Bank App Does Not Play Well with Tor Browser

December 22, 2016

Bank apps are a convenient way to access and keep track of your accounts.  They are mainly used on mobile devices and are advertised for the user on the go.  One UK bank app, however, refuses to play nice with devices that have the Tor browser, reports the Register in the article, “Tor Torpedoed!  Tesco Bank App Won’t Run With Privacy Tool Installed.”

Tesco is a popular bank present in supermarkets, but if you want to protect your online privacy by using the Tor browser on your mobile device, the Tesco app will not work on that device.  Marcus Davage, the mainframe database administrator, alerted Tesco patrons that in order to use the Tesco app, they needed to delete the Tor browser.  Why is this happening?

The issue appears to be related to security. Tesco’s help site notes that the Android app checks for malware and other possible security risks (such as the phone being rooted) upon launching and, in this case, the Tor software triggers an alert.  The Tor Project makes two apps for Android, the aforementioned Orbot and the Orfox browser, both of which allow users to encrypt their data traffic using the Tor network. According to the Play Store, Orbot has been downloaded more than five million times by Android users.

App developers need to take into account that the Tor browser is not malware.  Many users are concerned with their online privacy and protecting their personal information, so Tor needs to be recognized as a safe application.

Whitney Grace, December 22, 2016

For Sale: Government Web Sites at a Bargain

December 21, 2016

We trust that government Web sites are safe and secure with our information as well as the data that keeps our countries running.  We also expect that government Web sites have top-of-the-line security software and that, if they did get hacked, they would be able to rectify the situation in minutes.  Sadly, this is not the case, says Computer World in an article entitled “A Black Market Is Selling Access To Hacked Government Servers For $6.”

If you want to access a government server or Web site, all you need to do is download the Tor browser, access the xDedic marketplace on the Dark Web, and browse their catalog of endless government resources for sale.  What is alarming is that some of these Web sites are being sold for as little as six dollars!

How did the xDedic “merchants” get access to these supposedly secure government sites?  It was through basic trial and error using different passwords until they scored a hit.  Security firm Kaspersky Lab weighs in:

‘It is a hacker’s dream, simplifying access to victims, making it cheaper and faster, and opening up new possibilities for both cybercriminals and advanced threat actors,’ Kaspersky said.

Criminal hackers can use the servers to send spam, steal data such as credit card information, and launch other types of attack…Once buyers have done their work, the merchants put the server back up for sale. The inventory is constantly evolving.

It is believed that the people who built xDedic are Russian speakers, possibly from a country with that as a language.  The Web site is selling mostly government site info from Europe, Asia, and South America.  The majority of the Web sites are marked as “other”, however.  Kaspersky tracked down some of the victims and notified them of the stolen information.

The damage is already done.  Governments should be investing in secure Web software and testing to see if they can hack into them to prevent future attacks.  The Dark Web scores again.

Whitney Grace, December 21, 2016

Healthcare Technology as a Target for Cyberthreats

December 20, 2016

Will the healthcare industry become the target of cyber threats? Security Affairs released a story, Data breaches in the healthcare sector are fueling the dark web, which explains medical records are among the most challenging data sources to secure. One hacker reportedly announced on the Dark Web he had over one million medical records for sale. The going rate is about $60 per record. According to the Brookings Institute, more than 155 medical records have been hacked since 2009. We learned, 

The healthcare sector is a labyrinth of governance and compliance with risk mitigations squarely focused on the privacy of patient data. We in the industry have accepted the norm that “security is not convenient” but for those in the healthcare industry, inconvenience can have a catastrophic impact on a hospital, including the loss of a patient’s life. Besides patient records, there’s a multitude of other services critical to patient health and wellbeing wrapped by an intricate web of cutting-edge and legacy technologies making it perhaps the most challenging environment to secure. This may explain the rise in attacks against healthcare providers in the last six months.

When it comes to prioritizing secure healthcare technology projects in healthcare organizations, many other more immediate and short-term projects are likely to take precedence. Besides that barrier, a shortage of healthcare technology talent poses another potential problem.

Megan Feil, December 20, 2016

In Pursuit of Better News Online

December 20, 2016

Since the death of what we used to call “newspapers,” Facebook and Twitter have been gradually encroaching on the news business. In fact, Facebook recently faced criticism for the ways it has managed its Trending news stories. Now, the two social media firms seem to be taking responsibility for their roles, having joined an alliance of organizations committed to more competent news delivery. The write-up, “Facebook, Twitter Join Coalition to Improve Online News” at Yahoo News informs us about the initiative:

First Draft News, which is backed by Google [specifically Google News Lab], announced Tuesday that some 20 news organizations will be part of its partner network to share information on best practices for journalism in the online age. Jenni Sargent, managing director of First Draft, said the partner network will help advance the organization’s goal of improving news online and on social networks.

‘Filtering out false information can be hard. Even if news organizations only share fact-checked and verified stories, everyone is a publisher and a potential source,’ she said in a blog post. ‘We are not going to solve these problems overnight, but we’re certainly not going to solve them as individual organizations.’

Sargent said the coalition will develop training programs and ‘a collaborative verification platform,’ as well as a voluntary code of practice for online news.

We’re told First Draft has been pursuing several projects since it was launched last year, like working with YouTube to verify user-generated videos. The article shares their list of participants; it includes news organizations from the New York Times to BuzzFeed, as well as other interested parties, like Amnesty International and the International Fact-Checking Network. Will this coalition succeed in restoring the public’s trust in our news sources? We can hope.

Cynthia Murrell, December 20, 2016

Cybersecurity Technology and the Hacking Back Movement

December 19, 2016

Anti-surveillance hacker Phineas Fisher was covered in a recent Vice Motherboard article called Hacker ‘Phineas Fisher’ Speaks on Camera for the First Time—Through a Puppet. He broke into Hacking Team, one of the companies Vice called cyber mercenaries. Hacking Team and other firms sell hacking and surveillance tools to police and intelligence agencies worldwide. The article quotes Fisher saying,

I imagine I’m not all that different from Hacking Team employees, I got the same addiction to that electronic pulse and the beauty of the baud [a reference to the famous Hacker’s manifesto]. I just had way different experiences growing up. ACAB [All Cops Are Bastards] is written on the walls, I imagine if you come from a background where you see police as largely a force for good then writing hacking tools for them makes some sense, but then Citizen Lab provides clear evidence it’s being used mostly for comic-book villain level of evil. Things like spying on journalists, dissidents, political opposition etc, and they just kind of ignore that and keep on working. So yeah, I guess no morals, but most people in their situation would do the same. It’s easy to rationalize things when it makes lots of money and your social circle, supporting your family etc depends on it.

The topics of ethical and unethical hacking were discussed in this article; Fisher states the tools used by Hacking Team were largely used for targeting political dissidents and journalists. Another interesting point to note is that his evaluation of Hacking Team’s software is that it “works well enough for what it’s used for” but the real value it offers is “packaging it in some point-and-click way.” An intuitive user experience remains key.

Megan Feil, December 19, 2016

Potential Tor Browser Vulnerability Reported

December 19, 2016

Over at Hacker Noon, blogger “movrcx” reveals a potential vulnerability chain that he says threatens the entire Tor Browser ecosystem in, “Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale.” Movrcx says the potential avenue for a massive hack has existed for some time, but taking advantage of these vulnerabilities would require around $100,000. This could explain why movrcx’s predicted attack seems not to have taken place. Yet. The write-up summarizes the technique:

Anti-Privacy Implantation at Mass Scale: At a high-level the attack path can be described by the following:

* Attacker gains custody of an addons.mozilla.org TLS certificate (wildcard preferred)

* Attacker begins deployment of malicious exit nodes

* Attacker intercepts the NoScript extension update traffic for addons.mozilla.org

* Attacker returns a malicious update metadata file for NoScript to the requesting Tor Browser

* The malicious extension payload is downloaded and then silently installed without user interaction

* At this point remote code execution is gained

* The attacker may use an additional stage to further implant additional software on the machine or to cover any signs of exploitation

This attack can be demonstrated by using Burp Suite and a custom compiled version of the Tor Browser which includes a hardcoded root certificate authority for transparent man-in-the-middle attacks.

See the article for movrcx’s evidence, reasoning, and technical details. He emphasizes that he is revealing this information in the hope that measures will be taken to nullify the potential attack chain. Preferably before some state or criminal group decides to invest in leveraging it.

Cynthia Murrell, December 19, 2016

Yahoot: A Master of Disaster Management

December 16, 2016

I have a Yahoot (sorry, I meant Yahoo) email account. I have refused to change the password in order to see what nefarious behaviors manifest themselves. So far, the only bad guys in the picture are Yahoot’s merrie band of wizards, led by the Purple Privacy Eater, Marissa Mayer. Ms. Mayer was a Xoogler. Now I am able to paint a mental picture about why she left Googzilla for the outfit Terry Semel tried to convert to a media company. Prescient guy. Get out of online. Do sitcoms.

I read “Verizon Demands a Better Deal After Yahoo’s Latest Historic Hack.” The main idea of that write up is that the former Baby Bell wants to do the Trump thing: A better deal. That seems reasonable. Yahoo managed to fumble the security ball, delivering an alleged one billion customers’ details to alleged bad actors. There are even “real” journalists who allege that the Yahooligans’ secrets are for sale on the Dark Web.

And what personal data slipped through the former Googler’s fingers? The write up knows and, therefore, reported:

Yahoo said late on Wednesday [December 14, 2016] that it had uncovered a 2013 cyber attack that compromised data of more than 1 billion user accounts, the largest known breach on record. It said the data stolen may have included names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers.

Fortune, whose journalists do not surf the Dark Web like the clever folks at the New York Times, used “real” journalistic methods and revealed:

Verizon is said to have threatened to go to court to get out of the deal if it is not repriced.

There you go. Verizon may be rethinking its clever move to buy the Purple Haze machine for about $5 billion. Knock the price down, and maybe the Baby Bell will [a] ante up some cash, [b]  replace the Xoogler with a person who can keep Yahoot from becoming more of a master of disaster than it is, and [c] blend the wizardry of AOL with the Yahooligans’ approach to technology. In my 73 years, I have not previously witnessed the rubble-ization of a publicly traded Sillycon Valley company in quite this way. Business school case study? For sure.

The real news outfit’s write up adds:

The U.S. No. 1 wireless carrier still expects to go through with the deal, but is looking for “major concessions” in light of the most recent breach, according to another person familiar with the situation.

Will Yahoo enter the online security business? The company now has mind share. Governance? Exemplary management team? Technical chops? That’s a $5 billion dollar question from a company that spurned Microsoft’s even more robust offer. Right, the same outfit which fumbled the pay to play for traffic business. Right now Terry Semel looks like a managerial paragon.

Yahoooot!

Stephen E Arnold, December 16, 2016

Nobody Really Knows What Goes on over Dark Web

December 16, 2016

While the mainstream media believes that the Dark Web is full of dark actors, research by digital security firms says that most content is legal. It only says one thing; the Dark Web is still a mystery.

The SC Magazine in an article titled Technology Helping Malicious Business on the Dark Web Grow says:

The Dark Web has long had an ominous appeal to Netizens with more illicit leanings and interests. But given a broadening reach and new technologies to access this part of the web and obfuscate dealings here, the base of dark web buyers and sellers is likely growing.

On the other hand, the article also says:

But despite its obvious and well-earned reputation for its more sinister side, at least one researcher says that as the dark web expands, the majority of what’s there is actually legal. In its recent study, intelligence firm Terbium Labs found that nearly 55 percent of all the content on the dark web is legal in nature, meaning that it may be legal pornography, or controversial discussions, but it’s not explicitly illegal by U.S. law.

The truth might be entirely different. The Open Web is equally utilized by criminals for carrying out their illegal activities. The Dark Web, accessible only through Tor Browser, allows anyone to surf the web anonymously. We may never fully know if the Dark Web is the mainstay of criminals or of individuals who want to do their work under the cloak of anonymity. Till then, it’s just a guessing game.

Vishal Ingole, December 16, 2016

Victims of Their Own Foolishness

December 15, 2016

Incidents of law enforcement agencies arresting criminals for selling their services on the Dark Web are increasing. However, their success can be attributed to the foolishness of the criminals, rather than technological superiority.

In a Cyber In Sight news report titled IcyEagle: A Look at the Arrest of an Alleged Dark Web Vendor, the reporter says:

the exact picture of how law enforcement has managed to track down and identify Glende remains unclear, the details released so far, provide an interesting behind the scenes view of the cybercrime-related postings we often highlight on this blog.

The suspect in this case inadvertently gave details of his service offerings on AlphaBay. Cops were able to zero in on his location and managed to put him under arrest for drug peddling. The report reveals further:

An undercover officer purchased stolen bank account information from IcyEagle in March and April 2016, according to the indictment. Interestingly, Glende was also arrested by local police for selling drugs around the same time. A tip from U.S. Postal Inspectors led to police officers finding a “trove” of drugs at his Minnesota home in March.

It is thus apparent that the criminals, in general, are of the opinion that since they are selling on the Dark Web, they are untraceable, which clearly is not the case. The trace, however, was possible only because the suspect handed it over himself. Hackers and real cyber criminals are still out of the ambit of law enforcement agencies, which needs to change soon.

Vishal Ingole, December 15, 2016

Google’s Bid for AI Dominance

December 14, 2016

Google’s dominance over our digital lives cannot be refuted. The tech giant envisages that the future of computing will be Artificial Intelligence (AI), and the search engine leader is all set to dominate it once again.

In an Arabian Business feature article titled Inside Google’s Brave New World, the author says:

The $500bn technology giant is extending its reach into hardware and artificial intelligence, ultimately aiming to create a sophisticated robot that can communicate with smart-device users to get things done.

The efforts can be seen in the form of company restructuring and a focus on developing products and hardware that can host its sophisticated AI-powered algorithms. From wearable devices to in-home products like Google Home, the company is not only writing powerful algorithms to answer user queries but is also building the hardware that will seamlessly integrate with the AI.

Though these advances might mean more revenue for the company and its shareholders, with Google controlling every aspect of our working lives, the company also needs to address the privacy concerns with equal zeal. As the author points out:

However, with this comes huge responsibility and a host of ethical and other policy issues such as data privacy and cybersecurity, which Google says its teams are working to resolve on a day-to-day basis.

Apart from Google, other tech companies like Amazon, Microsoft, Facebook and Apple are also in the race for AI dominance. However, the privacy concerns remain there too, as the end user never knows how and where the data collected will be used.

Vishal Ingole, December 14, 2016
