Online Fraud: Loophole, Soft Freeze, Hard Freeze, or Just Business in 2017?

October 19, 2017

Consumer Alert: A credit freeze may not do what one expects.

After the Equifax data loss, I promptly put a credit freeze on my unwanted “credit rating” accounts.

As you know, a consumer (even one who writes books about online fraud and lectures to law enforcement and intelligence professionals) has zero choice with regard to dealing with Equifax, Transunion, and Experian. I thought the credit freeze meant that my personal financial information would not be released to third parties.

I learned from a cheerful person named Kelly Lurz, who presumed to write me a personal and confidential email, that there is a “hard” freeze of credit information and a “soft” freeze of credit information. I did not know that. In fact, after freezing the release of my credit details, none of the documentation I received from Equifax, Transunion, and Experian used this terminology. Quite an oversight in light of the security issues related to personal credit information.

Let me share the personal email with you, gentle reader. I received this email from an outfit doing business as Pearl Solutions, an automotive technology innovator. You can find out about this marketing company at this link. Kelly Lurz does not work at Pearl. She did know enough to tell me that she was not the sender of the “personal” email to my business email address. She was, in retrospect, quite a font of information with the hard and soft freeze data and the ability to shift the blame to an outfit named Pearl, the automotive technology innovator.


First, the email has a Volvo logo. My last interaction with the Volvo dealer in Louisville was an unpleasant one, a fact I communicated when I received a $900 invoice for an annual service check. The Volvo dealer just smiled and said, “That’s what it costs.” Now this outfit wants to buy or lease another Volvo? I don’t think so.

Second, the email is sending me a “personal” note and wants to make a “private” offer. In this era of online fraud, fake news, and general duplicity—I am going to get a personal note sent to me from What? Personal, private, pearl? This hit me like those ads for personal services we have analyzed in the course of our research for CyberOSINT and the Dark Web Notebook.

Third, the letter is signed by the aforementioned “Kelly Lurz.” I called Ms. Lurz, and she informed me that I was on a list, the letter really was not “personal,” was not “private”, and was nothing more than a pitch to dump my 18 month old automobile and move into a brand new Volvo. Well, a letter using the terms “personal” and “private” from a person named Kelly Lurz (a female, by the way, judging from her voice and LinkedIn page) struck me as stupid and perilously close to harassment of a 74 year old male who is quite happy with his automobile.

Fourth—and this is the big issue, even bigger than harassment-type terminology—is the logo of Experian, one of the credit agencies whose data I froze by providing proof of my identity and paying money for the aggregator to keep my information private. (I did not choose to give Experian my information; Experian collected the information and now charges me to keep it private. Nice business model because of the hard and soft freeze distinction.) Obviously the PIN number, the information about paying money to make my credit information available, and the new approach to security were confections, mere fabrications, digital illusions designed to create a new cash stream for the credit agencies.

Let me come back to Ms. Lurz’s explanation of the “hard freeze” and a “soft freeze.” Her company, a car dealer in Louisville, was using the “soft freeze” data and was, therefore, breaking no laws. Her LinkedIn profile suggests that she has a degree in elementary education, not law. She also has a degree in biology. That’s interesting, but not directly germane to understanding the bright white lines of financial regulations. I guess I am old fashioned but dissecting a frog falls short of the standard for interpretation of statutes.

With some forcefulness in her verbal statements to me, she told me that she knew I had a Mercedes and only “wanted to offer me an opportunity” to buy a new Volvo. Right, but she knew my business email, my financial status, the type of vehicle my wife drives, and where I lived. Right. A soft freeze.

But the email was Pearl’s, not hers and not the Louisville Volvo dealership’s. As a direct result of her unwillingness to accept responsibility for using my personal information to sell me a car I do not want, I poked into Pearl, the automotive technology innovator. (I liked that catchphrase for a company engaged in the use of personal information to sell cars.)

I called the 800 number of Pearl, the automotive technology innovator, and went to a voice recording. I left a message with whoever the operator connected me to, to the effect that I was going to write about this use of personal information and include the email in my next lecture to law enforcement and intelligence professionals. The reason is that the confidential information about me is in the possession of: Volvo (see the letter), Kelly Lurz (sales person), Pearl, and Experian. So much for control.

At 6:40 pm Eastern on October 17, 2017, I received a phone call from an alleged Pearl employee. I pointed out that I was eating dinner. The Pearl professional sounded eager to speak with me, so I left the dinner group and spoke with the Pearl professional who represented the innovator in automotive technology. On a napkin, I noted these points conveyed by the Pearl professional:

  1. What Pearl is doing with financial data is legal. Furthermore, the Pearl professional promised to mail me the pertinent regulations. (Yes, Pearl has access to my email, but the promised information has not arrived.)
  2. The Pearl professional told me that I should really be talking to Experian because Pearl was not responsible for the information in the email.
  3. The Pearl professional told me that Ms. Lurz did not have access to information about the type of vehicle I had nor how I was paying for that vehicle. Unfortunately for the Pearl professional, Ms. Lurz did have that information. The possible falsehood caught my attention.
  4. The Pearl professional insisted that somewhere along the line I had provided permission for Pearl and Ms. Lurz to contact me.

Upon reflecting about this situation, I formulated several observations:

First, the “freeze” appears to mean nothing. Zilch. The credit entities release data of individuals who have taken the steps to “freeze” data and then ignore that request. I will include this information in my next law enforcement lecture when I address online identity theft.

Second, the email letter references two companies and one individual who is writing me a private and personal letter. I find this a quick way to increase online security vulnerabilities. Experian releases the data, Pearl converts it to direct mail spam, and Ms. Lurz has her name and contact information included in a personal and private communication. Good business practice or security nightmare? My view is that it is a security problem and an illustration of poor business judgment.

Third, the no reply email does little to create the impression that Pearl, the automotive technology innovator, is a legitimate operation. We have been examining the email addresses used by Dark Web vendors. The similarities of multiple identities, the obfuscation of the email, and the effort taken to mask the identity of who uses private information jumped out at us.

Fourth, Pearl and Ms. Lurz are not singing from the same hymnal. Doesn’t this suggest a certain looseness with the facts? The one thing the two humans had in common was an eagerness to blame someone else. Now that’s accepting responsibility for one’s action handled the millennial way!

What’s the fix?

I suggest that others take a closer look at the business practices of outfits like Volvo, Pearl, and the hapless Ms. Lurz. I don’t think she really wants to have a private and personal relationship with me even though she wrote to me in that offensive manner.

What’s clear is that what these players are delivering are ersatz pearls. Sad. Sad. Sad. Too bad I take things “personal” and “private” to heart. Others don’t. Therefore, this sad, sad, sad business anecdote.

Stephen E Arnold, October 19, 2017


Equifax Hack Has Led to Oracle Toughening Up

October 19, 2017

According to a timely piece in SearchOracle, “Machine Learning and Analytics Among Key Oracle Security Moves,” its parent company has muscled up in response to its recent troubles.

This comes on the heels of the infamous Equifax hack, which was made possible by a weakness in Apache Struts. To its credit, Oracle has owned up to the problem and made it public that it is not going to wilt in the face of criticism. In fact, the company is doubling down:

Oracle’s effort to help IT teams reprioritize their defenses, he said, takes the form of a new unified model for organizing data, rolled out as part of an updated Oracle Management Cloud suite. Advanced machine learning and analytics will enable automated remediation of flaws like Struts…

The story continues:

(Oracle’s) approach to machine learning is uniquely its own, in the sense that it is being delivered as a core enhancement to existing offerings, and not as a stand-alone technology that is personalized by a mascot or nickname — a la Einstein from Salesforce or Watson from IBM.

We like that Oracle isn’t trying to throw the baby out with the bathwater, here. We agree, there are a lot of things to like and overhauling would not be the solution. Via analytical improvements, we suspect that Oracle will recover from the Equifax snafu and be stronger for it. They certainly sound like their focus is on that.

Patrick Roland, October 19, 2017

The Dark Potential Behind Neural Networks

September 27, 2017

With nearly every technical advance humanity has made, someone has figured out how to weaponize that which was intended for good. So too, it seems, with neural networks. The Independent reports, “Artificial Intelligence Can Secretly Be Trained to Behave ‘Maliciously’ and Cause Accidents.” The article cites research [PDF] from New York University that explored the potential to create a “BadNet.” They found it was possible to modify a neural net’s code to the point where they could even cause tragic physical “accidents,” and that such changes would be difficult to detect. Writer Aatif Sulleyman explains:

Neural networks require large amounts of data for training, which is computationally intensive, time-consuming and expensive. Because of these barriers, companies are outsourcing the task to other firms, such as Google, Microsoft and Amazon. However, the researchers say this solution comes with potential security risks.


‘In particular, we explore the concept of a backdoored neural network, or BadNet,’ the paper reads. ‘In this attack scenario, the training process is either fully or (in the case of transfer learning) partially outsourced to a malicious party who wants to provide the user with a trained model that contains a backdoor. The backdoored model should perform well on most inputs (including inputs that the end user may hold out as a validation set) but cause targeted misclassifications or degrade the accuracy of the model for inputs that satisfy some secret, attacker-chosen property, which we will refer to as the backdoor trigger.’

Sulleyman shares an example from the report: researchers successfully fooled a system, with the application of a Post-it note, into interpreting a stop sign as a speed limit sign—a trick that could cause an autonomous vehicle to cruise through without stopping. Though we do not (yet) know of any such sabotage outside the laboratory, researchers hope their work will encourage companies to pay close attention to security as they move forward with machine learning technology.

Cynthia Murrell, September 27, 2017


Security: Whom Does One Trust?

September 19, 2017

I read “The Market Can’t – and Won’t – Deal with IT Security, It Must Be Regulated, Argues Bruce Schneier.” The write up is about online, which is of interest to me. I found the summary of the remarks of Bruce Schneier, a security expert, interesting.

The main point is that government must regulate security. I highlighted this passage: “The market can’t fix this. Markets work because buyers choose between sellers, and sellers compete for buyers. In case you didn’t notice, you’re not Equifax’s customer. You’re its product.”

Several questions occurred to me:

  1. Which government? Maybe the United Nations?
  2. What’s the enforcement mechanism? Is after-the-fact “punishment” feasible?
  3. What’s the end point of security regulation?

Here in rural Kentucky security boils down to keeping an eye on the two brothers who live in a broken down trailer next to the crazy people who have a collection of wild animals. The wild animals are less threatening than these fine examples of Appalachian oak.

In the larger world, which includes a number of nation states which are difficult to influence, how are the regulations to be enforced? What if one of these frisky nation states is behind the headline making security breaches?

Answers to this question are likely to be cause for discussion. Talk is easy. Remediation may be a bit more difficult. Perhaps the barn has burned and the horses already converted to glue and dog food?

Fixes are hard. Talk, well, just talk.

Stephen E Arnold, September 19, 2017

Is China the New Los Angeles Trend Machine?

August 28, 2017

I was last in China in 2007 and then in Hong Kong in 2010. My information is, therefore, out of date. That’s no big whoop for me, since I am ready to tally 74 years in our thrilling world.

I read “In China You Now Have to Provide Your Real Identity If You Want to Comment Online.” The main point of the write up is that the free and open Internet is going the way of the dodo. The goal of “real name registration” is to make it easy for certain officials to track down individuals without the expensive, time consuming, and sometimes messy “traditional” identity investigations.

I noted this passage:

So what exactly constitutes forbidden topics on the Chinese internet? An unnamed CAC official told a journalist the following when asked about the new rules (first translated by The Diplomat):

  1. opposing the principles of the constitution of China
  2. endangering national security, revealing state secrets, subverting state power, and undermining national reunification
  3. damaging national honor and interests
  4. inciting national hatred, ethnic discrimination, and undermining national unity
  5. undermining the state’s policies on religion or promoting cults and feudal superstitions
  6. spreading rumors or disrupting social order
  7. spreading obscenity, pornography, violence, or terror, or abetting a crime
  8. insulting or slandering others and infringing upon the lawful rights and interests of others
  9. violating any other laws and regulations

My reaction to the write up is that censorship, China-style, may be the latest trend to emerge from the Middle Kingdom. Once Los Angeles on the left coast generated the “in” fads which would then roll toward Harrod’s Creek.

My thought is that censorship may be the new black or whatever the hot color is for fall fashion. I am not particularly surprised because similar governmental actions seem to have emerged from the deliberative bodies in Russia, Turkey, and other countries. One African nation state just turned off the Internet, an Iran-style touch.

One idea struck me. Is now the time for individuals to generate an alternative or optional Internet identity? Creating a “legend” or an alternate Internet identity is important. Just ask the person who ran the illegal Dark Web site AlphaBay. The mistake that individual made was to use an identity which was not “clean.”

The procedure for setting up a legend or clean Internet identity is not easy. There are a number of steps. Human mistakes can render a clean identity traceable; that is, dirty. If you are able to verify that you are working for a recognized law enforcement or intelligence entity, you can obtain a legend from the Beyond Search Overflight team. This is our WITSEC Light bundle. More comprehensive legends are also available to qualified LE and intel professionals.

To explore this package which contains an alias, matching email address, and other necessary elements like a Walmart pay as you go phone, just write darkwebnotebook at yandex dot com. Remember. We verify that you have a legitimate LE or intel role prior to providing the legend, a workable biography, and summary of what one has to do to build out the legend.

Those who do not qualify will have to look elsewhere for a way to deal with censorship constraints in countries other than the US. If the China censorship trend moves outward from that country, more than one online identity may be needed for some operations.

Stephen E Arnold, August 28, 2017

Is Your Fish Tank Spying on You?

August 17, 2017

The search for information never ends. We learned in the Darktrace Global Threat Report about a hacked fish tank. A smart fish tank was compromised. The fish tank was hacked. Darktrace’s technology speared the attempt. The bad guys have not yet been converted to sushi.

Stephen E Arnold, August 17, 2017

TechnoSecurity & Digital Forensics Conference Info

July 20, 2017

I am giving two talks about the Dark Web at the September 2017 TechnoSecurity & Digital Forensics Conference. With the take down of AlphaBay and the attention Dark Web sources of synthetic drugs are getting in the main stream media, the sessions will be of particular relevance to law enforcement, security, and intelligence professionals. My first talk is a quick start basics lecture. My second presentation focuses on free and open source tools and the commercial services which can flip on the lights in the Dark Web.

The conference has emerged as one of the most important resources for corporate network security professionals, federal, state and local law enforcement digital forensic specialists, and cybersecurity industry leaders from around the world. The purpose is to raise international awareness of developments, teaching, training, responsibilities, and ethics in the field of IT security and digital forensics. The event will feature more than 70 speakers, 60 sessions, 20 new product demonstrations, and 25 sponsors and exhibits. For full details and to register, please visit

As a reader of Beyond Search, you qualify for a 30 percent discount. Just use the promotional code DKWB17 when you sign up online.

Stephen E Arnold, July 20, 2017

Darktrace Delivers Two Summer Sizzlers

July 17, 2017

Darktrace offers an enterprise immune system called Antigena. Based on the information gathered in the writing of the “Dark Web Notebook,” the system has a number of quite useful functions. The company’s remarkable technology can perform real time, in depth analyses of an insider’s online activities. Despite the summer downturn which sucks in many organizations, Darktrace has been active. First, the company secured an additional round of investment. This one is in the $75 million range. This brings the funding of the company to the neighborhood of $170 million, according to Crunchbase.

Details about the deal appear in this Outlook Series write up. I noted this statement:

The cyber security firm has raised a $75 million Series D financing round led by Insight Venture Partners, with participation from existing investors Summit Partners, KKR and TenEleven Ventures.

On another front, Darktrace has entered into a partnership with CITIC. This outfit plans to bring “next-generation cyber defense to businesses across Asia Pacific.” Not familiar with CITIC? You might want to refresh your memory bank. Beyond Search believes that this tie up may open the China market for Darktrace. If it does, Darktrace is likely to emerge as one of the top two or three cyber security firms in the world before the autumn leaves begin to fall.

Here in Harrod’s Creek we think about the promise of Darktrace against a background of erratic financial performance from Hewlett Packard. As you may recall, one of the spark plugs for Darktrace is Dr. Michael Lynch, the founder of Autonomy. HP bought Autonomy and found that its management culture was an antigen to its $11 billion investment. It is possible to search far and wide for an HP initiative which has delivered the type of financial lift that Darktrace has experienced.

Information about Darktrace is at A profile about this company appears in the Dark Web Notebook in the company of IBM Analyst’s Notebook, Google/In-Q-Tel Recorded Future, and Palantir Technologies Gotham. You can get these profiles at this link:

Stephen E Arnold, July 17, 2017

Android VPN App Security Analyzed

July 12, 2017

Here’s an important warning for users of mobile devices—beware VPN apps in the Google Play store. That’s the upshot of a white paper from Australian research organization CSIRO, “An Analysis of the Privacy and Security Risks of Android VPN Permission-Enabled Apps.” Researchers found, for example, that 18% of VPN apps in the Google Play store do not actually encrypt anything, and 38% harbor malware of some sort.

The in-depth paper describes the investigation into four main areas of concern: third-party user tracking and permissions access; malware presence; traffic interception; and user awareness of potential risks. The researchers specify:

In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.

The paper concludes by recommending Android revamp their VPN permission model. It also describes most users as “naïve” to the realities of mobile VPN security. For anyone wishing to educate themselves on the issue, this paper is a good place to turn.

Cynthia Murrell, July 12, 2017

Google and Indian Government Spar over Authenticity of Google Maps

July 12, 2017

The Indian government has rejected the authenticity of maps used by popular navigation app Google Maps, terming them technically inaccurate.

Neowin, in an article titled “Indian Government Calls Google Maps ‘Inauthentic’; Asks Citizens to Use Their Solution,” says:

In an attack against the service, Surveyor General of India, Swarna Subba Rao said that the maps used by Google weren’t “authentic” and were “unreliable” with limited accuracy. She also stressed on how Survey of India’s own mapping data was qualitatively more accurate.

The bone of contention seems to be Google’s inaccurate mapping of Kashmir, the northern territory disputed by Pakistan. Google was also denied permission to map the country at street level for Street View, with security concerns cited as the reason.

Considering the fact that Google has the largest user base in India, this seems to be a setback for the company. An official of the Indian government is recommending the use of the government’s own maps for better topographical accuracy. However, the government-approved maps are buggy and do not have a great interface like Google Maps.

Vishal Ingole, July 12, 2017

