[This article is originally published in phys.org written by Frédéric Garlan - Uploaded by AIRS Member: Deborah Tannen] 

For years criminal websites shrouded in secrecy have thrived beyond the reach of traditional search engines, but a group of French engineers has found a way to navigate this dark web—a tool they don't want to fall into the wrong hands.

"We insist on this ability to say 'no'," Nicolas Hernandez, co-founder and CEO of Aleph Networks, says at the company's offices near Lyon, in the heart of France's Beaujolais wine country.

He said Aleph refused 30 to 40 percent of licensing requests for its "Google of the dark web," based on reviews by its ethics committee and input from its government clients.

Most web users never venture beyond the bounds of sites easily found and accessed with casual web surfing.

But people and sites seeking anonymity can hide behind layers of secrecy using easily available software like Tor or I2P.

These sites can't be found by searching: instead, users have to type in the exact URL string of often random characters.

In an authoritarian regime, a protest movement could use the secrecy to organize itself or connect with the outside world without fear of discovery.

But the dark web is also ideal for drug and weapon sales, people-smuggling and encrypted chat-room communications by terrorists.

When Aleph's co-founder Celine Haeri uses her software to search for "Glock", the Austrian pistol maker, several sites offering covert gun sales instantly pop up.

A search for Caesium 137, a radioactive element that could be used to create a "dirty" nuclear bomb, reveals 87 dark web sites, while another page explains how to make explosives or a homemade bazooka.

Arms smugglers find the dark web particularly useful

Arms smugglers find the dark web particularly useful

"Some even advertise the stars they've gotten for customer satisfaction," Hernandez said.

Uncharted territory

Over the past five years, Aleph has indexed 1.4 billion links and 450 million documents across some 140,000 dark web sites.

As of December, its software had also found 3.9 million stolen credit card numbers.

"Without a search engine, you can't have a comprehensive view" of all the hidden sites, Hernandez said.

He and a childhood friend began their adventure by putting their hacking skills to work for free-speech advocates or anti-child abuse campaigners while holding down day jobs as IT engineers.

Haeri, at the time a teacher, asked for their help in merging blogs by her colleagues opposed to a government reform of the education system.

The result became the basis of their mass data collection and indexing software, and the three created Aleph in 2012.

They initially raised 200,000 euros ($228,000) but had several close calls with bankruptcy before finding a keen client in the French military's weapon and technology procurement agency.

"They asked us for a demonstration two days after the Charlie Hebdo attack," Hernandez said, referring to the 2015 massacre of 12 people at the satirical magazine's Paris offices, later claimed by a branch of Al-Qaeda.

Terror atttacks in 2015 focused French authorities minds on the dark net

Terror attacks in 2015 focused French authorities' minds on the darknet

"They were particularly receptive to our pitch which basically said if you don't know the territory—which is the case with the dark web—you can't gain mastery of it," Haeri added.

Ethical risks

The ability to covertly navigate the dark web is a holy grail for security services trying to crack down on illicit trafficking and prevent terror attacks.

The US government's Defense Advanced Research Projects Agency (DARPA) has been working on a similar project, called Memex, for years.

Aleph plans to soon add artificial intelligence capabilities to its software, which would recognize images such as Kalashnikov rifles or child abuse victims, or alert businesses to potential copyright infringement.

Its revenues are expected to reach around 660,000 euros this year, a figure it hopes to double in 2019.

That has attracted the attention of investors as Aleph steps up efforts to add more private-sector buyers to its roster of government clients.

But as more people and businesses start using Aleph's search engine, the risk increases that criminal organizations or hostile governments will eventually gain access.

The challenge will be to grow while setting out clear guidelines for handling the thorny ethical questions.

But Hernandez insisted he would remain vigilant, comparing his role to that of the "Protectors of the City" in ancient Greek democracies.

Categorized in Deep Web

What would you do if your most private information was suddenly available online, for anyone to see? Just imagine: picturesvideos, financial information, emails...all accessible without your knowledge or consent to anyone who cares to look for it.  We've probably all seen news items come out about various celebrities and political figures who have been less careful than they should be with information that was not meant for public consumption.

Without proper oversight of this sensitive information, it can become available to anyone with an Internet connection.

Keeping information safe and protected online is a growing concern for many people, not just political figures and celebrities. It's smart to consider what privacy precautions you might have in place for your own personal information: financial, legal, and personal. In this article, we're going to go over five practical ways you can start protecting your privacy while online to guard yourself against any potential leaks, avoid embarrassment, and keep your information safe and secure.

Create Unique Passwords and Usernames for Each Online Service

Many people use the same usernames and passwords across all their online services. After all, there are so many, and it can be difficult to keep track of a different login and password for all of them. If you're looking for a way to generate and keep track of multiple secure passwords, KeePass is a good option, plus it's free: "KeePass is a free open source password manager, which helps you to manage your passwords in a secure way.

You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish)."

Don't Assume Services are Safeguarding Your Information

Online storage sites such as DropBox do a pretty good job of keeping your information safe and secure. However, if you're concerned that what you're uploading is especially sensitive, you should encrypt it - services like BoxCryptor will do that for you for free (tiered pricing levels do apply).

Be Careful Sharing Information Online

We're asked to fill out forms or log into a new service all the time on the Web. What is all this information used for? Companies make a lot of money analyzing and using the data that we are freely giving them. If you'd like to stay a little bit more private, you can use BugMeNot to avoid filling out unnecessary forms that ask for too much personal information and keep it for other uses.

Never Give Out Private Information

We should all know by now that giving out personal information (name, address, phone number, etc.) is a big no-no online. However, many people don't realize that the information that they are posting on forums and message boards and social media platforms can be put together piece by piece to create a complete picture. This practice is called "doxxing", and is becoming more of a problem, especially since many people use the same username across all of their online services.

In order to avoid this happening, be extremely cautious in how much information you're giving out, and make sure you don't use the same username across services (see the first paragraph in this article for a quick review!).

Log Out of Sites Often

Here's a scenario that happens all too often: John decides to take a break at work, and during that time, he decides to check his bank balance. He gets distracted and leaves the bank balance page up on his computer, leaving secure information out for anyone to see and use. This kind of thing happens all the time: financial information, social media logins, email, etc.

can all be compromised extremely easily. The best practice is to make sure you're on a secure computer (not public or work) when you're looking at personal information, and to log out of any site you might be using on a public computer so that other people who have access to that computer will not be able to access your information. 

Prioritize Online Privacy

Let's face it: while we'd like to think that everyone we come in contact with has our best interests at heart, this is sadly not always the case — and especially applies when we're online. Use the tips in this article to protect yourself from unwanted leaks of your personal information on the web. 

Source: This article was published lifewire.com By Jerri Collins

Categorized in Internet Privacy

WHATSAPP users are being targeted by cybercriminals, who have unearthed a new way to pilfer your online bank account details. This is everything you need to know about the new hack, and how to avoid the scam.

WhatsApp users should be careful to avoid a new scam that attempts to steal your bank account login details.

Hackers are targeting unsuspecting users with a mobile virus that is distributed via legitimate-looking Word documents sent inside WhatsApp .

Once opened, these documents are capable of siphoning sensitive information from users, including online banking credentials and other personal data.

The virus has also been disguised as a Microsoft Excel or PDF file, according to users.

So far, the technique has only been demonstrated in India, with the malicious files bearing the names of the NDA (National Defence Academy) and NIA (National Investigation Agency) to try and lure WhatsApp users into downloading and opening the virus-laced files.

According to a report by the Economic Times, central security services in India have issued a notification to the NDA and NIA, since it is believed the WhatsApp attacks are attempts to target people in uniform.

Officials told the publication, "As these two organisations are very popular and known within the country and abroad and there is a curiosity about them, it is possible that it may affect the mobile phones of people interested in these subjects.

"However, it has been analysed that the men and women in defence, paramilitary and police forces could be the target groups."

The virus is purportedly able to access personal data stored on the smartphone, including banking credentials and PIN codes.

This is not the first time cybercriminals have used .

Last year, WhatsApp users in the UK were warned about  that claimed to offer users a .

Worse still, the scam message appeared as if it was forwarded by someone within your contacts – such as a friend or family member.

However the recipient name was actually a fake designed to trick WhatsApp users into trusting the web address for the alleged £100 Sainsbury's voucher.

The scam message asks users to follow a link to the web for the Sainsbury's voucherThe WhatsApp scam message asks users to follow a link to the web for the Sainsbury's voucher

The messages reads: "Hey have you heard about this?

"Sainsbury's is giving away £100 gift cards. They are expanding their store network and they launched this promotion.

"Grab a gift card while its lasts. I got mine already." (sic)

The -owned app was recently praised by Amnesty International, which dubbed the Facebook-owned instant messenger as the "most secure" platform available to consumers.

But  was convinced by the praise.

WhatsApp is aware that cybercriminals use its app to try and steal users' information
WhatsApp is aware that cybercriminals use its app to try and steal users' information

According to Amnesty International, the chat app, which uses end-to-end encryption by default, was closely followed by Apple's iMessage and FaceTime, and Telegram.

However it is still possible to become the victim of a scam – like the above – within these secure apps.

WhatsApp is aware that spam messages manage to make their way onto its secure platform.

According to the hugely-successful firm, "We work diligently to reduce any spam messages that come through our system.

"Creating a safe space for users to communicate with one another is a priority. 

 "However, just like regular SMS or phone calls, it is possible for other WhatsApp users who have your phone number to contact you.

"Thus, we want to help you identify and handle these messages.

"Unwanted messages from unauthorised third parties come in many forms, such as spam, hoax and phishing messages. 

"All these types of messages are broadly defined as unsolicited messages from unauthorised third parties that try to deceive you and prompt you to act in a certain way."

If you think you have been tricked into clicking on any of these links –

Source: This article was published express.co.uk By AARON BROWN

Categorized in Internet Privacy

Do you sometimes wish that your Mac would read your mind and organize all your business notes properly? Do you sometimes waste valuable time, looking for important screenshots and files in your computer? Then try out these three technology hacks for quick and effective solutions to your problems in a jiffy.

1. Boost Your Efficiency With Hotkeys, Keywords And Much More With Alfred:

search

Do you often spend a lot of time searching for apps or websites you often use? Then check out Alfred – an award-winning productivity app designed exclusively for Mac OS X that gives you greater control over your computer and makes life much simpler. After making some settings, you’ll be able to open what you want within a second.

Here are just some of the many things you can do with Alfred:

  • Find apps and files without even removing your fingers from the keyboard
  • Browse the web with default and custom search keywords
  • Use the Shift key to preview contents of a document without opening it

2. Manage Your Clipboard History With This Handy Tool:

Tired of switching tabs again and again when copying and pasting a list of things? Clipmenu allows you to do so just all at once!

If you’ve been using clipboard, is your clipboard history too cluttered? Are your work notes always disorganized?

Then here’s ClipMenu to the rescue – a free and highly efficient clipboard manager for Mac OS X which allows you to record 8 clipboard types, including image, plain text and much more.

3. Find Your Precious Screen Shots In A Sec With This Quick Hack:

screen-shot-2016-10-12-at-10-55-00-am

All your screenshots are saved to the Desktop by default but if you take lots of screenshots, finding a particular one might be a difficult task. Fortunately, you can use this trick to change the default screenshot location on your computer. If you make them be saved to Downloads folder, then you can drag the screenshot as the latest download file from the folder in the tool bar.

From now on, be more productive when you switch on your Mac. Share these tips with your friends today!

Source:  lifehack.org

Categorized in Online Research

 

Imagine a criminal breaks into your home but doesn't steal anything or cause any damage. Instead, they photograph your personal belongings and valuables and later that day hand-deliver a letter with those pictures and a message: "Pay me a large sum of cash now, and I will tell you how I got in."

Cybercriminals are doing the equivalent of just that: Hacking into corporations to shake down businesses for upward of $30,000 when they find vulnerabilities, a new report from IBM Security revealed.

The firm has traced more than 30 cases over the past year across all industries, and at least one company has paid up. One case involved a large retailer with an e-commerce presence, said John Kuhn, senior threat researcher at IBM Security.

 

Though some companies operate bug bounty programs — rewarding hackers for revealing vulnerabilities — in these cases, the victims had no such program.

"This activity is all being done under the disguise of pretending to be a "good guy" when in reality, it is pure extortion," said Kuhn.

Researchers have dubbed the practice "bug poaching."

Here's how it typically works. The attacker finds and exploits web vulnerabilities on an organization's website. The main method of attack — known as SQL injection — involves the hacker injecting code into the website which allows them to download the database, said Kuhn.

 

Once the attacker has obtained sensitive data or personally identifiable information, they pull it down and store it, then place it in a cloud storage service. They then send an email to the victim with links to the stolen information — proof they have it — and demand cash to disclose the vulnerability or "bug."

Though the attacker does not always make explicit threats to expose the data or attack the organization directly, there is no doubt of the threatening nature of the emails. Hackers often include statements along the lines of, "Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for living, not for fun," said the report.

"This does not negate the fact that the attacker stole the organization's data and placed it online, where others could potentially find it, or where it can be released," said Kuhn.Trusting unknown parties to secure sensitive corporate data — particularly those who breached a company's security systems without permission — is inadvisable, said Kuhn. And, of course, there are no guarantees when dealing with these criminals so even when companies pay up, there is still a chance the attacker will just release the data.

 

Organizations that fall victim to this type of attack should should gather all relevant information from emails and servers and then contact law enforcement, said Kuhn.

Here are some measures companies can take to avoid becoming a victim, according to IBM Security: 1) Run regular vulnerability scans on all websites and systems. 2) Do penetration testing to help find vulnerabilities before criminals do. 3) Use intrusion prevention systems and web application firewalls. 4) Test and audit all web application code before deploying it. 5) Use technology to monitor data and detect anomalies.

Source:  http://www.cnbc.com/2016/05/27/the-disturbing-new-way-hackers-are-shaking-down-big-business.html

 

 

 

 

Categorized in Internet Privacy

 

The cyberattack that knocked hundreds of school networks offline in Japan last week had at least one novel feature: It was allegedly instigated by a student.A 16-year-old high school student who said he was frustrated with his teachers unleashed an attack on the Osaka Board of Education server that took 444 elementary, junior high and high school networks offline, investigators said.

The student monitored the attack from his cellphone and later told authorities that he wanted to join hacktivist group Anonymous, according to the investigators.

 

Unusual until recently, student-launched attacks are becoming more common, said Radware security researcher Daniel Smith. The firm issued a threat advisory alert this week.

Like the rest of the world, schools and universities are increasingly reliant on cloud-based infrastructure to function, making them more vulnerable to attack. At the same time, the widespread availability of free or inexpensive hacking software and services means malicious students no longer need special skills to cause trouble.

"We have been getting approached by education institutions or regional IT firms who say they are starting to see some increased attack activity," said Smith.

 

Aggression toward a school or staff member is one of several common motivations for the attacks. Others include delaying tests, changing grades and manipulating the registration process to gain an advantage over other students.

In the U.S., Rutgers, Arizona State University and the University of Georgia have had denial-of-service attacks in the past year. These attacks are often so effective that they completely overwhelm networks and prevent students, teachers and administrators from being able to log on. This wreaks havoc on large administrations and results in delays, for example, in class registration and final exams.

The Rutgers attacker, who has not been caught but is believed to be a student and reportedly goes by the name "Exfocus", carried out six attacks over the course of a year, starting in November 2014."He wanted to show the vulnerabilities inside the college network," said Smith. "It was very simple for him to topple the network, and it caused a lot of issues for students and staff members."

Attackers are taking aim at student portals, admission processing sites, mail servers and sensitive databases holding personal information. They are also targeting educational platforms connecting students and institutions including Blackboard and Moodle. One such example took aim at Janet, a research and educational network connecting 19 regional universities in England, which has fallen victim to several DDoS attacks over the past year.

 

Of course, just because these attackers are often still in high school does not mean they will get off lightly. A 15-year-old in Adelaide, Australia, could face 10 years in prison for allegedly launching one for the largest DDoS attacks the country has ever witnessed. The attack was directed at several organizations, including Reynella East College, and was so widespread that it impacted around 10,000 customers of internet service provider NuScope.

Source:  http://www.cnbc.com/2016/05/20/whos-hacking-schools-now-the-students.html

 

 

 

 

Categorized in Online Research

As the number of reported data breaches continues to blitz U.S. companies — over 6 million records exposed already this year, according to the Identity Theft Resource Center — IT budgets are ballooning to combat what corporations see as their greatest threat: faceless, sophisticated hackers from an outside entity.

But in reality, a bigger danger to many companies and to customers' sensitive data comes from seemingly benign faces inside the same companies that are trying to keep hackers out: a loan officer tasked with handling customers' e-mail, an attendant at a nursing home, a unit coordinator for the main operating room at a well-regarded city hospital.

According to Verizon's 2015 Data Breach Investigations Report, about 50 percent of all security incidents — any event that compromises the confidentiality, integrity or availability of an information asset — are caused by people inside an organization. And while 30 percent of all cases are due to worker negligence like delivering sensitive information to the wrong recipient or the insecure disposal of personal and medical data, roughly 20 percent are considered insider misuse events, where employees could be stealing and/or profiting from company-owned or protected information.

Often, that translates to employees on the front lines stealing patient medical data or client social security numbers, which can then be sold on the black market or used to commit fraud like collecting someone else's social security benefits, opening new credit card accounts in another's name, or applying for health insurance by assuming the identity of someone else.

"The Insider Misuse pattern shines a light on those in whom an organization has already placed trust," Verizon said in the report. "They are inside the perimeter defenses and given access to sensitive and valuable data, with the expectation that they will use it only for the intended purpose. Sadly, that's not always the way things work."

For the first time since 2011, Verizon found that it's not cashiers involved with most insider attacks, but many "insider" end users — essentially anyone at a company other than an executive, manager, finance worker, developer or system administrator — carrying out the majority of such acts. Most are motivated by greed.

"Criminals have a different motivating factor," said Eva Velasquez, CEO and president of Identity Theft Resource Center, a non-profit charity that supports victims of identity theft. "There are a number of jobs that pay minimum wage where individuals have access to this type of information, and so the incentive may be 'this isn't a job that is paying me enough to support myself.'"

Velasquez cites workers in an assisted living facility tasked with caring for patients, a job in close proximity to medical records that can be accessed by a few keyboard taps. According to the Bureau of Labor Statistics, such healthcare support occupations see mean annual wages hovering around $25,000, a salary that might make workers more vulnerable to stealing for self gain. Or, maybe worse, they fall prey to acting as a conduit for some type of organized crime ring looking to make big money by selling or manipulating stolen personal data.

"There are a number of jobs that pay minimum wage where individuals have access to this type of information, and so the incentive may be 'this isn't a job that is paying me enough to support myself."

According to the Verizon report, the public sector, health care and financial services — like credit card companies, banks, and mortgage and lending firms — were the industries hit hardest by insider incidents in 2015.

In one recent cases a Baltimore man is facing federal charges of identity theft and bank fraud after he used personal information of at least three nursing home residents to open multiple credit card accounts without their permission. A former employee of Tufts Health Plan pleaded guilty to stealing names, birth dates and social security numbers that were eventually used to collect social security benefits and fraudulent income tax refunds. A former assistant clerk at Montefiore Medical Center in New York who was indicted in June 2015 for printing thousands of patients' records daily and selling them. The information in the records was eventually used to open department store credit cards at places like Barneys New York and Bergdorf Goodman; the alleged actions are estimated to have caused more than $50,000 in fraud, according to the New York County District Attorney's Office.

While the number of breaches and hacks by outsiders has skyrocketed since 2007 in tandem with the surging digitization of information, the occurrence of insider jobs can be a read on the overall economy. It tends to peak during recessions and drop off when times are good, according to the Identity Theft Resource Center. In 2009, the percentage of insider attacks hit a high of roughly 17 percent; after a three-year slide, the amount today (about 10 percent) is slowly creeping back up.

"When the economy isn't doing well, you'll see people that are feeling stressed and taking advantage of opportunities they might not take advantage of otherwise," said attorney James Goodnow from the Lamber Goodnow team at law firm Fennemore Craig.

With the defining characteristic of an internal breach being privilege abuse — employees exploiting the access to data that they've been entrusted with — the best way to mitigate such attacks is to limit the amount of information allotted to workers.

"As business processes have started to rely more on information and IT, the temptation, the desire is to give people access to everything [because] we don't want to create any friction for users to do their jobs," said Robert Sadowski, director of marketing and technology solutions at security firm RSA.

Terry Kurzynski, senior partner at security firm Halock Security Labs, said that smart entities perform enterprise-wide risk assessments to find where their systems are most vulnerable and to spot aberrations in user behavior.

But sophisticated analytics does little to assuage situations where employees are using low-tech methods to capture information. "Most systems will not handle the single bank employee just writing down on paper all the bank numbers they see that day — that's difficult to track," said Guy Peer, a co-founder of security firm Dyadic Security.

Clay Calvert, director of cybersecurity at IT firm MetroStar Systems, said communication with employees in a position to turn rogue is key. "That's a big deterrent in identity theft cases; if an employee feels like the company cares for them, they're less likely to take advantage of the situation."

Hackers hiding in plain sight

Preventing the display of sensitive data in plain sight — say an employee seeing a confidential record as they walk by a colleague's computer — is the focus of Kate Borten, founder of Marblehead Group consultancy and a member of the Visual Privacy Advisory Council. She recommends companies institute a clean desk policy (ensuring that workers file away papers containing customer data before they leave their desk), implement inactivity time outs for any tech devices, and switch to an e-faxing system, which eliminates the exposure of sensitive patient data on paper that's piled up around traditional fax machines.

Experts also say that tougher penalties for and more prosecution of inside hackers would also be a disincentive for such crimes. "On a general level, there can be practical barriers to pursuit of a criminal case, such as the victim company's fear of embarrassment, reputational damage, or the perceived risk — real or not — that their trade secrets will be exposed in a court proceeding," said Brooke French, shareholder at law firm Carlton Fields.

But she added, "The DOJ and local authorities prosecute these cases all the time, despite what are seen as common barriers. The barriers are low when the actions are clearly wrong, such as a hospital employee stealing electronic medical records and selling them on the black market."

While the price tag for stolen information on the black market can translate to a lucrative sales career for some crooked employees, it's a costly phenomenon for organizations once they have realized it has occurred, which is often "during forensic examination of user devices after individuals left a company," said Verizon.

That's usually too late to enact damage control. According to the Ponemon Institute, the average cost of a breach is $217 per record.

"That's just the hard costs, what you have to pay for notifying customers or any type of remediation services," said Velasquez. "The bigger, broader cost is the reputational damage that shows itself not just to the entity that suffers the damage, but to the industry."

Source:  http://www.cnbc.com/2016/05/13/a-surprising-source-of-hackers-and-costly-data-breaches.html

Categorized in Internet Privacy

Get Exclusive Research Tips in Your Inbox

Receive Great tips via email, enter your email to Subscribe.
Please wait

airs logo

Association of Internet Research Specialists is the world's leading community for the Internet Research Specialist and provide a Unified Platform that delivers, Education, Training and Certification for Online Research.

Newsletter Subscription

Receive Great tips via email, enter your email to Subscribe.
Please wait

Follow Us on Social Media

Book Your Seat for Webinar GET FREE REGISTRATION FOR MEMBERS ONLY      Register Now