Posts tagged ‘canada’

Schneier on Security: Over 700 Million People Taking Steps to Avoid NSA Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There’s a new international survey on Internet security and trust, of “23,376 Internet users in 24 countries,” including “Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.” Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those “have taken steps to protect their online privacy and security as a result of his revelations.”

The press is mostly spinning this as evidence that Snowden has not had an effect: “merely 39%,” “only 39%,” and so on. (Note that these articles are completely misunderstanding the data. It’s not 39% of people who are taking steps to protect their privacy post-Snowden, it’s 39% of the 60% of Internet users — which is not everybody — who have heard of him. So it’s much less than 39%.)

Even so, I disagree with the “Edward Snowden Revelations Not Having Much Impact on Internet Users” headline. He’s having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that’s an additional 46 million people around the world.

It’s probably true that most of those people took steps that didn’t make any appreciable difference against an NSA level of surveillance, and probably not even against the even more pervasive corporate variety of surveillance. It’s probably even true that some of those people didn’t take steps at all, and just wish they did or wish they knew what to do. But it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.

Name another news story that has caused over ten percent of the world’s population to change their behavior in the past year? Cory Doctorow is right: we have reached “peak indifference to surveillance.” From now on, this issue is going to matter more and more, and policymakers around the world need to start paying attention.

Related: a recent Pew Research Internet Project survey on Americans’ perceptions of privacy, commented on by Ben Wittes.

TorrentFreak: Leak Exposes Hollywood’s Global Anti-Piracy Strategy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Sony Pictures leak has caused major damage to the Hollywood movie studio, but the fallout doesn’t end there.

Contained in one of the leaked data batches is a complete overview of the MPAA’s global anti-piracy strategy for the years to come.

In an email sent to top executives at the major Hollywood studios earlier this year, one of the MPAA’s top executives shared a complete overview of Hollywood’s anti-piracy priorities.

The email reveals key areas of focus for the coming years, divided into high, medium and low priority categories, as shown below.


The plan put forward by the MPAA is the ideal strategy. Which elements are to be carried out will mostly depend on the funds made available by the studios.

High priority

For cyberlockers and video streaming sites the MPAA plans to reach out to hosting providers, payment processing companies and advertising networks. These companies are urged not to work with so-called rogue sites.

Part of the plan is to create “legal precedent to shape and expand the law on cyberlockers and their hosting providers,” with planned lawsuits in the UK, Germany and Canada.

Cyberlocker strategy

Other top priorities are:

Apps: Making sure that pirate apps are taken down from various App stores. Google’s removal of various Pirate Bay apps may be part of this. In addition, the MPAA wants to make apps “unstable” by removing the pirated files they link to.

Payment processors: The MPAA wants to use government influence to put pressure on payment processors, urging them to ban pirate sites. In addition they will approach major players with “specific asks and proposed best practices” to deter piracy.

Site blocking: Expand site blocking efforts in the UK and other countries where it’s supported by law. In other countries, including the U.S., the MPAA will investigate whether blockades are an option through existing principles of law.

Domain seizures: The MPAA is slowly moving toward domain seizures of pirate sites. This strategy is being carefully tested against sites selling counterfeit products using trademark arguments.

Site scoring services: Developing a trustworthy site scoring system for pirate sites. This can be used by advertisers to ban rogue sites. In the future this can be expanded to payment processors, domain name registrars, hosting providers and search engines, possibly with help from the government.

Copyright Notices: The MPAA intends to proceed with the development of the UK Copyright Alert System, and double the number of notices for the U.S. version. In addition, the MPAA wants to evaluate whether the U.S. Copyright Alert System can expand to mobile carriers.

Mid and low priority

BitTorrent is categorized as a medium priority. The MPAA wants to emphasize the role of BitTorrent in piracy related apps, such as Popcorn Time. In addition, illegal torrent sites will be subject to site blocking and advertising bans.

BitTorrent strategy

Other medium and low priorities are:

Search: Keep putting pressure on search engines and continue periodic research into its role in facilitating piracy. In addition, the MPAA will support third-party lawsuits against search engines.

Hosting: The MPAA sees Cloudflare as a problem and is developing a strategy of how to deal with the popular hosting provider. Lawsuits against hosting providers are also in the agenda.

Link sites: Apart from potential civil lawsuits in Latin America, linking sites will only be targeted if they become “particularly problematic.”

In the email the MPAA’s top executive does not consider the above strategies to be “final” or “set in stone”. How much the MPAA will be able to carry out with its partners depends on funds being available, which appears to be a subtle reminder that the studios should keep their payments coming.

“…the attached represents priorities and activities presuming online CP is adequately resourced. Your teams understand that, depending upon how the budget process plays out, we may need to lower priorities and activities for many sources of piracy and/or antipiracy initiatives,” the email reads.

The leaked strategy offers a unique insight into Hollywood’s strategy against various forms of online infringement.

It exposes several key priorities that were previously unknown. The MPAA’s strong focus on domain name seizures for example, or the plans to target cyberlockers with lawsuits in the UK, Germany and Canada.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Bebe Stores Confirms Credit Card Breach

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In a statement released this morning, women’s clothier chain bebe stores inc. confirmed news first reported on this blog Thursday: That hackers had stolen customer card data from stores across the country in a breach that persisted for several weeks last month.

Image: Wikipedia.


Bebe stores said its investigation indicates that the breach impacted payment cards swiped in its U.S., Puerto Rico and U.S. Virgin Islands stores between Nov. 8, 2014 and Nov. 26, 2014. The data may have included cardholder name, account number, expiration date, and verification code.

The company emphasized that purchases made through its web site, mobile site/application, or in Canada or other international stores were not affected, and that customers should feel confident in continuing to use their payment cards in bebe stores.

“Our relationship with our customers is of the highest importance,” said bebe CEO Jim Wiggett, in a statement. “We moved quickly to block this attack and have taken steps to further enhance our security measures.”

Predictably, bebe stores is offering free credit monitoring services for one year to customers impacted by this incident, even though credit monitoring services do nothing to help consumers block fraud on existing accounts — such as credit and debit card accounts that may have been stolen in this breach.
Consumers still need to keep a close eye on monthly statements, and report any unauthorized charges as quickly as possible.

On Thursday, KrebsOnSecurity reported that several banks had complained about a pattern of fraudulent charges on customer credit cards that all had one thing in common: They’d all been used at bebe locations across the country. One bank contacted by this reporter also found several of its cards for sale in a brand new batch of stolen cards pushed onto the market in an underground “carding” shop, cards that all turned out to have been used at bebe stores during a two week period in the latter half of November.

Interestingly, when I first accessed the breach notification page at bebe stores this morning, Kaspersky Antivirus flagged the page as a possible phishing attack (see screenshot below). This is most likely a false positive, but I thought it was worth mentioning anyway.

Kaspersky Antivirus popped up this phishing page warning when I first tried to access the bebe stores breach alert.


LWN.net: Announcing netdev 0.1

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

“Netdev” is a new conference aimed at networking developers; it will be
held February 14 to 17 in balmy Ottawa, Canada. The call for
papers is open now, with a submission deadline of January 10. “Netdev 0.1 (year 0, conference 1) is a community-driven conference geared
towards Linux netheads. Linux kernel networking and user space utilization
of the interfaces to the Linux kernel networking subsystem are the focus.
If you are using Linux as a boot system for proprietary networking, then
this conference may not be for you.”

Krebs on Security: ‘Replay’ Attacks Spoof Chip Card Charges

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards.

Over the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.

The most puzzling aspect of these unauthorized charges? They were all submitted through Visa and MasterCard’s networks as chip-enabled transactions, even though the banks that issued the cards in question haven’t even yet begun sending customers chip-enabled cards.

The most frustrating aspect of these unauthorized charges? They’re far harder for the bank to dispute. Banks usually end up eating the cost of fraud from unauthorized transactions when scammers counterfeit and use stolen credit cards. Even so, a bank may be able to recover some of that loss through dispute mechanisms set up by Visa and MasterCard, as long as the bank can show that the fraud was the result of a breach at a specific merchant (in this case Home Depot).

However, banks are responsible for all of the fraud costs that occur from any fraudulent use of their customers’ chip-enabled credit/debit cards — even fraudulent charges disguised as these pseudo-chip transactions.

CLONED CHIP CARDS, OR CLONED TRANSACTIONS?

The bank I first heard from about this fraud — a small financial institution in New England — battled some $120,000 in fraudulent charges from Brazilian stores in less than two days beginning last week. The bank managed to block $80,000 of those fraudulent charges, but the bank’s processor, which approves incoming transactions when the bank’s core systems are offline, let through the other $40,000. All of the transactions were debit charges, and all came across MasterCard’s network looking to MasterCard like chip transactions without a PIN.

The fraud expert with the New England bank said the institution had decided against reissuing customer cards that were potentially compromised in the five-month breach at Home Depot, mainly because that would mean reissuing a sizable chunk of the bank’s overall card base and because the bank had until that point seen virtually no fraud on the accounts.

“We saw very low penetration rates on our Home Depot cards, so we didn’t do a mass reissue,” the expert said. “And then in one day we matched a month’s worth of fraud on those cards thanks to these charges from Brazil.”

A chip card. Image: First Data


The New England bank initially considered the possibility that the perpetrators had somehow figured out how to clone chip cards and had encoded the cards with their customers’ card data. In theory, however, it should not be possible to easily clone a chip card. Chip cards are synonymous with a standard called EMV (short for Europay, MasterCard and Visa), a global payment system that has already been adopted by every other G20 nation as a more secure alternative to cards that simply store account holder data on a card’s magnetic stripe. EMV cards contain a secure microchip that is designed to make the card very difficult and expensive to counterfeit.

In addition, there are several checks that banks can use to validate the authenticity of chip card transactions. The chip stores encrypted data about the cardholder account, as well as a “cryptogram” that allows banks to tell whether a card or transaction has been modified in any way. The chip also includes an internal counter mechanism that gets incremented with each sequential transaction, so that a duplicate counter value or one that skips ahead may indicate data copying or other fraud to the bank that issued the card.

And this is exactly what has bank fraud fighters scratching their heads: Why would the perpetrators go through all the trouble of taking plain old magnetic stripe cards stolen in the Home Depot breach (and ostensibly purchased in the cybercrime underground) and making those look like EMV transactions? Why wouldn’t the scammers do what fraudsters normally do with this data, which is simply to create counterfeit cards and use the phony cards to buy gift cards and other high-priced merchandise from big box retailers?

More importantly, how were these supposed EMV transactions on non-EMV cards being put through the Visa and MasterCard network as EMV transactions in the first place?

The New England bank said MasterCard initially insisted that the charges were made using physical chip-based cards, but the bank protested that it hadn’t yet issued its customers any chip cards. Furthermore, the bank’s processor hadn’t even yet been certified by MasterCard to handle chip card transactions, so why was MasterCard so sure that the phony transactions were chip-based?

EMV ‘REPLAY’ ATTACKS?

MasterCard did not respond to multiple requests to comment for this story. Visa also declined to comment on the record. But the New England bank told KrebsOnSecurity that in a conversation with MasterCard officials the credit card company said the most likely explanation was that fraudsters were pushing regular magnetic stripe transactions through the card network as EMV purchases using a technique known as a “replay” attack.

According to the bank, MasterCard officials explained that the thieves were probably in control of a payment terminal and had the ability to manipulate data fields for transactions put through that terminal. After capturing traffic from a real EMV-based chip card transaction, the thieves could insert stolen card data into the transaction stream, while modifying the merchant and acquirer bank account on the fly.

Avivah Litan, a fraud analyst with Gartner Inc., said banks in Canada saw the same EMV-spoofing attacks emanating from Brazil several months ago. One of the banks there suffered a fairly large loss, she said, because the bank wasn’t checking the cryptograms or counters on the EMV transactions.

“The [Canadian] bank in this case would take any old cryptogram and they weren’t checking that one-time code because they didn’t have it implemented correctly,” Litan said. “If they saw an EMV transaction and didn’t see the code, they would just authorize the transaction.”

Litan said the fraudsters likely knew that the Canadian bank wasn’t checking the cryptogram and that it wasn’t looking for the dynamic counter code.

“The bad guys knew that if they encoded these as EMV transactions, the banks would loosen other fraud detection controls,” Litan said. “It appears with these attacks that the crooks aren’t breaking the EMV protocol, but taking advantage of bad implementations of it. Doing EMV correctly is hard, and there are lots of ways to break not the cryptography but to mess with the implementation of EMV.”

The thieves also seem to be messing with the transaction codes and other aspects of the EMV transaction stream. Litan said it’s likely that the perpetrators of this attack had their own payment terminals and were somehow able to manipulate the transaction fields in each charge.

“I remember when I went to Brazil a couple of years ago, their biggest problem was merchants were taking point-of-sale systems home, and then running stolen cards through them,” she said. “I’m sure they could rewire them to do whatever they wanted. That was the biggest issue at the time.”

The New England bank shared with this author a list of the fraudulent transactions pushed through by the scammers in Brazil. The bank said MasterCard is currently in the process of checking with the Brazilian merchants to see whether they had physical transactions that matched transactions shown on paper.

In the meantime, it appears that the largest share of those phony transactions were put through using a payment system called Payleven, a mobile payment service popular in Europe and Brazil that is similar in operation to Square. Most of the transactions were for escalating amounts — nearly doubling with each transaction — indicating the fraudsters were putting through debit charges to see how much money they could drain from the compromised accounts.

Litan said attacks like this one illustrate the importance of banks setting up EMV correctly. She noted that while the New England bank was able to flag the apparent EMV transactions as fraudulent in part because it hadn’t yet begun issuing EMV cards, the outcome might be different for a bank that had issued at least some chip cards.

“There’s going to be a lot of confusion when banks roll out EMV, and one thing I’ve learned from clients is how hard it is to implement properly,” Litan said. “A lot of banks will loosen other fraud controls right away, even before they verify that they’ve got EMV implemented correctly. They won’t expect the point-of-sale codes to be manipulated by fraudsters. That’s the irony: We think EMV is going to solve all our card fraud problems, but doing it correctly is going to take a lot longer than we thought. It’s not that easy.”
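The issuer-side checks this article describes (a cryptogram that must verify and a per-card counter that must advance), set beside the failure mode Litan attributes to the Canadian bank, as an added example that is not part of the original post. The MAC is an HMAC stand-in rather than the real EMV cryptogram algorithm, and every card number, key and merchant name is constructed for illustration.

```python
"""Issuer-side validation of chip-flagged authorizations (simplified model)."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass
class CardRecord:
    chip_issued: bool      # has the issuer ever sent this customer a chip card?
    card_key: bytes = b""  # per-card secret shared by the chip and the issuer
    last_atc: int = 0      # highest transaction counter accepted so far


@dataclass
class AuthRequest:
    pan: str
    amount_cents: int
    merchant: str
    entry_mode: str        # "chip" or "magstripe", as claimed by the terminal
    atc: Optional[int] = None
    cryptogram: bytes = b""


def make_cryptogram(key: bytes, pan: str, amount_cents: int, atc: int) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the card's
    # real MAC, which uses a different construction and a session key.
    msg = f"{pan}|{amount_cents}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def authorize_weak(cards: Dict[str, CardRecord], req: AuthRequest) -> Tuple[bool, str]:
    # Failure mode from the article: a chip flag is trusted on sight and the
    # cryptogram and counter are never inspected.
    if req.pan not in cards:
        return False, "unknown_card"
    return True, "approved"


def authorize(cards: Dict[str, CardRecord], req: AuthRequest) -> Tuple[bool, str]:
    card = cards.get(req.pan)
    if card is None:
        return False, "unknown_card"
    if req.entry_mode != "chip":
        return True, "magstripe_normal_controls"
    # 1. A chip transaction on a card that has no chip cannot be genuine.
    if not card.chip_issued:
        return False, "chip_not_issued"
    # 2. A missing cryptogram or counter is a decline, never a pass.
    if req.atc is None or not req.cryptogram:
        return False, "missing_chip_data"
    # 3. The cryptogram must verify under this card's own key.
    expected = make_cryptogram(card.card_key, req.pan, req.amount_cents, req.atc)
    if not hmac.compare_digest(expected, req.cryptogram):
        return False, "bad_cryptogram"
    # 4. The counter must move forward; a repeated value means copied data.
    if req.atc <= card.last_atc:
        return False, "atc_not_increasing"
    card.last_atc = req.atc
    return True, "approved"


def demo() -> Dict[str, Tuple[bool, str]]:
    # Constructed issuer records: two chip cards and one magstripe-only card.
    key1, key3 = b"constructed-key-0001", b"constructed-key-0003"
    cards = {
        "PAN-CHIP-0001": CardRecord(True, key1, last_atc=41),
        "PAN-MAG-0002": CardRecord(False),
        "PAN-CHIP-0003": CardRecord(True, key3, last_atc=7),
    }
    genuine = AuthRequest("PAN-CHIP-0001", 2500, "store-a", "chip", 42,
                          make_cryptogram(key1, "PAN-CHIP-0001", 2500, 42))
    # Captured chip data resubmitted with a different account and merchant.
    on_mag_card = replace(genuine, pan="PAN-MAG-0002", merchant="store-b")
    on_chip_card = replace(genuine, pan="PAN-CHIP-0003", merchant="store-b")
    no_code = AuthRequest("PAN-CHIP-0003", 9900, "store-b", "chip")
    return {
        "weak_on_mag_card": authorize_weak(cards, on_mag_card),
        "weak_no_code": authorize_weak(cards, no_code),
        "genuine": authorize(cards, genuine),
        "same_message_again": authorize(cards, genuine),
        "on_mag_card": authorize(cards, on_mag_card),
        "on_chip_card": authorize(cards, on_chip_card),
        "no_code": authorize(cards, no_code),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The first decline reason, `chip_not_issued`, is the check that let the New England bank flag these charges; the other three are the ones the article says the Canadian bank had not implemented.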

TorrentFreak: United States Hosts Most Pirate Sites, UK Crime Report Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The UK IP Crime Group, a coalition of law enforcement agencies, government departments and industry representatives, has released its latest IP Crime Report.

The report is produced by the UK Government’s Intellectual Property Office and provides an overview of recent achievements and current challenges in the fight against piracy and counterfeiting. Increasingly, these threats are coming from the Internet.

“One of the key features in this year’s report is the continuing trend that the Internet is a major facilitator of IP crime,” the Crime Group writes.

The report notes that as in previous years, Hollywood-funded industry group FACT remains one of the key drivers of anti-piracy efforts in the UK. Over the past year they’ve targeted alleged pirate sites through various channels, including their hosting providers.

Not all hosts are receptive to FACT’s complaints though, and convincing companies that operate abroad is often a challenge. This includes the United States where the majority of the investigated sites are hosted.

“Only 14% of websites investigated by FACT are hosted in the UK. While it is possible to contact the hosts of these websites, there still remains a considerable number of copyright infringing websites that are hosted offshore and not within the jurisdiction of the UK.”

“Analysis has shown that the three key countries in which content is hosted are the UK, the USA and Canada. However, investigating servers located offshore can cause specific problems for FACT’s law enforcement partners,” the report notes.


The figure above comes as a bit of a surprise, as one would expect that United States authorities and industry groups would have been keeping their own houses in order.

Just a few months ago the US-based IIPA, which includes MPAA and RIAA as members, called out Canada because local hosting providers are “a magnet” for pirate sites. However, it now appears they still have plenty of work to do inside U.S. borders.

But even when hosting companies are responsive to complaints from rightsholders the problem doesn’t always go away. The report mentions that most sites simply move on to another host, and continue business as usual there.

“In 2013, FACT closed a website after approaching the hosting provider on 63 occasions. Although this can be a very effective strategy, in most instances the website is swiftly transferred onto servers owned by another ISP, often located outside the UK.”

While downtime may indeed be relatively brief the report claims that it may still hurt the site, as visitors may move on to other legitimate or illegitimate sources.

“The [moving] process usually involves a disruptive period of time whereby the website is offline, during which users will often find an alternative service, thus negatively affecting the website’s popularity.”

While hosting companies remain a main target, tackling the online piracy problem requires a multi-layered approach according to the UK Crime Group.

With the help of local law enforcement groups such as City of London’s PIPCU, copyright holders have rolled out a variety of anti-piracy measures in recent months. This includes domain name suspensions, cutting off payment processors and ad revenue, website blocking by ISPs and criminal prosecutions.

These and other efforts are expected to continue during the years to come. Whether that will be enough to put a real dent in piracy rates has yet to be seen.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Leaked TPP Draft Reveals Tough Anti-Piracy Measures

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The Trans-Pacific Partnership, an agreement aimed at strengthening economic ties between the United States, Canada, New Zealand, Japan and eight other countries in the region, has been largely shrouded in secrecy.

Today whistleblower outfit Wikileaks sheds some light on the ongoing negotiations by leaking a new draft of the agreement’s controversial intellectual property chapter.

The draft dates back to May 2014 and although it’s far from final, some significant progress has been made since the first leak during August last year.

For example, the countries have now agreed that a new copyright term will be set in the agreement. No decision has been made on a final term but options currently on the table are life of the author plus 50, 70 or 100 years.

The proposal to add criminal sanctions for non-commercial copyright infringement, which is currently not the case in many countries, also remains in play.

The leak further reveals a new section on ISP liability. This includes a proposal to make it mandatory for ISPs to alert customers who stand accused of downloading copyrighted material, similar to the requirement under the U.S. DMCA.

Alberto Cerda of Georgetown University Law Center points out that some of the proposals in the ISP liability section go above and beyond the DMCA.

“The most worrying proposal on the matter is that one that would extend the scope of the provisions from companies that provide Internet services to any person who provides online services,” Cerda told TorrentFreak.

This means that anyone who passes on Internet traffic could be held liable for the copyright infringements of others. This could include the local coffeehouse that offers free wifi, or even someone’s own Internet connection if it’s shared with others.

The leaked draft also adds a provision that would allow ISPs to spy on their own users to catch those who download infringing content. This is another concern, according to the law Professor.

“From a human rights viewpoint, that should be expressly limited to exceptional circumstances,” Cerda says.

It’s clear that the ISP liability section mimics the DMCA. In fact, throughout the TPP chapter the most draconian proposals often originate from the United States.

Law Professor Michael Geist notes that Canada has been the leading opponent of many of the U.S. proposals, which often go against the country’s recently revamped copyright law. Geist warns that the TPP may eventually lead to tougher local laws as U.S. pressure continues.

“As the treaty negotiations continue, the pressure to cave to U.S. pressure will no doubt increase, raising serious concerns about whether the TPP will force the Canadian government to overhaul recently enacted legislation,” Geist writes.

Compared to the previous draft that leaked last year there are also some positive developments to report.

For example, Canada put forward a proposal that permits countries to allow exceptions to technological protection measures. This would make it possible to classify DRM-circumvention as fair use, for example. A refreshing proposal, but one that’s unlikely to be approved by the U.S.

If anything, the leaked TPP chapter shows once again that there is still a very long way to go before a final draft is ready. After more than three years of negotiating many of the proposals are still heavily debated and could go in multiple directions.

That is, if an agreement is ever reached.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Firedrive Mystery Deepens, iOS and Android Apps Disappear

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Bugs, glitches and technical issues are real-life problems for all web-based operations. As a result, most websites are vulnerable to downtime, whether that’s for a few minutes or a few hours.

In the file-sharing space the phenomenon is very common indeed as these entities, torrent and ‘cyberlockers’ in particular, often face unique challenges. These special issues can often lead to unexpected downtime, although with the advent of social media many sites have improved their communications with users.

That being said, tens of thousands of Firedrive users currently have no idea what has happened to their site.

Firedrive, which was previously known as Putlocker before a rebranding exercise earlier this year, started behaving strangely last week. User reports to TorrentFreak initially complained that the site was simply down, but a couple of days later, with no official announcement forthcoming, things took a turn for the strange.

It’s well known that Firedrive is used by some to host unauthorized copies of movies. It’s unclear just how many but thousands of sites around the world carry links to Firedrive that allow the viewing of mainstream movies with nothing more than a web browser. However, users trying to access those links are currently facing disappointment.

Since before the weekend, many (perhaps all) video files on Firedrive have been replaced with 13-15 second intros used by the major movie studios. TF tested a few random links we found using Google and found intros from Sony, Warner, Universal and Dreamworks, instead of the movies that claimed to be there.


TVAddons, the XBMC-focused community previously known as XBMCHub, told TorrentFreak that the issues at Firedrive and sister-site Sockshare (which is also currently non-functional) have broken some of their XBMC/Kodi addons. However, even greater concern lies with those who use Firedrive as a personal storage site.

In recent months following the Putlocker transition, Firedrive has been debuting tools and features which give the site an appeal to users looking for Dropbox-style functionality. And this is where things get even more strange. After a short beta period, on October 1 Firedrive issued a press release heralding the official debut of their iOS and Android syncing apps.

“We are looking forward to our users exploring the new applications and finding value in sharing and backing up their rich media using Firedrive,” said Joseph Turner, CEO of Firedrive.

However, users searching for the apps on either the App Store or Google Play are now met with silence. iTunes reports that the app is only available in Canada yet switching to that location reveals that it has been removed. Searches on Google Play for the Android versions yield nil results.

Ever since their press release Firedrive simply hasn’t been working and the only posts on Firedrive’s Facebook page are from angry users complaining about everything from lost files to hackers having taken over the site.

“All I can say is thank god I didn’t pay for this bullshit and to think was just about to go pro and pay,” wrote one. “Never happening now even if it does come back with my files intact, which I doubt will happen! Anyone into a class action suit, I have 100s of hours of work lost could only imagine what paying customers might have lost!”

TorrentFreak reached out to the site for comment but we have yet to receive any response. If anyone has any additional information, feel free to contact us.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: In Home Depot Breach, Investigation Focuses on Self-Checkout Lanes

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The malicious software that unknown thieves used to steal credit and debit card numbers in the data breach at Home Depot this year was installed mainly on payment systems in the self-checkout lanes at retail stores, according to sources close to the investigation. The finding means thieves probably stole far fewer cards during the almost five-month breach than they might have otherwise.

A self-checkout lane at a Home Depot in N. Virginia.

Since news of the Home Depot breach first broke on Sept. 2, this publication has been in constant contact with multiple financial institutions that are closely monitoring daily alerts from Visa and MasterCard for reports about new batches of accounts that the card associations believe were compromised in the break-in. Many banks have been bracing for a financial hit that is much bigger than the exposure caused by the breach at Target, which lasted only three weeks and exposed 40 million cards.

But so far, banking sources say Visa and MasterCard have been reporting far fewer compromised cards than expected given the length of the Home Depot exposure.

Sources now tell KrebsOnSecurity that in a conference call with financial institutions today, officials at MasterCard shared several updates from the ongoing forensic investigation into the breach at the nationwide home improvement store chain. The card brand reportedly told banks that at this time it is believed that only self-checkout terminals were impacted in the breach, but stressed that the investigation is far from complete.

MasterCard also reportedly relayed that the investigation to date found evidence of compromise at approximately 1,700 of the nearly 2,200 U.S. stores, with another 112 stores in Canada potentially affected.

Officials at MasterCard declined to comment. Home Depot spokeswoman Paula Drake also declined to comment, except to say that, “Our investigation is continuing, and unfortunately we’re not going to comment on other reports right now.”

Linux How-Tos and Linux Tutorials: How to Control a 3 Wheel Robot from a Tablet With BeagleBone Black

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Ben Martin. Original post: at Linux How-Tos and Linux Tutorials

Give the BeagleBone Black its own wheels, completely untether any cables from the whole thing and control the robot from a tablet.

The 3 Wheel Robot kit includes all the structural material required to create a robot base. To the robot base you have to add two gearmotors, batteries, and some way to control it. Leaving the motors out of the 3 wheel kit allows you to choose the motor with a torque and RPM suitable for your application.

In this article we’ll use the Web server on the BeagleBone Black and some Bonescript to allow simple robot control from any tablet. No ‘apps’ required. Bonescript is a nodejs environment which comes with the BeagleBone Black.

Shown in the image at left is the 3 wheel robot base with an added pan and tilt mechanism. All items above the long black line and all batteries, electronics, cabling, and the two gearmotors were additions to the base. Once you can control the base using the BeagleBone Black, adding other hardware is relatively easy.

This article uses two 45 rpm Precision Gear Motors. The wheels are 6 inches in diameter so the robot will be speed-limited to about 86 feet per minute (26 meter/min). These motors can run from 6-12 volts and have a maximum stall current draw of 1 amp. The large stall current draw will happen when the motor is trying to turn but is unable to, for example if the robot has run into a wall and the tires do not slip. It is a good idea to detect cases that draw stall current and turn off power to avoid overheating and/or damaging the motor.

In this Linux.com series on the BeagleBone Black we have also seen how to use the Linux interface allowing us to access chips over SPI and receive interrupts when the voltage on a pin changes, and how to drive servo motors.

Constructing the 3 Wheel Robot

3 wheel robot kit parts

The parts for the 3 Wheel Robot kit are shown above (with the two gearmotors in addition to the raw kit). You can assemble the robot base in any order you choose. A fair number of the parts are used, together with whichever motors you selected, to mount the two powered front wheels. The two pieces of channel are connected using the hub spacer and the swivel hub is used to connect the shorter piece of channel at an angle at the rear of the robot. I’m assuming the two driving wheels are at the ‘front’. I started construction at the two drive wheels as that used up a hub adapter, screw hub, and two motor mount pieces. Taking those parts out of the mix left less clutter for the subsequent choice of pieces.

Powering Everything

In a past article I covered how the BeagleBone Black needs between about 2.5 W and the low 3 W range of power to operate. The power requirements for the BeagleBone Black can be met in many ways. I chose to use a single 3.7-Volt 18650 lithium battery and a 5 V step up board. The BeagleBone Black has a power jack expecting 5 V. At a high CPU load the BeagleBone Black could take up to 3.5 W of power. So the battery and step up converter have to be comfortable supplying a 5V/700mA power supply. The battery is rated at about 3 amp-hours so the BeagleBone Black should be able to run for hours on a single charge.

The gearmotors for the wheels can operate on 6 to 12 V. I used a second battery source for the motors so that they wouldn’t interfere with the power of the BeagleBone Black. For the motors I used a block of 8 NiMH rechargeable AA batteries. This only offered around 9.5 V so the gearmotors would not achieve their maximum performance but it was a cheap supply to get going. I have manually avoided stalling either motor in testing so as not to attempt to draw too much power from the AA batteries. Either some stall protection that cuts power to the gearmotors and protects the batteries, for example monitoring current and turning off the motors if they attempt to draw too much, or a more expensive motor battery source should be used.

The motor power supply was connected to the H-bridge board, making the ground terminal on the H-bridge a convenient location for a common ground connection to the BeagleBone Black.

Communicating without Wires

The BeagleBone Black does not have on-board wifi. One way to allow easy communication with the BeagleBone Black is to flash a TP-Link WR-703N with openWRT and use that to provide a wifi access point for access to the BeagleBone Black. The WR-703N is mounted to the robot base and is connected to the ethernet port of the BeagleBone Black. The tablets and laptops can then connect to the access point offered by the onboard WR-703N.

I found it convenient to set up the WR-703N to be a DHCP server and to assign the same IP address to the BeagleBone Black as it would have obtained when connected to my wired network. This way the tablet can communicate with the robot both in a wired prototyping setup and when the robot is untethered.

Controlling Gearmotors from the BeagleBone Black

Unlike the servo motors discussed in the previous article, gearmotors do not have the same Pulse Width Modulation (PWM) control line to set at an angle to rotate to. There is only power and ground to connect. If you connect the gearmotor directly to a 12 V power source it will spin up to turn as fast as it can. To turn the gearmotor a little bit slower, say at 70 percent of its maximum speed, you need to supply power only 70 percent of the time. So we are wanting to perform PWM on the power supply wire to the gearmotor. Unlike the PWM used to control the servo we do not have any fixed 20 millisecond time slots forced on us. We can divide up time any way we want, for example running full power for 0.7 seconds then no power for 0.3 s. Though a shorter time slice than 1 s will produce a smoother motion.

An H-Bridge chip is useful to be able to switch a high voltage, high current wire on and off from a 3.3 V wire connected to the BeagleBone Black. A single H-Bridge will let you control one gearmotor. Some chips like the L298 contain two H-Bridges. This is because two H-Bridges are useful if you want to control some stepper motors. A board containing an L298, heatsink and connection terminals can be had for as little as $5 from a China based shop, up to more than $30 for a fully populated configuration made in Canada that includes resistors to allow you to monitor the current being drawn by each motor.

The L298 has two pins to control the configuration of the H-Bridge and an enable pin. With the two control pins you can configure the H-Bridge to flow power through the motor in either direction. So you can turn the motor forwards and backwards depending on which of the two control pins is set high. When the enable pin is high then power flows from the motor batteries through the motor in the direction that the H-Bridge is configured for. The enable pin is where to use PWM in order to turn the motors at a rate slower than their top speed.

The two control lines and the enable line allow you to control one H-Bridge and thus one gearmotor. The L298 has a second set of enable and control lines so you can control a second gearmotor. Other than those lines the BeagleBone Black has to connect ground and 3.3 V to the H-Bridge.

When I first tried to run the robot in a straight line I found that it gradually turned left. After some experimenting I found that at full power the left motor was rotating at a slightly slower RPM relative to the right one. I’m not sure where this difference was being introduced but, having found it early in the testing, the software was designed to allow such calibration to be performed behind the scenes. You select 100 percent speed straight ahead and the software runs the right motor at only 97 percent power (or whatever calibration adjustment is currently applied).

To allow simple control of the two motors I used two concepts: the speed (0-100) and heading (0-100). A heading of 50 means that the robot should progress straight ahead. This mimics a car interface where steering (heading) and velocity are adjusted and the robot takes care of the details.

I have made the full source code available on github. Note the branch linux.com-article which is frozen in time at the point of the article. The master branch contains some new goodies and a few changes to the code structure, too.

The Server

Because the robot base was “T” shaped, over time it was referred to as TerryTee. The TerryTee nodejs class uses bonescript to control the PWM for the two gearmotors.

The constructor takes the pin identifier to use for the left and right motor PWM signals and a reduction to apply to each motor, with 1.0 being no reduction and 0.95 being to run the motor at only 95 percent the specified speed. The reduction is there so you can compensate if one motor runs slightly slower than the other.

function TerryTee( leftPWMpin, rightPWMpin, leftReduction, rightReduction )
{
    TerryTee.running = 1;
    TerryTee.leftPWMpin = leftPWMpin;
    TerryTee.rightPWMpin = rightPWMpin;
    TerryTee.leftReduction = leftReduction;
    TerryTee.rightReduction = rightReduction;
    TerryTee.speed = 0;
    TerryTee.heading = 50;
}

The setPWM() method shown below is the lowest level one in TerryTee, and other methods use it to change the speed of each motor. The PWMpin selects which motor to control and the ‘perc’ is the percentage of time that motor should be powered. I also made perc able to be from 0-100 as well as from 0.0 – 1.0 so the web interface could deal in whole numbers.

When an emergency stop is active, running is false so setPWM will not change the current signal. The setPWM method also applies the motor strength calibration automatically so higher level code doesn’t need to be concerned with that. As the analogWrite() Bonescript call uses the underlying PWM hardware to output the signal, the PWM does not need to be constantly refreshed from software; once you set 70 percent, the robot motor will continue to try to rotate at that speed until you tell it otherwise.

TerryTee.prototype.setPWM = function (PWMpin,perc) 
{
    if( !TerryTee.running )
	return;
    if( PWMpin == TerryTee.leftPWMpin ) {
	perc *= TerryTee.leftReduction;
    } else {
	perc *= TerryTee.rightReduction;
    }
    if( perc >  1 )   
	perc /= 100;
    console.log("awrite PWMpin:" + PWMpin + " perc:" + perc  );
    b.analogWrite( PWMpin, perc, 2000 );
};

The setSpeed() call takes the current heading into consideration and updates the PWM signal for each wheel to reflect the heading and speed you have currently set.

TerryTee.prototype.setSpeed = function ( v ) 
{
    if( !TerryTee.running )
	return;
    if( v < 40 )
    {
	TerryTee.speed = 0;
	this.setPWM( TerryTee.leftPWMpin,  0 );
	this.setPWM( TerryTee.rightPWMpin, 0 );
	return;
    }
    var leftv  = v;
    var rightv = v;
    var heading = TerryTee.heading;
    
    if( heading > 50 )
    {
	if( heading >= 95 )
	    leftv = 0;
	else
	    leftv *= 1 - (heading-50)/50;
    }
    if( heading < 50 )
    {
	if( heading <= 5 )
	    rightv = 0;
	else
	    rightv *= 1 - (50-heading)/50;
    }
    console.log("setSpeed v:" + v + " leftv:" + leftv + " rightv:" + rightv );
    this.setPWM( TerryTee.leftPWMpin,  leftv );
    this.setPWM( TerryTee.rightPWMpin, rightv );
    TerryTee.speed = v;
};

The server itself creates a TerryTee object and then offers a Web socket to control that Terry. The ‘stop’ message is intended as an emergency stop which forces Terry to stop moving and ignore input for a period of time so that you can get to it and disable the power in case something has gone wrong.

var terry = new TerryTee('P8_46', 'P8_45', 1.0, 0.97 );
terry.setSpeed( 0 );
terry.setHeading( 50 );
b.pinMode     ('P8_37', b.OUTPUT);
b.pinMode     ('P8_38', b.OUTPUT);
b.pinMode     ('P8_39', b.OUTPUT);
b.pinMode     ('P8_40', b.OUTPUT);
b.digitalWrite('P8_37', b.HIGH);
b.digitalWrite('P8_38', b.HIGH);
b.digitalWrite('P8_39', b.LOW);
b.digitalWrite('P8_40', b.LOW);
io.sockets.on('connection', function (socket) {
  ...
  socket.on('stop', function (v) {
      terry.setSpeed( 0 );
      terry.setHeading( 0 );
      terry.forceStop();
  });
  socket.on('speed', function (v) {
      console.log('set speed to ', v );
      console.log('set speed to ', v.value );
      if( typeof v.value === 'undefined')
	  return;
      terry.setSpeed( v.value );
  });
  ...

The code on github is likely to evolve over time to move the various fixed cutoff numbers to be configurable and allow Terry to be reversed from the tablet.

The Client (Web page)

To quickly create a Web interface I used Bootstrap and jQuery. If the interface became more advanced then perhaps something like AngularJS would be a better fit. To control the speed and heading with an easy touch interface I also used the bootstrap-slider project.

<div class="inner cover">
  <div class="row">
    <div class="col-md-1"><p class="lead">Speed</p></div>
    <div class="col-md-8"><input id="speed" data-slider-id='speedSlider' 
                    type="text" data-slider-min="0" data-slider-max="100" 
                    data-slider-step="1" data-slider-value="0"/></div>
  </div>
  <div class="row">
    <div class="col-md-1"><p class="lead">Heading</p></div>
    <div class="col-md-8"><input id="heading" data-slider-id='headingSlider' 
                    type="text" data-slider-min="0" data-slider-max="100" 
                    data-slider-step="1" data-slider-value="50"/></div>
  </div>
</div>
<div class="inner cover">
    <div class="btn-group">
	<button id="rotateleft" type="button" class="btn btn-default btn-lg" >
	  <span class="glyphicon glyphicon-hand-left"></span>&nbsp;Rot&nbsp;Left</button>
	<button id="straightahead" type="button" class="btn btn-default btn-lg" >
	  <span class="glyphicon glyphicon-arrow-up"></span>&nbsp;Straight&nbsp;ahead</button>
	<button id="rotateright" type="button" class="btn btn-default btn-lg" >
	  <span class="glyphicon glyphicon-hand-right"></span>&nbsp;Rot&nbsp;Right</button>
    </div>
</div>

With those UI elements the hook up to the server is completed using io.connect() to connect a ‘var socket’ back to the BeagleBone Black. The below code sends commands back to the BeagleBone Black as UI elements are adjusted on the page. The rotateleft command is simulated by setting the heading and speed for a few seconds and then stopping everything.

$("#speed").on('slide', function(slideEvt) {
    socket.emit('speed', {
        value: slideEvt.value[0],
        '/end': 'of-message'
    });
});
...
$('#straightahead').on('click', function (e) {
     $('#heading').data('slider').setValue(50);
})
$('#rotateleft').on('click', function (e) {
     $('#heading').data('slider').setValue(0);
     $('#speed').data('slider').setValue(70);
     setTimeout(function() {
        $('#speed').data('slider').setValue(0);
        $('#heading').data('slider').setValue(50);
     }, 2000);
})

The BeagleBone Black runs a Web server offering files from /usr/share/bone101. I found it convenient to put the whole project in /home/xuser/webapps/terry-tee and create a softlink to the project at /usr/share/bone101/terry-tee. This way http://mybeagleip/terry-tee/index.html will load the Web interface on a tablet. Cloud9 will automatically start any Bonescript files contained in /var/lib/cloud9/autorun. So two links set up Cloud9 to both serve the client and automatically start the server Bonescript for you:

root@beaglebone:/var/lib/cloud9/autorun# ls -l
lrwxrwxrwx 1 root root 39 Apr 23 07:02 terry.js -> /home/xuser/webapps/terry-tee/server.js
root@beaglebone:/var/lib/cloud9/autorun# cd /usr/share/bone101/
root@beaglebone:/usr/share/bone101# ls -l terry-tee
lrwxrwxrwx 1 root root 29 Apr 17 05:48 terry-tee -> /home/xuser/webapps/terry-tee

Wrap up

I originally tried to use the GPIO pins P8_41 to 44. I found that if I had wires connected to those ports the BeagleBone Black would not start. I could remove and reapply the wires after startup and things would function as expected. On the other hand, leaving 41-44 unconnected and using 37-40 instead the BeagleBone Black would boot up fine. If you have a problem starting your BeagleBone Black you might be accidentally using a connector that has a reserved function during startup.

While the configuration shown in this article allows control of only the movement of the robot base the same code could easily be extended to control other aspects of the robot you are building. For example, to control an arm attached and be able to move things around from your tablet.

Using a BeagleBone Black to control the robot base gives the robot plenty of CPU performance. This opens the door to using a mounted camera with OpenCV to implement object tracking. For example, the robot can move itself around in order to keep facing you. While the configuration in this article used wifi to connect with the robot, another interesting possibility is to use 3G to connect to a robot that isn’t physically nearby.

The BeagleBone Black can create a great Web-controlled robot and the 3 wheel robot base together with some gearmotors should get you moving fairly easily. Though once you have the base moving around you may find it difficult to resist giving your robot more capabilities!

We would like to thank ServoCity for supplying the 3 wheel robot base, gearmotors, gearbox and servo used in this article.

SANS Internet Storm Center, InfoCON: green: Trolling Memory for Credit Cards in POS / PCI Environments, (Tue, Aug 26th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

In a recent penetration test, I was able to parlay a network oversight into access to a point of sale terminal.  Given the discussions these days, the next step for me was an obvious one – memory analysis.

My first step was to drive to the store I had compromised and purchase an item.

I’m not a memory analysis guru, but the memory capture and analysis was surprisingly easy.  First, dump memory:
dumpit
Yup, it’s that simple, I had the dumpit executable locally by that point (more info here https://isc.sans.edu/diary/Acquiring+Memory+Images+with+Dumpit/17216)
or, if you don’t have keyboard access (dumpit requires a physical “enter” key, I/O redirection won’t work for this):
win32dd /f memdump.img
(from the SANS Forensics Cheat Sheet at https://blogs.sans.org/computer-forensics/files/2012/04/Memory-Forensics-Cheat-Sheet-v1_2.pdf )

Next, I’ll dig for my credit card number specifically:

strings memdump.img | grep [mycardnumbergoeshere] | wc -l
     171

Yup, that’s 171 occurrences in memory, unencrypted. So far, we’re still PCI compliant – PCI 2.0 doesn’t mention cardholder data in memory, and 3.0 only mentions it in passing. The PCI standard mainly cares about data at rest – which to most auditors means “on disk or in database”, or data in transit – which means on the wire, capturable by tcpdump or wireshark. Anything in memory, no matter how much of a target in today’s malware landscape, is not an impact on PCI compliance.

The search above was done in windows, using strings from SysInternals – by default this detects strings in both ASCII and Unicode.  If I repeat this in linux (which by default is ASCII only), the results change:
strings memdump.img | grep [mycardnumbergoeshere] | wc -l
     32

To get the rest of the occurrences, I also need to search for the Unicode representations, which “strings” calls out as “little-endian” numbers:
strings -el memdump.img | grep [mycardnumbergoeshere] | wc -l
     139

Which gives me the same total of 171.

Back over to windows, let’s dig a little deeper – how about my CC number and my name tied together?
strings memdump.img | grep [myccnumbergoeshere] | grep -i vandenbrink | wc -l
     1

or my CC number plus my PIN  (we’re CHIP+PIN in Canada)
strings memdump.img | grep [mycardnumbergoeshere] | grep [myPINnumber]
     12

Why exactly the POS needs my PIN is beyond me!

Next, let’s search this image for a number of *other* credit cards – rather than dig by number, I’ll search for issuer name so there’s no mistake. These searches are all using the Sysinternals “strings” since the defaults for that command lend themselves better to our search:

CAPITAL ONE       85
VISA             565
MASTERCARD      1335
AMERICAN EXPRESS  20

and for kicks, I also searched for debit card prefixes (I only search for a couple with longer IIN numbers):
Bank of Montreal   500766   245
TD Canada Trust    589297   165

Looking for my number + my CC issuer in the same line gives me:
strings memdump.img | grep [myccnumbergoeshere] | grep [MASTERCARD] | wc -l
gives me a result of “5”

So, assuming that this holds true for others (it might not, even though the patterns are all divisible by 5), this POS terminal has hundreds, but more likely thousands of valid numbers in memory, along with names, PIN numbers and other information.

Finally, looking for a full magstripe in memory:

The search for a full stripe:
grep -aoE "(((%?[Bb]?)[0-9]{13,19}^[A-Za-zs]{0,26}/[A-Za-zs]{0,26}^(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9s]{3,50}?)[;s]{1,3}([0-9]{13,19}=(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9]{3,50}?))" memdump.img  | wc -l
    0

where:

    -a = Processes a binary file as text
    -o = Shows only the matched text
    -E = Treats the pattern as an extended regular expression

or using this regex to find Track strings only:

((%?[Bb]?)[0-9]{13,19}^[A-Za-zs]{0,26}/[A-Za-zs]{0,26}^(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9s]{3,50}?)
gives us 0 results.

or this regex to find Track 2 strings only:

([0-9]{13,19}=(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9]{3,50}?)  
Gives us 162  (I’m not sure how much I trust this number)

Anyway, what this tells me is that this store isn’t seeing very many folks swipe their cards, it’s all CHIP+PIN (which you’d expect)

(Thanks to the folks at bromium for the original regular expressions and breakdown: http://labs.bromium.com/2014/01/13/understanding-malware-targeting-point-of-sale-systems/)

Getting system uptime (from the system itself) wraps up this simple analysis – the point of this being “how long does it take to collect this much info?”

net statistics server | find "since"
shows us that we had been up for just under 4 days.

Other ways to find uptime?
from the CLI:
systeminfo | find "Boot Time"
or, in powershell:
PS C:\> Get-WmiObject win32_operatingsystem | select csname, @{LABEL='LastBootUpTime';EXPRESSION={$_.ConverttoDateTime($_.lastbootuptime)}}
or, in wmic:
wmic os get lastbootuptime
or, if you have sysinternals available, you can just run “uptime”

What does this mean for folks concerned with PCI compliance?
Today, not so much.  Lots of environments are still operating under PCI 2.0.  PCI 3.0 simply calls for education on the topic of good coding practices to combat memory scraping.  Requirement 6.5 phrases this as “Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.  Develop applications based on secure coding guidelines.”

Personally (and this is just my opinion), I would expect/hope that the next version of PCI will call out encryption of card and personal information in memory specifically as a requirement. If things play out that way, what this will mean to the industry is that either:
a/ folks will need to move to card readers that encrypt before the information is on the POS terminal
or
b/ if they are using this info to collect sales / demographic information, they might instead tokenize the CC data for the database, and scrub it from memory immediately after.  All  I can say to that approach is “good luck”.  Memory management is usually abstracted from the programming language, so I’m not sure how successful you’d be in trying to scrub artifacts of this type from memory.

===============
Rob VandenBrink, Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
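
An added example, not part of the original diary: the searches above written as a discovery scan for a captured memory image. It counts card-number candidates in both ASCII and UTF-16LE (the split the two "strings" runs showed), drops digit runs that fail a Luhn check, and reports only masked numbers. The function names, the simplified Track 2 pattern and the sample buffer are assumptions of this example; the card numbers in it are public test PANs.

```python
import mmap
import re
from collections import Counter

# 13-19 digit runs in single-byte (ASCII) form, not embedded in a longer digit run.
PAN_ASCII = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")
# The same digits as UTF-16LE ("Unicode" on Windows): each digit byte followed by NUL.
PAN_UTF16 = re.compile(rb"(?<![0-9]\x00)(?:[0-9]\x00){13,19}(?![0-9]\x00)")
# Simplified Track 2 (assumption of this example): PAN '=' YYMM, at least 3 more
# digits, and an optional literal '?' end sentinel.
TRACK2 = re.compile(rb"(?<![0-9])([0-9]{13,19})=[0-9]{2}(?:0[1-9]|1[0-2])[0-9]{3,50}\??")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_pan(digits: str) -> bool:
    """Reject Luhn failures and single-digit runs (all zeros passes Luhn)."""
    return len(set(digits)) > 1 and luhn_ok(digits)


def mask(pan: str) -> str:
    """Keep first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _tally(hits: dict, key: str, digits: str) -> None:
    if plausible_pan(digits):
        hits[key][mask(digits)] += 1
    else:
        hits["rejected"] += 1


def scan_image(data) -> dict:
    """Scan a bytes-like memory image; returns masked hit counts per encoding."""
    hits = {"ascii": Counter(), "utf16le": Counter(), "track2": Counter(), "rejected": 0}
    for m in PAN_ASCII.finditer(data):
        _tally(hits, "ascii", m.group().decode("ascii"))
    for m in PAN_UTF16.finditer(data):
        _tally(hits, "utf16le", m.group().decode("utf-16-le"))
    for m in TRACK2.finditer(data):
        pan = m.group(1).decode("ascii")
        if plausible_pan(pan):
            hits["track2"][mask(pan)] += 1
    return hits


def scan_path(path: str) -> dict:
    """Memory-map an image file (e.g. memdump.img) instead of reading it whole."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_image(mm)


def totals(hits: dict) -> dict:
    return {k: sum(hits[k].values()) for k in ("ascii", "utf16le", "track2")}


def build_sample() -> bytes:
    """Constructed stand-in for a memory image, not data from the diary."""
    visa, mc = "4111111111111111", "5555555555554444"  # public test PANs
    filler = bytes(range(256))
    parts = [
        visa.encode("ascii"), visa.encode("ascii"),        # 2 ASCII copies
        visa.encode("utf-16-le"), visa.encode("utf-16-le"),
        visa.encode("utf-16-le"), mc.encode("utf-16-le"),  # 4 UTF-16LE copies
        (mc + "=25121010000?").encode("ascii"),            # one Track 2 record
        b"4111111111111112",                               # fails Luhn
        b"0000000000000000",                               # zero run, filtered
    ]
    return filler + filler.join(parts) + filler


if __name__ == "__main__":
    result = scan_image(build_sample())
    print(totals(result), "rejected:", result["rejected"])
```

The ASCII and UTF-16LE totals have to be added to get the real count, which is what the 32 + 139 = 171 result above reflects; the "rejected" figure shows how many raw digit runs would otherwise have been counted.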

Krebs on Security: Feds: Hackers Ran Concert Ticket Racket

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A Russian man detained in Spain is facing extradition to the United States on charges of running an international cyber crime ring that allegedly stole more than $10 million in electronic tickets from e-tickets vendor StubHub.

Vadim Polyakov, 30, was detained while vacationing in Spain. Polyakov is wanted on conspiracy charges to be unsealed today in New York, where investigators with the Manhattan District Attorney’s office and the U.S. Secret Service are expected to announce coordinated raids of at least 20 people in the United States, Canada and the United Kingdom accused of running an elaborate scam to resell stolen e-tickets and launder the profits.

Sources familiar with the matter describe Polyakov, from St. Petersburg, Russia, as the ringleader of the gang, which allegedly used thousands of compromised StubHub user accounts to purchase huge volumes of electronic, downloadable tickets that were fed to a global network of resellers.

Robert Capps, senior director of customer success for RedSeal Networks and formerly head of StubHub’s global trust and safety organization, said the fraud against StubHub — which is owned by eBay — largely was perpetrated with usernames and passwords stolen from legitimate StubHub customers. Capps noted that while banks have long been the target of online account takeovers, many online retailers are unprepared for the wave of fraud that account takeovers can bring.

“In the last year online retailers have come under significant attack by cyber criminals using techniques such as account takeover to commit fraud,” Capps said. “Unfortunately, the transactional risk systems employed by most online retailers are not tuned to detect and defend against malicious use of existing customer accounts.  Retooling these systems to detect account takeovers can take some time, leaving retailers exposed to significant financial losses in the intervening time.”

Polyakov is the latest in a recent series of accused Russian hackers detained while traveling abroad and currently facing extradition to the United States. Dmitry Belorossov, a Russian citizen wanted in connection with a federal investigation into a cyberheist gang that leveraged the Gozi Trojan, also is facing extradition to the United States from Spain. He was arrested in Spain in August 2013 while attempting to board a flight back to Russia.

Last month, federal authorities announced they had arrested Russian citizen Roman Seleznev as he was vacationing in the Maldives. Seleznev, the son of a prominent Russian lawyer, is currently being held in Guam and is awaiting extradition to the United States.

Arkady Bukh, a New York criminal lawyer who frequently represents Russian and Eastern European hackers who wind up extradited to the United States, said the Polyakov case will be interesting to watch because his extradition is being handled by New York authorities, not the U.S. government.

“I’m not saying they won’t get some help from the feds, but extradition by state prosecutors is often a failure,” Bukh said. “In fact, I don’t remember the last time we saw a successful extradition of cybercrime suspects by U.S. state prosecutors. You have to have a lot of political juice to pull off that kind of thing, and normally state prosecutors don’t have that kind of juice.”

Nevertheless, Bukh said, U.S. authorities have made it crystal clear that there are few countries outside of Russia and Ukraine which can be considered safe havens for wanted cybercriminals.

“The U.S. government has delivered the message that these guys can get arrested anywhere, that there are very few places they can go and go safely,” Bukh said.

Krebs on Security: Banks: Card Breach at Goodwill Industries

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Heads up, bargain shoppers: Financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide. For its part, Goodwill Industries International Inc. says it is working with the U.S. Secret Service on an investigation into these reports.

Headquartered in Rockville, Md., Goodwill Industries International, Inc. is a network of 165 independent agencies in the United States and Canada with a presence in 14 other countries. The organizations sell donated clothing and household items, and use the proceeds to fund job training programs, employment placement services and other community-based initiatives.

According to sources in the financial industry, multiple locations of Goodwill Industries stores have been identified as a likely point of compromise for an unknown number of credit and debit cards.

In a statement sent to KrebsOnSecurity, Goodwill Industries said it first learned about a possible incident last Friday, July 18. The organization said it has not yet confirmed a breach, but that it is working with federal authorities on an investigation into the matter.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email.

“Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”

The U.S. Secret Service did not respond to requests for comment.

It remains unclear how many Goodwill locations may have been impacted, but sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores across at least 21 states, including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin.

It is also not known at this time how long ago this apparent breach may have begun, but those same financial industry sources say the breach could extend back to the middle of 2013.

Financial industry sources said the affected cards all appear to have been used at Goodwill stores, but that the fraudulent charges on those cards occurred at non-Goodwill stores, such as big box retailers and supermarket chains. This is consistent with activity seen in the wake of other large data breaches involving compromised credit and debit cards, including the break-ins at Target, Neiman Marcus, Michaels, Sally Beauty, and P.F. Chang’s.
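The pattern described above (cards that share one earlier merchant, with the fraudulent charges appearing elsewhere) is what issuers commonly look for with common-point-of-purchase analysis. The following is an added example, not code from the original post or from any investigator; the card IDs, merchant names, `min_fraud_cards` threshold and the `legit_only` switch are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data, not real transactions: (card_id, merchant, flagged_as_fraud).
# Four cards later show fraud at unrelated retailers; all four shopped at one thrift store.
TRANSACTIONS = [
    ("c1", "Thrift Store A", False), ("c1", "Grocer X", False), ("c1", "Gas Y", False),
    ("c2", "Thrift Store A", False), ("c2", "Grocer X", False),
    ("c3", "Thrift Store A", False), ("c3", "Gas Y", False),
    ("c4", "Thrift Store A", False), ("c4", "Cafe W", False),
    ("c5", "Grocer X", False), ("c5", "Gas Y", False),
    ("c6", "Grocer X", False), ("c6", "Cafe W", False),
    ("c7", "Gas Y", False), ("c7", "Cafe W", False), ("c7", "Grocer X", False),
    ("c8", "Thrift Store A", False), ("c8", "Grocer X", False),
    # Fraudulent charges happen somewhere else entirely.
    ("c1", "Big Box Z", True), ("c2", "Big Box Z", True),
    ("c3", "Supermarket V", True), ("c4", "Big Box Z", True),
]


def common_points(transactions, min_fraud_cards=2, legit_only=True):
    """Rank merchants by how over-represented they are among fraud-hit cards.

    legit_only=True counts only the cardholder's own purchases. Counting the
    fraudulent charges too would rank the cash-out merchants first instead of
    the place where the card data was taken.
    """
    fraud_cards = {card for card, _, fraud in transactions if fraud}
    all_cards = {card for card, _, _ in transactions}
    if not fraud_cards:
        return []
    base_rate = len(fraud_cards) / len(all_cards)  # share of all cards with fraud

    cards_by_merchant = defaultdict(set)
    for card, merchant, fraud in transactions:
        if fraud and legit_only:
            continue
        cards_by_merchant[merchant].add(card)

    ranked = []
    for merchant, cards in cards_by_merchant.items():
        hit = cards & fraud_cards
        if len(hit) < min_fraud_cards:
            continue  # too few fraud cards to say anything
        fraud_rate = len(hit) / len(cards)
        ranked.append({
            "merchant": merchant,
            "cards_seen": len(cards),
            "fraud_cards": len(hit),
            "coverage": len(hit) / len(fraud_cards),  # share of fraud cards seen here
            "lift": fraud_rate / base_rate,           # >1 means over-represented
        })
    ranked.sort(key=lambda r: (-r["lift"], -r["coverage"], r["merchant"]))
    return ranked


if __name__ == "__main__":
    for row in common_points(TRANSACTIONS):
        print(f'{row["merchant"]:<16} cards={row["cards_seen"]} '
              f'fraud={row["fraud_cards"]} coverage={row["coverage"]:.2f} '
              f'lift={row["lift"]:.2f}')
```

A merchant with high coverage and lift is only a candidate: card c8 in the sample shopped at the same store without fraud so far, which is why investigators still have to confirm a breach on site.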

TorrentFreak: Anti-Piracy Firm Wants to Fine Aussie and Canadian File-Sharers

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

For more than a decade copyright holders have been monitoring pirated downloads of their work on various file-sharing networks.

Traditionally these efforts have focused on the United States where ISPs are required to forward takedown notices to their account holders.

A recent trend has seen these notices become more than mere warnings. Companies such as CEG TEK and Rightscorp also tag on settlement requests, hoping to recoup some of the damages allegedly caused by file-sharers.

Since these requests are sent as DMCA notices, copyright holders do not have to involve the courts. Nonetheless, the ‘fines’ can be as high as several hundred dollars per shared file. Thus far these “automated fines” have been limited to the United States, but soon they will expand to Japan, with Australia and Canada next on the list.

TorrentFreak spoke with CEG TEK’s Kyle Reed who confirmed that they will soon start their piracy monetization service in Japan. At the same time the company will run various tests to see how Aussie and Canadian Internet providers respond to their notices.

“Increased coverage for our monetization clients in additional countries has always been top of mind. We have a base of international clients, some of which call these countries home,” Reed tells TorrentFreak.

“Canada and Australia are both hot topics with rights owners and the market conditions afford us the opportunity to initiate ISP compliance testing,” Reed adds.

If the notice forwarding goes well with the ISPs, and there are decent response rates, the company will also begin sending out settlement requests in Australia and Canada.

Internet providers have to be tested in advance, because the settlement scheme fails if ISPs ignore or modify the notices. For example, in the U.S. many of the larger ISPs forward the notice without the actual settlement offer.

CEG TEK is not the only piracy monetization service to consider international expansion. Previously Rightscorp announced that it was interested in offering its services in Canada.

Whether Internet providers in Australia and Canada are willing to cooperate has yet to be seen. In Canada there is currently no legal obligation for ISPs to cooperate, although this will change soon. Australia has a notice and takedown policy but this doesn’t require ISPs to forward the settlement requests.

According to CEG TEK their settlement services are superior to traditional anti-piracy warnings since they stop more unauthorized transfers while making money in the process.

“In the United States and around the world, traditional peer-to-peer anti-piracy methods have proved to be largely ineffective. We have the only peer-to-peer solution shown to decrease infringements and repeat offenders, as well as return monetary settlements to rightful copyright owners,” Reed says.

The irony is of course that these companies will render themselves obsolete if they become too effective, but for now there are still plenty of pirates around.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Microsoft Kills Security Emails, Blames Canada

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company’s recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software.

Update, 5:39 p.m. ET: In an apparent reversal, Microsoft now says it will be re-instating the security notifications via email. Please read the update at the end of this post.

Original story:

Last week, Microsoft sent the following notice to IT professionals and others who have signed up to receive email notices of security updates:

“As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:”

* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins

“In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website.”

“For more information, or to sign up for an RSS feed, visit the Microsoft Technical Security Notifications webpage at http://technet.microsoft.com/security/dd252948.”

Asked about the reason for the change, a Microsoft spokesperson said email communication was suspended to comply with a new Canadian anti-spam law that takes effect on July 1, 2014.

Some anti-spam experts who worked very closely on Canada’s Anti-Spam Law (CASL) say they are baffled by Microsoft’s response to a law which has been almost a decade in the making.

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE), said CASL contains carve-outs for warranty and product safety and security alerts that would more than adequately exempt the Microsoft missives from the regulation.

Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide “warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased.”

“I am at a complete and total loss to understand how the people in Redmond made such an apparently panicked decision,” Schwartzman said, noting that Microsoft was closely involved in the discussions in the Canadian parliament over the bill’s trajectory and content. “This is the first company I know of that’s been that dumb.”

Schwartzman said many companies have used CASL as an excuse to freshen up their email lists and to re-engage their customers. Some have even gone so far as to enter respondents who verify that they still want to receive email communications from a company into drawings for cash prizes and other giveaways.

“Over the past couple of weeks, I’ve seen nothing but a steady stream of reconfirmation mails from various companies,” he said. “I’m now in the running for several $500 dollar gift certificates because I confirmed my email. And at the bottom of each of these messages is a note that says ‘please ignore this offer if you’re not Canadian.’”

CAUCE board member Jeff Williams, a former group program manager at Microsoft’s Malware Protection Center, chalked Microsoft’s decision up to a little more than a tough call.

“I can imagine the discussion and wondering among the lawyers and [Microsoft] whether they should try to get hundreds of millions of opt-ins before June 30 or if they should change the way they share info,” Williams said. “I’m sure it wasn’t an easy decision, but I wouldn’t call it an overreaction.”

In addition to pushing notices about new updates out via Microsoft’s RSS feeds, the company also appears to be making the security email alerts available to users who have Live, Outlook or Hotmail accounts with Microsoft. And of course, readers can continue to rely on KrebsOnSecurity to feature information on any new security updates available from Microsoft, including each Patch Tuesday bundle as well as emergency, “out-of-band” updates released to address zero-day security threats.

Update, 5:40 p.m. ET: In an apparent reversal of its decision, Microsoft now says it will be re-starting its security notifications via email early next month. From a Microsoft spokesperson: “On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014.”

TorrentFreak: Court Hands Google a Worldwide Site Blocking Injunction

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Google’s dominance of the Internet, particularly in search, has seen the company become embroiled in the disputes of countless other companies.

Day after day, Google is expected to take action in third parties’ intellectual property complaints to avoid becoming liable itself. Prime examples can be found in the millions of DMCA-style notices the company processes each week. Google must remove those entries or face being accused of facilitating infringement.

Another case that Google has become involved in, Equustek Solutions Inc. v. Jack, sees two Canadian entities face off (the latter previous employees of the former) over stolen intellectual property used to manufacture competing products.

While Google has no direct links to the case, the plaintiffs claim that the company’s search engine is helping to direct people to a network of websites operated by the defendants which are selling the unlawful products. Google already removed links from its Google.ca results voluntarily, but that wasn’t enough for Equustek who wanted broader action.

In a ruling handed down in British Columbia, Justice L.A. Fenlon agreed, ordering Google to remove the infringing websites’ listings from its search results. Despite protestations from Google that any injunction should be limited to Canada and Google.ca, the Judge targeted Google’s central database in the United States, meaning that the ruling has worldwide implications.

“I note again that on the record before me, the injunction would compel Google to take steps in California or the state in which its search engine is controlled, and would not therefore direct that steps be taken around the world,” the Judge wrote.

“That the effect of the injunction could reach beyond one state is a separate issue. Even an order mandating or enjoining conduct entirely within British Columbia may have such extraterritorial, or even worldwide effect.”

Noting that Google did not complain that an order requiring it block the websites would “offend” the law in California where it is based, or any other country from where a search could be carried out, the Judge said that the search giant acknowledged that most countries would recognize that dealing in pirated products was “a legal wrong.”

Further detailing her decision, Judge Fenlon compared Google to an innocent warehouse that had been forbidden from shipping out goods for a company subjected to an injunction. That local order not to ship could also have broader geographical implications.

“Could it sensibly be argued that the Court could not grant the injunction because it would have effects worldwide? The impact of an injunction on strangers to the suit or the order itself is a valid consideration in deciding whether to exercise the Court’s jurisdiction to grant an injunction. It does not, however, affect the Court’s authority to make such an order,” she wrote.

The Judge also touched on the futility of ordering a blockade of results only on Google.ca, when users can simply switch to another variant.

“For example, even if the defendants’ websites were blocked from searches conducted through www.google.ca, Canadian users can go to www.google.co.uk or www.google.fr and obtain results including the defendants’ websites. On the record before me it appears that to be effective, even within Canada, Google must block search results on all of its websites,” she explained.

The nature of the ruling has raised concerns with lawyer Michael Geist, who notes that despite being issued by a local court, the ruling has attempted to match Google’s global reach.

“The issues raised by the decision date back to the very beginning of the globalization of the Internet and the World Wide Web as many worried about jurisdictional over-reach with courts applying local laws to a global audience,” Geist explains.

“While there is much to be said for asserting jurisdiction over Google – if it does business in the jurisdiction, the law should apply – attempts to extend blocking orders to a global audience has very troubling implications that could lead to a run on court orders that target the company’s global search results.”

While Google has a little under two weeks to comply with the injunction, its representatives told The Globe and Mail that the decision will be appealed.

TorrentFreak: Flixtor Finds Anti-Piracy Investigator on Its Doorstep, Shuts Down

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

This weekend the website of the movie torrent streaming application Flixtor suddenly went offline, and the same happened to search engine TorrentLookup.com.

Both projects were run by the same team, which is based in Canada, and were slowly but steadily expanding their user bases. This suddenly changed a few days ago when a message posted on both sites announced that the streaming app and search engine were being discontinued.

“We voluntarily decided to close all services of torrentlookup.com. Thanks to everybody that used Flixtor and bought the mobile version. We have reached the finish line,” a message now displays on both sites.

The decision came as a total surprise to users of the site and app. Flixtor, a custom-built Popcorn Time alternative based on the same Peerflix engine, was just a few weeks old.

The Flixtor app had a user interface similar to Popcorn Time, but was not a fork. Instead, it used its own code and the movies/series API from TorrentLookup.com, which claimed to have the latest releases faster.

TorrentFreak got in touch with one of the developers, who informed us that the decision to close was the result of movie industry pressure. The developer in question had an investigator from the MPAA-funded Motion Picture Association Canada come by his house, and it didn’t stop there.

“They were annoying me with phone calls repeatedly, and I talked to them quite a few times,” the developer explained.

The movie industry group only had one goal, and that was to shut down the streaming application and the torrent site. The investigator threatened the developer with legal action if he refused to comply.

“They wanted me to close Flixtor/Torrentlookup and then they would drop the charges against me, which are $20,000 per copyrighted file,” the developer told us.

With the threat of a massive lawsuit on their shoulders, the people behind the two projects decided to pull the plug this weekend. Even if they wanted to, they lack the funds to properly defend themselves in court.

The above shows that, behind the scenes, a lot of pressure is being put on the people who operate torrent sites and related services. It may also explain why some sites simply disappear, or why some of the “Popcorn Time” developers ceased their activities.

TorrentFreak contacted the Motion Picture Association Canada for a comment yesterday, but at the time of publication we were yet to receive a response.

SANS Internet Storm Center, InfoCON: green: Canada’s Anti-Spam Legislation (CASL) 2014, (Tue, Jun 17th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Canada recently passed anti-spam legislation. Starting July 1 2014, organizations now need consent to send unsolicited emails or other electronic communications, which includes text messages, faxes and anything else you might think of. This doesn’t cover just mass marketing; a single email to a single person is covered in this new legislation.

Starting Jan 15, 2015, the installation of apps, plug-ins and other programs needs similar consent.

With fines up to $1 million for individuals and $10 million for organizations, there’s a bit of a scramble to get consent from us Canadians. Everyone from car companies wanting to send service bulletins to insurance companies who think this applies to emails on our insurance claims is sending “click here to consent” emails. And of course, a similar scramble for folks that we’ve bought something from once, who want to send us sales flyers forever.

See the problem yet? There was a clue in the note above.

In this onslaught of “Click here” notes, it’s oh-so-easy to slip in a few malicious emails, and of course if you do click in those notes, there’s some special malware just for you!

To make things more interesting, many of the legit emails of this type are loaded with graphics, with the links pointing to third-party sites, so they also look like malicious content all on their own.

So in an effort to protect us Canadians from our collective compulsion to open every email and click every link (this isn’t confined to just Canadians mind you), this legislation is actually resulting in a new “easy button” attack vector, so we have a spike of the very activity this is trying to prevent!

I wonder if the folks in Ottawa who wrote this legislation realize that this also applies to their campaign material at election time? Or if they understand that a telephone call is also “electronic communication”? <Just the first two gotcha’s that came to mind>

If you’ve seen malware in email of this type, or if you have a slow day and want to read the legislation and look for similar “oops” situations, please share using our comment form!

http://www.crtc.gc.ca/eng/casl-lcap.htm
http://fightspam.gc.ca

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
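The diary's point that legitimate consent requests "look like malicious content all on their own" shows up as soon as a mail gateway applies the usual off-domain-link check. The following is an added example, not part of the original diary; the sender, the `.example` domains, the keyword list and the two-label `base_domain` shortcut are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed keyword list for "click here to consent" style mail.
CONSENT_RE = re.compile(r"\b(consent|opt[- ]?in|CASL)\b", re.I)


class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def base_domain(host):
    # Simplification: keep the last two labels. Production code should use
    # the Public Suffix List so that names under e.g. co.uk are handled.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw_message):
    """Flag consent-request mail whose links leave the sender's domain."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = base_domain(sender.rpartition("@")[2])

    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html += payload.decode(part.get_content_charset() or "utf-8", "replace")

    collector = LinkCollector()
    collector.feed(html)
    offsite = []
    for href in collector.links:
        host = urlsplit(href).hostname
        if host and base_domain(host) != sender_domain:
            offsite.append(href)

    text = msg.get("Subject", "") + " " + html
    return {
        "consent_request": bool(CONSENT_RE.search(text)),
        "sender_domain": sender_domain,
        "offsite_links": offsite,
    }


def sample_message(link):
    # Constructed message; the From header is identical in all three samples,
    # as it would be when a sender address is spoofed.
    return (
        'From: "Acme Insurance" <news@acme-insurance.example>\n'
        "Subject: Please confirm your consent\n"
        "Content-Type: text/html; charset=utf-8\n"
        "\n"
        '<html><body><img src="https://img.bulkmailer.example/banner.png">'
        f'<a href="{link}">Click here to consent</a></body></html>\n'
    )


# Constructed samples: a real campaign sent through a bulk-mail tracker,
# a lookalike domain, and a request that links back to the sender's own site.
LEGIT_VIA_MAILER = sample_message("https://click.bulkmailer.example/t/abc123")
LOOKALIKE = sample_message("http://acme-insurance-consent.example/confirm")
FIRST_PARTY = sample_message("https://www.acme-insurance.example/consent")

if __name__ == "__main__":
    for name in ("LEGIT_VIA_MAILER", "LOOKALIKE", "FIRST_PARTY"):
        print(name, triage(globals()[name]))
```

The check returns the same verdict for the bulk-mailer campaign and the lookalike, so it cannot separate them on its own; only the request that links to the sender's own domain passes cleanly.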

Darknet - The Darkside: 14-Year Olds Hack ATM With Default Password

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

This is actually a pretty good hack and a good use of the word hacking in the original sense, two curious teenagers managed to access the administrator mode of an ATM in Winnipeg, Canada by using the default password they found in a manual they downloaded online. Ingenious and pretty forward thinking, I like the […]

The post 14-Year Olds Hack…

Read the full post at darknet.org.uk

TorrentFreak: How Sweden Gained Access to a Canada-Hosted Torrent Site

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Earlier this week tips coming into TorrentFreak suggested that a relatively small torrent site known as Sparvar had come under the scrutiny of the police. Sure enough, the site subsequently went offline.

Problems had been building for more than two years. Swedish anti-piracy group Rights Alliance (Antipiratbyran) had built up an interest in Sparvar, a site directed at a largely Swedish audience. In early 2012 following action against a private site known as Swepiracy, Rights Alliance warned that Sparvar was on their list of targets.

Until this week, however, Sparvar had been hosted in Canada with Montreal-based Netelligent Hosting Services. For some time it had been presumed that hosting a torrent site in Canada is legal, a notion that was recently backed up by Netelligent president Mohamed Salamé.

“[As] long as there are no violations of our [acceptable use policy], we take no actions against torrent sites which are still legal in Canada,” Salamé told TF.

Nevertheless, the Royal Canadian Mounted Police (RCMP) still took action against Sparvar. How did this come to pass?

A source familiar with the case who agreed to speak on condition of anonymity told TorrentFreak that Netelligent was served with a data preservation order by the RCMP who were working together with authorities in Sweden.

In the first instance Netelligent were gagged from informing their client about the investigation, presumably so that no data could be tampered with. Netelligent was then sent a hard drive by the RCMP for the purposes of making a copy of the Sparvar server. This was to be handed over to their authorities.

We’re led to believe that Netelligent put up a fight to protect their customer’s privacy but in the end they were left with no choice but to comply with the orders. And here’s why.

MLAT, or Mutual Legal Assistance Treaty agreements, enable countries to gather, share and exchange information in order to enforce the law. Since 2001, Canada has had an MLAT with Sweden and since there was a criminal investigation underway in Sweden against Sparvar, Canada and Netelligent were legally obligated to provide assistance in the case.

So what does this mean for other sites hosted in Canada? Well, according to our source anyone running a site should be aware of the countries that Canada has MLAT agreements with, just in case another country decides to launch a case.

Those countries can be found here but they include everyone from the United States to Australia, from China to Russia, and many countries across Europe including the UK, Netherlands, Spain, Poland, France and Italy.

Finally, our source informs us that while cooperation in criminal cases has obviously been requested before, to the extent of his knowledge this is the first time that a torrent site has been a target.

TorrentFreak: Updated: Canadian Police Raid BitTorrent Tracker, Confiscate Server

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

If one would like to gauge the opinions of the world’s leading entertainment companies on Canadian attitudes towards BitTorrent sites, one only needs to look at this year’s International Intellectual Property Alliance (IIPA) submission to the USTR.

“It is hard to avoid the conclusion that Canada remains a magnet for sites whose well-understood raison d’être is to facilitate and enable massive unauthorized downloading of pirated versions of feature films, TV shows, recorded music, entertainment software, and other copyright materials,” the IIPA wrote.

These claims are actually the tip of a very large iceberg. It’s indeed true that some large public torrent sites are at least partly hosted on Canadian soil but mildly under the radar are also dozens of private tracker communities, many of which have happily operated from Canada for many, many years.

The overall impression is that Canada is one of the safest countries in which to put a file-sharing site, but developments yesterday cast a shadow over that notion.

With 10,000 members, Sparvar.org (Sparrows) was a reasonably sized private site. Aimed largely at a Swedish audience, Sparvar had enjoyed Canadian hosting on an IP address belonging to Montreal-based Netelligent Hosting Services, a company that has welcomed many similar sites in the past. Sometime in the past 24 hours, however, Sparvar disappeared from the Internet.

Soon after a rumor began circulating that Sparvar had been raided by the police. That version of events has now been confirmed by Scandinavian anti-piracy outfit Rights Alliance.

Update: Netelligent confirm action against Sparvar’s server, but deny any raid took place. See update below.

“Police in Canada have seized a server belonging to the illegal file-sharing service sparvar.org. Sparrows was a secret service with some 10 000 registered members. The server was located in Canada, but the activity was directed mainly against Sweden,” the anti-piracy group says.

“Behind the complaint stands Rights Alliance which has long been monitoring and documenting this business. The investigation is continuing with a focus on identifying the perpetrators. The seized server will be analyzed.”

The action against Sparvar shows that Rights Alliance have long memories. More than two years ago following their action against private site Swepiracy, Rights Alliance warned of further action to come, specifically naming Sparvar as a target.

That the group can conduct its work across borders, especially into Canada where it was believed there was a more torrent friendly environment, will come as a surprise to the many other sites hosted there under similar circumstances.

Canada has been paying more attention to IP issues in recent years, enacting the Copyright Modernization Act in 2012 and subsequently introducing a bill designed to strengthen IP enforcement. Following these efforts the United States shifted Canada from the Priority Watch List to the standard Watch List in this year’s Special 301 Report. How much further Canada is prepared to go remains to be seen.

Update: TorrentFreak has been informed by Netelligent president Mohamed Salamé that the police action against Sparvar was carried out in an orderly cooperative fashion with authorities and was not the product of a raid.

“The fact of the matter is we are a datacenter hosting all sorts of customers downstream from us. And as long as there are no violations of our AUP, we take no actions against torrent sites which are still legal in Canada,” Salamé explains.

“We also don’t get ‘raids’ as we have a very professional relationship with all agencies on the federal and provincial level to address the issues. And by professional relationship I mean that we do not just give out information or hardware just because they are law agencies. We make sure their requests are legitimate and that they have subpoenas, court orders, or warrants before complying with any of their demands.”

A separate source familiar with the case informs TorrentFreak that contrary to claims by Rights Alliance, no hardware was seized. It appears that a server was indeed cloned but that was in response to an official order to preserve data following a request by Swedish and Canadian authorities.
