What is the Dark Web?

The Dark Web is the set of websites whose owners don’t want you to find them unless they specifically give out an invitation. These sites are not on Google or other search engines because they have never been submitted to them and deliberately have no links from other sites that Google or other search engines know about.

It’s true that most of the Dark Web is about illegal activity including fraud, phishing, terrorist activities, drugs, hacking etc. However, there is some activity on the Dark Web that people don’t want to be seen but which is not illegal, such as whistle-blowers preparing or sharing information, things that are legal in some jurisdictions but not in others, unmonitored communication in countries with totalitarian controls etc.

Darknet websites are accessible only through networks such as Tor and I2P (“Invisible Internet Project”). The Tor browser and Tor-accessible sites are widely used among darknet users, and Tor sites can be identified by the domain suffix “.onion”.

These networks route the users’ data through a large number of intermediate servers, which protects the users’ identity and gives anonymity. The complicated system makes it almost impossible to decrypt the information, even layer by layer. Communication between darknet users is highly encrypted, allowing users to talk, blog and share files confidentially.

Web Based Hidden Services in January 2015

  • Directories 2.5%
  • Blogs 2.75%
  • Pornography 2.75%
  • Hacking 4.25%
  • Searches 4.25%
  • Anonymity 4.5%
  • Counterfeit 5.2%
  • Whistle blowers 5.2%
  • Wiki 5.2%
  • Email 5.2%
  • Bitcoin 6.2%
  • Market 9%
  • Drugs 15.4%

There are markets similar to Amazon but that sell illegal items such as drugs, weapons, hacking software, viruses, etc. Many hackers sell their services individually or as part of groups. Various government bodies around the world try to track activity on the Dark Web, but it is not easy. There are numerous forums where credit card details and identities are sold.

Amongst the numerous sites offering illegal services are scam sites that defraud the very people trying to carry out that illegal activity.

See http://www.fightbackonline.org/index.php/guidance/12-explanations/69-the-dark-web-what-is-it for further information.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.

The Identity Theft Resource Centre

http://www.idtheftcenter.org/

The Identity Theft Resource Centre (ITRC) is a non-profit organization that supports victims of identity theft in resolving their cases, and broadens public education and awareness in the understanding of identity theft, data breaches, cyber security, scams/fraud and privacy issues.

It is for American citizens only. You can call the ITRC on a Freephone number, and they provide no-cost case mitigation and consumer education to approximately 10,000 victims and consumers annually. ITRC maintains records of data breaches and publishes the list each week.

ITRC aims to:

  • Educate consumers, corporations, government agencies, and other organizations on best practices for fraud and identity theft detection, reduction and mitigation.
  • Serve as a relevant national resource on consumer issues related to cybersecurity, data breaches, social media, fraud, scams and other issues.

The ITRC also conducts research and surveys in collaboration with partners and sponsors, resulting in white papers, fact sheets, and solutions to educate consumers and businesses.

They believe that prevention and reduction of identity theft will require education and cooperation between consumers, businesses, law enforcement agencies, and legislators.

ITRC is a very useful organisation and they help a lot of people each year.

Do click on the Facebook or Twitter icons on top right to follow Fight Back Ninja.

A World of Passwords

The National Institute of Standards and Technology (NIST) was founded in 1901, is now part of the U.S. Department of Commerce, and is one of America’s oldest physical science laboratories. NIST produces a wide range of measurements and standards, many of which are used world-wide and contribute to many advanced technologies, materials and fabrication.

NIST also produces guidelines for the system developers who create apps needing passwords, telling them what checks should be made and what restrictions to apply.

The latest guidance on passwords is the DRAFT NIST Special Publication 800-63B, Digital Identity Guidelines.

It says that passwords should be:

  • chosen by and memorable for the user;
  • of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover them;
  • at least 8 characters in length (unless allocated by the system, in which case they should be at least 6 characters).

In the last few years, most websites needing passwords have insisted they include capital letters and numbers, but this new guidance says that’s unnecessary.

Systems shall not permit the subscriber to store a “hint” for their password that is accessible to an unauthenticated user.

When processing requests to establish or change passwords, systems shall compare the prospective password against a list that contains values known to be commonly used, expected, or compromised. For example, the list may include (but is not limited to):

  • Dictionary words
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
  • Context specific words, such as the name of the service, the username, and derivatives thereof.

If the chosen password is found in the list, the system shall advise the subscriber that they need to select a different secret, shall provide the reason for rejection, and shall require the user to choose a different value.

There should be a maximum number of times a user can try to enter a password, after which the user should be blocked temporarily.

For some years it was common for systems to require a password to be changed every 6 or 12 months, and that advice was given out many times, but this has changed. It is now recommended that systems do not require periodic password changes. Users can choose to change their passwords whenever they wish.
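As an added illustration (not code from the NIST draft or from this blog), here are the checks described above in Python: the minimum length, a blocklist covering the three categories listed (common passwords, repetitive or sequential characters, context-specific words), a stated reason on rejection, and a temporary lock after repeated failed attempts. The service name, usernames, blocklist entries and lock thresholds are constructed for the example.

```python
import re

# Constructed sample blocklist; a real system would load a large list of common
# and breached passwords here.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "iloveyou", "12345678"}

def is_repetitive_or_sequential(pw: str) -> bool:
    """Flag runs such as 'aaaaaa' or '1234abcd', the draft's own examples."""
    if re.search(r"(.)\1{3,}", pw):  # one character repeated four or more times
        return True
    for i in range(len(pw) - 3):      # four consecutive ascending or descending characters
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + 3)}
        if diffs in ({1}, {-1}):
            return True
    return False

def evaluate_password(pw: str, service: str, username: str, system_generated: bool = False):
    """Return (accepted, reason); the reason is shown to the user on rejection."""
    min_len = 6 if system_generated else 8
    if len(pw) < min_len:
        return False, f"must be at least {min_len} characters"
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        return False, "is on the list of commonly used or compromised passwords"
    if is_repetitive_or_sequential(pw):
        return False, "contains repetitive or sequential characters"
    user = username.lower()  # context-specific words: service name, username and derivatives
    context = {service.lower(), user, re.sub(r"\d+", "", user), user.split("@")[0]}
    for w in sorted((w for w in context if len(w) >= 3), key=len, reverse=True):
        if w in low:
            return False, f"contains a context-specific word ({w!r})"
    return True, ""  # no upper-case/digit composition rules, as the draft advises

class LoginThrottle:
    """Lock an account for LOCK_SECONDS after MAX_ATTEMPTS consecutive failures (constructed values)."""
    MAX_ATTEMPTS, LOCK_SECONDS = 5, 300
    def __init__(self):
        self.state = {}  # username -> (consecutive failures, locked_until timestamp)
    def allowed(self, user: str, now: float) -> bool:
        return now >= self.state.get(user, (0, 0.0))[1]
    def record(self, user: str, success: bool, now: float) -> None:
        if success:
            self.state.pop(user, None)
            return
        count, locked_until = self.state.get(user, (0, 0.0))
        count += 1
        if count >= self.MAX_ATTEMPTS:  # threshold reached: lock and reset the counter
            count, locked_until = 0, now + self.LOCK_SECONDS
        self.state[user] = (count, locked_until)
```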

Passwords are essential to access many online services and hopefully the new guidelines will enable the developers to make the process of selecting a new password easier and more secure than previously.

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.

The Hero Who Stopped NHS Ransomware Attack

The WannaCry ransomware attack of May 2017 wasn’t aimed at the NHS; it spread across Europe and Asia and happened to hit the NHS very hard for a series of reasons, including that they had old Windows 95 machines on their network and that their network has a huge number of computers attached to it. The ransomware demands that users pay $300 worth of the online currency Bitcoin to retrieve their files, but the price goes up if they don’t pay quickly, and of course there is no guarantee that payment allows file retrieval.

An anonymous UK cybersecurity researcher (known by the Twitter handle @malwaretechblog), with the help of Darien Huss from security firm Proofpoint, looked at the ransomware and discovered the name of a website that the ransomware was contacting. But that website address hadn’t been registered by anyone. He bought the domain name in order to track the activities of the ransomware, but in fact the domain acted as a “kill switch” that stopped the ransomware from spreading any further. Well done, if unintentionally.

That didn’t help the people whose computers had already been infected, but it stopped the outbreak from continuing.

Unfortunately, once the scammers realised how the malware had been stopped, they created and released a version that ignored the kill switch. But at least people had time to build defences against another attack.

The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos Logic.

MalwareTech explained that he bought the domain because his company tracks botnets (automated networks of controlled computers), and by registering these domains they can get an insight into how the botnet is spreading. “The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said. But the following hours were an “emotional rollercoaster”.

He also said he planned to hold onto the URL, and that he and colleagues were collecting the IPs and sending them off to law enforcement agencies so they can notify the infected victims, not all of whom are aware that they have been affected.

He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.

“It’s always been a hobby to me, I’m self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I’ve been working there a year and two months now.”

Well done hero – he’s now an honorary Ninja.

Walkers Crisps 2016 Competition Scam

Walkers Crisps spent a fortune advertising their summer competition called Spell and Go, using Gary Lineker in the promotions.

The adverts claimed 20,000 holidays were to be won including trips to Hong Kong, Tokyo, New York, Bangkok and lots more places. It all sounded great.

Simply buy a bag of Walkers, enter the 12-digit code on the bag into the Walkers website and it gives you a letter. You collect letters until you have spelled the destination name you want and then claim the holiday.

In case you could not find all of the letters you wanted, there was a swap feature whereby you could swap a letter for another random one or swap with another person.

BUT, once the competition had got going, frustrated and angry people used social media to vent their feelings towards Walkers.

The problem was that all of the destinations contained one or more of the letters C, D and K, and those just didn’t turn up. Nobody could find one, and on the social media sites no-one could be found who had actually won one of the holidays. Eventually some people did claim to have won, but it still seemed a virtual impossibility.

Figures provided by Walkers to the Advertising Standards Authority show that only 796 of the claimed 20,000 holidays were ever won.

Of the 12.8 million times people entered a code on the website, just 98 letter Ks, 252 letter Ds and 278 letter Cs were given out.

PLUS, in the swap facility there were zero letter Ks, Ds or Cs – what a scam.

The Advertising Standards Authority received over a thousand complaints about the competition and ruled that, because some of the valuable letters were released, it couldn’t declare the whole competition misleading, but that the random swap feature was misleading and Walkers must do better in future.

Let’s hope that Walkers have learned their lesson and will not aggravate their customers with this kind of misleading marketing in the future.

Do you have an opinion on this matter? Please comment in the box below.

Victim Support

Website: https://www.victimsupport.org.uk/

Victim Support is an independent charity that works towards a world where people affected by crime or traumatic events get the support they need and the respect they deserve. They help people feel safer and find the strength to move beyond crime. Last year they offered support to just under one million people.

If you’ve been affected by crime, Victim Support can support you to move forward. The services are free, confidential and available to anyone in England and Wales, regardless of whether the crime has been reported or how long ago it happened.

Contact Victim Support by phone on their national number (0808 16 89 111), by local phone number, or go online. (The care team in Surrey is on 0808 168 9274.)

Practical help

Being a victim of crime can lead to all kinds of practical problems. This can range from minor issues (such as damage to your property or having to fill in insurance forms), through to serious medical problems or the loss of your home. While emotional support can help you to deal with your feelings after a crime, practical problems often act as reminders of what you’ve been through and make it harder to get your life back under control.

That’s why they also offer help with sorting out the practical implications of crime.

They can help with simple tasks like filling out forms (for compensation claims, for example), getting broken doors and windows fixed and installing burglar alarms. They can also assist with bigger problems such as getting medical treatment, getting rehoused or dealing with the criminal justice system over the course of your trial. They’ll give you the information you need to understand your options and next steps.

Everyone reacts to crime differently, which is why their services are tailored to individual needs. They’re here to help anyone affected by crime, not only those who experience it directly, but also their friends, family and any other people involved.

About Victim Support

The main source of income is from Police and Crime Commissioners and other statutory and non-statutory bodies for the essential services that are provided to victims.

But Victim Support relies on donations to help fund projects and services that meet other needs. Donations are vital to help them work for a world where people affected by crime and traumatic incidents get the support they need and the respect they deserve.