Twitter for Verification: The Crypto Approach
October 21, 2020
New York State’s Twitter Investigation Report explores the cybersecurity “incident” at Twitter and its implications for election security. If you don’t have a copy, you can view the document at this url. The main point of the document struck me as this statement from the document:
Given that Twitter is a publicly traded, $37 billion technology company, it was surprising how easily the Hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account.
With the Department of Financial Services’ report in mind, I found the information in “.Crypto Domain Owners Can Now Be Verified With Twitter Accounts for Safer Payments” interesting. Twitter and “safer” are not words I would associate. The write up reports:
Blockchain startup Unstoppable Domains and oracle network Chainlink have launched a new feature allowing individuals or entities with blockchain domains to authenticate themselves using their Twitter accounts. The feature is powered by Chainlink oracles, which connect each .crypto address from Unstoppable Domains to a public Twitter username. The firms said the Twitter authentication could help stem crimes in cryptocurrency payments such as phishing hacks.
In one of our Twitter tests, we created an account in the name of a now deceased pet. Tweets were happily disseminated automatically by the dog. Who knew that the dead dog’s Twitter account can reduce phishing attacks?
Twitter: Secure enough to deliver authentication? The company’s approach to business does not give me confidence in the firm’s systems and methods.
Stephen E Arnold, October 21, 2020
DarkCyber for October 20, 2020, Now Available
October 20, 2020
The October 20, 2020 DarkCyber video news program covers five stories. First, secure messaging apps have some vulnerabilities. These can be exploited, according to researchers in Europe. Second, QinetiQ’s most recent cyber report provides some eye-opening information about exploit techniques and methods. Third, a free phishing tool is available on GitHub. With it, a bad actor can automate phishing attacks. Fourth, mobile phones can be remotely activated to work like spy cameras and audio transmitters. The final story explains that swarms of drones can be controlled from a mobile phone and a new crawling drone can deliver bio-weapons in a stealthy manner. DarkCyber is produced by Stephen E Arnold, author of CyberOSINT and the Dark Web Notebook. You can view the 11 minute program at this link. (The miniature centipede-like drone is a marvel.)
Kenny Toth, October 20, 2020
Dark Web Sites Losing Out to Encrypted Chat Apps?
October 14, 2020
With several Dark Web marketplaces falling to either law enforcement successes or to their own administrators’ “exit scams,” it was predicted vendors and buyers of illegal goods would shift to another alternative, one that promises end-to-end encryption. However, Bank Info Security explains “Why Encrypted Chat Apps Aren’t Replacing Darknet Markets.” To be sure, some criminals do use these apps, but they have been running into some disadvantages. Writer Mathew J. Schwartz specifies:
“One is the challenge of finding – or marketing – goods and services being provided via chat apps. Fear about the reliability of legitimate platforms – and of the risk of getting sold out – is another factor. ‘By trusting a legitimate third-party application’s encryption and anonymity policies, threat actors are placing their trust in non-criminals,’ the ‘Photon Research Team’ at digital risk protection firm Digital Shadows tells me. Criminals typically prefer to avoid such situations. … Chat platforms’ smaller scale can also be an unwelcome limitation for criminals because fewer customers means lower profits for sellers or chat-channel administrators. ‘Most instant messaging platforms tend to be smaller in terms of number of participants and also geographically focused or limited by language – limiting the reach,’ Raveed Laeb and Victoria Kivilevich, respectively product manager and threat intelligence analyst at Israeli cyber threat intelligence monitoring firm Kela, tell me. ‘Another limit is that many chat channels focus on one subject – meaning that one channel features drugs, another one offers enrolls and so on. Thus, it lowers potential profits for the channel’s admins,’ they say.”
It is true, legitimate encrypted apps have plenty of incentive to cooperate with the authorities. So why not build an alternative by criminals for criminals? Some have tried that, with networks like BlackBox, Phantom Secure, and EncroChat, all of which were summarily busted by law enforcement. There are likely more out there, but they may suffer the same fate.
In the end, it seems many dark-market vendors are sticking with the marketplaces. It makes sense in our view—we see the two avenues as complements to one another, anyway. Meanwhile, though, certain marketplaces are abandoning some of their traditional sellers: We’re told illegal drugs are being banned at these sites in favor of digitally transmittable products like malware, stolen databases, login credentials, and other cybercrime tools and services. There is the absence of complications caused by physical packages, but these products also exist in a grey area in many jurisdictions. (We note no mention is made of other items of high concern, like child pornography or weapons.) Schwartz supposes admins believe ceasing to market illegal drugs will make their sites smaller targets. Perhaps?
Cynthia Murrell, October 14, 2020
eBay: Sprinting Forward to Fight Online Sneaker Fraud
October 13, 2020
“EBay Launches Sneaker Authentication Service to Combat Counterfeit Sales” caught one of the DarkCyber research team’s attention. When I read the forwarded email about this Verge article, I wondered why the title wasn’t “Ebay Sprints Forward with a Sneaker Authentication Service.” I then realized that eBay has been in business for 25 years and product fraud has been around at least that long on the service. One of my friends who used to work in a British security service worked as an adviser to eBay. I recall that he mentioned that eBay online crime was a “stunner.” I assumed he meant that the amount of online crime was enough to startle an experienced investigator.
According to the Silicon Valley “real” news write up:
Collectible sneakers are big business.
I recall instances of robbery and murder for a pair of gym shoes. Yeah, that is a “real” news factoid. Murder amps up the perceived value of this particular apparel sector.
Here’s how the quarter century old digital market will deal with fake gym shoes:
As with its previously-announced watch authentication service, eBay has partnered with a third-party company, Sneaker Con, to authenticate items. When a sale is made, the buyer ships the sneakers to an “authentication facility” where they’re inspected to make sure they match the listing’s title, description, and images. If they pass the inspection, an eBay tag is attached to them, and they’re sent on to the buyer. The same process covers returns, to stop unscrupulous buyers from trying to return fake sneakers to legitimate sellers.
Sprinting to the future or stepping up slowly? DarkCyber thinks eBay is doing the speed walking associated with 75 year olds. Interpretation: Move slowly. Maybe “Ebay Limps Forward with a Sneaker Authentication Service.”
Stephen E Arnold, October 13, 2020
Domains Seized: What Companies Assisted the US Government?
October 13, 2020
The Straits Times’s article “US Seizes Iran Propaganda Websites” reported:
The US has seized 92 web domains used by Iran, including four which purported to be genuine English language news sites…Four of them, with the domain names “newsstand7.com”, “usjournal.net”, “usjournal.us”, and “twtoday.net”, were “operated by or on behalf” of Iran’s Islamic Revolutionary Guard Corps to influence United States domestic and foreign policy…
The article included an interesting factoid; to wit:
The sites were identified first with intelligence from Google and then also with help from Twitter and Facebook…
Interesting?
Stephen E Arnold, October 13, 2020
Facebook and Encryption
October 12, 2020
A number of experts have pointed to the information about Facebook’s contribution to child exploitation, human trafficking, and related activities. A good example is Robert David Steele’s “Betty Boop: Facebook Responsible for 94% of 69 Million Child Sex Abuse Images Reported by US Tech Firms.” DarkCyber notes “Five Eyes and Japan Call for Facebook Backdoor to Monitor Crime.” The point of that Nikkei Asia paywalled article is that encrypted messaging apps are conduits of information related to criminal activity.
Russia has taken some steps to deal with Telegram messaging traffic. Other countries, including Australia, Canada, England, New Zealand, and the United States, express similar thoughts. Japan wants to “move closer” to these initiatives.
DarkCyber’s view is that the similarity of views among these countries is a response to a growing cyber crime challenge. The speed of instant messaging is one factor. The messaging apps’ growing robustness converts what was Dark Web eCommerce within Tor to encrypted channels operating on the “open” Internet. Plus, the messaging apps allow users to create the equivalent of “chat groups” in which like minded individuals can share images and other information.
The call for a back door is getting louder. Providers of these software services may be reluctant to make changes. It is possible that change may be forced upon certain companies.
Stephen E Arnold, October 12, 2020
Work from Home: Stating the Obvious and a Newish Word
October 12, 2020
I read “Organizations Have Accrued Technical Debt in the Shift to Remote Work, and Now They Have to Face the Fallout.” Three facets of the article snagged my attention. The first was this observation attributed to a Security Awareness Advocate at KnowBe4, an information services firm:
“Many organizations have accrued a lot of technical debt, for lack of a better term, to get people working remotely,” said Malik. “They’ve enabled remote access to servers that they traditionally would never have given access to, or they might have relaxed some security rules. I heard of an organization that actually dropped 2FA to allow all of their employees to easily connect into the office, because they didn’t have enough resources to deploy 2FA to everyone, or train them up, or to deal with the number of tickets that would inevitably come in.”
Okay, the obvious has been stated.
Second, the use of the phrase “technical debt” indicates that services firms want to make clear that taking one set of technologies and applying them to remote work has risks.
No kidding. News? Hardly. Reports from assorted cyber security companies have been pointing out that phishing has become a go-to mechanism for some time. A useful report is available from Interpol.
The third facet of the article was the use of the portmanteau “websem.” The coinage appears to be a combination of the word “webinar,” itself a modification of “seminar,” and the now ubiquitous term “Web.”
Observations:
- Recycling Interpol data does not constitute an insight worthy of a consulting gig
- Whipping up jargon adds some froth to the Reddiwip analysis
Why not cite sources and use words WFH’ers will understand; for example, Zoom-eeting. Mammals braying, excitement, and snacks with toppings? The fallout? Plump targets for phishers.
Stephen E Arnold, October 12, 2020
Does Search Breed Fraud?
October 11, 2020
The question “Does search breed fraud?” is an interesting one. As far as I know, none of the big time MBA case studies address the topic. If any academic discipline knows about fraud, I believe it is those very same big time MBA programs.
“South Korean Search Giant Fined US $23 Million for Manipulating Results” reveals that Naver has channeled outfits with a penchant for results fiddling. The write up states:
The Korea Fair Trade Commission, the country’s antitrust regulator, ruled Naver altered algorithms on multiple occasions between 2012 and 2015 to raise its own items’ rankings above those of competitors.
Naver responded, according to the write up, with this statement:
“The core value of search service is presenting an outcome that matches the intentions of users,” it said in a statement, adding: “Naver has been chosen by many users thanks to our focus on this essential task.”
The pressure to generate revenue is significant. Engineers, who may be managed loosely or steered by the precepts of high school science club thought processes, can make tiny changes with significant impact. As a result, the manipulation can arise from a desire to get promoted, be cool, or land a bonus.
The implications can be profound. Google may be less evil because fiddling is an emergent behavior.
Stephen E Arnold, October 11, 2020
Email Scams: Chugging Along
October 2, 2020
Email scammers have not taken a break for the pandemic. Quite the opposite, the Montreal Gazette warns in, “Scamsters’ Phishing Expeditions Adding to our COVID Angst.” Writer Josh Freed describes a few frustrating fake emails he has had to field lately, including a very realistic one purportedly from Amazon about an expensive TV he had (not) ordered. The phisher-man included a number to call if, as they well knew, Freed had not made the purchase. Had he dialed that number, he was sure, he would have been prompted to enter his credit card information for a refund—and been ripped off instead. Other recent attempts on the author’s wallet were made in the names of the electric service, cable service, a credit card, and a bank he does not use. He relates the tale of the time he called a scammer’s bluff:
“Who are today’s scamsters, I wondered? So last week, after getting several phone messages from ‘Service Canada’ warning I’m being investigated for ‘major tax fraud,’ I decided to investigate. As instructed, I dialed back the Ontario number, prepared to meet my latest tormenters. The guy who answered had a strong East Indian accent. He introduced himself as Officer Christopher James, senior investigative chief of Service Canada, Badge #417J2954. He asked for my home address and SIN number, so I gave him fakes. …”
The rest is an amusing read if you’d like to smirk at an inept con man. Some scammers are more slick than this outfit, though, so readers are advised to take any unexpected email with a grain of salt. Freed writes:
“Overall, he was a pretty sad fraudster, but these scams are a real threat. According to the RCMP [Royal Canadian Mounted Police], they are successfully targeting many seniors. Lately, the most common scams are COVID-linked, offering fake virus tests, or home sanitation teams that will literally ‘clean out’ your home. So if anyone calls wanting to sanitize your house, just say no. And if you get advised any pricey OLED TVs are being delivered next day, ignore the message.”
Cynthia Murrell, October 2, 2020
Scammers Have Better Technology But Not New Ideas
September 30, 2020
Scammers are opportunists. They use anything and everything to con people out of their valuables and the Internet is the best tool in a scammer’s toolbox. Scammers might be armed with advanced technology, but their scam ideas are not. Because scammers are not original, they are predictable but sophisticated. The Journal of Cyber Policy wrote about scammers in “New Techniques, Same Old Phone Scams.”
A classic scam technique is the “too good to be true” offer, such as a free vacation or an investment opportunity. Scam artists make robocalls with these offers, and they used to be detectable because they came from out-of-state numbers. Spoof technology, however, makes these robocalls appear to come from local area numbers, making it harder to detect the scams. In 2019, the Federal Trade Commission reported that people lost $667 million to scammers, mostly paid with gift cards.
Scammers’ sophistication levels are rising too. There are entire call centers in Asia and Africa dedicated to making scam calls. These call centers masquerade as reputable businesses such as Apple, Amazon, PayPal, banks, etc., and attempt to convince people that an account has been breached, that they are late on payments, or that their identity (ironically) was stolen. Companies and banks never randomly email or call asking to confirm sensitive information. They advise people to delete the emails or hang up on callers.
Another new scam is calling people and claiming that a relative is facing legal action. The scammer calls members of an entire family, and when the person in question calls the scammer, it turns out they need to share their Social Security number and date of birth. It is an excellent tactic, because it calls people’s reputation into question and makes them believe they are in legal trouble.
Scammers are using the same tactics as they have for centuries, but being wise to their ways prevents theft:
“As phone scams continue to evolve, it is helpful to know the warning signs. Always be wary of unsolicited callers, even if you are familiar with the company from which they claim to be calling. Scammers will use the threat of jail time or a fine to induce the victim into a state of fear — pressuring the victim into handing over sensitive information. If the caller requests financial or other sensitive information, hang up and call the company back directly (through a number you can verify) to inquire about this issue. The FCC Tip Card is a brief, yet valuable, resource that provides information on spoofing scams. It would also be wise to register your phone number with the National Do Not Call Registry. Afterward, you shouldn’t receive telemarketing calls, and if you do, there’s a good chance they are a scam. As we continue to interact in this ever-evolving virtual world, we must remain on high alert against the deception of persistent fraudsters who are using new techniques for the same old phone scams.”
This is why it is important to read and watch the news, so you are aware of potential threats.
Whitney Grace, September 30, 2020

