VPNs Possibly Aid Chinese Intelligence
February 18, 2019
China’s military and intelligence might has grown by leaps and bounds. By some estimates, it leads the world in many categories of defense. While there’s no conclusive evidence, the amount of information being harvested by Chinese online companies is staggering and could prove a connection, as we discovered in a recent Tech In Asia story, “Facebook’s Research App Isn’t The Only VPN To Mine User Data.”
According to the story:
“VPNs are supposed to help you protect your data. But the Facebook flap shows that there’s one party that has full access to everything you’re doing: the VPN provider itself. And it’s a concern with several Chinese-owned VPNs, which reportedly send data back to China.”
With enormous streams of data flowing back to China and the potential for it to be used by intel communities, it’s no shock that the Pentagon recently began revising its artificial intelligence strategy. This comes because China and Russia, specifically, are beginning to chip away at America’s technological edge. It’s exciting to see the US intelligence community take a greater stake on AI and its related strains. We hope this is the beginning of a boom in the industry.
Patrick Roland, February 18, 2019
Zerodium Boosts Payouts for Zero Day Exploits to US$2 Million
January 14, 2019
The Hacker News reported that Zerodium will pay up to $2 million for an iPhone zero day exploit. The idea is that the market for iPhone hacks is robust even if Apple is struggling to hits its internal sales targets. The write up states:
Zerodium—a startup by the infamous French-based company Vupen that buys and sells zero-day exploits to government agencies around the world—said it would now pay up to $2 million for remote iOS jailbreaks and $1 million for exploits that target secure messaging apps.
The big payout is for a remote hack which jailbreaks an iPhone. The idea is that an entity can access an iPhone remotely and perform actions on that iPhone with having direct physical access to the device. The approach is known as a “zero click” exploit; that is, no user interaction required.
The company is also offering a payout of $1 million for WhatsApp exploits.
The reason? Hacker News explains:
The hike in the price is in line with demand and the tougher security of the latest operating systems and messaging apps, as well as to attract more researchers, hackers and bug hunters to seek complex exploit chains.
DarkCyber anticipates more price increases as bad actors shift to encrypted messaging for certain types of communications and transactions.
Stephen E Arnold, January 14, 2019
Data Protection: Many Vendors, Many Incidents
January 4, 2019
This is one of our DarkCyber news items.
Search engines are getting smarter and better, especially since they began to incorporate social media in their indexing. It is harder than ever to protect personal information, then there is the rising Dark Web fear. While there are services out there that say they can monitor the Dark Web and the vanilla Web to protect your information there are things you can do to protect yourself. TechRadar shares some tips in the article, “AI And The Next Generation Of Search Engines.”
The article focuses on Xiliab’s Frank Cha, who works on South Korea’s largest AI developer. Xiliab recently developed the DataXchain data trading platform that is described as the search engine of the future. Cha explained why DataXchain is the search engine of the future:
“Dataxchain engine is the next generation of data trading engine which enables not only data processing such as automatic data collection, classification, tagging, and curation but also enables data transactions. These transactions are directly applied to human development without human intervention by pre-processing data matching and deep learning engine. These trials can be accessed to the implicit knowledge through the intervention of people that the traditional search engine already had.”
Cha stresses the biggest challenge with DataXchain is creating connections with clients. He said, “When this connection becomes a chain, we will be able to exchange value for private data of each individual or organization and it will bring innovation to sophisticated AI in dataXchain…”
It is also being for national defense, which can be translated into protecting an individual’s data without changing the algorithm.
It is a basic interview without much meat about how to protect your data. Defensive forces can use the same algorithm as regular people, but that does not sound reassuring. How about speaking in layman’s terms?
With many competitors why are their so many successful breaches?
Whitney Grace, January 4, 2019
About Those VPNs
December 26, 2018
News and chatter about VPNs are plentiful. We noted a flurry of stories about Chinese ownership of VPNs. We receive incredible deals for VPNs which are almost too good to be true. We noted this write up from AT&T (a former Baby Bell) and its Alienvault unit: “The Dangers of Free VPNs.”
The idea behind a VPN is hiding traffic from those able to gain access to that traffic. But there is a VPN provider in the mix. From that classic man in the middle position, the VPN may not be as secure as the user thinks.
The AT&T Alienvault viewpoint is slightly different: VPNs are the cat’s pajamas as long as the VPN is AT&T’s.
We learned from the write up:
Technically, VPN providers have the capacity to see everything you do while connected. If it really wanted to, a VPN company could see what videos you watched, read emails you send, or monitor your search history.
The write up points out without reference to lawful intercept orders, national security letters, and the ho hum everyday work in cheerful Ashburn, Virginia:
Thankfully, reputable providers don’t do this. A good provider shouldn’t take any logs of your activity, which means that although they could theoretically access your data, they discard it instead. These “no-log” companies don’t keep copies of your data, so even if they get subpoenaed by a government agency, they have no data that they can hand over. VPN providers may take different types of logs, so you need to be careful when reading the fine print of any potential provider. These logs can include your traffic, DNS requests, timestamps, bandwidth and IP address.
The write up includes a “How do I love thee” approach to the dangers of free VPNs.
Net net: Be scared. Just navigate to this link. AT&T provides VPN service with the goodness one expects.
By the way, note the reference to “logs.” Many gizmos in a data center offering VPN services maintain logs. Processing these auto generated files can yield quite useful information. Perhaps that’s why there are free and low cost services.
Zero logs strikes Beyond Search as something that is easy to say but undesirable and possibly difficult to achieve.
Are VPNs secure? Is Tor?
In January 2019, Beyond Search will cover more dark cyber related content. More news is forthcoming. Let’s face it enterprise search is a done deal. The Beyond Search goose is migrating to search related content plus adjacent issues like AT&T promoting its cheerful, unmonitored, we’re really great approach to online.
Stephen E Arnold, December 26, 2018
Search for a Person in China: Three Seconds and You Are Good to Go
December 26, 2018
I read “Welcome to Dystopia : China Introduces AI Powered Tracking Uniform in Schools.” The article explains that “China has started to introduce school uniforms which track pupils all the time.”
The “all” is problematic. A student equipped with the new uniform has to take it off, presumably for normal body maintenance and the inevitable cleaning process.
The overstatement, I assume, is designed to make the point that China is going to keep social order using smart software and other tools.
The new uniform “comes with two chips embedded in the shoulder areas and works with an AI-powered school entrance system, which is equipped with facial recognition cameras.”
Combined with other monitoring gizmos, the question, “Where’s Wong? can be answered in a jiffy. The write up explains:
The entrance system, powered by facial recognition camera, can capture a 20-second-long video of each pupil going in or coming out of the school. The footage will be uploaded onto an app in real time for teachers and parents to watch.An alarm will go off if the school gate detects any pupil who leaves the school without permission,
The article suggests that location and identification takes seconds.
One presumes the search results will be objective and ad free.
Stephen E Arnold, December 26, 2018
Health Data: A Growing Challenge
November 30, 2018
While the world wrings its hands over the idea of social media sharing their data and having security breaches, a much larger problem lurks in the shadows. We are talking about the absurdly high number of health care data breaches, which contain far more sensitive data. We learned more from a recent Healthcare Analytics News story, “Yes, Healthcare’s Data Breach Really Is That Bad.”
According to the story:
“Healthcare providers were hit the hardest, reporting 1,503 data breaches compromising 37.1 million records during the period in question. The number of incidents made up 70 percent of all data breaches included in the tally. But health plans, which reported 278 data breaches, reported 110.4 million exposed records, or 63 percent of the pie, according to the findings.”
Why are criminals doing all this? It’s not just to set up a new credit card in your name. According to Forbes, this recent rash of theft is tied to fraudulent medication and even procedures being acquired, as well as receiving Medicare and Medicaid benefits.
News about the data breach at Atrium Health billing lost data for an estimate 2.65 million patients.
More challenges to come we fear.
Patrick Roland, November 30, 2018
Dongles, Security, and Keys: A New but Familiar Tune
November 22, 2018
Part of Google’s new product lineup is the Titan Security Key, selling for only $50. The Hacker News shares more information on the Titan Security Key in the article, “Google ‘Titan Security Key’ Is Now On Sale For $50.” Google first announced the security key at the Google Cloud Next 2018 convention.
The Titan Security Key is similar to Yubico’s YubiKey. It offers hardware-based two factor authentication for online accounts with the highest level of protection from phishing. The full kit offers a USB security key, Bluetooth security key, USB-C to USB-A adapter, and USB-C to USB-A connecting cable. The Titan Security Key is based on the FIDO (Fast IDentity Online) Alliance, U2F protocol and uses Google developed secure element and firmware. It adds another security level on top of passwords, an idea similar to the Tor browser. It is compliant with many popular browsers, email services, social media, and cloud services.
As more aspects of people’s lives migrate online, security is more important than ever. Tools like the Titan Security Key provide an extra level of security at a nominal price:
“According to Google, the FIDO-compatible hardware-based security keys are thought to be more safe and efficient at preventing phishing, man-in-the-middle (MITM) and other types of account-takeover attacks than other 2FA methods requiring SMS, for example. This is because even if an attacker manages to compromise your online account credentials, log into your account is impossible without the physical key. Last month, Google said it started requiring its 85,000 employees to use Titan Security Keys internally for months last year, and the company said since then none of them had fallen victim to any phishing attack.”
The Google Titan Security Key appears to be a simple and cheap way to ensure more security for individuals. One of the problems people face with online security is the lack of understanding, cost, and finding an effective product. Google appears to have created a great solution, but the one problem is that China made the Titan Security Key. China has all the schematics for the device and China is a hotbed for phishing attacks.
Microsoft, another me too outfit, has jumped on the bandwagon for dongles. Microsoft now offers native FIDO key login for Windows 10. What about losing a dongle?
Back to square one?
Whitney Grace, November 22, 2018
Microsoft: Nibbling at Crime Fighting
November 20, 2018
Every year cyber crime is one the rise and digital security experts are always trying to stay one click ahead of their assailants. Microsoft is not the world’s leading expert in cyber security, but the company is investing in it. Fortune’s article, “Microsoft Pours Millions Into Startup That Nails Cybercriminals” explains more about the investment.
Microsoft invested $6.2 million in Hyas, a startup that specializes in identifying and taking down cybercriminals. Hyas’s CEO described his company’s mission as tracking down bad actors to their exact location so law enforcement can arrest them.
“In 2014, Davis founded Hyas, his third startup, out of his basement on Vancouver Island, Canada. The firm sells subscriptions to digital forensics software—called “Comox” after a town in the company’s home region of British Columbia—that helps security analysts investigate breaches.
We noted this statement:
‘Hyas is going beyond threat detection and providing the attribution tools required to actually identify and prosecute cybercriminals,’ said Matthew Goldstein, a partner at Microsoft’s M12, in a statement. He said that Hyas’s tech ‘will help take bad actors off the Internet, and lead to an overall decrease in cybercrime globally.’”
Hyas works based on its relationships with infrastructure providers and combining the insights it receives from the infrastructure providers with malware analysis, threat intelligence, and mobile data. Davis plans to use Microsoft’s investment to increase its new products and offer Hyas services to a more diverse clientele.
Whitney Grace, November 20, 2018
Google: A New Challenge from Code Piracy?
November 5, 2018
With Google charging for its Android apps and services, one question is, “Will Google’s software be pirated?” The question seems as if it comes from the early days of MS DOS and software piracy of floppy discs.
Google has spent much of its two-decade life in the crosshairs of some enemy or another. Whether it was from rival search engines, advertisers, or other media. However, a new battle recently used their own fire in the fight. We learned more from a CNBC story, “Chinese Firm Touting ‘Innovative’ Software Used Parts of Google Code.”
According to the story:
“Redcore, a Chinese start-up said it has developed “core technology” with “independent intellectual property rights” in regards to its browser. “But eagle-eyed users on Chinese social media spotted traces of Chrome in the installation directory of Redcore’s browser. There was a file in the directory called “Chrome.exe” and some image files of Google’s browser.”
This is not the only time Google has had to battle off theft issues with its software. However, more often than not, it’s people using Google for theft. Such as how they only recently found a way to detect and stop people using Chrome to steal wi-fi network information. The online ad giant seems to be aware of the target on its back and the archers taking aim.
Security lapses, pirated code, and interesting management decisions—worth watching the Google.
Patrick Roland, November 5, 2018
Facebook: Interesting Real News Filtering
September 29, 2018
Here in Harrod’s Creek, it is difficult to determine what is accurate and what is not. For example, allegedly a university president fiddled his pay. Then we had rumors of a novel way to recruit basketball players. News about these events were filtered because, hey, basketball is a big deal along with interesting real estate deals in River City.
We read “Facebook Users Unable to Post Story about Huge Facebook Hack on Facebook.” A real news outfit in London noticed that stories about Facebook’s most recent security lapse were not appearing on Facebook.
Another real news outfit reported that some Facebook users saw this message:
“Action Blocked: Our security systems have detected that a lot of people are posting the same content, which could mean that it’s spam. Please try a different post.”
Facebook fans suggested that Facebook was not blocking a story which might put Facebook in a bad light.
Here in rural Kentucky we know that no Silicon Valley company would filter news about its own security problems.
Facebook is a fine outfit. Obviously the news about the security lapse was fake; otherwise, why would the information be blocked?
Just a misunderstanding which the 50 million plus people affected are certain to understand. What’s the big deal with regaining access to one’s account?
The Facebook service is free and just wonderful. Really wonderful.
Stephen E Arnold, September 29, 2018
-
- Subscribe to Beyond Search
Feature archive
News archive
-
