Any vetting that can be fooled, or that has an agenda already, can be a better attack vector than not having it at all - since once you have it, you tend to trust it. What could go wrong?
Nothing super-fuels a security sales pitch like the sort of threat it’s hard to ignore. After China’s massive Aurora attacks on Gmail in 2009, it was the terror of Advanced Persistent Threats (APTs) that helped make fortunes for a new wave of security startups, post-incident forensic companies, and others peddling intelligence …
Yup, like I've been seeing quite a few phishing websites with Extended Verification Certificates, but are otherwise amateurish copies of the real things. But people trust them anyway because the bar at the top of the browser is green.
I've noticed that a couple of these phishing sites are using certificates issued by CAs that are either government-run or are suspiciously friendly to governments. Like the other day I noticed a phishing website purporting to be a fairly large Saudi bank held a certificate issued by an Israeli CA. Or an Indian bank that was using a Pakistani-issued certificate.
I've also seen password stealing pages that use captchas, scams that require two-factor authentication, and many other nasties that take advantage of security mechanisms to appear legitimate.
scams that require two-factor authentication,
How does that work? To pull that off, they should have your phone number beforehand, right?
Like the other day I noticed a phishing website purporting to be a fairly large Saudi bank held a certificate issued by an Israeli CA.
The two-factor authentication scam had victims register with the scam's website (Purporting to be the IRS / FBI / ICE / etc). As part of registration, it used a legitimate two-factor authentication system and asked to 'help secure your account' to lend the scam credence. The scams were fairly similar, they'd start with "You are being investigated by <agency>, log into <website> and register with case <number> to respond to the accusations and view your case file" then when they register, they are asked to enable two-factor-authentication 'for their protection'. The scam would then keep going on and on asking for more and more money for 'processing fees' and 'filing fees' and 'fines'. Pretty much a standard 419 scam except rather than a Nigerian Prince, it is a Federal Agent and instead of money they promise, it's either not being arrested or deported.
For the Israeli certificate on a fake Saudi Arabian bank website it was a matter of a fake website that used all the logos of the real one, but the URL was slightly wrong (in this case used an 'n' instead of an 'r' in the url). The website even had an EV certificate that used the correct name of the bank in the verified owner, and for all intents and purposes looked like the real bank's website. The thing even functioned just like the real bank (Every action was 'passed through' to the real bank's website). The thing that really tipped me off was that the EV certificate was signed by a certificate authority based out of Israel and has a history of working with Mossad, western intelligence agencies and malware mercenaries like the Equation Group.
Right - if it's free, you're the product as the author implied - "The acronym TANSTAAFL was used by Robert Heinlein, the science fiction writer, in his 1966 novel, The Moon is a Harsh Mistress."
Which, interestingly, is about a revolution itself. One aided by a real AI(!).
These days, you're the product even if it isn't free - plenty of double dipping to go around.
Who watches these watchers? Some of them have pretty obvious agendas. Most aren't competent to do the job. All would love to have that juicy data, which would inevitably leak and be used in some partisan manner.
Too slow to be useful would seem to be the best case possible, though recriminations after the fact also seem to cause a lot of pain and are used as weapons by whoever didn't win.
to use these services?
It seems pretty obvious that you're going to be passing a lot of nominally private email traffic through these benevolents' portals. Between the various intelligence agencies of virtually every country on this planet and the ISPs, platforms (fb/google), and scanners/skimmers installed on our devices it seems that all my unworthy-of-attention ramblings are already well vetted.
It's just another Zuk trick. Everything about Facebook is deception..... A sociopath worth 60 billion, doesn't have self-awareness! "For a long time, Silicon Valley enjoyed an unencumbered embrace in America and now everyone says, Is this a trick?"
Call me paranoid, but I am so very worried about the amount of data that social media services are collecting especially when no one has really done anything to get rid of the whole FISC and their unconstitutional National Security Letters. I mean, at this point Facebook and their ilk have compiled a nice juicy database that contains our real names, locations, friends, religious beliefs, sexual orientations, nationalities, citizenship status, political position, etc (A lot of this isn't directly asked, but can be gleaned simply from the things people post). I am afraid of the day that the administration decides to just issue an NSL for that data, then use it to build their lists of 'undesirables'.
Due to the nature of NSLs, they may already have such a list and there is no way for us to know about it. And that frightens me more than anything ever could.
I am afraid of the day that the administration decides to just issue an NSL for that data, then use it to build their lists of 'undesirables'.
In a functioning democracy, we should in theory be able to remove that administration. When it's say, Apple and their mysterious 'trust' score, or Twitter, Facebook etc doing their version of the old Usenet Death Penalty for undesirables, things get blurrier.
So we're meant to believe that a small campaign on Facepalm swung an electorate of 600m or so Americans. Facepalm would like you to believe that their analytics and ad targeting can help you win elections... For the right sum, and possibly the right candidate given some partiality problems with social media platforms.
Politicians seem to be waking up to the idea that social media could be dangerous, and thus regulated.. Although how it could go about that remains a mystery. They're also waking up to the data hoarding and starting to ask some awkward questions, which could reveal some awkward answers. Like the big social media companies aren't as influential as assumed, and that could lead to less money being thrown their way. Some companies are already questioning the value of online advertising and cutting their spend. In EU-land, GDPR has given regulators some teeth and an ability to peek behind the curtain, which may not bode well for future FANG stock prices.. But given their weight in indexes like the NASDAQ 100, devaluation could have unfortunate knock-on effects.
Slowly, politicians do seem to be waking up to the idea that bulk privacy infringement isn't always a good idea.
“After China’s massive Aurora attacks on Gmail in 2009” elReg 2018
“In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access”, Bruce Schneier Jan 2010
“Google provided no evidence that China was even indirectly involved in the attacks targeting its source code.”, elReg Jan 2010
“it’s the Wizard of Oz-like enigma of Russia, which doesn’t just hack systems, but uses fake news, confusion, and the tragic anger-of-the-commons as a sort of mind-hack on entire populations”, elReg 2018
“Classified memo shows the CIA has sought to influence the US media and how journalism is taught since at least 1984”, Edward Snowden
Facebook clearly can't come up with any plausible way of fighting "fake news", and so it's focusing on what it can do. There's no suggestion, as far as I know, that hacking Facebook accounts is a major issue, but at least we know how to make it more difficult, so let's do that anyway.
Two thoughts - the first is that this sounds ripe for use by phishing groups, the second is that wait a minute wasn't Facebook the company that embedded employees in the Trump Campaign's Texas headquarters to better help them take advantage of the platform? Physically sitting right next to Cambridge Analytica employees? Sorta makes Zuck's current stance seem a little less than genuine...
There is no such thing as a free lunch, but free candy is available at the restaurant exit. Software companies however, work the other way around. One can be sure that Symantec will send a renewal notice with a hefty bill to continue using their invaluable service, as soon as the midterm elections are over.
As someone who works the elections (the polling places are run by volunteer labor in the US) I can state quite categorically that none of the systems we use are susceptible to hacking. The kit uses ancient technology, lacks network connections and leaves a paper trail. Then there's the magic of statistics that immediately flags anomalies in voting patterns -- that one's difficult to fool.
Which then leaves the issue of hacking political campaigns and all the noise about fake news. Misinformation and conspiracy theories are nothing new in US politics, they've been around since the Revolution and probably before. The best defense against this is a 'well informed electorate'. If we allow our information feeds to be filtered by corporate America, all in our best interests of course, then we're really just substituting one kind of misinformation for another, one that's more pernicious because it has corporate polish and the veneer of respectability.
The lessons of the last few years have been hard but I hope they've been learned. Generic email is about as private as a postcard -- overall, there's no guaranteed privacy on the Internet except that which you provide end to end (and even that is never 100% bulletproof). So mind your manners and your words when communicating because it's quite likely that if someone wants to read your mail they will.
I think this privacy thing is being looked at in the wrong way....
I find it much more convenient when I have forgotten my password for a website (probably because I have forgotten all the random rules that it needed 2 caps, 4 numbers, a special character and half of it had to be in a different character set than my keyboard or whatever other bullshit masquerading as security requirements it had) to just call up some guy in Moscow to remind me what it was than have to jump through the agonising 75 step password recovery process instead....