Using Social Media to Discover Hidden Wealth

Stories of burglars using social media to figure out who's on vacation are old hat. Now financial investigators are using social media to find hidden wealth.

Posted on June 24, 2016 at 6:29 AM5 Comments

Comparing Messaging Apps

Michah Lee has a nice comparison among Signal, WhatsApp, and Allo.

In this article, I'm going to compare WhatsApp, Signal, and Allo from a privacy perspective.

While all three apps use the same secure-messaging protocol, they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud ­- and therefore available, in theory at least, to government snoops and wily hackers.

In the end, I'm going to advocate you use Signal whenever you can -­ which actually may not end up being as often as you would like.


Posted on June 23, 2016 at 6:54 AM47 Comments

Fraudsters are Buying IPv4 Addresses

IPv4 addresses are valuable, so criminals are figuring out how to buy or steal them.

Hence criminals' interest in ways to land themselves IP addresses, some of which were detailed this week by ARIN's senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators Group's NANOG 67 conference.

Nobile explained that criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. ARIN has 30,556 legacy network records, she said, but a validated point of contact for only 54 per cent of those networks. The remaining ~14,000 networks are ripe for targeting by hijackers who Nobile said are only interested in establishing legitimacy with ARIN so they can find a buyer for unused IPv4 addresses possessed by dormant legacy networks.

Criminals do so by finding dormant ARIN records and Whois data to see if there is a valid contact, then ascertaining if IPv4 allocations are currently routed. If the assigned addresses are dark and no active administrator exists, hijackers can revive dormant domain names or even re-register the names of defunct companies in order to establish a position as legitimate administrators of an address space. If all goes well, the hijackers end up with addresses to sell.

Video presentation here.

Posted on June 22, 2016 at 1:15 PM10 Comments

Situational Awareness and Crime Prevention

Ronald V. Clarke argues for more situational awareness in crime prevention. Turns out if you make crime harder, it goes down. And this has profound policy implications.

Whatever the benefits for Criminology, the real benefits of a greater focus on crime than criminality would be for crime policy. The fundamental attribution error is the main impediment to formulating a broader set of policies to control crime. Nearly everyone believes that the best way to control crime is to prevent people from developing into criminals in the first place or, failing that, to use the criminal justice system to deter or rehabilitate them. This has led directly to overuse of the system at vast human and economic cost.

Hardly anyone recognizes--whether politicians, public intellectuals, government policy makers, police or social workers--that focusing on the offender is dealing with only half the problem. We need also to deal with the many and varied ways in which society inadvertently creates the opportunities for crime that motivated offenders exploit by (i) manufacturing crime-prone goods, (ii) practicing poor management in many spheres of everyday life, (iii) permitting poor layout and design of places, (iv) neglecting the security of the vast numbers of electronic systems that regulate our everyday lives and, (v) enacting laws with unintended benefits for crime.

Situational prevention has accumulated dozens of successes in chipping away at some of the problems created by these conditions, which attests to the principles formulated so many years ago in Home Office research. Much more surprising, however, is that the same thing has been happening in every sector of modern life without any assistance from governments or academics. I am referring to the security measures that hundreds, perhaps thousands, of private and public organizations have been taking in the past 2-3 decades to protect themselves from crime.

Posted on June 21, 2016 at 12:16 PM31 Comments

Security Behavior of Pro-ISIS Groups on Social Media

Interesting:

Since the team had tracked these groups daily, researchers could observe the tactics that pro-ISIS groups use to evade authorities. They found that 15 percent of groups changed their names during the study period, and 7 percent flipped their visibility from public to members only. Another 4 percent underwent what the researchers called reincarnation. That means the group disappeared completely but popped up later under a new name and earned more than 60 percent of its original followers back.

The researchers compared these behaviors in the pro-ISIS groups to the behaviors of other social groups made up of protestors or social activists (the entire project began in 2013 with a focus on predicting periods of social unrest). The pro-ISIS groups employed more of these strategies, presumably because the groups were under more pressure to evolve as authorities sought to shut them down.

Research paper.

Posted on June 21, 2016 at 6:01 AM15 Comments

CIA Director John Brennan Pretends Foreign Cryptography Doesn't Exist

Last week, CIA director John Brennan told a Senate committee that there wasn't any strong cryptography outside of the US.

CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses.

And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical."

Here's the quote:

"US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them," Brennan said.

"So although you are right that there's the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues."

Is he actually lying there? I suppose it is possible that he's simply that ignorant. Strong foreign cryptography hasn't been "theoretical" for decades. And earlier this year, I released a survey of foreign cryptography products, listing 546 non-theoretical products from 54 countries outside the US.

I know Sen. Wyden knows about my survey. I hope he asks Brennan about it.

Slashdot thread. HackerNews thread.

EDITED TO ADD (6/22): Herb Lin comments.

Posted on June 20, 2016 at 12:24 PM80 Comments

Nude Photos as Loan Collateral

The New York Times is reporting that some women in China are being forced to supply nude photos of themselves as collateral for getting a loan. Aside from the awfulness of this practice, it's really bad collateral because it's impossible to ever get it back.

Posted on June 20, 2016 at 6:01 AM25 Comments

Friday Squid Blogging: Not Finding a Giant Squid on Google Earth

The Internet is buzzing -- at least, my little corner of the Internet -- about finding a 120-meter-long giant squid on Google Earth. It's a false alarm.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on June 17, 2016 at 4:05 PM189 Comments

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.