Encryption and Decryption: A Difficult Global Problem

January 10, 2018

I read “FBI’s Wray Calls for Significant Innovation’ in Accessing Encrypted Data.” The story echoed a statement which appeared in one of the technical product sheets from a company few people reading generalized online content have heard about.

The firm is Shoghi, and it is based in India. The main business of the firm is designing and licensing hardware and software for military and law enforcement use. The company can acquire data from a range of sources, including undersea cables. In the company’s description of its https intercept service, I noted this statement:

“Interception of this secure HTTPS traffic is possible at various point but it is normally not possible to achieve the decryption of the HTTPS traffic due to the secrecy algorithms used for encryption of the data.”

HTTPS poses a challenge. Encrypted hardware poses a problem. The volume of data continues to increase.

When a major lawful intercept company is quite explicit about the difference between intercept (capture) and being able to “read” the information, the problem is not confined to the US. Shoghi has as customers more than 65 countries and, it appears, each has the same problem.

Jumping back to the Fox story and Mr. Wray’s call for innovation, I want to point out that:

  1. The problem is not just the FBI’s; it is a problem for many authorities
  2. The “weakening” of the Internet is a powerful argument; however, as the fabric of security continues to fray from insider and outsider activities continues to capture headlines, the Internet has not become weak. The Internet is what it was designed to be: Robust in delivering packets and weak in terms of inherent security.
  3. The technical innovation referenced in the write up is what Shoghi wants its licensees to do: Figure out how to make sense of the captured data.
  4. The solution may reside with specialist firms which have developed technologies which perform date and time stamp analysis, clustering, digital fingerprinting of handles (user names), link analyses, and other text processing methods.

To sum up, Mr. Wray has identified a problem. Keep in mind that it is one that exists for countries other than the US. From my point of view, identifying specialists with non-intuitive ways of approaching the encryption problem warrant additional funding in the efforts to crack this “problem.”

My Dark Web Notebook team has compiled a list of companies with orthogonal approaches. We do make this information available on a fee basis. If you are interested, write benkent2020 at yahoo dot com for more information. Also, the January 23, 2018 “Dark Cyber” video includes a segment about the encryption problem for lawful intercept and surveillance vendors.

Stephen E Arnold, January 10, 2018

Machine Learning Becomes Major Battle Ground

December 14, 2017

It has been known for a while that machine learning is the next great platform for tech visionaries to master. While this ground level opportunity gives many a chance to make a mark, the big names in tech are catching up quick. We got a hint about this competition from the recent Recorded Future press release, “Recorded Future Expands Automated Threat Intelligence Solution With Analyst-Originated Intelligence.”

According to the story:

By adding current and finished threat intelligence to the broadest compilation of machine learning and natural language processing generated intelligence, only Recorded Future can provide organizations with the relevant expert insights and analysis they need for operational improvements and targeted risk reduction.

 

This new analyst-originated information provides customers with access to new insight as well as additional third-party intelligence research on threat actors, vulnerabilities, malware, and other indicators of compromise (IOCs). It is available in multiple formats to suit the diverse needs of customers.

Recorded Future has a bright future, no doubt about it. But we’d be leery of putting all our money on this horse. At this very moment, Amazon is gearing up to get a serious foothold in the world of machine learning. Seeing the merchandising giant getting into this arena is a terrifying threat to any startup. Be on the lookout.

Patrick Roland, December 14, 2017

Instant Messaging Security Is Becoming a Serious Issue

November 29, 2017

It might sound like a problem from twenty years ago, but the security of instant messages is a serious concern. We didn’t even know it was a thing, but once we started digging—yikes. We started this journey with the Make Use Of article, “Signal Desktop Brings Secure Messaging to Your PC.”

According to the story:

Signal, the messaging app which values privacy above all else, now has a standalone desktop app. Signal Desktop, which is available for Windows, MacOS, and Linux, replaces the Signal Chrome app. The app itself isn’t very different, but having a dedicated desktop offering is always welcome.

 

While most of the big messaging apps are starting to take your privacy seriously, Signal has made this its number one priority. This has made it popular with people for whom privacy is of the utmost importance, such as politicians and journalists. All of whom can now use Signal Desktop.

Sounds like Signal is hitting the desktop market just in time. A recent study found that doctors are sharing sensitive patient information via instant messaging software. Whoa. If anything should be secure, it’s that. Let’s hope they get onboard soon.

Patrick Roland, November 29, 2017

Experts Desperately Seeking the Secret to Big Data Security

November 28, 2017

As machine learning and AI becomes a more prevalent factor in our day-to-day life, the daily risk of a security breach threatens. This is a major concern for AI experts and you should be concerned too. We learned how scary the fight feels from a recent Tech Target article, “Machine Learning’s Training is Security Vulnerable.”

According to the story:

To tune machine learning algorithms, developers often turn to the internet for training data — it is, after all, a virtual treasure trove of the stuff. Open APIs from Twitter and Reddit, for example, are popular training data resources. Developers scrub them of problematic content and language, but the data-cleansing techniques are no match for the methods used by adversarial actors…

What could solve that risk? Some experts have been proposing a very interesting solution: a global security framework. While this seems like a great way to roadblock hackers, it may also pose a threat. As the Tech Target piece states, hacking technology usually moves at the same speed as a normal tech. So, a global security framework would look like a mighty tempting prize for hackers looking to cause global chaos. Proceed with caution!

Patrick Roland, November 28, 2017

AIs Newest Hurdle Happens When the Machines Hallucinate

November 27, 2017

Artificial Intelligence has long been thought of as an answer to airport security and other areas. The idea of intelligent machines finding the bad guys is a good one in theory. But what if the machines aren’t as clever as we think? A stunning new article in The Verge, “Google’s AI Thinks This Turtle is a Gun and That’s a Problem,” made us sit up and take notice.

As you can guess by the title, Google’s AI made a huge flub recently:

This 3D-printed turtle is an example of what’s known as an “adversarial image.” In the AI world, these are pictures engineered to trick machine vision software, incorporating special patterns that make AI systems flip out. Think of them as optical illusions for computers. You can make adversarial glasses that trick facial recognition systems into thinking you’re someone else, or can apply an adversarial pattern to a picture as a layer of near-invisible static. Humans won’t spot the difference, but to an AI it means that panda has suddenly turned into a pickup truck.

This adversarial image news is especially concerning when you consider how quickly airports are implementing this technology. Dubai International airport is already using self-driving carts for luggage. It’s only a matter of time until security screening goes the same way. You’d best hope they iron out adversarial image issues before we do.

Patrick Roland, November 27, 2017

Amazon: The New Old AT&T

November 22, 2017

I read “AWS Launches a Secret Region for the U.S. Intelligence Community.” The write up does a reasonable job of explaining that Amazon has become a feisty pup in the Big Dog in the upscale Potomac Fever Kennels.

The main idea, as I understand it, is that Amazon is offering online services tailored to agencies with requirements for extra security. Google is trying to play in this dog park as well, but Amazon seems to have the moxie to make headway.

I would point out that there are some facets to the story which a “real” journalist or a curious investor may want to explore; specifically:

  • AT&T of Ashburn fame may be feeling that the attitude of the Amazon youthful puppy AWS is bad news. AT&T with its attention focused on the bright lights of big media may be unable to deal with Amazon’s speed, agility, and reflexes. If this is accurate, this seemingly innocuous announcement with terms like “air gap” may presage a change in the fortunes of AT&T.
  • IBM Federal Systems, the traffic disaster in Gaithersburg, may feel the pinch as well. What happens if the young pup begins to take kibble from that Beltway player? A few acquisitions here and few acquisitions there and suddenly Amazon can have its way because the others in the kennel know that an alpha dog with tech savvy can be a problem?
  • The consulting environment may also change. For decades, outfits like my former employer, the Boozer, have geared up to bathe, groom, and keep healthy the old school online giants like AT&T, Verizon, et al. Now new skills sets may be required for the possible Big Dog. Where will Amazon “experts” come from? Like right now, gentle reader.

In short, this article states facts. But like many “real” news stories, there are deeper and possibly quite significant changes taking place. I wonder if anyone cares about these downstream changes.

Leftover telecom turkey anyone?

Stephen E Arnold, November 22, 2017

Ichan Makes It Easier to Access the Dark Web

November 17, 2017

A new search engine for the Dark Web may make that shady side of the Internet accessible to more people. A piece at DarkWebNews introduces us to “Ichidan: A New Darknet Search Engine.” Writer Richard tells us:

Ichidan is a brand new darknet search engine platform that lets users search and access Tor-powered ‘.onion’ sites. The format and interface of the platform bear much similitude with the conventional search engines like Bing and Google. However, the darknet search engine has been designed with an entirely different purpose. While Google was created with the aim of collecting user information and analyzing the behavior across several platforms, Ichidan specifically aims to render selfless services to the users who access the darknet and are looking for some particular Tor site to get the necessary information. Owing to its simplicity and ease of use, the darknet search engine has now managed to be an incredibly helpful tool for individuals using the dark web. Security research professionals, for instance, are quite happy with the services of this new darknet search engine.

The article notes that one way to use Ichan seems to be to pinpoint security vulnerabilities on Dark Web sites. A side effect of the platform’s rise is, perhaps ironically, its revelation that the number of Dark Web marketplaces has shrunk dramatically. Perhaps the Dark Web is no longer such a good place for criminals to do business as it once was.

Cynthia Murrell, November 17, 2017

More .NET Spying Issues

November 7, 2017

George Orwell, like many science fiction authors, imagined dystopian futures, but also the possibility of grander technology.  In his quintessential novel 1984, Orwell discussed the consequences of a society controlled by completely by the government and how an advanced spy network allowed the entity to do so.  While Orwell imagined this future, he probably could not conceive of how the technology would actually work.

Today we do and many consumers are victims of spying.

Technology companies state that the spying is unintentional, but do we really believe that?  Gitbhub had a post titled, “.NET Core Should Not Spy On Users By Default”  The .NET Core is a set of tools Microsoft developed and Microsoft has a history of spying on their users.  Remember how Windows 10 spied on users?  A Microsoft representative posted that the default spying protocol is actually a good thing, because

The data we collect does not identify individual users. We’re only interested in aggregate data that we can use to identify trends. The telemetry feature is configurable, so you can turn it on/off at any time. It is also scoped, only applying to tools usage, not the rest of the product. We think that this is a good trade-off and recognize that not everyone will like it. We do know, however, that many people will like the product improvements that will come from this insight.

Spying is spying, whether the data cannot be identified.  Also everything digital leaves a footprint somehow, so the representative is more than likely misspeaking (using double think?).  The spying option should never be a default unless an advisory is given to users and they allow it.  At least, Apple does it with all of their users.

Whitney Grace, November 7, 2017

Online Fraud: Loophole, Soft Freeze, Hard Freeze, or Just Business in 2017?

October 19, 2017

Consumer Alert: A credit freeze may not do what one expects.

After the Equifax data loss, I promptly put a credit freeze on my unwanted “credit rating” accounts.

As you know, a consumer (even one who writes books about online fraud and lectures to law enforcement and intelligence professionals) has zero choice with regard to dealing with Equifax, Transunion, and Experian. I thought the credit freeze meant that my personal financial information would not be released to third parties.

I learned from a cheerful person named Kelly Lurz, who presumed to write me a personal and confidential email, that there is a “hard” freeze of credit information and a “soft” freeze of credit information. I did not know that. In fact, after freezing the release of my credit details, none of the documentation I received from Equifax, Transunion, and Experian used this terminology. Quite an oversight in light of the security issues related to personal credit information.

Let me share the personal email with you, gentle reader. I received this email from an outfit doing business as Pearl Solutions, an automotive technology innovator. You can find out about this marketing company at this link. Kelly Lurz does not work at Pearl. She did know enough to tell me that she was not the sender of the “personal” email to my business email address. She was, in retrospect, quite a font of information with the hard and soft freeze data and the ability to shift the blame to an outfit named Pearl, the automotive technology innovator.

image

First, the email has as Volvo logo. My last interaction with the Volvo dealer in Louisville was an unpleasant one, a fact I communicated when I received a $900 invoice for an annual service check. The Volvo dealer just smiled and said, “That’s what it costs.” Now this outfit wants to buy or lease another Volvo? I don’t think so.

Second, the email is sending me a “personal” note and wants to make a “private” offer. In this era of online fraud, fake news, and general duplicity—I am going to get a personal note sent to me from noreply@pearlsolutions.com. What? Personal, private, pearl? This hit me like those Backpage.com ad for personal services we have analyzed in the course of our research for CyberOSINT and the Dark Web Notebook.

Third, the letter is signed by the aforementioned “Kelly Lurz.” I called Ms. Lurz, and she informed me that I was on a list, the letter really was not “personal,” was not “private”, and was nothing more than a pitch to dump my 18 month old automobile and move into a brand new Volvo. Well, a letter using the terms “personal” and “private” from a person named Kelly Lurz (a female, by the way, judging from her voice and LinkedIn page) struck me as stupid and perilously close to harassment of a 74 year old male who is quite happy with his automobile.

Fourth—and this is the big issue, even bigger than harassment-type terminology—is the logo of Experian, one of the credit agencies whose data I froze by providing proof of my identity and paying money for the aggregator to keep my information private. (I did not choose to give Experian my information; Experian collected the information and now charges me to keep it private. Nice business model because of the hard and soft freeze distinction.) Obviously the PIN number, the information about paying money to make my credit information available, and the new approach to security were confections, mere fabrications, digital illusions designed to create a new cash stream for the credit agencies.

Let me come back to Ms. Lurz’s explanation of the “hard freeze” and a “soft freeze.” Her company, a car dealer in Louisville, was using the “soft freeze” data and was, therefore, breaking no laws. Her LinkedIn profile suggests that she has a degree in elementary education, not law. She also has a degree in biology. That’s interesting, but not directly germane to understanding the bright white lines of financial regulations. I guess I am old fashioned but dissecting a frog falls short of the standard for interpretation of statutes.

With some forcefulness in her verbal statements to me, she told me that she knew I had a Mercedes and only “wanted to offer me an opportunity” to buy a new Volvo. Right, but she knew my business email, my financial status, the type of vehicle my wife drives, and where I lived. Right. A soft freeze.

But the email was Pearl’s not hers and not the Louisville Volvo dealership. As a direct result of here unwillingness to accept responsibility for using my personal information to sell me a car I do not want, I poked into Pearl, the automotive technology innovator. (I liked that catchphrase for a company engaged in the use of personal information to sell cars.)

I called the 800 number of Pearl, the automotive technology innovator, and went to a voice recording. I left a message with whoever the operator connected me to to the effect that I was going to write about this use of personal informati0n and include the email in my next lecture to law enforcement and intelligence professionals. The reason is that the confidential information about me is in the possession of: Volvo (see the letter), Kelly Lurz (sales person), Pearl, and Experian. So much for control.

At 640 pm Eastern on October 17, 2017, I received a phone call from an alleged Pearl employee. I pointed out that I was eating dinner. The Pearl professional sounded eager to speak with me, so I left the dinner group and spoke with the Pearl professional who represented the innovator in automotive technology. On a napkin, I noted these points conveyed by the Pearl professional:

  1. What Pearl is doing with financial data is legal. Furthermore, the Pearl professional promised to mail me the pertinent regulations. (Yes, Pearl has access to my email, but the promised information has not arrived.)
  2. The Pearl professional told me that I should really be talking to Experian because Pearl was not responsible for the information in the email.
  3. The Pearl professional told me that Ms. Lurz did not have access to information about the type of vehicle I had nor how I was paying for that vehicle. Unfortunately for the Pearl professional, Ms. Lurz did have that information. The possible falsehood caught my attention.
  4. The Pearl professional insisted that somewhere along the line I had provided permission for Pearl and Ms. Lurz to contact me.

Upon reflecting about this situation, I formulated several observations:

First, the “freeze” appears to mean nothing. Zilch. The credit entities release data of individuals who have taken the steps to “freeze” data and then ignore that request. I will include this information in my next law enforcement lecture when I address online identity theft.

Second, the email letter references two companies and one individual who is writing me a private and personal letter. I find this a quick way to increase online security vulnerabilities. Experian releases the data, Pearl converts it to direct mail spam, and Ms. Lurz has her name and contact information included in a personal and private communication. Good business practice or security nightmare? My view is that it is a security problem and an illustration of poor business judgment.

Third, the no replay email does little to create the impression that Pearl, the automotive technology innovator, is a legitimate operation. We have been examining the email addresses used by Dark Web vendors. The similarities of multiple identities, the obfuscation of the email, and the effort taken to mask the identity of who uses private information jumped out at us.

Fourth, Pearl and Ms. Lurz are not signing from the same hymnal. Doesn’t this suggest a certain looseness with the facts? The one thing the two humans had in common was an eagerness to blame someone else. Now that’s accepting responsibility for one’s action handled the millennial way!

What’s the fix?

I suggest that others take a closer look at the business practices of outfits like Volvo, Pearl, and the hapless Ms. Lurz. I don’t think she really wants to have a private and personal relationship with me even thought she wrote to me in that offensive manner.

What’s clear is that what these players are delivering are ersatz pearls. Sad. Sad. Sad. Too bad I take things “personal” and “private” to heart. Others don’t. Therefore, this sad, sad, sad business anecdote.

Stephen E Arnold, October 19, 2017

 

Equifax Hack Has Led to Oracle Toughening Up

October 19, 2017

According to a timely piece in SearchOracle, its parent company has muscled up in response to its recent troubles, according to the article, “Machine Learning and Analytics Among Key Oracle Security Moves.”

This comes on the heels of the infamous Equifax hack, which was made vulnerable due to a weakness in Apache Struts. To their credit, Oracle has owned up to the problem and made it public that they are not going to wilt in the face of criticism. In fact, they are doubling down:

Oracle’s effort to help IT teams reprioritize their defenses, he said, takes the form of a new unified model for organizing data, rolled out as part of an updated Oracle Management Cloud suite. Advanced machine learning and analytics will enable automated remediation of flaws like Struts…

The story continues:

(Oracle’s) approach to machine learning is uniquely its own, in the sense that it is being delivered as a core enhancement to existing offerings, and not as a stand-alone technology that is personalized by a mascot or nickname — a la Einstein from Salesforce or Watson from IBM.

We like that Oracle isn’t trying to throw the baby out with the bathwater, here. We agree, there are a lot of things to like and overhauling would not be the solution. Via analytical improvements, we suspect that Oracle will recover from the Equifax snafu and be stronger for it. They certainly sound like their focus is on that.

Patrick Roland, October 19, 2017

Next Page »

  • Archives

  • Recent Posts

  • Meta