Tactical AI: Research for the 21st Century
October 23, 2020
The company is Tactical Analysis Intelligence. The acronym is Tactical AI. The URL is tactical-ai.com. Clever. Indexing systems will glom onto the “ai,” and the name suggests advanced technologies. The company’s business is, according to its Web site:
a premier boutique information search provider of numerous public and non-public internet sources. Our proprietary deep search system and monitoring service has a proven track record of providing businesses with the data they need to make informed, critical business decisions.
The company performs “deep Web search.” The idea is that when you search via Bing, Google, or Swisscow, you are doing shallow search. The company also delivers Dark Web breach monitoring. The idea is that the increasingly small Dark Web requires specialized skills.
I learned about this company via a link to its “white paper” or article called “Going Undercover for Your Company on the Dark Web? Read This First.” The article provides some information which leads some readers to the conclusion that Dark Web research requires an expert. That’s where Tactical Analysis Intelligence enters. The company’s article by the same name is a link to a Department of Justice document. That’s okay, just a surprise.
After scanning the company’s Web site, I concluded that librarians, before the Great Disintermediation decimated their ranks, should have had Tactical’s marketing know-how.
Keep in mind that:
- Forums, discussion groups, and digital watering holes are no longer confined to the Dark Web
- The “regular” Web houses a surprising amount of information, including facts about companies which do classified work and do their level best to remain invisible; for example, ATA in Albuquerque, NM.
- Chat tools like WhatsApp, Telegram, and others have become alternatives now that the Dark Web is getting tinier.
What services provide access to threat intelligence from these sources? That’s a good question.
The experts in cyber open source intelligence might be able to help. Is it possible the author of CyberOSINT could offer some guidance? No, doubtful.
Stephen E Arnold, October 23, 2020
Dark Web Sites Losing Out to Encrypted Chat Apps?
October 14, 2020
With several Dark Web marketplaces falling to either law enforcement successes or to their own administrators’ “exit scams,” it was predicted vendors and buyers of illegal goods would shift to another alternative, one that promises end-to-end encryption. However, Bank Info Security explains “Why Encrypted Chat Apps Aren’t Replacing Darknet Markets.” To be sure, some criminals do use these apps, but they have been running into some disadvantages. Writer Mathew J. Schwartz specifies:
“One is the challenge of finding – or marketing – goods and services being provided via chat apps. Fear about the reliability of legitimate platforms – and of the risk of getting sold out – is another factor. ‘By trusting a legitimate third-party application’s encryption and anonymity policies, threat actors are placing their trust in non-criminals,’ the ‘Photon Research Team’ at digital risk protection firm Digital Shadows tells me. Criminals typically prefer to avoid such situations. … Chat platforms’ smaller scale can also be an unwelcome limitation for criminals because fewer customers means lower profits for sellers or chat-channel administrators. ‘Most instant messaging platforms tend to be smaller in terms of number of participants and also geographically focused or limited by language – limiting the reach,’ Raveed Laeb and Victoria Kivilevich, respectively product manager and threat intelligence analyst at Israeli cyber threat intelligence monitoring firm Kela, tell me. ‘Another limit is that many chat channels focus on one subject – meaning that one channel features drugs, another one offers enrolls and so on. Thus, it lowers potential profits for the channel’s admins,’ they say.”
It is true that legitimate encrypted apps have plenty of incentive to cooperate with the authorities. So why not build an alternative by criminals for criminals? Some have tried that, with networks like BlackBox, Phantom Secure, and EncroChat, all of which were summarily busted by law enforcement. There are likely more out there, but they may suffer the same fate.
In the end, it seems many dark-market vendors are sticking with the marketplaces. It makes sense in our view—we see the two avenues as complements to one another, anyway. Meanwhile, though, certain marketplaces are abandoning some of their traditional sellers: We’re told illegal drugs are being banned at these sites in favor of digitally transmittable products like malware, stolen databases, login credentials, and other cybercrime tools and services. There is the absence of complications caused by physical packages, but these products also exist in a grey area in many jurisdictions. (We note no mention is made of other items of high concern, like child pornography or weapons.) Schwartz supposes admins believe ceasing to market illegal drugs will make their sites smaller targets. Perhaps?
Cynthia Murrell, October 14, 2020
Scammers Have Better Technology But Not New Ideas
September 30, 2020
Scammers are opportunists. They use anything and everything to con people out of their valuables and the Internet is the best tool in a scammer’s toolbox. Scammers might be armed with advanced technology, but their scam ideas are not. Because scammers are not original, they are predictable but sophisticated. The Journal of Cyber Policy wrote about scammers in “New Techniques, Same Old Phone Scams.”
A classic scam technique is the “too good to be true offer,” such as a free vacation or an investment opportunity. Scam artists make robocalls with these offers, and the calls used to be easy to spot because they came from out-of-state numbers. Spoofing technology, however, lets these robocalls display local area numbers, making the scams harder to detect. In 2019, the Federal Trade Commission reported that people paid $667 million to scammers, mostly with gift cards.
Scammers’ sophistication levels are rising too. There are entire call centers in Asia and Africa dedicated to making scam calls. These call centers masquerade as reputable businesses such as Apple, Amazon, PayPal, banks, etc., and attempt to convince people that an account has been breached, that payments are late, or that their identity (ironically) has been stolen. Companies and banks never randomly email or call asking to confirm sensitive information. They advise people to delete such emails or hang up on such callers.
Another new scam is calling people and claiming that a relative is facing legal action. The scammers call every member of a family, and when the person in question calls back, it turns out they need to share their Social Security number and date of birth. It is an excellent tactic, because it calls people’s reputation into question and makes them believe they are in legal trouble.
Scammers are using the same tactics as they have for centuries, but being wise to their ways prevents theft:
“As phone scams continue to evolve, it is helpful to know the warning signs. Always be wary of unsolicited callers, even if you are familiar with the company from which they claim to be calling. Scammers will use the threat of jail time or a fine to induce the victim into a state of fear — pressuring the victim into handing over sensitive information. If the caller requests financial or other sensitive information, hang up and call the company back directly (through a number you can verify) to inquire about this issue. The FCC Tip Card is a brief, yet valuable, resource that provides information on spoofing scams. It would also be wise to register your phone number with the National Do Not Call Registry. Afterward, you shouldn’t receive telemarketing calls, and if you do, there’s a good chance they are a scam. As we continue to interact in this ever-evolving virtual world, we must remain on high alert against the deception of persistent fraudsters who are using new techniques for the same old phone scams.”
This is why it is important to read and watch the news, so you are aware of potential threats.
Whitney Grace, September 30, 2020
Pastebin: And Its Purpose Is?
September 29, 2020
DarkCyber noted “Pastebin Adds Burn After Read and Password Protected Pastes to the Dismay of the Infosec Community.”
Here’s the passage one of the DarkCyber researchers noted before sending the item to me:
Named “Burn After Read” and “Password Protected Pastes,” the two new features allow Pastebin users to create pastes (pieces of text) that expire after a single read or pastes that are protected by a password.
“And the purpose of pastesites is?” is a question the write up does not answer. On the surface, sharing snips of text seems innocent enough.
The write up notes:
While some people use it to host pieces of code or text they wanted to share with a colleague, over the past decade, Pastebin has also turned into a de-facto hosting service for malicious code.
There are some other interesting use cases too. Years ago, DarkCyber learned about pastesite flexibility in information provided by Recorded Future, the predictive analytics outfit. Among the more interesting functions of Pastebin in particular and the dozens of other text hosting outfits was providing ONION addresses for unusual and interesting Dark Web destinations, among other types of content.
There’s a common sense suggestion in the write up too: Block pastesites.
Some law enforcement and intelligence professionals have a passing interest in Pastebin and similar sites. Pastebin has an Abuse Management and Threat Analysis team ready to assist LE and intel professionals with their requests. Sometimes the requests require documents, authorizations, and explanations. Speedy response is possible. But how “speedy” is speedy? That’s another good question ignored by the write up.
Stephen E Arnold, September 29, 2020
US and Cyber Proactivity
September 15, 2020
Kinetic assaults on the United States still pose a great risk, but even greater threats exist in digital spaces. Hacking, malware, viruses, and more could potentially damage the American way of life more than a physical attack. The Star Tribune reports that the “Military’s Top Cyber Official Defends More Aggressive Stance” on attacks taking place on the Internet. General Paul Nakasone defends the more aggressive stance because the military has become more proactive in order to defeat sophisticated threats.
Nakasone stated that instead of holding a “reactive, defensive posture,” the military is meeting foreign adversaries online. Instead of waiting to be attacked, the military investigates potential threats and takes the necessary action to stop them. Two examples of taking offensive action are:
“As an example, Nakasone cited a mission from last October in which Cyber Command dispatched an elite team of experts to Montenegro to join forces with the tiny Balkan state, which was targeted by Russia-linked hackers. The “hunt forward” mission not only helped defend an ally but was also an opportunity for the U.S. to improve its own cyber defenses before the 2020 election, Nakasone wrote. Cyber Command and NSA worked before the 2018 U.S. midterm election to protect against Russian meddling, he said, creating a task force that shared information about potential compromises and other threats, including how to counter trolls on social media.”
Arguably this prevented interference in the US midterm elections, and the plan is to prevent further possible threats to the 2020 presidential election.
Cyber Command was established in 2010 to defend against cyber attacks on the Department of Defense’s classified and unclassified networks. Cyber Command’s offensive strategy has changed from its original purpose to “proactively hunt for adversary malware on our own networks rather than simply waiting for an intrusion to be identified.” Cyber Command also shares information on malware as it is discovered so that it is less of a threat.
Inaction often leads to attacks that could be avoided. If Cyber Command does nothing, then when an attack occurs people are upset. However, if Cyber Command is on the offensive it is seen as unnecessary aggression by certain parties. It is a catch-22, but also not.
Whitney Grace, September 15, 2020
DarkCyber for 8-25-20: Andrax Hacker Toolkit, NSO Group PR Push, Tor Under Attack, and Eagle Drone Killer
August 25, 2020
DarkCyber is a video news program produced by Stephen E Arnold, publisher of Beyond Search and DarkCyber. You can view this week’s program on YouTube or Facebook.
The program for August 25, 2020, contains four stories. The first focuses on a hacker’s toolkit called Andrax. The packager of this penetration testing bundle makes some bold claims. Security professionals who use highly regarded pentest systems from ImmunitySec are called “dumbs” and “lamers.” Clever or uninformed marketing? You have to determine the answer for yourself.
The second story summarizes highlights of Massachusetts Institute of Technology’s “Technology Review” interview with the founder of NSO Group. NSO Group–unlike most vendors of specialized software–has been the subject of media scrutiny. In the interview, the founder of NSO Group seems to suggest that he does not understand the intelware market. Even more interesting is MIT’s decision to publish the interview and give NSO Group more media exposure. DarkCyber asks a question others have not posed.
The third story reviews two surprising items of information from a Nusenu study or analysis. (Nusenu may be a security firm, a Web services vendor, or a single individual.) The first interesting revelation in the Nusenu report is that about 25 percent of Tor relay exit servers have been compromised by an unknown third party. The second juicy morsel is the identification of five Internet service providers who may be hosting Tor relay servers and other interesting services.
The final story zooms to a single eagle. The Michigan government learned that an expensive drone was destroyed by an eagle. If you want your own raptor to knock down surveillance drones, DarkCyber provides a company that will provide an organic c-UAS (counter unmanned aerial system).
Kenny Toth, August 25, 2020
Me Too, Me Too: Password Matching
August 7, 2020
Digital Shadows, founded in 2011, offers its Searchlight service. Terbium Labs, founded in 2013, offers its Matchlight service. Enzoic, founded in 2016, offers its password matching service. Scattered along the information highway are other cyber security firms offering variations on looking for compromised information on the Regular Web, the Dark Web, and any other online source the crawlers can reach. I mention these companies and their similar matching services because DarkCyber spotted “LogMeIn Introduces New Lastpass Security Dashboard and Dark Web Monitoring, Delivering a Complete Command Center for Managing Digital Security.” The write up states:
In addition to displaying weak and reused passwords, the new Security Dashboard now gives all LastPass users, regardless of tier, a full picture of their online security, providing complete control over their digital life and peace of mind that accounts are protected.
What’s interesting is that the capability to perform this type of LastPass check has been around for many years. Progress. People seeing the “light”? Some bad actors simply brute force passwords because many individuals prefer passwords from this list. The fact that strong passwords are not widely used contributes to bad actors’ success.
Stephen E Arnold, August 7, 2020
Messaging: Pushing the Envelope
July 31, 2020
In my lectures for the 2020 National Cyber Crime Conference, I discussed messaging as a rapidly evolving mechanism. Simple text has morphed into a viable alternative to a traditional Dark Web site. Via encrypted messaging services, individuals can join groups, locate products and services, and pay for them, often with bitcoin or another digital currency. Although it is possible to compromise encrypted messages, the volume poses a significant problem for law enforcement. I pointed out that the developers of Telegram reached an agreement with Russia in order to prevent their messaging service from being blocked.
Another messaging service warrants some attention. The service is called Element. Element was formerly known as Riot and Vector, according to some individuals. The system is based on Matrix; that is, an open source protocol for real time communication. Element, like other modern messaging systems, encrypts data.
According to an email from an individual who wishes to remain anonymous, the Element messaging service can interact with other services, including the aforementioned Telegram. Is Element an alternative to Slack and similar programs like Microsoft Teams?
The answer is, “Could be.”
Slack and Teams are widely known and engaged in what may become an interesting legal tussle. Facebook, however, continues to push toward a unified messaging platform, offering features that make finding, buying, selling, and communicating a mostly one click process.
Element has the potential to become an open source alternative to encrypted messaging solutions from vendors like Facebook and Telegram.
In light of the capabilities of the US National Security Agency and the continuing efforts of the European Union to force providers to allow instream decryption, the resolution is likely to be political.
Until users of encrypted messaging services demand government respect for privacy, which is a Fourth Amendment issue in the US, governments will continue to pressure and possibly resort to what some may characterize as blackmail. The pressure may be unconstitutional in some countries and unwarranted in others.
Encrypted messaging has become the “new” Dark Web if the DarkCyber research team’s analysis is accurate. The issue is yet another one to add to the pile of contentious services for ubiquitous mobile devices.
For more information about the chat service, navigate to the Element information page.
Stephen E Arnold, July 31, 2020
DarkCyber for July 28, 2020, Now Available
July 28, 2020
The July 28, 2020, DarkCyber is now available. You can view the program on YouTube or on Vimeo.
DarkCyber reports on online crime, cyber crime, and lesser known Internet services. The July 28, 2020, program includes six stories. First, DarkCyber explains how a miniaturized surveillance device suitable for mounting on an insect moves its camera. With further miniaturization, a new type of drone swarm becomes practical. Second, DarkCyber explains that a stolen personal financial instrument costs little. The vendors guarantee an 80 percent success rate on their stolen personally identifiable information, or fullz. Third, SIM card limits are in place in South Africa. Will such restrictions on the number of mobile SIM cards spread to other countries, or are the limits already in place, just not understood? Fourth, Coinbase bought a bitcoin deanonymization company. Then Coinbase licensed the technology to the US Secret Service. Twitter denizens were not amused. Fifth, Microsoft released a road map to a specific type of malware. Then, two years later, the story was picked up, further disseminating what amounts to a how-to. DarkCyber explains where to download the original document. The final story presents DarkCyber’s view of the management lapses which made the Twitter hack a reality. Adult management is now imperative at the social media company doing its best to create challenges for those who value civil discourse and an intact social fabric.
The delay between our June 9, 2020, video about artificial intelligence composing “real” music and today’s program is easy to explain. Stephen E Arnold, the 76 year old wobbling through life, had the DarkCyber and Beyond Search team working on his three presentations at the US National Cyber Crime Conference. These programs are available via the NCC contact point in the Massachusetts Attorney General’s Office.
The three lectures were:
- Amazon policeware, which we pre-recorded in the DarkCyber format
- A live lecture about investigative software
- A live lecture about Dark Web trends in 2020.
Based on data available to the DarkCyber team, the septuagenarian reached about 500 of the 2000 attendees. Go figure.
Kenny Toth, July 28, 2020
A Survey of Prices from the Dark Web
July 21, 2020
The Dark Web may not be the giant repository of badness that some popularizers of sci-fi assert, but it is a challenge for some enforcement professionals.
As important as our personal and financial information is to each of us, it can come as a surprise how cheaply some hacked data can be purchased on the Dark Web. After considerable research, Privacy Affairs illustrates this point in its “Dark Web Price Index 2020.” Reporter Miguel Gomez writes:
“The privacy offered by software such as TOR creates an environment where criminals can sell their wares on the dark web without the worry of law enforcement. What’s more, many will have heard the horror stories of people’s bank accounts being cleaned out, or their identity stolen and turning up in custody in Mexico. Again, not unjustified horror. You might be asking yourself, just how easy is it to obtain someone else’s personal information, documents, account details? We certainly were. Whilst there are many marketplaces on the dark web, there are even more forum posts warning of scammers. This makes verified prices difficult to obtain without ordering the items to find out, which of course we didn’t. Our methodology was to scan dark web marketplaces, forums, and websites, to create an index of the average prices for a range of specific products. We were only interested in products and services relating to personal data, counterfeit documents, and social media.”
The researchers compiled eye-opening lists of products and going rates; interested readers should navigate there to view the entire roster. A few examples: credit card details for an account with a balance of up to $5,000 for just 20 bucks; a hacked Twitter account for $49; a 24-hour-long DDoS attack against an unprotected website, at 10-50k requests per second, for $60. Considerably more expensive, though, are passports from the US, Canada, or Europe at $1,500 or quality malware attacks at 1,000 for $1,400 – $6,000.
The article includes a few interesting details alongside the prices, like the fact that vendors usually guaranteed 8 out of 10 stolen credit cards would pay off as advertised. Also, PayPal account details were very common and cheap, but actual transfers from a hacked account were pricier. And apparently counterfeit bills are extremely common, with the highest quality ones costing about 30% of their face value. They even come with a “UV pen test guarantee.” See the write-up for more curious, if concerning, details.
Cynthia Murrell, July 21, 2020