Posts tagged ‘research’

Schneier on Security: The Security of Various Programming Languages

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Interesting research on the security of code written in different programming languages. We don’t know whether the security is a result of inherent properties of the language, or the relative skill of the typical programmers of that language.

The report.

Krebs on Security: Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past year. The disclosure comes almost a month after the breach was first disclosed by KrebsOnSecurity.

On Mar. 17, 2014, this blog published evidence showing that the Web storefront for French hardware giant LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

The Web site as listed in the control panel of a botnet of hacked ecommerce sites.

The Web site as listed in the control panel of a botnet of hacked ecommerce sites.

In a statement sent to this reporter on Monday, however, Seagate allowed that its investigation had indeed uncovered a serious breach. Seagate spokesman Clive J. Over said the breach may have exposed credit card transactions and customer information for nearly a year beginning March 27, 2013. From his email:

“To follow up on my last e-mail to you, I can confirm that we did find indications that an unauthorized person used the malware you referenced to gain access to information from customer transactions made through LaCie’s website.”

“The information that may have been accessed by the unauthorized person includes name, address, email address, payment card number and card expiration date for transactions made between March 27, 2013 and March 10, 2014. We engaged a leading forensic investigation firm, who conducted a thorough investigation into this matter. As a precaution, we have temporarily disabled the e-commerce portion of the LaCie website while we transition to a provider that specializes in secure payment processing services. We will resume accepting online orders once we have completed the transition.”

Security and data privacy are extremely important to LaCie, and we deeply regret that this happened. We are in the process of implementing additional security measures which will help to further secure our website. Additionally, we sent notifications to the individuals who may have been affected in order to inform them of what has transpired and that we are working closely and cooperatively with the credit card companies and federal authorities in their ongoing investigation.

It is unclear how many customer records and credit cards may have been accessed during the time that the site was compromised; Over said in his email that the company did not have any additional information to share at this time.

As I noted in a related story last month, Adobe ColdFusion vulnerabilities have given rise to a number of high profile attacks in the past. The same attackers who hit LaCie also were responsible for a breach at jam and jelly maker Smuckers, as well as Alpharetta, Ga. based credit card processor SecurePay.

In February, a hacker in the U.K. was charged with accessing computers at the Federal Reserve Bank of New York in October 2012 and stealing names, phone numbers and email addresses using ColdFusion flaws. According to this Business Week story, Lauri Love was arrested in connection with a sealed case which claims that between October 2012 and August 2013, Love hacked into computers belonging to the U.S. Department of Health and Human Services, the U.S. Sentencing Commission, Regional Computer Forensics Laboratory and the U.S. Department of Energy.

According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:

-An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion,Adobe Reader/Acrobat/Photoshop);

-A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll.

-A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.

TorrentFreak: 39% of Film Industry Professionals are Movie & TV Show Pirates

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Reports, research and surveys covering piracy-related issues have been released in their dozens in recent years, with many of them painting a picture of two distinct groups of people – those who illegally download and those who pay for content.

Of course, the reality is that many people who obtain content for free also cheerfully pay for content too. In fact, some studies have found that the entertainment industry’s best customers are also illegal downloaders.

But what if there was evidence to suggest that some of those pirates were actually the very people helping to create movies and TV shows? That’s one of the intriguing findings of a survey carried out by Stephen Follows, a writer and producer with a keen interest in discovering what makes the industry tick.

“Many of the decisions in the film business are based on gut, opinion and gossip so I find it fascinating to research the topics and see what the numbers say,” Follows informs TorrentFreak.

“Piracy seemed like a ready topic to research so I added a few question into a survey I ran of 1,235 film industry professionals. The respondents were all people who had been to one of the three major films markets in the past five years – Cannes, Berlin or the American film Market.”

Follows first set of questions focused on whether the film professionals felt that piracy had affected their business. The responses were then split by industry sector and budgets the professionals work to.

Considering the anti-piracy rhetoric coming out of Hollywood during the past thirty years, it’s perhaps surprising that 53% of all respondents said that piracy had either no effect or a positive effect on their business.


Respondents were from all sectors of the industry including development, production, post-production, sales and distribution, exhibition and marketing. When the responses from each sector are broken down, one can see that respondents in sales and distribution – arguably the role that file-sharing fulfills – say they are most worried by piracy.

survey 2

Turning the tables to discover how the industry professionals are themselves affecting piracy rates couldn’t be approached directly for obvious reasons, so Follows tried a different tactic.

“When it came to researching how many of them actually illegally download movies I felt I needed to be a bit sneaky,” he told TF.

“To one randomly assigned set of participants I presented three statements
about the industry (such as ‘I prefer to watch films on DVD than in the cinema’). I then asked the respondent how many of the three statements they agreed with, but only asking for the combined total (i.e. ‘I agree with two of the three statements’).”

“Then, to a different randomly assigned set I offered the same three statements with the additional statement ‘I have illegally downloaded a TV show or feature film’. By subtracting the average number of agreed-with statements from the average of the control group I was able to calculate the percentage of people who agreed with the additional statement.”


As can be seen from the diagram, 39% of the industry respondents admitted to illegally downloading video content, with 61% claiming never to have done so. Interestingly, respondents working on lower budgets were more likely to have illegally downloaded than those working on big budgets.

“Only 2% of people working on films over $10 million admitted to illegally downloading a film or TV show, compared with 65% of those working on films under $1 million,” Follows explains.

Also of interest is how the percentage of those who admitted illegal downloading fluctuated according to industry sector, with 55% of those in marketing saying they have grabbed movies or TV shows without paying versus zero percent in exhibition (movie theaters).

survey 4

Sales and distribution, the sector that said they’d been most affected by piracy, accounted for the next lowest piracy ‘confession’ rate of 28%.

“These are the middlemen behind the scenes of the industry who negotiate the rights between producers and cinemas/retailers. They are part of the reason why there are so many damned logos at the start of every movie,” Follows explains.

“They have the largest vested interest in stopping piracy as they don¹t have many other reasons for doing what they do (unlike filmmakers who might be wanting to create art/entertainment) and no other source of income, unlike cinemas who make a fortune on Coke/popcorn etc.”

Further reading on Stephen Follows’ research and methodology can be found here and here. A great video he produced for Friends of the Earth can be watched on Vimeo.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

TorrentFreak: YouTube Hurts Music Album Sales, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

youtubesadsmallIn recent years many academics have researched the link between Internet piracy and the revenues of the major music labels, with varying results. Some have concluded that there is no adverse impact of piracy on sales, others argue that there’s a moderate negative relation.

While the music industry and many researchers seek answers in the piracy realm, other drastic changes are too often ignored. The availability of free on-demand music through legal services such as YouTube for example.

Researchers from Fairfield University and the University of Colorado have started to fill this gap with a new study. In their working paper the researchers examine the effect of Warner Music’s 2009 YouTube blackout on the record label’s album sales.

At the time, Warner pulled all their music from the video hosting service due to a licensing dispute. The researchers use this event to compare the sales of Warner’s artists listed in the Billboard Album 200, to those from labels that still had their videos on YouTube.

The results are intriguing, to say the least. After controlling for several variables, such as music genre and album specific characteristics, they found that Warner’s top artists sold many more albums during the blackout.

“We showed that the removal of content from YouTube had a causal impact on album sales by upwards of on average 10,000 units per week for top albums,” the paper reads.

According to the researchers, these results indicate that YouTube doesn’t always serve as a promotional tool as many claim, certainly not for the top artists.

“While a great deal has been said about the potential role of these service in promoting and discovering new artists and music, our results cast some doubt on this widely believed notion, at least with regards to top selling albums [...], they write.

The researchers estimate that for the top albums the total in lost sales because of YouTube equals roughly $1 million per year. This is a significant percentage of the label’s total revenue.

It is hard to say, however, that YouTube is hurting overall revenue, as the advertising revenue it receives from Google also brings in a significant sum of money.

The results, which are largely driven by the top selling albums, suggest that there is no promotional effect of YouTube on album sales. In addition, there is no effect on Google searches for the artists in question either. In other words, YouTube doesn’t mainly hurt album sales.

“Our findings suggest that sales displacement effect can be real without a promotional effect. That is, the people listening on YouTube appear to be, to some extent people who would know about this album anyway, but may not buy it because of YouTube,” the researchers conclude.

The findings are interesting for a variety of reasons. Although they don’t prove that YouTube costs the music industry more than it brings in, it clearly shows that there are more factors that can explain people’s shift in music buying habits than piracy alone.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Linux How-Tos and Linux Tutorials: What is Good LaTeX Editor Software on Linux?

This post was syndicated from: Linux How-Tos and Linux Tutorials and was written by: Linux How-Tos and Linux Tutorials. Original post: at Linux How-Tos and Linux Tutorials

As you may have already read here, LaTeX is an extremely useful document markup language. Whether it is for a research paper, a math homework, a presentation, or a fancy resume, LaTeX is pretty much the go to language. However, its syntax can be a bit confusing at first, and it is recommended, at least […]
Continue reading…

    Read more at Xmodulo

    Krebs on Security: Fact-Checking Experian’s Talking Points

    This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

    In the wake of long-overdue media attention to revelations that a business unit of credit bureau Experian sold consumer personal data directly to an online service that catered to identity thieves, Experian is rightfully trying to explain its side of the story by releasing a series of talking points. This blog post is an attempt to add more context and fact-checking to those talking points.

    Experian has posted several articles on its Web properties that lament the existence of “inaccurate information about Experian circulating in news outlets and other Web sites.”

    “It’s no surprise that cybercrime and data breaches are hot topics for media and bloggers these days,” wrote Gerry Tschopp, senior vice president of public affairs at Experian. “Unfortunately, because of all the attention paid to these topics, we’ve seen some inaccurate information about Experian circulating in news outlets and other Web sites. I want to take a moment to clarify the facts and events.”

    I’ve read this clarification closely, and it seems that Experian’s latest talking points deserve some clarification and fact-checking of their own. Below are Experian’s assertions of the facts (in bold), followed by some supplemental information glossed over by said statements of fact.

    -No Experian database was accessed. The data in question have at all relevant times been owned and maintained, not by Experian, but by a company called US Info Search.

    As all of my stories on this incident have explicitly stated, the government has said the data was not obtained directly from Experian, but rather via Columbus, Ohio-based US Info Search. US Info Search had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the US Info Search data as well as Court Ventures’ data, and vice versa. Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including the proprietor of the identity theft service).

    For its part, US Info Search says Experian’s explanation of the events is based on false statements and misrepresentations, and that the proprietor of the ID theft service paid Experian for his access using large cash payments sent to Experian via wire from Singapore.

    “Experian provided access to records via a gateway that used multiple data sources and the suspect never had access to our service,” US Info Search CEO Marc Martin said in a written statement. “We, like many others, provide data to Experian, who in turn sold data to customers they approved and monitored. Our agreement with Court Ventures and subsequently Experian was to provide information that was being used for identity verification and fraud prevention.

    -Further, Experian’s only involvement was that it purchased the assets of a company, Court Ventures, that provided access to US Info Search’s data to Court Ventures’ customers. Under that contract, customers of Court Ventures, including the criminal in this case, could access US Info Search’s data. This was not an Experian database, and specifically, this was not a credit database.

    Experian has a duty to conduct “due diligence” on companies it wishes to acquire, because it knows that in purchasing a company it will acquire all of the company’s assets — including whatever debts, liabilities or poor decisions the previous owners may have incurred that end up creating problems down the road. Experian wants to blame everyone else, but by its own admission, Experian didn’t conduct proper due diligence on Court Ventures before acquiring the company. Addressing a U.S. Senate committee last December, Experian’s senior vice president of government policy, Tony Hadley, allowed that “during the due diligence process, we didn’t have total access to all the information we needed in order to completely vet that, and by the time we learned of the malfeasance nine months had expired, and the Secret Service came to us and told us of the incident. We were a victim, and scammed by this person.”

    Also, if it wasn’t clear by now, Experian’s PR mantra on this crisis has been that “no Experian database was accessed,” in this fraud. But this mantra draws attention away from the real victim: Consumers whose information was sold by Experian’s company directly to an identity theft service. A critical question to ask to this line of thinking is: Why does it matter whose database it is, if it contains personal info and Experian profited from its sale? 

    -Court Ventures was selling the data in question to the criminal for over a year before Experian acquired the assets of Court Ventures.

    True. Which suggests there should have been plenty of evidence for Experian’s due diligence team to detect fraudulent activity of the sort generated by an identity theft service using its network. Perhaps just as importantly, Court Ventures continued to sell consumer records to the ID theft service for almost 10 months after Experian acquired the company.

    -Furthermore, any implication that there was a breach of 200 million records is entirely false and misleading – while the size of the database may be 200 million, that does not mean the total number of records were accessed.

    This publication has never stated that there was a breach of 200 million records. But it is true that was the first to report on the information contained in government statements made during the guilty plea hearing of Hieu Minh Ngo — the man who admitted to running the identity theft service. In those statements, prosecutors for the U.S. Justice Department stated that Ngo — by virtue of fooling Court Ventures into thinking he was a private investigator – had access to approximately 200 million consumer records. As I have stated previously, however, Ngo had to pay for the records he accessed, and he was running a service that charged customers for each records search they ran.

    A transcript (PDF) of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity shows that his ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data on more than three million Americans.

    Lastly, Experian discontinued the sales of this data immediately upon learning of the problem and worked closely with law enforcement to bring this criminal to justice, (the perpetrator has recently pleaded guilty). We are treating the matter seriously and have filed a lawsuit against the former owners of Court Ventures for permitting the sale of US Info Search’s data to Ngo (the perpetrator), and intend to hold those individuals fully responsible for their conduct in establishing access to the data for an identity thief unbeknownst to Experian.

    If it really was US Info Search — not Court Ventures — whose database was accessed in this scheme, why is Experian suing Court Ventures? [Update, 9:03 P.M.: has a good explanation to this question, which happens to support previous research of mine on why this breach could be far bigger than 3 million Americans).

    Original story:

    Here’s a far more important question that Experian needs to answer: What has the company done to make things right with the Americans whose identities were stolen because of this whole fiasco? 

    Regarding those victims, Experian’s Mr. Hadley stated under oath in front of a U.S. Senate committee that “we know who they are, and we’re going to make sure they’re protected.” But, incredibly, in the very next breath Hadley seemed to suggest that none of the millions of consumers whose data was stolen by Ngo and his identity theft service had experienced any danger of identity theft or were even in need of Experian’s protection.

    “There’s been no allegation that any harm has come, thankfully, in this scam,” Hadley told the committee.

    For his part, US Info Search CEO Martin says it doesn’t appear that Experian is interested in notifying anyone.

    “We have cooperated and assisted the authorities in their investigation and from the onset have urged Experian to make timely notifications,” Martin wrote in an email to KrebsOnSecurity. “In addition, Experian never notified us of the breach as required by state statute, and to date has not cooperated with our investigation, nor provided us with the queries the suspect ran.”

    Experian has declined to answer questions about whether it has lifted a finger to help consumers impacted by this scheme, or to clarify its apparently conflicting statements about whether it believes anyone has been harmed by its (in)action. But then again, what exactly would the company do? Offer them a year’s worth of dubiously valuable credit monitoring services? Oh wait, that’s right, Experian practically invented the hugely profitable credit monitoring industry, whose services are negotiated and purchased en masse virtually every time there is a major consumer data breach. Br’er Rabbit would be so proud.

    In summary, Experian wants you to remember that the consumer data sold to Ngo’s identity theft service didn’t come directly from its database, but merely from the database of a company it owns. But happily, there is no proof that any of Ngo’s customers — who collectively paid Experian $1.9 million to access the data — actually harmed any consumers.

    Readers who find all of this a bit hard to swallow can be forgiven: After all, this version of the facts comes from a company that has been granted a legal right to sell your personal data without your consent (opting out generally requires you to cut through a bunch of red tape and to pay them a fee on top of it). This from a company that is quibbling over which of its business units profited from the sale of consumer records to an identity theft service.

    Source Code in TV and Films: Hello there! I recently I was watching the movie THX 1138 and…

    This post was syndicated from: Source Code in TV and Films and was written by: Source Code in TV and Films. Original post: at Source Code in TV and Films

    Hello there!

    I recently I was watching the movie THX 1138 and suddenly I caught what seems to be FORTRAN code in some parts of this movie. The code I think was specifically written for this movie, because of the name of the statements which describe the qualities of the the main character THX during a physical test. I also did a very short research and I’m sure that the code  found is FORTRAN, or at least the keywords in that picture belong to the language’s syntax.

    Hope I helped you and keep up with this project ;)

    (oh here you can find a gif version I uploaded on postimage)alternative picture

    Krebs on Security: Android Botnet Targets Middle East Banks

    This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

    I recently encountered a botnet targeting Android smartphone users who bank at financial institutions in the Middle East. The crude yet remarkably effective mobile bot that powers this whole operation comes disguised as one of several online banking apps, has infected more than 2,700 phones, and has intercepted at least 28,000 text messages.

    The botnet — which I’ve affectionately dubbed “Sandroid” — comes bundled with Android apps made to look like mobile two-factor authentication modules for various banks, including Riyad Bank, SAAB (formerly the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank.

    The fake Android bank apps employed by this botnet.

    The fake Android bank apps employed by the Sandroid botnet.

    It’s not clear how the apps are initially presented to victims, but if previous such scams are any indication they are likely offered after infecting the victim’s computer with a password-stealing banking Trojan. Many banks send customers text messages containing one-time codes that are used to supplement a username and password when the customer logs on to the bank’s Web site. And that precaution of course requires attackers interested in compromising those accounts to also hack the would-be victim’s phone.

    Banking Trojans — particularly those targeting customers of financial institutions outside of the United States — will often throw up a browser pop-up box that mimics the bank and asks the user to download a “security application” on their mobile phones. Those apps are instead phony programs that merely intercept and then relay the victim’s incoming SMS messages to the botnet master, who can then use the code along with the victim’s banking username and password to log in as the victim.

    Text messages intercepted by the Sandroid botnet malware.

    Some of the 28,000+ text messages intercepted by the Sandroid botnet malware.

    This particular botnet appears to have been active for at least the past year, and the mobile malware associated with it has been documented by both Symantec and Trend Micro. The malware itself seems to be heavily detected by most of the antivirus products on the market, but then again it’s likely that few — if any — of these users are running antivirus applications on their mobile devices.

    In addition, this fake bank campaign appears to have previously targeted Facebook, as well as banks in Australia and Spain, including Caixa Bank, Commonwealth Bank, National Australia Bank, and St. George Bank.

    The miscreant behind this campaign seems to have done little to hide his activities. The same registry information that was used to register the domain associated with this botnet — — was also used to register the phony bank domains that delivered this malware, including,,,,,, and The registrar used in each of those cases was Center of Ukrainian Internet Names.

    I am often asked if people should be using mobile antivirus products. From my perspective, most of these malicious apps don’t just install themselves; they require the user to participate in the fraud. Keeping your mobile device free of malware involves following some of the same steps outlined in my Tools for a Safer PC and 3 Rules primers: Chiefly, if you didn’t go looking for it, don’t install it! If you own an Android device and wish to install an application, do your homework before installing the program. That means spending a few moments to research the app in question, and not installing apps that are of dubious provenance. 

    That said, this malware appears to be well-detected by mobile antivirus solutions. Many antivirus firms offer free mobile versions of their products. Some are free, and others are free for the initial use — they will scan and remove malware for free but charge for yearly subscriptions. Some of the free offerings include AVG, Avast, Avira, Bitdefender, Dr. Web, ESET, Fortinet, Lookout, Norton, Panda Cloud Antivirus, Sophos, and ZoneAlarm.

    Incidentally, the mobile phone number used to intercept all of the text messages is +79154369077, which traces back to a subscriber in Moscow on the Mobile Telesystems network.

    TorrentFreak: Mobile Music Piracy More Popular Than Torrents and Cyberlockers

    This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

    cassetteIn recent years the music industry ‘s battle against piracy mostly focused on torrent sites, cyberlockers and unauthorized MP3 indexes. However, new research from the industry analysis firm NPD Group suggests that a new, much bigger threat, has arrived.

    NPD’s Senior Vice President, Industry Analysis, Russ Crupnick informs us that mobile music piracy through apps has outgrown traditional P2P file-sharing and direct downloads.

    “In terms of the number of internet users doing a variety of music sharing activities, downloading from mobile apps is the most popular,” Crupnick tells TF.

    The data comes from unpublished research, which was the first to include statistics on the usage of mobile apps to download music. Quite surprisingly, mobile piracy comes out on top right away.

    It is estimated that in the United States 27 million people downloaded at least one music track via their mobile over the past year, mostly without permission. This trumps all other forms of online piracy. By comparison, 21 million people used traditional P2P sites such as The Pirate Bay to download music.

    For other media types the results are different, but the findings signal an interesting trend.

    According to NPD mobile apps are, as one would expect, most popular with younger consumers. There are a variety of reasons for the mobile piracy explosion, but the research firm believes that increased usage of smartphones and apps among Millennials is a major driver.

    “My guess is there is an underground buzz network about music apps that is fueled by teens and Millennials,” Crupnick says.

    NPD believes that it’s important for copyright holders and app platforms to work together to tackle this problem. While some people may know that these apps are unauthorized, the fact that they appear in iTunes or Google Play may give them an air of legitimacy.

    “Lots of things on the web are free or ad-supported, including some entertainment content. I’m sure some users are quite aware that there is music that is not legally distributed on these apps, but others may not be as educated,” Crupnick tells us.

    “If it’s on an app store, it must be ‘OK’. This is where the music industry and technology companies have an opportunity and maybe an obligation to work together to make sure consumers understand, and artists get compensated,” he adds.

    These last comments appear to signal a new working territory for the music industry’s anti-piracy initiatives. Until now, there hasn’t been a major campaign against “infringing” apps, but this is bound to change in the near future.

    Whether a crackdown on apps will be enough to counter the current mobile piracy trend has yet to be seen. In addition to pirate apps, several unauthorized MP3 indexes have also developed mobile versions, which will prove much harder to deal with.

    Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

    The Hacker Factor Blog: Locating Pictures

    This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

    There’s a question that I often receive regarding photos: Where was this picture taken? Basically, they have a photo and want to identify the location. This comes up in legal cases, media requests, and just odd photos found online. (With news outlets, they usually follow it up with “and when was it taken?”) Tracking a photo to a location is usually a very difficult problem. Unfortunately, there are no generic or automated solutions.

    However, just because it is a hard problem does not mean it is impossible. (Sometimes it is impossible, but not always.) Usually it just takes time and a dedication to tracking down clues.

    The easy way

    When people think about identifying where a photo was taken, they immediately think about embedded GPS coordinates. And the truth is, if GPS information exists in the picture’s metadata, then that is a great place to begin.

    Unfortunately, very very very few pictures contain GPS information. At FotoForensics, we’re getting close to a half-million unique picture uploads, and only about 1% of them contain GPS metadata. There are reasons that GPS information is so hard to find:

    • Unavailable. GPS data is almost exclusively associated with smartphones. Very few point-and-shoot cameras have built-in GPS.

    • Disabled. For devices with GPS chips, there is usually an option to disable geo-stamping photos. Some devices default to “off” and are never turned on, while others may default to “on” but have users intentionally turn it off. There’s also the GPS system itself; lots of people turn off GPS on their smartphones because it will drain your battery. If your phone’s GPS is disabled then your camera will not include GPS information in the picture.

      There are other ways for a device to geolocate without using GPS. Some smartphones can get a rough estimate using nearby wireless access point identifiers (SSIDs) or by finding nearby cell towers. But to the camera’s function that looks up GPS information, this is all the same. If your device cannot geolocate then there will not be a location recorded with the picture.

    • Stripped. Processing a picture with a graphics program, or uploading it to an online service like Facebook or Twitter, can (and usually will) alter or remove metadata. This includes removing GPS information. Even if the data was there at the beginning, it is not there anymore.

    Of course, even if the GPS information is present, it does not mean it is accurate. I’m sure that people with smartphones have noticed the accuracy issue. When you first turn on the mapping program, it will draw a huge circle on the map. The circle may span a couple of miles. It does not mean that you are in the center of the circle; it’s indicating that you are “somewhere” in that circle — you could be near the center or somewhere along the edge. After a few minutes, the device has time to synchronize and better narrow down the region — denoted with a smaller circle. Eventually it may become a dot that identifies your location to within a few feet.

    With GPS metadata, there are fields for location and accuracy. Unfortunately, most mobile devices only fill out the location data and not the accuracy information. This means that the extremely precise GPS location stored in the metadata may be off by a mile. Even if the GPS location pinpoints a house, you cannot be certain that the photo was taken in that house — it could have been captured a half-mile away.

    Another place to look is in metadata annotations. If the picture came from a media outlet, then there’s probably metadata that identifies “where” the photo was taken, even if it is just a city name. Unfortunately, most online news sites resave images prior to publishing, and that can strip out these annotations.

    Looking Closer

    GPS information and annotations in metadata are nice when they exist. Unfortunately, they may not exist. And even if they are present, they may still not be very accurate or reliable. That means geolocating a photo must rely on the photo’s content. There are different clues in the photo’s content that may help identify the location. Some of these may be very precise (geolocation) while others may help you narrow down a region (geo-fencing), country, or at least rule out some parts of the world.

    The easiest photos are the ones with unique and notable landmarks: statues, distinct buildings, street signs… Even photos of mountain ranges or generic streets may be enough to find the location. If the camera was fairly close to the subject, then you can probably identify the photographer’s position to within a few feet. A long distance shot may narrow it down to an area.

    For very notable objects, such as scenic views, distinct statues, or elements seen at tourist stops, you may be able to find the location by uploading the picture to TinEye or Google Image Search. If other people have photographed the same object from about the same position, then these image search engines may be able to identify other photos from the same spot.

    In my opinion, TinEye is better at finding similar photos, but Google may annotate the search results with a text name or description. In either case, you will probably need to visit the resulting web pages in order to see if any page mentions where the photographer was located. (Knowing that the photo’s content shows “New York City” is not the same as geolocating a photographer who was standing at the foot of the Statue of Liberty.)

    Different cities and countries have different building styles. If you can identify the style, then you may be able to identify where the photo was taken. There’s been a few advances in this research area (for example, PDF). Unfortunately, as far as I know, there are no public image search engines that do this type of matching.

    Usually, you just happen to find someone who recognizes the style and can help narrow down a location. (That’s one of the benefits of turning a photo over to a large social group like Reddit — there is likely someone who will recognize something.) However, even this can be somewhat inaccurate. For example, neighboring countries (e.g., Poland and Germany) can have similar architectural styles. In California, there’s a city called Solvang that looks like Denmark. Most American cities have a “Chinatown” that uses Chinese architecture, and China has rebuilt cities from countries like France and Italy.

    If you cannot identify a city or a country, then you can probably still identify regions to exclude. For example, do you see any text in the photo? If the street signs are only in English, then you are probably not looking at any Asian, African, or middle-Eastern countries. (Non-English speaking countries either do not use English letters or include multiple languages on the signs.)

    Currency can be another great clue. If I see Mexican pesos, then I’m thinking Mexico. Sure, it could be a Spanish-language classroom in the United States, but then other clues would tip you off that it’s a classroom. (Like maybe, desks?) It could also be someone from Mexico who lives in Canada and has decorated his home with trinkets from his homeland. But unless you have a reason to suspect another country, a best-guess is to use what you see. If everything looks like Mexico, then it’s probably Mexico.

    Exclusion cannot tell you where a photo was taken. However, it can help identify where the photo was not taken. (Photo showing a tropical beach? It’s probably not the South Pole or Northern Europe.)

    Picture Time!

    To give you an example of geolocation, consider this photo that was recently trending at FotoForensics:

    My question is: where was this photo taken? Or more specifically, where was the photographer standing and what direction was the photographer facing?

    Sure, you could go to the forum where the picture was being discussed and the city is identified, but let’s assume that you do not have that information. (And anyway, the forum does not tell you the exact location where the photographer was standing or the direction the camera is facing.) In real life, you may have nothing more than a photo; assume that you just have this photo and nothing else. Also, let’s assume that you are like me and you do not know the area and do not recognize the street.

    Here’s how I walked through it to identify the location (your approach may be different):

    1. Metadata. First, let’s go for the easy clues and start with the metadata. Maybe we will get lucky and find GPS coordinates or a textual description. Unfortunately, this picture has no informative metadata. (It’s been stripped, but it was still worth the time to look.)

    2. Search. Using TinEye and Google Image Search turned up no useful results.
    3. License Plates. Someday I hope to have a database of license plate formats (colors, layouts, etc.), but I do not have that today. However, I know that long, rectangular, and yellow (with or without the blue strip on the left) is European. So I can immediately rule out Africa, Asian, Australia, North America, and South America. (While the cars could have been shipped to another country, we go with what it most likely.)
    4. English. All of the text is in English. European and English-only? That’s an island like England, Ireland, or Scotland. It’s not the European mainland. (This is geo-fencing — narrowing down a location to a region or area.)
    5. Bank. Now I can start looking up text. I see an HSBC ATM machine. I know that HSBC is a bank and it’s found in the British Isles. (While HSBC is found in lots of other countries, it does not exclude my current geo-fenced area.)
    6. Store. I do not know what “Waitrose” is, but I can type the word into Google. It turns out, Waitrose is a grocery store in England. That narrows down my search to one of about 300 locations. (I know, 300 seems like a lot, but it’s smaller than “anywhere in the world.”)
    7. Web. The Waitrose corporate website allows you to select a branch. (There’s 339 of them right now.) Each branch contains a small picture of the location. Non-programmers will need to go one-by-one and look at each picture. Fortunately, I’m a programmer. It took me a few minutes to write a small script to harvest all of their store pictures. I thought I would use these thumbnail images to rule out locations. (No red brick. No black awning. Not on a corner…) Instead, I got lucky:

      The green advertisement on the wall in the photo is blue in the thumbnail, and the HSBC ATM is missing, but it’s the same location. According to their corporate headquarters, this is Waitrose Wilmslow.

    8. Address. Unfortunately, the corporate web site does not provide a numerical street address or GPS location. All they say is: “Church Street, Wilmslow, Cheshire, SK9 1AY”. (Not being from England, this looks to me like a description and not a mailing address.) Fortunately, I can type this into Google Maps and find the street. Using Google Street View, I can find the address: 4 Church Street, Wilmslow, England, UK.

      The street view shows me the exact location. The photographer had to be standing in the street, facing North. (Not where the mouse has highlighted the road — the photographer was standing a little to the right.) Even if he was using a telephoto lens, he would still need to be somewhere down the street, facing North.

    Now we have answered the questions. We know where the photographer was standing and the direction the camera was facing.

    Digging Deeper

    Armed with this information, there’s a few other things I can now tell about this photo. For example, the Google Street View shows that there are cameras everywhere. You can even see one in the photo above the “Waitrose” sign. If this photo was showing a crime, then there are cameras that recorded the photographer.

    Looking at the shadows, we can see that they fall to the North (toward the store) and not to the left or right. So this was likely taken in the middle of the day. And is that the photographer reflected in the car’s mirror?

    The corporate web site’s thumbnail was timestamped November 2010 and it lacked the ATM. The Google Street View is timestamped (lower-left) September 2012 and it shows the ATM. So sometime between November 2010 and September 2012, the ATM was installed. This means that the photo was taken sometime after November 2010. If I contacted Waitrose, then I suspect we could narrow down the date based on the advertisements that are visible. While we probably would not find the exact date, I believe that we could narrow it down to a month or less. Together with the camera information (assuming at least one camera on the street still has the pictures available), we can even identify the exact moment — and possibly even watch the photographer come and go.

    With Google Street View, we can even tell a little more about the building. For example, watching the building while moving down the street permits us to see the framed advertisement change. It it a scrolling billboard. The green advertisement in the photo, the blue advertisement in the corporate thumbnail, and the picture seen in the Google Street View could all be part of the same scrolling ad series.

    Using Bing’s street view of the same address (requires Internet Explorer), there is one image that shows part of the green banner scrolling into place. So it is part of the rotation cycle. Unfortunately, Bing doesn’t display any date information related to the street view. However… In the photo’s upper-left corner is a yellow and black sign. This same sign is seen in the Google Street View, but it is not present in the Bing street view. If we knew when that black-and-yellow sign appeared, then we could further narrow down the date range.

    (If we cheat, then we can look at the forum. The posting was made on 21-November-2013, so the date range is November 2010 to 21-November-2013. The person claims to have taken the photo “a few weeks ago”, so that would be October or early November 2013.)

    Needles and Haystacks

    The good news is that many pictures can be geolocated to a specific location. However, there is no generic or automated solution. Right now, every photo is a unique challenge, and some may be very time-consuming.

    (And for the people who really want to know: I think the license plates are real. It’s hard to tell from the photo due to multiple resaves, but the UK permits people to look up the vehicles based on the plate and manufacturer. Both license plates exist and they match the vehicles.)

    Errata Security: A traditional cybersecurity company

    This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

    Picture of the loft, from Space Rogue.
    This is the tradition.

    In the prosecutors’ response to the Weev appeal, they make the snarky claim about Goatse security:

    It is not, to put it mildly, a traditional security research company. The firm’s name is a reference to a notoriously obscene internet shock site. …  Goatse Security’s corporate motto is “gaping holes exposed.” 

    They are wrong. This is traditional, at least for security research companies. We start out as hobbyists having fun, not taking what we do seriously. We start wearing t-shirts and hoodies. Only as we grow older do we realize that people will pay serious money for this, and it becomes our formal job, where we might show up to meetings wearing a suit.
    Take, for example, L0pht Heavy Industries back in the 1990s. This was a hacker collective who rented a loft together, as a place to stick all their computer equipment, sharing a link to the Internet. It was a place to go after work. The name “heavy industries” comes from Japanese anime.
    Their collective started to become a “real” business, with consulting contracts and selling their tool “L0phtcrack”. For some members, it became their day job. They then merged with some entrepreneurs and venture capitalist to form “@Stake”, creating a “real” cybersecurity research and consulting company servicing the Fortune 500. @Stake was then purchased by Symantec.
    Today, former L0pht members are are scattered throughout the cybersecurity industry, often in management positions. “Mudge” became the director of DARPA cybersecurity research. “Weld Pond” and “Dildog” founded a new startup “Veracode”. “Space Rogue” is management at “Tenable”. These guys are now the elders of cybersec, shepherding the young coming from the same sorts of informal roots they came from.
    Sure, my comparison isn’t a good one. L0pht was merely informal, whereas “Goatse” was the maximum amount of rudeness and trolling. My point is simply that these are all the same “tradition” of cybersecurity: while we might end up wearing suits, few of us started that way. This further demonstrates that the prosecution of Weev is prejudicial and arbitrary, based on factors other than whether his “access” was truly “unauthorized” as per the CFAA.

    Schneier on Security: Geolocating Twitter Users

    This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

    Interesting research into figuring out where Twitter users are located, based on similar tweets from other users:

    While geotags are the most definitive location information a tweet can have, tweets can also have plenty more salient information: hashtags, FourSquare check-ins, or text references to certain cities or states, to name a few. The authors of the paper created their algorithm by analyzing the content of tweets that did have geotags and then searching for similarities in content in tweets without geotags to assess where they might have originated from. Of a body of 1.5 million tweets, 90 percent were used to train the algorithm, and 10 percent were used to test it.

    The paper.

    TorrentFreak: Google Takedown Notices Surge 711,887 Percent in Four Years

    This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

    google-baySigned into law by President Bill Clinton in 1998, the Digital Millenium Copyright Act (DMCA) aimed to ready copyright law for the digital age.

    The law heightened punishment for copyright infringement over the Internet and criminalized circumvention of DRM. In addition, it also introduced a safe harbor for Internet services, meaning that they can’t be held liable for their pirating users as long as they properly process takedown notices.

    Initially these notices were mostly sent to consumer ISPs to alert them to pirating subscribers. At the time, rightsholders showed little interest in sending takedown notices to other online services, but this changed drastically in the years that followed.

    New research by Stanford Law School’s Daniel Seng reveals that online services such as Google and Twitter have seen a surge in takedown requests in recent years. In fact, drawing on data from, Seng finds that the number of DMCA notices processed by Google increased 711,887 percent in four years, from 62 in 2008 to 441,370 in 2012.

    Published takedown notices per recipient*

    Titled “The State of the Discordant Union” and published in the Virginia Journal of Law and Technology, the paper discusses this upward trend. Two key changes Seng observes are that the average number of URLs in each notice is increasing, and that claims for multiple works are often included in a single notice.

    Where copyright holders previously listed only one work per notice, there are now sometimes dozens of movies or tracks bundled in each. This is a worrying development according to Seng.

    “It is disturbing to see the trend where more claims and more takedown requests are packed into each takedown notice. Up until 2010, each notice contained only one claim. But in 2011, the average number of claims per notice is 2.18, and in 2012, this average is 5.05,” Seng writes.

    More copyrighted works per notice also means that the number of URLs per notice is increasing too. For example, between 2011 and 2012 the average number of URLs listed in each notice increased from 47.79 to 124.75.

    According to Seng, these changes can be attributed to a small number of copyright holders. In fact, most copyright holders still submit only one notice.

    “These increasing averages paint a slightly misleading picture. More than 65% of all reporters have only issued one notice, and almost 95% of all reporters have issued no more than 10 notices in 2012,” Seng writes.

    The most active copyright holders up until 2012 were the RIAA, Froytal and Microsoft, each listing more than five million notices. Seng’s paper doesn’t include the most recent data, but Google’s Transparency Report shows that these numbers more than doubled again in 2013.

    Total URLs for all notices per reporting group
    A breakdown by industry shows that most of the notices (59%) come from the music industry, followed by adult entertainment companies (20%), and the movie industry (10%) respectively.

    Notices per industry
    The paper emphasizes that most changes are driven by a small number of copyright holders and industry groups, who are mostly targeting Google. Roughly 95% of all notices and 99% of all URLs included in the research were sent to the search engine, which has been under fire from the MPAA and RIAA for two years now.

    Interestingly, the surge in notices started right after the SOPA and PIPA bills failed to pass, suggesting that this is anti-piracy plan B for the entertainment industries.

    The release of the paper documents an important change in the use of DMCA takedown notices and coincides with ongoing discussions between copyright holders and online service providers on how to improve the DMCA takedown process. What changes will be made, if any, remains to be seen.

    *The number of notices sent by Yahoo in 2011 and 2012 are most likely 0 because they stopped reporting them to Chillingeffects.

    Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

    Krebs on Security: ZIP Codes Show Extent of Sally Beauty Breach

    This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

    Earlier this month, beauty products chain Sally Beauty acknowledged that a hacker break-in compromised fewer than 25,000 customer credit and debit cards. My previous reporting indicated that the true size of the breach was at least ten times larger. The analysis published in this post suggests that the Sally Beauty breach may have impacted virtually all 2,600+ Sally Beauty locations nationwide.

    Sally Beauty cards sold under the "Desert Strike" base on Rescator's site.

    Sally Beauty cards sold under the “Desert Strike” base on Rescator’s site.

    Sally Beauty has declined to speculate on how many stores or total cards may have been exposed by the breach, saying in a statement last week that so far its analysis indicates fewer than 25,000 cards were compromised. But that number seems very conservative when viewed through the prism of data from the cybercriminal shop primarily responsible for selling cards stolen from Sally Beauty customers. Indeed, it suggests that the perpetrators managed to hoover up cards used at nearly all Sally Beauty stores.

    The research technique used to arrive at this conclusion was the same method that allowed this reporter and others to conclude that the Target hackers had succeeded at installing card-stealing malware on cash registers at nearly all 1,800 Target locations in the United States.

    The first indications of a breach at Target came when millions of cards recently used at the big box retailer started showing up for sale on a crime shop called Rescator[dot]so. This site introduced an innovation that to my knowledge hadn’t been seen before across dozens of similar crime shops in the underground: It indexed stolen cards primarily by the city, state and ZIP code of the Target stores from which each card had been stolen.

    This feature was partly what allowed Rescator to sell his cards at much higher prices than other fraud shops, because the ZIP code feature allowed crooks to buy cards from the store that were stolen from Target stores near them (this feature also strongly suggested that Rescator had specific and exclusive knowledge about the breach, a conclusion that has been supported by previous investigations on this blog into the malware used at Target and the Internet history of Rescator himself).

    To put the ZIP code innovation in context, the Target break-in came to light just a week before Christmas, and many banks were at least initially reluctant to reissue cards thought to be compromised in the breach because they feared a backlash from consumers who were busy doing last minute Christmas shopping and traveling for the holidays. Rather, many banks in the interim chose to put in place “geo blocks” that would automatically flag for fraud any in-store transactions that were outside the customer’s normal geographic purchasing area. The beauty of Rescator’s ZIP code indexing was that customers could buy only cards that were used at Target stores near them, thereby making it far more likely that Rescator’s customers could make purchases with the stolen cards without setting off geo-blocking limits set by the banks.

    To test this theory, researchers compiled a list of the known ZIP codes of Target stores, and then scraped Rescator’s site for a list of the ZIP codes represented in the cards for sale. Although there are more than 43,000 ZIP codes in the United States, slightly fewer than 1,800 unique ZIPs were referenced in the Target cards for sale on Rescator’s shop — roughly equal to the number of Target locations across America.

    Sally Beauty declined to provide a list of its various store ZIP codes, but with the assistance of several researchers — none of whom wished to be thanked or cited in this story — I was able to conduct the same analysis with the new batch of cards on Rescator’s site that initially tipped me off to the Sally Beauty breach. The result? There are nearly the exact same number of U.S. ZIP codes represented in the batch of cards for sale on Rescator’s shop as there are unique U.S. ZIP codes of Sally Beauty stores (~2,600).

    More importantly, there was a 99.99 percent overlap in the ZIP codes. That strongly suggests that virtually all Sally Beauty stores were compromised by this breach.

    And here we come full circle to an explanation of why there is almost no chance that the number of breached cards is limited to fewer than 25,000. Let’s assume for the moment that Sally Beauty managed to detect and eradicate the threat that led to this payment card breach within the first 24 hours. That would essentially mean that only 10 transactions total were compromised from each store that day before the company managed to stop the theft. It’s possible, but unlikely.

    What is more likely is that this batch of 282,000 cards (dubbed “Desert Strike” by Rescator) will be the first of several pushed out to Rescator’s shops in the coming weeks. Time will tell.

    I asked Sally Beauty to comment on my findings. They declined again to offer any more detail on the breach, issuing the following statement:

    “As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security incident prior to the completion of a comprehensive forensic investigation. As a result, we will not speculate as to the scope or nature of the data security incident. Please check for updates.”

    The zip code analysis is available in this .csv spreadsheet.

    SANS Internet Storm Center, InfoCON: green: New Microsoft Advisory: Unpatched Word Flaw used in Targeted Attacks, (Mon, Mar 24th)

    This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

    Microsoft today published a new security bulletin, announcing that it has seen a new Word 2010 exploit used in recent targeted attacks. The exploit uses a so far unpatched vulnerability in Word that is triggered by opening a crafted RTF document.

    To prevent exploitation of the vulnerability, Microsoft released a "Fix It" that will prevent Word from opening RTF documents. [1][2] 

    Frequently RTF ("Rich Text Format") is used as a more portable way to exchange documents with basic formatting elements. The Fix-It may not be appropriate if you use RTF documents regularly. However, given that RTF documents are portable and can be opened by other software, it MAY be ok to just use software other then word to open the document.

    This vulnerability is identified by CVE-2014-1761.

    More details about the exploit can be found in Microsoft's "Security Research and Defense Blog" [3]. It points out that EMET can help block the exploit if the "Mandatory ASLR" and the "Anti-ROP" features are selected. This may be of help if you can't stop opening RTFs altogether. Word 2013 appears vulnerable, but the exploit fails due to ASLR and "just" crashes Word 2013. 

    The blog post also includes indicators of compromise for the particular exploit seen.



    Johannes B. Ullrich, Ph.D.
    SANS Technology Institute

    (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

    SANS Internet Storm Center, InfoCON: green: Integrating Physical Security Sensors, (Mon, Mar 24th)

    This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

    I have been playing for a few years now with different network connected devices [1]. As a "security guy", a lot of this research has been about vulnerability in these devices, or what we sometimes call the "Internet of Things". Over the years, I also learned to appreciated the ability of these devices to deliver physical context to some events that I may see in my logs, and I started to add the state reported from some of these devices to my syslog collector feeding into my SIM (right now not a "full SIM, but Splunk for the most part). 

    Here are a couple of experiences that I found helpful:


    Servers (and many desktops) do provide a number of useful sensors. For example a sensor to detect opening the case, and various temperature sensors. The temperature sensor can easily be monitored with tools like Nagios. The case sensor is a bit more tricky. Yes, it can easily be monitored (nagios again), but I find that nobody resets the sensor in the BIOS after legitimately opening the case, and to avoid tampering with this setting, this requires a BIOS password. Not too many people are willing to set BIOS passwords and rather rely on the physical security of the data center itself. A switch port can also be used to detect disconnection of a server, and the power usage of your power distribution unit (PDU) can often be polled remotely. I haven't run into a PDU yet that can set a syslog/snmp message that would alert you of power use going to zero on a device. Usually they have alerts that will tell you about high load or high temperature.

    Environmental Sensors

    There are a number of environmental sensors that are available outside of the server. Many AC systems can be polled remotely I have run into http APIs, some snmp and even syslog. This can alert you of an AC failure before the temperature in your server rises significantly. Some advanced systems will also provide overall "health" information but I haven't played much with that yet. Usually this information is used for remote maintenance. Of course, you can always add additional network readable sensors for temperature and humidity. There are also a number of options to detect more "catastrophic" conditions like water leaks and to automatically shut off water feeds if they are detected.

    Physical Sensors

    Access cards and door open/close sensors are pretty much standard in large office buildings these days. But the information isn't always easily accessible to the network security team. Being able to correlate an event with a person's presence (or absence) from an area can be important. Not just to identify the culprit, but also to provide context to an alert. For example, a work station sending excessive HTTP requests while a user isn't sitting in front of it can be an important indicator. You may be able to get signals if a screen saver is engadged or not on a system in order to monitor physical security or additionally verify if a user is using a system or not (nagios can do that easily in Linux. Not sure if there is an easy way to poll in Windows remotely if a screen saver is engadged).

    My favorite example is always a hotel in Singapore that used the signal from an opening room door to dispatch an elevator to that respective floor.


    Network cameras are pretty much everywhere these days. Some come with integrated motion sensors, or can detect motion by monitoring changes to the image. Either way, many of these cameras can send a signal whenver they detect motion, and even attach images. This can suplement some of the door sensors.

    Anything else you recently integrated?



    Johannes B. Ullrich, Ph.D.
    SANS Technology Institute

    (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

    The Hacker Factor Blog: Phone calls with Brangelina

    This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

    Lots of web sites give advice for stopping telemarketeers. Some advice is good, but some is bad or just naive. For example, over at WiseGeek is advice like “registered on any government sponsored ‘do not call’ list”. Virtually all of the calls that I receive don’t bother checking the no-call lists and enrolling has done nothing to lower the volume of these undesirable calls. A few years ago, the FTC realized that the no-call lists are a complete failure and offered $50,000 to anyone who could come up with a solution.

    In contrast, Erica Elson wrote some great tips over at LifeHacker: “I’m a Telemarketer. Here’s How to Get Rid of Me“. Most of her tips are very useful:

    • “Don’t immediately hang up the phone.” Telemarketeers will view this as a non-response and call you back later.
    • “Don’t give up mid-conversation and hang up without an explanation.” Again, this is a non-response so they will try to call you again later.
    • “Don’t let the telemarketer call you back at another time.” That’s just inviting them to call you.
    • “Don’t get irrationally angry at the telemarketer.” I agree with this. They are used to rejection and will mark you for a call-back just out of spite.
    • “Don’t engage with the telemarketer in any way.” She says that this gives them a false hope, leading to more calls. This is good advice for most people. But personally, I disagree with this tactic.

    In my experience, there are two types of telemarketers: honest and dishonest. For the honest ones, allow them to talk for a few seconds. If they pause, say something like, “I’m listening” or “Please continue”. Then at the next pause, say “Remove me from your calling list”. Not “Could you please remove me” or “I’d like to be removed”, but the more forceful “Remove me”. This way, they don’t have an optional way to interpret the request.

    There’s a reason for letting them speak a little bit and not starting off the call with “Remove me…” Although they may be from a legitimate company (honest), that doesn’t mean they are not slimy. Some telemarketers hear the removal request coming and hang up before you can finish the sentence. If they don’t hear you say the full sentence then it doesn’t count. By letting them talk for a moment, it catches them off guard and guarantees that you will get the full sentence out. (They never expected you to say that out of the blue.)

    For the dishonest ones, no amount of asking to be removed will make a difference. They’re not legitimate anyway.

    Collecting Calls

    At my office, there are two types of unsolicited phone calls that I receive often. I previously mentioned one of them: the fake IT support call. The other common calls are from people who want money to help me find more clients. For both of these types of calls, I usually try to find out who they are before playing along. I want their company name, address, and phone number. Inevitably, they will lie to me.

    In my previous IT Support call example (MP3), he gave me a fake company name, fake phone number, and told me that his address “won’t be relevant” before he hung up. That was on February 2.

    About a month later (March 18), I received another one of these calls (MP3). This guy was a horrible script reader — he clearly has a written paragraph that he used. Still, I pressed him for more information. Keep in mind, he’s a quiet talker and kept mumbling at the end of each sentence.

    Q: “What is your name?”
    A: “My name is Brad. Brad Willis[mumbled].”

    Q: “What is your company?”
    A: “Cyber Support. I told you at the beginning[mumbled].”

    Good thing I record calls. He did not previously state his company’s name. A quick search for that company name turns up official scam warnings issued from Microsoft. There’s also a warning from Malwarebytes (one of the comments explicitly mentions “Cyber Support”) and other people had similar words of warning. Make no mistake: this is a scam. Real people who get this call should hang up by now.

    Q: “What is your company’s phone number?”
    A: “Company’s phone number? Right now, we are connected. I do believe we are connected and talking over the phone. Right? And you don’t have to worry about anything…”

    This is a refusal to answer. A legitimate company will always give you a phone number. Since he doesn’t want to provide it, I pushed him again for this information.

    Q: “No problem. What is your company’s phone number? Just in case we get disconnected and I need to call you back, or if I have problems in the future?”
    A: “201-259-2658″

    Area code 201 is New Jersey. The area code and prefix (201-259) is a Verizon cellphone based in New Brunswick, New Jersey. A search for the phone number turns up other people who reported receiving unsolicited “fix your computer” calls from this same number. One of the reports even claimed to speak to “Brad” a few days before he called me.

    As with this review, I asked for more information:

    Q: “And where are you located?”
    A: “You said you wanted the number and I gave it to you. Now you want where we are located? We are located in New York City. Anything else? Any other information you want? You want me personal number?”
    Q: “Sure!”
    A: “You want my personal number??”
    Q: “Sure! You offered! Yeah!”
    A: “Okay. Note down the number I am giving you. 206-239-4603.”

    He didn’t give me his company’s address, but he did give me another phone number. Area code 206 is Washington State and 206-239 is a Qwest landline phone in Seattle. I doubt that this is really his phone number.

    After giving me his phone numbers, he hung up on me. A real company would not have hung up. This call was definitely a scam. Personally, I’m kind of disappointed that he hung up. Since I’m playing with him, I was ready to have him fix my computer. (I was working from my Raspberry Pi and it always runs slow.)

    *Ring* *Ring* Hello?

    Every now and then I get calls that want to offer me government jobs. I didn’t start to get calls like this until I signed up with Dun & Bradstreet and the CAGE system back in 2010. Those two services have only led to spam and unsolicited phone calls — even though I selected every one of the “do not give out my information” options. In 2012, I explicitly tried to get removed from their lists. I know that I got removed from CAGE back in 2012 and earlier this month I think I finally got removed from Dun & Bradstreet. Yet, these unsolicited and undesirable calls keep coming…

    A few days ago I received an unsolicited telephone call that asked me if I wanted to work direct with the government through a five-year no-bid contract. My “scam” radar immediately went off because the automated message never told me who was calling me.

    The recording only wanted to me press “1″ to work with the government and “2″ to be added to a list. There were no other options… so I pressed “0″, hoping to speak to an operator. Instead, it just replayed the message. So I chose “1″.

    The phone was quickly answered by someone named Angela. However, she mumbled her company name. “Federal Express Consulting”? “Fredricksberg Consulting”? Something like that. Entering variations of the name into Google did not identify any likely companies.

    Anyway, Angela had trouble finishing sentences. She wanted “to reach the owner of… Hello?” but she didn’t name my company. In fact, she never asked who I was and she never validated that she had reached the correct number or office. Was she speaking with a decision maker or someone who just answered a ringing phone? Did she even know my company’s name?

    Telemarketers follow a script. Fortunately for me, I also follow a script. My script basically says:

    1. If he/she did not identify their company in the first few seconds, then ask why they did not identify themselves. The FCC has requirements and one of them is that the caller must identify their name and company.

    2. Find out who they are: name, phone, and address. Other information is a bonus.
    3. Find out what they know about me. Do they know my name? My address? My company’s name? Do they know what my company does? I must not confirm anything about myself (including my name) and I must not provide them with hints. This deters them from cold-reading me and allows me to find out how they learned about me.
    4. Ask them about the no-call list. If they know my name or my telephone’s area code (area codes map to states), then they know what state and country I am in. There is a national do-not-call list and the Colorado no-call list. I’m registered with both of them. Telemarketers are legally required to consult with those lists before contacting me. (And if they checked with those lists, then they should never contact me.)
    5. Tell them to remove me from their calling lists.

    My actual script is more like a decision tree. If they are taking a survey, if they sound nice, if they hesitate, etc. I have plenty of options. (As an aside: Does anyone know of any good, public system for flowcharting these decisions and option? I think having the tree public would make for a great open-source project.)

    With Angela’s call, she sounded like a bored script reader. So, I followed the decision tree for aggressively handling the call. I may speak sternly, but I never yell and I never get mad. With this tactic, my questions are more important than hers, so I want her to answer every one of my questions before we move on to the next question. As a social engineering exercise, my goal is to keep her off balance by keeping her off the script. This increases the likelihood of her getting frustrated and telling me exactly what I want to know.

    Q: “Why did your automated recording not identify your company name?”
    A: “Uh… that’s… I would wonder about… It is a recorded message. I have to tell you the truth, and we’re calling regarding a five year GSA contract with the Federal government. And I can identify myself, which is [unclear]Fredricksburg consulting…” (back to the script)

    Q: “Do you know where I am located?”
    A: “As of this point, because you are right now an inbound call. Sir, our reception department has probably 50-60% of your company information in our system because you might quality for GSA.” (back to the script)

    How can I be an inbound call if they called me? That’s how telemarketers work. An automated system establishes the call and then you are connected to the next available drone. Anyway, she did not answer my question.

    Q: “What company do you think you have called?”
    A: “Uh… okay… I see a name: Kravitz. And I don’t know if you are a consulting firm as well or if you have products or if you. Okay, I know a little more, sir. You do IT services.”

    At this point, it is clear that she doesn’t know my company name, doesn’t know what I do, and grossly overestimated that “50-60%” that she knows about my company. When enrolling with D&B and CCR/SAM, you have to provide a business category. For D&B, I had entered the code for “Other IT”. For CCR, I selected “OSHA SIC code: 7379 Computer Related Services, Not Elsewhere Classified”. The information that Angela provided strongly suggests that she is working on partial information provided by D&B.

    I explicitly informed her that I do not do “IT Services”. I view IT Services as something akin to system administration. I try not to provide sysadmin services to anyone except myself and my father (and that’s only because I think it’s rude to hang up on my father).

    Of course, Angela used this as an excuse to get back to her script:

    Well then, I can tell you how that works, sir. Businesses work with us. We are the number one in the nation for awarding GSA contracts and what we can give you is of no harm. We can give you information in how to obtain a GSA contract. Information, if you qualify for GSA, which, the requirements would be your business… you would need to be a minimum two years in business. Your products and services.

    This kind of reminds me of the movie The Truman Show. At one point in the movie, Truman (played by Jim Carrey) blurts out “Who are you talking to???” Angela says that businesses work with her company. But she also says that she doesn’t know if I’m a business or what I offer… So why she still talking to me?

    Also, that “minimum two years in business” sounds familiar. The calls from Dun & Bradstreet kept saying (incorrectly) that I had been in business for four years.

    I thought Angela had gone on long enough, so I decided to ask more questions and take her off-script. (I like how she stutters every time she goes off-script.)

    Q: “Are you aware that the number you have called is on the no-call list?”
    A: “That I wouldn’t know, sir. And, uh, we we we’ve been called, we’ve been told that businesses, that you are a business, sir. You can be looked up in the yellow pages or I don’t know if you have a number that has been restricted. I don’t know.”

    Angela, you just lied to me. My company isn’t listed in the yellow pages. And earlier you stated that you didn’t know if I was a business. In fact, you still haven’t told me my business’s name.

    Q: “What is your company’s address?”
    A: “Interest! To…”

    She must have misheard me. She tried to go back on script!

    Q: “Address. Street address.”
    A: “Address. And why would you need our address, sir?”
    Q: “So I would know who I am talking to.”
    A: “Of course… The address is GSA Application Services, Tampa Road in Oldsmar, Florida.”

    Bingo — this is why we keep her off-balance and stay off-script. Google finds this company name very quickly. The address is 4035 Tampa Road, Oldsmar, FL 34677. (Some records say that their address number is 4033, 3925, or 3875, but they are all on Tampa Road.) The company has two web sites, but neither returns anything (a blank page and a server not found). Also, the name “GSA Application Services” is not the same name that Angela gave me earlier (“Federal Express Consulting” or something like that). There’s a comment on about this company:

    Run away. The Sprecher organization, to which this shell company belongs, has a history of felony embezzlement and fraud. Research this company carefully before you give them a dime. Check the other names they use, too. GSA 1000, GSA Preview, GSA Greenville, GSA Tampa, Federal Verification, Countryside Publishing. Check the Florida Attorney General’s website for a status on the AG’s investigation into the Sprecher organization for deceptive practices.

    They have similar reviews at the Ripoff Report, Complaints Board, and with the Florida Better Business Bureau.

    According to the various write-ups, this company will ask me for a few thousand dollars (non-refundable) and then fail to deliver a GSA contract. Of the many names that this company has gone by, the funniest is the Lewisburg Group. According to one person (who claimed to work at the company for a short duration), this name is funny because the company owner spent several years in Federal Prison at the Lewisburg Penitentiary.

    This is explicitly why it is important to know exactly who is calling you. They sound helpful. They sound like something I might be interested in. But when you push them for their contact information, they turn out to be a scam.

    However… we’re only half-way through this call. And I’m not done yet.

    Q: “What is your company’s phone number?”
    A: “My phone number is 502-410-2779 and my name is Angela.”

    That phone number is for Louisville, Kentucky. Searches for this phone number turn up lots of complaints about telemarketers pushing government contracts.

    Q: “You can remove me…”
    A: “I can’t. I can’t.”
    Q: “Remove me from your calling list.”
    A: “Sir, stay on the line until I get your number completely. I show it is 970-282. Because as I said, we are sending out recorded messages to all small businesses. You have an option to say ‘I’m interested in government contracting’ and…”

    Notice the delay tactic. She says I have to stay on the line while she reads my phone number to me. Then she reads a little bit of the number and goes back to the sales script. However, she explicitly said “970″. That means she knows I am in Colorado. (Area code 970 is only found in Colorado and the prefix 282 places me in Fort Collins.)

    A: “I’m about to get the last four digits. And please verify your phone number, sir. I have 970-282..”
    Q: “Why do I need to verify it? I’m the person who answered the phone.”
    A: “Because I have not dialed out. You are one of 20 thousand business that we are calling today. I mean, how can I verify who you are right now? Unless you speak to me and verify your company information.”

    I’m glad I recorded this. She tries to make me think that I called her, but that definitely is not the case. The laws regarding telemarketers are very clear about this: if the person who answers the phone requests to be removed, then the telemarketer must remove them. This is not a debate point.

    At this point, I just want to keep her off script:

    Q: “If you are in the United States then you should have run that number past the no-call list. I am listed.”
    A: “Sir, you know why we are calling? US Federal Government uh GSA uh…”
    Q: “I am not Federal Government.”
    A: “But sir, you kind of putting words in my mouth. We are not outsource and we do not want to be outsourced. We want to help US American economy. If you want to be part of it. But right now I put your number down. 970-[redacted]. And sir, it sometimes takes 48 hours sometimes before we have purged out all these numbers. I appreciate your patience and I wish you a wonderful day.”

    I like how she says “US American economy” with her thick foreign accent. She tries to make me feel guilty about not participating in the economy because I want to be removed from her calling list. And who was talking about outsourcing? I can only assume that she accidentally jumped to a different part of her script.

    At this point, I’ve kept her off-script. However, that won’t be enough to keep them from calling me again. Time to put the fear of Gawd in her:

    Q: “This call has been recorded and will be posted online.”
    A: [long pause] “Sir, really. I mean, that makes no sense. You have not. And I tell you something right now. You did something unlawful. Because you have not told me that you recorded me. You are not at liberty to record me.”
    Q: “Oh sure I am! I’m in Colorado. Colorado is a one [click] call state. Hello?”

    I meant to say a “one party state”, but it doesn’t matter because she hung up on me before she could hear that. As she was arguing with me, you could hear the panic in her voice. (And you can probably hear the smile on my face.) And at the very end, you can hear her under my voice saying “Thank you for your time!” *click*

    Let me make this abundantly clear for every telemarketer that calls me: I will record you. As stated in 18 U.S.C. §2511(2)(d), Federal law permits recording as long as at least one party on the phone is aware that the call is being recorded. Only 12 states override the Federal law and require full-consent. The remaining 38 states — including Colorado (where I and my recording device are located) — only need one party to consent. I am in Colorado, I am on the phone, and I consent to recording these unsolicited cold-calls.

    Her reaction to being recorded brings up one other issue. Her company cold-called me with a business offer. Had she known that the call was being recorded, would she have given me the same sales pitch? I caught her in a couple of lies. Would she have still lied to me if she knew she was being recorded? (This goes toward those reviews that mentioned ‘deceptive business practices’.) Then again, I’ve had plenty of telemarketers hang up immediately when I say that the call is being recorded. A legitimate offer would never be concerned about being recorded.

    Here’s the entire recorded phone call: MP3. The only thing I redacted was my own phone number (you’ll hear it as a warble sound). However, I left my area code (970) since that identifies a phone in Colorado.

    TorrentFreak: Copyright Group: Chilling Effects DMCA Archive is “Repugnant”

    This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

    chillingThanks to Google’s Transparency Report we have the clearest picture yet of the battle taking place between content owners and the indexing and linking of allegedly infringing content online. The search engine takes down millions of URLs every week, a not insignificant amount by any standard.

    Fortunately we don’t simply have to take Google’s statistics at face value. The notices received by the company are processed and later sent to the Chilling Effects Clearinghouse. There they are input into a searchable database so that the public can cross reference Google’s reports (along with others from companies such as Twitter) with the actual takedown notices, thus bringing accountability to the process.

    It is through both of these database that TorrentFreak has been able to unearth dozens of serious errors and abuses carried out by the automated takedown systems operated by the world’s largest copyright holders. While there can be little doubt that Chilling Effects is an invaluable resource for those reporting on piracy issues or tracking DMCA abuses, not everyone is happy with the service being offered by the site.

    As detailed in our previous reports (1,2), this week various rightsholders and service providers have been giving statements on the effectiveness of the DMCA. Among them was the Copyright Alliance, an organization that counts the MPAA, NBC, Viacom and TimeWarner among its members. The theme running through CEO Sandra Aistars’ statement is that the takedown provisions of the DMCA don’t work, whether you’re a creator or a website drowning in notices. Surprisingly, Aistars also took aim at Chilling Effects

    aistarsThe project is operated by a selection of law school clinics and the EFF with the aim of supporting lawful online activity against the chill of unwarranted legal threats, but the Copyright Alliance CEO says the site helps bully artists who stand up for their rights.

    “The activities of are repugnant to the purposes of Section 512 [of the DMCA],” Aistars reported to the House Judiciary Subcommittee hearing.

    “Data collected by high-volume recipients of DMCA notices such as Google, and senders of DMCA notices such as trade associations representing the film and music industries demonstrate that the overwhelming majority of DMCA notices sent are legitimate, yet the site unfairly maligns artists and creators using the legal process created by Section 512 as proponents of censorship.”

    Speaking with TorrentFreak, Chilling Effects Project Leader Wendy Seltzer said that the repository exists for informational and research purposes.

    “Many of the Chilling Effects participants filed an amicus brief (pdf) in the 9th Circuit a few years ago, in which we describe Chilling Effects’ public purpose at length, and cite 25+ research works that, even in 2010, had been written using Chilling Effects data,” Seltzer explained.

    However, continuing her criticism, Aistars told the hearing that by publishing DMCA notices intact, thereby revealing their senders, Chilling Effects had helped subject creators to “harassment and personal attacks for seeking to exercise their legal rights.”

    seltzerSeltzer, a Fellow with Princeton University’s Center for Information Technology Policy who sits on the boards of both the Tor Project and of World Wide Web Foundation, dismisses the allegations.

    “[Chilling Effects] has always had policies of redacting unnecessary personally identifying information, while preserving the information needed for researchers, including members of the Internet-using public, to determine who filed takedown notices and what content they requested removal.”

    Finally, in a not unexpected development, the Copyright Alliance CEO said that due to Chilling Effects publishing DMCA notices in their entirety, its database had grown into a huge list of pirate content links.

    “Finally, because the site does not redact information about the infringing URLs identified in the notices, it has effectively become the largest repository of URLs hosting infringing content on the internet,” Aistars concludes.

    While copyright holders may not like what Chilling Effects does, the site brings much-needed accountability to those using and abusing the DMCA takedown process. Without it the entire process would exist in the dark, and content wrongfully disappeared from search engines and other sites would remain unaccounted for. The site is one of, if not the most important DMCA-related resource online today, and long may that continue.

    Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

    TorrentFreak: Pirate Bay Sees Surge in High-Definition Downloads

    This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

    pirate bayDespite numerous legal setbacks and continued pressure from copyright holders, The Pirate Bay is still here. In recent years the notorious torrent site expanded its reach with millions of users, each looking for the latest multimedia content.

    The site’s status as one of the largest online media libraries has also piqued the interest of researchers, who are closely following what people are sharing.

    Previously we documented how the number of files uploaded to The Pirate Bay increased 50% in just a year, and that more than one-third of the uploads are adult content.

    A new study, conducted by researchers from the Institut Mines-Télécom in Paris and Madrid’s Universidad Carlos III, confirms the Pirate Bay’s expansion and adds several new insights. The researchers looked at large samples of torrents from various Pirate Bay categories, and polled the active sharers at various points in time.

    “To the best of our knowledge it is the first study that weights several factors related to BitTorrent over a two years window,” researcher Reza Farahbakhsh tells TF.

    From their data samples, which span from 2009 to 2012, the researchers draw three main conclusions.

    • The number of high-definition video torrents on The Pirate Bay increased more than 500%.
    • The median file-size of all torrents has doubled.
    • Between 40-50% of all torrents point to video content and 80% of the total downloads come from these torrents.

    During the latest measurement in 2012, high-definition video torrents accounted for 8.2% of the total, up from a mere 1.5% in 2009. As a result, the number of people downloading these files also surged, now making up nearly 10% of all downloads.

    “The popularity of High-resolution PORN and VIDEO content follows the increasing availability of this type of content. While it only attracted 1.87% of the downloads in 2010, it has increased its popularity 5 times by receiving 9.62% of the downloads in 2012,” the researchers write.

    Another result of the increased availability of high-definition videos is that the median size of all content indexed by The Pirate Bay has doubled over the years.

    “The median value of the content size in 2009 was 223MB torrent-sizeand increased by 53% (to 341MB) in the next five months, and it kept growing up to 370MB and 458MB in 2011 and 2012 respectively,” the researchers write.
    The researchers’ data could act as a warning signal to Internet providers, who need to make sure they can handle further increases in their network usage. Not just with BitTorrent in mind either, but also other pirate sources such as cyberlockers where similar patterns may emerge.

    “These findings are useful to those Internet players (i.e. ISPs, CDN operators) involved in the content distribution business in order to update their infrastructures, resources and algorithms to efficiently distribute and serve multimedia content,” the researchers conclude.

    It will be interesting to see how the demand for high-definition content develops. With increasing broadband penetration and bigger screen sizes, the upward trend is expected to continue in the years to come.

    Source: TorrentFreak, for the latest info on copyright, file-sharing and VPN services.

    Errata Security: Newsweek myth busted: "disk space is cheap"

    This post was syndicated from: Errata Security and was written by: Robert Graham. Original post: at Errata Security

    What makes the Newsweek outing of “Satoshi Nakamoto” so egregious is that the story cites no evidence. Everything cited in the story is easily disproven. An example is the following “evidence” described by the “forensic analyst” involved in the story.

    According to this article, one of the corroborating bits of evidence is the bit from the Bitcoin paper describing how to conserve “disk space”. According to the analyst, disk space is cheap these days, and no young person would consider conserving it. Therefore, according to her reasoning, the creator of bitcoin must come from the pocket-calculator/slide-rule generation.

    This is nonsense. The current blockchain is 17.3 gigabytes in size. It takes up a sizeable amount of my 256-gigabyte SSD boot drive, meaning that Bitcoin is already too big to fit easily on laptops. Moreover, Bitcoin is growing faster than Moore’s Law, meaning the problem will only get worse. In another couple years, after which desktop drives will have doubled in size, Bitcoin will have double more times, and be too big to fit easily on those drives.

    Here’s the thing about Moore’s Law: it exists because we are constantly bumping up against resource limits. Disk drive manufacturers spend billions of dollars every year in research finding ways to increase disk drive space because we still don’t have enough. Only when Moore’s Law stops will we have reached the point when these resources have become too cheap to be considered.

    Every engineer who does real work is constantly hitting the limits of CPU speed, network bandwidth, and drive space. Whether 17 or 70, it’s unreasonable to expect that the creator of Bitcoin would ignore these resource constraints when designing a system to handle billions of transactions.

    The above story claims that the forensic analyst,  Sharon Sergeant (@AncestralManor), is a “systems engineer by training with experience in computing security, military protocol analysis, and artificial intelligence”. This appears to be an exaggeration. Her profession is “genealogist”, not a “systems engineer”. For all we know, the sum of her experience is a single engineering class in college. She may actually be more qualified, but her incorrect claims that engineers ignore resource constraints indicates otherwise.

    SANS Internet Storm Center, InfoCON: green: Gems in the ISC Diary Comments, (Thu, Mar 6th)

    This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

    Thanks for reading the ISC Diary!  I hope you find useful information in the diary posts.  I, and the other handlers, work hard to try and bring you the latest news as it develops, as well as point out interesting new research that affects our industry and our ability to protect our networks.  BUT don’t stop with the diary.  Quite often the MOST interesting part of the article is in the comments from the readers.  Consider the following:

    About a year ago I did a post entitled “What can you do with funky directory names?”

    The post is about creating a “..  “ (Dot Dot Space) directory.  You can even create a funky directory name that will cause windows to generate an error dialog message and go into an error condition.  This is COOL STUFF right?  Well, yeah but not nearly as interesting as the mostly overlooked last comment on the page.  An anonymous ISC reader posted this comment:

    “It's also easy to use similar file name tricks to make your malicious binary appear to be Microsoft signed. Name your malware file "svchost.exe " (note trailing space) and put it in the same folder as the legitimate file. Attempted reads of your malicious file will "miss" your file and instead hit the legitimate (and signed) binary. (This is because win32 will auto-remove the trailing space.)

    The nice thing about CreateProcess is that it launches the malicious process just fine.”

    What does this mean?  Well, if you create a executable on the hard drive that ends with a SPACE and then execute it some interesting things happen.  Applications such as Microsoft Sigcheck, Mandiant Redline, Process hacker and other tools that will check the digital signatures of the processes in the process list check the incorrect file.  The malware is “svchost.exe  “.  But when these tools turn to the hard drive to read the executable digital signature the underlying API trims the trailing space and they read the signature on the real “svchost.exe”.  The result is that those security tools find a legitimate digital signature and incorrectly believe the file  “svchost.exe   “  has been digitally signed by Microsoft.

    Matt Graeber (@mattifestation) did a write up on his testing of the issue here

    I have found this technique to be useful for fooling Non-Microsoft tools that rely on digital signatures.  So don't stop with the article!  Read the comments from our brilliant readers.   Please TEST your HIPS, Whitelisting applications, Forensics tools and other digital signature based tools using the process outline by Matt Graeber.   Is it vulnerable?   Post a comment (responsible disclosure is encouraged) and other brilliant insights in the comments! 

    Follow me on Twitter: @markbaggett

    There are a couple of chances to sign up for SANS Python programming course.  The course starts from the very beginning, assuming you don't know anything about programming or Python.  The course is self paced learning and we cover the essentials before we start building tools you can use in your next security engagement.   You will love it!!    Join me for Python for Penetration testers in Reston VA March 17-21 or at SANSFire in Baltimore June 23-27.

    (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

    SANS Internet Storm Center, InfoCON: green: Triple Handshake Cookie Cutter, (Tue, Mar 4th)

    This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

    Researches have released a paper describing several vulnerabilities in TLS (Transport Layer Security). Some of the attacks have been known for a while, but the paper combines and explains them nicely, and also adds a couple of really clever new ideas. The tricks rely on cutting sessions off and re-starting them in a way that client and server end up with a different (security) state. The full research is available here The good news is that (a) the main impact is apparently limited to connections that use client-side certificates, which is rare, and (b) the researchers have informed the browser vendors early on, and some browsers and TLS libraries are already patched.

    (c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

    Krebs on Security: Thieves Jam Up Smucker’s, Card Processor

    This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

    Jam and jelly maker Smucker’s last week shuttered its online store, notifying visitors that the site was being retooled because of a security breach that jeopardized customers’ credit card data. Closer examination of the attack suggests that the company was but one of several dozen firms — including at least one credit card processor — hacked last year by the same criminal gang that infiltrated some of the world’s biggest data brokers.

    Smuckers's letter to visitors.

    Smucker’s alerts Website visitors.

    As Smucker’s referenced in its FAQ about the breach, the malware that hit this company’s site behaves much like a banking Trojan does on PCs, except it’s designed to steal data from Web server applications.

    PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.

    The malware that tore into the Smucker’s site behaved similarly, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers were submitting the data during the online checkout process.

    What’s interesting about this attack is that it drives home one important point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session. With Zeus, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).


    When a reader first directed my attention to the Smucker’s breach notice, I immediately recalled seeing the company’s name among a list of targets picked last year by a criminal hacking group that plundered sites running outdated, vulnerable versions of ColdFusion, a Web application platform made by Adobe Systems Inc.

    According to multiple sources with knowledge of the attackers and their infrastructure, this is the very same gang responsible for an impressive spree of high-profile break-ins last year, including:

    -An intrusion at Adobe in which the attackers stole credit card data, tens of millions of customer records, and source code for most of Adobe’s top selling software (ColdFusion, Adobe Reader/Acrobat/Photoshop);

    -A break-in targeting data brokers LexisNexis, Dun & Bradstreet, and Kroll.

    -A hack against the National White Collar Crime Center, a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.


    Not all of the above-mentioned victims involved the exploitation of ColdFusion vulnerabilities, but Smucker’s was included in a list of compromised online stores that I regrettably lost track of toward the end of 2013, amid a series of investigations involving breaches at much bigger victims.

    As I searched through my archive of various notes and the cached Web pages associated with these attackers, I located the Smucker’s reference near the top of a control panel for a ColdFusion botnet that the attackers had built and maintained throughout last year (and apparently into 2014, as Smucker’s said it only became aware of the breach in mid-February 2014).

    A tiny portion of the ColdFusion botnet panel.

    A tiny portion of the ColdFusion botnet panel.

    The botnet control panel listed dozens of other e-commerce sites as actively infected. Incredibly, some of the shops that were listed as compromised in August 2013 are still apparently infected — as evidenced by the existence of publicly-accessible backdoors on the sites. KrebsOnSecurity notified the companies that own the Web sites listed in the botnet panel (snippets of which appear above and below, in red and green), but most of them have yet to respond.

    Some of the victims here — such as onetime Australian online cash exchange — are no longer in business. According to this botnet panel, Technocash was infected on or before Feb. 25, 2013 (the column second from the right indicates the date that the malware on the site was last updated).


    It’s unclear whether the infection of Technocash’s secure portal ( contributed to its demise, but the company seems to have had trouble on multiple fronts. Technocash closed its doors in June 2013, after being named in successive U.S. Justice Department indictments targeting the online drug bazaar Silk Road and the now-defunct virtual currency Liberty Reserve.


    One particularly interesting victim that was heavily represented in the botnet panel was SecurePay, a credit card processing company based in Alpharetta, Ga. Reached via phone, the company’s chief operating officer Tom Tesmer explained that his organization — — had in early 2013 acquired SecurePay’s assets from Pipeline Data, a now-defunct entity that had gone bankrupt.

    At the time, the hardware and software that powered Pipeline’s business was running out of a data center in New York. Tesmer said that Pipeline’s servers had indeed been running an outdated version of ColdFusion, but that the company’s online operations had been completely rebuilt in CalpianCommerce’s Atlanta data center under the SecurePay banner as of October 2013.

    Tesmer told me the company was unaware of any breach affecting SecurePay’s environment. “We’re not aware of compromised cards,” Tesmer said in an email. This struck me as odd, since the thieves had clearly marked much of the data they had stolen as “SecurePay” and listed the URL “” as the infected page.

    Following our conversation, I sent Tesmer approximately 5,000 card transaction records that thieves had apparently stolen from SecurePay’s payment gateway and stashed on a server along with data from other victimized companies (data that was ultimately shared via third parties with the FBI last fall). The data on the attacker’s botnet panel indicated the thieves were still collecting card data from SecurePay’s gateway as late as Aug. 26, 2013.

    Tesmer came back and confirmed that the card data was in fact stolen from customer transactions processed through its SecurePay payment gateway, and that SecurePay has now contacted its sponsoring bank about the incident. Further, Tesmer said the compromised transactions mapped back to a Web application firewall alert triggered last summer that the company forwarded to its data center — then located in New York.

    Several servers from credit card processing firm SecurePay were compromised by the ColdFusion botmasters.

    Several servers from credit card processing firm SecurePay were hacked by the ColdFusion botmasters.

    “That warning showed up while the system was not under our control, but under the control of the folks up in New York,” Tesmer said. “We fired that alert over to the network guys up there and they said they were going to block that IP address, and that was the last we heard of that.”

    Turns out, SecurePay also received a visit from the FBI in September, but alas that inquiry also apparently went nowhere.

    “We did get a visit from the FBI last September, and they said they had found the name SecurePay on a list of sites that they were pursuing some big hacker team about,” Tesmer said. “I didn’t associate one with the other. We had the FBI come over and have a look at that database, and they suggested we make a version of our system and set that one aside for them and create a new system, which we did. They said they would get back in touch with us about their findings on the database. But we never heard from them again.”

    Tomorrow, we’ll look at Part II of this story, which examines the impact that this botnet has had on several small businesses, as well as the important and costly lessons these companies learned from their intrusions.

    Спирт, есенция и умора: 2014-03-02 спирт

    This post was syndicated from: Спирт, есенция и умора and was written by: Vasil Kolev. Original post: at Спирт, есенция и умора

    (отдавна се каня да го напиша)

    Преди някакво количество години бях решил да пробвам различни уискита (след като Велин поиска за една работа да му се плати с една бутилка Ardbeg, щото му беше станало интересно), бяхме седнали в един бар в студентски град (“Masterpiece”, имат огромна колекция), бяхме отворили wikipedia и гледахме статията за Islay. След като нямаха Laphroaig, ми сипаха един Lagavulin и аз толкова се влюбих в него, че в следващите дни си намерих доставчик на едро, и когато се изнасях от предната квартира открих, че имам около 1 куб. метър кутии от него.

    С годините тествах различни неща и открих, че в крайна сметка човек след като мине на пушени уискита, другите не са му интересни. Също така по-трудно се попада на ментета, и от тях глава не боли (а съм изпивал бая…). Ето малко бележки по нещата, които съм пробвал, ако някой иска повече информация, Iain Banks е писал книга по темата – “Raw Spirit” (питали го “не искаш ли да обиколиш Шотландия, да пробваш всичките уискита и да напишеш книга, и той в първия момент си помислил, че се шегуват с него. Всички, на които казал после го питали дали не иска помощ…).

    Пушените уискита идват основно от Islay в Шотландия (малък остров с малко хора и много алкохол). Това, което най-лесно може да се намери от там по нашите магазини е Lagavulin и Laphroaig. Аз съм тествал:

    Ardbeg – много торфено и доста остро. Някои хора много го обичат, аз не толкова. Имам един Ardbeg Corryvreckan, който е доста по-мек и който е печелил уиски на годината преди 2-3 години, и се хареса доста на последния запой вкъщи.

    Laphroaig – Хората се делят на два лагера, има такива, дето го харесват и такива, дето не (аз съм от вторите). Пак е доста остро, малко по-малко от Ardbeg-а.

    Lagavulin – първото ми любимо уиски. По-меко от Ardbeg и Laphroaig, много опушено, с истински, пълен вкус. Много хора казват, че им мирише на терпентин/доктор/акварелни боички (за другите какво казват, не ми се ще да мисля), но като цяло за мен то е централния вкус на уискито от тоя остров. Води се май едно от най-опушените уискита там (като изключим някои неща като octomore).

    Kilchoman – това е най-новата дистилерия на острова, и определено ми станаха новото любимо питие от там. Kilchoman machir bay има още по-приятен аромат от Lagavulin-а, пак е меко и като цяло се пие с голямо удоволствие.

    Octomore е един странен експеримент на дистилерията Bruchladdich, направили са най-опушеното възможно уиски. Има мярка за опушеност, ppm (parts per millon) на фенолите, и Lagavulin е 45ppm, Octomore 3 е 152ppm. Има няколко версии, като моите любими са 3 и Comus (5 горе-долу ставаше, новите – 10 и т.н., вече не стават). Също така са по около 60 градуса и много точно може да усетите първата глътка как си прави път през вас.

    Bruchladdich имат още много други различни неща, например едно Cuvee (неопушено), ама те искат още research от моя страна.

    Горе-долу това са тези от Islay, които са ми били интересни. От опушените има още едно, което много ми хареса – Glen Els Ember – немско уиски, пушено на дърво, провах го на CCC конгреса миналата година, и което трябва да се намери начин да се внася в България.

    Имам и някакво количество не-опушени неща, които държа основно за други хора – основно Cardhu, на което аз викам “дамско уиски”, щото го пият основно девойките, дето не харесват пушеците.

    (за мен най-голямото предимство на това пиене е, че всъщност върши много хубава работа за борба с вътрешния ми алкохолзъм. Не мога да седна да пия ей-така, трябва да имам подходящото настроение и да ми се услади, усещам как в последните години съм започнал да пия много по-малко, отколкото преди)

    The Hacker Factor Blog: On The Attack

    This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

    Yesterday evening, on Feb 27 at 5:18pm localtime (00:18 GMT), the FotoForensics server came under a large distributed denial-of-service (DDoS) attack. They generated nearly 8Gb/sec before the system went offline, and the ISP informed me that it topped out at around 30Gb/sec. (If your home network is a 100Mb network, then this is 300x more network traffic than your home can withstand.) The outage lasted 24 hours.

    Technically, our ISP detected the DDoS and quickly null-routed the IP address. The server was still up, I could still access it, and all of the data was sitting there. There was no system compromise. Only the public could not access the system.

    As far as I can tell (I can only access my server and not the ISP’s firewall), the FotoForensics server never directly experienced any attack. My logs show no attack and there is no indication that the packets ever reached the server. Instead, they were stopped at one of the firewall layers.

    About the Attack

    According to the ISP, the attack against looks like a UDP flood on the NTP port (network time protocol, port 123/UDP). This is the current fad — it’s called an NTP amplification attack. Brian Krebs came under the same type of attack earlier this month, and his peaked at 400Gbps.

    With this NTP amplification attack, a single user with a 1Gb connection can generate 200Gb of traffic aimed at a victim. Basically, UDP is a connectionless network protocol, where the recipient trusts that the header information is legitimate. This makes it ideal for DDoS attacks since the bad guy can supply a fake header that looks like the victim. They send out one small packet and the victim receives one large packet. Having 1Gb of input generate 200Gb of output is a massive amplification of the attack. It ends up costing a little for the attacker and a lot for the victim.

    Looking at the IP addresses in the snapshot that was forwarded to me, it looks like the attack came from hosts all over the world. However, China seems to have more hosts than any other country. In fact, my distribution from this small snapshot looks similar to the table in the Cloudflare report regarding Brian Kreb’s attack.

    This does not mean that China is behind this attack. Rather, it means that China has more vulnerable systems that can be used for this type of attack.

    Mitigation Options

    Sadly, this isn’t a new attack. There are known ways to secure NTP servers. Some solutions require installing a new NTP server. However, one of the easiest solution is for ISPs and sysadmins to block all NTP traffic (similar to how many larger ISPs currently block NetBIOS, ICMP, and spam). ISPs can either offer their own NTP service to their clients, or provide a white-list of permitted NTP servers. With the full-filtering solution, the ISP only needs one synchronized time server.

    With either full filtering or white-listing, this solution protects their clients from future attacks and prevents those clients from participating in future attacks. (ISPs cannot expect all of their users to know how to reconfigure NTP. However, they can implement a transparent fix by redirecting all client NTP queries to the ISP’s NTP server.)

    Granted, filtering doesn’t stop the packets. The packets will still be transmitted and will still reach the ISP. Nothing except upstream filtering will stop that. However, filtering will prevent the attack from harming the ISP’s internal network and clients.

    There’s also a lasting effect from filtering the attack. If the attack is unsuccessful in harming the ISP’s clients, then attackers won’t bother with the attack again. (As an ISP, if one of your clients gets hit with this attack, then you can be certain that other clients will eventually get hit. It’s better to act preventively and filter now.) In addition, if enough ISPs filter this type of attack, then it no longer becomes a threat to anyone (similar to how filtering ICMP has mostly ended DDoS from ICMP Smurf attacks).

    Behind the Attack

    When my hosting provider learned of the DDoS, they laughed and said, “It would appear you’ve made some enemies.” One of my business partners asked, “So who did you piss off today?”

    Attacks like this are not signed. So unless the bad guys tell the victim the reason for the attack, it’s mostly guesswork at this point. Considering the target (the free/public FotoForensics server), I can pretty much narrow it down to three primary types of suspects.

    The first category of suspects are the random drive-by attackers. I understand that yesterday, NameCheap, and other sites also came under similar DDoS attacks. Maybe some kid thought it would be funny to attack a bunch of sites for no reason. In that case, I should feel privileged to have my little server grouped into the same set as major online services that handle millions of clients.

    The second category of suspects are the people who are banned for uploading porn to the server. Maybe someone got mad because they uploaded porn, got banned, and decided to launch a denial-of-service attack. (This type of childish mentality makes me think that they wouldn’t understand the porn they were looking at anyway.)

    The final category are people who did not like something that I did recently. And the only recent thing I did with FotoForensics was evaluate a picture — hours before the attack. Specifically, I had pointed out yesterday morning that a photo showing a crowd of people in Syria was digitally altered. I made this observation to a group of journalists in the Open Newsroom public forum. (When I mentioned to my business partners about the Syria photo, they immediately said, “Syria – most likely”.)

    Syria Photo

    Regarding the picture… Jorge López tweeted a picture to me and asked for my opinion of it. I found a larger version at Time. The caption says:

    A handout picture released by the United Nation Relief and Works Agency on Feb. 26, 2014 shows residents of Syria’s besieged Yarmuk Palestinian refugee camp, south of Damascus, crowding a destroyed street during a food distribution led by the UN agency, on Jan. 31, 2014.

    As far as I can tell, there was a crowd and it looked similar to the photo. However, the photographer/artist replaced the sea of people in the middle with people looking at the camera.

    There’s actually a video of this event (hat tip to Ian Pert and the Open Newsroom). An anonymous person sent me a screenshot from the video with the annotations that identify the same people in both the photo and the video (screenshot is from 13 seconds into the video). The base photo used for the Time picture had to have been taken within seconds of the video capture because they show the same people in nearly the same areas.

    Some of the problems that I noticed with the photo:

    • The shape of the crowd in the photo is different than the shape of the crowd in the video. So in a few seconds, the entire crowd shape changed.

    • Virtually everyone is facing forward in the photo. The video clip (from 12 seconds to 15 seconds) shows that there are people looking in every direction. Yet the photographer claims to have captured that one special moment when nearly everyone was looking forward at the camera. (I showed this photo to a few photographers who all agreed that a crowd that large looking at the camera like that was either staged or digitally altered. And given the video, the photo was clearly digitally altered.)
    • The video shows a haze over the crowd that gets thick in the distance. The photo shows the haze over the buildings but not over the sea of people.
    • People get smaller in the distance — it’s called ‘perspective’. In the video, you can see that the people near the camera are big, people in the distance are small, and there is a smooth height transition from big to small that follows the depth. In the photo, we have big people near the camera and small people right behind them; there is no transition related to the perspective.

    Prior to seeing the video, I only evaluated the photo. Every algorithm I tried showed a significant difference between the small-people crowd and the front and sides of the photo. The compression level is inconsistent, the depth of focus is inconsistent, the lighting is inconsistent, the coloring is inconsistent. There’s a guy with a monobrow in the center looking down (two people to the left of the blue ‘FIRE’ jacket); someone altered his face and hair. All of these modifications are significant. The picture may have been based on a photo, but the middle sea of people was replaced to make a stronger impression.

    DDoS Impact

    I recently wrote about journalist Brian Krebs and how only idiots attack the wrong person. Since they attacked my site, I assume that they wanted to attack me. But let’s take a look at this network attack against FotoForensics and see who it hurts…

    • The server was still up and running, and no data was compromised or destroyed. The server was not harmed.

    • The ISP quickly detected the attack and null-routed the packets. This attack was not hurting the ISP and not costing me or the ISP anything in bandwidth. The packets are being stopped far upstream.
    • While the system was unavailable from the public interface, I could still access it via the private interface. (I completed a full set of backups.)
    • I had a demo planned for today. The public server is not the demo box, so the DDoS did not impact my presentation. (The DDoS was not even a topic of conversation.)
    • The public server is not where I do work. This had zero impact on my ability to work for my clients, and it had no impact on my clients.
    • When I do analysis, I use tools and computers in my office. I don’t use the public system for my own work. So this DDoS does not impact my ability to do analysis.
    • We do occasionally ban and block people from using the FotoForensics site. People who were banned are still banned, so that doesn’t change. If someone is upset about being banned, then this does nothing to reinstate their access.
    • How about diverting attention? Maybe the attack is meant to cause people to stop looking so closely at photos. In that case, it failed. People still tweeted about FotoForensics today and word about the DDoS is spreading. All of this will only increase the site’s usage.

    The only people harmed by this attack are the general public, who only have access to the free site. Most recently, this includes people in South America who want to analyze photos of political unrest from Venezuela, people wanting to evaluate photos of atrocities in Syria and Ukraine, fans of One Direction who use the site to evaluate the band’s photos, and the folks at Reddit who want to look closer at everything. We cannot even blame this on pro- or anti-government entities since both sides seem to use FotoForensics. The site is neutral with regards to political turmoil and propaganda.

    This DDoS stopped everyone from using the public site… everyone except me and my research partners. I had a coworker who once told me, “If nobody is angry at you, then you’re not doing it right.” This DDoS just proves that the site works… at least well enough to piss someone off.