Posts tagged ‘fbi’

Errata Security: Ask a nerd

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

One should probably consult a lawyer on legal questions. Likewise, lawyers should probably consult nerds on technical questions. I point this out because of this crappy Lawfare post. It’s on the right side of the debate (FBI’s evidence pointing to North Korea is bad), but it’s still crap.

For example, it says: “One hears a lot in cybersecurity circles that the government has “solved” the attribution problem“. That’s not true, you hear the opposite among cybersecurity experts. I suspect he gets this wrong because he’s not talking about technical experts, but government circles. What government types in Washington D.C. say about cybersecurity is wholly divorced from reality — you really ought to consult technical people.

He then says: “it is at least possible that some other nation is spoofing a North Korean attack“. This is moronic, accepting most of the FBI’s premise that a nation state sponsored the attack, and that we are only looking for which nation state this might be. In reality, the Sony hack is well within the capabilities of teenagers. The evidence is solid that Sony had essentially no internal security — it required no special sophistication by the hacker. Anybody could’ve done this.

He then talks about the FBI “admitting that it knew about the tools and signatures that North Korea used in past attacks and exploitations and yet still was either unwilling or unable to stop the attack on Sony“. Just because The Phantom leaves behind his signature glove in his cat burglaries doesn’t mean police can stop him robbing the Pink Panther diamond. It’s perfectly reasonable to find similarities in computer viruses without that information being helpful in stopping future viruses. This is one of those things that seems only plausible to those completely ignorant of technology, which is why you ought to consult a techy first to see if you are off-base.

He then says “There are many, many steps the government will need to take to keep our networks more secure“. That’s a political line by fascists, like “government needs to keep the trains running on time”. Neither is a particular need; both are justifications for police states. A cyber police states is not the appropriate response to the Sony hack.

In summary, while this Lawfare post appears to be on my side (not enough North Korea evidence), it’s actually on the opposite side. It accepts all the basic premises by the government but only disagrees with them on one point. In actuality, much more is wrong with the government’s argument than the lack of evidence.

Errata Security: Sony hack was the work of SPECTRE

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The problem with hacking is that people try to understand it through analogies with things they understand. They try to fit new information into old stories/tropes they are familiar with. This doesn’t work — hacking needs to be understood in its own terms.

But since you persist in doing it this way, let me use the trope of SPECTRE to explain the Sony hack. This is the evil criminal/terrosist organization in the James Bond films that is independent of all governments. Let’s imagine that it’s SPECTRE who is responsible for the Sony hack, and how that fits within the available evidence.
This trope adequately explains the FBI “evidence” pointing to North Korea. SPECTRE has done work for North Korea, selling them weapons, laundering their money, and conducting hacking for them. While North Korea is one of their many customers, they aren’t controlled by North Korea.
The FBI evidence also points to Iran, with the Sony malware similar to that used in the massive Saudi Aramco hack. That would make sense, since an evil organization like SPECTRE does business with all the evil countries. Conversely, the Iranian connection doesn’t make sense if the Sony hack were purely the work of the North Koreans.
SPECTRE’s organization is highly modular, with different groups doing different things. Indeed, different arms of SPECTRE might be working for both sides of a conflict at the same time without each knowing about it. One arm of SPETRE develops malware. Another arm uses that to break into companies and steal credit card numbers. Another arm converts those credit cards numbers to cash.
It’s quite possible that the Sony hack was the work of a single SPECTRE agent. We’ll call him #8. Certainly, #8 uses the resources of SPECTRE to carry out the attack, and other resources will be called in to profit from the attack, but it’s largely an independent operation. In other words, “Guardians of Peace” can refer to a single guy — a largely independent operator who is unaware of those parts of SPECTRE who have interacted with Iran and North Korea. Thus, once he got into Sony, other members of SPECTRE contacted their North Korean customers and said “hey, we have an opportunity, give us $1 million and we’ll shut down that film you hate”. Once they got the cash, they directed #8 to make the threat.
My story of SPECTRE better explains the evidence in the Sony case than the FBI’s story of a nation-state attack. In both cases, there are fingerprints leading to North Korea. In my story, North Korea is a customer. In the FBI’s story, North Korea is in charge. However, my story better explains how everything is in English, how there are also Iranian fingerprints, and how the threats over The Interview came more than a week after the attack. The FBI’s story is weak and full of holes, my story is rock solid.
I scan the Internet. I find compromised machines all over the place. Hackers have crappy opsec, so that often leads me to their private lairs (i.e. their servers and private IRC chat rooms). There are a lot of SPECTRE-like organizations throughout the world, in Eastern Europe, South America, the Islamic world, and Asia. At the bottom, we see idiot kids defacing websites. The talented move toward the top of the organization, which has nebulous funding likely from intelligence operations or Al Qaeda, though virtually none of their activities are related to intelligence/cyberwar/cyberterror (usually, stealing credit cards for porn sites).
My point is this. Our government has created a single story of “nation state hacking”. When that’s the only analogy that’s available, all the evidence seems to point in that direction. But hacking is more complex than that. In this post, I present a different analogy, one that better accounts for all the evidence, but one in which North Korea is no longer the perpetrator.

Errata Security: The FBI’s North Korea evidence is nonsense

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The FBI has posted a press release describing why they think it’s North Korea. While there may be more things we don’t know, on its face it’s complete nonsense. It sounds like they’ve decided on a conclusion and are trying to make the evidence fit. They don’t use straight forward language, but confusing weasel words, like saying “North Korea actors” instead of simply “North Korea”. They don’t give details.

The reason it’s nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop it’s own malware from scratch.

Here’s the thing with computer evidence: you don’t need to keep it secret. It wouldn’t harm Sony and wouldn’t harm the investigation. It would help anti-virus and security vendors develop signatures to stop it. It would crowd source analysis, to see who it really points to. We don’t need to take the FBI’s word for it, we should be able to see the evidence ourselves. In other words, instead of saying “IP addresses associated with North Korea”, then can tell us what those IP addresses are, like “203.131.222.102”.

But the FBI won’t do that. They aren’t in the business of protection but control. The idea that Americans should protect themselves and decide for themselves is anathema to the FBI.

Krebs on Security: FBI: North Korea to Blame for Sony Hack

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The FBI today said it has determined that the North Korean government is responsible for the devastating recent hack attack against Sony Pictures Entertainment. Here’s a brief look the FBI’s statement, what experts are learning about North Korea’s cyberattack capabilities, and what this incident means for other corporations going forward.

In a statement released early Friday afternoon, the FBI said that its investigation — along with information shared by Sony and other U.S. government departments and agencies — found that the North Korean government was responsible.

The FBI said it couldn’t disclose all of its sources and methods, but that the conclusion was based, in part, on the following:

-“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.”

-“The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.”

-“Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.”

The agency added that it was “deeply concerned” about the destructive nature of this attack on a private sector entity and the ordinary citizens who work there, and that the FBI stands ready to assist any U.S. company that is the victim of a destructive cyber attack or breach of confidential information.

“Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States,” the FBI said. “Though the FBI has seen a wide variety and increasing number of cyber intrusions, the destructive nature of this attack, coupled with its coercive nature, sets it apart. North Korea’s actions were intended to inflict significant harm on a U.S. business and suppress the right of American citizens to express themselves. Such acts of intimidation fall outside the bounds of acceptable state behavior. The FBI takes seriously any attempt—whether through cyber-enabled means, threats of violence, or otherwise—to undermine the economic and social prosperity of our citizens.”

SPE was hit with a strain of malware designed to wipe all computer hard drives within the company’s network. The attackers then began releasing huge troves of sensitive SPE internal documents, and, more recently, started threatening physical violence against anyone who viewed the Sony movie “The Interview,” a comedy that involves a plot to assassinate North Korean leader Kim Jong Un. Not long after a number of top movie theater chains said they would not show the film, Sony announced that it would cancel the movie’s theatrical release.

Apparently emboldened by Sony’s capitulation, the attackers are now making even more demands. According to CNN, Sony executives on Thursday received an email apparently from the attackers said they would no longer release additional stolen Sony Pictures data if the company announced that it would also cancel any plans to release the movie on DVD, Netflix or elsewhere. The attackers also reportedly demanded that any teasers and trailers about The Interview online be removed from the Internet.

A ‘MAGIC WEAPON’

Little is publicly known about North Korea’s cyber warfare and hacking capabilities, but experts say North Korean leaders view cyber warfare capabilities as an important asymmetric asset in the face of its perceived enemies — the United States and South Korea. An in-depth report (PDF) released earlier this year by HP Security Research notes that in November 2013, North Korea’s “dear leader” Kim Jong Un referred to cyber warfare capabilities as a “magic weapon” in conjunction with nuclear weapons and missiles.

“Although North Korea’s limited online presence makes a thorough analysis of their cyber warfare capabilities a difficult task, it must be noted that what is known of those capabilities closely mirrors their kinetic warfare tactics,” HP notes. “Cyber warfare is simply the modern chapter in North Korea’s long history of asymmetrical warfare. North Korea has used various unconventional tactics in the past, such as guerilla warfare, strategic use of terrain, and psychological operations. The regime also aspires to create viable nuclear weapons.”

Sources familiar with the investigation tell KrebsOnSecurity that the investigators believe there may have been as many as several dozen individuals involved in the attack, the bulk of whom hail from North Korea. Nearly a dozen of them are believed to reside in Japan.

Headquarters of the Chongryon in Japan.

Headquarters of the Chongryon in Japan.

According to HP, a group of ethnic North Koreans residing in Japan known as the Chongryon are critical to North Korea’s cyber and intelligence programs, and help generate hard currency for the regime. The report quotes Japanese intelligence officials stating that “the Chongryon are vital to North Korea’s military budget, raising funds via weapons trafficking, drug trafficking, and other black market activities.” HP today published much more detail about specific North Korean hacking groups that may have played a key role in the Sony incident given previous such attacks.

While the United States government seems convinced by technical analysis and intelligence sources that the North Koreans were behind the attack, skeptics could be forgiven for having doubts about this conclusion. It is interesting to note that the attackers initially made no mention of The Interview, and instead demanded payment from Sony to forestall the release of sensitive corporate data. It wasn’t until well after the news media pounced on the idea that the attack was in apparent retribution for The Interview that we saw the attackers begin to mention the Sony movie.

In any case, it’s unlikely that U.S. officials relish the conclusion that North Korea is the aggressor in this attack, because it forces the government to respond in some way and few of the options are particularly palatable. The top story on the front page of the The Wall Street Journal today is an examination of what the U.S. response to this incident might look like, and it seems that few of the options on the table are appealing to policymakers and intelligence agencies alike.

The WSJ story notes that North Korea’s only connections to the Internet run through China, but that pressuring China to severe or severely restrict those connections is unlikely to work.

Likewise, engaging in a counter-attack could prove fruitless, or even backfire, the Journal observed, “in part because the U.S. is able to spy on North Korea by maintaining a foothold on some of its computer systems. A retaliatory cyberstrike could wind up damaging Washington’s ability to spy on Pyongyang…Another former U.S. official said policy makers remain squeamish about deploying cyberweapons against foreign targets.”

IMPLICATIONS FOR US FIRMS

If this incident isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working — and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.

A critical step that many organizations fail to take is keeping a basic but comprehensive and ongoing inventory of the all of the organization’s IT assets. Identifying where the most sensitive and mission-critical data resides (identifying the organization’s “crown jewels”) is another essential exercise, but too many organizations fail to take the critical step of encrypting this vital information.

Over the past several years, we’ve seen a remarkable shift toward more destructive attacks. Most organizations are accustomed to tackling malware infestations within their IT environments, but few are prepared to handle fast-moving threats designed to completely wipe data from storage drives across the network.

As I note in my book Spam Nation, miscreants who were once content to steal banking information and blast out unsolicited commercial email increasingly are using their skills to hold data for ransom using malware tools such as ransomware. I’m afraid that as these attackers become better at situational awareness — that is, gaining a better understanding of who their victims are and the value of the assets the intruders have under their control — these attacks and ransom demands will become more aggressive and costly in the months ahead.

Schneier on Security: The Limits of Police Subterfuge

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

“The next time you call for assistance because the Internet service in your home is not working, the ‘technician’ who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and — ­when he shows up at your door, impersonating a technician­ — let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have ‘consented’ to an intrusive search of your home.”

This chilling scenario is the first paragraph of a motion to suppress evidence gathered by the police in exactly this manner, from a hotel room. Unbelievably, this isn’t a story from some totalitarian government on the other side of an ocean. This happened in the United States, and by the FBI. Eventually — I’m sure there will be appeals — higher U.S. courts will decide whether this sort of practice is legal. If it is, the county will slide even further into a society where the police have even more unchecked power than they already possess.

The facts are these. In June, Two wealthy Macau residents stayed at Caesar’s Palace in Las Vegas. The hotel suspected that they were running an illegal gambling operation out of their room. They enlisted the police and the FBI, but could not provide enough evidence for them to get a warrant. So instead they repeatedly cut the guests’ Internet connection. When the guests complained to the hotel, FBI agents wearing hidden cameras and recorders pretended to be Internet repair technicians and convinced the guests to let them in. They filmed and recorded everything under the pretense of fixing the Internet, and then used the information collected from that to get an actual search warrant. To make matters even worse, they lied to the judge about how they got their evidence.

The FBI claims that their actions are no different from any conventional sting operation. For example, an undercover policeman can legitimately look around and report on what he sees when he invited into a suspect’s home under the pretext of trying to buy drugs. But there are two very important differences: one of consent, and the other of trust. The former is easier to see in this specific instance, but the latter is much more important for society.

You can’t give consent to something you don’t know and understand. The FBI agents did not enter the hotel room under the pretext of making an illegal bet. They entered under a false pretext, and relied on that for consent of their true mission. That makes things different. The occupants of the hotel room didn’t realize who they were giving access to, and they didn’t know their intentions. The FBI knew this would be a problem. According to the New York Times, “a federal prosecutor had initially warned the agents not to use trickery because of the ‘consent issue.’ In fact, a previous ruse by agents had failed when a person in one of the rooms refused to let them in.” Claiming that a person granting an Internet technician access is consenting to a police search makes no sense, and is no different than one of those “click through” Internet license agreements that you didn’t read saying one thing and while meaning another. It’s not consent in any meaningful sense of the term.

Far more important is the matter of trust. Trust is central to how a society functions. No one, not even the most hardened survivalists who live in backwoods log cabins, can do everything by themselves. Humans need help from each other, and most of us need a lot of help from each other. And that requires trust. Many Americans’ homes, for example, are filled with systems that require outside technical expertise when they break: phone, cable, Internet, power, heat, water. Citizens need to trust each other enough to give them access to their hotel rooms, their homes, their cars, their person. Americans simply can’t live any other way.

It cannot be that every time someone allows one of those technicians into our homes they are consenting to a police search. Again from the motion to suppress: “Our lives cannot be private — ­and our personal relationships intimate­ — if each physical connection that links our homes to the outside world doubles as a ready-made excuse for the government to conduct a secret, suspicionless, warrantless search.” The resultant breakdown in trust would be catastrophic. People would not be able to get the assistance they need. Legitimate servicemen would find it much harder to do their job. Everyone would suffer.

It all comes back to the warrant. Through warrants, Americans legitimately grant the police an incredible level of access into our personal lives. This is a reasonable choice because the police need this access in order to solve crimes. But to protect ordinary citizens, the law requires the police to go before a neutral third party and convince them that they have a legitimate reason to demand that access. That neutral third party, a judge, then issues the warrant when he or she is convinced. This check on the police’s power is for Americans’ security, and is an important part of the Constitution.

In recent years, the FBI has been pushing the boundaries of its warrantless investigative powers in disturbing and dangerous ways. It collects phone-call records of millions of innocent people. It uses hacking tools against unknown individuals without warrants. It impersonates legitimate news sites. If the lower court sanctions this particular FBI subterfuge, the matter needs to be taken up — ­and reversed­ — by the Supreme Court.

This essay previously appeared in The Atlantic.

Schneier on Security: How the FBI Unmasked Tor Users

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Kevin Poulson has a good article up on Wired about how the FBI used a Metasploit variant to identity Tor users.

Errata Security: All malware defeats 90% of defenses

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

When the FBI speaks, you can tell they don’t know anything about hacking. An example of this quote by Joseph Demarest, the assistant director of the FBI’s cyberdivision:

“The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government”
He’s trying to show how sophisticated, organized, and unprecedented the hackers were.
This is nonsense. All malware defeats 90% of defenses. Hackers need do nothing terribly sophisticated in order to do what they did to Sony.
Take, for example, a pentest we did of a Fortune 500 financial firm. We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting “email this to your friends and see what they get”. We then added some malware components to it. We then dropped the USB drives in the parking lot.
This gave us everything in the company as people passed the game around. The CEO and many high-level executives ran it on their machines. Sysadmins ran it. Once we got control of the central domain controller, we got access to everything: all files, all emails, … everything.
The point I’m trying to make here is that we used relatively unsophisticated means to hack an extremely secure company. Crafting malware to get past their anti-virus defenses is trivially easy. Everything we did was easy.
The problem isn’t that hackers are sophisticated but that company are insecure. Companies believe that anti-virus stops viruses when it doesn’t, for example. The FBI perpetuates this myth, claiming Sony hackers were sophisticated, able to get around anti-virus, when the truth is that Sony relied too much on anti-virus, so even teenagers could get around it.
The FBI perpetuates these myths because they want power. If the problem is sophisticated hackers, then there is nothing you can do to stop them. You are then helpless to defend yourself, so you need the FBI to defend you. Conversely, if the problem is crappy defense, then you you can defend yourself by fixing your defenses.

Update: Here is a previous post where I add a Metasploit exploit to a PDF containing a legal brief that gets past anti-virus.

Errata Security: FYI: Snowden made things worse

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Snowden appeared at a #CatoSpyCon, and cited evidence of how things have improved since his disclosures (dislaimer: as Libertarian, I’m a fan of both CATO and Snowden). He cited some pretty compelling graphs, such as a sharp increase of SSL encryption. However, at the moment, I’m pretty sure he’s made things worse.

The thing is, governments didn’t know such surveillance was possible. Now that Snowden showed what the NSA was doing, governments around the world are following that blueprint, dramatically increasing their Internet surveillance. Not only do they now know how to do it, they are given good justifications. If the United States (the moral leader in “freedoms”) says it’s okay, then it must be okay for more repressive governments (like France). There is also the sense of competition, that if the NSA knows what’s going on across the Internet, then they need to know, too.

This is a problem within the United Sates, too. The NSA collected everyone’s phone records over the last 7 years. Before Snowden, that database was accessed rarely, and really for only terrorism purposes. However, now that everyone else in government knows the database exists, they are showing up at the NSA with warrants to get the data. It’s not just the FBI, but any department within the government who thinks they have a need for that data (e.g. the IRS). Recently, an amendment was added to the Intelligence Authorization bill to codify the process. We don’t have any transparency into this, but it’s a good bet that the database has been accessed to retrieve American information more often in the year since Snowden than the 7 years before.

Snowden did the right thing in exposing phone surveillance, of course. My point isn’t to say he’s wrong. Instead, my point is that we aren’t winning the war against surveillance. Activists are focussing on the good news, cherry picking the parts where we win. They are ignoring the bad news, that we are losing the war. The Intelligence Authorization bill is an excellent example of that.

Krebs on Security: Toward a Breach Canary for Data Brokers

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

When a retailer’s credit card systems get breached by hackers, banks usually can tell which merchant got hacked soon after those card accounts become available for purchase at underground cybercrime shops. But when companies that collect and sell sensitive consumer data get hacked or are tricked into giving that information to identity thieves, there is no easy way to tell who leaked the data when it ends up for sale in the black market. In this post, we’ll examine one idea to hold consumer data brokers more accountable.

breachcanarySome of the biggest retail credit card breaches of the past year — including the break-ins at Target and Home Depot — were detected by banks well before news of the incidents went public. When cards stolen from those merchants go up for sale on underground cybercrime shops, the banks often can figure out which merchant got hacked by acquiring a handful of their cards and analyzing the customer purchase history of those accounts. The merchant that is common to all stolen cards across a given transaction period is usually the breached retailer.

Sadly, this process of working backwards from stolen data to breach victim generally does not work in the case of breached data brokers that trade in Social Security information and other data, because too often there are no unique markers in the consumer data that would indicate from where the information was obtained.

Even in the handful of cases where underground crime shops selling consumer personal data have included data points in the records they sell that would permit that source analysis, it has taken years’ worth of very imaginative investigation by law enforcement to determine which data brokers were at fault. In Nov. 2011, I wrote about an identity theft service called Superget[dot]info, noting that “each purchasable record contains a two- to three-letter “sourceid,” which may provide clues as to the source of this identity information.”

Unfortunately, the world didn’t learn the source of that ID theft service’s data until 2013, a year after U.S. Secret Service agents arrested the site’s proprietor — a 24-year-old from Vietnam who was posing as a private investigator based in the United States. Only then were investigators able to determine that the source ID data matched information being sold by a subsidiary of big-three credit bureau Experian (among other data brokers that were selling to the ID theft service). But federal agents made that connection only after an elaborate investigation that lured the proprietor of that shop out of Vietnam and into a U.S. territory.

Meanwhile, during the more than six years that this service was in operation, Superget.info attracted more than 1,300 customers who paid at least $1.9 million to look up Social Security numbers, dates of birth, addresses, previous addresses, email addresses and other sensitive information on consumers, much of it used for new account fraud and tax return fraud.

Investigators got a lucky break in determining the source of another ID theft service that was busted up and has since changed its name (more on that in a moment). That service — known as “ssndob[dot]ru” — was the service used by exposed[dot]su, a site that proudly displayed the Social Security, date of birth, address history and other information on dozens of Hollywood celebrities, as well as public officials such as First Lady Michelle Obama, then FBI Director Robert Mueller, a then-director of the CIA.

As I explained in a 2013 exclusive, civilian fraud investigators working with law enforcement gained access to the back-end server that was being used to handle customer requests for consumer information. That database showed that the site’s 1,300 customers had spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans.

Although four million consumer records may seem like a big number, that figure did not represent the total number of consumer records for available through the ssndob[dot]ru. Rather, four million was merely the number of consumer records that the service’s customers had paid the service to look up. In short, it appeared that the ID theft service was drawing on active customer accounts inside of major consumer data brokers.

Investigators working on that case later determined that the same crooks who were running ssndob[dot]ru also were operating a small, custom botnet of hacked computers inside of several major data brokers, including LexisNexis, Dun & Bradstreet, and Kroll. All three companies acknowledged infections from the botnet, but shared little else about the incidents.

Despite their apparent role in facilitating (albeit unknowingly) these ID theft services, to my knowledge the data brokers involved have never been held publicly accountable in any court of law or by Congress.

CURRENT ID THEFT SERVICES

At present, there are multiple shops in the cybercrime underground that sell everything one would need to steal someone’s identity in the United States or apply for new lines of credit in their name — including Social Security numbers, addresses, previous addresses, phone numbers, dates of birth, and in some cases full credit history. The price of this information is shockingly low — about $3 to $5 per record.

KrebsOnSecurity conducted an exhaustive review of consumer data on sale at some of the most popular underground cybercrime sites. The results show that personal information on some of the most powerful Americans remains available for just a few dollars. And of course, if one can purchase this information on these folks, one can buy it on just about anyone in the United States today.

As an experiment, this author checked two of the most popular ID theft services in the underground for the availability of Social Security numbers, phone numbers, addresses and previous addresses on all members of the Senate Commerce Committee‘s Subcommittee on Consumer Protection, Product Safety and Insurance. That data is currently on sale for all thirteen Democrat and Republican lawmakers on the panel.

Between these two ID theft services, the same personal information was for sale on Edith Ramirez and Richard Cordray, the heads of the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), respectively.

ssndob-found

Getting these ID theft services shut down might feel good, but it is not a long-term solution. Both services used to conduct these lookups of the public figures mentioned above are second- and third-generation shops that have re-emerged from previous takedown efforts. In fact, at least one of them appears to be a reincarnation of ssndob[dot]ru, while the other seems little more than a reseller of that service.

Rather, it seems clear that what we need is more active oversight of the data broker industry, and new tools to help law enforcement (and independent investigators) determine the source of data being resold by these identity theft services.

Specifically, if there were a way for federal investigators to add “breach canaries,” — unique, dummy identities — to records maintained by the top data brokers, it could make it far easier to tell which broker is leaking consumer data either through breaches or hacked/fraudulent accounts.

Data brokers like Experian have strongly resisted calls from regulators for greater transparency in their operations and in the data that they hold about consumers. When the FTC recommended the creation of a central website where data brokers would be listed — with links to these companies, their privacy policies and also choice options, giving consumers the capability to review/amend the data that companies maintain — Experian lobbied against the idea, charging that it would “have the unintended effect of confusing consumers and eroding trust in e-commerce.”

The company’s main argument was essentially that it was unfair to impose such requirements on the bigger data brokers and ignore the rest. Experian’s chief lobbyist Tony Hadley has made the argument that there are just too many companies that have and share all this consumer data, which seems precisely the problem.

“The Direct Marketing Association (DMA) estimates that even a narrow definition of a marketing information service provider is likely to include more than 2,500 companies from all sectors of the economy,” Hadley wrote in a blog post earlier this year. “Simply put, the entire data industry – extremely vital to the US economy — cannot be neatly or accurately identified and then subjected to unrealistic requirements.”

My guess is that if the data broker giants are opposed to the idea of inserting dummy identities into their records to act as breach canaries, it is because such a practice could expose data-sharing relationships and record-keeping practices that these companies would rather not see the light of day. But barring any creative ideas to help investigators quickly learn the source of data being sold by identity theft services online, data brokers will remain free to facilitate and even profit from an illicit market for sensitive consumer information.

Krebs on Security: Sony Breach May Have Exposed Employee Healthcare, Salary Data

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The recent hacker break-in at Sony Pictures Entertainment appears to have involved the theft of far more than unreleased motion pictures: According to multiple sources, the intruders also stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical and salary information.

Screen shot from an internal audit report allegedly stolen from Sony.

Screen shot from an internal audit report allegedly stolen from Sony and circulating on file-trading networks.

Several files being traded on torrent networks seen by this author include an global Sony employee list, a Microsoft Excel file that includes the name, location, employee ID, network username, base salary and date of birth for more than 6,800 individuals.

Sony officials could not be immediately reached for comment; a press hotline for the company rang for several minutes without answer, and email requests to the company went unanswered.  But a comprehensive search on LinkedIn for dozens of the names in the list indicate virtually all correspond to current or former Sony employees.

Another file being traded online appears to be a status report from April 2014 listing the names, dates of birth, SSNs and health savings account data on more than 700 Sony employees. Yet another apparently purloined file’s name suggests it was the product of an internal audit from accounting firm Pricewaterhouse Coopers, and includes screen shots of dozens of employee federal tax records and other compensation data.

The latest revelations come more than a week after a cyberattack on Sony Pictures Entertainment brought down the company’s corporate email systems. A Sony spokesperson told Reuters that the company has since “restored a number of important services” and was “working closely with law enforcement officials to investigate the matter.”

Several media outlets reported at the time that Sony employees had been warned not to connect to the company’s corporate network or to check email, and noted that Sony’s IT departments had instructed employees to turn off their computers as well as disable Wi-Fi on all mobile devices.” Other reports cited unnamed investigators pointing to North Korean hackers as the source of the attack, although those reports could not be independently confirmed.

Such extreme precautions would make sense if the company’s network was faced with a cyber threat designed to methodically destroy files on corporate computers. Indeed, the FBI this week released a restricted “Flash Alert” warning of just such a threat, about an unnamed attack group that has been using malware designed to wipe computer hard drives — and the underlying “master boot record on the affected systems — of all data.

KrebsOnSecurity obtained a copy of the alert, which includes several file names and hashes (long strings of letters and numbers that uniquely identify files) corresponding to the file-wiping malware.

The FBI does not specify where the malware was found or against whom it might have been used, noting only that “the FBI has high confidence that these indicators are being used by CNE [computer network exploitation] operators for further network exploitation.” The report also says the language pack referenced by the malicious files is Korean.

The FBI alert references several network traffic “signatures” that organizations can use to detect the traffic seen in previous attacks from this malware — traffic that appears to beacon back to (mostly like compromised) systems in Thailand, Poland and Italy). But the alert also says this type of vigilance may only serve to let organizations know that their files are currently in the process of being deleted.

“The following Snort signature can be used to detect the beacon traffic, though by the time the beacons occur, the destructive process of wiping the files has begun,” the alert warned.

Here’s the Snort signature, in case this is useful for any readers who didn’t get this memo:

Alert tcp any any – > [88.53.215.64, 217.96.33.164, 203.131.222.102] [8080, 8000] (msg: “wiper_callout”;
dsize:42;  content:  “|ff  ff  ff  ff|”;  offset:  26;  depth:  4;  sid:  314;

This is a developing story. More to come. Stay tuned.

 

TorrentFreak: US Efforts to Jail Dotcom Fail as Kim Walks Free

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

dotcom-laptopAfter three days of hearings in Auckland, Kim Dotcom left court smiling today.

The recent appearances were triggered by new claims from United States authorities who want to extradite Dotcom to face charges of copyright infringement, money laundering and racketeering.

They alleged that the Megaupload founder had breached his bail conditions on numerous occasions since his arrest in early 2012 and should put back behind bars as a result.

Relying on what appeared to be wiretap evidence from FBI Special Agent Rodney Hays, who did not appear in court, the Crown said that Dotcom had indirectly associated with Julius Bencko, a former Megaupload developer also named in the U.S. indictment.

During the hearing it was also put to Dotcom that with his knowledge, estranged wife, Mona, had attempted to sell a 2010 Rolls Royce Phantom, a $500,000 forfeitable asset.

Also of concern to the United States is Dotcom’s alleged wealth. Last week Dotcom admitted that since his arrest in 2012 he’d made $40m, but that had all been spent on a luxurious lifestyle and funding a $10m legal battle. The Crown argued that it could not be ruled out that Dotcom had money hidden away, a factor which elevated him as a flight risk.

Also under discussion was the exit of Dotcom’s legal team, which reportedly ditched him after learning that the money had run out. This would be a significant problem for Dotcom during next year’s extradition battle and could indicate that the Megaupload founder would flee rather than face extradition, the Crown argued.

But in the end, none of the arguments convinced the Auckland District Court to jail Dotcom today.

Judge Nevin Dawson said there was “no proof” that Dotcom had contacted former Megaupload staff, nor was there evidence to back up claims that he’d hidden money away to facilitate a pre-extradition escape from New Zealand.

However, Judge Dawson did recognize that the risk of Dotcom fleeing would increase as next year’s hearing nears so with that in mind he banned the entrepreneur from traveling by helicopter or sea, unless that transport is via a public service. Dotcom was also ordered to double up on his current once weekly visits to a police station.

Leaving the Court, a clearly relieved Dotcom told waiting reporters that he had been exonerated.

“The Court has found that i’ve not breached any of my bail conditions,” Dotcom said.

“I have been probably the most compliant and exemplary candidate and I am surprised, even though I’m going home right now, that my bail conditions have been tightened.”

Dotom said that the attempt to revoke his bail was timed by local and U.S. authorities to exploit his during a moment of weakness.

“I think this is another example of harassment and bullying by the United States government in concert with the New Zealand government,” he said.

“I think this whole application was only made because my lawyers decided to resign because of lack of funds on my part because Hollywood has seized the new family assets that have been earned after the raid. So the Crown and the U.S. government have used this opportunity in a weak moment to make up the bogus case for me having breached my bail conditions.”

Dotcom went further still, accusing the FBI’s Special Agent Rodney Hays of flat-out lying to the Court.

“I invite every member of the media to have a look at the Court file and see how an FBI agent lied in his declarations that I have attempted to sell a car, that I have attempted to get a refund for forfeitable assets, and that I have breached my bail conditions by being directly or indirectly in contact with one of my co-defendants,” Dotcom said.

“All these things have been proven to be wrong, and lies, and I invite everyone to have a look at this to understand the tactics of the U.S. government and to understand that the U.S. government can not be treated with candor and good faith in this case.

“The same thing that I’ve experienced in this bail hearing I’ve also experienced with the indictment, which is just as flawed and wrong and misleading and malicious as this bail proceeding was.”

Handing questions over to his lawyer Ron Mansfield, who Dotcom praised for doing an excellent job, the German smiled.

“I am now going home to play with my kids.”

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: FBI Agents Pose as Repairmen to Bypass Warrant Process

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is a creepy story. The FBI wanted access to a hotel guest’s room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant.

From the motion to suppress:

The next time you call for assistance because the internet service in your home is not working, the “technician” who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and — when he shows up at your door, impersonating a technician — let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have “consented” to an intrusive search of your home.

Basically, the agents snooped around the hotel room, and gathered evidence
that they submitted to a magistrate to get a warrant. Of course, they never told the judge that they had engineered the whole outage and planted the fake technicians.

More coverage of the case here.

This feels like an important case to me. We constantly allow repair technicians into our homes to fix this or that technological thingy. If we can’t be sure they are not government agents in disguise, then we’ve lost quite a lot of our freedom and liberty.

TorrentFreak: U.S. Brands Kim Dotcom a Fugitive, ‘Spies’ on Others

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

megaupload-logoIt’s been nearly three years since Megaupload was taken down by the U.S. authorities but it’s still uncertain whether Kim Dotcom and his fellow defendants will be extradited overseas.

Two months ago the U.S. Government launched a separate civil action in which it asked the court to forfeit the bank accounts, cars and other seized possessions of the Megaupload defendants, claiming they were obtained through copyright and money laundering crimes.

Megaupload responded to these allegations at the federal court in Virginia with a motion to dismiss the complaint. According to Megaupload’s lawyers the U.S. Department of Justice (DoJ) is making up crimes that don’t exist.

In addition, Dotcom and his co-defendants claimed ownership of the assets U.S. authorities are trying to get their hands on. A few days ago the DoJ responded to these claims, arguing that they should be struck from the record as Dotcom and his colleagues are fugitives.

In a motion (pdf) submitted to a Virginia District Court the U.S. asks for the claims of the defendants to be disregarded based on the doctrine of fugitive disentitlement.

“Claimants Bram van der Kolk, Finn Batato, Julius Bencko, Kim Dotcom, Mathias Ortmann, and Sven Echternach, are deliberately avoiding prosecution by declining to enter the United States where the criminal case is pending,” U.S. Attorney Dana Boente writes.

“The key issue in determining whether a person is a fugitive from justice is that person’s intent. A defendant who flees with intent to avoid arrest is a fugitive from justice,” he adds.

Since Kim Dotcom and his New Zealand-based Megaupload colleagues are actively fighting their extradition they should be seen as fugitives, the DoJ concludes.

“Those claimants who are fighting extradition on the criminal charges in the related criminal case, claimants van der Kolk, Batato, Kim Dotcom, and Ortmann, are fugitives within the meaning of the statute, regardless of the reason for their opposition.”

Megaupload lawyer Ira Rothken disagrees with this line of reasoning. He told TF that the fugitive disentitlement doctrine shouldn’t apply here.

“The DOJ is trying to win the Megaupload case on procedure rather than the merits. Most people don’t realize that Kim Dotcom has never been to the United States,” Rothken says.

A person who has never been to the United States and is currently going through a lawful procedure in New Zealand shouldn’t be seen as a fugitive, according to Rothken.

The recent DoJ filing also highlights another aspect of the case. According to a declaration by special FBI agent Rodney Hays, the feds have obtained “online conversations” of Julius Bencko and Sven Echternach, the two defendants who currently reside in Europe.

These conversations were obtained by law enforcement officers and show that the authorities were ‘spying’ on some of the defendants months after Megaupload was raided.

tapped

“During a conversation that occurred on or about March 28, 2012, Bencko allegedly told a third-party, ‘I can come to Bratislava [Slovakia] if needed .. bu [sic] you know .. rather not travel around much .. ‘ Later in the conversation, Bencko states ‘i’m facing 55 years in usa’,” the declaration reads.

In addition to the two defendants, law enforcement also obtained a conversation of Kim’s wife Mona Dotcom, who is not a party in the case herself.

“During a conversation that occurred on or about February 9, 2012 a third-party told Mona Dotcom, ‘Also Julius [Bencko] wants Kim [Dotcom] to know that he will be supportive in what ever way possible that he needs’,”

According to the U.S. the ‘tapped’ conversations of Bencko and Echternach show that since they are avoiding travel to the United States, they too can be labeled fugitives.

It’s unclear how the online conversations were obtained, but Megaupload lawyer Ira Rothken told TF that he wouldn’t be surprised if civil liberties were violated in the process, as has happened before in the case.

Whether these fugitive arguments will be accepted by the court has yet to be seen. Highlighting the motion Megaupload submitted earlier, Rothken notes that regardless of these arguments the case should be dismissed because the court lacks jurisdiction.

“The United States doesn’t have a stature for criminal copyright infringement,” Rothken tells us. “We believe that the case should be dismissed based on a lack of subject matter jurisdiction.”

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Feds Arrest Alleged ‘Silk Road 2′ Admin, Seize Servers

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Federal prosecutors in New York today announced the arrest and charging of a San Francisco man they say ran the online drug bazaar and black market known as Silk Road 2.0. In conjunction with the arrest, U.S. and European authorities have jointly seized control over the servers that hosted Silk Road 2.0 marketplace.

The home page of the Silk Road 2.0 market has been replaced with this message indicating the community's Web servers were seized by authorities.

The home page of the Silk Road 2.0 market has been replaced with this message indicating the community’s Web servers were seized by authorities.

On Wednesday, agents with the FBI and the Department of Homeland Security arrested 26-year-old Blake Benthall, a.k.a. “Defcon,” in San Francisco, charging him with drug trafficking, conspiracy to commit computer hacking, and money laundering, among other alleged crimes.

Benthall’s LinkedIn profile says he is a native of Houston, Texas and was a programmer and “construction worker” at Codespike, a company he apparently founded using another company, Benthall Group, Inc. Benthall’s LinkedIn and Facebook profiles both state that he was a software engineer at Space Exploration Technologies Corp. (SpaceX), although this could not be immediately confirmed. Benthall describes himself on Twitter as a “rocket scientist” and a “bitcoin dreamer.”

Blake Benthall's public profile page at LinkedIn.com

Blake Benthall’s public profile page at LinkedIn.com

Benthall’s arrest comes approximately a year after the launch of Silk Road 2.0, which came online less than a month after federal agents shut down the original Silk Road community and arrested its alleged proprietor — Ross William Ulbricht, a/k/a “Dread Pirate Roberts.” Ulbricht is currently fighting similar charges, and made a final pre-trial appearance in a New York court earlier this week.

According to federal prosecutors, since about December 2013, Benthall has secretly owned and operated Silk Road 2.0, which the government describes as “one of the most extensive, sophisticated, and widely used criminal marketplaces on the Internet today.” Like its predecessor, Silk Road 2.0 operated on the “Tor” network, a special network of computers on the Internet, distributed around the world, designed to conceal the true IP addresses of the computers on the network and thereby the identities of the network’s users.

“Since its launch in November 2013, Silk Road 2.0 has been used by thousands of drug dealers and other unlawful vendors to distribute hundreds of kilograms of illegal drugs and other illicit goods and services to buyers throughout the world, as well as to launder millions of dollars generated by these unlawful transactions,”reads a statement released today by Preet Bharara, the United States Attorney for the Southern District of New York. “As of September 2014, Silk Road 2.0 was generating sales of at least approximately $8 million per month and had approximately 150,000 active users.”

Benthall's profile on Github.

Benthall’s profile on Github.

The complaint against Benthall claims that by October 17, 2014, Silk Road 2.0 had over 13,000 listings for controlled substances, including, among others, 1,783 listings for “Psychedelics,” 1,697 listings for “Ecstasy,” 1,707 listings for “Cannabis,” and 379 listings for “Opioids.” Apart from the drugs, Silk Road 2.0 also openly advertised fraudulent identification documents and computer-hacking tools and services. The government alleges that in October 2014, the Silk Road 2.0 was generating at least approximately $8 million in monthly sales and at least $400,000 in monthly commissions.

The complaint describes how federal agents infiltrated Silk Road 2.0 from the very start, after an undercover agent working for Homeland Security investigators managed to infiltrate the support staff involved in the administration of the Silk Road 2.0 website.

“On or about October 7, 2013, the HSI-UC [the Homeland Security Investigations undercover agent] was invited to join a newly created discussion forum on the Tor network, concerning the potential creation of a replacement for the Silk Road 1.0 website,” the complaint recounts. “The next day, on or about October 8, 2013, the persons operating the forum gave the HSI‐UC moderator privileges, enabling the HSI‐UC to access areas of the forum available only to forum staff. The forum would later become the discussion forum associated with the Silk Road 2.0 website.”

The complaint also explains how the feds located and copied data from the Silk Road 2.0 servers. “In May 2014, the FBI identified a server located in a foreign country that was believed to be hosting the Silk Road 2.0 website at the time. On or about May 30, 2014, law enforcement personnel from that country imaged the Silk Road 2.0 Server and conducted a forensic analysis of it . Based on posts made to the SR2 Forum, complaining of service outages at the time the imaging was conducted, I know that once the Silk Road 2.0 server was taken offline for imaging, the Silk Road 2.0 website went offline as well, thus confirming that the server was used to host the Silk Road 2.0 website.”

The government’s documents detail how Benthall allegedly hatched a selfless plan to help the Silk Road 2.0 community recover from an incident in February 2014, wherein thieves stole millions of dollars worth of Bitcoins from community users.

“On or about September 11, 2014, Defcon had an online conversation with the HSI-UC, in which he discussed, in sum and substance, his intention to reopen the Silk Road 2.0 marketplace, and his plan to recoup the deficit of Bitcoins that had been stolen from Silk Road 2.0. Specifically, Defcon confirmed that the site needed to recoup approximately 2,900 Bitcoins to cover the loss, and stated that he intended to donate approximately 1,000 of his own Bitcoins to return liquidity to Silk Road 2.0 (“I’m planning to throw my1000 BTC to kickstart the thing.”).”

“Defcon further acknowledged that the site had approximately 150,000 monthly active users (“We have 150,000 monthly active users. That’s why we have to save this thing.”). The HSI‐UC asked how long it would take to recover from the theft, and Defcon replied that it would take approximately three months’ worth of commission payments, if sales on Silk Road 2.0 continued at a steady rate (“Three months if sales continue at current pace and we don’t bottom out”). Thus, Defcon appears to have expected Silk Road2.0 to generate approximately $6 million in monthly sales over the next three months, which would have resulted in commissions over that three‐month period totaling approximately $900,000 ‐ equal to approximately 1,900 Bitcoins at the then prevailing exchange rate. “

Benthall’s biggest mistake may have been using his own personal email to register the servers used for the Silk Road 2.0 marketplace. In the complaint against Benthall, an undercover agent who worked the case said that “based on a review of records provided by the service provider for the Silk Road 2.0 Server, I have discovered that the server was controlled and maintained during the relevant time by an individual using the email account blake@benthall.net.”

“To me, it appears that both the human element, an undercover agent, plus technical attacks in discovering the hidden service, both played a key part in this arrest,” said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley.

Federal agents also say they tracked Benthall administering the Silk Road 2.0 from his own computer, and using Bitcoin exchanges to make large cash withdrawals. In one instance, he allegedly cashed out $270,000, and used $70,000 for a down payment on a Tesla Model S, a luxury electric car worth approximately USD $127,000.

Benthall faces a raft of series charges that could send him to federal prison for life. He is facing one count of conspiring to commit narcotics trafficking, which carries a maximum sentence of life in prison and a mandatory minimum sentence of 10 years in prison; one count of conspiring to commit computer hacking, which carries a maximum sentence of five years in prison; one count of conspiring to traffic in fraudulent identification documents, which carries a maximum sentence of 15 years in prison; and one count of money laundering conspiracy, which carries a maximum sentence of 20 years in prison.

A copy of the complaint against Benthall is available here.

TorrentFreak: Android Pirate Pleads Guilty to Criminal Copyright Infringement

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Assisted by police in the Netherlands and France, in the summer of 2012 the FBI took down three unauthorized Android app stores. Appbucket, Applanet and SnappzMarket all had their domains seized. The event was the first of its kind in the Android piracy scene.

During the two years that followed the United States Department of Justice has slowly released more information on the operation, subsequent arrests, charges and pleas.

Yesterday, Scott Walton of Cleveland, Ohio, became the latest to plead. The 28-year-old pleaded guilty to one count of conspiracy to commit criminal copyright infringement before U.S. District Judge Timothy C. Batten Sr. of the Northern District of Georgia.

Walton was arrested in July alongside Joshua Ryan Taylor, 24, of Kentwood, Michigan. Both stand accused of being members of the SnappzMarket release group.

Another member of the group, Kody Jon Peterson of Clermont, Florida, pleaded guilty in April to one count of conspiracy to commit criminal copyright infringement. Peterson gave up his right to be tried by a jury and any right to an appeal. He also agreed to cooperate with the authorities in the investigation.

In common with Peterson, Walton admitted being involved in the illegal copying and distribution of more than a million pirated Android apps with a retail value of $1.7 million. He will be sentenced at a later date.

Members of Appbucket have also been facing the legal system.

During March and April 2014, Thomas Allen Dye, 21, of Jacksonville, Florida; Nicholas Anthony Narbone, 26, of Orlando, Florida, and Thomas Pace, 38, of Oregon City, Oregon all pleaded guilty to conspiracy to commit criminal copyright infringement after distributing Android apps with a value of $700,000.

Another indictment returned June 17 in Georgia charged James Blocker, 36, of Rowlett, Texas, with one count of conspiracy to commit criminal copyright infringement.

A further indictment in the same month charged Aaron Blake Buckley, 20, of Moss Point, Mississippi; David Lee, 29, of Chino Hills, California; and Gary Edwin Sharp II (also of Appbucket) with one count of conspiracy to commit criminal copyright infringement for their part in Applanet.

Lee was also charged with one count of aiding and abetting criminal copyright infringement and Buckley with one count of criminal copyright infringement.

The USDOJ claims that along with other members of Applanet they are responsible for the illegal distribution of four million pirate Android apps with a value of $17m.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Google Glass Now Banned in US Movie Theaters Over Piracy Fears

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Google Glass poses a significant threat to the movie industry, Hollywood believes. The advent of the wearable technology has sparked fears that it could be used for piracy.

This January the FBI dragged a man from a movie theater in Columbus, Ohio, after theater staff presumed his wearing of Google Glass was a sign that he was engaged in camcorder piracy.

At the time the MPAA shrugged off the incident as an unfortunate mistake, claiming that it had seen “no proof that it is currently a significant threat that could result in content theft.” This has now changed.

Starting today Google Glass is no longer welcome in movie theaters. The new ban applies to all US movie theaters and doesn’t include an exception for prescription glasses.

The MPAA and the National Association of Theatre Owners (NATO) stress that they welcome technological innovations and recognize the importance of wearables for consumers. However, the piracy enabling capabilities of these devices can’t be ignored.

“As part of our continued efforts to ensure movies are not recorded in theaters, however, we maintain a zero-tolerance policy toward using any recording device while movies are being shown,” MPAA and NATO state.

“As has been our long-standing policy, all phones must be silenced and other recording devices, including wearable devices, must be turned off and put away at show time. Individuals who fail or refuse to put the recording devices away may be asked to leave,” they add.

Cautioning potential pirates, the movie groups emphasize that theater employees will take immediate action when they spot someone with wearable recording devices. Even when in doubt, the local police will be swiftly notified.

“If theater managers have indications that illegal recording activity is taking place, they will alert law enforcement authorities when appropriate, who will determine what further action should be taken.”

The wearable ban is now part of the MPAA’s strict set of anti-piracy practices. These instruct movie theater owners to be on the lookout for suspicious individuals who may have bad intentions.

Aside from the wearables threat, the best practices note that all possible hidden camera locations in the theater should be considered, including cup holders. In addition, employees should be alert for possible concealed recording equipment, as often seen in the movies.

“Movie thieves are very ingenious when it comes to concealing cameras. It may be as simple as placing a coat or hat over the camera, or as innovative as a specially designed concealment device,” it warns.

To increase vigilance among movie theater employees, a $500 bounty is being placed on the heads of those who illegally camcord a movie.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Errata Security: FBI’s crypto doublethink

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Recently, FBI Director James Comey gave a speech at the Brookings Institute decrying crypto. It was transparently Orwellian, arguing for a police-state. In this post, I’ll demonstrate why, quoting bits of the speech.

“the FBI has a sworn duty to keep every American safe from crime and terrorism”
“The people of the FBI are sworn to protect both security and liberty”

This is not true. The FBI’s oath is to “defend the Constitution”. Nowhere in the oath does it say “protect security” or “keep people safe”.

This detail is important. Tyrants suppress civil liberties in the name of national security and public safety. This oath taken by FBI agents, military personnel, and the even the president, is designed to prevent such tyrannies.

Comey repeatedly claims that FBI agents both understand their duty and are committed to it. That Comey himself misunderstands his oath disproves both assertions. This reinforces our belief that FBI agents do not see their duty as protecting our rights, but instead see rights as an impediment in pursuit of some other duty.

Freedom is Danger

The book 1984 describes the concept of “doublethink“, with political slogans as examples: “War is Peace”, “Ignorance is Strength”, and “Freedom is Slavery”. Comey goes full doublethink:

Some have suggested there is a conflict between liberty and security. I disagree. At our best, we in law enforcement, national security, and public safety are looking for security that enhances liberty. When a city posts police officers at a dangerous playground, security has promoted liberty—the freedom to let a child play without fear.

He’s wrong. Liberty and security are at odds. That’s what the 4th Amendment says. We wouldn’t be having this debate if they weren’t at odds.

He follows up with more doublethink, claiming “we aren’t seeking a back-door”, but instead are instead interested in “developing intercept solutions during the design phase”. Intercept solutions built into phones is the very definition of a backdoor, of course.

“terror terror terror terror terror”
“child child child child child child”

Comey mentions terrorism 5 times and child exploitation 6 times. This is transparently the tactic of the totalitarian, demagoguery based on emotion rather than reason.

Fear of terrorism on 9/11 led to the Patriot act, granting law enforcement broad new powers in the name of terrorism. Such powers have been used overwhelming for everything else. The most telling example is the detainment of David Miranda in the UK under a law that supposedly only applied to terrorists. Miranda was carrying an encrypted copy of Snowden files — clearly having nothing to do with terrorism. It was clearly exploitation of anti-terrorism laws for the purposes of political suppression.

Any meaningful debate doesn’t start with the headline grabbing crimes, but the ordinary ones, like art theft and money laundering. Comey has to justify his draconian privacy invasion using those laws, not terrorism.

“rule of law, rule of law, rule of law, rule of law, rule of law”
Comey mentions rule-of-law five times in his speech. His intent is to demonstrate that even the FBI is subject to the law, namely review by an independent judiciary. But that isn’t true.

The independent judiciary has been significantly weakened in recent years. We have secret courts, NSLs, and judges authorizing extraordinary powers because they don’t understand technology. Companies like Apple and Google challenge half the court orders they receive, because judges just don’t understand. There is frequent “parallel construction”, where evidence from spy agencies is used against suspects, sidestepping judicial review.

What Comey really means is revealed by this statement: “I hope you know that I’m a huge believer in the rule of law. … There should be no law-free zone in this country”. This a novel definition of “rule of law”, a “rule by law enforcement”, that has never been used before. It reveals what Comey really wants, a totalitarian police-state where nothing is beyond the police’s powers, where the only check on power is a weak and pliant judiciary.

“that a commitment to the rule of law and civil liberties is at the core of the FBI”
No, lip service to these things is at the core of the FBI.

I know this from personal experience when FBI agents showed up at my offices and threatened me, trying to get me to cancel a talk at a cybersecurity conference. They repeated over and over how they couldn’t force me to cancel my talk because I had a First Amendment right to speak — while simultaneously telling me that if I didn’t cancel my talk, they would taint my file so that I would fail background checks and thus never be able to work for the government ever again.
We saw that again when the FBI intercepted clearly labeled “attorney-client privileged” mail between Weev and his lawyer. Their excuse was that the threat of cyberterrorism trumped Weev’s rights.

Then there was that scandal that saw widespread cheating on a civil-rights test. FBI agents were required to certify, unambiguously, that nobody helped them on the test. They lied. It’s one more oath FBI agents seem not to care about.

If commitment to civil liberties was important to him, Comey would get his oath right. If commitment to rule-of-law was important, he’d get the definition right. Every argument Comey make demonstrates how little he is interested in civil liberties.

“Snowden Snowden Snowden”

Comey mentions Snowden three times, such as saying “In the wake of the Snowden disclosures, the prevailing view is that the government is sweeping up all of our communications“.

This is not true. No news article based on the Snowden document claims this. No news site claims this. None of the post-Snowden activists believe this. All the people who matter know the difference between metadata and full eavesdropping, and likewise, the difficulty the FBI has in getting at that data.

This is how we know the FBI is corrupt. They ignore our concerns that government has been collecting every phone record in the United States for 7 years without public debate, but instead pretend the issue is something stupid, like the false belief they’ve been recording all phone calls. They knock down strawman arguments instead of addressing our real concerns.

Regulate communication service providers

In his book 1984, everyone had a big screen television mounted on the wall that was two-way. Citizens couldn’t turn the TV off, because it had to be blaring government propaganda all the time. The camera was active at all time in case law enforcement needed to access it. At the time the book was written in 1934, televisions were new, and people thought two-way TVs were plausible. They weren’t at that time; it was a nonsense idea.

But then the Internet happened and now two-way TVs are a real thing. And it’s not just the TV that’s become two-way video, but also our phones. If you believe the FBI follows the “rule of law” and that the courts provide sufficient oversight, then there’s no reason to stop them going full Orwell, allowing the police to turn on your device’s camera/microphone any time they have a court order in order to eavesdrop on you. After all, as Comey says, there should be no law-free zone in this country, no place law enforcement can’t touch.

Comey pretends that all he seeks at the moment is a “regulatory or legislative fix to create a level playing field, so that all communication service providers are held to the same standard” — meaning a CALEA-style backdoor allowing eavesdropping. But here’s thing: communication is no longer a service but an app. Communication is “end-to-end”, between apps, often by different vendors, bypassing any “service provider”. There is no way to way to eavesdrop on those apps without being able to secretly turn on a device’s microphone remotely and listen in.

That’s why we crypto-activists draw the line here, at this point. Law enforcement backdoors in crypto inevitably means an Orwellian future.


Conclusion

There is a lot more wrong with James Comey’s speech. What I’ve focused on here were the Orwellian elements. The right to individual crypto, with no government backdoors, is the most important new human right that technology has created. Without it, the future is an Orwellian dystopia. And as proof of that, I give you James Comey’s speech, whose arguments are the very caricatures that Orwell lampooned in his books.

TorrentFreak: FBI Screens Interns On Their Piracy Habits

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

usdojOver the last decade the FBI has been involved in numerous file-sharing related investigations, mainly in respect of large scale copyright infringement.

In 2005 the FBI shuttered EliteTorrents, a popular ‘private’ BitTorrent community that came to a sticky end after making available a pre-release ‘workprint’ copy of Star Wars Episode III. By 2010 the agency was focusing its resources on Operation in Our Sites, an initiative which closed down several domains including the notorious NinjaVideo. Then two years ago the FBI played a key role in the closure of Kim Dotcom’s Megaupload.

While few would doubt the gravity of the cases highlighted above, it may come as a surprise that in addition to commercial scale infringement, the FBI also views unauthorized personal copying as a serious offense. While it may not actively pursue individual pirates, it doesn’t want them in-house.

Monday this week Sacramento State‘s Career Center welcomed the FBI for a visit concerning recruitment of students for its paid internship program. One of the topics discussed were historical actions that could exclude applicants from the program.

In addition to drug use, criminal activity and even defaulting on a student loan, students were informed that if they had illegally downloaded content in the past, that could rule them out of a position at the FBI. It appears that to the agency, downloading is tantamount to stealing.

While some students might be tempted to tell a white lie or two about their piracy experiences during their initial interviews, that appears to be a dangerous course of action. All responses are recorded and sent to a polygraph technician and if the student fails the lie detector test they are excluded from the FBI forever, even if they tried to cover up the smallest thing.

But what if applicants have a bit of personal piracy to hide, but choose to tell the truth? Information is limited, but a 2012 posting on 911JobForums by a rejected applicant reveals that while honesty might be the best policy, it can be enough to rule someone out of a job.

“My reason for posting this is to help give fair warning to those who don’t think pirating copyrighted information from the internet will trip them up later on. While I sometimes ask myself what might have been, I can honestly say I gave it my best shot,” the poster explains.

“I had downloaded songs while at college 10 years prior (300+) and a few recently (<20). I had an illegal copy of Windows XP in my possession and 10 years ago had watched fewer than 8 pirated full-length movies which I had downloaded then promptly deleted. I had copied a Redbox DVD to my iPod I wasn’t able to watch before returning but then promptly deleted the movie after watching once.”

According to the student-run newspaper The State Hornet, the FBI are interested in the amount of illegal content applicants have downloaded, so it’s possible that people downloading very small amounts might be shown leniency.

Those interested in how the polygraph procedure itself works can find details of the equivalent CIA test here. Interestingly the writer has a tip for former pirate students.

“[The CIA] were concerned mostly about crime, drugs, and misuse of technology systems. Downloading music, though it is illegal, does not disqualify you. Most people especially college students did this, just pretend you didn’t know that it was illegal,” he notes.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: iPhone Encryption and the Return of the Crypto Wars

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone’s encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it.

From now on, all the phone’s data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user’s iPhone data is now more secure.

To hear U.S. law enforcement respond, you’d think Apple’s move heralded an unstoppable crime wave. See, the FBI had been using that vulnerability to get into peoples’ iPhones. In the words of cyberlaw professor Orin Kerr, “How is the public interest served by a policy that only thwarts lawful search warrants?”

Ah, but that’s the thing: You can’t build a “back door” that only the good guys can walk through. Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You’re either vulnerable to eavesdropping by any of them, or you’re secure from eavesdropping from all of them.

Back-door access built for the good guys is routinely used by the bad guys. In 2005, some unknown group surreptitiously used the lawful-intercept capabilities built into the Greek cell phone system. The same thing happened in Italy in 2006.

In 2010, Chinese hackers subverted an intercept system Google had put into Gmail to comply with U.S. government surveillance requests. Back doors in our cell phone system are currently being exploited by the FBI and unknown others.

This doesn’t stop the FBI and Justice Department from pumping up the fear. Attorney General Eric Holder threatened us with kidnappers and sexual predators.

The former head of the FBI’s criminal investigative division went even further, conjuring up kidnappers who are also sexual predators. And, of course, terrorists.

FBI Director James Comey claimed that Apple’s move allows people to “place themselves beyond the law” and also invoked that now overworked “child kidnapper.” John J. Escalante, chief of detectives for the Chicago police department now holds the title of most hysterical: “Apple will become the phone of choice for the pedophile.”

It’s all bluster. Of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping. And, more importantly, there’s no evidence that encryption hampers criminal investigations in any serious way. In 2013, encryption foiled the police nine times, up from four in 2012­and the investigations proceeded in some other way.

This is why the FBI’s scare stories tend to wither after public scrutiny. A former FBI assistant director wrote about a kidnapped man who would never have been found without the ability of the FBI to decrypt an iPhone, only to retract the point hours later because it wasn’t true.

We’ve seen this game before. During the crypto wars of the 1990s, FBI Director Louis Freeh and others would repeatedly use the example of mobster John Gotti to illustrate why the ability to tap telephones was so vital. But the Gotti evidence was collected using a room bug, not a telephone tap. And those same scary criminal tropes were trotted out then, too. Back then we called them the Four Horsemen of the Infocalypse : pedophiles, kidnappers, drug dealers, and terrorists. Nothing has changed.

Strong encryption has been around for years. Both Apple’s FileVault and Microsoft’s BitLocker encrypt the data on computer hard drives. PGP encrypts email. Off-the-Record encrypts chat sessions. HTTPS Everywhere encrypts your browsing. Android phones already come with encryption built-in. There are literally thousands of encryption products without back doors for sale, and some have been around for decades. Even if the U.S. bans the stuff, foreign companies will corner the market because many of us have legitimate needs for security.

Law enforcement has been complaining about “going dark” for decades now. In the 1990s, they convinced Congress to pass a law requiring phone companies to ensure that phone calls would remain tappable even as they became digital. They tried and failed to ban strong encryption and mandate back doors for their use. The FBI tried and failed again to ban strong encryption in 2010. Now, in the post-Snowden era, they’re about to try again.

We need to fight this. Strong encryption protects us from a panoply of threats. It protects us from hackers and criminals. It protects our businesses from competitors and foreign spies. It protects people in totalitarian governments from arrest and detention. This isn’t just me talking: The FBI also recommends you encrypt your data for security.

As for law enforcement? The recent decades have given them an unprecedented ability to put us under surveillance and access our data. Our cell phones provide them with a detailed history of our movements. Our call records, email history, buddy lists, and Facebook pages tell them who we associate with. The hundreds of companies that track us on the Internet tell them what we’re thinking about. Ubiquitous cameras capture our faces everywhere. And most of us back up our iPhone data on iCloud, which the FBI can still get a warrant for. It truly is the golden age of surveillance.

After considering the issue, Orin Kerr rethought his position, looking at this in terms of a technological-legal trade-off. I think he’s right.

Given everything that has made it easier for governments and others to intrude on our private lives, we need both technological security and legal restrictions to restore the traditional balance between government access and our security/privacy. More companies should follow Apple’s lead and make encryption the easy-to-use default. And let’s wait for some actual evidence of harm before we acquiesce to police demands for reduced security.

This essay previously appeared on CNN.com

EDITED TO ADD (10/6): Three more essays worth reading. As is this on all the other ways Apple and the government have to get at your iPhone data.

And a Washington Post editorial manages to say this:

How to resolve this? A police “back door” for all smartphones is undesirable–a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.

Because a “secure golden key” is completely different from a “back door.”

Errata Security: Reading the Silk Road configuration

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Many of us believe it wasn’t the FBI who discovered the hidden Silk Road server, but the NSA (or other intelligence organization). We believe the FBI is using “parallel construction”, meaning creating a plausible story of how they found the server to satisfy the courts, but a story that isn’t true.

Today, Brian Krebs released data from the defense team that seems to confirm the “parallel construction” theory. I thought I’d write up a technical discussion of what was found.

The Tarbell declaration

A month ago, the FBI released a statement from the lead investigator, Christopher Tarbell, describing how he discovered the hidden server (“the Tarbell declaration“). This document had four noticeable defects.

The first is that the details are vague. It is impossible for anybody with technical skill (such as myself) to figure out what he did.

The second problem is that some of the details are impossible, such as seeing the IP address in the “packet headers”.

Thirdly, his saved none of the forensics data. You’d have thought that had this been real, he would have at least captured packet logs or even screenshots of what he did. I’m a technical blogger. I document this sort of thing all the time. It’s not hard for me, it shouldn’t be hard for the FBI when it’s the cornerstone of the entire case.

Lastly, Tarbell doesn’t even deny it was parallel construction. A scenario of an NSA agent showing up at the FBI offices and opening a browser to the IP address fits within his description of events.

I am a foremost Internet expert on this sort of thing. I think Christopher Tarbell is lying.

The two servers involved

There were two serves involved.

The actual Tor “onion” server ran on a server in Germany at the IP address 65.75.246.20. This was the front-end server.

The Silk Road data was held on a back-end server in Iceland at the IP address 193.107.86.49. This is the server Tarbell claims to have found.

The data dumped today on Brian Krebs’ site is configuration and log files from the second server.

The Icelandic configuration

The Icelandic backend had two “sites”, one on HTTP (port 80) running the phpmyadmin pages, and a second on HTTPS (port 443) for communicating the Silk Road content to the German onion server.

The HTTP (port 80) configuration is shown below. Because this requires “basic authentication”, Tarbell could not have accessed the server on this port.

However, the thing to note about this configuration is that “basic” authentication was used over port 80. If the NSA were monitoring links to/from Iceland, they could easily have discovered the password and used it to log onto the server. This is basic cybersecurity, what the “Wall of Sheep” at DefCon is all about.

The following picture shows the configuration of the HTTPS site.

Notice firstly that the “listen 443″ specifies only a port number and not an IP address. Consequently, anybody on the Internet could connect to the server and obtain its SSL certificate, even if it cannot get anything but an error message from the web server. Brian Krebs quotes Nicholas Weaver as claiming “This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server”. This is wrong, the web server accept all TCP connections, though it may give a “403 forbidden” as the result.

BTW: one plausible way of having discovered the server is to scan the entire Internet for SSL certificates, then correlate information in those certificates with the information found going across the Tor onion connection.

Next is the location information that allows only localhost, the German server, and then denies everything else (“deny all”). As mentioned above, this doesn’t prevent the TCP connection, but does produce a “403 forbidden” error code.

However, there is a flaw: this configuration is overridden for PHP files in the next section down. I’ve tested this on my own server. While non-PHP files are not accessible on the server, anything with the .php file extension still runs for everyone.

Worse yet, the login screen uses “/index.php”. The rules above convert an access of “/” automatically to “/index.php”. If indeed the server has the file “/var/www/market/public/index.php”, then Tarbell’s explanation starts to make sense. He’s still missing important details, and of course, there is no log of him having accessed the server this way,, but this demonstrates that something like his description isn’t impossible. One way this could have been found is by scanning the entire Internet for SSL servers, then searching for the string “Silkroad” in the resulting webpage.

The log files

The FBI imaged the server, including all the log files. Typical log entries looked like the following:

62.75.246.20 – – [14/Jul/2013:06:55:33 +0000] “GET /orders/cart HTTP/1.0″ 200 49072 “http://silkroadvb5piz3r.onion/silkroad/item/0f81d52be7″ “Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0″

Since the defense could not find in the logfiles where Tarbell had access the system, the prosecutors helped them out by pointing to entries that looked like the following:

199.170.71.133 – – [11/Jun/2013:16:58:36 +0000] “GET / HTTP/1.1″ 200 2616 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36″

199.170.71.133 – – [11/Jun/2013:16:58:36 +0000] “GET
/phpmyadmin.css.phpserver=1&lang=en&collation_connection=utf8_general_ci&token=451ca1a827cda1c8e80d0c0876e29ecc&js_frame=right&nocache=3988383895 HTTP/1.1″ 200 41724 “http://193.107.86.49/” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36″

However, these entries are wrong. First, they are for the phpmyadmin pages and not the Silk Road login pages, so they are clearly not the pages described in the Tarbell declaration. Second, they return “200 ok” as the error code instead of a “401 unauthorized” login error as one would expect from the configuration. This means either the FBI knew the password, or the configuration has changed in the meantime, or something else is wrong with the evidence provided by the prosecutors.

Conclusion

As an expert in such topics as sniffing passwords and masscaning the Internet, I know that tracking down the Silk Road site is well within the NSA’s capabilities. Looking at the configuration files, I can attest to the fact that the Dread Pirate Roberts sucked at op-sec.

As an expert, I know the Tarbell declaration is gibberish. As an expert reading the configuration and logs, I know that it doesn’t match the Tarbell declaration. That’s not to say that the Tarbell declaration has been disproven, it’s just that “parallel construction” is a better explanation for what’s going on than Tarbell actually having found the Silk Road server on his own.

Krebs on Security: Silk Road Lawyers Poke Holes in FBI’s Story

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

New court documents released this week by the U.S. government in its case against the alleged ringleader of the Silk Road online black market and drug bazaar suggest that the feds may have some ‘splaining to do.

The login prompt and CAPTCHA from the Silk Road home page.

The login prompt and CAPTCHA from the Silk Road home page.

Prior to its disconnection last year, the Silk Road was reachable only via Tor, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Tor also lets anyone run a Web server without revealing the server’s true Internet address to the site’s users, and this was the very technology that the Silk road used to obscure its location.

Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.

But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events.  And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI’s story.

For starters, the defense asked the government for the name of the software that FBI agents used to record evidence of the CAPTCHA traffic that allegedly leaked from the Silk Road servers. The government essentially responded (PDF) that it could not comply with that request because the FBI maintained no records of its own access, meaning that the only record of their activity is in the logs of the seized Silk Road servers.

The response that holds perhaps the most potential to damage the government’s claim comes in the form of a configuration file (PDF) taken from the seized servers. Nicholas Weaver,a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley, explains the potential significance:

“The IP address listed in that file — 62.75.246.20 — was the front-end server for the Silk Road,” Weaver said. “Apparently, Ulbricht had this split architecture, where the initial communication through Tor went to the front-end server, which in turn just did a normal fetch to the back-end server. It’s not clear why he set it up this way, but the document the government released in 70-6.pdf shows the rules for serving the Silk Road Web pages, and those rules are that all content – including the login CAPTCHA – gets served to the front end server but to nobody else. This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server.”

Translation: Those rules mean that the Silk Road server would deny any request from the Internet that wasn’t coming from the front-end server, and that includes the CAPTCHA.

“This configuration file was last modified on June 6, so on June 11 — when the FBI said they [saw this leaky CAPTCHA] activity — the FBI could not have seen the CAPTCHA by connecting to the server while not using Tor,” Weaver said. “You simply would not have been able to get the CAPTCHA that way, because the server would refuse all requests.”

The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.

“The server logs which the FBI provides as evidence show that, no, what happened is the FBI didn’t see a leakage coming from that IP,” he said. “What happened is they contacted that IP directly and got a PHPMyAdmin configuration page.” See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.

But this is hardly a satisfying answer to how the FBI investigators located the Silk Road servers. After all, if the FBI investigators contacted the PHPMyAdmin page directly, how did they know to do that in the first place?

“That’s still the $64,000 question,” Weaver said. “So both the CAPTCHA couldn’t leak in that configuration, and the IP the government visited wasn’t providing the CAPTCHA, but instead a PHPMyAdmin interface. Thus, the leaky CAPTCHA story is full of holes.”

Many in the Internet community have officially called baloney [that’s a technical term] on the government’s claims, and these latest apparently contradictory revelations from the government are likely to fuel speculation that the government is trying to explain away some not-so-by-the-book investigative methods.

“I find it surprising that when given the chance to provide a cogent, on-the record explanation for how they discovered the server, they instead produced a statement that has been shown inconsistent with reality, and that they knew would be inconsistent with reality,” Weaver said. “”Let me tell you, those tin foil hats are looking more and more fashionable each day.”

Krebs on Security: $1.66M in Limbo After FBI Seizes Funds from Cyberheist

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A Texas bank that’s suing a customer to recover $1.66 million spirited out of the country in a 2012 cyberheist says it now believes the missing funds are still here in the United States — in a bank account that’s been frozen by the federal government as part of an FBI cybercrime investigation.

robotrobkbIn late June 2012, unknown hackers broke into the computer systems of Luna & Luna, LLP, a real estate escrow firm based in Garland, Texas. Unbeknownst to Luna, hackers had stolen the username and password that the company used to managed its account at Texas Brand Bank (TBB), a financial institution also based in Garland.

Between June 21, 2012 and July 2, 2012, fraudsters stole approximately $1.75 million in three separate wire transfers. Two of those transfers went to an account at the Industrial and Commercial Bank of China. That account was tied to the Jixi City Tianfeng Trade Limited Company in China. The third wire, in the amount of $89,651, was sent to a company in the United States, and was recovered by the bank.

Jixi is in the Heilongjiang province of China on the border with Russia, a region apparently replete with companies willing to accept huge international wire transfers without asking too many questions. A year before this cyberheist took place, the FBI issued a warning that cyberthieves operating out of the region had been the recipients of approximately $20 million in the year prior — all funds stolen from small to mid-sized businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies (PDF) on the border with Russia.

Luna became aware of the fraudulent transfers on July 2, 2012, when the bank notified the company that it was about to overdraw its accounts. The theft put Luna & Luna in a tough spot: The money the thieves stole was being held in escrow for the U.S. Department of Housing and Urban Development (HUD). In essence, the crooks had robbed Uncle Sam, and this was exactly the argument that Luna used to talk its bank into replacing the missing funds as quickly as possible.

“Luna argued that unless TBB restored the funds, Luna and HUD would be severely damaged with consequences to TBB far greater than the sum of the swindled funds,” TBB wrote in its original complaint (PDF). TBB notes that it agreed to reimburse the stolen funds, but that it also reserved its right to legal claims against Luna to recover the money.

When TBB later demanded repayment, Luna refused. The bank filed suit on July 1, 2013, in state court, suing to recover the approximately $1.66 million that it could not claw back, plus interest and attorney’ fees.

For the ensuing year, TBB and Luna wrangled in the courts over the venue of the trial. Luna also counterclaimed that the bank’s security was deficient because it only relied on a username and password, and that TBB should have flagged the wires to China as highly unusual.

TBB notes that per a written agreement with the bank, Luna had instructed the bank to process more than a thousand wire transfers from its accounts to third-party accounts. Further, the bank pointed out that Luna had been offered but refused “dual controls,” a security measure that requires two employees to sign off on all wire transfers before the money is allowed to be sent.

In August, Luna alerted (PDF) the U.S. District Court for the Northern District of Texas that in direct conversations with the FBI, an agent involved in the investigation disclosed that the $1.66 million in stolen funds were actually sitting in an account at JPMorgan Chase, which was the receiving bank for the fraudulent wires. Both Luna and TBB have asked the government to consider relinquishing the funds to help settle the lawsuit.

The FBI did not return calls seeking comment. The Office of the U.S. attorney for the Northern District of Texas, which is in the process of investigating potential criminal claims related to the fraudulent transfers, declined to comment except to say that the case is ongoing and that no criminal charges have been filed to date.

As usual, this cyberheist resulted from missteps by both the bank and the customer. Dual controls are a helpful — but not always sufficient — security control that Luna should have adopted, particularly given how often these cyberheists are perpetrated against title and escrow firms. But it is galling that it is easier to find more robust, customer-facing security controls at your average email or other cloud service provider than it is at one of thousands of financial institutions in the United States.

If you run a small business and are managing your accounts online, you’d be wise to expect a similar attack on your own accounts and prepare accordingly. That means taking your business to a bank that offers more than just usernames, passwords and tokens for security. Shop around for a bank that lets you secure your transfers with some sort of additional authentication step required from a mobile device. These security methods can be defeated of course, but they present an extra hurdle for the bad guys, who probably are more likely to go after the lower-hanging fruit at thousands of other financial institutions that don’t offer more modern security approaches.

But if you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses.

TorrentFreak: Giganews Resorts to DMCA to Quieten FBI Allegations

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

GNlogoOn the morning of September 11, 2014, TorrentFreak was greeted with one of the most unusual emails we’ve ever received.

Sent from an alleged former employee of Giganews who identified himself as Nick Caputo, the email contained serious allegations about his former employer. Caputo told us that he’d begun working at the company in 2009 and as a “huge pirate” he loved to help people download “all the rich multimedia content they could.” But that was just the beginning.

The email outlined Caputo’s rise through the company through two quick promotions in two-and-a-half years. However, it quickly descended into allegations that far from being a straight-down-the-line newsgroup provider, Giganews is in fact an FBI-run operation. Caputo says he discovered this after getting into a dispute with the company about removing child abuse material and elevating his complaint to the FBI.

TorrentFreak decided not to run with the story, despite clear indications that Caputo is who he claimed he was. The story, which had plenty of detail, just didn’t hold up on its own. There was plenty of ‘evidence’ provided but the problem was that none of it added up to a level of proof that we’d be prepared to stand behind.

But four days later and after being contacted by Caputo, Cryptome published the email and documents originally sent to TorrentFreak and possibly others.

The story quickly spread around dozens of sites including Reddit and HackerNews forcing Giganews to respond, acknowledging that Caputo was indeed a former employee but denying the allegations.

“This is a hoax. These allegations are 100% false,” the company wrote.

“Unfortunately, since his termination, the poster has periodically posted versions of this information online. Sometimes, he tries to misrepresent himself as our CEO and sometimes he posts as himself.”

With Giganews criticizing Cryptome for publishing the allegations, Caputo it seemed was not giving up. The archive of evidence originally offered to TF found itself uploaded to Internet Archive from where Caputo hoped it would be spread far and wide.

However, according to a new email published by Cryptome, that has now been brought to halt by the issuing of a DMCA notice.

Subject: archive.org item subject to copyright claim
From:”Internet Archive”
Date:Sep 18, 2014 9:41:11 PM

Hello,

Access to the item at https://archive.org/details/giganews-fbi has been disabled following receipt by Internet Archive of a copyright claim submitted on behalf of Data Foundry, Inc (datafoundry.com). The claim was submitted with information and statements requested by Internet Archive’s Copyright Policy (posted at https://archive.org/about/terms.php near the bottom of the page). If you have questions regarding the claim, please let us know.

Sincerely,

The Internet Archive Team

While Giganews clearly thinks the contents of the archive are defamatory, one has to dig into the details to see where the company has a copyright claim over the file.

That can be found in a dump of employee contact details which documents show were obtained from Data Foundry’s intranet. Each employee card has a photograph attached and those are likely to have been taken by a company employee in company time.

Also included in the dump is a Giganews appraisal of Caputo’s performance during 2010. It was authored by a manager and the rights to the form will most likely sit with the company. While Giganews would probably write something different today, four years ago the company felt that Caputo was “the go-to guy” for getting stuff done on nights, ranking his overall performance as “exceeding” the standard required.

“Giganews is in the impossible position of proving a negative,” the company said in a statement.

“If we say our list of employees does not include any FBI employees, then they must be ‘using false identities.’ If we say the named FBI operatives don’t look like any of our employee photos, ‘the pictures must have been altered.’ Even the denial itself is used as further evidence of the truth of the accusation. In a court of law, such an accusation would never stand up to scrutiny, but on the Open Internet, opinions can be formed by only a few words on a popular website.”

Whether the allegations will now calm down and go away is anyone’s guess, but a DMCA notice to one of the many sources of the file is unlikely to make it disappear forever.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: Fake Cell Phone Towers Across the US

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US These seems to be ISMI catchers, like Harris Corporation’s Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone towers in politically interesting places around Washington DC. In both cases, researchers used by security software that’s part of CryptoPhone from the German company GSMK. And in both cases, we don’t know who is running these fake cell phone towers. Is it the US government? A foreign government? Multiple foreign governments? Criminals?

This is the problem with building an infrastructure of surveillance: you can’t regulate who gets to use it. The FBI has been protecting Stingray like its an enormous secret, but it’s not a secret anymore. We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them.

We have one infrastructure. We can’t choose a world where the US gets to spy and the Chinese don’t. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I’m tired of us choosing surveillance over security.

Krebs on Security: Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach.

The "Fraud Related" section of the Evolution Market.

The “Fraud Related” section of the Evolution Market.

Purloined medical records are among the many illicit goods for sale on the Evolution Market, a black market bazaar that traffics mostly in narcotics and fraud-related goods — including plenty of stolen financial data. Evolution cannot be reached from the regular Internet. Rather, visitors can only browse the site using Tor, software that helps users disguise their identity by bouncing their traffic between different servers, and by encrypting that traffic at every hop along the way.

Last week, a reader alerted this author to a merchant on Evolution Market nicknamed “ImperialRussia” who was advertising medical records for sale. ImperialRussia was hawking his goods as “fullz” — street slang for a package of all the personal and financial records that thieves would need to fraudulently open up new lines of credit in a person’s name.

Each document for sale by this seller includes the would-be identity theft victim’s name, their medical history, address, phone and driver license number, Social Security number, date of birth, bank name, routing number and checking/savings account number. Customers can purchase the records using the digital currency Bitcoin.

A set of five fullz retails for $40 ($8 per record). Buy 20 fullz and the price drops to $7 per record. Purchase 50 or more fullz, and the per record cost falls to just $6.40 — roughly the price of a value meal at a fast food restaurant. Incidentally, even at $8 per record, that’s cheaper than the price most stolen credit cards fetch on the underground markets.

Imperial Russia's ad on Evolution pimping medical and financial records stolen from a Texas life insurance firm.

Imperial Russia’s ad pimping medical and financial records stolen from a Texas life insurance firm.

“Live and Exclusive database of US FULLZ from an insurance company, particularly from NorthWestern region of U.S.,” ImperialRussia’s ad on Evolution enthuses. The pitch continues:

“Most of the fullz come with EXTRA FREEBIES inside as additional policyholders. All of the information is accurate and confirmed. Clients are from an insurance company database with GOOD to EXCELLENT credit score! I, myself was able to apply for credit cards valued from $2,000 – $10,000 with my fullz. Info can be used to apply for loans, credit cards, lines of credit, bank withdrawal, assume identity, account takeover.”

Sure enough, the source who alerted me to this listing had obtained numerous fullz from this seller. All of them contained the personal and financial information on people in the Northwest United States (mostly in Washington state) who’d applied for life insurance through American Income Life, an insurance firm based in Waco, Texas.

American Income Life referred all calls to the company’s parent firm — Torchmark Corp., an insurance holding company in McKinney, Texas. This publication shared with Torchmark the records obtained from Imperial Russia. In response, Michael Majors, vice president of investor relations at Torchmark, said that the FBI and Secret Service were assisting the company in an ongoing investigation, and that Torchmark expected to begin the process of notifying affected consumers this week.

“We’re aware of the matter and we’ve been working with law enforcement on an ongoing investigation,” Majors said, after reviewing the documents shared by KrebsOnSecurity. “It looks like we’re working on the same matter that you’re inquiring about.”

Majors declined to answer additional questions, such as whether Torchmark has uncovered the source of the data breach and stopped the leakage of customer records, or when the company believes the breach began. Interestingly, ImperialRussia’s first post offering this data is dated more than three months ago, on June 15, 2014. Likewise, the insurance application documents shared with Torchmark by this publication also were dated mid-2014.

The financial information in the stolen life insurance applications includes the checking and/or savings account information of the applicant, and is collected so that American Income can pre-authorize payments and automatic monthly debits in the event the policy is approved. In a four-page discussion thread on Imperial Russian’s sales page at Evolution, buyers of this stolen data took turns discussing the quality of the information and its various uses, such as how one can use automated phone systems to verify the available balance of an applicant’s bank account.

Jessica Johnson, a Washington state resident whose records were among those sold by ImperialRussia, said in a phone interview that she received a call from a credit bureau this week after identity thieves tried to open two new lines of credit in her name.

“It’s been a nightmare,” she said. “Yesterday, I had all these phone calls from the credit bureau because someone tried to open two new credit cards in my name. And the only reason they called me was because I already had a credit card with that company and the company thought it was weird, I guess.”

ImperialRussia discusses his wares with potential and previous buyers.

ImperialRussia discusses his wares with potential and previous buyers.

More than 1.8 million people were victims of medical ID theft in 2013, according to a report from the Ponemon Institute, an independent research group. I suspect that many of these folks had their medical records stolen and used to open new lines of credit in their names, or to conduct tax refund fraud with the Internal Revenue Service (IRS).

Placing a fraud alert or freeze on your credit file is a great way to block identity thieves from hijacking your good name. For pointers on how to do that, as well as other tips on how to avoid becoming a victim of ID theft, check out this story.