DarkCyber for April 6, 2021, Now Available

April 6, 2021

DarkCyber is a twice-a-month video news program about the Dark Web, cyber crime, and lesser known Internet services. You can view the program at this link.

This program covers five stories:

  1. Banjo, founded by a controversial figure, has been given an overhaul. There’s new management and a new name. The challenge? Turn the off tune Banjo into a sweet revenue song.
  2. The Dark Web is not a hot bed of innovation. In fact, it’s stagnant, and law enforcement has figured out its technology and is pursuing persons of interest. A “new” Dark Web-like datasphere is now emerging. Robust encrypted messaging apps allow bad actors to make deals, pay for goods and services, and locate fellow travelers more easily and quickly than ever before.
  3. User tracking is a generator of high value information. Some believe that user tracking is benign or nothing about which to worry. That’s not exactly the situation when third-party and primary data are gathered, cross-correlated, and analyzed. Finding an insider who can be compromised has never been easier.
  4. New cyber crime reports are flowing in the aftermath of the Solarwinds’ and Microsoft Exchange Server fiascos. What’s interesting that two of these reports reveal information which provides useful insight into what the bad actors did to compromise thousands of systems.
  5. The final story reports about the world’s first drone which makes it possible for law enforcement and intelligence operatives to conduct a video conference with a bad actor near the drone. The innovative device can also smash through tempered glass to gather information about persons of interest.

DarkCyber is produced by Stephen E Arnold. The program is a production of Beyond Search and Arnold Information Technology. Mr. Arnold is the author of CyberOSINT and The Dark Web Notebook. He will be lecturing at the 2021 National Cyber Crime Conference.

Kenny Toth, April 6, 2021

The Value of Threat Data: An Interesting Viewpoint

March 29, 2021

Security is not job one in the cyber security business. Making sales and applying technology to offensive cyber actions are more important. Over the past couple of decades, security for users of mainstream enterprise applications and operating systems has been a puppet show. No one wants to make these digital ecosystems too secure; otherwise, it would be more difficult, expensive, and slow to compromise these systems when used by adversaries. This is a viewpoint not widely known by some professionals, even those in the cyber security business. Don’t agree. That’s okay with me. I would invite those who take exception to reflect on the failure of modern cyber security systems, including threat intelligence systems, to prevent SolarWinds and Microsoft Exchange security breaches. Both are reasonably serious, and both illustrate the future of cyber operations for the foreseeable future. Just because the mainstream pundit-verse is not talking about these security breaches does not mean the problem is solved. It is not.

Threat Data Helps Enterprises Strengthen Security” describes a different point of view. I am not confident that the data in the write up have factored in the very loud signals from the SolarWinds and Microsoft Exchange missteps. Maybe “collapses” is a more appropriate word.

The write up states:

Benefits of threat data feeds include; adding unique data to better inform security (71 percent), increasing preventive blocking to ensure better defense (63 percent), reducing the mean time to detect and remediate an attack (55 percent), and reducing the time spent researching false positives (51 percent). On the downside 56 percent of respondents also say threat feeds deliver data that is often too voluminous or complex to provide timely and actionable intelligence.

Let’s consider these statements.

First, with regard to benefits, knowing about what exactly? The abject failure of the cyber security defenses for the SolarWinds and Microsoft Exchange problems did zero to prevent the attacks. Victims are not 100 percent sure that recently “sanitized” systems are free from backdoors and malware. The fact that more than half of those in the survey believe that getting threat intelligence is good says more about the power of marketing and the need to cyber security professionals to do something to demonstrate to their superiors that they are on the ball. Yeah, reading about Fullz on the Dark Web may be good for a meeting with the boss, but it does and did zero for the recent, global security lapses. Organizations are in a state of engineered vulnerability, and threat intelligence is not going to address that simple fact.

Next, what about the information in the threat feeds. Like the headlines in a supermarket tabloid or a TikTok video, titillation snags attention. The problem, however, is that despite the high powered systems from developers from Herliya to Mountain View, information flows generate a sense of false security.

A single person at FireEye noticed an anomaly. That single person poked around. What did that individual find: Something in a threat feed, a snappy graphic from a $100,000 visualization tool, or specific information about a malware attack? Nope, zippy items and factoids. Links to Dark Web sites add spice.

The write up says:

Each of the organizations surveyed faced an average of 28 cyber attacks in the past two years. On average, respondents say 38 percent of these attacks were not stopped because security teams lacked timely and actionable data. Respondents also report that 50 percent of all attacks can be stopped using timely and actionable intelligence.

SolarWinds went undetected for possibly longer than 18 months. Attacks one knows about are one thing. The painful reality of SolarWinds and Microsoft Exchange breaches are another. Marketing won’t make the reality different.

Stephen E Arnold, March 29, 2021

DarkCyber for March 23, 2021, Now Available

March 23, 2021

DarkCyber for March 23, 2021, is now available at this link.

The March 23, 2021, program contains four stories.

The feature is an interview with the director of GovWizely, Erik Arnold. A former Lycos and Vivisimo executive, Mr. Arnold was a principal researcher on a study about the SolarWinds’ breach. The client for this report was an investment firm. The focus, therefore, was different from the obfuscation and marketing reports generated by cyber security firms and consultants.

Some of the report’s more interesting finding are discussed in the video. A more comprehensive review of the SolarWinds’ breach will be provided on March 25, 2021. Mr. Arnold will conduct an informational webinar on March 25, 2021, at 11 am Eastern time. Registration is required, but there is not charge for the one hour program. You can sign up at https://www.govwizely.com/contact/.

Other stories in the March 23, 2021, program are:

  • A look at the management and credibility challenges the Microsoft Exchange Server security lapses create
  • How anyone can implement an email tracking function. Three commercial services are mentioned and a GitHub repository is provided for those who want to reuse open source surveillance and monitoring code
  • The Russian GROM. This is a weapons capable drone which has been upgraded to carry 10 mini-drones. Each mini-drone can perform kinetic (micro munition)  or reconnaissance functions. The 10 drones can function as a swarm, coordinated via artificial intelligence to adapt to changing battled conditions.

DarkCyber is a video news program published twice each month. The videos are available on YouTube. The video news program covers the Dark Web, cyber crime, and lesser known Internet services. The producer is Stephen E Arnold, publisher of Beyond Search which is available at www.arnoldit.com/wordpress.

Kenny Toth, March 23, 2021

Was Super Yacht Go a Digital Victim?

March 16, 2021

Modern yachts are connected to the Internet. I know very little about the specialized systems used to monitor these vessels. One interesting idea was articulated by eSysman Super Yachts via his YouTube video for March 12, 2021. You can view the program at this link. The point which snagged my attention was the observation that the boat’s controls behaved in an unusual manner. Furthermore, according to statements reported by media, the captain was unable to implement a manual override. When the helm’s instructions were not processed, no alarms sounded.  Consequently the captain had to decide whether to crash into a bridge or into a pier. The captain choose the pier. No one was injured and the boat can be repaired.

The key question: Have cyber criminals compromised super yachts’ computerized control systems?

No answers yet. But in the “wake” of SolarWinds and Exchange missteps, the possibility must be considered. Odysseus thought he had problems, but he was dealing with more tractable gods, not digital monsters.

Stephen E Arnold, March 16, 2021

Cybersecurity Giant Vendor Fail Is Official: No Easy Fix

March 15, 2021

The marketing claims were hot air, it seems. The New York Times reports “White House Weighs New Cybersecurity Approach after Failure to Detect Hacks.” Let me be clear. Organizations spending money for advanced, artificially intelligent, and proactive methods for dealing with cyber attacks face some difficult circumstances. First, the cash is gone. Second, the fix is neither quick nor easy. Third, boards of directors and those with oversight will ask difficult questions to which there are no reassuring answers; for example, “What information has been lost exactly?”

The answer: “No one knows.”

The NYT states:

… The hacks were detected long after they had begun not by any government agency but by private computer security firms.

Let’s be clear. The SolarWinds’ misstep was detected because a single human chased down an anomaly related to allowing access to a single mobile phone.

Several observations are warranted:

  1. Cybersecurity vendors have been peddling systems which don’t work
  2. Companies are licensing these systems and assuming that their data are protected. The assumption is flawed and reflects poorly on the managers making these decisions.
  3. The lack of information about the inherent flaws in the Microsoft software build and updating processes, the mechanisms for generating “on the fly” builds of open source enabled code, and the indifference of developers to verifying that library code is free from malicious manipulation underscores systemic failures.

Remediating the issue will take more than BrightTALK security videos, more than conference presentations filled with buzzwords and glittering generalities, and more than irresponsible executives chasing big paydays.

The failure in technical education coupled with the disastrous erosion of responsible engineering practices has created “intrusions.”

Yes, intrusions and other impacts as well.

Stephen E Arnold, March 15, 2021

DarkCyber for March 9, 2021, Now Available

March 9, 2021

This week’s DarkCyber is available on YouTube. The program includes two stories. The first is a summary of our SolarWinds’ research project. An investment firm commissioned a report to answer this question, “What are some companies that will benefit from the breach of SolarWinds’ Orion enterprise software?” The second story describes a loitering drone which has seen action in a recent hot fire skirmish.

The SolarWinds’ story comes at the breach of SolarWinds’ Orion product from a different angle. Most of the existing studies focus on what happened and what organizations are affected. Those reports fall into several broad categories: [1] Technobabble. These are explanations ignoring the obvious fact that non of the installed cyber security systems spotted the SolarWinds’ malware for more than six months, maybe more. [2] After action reports identifying issues with how SolarWinds and many other organizations software are assembled; for example, the use of open source libraries without making sure these libraries do not contain malware and managing basic security processes. [3] Academic / technical discussions of the specific types of malware used in the breach. (The reality is that the malware was based on existing exploits and used methods frequently discussed on hacker forums.)

In the course of our exploration of the hack, we learned that the existing, easily findable information provided a road map for the bad actors. Instead of lightning flashes of genius, the bad actors learned from a range of sources. We mention some of these in this video summary of portions of our research. Then we looked at SolarWinds itself. In this video summary, we provide a snapshot of the distraction factors at SolarWinds in the months leading up to the discovery of the breach. We identify the numerous balls SolarWinds’ executives were juggling. Obviously the firm’s security ball was fumbled by the juggler. The video summary identifies the types of commercial and open source software enabling the breach. One interesting finding is that Microsoft GitHub is the “home” for many useful tools. Some of these were likely to have facilitated certain functions added to existing malware. The final part of the video summary reveals the major findings of our research and analysis process.  A more comprehensive and detailed version of this summary will be presented to units of the US government in March. Some of the information will be provided to the attendees at the US 2021 National Cyber Crime Conference. The DarkCyber video summary, we believe, is useful.

There is no written report available to the public. However, if you want a comprehensive briefing about the report, please, write us at darkcyber333 at yandex dot com. There is a charge for the one hour Zoom briefing and a 30 minute question-and-answer session following the formal presentation.

The second story documents the steady advance of artificial intelligence deployed in autonomous kamikaze drones.

Kenny Toth, March 9, 2021

Telegram Appeals to Diverse Constituencies

February 25, 2021

Other than heated conflicts between US political parties, the recent coup happened because of the mass spread of conspiracy theories propagated by social media. Social media platforms, including YouTube, Facebook, Twitter, and Instagram, were used to communicate right wing extremist misinformation. In the past, it was difficult for bad acting extremists to pool their “knowledge” and meet liked minded individuals, but the Internet fixed that.

Many social media platforms kicked right wing extremists off their platform, because of crackdowns that followed post-coup. According to Vox’s article, “Why Right-Wing Extremists’ New Favorite Platform Is So Dangerous” the bad actors already found another tool to communicate. Telegram is a Dubai-based platform and only 2% of its users were US-based until the coup attempt. Now Telegram boasts 25 million new US users. Why do bad actors love Telegram?

“Telegram is currently the most downloaded app in the Google Play Store, having unseated Signal for the top spot in the United States. Telegram’s specific combination of features, however, make it especially popular among American right-wing extremists, who have joined the platform in droves after being kicked off of Twitter, Facebook, and Parler. The latter is another extremist favorite and was recently kicked off the internet, though it’s now back in a very limited form.”

Telegram has three components: private and public channels that only a limited number of people can follow, groups where up to 200,,000 can communicate, and Secret Chats-one-on-one encrypted conversations.

Some bad actors can reach larger groups to spread misinformation and they can do so anonymously. Telegram does not monitor its content, but after its been used to incite violence its developers did crackdown on some of the channels. Telegram is popular for another reason: It is a reasonably reliable app.

Since Telegram is not US-based it does not need to comply to the country’s standards, but we have heard that the company has a relationship with Mr. Putin’s telecommunications agency. Other countries may find it slightly more challenging to monitor.

Whitney Grace, February 25, 2021

DarkCyber for February 23, 2021 Is Now Available

February 23, 2021

DarkCyber, Series 3, Number 4 includes five stories. The first summarizes the value of an electronic game’s software. Think millions. The second explains that Lokinet is now operating under the brand Oxen. The idea is that the secure services’ offerings are “beefier.” The third story provides an example of how smaller cyber security startups can make valuable contributions in the post-SolarWinds’ era. The fourth story highlights a story about the US government’s getting close to an important security implementation, only to lose track of the mission. And the final story provides some drone dope about the use of unmanned aerial systems on Super Bowl Sunday as FBI agents monitored an FAA imposed no fly zone. You could download the video at this url after we uploaded it to YouTube.

But…

YouTube notified Stephen E Arnold that his interview with Robert David Steele, a former CIA professional, was removed from YouTube. The reason was “bullying.” Mr. Arnold is 76 or 77, and he talked with Mr. Steele about the Jeffrey Epstein allegations. Mr. Epstein was on the radar of Mr. Steele because the legal allegations were of interest to an international tribunal about human trafficking and child sex crime. Mr. Steele is a director of that tribunal. Bullying about a deceased person allegedly involved in a decades long criminal activity? What? 

What’s even more interesting is that the DarkCyber videos, which appear every 14 days focus on law enforcement, intelligence, and cyber crime issues. One law enforcement professional told Mr. Arnold after his Dark Web lecture at the National Cyber Crime Conference in 2020, you make it clear that investigators have to embrace new technology and not wait for budgets to accommodate more specialists.

Mr. Arnold told me that he did not click the bright red button wanting Google / YouTube to entertain an appeal. I am not certain about his reasoning, but I assume that Mr. Arnold, who was an advisor to the world’s largest online search system, was indifferent to the censorship. My perception is that Mr. Arnold recognizes that Alphabet, Google, and YouTube are overwhelmed with management challenges, struggling to figure out how to deal with copyright violations, hate content, and sexually related information. Furthermore, Alphabet, Google, and YouTube face persistent legal challenges, employee outcries about discrimination, and ageing systems and methods.

What does this mean? In early March 2021, we will announce other video services which will make the DarkCyber video programs available.

The DarkCyber team is composed of individuals who are not bullies. If anything, the group is more accurately characterized as researchers and analysts who prefer the libraries of days gone by to the zip zip world of thumbtypers, smart software, and censorship of content related to law enforcement and intelligence professionals.

Mr. Arnold was discussing online clickfraud at lunch next week. Would that make an interesting subject for a DarkCyber story? With two firms controlling more than two thirds of the online advertising, click fraud is a hot potato topic. How does it happen? What’s done to prevent it? What’s the cost to the advertisers? What are the legal consequences of the activity?

Kenny Toth, February 23, 2021

Come On, Man: Hackers Seeking Legal Immunity

February 3, 2021

The hacking industry is thriving and there are companies labeled private sector offensive actors (PSOAs) selling cyberweapons enabling their customers to become hackers. PSOAs are nasty bad actor groups and they are trying to gain legal immunity to avoid criminal charges. Microsoft has more details in the story, “Cyber Mercenaries Don’t Deserve Immunity.”

One of these PSOAs trying to gain legal immunity is the NSO Group. The NSO Group sells cyberweapons to governments and the company argues its afforded the same legal immunity as its customers. Microsoft President Brad Smith stated the NSO Group’s business model is dangerous. It would allow other PSOAs to skirt laws and avoid any repercussions from their cyberweapons.

The biggest worry is that PSOAs’ technology could fall into the wrong hands and be used for nefarious deeds. Another worry is that if the NSO Group is granted sovereign immunity their actions will be profit driven rather than for the common good:

“Second, private-sector companies creating these weapons are not subject to the same constraints as governments. Many governments with offensive cyber capabilities are subject to international laws, diplomatic consequences and the need to protect their own citizens and economic interests from the indiscriminate use of these weapons. Additionally, some governments – like the United States – may share high-consequence vulnerabilities they discover with impacted technology providers so the providers can patch the vulnerability and protect their customers. Private actors like the NSO Group are only incented to keep these vulnerabilities to themselves so they can profit from them, and the exploits they create are constantly recycled by governments and cybercriminals once they get into the wild.”

Human rights are another concern, because governments run by bad actors can use the cyberweapons to harm their citizens. Anyone who fights for human rights could be tracked and have their information stolen. This could ultimately lead to their deaths.

The NSO Group and PSOAs must be held to the same standards as other private companies. If their products are used by bad actors with the PSOAs’ knowledge they must be held liable.

Whitney Grace, February 3, 2021

DarkCyber for January 26, 2021, Now Available

January 26, 2021

DarkCyber is a twice-a-month video news program. The stories cover cyber crime, lesser known Internet services, and online. The feature in the January 26, 2021, program is a conversation between Ric Manning, a former Gannett technology columnist and author, and Stephen E Arnold, author of CyberOSINT: Next Generation Information Access. Arnold and Manning talk about the online implications of deplatforming users. Manning points out that protections extended to online platforms free the managers from the constraints in which other media are enmeshed. Arnold points out that government involvement is likely to take place and have significant unforeseen consequences.

Others stories in this program are the deanonymization of digital currency users, a book of algorithms selected for their usefulness in intelligence analysis, and our mini-feature about drones. This week, learn about the flying ginsu knife.

You can view the video at www.arnoldit.com/wordpress or at this url on YouTube.

Kenny Toth, January 26, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta