Posts tagged ‘research’

The Hacker Factor Blog: Eight Is Enough

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I must be one of those people who lives in a cave. (Well, at least it’s a man-cave.) I didn’t even realize that Apple’s iOS 8 was released until I heard all of the hoopla in the news.

When Apple did their recent big presentation, I heard about the new watch and the new iPhone, but not about the new operating system. The smart-watch didn’t impress me. At CACC last month, I saw a few people wearing devices that told the time, maintained their calendar, synced with their portable devices, and even checked their heart rates and sleep cycles. In this regard, Apple seems a little late to the game, over-priced, and limited in functionality.

The new iPhone also didn’t impress me. The only significant difference that I have heard about is the bigger screen. I find it funny that pants pockets are getting smaller and phones are getting bigger… So, where do you put this new iPhone? You can’t be expected to carry it everywhere by hand when you’re also holding a venti pumpkin spice soy latte with whip no room. Someone really needs to build an iPhone protector that doubles as a cup-holder. (Oh wait, it exists.) Or maybe an iBelt… that hangs the iPhone like a codpiece since it is more of a symbol of geek virility than a useful mobile device.

Then again, I’m not an Apple fanatic. I use a Mac, but I don’t go out of the way to worship at the foot of the latest greatest i-device.

Sight Seeing

Apple formally announced all of these new devices on September 9th. I decided to look over the FotoForensics logs for any iOS 8 devices. Amazingly, I’ve had a few sightings… and they started months before the formal announcement.

The first place I looked was in my web server’s log files. Every browser sends its user-agent string with their web request. This usually identifies the operating system and browser. The intent is to allow web services to collect metrics about usage. If I see a bunch of people using some new web browser, then I can test my site with that browser and ensure a good user experience.

With iOS devices, the user-agent string also encodes the OS version number. So I just looked for anything claiming to be an iOS 8 device. Here are the date/time and user-agent strings that match iOS 8. I’m only showing the first instance per day:

[18/Mar/2014:18:40:39 -0500] "Mozilla/5.0 (iPad; CPU OS 8_0 like Mac OS X) AppleWebKit/538.22 (KHTML, like Gecko) Mobile/12A214"

[29/Apr/2014:13:27:58 -0500] "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/538.30.1 (KHTML, like Gecko) Mobile/12W252a"

[02/Jun/2014:16:56:45 -0500] "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/538.34.9 (KHTML, like Gecko) Version/7.0 Mobile/12A4265u Safari/9537.53"

[03/Jun/2014:16:44:38 -0500] "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/538.34.9 (KHTML, like Gecko) Version/7.0 Mobile/12A4265u Safari/9537.53"

After June 3rd, it basically became a daily appearance. The list includes iPhones and iPads. And, yes, the first few sightings came from Cupertino, California, where Apple is headquartered.

Even though iOS 8 is new, it looks like a few people have been using it for months. Product testers, demos, beta testers, etc.

Pictures?

When Apple released iOS 7, they added a new metadata field to their pictures. This field records the active-use time since the last reboot. I suspect that it is a useful metric for Apple. It also makes me wonder if iOS 8 added anything new.

As a research service, every picture uploaded to FotoForensics gets indexed for rapid searching. I searched the archive for any pictures that claim to be from an iOS 8 device. So far, there have only been five sightings. (Each photo shows personally identifiable information, selfies or pictures of text, so I won’t be linking to them.)

Amazingly, none of these initial iOS 8 photos are camera-original files. Adobe, Microsoft Windows, and other applications were used to save the picture. The earliest picture was uploaded on 2014-07-30 at 21:32:39 GMT by someone in California, and the picture’s metadata says it was photographed on 2014-07-19.

Each of these iOS 8 photos came from an iPhone 5 or 5s device. I have yet to see any photos from an iPhone 6 device. (There was one sighting of an “iPhone 6Z” on 2013-01-30. But since it was uploaded by someone in France, I suspect that the metadata was altered.)

With the iPhone 5 and iOS 7, Apple introduced a “purple flare” problem. I don’t have many iOS 8 samples to compare against, and none are camera-originals. However, I’m not seeing the extreme artificial color correction that caused the purple flare. There’s still a distinct color correction, but it’s not as extreme. Perhaps the purple problem is fixed.

New Privacy

As far as I can tell, there is one notable new thing about iOS 8. Apple has publicly announced a change to its privacy policy. Specifically, it claims to have strong cryptography in the phones and no back doors. As a result, it will not be able to turn over any iPhone information to law enforcement, even under a valid subpoena. By implementing a technically strong solution and not retaining any keys, Apple has forced its own stance: it isn’t that it doesn’t want to help unlock a phone, it is that it technically cannot crack one in a realistic time frame.

While this stops Apple from assisting with iPhone and iPad devices that use iOS 8, it does nothing to stop Apple from turning over information uploaded to Apple’s iCloud service. (You do have the “backup to iCloud” option enabled, right?) This also does nothing to stop brute-force account guessing attacks, like the kind reportedly used to compromise celebrity nude photos. The newly deployed two-factor authentication seems like a much better solution even if it is too little too late.

Then again, I can also foresee new services that will handle your encryption keys for you, in case you lose them. After a few hundred complaints like “I lost my password and cannot access my precious kitty photos! Please help me!”, I expect that an entire market of back door options will become available for Apple users.

Behind the Eight Ball

I didn’t really pay attention to Apple’s latest releases until after they were out. However, it wouldn’t take much to make a database of known user agents and trigger an automated alert when the next Apple product first appears. It’s one thing to read about iOS 8 on Mac Rumors a few months before the release; it’s another thing to see it in my logs six months earlier.
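As an added example (my own code, not the post’s), here is how the log search described above can be turned into the first-seen alert the author suggests: it pulls the user-agent out of each log line, extracts the iOS version from the “CPU OS 8_0” / “CPU iPhone OS 8_0” token, records the earliest timestamp each major version was seen, and flags any major version not already in a known set. The sample log lines are constructed for this example in the shape of the excerpts above (a real Apache combined log keeps the user-agent as the last quoted field, which the line pattern also accepts); the `known_majors` set is an assumption standing in for the author’s “database of known user agents”.

```python
import re
from datetime import datetime

# Constructed sample log lines for this example. They follow the shape of the
# excerpts in the post (bracketed timestamp, then the quoted user-agent); the
# non-iOS line and the iOS 7 line are made up to show what gets ignored.
SAMPLE_LOG = """\
[18/Mar/2014:18:40:39 -0500] "Mozilla/5.0 (iPad; CPU OS 8_0 like Mac OS X) AppleWebKit/538.22 (KHTML, like Gecko) Mobile/12A214"
[18/Mar/2014:19:02:11 -0500] "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53"
[29/Apr/2014:13:27:58 -0500] "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/538.30.1 (KHTML, like Gecko) Mobile/12W252a"
[02/Jun/2014:16:56:45 -0500] "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36"
[03/Jun/2014:16:44:38 -0500] "Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/538.34.9 (KHTML, like Gecko) Version/7.0 Mobile/12A4265u Safari/9537.53"
"""

# Bracketed Apache timestamp anywhere on the line, and the LAST quoted field,
# which is the user-agent both in the post's excerpts and in a combined log.
LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\].*"(?P<ua>[^"]*)"\s*$')

# iPad user-agents say "CPU OS 8_0"; iPhone/iPod ones say "CPU iPhone OS 8_0".
IOS_RE = re.compile(
    r'\((?P<device>iPhone|iPad|iPod);[^)]*?CPU (?:iPhone )?OS '
    r'(?P<ver>\d+(?:_\d+)*) like Mac OS X'
)


def parse_ios_hits(log_text):
    """Yield (timestamp, device, version_tuple, user_agent) for every request
    whose user-agent claims to be an iOS device. Non-iOS lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ios = IOS_RE.search(m.group("ua"))
        if not ios:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        ver = tuple(int(part) for part in ios.group("ver").split("_"))
        yield ts, ios.group("device"), ver, m.group("ua")


def first_sightings(log_text, known_majors):
    """Return (first_seen, alerts).

    first_seen maps each iOS major version to the earliest timestamp it was
    seen. alerts lists one message per major version that is not in
    known_majors, built from that version's earliest sighting. The log need
    not be in chronological order; the minimum timestamp wins."""
    first_seen = {}
    first_hit = {}
    for ts, device, ver, ua in parse_ios_hits(log_text):
        major = ver[0]
        if major not in first_seen or ts < first_seen[major]:
            first_seen[major] = ts
            first_hit[major] = (device, ua)
    alerts = []
    for major in sorted(first_seen):
        if major not in known_majors:
            device, ua = first_hit[major]
            alerts.append(
                f"{first_seen[major].isoformat()} new iOS major {major} "
                f"first seen on {device}: {ua}"
            )
    return first_seen, alerts


if __name__ == "__main__":
    # Pretend iOS 7 is the newest version we know about; iOS 8 should alert.
    seen, alerts = first_sightings(SAMPLE_LOG, known_majors={7})
    for major, ts in sorted(seen.items()):
        print(f"iOS {major}: first seen {ts.isoformat()}")
    for alert in alerts:
        print("ALERT:", alert)
```

Two caveats a practitioner would add. The user-agent is entirely client-controlled, so a first sighting is a lead to correlate with other fields (the author points at the Cupertino source addresses for exactly this reason), not proof that a new OS exists. And the alert should key on the major version, as here, rather than on the whole string: every new WebKit or Mobile build number would otherwise fire, and the pre-release builds in the post already differ on those fields from one day to the next.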

While I don’t think much of Apple’s latest offerings, that doesn’t mean they won’t drive the market. Sometimes it’s not the product itself that drives the innovation; sometimes it’s the spaces that need filling.

TorrentFreak: Mega Demands Apology Over “Defamatory” Cyberlocker Report

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Yesterday the Digital Citizens Alliance released a new report that looks into the business models of “shadowy” file-storage sites.

Titled “Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,” the report attempts to detail the activities of some of the world’s most-visited hosting sites.

While it’s certainly an interesting read, the NetNames study provides a few surprises, not least the decision to include New Zealand-based cloud storage site Mega.co.nz. There can be no doubt that there are domains of dubious standing detailed in the report, but the inclusion of Mega stands out as especially odd.

Mega was without doubt the most-scrutinized file-hosting startup in history and as a result has had to comply fully with every detail of the law. And, unlike some of the other sites listed in the report, Mega isn’t hiding away behind shell companies and other obfuscation methods. It also complies fully with all takedown requests, to the point that it even took down its founder’s music, albeit following an erroneous request.

With these thoughts in mind, TorrentFreak alerted Mega to the report and asked how its inclusion amid the terminology used has been received at the company.

Grossly untrue and highly defamatory

“We consider the report grossly untrue and highly defamatory of Mega,” says Mega CEO Graham Gaylard.

“Mega is a privacy company that provides end-to-end encrypted cloud storage controlled by the customer. Mega totally refutes that it is a cyberlocker business as that term is defined and discussed in the report prepared by NetNames for the Digital Citizens Alliance.”

Gaylard also strongly rejects the implication in the report that, as a “cyberlocker”, Mega is engaged in activities often associated with such sites.

“Mega is not a haven for piracy, does not distribute malware, and definitely does not engage in illegal activities,” Gaylard says. “Mega is running a legitimate business alongside other cloud storage providers in a highly competitive market.”

The Mega CEO told us that one of the perplexing things about the report is that none of the criteria set out by the report for “shadowy” sites is satisfied by Mega, yet the decision was still taken to include it.

Infringing content and best practices

One of the key issues is, of course, the existence of infringing content. All user-uploaded sites suffer from that problem, from YouTube to Facebook to Mega and thousands of sites in between. But, as Gaylard points out, it’s the way those sites handle the issue that counts.

“We are vigorous in complying with best practice legal take-down policies and do so very quickly. The reality though is that we receive a very low number of take-down requests because our aim is to have people use our services for privacy and security, not for sharing infringing content,” he explains.

“Mega acts very quickly to process any take-down requests in accordance with its Terms of Service and consistent with the requirements of the USA Digital Millennium Copyright Act (DMCA) process, the European Union Directive 2000/31/EC and New Zealand’s Copyright Act process. Mega operates with a very low rate of take-down requests; less than 0.1% of all files Mega stores.”

Affiliate schemes that encourage piracy

One of the other “rogue site” characteristics as outlined in the report is the existence of affiliate schemes designed to incentivize the uploading and sharing of infringing content. In respect of Mega, Gaylard rejects that assertion entirely.

“Mega’s affiliate program does not reward uploaders. There is no revenue sharing or credit for downloads or Pro purchases made by downloaders. The affiliate code cannot be embedded in a download link. It is designed to reward genuine referrers and the developers of apps who make our cloud storage platform more attractive,” he notes.

The PayPal factor

As detailed in many earlier reports (1,2,3), over the past few years PayPal has worked hard to seriously cut down on the business it conducts with companies in the file-sharing space.

Companies, Mega included, now have to obtain pre-approval from the payment processor in order to use its services. The suggestion in the report is that large “shadowy” sites aren’t able to use PayPal due to its strict acceptance criteria. Mega, however, has a good relationship with PayPal.

“Mega has been accepted by PayPal because we were able to show that we are a legitimate cloud storage site. Mega has a productive and respected relationship with PayPal, demonstrating the validity of Mega’s business,” Gaylard says.

Public apology and retraction – or else

Gaylard says that these are just some of the points that Mega finds unacceptable in the report. The CEO adds that at no point was the company contacted by NetNames or Digital Citizens Alliance for its input.

“It is unacceptable and disappointing that supposedly reputable organizations such as Digital Citizens and NetNames should see fit to attack Mega when it provides the user end to end encryption, security and privacy. They should be promoting efforts to make the Internet a safer and more trusted place. Protecting people’s privacy. That is Mega’s mission,” Gaylard says.

“We are requesting that Digital Citizens Alliance withdraw Mega from that report entirely and issue a public apology. If they do not then we will take further action,” he concludes.

TorrentFreak asked NetNames to comment on Mega’s displeasure and asked the company if it stands by its assertion that Mega is a “shadowy” cyberlocker. We received a response (although not directly to our questions) from David Price, NetNames’ head of piracy analysis.

“The NetNames report into cyberlocker operation is based on information taken from the websites of the thirty cyberlockers used for the research and our own investigation of this area, based on more than a decade of experience producing respected analysis exploring digital piracy and online distribution,” Price said.

That doesn’t sound like a retraction or an apology, so this developing dispute may have a way to go.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Report Brands Dotcom’s Mega a Piracy Haven

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

The most popular file-hosting sites, also known as cyberlockers, have millions of visitors per day.

In recent years many of these sites have gotten a bad reputation as they are frequently used to share copyrighted files.

Today the Digital Citizens Alliance released a new report (pdf) that looks into the profitability of these sites and services. Titled “Behind The Cyberlocker Door: A Report How Shadowy Cyberlockers Use Credit Card Companies to Make Millions,” it offers insight into the money streams that end up at these alleged pirate sites.

The study, carried out by NetNames and backed by the entertainment industry, uses information from the busted Megaupload service to estimate the earnings of various other sites. Based on these and other assumptions it concludes that the top cyberlockers generate an average $3.2 million per site per year.

“Overall, total annual revenue across the thirty cyberlockers equated to $96.2 million or $3.2 million per site. One site gathered $17.6m per year in revenue,” the report notes, adding that it’s a conservative estimate.

Estimated revenue and profit per direct download cyberlocker (chart from the report)

The report brands these sites as piracy havens based on a sample of the files they host. All the sites that are listed are used predominantly for copyright infringement, they claim.

“The overwhelming use of cyberlockers is for content theft. Analysis of a sampling of the files on the thirty cyberlocker sites found that the vast majority of files were clearly infringing,” the report reads.

“At least 78.6 percent of files on direct download cyberlockers and 83.7 percent of files on streaming cyberlockers infringed copyright,” it adds.

Alleged “infringing” use per cyberlocker (chart from the report)

Here’s where the researchers make a crucial mistake. The sample on which the percentage of allegedly infringing files is based is drawn from links that are posted publicly online. These are certainly not representative of the entire site, at least not in all cases.

For Mega the researchers looked at 500 files that were shared online. However, the overwhelming majority of Mega’s files, which number more than 500,000,000, are never shared in public.

Unlike some other sites in the report, Mega is a rather traditional cloud hosting provider that’s frequently used for personal backup, through its desktop client or mobile apps for example. The files that are shared in public are the exception here, probably less than one percent of the total.

There is no denying that there are shady and rogue sites that do profit heavily from piracy, but lumping all these sites together and branding them with a pirate label is flat-out wrong.

Aside from “exposing” the estimated profitability of the cyberlockers the report also has a secondary goal. It puts out a strong call to the credit card companies Visa and MasterCard, and hosting providers such as Cloudflare, urging them to cut their ties with these supposed pirate havens.

“They should take a hard look at the checkered history of their cyberlocker partners. Simply put, the businesses that simply exploit and expropriate the creative efforts of others do not occupy a legitimate place in the Internet ecosystem,” the report notes.

“Content theft is a cancer on the Internet. It introduces viruses and malware to computers, robs creators who rely on the Internet to sell their products, damages brands by associating them with illegal and inappropriate content and provides seed money for criminals to engage in other illegal activities,” it adds.

Hopefully future reports will have more nuance. At minimum they should make sure to have all the facts right, as that’s generally more convincing.


Krebs on Security: Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

How much are your medical records worth in the cybercrime underground? This week, KrebsOnSecurity discovered medical records being sold in bulk for as little as $6.40 apiece. The digital documents, several of which were obtained by sources working with this publication, were apparently stolen from a Texas-based life insurance company that now says it is working with federal authorities on an investigation into a possible data breach.

The “Fraud Related” section of the Evolution Market.

Purloined medical records are among the many illicit goods for sale on the Evolution Market, a black market bazaar that traffics mostly in narcotics and fraud-related goods — including plenty of stolen financial data. Evolution cannot be reached from the regular Internet. Rather, visitors can only browse the site using Tor, software that helps users disguise their identity by bouncing their traffic between different servers, and by encrypting that traffic at every hop along the way.

Last week, a reader alerted this author to a merchant on Evolution Market nicknamed “ImperialRussia” who was advertising medical records for sale. ImperialRussia was hawking his goods as “fullz” — street slang for a package of all the personal and financial records that thieves would need to fraudulently open up new lines of credit in a person’s name.

Each document for sale by this seller includes the would-be identity theft victim’s name, their medical history, address, phone and driver license number, Social Security number, date of birth, bank name, routing number and checking/savings account number. Customers can purchase the records using the digital currency Bitcoin.

A set of five fullz retails for $40 ($8 per record). Buy 20 fullz and the price drops to $7 per record. Purchase 50 or more fullz, and the per record cost falls to just $6.40 — roughly the price of a value meal at a fast food restaurant. Incidentally, even at $8 per record, that’s cheaper than the price most stolen credit cards fetch on the underground markets.

ImperialRussia’s ad on Evolution pimping medical and financial records stolen from a Texas life insurance firm.

“Live and Exclusive database of US FULLZ from an insurance company, particularly from NorthWestern region of U.S.,” ImperialRussia’s ad on Evolution enthuses. The pitch continues:

“Most of the fullz come with EXTRA FREEBIES inside as additional policyholders. All of the information is accurate and confirmed. Clients are from an insurance company database with GOOD to EXCELLENT credit score! I, myself was able to apply for credit cards valued from $2,000 – $10,000 with my fullz. Info can be used to apply for loans, credit cards, lines of credit, bank withdrawal, assume identity, account takeover.”

Sure enough, the source who alerted me to this listing had obtained numerous fullz from this seller. All of them contained the personal and financial information on people in the Northwest United States (mostly in Washington state) who’d applied for life insurance through American Income Life, an insurance firm based in Waco, Texas.

American Income Life referred all calls to the company’s parent firm — Torchmark Corp., an insurance holding company in McKinney, Texas. This publication shared with Torchmark the records obtained from Imperial Russia. In response, Michael Majors, vice president of investor relations at Torchmark, said that the FBI and Secret Service were assisting the company in an ongoing investigation, and that Torchmark expected to begin the process of notifying affected consumers this week.

“We’re aware of the matter and we’ve been working with law enforcement on an ongoing investigation,” Majors said, after reviewing the documents shared by KrebsOnSecurity. “It looks like we’re working on the same matter that you’re inquiring about.”

Majors declined to answer additional questions, such as whether Torchmark has uncovered the source of the data breach and stopped the leakage of customer records, or when the company believes the breach began. Interestingly, ImperialRussia’s first post offering this data is dated more than three months ago, on June 15, 2014. Likewise, the insurance application documents shared with Torchmark by this publication also were dated mid-2014.

The financial information in the stolen life insurance applications includes the checking and/or savings account information of the applicant, and is collected so that American Income can pre-authorize payments and automatic monthly debits in the event the policy is approved. In a four-page discussion thread on ImperialRussia’s sales page at Evolution, buyers of this stolen data took turns discussing the quality of the information and its various uses, such as how one can use automated phone systems to verify the available balance of an applicant’s bank account.

Jessica Johnson, a Washington state resident whose records were among those sold by ImperialRussia, said in a phone interview that she received a call from a credit bureau this week after identity thieves tried to open two new lines of credit in her name.

“It’s been a nightmare,” she said. “Yesterday, I had all these phone calls from the credit bureau because someone tried to open two new credit cards in my name. And the only reason they called me was because I already had a credit card with that company and the company thought it was weird, I guess.”

ImperialRussia discusses his wares with potential and previous buyers.

More than 1.8 million people were victims of medical ID theft in 2013, according to a report from the Ponemon Institute, an independent research group. I suspect that many of these folks had their medical records stolen and used to open new lines of credit in their names, or to conduct tax refund fraud with the Internal Revenue Service (IRS).

Placing a fraud alert or freeze on your credit file is a great way to block identity thieves from hijacking your good name. For pointers on how to do that, as well as other tips on how to avoid becoming a victim of ID theft, check out this story.

TorrentFreak: Search Engines Can Diminish Online Piracy, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

In recent years Hollywood and the music industry have taken a rather aggressive approach against Google. The entertainment industry companies believe that the search engine isn’t doing enough to limit piracy, and have demanded more stringent measures.

One of the suggestions often made is to remove or demote pirate sites in search results. A lower ranking would lead fewer people to pirate sources, and promoting legal sources would have a similar effect.

Google previously said it would lower the ranking of sites based on DMCA complaints, but thus far these changes have had a limited effect. A few weeks ago the company also began promoting legal options but this effort is in the testing phase for now.

The question that remains is whether these changes would indeed decrease piracy. According to new research from Carnegie Mellon University, they can.

In a paper titled “Do Search Engines Influence Media Piracy?” the researchers ran two experiments where they let participants use a custom search engine to find a movie they wanted to watch. The respondents could pick from a list of 50 titles and received a $20 prepaid virtual Visa card as compensation.

All search results were pulled from a popular search engine. In the control condition the results were not manipulated, but in the “legal” and “infringing” conditions the first page only listed “legal” (e.g. Amazon) and neutral (e.g. IMDb) sites, or “infringing” (e.g. Pirate Bay) and neutral sites, respectively.

While it’s quite a simple manipulation, and even though users could still find legal and pirated content in all conditions, the results are rather strong.

Of all participants who saw the standard results, 80% chose to buy the movie via a legal option. This went up to 94% if the results were mostly legal, and dropped to 57% for the group who saw mostly infringing results on the first page.

To Pirate or Not to Pirate (results table from the paper)

TorrentFreak contacted Professor Rahul Telang who says that the findings suggest that Google and other search engines have a direct effect on people’s behavior, including the decision to pirate a movie.

“Prominence of legal versus infringing links in the search results seems to play a vital role in users’ decision to consume legal versus pirated content. In particular, demoting infringing links leads to a lower rate of consumption of pirated movie content in our sample,” he notes.

In a second study the researchers carried out a slightly modified version of the experiment with college students, a group that tends to pirate more frequently. The second experiment also added two new conditions where only the first three results were altered, to see if “mild” manipulations would also have an effect.

The findings show that college students indeed pirate more as only 62% went for the legal option in the control condition. This percentage went up gradually to 76% with a “mild legal” manipulation, and to 92% in the legal condition. For the infringing manipulations the percentages dropped to 48% and 39% respectively.

To Pirate or Not to Pirate, take two (results table from the paper)

According to Professor Telang their findings suggest that even small changes can have a significant impact and that altering search algorithms can be instrumental in the fight against online piracy.

“The results suggest that the search engines may play an important role in the fight against intellectual property theft,” Telang says.

It has to be noted that Professor Telang and his colleagues received a generous donation from the MPAA for their research program. However, the researchers suggest that their work is carried out independently.

As a word of caution the researchers point out that meddling with search results in the real world may be much more challenging. False positives could lead to significant social costs and should be avoided, for example.

This and other caveats aside, the MPAA and RIAA will welcome the study as a new piece of research they can wave at Google and lawmakers. Whether that will help them to get what they want has yet to be seen though.


Errata Security: Hacker "weev" has left the United States

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

Hacker Andrew “weev” Auernheimer, who was unjustly persecuted by the US government and recently freed after a year in jail when the courts agreed his constitutional rights had been violated, has now left the United States for a non-extradition country:

I wonder what that means. On one hand, he could go full black-hat and go on a hacking spree. Hacking doesn’t require anything more than a cheap laptop and a dial-up/satellite connection, so it can be done from anywhere in the world.

On the other hand, he could also go full white-hat. There is lots of useful white-hat research that we don’t do because of the chilling effect of government. For example, in our VNC research, we don’t test default password logins for some equipment, because this can be interpreted as violating the CFAA. However, if ‘weev’ never intends on traveling to an extradition country, it’s something he can do, and report the results to help us secure systems.

Thirdly, he can now freely speak out against the United States. Again, while we theoretically have the right to “free speech”, we see how those like Barrett Brown are in jail purely because they spoke out against the police-state.

TorrentFreak: BitTorrent: Our Users Buy 33% More Music Albums Online

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

BitTorrent Inc, the company behind the successful uTorrent and BitTorrent file-sharing clients, has been making huge efforts in recent times to shed the false image that the company is synonymous with online piracy.

One of the key ways it’s changing this perception is by partnering with well-known artists such as De La Soul, Moby and Madonna, and showing that BitTorrent is an ideal tool to connect artists with fans.

To provide some examples of what it can do, BitTorrent Inc. has made a distribution and advertising deck with success stories. Thus far more than 10,000 artists have used BitTorrent’s bundles, generating over 100 million downloads which convert into real sales.

Slide from BitTorrent’s advertising deck (via Digiday)

Aside from listing its successes the company also reports some intriguing statistics on the consumer behavior of its community.

On slide 12 BitTorrent Inc. notes that its community is 33% more likely to buy albums online, makes 34% more DVD purchases, watches 34% more movies in theater and is twice as likely to have a paid music subscription.

BitTorrent’s community (slide from the deck)

Because BitTorrent Inc provides no source for the data provided in this last slide we contacted the company last week to find out more. Unfortunately, we haven’t received a response thus far.

However, while writing this article we found that the numbers reported in the pitch deck trace back to one of our own articles. The data reported by BitTorrent Inc. comes from music industry group IFPI and details the buying habits of music pirates. BitTorrent Inc subsequently used these piracy statistics to sell its “community” to potential partners.

This is interesting for a variety of reasons. First, IFPI’s research doesn’t mention BitTorrent users, but file-sharing music pirates in general. Furthermore, since when does BitTorrent see “music pirates” as its community? Perhaps that’s the reason why the source for the data isn’t provided in the pitch deck (IFPI was mentioned as source in an earlier pitch deck).

That said, BitTorrent Inc is right to point out that file-sharers tend to be more engaged fans than the average person. Even the RIAA was willing to admit that.

It’s good to see that more and more artists, including many big names, are beginning to recognize this potential too. Even U2, whose former manager is one of the most vocal anti-piracy crusaders, has now decided to give away its latest album for free hoping that it will increase sales of older work. Without piracy, that would have never happened.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: Spotify: Aussie Music Piracy Down 20%

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Since its launch, Spotify has always had a very clear goal in mind: compete with piracy and make it obsolete.

To see how the company is faring on this front Spotify regularly researches piracy rates in countries where they enter the market. Thus far the results have been rather positive.

In 2012 the streaming service entered the Australian market and Spotify’s own research now shows that music piracy via BitTorrent dropped significantly during the following year.

In a keynote speech at the BIGSOUND music conference today, Spotify’s Director of Economics Will Page reveals that the volume of music piracy has decreased 20% between 2012 and 2013. Similarly, the number of people sharing music via BitTorrent in Australia has gone down too.

“It’s exciting to see that we are making inroads into reducing the music piracy problem within such a short space of time in this market,” Page says.

“It shows the scope for superior legal services (offered at an accessible price point) to help improve the climate for copyright online,” he adds.

While the overall volume is down, not all pirates are giving up their habit. The research found that it’s mostly the casual file-sharers who stop sharing, while the hard-core pirates remain just as active as before.

Also worth noting is that interest in illegal music downloads pales in comparison to that of other media. The research found that the demand for TV-shows and movies is four times that of music.

Spotify suggests that it’s partly responsible for the drop in music piracy, but doesn’t say to what extent. It’s also not clear how the demand for and volume of other forms of piracy changed in the same time period.

Page sees the drop in music piracy as an encouraging sign, but notes that more has to be done. While Spotify’s Director of Economics doesn’t comment on specific anti-piracy proposals the Government has put forward, he does stress that both carrots and sticks are required to address the issue.

“Let’s be clear, Australia still faces a massive challenge in turning around its much talked about media piracy challenge, and it always has, and always will, take a combination of public policy and superior legal offerings,” Page says.

“The downward trend in piracy volume and population suggests superior music legal services like Spotify are making a positive impact, and this has proven to be the case in Scandinavia, but it will take both carrots and sticks to turn the market around.”

The research seems to suggest that services like Spotify are reasonably good carrots, but what the sticks look like will have to become clear in the months to come.


Errata Security: Vuln bounties are now the norm

This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

When you get sued for a cybersecurity breach (such as in the recent Home Depot case), one of the questions will be “did you follow industry norms?”. Your opposition will hire expert witnesses like me to say “no, they didn’t”.

One of those norms you fail at is “Do you have a vuln bounty program?”. These are programs that pay hackers to research and disclose vulnerabilities (bugs) in their products/services. Such bounty programs have proven their worth at companies like Google and Mozilla, and have spread through the industry. The experts in our industry agree: due-diligence in cybersecurity means that you give others an incentive to find and disclose vulnerabilities. Contrariwise, anti-diligence is threatening, suing, and prosecuting hackers for disclosing your vulnerabilities.

There are now two great bounty-as-a-service*** companies “HackerOne” and “BugCrowd” that will help you run such a program. I don’t know how much it costs, but looking at their long customer lists, I assume it’s not too much.

I point this out because a lot of Internet companies have either announced their own programs, or signed onto the above two services, such as the recent announcement by Twitter. All us experts think it’s a great idea and that the tradeoffs are minor. I mean, a lot of us understand tradeoffs, such as why HTTPS is difficult for your website — we don’t see important tradeoffs for vuln bounties. It is now valid to describe this as a “norm” for cybersecurity.

By the way, I offer $100 in BitCoin for vulns in my tools that I publish on GitHub:
https://github.com/robertdavidgraham


*** Hacker1 isn’t a “bounty-as-a-service” company but a “vuln coordination” company. However, all the high-profile customers they highlight offer bounties, so it comes out to much the same thing. They might not handle the bounties directly, but they are certainly helping the bounty process.


Update: One important tradeoff is that such bounty programs attract a lot of noise from idiots, such as “your website doesn’t use SSL, now gimme my bounty” [from @beauwoods]. Therefore, even if you have no vulnerabilities, there is some cost to such programs. That’s why BugCrowd and Hacker1 are useful: they can more efficiently sift through the noise than your own organization. However, this highlights a problem in your organization: if you don’t have the expertise to filter through such noise (and many organizations don’t), then you don’t have the expertise to run a bug bounty program. However, this also means you aren’t in a position to be trusted.

Update: Another cost [from @JardineSoftware] is that by encouraging people to test your site, you’ll increase the number of false-positives on your IDS. It’ll be harder now to distinguish testers from attackers. That’s not a concern: the real issue is that you spend far too much time looking at inbound attacks already and not enough at successful outbound exfiltration of data. If encouraging testers doubles the number of IDS alerts, then that’s a good thing not a bad thing.

Update: You want to learn about cybersecurity? Then just read what’s in/out of scope for the Yahoo! bounty: https://hackerone.com/yahoo

TorrentFreak: Breaking Bad Piracy Surges After Emmy Win, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

People have many different motivations to pirate TV-shows and other media. Availability is a factor, for example, and price plays a role as well.

Another important driver of piracy is exposure or promotion through traditional media.

The latter is illustrated by new research from piracy monitoring firm CEG TEK, who found that the interest in pirated copies of Emmy nominated TV-shows surged after the award show aired on television.

The company measured the BitTorrent swarms of 50 Emmy-nominated TV-shows and found a big spike in overall piracy rates.

Breaking Bad, winner of the Emmy for best drama series and several individual awards, saw a 412% increase in peers after the award ceremony.

Pirates’ interest in True Detective, House of Cards, Homeland and The Newsroom also spiked at least 340% the day after the Emmys. These peaks are unusual according to CEG TEK, who note that 47 of the 50 nominated shows they monitored saw an increase in sharing activity.

“Typically, piracy peaks on weekends, but of the 50 shows we monitored, 47 were pirated more as a result of the Primetime Emmy Awards broadcast,” CEG TEK CTO Jon Nicolini says.

“Clearly, the prestige of the Emmys is alive and well,” he adds.

While an Emmy award is certainly a big win, some people in the TV industry believe that being the most pirated TV-show may do even more to boost a show’s profile.

Jeff Bewkes, CEO of HBO’s parent company Time Warner, previously said that Game of Thrones piracy resulted in more subscriptions for his company and that receiving the title of “most pirated” show was “better than an Emmy.”

So that’s a double score for the Emmy winners then.


The Hacker Factor Blog: The Naked Truth

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Warning: This blog entry discusses adult content.

In my previous blog entry, I wrote about the auto-ban system at FotoForensics. This system is designed to detect network attacks and prohibited content. Beginning yesterday, the system has been getting a serious workout. Over 600 people have been auto-banned. After 30 hours, the load is just beginning to ebb.

Yesterday on 4chan (the land of trolls), someone posted a long list of “celebrity nude photos”. Let me be blunt: they are all fakes. Some with heads pasted onto bodies, others have clothing digitally removed — and it’s all pretty poorly done. (Then again: if it came from the site that gave us Rickrolling and Pedobear, did anyone expect them to be real?)

Plenty of news outlets are reporting on this as if it was a massive data security leak. Except that there was no exploit beyond some very creepy and disturbed person with photoshop. (Seriously: to create this many fakes strikes me as a mental disorder from someone who is likely a sex offender.) When actress Victoria Justice tweeted that the pictures are fake, she was telling the truth. They are all fakes.

Unfortunately in this case, when people think photos may be fake, they upload them to FotoForensics. Since FotoForensics has a zero-tolerance policy related to porn, nudity, and sexually explicit content, every single person who uploads any of these pictures is banned. All of them. Banned for three months. And if they don’t get the hint and visit during the three-month ban, then the ban counter resets — it’s a three month ban from your last visit.

Why Ban?

I have previously written about why FotoForensics bans some content. To summarize the main reasons: we want less-biased content (not “50% porn”), we want to stay off blacklists that would prevent access from our desired user base, and we want to reduce the amount of child porn uploaded to the site.

As a service provider, I am a mandatory reporter. I don’t have the option to not report people who upload child porn. Either I turn you in and you get a felony, or I don’t turn you in and I get a felony. So, I’m turning you in ASAP. (As one law enforcement officer remarked after reviewing a report I submitted, “Wait… you’re telling me that they uploaded child porn to a site named ‘Forensics’ and run by a company called ‘Hacker’?” I could hear her partners laughing in the background. “We don’t catch the smart ones.”)

Banning all porn, nudity, and sexually explicit content dramatically reduces the number of users who upload child porn. It also keeps the site workplace-safe and it stops porn from biasing the data archive.

The zero-tolerance policy at FotoForensics is really no different from the terms of service at Google, Facebook, Yahoo, Twitter, Reddit, and every other major service provider. All of them explicitly forbid child porn (because it’s a felony), and most just forbid all pornography and sexually explicit content because they know that sites without filters have problems with child porn.

Unfortunately, there’s another well-established trend at FotoForensics. Whenever there is a burst of activity, it is followed by people who upload porn, and then by people uploading child porn. The current burst (uploading fake nude celebrities) is a huge one. Already, we are seeing the switch over to regular porn. That means we are gearing up to report tons of child porn that will likely show up over the next few days. (This is the part of my job that I hate. I don’t hate reporting people — that’s fun and I hope they all get arrested. I hate having my admins and research partners potentially come across child porn.)

Coming Soon…

Over at FotoForensics, we have a lot of different research projects. Some of them are designed to identify fads and trends, while others are looking for ways to better conduct forensics. One of the research projects is focused on more accurately identifying prohibited content. These are all part of the auto-ban system.

Auto-ban has a dozen independent functions and a couple of reporting levels. Some people get banned instantly. Others get flagged for review based on suspicious activity or content. Some flagged content generates a warning for the user. The warning basically says that this is a family friendly site and makes the user agree that they are not uploading prohibited content. Other times content is silently flagged — the user never notices it, but it goes into the list of content for manual review and potential banning. (Even the review process is simplified: one person can easily review a few thousand files per hour.)

We typically deploy a new function as a flagging tool until it is well-tested. We want zero false-positives before we make banning automated. (Over the last 48 hours, auto-ban has banned over 600 people and flagged another 400 for review and manual banning.)

One of the current flagging rules is a high-performance and high-accuracy search engine that identifies visually similar content. (I’m not using the specific algorithms mentioned in my blog entry, but they are close enough to understand the concept.) This system can compare one BILLION hashes per second per CPU per gigahertz, and it scales linearly. (One 3.3GHz CPU can process nearly 3 billion hashes per second — it would be faster if it wasn’t I/O bound. And I don’t use a GPU because loading and unloading the GPU would take more time than just doing the comparisons on the basic CPU.) To put it simply, it will take a fraction of a second to compare every new upload against the list of known prohibited content. And if there’s a strong match, then we know it is the same picture, even if it has been resized, recolored, cropped, etc.
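The core of that profiling step, as an added illustration rather than the FotoForensics code: a perceptual hash is computed once per upload and compared by Hamming distance (XOR plus popcount, the "compare hashes" loop the post is timing) against the hashes of known-prohibited images. The hash used here is a plain difference hash (dHash), one of the simple algorithms in the family the post alludes to, not necessarily what the site runs. Every image below is constructed for the example (lists of grayscale rows standing in for real uploads), the `KNOWN` list and its labels are assumptions, and the 10-bit match threshold is a typical but arbitrary choice; it runs with the standard library only.

```python
"""Near-duplicate lookup with a perceptual hash and Hamming distance.

Added illustration, not the FotoForensics code: a difference hash (dHash)
stands in for whatever the site actually runs; all sample images are constructed.
"""
from typing import List, Optional, Sequence, Tuple

Image = List[List[int]]  # rows of 0..255 grayscale values


def resize_area(img: Image, width: int, height: int) -> Image:
    """Downscale by averaging every source pixel that falls in a target cell."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for y in range(height):
        y0 = y * src_h // height
        y1 = max((y + 1) * src_h // height, y0 + 1)
        row = []
        for x in range(width):
            x0 = x * src_w // width
            x1 = max((x + 1) * src_w // width, x0 + 1)
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def dhash(img: Image) -> int:
    """64-bit difference hash: shrink to 9x8 cells and emit a 1 bit wherever a
    cell is darker than its right-hand neighbour. Only the ordering of
    neighbouring cells matters, which is why resizing and recolouring barely
    change the result."""
    bits = 0
    for row in resize_area(img, 9, 8):
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Bits that differ between two hashes (XOR + popcount)."""
    return bin(a ^ b).count("1")


def find_match(candidate: Image, known: Sequence[Tuple[str, int]],
               threshold: int = 10) -> Optional[Tuple[str, int]]:
    """Closest known hash within `threshold` bits as (label, distance), else None.
    Same linear XOR/popcount scan the post describes; native code just runs it
    orders of magnitude faster."""
    h = dhash(candidate)
    best = None
    for label, kh in known:
        d = hamming(h, kh)
        if d <= threshold and (best is None or d < best[1]):
            best = (label, d)
    return best


# --- constructed sample images (not real uploads) ---------------------------

def blocks_image(w: int, h: int, mirrored: bool = False) -> Image:
    """3x2 checkerboard of bright/dark blocks under a gentle left-to-right ramp;
    plays the part of the prohibited picture."""
    img = []
    for y in range(h):
        row_block = y * 2 // h
        row = []
        for x in range(w):
            xx = w - 1 - x if mirrored else x
            base = 180 if (xx * 3 // w + row_block) % 2 == 0 else 60
            row.append(base + 40 * xx // w)
        img.append(row)
    return img


def unrelated_image(w: int, h: int) -> Image:
    """Ramp running right-to-left on top and left-to-right below."""
    return [[60 + 120 * ((w - 1 - x) if y * 2 < h else x) // w for x in range(w)]
            for y in range(h)]


def recolour(img: Image, gain: float, bias: int) -> Image:
    """Contrast/brightness change, clamped to 0..255."""
    return [[max(0, min(255, int(p * gain) + bias)) for p in row] for row in img]


def crop(img: Image, border: int) -> Image:
    """Trim `border` pixels from every edge."""
    return [row[border:-border] for row in img[border:-border]]


KNOWN = [  # the "list of known prohibited content": a label and a hash, nothing else
    ("prohibited-a", dhash(blocks_image(60, 48))),
    ("unrelated", dhash(unrelated_image(60, 48))),
]


def demo() -> dict:
    """Push the variants the post lists (resized, recoloured, cropped) and a
    mirrored decoy through the matcher."""
    original = blocks_image(60, 48)
    return {
        "resized": find_match(blocks_image(90, 72), KNOWN),
        "recoloured": find_match(recolour(original, 0.7, 60), KNOWN),
        "cropped": find_match(crop(original, 3), KNOWN),
        "mirrored": find_match(blocks_image(60, 48, mirrored=True), KNOWN),
    }
```

`demo()` returns a match at distance 0 for the resized and recoloured copies, a match at a small non-zero distance for the cropped copy (the crop shifts a couple of cell boundaries), and `None` for the mirrored copy: a difference hash is not flip-invariant, so a deployment that cares about that enrols the hash of the mirror image alongside the original rather than loosening the threshold, which is what drives false positives. Because the store is just 64-bit integers, the candidate's hash can be XORed against millions of entries in a tight loop, which is the "billions per second" scale the post talks about.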

The last two days have been a great stress test for this new profiling system. I don’t think we missed banning any of these prohibited pictures. Later this week, it is going to graduate and become fully automated. Then we can begin banning people as fast as they upload.

TorrentFreak: MPAA Research: Blocking The Pirate Bay Works, So…..

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Website blocking has become one of the favorite anti-piracy tools of the entertainment industries in recent years.

The UK is a leader on this front, with the High Court ordering local ISPs to block access to dozens of popular file-sharing sites, including The Pirate Bay and KickassTorrents.

Not everyone is equally excited about these measures and researchers have called their effectiveness into question. This prompted a Dutch court to lift The Pirate Bay blockade a few months ago. The MPAA, however, hopes to change the tide and prove these researchers wrong.

Earlier today Hollywood’s anti-piracy wish list was revealed through a leaked draft various copyright groups plan to submit to the Australian Government. Buried deep in the report is a rather intriguing statement that refers to internal MPAA research regarding website blockades.

“Recent research of the effectiveness of site blocking orders in the UK found that visits to infringing sites blocked declined by more than 90% in total during the measurement period or by 74.5% when proxy sites are included,” it reads.

MPAA internal research

In other words, MPAA’s own data shows that website blockades do help to deter piracy. Without further details on the methodology it’s hard to evaluate the findings, other than to say that they conflict with previous results.

But there is perhaps an even more interesting angle to the passage than the results themselves.

Why would the MPAA take an interest in the UK blockades when Hollywood has its own anti-piracy outfit (FACT) there? Could it be that the MPAA is planning to push for website blockades in the United States?

This is not the first sign to point in that direction. Two months ago MPAA boss Chris Dodd said that ISP blockades are one of the most effective anti-piracy tools available.

Combine the above with the fact that the United States is by far the biggest traffic source for The Pirate Bay, and slowly the pieces of the puzzle begin to fall into place.

It seems only a matter of time before the MPAA makes a move towards website blocking in the United States. Whether that’s through a voluntary agreement or via the courts, something is bound to happen.


Raspberry Pi: Sonic Pi: Live & Coding Summer School

This post was syndicated from: Raspberry Pi and was written by: Carrie Anne Philbin. Original post: at Raspberry Pi

Carrie Anne – I have an ongoing long-term love affair with Sonic Pi ever since Dr Sam Aaron from the University of Cambridge introduced me to it in late 2012 to help me teach text-based programming to my students. Since then it has been used to teach music and artistic expression thanks to the Sonic Pi Live & Coding project, which I’ll talk more about in the coming months as it reaches its conclusion. A few weeks ago 60 children took part in a Sonic Pi Live & Coding summer school run by artists Juneau Projects at the Cambridge Junction. Here, in their own words, is their take on the experience:

Sonic Pi Live & Coding summer school

The Sonic Pi Live & Coding summer school finished just over three weeks ago, and yet our heads are still full of it! It was a brilliant week where 56 children aged between 10 and 14 years spent the week at the Cambridge Junction, working amazingly hard not only to get to grips with the language of live coding, but also learning how to finesse that language and perform with it using Sonic Pi on Raspberry Pi. It was a beautiful thing to be a part of. Over the course of five days the students went from having never used Sonic Pi before to putting on a concert for an invited audience, incorporating never-before-seen software functions (literally added on the spot by Sam Aaron – the brains behind Sonic Pi – to help realise the students’ ambitions) and incredible showmanship!

Juneau Projects artists Ben & Phil

The plan for the week was not only to introduce the students to the technical aspects of Sonic Pi (i.e. how do you make a sound, and then make it sound how you want it to sound etc) but to offer an overview of what live coding sounds like and looks like and what it might become in the students’ hands. To this end we were lucky enough to see performances by Thor Magnusson, Shelly Knotts and Sam Aaron himself (wearing an incredible cyberpunk/wizard get-up – it’s amazing what a party hat and a pair of novelty sunglasses can do). The students were able to quiz the performers, who were all very open about their practice, and to get a sense not only of how these performers do what they do on-stage but also of why they do what they do.

Sam gives a performance to the students

The summer school was delivered by a great team that we were proud to be part of: Ben Smith, Ross Wilson (both professional musicians) and Jane Stott (head of music at Freman College) had all been part of the initial schools project during the summer term (at Freman College and Coleridge Community College) and brought their experience from those projects to help the students at the summer school on their journey into live coding. Michelle Brace, Laura Norman and Mike Smith did an amazing job of keeping everything moving smoothly over the course of the week, and in addition Michelle did a brilliant job of keeping everybody on track with the Bronze Arts Award that the students were working towards as part of the week, as well as project managing the whole thing! Pam Burnard and Franzi Florack were working on the research component of the project, interviewing students, observing the process of the week and feeding back to us – their feedback was invaluable in terms of keeping the week moving forward in a meaningful way. We had visits from Carrie Anne Philbin and Eben Upton from Raspberry Pi who supported the project throughout. Finally Sam Aaron was resident Sonic Pi guru, handling all those questions that no-one else could answer and being a general all-round ball of live coding enthusiasm.

Buttons + Sonic Pi + Raspberry Pi = Fun

The week held many highlights: the first ever Sonic Pi live coding battle (featuring 56 combatants!); live ambient soundtracks produced by thirty students playing together, conducted by Ross Wilson; Sonic Pi X Factor; and great guest performances by Thor and Shelly. From our perspective though there was no topping the final event. The students worked in self-selected groups to produce a final project. For many this was a live coding performance but the projects also included bespoke controllers designed to aid the learning process of getting to grips with Sonic Pi; ambient soundtrack installations; and a robotic performer (called ‘Pitron’).

The performances themselves were really varied in terms of the sounds and techniques used, but were universally entertaining and demonstrated the amount of information and knowledge the students had absorbed during the week. One group used live instruments fed directly into Sonic Pi, using a new function that Sam coded during the summer school – a Sonic Pi exclusive! A personal highlight was the Sonic Pi-oneers, a seven piece live coding group who blew the crowd away with the breadth of their live coding skills. They’re already being tipped as the One Direction of the live coding world. Another great moment was Pitron’s appearance on stage: Pitron’s creator, Ben, delivered an incredible routine, using lots of live coding skills in combination with genius comedy timing.

Live coding of music with Sonic Pi, instruments and installations.

All in all the summer school was a phenomenal thing to be a part of. We have never quite experienced anything like it before – it truly felt like the start of something new!

Krebs on Security: DQ Breach? HQ Says No, But Would it Know?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.

I first began hearing reports of a possible card breach at Dairy Queen at least two weeks ago, but could find no corroborating signs of it — either by lurking in shadowy online “card shops” or from talking with sources in the banking industry. Over the past few days, however, I’ve heard from multiple financial institutions that say they’re dealing with a pattern of fraud on cards that were all recently used at various Dairy Queen locations in several states. There are also indications that these same cards are being sold in the cybercrime underground.

The latest report in the trenches came from a credit union in the Midwestern United States. The person in charge of fraud prevention at this credit union reached out wanting to know if I’d heard of a breach at Dairy Queen, stating that the financial institution had detected fraud on cards that had all been recently used at a half-dozen Dairy Queen locations in and around its home state.

According to the credit union, more than 50 customers had been victimized by a blizzard of card fraud just in the past few days alone after using their credit and debit cards at Dairy Queen locations — some as far away as Florida — and that the pattern of fraud suggests the DQ stores were compromised at least as far back as early June 2014.

“We’re getting slammed today,” the fraud manager said Tuesday morning of fraud activity tracing back to member cards used at various Dairy Queen locations in the past three weeks. “We’re just getting all kinds of fraud cases coming in from members having counterfeit copies of their cards being used at dollar stores and grocery stores.”

Other financial institutions contacted by this reporter have seen recent fraud on cards that were all used at Dairy Queen locations in Florida and several other states, including Indiana, Illinois, Kentucky, Ohio, Tennessee, and Texas.
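How an issuer's fraud team arrives at a conclusion like that, as an added example that is neither Krebs's reporting nor any bank's actual tooling: "common point of purchase" analysis starts from the cards with confirmed counterfeit fraud, looks at where each was used in a lookback window, and ranks merchants by how many fraud cards they share and by how far their fraud rate exceeds the baseline across all cards, so a grocer that every cardholder visits does not outrank a compromised store. The earliest fraud-card visit at the flagged merchant gives a floor on how far back the compromise reaches, which is the kind of reasoning behind the "at least as far back as early June" estimate above. The card IDs, merchant descriptors, dates and thresholds below are all constructed for the example.

```python
"""Common-point-of-purchase (CPP) analysis over card transactions.

Added example, not an issuer's real tooling: given the cards a bank has
confirmed as counterfeited, find the merchant(s) they share in a lookback
window and check that the fraud rate there is well above baseline.
All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Txn:
    card: str       # tokenised card identifier (constructed)
    merchant: str   # merchant descriptor as seen on the authorisation
    when: date


@dataclass(frozen=True)
class Hit:
    merchant: str
    fraud_cards: int    # distinct confirmed-fraud cards seen at this merchant
    total_cards: int    # distinct cards of any kind seen at this merchant
    coverage: float     # share of all fraud cards that touched this merchant
    lift: float         # merchant fraud rate divided by the baseline fraud rate
    first_seen: date    # earliest fraud-card visit: a floor on the exposure window


def common_points_of_purchase(txns: Iterable[Txn], fraud_cards: Set[str],
                              window_start: date, min_cards: int = 3,
                              min_lift: float = 2.0) -> List[Hit]:
    """Rank merchants shared by the fraud cards; thresholds are assumptions."""
    cards_at: Dict[str, Set[str]] = defaultdict(set)
    first_fraud_at: Dict[str, date] = {}
    all_cards: Set[str] = set()
    for t in txns:
        if t.when < window_start:
            continue  # outside the lookback window
        cards_at[t.merchant].add(t.card)
        all_cards.add(t.card)
        if t.card in fraud_cards:
            prev = first_fraud_at.get(t.merchant)
            if prev is None or t.when < prev:
                first_fraud_at[t.merchant] = t.when
    if not all_cards:
        return []
    base_rate = len(fraud_cards & all_cards) / len(all_cards)
    hits = []
    for merchant, cards in cards_at.items():
        fraud_here = cards & fraud_cards
        if len(fraud_here) < min_cards:
            continue  # one or two cards is coincidence, not a pattern
        rate = len(fraud_here) / len(cards)
        lift = rate / base_rate if base_rate else float("inf")
        if lift < min_lift:
            continue  # popular merchant, but no more fraud than anywhere else
        hits.append(Hit(merchant, len(fraud_here), len(cards),
                        round(len(fraud_here) / len(fraud_cards), 2),
                        round(lift, 2), first_fraud_at[merchant]))
    hits.sort(key=lambda h: (-h.fraud_cards, -h.lift))
    return hits


# Constructed sample: five confirmed-fraud cards (c1..c5), ten clean ones.
FRAUD_CARDS = {"c1", "c2", "c3", "c4", "c5"}
SAMPLE_TXNS = [
    Txn("c1", "DAIRY QUEEN #1 IN", date(2014, 6, 3)),
    Txn("c2", "DAIRY QUEEN #1 IN", date(2014, 6, 10)),
    Txn("c3", "DAIRY QUEEN #1 IN", date(2014, 7, 2)),
    Txn("c4", "DAIRY QUEEN #1 IN", date(2014, 7, 19)),
    Txn("c6", "DAIRY QUEEN #1 IN", date(2014, 8, 5)),    # clean card, same store
    Txn("c5", "DAIRY QUEEN #2 KY", date(2014, 8, 1)),    # one fraud card: too few to call
    Txn("c10", "DAIRY QUEEN #1 IN", date(2014, 5, 20)),  # before the window, ignored
    *[Txn(c, "GROCER A", date(2014, 7, 8))               # everyone shops here
      for c in ("c1", "c2", "c3", "c6", "c7", "c8", "c9", "c10", "c11")],
    *[Txn(c, "GAS STATION B", date(2014, 7, 15)) for c in ("c3", "c7", "c8")],
    *[Txn(c, "PHARMACY C", date(2014, 7, 22)) for c in ("c12", "c13", "c14", "c15")],
]


def demo() -> List[Hit]:
    """CPP over the constructed sample with a window opening 1 June 2014."""
    return common_points_of_purchase(SAMPLE_TXNS, FRAUD_CARDS, date(2014, 6, 1))
```

On the sample, `demo()` returns a single hit for `DAIRY QUEEN #1 IN`: four of the five fraud cards were used there, the store's fraud rate is 2.4 times the baseline, and the earliest fraud-card visit is 3 June. The grocer shares three fraud cards too, but its fraud rate matches the baseline, so the lift check drops it; the second Dairy Queen has only one fraud card and is left for a later pass once more reports arrive. In practice the window, the minimum card count and the lift threshold are tuned against the issuer's own portfolio, and the output is a lead for the merchant-acquirer conversation, not proof of a breach.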

On Friday, Aug. 22, KrebsOnSecurity spoke with Dean Peters, director of communications for the Minneapolis-based fast food chain. Peters said the company had heard no reports of card fraud at individual DQ locations, but he stressed that nearly all Dairy Queen stores were independently owned and operated. When asked whether DQ had any sort of requirement that its franchisees notify the company in the event of a security breach or problem with their card processing systems, Peters said no.

“At this time, there is no such policy,” Peters said. “We would assist them if [any franchisees] reached out to us about a breach, but so far we have not heard from any of our franchisees that they have had any kind of breach.”

Julie Conroy, research director at the advisory firm Aite Group, said nationwide companies like Dairy Queen should absolutely have breach notification policies in place for franchisees, if for no other reason than to protect the integrity of the company’s brand and public image.

“Without question this is a brand protection issue,” Conroy said. “This goes back to the eternal challenge with all small merchants. Even with companies like Dairy Queen, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don’t think they’re a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they’re not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule.”

DEJA VU ALL OVER AGAIN?

The situation apparently developing with Dairy Queen is reminiscent of similar reports last month from multiple banks about card fraud traced back to dozens of locations of Jimmy John’s, a nationwide sandwich shop chain that also is almost entirely franchisee-owned. Jimmy John’s has said it is investigating the breach claims, but so far it has not confirmed reports of card breaches at any of its 1,900+ stores nationwide.

The DHS/Secret Service advisory.

Rumblings of a card breach involving at least some fraction of Dairy Queen’s 4,500 domestic, independently-run stores come amid increasingly vocal warnings from the U.S. Department of Homeland Security and the Secret Service, which last week said that more than 1,000 American businesses had been hit by malicious software designed to steal credit card data from cash register systems.

In that alert, the agencies warned that hackers have been scanning networks for point-of-sale systems with remote access capabilities (think LogMeIn and pcAnywhere), and then installing malware on POS devices protected by weak and easily guessed passwords. The alert noted that at least seven point-of-sale vendors/providers confirmed they have had multiple clients affected.

Around the time that the Secret Service alert went out, UPS Stores, a subsidiary of the United Parcel Service, said that it scanned its systems for signs of the malware described in the alert and found security breaches that may have led to the theft of customer credit and debit data at 51 UPS franchises across the United States (about 1 percent of its 4,470 franchised center locations throughout the United States). Incidentally, the way UPS handled that breach disclosure — clearly calling out the individual stores affected — should stand as a model for other companies struggling with similar breaches.

In June, I wrote about a rash of card breaches involving car washes around the nation. The investigators I spoke with in reporting that story said all of the breached locations had one thing in common: They were all relying on point-of-sale systems that had remote access with weak passwords enabled.

My guess is that some Dairy Queen locations owned and operated by a particular franchisee group that runs multiple stores have experienced a breach, and that this incident is limited to a fraction of the total Dairy Queen locations nationwide. Unfortunately, without better and more timely reporting from individual franchises to the DQ HQ, it may be a while yet before we find out the whole story. In the meantime, DQ franchises that haven’t experienced a card breach may see their sales suffer as a result.

CARD BLIZZARD BREWING?

Last week, this publication received a tip that a well-established fraud shop in the cybercrime underground had begun offering a new batch of stolen cards that was indexed for sale by U.S. state. The type of card data primarily sold by this shop — known as “dumps” — allows buyers to create counterfeit copies of the cards so that they can be used to buy goods (gift cards and other easily-resold merchandise) from big box retailers, dollar stores and grocers.

Increasingly, fraudsters who purchase stolen card data are demanding that cards for sale be “geolocated” or geographically indexed according to the U.S. state in which the compromised business is located. Many banks will block suspicious out-of-state card-present transactions (especially if this is unusual activity for the cardholder in question). As a result, fraudsters tend to prefer purchasing cards that were stolen from people who live near them.

This was an innovation made popular by the core group of cybercrooks responsible for selling cards stolen in the Dec. 2013 breach at Target Corp, which involved some 40 million compromised credit and debit cards. The same fraudsters would repeat and refine that innovation in selling tens of thousands of cards stolen in February 2014 from nationwide beauty products chain Sally Beauty.

This particular dumps shop pictured to the right appears to be run by a completely separate fraud group than the gang that hit Target and Sally Beauty. Nevertheless, just this month it added its first new batch of cards that is searchable by U.S. state. Two different financial institutions contacted by KrebsOnSecurity said the cards they acquired from this shop under this new “geo” batch name all had been used recently at different Dairy Queen locations.

The first batch of state-searchable cards at this particular card shop appears to have first gone on sale on Aug. 11, and included slightly more than 1,000 cards. The second batch debuted a week later and introduced more than twice as many stolen cards. A third bunch of more than 5,000 cards from this batch went up for sale early this morning.

An ad in the shop pimping a new batch of geo-located cards apparently stolen from Dairy Queen locations.

The Hacker Factor Blog: CACC Recap

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I’m finally back from the Crimes Against Children Conference (CACC) and caught up from a week’s worth of out-of-office backlog.

CACC is a really fascinating conference. The topic is serious, sobering, and definitely not “fun” in the traditional sense. It focuses on child abuse, child exploitation, and related issues. Talks ranged from horrific case studies to setting up a sting operation. (I never thought about it, but the officers waiting behind the door are in a very specific order. The suspect really doesn’t stand a chance when the cops burst through the doorway.) The fun part, to me, is how amazing all of the people at the conference are, how informative the sessions were, and how I literally learned something new everywhere I turned, even at the evening dinner social gathering.

One of the best things I attended was the Forensic Challenge. This was the first year that they did it. They turned a hotel room into a crime scene and let teams work the scene. I was given special permission to sit quietly and observe as one group went through the mocked-up suspect’s apartment. This was way better than anything on TV, and I’m still blown away by everything I saw and learned. For example, one guy interviewed the suspect while the other two tossed the place. They systematically searched everything. One guy started off dropping to the floor and looking under the furniture before checking everything. The end result looked like a tornado went through the scene.

Afterwards, I asked if real crime scenes look as ransacked after being searched. “No,” said the veteran officer who ran the challenge. “This team put stuff back.” (The team that I observed didn’t win, but they did better than most teams and they weren’t even LEOs!)

What am I doing here?

Speakers at CACC are by invitation-only. Last year I was invited to give a talk. This year, I was asked to give four hands-on training sessions.

Some of the conference’s training sessions went for a half-day or a full-day, and most went really deep into their topic. I decided to take a different route and ended up giving an overview: “In 90 minutes I will not make you an expert on digital photo analysis. But I will give you an idea about what can be done and give you a little hands-on experience.”

Understanding digital photo analysis is critical for people who investigate child-related abuses. Telling real photos from computer graphics can make the difference between a conviction and a walk. In some cases, being able to quickly pull information out of pictures can mean the difference between life and death. My tools and methods are specifically designed to speed up the analysis process, rapidly extract critical details, and allow the analyst to accurately reach the correct conclusion with a high degree of confidence.

There will be a quiz

Even though I practiced this talk for months, I was still concerned about the timing. I knew that I had way too much material for the scheduled time. Worse: I didn’t get the chance to practice in front of a live audience. The first time I actually gave this presentation to a large group was when I walked into the first training session. Yet, the first class ended at exactly 90 minutes. The second class was a little rushed (lots of people had computer troubles at the beginning and that ate nearly 10 minutes), but it still ended on time. And the last two classes were right on schedule. (Whew!)

I did include one surprise in my presentation, just to check their understanding. At the beginning of each class, I showed them a few pictures and asked if they trusted their eyes. Some pictures were real, some were digitally enhanced, and some were completely computer generated. At the end of the talk, I assigned those same pictures to the class (one picture per row of desks) and gave them exactly three minutes to evaluate their assigned image. (Why three minutes? Many photo analysis tools can take hours for an investigator to evaluate results. With my system, a trained person can evaluate a typical photo in under a minute and achieve a high-confidence result. But these students are not fully trained, so I gave them a few extra minutes. Literally: you have three minutes to evaluate one photo.)

After the allotted time, I asked each table for their results. “Table 1: Is that real, digitally enhanced or computer generated?” Someone would shout back “Fake!” I’d then ask “How do you know?” and they would tell me which analyzers and what they saw. I’d do exactly what they said on the big screen and elaborated on the results.

I had been warned that the first training session of the conference would likely be the most alert since everyone was fully rested. But really, the first class stunned me. As a whole, they nailed the pop quiz. The first class even had multiple people per table describing what they found. Despite the fact that I went very quickly through each section, they still understood it enough to ace the quiz.

The second class was right after lunch, so I expected them to be a little lethargic. They got most of the important observations. The other two classes were on the last day of the conference — after a week of lectures and a big late-night social event. Both classes thought that three minutes was not long enough but still did well. (Not bad for covering six complex topics with about 10 minutes per section, and then only giving them three minutes to apply what they learned.)

Heuristics and Results

The conference ended on Thursday, but I’ve already begun to hear from people who attended my training classes. Each class had between 25 and 35 people, and I’m thrilled that people found value in my training sessions.

For myself, I took away a lot of ideas. With a little research and work, things I learned from talks on psychology and behavioral analysis may be applicable to digital photo forensics. Even little observations made jokingly over dinner may end up forming valuable heuristics or statistical models. I left the conference with three pages of notes about potential research projects. With any luck, a few will even become future blog topics.

TorrentFreak: Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

BitTorrent is one of the fastest and most efficient ways to share large files over the Internet. The popular file-sharing protocol is used by tens of millions of people every day and accounts for a substantial amount of total Internet traffic.

This popularity makes BitTorrent an interesting target for attacks, which various anti-piracy companies have shown in the past. One of these possible attacks was recently unveiled by Florian Adamsky, researcher at the City University London.

In an article published in “Computers & Security” Adamsky and his colleagues reveal an exploit which allows attackers to get a higher download rate from seeders than other people.

In technical terms, the exploit misuses BitTorrent’s choking mechanism of clients that use the “Allowed Fast” extension. Attackers can use this to keep a permanent connection with seeders, requesting the same pieces over and over.

The vulnerability was extensively tested in swarms of various sizes, and the researchers found that as few as three malicious peers can already slow download times by up to 414.99%. The larger the number of attackers relative to the number of seeders, the worse the effect becomes.

The impact of the attack further depends on the download clients being used by the seeders in the swarm. The mainline BitTorrent clients and uTorrent are not vulnerable for example, while Vuze, Transmission and Libtorrent-based clients are.

TorrentFreak spoke with Adamsky who predicts that similar results are possible in real swarms. Even very large swarms of more than 1,000 seeders could be affected through a botnet, although it’s hard to predict the precise impact.

“If an attacker uses a botnet to attack the swarm, I think it would be possible to increase the average download time of all peers [of swarms with 1,000 seeders] up to three times,” Adamsky tells us.

“If most of the clients would have a vulnerable client like Vuze or Transmission it would be possible to increase the average download time up to ten times,” he adds.

In their paper the researchers suggest a relatively easy fix to the problem, through an update of the “Allowed Fast” extension. In addition, they also propose a new seeding algorithm that is less prone to these and other bandwidth attacks.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: QUANTUM Technology Sold by Cyberweapons Arms Manufacturers

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last October, I broke the story about the NSA’s top secret program to inject packets into the Internet backbone: QUANTUM. Specifically, I wrote about how QUANTUMINSERT injects packets into existing Internet connections to redirect a user to an NSA web server codenamed FOXACID to infect the user’s computer. Since then, we’ve learned a lot more about how QUANTUM works, and general details of many other QUANTUM programs.

These techniques make use of the NSA’s privileged position on the Internet backbone. It has TURMOIL computers directly monitoring the Internet infrastructure at providers in the US and around the world, and a system called TURBINE that allows it to perform real-time packet injection into the backbone. Still, there’s nothing about QUANTUM that anyone else with similar access can’t do. There’s a hacker tool called AirPwn that basically performs a QUANTUMINSERT attack on computers on a wireless network.

A new report from Citizen Lab shows that cyberweapons arms manufacturers are selling this type of technology to governments around the world: the US DoD contractor CloudShield Technologies, Italy’s Hacking Team, and Germany’s and the UK’s Gamma International. These programs intercept web connections to sites like Microsoft and Google — YouTube is specially mentioned — and inject malware into users’ computers.

Turkmenistan paid a Swiss company, Dreamlab Technologies — somehow related to the cyberweapons arms manufacturer Gamma International — just under $1M for this capability. Dreamlab also installed the software in Oman. We don’t know what other countries have this capability, but the companies here routinely sell hacking software to totalitarian countries around the world.

There’s some more information in this Washington Post article, and this essay on the Intercept.

In talking about the NSA’s capabilities, I have repeatedly said that today’s secret NSA programs are tomorrow’s PhD dissertations and the next day’s hacker tools. This is exactly what we’re seeing here. By developing these technologies instead of helping defend against them, the NSA — and GCHQ and CESG — are contributing to the ongoing insecurity of the Internet.

Related: here is an open letter from Citizen Lab’s Ron Deibert to Hacking Team about the nature of Citizen Lab’s research and the misleading defense of Hacking Team’s products.

Krebs on Security: How Secure is Your Security Badge?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Security conferences are a great place to learn about the latest hacking tricks, tools and exploits, but they also remind us of important stuff that was shown to be hackable in previous years yet never really got fixed. Perhaps the best example of this at last week’s annual DefCon security conference in Las Vegas came from hackers who built on research first released in 2010 to show just how trivial it still is to read, modify and clone most HID cards — the rectangular white plastic “smart” cards that organizations worldwide distribute to employees for security badges.

HID iClass proximity card.

Nearly four years ago, researchers at the Chaos Communication Congress (CCC), a security conference in Berlin, released a paper (PDF) demonstrating a serious vulnerability in smart cards made by Austin, Texas-based HID Global, by far the largest manufacturer of these devices. The CCC researchers showed that the card reader device that HID sells to validate the data stored on its then-new line of iClass proximity cards includes the master encryption key needed to read data on those cards.

More importantly, the researchers proved that anyone with physical access to one of these readers could extract the encryption key and use it to read, clone, and modify data stored on any HID cards made to work with those readers.

At the time, HID responded by modifying future models of card readers so that the firmware stored inside them could not be so easily dumped or read (i.e., the company removed the external serial interface on new readers). But according to researchers, HID never changed the master encryption key for its readers, likely because doing so would require customers using the product to modify or replace all of their readers and cards — a costly proposition by any measure given HID’s huge market share.

Unfortunately, this means that anyone with a modicum of hardware hacking skills, an eBay account, and a budget of less than $500 can grab a copy of the master encryption key and create a portable system for reading and cloning HID cards. At least, that was the gist of the DefCon talk given last week by the co-founders of Lares Consulting, a company that gets hired to test clients’ physical and network security.

Lares’ Joshua Perrymon and Eric Smith demonstrated how an HID parking garage reader capable of reading cards up to three feet away was purchased off of eBay and modified to fit inside of a common backpack. Wearing this backpack, an attacker looking to gain access to a building protected by HID’s iClass cards could obtain that access simply by walking up to an employee of the targeted organization and asking for directions, a light of a cigarette, or some other pretext.

Card cloning gear fits in a briefcase. Image: Lares Consulting.

Perrymon and Smith noted that, thanks to software tools available online, it’s easy to take card data gathered by the mobile reader and encode it onto a new card (also broadly available on eBay for a few pennies apiece). Worse yet, the attacker is then also able to gain access to areas of the targeted facility that are off-limits to the legitimate owner of the card that was cloned, because the ones and zeros stored on the card that specify that access level also can be modified.

Smith said he and Perrymon wanted to revive the issue at DefCon to raise awareness about a widespread vulnerability in physical security.  HID did not respond to multiple requests for comment.

“Until recently, no one has really demonstrated properly what the risk is to a business here,” Smith said. “SCADA installations, hospitals, airports…a lot of them use HID cards because HID is the leader in this space, but they’re using compromised technology. Your card might not have data center or HR access but I can get into those places within your organization just by coming up to some employee standing outside the building and bumming a light off of him.”

Organizations that are vulnerable have several options. Probably the cheapest involves the use of some type of sleeve for the smart cards. The wireless communications technology that these cards use to transmit data — called radio-frequency identification or RFID — can be blocked when not in use by storing the key cards inside a special RFID-shielding sleeve or wallet. Of course, organizations can replace their readers with newer (perhaps non-HID?) technology, and/or add biometric components to card readers, but these options could get pricey in a hurry.

A copy of the slides from Perrymon and Smith’s DefCon talk is available here.

Krebs on Security: Q&A on the Reported Theft of 1.2B Email Accounts

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

My phone and email have been flooded with questions and interview requests from various media outlets since security consultancy Hold Security dropped the news that a Russian gang has stolen more than a billion email account credentials. Rather than respond to each of these requests in turn, allow me to add a bit of perspective here in the most direct way possible: The Q&A.

Q: Who the heck is Alex Holden?

A: I’ve known Hold Security’s Founder Alex Holden for nearly seven years. Coincidentally, I initially met him in Las Vegas at the Black Hat security convention (where I am now). Alex is a talented and tireless researcher, as well as a forthright and honest guy. He is originally from Ukraine, and speaks/reads Russian and Ukrainian fluently. His research has been central to several of my big scoops over the past year, including the breach at Adobe that exposed tens of millions of customer records.

Q: Is this for real?

A: Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors.

Q: Ok, but more than a billion credentials? That seems like a lot.

A: For those unfamiliar with the operations of large-scale organized crime syndicates, yes, it does. Unfortunately, there are more than a few successful cybercrooks who are quite good at what they do, and do it full-time. These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

One micro example of this: Last year, I wrote about a botnet that enslaved thousands of hacked computers which disguised itself as a legitimate add-on for Mozilla Firefox and forced infected PCs to scour Web sites for SQL vulnerabilities.

Q: What would a crime network even do with a billion credentials?

A: Spam, spam and….oh, spam. Junk email is primarily sent in bulk using large botnets — collections of hacked PCs. A core component of the malware that powers these crime machines is the theft of passwords that users store on their computers and the interception of credentials submitted by victims in the process of browsing the Web. It is quite common for major spammers to rely on lists of billions of email addresses for distributing their malware and whatever junk products they are getting paid to promote.

Another major method of spamming (called “Webspam”) involves the use of stolen email account credentials — such as Gmail, Yahoo and Outlook — to send spam from victim accounts, particularly to all of the addresses in the contacts list of the compromised accounts.

Spam is such a core and fundamental component of any large-scale cybercrime operation that I spent the last four years writing an entire book about it, describing how these networks are created, the crooks that run them, and the cybercrime kingpins who make it worth their while. More information about this book and ways to pre-order it before its release in November is available here.

Q: Should I be concerned about this? 

A: That depends. If you are the type of person who re-uses passwords at multiple sites — including email accounts — then the answer is yes. If you re-use your email password at another site and that other site gets hacked, there is an excellent chance that cyber crooks are plundering your inbox and using it to spam your friends and family to spread malware and to perpetuate the cybercrime food chain.

For a primer that attempts to explain the many other reasons that crooks might want to hack your inbox, your inbox’s relative market value, and what you can do to secure it, please see The Value of a Hacked Email Account and Tools for a Safer PC.

Got more questions? Sound off in the comments section and I’ll try to address them when time permits.

Update: As several readers have pointed out, I am listed as a special advisor to Hold Security on the company’s Web site. Mr. Holden asked me to advise him when he was setting up his company, and asked if he could list me on his site. However, I have and will not receive any compensation in any form for said advice (most of which, for better or worse, so far has been ignored).

Your email account may be worth far more than you imagine.

Raspberry Pi: Mathematica 10 – now available for your Pi!

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Liz: If you use Raspbian, you’ll have noticed that Mathematica and the Wolfram Language come bundled for free with your Raspberry Pi. (A little boast here: we were only the second computer ever on which Mathematica has been included for free use as standard. The first? Steve Jobs’s NeXT, back in 1988.) 

Earlier in July, Wolfram Research announced a big update to Mathematica, with the introduction of Mathematica 10. Here’s a guest post announcement from Arnoud Buzing at Wolfram about what the new Mathematica will offer those of you who use it on your Raspberry Pi. Over to you, Arnoud!

In July, we released Mathematica 10, a major update to Wolfram’s flagship desktop product. It contains over 700 new functions, and improvements to just about every part of the system.

Today I am happy to announce an update for Mathematica and the Wolfram Language for the Raspberry Pi, which bring many of those features to the Raspberry Pi.

To get this new version of the Wolfram Language, simply run this command in a terminal on your Raspberry Pi:

sudo apt-get update && sudo apt-get install wolfram-engine

This new version will also come pre-installed in the next release of NOOBS, the easy set-up system for the Raspberry Pi.

If you have never used the Wolfram Language on the Raspberry Pi, then you should try our new fast introduction for programmers, which is a quick and easy way to learn to program in this language. This introduction covers everything from using the interactive user interface, basic evaluations and expressions, to more advanced topics such as natural language processing and cloud computation. You’ll also find a great introduction to the Wolfram Language in the Raspberry Pi Learning Resources.

This release of the Wolfram Language also includes integration with the newly released Wolfram Cloud. This technology allows you to do sophisticated computations on a remote server, using all of the knowledge from Wolfram|Alpha and the Wolfram Knowledgebase. It lets you define custom computations and deploy them as an “instant API” on the cloud. The Wolfram Cloud is available with a free starter account, and has additional non-free accounts which enable additional functionality.

Check the Wolfram Community in the next couple of weeks for new examples which show you how to use the Wolfram Language with your Raspberry Pi.

Schneier on Security: The Fundamental Insecurity of USB

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is pretty impressive:

Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer.

These are exactly the sorts of attacks the NSA favors.

Raspberry Pi: Sonic Pi Competition

This post was syndicated from: Raspberry Pi and was written by: Carrie Anne Philbin. Original post: at Raspberry Pi

Coding music on a Raspberry Pi with Sonic Pi has quickly become a great way to learn programming concepts and to pump out some thumping beats. Last year I worked with Dr Sam Aaron, live coder and academic at the University of Cambridge, to teach KS3 pupils text-based programming on Raspberry Pis as part of their ICT & Computing lessons. Since then Sonic Pi has proved incredibly popular in classrooms worldwide. The scheme of work we used is available for free in the ‘Teach’ section of our resources for any educator wanting to teach computer programming in a fun way.

Since our classroom collaboration, Sam has been busy working on Sonic Pi version 2.0 and together we have been wowing attendees of Picademy with the potential of Sonic Pi for the classroom. We have also been working on Sonic Pi: Live & Coding, a digital research project to turn a Raspberry Pi into a musical instrument with Sonic Pi, working with schools, artists, academics and the Cambridge Junction, which will culminate in a Sonic Pi: Live & Coding Summit this November. In fact, this week at the Cambridge Junction, 60 children have been participating in the project, having coding music battles, and jamming with musicians.

Push Sam’s buttons and watch his eyes pop at Sonic Pi Live and Coding!

To coincide with the summit, we will be launching a Sonic Pi: Live & Coding competition in September to find the best original sonic pi composition created by a child or young person in three age categories. We will have a significant number of Raspberry Pis to give away at random for those who take part, and the semi-finalists of the competition will be invited to perform their original work live at the summit in November in front of an audience and panel of judges to potentially be crowned the first ever Sonic Pi Competition winner!

So what are you waiting for? Download Sonic Pi version 2 for your Raspberry Pi by following these instructions, and then take a look at the Sonic Pi 2 article by Sam in the MagPi magazine, and our new Sonic Pi Version 2 Getting Started resource. Take this opportunity to practice and get a head start on the competition!

Get your practice in for the Sonic Pi version 2 competition with our new resource.

TorrentFreak: Google Protects Chilling Effects From Takedown Notices

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Each week many millions of DMCA-style copyright notices are sent to sites and services around the planet. Initially the process flew almost entirely under the radar, with senders and recipients dealing with complaints privately.

In 2001, that began to change with the advent of Chilling Effects, an archive created by activists who had become concerned that increasing volumes of cease-and-desist letters were having a “chilling effect” on speech.

In the decade-and-a-third that followed the archive grew to unprecedented levels, with giants such as Google and Twitter routinely sending received notices to the site for public retrieval.

However, while Chilling Effects strives to maintain free speech, several times a month rightsholders from around the world (probably unintentionally) try to silence the archive in specific ways by asking Google to de-index pages from the site.

As can be seen from the tables below, Home Box Office has tried to de-index Chilling Effects pages 240 times, with Microsoft and NBC Universal making 99 and 65 attempts respectively.

The ‘problem’ for these copyright holders is two-fold. Firstly, Chilling Effects does indeed list millions of URLs that potentially link to infringing content. That does not sit well with copyright holders.

“Because the site does not redact information about the infringing URLs identified in the notices, it has effectively become the largest repository of URLs hosting infringing content on the internet,” the Copyright Alliance’s Sandra Aistars complained earlier this year.

However, what Aistars omits to mention is that Chilling Effects has a huge team of lawyers under the hood who know only too well that their archive receives protection under the law. Chilling Effects isn’t a pirate index, it’s an educational, informational, research resource.

Thanks to Google, which routinely throws out all attempts at removing Chilling Effects URLs from its indexes, we are able to see copyright holder attempts at de-indexing.

Earlier this month, for example, Wild Side Video and their anti-piracy partners LeakID sent this notice to Google aiming to protect their title “Young Detective Dee.” As shown below, the notice contained several Chilling Effects URLs.

Each URL links to other DMCA notices on Chilling Effects, each sent by rival anti-piracy outfit Remove Your Media on behalf of Well Go USA Entertainment. They also target “Young Detective Dee”. This is an interesting situation that offers the potential for an endless loop, with the anti-piracy companies reporting each others’ “infringing” links on Chilling Effects in fresh notices, each time failing to get them removed.

The seeds of the “endless loop” phenomenon were also experienced by HBO for a while, with the anti-piracy company sending notices (such as this one) targeting dozens of Chilling Effects pages listing notices previously sent by the company.

While publishing notices is entirely legal, the potential for these loops really angers some notice senders.

On April 10 this year a Peter Walley sent a notice to Google complaining that his book was being made available on a “pirate site” without permission. Google removed the link in its indexes but, as is standard practice, linked to the notice on Chilling Effects. This enraged Walley.

None of these rantings had any effect, except to place yet another notice on Chilling Effects highlighting where the infringing material could be found.

It’s a lesson others should learn from too.

SANS Internet Storm Center, InfoCON: green: “Internet scanning project” scans, (Sat, Jul 26th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

A reader, Greg, wrote in with a query on another internet scanning project. He checked out the IP address and it led to a web site, www[.]internetscanningproject.org, which states:

“Hello! You’ve reached the Internet Scanning Project.

We’re computer security researchers performing periodic Internet-wide health assessments.

If you reached this site because of activity you observed on your network:

We apologize for any concern caused by our network activity. We are not specifically targeting your network.

We have not attempted to unlawfully access or abuse your network in any way. We are exclusively accessing publicly available servers, we respect all authentication barriers, and (as you can see) we have made no attempt to hide our activity.

This effort is part of a research project in which we are engaged, with a view to possibly contributing to public Internet health datasets. We believe research of this sort is both legal and beneficial to the security of the Internet as a whole.

However, if you wish to be excluded from our scanning efforts after reading the clarifying information below, please email us with IP addresses or CIDR blocks to be added to our blacklist.”

It does not provide any information or assurances that this is a legitimate research project, and I wouldn’t want to be sending information to unknown people via an unattributable web site. The normal low-level open source searching doesn’t reveal anything of use or attribution either. It does, however, bring up a fair number of hits from people asking what these scans are and the best way to block them.

It appears this scanning has been running for a couple of weeks and has been using multiple IP addresses (see https://isc.sans.edu/topips.txt for some examples). A curious point, for a “legitimate” scan, is that they have started changing the User-Agent frequently, in some cases to very odd, nonsensical strings. The core scans are against TCP ports 21, 22 and 443, and the 443 scans may trigger alerts for probing for the Heartbleed bug.
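As an added example (not part of the ISC diary), here is a small Python heuristic for spotting this behaviour in your own web server logs: it groups combined-format access log lines by client IP and flags any client that presents several different User-Agent strings within a short window. The log lines, the IP addresses (taken from the RFC 5737 documentation ranges) and the User-Agent strings are constructed for the example.

```python
"""Flag clients that rotate their User-Agent string in web server logs.

Added example, not part of the ISC diary. A browser keeps one User-Agent
for a session; a scanner that changes it per request, as the diary
describes, stands out once requests are grouped by source address.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: 203.0.113.7 and 198.51.100.5 are RFC 5737
# documentation addresses and the User-Agent strings are made up.
SAMPLE_LINES = [
    '203.0.113.7 - - [26/Jul/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; scanner/1.0)"',
    '203.0.113.7 - - [26/Jul/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "xkqz 9981"',
    '203.0.113.7 - - [26/Jul/2014:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "pqpqpqpq"',
    '203.0.113.7 - - [26/Jul/2014:10:05:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.5 - - [26/Jul/2014:10:01:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
    '198.51.100.5 - - [26/Jul/2014:10:01:11 +0000] "GET /style.css HTTP/1.1" 200 1834 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
    '198.51.100.5 - - [26/Jul/2014:10:01:12 +0000] "GET /logo.png HTTP/1.1" 200 4410 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"',
    'this line is not in combined format and is skipped',
]


def parse_line(line):
    """Return (ip, timestamp, user_agent) or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("ua")


def find_ua_rotators(lines, min_distinct=3, window_s=600):
    """Return {ip: sorted distinct User-Agents} for every client that used
    at least `min_distinct` different User-Agents within `window_s` seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, ua = parsed
            by_ip[ip].append((ts, ua))

    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        # Slide a window starting at each request; flag on the first window
        # that contains enough distinct User-Agent strings.
        for i, (t0, _) in enumerate(hits):
            uas = {ua for t, ua in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(uas) >= min_distinct:
                flagged[ip] = sorted(uas)
                break
    return flagged


if __name__ == "__main__":
    for ip, uas in find_ua_rotators(SAMPLE_LINES).items():
        print(f"{ip}: {len(uas)} distinct User-Agents within 10 minutes")
        for ua in uas:
            print(f"    {ua!r}")
```

Run it against real logs by feeding `find_ua_rotators` the lines of your access log and tuning `min_distinct` and `window_s` to your traffic. A hit is a reason to look closer, not proof of a scanner: a shared NAT egress or a corporate proxy also mixes User-Agents, so check the request targets and timing before adding a block rule.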

Chris Mohan — Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Raspberry Pi: Pi in the Sky: hardware for high-altitude balloonists from Dave Akerman

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Liz: Regular readers will be very familiar with the name Dave Akerman. Dave has been sending Raspberry Pis to the stratosphere under weather balloons since we launched the Pi in 2012, and his work in helping schools develop their own in-house space programs has been fantastic to watch. He and his friend Anthony Stirk have just produced a telemetry add-on board for the Raspberry Pi to help schools (and everybody else) reproduce the sort of spectacular results you’ve seen from him before. Here he is to introduce it: over to you, Dave!

High Altitude Ballooning is an increasingly popular hobby (I nearly said that interest has been “ballooning”, but fortunately I stopped myself just in time …), bringing what is termed “near space” within the reach of pretty much anyone who is willing to put in the effort and spend a moderate amount of money.

moon and sky from stratosphere

Although it’s possible to successfully fly and retrieve a balloon with a simple GSM/GPS tracker, the chances are that this will end in failure and tears. GSM coverage in the UK is nowhere near 100%, especially in rural areas which is where we want (and aim) the flights to land. The next step up, in reliability and price, is a “Spot” tracker which works solely via satellites, but those don’t work if they land upside down. Also, neither of these solutions will tell you how high the flight got, or record any science data (e.g. temperature, pressure), or indeed tell you anything about the flight until they land. If you’re lucky. A lost flight is a sad thing indeed.

pic from stratosphere

For some countries (e.g. USA, but not the UK), if you are a licensed amateur radio operator you can fly an APRS tracker, in which case the flight will be tracked for you via the ground-based APRS network run by other radio hams. Sadly UK laws prohibit radio hams transmitting from an airborne vehicle, so APRS is out for us.

For these reasons, pretty much everyone involved in the hobby in the UK, and many other countries, uses radio trackers operating in an ISM (Industrial, Scientific and Medical) band where airborne usage is allowed. These work throughout the flight, transmitting GPS co-ordinates plus temperature and anything else that you can add a sensor for. Many radio trackers can also send down live images, meaning that you can see what your flight is seeing without having to wait for it to land. Here’s a diagram showing how telemetry from the flight ends up as a balloon icon on a Google map:

tracking system

What’s not shown here is that, provided you tell them, the other balloonists will help track for you. So not only will you be receiving telemetry and images directly via your own radio receiver, but others will too. All received data is collated on a server, so if you do lose contact with the flight briefly then it doesn’t matter. However, this does not mean you can leave the tracking up to others! You’ll need to receive at the launch site (you have to make sure it’s working!) and also in the chase car once it lands. The expense of doing this is small: a TV dongle for £12 or so will do it, with a £15 aerial and a laptop, ideally with a 3G dongle or tethered to a phone.

Traditionally, balloonists build their own radio trackers, and for anyone with the skills or the time and ability to learn programming and some digital electronics, this is definitely the most rewarding route to take. Imagine receiving pictures of the Earth from 30km up, using a piece of kit that you designed and built and programmed! So if you are up to this challenge (and I suspect that most people reading are) then I recommend that you do just that. It takes a while, but during the development you’ll have plenty of time to research other aspects of the hobby (how to predict the flight path, and obtain permission, and fill the balloon, etc.). And when you’re done, you can hold in your hand something that is all your own work and has, to all intents and purposes, been to space.

weather balloon bursting

For some though, it’s just not practical to develop a new tracker. Or you might be a programming whizz, but not know which end of a soldering iron to pick up. It was with these people in mind that we (myself and Anthony Stirk, another high altitude balloonist) developed our “Pi In The Sky” telemetry board. Our principal aim is to enable schools to launch balloon flights with radio trackers, without having to develop the hardware and software first. It is also our hope that older children and students will write their own software, or at least modify the provided (open source) software, perhaps connecting and writing code for extra sensors (the board has an i2c connection for add-ons).

The board and software are based on what I’ve been flying since my first “Pi In The Sky” flight over 2 years ago, so the technology has been very well proven (approximately 18 flights and no losses other than deliberate ones!). So far the board itself has clocked up 5 successful flights, with the released open-source software on 3 of those. Here’s the board mounted to a model B (though we very strongly recommend use of a model A, which consumes less power and weighs less):

Pi in the Sky board

It comes in a kit complete with a GPS antenna, SMA pigtail (from which you can easily make your own radio aerial), stand-offs for a rigid mounting to the Pi board, and battery connectors. Software is on https://github.com/piinthesky, with installation instructions at http://www.pi-in-the-sky.com/index.php?id=support, or there is a pre-built SD card image for the tragically lazy. We do recommend manual installation as you’ll learn a lot.

By now you’re probably itching to buy a board and go fly it next weekend. Please don’t. Well, buy the board by all means, but from the moment you decide that this is the project for you, you should task yourself with finding out all you can about how to make your flight a safe success. For a start, this means learning about applying for flight permission (which, if you want to launch from your garden at the end of an airport runway, isn’t going to be given). Permission is provided together with a NOTAM (NOtice To AirMen) which tells said pilots what/where/when your launch will be, so they can take a different path. You also need to learn about predicting the flight path so that it lands well away from towns or cities or motorways or airports. I hope I don’t need to explain how important all of this is.


There’s lots more to learn about too, for example:

  • How to track the flight
  • How to fill a balloon
  • Where to buy the balloon
  • What size balloon? What size parachute? How to tie it all together?

None of this is complicated (it’s not, ahem “rocket science”), but there is a lot to know. Don’t be surprised if the time between “I’ll do it!” and “Wow, I did it!” is measured in months. Several of them. In fact, worry if it’s less than that – this research takes time. We will be producing some teaching materials, but meantime please see the following links:

As for the board, it provides a number of features borne out of a large number of successful flights:

  • Efficient built-in power regulator providing run time of over 20 hours from 4 AA cells (using a model A Pi)
  • Highly sensitive UBlox GPS receiver approved for altitudes up to 50km
  • Temperature-compensated, frequency-agile, license-free (Europe) 434MHz radio transmitter
  • Temperature sensor
  • Battery voltage monitoring
  • Sockets for external i2c devices, analog input, external temperature sensor
  • Allows use of Raspberry Pi camera
  • Mounting holes and spacers for a solid connection to the Pi

The open-source software provides these features:

  • Radio telemetry with GPS and sensor data using UKHAS standard
  • Radio image download using SSDV standard
  • Multi-threaded to maximize use of the radio bandwidth
  • Variable image size according to altitude
  • Stores full-definition images as well as smaller transmitted images
  • Automatically chooses better images for download
  • Configurable via text file in the Windows-visible partition of the SD card
  • Supplied as github repository with instructions, or SD card image
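As an added example (not code from the Pi In The Sky repository), the following Python builds and checks telemetry sentences in the UKHAS format the board transmits and the tracking chain described above relies on: a `$$` prefix, comma-separated fields (callsign, sentence ID, time, latitude, longitude, altitude, then any custom sensor fields) and a `*` followed by a four-hex-digit CRC-16-CCITT (polynomial 0x1021, initial value 0xFFFF) computed over the text between `$$` and `*`. The callsign, position and sensor values are made up for the example.

```python
"""Build and verify UKHAS-format telemetry sentences.

Added example, not code from the Pi In The Sky project. Sentence layout:

    $$<callsign>,<sentence_id>,<time>,<lat>,<lon>,<alt>[,<custom>...]*<CRC16>\n

The checksum is CRC-16-CCITT (poly 0x1021, init 0xFFFF, no reflection,
no final XOR) over everything between "$$" and "*". All flight values
below are constructed for the example.
"""


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """Bitwise CRC-16-CCITT as used for UKHAS telemetry."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_sentence(callsign, seq, time_str, lat, lon, alt, *extra):
    """Assemble a sentence the way a tracker would before keying the radio."""
    fields = [callsign, str(seq), time_str, f"{lat:.5f}", f"{lon:.5f}", str(alt)]
    fields.extend(str(x) for x in extra)
    body = ",".join(fields)
    return f"$${body}*{crc16_ccitt(body.encode('ascii')):04X}\n"


def parse_sentence(sentence):
    """Return the list of fields if the sentence is well formed and its CRC
    matches, else None. A CRC only catches corruption on the radio link; it
    is not authentication, so anyone who knows the callsign can produce a
    sentence that passes this check."""
    s = sentence.strip()
    if not s.startswith("$$") or "*" not in s:
        return None
    body, _, crc_hex = s[2:].rpartition("*")
    if len(crc_hex) != 4:
        return None
    try:
        expected = int(crc_hex, 16)
    except ValueError:
        return None
    if crc16_ccitt(body.encode("ascii")) != expected:
        return None
    return body.split(",")


if __name__ == "__main__":
    # Constructed flight data: callsign, sequence, time, lat, lon, altitude (m),
    # then a custom field for internal temperature in degrees C.
    sent = build_sentence("PITS", 42, "12:34:56", 51.5, -1.2, 30123, 21.5)
    print(sent, end="")
    print("valid:", parse_sentence(sent))
    # One character flipped in transit: the CRC no longer matches.
    print("corrupted:", parse_sentence(sent.replace("30123", "30124")))
```

The CRC lets a listener discard sentences mangled on the radio link before uploading them to the shared server where everyone's received data is collated. It is an integrity check only, not authentication: anyone who knows a flight's callsign can transmit or upload a sentence that passes it, so treat implausible positions (a jump of tens of kilometres between consecutive sentence IDs) as suspect rather than trusting the checksum alone.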

Finally, anyone interested in high altitude ballooning, using our board or not, should come to the UKHAS Conference on 16th August 2014 at the University of Greenwich. Anthony and I will be presenting our board during the morning sessions, and will run a workshop on the board in the afternoon. For tickets click here.