Free As a Dark Pattern
August 27, 2020
A number of online services offer free products. DarkCyber has spotted a semi-clever play used by a developer of “free” video editing software. Three-dimensional models were not on our radar. The “free” software constructs are now identified and monitored by our steam-powered intelligence system. (We operate from rural Kentucky. What did you expect? Reinforcement learning?)
“3D Printering: The World of Non-Free 3D Models Is Buyer Beware” contains some information. Let’s take a quick look at a couple of revelations which caught the DarkCyber team’s attention:
First, a company has developed what appears to be a fresh approach to direct sales. The write up explains:
A standout success is a site like Hero Forge, which allows users to create custom tabletop gaming miniatures with a web-based interface. Users can pay to download the STL of their creation, or pay for a printed version. Hero Forge is a proprietary system, but a highly successful one judging by their recent Kickstarter campaign.
Second, you can acquire 3D models via “begging for dollars.” The article explains that these are requests for money paid via Patreon. I assume PayPal may work too.
Third is a kit. The customer gets a 3D model when buying some physical good. The write up points out electrical parts, fasteners, or a “kit,” which DarkCyber assumes is a plastic bag with stuff in it.
The problem?
According to the write up, the problems are:
- Vendors don’t offer “test drives, fitting rooms, or refunds”
- Models have lousy design for manufacture. (DarkCyber assumes this means whatever emerges from the 3D printer is not going to carry water. Nice 3D printed thermos you have there, Wally.)
These two problems boil down to “quality.”
After reading the article, DarkCyber thinks that one could interpret the word “quality” as a synonym for “fraud.”
Dark patterns are becoming increasingly common. Let’s blame it on an error, an oversight, or, best of all, the pandemic.
Stephen E Arnold, August 27, 2020
The Possibilities of GPT-3 from OpenAI Are Being Explored
August 27, 2020
Unsurprisingly, hackers have taken notice of the possibilities presented by OpenAI’s text-generating software. WibestBroker News reports, “Fake Blog Posts Land at the Top of Hacker News.” The post was generated by college student Liam Porr, who found it easy to generate content with OpenAI’s latest iteration, GPT-3, that could fool readers into thinking it had been crafted by a person. Writer John Marley describes the software:
“GPT-3, like all deep learning systems, looks for patterns in data. To simplify, the program has been trained on a huge corpus of text mined for statistical regularities. These regularities are unknown to humans. Between the different nodes in GPT-3’s neural network, they are stored as billions of weighted connections. There’s no human input involved in this process. Without any guidance, the program looks and finds patterns.”
Rather than being unleashed upon the public at large, the software has been released to select researchers in a private beta. Marley continues:
“Porr is a computer science student at the University of California, Berkeley. He was able to find a PhD student who already had access to the API. The student agreed to work with him on the experiment. Porr wrote a script that gave GPT-3 a headline and intro for the blog post. It generated some versions of the post, and Porr chose one for the blog. He copy-pasted from GPT-3’s version with very little editing. The post went viral in a matter of a few hours and had more than 26,000 visitors. Porr wrote that only one person reached out to ask if the post was AI-generated. Albeit, several commenters did guess GPT-3 was the author. But, the community down voted those comments, Porr says.”
Little did the down-voters know. Porr reports he applied for his own access to the tool, but it has yet to be granted. Perhaps OpenAI is not too pleased with his post, he suggests. We wonder whether this blogger received any backlash from the software’s creators.
Cynthia Murrell, August 27, 2020
KnowBe4: Leveraging Mitnick
August 21, 2020
Many hackers practice their “art” because they want to beat the system, make easy money, and challenge themselves. White hat hackers are praised for their Batman vigilante tactics, but black hat hackers like Kevin Mitnick cannot even be classified as Robin Hoods. The Fast Company article “I Hired An Infamous Hacker-And It Was The Best Decision I Ever Made” tells Stu Sjouwerman’s story about hiring Kevin Mitnick.
Mitnick is a typical child hacker prodigy, who learned about easy money through pirated software. He went to prison for a year, violated his parole, and was viewed as an antihero by some and a villain by others. Either way, his background was controversial, and yet Sjouwerman decided to hire him. Sjouwerman was forming a new company centered on “social engineering” or “hacking the human,” terms used to describe tricking people into clicking harmful links or downloading malware-infested attachments. For his new cybersecurity company, Sjouwerman knew he needed a hacker:
“That was a turning point for my startup, KnowBe4. By recruiting Mitnick, we gained invaluable insights about where employees are most vulnerable. We were able to use those insights to develop a practical platform where companies can see where their own employees stumble and, most importantly, train them to recognize and avoid potential pitfalls. This is essential for any business because if all other security options fail, employees become a company’s last line of defense—one unintentional blunder can infect the entire network and bring down the whole company.”
Mitnick’s infamous reputation also gave the new startup a type of legitimacy. Other players in the cybersecurity industry knew about Mitnick’s talents and using them for white hat tactics gave KnowBe4 an advantage over rivals. Mitnick also became the center of KnowBe4’s marketing strategy, because he was a reformed criminal, understood the hacker community, and gave the startup an edgy yet authentic identity.
Hiring Mitnick proved to be the necessary step to make KnowBe4 a reputable and profitable business. It is also a story about redemption, because Mitnick donned the white hat and left his criminal past behind.
Will KnowBe4’s marketing maintain its momentum? Cyber security firms appear to be embracing Madison Avenue techniques. Watch next week’s DarkCyber for a different take on NSO Group’s “in the spotlight” approach to generating cyber intelligence sales.
Whitney Grace, August 21, 2020
Data Loss: An Interesting Number
August 19, 2020
“Over 27 Billion Records Exposed in the First Half of 2020” contains some interesting assertions. One which caught my attention was:
Although reports of data breaches are down 52 percent in the first half of this year, the number of records exposed over the same period has soared to 27 billion.
The write up quotes an expert from Risk Based Security as saying:
“The striking differences between 2020 and prior years brings up many questions,” says Inga Goddijn, executive vice president at Risk Based Security. “Why is the breach count low compared to prior years? What is driving the growth in the number of records exposed? And perhaps most importantly, is this a permanent change in the data breach landscape?”
I am curious as well. Interpol’s August 2020 “Cybercrime: Covid-19 Impact” suggests that cybercrime is chugging along quite nicely.
DarkCyber’s question is:
With hundreds of cyber security firms offering everything from real time AI monitors to old fashioned and expensive humans, bad actors appear to be increasingly successful. How is that Garmin cyber security system working now? Any Amazon S3 buckets compromised recently? Is Self-Key’s statement that “the first quarter of 2020 has been one of the worst in data breach history with over 8 billion records exposed” accurate?
The numbers may be interesting, but the question is, “Why are state-of-the-art, artificially intelligent cyber security systems performing in a way that suggests bad actors are experiencing a surfeit of target opportunities?”
Stephen E Arnold, August 19, 2020
Synthetic Audio Scams a Growing Concern for Businesses
August 17, 2020
With evolving technology come evolving scams. In their White Papers section, managed-intelligence firm Nisos examines a growing trend in, “The Rise of Synthetic Audio Deepfakes.” During a recent investigation, the company analyzed the synthetic audio used in a fraud attempt. The bad actors had mimicked the voice of their client’s CEO, asking an employee to dial a number and “finalize an urgent business deal.” See the write-up for some technical details of that analysis. Fortunately, the worker did not fall for the trick and alerted their legal department instead. Some companies, however, are not so lucky. The article tells us:
“The most famous use of deep fake synthetic audio technology in criminal fraud was a September 2019 incident involving a British energy company. The criminals reportedly used voice-mimicking software to imitate the British executive’s speech and trick his subordinate into sending hundreds of thousands of dollars to a secret account. The managing director of this company, believing his boss was on the phone, followed orders to wire more than $240,000 to an account in Hungary.
“Symantec security researchers reported in February on three cases of audio deepfakes used against private companies by impersonating the voice of the business’s CEO. The criminals reportedly trained machine learning engines from audio obtained on conference calls, YouTube, social media updates and even TED talks, to copy the voice patterns of company bosses. They created audio deepfakes replicating the CEO’s voice and called senior members of the finance department to ask for funds to be sent urgently. There was no additional reporting on which companies these were, whether the techniques were successful, or whether Symantec was able to obtain recordings of the deepfakes themselves.”
As synthetic manipulation gets more sophisticated, these schemes will only get more difficult to recognize. However, they have a distinct weakness—they must manage to trick a subject into taking action. Businesses can protect themselves by adopting certain best practices. If a request seems suspicious, an employee should call the supposed source on a known number to confirm it was them; the technology is not (yet) able to mimic an entire phone call. Predetermined challenge questions, using information not known to the public, are also a good idea. A word to managers and executives—employees may hesitate to “challenge” what sounds like their boss. We advise you assure them you will not get irritated when they do so. (And follow through.)
Cynthia Murrell, August 17, 2020
The Child Protection System Catches Pedophiles
August 11, 2020
Child pornography plagues the Internet’s underbelly: the Dark Web, peer-to-peer sharing networks, and even simple Google search. Law enforcement officials want to protect children and stop the spread of child pornography, so new software called the Child Protection System was created. NBC News shares details in the article “Inside the Surveillance Software Tracking Child Porn Offenders Across the Globe.”
The Child Protection System was designed by the Florida nonprofit Child Rescue Coalition. It is a forensic tool that scans file sharing networks and chatrooms to locate computers that download child pornography. It is programmed to search for over two hundred terms related to child sex abuse. These scans are then used as probable cause to gain search warrants. Child Protection System’s scans were used to arrest over 12,000 people. The software can search down to the county level and it also looks for images of children deemed twelve and under. It saves a lot of investigation time:
“‘The Child Protection System has had a bigger effect for us than any tool anyone has ever created. It’s been huge,’ said Dennis Nicewander, assistant state attorney in Broward County, Florida, who has used the software to prosecute about 200 cases over the last decade. ‘They have made it so automated and simple that the guys are just sitting there waiting to be arrested.’ The Child Rescue Coalition gives its technology for free to law enforcement agencies, and it is used by about 8,500 investigators in all 50 states. It’s used in 95 other countries, including Canada, the U.K. and Brazil. Since 2010, the nonprofit has trained about 12,000 law enforcement investigators globally.”
The Child Rescue Coalition wants to partner with social media platforms, schools, and more in order to discover who is downloading child pornography. These platforms often contain information about people discussing suspicious behavior, but such information does not by itself indicate criminal activity. If data from the Child Protection System and these platforms were cross-matched, it might indicate possible bad actors.
Some assert that such surveillance software breaks privacy laws. Handing over this much surveillance power to governments requires safeguards to protect individuals’ privacy.
Whitney Grace, August 11, 2020
Spear Phishing: The Key to the Garmin Ransomware Attack
August 11, 2020
DarkCyber is not too keen on widely disseminated explanations of criminal procedures. “How-to’s” may provide the equivalent of a jail house education to some. The article “Crypto-Ransomware in Action: A Closer Look at the WastedLocker Hijack of Garmin” explains the attack on an outfit specializing in geo-technology. Think GPS in consumer gizmos, aircraft, and vehicles. The write up quotes Kaspersky, a security outfit with some interesting allegations clinging to its shirt tails, as noting:
“This incident only highlights that there is a growing trend of targeted crypto-ransomware attacks against large corporations—in contrast to the more widespread and popular ransomware campaigns of the past, like WannaCry and NotPetya. While there are fewer victims, these targeted attacks are typically more sophisticated and destructive. And there is no evidence to suggest that they will decline in the near future. Therefore, it’s critical that organizations stay on alert and take steps to protect themselves.” [Fedor Sinitsyn, security expert at Kaspersky]
Additional details on the attack are available in the technical analysis on the Kaspersky Web site at this link. The write up includes screenshots and code samples. The details include this statement:
It uses a “classic” AES+RSA cryptographic scheme which is strong and properly implemented, and therefore the files encrypted by this sample cannot be decrypted without the threat actors’ private RSA key. The Garmin incident is the next in a series of targeted attacks on large organizations involving crypto-ransomware. Unfortunately, there is no reason to believe that this trend will decline in the near future.
DarkCyber agrees. Jail house learning?
Stephen E Arnold, August 11, 2020
DarkCyber for August 11, 2020, Now Available
August 11, 2020
DarkCyber is a video news program about the Dark Web, cyber crime, and lesser known Internet services. The program for August 11, 2020, covers four stories. This week’s program is available on YouTube at this link. [Note below]
Stephen E Arnold, the producer of DarkCyber, illustrates how to jam Alexa’s surveillance components. When white noise is not enough, Arnold points to a Web site which sells a wide array of jamming equipment. The video features a diagram of how a jamming device can disrupt mobile signals, Wi-Fi, and Bluetooth from a vehicle. If a basic mobile jammer is not suitable, Arnold provides information about a military-grade detection and jamming device with a comprehensive kill chain subsystem. Arnold reminds the viewer that use of some jamming devices can have unexpected consequences.
The second story addresses the TikTok dust up between the US and China. Arnold focuses on the trivializing of the TikTok threat by pundits. These individuals, in Arnold’s opinion, are not assessing the social engineering risks posed by a TikTok-type service. Data from a consumer app can pinpoint an individual who may be susceptible to cash inducements or threats to compromise the security of a workplace. TikTok videos may be silly, but the operators of the services are unlikely to be blind to the value of the data and its utility.
The third story considers iPhone hacking. Software, available via the regular Web, promises to hack an iPhone. If that approach does not work, there are hackers advertising iPhone hacking on the regular Internet. But what if the hack requires more aggressiveness? Arnold provides a link to a Dark Web site which makes clear that its operator will do anything for money. Can the iPhone be hacked? That depends on one’s willingness to believe information published on the Internet.
The final story focuses on the August 2020 Interpol report about cyber crime in the time of Covid. The report is available without charge, and its findings echo those of speakers at the 2020 National Cyber Crime Conference, held in July 2020. Arnold provides the URL from which the new report can be downloaded without charge.
I wanted to point out that we will no longer post a copy of the video on Vimeo. That company sent an email demanding that Stephen E Arnold upgrade to a Pro account. Instead of saying, “We are raising prices,” Vimeo threatened Arnold with termination of his account because the free DarkCyber video is a commercial enterprise. Arnold wrote Vimeo twice pointing out that he retired in 2013, produces the video without financial support or sponsorship, and makes the content available to anyone interested in the Dark Web, cybercrime, and lesser known Internet services. Arnold told me,
“Millennial marketers at Vimeo think they are doing their job by making false accusations and then ignoring respectful questions about the fee change. Cancel culture to Vimeo: ‘You are history. This is your termination notice.’”
We will give Facebook a whirl and include that URL if the service allows easy access with a minimum of invasive surveillance, pop ups, and targeted advertising for WhatsApp.
Kenny Toth, August 11, 2020
Amazon Policeware: Fraud Detection
August 4, 2020
We spotted “Fraud Detector Launched on AWS Platform.” As one pre-pandemic, face-to-face conference organizer told me, “No one cares about Amazon policeware. The future is quantum computing.”
Yeah, okay.
Amazon does not buy big booths at law enforcement and intelligence conferences. For now, that’s the responsibility of its partners. No booth, no attention, at least for one super-charged quantum cheerleader.
The write up states:
With Amazon Fraud Detector, customers use their historical data of both fraudulent and legitimate transactions to build, train, and deploy machine learning models that provide real-time, low-latency fraud risk predictions. To get started, customers upload historical event data (e.g. transactions, account registrations, loyalty points redemptions, etc.) to Amazon Simple Storage Service (Amazon S3), where it is encrypted in transit and at rest and used to customize the model’s training. Customers only need to provide any two attributes associated with an event (e.g. logins, new account creation, etc.) and can optionally add other data (e.g. billing address or phone number). Based upon the type of fraud customers want to predict, Amazon Fraud Detector will pre-process the data, select an algorithm, and train a model.
And what does an Amazon person who remains within the Amazon box with the smile on the side say? The write up reports:
Customers of all sizes and across all industries have told us they spend a lot of time and effort trying to decrease the amount of fraud occurring on their websites and applications. By leveraging 20 years of experience detecting fraud coupled with powerful machine learning technology, we’re excited to bring customers Amazon Fraud Detector so they can automatically detect potential fraud, save time and money, and improve customer experiences—with no machine learning experience required.
Several observations:
- Combined with “other” financial data available within the AWS system, Amazon’s fraud detection system may be of interest to some significant financial services firms.
- The technology provides a glimpse of what AWS can support; for example, matching tax returns to “other” financial signals in order to flag interesting returns.
- The technical widgets in the AWS structure make it possible for a clever partner to reinvent a mostly unknown financial task: identification or flagging of medical financial data for fraud. Subrogation with the point-and-click Amazon interface? Maybe.
To sum up, we offer a one hour lecture about Amazon’s policeware initiative. I know “free” is compelling, but this lecture costs money. For details write darkcyber333 at yandex dot com. Note: The program is different from our Amazon lecture for the 2020 US National Cyber Crime Conference.
No, it is not about the Quantum Computer Revolutions, but we do discuss Amazon’s Quantum Ledger Database. It works. Some quantum computing demonstrations do not.
Stephen E Arnold, August 4, 2020
Tech Downturn May Boost the Spirits of Criminal Combines
August 4, 2020
DarkCyber noted “Developer, Data Science Jobs: US Tech Is Taking a Worse Hit Than Other Sectors.” The write up reports:
New US tech job postings started to fall behind other sectors in mid-May and have slowed down even more since then, according to Indeed. Overall job postings, as expected, are down too, but only by 21% year on year versus 36% for the tech sector.
DarkCyber wants to point out that when legitimate technology jobs disappear, the technical professionals turn to gig sites to drum up business.
However, the unsuspecting professional seeking a job in networking, cyber security, or video streaming may accept a project from a company outside the US. That job, however, may be for an illegal video streaming operation run out of a store front in another country.
How does a US technical professional avoid doing work which may be ultimately to the benefit of a bad actor? Research and judgment.
Stephen E Arnold, August 4, 2020