Posts tagged ‘canada’

SANS Internet Storm Center, InfoCON: green: Trolling Memory for Credit Cards in POS / PCI Environments, (Tue, Aug 26th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

In a recent penetration test, I was able to parlay a network oversight into access to a point of sale terminal.  Given the discussions these days, the next step for me was an obvious one – memory analysis.

My first step was to drive to the store I had compromised and purchase an item.

I’m not a memory analysis guru, but the memory capture and analysis were surprisingly easy.  First, dump memory:
dumpit
Yup, it’s that simple; I had the DumpIt executable on the box by that point (more info here: https://isc.sans.edu/diary/Acquiring+Memory+Images+with+Dumpit/17216)
or, if you don’t have keyboard access (DumpIt waits for a physical Enter keypress, so I/O redirection won’t work for this):
win32dd /f memdump.img
(from the SANS Forensics Cheat Sheet at https://blogs.sans.org/computer-forensics/files/2012/04/Memory-Forensics-Cheat-Sheet-v1_2.pdf )

Next, I’ll dig for my credit card number specifically:

strings memdump.img | grep [mycardnumbergoeshere] | wc -l
     171

Yup, that’s 171 occurrences in memory, unencrypted.  So far, we’re still PCI compliant – PCI 2.0 doesn’t mention cardholder data in memory, and 3.0 only mentions it in passing.  The PCI standard mainly cares about data at rest (which to most auditors means “on disk or in a database”) or data in transit (on the wire, capturable by tcpdump or Wireshark).  Anything in memory, no matter how much of a target it is in today’s malware landscape, has no bearing on PCI compliance.

The search above was done on Windows, using strings from Sysinternals, which by default finds strings in both ASCII and Unicode (UTF-16).  If I repeat this on Linux with GNU strings (which by default is ASCII only), the results change:
strings memdump.img | grep [mycardnumbergoeshere] | wc -l
     32

To get the rest of the occurrences, I also need to search for the UTF-16 representation, which GNU strings selects with -e l (16-bit little-endian):
strings -el memdump.img | grep [mycardnumbergoeshere] | wc -l
     139

32 + 139 gives me the same total of 171.

Back over to windows, let’s dig a little deeper – how about my CC number and my name tied together?
strings memdump.img | grep [myccnumbergoeshere] | grep -i vandenbrink | wc -l
     1

or my CC number plus my PIN (we’re CHIP+PIN in Canada):
strings memdump.img | grep [mycardnumbergoeshere] | grep [myPINnumber] | wc -l
     12

Why exactly the POS needs my PIN is beyond me!

Next, let’s search this image for a number of *other* credit cards – rather than dig by number, I’ll search for issuer name so there’s no mistake.  These searches all use the Sysinternals “strings”, since that command’s defaults (ASCII plus Unicode) lend themselves better to our search:

CAPITAL ONE       85
VISA             565
MASTERCARD      1335
AMERICAN EXPRESS  20

and for kicks, I also searched for debit card IIN prefixes (I only searched for a couple of banks with longer IIN prefixes):
Bank of Montreal   500766     245
TD Canada Trust    589297     165

Looking for my number + my CC issuer in the same line gives me:
strings memdump.img | grep [myccnumbergoeshere] | grep MASTERCARD | wc -l
     5

So, assuming this holds true for other cards (it might not, even though the counts above are all divisible by 5), this POS terminal has hundreds, more likely thousands, of valid card numbers in memory, along with names, PINs and other information.

Finally, looking for a full magstripe in memory.  The search for a full stripe (Track 1 followed by Track 2):
grep -aoE '(((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9\s]{3,50}?)[;\s]{1,3}([0-9]{13,19}=(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9]{3,50}?))' memdump.img | wc -l
    0

where:

    -a = Processes a binary file as text
    -o = Shows only the matched text
    -E = Treats the pattern as an extended regular expression
    \^ = a literal caret, the Track 1 field separator (an unescaped ^ is an anchor in an extended regex)

or using this regex to find Track 1 strings only:

((%?[Bb]?)[0-9]{13,19}\^[A-Za-z\s]{0,26}/[A-Za-z\s]{0,26}\^(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9\s]{3,50}?)
gives us 0 results.

or this regex to find Track 2 strings only:

([0-9]{13,19}=(1[2-9]|2[0-9])(0[1-9]|1[0-2])[0-9]{3,50}?)
gives us 162 (I’m not sure how much I trust this number).  Note that the Track 2 pattern carries no leading ; or trailing ? sentinel, so any run of 13 to 19 digits followed by = and a plausible YYMM will match it, whether or not it is a card.

Anyway, what this tells me is that this store isn’t seeing very many folks swipe their cards; it’s all CHIP+PIN (which you’d expect).

(Thanks to the folks at bromium for the original regular expressions and breakdown: http://labs.bromium.com/2014/01/13/understanding-malware-targeting-point-of-sale-systems/)
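The searches above can be tightened up quite a bit. What follows is an added example, not code from the diary, from Bromium or from the tools named here: it re-does the strings-and-grep search in Python so that one scan finds a PAN in both its ASCII and its UTF-16LE form (the two counts that had to be added together above), drops random digit runs with a Luhn check, masks what it reports, and parses the Track 1 / Track 2 records the Bromium regexes look for into fields with their own sanity flags, which is the check a practitioner would want before trusting a Track 2 count like the 162 above. The image it scans is constructed inline from the public 4111… and 5555… test numbers; the track records, the cardholder name and the filler are made up.

```python
"""Scan a raw memory image for cardholder data in ASCII and UTF-16LE,
plus magstripe Track 1 / Track 2 records.  Added example; the sample
image is constructed below, not real dump data."""
from collections import Counter
import re

# A candidate PAN is 13-19 digits not embedded in a longer digit run.
_PAN_ASCII = re.compile(rb"(?<![0-9])[0-9]{13,19}(?![0-9])")
# The same PAN as Windows keeps it in a wide string: each digit followed by \x00.
_PAN_UTF16LE = re.compile(rb"(?<![0-9]\x00)(?:[0-9]\x00){13,19}(?![0-9]\x00)")

# Track 1, format B: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary>?
_TRACK1 = re.compile(
    rb"%?B(?P<pan>[0-9]{13,19})\^(?P<name>[A-Z ./'-]{0,26})\^"
    rb"(?P<yy>[0-9]{2})(?P<mm>[0-9]{2})[0-9]{3,50}\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
_TRACK2 = re.compile(
    rb";?(?P<pan>[0-9]{13,19})=(?P<yy>[0-9]{2})(?P<mm>[0-9]{2})[0-9]{3,50}\??")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check-digit test; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(image: bytes) -> dict:
    """Count Luhn-valid PANs per encoding, keyed by masked PAN."""
    hits = {"ascii": Counter(), "utf16le": Counter()}
    for m in _PAN_ASCII.finditer(image):
        pan = m.group().decode("ascii")
        if luhn_ok(pan):
            hits["ascii"][mask(pan)] += 1
    for m in _PAN_UTF16LE.finditer(image):
        pan = m.group().decode("utf-16-le")
        if luhn_ok(pan):
            hits["utf16le"][mask(pan)] += 1
    return {enc: dict(c) for enc, c in hits.items()}


def find_tracks(image: bytes) -> list:
    """Parse magstripe records; the Luhn and expiry flags separate a real
    hit from a loose-regex false positive."""
    records = []
    for kind, rx in (("track1", _TRACK1), ("track2", _TRACK2)):
        for m in rx.finditer(image):
            pan = m.group("pan").decode("ascii")
            yy, mm = m.group("yy").decode("ascii"), m.group("mm").decode("ascii")
            rec = {"kind": kind, "pan": mask(pan), "expiry": f"20{yy}-{mm}",
                   "luhn_ok": luhn_ok(pan), "expiry_ok": 1 <= int(mm) <= 12}
            if kind == "track1":
                rec["name"] = m.group("name").decode("ascii")
            records.append(rec)
    return records


def build_sample_image() -> bytes:
    """Constructed stand-in for memdump.img: card artefacts between binary
    filler.  The last 16-digit run fails Luhn and must not be counted."""
    filler = bytes(range(256)) * 4
    pan_v, pan_m = b"4111111111111111", b"5555555555554444"
    return filler.join([
        b"",
        b"MASTERCARD " + pan_m + b" VANDENBRINK R",      # ASCII, as in the grep above
        pan_v.decode().encode("utf-16-le"),              # same PAN as a wide string
        b"%B" + pan_v + b"^DOE/JOHN^25121014321?",        # Track 1, format B
        b";" + pan_m + b"=25121014321?",                  # Track 2
        b"1234567890123456",                             # 16 digits, bad check digit
        b"",
    ])


if __name__ == "__main__":
    img = build_sample_image()
    for enc, counts in find_pans(img).items():
        print(enc, counts)
    for rec in find_tracks(img):
        print(rec)
```

Run it as a script to print the per-encoding counts and the parsed records; on a real image, replace build_sample_image() with the bytes of memdump.img (a multi-gigabyte dump should be read in chunks with an overlap of a few hundred bytes, which this example omits for brevity).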

Getting system uptime (from the system itself) wraps up this simple analysis – the point being “how long did it take to collect this much info?”

net statistics server | find "since"
shows us that the box had been up for just under 4 days.

Other ways to find uptime?
from the CLI:
systeminfo | find "Boot Time"
or, in PowerShell:
PS C:\> Get-WmiObject win32_operatingsystem | select csname, @{LABEL='LastBootUpTime';EXPRESSION={$_.ConvertToDateTime($_.lastbootuptime)}}
or, in wmic:
wmic os get lastbootuptime
or, if you have Sysinternals available, you can just run “uptime”.

What does this mean for folks concerned with PCI compliance?
Today, not so much.  Lots of environments are still operating under PCI 2.0.  PCI 3.0 simply calls for education on the topic of good coding practices to combat memory scraping.  Requirement 6.5 phrases this as “Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.  Develop applications based on secure coding guidelines.”

Personally (and this is just my opinion), I would expect/hope that the next version of PCI will call out encryption of card and personal information in memory specifically as a requirement.  If things play out that way, what this will mean to the industry is that either:
a/ folks will need to move to card readers that encrypt before the information reaches the POS terminal
or
b/ if they are using this info to collect sales / demographic information, they might instead tokenize the CC data for the database, and scrub it from memory immediately after.  All I can say to that approach is “good luck”.  Memory management is usually abstracted from the programming language, so I’m not sure how successful you’d be in trying to scrub artifacts of this type from memory.
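As an added example (not code from the diary), here is what option b/ looks like in Python, and why the “good luck” is warranted: a keyed HMAC token is what the database keeps, and the scrub only succeeds on a buffer the program itself owns and can overwrite; for an immutable str or bytes copy, or for copies the reader driver or network stack made earlier, nothing can be done from this layer. TOKEN_KEY is a placeholder for a key that would live in an HSM or key-management service.

```python
"""Tokenize a PAN for the sales database, then scrub the working copy.
Added example; TOKEN_KEY is a placeholder, never a real key."""
import hashlib
import hmac

TOKEN_KEY = bytes(32)   # assumption/placeholder: fetch from an HSM/KMS, never hard-code


def tokenize(pan_buf, key: bytes = TOKEN_KEY) -> str:
    """Keyed, deterministic token (HMAC-SHA256): the same card always maps to
    the same token, so sales can still be joined per card, but without the key
    the PAN cannot be recovered or enumerated from the token.  hmac accepts any
    bytes-like object, so a bytearray is hashed without first being copied into
    an immutable bytes object."""
    return hmac.new(key, pan_buf, hashlib.sha256).hexdigest()


def scrub(buf) -> bool:
    """Best-effort in-place zeroing.  Returns True only if the bytes were
    actually overwritten.  str and bytes are immutable (their memoryview is
    read-only): all you can do is drop the reference and wait for the allocator
    to reuse the memory, which is exactly the problem the diary raises.  Even
    for a bytearray this does nothing about copies made earlier by the card
    reader driver, the socket layer or logging."""
    if isinstance(buf, str):
        return False
    with memoryview(buf) as mv:
        if mv.readonly:
            return False
        mv[:] = bytes(len(mv))      # same-length slice write: no reallocation
    return True


def record_sale(pan_buf: bytearray) -> dict:
    """What the POS would hand to the database: a token plus the displayable
    last four digits, with the PAN buffer zeroed before returning."""
    if not isinstance(pan_buf, bytearray):
        raise TypeError("pass the PAN in a bytearray so it can be scrubbed")
    rec = {"token": tokenize(pan_buf), "last4": pan_buf[-4:].decode("ascii")}
    scrub(pan_buf)
    return rec


if __name__ == "__main__":
    buf = bytearray(b"4111111111111111")      # public test number, constructed input
    print(record_sale(buf))
    print("buffer after scrub:", bytes(buf))
    print("can scrub bytes?", scrub(b"4111111111111111"))
```

The TypeError in record_sale is deliberate: a caller that hands over a str or bytes has already lost the ability to clear it, so the API refuses rather than pretend.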

===============
Rob VandenBrink, Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Krebs on Security: Feds: Hackers Ran Concert Ticket Racket

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A Russian man detained in Spain is facing extradition to the United States on charges of running an international cyber crime ring that allegedly stole more than $10 million in electronic tickets from e-tickets vendor StubHub.

Vadim Polyakov, 30, was detained while vacationing in Spain. Polyakov is wanted on conspiracy charges to be unsealed today in New York, where investigators with the Manhattan District Attorney’s office and the U.S. Secret Service are expected to announce coordinated raids of at least 20 people in the United States, Canada and the United Kingdom accused of running an elaborate scam to resell stolen e-tickets and launder the profits.

Sources familiar with the matter describe Polyakov, from St. Petersburg, Russia, as the ringleader of the gang, which allegedly used thousands of compromised StubHub user accounts to purchase huge volumes of electronic, downloadable tickets that were fed to a global network of resellers.

Robert Capps, senior director of customer success for RedSeal Networks and formerly head of StubHub’s global trust and safety organization, said the fraud against StubHub — which is owned by eBay — largely was perpetrated with usernames and passwords stolen from legitimate StubHub customers. Capps noted that while banks have long been the target of online account takeovers, many online retailers are unprepared for the wave of fraud that account takeovers can bring.

“In the last year online retailers have come under significant attack by cyber criminals using techniques such as account takeover to commit fraud,” Capps said. “Unfortunately, the transactional risk systems employed by most online retailers are not tuned to detect and defend against malicious use of existing customer accounts.  Retooling these systems to detect account takeovers can take some time, leaving retailers exposed to significant financial losses in the intervening time.”

Polyakov is the latest in a recent series of accused Russian hackers detained while traveling abroad and currently facing extradition to the United States. Dmitry Belorossov, a Russian citizen wanted in connection with a federal investigation into a cyberheist gang that leveraged the Gozi Trojan, also is facing extradition to the United States from Spain. He was arrested in Spain in August 2013 while attempting to board a flight back to Russia.

Last month, federal authorities announced they had arrested Russian citizen Roman Seleznev as he was vacationing in the Maldives. Seleznev, the son of a prominent Russian lawyer, is currently being held in Guam and is awaiting extradition to the United States.

Arkady Bukh, a New York criminal lawyer who frequently represents Russian and Eastern European hackers who wind up extradited to the United States, said the Polyakov case will be interesting to watch because his extradition is being handled by New York authorities, not the U.S. government.

“I’m not saying they won’t get some help from the feds, but extradition by state prosecutors is often a failure,” Bukh said. “In fact, I don’t remember the last time we saw a successful extradition of cybercrime suspects by U.S. state prosecutors. You have to have a lot of political juice to pull off that kind of thing, and normally state prosecutors don’t have that kind of juice.”

Nevertheless, Bukh said, U.S. authorities have made it crystal clear that there are few countries outside of Russia and Ukraine which can be considered safe havens for wanted cybercriminals.

“The U.S. government has delivered the message that these guys can get arrested anywhere, that there are very few places they can go and go safely,” Bukh said.

Krebs on Security: Banks: Card Breach at Goodwill Industries

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Heads up, bargain shoppers: Financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide. For its part, Goodwill Industries International Inc. says it is working with the U.S. Secret Service on an investigation into these reports.

Headquartered in Rockville, Md., Goodwill Industries International, Inc. is a network of 165 independent agencies in the United States and Canada with a presence in 14 other countries. The organizations sell donated clothing and household items, and use the proceeds to fund job training programs, employment placement services and other community-based initiatives.

According to sources in the financial industry, multiple locations of Goodwill Industries stores have been identified as a likely point of compromise for an unknown number of credit and debit cards.

In a statement sent to KrebsOnSecurity, Goodwill Industries said it first learned about a possible incident last Friday, July 18. The organization said it has not yet confirmed a breach, but that it is working with federal authorities on an investigation into the matter.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email.

“Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”

The U.S. Secret Service did not respond to requests for comment.

It remains unclear how many Goodwill locations may have been impacted, but sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores across at least 21 states, including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin.

It is also not known at this time how long ago this apparent breach may have begun, but those same financial industry sources say the breach could extend back to the middle of 2013.

Financial industry sources said the affected cards all appear to have been used at Goodwill stores, but that the fraudulent charges on those cards occurred at non-Goodwill stores, such as big box retailers and supermarket chains. This is consistent with activity seen in the wake of other large data breaches involving compromised credit and debit cards, including the break-ins at Target, Neiman Marcus, Michaels, Sally Beauty, and P.F. Chang’s.

TorrentFreak: Anti-Piracy Firm Wants to Fine Aussie and Canadian File-Sharers

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

For more than a decade copyright holders have been monitoring pirated downloads of their work on various file-sharing networks.

Traditionally these efforts have focused on the United States where ISPs are required to forward takedown notices to their account holders.

A recent trend has seen these notices become more than mere warnings. Companies such as CEG TEK and Rightscorp also tag on settlement requests, hoping to recoup some of the damages allegedly caused by file-sharers.

Since these requests are sent as DMCA notices, copyright holders do not have to involve the courts. Nonetheless, the ‘fines’ can be as high as several hundred dollars per shared file. Thus far these “automated fines” have been limited to the United States, but soon they will expand to Japan, with Australia and Canada next on the list.

TorrentFreak spoke with CEG TEK’s Kyle Reed who confirmed that they will soon start their piracy monetization service in Japan. At the same time the company will run various tests to see how Aussie and Canadian Internet providers respond to their notices.

“Increased coverage for our monetization clients in additional countries has always been top of mind. We have a base of international clients, some of which call these countries home,” Reed tells TorrentFreak

“Canada and Australia are both hot topics with rights owners and the market conditions afford us the opportunity to initiate ISP compliance testing,” Reed adds.

If the notice forwarding goes well with the ISPs, and there are decent response rates, the company will also begin sending out settlement requests in Australia and Canada.

Internet providers have to be tested in advance, because the settlement scheme fails if ISPs ignore or modify the notices. For example, in the U.S. many of the larger ISPs forward the notice without the actual settlement offer.

CEG TEK is not the only piracy monetization service to consider international expansion. Previously Rightscorp announced that it was interested in offering its services in Canada.

Whether Internet providers in Australia and Canada are willing to cooperate has yet to be seen. In Canada there is currently no legal obligation for ISPs to cooperate, although this will change soon. Australia has a notice and takedown policy but this doesn’t require ISPs to forward the settlement requests.

According to CEG TEK their settlement services are superior to traditional anti-piracy warnings since they stop more unauthorized transfers while making money in the process.

“In the United States and around the world, traditional peer-to-peer anti-piracy methods have proved to be largely ineffective. We have the only peer-to-peer solution shown to decrease infringements and repeat offenders, as well as return monetary settlements to rightful copyright owners,” Reed says.

The irony is of course that these companies will render themselves obsolete if they become too effective, but for now there are still plenty of pirates around.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Microsoft Kills Security Emails, Blames Canada

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company’s recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software.

Update, 5:39 p.m. ET: In an apparent reversal, Microsoft now says it will be re-instating the security notifications via email. Please read the update at the end of this post.

Original story:

Last week, Microsoft sent the following notice to IT professionals and others who have signed up to receive email notices of security updates:

“As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:”

* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins

“In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website.”

“For more information, or to sign up for an RSS feed, visit the Microsoft Technical Security Notifications webpage at http://technet.microsoft.com/security/dd252948.”

Asked about the reason for the change, a Microsoft spokesperson said email communication was suspended to comply with a new Canadian anti-spam law that takes effect on July 1, 2014.

Some anti-spam experts who worked very closely on Canada’s Anti-Spam Law (CASL) say they are baffled by Microsoft’s response to a law which has been almost a decade in the making.

Neil Schwartzman, executive director of the Coalition Against Unsolicited Commercial Email (CAUCE), said CASL contains carve-outs for warranty and product safety and security alerts that would more than adequately exempt the Microsoft missives from the regulation.

Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide “warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased.”

“I am at a complete and total loss to understand how the people in Redmond made such an apparently panicked decision,” Schwartzman said, noting that Microsoft was closely involved in the discussions in the Canadian parliament over the bill’s trajectory and content. “This is the first company I know of that’s been that dumb.”

Schwartzman said many companies have used CASL as an excuse to freshen up their email lists and to re-engage their customers. Some have even gone so far as to enter respondents who verify that they still want to receive email communications from a company into drawings for cash prizes and other giveaways.

“Over the past couple of weeks, I’ve seen nothing but a steady stream of reconfirmation mails from various companies,” he said. “I’m now in the running for several $500 dollar gift certificates because I confirmed my email. And at the bottom of each of these messages is a note that says ‘please ignore this offer if you’re not Canadian.’”

CAUCE board member Jeff Williams, a former group program manager at Microsoft’s Malware Protection Center, chalked Microsoft’s decision up to a little more than a tough call.

“I can imagine the discussion and wondering among the lawyers and [Microsoft] whether they should try to get hundreds of millions of opt-ins before June 30 or if they should change the way they share info,” Williams said. “I’m sure it wasn’t an easy decision, but I wouldn’t call it an overreaction.”

In addition to pushing notices about new updates out via Microsoft’s RSS feeds, the company also appears to be making the security email alerts available to users who have Live, Outlook or Hotmail accounts with Microsoft. And of course, readers can continue to rely on KrebsOnSecurity to feature information on any new security updates available from Microsoft, including each Patch Tuesday bundle as well as emergency, “out-of-band” updates released to address zero-day security threats.

Update, 5:40 p.m. ET: In an apparent reversal of its decision, Microsoft now says it will be re-starting its security notifications via email early next month. From a Microsoft spokesperson: “On June 27, 2014, Microsoft notified customers that we were suspending Microsoft Security Notifications due to changing governmental policies concerning the issuance of automated electronic messaging. We have reviewed our processes and will resume these security notifications with our monthly Advanced Notification Service (ANS) on July 3, 2014.”

TorrentFreak: Court Hands Google a Worldwide Site Blocking Injunction

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Google’s dominance of the Internet, particularly in search, has seen the company become embroiled in the disputes of countless other companies.

Day after day, Google is expected to take action in third parties’ intellectual property complaints to avoid becoming liable itself. Prime examples can be found in the millions of DMCA-style notices the company processes each week. Google must remove those entries or face being accused of facilitating infringement.

Another case that Google has become involved in, Equustek Solutions Inc. v. Jack, sees two Canadian entities face off (the defendants being former employees of the plaintiff) over stolen intellectual property used to manufacture competing products.

While Google has no direct links to the case, the plaintiffs claim that the company’s search engine is helping to direct people to a network of websites operated by the defendants which are selling the unlawful products. Google already removed links from its Google.ca results voluntarily, but that wasn’t enough for Equustek who wanted broader action.

In a ruling handed down in British Columbia, Justice L.A. Fenlon agreed, ordering Google to remove the infringing websites’ listings from its search results. Despite protestations from Google that any injunction should be limited to Canada and Google.ca, the Judge targeted Google’s central database in the United States, meaning that the ruling has worldwide implications.

“I note again that on the record before me, the injunction would compel Google to take steps in California or the state in which its search engine is controlled, and would not therefore direct that steps be taken around the world,” the Judge wrote.

“That the effect of the injunction could reach beyond one state is a separate issue. Even an order mandating or enjoining conduct entirely within British Columbia may have such extraterritorial, or even worldwide effect.”

Noting that Google did not complain that an order requiring it block the websites would “offend” the law in California where it is based, or any other country from where a search could be carried out, the Judge said that the search giant acknowledged that most countries would recognize that dealing in pirated products was “a legal wrong.”

Further detailing her decision, Judge Fenlon compared Google to an innocent warehouse that had been forbidden from shipping out goods for a company subjected to an injunction. That local order not to ship could also have broader geographical implications.

“Could it sensibly be argued that the Court could not grant the injunction because it would have effects worldwide? The impact of an injunction on strangers to the suit or the order itself is a valid consideration in deciding whether to exercise the Court’s jurisdiction to grant an injunction. It does not, however, affect the Court’s authority to make such an order,” she wrote.

The Judge also touched on the futility of ordering a blockade of results only on Google.ca, when users can simply switch to another variant.

“For example, even if the defendants’ websites were blocked from searches conducted through www.google.ca, Canadian users can go to www.google.co.uk or www.google.fr and obtain results including the defendants’ websites. On the record before me it appears that to be effective, even within Canada, Google must block search results on all of its websites,” she explained.

The nature of the ruling has raised concerns with lawyer Michael Geist, who notes that despite being issued by a local court, the ruling has attempted to match Google’s global reach.

“The issues raised by the decision date back to the very beginning of the globalization of the Internet and the World Wide Web as many worried about jurisdictional over-reach with courts applying local laws to a global audience,” Geist explains.

“While there is much to be said for asserting jurisdiction over Google – if it does business in the jurisdiction, the law should apply – attempts to extend blocking orders to a global audience has very troubling implications that could lead to a run on court orders that target the company’s global search results.”

While Google has a little under two weeks to comply with the injunction, its representatives told The Globe and Mail that the decision will be appealed.


TorrentFreak: Flixtor Finds Anti-Piracy Investigator on Its Doorstep, Shuts Down

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

This weekend the website of the movie torrent streaming application Flixtor suddenly went offline, and the same happened to search engine TorrentLookup.com.

Both projects were run by the same team, which is based in Canada, and were slowly but steadily expanding their user bases. This suddenly changed a few days ago when a message posted on both sites announced that the streaming app and search engine were being discontinued.

“We voluntarily decided to close all services of torrentlookup.com. Thanks to everybody that used Flixtor and bought the mobile version. We have reached the finish line,” a message now displays on both sites.

The decision came as a total surprise to users of the site and app. Flixtor, a custom-built Popcorn Time alternative based on the same Peerflix engine, was just a few weeks old.

The Flixtor app had a user interface similar to Popcorn Time, but was not a fork. Instead, it used its own code and the movies/series API from TorrentLookup.com, which claimed to have the latest releases faster.


TorrentFreak got in touch with one of the developers, who informed us that the decision to close was the result of movie industry pressure. The developer in question had an investigator from the MPAA-funded Motion Picture Association Canada come by his house, and it didn’t stop there.

“They were annoying me with phone calls repeatedly, and I talked to them quite a few times,” the developer explained.

The movie industry group only had one goal, and that was to shut down the streaming application and the torrent site. The investigator threatened the developer with legal action if he refused to comply.

“They wanted me to close Flixtor/Torrentlookup and then they would drop the charges against me, which are $20,000 per copyrighted file,” the developer told us.

With the threat of a massive lawsuit on their shoulders, the people behind the two projects decided to pull the plug this weekend. Even if they wanted to, they lack the funds to properly defend themselves in court.

The above shows that, behind the scenes, a lot of pressure is being put on the people who operate torrent sites and related services. It may also explain why some sites simply disappear, or why some of the “Popcorn Time” developers ceased their activities.

TorrentFreak contacted the Motion Picture Association Canada for a comment yesterday, but at the time of publication we were yet to receive a response.


SANS Internet Storm Center, InfoCON: green: Canada’s Anti-Spam Legislation (CASL) 2014, (Tue, Jun 17th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Canada recently passed anti-spam legislation.  Starting July 1, 2014, organizations need consent to send unsolicited emails or other electronic communications, which includes text messages, faxes and anything else you might think of.  This doesn’t cover just mass marketing; a single email to a single person is covered by the new legislation.

Starting Jan 15, 2015, the installation of apps, plug-ins and other programs needs similar consent.

With fines of up to $1 million for individuals and $10 million for organizations, there’s a bit of a scramble to get consent from us Canadians.  Everyone from car companies wanting to send service bulletins to insurance companies who think this applies to emails about our insurance claims are sending “click here to consent” emails.  And of course, a similar scramble from folks that we’ve bought something from once, who want to send us sales flyers forever.

See the problem yet?  There was a clue in the note above.

In this onslaught of “Click here” notes, it’s oh-so-easy to slip in a few malicious emails, and of course if you do click in those notes, there’s some special malware just for you!

To make things more interesting, many of the legitimate emails of this type are loaded with graphics, with the links pointing to third-party sites, so they look like malicious content all on their own.

So in an effort to protect us Canadians from our collective compulsion to open every email and click every link (this isn’t confined to just Canadians mind you), this legislation is actually resulting in a new “easy button” attack vector, so we have a spike of the very activity this is trying to prevent!

I wonder if the folks in Ottawa who wrote this legislation realize that this also applies to their campaign material at election time?  Or if they understand that a telephone call is also “electronic communication”?  <Just the first two gotchas that came to mind>

If you’ve seen malware in email of this type, or if you have a slow day and want to read the legislation and look for similar “oops” situations, please share using our comment form !

http://www.crtc.gc.ca/eng/casl-lcap.htm
http://fightspam.gc.ca

===============
Rob VandenBrink
Metafore


Darknet - The Darkside: 14-Year Olds Hack ATM With Default Password

This post was syndicated from: Darknet - The Darkside and was written by: Darknet. Original post: at Darknet - The Darkside

This is actually a pretty good hack, and a good use of the word hacking in the original sense: two curious teenagers managed to access the administrator mode of an ATM in Winnipeg, Canada by using the default password they found in a manual they downloaded online. Ingenious and pretty forward thinking, I like the [...]

The post 14-Year Olds Hack…

Read the full post at darknet.org.uk

TorrentFreak: How Sweden Gained Access to a Canada-Hosted Torrent Site

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Earlier this week tips coming into TorrentFreak suggested that a relatively small torrent site known as Sparvar had come under the scrutiny of the police. Sure enough, the site subsequently went offline.

Problems had been building for more than two years. Swedish anti-piracy group Rights Alliance (Antipiratbyran) had built up an interest in Sparvar, a site directed at a largely Swedish audience. In early 2012 following action against a private site known as Swepiracy, Rights Alliance warned that Sparvar was on their list of targets.

Until this week, however, Sparvar had been hosted in Canada with Montreal-based Netelligent Hosting Services. For some time it had been presumed that hosting a torrent site in Canada is legal, a notion that was recently backed up by Netelligent president Mohamed Salamé.

“[As] long as there are no violations of our [acceptable use policy], we take no actions against torrent sites which are still legal in Canada,” Salamé told TF.

Nevertheless, the Royal Canadian Mounted Police (RCMP) still took action against Sparvar. How did this come to pass?

A source familiar with the case who agreed to speak on condition of anonymity told TorrentFreak that Netelligent was served with a data preservation order by the RCMP who were working together with authorities in Sweden.

In the first instance Netelligent were gagged from informing their client about the investigation, presumably so that no data could be tampered with. Netelligent was then sent a hard drive by the RCMP for the purposes of making a copy of the Sparvar server. This was to be handed over to the authorities.

We’re led to believe that Netelligent put up a fight to protect their customer’s privacy but in the end they were left with no choice but to comply with the orders. And here’s why.

MLAT, or Mutual Legal Assistance Treaty agreements, enable countries to gather, share and exchange information in order to enforce the law. Since 2001, Canada has had an MLAT with Sweden and since there was a criminal investigation underway in Sweden against Sparvar, Canada and Netelligent were legally obligated to provide assistance in the case.

So what does this mean for other sites hosted in Canada? Well, according to our source anyone running a site should be aware of the countries that Canada has MLAT agreements with, just in case another country decides to launch a case.

Those countries can be found here but they include everyone from the United States to Australia, from China to Russia, and many countries across Europe including the UK, Netherlands, Spain, Poland, France and Italy.

Finally, our source informs us that while cooperation in criminal cases has obviously been requested before, to the extent of his knowledge this is the first time that a torrent site has been a target.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Updated: Canadian Police Raid BitTorrent Tracker, Confiscate Server

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

If one would like to gauge the opinions of the world’s leading entertainment companies on Canadian attitudes towards BitTorrent sites, one only needs to look at this year’s International Intellectual Property Alliance (IIPA) submission to the USTR.

“It is hard to avoid the conclusion that Canada remains a magnet for sites whose well-understood raison d’être is to facilitate and enable massive unauthorized downloading of pirated versions of feature films, TV shows, recorded music, entertainment software, and other copyright materials,” the IIPA wrote.

These claims are actually the tip of a very large iceberg. It’s indeed true that some large public torrent sites are at least partly hosted on Canadian soil but mildly under the radar are also dozens of private tracker communities, many of which have happily operated from Canada for many, many years.

The overall impression is that Canada is one of the safest countries in which to put a file-sharing site, but developments yesterday cast a shadow over that notion.

With 10,000 members, Sparvar.org (Sparrows) was a reasonably sized private site. Aimed largely at a Swedish audience, Sparvar had enjoyed Canadian hosting on an IP address belonging to Montreal-based Netelligent Hosting Services, a company that has welcomed many similar sites in the past. Sometime in the past 24 hours, however, Sparvar disappeared from the Internet.

[Image: Netelligent servers]

Soon after, a rumor began circulating that Sparvar had been raided by the police. That version of events has now been confirmed by Scandinavian anti-piracy outfit Rights Alliance.

Update: Netelligent confirm action against Sparvar’s server, but deny any raid took place. See update below.

“Police in Canada have seized a server belonging to the illegal file-sharing service sparvar.org. Sparrows was a secret service with some 10 000 registered members. The server was located in Canada, but the activity was directed mainly against Sweden,” the anti-piracy group says.

“Behind the complaint stands Rights Alliance which has long been monitoring and documenting this business. The investigation is continuing with a focus on identifying the perpetrators. The seized server will be analyzed.”

The action against Sparvar shows that Rights Alliance have long memories. More than two years ago following their action against private site Swepiracy, Rights Alliance warned of further action to come, specifically naming Sparvar as a target.

That the group can conduct its work across borders, especially into Canada where it was believed there was a more torrent friendly environment, will come as a surprise to the many other sites hosted there under similar circumstances.

Canada has been paying more attention to IP issues in recent years, enacting the Copyright Modernization Act in 2012 and subsequently introducing a bill designed to strengthen IP enforcement. Following these efforts the United States shifted Canada from the Priority Watch List to the standard Watch List in this year’s Special 301 Report. How much further Canada is prepared to go remains to be seen.

Update: TorrentFreak has been informed by Netelligent president Mohamed Salamé that the police action against Sparvar was carried out in an orderly cooperative fashion with authorities and was not the product of a raid.

“The fact of the matter is we are a datacenter hosting all sorts of customers downstream from us. And as long as there are no violations of our AUP, we take no actions against torrent sites which are still legal in Canada,” Salamé explains.

“We also don’t get ‘raids’ as we have a very professional relationship with all agencies on the federal and provincial level to address the issues. And by professional relationship I mean that we do not just give out information or hardware just because they are law agencies. We make sure their requests are legitimate and that they have subpoenas, court orders, or warrants before complying with any of their demands.”

A separate source familiar with the case informs TorrentFreak that contrary to claims by Rights Alliance, no hardware was seized. It appears that a server was indeed cloned but that was in response to an official order to preserve data following a request by Swedish and Canadian authorities.
