Clear Web Black Hat Forum
October 22, 2019
DarkCyber noted that Black Hat Forum is online. This is a site which offers information and tutorials. The focus is on activities which appear to skew toward the illegal.
Here’s the splash page (October 15, 2019):
Among the topics listed for users/members are:
- Anonymity for fake IDs and passports
- Carders Home
- Crackers Crew
- Hackers Crew
- Programming information
- VIP Black Hats (a special section which requires qualifying as a VIP on the site)
- XXX and Other Off topic Discuss [sic]
There is also a marketplace with a section for buyers and sellers.
DarkCyber’s review of the site reveals that it contains information that is often difficult to find on the Clear or Regular Web.
The DNS information is sketchy:
How long will the site remain online? Good question.
Stephen E Arnold, October 22, 2019
Amazon: Specialist in Complexity
October 22, 2019
The word “complexification” is tailor made for Amazon. A couple of examples might be helpful, right?
- Third party sellers provide expired food. Something seems wrong. Complexification of the vendor vetting, product vetting, and warehouse vetting processes might be a reason. (I am setting aside “profit at all costs” because who wants to rain on the Amazon bulldozer?)
- AWS services. Really, who can name the different types of Amazon databases? There’s an Oracle killer, an unstructured data killer, there’s an Amazon blockchain solution that’s just perfect for Dubai. Can’t keep ‘em straight? Take a cheap course in how to speak Amazon, you dynamo, you.
- Return authorizations. Use Opera? Well, the labels don’t print correctly. Call a human? It is helpful to speak two or three languages other than English. English as she is spoken at Amazon is, let’s put it this way, not what the talking heads on CNBC speak.
But the most interesting complexity problem concerns Twitch. Twitch may be a problem for YouTube and — get this, gentle reader — Facebook.
The hitch in the git along was summarized this way in The Verge’s interview with Emmett Shear, the big Twitcher. Here’s the passage I noted:
The changes are coming, Shear said, because the company didn’t think it was doing well enough when it talked to streamers about moderating their channels. There were streamers with teams that had everything working, but there were also streamers who felt overwhelmed and like they couldn’t figure out how to use all of Twitch’s moderation tools. “It popped as a problem,” Shear said. “We decided we had to do better. And I think it’s a big step in the right direction.” Twitch’s moderation philosophy, in general, comprises two parts: enforcement works on the level of the individual and on the level of the platform.
Okay, complexity, two tier moderation, and a lack of “transparency.” Transparency is an interesting word because it suggests making stuff clear. A lack of transparency means stuff is not clear.
Complexity?
Yes.
In my recent lecture at the TechnoSecurity & Digital Forensics Conference I offered a few examples of Twitch’s challenges:
- Streaming gambling with links to donate money to the gamblers and tips for getting an advantage
- SweetSaltyPeach’s soft excitement morphing into RachelKay’s really dull doing nothing but providing a momentary glimpse of the old formula for success
- A first run movie available via a stream.
Net net: Amazon’s fatal flaw may be its burgeoning complexity. Not even Bezos billions can make some things simple, clear, and easy to understand.
If Twitchers can’t figure out what to do, what will lesser mortals in government agencies achieve? Let’s watch Dubai for clues.
Stephen E Arnold, October 21, 2019
What Is Facebook Doing With User Data?
October 21, 2019
We have a question for Facebook: what the heck is going on with how you treat user data?
ITV reports in “Facebook Introduces ‘Clear History’ Tool But Your Data Won’t Be Deleted” that Facebook is rolling out a new feature that will disconnect, but not delete, users’ browsing history from its servers. The new feature is called Off-Facebook Activity and provides a summary of the third party apps and Web sites that report your activities to Facebook. That data allows Facebook to target ads, from consumer products to political campaigns. Users can now disconnect this history from their accounts.
When users turn on the Off-Facebook Activity control, Facebook will still receive data, but personal information will be removed from it, and the browsing history will not be used to send those users targeted ads. Facebook wants to continue harvesting data, so it carefully selected the term “clear history” to communicate that data will not be deleted, just cleared of personal information. Facebook claims it needs the information to tell businesses how effective their ad campaigns are. What does this mean for Facebook?
“With this tool, Facebook will no longer be able to target specific ads to their users, and the social media platform admitted in a blog post the feature ‘could have some impact’ on Facebook’s business. But it added ‘giving people control over their data is more important.’”
Facebook’s choice of the term “clear history” is misleading, and most people will not read the fine print about it. It is great that Facebook is giving users a report about how their information is shared with third parties, but why not give the feature a different name like “anonymous mode” or “privacy mode”?
Whitney Grace, October 21, 2019
Serverless Framework: Good or Bad?
October 21, 2019
For any readers who have wondered whether the Serverless Framework is a good option for them, blogger Einar Egilsson provides a case study in his post, “Serverless: 15% Slower and 8x More Expensive.” Egilsson explains exactly what he tried and why Serverless was less than helpful, for his purposes at CardGames.io anyway. He describes his original setup, how he approached the shift (using this tutorial), how he tested the performance, and, last but not least, the pricing involved. See the write-up for all those details. The post concludes:
“I’m sure there are cases where API Gateway and Lambda are better than Elastic Beanstalk. I guess our use case is just not one of them. Maybe if you’re using API Keys, rate limiting and other stuff API Gateway provides then it makes sense to pay 3.50$ for a million requests. For us it would have been better if we could just put a normal load balancer in front of Lambda. As far as I know that’s not possible, API Gateway is necessary for http access to Lambda. But even if we were just paying for Lambda, at 10$ a day we would be paying 300$ a month instead of 164$. We have a lot of requests, but each request does very little, it’s basically one database call per request. Maybe heavier requests that use more compute time would be better served with Lambda, where you pay per 100ms of compute time. Below is a report for one request, you can see we’re using 3.50ms of compute time and being billed for 100ms, which seems like a big waste. Finally, I’m not trying to bash API Gateway, Lambda or serverless in general here, just showing that for some workloads they are a lot more expensive than boring old EC2 and Elastic Beanstalk. So that’s what we’re sticking with.”
Since the original was posted, Egilsson has amended it. Apparently, he learned a lot from the comments about what he could have done better, such as using an Application Load Balancer instead of API Gateway and moving to a newer instance type. The software is still not right for his site, he notes, but at least he can admit, with good humor, where he went wrong.
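To put numbers on the trade-off Egilsson describes, here is an added worked example (my own code, not from his post or from AWS): a small cost model that rounds each invocation up to the 100 ms billing increment Lambda used in 2019, adds the $3.50 per million API Gateway charge he quotes, and finds the monthly request volume at which a flat-priced setup like his $164 per month Beanstalk environment becomes cheaper than serverless. The Lambda per-GB-second and per-invocation prices, the 128 MB memory size, and the treatment of a load balancer as having no per-request charge are assumptions, not figures from the post.

```python
import math

# Added example, not code from Egilsson's post. Values marked "assumed" are
# 2019 list prices recalled from memory; check the current AWS price list.
BILLING_INCREMENT_MS = 100                        # Lambda rounded duration up to 100 ms in 2019
LAMBDA_USD_PER_GB_SECOND = 0.0000166667           # assumed
LAMBDA_USD_PER_REQUEST = 0.20 / 1_000_000         # assumed
API_GATEWAY_USD_PER_REQUEST = 3.50 / 1_000_000    # the $3.50 per million quoted in the post


def billed_duration_ms(actual_ms: float, increment_ms: int = BILLING_INCREMENT_MS) -> int:
    """Round an invocation's wall time up to the billing increment.

    A 3.5 ms request is billed as 100 ms; a 100.1 ms request is billed as 200 ms.
    """
    if actual_ms <= 0:
        raise ValueError("duration must be positive")
    return math.ceil(actual_ms / increment_ms) * increment_ms


def billing_waste_factor(actual_ms: float) -> float:
    """How many times more compute is billed than used (100 / 3.5 is about 28.6)."""
    return billed_duration_ms(actual_ms) / actual_ms


def lambda_cost_usd(requests: int, actual_ms: float, memory_mb: int) -> float:
    """Lambda compute plus invocation charges for a batch of identical requests."""
    gb_seconds = requests * (billed_duration_ms(actual_ms) / 1000.0) * (memory_mb / 1024.0)
    return gb_seconds * LAMBDA_USD_PER_GB_SECOND + requests * LAMBDA_USD_PER_REQUEST


def serverless_cost_usd(requests: int, actual_ms: float, memory_mb: int,
                        front_door_usd_per_request: float = API_GATEWAY_USD_PER_REQUEST) -> float:
    """Lambda plus the per-request price of whatever fronts it.

    Pass 0.0 to model a front door with no per-request charge; an ALB's
    LCU-based pricing is deliberately left out of this toy model.
    """
    return lambda_cost_usd(requests, actual_ms, memory_mb) + requests * front_door_usd_per_request


def break_even_requests_per_month(fixed_monthly_usd: float, actual_ms: float, memory_mb: int,
                                  front_door_usd_per_request: float = API_GATEWAY_USD_PER_REQUEST) -> float:
    """Monthly request volume above which a flat-priced instance beats serverless."""
    per_request = serverless_cost_usd(1, actual_ms, memory_mb, front_door_usd_per_request)
    return fixed_monthly_usd / per_request


if __name__ == "__main__":
    # Figures from the post: about 3.5 ms of work per request, $164/month for Beanstalk.
    print(f"3.5 ms request billed as {billed_duration_ms(3.5)} ms "
          f"(waste factor {billing_waste_factor(3.5):.1f}x)")
    per_million = serverless_cost_usd(1_000_000, 3.5, 128)
    print(f"1M requests via API Gateway + Lambda (128 MB): ${per_million:.2f}")
    with_gateway = break_even_requests_per_month(164.0, 3.5, 128)
    without = break_even_requests_per_month(164.0, 3.5, 128, front_door_usd_per_request=0.0)
    print(f"Break-even vs $164/month: {with_gateway / 1e6:.1f}M requests/month with API Gateway, "
          f"{without / 1e6:.1f}M with a front door that has no per-request charge")
```

The point the model makes plain is that for a workload of many tiny requests the API Gateway charge, not Lambda compute, dominates: dropping the per-request front door moves the break-even volume by roughly an order of magnitude, which is exactly the Application Load Balancer advice Egilsson picked up from his commenters.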
Cynthia Murrell, October 21, 2019
FANG Alert: Government Scrutiny Increases
October 21, 2019
Certain Tech Giants Under Scrutiny for Potential Anti-Competitive Practices
Apparently, the feds have been asking Oracle for dirt on their rival. The Register reports, “Oracle: Yeah, We’ve Had a Bunch of G-Men Come Sniffing Around Asking Questions About Google.” Writer John Oates reveals:
“The two tech titans have been engaged in a bitter, eight-year long battle over the disputed use of Java code in Google’s Android mobile operating system. … Ken Glueck, veep at Oracle, told Reuters that the company had been contacted by Texan investigators, the House of Representatives Judiciary Committee and the Justice Department, all of which sought information about Google and alleged violations of antitrust law.”
But it is not just Oracle being pumped for information, and it is not just about Google. Oates continues:
“Anonymous sources quoted in the same story said the House Judiciary Committee has been asking around small firms it reckons may have been damaged by tech giants’ business practices, but added that some may wait until the committee issues legally binding subpoenas because they believe that would leave them less at risk of retaliation. The committee is waiting to see how much information it can collect voluntarily before issuing legal demands.”
This news comes amid a push by the DOJ, the House Judiciary Committee, and agencies in 48 states to ferret out anti-competitive practices at Google, Amazon, Facebook, and Apple. It looks like those companies’ lawyers are about to be very busy.
Cynthia Murrell, October 21, 2019
Thin is In: Just Not for Software
October 20, 2019
Editor’s Note: This item is neither search nor cyber crime. DarkCyber found it interesting.
Whether scientific studies can be trusted depends on who conducts them and who sponsors them, such as a big pharmaceutical company. Some organizations, however, do release unbiased studies that are simply the facts and research observations. The Guardian reports on a study finding that exercise does help older humans, “Older Adults Can Boost Longevity ‘With Just A Little Exercise.’”
According to the study, even a little activity such as washing the dishes, moving from one part of the house to another, and even walking to the water closet is associated with a lower risk of death. Sedentary lifestyles have been linked in multiple studies to an increased chance of many diseases, including heart failure. A Norwegian study backs up this earlier research, but concentrates specifically on the elderly.
“It is important for elderly people, who might not be able to do much moderate-intensity activity, that just moving around and doing light-intensity [activity] [will have] strong effects and is beneficial,” said Ulf Ekelund, a professor and first author of the study at the Norwegian School of Sport Sciences. However, the study finds that there is more “bang for your buck” if you engage in intense activity compared with light activity. A short stint of intense activity is viewed as beneficial as much longer periods of lesser activity.”
The Norwegian study, published by the BMJ, followed 36,000 people with an average age of sixty-three for five to six years. During the study there were a total of 2,149 deaths. Participants were divided into four groups by how active they were, and the risk of death was compared across the groups after taking factors such as sex, socioeconomic status, and BMI into account. Participants in the most active group, about 380 minutes of activity a day, had a 62% lower death rate than the least active group.
Death rates were higher in the less active groups. It is better to be physical than to sit around all day. No one messed with this study, including governments and big pharmaceutical companies. We need more tests conducted in this manner.
Now about that 65 megabyte download for Google Lens?
Whitney Grace, October 20, 2019
Supremely Secure?
October 19, 2019
Suprema is a South Korean security company that specializes in cyber security. One of Suprema’s products is a line of fingerprint readers. The BBC reports, in “Biostar 2: Suprema Plays Down Fingerprint Leak Report,” that a cyber security research group found a flaw in Suprema’s Biostar 2, accessed customer information, then alerted Suprema to the leak.
The research group’s action was benign, but it did point to a flaw in the system, and Suprema was not happy. Suprema assured its clients that none of the information was breached and that the number of customers affected was very small. A South Korean police force worried it was among the potential victims, but apparently its biometric systems were not exposed.
“The dispute over how big the leak was can be explained by the fact the researchers say they did not, for ethical reasons, attempt to download all the fingerprint files. Rather, they had taken “hundreds” of samples of data, said Mr Rotem. And these appeared to encode fingerprint patterns from a random selection of accounts in the Biostar 2 dataset. They then used Suprema’s software to convert about half a dozen examples into visible fingerprint patterns. From this, they estimated the dataset contained “at least over a million” fingerprint patterns in total. “We have evidence that biometric data was leaked,” Mr Rotem told BBC News.”
The full data sets were not downloaded, for ethical reasons. The research team actually did Suprema a favor by pointing out the crack before bad actors found it, but Suprema would have preferred that one of its own system regulators had discovered the issue. It should not matter who found the leak, because customers were at stake. Suprema sells security, but does not practice it.
Whitney Grace, October 19, 2019
Open Source Fact Checking Service
October 18, 2019
Misinformation is not new, and neither is its wide, mass distribution. The problem nowadays is the sheer volume of it and the number of platforms available to spread it. Another problem is that people who believe and spread misinformation can now find each other and congregate. It is important to verify facts, but with so many sources (online and offline) claiming to post the truth, how can you check?
Reddit is one platform where misinformation spreads; however, it is also a gathering place for people who want to find the truth and check facts. One of its popular formats is the “Ask Me Anything (AMA),” and recently it hosted one with Yaz Sinan, titled “I Built A Platform For Journalism With ‘Open Source’ Fact Checking. In The Age Of Information (And Misinformation) Overload, The Goal Is To Help The Best Journalists Stand Out By Making Their Fact Checking Process Fully Transparent And Reviewable.”
Yaz Sinan is a programmer living in Toronto, Canada. For the past three years, he has built fact checking tools, and to test them he has participated in over 500 fact checks. Sinan dubbed his platform Sourced Fact, and the best thing about it is that it is open source! Sinan built the platform because, while there are many projects in production intended to battle misinformation, he does not think they will be able to keep up. His belief is that it takes more energy to refute BS than to produce it.
Sourced Fact takes a different approach than other projects: journalists upload their articles and annotate them with verified checks for readers. Sinan wants to make it easy for journalists to “show their work,” so that readers can review it and the journalists stand out from their peers. Sinan approaches Sourced Fact with an open mind and a lot of common sense:
“– This approach only works for journalism covering information based on publicly reviewable evidence. This includes legislation, public government initiatives, whistle blower documents, and scientific data. This isn’t a good fit for journalism based on undocumented sources.
– This approach doesn’t eliminate bias. One can provide completely accurate facts and still introduce bias by omitting facts that don’t agree with their views. I do think however that helping the accurate provable facts stand out from everything else would still be a meaningful improvement to what we have today.
– I don’t expect the average reader to click into and explore the evidence for every claim. Just like the average consumer of open source code rarely reads the code. The point though is that it’s out there for anyone who wants to check it, so whoever wants to double check can do so anytime.”
I want Sinan’s platform to become an industry standard for news outlets around the world, particularly the United States. Sinan, please apply for grants to make your genius Sourced Fact work!
Whitney Grace, October 18, 2019
Project Zero Targets Who? What? Why?
October 18, 2019
Google is not one to keep its eyes on its own work, as the effective Project Zero demonstrates. That initiative’s researchers (a.k.a. hackers) seek out zero-day vulnerabilities in software created by Google and many other companies. Vice examines Project Zero in its article, “How Google Changed the Secretive Market for the Most Dangerous Hacks in the World.”
Since its launch in 2014, Project Zero reports it has found and helped fix more than 1,500 vulnerabilities. More than 300 of these were in Apple products, over 500 in Microsoft’s, and more than 200 in Adobe Flash, to give just a few examples. One of these researchers was part of the team that found the Intel chips’ Spectre and Meltdown vulnerabilities. The project has also influenced the cybersecurity industry in more general ways. Reporter Lorenzo Franceschi-Bicchierai writes:
“For one, Project Zero has normalized something that years ago was more controversial: a strict 90-day deadline for companies that receive its bug reports to patch the vulnerabilities. If they don’t patch in that time frame, Google drops the bugs itself. Microsoft, in particular, was not a fan of this policy at the beginning. Today, most companies that interact with Project Zero respect that 90-day deadline as an industry standard, a tidal change in the always controversial debate on the so-called ‘responsible disclosure’—the idea that security researchers who find vulnerabilities should first disclose them to the affected company, so that it can fix them before the bugs are exploited by hackers. According to its own tally, around 95 percent of bugs reported by Project Zero get patched within that deadline.”
Then there is the effect on what the article calls the “insecurity industry,” companies like Azimuth Security and NSO Group that also seek out zero-day vulnerabilities, but for a different reason. We’re told:
“Instead of reporting the vulnerabilities to the companies who own the software, these companies sell them to governments who turn them into tools to hack and surveil targets. ‘F— those guys,’ said a researcher who works for a company that does offensive security, referring to Project Zero. ‘They don’t make the world safer.’ The researcher … said that zero-day vulnerabilities are sometimes used to go after terrorists or dangerous criminals. So when Project Zero kills those bugs, it may be killing tools used by intelligence agencies to go after the bad guys, according to the researcher.”
That is one perspective, but one with which many security experts disagree. See the article for more on that dispute. There is no doubt companies the world over have benefited from Project Zero’s work, but what does Google get out of the effort? Good press is one thing, of course, but Franceschi-Bicchierai suggests another motive—the excuse to poke around in its competitors’ software and reveal their weaknesses. Whatever the motivations, Project Zero now seems entrenched in the cybersecurity landscape.
Now what about the timing of the announcement about the Apple iPhone vulnerabilities while downplaying Android phone issues?
Minor issue, right?
Cynthia Murrell, October 18, 2019
Cloudy Enough Already
October 18, 2019
Cloud services have quickly become the norm, but businesses stand to lose money if they implement them without a good plan. IT ProPortal reports, “Business Are Wasting Millions on Unused Cloud Services.” Writer Sead Fadilpašić cites the European edition of Insight’s recent Intelligent Technology Index, which polled 1,000 European businesses. He writes:
“The report states that more than $36 million are being spent on cloud services a year. Out of that number, almost a third (30 per cent – $10.9m) gets spent on services that end up not being utilised.
When managing how they spend their money on cloud-based services, the respondents have identified three main challenges, which include determining best-fit workloads for public, private and hybrid clouds, planning and allocating budget for cloud consumption, and a lack of visibility of used services at the cost centre, workload and application level.
“‘Cloud continues to be a mission-critical enabler for agile and digital business, but it needs the right approach,’ commented Wolfgang Ebermann, President, Insight EMEA. ‘A robust operating model, that provides oversight and continual optimisation of cloud environments, is critical. Under-utilised technology has been a problem for decades, so it’s not surprising to see the problem spread to the cloud. However, by putting the right controls in place, organisations can optimise cloud consumption and ensure they only pay for services they are using.’”
The report also indicates businesses will continue to invest in new technologies, largely to put the best tech in the hands of their talented employees. That makes sense—but to avoid wasting money, companies must take the time to implement these tools efficiently.
Cynthia Murrell, October 18, 2019