Snapchat: The Best App for Those Having an Affair or Hiding Bad Behavior… Or Is It?

I have never seen an app so overrated as Snapchat. I have no idea why it is valued at $24 billion. My only guess is that there is either too much extra money floating around or that speculation has become dangerously optimistic.

The key selling point to Snapchat is its disappearing messages and photos. It’s meant to keep your communications secret. But Snapchat is to secrecy as Twitter is to informative discussion. In principle, both are possible. In practice, both fail at their goals.

Because it supposedly leaves no evidence, Snapchat is the first choice for those engaged in bad behavior, like having an affair. Why Snapchat and not Facebook? Let’s look at a few statistics. 41% of people caught having affairs say that they were caught because of what they posted on Facebook, and 66% of divorce lawyers claimed they used evidence from Facebook to advance their cases. The fear of getting caught is the main reason people give for not having affairs. 75% of men and 60% of women said that they would have an affair if they knew they wouldn’t get caught. You might wonder why these people simply don’t ratchet up their Facebook privacy settings. Well, maybe they don’t know how to. You can’t rule out ignorance when it comes to cyber security. However, even if they do lock down their Facebook page to just friends, it doesn’t stop the dedicated investigator from using a fake profile to get befriended by the targeted individual. So wouldn’t it be better just to use an app that includes the service of automatically making messages disappear? It is no wonder, then, that those involved in bad behavior, especially behavior that they expect to engage in over an extended period of time, choose Snapchat to stay safe from prying eyes. In fact, a site known as “The Affair Handbook (Learn how to cheat without getting caught!)” points out some “clever ways” you can use Snapchat with “your affair partner”. It’s at the point where simply seeing Snapchat on your partner’s smartphone should make you suspicious. Parents should also be concerned about their children in the same way.

This being the case, users of the app need to be assured that it does what it says it will do; keep their communications secret. There must be no way for disappearing messages to suddenly reappear. Well, in most cases and for most people, Snapchat will do the job. However, for those dedicated to saving chats and photos, there are ways to circumvent the disappearing message conundrum. For example, the person who receives your secret chat could take a screenshot of your photo or message. This is handy if, for example, you receive a photo of something you’d like to save, like a recipe or bus schedule. However, if the receiver does choose to take a screenshot of what was sent them, the sender will be notified that this action has taken place. It’s too late to take the photo back, but the sender would probably be wary of sending any compromising photos in the future.

But there are other, more devious, ways to save chats and messages that do not inform the sender of what is really happening. At the most basic level, the person could just take a regular photo of the phone screen. It’s a bit primitive and probably not so easy to do, but it is effective. A phone, tablet, or camera could be used to take a continuous video of the Snapchat screen during a session and then this video could be saved thereafter.

There are apps and workarounds that do much of the same thing but within the phone itself. Many of these apps have been sued by Snapchat and taken off Google Play and Apple app stores. Still they continue to pop up. Often, they are the same apps but with different names. Some apps are not specifically designed to capture Snapchat sessions but can be programmed to do just that. There are various screen capture apps that are said to work in capturing Snapchat sessions. However, even though some of these apps continue to be offered on Google Play, they have had to change their modus operandi. In the past, Apowersoft Android Recorder, could be used to save Snapchat sessions. However, the app now notifies Snapchat message senders that it is being used. It is not clear if another screen recorder, AZ Screen Recorder, is still working with Snapchat, but it used to. The point here is that there will always be apps popping up that will compromise Snapchat’s secrecy, at least until they are blocked.

There are also some workarounds which take advantage of the Snapchat app itself. Some, such as the airplane mode hack, still seem to be working. This basically turns off connectivity to the Snapchat session which leaves the photo/message/video screen locked and available to saving. If the app and phone are subsequently turned off and, then, connectivity is restored, the sender will not be notified that their information has been saved. You can see a video on this workaround here.

But you may not even need a workaround. According to some comments on Google Play, sometimes the messages won’t automatically delete.

“They do not delete any texts or pics or videos you send in the chats. Even with the clear conversation nothing gets deleted. My cousin hasn’t saved any texts either. Nothing deletes.”

And at other times the screen freezes on its own, even without using the airplane mode.

“I hate this app the video chat sucks make it a good quality chat I can’t look at the screen for more than 5 seconds without it freezing 6 seconds if I’m lucky but PLZ fix it.”

snap homer

Snapchat is not without its rivals, some of which are more reliable in keeping your conversations secret. A number of them even offer more features. In other words, Snapchat, as a messaging app, may be now having its temporary moment in the sun. Even its arch rival, Instagram, has reasserted itself. In fact, one assessment shows that Instagram has gained the advantage.

snap instagram

Instagram now offers a delete-after-24-hours feature and, recently, WhatsApp has offered the same. Apparently, that’s been a big hit. “Facebook Live and Instagram Stories have been a runaway hit and the Instagram feature, in particular, has stolen a large chunk of Snapchat’s user base. A similar feature on WhatsApp — which, with a user base of over a billion, dwarves both Instagram and Snapchat in number of daily users — will probably spell doom for the company that came up with the idea in the first place.”   According to one report, “there’s been an average decline in Snapchat Stories views of 20 to 30 percent from August until mid-January”. It now looks like Snapchat is using the IPO to shore up the company until some better idea comes along.

views per snap

It may be that Snapchat can solve its problems or come up with something more innovative. The teenagers I’ve talked to, who use Snapchat as a regular messenger and not simply to hide their behavior, say that the interface is easier to use than the other social apps. They like the disappearing message/photo feature because they don’t have to worry about cleaning up storage space later on. They were not aware of the new disappearing message feature in WhatsApp and Instagram, however.

Snapchat does include a cash transfer feature called, Snapcash, which the company may be banking on. Some have expressed alarm at this cash transfer app being included in a messaging app that is most popular with children and teens. Others claim that the app’s lack of good security practices leaves it vulnerable to hacking, similar to the hack that occurred in 2014.

At the beginning of this post I said that, “I have never seen an app so overrated as Snapchat”, and I’ll stand by that conclusion no matter how much of a darling the stock may be at the beginning of its IPO offering.

Posted in Uncategorized | Tagged , , , | Leave a comment

Ukraine Braces for an All-Out Cyber Attack on its Infrastructure

Nir Giller, co-founder and CTO of cybersecurity firm, CyberX, suspects that Russia is behind new malware that has been found lying in wait in key infrastructure, banks, media, and scientific research sites throughout Ukraine. However, a member of CyberX contacted me and indicated that they have no direct evidence that this is true.

 The main purpose of this new malware, dubbed, BugDrop, is reconnaissance. It is designed to turn on the microphones of specifically targeted devices so as to let the operators listen in on sensitive conversations. The conversations are saved as sound files and then surreptitiously uploaded to Dropbox. Although eavesdropping seems to be its main purpose, the malware is also capable of scanning computers/devices for documents,  passwords, and grabbing screenshots. Since there is no way for the malware to determine which conversations are valuable and which are not, it appears to require a large network of humans who can analyze the immense amount of uploaded data coming in from numerous sources. This requirement for human support, with the expense that this would incur, plus the sophistication of the malware indicate that it must have been developed and deployed by a nation-state.

 The real sophistication in this malware is in the methods it uses to remain undetected. Here are some of the ways CyberX discovered  BugDrop uses to remains hidden.

 bugout

In addition, the malware encrypted the file in which all of the stolen data was stored, so, if found, it could not be identified.

 Keep in mind that much malware only needs to infect one device, such as a smartphone, to spread throughout a network. To no surprise, the initial infection begins with a well-designed phishing email which includes an appropriately named Microsoft Office document as an attachment. However, when the victim tries to open the document, they receive what appears to be a legitimate message which looks like this.

 bugdrop-office

The message is in Russian, but translates as, “The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of the document”. If the victim subsequently enables macros, as suggested, the malware is released.

 It may not seem as if this malware is very threatening. After all, the malware developers only seem to have a network of reconnaissance devices. No harm seems to have been done. However, it is well-known that reconnaissance is the first stage of a more serious attack, such as the attack that took down part of the Ukrainian power grid in December, 2015. In other words, the attackers have a far more sinister goal in mind and, given the extent of the surveillance, whatever the attack will be, it is sure to be highly organized, precisely targeted, and extensive. It is probably being planned as you read this. With that, let me introduce BlackEnergy and Telebots.

 It is quite clear that if an all out cyber attack occurs, it will probably be based on the malware that brought down part of the Ukrainian power grid in 2015, BlackEnergy 3. BlackEnergy has been around for a while, but its newer models come with Stuxnet-like capabilities as they can target any computer-dependent industrial controls that, for example, are necessary for the proper operation of most machinery. Although the latest malware found in the infrastructure has been named Telebots, ESET, the cybersecurity firm that discovered it, believes it to be just another upgrade of BlackEnergy.

 Similar to the attack vector outlined above, the Telebots group uses spearphishing email with a fake Microsoft Excel document as the malware-releasing attachment. The malware can compromise other computers not connected to the internet by employing a tunneling tool. They can also, when they are finished with their attack, employ KillDisk, which is basically a hard drive erasing tool. It can be set to begin its destruction at a particular date or to target particular files. Look at it this way. If you wanted to disrupt a network, you would first steal all the important data that you could, then, you could make the computers operating that network, or machinery connected to it, unusable.

 To begin the attack, the reconnaissance performed with BugDrop would be analyzed to discover the weak points in the target country’s infrastructure. The subsequent attack would simultaneously bring down those weak points in a specified manner, the purpose of which would be to spread chaos. Needless to say, since many institutions and businesses are interconnected and, thus, dependent on one another, the attackers would not have to infect all aspects of the country’s infrastructure with malware to bring the entire nation to the point of complete collapse, but the developers probably already know this.

 The assault on the Ukrainian power grid in 2015 can be considered as a test; a proof of concept. The fact that that test succeeded led to phase two; a comprehensive reconnaissance program. The final assault, phase three, will likely use an even more sophisticated malware which can be installed by initiating an upgrade of pre-existing malware already residing in the infrastructure. It is important to note that the Telebots malware contains an automatic malware updater. In my opinion, the chaos resulting from a full scale cyber attack would most likely be coordinated with, phase 4, the final, physical, military assault. Under these conditions, the ensuing battle would be overwhelmingly one-sided.

 But Ukraine will not give up without a fight. They have some of the best hackers of all shades, and some of them have probably used BlackEnergy as a template to develop infrastructure-destroying malware of their own. In other words, a serious infrastructure attack on Ukraine will probably trigger a counterattack against Russia. Did the Russian trial cyber attack in 2015 trigger a counterattack? It’s possible. According to one source, Russia suffered a 50% increase in cyber attacks on power companies in 2016, with 350 total attempts. The US government is also getting nervous. They are also preparing for an infrastructure attack, and, in anticipation of it, they have invested $4 million in the Chess Master Project aimed at protecting critical infrastructure. Tests of Ukraine’s response capabilities may continue to ramp up to the point at which Russia may feel enough confidence to launch a more serious attack. If an attack occurs, other nations may be wittingly or unwittingly drawn into it. This is why the situation must be closely monitored. I will update this post if more information becomes available.

Posted in Uncategorized | Tagged , , | Leave a comment

Are You Sure Your Employee Accidentally Clicked on that Phishing Link? Insider Trading on the Deep Web

The problem of inside information being sold on the deep web is not a new one, but it’s certainly one that major corporations need to begin to take more seriously. This is chiefly because more deep web sites are popping up which are making insider trading a cooperative venture. For the promise of anonymity and security, these sites allow select members to share and profit from the information that they give to each other.

The two main insider information trading sites on the deep web are The Stock Insiders and KickAss Marketplace. Both try to limit their members to an exclusive group. Both use extensive screening, but KickAss also charges a monthly fee, and a steep one at that. First, here’s how The Stock Insiders operates.

stock-insider

The Stock Insiders’ goal is “to create a long-term and well-selected community of gentlemen who confidently exchange insider information about publicly traded companies”. The administrator of the site claims to be “a former successful (originally European) IT entrepreneur living in the U.S.” who is “also an active trader and has inside access to the several publicly traded companies.” He is clearly not a native English speaker, so his foreign origins seem to check out. He guarantees security which is achieved by enabling “access to the forum only to a small number of the well-proven members.”

Kickass Markets goes a step further.

kickass-logoFor those who simply want to go from newbie to pro, you’ll first have to pay $250 a month in Bitcoins. That will eliminate many potential members right off. You also are told to do the following.

kick-ass-market

And, if you’re lucky enough to pass this test, you get to pay $1,000 a month.

What do you get? According to the administrator, members get insider information that is carefully analyzed by a team of experts. Members are not allowed to post information directly. The site does employ hackers (“They obtain information relating to a potential movement in the market”), so they apparently leak whatever the hackers may have ‘uncovered’ in their ‘investigations’. Members are given advice on when to invest to take most advantage of the leaked information. “Customer service is key, and we wish to deliver quality information.” What members make in profit is dependent on how they use the site’s advice and the amount they risk investing in it. According to information given in an interview last year, the site had members from 15 investment firms. If true, that’s a surprising and troubling fact. It begs the question: Do you still think stock investment has a level playing field?

According to information from a report on insider trading by cybersecurity firms RedOwl and InSights, insider trading on the deep web doubled last year.

insider-graph

To be sure, these sites are worrying, but far more dangerous is the fact that The Stock Insiders administration or rogue members of the group are selling information directly to interested investors, bypassing the site’s vetting filter. Here is an example.

“I am a member of an Insider Stock Market group: If you’re not insider yourself, but would like to profit off inside information – this is your chance. All inside stock trading groups require you to post continually or suspend your membership. We have a trade about every 5-8 days, and I am allowing you to be a part of it. I understand I need to build trust, and this will take time. I will message you details of when the trade will occur and be complete, and you will have your money back in a week or less. My occupation is trading options for a large hedge fund. I have clients who occasionally provide me tips on major announcements or earnings coming up. I exchange this type of information within the Stock Insider forum. I use my knowledge of options trading, and the insider forum to make trades. I am looking to grow my own personal wealth by trading with others money. I have a separated broker account setup, and I’m working to grow this through trades on inside information. My service; I am offering interested clients 15% return on each trade I make, which averages to 1/trade every 8-10 days. Upon purchase, I will provide the date of the trade, and when your funds + 15% will be returned. The trades made from my insider broker account yield high returns (sometimes over 200%). I keep any profit above the 15% paid to the customers. I am willing to negotiate the return rate for higher deposits. Please message me for details. I hope we can do business together. I look forward to add to my ever growing list of clients.”

This appears to be someone trying to profit from inside information. He, being a member of a trading firm, would not be able take the risk of investing himself. However, he could secretly sell his information to others. On the surface, it would look like any other trader-client relationship. The client’s  risk would be minimal and the trader secretly gets his 15% cut of any profits. Anyone investigating the transaction, even if it was connected to this insider employee, would be unable to prove that anything was out of order. It would only look like this was a regular client who happened to get lucky.

Here is a bit of a different and somewhat more dangerous approach.

“Normally: $99 SPECIAL SALE PRICE: $15 This tip is a [HIGH QUALITY] leak with [94%] Confidence and [MEDIUM-HIGH] profit potential. These tips have been harvested from compromised executive email accounts at major companies as well as from keylogged bank and law firm employees. The tips have also been stolen from hacking communities and hedge funds.”

 Is it possible that the emails of major corporate CEOs have been hacked and insider information harvested from them? Unfortunately, it is highly likely. In a post I wrote on CEO email scams, I explained how such scams operate and why they have successfully bagged over $3 billion for the hackers. Most CEO scams trick company employees into wiring money into an account that the employee believes to be valid. In the scenario above, it appears that the hackers may have found another way to get money, selling the insider information that they accidentally stumbled across during their CEO hacking.

But there is more frightening information here. It appears these hackers have had keyloggers installed on employee devices to gather information from bank and law firm networks. This is something that would take a certain amount of hacking skill to do. More than likely, they would have had to penetrate the banks’ cyber defenses by tricking an employee into downloading a file in a phishing email or clicking on a link that would eventually lead the victim to installing malware on their device. It’s a hit and miss strategy that succeeds in direct proportion to the ignorance of the employees and the quality of a firm’s cybersecurity defenses. Well-educated, vigilant employees within relatively secure networks make this strategy highly inefficient.

This is where the scariness reaches another level. The RedOwl report shows that hacking groups, or even Stock Insiders members, have actively recruited bank and corporate employees. In one instance, they wanted bank employees to give them access to computers that make money transfers. The hackers promised to pay them “7 figures on a weekly basis” for every week that they continue to have access to these computers. Here is a conversation between one hacker and a bank employee uncovered by RedOwl.

bank-insider

Some hackers will pay employees to install malware on a bank or corporate network, but this requires the employee to have some hacking skills and there is a real risk that the attempt will be detected.

Far better, in my opinion, would be for a hacker to arrange for an employee to ‘accidentally’ open an attachment or click on a bad link in a phishing email that the hacker sends them. This would enable the hacker to have remote-access malware installed on a key device through which they would infiltrate the network, getting what it is they are looking for. They would not have to worry about relying on or training a technologically-challenged employee. They would not have to teach them hacking techniques and the employee would not have to endanger themselves by making an inept move.

Even if caught in such an arranged scam, the employee could simply claim ignorance. If the planned phishing email was well designed, such a plea of ignorance might seem valid. The employee would simply suffer some reprimand. At worse, the employee would be fired. However, if the money they made in the fraud scam was anything like the numbers mentioned above, they may not even worry about losing their jobs. In fact, a good hacker with good malware would be able to erase all evidence relating to the intrusion so the employee’s complicity could not be proved.

The weak point here is the hacker’s payment of the insider. That’s where the deep web comes in. Deep web deals are held in escrow by the administrator until both sides are satisfied. In other words, if the hacker agrees that the employee has done the job, the administrator will release payment to the insider. My guess would be that this payment would have to be close to a yearly salary as an employee would, even if not proven to be involved in the hack, be at risk of losing their job due to incompetence. There are other cases of insiders being blackmailed into working with the hackers.

So do you have insiders working for hackers in your company or bank? Have you been suspicious of an employee who compromised your firm by ‘accidentally’ installing malware? Look for the usual danger signs. Was the employee already disgruntled? Did they suddenly find themselves in financial straits? Are they buying expensive things, like cars, that they shouldn’t really be able to afford? The problem with this type of attack is that education will not help. A company can do all the cybersecurity awareness training that it wants, but it can never be absolutely sure that a particular employee simply forgot the training and made a stupid decision. Sadly, such insider training is nearly foolproof and, because of this, may embolden employees to work with deep web sites and hackers. Participation in deep web markets by legitimate trading firms has the potential to become an expected, if secret, part of any trading firm’s tactics. It may even be that any firm that does not use the deep web for an investment edge will be considered behind the times.

_____________________________________________________________

The WorkPlay Solution: Ultra-secure, hardware separation, which puts two or more, non-communicating operating systems on any endpoint device (smartphone, tablet, laptop) will prevent insider coercion from accessing sensitive company data. The end user can even install malware on their device, but, it will not be able to cross the hardware barrier and access the corporate network.

Posted in Uncategorized | Leave a comment

The State of the Deep Web 2017: Part 2: The State of the Deep Web Markets

 Before the story on AlphaBay broke (see my last post), I had concluded that the deep web markets had improved since my last report on them in early 2016. At that time, I found that the deep web was operating, but not as well as it had been in the past. Yes, there were sites that were up, but there was a lot of paranoia about them being infiltrated by law enforcement. There was also the fear that these relatively new markets might pull an ‘exit scam’: suddenly closing and taking everyone’s money with them. This is what happened when the Evolution Marketplace suddenly disappeared overnight. Paranoia will always be a by-product of the deep web, but it seemed to have subsided a little over the course of 2016. It is now, after the AlphaBay hack, back in full.

 Before I continue this discussion on deep web markets, let me restate my working definition of the deep and dark web. In my opinion, any site that is accessible through normal browsers, including those that require passwords to enter, are really in the normal web. Those sites that can only be accessed by special, secure browsers, like Tor, I refer to as deep web sites. Within this deep web region, there are dark web sites. These are sites that are dedicated to illegal activities which victimize people. These include child pornography sites, human trafficking sites, hackers-for-hire sites, and any site that will accept money for harming individuals. I do not include in the dark web those victimless, though technically illegal, sites such as drug-selling or weapon-selling sites. Anyway, that’s the definition that I will be working within here.

 In this post, I want to focus mainly on what you can purchase on deep web sites. As has always been the case, drugs are the main item purchased in deep web markets. Markets still depend largely on trust scores given by buyers and there are a variety of methods used to make deals secure and keep customers satisfied. For those who want to know the details on purchasing and delivery, see my previous posts.

 Vendors selling guaranteed-working credit card information are in abundance. A working card will cost you around $10 (in Bitcoins) but with a discount offered for those buying more cards. If you want a physical credit card, you can get that if you pay for shipping. If, for some reason, the card information you purchase doesn’t work, it will be replaced for free. No vendor wants to get their trust rating lowered. Keep in mind that two-thirds of cards are in the form of information that can be used for purchasing items on legitimate websites, such as Amazon. Only a third of cards bought on deep web markets are physical cards.

 You can buy any type of fake document including passports from almost any country, drivers licenses (every US state and many countries), and even fake degrees from Ivy League schools. Counterfeit money sites are also popular, with some clearly offering a better product than others. Some sites will sell you loads of personal information like the, somewhat disturbing, site below.

 social-sec-numbers

 Guns don’t seem as popular as they once were, even though there are vendors that specialize in selling them. This may be because guns are relatively easy to purchase in the US and the risk of having a gun sent to you overseas may simply be too great. That said, some, like the one below, are still available.

 glock

 Some fraudsters target certain retailers and, among these, Amazon continues to be their main target. Here is one of the more comprehensive attacks.

amazon-hack 

And here’s a similar assault on McDonald’s.

 mcdonald-hack

I don’t know how valid these are. I’m only using them as examples of what is being sold in these markets. The trust scores seem to indicate that most customers are satisfied. 

There continues to be a lot of malware for sale on these deep web sites. Some are more scary then others. This site seems suspiciously like information offered by The Shadow Brokers, the allegedly Russian hacking group that hacked the NSA. However, on closer inspection, the tools that it makes available are really re-packaged, free tools that can be downloaded on the regular internet, so be careful what you’re paying for. The low trust scores show that most hackers realized this.

 fbi-hack

 There are far more troubling sites than this on the deep web. Among these, are two sites that are selling insider trading information: The Stock Insiders and KickAss Marketplace. From time to time, individuals selling insider information appear on deep web market sites in an effort to profit from secrets that they know. The difference here is that these two sites are trying to form an exclusive community of insiders who work together to benefit from each other’s inside trading tips. It is organized crime at the corporate level as all informants/members must be connected to publicly traded companies. Both of these sites are concerned with being infiltrated and, thus, have a careful vetting process. To be allowed on The Stock Insiders, you must give up some information that checks out and you must continue doing so to keep your membership. The KickAss Marketplace has an even more extensive (and somewhat bizarre) vetting process that also involves participants paying a steep monthly fee.

The scary part is that both sites claim to have legitimate trading firms and employees of publicly traded companies as members. The potential danger of these markets cannot be underrated and I will write a more extensive post on them in the near future.

 For now, this is about as dark as the deep web gets. Of course, the dark web is far more evil, and the two do share some tenuous connections. Selling drugs, credit cards, and weapons can lead to or involve more serious criminal activity, and it is seems that some vendors serve as circuitous portals to more sinister dark web sites. That said, and despite all the risks inherent in purchasing in these markets, deep web markets will continue to thrive. Individual markets will come and go, Law enforcement will occasionally make high profile closures of certain markets to discourage their use. They may even infiltrate these markets to use them for gathering information on the buyers and sellers. Even if they don’t, they would like the participants to believe that this is possible. For these reasons,  paranoia will continue to exist. However, paranoia has never been enough to close these markets in the past and it won’t in the future. Like it or not, it has come to the point where deep web markets have become an established business model.

 

 

Posted in Uncategorized | Leave a comment

The State of the Deep Web 2017: Part 1: The AlphaBay Incident and Its Implications

As I began writing this post about the deep web, news broke that the number one deep web marketplace, AlphaBay, had been compromised by a hacker known only as Cipher0007. This sent a wave of panic through an underground community that is already fueled by hyper-paranoia.

It seems that the hacker found two bugs on the site that allowed him access to over 218,000 unencrypted messages between buyers and sellers. Such messages on AlphaBay were supposed to be encrypted by default. Oops. It now seems that it was possible for anyone knowing this vulnerability to see who was buying what from whom and where that merchandise was being sent. The following is a screenshot given by the hacker to prove the validity of his hacking claim.

alphabay

User login information was also compromised. You cannot ask for a greater disaster for a site that depends entirely on anonymity. And if you wander around the deep web, you know who its users fear the most. That’s right, the federal government. There is concern, and very valid concern, that federal law enforcement agencies (known in deep web jargon as ‘LE’, law enforcement) may have known about this vulnerability all along and were secretly using it to accumulate data on AlphaBay users. This is not paranoia. It’s a justified fear.

Unsurprisingly, AlphaBay tried to downplay the vulnerability. They claimed that this exploit was done by a single hacker who they had subsequently paid for finding the bugs. The amount they paid was undisclosed. They also stated that only users who had done business on the site during the last 30 days were affected. My observation on this is…really? That’s only true if this vulnerability was only known to Cipher0007. Let me cite a few occurrences that may show that others may have also found this vulnerability.

AlphaBay users should have been suspicious when, in September, a hacker compromised an AlphaBay account and remotely viewed a chat about Philadelphia ransomware. Was this hacker also aware of this bug?

Even earlier in the year, fraudsters tricked AlphaBay users with phishing scams that involved a fake AlphaBay login page. In May, another phishing scam saw hackers posing as AlphaBay administrators. This scam temporarily shut down the site. Below is one of the phishing messages used to trick users. Visiting the link in the message would require the victim to login with personal information that would be captured by the attacker and later used to wipe out the victim’s account. (Notice the grammatical errors which should have alerted users that something was wrong.)

“Hello

All account’s have been locked until verification is complete, This is to ensure the safety of all our Alphabay user’s!

Please copy & paste the link below into your browser:

phishinglink.onion/verification

*NOTE* Members who do not protect there account’s will not be able to access the market, once this is done you should be able to access your account within the next few hour’s!

We apologize for the inconveniences,

AlphaBay Team”

If these events don’t make users nervous, then the arrests  of some AlphaBay users last year should; especially since AlphaBay was cited as a key element in these arrests. Here are some of the most prominent AlphaBay-related arrests.

In December, 2016, Aaron James Glende, aka, IcyEagle, was sentenced to 4 years for selling stolen login credentials.

 Former Australian police officer, James Goris, was arrested for selling stolen police ID and fake police, airport, and port authority identification.

 Cary Lee Ogborn, of Houston, was arrested for trying to buy explosives.

 Chrissano Leslie, aka, Owlcity, was arrested for selling drugs.

 Abudullah Almashwali and Chaudhry Ahmad Farooq were arrested for selling drugs.

 It is possible that other, minor arrests were made, but no information on these is available. It appears that federal law enforcement agencies are only interested in larger vendors or in those individuals who may pose a security threat. The fact that the feds can target whomever they choose should make users take notice. If this and other deep web sites are infiltrated or even run by law enforcement, the agencies involved would certainly want to maintain a low profile and would not want to bother with small time criminals. It would blow their cover if they started to arrest large numbers of small time buyers of drugs, for example.

AlphaBay was originally established by Russian carders and may still be legitimate. In this case, it is possible that Cipher0007 really did find previously undiscovered bugs. AlphaBay administrators are not commenting on what vulnerabilities were discovered. However, if I were to guess, I would suspect that AlphaBay stored unencrypted information on users and user messages somewhere on the site before encryption was applied. It may have been in a file that automatically deletes itself after a certain period of time, such as 30 days. This is why most users writing on the topic insist that everyone use client-side encryption (PGP). They also wondered why sites like AlphaBay don’t require such encryption, but the answer to this is easy. Many users of these deep market sites are looking for something that’s easy to use. As one European user noted on Reddit, “It just seems like these American kids want Amazon for drugs and that just doesn’t exist.”

PGP (Pretty Good Privacy) is a good first step towards keeping your information secure, but it is not flawless. In short, it’s just as the name implies: pretty good. It does have vulnerabilities and some say it is past its pull date. Still, many deep web sites do require users to use PGP, and, consequently, do not have the number of clients that AlphaBay has. After the hack, AlphaBay put up the following warning/suggestion on users’ pages after they log in.

alpha-security

Though the implication is that PGP will give better security, they stopped short of requiring that you use it. It remains just a suggestion.

Short of the government actually taking down the site, nothing will really stop users from going to AlphaBay for what they need. It is, for the most part, a well-designed online market site which, despite the fact that it uses Bitcoins and sells unusual merchandise and services, will be recognizable to anyone who has shopped on Amazon. Denizens of deep web markets will not be leaving them soon. Here, hope and personal gratification inevitably triumph over paranoia. Too many people depend on these deep web markets for a variety of reasons. Let’s face it. Some may simply be drug addicts. The discussions in many forums, following the AlphaBay breach, revolved around which deep web markets are safest, with the conclusion being that none of them are or ever will be completely safe. True, but they will continue to thrive.

In my next post I will look more at what is available on the deep web and what innovative markets are sprouting up there. In this regard, there have been some interesting and even frightening developments over the past year.

 

 

Posted in Uncategorized | 1 Comment

Talking to the Dead in Virtual Graveyards: Digital Death and Virtual Resurrection

The dead have always tried to speak to us. Walk through almost any graveyard and you will see epitaphs written by those whose physical remains have long since blended with the soil while their words live on. Such words give the living a sense of the character of the person interred beneath the stone. Here are a couple of examples of what can be learned of the character of a person from what they had carved on their tombstones.

 tombstone1

tombstone2.jpg Those were the good old days of analog memories, but advances in technology indicate that those days may be about to come to an end.

 Have you ever wondered what would happen to your Facebook account when your mortality was finally verified?  Well, you have the choice of having your account deleted or memorialized. This can be set up through your Facebook security menu.

 facebook-memorial

  If you sign up for a memorial account, when you die, your account will still appear but with the word, ‘remembering’ placed in front of the profile name. Here is Whitney Houston’s memorial account.

 whitney

 Visitors to a memorial account can view the person’s history and photos as well as leave memorial messages.

 For years, digital cemeteries have been popping up online and, physically, in places around the globe. For those that require physical access, a member must put all the deceased person’s digital information (photos, videos, documents)  on a typical USB stick. The stick is, then, put it in a digital cemetery. Those who would like to view this information would have to go to the ‘cemetery’, retrieve the stick, and look at its contents in a private room.

 usb-tomb

This, of course, begs the question as to why the family of the deceased wouldn’t simply distribute copies of the information to friends and family without having the need for a digital repository/graveyard.

 The far more common form of digital cemetery can be found online. They offer a variety of services from designing the tombstone, choosing the location to place the tombstone (field, forest, seaside), to adding music. Most will allow you to write a personal remembrance and allow visitors to leave messages and sometimes digital flowers. Whether they will ever give the personal satisfaction of visiting an actual graveyard is difficult to assess. To me, the fact that they are digital, make them feel rather impersonal.

 But the landscape of digital death is now changing. The old digital age has been replaced by the new digital age; the age of virtual reality. Virtual reality can do things for the dead that have not been done before, like, for instance, resurrect them.

 Steve Koutsouliotas and Nick Stavrou were longtime friends who both lost their fathers. In their grief, they began to wonder if digitally reproducing their fathers would help them come to grips with their losses. Thus arose the concept of Project Elysium. Project Elysium exists to answer one question: If you had the choice to meet with and talk to some loved one who had passed away, would you do it?

 Both Koutsouliotas and Stavrou worry that the experience might prove too traumatic for some people. “We aren’t chasing realism; in fact we are aiming more towards hyper-realism,” says Stavrou. In other words, they want the participant to continually be aware of the fact that what they are experiencing is not real. “It wouldn’t overwhelm you so much that it takes the experience away, but it would visually keep reminding you where you are,” Stavrou emphasizes.

 It is necessary to keep in mind that both developers work in gaming, They understand the power of virtual reality and how it can fool the mind into believing the experience it is having is real. For this reason, they have employed grief counselors to help them build an emotionally satisfying experience. A person who wants to meet with a lost loved one must wait for a specified time before having this meeting. The grieving process must have been already rationalized to some degree. The participant will only have a limited time to visit with the person they lost. They may return to the visit, but only after a break. There will also be a debriefing program built in to help the participant assess the experience before returning to the actual world. As Stavrou notes, “This is a serious service and we don’t know what ramifications things can have. This is all a new frontier.”

 Currently, the service is being purposely underdeveloped to make it less ‘real’ than it could be. They use photos to build the avatar. Then, they work with the client to fine-tune the avatar to express certain idiosyncrasies. They fully understand that more realism is possible, but for now, they only want the client to have a one way conversation with the avatar. It is also possible to use audio recordings to allow the avatar to say a few phrases but it won’t really be anything close to a true, interactive conversation.

 That said, it is clear we are venturing into a new frontier here. As technology advances, programmers could gather together a compendium of information about a person from videos, chats, photos, recordings, and writings to construct a far more realistic avatar. Avatars will someday reach a point where they will become nearly indistinguishable from the real person they are modeled on, at least in a VR environment. If self-learning, neural net programs are thrown into the mix, fully conversant avatars may be the result. At the ultimate end, we may even have realistic looking robots which could do all of this. Actually, we are closing in on this with every passing day, but we still have a long way to go before any of these digital re-creations can pass the Turing test.

 The developers of Project Elysium have other uses for their project. If you wanted to create your own avatar before you die, you can work with them to design it. Wouldn’t you like to speak to your future grandchildren or great grandchildren? How about those people who you may not have time to say goodbye to? Yes, it’s the digital age’s equivalent of the epitaph, but much more so. In the future, VR technology is more likely to become available to the general public and, when this happens, expect virtual epitaphs and resurrections to become the norm.

 The developers also have the idea of allowing clients to speak to famous people from the past. Would you like to have a conversation with Beethoven, Teddy Roosevelt, or Marilyn Monroe? There seems to be a lot of potential here and we are only beginning to realize a small part of it.  

 

Posted in Uncategorized | Leave a comment