Countries Want Technological Backdoors

December 11, 2019

“Think of the children” is usually a weak claim people use to justify questionable actions, but law enforcement officials across the world are protecting children the correct way by teaming together to prevent child exploitation on the Internet. Ars Technica shares the story in the article, “Think Of The Children: FBI Sought Interpol Statement Against End-To-End Crypto.” Law enforcement officials, including the US Department of Justice, want there to be backdoors in technology for warranted search and surveillance.

US Attorney General William Barr and his UK and Australian peers asked Facebook to delay its plan to use end-to-end encrypt for all its company’s messaging tools. The FBI and the Department of Justice are encouraged other international law enforcement organizations to join their plea at the International Criminal Police Organization’s 37th Meeting of the Interpol Specialists Groups Group on Crimes Against Children. Delaying end-to-end encryption would find child sexual exploitation. Interpol has not officially supported the delay plea yet.

“The draft resolution went on to lay responsibility for child exploitation upon the tech industry: ‘The current path towards default end-to-end encryption, with no provision for lawful access, does not allow for the protection of the world’s children from sexual exploitation. Technology providers must act and design their services in a way that protects user privacy, on the one hand, while providing user safety, on the other hand. Failure to allow for Lawful Access on their platforms and products, provides a safe haven to offenders utilizing these to sexually exploit children, and inhibits our global law enforcement efforts to protect children.’”

Barr and his peers want technology experts should to agree with them about backdoors. Facebook and other social media companies already comply by terms in the CLOUD Act, a law to provide law officials with data no matter in the world it is located. Barr claims that if Facebook and other companies do not comply, they are allowing children to be exploited further. Research has shown, however, that encryption has had little effect on impeding law officials.

Facebook and other companies state there is not a backdoor skeleton key to any technology and if they did design one it would put people at risk.

Law enforcement officials have the right mindset, but they are missing the essential purpose of encryption and how a backdoor could be exploited by bad actors, including those who harm children.

Whitney Grace, December 11, 2019

Swedish Ethical Hackers Raise More Funding

December 9, 2019

Have you ever heard the cyber security terms white hat and black hat? They are metaphors for types of hacking. The terms originate from old western movies, where the good cowboys wore white hats while the villains had black ones. In reference to hacking, the black hat hackers are bad actors and the white hat hackers are ethical. Ethical hackers had a big score in Sweden says Bisman Area News in the article, “Detectify Raises Additional €21M For Its Ethical Hacking Network.”

Detectify is a Swedish cybersecurity startup that developed a powerful Web site vulnerability scanner. Detectify has raised another €21 million in funding; Balderton Capital led the fundraising with investors Inventure, Insight Partners, and Paua Ventures. The startup plans to use the funding to hire more white hat hackers to accelerate the company’s growth.

Detectify was founded in 2013 by elite white hat hackers. The team’s scanner is a Web site security tool that is automated to scan Web sites and discover vulnerabilities so users can remain on top of the security. The scanner’s most unique feature is that it is powered and updated by an ethical hacker network a.k.a. crowdsourcing.

Detectify used its first funding round in a clever and innovative way:

“As we explained when the startup raised its €5 million Series A round, this sees top-ranked security researchers submit vulnerabilities that are then built into the Detectify scanner and used in customers’ security tests. The clever part is that researchers get paid every time their submitted module identifies a vulnerability on a customer’s website. In other words, incentives are kept aligned, giving Detectify a potential advantage and greater scale compared to similar website security automation tools.”

The company gained clients in the US, including Spotify, Trello, and King. Detectify plans to continue its expansion by relying on talent acquisitions and crowdsourcing.

Whitney Grace, December 9, 2019, 2019

Turkey Surveillance: No, Not the Bird Watching Context

November 20, 2019

A company that makes surveillance software and sells it assorted governments, FinFisher, is fighting back against Netzpolitik, a website working to hold such companies accountable. Bloomberg declares, “Clash Over Surveillance Software Turns Personal in Germany.” Netzpolitik and several advocacy groups filed a criminal complaint against FinFisher, alleging it had sold its spyware to Turkey without the required German federal license. Such complaints are not new, but this one named names within FinFisher as responsible parties. An investigation has been opened by Munich prosecutors.

Not only does FinFisher deny supplying Turkey with spyware, it also claims Netzpolitik is unjustly prejudicing the investigation. It issued a cease-and-desist letter demanding an article about the Turkey allegations be taken down. Though the site’s owner insists the reporting is accurate, he removed the article to avoid the legal fight and a potential injunction. Reporter Ryan Gallagher writes:

“Netzpolitik filed the complaint against FinFisher in collaboration with Reporters Without Borders Germany, the Society for Civil Rights and the European Center for Constitutional and Human Rights. It alleges that covert operators of FinFisher’s technology set up a fake Turkish-language opposition website and Twitter accounts that were used to lure government critics into clicking on a malicious link. It isn’t clear who created the website and social media profiles. FinFisher says it ‘partners exclusively with Law Enforcement and Intelligence Agencies,’ according to its website.

“People who clicked the link — sent through the fake Twitter accounts to supporters of the opposition Republican People’s Party — were prompted to download an Android application that was in fact surveillance software, which would monitor their calls, text messages, photos, and location data, according to a technical report published by the digital rights group Access Now. Source code found on the website used to target the Turkish activists was ‘practically identical’ to the source code of FinSpy, surveillance software developed by FinFisher, the complaint alleges.”

FinFisher is no stranger to scrutiny. News articles have been written, advocacy group reports have been issued, and a WikiLeaks data release has been lobbed. Just recently, Reuters linked the company’s tech to an Uzbekistan agency’s effort to spy on activists and journalists. FinFisher claims it no longer trucks with governments outside the EU unless they are an “EU-001” designated country. (That list includes the likes of Australia, Canada, Japan, New Zealand, Norway, Switzerland, and the U.S.) Though other countries may retain old versions of the technology, AccessNow’s chief technologist notes that licensing restrictions and required updates would make them difficult or impossible to use without FinFisher’s support.

Cynthia Murrell, November 20, 2019

China Public Security Expo: Emotion Detection a Hot Surveillance Trend

November 4, 2019

DarkCyber loves hot trends, particularly when the technology is not particularly reliable. The idea is that smart software looks at one’s image and decides if the image is suggestive of a bad actor or a person of interest.

We noted a Boing Boing article called “Report from a Massive Chinese Surveillance Tech Expo, Where Junk-Science Emotion Recognition Rules.” That write up pointed to a series of tweets with pictures posted by Sue-Lin Wong, a journalist.

You can find the tweets and images of the event at this link.

Some of the assertions and factoids I noted in the tweets include:

  • China is using emotion detection in some surveillance systems at this time
  • Facial recognition developers are starting to bump into outfits like Huawei, which are poking around the technology which might fit nicely into some Huawei systems
  • Emotion detection has many applications, schools, dormitories, data mining, health care
  • Smart prisons and smart beds are getting attention
  • Unclassified miniature cameras were exhibited; for example, glasses with a camera in the nose piece frame.

DarkCyber does not think it will be productive to call an agent of the government wearing spy glasses a glasshole.

Stephen E Arnold, November 3, 2019

Another Cyber Firm Reports about Impending Doom

October 29, 2019

Identity intelligence firm 4iQ summarizes the results of recent research in the write-up, “Identity Protection & Data Breach Survey.” They polled 2,300 participants regarding data breaches and identity protection issues. You can see a slide show of the results here that presents the results in graph-form.

Researchers found that fewer than half the respondents had been notified they were victims of a breach. Most of them were offered identity protections services as a result, but about half of those felt that fell short of adequately addressing the problem. We also learn:

“*Nearly 40% of respondents believe they have already suffered identity theft and more than half of respondents, 55%, believe that it’s likely their personally identifiable information (PII) is already in the hands of criminals. As a result, 62% of respondents are concerned that their PII could be used by someone to commit fraud.

*More than half, 52%, of respondents said they would expect their own online security error to negatively or very negatively affect their standing with their employer—an additional stress for working Americans—so it’s not surprising then, that 60% of respondents believe there’s a ‘blame-the-victim’ problem with cybercrime.

*A strong majority, 63%, are concerned that prior breaches could lead to future identity fraud, and 37% believe they have already been a victim of fraud as a result of a cybercrime incident.”

As for protecting personal identifiable information, 75% feel their employers are doing a fair to excellent job, but only 42% feel the government is do so effectively. They feel even less confident about their personal efforts, however, with only 15% calling themselves “very effective” (23% rated their employers as “very effective”).

On that last point, 4iQ states it demonstrates that “everyday consumers may feel unprepared to contend with the threats presented by cybercrime,” which is not surprising from a company that sells solutions to that problem. We know there are free and low-cost measures individuals can take to boost their own security, but some will be willing to pay for extra reassurance on top of those precautions. Based in Los Altos, California, 4iQ was founded in 2016.

Cynthia Murrell, October 29, 2019

DarkCyber for August 20, 2019, Now Available

August 20, 2019

DarkCyber for August 20, 2019, is now available at www.arnoldit.com/wordpress and on Vimeo at https://www.vimeo.com/354476523 .
The program is a production of Stephen E Arnold. It is the only weekly video news shows focusing on the Dark Web, cybercrime, and lesser known Internet services.

The story line up this week includes a feature about Anduril Technologies’ surveillance system for border monitoring. The show also includes a critique of a public report about robocalling and a comment about the increasingly loud calls for backdoors to mobile phones and encrypted messages by law enforcement in the US and other countries.

The feature story this week is about Anduril Industries, the company which is developing systems for the Department of Defense’s Project Maven. The company was founded in 2017 by Palmer Luckey. After creating the virtual reality product Oculus Rift, Luckey sold the company to Facebook. He then founded Anduril to develop next generation surveillance products and systems. His clients include US government agencies like the Department of Homeland Security. Anduril’s innovations allow software to monitor, analyze, and make decisions. These decisions can be taken without human involved, take place automatically, or employ human-machine interactions. The system can process data from digital cameras and specialized devices. These data are then federated and analyzed by the firm’s proprietary algorithms. The system can, for example, identify a herd of cattle as well as a group of people approaching a border. Anduril, however, is able to differentiate between the animals and the humans. If detection occurs at an Anduril monitoring tower, Anduril drones can also scan the area. If multiple Anduril drones are deployed in the area in which the anomaly was detected, the resolution of the system increases. In effect, Anduril has developed a way for surveillance to deliver detection, analysis, and increased resolution. An operator can immerse himself or herself in a virtual reality presentation of what the drones and the monitoring devices “see”. Anduril’s approach to US government work stands in direct contrast to that of Google. Google refused to work on Project Maven yet funded an educational artificial intelligence center in mainland China. Anduril welcomes US government work. One of the investors in Anduril suggested that Google’s attitude toward the US government could be interpreted as treasonous.

Two other stories round out this week’s episode.

Law enforcement agencies in the US and other Five Eyes member countries continue their call for a way for government agencies to access devices and messages by persons of interest. The “growing dark” problem in the US made headlines. Law enforcement investigating the Dayton, Ohio, killings have been unable to access the alleged shooter’s mobile phone data. DarkCyber anticipates increasingly loud calls for legislation to make it mandatory for technology companies to cooperate with law enforcement when courts permit access to mobile devices.

DarkCyber calls attention to an article which provides a road map for an individual who wants to run a robocall operation. The details of the method are reviewed. Plus, DarkCyber names two services which allow a robocall spammer to set up an operation with a few clicks online. One of these services includes a “press one feature” which allows the robocaller to charge the individual who happens to answer the telephone. DarkCyber finds these types of “how to” articles somewhat troubling. The information may encourage some individuals to launch a robocall business and runs scams anonymously.

A new multi part series about Amazon policeware initiative begins on November 5, 2019. DarkCyber programs are available on Vimeo.com and YouTube.com.

Note that DarkCyber will begin a new series of programs on November 5, 2019. The current series or “season” ends on August 27, 2019. We are developing the new series now. It’s about everyone favorite online bookstore with an emphasis on policeware and intelware.

Kenny Toth, August 20, 2019

Cyber Security and Its Soft Underbelly

August 18, 2019

DarkCyber found “We Asked Def Con Attendees Why People Are Still Getting Hacked” quite interesting. The write up presents information from different individuals and sources about the surprising ineffectiveness of cyber security. Significant money, dozens of start ups, and some mouth watering marketing have been generated. But the big question, “Why are people still getting hacked?” remains perched on a power line like a digital bird of prey.

Here are a couple of statements from the write up which DarkCyber finds interesting:

As the [cyber security] industry matures, it’s becoming clear that it must be held accountable for a lack of diversity and a sometimes toxic and misogynistic culture.

This theme does sound familiar. Perhaps the opportunity to make money and do some “real coding” is in a business sector where the investment dollars are flowing and the personal payoffs are possibly higher.

Why are people getting hacked? DarkCyber noted a couple of points which are difficult to deflect:

  1. People will always get hacked. This answer to the question is the digital equivalent of “just because.”
  2. People are the weak link: Loose lips, friends, being human. This answer to the question is related to “just because.”
  3. People don’t update their systems. Yep, humans again.

What’s the fix? Teach those humans what to do.

Perhaps a better question is, “What’s the business sector with more potential for a coder who is not interested is displaying pizza joint icons on a mobile map?”

The answer is cyber security. The write up explains the answer this way:

There’s more money pouring into cybersecurity than ever, but we continue to see high-profile (and devastating) hacks. At the same time, cybersecurity as an industry is no longer made up of lone coders and small, grey-hat hacking groups; it’s a gigantic industry with startups worth billions of dollars.

Is it possible that the incentive to “fix” cyber security is that there is easy money, fearful customers, and uncertain outcomes for those breached.

FUD worked for IBM, and it may be working for the cyber security sector today and it may be the horse to back in the race to big paydays tomorrow.

But those pesky humans—still a problem.

Stephen E Arnold, August 18, 2019

DarkCyber for August 6, 2019, Now Available

August 6, 2019

DarkCyber for August 6, 2019, is now available at www.arnoldit.com/wordpress and on Vimeo at https://www.vimeo.com/351872293. The program is a production of Stephen E Arnold. It is the only weekly video news shows focusing on the Dark Web, cybercrime, and lesser known Internet services.

DarkCyber (August 6, 2019) explores reports about four high-profile leaks of confidential or secret information. Each “leak” has unique attributes, and some leaks may be nothing more than attempts to generate publicity, cause embarrassment to a firm, or a clever repurposing of publicly available but little known information. Lockheed Martin made available in a blog about automobiles data related to its innovative propulsion system. The fusion approach is better suited to military applications. The audience for the “leak” may be US government officials. The second leak explains that the breach of a Russian contractor providing technical services to the Russian government may be politically-motivated. The information could be part of an effort to criticize Vladimir Putin. The third example is the disclosure of “secret” Palantir Technologies’ documents. This information may create friction for the rumored Palantir INITIAL PUBLIC OFFERING. The final secret is the startling but unverified assertion that the NSO Group, an Israeli cyber security firm, can compromise the security of major cloud providers like Amazon and Apple, among others. The DarkCyber conclusion from this spate of “leak” stories is that the motivations for each leak are different. In short, leaking secrets may be political, personal, or just marketing.

Other stories in this week’s DarkCyber include:

A report about Kazakhstan stepped up surveillance activities. Monitoring of mobile devices in underway in the capital city. DarkCyber reports that the system may be deployed to other Kazakh cities. The approach appears to be influenced by China’s methods; namely, installing malware on mobile devices and manipulating Internet routing.

DarkCyber explains that F Secure offers a free service to individuals who want to know about their personal information. The Data Discovery Portal makes it possible for a person to plug in an email. The system will then display some of the personal information major online services have in their database about that person.

DarkCyber’s final story points out that online drug merchants are using old-school identity verification methods. With postal services intercepting a larger number of drug packages sent via the mail, physical hand offs of the contraband are necessary. The method used relies on the serial number on currency. When the recipient provides the number, the “drug mule” verifies that number on a printed bank note.

DarkCyber videos appears each week through the September 30, 2019. A new series of videos will begin on November 1, 2019. Programs are available on Vimeo.com and YouTube.com.

Kenny Toth, August 6, 2019

Capital One and Surprising Consequences

August 4, 2019

DarkCyber noted the ZDNet article “GitHub Sued for Aiding Hacking in Capital One Breach.” According to the “real news” outfit:

While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted some of the stolen information on the code-sharing site.

Github (now owned by Microsoft) allegedly failed to detect the stolen data. Github did not block the posting of Social Security numbers. These follow a specific pattern. Many text parsing methods identify and index the pattern and link the number to other data objects.

What law did Github violate? Management lapses are not usually the stuff that makes for a good legal drama, at least on “Law and Order” reruns. The write up reports:

The lawsuit alleges that by allowing the hacker to store information on its servers, GitHub violated the federal Wiretap Act.

DarkCyber thanks ZDNet for including a link to the complaint.

Lawyers, gotta love ‘em because we have a former Amazon employee, a financial institution with a remarkable track record of security issues, and a company owned by Microsoft. What about the people affected? Oh, them. What if Github is “guilty”? Perhaps a new chapter in open source and public posting sites begins?

Stephen E Arnold, August 4, 2019

Capital One, Amazon, Cats, and the Common Infrastructure Play

July 31, 2019

I read “Hacking Suspect Acted Oddly Online.” (Note: the online story is paywalled by Rupert Murdoch. You may  be able to get a peek at the dead tree version of this story in the Wall Street Journal for July 31, 2019.) Yep, Internet cat angle, self incrimination, and public content dissemination. That’s a plot hook which may make a great Lifetime or Netflix program. Amazon is likely to pass on funding the film version of this now familiar story.

Here’s the plot:

There’s the distraught financial institution, in this case, the lovable Capital One. This is the outfit known for “what’s in your pocket”? Good question. The financial outfit teamed up with Amazon in 2015, and according to the “real news” outfit:

In 2015, Capital One Chief Information Officer Rob Alexander said, “The financial services industry attracts some of the worst cyber criminals. So we worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our own data centers.”

That sounds darned good, but data affecting about 100 million people was breached. That number has not been verified to my satisfaction, and DarkCyber awaits additional data. But 100 million is a good enough number for the story.

Next we have a protagonist with some employment history at Amazon. Remember that this is the cloud service which was in the chain of data compromise. But — and this is important — Amazon was not at fault. The security problem was a is configured bit of “infrastructure.” Plus, the infrastructure which was the point of weakness is “common to both cloud and on premises data center environments.”

The story ends with a suspect. If the program becomes a mini series, we will follow the protagonist with empathy for cats through a trial, and perhaps a variation on the story weaving of “Orange Is the New Black.”

What’s missing from the analysis in the “real news” outlets? Here in Harrod’s Creek, Kentucky, we think of Amazon as an outfit with nifty white Mercedes Benz vans and fast moving van drivers.

But a couple of the pundits lounging in the convenience story / tavern floated some ideas:

  1. Why is Amazon not providing a system to address misconfiguration? It seems that 100 million people are now aware of this dropped ball.
  2. Why is an Amazon person, presumably with Amazon expertise, behaving in a manner that appears problematic? If the person was hired, what’s the flaw in the Amazon hiring process? If the person was terminated for a germane reason, why was the person not given appropriate “support” to make the transition from Amazonian to a person with unusual online activities? How does Amazon prevent information from being used by a former employee? What can be improved? Are there other former Amazon employees who are able to behave in an allegedly problematic way?
  3. Why is the problem “common” to use Capital One’s alleged word quoted in the WSJ story? There are dozens upon dozens of firms which are marketing themselves as cyber safeguard providers. Are these services used by Amazon, or is Amazon relying on home grown solutions. There are indeed Amazon’s own security tools. But are these findable, usable, reliable, and efficacious? Security may be lost in the thicket of proliferating Amazon products, services, and features. In effect, is it possible that Amazon is not doing enough to prevent such security lapses associated closely with its cloud solutions.

Stepping back, let’s think about this incident in a cinematic way:

  1. A giant company offering services which are so complex that problems are likely to result from component interactions, blundering customers, and former employees with a behavior quirk.
  2. A financial services firm confident of its technical competence. (Note that this financial firm with a previous compliance allegation which seemed to pivot on money laundering and ended with a $100 million fine. See “Compliance Weaknesses Cost Capital One $100M”, October 23, 2018. You will have to pay to view this allegedly accurate write up.
  3. A protagonist who seemed to send up distress flags via online communication channels.

What’s the big story?

Maybe there’s a “heart of darkness” with regard to security within the Amazon jungle.

To which jungle was Joseph Conrad, author of the “Heart of Darkness” referring?

“Nowhere did we stop long enough to get a particularized impression, but the general sense of vague and oppressive wonder grew upon me. It was like a weary pilgrimage amongst hints for nightmares.”

Psychological, digital, or financial? With the JEDI contract award fast approaching, will the procurement officials interpret the Capital One breach as a glimpse of the future. Maybe Oracle is correct in its view of Amazon?

Stephen E Arnold, July 31, 2019

Next Page »

  • Archives

  • Recent Posts

  • Meta