Posts tagged ‘fbi’

TorrentFreak: Android Pirate Agrees To Work Undercover For the Feds

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In 2012, three Android-focused websites were seized by the Department of Justice. With help from French and Dutch police, the FBI took over a trio of so-called ‘rogue’ app stores.

Carrying out several arrests, the authorities heralded the operation as the first of its kind, alongside claims that together the sites had facilitated the piracy of more than two million apps.

Last month the Department of Justice announced that two of the three admins of Appbucket had entered guilty pleas to charges of criminal copyright infringement and would be sentenced in June.

Yesterday the DoJ reported fresh news on the third defendant. Appbucket’s Thomas Pace, 38, of Oregon City, Oregon, pleaded guilty to one count of conspiracy to commit criminal copyright infringement and will be sentenced in July.

As reported in late March, the former operator of Applanet says he intends to fight the U.S. Government. However, the same definitely cannot be said about Kody Jon Peterson of Clermont, Florida.

The 22-year-old, who was involved in the operations of SnappzMarket, pleaded guilty this week to one count of conspiracy to commit criminal copyright infringement. He admitted being involved in the illegal copying and distribution of more than a million pirated Android apps with a retail value of $1.7 million. His sentencing date has not been set, but even when that’s over his debt to the government may still not be paid.

As part of his guilty plea, Peterson entered into a plea agreement in which he gave up his right to be tried by a jury and any right to an appeal. He also accepted that he could be jailed for up to five years, be subjected to supervised release of up to three years, be hit with a $250,000 fine, and have to pay restitution to the victims of his crimes.

Peterson also agreed to cooperate with the authorities in the investigation, including producing all relevant records and attending interviews when required. However, in addition to more standard types of cooperation, the 22-year-old also agreed to go much further. A copy of his plea agreement obtained by TF reveals that Peterson has agreed to work undercover for the Government.

“Upon request by the Government, the Defendant agrees to act in an undercover investigative capacity to the best of his ability,” the agreement reads.

“The Defendant agrees that Defendant will make himself available to the law enforcement agents designated by the Government, will fully comply with all reasonable instructions given by such agents, and will allow such agents to monitor and record conversations and other interactions with persons suspected of criminal activity.”

The plea agreement also notes that in order to facilitate this work, Government attorneys and agents are allowed to contact Peterson on no notice and communicate with him without his own attorney being present. The extent of Peterson’s cooperation will eventually be detailed to the sentencing court and if it is deemed to be “substantial” then the Government will file a motion to have his sentence reduced.

But despite the agreements, Peterson has another huge problem to face. According to court documents he is an immigrant to the United States and as such a guilty plea could see him removed from the country. Whether he will be allowed to stay will be the subject of a separate proceeding but given his agreement to work undercover it seems unlikely the Government would immediately choose to eject such a valuable asset.

In the meantime, former associates and contacts of Peterson could potentially be talking online to him right now, with an FBI agent listening in over his shoulder and recording everything being said.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Crimeware Helps File Fraudulent Tax Returns

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Many companies believe that if they protect their intellectual property and customers’ information, they’ve done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees.

Last month, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W2 forms for all employees.

An obfuscated look at the control panel for a tax fraud operation involving more than a half dozen victim organizations.

According to the control panel seen by this reporter, the scammers in charge of this scheme have hacked more than a half-dozen U.S. companies, filing fake tax returns on nearly every employee. At last count, this particular scam appears to stretch back to the beginning of this year’s tax filing season, and includes fraudulent returns filed on behalf of thousands of people — totaling more than $1 million in bogus returns.

The control panel includes a menu listing every employee’s W2 form, including all data needed to successfully file a return, such as the employee’s Social Security number, address, wages and employer identification number. Each fake return was apparently filed using the e-filing service provided by H&R Block, a major tax preparation and filing company. H&R Block did not return calls seeking comment for this story.

The “drops” page of this tax fraud operation lists the nicknames of the co-conspirators who agreed to “cash out” funds on the prepaid cards generated by the bogus returns — minus a small commission.

Fraudulent returns listed in the miscreants’ control panel that were successfully filed produced a specific five-digit tax filing Personal Identification Number (PIN) apparently generated by H&R Block’s online filing system. An examination of the panel suggests that successfully filed returns are routed to prepaid American Express cards that are requested to be sent to addresses in the United States corresponding to specific “drops,” or co-conspirators in the scheme who have agreed to receive the prepaid cards and “cash out” the balance — minus their fee for processing the bogus returns.

Alex Holden, chief information security officer at Hold Security, said although tax fraud is nothing new, automating the exploitation of human resource systems for mass tax fraud is an innovation.

“The depth of this specific operation permits them to act as a malicious middle-man and tax preparation company to be an unwitting ‘underwriter’ of this crime,” Holden said. “And the victims may be exploited not only for 2013 tax year but also down the road, and perhaps subject to higher scrutiny by IRS — not to mention potential financial losses. Companies should look at their human resource infrastructure to ensure that payroll, taxes, financial, medical, and other benefits are afforded the same level of protection as their other mission-critical assets.”


I spoke at length with Doug, a 45-year-old tax fraud victim at a company that was listed in the attacker’s control panel. Doug agreed to talk about his experience if I omitted his last name and his employer’s name from this story. Doug confirmed that the information in the attacker’s tax fraud panel was his and mostly correct, but he said he didn’t recognize the Gmail address used to fraudulently submit his taxes at H&R Block.

Doug said his employer recently sent out a company-wide email stating there had been a security breach at a cloud provider that was subcontracted to handle the company’s employee benefits and payroll systems.

“Our company sent out a blanket email saying there had been a security breach that included employee names, addresses, Social Security numbers, and other information, and that they were going to pay for a free year’s worth of credit monitoring,” Doug said.

Almost a week after that notification, the company sent out a second notice stating that the breach extended to the personal information of all spouses and children of its employees.

“We were later notified that the breach was much deeper than originally suspected, which included all of our beneficiaries, their personal information, my life insurance policy, 401-K stuff, and our taxes,” Doug said. “My sister-in-law is an accountant, so I raced to her and asked her to help us file our taxes immediately. She pushed them through quickly but the IRS came back and said someone had already filed our taxes a few days before us.”

Doug has since spent many hours filling out countless forms with a variety of organizations, including the Federal Trade Commission, the FBI, the local police department, and of course the Internal Revenue Service.

Doug’s company and another victim at a separate company whose employees were all listed as recent tax fraud victims in the attacker’s online control panel both said their employers’ third-party cloud provider of payroll services was Weston, Fla.-based Ultimate Software. In each case, the attackers appear to have stolen the credentials of the victim organization’s human resources manager, credentials that were used to manage employee payroll and benefits at Ultipro, an online HR and payroll solutions provider.

Jody Kaminsky, senior vice president of marketing at Ultimate Software, said the company has no indication of a compromise of Ultimate’s security. Instead, she said Doug’s employer appears to have had its credentials stolen and abused by this fraud operation.

“Although we are aware that several customers’ employees were victims of tax fraud, we have no reason to believe this unauthorized access was the result of a compromise of our own security,” Kaminsky said. “Rather, our investigation suggests this is the result of stolen login information on the end-user level and not our application.”

Kaminsky continued:

“Unfortunately incidents of tax fraud this tax season across the U.S. are increasing and do not appear to be limited to just our customers or any one company (as I’m sure you’re well aware due to your close coverage of this issue). Over the past several weeks, we have communicated multiple times with our customers about recent threats of tax fraud and identity theft schemes.”

“We believe through schemes such as phishing or malware on end-user computers, criminals are attempting to obtain system login information and use those logins to access employee data for tax fraud purposes. We take identity theft schemes extremely seriously. As tax season progresses, we have been encouraging our customers to take steps to protect their systems such as enforcing frequent password resets and ensuring employee computers are up to date on anti-malware protection.”


According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.

It’s important to note that fraudsters engaged in this type of crime are in no way singling out H&R Block or Ultipro. Cybercrooks in charge of large collections of hacked computers can just as easily siphon usernames and passwords — as well as incomplete returns — from taxpayers who are preparing returns via other online filing services, including TurboTax and TaxSlayer.

If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.

That process is likely to involve the use of taxpayer-specific PINs for people that have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such as a driver’s license or passport.

The most frightening aspect of this tax crimeware panel is that its designers appear to have licensed it for resale. It’s not clear how much this particular automated fraud machine costs, but sources in the financial industry tell this reporter that this same Web interface has been implicated in multiple tax return scams targeting dozens of companies in this year’s tax-filing season.

Krebs on Security: ‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”

An advisory from Carnegie Mellon University’s CERT notes that the vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f. According to Netcraft, a company that monitors the technology used by various Web sites, more than a half million sites are currently vulnerable. As of this morning, that included, and — ironically — the Web site of This list at Github appears to be a relatively recent test for the presence of this vulnerability in the top 1,000 sites as indexed by Web-ranking firm Alexa.

An easy-to-use exploit that is being widely traded online allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL “libssl” library in chunks of 64 KB at a time. As CERT notes, an attacker can repeatedly leverage the vulnerability to retrieve as many 64 KB chunks of memory as are necessary to retrieve the intended secrets.

Jamie Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library [full disclosure: AlienVault is an advertiser on this blog].

It is likely that a great many Internet users will be asked to change their passwords this week (I hope). Meantime, companies and organizations running vulnerable versions should upgrade to the latest iteration of OpenSSL (OpenSSL 1.0.1g) as quickly as possible.

Update, 2:26 p.m.: It appears that this Github page allows visitors to test whether a site is vulnerable to this bug (hat tip to Sandro Süffert). For more on what you can do to protect yourself from this vulnerability, see this post.
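The advisory's affected range (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) is the first thing a defender checks across a fleet. The following Python is an added illustration, not code from the Krebs post or from the OpenSSL project: it classifies `openssl version` banners against that range and groups hosts for patch and re-key work; the host names and inventory lines are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the CERT advisory quoted above: 1.0.1 through 1.0.1f.
# 1.0.1g is the first release carrying the fix. The older release lines listed in
# UNAFFECTED_BRANCHES never contained the vulnerable heartbeat code.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"
UNAFFECTED_BRANCHES = {(0, 9, 8), (1, 0, 0)}

# Matches the leading token of `openssl version` output, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> major=1, minor=0, patch=1, letter="e"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, letter) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def heartbleed_status(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed', 'not_affected' or 'unknown'.

    Caveat: a distro build may keep the upstream string (e.g. 1.0.1e) while carrying
    a backported fix, so 'vulnerable' means 'confirm against the package changelog',
    not 'certainly exploitable'.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    branch, letter = parsed[:3], parsed[3]
    if branch == VULNERABLE_BRANCH:
        # Release letters sort lexically: "" < "a" < ... < "f" < "g"
        return "fixed" if letter >= FIRST_FIXED_LETTER else "vulnerable"
    if branch in UNAFFECTED_BRANCHES:
        return "not_affected"
    # Anything else (e.g. 1.0.2 pre-releases) is outside the range the advisory enumerates
    return "unknown"


# Constructed sample inventory: "host<TAB>banner" lines as a fleet script might collect them
SAMPLE_INVENTORY = """\
web-01\tOpenSSL 1.0.1e 11 Feb 2013
web-02\tOpenSSL 1.0.1g 7 Apr 2014
vpn-01\tOpenSSL 1.0.1 14 Mar 2012
lb-01\tOpenSSL 1.0.0k 5 Feb 2013
legacy-01\tOpenSSL 0.9.8y 5 Feb 2013
appliance-01\tno version banner available
"""


def triage_inventory(text: str) -> Dict[str, List[str]]:
    """Group hosts by Heartbleed status so patching and key rotation can be prioritised."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.partition("\t")
        groups.setdefault(heartbleed_status(banner), []).append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:13s} {', '.join(hosts)}")
    # Hosts in the 'vulnerable' group need the upgrade AND new private keys and
    # certificates, since keys already in memory may have been read out.
```

Because the leak is of process memory, the vulnerable group is also the list of hosts whose keys, session cookies and user passwords should be treated as exposed, which is why the post says certificates must be replaced after patching.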

Schneier on Security: Ephemeral Apps

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Ephemeral messaging apps such as Snapchat, Wickr and Frankly, all of which advertise that your photo, message or update will only be accessible for a short period, are on the rise. Snapchat and Frankly, for example, claim they permanently delete messages, photos and videos after 10 seconds. After that, there’s no record.

This notion is especially popular with young people, and these apps are an antidote to sites such as Facebook where everything you post lasts forever unless you take it down—and taking it down is no guarantee that it isn’t still available.

These ephemeral apps are the first concerted push against the permanence of Internet conversation. We started losing ephemeral conversation when computers began to mediate our communications. Computers naturally produce conversation records, and that data was often saved and archived.

The powerful and famous — from Oliver North back in 1987 to Anthony Weiner in 2011 — have been brought down by e-mails, texts, tweets and posts they thought private. Lots of us have been embroiled in more personal embarrassments resulting from things we’ve said either being saved for too long or shared too widely.

People have reacted to this permanent nature of Internet communications in ad hoc ways. We’ve deleted our stuff where possible and asked others not to forward our writings without permission. “Wall scrubbing” is the term used to describe the deletion of Facebook posts.

Sociologist danah boyd has written about teens who systematically delete every post they make on Facebook soon after they make it. Apps such as Wickr just automate the process. And it turns out there’s a huge market in that.

Ephemeral conversation is easy to promise but hard to get right. In 2013, researchers discovered that Snapchat doesn’t delete images as advertised; it merely changes their names so they’re not easy to see. Whether this is a problem for users depends on how technically savvy their adversaries are, but it illustrates the difficulty of making instant deletion actually work.

The problem is that these new “ephemeral” conversations aren’t really ephemeral the way a face-to-face unrecorded conversation would be. They’re not ephemeral like a conversation during a walk in a deserted woods used to be before the invention of cell phones and GPS receivers.

At best, the data is recorded, used, saved and then deliberately deleted. At worst, the ephemeral nature is faked. While the apps make the posts, texts or messages unavailable to users quickly, they probably don’t erase them off their systems immediately. They certainly don’t erase them from their backup tapes, if they end up there.

The companies offering these apps might very well analyze their content and make that information available to advertisers. We don’t know how much metadata is saved. In Snapchat, users can see the metadata even though they can’t see the content and what it’s used for. And if the government demanded copies of those conversations — either through a secret NSA demand or a more normal legal process involving an employer or school — the companies would have no choice but to hand them over.

Even worse, if the FBI or NSA demanded that American companies secretly store those conversations and not tell their users, breaking their promise of deletion, the companies would have no choice but to comply.

That last bit isn’t just paranoia.

We know the U.S. government has done this to companies large and small. Lavabit was a small secure e-mail service, with an encryption system designed so that even the company had no access to users’ e-mail. Last year, the NSA presented it with a secret court order demanding that it turn over its master key, thereby compromising the security of every user. Lavabit shut down its service rather than comply, but that option isn’t feasible for larger companies. In 2011, Microsoft made some still-unknown changes to Skype to make NSA eavesdropping easier, but the security promises they advertised didn’t change.

This is one of the reasons President Barack Obama’s announcement that he will end one particular NSA collection program under one particular legal authority barely begins to solve the problem: the surveillance state is so robust that anything other than a major overhaul won’t make a difference.

Of course, the typical Snapchat user doesn’t care whether the U.S. government is monitoring his conversations. He’s more concerned about his high school friends and his parents. But if these platforms are insecure, it’s not just the NSA that one should worry about.

Dissidents in the Ukraine and elsewhere need security, and if they rely on ephemeral apps, they need to know that their own governments aren’t saving copies of their chats. And even U.S. high school students need to know that their photos won’t be surreptitiously saved and used against them years later.

The need for ephemeral conversation isn’t some weird privacy fetish or the exclusive purview of criminals with something to hide. It represents a basic need for human privacy, and something every one of us had as a matter of course before the invention of microphones and recording devices.

We need ephemeral apps, but we need credible assurances from the companies that they are actually secure and credible assurances from the government that they won’t be subverted.

This essay previously appeared on

TorrentFreak: Civil Rights Lawyer To Fight U.S. Govt. in Internet Piracy Case

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In the summer of 2012, the FBI, with assistance from French and Dutch police, shut down three sites that offered Android apps outside Google’s ecosystem.

The action was heralded as ground-breaking, with the authorities seizing the domains of these alternative stores and putting up the now-infamous FBI banner to inform visitors of their fate. Together it was claimed the sites were responsible for millions of dollars in losses to software producers.

News of the shutdowns came in August 2012, but it took until last week for the U.S. Government to provide a significant update. The Department of Justice revealed that two of the three operators of the Appbucket site had signed a plea deal with the Government and now face sentencing in June.

But while the Appbucket guys appear to have accepted their fate, the former admin of Applanet certainly has not. Speaking with TorrentFreak, Attorney Rain Minns says her client is still under fire, but won’t be giving in.

“It is extremely unfortunate that some of the young people targeted by the government’s dragnet have been forced to plead guilty,” Minns told TF.

“But this is an inevitable, and incredibly sad and disheartening, consequence when the United States unleashes the power and resources of the most powerful nation on earth against defenseless citizens who, like Aaron, care about free and open world-wide access to publicly available information, and who have not earned any significant income for their efforts.”

But while Minns says that the mere threat of a long prison term is enough for even the most innocent citizen to plead guilty, that isn’t going to be happening in Aaron’s case.

FBI Seizure

“Aaron is an extraordinarily brave and ethical young man, who is not willing to buckle under the pressure of the government’s abusive practices. He believes that someone should stand up to abuse of power, and he is willing to put himself at risk if that is the only way to keep information sites free and open.”

To that end and in an effort to level the playing field against the Government, Minns informs TF that Aaron’s legal team has just received a significant boost.

“After an extensive vetting process, I have now been joined by Attorney Antonio Ponvert III, an accomplished and much-feared civil rights lawyer from Connecticut who, to put it plainly, has enjoyed kicking the government’s ass for almost 25 years,” Minns explains.

“Antonio’s task is to take the offense in Aaron’s case, focusing on the government’s violation of state and federal civil rights laws, the First Amendment free speech implications of the government’s tactics, and the substantial reputational and financial harm that the D.O.J. has inflicted, and will continue to inflict on Aaron. One can be sure that a damages case is coming down the pike if, and when, an indictment is forthcoming.”

Through his lawyer Aaron informed TF that while it’s a pity that the Appbucket guys were “forced to buckle under the heavy-handed threats of the government”, he wishes them luck as he looks forward to his own day in court.

From the tone of the language employed by Rain Minns and by extension Antonio Ponvert, there appears to be plenty of appetite for a fight, should the Government decide to go the whole way against Aaron. If they do, Minns is confident he will prevail.

“It is not even close to a fair fight anymore. And we look forward to the battle,” she concludes.


Krebs on Security: Who Built the ID Theft Service

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Previous stories on this blog have highlighted the damage wrought by an identity theft service marketed in the underground called ssndob[dot]ru, which sold Social Security numbers, credit reports, drivers licenses and other sensitive information on more than four million Americans. Today’s post looks at a real-life identity behind the man likely responsible for building this service.

The administration page of ssndob[dot]ru. Note the logged in user,, is the administrator.


Last summer, ssndob[dot]ru (hereafter referred to as “SSNDOB”) was compromised by multiple attackers, its own database plundered. A copy of the SSNDOB database was exhaustively reviewed by The database shows that the site’s 1,300 customers have spent hundreds of thousands of dollars looking up SSNs, birthdays, drivers license records, and obtaining unauthorized credit and background reports on more than four million Americans.

Private messages and postings on various crime forums show that the service offered at ssndob[dot]ru was originally registered in 2009 at a domain called A historic records lookup purchased from shows that ssndob-search was first registered to an Armand Ayakimyan from Apsheronsk, Russia. This registrant used the email address

In 2013, a copy of the carding forum carder[dot]pro was leaked online. Forum records show that the address was used by a member who picked the username “Zack,” and who told other members to contact him on the ICQ instant messenger account 383337. On, a popular Russian social networking site, Mr. Zack is the name of a profile for a 24-year-old Armand Ayakimyan from Sukhumi, a city in western Georgia and the capital of Abkhazia — a disputed region on the Black Sea coast.

Mr. Zack lists his date of birth as August 27 and current town as Sochi, the site of the 2014 Winter Olympics (although the Mr. Zack account appears to have been dormant for some time). We can see some pictures of Mr. Ayakimyan (DOB: Aug. 27, 1989) at this profile by the same name at, a music mixing site. That profile is tied to a group profile created by an Armand Ayakimyan in Sochi.

Mr. Ayakimyan appears to have used a number of different nicknames on various forums, including “Darkill,” “Darkglow” and “Planovoi”. That’s according to the administrators of verified[dot]cm, a top Russian crime forum at which he had apparently created numerous accounts. In an amusing multi-page thread on verified, the administrators respond to multiple member complaints about Planovoi’s behavior by “doxing” him, essentially listing all of the identifiers that point from various email addresses, ICQ numbers and aliases back to accounts tied to Armand Ayakimyan.

KrebsOnSecurity attempted to reach Ayakimyan via multiple email addresses tied to his various profiles, including Facebook. An individual responding at the main Jabber address used by the operator of SSNDOB — — declined to comment for this story, saying only “Я против блога. Выберите другой сервис,” or, “I am against the blog. Choose another service.” This reply came immediately after the user of this profile updated his status message notifying customers that his identity theft service was just freshly stocked with a huge new update of personal data on Americans.

The conclusion that Ayakimyan is/was involved with the operation of SSNDOB is supported with evidence gathered from Symantec, which published a blog post last week linking the young man to the identity theft service. According to Big Yellow, Ayakimyan is but one of several men allegedly responsible for creating and stocking the ID theft bazaar, a group Symantec calls the “Cyclosa gang.” From their report:

“To keep their store stocked, the Cyclosa gang had to continue to attack companies for their databases of personal data. Along with the major breaches covered in Krebs’ report, Symantec found that the Cyclosa gang compromised a number of other firms. In May 2012, the Cyclosa gang breached a US-based credit union. A few months later, they compromised a bank based in California, USA, and a Georgian government agency. While the Georgian agency may not have a lot of information pertaining to US and UK citizens, it’s possible that this attack was of personal interest to the Cyclosa gang, considering Armand’s background.”

“At the start of 2009, evidence emerged of Armand’s partnership with three other people who used the handles ‘Tojava’, ‘JoTalbot’ and ‘DarkMessiah’ on cybercrime forums. There may be other players involved with this organization but these four individuals appear to be the main actors in this group. The four of them carried out numerous acts of cybercrime, such as conducting malware-based search engine optimization and pay-per-click schemes. They also bought and sold hijacked chat accounts, botnet traffic, and personal and financial information. Armand’s relationship with Tojava was vital for the formation of SSNDOB. Tojava was allegedly responsible for introducing Armand to the world of cybercrime and carding. We believe that Tojava created many of SSNDOB’s technical features, such as its search engine and its social security number query scripts.”

I created the following mind map to keep track of various identities and contact addresses apparently used by Ayakimyan over the years.


As Symantec alludes, the owners of SSNDOB appear to have supplemented their stock of personal data by hacking into some of the largest data brokers in America. As I wrote in a September 2013 exclusive story — Data Broker Giants Hacked by Identity Theft Service — the operators of SSNDOB also ran a very small botnet that hooked directly into servers owned and operated by some of the biggest personal information brokers on the planet — including LexisNexis, Kroll and Dun & Bradstreet.

One of two bots connected to SSNDOB that was inside of LexisNexis.


There is no direct evidence that the hackers behind SSNDOB managed to tap directly into consumer data stores maintained by these brokers; LexisNexis said it found no signs of consumer data exfiltration, and the other two firms acknowledged the break-ins but left it at that. But given their line of work, it seems unlikely that the hackers wasted such an opportunity; the person(s) in control of that botnet had access to the hacked servers for at least five months before they were discovered.

Meanwhile, it’s unclear whether Ayakimyan is still involved with SSNDOB. As Symantec notes, “Armand appears to have made a few career moves throughout his adult life, including working in a photo studio and becoming a sales manager for a cosmetics firm. He also considered using his technical skills for legitimate work, as he discussed creating an online dating service and a real estate website for properties in Abkhazia. However, neither of these services became a reality. In 2013, Armand appeared to be working at a church in Russia.”

As I mentioned at the top of this post, sometime in 2013, SSNDOB was hacked — its entire store of four million consumer records plundered (these were merely the records that customers of SSNDOB had paid the service to look up). According to information obtained by KrebsOnSecurity, the database and service was compromised by the same group of young American hackers responsible for launching exposed[dot]su, a site erected to leak the personal data of celebrities and public figures, including First Lady Michelle Obama, then-director of the FBI Robert Mueller, and U.S. Attorney General Eric Holder, among many others (see screen shot below).

Exposed[dot]su was built with the help of identity information obtained and/or stolen from ssndob[dot]ru.

TorrentFreak: Android App Pirates Plead Guilty to Criminal Copyright Infringement

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

With help from French and Dutch police, the FBI took over the “pirate” Android stores, and during the summer of 2012.

The domain seizures were the first ever against “rogue” mobile app marketplaces and followed similar actions against BitTorrent and streaming sites.

Yesterday the Department of Justice announced that two of the three admins of the Appbucket site have pleaded guilty to criminal copyright infringement. Nicholas Narbone, 26, and Thomas Dye, 21, both signed a plea deal with the Government and are currently scheduled to be sentenced in June.

No information was provided on the third Appbucket defendant, Thomas Pace, who was primarily responsible for finding copies of Android apps and managing the site’s servers.

The authorities estimate that more than a million apps were traded via Appbucket, with a retail value of approximately $700,000. Over the course of two years the site itself generated a little over $80,000 in proceeds from subscriptions.

Seizure Banner


Acting Assistant Attorney General David O’Neil is happy with the guilty pleas, which are the first of their kind.

“These mark the first convictions secured by the Justice Department against those who illegally distribute counterfeit mobile apps,” O’Neil says.

“These men trampled on the intellectual property rights of others when they and other members of the Appbucket group distributed more than one million copies of pirated apps.”

Besides Appbucket, there are also cases pending against the operators of Snappzmarket and Applanet. The founder of Applanet previously launched a crowdfunding campaign to pay for his defense, but only managed to raise $1,029 of the required $50,000.

The FBI, meanwhile, is already on the lookout for its next targets.

“The FBI will continue to work with its various law enforcement partners in identifying, investigating, and presenting for prosecution those individuals and groups engaged in such criminal activities that involve the attempt to profit from the hard work and the developed creative ideas of others,” FBI Special Agent Johnson says.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Errata Security: Weev’s lawyers appear in court

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Some observations from today’s appeal hearing of Weev (the notorious case of someone convicted of accessing public info).

What was it?

Andrew “Weev” Auernheimer was convicted of conspiring to violate the CFAA, and was sentenced a year ago to 41 months in jail. His lawyers appealed, the prosecutors submitted a reply brief, his lawyers submitted a reply to the reply brief. Today they got in front of the three judges of the Third Circuit Court to fight it out. Each side got to talk for 15 minutes, and the judges peppered them with questions.

The online media

I saw representatives from Verge, Vice, and DailyDot – the typical sort of online journalism sites. I didn’t see the traditional media – judging by who I saw scribbling in their little reporter’s notebooks.

All electronics were banned — including laptops and Kindles. I asked the guard about this. He confirmed it was “highly unusual” (his words). He showed me the signed order stating that for today, and only today, nobody was allowed to have electronics.

…except for Weev’s attorneys. It was fun watching other attorneys complaining as they had to give up their cellphones, too.

By the way, the bomb sniffing dog I saw coming out of the courtroom was perfectly normal. According to the guards, he does it every day.

Update: I should mention, “highly unusual” for this building. There are actually two different authorities: one authority (I think they said “federal marshals”) who gated access to the building, and then Third Circuit Court guards gating access to the court room. It’s the court room guards who banned everything.

Update: I asked if Hanni Fakhoury, one of Weev’s lawyers who therefore could have a cellphone, could take a picture of the daily order for me. The guard got upset, stressing that all pictures inside the courthouse were completely forbidden. Hanni didn’t appear too pleased getting caught up in my drama, either. :)

The courtroom

The courthouse from the outside — because photos inside are strictly verboten.

The building itself was your typical dreary government office building, but the courtroom itself was very nice and modern. The far side was the “bench” for the three judges, in a nice Star Trek:NG configuration. In the back of the room were benches for the spectators, with room for about 40 of us.

The supporters

I’m not sure how many showed up. The room filled quickly and many were turned away. Unlike the sentencing hearing last year, where apparently some demonstrators were rambunctious, everyone was calm and respectful. Many wore suits, only a few had the stereotypical blue hair and piercings.

I did refrain from tearing off my clothes and being dragged away shouting “HACK THE PLANET” – barely.
The appeal

You can read the issues involved in the various briefs, such as this one:

There are two major points. The first is that the defense claims the reading of the CFAA is too broad. Weev was convicted of conspiring to access a website without authorization. But, the defense argues, AT&T had made information public, implicitly authorizing the public to access it.

The second major issue is “venue”. Weev was in Arkansas, his partner Spitler was in California, the servers in Georgia, and the company in Texas. There is absolutely nothing about New Jersey that makes it a more appropriate place to try the case.

Orin Kerr was the lead lawyer for the appeal, the guy standing up and arguing the position. He has experience appealing CFAA convictions (namely, the Lori Drew case). He has spent an enormous amount of time prepping for this. It’s the CFAA issue that he (and the cybersec community) wanted to argue.

However, the judges weren’t interested in the CFAA. What they were interested in was the “venue” issue. Orin started with the CFAA, the judges interrupted him, and spent almost all the half hour discussing the venue issue.
The Venue Issue

There are 94 federal districts in the United States. Right now there are some prosecutors in some of those districts with light case loads who want to make a name for themselves by prosecuting you for hacking. You might find yourself snapped up and shipped off to Alaska to face charges for something that has nothing to do with Alaska. (Not my argument — reflecting the argument Orin made.)

This is the crux of the “venue” argument. Back in the 1770s, one of the “grievances” that led to the American Revolution was that colonists would be arrested and shipped back to England, where they’d be unable to defend themselves (for example, all the witnesses were back in the United States).

Therefore, not once, but twice the Constitution mentions venue (as one of the judges helpfully pointed out). According to our constitution, you can only be tried “where the crime was committed”, not shipped off to an arbitrary location to face charges.

The judges seemed partial to this issue, grilling the prosecutor to come up with a good justification why New Jersey was a constitutionally acceptable venue to try Weev – since as mentioned above, no bits of the crime were committed in New Jersey. The prosecutor had weak reasons: the FBI agent read the Gawker article in New Jersey, and some people from New Jersey were in the database grabbed by Weev’s partner – even though none of them were disclosed by Gawker.

A lot of discussion centered on CFAA language: the crime was “accessing a computer”. That “access” happened from California to Georgia. In other words, the CFAA doesn’t mention “and disclosed the accessed information”, and thus, no matter how much was disclosed in New Jersey, that’s not the crime Weev was convicted of.
The “Harmless Error” issue

Assuming the judges agree that New Jersey was an inappropriate place to try Weev, they still might not overturn the conviction based on the “harmless error” principle: that the result would’ve been the same regardless of where the trial happened.

A lot of argument was about how it’s not the result of the trial that is necessarily the harm, but the fact that the prosecutors charged Weev in the first place. As I mentioned above, it means that any prosecutor wanting to make a name for themselves can look for vague areas of cyber law and go after people anywhere in the country. This prejudiced the prosecution from the very beginning.

For example, if the court throws out the conviction on the “venue” issue, remanding the case for retrial, it might not be retried. Georgia and California, possibly the only two appropriate venues, might decide not to prosecute, reading the CFAA law more narrowly than the New Jersey district.
Orin Kerr

Orin Kerr is a law professor, and it was fun watching him in action. He stepped up to the podium with binders upon binders of stuff he might reference when questioned.

Yet, he didn’t have to consult the papers, because he had everything on the tip of his tongue. Any question the judges came up with, Orin had a thoroughly prepared answer. I’m ignorant of the law, so this may be normal, but it impressed the heck out of me.

…although Orin isn’t perfect, he’s wrong about the 4th Amendment :)
The prosecutor

I know I’m biased, but much of the prosecutor’s arguments were extremely weak. Whereas Orin stuck religiously to legal precedent, the prosecutor would try mere rhetoric, and a bit of snark, like the particular one I describe below.

I don’t mean to disparage the prosecutor. He was neither incompetent nor evil. Our side has probably put more resources into this case than the prosecutor. Also, the judges on the panel grilled him harder — teasing out where his argument was the weakest.

What else floats in water

At one point, for no particular reason, the prosecutor pointed out that Spitler (Weev’s partner) downloaded iOS, did some decryption, and wrote a script. He said “I don’t even understand it – but I don’t know how you could call this anything other than hacking”. This isn’t an exact quote; I had to grab the notebook/pen from the Verge reporter sitting in front of me and write down as much of the quote as I could remember. We’ll have to wait for the transcripts to be published to get what he said exactly.

What the prosecutor said was essentially the Monty Python bit from Holy Grail: if she weighs as much as a duck, she must be a witch. BURN HER.

That the prosecutor doesn’t understand Spitler’s actions doesn’t mean Spitler is a witch – it just means the prosecutor is an uneducated villager.

What Spitler did is perfectly normal. Legitimate people do this sort of thing all the time. Engineers do this. Nerdy teenagers do this. I can teach you how to do it in a couple hours.

For example, that’s how the Google search engine came about. Before you do a search, Google must “index” the Internet. It does this by creating a script that downloads a complete copy of every website. If what Spitler did was some sort of evil witchcraft, then what Google does is even worse.

The precedent set by the CFAA case is to make all us engineers witches, making what we do illegal, purely because federal prosecutors don’t understand it.

Maybe there is a good reason to broadly interpret the CFAA to cover Weev’s actions, but this snarky comment from the prosecutor isn’t it. It’s just torches-and-pitchforks reasoning, not valid legal theory. Weev is a controversial figure; his good will alone wouldn’t bring out so many people in support. Likewise, most don’t understand legal issues like venue. Instead, the thing that filled the courtroom with activists was precisely this rhetoric by prosecutors.
Predictions on the outcome

It’s impossible to say.

The judges seemed real keen on the venue argument. I suspect they’ll overturn the conviction based on that, forcing a retrial in another venue. This may be good or bad for Weev, because it means different charges can be brought (e.g. to include drug offenses).

Regardless, it’d be an awesome ruling for the cybersec community, reducing the chance us colonists in cyberspace will get sent to Hawaii for trial.

As a final note, here’s a theory: judges like the venue issue because it’s law, not technology. If they can throw out the conviction based on venue, then they won’t need to consider the CFAA issue, either “yes” or “no”. That they understand legal code better than Perl code may nudge them toward that ruling. If they uphold venue, then they’ll have to spend more time reading HTTP RFCs.

Update: After this appeal, there are only two more options. The first is that the Third District re-hears the appeal en banc with all the judges instead of the panel of three in this case. The second is that the Supreme Court might take up the case. Lawyers tell me the chance of either is remote.

TorrentFreak: WWE Lawyer Offers Gifts to Obtain Streaming Pirate’s Home Address

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

After launching its own streaming network and speculation surrounding a takeover, World Wrestling Entertainment (WWE) is now worth a reported $2.3 billion.

Like many large entertainment industry companies, WWE is an aggressive protector of its copyrights and for several years has been pursuing companies and site owners who dare to step over the line. Part of that strategy is to force fan sites to hand over their domains, should they include ‘WWE’ in their URL. For owners of sites which threaten their PPV and streaming sales, things aren’t much better.

During March 2013, Facebook said that WWE Intellectual Property Director Matthew Winterroth was behind the closure of a page operated by Wrestling-Network, a site offering links to WWE streams and shows. Wrestling-Network operator ‘BeBe’ was told by the social network that he would need to contact the lawyer directly to solve the dispute. BeBe decided to quit Facebook and moved to Twitter instead, but by the summer WWE had raised its head again, this time after PayPal disabled an account used for the site’s finances.

BeBe says that in October WWE sent a takedown notice to Cloudflare, who handed over the details of the site’s actual host. For a few months things went calm, but last week all that changed. PayPal closed the site’s new account which had been opened by a third-party, and Facebook shutdown Wrestling-Network’s new page and BeBe’s personal page while they were at it. At this point things took a turn for the unusual.

After being given Winterroth’s contact details by Facebook, BeBe contacted the lawyer to see what could be done.

“My Facebook page was removed, care to share why?” BeBe wrote in an email to WWE last Saturday.

Without being given any further details (aside from BeBe’s email address which is enough to connect him with Wrestling-Network via a simple Google search), Winterroth wrote straight back suggesting there might have been some kind of mistake.

“What is your name, address and Facebook page that was potentially inadvertently removed and I’ll look into it,” the lawyer wrote.

“,” BeBe responded.

Since Winterroth was the person named by Facebook as being responsible for the takedowns, it would be reasonable to presume that he already knew the circumstances behind the page’s disappearance, so suggesting at this point that there might have been some kind of error seems somewhat unusual. Nevertheless, Winterroth further underlined that notion in a rather unusual follow-up email.

Needless to say, BeBe wasn’t tempted to take up the offer.

“I just woke up and while I was checking my phone, I read the email and started laughing hysterically,” BeBe informs TF.

“I mean, I heard a long time ago about a case where in order to arrest them on US territory, some guys were attracted to the USA by undercover FBI agents who promised them money and girls, but a gift bag from WWE? Really? He could at least have given me some WrestleMania tickets.”

BeBe says he politely declined the offer.

“Oh, that’s so generous of you, but no thanks,” he told Winterroth. “I just want my page back since I didn’t post any links to copyrighted materials like you claim.”

Exactly 20 minutes later, the WWE lawyer’s tone had changed.

“Thank you for your correspondence. We have shut down your Facebook page and also worked with PayPal to permanently suspend your payment processor account with them. We now have your address and whereabouts in Romania,” he explained.

“Should you not shut down the website and agree not to infringe WWE intellectual property in the future in an immediate fashion, WWE will continue to work with our counsel in Romania, as well as the relevant legal authorities, including the Ministry of Internal Affairs/Bucharest City Police and Romanian National Audiovisual Council on our ongoing criminal complaint against you.”

What followed were demands for BeBe to hand over his domain but with tempers beginning to fray, that seemed unlikely.

“[..] If you don’t know, Romania is not a state in the United States of America. Romania is a country in eastern Europe. Unless you figured it out by now, US law does not apply here and no Romanian law is being violated,” BeBe told the WWE in an Anakata-inspired response.

“Yes, this is why we are working closely with Romanian legal authorities on this matter, who have more knowledge of the current state of Romanian law that [sic] either you or I,” BeBe was informed. “Your website exists to infringe WWE intellectual property in a wholesale fashion, and such illegal use will not be tolerated.”

At this point, relations truly broke down.

“Ok, ok, I’m gonna go outside and wait for the SWAT team, or are you gonna send Seal Team 6? Well, whatever, in the meantime, you can go fuck yourself ‘Captain Skinny-Dick’,” BeBe told Winterroth.

“Oh, since you wanted my name and address, here it is: Mr. Fukhusen, 110 eatshitlane, 6800 Romania. Also, please stop with these legal threats Judge Judy, go back in your room and watch Suits and Law and Order.”

Signing off with a request for Winterroth to say “Hi” to WWE supremo Vince McMahon, BeBe severed his “negotiations” with WWE and has heard no more since.

Whether WWE will be tag-teaming with the Romanian police anytime soon remains to be seen.

Krebs on Security: The Long Tail of ColdFusion Fail

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Today’s post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions.

Last Tuesday’s story looked at two victims; the jam and jelly maker Smucker’s, and SecurePay, a credit card processor based in Georgia. Most of the companies contacted for this story did not respond to requests for comment. The few businesses listed that did respond had remarkably similar stories to tell about the ordeal of trying to keep their businesses up and running in the face of such intrusions. Each of them learned important lessons that any small online business would be wise to heed going forward.

The two companies that agreed to talk with me were both lighting firms, and both first learned of their site compromises after the credit card firm Discover alerted their card processors to a pattern of fraudulent activity on cards that were recently used at the stores., a Maple Grove, Minn. based company that sells lighting products, was among those listed in the ColdFusion botnet panel. Vice President Paul McLellan said he first learned of the breach on Nov. 7, 2013 from his company’s processor – Heartland Payment Systems.


McLellan said the unpatched ColdFusion vulnerabilities on the company’s site were certainly a glaring oversight. But he said he’s frustrated that his company was paying a third-party security compliance firm upwards of $6,000 a year to test for vulnerabilities and that the firm also missed the ColdFusion flaws.

“Shortly before we were told by Heartland, we paid $6,000 a year for a company to brutalize our server, for protection and peace of mind,” McLellan said. “Turns out this flaw had existed for two years and they never saw it.”

McLellan said the company received a visit from the FBI last year, and the agent said the group responsible for hitting Elightbulbs had compromised much more high-profile targets.

“The FBI investigator said, ‘Hey, don’t beat yourself up. We’ve got credit card processors and government institutions that run ColdFusion who were breached, this is small potatoes’,” McLellan said. “That was a small consolation.”

Ultimately, opted to remove the target from its back by outsourcing the processing of credit cards on its site to, a third-party processing firm that specializes in securing e-commerce transactions.

“Myself and my IT director made a pact that we’re never going back to charging cards on our server, that we were going to take the site out of the equation,” McLellan said. “At first I thought it would turn away customers, but people don’t seem to mind the extra step. And for me, I get to sleep at night knowing I’m protecting my customers’ data. Personally, I’ll never go back to taking [credit cards] on the site. It’s hard enough running a small business, and I don’t want credit card theft being one of the things I have to constantly worry about.”

kichler was another lighting store ensnared by the ColdFusion botnet. Company owner Gary Fitterman said the breach cost his company a tremendous amount of money and time.

“It was like being attacked by terrorists,” Fitterman said. “When we learned what had happened, we immediately went into a frenzy, spent a ton of money to get [forensics experts] in to take a look.”

In the end, Fitterman and his team also opted to outsource the credit card processing to a third party, deciding it wasn’t worth the risk of continuing to handle it in-house.

“Now we can just concentrate on making our business grow, rather than always playing catch-up to make sure we have latest and greatest,” Fitterman said. “It’s not worth the risk. I don’t think there’s that much information out there to make small businesses like me aware of everything you should be aware of before this happens to you.”

Also among the four dozen or so sites enslaved in the ColdFusion botnet was the Web storefront for LaCie, a hardware company that specializes in external hard drives.


Clive Over, director of corporate communications for LaCie owner Seagate, said the company has investigated the incident and has so far found no indication that any customer data was compromised in the attack.

“This week, the Company received information indicating a server hosting may have been maliciously targeted and possibly breached at some point during calendar 2013,” Over said in an emailed statement. “Privacy and security is of utmost importance to the Company, and we therefore took immediate action to investigate this matter as soon as we became aware of it. The Company has conducted a preliminary investigation and, at this time, we are not aware that company or third party information was improperly accessed. The Company is currently working closely with third party experts to do a deeper forensic analysis.”

Adobe ColdFusion vulnerabilities have given rise to a number of high profile attacks in the past. In February, a hacker in the U.K. was charged with accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses using ColdFusion flaws. According to this Business Week story, Lauri Love was arrested in connection with a sealed case which claims that between October 2012 and August 2013, Love hacked into computers belonging to the U.S. Department of Health and Human Services, the U.S. Sentencing Commission, Regional Computer Forensics Laboratory and the U.S. Department of Energy.

Update, 12:15 p.m. ET: The Guardian reported today about another apparent victim of ColdFusion fail: the carmaker Citroen.

Source Code in TV and Films: House of Cards, S02E12 (“Chapter 25”) Gavin Orsay…

This post was syndicated from: Source Code in TV and Films and was written by: blackholesnrevelations. Original post: at Source Code in TV and Films

House of Cards, S02E12 (“Chapter 25”)

Gavin Orsay (Jimmi Simpson) shows an FBI agent he has access to eight of AT&T’s datacenters by showing the agent a console scrolling through some Java source code that reads a file into a string.

Krebs on Security: Thieves Jam Up Smucker’s, Card Processor

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Jam and jelly maker Smucker’s last week shuttered its online store, notifying visitors that the site was being retooled because of a security breach that jeopardized customers’ credit card data. Closer examination of the attack suggests that the company was but one of several dozen firms — including at least one credit card processor — hacked last year by the same criminal gang that infiltrated some of the world’s biggest data brokers.

Smucker’s alerts Website visitors.

As Smucker’s referenced in its FAQ about the breach, the malware that hit this company’s site behaves much like a banking Trojan does on PCs, except it’s designed to steal data from Web server applications.

PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.

The malware that tore into the Smucker’s site behaved similarly, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers were submitting the data during the online checkout process.

What’s interesting about this attack is that it drives home one important point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session. With Zeus, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).
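An added illustration of the point made above and of the fix the lighting merchants described later in the page chose (outsourcing card entry to a processor): a stand-in for a server-resident form grabber records what the merchant application receives after TLS termination, and the two checkout architectures are compared for what such an implant could have captured. This is constructed example code, not code from the article, from any real malware, or from any of the companies named; all field names, the processor stub and the sample submission are made up.

```python
"""Constructed example: why a compromised web server sees checkout data in
the clear regardless of TLS, and how processor-hosted card entry changes
what that compromise can observe. Nothing here is real malware or a real
payment API."""
import re
import secrets
from dataclasses import dataclass, field

# Constructed checkout submission; the card number is a well-known test PAN.
SAMPLE_FORM = {
    "name": "Jane Example",
    "address": "1 Example Way, Maple Grove, MN",
    "phone": "555-0100",
    "card_number": "4111111111111111",
    "cvv": "123",
}
CARD_FIELDS = ("card_number", "cvv")
PAN_RE = re.compile(r"\b\d{13,19}\b")  # card-number-shaped digit runs


@dataclass
class ServerTap:
    """Stand-in for a form grabber resident on the merchant's web server.
    It runs after TLS has been terminated, so whatever the application
    receives, it receives in plaintext: the 'game over' point above."""
    captured: list = field(default_factory=list)

    def observe(self, form: dict) -> None:
        self.captured.append(dict(form))


class HostedProcessor:
    """Stand-in for a third-party payment processor (hypothetical). The
    browser posts card fields to it directly; the merchant only ever gets
    back an opaque token that is useless to anyone reading the merchant's
    traffic."""
    def __init__(self) -> None:
        self.vault: dict = {}

    def tokenize(self, card_number: str, cvv: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = card_number  # illustrative only, not a real vault
        return token


def checkout_in_house(form: dict, tap: ServerTap) -> dict:
    """Architecture 1: the merchant server receives the whole form, card
    data included, and charges the card itself. Anything resident on that
    server sees the card fields."""
    tap.observe(form)  # the implant reads the decoded request
    return {"order_for": form["name"], "charged": form["card_number"][-4:]}


def checkout_hosted(form: dict, tap: ServerTap, processor: HostedProcessor) -> dict:
    """Architecture 2: card fields go from the browser to the processor and
    come back as a token; only non-card fields plus the token reach the
    merchant server, so that is all the implant can observe."""
    token = processor.tokenize(form["card_number"], form["cvv"])
    merchant_form = {k: v for k, v in form.items() if k not in CARD_FIELDS}
    merchant_form["payment_token"] = token
    tap.observe(merchant_form)
    return {"order_for": merchant_form["name"], "charged": token}


def card_data_seen(tap: ServerTap) -> list:
    """Defender's review step: which captured forms held a CVV field or a
    card-number-shaped value? This is the question an incident responder
    asks when scoping what a server-side tap could have taken."""
    return [
        form for form in tap.captured
        if "cvv" in form or any(PAN_RE.search(str(v)) for v in form.values())
    ]


def compare() -> dict:
    """Run both architectures against the same submission and report how
    many captured forms contained card data under each."""
    tap_a, tap_b = ServerTap(), ServerTap()
    checkout_in_house(SAMPLE_FORM, tap_a)
    checkout_hosted(SAMPLE_FORM, tap_b, HostedProcessor())
    return {"in_house": len(card_data_seen(tap_a)),
            "hosted": len(card_data_seen(tap_b))}


if __name__ == "__main__":
    print(compare())  # {'in_house': 1, 'hosted': 0}
```

The token never matches the PAN pattern because it begins with letters and contains no internal word boundaries, so the hosted flow leaves the tap with nothing card-shaped to exfiltrate.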


When a reader first directed my attention to the Smucker’s breach notice, I immediately recalled seeing the company’s name among a list of targets picked last year by a criminal hacking group that plundered sites running outdated, vulnerable versions of ColdFusion, a Web application platform made by Adobe Systems Inc.

According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:

- An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion, Adobe Reader/Acrobat/Photoshop);

- A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll;

- A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.


Not all of the above-mentioned victims involved the exploitation of ColdFusion vulnerabilities, but Smucker’s was included in a list of compromised online stores that I regrettably lost track of toward the end of 2013, amid a series of investigations involving breaches at much bigger victims.

As I searched through my archive of various notes and the cached Web pages associated with these attackers, I located the Smucker’s reference near the top of a control panel for a ColdFusion botnet that the attackers had built and maintained throughout last year (and apparently into 2014, as Smucker’s said it only became aware of the breach in mid-February 2014).

A tiny portion of the ColdFusion botnet panel.

The botnet control panel listed dozens of other e-commerce sites as actively infected. Incredibly, some of the shops that were listed as compromised in August 2013 are still apparently infected — as evidenced by the existence of publicly-accessible backdoors on the sites. KrebsOnSecurity notified the companies that own the Web sites listed in the botnet panel (snippets of which appear above and below, in red and green), but most of them have yet to respond.

Some of the victims here — such as onetime Australian online cash exchange — are no longer in business. According to this botnet panel, Technocash was infected on or before Feb. 25, 2013 (the column second from the right indicates the date that the malware on the site was last updated).


It’s unclear whether the infection of Technocash’s secure portal ( contributed to its demise, but the company seems to have had trouble on multiple fronts. Technocash closed its doors in June 2013, after being named in successive U.S. Justice Department indictments targeting the online drug bazaar Silk Road and the now-defunct virtual currency Liberty Reserve.


One particularly interesting victim that was heavily represented in the botnet panel was SecurePay, a credit card processing company based in Alpharetta, Ga. Reached via phone, the company’s chief operating officer Tom Tesmer explained that his organization — — had in early 2013 acquired SecurePay’s assets from Pipeline Data, a now-defunct entity that had gone bankrupt.

At the time, the hardware and software that powered Pipeline’s business was running out of a data center in New York. Tesmer said that Pipeline’s servers had indeed been running an outdated version of ColdFusion, but that the company’s online operations had been completely rebuilt in CalpianCommerce’s Atlanta data center under the SecurePay banner as of October 2013.

Tesmer told me the company was unaware of any breach affecting SecurePay’s environment. “We’re not aware of compromised cards,” Tesmer said in an email. This struck me as odd, since the thieves had clearly marked much of the data they had stolen as “SecurePay” and listed the URL “” as the infected page.

Following our conversation, I sent Tesmer approximately 5,000 card transaction records that thieves had apparently stolen from SecurePay’s payment gateway and stashed on a server along with data from other victimized companies (data that was ultimately shared via third parties with the FBI last fall). The data on the attacker’s botnet panel indicated the thieves were still collecting card data from SecurePay’s gateway as late as Aug. 26, 2013.

Tesmer came back and confirmed that the card data was in fact stolen from customer transactions processed through its SecurePay payment gateway, and that SecurePay has now contacted its sponsoring bank about the incident. Further, Tesmer said the compromised transactions mapped back to a Web application firewall alert triggered last summer that the company forwarded to its data center — then located in New York.

Several servers from credit card processing firm SecurePay were compromised by the ColdFusion botmasters.

“That warning showed up while the system was not under our control, but under the control of the folks up in New York,” Tesmer said. “We fired that alert over to the network guys up there and they said they were going to block that IP address, and that was the last we heard of that.”

Turns out, SecurePay also received a visit from the FBI in September, but alas that inquiry also apparently went nowhere.

“We did get a visit from the FBI last September, and they said they had found the name SecurePay on a list of sites that they were pursuing some big hacker team about,” Tesmer said. “I didn’t associate one with the other. We had the FBI come over and have a look at that database, and they suggested we make a version of our system and set that one aside for them and create a new system, which we did. They said they would get back in touch with us about their findings on the database. But we never heard from them again.”

Tomorrow, we’ll look at Part II of this story, which examines the impact that this botnet has had on several small businesses, as well as the important and costly lessons these companies learned from their intrusions.

Schneier on Security: DDoSing a Cell Phone Network

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Interesting research:

Abstract: The HLR/AuC is considered to be one of the most important network elements of a 3G network. It can serve up to five million subscribers and at least one transaction with HLR/AuC is required for every single phone call or data session. This paper presents experimental results and observations that can be exploited to perform a novel distributed denial of service attack in 3G networks that targets the availability of the HLR/AuC. More specifically, first we present an experiment in which we identified and proved some zero-day vulnerabilities of the 3G network that can be exploited by malicious actors to mount various attacks. For the purpose of our experiment, we have used off-the-shelf infrastructure and software, without any specialized modification. Based on the observations of the experiment, we reveal an Advanced Persistent Threat (APT) in 3G networks that aims to flood an HLR/AuC of a mobile operator. We also prove that the discovered APT can be performed in a trivial manner using commodity hardware and software, which is widely and affordably available.

The attack involves cloning SIM cards, then making multiple calls from different handsets in different locations with the same SIM card. This confuses the network into thinking that the same phone is in multiple places at once.

Note that this has not been tested in the field, but there seems no reason why it wouldn’t work.

There’s a lot of insecurity in the fact that cell phones and towers largely trust each other. The NSA and FBI use that fact for eavesdropping, and here it’s used for a denial-of-service attack.

Schneier on Security: Breaking Up the NSA

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission — protecting the security of U.S. communications and eavesdropping on the communications of our enemies — has become unbalanced in the post-Cold War, all-terrorism-all-the-time era.

Putting the U.S. Cyber Command, the military’s cyberwar wing, in the same location and under the same commander, expanded the NSA’s power. The result is an agency that prioritizes intelligence gathering over security, and that’s increasingly putting us all at risk. It’s time we thought about breaking up the National Security Agency.

Broadly speaking, three types of NSA surveillance programs were exposed by the documents released by Edward Snowden. And while the media tends to lump them together, understanding their differences is critical to understanding how to divide up the NSA’s missions.

The first is targeted surveillance.

This is best illustrated by the work of the NSA’s Tailored Access Operations (TAO) group, including its catalog of hardware and software “implants” designed to be surreptitiously installed onto the enemy’s computers. This sort of thing represents the best of the NSA and is exactly what we want it to do. That the United States has these capabilities, as scary as they might be, is cause for gratification.

The second is bulk surveillance, the NSA’s collection of everything it can obtain on every communications channel to which it can get access. This includes things such as the NSA’s bulk collection of call records, location data, e-mail messages and text messages.

This is where the NSA overreaches: collecting data on innocent Americans either incidentally or deliberately, and data on foreign citizens indiscriminately. It doesn’t make us any safer, and it is liable to be abused. Even the director of national intelligence, James Clapper, acknowledged that the collection and storage of data was kept a secret for too long.

The third is the deliberate sabotaging of security. The primary example we have of this is the NSA’s BULLRUN program, which tries to “insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communication devices.” This is the worst of the NSA’s excesses, because it destroys our trust in the Internet, weakens the security all of us rely on and makes us more vulnerable to attackers worldwide.

That’s the three: good, bad, very bad. Reorganizing the U.S. intelligence apparatus so it concentrates on our enemies requires breaking up the NSA along those functions.

First, TAO and its targeted surveillance mission should be moved under the control of U.S. Cyber Command, and Cyber Command should be completely separated from the NSA. Actively attacking enemy networks is an offensive military operation, and should be part of an offensive military unit.

Whatever rules of engagement Cyber Command operates under should apply equally to active operations such as sabotaging the Natanz nuclear enrichment facility in Iran and hacking a Belgian telephone company. If we’re going to attack the infrastructure of a foreign nation, let it be a clear military operation.

Second, all surveillance of Americans should be moved to the FBI.

The FBI is charged with counterterrorism in the United States, and it needs to play that role. Any operations focused against U.S. citizens need to be subject to U.S. law, and the FBI is the best place to apply that law. That the NSA can, in the view of many, do an end-run around congressional oversight, legal due process and domestic laws is an affront to our Constitution and a danger to our society. The NSA’s mission should be focused outside the United States — for real, not just for show.

And third, the remainder of the NSA needs to be rebalanced so COMSEC (communications security) has priority over SIGINT (signals intelligence). Instead of working to deliberately weaken security for everyone, the NSA should work to improve security for everyone.

Computer and network security is hard, and we need the NSA’s expertise to secure our social networks, business systems, computers, phones and critical infrastructure. Just recall the recent incidents of hacked accounts — from Target to Kickstarter. What once seemed occasional now seems routine. Any NSA work to secure our networks and infrastructure can be done openly—no secrecy required.

This is a radical solution, but the NSA’s many harms require radical thinking. It’s not far off from what the President’s Review Group on Intelligence and Communications Technologies, charged with evaluating the NSA’s current programs, recommended. Its 24th recommendation was to put the NSA and U.S. Cyber Command under different generals, and the 29th recommendation was to put encryption ahead of exploitation.

I have no illusions that anything like this will happen anytime soon, but it might be the only way to tame the enormous beast that the NSA has become.

This essay previously appeared on

Slashdot thread. Hacker News thread.

The Hacker Factor Blog: Life of Brian

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

As someone who develops forensic tools, I get a good amount of interaction with people in law enforcement. There’s a truism that they will all tell you: “We don’t catch the smart ones.” This is a phrase that keeps going through my head when I read postings by tech journalist Brian Krebs.

(Full disclosure: I’ve chatted with Brian at conferences. He’s a very nice guy. And while we are not drinking buddies, he does know me on sight. When he sees me, his first words are usually, “Uh oh, here comes trouble.”)

For people who don’t know Brian Krebs, he’s the guy who broke the story about last November’s Target compromise. And his non-stop exposure of McColo back in 2005 resulted in an 86% drop in spam worldwide.

Target and McColo are just a few of his big exposés. Last October, he reported on a massive compromise at Adobe. If you follow his blog, Krebs on Security, then you’ve noticed that he has a couple of big stories every year, and lots of smaller findings. As someone in the tech industry, you pay attention to what Brian says. Corporations dread being mentioned because it’s almost certainly about a compromise. And people involved in illegal activities definitely don’t want Brian to focus on them, because Brian has an incredible track record of reports that lead to big takedowns and arrests.

Shoot The Messenger

Of course, Brian’s success has made him a target for revenge attacks by criminals. Among the more notable actions they have taken:

  • Swatted. Brian was the victim of ‘swatting’. That’s when the SWAT (Special Weapons And Tactics) police squad is called to your home. In this case, the bad guys spoofed his home phone number and called the police to report a home invasion. This swatting was in response to Brian writing about a Russian ID-theft ring.
  • Framed for drugs. Following a series of postings in 2013, criminals sent heroin to Brian’s address and tipped the police off about the drugs. They tried to get Brian arrested for possession. (It didn’t work, but it was an interesting approach.)
  • Denial-of-Service. Brian’s web site has repeatedly been the victim of denial-of-service attacks. These network attacks attempt to make the site unreachable for users. Just this week, he was hit by a truly huge attack that averaged 200-400 Gbps. I guess the thinking is that this temporary inconvenience might be intimidating…
  • Tree. I can’t make this up. Some lady wearing a mask walked up to his house and cut down his tree.

More recently, Brian has been covering malware authors. In response, these authors have begun to embed Brian’s name in the malware.

I’m not exactly sure what the virus authors expect out of embedding a message like “Coded by BRIAN KREBS for personal use only. I love my job & wife.” Do they think the FBI will accuse Brian of creating this virus? Do they think it will threaten his job security? (Hint: He’s self-employed. You can’t threaten his job.)

Barking Up The Wrong Tree

In computer security, there is the concept of “security by obscurity” (SbO). If the only thing protecting your security is a lack of others knowing the secret, then you have no practical security. The people behind McColo and the (Velvet) Cybercrime Underground and the denial-of-service attack were only protected by SbO. Brian may be the person who first made the story public, but I’m certain that he was not the first person to know their secret. The fact that someone knew enough to tip off Brian means that the bad guys were already bound for failure.

We can even view this as a hypothetical. Let’s say that these intimidation techniques make Brian give up journalism. Maybe he becomes too scared to write. Maybe someone pays him enough to stop. Maybe he just decides to retire… The knowledge is still out there and the tips will still come in. If the tips don’t go to Brian, then they will go to other journalists. Stopping one reporter will not stop the story and won’t prevent law enforcement from following the trail.

Brian’s reputation plays a big role in his success at reporting the big stories. He is one of the most trusted reporters in a field that is inherently untrusting. This means that anyone with a tip or odd observation is more likely to confide in Brian than any other reporter.

When I hear about these attacks against Brian, I cannot help but think how stupid these people are. If these people were smart, then they would realize that Brian is just the messenger. Before Brian’s first report, the secret protecting the bad guys is already compromised — and that compromise becomes the first tip.

Schneier on Security: What Information Are Stun Guns Recording?

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

In a story about a stolen Stradivarius violin, there’s this:

Information from a stun gun company, an anonymous tip and hours of surveillance paved the way for authorities to find a stolen 300-year-old Stradivarius violin in the attic of a Milwaukee home, police said Thursday.


Taser International, the maker of the stun gun used in the attack, “provided invaluable information” that the FBI tracked down in Texas and ultimately led police to Universal Allah, a Milwaukee resident, Police Chief Edward Flynn said Thursday.

The criminals stunned a musician as he was leaving a show at church, and drove off with his multimillion-dollar violin. What information could the stun gun company give the police that would be invaluable? Is it as simple as knowing who purchased the weapon, which was dropped at the scene? Or something weirder?

EDITED TO ADD (2/18): This may be it:

As the Milwaukee Police and the FBI began to conduct the investigation they reached out to us at TASER in order to identify possible suspects in the case. This was accomplished thanks to our Anti-Felon Identification tags (AFID). The AFID program enforces accountability for each use of a TASER device. This system releases dozens of confetti-sized markers upon discharge of a CEW cartridge. Each AFID contains a serial number that tracks back to the original purchaser of the cartridge. The large number of AFIDs and their small size makes it impractical to clean up. Therefore, law enforcement can pick up one AFID and contact TASER International for a complete trace on the serial number.

At the time of purchase, we verify the identity and background of the prospective buyer with the understanding that we will not release the information and it will be kept confidential unless a TASER device is used in the commission of a crime. This information proved invaluable during the investigation on the Stradivarius violin. “We worked very closely with TASER International who provided us invaluable information that the FBI was able to track down for us in Texas,” said Chief Flynn, “That information led us to an individual who had purchased this device.”

TorrentFreak: Busted Android Store Founder to Crowdfund Battle Against U.S. Govt

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

At age 15 most teenagers are having fun online and Aaron from Mississippi was no exception. But while most are chatting on Facebook or watching videos on YouTube, this young man had bigger things in mind.

Before his 16th birthday Aaron had launched Applanet, a service dedicated to the sharing of Android software. While the site’s growth and success was undoubtedly exciting for the teenager, by his 18th birthday things had taken a turn for the worse.


On the morning of August 21, 2012, heavily armed FBI agents raided Aaron’s parents’ home, described in official documents as a “one-story house, gray in color” and pictured with a sit-down lawnmower outside. The lack of any kind of criminal record didn’t dampen the official response from federal agents.

“They were fully armed, because you know how dangerous a recently turned 18-year-old geek with no criminal history can be,” Aaron’s friends now explain.

“The mighty feds got a search and seizure warrant to raid Aaron’s home and confiscate all of his stuff. They took pretty much everything that had a power cord or a battery, even if it wasn’t remotely related to apps. The house was trashed.”

Aaron House

While Aaron was trying to recover from his shock, the government was speaking with the media. The Department of Justice said that seizure orders had been executed against three website domain names –, and – which were said to have engaged in the illegal distribution of copyrighted Android apps. They were the very first seizures of their kind.

“Criminal copyright laws apply to apps for cell phones and tablets, just as they do to other software, music and writings,” U.S. Attorney Yates announced.

“These laws protect and encourage the hard work and ingenuity of software developers entering this growing and important part of our economy. We will continue to seize and shut down websites that market pirated apps, and to pursue those responsible for criminal charges if appropriate.”

Now, 18 months later, Aaron is still in limbo while the government continues to build its case against him. The 19-year-old is putting up a fight, but of course that’s costing money. The cash put up so far by his family isn’t going to get him through a trial so to try and bridge the gap his friends have launched the Friends of Aaron Indiegogo campaign. They’re aiming to raise $50K, with any surplus automatically getting donated to the EFF.

TorrentFreak caught up with Aaron’s lawyer, Rain Minns of Rain Minns Law in Austin, Texas, to find out more about the campaign and her client’s predicament.

“I can tell you a little bit about Aaron. He’s 19 years old, has never had any type of criminal record, and doesn’t even have a driver’s license. His life and friends are on-line. So, when the feds came and took his connection to the internet, they took away Aaron’s entire connection to friends,” Minns told TF.

“Friends of Aaron knows that Aaron does not have the money to fight against the massive resources that the U.S. federal government has put into this international power play. I can only guess, but I would suspect that hundreds of thousands of dollars have been spent in this attempt to throw Aaron into prison. The $50k is underestimated, but we do not need to match the feds dollar for dollar. The feds are not known for being cost effective,” Minns explains.

While Aaron is likely to be charged with offenses related to software piracy, Minns believes that her client is innocent and should respond accordingly.

“I believe that an innocent person should never plead guilty. The key for Aaron’s defense is to be able to have the funds to level the playing field against the resources of the feds,” Minns explains.

And leveling the playing field won’t be easy. Minns gave TF a list of expenses that will be burned through in defending Aaron, from the hiring of technology experts to counter the expensive ones the government will put forward to the anticipated cost of document analysts “in case the feds try to bury us in paperwork.”

“Justice is not something that should be about the size of a person’s wallet. For instance, I don’t see government raids of YouTube. To the contrary, YouTube was sued by another corporation and won the case on summary judgment (i.e. without even needing a trial). But, when it comes to a 19-year-old teenager, it’s a different story.”

The Friends of Aaron Indiegogo campaign, which carries more documentation on the raid and aftermath, can be found here.

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

Schneier on Security: 1971 Social Engineering Attack

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

From Betty Medsger’s book on the 1971 FBI burglary (page 22):

As burglars, they used some unusual techniques, ones Davidon enjoyed recalling years later, such as what some of them did in 1970 at a draft board office in Delaware. During their casing, they had noticed that the interior door that opened to the draft board office was always locked. There was no padlock to replace, as they had done at a draft board raid in Philadelphia a few months earlier, and no one in the group was able to pick the lock. The break-in technique they settled on at that office must be unique in the annals of burglary. Several hours before the burglary was to take place, one of them wrote a note and tacked it to the door they wanted to enter: “Please don’t lock this door tonight.” Sure enough, when the burglars arrived that night, someone had obediently left the door unlocked. The burglars entered the office with ease, stole the Selective Service records, and left. They were so pleased with themselves that one of them proposed leaving a thank-you note on the door. More cautious minds prevailed. Miss Manners be damned, they did not leave a note.

Krebs on Security: New Clues in the Target Breach

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network.

As I noted in  Jan. 15′s story – A First Look at the Target Intrusion, Malware – the attackers were able to infect Target’s point-of-sale registers with a malware strain that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hoovered up from all of the infected registers.

According to sources, "ttcopscli3acs" is the name of the Windows share point used by the POS malware planted at Target stores; the username that the thieves used to log in remotely and download stolen card data was "Best1_user"; the password was "BackupU$r"

That analysis looked at a malware component used in the Target breach that was uploaded to Symantec’s ThreatExpert scanning service on Dec. 18 but which was later deleted (a local PDF copy of it is here). The ThreatExpert writeup suggests that the malware was responsible for moving stolen data from the compromised cash registers to that shared central repository, which had the internal address of The “ttcopscli3acs” bit is the Windows domain name used on Target’s network. The user account “Best1_user” and password “BackupU$r” were used to log in to the shared drive (indicated by the “S:” under the “Resource Type” heading in the image above).

That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas-based BMC Software — includes an administrator-level user account called “Best1_user.”

This knowledge base article (PDF) published by BMC explains the Best1_user account is installed by the software to do routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine, customers shouldn’t concern themselves with this account because “it is not a member of any group (not even the ‘users’ group) and therefore can’t be used to login to the system.”

“The only privilege that the account is granted is the ability to run as a batch job,” the document states, indicating that it could be used to run programs if invoked from a command prompt. Here’s my favorite part:

Perform Technical Support does not have the password to this account and this password has not been released by Perform Development. Knowing the password to the account should not be important as you cannot log into the machine using this account. The password is known internally and used internally by the Perform agent to assume the identity of the “Best1_user” account.

I pinged BMC to find out if perhaps the password supplied in the Target malware (BackupU$r) is in fact the secret password for the Best1_user account. The company has so far remained silent on this question.

This was the hunch put forward by the Counter Threat Unit (CTU) of Dell SecureWorks in an analysis that was privately released to some of the company’s clients this week.

Relationships between compromised and attacker-controlled assets. Source: Dell Secureworks.

“Attackers exfiltrate data by creating a mount point for a remote file share and copying the data stored by the memory-scraping component to that share,” the SecureWorks paper notes. “In the previous listing showing the data’s move to an internal server, is the intermediate server selected by attackers, and CTU researchers believe the “ttcopscli3acs” string is the Windows domain name used on Target’s network. The Best1_user account appears to be associated with the Performance Assurance component of BMC Software’s Patrol product. According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network.”

According to SecureWorks, one component of the malware installed itself as a service called “BladeLogic,” a service name no doubt designed to mimic another BMC product called BMC BladeLogic Automation Suite. BMC spokeswoman Ann Duhon said that the attackers were simply invoking BMC’s trademark to make the malicious program appear legitimate to the casual observer, but it seems likely that at least some BMC software was running inside of Target’s network, and that the attackers were well aware of it.

Update Jan. 30, 5:48 p.m.: BMC just issued the following statement:

There have been several articles in the press speculating about the Target breach. BMC Software has received no information from Target or the investigators regarding the breach. In some of those articles, BMC products were mentioned in two different ways.

The first was a mention of a “bladelogic.exe” reference in the attack. The executable name “bladelogic.exe” does not exist in any piece of legitimate BMC software. McAfee has issued a security advisory stating that: “The reference to “bladelogic” is a method of obfuscation. The malware does not compromise, or integrate with, any BMC products in any way.”

The second reference was to a password that was possibly utilized as part of the attack, with the implication that it was a BMC password. BMC has confirmed that the password mentioned in the press is not a BMC-generated password.

At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack.

Malware is a problem for all IT environments. BMC asks all of our customers to be diligent in ensuring that their environments are secure and protected.

I parse their statement to mean that the “BackupU$r” password referenced in the Target malware is not their software’s secret password. But nothing in the statement seems to rule out the possibility that the attackers leveraged a domain user account installed by BMC software to help exfiltrate card data from Target’s network.
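As an added example (not code from the post, BMC or SecureWorks), here is a defender-side check in Python for the pattern described above: a vendor service account that is documented as holding only the batch-logon right turning up in interactive or network logons, and being used from many different registers at once. The log line format, hostnames and IP addresses are constructed for the example; only the domain string and account name are the ones the post cites.

```python
"""Flag session logons by vendor service accounts that are documented as
unable to log on (added example; log format and sample values constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Accounts a vendor documents as "cannot be used to login". The only one the
# post names is BMC's Best1_user; add others from your own vendor docs.
NO_LOGON_ACCOUNTS = {"best1_user"}

# Windows logon types that open a real session. Batch logon (type 4) is the
# only right Best1_user is documented to hold, so it is deliberately absent.
SESSION_LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive"}

# Distinct sources above which a single service account looks like a fan-in
# exfiltration point (many registers copying to one share). Assumed threshold.
FAN_IN_THRESHOLD = 3


@dataclass
class LogonEvent:
    event_id: int     # 4624 = successful logon in the Windows Security log
    account: str
    domain: str
    logon_type: int
    source_ip: str
    host: str


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'key=value' log line (not a real Windows export)."""
    fields: Dict[str, str] = dict(part.split("=", 1) for part in line.split())
    return LogonEvent(
        event_id=int(fields["EventID"]),
        account=fields["Account"],
        domain=fields["Domain"],
        logon_type=int(fields["LogonType"]),
        source_ip=fields["SourceIP"],
        host=fields["Host"],
    )


def find_anomalies(events: List[LogonEvent],
                   watch: Set[str] = NO_LOGON_ACCOUNTS) -> List[str]:
    """Return one finding per disallowed session logon, plus a fan-in finding
    when a watched account is used from FAN_IN_THRESHOLD or more sources."""
    findings: List[str] = []
    sources_by_account: Dict[str, Set[str]] = {}
    for ev in events:
        if ev.event_id != 4624:
            continue
        name = ev.account.lower()
        if name not in watch:
            continue
        kind = SESSION_LOGON_TYPES.get(ev.logon_type)
        if kind is None:          # batch logon: what the vendor says is expected
            continue
        findings.append(f"{ev.domain}\\{ev.account}: {kind} logon on "
                        f"{ev.host} from {ev.source_ip}")
        sources_by_account.setdefault(name, set()).add(ev.source_ip)
    for name, sources in sources_by_account.items():
        if len(sources) >= FAN_IN_THRESHOLD:
            findings.append(f"{name}: session logons from {len(sources)} "
                            f"distinct sources (possible shared drop point)")
    return findings


def analyze(log_text: str) -> List[str]:
    """Parse a block of constructed log lines and run the checks over them."""
    events = [parse_event(ln) for ln in log_text.splitlines() if ln.strip()]
    return find_anomalies(events)


# Constructed sample: one expected batch logon by the agent on its own host,
# three network logons from different register subnets to a file server, and
# an unrelated account that should not be flagged.
SAMPLE_LOG = """\
EventID=4624 Account=Best1_user Domain=ttcopscli3acs LogonType=4 SourceIP=127.0.0.1 Host=MON01
EventID=4624 Account=Best1_user Domain=ttcopscli3acs LogonType=3 SourceIP=10.0.5.21 Host=FILESRV01
EventID=4624 Account=Best1_user Domain=ttcopscli3acs LogonType=3 SourceIP=10.0.5.22 Host=FILESRV01
EventID=4624 Account=Best1_user Domain=ttcopscli3acs LogonType=3 SourceIP=10.0.5.23 Host=FILESRV01
EventID=4624 Account=backupsvc Domain=ttcopscli3acs LogonType=3 SourceIP=10.0.5.21 Host=FILESRV01
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```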

Original story:

According to a trusted source who uses mostly open-source data to keep tabs on the software and hardware used in various retail environments, BMC’s software is in use at many major retail and grocery chains across the country, including Kroger, Safeway, Home Depot, Sam’s Club and The Vons Companies, among many others.

A copy of the SecureWorks report is here (PDF). It contains some fairly detailed analysis of this and other portions of the malware used in the Target intrusion. What it states up front that it does not have — and what we still have not heard from Target — is how the attackers broke in to begin with….


The folks at Malcovery (full disclosure: Malcovery is an advertiser on this blog) have put together a compelling case that the avenue of compromise at Target stemmed from an SQL injection attack. Malcovery notes that techniques that may be similar to the Target breach were used by the Alberto Gonzalez gang, as illustrated in an indictment against Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov and Dmitriy Smilianet (see Hacker Ring Stole 160 Million Credit Cards for more information on these guys).

As that report notes, Drinkman and his associates were co-conspirators of Albert Gonzalez (famous for the TJX breach), Damon Toey, and Vladislav Horohorin (BadB). Drinkman and his gang of Russian hackers were active from at least August 2005 through at least July 2012 and were charged with stealing data from NASDAQ, 7-Eleven, Carrefour, JCPenney, Hannaford Brothers, Heartland Payment Systems, Wet Seal, Commidea, Dexia Bank, JetBlue Airways, Dow Jones, an unspecified bank in Abu Dhabi, Euronet, Visa Jordan, Global Payment Systems, Diners Singapore (a regional branch of Diner’s Club), and Ingenicard.

Malcovery’s CTO and co-founder Gary Warner writes:

“In each of these cases, an SQL Injection attack resulted in malware being placed on the network and credit card or personal information being exfiltrated from the network. According to the indictment for the above, Gonzalez and Toey would travel to retail outlets and make observations about which Point of Sale terminal software was being used, afterwards, they would pass the information to the hacker crew who would penetrate the network, customize and load the malware, and exfiltrate the stolen data.”

A copy of the Malcovery report can be downloaded here.


An advertisement for "Eagle Claw," a base of more than 2 million card "dumps" stolen from Target.

Meanwhile, the cybercrook known as Rescator and his merry band of thieves who are selling cards stolen in the Target breach continue to push huge new batches of stolen cards onto the market. In an update on Jan. 21, Rescator’s network of card shops released for sale another batch of two million cards apparently stolen from Target, a collection of cards which these crooks have dubbed “Eagle Claw.”

Working with several banks anxious to know whether this batch of two million cards really was from Target (or else some other recent breach like Neiman Marcus), we were able to determine that all of the cards purchased from Eagle Claw were used at Target between Nov. 27 and Dec. 15. The method behind that research was identical to that used in my previous research on this topic.

Incidentally, anyone who wants to understand the hierarchical pecking order of Rescator’s crew should check out this analysis by security researcher Krypt3ia, which examines the Lampeduza cybercrime forum of which Rescator is a leading member.

Anyone hoping that this retail breach disclosure madness will end sometime soon should stop holding their breath: In a private industry notification dated January 17 (PDF), the FBI warned that the basic code used in the point-of-sale malware has been seen by the FBI in cases dating back to at least 2011, and that these attacks are likely to continue for some time to come.

A frequency analysis of POS malware incidents assembled by Recorded Future.


“The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors,” the FBI wrote. “We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.”


Krebs on Security: Feds Infiltrate, Bust Counterfeit Card Shop

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Federal authorities in New Jersey announced a series of arrests and indictments of 14 individuals thought to be connected to an online one-stop shop selling embossed, counterfeit credit cards and holographic overlays.

According to documents released by prosecutors in New Jersey and North Carolina, the men ran or otherwise profited from the Web site fakeplastic[dot]net, which specializes in selling high-quality, custom-made counterfeit credit and debit cards, as well as holographic overlays used to create fake driver’s licenses.

A customer's purchases from fakeplastic[dot]net, which federal authorities secretly seized on Dec. 5, 2013.


The FBI and the U.S. Postal Investigative Service began investigating fakeplastic[dot]net in January 2013. Charged with running the site is 39-year-old Sean Roberson of Palm Bay, Fla. Investigators allege that Roberson began selling counterfeit cards in April 2011, and launched the site in June 2012. Since then, Roberson and two accomplices fulfilled orders for approximately 69,000 counterfeit cards — both embossed and unembossed; more than 35,000 holographic stickers used to make counterfeit cards appear more legitimate; and more than 30,000 state identification card holographic overlays. All of the orders — 36,000 parcels in total — were shipped by the site to customers via the U.S. mail.

Using a conservative estimate of loss of $500 associated with each counterfeit payment card (derived from the federal sentencing guidelines estimation of loss associated with stolen payment card information), prosecutors estimate the losses associated with just the counterfeit payment cards trafficked by Roberson and his conspirators at more than $34.5 million. The complaint against Roberson alleges that he personally made more than $1.7 million from the scheme.

According to the Justice Department, fakeplastic[dot]net was used by various groups of criminals across the country often referred to as “carding” or “cash out” crews. These crews buy stolen payment card numbers and related information – referred to as “track data” or “dumps” – which typically appear on the magnetic stripe on the back of legitimate payment cards. Illegal vendors of that information usually get it through hacking or skimming operations involving the installation of specialized equipment at ATM locations or point-of-sale terminals. The stolen data is ultimately put on a blank card and used to make unauthorized transactions.
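As an added illustration (not code from the Krebs post) of what “track data” looks like and how a defender can spot it in captured traffic, a staging file or a memory dump: a small Python detector that matches the Track 2 layout (assumed here from ISO/IEC 7813, which the post does not spell out), Luhn-checks the PAN so random digit runs are ignored, and masks the PAN before anything is logged. The sample input is constructed from standard test card numbers.

```python
"""Flag magnetic-stripe Track 2 "dumps" in captured text.

Added example (not from the Krebs post): a detector of the kind a DLP or
network-monitoring rule uses to spot track data leaving a POS network.
Track 2 layout, assumed from ISO/IEC 7813: ';' start sentinel, PAN (up to
19 digits), '=' separator, expiry YYMM, 3-digit service code, optional
discretionary data, '?' end sentinel. Sample data below is constructed
from well-known test card numbers, not real stolen data.
"""
import re

# Track 2 record: sentinels, PAN, separator, expiry, service code, rest.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list[dict]:
    """Return one finding per Luhn-valid Track 2 record found in text."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_valid(pan):
            continue            # digits that merely look like a PAN
        findings.append({
            "pan_masked": mask_pan(pan),
            "expiry": m.group("exp"),
            "service_code": m.group("svc"),
            "offset": m.start(),
        })
    return findings


# Constructed sample: what an outbound POST body carrying scraped track
# data might look like, padded with noise. 4111111111111111 and
# 5555555555554444 are standard test numbers; 4111111111111112 fails Luhn
# and must not be reported.
SAMPLE = (
    "POST /upload HTTP/1.1\r\n\r\n"
    ";4111111111111111=15121011000012345678?"
    ";4111111111111112=15121011000012345678?"
    "garbage;5555555555554444=1603201?more"
)

if __name__ == "__main__":
    for finding in find_track2(SAMPLE):
        print(finding)
```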


“More sophisticated cash out operations use custom-made counterfeit payment cards embossed with the same account numbers that have been encoded on the back of the card, and often acquire fake identification cards in order to reduce the likelihood of detection from law enforcement,” reads a press release issued Thursday by New Jersey U.S. Attorney Paul J. Fishman and U.S. Attorney Anne M. Tompkins for the Western District of North Carolina. “The criminal underground has evolved from fractured, regional operations to an Internet-based market where buyers and sellers across the globe can advertise, purchase and transmit stolen track data. The fakeplastic website brought the physical tools needed by cash out operations to the world of e-commerce, as it eliminated the need for crews to purchase expensive hardware.”

The Justice Department says that by December 2013 — when federal agents quietly assumed control over fakeplastic[dot]net, the site had more than 400 members. Members with access to the fakeplastic website and seeking to purchase counterfeit payment cards could browse the website’s available counterfeit card templates. Members could then choose whether to input specific information to be embossed on the cards and whether they wanted additional authentication features – such as holographic stickers.


As is the case with many an online scam operation, the whole thing falls apart when key members fail to exercise proper operational and personal security habits. After assuming control over the card shop, federal agents made purchases through the site to learn more about the service’s shipping methods. According to charging documents, investigators confirmed that the Fakeplastic Click-N-Ship account used to generate the tracking number associated with the undercover purchases was registered to a “Sam Adams,” with a mailing address for a university in Florida, and that the email address associated with this account was (the “Budlighthouse Gmail Account”).

After obtaining a warrant to inspect that Gmail account, federal investigators discovered that all of the Web site’s order emails were sent to this address and to a second address, a Tormail account. Tormail is a hidden service on the Tor darkweb network that allows users to send and receive email anonymously to addresses inside and outside of Tor, an anonymity network that is not reachable from the regular Internet and requires the use of special software to reach.

Interestingly, the feds used information gleaned from an incident last summer in which federal agents compromised TorMail as part of an investigation into a child pornography network. To wit:

Between July 22, 2013 and August 2, 2013, in connection with an unrelated criminal investigation, the FBI obtained a copy of a computer server located in France via a Mutual Legal Assistance Treaty request to France, which contained data and information from the Tormail email server, including the content of Tormail e-mail accounts. On or about September 24, 2013, law enforcement obtained a search warrant to search the contents of the Platplus Tormail Account, which resided on the seized Tormail server.

A key component of this investigation came from other federal actions and investigations, including the takedown of the ShadowCrew underground Web site, and the arrest of the alleged founder of Liberty Reserve, a virtual currency that went belly-up last year. When Liberty Reserve was seized by the feds, fakeplastic[dot]net switched to accepting payments via Bitcoin.

This is significant because investigators found that the Budlighthouse Gmail account contained a number of emails from Mt. Gox, a widely used Bitcoin exchanger.

“On or about August 27, 2012, the Budlighthouse Gmail Account received two withdrawal confirmation emails from Mt. Gox indicating that certain withdrawals were made from the IP address (the “Budlighthouse IP Address”).”

Investigators subpoenaed Time Warner Cable for the customer records related to that Internet address, but the ISP said it no longer had those records. So, authorities turned to Amazon because they noticed that Roberson had an Amazon account, and they tied both the purchases and references to items purchased in the Budlighthouse account to that same IP address. A subpoena to Amazon showed the account was registered to a Sean Roberson in Palm Bay, Fla., and that Roberson had purchased a number of items commonly used to make fake identification cards.

The proprietor of fakeplastic[net] announces temporary closing of the shop.


Failing to separate one’s online criminal activities from one’s personal affairs is Opsec Fail 101. And nowhere was this illustrated more clearly than in an ill-fated vacation that authorities say Roberson took at the end of 2012. According to investigators, Roberson closed his card shop from Dec. 22, 2012 through January 4, 2013, with a notice to customers stating, “Will respond to your message when I return from vacation. Sorry for the inconvenience, but I need an escape also :)”.

In August 2013, investigators subpoenaed the credit card records of Roberson’s wife, and found a trail of purchases showing that the couple had traveled to Dollywood during that Christmas break, beginning on Dec. 22. The same records showed that by Jan. 6, 2013, the Robersons were back in Palm Bay, Florida. “Law enforcement also identified a photograph of Sean Roberson with his wife and others in Dollywood, posted on the Facebook page of Roberson’s mother.”

Roberson’s mom wasn’t hard to find once one had located Roberson’s Facebook and Google Plus pages. Here’s the picture in question:


Sean Roberson, far right, at Dollywood. Sean’s mom captioned the photo “Dollyland”.

More information on this case is available in the charging document against Roberson, posted here (PDF).

Schneier on Security: Questioning the Efficacy of NSA’s Bulk-Collection Programs

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Two reports have recently been published questioning the efficacy of the NSA’s bulk-collection programs. The first one is from the left-leaning New American Foundation (report here, and one-page tabular summary here).

However, our review of the government’s claims about the role that NSA “bulk” surveillance of phone and email communications records has had in keeping the United States safe from terrorism shows that these claims are overblown and even misleading. An in-depth analysis of 225 individuals recruited by al-Qaeda or a like-minded group or inspired by al-Qaeda’s ideology, and charged in the United States with an act of terrorism since 9/11, demonstrates that traditional investigative methods, such as the use of informants, tips from local communities, and targeted intelligence operations, provided the initial impetus for investigations in the majority of cases, while the contribution of NSA’s bulk surveillance programs to these cases was minimal. Indeed, the controversial bulk collection of American telephone metadata, which includes the telephone numbers that originate and receive calls, as well as the time and date of those calls but not their content, under Section 215 of the USA PATRIOT Act, appears to have played an identifiable role in initiating, at most, 1.8 percent of these cases. NSA programs involving the surveillance of non-U.S. persons outside of the United States under Section 702 of the FISA Amendments Act played a role in 4.4 percent of the terrorism cases we examined, and NSA surveillance under an unidentified authority played a role in 1.3 percent of the cases we examined.

The second is from Marshall Erwin of the right-leaning Hoover Institute (report here, and summary here).

My conclusion is simple: neither of these cases demonstrates that bulk phone records collection is effective. Those records did not make a significant contribution to success against the 2009 plot because at the point at which the NSA searched the bulk records database, the FBI already had sufficient information to disrupt the plot. It is also unlikely that bulk collection would have helped disrupt the 9/11 attacks, given critical barriers to information sharing and as demonstrated by the wealth of information already available to the intelligence community about al-Mihdhar.

TorrentFreak: FBI Drags Google Glass Man From Theater on Piracy Fears

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Sometime during 2014 the much-anticipated Google Glass will launch to the general public. When it does, the age of the wearable computer will have truly arrived in the form of a relatively unobtrusive pair of eyeglasses.

While every technology enthusiast is bursting to at least test the device, there are concerns over its appearance. On the one hand it looks cool and futuristic, but on the other it could quickly be perceived in the same way as the original Bluetooth earpiece.

Nevertheless, in a few months’ time thousands of people will be wearing them, which will only serve to amplify the already considerable debate over the device. From the inside looking out, the integrated video camera is generating privacy worries in abundance, and just last week a San Diego traffic court threw out a traffic violation against a Californian motorist after she was accused of watching video on her Glass while driving.

And now, right on cue, for the first time a Glass user has revealed the kind of treatment people can expect from the movie industry should they dare to wear even a switched-off device in one of their establishments.

Last Saturday evening a man and his wife attended the AMC movie theater in Easton Mall, Columbus, Ohio, to watch Jack Ryan: Shadow Recruit. The Glass unit itself was switched off, but out of convenience the man had paid for prescription lenses to be fitted to the device turning them into regular glasses. Sadly, theater staff and their friends at the MPAA and FBI were geared up to presume only the worst.

“About an hour into the movie, a guy comes near my seat, shoves a badge that had some sort of a shield on it, yanks the Google Glass off my face and says ‘follow me outside immediately’. It was quite embarrassing and outside of the theater there were about 5-10 cops and mall cops,” the man told Gadgeteer.

After trying to establish the official’s identity and authority (and trying to get his property back), the man was put firmly in his place.

“You see all these cops, you know we are legit, we are with the ‘federal service’ and you have been caught illegally taping the movie,” he was told.


His protests that this was a big misunderstanding only led to the couple being split up and taken to different rooms. The man was searched and his wallet plus work and personal phones (both off) were taken away from him.

“What followed was over an hour of the ‘feds’ telling me I am not under arrest, and that this is a ‘voluntary interview’, but if I choose not to cooperate bad things may happen to me,” he explained.

“They wanted to know who I am, where I live, where I work, how much I’m making, how many computers I have at home, why am I recording the movie, who am I going to give the recording to, why don’t I just give up the guy up the chain, ’cause they are not interested in me. Over and over and over again.”

And then yet more paranoia. Even though the Google Glass was switched off the man wasn’t allowed to touch the device out of fear he would “erase the evidence.” The FBI also asked some pretty strange questions.

“Then they wanted to know what does Google ask of me in exchange for Glass, how much is Google paying me, who is my boss and why am I recording the movie,” he explained.

Finally someone had the good sense to connect the Glass up to a laptop. Five minutes later, with all the family photos viewed (some 3.5 hours after the movie began), Mr Google Glass wearer was declared an innocent man. But not to worry, since the guy from the ‘movie association’ was about to make amends.

“A guy who claimed his name is Bob Hope (he gave me his business card) came in the room, and said he was with the Movie Association and they have problems with piracy at that specific theater and that specific movie. He gave me two free movie passes ‘so I can see the movie again’,” a gesture that was subsequently upped to four passes after the revelation that AMC had called him first and he’d decided to escalate the matter to the FBI.

This kind of heavy-handed response is what people have come to expect from the movie industry when confronted by people they suspect of piracy. Sure, there’s a need for them to be vigilant, but shooting first and then asking questions later is something that could and should be avoided. Google Glass might be the first device of this type, but it won’t be the last. Expect the problems – and controversy – to continue.

Update: Homeland Security has issued a statement to the Washington Post.

“On Jan. 18, special agents with ICE’s Homeland Security Investigations and local authorities briefly interviewed a man suspected of using an electronic recording device to record a film at an AMC theater in Columbus,” said ICE spokesman Khaalid Walls. “The man, who voluntarily answered questions, confirmed to authorities that the suspected recording device was also a pair of prescription eye glasses in which the recording function had been inactive. No further action was taken.”

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

TorrentFreak: Dotcom’s Baboom Launches With Good Times For Free

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Say what you like about Kim Dotcom, but the man is certainly tenacious. After being well and truly dismantled by the combined efforts of the FBI and a New Zealand anti-terrorist force, most people would still be at home, licking their wounds.

But for this larger-than-life German with a colorful past worthy of a Hollywood movie (he’d love one of those of course), backing down was never an option. Once released from prison he picked up where he left off, building a brand new lawyer-pleasing cloud hosting company and becoming an outspoken privacy advocate and Internet surveillance critic.

Rewind more than two years, to before that frankly stunning January day in 2012: Dotcom was working on a project intended to shake up the music industry. His Megakey product was a tool designed to block ads as users browse the web, replacing them with ones from Dotcom’s own ad network. This would generate revenue to help pay for ‘free’ music, a controversial technique which led to Dotcom stating that it would only activate itself on sites in the Alexa 100 – a take-from-the-rich-and-give-to-the-poor mechanic.

It was envisioned that Megakey would dovetail with another service, Megabox, but that particular naming convention will no longer see the light of day. In 2013 Dotcom confirmed to TorrentFreak that his new music offering would be called Baboom.

Today, the eve of Dotcom’s 40th birthday and the one-year anniversary of the launch of, will also see the release of Dotcom’s brand new album, Good Times. Various tracks have already been heard around the web, from the rowdy ‘Party Amplifier’ to the Dotcom alter-ego-featuring Live My Life. With production genius Printz Board, erm, on board, the sound quality is as good as you’d expect.

Dotcom can do old-school CDs too (pic courtesy of Dotcom lawyer Ira Rothken)


Good Times is being promoted online by Dotcom himself and on radio, but it is also enjoying some traditional offline marketing, with Dotcom’s face currently plastered over the back of around 100 buses.


The really unique aspect of the album, however, is its integration into the launch today of Baboom. Billed as a ‘soft launch’ of the yet-to-debut full service, Dotcom’s album is the centerpiece and sole musical attraction.

Baboom’s only current offering, Kim Dotcom’s ‘Good Times’


At the moment the Baboom site is a fairly straightforward affair. As an early preview most features are disabled, although fans can read all about Kim, look at his pictures and videos and, of course, listen to his music. All of the tracks from the album are available to download for free in three formats – MP3, FLAC and WAV. There are also some samples to download for use in a remix competition.

Additionally, those who wish to pay for the album can do so, but no money changes hands on the Baboom site. All sales are directed to iTunes, Amazon and Bandcamp. Dotcom’s Twitter feed is embedded into his artist page but there are currently no other signs of ‘social’ elements woven into the music experience. Music discovery processes will also have to wait.

Of course there are many unanswered questions over where the service goes from here. Most iTunes- or Spotify-like streaming services have the backing of the major labels, which together provide tens of millions of licensed tracks. At this stage, considering Dotcom’s somewhat stormy relationship with U.S.-based rightsholders, it seems unlikely that Baboom will be able to compete on volume. While a focused and personal artist-to-fan experience could be on the cards, Dotcom only does big... so watch this space.

The full Baboom service is currently penciled in for a late-2014 launch.

Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

Schneier on Security: How the NSA Threatens National Security

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Secret NSA eavesdropping is still in the news. Details about once secret programs continue to leak. The Director of National Intelligence has recently declassified additional information, and the President’s Review Group has just released its report and recommendations.

With all this going on, it’s easy to become inured to the breadth and depth of the NSA’s activities. But through the disclosures, we’ve learned an enormous amount about the agency’s capabilities, how it is failing to protect us, and what we need to do to regain security in the Information Age.

First and foremost, the surveillance state is robust. It is robust politically, legally, and technically. I can name three different NSA programs to collect Gmail user data. These programs are based on three different technical eavesdropping capabilities. They rely on three different legal authorities. They involve collaborations with three different companies. And this is just Gmail. The same is true for cell phone call records, Internet chats, cell-phone location data.

Second, the NSA continues to lie about its capabilities. It hides behind tortured interpretations of words like “collect,” “incidentally,” “target,” and “directed.” It cloaks programs in multiple code names to obscure their full extent and capabilities. Officials testify that a particular surveillance activity is not done under one particular program or authority, conveniently omitting that it is done under some other program or authority.

Third, US government surveillance is not just about the NSA. The Snowden documents have given us extraordinary details about the NSA’s activities, but we now know that the CIA, NRO, FBI, DEA, and local police all engage in ubiquitous surveillance using the same sorts of eavesdropping tools, and that they regularly share information with each other.

The NSA’s collect-everything mentality is largely a hold-over from the Cold War, when a voyeuristic interest in the Soviet Union was the norm. Still, it is unclear how effective targeted surveillance against “enemy” countries really is. Even when we learn actual secrets, as we did regarding Syria’s use of chemical weapons earlier this year, we often can’t do anything with the information.

Ubiquitous surveillance should have died with the fall of Communism, but it got a new — and even more dangerous — life with the intelligence community’s post-9/11 “never again” terrorism mission. This quixotic goal of preventing something from happening forces us to try to know everything that does happen. This pushes the NSA to eavesdrop on online gaming worlds and on every cell phone in the world. But it’s a fool’s errand; there are simply too many ways to communicate.

We have no evidence that any of this surveillance makes us safer. NSA Director General Keith Alexander responded to these stories in June by claiming that he disrupted 54 terrorist plots. In October, he revised that number downward to 13, and then to “one or two.” At this point, the only “plot” prevented was that of a San Diego man sending $8,500 to support a Somali militant group. We have been repeatedly told that these surveillance programs would have been able to stop 9/11, yet the NSA didn’t detect the Boston bombings — even though one of the two terrorists was on the watch list and the other had a sloppy social media trail. Bulk collection of data and metadata is an ineffective counterterrorism tool.

Not only is ubiquitous surveillance ineffective, it is extraordinarily costly. I don’t mean just the budgets, which will continue to skyrocket. Or the diplomatic costs, as country after country learns of our surveillance programs against their citizens. I’m also talking about the cost to our society. It breaks so much of what our society has built. It breaks our political systems, as Congress is unable to provide any meaningful oversight and citizens are kept in the dark about what government does. It breaks our legal systems, as laws are ignored or reinterpreted, and people are unable to challenge government actions in court. It breaks our commercial systems, as US computer products and services are no longer trusted worldwide. It breaks our technical systems, as the very protocols of the Internet become untrusted. And it breaks our social systems; the loss of privacy, freedom, and liberty is much more damaging to our society than the occasional act of random violence.

And finally, these systems are susceptible to abuse. This is not just a hypothetical problem. Recent history illustrates many episodes where this information was, or would have been, abused: Hoover and his FBI spying, McCarthy, Martin Luther King Jr. and the civil rights movement, anti-war Vietnam protesters, and — more recently — the Occupy movement. Outside the US, there are even more extreme examples. Building the surveillance state makes it too easy for people and organizations to slip over the line into abuse.

It’s not just domestic abuse we have to worry about; it’s the rest of the world, too. The more we choose to eavesdrop on the Internet and other communications technologies, the less we are secure from eavesdropping by others. Our choice isn’t between a digital world where the NSA can eavesdrop and one where the NSA is prevented from eavesdropping; it’s between a digital world that is vulnerable to all attackers, and one that is secure for all users.

Fixing this problem is going to be hard. We are long past the point where simple legal interventions can help. The bill in Congress to limit NSA surveillance won’t actually do much to limit NSA surveillance. Maybe the NSA will figure out an interpretation of the law that will allow it to do what it wants anyway. Maybe it’ll do it another way, using another justification. Maybe the FBI will do it and give it a copy. And when asked, it’ll lie about it.

NSA-level surveillance is like the Maginot Line was in the years before World War II: ineffective and wasteful. We need to openly disclose what surveillance we have been doing, and the known insecurities that make it possible. We need to work toward security, even if other countries like China continue to use the Internet as a giant surveillance platform. We need to build a coalition of free-world nations dedicated to a secure global Internet, and we need to continually push back against bad actors — both state and non-state — that work against that goal.

Securing the Internet requires both laws and technology. It requires Internet technology that secures data wherever it is and however it travels. It requires broad laws that put security ahead of both domestic and international surveillance. It requires additional technology to enforce those laws, and a worldwide enforcement regime to deal with bad actors. It’s not easy, and has all the problems that other international issues have: nuclear, chemical, and biological weapon non-proliferation; small arms trafficking; human trafficking; money laundering; intellectual property. Global information security and anti-surveillance needs to join those difficult global problems, so we can start making progress.

The President’s Review Group recommendations are largely positive, but they don’t go nearly far enough. We need to recognize that security is more important than surveillance, and work towards that goal.

This essay previously appeared on

Schneier on Security: 1971 FBI Burglary

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Interesting story:

…burglars took a lock pick and a crowbar and broke into a Federal Bureau of Investigation office in a suburb of Philadelphia, making off with nearly every document inside.

They were never caught, and the stolen documents that they mailed anonymously to newspaper reporters were the first trickle of what would become a flood of revelations about extensive spying and dirty-tricks operations by the F.B.I. against dissident groups.

Video article. And the book.

Interesting precursor to Edward Snowden.