2017
03.24
fraud


The statistics continue to chill.

There were an estimated 2.3M fraud victims in the UK alone in 2015, according to the ONS, and 173,000 confirmed reports of identity theft amongst Cifas members (largely utilities and finance companies) in 2015.

From a consumer perspective the chances are that over a period of three to four years you are now more likely than not to be a victim of a successful fraudulent act of some kind.

I happen to have used UK statistics because the impact reporting is unusually well-defined, thanks to the crime reporting efforts of the Office for National Statistics. Consider, though, that the UK has a sophisticated banking sector, works under best-in-class EU regulation with regard to privacy and data protection, and has world-leading payment provider options for online merchants to choose from.

All this, and there is still what can only be described as a pandemic of fraud out there.

So what is driving this wave of crime?

Data breaches provide the kindling

Data breaches receive a great deal of publicity. Recently we’ve seen arrest warrants for four specific hackers for the Yahoo! breach. That’s a great step forward, albeit no-one has actually been arrested at the time of writing.

Data breaches are usually reported on from the perspective of corporate security and what steps businesses should take to avoid them happening again. What often goes unreported, though, is what happens to the details that are leaked. Sometimes the company itself is held to ransom. It is not possible to know how common this is as, for obvious reasons, it is not publicised.

More commonly, the data (card details, emails, phone numbers, addresses, account logons) are slowly released in batches and made available for sale on the dark web. The slow leaking of the details has the effect of controlling the price as well as extending the longevity of the details themselves. Releasing all the Yahoo details at once would provide a single attack vector that is more easily defended, and would also make the details practically worthless. Much better to release them over time and make them available alongside the booty from other breaches. This makes fraud prevention much harder.

The effect, from a policing and prevention point of view, is an impossible task. Instead of searching for four hackers who perpetrated a single large breach, you are now looking at crime that will be committed by thousands of people perpetrating millions of attempted frauds of relatively low value, of which only a very small proportion will ever be reported to the police in any case.

The Dark Web fans the flames

The degree of technical knowledge required to commit card fraud or to take over an account is now minimal. The ability to download the Tor browser, access some sites on the dark web and make a purchase in bitcoin is not difficult. And it is certainly not expensive; card and personal details can be purchased for pennies. The latest pricing on the dark web for premium details is as follows:

  • Uber $3.78
  • Facebook $3.02
  • Paypal $6.43
  • Cards (gen) $0.22

On top of the low barrier to access, there is a growing community of people willing to use these details, with little to no stigma attached to a crime widely seen as victimless.

This heady combination gives us both the motive and the opportunity to commit crime, and the lack of any social pressure to prevent people from doing it.

How do we fight the fire?

There is a large and growing industry around fraud prevention and there is a good understanding that the responsibility is shared between issuer, payment provider, merchant and acquirer. Consumer rights are strong and for good reason – a significant loss of faith in online trade itself could have significant economic consequences.

The banking sector covers some of the cost but the majority is borne by merchants. It is their merchant accounts from which the funds are taken to compensate the consumers by the banks, and it is their businesses that are at risk from being shuttered as their ability to take payments is denied by the card schemes. Therefore, it is not just a responsibility in the ethical sense, but a fundamental business requirement to take steps to prevent fraud from becoming a significant issue.

Fighting back

As attacks are getting more sophisticated so are the solutions… There are layers of sophistication in the world of cyber-crime.

At the top there are organised criminals hacking businesses for data and for ransom. These are sophisticated and vary their means of attack. Those who use the cards and details for low level crime are not sophisticated. But they are legion and they need only be better than a poor defence system to succeed.

The good news about large numbers of people doing similar things for similar goals is that they leave patterns.

And there are techniques now that make the analysis of those patterns instant and highly accurate. Using machine learning, merchants can get not just a decision but a likelihood that any single visitor or order is fraudulent. Merchants can therefore set their own risk threshold. This is important because inevitably some good orders will trigger bad patterns and it takes some time and training of the datasets to get those assessments near perfect.
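How a merchant might choose that risk threshold from past orders, as an added example (not the author's or any vendor's code). The orders, scores, margins and the £15 chargeback fee are constructed, and the cost model is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    fraud_score: float  # model's estimated probability that the order is fraudulent
    value: float        # order value in GBP
    was_fraud: bool     # outcome learned later, e.g. from a chargeback


# Constructed history. The scores are deliberately imperfect: some good orders
# score high (7, 8, 10) and one fraudulent order (6) scores fairly low.
HISTORY = [
    Order(1, 0.02, 40.0, False), Order(2, 0.05, 120.0, False),
    Order(3, 0.10, 15.0, False), Order(4, 0.15, 60.0, False),
    Order(5, 0.22, 200.0, False), Order(6, 0.35, 80.0, True),
    Order(7, 0.40, 35.0, False), Order(8, 0.55, 300.0, False),
    Order(9, 0.62, 150.0, True), Order(10, 0.70, 90.0, False),
    Order(11, 0.81, 400.0, True), Order(12, 0.93, 250.0, True),
]

CANDIDATES = [0.3, 0.5, 0.6, 0.8, 0.9]
CHARGEBACK_FEE = 15.0  # assumed fixed fee per fraudulent order that gets through


def evaluate(orders, threshold):
    """Block every order scoring >= threshold and tally what that would have done."""
    out = {"threshold": threshold, "fraud_blocked": 0, "fraud_missed": 0,
           "good_blocked": 0, "missed_fraud_value": 0.0, "good_blocked_value": 0.0}
    for o in orders:
        blocked = o.fraud_score >= threshold
        if o.was_fraud and blocked:
            out["fraud_blocked"] += 1
        elif o.was_fraud:
            # Fraud that slipped under the threshold: the merchant refunds it.
            out["fraud_missed"] += 1
            out["missed_fraud_value"] += o.value
        elif blocked:
            # A good order that "triggered bad patterns": a false positive.
            out["good_blocked"] += 1
            out["good_blocked_value"] += o.value
    return out


def cost(outcome, margin, chargeback_fee=CHARGEBACK_FEE):
    """Assumed merchant cost: refunded fraud plus fees, plus profit lost on good orders."""
    fraud_loss = outcome["missed_fraud_value"] + chargeback_fee * outcome["fraud_missed"]
    lost_profit = margin * outcome["good_blocked_value"]
    return fraud_loss + lost_profit


def best_threshold(orders, candidates, margin, chargeback_fee=CHARGEBACK_FEE):
    """Pick the candidate threshold with the lowest cost for this merchant's margin."""
    return min(candidates, key=lambda t: cost(evaluate(orders, t), margin, chargeback_fee))


if __name__ == "__main__":
    print("thr  fraud_blocked  fraud_missed  good_blocked")
    for t in CANDIDATES:
        r = evaluate(HISTORY, t)
        print(f"{t:.1f}  {r['fraud_blocked']:>13}  {r['fraud_missed']:>12}  {r['good_blocked']:>12}")
    # The same scores lead to different thresholds for different businesses.
    for label, margin in (("low-margin merchant", 0.10), ("high-margin merchant", 0.60)):
        print(label, "->", best_threshold(HISTORY, CANDIDATES, margin))
```

On this data the low-margin merchant blocks aggressively, because a rejected good order costs it little, while the high-margin merchant accepts one missed fraud to avoid turning away profitable customers.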

The net effect of this is that there is no need for any fundamental shift in the customer experience. Merchants can and should continue to focus on creating great online buying experiences. This needs to be underpinned with strong, sensible security that is at least a little more sophisticated than the tools being used to attack their business. This is not really a matter of choice – this is the new reality.

Martin Sweeney, CEO of Ravelin

2017
03.23

Deep web, dark web and clearnet: these are the differences

The term Deep Web was coined by the indexing company Bright Planet, which used it to describe non-indexable content such as dynamic database requests, paywalls and other elements that are hard to find using conventional search engines. But then came the Silk Road case, and the media began to use the term to refer to other things, such as Dark Webs.

Bright Planet has argued on many occasions that the term Deep Web is inaccurate when used to refer to Dark Webs and Darknets, but the damage was already done: people had adopted the usage, and distinguishing these three terms has become hell. That is why today we are going to try to pin these three concepts down, so you know exactly what the differences are and what we mean by each.

Generally, the iceberg diagram is used to distinguish the concepts of Darknet, Deep Web and Surface Web. The tip, the small part that stands out above the surface, is the web as you know it, the Surface Web. Everything under the water is the Deep Web, and the deepest part of it is the Darknets.

But this scheme is too simple, because the Deep Web is something more than what search engines cannot index, and alongside Darknet we would have to introduce another term, Dark Web, which does not usually appear. So, let’s start by describing each of these four concepts one by one in order to differentiate them.

 

The Surface Web is the Internet you know

The first of the concepts that you have to know is the ‘Clearnet’ or ‘Surface Net’, terms that mean ‘clean network’ or ‘surface network’. Both refer to the same thing: the Internet as most cybernauts know it, the piece of the World Wide Web that anyone can easily access from any browser.

It is a network in which we are easily traceable through our IP address. It mainly consists of pages indexed by conventional search engines like Google, Bing or Yahoo, but also all the other sites that you can access publicly without their being indexed, such as Facebook, Twitter and other social networks, as well as any other web page or blog.

It is difficult to know its exact size. According to Internet Live Stats it is made up of more than 1.139 million web pages, while sources like WorldWideWebSize indicate that the surface Internet has more than 4.700 million indexed pages. Be that as it may, the accessible network still holds only a small part of the data moving through cyberspace.

 

Deep Web, the Depths of the World Wide Web

Just as the Clearnet is, in general, the portion of the Internet that you can easily access with your browser, we could say that the Deep Web is just the opposite. Given that ~90% of network content is not accessible through standard search engines, we are talking about a lot of data.

Also known as the Invisible Web or Hidden Web, it includes all the information that is online but which you cannot access publicly. On the one hand, these may be conventional pages protected by a paywall, but also files stored in Dropbox or e-mails stored on our provider’s servers.

The Deep Web also includes sites with a “Disallow” in their robots.txt file, and dynamic pages that are generated when a database is queried. For example, when you go to a travel portal and look for a hotel in a certain city for a specific day, the page created with the results is not indexed in any search engine, is temporary and is part of the Deep Web, as are bank queries and similar lookups.

Dark Web, the Internet of the Depths

Often confused with the Deep Web, although it is part of it, the Dark Web is the fragment of the Internet that can only be accessed through specific applications. Just as the Deep Web is about 90% of the content of the World Wide Web, the Dark Web would occupy only 0.1% of it.

 


Pages like Dictionary define it as “the portion of the Internet that is intentionally hidden from search engines, uses masked IP addresses and is accessible only with a special web browser: part of the Deep Web.” So, although both are hidden from conventional search engines, the Deep Web is a compilation of everything that is outside them, including the Dark Web, which is part of it but is something different.

The Dark Web is mainly made up of pages that have their own domains, such as TOR’s .onion or the .i2p of I2P’s eepsites, but which you cannot access unless you have the software needed to navigate the Darknets in which they are hosted.

There is a belief that, since the Deep Web is in some way the part of the Internet not indexed by commercial search engines, the Dark Web cannot be indexed by any. But this is not entirely true. Granted, you will not find a way into it on Google, but there are other specific search engines with which you can.

Some are accessible from the Clearnet, such as Onion City, capable of indexing thousands of .onion pages. There are also other search engines within the Darknets themselves, such as Evil, Torch or a version of DuckDuckGo, that do the same. In addition, other tools like Onion.to allow access to TOR’s Dark Web sites by simply adding the suffix .to to the .onion domain.

 

Darknets, the independent networks that make up the Dark Web

The term Darknet was coined in 2002 in the document “The Darknet and the Future of Content Distribution” written by Peter Biddle, Paul England, Marcus Peinado and Bryan Willman, four researchers from Microsoft. In it they refer to it as a collection of networks and technologies that could be a revolution when it comes to sharing digital content.

To explain this concept we could say that, while the Dark Web is all the deliberately hidden content that we find on the Internet, darknets are the specific networks, like TOR or I2P, that host those pages. In other words, although there is only one Internet, the World Wide Web, there are different darknets in its depths hiding the content that makes up the Dark Web.

The best known are the friend-to-friend network Freenet, I2P (the Invisible Internet Project) with its eepsites with the .i2p extension, and ZeroNet with its many services. But the most popular of all is TOR, an anonymization network that also has its own Darknet, and is basically the one that everyone means when speaking about them.

Given that there is no pre-established definition of Darknets, you have to keep in mind that, although technically it is somewhat different, in many cases this same name is used to refer to the Dark Web. So do not be alarmed if you see the media refer to one as the other; the important thing is that you finally know how to tell them apart from the Deep Web.

The image above makes the difference clear, showing you that the Darknets are the hidden networks themselves, while Dark Web can be used to refer to two things. On the one hand, the term is used to refer to the content, the dark webs; on the other, it is also used to talk about the culture involved, a somewhat ambiguous concept covering everything related, which is why it is so often confused with the Deep Web.

Darknet negative connotations

Darknet means ‘dark network’: translate the name and you realize right away that it may have a negative connotation. This is not by chance, since many of the Dark Webs hosted on them tend to have negative ends. Hired assassins, total anonymity and red rooms: not all of these myths are real, but we have already seen that there are few pages in which to find objects, substances or contents of dubious legality.

However, not everyone accepts these negative connotations, and many think of the “dark” in these networks’ name as a simile for something hidden in the shadows: not because it is necessarily negative (we know that Darknets also have useful and constructive content), but simply because it cannot be accessed in a conventional way.

2017
03.23

Is This Massive Power Struggle About To Blow Up Bitcoin?

Bitcoin’s price plunged 25% over the weekend on rumors of a conspiracy theory to take over the network. 

Long-simmering tensions between two factions hardened, with each side threatening the other with everything ranging from lawsuits to software changes that would completely cut off the opposing group. 

Twitter, Reddit and Bitcoin forums were aflame with insults and tough talk as each stakeholder vied to ensure that their piece of the cryptocurrency, whose market cap fell from $20 billion to $15.5 billion, remained secure. 

“We’re dangerously close to what could be the death of btc,” said bitcoin developer Andrew DeSantis over the weekend after he posted a tweet storm Friday that set off alarm bells for many in the community.

What triggered the widespread panic was the possibility that the network would be controlled by an oligopoly rather than held in an equilibrium of competing interests.

From Thursday to Saturday, the value of the btc dropped 25%, though it has recovered somewhat to 15% below. That day, Vinny Lingham, an entrepreneur in the space known for his price targets, said, “The smart money left three days ago.”

The alleged bad actors maintained innocence.

“I think it’s conspiracy theorist stuff,” said Roger Ver, one of the most vocal advocates of a new version of the btc software called Bitcoin Unlimited that, if it gains sufficient control of the computing power in the network, could become the main version of bitcoin and be incompatible with previous versions. (Ver is nicknamed Bitcoin Jesus because of his history evangelizing bitcoin.)

His fellow Bitcoin Unlimited supporter, Jihan Wu, the cofounder of bitcoin chip manufacturer Bitmain, said by phone from Beijing, “Definitely, I don’t have such kind of plan.”

Whether or not the conspiracy theories are true, over the weekend, what has so far been a two-year-long he said-she said stalemate turned into an incredibly expensive game of chicken.

What They’re Fighting About

The crisis has its roots in a two-year-old debate over how to scale the network, which currently accommodates, on average, about a handful of transactions a second, based on a data cap of 1MB roughly every 10 minutes. On the surface, the argument is that some participants in the ecosystem want to raise that limit, called the block size, to what, under Bitcoin Unlimited, would be a flexible cap, while the developers who have been designing and maintaining the software for the last several years, a team called Bitcoin Core, want to keep the 1MB limit but make the system more efficient so it processes more transactions per block.

The argument stems from philosophical differences. “At the highest level, there are two camps that see bitcoin becoming two different things: digital gold or electronic cash,” says Adam White, head of GDAX, the professional trading platform of one of the most well-known startups in the space, Coinbase. “Neither is right or wrong. They’re just different perspectives on what the network can become.” The developers’ approach is one more of digital gold — not necessarily putting every coffee payment onto the bitcoin network itself, but having them processed by other, faster networks that would later connect to bitcoin’s to provide finality to the transaction. Bitcoin Unlimited’s vision, supported by a number of miners at this point, is of bitcoin as e-cash — a network that has room for every morning coffee to be processed on bitcoin’s network, which would, incidentally, give them more transaction fees.

However, what might, in the abstract, be called a philosophical disagreement has become, on the ground, an all-out power struggle.

To understand the fight, it helps to know the game theoretic aspects of bitcoin. Bitcoin miners are people and companies with computers that process transactions for the network by adding them to the blockchain, or the ledger of every bitcoin transaction since the network launched in January 2009. Miners are motivated by a payout that the bitcoin software makes as it mints new bitcoin with every block of transactions processed. (This so-called block reward is currently 12.5 bitcoins, or about $13,750 at press time.) In addition to newly minted bitcoins, miners also receive small transaction fees paid by every user sending bitcoin. Wu is involved in mining in two ways: He not only manufactures bitcoin mining chips through Bitmain but also runs the biggest bitcoin mining operation called Antpool.

Designing the game, and the incentives in it, are the developers. Their motivations can range from ideological to technical. Many developers simply want to see a decentralized financial system not controlled by one or a few entities, whether it’s a government or a few big miners. But they need the miners. Without miners, the network wouldn’t exist, and without enough of them it’s not secure. However, if too few of them dominate, then the delicate balance of no one party fully controlling the system falls apart since mining would be run by an oligopoly. Conversely, if the developers don’t do enough for the miners, the miners can retaliate against the developers.

Because the developers and the miners both need each other and have opposing incentives, they don’t fully trust each other. “Bitcoin is one of those things where nobody wants to be seen as controlling it,” says DeSantis. The magic of bitcoin has been the ability for various players with opposing interests to engage in a system that has so far led to an optimal outcome for all of them.

There’s one last group important to the game theory of bitcoin, but before we get to them: The detente between the two sides has lasted for a few years because the people who support bigger blocks (now in the form of Bitcoin Unlimited) had too little computing power on the network to take control of it. Also, certain technical upgrades, including a block size increase, require what’s called a hard fork, which runs the risk of creating two versions of bitcoin if not done with the full support of the community. Many consider this type of hostile hard fork a potential nuclear option in bitcoin — one that could destroy, or at least damage, the industry that, until last Thursday, had a $20 billion market cap.

From Impasse To Panic

On Friday, several exchanges announced that, in the event of a fork, Bitcoin Unlimited would not have the ticker symbol BTC. They were effectively preemptively awarding Bitcoin Core the reputation of being “the true bitcoin.” Many people in the community thought that that would deter Bitcoin Unlimited from forcing a hard fork.

But alarm spread when, later that day, DeSantis posted a 28-point tweet thread pointing out that Wu would soon be launching new facilities that would bring a lot more computing power to the network. (One deal was for U.S.-based facilities with John McAfee’s company MGT set to launch in the second quarter of 2017 and called MacPool.) While that wouldn’t necessarily give Wu or his companies more than 50% of the computing power, the worried developers hypothesized that since Wu’s company Bitmain manufactures the mining equipment that many miners use, purchasers of his mining equipment might feel pressure to support Bitcoin Unlimited so as not to have their supply of mining equipment cut off in the future. That could then tip Bitcoin Unlimited over the threshold that could allow them to, essentially, create a new version of bitcoin that cut off control from the current group of developers, which would then put the Bitcoin Unlimited developers in control and, at the very least, sow confusion in the market about which was the “true” bitcoin, if not make their version of it the dominant one.

The clincher? Bitmain owns BTC.com, and Ver controls Bitcoin.com. DeSantis asserts that, through search-engine strategies, Wu, Ver and their affiliates could lead many newcomers to believe that Bitcoin Unlimited is the “true” bitcoin. (The MacPool website, currently under construction, sports a ticker provided by Bitcoin.com; Ver is an advisor to MGT.)

As DeSantis puts it, “Most of the hardcore Bitcoiners are not good at talking to the press. They’d probably try to tell you about how the code is not the same and they’d go into some mathematical stuff and it would be a nightmare. You’d have a bunch of guys walking around, talking about math, and then other guys” — Wu, Ver, Bitcoin Unlimited — “saying, ‘We’re Bitcoin.com. Use Bitcoin.’” (DeSantis also notes that McAfee has been accused of murder and Ver is a convicted felon.)

In response, the Core team, DeSantis and other bitcoin developers are contemplating their version of the nuclear option: that they change the Bitcoin software so that it no longer works on the hardware currently running it. It would be as if Microsoft decided to change Office so that it no longer ran on PCs, rendering an entire industry useless. (Such a move would hit Wu, as both a manufacturer of the equipment and a mining pool operator, doubly hard.)

But Eric Lombrozo, a Bitcoin Core developer, says, “I’d rather that not happen. I think it’d be dangerous for the network to go down that route. It’s basically a warpath…. But all the players have to consider that these things might actually happen.”

The Defense

Both Ver and Wu deny that they plotted to bring online new mining facilities that would force a fork to Bitcoin Unlimited and then push that as the “true” version of bitcoin. Their criticisms of Core are somewhat similar: Both are unhappy that the team has ignored what they believe is a need for bigger blocks, and both have personal gripes about the developers.

Ver says that Core is ignoring very real problems that currently exist on the network that not only slow transaction times but therefore make transactions less safe altogether. He also says that they treated “horribly” several developers who had been deeply involved in developing the protocol when they advocated for increasing the block size.

Wu thinks that Bitcoin Core’s current proposal to make the network more efficient (for technical reasons, called SegWit) is good technology that solves a number of problems. However, he is angry that about a year ago, a number of Core developers and miners came to an agreement in Hong Kong to adopt both SegWit and a small block size increase. Since then, the developers have proceeded with what they wanted — SegWit — but not the bigger blocks the miners desired.

(Calling the Hong Kong agreement “a diplomatic failure” and “botched,” Lombrozo wrote in an email, “The agreement was not signed by the Core team as a whole…it was signed by a few individual contributors and many of us felt that not only was it impossible to deliver what was expected but that it was contrary to the philosophical underpinnings of Bitcoin. … Ultimately, protocol changes cannot be negotiated behind closed doors by small numbers of people.”)

As for theories that purchasers of his mining equipment would feel pressure to support Bitcoin Unlimited, Wu says, “We have to look at the facts — whether I have ever done this to my customers before. No, I have never. Because the customers give us money to buy equipment. Maybe I can talk to them, maybe I can convince them about what is the best interest of bitcoin miners, but I never force them to do anything because that is anti-bitcoin.”

He also notes that some of the computing power in the new mining facilities will mostly be rented out to other miners (10% of the Chinese facility will be controlled by Bitmain) and so those miners, and not Bitmain, will choose whether to run Bitcoin Unlimited or Bitcoin Core on their individual machines. However, despite a March 1 press release announcing MacPool would go online in Q2, he could not give a launch date for either facility and said both were delayed.

When asked about the possibility of the Core team changing the software so it no longer works on his mining equipment (which involves changing something called the proof-of-work, or POW, algorithm), Wu, who first learned about bitcoin in 2011 and launched his company in 2013, said he remembers the first time he heard this threat in a chat forum in early 2016: “I was astonished. Switching the POW algorithm of bitcoin was never the kind of idea you can think of. If someone disagrees with you, you decide to what? I decided this was very political and was about interests, it’s not only about engineering. If it was only an engineering debate, it would not escalate to this level.” His conclusion: “Since they are doing such threatening, I think it’s OK that we run another kind of software, Bitcoin Unlimited.”

Wu says if Bitcoin Unlimited gets enough network power, the fork will occur. This could create two coins — one with less value than the other, as happened last summer when the Ethereum network split into two, creating Ethereum and Ethereum Classic, the latter of which is worth a fraction of Ethereum even though it is technically the original chain. When asked why he would be willing to risk losing what could potentially not only be a huge sum of money but his entire business, Wu says, “I will reject your assumption” — meaning, he refused to even entertain the possibility that Bitcoin Unlimited would become the chain of lesser value.

Hypothetically, the final touches on the Bitcoin Unlimited nuclear option would be if, after the fork, Bitcoin Unlimited allocated some of its computer power to attacking the other chain so that it was unable to function properly. It would be possible technically since, in order to fork, it would need to gain 80% of the computing power, which means the other side would have a fraction right after the split. (Unlimited has ramped up steeply, rising from about 20% to 37% share over the last month, while Core fell from 80% to 62%. Another miner today announced support for Unlimited.) When asked if Wu would undermine Core, he wouldn’t rule it out: “It may not be necessary to attack it. But to attack it is always an option.” Another way of harming Bitcoin Core would be if supporters of Bitcoin Unlimited dumped all their Bitcoin Core bitcoins, driving down the price for Bitcoin Core coins.

Meanwhile, the Bitcoin Core developers and DeSantis say they are working on a compromise to prevent the various nuclear options. Wu declined to comment on whether he is currently negotiating with anyone. However, just in case, Core is working on new versions of the software that wouldn’t run on current mining equipment.

The Way Forward

Back to our game theory analysis: The last group with an interest in btc are the users, whose motivation is to make btc transactions. (Note: exchanges have a role too, but they will ultimately follow the market, hence, for this discussion, we’ll lump them in with the users.) The way in which the network accommodates more transactions may be immaterial to many of them, making them neutral on the e-cash vs. digital gold question. However, their power over the system is economic: If, say, two versions of btc came out — one that reflected the miners’ preferences and one that reflected the developers’ — the one that would prevail (or at least dominate, if both continued to exist) won’t necessarily be the one that the majority of miners support even though that network might be more robust. Nor would it necessarily be the one that the majority of developers support, even though that network might be perceived as being more technically sound or more decentralized. It would be whichever one the greatest number of investors put their faith in.

Wu suggests a futures contract to determine what the market response would be before any nuclear options are pursued. One currently on offer on cryptocurrency exchange Bitfinex shows Bitcoin Unlimited having a fraction of the value of btc Core. But Wu says the contract is not structured correctly and instead suggests one with three possible outcomes: Bitcoin Unlimited after a fork; Bitcoin Core after a fork; and btc Core as it is now, no forks. (The current contract could be lumping together the latter two possibilities into one.)

Whether this death match ends in disaster or a truce remains to be seen. After all, Bitcoin’s “death” has been pronounced many times. However, while btc price has been seesawing, the value of Ethereum has more than doubled in the past two weeks and quadrupled since January, giving it a market capitalization of almost $4 billion. Bitcoin’s has now risen to $18 billion by press time, though it was as low as $15.5 billion on Saturday. Still, many cryptocurrency traders talk of what they foresee as “the flippening” — the moment when Ethereum’s market capitalization surpasses that of bitcoin’s. Some industry players surmise that if bitcoin underwent some fiasco around the same time Ethereum gained more validation, the two market caps could cross and never reverse. (Bitcoin’s block size debate may have also gotten at least one Ethereum developer contemplating reducing the reward to their miners.)

Lingham no longer even cares about DeSantis’s theory that Wu, Ver, McAfee and company planned to use their new mining facilities to force a fork to btc Unlimited. “I don’t want to delve into the details of whether this is true or not,” he says. “It’s irrelevant. The point is … this should not be possible in btc.”

Despite the bitter grudges held on both sides, multiple sources said that they thought the most likely outcome was that no hard fork would occur. “My suspicion is these people aren’t dumb enough to try to actually, in such a public way, get control of btc because they know it would lead to a big price drop in general, no matter how good the outcome was,” says Peter Todd, a btc protocol researcher who is aligned with DeSantis and Core. “I think the most likely scenario is that nothing will happen. I really mean nothing”

2017
03.23

Loads of Hacked Account Credentials Now Available on Dark Web

Millions of account credentials from hacked online platforms surface on the dark web, available for as little as $400.

by newsbtc

 

Hacking incidents happen frequently; some get reported while others don’t, at least until the compromised data resurfaces somewhere on the internet. Along the same lines, ill-gotten information from over 12 million accounts has made an appearance on the dark web.

The dark web marketplaces are known for all kinds of stuff. One can buy almost anything there, provided they know where to go and have enough cryptocurrency balance to pay for it. To obtain the compromised information of these 12 million accounts from the seller “doubleflag”, one should be willing to pay 0.3817 BTC, which is almost equivalent to $400.

According to reports, the credentials currently up for sale were obtained over a period of six years from various sources. The package offered by “doubleflag” is said to include content from compromised cryptocurrency forums like BitcoinTalk, MtGox, Bitcoinsec, and BTC-E. Other leaked databases on sale include user information from Whois, Paddy Power, Experian, Brazzers, GTAGaming, Dota2, CDProjektRed, XHamster, and Lastfm. The publication also reports the presence of datasets containing US voter records.

The information contained in the leaked data sets includes names, email addresses, passwords, etc. In some cases, the database was found to include phone numbers, date of birth, locations and even IP addresses. While some of these platforms are not functional anymore, the hacked data can still come in handy as many people tend to reuse the same credentials across multiple accounts. A hacker equipped with so much data can potentially reuse it on other platforms successfully.

However, the nature and size of the hacked information currently being sold by “doubleflag” don’t come as a surprise. There have been numerous reports of large-scale hacking incidents that went unnoticed for a while. In the case of Yahoo, the company didn’t realize that its security had been compromised until a separate incident led cyber security experts to a previously undetected one. Other prominent platforms that have been targeted by hackers in the past include LinkedIn and even Google accounts.

These incidents keep reminding internet users about the importance of security and best practices when it comes to online activities. It is advisable to change passwords frequently and to use a mix of complex characters instead of easily deducible words.

2017
03.22
tor project

Tor bounces web traffic over three randomly selected Tor relays out of a total of around 7,000 relays.

In the coming months, the Seattle-based nonprofit The Tor Project will be making some changes to improve how the Tor network protects users’ privacy and security. The free network lets users browse the internet anonymously. For example, using Tor can reduce the risk of being identified when dissidents speak out against their governments, whistleblowers communicate with journalists and victims of domestic abuse seek help.

In its most common, and best-known, function, a person using the free Tor Browser – essentially a privacy-enhanced version of Firefox – uses the internet mostly normally. Behind the scenes, the browser and the network handle the web traffic by bouncing the communications through a chain of three randomly chosen computers from all over the world, called “relays.” As of March 2017, the Tor network counts almost 7,000 of these relays. The goal of leveraging these relays is to decouple a user’s identity from her activity.

But those users are still, generally speaking, using others’ websites, which can be shut down or pressured into censoring online activity. My own work as a scholar and volunteer member of The Tor Project also looks at the network’s way of allowing people to host websites privately and anonymously, which is where most of the upgrades to the system will come.

Called “onion services,” this element of the Tor network makes it possible for a person to run a website (or filesharing site, or chat service or even video calling system) from a dedicated server or even her own computer without exposing where in the world it is. That makes it much harder for authorities or opponents to take down. The upcoming changes will fix flaws in the system’s original design, and employ modern-day cryptography to make the system future-proof. They will improve security and anonymity for existing Tor users and perhaps draw additional users who were concerned the prior protections were not enough when communicating and expressing themselves online.

Understanding onion services

As of March 2017, an estimated 50,000 onion services are operating on the Tor network. Onion services continuously come online and offline, though, so it is difficult to obtain exact numbers. Their name comes from the fact that, like Tor users, their identities and activities are protected by multiple layers of encryption, like those of an onion.

While criminals are frequently early adopters of anonymity technology, as more people use the system, legal and ethical uses become far more common than illegal ones. Many onion services host websites, chat sites and video calling services. We don’t know all of what they’re doing because The Tor Project designs privacy into its technology, so it does not and cannot keep track. In addition, when new onion services are set up, their very existence is private by default; an operator must choose to broadcast a service’s existence publicly.

Many owners do announce their sites’ existence, however, and the Ahmia search engine provides a convenient way to find all publicly known onion services. They are as diverse as the internet itself, including a search engine, a literary journal and an archive of Marxist and related writing. Facebook even has a way for Tor users to connect directly to its social media service.

Creating an onion site

When a privacy-conscious user sets up an onion service (either manually or with a third-party tool such as onionshare), people who want to connect to it must use the Tor Browser or other Tor-enabled software; normal browsers such as Chrome and Firefox cannot connect to domains whose names end in “.onion.” (People who want to peek at onion sites without all of the network’s anonymity protections can visit Tor2web, which acts as a bridge between the open web and the Tor network.)

Originally, a new onion service was supposed to be known only to its creator, who could choose whether and how to tell others of its existence. Of course, some, like Facebook, want to spread the word as widely as possible. But not everyone wants to open their Tor site or service to the public, the way search and social media sites do.

However, a design flaw made it possible for an adversary to learn about the creation of a new onion service. This happened because each day, onion services announce their existence to several Tor relays. As happened in 2014, an attacker could potentially control enough relays to keep track of new service registrations and slowly build up a list of onion sites – both secret and public – over time.

The same design flaw also made it possible for an attacker to predict what relays a particular service would contact the following day, allowing the adversary to become these very relays, and render the onion service unreachable. Not only could someone wanting to operate a private, secret onion service be unmasked under certain circumstances, but their site could effectively be taken offline.

The updates to the system fix both of these problems. First, the relays each service contacts for its daily check-in will be randomly assigned. And second, the check-in message itself will be encrypted, so a relay can follow its instructions, but the human operator won’t be able to read it.

Naming domains more securely

Another form of security causes the names of onion services to be harder to remember. Onion domains are not named like regular websites are: facebook.com, theconversation.com and so on. Instead, their names are derived from randomly generated cryptographic data, and often appear like expyuzz4wqqyqhjn.onion, which is the website of The Tor Project. (It is possible to repeatedly generate onion domains until a user arrives at one that’s a bit easier to recognize. Facebook did that and – with a combination of luck and raw computational power – managed to create facebookcorewwwi.onion.)

Older onion services had names made up of 16 random characters. The new ones will use 56 characters, making their domain names look like this: l5satjgud6gucryazcyvyvhuxhr74u6ygigiuyixe3a6ysis67ororad.onion.

While the exact effects on users’ ability to enter onion services’ addresses haven’t been studied, lengthening their names shouldn’t affect things much. Because onion domain names have always been hard to remember, most users take advantage of the Tor Browser’s bookmarks, or copy and paste domain names into address fields.
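The two address formats described above can be told apart and checked mechanically before a pasted address is trusted. The following is an added example, not code from the original article or from The Tor Project: it parses 16-character and 56-character onion names and verifies the checksum embedded in the longer form. The checksum layout (SHA3-256 over `".onion checksum"`, the 32-byte public key and a version byte) is taken from Tor's v3 onion service specification rather than from this page, and the key used in the demo is constructed.

```python
import base64
import binascii
import hashlib

V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"


def v3_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" | pubkey | version)."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a 56-character onion name from a 32-byte Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion keys are 32 bytes long")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion(address: str) -> dict:
    """Classify an onion hostname and, for the new format, verify its checksum."""
    host = address.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        raise ValueError("not an onion address")
    # Only the label directly left of ".onion" carries key material;
    # anything before it is an ordinary subdomain.
    label = host[: -len(".onion")].split(".")[-1]
    if len(label) not in (16, 56):
        raise ValueError("onion labels are 16 (old) or 56 (new) characters")
    try:
        raw = base64.b32decode(label.upper())
    except binascii.Error as exc:
        raise ValueError("label is not valid base32 (a-z, 2-7)") from exc

    if len(label) == 16:
        # Old format: 80 bits, the truncated SHA-1 hash of the RSA public key.
        # There is no checksum, so a single mistyped character goes undetected.
        return {"kind": "v2", "label": label, "key_hash": raw}

    # New format: 32-byte public key, 2-byte checksum, 1-byte version.
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return {
        "kind": "v3",
        "label": label,
        "pubkey": pubkey,
        "version": version,
        "checksum_ok": version == 3 and checksum == v3_checksum(pubkey),
    }


if __name__ == "__main__":
    # Constructed key for demonstration only; a real service uses a random key.
    demo_key = bytes(range(32))
    good = encode_v3(demo_key)
    # Change one character inside the checksum field to simulate a typo.
    swap = "a" if good[52] != "a" else "b"
    bad = good[:52] + swap + good[53:]
    for addr in ("expyuzz4wqqyqhjn.onion", good, bad):
        info = parse_onion(addr)
        print(addr, info["kind"], info.get("checksum_ok"))
```

Because the old 16-character names carry no checksum, only the new format lets software reject a mistyped or truncated address before any connection is attempted.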

Protecting onion sites

All this new design makes it significantly harder to discover an onion service whose operator wants it to remain hidden. But what if an adversary still manages to find out about it? The Tor Project has solved that problem by allowing onion services to challenge would-be users to enter a password before using it.

In addition, The Tor Project is updating the cryptography that onion services employ. Older versions of Tor used a cryptosystem called RSA, which could be broken by calculating the two prime factors of very large numbers. While RSA is not considered insecure yet, researchers have devised several attacks, so The Tor Project is replacing it with what is called elliptic-curve cryptography, which uses keys that are shorter, more efficient and understood to be at least as secure.

The developers are also updating other basic elements of the encryption standards used in Tor. The hash function, which Tor uses to derive short and constant-length text strings from arbitrarily long data, will change from the troubled – and partially broken – SHA-1 to the modern SHA-3. In addition, secret keys for the Advanced Encryption Standard cryptosystem will be twice as long as before – and therefore significantly harder to break. These don’t address specific immediate threats, but protect against future improvements in attacking encryption.

With these improvements to the software that runs Tor, we’re expecting to be able to prevent future attacks and protect Tor users around the world. However, better anonymity is only one aspect in the bigger picture. More experimentation and research are necessary to make onion services easier to use.

 


2017
03.22
Dark web


This Dark Web Market is Planning to Add Support for Ethereum

A moderator for AlphaBay – one of the world’s most popular dark markets, according to data from DeepDotWeb – took to Reddit over the weekend to announce that it would integrate ether payments beginning on 1st May.

According to a PGP-signed moderator post on the AlphaBayMarket subreddit, recent price increases drove the integration decision.

The moderator wrote:

“We are currently laying out the framework to make ETH acceptance possible, and we will enable ethereum deposits and withdrawals starting May 1st, 2017. Vendors wishing to accept ethereum can edit their listings and set the ‘Accept ETH’ to ‘On’ in order to be able to be paid in ethereum.”

It’s not the first time the market has looked to digital currencies beyond bitcoin. AlphaBay previously made waves in August 2016 when the market announced the integration of privacy-centric digital currency monero as a payment option.

The moderator indicated that other platform upgrades are pending.

“We have plenty of new stuff in the works, so expect more updates in the near future,” they said.

2017
03.21

yahoo

Over 25 million Gmail and Yahoo accounts are being sold online, according to a new report.

They’re available for purchase on the dark web, with the vendor selling them going by the name ‘SunTzu583’.

According to HackRead, SunTzu583 is asking for $450 for 21,800,969 Gmail accounts, 75% of which supposedly contain decrypted passwords, with the remaining 25% hashed.

The data was stolen through hacks on Dropbox, Nulled.cr and MPGH.net between 2012 and 2016.

SunTzu583 has a separate $200 listing for a further 4,928,888 accounts, which allegedly contain email addresses and clear text passwords.

HackRead says these were stolen as part of the LinkedIn, Adobe and Bitcoin Security Forum hacks.

The cybercriminal is also selling 5,741,802 Yahoo accounts, many of which were stolen as part of MySpace, LinkedIn and Adobe hacks, for $250.

However, SunTzu583 has informed potential buyers that “Not all these combinations work directly on Yahoo, so don’t expect that all these email and passwords combinations work on Yahoo.”

Yahoo has been rocked by two of the biggest hacks of all time, and users who think they might be affected should take steps to protect themselves immediately, such as updating their passwords.

You can find out if you’ve been hacked by checking your email address at haveibeenpwned.com.

2017
03.18

Bodybuilder, 20, ‘died after taking steroids that he bought on the dark web’


  • Robbie Ryder was found in his bedroom in Driffield, East Yorkshire, in October
  • A toxicology report found high levels of morphine and anti-anxiety tablets
  • But ambulance crews compromised the scene by taking a week to inform police
  • Hull Coroner’s Court heard he turned to bodybuilding after his father’s death

A bodybuilder died after taking steroids believed to have been bought on the dark web – but a police investigation was scuppered by ambulance crews taking a week to inform them of his death.

Robbie Ryder, 20, was found slumped and unresponsive in his bedroom by his mother, who had told him just hours before to ‘sort his life out’.

A toxicology report found high levels of morphine and anti-anxiety tablets in his system after he purchased the illegal products off the internet’s ‘black market’.

An envelope in his room that he is believed to have opened on the morning he died was key to the police investigation, but because the ambulance crews took a week to communicate with police, the scene had been entirely compromised.

Hull Coroner’s Court heard Mr Ryder’s mother, Yvonne Emerson, 46, said he struggled to come to terms with the death of his father and turned to bodybuilding.

Mother-of-two Ms Emerson had noticed a change in his behaviour weeks before his death and noticed he was ‘on something’.

She told the hearing on Wednesday (March 15): ‘In 2011, when Robbie was 14 years old his father was killed in a motorcycle accident.

‘That had a massive impact on Robbie and he struggled to cope. It affected his college work and he couldn’t sleep.

‘He turned to cannabis to cope with his anxiety and grief. But then he started working out and this gave Robbie structure in his life – the training benefitted him.

‘He was trying to be more positive and deal with his problems sober.

‘A couple of weeks before his death, Robbie’s demeanour changed and he seemed to be under the influence of something.’

Mrs Emerson told the inquest she had spoken to her son on the morning he died about sorting his life out.

But when she returned that evening on October 13, she found her son unresponsive in his bedroom.

She called 999 and then asked a neighbour for help and he was taken to Hull Royal Infirmary – but died shortly after.

After scouring Mr Ryder’s bedroom at his home in Driffield, East Yorkshire, police tracked down an illegal operation in Cyprus – and passed on the address to Interpol.

However, officers were annoyed that the ambulance crews notified them too late to look over the ‘crime scene’ – his bedroom – to trace an envelope linked to the dark web.

PC James Gray, of Humberside Police, said: ‘We found testosterone and other drugs in his bedroom – it seems he was heavily involved in taking body building steroids.

‘We found a number of suspicious packages containing white powder with no identification…


2017
03.17

dark web


NASHVILLE, Tenn. (WKRN) – Sure you can get drugs on the streets, but many addicts are turning to the internet to get their fix.

“When I’m looking for something, I find what I’m looking for,” Emilio Rodriguez said.

Rodriguez is a recovering addict.

“I’d been using since I was 16, so I’ve been using for a bit over half my life,” he said.

He said his addiction started with drinking and marijuana, and then cocaine and opiates until he found his drug of choice: heroin on the dark web.

“Heroin was my go-to. It was a euphoria that couldn’t be described with anything else really. I’d say probably used a good five or six times a day,” Rodriguez said, adding, “I was pretty much playing with fire until I got burned.”

For years, he bought his drugs online through the dark web, the hidden part of the internet available through specialized software.

“All you have to do is really follow a couple of little rules on how to use it, how to get online on it and once (there) you are off to the races,” Rodriguez explained.

A quick Google search will show you the few steps you have to take to access the dark web.

“Not difficult at all. It’s just like downloading a Snapchat app or a Facebook app, whatever it is,” said Rodriguez.

Once on the dark web, you will find virtually everything for sale.

“Weapons, heroin… There are even some that have been known to sell people. Click. I want this, I want that, and they ship it to you,” Rodriguez told News 2.

Access is free–and hard to trace.

“It can be traced, but it’s a lot more difficult to be traced to purchase drugs online,” he said.

Rodriguez also says he used a P.O. box for some drug deliveries. Other times he had them delivered to vacant houses in his neighborhood.

“I was in the pits of it I was the lowest you can go,” he added.

Buying on the dark web fed an addiction that led Rodriguez to jail and nearly to death.

“I overdosed a total of four times. Two times were borderline death, teetering on death. You know, prison time, jail time, all these things, and it just started amounting,” he explained.

Rodriguez said he had had enough and turned his life around. He has been sober now for 9 months and serves as a life coach for Addiction Campuses.

“I was able to make it to the other side now and I’m grateful for that because I can help other people do it.”


2017
03.17

dark web


Spinning the Dark Web

“Silk Road. Circa 2013. Purchased what promised as a ‘mind-blowing’ experience. Received a Dust Buster two days later. Strangely, no complaints on my end.” — gr8head, Reddit user

I’m sitting at my desk, abandoning a lukewarm cup of tea to engage in an intense online battle with MyUni over a Friday timetable slot. A friend pops up on Facebook Messenger to confirm that she does, in fact, enjoy cooked pineapple. I search for an appropriately shocked GIF when she adds, offhandedly, “have you heard of the dark web?”

Too embarrassed to admit my ignorance, I minimise the browser and open another. A quick search on Reddit tells me that the dark web – or darknet – is not indexed by standard search engines like Google or Bing: it is a small, encrypted portion of the deep web that requires special software to operate. Wherever I search, the same terms stand out: drug dealing; money laundering; human trafficking; leaked documents.

I roll my eyes at my humble MacBook, and dismiss this online underworld as a phenomenon lying well beyond my technical capabilities. I begin closing tabs when one thread catches my attention. I pause.

“Dark Web: A STEP BY STEP GUIDE”.

Curious, I do as the guide says and download Tor, a free browser originally designed by the US military before it became open source. I hesitate before dragging the logo into my applications folder: will it open up my computer to hackers? I double click the app. My MECO2603 essays aren’t worth much anyway.

A popup appears with a loading bar. The bar snakes its way across my screen and then disappears. Tor opens.

The green-and-purple homepage looks innocuous. I copy and paste a link from Reddit into the search bar. The page loads and I choke on my tea; I’m faced with a single, disturbing image of a tentacled man brandishing a pentagram. The hitman recruitment site promises “permanent solutions to common problems”.

I quickly close the window and paste another link. It lists the IP addresses of known child pornography viewers. Another link: fake citizenship certificates. Another: a PDF file of the Anarchist’s Cookbook. Classified business information, weapons, human experiments – it’s all there. It was always right there.

Harry*, a Medical Science student at the University of Sydney, stumbled across the dark web on a coding forum when he was fourteen.

“I was browsing through and was just like, oh hey, I can buy an AK-47 for $350.”

He found himself on The Silk Road, an infamous darknet marketplace the FBI shut down in 2013. It functioned as a criminal eBay, offering everything from guns and drugs to stolen credit cards and Netflix subscriptions. He bought three cannabis seeds for $30.

“I wasn’t really expecting to get them, but I wanted the thrill of using the dark web and seeing how it works. You’re anonymous, so you don’t have the moral boundaries that you would have while dealing with someone face to face.”

The seeds took less than three weeks to arrive from the United States – faster than most of my textbook orders from the Book Depository. 

“They were packaged in a tin foil packet, like how you get tablets. You cracked it open like a Panadol. It was nicely wrapped – it looked professional,” he told me with a smirk.

A significant number of students are logging onto cryptomarkets to bypass traditional dealers and purchase drugs. We are all just one download, a quick bitcoin transfer and a few clicks away from having AusPost deliver narcotics straight to our doors.

Matt*, a Medicinal Chemistry student at UTS, was introduced to the dark web by a friend when he was sixteen and searching for a cheap source of acid. He bought a sheet of 20 tabs, and camped out by his parents’ mailbox waiting for the drugs to arrive.

“Having the drugs delivered to my house wasn’t my finest moment. I actually used my parents’ credit card too, and got caught on the bank statement. I told Dad I bought Halo.”

The LSD took just over a fortnight to travel from Switzerland to Matt’s home address, sealed in an envelope and sandwiched between two pieces of cardboard. Matt took a tab that same night to see if it was legitimate. It was.

The thought of purchasing opiates and stimulants with the click of a button is tempting, but while darknet user ratings can act as a market regulator, it is impossible to guarantee purity of character… or drug composition.

Ben* bought 50 tabs of clonazolam off the internet when he was in year 9. He shared them with his mate, who became increasingly aggressive and withdrawn, until he had to be hospitalised.

“[My friend] was basically a soulless husk of a person for a few days. I felt devastated that my own judgement could be completely stripped from me so suddenly. I was expelled 11 days later,” Ben wrote to me.

There is also the possibility of falling victim to an exit scam, whereby a vendor takes a large catalogue of orders before disappearing with your precious bitcoin. And you can’t exactly go to the courts over a dodgy drug deal.

Sam*, a geography student, bought MDMA and LSD in bulk – up to $7000 street worth at a time – and sold it to friends at cost price. It was an act of vigilantism against local suppliers and their generally impure products.

“We tried to minimise the risk by only buying off reputable sellers with lots of positive feedback, but we got ripped off about three times. Each instance was a few hundred dollars.”

Cyber risks aside, there is one glaringly obvious deterrent: drug possession is illegal. Students can rack up fines or face imprisonment, regardless of who their supplier is or where they conduct their business. One Engineering and Science student grew worried after making a particularly large purchase from The Silk Road.

“Despite making every effort to be safe, it’s easy to make a mistake and there are bugs everywhere,” they warned me.

“The thresholds for what is called a ‘marketable’, and worse, a ‘commercial’ quantity are surprisingly low. It certainly made me nervous when there were potentially packages linked to me sitting in a customs building somewhere full of illegal drugs.”

Before you hand over your bitcoin, put down the Guy Fawkes mask and consider the world you could be delving into. The darknet is ‘dark’ for a reason: one second you’re spinning the web, and the next it’s got you trapped.

While buying drugs off the darknet is undoubtedly exhilarating, ultimately it’s a slippery slope with no way to recover lost bitcoin and no way to undo whatever you’ve done.

I sip my tea and close the browser. Some secrets are best left hidden.