Considering an Epistemology of the Dark Web
May 31, 2016
The comparisons of Nucleus to Silk Road are rolling in. An article from Naked Security by Sophos recently published Dark Web marketplace “Nucleus” vanishes – and no one knows why. This piece echoes the questions those following this story have wondered. Was it attacked by ransomware? Maybe they were busted? The article also offers the low-down on how Tor works to explain why accurate investigations into the Dark Web are challenging. We learned,
“That’s why Tor also supports so-called hidden services, which have special URLs ending .onion, where your anonymised network requests are not only bounced around inside the Tor network, but also processed and answered from inside Tor. This makes it hard to find the servers behind a hidden service, which in turn makes it hard to block that service, even if it’s clearly breaking the law by selling firearms improperly or trafficking in illegal drugs. This, in turn, means it’s hard to measure what’s really going on in the Dark Web, and how many underground marketplaces exist to bring buyers and sellers together.”
We found it refreshing this piece reiterated how data about the Dark Web is not easy to pinpoint. From several tens of thousands of Dark Web sites to much lower counts, many cybersecurity groups and researchers seem certain they have the right number. But to continue on the endless hypotheses train related to the nucleus disappearance, we’ll weigh in. Maybe law enforcement outside the US operated the site? Just a thought.
Megan Feil, May 31, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
European Cybersecurity Companies
May 8, 2016
We’ve run across an interesting list of companies at Let’s Talk Payments, “Europe’s Elite Cybersecurity Club.” The bare-bones roster names and links to 28 cybersecurity companies, with a brief description of each. See the original for the descriptions, but here are their entries:
SpamTitan, Gemalto, Avira, itWatch, BT, Sophos, DFLabs, ImmuniWeb, Silent Circle, Deep-Secure, SentryBay , AVG Technologies, Clearswift, ESNC, DriveLock, BitDefender, neXus, Thales, Cryptovision, Secunia, Osirium, Qosmos, Digital Shadows, F-Secure, Smoothwall, Brainloop, TrulyProtect, and Enorasys Security Analytics
It is a fine list as far as it goes, but we notice it is not exactly complete. For example, where is FinFisher’s parent company, Gamma International? Still, the list is a concise and valuable source for anyone interested in learning more about these companies.
Cynthia Murrell, May 8, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
How Hackers Hire
May 7, 2016
Ever wonder how hackers fill job openings, search-related or otherwise? A discussion at the forum tehPARADOX.COM considers, “How Hackers Recruit New Talent.” Poster MorningLightMountain cites a recent study by cybersecurity firm Digital Shadows, which reportedly examined around 100 million websites, both on the surface web and on the dark web, for recruiting practices. We learn:
“The researchers found that the process hackers use to recruit new hires mirrors the one most job-seekers are used to. (The interview, for example, isn’t gone—it just might involve some anonymizing technology.) Just like in any other industry, hackers looking for fresh talent start by exploring their network, says Rick Holland, the vice president of strategy at Digital Shadows. ‘Reputation is really, really key,’ Holland says, so a candidate who comes highly recommended from a trusted peer is off to a great start. When hiring criminals, reputation isn’t just about who gets the job done best: There’s an omnipresent danger that the particularly eager candidate on the other end of the line is actually an undercover FBI agent. A few well-placed references can help allay those fears.”
Recruiters, we’re told, frequently advertise on hacker forums. These groups reach many potential recruits and are often password-protected. However, it is pretty easy to trace anyone who logs into one without bothering to anonymize their traffic. Another option is to advertise on the dark web— researchers say they even found a “sort of Monster.com for cybercrime” there.
The post goes on to discuss job requirements, interviews, and probationary periods. We’re reminded that, no matter how many advanced cybersecurity tools get pushed to market, most attack are pretty basic; they involve approaches like denial-of-service and SQL injection. So, MorningLightMountain advises, any job-seeking hackers should be good to go if they just keep up those skills.
Cynthia Murrell, May 7, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Bold Hackers
April 27, 2016
It looks like some hackers are no longer afraid of the proverbial light, we learn from “Sony Hackers Still Active, ‘Darkhotel’ Checks Out of Hotel Hacking” at InformationWeek. Writer Kelly Jackson Higgins cites Kaspersky security researcher Juan Andres Guerrero-Saade, who observes that those behind the 2014 Sony hack, thought to be based in North Korea, did not vanish from the scene after that infamous attack. Higgins continues:
“There has been a noticeable shift in how some advanced threat groups such as this respond after being publicly outed by security researchers. Historically, cyber espionage gangs would go dark. ‘They would immediately shut down their infrastructure when they were reported on,’ said Kurt Baumgartner, principal security researcher with Kaspersky Lab. ‘You just didn’t see the return of an actor sometimes for years at a time.’
“But Baumgartner says he’s seen a dramatic shift in the past few years in how these groups react to publicity. Take Darkhotel, the Korean-speaking attack group known for hacking into WiFi networks at luxury hotels in order to target corporate and government executives. Darkhotel is no longer waging hotel-targeted attacks — but they aren’t hiding out, either.
“In July, Darkhotel was spotted employing a zero-day Adobe Flash exploit pilfered from the HackingTeam breach. ‘Within 48 hours, they took the Flash exploit down … They left a loosely configured server’ exposed, however, he told Dark Reading. ‘That’s unusual for an APT [advanced persistent threat] group.’”
Seeming to care little about public exposure, Darkhotel has moved on to other projects, like reportedly using Webmail to attack targets in Southeast Asia.
On the other hand, one group which experts had expected to see more of has remained dark for some time. We learn:
“Kaspersky Lab still hasn’t seen any sign of the so-called Equation Group, the nation-state threat actor operation that the security firm exposed early last year and that fell off its radar screen in January of 2014. The Equation Group, which has ties to Stuxnet and Flame as well as clues that point to a US connection, was found with advanced tools and techniques including the ability to hack air gapped computers, and to reprogram victims’ hard drives so its malware can’t be detected nor erased. While Kaspersky Lab stopped short of attributing the group to the National Security Agency (NSA), security experts say all signs indicate that the Equation Group equals the NSA.”
The Kaspersky team doesn’t think for a minute that this group has stopped operating, but believe they’ve changed up their communications. Whether a group continues to lurk in the shadows or walks boldly in the open may be cultural, they say; those in the Far East seem to care less about leaving tracks. Interesting.
Cynthia Murrell, April 27, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Webinjection Code a Key to Security
April 25, 2016
The heady days of open cybercrime discussions on the Dark Web are over, thanks to increasing investigation by law-enforcement. However, CaaS vendors still sell products like exploit kits, custom spam, and access to infected endpoints to those who know where to look. Security Intelligence discusses one of the most popular commodities, webinjection resources, in its article, “Dark Web Suppliers and Organized Cybercrime Gigs.” Reporter Limor Kessem explains:
“Webinjections are code snippets that financial malware can force into otherwise legitimate Web pages by hooking the Internet browser. Once a browser has been compromised by the malware, attackers can use these injections to modify what infected users see on their bank’s pages or insert additional data input fields into legitimate login pages in order to steal information or mislead unsuspecting users.
“Whether made up of HTML code or JavaScript, webinjections are probably the most powerful social engineering tool available to cybercriminals who operate banking Trojan botnets.
“To be considered both high-quality and effective, these webinjections have to seamlessly integrate with the malware’s injection mechanism, display social engineering that corresponds with the target bank’s authentication and transaction authorization schemes and have the perfect look and feel to fool even the keenest customer eye.”
Citing IBM X-Force research, Kessem says there seem to be only a few target-specific webinjection experts operating on the Dark Web. Even cybercriminals who develop their own malware are outsourcing the webinjection code to one of these specialists. This means, of course, that attacks from different groups often contain similar or identical webinjection code. IBM researchers have already used their findings about one such vendor to build specific “indicators of compromise,” which can be integrated into IBM Security products. The article concludes with a suggestion:
“Security professionals can further extend this knowledge to other platforms, like SIEM and intrusion prevention systems, by writing custom rules using information about injections shared on platforms like X-Force Exchange.”
Cynthia Murrell, April 25, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Cybercriminal Talent Recruitment Moves Swiftly on the Dark Web
April 8, 2016
No matter the industry, it’s tough to recruit and keep talent. As the Skills shortage hits hackers published by Infosecurity Magazine reports, cybercriminals are no exception. Research conducted by Digital Shadows shows an application process exists not entirely dissimilar from that of tradition careers. The jobs include malware writers, exploit developers, and botnet operators. The article explains how Dark Web talent is recruited,
“This includes job ads on forums or boards, and weeding out people with no legitimate technical skills. The research found that the recruitment process often requires strong due diligence to ensure that the proper candidates come through the process. Speaking to Infosecurity, Digital
Shadows’ Vice President of Strategy Rick Holland said that in the untrusted environment of the attacker, reputation is as significant as in the online world and if someone does a bad job, then script kiddies and those who have inflated their abilities will be called out.”
One key difference cited is the hiring timeline; the Dark Web moves quickly. As you might imagine, apparently only a short window of opportunity to cash in stolen credit cards. The sense of urgency related to many Dark Web activities suggests speedier cybersecurity solutions are on the scene. As cybercrime-as-a-service expands, criminals’ efforts and attacks will only be swifter.
Megan Feil, April 8, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
UK Cybersecurity Director Outlines Agencys Failures in Ongoing Cyberwar
April 8, 2016
The article titled GCHQ: Spy Chief Admits UK Agency Losing Cyberwar Despite £860M Funding Boost on International Business Times examines the surprisingly frank confession made by Alex Dewdney, a director at the Government Communications Headquarters (GCHQ). He stated that in spite of the £860M funneled into cybersecurity over the past five years, the UK is unequivocally losing the fight. The article details,
“To fight the growing threat from cybercriminals chancellor George Osborne recently confirmed that, in the next funding round, spending will rocket to more than £3.2bn. To highlight the scale of the problem now faced by GCHQ, Osborne claimed the agency was now actively monitoring “cyber threats from high-end adversaries” against 450 companies across the UK aerospace, defence, energy, water, finance, transport and telecoms sectors.”
The article makes it clear that search and other tools are not getting the job done. But a major part of the problem is resource allocation and petty bureaucratic behavior. The money being poured into cybersecurity is not going towards updating the “legacy” computer systems still in place within GCHQ, although those outdated systems represent major vulnerabilities. Dewdney argues that without basic steps like migrating to an improved, current software, the agency has no hope of successfully mitigating the security risks.
Chelsea Kerwin, April 8, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
If You See Something, Say Something Adopts New Cybersecurity Meaning
March 4, 2016
A post-9/11 campaign for increasing security awareness will inform a similar public service announcement campaign to bring cybersecurity top of mind. See something suspicious online? Homeland Security wants to know about it published by NextGov reports on this 2016 Department of Homeland Security initiative. The decision to launch this campaign comes from an IDC recommendation; the US lacks a culture of cybersecurity concern, unlike Israel, according to the article. While $1 million is allotted for this campaign, the article describes bigger future plans,
“Last week, the Obama administration rolled out a new Cybersecurity National Action Plan, which establishes a new public commission on cybersecurity and proposes billions in new funding to upgrade hard-to-secure legacy IT systems in use at federal agencies, among several other steps.”
This year’s cybersecurity public and private sector awareness campaign was modeled after the “If You See Something, Say Something” campaign rolled out after September 11. However, this is not Homeland Security’s first attempt at educating the public about cybersecurity. The department has sponsored October as National Cybersecurity Awareness Month since 2004. As the article mentions, previous educational efforts have not appeared to influence culture. It would be interesting to know what metrics they are using to make that claim.
Megan Feil, March 4, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Facebook Acts in Its Own Best Interest
November 19, 2015
The article titled Petition: Facebook Betrayed Us By Secretly Lobbying for Surveillance Bill on BoingBoing complains that Facebook has been somewhat two-faced regarding privacy laws and cyber surveillance. The article claims that Facebook publicly opposed the Cybersercurity Information Sharing Act (CISA) while secretly lobbying to push it through. The article explains,
“Facebook has come under public fire for its permissive use of user data and pioneering privacy-invasive experiments in the past. They have also supported previous versions of the cybersecurity info-sharing bills, and their chief Senate lobbyist, Myriah Jordan, worked as General Counsel for CISA’s sponsor, Senator Richard Burr, immediately before moving to Facebook. Facebook has declined to take a public position on CISA, but in recent days sources have confirmed that in fact Facebook is quietly lobbying the Senate to pass it.”
This quotation does beg the question of why anyone would believe that Facebook opposes CISA, given its history. It is, after all, a public company that will earn money in any acceptable way it can. The petition to make Facebook be more transparent about its position on CISA seems more like a request for an apology from a company for being a company than anything else.
Chelsea Kerwin, November 19, 2015
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
-
- Subscribe to Beyond Search
Feature archive
News archive
-
