The notions of on-line black markets, services and information that occur and can be found on the ‘Deep Web’ (or however else it may go by–the collection of web addresses not indexed by search engines) are presently relatively well known. For those unfamiliar with the topic, a study in 2001 estimated the size of these non-indexed internet sites to be around 7.5 petabytes (Bergman, 2001). Currently, estimating the size of these non-indexed sites has proven to be even more complicated since content stored in its databases have peculiar features complicating their access. As an example, for data mining, this information can only be accessed through the query interface they support based on input attributes obliging user queries to specify values for these attributes (Liu, Wang & Agrawal, 2011). These intricacies have made it near-impossible to accurately determine, and even harsh to estimate, the size of this vast collection of information.
The ‘Deep Web’ has grown in importance as of late (Braga, Ceri, Daniel & Martinenghi, 2008; Cali, Martinenghi, 2008) and with it, the use of anonymity networks such as Tor. For the readers unfamiliar with Tor, “The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor’s users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy.”. In short, Tor works by giving you a randomized relay IP-address donated by volunteers continuously such that no single relay point knows the route a user has taken throughout the random-generated relay route up to the user reaches their desired website. This process is repeated and is different every time the user visits a site. It goes without saying that the more users take part of this tool the “more randomized” it becomes. It does come with one weakness however, and that is node eavesdropping, or end-to-end correlation analysis. In short, both node ends between communication ports can be inspected to find a match in information and thus identify users. (For more information click here).
This is all fantastic news for reporters seeking to share controversial stories in oppressive governmental situations, or in general oppressed people seeking to express controversial messages. However this has also fostered crime through virtual networks, inducing organizations such as Interpol to obtain training in how to use and, “gain the upper-hand” with, these tools (Dutch/English). The amount of discussion about the level of anonymity in this network is vast and can be commonly found throughout both indexed and non-indexed web addresses. It commonly discusses the aforementioned end-to-end correlation analysis, points of encryption, whether to use TAILS, and where to use it from, and how often, self-destruct emails, personalized email encryptions, black bitcoin wallets, and much, much more.
This brings this blog to its fundamental point of contemplation which is much more relevant to this blog’s strategic perspective. How can this play out for business? Can IT-savvy security traders in worldwide financial capitals make use of these tools for own gain? Could this lead to a new financial meltdown where individual players’ lust for capital gains leads to the breakdown of a financial system? How could anonymous messages among acquainted parties play out in the M&A market, where secrecy is a fundamental pillar of daily business? How could this play out for entire industries?
There is no doubt that anonymous communication leads to freedom. This freedom is presently available to whoever has the knowledge to harness it. In a world where knowledge is openly available to any with a computer and internet connection. Both to the oppressed as well as to powerful individuals who are trusted with responsibility, and are closely monitored by third-parties because of mistakes occurred in the past that have led to a negative impact for several individuals.
In my own conceit, these tools can prove to be radical for business. A truly anonymous communication network would return the fullest definition of trust back into business. However, knowing human nature as it has shown itself throughout history, these tools might prove harmful in the long-run, assuming they are kept being worked on and made more common among society.
Author: Dennis Oliver Huisman
Bergman, M. K. (2001). “The Deep Web: Surfacing Hidden Value”. The Journal of Electronic Publishing (1).
Braga D., Ceri S., Daniel F., Martinenghi D. (2008). Optimization of multidomain queries on the web. Proceedings of the VLDB Endowment, 1(1): 562–673.
Cali A., Martinenghi D. (2008) Querying data under access limitations. In: Proceedings of the 24th IEEE International Conference on Data Engineering, 50–59.
Liu, T., Wang, F., Agrawal, G. (2001). “Stratified sampling for data mining on the deep web”, Frontiers of Computer Science (179-196)
My last blog already, time is flying! Let’s be honest, I didn’t start blogging out of free will but I actually kind of liked it. Just writing about interesting topics, giving my opinion and people joining the discussion. Can think of worse thing to do! I might continue blogging, but in the mean time follow me on you like IT and especially cyber security, be sure to follow we on twitter!
Now on to my last post! You all might have seen Jarro talking about Eriks piracy fine on this blog. For a while I’ve been interested in how online piracy actually works. When you occasionally download yourself (perfectly legal it seems) you might notice that a lot of ‘releases’ have a group mentioned and they even have there own information sheet (.nfo, this example of FAIRLIGHT). This got me interested into internet piracy and the fact I could not find any concrete information on this really triggered me. I did found this one clue, the pyramid of internet piracy in the image below. In this blog I will look at the top of the piracy food chain to find out what goes on in this dark corner of the Internet. So click read more below!
First of all: I have been working on this post for over a week and it turned out to be rather extensive. For that I’m sorry. The reason I’m writing this post is that I was amazed about the misinformed assumptions fellow classmates have and their curiosity on this topic.
In its earliest form, people have been attempting to conceal certain information that they wanted to keep to their own possession by substituting parts of the information with symbols, numbers and pictures. Stenographic techniques have been used for centuries. The first known application dates back to the ancient Greek times, when messengers tattooed messages on their shaved heads and then let their hair grow so the message remained unseen. A different method from that time used wax tables as a cover source. Text was written on the underlying wood and the message was covered with a new wax layer. The tablets appeared to be blank so they passed inspection without question. In the 20th century, invisible inks were a widely used technique. In the Second World War, people used milk, vinegar, fruit juices and urine to write secret messages. When heated, these fluids become darker and the message could be read. This technique is still used among inmates in U.S. prisons that belong to gangs.
Even later, the Germans developed a technique called the microdot. Microdots are photographs with the size of a printed period but have the clarity of a standard typewritten page. The microdots where then printed in a letter or on an envelope and being so small, they could be sent unnoticed.
Recently, the United States government claimed that Osama Bin Laden and the al-Qaeda organization use steganography to send messages through websites and newsgroups. However, until now, no substantial evidence supporting this claim has been found, so either al-Qaeda has used or created real good stenographic algorithms, or the claim is probably false. [Tel, 2004]
So why might someone want to use encryption?
Actually, there are numerous reasons why people might want to use encryption. Of course there are military reasons, the need to protect business or financial information, protecting communication from unauthorized access, the protection of stored data, authenticating payments and the prevention of espionage. However, due to a lack of knowledge unnecessary security issues still arise.
In order to understand the following sections allow me to introduce some terminology. Code is a technique to replace words or semantic structures by a corresponding code word. The simplest example of this principle is a shift in the alphabet by a fixed amount (e.g. 2 positions make a=c, b=d etc.) Cypher means a replacement based on symbols, where each symbol is mapped to another letter. Cryptography is the science of encrypting or hiding secrets. Cryptanalysis is thescience of decrypting messages (cyphertext) or breaking codes and ciphers in order to obtain the unencrypted message (plaintext). Cryptology is the combination of both Cryptography and Cryptanalysis.
Due to space constraints I am not digging into the algorithms. Moreover, I am afraid that I have already lost a lot of readers by now, and throwing in numbers might turn off the last readers. If you are really enthusiastic and think I’m leaving out the good parts, just leave me a message or come see me after class. (If it’s before noon, coffee would be appreciated.)
My experience tells me that basically, a good encryption algorithm is as strong as its randomness. In short, there are two algorithm categories; symmetric-key encryption and asymmetric key encryption. Symmetric key encryption uses one key for both encrypting and decrypting messages. Asymmetric key encryption uses complementary keys in order to encrypt and decrypt. Symmetric key encryption is often used repeated communication where asymmetric key encryption is used for one-shot communication like signatures (e.g. DigID). Do keep in mind that the latter is more computationally expensive.
Encryption and its use have been a controversial topic for years. Until the late ‘90s encryption algorithms were seen as munitions in some countries, including the U.S. and Germany. All kinds of issues arose from this form of governmental control. Companies were forced to release separate versions of their software (one for export, one for domestic use). Even T-shirts were printed stating (in cyper) “This T-Shirt is a munition.”
To prevent governments in creating backdoors, some developers started collaborating in the cloud. In 1991 PGP was the result of their effort. Since it was given away on the internet the U.S. felt this was export. Zimmerman and other developers saw it as a form of free speech. In 1996 court order ruled computer code to be speech leading to U.S. government dropping most export restrictions in 2000. Nowadays, many advanced encryption algorithms are open source, including AES which may even be used by U.S. Top Secret Agents. And did you know AES was originated by Joan Daemen and Vincent Rijmen in 1971? That sounds pretty Dutch right?
Next-Gen Encryption Algorithms
AsI stated before, cryptographers are continuously seeking for the algorithm that generates the most random cipher. Quantum Cryptology looks promising, although it contains flaws and researchers are worrying about its practicality. MIFARE, (PDF alert) an encryption algorithm used for securing data packets between satellite and RFID-chip. (Yes, it’s used for the OV-chipcard. No, it’s not cracked) is pretty advanced. It’s a well-kept secret that it uses swipe time and distance to satellite amongst other variables to generate random cipher. Hi Brenno!
I am amazed that you are still reading. In a discussion with fellow classmates I stated that longer passwords are not always more secure. In short, very long encrypted passwords generate simply less random cipher. Below you find an illustration of common misunderstandings about password strengths.
Yesterday, at the BreakPoint security conference in Melbourne researcher Barnaby Jack said in a speech that he has found a way to hack into pacemakers. And the consequences of that are deadly. Anonymous assassinations within 30 feet of the pacemaker seem to be possible. : ‘In a video demonstration, which Jack declined to release publicly because it may reveal the name of the manufacturer, he issued a series of 830 volt shocks to the pacemaker using a laptop. The pacemakers contained a “secret function” which could be used to activate all pacemakers and implantable cardioverter-defibrillators (ICDs) in a 30 foot -plus vicinity. … In reverse-engineering the terminals – which communicate with the pacemakers – he discovered no obfuscation efforts and even found usernames and passwords for what appeared to be the manufacturer’s development server. That data could be used to load rogue firmware which could spread between pacemakers with the “potential to commit mass murder.”
“The worst case scenario that I can think of, which is 100 percent possible with these devices, would be to load a compromised firmware update onto a programmer and … the compromised programmer would then infect the next pacemaker or ICD and then each would subsequently infect all others in range,” Jack said.
It was a marksman’s job (New York Times, 2011)
Last time I finished my post with telling you about Stuxnet and I think the infographic was quite clear about its capabilities and the treat it poses. However, I want to highlight a few fundamental points here. Never before have we witnessed such a highly specialized and well planned digital attack on an industrial plant. The hardware of a nuclear facility was deliberately sabotaged using software.
So, Stuxnet was a game changer and I’m going to elaborate a little more on why that is. First of all Stuxnet did something completely new (not just one thing I by the way): it targeted industrial systems. To be more precise; it targeted Programmable Logistic Controllers (PLC’s) which are used to control industrial hardware like pumps and valves. These PLC’s also controlled the centrifuges in Iran and a man-in-the-middle attack allowed Stuxnet to alter the centrifuges without alarming the system. Making them break and leaving the operators clueless.
Next to the highly specific target, Stuxnet used over 20 zero day exploits in order to infect the PC’s connected to the PLC’s. This is a huge number, since these exploits are hard to find; they are vulnerabilities that are not yet known by the manufacturers of the software and therefor can do lots of damage (why do you think Windows updates so much…). Stuxnet also used several stolen certificates which let Windows to believe it was software to be trusted. Next to that it had the ability to spread itself through USB and LAN networks, so once in a facility it could expand to other systems without an Internet connection.
These examples indicate how large scale this operation was; it wasn’t just one hacker operating from his basement in downtown Rotterdam, it was probably state sponsored. A lot of clues point to the United States collaborating with Israel, since they had the best motive for this attack combined with the resources. For more on this debate read THIS interesting Wired article.
Sophisticated espionage toolkit (InformationWeek, 2012)
Another big game changer popped up this year and is dubbed Flame. This malware is not targeted destroying anything, instead it focuses on espionage. Its source code is even more complex (and large; over 20MB compared to 500KB of Stuxnet) than Stuxnet and acts as a complete espionage package. Once a system is infected, quite in the same way as with Stuxnet, it registers key strokes, monitors passwords, can take screenshots of what you are doing and it records your microphone or webcam without you noticing anything. Creepy huh? Check out this informative (but less nicely designed) movie about Flame.
It has also been confirmed that Stuxnet and Flame authors worked together on their code. So like I said, only the tip of the iceberg. For those interested in more state sponsored malware and acts of cyber warfare, I suggest you look for ‘Gauss’, ‘Duqu’ and ‘MiniFlame’. The problem here is we do not know how much of this malware is already running and finding the malware is also really difficult. Stuxnet was out in the wild for over a year, Flame for over 3 years, before even being discovered (read more about why this is so difficult from one of my favorite security experts, Mikko Hypponen in Wired). Next to that the malware seems to be modular (the authors must have taken some classes of Innovation Management), which means that different modules like exploits can be used across multiple types of malware, making it really easy to develop new forms of malware for specific purposes.
So, what’s next? What kind of malware is already out there and yet to be discovered? Recently Dutch minister Ivo Opstelten proposed the Netherlands should also start hacking proactively, something other states seem to be doing for years. Are we too late? Makes me wonder where this cyber war will end… TBD I guess.
Like this? Follow me on Twitter!
SPOILER ALERT! A movie is present, so no need to actually read this stuff. Although I would strongly recommend you do, since the you might learn a thing or two.
As I promised yesterday I present to you a first blog about the dark corners of information technology, which are usually better left untouched. I kick off with a banger; cyber warfare. The biggest thing to happen to this dark side in a long time. But what exactly do we mean by cyber warfare? It doesn’t even sound that bad, does it?
Thinking about cyber warfare I immediately thought about the movie WarGames (1983). In this cold war SciFi flick a teenage hacker gains access into an US army supercomputer (called WOPR … ) and while believing he is playing a game it turns out he almost starts WOIII. Although this plot may sound a bit cheesy, the movie is really spot on and worth your precious time. In fact a must see for all new BIMmers! A little screenshot to convince you (if this brings back childhood memories, please do comment):
Big Brother is watching you! (George Orwell, 1949)
Another thing that directly comes to mind is George Orwell’s 1984. A visionary novel from one of the best SciFi writers ever. Written in 1949 it shows a future that is ruled by government surveillance and mind control by a totalitarian regime. This is where the famous Big Brother statement comes from which is becoming more present every day. Just think about the presence of Google online or the cameras which are now installed in the M-building (where we have our IS exam this coming Monday).
But this was all Science Fiction, right? Yes, we thought it was. But it seems the real world is catching up rather quickly. It all began in January 2010 (well, probably more around the 1950s, but I won’t bore you with history today) when the International Atomic Energy Agency (IAEA) inspected the nuclear facility of Natanz. They found out that physicians were swapping centrifuges at an incredible high rate, which indicated serious problems with the reactor.
The most complex malware ever written (Wired, 2011)
It took until June of 2010 to find out that the reason for these repairs lied in a computer virus, which became known as Stuxnet. This virus was specifically designed to target the Iranian nuclear program and had effectively brought damage to its facilities. For most security experts it was immediately clear that the game had changed, the first massive act of cyber warfare (made publicly) was a fact.
Since I have noticed you like videos I decided to add one explaining Stuxnet in great detail. It is actually really informative!
I’ll stop here and will elaborate more on Stuxnet in pt. 2. In there I will also focus on the current state of cyber warfare where I show that Stuxnet is just the tip of the iceberg. Big Brother really is watching you and maybe even with your own webcam. Click here to read pt. 2!
Like this? Follow me on Twitter!
Nice to see so many nice blog posts about all the possibilities new information technologies have brought us. What concerned me though, is that 99% of the blogs are about the positive effects. Doesn’t the digitization of this world have any darker side? Off course it does; I think we all remember the Anonymous attacks of last year, the Diginotar scandal and the Dorifel virus taking down entire governmental departments (bringing typewriters back in the office, what the heck). Because this dark side has not been highlighted until now, I have decided to team up with a few BIMmers to shine some light on this dark side of IT. With a series of blogs using this title and banner we like to give you some insight in the world of cyber security, hackers, botnets, DDoS attacks et cetera. Off course you are welcome to suggest topic to us, if you are interested in the subject.
Be prepared for some exciting readings and stay tuned!
Robert, Maurits & Jordan
[BREAKING] Ivo Opstelten just proposed the Dutch government should be able to ‘hack back’, deliberately attack computers and networks in other countries. Will probably be all over the news tomorrow. Are we going to war?