
Profile of the Equation Group

November 25, 2015

Short honk: I overlooked a link from one of the goslings from early 2015. The Kaspersky report about the Equation Group triggered some media commentary. The report, quite to my surprise, is still available online (or it was when I verified the link on November 23, 2015). If you are interested in information access using unconventional or at least not Emily Post approved methods, you can download “Equation Group: Questions and Answers”, Version 1.5 from Secure List.

Stephen E Arnold, November 25, 2015

Improper Information Access: A Way to Make Some Money

November 24, 2015

I read “Zerodium Revealed Prices” (the original is in Russian). The main point of the write-up is that exploits or hacks are available for a price. Some of these are attacks which may not be documented by the white hat folks who monitor the exploit and malware suburbs connected to the information highway.

The paragraph I noted explained what Zerodium will pay for a fresh, juicy exploit.

Here’s the explanation. Please recognize that Russian, unlike one of my relative’s language skills, is not my go-to language:

For a remote control access exploit which intercepts the victim’s computer through Safari or Microsoft’s browser, the company is willing to pay $50,000. Chrome is considered a more sophisticated “entry point”: for an attack through it, Zerodium pays $80,000. Zerodium will pay $5,000 for a vulnerability in WordPress, Joomla and Drupal. Breaking the Tor Browser can earn the programmer about $30,000… A remote exploit bypassing the protection of Android or Windows Phone will bring its author $100,000. A working exploit of iOS will earn the developer $500,000.

Zerodium explains itself this way:

Zerodium is a privately held and venture backed startup, founded by cybersecurity veterans with unparalleled experience in advanced vulnerability research and exploitation. We’ve created Zerodium to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.

The company’s logo is nifty too:


The purple OD emphasizes the zero day angle. Are exploits search and information access? Yep, they can be. Not advocating, just stating a fact.

Stephen E Arnold, November 24, 2015

No Mole, Just Data

November 23, 2015

It all comes down to putting together the pieces, we learn from Salon’s article, “How to Explain the KGB’s Amazing Success Identifying CIA Agents in the Field?” For years, the CIA was convinced there was a Soviet mole in their midst; how else to explain the uncanny knack of the 20th Century’s KGB for identifying CIA agents? Now we know it was due to the brilliance of one data-savvy KGB agent, Yuri Totrov, who analyzed U.S. government personnel data to separate the spies from the rest of our workers overseas. The technique was very effective, and all without the benefit of today’s analytics engines.

Totrov began by searching the KGB’s own data, and that of allies like Cuba, for patterns in known CIA agent postings. He also gleaned a lot of info from publicly available U.S. literature and from local police. Totrov was able to derive 26 “unchanging indicators” that would pinpoint a CIA agent, as well as many other markers less universal but useful: things like CIA agents driving the same car and renting the same apartment as their immediate predecessors. Apparently, logistics agents back at Langley did not foresee that such consistency, though cost-effective, could be used against us.

Reporter Jonathan Haslam elaborates:

“Thus one productive line of inquiry quickly yielded evidence: the differences in the way agency officers undercover as diplomats were treated from genuine foreign service officers (FSOs). The pay scale at entry was much higher for a CIA officer; after three to four years abroad a genuine FSO could return home, whereas an agency employee could not; real FSOs had to be recruited between the ages of 21 and 31, whereas this did not apply to an agency officer; only real FSOs had to attend the Institute of Foreign Service for three months before entering the service; naturalized Americans could not become FSOs for at least nine years but they could become agency employees; when agency officers returned home, they did not normally appear in State Department listings; should they appear they were classified as research and planning, research and intelligence, consular or chancery for security affairs; unlike FSOs, agency officers could change their place of work for no apparent reason; their published biographies contained obvious gaps; agency officers could be relocated within the country to which they were posted, FSOs were not; agency officers usually had more than one working foreign language; their cover was usually as a ‘political’ or ‘consular’ official (often vice-consul); internal embassy reorganizations usually left agency personnel untouched, whether their rank, their office space or their telephones; their offices were located in restricted zones within the embassy; they would appear on the streets during the working day using public telephone boxes; they would arrange meetings for the evening, out of town, usually around 7.30 p.m. or 8.00 p.m.; and whereas FSOs had to observe strict rules about attending dinner, agency officers could come and go as they pleased.”

In the era of Big Data, it seems like common sense to expect such deviations to be noticed and correlated, but it was not always so obvious. Nevertheless, Totrov’s methods did cause embarrassment for the agency when they were revealed. Surely, the CIA has changed its logistic ways dramatically since then to avoid such discernible patterns. Right?

Cynthia Murrell, November 23, 2015

Sponsored by, publisher of the CyberOSINT monograph


ACA Application Process Still Vulnerable to Fraudulent Documents

November 20, 2015

The post on Slashdot titled “Affordable Care Act Exchanges Fail to Detect Counterfeit Documentation” relates the ongoing issue of document verification within the Affordable Care Act (ACA) process. The Government Accountability Office (GAO) submitted fake applications to test the controls at the state and federal level for application and enrollment in the ACA. The article states,

“Ten fictitious applicants were created to test whether verification steps including validating an applicant’s Social Security number, verifying citizenship, and verifying household income were completed properly. In order to test these controls, GAO’s test applications provided fraudulent documentation: ‘For each of the 10 undercover applications where we obtained qualified health-plan coverage, the respective marketplace directed that our applicants submit supplementary documentation. We provided counterfeit follow-up documentation, such as fictitious Social Security cards with impossible Social Security numbers, for all 10…’”

The GAO report itself mentions that eight of the ten fakes failed at first but were later accepted. It shows that the fake applications were fraudulent in several ways: not only “impossible” Social Security Numbers, but also duplicate enrollments and a lack of employer-sponsored coverage. Ultimately, the report concludes that the ACA is still “vulnerable.” Granted, this is why the GAO conducted the audit of the system: to catch issues. The article provides no details on what new controls and fixes are being implemented.

Chelsea Kerwin, November 20, 2015


Facebook Acts in Its Own Best Interest

November 19, 2015

The article titled “Petition: Facebook Betrayed Us By Secretly Lobbying for Surveillance Bill” on BoingBoing complains that Facebook has been somewhat two-faced regarding privacy laws and cyber surveillance. The article claims that Facebook publicly opposed the Cybersecurity Information Sharing Act (CISA) while secretly lobbying to push it through. The article explains,

“Facebook has come under public fire for its permissive use of user data and pioneering privacy-invasive experiments in the past. They have also supported previous versions of the cybersecurity info-sharing bills, and their chief Senate lobbyist, Myriah Jordan, worked as General Counsel for CISA’s sponsor, Senator Richard Burr, immediately before moving to Facebook. Facebook has declined to take a public position on CISA, but in recent days sources have confirmed that in fact Facebook is quietly lobbying the Senate to pass it.”

This quotation raises the question of why anyone would believe that Facebook opposes CISA, given its history. It is, after all, a public company that will earn money in any acceptable way it can. The petition to make Facebook more transparent about its position on CISA seems more like a request for an apology from a company for being a company than anything else.

Chelsea Kerwin, November 19, 2015


Career Advice from Successful Googlers

November 18, 2015

A few words of wisdom from a Google veteran went from Quora query to Huffington Post article in “What It Takes to Rise the Ranks at Google: Advice from a Senior Staff Engineer.” The original question was, “How hard is it to make Senior Engineer at Google?” HuffPo senior editor Nico Pitney reproduces the most popular response, that of senior engineer Carlos Pizano. Pizano lists some of his education and pre-Google experience, and gives some credit to plain luck, but here’s the part that makes this good guidance for approaching many jobs:

“I happen to be a believer in specialization, so becoming ‘the person’ on a given subject helped me a lot. Huge swaths of core technology key to Google’s success I know nothing about; of some things I know all there is to know … or at least my answers on the particular subject were the best to be found at Google. Finally, I never focused on my career. I tried to help everybody that needed advice, even fixing their code when they let me, and was always ready to spread the knowledge. Coming up with projects but giving them to eager, younger people. Shine the light on others’ accomplishments. All that comes back to you when performance review season comes.”

Knowing your stuff and helping others—yes, that will go a long way indeed. For more engineers’ advice, some of which is more Google-specific, navigate to the list of responses here.

Cynthia Murrell, November 18, 2015



Icann Is an I Won’t

November 16, 2015

Have you ever heard of Icann? You are probably like many people within the United States and have not heard of the non-profit private company. What does Icann do? Icann is responsible for Internet protocol (IP) addresses and for coordinating domain names, so basically the company is responsible for a huge portion of the Internet. According to The Guardian in “The Internet Is Run By An Unaccountable Private Company. This Is A Problem,” the US supposedly runs Icann, but its role is mostly clerical, and by September 30, 2015 it was supposed to hand the reins over to someone else.

The “else” is the biggest question. The Icann community spent hours trying to figure out who would manage the company, but they ran into a huge brick wall. The biggest issue is that the volunteers want Icann to have more accountability, which does not seem feasible. Icann’s directors cannot be fired, except by each other. Finances are another problem, with possible governance risks and corruption.

A supposed solution is to create a membership organization, a common business model for non-profits, which would give power to the community. Icann’s directors are not too happy and have been allowed to add their own opinions. Decisions are not being made at Icann, and with the new presidential election the entire power shift could be off. That is not the worst that could happen:

“But there’s much more at stake. Icann’s board – as ultimate authority in this little company running global internet resources, and answerable (in fact, and in law) to no one – does have the power to reject the community’s proposals. But not everything that can be done, should be done. If the board blunders on, it will alienate those volunteers who are the beating heart of multi-stakeholder governance. It will also perfectly illustrate why change is required.”

The board has all the power and they do not have anyone to hold them accountable. Icann directors just have to stall long enough to keep things the same and they will be able to give themselves more raises.

Whitney Grace, November 16, 2015

Expect Disruption from Future Technology

November 13, 2015

A dystopian future where technology has made humanity obsolete is a theme older than the Industrial Revolution. History has proven that while some jobs are phased out thanks to technology, more jobs are created by it; after all, someone needs to monitor and make the machines. As technology grows and makes computing systems capable of reason, startups make temporary gigs permanent jobs, and 3D printing makes it possible to make any object, the obsolete humanity idea does not seem so far-fetched. KurzweilAI shares a possible future with “The SAP Future Series: Digital Technology’s Exponential Growth Curve Foretells Avalanche Of Business Disruption.”

While technology has improved the lives of countless people, it is disrupting industries. These figures show how disruptive:

  • In 2015 Airbnb will become the largest hotel chain in the world, launched in 2008, with more than 850,000 rooms, and without owning any hotels.
  • From 2012 to 2014, Uber consumed 65% of San Francisco’s taxi business.
  • Advances in artificial intelligence and robotics put 47% of US employment — over 60 million jobs — at high risk of being replaced in the next decade.
  • 10 million new autonomous vehicles per year may be entering US highways by 2030.
  • Today’s sensors are 1 billion times better — 1000x lighter, 1000x cheaper, 1000x the resolution — than only 40 years ago. By 2030, 100 trillion sensors could be operational worldwide.
  • DNA sequencing cost dropped precipitously — from $1 billion to $5,000 — in 15 years. By 2020 it could be $0.01.
  • In 2000 it took $5,000,000 to launch an internet start-up. Today the cost is less than $5,000.

Using a series of videos, SAP explains how disruption will change the job market, project management, learning, and even predicting future growth. Rather than continuing the dystopian future projections, SAP positions itself to offer hope and ways to adapt for your success. Humanity will be facing huge changes because of technology in the near future, but our ability to adapt always helps us evolve.

Whitney Grace, November 13, 2015



Google Takes Aim at Internet Crime

November 12, 2015

Google has a plan to thwart Internet crime: make it too expensive to be worth it. The company’s Online Security Blog examines the issue in “New Research: The Underground Market Fueling For-Profit Abuse.” The research was presented last June at the Workshop on the Economics of Information Security 2015; I recommend those interested check out the full report here.

The post describes the global online black market that has grown over the last ten years or so, where criminals trade in such items as stolen records, exploit kits, scam hosting, and access to compromised computers. The profit centers which transfer the shady funds rest upon an infrastructure, the pieces of which cost money. Google plans to do what it can to increase those costs. The write-up explains:

“Client and server-side security has dominated industry’s response to digital abuse over the last decade. The spectrum of solutions—automated software updates, personal anti-virus, network packet scanners, firewalls, spam filters, password managers, and two-factor authentication to name a few—all attempt to reduce the attack surface that criminals can penetrate. While these safeguards have significantly improved user security, they create an arms race: criminals adapt or find the subset of systems that remain vulnerable and resume operation.

“To overcome this reactive defense cycle, we are improving our approach to abuse fighting to also strike at the support infrastructure, financial centers, and actors that incentivize abuse. By exploring the value chain required to bulk register accounts, we were able to make Google accounts 30–40% more expensive on the black market. Success stories from our academic partners include disrupting payment processing for illegal pharmacies and counterfeit software outlets advertised by spam, cutting off access to fake accounts that pollute online services, and disabling the command and control infrastructure of botnets.”

Each of the links in the above quote goes to an in-depth paper, so there’s plenty of material to check out there. Society has been trying for centuries to put black markets out of business. Will the effort be more successful in the virtual realm?

Cynthia Murrell, November 12, 2015


Amazon Punches Business Intelligence

November 11, 2015

Amazon already gave technology a punch when it launched AWS, but now it is releasing a business intelligence application that will change the face of business operations, or so Amazon hopes. ZDNet describes Amazon’s newest endeavor in “AWS QuickSight Will Disrupt Business Intelligence, Analytics Markets.” The market is already saturated with business intelligence technology vendors, but Amazon’s new AWS QuickSight will cause another market upheaval.

“This month is no exception: Amazon crashed the party by announcing QuickSight, a new BI and analytics data management platform. BI pros will need to pay close attention, because this new platform is inexpensive, highly scalable, and has the potential to disrupt the BI vendor landscape. QuickSight is based on AWS’ cloud infrastructure, so it shares AWS characteristics like elasticity, abstracted complexity, and a pay-per-use consumption model.”

Another monkey wrench for business intelligence vendors is that AWS QuickSight’s prices are not only reasonable, but are borderline scandalous: standard for $9/month per user or enterprise edition for $18/month per user.

Keep in mind, however, that AWS QuickSight is the newest shiny object on the business intelligence market, so it will have out-of-the-box problems, its long-term ramifications are unknown, and it relies on database models and schemas. Do not forget that most business intelligence solutions do not resolve all issues, including ease of use and comprehensiveness. It might be better to wait until all the bugs are worked out of the system, unless you do not mind being a guinea pig.

Whitney Grace, November 11, 2015

