Deepfake Videos: When All News Becomes Fake News

Most people can tell whether a video is fake or not. It may be a very good fake but something about it just looks, well, unnatural. We may not be able to express why a fake video leaves us with this feeling, but we simply know it from our interactions with real people. If we comprehensibly analyzed why people determined a video to be fake, we would see that it came down to something as simple as a strange blink or an unusual movement of the head.

But what if we could eliminate all uncharacteristic movements from a fake video by directly linking it to every minor movement performed by an actual human subject? This can be done by using a neural net which can be ‘taught’ to learn certain natural, predictable, and idiosyncratic patterns of a targeted person’s movements from a video. The teaching video will serve to train the neural net on how a certain targeted person normally behaves. After the neural net learns how a certain individual behaves, an actor can then make a separate video. This is called the, ‘source video’ and this is what would be sent to the neural net. The neural net translates the actions on the source video to make a fake or target video. Thus, an actor in a source video can make a target do whatever they want them to do. Having been already trained on the natural movements of the target, the neural net ‘predicts’ how the targeted person would act and makes the fake video accordingly.  Here is a visual depiction of the process from the paper, Deep Video Portraits by Kim et al. which shows how an actor transfers his movements to a fake video of Barrack Obama.

deep fake source obama

To keep this from being too technical, information from the source video (upper row) is interpreted by the neural net to produce the target video (lower row). in this way, the actor makes the target act in the way that he wants it to.

Take particular note of how the background corresponds with realistic head movements. This marks a major accomplishment in these fake videos.

The researchers made a number of such ‘fake’ videos and then asked people to determine whether they were watching a real or fake video. Interestingly, about 80% of people thought the real videos were actually fake. About 50% of people correctly identified the fake video. It should be kept in mind that these people knew in advance that they would likely be ‘tricked’ into thinking a fake video might be real and, in consequence, were probably hyper critical. Both percentages would be much higher for unprepared viewers. The researchers admit that sudden, unusual head movements or quick changes in facial expressions in the source video may produce results that would appear to be unrealistic or fake. Would you be able to tell which is the source and which is the target, or fake video, in the sample below?

 

Yeah, I couldn’t either. The fake is on the right.

All of this about creating a perfect fake video is well and good, but this only takes into account the video portion of a fake video. What about reproducing voices? Most often, this tends to be the weak point in these videos. People can tell if a voice sounds ‘robotic’ even when they may be fooled by a video. That said, there have been some major advances in this area. Last year, a new startup, Lyrebird, produced this audio clip of Donald Trump, Barrack Obama, and Hillary Clinton talking about their firm. The overall vocal characteristics aren’t bad, but the stress, emphasis, and pacing make the track easily identifiable as a fake. Take a listen.

Of course, with more training, these voices have improved. The latest samples are better but they are still a little muddy and not altogether convincing.

That said, we are rapidly closing in on the day when a video will appear which will fool us all. We simply won’t be able to tell whether it is real or not. The first videos to do this will contain little or no speaking. Only by looking at fine details will anyone be able to determine whether what we see happening is really happening. Later, the videos will be so good that even a forensic examination could leave us with some degree of doubt.

Of course, there will be those who try to benefit from these realistic but fake videos. If the surrounding circumstances seem believable, viewers could be persuaded that the video is, in fact, real. These could be videos of politicians saying outrageous things or simply behaving badly. Even if the videos are discounted as probably fake, they could, nonetheless, instill doubt and will tend to tarnish the targeted person’s character. If, as will probably be the case, the videos are made to discredit a politician, those who want to believe the content of these videos probably will.

But fake videos open up a two-way street. Politicians who actually are caught behaving improperly on videos could claim that the video is fake. Again, those who want to believe it is fake, probably will.

The Defense Department has been working on programs that will determine whether a video is fake or not. They were initially successful in determining that the people in fake videos did not blink. Unfortunately, this is no longer true. The new techniques are far too advanced to make such mistakes. In fact, every time a program learns a video is fake, it helps the neural net. This is simply how neural nets learn. The neural net computers that now routinely beat chess grandmasters are able to do so because they learned from playing and losing to them. In other words, losing is winning for a neural net. This is why fake videos are destined to become indistinguishable from real videos.

So what does this all mean? At some point, no one will be sure which videos are fake and which are real. All news programs showing compromising videos will come with the disclaimer that they could not authenticate them. Eventually, that won’t even matter. All news, all truth will become muddied. Viewers will believe what they want to believe and will choose the media outlet that matches those views. Media outlets will pander to their bases by choosing videos, fake or not, which support certain political viewpoints. In the end, all news will be fake news.

 

 

Posted in Uncategorized | Leave a comment

Hacking Your Face

Okay, so that’s a bit of an ambiguous title. I don’t mean using tricks to make yourself look better or hitting yourself in the face with a meat cleaver. What I’m referring to is a new form of malware that actually uses your computer or device’s camera to look at you and identify you before it begins to hack you. It’s a pretty scary scenario that has now become reality. Welcome to the new era of hacking.

As the cyber world evolves into the artificial intelligence (AI) realm, so too does hacking. For now, such AI-assisted malware is in the infancy stage; however, a proof-of-concept AI malware package called, DeepLocker, has been developed by IBM researchers. DeepLocker is malware which does not deploy until it finds a specific victim. The identification of this victim relies on AI, neural net properties. The use of a neural network by malware would, according to the researchers, make the malware’s detection more difficult.

Defense against most malware is based on analyzing its composition and matching that against known patterns. Malware, therefore, tries to find ways to hide these patterns to avoid detection. Well-designed malware will not deploy unless it detects a safe environment. For example, malware will scan a network it has infiltrated to see if there is any indication of a sandbox or if it has been lured into a honeypot. If the malware finds something suspicious, it won’t deploy. Once deployed, however, the malware gives away information about its design, after which, anti-malware architecture is updated.

As an example, notice how the famous Stuxnet worm inspected the network before it determined what to do next. (Stages 2 and 3 below)

stuxnet-diagram

DeepLocker hides itself in normal-looking software. The software may act normally unless certain trigger conditions are present. These triggers can be any number of things, such as matching GPS locations or voice recognition, but, for the purpose of this article, I’ll focus on facial recognition.

Neural networks are pattern recognizers. They can be trained to identify certain patterns, such as faces. If the neural network integrated with the malware was pre-trained to recognize a particular face, it would only trigger the associated malware to deploy when that pattern, that face, was recognized. To do this, the malware would need to have access to the device’s camera. Thus, any software that required the use of a camera, such as video calling/conferencing software, would be an ideal package for this type of malware.

The problem comes with trying to defend against this type of malware. The only ones who know the raison d’etre of the neural net pattern associated with the malware are those who created the malware. It cannot be back-engineered by the attacked network. Even the connection of the trigger to the malware can be encrypted or otherwise obfuscated. In short, it would be very difficult to conclude that an attack was underway or that one even took place. Here is a diagram showing the concealment such malware can use.

deeplocker hide

If malware like DeepLocker wanted to target you, it would first need to get you to download and install a specific type of software that would enable it to have access to the pattern it was designed to look for. It could, theoretically, do this through a fake update of software that is already installed on your device. The attacker could, if advanced enough, scan your system or network to see what software avenues are available. It could then develop a recognition pattern that would make use of the previously installed software. It could, for instance, develop a voice or facial recognition neural net pattern that used your pre-installed video chat program and use that program to target you.

The best way to develop such malware would be to train the neural net through direct communication with the victim. This would enable the attacker to record the interaction and, thus, obtain sufficient data to train the net for a future attack. That said, few people would accept a video call from a stranger. Malware that takes control of a device’s camera and microphone is readily available, but this could be detected by security architecture. The only way to train the neural net without infiltrating the network or device is to use publicly available videos and photos. Thus, the greater online presence you have, the more susceptible you would be to such an attack.

It should be noted that no such attacks have been detected in the wild. That said, how would they be detected? The malware would only be vulnerable to defense strategies in the earliest stages of an attack. However, those who would design such a targeted attack would be those who had access to multiple cyber attack resources and were in a position to obfuscate all stages of such an attack. That’s right. Most of these attacks would tend to come from nation states because the resources and knowledge it would take to develop them would be beyond that of most unaffiliated hackers.

So, if these attacks were developed, they would not be widely distributed, at least at the beginning. Only high profile targets who had a substantial online presence would be victimized. A substantial online presence would be necessary to develop a training set for the neural net. The target would need to possess valuable information or data that would be worth all the time it would take to design the attack. So if you fit this profile you may want to begin your defense by at least putting some tape over the camera lens on your laptop and disabling your microphone.

It would not surprise me if intelligence agencies already possessed such malware, but if they don’t, they soon will. Low profile, highly secured but valuable targets may still get hacked using such malware but this would require advanced attack techniques. For example, the time is not far off when someone could call a target using voice simulation software that makes them appear to be someone the target knows. This could be a way to gather voice samples from the target that they could then use to train a neural net for a future attack. As is often the case, the cybersecurity community has been put on the back foot by this new attack vector. At least for a while, the defense against AI attacks, like DeepLocker will be more reactive than proactive. Efforts are being made to decode neural nets before they deploy, but major attacks using this vector will succeed long before such defenses are developed. For those in the cybersecurity community, there are some hard times ahead.

Posted in Uncategorized | Tagged , , | Leave a comment

Why an Attack on a Taiwanese Chipmaker May Affect You

Most people have probably never heard of Taiwan Semiconductor Manufacturing Co. (TSMC). Most people would be surprised to learn that it is the seventh biggest tech firm in the world, placing just below Apple. In fact, according to Bloomberg, TMSC is the “sole maker of the iPhone’s main processor” and is currently preparing to begin producing chips for Apple’s next iPhone. Indeed, Apple accounts for 21% of TMSC’s income. So you’d have to figure that an attack that shut down three of its factories had to have some negative effects.

As of this writing, TMSC is giving few details about what exactly caused the closure of its factories. The Wall Street Journal claims that the company was attacked by a computer virus which was “a modified version of the WannaCry virus”. But calling it “a computer virus” is simply a way to obscure the facts. And, to add to the mystery, the company also claimed that the virus was not introduced by an outsider. The latest company statement on the problem states that the disruption was caused by a “mistake made during software installation that then spread through its network.” That was some mistake.

Without more details, it’s impossible to know what exactly they are talking about. How does a bad software installation shut down three factories? Since they referred to a “computer virus”, does this mean that malware was pre-installed on some important software that masked itself as an update? How long ago was this installation performed? Was this virus or malware on the network for a long time or did its installation instantly shut down the factories?

According to an update of the original Bloomberg article, “no confidential information was compromised in the virus attack”. So it now termed an “attack”, not just a problem caused by incompatible software. This conclusion seems confirmed by a statement from Chief Financial Officer, Lora Ho, who said, “TSMC has taken actions to close this security gap and further strengthen security measures.”

Okay, so what precisely was the security gap that needed closing? Because it now appears that the network was breached by someone either looking to disrupt operations or steal information. You don’t take the time to compromise the supply chain just for fun. In either case, it must have been a major business competitor or a hostile nation state that could benefit from such a disruption or benefit from some secret information it may be able to get its hands on.

This being the case, would anyone be surprised if China was behind this attack? Probably not. According to one source, Taiwan’s government networks are attacked by China at a rate of up to 40 million a month. China would like nothing more than to give one of Taiwan’s biggest tech companies a black eye. Doing so would make competing Chinese companies look better, by comparison. Maybe they could persuade Apple to depend less on TSMC for its chips and start using Chinese semiconductor producers.

Then again, maybe they wanted to steal information on the new iPhone chips. TMSC claims that no confidential information was accessed by the attackers. However, what would you expect them to say? In every major attack I have written on, the attacked company always initially downplays the attack. Over time, they release more details. The company has only stated that deliveries of new iPhones may be delayed and that TMSC may see a temporary 3% decrease in profits which will amount to a loss of about $250 million.

We may find out the truth if a Chinese smartphone maker suddenly comes out with a phone that is surprisingly similar to the new upcoming iPhone 9. But maybe the attacker’s plans were simply to sully the image of the iPhone by using malware that would change the manufacturing parameters on machinery used in iPhone chip production. Such actions would then result in the production of underperforming iPhones. These imperfect phones would have to be recalled and, in so doing, Apple’s reputation would suffer. We also cannot dismiss the possibility that the hacker wanted to put some sort of backdoor into the chips.

If this attack was engineered through contaminating software from a supplier, it would most definitely have to be the work of a nation state. Such an approach is simply far too sophisticated for a bedroom hacker. Connecting this malware to the WannaCry virus seems a bit of a stretch, but it is possible that it had some similarities. For me, it seems closer to a variation on the Stuxnet malware, similar to the Triton malware that shut down Saudi Aramco last year. Interestingly, when that particular attack was reported, Saudi Aramco claimed there had been no attack at all.

If we assume that China was behind this attack, we’d have to speculate on how they compromised the supplier. Without knowing who the supplier was, we can only assume attack strategies that have been identified by the United States Office of the National Counterintelligence Executive in their 2018 report. Besides normal cyber attack methods, China uses the following routes to get the information it needs to support its tech industries.

chinese hacking

We would have to know the infected supplier to reach any conclusions as to how the malware may have been placed in the software without it being detected before distribution. It should be noted, however, that TMSC has a semiconductor fabrication plant (fab) in Shanghai. Just saying.

China is no newcomer to the ICS/ SCADA (Industrial Control System/ Supervisory Control and Data Acquisition) attack arena. These refer to the control system architecture of machinery or other infrastructure that sets production parameters. If tampering with machine control systems was, in fact, the attack vector China used against TMSC, no one would be surprised. China is the leader in this type of attack. In 2013, Trend Micro set up some honeypots that looked like valid SCADA networks. They wanted to see if they would be attacked and by whom. In short, they were quickly and robustly attacked. And who were the main attackers? The chart below will give you that answer.

china scada

Yes, China led the way with 35% of the attacks being attributed to them.

While we await details on this attack, we can only speculate on the consequences. The attackers may leak information on what they found out about the new iPhone to take away some of its thunder. Well, what a coincidence! Yesterday, August 8th, a Chinese publication called, Economic Daily News, leaked details of the new series of iPhones. The information was reportedly from a Foxconn employee, but who knows?

iphone 9

The debut of the new phones is expected in September, but that may be delayed. If a delay occurs, it may not only be because production was shut down for three days. If the malware was in the system for longer than the company admits, they may have to check to see if new chips and phones that may have already been produced possess faults. If the delay is longer than just a couple of weeks, the hack may have been more successful than the company has claimed.

At the very least, the attack may cast doubt on the reliability of the iPhone. Most hardcore iPhone users may not be phased. However, those contemplating a change to another brand may see this as the last straw and make a move to another maker. This will be especially true if, by sheer coincidence, a Chinese smartphone producer comes up with a phone that is almost a clone of the new iPhone. I guess we’ll just have to wait and see.

Posted in Uncategorized | Tagged , , , | Leave a comment

Why Not Get Google Results with a Private, Non-Tracking Search Engines?

I like Google. I think it gives better search results than any mainstream search engine. That said, I know it’s following me. It keeps records of what I search for, what sites I visit, and what I like to build a profile of me. It then offers me targeted ads and targeted search results. Sometimes that can be good. It saves me search time. Unfortunately, there are other times that I might not want Google to know so much about me.

If, for example, the government ever needs to find information about me, I’m sure they will stop at Google for a little help. And, make no mistake about it, Google will be only all too happy to comply. Here is the most recent data from Google showing requests for customer data within the U.S.

google data requests

But requests for data are one thing and actually coughing up that data is another. So what percentage of these requests were acceded to? Here’s the chart that gives this information.

google percent data requests honored

In other words, Google agrees to most of the data requests it receives (82%).

What data does it have on you? Quite a bit. You can get a copy of all the data Google has on you here. You can choose what information to look at. I chose the following, which comprised over 2GB of data.

google data

But there is more to privacy than this. Google knows in advance what you are probably searching for. If you type in the first letter of a search, it will suggest frequently visited sites that begin with that letter. This can be convenient. It could also cause you problems.

Imagine, for example, your wife wants to look for a bread recipe, types in a ‘b’ and sees that ‘babes in bikinis’ is suggested. Busted! Sure, you can delete your history, but how many of us actually do that after each browsing session. Besides, Google will still keep your browsing information no matter what privacy steps you decide to take. They need it for advertising. But I understand. Google is a business and they need to make money. At this point in cyber history, selling personal information is the best way to get rich.

But what if you can use a non-tracking browser that uses the Google search engine? What if Google never knew who was browsing or what they were browsing for? That would certainly give the user much more privacy. Well, those search engines are here, and, in this post, I’ll suggest a few.

There are a number of private search engines. Most privacy-concerned individuals have heard about DuckDuckGo, which is used by the Tor browser. DuckDuckGo leverages Yahoo search, and I don’t really find the results from Yahoo to be as good as those from Google. Besides, Yahoo has the worst privacy policy available and they have been known to collude with the NSA. Therefore, I will only focus on private search engines that use actual Google results or results from a combination of search engines that includes Google.

Private search engines protect your privacy by acting as an intermediary. You type your search terms into their search page and they go to Google for you. Google only sees the search engine address as the searcher. They don’t know the real person behind it.

As Google builds its profile about you, their algorithm begins to send you targeted search results. In short, they filter out any results they think you would not be interested in. This leads to the formation of what is called, a ‘filter bubble’. You will be isolated from results that conflict with your viewpoint. It is a strategy which, no doubt, can help magnify divisions within a culture. Private search engines will not do this. When they leverage Google, Google has no profile of you personally, so they must present all viewpoints in their search results.

For this post, I will look at three search engines which base their results on Google or Google and other search results (not including Yahoo) and which have high privacy features. These search engines are StartPage, Gibiru, and SearX.

StartPage

startpage

Startpage uses Google search results. It does not offer suggestions as you type, but you have the option of turning this feature on in the settings menu. However, keep in mind that the suggestions will be Google’s suggestions so they could be biased.

You can browse for images and videos and videos will be shown in thumbnails. If you click on the thumbnail you will receive this message.

Some may also worry about using Startpage with servers in the U.S. because they worry that these servers could be compromised by law enforcement. Yes, that does happen. However, Startpage gives you the option of using only EU servers, not that these can be guaranteed to be safer, but they could be. Then again, there’s no guarantee that Startpage or any other private search engine will not keep logs that connect to your IP address, you simply have to trust that they won’t.

Startpage uses ads to make money. They appear at the top of the search result and are not as obvious as they are on some search engine results.

Gibiru

gibiru

“Gibiru is the preferred Search Engine for Patriots.” At least that’s how the founder and CEO of Gibiru, Steve Marshal, markets it. It is a bare-bones search engine that uses Google results. It was designed by a former Google employee who became disenchanted with the way Google was manipulating personal information to make big profits. “Just as Google was forced by China to only show negative results for the web search Dali Lama and Tibet in an agreement that would allow Google to operate business in China, the same system of censorship and secret policing of citizens is developing now. Would you trust the government’s mainstream media to tell you the truth?” Some may call it paranoia, others may call it being cautious.

Gibiru uses featured ads to make money. They also seem to use your IP address to target you with these ads. In other words, they seem to, at least temporarily, store this information. They recommend incorporating their search engine into the Firefox browser for enhanced anonymity.

SearX

searx
SearX is the most malleable of all private search engines. It is a metasearch engine, meaning that it aggregates search results from a number of search engines. The selling point of SearX is that you can choose which search engines you want to use. There are a number of other settings that you can use to personalize SearX.

By default, SearX does not autocomplete your search results; however, you can enable this feature and even choose which search engine you want to do the autocomplete function. All custom settings are saved in your browser, not on the SearX website. You can also filter search results in a variety of ways not offered by other private search engines. SearX is based on open source code so it does not give you any ads. It does, however, ask for donations. Nonetheless, you could make a good argument for SearX being the best search engine available anywhere, encrypted or not.

Other Notable Private Search Engines

Search Encrypt is often mentioned when people write about private search engines. It has the advantage of encrypting your search terms before it searches, thus, adding another layer of anonymity to your searching. On the other hand, it is not configurable. You get the search results it wants to give you, and, in my opinion, these are often lacking. Search Encrypt can be integrated with your browser (Chrome and Firefox), but users complain that it interferes with search results more than it helps. Some claim it acts more like malware, but this may be because it predetermines which sites are free of tracking and will not suggest them. It is supported by ads in the search results.

Qwant is a French-based private search engine which seems to be growing in popularity. Those who want to avoid U.S.-based servers may find it attractive. The search results are fair, but a multiple of filters can be applied. It does use autocomplete, but it is impossible to tell if this is biased, because it cuts out early when typing in a search phrase. It does offer paid ads mixed in among the search results and they are not all that obvious.

Final Remarks

All of the private search engines mentioned in this post will protect your search results from being used to build a profile of you that can subsequently be sold to advertisers. Some simply offer more features than others. Just like a VPN, there is no way to ensure that they keep their end of the bargain, but if you find you are being targeted with ads through your searches, be suspicious. Keep in mind that once you click on a website in the search, you are on your own. The search engines only protect your searches from being monetized and nothing more. Add a VPN and even Tor browser into the mix if you are looking for the best privacy you can get. However, keep in mind that absolute privacy may still be unattainable.

Posted in Uncategorized | Tagged , , | Leave a comment

The Recent Russian Indictment Raises 7 Major Questions

While the recent indictment of 12 Russian hackers does give some interesting new details on the hacking of the DCCC (Democratic Congressional Campaign Committee) and DNC, it still leaves many questions unanswered. In addition, the indictment itself raises new questions. So, here is what we still need to know to get to the truth.

1. Why didn’t the FBI or other intelligence agencies look at the hacked servers?

Like it or not, Donald Trump is right to ask this question. If you were diagnosed with a serious illness, wouldn’t you get a second opinion before undergoing treatments? Why wouldn’t the FBI want to confirm the findings of private security firm, CrowdStrike, before investigating the hack? It seems like an obvious first step.

A number of answers have been given for this. The FBI claims they made several requests to see the servers, but the DNC refused them access. But if this was considered an issue of national security, couldn’t they have demanded access? They seem to have given up without much of a fight.

For its part, the DNC claims they offered the FBI the opportunity to see the servers but said that the FBI wasn’t interested. In the end, the FBI chose to take CrowdStrike’s word for the Russian intrusion.

Both stories may hold some truth. James Comey claimed that there was really no need to see the servers because they had “upstream” information that the Russians had hacked the DNC. True, back in 2015, they had warned both the DNC and the RNC that Russia would try to hack into their networks. Thus, when it looked like the Russians had eventually succeeded, the FBI was not surprised and probably felt no compulsion to investigate further.

Another story is that the DNC did not want the FBI to see the servers because there was incriminating information on them. We know, from the documents that were later released, that the fix was in against Bernie Sanders. Then, there was the Trump dossier. In addition, they did not want the negative attention such an investigation would give them as they were already feeling the backlash from the emails hacked from Hillary Clinton’s private server. Their ineptitude at protecting donor information could hinder supporter financial contributions. Remember, until June, 2016, they did not realize that the stolen documents would be made public. Add to this the fact that many heads of the intelligence community assumed an inevitable Clinton victory and one could understand why they did not want to rock the Clinton boat. Practically speaking, those that did might eventually lose their jobs when Clinton was elected.

Recently, some publications have claimed that the FBI did not need access to the servers because CrowdStrike had given them image files. That may be, but in this case we would have to believe that no files were deleted or tampered with before the images were created and turned over to the FBI.

2. How did the FBI identify these specific hackers?

What emerges most from the indictment is the U.S. intelligence community’s ability to follow the actions of the accused hackers. We can infer that the FBI had control of a server in Arizona used by the hackers to send the stolen documents on to their command and control (C&C) center. But how did they identify this particular server? Were they already following the cyber actions of these individuals? Did CrowdStrike find evidence of this when they examined the servers?

In the indictment, the Russian hackers are identified along with the positions they held in the Russian intelligence community. Information is also given on the roles they played in the DNC/DCCC hacks. But how did the intelligence community learn of these specific roles? Do they have malware within the Russian intelligence networks or do they have Russian informers working with them? These are important questions because, not knowing the answers, we are back to just believing whatever the intelligence community tells us.

3. The indictment includes much information on the hacking of Hillary Clinton campaign chairman, John Podesta. My main question is: Why was Podesta using a Gmail account for official communication? Who were those spear phished at the DNC/DCCC? Did they all have Gmail accounts?

Hillary Clinton campaign chairman, John Podesta, was hacked because he had a Gmail account. He was sent to a fake site to change his password and that password was captured by the hackers. Once his account was compromised, any of his contacts could be spearphished. Why wasn’t he given or forced to use a DNC account? Many others within the DNC, such as Debbie Wassermann-Schultz, also had Gmail accounts. How many of them were also hacked in this way? Did the FBI analyze these infected endpoints to gather information on the hackers?

The hackers compromised endpoints in the DCCC to hack into the DNC network. They then installed malware in the network to gather documents and data. What sort of cybersecurity did the DNC have that did not detect any of this activity? If the hackers were so sophisticated as to hide their activity, why were they so clumsy as to allow their identities to be traced? We know now that they used Tor to hide their IP addresses, so did the FBI have control of Tor?

4. How did the hackers manage to transfer so many gigabytes of data without being detected?

Many have suggested that the hack was an inside job; a leak. They claim that it would have been impossible to hack such data remotely because it would have taken too much time to transfer it. The timeframe for the movement of these documents is supposedly known and only a local transfer (e.g. to a USB) would be possible. To accomplish such a transfer of gigabytes of data remotely would be impossible even at peak internet speeds, which were not available at that time.

The indictment seems to be aware of this objection and answers it by stating that the hackers “used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.” What tool was that? How much was this data compressed to enable hackers to move it across the internet so quickly? Was this information available in the logs? Where are those logs anyway?

5. How were the hackers able to maintain their presence on the DNC and DCCC networks until October, 2016?

Almost as soon as the hackers breached the DCCC network on April, 12, 2016, they were into the DNC network. They intalled X-Agent and X-Tunnel malware onto computers connected to both networks. Thereafter, they began harvesting data. And it did not end there. As the indictment states, “between on or about May 25, 2016 and June 1, 2016, the Conspirators hacked the DNC Microsoft Exchange Server and stole thousands of emails from the work accounts of DNC employees.” CrowdStrike came on the scene in May, and almost at once concluded Russia was behind the attack, but their concomitant report makes no mention of whether or not they purged the Russian malware from the network. The indictment makes it clear that they did not. It states that, “despite these efforts (by CrowdStrike), a Linux-based version of X-Agent, programmed to communicate with the GRU-registered domain linuxkrnl.net, remained on the DNC network until in or around October 2016.” So the hackers continued to hack the DNC and get information from it until the election.

The indictment also points out that “in or around September 2016, the Conspirators also successfully gained access to DNC computers hosted on a third-party cloud-computing service.” I believe this was the Amazon’s AWS service. This is new information, but we know nothing of what, specifically, was stolen. Can we have some details?

6. What was the real goal of the hackers?

The indictment seems to indicate that the true purpose of the hacks was to sow discord between the Sanders and Clinton campaigns. They did not feel that Trump was a viable candidate. At that time, Julian Assange of Wikileaks wrote to the hacker known as Guccifer 2.0, “we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.” He wanted documents to prove that such a conflict existed and could be exploited. At this point in the campaign, Russia news media was clearly supporting the Sander’s ideology. They, like everyone else, also probably thought that Trump had little chance of gaining the nomination, let alone the presidency. They would, therefore, be supportive of anyone who supported Sanders, such as Wikileaks. The indictment agrees that the goal of the hackers was mainly to “interfere in the 2016 U.S. presidential election.” There is no information in the indictment to conclude that the hackers committed their breaches to help the Trump campaign.

7. Did the Russian government hack the DNC/DCCC?

dnc

Maybe. Even probably, but, in fact, I’m not really sure. Cybersecurity expert, Brian Krebs, stated in a post on the DNC hack that “based on what I’ve learned over the past decade studying Russian language, culture and hacking communities, my sense is that if the Russians were responsible and wanted to hide that fact — they’d have left a trail leading back to some other country’s door.” Didn’t CrowdStrike, even for a brief moment, wonder if their so easily finding Russia in the DNC network was too good to be true? Then again, they probably knew what the FBI expected them to find.

According to the indictment, the hackers did try to cover their tracks, but, somehow, the FBI, or, at least, CrowdStrike, found those tracks. So either the hackers did a bad job hiding their tracks or the real hackers wanted it to look like Russia was behind the hacks. But if not Russia, who would want to make it look like it was Russia? Maybe that should be the main question.

Given the information above, it is hard to imagine why the 2017 report on Russian influence in the 2016 election stated that the election of Donald Trump was the main goal of Russia and its hackers. However, the intelligence agencies behind this report did not completely agree on this point. The FBI and CIA claimed high confidence in the conclusion that Russia hacked the DNC to help Donald Trump, while the NSA was only moderately confident in this regard. Moderate confidence “means that the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.”

Julian Assange has always maintained that it was not Russia that hacked the DNC. He claims he has the physical proof for this and, in fact, apparently offered this proof to the FBI in exchange for some sort of immunity deal. However, when given this opportunity, FBI Director, James Comey, apparently told those in contact with Assange to “stand down”. At least, this was the information delivered by Senator Mark Warner to Assange contact, Adam Waldman.

Of course, it is also possible that Assange only believes he has proof. He could have equally been fooled through obfuscation techniques. And that’s really the point. There’s a lot of information in the indictment but it fails to come together into a cohesive package that leaves no doubt about who was really behind these hacks and what their actual purpose was. If everyone involved in this investigation, (the intelligence agencies, the DNC, and Assange) would agree to work together, maybe we’d finally get to the bottom of this. But I can’t really say I see much hope that this will ever happen, especially since the DNC just filed a lawsuit, via Twitter, against Wikileaks.

Posted in Uncategorized | Leave a comment

Hackers Using the Browser’s Red Warning Screens to Begin Attacks

Personally, I’m glad the Edge browser has SmartScreen. Chrome users should also be glad because Microsoft is now offering that browser an add-on that gives those users the same protection as Edge users. SmartScreen warns you that the site you’re planning to visit may have malicious intentions. You don’t have to go there to find out because the browser has already done that for you. It’s something like a person warning you not to open a door because bad things are in the room behind it. It’s too bad predictable horror movies don’t have this function. If they did, the terrified girls in these films may think twice before deciding it might be a good idea to look around the cellar where the lights never seem to work.

But there are users who feel that the SmartScreen Filter is too proactive. Some feel that the protecting red screen comes up at inappropriate times and simply interferes with their browsing. It is possible to disable the filter but doing so exposes the user to a variety of attacks. Malware may also make use of the filter to do unsavory things.

If you have been lucky enough never to have seen this feature, here is what it looks like.

red screen

The code that creates the screen will specify which threats may lie in wait in the page ahead.

In December, 2016,  a researcher found that criminals were manipulating this feature in a number of browsers for financial benefit. The screens were made to give phone numbers that a user should call to fix a problem. Some of these screens are not red but are designed to look like they came from Microsoft Support. Many of them come with phone numbers.

fake microsoft support

The attackers hope to scare you into purchasing some ‘necessary’ product that will fix your system. The typical warning will be similar to this: “The removal of (3) Viruses is required immediately to prevent further system damage, loss of Apps, Photos or other files. Traces of (1) Phishing/Spyware were found on your computer. Personal and banking information are at risk.” If you call the number they give you, they may ask you to give them remote control over your device so they can “fix it”. They will then do some hocus pocus (like installing Firefox) and expect you to pay for this. Most people say they paid about $150. Consider this as the price of ignorance, which you can no longer claim after reading this post.

These so-called tech support scams have been going on for years. Recently, though, they have been getting better and more believable. They’ve also become more dangerous. If you give anyone remote access to your computer/device, you are asking for trouble because nothing can stop them from installing a remote access trojan right before your very eyes. They may make it look like it is some security tool so as not to make you suspicious, but once it’s installed, they can steal any information they want, including your credit card numbers and bank logins.

A new variation on the scam is to apparently freeze your browser on the fake support page. It appears as if you cannot browse to another site and, sometimes, not even open your task manager. In fact, your browser is not frozen. The attackers simply add some code to a page that maxes out your computer’s resources. It is referred to as the history.pushState() method. Here is the code that accomplishes this.

history push

You may not even be able to shut down your computer with a Ctl+Alt+Del command. In this case, do a hard reboot (push the “off/on” button for 5 seconds). Just don’t call the support number. It should be noted that some of these scams come bundled in software, so when you unpack the software make sure not to accept the default installation.

Although the Chrome browser has been scammed for some time, it is Microsoft’s Edge browser that now holds better scamming possibilities. I made the following scam page as an example. This is just a screenshot. The original used the Smartscreen html code and, on it, the link to “Google” would work.

facebook unsafe

So I could make a legitimate and frequently visited site appear, for some undisclosed reason, to be unsafe. I gave a fake message which I could tailor for my needs. Normally, these pages tell you to go to your homepage. Maybe the link goes there and maybe it doesn’t. I made it look like you could go to google.com. Actually, on the created page, I made it go to Microsoft’s homepage to show that you can’t believe every link you see. But I could have made it go to a page that contains malicious code. (Here is the technical information on how the researcher bypassed a patch to Edge.)

Malware has been known to disable the SmartScreen filter. In most cases, it is better to have SmartScreen warnings turned on. To make sure it’s enabled on your Edge browser, go to Windows Settings, Update & security, Windows Defender, App & browser control. There, you will see this.

smartscreen warn

You will also see other SmartScreen options that protect you from downloading infected apps.

As a last resort, you may want to do what one frustrated victim did, when he kept getting bothered by these fake red screen scams. He actually did call them.

“I called 100 times on 20 simultaneous channels. They answered, talked to my bots. Then they started to put my bots on hold. Then they started swearing, shouting to each other, about what is going on, I could hear in the background. Then I made 500 calls on 20 simultaneous channels to the number. After 300 phone (calls), they disconnected the number,” he said.

Recently, some of these scams have become so good that I really had difficulty determining if the message was actually from Microsoft or not. A list of some of these screen manipulation scams can be found here, but keep in mind that they are changing all the time and they continue to fool the unsuspecting. Do not call technical support numbers, download files or patches that are supposed to help you, or follow instructions to turn off SmartScreen protection. Microsoft will never give you a number to call and always check a link address by hovering the cursor over it. If it does not have a microsoft.com address, it is leading you to a scam support page. All browsers are susceptible to these scams, and Microsoft reports that the number of scam victims is on the increase. Most victims lost between $200 and $500, but others have lost thousands. A new trick involves combining a tech scam with an overpayment scam as in the following example.

tech scam

So scammers are upping their game daily. If you haven’t been targeted yet, you eventually will be, and you may not realize it’s a scam.

Posted in Uncategorized | Tagged , , | Leave a comment

One-Third of Companies Would Rather Pay Ransom Than Invest in Cybersecurity…Really?

Welcome Hackers! This might as well be the slogan for the third of companies who think it would be more cost effective to pay hackers ransom than to invest in a comprehensive cybersecurity defense. Such a conclusion is based purely on monetary considerations. The thinking is that investing in expensive cybersecurity may be nothing more than throwing money away. If no one ever tries to hack your company, you won’t need to pay for cybersecurity, right? After all, why pay for nothing? Why pay for cybersecurity architecture and all the qualified people you need to manage it? Wouldn’t it be less expensive just to pay the hackers some ransom or just pay for the cleanup after a hack? Although it may seem like a naïve approach to many in the cybersecurity industry, it’s a fair question and one that needs to be looked at seriously.

So, let’s delineate some of the monetary underpinnings for this viewpoint. According to a Deloitte survey of 747 firms, the average percent of revenue channeled into IT departments amounts to around 3.28%. Of this, generally less than 20% will be specifically designated for cybersecurity. The graph below shows that some economic sectors are more concerned about IT than others.

IT budgets

Gartner defines a small business as one with a revenue of less than $50 million a year. This means the average small to medium company would spend about $2 million on IT. Assuming about 20% of this is spent on cybersecurity, we end up with a cybersecurity expenditure of roughly $400,000. Of course, large companies in certain sectors will be paying much more, but, for the sake of this investigation, I’ll use the $400,000 figure as representative of a small to medium-sized business. These are businesses that have to keep a tighter rein on their expenditures so they would necessarily be most concerned about any losses due to hacking.

Last year, Kaspersky reported that the average loss to a small to medium-sized business from hacking was $117,000. Thus, on the surface, solely from a financial point of view, it would seem that taking the gamble on not being hacked could be justified. But Kaspersky notes that there are extenuating circumstances. Here are the costs that firms incur when trying to recover from the effects of a breach.

kaspersky hack recovery

Keep in mind that these are the costs that follow a breach. That’s where the $117,000 figure came from. It does not take into account any money that the hackers may have either stolen or asked for as in a ransomware attack. It does not take into account how much hackers can make from selling a database of personal information. Attacks that result in a lost database of personal information can be the most expensive to recover from. A Ponemon study estimated the average cost of a data breach to be around $690,000.

Now, back to the report from NTT which interviewed “1,800 global business decision makers” to find out their views on cybersecurity. The main takeaway I got from this report is that these “business decision makers” seemed naïve when it came to cybersecurity. A majority (47%) believed that they had never been affected by a breach. Maybe that was true or maybe they are just one of those companies who have been breached but don’t yet realize it. (Statistics for US firms show “63% report an incident in the past year and nearly half (47%) have experienced two or more”.) However, what was even worse was that one-third of the respondents felt that they would never be breached.

ntt breach chances

This fact probably explains what NTT claimed was “one of the most shocking statistics in this report”. That is, that one-third of respondents said they would rather pay a ransom than invest in cybersecurity. An additional 16% were unsure of whether they would pay a ransom or not. Taken together, this means that half of all companies would at least consider paying a ransom. This attitude must have been welcomed news to those criminals using ransomware to make money. It also reveals the respondents’ naiveté. Their underlying belief seems to be that paying a ransom will restore everything to normal. In fact, there is no guarantee that the criminals will either honor the ransom payment and decrypt the data or, given the incentive of the first payment, not attack them again.

Another fact that seems to emerge from the report is the uncertainty that exists over who would be ultimately responsible if a breach occurred. One-fifth believed that such a breach would be the responsibility of the CEO, even though it seems that few CEOs really knew what was going on in their IT departments. Statistics indicate that very little communication was going on between high level management and the IT department. This could be because management did not feel qualified to speak cogently on IT matters. Then again, it may be that such conversations only occurred when the IT department approached management for budget allocations or informed them about serious breaches. A Ponemon study seems to support a general lack of communication going on in most businesses, as can be seen in the graph below.

ponemon relationships

Malwarebytes found that, of companies experiencing a ransomware attack, 20% were forced to shut down immediately. Most companies were down for 1- 8 working days (assuming a 12 hour working day). 80% of ransom demands were for under $10,000. 21% of those receiving ransom demands paid the amount requested. Of those not paying the ransom, 32% lost files. It is impossible to assess the cost per day of a company not being operational. That would vary with the type and size of the company. In this respect, however, the ransom itself would probably be a minor expense. Medical, financial, and online retailing firms would probably be more likely to pay the ransom in the hope of resuming normal operations. So the average cost for a ransomware attack would be about $127,000. However, many companies experienced more than one ransomware attack in a year.

But hacking is not just for receiving a ransom. Hackers steal for financial gains or to acquire important information. Hacks stealing information tend to be more difficult to recover from. When customer information is stolen it is often sold on the deep web. How would customers ever trust a company that exposed their personal information? Stolen company secrets put the existence of the enterprise at risk. In both such hacks, the company reputation suffers. As most companies realize, reputation is closely linked to profits. The quarter after the Target hack, profits fell by 50%, a loss which smaller companies may not be able to absorb.

There is a widely quoted statistic that 60% of small businesses will fail in six months following a cyber attack. The statistic is claimed to originate from the National Cyber Security Alliance. I made a rigorous attempt to verify this claim, but could not. I did, however, eventually find a press release from the NCSA in May of 2017 saying that “this statistic was not generated from NCSA research” and that “members of the media, policy makers, small businesses and others are encouraged to rely upon more current and clearly sourced data.” That said, most businesses will experience serious financial stress following any cyber attack. A Cisco report found that 38% of organizations experienced a substantial financial loss, 42% saw a substantial loss of opportunities, and 39% saw a substantial loss of customers. Each small business needs to take these statistics into consideration and determine for themselves if they could survive such an impact to their particular business.

This is all not to say that small and medium-sized businesses have absolutely no security at all. They may have some simple antivirus software or may use a VPN. They don’t, however, have a coordinated cybersecurity strategy backed by an IT department that would be needed in the case of a strong attack. They certainly do not have state-of the-art technology to protect themselves from the most commonly used attack vector; the exploitation of unprotected endpoints. As such, they are continuously vulnerable to irresponsible online behavior of any employee that has access to their network.

And that brings us back to the main question: Is it better to wait to be hacked before paying for cybersecurity? It’s a gamble; a gamble that is the statistical equivalent of a coin toss. In other words, would you risk your business on the toss of a coin? In the end, you simply have to ask yourself one question: Are you feeling lucky?

Posted in Uncategorized | Tagged , , , | Leave a comment