CyberOSINT banner

Money Laundering: Digital Currency or Old Fashioned Methods?

November 27, 2015

Online is zeros and ones. I worked for a number of years for a fellow with lots of money who explained, “Money is information.” He was mostly correct. However, in the world of big time money laundering, online does not yet have the NFL lineman muscles to do the entire job of keeping financial transactions secret.

The challenge with digital currencies boils down to a search and retrieval problem. Actionable information is embedded in transaction data. Bad actors may not be Bitcoin fans for certain types of unregulated cash transfer tasks.

Navigate to “‘White Gloves,’ ‘VIP Boxes:’ How It’s Done at China’s Underground Banks,” which does a good job of explaining how more traditional money laundering is handled. Bitcoin is okay for moving assets if one has the time, the operational security, and expertise to make the system work.

For folks with JP Morgan-style funds, something more robust and reliable may be needed. Oh, the ability to keep the activity hard to find, hidden from regulators and tax authorities, and reliable is important.

The article states:

In one case Xinhua highlighted this week, state investigators accused a longtime general manager, surnamed Dai, in a state-owned engineering company, Beijing-based China Harbour Engineering, of helping to move $3 million of corruption-tainted gains via a Chinese underground bank onshore. The underground bank used a technique that regulators called an “audit hedge,” essentially depositing 18 million yuan in Mr. Dai’s onshore account in exchange for an equivalent amount of foreign exchange placed in the underground bank’s offshore account. No money crosses the border physically or electronically, making the transaction almost perfectly undetectable — hence “a hedge against audits.”

Another method is an old fave: Shell accounts. The article stated:

In Ningxia, a small northwestern region home to China’s Hui ethnic minority, criminal gangs in the provincial capital Yinchuan set up 12 trading shells that did nothing but generate false export data as a means to move money in or out of the country under the guise of legitimate corporate payments, according to Xinhua. Companies are allowed to move foreign exchange exceeding China’s $50,000 annual limit for legitimate purposes. Police found that the gangs marked the funds that moved through their shell accounts as “national export incentive awards” obtained from the Yinchuan City Bureau of Finance. Investigators alleged that the gangs used the scheme to defraud the Ningxia government since 2013 of export incentives worth 38.6 million yuan ($6 million). Export scams like these usually facilitate illegally moving funds onshore, rather than offshore. China controls foreign exchange coming onshore just as it does money trying to move offshore. The Ningxia case stemmed from 2013, when China was experiencing a high level of net capital inflows.

When will digital currencies facilitate money laundering on this supersized scale? Not surprisingly, verifiable data about the volume of money laundering via digital currencies is tough to obtain.

I would point out that old fashioned methods still have their use. Investigators, therefore, have to rely on useful software like Maltego and add ins and have the resources to dig out information the old fashioned way. This is not just feet on the street; it is humans pulling information threads.

Stephen E Arnold, November 27, 2015

IBM and Digital Piracy: Just Three Ways?

November 27, 2015

I read “Preventing Digital Piracy: 3 Ways to Use Big Data to Protect Content.” I love making complicated issues really easy. Remember the first version of the spreadsheet? Easy. Just get a terminal, wrangle the team to install LANPAR, and have at it. Easy as 1-2-3, which came after VisiCalc.

Ah, LANPAR. You remember that, right. I have fond memories of Language for Programming Arrays at Random, don’t you? I still think the approach embodied in that software was a heck of a lot more user friendly than filling in tiny rectangular areas with a No. 4 pencil and adding and subtracting columns using an adding machine.

IBM has cracked digital piracy by preventing it. Now I find that notion fascinating. On a recent trip, I noted that stolen software and movies were more difficult to find. However, a question or two of the helpful folks at a computer store in Cape Town revealed a number of tips for snagging digital content. One involved a visit to a storefront in a township. Magic. Downloaded stuff on a USB stick. Cheap, fast, unmonitored.

IBM’s solution involve streaming data. Okay, but maybe streaming for some content is not available; for example, a list of firms identified by an intelligence agency as “up and comers.”

IBM also wants me to build a real time feedback loop. That sounds great, but the angle is not rules. The IBM approach is social media. This fix also involves live streaming. Not too useful when the content is not designed to entertain.

The third step wants me to perform due diligence. I am okay with this, but then what? When I worked at a blue chip consulting firm, the teams provided specific recommendations. The due diligence is useless without informed, affordable options and the resources to implement, maintain, and tune the monitoring activity.

I am not sure what IBM expects me to do with these three steps. My initial reaction is that I would do what charm school at Booz, Allen taught decades ago; that is, figure out the problem, identify the options, and implement the approach that had the highest probability of resolving the issue. The job is not to generalize. Proper scope helps ensure success.

If I wanted to prevent digital privacy, I would look to companies which have sophisticated, automatable methods to identify and remediate issues.

IBM, for example, does not possess the functionality of a company like Terbium Labs. There are other innovators dealing with leaking data. I could use LANPAR to do certain types of spreadsheet work. But why? Forward looking solutions do more than offer trivial 1-2-3.

Stephen E Arnold, November 27, 2015

Insight into Hacking Team

November 25, 2015

Short honk: Curious about the world of exploits available to governments and other authorized entities? You may find “Metadata Investigation: Inside Hacking Team” interesting.” Keep in mind that “metadata” means indexes, entity extraction, and other controlled and uncontrolled data content. The report from Share Lab was online on November 23, 2015, when I last checked the link. I discuss Hacking Team and several other firms in my forthcoming monograph about the Dark Web.

Stephen E Arnold, November 25, 2015

Profile of the Equation Group

November 25, 2015

Short honk: I overlooked a link from one of the goslings from early 2015. The Kaspersky report about the Equation Group triggered some media commentary. The report, quite to my surprise, is still available online (or it was when I verified the link on November 23, 2015). If you are interested in information access using unconventional or at least not Emily Post approved methods, you can download “Equation Group: Questions and Answers”, Version 1.5 from Secure List.

Stephen E Arnold, November 25, 2015

Improper Information Access: A Way to Make Some Money

November 24, 2015

I read “Zerodium Revealed Prices” (original is in Russian). the main point of the write up is that exploits or hacks are available for a price. Some of these are attacks which may not be documented by the white hat folks who monitor the exploit and malware suburbs connected to the information highway.

The paragraph I noted explained what Zerodium will pay for a fresh, juicy exploit.


Here’s the explanation. Please, recognize that Russian, unlike one of my relative’s language skills, is not my go to language:

For a remote control access exploit which intercepts the victim’s computer through Safari or Microsoft’s browser company is willing to pay $ 50 000. A more sophisticated “entry point” is considered Chrome: for the attack through Zerodium pays $ 80,000. Zerodium will pay $5,000 for a vulnerability in WordPress, Joomla and Drupal. Breaking the TorBrowser can earn the programmer about $30.000… A remote exploit bypassing the protection Android or Windows Phone, will bring its author a $100,000. A working exploit of iOS will earn the developer $500,000.

Zerodium explains itself this way:

Zerodium is a privately held and venture backed startup, founded by cybersecurity veterans with unparalleled experience in advanced vulnerability research and exploitation. We’ve created
Zerodium to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.

The company’s logo is nifty too:


The purple OD emphasizes the zero day angle. Are exploits search and information access? Yep, they can be. Not advocating, just stating a fact.

Stephen E Arnold, November 24, 2015

The Art of Martec Content via a Renaissance Diagram

November 22, 2015

I love diagrams which explain content processing. I am ecstatic when a diagram explains information, artificial intelligence, and so much more. I feel as if I were a person from the Renaissance lowered into Nero’s house to see for the first time the frescos. Revelation. Perhaps this diagram points to a modern day Leonardo.

Navigate to “Marketing Data Technology: Making Sense of the Puzzle.” I admire the notion that marketing technology produces data. I love that tracking stuff, the spyware, the malware, and the rest of the goodies sales professionals use to craft their masterpieces. The idea that the data comprise a puzzle is a stroke of brilliance.

How does one convert data into a sale? Martec, marcom, or some other mar on one’s life?

Here’s the diagram. You can view a larger size at this link:

Marketing Data Technology Map

Notice the “space” is divided into four areas: discover, decide, activate, and automate. Notice that there are many functions in each area; for example, divide includes information delivery, insight real time, and marketing performance. Then notice that the diagram includes a complex diagram with a backbone, a data lake, the Web social media, and acronyms which mean nothing to me. There are like the artistic flourishes on the that hack’s paintings in the Sistine Chapel. The touches delight the eye, but no one cares about the details.

Now, I presume, you know how to make sense of the martec puzzle.

I find this type of diagram entertaining. I am not sure if it is a doodle or the Theory of Relativity for marketing professionals. Check out the original. I am still chuckling.

Stephen E Arnold, November 22, 2015

Billing and Meetings Remain Easier Than Usable Digital Systems

November 11, 2015

I have bumped against digital initiatives in government and industry a number of times. The experience and understanding I gained were indispensible. Do you remember the “paperless office”? The person attributed with creating this nifty bit of jargon was, if memory serves me, Harvey Poppel. I worked with the fellow who coined this term. He also built a piano. He became an investment wizard.

Later I met a person deeply involved with reducing paperwork in the US government. The fellow, an authoritative individual, ran an advertising and marketing company in Manhattan. I recall that he was proud of his work on implementing strategies to reduce dead tree paper in the US government. I am not sure what happened to him or his initiative. I know that he went on to name a new basketball arena, selecting a word in use as the name of a popular vitamin pill.

Then a mutual acquaintance explained the efforts of an expert who wrote a book about Federal digitalization. I enjoyed his anecdotes. I was, at the time, working as an advisor to a government unit involved in digital activities, but the outfit ran on paper. Without paper, the Lotus Notes system could not be relied upon to make the emails and information about the project available. The fix? Print the stuff on paper. The idea was to go digital, but the information highway was built on laser printer paper.

I thought about these interactions when I read “A Decade into a Project to Digitize U.S. Immigration Forms, Just 1 is Online.” (If the link is dead, please, contact the dead tree publisher, not me.)

According the article:

Heaving under mountains of paperwork, the government has spent more than $1 billion trying to replace its antiquated approach to managing immigration with a system of digitized records, online applications and a full suite of nearly 100 electronic forms. A decade in, all that officials have to show for the effort is a single form that’s now available for online applications and a single type of fee that immigrants pay electronically. The 94 other forms can be filed only with paper.

I am not surprised. The article uses the word “mismanaged” to describe the process upon which the development wheels would turn.

The write up included a quote to note:

“You’re going on 11 years into this project, they only have one form, and we’re still a paper-based agency,’’ said Kenneth Palinkas, former president of the union that represents employees at the immigration agency. “It’s a huge albatross around our necks.”

What’s interesting is that those involved seem to be trying very hard to implement a process which puts data in a database, displays information online, and reduces the need for paper, the stuff from dead trees.

The article suggests that one vendor (IBM) was involved in the process:

IBM had as many as 500 people at one time working on the project. But the company and agency clashed. Agency officials, for their part, held IBM responsible for much of the subsequent failure, documents show.

The company’s initial approach proved especially controversial. Known as “Waterfall,” this approach involved developing the system in relatively long, cascading phases, resulting in a years-long wait for a final product. Current and former federal officials acknowledged in interviews that this method of carrying out IT projects was considered outdated by 2008.

Several observations are warranted, but these are unlikely to be particularly life affirming:

  1. The management process is usually not focused on delivering a functioning system. The management process is designed to permit billing and cause meetings. The actual work appears to be cut off from these administrative targets of having something to do and sending invoices for services rendered.
  2. Like other interesting government projects such as the upgrading of the IRS or the air traffic control system, figuring out what to do and how to do it are sufficiently complex that everyone involved dives into details, political considerations, and briefings. Nothing much comes from these activities, but they constitute “work” so day to day, week to week, month to month, and year to year process becomes its own goal. The new system remains an abstraction.
  3. No one working on a government project, including government professionals and contractors, has responsibility to deliver a solution. Projects become a collection of fixes, which are often demonstrations of a small scale function. The idea that a comprehensive system will actually deliver a function results in software quite similar to the famous service.

I am tempted to mention other US government initiatives. I won’t. Shift to the United Kingdom. That country has been working on its National Health Service systems for many years. How similar have been the initiatives to improve usability, functionality, and various reductions. These have ranged from cost reduction to waiting time reduction.  The project is not that different from US government efforts.

What’s the fix?

Let me point out that digitization, computerization, and other Latinate nominatives are fated to remain in a state of incompletion. How can one finish when when the process, not the result, is the single most important objective.

I heard that some units of Angela Merkel’s government are now using traditional typewriters. Ah, progress.

Stephen E Arnold, November 11, 2015

Self Deception and Web Search

November 6, 2015

It never occurred to me that humans would fool themselves via Web search. I assumed falsely that an individual seeking information would obtain a knowledge pile by reading, conversation with others, and analysis. The idea of using a Web search to get smart never struck me as a good idea. Use of commercial databases to obtain information was a habit I formed at good old Booz, Allen & Hamilton. Ellen Shedlarz, the ace information professional, sort of tolerated my use of the then-expensive, tough to use online services. Favorites sources of information for me in the late 1970s were Compendex, ChemAbs, and my old favorite ABI INFORM.

Imagine my surprise when I read “Googling Stuff Can Cause us to Overestimate our Own Knowledge.” The write up reported:

The main takeaway message of this research is that when we’re called on to provide information without the internet’s help, we need to be aware that we might possess a false sense of security. The most obvious example of how we should apply this is in the run up to a school or university examination. If we only ever prepare for examinations with the internet on hand and don’t take closed book mock tests without the internet’s help, we might not realize until it is too late that information that we think is in our heads actually isn’t.

There you go. False confidence or the Google effect.

From my point of view, the issue is not confined to a particular Web search system. The assumption that anyone can get smart via a query, reading some documents, and answer a question is just one manifestation of entitlement.

The person seeking information assumes that his or her skills are up to the task of figuring out what’s correct, what’s baloney, and what’s important is a facet of the gold star mentality. Everyone gets a reward for going through the motions. Participate in a race. That’s the same as winning the race. Answer some multiple choice questions. That’s the same as working out a math problem in long hand.

Unfortunately it takes real work to learn something, understand it, and apply it to achieve a desired result.

Locating a restaurant via a voice search is nifty, but if the restaurant is a rat hole, one’s tummy may rebel.

Search and retrieval is work. Quick example.

In a casual conversation with a doctoral student, I mentioned the Dark Web.

The student told me, “Yes, I plan to dive into the Dark Web and maybe do a training program for executives.”

Good idea, but the person with whom I was speaking has some interesting characteristics:

  • No programming or technical expertise
  • No substantive background in security
  • No awareness of the risks associated with poking around in hidden Web sites.

However, the person has the entitlement quality. The assumption that an unfamiliar topic can be figured out quickly and easily. What could possibly go wrong?

One possibility: Accessing a Dark Web site operated by a law enforcement or intelligence entity.

As I asked, what could possibly go wrong?

Stephen E Arnold, November 6, 2015

Why Search May Be Doomed

November 4, 2015

Crafting a query takes mental effort. If the data in “Averatge US Teen Watches nearly Seven Hours of Media Daily” is accurate, mental effort may not be high on the list of US teens as they age.

With smart software poised to deliver information to a user without the user having to think, my hunch is that these folks will not be able to figure out what’s correct, what’s relevant, and what’s factual.

Great news for those in control of information streams. Bad news looms for other folks.

The write up reports:

Children ages 13 to 18 spend six hours and 40 minutes a day, on average, with screen-based media, with almost half of that taking place through mobile devices, the study found. On any given day, 18 percent of teens are using more than 10 hours of screen media, although some of those hours might take place at the same time – texting, for instance, while watching a television show.

On the bright side, there are many hours which teens are not sucking up digital media. I assume that the marketers will find a way to boost this six hour per day figure.

I noted this passage too:

Screen media is more often used for passive entertainment than for creative ventures, but this entertainment is highly fragmented, the study found.

Consolidation into monopolies may solve this problem. Great news for Amazon-, Apple-. and Google-type outfits. Marketers can target light users and readers in a push to get these digital duds into pure consuming mode.

Stephen E Arnold, November 4, 2015

SEC Cracks Down on News Release Interceptors

September 15, 2015

What’s better than a flash trade? I would suggest perusing news releases before the news releases are released. “SEC Takes $30m Pound of Flesh in Newswire-Hacking Scandal” reveals that the US Securities and Exchange Commission frowns on “trading on info swiped from press releases before they were made public.”

The write up reveals:

According to the SEC, two Ukrainian hackers compromised the wire services and then fed the stolen information to dozens of investors who made illegal (and highly lucrative) trades. The defendants are accused of violating the US Securities Act and the US Exchange Act.

Interesting. Will the SEC expand its crusade to ensure that news releases remain off limits to those who would exploit the financial system?

My hunch is that Martha Stewart type investigations and prosecutions are more appealing to some enforcement outfits. I have heard that there is a revolving door between certain financial outfits and US government positions. Chasing Ukrainians does not modify standard operating procedures. Do I have a pending folder named “hold ‘er”? I will check.

Stephen E Arnold, September 15, 2015

Next Page »