Governments and Law Enforcement Agencies Can Now Hack Every iOS or Android Device…Really

[Image: Cellebrite announcement]

In a report to potential customers (part of which is shown above), the mobile forensics firm Cellebrite claims that it can now unlock virtually any smartphone. Of course, it claims that it will only sell its unlocking technology to governments and law enforcement agencies, but the key underlying point here is that the unlocking ability exists in the first place. The rest is academic. At some point, others will figure this out, either by reverse-engineering Cellebrite’s technology or by figuring it out on their own. And guess what? Some of these ‘others’ will not be nice guys. They could be governments, but oppressive governments. They could be law enforcement, but corrupt law enforcement. Or they could simply be cyber criminals looking for a way to make money by hacking smartphones.

Among Cellebrite’s tens of thousands of customers is the U.S. government. Cellebrite has been under contract to the U.S. government since 2007. As can be seen in the following chart from insidegov.com, Cellebrite has received $40.7 million for 1,308 government contracts. It is currently under contract with the Department of Homeland Security (DHS).

[Image: Cellebrite U.S. government contracts]

On the surface, many may see this as a positive development; after all, don’t we want to find out all we can about criminals who endanger the U.S.? Sure, that’s a loaded question. But Cellebrite claims to have 60,000 contracts in 150 countries. There is little doubt that some of these countries have governments whose reputations may be less than sterling. Some may even have interests that are counter to those of the U.S. As the company notes, “by enabling access, sharing and analysis of digital data from mobile devices, social media, cloud, computer and other sources, Cellebrite products, solutions, services and training help customers build the strongest cases quickly, even in the most complex situations.” That’s fine if these cases are against dangerous operatives, but, in some countries, dangerous operatives may include anyone who opposes the government.

So how does Cellebrite control who gets access to its technology? If you want to extract information from a locked device, you must fill out a form on their website. Although I assume there must be restrictions on who can use their technology, I could find no information on this on their site. The form on their site gives no clues.

[Image: Cellebrite request form]

I could, for example, find no countries that were excluded from such requests, including North Korea, Iran, and China. The contract (EULA) for use of the software only notes that necessary laws must be followed and that those in the U.S. cannot export the software to countries under sanctions. However, there is no mention of which countries should not bother to contact Cellebrite directly. There is no mention of ethical considerations that should be kept in mind when using their technology. Besides a phone conversation with an interested buyer, I could find no information on how validation of a user’s credentials is conducted. I’m not alone in this observation on a lack of openly stated restrictions. A Motherboard investigation reached the same conclusions.

“Cellebrite’s End User License Agreement (EULA) makes no mention of respecting human rights. It also does not state that Cellebrite’s tools shouldn’t be used against certain populations, such as journalists. Cellebrite declined a request for comment, and did not answer an emailed set of questions about the company’s vetting of customers, nor the absence of any human rights clauses from the EULA.”

The same investigation found that Cellebrite did, in fact, work with repressive regimes in Turkey, Russia, and the United Arab Emirates. How did Motherboard learn all this? Apparently, they were given 900GB of data hacked from a Cellebrite server. But that’s another story.

If the potential customer passes whatever validation exists, they will be told to send in the phone they want unlocked or they will be given the option to buy the company’s software. According to a Forbes article, the cost for a one-time phone unlock is as low as $1500. Cellebrite was reportedly behind the unlocking of the infamous iPhone found in possession of the San Bernardino terrorists, but my guess is that the FBI paid a little more for them to unlock this phone.

What stops Apple or other smartphone manufacturers from reverse-engineering the technology and then circumventing it with a system update? Nothing really, except for a clause in the user license saying that you shouldn’t do that. In an odd way, such update patches would be welcomed by Cellebrite, because the two sides would then enter into a lucrative patch/subvert-patch death spiral. True, companies like Apple could pay Cellebrite bug bounties for any bugs it found in their operating systems and thereby avoid having their phones exposed and their reputations damaged, but this idea would not contribute much to Cellebrite’s own reputation and growth, as they would more or less get paid to keep quiet.

But we shouldn’t feel too sorry for Apple. Apple has long ago abandoned any pretense of being concerned about their clients’ privacy. The noble fight they engaged in over the unlocking of the San Bernardino terrorist phone has since been tarnished when they readily agreed to give up any information on any Chinese-based customer to the Chinese government. The final nail in the privacy coffin took place recently when Apple agreed to store all Chinese customer information on a government controlled server. After all, you can’t afford to lose access to so many customers, right?

[Image: China and Apple cartoon]

Not everyone worries about security. The truth is that most people have only minimal protection enabled on their smartphones and simply hope they won’t get hacked. It’s a different matter, however, for people who have smartphones that are allowed to connect to a company’s or organization’s network. These phones are sought out by high level hackers to gain access to sensitive data in the enterprises they are connected to. Such phones must be secure and should not be phones that can be unlocked because this would expose the entire enterprise to serious risk.

Before the latest Cellebrite report, the iPhone X and Samsung Galaxy S8 were considered to be among the most secure smartphones available. Now, if security is your main factor for buying a smartphone, the two best are considered to be the Blackphone 2 and the DTEK60 by BlackBerry (yes, BlackBerry is still around). Although at one time Cellebrite claimed to be able to unlock a BlackBerry, nothing in their recent reports indicates that they can still do so.

[Image: Blackphone]

But it may not be so much a security issue as an availability issue. There are just not enough of these secure phones being used by criminals for Cellebrite to worry about. In other words, the demand for unlocking them simply does not exist. Both makers are, in fact, on the verge of financial collapse. Cybersecurity experts at InZero Systems believe the Blackphone 2 can be compromised due to the fact that its security depends on software architecture. The BlackBerry DTEK60 must be only considered as ‘hack resistant’ as it is, after all, based on Android architecture.

No one considers phone security a priority until they get hacked. But if all phones can be unlocked, as Cellebrite claims, then, anything on your phone can and will be used against you in a court of law, if the law deems this necessary. And remember that access to your phone extends to access beyond your phone. Cellebrite, or others using their techniques, would have access to whatever websites your phone is connected to, such as your email, social media, cloud storage, and bank accounts. They can also control your contacts and your friends. It has come to the point where anyone who controls your smartphone can control your life.

Most people in a big city will not leave their keys in their car’s ignition. Most will lock their doors when they leave for the day. Yet, for some reason, these same people are mostly careless in the way they protect access to their phones, even though losing access to them could be far more devastating. It may be that people have become numb to cybersecurity threats. It may be that they feel manufacturers bear the brunt of responsibility for cyber protection. Maybe it’s just that the technological know-how necessary for good cybersecurity is beyond most people’s grasp. Now, it seems this may not matter. If Cellebrite is correct, no amount of cybersecurity will stand in the way of those who really want to get to the information stored on your phone. It will be interesting to see how smartphone manufacturers respond to this challenge.


The Forgotten Story That Could Uncover the Truth about Russian Connections

As the major media outlets chase after the latest shiny object cast in front of them (the indictment of 13 Russian trolls who can’t be prosecuted), another major story is slipping by relatively unnoticed. It is a story that has the potential to answer many questions about the full extent of Russian meddling in the 2016 US elections. It might even substantiate speculations that have only existed on fringe media sites. The problem with this news story is that it hides under a rather bland banner: BuzzFeed Sues the DNC.

On the surface, this seems like a ‘so what’ story. I mean, everyone sues everyone these days. Maybe it has a mildly interesting cannibalistic angle in that a left wing media outlet is suing the Democratic National Committee. But the true story is in why this is happening at all.

The story begins with BuzzFeed’s decision to publish the now largely debunked Steele dossier on Donald Trump. It was a poor decision by a media outlet which was seeking the limelight at the expense of good journalism. However, in their defense, they must have been convinced, at least to a minimal degree, that there were reliable sources behind the document. The document, when published, referred to one Alexsej Gubarev and his company, Webzilla, as being behind the Russian hacking of the DNC. Gubarev was understandably upset with seeing himself openly and unjustly shamed and, seeing what this could do to the reputation of his company, sued BuzzFeed for libel.

The amount of money mentioned in the suit must have been substantial and may be enough to effectively close down BuzzFeed. I say this because BuzzFeed spared no expense in hiring former FBI and White House cybersecurity official, Anthony Ferrante, to seek information that may, in fact, implicate Gubarev in the DNC hacking or substantiate other sections of the dossier. The hope is that this would show that they were not negligent in their publication of the document. This and other suits filed against BuzzFeed over their publication of the dossier have forced BuzzFeed to fight for its journalistic life.

But what if Gubarev really was behind the hack of the DNC? What if he was not as innocent as he claims? In this case, not only would the lawsuit be dropped, but BuzzFeed could countersue. But there is only one organization that would know for sure who was behind the hack of the DNC, and that is the DNC itself. If clues to the hacking exist, that information may still be somewhere on their servers. At least, this is what BuzzFeed hopes, and this is why they sued the DNC. They want access to those servers to see if they can find out who really hacked the DNC.

But wait a minute. Don’t we already know that the Russian government, or at least someone connected to the Russian government, hacked the DNC? After all, didn’t 17 government intelligence agencies find this to be the case? Well, that’s a bit of an exaggeration. The fact is that the only people who ever saw the DNC servers were not part of the government at all. They were a private cybersecurity firm called Crowdstrike. The DNC refused to let the FBI look at their servers, if you believe the FBI version of the story; according to the DNC, the FBI never asked for access to their servers. Neither of these scenarios looks good for the FBI.

The DNC claimed they randomly chose Crowdstrike to help them when they suspected they may have been hacked. They continually worried about Sanders’ supporters trying to hack them. Their claim was that they hired an independent firm because they didn’t want to involve the FBI. At the time, the FBI was investigating Clinton’s use of a private server, and they felt that involving the FBI in this problem would make things worse for Hillary and the DNC. To put it bluntly, they were afraid that such an open investigation could hurt donations to the party. This is substantiated by the fact that, after they announced the hack in June, 2016, they immediately announced that no donor information was involved. This story later proved to be false when Guccifer 2.0 released pages of information on donors.

But did the DNC randomly choose Crowdstrike as they claimed? Crowdstrike, in fact, had already been contracted by the FBI back in July, 2015, as can be seen in the image from USASpending.gov seen below.

[Image: Crowdstrike FBI contract record from USASpending.gov]

They were still under contract when they investigated the DNC hacking. This raises the question: Did the FBI suggest that Crowdstrike investigate the hack and, thus, simply trust their conclusions? The FBI had already known the DNC was being hacked. They had warned them to be careful months before. Crowdstrike, having previously dealt with Russian hacking, quickly concluded that Russian hacking groups were behind the attacks. There were certain Russian references in the malware code, and the servers used to operate the attack were ones Crowdstrike had seen before. The government intelligence agencies that claimed the hack was organized by Russian operatives based their conclusions on the forensics performed by Crowdstrike. They did not, and could not, verify this claim on their own. Now, keep in mind that this was one of the key cyber events in years and, perhaps, in history. Wouldn’t you think that the highest level law enforcement agency in the US government would want to double check the conclusions of a private cybersecurity firm?

So BuzzFeed appears to have a case. In fact, many in the cybersecurity community had their doubts about Russia being the source of this cyber attack. First of all, attribution for an attack is very difficult. The best hackers will hide all traces of where the attack came from. In fact, they will insert code or use servers that appear to point to other countries entirely. If they believe they have been discovered, they have a ‘kill switch’ that will wipe all evidence of the infiltration from the compromised network. What if someone just wanted to make it look like the Russians were the culprits? You could not absolutely exclude this possibility from the evidence given.

As soon as the hack was announced, the DNC put forth the story that Russia hacked them to help then candidate Donald Trump. But were these hackers allied with the Russian government or were the hacks performed by one of the numerous, independent Russian hacking groups? One would expect an attack by the Russian government to be sophisticated. In fact, this one was not. According to the Crowdstrike employee who worked on the hack, Robert Johnston, this was not an example of a sophisticated hack. “The target list was, like, 50 to 60,000 people around the world. They hit them all at once.” He observed that it was unusual for “an intel service to be so noisy.” To be blunt, this looks more like an attack performed by an amateurish hacking group that just happened to get lucky with one of its mass phishing campaigns. Whether the bounty gained from this attack was subsequently used by the Russian government is impossible to say. (For details on how this attack occurred, see this post.)

What is somewhat unsettling is that Crowdstrike has since lost some of its credibility. Crowdstrike falsely attributed attacks on a Ukrainian artillery app to Russia in December, 2016. At that time, Dmitri Alperovitch, the anti-Russian founder of Crowdstrike, claimed that this buttressed Crowdstrike’s conclusions for Russia’s involvement in the DNC hack. When this claim proved to be false, Crowdstrike’s reputation as experts on Russian hacking was tarnished. In addition, when asked to testify before an intelligence committee investigating the DNC hack, they refused, making some wonder if they were trying to hide something.

It was such behavior that has spawned a number of alternative theories. Although some of these may be classified as true conspiracy theories, others have a certain amount of support and could, indeed, be credible. Among the latter are those presenting evidence that the DNC documents were leaked and not stolen. Other theories have suggested that Crowdstrike or the FBI may have inserted malware into the DNC servers to intentionally make it look like the Russians were involved in the hacking. Why would they do this? Most such theories suggest that the DNC was trying to hide something and needed the Russian story to distract the public.

Crowdstrike used its Falcon platform to detect the unusual movements of large numbers of files within the DNC network. At the same time they were doing this, the Awan family was illegally moving thousands of files belonging to over 40 Congressional Democrats (including those of DNC Chairperson, Debbie Wasserman-Schultz) to Dropbox accounts and a server for the House Democratic Caucus. (The server was subsequently stolen.) Did Crowdstrike detect any of this unusual activity? (For more information on the Awan family scam, read this post.)

In the end we are left with more questions than answers. If judges allow BuzzFeed access to the DNC servers, and assuming there is still evidence of the hacking on them, it might just be possible to answer some of these questions on Russia’s involvement in the election. It is possible that what is found could squelch some of the conspiracy theories surrounding Russian collusion and support others. Then again, information may surface that could change the course of the Mueller investigation completely. Some decision should be made next month. However, the DNC lawyers are pushing back saying that, “if these documents were disclosed, the DNC’s internal operations, as well as its ability to effectively achieve its political goals, would be harmed.”

I don’t mean to be sarcastic, but I think their internal operations and political goals were already harmed. It’s time to stop sandbagging and let everyone get to the bottom of this matter once and for all.


Video Game Addiction and Death

When Mr. Hsieh died in a crowded room, nobody took any notice. For hours, he sat there slumped over and face-down on a table. Even when his dead body was carried out of the room, few paid much attention. Why? Because he died in an internet café in Taiwan. The other gamers were simply too involved in their gaming to pay attention to what was going on around them. Death was caused by cardiac arrest probably brought on by sleep deprivation.

But was the ultimate cause of Hsieh’s death video game addiction? It certainly must be considered a major contributing factor. If an alcoholic passes out on a cold night and freezes to death, the cause of death may be listed as hypothermia. However, few would deny that the underlying cause may be the alcoholism that caused him to pass out in the first place.

Hsieh was known to disappear for days to play games at his local internet café. He had all the symptoms associated with video game addiction. The World Health Organization (WHO) has recently classified gaming addiction as a mental health disorder. The condition becomes a mental disorder when a persistent pattern of gaming behavior develops that “takes precedence over other life interests.” The organization points out that “for gaming disorder to be diagnosed, the behavior pattern must be of sufficient severity to result in significant impairment in personal, family, social, educational, occupational or other important areas of functioning and would normally have been evident for at least 12 months.” In short, gaming addicts put gaming above all other aspects of life, even when they know that relationships and health are being harmed as a consequence.

[Image: video game lives]

Gaming addiction often leads to a lack of sleep which, in turn, leads to heart failure. Dr. Daniel Kuetting and his colleagues at the Department of Diagnostic and Interventional Radiology at the University of Bonn studied the effects of sleep deprivation on people who worked 24-hour shifts. They found that “short-term sleep deprivation in the context of 24-hour shifts can lead to a significant increase in cardiac contractility, blood pressure and heart rate.” It is safe to assume that the condition worsens if one stretches the time of being awake even further. Many of the gamers who have died of their addiction had, like Mr. Hsieh, been playing for up to three days straight. Most died of heart failure. Though most such gamers would survive a three-day gaming marathon, those in poor physical condition or with pre-existing heart problems would be at a much greater risk.

Just as not all those who drink alcohol become alcoholics, not all game players become gaming addicts. Studies vary in the number of gamers who become addicts, but it’s generally agreed that around 8-10% are either addicted or have problems related to gaming. According to the most recent statistics, 6.2% of adults have Alcohol Use Disorder (what we used to call alcoholism), and we can assume that the percentage of adults with some kind of drinking problem is much higher. A big difference between the two addictions is that around 88,000 people a year die alcohol-related deaths. These include driving accidents, fires, suicides, homicides, health problems, and falls. Even including deaths like that of Daniel Petric’s shooting of his parents for taking away his Halo 3 game, video gaming deaths are nowhere near as many as those related to alcohol addiction or even gambling, but that doesn’t mean that gaming addiction doesn’t ruin lives. For example, 15% of women filing for divorce listed excessive gaming as a contributing factor. To put this in perspective, here is a reminiscence of self-described gaming addict Mike Fahey.

“The woman I had once told was the love of my life was sitting undressed in my bed not a foot away from my computer desk, begging me to join her, and I kept putting it off. I was so close to level 40 I could taste it. I was in the Dreadlands, kiting large enemies back and forth, killing them slowly with my Bard songs. I still remember the urgency I felt, along with the annoyance that this woman was trying to keep me from reaching my goal. Couldn’t she understand how important this was to me?”

So what games are most addicting and, potentially, most life-threatening or life-destroying? There are a number of lists that claim certain games are more addictive than others. Of course, games are made for different platforms but the following names come up a lot. They are in no particular order. It should be noted that men are 7.5 times more likely to become addicts than women so games that appeal to men are, in all probability, the ones that will cause the most problems.

World of Warcraft

Minecraft

Call of Duty

Candy Crush Saga

Everquest

The Sims

League of Legends

Dota 2

If you expanded this to the most addictive games ever, you’d have to include games like Tetris, Super Mario, Pac Man, and Age of Empires. Remember that everyone has their own poison. I’ve known Tetris addicts, Asteroids addicts, Wolfenstein, and Duke Nukem addicts.

But, according to experts, the most dangerously addicting games are multiplayer online games, a.k.a. massively multiplayer online role-playing games (MMORPGs). These are the ones parents should pay most attention to if they feel their child is losing contact with the real world or is having social, behavioral, or academic problems.

Among these potentially problematic games are the following (asterisks indicate free online games).

Overwatch

Battlefield

Grand Theft Auto

Destiny

Call of Duty

League of Legends/Dota 2*

Star Wars Battlefront

FIFA

Resident Evil

Diablo 3

Fortnite* (also the fastest growing online game)

Smite*

Eve Online*

According to psychologists who treat gaming addiction, the games that are mentioned most are:

World of Warcraft

Call of Duty

Second Life

Everquest

Eve Online,

although my gamer son claims this list is out of date.

But what precisely is it that makes these games the most addicting among the thousands on the market? Experts on gaming addiction give the following reasons why some games are more addictive than others.

Addictive games will be:

1. Online multiplayer games (MMORPGs).

2. Games that allow players to create their own characters, teams, and worlds. This social element creates an alternative world and an escape from reality.

3. Games that have no predefined end or goal, which means they can continue to be played forever.

4. Games that have levels or rewards for playing more or for acquiring more skills. Games that are difficult to advance in tend to create a ‘give up factor’ which would kill potential addiction. Rewards stimulate addiction.

5. Games that have frequent upgrades to keep the game fresh and interesting.

6. Games that generate emotions. These are not always positive emotions, such as a feeling of accomplishment. Negative emotions, such as anger or a need for revenge, can also lead to more gaming.

Taking all of the above into consideration, I would suggest that the crystal meth of online games would have all of these elements and, in addition, be free and available on multiple platforms. With all of the above factors in mind, I sorted through a list of the best multiplayer games and came up with the following which should be considered among the current games with the most potential to cause addiction.

Warhammer 40,000, Fortnite, Heroes of the Storm, Dota 2, Smite, League of Legends, and Paladins.

Others that need to be watched are Terraria, Trackmania Turbo, PlanetSide 2, and Pixel Worlds.

Video game addiction is a physical addiction. Robert Lustig, a professor of pediatrics and endocrinology, recently reported his research on how gaming “can overrelease dopamine, overexcite and kill neurons, leading to addiction.” He further states that “when the brain gets used to a higher level of dopamine, it wants us to keep seeking out the addictive substance or habit.” Teens and young adults are particularly susceptible to dopamine addiction. Add to this the fact that video game developers actually try to make gaming as addicting as possible and you have the dopamine trap known as gaming addiction.

The free online game model works because addicted gamers will pay real money for in-game content. Thus, the more gaming addicts companies can create, the more money they can extract from gamers. And the sad truth is that gamers seek games that are addicting. In the end, it’s a perfect example of a codependent relationship. Mental health experts say that “people with codependency often form or maintain relationships that are one-sided, emotionally destructive and/or abusive.” That about sums it up.

[Image: you are dead]

Social Security Scams on the Rise, and It’s Not Just the Elderly Who Have to Worry

It was just a matter of time. With Boomers retiring in droves, more and more criminals have been targeting them to cash in on their retirement benefits. And if you think you’re safe because you’re not retiring yet, think again. One of the most recent scams will actually register you for retirement long before you’ve ever considered doing so. This means that when you do retire, your money may end up going to someone else. In fact, in some cases, these criminals may have preemptively withdrawn all of your retirement benefits before you even registered for retirement. This attack vector was increasingly used in 2017 and led cybersecurity expert, Brian Krebs, to encourage people to register on the Social Security Administration website as soon as possible.

In order to register on the SSA website, you will need to give them some basic information. This will include a name, address, telephone number, email, and, of course, your Social Security Number. If someone has these, they can register as you. But wait, the SSA uses something called an “Identity Services Provider” to “help us verify the identity of our online customers and to prevent fraudulent access to our customers’ sensitive personal information.” And who is this trusted authenticator? Equifax, a company that was hacked last year and lost its database of 145 million Americans; a database which included all of the above personal information and more. So, yes, your Social Security future may be impacted. To find out if your information was lost in this breach, go here. If you are outside of the US, you’ll have to use a VPN that can redirect you through a US server.

Update: On February 9th, the Wall Street Journal reported that Equifax lost more information than they previously disclosed. This included “tax identification numbers, which are used when someone doesn’t have a social security number, as well as e-mail addresses, credit card information, and some additional drivers license information.”

It has been reported that the data from the Equifax hack was dumped and put up for sale. Whether this is true or not doesn’t really matter. Social Security information is readily available for sale on the deep web. For example, I found this information on one deep web site. I removed sensitive information but it would otherwise be there for all to see.

[Image: Social Security numbers offered on a deep web site (sensitive details removed)]

Some of the information seems to check out.

[Image: SSN validation result]

So, if you have not registered at the SSA website, someone else could certainly do it for you. They could change your address, email, and bank account number to their own and you would be none the wiser.

Then there are the scams. Even if you are registered, criminals can use this information against you. Take a look at a common phishing letter that is making the rounds.

[Image: SSA phishing email]

Okay, so the bad grammar may be a giveaway, but would you otherwise recognize it as fake? If you clicked on the link, you might even land on a sign-in page that looks like a legitimate SSA site. Yes, you should hover the cursor over the link to see where it goes (check the lower left hand corner of your screen), but sometimes these links are made to look real. The SSA gives this real example of one such link (don’t worry, it goes nowhere):

https://www.socialsecurity.gov.gmx.de/

Notice that it has legitimate-looking elements and even has an ‘https’ header, which seems to give it a secure look. But beware of these so-called secure sites. If you must trust any of them, the ‘https’ should be green. Here are two examples. The first is from the legitimate SSA website. Notice that it is not green, and that includes its sign-in page.
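The hover-and-look check described above comes down to reading the right-hand end of the hostname: in www.socialsecurity.gov.gmx.de the part that decides who receives your click is gmx.de, and neither the familiar brand name in the middle nor the ‘https’ prefix says anything about who runs the site. The following Python helper is an added example, not code from the original post or from the SSA; the allow-list of genuine SSA domains and the short built-in list of two-label public suffixes are assumptions of the example (a real check should use the full Public Suffix List).

```python
"""
Added example: decide where a link really goes by its registrable domain.
Not code from the original post. Assumptions are marked below.
"""
from urllib.parse import urlsplit

# Assumption for this example: domains a genuine SSA link is expected to use.
SSA_DOMAINS = {"ssa.gov", "socialsecurity.gov"}

# Constructed, deliberately small sample of two-label public suffixes.
# A production check should consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a hostname, i.e. the label just left
    of the public suffix plus the suffix itself.

    'www.socialsecurity.gov.gmx.de' -> 'gmx.de'
    'www.example.co.uk'             -> 'example.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, expected_domains=SSA_DOMAINS) -> dict:
    """Classify a URL found in an e-mail.

    The verdict rests only on the registrable domain. 'https' is reported
    for information but is deliberately not used as a trust signal, because
    any site can obtain a certificate.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    # A brand name appearing somewhere in the host while the registrable
    # domain is foreign is the classic look-alike pattern from the post.
    brand_present = any(d in host for d in expected_domains)
    return {
        "host": host,
        "registrable_domain": domain,
        "uses_https": parts.scheme == "https",
        "trusted_domain": domain in expected_domains,
        "lookalike": brand_present and domain not in expected_domains,
    }


if __name__ == "__main__":
    # The SSA's own example of a bogus link, plus a genuine SSA address.
    for sample in ("https://www.socialsecurity.gov.gmx.de/", "https://www.ssa.gov/"):
        verdict = check_link(sample)
        status = "OK" if verdict["trusted_domain"] else "SUSPICIOUS"
        print(f"{status:10} {sample} -> registrable domain {verdict['registrable_domain']}")
```

Run the file directly to see the two verdicts; the point of the design is that the ‘https’ flag is carried along but never consulted when deciding whether the domain is trusted.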

[Image: SSA website https indicator]

The second, from Bank of America, shows the highest level of security.

[Image: Bank of America https indicator]

The problem is that any website can get the gray certificate. It can even be acquired for free. Check my post on this for more information.

SSA email scams, like the one mentioned above, are a relatively new phenomenon. Most scams targeting seniors use scam phone callers pretending to be from the SSA. They have the same goal, however, to get your personal information. Why do they use phone scams? Because, sadly enough, older people tend to be more trusting, especially when they hear a friendly voice on the other end of the line. But as seniors become more tech savvy and depend more on email and social media, these are more and more likely to become the main attack vectors. Look for such scams to increase and become more sophisticated in the future.


The Cryptocurrency Scam Epidemic

When a businessman friend of mine told me he and his brother were investing in cryptocurrencies, I was, quite frankly, dumbfounded. Here were two technologically challenged businessmen planning to invest considerable money in one of the most technologically challenging concepts in existence. However, I understood the motivation behind their optimism. It was, in short, the belief that this was the road to instant wealth. It was not only the triumph of greed over fear, but the triumph of ignorance over reason. As someone who writes on cybersecurity, my first question to them was whether they had bought a hardware wallet. Their blank stares said more than any words could have.

This interaction made me wonder how many others were like these two businessmen. How many people, hoping for instant wealth, invested large sums in bitcoins or other cryptocurrencies without knowing the first thing about how they operate? I suspected the numbers were high, and, if this were true, there must be hundreds of hungry scammers waiting to feed on them.

Yes, I expected to see a lot of scams, but what I found exceeded all my expectations. There is a rampant feeding frenzy going on among scammers who are glutting themselves on the overabundance of naïve bitcoin and other cryptocurrency buyers. They are taking advantage of these people in a number of ways. Some of the scams are simplistic while others are more complex. Here are some that are currently making the rounds.

The ICO (Initial Coin Offering) Scam

Initial coin offerings (ICOs) are supposed opportunities to be among the first to invest in a new type of cryptocurrency. As one writer recently put it, “the sheer number of ICOs that have come across my desk makes my head spin.” The writer estimates that 90% of these offers are scams. If you check a site like Bitcoin Jerk, you will find a list of nearly every possible cryptocurrency available. As of this writing, there are almost 1500 of them, with some selling for less than one cent. Although bitcoin itself is based on complex code and encryption, some of the currencies listed are based on absolutely nothing. Then how can they even exist? The answer is: by pure speculation.

If I have enough people believing that a green piece of paper with some esoteric markings on it has value, then it has value, at least among the believers. This paper can then be exchanged for goods and services. Remember that bitcoin really got its footing in the deep web, where people needed to buy illegal merchandise, often drugs, in an untraceable fashion. As more people believed in its value, its value increased.

New cryptocurrencies need some way to make themselves known. The best way to do this is to pair themselves with a spamming network or botnet. This is what the largely unheard-of cryptocurrency, Swisscoin, is doing.

swisscoin

Swisscoin has paired itself with the infamous Necurs botnet to spread spam offers for the coin. Swisscoin spokespeople deny this and ask those who get such emails to report them to the company. That said, Swisscoin has been termed a Ponzi scheme by a number of researchers, as it relies mainly on persuading investors to interest other people in the coin in order to increase interest (speculation) in it and thus raise its price, in what is termed a pump-and-dump scam. It could be that only one investor used the botnet to encourage more people to invest in the coin. The increased interest would then increase the price of the coin and, by extension, the spammer’s own income. The current price of a Swisscoin stands at $0.004. It is no surprise, then, that Swisscoin wants people to buy packages that start at 25 euros. That said, according to those who’ve traced the bitcoin address for the company, Swisscoin has received over $2.5 million in bitcoins alone. Not a bad return for a little-known and almost useless cryptocurrency.

For this and other cryptocurrency spam emails, look for subject lines like the following.

Subject:    Forget about bitcoin, there’s a way better coin you can buy.

Subject:    Let me tell you about one crypto currency that could turn 1000 bucks into 1 million

Subject:    This crypto coin could go up fifty thousand percent this year

Subject:    Could this digital currency actually make you a millionaire?

Cryptocurrency Wallet Hacks

When you buy your bitcoins, you are really buying a private key that enables you, and only you, to use the coins. This key needs to be protected because, if it falls into someone else’s hands, the coins are as good as theirs. What’s worse is that bitcoin’s built-in privacy will allow the thief to escape all detection. So, to protect the key and your bitcoins, you need what is called a wallet. Basically, there are three kinds of wallets. One that is often used comes with the coins you buy through some website, like Coinbase. The website protects your private key with its own security. In order for you to access your private key, you need a username and password. However, these ‘cloud’ wallets are vulnerable if someone gets your password. They can get this through normal hacking methods, such as phishing scams, or by infiltrating your email and contacting the bitcoin site to reset the password, thereby taking control of your account.

Cloud services themselves have been hacked and customers’ bitcoins were stolen. This happened to NiceHash when hackers compromised an employee’s computer to steal $64 million. The Mt. Gox hack (billions of dollars in bitcoins stolen) and the recent Coincheck hack ($450 million stolen) are examples of online storage sites that were hacked. Some of these could have been inside jobs.

Software wallets store your bitcoin information on your device or computer and, in so doing, are connected to the internet. Such wallets allow for easy use of your bitcoins but are more accessible to hackers. No serious bitcoin owner will use software to protect their private key. Serious users use hardware wallets, which are independent devices, not connected to the internet. They can be hacked, but not easily. For more information on these hardware wallets, see my recent post.

Fake Recipient Hacks

“All of my money was just sent from MyEtherWallet to this address. It looks like that person has stolen more than 44 million dollars worth of crypto. What now?” So began one post on Reddit. It appears the user signed into a spoofed (look-alike) website and gave the attackers the information they needed to steal his bitcoins from the real website. Always check the URL carefully, as even a one-letter difference can be important. GoogIe.com is not the same as Google.com. (They look the same because of the font used on this website. The capital ‘I’ is indistinguishable from the letter ‘l’, but that’s my point. A spoofed link can be difficult to spot.)
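Checking for that one-letter difference can be automated. The block below is an added example of mine, not code from the Reddit poster or from any wallet site. It compares a hostname against a short, constructed list of trusted domains after folding look-alike characters into a common ‘skeleton’, so that GoogIe.com (capital I) is reported as a look-alike of google.com rather than as an unknown site. It goes a little beyond the post by also folding a handful of Cyrillic letters and decoding ‘xn--’ (punycode) hostnames, which is the same trick carried out with non-Latin alphabets; the confusables table here is a small hand-picked subset, not the full Unicode one.

```python
import unicodedata

# Constructed list of domains the user actually intends to visit (assumption).
TRUSTED = {"google.com", "myetherwallet.com"}

# Single characters that render almost identically in common fonts, folded to one
# canonical letter. The Cyrillic entries are a constructed subset of the Unicode
# confusables data, not the full table.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",
    "0": "o", "O": "o",
    "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}
# Letter pairs that read as a single letter when set side by side.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}


def skeleton(host: str) -> str:
    """Reduce a hostname to what a reader's eye sees, not what the bytes say."""
    s = unicodedata.normalize("NFKD", host)
    # Fold before lowercasing so that capital 'I' becomes 'l' rather than 'i'.
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = s.lower()
    for pair, single in PAIR_CONFUSABLES.items():
        s = s.replace(pair, single)
    return s


def classify(host: str, trusted=TRUSTED):
    """Return ('trusted', name), ('lookalike', name) or ('unknown', None)."""
    host = host.strip().rstrip(".")
    # Punycode labels hide non-ASCII letters; decode them so they can be folded too.
    if host.isascii() and "xn--" in host:
        host = host.encode("ascii").decode("idna")
    exact = host.lower()
    if exact in trusted:
        return ("trusted", exact)
    sk = skeleton(host)
    for name in sorted(trusted):
        if skeleton(name) == sk:
            return ("lookalike", name)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed samples: the post's GoogIe.com, a Cyrillic 'е', 'rn' for 'm', and a stranger.
    for h in ["Google.com", "GoogIe.com", "googl\u0435.com", "rnyetherwallet.com", "example.org"]:
        print(repr(h), "->", classify(h))
```

The exact-match test runs first so a genuine trusted domain is never reported as a look-alike of itself; only hostnames that fail exact matching but collapse to the same skeleton as a trusted name are flagged.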

It is also possible for a hacker to divert bitcoin payments through a man-in-the-middle attack. Without going into details, the scammer initiates a transaction with both a buyer and a seller and watches it progress. When the time is right, the scammer, pretending to be the seller, gives the buyer his own bitcoin address for the buyer to send the coins to. For more details on this scam, go here.

So, my final observation after studying many of these scams is that those who speculate on cryptocurrencies without knowing how they work are destined to find out how they work after they lose their coins. When greed is the underlying motive for buying cryptocurrency, reason is co-opted and people are more willing to take risks they would not normally take. As for my businessman friend mentioned at the beginning of this post, he ended up losing about 30% of his original investment. For the moment, his greatest fear is not of being hacked, but of having his wife learn about his costly investment.


Emotion Detection and Manipulation Headsets Are Now on Sale

Here is the latest version of a headset that is capable of detecting and influencing your emotions.

emotion headset

The headset, developed by imec and Holst Centre, is promoted as “breakthrough technology to advance neuro research, e-learning and virtual gaming”.

Before we get too carried away with this idea, and before we delve into the true implications of this technology, keep in mind that we have been using technology to modify our emotions for decades. We are emotionally influenced by movies and music and may choose to alter or augment our moods by matching them to the appropriate media output. Even the simplest video games can influence our emotional states in positive and negative ways. Those who have experienced games in virtual reality know that reason can be bypassed in VR environments. There are still games my gamer son won’t play because they are simply too scary, and even though I logically know I am not on the edge of a high building, I have great difficulty making my mind believe that I can take that first step into the abyss. So how will this headset change anything?

Here is what the company says about the integration of music and emotion detection.

“With the integration of music playback, the system can not only measure, but also influence the emotions of the person that is wearing the headset. With the help of Artificial Intelligence our headset can learn the personal musical preferences of the wearer and compose and playback, in real-time, music that fits his preferences and influences his emotions to achieve the wearers’ desired emotional state.”

Isn’t this what drugs do? If drugs are used to alter our emotional states and change our perceptions of reality, won’t these headsets do more or less the same thing? The somewhat surprising phrase in the quote is that the device will interact with AI to “compose” music to achieve the user’s desired emotional state. This raises the question: Can a nefarious actor use the same technique to alter a person’s personality in order to manipulate them?

The new headset is certainly a breakthrough in terms of comfort and use. In the past, in order to access a person’s emotional states, electrodes had to be ‘glued’ to a person’s skull and placed in precise locations. The new headset uses ‘dry’ detectors and is designed to fit in a way that enables the embedded electrodes to be placed above the precise brain regions that need to be monitored. It would seem but a matter of time before VR headsets, such as the Sony Playstation VR headset, come with similar emotion detecting electrodes.

But why wait? The future is already here. Looxidlabs has already integrated brain sensors with a dual camera VR headset.

loomix headset

loomix headset 2

The system can detect what a user is looking at on a VR screen and simultaneously chart the emotional response to it. The diagram below shows how the device is integrated.

loomix diagram

Currently, the device is being marketed as a research tool. Marketers could get a quick insight into what ads had the most effect on potential customers. Game designers could determine which images created the desired emotional impact. Fashion designers could target market niches more precisely. The list goes on and on. The device will be available for pre-orders on February 1, 2018.

At first, I couldn’t really understand how game developers could use this technology to make any substantial difference to gaming. Would users be able to preset emotional options, such as what level of fear they want to tolerate? Possibly, but my guess is that marketers have more financial goals in mind, and I don’t say this without reason.

Take a look at this leaked screenshot from a marketing company that specializes in marketing within the gaming environment. From information given in the leak, the marketing may be associated with EA games. Notice how they detect the psychological state of the gamer and use it in microtransactions to gain income.

gamer leak

In short, the marketers determine a gamer’s psychological state by using the gaming device microphone to analyze the gamer’s vocal characteristics. Apparently, a depressed gamer will have a high purchase rate for in-game products (microtransactions) but will then tend to experience buyer’s remorse, which may inhibit future purchases. Thus, if the marketers can manipulate the user into a non-depressed state, they would increase long-term revenues.

The leaked documents also show how the marketers would analyze the sound of a car’s engine that they picked up on a user’s smartphone. Using a combination of algorithms, they were able to determine the brand of car the gamer used and, thus, calculate the social status of the individual, making them easier to target for marketing. Numerous other data gathering tools were mentioned in the leak as well as how the data could be used for specific purposes.

It is interesting to note that EA games initially dropped microtransactions in its Star Wars Battlefront II game when they were criticized by the EU for encouraging gambling within the gaming environment. In any event, it doesn’t take much imagination to see how game developers could use an emotion detection VR headset to further their marketing success and gain income for the company. The development of data mining via the gaming vector should contribute to a marked increase in free online gaming in the years to come.

Of course, there will be positive uses for these emotion detector headsets. An array of psychological problems could be addressed and even cured. Phobias could be overcome. Social relationships could be improved, and learning could be enhanced. However, there is a disturbing undercurrent that comes with this emotion-on-demand technology. Would game developers be able to make games more addicting? Could gaming be used to manipulate an individual’s viewpoints in a manner similar to brainwashing? These are questions yet to be answered, but, disturbingly enough, the questions have now become valid.


Bitcoin Hardware Wallets and Their Vulnerabilities

Bitcoins don’t exist. That is, there is no physical coin with a bitcoin logo, even though attempts have been made to create them. Those that do exist, exist as novelty items, like the one in this image.

bitcoin

When you buy a bitcoin, you buy a line of computer code that a group of people believe has monetary value, just like we believe that a piece of paper has a special value if it has the correct identifying features.

dollar

When you buy a bitcoin, you get a private key that allows you and only you to use it. If you do not protect this private key, you are in danger of having it stolen. That’s why you need something called a ‘bitcoin wallet’. Just as you can protect your money by putting it in a safe or a bank, you can protect your key and bitcoins by putting them in a bitcoin wallet.

Just like banks, some wallets are better than others. Bitcoin wallets can take the form of an app, a software program, a website (cloud), or a removable hardware storage device, like a USB stick. Wallets that use programs connected to the internet are termed ‘hot storage’. Wallets on independent, physically isolated devices are referred to as ‘cold storage’. It should be quite clear that, especially if you have a considerable investment tied up in bitcoins, a hardware wallet, or cold storage wallet, is preferable, if not mandatory.

Anyone serious about keeping their bitcoins safe will use a hardware wallet. Hardware wallets, being physical devices, must be paid for, unlike some software wallets, which are either free or included in a cloud service. Prices start at just under $100. But, how do you know which hardware wallet is best?

The best hardware wallets will come with their own small screens so that you are even less exposed to malware, like keyloggers, that may be waiting for you to type information on your computer. The image below shows a hardware wallet made by the firm KeepKey, with its built-in screen.

keepkey

Of course, there are other ‘wallets’ that you could use. You could use a separate computer that is not connected to the internet to store your bitcoin data. You could use hardware architecture on an Android device, such as that offered by InZero Systems, which separates the hardware at the kernel level, making what amounts to two separate devices out of one. Just be sure that the safe side of the device is not connected to the internet. Or you could write down your private key on a piece of paper.

Hardware Wallet Vulnerabilities

1. You could lose your wallet

Yes, it can happen. Back in 2013, James Howells threw out an old hard drive when he was cleaning up his desk. Later, he realized that he had stored 7,500 bitcoins on it that he had bought, and then forgot about, years before. That’s right. At today’s rates, he had thrown away $120 million. It’s still buried in a landfill in Wales, if you’re interested.

You might not be as unlucky as James Howells, but you could still misplace or accidentally destroy your hardware wallet. Then what? Well, that’s the end of the story. If someone steals your wallet, they cannot open it without a PIN. Three failed PIN attempts will delete everything on the wallet, so even the owner can lose all the data if they forget the PIN. What if your house burns down? What if you drop the device in the toilet? You get the picture. Hardware wallets have physical vulnerabilities.

For all of these reasons, those who have large investments in bitcoins often buy more than one hardware wallet. One can be kept nearby, while another can be kept in a secure and more distant location, like a safety deposit box in a bank. And don’t forget analog storage. That is, you can always write your private key on a piece of paper and store that in a secure place.

2. The firmware could be tampered with

bitcoin wallet warning

The above warning is given for one particular hardware wallet for a reason. People have been scammed by buying a wallet from a third party like eBay. In one case, the wallet appeared to work and send bitcoins to a recipient. Only later did the owner realize that all of his bitcoins, $34,000 worth, were missing. Apparently, the wallet was programmed by the seller to send bitcoins to his/her address. Most hardware wallets have to have the firmware programmed into the device to work and should not, in general, work right out of the box.

Such attacks are often referred to as ‘supply chain attacks’. Anyone physically handling a device from the time it is manufactured to the time it is delivered could potentially tamper with it to make it perform to their needs.

3. Firmware updates

This is a common attack vector for both regular criminals and nation-states. Basically, the attacker forces a firmware update of the hardware wallet. The user may have set their computer to update programs automatically. The update may reprogram the device to send information, such as the private key, back to the attackers. Often, victims have no idea this has even happened until their bitcoins disappear.

4. Recovery attacks

Many hardware wallet companies realize that people, being human, will make mistakes. They may lose or damage their wallet, or otherwise lose access to it. That’s why they provide a special way for customers to get their wallets back. It’s called the ‘recovery phrase’. This is a phrase of 12 to 24 related or unrelated words that can be used to recover lost private keys. An example is given below.

bitcoin wallet phrase

If this message shows up on your computer screen, it can be captured with screen capture malware and there go your bitcoins. Others may store their phrase/words in an accessible file on their regular computer or write it down and put it somewhere in their house, which makes them vulnerable to other forms of attack.
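What that phrase actually encodes is worth seeing, because it explains why a single screenshot of it is the whole loss. The block below is an added example written for this post, not code from KeepKey or any other wallet vendor. It follows BIP39, the standard most hardware wallets use for recovery phrases: the phrase is random entropy plus a short SHA-256 checksum, cut into 11-bit word indices, and the wallet’s master seed is derived from the words with PBKDF2. To stay self-contained it works on word indices rather than the 2048-word list, and it uses the standard’s published all-zero test vector (eleven times ‘abandon’ followed by ‘about’). The optional passphrase in the last function is BIP39’s own feature, not something the post mentions; it is the one setting that makes a captured phrase insufficient on its own.

```python
import hashlib
import unicodedata

# BIP39 allows 128..256 bits of entropy in 32-bit steps, giving 12..24 words.
VALID_WORD_COUNTS = (12, 15, 18, 21, 24)


def entropy_to_word_indices(entropy: bytes) -> list:
    """Turn raw entropy into the 11-bit word indices of a recovery phrase."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    # Checksum = the first ENT/32 bits of SHA-256(entropy), appended to the entropy.
    digest = hashlib.sha256(entropy).digest()
    checksum = int.from_bytes(digest, "big") >> (256 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def checksum_is_valid(indices: list) -> bool:
    """Recompute the checksum from the word indices; False means a word was
    mistyped, reordered or substituted (the wallet's own first line of defence)."""
    n_words = len(indices)
    if n_words not in VALID_WORD_COUNTS or any(not 0 <= i < 2048 for i in indices):
        return False
    total_bits = n_words * 11
    cs_bits = total_bits // 33          # every 33 bits are 32 entropy + 1 checksum
    ent_bits = total_bits - cs_bits
    combined = 0
    for idx in indices:
        combined = (combined << 11) | idx
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    given = combined & ((1 << cs_bits) - 1)
    expected = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs_bits)
    return given == expected


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed exactly as BIP39 specifies:
    PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase.
    Anyone holding the words (and the passphrase, if one is set) holds this seed."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


# BIP39's first published test vector: 16 zero bytes of entropy.
ZERO_ENTROPY = bytes(16)
ZERO_PHRASE = " ".join(["abandon"] * 11 + ["about"])   # indices 0 x 11, then 3
# With passphrase "TREZOR" the standard's vector gives a seed starting c55257c360c0...


if __name__ == "__main__":
    idx = entropy_to_word_indices(ZERO_ENTROPY)
    print("word indices:", idx)
    print("checksum ok: ", checksum_is_valid(idx))
    print("tampered ok: ", checksum_is_valid(idx[:-1] + [4]))
    print("seed, no passphrase:", mnemonic_to_seed(ZERO_PHRASE).hex()[:32], "...")
    print("seed, passphrase:   ", mnemonic_to_seed(ZERO_PHRASE, "TREZOR").hex()[:32], "...")
```

Two things follow from the code. The checksum only catches transcription errors; it offers no secrecy, so the words themselves are the secret. And the seed derivation has no per-device component: the same twelve words produce the same seed on any wallet, which is exactly why a phrase captured from a screen can be replayed into a different device.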

KeepKey uses the phrase recovery technique but advises customers to use it only on a new KeepKey wallet. KeepKey encrypts each letter as you type it into your computer before it is sent to the company to retrieve your private key. This, of course, means that some of your data is stored in the KeepKey cloud, which would make it a target for hackers. Indeed, KeepKey was hacked in early 2017. Company CEO Darin Stanchfield reported that “the attacker was able to temporarily access one of our sales distribution channels, a vendor we use for shipping and logistics, and our email marketing software account. This means he momentarily had access to a portion of our customer data which included addresses, emails and phone numbers.” This is troubling even if the attacker did not gain access to the private keys of customers. A good attacker could use this personal information to engineer an attack that could trick users into revealing their private keys.

5. Other Vulnerabilities

In the documentary film about Edward Snowden, Citizenfour, Snowden is seen pulling a blanket over his head before typing in his password.

snowden blanket

Apparently, he was worried about hidden security cameras capturing his password when he typed it in. It could conceivably happen with a hardware wallet. Not only a security camera, but malware that controlled your webcam could, at least in theory, capture information from your bitcoin wallet screen. It could also capture your device’s PIN.

In addition, new vulnerabilities recently found in a number of processors could be leveraged to take control of bitcoin wallets, although this is yet to be demonstrated.

As long as the price of bitcoins remains high, criminals will do anything to get their hands on them. Once stolen, the same technology that is used to keep bitcoin owners anonymous will keep those stealing them anonymous as well. The cryptocurrency realm is a dangerous terrain to navigate and threats can appear at any turn in the road. For those with little experience in speculating on cryptocurrency, here be monsters.
