Omegle: Hasta La Vista
November 30, 2023
This essay is the work of a dumb dinobaby. No smart software required.
In the Internet’s early days, users could sign into chatrooms and talk with strangers. While chatrooms have fallen out of favor, the idea of talking with strangers hung on but now it’s accompanied by video. Chat Roulette and Omegle are popular chatting applications that allow users to video chat with random individuals. The apps are notorious for pranks and NSFW content, including child sexual abuse. The Independent shared a story about one of the two: “Omegle Anonymous Chat App Shuts Down After 14 Years.”
Omegle had a simple concept: sign in, be connected to another random person, and video chat for as long as you like. Leif K-Brooks launched the chat platform with good intentions in 2009, but it didn’t take long for bad actors to infiltrate it. K-Brooks tried to stop criminal activities on Omegle with features, such as the “monitored chats” with moderators. They didn’t work and Omegle continued to receive flack. K-Brooks doesn’t want to deal with the criticism anymore:
“The intensity of the fight over use of the site had forced him to decide to shut it down, he said, and it will stop working straight away. ‘As much as I wish circumstances were different, the stress and expense of this fight – coupled with the existing stress and expense of operating Omegle, and fighting its misuse – are simply too much. Operating Omegle is no longer sustainable, financially nor psychologically. Frankly, I don’t want to have a heart attack in my 30s,’ wrote Leif K-Brooks, who has run the website since founding it.”
Omegle’s popularity rose during the pandemic. The sudden popularity surge highlighted the criminal acts on the video chat platform. K-Brooks believes that his critics used fear to shut down the Web site. He also acknowledged that people are quicker to attack and slower to recognize shared humanity. He theorizes that social media platforms are being labeled negatively because of small groups of bad actors.
Whitney Grace, November 30, 2023
Who Benefits from Advertising Tracking Technology? Teens, Bad Actors, You?
November 23, 2023
This essay is the work of a dumb humanoid. No smart software required.
Don’t get me wrong. I absolutely love advertising. When I click to Sling’s or Tubi’s free TV, a YouTube video about an innovation in physics, or visit the UK’s Daily Mail — I see just a little bit of content. The rest, it seems to this dinobaby, to be advertising. For some reason, YouTube this morning (November 17, 2023) is showing me ads for a video game or undergarments for a female-oriented person before I can watch an update on the solemnity of Judge Engoran’s courtroom.
However, there are some people who are not “into” advertising. I want to point out that these individuals are in the minority; otherwise, people flooded with advertising would not disconnect or navigate to a somewhat less mercantile souk. Yes, a few exist; for example, government Web sites. (I acknowledge that some governments’ Web sites are advertising, but there’s not much I can do about that fusion of pitches and objective information about the location of a nation’s embassy.)
But to the matter at hand. I read a PDF titled “Europe’s Hidden Security Crisis.” The document is a position paper, a white paper, or a special report. The terminology varies depending on the entities involved in the assembly of the information. The group apparently nudging the intrepid authors to reveal the “hidden security crisis” could be the Irish Council for Civil Liberties. I know zero about the group, and I know even less about the authors, Dr. Johnny Ryan and Wolfie Christl. Dr. Ryan has written for the newspaper which looks like a magazine, and Mr. Christl is a principal of Cracked Labs.
So what’s the “hidden security crisis”? There is a special operation underway in Ukraine. The open source information crowd is documenting assorted facts and developments on X.com. We have the public Telegram channels outputting a wealth of information about the special operation and the other unhappy circumstances in Europe. We have the Europol reports about cyber crime, takedowns, and multi-nation operations. I receive in my newsfeed pointers to “real” news about a wide range of illegal activities. In short, what’s hidden?
An evil Web bug is capturing information about a computer user. She is not afraid. She is unaware… apparently. Thanks Microsoft Bing. Ooops. Strike that. Thanks, Copilot. Good Grinch. Did you accidentally replicate a beloved character or just think it up?
The report focuses on what I have identified as my first love — commercial messaging aka advertising.
The “hidden”, I think, refers to data collected when people navigate to a Web site and click, drag a cursor, or hover on a particular region. Those data along with date, time, browser used, and similar information are knitted together into a tidy bundle. These data can be used to have other commercial messages follow a person to another Web site, trigger an email urging the surfer to buy more or just buy something, or populate one of the cross tabulation companies’ databases.
The write up uses the lingo RTB or real time bidding to describe the data collection. The report states:
Our investigation highlights a widespread trade in data about sensitive European personnel and leaders that exposes them to blackmail, hacking and compromise, and undermines the security of their organizations and institutions. These data flow from Real-Time Bidding (RTB), an advertising technology that is active on almost all websites and apps. RTB involves the broadcasting of sensitive data about people using those websites and apps to large numbers of other entities, without security measures to protect the data. This occurs billions of times a day. Our examination of tens of thousands of pages of RTB data reveals that EU military personnel and political decision makers are targeted using RTB.
In the US, the sale of data gathered via advertising cookies, beacons, and related technologies is a business with nearly 1,000 vendors offering data. I am not sure about the “hidden” idea, however. If the term applies to an average Web user, most of those folks do not know about changing defaults. That is not a hidden function; that is an indication of the knowledge the user has about a specific software.
If you are interested in the report, navigate to this link. You may find the “security crisis” interesting. If not, keep in mind that one can eliminate such tracking with fairly straightforward preventative measures. For me, I love advertising. I know the beacons and bugs want to do the right thing: Capture and profile me to the nth degree. Advertising! It is wonderful and its data exhaust informative and useful.
Stephen E Arnold, November 23, 2023
Is Your Phone Secure? Think Before Answering, Please
November 21, 2023
This essay is the work of a dumb dinobaby. No smart software required.
I am not going to offer my observations and comments. The article, its information, and the list of companies from The Times of India’s “11 Dangerous Spywares Used Globally: Pegasus, Hermit, FinFisher and More” speaks for itself. The main point of the write up is that mobile phone security should be considered in the harsh light of digital reality. The write up provides a list of outfits and components which can be used to listen to conversations, intercept text and online activity, as well as exfiltrate geolocation data, contact lists, logfiles, and imagery. Some will say, “This type of software should be outlawed.” I have no comment.
Are there bugs waiting to compromise your mobile device? Yep. Thanks, MSFT Copilot. You have a knack for capturing the type of bugs with which many are familiar.
Here’s the list. I have alphabetized by the name of the malware and provided a possible entity name for the owner:
- Candid. Maybe a Verint product? (Believed to be another product developed by former Israeli cyber warfare professionals)
- Chrysaor. (Some believe it was created by NSO Group or NSO Group former employees)
- Dark Tequila. (Requires access to the targeted device or for the user to perform an action. More advanced methods require no access to the device nor for the user to click)
- FinFisher. Gamma Group (The code is “in the wild” and the the German unit may be on vacation or working under a different name in the UK)
- Hawkeye, Predator, or Predator Pain (Organization owning the software is not known to this dinobaby)
- Hermit. RCS Lab (Does RCS mean “remote control service”?)
- Pegasus. NSO Group Pegasus (now with a new president who worked at NSA and Homeland Security)
- RATs (Remote Access Trojans) This is a general class of malware. Many variants.
- Sofacy. APT28 (allegedly)
- XKeyscore (allegedly developed by a US government agency)
Is the list complete? No.
Stephen E Arnold, November 21, 2023
Why Suck Up Health Care Data? Maybe for Cyber Fraud?
November 20, 2023
This essay is the work of a dumb humanoid. No smart software required.
In the US, medical care is an adventure. Last year, my “wellness” check up required a visit to another specialist. I showed up at the appointed place on the day and time my printed form stipulated. I stood in line for 10 minutes as two “intake” professionals struggled to match those seeking examinations with the information available to the check in desk staff. The intake professional called my name and said, “You are not a female.” I said, “That’s is correct.” The intake professional replied, “We have the medical records from your primary care physician for a female named Tina.” Nice Health Insurance Portability and Accountability Act compliance, right?
A moose in Maine learns that its veterinary data have been compromised by bad actors, probably from a country in which the principal language is not moose grunts. With those data, the shocked moose can be located using geographic data in his health record. Plus, the moose’s credit card data is now on the loose. If the moose in Maine is scared, what about the humanoids with the fascinating nasal phonemes?
That same health care outfit reported that it was compromised and was a victim of a hacker. The health care outfit floundered around and now, months later, struggles to update prescriptions and keep appointments straight. How’s that for security? In my book, that’s about par for health care managers who [a] know zero about confidentiality requirements and [b] even less about system security. Horrified? You can read more about this one-horse travesty in “Norton Healthcare Cyber Attack Highlights Record Year for Data Breaches Nationwide.” I wonder if the grandparents of the Norton operation were participants on Major Bowes’ Amateur Hour radio show?
Norton Healthcare was a poster child for the Commonwealth of Kentucky. But the great state of Maine (yep, the one with moose, lovable black flies, and citizens who push New York real estate agents’ vehicles into bays) managed to lose the personal data for 2,192,515 people. You can read about that “minor” security glitch in the Office of the Maine Attorney General’s Data Breach Notification.
What possible use is health care data? Let me identify a handful of bad actor scenarios enabled by inept security practices. Note, please, that these are worse than being labeled a girl or failing to protect the personal information of what could be most of the humans and probably some of the moose in Maine.
- Identity theft. Those newborns and entries identified as deceased can be converted into some personas for a range of applications, like applying for Social Security numbers, passports, or government benefits
- Access to bank accounts. With a complete array of information, a bad actor can engage in a number of maneuvers designed to withdraw or transfer funds
- Bundle up the biological data and sell it via one of the private Telegram channels focused on such useful information. Bioweapon researchers could find some of the data fascinating.
Why am I focusing on health care data? Here are the reasons:
- Enforcement of existing security guidelines seems to be lax. Perhaps it is time to conduct audits and penalize those outfits which find security easy to talk about but difficult to do?
- Should one or more Inspector Generals’ offices conduct some data collection into the practices of state and Federal health care security professionals, their competencies, and their on-the-job performance? Some humans and probably a moose or two in Maine might find this idea timely.
- Should the vendors of health care security systems demonstrate to one of the numerous Federal cyber watch dog groups the efficacy of their systems and then allow one or more of the Federal agencies to probe those systems to verify that the systems do, in fact, actually work?
Without meaningful penalties for security failures, it may be easier to post health care data on a Wikipedia page and quit the crazy charade that health information is secure.
Stephen E Arnold, November 20, 2023
Smart Software for Cyber Security Mavens (Good and Bad Mavens)
November 17, 2023
This essay is the work of a dumb humanoid. No smart software required.
One of my research team (who wishes to maintain a low profile) called my attention to the “Awesome GPTs (Agents) for Cybersecurity.” The list on GitHub says:
The "Awesome GPTs (Agents) Repo" represents an initial effort to compile a comprehensive list of GPT agents focused on cybersecurity (offensive and defensive), created by the community. Please note, this repository is a community-driven project and may not list all existing GPT agents in cybersecurity. Contributions are welcome – feel free to add your own creations!
Open source cyber security tools and smart software can be used by good actors to make people safe. The tools can be used by less good actors to create some interesting situations for cyber security professionals, the elderly, and clueless organizations. Thanks, Microsoft Bing. Does MSFT use these tools to keep people safe or unsafe?
When I viewed the list, it contained more than 30 items. Let me highlight three, and invite you to check out the other 30 at the link to the repository:
- The Threat Intel Bot. This is a specialized GPT for advanced persistent threat intelligence
- The Message Header Analyzer. This dissects email headers for “insights.”
- Hacker Art. The software generates hacker art and nifty profile pictures.
Several observations:
- More tools and services will be forthcoming; thus, the list will grow
- Bad actors and good actors will find software to help them accomplish their objectives.
- A for fee bundle of these will be assembled and offered for sale, probably on eBay or Etsy. (Too bad fr0gger.)
Useful list!
Stephen E Arnold, November 17, 2023
xx
test
AI Is a Rainmaker for Bad Actors
November 16, 2023
This essay is the work of a dumb dinobaby. No smart software required.
How has smart software, readily available as open source code and low-cost online services, affected cyber crime? Please, select from one of the following answers. No cheating allowed.
[a] Bad actors love smart software.
[b] Criminals are exploiting smart orchestration and business process tools to automate phishing.
[c] Online fraudsters have found that launching repeated breaching attempts is faster and easier when AI is used to adapt to server responses.
[d] Finding mules for drug and human trafficking is easier than ever because social media requests for interested parties can be cranked out at high speed 24×7.
“Well, Slim, your idea to use that new fangled smart software to steal financial data is working. Sittin’ here counting the money raining down on us is a heck of a lot easier than robbing old ladies in the Trader Joe’s parking lot,” says the bad actor with the coffin nail of death in his mouth and the ill-gotten gains in his hands. Thanks, Copilot, you are producing nice cartoons today.
And the correct answer is … a, b, c, and d.
For some supporting information, navigate to “Deepfake Fraud Attempts Are Up 3000% in 2023. Here’s Why.” The write up reports:
Face-swapping apps are the most common example. The most basic versions crudely paste one face on top of another to create a “cheapfake.” More sophisticated systems use AI to morph and blend a source face onto a target, but these require greater resources and skills. The simple software, meanwhile, is easy to run and cheap or even free. An array of forgeries can then be simultaneously used in multiple attacks.
I like the phrase “cheap fakes.”
Several observations:
- Bad actors, unencumbered by bureaucracy, can download, test, tune, and deploy smart criminal actions more quickly than law enforcement can thwart them
- Existing cyber security systems are vulnerable to some smart attacks because AI can adapt and try different avenues
- Large volumes of automated content can be created and emailed without the hassle of manual content creation
- Cyber security vendors operate in “react mode”; that is, once a problem is discovered then the good actors will develop a defense. The advantage goes to those with a good offense, not a good defense.
Net net: 2024 will be fraught with security issues.
Stephen E Arnold, November 17, 2023
SolarWinds: Huffing and Puffing in a Hot Wind on a Sunny Day
November 16, 2023
This essay is the work of a dumb humanoid. No smart software required.
Remember the SolarWinds’ misstep? Time has a way deleting memories of security kerfuffles. Who wants to recall ransomware, loss of data, and the general embarrassment of getting publicity for the failure of existing security systems? Not too many. A few victims let off steam by blaming their cyber vendors. Others — well, one — relieve their frustrations by emulating a crazed pit bull chasing an M1 A2 battle tank. The pit bull learns that the M1 A2 is not going to stop and wait for the pit bull to stop barking and snarling. The tank grinds forward, possibly over Solar (an unlikely name for a pit bull in my opinion).
The slick business professional speaks to a group of government workers gathered outside on the sidewalk of 100 F Street NW. The talker is semi-shouting, “Your agency is incompetent. You are unqualified. My company knows how to manage our business, security, and personnel affairs.” I am confident this positive talk will win the hearts and minds of the GS-13s listening. Thanks, Microsoft Bing. You obviously have some experience with government behaviors.
I read “SolarWinds Says SEC Sucks: Watchdog Lacks Competence to Regulate Cybersecurity.” The headline attributes the statement to a company. My hunch is that the criticism of the SEC is likely someone other than the firm’s legal counsel, the firm’s CFO, or its PR team.
The main idea, of course, is that SolarWinds should not be sued by the US Securities & Exchange Commission. The SEC does have special agents, but no criminal authority. However, like many US government agencies and their Offices of Inspector General, the investigators can make life interesting for those in whom the US government agency has an interest. (Tip: I will now offer an insider tip. Avoid getting crossways with a US government agency. The people may change but the “desks” persist through time along with documentation of actions. The business processes in the US government mean that people and organizations of interest can be the subject to scrutiny. Like the poem says, “Time cannot wither nor custom spoil the investigators’ persistence.”)
The write up presents information obtained from a public blog post by the victim of a cyber incident. I call the incident a misstep because I am not sure how many organizations, software systems, people, and data elements were negatively whacked by the bad actors. In general, the idea is that a bad actor should not be able to compromise commercial outfits.
The write up reports:
SolarWinds has come out guns blazing to defend itself following the US Securities and Exchange Commission’s announcement that it will be suing both the IT software maker and its CISO over the 2020 SUNBURST cyberattack.
The vendor said the SEC’s lawsuit is "fundamentally flawed," both from a legal and factual perspective, and that it will be defending the charges "vigorously." A lengthy blog post, published on Wednesday, dissected some of the SEC’s allegations, which it evidently believes to be false. The first of which was that SolarWinds lacked adequate security controls before the SUNBURST attack took place.
The right to criticize is baked into the ethos of the US of A. The cited article includes this quote from the SolarWinds’ statement about the US Securities & Exchange Commission:
It later went on to accuse the regulator of overreaching and "twisting the facts" in a bid to expand its regulatory footprint, as well as claiming the body "lacks the authority or competence to regulate public companies’ cybersecurity. The SEC’s cybersecurity-related capabilities were again questioned when SolarWinds addressed the allegations that it didn’t follow the NIST Cybersecurity Framework (CSF) at the time of the attack.
SolarWinds feels strongly about the SEC and its expertise. I have several observations to offer:
- Annoying regulators and investigators is not perceived in some government agencies as a smooth move
- SolarWinds may find that its strong words may be recast in the form of questions in the legal forum which appears to be roaring down the rails
- The SolarWinds’ cyber security professionals on staff and the cyber security vendors whose super duper bad actor stoppers appear to have an opportunity to explain their view of what I call a “misstep.”
Do I have an opinion? Sure. You have read it in my blog posts or heard me say it in my law enforcement lectures, most recently at the Massachusetts / New York Association of Crime Analysts’ meeting in Boston the first week of October 2023.
Cyber security is easier to describe in marketing collateral than do in real life. The SolarWinds’ misstep is an interesting case example of reality being different from the expectation.
Stephen E Arnold, November 16, 2023
AI Makes Cyberattacks Worse. No Fooling?
November 7, 2023
This essay is the work of a dumb humanoid. No smart software required.
Why does everyone appear to be surprised by the potential dangers of cyber attacks? Science fiction writers and even the crazy conspiracy theorists with their tin foil hats predicted that technology would outpace humanity one day. Tech Radar wrote an article about how AI like ChatGPT makes cyber attacks more dangerous than ever: “AI Is Making Cyberattacks Even Smarter And More Dangerous.”
Tech experts want to know how humans and AI algorithms compare when it comes to creating scams. IBM’s Security Intelligence X-Force team accepted the challenge with an experiment about phishing emails. They compared human written phishing emails against those ChatGPT wrote. IBM’s X-Force team discovered that the human written emails had higher clicks rates, giving them a slight edge over the ChatGPT. It was a very slight edge that proves AI algorithms aren’t far from competing and outpacing human scammers.
Human written phishing scams have higher click rates, because of emotional intelligence, personalization, and ability to connect with their victims.
“All of these factors can be easily tweaked with minimal human input, making AI’s work extremely valuable. It is also worth noting that the X-Force team could get a generative AI model to write a convincing phishing email in just five minutes from five prompts – manually writing such an email would take the team about 16 hours. ‘While X-Force has not witnessed the wide-scale use of generative AI in current campaigns, tools such as WormGPT, which were built to be unrestricted or semi-restricted LLMs were observed for sale on various forums advertising phishing capabilities – showing that attackers are testing AI’s use in phishing campaigns,’ the researchers concluded.”
It’s only a matter of time before the bad actors learn how to train the algorithms to be as convincing as their human creators. White hat hackers have a lot of potential to earn big bucks as venture startups.
Whitney Grace, November 7, 2023
Cyber Security Professionals May Need Worry Beads. Good Worry Beads
November 1, 2023
This essay is the work of a dumb humanoid. No smart software required.
I read “SEC Charges SolarWinds and Its CISO With Fraud and Cybersecurity Failures.” Let’s assume the write up is accurate or — to hit today’s target for excellence — the article is close enough for horseshoes. Armed with this assumption, will cyber security professionals find that their employers or customers will be taking a closer look at the actual efficacy of the digital fences and news flows that keep bad actors outside the barn?
A very happy bad actor laughs after penetrating a corporate security system cackles in a Starbucks: “Hey, that was easy. When will these people wake up that you should not have fired me.” Thanks, MidJourney, not exactly what I wanted but good enough, the new standard of excellence.
The write up suggests that the answer may be a less than quiet yes. I noted this statement in the write up:
According to the complaint filed by the SEC, Austin, Texas-based SolarWinds and Brown [top cyber dog at SolarWinds] are accused of deceiving investors by overstating the company’s cybersecurity practices while understating or failing to disclose known risks. The SEC alleges that SolarWinds misled investors by disclosing only vague and hypothetical risks while internally acknowledging specific cybersecurity deficiencies and escalating threats.
The shoe hit the floor, if the write up is on the money:
A key piece of evidence cited in the complaint is a 2018 internal presentation prepared by a SolarWinds engineer [an employee who stated something senior management does not enjoy knowing] that was shared internally, including with Brown. The presentation stated that SolarWinds’ remote access setup was “not very secure” and that exploiting the vulnerability could lead to “major reputation and financial loss” for the company. Similarly, presentations by Brown in 2018 and 2019 indicated concerns about the company’s cybersecurity posture.
From my point of view, there are several items to jot down on a 4×6 inch notecard and tape on the wall:
- The “truth” is often at odds with what senior managers want to believe, think they know, or want to learn. Ignorance is bliss, just not a good excuse after a modest misstep.
- There are more companies involved in the foul up than the news sources have identified. Far be it from me to suggest that highly regarded big-time software companies do a C minus job engineering their security. Keep in mind that most senior managers — even at high tech firms — are out of the technology loop no matter what the LinkedIn biography says or employees believe. Accountants and MBA are good at some things, bad at others. Cyber security is in the “bad” ledger.
- The marketing collateral for most cyber security, threat intelligence services, and predictive alerting services talks about a sci-fi world, not the here and now of computer science students given penetration assignments from nifty places like Estonia and Romania, among others. There are disaffected employees who want to leave their former employers a digital hickey. There are developers, hired via a respected gig matcher, who will do whatever an anonymous customer requires for hard cash or a crypto payment. Most companies have no idea how or where the problem originates.
- Think about insider threats, particularly when insiders include contractors, interns, employees who are unloved, or consulting firm with a sketchy wizard gathering data inside of a commercial operation.
Sure, cyber security just works. Yeah, right. Maybe this alleged action toward a security professional will create some discomfort and a few troubled dreams. Will there be immediate and direct change? Nope. But the PowerPoint decks will be edited. The software will not be fixed up as quickly. That’s expensive and may not be possible with a cyber security firm’s current technical staff and financial resources.
Stephen E Arnold, November 1, 2023
Quantum Security? Yep, Someday
October 24, 2023
![Vea4_thumb_thumb_thumb_thumb_thumb_t[2]](https://arnoldit.com/wordpress/wp-content/uploads/2023/10/Vea4_thumb_thumb_thumb_thumb_thumb_t2-27.gif "Vea4_thumb_thumb_thumb_thumb_thumb_t[2]")
Note: This essay is the work of a real and still-alive dinobaby. No smart software involved, just a dumb humanoid.
How is this for a brilliant statistical item: “61% of Firms Worry They Are Unprepared for Security Risks in Quantum Era.”
The write up reports with apparent seriousness:
Some 61% have expressed concern their organization is not and will not be prepared to handle security implications that may surface in a post-quantum computing future, according to a survey conducted by Ponemon Institute. Commissioned by DigiCert, the study polled 1,426 IT and cybersecurity professionals who have knowledge of their company’s approach to post-quantum cryptography. Among them were 605 from the US, 428 in EMEA, and 393 across Asia-Pacific.
Apparently some people missed one of the largest security lapses since 9/11. Israel’s high profile smart cyber security capabilities was on leave. The result is what is labeled as the Israel Hamas war. If the most sophisticated cyber security outfits in Tel Aviv cannot effectively monitor social media, the Web, and intercepted signals for information about an attack more than a year in planning, what about the average commercial operation? What about government agencies? What about NGOs?
Boo, I am the quantum bully. Are you afraid yet? Thanks, MidJourney. Terrible cartoon but close enough for horse shoes.
Yet I am to accept that 61 percent of the survey sample is concerned about quantum compromises? My hunch is that the survey sample respondent checked a box. The other survey questions did not ferret out data about false belief that current technology makes these folks vulnerable.
I don’t know where the error has spread. Was it the survey design? The sample selection? The interpretation of the data? The lax vetting of the survey results by ZDNet? Or, maybe a Fiverr.com contractor doing the work for a couple of hundred dollars?
Quantum when today’s vanilla services fail? Wow, some people are thinking about the future, assuming today is peachy keen in the cyber security department. Marketers are amazing when the statement, “Let’s do a survey,” and off to the races and lunch the folks go.
Stephen E Arnold, October 24, 2023
-
- Subscribe to Beyond Search
Feature archive
News archive
-
