An Algorithm to Pinpoint Human Traffickers

May 4, 2021

We love applications of machine learning that actually benefit society. Here is one that may soon be “Taking Down Human Traffickers Through Online Ads,” reports the Eurasia Review. The algorithm began as a way to spot anomalies (like typos) in data but has evolved into something more. Now dubbed InfoShield, it was tweaked by researchers at Carnegie Mellon University and McGill University. The team presented a paper on its findings at the most recent IEEE International Conference on Data Engineering. We learn:

“The algorithm scans and clusters similarities in text and could help law enforcement direct their investigations and better identify human traffickers and their victims, said Christos Faloutsos, the Fredkin Professor in Artificial Intelligence at CMU’s School of Computer Science, who led the team. ‘Our algorithm can put the millions of advertisements together and highlight the common parts,’ Faloutsos said. ‘If they have a lot of things in common, it’s not guaranteed, but it’s highly likely that it is something suspicious.’”

According to the International Labor Organization, ads for four or more escorts penned by the same writer indicate the sort of organized activity associated with human trafficking. The similarities detected by InfoShield can pinpoint such common authorship. The organization also states that 55% of the estimated 24.9 million people trapped in forced labor are women and girls trafficked in the commercial sex industry. Online ads are the main way their captors attract customers. The write-up continues:

“To test InfoShield, the team ran it on a set of escort listings in which experts had already identified trafficking ads. The team found that InfoShield outperformed other algorithms at identifying the trafficking ads, flagging them with 85% precision.”

The researchers ran into a snag when it came to having peers verify their results. Due to the sensitive nature of their subject, they could neither share their data nor publish examples of the similarities InfoShield identified. Happily, they found a substitute data sample—tweets posted by Twitter bots presented a similar pattern of organized activity. We’re told:

“Among tweets, InfoShield outperformed other state-of-the-art algorithms at detecting bots. Vajiac said this finding was a surprise, given that other algorithms take into account Twitter-specific metrics such as the number of followers, retweets and likes, and InfoShield did not. The algorithm instead relied solely on the text of the tweets to determine bot or not.”

That does sound promising. We hope authorities can use InfoShield to find and prosecute many, many human traffickers and free their victims.

Cynthia Murrell, May 4, 2021

DarkCyber for May 4, 2021, Now Available

May 4, 2021

The 9th 2021 DarkCyber video is now available on the Beyond Search Web site. Will the link work? If it doesn’t, the Facebook link can assist you. The original version of this 9th program contained video content from an interesting Dark Web site selling malware and footage from the PR department of the university which developed the kid-friendly Snakebot. Got kids? You will definitely want a Snakebot, but the DarkCyber team thinks that US Navy Seals will be in line to get duffle of Snakebots too. These are good for surveillance and termination tasks.

Plus, this 9th program of 2021 addresses five other stories, not counting the Snakebot quick bite. These are: [1] Two notable take downs, [2] iPhone access via the Lightning Port, [3] Instant messaging apps may not be secure, [4] VPNs are now themselves targets of malware, and [5] Microsoft security with a gust of SolarWinds.

The complete program is available — believe it or not — on Tess Arnold’s Facebook page. You can view the video with video inserts of surfing a Dark Web site and the kindergarten swimmer friendly Snakebot at this link: https://bit.ly/2PLjOLz. If you want the YouTube approved version without the video inserts, navigate to this link.

DarkCyber is produced by Stephen E Arnold, publisher of Beyond Search. You can access the current video plus supplemental stories on the Beyond Search blog at www.arnoldit.com/wordpress.

We think smart filtering is the cat’s pajamas, particularly for videos intended for law enforcement, intelligence, and cyber security professionals. Smart software crafted in the Googleplex is on the job.

Kenny Toth, May 4, 2021

Ransomware: A Great Lakes of Sitting Ducks

April 29, 2021

I read “No Ransomware Silver Bullet, Crooks Out of Reach.” The explicit point in the write up is that ransomware is a big deal and there’s no fix in sight. The implicit point is that existing cyber security systems don’t work. In the sunshine of SolarWinds, I assumed there was cyber security progress. Yeah, sorry.

The write up states:

The U.S. government now deems ransomware a national security threat. The FBI has just created a task force to tackle it.

The bad actors are slick operators; for example:

Some top ransomware criminals fancy themselves software service professionals. They take pride in their “customer service,” providing “help desks” that assist paying victims in file decryption. And they tend to keep their word. They have brands to protect, after all.

What’s the fix?

Committee meetings, recommendations, legislative action – these are good ideas.

In short, there is a veritable Great Lakes filled with sitting ducks. Have you tried to herd ducks? I have. Tough work. Marketing, reports, and hearings are much easier. Quack, quack, quack.

Stephen E Arnold, April 29, 2021

Cyber Security Quote to Note: Seeing Is Important

April 28, 2021

I read a Washington Post article with a somewhat misleading title. The main point of the write up is that the US Department of Defense began using a large block of IP addresses in January 2021. These reason for the shift from dormant holding to active use of the Internet addresses related to cyber security. That’s the explanation in the write up. In the news story there was an important statement attributed to an anonymous source (a very popular way to report “real” news). Here’s the quote:

If you can’t see it, you can’t defend it.

In my opinion this is accurate. The statement underscores what I have commented upon in this blog and in my DarkCyber bimonthly video program DarkCyber. The SolarWinds and more recent security missteps have been missed by the commercial and governmental systems designed to spot cyber attacks and malware.

Having more traffic to monitor is a good thing. The problem is what I call the 21st century horse and barn situation. Here it is again:

Barn burned. Horses gone. Globus (Russia) retail space constructed where the hay used to be stored.

Better late than never? Yeah, sure.

Stephen E Arnold, April 28, 2021

Signal and Cellebrite: Raising Difficult Questions

April 22, 2021

Signal published an summary of its exploration of the Cellebrite software. Founded in Israel and now owned by the Japanese company Sun Corporation, Cellebrite is a frequent exhibitor, speaker, and training sponsor at law enforcement and intelligence conferences. There are units and subsidiaries of the company, which are not germane to this short blog post. The company’s main business is to provide specialized services to make sense of data on mobile devices. Yes, there are other use cases for the company’s technology, but phones are a magnet at the present time.

Exploiting Vulnerabilities in Cellebrite UFED and Physical Analyzer from an App’s Perspective” makes clear that Cellebrite’s software is probably neither better nor worse than the SolarWinds, Microsoft Exchange Server, or other vendors’ software. Software has bugs, and once those bugs are discovered and put into circulation via a friendly post on a Dark Web pastesite or a comment in a tweet, it’s party time for some people.

Signal’s trope is that the Cellebrite “package” fell off a truck. I am not sure how many of those in my National Cyber Crime 2021 lectures will find that explanation credible, but some people are skeptics. Signal says:

[Cellebrite’s] products have often been linked to the persecution of imprisoned journalists and activists around the world, but less has been written about what their software actually does or how it works. Let’s take a closer look. In particular, their software is often associated with bypassing security, so let’s take some time to examine the security of their own software.

The write up then points out vulnerabilities. The information may be very useful to bad actors who want to configure their mobile devices to defeat the Cellebrite system and method. As readers of this blog may recall, I am not a big fan of disclosures about specialized software for certain government entities. Others — like the Signal analysts — have a different view point. I am not going to get involved in a discussion of this issue.

What I want to point out is that the Signal write up, if accurate, is another example of a specialized services vendor doing the MBA thing of over promising, overselling, and over marketing a cyber security solution.

In the context of the cyber security threat intelligence services which failed to notice the not-so-trivial SolarWinds, Microsoft Exchange Server, and Pulse Secure cyber missteps — the Signal essay is important.

Let me express my concern in questions:

What if the cyber security products and services are not able to provide security? What if the indexes of the Dark Web are not up to date and complete so queries return misleading results? What if the auto-generate alerts are based on flawed  methods?

The cyber vendors and their customers are likely to respond, “Our products are more than 95 percent effective.” That may be accurate in some controlled situations. But at the present time, the breaches and the Signal analysis may form the outlines of a cyber environment in which expensive cyber tools are little more than plastic hammers and saws. Expensive plastic tools which break when subjective to real world work.

Stephen E Arnold, April 22, 2021

DarkCyber for April 20, 2021, Now Available

April 20, 2021

The DarkCyber video news program for April 20, 2021, is now available on Beyond Search or at this link. The program covers cyber crime, lesser known online services, and related technologies. DarkCyber appears twice each month and contains no sponsored content or advertising.

This week’s program includes five stories:

  1. Policeware marketing, unchanged since 1980, is given the investigative news treatment. Interesting but not news and not unusual
  2. Caller ID spoofing solutions for programmers and general mobile phone users
  3. The sounds of silence: How large companies are explaining security lapses
  4. Cisco Systems explains who cares about privacy
  5. Russia’s most advanced drone looks like a 40 year old US aircraft, just with artificial intelligence.

The DarkCyber video news program is produced by Stephen E Arnold, publisher of Beyond Search and author of CyberOSINT: Next Generation Information Access. The stories are selected and written by the team which assembled The Dark Web Notebook: A Guide for Law Enforcement.

Kenny Toth, April 20, 2021

DarkCyber for April 6, 2021, Now Available

April 6, 2021

DarkCyber is a twice-a-month video news program about the Dark Web, cyber crime, and lesser known Internet services. You can view the program at this link.

This program covers five stories:

  1. Banjo, founded by a controversial figure, has been given an overhaul. There’s new management and a new name. The challenge? Turn the off tune Banjo into a sweet revenue song.
  2. The Dark Web is not a hot bed of innovation. In fact, it’s stagnant, and law enforcement has figured out its technology and is pursuing persons of interest. A “new” Dark Web-like datasphere is now emerging. Robust encrypted messaging apps allow bad actors to make deals, pay for goods and services, and locate fellow travelers more easily and quickly than ever before.
  3. User tracking is a generator of high value information. Some believe that user tracking is benign or nothing about which to worry. That’s not exactly the situation when third-party and primary data are gathered, cross-correlated, and analyzed. Finding an insider who can be compromised has never been easier.
  4. New cyber crime reports are flowing in the aftermath of the Solarwinds’ and Microsoft Exchange Server fiascos. What’s interesting that two of these reports reveal information which provides useful insight into what the bad actors did to compromise thousands of systems.
  5. The final story reports about the world’s first drone which makes it possible for law enforcement and intelligence operatives to conduct a video conference with a bad actor near the drone. The innovative device can also smash through tempered glass to gather information about persons of interest.

DarkCyber is produced by Stephen E Arnold. The program is a production of Beyond Search and Arnold Information Technology. Mr. Arnold is the author of CyberOSINT and The Dark Web Notebook. He will be lecturing at the 2021 National Cyber Crime Conference.

Kenny Toth, April 6, 2021

The Value of Threat Data: An Interesting Viewpoint

March 29, 2021

Security is not job one in the cyber security business. Making sales and applying technology to offensive cyber actions are more important. Over the past couple of decades, security for users of mainstream enterprise applications and operating systems has been a puppet show. No one wants to make these digital ecosystems too secure; otherwise, it would be more difficult, expensive, and slow to compromise these systems when used by adversaries. This is a viewpoint not widely known by some professionals, even those in the cyber security business. Don’t agree. That’s okay with me. I would invite those who take exception to reflect on the failure of modern cyber security systems, including threat intelligence systems, to prevent SolarWinds and Microsoft Exchange security breaches. Both are reasonably serious, and both illustrate the future of cyber operations for the foreseeable future. Just because the mainstream pundit-verse is not talking about these security breaches does not mean the problem is solved. It is not.

Threat Data Helps Enterprises Strengthen Security” describes a different point of view. I am not confident that the data in the write up have factored in the very loud signals from the SolarWinds and Microsoft Exchange missteps. Maybe “collapses” is a more appropriate word.

The write up states:

Benefits of threat data feeds include; adding unique data to better inform security (71 percent), increasing preventive blocking to ensure better defense (63 percent), reducing the mean time to detect and remediate an attack (55 percent), and reducing the time spent researching false positives (51 percent). On the downside 56 percent of respondents also say threat feeds deliver data that is often too voluminous or complex to provide timely and actionable intelligence.

Let’s consider these statements.

First, with regard to benefits, knowing about what exactly? The abject failure of the cyber security defenses for the SolarWinds and Microsoft Exchange problems did zero to prevent the attacks. Victims are not 100 percent sure that recently “sanitized” systems are free from backdoors and malware. The fact that more than half of those in the survey believe that getting threat intelligence is good says more about the power of marketing and the need to cyber security professionals to do something to demonstrate to their superiors that they are on the ball. Yeah, reading about Fullz on the Dark Web may be good for a meeting with the boss, but it does and did zero for the recent, global security lapses. Organizations are in a state of engineered vulnerability, and threat intelligence is not going to address that simple fact.

Next, what about the information in the threat feeds. Like the headlines in a supermarket tabloid or a TikTok video, titillation snags attention. The problem, however, is that despite the high powered systems from developers from Herliya to Mountain View, information flows generate a sense of false security.

A single person at FireEye noticed an anomaly. That single person poked around. What did that individual find: Something in a threat feed, a snappy graphic from a $100,000 visualization tool, or specific information about a malware attack? Nope, zippy items and factoids. Links to Dark Web sites add spice.

The write up says:

Each of the organizations surveyed faced an average of 28 cyber attacks in the past two years. On average, respondents say 38 percent of these attacks were not stopped because security teams lacked timely and actionable data. Respondents also report that 50 percent of all attacks can be stopped using timely and actionable intelligence.

SolarWinds went undetected for possibly longer than 18 months. Attacks one knows about are one thing. The painful reality of SolarWinds and Microsoft Exchange breaches are another. Marketing won’t make the reality different.

Stephen E Arnold, March 29, 2021

DarkCyber for March 23, 2021, Now Available

March 23, 2021

DarkCyber for March 23, 2021, is now available at this link.

The March 23, 2021, program contains four stories.

The feature is an interview with the director of GovWizely, Erik Arnold. A former Lycos and Vivisimo executive, Mr. Arnold was a principal researcher on a study about the SolarWinds’ breach. The client for this report was an investment firm. The focus, therefore, was different from the obfuscation and marketing reports generated by cyber security firms and consultants.

Some of the report’s more interesting finding are discussed in the video. A more comprehensive review of the SolarWinds’ breach will be provided on March 25, 2021. Mr. Arnold will conduct an informational webinar on March 25, 2021, at 11 am Eastern time. Registration is required, but there is not charge for the one hour program. You can sign up at https://www.govwizely.com/contact/.

Other stories in the March 23, 2021, program are:

  • A look at the management and credibility challenges the Microsoft Exchange Server security lapses create
  • How anyone can implement an email tracking function. Three commercial services are mentioned and a GitHub repository is provided for those who want to reuse open source surveillance and monitoring code
  • The Russian GROM. This is a weapons capable drone which has been upgraded to carry 10 mini-drones. Each mini-drone can perform kinetic (micro munition)  or reconnaissance functions. The 10 drones can function as a swarm, coordinated via artificial intelligence to adapt to changing battled conditions.

DarkCyber is a video news program published twice each month. The videos are available on YouTube. The video news program covers the Dark Web, cyber crime, and lesser known Internet services. The producer is Stephen E Arnold, publisher of Beyond Search which is available at www.arnoldit.com/wordpress.

Kenny Toth, March 23, 2021

Was Super Yacht Go a Digital Victim?

March 16, 2021

Modern yachts are connected to the Internet. I know very little about the specialized systems used to monitor these vessels. One interesting idea was articulated by eSysman Super Yachts via his YouTube video for March 12, 2021. You can view the program at this link. The point which snagged my attention was the observation that the boat’s controls behaved in an unusual manner. Furthermore, according to statements reported by media, the captain was unable to implement a manual override. When the helm’s instructions were not processed, no alarms sounded.  Consequently the captain had to decide whether to crash into a bridge or into a pier. The captain choose the pier. No one was injured and the boat can be repaired.

The key question: Have cyber criminals compromised super yachts’ computerized control systems?

No answers yet. But in the “wake” of SolarWinds and Exchange missteps, the possibility must be considered. Odysseus thought he had problems, but he was dealing with more tractable gods, not digital monsters.

Stephen E Arnold, March 16, 2021

Next Page »

  • Archives

  • Recent Posts

  • Meta