Posts tagged ‘research’

Schneier on Security: New Pew Research Report on Americans’ Attitudes on Privacy, Security, and Surveillance

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is interesting:

The surveys find that Americans feel privacy is important in their daily lives in a number of essential ways. Yet, they have a pervasive sense that they are under surveillance when in public and very few feel they have a great deal of control over the data that is collected about them and how it is used. Adding to earlier Pew Research reports that have documented low levels of trust in sectors that Americans associate with data collection and monitoring, the new findings show Americans also have exceedingly low levels of confidence in the privacy and security of the records that are maintained by a variety of institutions in the digital age.

While some Americans have taken modest steps to stem the tide of data collection, few have adopted advanced privacy-enhancing measures. However, majorities of Americans expect that a wide array of organizations should have limits on the length of time that they can retain records of their activities and communications. At the same time, Americans continue to express the belief that there should be greater limits on government surveillance programs. Additionally, they say it is important to preserve the ability to be anonymous for certain online activities.

Lots of detail in the reports.

Schneier on Security: Research on Patch Deployment

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

New research indicates that it’s very hard to completely patch systems against vulnerabilities:

It turns out that it may not be that easy to patch vulnerabilities completely. Using WINE, we analyzed the patch deployment process for 1,593 vulnerabilities from 10 Windows client applications, on 8.4 million hosts worldwide [Oakland 2015]. We found that a host may be affected by multiple instances of the same vulnerability, because the vulnerable program is installed in several directories or because the vulnerability is in a shared library distributed with several applications. For example, CVE-2011-0611 affected both the Adobe Flash Player and Adobe Reader (Reader includes a library for playing .swf objects embedded in a PDF). Because updates for the two products were distributed using different channels, the vulnerable host population decreased at different rates, as illustrated in the figure on the left. For Reader patching started 9 days after disclosure (after patch for CVE-2011-0611 was bundled with another patch in a new Reader release), and the update reached 50% of the vulnerable hosts after 152 days.

For Flash patching started earlier, 3 days after disclosure, but the patching rate soon dropped (a second patching wave, suggested by the inflection in the curve after 43 days, eventually subsided as well). Perhaps for this reason, CVE-2011-0611 was frequently targeted by exploits in 2011, using both the .swf and PDF vectors.

Paper.

Krebs on Security: Security Firm Redefines APT: African Phishing Threat

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

A security firm made headlines earlier this month when it boasted it had thwarted plans by organized Russian cyber criminals to launch an attack against multiple US-based banks. But a closer look at the details behind that report suggests the actors in question were relatively unsophisticated Nigerian phishers who’d simply registered a bunch of new fake bank Web sites.

The report was released by Colorado Springs, Colo.-based security vendor root9B, which touts a number of former National Security Agency (NSA) and Department of Defense cybersecurity experts among its ranks. The report attracted coverage by multiple media outlets, including Fox News, Politico, SC Magazine and The Hill. root9B said it had unearthed plans by a Russian hacking gang known variously as the Sofacy Group and APT28. APT is short for “advanced persistent threat,” and it’s a term much used among companies that sell cybersecurity services in response to breaches from state-funded adversaries in China and Russia that are bent on stealing trade secrets via extremely stealthy attacks.

The cover art for the root9B report.

“While performing surveillance for a root9B client, the company discovered malware generally associated with nation state attacks,” root9B CEO Eric Hipkins wrote of the scheme, which he said targeted financial institutions such as Bank of America, Regions Bank and TD Bank, among others.

“It is the first instance of a Sofacy or other attack being discovered, identified and reported before an attack occurred,” Hipkins said. “Our team did an amazing job of uncovering what could have been a significant event for the international banking community. We’ve spent the past three days informing the proper authorities in Washington and the UAE, as well as the CISOs at the financial organizations.”

However, according to an analysis of the domains reportedly used by the criminals in the planned attack, perhaps root9B should clarify what it means by APT. Unless the company is holding back key details about their research, their definition of APT can more accurately be described as “African Phishing Threat.”

The report correctly identifies several key email addresses and physical addresses that the fraudsters used in common across all of the fake bank domains. But root9B appears to have scant evidence connecting the individual(s) who registered those domains to the Sofacy APT gang. Indeed, a reading of their analysis suggests their sole connection is that some of the fake bank domains used a domain name server previously associated with Sofacy activity: carbon2go[dot]com (warning: malicious host that will likely set off antivirus alerts).

The problem with that linkage is although carbon2go[dot]com was in fact at one time associated with activity emanating from the Sofacy APT group, Sofacy is hardly the only bad actor using that dodgy name server. There is plenty of other badness unrelated to Sofacy that calls Carbon2go home for their DNS operations, including these clowns.

From what I can tell, the vast majority of the report documents activity stemming from Nigerian scammers who have been conducting run-of-the-mill bank phishing scams for almost a decade now and have left quite a trail.

For example, most of the wordage in this report from root9B discusses fake domains registered to one or two email addresses, including “adeweb2001@yahoo.com,” “adeweb2007@yahoo.com,” and “rolexzad@yahoo.com”.

Each of these emails has long been associated with phishing sites erected by apparent Nigerian scammers. They are tied to this Facebook profile for a Showunmi Oluwaseun, who lists his job as CEO of a rather fishy-sounding organization called Rolexzad Fishery Nig. Ltd.

The domain rolexad[dot]com was flagged as early as 2008 by aa419.com, a volunteer group that seeks to shut down phishing sites — particularly those emanating from Nigerian scammers (hence the reference to the Nigerian criminal code 419, which outlaws various confidence scams and frauds). That domain also references the above-mentioned email addresses. Here’s another phishy bank domain registered by this same scammer, dating all the way back to 2005!

Bob Zito, a spokesperson for root9B, said “the root9B team stands by the report as 100 percent accurate and it has been received very favorably by the proper authorities in Washington (and others in the cyber community, including other cyber firms).”

I wanted to know if I was alone in finding fault with the root9B report, so I reached out to Jaime Blasco, vice president and chief scientist at AlienVault — one of the security firms that first published the initial findings on the Sofacy/APT28 group back in October 2014. Blasco called the root9B research “very poor” (full disclosure: AlienVault is one of several advertisers on this blog).

“Actually, there isn’t a link between what root9B published and Sofacy activity,” he said. “The only link is there was a DNS server that was used by a Sofacy domain and the banking stuff root9B published. It doesn’t mean they are related by any means. I’m really surprised that it got a lot of media attention due to the poor research they did, and [their use] of [terms] like ‘zeroday hashes’ in the report really blew my mind. Apart from that it really looks like a ‘marketing report/we want media coverage asap,’ since days after that report they published their Q1 financial results and probably that increased the value of their penny stocks.”

Blasco’s comments may sound harsh, but it is true that root9B CEO Joe Grano bought large quantities of the firm’s stock roughly a week before issuing this report. On May 14, 2015, root9B issued its first quarter 2015 financial results.

There is an old adage: If the only tool you have is a hammer, you tend to treat everything as if it were a nail. In this case, if all you do is APT research, then you’ll likely see APT actors everywhere you look. 

Schneier on Security: More on Chris Roberts and Avionics Security

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last month I blogged about security researcher Chris Roberts being detained by the FBI after tweeting about avionics security while on a United flight:

But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There’s some serious surveillance going on.

We know a lot more of the backstory from the FBI’s warrant application. He was interviewed by the FBI multiple times previously, and was able to take control of at least some of the plane’s controls during flight.

During two interviews with F.B.I. agents in February and March of this year, Roberts said he hacked the inflight entertainment systems of Boeing and Airbus aircraft, during flights, about 15 to 20 times between 2011 and 2014. In one instance, Roberts told the federal agents he hacked into an airplane’s thrust management computer and momentarily took control of an engine, according to an affidavit attached to the application for a search warrant.

“He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” said the affidavit, signed by F.B.I. agent Mike Hurley.

Roberts also told the agents he hacked into airplane networks and was able “to monitor traffic from the cockpit system.”

According to the search warrant application, Roberts said he hacked into the systems by accessing the in-flight entertainment system using his laptop and an Ethernet cable.

Wired has more.

This makes the FBI’s behavior much more reasonable. They weren’t scanning the Twitter feed for random keywords; they were watching his account.

We don’t know if the FBI’s statements are true, though. But if Roberts was hacking an airplane while sitting in the passenger seat…wow is that a stupid thing to do.

From the Christian Science Monitor:

But Roberts’ statements and the FBI’s actions raise as many questions as they answer. For Roberts, the question is why the FBI is suddenly focused on years-old research that has long been part of the public record.

“This has been a known issue for four or five years, where a bunch of us have been stood up and pounding our chest and saying, ‘This has to be fixed,'” Roberts noted. “Is there a credible threat? Is something happening? If so, they’re not going to tell us,” he said.

Roberts isn’t the only one confused by the series of events surrounding his detention in April and the revelations about his interviews with federal agents.

“I would like to see a transcript (of the interviews),” said one former federal computer crimes prosecutor, speaking on condition of anonymity. “If he did what he said he did, why is he not in jail? And if he didn’t do it, why is the FBI saying he did?”

The real issue is that the avionics and the entertainment system are on the same network. That’s an even stupider thing to do. Also last month I wrote about the risks of hacking airplanes, and said that I wasn’t all that worried about it. Now I’m more worried.

Krebs on Security: St. Louis Federal Reserve Suffers DNS Breach

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The St. Louis Federal Reserve today sent a message to the banks it serves alerting them that in late April 2015 attackers succeeded in hijacking the domain name servers for the institution. The attack redirected Web searches and queries for those seeking a variety of domains run by the government entity to a Web page set up by the attackers in an apparent bid by cybercrooks to hijack online communications of banks and other entities dealing with the regional Fed office.

The communique, shared by an anonymous source, was verified as legitimate by a source at another regional Federal Reserve location.

The notice from the St. Louis Fed stated that “the Federal Reserve Bank of St. Louis has been made aware that on April 24, 2015, computer hackers manipulated routing settings at a domain name service (DNS) vendor used by the St. Louis Fed so that they could automatically redirect some of the Bank’s web traffic that day to rogue webpages they created to simulate the look of the St. Louis Fed’s research.stlouisfed.org website, including webpages for FRED, FRASER, GeoFRED and ALFRED.”

Requests for comment from the St. Louis Fed so far have gone unreturned. It remains unclear what impact, if any, this event has had on the normal day-to-day operations of hundreds of financial institutions that interact with the regional Fed operator.

The advisory noted that “as is common with these kinds of DNS attacks, users who were redirected to one of these phony websites may have been unknowingly exposed to vulnerabilities that the hackers may have put there, such as phishing, malware and access to user names and passwords.”

The statement continues:

“These risks apply to individuals who attempted to access the St. Louis Fed’s research.stlouisfed.org website on April 24, 2015. If you attempted to log into your user account on that date, it is possible that this malicious group may have accessed your user name and password.

The St. Louis Fed’s website itself was not compromised.

“Out of an abundance of caution, we wanted to alert you to this issue, and also make you aware that the next time you log into your user account, you will be asked to change your password. In addition, in the event that your user name and password are the same or similar as those you use for other websites, we highly recommend that you follow best practices and use a strong, unique and different password for each of your user accounts on the Internet. Click https://research.stlouisfed.org/useraccount/forgotpassword/step1 to change your user account password now.”

According to Wikipedia, the Federal Reserve Economic Data (FRED) is a database maintained by the Research division of the Federal Reserve Bank of St. Louis that has more than 247,000 economic time series from 79 sources. The data can be viewed in graphical and text form or downloaded for import to a database or spreadsheet, and viewed on mobile devices. They cover banking, business/fiscal, consumer price indexes, employment and population, exchange rates, gross domestic product, interest rates, monetary aggregates, producer price indexes, reserves and monetary base, U.S. trade and international transactions, and U.S. financial data.

FRASER stands for the Federal Reserve Archival System for Economic Research, and reportedly contains links to scanned images (PDF format) of historic economic statistical publications, releases, and documents including the annual Economic Report of the President. Coverage starts with the 19th and early 20th century for some economic and banking reports.

According to the Federal Reserve, GeoFred allows authorized users to create, customize, and share geographical maps of data found in FRED.

ALFRED, short for ArchivaL Federal Reserve Economic Data, allows users to retrieve vintage versions of economic data that were available on specific dates in history.

The St. Louis Federal Reserve is one of twelve regional Fed organizations, and serves banks located in all of Arkansas and portions of six other states: Illinois, Indiana, Kentucky, Mississippi, Missouri and Tennessee. According to the reserve’s Web site, it also serves most of eastern Missouri and southern Illinois.

No information is available at this time about the attackers involved in this intrusion, but given the time lag between this event and today’s disclosure it seems likely that it is related to state-sponsored hacking activity from a foreign adversary. If the DNS compromise also waylaid emails to and from the institution, this could be a much bigger deal. This is likely to be a fast-moving story. More updates as they become available.

Errata Security: Our Lord of the Flies moment

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

In its war on researchers, the FBI doesn’t have to imprison us. Merely opening an investigation into a researcher is enough to scare away investors and bankrupt their company, which is what happened last week with Chris Roberts. The scary thing about this process is that the FBI has all the credibility, and the researcher none — even among other researchers. After hearing only one side of the story, the FBI’s side, cybersecurity researchers quickly turned on their own, condemning Chris Roberts for endangering lives by taking control of an airplane.

As reported by Kim Zetter at Wired, though, Roberts denies the FBI’s allegations. He claims his comments were taken out of context, and that on the subject of taking control of a plane, it was in fact a simulator, not a real airplane.

I don’t know which side is telling the truth, of course. I’m not going to defend Chris Roberts in the face of strong evidence of his guilt. But at the same time, I demand real evidence of his guilt before I condemn him. I’m not going to take the FBI’s word for it.

We know how things get distorted. Security researchers are notoriously misunderstood. To the average person, what we say is all magic technobabble anyway. They find this witchcraft threatening, so when we say we “could” do something, it’s interpreted as a threat that we “would” do something, or even that we “have” done something. Important exculpatory details, like “I hacked a simulation”, get lost in all the technobabble.

Likewise, the FBI is notoriously dishonest. Until last year, they forbade audio/visual recording of interviews, preferring instead to take notes. This enshrines any misunderstandings into the official record. The FBI has long abused this, such as for threatening people to inform on friends. It is unlikely the FBI had the technical understanding to understand what Chris Roberts said. It’s likely they willfully misunderstood him in order to justify a search warrant.

There is a war on researchers. What we do embarrasses the powerful. They will use any means possible to stop us, such as using the DMCA to suppress publication of research, or using the CFAA to imprison researchers. Criminal prosecution is so one sided that it rarely gets that far. Instead, merely the threat of prosecution ruins lives, getting people fired or bankrupted.

When they come for us, the narrative will never be on our side. They will have constructed a story that makes us look very bad indeed. It’s scary how easily the FBI convicts people in the press. They have great leeway to concoct any story they want. Journalists then report the FBI’s allegations as fact. The targets, who need to remain silent lest their words be used against them, can do little to defend themselves. It’s like how in the Matt Dehart case, the FBI alleges child pornography. But when you look into the details, it’s nothing of the sort. The mere taint of this makes people run from supporting Dehart. Similarly with Chris Roberts, the FBI wove a tale of endangering an airplane, based on no evidence, and everyone ran from him.

We need to stand together or fall alone. No, this doesn’t mean ignoring malfeasance on our side. But it does mean that, absent clear evidence of guilt, we stand with our fellow researchers. We shouldn’t go all Lord of the Flies on the accused, eagerly devouring Piggy because we are so relieved it wasn’t us.


P.S. Alex Stamos is awesome, don’t let my bitch slapping of him make you believe otherwise.

Errata Security: Those expressing moral outrage probably can’t do math

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Many are discussing the FBI document where Chris Roberts (“the airplane hacker”) claimed to an FBI agent that at one point, he hacked the plane’s controls and caused the plane to climb sideways. The discussion hasn’t elevated itself above the level of anti-vaxxers.

It’s almost certain that the FBI’s account of events is not accurate. The technical details are garbled in the affidavit. The FBI is notorious for hearing what they want to hear from a subject, which is why for years their policy has been to forbid recording devices during interrogations. If they need Roberts to have said “I hacked a plane” in order to get a search warrant, then that’s what their notes will say. It’s like cops who will yank the collar of a drug sniffing dog in order to “trigger” on drugs so that they have an excuse to search the car.

Also, security researchers are notorious for being misunderstood. Whenever we make innocent statements about what we “could” do, others often interpret this either as a threat or a statement of what we already have done.

Assuming this scenario is true, that Roberts did indeed control the plane briefly, many claim that this is especially reprehensible because it endangered lives. That’s the wrong way of thinking about it. Yes, it would be wrong because it means accessing computers without permission, but the “endangered lives” component doesn’t necessarily make things worse.

Many operate under the principle that you can’t put a price on a human life. That is false, provably so. If you take your children with you to the store, instead of paying the neighbor $10 to babysit them, then you’ve implicitly put a price on your children’s lives. Traffic accidents near the home are the leading cause of death for children. Driving to the store is vastly more dangerous than leaving the kids at home, so you’ve priced that danger around $10.

Likewise, society has limited resources. Every dollar spent on airline safety has to come from somewhere, such as from AIDS research. With current spending, society is effectively saying that airline passenger lives are worth more than AIDS victims.

Does pentesting an airplane put passenger lives in danger? Maybe. But then so does leaving airplane vulnerabilities untested, which is the current approach. I don’t know which one is worse — but I do know that your argument is wrong when you claim that endangering planes is unthinkable. It is thinkable, and we should be thinking about it. We should be doing the math to measure the risk, pricing each of the alternatives.

It’s like whistleblowers. The intelligence community hides illegal mass surveillance programs from the American public because it would be unthinkable to endanger people’s lives. The reality is that the danger from the programs is worse, and when revealed by whistleblowers, nothing bad happens.

The same is true here. Airlines assure us that planes are safe and cannot be hacked — while simultaneously saying it’s too dangerous for us to try hacking them. Both claims cannot be true, so we know something fishy is going on. The only way to pierce this bubble and find out the truth is to do something the airlines don’t want, such as whistleblowing or live pentesting.

The systems are built to be reset and manually overridden in-flight. Hacking past the entertainment system to prove one could control the airplane introduces only a tiny danger to the lives of those on-board. Conversely, the current “security through obscurity” stance of the airlines and FAA is an enormous danger. Deliberately crashing a plane just to prove it’s possible would of course be unthinkable. But, running a tiny risk of crashing the plane, in order to prove it’s possible, probably will harm nobody. If never having a plane crash due to hacking is your goal, then a live test on a plane during flight is a better way of doing this than the current official polices of keeping everything secret. The supposed “unthinkable” option of live pentest is still (probably) less dangerous than the “thinkable” options.

I’m not advocating anyone do it, of course. There are still better options, such as hacking the system once the plane is on the ground. My point is only that it’s not an unthinkable danger. Those claiming it is haven’t measured the dangers and alternatives.

The same is true of all security research. Those outside the industry believe in security-through-obscurity, that if only they can keep details hidden and pentesters away from computers, then they will be safe. We inside the community believe the opposite, in Kerckhoffs’s principle of openness, and that the only trustworthy systems are those which have been thoroughly attacked by pentesters. There is a short term cost of releasing vulns in Adobe Flash, because hackers will use them. But the long term benefit is that this leads to a more secure Flash, and better alternatives like HTML5. If you can’t hack planes in-flight, then what you are effectively saying is that our belief in Kerckhoffs’s principle is wrong.

Each year, people die (or get permanently damaged) from vaccines. But we do vaccines anyway because we are rational creatures who can do math, and can see that the benefits of vaccines are a million to one times greater than the dangers. We look down on the anti-vaxxers who rely upon “herd immunity” and the fact the rest of us put our children through danger in order to protect their own. We should apply that same rationality to airline safety. If you think pentesting live airplanes is unthinkable, then you should similarly be able to do math and prove it, rather than rely upon irrational moral outrage.

I’m not arguing hacking airplanes mid-flight is a good idea. I’m simply pointing out it’s a matter of math, not outrage.

The Hacker Factor Blog: Email Delivery Errors

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Email seems like a necessary evil. While I dislike spam, I like the non-immediate nature of the communication and the fact that messages can queue up (for better or for worse). And best of all, I can script actions for handling emails. If the email matches certain signatures, then the script can mark it as spam. If it comes from certain colleagues, then the script can mark it as urgent. In this regard, I think email is better than most communication methods.

Other forms of communication have their niche, but they also have their limitations. For example:

  • Phone. If the phone is there for my convenience, then why do I have to drop everything to answer it? (Dropping everything is not convenient.) And I have never had an answering machine show me the subject of the call before listening to it. Most answering machines require you to listen to messages in the order they were received.

  • Chat rooms. Does anyone still use IRC or Jabber/XMPP? Real-time chat rooms are good if everyone is online at the same time. But if we’re all online and working together on a project, then it is just as easy to do a conference call on the phone, via Skype, or using any of those other VoIP protocols. Then again, most chat rooms do have ways to log conversations — which can be great for documenting progress.
  • Twitter. You rarely see details in 140 characters. It’s also hard to go back and see previous messages. And if you are following lots of people (or a few prolific people), then you might miss something important. (I view Twitter like the UDP of social communications… it’s alright to miss a few packets.)
  • Text messages. These are almost as bad as Twitter. At least with Twitter, I’m not charged per message.
  • Message boards. Whether it’s forum software, comments on a blog, or a private wall page at Facebook, message boards are everywhere. You can set topics, have threaded replies, etc. However, messages are restricted to members. If I am not a member of the message board, then I cannot leave you a message. (Message boards without membership requirements are either moderated or flooded with spam.) And there may be no easy way for someone to search or recall previous discussions.
  • Private messages. LinkedIn, Facebook, Flickr, Imgur, Reddit… Most services have ways to send private messages between members. This is fine if everyone you know uses those services. But messages are limited to the service.

In contrast, email permits large messages to be sent in a timely manner to people who use different services. If I cannot get to the message immediately, then it will sit in my mailbox — I will get to it when it is convenient. I can use my home email system to write to friends, regardless of whether they use Gmail, Yahoo, or Facebook. There are even email-to-anything and anything-to-email crossover systems, like If-this-then-that. Even Google Voice happily sends me email when someone leaves a message. (Google Voice also tries to translate the voice mail to text in the email. I know it’s from my brother when Google writes, “Unable to transcribe this message.”)

Clear Notifications

As automated tasks go, it is very common to have email sent as a notification. My RAID emails me monthly with the current status (“everything’s shiny!”). When one of my Linux servers had a memory failure, it emailed me.

Over at FotoForensics, I built an internal messaging system. As an administrator, I get notices about certain system events. I’ve even linked these messages with email — administrators get email when something important is queued up and needs a response. This really helps simplify maintenance — I usually get an email from the system every few days.

When users submit comments, I get a message. And I’ve designed the system to allow me to respond to the user via email. (This is why the comment form asks for an email address.) For the FotoForensics Lab service, I even configured a double-opt-in system so users can request accounts without my assistance.

And therein lies a problem… The easier it is to send messages, the easier it is to abuse it with spam. Over the decades, people have employed layers upon layers of spam detectors and heuristics to mitigate abuse.

With all of the layers of anti-spam crap that people use, creating a system that can send a status email or a double-opt-in message to anyone who requests contact can get complicated. It’s not as simple as calling a PHP function to send an email. In my experience, the PHP mail() function will succeed less than half of the time; usually the PHP mail() messages get discarded by spam filters.

Enabling Email

Even though my system works most of the time, I still have to fight with it occasionally in order to make sure that users receive responses to inquiries. Some of the battles I have had to fight so far:

  • Blacklists. Before you begin, make sure that your network address is not on any blacklists. If your network address was previously used by a spammer, then you’ve inherited a blacklisted address and nobody will receive your emails. Getting removed from blacklists ranges from difficult to impossible. And as long as your system is blacklisted, most people will not receive your emails.

  • Scripts. Lots of spammers use scripts. If you use a pre-packaged script to generate outgoing email, then it is likely to be identified as spam. This happens because different tools generate different signatures. If your tool matches the profile of a tool known to send spam, then it will be filtered. And chances are really good that spammers have already abused any pre-packaged scripts for sending spam.
  • Real mail. The email protocols (SMTP and ESMTP) are pretty straightforward. However, most scripts to send email only do the bare minimum. In particular, they usually don’t handle email errors very well. I ended up using a PHP script that communicates with my real mail server (Postfix). The Postfix server properly delivers email and handles errors correctly. I’ve configured my Postfix server to send email, but it never receives email. (Incoming email goes to a different mail server.)

At this point — with no blacklists, custom scripts, and a real outgoing email server — I was able to send email replies to about half of the people who requested service information. (Replying to people who fill out the contact form or who request a Lab account.) However, I still could not send email to anyone using Gmail, AOL, Microsoft Outlook, etc.

  • SPF. By itself, email is unauthenticated; anyone can send email as anyone. There are a handful of anti-spam additions to email that attempt to authenticate the sender. One of the most common ones is SPF — sender permitted from. This is a DNS record (TXT field) that lists the network addresses that can send email on behalf of a domain. If the recipient server sees that the sender does not match the SPF record, then it can be immediately discarded as spam.

    Many professional email services require an SPF record. Without it, they will assume that the email is unauthenticated and from a spammer. Enabling SPF approaches the 90% deliverable mark. Email can be delivered to Gmail, but not AOL or anyone using the Microsoft Outlook service.

  • Reverse hostnames. When emailing users at AOL, the AOL server would respond with a cryptic error message:

    521 5.2.1 : AOL will not accept delivery of this message.

    This is not one of AOL’s documented error codes. It took a lot of research, but I finally discovered that this is related to the reverse network address. Both AOL and Microsoft require the sender’s reverse hostname to resolve to the sender’s domain name. (Or in the case of AOL, it can resolve to anything except an IP address. If a lookup of your network address returns a hostname with the network address in it, then AOL will reject the email.) If you have a residential service (like Comcast or Verizon), then the reverse DNS lookup will not be permitted — you cannot send email to AOL directly from most residential ISPs. Fortunately, my hosting provider for FotoForensics was able to set my reverse DNS so I could send email from the FotoForensics server.

  • Microsoft. With everything else done, I could send email to all users except those who use the Microsoft Outlook service. The error message Microsoft returns says (with recipient information redacted):
    <recipient@recipient.domain>: host
    recipient.domain.mail.protection.outlook.com[213.x.x.x>] said: 550 5.7.1
    Service unavailable; Client host [65.x.x.x>] blocked using FBLW15; To
    request removal from this list please forward this message to
    delist@messaging.microsoft.com (in reply to RCPT TO command)

    This cryptic warning is Microsoft’s way of saying that I need to contact them first and get permission to email their users.

    In my experience, writing in to ask permission will get you nowhere. Most services won’t answer the phone, ignore emails about delivery issues, and won’t help you at all. However, with Microsoft, I really had no other option. They didn’t give me any other option to contact them.

    With nothing left to lose, I bounced the entire email with the error message, original email, and headers, to Microsoft. I was actually amazed when I received an automated email with a trouble ticket number and telling me to wait 24 hours. I was even more amazed when, after 10 hours, I received a confirmation that the block was removed. I resent the FotoForensics contact form reply to the user… and it was delivered.

While I am thrilled to see that my server can now send replies to requests at every major service, I certainly hope other services do not adopt the Microsoft method. If my server needs to send replies to users at 100 different domains, then I do not want to spend time contacting each domain first and begging for permission to contact their users.

(Fortunately, this worked. If writing to Microsoft had not worked, then I was prepared to detect email addresses that use Outlook as a service and just blacklist them. “Please use a different email service since your provider will not accept email from us.”)
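The SPF and reverse-DNS requirements described above can be checked before a server ever sends a message. The following is an added example, not code from this post or from FotoForensics: it evaluates a domain’s SPF record (ip4/ip6/all mechanisms only) against a sending address and applies the PTR rules described for AOL and Microsoft, using a constructed in-memory DNS table so it runs offline; every domain name and address in it is an assumption.

```python
"""Pre-flight checks for an outgoing mail server, following the post:
the SPF record must authorize the sending address, and the reverse (PTR)
hostname must exist, must not embed the IP address, and must resolve
back to the same address (forward-confirmed reverse DNS).
DNS answers come from a constructed in-memory table so the script runs
offline; replace the lookups with real resolver calls for production use."""
import ipaddress

# Constructed DNS data for the example (not real records).
DNS_TXT = {
    "example.org": ["v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"],
    "soft.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
}
DNS_PTR = {
    "203.0.113.10": "mail.example.org",
    "203.0.113.11": "c-203-0-113-11.hsd1.example.net",  # residential-style PTR
    "203.0.113.12": "203.0.113.12",                      # bare address as PTR
    "203.0.113.13": "mail.other.example",                # PTR with no matching A
}
DNS_A = {
    "mail.example.org": ["203.0.113.10"],
    "c-203-0-113-11.hsd1.example.net": ["203.0.113.11"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, sender_ip, txt=DNS_TXT):
    """Evaluate the ip4/ip6/all mechanisms of domain's SPF record for sender_ip.
    Returns pass/fail/softfail/neutral, 'none' when no SPF record exists, or
    'permerror' for an unusable record.  Only the mechanisms the post relies
    on are handled; a/mx/include and redirect= are not implemented here."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:            # no record: receivers treat the mail as unauthenticated
        return "none"
    if len(records) > 1:       # RFC 7208 s4.5: multiple records are a permanent error
        return "permerror"
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # An address of the other IP version never matches the network.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
        # Unsupported mechanisms and modifiers are skipped in this example.
    return "neutral"           # RFC 7208: nothing matched and no 'all' term


def reverse_dns_check(sender_ip, ptr=DNS_PTR, a=DNS_A):
    """Apply the receiver-side PTR rules from the post to sender_ip.
    Returns (ok, reason_or_hostname)."""
    hostname = ptr.get(sender_ip)
    if not hostname:
        return False, "no PTR record"
    # AOL's rule: a PTR that embeds the address itself is rejected.
    # Residential PTRs commonly write the octets with hyphens, so normalize them.
    if sender_ip in hostname or sender_ip in hostname.replace("-", "."):
        return False, "PTR embeds the IP address"
    # Forward-confirmed reverse DNS: the PTR name must map back to the address.
    if sender_ip not in a.get(hostname, []):
        return False, "PTR name does not resolve back to the address"
    return True, hostname


def outbound_preflight(domain, sender_ip):
    """Combine both checks the way a receiving server effectively does."""
    ok, detail = reverse_dns_check(sender_ip)
    return {"spf": spf_result(domain, sender_ip), "ptr_ok": ok, "ptr": detail}


if __name__ == "__main__":
    for addr in sorted(DNS_PTR) + ["192.0.2.5"]:
        print(addr, outbound_preflight("example.org", addr))
```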

The dog ate it

While email is a convenient form of communication, I still have no idea whether I’ve fixed all of the delivery issues. Many sites will silently drop email rather than sending back a delivery error notice. Although I believe my outgoing email system now works with Gmail, Microsoft, Yahoo, AOL, and most other providers, the message may still be filtered somewhere down the line. (Email lacks a reliable delivery confirmation system. Hacks like web bugs and return receipts are unsupported by many email services.) It’s very possible for a long reply to never reach the recipient, and I’ll never know it.

Currently, the site sends about a half-dozen emails per day (max). These are responses to removal and unban requests, replies to comments, and double-opt-in messages (you requested an account; click on this link to confirm and create the account). I honestly never see a future when I will use email to promote new services or features. (Having spent decades tracking down spammers and developing anti-spam solutions, I cannot see myself joining the dark side.)

Of course, email is not the only option for communication. I’ve just started learning about WebRTC and HTML5 — I want to be able to give online training sessions and host voice calls via the web browser.

TorrentFreak: Shutting Down Pirate Sites is Ineffective, European Commission Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

A few years ago Europe witnessed the largest piracy-related busts in history with the raid of the popular movie streaming portal Kino.to.

Police officers in Germany, Spain, France and the Netherlands raided several residential addresses, data centers and arrested more than a dozen individuals connected to the site.

The operation wiped out the largest unauthorized streaming portal in Europe and was praised as a massive success. However, new research from the European Commission’s Joint Research Centre shows that the effect on end users was short-lived and relatively limited.

In a working paper titled “Online Copyright Enforcement, Consumer Behavior, and Market Structure” researchers examined clickstream data for a set of 5,000 German Internet users to see how their legal and illegal consumption habits changed in response to the shutdown.

One of the main conclusions is that the kino.to raid led to a short-lived decrease in piracy, after which piracy levels returned to normal. At the same time, the researchers observed only a small increase in the use of legal services.

“While users of kino.to decreased their levels of piracy consumption by 30% during the four weeks following the intervention, their consumption through licensed movie platforms increased by only 2.5%,” the paper reads.

Based on the above the researchers conclude that if the costs of the raids and prosecution are factored in, the shutdown probably had no positive effect.


“Taken at face value, these results indicate that the intervention mainly converted consumer surplus into deadweight loss. If we were to take the costs of the intervention into account, our results would suggest that the shutdown of kino.to has not had a positive effect on overall welfare,” the researchers write.

Perhaps more worrying is the fact that Kino.to was soon replaced by several new streaming services. This so-called “Hydra” effect means that a landscape which was previously dominated by one site, now consists of several smaller sites that together have roughly the same number of visitors.

The researchers note that Movie2k.to and KinoX.to quickly filled the gap, and that the scattered piracy landscape would make future shutdowns more costly.

“Our analysis shows that the shutdown of kino.to resulted in a much more fragmented structure of the market for unlicensed movie streaming,” the paper reads.

“This potentially makes future law enforcement interventions either more costly – as there would not be a single dominant platform to shutdown anymore – or less effective if only a single website is targeted by the intervention”


One of the policy implications could be to advise against this type of large piracy raid, as they do very little to solve the problem at hand.

However, the researchers note that the results should be interpreted with caution. For example, the study doesn’t include any data on offline sales. Similarly, back in 2011 there were relatively few legal options available, so the effects may be different now.

That said, the current findings shed an interesting light on the limited effectiveness of international law enforcement actions directed at piracy sites. Also, it’s the first research paper we know of that provides strong evidence for the frequently mentioned Hydra effect.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

TorrentFreak: YouTuber Sues Google, Viacom Over Content ID Takedowns

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

While in previous years people were simply grateful to have somewhere to host their own videos, these days a growing number of YouTube users rely on the site to generate extra cash.

Earning money with YouTube is now easier than ever, with some ‘YouTubers’ even making enough to invest in a mansion.

For others, however, the environment created by the Google-owned video platform is far from perfect, with complaints over the company’s Content ID anti-piracy system regularly making the news. Now YouTuber Benjamin Ligeri is adding his name to the disgruntled list.

In a lawsuit filed at the US District Court for the District of Rhode Island which lists Google, Viacom, Lionsgate and another YouTuber as defendants, Ligeri bemoans a restrictive YouTube user contract and a system that unfairly handles copyright complaints.

Ligeri says that he has uploaded content to YouTube under the name BetterStream for purposes including “criticism, comment, news reporting, teaching, scholarship, and/or research,” but never in breach of copyright. Nevertheless, he claims to have fallen foul of YouTube’s automated anti-piracy systems.

One complaint details a video uploaded by Ligeri which he says was a parody of the film The Girl With the Dragon Tattoo. It was present on YouTube for a year before a complaint was filed against it by a YouTube user called Egeda Pirateria.

“Defendant Pirateria is not the rightful owner of the rights to The Girl With the Dragon Tattoo, nor did the Plaintiff’s critique of it amount to copying or distribution of the movie,” Ligeri writes.

However, much to his disappointment, YouTube issued a copyright “strike” against Ligeri’s account and refused to remove the warning, even on appeal.

“YouTube, although Defendants Pirateria or Lion’s Gate lacked any legal claim to any copyright to The Girl With the Dragon Tattoo, denied the Plaintiff’s appeal pertaining to his account’s copyright strike,” the complaint reads.

Ligeri says Viacom also got in on the action, filing a complaint against his “critique” of the 2014 remake of Teenage Mutant Ninja Turtles.

“A claim was made with YouTube on behalf of Defendant Viacom. Defendant Viacom does not have a legal or valid copyright to TMNT. Defendant YouTube allowed Viacom the option to mute, disable or monetize the Plaintiff’s Fair Use content,” Ligeri adds.

Although the fair use argument could be up for debate, in 2009 Nickelodeon acquired the global rights to the Teenage Mutant Ninja Turtles brand. Nickelodeon’s parent company is Viacom-owned Paramount Pictures.

“Content ID is an opaque and proprietary system where the accuser can serve as the judge, jury and executioner,” Ligeri continues.

“Content ID allows individuals, including Defendants other than Google, to steal ad revenue from YouTube video creators en masse, with some companies claiming content they don’t own deliberately or not. The inability to understand context and parody regularly leads to fair use videos getting blocked, muted or monetized.”

Noting that YouTube exercises absolute power through its take-it-or-leave-it user agreement, Ligeri says the agreement and Content ID combined result in non-compliance with the Digital Millennium Copyright Act.

“Normally, under DMCA, there would be a process where the reported content would be removed for 10-14 days so any dispute could be resolved by way of notice and counter-notice,” Ligeri writes.

“Content ID and YouTube’s adhesion contract are not compliant with DMCA because, at a minimum, the software’s algorithm fails [to] recognize when content may or may not be violating copyright.”

Ligeri says that rather than acting as a neutral party, YouTube favors larger copyright holders using Content ID over smaller creators who do not.

“This software and YouTube’s terms of use circumvent DMCA by creating a private arbitration mechanism. Further, a party claiming copyright infringement has no burden of proof under this private arbitration mechanism,” he notes.

In conclusion, Ligeri is demanding an injunction which compels Google/YouTube to restore the content taken down via the allegedly bogus complaints and “otherwise comply with the DMCA.”

Ligeri also seeks declaratory judgments that he did not infringe the copyrights of the defendants and that YouTube’s terms of use are void on several counts, including that they ignore or fail to comply with the DMCA.

A claim for nominal damages of $10,000, ‘special’ damages of $1,000,000 plus unspecified punitive damages and costs conclude the filing.

This is not the first time Ligeri has personally targeted YouTube. In 2008 he unsuccessfully sued the company in an effort to obtain a 1/500th share in the revenue generated by the video site.

The self-styled “#1 Most Viewed YouTube Icon” also appears to enjoy representing himself. In addition to the current case his Linkedin profile describes him as a “human rights activist private litigator” with previous experience working in a public defender’s office for the criminally insane.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Krebs on Security: Who’s Scanning Your Network? (A: Everyone)

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Not long ago I heard from a reader who wanted advice on how to stop someone from scanning his home network, or at least recommendations about to whom he should report the person doing the scanning. I couldn’t believe that people actually still cared about scanning, and I told him as much: These days there are countless entities — some benign and research-oriented, and some less benign — that are continuously mapping and cataloging virtually every device that’s put online.

One of the more benign is scans.io, a data repository of research findings collected through continuous scans of the public Internet. The project, hosted by the ZMap Team at the University of Michigan, includes huge, regularly updated results grouped around scanning for Internet hosts running some of the most commonly used “ports” or network entryways, such as Port 443 (think Web sites protected by the lock icon denoting SSL/TLS Web site encryption); Port 21, or file transfer protocol (FTP); and Port 25, or simple mail transfer protocol (SMTP), used by many businesses to send email.

When I was first getting my feet wet on the security beat roughly 15 years ago, the practice of scanning networks you didn’t own looking for the virtual equivalent of open doors and windows was still fairly frowned upon — if not grounds to get one into legal trouble. These days, complaining about being scanned is about as useful as griping that the top of your home is viewable via Google Earth. Trying to put devices on the Internet and then hoping that someone or something won’t find them is one of the most futile exercises in security-by-obscurity.

To get a gut check on this, I spoke at length last week with University of Michigan researchers Michael D. Bailey (MB) and Zakir Durumeric (ZD) about their ongoing and very public project to scan all the Internet-facing things. I was curious to get their perspective on how public perception of widespread Internet scanning has changed over the years, and how targeted scanning can actually lead to beneficial results for Internet users as a whole.

MB: Because of the historic bias against scanning and this debate between disclosure and security-by-obscurity, we’ve approached this very carefully. We certainly think that the benefits of publishing this information are huge, and that we’re just scratching the surface of what we can learn from it.

ZD: Yes, there are close to two dozen papers published now based on broad, Internet-wide scanning. People who are more focused on comprehensive scans tend to be the more serious publications that are trying to do statistical or large-scale analyses that are complete, versus just finding devices on the Internet. It’s really been in the last year that we’ve started ramping up and adding scans [to the scans.io site] more frequently.

BK: What are your short- and long-term goals with this project?

ZD: I think long-term we do want to add coverage of additional protocols. A lot of what we’re focused on is different aspects of a protocol. For example, if you’re looking at hosts running the “https://” protocol, there are many different ways you can ask questions depending on what perspective you come from. You see different attributes and behavior. So a lot of what we’ve done has revolved around https, which is of course hot right now within the research community.

MB: I’m excited to add other protocols. There are a handful of protocols that are critical to operations of the Internet, and I’m very interested in understanding the deployment of DNS, BGP, and TLS’s interception with SMTP. Right now, there’s a pretty long tail to all of these protocols, and so that’s where it starts to get interesting. We’d like to start looking at things like programmable logic controllers (PLCs) and things that are responding from industrial control systems.

ZD: One of the things we’re trying to pay more attention to is the world of embedded devices, or this ‘Internet of Things’ phenomenon. As Michael said, there are also industrial protocols, and there are different protocols that these embedded devices are supporting, and I think we’ll continue to add protocols around that class of devices as well because from a security perspective it’s incredibly interesting which devices are popping up on the Internet.

BK: What are some of the things you’ve found in your aggregate scanning results that surprised you?

ZD: I think one thing in the “https://” world that really popped out was we have this very large certificate authority ecosystem, and a lot of the attention is focused on a small number of authorities, but actually there is this very long tail — there are hundreds of certificate authorities that we don’t really think about on a daily basis, but that still have permission to sign for any Web site. That’s something we didn’t necessarily expect. We knew there were a lot, but we didn’t really know what would come up until we looked at those.

There also was work we did a couple of years ago on cryptographic keys and how those are shared between devices. In one example, primes were being shared between RSA keys, and because of this we were able to factor a large number of keys, but we really wouldn’t have seen that unless we started to dig into that aspect [their research paper on this is available here].

MB: One of the things we’ve been surprised about is when we measure these things at scale in a way that hasn’t been done before, oftentimes these kinds of emergent behaviors become clear.

BK: Talk about what you hope to do with all this data.

ZD: We were involved a lot in the analysis of the Heartbleed vulnerability. And one of the surprising developments there wasn’t that there were lots of people vulnerable, but it was interesting to see who patched, how and how quickly. What we were able to find was by taking the data from these scans and actually doing vulnerability notifications to everybody, we were able to increase patching for the Heartbleed bug by 50 percent. So there was an interesting kind of surprise there, not what you learn from looking at the data, but in terms of what actions do you take from that analysis? And that’s something we’re incredibly interested in: Which is how can we spur progress within the community to improve security, whether that be through vulnerability notification, or helping with configurations.

BK: How do you know your notifications helped speed up patching?

MB: With the Heartbleed vulnerability, we took the known vulnerable population from scans, and ran an A/B test. We split the population that was vulnerable in half and notified one half of the population, while not notifying the other half, and then measured the difference in patching rates between the two populations. We did end up after a week notifying the second population…the other half.

BK: How many people did you notify after going through the data from the Heartbleed vulnerability scanning? 

ZD: We took everyone on the IPv4 address space, found those that were vulnerable, and then contacted the registered abuse contact for each block of IP space. We used data from 200,000 hosts, which corresponded to 4,600 abuse contacts, and then we split those into an A/B test. [Their research on this testing was published here].

So, that’s the other thing that’s really exciting about this data. Notification is one thing, but the other is we’ve been building models that are predictive of organizational behavior. So, if you can watch, for example, how an organization runs their Web server, how they respond to certificate revocation, or how fast they patch — that actually tells you something about the security posture of the organization, and you can start to build models of risk profiles of those organizations. It moves away from this sort of patch-and-break or patch-and-pray game we’ve been playing. So, that’s the other thing we’ve been starting to see, which is the potential for being more proactive about security.

BK: How exactly do you go about the notification process? That’s a hard thing to do effectively and smoothly even if you already have a good relationship with the organization you’re notifying….

MB: I think one of the reasons why the Heartbleed notification experiment was so successful is we did notifications on the heels of a broad vulnerability disclosure. The press and the general atmosphere and culture provided the impetus for people to be excited about patching. The overwhelming response we received from notifications associated with that was very positive. A lot of people we reached out to said, “Hey, this is great, please scan me again, and let me know if I’m patched.” Pretty much everyone was excited to have the help.

Another interesting challenge was that we did some filtering as well in cases where the IP address had no known patches. So, for example, where we got information from a national CERT [Computer Emergency Response Team] that this was an embedded device for which there was no patch available, we withheld that notification because we felt it would do more harm than good since there was no path forward for them. We did some aggregation as well, because it was clear there were a lot of DSL and dial-up pools affected, and we did some notifications to ISPs directly.

BK: You must get some pushback from people about being included in these scans. Do you think that idea that scanning is inherently bad or should somehow prompt some kind of reaction in and of itself, do you think that ship has sailed?

ZD: There is some small subset that does have issues. What we try to do with this is be as transparent as possible. All of our hosts we use for scanning, if you look at them on WHOIS records or just visit them with a browser, it will tell you right away that this machine is part of this research study, here’s the information we’re collecting and here’s how you can be excluded. A very small percentage of people who visit that page will read it and then contact us and ask to be excluded. If you send us an email [and request removal], we’ll remove you from all future scans. A lot of this comes down to education; a lot of people to whom we explain our process and motives are okay with it.

BK: Are those that object and ask to be removed more likely to be companies and governments, or individuals?

ZD: It’s a mix of all of them. I do remember offhand there were a fair number of academic institutions and government organizations, but there were a surprising number of home users. Actually, when we broke down the numbers last year (PDF), the largest category was small to mid-sized businesses. This time last year, we had excluded only 157 organizations that had asked for it.

BK: Was there any pattern to those that asked to be excluded?

ZD: I think that actually is somewhat interesting: The exclusion requests aren’t generally coming from large corporations, which likely notice our scanning but don’t have an issue with it. A lot of emails we get are from these small businesses and organizations that really don’t know how to interpret their logs, and often times just choose the most conservative route.

So we’ve been scanning for several years now, and I think when we originally started scanning, we expected to have all the people who were watching for this to contact us all at once, and say “Please exclude us.” And then we sort of expected that the number of people who’d ask to be excluded would plateau, and we wouldn’t have problems again. But what we’ve seen is almost the exact opposite. We still get [exclusion request] emails each day, but what we’re really finding is people aren’t discovering these scans proactively. Instead, they’re going through their logs while trying to troubleshoot some other issue, and they see a scan coming from us there and they don’t know who we are or why we’re contacting their servers. And so it’s not these organizations that are watching, it’s the ones who really aren’t watching who are contacting us.

BK: Do you guys go back and delete historic records associated with network owners that have asked to be excluded from scans going forward?

ZD: At this point we haven’t gone back and removed data. One reason is there are published research results that are based on those data sets, results, and so it’s very hard to change that information after the fact because if another researcher went back and tried to confirm an experiment or perform something similar, there would be no easy way of doing that.

BK: Is this what you’re thinking about for the future of your project? How to do more notification and build on the data you have for those purposes? Or are you going in a different or additional direction?

MB: When I think about the ethics of this kind of activity, I have a very utilitarian view: I’m interested in doing as much good as we possibly can with the data we have. I think that lies in notifications, being proactive, helping organizations that run networks to better understand what their external posture looks like, and in building better safe defaults. But I’m most interested in a handful of core protocols that are under-serviced and not well understood. And so I think we should spend a majority of effort focusing on a small handful of those, including BGP, TLS, and DNS.

ZD: In many ways, we’re just kind of at the tip of this iceberg. We’re just starting to see what types of security questions we can answer from these large-scale analyses. I think in terms of notifications, it’s very exciting that there are things beyond the analysis that we can use to actually trigger actions, but that’s something that clearly needs a lot more analysis. The challenge is learning how to do this correctly. Every time we look at another protocol, we start seeing these weird trends and behavior we never noticed before. With every protocol we look at there are these endless questions that seem to need to be answered. And at this point there are far more questions than we have hours in the day to answer.

Schneier on Security: Online Dating Scams

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Interesting research:

We identified three types of scams happening on Jiayuan. The first one involves advertising of escort services or illicit goods, and is very similar to traditional spam. The other two are far more interesting and specific to the online dating landscape. One type of scammers are what we call swindlers. For this scheme, the scammer starts a long-distance relationship with an emotionally vulnerable victim, and eventually asks her for money, for example to purchase the flight ticket to visit her. Needless to say, after the money has been transferred the scammer disappears. Another interesting type of scams that we identified are what we call dates for profit. In this scheme, attractive young ladies are hired by the owners of fancy restaurants. The scam then consists in having the ladies contact people on the dating site, taking them on a date at the restaurant, having the victim pay for the meal, and never arranging a second date. This scam is particularly interesting, because there are good chances that the victim will never realize that he’s been scammed — in fact, he probably had a good time.

TorrentFreak: MPA Report Advises Outreach Campaign Against ‘Pirate’ Ads

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

As part of their war against the unauthorized sharing of copyrighted material online, entertainment industry groups and their affiliates commission reports to highlight how so-called ‘pirate’ sites operate.

In 2014, for example, research company NetNames published a report detailing the revenue streams for so-called ‘cyberlockers’. It was later used by a U.S. senator to pressure Visa and Mastercard to stop doing business with such sites.

With continued lobbying efforts in mind, a new report commissioned by the Motion Picture Association (MPA) has again been examining how so-called ‘pirate’ sites generate their income.

The study, carried out by UK-based Incopro, analyzes the revenue sources for the 250 most popular sites offering access to unlicensed content in Germany, Spain, France, Italy and the United Kingdom. Due to some overlap in each country’s “most-popular 250” list, 622 sites in three categories (hosting, linking only, P2P) were examined overall.

Advertising, cash – or both

The company looked at two key areas of revenue generation – monies received from companies who advertise on the sites (intentionally or otherwise) and monies received from users who either pay or donate via payment methods including Visa, MasterCard and Bitcoin.

In its analysis Incopro found that 550 of the 622 sites surveyed carried advertising and 142 offered at least one payment method. An overlap between the two groups meant that 122 sites carried advertising and also accepted payments. With just 52 sites out of 622 carrying no advertising and accepting no payments, a total of 570 sites (91.6%) had at least one source of revenue.

The sources of revenue for each of the three site categories were broken down revealing that ‘linking only’ and ‘P2P portal’ sites rely heavily on advertising. ‘Hosting’ sites tended to have both advertising and payments, with free users being shown advertising and premium users often paying to avoid them.

Key advertising intermediaries

Since advertising is viewed as the most important source of revenue for the majority of the sites in the report, Incopro has attempted to identify which advertising intermediaries are responsible. While several companies each served up to 55 sites in the report, three entities are highlighted as market leaders.

“Analysis found that AdCash, Propellerads/OnClickAds… and DirectREV were the top three intermediaries to serve adverts across all unique sites in this study,” Incopro reports.

Noting that the report concentrates on the intermediaries delivering adverts to the 622 sites, Incopro says that opportunities exist to disrupt the flow of ads.

“One possible approach to this would be to engage with the Content Delivery Networks (CDNs) which do not serve the adverts independently but cache the creative elements that are called by ad tags served by other intermediaries. Consideration should be given to approaching the leading CDNs and working with them to block adverts served to unauthorised sites,” the company writes.

Advertising categories

Incopro says that the adverts observed in the study were placed into standard categories such as entertainment (5%), tech (5.9%), retail (6.6%), business/finance (7.4%), games (10%), adult (10.4%) and gambling (18.1%).

However, due to the high number of deceptive ads appearing on ‘pirate’ sites the company had to create a new group (‘Trick button/Malware’) which accounted for 31.5% of the total, the biggest group by far.

“The Trick Button/Malware types of advert typically do not mention the advertiser in the initial ad, and thus they are a form of ‘bait-and-switch’,” the company says.

“Typically, the user is presented with a button that says ‘download’ and/or ‘play’. Believing that these will lead to the desired file, the user then clicks the button. Once clicked, the user is prompted to download an executable file containing a potentially unwanted program.

“These Trick Buttons are a common feature of unauthorized sites and are worth looking at in more detail given the potentially damaging financial and emotional effect on the user.”

Finding that two companies (RevenueHits and Matomy Market) were responsible for up to 89% of these kinds of ads to the sites they serve, Incopro advises that some kind of campaign could be effective in turning users away from the sites serving them.

“Given the likelihood that end users will encounter potentially harmful software from these types of adverts across all types of site, awareness and outreach campaigns around this issue could be reinforced to help to discourage use of unauthorized sites,” the company writes.

Top advertisers

Regular European visitors to file-sharing related sites will be well aware of the high number of ads served up from gambling companies. Unsurprisingly the Incopro report reaches the same conclusion, finding that four out of the top five most prolific advertisers (Trick button ads excluded) are gambling companies.

“These companies may not be aware that their adverts are appearing on these sites and should be considered for an approach in order to once again frustrate the ability of an unauthorised site to generate ad revenue,” the report reads.

“For this reason, Trick button/PUP adverts have been excluded from this section in order to concentrate on companies that are potentially approachable.”

Payment methods

As highlighted earlier, 142 out of the 622 sites studied accept payments from users. Of interest, however, is how many different payment methods are utilized by those sites – 83 in all. In total, four broad areas were identified, as detailed in the image below.

“Host sites were the primary location for payment methods and accounted for 91% of all payment methods detected. Payment to the host site was predominantly via a ‘premium’ subscription service whereas other site types were more likely to accept payment for donations,” the report notes.

Advising again on possible mitigation measures, the report suggests that pressure on payment companies of all kinds could limit the use of their systems on “infringing” sites.

“Visa and MasterCard, the most observed payment service providers in this study, have responded to notifications in the past. In the same way that the major global Brands would most likely not wish to be associated with infringing websites because it could affect their reputation, these companies may feel the same,” Incopro writes.

“In the same way that the payment card providers can be asked to take action, payment processors can also be asked to take similar action to prevent transactions on those merchant accounts where they are facilitating the revenue generation of unauthorized sites.”

Despite best efforts so far, the image below reveals that the usual big names are still servicing the top “infringing” sites.

Conclusions

Overall, Incopro concludes that advertising is far and away the biggest source of revenue for the sites in their study.

“Given this reliance on advertising, concerted effort should be made by brands, agencies, and where possible, the authorities, to work together to persuade the various intermediaries to undermine these revenue streams,” the company says.

“Regarding payment methods, analysis has shown that the payment methods observed broadly consist of four transaction types on the unauthorized websites studied. These are the payment service providers like Visa and MasterCard, payment processors such as Liqpay and Dalpay, virtual wallets such as Google Wallet, RoboKassa and PayPal and resellers such as VIPKeys. Engagement with the first three is recommended. Resellers should be examined as a separate issue,” the company concludes.

Just like the NetNames report before it, this MPA-commissioned report will be cited by entertainment industry companies during the months to come to put yet more pressure on advertisers and payment companies alike. Whether that will be enough to stifle the revenue arms race will remain to be seen.

The full report can be downloaded here (pdf)

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Raspberry Pi: Meet the Raspberry Pi Creative Technologists

This post was syndicated from: Raspberry Pi and was written by: Ben Nuttall. Original post: at Raspberry Pi

In February Rachel Rayns, our Creative Producer, announced and opened entries for the new Raspberry Pi Creative Technologists mentorship programme. We selected final participants from the applicants at the beginning of this month – we’ve got a wonderful group of young people.

Last weekend we held the induction weekend here at Pi Towers in Cambridge, which involved Pecha Kucha presentations (20 slides, 20 seconds per slide) from participants and mentors; introducing the CTs to their new Raspberry Pi starter kits; getting them up and running with their Pis with a Python and GPIO workshop using the CamJam EduKit and the camera module; and a punting trip through the heart of Cambridge.

We then took the group on their second field trip – to Newcastle to visit Maker Faire UK and the Baltic Centre. Next up is a trip to Pimoroni’s workshop for a hack weekend full of laser cutter fun, and we have plenty more in store.

Meet the Creative Technologists

Andrew

Andrew is 18, studying Computer Science at Queen’s University in Belfast. Readers of the blog will be familiar with Andrew as the developer of PiNet – he also runs the Northern Ireland Raspberry Jam.

The Creative Technologists are a great bunch – everybody’s very excited, and enthusiastic about life. Through the programme I want to make more interactive stuff people can play with, and learn from.

Bawar

Bawar is 18, studying Maths, Computer Science and English at a Sixth Form in West London. He found out about the programme the day before entries closed – and stayed up all night making his video (but says it was worth it).

I was amazed to find that behind such a big name – Raspberry Pi – there were normal people running it, and I realised we could grow up to do something big like that.

Connor B

Connor is 19 and works in Operations at Ragworm. With his work he’s exposed to the maker community and regularly attends Maker Faires and hackathons.

I want to put everything I can into motion, so those little crazy ideas in my notepad can finally be realised, and shared with the world.

Hannah

Hannah is 20 and studies Creative Writing and Theatre at Lancaster University. She’s been writing stories since she was 6 and has an interest in exploring video game script writing.

The world is becoming more technical and I think it’s important to become more innovative when combining technology and creativity.

Javier

Javier is 17 and Spanish; he lives and goes to school in Corunna in North West Spain. His first languages are Spanish and Galician (he also speaks English better than some of us do); he’s been programming since he was ten, and he likes to disassemble gadgets. He’s also a fan of dogecoin.

I am still a beginner, both in programming and electronics. I would love to learn more and more, so I could bring to life a lot of ideas I have.

Maddy

Maddy is 17, studying Visual Effects at college in Nottingham. She spent 3 months creating an animated music video for a local band (it’s brilliant). She is constantly dancing.

I wasn’t sure whether I should send my application, but hitting that Submit button was the most important click of my life. This one weekend has honestly changed the entire prospects of my career.

Milton

Milton is 21, and works as a web developer in London. He loves code and wants to create worlds within worlds. He has a strange obsession with identifying as a dessert.

I want to learn electronics and research behavioural psychology and explore how people interact with technology.

Owen

Owen is 17, studying Science subjects at college in Lewes. He’s lightning fast with a Rubik’s cube (better than Gordon and me), does magic tricks (all the time) and he wondered if we were looking for people like him…

You spend 90% of your time playing with things other people have made – and you have the tools to do it yourself.

Yasmin

Yasmin is 21, and works as a front-end web developer in Devon. She’s a keen and successful Vlogger, a games enthusiast, content creator, storyteller and musician.

It was one of the most inspirational weekends I have probably ever had. It’s so true, it was just amazing.

Yasmin also created this video after the induction weekend – we love it!

We’ll be sharing more information about the Creative Technologists as the programme continues and the participants’ projects are developed. It’s a 12-month programme and we intend to run it again next year. Register your interest and we’ll email you when information about the 2016-17 programme is available.

TorrentFreak: MPAA Funds Pro-Copyright Scholars to Influence Politics

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last year the MPAA started a new grants program inviting academics to pitch their research proposals.

Researchers are being offered a $20,000 grant for projects that address various piracy related topics, including the impact of copyright law and the effectiveness of notice and takedown regimes.

Last month marked the silent start of a new round of grant applications for the fall of 2015.

There’s no public announcement but MPAA boss Chris Dodd previously said there’s a need for better and unbiased copyright related research to find out how recent developments are affecting the film industry.

“We need more and better research regarding the evolving role of copyright in society. The academic community can provide unbiased observations, data analysis, historical context and important revelations about how these changes are impacting the film industry…,” Dodd noted.

While Dodd’s comments about unbiased research are admirable, there also appears to be a hidden agenda which until now hasn’t seen the light of day.

In an email leaked in the Sony hack MPAA General Counsel Steven Fabrizio explains to the member studios that they’re soliciting pro-copyright papers. The April 2014 email further reveals that the MPAA hopes to identify pro-copyright scholars who can be used to influence future copyright policies.

“As you know, as one component of our Academic Outreach program, the MPAA is launching a global research grant program both to solicit pro-copyright academic research papers and to identify pro-copyright scholars who we can cultivate for further public advocacy,” Fabrizio writes.

Needless to say, soliciting pro-copyright papers and spotting pro-copyright scholars for public advocacy doesn’t sound very unbiased.

Perhaps for this reason the MPAA has decided not to publicize the initiative too much. There was no press release on the official site regarding the grants and it’s also unknown which scholars received last year’s grants.

While $20,000 is relatively modest, the MPAA is also funding scholars outside of the grant program with much more. Last November we revealed that the MPAA had donated over a million dollars to Carnegie Mellon University in support of its piracy research program.

Thus far the Carnegie Mellon team has published a few papers. Among other things the researchers found that the Megaupload shutdown worked, that piracy mostly hurts revenues, and that censoring search engine results can diminish piracy.

As expected, these results are now used by the MPAA as a lobbying tool to sway politicians and influence public policy.

Schneier on Security: Measuring the Expertise of Burglars

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

New research paper: “New methods for examining expertise in burglars in natural and simulated environments: preliminary findings”:

Expertise literature in mainstream cognitive psychology is rarely applied to criminal behaviour. Yet, if closely scrutinised, examples of the characteristics of expertise can be identified in many studies examining the cognitive processes of offenders, especially regarding residential burglary. We evaluated two new methodologies that might improve our understanding of cognitive processing in offenders through empirically observing offending behaviour and decision-making in a free-responding environment. We tested hypotheses regarding expertise in burglars in a small, exploratory study observing the behaviour of ‘expert’ offenders (ex-burglars) and novices (students) in a real and in a simulated environment. Both samples undertook a mock burglary in a real house and in a simulated house on a computer. Both environments elicited notably different behaviours between the experts and the novices with experts demonstrating superior skill. This was seen in: more time spent in high value areas; fewer and more valuable items stolen; and more systematic routes taken around the environments. The findings are encouraging and provide support for the development of these observational methods to examine offender cognitive processing and behaviour.

The lead researcher calls this “dysfunctional expertise,” but I disagree. It’s expertise.

Claire Nee, a researcher at the University of Portsmouth in the U.K., has been studying burglary and other crime for over 20 years. Nee says that the low clearance rate means that burglars often remain active, and some will even gain expertise in the crime. As with any job, practice results in skills. “By interviewing burglars over a number of years we’ve discovered that their thought processes become like experts in any field, that is they learn to automatically pick up cues in the environment that signify a successful burglary without even being aware of it. We call it ‘dysfunctional expertise,'” explains Nee.

See also this paper.

Schneier on Security: Hacking Airplanes

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Imagine this: A terrorist hacks into a commercial airplane from the ground, takes over the controls from the pilots and flies the plane into the ground. It sounds like the plot of some “Die Hard” reboot, but it’s actually one of the possible scenarios outlined in a new Government Accountability Office report on security vulnerabilities in modern airplanes.

It’s certainly possible, but in the scheme of Internet risks I worry about, it’s not very high. I’m more worried about the more pedestrian attacks against more common Internet-connected devices. I’m more worried, for example, about a multination cyber arms race that stockpiles capabilities such as this, and prioritizes attack over defense in an effort to gain relative advantage. I worry about the democratization of cyberattack techniques, and who might have the capabilities currently reserved for nation-states. And I worry about a future a decade from now if these problems aren’t addressed.

First, the airplanes. The problem the GAO identifies is one computer security experts have talked about for years. Newer planes such as the Boeing 787 Dreamliner and the Airbus A350 and A380 have a single network that is used both by pilots to fly the plane and passengers for their Wi-Fi connections. The risk is that a hacker sitting in the back of the plane, or even one on the ground, could use the Wi-Fi connection to hack into the avionics and then remotely fly the plane.

The report doesn’t explain how someone could do this, and there are currently no known vulnerabilities that a hacker could exploit. But all systems are vulnerable–we simply don’t have the engineering expertise to design and build perfectly secure computers and networks–so of course we believe this kind of attack is theoretically possible.

Previous planes had separate networks, which is much more secure.

As terrifying as this movie-plot threat is–and it has been the plot of several recent works of fiction–this is just one example of an increasingly critical problem: As the computers already critical to running our infrastructure become connected, our vulnerability to cyberattack grows. We’ve already seen vulnerabilities in baby monitors, cars, medical equipment and all sorts of other Internet-connected devices. In February, Toyota recalled 1.9 million Prius cars because of a software vulnerability. Expect similar vulnerabilities in our smart thermostats, smart light bulbs and everything else connected to the smart power grid. The Internet of Things will bring computers into every aspect of our life and society. Those computers will be on the network and will be vulnerable to attack.

And because they’ll all be networked together, a vulnerability in one device will affect the security of everything else. Right now, a vulnerability in your home router can compromise the security of your entire home network. A vulnerability in your Internet-enabled refrigerator can reportedly be used as a launching pad for further attacks.

Future attacks will be exactly like what’s happening on the Internet today with your computer and smartphones, only they will be with everything. It’s all one network, and it’s all critical infrastructure.

Some of these attacks will require sufficient budget and organization to limit them to nation-state aggressors. But that’s hardly comforting. North Korea is believed to have launched a massive cyberattack against Sony Pictures last year. Last month, China used a cyberweapon called the “Great Cannon” against the website GitHub. In 2010, the U.S. and Israeli governments launched a sophisticated cyberweapon called Stuxnet against the Iranian Natanz nuclear power plant; it used a series of vulnerabilities to cripple centrifuges critical for separating nuclear material. In fact, the United States has done more to weaponize the Internet than any other country.

Governments only have a fleeting advantage over everyone else, though. Today’s top-secret National Security Agency programs become tomorrow’s Ph.D. theses and the next day’s hacker’s tools. So while remotely hacking the 787 Dreamliner’s avionics might be well beyond the capabilities of anyone except Boeing engineers today, that’s not going to be true forever.

What this all means is that we have to start thinking about the security of the Internet of Things–whether the issue in question is today’s airplanes or tomorrow’s smart clothing. We can’t repeat the mistakes of the early days of the PC and then the Internet, where we initially ignored security and then spent years playing catch-up. We have to build security into everything that is going to be connected to the Internet.

This is going to require both significant research and major commitments by companies. It’s also going to require legislation mandating certain levels of security on devices connecting to the Internet, and at network providers that make the Internet work. This isn’t something the market can solve on its own, because there are just too many incentives to ignore security and hope that someone else will solve it.

As a nation, we need to prioritize defense over offense. Right now, the NSA and U.S. Cyber Command have a strong interest in keeping the Internet insecure so they can better eavesdrop on and attack our enemies. But this prioritization cuts both ways: We can’t leave others’ networks vulnerable without also leaving our own vulnerable. And as one of the most networked countries on the planet, we are highly vulnerable to attack. It would be better to focus the NSA’s mission on defense and harden our infrastructure against attack.

Remember the GAO’s nightmare scenario: A hacker on the ground exploits a vulnerability in the airplane’s Wi-Fi system to gain access to the airplane’s network. Then he exploits a vulnerability in the firewall that separates the passengers’ network from the avionics to gain access to the flight controls. Then he uses other vulnerabilities both to lock the pilots out of the cockpit controls and take control of the plane himself.

It’s a scenario made possible by insecure computers and insecure networks. And while it might take a government-led secret project on the order of Stuxnet to pull it off today, that won’t always be true.

Of course, this particular movie-plot threat might never become a real one. But it is almost certain that some equally unlikely scenario will. I just hope we have enough security expertise to deal with whatever it ends up being.

This essay originally appeared on CNN.com.

EDITED TO ADD: News articles.

LWN.net: How Tor is building a new Dark Net with help from the U.S. military (The Daily Dot)

This post was syndicated from: LWN.net and was written by: ris. Original post: at LWN.net

The Daily Dot reports that the Tor project is receiving some funding from the US Defense Advanced Research Projects Agency (DARPA) to improve Tor’s hidden services. “The Dark Net road map moving forward is ambitious. Tor plans to double the encryption strength of hidden service’s identity key and to allow offline storage for that key, a major security upgrade.

Next-generation hidden services may be run from multiple hosts to better deal with denial of service attacks and high traffic in general, a potentially big power boost that further closes the gap between the Dark Net and normal websites.”

Schneier on Security: Hacker Detained by FBI after Tweeting about Airplane Software Vulnerabilities

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is troubling:

Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane’s engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft’s functions, including temperatures of various equipment, fuel flow and quantity, and oil pressure. In the tweet, Roberts jested: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? ‘PASS OXYGEN ON’ Anyone ? :)” FBI agents questioned Roberts for four hours and confiscated his iPad, MacBook Pro, and storage devices.

Yes, the real issue here is the chilling effect on security research. Security researchers pointing out security flaws is a good thing, and should be encouraged.

But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight he was on, and sent an FBI team to the Syracuse airport within a couple of hours. There’s some serious surveillance going on.

Now, it is possible that Roberts was being specifically monitored. He is already known as a security researcher who is working on avionics hacking. But still…

Slashdot thread. Hacker News thread.

TorrentFreak: VPN and Site Blocking Attacked By Consumer Group

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

After Attorney-General George Brandis and Communications Minister Malcolm Turnbull asked the Australian Cabinet to approve the development of a new legal mechanism allowing rightsholders to obtain site-blocking injunctions, legislation was introduced to parliament last month.

What followed is a still-current six-week consultation period for additional submissions, with various groups invited to voice their opinions and concerns.

While the site-blocking elements of the Copyright Amendment (Online Infringement) Bill 2015 are likely to please rightsholders, concerns remain that not only will the legislation fail to achieve its aims, but may also have unintended consequences that could stifle consumer choice.

In its submission, the Australian Communications Consumer Action Network (ACCAN), the body that represents the interests of consumers on communications issues including broadband and emerging Internet services, raises three key issues – VPN use, the efficacy and cost of blocking, and consumer interests.

The VPN problem

ACCAN is concerned over some of the wording employed in the amendments. Instead of referencing “website blocking”, the legislation speaks about “online locations”. While this appears to be an effort to future-proof the Bill, it also has the potential for additional consequences should rightsholders decide to exploit the ambiguity.

“Our first concern relates to the scope of activities that may be picked up by an interpretation of an ‘online location’ which ‘facilitates an infringement’ of copyright,” ACCAN writes.

“Without clear legal precedent, there is ambiguity under the Copyright Act about what constitutes infringement in relation to the use of a Virtual Private Network (VPN) to gain access to geo-blocked products and services. If this ambiguity is not cleared up, this amendment may have the unintended consequence of blocking these services and in turn harm competition and consumer choice.”

And confusion does exist. On his website Minister for Communications Malcolm Turnbull says that the Copyright Act does not make it illegal to use a VPN to access overseas content. On the other hand, the Australian Copyright Council believes that using a VPN to download content licensed overseas is “likely to be an infringement of copyright in Australia.”

While it was previously reported that the Bill had been delayed due to modifications aimed at protecting VPN-like services, ACCAN says that it would prefer clarity on the matter.

“While this ambiguity exists there is a risk that rights holders will attempt to use this injunctive power to block VPN websites and limit consumer access to paid content overseas,” the group writes.

And the threat is real. As reported last week, New Zealand based media companies report that they are on the verge of suing local ISPs who provide VPN services designed to unlock overseas content. Avoiding the same thing Down Under is a priority for ACCAN.

Protecting the public interest

In most countries where rightsholders have demanded site blocking on copyright grounds, ISPs have refused to block voluntarily and have insisted on a court order. This has resulted in processes where movie and recording industry companies become the plaintiffs and ISPs the defendants. The sites themselves aren’t involved in the process, and neither are their users.

“[We] remain concerned that a judge in an ex parte hearing will not have the requisite evidence at hand to weigh the public interest against those of rights holders,” ACCAN writes.

“The amendment creates no right for legitimate users of a site to present evidence on any adverse consequences of an injunction. There should be a presumption in the Bill in favor of allowing parties to become interveners or amicus curiae in the context of these injunction applications.”

Efficacy and costs of blocking

Like many other similarly focused groups, ACCAN is concerned that not only will site / online location blocking prove ineffective when it comes to stopping infringement, but the bill for the exercise will ultimately fall at the feet of the consumer.

Citing Dutch studies which found that blocking The Pirate Bay enjoyed only short-lived success, ACCAN voices concerns that once one site is blocked, users will simply migrate elsewhere.

“This research confirmed the findings in other studies which found that legal action against file sharing often has an immediate effect, but this typically fades out after a period of six months as new sources for pirated content emerge. ACCAN’s concern is that this website blocking bill may devolve into an expensive game of ‘whack-a-mole’, which consumers will end up paying for through higher internet bills,” the group writes.

Similar fears over consumers picking up the costs of online infringement enforcement have been voiced across Europe and in the United States, but in no case has that led a court to deny rightsholders the opportunity to protect their copyrights. It is guaranteed that one way or another – via their Internet bill or through the cost of media – Aussies will eventually pay for the proposed enforcement measures.

The Bill is currently under review by the Senate Legal and Constitutional Affairs Legislation Committee, with a report due in a little under a month.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

Schneier on Security: The No-Fly List and Due Process

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The Congressional Research Service has released a report on the no-fly list and the current litigation alleging that it violates due process.

Errata Security: Solidarity

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

The government’s zealous War on Hackers threatens us, the good hackers who stop the bad ones. They can’t tell the good witches from the bad witches. When members of our community get threatened by the system, we should probably do more to stand in solidarity with them. I mention this because many of you will be flying to SFO this coming week for the RSA Conference, which gives us an opportunity to show solidarity.

Today, a security researcher tweeted a joke while on a plane. When he landed, the FBI grabbed him and confiscated all his stuff. The tweets are here:


Chris Roberts’ area of research is embedded control systems like those on planes. It’s not simply that the FBI grabbed him because of a random person on a plane, but specifically because he’s a security researcher. He’s on the FBI’s radar (so to speak) for things like this Fox News interview.

I suggest we all start joke tweeting along these lines from the airplanes, like:

DFW->SFO. Playing with airplane wifi. I hope the pilots enjoy the Rick Astley video playing on their EICAS system.

LGA->SFO. Note to self. Don’t fuzz the SATCOM unit while on Twitter. Takes GoGo an hour to come back up.

NRT->SFO. Yup, the IFE will grab corrupt MP3 from my iPhone and give a shell. I wonder if nmap will run on it.

PDX->SFO. HackRF says there’s a strong 915 MHz qpsk 64k symbol/second signal. I wonder what’ll happen if I replay it.

The trick is to write jokes, not to actually threaten anything — like the original tweet above. Those of us with technical knowledge and skills should be free to express our humor without the FBI confiscating all our stuff when we land.

BTW, I know you can all steal in-flight WiFi easier than you can pay for it, but do pay for it :)

SANS Internet Storm Center, InfoCON: green: Microsoft Patch Tuesday – April 2015, (Tue, Apr 14th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

Overview of the April 2015 Microsoft patches and their status.

| # | Affected | Contra Indications – KB | Known Exploits | Microsoft rating(**) | ISC rating(*) clients | ISC rating(*) servers |
|---|---|---|---|---|---|---|
| MS15-032 | Cumulative Security Update for Internet Explorer (Replaces MS15-018). CVE-2015-1652, CVE-2015-1657, CVE-2015-1659, CVE-2015-1660, CVE-2015-1661, CVE-2015-1662, CVE-2015-1665, CVE-2015-1666, CVE-2015-1667, CVE-2015-1668 | KB 3038314 | No | Severity: Critical | Critical | Important |
| MS15-033 | Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (Replaces MS14-081, MS15-022). CVE-2015-1639, CVE-2015-1641, CVE-2015-1649, CVE-2015-1650, CVE-2015-1651 | KB 3048019 | vuln. public. | Severity: Critical | Critical | Important |
| MS15-034 | Vulnerability in HTTP.sys Could Allow Remote Code Execution. CVE-2015-1635 | KB 3042553 | No | Severity: Critical | Critical | Critical |
| MS15-035 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution. CVE-2015-1645 | KB 3046306 | No | Severity: Critical | Critical | Critical |
| MS15-036 | Vulnerabilities in Microsoft SharePoint Server Could Allow Elevation of Privilege (Replaces MS15-022). CVE-2015-1640, CVE-2015-1653 | KB 3052044 | No | Severity: Important | N/A | Important |
| MS15-037 | Vulnerability in Windows Task Scheduler Could Allow Elevation of Privilege. CVE-2015-0098 | KB 3046269 | No | Severity: Important | Important | Important |
| MS15-038 | Vulnerabilities in Microsoft Windows Could Allow Elevation of Privilege (Replaces MS15-025, MS15-031). CVE-2015-1643, CVE-2015-1644 | KB 3049576 | No | Severity: Important | Important | Important |
| MS15-039 | Vulnerability in XML Core Services Could Allow Security Feature Bypass (Replaces MS14-067). CVE-2015-1646 | KB 3046482 | No | Severity: Important | Important | Important |
| MS15-040 | Vulnerability in Active Directory Federation Services Could Allow Information Disclosure. CVE-2015-1638 | KB 3045711 | No | Severity: Important | Important | Important |
| MS15-041 | Vulnerability in .NET Framework Could Allow Information Disclosure (Replaces MS14-009). CVE-2015-1648 | KB 3048010 | No | Severity: Important | Important | Important |
| MS15-042 | Vulnerability in Windows Hyper-V Could Allow Denial of Service. CVE-2015-1647 | KB 3047234 | No | Severity: Important | Important | Important |
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating

  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become “interesting” for the dark side.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
    • The difference between the client and server rating is based on how you use the affected machine. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
    • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems.
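As an added example (not part of the ISC diary), here is a small Python check that ranks which of the April 2015 bulletins a host still lacks, using the clients/servers columns of the table above and the ISC urgency scale; the installed hotfix list is a constructed sample standing in for the HotFixID column of PowerShell's Get-HotFix, and the client/server role picks which column applies.

```python
from dataclasses import dataclass

# ISC urgency scale from the diary, most urgent first; N/A means the row does not apply to this role.
ISC_ORDER = {"PATCH NOW": 0, "Critical": 1, "Important": 2, "Less Urgent": 3, "N/A": 4}

@dataclass(frozen=True)
class Bulletin:
    ms_id: str
    kb: str       # KB article that delivers the fix
    clients: str  # ISC rating for a client role
    servers: str  # ISC rating for a server role

# Transcribed from the table above (only the fields this check needs).
APRIL_2015 = [
    Bulletin("MS15-032", "KB3038314", "Critical", "Important"),
    Bulletin("MS15-033", "KB3048019", "Critical", "Important"),
    Bulletin("MS15-034", "KB3042553", "Critical", "Critical"),
    Bulletin("MS15-035", "KB3046306", "Critical", "Critical"),
    Bulletin("MS15-036", "KB3052044", "N/A", "Important"),
    Bulletin("MS15-037", "KB3046269", "Important", "Important"),
    Bulletin("MS15-038", "KB3049576", "Important", "Important"),
    Bulletin("MS15-039", "KB3046482", "Important", "Important"),
    Bulletin("MS15-040", "KB3045711", "Important", "Important"),
    Bulletin("MS15-041", "KB3048010", "Important", "Important"),
    Bulletin("MS15-042", "KB3047234", "Important", "Important"),
]

def normalize_kb(hotfix_id: str) -> str:
    """Accept 'KB3038314', 'kb 3038314' or '3038314' (Get-HotFix prints 'KB3038314')."""
    return "KB" + "".join(ch for ch in hotfix_id if ch.isdigit())

def missing_bulletins(installed_hotfixes, role: str):
    """Return [(ms_id, kb, rating)] for bulletins the host lacks, most urgent first.
    role is 'client' or 'server' and selects the ISC column; N/A rows are skipped."""
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    have = {normalize_kb(h) for h in installed_hotfixes}
    gaps = []
    for b in APRIL_2015:
        rating = b.clients if role == "client" else b.servers
        if rating != "N/A" and b.kb not in have:
            gaps.append((b.ms_id, b.kb, rating))
    return sorted(gaps, key=lambda g: (ISC_ORDER[g[2]], g[0]))

if __name__ == "__main__":
    # Constructed sample standing in for the HotFixID column of Get-HotFix on a workstation.
    sample = ["KB3038314", "KB3042553", "KB3046306", "KB3046269"]
    for ms_id, kb, rating in missing_bulletins(sample, "client"):
        print(f"{rating:9} {ms_id} missing ({kb})")
```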


Alex Stanford – GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

TorrentFreak: Music Industry Wants Cross Border Pirate Site Blocks

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent years blockades of “pirate” websites have spread across Europe and elsewhere. In the UK, for example, more than 100 websites are currently blocked by the major ISPs.

In recent weeks alone several new countries adopted similar measures, Australia, Spain and Portugal included.

Opponents of this censorship route often argue that the measures are ineffective, and that people simply move to other sites. However, in its latest Digital Music Report music industry group IFPI disagrees, pointing at research conducted in the UK.

“Website blocking has proved effective where applied,” IFPI writes, noting that the number of UK visits to “all BitTorrent” sites dropped from 20 million in April 2012 to 11 million two years later.


The key to an effective blocking strategy is to target not just one, but all leading pirate sites.

“While blocking an individual site does not have a significant impact on overall traffic to unlicensed services, once a number of leading sites are blocked then there is a major impact,” IFPI argues.

For now, however, the courts have proven to be among the biggest hurdles. It can sometimes take years before these cases reach a conclusion, and the same requests have to be made separately in every country.

To streamline the process, copyright holders now want blocking injunctions to apply across borders, starting in the European Union.

“The recording industry continues to call for website blocking legislation where it does not already exist. In countries where there is already a legal basis for blocking, procedures can be slow and burdensome,” IFPI writes.

“For example, within the EU, blocking The Pirate Bay has meant taking multiple legal actions in different member states and rights holders are calling for injunctions to have cross-border effect.”

In addition to website blockades the music industry also stresses that other stakeholders should do more to help fight piracy. Search engines should prioritize legal services, for example, and advertisers and payment processors should cut their ties with pirate sites.

While IFPI’s numbers suggest that BitTorrent piracy has decreased globally, it remains a significant problem. The group estimates that there are still four billion pirated music downloads per year on BitTorrent alone.

In other words, there’s plenty of blocking to be done before it’s no longer an issue, if that point will ever be reached.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.