Tag Archives: fbi

Hackers Demand Ransom Over Stolen Copy of ‘Pirates of the Caribbean 5’

Post Syndicated from Ernesto original https://torrentfreak.com/hackers-demand-ransom-over-stolen-copy-of-pirates-of-the-caribbean-5-170516/

During a town hall meeting in New York on Monday, Disney CEO Bob Iger informed a group of ABC employees that hackers have stolen one of the company’s movies.

The hackers offered to keep it away from public eyes in exchange for ransom paid in Bitcoin but Disney says it has no intention to pay.

Although Iger did not mention the movie by name during the meeting, Deadline reports that it’s a copy of ‘Pirates of the Caribbean: Dead Men Tell No Tales.’

The fifth movie in the ‘Pirates’ franchise, starring Johnny Depp, is officially scheduled to appear in theaters next week. Needless to say, a high-quality leak at this point will be seen as a disaster for Disney.

The “ransom” demand from the hacker is reminiscent of another prominent entertainment industry leak, where the requested amount of Bitcoin was not paid.

Just a few weeks ago a group calling itself TheDarkOverlord (TDO) published the premiere episode of the fifth season of Netflix’s Orange is The New Black, followed by nine more episodes a few hours later.

Despite Netflix’s anti-piracy efforts, the ten leaked episodes of Orange is The New Black remain popular on many torrent indexes and pirate streaming sites.

There is no indication that the previous and threatened leaks are related in any way. TorrentFreak has seen a list of movies and TV-shows TDO said they have in their possession, but the upcoming ‘Pirates’ movie isn’t among them.

The Disney hackers have threatened to release the movie in increments, but the movie studio is hoping that they won’t go ahead with their claims.

Thus far there haven’t been any reports of leaked parts of the fifth Pirates of the Caribbean film. Disney, meanwhile, is working with the FBI to track down the people responsible for the hack.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

The Quick vs. the Strong: Commentary on Cory Doctorow’s Walkaway

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/the_quick_vs_th.html

Technological advances change the world. That’s partly because of what they are, but even more because of the social changes they enable. New technologies upend power balances. They give groups new capabilities, increased effectiveness, and new defenses. The Internet decades have been a never-ending series of these upendings. We’ve seen existing industries fall and new industries rise. We’ve seen governments become more powerful in some areas and less in others. We’ve seen the rise of a new form of governance: a multi-stakeholder model where skilled individuals can have more power than multinational corporations or major governments.

Among the many power struggles, there is one type I want to particularly highlight: the battles between the nimble individuals who start using a new technology first, and the slower organizations that come along later.

In general, the unempowered are the first to benefit from new technologies: hackers, dissidents, marginalized groups, criminals, and so on. When they first encountered the Internet, it was transformative. Suddenly, they had access to technologies for dissemination, coordination, organization, and action — things that were impossibly hard before. This can be incredibly empowering. In the early decades of the Internet, we saw it in the rise of Usenet discussion forums and special-interest mailing lists, in how the Internet routed around censorship, and how Internet governance bypassed traditional government and corporate models. More recently, we saw it in the SOPA/PIPA debate of 2011-12, the Gezi protests in Turkey and the various “color” revolutions, and the rising use of crowdfunding. These technologies can invert power dynamics, even in the presence of government surveillance and censorship.

But that’s just half the story. Technology magnifies power in general, but the rates of adoption are different. Criminals, dissidents, the unorganized — all outliers — are more agile. They can make use of new technologies faster, and can magnify their collective power because of it. But when the already-powerful big institutions finally figured out how to use the Internet, they had more raw power to magnify.

This is true for both governments and corporations. We now know that governments all over the world are militarizing the Internet, using it for surveillance, censorship, and propaganda. Large corporations are using it to control what we can do and see, and the rise of winner-take-all distribution systems only exacerbates this.

This is the fundamental tension at the heart of the Internet, and information-based technology in general. The unempowered are more efficient at leveraging new technology, while the powerful have more raw power to leverage. These two trends lead to a battle between the quick and the strong: the quick who can make use of new power faster, and the strong who can make use of that same power more effectively.

This battle is playing out today in many different areas of information technology. You can see it in the security vs. surveillance battles between criminals and the FBI, or dissidents and the Chinese government. You can see it in the battles between content pirates and various media organizations. You can see it where social-media giants and Internet-commerce giants battle against new upstarts. You can see it in politics, where the newer Internet-aware organizations fight with the older, more established, political organizations. You can even see it in warfare, where a small cadre of military can keep a country under perpetual bombardment — using drones — with no risk to the attackers.

This battle is fundamental to Cory Doctorow’s new novel Walkaway. Our heroes represent the quick: those who have checked out of traditional society, and thrive because easy access to 3D printers enables them to eschew traditional notions of property. Their enemy is the strong: the traditional government institutions that exert their power mostly because they can. This battle rages through most of the book, as the quick embrace ever-new technologies and the strong struggle to catch up.

It’s easy to root for the quick, both in Doctorow’s book and in the real world. And while I’m not going to give away Doctorow’s ending — and I don’t know enough to predict how it will play out in the real world — right now, trends favor the strong.

Centralized infrastructure favors traditional power, and the Internet is becoming more centralized. This is true at the endpoints, where companies like Facebook, Apple, Google, and Amazon control much of how we interact with information. It’s also true in the middle, where companies like Comcast increasingly control how information gets to us. It’s true in countries like Russia and China that increasingly legislate their own national agenda onto their pieces of the Internet. And it’s even true in countries like the US and the UK, that increasingly legislate more government surveillance capabilities.

At the 1996 World Economic Forum, cyber-libertarian John Perry Barlow issued his “Declaration of the Independence of Cyberspace,” telling the assembled world leaders and titans of industry: “You have no moral right to rule us, nor do you possess any methods of enforcement that we have true reason to fear.” Many of us believed him a scant 20 years ago, but today those words ring hollow.

But if history is any guide, these things are cyclic. In another 20 years, even newer technologies — both the ones Doctorow focuses on and the ones no one can predict — could easily tip the balance back in favor of the quick. Whether that will result in more of a utopia or a dystopia depends partly on these technologies, but even more on the social changes resulting from these technologies. I’m short-term pessimistic but long-term optimistic.

This essay previously appeared on Crooked Timber.

FBI’s Comey dangerous definition of "valid" journalism

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/05/fbis-comey-dangerous-definition-of.html

The First Amendment, the “freedom of speech” one, does not mention journalists. When it says “freedom of the press” it means the physical printing press. Yes, that does include newspapers, but it also includes anybody else publishing things, such as the famous agitprop pamphlets published by James Otis, John Dickinson, and Thomas Paine. There was no journalistic value to Thomas Paine’s Common Sense. The pamphlet argued for abolishing the monarchy and for American independence.

Today in testimony before Congress, FBI director James Comey came out in support of journalism, pointing out that they would not prosecute journalists doing their jobs. But he then modified his statement, describing “valid” journalists as those who, in possession of leaks, would first check with the government to avoid publishing anything that would damage national security. It’s a power the government has abused in the past to delay or censor leaks. It’s specifically why Edward Snowden contacted Glenn Greenwald and Laura Poitras — he wanted journalists who would not kowtow to the government on publishing the leaks.

Comey’s testimony today was in regards to prosecuting Assange and Wikileaks. Under the FBI’s official “journalist” classification scheme, Wikileaks are not real journalists, but instead publish “intelligence porn” and are hostile to America’s interests.

To be fair, there may be good reasons to prosecute Assange. Publishing leaks is one thing, but the suspicion with Wikileaks is that they do more, that they actively help obtain the leaks in the first place. The original leaks that started Wikileaks may have come from hacks by Assange himself. Assange may have helped Manning grab the diplomatic cables. Wikileaks may have been involved in hacking the DNC and Podesta emails, more than simply receiving and publishing the information.

If that’s the case, then the US government would have good reason to prosecute Wikileaks.

But that’s not what Comey said today. Instead, Comey referred only to Wikileaks’ constitutionally protected publishing activities, and how, since they didn’t fit his definition of “journalism”, they were open to prosecution. This is fundamentally wrong, and a violation of both the spirit and the letter of the First Amendment. The FBI should not have a definition of “journalism” it thinks is valid. Yes, Assange is an anti-American douchebag. Being an apologist for Putin’s Russia disproves his claim of being a neutral journalist targeting the corrupt and powerful. But these activities are specifically protected by the Constitution.

If this were 1776, Comey would of course be going after Thomas Paine, for publishing “revolution porn”, and not being a real journalist.

Kim Dotcom Asks Police to Urgently Interview FBI Director Jim Comey

Post Syndicated from Andy original https://torrentfreak.com/kim-dotcom-asks-police-to-urgently-interview-fbi-director-jim-comey-170425/

When authorities in the United States and New Zealand shut down Megaupload in 2012, large amounts of data were seized in both locations. The data in the US is currently gathering dust but over in New Zealand yet another storm is brewing.

In the weeks following the raid, hard drives seized from Dotcom in New Zealand were cloned and sent to the FBI in the United States. A judge later found that this should not have been allowed, ruling that the copies in the FBI’s possession must be destroyed.

Like almost every process in the Megaupload saga the ruling went to appeal and in 2014 Dotcom won again, with the Court of Appeal upholding the lower court’s decision, stating that the removal of the clones to the United States was “plainly not authorized.”

At the time Dotcom said that fighting back is “encoded in his DNA” and today he’s taking that fight to the FBI. On Sunday, FBI director James Comey touched down in Queenstown, New Zealand, for an intelligence conference. With Comey in the country, Dotcom seized the moment to file a complaint with local police.

In the complaint shared with TorrentFreak, lawyer Simon Cogan draws police attention to the Court of Appeal ruling determining that clones of Dotcom drives were unlawfully shipped to the FBI in the United States. Since Comey is in the country, police should take the opportunity to urgently interview him over this potential criminal matter.

“As director of the FBI, Mr Comey will be able to assist Police with their investigation of the matters raised in Mr Dotcom’s complaint,” the complaint reads, noting several key areas of interest as detailed below.

Speaking with TF, Dotcom says that since the New Zealand High Court and Court of Appeal have both ruled that the FBI had no authority to remove his data from New Zealand, the FBI acted unlawfully.

“In simple terms the FBI has committed theft,” Dotcom says.

“The NZ courts don’t have jurisdiction in the US and could therefore not assist me in getting my data back. But FBI Director Comey has just arrived in New Zealand for a conference meaning he is in the jurisdiction of NZ courts. We have asked the NZ police to question Mr Comey about the theft and to investigate.”

In addition to seeking assistance from the police, Dotcom says that he’s also initiated a new lawsuit to have his data returned.

“We have also launched a separate civil court action to force Mr Comey to return my data to New Zealand and to erase any and all copies the FBI / US Govt holds. We expect an urgent hearing of the matter in the High Court tomorrow,” Dotcom concludes.

It’s likely that this will be another Dotcom saga that will run and run, but despite the seriousness of the matter at hand, Dotcom was happy to take to Twitter this morning, delivering a video message in his own inimitable style.


Surveillance and our Insecure Infrastructure

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/04/surveillance_an_2.html

Since Edward Snowden revealed to the world the extent of the NSA’s global surveillance network, there has been a vigorous debate in the technological community about what its limits should be.

Less discussed is how many of these same surveillance techniques are used by other — smaller and poorer — more totalitarian countries to spy on political opponents, dissidents, human rights defenders; the press in Toronto has documented some of the many abuses, by countries like Ethiopia, the UAE, Iran, Syria, Kazakhstan, Sudan, Ecuador, Malaysia, and China.

That these countries can use network surveillance technologies to violate human rights is a shame on the world, and there’s a lot of blame to go around.

We can point to the governments that are using surveillance against their own citizens.

We can certainly blame the cyberweapons arms manufacturers that are selling those systems, and the countries — mostly European — that allow those arms manufacturers to sell those systems.

There’s a lot more the global Internet community could do to limit the availability of sophisticated Internet and telephony surveillance equipment to totalitarian governments. But I want to focus on another contributing cause to this problem: the fundamental insecurity of our digital systems that makes this a problem in the first place.

IMSI catchers are fake mobile phone towers. They allow someone to impersonate a cell network and collect information about phones in the vicinity of the device and they’re used to create lists of people who were at a particular event or near a particular location.

Fundamentally, the technology works because the phone in your pocket automatically trusts any cell tower to which it connects. There’s no security in the connection protocols between the phones and the towers.

IP intercept systems are used to eavesdrop on what people do on the Internet. Unlike the surveillance that happens at the sites you visit, by companies like Facebook and Google, this surveillance happens at the point where your computer connects to the Internet. Here, someone can eavesdrop on everything you do.

This system also exploits existing vulnerabilities in the underlying Internet communications protocols. Most of the traffic between your computer and the Internet is unencrypted, and what is encrypted is often vulnerable to man-in-the-middle attacks because of insecurities in both the Internet protocols and the encryption protocols that protect it.

There are many other examples. What they all have in common is that they are vulnerabilities in our underlying digital communications systems that allow someone — whether it’s a country’s secret police, a rival national intelligence organization, or criminal group — to break or bypass what security there is and spy on the users of these systems.

These insecurities exist for two reasons. First, they were designed in an era where computer hardware was expensive and inaccessibility was a reasonable proxy for security. When the mobile phone network was designed, faking a cell tower was an incredibly difficult technical exercise, and it was reasonable to assume that only legitimate cell providers would go to the effort of creating such towers.

At the same time, computers were less powerful and software was much slower, so adding security into the system seemed like a waste of resources. Fast forward to today: computers are cheap and software is fast, and what was impossible only a few decades ago is now easy.

The second reason is that governments use these surveillance capabilities for their own purposes. The FBI has used IMSI-catchers for years to investigate crimes. The NSA uses IP interception systems to collect foreign intelligence. Both of these agencies, as well as their counterparts in other countries, have put pressure on the standards bodies that create these systems to not implement strong security.

Of course, technology isn’t static. With time, things become cheaper and easier. What was once a secret NSA interception program or a secret FBI investigative tool becomes usable by less-capable governments and cybercriminals.

Man-in-the-middle attacks against Internet connections are a common criminal tool to steal credentials from users and hack their accounts.

IMSI-catchers are used by criminals, too. Right now, you can go onto Alibaba.com and buy your own IMSI catcher for under $2,000.

Despite their uses by democratic governments for legitimate purposes, our security would be much better served by fixing these vulnerabilities in our infrastructures.

These systems are not only used by dissidents in totalitarian countries, they’re also used by legislators, corporate executives, critical infrastructure providers, and many others in the US and elsewhere.

That we allow people to remain insecure and vulnerable is both wrongheaded and dangerous.

Earlier this month, two American legislators — Senator Ron Wyden and Rep Ted Lieu — sent a letter to the chairman of the Federal Communications Commission, demanding that he do something about the country’s insecure telecommunications infrastructure.

They pointed out that not only are insecurities rampant in the underlying protocols and systems of the telecommunications infrastructure, but also that the FCC knows about these vulnerabilities and isn’t doing anything to force the telcos to fix them.

Wyden and Lieu make the point that fixing these vulnerabilities is a matter of US national security, but it’s also a matter of international human rights. All modern communications technologies are global, and anything the US does to improve its own security will also improve security worldwide.

Yes, it means that the FBI and the NSA will have a harder job spying, but it also means that the world will be a safer and more secure place.

This essay previously appeared on AlJazeera.com.

FBI Uses BitTorrent to Find and Catch Child Porn Offenders

Post Syndicated from Ernesto original https://torrentfreak.com/fbi-uses-bittorrent-to-find-and-catch-child-porn-offenders-170415/

To combat the distribution of child pornography on the Internet, U.S. law enforcement is using BitTorrent to track down and catch perpetrators.

File-sharing networks and tools are used to transfer all sorts of files, including pornographic footage of children.

The Department of Justice in the U.S. sees these cases as a high priority and has successfully prosecuted many cases in recent years. Several of these were concluded with help from P2P file-sharing software.

A few years ago applications with shared folders, such as Limewire, allowed the FBI to pinpoint infringers who were actively sharing illegal content. The evidence in these cases was relatively strong and led to many convictions.

However, now that Limewire and other popular “shared folder” applications are no longer available, law enforcement has switched to BitTorrent.

While there have been similar cases before, this week we first spotted an indictment where BitTorrent was used to find someone sharing these files. In the affidavit, signed by a Homeland Security Investigations agent, the process is explained in detail.

The agent describes BitTorrent as a “very popular” file-sharing network that users typically connect to through torrents they download from search engines such as Isohunt or The Pirate Bay.

These torrent sites don’t store any material themselves, the affidavit clarifies, but the perpetrators and law enforcement can use these sites to find illegal content.

“Law enforcement can search the BitTorrent network in order to locate individuals sharing previously identified child exploitation material in the same way a user searches this network,” the affidavit reads.

“By searching the network for these known torrents, law enforcement can quickly identify targets in the searcher’s jurisdiction.”

The FBI and other law enforcement agencies use these search engines to find torrents that are known to link to child porn. They then load the torrent files in modified torrent clients and obtain IP-addresses and other information from the associated trackers.

The software in question is modified to download complete files from a single source, so the investigator knows that the person on the other end has a full copy.

“There is law enforcement-specific BitTorrent network software which allows for single-source downloads from a computer at a single IP address, meaning that an entire file or files are downloaded only from a computer at a single IP address as opposed to obtaining the file from multiple peers/clients on the BitTorrent network.

“This procedure allows for the detection and investigation of those computers involved in sharing digital files of known or suspected child pornography on the BitTorrent network,” the affidavit adds.

In the present case a search by FBI special agent David Hand led to a Simi Valley man, who was arrested and indicted by a federal grand jury last week.

In addition to distributing child pornography, a follow-up investigation unveiled more gruesome details. The indictment alleges that the man also took 83 images and three videos of a 6-year-old girl with his iPhone.

Based on the above, the man faces lengthy prison terms for producing, distributing and possessing child pornography.


Kodi Wants to Beat Piracy With Legal Content and DRM

Post Syndicated from Ernesto original https://torrentfreak.com/kodi-wants-to-beat-piracy-with-legal-content-and-drm-170409/

Millions of people use Kodi as their main source of entertainment, often with help from add-ons that allow them to access pirated movies and TV-shows.

As Kodi’s popularity has increased drastically over the past two years, so have complaints from copyright holders.

While Kodi itself is a neutral platform, unauthorized add-ons give it a bad name. This is one of the reasons why the Kodi team is actively going after vendors who sell “fully loaded” pirate boxes and YouTubers who misuse their name to promote copyright infringement.

Interestingly, the Kodi team itself didn’t help its case by putting up an FBI seizure notice last week, as an April Fools gag.

The banner suggested that the site had been taken down by the US Department of Justice for copyright infringement. Downloads of the latest builds of the software were also blocked.

[Image: Kodi’s April Fools gag]

This week TorrentFreak spoke with several members of the Kodi team, operating under the XBMC Foundation, who made it clear that they want to cooperate with rightsholders instead of being accused of facilitating piracy.

The team told us that copyright holders regularly approach them. Some are well informed and know that Kodi itself isn’t actively involved in anything piracy related. However, according to XBMC Foundation President Nathan Betzen, there are also those who are fooled by misleading media reports or YouTube videos.

“There are rightsholders that know who we are and realize we are distinct from the 3rd party add-on crowd,” Betzen says.

“And then there are the rights holders who have been successfully taken in by the propaganda, who write us very legal sounding letters because some random YouTuber or ‘news’ website described the author of a piracy add-on as a ‘Kodi developer’.”

The Kodi team doesn’t mind being approached by people who are misinformed, as it gives them an opportunity to set the record straight. It has proven to be more challenging to find a way forward with movie studios and other content creators that are aware of Kodi’s position.

These movie industry representatives sometimes ask Kodi to remove third-party repo installs and block certain pirate add-ons. However, according to XBMC Foundation project lead Martijn Kaijser, this isn’t the direction Kodi wants to go in.

“Our view on this is that [removing code] would not help a bit, because the code is open-source and others can easily revert it. Blocking add-ons won’t help since they would instantly change the addon and the block would be in vain,” Kaijser tells us.

The Kodi team feels that pirates are leeching off their infrastructure and putting the entire community at risk. But, instead of taking a repressive approach, they would like to see more legal content providers join their platform. With an audience of millions of users, there is a lot of untapped potential on a platform that’s rapidly growing.

To facilitate this process, the media player is currently considering whether to add support for DRM so that content providers can offer their videos in a protected environment. While some users may cringe at the thought, Kodi believes it’ll help to get rightsholders on board.

“Our platform has a lot of potential and we are looking into attracting more legal and official content providers. Additionally, we’re looking into adding low-level DRM that would at least make it more feasible to gain trust from certain providers,” Kaijser tells TorrentFreak.

[Image: Kodi add-ons]

Although Kodi does go after sellers of pirate boxes, Betzen personally doesn’t believe that this is the answer. The best way to deal with the piracy issue is to offer more legal content through official add-ons.

“We’d like to actually work with content providers to have official add-ons in our network. That’s much easier to do when we are proactively attempting to help them to fight copyright infringement,” Betzen says.

There are already plenty of legal uses for Kodi, including the DVR system, support for legal sports streaming, and a variety of add-ons such as Crunchyroll, HDHomeRun, Plex and Twitch. However, getting some major content providers on board has proven to be quite a challenge thus far.

Kaijser notes that rightsholders have been very reserved thus far. He tried to convince content providers to offer official add-ons, or even turn some community made ones into official ones, but hasn’t had much success.

In a way, the repeated piracy discussions and news items are both a blessing and a curse for Kodi. They help to grow the platform at a rate most competitors could only dream of, while at the same time keeping rightsholders at bay. Time will tell if Kodi can turn this around.


Encryption Policy and Freedom of the Press

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/04/encryption_poli.html

Interesting law journal article: “Encryption and the Press Clause,” by D. Victoria Baranetsky.

Abstract: Almost twenty years ago, a hostile debate over whether government could regulate encryption — later named the Crypto Wars — seized the country. At the center of this debate stirred one simple question: is encryption protected speech? This issue touched all branches of government, percolating from Congress, to the President, and eventually to the federal courts. In a waterfall of cases, several United States Courts of Appeals appeared to reach a consensus that encryption was protected speech under the First Amendment, and with that the Crypto Wars appeared to be over, until now.

Nearly twenty years later, the Crypto Wars have returned. Following recent mass shootings, law enforcement has once again questioned the legal protection for encryption and tried to implement “backdoor” techniques to access messages sent over encrypted channels. In the case, Apple v. FBI, the agency tried to compel Apple to grant access to the iPhone of a San Bernardino shooter. The case was never decided, but the legal arguments briefed before the court were essentially the same as they were two decades prior. Apple and amici supporting the company argued that encryption was protected speech.

While these arguments remain convincing, circumstances have changed in ways that should be reflected in the legal doctrines that lawyers use. Unlike twenty years ago, today surveillance is ubiquitous, and the need for encryption is no longer felt by a seldom few. Encryption has become necessary for even the most basic exchange of information given that most Americans share “nearly every aspect of their lives – from the mundane to the intimate” over the Internet, as stated in a recent Supreme Court opinion.

Given these developments, lawyers might consider a new justification under the Press Clause. In addition to the many doctrinal concerns that exist with protection under the Speech Clause, the Press Clause is normatively and descriptively more accurate at protecting encryption as a tool for secure communication without fear of government surveillance. This Article outlines that framework by examining the historical and theoretical transformation of the Press Clause since its inception.

FBI Cannot Examine Megaupload Servers, Canada Appeal Court Rules

Post Syndicated from Andy original https://torrentfreak.com/fbi-cannot-examine-megaupload-servers-canada-appeal-court-rules-170403/

It’s incredible to think that more than five years after the raids on Megaupload, in some respects the case has made virtually no progress. This is particularly true of the defunct company’s servers in Canada.

Canada became quietly involved in the Megaupload investigation in December 2011, around a month before the raids in New Zealand, the United States, and elsewhere. The U.S. Department of Justice asked the Minister of Justice to obtain a search warrant authorizing the seizure of 32 leased computer servers located in Toronto.

On January 18, 2012, a Superior Court judge in Ontario issued the warrant which targeted the servers located in an Equinix datacenter. As the case continued to build against Megaupload, Kim Dotcom and his associates, the U.S. government asked Canadian authorities to hand the hardware over, claiming that an internal Megaupload email revealed them to be “database / number crunching machines.”

With the servers in the possession of the Royal Canadian Mounted Police, during January 2013 the Minister of Justice applied for an order for the servers to be sent to the United States. Megaupload protested on the basis that the servers contain a lot of information irrelevant to the case, but agreed that an independent forensic examiner could examine them before any handover.

An Ontario court sided with Megaupload and refused to send the servers’ data to the United States. In 2015, both sides were ordered to find a way to filter out irrelevant content, perhaps with the aid of a “clean team” of FBI investigators who had no connection with the case.

While this path was approved by a judge, both Megaupload and Equinix objected to the proposal, complaining that the FBI shouldn’t be involved at all and any examination should be carried out independently. In common with almost every decision in various Megaupload cases, this one also went to appeal.

The Ontario Court of Appeal handed down its decision on Friday, this time in favor of Megaupload.

“The judge had to decide what material, if any, should be ordered sent to the United States. The appellant and the American investigators, the FBI, stood in a strongly adversarial position with respect to the order that should be made,” the Court of Appeal wrote in its decision.

“The judge, because of the nature of the seized material, needed help in determining what order should be made. The judge needed someone who could prepare a report outlining the nature of the material so that the judge could decide what part of the material, if any, should be sent to the United States.”

Noting that the report would “significantly influence” the nature and scope of any order made by the judge, the appeal court said that while the FBI may indeed carry out their task as asked, having them involved at all would be entirely inappropriate.

“In my view, it is offensive to the appearance of fairness, and specifically the appearance of judicial impartiality, to have an entity closely associated with one of the adversaries provide the judge with the necessary report,” the decision reads.

“In coming to that conclusion, I make no assumption that the FBI ‘clean team’ would not comply with whatever conditions the court imposed. My concern is with the appearance of fairness and impartiality.”

The appeal court said that when a judge is asked to appoint an investigator, the starting point should always be with people unconnected with the case. Consideration should also be given to the issue of costs (the FBI option in the Megaupload case was cheaper), but they would have to be prohibitively excessive to choose an affiliated entity over an independent party.

With the earlier decision now overruled, the servers will continue to gather dust in the hands of the RCMP, where they have been since their seizure in 2012. No doubt the legal wrangling will continue, as it has done in the United States concerning the servers there.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

In Case You Missed These: AWS Security Blog Posts from January, February, and March

Post Syndicated from Craig Liebendorfer original https://aws.amazon.com/blogs/security/in-case-you-missed-these-aws-security-blog-posts-from-january-february-and-march/

In case you missed any AWS Security Blog posts published so far in 2017, they are summarized and linked to below. The posts are shown in reverse chronological order (most recent first), and the subject matter ranges from protecting dynamic web applications against DDoS attacks to monitoring AWS account configuration changes and API calls to Amazon EC2 security groups.

March

March 22: How to Help Protect Dynamic Web Applications Against DDoS Attacks by Using Amazon CloudFront and Amazon Route 53
Using a content delivery network (CDN) such as Amazon CloudFront to cache and serve static text and images or downloadable objects such as media files and documents is a common strategy to improve webpage load times, reduce network bandwidth costs, lessen the load on web servers, and mitigate distributed denial of service (DDoS) attacks. AWS WAF is a web application firewall that can be deployed on CloudFront to help protect your application against DDoS attacks by giving you control over which traffic to allow or block by defining security rules. When users access your application, the Domain Name System (DNS) translates human-readable domain names (for example, www.example.com) to machine-readable IP addresses (for example, 192.0.2.44). A DNS service, such as Amazon Route 53, can effectively connect users’ requests to a CloudFront distribution that proxies requests for dynamic content to the infrastructure hosting your application’s endpoints. In this blog post, I show you how to deploy CloudFront with AWS WAF and Route 53 to help protect dynamic web applications (with dynamic content such as a response to user input) against DDoS attacks. The steps shown in this post are key to implementing the overall approach described in AWS Best Practices for DDoS Resiliency and enable the built-in, managed DDoS protection service, AWS Shield.

March 21: New AWS Encryption SDK for Python Simplifies Multiple Master Key Encryption
The AWS Cryptography team is happy to announce a Python implementation of the AWS Encryption SDK. This new SDK helps manage data keys for you, and it simplifies the process of encrypting data under multiple master keys. As a result, this new SDK allows you to focus on the code that drives your business forward. It also provides a framework you can easily extend to ensure that you have a cryptographic library that is configured to match and enforce your standards. The SDK also includes ready-to-use examples. If you are a Java developer, you can refer to this blog post to see specific Java examples for the SDK. In this blog post, I show you how you can use the AWS Encryption SDK to simplify the process of encrypting data and how to protect your encryption keys in ways that help improve application availability by not tying you to a single region or key management solution.

March 21: Updated CJIS Workbook Now Available by Request
The need for guidance when implementing Criminal Justice Information Services (CJIS)–compliant solutions has become of paramount importance as more law enforcement customers and technology partners move to store and process criminal justice data in the cloud. AWS services allow these customers to easily and securely architect a CJIS-compliant solution when handling criminal justice data, creating a durable, cost-effective, and secure IT infrastructure that better supports local, state, and federal law enforcement in carrying out their public safety missions. AWS has created several documents (collectively referred to as the CJIS Workbook) to assist you in aligning with the FBI’s CJIS Security Policy. You can use the workbook as a framework for developing CJIS-compliant architecture in the AWS Cloud. The workbook helps you define and test the controls you operate, and document the dependence on the controls that AWS operates (compute, storage, database, networking, regions, Availability Zones, and edge locations).

March 9: New Cloud Directory API Makes It Easier to Query Data Along Multiple Dimensions
Today, we made available a new Cloud Directory API, ListObjectParentPaths, that enables you to retrieve all available parent paths for any directory object across multiple hierarchies. Use this API when you want to fetch all parent objects for a specific child object. The order of the paths and objects returned is consistent across iterative calls to the API, unless objects are moved or deleted. In case an object has multiple parents, the API allows you to control the number of paths returned by using a paginated call pattern. In this blog post, I use an example directory to demonstrate how this new API enables you to retrieve data across multiple dimensions to implement powerful applications quickly.

March 8: How to Access the AWS Management Console Using AWS Microsoft AD and Your On-Premises Credentials
AWS Directory Service for Microsoft Active Directory, also known as AWS Microsoft AD, is a managed Microsoft Active Directory (AD) hosted in the AWS Cloud. Now, AWS Microsoft AD makes it easy for you to give your users permission to manage AWS resources by using on-premises AD administrative tools. With AWS Microsoft AD, you can grant your on-premises users permissions to resources such as the AWS Management Console instead of adding AWS Identity and Access Management (IAM) user accounts or configuring AD Federation Services (AD FS) with Security Assertion Markup Language (SAML). In this blog post, I show how to use AWS Microsoft AD to enable your on-premises AD users to sign in to the AWS Management Console with their on-premises AD user credentials to access and manage AWS resources through IAM roles.

March 7: How to Protect Your Web Application Against DDoS Attacks by Using Amazon Route 53 and an External Content Delivery Network
Distributed Denial of Service (DDoS) attacks are attempts by a malicious actor to flood a network, system, or application with more traffic, connections, or requests than it is able to handle. To protect your web application against DDoS attacks, you can use AWS Shield, a DDoS protection service that AWS provides automatically to all AWS customers at no additional charge. You can use AWS Shield in conjunction with DDoS-resilient web services such as Amazon CloudFront and Amazon Route 53 to improve your ability to defend against DDoS attacks. Learn more about architecting for DDoS resiliency by reading the AWS Best Practices for DDoS Resiliency whitepaper. You also have the option of using Route 53 with an externally hosted content delivery network (CDN). In this blog post, I show how you can help protect the zone apex (also known as the root domain) of your web application by using Route 53 to perform a secure redirect to prevent discovery of your application origin.

February

February 27: Now Generally Available – AWS Organizations: Policy-Based Management for Multiple AWS Accounts
Today, AWS Organizations moves from Preview to General Availability. You can use Organizations to centrally manage multiple AWS accounts, with the ability to create a hierarchy of organizational units (OUs). You can assign each account to an OU, define policies, and then apply those policies to an entire hierarchy, specific OUs, or specific accounts. You can invite existing AWS accounts to join your organization, and you can also create new accounts. All of these functions are available from the AWS Management Console, the AWS Command Line Interface (CLI), and through the AWS Organizations API. To read the full AWS Blog post about today’s launch, see AWS Organizations – Policy-Based Management for Multiple AWS Accounts.

February 23: s2n Is Now Handling 100 Percent of SSL Traffic for Amazon S3
Today, we’ve achieved another important milestone for securing customer data: we have replaced OpenSSL with s2n for all internal and external SSL traffic in Amazon Simple Storage Service (Amazon S3) commercial regions. This was implemented with minimal impact to customers, and multiple means of error checking were used to ensure a smooth transition, including client integration tests, catching potential interoperability conflicts, and identifying memory leaks through fuzz testing.

February 22: Easily Replace or Attach an IAM Role to an Existing EC2 Instance by Using the EC2 Console
AWS Identity and Access Management (IAM) roles enable your applications running on Amazon EC2 to use temporary security credentials. IAM roles for EC2 make it easier for your applications to make API requests securely from an instance because they do not require you to manage AWS security credentials that the applications use. Recently, we enabled you to use temporary security credentials for your applications by attaching an IAM role to an existing EC2 instance by using the AWS CLI and SDK. To learn more, see New! Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI. Starting today, you can attach an IAM role to an existing EC2 instance from the EC2 console. You can also use the EC2 console to replace an IAM role attached to an existing instance. In this blog post, I will show how to attach an IAM role to an existing EC2 instance from the EC2 console.

February 22: How to Audit Your AWS Resources for Security Compliance by Using Custom AWS Config Rules
AWS Config Rules enables you to implement security policies as code for your organization and evaluate configuration changes to AWS resources against these policies. You can use Config rules to audit your use of AWS resources for compliance with external compliance frameworks such as CIS AWS Foundations Benchmark and with your internal security policies related to the US Health Insurance Portability and Accountability Act (HIPAA), the Federal Risk and Authorization Management Program (FedRAMP), and other regimes. AWS provides some predefined, managed Config rules. You also can create custom Config rules based on criteria you define within an AWS Lambda function. In this post, I show how to create a custom rule that audits AWS resources for security compliance by enabling VPC Flow Logs for an Amazon Virtual Private Cloud (VPC). The custom rule meets requirement 4.3 of the CIS AWS Foundations Benchmark: “Ensure VPC flow logging is enabled in all VPCs.”

February 13: AWS Announces CISPE Membership and Compliance with First-Ever Code of Conduct for Data Protection in the Cloud
I have two exciting announcements today, both showing AWS’s continued commitment to ensuring that customers can comply with EU Data Protection requirements when using our services.

February 13: How to Enable Multi-Factor Authentication for AWS Services by Using AWS Microsoft AD and On-Premises Credentials
You can now enable multi-factor authentication (MFA) for users of AWS services such as Amazon WorkSpaces and Amazon QuickSight and their on-premises credentials by using your AWS Directory Service for Microsoft Active Directory (Enterprise Edition) directory, also known as AWS Microsoft AD. MFA adds an extra layer of protection to a user name and password (the first “factor”) by requiring users to enter an authentication code (the second factor), which has been provided by your virtual or hardware MFA solution. These factors together provide additional security by preventing access to AWS services, unless users supply a valid MFA code.

February 13: How to Create an Organizational Chart with Separate Hierarchies by Using Amazon Cloud Directory
Amazon Cloud Directory enables you to create directories for a variety of use cases, such as organizational charts, course catalogs, and device registries. Cloud Directory offers you the flexibility to create directories with hierarchies that span multiple dimensions. For example, you can create an organizational chart that you can navigate through separate hierarchies for reporting structure, location, and cost center. In this blog post, I show how to use Cloud Directory APIs to create an organizational chart with two separate hierarchies in a single directory. I also show how to navigate the hierarchies and retrieve data. I use the Java SDK for all the sample code in this post, but you can use other language SDKs or the AWS CLI.

February 10: How to Easily Log On to AWS Services by Using Your On-Premises Active Directory
AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as Microsoft AD, now enables your users to log on with just their on-premises Active Directory (AD) user name—no domain name is required. This new domainless logon feature makes it easier to set up connections to your on-premises AD for use with applications such as Amazon WorkSpaces and Amazon QuickSight, and it keeps the user logon experience free from network naming. This new interforest trusts capability is now available when using Microsoft AD with Amazon WorkSpaces and Amazon QuickSight Enterprise Edition. In this blog post, I explain how Microsoft AD domainless logon works with AD interforest trusts, and I show an example of setting up Amazon WorkSpaces to use this capability.

February 9: New! Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI
AWS Identity and Access Management (IAM) roles enable your applications running on Amazon EC2 to use temporary security credentials that AWS creates, distributes, and rotates automatically. Using temporary credentials is an IAM best practice because you do not need to maintain long-term keys on your instance. Using IAM roles for EC2 also eliminates the need to use long-term AWS access keys that you have to manage manually or programmatically. Starting today, you can enable your applications to use temporary security credentials provided by AWS by attaching an IAM role to an existing EC2 instance. You can also replace the IAM role attached to an existing EC2 instance. In this blog post, I show how you can attach an IAM role to an existing EC2 instance by using the AWS CLI.

February 8: How to Remediate Amazon Inspector Security Findings Automatically
The Amazon Inspector security assessment service can evaluate the operating environments and applications you have deployed on AWS for common and emerging security vulnerabilities automatically. As an AWS-built service, Amazon Inspector is designed to exchange data and interact with other core AWS services not only to identify potential security findings but also to automate addressing those findings. Previous related blog posts showed how you can deliver Amazon Inspector security findings automatically to third-party ticketing systems and automate the installation of the Amazon Inspector agent on new Amazon EC2 instances. In this post, I show how you can automatically remediate findings generated by Amazon Inspector. To get started, you must first run an assessment and publish any security findings to an Amazon Simple Notification Service (SNS) topic. Then, you create an AWS Lambda function that is triggered by those notifications. Finally, the Lambda function examines the findings and then implements the appropriate remediation based on the type of issue.

February 6: How to Simplify Security Assessment Setup Using Amazon EC2 Systems Manager and Amazon Inspector
In a July 2016 AWS Blog post, I discussed how to integrate Amazon Inspector with third-party ticketing systems by using Amazon Simple Notification Service (SNS) and AWS Lambda. This AWS Security Blog post continues in the same vein, describing how to use Amazon Inspector to automate various aspects of security management. In this post, I show you how to install the Amazon Inspector agent automatically through the Amazon EC2 Systems Manager when a new Amazon EC2 instance is launched. In a subsequent post, I will show you how to update EC2 instances automatically that run Linux when Amazon Inspector discovers a missing security patch.

January

January 30: How to Protect Data at Rest with Amazon EC2 Instance Store Encryption
Encrypting data at rest is vital for regulatory compliance to ensure that sensitive data saved on disks is not readable by any user or application without a valid key. Some compliance regulations such as PCI DSS and HIPAA require that data at rest be encrypted throughout the data lifecycle. To this end, AWS provides data-at-rest options and key management to support the encryption process. For example, you can encrypt Amazon EBS volumes and configure Amazon S3 buckets for server-side encryption (SSE) using AES-256 encryption. Additionally, Amazon RDS supports Transparent Data Encryption (TDE). Instance storage provides temporary block-level storage for Amazon EC2 instances. This storage is located on disks attached physically to a host computer. Instance storage is ideal for temporary storage of information that frequently changes, such as buffers, caches, and scratch data. By default, files stored on these disks are not encrypted. In this blog post, I show a method for encrypting data on Linux EC2 instance stores by using Linux built-in libraries. This method encrypts files transparently, which protects confidential data. As a result, applications that process the data are unaware of the disk-level encryption.

January 27: How to Detect and Automatically Remediate Unintended Permissions in Amazon S3 Object ACLs with CloudWatch Events
Amazon S3 Access Control Lists (ACLs) enable you to specify permissions that grant access to S3 buckets and objects. When S3 receives a request for an object, it verifies whether the requester has the necessary access permissions in the associated ACL. For example, you could set up an ACL for an object so that only the users in your account can access it, or you could make an object public so that it can be accessed by anyone. If the number of objects and users in your AWS account is large, ensuring that you have attached correctly configured ACLs to your objects can be a challenge. For example, what if a user were to call the PutObjectAcl API call on an object that is supposed to be private and make it public? Or, what if a user were to call the PutObject with the optional Acl parameter set to public-read, therefore uploading a confidential file as publicly readable? In this blog post, I show a solution that uses Amazon CloudWatch Events to detect PutObject and PutObjectAcl API calls in near-real time and helps ensure that the objects remain private by making automatic PutObjectAcl calls, when necessary.
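The detect-and-remediate loop described above, as an added example that is not the AWS post's own code: it assumes the CloudWatch Events payload wraps a CloudTrail record under `detail`, with an explicit object ACL in `requestParameters.AccessControlPolicy` (PutObjectAcl) or a canned ACL in `requestParameters["x-amz-acl"]` (PutObject); the sample events are constructed to that shape and the S3 client is injected so the logic runs offline.

```python
"""Detect object-level S3 ACL changes that make an object public, and reset them.

Added example, not the AWS blog post's code. The CloudTrail field layout
used here (eventName, requestParameters.bucketName/key, AccessControlPolicy,
x-amz-acl) is an assumption of this example; the sample events are constructed.
"""
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def _grants(policy):
    """CloudTrail records a single Grant as a dict and several as a list."""
    grant = (policy or {}).get("AccessControlList", {}).get("Grant", [])
    return grant if isinstance(grant, list) else [grant]


def public_exposure(event):
    """Return (bucket, key, reason) when the recorded call made an object
    readable by AllUsers/AuthenticatedUsers, otherwise None."""
    detail = event.get("detail", {})
    name = detail.get("eventName")
    params = detail.get("requestParameters") or {}
    bucket, key = params.get("bucketName"), params.get("key")
    if not bucket or not key or name not in ("PutObject", "PutObjectAcl"):
        return None
    canned = params.get("x-amz-acl")          # canned ACL sent as a header
    canned = canned[0] if isinstance(canned, list) else canned
    if canned in PUBLIC_CANNED_ACLS:
        return bucket, key, f"canned ACL {canned}"
    for g in _grants(params.get("AccessControlPolicy")):   # explicit grants
        uri = (g.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            return bucket, key, f"grant {g.get('Permission')} to {uri.rsplit('/', 1)[-1]}"
    return None


def remediate(event, s3):
    """Reset a newly public object to the owner-only 'private' canned ACL.
    `s3` is anything with boto3's put_object_acl(Bucket=, Key=, ACL=)."""
    found = public_exposure(event)
    if found is None:
        return None
    bucket, key, reason = found
    s3.put_object_acl(Bucket=bucket, Key=key, ACL="private")
    return {"bucket": bucket, "key": key, "reason": reason}


def lambda_handler(event, context, s3=None):
    """Entry point for a Lambda target of the CloudWatch Events rule."""
    if s3 is None:
        import boto3  # only needed inside Lambda, not for the offline demo
        s3 = boto3.client("s3")
    return remediate(event, s3)


class RecordingS3:
    """Stand-in for the boto3 client: records the calls it would have made."""
    def __init__(self):
        self.calls = []

    def put_object_acl(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def _event(name, **request_parameters):
    """Build a constructed CloudWatch Events payload for one S3 API call."""
    return {"detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "s3.amazonaws.com", "eventName": name,
                       "requestParameters": {"bucketName": "example-confidential-bucket",
                                             "key": "reports/q1.pdf", **request_parameters}}}


# Constructed sample events: an explicit public grant, a public canned ACL, a private one.
SAMPLE_PUT_OBJECT_ACL = _event("PutObjectAcl", AccessControlPolicy={
    "AccessControlList": {"Grant": [
        {"Grantee": {"xsi:type": "CanonicalUser", "ID": "EXAMPLEOWNERID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]}})
SAMPLE_PUT_OBJECT_PUBLIC = _event("PutObject", **{"x-amz-acl": ["public-read"]})
SAMPLE_PUT_OBJECT_PRIVATE = _event("PutObject", **{"x-amz-acl": ["private"]})

if __name__ == "__main__":
    s3 = RecordingS3()
    for ev in (SAMPLE_PUT_OBJECT_ACL, SAMPLE_PUT_OBJECT_PUBLIC, SAMPLE_PUT_OBJECT_PRIVATE):
        print(ev["detail"]["eventName"], "->", lambda_handler(ev, None, s3))
    print("remediation calls:", s3.calls)
```

Bucket-level protections (Block Public Access, bucket policies) are the stronger control; this handler is the compensating check for objects that slip through at the ACL layer.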

January 26: Now Available: Amazon Cloud Directory—A Cloud-Native Directory for Hierarchical Data
Today we are launching Amazon Cloud Directory. This service is purpose-built for storing large amounts of strongly typed hierarchical data. With the ability to scale to hundreds of millions of objects while remaining cost-effective, Cloud Directory is a great fit for all sorts of cloud and mobile applications.

January 24: New SOC 2 Report Available: Confidentiality
As with everything at Amazon, the success of our security and compliance program is primarily measured by one thing: our customers’ success. Our customers drive our portfolio of compliance reports, attestations, and certifications that support their efforts in running a secure and compliant cloud environment. As a result of our engagement with key customers across the globe, we are happy to announce the publication of our new SOC 2 Confidentiality report. This report is available now through AWS Artifact in the AWS Management Console.

January 18: Compliance in the Cloud for New Financial Services Cybersecurity Regulations
Financial regulatory agencies are focused more than ever on ensuring responsible innovation. Consequently, if you want to achieve compliance with financial services regulations, you must be increasingly agile and employ dynamic security capabilities. AWS enables you to achieve this by providing you with the tools you need to scale your security and compliance capabilities on AWS. The following breakdown of the most recent cybersecurity regulations, NY DFS Rule 23 NYCRR 500, demonstrates how AWS continues to focus on your regulatory needs in the financial services sector.

January 9: New Amazon GameDev Blog Post: Protect Multiplayer Game Servers from DDoS Attacks by Using Amazon GameLift
In online gaming, distributed denial of service (DDoS) attacks target a game’s network layer, flooding servers with requests until performance degrades considerably. These attacks can limit a game’s availability to players and limit the player experience for those who can connect. Today’s new Amazon GameDev Blog post uses a typical game server architecture to highlight DDoS attack vulnerabilities and discusses how to stay protected by using built-in AWS Cloud security, AWS security best practices, and the security features of Amazon GameLift. Read the post to learn more.

January 6: The Top 10 Most Downloaded AWS Security and Compliance Documents in 2016
The following list includes the 10 most downloaded AWS security and compliance documents in 2016. Using this list, you can learn about what other people found most interesting about security and compliance last year.

January 6: FedRAMP Compliance Update: AWS GovCloud (US) Region Receives a JAB-Issued FedRAMP High Baseline P-ATO for Three New Services
Three new services in the AWS GovCloud (US) region have received a Provisional Authority to Operate (P-ATO) from the Joint Authorization Board (JAB) under the Federal Risk and Authorization Management Program (FedRAMP). JAB issued the authorization at the High baseline, which gives US government agencies and their service providers the ability to use these services to process the government’s most sensitive unclassified data, including Personal Identifiable Information (PII), Protected Health Information (PHI), Controlled Unclassified Information (CUI), criminal justice information (CJI), and financial data.

January 4: The Top 20 Most Viewed AWS IAM Documentation Pages in 2016
The following 20 pages were the most viewed AWS Identity and Access Management (IAM) documentation pages in 2016. I have included a brief description with each link to give you a clearer idea of what each page covers. Use this list to see what other people have been viewing and perhaps to pique your own interest about a topic you’ve been meaning to research.

January 3: The Most Viewed AWS Security Blog Posts in 2016
The following 10 posts were the most viewed AWS Security Blog posts that we published during 2016. You can use this list as a guide to catch up on your blog reading or even read a post again that you found particularly useful.

January 3: How to Monitor AWS Account Configuration Changes and API Calls to Amazon EC2 Security Groups
You can use AWS security controls to detect and mitigate risks to your AWS resources. The purpose of each security control is defined by its control objective. For example, the control objective of an Amazon VPC security group is to permit only designated traffic to enter or leave a network interface. Let’s say you have an Internet-facing e-commerce website, and your security administrator has determined that only HTTP (TCP port 80) and HTTPS (TCP 443) traffic should be allowed access to the public subnet. As a result, your administrator configures a security group to meet this control objective. What if, though, someone were to inadvertently change this security group’s rules and enable FTP or other protocols to access the public subnet from any location on the Internet? That expanded access could weaken the security posture of your assets. Consequently, your administrator might need to monitor the integrity of your company’s security controls so that the controls maintain their desired effectiveness. In this blog post, I explore two methods for detecting unintended changes to VPC security groups. The two methods address not only control objectives but also control failures.
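The control objective from the paragraph above (only TCP 80 and 443 open to the Internet) turned into a check, as an added example that is not the AWS post's code: rules use the IpPermissions shape that boto3's describe_security_groups() returns, the CloudTrail AuthorizeSecurityGroupIngress layout is an assumption of this example, and all sample data is constructed.

```python
"""Evaluate an EC2 security group against a stated control objective.

Added example, not the AWS blog post's code. `violations()` checks a rule set
directly (the AWS Config style); `permissions_from_cloudtrail()` lifts a rule
change out of a CloudTrail record delivered by CloudWatch Events (the API-call
monitoring style) so the same check can run on every change as it happens.
"""
from ipaddress import ip_network

ALLOWED_PUBLIC = {("tcp", 80), ("tcp", 443)}          # the control objective
PRIVATE_V4 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internet_facing(cidr):
    """True unless the CIDR lies entirely inside an RFC 1918 (v4) or ULA (v6) range."""
    net = ip_network(cidr, strict=False)
    if net.version == 6:
        return not net.subnet_of(ip_network("fc00::/7"))
    return not any(net.subnet_of(p) for p in PRIVATE_V4)


def violations(permissions):
    """Return (cidr, protocol, from_port, to_port) for every rule that lets an
    Internet-facing source reach anything outside ALLOWED_PUBLIC."""
    found = []
    for perm in permissions:
        proto = perm.get("IpProtocol", "-1")
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not is_internet_facing(cidr):
                continue                          # private-only sources are out of scope
            if proto == "-1" or lo == -1:         # all protocols, or all ports
                found.append((cidr, proto, lo, hi))
                continue
            if any((proto, p) not in ALLOWED_PUBLIC for p in range(lo, hi + 1)):
                found.append((cidr, proto, lo, hi))
    return found


def permissions_from_cloudtrail(event):
    """Convert requestParameters of an AuthorizeSecurityGroupIngress record
    (assumed layout: camelCase keys with 'items' wrappers) into describe_* shape."""
    params = event["detail"]["requestParameters"]
    out = []
    for item in params.get("ipPermissions", {}).get("items", []):
        out.append({
            "IpProtocol": item.get("ipProtocol", "-1"),
            "FromPort": item.get("fromPort", -1),
            "ToPort": item.get("toPort", -1),
            "IpRanges": [{"CidrIp": r["cidrIp"]}
                         for r in item.get("ipRanges", {}).get("items", [])],
            "Ipv6Ranges": [{"CidrIpv6": r["cidrIpv6"]}
                           for r in item.get("ipv6Ranges", {}).get("items", [])],
        })
    return params.get("groupId"), out


# Constructed: the intended rule set, and a later change recorded by CloudTrail.
BASELINE = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]
DRIFT_EVENT = {
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",       # placeholder id
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 21, "toPort": 21,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
}

if __name__ == "__main__":
    print("baseline violations:", violations(BASELINE))
    gid, perms = permissions_from_cloudtrail(DRIFT_EVENT)
    print(gid, "drift:", violations(perms))
```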

If you have questions about or issues with implementing the solutions in any of these posts, please start a new thread on the forum identified near the end of each post.

– Craig

Updated CJIS Workbook Now Available by Request

Post Syndicated from Chris Gile original https://aws.amazon.com/blogs/security/updated-cjis-workbook-now-available-by-request/

The need for guidance when implementing Criminal Justice Information Services (CJIS)–compliant solutions has become of paramount importance as more law enforcement customers and technology partners move to store and process criminal justice data in the cloud. AWS services allow these customers to easily and securely architect a CJIS-compliant solution when handling criminal justice data, creating a durable, cost-effective, and secure IT infrastructure that better supports local, state, and federal law enforcement in carrying out their public safety missions.

AWS has created several documents (collectively referred to as the CJIS Workbook) to assist you in aligning with the FBI’s CJIS Security Policy. You can use the workbook as a framework for developing CJIS-compliant architecture in the AWS Cloud. The workbook helps you define and test the controls you operate, and document the dependence on the controls that AWS operates (compute, storage, database, networking, regions, Availability Zones, and edge locations).

Our most recent updates to the CJIS Workbook include:

AWS’s commitment to facilitating CJIS processes with customers is exemplified by the recent CJIS Agreements put in place with the states of California, Colorado, Louisiana, Minnesota, Oregon, Utah and Washington (to name but a few). As we continue to sign CJIS agreements across the country, law enforcement agencies are able to implement innovations to improve communities’ and officers’ safety, including body cameras, real-time gunshot notifications, and data analytics. With the release of our updated CJIS Workbook, AWS remains dedicated to enabling cloud usage for the law enforcement market.

Please reach out to AWS Compliance if you have additional questions about CJIS or any other set of compliance standards.

– Chris Gile, AWS Risk and Compliance

Pranksters gonna prank

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/03/pranksters-gonna-prank.html

So Alfa Bank (the bank whose DNS traffic links it to trump-email.com) is back in the news with this press release about how in the last month, hackers have spoofed traffic trying to make it look like there’s a tie with Trump. In other words, Alfa claims these packets are trying to frame them for a tie with Trump now, and thus (by extension) it must’ve been a frame last October.

There is no conspiracy here: it’s just merry pranksters doing pranks (as this CNN article quotes me).

Indeed, among the people pranking has been me (not the pranks mentioned by Alfa, but different pranks). I ran a scan sending packets from an IP address to almost everyone on the Internet, and set the reverse lookup to “mail1.trumpemail.com”.

Sadly, my ISP doesn’t allow me to put hyphens in the name, so it’s not “trump-email.com” as it should be in order to prank well.

Geeks gonna geek and pranksters gonna prank. I can imagine all sorts of other fun pranks somebody might do in order to stir the pot. Since the original news reports of the AlfaBank/trump-email.com connection last year, we have to assume any further data is tainted by goofballs like me goofing off.

By the way, in my particular case, there’s a good lesson to be had here about the arbitrariness of IP addresses and names. There is no server located at my IP address of 209.216.230.75. No such machine exists. Instead, I run my scans from a nearby machine on the same network, and “spoof” that address with masscan:

$ masscan 0.0.0.0/0 -p80 --banners --spoof-ip 209.216.230.75

This sends a web request to every machine on the Internet from that IP address, despite no machine anywhere being configured with that IP address.

I point this out because people are confused by the meaning of an “IP address”, or a “server”, “domain”, and “domain name”. I can imagine the FBI looking into this and getting a FISA warrant for the server located at my IP address, and my ISP coming back and telling them that no such server exists, nor has a server existed at that IP address for many years.

In the case of last year’s story, there’s little reason to believe IP spoofing was happening, but the conspiracy theory still breaks down for the same reason: the association between these concepts is not what you think it is. Listrak, the owner of the server at the center of the conspiracy, still reverse resolves the IP address 66.216.133.29 as “mail1.trump-email.com”, either because they are lazy, or because they enjoy the lulz.
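The point that a PTR record is whatever the address owner chooses to publish is why analysts use forward-confirmed reverse DNS before trusting a name. The check below is an added example, not part of the original post; the resolver is injected and the records are constructed from RFC 5737 documentation addresses and example.com/example.net names, so nothing here describes a real host.

```python
"""Forward-confirmed reverse DNS (FCrDNS): does the name a PTR record claims
actually resolve back to the address?

Added example, not from the original post. The owner of an address block can
point its PTR at any name; FCrDNS additionally requires the name's owner to
publish an A/AAAA record for that address, so one party cannot assert the
association alone. All sample records below are constructed.
"""
from ipaddress import ip_address
import socket


def fcrdns(ip, ptr_lookup, addr_lookup):
    """Return (status, ptr_names, confirmed_names).

    'confirmed'   - at least one PTR name resolves forward to `ip`
    'unconfirmed' - PTR names exist but none of them point back
    'no-ptr'      - the address has no reverse record at all
    """
    ip = str(ip_address(ip))                  # normalise, and reject garbage early
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr", [], []
    confirmed = [n for n in names if ip in set(addr_lookup(n))]
    return ("confirmed" if confirmed else "unconfirmed"), names, confirmed


def system_ptr_lookup(ip):
    """Live PTR lookup through the OS resolver (not used by the offline demo)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except socket.herror:
        return []


def system_addr_lookup(name):
    """Live A/AAAA lookup through the OS resolver (not used by the offline demo)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


# Constructed records: one address whose PTR claims a name that the name's
# owner does not back up, and one where both directions agree.
FAKE_PTR = {
    "192.0.2.10": ["mail1.example.com"],      # chosen by whoever controls 192.0.2.0/24
    "198.51.100.7": ["relay.example.net"],
}
FAKE_A = {
    "mail1.example.com": ["203.0.113.5"],     # example.com's owner points elsewhere
    "relay.example.net": ["198.51.100.7"],
}


def demo():
    """Run the check over the constructed records; returns ip -> status."""
    ptr = lambda i: FAKE_PTR.get(i, [])
    addr = lambda n: FAKE_A.get(n, [])
    return {ip: fcrdns(ip, ptr, addr)[0]
            for ip in ("192.0.2.10", "198.51.100.7", "192.0.2.99")}


if __name__ == "__main__":
    for ip, status in demo().items():
        print(f"{ip:14} {status}")
```

Even a confirmed result only shows the two record owners agree; it says nothing about what traffic the host sent, which is the separate point the post makes about spoofed packets.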

It’s absurd thinking anything sent by the server is related to the Trump Organization today, and it’s equally plausible that nothing the server sent was related to Trump last year as well, especially since (as CNN reports), Trump had severed its ties with Cendyn (the marketing company that uses Listrak servers for email).


Also, as mentioned in a previous blog post, I set my home network’s domain to be “moscow.alfaintra.net”, which means that some of my DNS lookups at home are actually being sent to Alfa Bank. I should probably turn this off before the FBI comes knocking at my door.

Vault 7 and the protection of America

Post Syndicated from Григор original http://www.gatchev.info/blog/?p=2037

For those who have spent the last month under a big stone:

Wikileaks recently published a lot of information about a set of malware, created by FBI and nicknamed “Vault 7”. There were specimens in it, able to break into and take control over almost any kind of CPU-based device – smartphones running iOS or Android, PCs running Windows, MacOS or Linux, etc. FBI declared that this publication is a breach of national security, and that this exposure made USA less secure.

I beg to differ.

What makes USA less secure is the existence of this trove. More specifically, the fact that FBI knew about the software vulnerabilities its malware exploits, but never notified the software manufacturers about these. Consequently, the disclosure of these vulnerabilities makes USA more secure. In this particular case, what is bad for FBI might be good for USA.

Why so?

First, let’s put a big question aside. Let’s assume that FBI would absolutely never use these tools to spy, unless that spying is benevolent and only protects USA. Further, let’s assume that FBI will never collect any information other than what it needs to protect USA. Also, that it will never use this information to any other goal than protecting USA. (For example, that a Watergate-style spying is impossible in principle.) And that every single FBI member is a white knight who will never betray their agency and never use its activities for personal gain. (If you have more ideas how to make FBI even more benevolent, use them here.)

Even this all will not change the fact that hiding these vulnerabilities was a harm to USA, bigger than any gain FBI could have made by exploiting them.

There are no FBI-specific software vulnerabilities. Every vulnerability is open for exploiting by anyone who knows about it. The mentality “we are the best, only we will know about it” is one of the most thoroughly disproven ideas in existence. The entities who make a living from constantly seeking software vulnerabilities probably number in the hundreds. All big intelligence services are into this, including those of most countries that are usually up to no good. And hundreds of cybercriminal gangs are into it too. Those two kinds of players together employ far more people and consequently far more talent than FBI. It would be a miracle if they didn’t find most, if not all, of the vulnerabilities FBI has found.

The similarity ends here. Even if not perfect, FBI is still a generally benevolent entity, trying to mostly limit its activities to protecting its country. It has a mostly responsible approach to acquiring information and protecting that information. These things however are true neither for the intelligence services of the authoritarian and aggressive countries, nor for the cyber criminals. Neither of these is benevolent or responsible to any degree, at least towards USA. Both kinds will happily eavesdrop on or attack any American – the first because of the principled enmity of dictators toward democracies, the second because Americans tend to be richer than most other peoples.

By not telling the software manufacturers about these vulnerabilities, FBI left American citizens at the mercy of dozens of intelligence services of authoritarian governments who hate USA, and of hundreds of cyber criminals who would happily empty Americans’ pockets, blackmail them or even disrupt important activities for fun and as a demonstration of power. It is true that in this way FBI also gives itself the opportunity to obtain info that can protect Americans to some extent. However, the losses are bigger than the gains by orders of magnitude.

To sum it all up: in this particular case FBI exposed America to harm, and Wikileaks helped prevent that harm for the future.

Whether FBI or Wikileaks are happy with the roles they played in that is another topic.

FBI: what to look for in the Trump/AlfaBank connection

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/03/fbi-what-to-look-for-in-trumpalfabank.html

As CNN reports, the FBI seems to be looking into that connection between Trump and Alfa Bank. Here are some things to look for.

First, get your own copy of the logs from root name servers. I don’t trust the source of the original logs. I suspect they’ve been edited in order to show a relationship with Alfa Bank. You’ve got lots of sources both inside government and in private industry that can provide a copy of these logs without a warrant. (Which sucks, you should need a warrant, but that’s the current state of affairs).

Second, look at the server in question. It’s probably located at 140 Akron Road, Ephrata, PA. What you are looking for are the logs of anything sent from the server during that time, specifically any e-mails.

Third, talk to Cendyn, and ask them what that server was used for during that time. Their current statement is that it was used by the Metron meeting software. In other words, they say that after they stopped using it to send marketing emails, they started using it for their meeting product. They seem a little confused, so it’d be nice to pin them down. Specifically, get logfiles indicating precisely what happened, and figure out how Metron works, what sorts of messages it will generate.

Fourth, talk to Cendyn, and ask them about customers of their Metron meeting software, namely who used it to arrange meetings with Alfa Bank or the Trump organization. My guess is that this is where you’ll really get the juicy information, getting a list of what meetings happened when and who was invited.

Fifth, talk to Cendyn and get logfiles from their DNS servers to figure out who was resolving that domain name (mail1.trump-email.com) during that time period.

Sixth, ask Alfa Bank for logfiles from their DNS resolvers that would tell you which machines internally were generating those requests.
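
The fifth and sixth steps both come down to the same piece of forensics: take a DNS server’s query log and work out which clients asked for a given name, and when. The example below is added here and is not the post’s or the FBI’s code; it parses a handful of constructed lines in the style of a BIND query log (the client addresses, dates and the unrelated query are all made up), normalises the queried name (DNS is case-insensitive and names may carry a trailing dot), and tallies the requesting machines and the per-day volume.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the style of a BIND query log. Client IPs, dates and the
# unrelated query are made up for the example; the queried name is from the post.
LOG_LINES = """\
01-May-2016 09:12:01.213 client 10.20.30.41#53412: query: mail1.trump-email.com IN A + (10.20.0.2)
01-May-2016 09:12:01.220 client 10.20.30.41#53412: query: mail1.trump-email.com IN AAAA + (10.20.0.2)
01-May-2016 09:14:55.004 client 10.20.30.77#40011: query: www.example.com IN A + (10.20.0.2)
02-May-2016 17:03:12.900 client 10.20.30.41#53519: query: mail1.trump-email.com IN A + (10.20.0.2)
03-May-2016 08:30:00.001 client 10.20.31.5#61002: query: MAIL1.TRUMP-EMAIL.COM. IN A + (10.20.0.2)
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Parse BIND-style query log lines into dicts; lines that don't match are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "time": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
            "client": m["client"],
            # DNS names are case-insensitive and may carry a trailing dot
            "qname": m["qname"].rstrip(".").lower(),
            "qtype": m["qtype"],
        })
    return records


def clients_querying(records, name):
    """Which machines asked the resolver for `name`, and how many times each."""
    name = name.rstrip(".").lower()
    return Counter(r["client"] for r in records if r["qname"] == name)


def daily_counts(records, name):
    """Queries for `name` per calendar day, keyed by ISO date."""
    name = name.rstrip(".").lower()
    counts = defaultdict(int)
    for r in records:
        if r["qname"] == name:
            counts[r["time"].date().isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_query_log(LOG_LINES)
    print(clients_querying(recs, "mail1.trump-email.com"))
    print(daily_counts(recs, "mail1.trump-email.com"))
```

On a real resolver log the client column is what answers the sixth question (which internal machines generated the requests), while the per-day tally is what lets you compare the volume against the server’s outbound mail logs from the second step.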

My guess is that all of this will come up empty. There’s a coincidence here, but a small one. Much of the technical details have been overhyped and mean little.

Some notes on the RAND 0day report

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/03/some-notes-on-rand-0day-report.html

The RAND Corporation has a research report on the 0day market [ * ]. It’s pretty good. They talked to all the right people. It should be considered the seminal work on the issue. They’ve got the pricing about right ($1 million for full chain iPhone exploit, but closer to $100k for others). They’ve got the stats about right (5% chance somebody else will discover an exploit).

Yet, they’ve got some problems, namely phrasing the debate as activists want, rather than a neutral view of the debate.

The report frequently uses the word “stockpile”. This is a biased term used by activists. According to the dictionary, it means:

a large accumulated stock of goods or materials, especially one held in reserve for use at a time of shortage or other emergency.

Activists paint the picture that the government (NSA, CIA, DoD, FBI) buys 0day to hold in reserve in case they later need them. If that’s the case, then it seems reasonable that it’s better to disclose/patch the vuln than let it grow moldy in a cyberwarehouse somewhere.

But that’s not how things work. The government buys vulns it has immediate use for (primarily). Almost all vulns it buys are used within 6 months. Most vulns in its “stockpile” have been used in the previous year. These cyberweapons are not in a warehouse, but in active use on the front lines.

This is top secret, of course, so people assume it’s not happening. They hear about no cyber operations (except Stuxnet), so they assume such operations aren’t occurring. Thus, they build up the stockpiling assumption rather than the active use assumption.

If the RAND wanted to create an even more useful survey, they should figure out how many thousands of times per day our government (NSA, CIA, DoD, FBI) exploits 0days. They should characterize who they target (e.g. terrorists, child pornographers), success rate, and how many people they’ve killed based on 0days. It’s this data, not patching, that is at the root of the policy debate.

That 0days are actively used determines pricing. If the government doesn’t have immediate need for a vuln, it won’t pay much for it, if anything at all. Conversely, if the government has urgent need for a vuln, it’ll pay a lot.

Let’s say you have a remote vuln for Samsung TVs. You go to the NSA and offer it to them. They tell you they aren’t interested, because they see no near term need for it. Then a year later, spies reveal ISIS has stolen a truckload of Samsung TVs, put them in all the meeting rooms, and hooked them to Internet for video conferencing. The NSA then comes back to you and offers $500k for the vuln.

Likewise, the number of sellers affects the price. If you know they desperately need the Samsung TV 0day, but they are only offering $100k, then it likely means that there’s another seller also offering such a vuln.

That’s why iPhone vulns are worth $1 million for a full chain exploit, from browser to persistence. They use it a lot, it’s a major part of ongoing cyber operations. Each time Apple upgrades iOS, the change breaks part of the existing chain, and the government is keen on getting a new exploit to fix it. They’ll pay a lot to the first vuln seller who can give them a new exploit.

Thus, there are three prices the government is willing to pay for an 0day (the value it provides to the government):

  • the price for an 0day they will actively use right now (high)
  • the price for an 0day they’ll stockpile for possible use in the future (low)
  • the price for an 0day they’ll disclose to the vendor to patch (very low)

That these are different prices is important to the policy debate. When activists claim the government should disclose the 0day they acquire, they are ignoring the price the 0day was acquired for. Since the government actively uses the 0day, they are acquired for a high price, with their “use” value far higher than their “patch” value. It’s an absurd argument to make that the government should then immediately discard that money, to pay “use value” prices for “patch” results.

If the policy becomes that the NSA/CIA should disclose/patch the 0day they buy, it doesn’t mean business as usual acquiring vulns. It instead means they’ll stop buying 0day.

In other words, “patching 0day” is not an outcome on either side of the debate. Either the government buys 0day to use, or it stops buying 0day. In neither case does patching happen.

The real argument is whether the government (NSA, CIA, DoD, FBI) should be acquiring, weaponizing, and using 0day in the first place. It demands that we unilaterally disarm our military, intelligence, and law enforcement, preventing them from using 0days against our adversaries while our adversaries continue to use 0days against us.

That’s the gaping hole in both the RAND paper and most news reporting of this controversy. They characterize the debate the way activists want, as if the only question is the value of patching. They avoid talking about unilateral cyberdisarmament, even though that’s the consequence of the policy they are advocating. They avoid comparing the value of 0days to our country for active use (high) with the value to our country for patching (very low).

Conclusion

It’s nice that the RAND paper studied the value of patching and confirmed it’s low, that only around 5% of our cyber-arsenal is likely to be found by others. But it’d be nice if they also looked at the point of view of those actively using 0days on a daily basis, rather than phrasing the debate the way activists want.

Private Anti-Piracy Deals With Domain Registries are Dangerous, Professor Warns

Post Syndicated from Ernesto original https://torrentfreak.com/private-anti-piracy-deals-with-domain-registries-are-dangerous-professor-warns-170302/

In recent years various entertainment industry groups have switched their efforts away from legislation, towards voluntary cooperation with various stakeholders.

This has resulted in several agreements with Internet providers, advertising agencies and payment processors, which are all designed to help prevent piracy.

In 2016, this strategy was expanded to cover key players in the domain name industry. Last February, the MPAA and the Donuts registry signed a landmark agreement under which the movie industry group acts as a “trusted notifier” of “pirate” domains. A similar deal was later announced with Radix.

Traditionally, it has been very hard for rightsholders to get domain names suspended without a court order, but through voluntary agreements this process is simplified. Without a court order, the registries in question are now able to take pirate sites offline, if the evidence is sufficient.

Such agreements are praised by Hollywood and even have ICANN’s blessing. However, there are also concerns. In a recent article, University of Idaho Law Professor Annemarie Bridy expresses concern over these developments.

It is the first voluntary deal that touches on the Internet’s core technical functions, assigning private copyright enforcers as some sort of online police. The current agreements are fairly limited and Professor Bridy warns that it could be just the beginning.

“For now, non-judicial notice and takedown practices in the DNS are limited; however, demands on intermediaries for stronger online content regulation across the board are only growing,” Bridy writes.

With a lack of transparency and due process, the MPAA’s programs could easily expand to a broader range of controversial content such as fake news, hate speech, and terrorist propaganda, she warns.

“Lack of transparency and due process in such programs will make them inherently vulnerable to inconsistency, mistake, and abuse and could transform the DNS into a potent tool for suppressing disfavored speech.”

In copyright cases there are worrying consequences as well. Recent history has shown that over-blocking is a legitimate threat. Professor Bridy highlights the FBI’s seizure of the domain name MOOO.COM as an example, which took down 84,000 subdomains even though only ten were problematic.

ICANN, the non-profit body responsible for the smooth running of the Internet’s Domain Name System, has always insisted that copyright disputes are beyond its mission. As such, it was happy to see registries and rightsholders coming to an agreement.

According to Bridy, however, ICANN is now giving the green light to private agreements that allow corporate and government parties to interfere with DNS without central oversight. That’s a very worrying development, in her book.

“[I]n creating that architecture, ICANN did nothing to secure any procedural protections or uniform substantive standards for domain name registrants who find themselves subject to this new form of DNS regulation,” Bridy writes.

“That omission should be a red flag for those who worry that ICANN’s newly minted independence from the U.S. government will make its internal governance more susceptible to capture by powerful commercial and governmental interests.”

It will be interesting to see where the private deals go from here and if they indeed move beyond copyright enforcement.

Last week the Donuts registry said that fears about a “slippery slope” toward inappropriate content control are unwarranted. Thus far they are correct in stressing that only a few domain names have been suspended under their deal, but that offers no guarantees for the future.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Megaupload Case Takes Toll on Finn Batato, But He’ll Keep Fighting

Post Syndicated from Andy original https://torrentfreak.com/megaupload-case-takes-toll-on-finn-batato-but-hell-keep-fighting-170227/

Whenever there’s a new headline about the years-long prosecution of Megaupload, it is usually Kim Dotcom’s image adorning publications around the world. In many ways, the German-born entrepreneur is the face of the United States’ case against the defunct storage site, and he appears to like it that way.

Thanks to his continuous presence on Twitter, regular appearances in the media, alongside promotion of new file-sharing platforms, one might be forgiven for thinking Dotcom was fighting the US single-handedly. But quietly and very much in the background, three other men are also battling for their freedom.

Megaupload programmers Mathias Ortmann and Bram van der Kolk face a similar fate to Dotcom but have stayed almost completely silent since their arrests in 2012. Former site advertising manager Finn Batato, whose name headlines the entire case (US v. Finn Batato) has been a little more vocal though, and from recent comments we learn that the US prosecution is taking its toll.

Seven years ago, before the raid, Batato was riding the crest of a wave as Megaupload’s CMO. According to the FBI he pocketed $630,000 in 2010 and was regularly seen out with Dotcom having fun, racing around the Nürburgring’s Nordschleife track with Formula 1 star Kimi Raikkonen, for example. But things are different now.

Finn with Kimi Raikkonen

While still involved with Mega, the new file-sharing site that Dotcom founded and then left after what appears to be an acrimonious split, Batato is reportedly feeling the pressure. In a new interview with Newshub, the marketing expert says that his marriage is on the rocks, a direct result of the US case against him.

According to Batato, he’s now living in someone else’s house, something he hasn’t done “for 25 years.” It’s a far cry from the waterside luxury being enjoyed by Dotcom.

Batato met wife Anastasia back in 2012, not long after the raid and while he was still under house arrest. The pair married in 2015 and have two children, Leo and Oskar.

“The constant pressure over your head – not knowing what is there to come, is very hard, very tough,” Batato said in an earlier interview with NZHerald.

“Everything that happens in our life happens with that big black cloud over our heads which especially has an impact on me and my mood because I can’t just switch it off. If everything goes down the hill, maybe I will see [my sons] once every month in a prison cell. That breaks my heart. I can’t enjoy it as much as I would want to. It’s highly stressful.”

Since then, Batato has been busy. While working as Mega’s Chief Marketing Officer, the German citizen has been learning about the law. He’s had to. Unlike Dotcom who can retain the best lawyers in the game, Batato says he has few resources.

What savings he had were seized on the orders of the United States in Hong Kong back in 2012, and he previously admitted to having to check his bank account before buying groceries. As a result he’s been conducting his own legal defense for almost two years.

In 2015 he reportedly received praise while doing so, with lawyers appearing for his co-defendants commending him when he stood up to argue a point during a Megaupload hearing. “I was kind of proud about that,” he said.

Like Dotcom (with whom he claims to be on “good terms”), Batato insists that he’s done nothing wrong. He shares his former colleague’s optimism that he won’t be extradited and will take his case to the Supreme Court, should all else fail.

That may be necessary. Last week, the New Zealand High Court determined that Batato and his co-defendants can be extradited to the US, albeit not on copyright grounds. Justice Murray Gilbert agreed with the US Government’s position that their case has fraud at its core, an extraditable offense.

In the short term, the case is expected to move to the Court of Appeal and, depending on the outcome there, potentially to the Supreme Court. Either way, this case still has years to run with plenty more legal appearances for Batato. He won’t be doing it with the legal backup enjoyed by Dotcom but he’ll share his determination.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

You don’t need printer security

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/02/you-dont-need-printer-security.html

So there’s this tweet:

What it’s probably referring to is this:

This is an obviously bad idea.

Well, not so “obvious”, so some people have asked me to clarify the situation. After all, without “security”, couldn’t a printer just be added to a botnet of IoT devices?

The answer is this:

Fixing insecurity is almost always better than adding a layer of security.

Adding security is notoriously problematic, for three reasons:

  1. Hackers are active attackers. When presented with a barrier in front of an insecurity, they’ll often find ways around that barrier. It’s a common problem with “web application firewalls”, for example.
  2. The security software itself can become a source of vulnerabilities hackers can attack, which has happened frequently in anti-virus and intrusion prevention systems.
  3. Security features are usually snake-oil, sounding great on paper, with no details, and no independent evaluation, provided to the public.

It’s the last one that’s most important. HP markets features, but there’s no guarantee they work. In particular, similar features in other products have proven not to work in the past.

HP describes its three special features in a brief whitepaper [*]. They aren’t bad, but at the same time, they aren’t particularly good. Windows already offers all these features. Indeed, as far as I know, they are just using Windows as their firmware operating system, and are just slapping an “HP” marketing name onto existing Windows functionality.

HP Sure Start: This refers to the standard feature in almost all devices these days of having a secure boot process. Windows supports this in UEFI boot. Apple’s iPhones work this way, which is why the FBI needed Apple’s help to break into a captured terrorist’s phone. It’s a feature built into most IoT hardware, though most don’t enable it in software.

Whitelisting: Their description sounds like “signed firmware updates”, but if that was the case, they’d call it that. Traditionally, “whitelisting” referred to a different feature, containing a list of hashes for programs that can run on the device. Either way, it’s pretty common functionality.

Run-time intrusion detection: They have numerous, conflicting descriptions on their website. It may mean scanning memory for signatures of known viruses. It may mean stack cookies. It may mean double-checking kernel modules. Windows does all these things, and it has a tiny benefit on stopping security threats.
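
The secure-boot and whitelisting ideas in the descriptions above, as an added illustration that is not HP’s or the post’s code: a boot chain in which an immutable root hash pins the bootloader, the bootloader pins the next stage, and so on, plus a run-time allowlist of program hashes. The stage names and blobs are constructed for the example. A real design signs each manifest with a vendor key rather than relying on a bare hash (that is what UEFI secure boot does), but the chain-of-verification logic, and the way tampering with any stage breaks the chain, is the same.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stage_digest(stage):
    """Digest of one boot stage. It covers both the stage's code and the hash it
    pins for the next stage, so an attacker cannot repoint the chain at modified
    code without also breaking this stage's own digest."""
    return sha256(stage["code"] + (stage.get("next_hash") or "").encode())


def build_chain(blobs):
    """Link stages last-to-first so each one pins the digest of the stage after it.
    Returns (root_hash, stages); root_hash is what a ROM would have burned in."""
    stages = []
    next_hash = None
    for code in reversed(blobs):
        stage = {"code": code, "next_hash": next_hash}
        next_hash = stage_digest(stage)
        stages.insert(0, stage)
    return next_hash, stages


def verify_boot(root_hash, stages):
    """Walk the chain the way a secure-boot ROM would: check stage 0 against the
    burned-in root hash, then let each verified stage check the next.
    Returns the index of the first stage that fails, or None if all pass."""
    expected = root_hash
    for i, stage in enumerate(stages):
        if stage_digest(stage) != expected:
            return i
        expected = stage["next_hash"]
    return None


def allowed_to_run(program: bytes, allowlist) -> bool:
    """Run-time whitelisting: only binaries whose hash is on the list may execute."""
    return sha256(program) in allowlist


def tampered_copy(stages, index, new_code):
    """Copy of the chain with one stage's code replaced (for demonstrating failure)."""
    copy = [dict(s) for s in stages]
    copy[index]["code"] = new_code
    return copy


if __name__ == "__main__":
    # Constructed stand-ins for the firmware images of a device.
    root, chain = build_chain([b"bootloader v1", b"kernel v1", b"print engine v1"])
    print("clean chain fails at:", verify_boot(root, chain))
    bad = tampered_copy(chain, 2, b"print engine v1 + unauthorised code")
    print("tampered application fails at:", verify_boot(root, bad))
    # Repointing the kernel's pinned hash at the tampered stage only moves the
    # failure one step earlier, because the kernel's own digest then changes.
    bad[1]["next_hash"] = stage_digest(bad[2])
    print("repointed kernel fails at:", verify_boot(root, bad))
```

The property worth noticing is that the only thing that has to be immutable is the root hash; everything after it can live in rewritable flash and still be verified, which is why the feature is cheap to build into IoT hardware and, as the post notes, so often shipped disabled.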

As for traditional threats for attacks against printers, none of these really are important. What you need to secure a printer is the ability to disable services you aren’t using (close ports), enable passwords and other access control, and delete files of old print jobs so hackers can’t grab them from the printer. HP has features to address these security problems, but then, so do its competitors.

Lastly, printers should be behind firewalls, not only protected from the Internet, but also segmented from the corporate network, so that only those designated ports, or flows between the printer and print servers, are enabled.
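
The segmentation policy just described, written out as a default-deny rule set that can be evaluated against sample flows. This is an added example, not the post’s code; the addressing (a printer VLAN at 10.50.0.0/24, two print servers, one admin host, an internal resolver and a syslog collector) is constructed, and the sample flows are made up to cover the cases a practitioner cares about: print servers reaching the printers on the print ports, workstations going through the print servers rather than straight to the printer, and printers initiating nothing towards the Internet or the rest of the LAN.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed addressing for the example network.
PRINTER_VLAN = ipaddress.ip_network("10.50.0.0/24")
PRINT_SERVERS = {ipaddress.ip_address("10.10.0.5"), ipaddress.ip_address("10.10.0.6")}
MGMT_HOST = ipaddress.ip_address("10.10.0.9")     # the one admin box allowed on the web UI
RESOLVER = ipaddress.ip_address("10.10.0.53")     # internal DNS
SYSLOG = ipaddress.ip_address("10.10.0.54")       # internal log collector

PRINT_PORTS = {("tcp", 9100), ("tcp", 631), ("tcp", 515)}  # raw/JetDirect, IPP, LPD
MGMT_PORTS = {("tcp", 443)}


def decide(flow):
    """Decide one new connection the way a default-deny firewall between the
    printer VLAN and everything else would. Returns 'allow', 'deny', or 'n/a'
    for flows that never cross the segment boundary."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    service = (flow.proto.lower(), flow.dport)
    to_printer, from_printer = dst in PRINTER_VLAN, src in PRINTER_VLAN
    if not (to_printer or from_printer):
        return "n/a"
    # Inbound: only print servers on the print ports, only the admin host on the UI.
    if to_printer and src in PRINT_SERVERS and service in PRINT_PORTS:
        return "allow"
    if to_printer and src == MGMT_HOST and service in MGMT_PORTS:
        return "allow"
    # Outbound: printers may talk to the internal resolver and log collector, nothing else.
    if from_printer and dst == RESOLVER and service == ("udp", 53):
        return "allow"
    if from_printer and dst == SYSLOG and service == ("udp", 514):
        return "allow"
    # Everything else, including any printer-to-Internet flow, is dropped.
    return "deny"


def evaluate(flows):
    return [(f, decide(f)) for f in flows]


# Constructed sample flows, each with the decision a reader should expect.
SAMPLE_FLOWS = [
    Flow("10.10.0.5", "10.50.0.20", "tcp", 9100),    # print server -> printer: allow
    Flow("10.10.7.33", "10.50.0.20", "tcp", 9100),   # workstation straight to printer: deny
    Flow("10.50.0.20", "203.0.113.9", "tcp", 443),   # printer -> Internet: deny
    Flow("198.51.100.4", "10.50.0.20", "tcp", 9100), # Internet -> printer: deny
    Flow("10.50.0.20", "10.10.7.33", "tcp", 445),    # printer -> workstation SMB: deny
    Flow("10.50.0.20", "10.10.0.53", "udp", 53),     # printer -> internal resolver: allow
    Flow("10.10.0.9", "10.50.0.20", "tcp", 443),     # admin host -> printer UI: allow
    Flow("10.10.7.33", "10.50.0.20", "tcp", 443),    # workstation -> printer UI: deny
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
```

Whatever box enforces this, the shape is the same: a short allow list of designated flows and a default drop, with the drop log feeding the SOC, because a printer that suddenly tries to open connections to the Internet is exactly the botnet symptom the post raises.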

Conclusion

The features HP describes are snake oil. If they worked well, they’d still only address a small part of the spectrum of attacks against printers. And, since there’s no technical details or independent evaluation of the features, they are almost certainly lies.

If HP really cared about security, they’d make their software more secure. They’d use fuzzing tools like AFL to secure it. They’d enable ASLR and stack cookies. They’d compile C code with run-time buffer overflow checks. They’d have a bug bounty program. It’s not something they can easily market, but at least it’d be real.

If you care about printer security, then follow the steps I outline above, especially firewalling printers from the traditional network. Seriously, putting a $100 firewall between a VLAN for your printers and the rest of the network is a cheap and easy way to get a vast amount of security. If you can’t secure printers this way, buying snake oil features like HP describes won’t help you.