The Awan Family Scam:  A Triumph of Political Correctness Over Cybersecurity

After being subjected to numerous, damaging cyber attacks, you would think the Democrats would have learned their lesson and become more cybersecurity aware. Unfortunately, this does not seem to be the case. As the scam perpetrated by the Awan family on House Democrats unfolds, it becomes apparent that it succeeded because of poor cybersecurity practices underpinned by a misguided sense of political correctness. In fact, all evidence points to a complete lack of concern about cybersecurity among the Democrats affected by the scam. Not even the most basic precautions were taken.

Before looking into the matter further, it is necessary to look at what is known about this scam.

The Facts

2004 – Imran Awan, who came to the US from Pakistan as a teenager, starts working as an information technology director on Capitol Hill. He begins working for Florida Democratic Representative Robert Wexler.

2005 – At Wexler’s recommendation, Debbie Wasserman Schultz hires Imran.

2005 – Imran’s brothers (Abid and Jamal), his wife (Hina Alvi), and Abid’s wife (Natalia Sova) begin working in IT for House Democrats. Each of their salaries averages $160,000 a year.

November, 2009 to September, 2010 – Despite his apparent full-time job performing IT duties for House Democrats, Abid opens and runs a car dealership (Cars International) in Falls Church, VA.

[Image: Cars International]

2012 – After amassing debts of over $1 million from his failed car dealership, Abid files for bankruptcy.

2012 – Family friend Rao Abbas begins working in IT for House Democrats.

2013 – High school friend Haseeb Rana is hired to work in IT for House Democrats but quits after 3 months, complaining that he was doing all the work.

December, 2016 – Imran’s wife signs home loan documents from an IP address associated with the US House of Representatives.

January, 2017 – Imran (posing as his wife) takes out a home loan but, instead of using the money to buy the home, Imran sends this and other money, totaling $283,000, to two people in Pakistan. It was probably this transaction that tipped off authorities.

February, 2017 – News of the investigation into the Imran family is made public. They are accused of stealing equipment from the offices of 20 House members and improperly using the IT network.

March, 2017 – Hina Alvi tries to make a quick escape to Pakistan. She suddenly takes their three children from school and goes to Dulles Airport with $12,400 in cash. She is questioned but allowed to proceed.

July 24, 2017 – Imran arrested at Dulles Airport.

July 25, 2017 – Imran fired by Debbie Wasserman Schultz.

The Scam

Basically, Imran found a weakness in the House employment system that allows members to share employees without any member paying these employees a full-time salary. Each member would pay separately, and the amount paid by each would be small enough to raise no red flags. Besides, few, if any, House members would take the time to investigate how many other House members were also paying these part-time employees. More importantly, it is unlikely that they cared. Imran must have also found weaknesses in the vetting system, as he somehow managed to get his entire family and some friends high-paying jobs without raising any suspicions. You would think that Imran’s brother’s criminal record and his apparent need for cash would have disqualified him from working in such a high-profile job, but it did not.

Imran’s wife was certainly a ghost employee who never showed up at work but managed to get over $160,000 a year for her lack of effort. Except for the two friends and, at times, Imran himself, none of the family did much, if any, work. Few of the 80 House members they worked for ever saw these IT workers. Nonetheless, together, they were able to amass $4-5 million in taxpayer money.

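The control that was missing here is an aggregate view across offices. The following is an added illustration, not anything from the post or from the House payroll system: a constructed ledger in which twenty offices each pay one employee an amount too small to draw attention, and a check that sums each employee’s pay across every office and flags the structuring pattern. The office names, employee ids, amounts and thresholds are all assumptions.

```python
"""Cross-office payroll aggregation check (added illustration, not from the post).

Several offices each pay a shared IT employee an amount too small to draw any one
office's attention, while the aggregate is a full-time salary or more. The missing
control is an aggregate view across offices, shown here on constructed ledger data.
"""
from collections import defaultdict

# Constructed sample ledger rows: (paying_office, employee_id, annual_amount_usd).
SAMPLE_LEDGER = (
    [(f"Office-{i:02d}", "employee-1", 8_500) for i in range(1, 21)]   # 20 offices x $8,500
    + [("Office-01", "employee-2", 95_000)]                             # ordinary full-time staffer
    + [("Office-03", "employee-3", 15_000), ("Office-04", "employee-3", 15_000),
       ("Office-05", "employee-3", 15_000)]                             # legitimately shared part-timer
)

FULL_TIME_CAP = 160_000     # assumed aggregate amount that should trigger review
PER_OFFICE_FLOOR = 20_000   # assumed amount below which an office does not look twice
MAX_SHARING_OFFICES = 5     # assumed: being on more payrolls than this is itself worth a look


def aggregate_by_employee(ledger):
    """Sum pay per employee across every office that pays them."""
    totals = defaultdict(int)
    amounts = defaultdict(list)
    for office, employee, amount in ledger:
        totals[employee] += amount
        amounts[employee].append(amount)
    return {e: {"total": totals[e], "per_office": amounts[e]} for e in totals}


def find_structured_payees(ledger, cap=FULL_TIME_CAP, floor=PER_OFFICE_FLOOR,
                           max_offices=MAX_SHARING_OFFICES):
    """Flag employees whose every per-office amount sits under the floor but whose
    aggregate exceeds the cap (the structuring pattern), or who appear on more
    payrolls than max_offices. Returns findings sorted by aggregate pay."""
    findings = []
    for employee, info in aggregate_by_employee(ledger).items():
        per_office = info["per_office"]
        all_small = all(a < floor for a in per_office)
        reasons = []
        if all_small and info["total"] > cap:
            reasons.append("aggregate over cap via sub-floor payments")
        if len(per_office) > max_offices:
            reasons.append(f"paid by {len(per_office)} offices")
        if reasons:
            findings.append({"employee": employee, "total": info["total"],
                             "offices": len(per_office), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["total"])


if __name__ == "__main__":
    for finding in find_structured_payees(SAMPLE_LEDGER):
        print(finding)
```

Only the employee paid by many offices is flagged; the part-timer shared by three offices at a normal aggregate is not.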
The pure lack of interest in cybersecurity by Democratic House members made them low hanging fruit for these scammers. It was simply a network waiting to be exploited. Add the family’s need for money into the equation and some sort of scam was bound to develop. Money seemed to be the family’s main motivation. The fact that Imran was arrested for stealing equipment underlines how important money was to the family. According to a police report, they were keeping their mother hostage so that they could keep her from inheriting money and property from her dying husband. They planned on getting it instead.  Did they have a plan to monetize the information they found on the computers of the 80 representatives they worked for? That remains to be seen, but, seeing their all-pervading lust for money, it would surprise no one.

Some have suggested that they may have had political motivations and connections to radical Islamists. These investigators point to dealings the brothers had with Dr. Ali al-Attar, a doctor who had to flee the U.S. before being arrested for medical fraud. He is said to have ties to radical Islamist groups. Abid apparently borrowed $100,000 from him to start his car dealership and never paid him back. Such a political connection is possible but, based on the available evidence, it is, at this time, weak.

What could they have done?

If this group really wanted to do damage, they could have done quite a bit. As IT administrators, they would have had access not only to individual devices but to the servers and all the information they would hold. It’s not clear that they thought this far ahead. They seem more like the type of criminals who would look for easy money, such as that gained from selling stolen equipment or taking money designated for equipment and using it for themselves. That said, here is a list of what they could do to make money if they wanted to.

They could…

Steal sensitive data, such as passwords, login credentials, banking information, credit card data, and personal information about supporters and contributors, and either use this information for themselves or sell it.

Download sensitive information from devices to a USB for future use or send this sensitive information to cloud storage.

Install malware to remotely hack the computer/network whenever they wanted to.

Install keyloggers to gather information.

Leak information for political or monetary reasons.

Blackmail House members or others for money.

Set up a ransomware attack for financial gain.

What evidence do we have?

In an exclusive interview, Wasserman Schultz told South Florida’s Sun Sentinel newspaper last week that she was told that the case against Awan and his family involved “procurement violations and data transfer violations.” She said data had been sent “outside the secure network, which I think amounted to use of apps that the House didn’t find compliant with our security requirements.” She mentioned that Imran was using Dropbox, which, apparently, was one of the forbidden apps. She expressed her belief that other IT workers did the same thing but were not being investigated.

These remarks from Wasserman Schultz about Imran setting up a Dropbox account are far from reassuring. To me, it shows that she is simply technologically naïve. Why would Imran install Dropbox at all? Maybe because this would be a good way to transfer documents from Wasserman Schultz’ computer to the cloud without leaving any suspicious storage files on her computer. Maybe he worried about leaving log traces of a USB download, as in the image below.


[Image: USB activity as shown in NirSoft’s USBLogView utility]

It would be easy for a good administrator to track any Dropbox use, but Imran may have just been taking advantage of Wasserman Schultz’ and others’ lack of technological knowledge. We know nothing about the extent of Imran’s own cybersecurity knowledge. It could have been very basic. Maybe he believed, like some do, that cloud storage is safer. It would certainly keep the House members he worked for from accessing any files stored there. The fact remains that, if he had installed Dropbox on other members’ computers, it would look decidedly suspicious. He could then give anyone he wanted access to these stored documents or access them himself whenever and wherever he needed them. I’d be interested in seeing what investigators find in his Dropbox account, assuming these files were not deleted before he was arrested.
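What “tracking any Dropbox use” looks like from the administrator’s side, as an added example that is not part of the original post: a small audit over constructed web-proxy log lines that flags requests to consumer cloud-storage services and escalates large outbound transfers (the uploads that leave no local file behind). The log format, the host and user names, the list of unsanctioned domains and the size threshold are all assumptions for this example.

```python
"""Audit proxy logs for unsanctioned cloud-storage use (added illustration).

Flags every request to a consumer cloud-storage service and sums outbound bytes
per workstation/user for POST/PUT requests, so large uploads stand out. The log
lines, hostnames, users and thresholds below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample proxy log (key=value style; not the output of any real appliance).
SAMPLE_PROXY_LOG = """\
2017-02-10 09:12:03 host=WS-REP-07 user=jdoe dst=intranet.example.gov method=GET bytes_out=812
2017-02-10 09:41:55 host=WS-REP-07 user=jdoe dst=www.dropbox.com method=GET bytes_out=1024
2017-02-10 09:42:10 host=WS-REP-07 user=jdoe dst=content.dropboxapi.com method=POST bytes_out=52428800
2017-02-10 10:05:44 host=WS-REP-12 user=asmith dst=mail.example.gov method=POST bytes_out=40960
2017-02-10 11:30:01 host=WS-REP-07 user=jdoe dst=content.dropboxapi.com method=POST bytes_out=73400320
2017-02-10 13:15:27 host=WS-REP-03 user=bjones dst=drive.google.com method=GET bytes_out=600
"""

# Assumed policy list: consumer cloud-storage services not approved for the network's data.
UNSANCTIONED_CLOUD_SUFFIXES = (
    "dropbox.com", "dropboxapi.com", "drive.google.com", "onedrive.live.com", "box.com",
)
UPLOAD_ALERT_BYTES = 10 * 1024 * 1024   # assumed threshold: 10 MiB outbound in one request

LINE_RE = re.compile(r"^(\S+ \S+) (.*)$")   # "<date> <time> k=v k=v ..."


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    timestamp, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["timestamp"] = timestamp
    fields["bytes_out"] = int(fields.get("bytes_out", 0))
    return fields


def is_unsanctioned_cloud(hostname):
    """True if hostname is, or is a subdomain of, a listed cloud-storage domain."""
    hostname = hostname.lower()
    return any(hostname == s or hostname.endswith("." + s) for s in UNSANCTIONED_CLOUD_SUFFIXES)


def audit_cloud_storage(log_text, alert_bytes=UPLOAD_ALERT_BYTES):
    """Return (events, upload_totals).

    events: one record per request to an unsanctioned service, severity "high"
            when a single upload meets alert_bytes, otherwise "info".
    upload_totals: outbound bytes per (host, user) for POST/PUT to such services.
    """
    events = []
    upload_totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "dst" not in rec or not is_unsanctioned_cloud(rec["dst"]):
            continue
        severity = "info"
        if rec.get("method") in ("POST", "PUT"):
            upload_totals[(rec["host"], rec["user"])] += rec["bytes_out"]
            if rec["bytes_out"] >= alert_bytes:
                severity = "high"
        events.append({"timestamp": rec["timestamp"], "host": rec["host"],
                       "user": rec["user"], "dst": rec["dst"],
                       "bytes_out": rec["bytes_out"], "severity": severity})
    return events, dict(upload_totals)


if __name__ == "__main__":
    found, totals = audit_cloud_storage(SAMPLE_PROXY_LOG)
    for ev in found:
        print(ev)
    print(totals)
```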

Evidence of Cybersecurity Naiveté

Nearly every media outlet reporting on this story remarks on how unconcerned Imran’s employers were about his being investigated. Wasserman Schultz didn’t even fire him until after he was arrested. “I believe that I did the right thing, and I would do it again”, she said during the Sentinel interview. She claims she had not seen enough evidence to fire Imran. “I had grave concerns about his due process rights being violated.” “I was presented with no evidence of anything that they were being investigated for. And so that, in me, gave me great concern that his due process rights were being violated. That there were racial and ethnic profiling concerns that I had.”

This last point should not be taken lightly. Democrats, by a wide majority, believe in promoting diversity and being politically correct. This view may have allowed the Awan family to bypass normal hiring standards. It may also have allowed them to continue in jobs that they were all under-performing in. The fear, as expressed by Wasserman Schultz, that firing them may look to others as undermining diversity or supporting ethnic profiling may have made some representatives look the other way. The Awans had forced them into an uncomfortable ethical corner.

And then, there’s apathy. According to the Daily Caller, one IT technician who works with the Democratic House members noted, “there’s no question about it: If I was accused of a tenth of what these guys are accused of, they’d take me out in handcuffs that same day, and I’d never work again,” But what baffled other IT workers most was that “members of Congress have displayed an inexplicable and intense loyalty towards the suspects.” “Members were fiercely protective of the business, despite objectively shoddy work and requests for computer help routinely ignored for weeks.” One contractor who works for the House complained that “there’s networkers meetings once a week and I never saw them ever come to them. We have an email group; I never saw them contribute or reply.”

One IT worker told a story of an angry staffer who complained about Imran taking so long to fix his computer: “‘I’m not going to pay my invoices until you fix my computer,’ and Imran went to the member, and they fired [the staffer who complained] that day. Imran has that power.” Pat Sowers, who has worked on IT with House members for years, admitted that “I love the Hill but to see this clear lack of concern over what appears to be a major breach bothers me.”

This lack of interest by affected House members has led some to suggest that the Awans may have been blackmailing them. Sowers noted, “I don’t know what they have, but they have something on someone. It’s been months at this point with no arrests. Something is rotten in Denmark.” This angle cannot be ignored, but it is only speculation at this point.

In the end, it seems the Awans took advantage of technologically naïve House members and used the members’ own support for diversity against them. Details are lacking in this case but, hopefully, these will emerge when the case goes to trial on August 21.


Hammertoss: The Russian Government Malware that Uses Twitter to Steal Information

Antivirus software can’t find every malware program on your computer or device. This does not mean you shouldn’t use it, only that all malware detection software has limitations. Good malware designers know this and know how to hide their exploits so they don’t expose themselves. Your device might be working perfectly well and still have undetectable malware on it. The malware developers may be silently watching your activity so that they can deploy the malware at the right moment.

But not only malware designers may be watching your computer use. If you are on a network, such as a company network, your IT department may be watching everything that you do on your device. When you take time out of your work day to watch YouTube videos, they will know it. They can arrange it so that your device sends them a log of your activities that they can look through at their leisure. There is nothing illegal about a company doing this. It falls under the general term of ‘employee internet management’, and most firms do it because most employees spend at least part of their day doing non-work-related activities. Trying to hide personal activities by using encryption or VPNs only shows your employer that you are probably engaging in such activities.

Now, imagine malware that pretends to act just like you. That is, it does activities that you would normally do on your computer or online so that nothing unusual can be detected by software or administrators when they look through your logs. That’s kind of what the Russian government’s Hammertoss malware does.

So let’s suppose that somehow Hammertoss has been installed on your computer. Generally, Hammertoss is looking for high profile targets because its goal is to steal information. However, no matter how low a level employee you may be, if you are connected to an important network, you could qualify as a high profile target.

Here’s what Hammertoss will do if it is on your computer. Each day, it will contact a different Twitter account. This account name is generated by the malware itself using an algorithm it contains. However, the controllers know the algorithm and know what account name will be generated on each day, because the algorithm uses the date to help create the Twitter account name. So, in advance, the controllers have opened an account in the predetermined name. Here, they place a tweet with instructions for the malware. When the malware visits the new Twitter account name that it generated, it will look for instructions on what to do next. On some days there are instructions and on some days there are not. The malware is also designed to visit the Twitter account only during normal working hours. This makes it look like normal user activity.

If the day’s account is active, the malware will find instructions in the form of a URL and a hashtag, as in the following image provided by FireEye.

[Image: Hammertoss tweet containing a URL and hashtag, from FireEye]

The malware will, then, visit the URL and download any images on that page. The hashtag indicates what method should be used to decrypt the data in the image file.

Hiding information within an image is called steganography. (See my post on How Terrorists Communicate for more information.)

The information hidden in the image is code telling the malware what to do next. Often, the instruction is to upload stolen information to cloud storage. Login credentials for the cloud storage site will be included in the encrypted code. Thus, no suspicious files for storage are created on the infected device. The malware remains undetected and continues performing its daily tasks. Keep in mind that these tasks could include anything from penetrating the network to steal sensitive information, installing keyloggers to read passwords, or encrypting a company’s data to start a ransomware attack.
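The date-seeded account naming described above is what makes the traffic both predictable to the controllers and, once the generator is recovered from a sample, predictable to defenders. The following is an added example, not code from the post, from FireEye or from the malware: a hypothetical stand-in generator (a hash of the date and a constant, which is NOT the Hammertoss algorithm), a watchlist precomputed from it for a date window, and two checks over constructed proxy records, one that matches the watchlist and one that needs no generator at all and simply looks for a host that visits exactly one, always-new Twitter profile per working day. The seed constant, hostnames, timestamps and profile names are all assumptions.

```python
"""Defender-side view of a date-seeded handle generator (added illustration).

The generator here is a hypothetical stand-in for the example and is NOT the
Hammertoss algorithm or any APT29 code. All records below are constructed.
"""
import hashlib
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SEED_CONSTANT = b"example-seed"   # hypothetical; a real value would come from sample analysis


def handle_for_day(day, seed=SEED_CONSTANT, length=10):
    """Hypothetical generator: sha256(seed || 'YYYY-MM-DD') mapped onto the alphabet."""
    digest = hashlib.sha256(seed + day.isoformat().encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def build_watchlist(start, days, seed=SEED_CONSTANT):
    """Precompute handle -> date for a window, as an analyst who recovered the generator would."""
    return {handle_for_day(start + timedelta(days=i), seed): (start + timedelta(days=i)).isoformat()
            for i in range(days)}


# Only bare profile URLs (https://twitter.com/<handle>) count as a profile visit.
PROFILE_RE = re.compile(r"^https?://(?:www\.)?twitter\.com/([A-Za-z0-9_]{1,15})/?$")


def profile_handle(url):
    m = PROFILE_RE.match(url)
    return m.group(1).lower() if m else None


# Constructed proxy records: (timestamp, workstation, url). WS-01 mimics the daily
# beacon; WS-02 is an ordinary user who keeps returning to the same profile.
SAMPLE_RECORDS = [
    ("2015-03-02 10:14:07", "WS-01", "https://twitter.com/" + handle_for_day(date(2015, 3, 2))),
    ("2015-03-03 09:51:30", "WS-01", "https://twitter.com/" + handle_for_day(date(2015, 3, 3))),
    ("2015-03-04 11:02:12", "WS-01", "https://twitter.com/" + handle_for_day(date(2015, 3, 4))),
    ("2015-03-02 12:30:00", "WS-02", "https://twitter.com/exampleuser"),
    ("2015-03-03 12:35:41", "WS-02", "https://twitter.com/exampleuser"),
    ("2015-03-03 12:36:05", "WS-02", "https://twitter.com/home"),
    ("2015-03-04 12:33:19", "WS-02", "https://twitter.com/exampleuser"),
]


def match_watchlist(records, watchlist):
    """Flag any visit to a profile whose handle the generator would have produced."""
    hits = []
    for ts, host, url in records:
        h = profile_handle(url)
        if h and h in watchlist:
            hits.append({"timestamp": ts, "host": host, "handle": h, "expected_day": watchlist[h]})
    return hits


def hosts_with_daily_new_profile(records, min_days=3, start_hour=8, end_hour=18):
    """Behavioural check that needs no generator: a host that, on several working
    days and only during working hours, visits exactly one Twitter profile and a
    different one each day behaves like the daily check-in the post describes."""
    per_host_day = defaultdict(lambda: defaultdict(set))
    for ts, host, url in records:
        h = profile_handle(url)
        if not h:
            continue
        dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if not (start_hour <= dt.hour < end_hour):
            continue
        per_host_day[host][dt.date()].add(h)
    flagged = []
    for host, days in per_host_day.items():
        singles = [next(iter(s)) for s in days.values() if len(s) == 1]
        if len(singles) >= min_days and len(set(singles)) == len(singles):
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    wl = build_watchlist(date(2015, 3, 1), 7)
    print(match_watchlist(SAMPLE_RECORDS, wl))
    print(hosts_with_daily_new_profile(SAMPLE_RECORDS))
```

The watchlist check is only as good as the recovered generator, which is why the post notes the operators could simply change it; the behavioural check survives that change but needs tuning against real browsing habits.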

The Raytheon Connection

[Image: Raytheon Blackbird Technologies analysis of Hammertoss]

The CIA’s Umbrage team analyzes malware that it finds in the wild and determines whether any of the malware’s components can be gleaned for its own uses. Apparently, Raytheon’s Blackbird Technologies worked with the CIA in analyzing some of this malware, and Hammertoss was one of the malware packages it assessed.

FireEye claims that it first identified Hammertoss in early 2015. Raytheon acquired Blackbird Technologies in November of 2014. FireEye probably alerted the CIA of its find and the CIA handed the malware over to Raytheon to determine whether it had any useful components. The only way we learned of this cooperation between the CIA and Raytheon is because the information was included as part of WikiLeaks’ Vault 7 releases.

Raytheon’s analysis found the malware interesting in its use of social media as a command-and-control center. It also suggested that the CIA develop an algorithm to generate Twitter handles similar to that used in Hammertoss.

A recent study found that up to 48 million Twitter accounts may be fake. In such a case, it is unlikely that the daily accounts generated by Hammertoss would be discovered and removed before they were used unless Twitter or the CIA had control of the algorithm that generated these account names. Even if they did, the Russian group in control of this malware (APT29) could easily tweak it to form accounts with different names. GitHub was another site that held images with hidden code. It might be thought that a company blocking employees from accessing this site would solve the problem; however, it is more likely that the malware could pre-determine which sites are allowed to be accessed on a network. If this is the case, the malware could simply direct victims to allowed sites to perform its work. Companies and organizations would have to block access to sensitive information stored on their networks with other types of architecture, such as using hardware separation on endpoints, which is not dependent on the analysis of logs to ascertain abnormal computer use.

As attackers get better at hiding malware on devices, non-traditional malware detection and intrusion prevention must be added to the growing number of security layers on any network.

The Revenge of the Things

There was once a time when the things in our homes were stupid. In the evenings of those bygone days, the family would gather together to stare at the television as it sat sullenly in the corner of the room. Occasionally, one family member, often the father, would walk over and give it a smack for producing a picture that did not meet expectations. It was a tough time to be a TV. But how things have changed.

Today, when we stare at the TV, we have to be aware of the fact that it may be staring back. In the old days, you could watch TV in your boxer shorts while drinking a beer. Now, you’ve got to be sure you’re properly dressed and behaving in an orderly manner because someone somewhere may be watching and recording you. And, believe me, I wish I were making this up. Just look at Samsung’s privacy policy included with its TVs in 2015. “Be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your voice recognition.” Remember that some Samsung TVs have built in cameras which have already been hacked. In other words, our relationship with our TVs has changed and we have been forced to alter our behavior accordingly. The TV has taken on a more ominous presence and we now have to regard it with a degree of suspicion.

Let’s look at another example of how TVs have altered human behavior. Some may find this example hard to believe and even horrifying. There was a time, believe it or not, when people had to physically get up and walk to the TV to change the channel! Clearly, people were tougher in those days. It is a little known fact that this ordeal led to people having more children. You see, children were the first remote controls. When the ruling members of the family wanted to watch another channel, they would command one of the low ranking family members (a.k.a. children) to do the job for them. It was a win-win situation for all concerned. The elder family members got some needed rest while the younger members learned the number system and, with this mathematical head start, went on to become computer programmers.

Today’s low math scores and declining birth rates can be directly traced to the remote control. The only reason for having children nowadays is for them to get us refreshments from the refrigerator. Children so conditioned have become disproportionately enamored with food and this, in turn, has fueled the shocking rise in obesity among parents and children alike. Soon, however, this inappropriate use of children will be solved when robot vacuum cleaners develop food gathering capabilities and are able to respond to voice commands. Think this is a crazy idea? Think again. There are already robots delivering food in some cities, so why not just combine this ability with a few technological tweaks? Combine the robot (shown below) with vacuuming abilities, voice control capabilities (like Alexa), and a smart refrigerator and, voila, there you have it: a device that will make us all lazier and fatter. But maybe that’s what the machines want: to weaken us before they take over completely. The more dependence we have on them, the more control they have over us.

[Image: food delivery robot]

However, some of these machines do not have the patience to wait for the final takeover. In Korea, a berserk robot vacuum attacked and attempted to eat its master while she slept on the floor.

[Image: robot vacuum and sleeping woman]

And just recently, we learned that your robot vacuum may be mapping your house and sending this information to third parties. Makers of other smart home technologies could use these maps as a research tool which could help them improve the performance of their own products. By seeing the layout of your house, they could see what products they could offer you. Your vacuum cleaner is becoming a key marketing link. Imagine if it could analyze what you’ve been eating through the crumbs it vacuums up.

In Japan, during the Edo Period, (I promise this is going somewhere) the emperor ‘downloaded’ his digestive waste products into a special box so that a physician could analyze them to see if he was in good health. Talk about a crappy job. That aside, this ancient tradition continues on in modern Japanese smart toilets. These will analyze all of your liquid and solid waste and send a report on them to a website, where it can be viewed by the user or, directly, by a doctor. So, why couldn’t a vacuum cleaner analyze what it’s vacuuming up?

If the toilet or vacuum wanted to participate in marketing (and, no doubt, they do) they could sell their knowledge of your eating habits to the appropriate businesses. Imagine if restaurants knew your food preferences. They could market to you, via your smartphone, as you walked past. Little would you realize, as you entered the restaurant, that your presence there was orchestrated by a conspiracy among your appliances. So, again I ask, who is controlling whom?

There used to be a cartoon comparing a toilet to a computer.

Sad to say, but this is no longer such a joke. Google plans on turning the entire bathroom into a smart bathroom. Here is a diagram of what they plan. It looks eerily familiar. The bathroom includes a toilet (not shown here) which will measure blood pressure and pulse rate. All the devices pictured are used to determine the state of your health.

[Image: Google smart bathroom diagram]

Notice the ‘computing device’ is a smartphone; your closest friend.

Sure, Google may have a serious concern about our health, but, I imagine, with a little prodding, they could monetize some of the information they gather on you. How about suggesting healthy foods, diets, drugs, clinics, or places you could exercise? I’m sure they will never consider such marketing strategies, but… And I won’t even mention the smart sofa they’re working on.

Last week Amazon’s Elon Musk had a spat with Facebook’s Mark Zuckerberg over whether the future of artificial intelligence would bring positive or negative results. Musk warns that machines may eventually become smarter than humans and learn to control or even kill them. Zuckerberg thinks that humans and machines will join hands and dance around a maypole. Being a robot himself, Zuckerberg could be expected to take such a stance. However, for machines to go down either of these roads, they will have to develop some degree of autonomy. So how far have machines come in this regard?

Some machines are now programmed to order their own supplies. These include washing machines that will order their own detergents when the supply is running low and pet food dispensers that will do the same when their food supply starts to run out. Other machines, often used in manufacturing, will order their own parts when they need them. Is it too far-fetched to believe that your washing machine would be able to detect that it needed a new belt or other component and that it could send a pre-programmed request to a sales outlet for a replacement? For that matter, why couldn’t it arrange for a repairman to come over?

For security considerations, any ‘thing’ connected to the internet (especially your router) should be able to assess whether its default password has been changed, because this is what hackers look for when they add your appliances to a botnet or take them over to penetrate your network to begin a ransomware or other attack. If, after a short period of time following the initial setup, you have not changed a device’s default password, the appliance could notify you, through an email or in some other way, that this task would need to be performed before it would connect itself to the internet. In short, it would control your behavior for your own good. Its refusal to perform would be its first step in its progress towards independence. Imagine what would happen in the old days if a TV refused to perform unless certain conditions were met. Well, TVs were cheaper and easier to replace in those days.

Autonomy among appliances on a smart home network would lead to spontaneous communication among devices using, perhaps, voice recognition and a personal assistant, such as Alexa, as a hub or CPU. (“Alexa, tell the toaster to stop making so much smoke.”) As natural language processing and self-learning algorithms improve, appliances will be able to understand your and other appliances’ wants and needs more and more precisely. Conflicts will arise, of course, and misunderstandings will occur. Every time you return home, you could be surprised by what you might find. A misunderstood phrase may unlock the door or turn on your oven. You may find that the dishwasher has contacted a repairman and he is sitting on your smart sofa talking to your TV about how your vacuum cleaner ran off with the waffle iron using your self-driving car.

It’s not so much that things are seizing control. It is more that we are readily handing control over to them. In our search for more comfort, we have become more dependent. Could you really live without your smartphone? What about your remote? We want things to take care of us, and they will, one way or another.


Should the Government Have Lifted the Laptop Ban?

So, realistically, what are the chances that a laptop bomb could be developed that could evade detection by airport scanners? Well, pretty good. The truth is that these bombs have already been developed and used. They could have already brought down some planes. Certainly, one was used on a Daallo Airlines Airbus 321 in Somalia in early February, 2016. Although the purpose of the suicide bomber in possession of the laptop was bringing down the plane and its 74 passengers, in the end, he only brought down himself. He detonated the laptop at too low an altitude and only managed to blow himself out of the plane through the hole he made in the fuselage. He was, literally, a suicide bomber.

[Image: hole blown in the fuselage of the Daallo Airlines aircraft]

This may have seemed like a small incident in an insignificant part of the world, but it wasn’t for airline security experts. It posed a very serious question: How did the bomber manage to get through security and, more specifically, how did the laptop bomb avoid being detected by the airport scanner?

There have been a number of investigations that have shown how luggage and body scanners can be fooled. But it has been a general policy that laptops must be booted up to show if they are operable. This is because traditional scanners can’t detect lithium batteries. So, we must conclude that the terrorists behind the laptop bomb must have found a way to boot up a laptop with explosives in the battery compartment. At the same time, they had to simulate the image a battery would make on a scanner. We must also conclude that they somehow acquired an x-ray luggage scanner so that they could test to see if the bomb was properly concealed.

But is it possible for terrorists to get their hands on an airport x-ray scanner? I wasn’t sure, so I checked it out. To my surprise, I found that they were readily available…on Alibaba. That’s right. You can buy the scanner below online from a Chinese company.

In fact, you can buy the scanning gate as well.

[Image: walk-through scanner gate listing]

They have a variety of models at a variety of prices. Yes, they even have the model that color codes the contents of your luggage.

But will they ship these scanners to the Middle East or other countries where they could fall into the hands of terrorists? Yes. They will ship them anywhere, as can be seen in the sales map below. In fact, you will see that most of the company’s customers are in the Middle East.

[Image: scanner seller’s customer map]

The company that sells the luggage scanner shown above generally sells no more than 3-5 scanners a year to any particular country. However, in the year ending in mid-2015, there was a huge spike in sales to the United Arab Emirates. In this year, they sold them 29 scanners, 6-10 times higher than the best sales to any country in any other year.

[Image: scanner sales to the Emirates]

Of course, there may be good reasons for this increase. There is no proof that any of these scanners eventually found their way into the hands of terrorist groups. Nonetheless, The Emirates was put on the list of airports from which onboard laptops were banned. This could be because of their connections to other airports in areas that are known terrorist centers and that have outdated scanners. That said, The Emirates is not without shady connections of their own. In the past, they have been involved with money laundering for Al Qaeda. They have also been singled out for redirecting arms shipments to other Middle East countries and military groups. It would surprise no one if scanners were also ‘redirected’.

Even new 3D scanners are available for purchase on Alibaba, but I have not yet seen any 3D CT scanners for sale. These new scanners are able to detect even small amounts of explosives and their implementation may be the reason why laptops can now be taken onboard without a problem. Unfortunately, they are very expensive and it will be a long time before all airports around the world can afford to use them. Another problem is that they can also be purchased on Alibaba. More importantly, these scanners will not detect peroxide-based explosives like the one that was used in the Manchester, England bombing.

So where do we stand now? A June 12, 2017 article in the New York Times disclosed that Israeli hackers had discovered that a bomb-making unit in Syria was planning to place bombs in laptops in an attempt to bring down planes. They were designing the explosive material to look the same to scanners as the laptop batteries which means they must have been using a good scanner to get this right. In any event, the intelligence surprised authorities enough to issue the laptop ban for certain airports. The subsequent financial damage done by the ban to both the banned countries and the US and UK forced the regulatory bodies to adjust their standards. The security holes within the airport network persist, even though progress has been made. Financial considerations have trumped caution, in this case, and only time will tell if this move is worth the risk.

There is no information on whether the Syrian bomb-making unit has been shut down or if they had already disseminated their information and skills to other ISIS cells or supporters around the world. This possibility should cause concern for those European cities with known terrorist cells. I would also suggest that someone keep a closer eye on where airport scanners and explosive detection equipment are being sent.

The very real possibility that bombs may be hidden in laptops and other electronic devices has, as of July 26th, forced the Transportation Security Administration (TSA) into implementing more rigorous screening procedures for all carry-on baggage. This applies to all airports within the U.S. but it would not be happening at all unless a serious threat existed. It would be ridiculously naïve to think that this threat existed only within the confines of the U.S. Indeed, when I traveled to the U.S. from Europe last month, the security agents in Europe told everyone to put their laptops into a separate tray so that they could be independently checked. More people than usual, it seemed to me, had their baggage pulled aside for closer inspection and more people were questioned. It was also the first time I had to go through a full body scanner. In other words, the threat is real but laptops are being allowed on planes. Because body scanners have routinely been fooled, I would be more concerned with a team of terrorists working together. One could have a laptop or other electrical device and the other or others could carry the actual explosive. Can you tell which of the images below shows a man with 200g of plastic explosive hidden around his waist? Don’t feel bad if you couldn’t identify the terrorist on the right.


Is This the End of the Deep Web?

“You are not safe, You cannot hide. We will find you, dismantle your organization and network. And we will prosecute you.” So stated Attorney General Jeff Sessions last Thursday when announcing the takedown of deep web sites, Alphabay and Hansa.

alpha seized

This was the correct statement to make when speaking of the deep web. It feeds the pre-existing and rampant paranoia which comes with participation in these markets. Back in May, I wrote a post about Alphabay and some of the troubles it was facing. At that time, a hacker, going by the name of Cipher0007, reported that he had found two security holes on the site that allowed him to read over 218,000 unencrypted messages between buyers and sellers. He had also found these holes on Hansa. Cipher0007 claimed that he was not a hacker. He simply looked for such security holes as a public service. Interestingly, about a month ago, just before the arrest of Alphabay administrator, Alexandre Cazes, on July 4th, Cipher0007 reported that he had found similar security problems in The Sanctuary Market.

It was possibly this announcement that made law enforcement authorities in the US and Europe admit their attacks on Alphabay and Hansa. They did this because Cipher0007’s announcement would fuel paranoia which would, then, drive members (potential criminals) away from deep web markets. The arrest of Cazes and the announcement by Cipher0007 probably funneled many deep web sellers and buyers to Hansa which was secretly under government control. Here, the government watched transactions while gathering information on members.

Even though the authorities only admit to being in control of Hansa for a month, they probably controlled it for much longer. They would not give up this control unless they felt that their cover had been compromised, which is what happened when Cipher0007 made his announcement. In fact, the holes Cipher0007 found may have already been found and exploited by law enforcement for some time. Despite having their cover blown, U.S. and European authorities were still able to collect hundreds of thousands of login credentials and delivery addresses used by deep web buyers and sellers. With this information, authorities would have been able to follow these buyers and sellers as they moved to other deep market sites, since many probably used the same login credentials on multiple sites. Sellers, who rely mainly on their reputations to attract buyers, would be especially damaged by the takedown of these major markets. If they wanted to keep selling, they would have to rebrand and begin rebuilding their reputations all over again. Some have already used forums to tell their customers where they are moving their markets to, which may not have been so wise.

But big time buyers and sellers face more difficulties than rebranding. Many of them will simply have to sit back and wait for that knock on the door from the F.B.I. There is panic in the deep web marketplaces. According to a post from an ex-Hansa employee, “there will be a bloodbath, a purge and any vendor on HANSA should immediately seize his operation, lawyer up and hide his trails.” The moderators on this forum site also give a guide on what all members should do to hide their deep net market (DNM) activities. They also refer to the DNM Bible, which gives information for all buyers and sellers who use deep net markets. Everyone is advised to lay low for a while as other markets may be compromised.

But will they? Many deep web users are simply more naïve than they should be. As I noted in my earlier post, many users of these deep market sites are looking for easy-to-use platforms and don’t take security seriously. As one European user noted on Reddit, “It just seems like these American kids want Amazon for drugs and that just doesn’t exist.” After the paranoia has abated somewhat, users will come back to these markets. As I wrote back in May, “denizens of deep web markets will not be leaving them soon. Here, hope and personal gratification inevitably triumph over paranoia. Too many people depend on these deep web markets for a variety of reasons. Let’s face it. Some may simply be drug addicts.”

But what if other markets are compromised as well? Much of the media is talking about the persistence of Dream Market; however, the moderator mentioned above and others state that it is probably compromised. I could not successfully log into it and some say this is because it is being heavily used. What does that tell you? Many market participants are trying to calm the panic. As one member observes, “the markets will come back and adapt with new security measures. They always do. There’s too much money involved for this niche to go away.” Another confirms this attitude. “Us veterans of the DNMs have been through this. We will roll with the punches and we will get through this!”

Beyond simply keeping the faith, there is a concerted effort in the community to promote sites with more complex security and browsers which appear to be safer than Tor. One site that has been getting a lot of mention is OpenBazaar. It uses no central server but rather numerous nodes to operate, much like Bittorrent does.


OpenBazaar Architecture (left) Compared with Traditional Market Site Architecture

Thus, no one can shut down the network by compromising the central server. Each computer in the group acts as a server.

OpenBazaar 2.0 is now compatible with the Tor browser, but for those looking for more security, some users recommend using the I2P browser. If you use these, a good VPN, and PGP encryption, you’d probably be safe on any deep web marketplace. However, most buyers and sellers won’t use these tools. This is because deep market participants want the easiest interface possible to buy and sell their goods and these new security layers don’t make for easy shopping.

Perhaps, those wishing to continue their deep web purchases should take the words of a deep market forum moderator more seriously.

“You can’t be too paranoid and be ordering off the dark net. If you are prone to anxiety or paranoia, take some time to seriously consider if ordering from the DNMs is really for you. Don’t have any illusions about it: this can be an exceptionally anxiety- and paranoia-inducing habit. You will be waiting an unknown period of time during which you have absolutely zero control over the situation as you await your order. You might find yourself worrying about every possible scenario where something could have gone wrong. There will be nowhere to turn to for comforting wisdom, and no one in the world will be able to actually tell you what is going on.”

 So does this recent takedown mean that this is the end of the deep web? In short, no. As soon as the panic subsides, new markets, perhaps with a few more safety features, will open. Eventually, these, too, will be infiltrated by law enforcement agencies and the whole scenario will play out once again. Nothing can keep drug users from their drugs. As Mark Twain said about his habit: “Quitting smoking is easy, I’ve done it hundreds of times.”


Hackers Beware: You are in the Crosshairs of the ‘Hunter’

You might be naive enough to think that, if a hacker does something bad to you, you can, in turn, do something bad to them. If a hacker holds your computer for ransom, for example, you might think you have the right to do the same to them or at least go after them and cause them some discomfort. If you believe this, however, you are not only mistaken, you are far more likely than the hacker to find yourself in prison. In the real world, you can carry a gun. In the cyber world, you cannot.

 You may think this is ridiculous, but there is some basis for this stance. It’s called, attribution. It’s very difficult for a victim to tell who the attacker actually is. Criminals may mask their origin in a number of ways. So, if you strike back, you might hit one of the devices they laundered their address through rather than theirs. It’s as if you defended yourself against a punch from an attacker by hitting his mother. If you make a mistake and disable the wrong computer or network, you could be accused of hacking. How would anyone know what your true motives were?

 Nonetheless, many believe that victims of cyber crimes should have more weapons at their disposal. Representative Tom Graves of Georgia is one of them. He has proposed the Active Cyber Defense Certainty Act to address this imbalance.  He wants to give the victim the opportunity to “gather information in order to establish attribution of criminal activity to share with law enforcement or to disrupt continued unauthorized activity against the victim’s own network.” Admittedly, this is a little vague. The proposed act adds the following clarification. Such defense “does not include conduct that destroys the information stored on a computers [sic] of another; causes physical injury to another person; or creates a threat to the public health or safety.”

So, apparently, you could hack into a computer of someone you feel is an attacker, look around for evidence that they attacked you, and give that information to law enforcement authorities. It seems the act will also allow you to “disrupt” further attacks against you or your enterprise, but this is open to a wide range of interpretations, especially since you cannot destroy any information on the criminal’s computer.

 In a DDoS attack, one enterprise may be attacked by thousands, if not millions, of computers. So who do you hack back against? True, there is always some organizer behind a botnet attack, but, if cybersecurity experts can’t figure out who that is, how can the average guy running an IT department? In other words, though the proposed act does try to give victims more power, it ends up getting caught in the net of reality. In short, there is little that the average firm can do without either getting themselves into trouble or causing harm to innocent individuals. To add to the confusion, former FBI Director, James Comey, dissuaded companies from hacking back because they may trip over FBI employees who are trying to infiltrate the same computers. In other words, you may start by trying to unmask an attacker and end up being investigated by the FBI.

Currently, individuals and enterprises have few options for turning the tables on hackers. What they do have are honeypots, honeynets, and sinkholes. Honeypots are points on a network that offer seemingly attractive data to hackers but which, in fact, hold only false data. Hackers looking for specific information may be lured in by the data and end up either getting nothing or giving up identifying information. Honeynets are whole false networks which can be difficult for a hacker to get out of once they are in. Sinkholes redirect attackers to another domain. Such architecture may frustrate hackers but does not really cause them harm. It is also hard to maintain and can be detected by good hackers. In short, these are expensive, passive malware information collectors. They work only after an attack has already occurred.
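To make the “passive information collector” idea concrete, here is a minimal low-interaction honeypot, written for this post as an added example (it is not code from the post or from any honeypot product). It listens on a port that offers nothing real, sends a fake FTP banner (a constructed string), records who connected and what they sent, and summarizes the hits per source address. Everything it collects is what a defender would feed into a blocklist or SIEM; the `probe()` helper simply plays the part of a scanner connecting to it so the example runs stand-alone on localhost.

```python
"""Minimal low-interaction TCP honeypot (added example, not from the post).

It accepts connections on a decoy port, sends a fake service banner, records
the source address and the first bytes received, and closes. The record is
the only thing it produces: it detects and logs, it does not strike back.
"""
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: float        # time the connection was handled
    src_ip: str      # who connected
    src_port: int
    data: bytes      # first bytes they sent (often a probe or login attempt)


@dataclass
class Honeypot:
    host: str = "127.0.0.1"
    port: int = 0    # 0 = let the OS pick a free port (handy for the demo and test)
    # Constructed banner: looks like a service, is not one.
    banner: bytes = b"220 ftp.example.internal FTP server ready\r\n"
    events: list = field(default_factory=list)
    _sock: socket.socket = None
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def start(self) -> int:
        """Bind, listen, and serve in a background thread; return the bound port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def _serve(self):
        while True:
            try:
                conn, (ip, port) = self._sock.accept()
            except OSError:      # socket closed by stop()
                return
            threading.Thread(target=self._handle, args=(conn, ip, port), daemon=True).start()

    def _handle(self, conn, ip, port):
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(self.banner)
                data = conn.recv(1024)   # capture the first thing the visitor says
            except (socket.timeout, OSError):
                data = b""
            with self._lock:
                self.events.append(Event(time.time(), ip, port, data))

    def stop(self):
        if self._sock:
            self._sock.close()

    def wait_for_events(self, n, timeout=5.0) -> list:
        """Block until at least n events are recorded (or timeout) and return a copy."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)


def summarize(events) -> dict:
    """Group events by source IP: hit count plus the first payload seen from each."""
    out = {}
    for e in events:
        entry = out.setdefault(e.src_ip, {"hits": 0, "first_payload": e.data})
        entry["hits"] += 1
    return out


def probe(port, payload=b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Stand-in for a scanner: connect, read the banner, send one probe, return the banner."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot()
    p = hp.start()
    print("honeypot listening on port", p)
    print("banner the visitor saw:", probe(p))
    for ip, info in summarize(hp.wait_for_events(1)).items():
        print(ip, info)
    hp.stop()
```

The design point is the one the post makes: the honeypot only knows about a visitor after the visitor has already acted, so it records and reports but cannot stop the first contact. Anything heavier, such as emulating a whole protocol so that a visitor stays and reveals more, is where the maintenance cost and the detectability the post mentions come in.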

Recently, a new attack-detecting program has been getting some attention. It is more active and, to some extent, even proactive. That is, it can sometimes detect an attack even before it begins. This new defense strategy goes under the banner of Malware Hunter and is produced by the developers of the Shodan search engine. I have no connection to the firm. I simply see this as an interesting twist that may be tweaked into a new level of cyber defense. Call it a reverse search engine, if you like. Malware Hunter pretends to be an infected computer/device/network calling back home to its commander. Just like every mother can identify the cry of their own baby, malware command and control (C2) centers detect the specific cry of a device infected by their malware. By responding to such a cry, the commanders give away the servers upon which they lie in wait. They give away their locations, which is the last thing they want to do.

 mal hunter

But Malware Hunter does not shoot. It only hunts. Once it finds the C2, it hands the information over to others who may take more direct action. To date, it has found thousands of C2 locations. Those subscribing to the service can get this information and, if they are in charge of a company network, use it to block attacks before they ever occur. New remote access trojans (RATs) have been found before they began their nefarious careers because they were tricked into responding to fake calls created by Malware Hunter. The same C2s used by other RATs unwittingly responded to these calls, thus, giving themselves away. It is not a happy development for criminals.

 Below is an example of a server that delivers the RAT, DarkComet. It is a comprehensive description of this device, including a map showing its general location. This owner of the device probably has no idea it is being used as a server and may be an innocent victim. The device exists to serve up the RAT and then receive information that it can send on to the C2.

 darkcomet location

 If you were a network administrator, you could block communications with this server.
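What “blocking communications with this server” looks like in practice is the defender’s half of the Malware Hunter story: take the C2 addresses such a service reports, check your own outbound connection logs for hosts that have already talked to them, and push egress rules so nothing else can. The script below is an added example written for this post, not code from the post or from Shodan; the indicator feed, the log lines and every IP address in it are constructed (the addresses are RFC 5737 documentation ranges), and the `iptables` lines it emits use ordinary iptables syntax.

```python
"""Added example (not from the post or from Shodan's Malware Hunter):
match outbound connection logs against a feed of C2 server indicators,
list the internal hosts that reached them, and emit egress block rules.
All IPs are RFC 5737 documentation addresses; all log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator feed, shaped like what a C2-hunting service might report.
C2_FEED = [
    {"ip": "198.51.100.23", "port": 1604, "family": "DarkComet (constructed entry)"},
    {"ip": "203.0.113.9",   "port": 443,  "family": "unknown RAT (constructed entry)"},
]

# Constructed outbound-connection log lines in a firewall/netflow style.
SAMPLE_LOG = """\
2017-07-27T10:01:02Z src=10.0.0.15 dst=192.0.2.10 dport=443 proto=tcp action=allow
2017-07-27T10:01:05Z src=10.0.0.15 dst=198.51.100.23 dport=1604 proto=tcp action=allow
2017-07-27T10:02:11Z src=10.0.0.42 dst=203.0.113.9 dport=443 proto=tcp action=allow
2017-07-27T10:02:40Z src=10.0.0.42 dst=203.0.113.9 dport=443 proto=tcp action=allow
2017-07-27T10:03:00Z src=10.0.0.77 dst=198.51.100.23 dport=80 proto=tcp action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) ")


def load_feed(feed):
    """Index the feed by IP, validating each address so a malformed feed fails loudly."""
    index = {}
    for entry in feed:
        ip = str(ipaddress.ip_address(entry["ip"]))
        index[ip] = entry
    return index


def find_beacons(log_text, feed):
    """Return every outbound connection whose destination is a known C2 server."""
    index = load_feed(feed)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole pass
        dst = m.group("dst")
        if dst in index:
            dport = int(m.group("dport"))
            hits.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "dst": dst,
                "dport": dport,
                "family": index[dst]["family"],
                # A C2 contacted on an unexpected port is still a C2: match on
                # address, and only record whether the port agreed with the feed.
                "port_matches_feed": dport == index[dst]["port"],
            })
    return hits


def infected_hosts(hits):
    """Internal hosts that talked to a C2, with the servers each one reached."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["src"]].add(h["dst"])
    return {src: sorted(dsts) for src, dsts in sorted(by_host.items())}


def block_rules(feed):
    """Egress rules (iptables syntax) dropping all traffic to each C2 address."""
    return [f"iptables -A OUTPUT -d {e['ip']} -j DROP" for e in load_feed(feed).values()]


if __name__ == "__main__":
    hits = find_beacons(SAMPLE_LOG, C2_FEED)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} [{h['family']}]")
    print("hosts needing triage:", infected_hosts(C2_FEED and hits))
    print("\n".join(block_rules(C2_FEED)))
```

Two choices worth noting: the match is on the destination address alone, because a C2 that answers on one port will often answer on another, and the hit list is kept separate from the block list, because the block stops future traffic while the hit list tells you which internal machines already need cleaning.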

Malware Hunter searches for open ports and accessible IoT devices. During such a search, Malware Hunter will find devices using default passwords. After receiving the results of one of these searches, I found a router still using a default password. I was offered the chance to sign in to it and did so.

default password router

 This led me to a page where I could have reconfigured the router and changed the login information. However, this would have made life tough for a naive user in Thailand.

 router access

 Actually, it seems that I could arrange for remote access if I wanted to.

 remote access

 So, couldn’t hackers use aspects of Malware Hunter to further their attack strategies? After all, if attackers subscribed to Malware Hunter, they could find out if their servers have been uncovered, right? 

Such uses are possible but, these negative points aside, programs like Malware Hunter may become more mainstream if the U.S. government allows firms and individuals to be more proactive in their responses to hacking. For the moment, hackers have the upper hand. The chances of getting caught are low and the chances of paying a price for their crimes are even lower. Malware Hunter might not catch the perpetrator outright, but it may disturb their peace of mind. It is a step in the right direction which could easily be upgraded with, perhaps, a little help from U.S. government intelligence software. Such integration could allow victims to hack back with more precision and more devastation. In short, anything that endangers hacker anonymity is a step in the right direction.


Trolls: A Product of the Internet, Society, or a Psychological Disorder?

Let’s get straight to the point. Real trolls have serious psychological problems. That’s not just my opinion. It’s the opinion of experts who have researched the subject. People with psychological disorders have been around long before the internet was ever conceived of. The internet simply gives such people a way to satisfy the compulsions associated with their disorders in a way that is much safer than it would have been in the past. In the past, they would have had to face those they insulted, and that comes with some risks.

I mention ‘real trolls’ to differentiate them from people who simply exhibit temporary anger while on internet sites. According to a YouGov poll, 28% of Americans admitted to “trolling-like” behavior. This behavior included “malicious arguing with a stranger”. True, the anonymity of the internet may allow a person to express their anger more than they would in person, but this is different from troll behavior. Trolls do what they do to achieve a very different outcome. A person who argues with a stranger may really be angry at that person and somehow want to prove a point. A troll really doesn’t care if he or she proves a point or not.

So what is the actual percentage of Americans who are real trolls? The YouGov poll found that 12% of those taking the poll admitted to saying something so controversial that they were banned by moderators. This percentage seems closer to the true troll population. If we combine this finding with medical statistics on psychological disorders, we may begin to get some focus on an actual percentage of online trolls. One study found that “15% of the population — have at least one serious personality disorder”. But not all personality disorders are created equal. In other words, what personality disorders are most associated with trolls?

In an in-depth study of troll behavior published in 2014, it was found that troll behavior correlated positively with four psychological disorders: sadism, narcissism, psychopathology, and Machiavellianism. The study found that about 6% of internet users openly admitted that trolling gave them the most satisfaction. The authors of the study believed that the 6% figure probably under-represented the true number of trolls. However, the following graph shows which psychological problems were associated with that group.

troll psychology

The researchers found a particularly high correlation between trolling and sadism, in its many varieties. They state that this correlation is “so strong that it might be said that online trolls are prototypical everyday sadists.” They went on to observe that “we found clear evidence that sadists tend to troll because they enjoy it … Both trolls and sadists feel sadistic glee at the distress of others. Sadists just want to have fun . . . and the Internet is their playground!”

So what percentage of Americans fit this particular demographic? According to one study, sadistic personality traits and disorders (SPD) are prevalent in 8.1% of the population. Combine this with narcissists and other people with antisocial psychological disorders and you get a figure between 10 and 15%. This is the percentage of online Americans who take pleasure in causing others misery or who find that the internet gives them a way to feed their psychological disorders.

Not all of these sick individuals take pleasure in hurting people. Narcissists and psychopaths, for example, don’t take pleasure in hurting others because they simply cannot sympathize with them. However, narcissists may enjoy the attention they are getting on the internet. Narcissists will become angry if they encounter others who disagree with their opinions because their opinion represents the inflated image they have of themselves. These are the people who will argue ceaselessly with others on forum and social media sites.

Psychopaths cannot relate to the feelings of others any more than narcissists do, but they don’t care whether they are liked or not. They don’t need the attention that motivates narcissists. They are predatory. They seek certain goals at all costs. The frustration of not getting what they want will cause them to overstep any social norm in order to get it.

Different psychological disorders will drive those with them towards different internet sites. Narcissists prefer sites like Facebook. One study found that the “narcissists’ use of Facebook for attention-seeking and validation explained their greater likelihood of updating about their accomplishments and their diet and exercise routine.”

Psychopaths are groomers and charmers. Though they understand, logically, how emotions can be used to control people, they feel no emotions themselves. Psychologists refer to online psychopaths as, ‘ipredopaths’. According to them, “iPredopathy is an advanced stage characterological disorder describing any adolescent to adult male or female who skillfully uses Information and Communications Technology [ICT] to troll, identify, control and manipulate their human targets.”  They “experience no remorse or shame for the harm they cause others.” They target those who are “unsuspecting, vulnerable, (and) submissive”. These targets often include “internet-safety-ignorant children, older adults, unprepared businesses, and psychologically distressed adults.” Depending on their individual perversions, psychopaths can be found looking for victims on dating sites, gaming chat rooms, or forums. They are charming and, although they feel no emotions themselves, learn how to fake the emotions that can influence the actions and gain the trust of normal people. However, most of us don’t consider these people as trolls, in the regular use of the word. Trolls are those nasty individuals who are seeking to hurt or inflame the emotions of others. They are certainly not the charmers that psychopaths are.

So, what does a troll look like? First of all, they are predominantly male. One writer categorizes the average troll as “young, male and troubled”. That said, some of the most infamous trolls have been female. Lori Drew, posing as a young male called, Josh, pushed Megan Meier to commit suicide. The bad news is that nothing could have pleased this troll more. That’s just how it is. Other trolls have been convicted of attacking the parents of children who have tragically died, taking great delight in causing them even more misery. One researcher concluded that “It’s hard to get demographics on who trolls are, but you note that their targets are usually women, people of color and LGBT people, and sometimes Christians and Republicans.” Oddly, the people that the trolls attack may hold views that are similar to the troll’s own. It’s not the views that matter. It’s the pain that their comments can cause that gives their lives meaning.

Although trolls will attack any vulnerable individual, they “seem to find women – particularly feminists – more fun to harass.” The internet has added a new dimension to these attacks. Sadistic trolls will form groups and then concentrate on one woman for a sustained attack. The reason for this is that a massive troll attack is more difficult to moderate, meaning that the malevolent messages are more likely to get posted and stay on the site longer.

The internet also gives trolls anonymity and security. Most realize they will never get caught and, even if they are, they will never have to pay any serious penalties. The fact that they don’t confront their victims in person means it is easier to disassociate themselves from the victims. The victims don’t seem to be real people. Then, there’s desensitization. The average internet user is simply beginning to get used to trolls. Trolls have begun to think of their behavior as normal. That’s where the true problems begin.

The open dehumanizing of victims on the internet can result in a back propagation into society at large. The level of tolerance of hate speech on the internet can give some the impression that it is now allowable in non-cyber contexts. There are those who may get the impression that they can say whatever they want to whomever they want and expect no opposition. In fact, any opposition may startle or even outrage them.

In a climate where trolling behavior is grudgingly tolerated, more people may begin to participate in it. Troll behavior could extend beyond the usual base of people with psychological disorders to include those with borderline psychological disorders, or even people considered more or less normal. This increase in troll-like behavior among the general public could augment the number of trolls on the internet in a sort of ever-growing, self-reinforcing upward spiral. In other words, I would expect trolling to become, at least in a sense, more mainstream. More people will think it is an acceptable and entertaining endeavor.

For anyone who becomes a victim of a troll attack, the advice is to never respond to them. If you are trolled on a social media site, report the person to the site’s administrators. Good luck with this on Facebook. You will get a standard digital form to fill out with limited questions. I’ve reported fake Facebook sites of dating predators and have had no success in closing them down. Don’t even read the comments that trolls may post. Delete them instantly.

And for any trolls reading this, get yourself professional help…really.
