Data is assessed by our team members

Investigations can reveal some very sensitive & personal data. This intel is assessed by us & closely guarded used only for the purpose of fullfilling the needs of our clients to achieve the results we are commissioned to undertake More »

Team leader heads a group of professional investigators on the ready

We are proud to have access to the finest team members & discreet qualified persons who pride themselves in obtaining results for our clients where others fail. More »

The latest technology & equipment allow us to keep our finger on the intel pulse

Scientific apparatus & technical staff allow us to get sensitive & usefull information by utilizing the latest technology in getting information for our clients.The storage, use & availability of this data is done with great care More »

Communications between team members & networks is critical

In these days of world wide communications being at a peak of efficiency, the task of passing on & receiving information in the blink of an eye becomes possible between our team members & the network we have access to More »

Team leader & CEO of the intel agencies group is Donna-Lee Sapiecha Eyers

Donna-Lee is here at her graduation law degree ceremony proudly supported by her mother Karen, her sister Sharah-Lee & father Henry More »


How to build defenses against the internet’s doomsday of DDoS attacks

Last week assault on Dyn’s global managed DNS services was only the start. Here’s how to fend off hackers’ attacks both on your servers and the internet.

internet-of-things-symbol image

We knew major destructive attacks on the internet were coming. Last week the first of them hit Dyn, a top-tier a major Domain Name System (DNS) service provider, with a global Distributed Denial of Service (DDoS) attack.

As Dyn went down, popular websites such as AirBnB, GitHub, Reddit, Spotify, and Twitter followed it down. Welcome to the end of the internet as we’ve known it.

Up until now we’ve assumed that the internet was as reliable as our electrical power. Those days are done. Today, we can expect massive swaths of the internet to be brought down by new DDoS attacks at any time.

We still don’t know who was behind these attacks. Some have suggested, since Dyn is an American company and most of the mauled sites were based in the US, that Russia or Iran was behind the attack.

It doesn’t take a nation, though, to wreck the internet. All it takes is the hundreds of millions of unsecured shoddy devices of the Internet of Things (IoT).

In the Dyn onslaught , Kyle York, Dyn’s chief strategy officer said the DDoS attack used “tens of millions” devices. Hangzhou Xiongmai Technology, a Chinese technology company, has admitted that its webcam and digital video recorder (DVR) products were used in the assault. Xiongmai is telling its customers to update their device firmware and change usernames and passwords.

Good luck with that. Quick: Do you know how to update your DVR’s firmware?

The attack itself appears to have been made with the Mirai botnet. This open-source botnet scans for devices using their default username and password credentials. Anyone can use it — China, you, the kid next door — to generate DDoS attacks. For truly damaging DDoS barrages, you need to know something about the internet’s architecture, but that’s not difficult.

Or, as Jeff Jarmoc, a Salesforce security engineer, tweeted, “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” That’s funny, but it’s no joke.

Fortunately, you can do something about it.


Securing the Internet of Things

First, and this unfortunately is a long-term solution, IoT vendors must make it easy to update and secure their devices. Since you can’t expect users to patch their systems — look at how well they do with Windows — patching must be made mandatory and done automatically.

One easy way to do this is to use an operating system, such as Ubuntu with Snap, to update devices quickly and cleanly. These “atomic” style updating systems make patches both easier to write and deploy.

Another method is to lock down IoT applications and operating systems. Just like any server, the device should have the absolute minimum of network services. Your smart TV may need to use DNS, but your smart baby monitor? Not so much.

That’s all fine and dandy and it needs to be done, but it’s not going to help you anytime soon. And, we can expect more attacks at any moment.

Defending your intranet and websites

First, you should protect your own sites by practicing DDoS prevention 101. For example, make sure your routers drop junk packets. You should also block unnecessary external protocols such as Internet Control Message Protocol (ICMP) at your network’s edge. And, as always, set up good firewalls and server rules. In short, block everything you can at your network edge.

Better still, have your upstream ISP block unnecessary and undesired traffic. For example, your ISP can make your life easier simply by upstream blackholing. And if you know your company will never need to receive UDP traffic, like Network Time Protocol (NTP) or DNS, your ISP should just toss garbage traffic into the bit bin.

You should also look to DDoS mitigation companies to protect your web presence. Companies such as Akamai, CloudFlare, and Incapsula offer affordable DDoS mitigation plans for businesses of all sizes.

As DDoS attacks grow to heretofore unseen sizes, even the DDoS prevention companies are being overwhelmed. Akamai, for example, had to stop trying to protect the Krebs on Security blog after it was smacked by a DDoS blast that reached 620 Gbps in size.

That’s fine for protecting your home turf, but what about when your DNS provider get nailed?

You can mitigate these attacks by using multiple DNS providers. One way to do this is to use Netflix‘s open-source program Denominator to support managed, mirrored DNS records. This currently works across AWS Route53, RackSpace CloudDNS, DynECT, and UltraDNS, but it’s not hard to add your own or other DNS providers. This way, even when a DDoS knocks out a single DNS provider, you can still keep your sites up and running.

Which ones will work best for you? You can find out by using Namebench. This is an easy-to-use, open-source DNS benchmark utility.

Even with spreading out your risk among DNS providers, DNS attacks are only going to become both stronger and more common. DNS providers like Dyn are very difficult to secure.

As Carl Herberger, vice president for security solutions at Radware, an Israeli-based internet security company, told Bloomberg, DNS providers are like hospitals: They must admit anyone who shows up at the emergency room. That makes it all too easy to overwhelm them with massive — in the range of 500 gigabits per second — attacks. In short, there is no easy, fast fix here.

One way you can try to keep these attacks from being quite so damaging is to increase the Time to Live (TTL) in your own DNS servers and caches. Typically, today’s local DNS servers have a TTL of 600 seconds or 5 minutes. If you increased the TTL to say 21,600 seconds or six hours, your local systems might dodge the DNS attack until it was over.


Protecting the internet

While the techniques might help you, they don’t do that much to protect the internet at large. DNS is the internet’s single point of total failure. That’s bad enough, but as F5, a top-tier ISP notes, DNS is historically under-provisioned. We must set up a stronger DNS system.

ISPs and router and switch vendors should also get off their duffs and finally implement Network Ingress Filtering, better known as Best Current Practice (BCP)-38.

BCP-38 works by filtering out bogus internet addresses at the edge of the internet. Thus, when your compromised webcam starts trying to spam the net, BCP-38 blocks these packets at your router or at your ISP’s router or switch.

It’s possible, but unfortunately not likely, that your ISP has already implemented BCP-38. You can find out by running Spoofer. This is a new, open-source program that checks to see how your ISP handles spoofed packets.

So why wasn’t it implemented years ago? Andrew McConachie, an ICANN technical and policy specialist, explained in an article that ISPs are too cheap to pay the small costs required to implement BCP-38.

BCP-38 isn’t a cure-all, but it sure would help.

Another fundamental fix that could be made is response rate limiting (RRL). This is a new DNS enhancement that can shrink attacks by 60 percent.

RRL works by recognizing that when hundreds of packets per second arrive with very similar source addresses asking for similar or identical information, chances are they’re an attack. When RRL spots malicious traffic, it slows down the rate the DNS replies to the bogus requests. Simple and effective.

Those are some basic ideas on how to fix the internet. It’s now up to you to use them. Don’t delay. Bigger attacks are on their way and there’s no time to waste.


Henry Sapiecha

Middle Eastern hackers employ this phishing technique to infect political targets with Trojan malware

‘Moonlight’ group is likely to be involved in cyber espionage, warns Vectra Networks.

White full moon atmosphere with star at dark night sky background

White full moon atmosphere with star at dark night sky background

The hacking group has been dubbed Moonlight due to references in code

A hacking group is conducting cyber espionage against targets in the Middle East by duping politicians, activists and staff at NGOs into clicking links to authentic-looking but fake versions of high-profile websites in the region, and then infecting them with malware.

The operation — dubbed ‘Moonlight’ by cyber security researchers, after the name the attackers chose for one of their command-and-control domains — has generated over two hundred samples of malware over the past two years and targets individuals via their private email accounts instead of their corporate ones, to increase the chances of a successful attack.

The attacks, which are themed around Middle Eastern political issues such as the war in Syria or the conflict in Palestine, have been unearthed by cybersecurity researchers at Vectra Networks, who say the tools and targets are reminiscent of the Gaza Hacker Team, a group of hacktivists said to be aligned with Hamas, the Palestinian militant Islamic group. The attacks are purely centered on Middle Eastern targets, with the text crafted in Arabic.

Moonlight typically delivers an obfuscated version of the widely available H-Worm, a malicious Visual Basic Script-based remote access Trojan. It isn’t sophisticated, but the effort the attackers put into their phishing attacks means that it’s effective.

“They put effort into lovingly crafting the emails, the websites, the documents they’ve created, putting a fair amount of effort and energy into it. But beyond that the underlying tech is off the shelf,” says Oliver Tavakoli, CTO at Vectra Networks, emphasizing how the attackers don’t need sophisticated hacking skills.

“It teaches you about the low degree of skill required to actually pull something like this off,” he adds.

As with other phishing schemes, those behind Moonlight are attempting to entice their target to click on malicious documents, which claim to contain information about issues and events in the Middle East, such as Hamas, Gaza, Syria, Egypt and other topics relevant to audiences in the Arab world.

moonlight-decoy-people-trafficing image

A decoy report on people trafficking.

Image: Vectra Networks

The lure is deployed as an EXE file, but rather than doing nothing but install malware when clicked on, Moonlight presents the victim with a relevant decoy, therefore avoiding suspicion that the document may be malicious.

Another method the attackers use to deploy malware is via malicious links that lead to fake but convincing versions of authentic Middle Eastern media organizations’ websites. Typically deploying the link via a shortened URL, the user is invited to click through to a news article based on current events in the Middle East. While it looks like the real deal, users will find themselves infected with malware.

The end result in each of these two attacks is that the victim — of which there have been hundreds — becomes infected with a Trojan that’s most likely used to conduct espionage. But rather than infecting corporate environments, it’s the personal email addresses and therefore home networks of victims which have been targeted, because they represent more vulnerable targets — and that’s reflected in unsophisticated nature of the malware itself.

“The obscuring that they did wasn’t of network communications, but of the actual exploit and malware they delivered. That leads me to believe that it’s not really targeted at employees of companies, but more at end users — politicians using their private emails or private machines, activists in the Middle East and NGOs,” says Tavakoli.

While the endgame of Moonlight and who is ultimately pulling the strings remains unknown, the group behind it is still active and still targeting individuals interested in political issues in the Middle East.

While those outside the Middle East aren’t likely to be targeted by Moonlight, it serves as a reminder that a well-crafted phishing attack can be almost indistinguishable from a real email. Nonetheless, there are still ways that targeted users and organizations can fight back.


Henry Sapiecha

The Dyn report: What we know so far about the planet’s biggest DDoS attack yet

The Internet of Things has been proven to be just as dangerous as we feared, with an assault from tens of millions of internet addresses & clogging up the works

We don’t know all the answers about the Distributed Denial of Service (DDoS) attack that blew away Dyn and its clients, but here’s what we do know.

close-up black web camera at the laptop

Close-up black web camera at the laptop

That innocent webcam on your desk may have attacked the internet.

First, there was nothing — nothing — surprising about this attack. As Paul Mockapetris, creator of the Domain Name System (DNS), said, “The successful DDoS attack on DYN is merely a new twist on age-old warfare. … Classic warfare can be anticipated and defended against. But warfare on the internet, just like in history, has changed. So let’s take a look at the asymmetrical battle in terms of the good guys (DYN) and the bad guys (Mirai botnets), and realize and plan for more of these sorts of attacks.”

This new twist came from the Internet of Things (IoT). Surprised? Please. We knew all along that not only could the IoT be used to attack networks, it would be used to target the internet.

IoT vendors must improve their security. Or, as Lyndon Nerenberg, an internet engineer, said on the North American Network Operators Group (NANOG), the professional association for internet engineering, architecture, and operations, mailing list, “The way this will get solved is for a couple of large ISPs and DDoS targets to sue a few of these IoT device manufacturers into oblivion.”

IoT vendors know this. Hangzhou Xiongmai Technology, the Chinese technology company that admitted its webcam and digital video recorder (DVR) products were used in the assault and recalled its webcams, is also threatening legal action against those that try to attach blame for the attack to its gear.

Of course, the ISPs and DNS providers deserve much of the blame as well. Their failure to implement Network Ingress Filtering, Best Current Practice (BCP)-38 and response rate limiting (RRL) played a large role in making the attacks possible.

The attacks themselves were in large part, as expected, driven by a Mirai botnet. Kyle York, Dyn’s chief strategy officer, reported, “The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

Let that sink in for a minute. Tens of millions of IP addresses. DDoS attacks of this size were unheard of even six months ago.


The attack itself came in three waves. York stated, “At 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different. Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast [Points of Presence] POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET. Again, at no time was there a network-wide outage, though some customers would have seen extended latency delays during that time.”

This understates the problem. Globally users reported problems for hours afterward and many Dyn-supported sites were unavailable until the late afternoon.

Finally, “there was a third attack attempted, we were able to successfully mitigate it without customer impact.”

That ended the largest DDoS attack of all time… so far. More will be coming.

As York concluded, “It is said that eternal vigilance is the price of liberty. As a company and individuals, we’re committed to a free and open internet, which has been the source of so much innovation. We must continue to work together to make the internet a more resilient place to work, play and communicate.”

If we don’t, the internet will fail.


Henry Sapiecha

FBI Tells Law Enforcement Police To Hide Phone Tracking of People

sweeping-under-the-carpet image

Your local police may use a controversial piece of technology—ominously dubbed a stingray—to track your phone. But, the FBI is taking pains to make sure you never find out. The agency encourages police to find additional evidence so that stingray technology never comes up in court, according to a new memo.

It’s no secret that law enforcement agencies scattered around the country use such devices—known as IMSCI catchers, or colloquially “stingrays”—which mimic cellphone towers and collect data, like phone numbers and location, from everyone in their vicinity. But that’s not because the FBI isn’t trying to hide that fact. The agency is so keen on keeping the devices from the public that it asks local police departments to sign nondisclosure agreements about their stingrays—leading to some cops trying withdrawing cases that rely on stingrays for evidence.

But thanks to an open records request from the investigative journalism nonprofit Oklahoma Watch, there’s finally evidence that’s the FBI’s specific plan. In a 2014 memo from FBI Special Agent in Charge James Finch to Oklahoma City Police Department Chief William Citty, the bureau issued very specific guidelines.

“Information obtained through use of this equipment is for LEAD PURPOSES ONLY, and may not be used as primary evidence in any affidavits, hearings or trials. This equipment provides general location information about a cellular device, and your agency understands it is required to use additional and independent investigative means and methods, such as historical cellular analysis, that would be admissible at trial to corroborate information concerning the location of the target obtained through use of this equipment.”

The memo reflects the controversial practice known as parallel construction, in which a law enforcement agency collects evidence on a suspect without first bothering with a warrant, as that evidence likely wouldn’t be admissible as evidence in court. Armed with that information, agents or officers build a strong enough case with legally admissible evidence that they don’t need to ever tell the court about that earlier information.

A 2013 Reuters report on the practice, for example, found that the U.S. Drug Enforcement Agency routinely receives intelligence from various intelligence services, including the NSA, about where to find a suspected criminal, and that the DEA would then be expected to work backward from there. “You’d be told only, ‘Be at a certain truck stop at a certain time and look for a certain vehicle.’ And so we’d alert the state police to find an excuse to stop that vehicle, and then have a drug dog search it,” one DEA agent said.

“This is the first time I have seen language this explicitly calling for parallel construction to conceal evidence derived from Stingray use,” Nate Wessler, a staff attorney at the ACLU who specializes in stingray use, told Vocativ.

“[T]his goes the outrageous extra step of ordering police to actually engage in evidence laundering,” he said. “As a result, defendants are denied their right to challenge potentially unconstitutional surveillance and courts are deprived of an opportunity to curb law enforcement abuses.”

Though stingray use in the U.S. has largely existed without much public knowledge, that scenario is quickly changing. In March, an appellate court ruled for the first time that it’s illegal for police to use stingrays without first getting a warrant.

The FBI didn’t respond to request for comment.


Henry Sapiecha

This Algorithm & Robots Decides Crime Cases Almost As Well As A Judge

A Robotic computer program could help relieve the massive backlogs facing the world’s highest courts

justice-scales-gif image

A computer algorithm took on the work of real human judges and did a pretty good job, predicting the decisions of one of Europe’s highest courts with 79 percent accuracy. The finding suggests artificial intelligence could help the world’s busiest courts work through their massive backlog of cases, even if an algorithm isn’t about to take up a digital gown and gavel and start actually deciding cases.

The AI analyzed cases tried before the European Court of Human Rights, which hears cases from people and groups who claim their civil or political rights have been violated in their home countries. An international team of computer scientists worked with a legal scholar to determine just how well AI could predict the court’s ultimate judgement based on how the written decision described the factual background of the case and the arguments of the parties involved. They found it agreed with the judges’ decision four of five times — and that the underlying facts of the case were by far the best predictor of the outcome of a case, rather than any of the more abstract legal arguments.

“The fact that we can get this accuracy, it means that there are some consistent patterns of violations that lead to overturning the [previous court’s] decision,” University of Pennsylvania computer scientist Daniel Preoţiuc-Pietro told Vocativ.

That suggests the court is typically less concerned with parsing philosophical questions of whether a specific instance is a human rights violation than it is determining how that situation fits into their already defined categories of violations. Preoţiuc-Pietro pointed to the example of people who allege mistreatment in prison as a situation that typically led to decisions in those people’s favor. “That’s definitely more likely for the court to actually accept that the state made a mistake and the people involved were actually justified,” he said.

More U.S. Military Wants Robots That Can Explain Themselves

The AI used what’s known as natural language processing to analyze the cases. This particular method involved looking at the text of a decision as a big bag of words, not worrying about any particular word order or grammar. Instead, the AI looked at what individual words and combinations of two, three, or four words appeared most frequently in the text, regardless of order. The AI then looked at all these combinations, known as N-grams, and clustered them into different overall topics.

The court’s decisions include lengthy sections recapping not only the factual background of the cases but also the original arguments made by the parties in the case. This gave the AI a broad sense of what each text was talking about and gave it the context necessary to predict the outcome of the case, which it did correctly in nearly four out of every five cases.

But that doesn’t mean the researchers are hoping to see AI judges anytime soon.

“We’re not advocating for automating any decisions,” said Preoţiuc-Pietro. “Decisions should still be made by the judges.” Where the AI can make a difference is in helping determining which cases make it to the judges in the first place.

More Artificial Intelligence Writes Extremely Bad Harry Potter Fan Fic

In 2015, the researchers found that nearly 85,000 petitions were submitted to the court, of which just 891 were actually decided upon. All the rest were thrown out as inadmissible, meaning the court couldn’t take them on and the previous decision by a lower court would have to stand. The European Court of Human Rights relies both on individual judges and committees to work through all these cases and figure out which are worth bringing to the actual court’s attention. Last year, that meant the entire court apparatus had to process more than 230 cases every single day, making it a huge challenge just to give each petition the human attention it deserves.

Artificial intelligence, by contrast, could zip through 85,000 petitions and decide which were most likely to be worth the court’s time, based on how similar each petition is to the court’s previous cases. Preoţiuc-Pietro suggested the algorithm could separate the cases into three groups based on the court’s prior history: those the court would likely rule on, those it likely would rule inadmissible, and those in a gray area. Committees could then devote more time to examining the cases already identified as being of uncertain status, rather than having them take valuable time doing all their own categorization.

“These committees are time-limited and beyond that very costly, so they can actually look at just the flagged cases which are more likely to be disputed and analyze them more thoroughly,” said Preoţiuc-Pietro, “while the others they can be sent for just individuals and they don’t need to be scrutinized by more people.”

The goal then wouldn’t be to take the human element out of the law, but instead the complete opposite: The European Court of Human Rights and other bodies like it would have more time to focus more time on its most difficult cases, while the AI would separate out the cases that would likely just get thrown out anyway.



Henry Sapiecha


Report: 1 in 2 American Adults are Already In Facial Recognition Network System

DMV records, plus a so-so approach to mugshot databases, puts half of the US in the country’s surveillance system

facial-recognition-network image

Half of all American adults are already in some sort of facial recognition network accessible to law enforcement, according to a comprehensive new study.

Conducted over a year and relying in part on Freedom of Information and public record requests to 106 law enforcement agencies, the study, conducted by Georgetown Law’s Centre on Privacy and Technology, found American police use of facial recognition technology is a scattered, hodgepodge network of laws and regulations.

More Inside The Government Centers Where The FBI Shares Intel With Police

“Looking at the sum total of what we found, there have been no laws that comprehensively regulate face recognition technology, and there’s really no case law either,” Clare Garvie, an associate at the CPT, told Vocativ. “So we find ourselves having to rely on the agencies that are using that technology to rein it in. But what we found is that not every system — by a long shot — has a use policy.”

That so many American adults are in at least one facial recognition database is largely due to the fact that at least 26 states, and likely more, share their Department of Motor Vehicles databases with the FBI, state police, or other law enforcement agencies, the study found. Compounded with that, police often have access to mugshot databases. Garvie’s study found that most law enforcement agencies don’t purge such records, even if the arrested suspect is found not guilty, unless a court orders it. The sole known exception is the Michigan State Police, which does expunge photos after a set amount of time.

facial-recognition-chart image

The report also found that more than one in four law enforcement agencies have access to some sort of facial recognition capability, meaning either that the agency possesses such software or it has some sort of partnership with a police intelligence agency that does. The West Virginia Fusion Center, for example, a Charleston-based coalition of federal and local law enforcement, possesses software that matches individuals in video footage with a database of still photographs. Not only does it share information with the FBI, West Virginia State Police, and city and county departments, it may grant access to 77 other fusion centers across the country.

More NY To Test Facial Recognition Cameras At ‘Crossing Points’

“These systems are used on law-abiding Americans without their knowledge or consent in most cases,” Garvie said.


Henry Sapiecha


Microsoft’s great achievement: AI that’s better than humans at listening… on phone devices

Microsoft’s latest speech-recognition record means pro human transcribers may be the first to lose their jobs to artificial intelligence. AI.

microsoftcortana770x449 image

Microsoft’s speech-recognition AI could eventually be used to enhance Cortana’s accessibility features, say, for deaf people. Image: Microsoft

Microsoft researchers have evolved a system that recognizes speech as accurately as a professional human transcriptionist.

Researchers and engineers from Microsoft’s Artificial Intelligence and Research group have set a new record in speech recognition, achieving a word error rate of 5.9 percent, down from the 6.3 percent reported a month ago.

The word error rate is the percentage of times in a conversation that a system, in this case a combination of neural networks, mishears different words. Microsoft’s system performed as well as humans who were asked to listen to the same conversations.

Microsoft sized its machines up against professional transcribers who were tasked with listening to the same evaluation data over the phone, which included two-way conversation data and a separate set where friends and family have open-ended conversations.

Humans and Microsoft’s automated systems scored 5.9 percent and 11.3 percent error rates, for the respective test data.

The scores are an umbrella figure for the results of three tests, comparing how many times Microsoft’s system and the human transcribers wrongly substituted sounds, dropped a word from a sentence, and or inserted the wrong word.

As Microsoft notes in the paper, humans and the automated system mostly fumbled over the same sounds in the tests, with the exception of “uh-huh” and “uh”.

Microsoft’s system was confused by the sounds “uh-huh”, which can be a verbal nod for someone to go ahead speaking, and “uh”, used as a hesitation in speech. The utterances sound the same but have opposite meanings, which humans had far fewer problems identifying than Microsoft.

chatimity-team-freshdesk image

Freshdesk makes sixth acquisition to build enterprise AI chatbots

Customer engagement software provider Freshdesk has acquired social chat platform Chatimity to strengthen its AI chatbot capabilities.

The transcriptionists, for some reason, frequently dropped the letter ‘I’ from two-way conversations, and did so far more often than Microsoft’s AI.

Overall, Microsoft notes, humans had a lower substitution rate, and higher deletion rate, while both humans and machine produced a low number of insertions.

“The relatively higher deletion rate might reflect a human bias to avoid outputting uncertain information, or the productivity demands on a professional transcriber,” Microsoft speculates.

Still, to achieve parity with a human in this test was an “historic achievement”, said Xuedong Huang, Microsoft’s chief speech scientist.

Improved automated speech-recognition systems could be used in speech-to-text transcription services and enhance Cortana’s accessibility features, say, for deaf people. However, that prospect still appears to be some way off.

Microsoft used 2,000 hours of training data to equip its neural networks for the task. It claims that by parallelizing the data with its AI Computational Network Toolkit on a Linux-based multi-GPU server farm, it was able to cut down training times from months to under three weeks.

Despite the milestone, Microsoft admits it’s still a long way from achieving speech recognition that works well in real-life settings with lots of background noise.

For example, as a live transcription service it’s not yet possible to identify and assign names to multiple speakers who may have different accents, ages, and backgrounds. However, the company says it’s working on the technology, which could open up a whole set of possibilities.

Read more about speech recognition


Henry Sapiecha

Spying the new hacking method: Here’s how to retaliate

shadowy-virtual-reality-figure image

How can businesses defend themselves from hackers using traditional espionage techniques?

Education goes a long way to protect yourself from the wide variety of cyberthreats out there.

Once upon a time it was much easier to stay safe online; as long as you used an up-to-date antivirus package and were careful how you acted on the internet, you could expect to stay safe.

But now things have changed: new forms of malware and viruses appear every single day. Meanwhile the rise of social media means everything from your pet’s name to what you did at the weekend is online and could be exploited by cybercriminals to hack your devices and services.

Increasingly cybercriminals are using spying techniques better associated with intelligence agencies to identify relevant information about you and your life and turn that around to attack you.

“There are no hackers, they’re all gone — there are only spies,” says Eric O’Neill, national security strategist for Carbon Black and a former FBI counter-intelligence operative.

“The new hackers are using traditional espionage techniques and they’re blending it with advanced cyber penetrations in order to steal information,” he says, adding “just ask the DNC”.

Antivirus software was previously able to react to malicious activity but according to O’Neill, the rise of phishing and other social engineering techniques means companies are becoming more vulnerable to hackers than ever.

Ultimately, he argues, if a person can’t tell if any email is bogus — and in many cases they can’t — then antivirus has no chance.

“Antivirus can’t stop spear phishing if I’m going to leverage spy tradecraft, if I’m going to learn about you and learn everything I can from your social media accounts. And when I send a spear phishing email to you, it’s going to look like it’s from one of your pals. Once [cybercriminals] get in [to your devices], they get a foothold and antivirus isn’t going to touch that,” he says.

So how can you stay safe from these threats? For a start, don’t uninstall that antivirus yet because it still has a role to play.

“Many attacks can be ruled out by antivirus clients,” says Dr. Siraj Ahmed Shaikh, reader in cybersecurity at Coventry University.

At the most fundamental level, some sort of protection software is still required for any computer connected to the internet, especially when you consider the sheer amount of systems shipped and the amount of patching which is required to ensure they’re up-to-date.

“The role of a traditional antivirus is still useful because when you buy a computer, it’s already out of date because there have been so many patches since the software was released. Antivirus at least does a good job of raising the threshold, raising the minimum bar of our security systems,” says Dr. Shaikh.

But if protective software can’t be relied on to detect sophisticated attempts at coercion, how do we begin to take on the threat posed by cybercriminals attempting to trick people with espionage? The answer lies in education — training people to recognise what might be suspicious and reporting it.

“It’s about raising awareness that these emails are coming in and how sophisticated they can be. It’s about using examples, showing these emails, and breaking them down to show where the red flags are,” says cybersecurity consultant Dr Jessica Barker.

It’s also important to teach people that in the vast majority of cases, only those with malicious intent will ask for credentials and passwords to be sent over email. Even within an organisation, it’s unlikely that another department is going to ask for your login credentials over email.

“It’s about encouraging people that no company will ask you for your login details — but if they do, you should find another way of contacting them,” she says, detailing a simple way people can avoid falling victim to a phishing attempt. Within an organisation, that’s as simple as talking to the department where the email is said to be from.

It’s also important to make sure employees are aware they can come forward if they think they’ve fallen victim to phishing, because no matter what training is provided, it just takes one person clicking on a malicious link or accidentally providing corporate credentials to a criminal to breach a whole corporation’s network.

“What you need to do is build a culture when someone can immediately report that they’ve clicked a link they’re worried they shouldn’t have, and people feel safe to question and not be punished,” says Dr Barker. An organisation taking this approach can then move to minimise damage sooner rather than later.

“If you have an incident like that, where you get a phishing email and someone clicks the link, you can respond quickly and minimise the damage, whereas if someone doesn’t speak up, it’s harder to mitigate any damage.”

For O’Neill however, there’s only one way that the enterprise and cybersecurity providers will ensure that they remain secure — and that’s by using a similar level of intelligence to defend organisations.

Serious security: Three changes that could turn the tide on hackers

hacker-at-work image

We’re all guilty of making security an afterthought. We need to change that attitude, and fast.

“We need to think about spies, leverage human intelligence, not just machines. We need to start with human intelligence and use software to augment that,” he says.

We’re told data breaches cost millions on average – but this security study disagrees


New research suggests that the average cost of data breaches is lower than many estimates and too low to drive greater investment in cybersecurity.

Read more on cybersecurity


Henry Sapiecha


Courts gave Hacker who gave Isis ‘hitlist’ of US targets 20 years in prison

Do the crime do the time.Good to see.Let this be an example of what the courts can, will & do do to these masked ISIS cowardly terrorists & their support groups. These lessons should be learned by all who deliberately or inadvertently create danger to a country & its people or threaten national security.

internet-hacker image

Ardit Ferizi struggles to explain why he sent extremist group the details of hundreds of US government and military officials

Ardit Ferizi, a 20-year-old native of Kosovo, is the first person convicted in the US of both computer hacking and terrorism charges Photograph: Dominic Lipinski/PA

A hacker who helped Islamic State by providing the names of more than 1,000 US government and military workers as potential targets was sentenced on Friday to 20 years in prison.

The sentence was much higher than the six-year term sought by defense lawyers, who argued their client, Ardit Ferizi, meant no real harm and was not a true Isis supporter.

“He was a nonsensical, misguided teenager who did not know what he was doing,” said public defender Elizabeth Mullin. “He has never embraced Isil’s ideology.”

Ferizi, a 20-year-old native of Kosovo who was arrested last year in Malaysia, is the first person convicted in the US of both computer hacking and terrorism charges. He admitted hacking a private company and pulling out the names, email passwords and phone numbers of about 1,300 people with .gov and .mil addresses. Isis published the names with a threat to attack.

At Friday’s sentencing hearing, Ferizi struggled to explain why he did it, when asked directly by US district judge Leonie Brinkema for an explanation. He said that it all happened very quickly.

“I feel so bad for what I did,” he said. “I am very sorry for what I did, making people feel scared.”

Prosecutors asked for the maximum sentence of 25 years.

Assistant US attorney Brandon Van Grack said: “The defendant’s conduct has indefinitely put the lives of 1,300 military members and government workers at risk.”

He disputed the idea that Ferizi’s crime was a whim. Before turning over the names to the “Islamic State hacking division” last year, he operated a website devoted to propagating Isis propaganda. In online conversations, Ferizi defended Isis, and when he gave the 1,300 identities to the group, he knew he was putting them in would-be terrorists’ crosshairs, Van Grack said.

“This was a hitlist. The point was to find these individuals and hit them, to ‘strike at their necks’,” Van Grack said, mimicking the language Isis used when it published the names.

Van Grack quoted a letter from one of the victims, who said she had an easily identifiable name and was now nervous when she interacted with Muslims, something she felt guilty about. And Van Grack cited another terrorism case in northern Virginia, in which the defendant, Haris Qamar, allegedly used a hitlist, similar to the one Ferizi created, to stake out the homes of two neighbors in the town of Burke.

Mullin countered that nobody on the list has actually been harmed, and said much of the information Ferizi helped disseminate was publicly available anyway.

Court papers describe a difficult life for Ferizi, who was nominally raised as a Muslim and was just four years old when Nato airstrikes forced Serbian forces to withdraw from the territory, which subsequently became independent. Ferizi’s uncle was murdered and his father was kidnapped during the war, according to letters written by Ferizi’s family.

As a teenager, Ferizi got in trouble for hacking into Kosovar government databases, but he avoided jail. Ferizi went to Malaysia to study cybersecurity, but continued his hacking activities and developed worsening mental health problems, defense lawyers said.

He met an Isis recruiter on the internet while he was trying to expose online pedophiles, his lawyers said.


Henry Sapiecha