Developing Nations Eager to Practice Cyber Surveillance
April 28, 2016
Is it any surprise that emerging nations want in on the ability to spy on their citizens? That’s what all the cool governments are doing, after all. Indian Strategic Studies reports, “Even Developing Nations Want Cyber Spying Capabilities.” Writer Emilio Iasiello sets the stage—he contrasts efforts by developed nations to establish restrictions versus developing countries’ increased interest in cyber espionage tools.
On one hand, we could take heart from statements like this letter and this summary from the UN, and the “cyber sanctions” authority the U.S. Department of Treasury can now wield against foreign cyber attackers. At the same time, we may uneasily observe the growing popularity of FinFisher, a site which sells spyware to governments and law enforcement agencies. A data breach against FinFisher’s parent company, Gamma International, revealed the site’s customer list. Notable client governments include Bangladesh, Kenya, Macedonia, and Paraguay. Iasiello writes:
“While these states may not use these capabilities in order to conduct cyber espionage, some of the governments exposed in the data breach are those that Reporters without Borders have identified as ‘Enemies of the Internet’ for their penchant for censorship, information control, surveillance, and enforcing draconian legislation to curb free speech. National security is the reason many of these governments provide in ratcheting up authoritarian practices, particularly against online activities. Indeed, even France, which is typically associated with liberalism, has implemented strict laws fringing on human rights. In December 2013, the Military Programming Law empowered authorities to surveil phone and Internet communications without having to obtain legal permission. After the recent terrorist attacks in Paris, French law enforcement wants to add addendums to a proposed law that blocks the use of the TOR anonymity network, as well as forbids the provision of free Wi-Fi during states of emergency. To put it in context, China, one of the more aggressive state actors monitoring Internet activity, blocks TOR as well for its own security interests.”
The article compares governments’ cyber spying and other bad online behavior to Pandora’s box. Are resolutions against such practices too little too late?
Cynthia Murrell, April 28, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
FinFisher How To: The Hacking Team
April 27, 2016
The idea is that math and science club types are competitive. Sure, many did not grasp fencing foils or head to the table tennis club. But the old competitive spark is there. To get a sense of how one outfit (FinFisher) hacked into another outfit (Hacking Team) point your browser at “Hack Back.” I want to raise several questions:
- Do these companies compete for law enforcement and intelligence contracts?
- Why did the “60 Minutes” report about hacking which aired on April 17, 2016, not mention FinFisher? Did “60 Minutes” “real” journalists overlook this company?
- Can either of these companies retrieve data from mobile phones?
- Who owns Gamma Group?
Ah, gentle reader, many questions.
Stephen E Arnold, April 27, 2016
Research Outlines Overview of Dark Web Landscape
April 27, 2016
The Dark Web continues to be a subject of study. Coin Desk published an article, Bitcoin Remains Most Popular Digital Currency on Dark Web, reporting on a study from two professors in the Department of War Studies at King’s College London. Their research found that Dark Web sites offered illegal goods and services in 12 categories, such as arms, drugs, and finance. As may be expected, the results revealed bitcoin to be the preferred digital currency of hidden-services commerce. We learned,
“The report, “Cryptopolitik and the Darknet,” which appeared in the February-March edition of Survival: Global Politics and Strategy, analyzed about 300,000 web addresses, identifying 5,205 live websites, out of which 2,723 were classified as illicit with a “high degree of confidence.” Of those, each was placed in one of twelve categories, including drugs, arms, and finance. The drugs category was the most frequently identified, with 423 websites, followed by finance with 327 websites. 1,021 websites were categorized as “other” by the research team. Among the financial websites identified as illicit, there were three categories: bitcoin-based methods for money-laundering, stolen credit card numbers and trade in counterfeit currency.”
In addition to this overview of the Dark Web landscape, the article also points out previous research which pokes holes in the conceptualization of the Dark Web as completely anonymous. An attack costing $2,500 is the price of busting a bitcoin user. Playing defense, a coin-mixing service called CleanCoin, helps bitcoin users remain traceless. What will be the next move?
Megan Feil, April 27, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Bold Hackers
April 27, 2016
It looks like some hackers are no longer afraid of the proverbial light, we learn from “Sony Hackers Still Active, ‘Darkhotel’ Checks Out of Hotel Hacking” at InformationWeek. Writer Kelly Jackson Higgins cites Kaspersky security researcher Juan Andres Guerrero-Saade, who observes that those behind the 2014 Sony hack, thought to be based in North Korea, did not vanish from the scene after that infamous attack. Higgins continues:
“There has been a noticeable shift in how some advanced threat groups such as this respond after being publicly outed by security researchers. Historically, cyber espionage gangs would go dark. ‘They would immediately shut down their infrastructure when they were reported on,’ said Kurt Baumgartner, principal security researcher with Kaspersky Lab. ‘You just didn’t see the return of an actor sometimes for years at a time.’
“But Baumgartner says he’s seen a dramatic shift in the past few years in how these groups react to publicity. Take Darkhotel, the Korean-speaking attack group known for hacking into WiFi networks at luxury hotels in order to target corporate and government executives. Darkhotel is no longer waging hotel-targeted attacks — but they aren’t hiding out, either.
“In July, Darkhotel was spotted employing a zero-day Adobe Flash exploit pilfered from the HackingTeam breach. ‘Within 48 hours, they took the Flash exploit down … They left a loosely configured server’ exposed, however, he told Dark Reading. ‘That’s unusual for an APT [advanced persistent threat] group.’”
Seeming to care little about public exposure, Darkhotel has moved on to other projects, like reportedly using Webmail to attack targets in Southeast Asia.
On the other hand, one group which experts had expected to see more of has remained dark for some time. We learn:
“Kaspersky Lab still hasn’t seen any sign of the so-called Equation Group, the nation-state threat actor operation that the security firm exposed early last year and that fell off its radar screen in January of 2014. The Equation Group, which has ties to Stuxnet and Flame as well as clues that point to a US connection, was found with advanced tools and techniques including the ability to hack air gapped computers, and to reprogram victims’ hard drives so its malware can’t be detected nor erased. While Kaspersky Lab stopped short of attributing the group to the National Security Agency (NSA), security experts say all signs indicate that the Equation Group equals the NSA.”
The Kaspersky team doesn’t think for a minute that this group has stopped operating, but believe they’ve changed up their communications. Whether a group continues to lurk in the shadows or walks boldly in the open may be cultural, they say; those in the Far East seem to care less about leaving tracks. Interesting.
Cynthia Murrell, April 27, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Duck Duck Go as a Privacy Conscious Google Alternative
April 26, 2016
Those frustrated with Google may have an alternative. Going over to the duck side: A week with Duck Duck Go from Search Engine Watch shares a thorough first-hand account of using Duck Duck Go for a week. User privacy protection seems to be the hallmark of the search service and there is even an option to enable Tor in its mobile app. Features are comparable, such as one designed to compete with Google’s Knowledge Graph called Instant Answers. As an open source product, Instant Answers is built up by community contributions. As far as seamless, intuitive search, the post concludes,
“The question is, am I indignant enough about Google’s knowledge of my browsing habits (and everyone else’s that feed its all-knowing algorithms) to trade the convenience of instantly finding what I’m after for that extra measure of privacy online? My assessment of DuckDuckGo after spending a week in the pond is that it’s a search engine for the long term. To get the most out of using it, you have to make a conscious change in your online habits, rather than just expecting to switch one search engine for another and get the same results.”
Will a majority of users replace “Googling” with “Ducking” anytime soon? Time will tell, and it will be an interesting saga to see unfold. I suppose we could track the evolution on Knowledge Graph and Instant Answers to see the competing narratives unfold.
Megan Feil, April 26, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Project Cumulus Tracks Stolen Credentials
April 26, 2016
Ever wonder how far stolen information can go on the Dark Web? If so, check out “Project Cumulus—Tracking Fake Phished Credentials Leaked to Dark Web” at Security Affairs. Researchers at Bitglass baited the hook and tracked the mock data. Writer Pierluigi Paganini explains:
“The researchers created a fake identity for employees of a ghostly retail bank, along with a functional web portal for the financial institution, and a Google Drive account. The experts also associated the identities with real credit-card data, then leaked ‘phished’ Google Apps credentials to the Dark Web and tracked the activity on these accounts. The results were intriguing, the leaked data were accessed in 30 countries across six continents in just two weeks. Leaked data were viewed more than 1,000 times and downloaded 47 times, in just 24 hours the experts observed three Google Drive login attempts and five bank login attempts. Within 48 hours of the initial leak, files were downloaded, and the account was viewed hundreds of times over the course of a month, with many hackers successfully accessing the victim’s other online accounts.”
Yikes. A few other interesting Project Cumulus findings: More than 1400 hackers viewed the credentials; one tenth of those tried to log into the faux-bank’s web portal; and 68% of the hackers accessed Google Drive through the Tor network. See the article for more details. Paganini concludes with a reminder to avoid reusing login credentials, especially now that we see just how far stolen credentials can quickly travel.
Cynthia Murrell, April 26, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Research MapsThreat Actors of the Dark Web
April 25, 2016
Known as the Dark Web, a vast amount of sites exist requiring specialized software, Tor is most commonly used, to access them. Now, the first map of the Dark Web has launched, according to Peeling Back the Onion Part 1: Mapping the #DarkWeb from Zero Day Lab. A partner of Zero Day Lab, Intelliagg is a threat intelligence service, which launched this map. While analyzing over 30,000 top-level sites, their research found English as the most common language and file sharing and leaked data were the most common hidden marketplaces, followed by financial fraud. Hacking comprised only three percent of sites studied. The write-up describes the importance of this map,
“Until recently it had been difficult to understand the relationships between hidden services and more importantly the classification of these sites. As a security researcher, understanding hidden services such as private chat forums and closed sites, and how these are used to plan and discuss potential campaigns such as DDoS, ransom attacks, kidnapping, hacking, and trading of vulnerabilities and leaked data; is key to protecting our clients through proactive threat intelligence. Mapping these sites back to Threat Actors (groups), is even more crucial as this helps us build a database on the Capability, Infrastructure, and Motivations of the adversary.”
Quite an interesting study, both in topic and methods which consisted of a combination of human and machine learning information gathering. Additionally, this research produced an interactive map. Next, how about a map that shows the threat actors and their sites?
Megan Feil, April 25, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Webinjection Code a Key to Security
April 25, 2016
The heady days of open cybercrime discussions on the Dark Web are over, thanks to increasing investigation by law-enforcement. However, CaaS vendors still sell products like exploit kits, custom spam, and access to infected endpoints to those who know where to look. Security Intelligence discusses one of the most popular commodities, webinjection resources, in its article, “Dark Web Suppliers and Organized Cybercrime Gigs.” Reporter Limor Kessem explains:
“Webinjections are code snippets that financial malware can force into otherwise legitimate Web pages by hooking the Internet browser. Once a browser has been compromised by the malware, attackers can use these injections to modify what infected users see on their bank’s pages or insert additional data input fields into legitimate login pages in order to steal information or mislead unsuspecting users.
“Whether made up of HTML code or JavaScript, webinjections are probably the most powerful social engineering tool available to cybercriminals who operate banking Trojan botnets.
“To be considered both high-quality and effective, these webinjections have to seamlessly integrate with the malware’s injection mechanism, display social engineering that corresponds with the target bank’s authentication and transaction authorization schemes and have the perfect look and feel to fool even the keenest customer eye.”
Citing IBM X-Force research, Kessem says there seem to be only a few target-specific webinjection experts operating on the Dark Web. Even cybercriminals who develop their own malware are outsourcing the webinjection code to one of these specialists. This means, of course, that attacks from different groups often contain similar or identical webinjection code. IBM researchers have already used their findings about one such vendor to build specific “indicators of compromise,” which can be integrated into IBM Security products. The article concludes with a suggestion:
“Security professionals can further extend this knowledge to other platforms, like SIEM and intrusion prevention systems, by writing custom rules using information about injections shared on platforms like X-Force Exchange.”
Cynthia Murrell, April 25, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Local News Station Produces Dark Web Story
April 22, 2016
The Dark Web continues to emerge as a subject of media interest for growing audiences. An article, Dark Web Makes Illegal Drug, Gun Purchases Hard To Trace from Chicago CBS also appears to have been shared as a news segment recently. Offering some light education on the topic, the story explains the anonymity possible for criminal activity using the Dark Web and Bitcoin. The post describes how these tools are typically used,
“Within seconds of exploring the deep web we found over 15,000 sales for drugs including heroin, cocaine and marijuana. In addition to the drugs we found fake Illinois drivers licenses, credit card and bank information and dangerous weapons. “We have what looks to be an assault rifle, AK 47,” said Petefish. That assault rifle AK 47 was selling for 10 bitcoin which would be about $4,000. You can buy bitcoins at bitcoin ATM machines using cash, leaving very little trace of your identity. Bitcoin currency along with the anonymity and encryption used on the dark web makes it harder for authorities to catch criminals, but not impossible.”
As expected, this piece touches on the infamous Silk Road case along with some nearby cases involving local police. While the Dark Web and cybercrime has been on our radar for quite some time, it appears mainstream media interest around the topic is slowly growing. Perhaps those with risk to be affected, such as businesses, government and law enforcement agencies will also continue catching on to the issues surrounding the Dark Web.
Megan Feil, April 22, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Google Removes Pirate Links
April 21, 2016
A few weeks ago, YouTube was abuzz with discontent from some of its most popular YouTube stars. Their channels had been shut down die to copyright claims by third parties, even thought the content in question fell under the Fair Use defense. YouTube is not the only one who has to deal with copyright claims. TorrentFreak reports that “Google Asked To Remove 100,000 ‘Pirate Links’ Every Hour.”
Google handles on average two million DMCA takedown notices from copyright holders about pirated content. TorrentFreak discovered that the number has doubled since 2015 and quadrupled since 2014. The amount beats down to one hundred thousand per hour. If the rate continues it will deal with one billion DMCA notices this year, while it had previously taken a decade to reach this number.
“While not all takedown requests are accurate, the majority of the reported links are. As a result many popular pirate sites are now less visible in Google’s search results, since Google downranks sites for which it receives a high number of takedown requests. In a submission to the Intellectual Property Enforcement Coordinator a few months ago Google stated that the continued removal surge doesn’t influence its takedown speeds.”
Google does not take broad sweeping actions, such as removing entire domain names from search indexes, as it does not want to become a censorship board. The copyright holders, though, are angry and want Google to promote only legal services over the hundreds of thousands of Web sites that pop up with illegal content. The battle is compared to an endless whack-a-mole game.
Pirated content does harm the economy, but the numbers are far less than how the huge copyright holders claim. The smaller people who launch DMCA takedowns, they are hurt more. YouTube stars, on the other hand, are the butt of an unfunny joke and it would be wise for rules to be revised.
Whitney Grace, April 21, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
-
- Subscribe to Beyond Search
Feature archive
News archive
-
