Posts tagged ‘fbi’

Schneier on Security: The Eighth Movie-Plot Threat Contest

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

It’s April 1, and time for another Movie-Plot Threat Contest. This year, the theme is Crypto Wars II. Strong encryption is evil, because it prevents the police from solving crimes. (No, really — that’s the argument.) FBI Director James Comey is going to be hard to beat with his heartfelt litany of movie-plot threats:

“We’re drifting toward a place where a whole lot of people are going to be looking at us with tears in their eyes,” Comey argued, “and say ‘What do you mean you can’t? My daughter is missing. You have her phone. What do you mean you can’t tell me who she was texting with before she disappeared?”

[…]

“I’ve heard tech executives say privacy should be the paramount virtue,” Comey said. “When I hear that, I close my eyes and say, ‘Try to imagine what that world looks like where pedophiles can’t be seen, kidnappers can’t be seen, drug dealers can’t be seen.'”

(More Comey here.)

Come on, Comey. You might be able to scare noobs like Rep. John Carter with that talk, but you’re going to have to do better if you want to win this contest. We heard this same sort of stuff out of then-FBI director Louis Freeh in 1996 and 1997.

This is the contest: I want a movie-plot threat that shows the evils of encryption. (For those who don’t know, a movie-plot threat is a scary-threat story that would make a great movie, but is much too specific to build security policies around. Contest history here.) We’ve long heard about the evils of the Four Horsemen of the Internet Apocalypse — terrorists, drug dealers, kidnappers, and child pornographers. (Or maybe they’re terrorists, pedophiles, drug dealers, and money launderers; I can never remember.) Try to be more original than that. And nothing too science fictional; today’s technology or presumed technology only.

Entries are limited to 500 words — I check — and should be posted in the comments. At the end of the month, I’ll choose five or so semifinalists, and we can all vote and pick the winner.

The prize will be signed copies of the 20th Anniversary Edition of the 2nd Edition of Applied Cryptography, and the 15th Anniversary Edition of Secrets and Lies, both being published by Wiley this year in an attempt to ride the Data and Goliath bandwagon.

Good luck.

Errata Security: What ever it is, CISA isn’t cybersecurity

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

In the next couple months, Congress will likely pass CISA, the Cybersecurity Information Sharing Act. This is a bad police-state thing. It will do little to prevent attacks, but do a lot to increase mass surveillance.

They did not consult us security experts when drafting this bill. If they had, we would have told them the idea doesn’t really work. Companies like IBM and Dell SecureWorks already have massive “cybersecurity information sharing” systems where they hoover up large quantities of threat information from their customers. This rarely allows them to prevent attacks as the CISA bill promises.

In other words, we’ve tried the CISA experiment, and we know it doesn’t really work.

While CISA won’t prevent attacks, it will cause mass surveillance. Most of the information produced by countermeasures is in fact false-positives, triggering on innocent anomalies rather than malicious hackers. Your normal day-to-day activities on the Internet occasionally trigger these false-positives. When this information gets forwarded to law enforcement, it puts everyone in legal jeopardy. It may trigger an investigation, or it may just become evidence about you, for example, showing which porn sites you surf. It’s mass surveillance through random sampling.

That such mass surveillance is the goal is demonstrated by several clauses in the bill, such as how the information can be used in cases of sexual exploitation of minors. If CISA were about prevention, then it would be useless in such cases. But CISA isn’t about prevention, it’s about gathering information after the fact while prosecuting a crime.

Even if CISA could work, it would still be dampened by the fact that government is both incompetent and corrupt. The FBI and DHS do not have adequate technical expertise. We can see that from the incomplete and incorrect warnings they produce. That they are corrupt is demonstrated by the way whether something is a “cyber threat indicator” changes according to what is politically correct. Who receives the best information depends upon who is best politically connected. CISA even calls for loyalty oaths to the United States before the government will even consider sharing threat information. Conversely, the FBI today regularly threatens people to suppress them from sharing cyber threat information that would embarrass the politically connected.

I know all this because I’m one of the foremost experts in this field. I created BlackICE Guard, the first intrusion-prevention system (IPS). The IPS is one of the biggest producers of information the government wants to get their hands on. The IPS is also one of the biggest consumers of threat intelligence that government proposes sharing in the other direction. I have sat in the monitoring center gathering data from thousands of customers, and know from personal experience that it’s of limited value in preventing attacks. When I was favored by the FBI, I received special threat information others did not. When I was not in favor with the FBI, I received threats trying to stop me from embarrassing the politically connected.

In summary, CISA does not work. Private industry already has exactly the information sharing the bill proposes, and it doesn’t prevent cyber attacks as CISA claims. On the other side, because of the false-positive problem, CISA does far more to invade privacy than even privacy advocates realize, doing a form of mass surveillance. Even if it could work and privacy could be protected, CISA creates a corrupt system for the politically connected. This is a typical bad police state bill, and not one that anybody should take seriously as something that would stop hackers.

Krebs on Security: Premera Blue Cross Breach Exposes Financial, Medical Records

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Premera Blue Cross, a major provider of health care services, disclosed today that an intrusion into its network may have resulted in the breach of financial and medical records of 11 million customers. Although Premera isn’t saying so just yet, there are independent indicators that this intrusion is once again the work of state-sponsored espionage groups based in China.

In a statement posted on a Web site set up to share information about the breach — premeraupdate.com — the company said that it learned about the attack on January 29, 2015. Premera said its investigation revealed that the initial attack occurred on May 5, 2014.

“This incident affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and our affiliate brands Vivacity and Connexion Insurance Solutions, Inc,” the company said. Their statement continues:

“Our investigation determined that the attackers may have gained unauthorized access to applicants and members’ information, which could include member name, date of birth, email address, address, telephone number, Social Security number, member identification numbers, bank account information, and claims information, including clinical information. This incident also affected members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska.

“Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected. The investigation has not determined that any such data was removed from our systems. We also have no evidence to date that such data has been used inappropriately.”

Premera said it will be notifying affected customers in letters sent out via postal mail, and that it will be offering two years of free credit monitoring services through big-three credit bureau Experian.

ANOTHER STATE-SPONSORED ATTACK?

The health care provider said it is working with security firm Mandiant and the FBI in the investigation. Mandiant specializes in tracking and blocking attacks from state-sponsored hacking groups, particularly those based in China. Asked about clues that would suggest a possible actor involved in the breach, Premera deferred to the FBI.

An official with the FBI’s Seattle field office confirmed that the agency is investigating, but declined to discuss details of its findings thus far, citing “the ongoing nature of the investigation.” “Cybercrime remains a significant threat and the FBI will continue to devote substantial resources and efforts to bringing cyber criminals to justice,” the FBI said in an emailed statement.

There are indications that this may be the work of the Chinese espionage group tied to the breach disclosed earlier this year at Anthem, an intrusion that affected some 78 million Americans.

On Feb. 9, 2015, KrebsOnSecurity carried an exclusive story pointing to clues in the Anthem breach which suggested that the attackers blamed for that breach — a Chinese state-sponsored hacking group known variously as “Deep Panda,” “Axiom,” “Group 72,” and the “Shell_Crew” — began chipping away at Anthem’s defenses in late April 2014. The evidence revolved around an Internet address that researchers had tied to Deep Panda hacking activity, and that address was used to host a site called we11point.com (Anthem was previously known as Wellpoint prior to its corporate name change in late 2014).

As that story noted, Arlington, Va. based security firm ThreatConnect Inc. tied that Wellpoint look-alike domain to a series of targeted attacks launched in May 2014 that appeared designed to trick Wellpoint employees into downloading malicious software tied to the Deep Panda hacking gang.

On Feb. 27, 2015, ThreatConnect researchers published more information tying the same threat actors and modus operandi to a domain called “prennera.com” (notice the use of the double “n” there to mimic the letter “m”).

“It is believed that the prennera[.]com domain may have been impersonating the Healthcare provider Premera Blue Cross, where the attackers used the same character replacement technique by replacing the ‘m’ with two ‘n’ characters within the faux domain, the same technique that would be seen five months later with the we11point[.]com command and control infrastructure,” ThreatConnect wrote in a blog post three weeks ago.

More on this story as it develops. Stay tuned.

Schneier on Security: Can the NSA Break Microsoft’s BitLocker?

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The Intercept has a new story on the CIA’s — yes, the CIA, not the NSA — efforts to break encryption. These are from the Snowden documents, and talk about a conference called the Trusted Computing Base Jamboree. There are some interesting documents associated with the article, but not a lot of hard information.

There’s a paragraph about Microsoft’s BitLocker, the encryption system used to protect MS Windows computers:

Also presented at the Jamboree were successes in the targeting of Microsoft’s disk encryption technology, and the TPM chips that are used to store its encryption keys. Researchers at the CIA conference in 2010 boasted about the ability to extract the encryption keys used by BitLocker and thus decrypt private data stored on the computer. Because the TPM chip is used to protect the system from untrusted software, attacking it could allow the covert installation of malware onto the computer, which could be used to access otherwise encrypted communications and files of consumers. Microsoft declined to comment for this story.

This implies that the US intelligence community — I’m guessing the NSA here — can break BitLocker. The source document, though, is much less definitive about it.

Power analysis, a side-channel attack, can be used against secure devices to non-invasively extract protected cryptographic information such as implementation details or secret keys. We have employed a number of publically known attacks against the RSA cryptography found in TPMs from five different manufacturers. We will discuss the details of these attacks and provide insight into how private TPM key information can be obtained with power analysis. In addition to conventional wired power analysis, we will present results for extracting the key by measuring electromagnetic signals emanating from the TPM while it remains on the motherboard. We will also describe and present results for an entirely new unpublished attack against a Chinese Remainder Theorem (CRT) implementation of RSA that will yield private key information in a single trace.

The ability to obtain a private TPM key not only provides access to TPM-encrypted data, but also enables us to circumvent the root-of-trust system by modifying expected digest values in sealed data. We will describe a case study in which modifications to Microsoft’s Bitlocker encrypted metadata prevents software-level detection of changes to the BIOS.

Differential power analysis is a powerful cryptanalytic attack. Basically, it examines a chip’s power consumption while it performs encryption and decryption operations and uses that information to recover the key. What’s important here is that this is an attack to extract key information from a chip while it is running. If the chip is powered down, or if it doesn’t have the key inside, there’s no attack.

I don’t take this to mean that the NSA can take a BitLocker-encrypted hard drive and recover the key. I do take it to mean that the NSA can perform a bunch of clever hacks on a BitLocker-encrypted hard drive while it is running. So I don’t think this means that BitLocker is broken.
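To make the distinction above concrete (key material can be read off a chip only while the chip is computing with it, and once an attacker holds the key the “expected digest” inside sealed data is no longer trustworthy), here is an added illustration in Python. It is not from the Intercept documents, the CIA presentation or Microsoft. The “power trace” is a symbolic list of square and multiply operations (simple power analysis, a cruder relative of differential power analysis), the RSA key is tiny, and the seal/unseal format is a toy stand-in for real TPM sealing; `leaky_modexp`, `recover_exponent`, `pcr_extend`, `seal`, `unseal`, `reseal_to_new_digest` and `attack_demo` are hypothetical names for this example only.

```python
import hashlib
import hmac
import os

# ---- Part 1: key recovery from a trace of a running chip (SPA, simplified) ----

def leaky_modexp(base: int, exp: int, mod: int, trace: list) -> int:
    """Left-to-right square-and-multiply with an observable side channel.
    Each squaring appends 'S' and each multiply appends 'M' to `trace`. On a
    real chip the two operations have different power/EM signatures; this
    symbolic trace stands in for that measurement (an assumption of the toy)."""
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":
            result = (result * base) % mod
            trace.append("M")
    return result

def recover_exponent(trace: list) -> int:
    """Read the secret exponent back out of the S/M pattern:
    'S' followed by 'M' is a 1 bit, a lone 'S' is a 0 bit."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("each bit of the trace must begin with a squaring")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)

# ---- Part 2: a toy "seal to firmware measurement" and what the key buys you ----

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, expected_pcr: bytes, secret: bytes) -> bytes:
    """Toy sealing: encrypt (expected_pcr || secret) under the TPM key and MAC it.
    Real TPM sealing uses the storage hierarchy's keys and its own blob format;
    this layout is an assumption for illustration only."""
    nonce = os.urandom(16)
    pt = expected_pcr + secret
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes, current_pcr: bytes):
    """Release the secret only if the blob is intact and the current PCR value
    equals the digest recorded at seal time. Returns None otherwise."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    expected_pcr, secret = pt[:32], pt[32:]
    if not hmac.compare_digest(expected_pcr, current_pcr):
        return None  # firmware measurement changed: refuse to release the secret
    return secret

def reseal_to_new_digest(key: bytes, blob: bytes, new_pcr: bytes) -> bytes:
    """Attacker step: with the TPM key in hand, decrypt the blob, swap in the
    digest of the modified firmware, and re-seal so the change goes undetected."""
    nonce, ct = blob[:16], blob[16:-32]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return seal(key, new_pcr, pt[32:])

def attack_demo() -> dict:
    """Run the whole chain and report what each stage achieved."""
    p, q, e = 1009, 1013, 65537                 # toy RSA, far too small for real use
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                         # the chip's private exponent
    trace = []
    leaky_modexp(pow(12345, e, n), d, n, trace)  # observe a single decryption
    d_recovered = recover_exponent(trace)
    # Stand-in for "TPM key material": both sides derive the sealing key from d.
    victim_key = hashlib.sha256(d.to_bytes(4, "big")).digest()
    attacker_key = hashlib.sha256(d_recovered.to_bytes(4, "big")).digest()
    good_pcr = pcr_extend(b"\x00" * 32, b"BIOS v1 (constructed image)")
    bad_pcr = pcr_extend(b"\x00" * 32, b"BIOS v1 + implant (constructed image)")
    secret = b"volume key (toy)"
    blob = seal(victim_key, good_pcr, secret)
    before = unseal(victim_key, blob, bad_pcr)                  # None: detected
    forged = reseal_to_new_digest(attacker_key, blob, bad_pcr)
    after = unseal(victim_key, forged, bad_pcr)                 # secret released
    return {"exponent_recovered": d_recovered == d,
            "modified_firmware_detected_before": before is None,
            "modified_firmware_detected_after": after is None,
            "secret_released_after": after == secret}

if __name__ == "__main__":
    print(attack_demo())
```

`attack_demo()` reports that the exponent came back from one observed decryption, that the modified firmware measurement was refused before the attack, and that after re-sealing with the recovered key the same modified firmware unseals the secret. The trace exists only while the chip is exponentiating with the key loaded; a powered-off device, or one that never loads the key, gives the analyst nothing to measure, which is the limitation described above.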

But who knows? We do know that the FBI pressured Microsoft into adding a backdoor in BitLocker in 2005. I believe that was unsuccessful.

More than that, we don’t know.

Krebs on Security: Spoofing the Boss Turns Thieves a Tidy Profit

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Judy came within a whisker of losing $315,000 in cash belonging to her employer, a mid-sized manufacturing company in northeast Ohio. Judy’s boss had emailed her, asking her to wire the money to China to pay for some raw materials. The boss, who was traveling abroad at the time, had requested such transfers before — at even higher amounts to manufacturers in China and elsewhere — so the request didn’t seem unusual or suspicious.

Until it did. After Judy sent the wire instructions on to the finance department, something about the email stuck in her head: The message was far more formal-sounding than the tone of voice her boss normally used to express himself via email.

By the time she went back to review the missive and found she’d been scammed by an imposter, it was too late — the employee in charge of initiating wires at her company had already sent it on to the bank. Luckily, Judy’s employer’s bank hadn’t yet processed the wire, and they were able to claw back the funds.

“Judy” is a pseudonym; she asked to remain anonymous so as not to further embarrass herself or her employer. But for every close call like Judy’s there are many more small businesses each week that fall for these scams and lose millions in the process.

Known variously as “CEO fraud,” and the “business email compromise,” this swindle is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.  In January 2015, the FBI warned that cyber thieves stole nearly $215 million from businesses in the previous 14 months through such scams, which start when crooks spoof or hijack the email accounts of business executives or employees.

In February, con artists made off with a whopping $17.2 million from one of Omaha, Nebraska’s oldest companies —  The Scoular Co., an employee-owned commodities trader. According to Omaha.com, an executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so.

The scam email that nearly cost Judy her job appeared to have come from her company’s chief financial officer, who she said is not usually in the office. The message was made to appear as though it was a conversation between the CFO and the CEO, in which the CEO told the CFO that money needed to be wired to China.

“$315,000 is definitely a high amount, but I did a transaction for $1.4 million before, and I wire money to China for goods that we buy from there,” she said. “But truly, the email did bother me. It didn’t feel quite right when it came in, but at no point did I think, ‘this is someone imitating the boss.’”

After sending a co-worker in finance instructions to execute the wire transfer, Judy sent a note to the CFO asking if she should also notify the CEO that the wire had been sent. When the response came back in wording she couldn’t imagine the CFO putting in writing, she studied the forwarded email more closely. Sure enough, Judy discovered the message had been sent from a domain name that was one look-alike letter different from her employer’s true domain name.

Working with investigators, the company determined that the fraudsters had registered the phony domain and associated email account with Vistaprint, which offers a free one-month trial for companies looking to quickly set up a Web site.

“Turns out the scammers set up the domain and email address that morning, the same day as wire request,” Judy said. “When that email came through, the difference didn’t jump out at me. In hindsight, it blows my mind that it doesn’t bother me more than it did. But in the hustle and bustle of the day, I was not on guard for something like this. Now, I’m second-guessing everything.”

Judy’s employer now has a mandatory policy about wire transfers:

“First of all, anytime there is a large wire or payment to make, we have to speak in person, whether that’s face-to-face, or in person on phone,” she said.

In other words, no more initiating large wire transfers because someone asked you to via email. It’s remarkable how much global trade is done via email, and how often both parties to the transaction are oblivious to, or willfully ignorant of, the fact that email is inherently insecure. More remarkable still, this form of fraud occurs in a channel where the victim’s bank has virtually no visibility.

The FBI’s advisory on these scams urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.
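Both the ThreatConnect finding in the Premera story above (prennera.com standing in for premera.com, we11point.com for wellpoint.com) and Judy’s “one look-alike letter different” domain come down to the same check: fold visually confusable character sequences before comparing a sender’s domain with the domains you actually trust, and route any payment request through an out-of-band confirmation regardless of who it appears to be from. The Python below is an added example, not code from Krebs, ThreatConnect or the FBI advisory; the confusable table, the sample message, the domain acme-manufacturing.com and the functions `skeleton`, `edit_distance`, `classify_domain` and `screen_message` are all assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Confusable sequences and the letter each imitates. The first two are the
# substitutions seen in prennera.com and we11point.com; the rest are other
# common swaps. This table is an assumption for the example, not a complete
# homoglyph list.
CONFUSABLES = [("nn", "m"), ("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("cl", "d")]

PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|urgent)\b", re.I)


def skeleton(domain: str) -> str:
    """Fold confusable sequences so a look-alike and the domain it imitates
    collapse to the same string (applied to both sides before comparing)."""
    s = domain.lower().strip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, protected: list) -> str:
    """'trusted' on an exact match, 'lookalike' if it matches only after
    confusable folding or is one edit away, otherwise 'external'."""
    d = domain.lower()
    targets = [p.lower() for p in protected]
    if d in targets:
        return "trusted"
    for p in targets:
        if skeleton(d) == skeleton(p) or edit_distance(d, p) == 1:
            return "lookalike"
    return "external"


def screen_message(raw: str, protected: list) -> dict:
    """Screen one RFC 822 message for the CEO-fraud pattern: look-alike sender
    domain, Reply-To pointing elsewhere, and a request to move money."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", errors="replace")

    sender_class = classify_domain(from_domain, protected)
    findings = []
    if sender_class == "lookalike":
        findings.append("From domain %r imitates a protected domain" % from_domain)
    if reply_domain != from_domain:
        findings.append("Reply-To domain %r differs from From domain %r" % (reply_domain, from_domain))
    money_request = bool(PAYMENT_WORDS.search(body))
    if money_request:
        findings.append("message asks to move money")

    # Policy from the post: look-alikes never reach the inbox; any payment
    # request, even from a genuine address, is confirmed by voice first.
    if sender_class == "lookalike":
        verdict = "quarantine"
    elif money_request:
        verdict = "verify_out_of_band"
    else:
        verdict = "deliver"
    return {"from_domain": from_domain, "sender_class": sender_class,
            "findings": findings, "verdict": verdict}


# Constructed sample message (not from the article): the sender's domain swaps
# "m" for "rn", the same trick as prennera.com.
SAMPLE_EMAIL = """\
From: "Pat Morgan (CFO)" <pmorgan@acrne-manufacturing.com>
To: judy@acme-manufacturing.com
Subject: Fwd: supplier payment
Content-Type: text/plain; charset=utf-8

Judy, per my conversation with the CEO please wire $315,000 to our
supplier's account in China today. I am travelling and hard to reach.
"""

if __name__ == "__main__":
    for dom, prot in [("we11point.com", "wellpoint.com"), ("prennera.com", "premera.com")]:
        print(dom, "->", classify_domain(dom, [prot]))
    print(screen_message(SAMPLE_EMAIL, ["acme-manufacturing.com"]))
```

The skeleton is applied to both the candidate and the protected domain, so a legitimate domain that happens to contain “rn” or “nn” is not itself flagged; only a domain that differs from a trusted one solely by confusable characters, or by a single edit, is classed as a look-alike. A newly registered domain check (the scammers in the story set theirs up the same morning) would be the natural next signal, but it needs a WHOIS or passive-DNS lookup and is left out here to keep the example offline.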

Schneier on Security: Attack Attribution and Cyber Conflict

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The vigorous debate after the Sony Pictures breach pitted the Obama administration against many of us in the cybersecurity community who didn’t buy Washington’s claim that North Korea was the culprit.

What’s both amazing — and perhaps a bit frightening — about that dispute over who hacked Sony is that it happened in the first place.

But what it highlights is the fact that we’re living in a world where we can’t easily tell the difference between a couple of guys in a basement apartment and the North Korean government with an estimated $10 billion military budget. And that ambiguity has profound implications for how countries will conduct foreign policy in the Internet age.

Clandestine military operations aren’t new. Terrorism can be hard to attribute, especially the murky edges of state-sponsored terrorism. What’s different in cyberspace is how easy it is for an attacker to mask his identity — and the wide variety of people and institutions that can attack anonymously.

In the real world, you can often identify the attacker by the weaponry. In 2007, Israel attacked a Syrian nuclear facility. It was a conventional attack — military airplanes flew over Syria and bombed the plant — and there was never any doubt who did it. That shorthand doesn’t work in cyberspace.

When the US and Israel attacked an Iranian nuclear facility in 2010, they used a cyberweapon and their involvement was a secret for years. On the Internet, technology broadly disseminates capability. Everyone from lone hackers to criminals to hypothetical cyberterrorists to nations’ spies and soldiers is using the same tools and the same tactics. Internet traffic doesn’t come with a return address, and it’s easy for an attacker to obscure his tracks by routing his attacks through some innocent third party.

And while it now seems that North Korea did indeed attack Sony, the attack it most resembles was conducted by members of the hacker group Anonymous against a company called HBGary Federal in 2011. In the same year, other members of Anonymous threatened NATO, and in 2014, still others announced that they were going to attack ISIS. Regardless of what you think of the group’s capabilities, it’s a new world when a bunch of hackers can threaten an international military alliance.

Even when a victim does manage to attribute a cyberattack, the process can take a long time. It took the US weeks to publicly blame North Korea for the Sony attacks. That was relatively fast; most of that time was probably spent trying to figure out how to respond. Attacks by China against US companies have taken much longer to attribute.

This delay makes defense policy difficult. Microsoft’s Scott Charney makes this point: When you’re being physically attacked, you can call on a variety of organizations to defend you — the police, the military, whoever does antiterrorism security in your country, your lawyers. The legal structure justifying that defense depends on knowing two things: who’s attacking you, and why. Unfortunately, when you’re being attacked in cyberspace, the two things you often don’t know are who’s attacking you, and why.

Whose job was it to defend Sony? Was it the US military’s, because it believed the attack to have come from North Korea? Was it the FBI, because this wasn’t an act of war? Was it Sony’s own problem, because it’s a private company? What about during those first weeks, when no one knew who the attacker was? These are just a few of the policy questions that we don’t have good answers for.

Certainly Sony needs enough security to protect itself regardless of who the attacker was, as do all of us. For the victim of a cyberattack, who the attacker is can be academic. The damage is the same, whether it’s a couple of hackers or a nation-state.

In the geopolitical realm, though, attribution is vital. And not only is attribution hard, providing evidence of any attribution is even harder. Because so much of the FBI’s evidence was classified — and probably provided by the National Security Agency — it was not able to explain why it was so sure North Korea did it. As I recently wrote: “The agency might have intelligence on the planning process for the hack. It might, say, have phone calls discussing the project, weekly PowerPoint status reports, or even Kim Jong-un’s sign-off on the plan.” Making any of this public would reveal the NSA’s “sources and methods,” something it regards as a very important secret.

Different types of attribution require different levels of evidence. In the Sony case, we saw the US government was able to generate enough evidence to convince itself. Perhaps it had the additional evidence required to convince North Korea it was sure, and provided that over diplomatic channels. But if the public is expected to support any government retaliatory action, they are going to need sufficient evidence made public to convince them. Today, trust in US intelligence agencies is low, especially after the 2003 Iraqi weapons-of-mass-destruction debacle.

What all of this means is that we are in the middle of an arms race between attackers and those that want to identify them: deception and deception detection. It’s an arms race in which the US — and, by extension, its allies — has a singular advantage. We spend more money on electronic eavesdropping than the rest of the world combined, we have more technology companies than any other country, and the architecture of the Internet ensures that most of the world’s traffic passes through networks the NSA can eavesdrop on.

In 2012, then US Secretary of Defense Leon Panetta said publicly that the US — presumably the NSA — has “made significant advances in … identifying the origins” of cyberattacks. We don’t know if this means they have made some fundamental technological advance, or that their espionage is so good that they’re monitoring the planning processes. Other US government officials have privately said that they’ve solved the attribution problem.

We don’t know how much of that is real and how much is bluster. It’s actually in America’s best interest to confidently accuse North Korea, even if it isn’t sure, because it sends a strong message to the rest of the world: “Don’t think you can hide in cyberspace. If you try anything, we’ll know it’s you.”

Strong attribution leads to deterrence. The detailed NSA capabilities leaked by Edward Snowden help with this, because they bolster an image of an almost-omniscient NSA.

It’s not, though — which brings us back to the arms race. A world where hackers and governments have the same capabilities, where governments can masquerade as hackers or as other governments, and where much of the attribution evidence intelligence agencies collect remains secret, is a dangerous place.

So is a world where countries have secret capabilities for deception and deception detection, and are constantly trying to get the best of each other. This is the world of today, though, and we need to be prepared for it.

This essay previously appeared in the Christian Science Monitor.

Schneier on Security: Data and Goliath’s Big Idea

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Data and Goliath is a book about surveillance, both government and corporate. It’s an exploration in three parts: what’s happening, why it matters, and what to do about it. This is a big and important issue, and one that I’ve been working on for decades now. We’ve been on a headlong path of more and more surveillance, fueled by fear (of terrorism mostly) on the government side, and convenience on the corporate side. My goal was to step back and say “wait a minute; does any of this make sense?” I’m proud of the book, and hope it will contribute to the debate.

But there’s a big idea here too, and that’s the balance between group interest and self-interest. Data about us is individually private, and at the same time valuable to all of us collectively. How do we decide between the two? If President Obama tells us that we have to sacrifice the privacy of our data to keep our society safe from terrorism, how do we decide if that’s a good trade-off? If Google and Facebook offer us free services in exchange for allowing them to build intimate dossiers on us, how do we know whether to take the deal?

There are a lot of these sorts of deals on offer. Waze gives us real-time traffic information, but does it by collecting the location data of everyone using the service. The medical community wants our detailed health data to perform all sorts of health studies and to get early warning of pandemics. The government wants to know all about you to better deliver social services. Google wants to know everything about you for marketing purposes, but will “pay” you with free search, free e-mail, and the like.

Here’s another one I describe in the book: “Social media researcher Reynol Junco analyzes the study habits of his students. Many textbooks are online, and the textbook websites collect an enormous amount of data about how, and how often, students interact with the course material. Junco augments that information with surveillance of his students’ other computer activities. This is incredibly invasive research, but its duration is limited and he is gaining new understanding about how both good and bad students study, and has developed interventions aimed at improving how students learn. Did the group benefit of this study outweigh the individual privacy interest of the subjects who took part in it?”

Again and again, it’s the same trade-off: individual value versus group value.

I believe this is the fundamental issue of the information age, and solving it means careful thinking about the specific issues and a moral analysis of how they affect our core values.

You can see that in some of the debate today. I know hardened privacy advocates who think it should be a crime for people to withhold their medical data from the pool of information. I know people who are fine with pretty much any corporate surveillance but want to prohibit all government surveillance, and others who advocate the exact opposite.

When possible, we need to figure out how to get the best of both: how to design systems that make use of our data collectively to benefit society as a whole, while at the same time protecting people individually.

The world isn’t waiting; decisions about surveillance are being made for us, often in secret. If we don’t figure this out for ourselves, others will decide what they want to do with us and our data. And we don’t want that. I say: “We don’t want the FBI and NSA to secretly decide what levels of government surveillance are the default on our cell phones; we want Congress to decide matters like these in an open and public debate. We don’t want the governments of China and Russia to decide what censorship capabilities are built into the Internet; we want an international standards body to make those decisions. We don’t want Facebook to decide the extent of privacy we enjoy amongst our friends; we want to decide for ourselves.”

In my last chapter, I write: “Data is the pollution problem of the information age, and protecting privacy is the environmental challenge. Almost all computers produce personal information. It stays around, festering. How we deal with it, how we contain it and how we dispose of it, is central to the health of our information economy. Just as we look back today at the early decades of the industrial age and wonder how our ancestors could have ignored pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we addressed the challenge of data collection and misuse.”

That’s it; that’s our big challenge. Some of our data is best shared with others. Some of it can be ‘processed’ (anonymized, maybe) before reuse. Some of it needs to be disposed of properly, either immediately or after a time. And some of it should be saved forever. Knowing what data goes where is a balancing act between group and self-interest, a trade-off that will continually change as technology changes, and one that we will be debating for decades to come.

This essay previously appeared on John Scalzi’s blog Whatever.

TorrentFreak: Cyber Criminals Leak First Episode of “CSI: Cyber”

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

CSI: Cyber is the fourth series in the popular CSI franchise.

The police drama, starring Emmy Award winner Patricia Arquette, revolves around the FBI’s Cyber Crime Division which investigates illegal activities on the Internet, including piracy.

The new show is set to premiere tomorrow night but cyber criminals have spoiled the exclusive for CBS.

Ironically, or perhaps fittingly, leaked copies of the first episode surfaced on various pirate sites during the past day. The leaked footage comes from a high quality copy and doesn’t have any visible watermarks.

The leak appears to come from the P2P group “PMP” and is titled “CSI-Cyber-S01E01-HDTV-x264-PMP.”

Leaked CSI Cyber Episode 1

Interestingly, however, the episode isn’t spreading through the usual torrent sites. Instead, it appeared on various streaming services and cyberlockers first, which is quite unusual.

There are no clues to the video’s source. It may have come from a promotional screener, or perhaps the leak itself is a promotion? If so, it wouldn’t be the first time that a TV series has been intentionally leaked to gain traction.

From reading the comments of early viewers the pilot is getting mixed reviews. Some love the concept of a cyber CSI, but others are more critical of the various technicalities.

“Wow. Not a good first effort at all. Did they hire any real hackers or anyone with any real working knowledge of hacking,” one cyber ‘criminal’ commented.

Whether CBS plans to alert the FBI’s real “CSI:Cyber” to hunt down the leakers is unknown, but for now they remain on the loose.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: The Democratization of Cyberattack

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The thing about infrastructure is that everyone uses it. If it’s secure, it’s secure for everyone. And if it’s insecure, it’s insecure for everyone. This forces some hard policy choices.

When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA’s program for what is called packet injection–basically, a technology that allows the agency to hack into computers.

Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well.

All of these existed before I wrote about QUANTUM. By using its knowledge to attack others rather than to build up the internet’s defenses, the NSA has worked to ensure that anyone can use packet injection to hack into computers.
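The essay names packet injection but does not show what it looks like to a defender. The script below is an added example, not code from the original essay and not a description of any agency's tool: it runs the classic man-on-the-side signature over a hand-constructed capture. An injector that races the real server has to reuse the sequence number the client expects, so the capture ends up holding two data segments for the same flow and sequence number with different payloads; the client's TCP stack keeps whichever arrived first and silently drops the later one. The injected copy usually also carries a different IP TTL, because it was emitted from a different hop distance than the real server. The segments, addresses and HTTP bodies are all constructed; in practice they would be read from a pcap with a library such as scapy or dpkt, which is left out so the script runs offline.

```python
"""Spot a man-on-the-side TCP injection in a passive capture (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float        # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int         # TCP sequence number
    ttl: int         # IP TTL as seen on the wire
    payload: bytes   # TCP payload; empty for pure ACKs


@dataclass(frozen=True)
class Finding:
    accepted: Segment   # arrived first: the bytes the client actually acted on
    dropped: Segment    # same flow and seq, different bytes, arrived later
    ttl_delta: int      # absolute TTL difference; non-zero strengthens the case


def find_injections(segments):
    """Return a Finding for every (flow, seq) that carried two different payloads.

    Genuine retransmissions repeat the same bytes and are not reported.
    """
    seen = {}   # (flow, seq) -> segments with distinct payloads, in arrival order
    findings = []
    for s in sorted(segments, key=lambda x: x.ts):
        if not s.payload:
            continue
        key = (s.src, s.sport, s.dst, s.dport, s.seq)
        variants = seen.setdefault(key, [])
        if any(v.payload == s.payload for v in variants):
            continue                      # plain retransmission: same bytes again
        if variants:
            accepted = variants[0]
            findings.append(Finding(accepted, s, abs(accepted.ttl - s.ttl)))
        variants.append(s)
    return findings


# Constructed capture: client 10.0.0.5 fetches a page from 203.0.113.9.
# A forged 302 arrives 8 ms before the real 200, then the real server
# retransmits its reply once (same bytes, so it must not be flagged).
SERVER = ("203.0.113.9", 80)
CLIENT = ("10.0.0.5", 50000)
REAL = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"
FORGED = b"HTTP/1.1 302 Found\r\nLocation: http://203.0.113.200/\r\n\r\n"

SAMPLE_SEGMENTS = [
    Segment(0.000, *CLIENT, *SERVER, seq=1, ttl=64,
            payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Segment(0.012, *SERVER, *CLIENT, seq=1000, ttl=61, payload=FORGED),
    Segment(0.020, *SERVER, *CLIENT, seq=1000, ttl=50, payload=REAL),
    Segment(0.250, *SERVER, *CLIENT, seq=1000, ttl=50, payload=REAL),  # retransmission
]

if __name__ == "__main__":
    for f in find_injections(SAMPLE_SEGMENTS):
        a, d = f.accepted, f.dropped
        print(f"flow {a.src}:{a.sport}->{a.dst}:{a.dport} seq={a.seq}")
        print(f"  accepted (ttl {a.ttl}): {a.payload[:24]!r}")
        print(f"  dropped  (ttl {d.ttl}): {d.payload[:24]!r}  ttl delta {f.ttl_delta}")
```

Two caveats for anyone running this on real traffic: it only catches collisions on the exact same sequence number, so an injector that segments its reply differently would need the comparison normalised by byte offset within the stream, and a TTL delta of zero does not clear a flow, since an injector sitting at the same hop distance as the server produces none.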

This isn’t the only example of once-top-secret US government attack capabilities being used against US government interests. StingRay is a particular brand of IMSI catcher, and is used to intercept cell phone calls and metadata. This technology was once the FBI’s secret, but not anymore. There are dozens of these devices scattered around Washington, DC, as well as the rest of the country, run by who-knows-what government or organization. By accepting the vulnerabilities in these devices so the FBI can use them to solve crimes, we necessarily allow foreign governments and criminals to use them against us.

Similarly, vulnerabilities in phone switches–SS7 switches, for those who like jargon–have been long used by the NSA to locate cell phones. This same technology is sold by the US company Verint and the UK company Cobham to third-world governments, and hackers have demonstrated the same capabilities at conferences. An eavesdropping capability that was built into phone switches to enable lawful intercepts was used by still-unidentified unlawful intercepters in Greece between 2004 and 2005.

These are the stories you need to keep in mind when thinking about proposals to ensure that all communications systems can be eavesdropped on by government. Both the FBI’s James Comey and UK Prime Minister David Cameron recently proposed limiting secure cryptography in favor of cryptography they can have access to.

But here’s the problem: technological capabilities cannot distinguish based on morality, nationality, or legality; if the US government is able to use a backdoor in a communications system to spy on its enemies, the Chinese government can use the same backdoor to spy on its dissidents.

Even worse, modern computer technology is inherently democratizing. Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.

We can’t choose a world where the US gets to spy but China doesn’t, or even a world where governments get to spy and criminals don’t. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It’s security or surveillance.

As long as criminals are breaking into corporate networks and stealing our data, as long as totalitarian governments are spying on their citizens, as long as cyberterrorism and cyberwar remain a threat, and as long as the beneficial uses of computer technology outweigh the harmful uses, we have to choose security. Anything else is just too dangerous.

This essay previously appeared on Vice Motherboard.

TorrentFreak: Pre-Release Movie ‘Hacker’ Indicted By The Feds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Year in and year out dozens of movies leak online, some long before they are set to appear in theaters.

These pre-release leaks are of great concern to Hollywood and the cases often see the FBI become involved. But despite law enforcement’s best efforts the leakers are seldom identified.

This week, however, a federal grand jury in Los Angeles indicted Dutch resident Joey Vogelaar for unlawfully obtaining three Hollywood movies back in November 2010.

The now 28-year-old from Delft allegedly accessed the Sony Pictures Entertainment film “How Do You Know,” Paramount’s “Rango” and the Dreamworks movie “Megamind,” all of which were unreleased at the time.

A copy of the indictment obtained by TF (pdf) shows that Vogelaar, also known under the aliases “TyPeR” and “neXus”, is accused of computer hacking and identity theft. Interestingly, no copyright infringement charges have been filed.

The Dutchman allegedly “hacked” into the computer of a company involved in the production of the three movies. The term “hacking” should be used loosely here, as Vogelaar appears to have accessed the computer with the login credentials of an employee, who is mentioned by the initials T.H.

How the man obtained the login credentials is unknown, but it’s not unlikely that they were already available online.

For the computer hacking charge Vogelaar faces five years in prison, and a possible identity theft sentence could add two more years – if he’s extradited to the United States.

First the defendant will have to be served, but according to his father, Ben, they haven’t yet been informed of the charges. “We’ll wait, it’ll be okay,” he says.

The Department of Justice is taking the case very seriously, especially with the Sony hack fresh in mind. This hack put cybersecurity firmly back on top of the political agenda and in part triggered President Obama’s new cybersecurity plans.

MPAA CEO Chris Dodd said that because of hackers certain companies have their “digital products exposed and available online for anyone to loot.”

“That’s why law enforcement must be given the resources they need to police these criminal activities,” Dodd noted at the time.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: Everyone Wants You To Have Security, But Not from Them

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In December, Google’s Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: “If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place to not keep it is anywhere else.”

That surprised me, because Google collects all of your information to show you more targeted advertising. Surveillance is the business model of the Internet, and Google is one of the most successful companies at that. To claim that Google protects your privacy better than anyone else is to profoundly misunderstand why Google stores your data for free in the first place.

I was reminded of this last week when I appeared on Glenn Beck’s show along with cryptography pioneer Whitfield Diffie. Diffie said:

You can’t have privacy without security, and I think we have glaring failures in computer security in problems that we’ve been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they’re very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I’m not sure of any practical alternative.

That neatly explains Google. Eric Schmidt does want your data to be secure. He wants Google to be the safest place for your data, as long as you don’t mind the fact that Google has access to your data. Facebook wants the same thing: to protect your data from everyone except Facebook. Hardware companies are no different. Last week, we learned that Lenovo computers shipped with a piece of adware called Superfish that broke users’ security to spy on them for advertising purposes.

Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it’s not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there’s no security it can’t break.

Corporations want access to your data for profit; governments want it for security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.

I wrote about this in my latest book, Data and Goliath:

Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we’re reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we’re interested in. The benefits of surveillance in these and other applications are real, and significant.

Like Diffie, I’m not sure there is any practical alternative. The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices.

Those “someones” will necessarily be able to violate our privacy, either by deliberately peeking at our data or by having such lax security that they’re vulnerable to national intelligence agencies, cybercriminals, or both. Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions (yes, billions) of cell phones worldwide. That was possible because we consumers don’t want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.

We’ll never solve these security problems as long as we’re our own worst enemy. That’s why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.

This essay previously appeared on Forbes.com.

Krebs on Security: FBI: $3M Bounty for ZeuS Trojan Author

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The FBI this week announced it is offering a $3 million (USD) bounty for information leading to the arrest and conviction of one Evgeniy Mikhailovich Bogachev, a Russian man the government believes is responsible for building and distributing the ZeuS banking Trojan.

Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts — mainly from small- to mid-sized businesses based in the United States and Europe. Bogachev also is accused of being part of a crime gang that infected tens of millions of computers, harvested huge volumes of sensitive financial data, and rented the compromised systems to other hackers, spammers and online extortionists.

So much of the intelligence gathered about Bogachev and his alleged accomplices has been scattered across various court documents and published reports over the years, but probably just as much on this criminal mastermind and his associates has never seen the light of day. What follows is a compendium of knowledge — a bit of a dossier, if you will — of Bogachev and his trusted associates.

I first became aware of Bogachev by his nickname at the time –“Slavik” — in June 2009, after writing about a $415,000 cyberheist against Bullitt County, Kentucky. I was still working for The Washington Post then, but that story would open the door to sources who were tracking the activities of an organized cybercrime gang that spanned from Ukraine and Russia to the United Kingdom.

Yevgeniy Bogachev, Evgeniy Mikhaylovich Bogachev, a.k.a. “lucky12345”, “slavik”, “Pollingsoon”. Source: FBI.gov “most wanted, cyber.”

Not long after that Bullitt County cyberheist story ran, I heard from a source who’d hacked the Jabber instant message server that these crooks were using to plan and coordinate their cyberheists. The members of this crew quickly became regular readers of my Security Fix blog at The Post after seeing their exploits detailed on the blog.

They also acknowledged in their chats that they’d been in direct contact with the Zeus author himself — and that the gang had hired the malware author to code a custom version of the Trojan that would later become known as “Jabberzeus.” The “jabber” part of the name is a reference to a key feature of the malware that would send a Jabber instant message to members of the gang anytime a new victim logged into a bank account that had a high balance.

Here’s a snippet from that chat, translated from Russian. “Aqua” was responsible for recruiting and managing a network of “money mules” to help cash out the payroll accounts that these crooks were hijacking with the help of their custom Jabberzeus malware. “Dimka” is Aqua’s friend, and Aqua explains to him that they hired the ZeuS author to create the custom malware and help them troubleshoot it. But Aqua is unhappy because the ZeuS author declined to help them keep it undetectable by commercial antivirus tools.

dimka: I read about the king of seas, was that your handiwork?

aqua: what are you talking about?

dimka: zeus

aqua: yes, we are using it right now. its developer sits with us on the system

dimka: it seems to be very popular right now

aqua: but that fucker annoyed the hell out of everyone. he refuses to write bypass of [anti-malware] scans, and trojan penetration is only 35-40%. we need better

aqua: http://voices.washingtonpost.com/securityfix read this. here you find almost everything about us

aqua: we’re using this [custom] system. we are the Big Dog. the rest using Zeus are doing piddly crap.

Days later, other members of the Jabberzeus crew were all jabbering about the Bullitt County cyberheist story. The individual who uses the nickname “tank” in the conversation below managed money mules for the gang and helped coordinate the exchange of stolen banking credentials. Tank begins the conversation by pasting a link to my Washington Post story about the Bullitt County hack.

tank@incomeet.com: That is about us. Only the figures are fairytales. 

haymixer@jabber.ru/dimarikk: This was from your botnet account. Apparently, this is why our hosters in service rejected the old ones. They caused a damn commotion.

tank@incomeet.com: I have already become paranoid over this. Such bullshit as this in the Washington Post.

haymixer@jabber.ru/dimarikk: I almost dreamed of this bullshit at night. He writes about everything that I touch in any manner…Klik Partners, ESTHost, MCCOLO…

tank@incomeet.com: Now you are not alone. Just 2 weeks before this I contacted him as an expert to find out anything new. It turns out that he wrote this within 3 days. Now we also will dream about him.

In a separate conversation between Tank and the Zeus author (using the nickname “lucky12345″ here), the two complain about news coverage of Zeus:

tank: Are you there?

tank: This is what they damn wrote about me.

tank: [pasting a link to the Washington Post story]

tank: I’ll take a quick look at history

tank: Originator: BULLITT COUNTY FISCAL Company: Bullitt County Fiscal Court

tank: Well, you got it from that cash-in.

lucky12345: From 200k?

tank: Well, they are not the right amounts and the cash out from that account was shitty.

tank: Levak was written there.

tank: Because now the entire USA knows about Zeus.

tank: :(

lucky12345: It’s fucked.

After the Bullitt County story, my source and I tracked this gang as they hit one small business after another. In the ensuing six months before my departure from The Post, I wrote about this gang’s attacks against more than a dozen companies in the United States.

By this time, Slavik was openly selling the barebones ZeuS Trojan code that Jabberzeus was built on to anyone who could pay several thousand dollars for the crimeware kit. There is evidence he also was using his own botnet kit or at least taking a fee to set up instances of it on behalf of buyers. In late 2009, security researchers had tracked dozens of Zeus control servers that phoned home to domains which bore his nickname, such as slaviki-res1.com, slavik1[dot]com, slavik2[dot]com, slavik3[dot]com, and so on.

On Dec. 13, 2009, one of the Jabberzeus gang’s money mule recruiters — a crook who used the pseudonym “Jim Rogers” — somehow intercepted news I hadn’t shared beyond a few trusted friends at that point: that the Post had eliminated my job in the process of merging the newspaper’s Web site with the dead tree edition. The following is an exchange between Jim Rogers and the above-quoted “tank”.

jim_rogers@jabber.org: There is a rumor that our favorite (Brian) didn’t get his contract extension at Washington Post. We are giddily awaiting confirmation :) Good news expected exactly by the New Year! Besides us no one reads his column :)

tank@incomeet.com: Mr. Fucking Brian Fucking Kerbs!

I continued to write about new victims of this gang even as I was launching this blog, and in the first year I profiled dozens more companies that were robbed of millions. I only featured victims that had agreed to let me tell their stories. For every story I wrote, there were probably 10-20 victim organizations I spoke with that did not wish to be named.

By January 2010, Slavik was selling access to tens of thousands of hacked PCs to spammers, as well as large email lists from computer systems plundered by his malware. As I wrote in a Feb. 2012 piece, Zeus Trojan Author Ran With Spam Kingpins, Slavik was active on multiple crime forums, not only finding new clients and buyers for his malware, but for the goods harvested by his own botnets powered by ZeuS.

Eight months later, authorities in the United Kingdom arrested 20 individuals connected to the Jabberzeus crime ring, and charged 11 of them with money laundering and conspiracy to defraud, including Yevhen “Jonni” Kulibaba, the ringleader of the gang, and Yuri “JTK” Konovalenko.

In conjunction with that action, five of the gang’s members in Ukraine also were detained, but very soon after released, including the aforementioned Vyacheslav “Tank” Penchukov and a very clever programmer named Ivan “petr0vich” Klepikov. More details about these two and others connected with the Jabberzeus crew are available from this unsealed 2012 complaint (PDF) from the U.S. Justice Department.

Unsurprisingly, not long after the global law enforcement crackdown, Slavik would announce he was bowing out of the business, handing over the source code for Zeus to a hacker named “Harderman” (a.k.a. “Gribodemon”), the author of a competing crimeware kit called SpyEye (25-year-old Russian man Alexsander Panin pleaded guilty last year to authoring SpyEye).

Near as I can tell, Slavik didn’t quit developing Zeus after the code merger with SpyEye, he just stopped selling it publicly. Rather, it appears he began developing a more robust and private version of Zeus.

Ivan “petr0vich” Klepikov, in an undated photo from his LiveJournal blog.

By late 2011, businesses in the United States and Europe were being hit with a new variant of Zeus called “Gameover” Zeus, which used the collective, global power of the PCs infected with Gameover Zeus to launch crippling distributed denial-of-service (DDoS) attacks against victims and their banks shortly after they were robbed.

In late March 2012, Microsoft announced it had orchestrated a carefully planned takedown of dozens of botnets powered by ZeuS and SpyEye. In so doing, the company incurred the wrath of many security researchers when it published in court documents the nicknames, email addresses and other identifying information on the Jabberzeus gang and the Zeus author.

A few months later, the Justice Department officially charged nine men in the Jabberzeus conspiracy, including most of the above named actors and two others — a money mover named Alexey Dmitrievich Bron (a.k.a.”TheHead”) and Alexey “Kusanagi” Tikonov, a programmer from Tomsk, Russia. Chat records intercepted from the incomeet.com server that this crew used for its Jabber instant message communications strongly suggest that Bron and Penchukov (“Tank”) were co-workers in Donetsk, Ukraine, possibly even in the same building.

In June 2014, the U.S. Justice Department joined authorities in many other countries and a large number of security firms in taking down the Gameover ZeuS botnet, which at the time was estimated to have infected more than a million PCs.

It’s nice that the Justice Department has put up such a large bounty for a man responsible for so much financial ruin and cybercrime. Kulibaba (“Jonni”) and his buddy Konovalenko (“Jtk0″) were extradited to the United States. Unfortunately, the rest of the Jabberzeus crew will likely remain free as long as they stick within the borders of Ukraine and/or Russia.


TorrentFreak: Megaupload Programmer Sentenced to a Year in Prison

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

After three years of relative inaction the criminal case against Megaupload and seven of its employees heated up this week.

Just a few days ago the U.S. authorities arrested Andrus Nomm, one of the indicted Megaupload defendants.

The 36-year-old programmer had been living in the Netherlands but came to the States to take a plea deal.

The Department of Justice announced that Nomm pleaded guilty to criminal copyright infringement and was sentenced to a year and a day in prison.

According to the DoJ statement Nomm acknowledged that he “was aware that copyright-infringing content was stored on the websites, including copyright protected motion pictures and television programs, some of which contained the “FBI Anti-Piracy” warning.”

“Nomm also admitted that he personally downloaded copyright-infringing files from the Mega websites. Nomm continued to participate in the Mega Conspiracy,” the statement continues.

The authorities are happy with their first victory in this case and are determined to bring the other defendants to the U.S. as well.

“This outcome is the result of years of hard work by our office and our partners from the Criminal Division and the Federal Bureau of Investigation,” U.S. Attorney Dana Boente said.

“The Mega Conspiracy engaged in massive criminal infringement of copyrighted works on the Internet, and we are confident that this case will be a sign to those who would abuse technology for illegal profit,” he added.

Meanwhile, Megaupload’s founder Kim Dotcom slams the U.S. legal system in a comment, but says that he understands Nomm’s decision.

“The US Justice system: An innocent coder pleads guilty after 3 years of DOJ abuse, with no end in sight, in order to move on with his life,” Dotcom tweeted. “I have nothing but compassion and understanding for Andrus Nomm and I hope he will soon be reunited with his son.”

Megaupload lawyer Ira Rothken told TF that the U.S. authorities might have taken advantage of Nomm. As an Estonian citizen living in a foreign country he was vulnerable, and running out of funds.

“The DOJ apparently used Andrus Nomm’s weak financial condition and inability to fight back to manufacture a hollywood style publicity stunt in the form of a scripted guilty plea in court,” Rothken says.

“The facts mentioned in court, like a lack of cloud filtering of copyrighted works, are civil secondary copyright issues not criminal issues,” he adds.

According to Rothken the “publicity stunt” reveals how weak the DoJ’s case is.

“The DOJ apparently convinced Andrus Nomm to say the conclusory phrase that Kim Dotcom “did not care about protecting copyrights” and such point shows off the weakness in the DOJ’s case as Megaupload, amongst many other ways of caring, had a robust copyright notice and takedown system which gave direct delete access to major content owners and from which millions of links were removed.”

Nomm’s sentencing for criminal copyright infringement is raising eyebrows among several experts.

In the indictment there was only one example of possible copyright infringement, and that referred to watching a copy of a pirated TV-show. For now it remains unclear what other evidence the authorities have.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: Megaupload Programmer Arrested in The U.S.

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Acting on a lead from the entertainment industry, the U.S. Government shut down Megaupload in early 2012.

Since then the case hasn’t progressed much. Kim Dotcom’s extradition hearing has been delayed time and time again, while most of the recent court proceedings have dealt with how the seized assets should be handled.

However, during the weeks to come the case is likely to heat up again as U.S. authorities have just arrested Andrus Nomm, one of the indicted Megaupload defendants.

The 36-year-old programmer had been living in the Netherlands awaiting his extradition hearing, but was arrested in Alexandria, Virginia yesterday.

The unusual arrest after more than three years could suggest that Nomm made a deal to testify against Dotcom and his former colleagues.

That suspicion is confirmed by Megaupload lawyer Ira Rothken, who told the NZHerald that Nomm “either agreed to come to the US or is involved in some sort of deal.”

Nomm’s arrest warrant, filed yesterday

In the indictment Nomm is described as a software programmer and Head of the Development of Megaupload’s Software Division. In 2010 he received $100,000 for his work at the now defunct file-hosting service.

Nomm is also accused of watching at least one copy of a pirated TV-show.

“On or about December 5, 2008, NOMM sent VAN DER KOLK an e-mail, which included a screenshot of NOMM’s account using Megavideo.com to watch an infringing episode of the copyrighted television show Chuck,” the indictment reads.

Megaupload lawyer Ira Rothken believes that U.S. authorities took advantage of Nomm. As an Estonian citizen living in a foreign country he was vulnerable, and running out of funds.

“Given he didn’t have anymore resources, it was expected the US would take advantage. This is to be expected where the US Department of Justice, in an experimental case, is trying to get folks scared and to testify in certain ways,” Rothken says.

“If these folks testify truthfully it would be of no benefit to the US,” he adds.

The U.S. authorities have yet to comment on the arrest and the possibility of a plea deal.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: If Pirate Bay is an FBI Trap it Isn’t a Very Good One

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

When confronted with an outrageous story this week our immediate thoughts were to ignore it in the hope that it would quickly go away. Sadly that isn’t how things have played out.

Faced with the fantastic and outrageous proposition that The Pirate Bay’s return was facilitated by United States’ authorities keen to position the site as an FBI-run honeypot, the temptation to regurgitate the ‘news’ was just too great for several big publications.

As the week progressed, more and more sites reported on the doomsday scenario with varying levels of excitement and belief. For our part we dismissed the story as nonsense. But with Sunday here and time on our hands, let’s pretend that the allegations are true and that the FBI has indeed commandeered the world’s most notorious torrent site.

Operation Swedish Massage

After water-boarding login information out of the site’s former admin, Special Agent Phil Share takes control of TPB and begins gathering evidence on millions of users. The data volumes involved quickly become unwieldy. The site can log IP addresses but there are only so many the feds can process. The feds start incurring expensive overtime pay and those holding the purse strings become unhappy.

IP address bonanza

In the face of rising costs, Agent Share has to justify the overtime to his seniors. He finds it extremely difficult. While he does indeed have every IP address of every person visiting the site, obstacles are many.

First, he has no idea who these people are without obtaining their details from their ISPs. Second, and perhaps most importantly, he can only produce a subpoena after reasonably showing that these people have committed an offense.

Then it dawns on him: browsing a website – even The Pirate Bay – is not a crime. He has millions of IP addresses but zero proof that any have committed any offenses, even those that download .torrent files from the site. There has to be another way.

The Pirate Bay is just the beginning

Eventually our friendly Special Agent comes to realize that if he wants evidence of infringement he’ll need to spread his wings a little. Sure, his access to The Pirate Bay databases may give him the IP and email addresses of the minority who signed up for an account, and that could even include information on big uploaders, but the former aren’t of much interest and the latter tend to hide their identities anyway.

No, proof of actual infringement is needed here and for that he’s going to need to connect to outside trackers or DHT, the mechanisms through which peers in torrent swarms are able to find each other and the content being shared. He heads back to his boss to ask for more resources and more money. He gets it.

Getting closer

With fistfuls of crisp dollars in hand, Special Agent Share starts exploring public trackers in order to find the IP addresses of people sharing illegal content. At last, here is the goldmine he’s been looking for. Over the course of the next few weeks he collects the IP addresses of individuals sharing infringing content and goes to court to obtain a subpoena against their ISPs. He’s now within reach of obtaining their identities.

More money please

With his project so near to completion, our Agent requests more funds to finally unveil the perpetrators. Just before signing off on yet more cash, the FBI’s chief purse-string controller asks: “These are Pirate Bay users, right?”

“Some are but not necessarily all,” he responds. “I pulled the data from a public tracker used by the site.”

Two words in the sentence interest the spy-funding accountant. “Public tracker?” he questions. “Aren’t those publicly available resources that ANYONE can get information from for FREE?”

“Yes sir,” Share confirms.

“And we needed The Pirate Bay for what exactly?” the accountant responds.

The Special Agent’s career flashes before his eyes. Then it hits him.

“To scare the shit out of the Internet sir?????????”

“You’re fired,” came the response. “They do that themselves. FOR FREE.”

Krebs on Security: China To Blame in Anthem Hack?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Bloomberg reports that U.S. federal investigators probing the theft of 80 million Social Security records and other sensitive data from insurance giant Anthem Inc. are pointing the finger at state-sponsored hackers from China. Although unconfirmed, that suspicion would explain a confidential alert the FBI circulated last week warning that Chinese hackers were targeting personally identifiable information from U.S. commercial and government networks.

According to this story from Bloomberg’s Michael Riley and Jordan Robertson, “the attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group — defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.”

While the story is light on details, it adds a bit more context to an FBI “flash alert” that KrebsOnSecurity obtained independently last week. The alert said the FBI “has received information regarding a group of cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII) from US commercial and government networks through cyber espionage.”

The alert notes that analysis of malware samples used in the attack indicates that a significant amount of the computer network exploitation activity emanated from infrastructure located within China. The FBI said the tools used in the attack were referenced in open source reports on Deep Panda, a claim that also shows up in the Bloomberg piece. That story references data about Deep Panda from Atlanta-based cybersecurity firm CrowdStrike, which specializes in attributing nation state-level attacks.

According to the FBI, Deep Panda has previously used Adobe Flash zero-day exploits in order to gain initial access to victim networks. While it may be unrelated, it’s worth noting that in the past two weeks alone, Adobe has shipped no fewer than three unscheduled, emergency updates to address Flash Player vulnerabilities that were being exploited in active attacks at the time Adobe released patches.

The FBI’s flash advisory continues:

“Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud though the FBI is not aware of such activity by this group. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.”

In its own writeup on Deep Panda from mid-2014, CrowdStrike notes that “for almost three years now, CrowdStrike has monitored DEEP PANDA targeting critical and strategic business verticals including: government, defense, financial, legal, and the telecommunications industries. At the think tanks, [we have] detected targeting of senior individuals involved in geopolitical policy issues, in particular in the China/Asia Pacific region. DEEP PANDA presents a very serious threat not just to think tanks, but also multinational financial institutions, law firms, defense contractors, and government agencies.”

Leaving aside the question of whether state-sponsored Chinese hackers were in fact behind the Anthem breach, there are still many unanswered questions about this incident, such as when did Anthem find out about it? How long did the breach last? How did the attackers break in? What can other businesses learn from this incident to protect themselves?

Steve Ragan, a journalist who writes the Salted Hash blog for CSO Online, references a document he received from a trusted source that was reportedly sent as a memo from Anthem to its clients. That memo notes that the unauthorized activity seems to date back to at least December 10, 2014. That activity apparently continued undetected until January 27, 2015, meaning the attackers had access to Anthem’s customer database for more than a month before they were discovered.

A memo sent from Anthem to its associates. Credit: Salted Hash.

The memo explains:

“On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”

The notice from Anthem to its clients concludes that “the attacker had proficient understanding of the data platforms and successfully utilized valid database administrator logon information.”
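The memo describes the two signals a defender can actually act on: a privileged database account running a query its owner did not start, and the same pattern spreading to other administrators’ credentials. The following is an added illustration of how a review of database audit logs can surface both, written for this page and not Anthem’s, the FBI’s or Salted Hash’s code. The audit-log format, the sample lines, the sensitive-column list and the per-admin allow-list of workstations are all constructed or assumed for the example.

```python
"""Spot privileged database sessions that do not fit the account owner's pattern.

Added illustration only: this is not Anthem's, the FBI's or Salted Hash's code.
The audit-log format, the sample lines and the per-admin host allow-list are all
constructed or assumed for the example.
"""
import re
from collections import defaultdict

# Constructed audit-log lines: timestamp | database user | client host | statement
SAMPLE_LOG = """\
2015-01-27T09:02:11Z|dba_jsmith|ws-jsmith.corp.example|SELECT count(*) FROM members
2015-01-27T09:05:40Z|dba_jsmith|ws-jsmith.corp.example|ALTER INDEX ix_members_plan REBUILD
2015-01-27T09:06:02Z|dba_jsmith|10.40.8.77|SELECT name, ssn, dob, address FROM members
2015-01-27T09:06:15Z|dba_jsmith|10.40.8.77|SELECT name, ssn, dob, address FROM members LIMIT 1000000 OFFSET 1000000
2015-01-27T09:10:44Z|dba_alee|10.40.8.77|SELECT name, ssn, dob, address FROM members
2015-01-27T11:00:00Z|app_reports|app-batch-02.corp.example|SELECT plan_id, count(*) FROM claims GROUP BY plan_id
"""

# Assumed: each privileged account mapped to the workstation(s) its owner really uses.
PRIVILEGED_HOSTS = {
    "dba_jsmith": {"ws-jsmith.corp.example"},
    "dba_alee": {"ws-alee.corp.example"},
}

# Assumed: columns an administrator has no routine reason to read in bulk.
SENSITIVE_COLUMNS = {"ssn", "dob"}


def parse_line(line):
    """Split one audit record into its four fields."""
    ts, user, host, stmt = line.split("|", 3)
    return {"ts": ts, "user": user, "host": host, "stmt": stmt}


def reads_sensitive(stmt):
    """True when the SELECT list names any sensitive column (crude, single-table parsing)."""
    m = re.match(r"\s*SELECT\s+(.*?)\s+FROM\b", stmt, re.IGNORECASE | re.DOTALL)
    if not m:
        return False
    cols = {c.strip().lower() for c in m.group(1).split(",")}
    return bool(cols & SENSITIVE_COLUMNS)


def find_anomalies(log_text):
    """Return (timestamp, user, host, reasons) for each privileged session that is off-pattern."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        allowed = PRIVILEGED_HOSTS.get(ev["user"])
        if allowed is None:
            continue  # not a privileged account; out of scope for this check
        reasons = []
        if ev["host"] not in allowed:
            reasons.append("client host not in the admin's known set")
        if reads_sensitive(ev["stmt"]):
            reasons.append("admin account reading sensitive member columns")
        if reasons:
            alerts.append((ev["ts"], ev["user"], ev["host"], "; ".join(reasons)))
    return alerts


def shared_privileged_hosts(log_text):
    """Hosts from which more than one privileged account was used: the shape of stolen credentials."""
    users_by_host = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["user"] in PRIVILEGED_HOSTS:
            users_by_host[ev["host"]].add(ev["user"])
    return {h: sorted(u) for h, u in users_by_host.items() if len(u) > 1}


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print("ALERT", *alert)
    print("shared hosts:", shared_privileged_hosts(SAMPLE_LOG))
```

On the constructed log the two admin-owned workstations produce nothing, the three sessions from 10.40.8.77 are flagged on both counts, and that host is reported as the one place where two different administrators’ credentials were in use, which is the “additional database administrators had been compromised” finding from the memo. In production the allow-list would come from the jump-host or bastion inventory rather than a dictionary, and the sensitive-column check would be driven by the data classification rather than a hard-coded set.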

As for how the attackers broke in, perhaps the FBI’s Flash warning on Deep Panda (PDF) holds some clues.

Incidentally, infosec professionals take note: Anthem is hiring. On Feb. 4, the same day that Anthem disclosed that a breach at its “database warehouse” may have affected as many as 80 million consumers, it also posted a help wanted ad for a “Cloud Encryption Security Professional.”

TorrentFreak: The Pirate Bay Left Moldova Before Government Piracy Meeting

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

The Pirate Bay is without doubt the most controversial file-sharing site ever to hit the Internet. Even Napster, still mentioned nearly 15 years after its demise, fails to eclipse the sheer number of headlines generated by The ‘Bay.

Throughout the site’s roller-coaster history, one element has remained constant. Sooner or later, one way or another, companies and organizations that provide infrastructure to the notorious site all come under the spotlight.

The latest Internet service provider to become associated with The Pirate Bay is Moldovan-based Trabia, the country’s largest datacenter. In January the ISP said that it supports freedom of speech and “barrier-free Internet usage” but noted that clients – Pirate Bay included – have to obey local and international laws.

It goes without saying that The Pirate Bay has rarely been associated with that kind of compliance, so when the site came back online last Saturday, Trabia would’ve had good reasons to expect trouble. However, the site did not return from the company’s servers, Trabia has announced.

Trabia founder Sven Wiese says the operator of the infamous site contacted the ISP in January to inform the company that it would move to another location. While there’s no real reason to doubt Wiese’s word, it is now fairly difficult to back up the move with hard facts since, as usual, TPB is obfuscating its true location.

Speaking with Moldova.org, Wiese notes that The Pirate Bay is now ‘hosted’ with Cloudflare. While that’s not strictly true (the actual site is bound to be located in a separate hidden location), Cloudflare services are indeed providing a ‘front-end’ to the site.

It’s an interesting situation. After Hollywood pumped cash into Sweden to have local anti-piracy outfit Rights Alliance investigate and then raid The Pirate Bay in December, the site has not only resurrected itself but has boldly planted some of its infrastructure firmly in the studios’ backyard.

Use of U.S.-based Cloudflare is not without its issues and has certainly helped the conspiracy theorists. Earlier this week several large publications bought into the notion that The Pirate Bay is now an FBI honeypot. It’s not (and the site will discontinue using it soon) – but if simply using Cloudflare is a cause for concern, let the nail-biting begin.

In addition to the original Pirate Bay, many of the largest Pirate Bay clones and alternatives also use Cloudflare. They include ThePirateBay.com.ua, ThePirateBay.co.in, ThePirateBay.cr, ThePirateBayv2.org and ThePirateBay.lv. Even the largest of them all – OldPirateBay.org – uses Cloudflare in its setup.

Cloudflare hasn’t commented on The Pirate Bay’s use of its services but for Trabia over in Moldova, associations with the site are set to put piracy discussions back on the agenda. According to the State Agency for Intellectual Property (AGEPI), the hosting of the Pirate Bay in the country may have “boosted the notoriety” of Moldova overseas.

“In our country no one doubts that a thief who stole something must be arrested,” said AGEPI deputy Ion Tiganas. “We want to be considered as a country that has laws and where these laws are respected.”

Tiganas says that this month there will be a meeting to discuss intellectual property rights and as a result of The Pirate Bay’s foray into the country, the site will be on the agenda.

Krebs on Security: Data Breach at Health Insurer Anthem Could Impact Millions

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Anthem Inc., the nation’s second largest health insurer, disclosed Wednesday that hackers had broken into its servers and stolen Social Security numbers and other personal data from all of its business lines. Given the company’s size, this breach could end up impacting tens of millions of Americans.

Anthem didn’t specify how many consumer records may have been breached, but it did say all of the company’s business units are affected. The figures from Anthem’s Web site offer a glimpse at just how big this breach could be: “With nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.”

The company said it is conducting an extensive IT Forensic Investigation to determine what members are impacted.

“We are working around the clock to determine how many people have been impacted and will notify all Anthem members who are impacted through a written communication,” Anthem said in a question-and-answer page released about the breach.

Formerly known as Wellpoint Inc., Anthem said in a statement that the company was the target of a “very sophisticated external cyber attack” that exposed names, dates of birth, member ID/ Social Security numbers, addresses, phone numbers, email addresses and employment information. The company stressed that the exposed data did not include medical records or financial information.

According to Anthem’s statement, the impacted plans and brands include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. The company said impacted members will receive notice via mail, which will advise them of the protections being offered to them as well as any next steps.

Anthem said that once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with its investigation.

More on this story as it develops. Stay tuned.

Errata Security: Explaining the Game of Sony Attribation

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Attribution is a blame game. It’s not about who did it, but who is best to blame. Ambulance chasing lawyers sue whoever has the most money, not who is most responsible. I point this out because while the U.S. “attributes” the Sony hack to North Korea, this doesn’t mean North Korea did the attack. Instead, it means that North Korea was involved enough to justify sanctions. It still leaves the question of “who did it” unresolved.

The situation is comparable to the recent terrorist attack on Charlie Hebdo in France. Two brothers committed the crime, but “Al Qaeda of the Arabian Peninsula” (AQAP) claims credit. The precise facts are murky, but we have a good idea what happened. While AQAP probably provided some training, it appears the attack was conceived, planned, financed, and executed by the two brothers themselves without AQAP help. The brothers took out bank loans and purchased the weapons from the criminal (not terrorist) underground. They appear to have planned the attacks with a friend from ISIS (the Islamic “Caliphate”), an organization hostile to AQAP. It appears most of their training was in France rather than during their trip to AQAP camps in Yemen. AQAP waited several days to claim responsibility, as if they were as surprised by the attack as everyone else.

However much credit/blame AQAP deserves is a question of politics, and how much weight you want to place on their small contribution. Politically, we don’t want to give AQAP credit. We already have enough to blame on them to justify drone attacks. Therefore, there is much questioning whether AQAP is truly responsible.

Blaming North Korea for the Sony hack is similarly political. Not even the U.S. government claims that it was by uniformed cyber-soldiers working out of a building inside North Korea. Instead, the U.S. is claiming that North Korea shares some responsibility – enough to justify sanctions. It could be as little responsibility as AQAP has for the Charlie Hebdo attack.

That this attribution is political rather than technical is demonstrated by the way they go about it. They are using the same political process as they used to prove Iraq had WMDs. For example, government officials leak information to the press on condition of anonymity so that they can’t be questioned or challenged. Humorously, it’s not just the same technique, it’s the same corrupt reporters (like David Sanger from the NYTimes) that they used to promote the WMD idea. They are also using the same “independent” experts (Mandiant, Hayden, etc.) they always use to “independently” verify cybersecurity stuff, and to smear critics as “Truthers” or “Deniers”.

In the end, though, both government and critics could be right. North Korea could share enough responsibility to merit sanctions, while at the same time, be largely uninvolved in the attack.

In all likelihood, the Sony attack is what it seems: angry insiders trying to extort the company for money. Insiders are strongly implicated by the language of the communiqués from the “Guardians of Peace”. The hackers obviously cared more about internal Sony politics than the film “The Interview”. By “insiders”, we mean a range of possibilities, from IT tech support employees, to something out of left field, like an executive’s kid exploiting the parent’s credentials.

These insiders are connected to others. That’s because the entire hacker underground is interconnected. Links to North Korea aren’t terribly surprising, but they aren’t the only possible link. The government has a long list of cyber adversaries. An attack of this size is too important to waste on just North Korea. When the dust settles and the FBI has swooped in and arrested people, we’ll find many more attributions than just North Korea tied to the Sony attack.

For example, consider the group known as “Lizard Squad”. They clearly have some sort of ties with Sony, if only as “gamers”. Among their activities was calling in a bomb threat last August in order to divert the flight of a Sony executive. Over Christmas, they DDoSed the Sony PlayStation network, preventing kids from using their Christmas presents. As reported by Brian Krebs, the FBI has already arrested several people in connection with the Lizard Squad.

Another example is Kim Dotcom (“the other Kim” in this affair). He’s the FBI’s #1 most cyber-Wanted. For over a decade, Kim has facilitated copyright infringement and the downloading of music/movies through his “Mega” companies. He is known for providing bulk upload/download services to hackers, and thus may have been involved in the exfiltration of Sony data, which required terabytes of data transfer. He’s also been involved with Lizard Squad, offering them free vouchers if they stopped their Christmas DDoS attacks. When the United States finally succeeds in getting him extradited from New Zealand, we might see some charges related to Sony.

Another example is Wikileaks. In truth, the government is happy with Assange’s self-imposed prison sentence, so he’s at the bottom of their Wanted list. Other Wikileaks activists are more important, as recent revelations showed. A simple email exchange, such as a Wikileaks member suggesting what information hackers should steal from Sony, would be a useful way to go after Wikileaks.

The Sony hackers tried to extort money. That means they probably used either BitCoin or gambling websites, both of which are used to cyber-launder money, both of which the FBI hates with a passion. When the FBI makes their arrests, and the entire extortion scheme comes to light, we’ll probably see some of these sites implicated.

Hackers interact a lot on forums and chat rooms. After the FBI makes its first arrests, it’ll release those people back into the community in order to trap additional hackers. This is the catch-and-release strategy they used with Sabu to take down LulzSec. (Pro tip: always be the first hacker arrested). They’ll be going after other hackers that helped plan the attacks, but they’ll also catch a lot of “accessories after the fact” (like Barrett Brown in the Stratfor case).

Finally, there may be other countries involved. The virus used shares characteristics with attacks by Iran. China is responsible for much of North Korea’s hacking infrastructure – indeed, the attacks could’ve been by Chinese to begin with, hiding behind the North Koreans.

The title of this piece isn’t a misspelling. I use “attribation” because attribution is a game. The goal isn’t to find out who did the hack, but the to find out the best person to blame. It’s a political decision more than anything. A year from now, after arrested perps confess the details, and all the facts are known, we’ll still be debating the political question of attribution. Nobody likes to blame poor kids getting in over their heads using simple hacking techniques. Everyone likes to blame nation states who develop sophisticated cyber viruses. Thus, North Korea is a better target to blame, regardless of the facts. Or the vast Lizard Squad conspiracy, or the kingpin Kim Dotcom, or so on.

If you’ll remember, the Stratfor hack was “state sponsored”, if you wanted to play the attribation that way. It was conceived, planned, and executed after the LulzSec group leader had become an informant for the FBI. The hack used FBI servers to exfiltrate data. I have several bets (in BitCoin, what else) with friends on this issue. Namely, I’ve bet that by the end of 2015, we’ll have gotten several arrests, and it will turn out that North Korea was as little involved in the Sony hack as the U.S. government was in the Stratfor hack. That isn’t to say North Korea doesn’t deserve sanctions, only that they clearly didn’t “do” the hack.

TorrentFreak: Pirate Bay Responds to Cloudflare and Moderation Concerns

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

On Saturday The Pirate Bay made its long-awaited comeback. While most users were happy to see the site back online, others were suspicious about the new setup.

One of the issues that was discussed the most is Pirate Bay’s use of CloudFlare’s CDN and its SSL service. Several people voiced concerns that this would make it easy for U.S. authorities to spy on Pirate Bay’s users.

Others even went as far as rumoring that the FBI had already infiltrated the site. While this is complete nonsense, general security concerns of using a U.S.-based service are legitimate.

Today, the Pirate Bay responded to the possible security issue, explaining that it’s only using Cloudflare temporarily in order to cope with the continued stream of millions of visitors.

“We have seen that there has been some question to why we are using Cloudflare. This is only initially to handle the massive load upon the servers. It will be removed shortly,” TPB says in a statement.

Another concern is the lack of moderation on the site. The Pirate Bay previously decided to take away the rights of admins and moderators which resulted in a staff revolt and a subsequent pollution problem.

Since the site’s return many fake torrents have been posted to the site and without moderators these were not removed. The Pirate Bay operators now explain that the decision to keep the staff out was taken as a security measure.

“Due to severe security issues regarding the old moderator team all moderation has temporarily been disabled,” TPB notes.

To deal with the spam and fake torrent problem they’ve now added a report link to every torrent details page.

“Before we sort everything out we have instead added a ‘Report link’ to all torrents which you can find in the details page. We believe that the TPB community can help moderate the site for the time being.”

Already, several flagged torrents have been removed from the site so the report button seems to work. Whether it will be as effective as a full team of moderators has yet to be seen.

Finally, The Pirate Bay’s .onion address has been brought back online too, which allows people to browse the site over the Tor network.

While The Pirate Bay may not have returned with a bang, it was certainly fuel for heated debates and conspiracy theories. The recent announcements may not resolve all concerns, especially not those of the moderators and admins, but it’s good that the people behind the site are speaking out again.

Krebs on Security: FBI: Businesses Lost $215M to Email Scams

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

It’s time once again to update my Value of a Hacked Email Account graphic: According to a recent alert from the FBI, cyber thieves stole nearly $215 million from businesses in the last 14 months using a scam that starts when business executives or employees have their email accounts hijacked.

Federal investigators say the so-called “business email compromise” (BEC) swindle is a sophisticated and increasingly common scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.

According to new data from the Internet Crime Complaint Center (IC3) — a partnership between the National White Collar Crime Center and the FBI — the victims of BEC scams range from small to large businesses that may purchase or supply a variety of goods, such as textiles, furniture, food, and pharmaceuticals.

Image: IC3

One variation on the BEC scam, also known as “CEO fraud,” starts with the email account compromise for high-level business executives (CFO, CTO, etc). Posing as the executive, the fraudster sends a request for a wire transfer from the compromised account to a second employee within the company who is normally responsible for processing these requests.

“The requests for wire transfers are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request,” the agency warned. “In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank ‘X’ for reason ‘Y.’”

The IC3 notes that the fraudsters perpetrating these scams do their homework before targeting a business and its employees, monitoring and studying their selected victims prior to initiating the fraud.

“Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed,” the IC3 alert warns. “The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive ‘phishing’ e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc).”

The advisory urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media.
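The IC3 description above gives a defender three things to look for on the mail gateway before any wire request reaches the person who processes payments: a sender whose display name is an executive but whose address is not, a look-alike or swapped Reply-To domain, and the urgent payment language. The block below is an added illustration of that triage, written for this page and not IC3’s, the FBI’s or Krebs’s code. The three messages are constructed, and the organisation domain, the executive directory, the keyword lists and the edit-distance threshold are assumptions for the example.

```python
"""Flag inbound mail carrying the business-e-mail-compromise traits the IC3 alert describes.

Added illustration only: not IC3's, the FBI's or Krebs's code. The three messages are
constructed; the organisation domain, the executive directory, the keyword lists and the
edit-distance threshold are assumptions for the example.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"            # assumed
EXECUTIVES = {                              # assumed directory: display name -> real address
    "jane doe": "jdoe@example-corp.com",
    "tom chen": "tchen@example-corp.com",
}
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "payment", "bank", "invoice")

# Constructed sample messages (headers and bodies are invented for the example).
SPOOFED_EXEC = """\
From: "Jane Doe" <jane.doe@example-c0rp.com>
To: accounts-payable@example-corp.com
Subject: Urgent wire transfer
Date: Mon, 12 Jan 2015 08:14:00 +0000

I am travelling today and cannot take calls. Please wire 48,500 USD to the
supplier account below immediately and send me the confirmation. Keep this
confidential until I am back.
"""

REPLY_TO_SWAP = """\
From: "Jane Doe" <jdoe@example-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: accounts-payable@example-corp.com
Subject: Invoice payment needed today

Please process the attached invoice before end of day.
"""

LEGIT = """\
From: "Tom Chen" <tchen@example-corp.com>
To: staff@example-corp.com
Subject: Q1 planning meeting

Agenda attached. Please review it before Thursday's session.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains such as example-c0rp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_message(raw):
    """Return the spoofing/urgency findings and whether the request should be held for a call-back."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else from_domain
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()

    findings = []
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display name matches an executive but address does not")
    if from_domain != ORG_DOMAIN and 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append("sender domain is a look-alike of the organisation domain")
    if reply_domain != from_domain:
        findings.append("Reply-To routes replies to a different domain than From")
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        findings.append("urgent payment/wire language")

    # Assumed policy: a payment request showing any second indicator is verified out of band
    # (a phone call to the executive at a known number) before anything is processed.
    hold = "urgent payment/wire language" in findings and len(findings) >= 2
    return {"findings": findings, "hold_for_callback": hold}


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_EXEC), ("reply-to", REPLY_TO_SWAP), ("legit", LEGIT)):
        print(label, analyze_message(sample))
```

The first message trips all three header checks plus the urgency language; the second has a perfectly genuine From address and is caught only because the Reply-To sends the reply elsewhere, which is why a From check alone is not enough; the planning e-mail produces no findings. The hold flag is the technical end of the advisory’s recommendation: the mail is not rejected, it is routed so that the wire is confirmed over a channel the attacker does not control.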

For more info on how to rethink the security of your inbox, check out this post.

Your email account may be worth far more than you imagine.

Krebs on Security: Spreading the Disease and Selling the Cure

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

When Karim Rattani isn’t manning the till at the local Subway franchise in his adopted hometown of Cartersville, Ga., he’s usually tinkering with code. The 21-year-old Pakistani native is the lead programmer for two very different yet complementary online services: One lets people launch powerful attacks that can knock Web sites, businesses and other targets offline for hours at a time; the other is a Web hosting service designed to help companies weather such assaults.

Grimbooter

Rattani helps run two different “booter” or “stresser” services – grimbooter[dot]com, and restricted-stresser[dot]info. He also works on TheHosted[dot]me, a Web hosting firm marketed to Web sites looking for protection from the very attacks he helps to launch.

As part of an ongoing series on booter services, I reached out to Rattani via his Facebook account (which was replete with images linking to fake Youtube sites that foist malicious software disguised as Adobe’s Flash Player plugin). It turns out, the same Google Wallet is used to accept payment for all three services, and that wallet traced back to Rattani.

In a Facebook chat, Rattani claimed he doesn’t run the companies, but merely accepts Google Wallet payments for them and then wires the money (minus his cut) to a young man named Danial Rajput — his business partner back in Karachi. Rajput declined to be interviewed for this story.

The work that Rattani does for these booter services brings in roughly $2,500 a month — far more than he could ever hope to make in a month slinging sandwiches. Asked whether he sees a conflict of interest in his work, Rattani was ambivalent.

“It is kind of [a conflict], but if my friend won’t sell [the service], someone else will,” he said.

Rattani and his partner are among an increasing number of young men who sell legally murky DDoS-for-hire services. The proprietors of these services market them as purely for Web site administrators to “stress test” their sites to ensure they can handle high volumes of visitors.

But that argument is about as convincing as a prostitute trying to pass herself off as an escort. The owner of the attack services (the aforementioned Mr. Rajput) advertises them at hackforums[dot]net, an English language forum where tons of low-skilled hackers hang out and rent such attack services to prove their “skills” and toughness to others. Indeed, in his own first post on Hackforums in 2012, Rajput states that “my aim is to provide the best quality vps [virtual private server] for ddosing :P”.

Damon McCoy, an assistant professor of computer science at George Mason University, said the number of these DDoS-for-hire services has skyrocketed over the past two years. Nearly all of these services allow customers to pay for attacks using PayPal or Google Wallet, even though doing so violates the terms of service spelled out by those payment networks.

“The main reason they are becoming an increasing problem is that they are profitable,” McCoy said. “They are also easy to set up using leaked code for other booters, increasing demand from gamers and other customers, decreasing cost of attack infrastructure that can be amplified using common DDoS attacks. Also, it is relatively low-risk to operate a booter service when using rented attack servers instead of botnets.”

The booter services are proliferating thanks mainly to free services offered by CloudFlare, a content distribution network that offers gratis DDoS protection for virtually all of the booter services currently online. That includes the Lizardstresser, the attack service launched by the same Lizard Squad (a.k.a. Loser Squad) criminals whose assaults knocked the Microsoft Xbox and Sony Playstation networks offline on Christmas Day 2014.

The sad truth is that most booter services probably would not be able to remain in business without CloudFlare’s free service. That’s because outside of CloudFlare, real DDoS protection services are expensive, and just about the only thing booter service customers enjoy attacking more than Minecraft and online gaming sites are, well, other booter services.

For example, looking at the (now leaked) back-end database for the LizardStresser, we can see that TheHosted and its various properties were targeted for attacks repeatedly by one of the Loser Squad’s more prominent members.

The Web site crimeflare.com, which tracks abusive sites that hide behind CloudFlare, has cataloged more than 200 DDoS-for-hire sites using CloudFlare. For its part, CloudFlare’s owners have rather vehemently resisted the notion of blocking booter services from using the company’s services, saying that doing so would lead CloudFlare down a “slippery slope of censorship.”

As I observed in a previous story about booters, CloudFlare CEO Matthew Prince has noted that while Cloudflare will respond to legal process and subpoenas from law enforcement to take sites offline, “sometimes we have court orders that order us to not take sites down.” Indeed, one such example was CarderProfit, a Cloudflare-protected carding forum that turned out to be an elaborate sting operation set up by the FBI.

I suppose it’s encouraging that prior to CloudFlare, Prince was a co-creator of Project Honey Pot, which bills itself as the largest open-source community dedicated to tracking online fraud and abuse. In hacking and computer terminology, a honeypot is a trap set to detect, deflect or otherwise counteract attempts at unauthorized use or abuse of information systems.

It may well turn out to be the case that federal investigators are allowing these myriad booter services to remain in operation so that they can gather copious evidence for future criminal prosecutions against their owners and users. In the meantime, however, it will continue to be possible to purchase powerful DDoS attacks with little more than a credit card or prepaid debit card.

Schneier on Security: Accountability as a Security System

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

At a CATO surveillance event last month, Ben Wittes talked about inherent presidential powers of surveillance with this hypothetical: “What should Congress have to say about the rules when Barack Obama wants to know what Vladimir Putin is talking about?” His answer was basically that Congress should have no say: “I think most people, going back to my Vladimir Putin question, would say that is actually an area of inherent presidential authority.” Edward Snowden, a surprise remote participant at the event, said the opposite, although using the courts in general rather than specifically Congress as his example. “…there is no court in the world — well, at least, no court outside Russia — who would not go, ‘This man is an agent of the foreign government. I mean, he’s the head of the government.’ Of course, they will say, ‘this guy has access to some kind of foreign intelligence value. We’ll sign the warrant for him.'”

There’s a principle here worth discussing at length. I’m not talking about the legal principle, as in what kind of court should oversee US intelligence collection. I’m not even talking about the constitutional principle, as in what are the US president’s inherent powers. I am talking about the philosophical principle: what sorts of secret unaccountable actions do we want individuals to be able to take on behalf of their country?

Put that way, I think the answer is obvious: as little as possible.

I am not a lawyer or a political scientist. I am a security technologist. And to me, the separation of powers and the checks and balances written into the US constitution are a security system. The more Barack Obama can do by himself in secret, the more power he has — and the more dangerous that is to all of us. By limiting the actions individuals and groups can take on their own, and forcing differing institutions to approve the actions of each other, the system reduces the ability for those in power to abuse their power. It holds them accountable.

We have enshrined the principle of different groups overseeing each other in many of our social and political systems. The courts issue warrants, limiting police power. Independent audit companies verify corporate balance sheets, limiting corporate power. And the executive, the legislative, and the judicial branches of government get to have their say in our laws. Sometimes accountability takes the form of prior approval, and sometimes it takes the form of ex post facto review. It’s all inefficient, of course, but it’s an inefficiency we accept because it makes us all safer.

While this is a fine guiding principle, it quickly falls apart in the practicalities of running a modern government. It’s just not possible to run a country where every action is subject to review and approval. The complexity of society, and the speed with which some decisions have to be made, can require unilateral actions. So we make allowances. Congress passes broad laws, and agencies turn them into detailed rules and procedures. The president is the commander in chief of the entire US military when it comes time to fight wars. Policemen have a lot of discretion on their own on the beat. And we only get to vote elected officials in and out of office every two, four, or six years.

The thing is, we can do better today. I’ve often said that the modern constitutional democracy is the best form of government mid-18th-century technology could produce. Because both communications and travel were difficult and expensive, it made sense for geographically proximate groups of people to choose one representative to go all the way over there and act for them over a long block of time.

Neither of these two limitations is true today. Travel is both cheap and easy, and communications are so cheap and easy as to be virtually free. Video conferencing and telepresence allow people to communicate without traveling. Surely if we were to design a democratic government today, we would come up with better institutions than the ones we are stuck with because of history.

And we can come up with more granular systems of checks and balances. So, yes, I think we would have a better government if a court had to approve all surveillance actions by the president, including those against Vladimir Putin. And today it might be possible to have a court do just that. Wittes argues that making some of these changes is impossible, given the current US constitution. He may be right, but that doesn’t mean they’re not good ideas.

Of course, the devil is always in the details. Efficiency is still a powerful counterargument. The FBI has procedures for temporarily bypassing prior approval processes if speed is essential. And granularity can still be a problem. Every bullet fired by the US military can’t be subject to judicial approval or even a military court, even though every bullet fired by a US policeman is — at least in theory — subject to judicial review. And while every domestic surveillance decision made by the police and the NSA is (also in theory) subject to judicial approval, it’s hard to know whether this can work for international NSA surveillance decisions until we try.

We are all better off now that many of the NSA’s surveillance programs have been made public and are being debated in Congress and in the media — although I had hoped for more congressional action — and many of the FISA Court’s formerly secret decisions on surveillance are being made public. But we still have a long way to go, and it shouldn’t take someone like Snowden to force at least some openness to happen.

This essay previously appeared on Lawfare.com, where Ben Wittes responded.

Krebs on Security: Another Lizard Arrested, Lizard Lair Hacked

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Several media outlets are reporting that authorities in the United Kingdom early this morning arrested an 18-year-old in connection with the denial-of-service attacks on Sony Playstation and Microsoft Xbox systems over Christmas. The arrest is one of several tied to a joint U.K. and U.S. law enforcement investigation into a group calling itself the “Lizard Squad,” and comes as the group’s attack-for-hire online service was completely compromised and leaked to investigators.

A BBC story does not name the individual, saying only that the youth was arrested at an address in Southport, near Liverpool, and that he was accused of unauthorized access to computer material and knowingly providing false information to law enforcement agencies in the United States. The notice about the arrest on the Web site of the Southeast Regional Organized Crime Unit states that this individual has been actively involved in several “swatting” incidents — phoning in fake hostage situations or bomb threats to prompt a police raid at a targeted address.

U.K. police declined to publicly name the individual arrested. But according to two sources close to the investigation, the 18-year-old is Jordan Cameron. Known online variously as “Jordie,” “EvilJordie” and “GDKJordie,” Cameron frequently adopts the persona of an African American gang member from Chicago, as evidenced in this (extremely explicit) interview he and other Lizard Squad members gave late last year. Jordie’s Twitter account also speaks volumes, although it hasn’t been saying much for the past 13 hours.

An individual using variations on the “Jordie” nickname was named in this FBI criminal complaint (PDF) from Sept. 2014 as one of three from the U.K. suspected in a string of swatting attacks and bomb threats to schools and universities across the United States in the past year. According to that affidavit, Jordie was a member of a group of males aged 16-18 who called themselves the “ISISGang.”

In one of their most appalling stunts from September 2014, Jordie and his ISIS pals allegedly phoned in a threat to Sandy Hook Elementary — the site of the 2012 school massacre in Newtown, Ct. in which 20 kids and 6 adults were gunned down. According to investigators, the group told the school they were coming to the building with an assault rifle to “kill all your asses.”

In an unrelated development, not long after this publication broke the news that the Lizard Squad’s attack infrastructure is built on a network of thousands of hacked home Internet routers, someone hacked LizardStresser[dot]su, the Web site the group uses to coordinate attacks and sell subscriptions to its attacks-for-hire service. As I noted in a previous story, the attacks on Microsoft and Sony were merely meant to be commercials for this very “stresser” (a.k.a. “booter”) service, which allows paying customers to knock any Web site or individual offline for a small fee.

A copy of the LizardStresser customer database obtained by KrebsOnSecurity shows that it attracted more than 14,241 registered users, but only a few hundred appear to have funded accounts at the service. Interestingly, all registered usernames and passwords were stored in plain text. Also, the database indicates that customers of the service deposited more than USD $11,000 worth of bitcoins to pay for attacks on thousands of Internet addresses and Web sites (including this one).

One page of hundreds of support ticket requests filed by LizardStresser users.

Two other Lizard Squad members also have been rounded up by police since the initial Christmas Day attacks. In late December, U.K. police arrested 22-year-old Vincent “Vinnie” Omari, in connection with the investigation. Additionally, authorities in Finland questioned a 17-year-old named Julius “Ryan/Zeekill” Kivimäki, after he and Omari gave an interview to Sky News about the attacks. Sources say Kivimäki has been arrested and jailed several times in Finland on charges related to credit card theft, although he is currently not in custody.

Sources say the 18-year-old arrested this morning operates only on the fringes of the group responsible for the Christmas day attacks, and that the core members of the Lizard Squad remain at large.

Nevertheless, individuals involved in swatting need to face serious consequences for these potentially deadly stunts. Swatting attacks are not only extremely dangerous, they divert emergency responders away from actual emergencies, and cost taxpayers on average approximately $10,000 (according to the FBI).

In most states, the punishment for calling in a fake hostage situation or bomb threat is a fine and misdemeanor akin to filing a false police report. Having been the victim of a swatting attack myself, allow me to suggest an alternative approach: Treat all of those charged with the crime as an adult, and make the charge attempted murder.

Errata Security: Obama’s War on Hackers

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

In next week’s State of the Union address, President Obama will propose new laws against hacking that could make either retweeting or clicking on the above (fictional) link illegal. The new laws make it a felony to intentionally access unauthorized information even if it’s been posted to a public website. The new laws make it a felony to traffic in information like passwords, where “trafficking” includes posting a link.

You might assume that things would never become that bad, but it’s already happening even with the current laws. Prosecutors went after Andrew “weev” Auernheimer for downloading a customer list AT&T negligently made public. They prosecuted Barrett Brown for copying a URL to the Stratfor hack from one chatroom to another. A single click is all it takes. Prosecutors went after the PayPal-14 for clicking on a single link they knew would flood PayPal’s site with traffic. The proposed changes make such prosecutions much easier.

Even if you don’t do any of this, you can still be guilty if you hang around with people who do. Obama proposes upgrading hacking to a “racketeering” offense, which means you can be guilty of being a hacker by simply acting like a hacker (without otherwise committing a specific crime). Hanging out in an IRC chat room giving advice to people now makes you a member of a “criminal enterprise”, allowing the FBI to sweep in and confiscate all your assets without charging you with a crime. If you innocently clicked on the link above, and think you can defend yourself in court, prosecutors can still use the 20-year sentence of a racketeering charge in order to force you to plea bargain down to a 1-year sentence for hacking. (Civil libertarians hate the police-state nature of racketeering laws.)

Obama’s proposals come from a feeling in Washington D.C. that more needs to be done about hacking in response to massive data breaches of the last couple years. But they are blunt political solutions which reflect no technical understanding of the problem.

Most hacking is international and anonymous. Law enforcement can’t catch the perpetrators no matter how much it criminalizes the activities. This War on Hackers is likely to be no more effective than the War on Drugs, where after three decades the prison population has skyrocketed from 0.1% of the population to a staggering 1%. With 5% of the world’s population, we have 25% of the world’s prisoners – and this has done nothing to stop drugs. Likewise, while Obama’s new laws will dramatically increase hacking prosecutions, they’ll be of largely innocent people rather than the real hackers that matter.

Internet innovation happens by trying things first then asking for permission later. Obama’s law will change that. For example, a search engine like Google downloads a copy of every website in order to create a search “index”. This sort of thing is grandfathered in, but if “copying the entire website” were a new idea, it would be something made illegal by the new laws. Such copies knowingly get information that website owners don’t intend to make public. Similarly, had hacking laws been around in the 1980s, the founders of Apple might’ve still been in jail today, serving out long sentences for trafficking in illegal access devices.

The most important innovators this law would affect are the cybersecurity professionals who protect the Internet. If you cared about things such as “national security” and “cyberterrorism”, then this should be your biggest fear. Because of our knowledge, we do innocent things that look to outsiders like “hacking”. Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open door for nation-state hackers and the real cybercriminals.

Along with its Hacking Prohibition law, Obama is also proposing a massive Internet Surveillance law. Companies currently monitor their networks, using cybersecurity products like firewalls, IPSs, and anti-virus. Obama wants to strong-arm companies into sharing that information with the government, creating a virtualized or “cloud” surveillance system.

In short, President Obama’s War on Hackers is a bad thing, creating a Cyber Police State. The current laws already overcriminalize innocent actions and allow surveillance of innocent people. We need to roll those laws back, not extend them.