Posts tagged ‘fbi’

Errata Security: FBI’s crypto doublethink

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Recently, FBI Director James Comey gave a speech at the Brookings Institute decrying crypto. It was transparently Orwellian, arguing for a police-state. In this post, I’ll demonstrate why, quoting bits of the speech.

“the FBI has a sworn duty to keep every American safe from crime and terrorism”
“The people of the FBI are sworn to protect both security and liberty”

This is not true. The FBI’s oath is to “defend the Constitution”. Nowhere in the oath does it say “protect security” or “keep people safe”.

This detail is important. Tyrants suppress civil liberties in the name of national security and public safety. This oath, taken by FBI agents, military personnel, and even the president, is designed to prevent such tyrannies.

Comey repeatedly claims that FBI agents both understand their duty and are committed to it. That Comey himself misunderstands his oath disproves both assertions. This reinforces our belief that FBI agents do not see their duty as protecting our rights, but instead see rights as an impediment in pursuit of some other duty.

Freedom is Danger

The book 1984 describes the concept of “doublethink”, with political slogans as examples: “War is Peace”, “Ignorance is Strength”, and “Freedom is Slavery”. Comey goes full doublethink:

Some have suggested there is a conflict between liberty and security. I disagree. At our best, we in law enforcement, national security, and public safety are looking for security that enhances liberty. When a city posts police officers at a dangerous playground, security has promoted liberty—the freedom to let a child play without fear.

He’s wrong. Liberty and security are at odds. That’s what the 4th Amendment says. We wouldn’t be having this debate if they weren’t at odds.

He follows up with more doublethink, claiming “we aren’t seeking a back-door”, but are instead interested in “developing intercept solutions during the design phase”. Intercept solutions built into phones are the very definition of a backdoor, of course.

“terror terror terror terror terror”
“child child child child child child”

Comey mentions terrorism 5 times and child exploitation 6 times. This is transparently the tactic of the totalitarian, demagoguery based on emotion rather than reason.

Fear of terrorism on 9/11 led to the Patriot Act, granting law enforcement broad new powers in the name of terrorism. Such powers have been used overwhelmingly for everything else. The most telling example is the detainment of David Miranda in the UK under a law that supposedly only applied to terrorists. Miranda was carrying an encrypted copy of Snowden files — clearly having nothing to do with terrorism. It was clearly exploitation of anti-terrorism laws for the purposes of political suppression.

Any meaningful debate doesn’t start with the headline grabbing crimes, but the ordinary ones, like art theft and money laundering. Comey has to justify his draconian privacy invasion using those laws, not terrorism.

“rule of law, rule of law, rule of law, rule of law, rule of law”
Comey mentions rule-of-law five times in his speech. His intent is to demonstrate that even the FBI is subject to the law, namely review by an independent judiciary. But that isn’t true.

The independent judiciary has been significantly weakened in recent years. We have secret courts, NSLs, and judges authorizing extraordinary powers because they don’t understand technology. Companies like Apple and Google challenge half the court orders they receive, because judges just don’t understand. There is frequent “parallel construction”, where evidence from spy agencies is used against suspects, sidestepping judicial review.

What Comey really means is revealed by this statement: “I hope you know that I’m a huge believer in the rule of law. … There should be no law-free zone in this country”. This is a novel definition of “rule of law”, a “rule by law enforcement”, that has never been used before. It reveals what Comey really wants: a totalitarian police-state where nothing is beyond the police’s powers, where the only check on power is a weak and pliant judiciary.

“that a commitment to the rule of law and civil liberties is at the core of the FBI”
No, lip service to these things is at the core of the FBI.

I know this from personal experience when FBI agents showed up at my offices and threatened me, trying to get me to cancel a talk at a cybersecurity conference. They repeated over and over how they couldn’t force me to cancel my talk because I had a First Amendment right to speak — while simultaneously telling me that if I didn’t cancel my talk, they would taint my file so that I would fail background checks and thus never be able to work for the government ever again.
We saw that again when the FBI intercepted clearly labeled “attorney-client privileged” mail between Weev and his lawyer. Their excuse was that the threat of cyberterrorism trumped Weev’s rights.

Then there was that scandal that saw widespread cheating on a civil-rights test. FBI agents were required to certify, unambiguously, that nobody helped them on the test. They lied. It’s one more oath FBI agents seem not to care about.

If commitment to civil liberties was important to him, Comey would get his oath right. If commitment to rule-of-law was important, he’d get the definition right. Every single argument Comey makes demonstrates how little he is interested in civil liberties.

“Snowden Snowden Snowden”

Comey mentions Snowden three times, such as saying “In the wake of the Snowden disclosures, the prevailing view is that the government is sweeping up all of our communications”.

This is not true. No news article based on the Snowden document claims this. No news site claims this. None of the post-Snowden activists believe this. All the people who matter know the difference between metadata and full eavesdropping, and likewise, the difficulty the FBI has in getting at that data.

This is how we know the FBI is corrupt. They ignore our concerns that government has been collecting every phone record in the United States for 7 years without public debate, but instead pretend the issue is something stupid, like the false belief they’ve been recording all phone calls. They knock down strawman arguments instead of addressing our real concerns.

Regulate communication service providers

In his book 1984, everyone had a big screen television mounted on the wall that was two-way. Citizens couldn’t turn the TV off, because it had to be blaring government propaganda all the time. The camera was active at all times in case law enforcement needed to access it. At the time the book was written in 1934, televisions were new, and people thought two-way TVs were plausible. They weren’t at that time; it was a nonsense idea.

But then the Internet happened and now two-way TVs are a real thing. And it’s not just the TV that’s become two-way video, but also our phones. If you believe the FBI follows the “rule of law” and that the courts provide sufficient oversight, then there’s no reason to stop them going full Orwell, allowing the police to turn on your device’s camera/microphone any time they have a court order in order to eavesdrop on you. After all, as Comey says, there should be no law-free zone in this country, no place law enforcement can’t touch.

Comey pretends that all he seeks at the moment is a “regulatory or legislative fix to create a level playing field, so that all communication service providers are held to the same standard” — meaning a CALEA-style backdoor allowing eavesdropping. But here’s the thing: communication is no longer a service but an app. Communication is “end-to-end”, between apps, often by different vendors, bypassing any “service provider”. There is no way to eavesdrop on those apps without being able to secretly turn on a device’s microphone remotely and listen in.

That’s why we crypto-activists draw the line here, at this point. Law enforcement backdoors in crypto inevitably mean an Orwellian future.


Conclusion

There is a lot more wrong with James Comey’s speech. What I’ve focused on here were the Orwellian elements. The right to individual crypto, with no government backdoors, is the most important new human right that technology has created. Without it, the future is an Orwellian dystopia. And as proof of that, I give you James Comey’s speech, whose arguments are the very caricatures that Orwell lampooned in his books.

TorrentFreak: FBI Screens Interns On Their Piracy Habits

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Over the last decade the FBI has been involved in numerous file-sharing related investigations, mainly in respect of large scale copyright infringement.

In 2005 the FBI shuttered EliteTorrents, a popular ‘private’ BitTorrent community that came to a sticky end after making available a pre-release ‘workprint’ copy of Star Wars Episode III. By 2010 the agency was focusing its resources on Operation in Our Sites, an initiative which closed down several domains including the notorious NinjaVideo. Then two years ago the FBI played a key role in the closure of Kim Dotcom’s Megaupload.

While few would doubt the gravity of the cases highlighted above, it may come as a surprise that in addition to commercial scale infringement, the FBI also views unauthorized personal copying as a serious offense. While it may not actively pursue individual pirates, it doesn’t want them in-house.

Monday this week Sacramento State’s Career Center welcomed the FBI for a visit concerning recruitment of students for its paid internship program. One of the topics discussed was historical actions that could exclude applicants from the program.

In addition to drug use, criminal activity and even defaulting on a student loan, students were informed that if they had illegally downloaded content in the past, that could rule them out of a position at the FBI. It appears that to the agency, downloading is tantamount to stealing.

While some students might be tempted to tell a white lie or two about their piracy experiences during their initial interviews, that appears to be a dangerous course of action. All responses are recorded and sent to a polygraph technician and if the student fails the lie detector test they are excluded from the FBI forever, even if they tried to cover up the smallest thing.

But what if applicants have a bit of personal piracy to hide, but choose to tell the truth? Information is limited, but a 2012 posting on 911JobForums by a rejected applicant reveals that while honesty might be the best policy, it can be enough to rule someone out of a job.

“My reason for posting this is to help give fair warning to those who don’t think pirating copyrighted information from the internet will trip them up later on. While I sometimes ask myself what might have been, I can honestly say I gave it my best shot,” the poster explains.

“I had downloaded songs while at college 10 years prior (300+) and a few recently (<20). I had an illegal copy of Windows XP in my possession and 10 years ago had watched fewer than 8 pirated full-length movies which I had downloaded then promptly deleted. I had copied a Redbox DVD to my iPod I wasn’t able to watch before returning but then promptly deleted the movie after watching once.”

According to the student-run newspaper The State Hornet, the FBI are interested in the amount of illegal content applicants have downloaded, so it’s possible that people downloading very small amounts might be shown leniency.

Those interested in how the polygraph procedure itself works can find details of the equivalent CIA test here. Interestingly the writer has a tip for former pirate students.

“[The CIA] were concerned mostly about crime, drugs, and misuse of technology systems. Downloading music, though it is illegal, does not disqualify you. Most people especially college students did this, just pretend you didn’t know that it was illegal,” he notes.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: iPhone Encryption and the Return of the Crypto Wars

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone’s encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it.

From now on, all the phone’s data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user’s iPhone data is now more secure.

To hear U.S. law enforcement respond, you’d think Apple’s move heralded an unstoppable crime wave. See, the FBI had been using that vulnerability to get into peoples’ iPhones. In the words of cyberlaw professor Orin Kerr, “How is the public interest served by a policy that only thwarts lawful search warrants?”

Ah, but that’s the thing: You can’t build a “back door” that only the good guys can walk through. Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You’re either vulnerable to eavesdropping by any of them, or you’re secure from eavesdropping from all of them.

Back-door access built for the good guys is routinely used by the bad guys. In 2005, some unknown group surreptitiously used the lawful-intercept capabilities built into the Greek cell phone system. The same thing happened in Italy in 2006.

In 2010, Chinese hackers subverted an intercept system Google had put into Gmail to comply with U.S. government surveillance requests. Back doors in our cell phone system are currently being exploited by the FBI and unknown others.

This doesn’t stop the FBI and Justice Department from pumping up the fear. Attorney General Eric Holder threatened us with kidnappers and sexual predators.

The former head of the FBI’s criminal investigative division went even further, conjuring up kidnappers who are also sexual predators. And, of course, terrorists.

FBI Director James Comey claimed that Apple’s move allows people to “place themselves beyond the law” and also invoked that now overworked “child kidnapper.” John J. Escalante, chief of detectives for the Chicago police department now holds the title of most hysterical: “Apple will become the phone of choice for the pedophile.”

It’s all bluster. Of the 3,576 major offenses for which warrants were granted for communications interception in 2013, exactly one involved kidnapping. And, more importantly, there’s no evidence that encryption hampers criminal investigations in any serious way. In 2013, encryption foiled the police nine times, up from four in 2012, and the investigations proceeded in some other way.

This is why the FBI’s scare stories tend to wither after public scrutiny. A former FBI assistant director wrote about a kidnapped man who would never have been found without the ability of the FBI to decrypt an iPhone, only to retract the point hours later because it wasn’t true.

We’ve seen this game before. During the crypto wars of the 1990s, FBI Director Louis Freeh and others would repeatedly use the example of mobster John Gotti to illustrate why the ability to tap telephones was so vital. But the Gotti evidence was collected using a room bug, not a telephone tap. And those same scary criminal tropes were trotted out then, too. Back then we called them the Four Horsemen of the Infocalypse: pedophiles, kidnappers, drug dealers, and terrorists. Nothing has changed.

Strong encryption has been around for years. Both Apple’s FileVault and Microsoft’s BitLocker encrypt the data on computer hard drives. PGP encrypts email. Off-the-Record encrypts chat sessions. HTTPS Everywhere encrypts your browsing. Android phones already come with encryption built-in. There are literally thousands of encryption products without back doors for sale, and some have been around for decades. Even if the U.S. bans the stuff, foreign companies will corner the market because many of us have legitimate needs for security.

Law enforcement has been complaining about “going dark” for decades now. In the 1990s, they convinced Congress to pass a law requiring phone companies to ensure that phone calls would remain tappable even as they became digital. They tried and failed to ban strong encryption and mandate back doors for their use. The FBI tried and failed again to ban strong encryption in 2010. Now, in the post-Snowden era, they’re about to try again.

We need to fight this. Strong encryption protects us from a panoply of threats. It protects us from hackers and criminals. It protects our businesses from competitors and foreign spies. It protects people in totalitarian governments from arrest and detention. This isn’t just me talking: The FBI also recommends you encrypt your data for security.

As for law enforcement? The recent decades have given them an unprecedented ability to put us under surveillance and access our data. Our cell phones provide them with a detailed history of our movements. Our call records, email history, buddy lists, and Facebook pages tell them who we associate with. The hundreds of companies that track us on the Internet tell them what we’re thinking about. Ubiquitous cameras capture our faces everywhere. And most of us back up our iPhone data on iCloud, which the FBI can still get a warrant for. It truly is the golden age of surveillance.

After considering the issue, Orin Kerr rethought his position, looking at this in terms of a technological-legal trade-off. I think he’s right.

Given everything that has made it easier for governments and others to intrude on our private lives, we need both technological security and legal restrictions to restore the traditional balance between government access and our security/privacy. More companies should follow Apple’s lead and make encryption the easy-to-use default. And let’s wait for some actual evidence of harm before we acquiesce to police demands for reduced security.

This essay previously appeared on CNN.com

EDITED TO ADD (10/6): Three more essays worth reading. As is this on all the other ways Apple and the government have to get at your iPhone data.

And a Washington Post editorial manages to say this:

How to resolve this? A police “back door” for all smartphones is undesirable–a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant.

Because a “secure golden key” is completely different from a “back door.”

Errata Security: Reading the Silk Road configuration

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Many of us believe it wasn’t the FBI who discovered the hidden Silk Road server, but the NSA (or other intelligence organization). We believe the FBI is using “parallel construction”, meaning creating a plausible story of how they found the server to satisfy the courts, but a story that isn’t true.

Today, Brian Krebs released data from the defense team that seems to confirm the “parallel construction” theory. I thought I’d write up a technical discussion of what was found.

The Tarbell declaration

A month ago, the FBI released a statement from the lead investigator, Christopher Tarbell, describing how he discovered the hidden server (“the Tarbell declaration“). This document had four noticeable defects.

The first is that the details are vague. It is impossible for anybody with technical skill (such as myself) to figure out what he did.

The second problem is that some of the details are impossible, such as seeing the IP address in the “packet headers”.

Thirdly, he saved none of the forensics data. You’d have thought that had this been real, he would have at least captured packet logs or even screenshots of what he did. I’m a technical blogger. I document this sort of thing all the time. It’s not hard for me, and it shouldn’t be hard for the FBI when it’s the cornerstone of the entire case.

Lastly, Tarbell doesn’t even deny it was parallel construction. A scenario of an NSA agent showing up at the FBI offices and opening a browser to the IP address fits within his description of events.

I am a foremost Internet expert on this sort of thing. I think Christopher Tarbell is lying.

The two servers involved

There were two servers involved.

The actual Tor “onion” server ran on a server in Germany at the IP address 65.75.246.20. This was the front-end server.

The Silk Road data was held on a back-end server in Iceland at the IP address 193.107.86.49. This is the server Tarbell claims to have found.

The data dumped today on Brian Krebs’ site is configuration and log files from the second server.

The Icelandic configuration

The Icelandic backend had two “sites”, one on HTTP (port 80) running the phpmyadmin pages, and a second on HTTPS (port 443) for communicating the Silk Road content to the German onion server.

The HTTP (port 80) configuration is shown below. Because this requires “basic authentication”, Tarbell could not have accessed the server on this port.

However, the thing to note about this configuration is that “basic” authentication was used over port 80. If the NSA were monitoring links to/from Iceland, they could easily have discovered the password and used it to log onto the server. This is basic cybersecurity, what the “Wall of Sheep” at DefCon is all about.

The following picture shows the configuration of the HTTPS site.

Notice firstly that the “listen 443” directive specifies only a port number and not an IP address. Consequently, anybody on the Internet could connect to the server and obtain its SSL certificate, even if it cannot get anything but an error message from the web server. Brian Krebs quotes Nicholas Weaver as claiming “This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server”. This is wrong: the web server accepts all TCP connections, though it may give a “403 forbidden” as the result.

BTW: one plausible way of having discovered the server is to scan the entire Internet for SSL certificates, then correlate information in those certificates with the information found going across the Tor onion connection.

Next is the location information that allows only localhost, the German server, and then denies everything else (“deny all”). As mentioned above, this doesn’t prevent the TCP connection, but does produce a “403 forbidden” error code.

However, there is a flaw: this configuration is overridden for PHP files in the next section down. I’ve tested this on my own server. While non-PHP files are not accessible on the server, anything with the .php file extension still runs for everyone.

Worse yet, the login screen uses “/index.php”. The rules above convert an access of “/” automatically to “/index.php”. If indeed the server has the file “/var/www/market/public/index.php”, then Tarbell’s explanation starts to make sense. He’s still missing important details, and of course, there is no log of him having accessed the server this way, but this demonstrates that something like his description isn’t impossible. One way this could have been found is by scanning the entire Internet for SSL servers, then searching for the string “Silkroad” in the resulting webpage.

The log files

The FBI imaged the server, including all the log files. Typical log entries looked like the following:

62.75.246.20 - - [14/Jul/2013:06:55:33 +0000] "GET /orders/cart HTTP/1.0" 200 49072 "http://silkroadvb5piz3r.onion/silkroad/item/0f81d52be7" "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"

Since the defense could not find in the logfiles where Tarbell had accessed the system, the prosecutors helped them out by pointing to entries that looked like the following:

199.170.71.133 - - [11/Jun/2013:16:58:36 +0000] "GET / HTTP/1.1" 200 2616 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

199.170.71.133 - - [11/Jun/2013:16:58:36 +0000] "GET /phpmyadmin.css.phpserver=1&lang=en&collation_connection=utf8_general_ci&token=451ca1a827cda1c8e80d0c0876e29ecc&js_frame=right&nocache=3988383895 HTTP/1.1" 200 41724 "http://193.107.86.49/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

However, these entries are wrong. First, they are for the phpmyadmin pages and not the Silk Road login pages, so they are clearly not the pages described in the Tarbell declaration. Second, they return “200 ok” as the status code instead of the “401 unauthorized” login error one would expect from the configuration. This means either the FBI knew the password, or the configuration had changed in the meantime, or something else is wrong with the evidence provided by the prosecutors.
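The consistency check described above (which source addresses the configuration allows, whether a request hit the phpMyAdmin site or the market login page, and whether the status code matches what the access rules should have produced) can be run mechanically over an access log. The script below is an added example, not code from the original post or from the defense filings. It assumes the allow list consists of localhost and the front-end address 62.75.246.20 as quoted in the log and in Weaver's statement, treats “/” as the PHP login page per the rewrite rule described above, and assumes the phpMyAdmin site sits behind basic authentication, so an unauthenticated request should get a 401. The three sample lines are the ones quoted in the post, with the broken characters repaired.

```python
import re

# Access-log lines as quoted in the post (character encoding repaired).
SAMPLE_LOG = [
    '62.75.246.20 - - [14/Jul/2013:06:55:33 +0000] "GET /orders/cart HTTP/1.0" 200 49072 '
    '"http://silkroadvb5piz3r.onion/silkroad/item/0f81d52be7" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0"',
    '199.170.71.133 - - [11/Jun/2013:16:58:36 +0000] "GET / HTTP/1.1" 200 2616 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"',
    '199.170.71.133 - - [11/Jun/2013:16:58:36 +0000] "GET /phpmyadmin.css.phpserver=1&lang=en'
    '&collation_connection=utf8_general_ci&token=451ca1a827cda1c8e80d0c0876e29ecc'
    '&js_frame=right&nocache=3988383895 HTTP/1.1" 200 41724 "http://193.107.86.49/" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"',
]

# Assumption: the "allow" rules in the HTTPS site cover localhost and the front-end server.
ALLOWED_SOURCES = {"127.0.0.1", "62.75.246.20"}

# Combined log format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_php_path(path):
    """'/' is rewritten to /index.php by the site rules, so it counts as a PHP request."""
    return path == "/" or path.endswith(".php")


def audit_entry(entry):
    """Return the list of inconsistencies between this entry and the described configuration."""
    findings = []
    path = entry["path"].split("?", 1)[0]
    outsider = entry["ip"] not in ALLOWED_SOURCES
    if outsider:
        findings.append("source outside allow list")
    if path.startswith("/phpmyadmin"):
        findings.append("phpMyAdmin page, not the market login page")
        if entry["status"] == 200:
            # Basic auth on the port-80 site should have challenged first.
            findings.append("200 where basic auth should have produced 401")
    elif outsider and entry["status"] == 200:
        if is_php_path(path):
            findings.append("200 on a PHP path: consistent with the PHP location overriding deny all")
        else:
            findings.append("200 on a non-PHP path from an outsider: inconsistent with deny all")
    return findings


def audit(lines):
    """Audit every parseable line; unparseable lines are reported as such."""
    report = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            report.append({"line": line, "findings": ["unparseable log line"]})
            continue
        report.append({"ip": entry["ip"], "path": entry["path"],
                       "status": entry["status"], "findings": audit_entry(entry)})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row.get("ip"), row.get("status"), row.get("path", "")[:40], row["findings"])
```

Run against the three quoted lines, the front-end request passes clean, the bare “/” request from 199.170.71.133 is flagged as an outside source whose 200 is only explainable by the PHP override, and the phpMyAdmin request is flagged for returning 200 where a basic-auth challenge was due. Pointing the script at a full log would list every outside address that ever received a 200 from the back end, which is the question the defense was asking.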

Conclusion

As an expert in such topics as sniffing passwords and masscaning the Internet, I know that tracking down the Silk Road site is well within the NSA’s capabilities. Looking at the configuration files, I can attest to the fact that the Dread Pirate Roberts sucked at op-sec.

As an expert, I know the Tarbell declaration is gibberish. As an expert reading the configuration and logs, I know that it doesn’t match the Tarbell declaration. That’s not to say that the Tarbell declaration has been disproven, it’s just that “parallel construction” is a better explanation for what’s going on than Tarbell actually having found the Silk Road server on his own.

Krebs on Security: Silk Road Lawyers Poke Holes in FBI’s Story

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

New court documents released this week by the U.S. government in its case against the alleged ringleader of the Silk Road online black market and drug bazaar suggest that the feds may have some ‘splaining to do.

The login prompt and CAPTCHA from the Silk Road home page.

Prior to its disconnection last year, the Silk Road was reachable only via Tor, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Tor also lets anyone run a Web server without revealing the server’s true Internet address to the site’s users, and this was the very technology that the Silk road used to obscure its location.

Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.

But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events. And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI’s story.

For starters, the defense asked the government for the name of the software that FBI agents used to record evidence of the CAPTCHA traffic that allegedly leaked from the Silk Road servers. The government essentially responded (PDF) that it could not comply with that request because the FBI maintained no records of its own access, meaning that the only record of their activity is in the logs of the seized Silk Road servers.

The response that holds perhaps the most potential to damage the government’s claim comes in the form of a configuration file (PDF) taken from the seized servers. Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley, explains the potential significance:

“The IP address listed in that file — 62.75.246.20 — was the front-end server for the Silk Road,” Weaver said. “Apparently, Ulbricht had this split architecture, where the initial communication through Tor went to the front-end server, which in turn just did a normal fetch to the back-end server. It’s not clear why he set it up this way, but the document the government released in 70-6.pdf shows the rules for serving the Silk Road Web pages, and those rules are that all content – including the login CAPTCHA – gets served to the front end server but to nobody else. This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server.”

Translation: Those rules mean that the Silk Road server would deny any request from the Internet that wasn’t coming from the front-end server, and that includes the CAPTCHA.

“This configuration file was last modified on June 6, so on June 11 — when the FBI said they [saw this leaky CAPTCHA] activity — the FBI could not have seen the CAPTCHA by connecting to the server while not using Tor,” Weaver said. “You simply would not have been able to get the CAPTCHA that way, because the server would refuse all requests.”

The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.

“The server logs which the FBI provides as evidence show that, no, what happened is the FBI didn’t see a leakage coming from that IP,” he said. “What happened is they contacted that IP directly and got a PHPMyAdmin configuration page.” See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.

But this is hardly a satisfying answer to how the FBI investigators located the Silk Road servers. After all, if the FBI investigators contacted the PHPMyAdmin page directly, how did they know to do that in the first place?

“That’s still the $64,000 question,” Weaver said. “So both the CAPTCHA couldn’t leak in that configuration, and the IP the government visited wasn’t providing the CAPTCHA, but instead a PHPMyAdmin interface. Thus, the leaky CAPTCHA story is full of holes.”

Many in the Internet community have officially called baloney [that's a technical term] on the government’s claims, and these latest apparently contradictory revelations from the government are likely to fuel speculation that the government is trying to explain away some not-so-by-the-book investigative methods.

“I find it surprising that when given the chance to provide a cogent, on-the-record explanation for how they discovered the server, they instead produced a statement that has been shown inconsistent with reality, and that they knew would be inconsistent with reality,” Weaver said. “Let me tell you, those tin foil hats are looking more and more fashionable each day.”

Krebs on Security: $1.66M in Limbo After FBI Seizes Funds from Cyberheist

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A Texas bank that’s suing a customer to recover $1.66 million spirited out of the country in a 2012 cyberheist says it now believes the missing funds are still here in the United States — in a bank account that’s been frozen by the federal government as part of an FBI cybercrime investigation.

In late June 2012, unknown hackers broke into the computer systems of Luna & Luna, LLP, a real estate escrow firm based in Garland, Texas. Unbeknownst to Luna, hackers had stolen the username and password that the company used to manage its account at Texas Brand Bank (TBB), a financial institution also based in Garland.

Between June 21, 2012 and July 2, 2012, fraudsters stole approximately $1.75 million in three separate wire transfers. Two of those transfers went to an account at the Industrial and Commercial Bank of China. That account was tied to the Jixi City Tianfeng Trade Limited Company in China. The third wire, in the amount of $89,651, was sent to a company in the United States, and was recovered by the bank.

Jixi is in the Heilongjiang province of China on the border with Russia, a region apparently replete with companies willing to accept huge international wire transfers without asking too many questions. A year before this cyberheist took place, the FBI issued a warning that cyberthieves operating out of the region had been the recipients of approximately $20 million in the year prior — all funds stolen from small to mid-sized businesses through a series of fraudulent wire transfers sent to Chinese economic and trade companies (PDF) on the border with Russia.

Luna became aware of the fraudulent transfers on July 2, 2012, when the bank notified the company that it was about to overdraw its accounts. The theft put Luna & Luna in a tough spot: The money the thieves stole was being held in escrow for the U.S. Department of Housing and Urban Development (HUD). In essence, the crooks had robbed Uncle Sam, and this was exactly the argument that Luna used to talk its bank into replacing the missing funds as quickly as possible.

“Luna argued that unless TBB restored the funds, Luna and HUD would be severely damaged with consequences to TBB far greater than the sum of the swindled funds,” TBB wrote in its original complaint (PDF). TBB notes that it agreed to reimburse the stolen funds, but that it also reserved its right to legal claims against Luna to recover the money.

When TBB later demanded repayment, Luna refused. The bank filed suit on July 1, 2013, in state court, suing to recover the approximately $1.66 million that it could not claw back, plus interest and attorneys’ fees.

For the ensuing year, TBB and Luna wrangled in the courts over the venue of the trial. Luna also counterclaimed that the bank’s security was deficient because it only relied on a username and password, and that TBB should have flagged the wires to China as highly unusual.

TBB notes that per a written agreement with the bank, Luna had instructed the bank to process more than a thousand wire transfers from its accounts to third-party accounts. Further, the bank pointed out that Luna had been offered but refused “dual controls,” a security measure that requires two employees to sign off on all wire transfers before the money is allowed to be sent.

In August, Luna alerted (PDF) the U.S. District Court for the Northern District of Texas that in direct conversations with the FBI, an agent involved in the investigation disclosed that the $1.66 million in stolen funds were actually sitting in an account at JPMorgan Chase, which was the receiving bank for the fraudulent wires. Both Luna and TBB have asked the government to consider relinquishing the funds to help settle the lawsuit.

The FBI did not return calls seeking comment. The Office of the U.S. attorney for the Northern District of Texas, which is in the process of investigating potential criminal claims related to the fraudulent transfers, declined to comment except to say that the case is ongoing and that no criminal charges have been filed to date.

As usual, this cyberheist resulted from missteps by both the bank and the customer. Dual controls are a helpful — but not always sufficient — security control that Luna should have adopted, particularly given how often these cyberheists are perpetrated against title and escrow firms. But it is galling that it is easier to find more robust, customer-facing security controls at your average email or other cloud service provider than it is at one of thousands of financial institutions in the United States.

If you run a small business and are managing your accounts online, you’d be wise to expect a similar attack on your own accounts and prepare accordingly. That means taking your business to a bank that offers more than just usernames, passwords and tokens for security. Shop around for a bank that lets you secure your transfers with some sort of additional authentication step required from a mobile device. These security methods can be defeated of course, but they present an extra hurdle for the bad guys, who probably are more likely to go after the lower-hanging fruit at thousands of other financial institutions that don’t offer more modern security approaches.

But if you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses.
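A small policy check that models the two controls discussed above, dual control and flagging wires that look nothing like the account's history, as an added example rather than code from the bank or the post. The `Wire` and `WirePolicy` types, the `evaluate_wire` function, and every amount and beneficiary identifier below are constructed for illustration, not the real Luna & Luna wires.

```python
"""Dual-control and anomaly checks for outgoing wires.

Added example, not code from the bank or the original post.  Models the
two controls the post discusses: "dual controls" (two distinct employees
must approve a wire) and holding wires that differ sharply from the
account's history, such as a first-ever international wire to an unknown
beneficiary.  All sample data is constructed.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Wire:
    amount: float
    beneficiary: str        # identifier of the receiving account
    country: str            # ISO country code of the receiving bank
    approvers: tuple = ()   # employee ids that signed off on this wire


@dataclass
class WirePolicy:
    require_dual_control: bool = True
    # hold a wire whose amount exceeds this multiple of the account's median wire
    amount_multiple: float = 5.0
    home_country: str = "US"


def evaluate_wire(wire, history, policy):
    """Return the reasons to reject or hold `wire`, given the account's
    completed wires.  An empty list means the wire may be released."""
    reasons = []
    # Dual control: a single stolen login must not be enough to move money.
    if policy.require_dual_control and len(set(wire.approvers)) < 2:
        reasons.append("REJECT: dual control requires two distinct approvers")
    # A beneficiary the account has never paid, abroad, is the classic
    # cyberheist pattern and deserves an out-of-band confirmation.
    known = {w.beneficiary for w in history}
    if wire.beneficiary not in known and wire.country != policy.home_country:
        reasons.append("HOLD: first wire to a new international beneficiary")
    # Amount anomaly relative to what this account normally sends.
    if history:
        typical = median(w.amount for w in history)
        if wire.amount > policy.amount_multiple * typical:
            reasons.append(
                f"HOLD: amount exceeds {policy.amount_multiple:g}x the "
                f"account's median wire of {typical:,.0f}")
    return reasons


# Constructed history of routine domestic escrow payouts (not real figures).
HISTORY = [
    Wire(12000.0, "ESCROW-BUYER-12", "US", ("luna_ops", "luna_cfo")),
    Wire(18500.0, "TITLE-CO-4", "US", ("luna_ops", "luna_cfo")),
    Wire(9750.0, "ESCROW-BUYER-12", "US", ("luna_ops", "luna_cfo")),
    Wire(22000.0, "COUNTY-RECORDER", "US", ("luna_ops", "luna_cfo")),
    Wire(15300.0, "TITLE-CO-4", "US", ("luna_ops", "luna_cfo")),
]

# Constructed wires modelled on the heist: one stolen login, first-ever
# wires to a foreign trade company, amounts far above anything in HISTORY.
FRAUDULENT = [
    Wire(800000.0, "ICBC-TIANFENG-001", "CN", ("luna_ops",)),
    Wire(860000.0, "ICBC-TIANFENG-001", "CN", ("luna_ops",)),
    Wire(89651.0, "US-VENDOR-77", "US", ("luna_ops",)),
]

# The weak setting (dual control declined, as Luna did) beside the strong one.
WEAK_POLICY = WirePolicy(require_dual_control=False)
STRONG_POLICY = WirePolicy()

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(f"== {name} policy ==")
        for w in FRAUDULENT:
            print(f"{w.amount:>12,.2f} -> {w.beneficiary}: "
                  f"{evaluate_wire(w, HISTORY, policy) or ['release']}")
```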

TorrentFreak: Giganews Resorts to DMCA to Quieten FBI Allegations

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

On the morning of September 11, 2014, TorrentFreak was greeted with one of the most unusual emails we’ve ever received.

Sent from an alleged former employee of Giganews who identified himself as Nick Caputo, the email contained serious allegations about his former employer. Caputo told us that he’d begun working at the company in 2009 and as a “huge pirate” he loved to help people download “all the rich multimedia content they could.” But that was just the beginning.

The email outlined Caputo’s rise through the company through two quick promotions in two-and-a-half years. However, it quickly descended into allegations that far from being a straight-down-the-line newsgroup provider, Giganews is in fact an FBI-run operation. Caputo says he discovered this after getting into a dispute with the company about removing child abuse material and elevating his complaint to the FBI.

TorrentFreak decided not to run with the story, despite clear indications that Caputo is who he claimed he was. The story, which had plenty of detail, just didn’t hold up on its own. There was plenty of ‘evidence’ provided but the problem was that none of it added up to a level of proof that we’d be prepared to stand behind.

But four days later and after being contacted by Caputo, Cryptome published the email and documents originally sent to TorrentFreak and possibly others.

The story quickly spread around dozens of sites including Reddit and HackerNews forcing Giganews to respond, acknowledging that Caputo was indeed a former employee but denying the allegations.

“This is a hoax. These allegations are 100% false,” the company wrote.

“Unfortunately, since his termination, the poster has periodically posted versions of this information online. Sometimes, he tries to misrepresent himself as our CEO and sometimes he posts as himself.”

With Giganews criticizing Cryptome for publishing the allegations, Caputo it seemed was not giving up. The archive of evidence originally offered to TF found itself uploaded to Internet Archive from where Caputo hoped it would be spread far and wide.

However, according to a new email published by Cryptome, that has now been brought to a halt by the issuing of a DMCA notice.

Subject: archive.org item subject to copyright claim
From: “Internet Archive”
Date: Sep 18, 2014 9:41:11 PM

Hello,

Access to the item at https://archive.org/details/giganews-fbi has been disabled following receipt by Internet Archive of a copyright claim submitted on behalf of Data Foundry, Inc (datafoundry.com). The claim was submitted with information and statements requested by Internet Archive’s Copyright Policy (posted at https://archive.org/about/terms.php near the bottom of the page). If you have questions regarding the claim, please let us know.

Sincerely,

The Internet Archive Team

While Giganews clearly thinks the contents of the archive are defamatory, one has to dig into the details to see where the company has a copyright claim over the file.

That can be found in a dump of employee contact details which documents show were obtained from Data Foundry’s intranet. Each employee card has a photograph attached and those are likely to have been taken by a company employee in company time.

Also included in the dump is a Giganews appraisal of Caputo’s performance during 2010. It was authored by a manager and the rights to the form will most likely sit with the company. While Giganews would probably write something different today, four years ago the company felt that Caputo was “the go-to guy” for getting stuff done on nights, ranking his overall performance as “exceeding” the standard required.

“Giganews is in the impossible position of proving a negative,” the company said in a statement.

“If we say our list of employees does not include any FBI employees, then they must be ‘using false identities.’ If we say the named FBI operatives don’t look like any of our employee photos, ‘the pictures must have been altered.’ Even the denial itself is used as further evidence of the truth of the accusation. In a court of law, such an accusation would never stand up to scrutiny, but on the Open Internet, opinions can be formed by only a few words on a popular website.”

Whether the allegations will now calm down and go away is anyone’s guess, but a DMCA notice to one of the many sources of the file is unlikely to make it disappear forever.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: Fake Cell Phone Towers Across the US

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation’s Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone towers in politically interesting places around Washington DC. In both cases, researchers used security software that’s part of CryptoPhone from the German company GSMK. And in both cases, we don’t know who is running these fake cell phone towers. Is it the US government? A foreign government? Multiple foreign governments? Criminals?

This is the problem with building an infrastructure of surveillance: you can’t regulate who gets to use it. The FBI has been protecting Stingray like it’s an enormous secret, but it’s not a secret anymore. We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them.

We have one infrastructure. We can’t choose a world where the US gets to spy and the Chinese don’t. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I’m tired of us choosing surveillance over security.

Krebs on Security: Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach.

The “Fraud Related” section of the Evolution Market.

Purloined medical records are among the many illicit goods for sale on the Evolution Market, a black market bazaar that traffics mostly in narcotics and fraud-related goods — including plenty of stolen financial data. Evolution cannot be reached from the regular Internet. Rather, visitors can only browse the site using Tor, software that helps users disguise their identity by bouncing their traffic between different servers, and by encrypting that traffic at every hop along the way.

Last week, a reader alerted this author to a merchant on Evolution Market nicknamed “ImperialRussia” who was advertising medical records for sale. ImperialRussia was hawking his goods as “fullz” — street slang for a package of all the personal and financial records that thieves would need to fraudulently open up new lines of credit in a person’s name.

Each document for sale by this seller includes the would-be identity theft victim’s name, their medical history, address, phone and driver license number, Social Security number, date of birth, bank name, routing number and checking/savings account number. Customers can purchase the records using the digital currency Bitcoin.

A set of five fullz retails for $40 ($8 per record). Buy 20 fullz and the price drops to $7 per record. Purchase 50 or more fullz, and the per record cost falls to just $6.40 — roughly the price of a value meal at a fast food restaurant. Incidentally, even at $8 per record, that’s cheaper than the price most stolen credit cards fetch on the underground markets.

Imperial Russia’s ad pimping medical and financial records stolen from a Texas life insurance firm.

“Live and Exclusive database of US FULLZ from an insurance company, particularly from NorthWestern region of U.S.,” ImperialRussia’s ad on Evolution enthuses. The pitch continues:

“Most of the fullz come with EXTRA FREEBIES inside as additional policyholders. All of the information is accurate and confirmed. Clients are from an insurance company database with GOOD to EXCELLENT credit score! I, myself was able to apply for credit cards valued from $2,000 – $10,000 with my fullz. Info can be used to apply for loans, credit cards, lines of credit, bank withdrawal, assume identity, account takeover.”

Sure enough, the source who alerted me to this listing had obtained numerous fullz from this seller. All of them contained the personal and financial information on people in the Northwest United States (mostly in Washington state) who’d applied for life insurance through American Income Life, an insurance firm based in Waco, Texas.

American Income Life referred all calls to the company’s parent firm — Torchmark Corp., an insurance holding company in McKinney, Texas. This publication shared with Torchmark the records obtained from Imperial Russia. In response, Michael Majors, vice president of investor relations at Torchmark, said that the FBI and Secret Service were assisting the company in an ongoing investigation, and that Torchmark expected to begin the process of notifying affected consumers this week.

“We’re aware of the matter and we’ve been working with law enforcement on an ongoing investigation,” Majors said, after reviewing the documents shared by KrebsOnSecurity. “It looks like we’re working on the same matter that you’re inquiring about.”

Majors declined to answer additional questions, such as whether Torchmark has uncovered the source of the data breach and stopped the leakage of customer records, or when the company believes the breach began. Interestingly, ImperialRussia’s first post offering this data is dated more than three months ago, on June 15, 2014. Likewise, the insurance application documents shared with Torchmark by this publication also were dated mid-2014.

The financial information in the stolen life insurance applications includes the checking and/or savings account information of the applicant, and is collected so that American Income can pre-authorize payments and automatic monthly debits in the event the policy is approved. In a four-page discussion thread on Imperial Russian’s sales page at Evolution, buyers of this stolen data took turns discussing the quality of the information and its various uses, such as how one can use automated phone systems to verify the available balance of an applicant’s bank account.

Jessica Johnson, a Washington state resident whose records were among those sold by ImperialRussia, said in a phone interview that she received a call from a credit bureau this week after identity thieves tried to open two new lines of credit in her name.

“It’s been a nightmare,” she said. “Yesterday, I had all these phone calls from the credit bureau because someone tried to open two new credit cards in my name. And the only reason they called me was because I already had a credit card with that company and the company thought it was weird, I guess.”

ImperialRussia discusses his wares with potential and previous buyers.

More than 1.8 million people were victims of medical ID theft in 2013, according to a report from the Ponemon Institute, an independent research group. I suspect that many of these folks had their medical records stolen and used to open new lines of credit in their names, or to conduct tax refund fraud with the Internal Revenue Service (IRS).

Placing a fraud alert or freeze on your credit file is a great way to block identity thieves from hijacking your good name. For pointers on how to do that, as well as other tips on how to avoid becoming a victim of ID theft, check out this story.

Krebs on Security: LinkedIn Feature Exposes Email Addresses

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing.

LinkedIn has built much of its considerable worth on the age-old maxim that “it’s all about who you know”: As a LinkedIn user, you can directly connect with those you attest to knowing professionally or personally, but also you can ask to be introduced to someone you’d like to meet by sending a request through someone who bridges your separate social networks. Celebrities, executives or any other LinkedIn users who wish to avoid unsolicited contact requests may do so by selecting an option that forces the requesting party to supply the personal email address of the intended recipient.

LinkedIn’s entire social fabric begins to unravel if any user can directly connect to any other user, regardless of whether or how their social or professional circles overlap. Unfortunately for LinkedIn (and its users who wish to have their email addresses kept private), this is the exact risk introduced by the company’s built-in efforts to expand the social network’s user base.

According to researchers at the Seattle, Wash.-based firm Rhino Security Labs, at the crux of the issue is LinkedIn’s penchant for making sure you’re as connected as you possibly can be. When you sign up for a new account, for example, the service asks if you’d like to check your contacts lists at other online services (such as Gmail, Yahoo, Hotmail, etc.). The service does this so that you can connect with any email contacts that are already on LinkedIn, and so that LinkedIn can send invitations to your contacts who aren’t already users.

LinkedIn assumes that if an email address is in your contacts list, that you must already know this person. But what if your entire reason for signing up with LinkedIn is to discover the private email addresses of famous people? All you’d need to do is populate your email account’s contacts list with hundreds of permutations of famous peoples’ names — including combinations of last names, first names and initials — in front of @gmail.com, @yahoo.com, @hotmail.com, etc. With any luck and some imagination, you may well be on your way to an A-list LinkedIn friends list (or a fantastic set of addresses for spear-phishing, stalking, etc.).

LinkedIn lets you know which of your contacts aren’t members.

When you import your list of contacts from a third-party service or from a stand-alone file, LinkedIn will show you any profiles that match addresses in your contacts list. More significantly, LinkedIn helpfully tells you which email addresses in your contacts lists are not LinkedIn users.

It’s that last step that’s key to finding the email address of the targeted user to whom LinkedIn has just sent a connection request on your behalf. The service doesn’t explicitly tell you that person’s email address, but by comparing your email account’s contact list to the list of addresses that LinkedIn says don’t belong to any users, you can quickly figure out which address(es) on the contacts list correspond to the user(s) you’re trying to find.

Rhino Security founders Benjamin Caudill and Bryan Seely have a recent history of revealing how trust relationships between and among online services can be abused to expose or divert potentially sensitive information. Last month, the two researchers detailed how they were able to de-anonymize posts to Secret, an app-driven online service that allows people to share messages anonymously within their circle of friends, friends of friends, and publicly. In February, Seely more famously demonstrated how to use Google Maps to intercept FBI and Secret Service phone calls.

This time around, the researchers picked on Dallas Mavericks owner Mark Cuban to prove their point with LinkedIn. Using their low-tech hack, the duo was able to locate the Webmail address Cuban had used to sign up for LinkedIn. Seely said they found success in locating the email addresses of other celebrities using the same method about nine times out ten.

“We created several hundred possible addresses for Cuban in a few seconds, using a Microsoft Excel macro,” Seely said. “It’s just a brute-force guessing game, but 90 percent of people are going to use an email address that includes components of their real name.”

The Rhino guys really wanted Cuban’s help in spreading the word about what they’d found, but instead of messaging Cuban directly, Seely pursued a more subtle approach: He knew Cuban’s latest start-up was Cyber Dust, a chat messenger app designed to keep your messages private. So, Seely fired off a tweet complaining that “Facebook Messenger crosses all privacy lines,” and that as a result he was switching to Cyber Dust.

When Mark Cuban retweeted Seely’s endorsement of Cyber Dust, Seely reached out to Cyberdust CEO Ryan Ozonian, letting him know that he’d discovered Cuban’s email address on LinkedIn. In short order, Cuban was asking Rhino to test the security of Cyber Dust.

“Fortunately no major faults were found and those he found are already fixed in the coming update,” Cuban said in an email exchange with KrebsOnSecurity. “I like working with them. They look to help rather than exploit. We have learned from them and I think their experience will be valuable to other app publishers and networks as well.”

Whether LinkedIn will address the issues highlighted by Rhino Security remains to be seen. In an initial interview earlier this month, the social networking giant sounded unlikely to change anything in response.

Corey Scott, director of information security at LinkedIn, said very few of the company’s members opt in to the requirement that all new potential contacts supply the invitee’s email address before sending an invitation to connect. He added that email address-to-user mapping is a fairly common design pattern, that it is not particularly unique to LinkedIn, and that nothing the company does will prevent people from blasting emails to lists of addresses that might belong to a targeted user, hoping that one of them will hit home.

“Email address permutators, of which there are many of them on the ‘Net, have existed much longer than LinkedIn, and you can blast an email to all of them, knowing that most likely one of those will hit your target,” Scott said. “This is kind of one of those challenges that all social media companies face in trying to prevent the abuse of [site] functionality. We have rate limiting, scoring and abuse detection mechanisms to prevent frequent abusers of this service, and to make sure that people can’t validate spam lists.”

In an email sent to this reporter last week, however, LinkedIn said it was planning at least two changes to the way its service handles user email addresses.

“We are in the process of implementing two short-term changes and one longer term change to give our members more control over this feature,” Linkedin spokeswoman Nicole Leverich wrote in an emailed statement. “In the next few weeks, we are introducing new logic models designed to prevent hackers from abusing this feature. In addition, we are making it possible for members to ask us to opt out of being discoverable through this feature. In the longer term, we are looking into creating an opt-out box that members can choose to select to not be discoverable using this feature.”

Krebs on Security: Dread Pirate Sunk By Leaky CAPTCHA

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Ever since October 2013, when the FBI took down the online black market and drug bazaar known as the Silk Road, privacy activists and security experts have traded conspiracy theories about how the U.S. government managed to discover the geographic location of the Silk Road Web servers. Those systems were supposed to be obscured behind the anonymity service Tor, but as court documents released Friday explain, that wasn’t entirely true: Turns out, the login page for the Silk Road employed an anti-abuse CAPTCHA service that pulled content from the open Internet, thus leaking the site’s true location.

Tor helps users disguise their identity by bouncing their traffic between different Tor servers, and by encrypting that traffic at every hop along the way. The Silk Road, like many sites that host illicit activity, relied on a feature of Tor known as “hidden services.” This feature allows anyone to offer a Web server without revealing the true Internet address to the site’s users.

That is, if you do it correctly, which involves making sure you aren’t mixing content from the regular open Internet into the fabric of a site protected by Tor. But according to federal investigators, Ross W. Ulbricht — a.k.a. the “Dread Pirate Roberts” and the 30-year-old arrested last year and charged with running the Silk Road — made this exact mistake.

As explained in the Tor how-to, in order for the Internet address of a computer to be fully hidden on Tor, the applications running on the computer must be properly configured for that purpose. Otherwise, the computer’s true Internet address may “leak” through the traffic sent from the computer.


And this is how the feds say they located the Silk Road servers:

“The IP address leak we discovered came from the Silk Road user login interface. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined.”

“The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”
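An added example, not from the post or the court filing, of the audit an onion-service operator can run against their own pages to catch exactly the mistake described above: it parses the served HTML and flags every resource a visitor's browser would fetch from a clearnet host or a literal IP address instead of the .onion origin. The sample login page, the placeholder .onion name and the `find_clearnet_refs` function are constructed here for illustration.

```python
"""Audit a page served by a Tor hidden service for references that leave
the .onion namespace.

Added example, not code from the original post.  The Silk Road login page
pulled its CAPTCHA from the open Internet, so a visitor fetching that one
resource talked to the real server rather than a Tor node.  This checker
parses HTML and reports every attribute that points at a non-.onion host
(or a bare IP address), which is what to look for when you operate an
onion service.
"""
from html.parser import HTMLParser
import ipaddress
from urllib.parse import urlsplit

# Attributes that make a browser fetch from, or submit to, another origin.
URL_ATTRS = {"src", "href", "action", "data", "poster", "srcset"}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            if name == "srcset":
                # srcset holds "url descriptor, url descriptor" candidates
                for cand in value.split(","):
                    parts = cand.strip().split()
                    if parts:
                        self.refs.append((tag, name, parts[0]))
            else:
                self.refs.append((tag, name, value.strip()))


def _host_of(url):
    """Host a browser would contact for `url`, or None if the reference
    stays on the current origin (relative URL, data:, javascript:, ...)."""
    parts = urlsplit(url)
    if parts.scheme in ("", "data", "javascript", "mailto"):
        # "" with a netloc is a protocol-relative URL such as //cdn.example
        return parts.hostname if parts.netloc else None
    return parts.hostname


def find_clearnet_refs(html, own_onion=None):
    """Return [(tag, attr, url, reason)] for each reference that would make
    a visitor contact something outside Tor's .onion namespace.  If
    `own_onion` is given, links to other onion services are reported too."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attr, url in collector.refs:
        host = _host_of(url)
        if host is None:
            continue
        host = host.lower()
        try:
            ipaddress.ip_address(host)
            findings.append((tag, attr, url, "literal IP address"))
            continue
        except ValueError:
            pass  # not an IP literal, check the domain instead
        if not host.endswith(".onion"):
            findings.append((tag, attr, url, "non-.onion host"))
        elif own_onion and host != own_onion.lower():
            findings.append((tag, attr, url, "different onion service"))
    return findings


# Placeholder onion name for the service being audited (constructed).
OWN_ONION = "xxxxxxxxxxxxxxxx.onion"

# Constructed sample modelled on the mistake in the post: a login form on an
# onion site whose CAPTCHA image and helper script come from the clearnet.
# 203.0.113.7 is a documentation address, not a real server.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
  <img src="http://203.0.113.7/captcha.php?id=42" alt="captcha">
  <script src="//cdn.example.net/captcha.js"></script>
  <link rel="stylesheet" href="/static/site.css">
  <a href="http://xxxxxxxxxxxxxxxx.onion/help">help</a>
</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, why in find_clearnet_refs(SAMPLE_LOGIN_PAGE, OWN_ONION):
        print(f"<{tag} {attr}={url!r}>: {why}")
```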

For many Tor fans and advocates, The Dread Pirate Roberts’ goof will no doubt be labeled a noob mistake — and perhaps it was. But as I’ve said time and again, staying anonymous online is hard work, even for those of us who are relatively experienced at it. It’s so difficult, in fact, that even hardened cybercrooks eventually slip up in important and often fateful ways (that is, if someone or something was around at the time to keep a record of it).

A copy of the government’s declaration on how it located the Silk Road servers is here (PDF). A hat tip to Nicholas Weaver for the heads up about this filing.

A snapshot of offerings on the Silk Road.

TorrentFreak: In The Fappening’s Wake, 4chan Intros DMCA Policy

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Every now and again a phenomenon takes the Internet by storm. They’re situations that the term ‘going viral’ was made for. A couple of weeks ago it was ice buckets, and since the weekend it’s been leaked celebrity pictures.

The event, which needs little introduction, saw the iCloud accounts of many prominent female celebrities accessed illegally and their personal (in many cases intimately so) photographs leaked online. The FBI are investigating and for the leakers this probably isn’t going to end well.

But for the users of 4chan this leak, which was rumored to have begun on the board itself, was the gift that just kept on giving. Excited users quickly came up with a portmanteau based on ‘happening’ plus ‘fapping’ and The Fappening was born, a prelude to taking the Internet by storm.

While the event itself appears to be dying down, the leak and the worldwide attention it bestowed on 4chan may have prompted a surprise decision by the site’s operator. Whether the leak was directly responsible will become clear in due course (we’ve reached out to the site for a response), but sometime yesterday 4chan introduced a DMCA policy.


The policy registers a DMCA agent for 4chan, which helps to afford the site safe harbor protection under the Digital Millennium Copyright Act. Although not yet listed in the numerical section of Copyright.gov, the designated agent will now become the point of contact for copyright complaints and DMCA notices when content owners believe that their ownership rights have been violated on 4chan.

While most US-based user-generated content websites should not entertain operating without safe harbor, the way 4chan is set up provides a unique scenario in respect of infringing content being posted by its users.

“Threads expire and are pruned by 4chan’s software at a relatively high rate. Since most boards are limited to eleven or sixteen pages, content is usually available for only a few hours or days before it is removed,” the site’s FAQ explains.

4chan’s Chris Poole (‘moot’) previously told the Washington Post his deletion policy was both a necessary evil and a plus to the site.

“It’s one of the few sites that has no memory. It’s forgotten the next day,” he said.

Despite the board’s userbase being notoriously rebellious, the deletion policy appears to work well. To date Google’s Transparency Report lists takedowns for just 706 URLs.

“I don’t have resources like YouTube to deal with $1 billion lawsuit with Viacom,” Poole said in 2012. “Don’t store what you absolutely don’t need. People are pre-disposed to wanting to store everything.”

Of course, it’s not only companies such as Viacom on the warpath. Yesterday a spokesman for Jennifer Lawrence said that the authorities had been contacted and anyone found posting ‘stolen’ photos of the actress online would be prosecuted.

While the scope of that action isn’t entirely clear, many of the leaked photos were ‘selfies’ to which Lawrence has first shout on copyright. They’re still being posted on hundreds if not thousands of Internet sites even today, so having a DMCA policy in place will help those sites avoid liability, even if in 4chan’s case the images are only present for a few hours.

In the meantime, sites such as The Pirate Bay, which care substantially less about copyright law than 4chan does today, are continuing to spread the full currently-available ‘Fappening’ archives at a rapid rate. Statistics collected by TorrentFreak suggest that the packs have been downloaded well over a million times.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Can We Publicly Confess to Online Piracy Crimes?

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Last week’s leak of The Expendables 3 was a pretty big event in the piracy calendar and, as TF explained to inquiring reporters, that is only achieved by getting the right mix of ingredients.

First and foremost, the movie was completely unreleased, meaning that, private screenings aside, it had never hit a theater anywhere in the world. Getting a copy of a movie at this stage is very rare indeed. Secondly, the quality of the leaked DVD was very good.

Third, and we touched on this earlier, are the risks involved in becoming part of the online distribution mechanism for something like this. Distributing potentially unfinished copies of yet-to-be-released films is a very serious matter, with custodial sentences available to the authorities.

And yet this week, David Pierce, Assistant Managing Editor at The Verge, wrote an article in which he admitted torrenting The Expendables 3 via The Pirate Bay.

Pirate confessions – uncut

“The Expendables 3 comes out August 15th in thousands of theaters across America. I watched it Friday afternoon on my MacBook Air on a packed train from New York City to middle-of-nowhere Connecticut. I watched it again on the ride back. And I’m already counting down the days until I can see it in IMAX,” he wrote.

Pierce’s article, which is a decent read, argues that the movie really needs to be seen on the big screen. It’s a journey into why piracy can act as promotion and how the small-screen experience rarely compensates for seeing this kind of movie in the “big show” setting.

Pierce is a great salesman and makes a good case, but that doesn’t alter the fact that he just admitted to committing what the authorities see as a pretty serious crime.

The Family Entertainment and Copyright Act of 2005 refers to it as “the distribution of a work being prepared for commercial distribution, by making it available on a computer network accessible to members of the public, if such person knew or should have known that the work was intended for commercial distribution.”

The term “making it available” refers to uploading and although one would like to think that punishments would be reserved only for initial leakers (if anyone), the legislation fails to specify. It seems that merely downloading and sharing the movie using BitTorrent could be enough to render a user criminally liable, as this CNET article from 2005 explains.

So with the risks as they are, why would Pierce put his neck on the line?

Obviously, he wanted to draw attention to the “big screen” points mentioned above, and extra readers are always welcome. It’s also possible he just wasn’t aware of the significance of the offense. Sadly, our email to Pierce earlier in the week went unanswered, so we can’t say for sure.

But here’s the thing.

There can be few people in the public eye, journalists included, who would admit to stealing clothes from a Paris fashion show in order to promote Versace’s consumer lines when they come out next season.

And if we wrote a piece about how we liberated a Honda Type R prototype from the Geneva Motor Show in order to boost sales ahead of its consumer release next year, we’d be decried as Grand Theft Auto’ists in need of discipline.

What this seems to show is that in spite of a decade-and-a-half’s worth of “piracy is theft” propaganda, educated and eloquent people such as David Pierce still believe that it is not, to the point where pretty serious IP crimes can be confessed to in public.

At the very least, the general perception is that torrenting The Expendables 3 is morally detached from picking up someone’s real-life property and heading for the hills. And none of us would admit to the latter, would we?

Hollywood and the record labels will be furious that this mentality persists after years of promoting the term “intellectual property”. And while Lionsgate appear to have picked their initial targets (and the FBI will go after the initial leakers), the reality is that despite the potential for years in jail, it’s extremely unlikely the feds will be turning up at the offices of The Verge to collar Pierce. Nor will they knock on the doors of an estimated two million other Expendables pirates.

And everyone knows it.

As a result, what we have here is a crazy confession, or rather a brave article, from Pierce which underlines that good movies are meant to be seen properly and that people who pirate do go on to become customers if the product is right. And, furthermore, those customers promote that content to their peers, such as the guy on the train who looked over Pierce’s shoulder while he was viewing his pirate booty.

“He won’t be the last person I tell to go see The Expendables 3 when it hits theaters in August,” Pierce wrote. “And I’ll be there with them, opening night. I know the setlist now, I know all the songs by heart, but I still want to see the show.”

Pierce’s initial piracy was illegal, no doubt, but when all is said and done (especially considering his intent to promote and invest in the movie) it hardly feels worthy of a stay in the slammer. I venture that the majority would agree – and so the cycle continues.

TorrentFreak: Feds Receive Requests to Shut Down The Pirate Bay

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

There is no doubt that copyright holders repeatedly press the authorities to take action against The Pirate Bay.

So, when a Pirate Bay-related Freedom of Information request was sent to Homeland Security’s National Intellectual Property Rights Coordination Center, we expected to see letters from the major music labels and Hollywood studios. Interestingly, that was not the case.

In late June, Polity News asked Homeland Security to reveal all information the center holds on the notorious torrent site. Earlier this week the responses were received, mostly consisting of requests from individuals to shut down The Pirate Bay.

In total the center received 15 emails, and all appear to have been forwarded by the FBI, where they were apparently first sent. Some of the emails only list a few pirate site domains but others are more specific in calling for strong action against The Pirate Bay.

“Why don’t you seize all THE PIRATE BAY domains? Starting with thepiratebay.se. You have no idea how much good that would do to writers, artists, musicians, designers, inventors, software developers, movie people and our global economy in general,” one email reads.

The emails are all redacted but the content of the requests sometimes reveals who the sender might be. The example below comes from the author of “The Crystal Warrior,” which is probably the New Zealand author Maree Anderson.

“The Pirate Bay states that it can’t be held responsible for copyright infringement as it is a torrent site and doesn’t store the files on its servers. However the epub file of my published novel The Crystal Warrior has been illegally uploaded there,” the email reads.

The author adds that she takes a strong stand against piracy, but that her takedown notices are ignored by The Pirate Bay. She hopes that the authorities can take more effective action.

“Perhaps you would have more luck in putting pressure on them than one individual like myself. And if you are unable to take further action, I hope this notification will put The Pirate Bay in your sights so you can keep an eye on them,” the author adds.


Most of the other requests include similar calls to action and appear to come from individual copyright holders. However, there is also a slightly more unusual request.

The email in question comes from the mother of a 14-year-old boy whose father is said to frequently pirate movies and music. The mother says she already visited an FBI office to report the man and is now seeking further advice. Apparently she previously reached out to the MPAA, but they weren’t particularly helpful.

“MPAA only wanted to know where he was downloading and could not help. I ask you what can I do, as a parent, to prevent a 14-year-old from witnessing such a law breaking citizen in his own home?” the mother writes.

“It is not setting a good example for him and I don’t think that it is right to subject him to this cyber crime. Devices on websites used: www.piratebay.com for downloads and www.LittleSnitch.com so he won’t be detected. This is not right. Any help would be appreciated,” she adds.

All of the revealed requests were sent between 2012 and 2014. Thus far, however, neither the Department of Homeland Security nor the FBI has taken any action against The Pirate Bay.

Whether the pirating dad is still on the loose remains unknown for now, but chances are he’s still sharing music and movies despite the FBI referral.

Errata Security: Cliché: open-source is secure

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Some in cybersec keep claiming that open-source is inherently more secure or trustworthy than closed-source. This is demonstrably false.

Firstly, there is the problem of usability. Unusable crypto isn’t a valid option for most users. Most would rather not communicate at all, or risk going to jail, than deal with the typical dependency hell of trying to get open-source software to compile. Moreover, open-source apps are notoriously user-hostile, which is why the Linux desktop still hasn’t made headway against Windows or Macintosh. The reason is that developers blame users for being too stupid to appreciate how easy their apps are, whereas Microsoft and Apple spend billions of dollars on usability studies, actually listening to users. Desktops like Ubuntu are pretty good — but only when they exactly copy Windows/Macintosh. Ubuntu still doesn’t invest in the usability studies that Microsoft/Apple do.

The second problem is deterministic builds. If I want to install an app on my iPhone or Android, the only usable way is through their app stores. This means downloading the binary, not the source. Without deterministic builds, there is no way to verify that the downloaded binary matches the public source. The binary may, in fact, be compiled from different source containing a backdoor. This means a malicious company (or an FBI National Security Letter) can backdoor open-source binaries as easily as closed-source binaries.

The third problem is code review. People trust open-source because they can see for themselves if it has any bugs. Or, if not themselves, they have faith that others are looking at the code (“many eyes make bugs shallow”). Yet this rarely happens. We repeatedly see bugs giving backdoor access (‘vulns’) that remain undetected in open-source projects for years, such as the OpenSSL Heartbleed bug. The simple fact is that people aren’t looking at open-source. Those qualified to review code would rather be writing their own code. The opposite is true for closed-source, where companies pay people to review code. While engineers won’t review code for fame/glory, they will for money. Given two products, one open and the other closed, it’s impossible to guess which has had more “eyes” looking at the source — in many cases, it’s the closed-source one that has been better reviewed.

What’s funny about this open-source bigotry is that it leads to very bad solutions. A lot of people I know use the libpurple open-source library and the jabber.ccc.de server (run by the CCC hacking club). People have reviewed the libpurple source and have found it extremely buggy, and the chat apps don’t pin SSL certificates, meaning any SSL connection to the CCC server can easily be intercepted. In other words, the open-source alternative is known to be incredibly insecure, yet people still use it, because “everyone knows” that open-source is more secure than closed-source.

Wickr and SilentCircle are two secure messaging/phone apps that I use, for the simple fact that they work on both Android and iPhone, and both are easy to use. I’ve read their crypto algorithms, so I have some assurance that they are doing things right. SilentCircle has open-sourced part of their code, which looks horrible, so it’s probable they have some 0day lurking in there somewhere, but it’s really no worse than equivalent code. I do know that both companies have spent considerable resources on code review, so I know at least as many “eyes” have reviewed their code as have reviewed open-source. Even if they showed me their source, I’m not going to read it all — I’ve got more important things to do, like write my own source.

Thus, I see no benefit to open-source in this case. Except for Cryptocat, all the open-source messaging apps I’ve used have been buggy and hard to use. But you can easily change my mind: just demonstrate an open-source app where more eyes have reviewed the code, or a project that has deterministic builds, or a project that is easier to use, or some other measurable benefit.

Of course, I write this as if the argument were about the benefits of open-source. We all know this doesn’t matter. As the EFF teaches us, it’s not about benefits, but about which is ideologically pure; that open-source is inherently more ethical than closed-source.

Errata Security: Um, talks are frequently canceled at hacker cons

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Talks are frequently canceled at hacker conventions. It’s the norm. I had to cancel once because, on the flight into Vegas, a part fell off the plane forcing an emergency landing. Last weekend, I filled in at HopeX with a talk, replacing somebody else who had to cancel.

I point this out because of stories like this one hyping the canceled Tor talk at BlackHat. Its title says the talk was “Suddenly Canceled”. The adverb “suddenly” is clearly an attempt to hype the story, since there is no way to slowly cancel a talk.

The researchers are academics at Carnegie Mellon University (CMU). There are good reasons why CMU might have had to cancel the talk. The leading theory is that it might violate prohibitions against experiments on unwilling human subjects. There may also be violations of wiretap laws. In other words, the most plausible reasons why CMU might cancel the talk have nothing to do with trying to suppress research.

Suppressing research, because somebody powerful doesn’t want it published, is the only reason cancelations are important. It’s why the Boston MTA talk was canceled: they didn’t want it revealed how to hack transit cards. It’s why the Michael Lynn talk was (almost) canceled: Cisco didn’t want things revealed. It’s why I (almost) had a talk canceled: TippingPoint convinced the FBI to come by my offices to threaten me (I gave the talk because I don’t take threats well). These are all newsworthy things.

The reporting on the canceled Tor talk, however, is just hype, trying to imply something nefarious when there is no evidence.

TorrentFreak: Six Android Piracy Group Members Charged, Two Arrested

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Assisted by police in France and the Netherlands, in the summer of 2012 the FBI took down three unauthorized Android app stores. Appbucket, Applanet and SnappzMarket all had their domains seized, the first action of its type in the Android scene.

Over the past two years the United States Department of Justice has periodically released information on the case, and last evening came news of more charges and more arrests.

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division announced the unsealing of three federal indictments in the Northern District of Georgia charging six members of Appbucket, Applanet and SnappzMarket for their roles in the unauthorized distribution of Android apps.

SnappzMarket

Joshua Ryan Taylor, 24, of Kentwood, Michigan, and Scott Walton, 28, of Cleveland, Ohio, two alleged members of SnappzMarket, were both arrested yesterday. They are due to appear before magistrates in Michigan and Ohio respectively.

An indictment returned on June 17 charges Gary Edwin Sharp II, 26, of Uxbridge, Massachusetts, along with Taylor and Walton, with one count of conspiracy to commit criminal copyright infringement. Sharp is also charged with two counts of criminal copyright infringement.

It’s alleged that the three men were members of SnappzMarket between May 2011 and August 2012, along with Kody Jon Peterson, 22, of Clermont, Florida. In April, Peterson pleaded guilty to one count of conspiracy to commit criminal copyright infringement. As part of his guilty plea he agreed to work undercover for the government.

Appbucket

Another indictment returned June 17 in Georgia charges James Blocker, 36, of Rowlett, Texas, with one count of conspiracy to commit criminal copyright infringement.

A former member of Appbucket, Blocker is alleged to have conspired with Thomas Allen Dye, 21, of Jacksonville, Florida; Nicholas Anthony Narbone, 26, of Orlando, Florida; and Thomas Pace, 38, of Oregon City, Oregon, to distribute Android apps with a value of $700,000.

During March and April 2014, Dye, Narbone and Pace all pleaded guilty to conspiracy to commit criminal copyright infringement.

Applanet

A further indictment returned June 17 in Georgia charges Aaron Blake Buckley, 20, of Moss Point, Mississippi; David Lee, 29, of Chino Hills, California; and Gary Edwin Sharp II (also of Appbucket) with one count of conspiracy to commit criminal copyright infringement.

Lee is additionally charged with one count of aiding and abetting criminal copyright infringement and Buckley with one count of criminal copyright infringement.

All three identified themselves as former members of Applanet. The USDOJ claims that along with other members they are responsible for the illegal distribution of four million Android apps with a value of $17m. Buckley previously launched a fund-raiser in an effort to fight off the United States government.

“As a result of their criminal efforts to make money by ripping off the hard work and creativity of high-tech innovators, the defendants are charged with illegally distributing copyrighted apps,” said Assistant Attorney General Caldwell.

“The Criminal Division is determined to protect the labor and ingenuity of copyright owners and to keep pace with criminals in the modern, technological marketplace.”

A statement from the FBI’s Atlanta Field Office indicates that the FBI will pursue more piracy groups in future.

“The FBI will continue to provide significant investigative resources toward such groups engaged in such wholesale pirating or copyright violations as seen here,” Special Agent in Charge J. Britt Johnson said.

Krebs on Security: Crooks Seek Revival of ‘Gameover Zeus’ Botnet

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Cybercrooks today began taking steps to resurrect the Gameover ZeuS botnet, a complex crime machine that has been blamed for the theft of more than $100 million from banks, businesses and consumers worldwide. The revival attempt comes roughly five weeks after the FBI joined several nations, researchers and security firms in a global and thus far successful effort to eradicate it.

The researchers who helped dismantle Gameover Zeus said they were surprised that the botmasters didn’t fight back. Indeed, for the past month the crooks responsible seem to have kept a low profile.

But that changed earlier this morning when researchers at Malcovery [full disclosure: Malcovery is an advertiser on this blog] began noticing spam being blasted out with phishing lures that included zip files booby-trapped with malware.

Looking closer, the company found that the malware shares roughly 90 percent of its code base with Gameover Zeus. Part of what made the original GameOver ZeuS so difficult to shut down was its reliance in part on an advanced peer-to-peer (P2P) mechanism to control and update the bot-infected systems.

But according to Gary Warner, Malcovery’s co-founder and chief technologist, this new Gameover variant is stripped of the P2P code, and relies instead on an approach known as fast-flux hosting. Fast-flux is a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind an ever-changing network of compromised systems acting as proxies, in a bid to make the botnet more resilient to takedowns.

Like the original Gameover, however, this variant also includes a “domain name generation algorithm” or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters).

In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list specified by the DGA. All the botmasters need to do in this case to regain control over their crime machine is register just one of those domains and place the update instructions there.
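As an added illustration (example code, not Malcovery’s or Krebs’s, and not the Gameover DGA itself, whose generation algorithm this post does not give): a defender cannot predict which gibberish domains a bot will try, but can flag the pattern described above, long, high-entropy, vowel-poor labels looked up in a burst by a single host. The DNS log lines and the heuristic thresholds below are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real Gameover traffic): "timestamp client qname".
SAMPLE_DNS_LOG = """\
2014-07-10T09:12:01Z 10.0.0.21 www.example.com
2014-07-10T09:12:02Z 10.0.0.21 mail.example.com
2014-07-10T09:12:05Z 10.0.0.33 xkoqzpvlwtrnbhfdgs.net
2014-07-10T09:12:06Z 10.0.0.33 qwpzmvkxutlrbnhgfcd.com
2014-07-10T09:12:07Z 10.0.0.33 jtrvbanmqkwlxpzhfgd.org
2014-07-10T09:12:09Z 10.0.0.21 internationalshipping.com
2014-07-10T09:12:11Z 10.0.0.33 zvbqlwptxkjrenmhgfd.biz
2014-07-10T09:12:12Z 10.0.0.21 cdn.static-assets.example.net
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def registered_label(qname: str) -> str:
    """Return the label directly left of the TLD ("example" for mail.example.com).
    Simplified: multi-part public suffixes such as co.uk are not handled."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; a label drawn from a PRNG approaches log2(len(s))."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s: str) -> float:
    """Fraction of alphabetic characters that are vowels; pronounceable words score high."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in VOWELS for ch in letters) / len(letters)


def looks_generated(label: str, min_len: int = 12, min_entropy: float = 3.5,
                    max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic for 'long jumbles of letters': long, high-entropy and vowel-poor.
    Thresholds are constructed for this example and would be tuned against real traffic."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def find_dga_candidates(log_text: str) -> list:
    """Return (client, qname) for every lookup whose registered label looks machine-generated."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, client, qname = m.groups()
        if looks_generated(registered_label(qname)):
            hits.append((client, qname))
    return hits


def suspicious_clients(log_text: str, min_hits: int = 3) -> dict:
    """Clients with at least min_hits generated-looking lookups: the burst a bot produces
    while walking its DGA list after the primary channel has gone dark."""
    counts = Counter(client for client, _ in find_dga_candidates(log_text))
    return {client: n for client, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for client, name in find_dga_candidates(SAMPLE_DNS_LOG):
        print(f"{client} -> {name}")
    print(suspicious_clients(SAMPLE_DNS_LOG))
```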

Warner said the original Gameover botnet that was clobbered last month is still locked down, and that it appears whoever released this variant is essentially attempting to rebuild the botnet from scratch. “This discovery indicates that the criminals responsible for Gameover’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers and takedowns in history,” Warner said.

Gameover is based on code from the ZeuS Trojan, an infamous family of malware that has been used in countless online banking heists. Unlike ZeuS — which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend — Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine. Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service (DDoS) attacks intended to distract victims from immediately noticing the thefts.

According to the U.S. Justice Department, Gameover has been implicated in the theft of more than $100 million in account takeovers, and the author of the ZeuS Trojan (and by extension the Gameover Zeus malware) is allegedly a Russian citizen named Evgeniy Mikhailovich Bogachev.

For more details, check out Malcovery’s blog post about this development.

Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. “lucky12345”, “slavik”, “Pollingsoon”. Source: FBI.gov “most wanted, cyber”.

TorrentFreak: Kim Dotcom Extradition Hearing Delayed Until 2015

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

The United States Government is keen to get its hands on Kim Dotcom. He stands accused of committing the biggest copyright-related crime ever seen through his now-defunct cloud storage site Megaupload.

But its access to the entrepreneur will have to wait.

According to Dotcom, his extradition hearing has now been delayed until February 16, 2015.

Delays and postponements have become recurring features of the criminal case being built against Dotcom in the United States.

A March 2013 date came and went without a promised hearing, as did another in November the same year, a delay which Dotcom said would “save Prime Minister John Key embarrassment during an election campaign.”

Another hearing date for April 2014 also failed to materialize, and now the date penciled in for the coming weeks has been dropped as well.

Dotcom also reports that he still hasn’t received a copy of the data that was unlawfully sent to the FBI by New Zealand authorities.

TorrentFreak: Dotcom Encryption Keys Can’t Be Given to FBI, Court Rules

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

During the raid more than two years ago on his now-famous mansion, police in New Zealand seized 135 computers and drives belonging to Kim Dotcom.

In May 2012 during a hearing at Auckland’s High Court, lawyer Paul Davison QC demanded access to the data stored on the confiscated equipment, arguing that without it Dotcom could not mount a proper defense.

The FBI objected to the request due to some of the data being encrypted. However, Dotcom refused to hand over the decryption passwords unless the court guaranteed him access to the data. At this point it was revealed that despite assurances from the court to the contrary, New Zealand police had already sent copies of the data to U.S. authorities.

In May 2014, Davison was back in court arguing that New Zealand police should release copies of the data from the seized computers and drives, reiterating the claim that without the information Dotcom could not get a fair trial. The High Court previously ruled that the Megaupload founder could have copies, on the condition he handed over the encryption keys.

But while Dotcom subsequently agreed to hand over the passwords, that was on the condition that New Zealand police would not pass them on to U.S. authorities. Dotcom also said he couldn’t remember the passwords after all, but might be able to recall them if he gained access to prompt files contained on the drives.

The police agreed to give Dotcom access to the prompts but with the quid pro quo that the revealed passwords could be passed onto the United States, contrary to Dotcom’s wishes.

Today Justice Winkelmann ruled that if the police do indeed obtain the codes, they must not hand them over to the FBI. The reason: the copies of the computers and drives should never have been sent to the United States in the first place.

While the ruling is a plus for Dotcom, the entrepreneur today expressed suspicion over whether the FBI even needs the encryption codes.

“NZ Police is not allowed to provide my encryption password to the FBI,” he wrote on Twitter, adding, “As if they don’t have it already.”

TorrentFreak: UK Cinemas Ban Google Glass Over Piracy Fears

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The movie industry sees the illegal recording of movies as one of the biggest piracy threats and for years has gone to extremes to stop it.

It started well over a decade ago when visitors began sneaking handheld camcorders into theaters. These big clunkers were relatively easy to spot, but as time passed the recording devices grew smaller and easier to conceal.

Google Glass is one of the newest threats on the block. Earlier this year the FBI dragged a man from a movie theater in Columbus, Ohio, after theater staff presumed he was using Google Glass to illegally record a film. While the man wasn’t recording anything at all, the response from the cinema employees was telling.

This month Google Glass went on sale in the UK, and unlike their American counterparts, British cinemas have been quick to announce a blanket ban on the new gadget.

“Customers will be requested not to wear these into cinema auditoriums, whether the film is playing or not,” Phil Clapp, chief executive of the Cinema Exhibitors’ Association told the Independent.

The first Glass wearer at a Leicester Square cinema has already been instructed to stow his device, and more are expected to follow. Google Glass wearers with prescription lenses would be wise to take a pair of traditional glasses along if they want to enjoy a movie on the big screen.

Movie industry group FACT sees Google Glass and other new recording devices as significant threats and works in tandem with local cinemas to prevent film from being recorded.

“Developments in technology have led to smaller, more compact devices which have the capability to record sound and vision, including most mobile phones. FACT works closely with cinema operators and distributors to ensure that best practice is carried out to prevent and detect illegal recordings taking place,” the group says.

In recent years the UK movie industry has intensified its efforts to stop camcording, and not without success. In 2012 none of the illegally recorded movies that appeared online originated from a UK cinema, and several attempts were successfully thwarted.

Last year, cinema staff helped UK police to arrest five people and another nine were sent home with cautions. As a thank you for these vigilant actions, the Film Distributors’ Association awarded 13 cinema employees with cash rewards of up to £500.

Krebs on Security: 2014: The Year Extortion Went Mainstream

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime.

An extortion letter sent to 900 Degrees Neapolitan Pizzeria in New Hampshire.

At least four businesses recently reported receiving “Notice of Extortion” letters in the U.S. mail. The letters say the recipient has been targeted for extortion, and threaten a range of negative publicity, vandalism and harassment unless the target agrees to pay a “tribute price” of one bitcoin (currently ~USD $561) by a specified date. According to the letter, that tribute price increases to 3 bitcoins (~$1,683) if the demand isn’t paid on time.

The ransom letters, which appear to be custom written for restaurant owners, threaten businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, telephone denial-of-service attacks, bomb threats, fraudulent delivery orders, vandalism, and even reports of mercury contamination.

The missive encourages recipients to sign up with Coinbase – a popular bitcoin exchange – and to send the funds to a unique bitcoin wallet specified in the letter and embedded in the QR code that is also printed on the letter.

Interestingly, all three letters I could find that were posted online so far targeted pizza stores. At least two of them were mailed from Orlando, Florida.

The letters all say the amounts are due either on Aug. 1 or Aug. 15. Perhaps one reason the deadlines are so far off is that the attackers understand that not everyone has bitcoins, or even knows about the virtual currency.

“What the heck is a BitCoin?” wrote the proprietors of New Hampshire-based 900 Degrees Neapolitan Pizzeria, which posted a copy of the letter (above) on their Facebook page.

Sandra Alhilo, general manager of Pizza Pirates in Pomona, Calif., received the extortion demand on June 16.

“At first, I was laughing because I thought it had to be a joke,” Alhilo said in a phone interview. “It was funny until I went and posted it on our Facebook page, and then people put it on Reddit and the Internet got me all paranoid.”

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley, said these extortion attempts cost virtually nothing and promise a handsome payoff for the perpetrators.

“From the fraudster’s perspective, the cost of these attacks is a stamp and an envelope,” Weaver said. “This type of attack could be fairly effective. Some businesses — particularly restaurant establishments — are very concerned about negative publicity and reviews. Bad Yelp reviews, tip-offs to the health inspector... that stuff works and isn’t hard to do.”

While some restaurants may be an easy mark for this sort of crime, Weaver said the extortionists in this case are tangling with a tough adversary — The U.S. Postal Service — which takes extortion crimes perpetrated through the U.S. mail very seriously.

“There is a lot of operational security that these guys might have failed at, because this is interstate commerce, mail fraud, and postal inspector territory, where the gloves come off,” Weaver said. “I’m willing to bet there are several tools available to law enforcement here that these extortionists didn’t consider.”

It’s not entirely clear if or why extortionists seem to be picking on pizza establishments, but it’s probably worth noting that the grand-daddy of all pizza joints – Domino’s Pizza in France — found itself the target of a pricey extortion attack earlier this month after hackers threatened to release the stolen details of more than 650,000 customers if the company failed to pay a ransom of approximately $40,000.

Meanwhile, Pizza Pirates’s Alhilo says the company has been working with the local U.S. Postal Inspector’s office, which was very interested in the letter. Alhilo said her establishment won’t be paying the extortionists.

“We have no intention of paying it,” she said. “Honestly, if it hadn’t been a slow day that Monday I might have just thrown the letter out because it looked like junk mail. It’s annoying that someone would try to make a few bucks like this on the backs of small businesses.”

A GREAT CRIME FOR CRIMINALS

Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.

“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md.-based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.”

Last month, the U.S. government joined private security companies and international law enforcement partners to dismantle a criminal infrastructure responsible for spreading Cryptolocker, a ransomware scourge that the FBI estimates stole more than $27 million from victims compromised by the file-encrypting malware.

Even as the ink was still drying on the press releases about the Cryptolocker takedown, a new variant of Cryptolocker — Cryptowall — was taking hold. These attacks encrypt the contents of the victim PC’s hard drive and withhold the decryption key unless and until the victim pays an arbitrary amount specified by the perpetrators — usually a few hundred dollars worth of bitcoins. Many victims without adequate backups in place (or those whose backups also were encrypted) pay up. Others, like the police department in the New Hampshire hamlet of Durham, are standing their ground.

The downside to standing your ground is that — unless you have backups of your data — the encrypted information is gone forever. When these attacks hit businesses, the results can be devastating. Code-hosting and project management services provider CodeSpaces.com was forced to shut down this month after a hacker gained access to its Amazon EC2 account and deleted most data, including backups. According to Computerworld, the devastating security breach happened over a span of 12 hours and initially started with a distributed denial-of-service attack followed by an attempt to extort money from the company.

A HIDDEN CRIME

Extortion attacks against companies operating in the technology and online space are nothing new, of course. Just last week, news came to light that mobile phone giant Nokia in 2007 paid millions to extortionists who threatened to reveal an encryption key to Nokia’s Symbian mobile phone source code.

Trouble is, the very nature of these scams makes it difficult to gauge their frequency or success.

“The problem with extortion is that the money is paid in order to keep the attack secret, and so if the attack is successful, there is no knowledge of the attack even having taken place,” SANS’s Paller said.

Traditionally, the hardest part about extortion has been getting paid and getting away with the loot. In the case of the crooks who extorted Nokia, the company paid the money, reportedly leaving the cash in a bag at an amusement park car lot. Police were tracking the drop-off location, but ultimately lost track of the blackmailers.

Anonymous virtual currencies like Bitcoin not only make it easier for extortionists to get paid, but they also make it easier and more lucrative for more American blackmailers to get in on the action. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards — principally Greendot cards sold at retailers, convenience stores and pharmacies.

But unlike Bitcoin payments, these methods of cashing out are easily traceable if cashed out within the United States, the ICSI’s Weaver said.

“Bitcoin is their best available tool if they’re located in the United States,” Weaver said of extortionists. “Western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.”

TorrentFreak: Movie Chain Bans Google Glass Over Piracy Fears

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Ever since the concept became public there have been fears over potential misuse of Google Glass. The advent of the wearable computer has sparked privacy fears and perhaps unsurprisingly, concerns that it could be used for piracy.

Just this January the FBI dragged a man from a movie theater in Columbus, Ohio, after theater staff presumed his wearing of Google Glass was a sign that he was engaged in camcorder piracy.

While it’s possible the device could be put to that use, it’s now less likely that patrons of the Alamo Drafthouse movie theater chain will be able to do so without being noticed. Speaking with Deadline, company CEO and founder Tim League says the time is now right to exclude the active use of Glass completely.

“We’ve been talking about this potential ban for over a year,” League said.

“Google Glass did some early demos here in Austin and I tried them out personally. At that time, I recognized the potential piracy problem that they present for cinemas. I decided to put off a decision until we started seeing them in the theater, and that started happening this month.”

According to League, people won’t be forbidden from bringing Google Glass onto the company’s premises, nor will they be banned from wearing the devices. Only when the devices are switched on will there be a problem.

“Google Glass is officially banned from drafthouse auditoriums once lights dim for trailers,” League explained yesterday.

Asked whether people could use them with corrective lenses, League said that discretion would be used.

“It will be case by case, but if it is clear when they are on, clear when they are off, will likely be OK,” he said.

But despite the theater chain’s apparent flexibility towards the non-active use of the device, the ban does seem to go further than the official stance taken by the MPAA following the earlier Ohio incident.

“Google Glass is an incredible innovation in the mobile sphere, and we have seen no proof that it is currently a significant threat that could result in content theft,” the MPAA said in a statement.

However, recording a movie in a theater remains a criminal offense in the United States, so the decision as to whether a crime has been committed will rest with the law enforcement officers called to any ‘camming’ incident. Given the MPAA’s statement, then, it will be interesting to see if the studios will encourage the police to pursue cases against future Google Glass users.


Errata Security: Can I drop a pacemaker 0day?

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Can I drop a pacemaker 0day at DefCon that is capable of killing people?

Computers now run our cars. It’s now possible for a hacker to infect your car with a “virus” that can slam on the brakes in the middle of the freeway. Computers now run medical devices like pacemakers and insulin pumps; it’s now becoming possible to assassinate somebody by stopping their pacemaker with a Bluetooth exploit.

The problem is that manufacturers are 20 years behind in terms of computer “security”. They don’t just have vulnerabilities, they have obvious vulnerabilities. That means not only can these devices be hacked, they can easily be hacked by teenagers. Vendors do something like put a secret backdoor password in a device believing nobody is smart enough to find it — then a kid finds it in under a minute using a simple program like “strings”.

Telling vendors about the problem rarely helps because vendors don’t care. If they cared at all, they wouldn’t have been putting the vulnerabilities in their product to begin with. 30% of such products have easily discovered backdoors, which is something they should already care about, so telling them you’ve discovered they are one of the 30% won’t help.

Historically, we’ve dealt with vendor unresponsiveness through the process of “full disclosure”. If a vendor was unresponsive after we gave them a chance to first fix the bug, we simply published the bug (“drop 0day”), either on a mailing list, or during a talk at a hacker convention like DefCon. Only after full disclosure does the company take the problem seriously and fix it.

This process has worked well. If we look at the evolution of products from Windows to Chrome, the threat of 0day has caused them to vastly improve their products. Moreover, now they court 0day: Google pays you a bounty for Chrome 0day, with no strings attached on how you might also maliciously use it.

So let’s say I’ve found a pacemaker with an obvious Bluetooth backdoor that allows me to kill a person, and a year after notifying the vendor, they still ignore the problem, continuing to ship vulnerable pacemakers to customers. What should I do? If I do nothing, more and more such pacemakers will ship, endangering more lives. If I disclose the bug, then hackers may use it to kill some people.

The problem is that dropping a pacemaker 0day is so horrific that most people would readily agree it should be outlawed. But, at the same time, without the threat of 0day, vendors will ignore the problem.

This is the question for groups that defend “coder’s rights”, like the EFF. Will they really defend coders in this hypothetical scenario, declaring that releasing 0day code is free speech that reveals problems of public concern? Or will they agree that such code should be suppressed in the name of public safety?

I ask this question because right now they are avoiding the issue, because whichever stance they take will anger a lot of people. This paper from the EFF on the issue seems to support disclosing 0days, but only in the abstract, not in the concrete scenario that I support. The EFF has a history of backing away from previous principles when they become unpopular. For example, they once fought against regulating the Internet as a public utility; now they fight for it in the name of net neutrality. Another example is selling 0days to the government, which the EFF criticizes. I doubt the EFF will continue to support disclosing 0days when they can kill people. The first time a child dies due to a car crash caused by a hacker, every organization is going to run from “coder’s rights”.

By the way, it should be clear from the above post on which side of this question I stand: for coder’s rights.

Update: Here’s another scenario. In Twitter discussions, people have said that the remedy for unresponsive vendors is to contact an organization like ICS-CERT, the DHS organization responsible for “control systems”. That doesn’t work, because ICS-CERT is itself a political, unresponsive organization.

The ICS-CERT doesn’t label “default passwords” as a “vulnerability”, despite the fact that it’s a leading cause of hacks, and a common feature of exploit kits. They claim that it’s the user’s responsibility to change the password, and not the fault of the vendor if they don’t.

Yet, disclosing default passwords is one of the things that vendors try to suppress. When a researcher reveals a default password in a control system, and a hacker exploits it to cause a power outage, it’s the researcher who will get blamed for revealing information that was not-a-vulnerability.

I say this because I was personally threatened by the FBI to suppress something that was not-a-vulnerability, yet which they claimed would hurt national security if I revealed it to Chinese hackers.

Again, the only thing that causes change is full disclosure. Everything else allows politics to suppress information vital to public safety.


Update: Some have suggested that moral and legal are two different arguments, that someone can call full disclosure immoral without necessarily arguing that it should be illegal.

That’s not true. That’s like saying that speech is immoral when Nazis do it. It isn’t — the content may be vile, but the act of speaking is never immoral.

The “immoral but legal” argument is too subtle for politics; you really have to pick one or the other. We saw that happen with the EFF. They originally championed the idea that the Internet should not be regulated. Then, they championed the idea of net neutrality — which is Internet regulation. They originally claimed there was no paradox, because they were saying merely that net neutrality was moral, not that it should be law. Now they’ve discarded that charade, and are actively lobbying Congress to make net neutrality law.

Sure, sometimes some full disclosure will result in bad results, but more often, those with political power will seek to suppress vital information with reasons that sound good at the time, like “think of the children!”. We need to firmly defend full disclosure as free speech, in all circumstances.


Update: Some have suggested that instead of disclosing details, a researcher can inform the media.

This has been tried. It doesn’t work. Vendors have more influence on the media than researchers.

We saw this happen in the Apple WiFi fiasco. It was an obvious bug (SSIDs longer than 97 bytes), but at the time Apple kernel exploitation wasn’t widely known. Therefore, the researchers tried to avoid damaging Apple by not disclosing the full exploit. Thus, people could know about the bug without being able to exploit it.

This didn’t work. Apple’s marketing department claimed the entire thing was fake. They did later fix the bug — claiming it was something they found unrelated to the “fake” vulns from the researchers.

Another example was two years ago when researchers described bugs in airplane control systems. The FAA said the vulns were fake, and the press took the FAA’s line on the problem.

The history of “going to the media” has demonstrated that only full-disclosure works.

TorrentFreak: Kim Dotcom Fails in Bid to Suppress FBI Evidence

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In 2012, following the raid on his New Zealand mansion, Kim Dotcom fought to gain access to the information being held against him by the FBI.

A ruling by District Court Judge David Harvey in May of that year, which stood despite an August appeal, ordered disclosure of all documents relating to the alleged crimes of the so-called Megaupload Conspiracy.

While it was agreed that this information should be made available, an order forbidding publication was handed down in respect to the so-called Record of Case, a 200-page document summarizing an estimated 22 million emails and Skype discussions obtained by the FBI during their investigation.

Last November a sealed court order by US Judge Liam O’Grady already allowed the U.S. Government to share the summary of evidence from the Megaupload case with copyright holders, something which was actioned before the end of the year.

Over in New Zealand, however, Kim Dotcom has been fighting an application by the Crown to make the Record of Case public. That battle came to an end today when Auckland District Court Judge Nevin Dawson rejected an application by Dotcom’s legal team to extend the suppression order placed on the document.

According to RadioNZ, the document contains sensitive information including email and chat conversations which suggest that the Megaupload team knew their users were uploading copyrighted material.

In another setback, further applications by Dotcom to force Immigration New Zealand, the Security Intelligence Service, and several other government departments to hand over information they hold on him, were also rejected by Judge Dawson.

Dotcom’s lawyer Paul Davidson, QC, told Stuff that the battle will continue.

“We will press on with our resolve,” he said.
