query into the search bar, and some of these typing tricks are old school, such as using quotation marks for an exact phrase, searching one specific Web site, wildcards, Boolean operators, and using a minus sign (-) to exclude terms.

Searching for pictures is a much newer search form and is usually done by clicking on the image search on a search engine. However, did you know that most search engines have the option to search with an image itself? With Google, simply drag and drop an image into the search bar to start the process. There are also delimiters on image search to filter results by specifics, such as GIFs, size, color, and others.

Even newer than image search is voice search with a microphone. Usually, voice search is employed with a digital assistant like Cortana or Siri. Some voice search commands are:

  •  Find a movie: What movies are playing tonight? or Where’s Independence Day playing?
  • Find nearby places: Where’s the closest cafe?
  • Find the time: What time is it in Melbourne?
  • Answer trivia questions: Where was Albert Einstein born? or How old is Beyonce?
  • Translate words or phrases: How do you say milk in Spanish?
  • Define a word: What does existentialism mean?
  • Convert between units: What’s 16 ounces in grams?
  • Solve a math problem: What’s the square root of 2,209?
  • Book a restaurant table: Book a table for two at Dorsia on Wednesday night.

The only problem is that only the typing tricks transfer to professional research. They are used at universities, research institutes, and even large companies. The biggest problem is that people in those organizations do not know how to use them.

Whitney Grace, October 4, 2016

Revenue Takes a Backseat to Patent Filings at IBM

September 9, 2016

The post on Slashdot titled IBM Has Been Awarded an Average of 24 Patents Per Day So Far in 2016 compares the patent emphasis of major companies, with IBM coming out on top with 3,617 patent awards so far in 2016, according to a Quartz report. Patents are the by-product of IBM’s focus on scientific research, as the report finds,

The company is in the middle of a painful reinvention, that sees the company shifting further away from hardware sales into cloud computing, analytics, and AI services. It’s also plugging away on a myriad of fundamental scientific research projects — many of which could revolutionize the world if they can come to fruition — which is where many of its patent applications originate. IBM accounted for about 1% of all US patents awarded in 2015.

Samsung claimed a close second (with just over 3,000 patents), and on the next rung down sit Google (with roughly 1,500 patents for the same period), Intel, Qualcomm, Microsoft, and Apple. Keep in mind, though, that IBM and Samsung have each been awarded more than twice as many patents as Google and the others, making IBM an unstoppable patent machine. You may well ask, what about revenue? They will get back to you on that score later.

Chelsea Kerwin, September 9, 2016
There is a Louisville, Kentucky Hidden Web/Dark Web meet up on September 27, 2016.
Information is at this link: https://www.meetup.com/Louisville-Hidden-Dark-Web-Meetup/events/233599645/

Cairo Authorities Perform Bitcoin Sting

September 8, 2016

Egyptian authorities refuse to let a 30-year-old dentist get away with trading in digital currency, despite there being no law on the books to prohibit the practice. The Merkle informs us, “Egyptian Dentist Apprehended in Bitcoin Sting Operation in Cairo.” Reporter Traderman reveals:

According to today’s post on the facebook page of The Ministry of the Interior, Mr. Ahmed was captured with $13,900 in cash, as well as a cellular phone and a smart tablet that were used in the trading operation. Authorities setup Ahmed by contacting him about a potential deal on LocalBitcoins, where Ahmed was selling the digital currency for $570 per coin.

The investigation was carried out with the cooperation of the Cairo Department of Public Safety and the Cairo Security Directorate. Mr. Ahmed has apparently confessed to trading bitcoin, but it is unclear what specific law Mr. Ahmed was breaking, as there are no regulations on digital currencies in Egypt.

The write-up tells us manufacturer AMECO, based in Cairo, has been accepting bitcoin apparently unmolested since 2014. Traderman also notes that, as of their writing, about seven Egyptian bitcoin vendors were operating on LocalBitcoins, all of whom seem to be running modest operations. It will be interesting to see whether law enforcement continues to crack down on bitcoin within Egypt’s borders, and, if so, what justification authorities may offer. Perhaps they will go so far as to pass a law.

Cynthia Murrell, September 8, 2016

Facebook vs. LinkedIn for Job Hunters

August 4, 2016

The article on Lifehacker titled Facebook Can Be Just As Important As LinkedIn For Finding a Job emphasizes the importance of industry connections. As everyone knows, trying to find a job online is like trying to date online. A huge number of job postings are scams, schemes, or utter bollocks. Navigating these toads and finding the job equivalent of Prince Charming is frustrating, which is why Facebook might offer a happy alternative. The article states,

“As business site Entrepreneur points out, the role Facebook plays in helping people find jobs shouldn’t be surprising. Any time you can connect with someone who works in your industry, that’s one more person who could potentially help you get a job. Research from Facebook itself shows that both strong and weak ties on the site can lead to jobs… Well, weak ties are important collectively because of their quantity, but strong ties are important individually because of their quality.”

Obviously, knowing someone in the industry you seek to work in is the key to finding and getting a job. But a site like Facebook is much easier to exploit than LinkedIn because more people use it and more people check it. LinkedIn’s endless emails eventually become white noise, but scrolling through Facebook’s News Feed is an infinite source of time-wasting pleasure for the bulk of users. Time to put the networking back into social networking, job seekers.

Chelsea Kerwin, August 4, 2016

Salesforce Blackout

July 27, 2016

Salesforce.com is a cloud computing company that earns the majority of its profits from customer relationship management software and from the commercial social networking apps it acquires. According to PC World, Salesforce recently had a blackout, and the details were told in: “Salesforce Outage Continues In Some Parts Of The US.” In early May, Salesforce was down for over twelve hours due to a file integrity issue in the NA14 database.

The outage began in the morning, with limited service restored later in the evening. Salesforce divides its customers into instances. The NA14 instance appears to serve North America, as many of the customers who complained via Twitter are located in the US.

The exact details were:

“The database failure happened after “a successful site switch” of the NA14 instance “to resolve a service disruption that occurred between 00:47 to 02:39 UTC on May 10, 2016 due to a failure in the power distribution in the primary data center,” the company said.  Later on Tuesday, Salesforce continued to report that users were still unable to access the service. It said it did not believe “at this point” that it would be able to repair the file integrity issue. Instead, it had shifted its focus to recovering from a prior backup, which had not been affected by the file integrity issues.”

It is to be expected that power outages like this will happen, and they will recur in the future. Technology is only as reliable as the circuit breakers and the electricity feeding it. This is why it is recommended to back up your files in more than one place.

Whitney Grace, July 27, 2016

Oracle v Google Copyright Trial in Progress

July 22, 2016

The battle between Google and Oracle over Android’s use of Java has gone to federal court, and the trial is expected to conclude in June. CBS San Francisco Bay Area reports, “Former Google CEO Testifies in Oracle-Google Copyright Trial.” The brief write-up reveals the very simple defense of Eric Schmidt, who was Google’s CEO while Android was being developed (and is now executive chairman of Google’s young parent company, Alphabet): “We believed our approach was appropriate and permitted,” he stated.

Java was developed back in the ‘90s by Sun Microsystems, which was bought by Oracle in 2010. Google freely admits using Java APIs in the development of Android, but asserts that this counts as fair use—the legal doctrine that allows limited use of copyrighted material if it is sufficiently transformed or repurposed. Oracle disagrees, though Schmidt maintains Sun Microsystems saw it his way back in the day. The article tells us:

“Schmidt told the jury that when Google was developing Android nine years ago, he didn’t believe the company needed a license from Sun for the APIs. “We believed our approach was appropriate and permitted,” he said.

“Under questioning from Google attorney Robert Van Nest, Schmidt said that in 2007, Sun’s chief executive officer Jonathan Schwartz knew Google was building Android with Java, never expressed disapproval and never said Google needed a license from Sun.

“In cross-examination by Oracle attorney Peter Bicks, Schmidt acknowledged that he had said in 2007 that Google was under pressure to compete with the Apple Inc.’s newly released iPhone.”

Yes it was, the kind of pressure that can erode objectivity. Did Google go beyond fair use in this case? The federal court will soon decide.

Cynthia Murrell, July 22, 2016


There is a Louisville, Kentucky Hidden Web/Dark Web meet up on July 26, 2016.
Information is at this link: http://bit.ly/29tVKpx.
