Is This the End of the Deep Web?

“You are not safe, You cannot hide. We will find you, dismantle your organization and network. And we will prosecute you.” So stated Attorney General Jeff Sessions last Thursday when announcing the takedown of the deep web sites Alphabay and Hansa.

[Image: AlphaBay seizure notice]

This was the correct statement to make when speaking of the deep web. It feeds the pre-existing and rampant paranoia which comes with participation in these markets. Back in May, I wrote a post about Alphabay and some of the troubles it was facing. At that time, a hacker going by the name of Cipher0007 reported that he had found two security holes on the site that allowed him to read over 218,000 unencrypted messages between buyers and sellers. He had also found these holes on Hansa. Cipher0007 claimed that he was not a hacker; he simply looked for such security holes as a public service. Interestingly, about a month ago, just before the arrest of Alphabay administrator Alexandre Cazes on July 4th, Cipher0007 reported that he had found similar security problems in The Sanctuary Market.

It was possibly this announcement that made law enforcement authorities in the US and Europe admit to their operations against Alphabay and Hansa. They did this because Cipher0007’s announcement would fuel paranoia, which would then drive members (potential criminals) away from deep web markets. The arrest of Cazes and the announcement by Cipher0007 probably funneled many deep web sellers and buyers to Hansa, which was secretly under government control. There, the government watched transactions while gathering information on members.

Even though the authorities only admit to being in control of Hansa for a month, they probably controlled it for much longer. They would not give up this control unless they felt that their cover had been compromised, which is what happened when Cipher0007 made his announcement. In fact, the holes Cipher0007 found may have already been found and exploited by law enforcement for some time. Despite having their cover blown, U.S. and European authorities were still able to collect hundreds of thousands of login credentials and delivery addresses used by deep web buyers and sellers. With this information, authorities would have been able to follow these buyers and sellers as they moved to other deep market sites, since many probably used the same login credentials on multiple sites. Sellers, who rely mainly on their reputations to attract buyers, would be especially damaged by the takedown of these major markets. If they wanted to keep selling, they would have to rebrand and begin rebuilding their reputations all over again. Some have already used forums to tell their customers where they are moving their markets to, which may not have been so wise.

But big time buyers and sellers face more difficulties than rebranding. Many of them will simply have to sit back and wait for that knock on the door from the F.B.I. There is panic in the deep web marketplaces. According to a post from an ex-Hansa employee, “there will be a bloodbath, a purge and any vendor on HANSA should immediately seize his operation, lawyer up and hide his trails.” The moderators on this forum site also give a guide on what all members should do to hide their deep net market (DNM) activities. They also refer to the DNM Bible, which gives information for all buyers and sellers who use deep net markets. Everyone is advised to lay low for a while as other markets may be compromised.

But will they? Many deep web users are simply more naïve than they should be. As I noted in my earlier post, many users of these deep market sites are looking for easy-to-use platforms and don’t take security seriously. As one European user noted on Reddit, “It just seems like these American kids want Amazon for drugs and that just doesn’t exist.” After the paranoia has abated somewhat, users will come back to these markets. As I wrote back in May, “denizens of deep web markets will not be leaving them soon. Here, hope and personal gratification inevitably triumph over paranoia. Too many people depend on these deep web markets for a variety of reasons. Let’s face it. Some may simply be drug addicts.”

But what if other markets are compromised as well? Much of the media is talking about the persistence of Dream Market; however, the moderator mentioned above and others state that it is probably compromised. I could not successfully log into it and some say this is because it is being heavily used. What does that tell you? Many market participants are trying to calm the panic. As one member observes, “the markets will come back and adapt with new security measures. They always do. There’s too much money involved for this niche to go away.” Another confirms this attitude. “Us veterans of the DNMs have been through this. We will roll with the punches and we will get through this!”

Beyond simply keeping the faith, there is a concerted effort in the community to promote sites with more complex security and browsers which appear to be safer than Tor. One site that has been getting a lot of mention is OpenBazaar. It uses no central server but rather numerous nodes to operate, much like BitTorrent does.


[Image: OpenBazaar Architecture (left) Compared with Traditional Market Site Architecture]

Thus, no one can shut down the network by compromising the central server. Each computer in the group acts as a server.

OpenBazaar 2.0 is now compatible with the Tor browser, but for those looking for more security, some users recommend using the I2P browser. If you use these, a good VPN, and PGP encryption, you’d probably be safe on any deep web marketplace. However, most buyers and sellers won’t use these tools. This is because deep market participants want the easiest interface possible to buy and sell their goods and these new security layers don’t make for easy shopping.

Perhaps, those wishing to continue their deep web purchases should take the words of a deep market forum moderator more seriously.

“You can’t be too paranoid and be ordering off the dark net. If you are prone to anxiety or paranoia, take some time to seriously consider if ordering from the DNMs is really for you. Don’t have any illusions about it: this can be an exceptionally anxiety- and paranoia-inducing habit. You will be waiting an unknown period of time during which you have absolutely zero control over the situation as you await your order. You might find yourself worrying about every possible scenario where something could have gone wrong. There will be nowhere to turn to for comforting wisdom, and no one in the world will be able to actually tell you what is going on.”

So does this recent takedown mean that this is the end of the deep web? In short, no. As soon as the panic subsides, new markets, perhaps with a few more safety features, will open. Eventually, these, too, will be infiltrated by law enforcement agencies and the whole scenario will play out once again. Nothing can keep drug users from their drugs. As Mark Twain said about his habit: “Quitting smoking is easy, I’ve done it hundreds of times.”


Hackers Beware: You are in the Crosshairs of the ‘Hunter’

You might be naive enough to think that, if a hacker does something bad to you, you can, in turn, do something bad to them. If a hacker holds your computer for ransom, for example, you might think you have the right to do the same to them or at least go after them and cause them some discomfort. If you believe this, however, you are not only mistaken, you are far more likely than the hacker to find yourself in prison. In the real world, you can carry a gun. In the cyber world, you cannot.

You may think this is ridiculous, but there is some basis for this stance. It’s called attribution. It’s very difficult for a victim to tell who the attacker actually is. Criminals may mask their origin in a number of ways. So, if you strike back, you might hit one of the devices they laundered their address through rather than their own. It’s as if you defended yourself against a punch from an attacker by hitting his mother. If you make a mistake and disable the wrong computer or network, you could be accused of hacking. How would anyone know what your true motives were?

Nonetheless, many believe that victims of cyber crimes should have more weapons at their disposal. Representative Tom Graves of Georgia is one of them. He has proposed the Active Cyber Defense Certainty Act to address this imbalance. He wants to give the victim the opportunity to “gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network.” Admittedly, this is a little vague. The proposed act adds the following clarification. Such defense “does not include conduct that destroys the information stored on a computers [sic] of another; causes physical injury to another person; or creates a threat to the public health or safety.”

So, apparently, you could hack into a computer of someone you feel is an attacker, look around for evidence that they attacked you, and give that information to law enforcement authorities. It seems the act will also allow you to “disrupt” further attacks against you or your enterprise, but this is open to a wide range of interpretations, especially since you cannot destroy any information on the criminal’s computer.

In a DDoS attack, one enterprise may be attacked by thousands, if not millions, of computers. So who do you hack back against? True, there is always some organizer behind a botnet attack, but, if cybersecurity experts can’t figure out who that is, how can the average guy running an IT department? In other words, though the proposed act does try to give victims more power, it ends up getting caught in the net of reality. In short, there is little that the average firm can do without either getting themselves into trouble or causing harm to innocent individuals. To add to the confusion, former FBI Director, James Comey, dissuaded companies from hacking back because they may trip over FBI employees who are trying to infiltrate the same computers. In other words, you may start by trying to unmask an attacker and end up being investigated by the FBI.

Currently, individuals and enterprises have few options for turning the tables on hackers. What they do have are honeypots, honeynets, and sinkholes. These are points on a network that offer seemingly attractive data to hackers but which, in fact, hold only false data. Hackers looking for specific information may be lured in by the data and end up either getting nothing or giving up identifying information. Honeynets are entire false networks which can be difficult for a hacker to get out of once they are inside. Sinkholes redirect attackers to another domain. Such architecture may frustrate hackers but does not really cause them harm. It is also hard to maintain and can be detected by good hackers. In short, these are expensive, passive, malware information collectors. They work only after an attack has already occurred.

Recently, a new attack-detecting program has been getting some attention. It is more active and, to some extent, even proactive. That is, it can sometimes detect an attack even before it begins. This new defense strategy goes under the banner of Malware Hunter and is produced by the developers of the Shodan search engine. I have no connection to the firm. I simply see this as an interesting twist that may be tweaked into a new level of cyber defense. Call it a reverse search engine, if you like. Malware Hunter pretends to be an infected computer/device/network calling back home to its commander. Just as every mother can identify the cry of her own baby, malware command and control (C2) centers detect the specific cry of a device infected by their malware. By responding to such a cry, the commanders give away the servers upon which they lie in wait. They give away their locations, which is the last thing they want to do.

[Image: Malware Hunter]

But Malware Hunter does not shoot. It only hunts. Once it finds the C2, it hands the information over to others who may take more direct action. To date, it has found thousands of C2 locations. Those subscribing to the service can get this information and, if they are in charge of a company network, use it to block attacks before they ever occur. New remote access trojans (RATs) have been found before they began their nefarious careers because they were tricked into responding to fake calls created by Malware Hunter. The same C2s used by other RATs unwittingly responded to these calls, thus, giving themselves away. It is not a happy development for criminals.

Below is an example of a server that delivers the RAT DarkComet. It is a comprehensive description of this device, including a map showing its general location. The owner of the device probably has no idea it is being used as a server and may be an innocent victim. The device exists to serve up the RAT and then receive information that it can send on to the C2.

[Image: DarkComet server location]

If you were a network administrator, you could block communications with this server.

Malware Hunter searches for open ports and accessible IoT devices. During such a search, Malware Hunter will find devices using default passwords. After receiving the results of one of these searches, I found a router still using a default password. I was offered the chance to sign into it and did so.

[Image: router using a default password]

This led me to a page where I could have reconfigured the router and changed the login information. However, this would have made life tough for a naive user in Thailand.

[Image: router access page]

Actually, it seems that I could arrange for remote access if I wanted to.

[Image: remote access settings]

So, couldn’t hackers use aspects of Malware Hunter to further their attack strategies? After all, if attackers subscribed to Malware Hunter, they could find out if their servers have been uncovered, right?

Such uses are possible but, these negative points aside, programs like Malware Hunter may become more mainstream if the U.S. government allows firms and individuals to be more proactive in their responses to hacking. For the moment, hackers have the upper hand. The chances of getting caught are low and the chances of paying a price for their crimes are even lower. Malware Hunter might not catch the perpetrator outright, but it may disturb their peace of mind. It is a step in the right direction which could easily be upgraded with, perhaps, a little help from U.S. government intelligence software. Such integration could allow victims to hack back with more precision and more devastation. In short, anything that endangers hacker anonymity is a step in the right direction.




Trolls: A Product of the Internet, Society, or a Psychological Disorder?

Let’s get straight to the point. Real trolls have serious psychological problems. That’s not just my opinion. It’s the opinion of experts who have researched the subject. People with psychological disorders have been around long before the internet was ever conceived of. The internet simply gives such people a way to satisfy the compulsions associated with their disorders in a way that is much safer than it would have been in the past. In the past, they would have had to face those they insulted, and that comes with some risks.

I mention ‘real trolls’ to differentiate them from people who simply exhibit temporary anger while on internet sites. According to a YouGov poll, 28% of Americans admitted to “trolling-like” behavior. This behavior included “malicious arguing with a stranger”. True, the anonymity of the internet may allow a person to express their anger more than they would in person, but this is different from troll behavior. Trolls do what they do to achieve a very different outcome. A person who argues with a stranger may really be angry at that person and somehow want to prove a point. A troll really doesn’t care if he or she proves a point or not.

So what is the actual percentage of Americans who are real trolls? The YouGov poll found that 12% of those taking the poll admitted to saying something so controversial that they were banned by moderators. This percentage seems closer to the true troll population. If we combine this finding with medical statistics on psychological disorders, we may begin to get some focus on an actual percentage of online trolls. One study found that “15% of the population — have at least one serious personality disorder”. But not all personality disorders are created equal. In other words, what personality disorders are most associated with trolls?

In an in-depth study of troll behavior published in 2014, it was found that troll behavior correlated positively with four psychological disorders: sadism, narcissism, psychopathology, and Machiavellianism. The study found that about 6% of internet users openly admitted that trolling gave them the most satisfaction. The authors of the study believed that the 6% figure probably under-represented the true number of trolls. However, the following graph shows which psychological problems were associated with that group.

[Image: graph of psychological traits associated with trolling]

The researchers found a particularly high correlation between trolling and sadism, in its many varieties. They state that this correlation is “so strong that it might be said that online trolls are prototypical everyday sadists.” They went on to observe that “we found clear evidence that sadists tend to troll because they enjoy it… Both trolls and sadists feel sadistic glee at the distress of others. Sadists just want to have fun . . . and the Internet is their playground!”

So what percentage of Americans fit this particular demographic? According to one study, sadistic personality traits and disorders (SPD) are prevalent in 8.1% of the population. Combine this with narcissists and other people with antisocial psychological disorders and you get a figure between 10 and 15%. This is the percentage of online Americans who take pleasure in causing others misery or who find that the internet gives them a way to feed their psychological disorders.

Not all of these sick individuals take pleasure in hurting people. Narcissists and psychopaths, for example, don’t take pleasure in hurting others because they simply cannot sympathize with them. However, narcissists may enjoy the attention they are getting on the internet. Narcissists will become angry if they encounter others who disagree with their opinions because their opinion represents the inflated image they have of themselves. These are the people who will argue ceaselessly with others on forum and social media sites.

Psychopaths cannot relate to the feelings of others any more than narcissists do, but they don’t care whether they are liked or not. They don’t need the attention that motivates narcissists. They are predatory. They seek certain goals at all costs. The frustration of not getting what they want will cause them to overstep any social norm in order to get it.

Different psychological disorders will drive those with them towards different internet sites. Narcissists prefer sites like Facebook. One study found that the “narcissists’ use of Facebook for attention-seeking and validation explained their greater likelihood of updating about their accomplishments and their diet and exercise routine.”

Psychopaths are groomers and charmers. Though they understand, logically, how emotions can be used to control people, they feel no emotions themselves. Psychologists refer to online psychopaths as, ‘ipredopaths’. According to them, “iPredopathy is an advanced stage characterological disorder describing any adolescent to adult male or female who skillfully uses Information and Communications Technology [ICT] to troll, identify, control and manipulate their human targets.”  They “experience no remorse or shame for the harm they cause others.” They target those who are “unsuspecting, vulnerable, (and) submissive”. These targets often include “internet-safety-ignorant children, older adults, unprepared businesses, and psychologically distressed adults.” Depending on their individual perversions, psychopaths can be found looking for victims on dating sites, gaming chat rooms, or forums. They are charming and, although they feel no emotions themselves, learn how to fake the emotions that can influence the actions and gain the trust of normal people. However, most of us don’t consider these people as trolls, in the regular use of the word. Trolls are those nasty individuals who are seeking to hurt or inflame the emotions of others. They are certainly not the charmers that psychopaths are.

So, what does a troll look like? First of all, they are predominantly male. One writer categorizes the average troll as “young, male and troubled”. That said, some of the most infamous trolls have been female. Lori Drew, posing as a young male called Josh, pushed Megan Meier to commit suicide. The bad news is that nothing could have pleased this troll more. That’s just how it is. Other trolls have been convicted of attacking the parents of children who have tragically died, taking great delight in causing them even more misery. One researcher concluded that “It’s hard to get demographics on who trolls are, but you note that their targets are usually women, people of color and LGBT people, and sometimes Christians and Republicans.” Oddly, the people that the trolls attack may hold views that are similar to the troll’s own. It’s not the views that matter. It’s the pain that their comments can cause that gives their lives meaning.

Although trolls will attack any vulnerable individual, they “seem to find women – particularly feminists – more fun to harass.” The internet has added a new dimension to these attacks. Sadistic trolls will form groups and then concentrate on one woman for a sustained attack. The reason for this is that a massive troll attack is more difficult to moderate, meaning that the malevolent messages are more likely to get posted and stay on the site longer.

The internet also gives trolls anonymity and security. Most realize they will never get caught and, even if they are, they will never have to pay any serious penalties. The fact that they don’t confront their victims in person means it is easier to disassociate themselves from the victims. The victims don’t seem to be real people. Then, there’s desensitization. The average internet user is simply beginning to get used to trolls. Trolls have begun to think of their behavior as normal. That’s where the true problems begin.

The open dehumanizing of victims on the internet can result in a back propagation into society at large. The level of tolerance of hate speech on the internet can give some the impression that it is now allowable in non-cyber contexts. There are those who may get the impression that they can say whatever they want to whomever they want and expect no opposition. In fact, any opposition may startle or even outrage them.

In a climate where trolling behavior is grudgingly tolerated, more people may begin to participate in it. Troll behavior could extend beyond the usual base of people with psychological disorders to include those with borderline psychological disorders, or even people considered more or less normal. This increase in troll-like behavior among the general public could augment the number of trolls on the internet in a sort of ever-growing, self-reinforcing upward spiral. In other words, I would expect trolling to become, at least in a sense, more mainstream. More people will think it is an acceptable and entertaining endeavor.

For anyone who becomes a victim of a troll attack, the advice is to never respond to them. If you are trolled on a social media site, report the person to the site’s administrators. Good luck with this on Facebook. You will get a standard digital form to fill out with limited questions. I’ve reported fake Facebook sites of dating predators and have had no success in closing them down. Don’t even read the comments that trolls may post. Delete them instantly.

And for any trolls reading this, get yourself professional help…really.




Washington Post Report on Putin Election Hacking Leaves Major Questions Unanswered

The Washington Post’s recent article on Kremlin involvement in the 2016 election primarily questions President Obama’s reactions to it. The article points out the seriousness of the attack while contrasting it with what they consider to be Obama’s anemic response. In retaliation for what the Post claims to be the political “crime of the century”, Obama took actions that the Post criticizes as “modest”, “largely symbolic”, and without “proportionate consequences”. The weak Obama response caused one former senior Obama administration official to admit that, “I feel like we sort of choked.”

Here is what we know about this extremely top secret report. Former CIA Director John Brennan must have received this intelligence well before August 2016, because he released the report on it to President Obama early that month. The report claims the CIA “captured Putin’s specific instructions” on discrediting and defeating Hillary Clinton while assisting Donald Trump. Remember, however, that the Russians had been in the DNC network for over a year at this point and that 20,000 documents were released to Wikileaks on July 22, 2016. The hacking had already been attributed to the Russians by cybersecurity firm CrowdStrike in April. In other words, these new revelations raise a number of questions that are not answered in the article. First of all, when exactly did the CIA get the information on Putin ordering a Clinton-discrediting cyber attack? Was it prior to the infiltration of the DNC and, if so, why did they take so long to give the president this information? Moreover, if they got this information earlier, why didn’t they take steps to stop the attack from occurring in the first place?

FBI Director, James Comey, alerted the DNC of possible Russian infiltration as early as September, 2015. Did he know something that the CIA did not? Don’t these agencies talk to each other? When Brennan decided to release his information on the Putin-directed cyberattack, he didn’t include the FBI. He didn’t initially even tell President Obama. He contacted chief of staff, Denis McDonough, deputy national security adviser, Avril Haines, and national security adviser, Susan Rice.

[Image: John Brennan]

Why did he feel it necessary to tell them first? Was he testing the waters to see what Obama’s response might be? Was he wondering whether to give the president this information at all? These are questions that need to be answered. Interestingly, the official declassified report states that it is a “version of a highly classified assessment that has been provided to the President and to recipients approved by the President.” Well, which is it? Clearly, the president couldn’t have approved of the information being given to those mentioned above if they received it before he did.

Although the CIA and FBI now claim they have high confidence in Putin/Russian meddling in the election, they did not, apparently, have such confidence in July 2016. At the Aspen Security Forum on July 28th, 2016, Director of National Intelligence James Clapper had this interchange with CNN’s Chief National Security Correspondent, Jim Sciutto.

[Image: James Clapper]

SCIUTTO: …the official in the White House described — said to me there is little doubt it’s Russia. I just wonder does the intelligence community share that certainty?

CLAPPER: Well, I will just say that I don’t think we are quite ready yet to make a call on attribution. I mean, we all know there’re just a few usual suspects out there, but in terms of the process that we try to stick to, I don’t think we are ready to make a public call on that yet.

SCIUTTO: And is that because you haven’t made a decision to publicly name and shame or because there’s still some uncertainty?

CLAPPER: Little both, little both.

SCIUTTO: Good. Do you think that we in the media, but also some officials who have been speaking to us in the media have gotten ahead of the certainty on this?

CLAPPER: Yes, I guess, yes.


It was not until October 7th that the intelligence community agreed to a statement naming Russia as being behind the election hacks. The statement was signed by Jeh Johnson and Clapper, but Comey removed his signature, saying it was too close to the election and he did not want to make it look as if the bureau was trying to influence the outcome, even though he did intervene two weeks later. That same day, Susan Rice summoned Russian Ambassador, Sergey Kislyak, to the White House and handed him a message to deliver to Putin.

Although initial drafts of the statement mentioned Putin as being behind the attack, the final version changed this to “Russia’s senior-most officials”. As luck would have it, the carefully written statement went largely unnoticed, as it coincided with the Trump-incriminating Access Hollywood tape and the first release, by Wikileaks, of the John Podesta emails. Perhaps, if Putin was directly mentioned in the statement, more attention would have been paid to it. But with the election looming and a Clinton victory seemingly in the cards, everyone probably thought that it would be better to wait until the election was over before releasing details which could influence the results.

There are other hazy areas in the Washington Post article. In the article, The Post writes that they are “withholding some details of the intelligence at the request of the U.S. government.” This must include information on how Putin was hacked. Putin is said to be very cautious about being a hacking target. So how did U.S. intelligence get this information?

The answer to this might be found in leaks released by a Ukrainian hacking group known as, CyberHunta, which, possibly with the help of U.S. intelligence, hacked the communications of Vladislav Surkov, a close aide to Putin. It could be that U.S. intelligence was able to intercept some communications which indicated that Putin was interested in promoting a hack on the DNC. The Post article even remarks that “some of the most critical technical intelligence on Russia came from another country.” However, there is no evidence in the Surkov leaks that directly points to Putin ordering a hack on the DNC. Does the U.S. intelligence community possess the necessary cyber tools to hack the Kremlin? Probably, yes, but it would be easier to do so with a little inside help. Barring more specific information, it cannot be concluded that Putin, himself, was hacked. At this time, any evidence of Putin’s direct involvement in the hack seems to be either circumstantial or arrived at by intercepting third party correspondence and is, therefore, not conclusive.

The shock of the Trump victory plunged the White House and the intelligence community into morbid introspection. “What if we had…?” A growing narrative emerged which blamed the Clinton loss on Russian meddling coupled with the weak government response to it. This sentiment eventually evolved into a desire for revenge against the protagonists. In a December, 2016 meeting organized by Rice and attended by Clapper, Brennan, Kerry, and Deputy FBI Director, Andrew McCabe, the attendees were told to retaliate against Russia to the “max of their comfort zones.” This caused Obama to send 35 suspected Kremlin operatives packing on December 29th. But this was also the time of the Trump transition with the normal confusion that accompanies all such transitions. This Russian can of worms was dumped in the lap of Trump’s designated national security adviser, Michael Flynn, who, in an apparent attempt to calm the Russian ambassador, only managed to get himself fired.

Susan Rice

In the scramble to retaliate against Russia before he left office, Obama issued Executive Order 12333, which expanded government surveillance and made unmasking easier. Clapper signed the order on December 15, 2016, and Attorney General Loretta Lynch signed it two weeks before leaving office, on January 6, 2017. Obama also approved the use of destructive malware or “implants” on sensitive parts of Russia’s infrastructure; infrastructure components that were “important to the adversary and that would cause them pain and discomfort if they were disrupted.” This remotely triggered malware could be related to the Nitro Zeus malware which, in turn, is related to Stuxnet.

The only surprise about this revelation is that it is considered a revelation. Infrastructure-destroying malware was likely already in the Russian infrastructure as theirs is already in place in the infrastructure of the U.S. Possibly, Obama only agreed on its upgrade.

The Post article does not address what is the main question about the investigation: Why didn’t the F.B.I. have its own forensic team examine the DNC servers? I understand that the government has worked with CrowdStrike for years but in such a serious case, wouldn’t it be good to get a second opinion, especially since CrowdStrike has subsequently lowered its confidence level on Russian involvement from ‘highly confident’ to ‘moderately confident’? Comey admitted that the F.B.I. made “multiple requests at different levels” to get access to these servers, but the requests were rebuffed. Why? Was there something that the DNC didn’t want the F.B.I. to know? Something’s just not right here and I’m not the only one who thinks so. Until we get more answers, it only looks like the government and intelligence agencies are trying to cover up their poor behavior by using the Washington Post as a shill.


Fireball Malware Strikes a Quarter Billion Computers

Unlike most malware, for which attribution is hard to determine, everyone knows where Fireball Malware comes from. Not only is it known to originate in China, but it is also known to be designed by the Chinese digital advertising firm, Rafotech. In fact, this may have been an advertising angle that got out of control. Digital advertising is a competitive business, so many advertisers use browser plug-ins to increase their advertising effectiveness. That’s roughly what Rafotech did, at least initially.

The company’s website has disappeared, but its Linkedin page describes the company, in a somewhat garbled manner, as follows.

“Being years of publisher ourselves, Rafotech has deep understanding of what it means to monetize more. Started as a business unit of Rafo Technology Inc, one of the premium publisher powering over 6 billion monthly impressions, our solution to monetize both display and search traffic has been proved profitable and sustainable. It is a solution made by publisher and for publishers.”

My guess is that they are saying they can help you make more money by advertising more effectively. Well, they kind of kept their promise.

Initially, Rafotech installed plug-ins in browsers that could be used to control what ads appeared on pages that the user navigated to. Then they got a little too creative. They took advantage of the fact that all of us use a default search engine, and for many of us, that search engine is or


From the Check Point Report

By redirecting victims from their normal default search page to a Rafotech-approved search page, Fireball designers can position themselves to implant tracking pixels into browsers to gather user information. They can use the same technique to replace your normal home page with one of these search engines, like the one shown below.


Example of a Fireball-approved Search Engine

The reason they use this technique is to find out what a user is interested in and then target them with ads based on this interest. This advertising approach is not, in itself, dangerous. Its main use is to generate money for the company and its affiliates. However, the fact that the company controls your browser means Rafotech, or others, can use it to install malware onto your computer. They could, for example, send users to a malicious site that is designed to download remote access malware and take full control of your device. Although Rafotech has not done this, as far as we know, they have opened a backdoor that others could, perhaps, take advantage of.
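As an added defensive check (not from the post or the Check Point report), the script below audits a Chromium-style browser Preferences file for exactly the two changes described above: a replaced home page or startup page and a replaced default search provider. The key paths it reads (`homepage`, `session.startup_urls`, `default_search_provider_data.template_url_data.url`) are assumed to match Chrome's Preferences layout, the allowlist is an assumption, and the hijacked profile is a constructed sample.

```python
"""Audit a Chromium-style Preferences file for search/homepage hijacking.

Added example, not code from the original post or from Check Point.  The key
paths below are assumed to follow Chrome's Preferences JSON layout; adjust them
for your browser build.  The sample profile is constructed for illustration.
"""
import json
from urllib.parse import urlparse

# Assumed allowlist: search/homepage hosts the organisation expects to see.
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Constructed sample: a profile whose homepage, startup page and default search
# provider have all been pointed at an unfamiliar domain, as Fireball does.
SAMPLE_PREFS = json.dumps({
    "homepage": "http://search.example-hijack.test/?src=fb",
    "homepage_is_newtabpage": False,
    "session": {"startup_urls": ["http://search.example-hijack.test/"]},
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Search",
            "keyword": "example-hijack.test",
            "url": "http://search.example-hijack.test/search?q={searchTerms}&uid=1234",
        }
    },
})


def _host(url):
    """Return the lowercase host part of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def audit_preferences(prefs_json, allowed_hosts=ALLOWED_HOSTS):
    """Return (setting, url) pairs whose host is not on the allowlist."""
    prefs = json.loads(prefs_json)
    candidates = []
    if prefs.get("homepage"):
        candidates.append(("homepage", prefs["homepage"]))
    for url in prefs.get("session", {}).get("startup_urls", []):
        candidates.append(("startup_url", url))
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if tpl.get("url"):
        candidates.append(("default_search", tpl["url"]))
    # Report anything whose host is not allowlisted, including URLs that do not
    # parse to a host at all, which are suspicious in their own right.
    return [(name, url) for name, url in candidates if _host(url) not in allowed_hosts]


if __name__ == "__main__":
    for setting, url in audit_preferences(SAMPLE_PREFS):
        print(f"suspicious {setting}: {url}")
```

On a real endpoint, point `audit_preferences` at the contents of the profile's Preferences file and treat any finding as a trigger to inspect installed extensions and bundled installers, not as proof of Fireball specifically.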


From the Check Point Report

Actually, the line between this advertising strategy and a malware attack is very fuzzy. Adware distribution is not, in itself, considered a crime or the CEOs of all major social media firms would be in prison.

Check Point, the cybersecurity firm that discovered this malware, calls Fireball “possibly the largest infection operation in history.” The main question, then, is: How did Fireball manage to infect 250 million computers? In a word, the answer is bundling. Bundling means including other, usually unwanted, programs in a download that the user has chosen. Normally, when installing the wanted download, the user is given the option of a customized installation. If they do not choose this option, the malware or adware is automatically installed. In other words, the company did nothing wrong because you, the user, have accepted the extra programs in the bundle. And good luck trying to uninstall these programs. This is something left to experts only. Still, there is no law that says you have to make your programs easy to uninstall. To illustrate this difficulty, here is the advice given for uninstalling the Trotux search engine shown above.

“How to remove redirect (Removal Guide)

This malware removal guide may appear overwhelming due to the amount of the steps and numerous programs that are being used. We have only written it this way to provide clear, detailed, and easy to understand instructions that anyone can use to remove malware for free. Please perform all the steps in the correct order. If you have any questions or doubt at any point, STOP and ask for our assistance.”

At other times, you may not be given the choice of what adware or browser plug-ins are installed with your chosen download. You won’t even know they are there until your browser begins to act in unpredictable ways, suddenly leading you to sites you never chose to visit or opening your browser to a new home page. Again, it will be difficult to remove these browser controllers because, even when they are deleted from your browser, they will reinstall themselves once the browser is opened again. Sometimes, the only option left may be resetting your browser to its default settings.

Check Point also suspects that Fireball spreads by less than legitimate means, such as through spam or by using fake names on the freeware to make it appear as something that it isn’t. It would be difficult to get such a huge number of infections installed if bundling were the only distribution method. That’s because the infection power of this malware can only be called astounding. In Indonesia, for example, 60% of corporate networks are infected. Check Point claims that 20% of the world’s corporate networks are infected with Fireball. The U.S. is just beginning to be targeted, with ‘only’ 10.7% of U.S. corporate networks infiltrated.

The tools for a major security breach are, thus, in place. As Check Point notes, “Rafotech holds the power to initiate a global catastrophe.” I guess that about sums it up. What else could you say if 20% of the world’s corporate networks could be breached and sensitive information stolen? What if these computers were used in a DDoS attack? It is no exaggeration to say that most of the world’s internet services would be knocked offline. Keep in mind that the Mirai Botnet DDoS attack took down major internet sites around the world with only 100,000 infected endpoints. Fireball is hundreds of millions of times bigger. Just think about that for a while.

Are you or your enterprise network infected? Go to the Check Point post to read the removal instructions. Good luck.


Movie Review: Risk: The Julian Assange Documentary

Risk Poster

The reviews for this documentary are all over the place. Reviewers who are firm advocates of WikiLeaks tend to over-exaggerate the film’s virtues, while those who find the organization’s actions reprehensible tend to hate it. For this reason, I tried to watch the film as an objective reviewer.

Some have called the film a sleeper and there are parts of the film that live up to that branding. These episodes occur mainly at the beginning of the film when scenes shift quickly and conversations are somewhat baffling and vapid. Some conversations seem to emerge without enough context to give them comprehensibility. It also seems to lack a coherent theme.

Assange emerges as an emotionally remote character who hides his true personality behind his dedication to WikiLeaks. He even states that what he does is more important than who he is. The only scene in which we get a glimpse into his repressed character is when he is interviewed by Lady Gaga, dressed in her Wicked-Witch-of-the West costume. Ms. Gaga, like most celebrities, tries to hide her insecurity behind false bravado and seemingly unfiltered, clumsy questions which tell us more about her than Assange. In a clear case of projection, she asks about his relationship to his parents, wherein Assange claimed his father was “abstract”.

We do get some glimpses into the life Assange lives within the Ecuadorean Embassy. We learn about his relationships with his team. We see what he does to pass the time and plan strategies, and we learn a few ways that the organization keeps itself protected from government intrusion. A pervading and probably justified paranoia surrounds everything they do. This look into daily life at Wikileaks may hold some interest for some viewers.

The latter half of the film is more interesting, especially when the topic turns to the DNC hacking. I only wish this had been expanded, as it is more timely. It is at this point in the film that Assange gives more information on his view of the world. He talks about the Earth as being so interconnected that any action must be evaluated in a global context. It is an interesting and important viewpoint that should be considered. It is not simply “think globally, act locally”. It is closer to the idea that even a small local action may have global implications.

The film leaves many questions unanswered and, as a whole, doesn’t flow very well. It could have been better made. There is nothing compelling in it, meaning that a viewer may be tempted to stop watching the film entirely at certain points. There is no hook that makes us want to see how it ends. There are no compelling relationships and some issues seem unresolved that could easily have been. Still, a few scenes are definitely worth seeing. For those interested in the world of cyber security, political intrigue, and government surveillance, this documentary may be of interest. For the general public, however, except for a few scenes, it may simply be too dull. I’ll give it a 6 out of 10.


See all my reviews at
