STE WILLIAMS

Xori Adds Speed, Breadth to Disassembler Lineup

A new open source tool, introduced at Black Hat USA, places a priority on speed and automation.

One of the problems in malware analysis is that there’s just so much malware to analyze. An automated disassembler would help, but that would require writing an automated disassembler — which is what Amanda Rousseau and Rich Seymour did when they built Xori.

In their Black Hat USA presentation, Rousseau and Seymour described the reasoning behind writing Xori, the process of building the software — and the results that come from the effort. “I’m constantly looking at tons and tons of samples and I need to reverse them fast,” said Rousseau, senior malware researcher at Endgame, in an interview before the conference. When told by her boss that there were a thousand samples to be analyzed, she decided that automation was the only real answer.

Rousseau enlisted Seymour, a senior data scientist at Endgame, to help with development. He began, he said, with the parser. “I started writing that parser while Amanda was working on disassembly — what you can do on just raw bytes — and we sort of met in the middle,” he explained.

Speed, in both process and execution, was a primary objective of Xori, and Seymour said that they were successful in that objective. “Xori can process a thousand samples on a five-year-old computer I had under my desk in 20 minutes,” he said, noting that it’s not doing complete analysis, but what it is doing is disassembly in far less than the six hours per sample earlier methods required. “It can process [samples] at about a second per sample,” he said.

The processing results in a GUI output that presents the sample as a flowchart, or sequence of boxes that show the elements of the malware and the connections between them. Xori doesn’t stop there, however. “Besides making that flowchart for you, it also tries to enhance and annotate as much of the code as possible so you don’t have to really get into the actual assembly instructions themselves unless you really have to,” Seymour explained.

Getting to this point required considerable effort. Asked about the work, Rousseau laughed, saying, “Many, many nights! I couldn’t turn off my brain. Every day from 9 am until, oh, 10 pm, doing manual verification, learning the language, learning Rust, period, and trying to learn and trying to read the Intel manual,” she said.

Rust itself was a choice that had implications for Rousseau. “It kind of started under the Mozilla umbrella, but it’s since blossomed into a really great language and community that rides the line between strict type safety and academic languages, and then sort of the classic C/C++ type programming,” she explained.

One major difference between Xori and other disassemblers is that Rousseau and Seymour wrote their tool to provide basic screening of as many samples, in as short a time, as possible. Other disassemblers tend to focus on going deeply into a single sample, no matter how long that effort takes. Now, Rousseau said, “It’ll be good to put this out there as open source. Hopefully folks will not be afraid to contribute because I think it really does have a lot of potential.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/threat-intelligence/xori-adds-speed-breadth-to-disassembler-lineup/d/d-id/1332530?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WhatsApp security snafu allows sneaky ‘message manipulation’

Researchers claim to have uncovered weaknesses in WhatsApp that can be potentially exploited to manipulate messages in private and group conversations.

Eggheads at Israeli security firm Check Point this week described how, with some social engineering trickery and custom extensions for popular network-packet-twiddling toolkit Burp Suite, they can apparently:

  1. Alter the text of someone’s reply on your phone, essentially putting words in their mouth.
  2. Use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.
  3. Send a private message to another group participant that is disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.

Essentially, you can potentially fake message content, quote it back, and sow the seeds of all sorts of confusion. All the techniques involve social engineering tactics to hoodwink marks, as well as obtaining your public-private key pair from WhatsApp, as explained at some length in a blog post by Check Point’s Dikla Barda, Roman Zaikin, and Oded Vanunu right here.

There’s also a video illustrating the approach, as embedded below.

Youtube Video

Kevin Bocek, chief cybersecurity strategist at machine identity protection vendor Venafi, told us: “This was a serious flaw and it’s made possible thanks to machine identities – encryption keys and digital certificates that enable privacy and authentication between our devices, apps, and clouds.”

El Reg asked Facebook-owned WhatsApp to comment, and we’re yet to receive a response. We’ll update this story as and when more information comes to hand. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/09/whatsapp_message_manipulation/

Discover which dangers lurk ahead – at Sophos’ ‘See the Future’ event

Promo Cybersecurity software firm Sophos is inviting IT professionals to “See the Future” at The Brewery, near the Barbican in London, on Tuesday 9 October.

Starting at 8.45am and continuing until 4.15pm, this free event will include lunch in elegant 18th-century surroundings. In between talks and breakout sessions, the experts from Sophos will cover everything from the latest ransomware threats to current trends in IT security and how to future-proof your organisation.

Attendees will gain an insider’s view on the company’s latest technology developments, the innovations it has in the pipeline and its business strategy.

Sophos CEO Kris Hagerman and Dan Schiappa, Senior Vice President and General Manager of Products, will be the main speakers. They will also be available for informal talks and questions.

Likely to be the star attraction will be keynote speaker Alexis Conran, best known for his appearances on The Real Hustle, the BBC3 programme exposing scams and cons. Cook, raconteur, magician, card-shark and hustler, Alexis will tell you everything you need to know about risk, communication and body language.

Curious about today’s threat landscape? In this breakout session, a virtual tour of SophosLabs will give attendees an insight into the current threat landscape and its impact on IT security. See a live demonstration of some of the data and bespoke systems SophosLabs uses to fend off today’s threats.

Crypto-ransomware looms over the threat landscape, not only fooling up-to-date anti-spam and web gateway appliances, but endpoint antivirus defences as well. Attend this breakout session to learn its history and explore today’s crypto-ransomware attacks. An overview of this shape-changing predator will benefit your wallet as well as your organisation’s productivity and intellectual property.

Phishing attacks have seen a meteoric rise in the last year as attackers continue to share successful attack types. Find out how they have taken advantage of malware-as-a-service offerings on the dark web to step up attacks.

Register here to secure your place.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/09/discover_the_lurking_dangers_ahead_at_sophos_see_the_future_event/

Oh, fore putt’s sake: Golf org PGA bunkered up by ransomware attack just days before tournament

The Professional Golfers’ Association of America (PGA) was hit by ransomware just before one of the sport’s biggest pro events, which teed off on Thursday.

Scrambled files on its infected computers include “creative materials” for this week’s PGA Championship as well as next month’s Ryder Cup, Golf Week reported.

The software nasty struck on Tuesday, August 7, demanding the association transfer crypto-coins into a given Bitcoin wallet to restore the encrypted documents. The malware’s masterminds reportedly offered to decrypt two files for free as a confidence-building measure.

Online speculation suggests the ransomware may be a strain of BitPaymer; however, this remains unconfirmed. BitPaymer recently hit the offices of a number of US municipalities, including one in the Alaskan region of Matanuska-Susitna, whose workers were forced to fall back on typewriters after their computers became unusable.

A spokesperson for the PGA told The Register today: “This is an ongoing situation, so we have no comment.”

Targeted

BitPaymer infects Windows PCs, and typically spreads by brute-forcing its way into machines via RDP services. It was first spotted in July 2017, and became widely known after hitting Scottish hospitals a month later.

Allan Liska, senior security architect at threat intel biz Recorded Future, said that based on the ransom note, BitPaymer seems the most likely culprit.

The ransomware is believed to have been developed by the Dridex team, the same group responsible for the Locky ransomware, Liska added. “Unlike Locky, which was primarily delivered via phishing attacks, BitPaymer is generally delivered as part of an exploitation campaign, most often initiated through internet-facing RDP servers,” he said. “The Dridex team will either exploit unpatched RDP systems or brute force common username/password combinations.”

Recovering from BitPaymer attacks is difficult, Liska added.

“At this time, there is no way to decrypt files encrypted by BitPaymer without paying the ransom, so files need to be restored from backups,” he warned. “The best defense against BitPaymer is to scan your internet-facing systems to ensure there are no publicly accessible RDP servers and to ensure that antivirus and advanced endpoint protection is up to date.” ®
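Liska’s description of the entry point (brute-forced internet-facing RDP) suggests a detection check a defender can run over authentication logs. This is an added example, not code from Recorded Future or The Register: it works on constructed sample lines in a simplified one-line rendering of Windows Security events (4625 failed logon, 4624 successful logon, LogonType 10 = RDP); the burst threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample: one burst of RDP failures from a public address followed
# by a success, a user mistyping a password internally, and a burst of
# network (LogonType 3) failures that is not RDP and so is left alone here.
SAMPLE_LOG = """\
2018-08-07T02:14:01 EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2018-08-07T02:14:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2018-08-07T02:14:06 EventID=4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
2018-08-07T02:14:09 EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2018-08-07T02:14:12 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2018-08-07T02:14:15 EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2018-08-07T02:14:40 EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2018-08-07T08:01:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.5
2018-08-07T08:01:30 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.5
2018-08-07T08:02:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.5
2018-08-07T09:00:00 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=203.0.113.9
2018-08-07T09:00:01 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=203.0.113.9
2018-08-07T09:00:02 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=203.0.113.9
2018-08-07T09:00:03 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=203.0.113.9
2018-08-07T09:00:04 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse(lines: List[str]) -> List[dict]:
    """Turn the one-line events into dicts; lines in another shape are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "user": m["user"].lower(),
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(lines: List[str], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Flag source IPs with >= threshold RDP logon failures inside one window.

    A success from the same source after the burst is the pattern Liska
    describes (guessed credentials that worked) and is rated critical.
    """
    by_ip = defaultdict(list)
    for ev in parse(lines):
        if ev["ltype"] == 10:                      # RemoteInteractive = RDP
            by_ip[ev["ip"]].append(ev)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event"] == 4625]
        burst_end = None
        # Sliding window over consecutive failures, oldest first.
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1]["ts"] - failures[i]["ts"] <= window:
                burst_end = failures[i + threshold - 1]["ts"]
                break
        if burst_end is None:
            continue
        users = sorted({e["user"] for e in failures})
        success_after = any(e["event"] == 4624 and e["ts"] >= burst_end for e in evs)
        findings[ip] = {
            "failures": len(failures),
            "distinct_users": len(users),
            "users": users,
            "success_after_burst": success_after,
            "severity": "critical" if success_after else "high",
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, finding)
```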

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/09/pga_golf_ransomware_attack/

Crims hacked accounts, got phones, resold them – and the Feds reckon they’ve nabbed ’em

A dozen people have been indicted in America for allegedly fencing more than $1m in smartphones and other kit obtained via hacking and fraud.

Geoffrey Berman, the US Attorney for the Southern District of New York, and Angel Melendez, the Special Agent in charge of the New York Office of the US Immigration and Customs Enforcement’s Homeland Security Investigations unit, on Thursday announced the charges, which cover fraud allegations from 2014 through the present.

Melendez in a statement said the individuals involved operated in New York, the Dominican Republic, and on the internet. “Their activities left a trail of unsuspecting victims across the United States and cost businesses significant losses,” he said. “They traveled to 30 states to obtain cellphones that were later sold through fencing operations in the Bronx.”

According to the indictment, the crew allegedly focused on breaking into customer accounts at cellular providers, usually to obtain iPhones but also sometimes to acquire iPads, watches, or other gear:

The fraud ring frequently obtained new phones or ‘upgrade’ phones by paying only a small fee in the store, while charging the vast majority of the purchase price to existing customers’ accounts, without the knowledge or consent of the customers.

At other times, the scheme involved the creation of fictitious accounts to obtain phones.

Seven of the 12 individuals charged have been arrested – Mario Diaz, Tomas Guillen, Jose Argelis Diaz, Jhonatan Diaz, Eddy Morrobel, Rayniel Robles, and Ronnie De Leon – and five remain at large – Isaac Concepcion Aquino, Joel Pena, Ruddy Sanchez, Michael Roque, and Joandra Tejada Gonzalez.

They’ve each been charged with conspiracy to commit wire fraud and aggravated identity theft.

The techniques by which these individuals effected the alleged fraud varied. They included: buying mobile subscriber personal information using Bitcoin; sending phishing links to mobile subscribers to compromise their accounts; presenting fake identification documents to retail store salespeople; and social security fraud, which sometimes involved using social security numbers belonging to a person with the same name as the fraudster to acquire phones using the victim’s credit.

IP freely

To take down the alleged ring, authorities executed a search warrant on a residence in Mt Vernon, New York, on August 15, 2017. Two IP addresses linked with the residence were associated with at least 3,300 cell phone accounts at an unidentified service provider.

The complaint indicates that a former member of the gang, previously convicted of a felony, provided the Feds with details about the residence as part of a cooperation effort to obtain a more lenient sentence.

SIM swapping

The charges come as two people have been collared – one in Florida, the other in California – for allegedly pulling off so-called port-out scams, in which a victim’s cellphone number is transferred to a miscreant’s SIM card.

This technique allows thieves to intercept marks’ two-factor authentication tokens, empty bank accounts and crypto-wallets, and so on.

Six of the individuals charged were present at the time of the raid, the indictment claimed. Items seized under a search warrant included 12 computers, 5 iPads, receipts from Western Union and MoneyGram transactions, evidence of Bitcoin and bank transactions, and several SIM cards.

A 15-minute Spanish-language video on how to commit cell phone fraud was found on one of the computers, along with other information pointing to the involvement of device users in fraud, the Feds alleged. Various Google searches noted by investigators suggest an interest in phone fraud among users of the devices.

One of the charged individuals, Ronnie De Leon, was tracked on a December 2, 2017, trip from Wisconsin to Bloomington, Minnesota, through a license plate reader. His recorded location in Minnesota, according to the complaint, was a 20-minute drive from Roseville, Minnesota, where a fraudulent iPhone purchase was made that same day under De Leon’s name and a fraud victim’s mobile account.

When De Leon was arrested on December 5, the complaint claimed, police saw mobile account change notifications linked to a fraud victim’s account on his home screen, without needing to unlock the device.

Each of the individuals indicted, if convicted, faces a maximum penalty of 20 years for conspiracy to commit wire fraud and two years for aggravated identity theft. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/09/phone_fraud/

PGA of America Struck By Ransomware

Hackers provided a Bitcoin wallet number, though no specific ransom amount was demanded, for the return of files.

While golfing fans have been all about this week’s PGA Championship, extortion-minded hackers were more focused on the PGA of America’s computer servers.

On Tuesday, employees at the sporting organization found themselves locked out of files relating to marketing materials for this week’s event, in Missouri, and next month’s Ryder Cup in France.

According to Golfweek, “Staff realized Tuesday morning that their systems had been compromised when attempts to work on the files generated an ominous message: ‘Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm [sic].'”

They were also warned not to try to break the encryption or else they might not be able to get back certain files.

The PGA said it won’t respond to extortion demands; the hackers had included a Bitcoin wallet number, though no specific ransom amount was demanded. The situation remains unresolved as of yesterday.

Read more details here


Article source: https://www.darkreading.com/attacks-breaches/pga-of-america-struck-by-ransomware/d/d-id/1332523?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Weakness in WhatsApp Enables Large-Scale Social Engineering

Problem lies in WhatsApp’s validation of message parameters and cannot be currently mitigated, Check Point researchers say.

Researchers at Check Point Software Technologies say they have discovered a dangerous weakness in the WhatsApp messaging app that gives threat actors a way to manipulate content in private and group conversations on the platform without raising any red flags.

The security vendor this week published a report demonstrating how an adversary could exploit the issue to change the identity of a message sender, alter the text of message replies, and send private messages spoofed as a public message to individual participants in a group.

In a statement, a spokeswoman for the Facebook-owned WhatsApp said the company had reviewed the issue and found it to be the equivalent of someone altering an email to make the content appear like something a person never wrote. “This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp,” the statement noted. 

But Oded Vanunu, head of product vulnerability research at Check Point, says his company has not claimed the issue has anything to do with the security of WhatsApp’s encryption at all. By raising the encryption issue, WhatsApp is only deflecting attention from the real problem: a fundamental weakness that exists in WhatsApp’s validation of key message parameters.

The weakness gives attackers a way to manipulate key attributes of a WhatsApp message before it is encrypted. For example, an attacker could use the “quote” feature in a group conversation to change the identity of the sender, even if that person is not a member of the group. Or they could exploit the weakness to alter the text of another person’s reply to make it appear as if they said something they never did. An attacker could also exploit the issue to trick a targeted individual into thinking they are sharing information in a private conversation when in reality it is visible to everyone else in a group.

In each case, the manipulation happens before the encryption happens — but since WhatsApp does not have a way to catch this manipulation, the altered messages simply get encrypted and delivered to the recipient. “The encryption works as expected,” Vanunu says. “The manipulation exists before the encryption via message parameters.”

WhatsApp currently has some 1.5 billion users, 450 million of whom use it daily to send text messages, share images and video, and make phone and video calls. WhatsApp is used widely not just by consumers but also by businesses and governments for sensitive conversations involving confidential information and other data that could even end up being used in a court of law, Vanunu says. Therefore, the potential for threat actors to exploit the weakness to carry out social engineering on a massive scale is very real, he says.

He points to recent incidents in India, where WhatsApp-borne rumors resulted in the lynching of several innocent people, and a disinformation campaign in Brazil involving the yellow fever vaccine as examples of how the platform already is being abused for social engineering. “We are talking about 65 billion messages sent every day,” he says. “We want people to understand that WhatsApp messages can be manipulated to trigger fake news.”

Vanunu describes the problem as a fundamental design issue in WhatsApp that currently cannot be mitigated. He says Check Point used a commonly available tool for intercepting network packets to understand how WhatsApp’s protocol works, and it quickly identified the parameters that are actually sent between the mobile version of WhatsApp and the web version.

The parameters of particular interest were “conversation,” which pertains to the actual content being sent or received; “participant,” referring to the message sender; “fromMe,” indicating if the user personally sent the message or someone else did; “remoteJid,” indicating the group or contact to which the message is sent; and “id,” the identity associated with the data.

Check Point found that it could relatively easily manipulate the parameters either via the browser in the web version of WhatsApp or by using an automated tool it developed to intercept and manipulate the communication between the mobile and web versions of the app.

“The mobile app is the back end if you are using WhatsApp Web,” he says. Everything that a user does on WhatsApp Web is synced directly with his or her mobile device. When a user sends a message on WhatsApp Web, the message is actually being sent from the mobile device, and that is where the encryption happens. What Check Point discovered is that if someone manipulates the parameters via the browser or automated tool and hits the “send” button on a message, the mobile app just encrypts and sends the message without any validation.
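The missing step the article describes is a validation pass on the mobile side before encryption. The following is an added example, not WhatsApp’s code or Check Point’s tooling: a hypothetical model of such a check using the parameter names quoted above (conversation, participant, fromMe, remoteJid, id), with the quote representation, session state and all identifiers constructed; it covers the altered-reply and spoofed-sender scenarios and does not model the private-as-public one.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class OutgoingMessage:
    """Fields named after the parameters quoted in the article; the quoted_*
    fields are an assumed representation of the "quote" feature."""
    conversation: str                    # message body
    participant: str                     # claimed author
    fromMe: bool                         # this device claims authorship
    remoteJid: str                       # destination group or contact
    id: str                              # message identifier
    quoted_id: Optional[str] = None      # id of the message being quoted
    quoted_participant: Optional[str] = None
    quoted_text: Optional[str] = None


@dataclass
class SessionState:
    """What the mobile app already knows and can check against (assumed)."""
    my_jid: str
    groups: Dict[str, Set[str]]                     # group -> member JIDs
    contacts: Set[str]
    history: Dict[str, Dict[str, Tuple[str, str]]]  # chat -> id -> (author, text)
    sent_ids: Set[str] = field(default_factory=set)


def validate_before_encrypt(msg: OutgoingMessage, state: SessionState) -> List[str]:
    """Return the reasons to refuse the message; an empty list means accept."""
    problems: List[str] = []

    # The device may only author messages as its own identity.
    if not msg.fromMe or msg.participant != state.my_jid:
        problems.append("participant/fromMe do not match this device's identity")

    # The destination must be a chat this device actually knows.
    is_group = msg.remoteJid in state.groups
    if not is_group and msg.remoteJid not in state.contacts:
        problems.append("remoteJid is not a known group or contact")

    # Message ids must be fresh within the chat.
    chat_history = state.history.get(msg.remoteJid, {})
    if msg.id in state.sent_ids or msg.id in chat_history:
        problems.append("message id already used in this chat")

    # A quote must reproduce the stored original exactly (same author, same
    # text) and the quoted author must belong to the group it is posted in.
    if msg.quoted_id is not None:
        original = chat_history.get(msg.quoted_id)
        if original is None:
            problems.append("quoted message id not found in this chat")
        else:
            orig_author, orig_text = original
            if msg.quoted_participant != orig_author:
                problems.append("quoted sender does not match stored original")
            if msg.quoted_text != orig_text:
                problems.append("quoted text does not match stored original")
        if is_group and msg.quoted_participant not in state.groups[msg.remoteJid]:
            problems.append("quoted sender is not a member of this group")
    return problems


def accept_and_send(msg: OutgoingMessage, state: SessionState) -> bool:
    """Gate in front of encryption: only a clean message is handed on."""
    if validate_before_encrypt(msg, state):
        return False
    state.sent_ids.add(msg.id)
    return True


# Constructed sample state and messages (all identifiers are made up).
STATE = SessionState(
    my_jid="alice@example",
    groups={"team@group": {"alice@example", "bob@example", "carol@example"}},
    contacts={"bob@example", "carol@example"},
    history={"team@group": {"m1": ("bob@example", "Let's ship on Friday")}},
)
LEGIT_REPLY = OutgoingMessage("Agreed", "alice@example", True, "team@group", "m2",
                              quoted_id="m1", quoted_participant="bob@example",
                              quoted_text="Let's ship on Friday")
# Article scenario: the text of the quoted reply has been altered.
ALTERED_REPLY = OutgoingMessage("Agreed", "alice@example", True, "team@group", "m3",
                                quoted_id="m1", quoted_participant="bob@example",
                                quoted_text="Let's cancel the launch")
# Article scenario: the quote is attributed to someone outside the group.
SPOOFED_SENDER = OutgoingMessage("Really?", "alice@example", True, "team@group", "m4",
                                 quoted_id="m1", quoted_participant="mallory@example",
                                 quoted_text="Let's ship on Friday")

if __name__ == "__main__":
    for m in (LEGIT_REPLY, ALTERED_REPLY, SPOOFED_SENDER):
        print(m.id, validate_before_encrypt(m, STATE) or "ok")
```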

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/weakness-in-whatsapp-enables-large-scale-social-engineering/d/d-id/1332524?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

AWS Employee Flub Exposes S3 Bucket Containing GoDaddy Server Configuration and Pricing Models

Publicly accessible S3 bucket included configuration data for tens of thousands of systems, as well as sensitive pricing information.

Editors’ note: This article and its headline were updated to correct details about ownership of the S3 bucket and its contents.

Another week, another publicly accessible AWS storage cloud found to be leaking enterprise secrets. This time around, the company exposed was GoDaddy – but in a twist on the normal storyline, it was an AWS employee who was responsible for the misconfiguration. Researchers with the UpGuard Cyber Risk Team today disclosed that they found an Amazon S3 bucket wide open for public consumption.

Included within that data store were documents that detailed configurations for tens of thousands of systems in the AWS cloud. Additionally, documents with pricing information about these systems were similarly accessible. 

“Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields,” UpGuard’s researchers reported. “Also included were what appear to be GoDaddy’s discounts from Amazon AWS, usually restricted information for both parties, who must negotiate for rates.”

Exposures such as these have become extremely prevalent. In this year alone, organizations including Accenture, FedEx, and Walmart have all been similarly exposed. Even though Amazon S3 buckets are securely configured by default, many AWS customers tend to turn off security settings for expedience. In an unusual turn of events, this particular exposure was caused not by GoDaddy but by an AWS employee.  

“The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer,” an Amazon spokesperson said. “No GoDaddy customer information was in the bucket that was exposed. While Amazon S3 is secure by default, and bucket access is locked down to just the account owner and root administrator under default configurations, the salesperson did not follow AWS best practices with this particular bucket.”

According to one study earlier this year by Digital Shadows, researchers estimated that 1.5 billion sensitive files were visible on the internet from misconfigured S3 buckets, NAS devices, FTP servers, and other cloud storage systems.

Configuration information such as that detailed in the exposed documents could potentially provide attackers with a wealth of information, including data about hostname, operating system, memory, CPU, AWS region, and what the specific workloads were being used for. This would be extremely valuable for attackers seeking to map out GoDaddy infrastructure to help direct future malicious activity and find particularly juicy targets. 

However, a spokesperson with GoDaddy explained that the documents exposed were “speculative models from an AWS employee and do not reflect work currently underway with Amazon.”

Nevertheless, the pricing data exposed by this incident could have been used for competitive advantage by GoDaddy rivals, technology service vendors, and cloud providers.

“Knowing the details of GoDaddy’s AWS discounts could give others a negotiation advantage and price point that would otherwise be unknown,” the report explains. “Furthermore, the way in which GoDaddy allocates their cloud spend is also strategic – this is a blueprint for running cloud infrastructure at the largest scales.”


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/attacks-breaches/aws-employee-flub-exposes-s3-bucket-containing-godaddy-server-configuration-and-pricing-models/d/d-id/1332525?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Fortnite for Android goes “off market” – is that good or bad? [VIDEO]

Fortnite is a mega-popular, fight-the-demons, post-apocalyptic video game, and it’s about to come out on Android.

Thing is, the company that created it, Epic Games, just announced that it won’t be publishing it via Google Play, the market where most users – in the Western hemisphere, anyway – get most of their apps.

For many users, this may be their first experience going “off market”, a process that Google permits, but only after showing you a dire warning about what could go wrong.

Is that warning fair? Is Google Play really that much safer? Will going off market plunge you into Android gloom?

We discussed the issues live on camera…

(Watch directly on YouTube if the video won’t play here.)


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/d6Hcd99dJTU/

DARPA takes aim at deepfake forgeries

Who are the victims of deepfakes?

Is it the women who’ve been blackmailed with nonconsensual and completely fabricated revenge porn videos, their faces stitched onto porn stars’ bodies via artificial intelligence (AI)?

Is it actor Nicolas Cage? For whatever reason, deepfakes creators love to slather his likeness into movies.

It’s broader than either, the US Department of Defense says. Rather, it’s all of us who are exposed to fake news and run the risk of getting riled up by garbage. Like, say, this doctored image of Parkland shooting survivor Emma Gonzalez, pictured ripping up a shooting range target (left) in a photo that was then faked to make it look like she was ripping up the US Constitution (right).

Researchers in the Media Forensics (MediaFor) program run by the US Defense Advanced Research Projects Agency (DARPA) think that beyond blackmail and fun, fake images could be used by the country’s adversaries in propaganda or misinformation campaigns. Think fake news, but deeper, more convincing, in video footage that’s extremely tough to tell has been faked.

Take, for example, this deepfake video that apparently shows former US President Barack Obama but is actually doctored with the stitched-in mouth of comedian Jordan Peele, making Obama appear to say things the former president would never say in real life – at least, not publicly.

MediaFor is claiming a victory against this kind of fake. After working on the problem for two years, it’s now come up with AI tools that can automatically spot AI-created fakes – the first forensics tools that can do so, MIT Technology Review reported on Tuesday.

MediaFor’s work on the forensics tools predates the widely reported deepfakes phenomenon: the DoD program started work on the issue about two years ago, but more recently, the team turned its attention to AI-produced forgery.

Matthew Turek, who runs MediaFor, told MIT Technology Review that the work has brought researchers to the point of being able to spot subtle clues in images and videos manipulated by generative adversarial networks (GANs), clues that allow them to detect the presence of alterations. GANs are a class of AI algorithms used in unsupervised machine learning, implemented as two neural networks contesting with each other in a zero-sum game. GANs can generate photographs that often look, at least superficially, authentic to human observers.

One clue that’s proved helpful is in the eyelids. A team led by Siwei Lyu, a professor at the University at Albany, State University of New York, generated about 50 fake videos and then tried traditional forensics methods to see if they’d catch the forgeries. They had mixed results, until one day Lyu came to the realization that faces made with deepfake techniques rarely, if ever, blink.

When they do blink, it looks fake. That’s because deepfakes are trained on still images, rather than on video, and stills typically show people with their eyes open.
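The blink cue described above, as an added example that is not Lyu’s team’s code or part of the article: it assumes a per-frame eye-aspect-ratio (EAR) series from a face-landmark detector, a fixed closed-eye threshold and a conservative blink-rate floor, all constructed here, and, as the article goes on to note, the cue is defeated once forgers train on blinking frames, so the result is one signal rather than a verdict.

```python
from typing import Dict, List, Sequence, Tuple


def detect_blinks(ear: List[float], closed: float = 0.2,
                  min_frames: int = 2) -> List[Tuple[int, int]]:
    """Return (first, last) frame indices of every run in which the EAR stays
    below `closed` for at least `min_frames` frames. Single-frame dips are
    treated as landmark noise rather than blinks."""
    blinks: List[Tuple[int, int]] = []
    start = None
    for i, value in enumerate(ear + [closed]):   # sentinel closes a trailing run
        if value < closed:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_frames:
                blinks.append((start, i - 1))
            start = None
    return blinks


def assess_blinking(ear: List[float], fps: float,
                    min_rate: float = 6.0) -> Dict[str, object]:
    """Blink rate in blinks per minute; footage below `min_rate` is flagged.

    `min_rate` is an assumed floor well under typical adult rates, chosen so
    that a drowsy or staring real subject is not flagged by this cue alone.
    """
    if not ear or fps <= 0:
        raise ValueError("need at least one frame and a positive frame rate")
    blinks = detect_blinks(ear)
    minutes = len(ear) / fps / 60.0
    rate = len(blinks) / minutes
    return {"blinks": len(blinks), "rate_per_min": round(rate, 2),
            "suspicious": rate < min_rate}


def synth_ear(frames: int, blink_starts: Sequence[int], blink_len: int = 4,
              open_value: float = 0.30, closed_value: float = 0.08,
              noise_frames: Sequence[int] = ()) -> List[float]:
    """Constructed EAR series: eyes open, with blinks of `blink_len` frames at
    the given starts and isolated one-frame dips to stand in for jitter."""
    ear = [open_value] * frames
    for s in blink_starts:
        for i in range(s, min(s + blink_len, frames)):
            ear[i] = closed_value
    for i in noise_frames:
        ear[i] = closed_value
    return ear


FPS = 30
# Real-looking subject: one blink every 4 s over a minute (15 blinks/min).
REAL_EAR = synth_ear(60 * FPS, list(range(60, 60 * FPS, 120)))
# Deepfake-like subject: eyes never close for more than a single glitch frame.
FAKE_EAR = synth_ear(60 * FPS, [], noise_frames=[300, 900, 1500])

if __name__ == "__main__":
    print("real:", assess_blinking(REAL_EAR, FPS))
    print("fake:", assess_blinking(FAKE_EAR, FPS))
```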

Other cues include strange head movements or odd eye color: physiological signals that at this point are tough for deepfakes to mimic, according to Hany Farid, a leading digital forensics expert at Dartmouth University.

Skilled forgers can overcome the eye-blink giveaway – all they have to do is use images that show a person blinking. But Lyu said that his team has developed a technique that’s even more effective. They’re keeping it under wraps for now, he said, as the DoD works to stay ahead in this fake-image arms race:

I’d rather hold off at least for a little bit. We have a little advantage over the forgers right now, and we want to keep that advantage.

The advantage is presumably not what NBC News reported on in April: namely, that MediaFor’s tools are also picking up on deepfake differences that aren’t detectable by the human eye. For example, MediaFor’s technology can run a heat map to identify where an image’s statistics – called a JPEG dimple – differ from the rest of the photo.

One example is of a heat map photo that highlights a part of an image – of race cars – where pixelation and image statistics differ from the other parts of the photo, revealing that one of the cars had been digitally added.

In another image, MediaFor’s tools picked up on anomalous light levels and an inconsistent direction from which the light is coming, showing that the original videos were shot at different times before being digitally stitched together.

Expect to hear more: MediaFor’s still at work to hammer out the digital forensics equivalent of a lie detector test for images that can help pick out lies and the liars that tell them.


Image courtesy of Buzzfeed / Youtube.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/t3F-Q_Ungd4/