To prevent the problems of customer binding and of losing business when darknet markets go down, merchants have begun to leave the specialized and centralized platforms and have instead ventured to use widely accessible technology to build their own communications and operational back-ends.
Instead of using websites on the darknet, merchants are now operating invite-only channels on widely available mobile messaging systems like Telegram. This allows the merchant to control the reach of their communication better and be less vulnerable to system take-downs. To further stabilize the connection between merchant and customer, repeat customers are given unique messaging contacts that are independent of shared channels and thus even less likely to be found and taken down. Channels are often operated by automated bots that allow customers to inquire about offers and initiate the purchase, often even allowing a fully bot-driven experience without human intervention on the merchant’s side.
The other major change is the use of “dead drops” instead of the postal system, which has proven vulnerable to tracking and interception. Now, goods are hidden in publicly accessible places like parks, and the location is given to the customer on purchase. The customer then goes to the location and picks up the goods. This means that delivery becomes asynchronous for the merchant: he can hide a lot of product in different locations for future, not yet known, purchases. For the client, the time to delivery is significantly shorter than waiting for a letter or parcel shipped by traditional means – he has the product in his hands in a matter of hours instead of days. Furthermore, this method does not require the customer to give any personally identifiable information to the merchant, who in turn doesn’t have to safeguard it anymore. Less data means less risk for everyone.
Tag: security
Nation-State Malware
The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that’s used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape. This feels like an example of the US’s new strategy of actively harassing foreign government actors. By making their malware public, the US is forcing them to continually find and use new vulnerabilities.
BGP hacking
This article will show how this hijacking works, and how China employs its conveniently distributed points of presence (PoPs) in western democracies’ telecommunications systems to redirect internet traffic through China for malicious use. It will show the actual routing paths, give a summary of how one hijacks parts of the internet by inserting these nodes, and outline the major security implications.
Free Credit Freezes
Later this month, all of the 3 major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind.
Android fork consequences
Those modifications lead to headaches, though, including the well-established problem of delays in shipping security updates. They can also, as Stavrou and his team have uncovered, result in firmware bugs that put users at risk. “The problem is not going to go away, because a lot of the people in the supply chain want to be able to add their own applications, customize, add their own code. That increases the attack surface, and increases the probability of software error. They’re exposing the end user to exploits that the end user is not able to respond to.”
Owning elections
Last week at DEFCON 26 in Las Vegas, 11-year-old Emmett Brewer hacked into a replica of Florida’s state election site and changed the voting results. That’s scary enough. What’s even scarier is that it took him less than 10 minutes. An 11-year-old girl was able to hack into the same site in ~15 minutes. And more than 30 kids were able to hack into replicas of other states’ sites in less than 30 min.
Memory leak debugging
Guided by BLeak, we identify and fix over 50 memory leaks in popular libraries and apps including Airbnb, AngularJS, Google Analytics, Google Maps SDK, and jQuery. BLeak’s median precision is 100%; fixing the leaks it identifies reduces heap growth by an average of 94%, saving from 0.5MB to 8MB per round trip.
Information warfare attack
As DHS, DNI, FBI, and the Pentagon come together before the public to say Russia is actively attacking our midterm elections, as we have long been warned they’d do, please remember that exactly 2.5 weeks ago Donald Trump stood next to Russian President Vladimir Putin, refused to confront him on the 2016 infowar campaign our intelligence officials all say happened, and called Putin’s denial of the 2016 infowar “strong and powerful.”
Seeing all the intel chiefs on stage say one thing, and knowing the President — who wasn’t there? — believes another was weird.
All of the directors seemed to be saying they believe the nature of the attacks was overwhelmingly psyops, or online campaigns intended to influence opinion and voting choices, rather than direct attacks on voting infrastructure.
Conservation of Threat
as the environment becomes safer we manufacture new threats. To study how concepts change when they become less common, we brought volunteers into our laboratory and gave them a simple task — to look at a series of computer-generated faces and decide which ones seem “threatening.” The faces had been carefully designed by researchers to range from very intimidating to very harmless. As we showed people fewer and fewer threatening faces over time, we found that they expanded their definition of “threatening” to include a wider range of faces. When they ran out of threatening faces to find, they started calling faces threatening that they used to call harmless. Rather than being a consistent category, what people considered “threats” depended on how many threats they had seen lately.
Inaudible voice attacks
We test our attack prototype with 984 commands to Amazon Echo and 200 commands to smartphones – the attacks are launched from various distances with 130 different background noises. Attack success at 8m for Amazon Echo and 10m for smartphones at a power of 6 watt.