Posts tagged ‘fbi’

Schneier on Security: “Hinky” in Action

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In Beyond Fear I wrote about trained officials recognizing “hinky” and how it differs from profiling:

Ressam had to clear customs before boarding the ferry. He had fake ID, in the name of Benni Antoine Noris, and the computer cleared him based on this ID. He was allowed to go through after a routine check of his car’s trunk, even though he was wanted by the Canadian police. On the other side of the Strait of Juan de Fuca, at Port Angeles, Washington, Ressam was approached by U.S. customs agent Diana Dean, who asked some routine questions and then decided that he looked suspicious. He was fidgeting, sweaty, and jittery. He avoided eye contact. In Dean’s own words, he was acting “hinky.” More questioning — there was no one else crossing the border, so two other agents got involved — and more hinky behavior. Ressam’s car was eventually searched, and he was finally discovered and captured. It wasn’t any one thing that tipped Dean off; it was everything encompassed in the slang term “hinky.” But the system worked. The reason there wasn’t a bombing at LAX around Christmas in 1999 was because a knowledgeable person was in charge of security and paying attention.

I wrote about this again in 2007:

The key difference is expertise. People trained to be alert for something hinky will do much better than any profiler, but people who have no idea what to look for will do no better than random.

Here’s another story from last year:

On April 28, 2014, Yusuf showed up alone at the Minneapolis Passport Agency and applied for an expedited passport. He wanted to go “sightseeing” in Istanbul, where he was planning to meet someone he recently connected with on Facebook, he allegedly told the passport specialist.

“It’s a guy, just a friend,” he told the specialist, according to court documents.

But when the specialist pressed him for more information about his “friend” in Istanbul and his plans while there, Yusuf couldn’t offer any details, the documents allege.

“[He] became visibly nervous, more soft-spoken, and began to avoid eye contact,” the documents say. “Yusuf did not appear excited or happy to be traveling to Turkey for vacation.”

In fact, the passport specialist “found his interaction with Yusuf so unusual that he contacted his supervisor who, in turn, alerted the FBI to Yusuf’s travel,” according to the court documents.

This is what works. Not profiling. Not bulk surveillance. Not defending against any particular tactics or targets. In the end, this is what keeps us safe.

The Hacker Factor Blog: There’s No Fool Like an April Fool

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I stopped celebrating “April Fools Day” many years ago. There’s always someone pulling an unfunny joke, someone trying to hide the fact that they fell for it, and someone who doesn’t get the joke — taking it way too seriously. And most of the gags I’ve seen really haven’t been funny. Moreover, people seem to be doing gags all the time; April Fools day just isn’t special anymore.

In the last two weeks, I have seen three computer security articles where people have just behaved like idiots. In one case, it’s the vendors. In another case, it’s the security researcher. And in the third case, it was law enforcement. With these news reports, I find it hard to believe that it isn’t April 1st.

Car Hacking

There are some things that people in the security community have known for years but have not been made public yet. The reason is usually that experts are working (or trying to work) with vendors to fix the problems. The bigger the problem, the longer it may take to fix. Whispers among small groups of people with the knowledge may go on for years before some problems are resolved. In many cases, the fixes are performed quietly since a public announcement will only benefit the bad guys during a slow roll-out. These are usually the cases where informing the public will educate criminals, without any viable solution for the public.

However, sometimes the vendors become non-responsive. That’s when vulnerabilities with no solution are often made public.

Earlier this month, news outlets reported on an upcoming security presentation about car hacking. Keep in mind, talks on car hacking have been going on for a decade. In this latest exploit, the attacker only needs a $20 amplifier that can fit in your hand to unlock your keyless-entry car. (Funny… the same exploit was discussed two years ago, when it only cost $5.)

Attacks against this keyless entry system have ranged from cracking the weak cryptography (2006) to record and playback attacks (2010).

So here’s the exploit (as detailed by various news outlets)… Newer keyless-entry cars only require the key to be near the car in order to unlock. What’s really happening is that the car sends a cryptographic challenge over a wireless link to the key. The car uses a low-power, low-frequency radio signal for that challenge, so the key has to be very close to hear it. If the key is near enough (typically within a meter or two), it hears the challenge, issues a response, and the car unlocks.

In this latest attack (which was already circulating in 2013, and which ETH Zurich researchers had published academically in 2011), an amplifier just replays the car’s query louder. Rather than needing the key within a few feet, it can be a few hundred feet away and it will still respond. The amplifier hears the whispered response from the distant key and repeats it so the car can hear it. In the radio community, this is a basic radio repeater — it is technology that has been around for about a century. There’s no need for decryption and no interfering with the signal; the signal is just made louder so it has a larger range. The attacker never learns the key’s secret: the challenge and the response are forwarded unchanged, so the car’s cryptographic check passes exactly as it would with the key next to the door.
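The exchange described above, as an added simulation that is not part of the original post: a car issues a fresh challenge, a fob answers it with an HMAC over a shared secret, and two attacker boxes forward the bytes in both directions without ever knowing the secret. The challenge format, the HMAC-based response, the LF range, and the timing figures are all assumptions chosen to show the mechanism, not details of any real vehicle. The last function goes one step beyond the post and shows why the standard countermeasure is a round-trip-time bound: the relay cannot avoid adding latency even though every byte it forwards is genuine.

```python
"""Simulation of the amplifier/relay attack on passive keyless entry.

Added example for this post, not the original author's code. The challenge
format, the HMAC-based response, the LF range, and the timing figures are all
assumptions chosen to show the mechanism; real systems differ in detail."""
import hashlib
import hmac
import os
from dataclasses import dataclass

LF_RANGE_M = 2.0         # assumed reach of the car's low-power LF challenge
SPEED_OF_LIGHT = 3.0e8   # m/s, only used for the timing caveat at the end
RELAY_LATENCY_S = 5e-6   # assumed extra delay the relay boxes add per round trip


@dataclass
class Fob:
    secret: bytes
    position_m: float

    def respond(self, challenge: bytes) -> bytes:
        # The fob answers any challenge that reaches it; it has no way to tell
        # whether it came from the car or from a relay box re-emitting it.
        return hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]


@dataclass
class Car:
    secret: bytes
    position_m: float = 0.0

    def challenge(self) -> bytes:
        return os.urandom(8)   # fresh per attempt, so a plain replay would fail

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self.secret, challenge, hashlib.sha256).digest()[:8]
        return hmac.compare_digest(expected, response)


def fob_distance(car: Car, fob: Fob) -> float:
    return abs(fob.position_m - car.position_m)


def direct_attempt(car: Car, fob: Fob) -> bool:
    """Normal use: the fob only hears the challenge if it is within LF range."""
    ch = car.challenge()
    if fob_distance(car, fob) > LF_RANGE_M:
        return False            # the whisper never reaches the fob
    return car.verify(ch, fob.respond(ch))


def relayed_attempt(car: Car, fob: Fob) -> bool:
    """Attack: box A next to the car, box B next to the fob. Neither box holds
    the secret; each just re-radiates whatever bytes it hears, louder."""
    ch = car.challenge()
    forwarded_challenge = bytes(ch)          # A -> B, copied verbatim, nothing decrypted
    resp = fob.respond(forwarded_challenge)  # the fob hears B and answers as usual
    forwarded_response = bytes(resp)         # B -> A -> car
    return car.verify(ch, forwarded_response)   # the crypto check passes


def round_trip_seconds(distance_m: float, relayed: bool) -> float:
    """Idealised RTT: radio propagation both ways, plus relay latency if relayed."""
    rtt = 2.0 * distance_m / SPEED_OF_LIGHT
    return rtt + RELAY_LATENCY_S if relayed else rtt


def distance_bounded_attempt(car: Car, fob: Fob, relayed: bool) -> bool:
    """Caveat, not from the post: if the car also rejects responses that arrive
    later than an honest fob at the edge of LF range could manage, the relay's
    added latency exposes it even though the response itself is genuine."""
    ok = relayed_attempt(car, fob) if relayed else direct_attempt(car, fob)
    budget = round_trip_seconds(LF_RANGE_M, relayed=False) + 1e-7   # assumed slack
    return ok and round_trip_seconds(fob_distance(car, fob), relayed) <= budget


if __name__ == "__main__":
    secret = b"constructed-shared-secret"          # provisioned into car and fob
    car, near, far = Car(secret), Fob(secret, 1.0), Fob(secret, 30.0)
    print("fob at 1 m, direct:   ", direct_attempt(car, near))
    print("fob at 30 m, direct:  ", direct_attempt(car, far))
    print("fob at 30 m, relayed: ", relayed_attempt(car, far))
    print("relay vs RTT bound:   ", distance_bounded_attempt(car, far, relayed=True))
```

The timing model is deliberately idealised: a real distance-bounding check needs a ranging radio (UWB, for instance) with nanosecond resolution, because radio covers the whole LF range in a few nanoseconds and the bound has to be tighter than the relay's processing delay. The point the simulation makes is the one in the post: the crypto is not what fails, so a stronger cipher would not help.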

There comes a point when vendors fail to fix a problem and it must be made public. This usually happens when bad guys are actively using the exploit. Making the details public won’t help the bad guys, since they already know about it. But public disclosure informs the public and can force legal repercussions onto the vendors.

In this case, the bad guys clearly know about this. Back in 2013, police announced that they were stumped by some car thefts. They included a video where the criminals walk up to the car, hold a small device in their hand, and the car unlocks. This happened outside a residence, where we can assume the key was probably less than a hundred feet from the car. (If the car doesn’t unlock, then the key is probably too far away to hear the amplified signal.)

When I first heard of the car break-ins (in 2013) I started asking around. The exploit had been known to some people in the security community for over a year. They had been trying to get the vendors to address the problem. It is no surprise to me that someone would make the details public years later, since vendors are still rolling out the same keyless entry system in even more vehicles.

Airplane Hacking

While I may be critical of them, I have a lot of respect for the Electronic Frontier Foundation. They stand up for computer security researchers, challenge governments and corporations that violate our digital freedoms, and advise us on ways to stay safe online. However, sometimes I question the battles that the EFF is willing to fight…

Last week, security researcher Chris Roberts was detained by the FBI. He had been planning to speak at the upcoming RSA conference on airplane insecurity (how to hack airplanes while sitting in coach). The FBI questioned him and confiscated his equipment, but eventually released him. However, that wasn’t the end of it…

On his way to the conference, United Airlines refused to let him board the plane. Roberts was lucky to get on a different airline in order to make it to the conference. According to the EFF:

Our client, Chris Roberts, a founder of the security intelligence firm One World Labs, found himself detained by the FBI earlier this week after tweeting about airplane network security during a United Airlines flight. When Roberts landed in Syracuse, he was questioned by the FBI, which ultimately seized a number of his electronic devices. EFF attorneys now represent Roberts, and we’re working to get his devices back promptly. But unfortunately last week’s tweet and FBI action isn’t the end of the story.

Roberts was back at the airport on Saturday evening, headed to San Francisco to attend two high-profile security conferences, the RSA Conference, where he is scheduled to present on Thursday, and BSides SF. After Roberts retrieved his boarding pass, made his way through the TSA checkpoint and reached the gate, United corporate security personnel stopped him from boarding the plane. Roberts was told to expect a letter explaining the reasons for not being allowed to travel on United. Thankfully, Roberts was able to book a last-minute flight on another airline and has now landed safely in San Francisco.

Reading the report from the EFF, one would think that the FBI and United Airlines were trying to stop the presentation, hinder his freedom of speech, and enforce security by obscurity. However, the EFF left out one major detail: Roberts had tweeted a threat to the airlines.

https://twitter.com/Sidragon1/status/588433855184375808

In this tweet, Roberts explicitly listed attacks he could do on the airplane.

Keep in mind, talking about how to make bombs in an airport, how to shoot up a school, or how to take down an airplane before getting on a plane is still plotting to kill people, even if it is said as a joke (not funny) or with no real intent.

I’m not an attorney, but it should be obvious that Freedom of Speech does not give you the freedom to cause panic or harm. As ruled in Schenck v. United States (249 U.S. 47, 1919), the First Amendment does not allow you to cause panic by shouting fire in a crowded theater. Tweeting about ways to take down an airplane that you are about to board seems no different to me.

Chris Roberts even knew that these actions were likely illegal, as he tweeted in follow-ups:

Frankly, I’m surprised that the FBI let him go. And I don’t blame United Airlines for exercising their right to refuse service to someone who threatened the safety of their airline.

Do I think the airlines have a security problem that needs to be addressed? Definitely. Do I think that the aircraft manufacturers and network providers (e.g., Boeing and Cisco) are intentionally ignoring the problem? Yes. Do I think Chris Roberts should give his presentation? Absolutely. But I also think Roberts was a dumb-ass for tweeting his “joke”.

In the case of Roberts, I doubt that anyone would have interfered with him if he did not tweet his joke. I’m looking forward to hearing how the EFF plans to defend this type of threatening speech that was clearly intended to cause panic.

Felony for an 8th Grader

Less than two weeks ago, the Tampa Bay Times reported on an eighth-grader at Paul R. Smith Middle School in Holiday, Florida. The kid had used the teacher’s computer and pulled a prank; he “changed the background image on a teacher’s computer to one showing two men kissing.” The kid was charged with “offense against a computer system and unauthorized access, a felony.”

(Note: Even though news articles repeatedly mention his name, I’m not naming the kid here because he is a minor.)

The article even quotes Sheriff Chris Nocco: “Even though some might say this is just a teenage prank, who knows what this teenager might have done.” To this, I feel that I need to personally respond to the sheriff…

Dear Sheriff Nocco:

Changing a background picture is not the same as stealing cars or threatening to take down airplanes. It’s a prank and nobody got hurt — except the kid, who is probably scarred for life. If you do not see the difference between changing a background picture and the threats dreamed up by your wild imagination, then you need to take some technology courses. And if you cannot see the difference between a prank and a threat, then you need to choose a new occupation.

The article mentions a lot of details about this case. I hope that the kid’s attorney is focusing on these items:

  • The article says that the kid “logged onto the school’s network on March 31 using an administrative-level password without permission.” If he had the password, then he had permission. He did not hack the system; he used it as it was designed.
  • The article says that this happened on March 31 and that the teacher was out that day. This means that the teacher would see it the next day, on April 1st (April Fools Day). This goes along with it being a harmless prank.
  • “One of the computers [the kid] accessed also had encrypted 2014 FCAT questions stored on it, though the sheriff and Pasco County School District officials said [the kid] did not view or tamper with those files.” If the kid did not attempt to access, view, or tamper with those files, then this clearly goes toward the kid’s intent as a prank and not anything malicious.
  • The kid was interviewed at his home and mentioned that ‘students would often log into the administrative account to screen-share with their friends’. (I’m quoting the Tampa Bay Times and not the kid’s actual words.) This shows that using the administrative account was common practice and acceptable behavior. If it wasn’t acceptable, then the administrators would have stopped this behavior before the kid changed the background.
  • The Tampa Bay Times noted that the kid discovered the password by watching the teacher type it in. The purpose of a classroom is for a teacher to show students new concepts. If the teacher showed any student how to login, then the child clearly learned well in this classroom environment.
  • The most startling part is where the Tampa Bay Times wrote, “It was a well-known trick … because the password was easy to remember: a teacher’s last name.” *sigh* At least the password wasn’t “abcde” — like some voting machines in Virginia. If someone intentionally chooses a weak password, then it implies that someone thinks that the system does not need to be secured. Simple patterns (“abcde”, “12345”, etc.), common words (“password”), and personal names have topped the lists of bad password choices for decades.
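
A screen for exactly the password patterns that bullet lists (sequential runs like “abcde” and “12345”, common words, and guessable personal names), as an added example that is not part of the original post. The word list, the name list, the 12-character threshold and the sample inputs are all assumed, constructed values; the sequence detector is general and catches ascending or descending runs in any alphabet.

```python
"""Screen for the password patterns the article's bullet describes: sequential
runs, common words, and personal names. Added example, not from the original
post; the word list, name list and thresholds are assumed."""

COMMON_WORDS = {"password", "letmein", "welcome", "admin", "qwerty", "abc123"}  # assumed list


def has_sequential_run(text: str, min_run: int = 4) -> bool:
    """True if any min_run consecutive characters step by exactly +1 or -1
    in code point, which catches 'abcde', '12345', 'edcba' and '98765'."""
    s = text.lower()
    for start in range(len(s) - min_run + 1):
        chunk = s[start:start + min_run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def weak_password_reasons(password: str, known_names=()) -> list:
    """Return the reasons a password is weak; an empty list means it passed.
    known_names is for names an attacker can trivially guess, such as staff
    surnames (the article's case) or the organisation's own name."""
    pw = password.lower()
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if len(set(pw)) <= 1:
        reasons.append("one repeated character")
    if has_sequential_run(pw):
        reasons.append("contains a sequential run such as 'abcde' or '12345'")
    if pw in COMMON_WORDS:
        reasons.append("is a common password word")
    for name in known_names:
        if len(name) >= 3 and name.lower() in pw:
            reasons.append(f"contains a guessable name ({name})")
    return reasons


if __name__ == "__main__":
    # constructed samples; "Smithers" stands in for a staff surname
    for candidate in ("abcde", "Smithers2015!", "correct-horse-battery-staple-9"):
        print(candidate, "->", weak_password_reasons(candidate, known_names=["Smithers"]))
```

The check runs at the point where a password is set, which is where the school’s administrative account should have rejected a teacher’s surname in the first place; it is not a substitute for rate limiting or for keeping students off the administrative account altogether.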

If the kid gets a felony for this, then the teacher should get life. I’m not an attorney, but I can easily see that the teachers (both the regular teacher and the substitute) should be charged with Contributing to the Delinquency of a Minor, Attractive Nuisance, and Child Neglect. In particular, the child was left alone with the teacher’s computer after being shown how to log in to it. I’m sure an attorney could come up with even more charges.

The EFF pointed out some of these issues in their own report. The EFF describes the Florida law as using “overbroad and insensible language” and being applied arbitrarily. They also point out that the “school had terrible operational security where weak passwords, teachers entering passwords in front of students, and students regularly using teacher credentials, was prevalent.”

The news article ends with a warning from Sheriff Nocco: “If information comes back to us and we get evidence (that other kids have done it), they’re going to face the same consequences.”

In my opinion, Sheriff Nocco is an idiot. You don’t charge an inquisitive child with a felony for a harmless prank. The child should get off with nothing more than a reprimand. And if he is this creative and this tech savvy, then he should be placed in an environment that nurtures and directs his talents toward a beneficial outcome. (Why not have the kids suggest how to strengthen the school’s computer security, since clearly the teachers do not know?) In contrast, the teacher and the school should face heavy repercussions for failing to provide a safe environment for these children, failing to secure their computer systems, and failing to provide adequate guidance. And Sheriff Nocco should take an early retirement before he gets charged with something more serious, like restricting the child’s creative outlet (a First Amendment violation).

Not Joking

It is long after April 1st, but we still have people acting like idiots. Car vendors should have acted upon these exploits when they learned of the risks. Security researchers should not make jokes about technologies that put lives in danger. And law officers should not treat pranks as felonies. On the Internet, every day seems like April Fools Day.

Schneier on Security: Hacker Detained by FBI After Tweeting About Airplane Software Vulnerabilities

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is troubling:

Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane’s engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft’s functions, including temperatures of various equipment, fuel flow and quantity, and oil pressure. In the tweet, Roberts jested: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone ? :)” FBI agents questioned Roberts for four hours and confiscated his iPad, MacBook Pro, and storage devices.

Yes, the real issue here is the chilling effect on security research. Security researchers pointing out security flaws is a good thing, and should be encouraged.

But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There’s some serious surveillance going on.

Now, it is possible that Roberts was being specifically monitored. He is already known as a security researcher who is working on avionics hacking. But still…

Slashdot thread. Hacker News thread.

Schneier on Security: Counting the US Intelligence Community Leakers

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

It’s getting hard to keep track of the US intelligence community leakers without a scorecard. So here’s my attempt:

  • Leaker #1: Chelsea Manning.

  • Leaker #2: Edward Snowden.
  • Leaker #3: The person who leaked secret documents to Jake Appelbaum, Laura Poitras, and others in Germany: the Angela Merkel surveillance story, the TAO catalog, the X-KEYSCORE rules. My guess is that this is either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents. Snowden has said that he is not the source for the Merkel story, and Greenwald has confirmed that the Snowden documents are not the source for the X-KEYSCORE rules. This might be the “high-ranking NSA employee in Germany” from this story — or maybe that’s someone else entirely.
  • Leaker #4: “A source in the intelligence community,” according to the Intercept, who leaked information about the Terrorist Screening Database, the “second leaker” from the movie Citizenfour. Greenwald promises a lot from him: “Snowden, at a meeting with Greenwald in Moscow, expresses surprise at the level of information apparently coming from this new source. Greenwald, fearing he will be overheard, writes the details on scraps of paper.” We have seen nothing since, though. This is probably the leaker the FBI identified, although we have heard nothing further about that, either.
  • Leaker #5: Someone who is leaking CIA documents.
  • Leaker #6: The person who leaked secret information about WTO spying to the Intercept and the New Zealand Herald. This isn’t Snowden; the Intercept is very careful to identify him as the source when it writes about the documents he provided. Neither publication gives any indication of how it was obtained. This might be Leaker #3, since it contains X-KEYSCORE rules.
  • Leaker #7: The person who just leaked secret information about the US drone program to the Intercept and Der Spiegel. This also might be Leaker #3, since there is a Germany connection. According to the Intercept: “The slides were provided by a source with knowledge of the U.S. government’s drone program who declined to be identified because of fears of retribution.” That implies someone new.

Am I missing anyone?

Harvard Law School professor Yochai Benkler has written an excellent law review article on the need for a whistleblower defense. And there’s this excellent article by David Pozen on why government leaks are, in general, a good thing. I wrote about the value of whistleblowers in Data and Goliath.

Way back in June 2013, Glenn Greenwald said that “courage is contagious.” He seems to be correct.

This post was originally published on the Lawfare blog.

Errata Security: Solidarity

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The government’s zealous War on Hackers threatens us, the good hackers who stop the bad ones. They can’t tell the good witches from the bad witches. When members of our community get threatened by the system, we should probably do more to stand in solidarity with them. I mention this because many of you will be flying to SFO this coming week for the RSA Conference, which gives us an opportunity to show solidarity.

Today, a security researcher tweeted a joke while on a plane. When he landed, the FBI grabbed him and confiscated all his stuff. The tweets are here:


Chris Roberts’ area of research is embedded control systems like those on planes. It’s not simply that the FBI grabbed him because of a random person on a plane, but specifically because he’s a security researcher. He’s on the FBI’s radar (so to speak) for things like this Fox News interview.

I suggest we all start joke tweeting along these lines,  from the airplanes, like:

DFW->SFO. Playing with airplane wifi. I hope the pilots enjoy the Rick Astley video playing on their EICAS system.

LGA->SFO. Note to self. Don’t fuzz the SATCOM unit while on Twitter. Takes GoGo an hour to come back up. 

NRT->SFO. Yup, the IFE will grab corrupt MP3 from my iPhone and give a shell. I wonder if nmap will run on it. 

PDX->SFO. HackRF says there’s a strong 915 MHz qpsk 64k symbol/second signal. I wonder what’ll happen if I replay it.

The trick is to write jokes, not to actually threaten anything — like the original tweet above. Those of us with technical knowledge and skills should be free to express our humor without the FBI confiscating all our stuff when we land.


BTW, I know you can all steal in-flight WiFi easier than you can pay for it, but do pay for it :)

TorrentFreak: Microsoft Takes Pirated Windows NT 4.0 Source Code Offline

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In February 2004 large portions of Microsoft’s Windows 2000 and Windows NT 4.0 source code leaked onto the Internet.

In a statement issued at the time, Microsoft said the breach didn’t come from inside. The company worked closely with the FBI to track down the source but these efforts were fruitless.

Hoping to keep the leak under control, Microsoft also started issuing takedown notices to sites and P2P file-sharers, urging them to stop offering the code.

However, like anything that leaks onto the Internet it’s pretty much impossible to remove something for good. Even today, several NT 4.0 copies are still floating around in the dark corners of the web.

Up until a few days ago there was even a copy hosted on the popular developer platform GitHub. Posted by “njdragonfly” the leaked source code has been available there since 2011.

Microsoft initially didn’t spot the infringing copy but it recently took action by sending GitHub a DMCA takedown notice.

Microsoft’s takedown notice

“We have received information that the domain listed above, which appears to be on servers under your control, is offering unlicensed copies of, or is engaged in other unauthorized activities relating to, copyrighted works published by Microsoft Corporation,” the company writes

The notice proved to be successful. A few hours after its arrival the repository was made inaccessible. Those who try to access it now are redirected to GitHub’s standard takedown page.

While it’s understandable that Microsoft doesn’t want its source code out in the open, it’s not as much of a security threat as it was a decade ago. More than ten years after the code first appeared, the bugs it exposed have long since been patched, and NT 4.0 itself went out of support at the end of 2004.

That said, it’s worth noting that after all these years Microsoft is still trying to contain the leak. But perhaps that’s just for sentimental value.

Windows NT 4.0

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: Alternatives to the FBI’s Manufacturing of Terrorists

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

John Mueller suggests an alternative to the FBI’s practice of encouraging terrorists and then arresting them for something they would have never have planned on their own:

The experience with another case can be taken to suggest that there could be an alternative, and far less costly, approach to dealing with would-be terrorists, one that might generally (but not always) be effective at stopping them without actually having to jail them.

It involves a hothead in Virginia who ranted about jihad on Facebook, bragging about how “we dropped the twin towers.” He then told a correspondent in New Orleans that he was going to bomb the Washington, D.C. Metro the next day. Not wanting to take any chances and not having the time to insinuate an informant, the FBI arrested him. Not surprisingly, they found no bomb materials in his possession. Since irresponsible bloviating is not illegal (if it were, Washington would quickly become severely underpopulated), the police could only charge him with a minor crime — making an interstate threat. He received only a good scare, a penalty of time served and two years of supervised release.

That approach seems to have worked: the guy seems never to have been heard from again. It resembles the Secret Service’s response when they get a tip that someone has ranted about killing the president. They do not insinuate an encouraging informant into the ranter’s company to eventually offer crucial, if bogus, facilitating assistance to the assassination plot. Instead, they pay the person a Meaningful Visit and find that this works rather well as a dissuasion device. Also, in the event of a presidential trip to the ranter’s vicinity, the ranter is visited again. It seems entirely possible that this approach could productively be applied more widely in terrorism cases. Ranting about killing the president may be about as predictive of violent action as ranting about the virtues of terrorism to deal with a political grievance. The terrorism cases are populated by many such ranters­ — indeed, tips about their railing have frequently led to FBI involvement. It seems likely, as apparently happened in the Metro case, that the ranter could often be productively deflected by an open visit from the police indicating that they are on to him. By contrast, sending in a paid operative to worm his way into the ranter’s confidence may have the opposite result, encouraging, even gulling, him toward violence.

TorrentFreak: Major Labels Sue Music Leaker After FBI Investigation

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

If there is one issue guaranteed to incense recording labels and artists alike it’s the premature public availability of pre-release music.

Over the years leaks from popular artists have featured in countless online piracy cases, painted by the labels as some of the most damaging forms of unauthorized distribution.

While some believe that leaks are useful for creating buzz, labels often argue that availability amounts to unfair competition and the undermining of an artist’s decision as to when and where content should be heard.

Pre-release leaks can happen anywhere in the supply chain, usually towards the retail environment, but a case set to be heard next month is unusual in several respects, not least the point at which the music was obtained.

Between 2010 and 2013 it’s alleged that unreleased music began leaking from industry-affiliated email accounts based in the United States. Tracks from some of the world’s biggest stars were targeted, including those from Nicki Minaj, Chris Brown and Mary J Blige.

It’s claimed that the music began turning up in public after being sold to DJs worldwide, events which heralded the involvement of the FBI and a trail to Sweden.

“In the United States an investigation was launched into the stolen songs. The tracks led to Sweden through bank accounts and IP addresses. Therefore, we were contacted,” says prosecutor Fredrik Ingblad.

Further investigation led Swedish authorities to a 25-year-old local man who is said to have hacked the email accounts, obtained the music, and sold it on for a profit.

“He hacked into the email accounts and got hold of unreleased songs, and songs that might have never been released. That makes this case unusual,” Ingblad adds.

The prosecution claims that the man, who denies the charges, made around $12,000 from sales of the tracks. He will go on trial in Sweden next month and will face fines and up to two years in prison. Labels including Sony, Warner and Universal are suing the man and will be seeking damages.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Errata Security: Stop making the NSA the bogeyman of privacy

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Snowden is my hero, but here’s the thing: the NSA is the least of our worries. Firstly, their attention is foreign, not domestic. Secondly, they are relatively uncorrupt. Our attention should be focused on the corrupt domestic law-enforcement agencies, like the ATF, DEA, and FBI.

I mention this because a lot of people seem concerned that the “cyber threat sharing” bills in Congress (CISA/CISPA) will divulge private information to the NSA. This is nonsense. The issue is private information exposed to the FBI and other domestic agencies. It’s the FBI, ATF, or DEA that will come break down your door and arrest you, not the NSA.

We saw that recently when the DEA (Drug Enforcement Administration) was caught slurping up international phone records going back to the 1990s. This appears to be as bad as the NSA phone records program that started the Snowden disclosures.

I know the FBI is corrupt because I’ve experienced it personally, when they threatened me in order to suppress a conference talk. We know they are corrupt in the way they hide cellphone interception devices (“stingray”) from public disclosure. We know they are corrupt because their headquarters is named after J. Edgar Hoover, the notoriously corrupt head of the FBI during much of the last century.

For all that the FBI is horrid, the DEA and the ATF are worse. These are truly scary police-state style agencies which we allow to operate only because their focus is so narrow. Every gun store owner I know has stories of obviously dodgy characters trying to buy guns who they are certain are actually ATF agents doing “sting” operations. One of the many disturbing elements of the “fast and furious” ATF scandal is how they strong-armed gun store owners into complying.

In any case, even if you hate the NSA the most, the NSA’s frightening ability to monitor everything outside the United States means they probably don’t need the domestic “cyber threat information”.

My point is this: stop making the NSA the bogeyman of privacy. Domestic agencies, namely the FBI, are a far greater danger.

Schneier on Security: Lone-Wolf Terrorism

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The Southern Poverty Law Center warns of the rise of lone-wolf terrorism.

From a security perspective, lone wolves are much harder to prevent because there is no conspiracy to detect.

The long-term trend away from violence planned and committed by groups and toward lone wolf terrorism is a worrying one. Authorities have had far more success penetrating plots concocted by several people than individuals who act on their own. Indeed, the lone wolf’s chief asset is the fact that no one else knows of his plans for violence and they are therefore exceedingly difficult to disrupt.

[…]

The temptation to focus on horrific groups like Al Qaeda and the Islamic State is wholly understandable. And the federal government recently has taken steps to address the terrorist threat more comprehensively, with Attorney General Eric Holder announcing the coming reconstitution of the Domestic Terrorism Executive Committee. There has been a recent increase in funding for studies of terrorism and radicalization, and the FBI has produced a number of informative reports.

And Holder seems to understand clearly that lone wolves and small cells are an increasing threat. “It’s something that frankly keeps me up at night, worrying about the lone wolf or a group of people, a very small group of people, who decide to get arms on their own and do what we saw in France,” he said recently.

Jim Harper of the Cato Institute wrote about this in 2009 after the Fort Hood shooting.

Krebs on Security: FBI Warns of Fake Govt Sites, ISIS Defacements

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing Websites using known vulnerabilities in WordPress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers.

According to the FBI, ISIS sympathizers are targeting WordPress Web sites and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international sites. The agency said the attackers are mainly exploiting known flaws in WordPress plug-ins for which security updates are already available.

The public service announcement (PSA) coincides with a less public alert that the FBI released to its InfraGard members, a partnership between the FBI and private industry partners. That alert noted that several extremist hacking groups indicated they would participate in an operation dubbed #OpIsrael, which will target Israeli and Jewish Web sites to coincide with Holocaust Remembrance Day (Apr. 15-16).

“The FBI assesses members of at least two extremist hacking groups are currently recruiting participants for the second anniversary of the operation, which started on 7 April 2013, and coincides with Holocaust Remembrance Day,” the InfraGard alert notes. “These groups, typically located in the Middle East and North Africa, routinely conduct pro-extremist, anti-Israeli, and anti-Western cyber operations.”

Experts say there may be no actual relationship between these defacements and Islamist militants. In any case, if you run a Web site powered by WordPress — or any other content management system (CMS) — please take a few moments today to ensure that the CMS itself is up-to-date with the latest patches, and apply all available fixes for any installed plug-ins.

The FBI also issued an unrelated PSA advising people to be wary of fake government Web sites set up to take advantage of search engine optimization techniques that try to get the sites listed prominently in search results when searching for government services online. The FBI explains the scam thusly:

“Victims use a search engine to search for government services such as obtaining an Employer Identification Number (EIN) or replacement social security card. The fraudulent criminal websites are the first to appear in search results, prompting the victims to click on the fraudulent government services website. The victim completes the required fraudulently posted forms for the government service they need. The victim submits the form online, believing they are providing their PII to government agencies such as the Internal Revenue Service, Social Security Administration, or similar agency based on the service they need.”

“Once the forms are completed and submitted, the fraudulent website usually requires a fee to complete the service requested. The fees typically range from $29 to $199 based on the government service requested. Once the fees are paid the victim is notified they need to send their birth certificate, driver’s license, employee badge, or other personal items to a specified address. The victim is then told to wait a few days to several weeks for processing.”

“By the time the victim realizes it is a scam, they may have had extra charges billed to their credit/debit card, had a third-party designee added to their EIN card, and never received the service(s) or documents requested. Additionally, all of their PII data has been compromised by the criminals running the websites and can be used for any number of illicit purposes. The potential harm gets worse for those who send their birth certificate or other government-issued identification to the perpetrator.”

The FBI advises consumers to use search engines or other websites to research the advertised services or person/company you plan to deal with. Search the Internet for any negative feedback or reviews on the government services company, their Web site, their e-mail addresses, telephone numbers, or other searchable identifiers. Fly-by-night scam Web sites often have little or no reputation — i.e., they haven’t been online that long. A simple WHOIS Web site registration record search will often reveal scam domains as just recently having been put online.
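The domain-age check described above, automated: a small Python example added here (not part of the original post or of any FBI guidance) that parses the creation date out of a WHOIS record and flags domains registered only days ago. Both WHOIS records below are constructed samples, not real registrations, and the label and date formats handled are an assumption drawn from common registrar output; real WHOIS responses vary more widely, so a lookup that fails to parse should be treated as “unknown”, not “old”.

```python
import re
from datetime import date, datetime

# Constructed sample WHOIS responses (not real registration records).
SCAM_WHOIS = """\
Domain Name: EXAMPLE-EIN-SERVICES.COM
Registrar: Example Registrar, LLC
Creation Date: 2015-03-28T14:22:11Z
Updated Date: 2015-03-28T14:22:11Z
Registry Expiry Date: 2016-03-28T14:22:11Z
"""

ESTABLISHED_WHOIS = """\
Domain Name: EXAMPLE.GOV
Created On: 01-Jan-1999
Last Updated On: 12-Nov-2014
"""

# Labels registrars commonly use for the creation date (assumption: this
# list is not exhaustive, so unknown formats fall through to None).
_CREATION_LABELS = r"(?:Creation Date|Created On|Registered On|Registration Date|Created)"
_CREATION_RE = re.compile(
    rf"^\s*{_CREATION_LABELS}\s*:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE
)
_DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")


def parse_creation_date(whois_text: str):
    """Return the registration date found in a WHOIS record, or None."""
    match = _CREATION_RE.search(whois_text)
    if not match:
        return None
    raw = match.group(1)
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None


def domain_age_days(whois_text: str, today: date):
    """Days since registration, or None when the record could not be parsed."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    return (today - created).days


def assess_domain(whois_text: str, today: date, max_age_days: int = 90) -> str:
    """Classify a domain as 'recent', 'established' or 'unknown'.

    'unknown' is deliberately not treated as safe: a record we cannot read
    tells us nothing about the site's reputation.
    """
    age = domain_age_days(whois_text, today)
    if age is None:
        return "unknown"
    return "recent" if age < max_age_days else "established"


if __name__ == "__main__":
    # Date chosen to match the constructed records; a real check uses date.today().
    check_day = date(2015, 4, 8)
    for name, record in (("scam sample", SCAM_WHOIS), ("established sample", ESTABLISHED_WHOIS)):
        print(name, domain_age_days(record, check_day), assess_domain(record, check_day))
```

Fold the verdict into whatever triage a helpdesk or SOC already does for “is this government site real?” questions: a “recent” result is a strong reason to look further, while “established” is only one data point, since attackers also buy aged domains.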

Schneier on Security: The Eighth Movie-Plot Threat Contest

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

It’s April 1, and time for another Movie-Plot Threat Contest. This year, the theme is Crypto Wars II. Strong encryption is evil, because it prevents the police from solving crimes. (No, really — that’s the argument.) FBI Director James Comey is going to be hard to beat with his heartfelt litany of movie-plot threats:

“We’re drifting toward a place where a whole lot of people are going to be looking at us with tears in their eyes,” Comey argued, “and say ‘What do you mean you can’t? My daughter is missing. You have her phone. What do you mean you can’t tell me who she was texting with before she disappeared?”

[…]

“I’ve heard tech executives say privacy should be the paramount virtue,” Comey said. “When I hear that, I close my eyes and say, ‘Try to imagine what that world looks like where pedophiles can’t be seen, kidnappers can’t be seen, drug dealers can’t be seen.'”

(More Comey here.)

Come on, Comey. You might be able to scare noobs like Rep. John Carter with that talk, but you’re going to have to do better if you want to win this contest. We heard this same sort of stuff out of then-FBI director Louis Freeh in 1996 and 1997.

This is the contest: I want a movie-plot threat that shows the evils of encryption. (For those who don’t know, a movie-plot threat is a scary-threat story that would make a great movie, but is much too specific to build security policies around. Contest history here.) We’ve long heard about the evils of the Four Horsemen of the Internet Apocalypse — terrorists, drug dealers, kidnappers, and child pornographers. (Or maybe they’re terrorists, pedophiles, drug dealers, and money launderers; I can never remember.) Try to be more original than that. And nothing too science fictional; today’s technology or presumed technology only.

Entries are limited to 500 words — I check — and should be posted in the comments. At the end of the month, I’ll choose five or so semifinalists, and we can all vote and pick the winner.

The prize will be signed copies of the 20th Anniversary Edition of the 2nd Edition of Applied Cryptography, and the 15th Anniversary Edition of Secrets and Lies, both being published by Wiley this year in an attempt to ride the Data and Goliath bandwagon.

Good luck.

Errata Security: What ever it is, CISA isn’t cybersecurity

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

In the next couple months, Congress will likely pass CISA, the Cybersecurity Information Sharing Act. This is a bad police-state thing. It will do little to prevent attacks, but do a lot to increase mass surveillance.

They did not consult us security experts when drafting this bill. If they had, we would have told them the idea doesn’t really work. Companies like IBM and Dell SecureWorks already have massive “cybersecurity information sharing” systems where they hoover up large quantities of threat information from their customers. This rarely allows them to prevent attacks as the CISA bill promises.

In other words, we’ve tried the CISA experiment, and we know it doesn’t really work.

While CISA won’t prevent attacks, it will cause mass surveillance. Most of the information produced by countermeasures is in fact false-positives, triggering on innocent anomalies rather than malicious hackers. Your normal day-to-day activities on the Internet occasionally trigger these false-positives. When this information gets forwarded to law enforcement, it puts everyone in legal jeopardy. It may trigger an investigation, or it may just become evidence about you, for example, showing which porn sites you surf. It’s mass surveillance through random sampling.

That such mass surveillance is the goal is demonstrated by several clauses in the bill, such as how the information can be used in cases of sexual exploitation of minors. If CISA were about prevention, then it would be useless in such cases. But CISA isn’t about prevention, it’s about gathering information after the fact while prosecuting a crime.

Even if CISA could work, it would still be dampened by the fact that government is both incompetent and corrupt. The FBI and DHS do not have adequate technical expertise. We can see that from the incomplete and incorrect warnings they produce. That they are corrupt is demonstrated by the fact that whether something is a “cyber threat indicator” changes according to what is politically correct. Who receives the best information depends upon who is best politically connected. CISA even calls for loyalty oaths to the United States before the government will even consider sharing threat information. Conversely, the FBI today regularly threatens people to suppress them from sharing cyber threat information that would embarrass the politically connected.

I know all this because I’m one of the foremost experts in this field. I created BlackICE Guard, the first intrusion-prevention system (IPS). The IPS is one of the biggest producers of information the government wants to get their hands on. The IPS is also one of the biggest consumers of threat intelligence that government proposes sharing in the other direction. I have sat in the monitoring center gathering data from thousands of customers, and know from personal experience that it’s of limited value in preventing attacks. When I was favored by the FBI, I received special threat information others did not. When I was not in favor with the FBI, I received threats trying to stop me from embarrassing the politically connected.

In summary, CISA does not work. Private industry already has exactly the information sharing the bill proposes, and it doesn’t prevent cyber attacks as CISA claims. On the other side, because of the false-positive problem, CISA does far more to invade privacy than even privacy advocates realize, doing a form of mass surveillance. Even if it could work and privacy could be protected, CISA creates a corrupt system for the politically connected. This is a typical bad police state bill, and not one that anybody should take seriously as something that would stop hackers.

Krebs on Security: Premera Blue Cross Breach Exposes Financial, Medical Records

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Premera Blue Cross, a major provider of health care services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Although Premera isn’t saying so just yet, there are independent indicators that this intrusion is once again the work of state-sponsored espionage groups based in China.

In a statement posted on a Web site set up to share information about the breach — premeraupdate.com — the company said that it learned about the attack on January 29, 2015. Premera said its investigation revealed that the initial attack occurred on May 5, 2014.

“This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and our affiliate brands Vivacity and Connexion Insurance Solutions, Inc,” the company said. Their statement continues:

“Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.

“Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected. The investigation has not determined that any such data was removed from our systems. We also have no evidence to date that such data has been used inappropriately.”

Premera said it will be notifying affected customers in letters sent out via postal mail, and that it will be offering two years of free credit monitoring services through big-three credit bureau Experian.

ANOTHER STATE-SPONSORED ATTACK?

The health care provider said it is working with security firm Mandiant and the FBI in the investigation. Mandiant specializes in tracking and blocking attacks from state-sponsored hacking groups, particularly those based in China. Asked about clues that would suggest a possible actor involved in the breach, Premera deferred to the FBI.

An official with the FBI’s Seattle field office confirmed that the agency is investigating, but declined to discuss details of its findings thus far, citing “the ongoing nature of the investigation.” “Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice,” the FBI said in an emailed statement.

There are indications that this may be the work of the Chinese espionage group tied to the breach disclosed earlier this year at Anthem, an intrusion that affected some 78 million Americans.

On Feb. 9, 2015, KrebsOnSecurity carried an exclusive story pointing to clues in the Anthem breach which suggested that the attackers blamed for that breach — a Chinese state-sponsored hacking group known variously as “Deep Panda,” “Axiom,” “Group 72,” and the “Shell_Crew” — began chipping away at Anthem’s defenses in late April 2014. The evidence revolved around an Internet address that researchers had tied to Deep Panda hacking activity, and that address was used to host a site called we11point.com (Anthem was previously known as Wellpoint prior to its corporate name change in late 2014).

As that story noted, Arlington, Va. based security firm ThreatConnect Inc. tied that Wellpoint look-alike domain to a series of targeted attacks launched in May 2014 that appeared designed to trick Wellpoint employees into downloading malicious software tied to the Deep Panda hacking gang.

On Feb. 27, 2015, ThreatConnect researchers published more information tying the same threat actors and modus operandi to a domain called “prennera.com” (notice the use of the double “n” there to mimic the letter “m”).

“It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure,” ThreatConnect wrote in a blog post three weeks ago.

More on this story as it develops. Stay tuned.

Schneier on Security: Can the NSA Break Microsoft’s BitLocker?

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The Intercept has a new story on the CIA’s — yes, the CIA, not the NSA — efforts to break encryption. These are from the Snowden documents, and talk about a conference called the Trusted Computing Base Jamboree. There are some interesting documents associated with the article, but not a lot of hard information.

There’s a paragraph about Microsoft’s BitLocker, the encryption system used to protect MS Windows computers:

Also presented at the Jamboree were successes in the targeting of Microsoft’s disk encryption technology, and the TPM chips that are used to store its encryption keys. Researchers at the CIA conference in 2010 boasted about the ability to extract the encryption keys used by BitLocker and thus decrypt private data stored on the computer. Because the TPM chip is used to protect the system from untrusted software, attacking it could allow the covert installation of malware onto the computer, which could be used to access otherwise encrypted communications and files of consumers. Microsoft declined to comment for this story.

This implies that the US intelligence community — I’m guessing the NSA here — can break BitLocker. The source document, though, is much less definitive about it.

Power analysis, a side-channel attack, can be used against secure devices to non-invasively extract protected cryptographic information such as implementation details or secret keys. We have employed a number of publically known attacks against the RSA cryptography found in TPMs from five different manufacturers. We will discuss the details of these attacks and provide insight into how private TPM key information can be obtained with power analysis. In addition to conventional wired power analysis, we will present results for extracting the key by measuring electromagnetic signals emanating from the TPM while it remains on the motherboard. We will also describe and present results for an entirely new unpublished attack against a Chinese Remainder Theorem (CRT) implementation of RSA that will yield private key information in a single trace.

The ability to obtain a private TPM key not only provides access to TPM-encrypted data, but also enables us to circumvent the root-of-trust system by modifying expected digest values in sealed data. We will describe a case study in which modifications to Microsoft’s Bitlocker encrypted metadata prevent software-level detection of changes to the BIOS.

Differential power analysis is a powerful cryptanalytic attack. Basically, it examines a chip’s power consumption while it performs encryption and decryption operations and uses that information to recover the key. What’s important here is that this is an attack to extract key information from a chip while it is running. If the chip is powered down, or if it doesn’t have the key inside, there’s no attack.
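To make concrete what the source document means by “modifying expected digest values in sealed data”, and why that hinges on the TPM key, here is a toy model of measured boot and sealing, added as an example (it is not Microsoft’s, the TPM specification’s, or the Intercept’s code). It assumes a simplified TPM: one PCR extended with SHA-256, a secret `tpm_key` that stands in for the chip’s private key, and a seal operation that binds a volume key to an expected PCR value with an HMAC tag. All values are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components) -> bytes:
    """Fold each boot component's measurement into a single PCR (starts at zero)."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


@dataclass
class SealedBlob:
    expected_pcr: bytes   # the "expected digest value" stored in sealed metadata
    ciphertext: bytes
    tag: bytes            # integrity over expected_pcr + ciphertext, keyed by the TPM key


def _keystream(tpm_key: bytes, expected_pcr: bytes, length: int) -> bytes:
    """HMAC-based keystream bound to the expected PCR (toy construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(tpm_key, b"seal" + expected_pcr + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(tpm_key: bytes, secret: bytes, expected_pcr: bytes) -> SealedBlob:
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(tpm_key, expected_pcr, len(secret))))
    tag = hmac.new(tpm_key, b"tag" + expected_pcr + ciphertext, hashlib.sha256).digest()
    return SealedBlob(expected_pcr, ciphertext, tag)


def unseal(tpm_key: bytes, blob: SealedBlob, current_pcr: bytes) -> bytes:
    """Release the secret only if the blob is intact and the platform state matches."""
    expected_tag = hmac.new(tpm_key, b"tag" + blob.expected_pcr + blob.ciphertext,
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob.tag):
        raise ValueError("sealed blob has been tampered with")
    if not hmac.compare_digest(blob.expected_pcr, current_pcr):
        raise ValueError("platform measurements do not match the sealed policy")
    return bytes(a ^ b for a, b in
                 zip(blob.ciphertext, _keystream(tpm_key, blob.expected_pcr, len(blob.ciphertext))))


def rebind(tpm_key: bytes, blob: SealedBlob, new_pcr: bytes) -> SealedBlob:
    """Only a holder of the TPM key can move the policy to a new expected digest."""
    secret = unseal(tpm_key, blob, blob.expected_pcr)
    return seal(tpm_key, secret, new_pcr)


def demo() -> dict:
    tpm_key = b"constructed-tpm-secret-for-demo"   # in hardware this never leaves the chip
    volume_key = b"\x11" * 32                      # stands in for the disk encryption key
    good_boot = [b"BIOS v1.0", b"bootloader", b"os-loader"]
    modified_boot = [b"BIOS v1.0 + modification", b"bootloader", b"os-loader"]
    blob = seal(tpm_key, volume_key, measured_boot(good_boot))
    results = {"good_boot_unseals": unseal(tpm_key, blob, measured_boot(good_boot)) == volume_key}
    # A changed BIOS yields a different PCR, so the sealed key is withheld: the detection works.
    try:
        unseal(tpm_key, blob, measured_boot(modified_boot))
        results["bios_change_detected"] = False
    except ValueError:
        results["bios_change_detected"] = True
    # Editing the expected digest without the TPM key breaks the tag: still detected.
    edited = SealedBlob(measured_boot(modified_boot), blob.ciphertext, blob.tag)
    try:
        unseal(tpm_key, edited, measured_boot(modified_boot))
        results["edit_without_key_detected"] = False
    except ValueError:
        results["edit_without_key_detected"] = True
    # With the TPM key, the expected digest can be legitimately re-bound, so the check no longer fires.
    rebound = rebind(tpm_key, blob, measured_boot(modified_boot))
    results["rebound_with_key_unseals"] = unseal(tpm_key, rebound, measured_boot(modified_boot)) == volume_key
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The four results together are the point of the quoted passage: the BIOS-change check is sound as long as the key that authenticates the expected digest stays inside the chip, and evaporates the moment that key can be read out, which is what the power-analysis work is about. It also illustrates Schneier’s caveat below that a powered-down drive with no key in use gives the side channel nothing to measure.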

I don’t take this to mean that the NSA can take a BitLocker-encrypted hard drive and recover the key. I do take it to mean that the NSA can perform a bunch of clever hacks on a BitLocker-encrypted hard drive while it is running. So I don’t think this means that BitLocker is broken.

But who knows? We do know that the FBI pressured Microsoft into adding a backdoor in BitLocker in 2005. I believe that was unsuccessful.

More than that, we don’t know.

Krebs on Security: Spoofing the Boss Turns Thieves a Tidy Profit

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Judy came within a whisker of losing $315,000 in cash belonging to her employer, a mid-sized manufacturing company in northeast Ohio. Judy’s boss had emailed her, asking her to wire the money to China to pay for some raw materials. The boss, who was traveling abroad at the time, had requested such transfers before — at even higher amounts to manufacturers in China and elsewhere — so the request didn’t seem unusual or suspicious.

Until it did. After Judy sent the wire instructions on to the finance department, something about the email stuck in her head: The message was far more formal-sounding than the tone of voice her boss normally used to express himself via email.

By the time she went back to review the missive and found she’d been scammed by an imposter, it was too late — the employee in charge of initiating wires at her company had already sent it on to the bank. Luckily, Judy’s employer’s bank hadn’t yet processed the wire, and they were able to claw back the funds.

“Judy” is a pseudonym; she asked to remain anonymous so as not to further embarrass herself or her employer. But for every close call like Judy’s there are many more small businesses each week that fall for these scams and lose millions in the process.

Known variously as “CEO fraud” and the “business email compromise,” this swindle is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. In January 2015, the FBI warned that cyber thieves stole nearly $215 million from businesses in the previous 14 months through such scams, which start when crooks spoof or hijack the email accounts of business executives or employees.

In February, con artists made off with a whopping $17.2 million from one of Omaha, Nebraska’s oldest companies — The Scoular Co., an employee-owned commodities trader. According to Omaha.com, an executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so.

The scam email that nearly cost Judy her job appeared to have come from her company’s chief financial officer, who she said is not usually in the office. The message was made to appear as though it was a conversation between the CFO and the CEO, in which the CEO told the CFO that money needed to be wired to China.

“$315,000 is definitely a high amount, but I did a transaction for $1.4 million before, and I wire money to China for goods that we buy from there,” she said. “But truly, the email did bother me. It didn’t feel quite right when it came in, but at no point did I think, ‘this is someone imitating the boss.’”

After sending a co-worker in finance instructions to execute the wire transfer, Judy sent a note to the CFO asking if she should also notify the CEO that the wire had been sent. When the response came back in wording she couldn’t imagine the CFO putting in writing, she studied the forwarded email more closely. Sure enough, Judy discovered the message had been sent from a domain name that was one look-alike letter different from her employer’s true domain name.

Working with investigators, the company determined that the fraudsters had registered the phony domain and associated email account with Vistaprint, which offers a free one-month trial for companies looking to quickly set up a Web site.

“Turns out the scammers set up the domain and email address that morning, the same day as wire request,” Judy said. “When that email came through, the difference didn’t jump out at me. In hindsight, it blows my mind that it doesn’t bother me more than it did. But in the hustle and bustle of the day, I was not on guard for something like this. Now, I’m second-guessing everything.”

Judy’s employer now has a mandatory policy about wire transfers:

“First of all, anytime there is a large wire or payment to make, we have to speak in person, whether that’s face-to-face, or in person on phone,” she said.

In other words, no more initiating large wire transfers because someone asked you to via email. It’s remarkable how much global trade is done via email, and how often both parties to the transaction are oblivious to, or willfully ignorant of, the fact that email is inherently insecure. More remarkable still, this form of fraud occurs in a channel where the victim’s bank has virtually no visibility.

The FBI’s advisory on these scams urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.
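Two posts above turn on the same trick: the Premera and Anthem phishing domains (prennera.com, we11point.com) and the one-letter-off domain that fooled Judy. Here is a Python example, added here and not part of either Krebs post, of the check a mail gateway or a finance team’s inbox rule can run on the sender domain before a wire request is acted on. It assumes a short list of trusted domains (the two real brand domains named in the article plus a constructed `example-corp.com` standing in for Judy’s employer) and a hand-picked table of confusable substitutions; both are assumptions, and the table is far from complete.

```python
from email.utils import parseaddr

# Character sequences that render alike in many fonts. Order matters only in
# that multi-character sequences are rewritten before single characters.
CONFUSABLE = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("cl", "d"),
              ("1", "l"), ("0", "o"), ("5", "s")]


def skeleton(label: str) -> str:
    """Collapse visually confusable sequences so look-alikes compare equal."""
    s = label.lower()
    for seq, replacement in CONFUSABLE:
        s = s.replace(seq, replacement)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one substitution/insertion/deletion counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label (assumption: no multi-part public suffixes like co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def sender_domain(from_header: str) -> str:
    """Domain part of an RFC 5322 From header value."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_domain(domain: str, trusted) -> tuple:
    """Return ('trusted'|'lookalike'|'unrelated', matched trusted domain or None)."""
    d = domain.lower()
    trusted_set = {t.lower() for t in trusted}
    if d in trusted_set:
        return ("trusted", d)
    label = registrable_label(d)
    for t in trusted_set:
        t_label = registrable_label(t)
        if skeleton(label) == skeleton(t_label) or levenshtein(label, t_label) <= 1:
            return ("lookalike", t)
    return ("unrelated", None)


def classify_sender(from_header: str, trusted) -> tuple:
    return classify_domain(sender_domain(from_header), trusted)


# Trusted list: two brand domains named in the article plus a constructed stand-in
# for Judy's employer (not a real company).
TRUSTED = ["premera.com", "wellpoint.com", "example-corp.com"]

if __name__ == "__main__":
    for hdr in ('"CFO" <cfo@example-corp.com>', '"CFO" <cfo@examp1e-corp.com>',
                "it@prennera.com", "hr@we11point.com", "news@krebsonsecurity.com"):
        print(hdr, "->", classify_sender(hdr, TRUSTED))
```

The skeleton comparison catches the m/nn and l/1 swaps the article describes; the edit-distance rule catches the “one letter different” case where no confusable is involved (a dropped or added character). A “lookalike” verdict is a reason to hold the transfer and call the requester on a known number, which is exactly the out-of-band step the FBI advisory recommends.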

Schneier on Security: Attack Attribution and Cyber Conflict

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The vigorous debate after the Sony Pictures breach pitted the Obama administration against many of us in the cybersecurity community who didn’t buy Washington’s claim that North Korea was the culprit.

What’s both amazing — and perhaps a bit frightening — about that dispute over who hacked Sony is that it happened in the first place.

But what it highlights is the fact that we’re living in a world where we can’t easily tell the difference between a couple of guys in a basement apartment and the North Korean government with an estimated $10 billion military budget. And that ambiguity has profound implications for how countries will conduct foreign policy in the Internet age.

Clandestine military operations aren’t new. Terrorism can be hard to attribute, especially the murky edges of state-sponsored terrorism. What’s different in cyberspace is how easy it is for an attacker to mask his identity — and the wide variety of people and institutions that can attack anonymously.

In the real world, you can often identify the attacker by the weaponry. In 2006, Israel attacked a Syrian nuclear facility. It was a conventional attack — military airplanes flew over Syria and bombed the plant — and there was never any doubt who did it. That shorthand doesn’t work in cyberspace.

When the US and Israel attacked an Iranian nuclear facility in 2010, they used a cyberweapon and their involvement was a secret for years. On the Internet, technology broadly disseminates capability. Everyone from lone hackers to criminals to hypothetical cyberterrorists to nations’ spies and soldiers are using the same tools and the same tactics. Internet traffic doesn’t come with a return address, and it’s easy for an attacker to obscure his tracks by routing his attacks through some innocent third party.

And while it now seems that North Korea did indeed attack Sony, the attack it most resembles was conducted by members of the hacker group Anonymous against a company called HBGary Federal in 2011. In the same year, other members of Anonymous threatened NATO, and in 2014, still others announced that they were going to attack ISIS. Regardless of what you think of the group’s capabilities, it’s a new world when a bunch of hackers can threaten an international military alliance.

Even when a victim does manage to attribute a cyberattack, the process can take a long time. It took the US weeks to publicly blame North Korea for the Sony attacks. That was relatively fast; most of that time was probably spent trying to figure out how to respond. Attacks by China against US companies have taken much longer to attribute.

This delay makes defense policy difficult. Microsoft’s Scott Charney makes this point: When you’re being physically attacked, you can call on a variety of organizations to defend you — the police, the military, whoever does antiterrorism security in your country, your lawyers. The legal structure justifying that defense depends on knowing two things: who’s attacking you, and why. Unfortunately, when you’re being attacked in cyberspace, the two things you often don’t know are who’s attacking you, and why.

Whose job was it to defend Sony? Was it the US military’s, because it believed the attack to have come from North Korea? Was it the FBI, because this wasn’t an act of war? Was it Sony’s own problem, because it’s a private company? What about during those first weeks, when no one knew who the attacker was? These are just a few of the policy questions that we don’t have good answers for.

Certainly Sony needs enough security to protect itself regardless of who the attacker was, as do all of us. For the victim of a cyberattack, who the attacker is can be academic. The damage is the same, whether it’s a couple of hackers or a nation-state.

In the geopolitical realm, though, attribution is vital. And not only is attribution hard, providing evidence of any attribution is even harder. Because so much of the FBI’s evidence was classified — and probably provided by the National Security Agency — it was not able to explain why it was so sure North Korea did it. As I recently wrote: “The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong-un’s sign-off on the plan.” Making any of this public would reveal the NSA’s “sources and methods,” something it regards as a very important secret.

Different types of attribution require different levels of evidence. In the Sony case, we saw the US government was able to generate enough evidence to convince itself. Perhaps it had the additional evidence required to convince North Korea it was sure, and provided that over diplomatic channels. But if the public is expected to support any government retaliatory action, they are going to need sufficient evidence made public to convince them. Today, trust in US intelligence agencies is low, especially after the 2003 Iraqi weapons-of-mass-destruction debacle.

What all of this means is that we are in the middle of an arms race between attackers and those that want to identify them: deception and deception detection. It’s an arms race in which the US — and, by extension, its allies — has a singular advantage. We spend more money on electronic eavesdropping than the rest of the world combined, we have more technology companies than any other country, and the architecture of the Internet ensures that most of the world’s traffic passes through networks the NSA can eavesdrop on.

In 2012, then US Secretary of Defense Leon Panetta said publicly that the US — presumably the NSA — has “made significant advances in … identifying the origins” of cyberattacks. We don’t know if this means they have made some fundamental technological advance, or that their espionage is so good that they’re monitoring the planning processes. Other US government officials have privately said that they’ve solved the attribution problem.

We don’t know how much of that is real and how much is bluster. It’s actually in America’s best interest to confidently accuse North Korea, even if it isn’t sure, because it sends a strong message to the rest of the world: “Don’t think you can hide in cyberspace. If you try anything, we’ll know it’s you.”

Strong attribution leads to deterrence. The detailed NSA capabilities leaked by Edward Snowden help with this, because they bolster an image of an almost-omniscient NSA.

It’s not, though — which brings us back to the arms race. A world where hackers and governments have the same capabilities, where governments can masquerade as hackers or as other governments, and where much of the attribution evidence intelligence agencies collect remains secret, is a dangerous place.

So is a world where countries have secret capabilities for deception and deception detection, and are constantly trying to get the best of each other. This is the world of today, though, and we need to be prepared for it.

This essay previously appeared in the Christian Science Monitor.

Schneier on Security: <i>Data and Goliath</i>’s Big Idea

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Data and Goliath is a book about surveillance, both government and corporate. It’s an exploration in three parts: what’s happening, why it matters, and what to do about it. This is a big and important issue, and one that I’ve been working on for decades now. We’ve been on a headlong path of more and more surveillance, fueled by fear (of terrorism, mostly) on the government side, and convenience on the corporate side. My goal was to step back and say “wait a minute; does any of this make sense?” I’m proud of the book, and hope it will contribute to the debate.

But there’s a big idea here too, and that’s the balance between group interest and self-interest. Data about us is individually private, and at the same time valuable to all of us collectively. How do we decide between the two? If President Obama tells us that we have to sacrifice the privacy of our data to keep our society safe from terrorism, how do we decide if that’s a good trade-off? If Google and Facebook offer us free services in exchange for allowing them to build intimate dossiers on us, how do we know whether to take the deal?

There are a lot of these sorts of deals on offer. Waze gives us real-time traffic information, but does it by collecting the location data of everyone using the service. The medical community wants our detailed health data to perform all sorts of health studies and to get early warning of pandemics. The government wants to know all about you to better deliver social services. Google wants to know everything about you for marketing purposes, but will “pay” you with free search, free e-mail, and the like.

Here’s another one I describe in the book: “Social media researcher Reynol Junco analyzes the study habits of his students. Many textbooks are online, and the textbook websites collect an enormous amount of data about how, and how often, students interact with the course material. Junco augments that information with surveillance of his students’ other computer activities. This is incredibly invasive research, but its duration is limited and he is gaining new understanding about how both good and bad students study, and has developed interventions aimed at improving how students learn. Did the group benefit of this study outweigh the individual privacy interest of the subjects who took part in it?”

Again and again, it’s the same trade-off: individual value versus group value.

I believe this is the fundamental issue of the information age, and solving it means careful thinking about the specific issues and a moral analysis of how they affect our core values.

You can see that in some of the debate today. I know hardened privacy advocates who think it should be a crime for people to withhold their medical data from the pool of information. I know people who are fine with pretty much any corporate surveillance but want to prohibit all government surveillance, and others who advocate the exact opposite.

When possible, we need to figure out how to get the best of both: how to design systems that make use of our data collectively to benefit society as a whole, while at the same time protecting people individually.

The world isn’t waiting; decisions about surveillance are being made for us, often in secret. If we don’t figure this out for ourselves, others will decide what they want to do with us and our data. And we don’t want that. I say: “We don’t want the FBI and NSA to secretly decide what levels of government surveillance are the default on our cell phones; we want Congress to decide matters like these in an open and public debate. We don’t want the governments of China and Russia to decide what censorship capabilities are built into the Internet; we want an international standards body to make those decisions. We don’t want Facebook to decide the extent of privacy we enjoy amongst our friends; we want to decide for ourselves.”

In my last chapter, I write: “Data is the pollution problem of the information age, and protecting privacy is the environmental challenge. Almost all computers produce personal information. It stays around, festering. How we deal with it, how we contain it and how we dispose of it, is central to the health of our information economy. Just as we look back today at the early decades of the industrial age and wonder how our ancestors could have ignored pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we addressed the challenge of data collection and misuse.”

That’s it; that’s our big challenge. Some of our data is best shared with others. Some of it can be ‘processed’ (anonymized, maybe) before reuse. Some of it needs to be disposed of properly, either immediately or after a time. And some of it should be saved forever. Knowing what data goes where is a balancing act between group and self-interest, a trade-off that will continually change as technology changes, and one that we will be debating for decades to come.

This essay previously appeared on John Scalzi’s blog Whatever.

TorrentFreak: Cyber Criminals Leak First Episode of “CSI: Cyber”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

CSI: Cyber is the fourth series in the popular CSI franchise.

The police drama, starring Emmy Award winner Patricia Arquette, revolves around the FBI’s Cyber Crime Division which investigates illegal activities on the Internet, including piracy.

The new show is set to premiere tomorrow night but cyber criminals have spoiled the exclusive for CBS.

Ironically, or perhaps fittingly, leaked copies of the first episode surfaced on various pirate sites during the past day. The leaked footage comes from a high quality copy and doesn’t have any visible watermarks.

The leak appears to come from the P2P group “PMP” and is titled “CSI-Cyber-S01E01-HDTV-x264-PMP.”

Leaked CSI Cyber Episode 1

Interestingly, however, the episode isn’t spreading through the usual torrent sites. Instead, it appeared on various streaming services and cyberlockers first, which is quite unusual.

There are no visible clues about the video’s source. It may have come from a promotional screener, or perhaps the leak itself is a promotion? If so, it wouldn’t be the first time that a TV series has been intentionally leaked to gain traction.

From reading the comments of early viewers the pilot is getting mixed reviews. Some love the concept of a cyber CSI, but others are more critical of the various technicalities.

“Wow. Not a good first effort at all. Did they hire any real hackers or anyone with any real working knowledge of hacking?” one cyber ‘criminal’ commented.

Whether CBS plans to alert the FBI’s real “CSI:Cyber” to hunt down the leakers is unknown, but for now they remain on the loose.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: The Democratization of Cyberattack

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The thing about infrastructure is that everyone uses it. If it’s secure, it’s secure for everyone. And if it’s insecure, it’s insecure for everyone. This forces some hard policy choices.

When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA’s program for what is called packet injection–basically, a technology that allows the agency to hack into computers.

Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well.

All of these existed before I wrote about QUANTUM. By using its knowledge to attack others rather than to build up the internet’s defenses, the NSA has worked to ensure that anyone can use packet injection to hack into computers.
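One concrete check a network defender can run for this class of attack, added here as an example and not code from the original essay or from any program, agency or vendor it names: an off-path injector that races the real server cannot suppress the genuine reply, so a passive monitor sees two segments for the same connection and sequence number that carry different bytes, usually with different IP TTLs because the injector sits a different number of hops from the client. The essay gives no detail on how QUANTUM itself operates, so this models only that generic race. The `Segment` fields are an assumption about what a packet sniffer would hand over, and the sample traffic is constructed, not a real capture.

```python
"""Spot an off-path packet-injection race in captured TCP segments.

Added example, not code from the original essay or from any tool it names.
An injector that races the real server cannot delete the genuine segment, so
the monitor sees two segments for the same flow and sequence number carrying
different bytes.  Plain retransmissions repeat identical bytes and are skipped.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Assumed shape of what a sniffer (pcap reader) hands us for one TCP segment."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # sequence number of the first payload byte
    ttl: int        # IP TTL as observed at the monitoring point
    payload: bytes


def find_injection_races(segments):
    """Return one finding per (flow, seq) at which a second, different payload appears.

    The first segment seen for a (flow, seq) is the one the client will normally
    have accepted (a receiver keeps the first copy of a sequence range); any later
    segment for the same range with different bytes lost the race.  Both are reported.
    """
    seen = defaultdict(dict)          # flow -> {seq: {payload: Segment}}
    findings = []
    for seg in segments:
        if not seg.payload:           # pure ACKs carry nothing to race over
            continue
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        variants = seen[flow].setdefault(seg.seq, {})
        if seg.payload in variants:   # exact retransmission, benign
            continue
        if variants:                  # a different payload already claimed this seq
            winner = next(iter(variants.values()))
            findings.append({
                "flow": flow,
                "seq": seg.seq,
                "winner_ttl": winner.ttl,
                "loser_ttl": seg.ttl,
                "ttl_delta": abs(winner.ttl - seg.ttl),
                "winner_payload": winner.payload,
                "loser_payload": seg.payload,
            })
        variants[seg.payload] = seg
    return findings


# Constructed sample traffic (not a real capture): a client fetches a page and an
# off-path injector beats the real server with a redirect for the same sequence number.
CLIENT, SERVER = "192.0.2.25", "198.51.100.10"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
INJECTED = b"HTTP/1.1 302 Found\r\nLocation: http://injected.invalid/\r\n\r\n"
SAMPLE = [
    Segment(CLIENT, 40001, SERVER, 80, 1, 64, b"GET / HTTP/1.1\r\nHost: www.example.net\r\n\r\n"),
    Segment(SERVER, 80, CLIENT, 40001, 1, 51, INJECTED),   # arrives first, from a different hop count
    Segment(SERVER, 80, CLIENT, 40001, 1, 57, GENUINE),    # real reply, a few ms later
    Segment(SERVER, 80, CLIENT, 40001, 1, 57, GENUINE),    # benign retransmission, same bytes
]


def sample_findings():
    """Run the detector over the constructed capture."""
    return find_injection_races(SAMPLE)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['flow']} seq={f['seq']}: TTL {f['winner_ttl']} vs {f['loser_ttl']}, "
              f"{f['winner_payload'][:18]!r} beat {f['loser_payload'][:18]!r}")
```

Retransmissions that repeat identical bytes are deliberately ignored; only a second, different payload for an already-seen sequence number is flagged. A TTL gap on a flagged pair is corroborating evidence rather than proof, since routes change and some middleboxes rewrite TTLs, so treat the payload mismatch as the primary signal.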

This isn’t the only example of once-top-secret US government attack capabilities being used against US government interests. StingRay is a particular brand of IMSI catcher, and is used to intercept cell phone calls and metadata. This technology was once the FBI’s secret, but not anymore. There are dozens of these devices scattered around Washington, DC, as well as the rest of the country, run by who-knows-what government or organization. By accepting the vulnerabilities in these devices so the FBI can use them to solve crimes, we necessarily allow foreign governments and criminals to use them against us.

Similarly, vulnerabilities in phone switches (SS7 switches, for those who like jargon) have long been used by the NSA to locate cell phones. This same technology is sold by the US company Verint and the UK company Cobham to third-world governments, and hackers have demonstrated the same capabilities at conferences. An eavesdropping capability that was built into phone switches to enable lawful intercepts was used by still-unidentified unlawful intercepters in Greece between 2004 and 2005.

These are the stories you need to keep in mind when thinking about proposals to ensure that all communications systems can be eavesdropped on by government. Both the FBI’s James Comey and UK Prime Minister David Cameron recently proposed limiting secure cryptography in favor of cryptography they can have access to.

But here’s the problem: technological capabilities cannot distinguish based on morality, nationality, or legality; if the US government is able to use a backdoor in a communications system to spy on its enemies, the Chinese government can use the same backdoor to spy on its dissidents.

Even worse, modern computer technology is inherently democratizing. Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.

We can’t choose a world where the US gets to spy but China doesn’t, or even a world where governments get to spy and criminals don’t. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It’s security or surveillance.

As long as criminals are breaking into corporate networks and stealing our data, as long as totalitarian governments are spying on their citizens, as long as cyberterrorism and cyberwar remain a threat, and as long as the beneficial uses of computer technology outweigh the harmful uses, we have to choose security. Anything else is just too dangerous.

This essay previously appeared on Vice Motherboard.

TorrentFreak: Pre-Release Movie ‘Hacker’ Indicted By The Feds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Year in and year out dozens of movies leak online, some long before they are set to appear in theaters.

These pre-release leaks are of great concern to Hollywood and the cases often see the FBI become involved. But despite law enforcement’s best efforts the leakers are seldom identified.

This week, however, a federal grand jury in Los Angeles indicted Dutch resident Joey Vogelaar for unlawfully obtaining three Hollywood movies back in November 2010.

The now 28-year-old from Delft allegedly accessed the Sony Pictures Entertainment film “How Do You Know,” Paramount’s “Rango” and the Dreamworks movie “Megamind,” all of which were unreleased at the time.

A copy of the indictment obtained by TF (pdf) shows that Vogelaar, also known under the aliases “TyPeR” and “neXus”, is accused of computer hacking and identity theft. Interestingly, no copyright infringement charges have been filed.

The Dutchman allegedly “hacked” into the computer of a company involved in the production of the three movies. The term “hacking” should be used loosely here, as Vogelaar appears to have accessed the computer with the login credentials of an employee, who’s mentioned by the initials T.H.

How the man obtained the login credentials is unknown, but it’s not unlikely that they were already available online.

For the computer hacking charge Vogelaar faces five years in prison, and a possible identity theft sentence could add two more years – if he’s extradited to the United States.

First the defendant will have to be served but according to his father, Ben, they haven’t yet been informed of the charges. “We’ll wait, it’ll be okay,” he says.

The Department of Justice is taking the case very seriously, especially with the Sony hack fresh in mind. This hack put cybersecurity firmly back on top of the political agenda and in part triggered President Obama’s new cybersecurity plans.

MPAA CEO Chris Dodd said that because of hackers certain companies have their “digital products exposed and available online for anyone to loot.”

“That’s why law enforcement must be given the resources they need to police these criminal activities,” Dodd noted at the time.


Schneier on Security: Everyone Wants You To Have Security, But Not from Them

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In December, Google’s Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: “If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place to not keep it is anywhere else.”

That surprised me, because Google collects all of your information to show you more targeted advertising. Surveillance is the business model of the Internet, and Google is one of the most successful companies at that. To claim that Google protects your privacy better than anyone else is to profoundly misunderstand why Google stores your data for free in the first place.

I was reminded of this last week when I appeared on Glenn Beck’s show along with cryptography pioneer Whitfield Diffie. Diffie said:

You can’t have privacy without security, and I think we have glaring failures in computer security in problems that we’ve been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they’re very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I’m not sure of any practical alternative.

That neatly explains Google. Eric Schmidt does want your data to be secure. He wants Google to be the safest place for your data, as long as you don’t mind the fact that Google has access to your data. Facebook wants the same thing: to protect your data from everyone except Facebook. Hardware companies are no different. Last week, we learned that Lenovo computers shipped with a piece of adware called Superfish that broke users’ security to spy on them for advertising purposes.

Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it’s not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there’s no security it can’t break.

Corporations want access to your data for profit; governments want it for security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.

I wrote about this in my latest book, Data and Goliath:

Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we’re reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we’re interested in. The benefits of surveillance in these and other applications are real, and significant.

Like Diffie, I’m not sure there is any practical alternative. The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices.

Those “someones” will necessarily be able to violate our privacy, either by deliberately peeking at our data or by having such lax security that they’re vulnerable to national intelligence agencies, cybercriminals, or both. Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions (yes, billions) of cell phones worldwide. That was possible because we consumers don’t want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.

We’ll never solve these security problems as long as we’re our own worst enemy. That’s why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.

This essay previously appeared on Forbes.com.

Krebs on Security: FBI: $3M Bounty for ZeuS Trojan Author

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The FBI this week announced it is offering a $3 million (USD) bounty for information leading to the arrest and conviction of one Evgeniy Mikhailovich Bogachev, a Russian man the government believes is responsible for building and distributing the ZeuS banking Trojan.

Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts — mainly from small- to mid-sized businesses based in the United States and Europe. Bogachev also is accused of being part of a crime gang that infected tens of millions of computers, harvested huge volumes of sensitive financial data, and rented the compromised systems to other hackers, spammers and online extortionists.

So much of the intelligence gathered about Bogachev and his alleged accomplices has been scattered across various court documents and published reports over the years, but probably just as much on this criminal mastermind and his associates has never seen the light of day. What follows is a compendium of knowledge — a bit of a dossier, if you will — of Bogachev and his trusted associates.

I first became aware of Bogachev by his nickname at the time, “Slavik,” in June 2009, after writing about a $415,000 cyberheist against Bullitt County, Kentucky. I was still working for The Washington Post then, but that story would open the door to sources who were tracking the activities of an organized cybercrime gang that spanned from Ukraine and Russia to the United Kingdom.

Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. “lucky12345”, “slavik”, “Pollingsoon”. Source: FBI.gov “most wanted, cyber.”

Not long after that Bullitt County cyberheist story ran, I heard from a source who’d hacked the Jabber instant message server that these crooks were using to plan and coordinate their cyberheists. The members of this crew quickly became regular readers of my Security Fix blog at The Post after seeing their exploits detailed on the blog.

They also acknowledged in their chats that they’d been in direct contact with the Zeus author himself — and that the gang had hired the malware author to code a custom version of the Trojan that would later become known as “Jabberzeus.” The “jabber” part of the name is a reference to a key feature of the malware that would send a Jabber instant message to members of the gang anytime a new victim logged into a bank account that had a high balance.

Here’s a snippet from that chat, translated from Russian. “Aqua” was responsible for recruiting and managing a network of “money mules” to help cash out the payroll accounts that these crooks were hijacking with the help of their custom Jabberzeus malware. “Dimka” is Aqua’s friend, and Aqua explains to him that they hired the ZeuS author to create the custom malware and help them troubleshoot it. But Aqua is unhappy because the ZeuS author declined to help them keep it undetectable by commercial antivirus tools.

dimka: I read about the king of seas, was that your handiwork?

aqua: what are you talking about?

dimka: zeus

aqua: yes, we are using it right now. its developer sits with us on the system

dimka: it seems to be very popular right now

aqua: but that fucker annoyed the hell out of everyone. he refuses to write bypass of [anti-malware] scans, and trojan penetration is only 35-40%. we need better

aqua: http://voices.washingtonpost.com/securityfix read this. here you find almost everything about us

aqua: we’re using this [custom] system. we are the Big Dog. the rest using Zeus are doing piddly crap.

Days later, other members of the Jabberzeus crew were all jabbering about the Bullitt County cyberheist story. The individual who uses the nickname “tank” in the conversation below managed money mules for the gang and helped coordinate the exchange of stolen banking credentials. Tank begins the conversation by pasting a link to my Washington Post story about the Bullitt County hack.

tank@incomeet.com: That is about us. Only the figures are fairytales. 

haymixer@jabber.ru/dimarikk: This was from your botnet account. Apparently, this is why our hosters in service rejected the old ones. They caused a damn commotion.

tank@incomeet.com: I have already become paranoid over this. Such bullshit as this in the Washington Post.

haymixer@jabber.ru/dimarikk: I almost dreamed of this bullshit at night. He writes about everything that I touch in any manner…Klik Partners, ESTHost, MCCOLO…

tank@incomeet.com: Now you are not alone. Just 2 weeks before this I contacted him as an expert to find out anything new. It turns out that he wrote this within 3 days. Now we also will dream about him.

In a separate conversation between Tank and the Zeus author (using the nickname “lucky12345″ here), the two complain about news coverage of Zeus:

tank: Are you there?

tank: This is what they damn wrote about me.

tank: [pasting a link to the Washington Post story]

tank: I’ll take a quick look at history

tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court

tank: Well, you got it from that cash-in.

lucky12345: From 200k?

tank: Well, they are not the right amounts and the cash out from that account was shitty.

tank: Levak was written there.

tank: Because now the entire USA knows about Zeus.

tank: :(

lucky12345: It’s fucked.

After the Bullitt County story, my source and I tracked this gang as they hit one small business after another. In the ensuing six months before my departure from The Post, I wrote about this gang’s attacks against more than a dozen companies in the United States.

By this time, Slavik was openly selling the barebones ZeuS Trojan code that Jabberzeus was built on to anyone who could pay several thousand dollars for the crimeware kit. There is evidence he also was using his own botnet kit or at least taking a fee to set up instances of it on behalf of buyers. In late 2009, security researchers had tracked dozens of Zeus control servers that phoned home to domains which bore his nickname, such as slaviki-res1.com, slavik1[dot]com, slavik2[dot]com, slavik3[dot]com, and so on.

On Dec. 13, 2009, one of the Jabberzeus gang’s money mule recruiters, a crook who used the pseudonym “Jim Rogers,” somehow intercepted news I hadn’t shared beyond a few trusted friends at that point: That the Post had eliminated my job in the process of merging the newspaper’s Web site with the dead tree edition. The following is an exchange between Jim Rogers and the above-quoted “tank”.

jim_rogers@jabber.org: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation :) Good news expected exactly by the New Year! Besides us no one reads his column :)

tank@incomeet.com: Mr. Fucking Brian Fucking Kerbs!

I continued to write about new victims of this gang even as I was launching this blog, and in the first year I profiled dozens more companies that were robbed of millions. I only featured victims that had agreed to let me tell their stories. For every story I wrote, there were probably 10-20 victim organizations I spoke with that did not wish to be named.

By January 2010, Slavik was selling access to tens of thousands of hacked PCs to spammers, as well as large email lists from computer systems plundered by his malware. As I wrote in a Feb. 2012 piece, Zeus Trojan Author Ran With Spam Kingpins, Slavik was active on multiple crime forums, not only finding new clients and buyers for his malware but also selling the goods harvested by his own ZeuS-powered botnets.

Eight months later, authorities in the United Kingdom arrested 20 individuals connected to the Jabberzeus crime ring, and charged 11 of them with money laundering and conspiracy to defraud, including Yevhen “Jonni” Kulibaba, the ringleader of the gang, and Yuri “JTK” Konovalenko.

In conjunction with that action, five of the gang’s members in Ukraine also were detained, but very soon after released, including the aforementioned Vyacheslav “Tank” Penchukov and a very clever programmer named Ivan “petr0vich” Klepikov. More details about these two and others connected with the Jabberzeus crew are available from this unsealed 2012 complaint (PDF) from the U.S. Justice Department.

Unsurprisingly, not long after the global law enforcement crackdown, Slavik would announce he was bowing out of the business, handing over the source code for Zeus to a hacker named “Harderman” (a.k.a. “Gribodemon”), the author of a competing crimeware kit called SpyEye (25-year-old Russian man Alexsander Panin pleaded guilty last year to authoring SpyEye).

Near as I can tell, Slavik didn’t quit developing Zeus after the code merger with SpyEye, he just stopped selling it publicly. Rather, it appears he began developing a more robust and private version of Zeus.

Ivan “petr0vich” Klepikov, in an undated photo from his LiveJournal blog.

By late 2011, businesses in the United States and Europe were being hit with a new variant of Zeus called “Gameover” Zeus, which used the collective, global power of the PCs infected with Gameover Zeus to launch crippling distributed denial-of-service (DDoS) attacks against victims and their banks shortly after they were robbed.

In late March 2012, Microsoft announced it had orchestrated a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye. In so doing, the company incurred the wrath of many security researchers when it published in court documents the nicknames, email addresses and other identifying information on the Jabberzeus gang and the Zeus author.

A few months later, the Justice Department officially charged nine men in the Jabberzeus conspiracy, including most of the above named actors and two others — a money mover named Alexey Dmitrievich Bron (a.k.a.”TheHead”) and Alexey “Kusanagi” Tikonov, a programmer from Tomsk, Russia. Chat records intercepted from the incomeet.com server that this crew used for its Jabber instant message communications strongly suggest that Bron and Penchukov (“Tank”) were co-workers in Donetsk, Ukraine, possibly even in the same building.

In June 2014, the U.S. Justice Department joined authorities in many other countries and a large number of security firms in taking down the Gameover ZeuS botnet, which at the time was estimated to have infected more than a million PCs.

It’s nice that the Justice Department has put up such a large bounty for a man responsible for so much financial ruin and cybercrime. Kulibaba (“Jonni”) and his buddy Konovalenko (“Jtk0”) were extradited to the United States. Unfortunately, the rest of the Jabberzeus crew will likely remain free as long as they stick within the borders of Ukraine and/or Russia.

TorrentFreak: Megaupload Programmer Sentenced to a Year in Prison

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

After three years of relative inaction, the criminal case against Megaupload and seven of its employees heated up this week.

Just a few days ago the U.S. authorities arrested Andrus Nomm, one of the indicted Megaupload defendants.

The 36-year-old programmer had been living in the Netherlands but came to the States to take a plea deal.

The Department of Justice announced that Nomm pleaded guilty to criminal copyright infringement and was sentenced to a year and a day in prison.

According to the DoJ statement, Nomm acknowledged that he “was aware that copyright-infringing content was stored on the websites, including copyright protected motion pictures and television programs, some of which contained the ‘FBI Anti-Piracy’ warning.”

“Nomm also admitted that he personally downloaded copyright-infringing files from the Mega websites. Nomm continued to participate in the Mega Conspiracy,” the statement continues.

The authorities are happy with their first victory in this case and are determined to bring the other defendants to the U.S. as well.

“This outcome is the result of years of hard work by our office and our partners from the Criminal Division and the Federal Bureau of Investigation,” U.S. Attorney Dana Boente said.

“The Mega Conspiracy engaged in massive criminal infringement of copyrighted works on the Internet, and we are confident that this case will be a sign to those who would abuse technology for illegal profit,” he added.

Meanwhile, Megaupload’s founder Kim Dotcom slams the U.S. legal system in a comment, but says that he understands Nomm’s decision.

“The US Justice system: An innocent coder pleads guilty after 3 years of DOJ abuse, with no end in sight, in order to move on with his life,” Dotcom tweeted. “I have nothing but compassion and understanding for Andrus Nomm and I hope he will soon be reunited with his son.”

Megaupload lawyer Ira Rothken told TF that the U.S. authorities might have taken advantage of Nomm. As an Estonian citizen living in a foreign country, he was vulnerable and running out of funds.

“The DOJ apparently used Andrus Nomm’s weak financial condition and inability to fight back to manufacture a Hollywood style publicity stunt in the form of a scripted guilty plea in court,” Rothken says.

“The facts mentioned in court, like a lack of cloud filtering of copyrighted works, are civil secondary copyright issues not criminal issues,” he adds.

According to Rothken, the “publicity stunt” reveals how weak the DoJ’s case is.

“The DOJ apparently convinced Andrus Nomm to say the conclusory phrase that Kim Dotcom ‘did not care about protecting copyrights’ and such point shows off the weakness in the DOJ’s case as Megaupload, amongst many other ways of caring, had a robust copyright notice and takedown system which gave direct delete access to major content owners and from which millions of links were removed.”

Nomm’s sentencing for criminal copyright infringement is raising eyebrows among several experts.

In the indictment there was only one example of possible copyright infringement, and that referred to watching a copy of a pirated TV show. For now it remains unclear what other evidence the authorities have.