eBay: Sprinting Forward to Fight Online Sneaker Fraud
October 13, 2020
“EBay Launches Sneaker Authentication Service to Combat Counterfeit Sales” caught one of the DarkCyber research team’s attention. When I read the forwarded email about this Verge article, I wondered why the title wasn’t “Ebay Sprints Forward with a Sneaker Authentication Service.” I then realized that eBay has been in business for 25 years and product fraud has been around at least that long on the service. One of my friends who used to work in a British security service worked as an adviser to eBay. I recall that he mentioned that eBay online crime was a “stunner.” I assumed he meant that the amount of online crime was enough to startle an experienced investigator.
According to the Silicon Valley “real” news write up:
Collectible sneakers are big business.
I recall instances of robbery and murder for a pair of gym shoes. Yeah, that is a “real” news factoid. Murder amps up the perceived value of this particular apparel sector.
Here’s how the quarter century old digital market will deal with fake gym shoes:
As with its previously-announced watch authentication service, eBay has partnered with a third-party company, Sneaker Con, to authenticate items. When a sale is made, the buyer ships the sneakers to an “authentication facility” where they’re inspected to make sure they match the listing’s title, description, and images. If they pass the inspection, an eBay tag is attached to them, and they’re sent on to the buyer. The same process covers returns, to stop unscrupulous buyers from trying to return fake sneakers to legitimate sellers.
Sprinting to the future or stepping up slowly? DarkCyber thinks eBay is doing the speed walking associated with 75-year-olds. Interpretation: Move slowly. Maybe “Ebay Limps Forward with a Sneaker Authentication Service.”
Stephen E Arnold, October 13, 2020
Domains Seized: What Companies Assisted the US Government?
October 13, 2020
The Straits Times’s article “US Seizes Iran Propaganda Websites” reported:
The US has seized 92 web domains used by Iran, including four which purported to be genuine English language news sites…Four of them, with the domain names “newsstand7.com”, “usjournal.net”, “usjournal.us”, and “twtoday.net”, were “operated by or on behalf” of Iran’s Islamic Revolutionary Guard Corps to influence United States domestic and foreign policy…
The article included an interesting factoid; to wit:
The sites were identified first with intelligence from Google and then also with help from Twitter and Facebook…
Interesting?
Stephen E Arnold, October 13, 2020
Facebook and Encryption
October 12, 2020
A number of experts have pointed to the information about Facebook’s contribution to child exploitation, human trafficking, and related activities. A good example is Robert David Steele’s “Betty Boop: Facebook Responsible for 94% of 69 Million Child Sex Abuse Images Reported by US Tech Firms.” DarkCyber notes “Five Eyes and Japan Call for Facebook Backdoor to Monitor Crime.” The point of that Nikkei Asia paywalled article is that encrypted messaging apps are conduits of information related to criminal activity.
Russia has taken some steps to deal with Telegram messaging traffic. Other countries, including Australia, Canada, England, New Zealand, and the United States express similar thoughts. Japan wants to “move closer” to these initiatives.
DarkCyber’s view is that the similarity of views among these countries is a response to a growing cyber crime challenge. The speed of instant messaging is one factor. The messaging apps’ growing robustness converts what was Dark Web eCommerce within Tor to encrypted channels operating on the “open” Internet. Plus, the messaging apps allow users to create the equivalent of “chat groups” in which like-minded individuals can share images and other information.
The call for a back door is getting louder. Providers of these software services may be reluctant to make changes. It is possible that change may be forced upon certain companies.
Stephen E Arnold, October 12, 2020
Work from Home: Stating the Obvious and a Newish Word
October 12, 2020
I read “Organizations Have Accrued Technical Debt in the Shift to Remote Work, and Now They Have to Face the Fallout.” Three facets of the article snagged my attention. The first was this observation attributed to a Security Awareness Advocate at KnowBe4, an information services firm:
“Many organizations have accrued a lot of technical debt, for lack of a better term, to get people working remotely,” said Malik. “They’ve enabled remote access to servers that they traditionally would never have given access to, or they might have relaxed some security rules. I heard of an organization that actually dropped 2FA to allow all of their employees to easily connect into the office, because they didn’t have enough resources to deploy 2FA to everyone, or train them up, or to deal with the number of tickets that would inevitably come in.”
Okay, the obvious has been stated.
Second, the use of the phrase “technical debt” indicates that services firms want to make clear that taking one set of technologies and applying them to remote work has risks.
No kidding. News? Hardly. Reports from assorted cyber security companies have been pointing out that phishing has become a go-to mechanism for some time. A useful report is available from Interpol.
The third facet of the article was the use of the portmanteau “websem.” The coinage appears to be a combination of the word “webinar,” itself a modification of “seminar,” and the now ubiquitous term “Web.”
Observations:
- Recycling Interpol data does not constitute an insight worthy of a consulting gig
- Whipping up jargon adds some froth to the Reddiwip analysis
Why not cite sources and use words WFH’ers will understand; for example, Zoom-eeting. Mammals braying, excitement, and snacks with toppings? The fallout? Plump targets for phishers.
Stephen E Arnold, October 12, 2020
Does Search Breed Fraud?
October 11, 2020
The question “Does search breed fraud?” is an interesting one. As far as I know, none of the big time MBA case studies address the topic. If any academic discipline knows about fraud, I believe it is those very same big time MBA programs.
“South Korean Search Giant Fined US $23 Million for Manipulating Results” reveals that Naver has channeled outfits with a penchant for results fiddling. The write up states:
The Korea Fair Trade Commission, the country’s antitrust regulator, ruled Naver altered algorithms on multiple occasions between 2012 and 2015 to raise its own items’ rankings above those of competitors.
Naver responded, according to the write up, with this statement:
“The core value of search service is presenting an outcome that matches the intentions of users,” it said in a statement, adding: “Naver has been chosen by many users thanks to our focus on this essential task.”
The pressure to generate revenue is significant. Engineers, who may be managed loosely or steered by the precepts of high school science club thought processes, can make tiny changes with significant impact. As a result, the manipulation can arise from a desire to get promoted, be cool, or land a bonus.
The implications can be profound. Google may be less evil because fiddling is an emergent behavior.
Stephen E Arnold, October 11, 2020
Email Scams: Chugging Along
October 2, 2020
Email scammers have not taken a break for the pandemic. Quite the opposite, the Montreal Gazette warns in, “Scamsters’ Phishing Expeditions Adding to our COVID Angst.” Writer Josh Freed describes a few frustrating fake emails he has had to field lately, including a very realistic one purportedly from Amazon about an expensive TV he had (not) ordered. The phisher-man included a number to call if, as they well knew, Freed had not made the purchase. Had he dialed that number, he was sure, he would have been prompted to enter his credit card information for a refund—and been ripped off instead. Other recent attempts on the author’s wallet were made in the names of the electric service, cable service, a credit card, and a bank he does not use. He relates the tale of the time he called a scammer’s bluff:
“Who are today’s scamsters, I wondered? So last week, after getting several phone messages from ‘Service Canada’ warning I’m being investigated for ‘major tax fraud,’ I decided to investigate. As instructed, I dialed back the Ontario number, prepared to meet my latest tormenters. The guy who answered had a strong East Indian accent. He introduced himself as Officer Christopher James, senior investigative chief of Service Canada, Badge #417J2954. He asked for my home address and SIN number, so I gave him fakes. …”
The rest is an amusing read if you’d like to smirk at an inept con man. Some scammers are slicker than this outfit, though, so readers are advised to take any unexpected email with a grain of salt. Freed writes:
“Overall, he was a pretty sad fraudster, but these scams are a real threat. According to the RCMP [Royal Canadian Mounted Police], they are successfully targeting many seniors. Lately, the most common scams are COVID-linked, offering fake virus tests, or home sanitation teams that will literally ‘clean out’ your home. So if anyone calls wanting to sanitize your house, just say no. And if you get advised any pricey OLED TVs are being delivered next day, ignore the message.”
Cynthia Murrell, October 2, 2020
Scammers Have Better Technology But Not New Ideas
September 30, 2020
Scammers are opportunists. They use anything and everything to con people out of their valuables and the Internet is the best tool in a scammer’s toolbox. Scammers might be armed with advanced technology, but their scam ideas are not. Because scammers are not original, they are predictable but sophisticated. The Journal of Cyber Policy wrote about scammers in “New Techniques, Same Old Phone Scams.”
A classic scam technique is the “too good to be true” offer, such as a free vacation or an investment opportunity. Scam artists make robocalls with these offers, and they used to be detectable because they came from out-of-state numbers. Spoofing technology, however, lets these robocalls display local area numbers, making the scams harder to detect. In 2019, the Federal Trade Commission reported that people lost $667 million to scammers, mostly paid with gift cards.
Scammers’ sophistication levels are rising too. There are entire call centers in Asia and Africa dedicated to making scam calls. These call centers masquerade as reputable businesses such as Apple, Amazon, PayPal, banks, etc., and attempt to convince people that an account has been breached, late on payments, or their identity (ironically) was stolen. Companies and banks never randomly email or call asking to confirm sensitive information. They advise people to delete the emails or hang up on callers.
Another new scam is calling people and claiming that a relative is facing legal action. The scammers call every member of a family, and when the person in question calls back, it turns out they need to share their social security number and date of birth. It is an effective tactic, because it puts people’s reputation in question and makes them believe they are in legal trouble.
Scammers are using the same tactics as they have for centuries, but being wise to their ways prevents theft:
“As phone scams continue to evolve, it is helpful to know the warning signs. Always be wary of unsolicited callers, even if you are familiar with the company from which they claim to be calling. Scammers will use the threat of jail time or a fine to induce the victim into a state of fear — pressuring the victim into handing over sensitive information. If the caller requests financial or other sensitive information, hang up and call the company back directly (through a number you can verify) to inquire about this issue. The FCC Tip Card is a brief, yet valuable, resource that provides information on spoofing scams. It would also be wise to register your phone number with the National Do Not Call Registry. Afterward, you shouldn’t receive telemarketing calls, and if you do, there’s a good chance they are a scam. As we continue to interact in this ever-evolving virtual world, we must remain on high alert against the deception of persistent fraudsters who are using new techniques for the same old phone scams.”
This is why it is important to read and watch the news, so you are aware of potential threats.
Whitney Grace, September 30, 2020
Thinking about Security: Before and Earlier, Not After and Later
September 30, 2020
Many factors stand in the way of trustworthy AI, not the least of which is the involvement of those for whom a raise, a bonus, or a promotion is involved. Then there is the thorny issue of bias built into machine learning. InformationWeek, however, looks at a few more straightforward threats in its article, “Dark Side of AI: How to Make Artificial Intelligence Trustworthy.”
Gartner VP and analyst Avivah Litan notes that, though AI is becoming more mainstream, security and privacy considerations still keep many companies away. They are right to be concerned—according to Gartner’s research, consumers believe responsibility lies with organizations that adopt AI technology, not the developers or vendors behind it. Litan describes two common ways bad actors attack AI systems: malicious inputs and query attacks. She writes:
“Malicious inputs to AI models can come in the form of adversarial AI, manipulated digital inputs or malicious physical inputs. Adversarial AI may come in the form of socially engineering humans using an AI-generated voice, which can be used for any type of crime and considered a ‘new’ form of phishing. For example, in March of last year, criminals used AI synthetic voice to impersonate a CEO’s voice and demand a fraudulent transfer of $243,000 to their own accounts….
“Query attacks involve criminals sending queries to organizations’ AI models to figure out how it’s working and may come in the form of a black box or white box. Specifically, a black box query attack determines the uncommon, perturbated inputs to use for a desired output, such as financial gain or avoiding detection. Some academics have been able to fool leading translation models by manipulating the output, resulting in an incorrect translation. A white box query attack regenerates a training dataset to reproduce a similar model, which might result in valuable data being stolen. An example of such was when a voice recognition vendor fell victim to a new, foreign vendor counterfeiting their technology and then selling it, which resulted in the foreign vendor being able to capture market share based on stolen IP.”
Litan emphasizes it is important organizations get ahead of security concerns. Not only will building in security measures at the outset thwart costly and embarrassing attacks, it is also less expensive than trying to tack them on later. She recommends three specific measures: conduct a threat assessment and carefully control access to and monitoring of training data/ models; add AI-specific aspects to the standard software development life cycle (SDLC) controls; and protect and maintain data repositories to prevent data poisoning. See the article for elaboration of each of these points.
Cynthia Murrell, September 30, 2020
Hacking a Mere Drone? Up Your Ante
September 29, 2020
So many technology headlines are the stuff that science fiction is made of. The newest headline describes a threat that comes not only from science fiction but also from the suspense genre, says Los Angeles Air Force Base: “SMC Team Supports First Satellite Hacking Exercise.”
For over a year, the Space and Missile Systems Center (SMC) experts in ground and satellite technology led a satellite hacking exercise. The event culminated in the Space Security Challenge 2020: Hack-A-Sat. The Special Programs Directorate and the Enterprise Corps Cross Mission Ground and Communications cyber operations team combined their forces for the exercise:
“This challenge asked security researchers, commonly known as hackers, from across the country and around the world to focus their skills and creativity in solving cybersecurity challenges on space systems. These white-hat ethical hackers are members of the research and security communities focused on legally and safely finding vulnerabilities for many different types of systems. This challenge focused on bridging the gap between space, cyber and security communities and growing these ecosystems.”
DEF CON controlled the exercise environment so the teams could practice their skills safely and securely. The competitors explored the satellite system, including the radio frequency communications, ground segments, and satellite bus. The Hack-A-Sat was basically war games with code. The purpose was to expose the experts to new systems they otherwise might not have access to.
The teams want to practice their skills in simulations and Hack-A-Sat events in preparation for real life events. The more real life scenarios the experts experience the more prepared they are to troubleshoot system errors and emergencies.
The Hack-A-Sat event is part of the future mission to the moon and defending the United States from enemy threats. However, if the United States can undertake these exercises, bad-acting countries can as well. It would be horrible if authoritarian governments discovered how to hack US satellites. The metaphor is scary but apt: could the equivalent of a 9/11 terror attack happen by satellite hacks?
Whitney Grace, September 29, 2020
Pastebin: And Its Purpose Is?
September 29, 2020
DarkCyber noted “Pastebin Adds Burn After Read and Password Protected Pastes to the Dismay of the Infosec Community.”
Here’s the passage one of the DarkCyber researchers noted before sending the item to me:
Named “Burn After Read” and “Password Protected Pastes,” the two new features allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password.
“And the purpose of pastesites is?” is a question the write up does not answer. On the surface, sharing snips of text seems innocent enough.
The write up notes:
While some people use it to host pieces of code or text they wanted to share with a colleague, over the past decade, Pastebin has also turned into a de-facto hosting service for malicious code.
There are some other interesting use cases too. Years ago, DarkCyber learned about pastesite flexibility in information provided by Recorded Future, the predictive analytics outfit. Among the more interesting functions of Pastebin in particular and the dozens of other text hosting outfits was providing ONION addresses for unusual and interesting Dark Web destinations, among other types of content.
There’s a common sense suggestion in the write up too: Block pastesites.
Some law enforcement and intelligence professionals have a passing interest in Pastebin and similar sites. Pastebin has an Abuse Management and Threat Analysis team ready to assist LE and intel professionals with their requests. Sometimes the requests require documents, authorizations, and explanations. Speedy response is possible. But how “speedy” is speedy? That’s another good question ignored by the write up.
Stephen E Arnold, September 29, 2020