Tag Archives: ip address

Scalable and Secure MQTT Load Balancing with Elastic Beam and HiveMQ

Post Syndicated from The HiveMQ Team original http://www.hivemq.com/blog/scalable-and-secure-mqtt-load-balancing-with-elastic-beam-and-hivemq/


A key challenge for a scalable and resilient MQTT broker infrastructure is load balancing across the broker cluster nodes to ensure optimal performance and maximum reliability. Historically, load balancing strategies for MQTT have relied on L4 load balancing, where decisions are made at the OSI transport layer from TCP connection data alone. That is of limited value for MQTT broker clusters, because the balancer never sees the MQTT session it is distributing.

Elastic Beam™ Secure Proxy is one of the first products that supports first-class MQTT routing features out-of-the-box to overcome MQTT load balancing limits. This blog post shows how HiveMQ and Elastic Beam can be used together to create truly resilient and secure MQTT cloud infrastructures.

Why are load balancers beneficial for MQTT?

Load balancers play a significant role in traffic routing and traffic shaping for the Internet and the IoT. Most load balancer products focus on L4 load balancing that routes traffic based on information like IP address, port and protocol (e.g. TCP or UDP).

L4 load balancing is typically pretty simple and only a few traffic delivery strategies are supported (e.g. round robin or sticky IP). It’s important to note that such an L4 load balancer is not aware of the Layer 7 protocol in use (e.g. MQTT) and cannot make delivery decisions based on protocol information such as the MQTT client identifier.

Key advantages using a load balancer in MQTT deployments are:

  • TLS offloading: Expensive cryptographic operations take place on the load balancer and not on the brokers. Note that the hop from the load balancer to the brokers is then unencrypted unless it is re-encrypted, so the broker network must be a trusted segment
  • Perfect for broker clusters: An MQTT client does not need to be aware of the broker topology; it connects to the load balancer, which is responsible for establishing a connection with the “right” broker
  • First line of defense: The MQTT brokers are not exposed directly to the Internet and, depending on the load balancing product, attack prevention mechanisms at different levels of the OSI stack are applied. Malicious clients cannot reach the brokers directly
  • Failover: When an MQTT broker node is unavailable, the load balancer routes traffic to healthy nodes to compensate for the unavailable node

Elastic Beam and HiveMQ

For sophisticated MQTT broker cluster implementations like HiveMQ, next-generation load balancers are needed to bring additional value to the table. This is where Elastic Beam, a commercial load balancer and IoT proxy router, comes into play. Besides the typical MQTT load balancing advantages discussed above, the following additional advantages are available when combining Elastic Beam and HiveMQ:

  • L7 MQTT load balancing: Elastic Beam understands MQTT natively and can make sophisticated routing decisions based on MQTT characteristics (e.g. client identifier)
  • No single point of failure: Elastic Beam can be clustered and high availability can be achieved with additional mechanisms like DNS round robin for the load balancers. This means the broker cluster is highly available and the load balancer is also highly available
  • Hybrid cloud support: Elastic Beam supports all major cloud providers and data center deployments – at the same time. Your MQTT clients from on-premise installations can communicate with the brokers easily as well as clients with Internet connectivity
  • Additional security: Elastic Beam implements state-of-the-art security mechanisms as well as innovative features like machine learning for intrusion detection
  • MQTT over websockets: Elastic Beam has first-class websocket support, which enables MQTT clients to use MQTT over (secure) websockets
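To make concrete what an L7 routing decision looks like, here is an added example that is not Elastic Beam’s or HiveMQ’s code: it parses the MQTT CONNECT packet (the first packet every client sends) to extract the client identifier, then picks a broker by consistent hashing over a constructed list of broker names. A reconnecting client lands on the same broker, and removing a failed broker only moves the clients that were on it, which an L4 balancer working from source IP and port cannot guarantee. The packet builder, the broker names and the 64-replica ring size are assumptions made for the example.

```python
import bisect
import hashlib
from dataclasses import dataclass

CONNECT = 0x10  # control packet type 1 (CONNECT) in the high nibble of byte 0


def _decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode MQTT's variable-length integer (the 'remaining length' field)."""
    value, multiplier = 0, 1
    while True:
        if pos >= len(buf):
            raise ValueError("truncated variable-length integer")
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:  # the spec allows at most four bytes
            raise ValueError("malformed variable-length integer")


def _encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)


def _decode_string(buf: bytes, pos: int) -> tuple[str, int]:
    """Decode an MQTT UTF-8 string: 2-byte big-endian length, then the bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated string length")
    n = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated string body")
    return buf[pos:pos + n].decode("utf-8"), pos + n


@dataclass
class ConnectInfo:
    protocol_level: int  # 4 = MQTT 3.1.1, 5 = MQTT 5.0
    client_id: str
    clean_session: bool


def parse_connect(packet: bytes) -> ConnectInfo:
    """Parse CONNECT just far enough to read the client identifier.

    CONNECT is the first packet of every MQTT session, so it is all an L7
    balancer needs before choosing a broker; any other packet is rejected.
    """
    if not packet or packet[0] & 0xF0 != CONNECT:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _decode_varint(packet, 1)
    end = pos + remaining
    if end > len(packet):
        raise ValueError("remaining length exceeds packet")
    name, pos = _decode_string(packet, pos)
    if name != "MQTT":
        raise ValueError(f"unexpected protocol name {name!r}")
    level, flags = packet[pos], packet[pos + 1]
    pos += 4  # protocol level, connect flags, 2-byte keep-alive
    if level == 5:  # MQTT 5 inserts a properties block before the payload
        props_len, pos = _decode_varint(packet, pos)
        pos += props_len
    elif level != 4:
        raise ValueError(f"unsupported protocol level {level}")
    client_id, pos = _decode_string(packet, pos)
    if pos > end:
        raise ValueError("client identifier runs past remaining length")
    return ConnectInfo(level, client_id, bool(flags & 0x02))


def build_connect(client_id: str, level: int = 4) -> bytes:
    """Build a minimal CONNECT packet (constructed test input, not a capture)."""
    body = b"\x00\x04MQTT" + bytes([level, 0x02]) + (60).to_bytes(2, "big")
    if level == 5:
        body += b"\x00"  # empty properties block
    cid = client_id.encode("utf-8")
    body += len(cid).to_bytes(2, "big") + cid
    return bytes([CONNECT]) + _encode_varint(len(body)) + body


class BrokerRing:
    """Consistent-hash ring over broker names, `replicas` virtual points each."""

    def __init__(self, brokers, replicas: int = 64):
        points = sorted((self._hash(f"{b}#{i}"), b) for b in brokers for i in range(replicas))
        self._keys = [h for h, _ in points]
        self._brokers = [b for _, b in points]

    @staticmethod
    def _hash(s: str) -> int:
        return int.from_bytes(hashlib.sha256(s.encode("utf-8")).digest()[:8], "big")

    def route(self, client_id: str) -> str:
        if not self._keys:
            raise RuntimeError("no healthy brokers")
        idx = bisect.bisect(self._keys, self._hash(client_id)) % len(self._keys)
        return self._brokers[idx]


def choose_broker(packet: bytes, ring: BrokerRing) -> str:
    """The L7 routing decision: peek at CONNECT, route on the client identifier."""
    return ring.route(parse_connect(packet).client_id)
```

A real proxy would read the CONNECT from the client socket, call `choose_broker`, open the upstream connection and then splice the two streams; the rejection of non-CONNECT first packets is also where a balancer can drop clients that speak garbage before they ever reach a broker.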

Reference Architecture with Elastic Beam and HiveMQ


The reference architecture of Elastic Beam and HiveMQ as joint solution includes these components:

  • A variety of MQTT clients connected to the backend with either plain MQTT (with TLS) or websockets (with TLS). Communication via both channels is possible simultaneously
  • One or more Elastic Beam Secure Proxy nodes terminate TLS traffic, block compromised clients and route the traffic to the MQTT brokers
  • Multiple HiveMQ MQTT broker cluster nodes for high availability and scalability
  • (optional) Enterprise applications that are connected to the MQTT brokers either via Enterprise Integrations, plain MQTT or Shared Subscriptions. They can connect directly to the MQTT brokers or via the Elastic Beam load balancer, depending on the requirements

Easy Integration

Both Elastic Beam and HiveMQ are easy to install: download the software and run the start script for each product.

For a kickstart with Elastic Beam and HiveMQ, there is an official HiveMQ Elastic Beam Integration Plugin available. With that HiveMQ plugin installed, Elastic Beam is able to integrate with the MQTT broker and can detect topology changes if nodes are unavailable.

Application Note

To learn more about the Elastic Beam and HiveMQ integration, we recommend downloading the application note, which includes details about the solution, the reference architecture and benchmarks.

Download the application note

KickassTorrents’ Connections to the US Doomed the Site

Post Syndicated from Andy original https://torrentfreak.com/kickasstorrents-connections-to-the-us-doomed-the-site-160723/

To the huge disappointment of millions of BitTorrent users, KickassTorrents disappeared this week following an investigation by the Department of Homeland Security in the United States.

With a huge hole now present at the top of the torrent landscape, other sites plus interested groups and individuals will be considering their options. Step up their game and take over the top slot? Cautiously maintain the status quo? Or pull out altogether…

Make no mistake, this is a game of great reward, matched only by the risk. If the DHS complaint is to be believed, Kickass made tens of millions of euros, enough to tempt even the nerviest of individuals. But while that might attract some, is avoiding detection almost impossible these days?

The complaint against KAT shows that while not inevitable, it’s becoming increasingly difficult. It also shows that carelessness plays a huge part in undermining security and that mistakes made by others in the past are always worth paying attention to.

Servers in the United States

Perhaps most tellingly, in the first instance KAT failed to learn from the ‘mistakes’ made by Megaupload. While the cases are somewhat dissimilar, both entities chose to have a US presence for at least some of their servers. This allowed US authorities to get involved. Not a great start.

“[Since 2008], KAT has relied on a network of computer servers around the world to operate, including computer servers located in Chicago, Illinois,” the complaint against the site reads.

The Chicago servers weren’t trivial either.

“According to a reverse DNS search conducted by the hosting company on or about May 5, 2015, that server was the mail client ‘mail.kat.ph’.”

Torrent site mail servers. In the United States. What could possibly go wrong?

In a word? Everything. In January 2016, DHS obtained a search warrant and cloned the Chicago servers. Somewhat unsurprisingly this gifted investigating agent Jared Der-Yeghiayan (the same guy who infiltrated Silk Road) valuable information.

“I located multiple files that contained unique user information, access logs, and other information. These files include a file titled ‘passwd’ located in the ‘etc’ directory, which was last accessed on or about January 13, 2016, and which identified the users who had access to the operating system,” Der-Yeghiayan said.

Servers in Canada

KAT also ran several servers hosted with Montreal-based Netelligent Hosting Services. There too, KAT was vulnerable.

In response to a Mutual Legal Assistance Treaty request, in April 2016 the Royal Canadian Mounted Police obtained business records associated with KAT’s account and made forensic images of the torrent site’s hard drives.

Why KAT chose Netelligent isn’t clear, but the site should have been aware that the hosting company would be forced to comply with law enforcement requests. After all, it had happened at least once before in a case involving Swedish torrent site, Sparvar.

Mistakes at the beginning

When pirate sites first launch, few admins expect them to become world leaders. If they did, they’d probably approach things a little differently at the start. In KAT’s case, alleged founder Artem Vaulin registered several of the site’s domains in his own name, information that was happily handed to the DHS by US-based hosting company GoDaddy.

Vaulin also used a Gmail account, operated by US-based Google. The complaint doesn’t explicitly say that Google handed over information, but it’s a distinct possibility. In any event, an email sent from that account in 2009 provided a helpful bridge to investigators.

“I changed my gmail. now it’s admin@kickasstorrents.com,” it read.

Forging further connections from his private email accounts to those operated from KAT, in 2012 Vaulin sent ‘test’ emails from KAT email addresses to his Apple address. This, HSI said, signaled the point that Vaulin began using KAT emails for business.

No time to relax, even socially

In addition to using an email account operated by US-based Apple (in which HSI found Vaulin’s passport and driver’s license details, plus his banking info), the Ukrainian also had an iTunes account.

Purchases he made there were logged by Apple, down to the IP address. Then, thanks to information provided by US-based Facebook (notice the recurring Stateside theme?), HSI were able to match that same IP address against a login to KAT’s Facebook page.

Anonymous Bitcoin – not quite

If the irony of the legitimate iTunes purchases didn’t quite hit the spot, the notion that Bitcoin could land someone in trouble should tick all the boxes. According to the complaint, US-based Bitcoin exchange Coinbase handed over information on Vaulin’s business to HSI.

“Records received from the bitcoin exchange company Coinbase revealed that the KAT Bitcoin Donation Address sent bitcoins it received to a user’s account maintained at Coinbase. This account was identified as belonging to Artem Vaulin located in Kharkov, Ukraine,” it reads.

Final thoughts

For a site that the US Government had always insisted was operating overseas, KickassTorrents clearly had a huge number of United States connections. This appears to have made the investigation much simpler than it would have been had the site and its owner maintained a presence solely in Eastern Europe.

Why the site chose to maintain these connections despite the risks might never be answered, but history has shown us time and again that US-based sites are not only vulnerable but also open to the wrath of the US Government. With decades of prison time at stake, that is clearly bad news.

But for now at least, Vaulin is being detained in Poland, waiting to hear of his fate. Whether or not he’ll quickly be sent to the United States is unclear, but it seems unlikely that a massively prolonged Kim Dotcom-style extradition battle is on the agenda. A smaller one might be, however.

While the shutdown of KAT and the arrest of its owner came out of the blue, the writing has always been on the wall. The shutdown is just one of several momentous ‘pirate’ events in the past 18 months including the closure (and resurrection) of The Pirate Bay, the dismantling of the main Popcorn Time fork, and the end of YTS/YIFY.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Solarmovie Disappears Following KAT Shutdown

Post Syndicated from Andy original https://torrentfreak.com/solarmovie-disappears-following-kat-shutdown-160721/

In the most dramatic turn of events since the raid of The Pirate Bay in December 2014, KickassTorrents went dark yesterday.

Previously the world’s largest torrent site, KAT shut down following the arrest of its alleged founder. Artem Vaulin, a 30-year-old from Ukraine, was arrested in Poland after his entire operation had been well and truly compromised by the Department of Homeland Security (DHS).

When large sites are raided it is common for other sites in a similar niche to consider their positions. This phenomenon was illustrated perfectly when the 2012 raids on Megaupload resulted in sites such as BTjunkie taking the decision to shut down.

At this point, most other torrent sites seem fairly stable but there appears to have been at least one ‘pirate’ casualty following yesterday’s drama.

For many years, Solarmovie has been one of the most visible and visited ‘pirate’ streaming portals. Like many others, the site has had its fair share of domain issues, starting out at .COM and more recently ending up at .PH. However, sometime during the past few hours, Solarmovie disappeared.


No official announcement concerning the site’s fate has been made but it’s clear from the criminal complaint filed against KickassTorrents that Artem Vaulin had close connections to Solarmovie.

As reported yesterday, the Department of Homeland Security obtained a copy of KickassTorrents’ servers from its Canadian host and also gained access to the site’s servers in Chicago. While conducting his inquiries, the Special Agent handling the case spotted an email address for the person responsible for renting KAT’s servers.

Further investigation of Vaulin’s Apple email account showed the Ukrainian corresponding with this person back in 2010.

“The subject of the email was ‘US Server’ and stated: ‘Hello, here is access to the new server’ followed by a private and public IP address located in Washington DC, along with the user name ‘root’ and a password,” the complaint reveals.

Perhaps tellingly, the IP address provided by this individual to Vaulin was found to have hosted Solarmovie.com from August 2010 through to April 2011. Furthermore, up until just last month, the IP address was just one away from an IP address used to host KickassTorrents.

“As of on or about June 27, 2016, one of the IP addresses hosting solarmovie.ph was one IP address away (185.47.10.11) from an IP address that was being used to host KAT (185.47.10.12 and 185.47.10.13),” the complaint adds.

While none of the above is proof alone that Vaulin was, for example, the owner of Solarmovie, it’s clear that at some point he at least had some connections with the site or its operator.

On the other hand, in torrent and streaming circles it’s common for people to use services already being used by others they know and trust, so that might provide an explanation for the recent IP address proximity.

In any event, last night’s shutdown of Solarmovie probably indicates that the heat in the kitchen has become just a little too much. Expect more fallout in the days to come.


Canadian Man Behind Popular ‘Orcus RAT’

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/

Far too many otherwise intelligent and talented software developers these days apparently think they can get away with writing, selling and supporting malicious software and then couching their commerce as a purely legitimate enterprise. Here’s the story of how I learned the real-life identity of the Canadian man who’s laboring under that same illusion as proprietor of one of the most popular and affordable tools for hacking into someone else’s computer.

Earlier this week I heard from Daniel Gallagher, a security professional who occasionally enjoys analyzing new malicious software samples found in the wild. Gallagher said he and members of @malwrhunterteam and @MalwareTechBlog recently got into a Twitter fight with the author of Orcus RAT, a tool they say was explicitly designed to help users remotely compromise and control computers that don’t belong to them.


A still frame from a Youtube video demonstrating Orcus RAT’s keylogging ability to steal passwords from Facebook and other sites.

The author of Orcus — a person going by the nickname “Ciriis Mcgraw” a.k.a. “Armada” on Twitter and other social networks — claimed that his RAT was in fact a benign “remote administration tool” designed for use by network administrators and not a “remote access Trojan” as critics charged. Gallagher and others took issue with that claim, pointing out that they were increasingly encountering computers that had been infected with Orcus unbeknownst to the legitimate owners of those machines.

The malware researchers noted another reason that Mcgraw couldn’t so easily distance himself from how his clients used the software: He and his team are providing ongoing technical support and help to customers who have purchased Orcus and are having trouble figuring out how to infect new machines or hide their activities online.

What’s more, the range of features and plugins supported by Armada, they argued, go well beyond what a system administrator would look for in a legitimate remote administration client like Teamviewer, including the ability to launch a keylogger that records the victim’s every computer keystroke, as well as a feature that lets the user peek through a victim’s Web cam and disable the light on the camera that alerts users when the camera is switched on.

A new feature of Orcus announced July 7 lets users configure the RAT so that it evades digital forensics tools used by malware researchers, including an anti-debugger and an option that prevents the RAT from running inside of a virtual machine.

Other plugins offered directly from Orcus’s tech support page (PDF) and authored by the RAT’s support team include a “survey bot” designed to “make all of your clients do surveys for cash;” a “USB/.zip/.doc spreader,” intended to help users “spread a file of your choice to all clients via USB/.zip/.doc macros;” a “Virustotal.com checker” made to “check a file of your choice to see if it had been scanned on VirusTotal;” and an “Adsense Injector,” which will “hijack ads on pages and replace them with your Adsense ads and disable adblocker on Chrome.”

WHO IS ARMADA?

Gallagher said he was so struck by the guy’s “smugness” and sheer chutzpah that he decided to look closer at any clues that Ciriis Mcgraw might have left behind as to his real-world identity and location. Sure enough, he found that Ciriis Mcgraw also has a Youtube account under the same name, and that a video Mcgraw posted in July 2013 pointed to a 33-year-old security guard from Toronto, Canada.

Gallagher noticed that the video — a bystander recording on the scene of a police shooting of a Toronto man — included a link to the domain policereview[dot]info. A search of the registration records attached to that Web site name shows that the domain was registered to a John Revesz in Toronto and to the email address john.revesz@gmail.com.

A reverse WHOIS lookup ordered from Domaintools.com shows the same john.revesz@gmail.com address was used to register at least 20 other domains, including “thereveszfamily.com,” “johnrevesz.com,” “revesztechnologies[dot]com” and, perhaps most tellingly, “lordarmada.info”.

Johnrevesz[dot]com is no longer online, but this cached copy of the site from the indispensable archive.org includes his personal résumé, which states that John Revesz is a network security administrator whose most recent job in that capacity was as an IT systems administrator for TD Bank. Revesz’s LinkedIn profile indicates that for the past year at least he has served as a security guard for GardaWorld International Protective Services, a private security firm based in Montreal.

Revesz’s CV also says he’s the owner of the aforementioned Revesz Technologies, but it’s unclear whether that business actually exists; the company’s Web site currently redirects visitors to a series of sites promoting spammy and scammy surveys, come-ons and giveaways.

IT’S IN THE EULA, STUPID!

Contacted by KrebsOnSecurity, Revesz seemed surprised that I’d connected the dots, but beyond that did not try to disavow ownership of the Orcus RAT.

“Profit was never the intentional goal, however with the years of professional IT networking experience I have myself, knew that proper correct development and structure to the environment is no free venture either,” Revesz wrote in reply to questions about his software. “Utilizing my 15+ years of IT experience I have helped manage Orcus through its development.”

Revesz continued:

“As for your legalities question.  Orcus Remote Administrator in no ways violates Canadian laws for software development or sale.  We neither endorse, allow or authorize any form of misuse of our software.  Our EULA [end user license agreement] and TOS [terms of service] is very clear in this matter. Further we openly and candidly work with those prudent to malware removal to remove Orcus from unwanted use, and lock out offending users which may misuse our software, just as any other company would.”

Revesz said none of the aforementioned plugins were supported by Orcus, and were all developed by third-party developers, and that “Orcus will never allow implementation of such features, and or plugins would be outright blocked on our part.”

In an apparent contradiction to that claim, plugins that allow Orcus users to disable the Webcam light on a computer running the software and one that enables the RAT to be used as a “stresser” to knock sites and individual users offline are available directly from Orcus Technologies’ Github page.

Revesz also offers a service to help people cover their tracks online. Using his alter ego “Armada” on the hacker forum Hackforums[dot]net, Revesz sells a “bulletproof dynamic DNS service” that promises not to keep records of customer activity.

Dynamic DNS services allow users to have Web sites hosted on servers that frequently change their Internet addresses. This type of service is useful for people who want to host a Web site on a home-based Internet address that may change from time to time, because dynamic DNS services can be used to easily map the domain name to the user’s new Internet address whenever it happens to change.


Unfortunately, these dynamic DNS providers are extremely popular in the attacker community, because they allow bad guys to keep their malware and scam sites up even when researchers manage to track the attacking IP address and convince the ISP responsible for that address to disconnect the malefactor. In such cases, dynamic DNS allows the owner of the attacking domain to simply re-route the attack site to another Internet address that he controls.

Free dynamic DNS providers tend to report or block suspicious or outright malicious activity on their networks, and may well share evidence about the activity with law enforcement investigators. In contrast, Armada’s dynamic DNS service is managed solely by him, and he promises in his ad on Hackforums that the service — to which he sells subscriptions of various tiers for between $30-$150 per year — will not log customer usage or report anything to law enforcement.
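As an added example, not from the Krebs article or from any vendor, here is a resolver-log check for the behaviour described above: a hostname that keeps moving between unrelated networks on a short TTL, or that lives under a dynamic DNS provider zone you have chosen to watch. The log line format, the watched zone list and the sample lines are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Resolver log format assumed for this example (constructed, not any real
# resolver's format): timestamp, client, queried name, record type, TTL, answer.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<name>\S+) A ttl=(?P<ttl>\d+) answer=(?P<ip>\S+)$"
)

# Constructed sample lines: one host hopping across three /24s on a 60 s TTL,
# one CDN-style host whose three answers sit inside a single /24, one static host.
SAMPLE_LOG = """\
2016-07-20T10:00:01 client=10.0.0.5 q=c2.dyn.example A ttl=60 answer=203.0.113.10
2016-07-20T10:02:14 client=10.0.0.5 q=c2.dyn.example A ttl=60 answer=198.51.100.22
2016-07-20T10:05:40 client=10.0.0.9 q=c2.dyn.example A ttl=60 answer=192.0.2.77
2016-07-20T10:01:00 client=10.0.0.7 q=stage.dyn.example A ttl=60 answer=203.0.113.40
2016-07-20T10:01:03 client=10.0.0.7 q=cdn.example-cdn.test A ttl=60 answer=203.0.113.50
2016-07-20T10:03:03 client=10.0.0.7 q=cdn.example-cdn.test A ttl=60 answer=203.0.113.51
2016-07-20T10:05:03 client=10.0.0.8 q=cdn.example-cdn.test A ttl=60 answer=203.0.113.52
2016-07-20T10:04:00 client=10.0.0.5 q=www.example-shop.test A ttl=3600 answer=192.0.2.200
this line is garbage and is skipped
"""

# Zones of dynamic DNS providers you have decided to watch (constructed name).
WATCHED_ZONES = {"dyn.example"}


def parse_log(text):
    """Yield (client, name, ttl, ip) for every line that matches LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield (m["client"], m["name"].lower().rstrip("."), int(m["ttl"]),
                   ipaddress.ip_address(m["ip"]))


def parent_zone(name, labels=2):
    """Last `labels` labels of a name. A public-suffix list would be the real
    thing; two labels are enough for the sample zones used here."""
    return ".".join(name.split(".")[-labels:])


def flag_dynamic_dns(text, watched_zones, max_ttl=300, min_networks=3):
    """Return {hostname: [reasons]} for names that look like dynamic DNS.

    Two signals: the zone belongs to a watched provider, or the name has moved
    between at least `min_networks` distinct networks on a short TTL.
    """
    stats = defaultdict(lambda: {"nets": set(), "ips": set(), "max_ttl": 0})
    for _client, name, ttl, ip in parse_log(text):
        s = stats[name]
        prefix = 24 if ip.version == 4 else 48  # group answers by allocation
        s["ips"].add(ip)
        s["nets"].add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        s["max_ttl"] = max(s["max_ttl"], ttl)
    findings = {}
    for name, s in stats.items():
        reasons = []
        if parent_zone(name) in watched_zones:
            reasons.append(f"zone {parent_zone(name)} is a watched dynamic-DNS provider")
        if len(s["nets"]) >= min_networks and s["max_ttl"] <= max_ttl:
            reasons.append(f"{len(s['ips'])} answers across {len(s['nets'])} networks with ttl<={max_ttl}")
        if reasons:
            findings[name] = reasons
    return findings
```

CDNs and anycast services also rotate answers, so a rule like this belongs behind an allowlist and is a triage signal rather than a verdict; the per-network grouping is there precisely so that a CDN cycling through one allocation does not trip it.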

According to writeups by Kaspersky Lab and Heimdal Security, Revesz’s dynamic DNS service has been seen used in connection with malicious botnet activity by another RAT known as Adwind.  Indeed, Revesz’s service appears to involve the domain “nullroute[dot]pw”, which is one of 21 domains registered to a “Ciriis Mcgraw,” (as well as orcus[dot]pw and orcusrat[dot]pw).

I asked Gallagher (the researcher who originally tipped me off about Revesz’s activities) whether he was persuaded at all by Revesz’s arguments that Orcus was just a tool and that Revesz wasn’t responsible for how it was used.

Gallagher said he and his malware researcher friends had private conversations with Revesz in which he seemed to acknowledge that some aspects of the RAT went too far, and promised to release software updates to remove certain objectionable functionalities. But Gallagher said those promises felt more like the actions of someone trying to cover himself.

“I constantly try to question my assumptions and make sure I’m playing devil’s advocate and not jumping the gun,” Gallagher said. “But I think he’s well aware that what he’s doing is hurting people, it’s just now he knows he’s under the microscope and trying to do and say enough to cover himself if it ever comes down to him being questioned by law enforcement.”

Can KickassTorrents Make a Comeback?

Post Syndicated from Ernesto original https://torrentfreak.com/can-kickasstorrents-make-a-comeback-160721/

Founded in 2009, KickassTorrents (KAT) grew out to become the largest torrent site on the Internet with millions of visitors a day.

As a result, copyright holders and law enforcement have taken aim at the site in recent years. This resulted in several ISP blockades around the world, but yesterday the big hit came when the site’s alleged founder was arrested in Poland.

Soon after the news was made public KAT disappeared, leaving its users without their favorite site. The question that’s on many people’s minds right now is whether the site will make a Pirate Bay-style comeback.

While it’s impossible to answer this question with certainty, the odds can be more carefully weighed by taking a closer look at the events that led up to the bust and what may follow.

First off, KickassTorrents is now down across all the site’s official domain names. This downtime seems to be voluntary in part, as the authorities haven’t seized the servers. Also, several domains are still in the hands of the KAT-team.

That said, the criminal complaint filed in the U.S. District Court in Chicago does reveal that KAT has been heavily compromised (pdf).

According to the feds, Artem Vaulin, a 30-year-old from Ukraine, is the key player behind the site. Over the years, he obfuscated his connections to the site, but several operational security lapses eventually revealed his identity.

With help from several companies in the United States and abroad, Homeland Security Investigations (HSI) agent Jared Der-Yeghiayan identified the Ukrainian as the driving force behind the site.

The oldest traces to Vaulin are the WHOIS records for various domains, registered in his name in early 2009.

“A review of historical Whois information for KAT….identified that it was registered on or about January 19, 2009, to Artem Vaulin with an address located in Kharkiv, Ukraine,” the affidavit reads.

This matches with records obtained from domain registrar GoDaddy, which indicate that Vaulin purchased three KAT-related domain names around the same time.

The agent further uncovered that the alleged KAT founder used an email address with the nickname “tirm.” The same name was listed as KAT’s “owner” on the site’s “People” page in the early days, but was eventually removed in 2011.

Tirm on KAT’s people page


The HSI agent also looked at several messages posted on KAT, which suggest that “tirm” was actively involved in operating the site.

“As part of this investigation, I also reviewed historical messages posted by tirm, KAT’s purported ‘Owner.’ These postings and others indicate that tirm was actively engaged in the early running of KAT in addition to being listed as an administrator and the website’s owner,” the HSI agent writes.

Assisted by Apple and Facebook, the feds were then able to strengthen the link between Vaulin, tirm, and his involvement in the site.

Facebook, for example, handed over IP-address logs from the KAT fanpage. With help from Apple, the investigator was then able to cross-reference this with an IP-address Vaulin used for an iTunes transaction.

“Records provided by Apple showed that tirm@me.com conducted an iTunes transaction using IP Address 109.86.226.203 on or about July 31, 2015. The same IP Address was used on the same day to login into the KAT Facebook Account.”

In addition, Apple appears to have handed over private email conversations which reference KAT, dating back several years. These emails also mention a “kickasstorrent payment,” which is believed to be revenue related.

“I identified a number of emails in the tirm@me.com account relating to Vaulin’s operation of KAT. In particular, between on or about June 8, 2010, and on or about September 3, 2010,” the HSI agent writes.

More recent records show that an IP-address linked to KAT’s Facebook page was also used to access Vaulin’s Coinbase account, suggesting that the Bitcoin exchange’s records also assisted in the investigation.

“Notably, IP address 78.108.178.77 accessed the KAT Facebook Account about a dozen times in September and October 2015. This same IP Address was used to login to Vaulin’s Coinbase account 47 times between on or about January 28, 2014, through on or about November 13, 2014.”
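The technique behind these matches, and behind the one in the earlier article on KAT’s US connections (the iTunes purchase IP matched against a Facebook login), is a join across independently obtained records on the IP address, optionally within a time window. The following is an added example with constructed records and RFC 5737 documentation addresses, not the complaint’s data or any investigator’s tooling; it also includes the “one IP address away” check quoted in the Solarmovie article above, exercised with the addresses cited there.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (documentation addresses, not figures from the
# complaint): (source, account, ip, timestamp) as a provider might return
# them in response to a records request.
RECORDS = [
    ("facebook", "fanpage:site", "192.0.2.10", "2015-07-31T09:12:00"),
    ("facebook", "fanpage:site", "198.51.100.7", "2015-09-14T21:03:00"),
    ("facebook", "fanpage:site", "198.51.100.7", "2015-10-02T19:40:00"),
    ("apple", "personal@example.invalid", "192.0.2.10", "2015-07-31T11:45:00"),
    ("apple", "personal@example.invalid", "203.0.113.5", "2015-08-02T08:00:00"),
    ("exchange", "personal-wallet", "198.51.100.7", "2015-10-02T20:15:00"),
    ("exchange", "personal-wallet", "198.51.100.7", "2014-11-13T20:15:00"),
    ("exchange", "other-customer", "203.0.113.99", "2015-07-31T09:00:00"),
]


def _parse(records):
    return [(src, acct, ipaddress.ip_address(ip), datetime.fromisoformat(ts))
            for src, acct, ip, ts in records]


def correlate_by_ip(records, anchor_account, window=timedelta(days=1)):
    """Other accounts seen from an IP that `anchor_account` also used.

    With a `window`, the two events must fall within that much of each other
    (a strong link: same address, same day); window=None accepts any overlap
    in time. Returns sorted (ip, source, account) tuples.
    """
    rows = _parse(records)
    by_ip = defaultdict(list)
    for src, acct, ip, ts in rows:
        by_ip[ip].append((src, acct, ts))
    links = set()
    for src, acct, ip, ts in rows:
        if acct != anchor_account:
            continue
        for other_src, other_acct, other_ts in by_ip[ip]:
            if other_acct == anchor_account:
                continue
            if window is None or abs(other_ts - ts) <= window:
                links.add((str(ip), other_src, other_acct))
    return sorted(links)


def adjacent_ips(a, b, max_distance=1):
    """True when two addresses are within `max_distance` of each other, the
    'one IP address away' relationship used to tie hosts to one allocation."""
    x, y = ipaddress.ip_address(a), ipaddress.ip_address(b)
    return x.version == y.version and abs(int(x) - int(y)) <= max_distance
```

A shared address proves far less than it suggests: carrier-grade NAT, corporate proxies and VPN exits put thousands of unrelated people behind one IP, so the time window and the number of independent sources agreeing are what turn an IP match into evidence.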

As for the business side, the complaint mentions a variety of ad payments, suggesting that KAT made more than twelve million dollars in revenue per year.

It also identifies the company Cryptoneat as KAT’s front. The Cryptoneat.com domain was registered by Vaulin and LinkedIn lists several employees of the company who were involved in the early development of the site.

“Many of the employees found on LinkedIn who present themselves as working for Cryptoneat are the same employees who received assignments from Vaulin in the KAT alert emails,” the complaint reads.

Interestingly, none of the other employees are identified or charged.

To gather further information on the money side, the feds also orchestrated an undercover operation where they posed as an advertiser. This revealed details of several bank accounts, with one receiving over €28 million in roughly six and a half months.

“Those records reflect that the Subject Account received a total of approximately €28,411,357 in deposits between on or about August 28, 2015, and on or about March 10, 2016.”

Bank account


Finally, and crucially, the investigators issued a warrant directed at the Canadian webhost of KickassTorrents. This was one of the biggest scores as it provided them with full copies of KAT’s hard drives, including the email server.

“I observed […] that they were all running the same Linux Gentoo operating system, and that they contained files with user information, SSH access logs, and other information, including a file titled ‘passwd’ located in the ‘etc’ directory,” the HSI agent writes.

“I also located numerous files associated with KAT, including directories and logs associated to their name servers, emails and other files,” he adds.
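The triage the agent describes, listing who could log in from the passwd file and reading the SSH access logs, is routine when working from a disk image. Here is an added example of that step, not HSI’s procedure or tooling, over a constructed passwd file and constructed sshd log lines: it lists interactive accounts, checks for a second UID 0 account, and tallies accepted and failed SSH authentications by user and source IP.

```python
import re
from collections import defaultdict

# Constructed /etc/passwd and sshd auth log, not data from any seized image.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1001:1001:Deploy:/home/deploy:/bin/bash
toor:x:0:0::/root:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false
"""

AUTH_LOG = """\
Jan 12 03:12:44 srv1 sshd[2211]: Accepted publickey for root from 203.0.113.9 port 51234 ssh2: RSA SHA256:abc
Jan 12 03:20:01 srv1 sshd[2250]: Accepted password for deploy from 198.51.100.4 port 40011 ssh2
Jan 12 03:21:17 srv1 sshd[2260]: Failed password for invalid user admin from 198.51.100.4 port 40020 ssh2
Jan 13 22:02:09 srv1 sshd[3102]: Accepted publickey for root from 203.0.113.9 port 51990 ssh2: RSA SHA256:abc
Jan 13 22:05:00 srv1 CRON[3120]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Yield one dict per well-formed passwd entry (7 colon-separated fields)."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            continue
        yield {"name": f[0], "uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]}


def interactive_accounts(text):
    """Names of accounts whose shell allows an interactive login."""
    return [a["name"] for a in parse_passwd(text) if a["shell"] not in NOLOGIN_SHELLS]


def extra_uid0(text):
    """Names other than root with UID 0: the classic 'toor' style backdoor."""
    return [a["name"] for a in parse_passwd(text) if a["uid"] == 0 and a["name"] != "root"]


# Matches OpenSSH's "Accepted <method> for <user> from <ip> port <n>" and the
# corresponding "Failed ..." lines, including the "invalid user" variant.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def ssh_logins(auth_text):
    """{user: {'accepted': {ip: count}, 'failed': {ip: count}}} from sshd lines."""
    summary = defaultdict(lambda: {"accepted": defaultdict(int), "failed": defaultdict(int)})
    for line in auth_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            summary[m["user"]][m["result"].lower()][m["ip"]] += 1
    return summary
```

The source IPs in the accepted logins are the part that matters for attribution: they are the addresses an operator actually administered the box from, which is exactly the kind of record the complaint cross-references against provider logs elsewhere.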

Considering all the information U.S. law enforcement has in its possession, it’s doubtful that KAT will resume its old operation anytime soon.

Technically it won’t be hard to orchestrate a Pirate Bay-style comeback, as there are probably some backups available. However, now that the site has been heavily compromised and an ongoing criminal investigation is underway, it would be a risky endeavor.

Similarly, uploaders and users may also worry about what information the authorities have in their possession. The complaint cites private messages that were sent through KAT, suggesting that the authorities have access to a significant amount of data.

While regular users are unlikely to be targeted, the information may prove useful for future investigations into large-scale uploaders. More clarity on this, the site’s future, and what it means for the torrent ecosystem should emerge when the dust settles.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Feds Seize KickassTorrents Domains, Arrest Owner

Post Syndicated from Ernesto original https://torrentfreak.com/feds-seize-kickasstorrents-domains-charge-owner-160720/

With millions of unique visitors per day KickassTorrents (KAT) has become the most-used torrent site on the Internet, beating even The Pirate Bay.

Today, however, the site has run into a significant roadblock after U.S. authorities announced the arrest of the site’s alleged owner.

The 30-year-old Artem Vaulin, from Ukraine, was arrested today in Poland from where the United States has requested his extradition.

In a criminal complaint filed in U.S. District Court in Chicago, the owner is charged with conspiracy to commit criminal copyright infringement, conspiracy to commit money laundering, and two counts of criminal copyright infringement.


The complaint further reveals that the feds posed as an advertiser, which revealed a bank account associated with the site.

It also shows that Apple handed over personal details of Vaulin after the investigator cross-referenced an IP-address used for an iTunes transaction with an IP-address that was used to login to KAT’s Facebook account.

“Records provided by Apple showed that tirm@me.com conducted an iTunes transaction using IP Address 109.86.226.203 on or about July 31, 2015. The same IP Address was used on the same day to login into the KAT Facebook,” the complaint reads.

In addition to the arrest in Poland, the court also granted the seizure of a bank account associated with KickassTorrents, as well as several of the site’s domain names.

Commenting on the announcement, Assistant Attorney General Caldwell said that KickassTorrents helped to distribute over $1 billion in pirated files.

“Vaulin is charged with running today’s most visited illegal file-sharing website, responsible for unlawfully distributing well over $1 billion of copyrighted materials.”

“In an effort to evade law enforcement, Vaulin allegedly relied on servers located in countries around the world and moved his domains due to repeated seizures and civil lawsuits. His arrest in Poland, however, demonstrates again that cybercriminals can run, but they cannot hide from justice.”

KAT’s .com and .tv domains are expected to be seized soon by Verisign. For the main Kat.cr domain as well as several others, seizure warrants will be sent to the respective authorities under the MLAT treaty.

At the time of writing the main domain name Kat.cr has trouble loading, but various proxies still appear to work. KAT’s status page doesn’t list any issues, but we assume that this will be updated shortly.

TorrentFreak has reached out to the KAT team for a comment on the news and what it means for the site’s future, but we have yet to hear back.

Breaking story, in depth updates will follow.


How to Use AWS CloudFormation to Automate Your AWS WAF Configuration with Example Rules and Match Conditions

Post Syndicated from Ben Potter original https://blogs.aws.amazon.com/security/post/Tx3NYSJHO8RK22S/How-to-Use-AWS-CloudFormation-to-Automate-Your-AWS-WAF-Configuration-with-Exampl

AWS WAF is a web application firewall that integrates closely with Amazon CloudFront (AWS’s content delivery network [CDN]). AWS WAF gives you control to allow or block traffic to your web applications by, for example, creating custom rules that block common attack patterns.

We recently announced AWS CloudFormation support for all current features of AWS WAF. This enables you to leverage CloudFormation templates to configure, customize, and test AWS WAF settings across all your web applications. Using CloudFormation templates can help you reduce the time required to configure AWS WAF. In this blog post, I will show you how to use CloudFormation to automate your AWS WAF configuration with example rules and match conditions.

AWS WAF overview

If you are not familiar with AWS WAF configurations, let me try to catch you up quickly. AWS WAF consists of three main components: a web access control list (web ACL), rules, and filters (also known as a match set). A web ACL is associated with a given CloudFront distribution. Each web ACL is a collection of one or more rules, and each rule can have one or more match conditions, which are composed of one or more filters. The filters inspect components of the request (such as its headers or URI) to match for certain match conditions.

Solution overview

The solution in this blog post uses AWS CloudFormation in an automated fashion to provision, update, and optionally delete the components that form the AWS WAF solution. The CloudFormation template will deploy the following rules and conditions as part of this solution:

  • A manual IP rule that contains an empty IP match set that must be updated manually with IP addresses to be blocked.
  • An auto IP rule that contains an empty IP match condition for optionally implementing an automated AWS Lambda function, such as is shown in How to Import IP Address Reputation Lists to Automatically Update AWS WAF IP Blacklists and How to Use AWS WAF to Block IP Addresses That Generate Bad Requests.
  • A SQL injection rule and condition to match SQL injection-like patterns in URI, query string, and body.
  • A cross-site scripting rule and condition to match XSS-like patterns in URI and query string.
  • A size-constraint rule and condition to match requests with a URI or query string of 8192 bytes or more, which may assist in mitigating buffer overflow type attacks.
  • ByteHeader rules and conditions (split into two sets) to match user agents that include spiders for non–English-speaking countries that are commonly blocked in a robots.txt file, such as sogou, baidu, and etaospider, and tools that you might choose to monitor use of, such as wget and cURL. Note that the WordPress user agent is included because it is used commonly by compromised systems in reflective attacks against non–WordPress sites.
  • ByteUri rules and conditions (split into two sets) to match request strings containing install, update.php, wp-config.php, and internal functions including $password, $user_id, and $session.
  • A whitelist IP condition (empty) is included and added as an exception to the ByteURIRule2 rule as an example of how to block unwanted user agents, unless they match a list of known good IP addresses.

All example rules configured by the template as part of the solution will count requests that match the rules for you to test with your web application. This template makes use of CloudFormation to provide a modular, manageable method of creating and updating nested stacks. A nested stack aligns with CloudFormation best practices to separate common components for reuse and ensure you do not reach the template body size limit, which is currently 51,200 bytes. All rules and conditions in this CloudFormation template are referenced with a resource reference number internal to the stack for each resource (for example, ByteBodyCondition1), so you can easily duplicate and extend each component. As with any example CloudFormation template, you can edit and reuse the template to suit your needs.
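A condensed template showing that three-level model (web ACL, rules, match conditions), written for this page as an added example rather than taken from the aws-waf-sample repository. The resource and metric names (ExampleSqlInjectionRule and so on), the 192.0.2.0/24 whitelist default, the 8192-byte URI limit and the choice of wget and curl as user agents are assumptions; every rule takes its action from a single COUNT/BLOCK parameter, and the user-agent rule carries a negated IP set so whitelisted addresses bypass it:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - classic AWS WAF web ACL with parameterized COUNT/BLOCK rules (not the post's template)

Parameters:
  RuleAction:
    Type: String
    Default: COUNT
    AllowedValues: [COUNT, BLOCK]
    Description: COUNT only records matches; switch to BLOCK once sampled requests look clean
  WhiteListCIDR:
    Type: String
    Default: 192.0.2.0/24
    Description: Assumed RFC 5737 documentation range; classic WAF IPv4 sets accept /8, /16, /24 and /32 only
    AllowedPattern: '^\d{1,3}(\.\d{1,3}){3}/(8|16|24|32)$'
  MaxUriSize:
    Type: Number
    Default: 8192

Resources:
  # Condition: SQL injection-like patterns in URI, query string and body, URL-decoded first
  SqlInjectionCondition:
    Type: AWS::WAF::SqlInjectionMatchSet
    Properties:
      Name: ExampleSqlInjection
      SqlInjectionMatchTuples:
        - FieldToMatch: {Type: URI}
          TextTransformation: URL_DECODE
        - FieldToMatch: {Type: QUERY_STRING}
          TextTransformation: URL_DECODE
        - FieldToMatch: {Type: BODY}
          TextTransformation: URL_DECODE
  # Condition: URI length at or above MaxUriSize bytes
  SizeCondition:
    Type: AWS::WAF::SizeConstraintSet
    Properties:
      Name: ExampleSizeConstraint
      SizeConstraints:
        - ComparisonOperator: GE
          FieldToMatch: {Type: URI}
          Size: !Ref MaxUriSize
          TextTransformation: NONE
  # Condition: tooling User-Agent substrings, lower-cased before comparison
  UserAgentCondition:
    Type: AWS::WAF::ByteMatchSet
    Properties:
      Name: ExampleUserAgents
      ByteMatchTuples:
        - FieldToMatch: {Type: HEADER, Data: user-agent}
          PositionalConstraint: CONTAINS
          TargetString: wget
          TextTransformation: LOWERCASE
        - FieldToMatch: {Type: HEADER, Data: user-agent}
          PositionalConstraint: CONTAINS
          TargetString: curl
          TextTransformation: LOWERCASE
  # Condition: known-good source addresses, referenced negated below
  WhiteListCondition:
    Type: AWS::WAF::IPSet
    Properties:
      Name: ExampleWhiteList
      IPSetDescriptors:
        - {Type: IPV4, Value: !Ref WhiteListCIDR}
  SqlInjectionRule:
    Type: AWS::WAF::Rule
    Properties:
      Name: ExampleSqlInjectionRule
      MetricName: ExampleSqlInjectionRule
      Predicates:
        - {DataId: !Ref SqlInjectionCondition, Negated: false, Type: SqlInjectionMatch}
  SizeRule:
    Type: AWS::WAF::Rule
    Properties:
      Name: ExampleSizeRule
      MetricName: ExampleSizeRule
      Predicates:
        - {DataId: !Ref SizeCondition, Negated: false, Type: SizeConstraint}
  # Predicates within a rule are ANDed: the rule fires only when the UA matches
  # AND the source is NOT in the whitelist, which is the "exception" the post describes.
  UserAgentRule:
    Type: AWS::WAF::Rule
    Properties:
      Name: ExampleUserAgentRule
      MetricName: ExampleUserAgentRule
      Predicates:
        - {DataId: !Ref UserAgentCondition, Negated: false, Type: ByteMatch}
        - {DataId: !Ref WhiteListCondition, Negated: true, Type: IPMatch}
  # Rules are evaluated in Priority order; DefaultAction applies when none matches.
  WebACL:
    Type: AWS::WAF::WebACL
    Properties:
      Name: ExampleWebACL
      MetricName: ExampleWebACL
      DefaultAction: {Type: ALLOW}
      Rules:
        - {Priority: 1, RuleId: !Ref SqlInjectionRule, Action: {Type: !Ref RuleAction}}
        - {Priority: 2, RuleId: !Ref SizeRule, Action: {Type: !Ref RuleAction}}
        - {Priority: 3, RuleId: !Ref UserAgentRule, Action: {Type: !Ref RuleAction}}
```

Deploy it with `aws cloudformation deploy --template-file waf.yaml --stack-name AWSWafSample --parameter-overrides RuleAction=COUNT`, then re-run the same command with `RuleAction=BLOCK` once the sampled requests show no false positives; the web ACL's ID (`!Ref WebACL`) is what you associate with the distribution in Step 2. Two caveats: classic AWS WAF inspects only the first 8192 bytes of a request body, so the BODY tuple in the SQL injection set cannot see a payload placed beyond that point, which is a reason to pair it with a size constraint on the body as well as the URI; and these are the classic, CloudFront-scoped `AWS::WAF::*` resource types the post describes, not the later `AWS::WAFv2::*` family, which uses a different schema.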

The following architecture diagram shows the overview of this solution, which consists of a single web ACL and multiple rules with match conditions:

Descriptions of key details in the preceding diagram are as follows:

  1. Requests are resolved by DNS to CloudFront, configured with Web ACL to filter all requests.
  2. AWS WAF Web ACL evaluates each request with configured rules containing conditions.
  3. If a request matches a rule whose action is Block, AWS WAF returns an HTTP 403 (Forbidden) error to the client. If a request matches a rule whose action is Count, the match is recorded and the request is served.
  4. The origin configured in CloudFront serves allowed or counted requests.

Deploying the solution

Prerequisites

The following deployment steps assume that you already have a CloudFront distribution that you use to deliver content for your web applications. If you do not already have a CloudFront distribution, see Creating or Updating a Web Distribution Using the CloudFront Console. This solution also uses CloudFormation to simplify the provisioning process. For more information, see What is AWS CloudFormation?

Step 1: Create the example configuration CloudFormation stack

  1. To start the wizard that creates a CloudFormation stack, choose the link for the region in which you want to create AWS resources.
  2. If you are not already signed in to the AWS Management Console, sign in when prompted.
  3. On the Select Template page, choose Next.
  4. On the Specify Details page, specify the following values:

  • Stack name – You can use the default name AWSWafSample, or you can change the name. The stack name cannot contain spaces and must be unique within your AWS account.
  • WAF Web ACL Name – Specify a name for the web ACL that CloudFormation will create. The name that you specify is also used as a prefix for the match conditions and rules that CloudFormation will create, so you can easily find all of the related objects.
  • Action For All Rules – Specify the action for all rules. The default of COUNT will pass all requests and monitor, and BLOCK will block all requests that match.
  • White List CIDR – Specify a single IP range that will be allowed to bypass all rules in CIDR notation. Note that only /8, /16, /24, and /32 are accepted. For a single IP you would enter x.x.x.x/32, for example.
  • Max Size of URI – Select from the list an acceptable size limit for the URI of a request.
  • Max Size of Query String – Select from the list an acceptable size limit for the query string of a request.

  5. Choose Next.
  6. (Optional) On the Options page, enter tags and advanced settings, or leave the fields blank. Choose Next.
  7. On the Review page, review the configuration and then choose Create. CloudFormation then creates the AWS WAF resources.

Step 2: Update your CloudFront distribution settings

After CloudFormation creates the AWS WAF stack, associate the CloudFront distribution with the new AWS WAF web ACL.

To associate your CloudFront distribution with AWS WAF:

  1. Open the CloudFront console.
  2. In the top pane of the console, select the distribution for which you want AWS WAF to monitor requests. (If you do not already have a distribution, see Getting Started with CloudFront.)
  3. In the Distribution Settings pane, choose the General tab, and then choose Edit.
  4. In the AWS WAF Web ACL list, choose the web ACL that CloudFormation created for you in Step 1.
  5. Choose Yes, Edit to save your changes.

Step 3: (Optional) Delete your CloudFormation stack

If you want to delete the CloudFormation stack created in the previous steps (including example rules and match conditions):

  1. Open the CloudFormation console.
  2. Select the check box for the stack; the default name is AWSWafSample
  3. Choose Delete Stack from the Actions drop-down menu.
  4. Choose Yes, Delete to confirm.
  5. To track the progress of the stack deletion, select the check box for the stack, and choose the Events tab in the bottom pane.

Testing the solution

After creating the example CloudFormation stack (Step 1) and associating the AWS WAF web ACL with a CloudFront distribution (Step 2), you can monitor the web requests and determine if the rules require modification to suit your web application.

In the AWS WAF console, you can view a sample of the requests that CloudFront has forwarded to AWS WAF for inspection. For each sampled request, you can view detailed information about the request, such as the originating IP address and the headers included in the request. You can also view which rule the request matched, and whether the rule is configured to allow or block requests.

To view a sample of the web requests that CloudFront has forwarded to AWS WAF:

  1. Sign in to the AWS WAF console.
  2. In the navigation pane, click the name of the web ACL for which you want to view requests.
  3. In the right pane, choose the Requests tab. The Sampled requests table displays the following values for each request:

  • Source IP – Either the IP address that the request originated from or, if the viewer used an HTTP proxy or a load balancer to send the request, the IP address of the proxy or load balancer.
  • URI – The part of a URL that identifies a resource (for example, /images/daily-ad.jpg).
  • Matches rule – The first rule in the web ACL for which the web request matched all of the match conditions. If a web request does not match all of the conditions in any rule in the web ACL, the value of Matches rule is Default. Note that when a web request matches all of the conditions in a rule and the action for that rule is Count, AWS WAF continues inspecting the web request based on subsequent rules in the web ACL. In this case, a web request could appear twice in the list of sampled requests: once for the rule that has an action of Count, and again for a subsequent rule or the default action.
  • Action – Whether the action for the corresponding rule is Allow, Block, or Count.
  • Time – The time when AWS WAF received the request from CloudFront.

  4. To refresh the list of sample requests, choose Get new samples.

You may also want to analyze your CloudFront or web application log files for bots, scrapers, or generally unwanted behavior, and modify the rules and match conditions to block them. For further information about CloudFront logs, see Access Logs.

Finally, to enforce blocking of malicious requests for all rules:

  1. Open the CloudFormation console.
  2. Select the check box for the master stack. The default name is AWSWafSample.
  3. Choose Update Stack from the Actions drop-down menu.
  4. Choose Use Current Template and Next.
  5. Choose BLOCK for Actions for All Rules.
  6. Accept changes and choose Next.
  7. To track the progress of the stack update, select the check box for the stack, and choose the Events tab in the bottom pane.

A zipped version of the CloudFormation templates for the example stack and other AWS WAF example solutions are available in our GitHub repository: aws-waf-sample repository.

Summary

This blog post has shown you how to use CloudFormation to automate the configuration of a basic set of rules and match conditions to get started with AWS WAF. If you would like to see more sample rule sets for a specific platform or application, or if you have a comment about this blog post, submit a comment in the “Comments” section below. If you have questions about this blog post, please start a new thread on the AWS WAF forum.

– Ben

Automater – IP & URL OSINT Tool For Analysis

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/_-OKcJophfU/

Automater is a URL/domain, IP address, and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP, or hash) or a file full of targets, Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com,…

Read the full post at darknet.org.uk

Romanian Govt. Seizes Leading Pirate Site Domain

Post Syndicated from Andy original https://torrentfreak.com/romanian-govt-seizes-leading-pirate-site-domain-160711/

Over the past several years, many countries in mainly Western Europe have responded to pressure from US-based companies to act against Internet piracy.

In some cases, this has involved passing new legislation to make life harder for pirates but largely it has been left to national courts and informal industry-led stakeholders groups to decide how to deal with unauthorized distribution.

In Eastern Europe, anti-piracy activity is much more limited but now it appears that tough measures can be taken when the authorities see fit. According to reports coming out of Romania, the government has seized the domain of one of the country’s most popular streaming portals.

990.ro was among Romania’s top 100 most popular sites overall and looked like this before being shut down by the state.


A TorrentFreak reader familiar with the site confirmed that 990.ro was one of the most popular locations for streaming video, TV shows in particular.

“Game of Thrones episodes were live within just a few hours after airing, complete with new (local) translations. This site was huge, you could almost watch any TV show on the planet and about 90% of the latest movies,” he explained.

For now, however, the show(s) won’t go on. Following action by the government, 990.ro’s domain is now under the control of the Ministry of Justice and displays the following message.


While no notice was given of this seizure, the action didn’t entirely come out of the blue. In 2012, Romania’s Audiovisual Council (CNA) reported more than 40 ‘pirate’ movie and TV show websites to the police, demanding action to shut them down.

990.ro was among those reported. The list also included Vplay.ro, the largest site of its type at the time. That domain is also under the control of the Ministry of Justice. Many of the others mentioned have since shut down, moved to new domains and/or had old ones seized.

The action against 990.ro follows a similar crackdown carried out in June 2015 which received assistance from the FBI. Three sites were shut down then and several people were arrested.

Thus far there have been no reports of arrests following the latest domain seizure. However, more serious breaches of Romanian copyright law can be punishable by fines and jail sentences of up to four years.

Since 990.ro carried a lot of advertising, it wouldn’t be a surprise to hear that tax evasion and money laundering offenses are being investigated, just as they were following last year’s raids.

Local media initially reported that 990.ro is owned by Romanian news and entertainment portal Romania Online but the company is now denying the allegations.

“The 990.ro site does not belong and has never belonged to the company ROL ONLINE NETWORK SA or any other companies in the group ROL.ro,” the company said in a statement.

“The 990.ro site was one of the 145,232 customers of the FASTUPLOAD.ro free service that lets you store, transfer and view files. The FASTUPLOAD.ro site is the largest Romanian storage and file transfer service and operates under Romanian law.”

According to ROL.ro’s LinkedIn page, ROL.ro is indeed affiliated with FASTUPLOAD, but the company says that any liability lies with FASTUPLOAD, not with them.

A direct IP address for 990.ro has since ceased to function and there is no news of any return for the site.


How Una Got Her Stolen Laptop Back

Post Syndicated from Andy Klein original https://www.backblaze.com/blog/how-una-found-her-stolen-laptop/


Reading Peter’s post on getting your data ready for vacation travels reminded me of a story we recently received from a Backblaze customer. Una’s laptop was stolen and then traveled over multiple continents during the following year. Here’s Una’s story, in her own words, on how she got her laptop back. Enjoy.

Pulse Incident Number 10028192
(or: How Playing Computer Games Can Help You In Adulthood)

One day when I was eleven, my father arrived home with an object that looked like a briefcase made out of beige plastic. Upon lifting it, one realized it had the weight of, oh, around two elephants. It was an Ericsson ‘portable’ computer, one of the earliest prototypes of laptop. All my classmates had really cool and fashionable computer game consoles with amazing names like “Atari” and “Commodore”, beautifully vibrant colour displays, and joysticks. Our Ericsson had a display with two colours (orange and … dark orange), it used floppy discs that were actually floppy (remember those?), ran on DOS and had no hard drive (you had to load the operating system every single time you turned on the computer. Took around 10 minutes). I dearly loved this machine, however, and played each of the 6 games on it incessantly. One of these was “Where In The World Is Carmen Sandiego?” an educational game where a detective has to chase an archvillain around the world, using geographical and cultural references as clues to get to the next destination. Fast forward twenty years and…

It’s June 2013, I’m thirty years old, and I still love laptops. I live in Galway, Ireland; I’m a self-employed musician who works in a non-profit music school so the cash is tight, but I’ve splashed out on a Macbook Pro and I LOVE IT. I’m on a flight from Dublin to Dubai with a transfer in Turkey. I talk to the guy next to me, who has an Australian accent and mentions he’s going to Asia to research natural energy. A total hippy, I’m interested; we chat until the convo dwindles, I do some work on my laptop, and then I fall asleep.

At 11pm the plane lands in Turkey and we’re called off to transfer to a different flight. Groggy, I pick up my stuff and stumble down the stairs onto the tarmac. In the half-light beside the plane, in the queue for the bus to the terminal, I suddenly realize that I don’t have my laptop in my bag. Panicking, I immediately seek out the nearest staff member. “Please! I’ve left my laptop on the plane – I have to go back and get it!”

The guy says: “No. It’s not allowed. You must get on the bus, madam. The cabin crew will find it and put it in “Lost and Found” and send it to you.” I protest but I can tell he’s immovable. So I get on the bus, go into the terminal, get on another plane and fly to Dubai. The second I land I ring Turkish Air to confirm they’ve found my laptop. They haven’t. I pretty much stalk Turkish Air for the next two weeks to see if the laptop turns up, but to no avail. I travel back via the same airport (Ataturk International), and go around all three Lost and Found offices in the airport, but my laptop isn’t there amongst the hundreds of Kindles and iPads. I don’t understand.

As time drags on, the laptop doesn’t turn up. I report the theft in my local Garda station. The young Garda on duty is really lovely to me and gives me lots of empathy, but the fact that the laptop was stolen in airspace, in a foreign, non-EU country, does not bode well. I continue to stalk Turkish Airlines; they continue to stonewall me, so I get in touch with the Turkish Department for Consumer Affairs. I find a champion amongst them called Ece, who contacts Turkish Airlines and pleads on my behalf. Unfortunately they seem to have more stone walls in Turkey than there are in the whole of Co. Galway, and his pleas fall on deaf ears. Ece advises me I’ll have to bring Turkish Airlines to court to get any compensation, which I suspect will cost more time and money than the laptop is realistically worth. In a first-world way, I’m devastated – this object was a massive financial outlay for me, a really valuable tool for my work. I try to appreciate the good things – Ece and the Garda Sharon have done their absolute best to help me, my pal Jerry has loaned me a laptop to tide me over the interim – and then I suck it up, say goodbye to the last of my savings, and buy a new computer.

I start installing the applications and files I need for my business. I subscribe to an online backup service, Backblaze, whereby every time I’m online my files are uploaded to the cloud. I’m logging in to Backblaze to recover all my files when I see a button I’ve never noticed before labelled “Locate My Computer”. I catch a breath. Not even daring to hope, I click on it… and it tells me that Backblaze keeps a record of my computer’s location every time it’s online, and can give me the IP address my laptop has been using to get online. The records show my laptop has been online since the theft!! Not only that, but Backblaze has continued to back up files, so I can see all files the thief has created on my computer. My laptop has last been online in, of all the places, Thailand. And when I look at the new files saved on my computer, I find Word documents about solar power. It all clicks. It was the plane passenger beside me who had stolen my laptop, and he is so clueless he’s continued to use it under my login, not realizing this makes him trackable every time he connects to the internet.

I keep the “Locate My Computer” function turned on, so I’m consistently monitoring the thief’s whereabouts, and start the chapter of my life titled “The Sleep Deprivation and The Phonebill”. I try ringing the police service in Thailand (GMT +7 hours) multiple times. To say this is ineffective is an understatement; the language barrier is insurmountable. I contact the Irish embassy in Bangkok – oh, wait, that doesn’t exist. I try a consulate, who is lovely but has very limited powers, and while waiting for them to get back to me I email two Malaysian buddies asking them if they know anyone who can help me navigate the language barrier. I’m just put in touch with this lovely pal-of-a-pal called Tupps who’s going to help me when… I check Backblaze and find out that my laptop had started going online in East Timor. Bye bye, Thailand.

I’m so wrecked trying to communicate with the Thai bureaucracy I decide to play the waiting game for a while. I suspect East Timor will be even more of an international diplomacy challenge, so let’s see if the thief is going to stay there for a while before I attempt a move, right? I check Backblaze around once a week for a month, but then the thief stops all activity – I’m worried. I think he’s realized I can track him and has stopped using my login, or has just thrown the laptop away. Reason kicks in, and I begin to talk myself into stopping my crazy international stalking project. But then, when I least expect it, I strike informational GOLD. In December, the thief checks in for a flight from Bali to Perth and saves his online check-in to the computer desktop. I get his name, address, phone number, and email address, plus flight number and flight time and date.

I have numerous fantasies about my next move. How about I ring up the police in Australia, they immediately believe my story and do my every bidding, and then the thief is met at Arrivals by the police, put into handcuffs and marched immediately to jail? Or maybe I should somehow use the media to tell the truth about this guy’s behaviour and give him a good dose of public humiliation? Should I try my own version of restorative justice, contact the thief directly and appeal to his better nature? Or, the most tempting of all, should I get my Australian-dwelling cousin to call on him and bash his face in? … This last option, to be honest, is the outcome I want the most, but Emmett’s actually on the other side of the Australian continent, so it’s a big ask, not to mention the ever-so-slightly scary consequences for both Emmett and myself if we’re convicted… ! (And, my conscience cries weakly from the depths, it’s just the teensiest bit immoral.) Christmas is nuts, and I’m just so torn and ignorant about course of action to take I … do nothing.

One morning in the grey light of early February I finally decide what to do. Although it’s the longest shot in the history of long shots, I will ring the Australian police force about a laptop belonging to a girl from the other side of the world, which was stolen in airspace, in yet another country in the world. I use Google to figure out the nearest Australian police station to the thief’s address. I set my alarm for 4am Irish time, I ring Rockhampton Station, Queensland, and explain the situation to a lovely lady called Danielle. Danielle is very kind and understanding but, unsurprisingly, doesn’t hold out much hope that they can do anything. I’m not Australian, the crime didn’t happen in Australia, there’s questions of jurisdiction, etc. etc. I follow up, out of sheer irrational compulsion rather than with the real hope of an answer, with an email 6 weeks later. There’s no response. I finally admit to myself the laptop is gone. Ever since he’s gone to Australia the thief has copped on and stopped using my login, anyway. I unsubscribe my stolen laptop from Backblaze and try to console myself with the thought that at least I did my best.

And then, completely out of the blue, on May 28th 2014, I get an email from a Senior Constable called Kain Brown. Kain tells me that he has executed a search warrant at a residence in Rockhampton and has my laptop!! He has found it!!! I am stunned. He quickly gets to brass tacks and explains my two options: I can press charges, but it’s extremely unlikely to result in a conviction, and even if it did, the thief would probably only be charged with a $200 fine – and in this situation, it could take years to get my laptop back. If I don’t press charges, the laptop will be kept for 3 months as unclaimed property, and then returned to me. It’s a no-brainer; I decide not to press charges. I wait, and wait, and three months later, on the 22nd September 2014, I get an email from Kain telling me that he can finally release the laptop to me.

Naively, I think my tale is at the “Happy Ever After” stage. I dance a jig around the kitchen table, and read my subsequent email from a “Property Officer” of Rockhampton Station, John Broszat. He has researched how to send the laptop back to me … and my jig is suddenly halted. My particular model of laptop has a lithium battery built into the casing which can only be removed by an expert, and it’s illegal to transport a lithium battery by air freight. So the only option for getting the laptop back, whole and functioning, is via “Sea Mail” – which takes three to four months to get to Ireland. This blows my mind. I can’t quite believe that in this day and age, we can send people to space, a media file across the world in an instant, but that transporting a physical object from one side of the globe to another still takes … a third of a year! It’s been almost a year and a half since my laptop was stolen. I shudder to think of what will happen on its final journey via Sea Mail – knowing my luck, the ship will probably be blown off course and it’ll arrive in the Bahamas.

Fortunately, John is empathetic, and willing to think outside the box. Do I know anyone who will be travelling from Australia to Ireland via plane who would take my laptop in their hand luggage? Well, there’s one tiny silver lining to the recession: half of Craughwell village has a child living in Australia. I ask around on Facebook and find out that my neighbour’s daughter is living in Australia and coming home for Christmas. John Broszat is wonderfully cooperative and mails my laptop to Maroubra Police Station for collection by the gorgeous Laura Gibbons. Laura collects it and brings it home in her flight hand luggage, and finally, FINALLY, on the 23rd of December 2014, 19 months after it’s been stolen, I get my hands on my precious laptop again.

I gingerly take the laptop out of the fashionable paper carrier bag in which Laura has transported it. I set the laptop on the table, and examine it. The casing is slightly more dented than it was, but except for that it’s in one piece. Hoping against hope, I open up the screen, press the ‘on’ button and… the lights flash and the computer turns on!!! The casing is dented, there’s a couple of insalubrious pictures on the hard drive I won’t mention, but it has been dragged from Turkey to Thailand to East Timor to Indonesia to Australia, and IT STILL WORKS. It even still has the original charger accompanying it. Still in shock that this machine is on, I begin to go through the hard drive. Of course, it’s radically different – the thief has deleted all my files, changed the display picture, downloaded his own files and applications. I’m curious: What sort of person steals other people’s laptops? How do they think, organize their lives, what’s going through their minds? I’ve seen most of the thief’s files before from stalking him via the Backblaze back-up service, and they’re not particularly interesting or informative about the guy on a personal level. But then I see a file I haven’t seen before, “free ebook.pdf”. I click on it, and it opens. I shake my head in disbelief. The one new file that the thief has downloaded onto my computer is the book “How To Win Friends And Influence People”.

A few weeks later, a new friend and I kiss for the first time. He’s a graphic designer from London. Five months later, he moves over to Ireland to be with me. We’re talking about what stuff he needs to bring when he’s moving and he says “I’m really worried; my desktop computer is huge. I mean, I have no idea how I’m going to bring it over.” Smiling, I say “I have a spare laptop that might suit you…”

[Editor: The moral of the story is make sure your data is backed up before you go on vacation.]

The post How Una Got Her Stolen Laptop Back appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

EC2 Run Command Update – Hybrid and Cross-Cloud Management

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/ec2-run-command-update-hybrid-and-cross-cloud-management/

We launched EC2 Run Command late last year (read my post, New EC2 Run Command – Remote Instance Management at Scale to learn more). This feature was designed to allow developers, system administrators, and other IT professionals to easily and efficiently manage multiple EC2 instances running Windows or Linux. As I explained in my original post, you can simply choose the desired command, select the desired instances by attributes, tags, or keywords, and then run the command on the selected instances. EC2 Run Command provides access to the output of the command and also retains a log so that you can see which commands were run on which instances. Last month we made EC2 Run Command even more useful by giving you the ability to create, manage, and share command documents with your colleagues or with all AWS users.

Our customers have taken a liking to EC2 Run Command and are making great use of it. Here are a few of the use cases that have been shared with us:

  • Create local users and groups.
  • Scan for missing Windows updates and install them.
  • Install all applicable Windows updates.
  • Manage (start, stop, restart) services.
  • Install packages and applications.
  • Access local log files.

Hybrid and Cross-Cloud Management
Many AWS customers also have some servers on-premises or on another cloud, and have been looking for a single, unified way to manage their hybrid environment at scale. In order to address this very common use case, we are now opening up Run Command to servers running outside of EC2.

We call these external servers Managed Instances. You can install the AWS SSM Agent on your external servers, activate the agent on each server, and then use your existing commands and command documents to manage them (you can also create new documents, of course).

The agent runs on the following operating systems:

  • Windows Server (32 and 64 bit) – 2003-2012, including R2 versions (more info).
  • Linux (64 bit) – Red Hat Enterprise Linux 7.1+, CentOS 7.1+ (more info).

If you run a virtualized environment using VMware ESXi, Microsoft Hyper-V, KVM or another hypervisor, you can install the agent on the guest operating system(s) as desired.

For simplicity, the agent needs nothing more than the ability to make HTTPS requests to the SSM endpoint in your desired region. These requests can be direct, or can be routed through a proxy or a gateway, as dictated by your network configuration. When the agent makes a request to AWS, it uses an IAM role to access the SSM API. You’ll set up this role when you activate your first set of servers.

The agent sends some identifying information to AWS. This information includes the fully qualified host name, the platform name and version, the agent version, and the server’s IP address. All of these values are stored securely within AWS, and will be deleted if you choose to unregister the server at some point in the future.

Setting up Managed Instances
The setup process is simple and you should be up and running pretty quickly. Here are the steps:

  1. Open up the EC2 Console, locate the Commands section, and click on Activations to create your first activation code. As part of this process the Console will prompt you to create the IAM role that I described above:
  2. Enter a description for the activation, choose a limit (you can activate up to 1000 servers at a time), set an expiration date, and assign a name that will help you to track the Managed Instances in the Console, then click on Create Activation:
  3. Capture the Activation Code and the Activation ID:
  4. Install the SSM Agent on the desired servers, and configure it using the values that you saved in the previous step. You simply download the agent, install it, and then enter the values, as detailed in the installation instructions.
  5. Return to the console and click on Managed Instances to verify that everything is working as expected:
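The console steps above have a command-line equivalent. The script below is an added example, not code from the post or from AWS: it assumes the `aws` CLI and the SSM agent are installed, uses placeholder values for the region, the IAM role from step 1 and the activation code and ID from step 3, and, because it is meant to be read rather than run against a live account, prints each command when DRY_RUN=1 (the default here) instead of executing it. It enforces the 1000-server limit per activation that the post states and refuses an instance id that is not a managed instance (`mi-…`) before calling send-command. Windows servers register through the agent's PowerShell installer rather than the Linux command shown.

```shell
#!/bin/sh
# Added example: CLI equivalent of the Managed Instances setup described above.
# All values below are placeholders; none come from a real account.
REGION="${REGION:-us-east-1}"
SSM_ROLE="${SSM_ROLE:-SSMServiceRole}"   # placeholder: the IAM role created in step 1
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the command, 0 = execute it

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 2: create an activation. A single activation covers at most 1000
# servers, so reject anything outside 1..1000 before talking to AWS.
create_activation() {
    description="$1"; limit="$2"; expires="$3"; name="$4"
    case "$limit" in
        ''|*[!0-9]*) echo "limit must be a number" >&2; return 1 ;;
    esac
    if [ "$limit" -lt 1 ] || [ "$limit" -gt 1000 ]; then
        echo "limit must be between 1 and 1000" >&2; return 1
    fi
    run aws ssm create-activation \
        --region "$REGION" \
        --description "$description" \
        --iam-role "$SSM_ROLE" \
        --registration-limit "$limit" \
        --expiration-date "$expires" \
        --default-instance-name "$name"
}

# Step 4 (Linux, as root): register the agent on an external server with the
# activation code and ID captured in step 3.
register_agent() {
    code="$1"; id="$2"
    run amazon-ssm-agent -register -code "$code" -id "$id" -region "$REGION"
}

# Run a shell command document against one managed instance. Managed
# instance ids start with "mi-", unlike EC2 ids ("i-"); refuse anything else.
send_to_managed_instance() {
    instance_id="$1"; shell_cmd="$2"
    case "$instance_id" in
        mi-*) ;;
        *) echo "expected a managed instance id (mi-...)" >&2; return 1 ;;
    esac
    run aws ssm send-command \
        --region "$REGION" \
        --instance-ids "$instance_id" \
        --document-name "AWS-RunShellScript" \
        --parameters "commands=[\"$shell_cmd\"]"
}

# Usage with constructed placeholder values (printed, not executed, by default):
create_activation "datacenter-west" 50 "2016-12-31T00:00:00Z" "dc-west"
register_agent "EXAMPLE-ACTIVATION-CODE" "EXAMPLE-ACTIVATION-ID"
send_to_managed_instance "mi-0123456789abcdef0" "uptime"
```

Set DRY_RUN=0 and real values to execute the calls; the agent registration must run on the external server itself, the other two from wherever the CLI is configured with credentials for the account.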

Running Commands on Managed Instances
Now that your instances are managed by AWS, you can run commands on them just as you do on EC2 instances. The status of the commands, along with their output, is available from the Console.

To learn more, read Manage Amazon EC2 Instances Remotely.

Available Now
This feature is available now and you can start using it today in all AWS Regions where Run Command is available (see the Run Command page for details). I am looking forward to hearing how you have put it to use in your environment; leave me a comment and let me know how it works out for you!


Jeff;


The Most Viewed AWS Security Blog Posts so Far in 2016

Post Syndicated from Craig Liebendorfer original https://blogs.aws.amazon.com/security/post/Tx2N52FR8XGJVL3/The-Most-Viewed-AWS-Security-Blog-Posts-so-Far-in-2016

The following 10 posts are the most viewed AWS Security Blog posts that we published during the first six months of this year. You can use this list as a guide to catch up on your blog reading or even read a post again that you found particularly useful.

  1. How to Set Up DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and Amazon Route 53
  2. How to Configure Rate-Based Blacklisting with AWS WAF and AWS Lambda
  3. Announcing Industry Best Practices for Securing AWS Resources
  4. How to Use the New AWS Encryption SDK to Simplify Data Encryption and Improve Application Availability
  5. Adhere to IAM Best Practices in 2016
  6. How to Use AWS WAF to Block IP Addresses That Generate Bad Requests
  7. How to Optimize and Visualize Your Security Groups
  8. How to Set Up DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and Microsoft Active Directory
  9. How to Reduce Security Threats and Operating Costs Using AWS WAF and Amazon CloudFront
  10. How to Add DNS Filtering to Your NAT Instance with Squid

And the following 10 posts published since the blog’s inception in April 2013 were the most viewed AWS Security Blog posts in the first half of this year.

  1. Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket
  2. Securely connect to Linux instances running in a private Amazon VPC
  3. A New and Standardized Way to Manage Credentials in the AWS SDKs
  4. Where’s My Secret Access Key?
  5. Enabling Federation to AWS Using Windows Active Directory, ADFS, and SAML 2.0
  6. IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources)
  7. How to Connect Your On-Premises Active Directory to AWS Using AD Connector
  8. Writing IAM Policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket
  9. How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface
  10. Demystifying EC2 Resource-Level Permissions

Let us know in the comments section below if there is a specific security or compliance topic you would like us to cover on the Security Blog in the remainder of 2016. 

– Craig

Judge Dismisses Movie Piracy Case, IP-Address Doesn’t Prove Anything

Post Syndicated from Ernesto original https://torrentfreak.com/judge-dismisses-movie-piracy-case-ip-address-doesnt-prove-anything-160627/

For more than half a decade so-called “copyright trolling” cases have been keeping the U.S. judicial system busy.

While new cases are still filed every week, there are signs that some judges are growing tired of the practice, and are increasingly skeptical about the claims made by copyright holders.

In the Oregon District Court, Magistrate Judge Stacie Beckerman recently recommended dismissal of a complaint filed by the makers of the Adam Sandler movie The Cobbler.

According to the Judge, neither the direct nor the indirect infringement claim was sufficient for the case to continue. What’s unique in this case is that the direct infringement claims were dismissed sua sponte, which hasn’t happened before.

To prove direct infringement copyright holders merely have to make it “plausible” that a defendant, Thomas Gonzales in this case, is indeed the copyright infringer.

This is traditionally done by pointing out that the IP-address is directly linked to the defendant’s Internet connection, for example. However, according to Judge Beckerman this is not enough.

“The only facts Plaintiff pleads in support of its allegation that Gonzales is the infringer, is that he is the subscriber of the IP address used to download or distribute the movie, and that he was sent notices of infringing activity to which he did not respond. That is not enough,” she writes in her recommendation.

“Plaintiff has not alleged any specific facts tying Gonzales to the infringing conduct. While it is possible that the subscriber is also the person who downloaded the movie, it is also possible that a family member, a resident of the household, or an unknown person engaged in the infringing conduct.”

That an outsider could be the pirate is not unlikely. The defendant operates an adult foster care home where several people had access to the Internet. The filmmakers were aware of this and during a hearing their counsel admitted that any guest could have downloaded the film.

To gather more information, the filmmakers were allowed to depose Gonzales, but this didn’t result in any additional evidence. Nevertheless, they amended the complaint to name Gonzales as the defendant, which is not correct according to Judge Beckerman.

“Based on the facts alleged in the First Amended Complaint, Gonzales is but one of many possible infringers, and Plaintiff’s allegation that Gonzales is the infringer is just a guess.”

“’Plausible’ does not mean certain, but it does mean ‘likely,’ and Plaintiff has not pled sufficient facts to support its allegation that Gonzales is the likely infringer here. Accordingly, the district judge should dismiss Plaintiff’s claim for copyright infringement.”

The filmmakers also tried to hold Gonzales accountable for the infringements of others through his connection, but the Judge concluded that a claim of indirect copyright infringement doesn’t hold up here either.

In March, Beckerman recommended dismissing the claims for both direct and indirect copyright infringement, a conclusion District Court Judge Anna Brown adopted earlier this month.

“This Court agrees with the Magistrate Judge that Plaintiff has failed to allege sufficient facts to state a plausible claim ‘tending to exclude the possibility that an alternative explanation is true’,” she concludes.

While not all judges across the country may come to the same conclusion, the ruling offers hope for defendants who are in a similar position. Suing alleged BitTorrent pirates is still an option but increasingly judges demand additional proof.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Studios & ISPs Clash Over Aussie Pirate Bay Blockade

Post Syndicated from Andy original https://torrentfreak.com/studios-isps-clash-over-aussie-pirate-bay-blockade-160624/

After new legislation was passed last year, the first site-blocking cases were filed in Federal Court during the early part of 2016.

Two major industry players are putting the legislation to the test, with Roadshow Films (the movie division of Village Roadshow) and TV giant Foxtel both seeking to have several pirate sites blocked at the ISP level.

Foxtel wants to render The Pirate Bay, Torrentz, isoHunt and TorrentHound inaccessible in Australia. Roadshow is targeting streaming portal Solarmovie.

After a hearing in March, entertainment companies and local ISPs appeared in court again this week to thrash out the details. The ISPs aren’t putting up a fight against blocking per se, but there are still many practical issues to be agreed.

Section 115a of the Copyright Act states that ISPs can be forced to block an overseas “online location” if its purpose is to infringe copyright. To future-proof the law against new technologies, the term “online location” is intentionally broad. No surprise then that rightsholders argued this week that it encompasses blocking more than just IP addresses and URLs.

“[It’s] a broader shorthand reference for the idea that those responsible for the publication of the digital content at the website accessible by various URLs and IP addresses are within the broader definition of online location,” said Foxtel and Roadshow counsel Richard Lancaster.

What rightsholders are striving for is a situation similar to the one in the UK, where sites such as The Pirate Bay and KickassTorrents are blocked but proxies and other workarounds can be easily added to existing injunctions. To date, rightsholders and ISPs have been unable to reach agreement on how such a mechanism can be implemented in Australia.

Today, there was further legal argument, and not unexpectedly the ISPs are at odds with several of the studios’ demands.

To cut down on costs, rightsholders want the ability to swiftly add mirrors and proxies to existing blocking orders after formally advising ISPs. They say this will streamline the process and ensure that new blocks are put in place within 15 days.

However, ISPs Telstra, Optus, TPG and M2 say that rightsholders should have to obtain new court orders for each “workaround” site that appears.

Counsel for Telstra said that taking the official route would not entail much more work than informally filing a request with ISPs. According to an ITNews report, the rightsholders disagreed.

“This is a known problem in the real world. It will be a problem that arises in the implementation of your honor’s orders,” Richard Lancaster said.

“And we’re concerned – given this is the first [blocking] case – that a procedure be adopted that will not create a real administrative burden for the future in having to do something unnecessary and elaborate such as the [ISPs] suggest.”

Arguing the case for a simplified process, Lancaster said that in the unlikely event of a problem while executing an informal website block, any issues could quickly be presented to the court for resolution.

“It’s not a proportionate response to the likelihood that these secondary [proxy and mirror] sites will be popping up for the copyright owners to be required to brief lawyers, pay them to prepare an affidavit, file it and serve it and so on. An out of court notification is sufficient by way of technical notice and practical operation.”

While the sides continue to butt heads over the mechanics of blocking, the not insignificant matter of who will pay also persists. Predictably, rightsholders feel that ISPs should foot the bill. ISPs think otherwise.

Arguing that ISPs are “successful and wealthy organizations,” Lancaster said that the costs of blocking are both minimal and “comfortable” for them to bear. And if ISPs are paying, that will provide them with an incentive to keep costs down.

“In England the rights holders don’t have to pay for implementation because it’s regarded as being part of the business of carrying out the business of an ISP,” Lancaster said.

“The [rights holders] can’t control the cost of implementation. If the [ISPs] bear the cost, that will encourage the most efficient and cost effective way of blocking. It’s appropriate that if the law requires that illegal or infringing content be blocked or stopped, and that requires some action on the part of [ISPs], they should bear those costs.”

And the rightsholders aren’t stopping there. Not only do they want ISPs to cover the costs of blocking, they want them to foot all of the legal bills too.

“They’re the ones that turned it into a contested hearing, putting on evidence and rounds of hearings,” Lancaster told the court.

The hearings continue.


Dallas Buyers Club Face Court Sanctions Over Piracy “Extortion” Tactics

Post Syndicated from Ernesto original https://torrentfreak.com/dallas-buyers-clubs-piracy-extortion-tactics-face-court-sanctions-160622/

The makers of Dallas Buyers Club have sued thousands of BitTorrent users over the past few years.

Many of these cases end up being settled for an undisclosed amount. This usually happens after the filmmakers obtain the identity of the Internet account holder believed to have pirated the movie.

Not all alleged downloaders are eager to pay up though. In fact, many don’t respond to the settlement letters they receive or claim that someone else must have downloaded the film using their connection.

This is also true for the case Dallas Buyers Club (DBC) filed against California resident Michael Amhari.

Earlier this year the filmmakers claimed that Amhari downloaded a pirated copy of the movie after he was linked to a “pirating” IP-address. Dallas Buyers Club’s attorney demanded a settlement of $10,000 and warned that “the price would go up” if he didn’t pay up soon enough.

Amhari, however, denied the allegations and explained that he lived in an apartment residence at San Diego State University with an open Wi-Fi connection. Nevertheless, the movie studio pursued its claim and increased the settlement demand to $14,000.

He continued to deny any involvement and even agreed to take a polygraph test to prove it, as DBC suggested. However, the filmmakers later retracted this offer and moved for a default judgment instead.

This judgment was set aside earlier this month and now the alleged “pirate” is pushing back in court.

Through his lawyer, Amhari is now asking for the case to be dismissed due to lack of evidence, as well as an award of attorney fees and monetary sanctions for DBC’s abuse tactics in these and other cases.

“Plaintiff has utilized extortion tactics by progressively demanding more money from defendant on each successive conversation with defense counsel and through emails, based on plaintiff’s costs and attorney fees,” attorney Clay Renick writes.

In his argument (pdf), Renick cites DBC’s own words, as they previously admitted that “Ahmari may not be the actual infringer as he shared a student apartment with other individuals.”

Despite this knowledge, they continued their case against Amhari.

“Despite the warning from the Court, Plaintiff moved forward to aggressively and maliciously name defendant in a manner that constitutes libel against defendant,” Amhari’s attorney writes.

As a result of the allegations, the accused pirate had to spend thousands of dollars on legal fees. According to the defense lawyer, however, it is clear that DBC doesn’t have any evidence linking his client to the actual download.

“It is uncontroverted that the sole basis of plaintiff’s lawsuit was that defendant was a subscriber to the IP address of which a movie was supposedly downloaded,” Renick writes.

“Plaintiff seems to believe that conflating a subscriber’s IP address to being the actual infringer should shield him from liability for those libelous statements and unethical actions to extort money from defendant,” the attorney adds.

Based on the lack of evidence, Amhari is asking the court to dismiss the case. In addition, he is requesting $12,000 in attorney fees and a monetary penalty of $36,000 for the coercive tactics used in this and other cases.


Fraudsters are Buying IPv4 Addresses

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/06/fraudsters_are_.html

IPv4 addresses are valuable, so criminals are figuring out how to buy or steal them.

Hence criminals’ interest in ways to land themselves IP addresses, some of which were detailed this week by ARIN’s senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators Group’s NANOG 67 conference.

Nobile explained that criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. ARIN has 30,556 legacy network records, she said, but a validated point of contact for only 54 per cent of those networks. The remaining ~14,000 networks are ripe for targeting by hijackers who Nobile said are only interested in establishing legitimacy with ARIN so they can find a buyer for unused IPv4 addresses possessed by dormant legacy networks.

Criminals do so by finding dormant ARIN records and Whois data to see if there is a valid contact, then ascertaining if IPv4 allocations are currently routed. If the assigned addresses are dark and no active administrator exists, hijackers can revive dormant domain names or even re-register the names of defunct companies in order to establish a position as legitimate administrators of an address space. If all goes well, the hijackers end up with addresses to sell.

Video presentation here.

I’ve bought some more awful IoT stuff

Post Syndicated from Matthew Garrett original http://mjg59.dreamwidth.org/43486.html

I bought some awful WiFi lightbulbs a few months ago. The short version: they introduced terrible vulnerabilities on your network, they violated the GPL and they were also just bad at being lightbulbs. Since then I’ve bought some other Internet of Things devices, and since people seem to have a bizarre level of fascination with figuring out just what kind of fractal of poor design choices these things frequently embody, I thought I’d oblige.

Today we’re going to be talking about the KanKun SP3, a plug that’s been around for a while. The idea here is pretty simple – there’s lots of devices that you’d like to be able to turn on and off in a programmatic way, and rather than rewiring them the simplest thing to do is just to insert a control device in between the wall and the device and now you can turn your foot bath on and off from your phone. Most vendors go further and also allow you to program timers and even provide some sort of remote tunneling protocol so you can turn off your lights from the comfort of somebody else’s home.

The KanKun has all of these features and a bunch more, although when I say “features” I kind of mean the opposite. I plugged mine in and followed the install instructions. As is pretty typical, this took the form of the plug bringing up its own Wifi access point, the app on the phone connecting to it and sending configuration data, and the plug then using that data to join your network. Except it didn’t work. I connected to the plug’s network, gave it my SSID and password and waited. Nothing happened. No useful diagnostic data. Eventually I plugged my phone into my laptop and ran adb logcat, and the Android debug logs told me that the app was trying to modify a network that it hadn’t created. Apparently this isn’t permitted as of Android 6, but the app was handling this denial by just trying again. I deleted the network from the system settings, restarted the app, and this time the app created the network record and could modify it. It still didn’t work, but that’s because it let me give it a 5GHz network and it only has a 2.4GHz radio, so one reset later and I finally had it online.

The first thing I normally do to one of these things is run nmap with the -O argument, which gives you an indication of what OS it’s running. I didn’t really need to in this case, because if I just telnetted to port 22 I got a dropbear ssh banner. Googling turned up the root password (“p9z34c”) and I was logged into a lightly hacked (and fairly obsolete) OpenWRT environment.

It turns out that there’s a whole community of people playing with these plugs, and it’s common for people to install CGI scripts on them so they can turn them on and off via an API. At first this sounds somewhat confusing, because if the phone app can control the plug then there clearly is some kind of API, right? Well ha yeah ok that’s a great question and oh good lord do things start getting bad quickly at this point.

I’d grabbed the apk for the app and a copy of jadx, an incredibly useful piece of code that’s surprisingly good at turning compiled Android apps into something resembling Java source. I dug through that for a while before figuring out that before packets were being sent, they were being handed off to some sort of encryption code. I couldn’t find that in the app, but there was a native ARM library shipped with it. Running strings on that showed functions with names matching the calls in the Java code, so that made sense. There were also references to AES, which explained why when I ran tcpdump I only saw bizarre garbage packets.

But what was surprising was that most of these packets were substantially similar. There were a load that were identical other than a 16-byte chunk in the middle. That plus the fact that every payload length was a multiple of 16 bytes strongly indicated that AES was being used in ECB mode. In ECB mode each plaintext is split up into 16-byte chunks and encrypted with the same key. The same plaintext will always result in the same encrypted output. This implied that the packets were substantially similar and that the encryption key was static.
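The repeated-block observation above is the standard way to recognise ECB from captured traffic alone, and it is worth seeing the check in code. The following is an added example, written for this page and not taken from the post or from the github tools it mentions. It builds a few constructed packets in roughly the shape described later (a prefix, a MAC address, a password and a short command), "encrypts" them with a keyed-hash stand-in for a 16-byte block cipher (not AES; the standard library has none, and only the same-input-same-output property matters here), and runs the two checks from the paragraph: every length a multiple of 16, and identical blocks at the same offsets across packets. For contrast it runs the same checks on a CBC-style construction with a fresh IV per packet, where the shared blocks disappear. The packet format, key and MAC address are all made up.

```python
"""Added example: recognising ECB mode from packet captures by the
repeated-block pattern described in the post. Standard library only."""
import hashlib
import os

BLOCK = 16
KEY = b"constructed-demo-key"  # constructed; not the plug's key


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for a 16-byte block cipher: deterministic for (key, block),
    # which is the only property the ECB pattern depends on. Not AES.
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    # PKCS#7-style padding up to a multiple of the block size; this is why
    # every ciphertext length in the capture was a multiple of 16.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block encrypted independently with the same key.
    data = pad(plaintext)
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    # CBC: each block XORed with the previous ciphertext block (IV first), so
    # identical plaintext blocks no longer give identical ciphertext blocks.
    data = pad(plaintext)
    out, prev = [iv], iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out.append(prev)
    return b"".join(out)


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_indicators(packets: list) -> dict:
    """The two checks from the post: lengths all multiples of 16, and a high
    share of identical 16-byte blocks at the same offset across packets."""
    all_multiple = all(len(p) % BLOCK == 0 for p in packets)
    shared = compared = 0
    for i in range(len(packets)):
        for j in range(i + 1, len(packets)):
            for x, y in zip(blocks(packets[i]), blocks(packets[j])):
                compared += 1
                shared += (x == y)
    ratio = shared / compared if compared else 0.0
    return {"lengths_multiple_of_16": all_multiple,
            "shared_block_ratio": ratio,
            "likely_ecb": all_multiple and ratio > 0.5}


def sample_plaintexts() -> list:
    # Constructed packets: same prefix, MAC and password, different command.
    mac = b"00:11:22:33:44:55"   # constructed
    password = b"nopassword"     # constructed
    return [b"lan%" + mac + b"%" + password + b"%" + cmd
            for cmd in (b"open", b"close", b"check")]


def demo() -> tuple:
    pts = sample_plaintexts()
    ecb_packets = [ecb_encrypt(KEY, p) for p in pts]
    cbc_packets = [cbc_encrypt(KEY, p, os.urandom(BLOCK)) for p in pts]
    return ecb_indicators(ecb_packets), ecb_indicators(cbc_packets)


if __name__ == "__main__":
    ecb_res, cbc_res = demo()
    print("ECB capture:", ecb_res)   # first two blocks identical in every packet
    print("CBC capture:", cbc_res)   # no shared blocks, despite the same plaintext
```

In the constructed packets the first 32 bytes (prefix, MAC, password) are identical, so under ECB two of every three blocks match across packets and the ratio lands at 2/3; under CBC the only matching blocks would be a chance IV collision. Run over a real capture of your own device, the same function is a quick way to tell whether a vendor's "encrypted" protocol is leaking structure.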

Some more digging showed that someone had figured out the encryption key last year, and that someone else had written some tools to control the plug without needing to modify it. The protocol is basically ascii and consists mostly of the MAC address of the target device, a password and a command. This is then encrypted and sent to the device’s IP address. The device then sends a challenge packet containing a random number. The app has to decrypt this, obtain the random number, create a response, encrypt that and send it before the command takes effect. This avoids the most obvious weakness around using ECB – since the same plaintext always encrypts to the same ciphertext, you could just watch encrypted packets go past and replay them to get the same effect, even if you didn’t have the encryption key. Using a random number in a challenge forces you to prove that you actually have the key.

At least, it would do if the numbers were actually random. It turns out that the plug is just calling rand(). Further, it turns out that it never calls srand(). This means that the plug will always generate the same sequence of challenges after a reboot, which means you can still carry out replay attacks if you can reboot the plug. Strong work.

But there was still the question of how the remote control works, since the code on github only worked locally. tcpdumping the traffic from the server and trying to decrypt it in the same way as local packets worked fine, and showed that the only difference was that the packet started “wan” rather than “lan”. The server decrypts the packet, looks at the MAC address, re-encrypts it and sends it over the tunnel to the plug that registered with that address.

That’s not really a great deal of authentication. The protocol permits a password, but the app doesn’t insist on it – some quick playing suggests that about 90% of these devices still use the default password. And the devices are all based on the same wifi module, so the MAC addresses are all in the same range. The process of sending status check packets to the server with every MAC address wouldn’t take that long and would tell you how many of these devices are out there. If they’re using the default password, that’s enough to have full control over them.

There are some other failings. The github repo mentioned earlier includes a script that allows arbitrary command execution – the wifi configuration information is passed to the system() command, so leaving a semicolon in the middle of it will result in your own commands being executed. Thankfully this doesn’t seem to be true of the daemon that’s listening for the remote control packets, which seems to restrict its use of system() to data entirely under its control. But even if you change the default root password, anyone on your local network can get root on the plug. So that’s a thing. It also downloads firmware updates over http and doesn’t appear to check signatures on them, so there’s the potential for MITM attacks on the plug itself. The remote control server is on AWS unless your timezone is GMT+8, in which case it’s in China. Sorry, Western Australia.

It’s running Linux and includes Busybox and dnsmasq, so plenty of GPLed code. I emailed the manufacturer asking for a copy and got told that they wouldn’t give it to me, which is unsurprising but still disappointing.

The use of AES is still somewhat confusing, given the relatively small amount of security it provides. One thing I’ve wondered is whether it’s not actually intended to provide security at all. The remote servers need to accept connections from anywhere and funnel decent amounts of traffic around from phones to switches. If that weren’t restricted in any way, competitors would be able to use existing servers rather than setting up their own. Using AES at least provides a minor obstacle that might encourage them to set up their own server.

Overall: the hardware seems fine, the software is shoddy and the security is terrible. If you have one of these, set a strong password. There’s no rate-limiting on the server, so a weak password will be broken pretty quickly. It’s also infringing my copyright, so I’d recommend against it on that point alone.


Copyright Trolls Slammed in UK House of Lords

Post Syndicated from Andy original https://torrentfreak.com/copyright-trolls-slammed-in-uk-house-of-lords-160616/

The Intellectual Property (Unjustified Threats) Bill was introduced in the House of Lords during May 2016.

Among other things, the draft legislation (pdf) aims to protect companies and individuals from threats of expensive IP litigation where no infringement has taken place.

While aimed largely at patents, trademarks and other design rights, during a Lords Grand Committee hearing yesterday the hot topic of unfounded threats against Internet users was thrust onto the agenda. Lord Lucas, who previously tackled the infamous ACS:Law, was again at the forefront.

“The world is full of people who like to play a junior game of what this bill addresses. A few years ago I had a small role in the demise of ACS Solicitors which were thankfully sacked by the law society,” Lord Lucas began.

“They were shaking down Internet users for allegedly infringing copyright on pornography and other low grade media. Their evidence was extremely suspect and was never tested in court. ACS made its money from their threats and never took anyone to court, though it used the courts to target its victims via Norwich Pharmacal Orders.”

But while ACS:Law is well and truly dead, others in the UK have now resumed shaking down Internet account holders with the aim of securing fast cash settlements. From his speech yesterday it’s abundantly clear that Lord Lucas is unhappy at this unwelcome development.

“Some careless person has dropped blood onto the ashes of ACS and the same scam is alive again. The same thin evidence. They have an IP address, they have not revealed how they get that IP address. But, given that IP address, they go through the same Norwich Pharmacal [ISP disclosure] procedure,” he told those assembled in the Moses Room, the main venue for grand committees.

Lord Lucas in the House of Lords yesterday

As has become clear during the past few years, companies involved in so-called Speculative Invoicing in the UK have learned from ACS:Law’s mistakes. Probably quite sensibly (they tend to feel the wrath of the Solicitors Regulatory Authority) no lawyers are involved in the threats being made to Internet subscribers. This fact has not escaped Lord Lucas.

“This time, to remove the vulnerability that ACS found, the solicitor involved, Wagner and Co, withdraws after obtaining the Norwich Pharmacal Order, so they’re not involved in the threat processes which are undertaken by shell companies. There doesn’t seem to be any redress for people threatened or for ISPs who are asked to comply with Norwich Pharmacal orders,” he said.

Up until this point no live companies had been named, but there would be no escape. A well-briefed Lord Lucas covered them all and had some advice for anyone whose path they cross.

“If anybody comes across the names of Hatton and Berkeley, RangerBay, GoldenEye International, Mircom International and TCYK … I really urge them to put [their correspondence] in the bin. The current scammers aren’t pursuing anyone [in court] they’re just after threats, and extortion, and shaking people down,” he said.

“I applaud our government for helping businesses avoid unjustified threats but I would really like to know what they intend to do to help the granny [accused by TCYK recently] who is being threatened by their smaller, nastier cousins with allegations that she has been downloading illegally.”

Describing the companies above as “villains laughing at and abusing the system”, Lord Lucas called for citizens to be given the ability to respond to trolls with a “sue or desist” letter, which would render any further threats (short of court action) punishable by law.

“Wouldn’t that be a good right for citizens who are being threatened in any circumstances?” he said.

Joe Hickster, the administrator of troll-watching site ACS:Bore, welcomes Lord Lucas’ comments.

“Lord Lucas has lent legitimacy and sobriety to a cause of much concern for those in receipt of letters from the likes of Hatton & Berkeley, Goldeneye International, Ranger Bay, TCYK and Mircom,” Hickster told TF.

“This may be a real turning point in the fight against copyright trolling in the UK. With the ISPA shortlisting TCYK as ‘Internet Villain of the Year’ this week, let’s hope this intervention from Lord Lucas will embolden them to send guidance to their members, to stand up and say NO! to these trolls.”

Only time will tell how the government will react to Lord Lucas’ calls, but more than ever something needs to be done to force the UK’s copyright trolls to either put up, or shut up.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

How to Record SSH Sessions Established Through a Bastion Host

Post Syndicated from Nicolas Malaval original https://blogs.aws.amazon.com/security/post/Tx2HSURNJZPUP68/How-to-Record-SSH-Sessions-Established-Through-a-Bastion-Host

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration. For example, you can use a bastion host to mitigate the risk of allowing SSH connections from an external network to the Linux instances launched in a private subnet of your Amazon Virtual Private Cloud (VPC).

In this blog post, I will show you how to leverage a bastion host to record all SSH sessions established with Linux instances. Recording SSH sessions enables auditing and can help in your efforts to comply with regulatory requirements.

The solution architecture

In this section, I present the architecture of this solution and explain how you can configure the bastion host to record SSH sessions. Later in this post, I provide instructions about how to implement and test the solution.

Amazon VPC enables you to launch AWS resources on a virtual private network that you have defined. The bastion host runs on an Amazon EC2 instance that is typically in a public subnet of your Amazon VPC. Linux instances are in a subnet that is not publicly accessible, and they are set up with a security group that allows SSH access from the security group attached to the underlying EC2 instance running the bastion host. Bastion host users connect to the bastion host to connect to the Linux instances, as illustrated in the following diagram.

You can adapt this architecture to meet your own requirements. For example, you could have the bastion host in a separate Amazon VPC and a VPC peering connection between the two Amazon VPCs. What matters is that the bastion host remains the only source of SSH traffic to your Linux instances.

This blog post’s solution for recording SSH sessions resides on the bastion host only and requires no specific configuration of Linux instances. You configure the solution by running commands at launch as the root user on an Amazon Linux instance.

Note: It is a best practice to harden your bastion host because it is a critical point of network security. Hardening might include disabling unnecessary applications or services, tuning the network stack, and the like. I do not discuss hardening in detail in this blog post.

When a client connects to an Amazon Linux instance, the default behavior of OpenSSH, the SSH server, is to run an interactive shell. Instead, I configure OpenSSH to execute a custom script that wraps an interactive shell into a script command. By doing so, the script command records everything displayed on the terminal, including keyboard input and full-screen applications such as vim. You can replay the session from the resulting log files by using the scriptreplay command. See the step-by-step example in the “Testing the solution” section later in this blog post.

Note that I intentionally block a few SSH features because they would allow users to create a direct connection between their local computer and the Linux instances, thereby bypassing the solution.

# Create a new folder for the log files
mkdir /var/log/bastion

# Allow ec2-user only to access this folder and its content
chown ec2-user:ec2-user /var/log/bastion
chmod -R 770 /var/log/bastion
setfacl -Rdm other:0 /var/log/bastion

# Make OpenSSH execute a custom script on logins
echo -e "\nForceCommand /usr/bin/bastion/shell" >> /etc/ssh/sshd_config

# Block some SSH features that bastion host users could use to circumvent 
# the solution
awk '!/AllowTcpForwarding/' /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
awk '!/X11Forwarding/' /etc/ssh/sshd_config > temp && mv temp /etc/ssh/sshd_config
echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
echo "X11Forwarding no" >> /etc/ssh/sshd_config

mkdir /usr/bin/bastion

cat > /usr/bin/bastion/shell << 'EOF'
#!/bin/bash
# Check that the SSH client did not supply a command
if [[ -z $SSH_ORIGINAL_COMMAND ]]; then

  # The format of log files is /var/log/bastion/YYYY-MM-DD_HH-MM-SS_user
  LOG_FILE="`date --date="today" "+%Y-%m-%d_%H-%M-%S"`_`whoami`"
  LOG_DIR="/var/log/bastion/"

  # Print a welcome message
  echo ""
  echo "NOTE: This SSH session will be recorded"
  echo "AUDIT KEY: $LOG_FILE"
  echo ""

  # I suffix the log file name with a random string. I explain why 
  # later on.
  SUFFIX=`mktemp -u _XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX`

  # Wrap an interactive shell into "script" to record the SSH session
  script -qf --timing=$LOG_DIR$LOG_FILE$SUFFIX.time $LOG_DIR$LOG_FILE$SUFFIX.data --command=/bin/bash

else

  # The "script" program could be circumvented with some commands 
  # (e.g. bash, nc). Therefore, I intentionally prevent users 
  # from supplying commands.

  echo "This bastion supports interactive sessions only. Do not supply a command"
  exit 1

fi

EOF

# Make the custom script executable
chmod a+x /usr/bin/bastion/shell

# Bastion host users could overwrite and tamper with an existing log file 
# using "script" if they knew the exact file name. I take several measures 
# to obfuscate the file name:
# 1. Add a random suffix to the log file name.
# 2. Prevent bastion host users from listing the folder containing log 
# files. 
# This is done by changing the group owner of "script" and setting GID.
chown root:ec2-user /usr/bin/script
chmod g+s /usr/bin/script

# 3. Prevent bastion host users from viewing processes owned by other 
# users, because the log file name is one of the "script" 
# execution parameters.
mount -o remount,rw,hidepid=2 /proc
awk '!/proc/' /etc/fstab > temp && mv temp /etc/fstab
echo "proc /proc proc defaults,hidepid=2 0 0" >> /etc/fstab

# Restart the SSH service to apply /etc/ssh/sshd_config modifications.
service sshd restart

The preceding commands make OpenSSH execute a custom script on login, which records SSH sessions into log files stored in the folder /var/log/bastion. For durable storage, the log files are copied at a regular interval to an Amazon S3 bucket, using the aws s3 cp command, which follows.

cat > /usr/bin/bastion/sync_s3 << 'EOF'
#!/bin/bash
# Copy log files to S3 with server-side encryption enabled.
# Then, if successful, delete log files that are older than a day.
LOG_DIR="/var/log/bastion/"
aws s3 cp $LOG_DIR s3://bucket-name/logs/ --sse --region region --recursive && find $LOG_DIR* -mtime +1 -exec rm {} \;

EOF

chmod 700 /usr/bin/bastion/sync_s3
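Before relying on the configuration above it is worth verifying that the three sshd settings it appends are the ones sshd will actually apply: sshd uses the first value it meets for a keyword, and anything after a Match line only applies inside that block, so a pre-existing line or a Match block near the end of the file can silently undo the append. The following audit script is an added example, not part of the original post; the sample config files it writes are constructed, and the check assumes the usual "Keyword value" spacing rather than "Keyword=value".

```shell
#!/bin/bash
# Added example (not from the original post): check that an sshd_config
# really enforces the three settings the bastion relies on. sshd takes the
# FIRST value it meets for a keyword, and everything after a "Match" line
# belongs to that conditional block, so an earlier "AllowTcpForwarding yes"
# or a "ForceCommand" appended below a Match block silently defeats the
# wrapper even though the text is present in the file.
#
# Usage: bastion_sshd_audit /etc/ssh/sshd_config   (returns 0 when hardened)
# Assumes the usual "Keyword value" spacing, not "Keyword=value".

# Print the first effective global value of a keyword (case-insensitive,
# comments skipped, search stops at the first Match block).
effective_value() {
  awk -v key="$2" '
    tolower($1) == "match"        { exit }               # end of global section
    /^[[:space:]]*#/ || NF == 0   { next }               # comment or blank line
    tolower($1) == tolower(key)   { print $2; exit }     # first value wins
  ' "$1"
}

bastion_sshd_audit() {
  local file="$1" rc=0 key val
  val=$(effective_value "$file" ForceCommand)
  if [ "$val" != "/usr/bin/bastion/shell" ]; then
    echo "FAIL ForceCommand is '${val:-unset}', expected /usr/bin/bastion/shell"
    rc=1
  fi
  for key in AllowTcpForwarding X11Forwarding; do
    val=$(effective_value "$file" "$key" | tr 'A-Z' 'a-z')
    if [ "$val" != "no" ]; then
      echo "FAIL $key is '${val:-unset}', expected no"
      rc=1
    fi
  done
  if [ "$rc" -eq 0 ]; then echo "OK $file enforces the bastion settings"; fi
  return "$rc"
}

# Constructed sample configs (not real files) so the check runs stand-alone.
HARDENED=$(mktemp) WEAK=$(mktemp)
cat > "$HARDENED" <<'EOF'
Port 22
#ForceCommand none
ForceCommand /usr/bin/bastion/shell
AllowTcpForwarding no
X11Forwarding no
Match User backup
    PasswordAuthentication no
EOF
# Here the append landed below a Match block and an earlier "yes" comes first.
cat > "$WEAK" <<'EOF'
AllowTcpForwarding yes
X11Forwarding no
Match User backup
    PasswordAuthentication no
ForceCommand /usr/bin/bastion/shell
AllowTcpForwarding no
EOF

bastion_sshd_audit "$HARDENED"
bastion_sshd_audit "$WEAK" || echo "(the second file only looks hardened)"
```

On a live host, `sshd -T` run as root prints the effective values directly and is the authoritative check; the script above is for reviewing a config file without root or before it is installed.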

At this point, OpenSSH is configured to record SSH sessions and the log files are copied to Amazon S3. In order to determine the origin of any action performed on the Linux instances using SSH, bastion host users are provided with personal user accounts on the bastion host and they use their personal SSH key pair to log in. Each user account receives the minimum required privileges so that bastion host users are unable to disable or tamper with the solution.

To ease the management of user accounts, the SSH public key of each bastion host user is uploaded to an S3 bucket. At a regular interval, the bastion host retrieves the public keys available in this bucket. For each public key, a user account is created if it does not already exist, and the SSH public key is copied to the bastion host to allow the user to log in with this key pair. For example, if the bastion host finds a file, john.pub, in the bucket, which is John’s SSH public key, it creates a user account, john, and the public key is copied to /home/john/.ssh/authorized_keys. If an SSH public key were to be removed from the S3 bucket, the bastion host would delete the related user account. Personal user account creations and deletions are logged in /var/log/bastion/users_changelog.txt.

The following commands create a shell script for managing personal user accounts and scheduling a cron job to run the shell script every 5 minutes.

# Bastion host users should log in to the bastion host with 
# their personal SSH key pair. The public keys are stored on 
# S3 with the following naming convention: "username.pub". This 
# script retrieves the public keys, creates or deletes local user 
# accounts as needed, and copies the public key to 
# /home/username/.ssh/authorized_keys

cat > /usr/bin/bastion/sync_users << 'EOF'
#!/bin/bash
# The file will log user changes
LOG_FILE="/var/log/bastion/users_changelog.txt"

# The function returns the user name from the public key file name.
# Example: public-keys/sshuser.pub => sshuser
get_user_name () {
  echo "$1" | sed -e 's/.*\///g' | sed -e 's/\.pub//g'
}

# For each public key available in the S3 bucket
aws s3api list-objects --bucket bucket-name --prefix public-keys/ --region region --output text --query 'Contents[?Size>`0`].Key' | sed -e 'y/\t/\n/' > ~/keys_retrieved_from_s3
while read line; do
  USER_NAME="`get_user_name "$line"`"

  # Make sure the user name is alphanumeric
  if [[ "$USER_NAME" =~ ^[a-z][-a-z0-9]*$ ]]; then

    # Create a user account if it does not already exist
    cut -d: -f1 /etc/passwd | grep -qx $USER_NAME
    if [ $? -eq 1 ]; then
      /usr/sbin/adduser $USER_NAME && \
      mkdir -m 700 /home/$USER_NAME/.ssh && \
      chown $USER_NAME:$USER_NAME /home/$USER_NAME/.ssh && \
      echo "$line" >> ~/keys_installed && \
      echo "`date --date="today" "+%Y-%m-%d %H-%M-%S"`: Creating user account for $USER_NAME ($line)" >> $LOG_FILE
    fi

    # Copy the public key from S3, if a user account was created 
    # from this key
    if [ -f ~/keys_installed ]; then
      grep -qx "$line" ~/keys_installed
      if [ $? -eq 0 ]; then
        aws s3 cp s3://bucket-name/$line /home/$USER_NAME/.ssh/authorized_keys --region region
        chmod 600 /home/$USER_NAME/.ssh/authorized_keys
        chown $USER_NAME:$USER_NAME /home/$USER_NAME/.ssh/authorized_keys
      fi
    fi

  fi
done < ~/keys_retrieved_from_s3

# Remove user accounts whose public key was deleted from S3
if [ -f ~/keys_installed ]; then
  sort -uo ~/keys_installed ~/keys_installed
  sort -uo ~/keys_retrieved_from_s3 ~/keys_retrieved_from_s3
  comm -13 ~/keys_retrieved_from_s3 ~/keys_installed | sed "s/\t//g" > ~/keys_to_remove
  while read line; do
    USER_NAME="`get_user_name "$line"`"
    echo "`date --date="today" "+%Y-%m-%d %H-%M-%S"`: Removing user account for $USER_NAME ($line)" >> $LOG_FILE
    /usr/sbin/userdel -r -f $USER_NAME
  done < ~/keys_to_remove
  comm -3 ~/keys_installed ~/keys_to_remove | sed "s/\t//g" > ~/tmp && mv ~/tmp ~/keys_installed
fi

EOF

chmod 700 /usr/bin/bastion/sync_users

cat > ~/mycron << EOF
*/5 * * * * /usr/bin/bastion/sync_s3
*/5 * * * * /usr/bin/bastion/sync_users
0 0 * * * yum -y update --security
EOF
crontab ~/mycron
rm ~/mycron

Be very careful when distributing the key pair associated with the instance running the bastion host. With this key pair, someone could log in as the root or ec2-user user and damage or tamper with the solution. You might even consider launching the instance without a key pair if the operations requiring root access, such as patching, can be scripted and automated.

Also, you should restrict the permissions on the S3 bucket by using bucket or IAM policies. For example, you could make the log files readable only by a compliance team and the SSH public keys managed by a DevOps team.

Implementing the solution

Now that you understand the architecture of this solution, you can follow the instructions in this section to implement it in your AWS account.

First, you will create two new key pairs. The first key pair will be associated with the instance running the bastion host. The second key pair will be associated with an Amazon Linux instance launched in a private subnet and will be used as the SSH key pair for a bastion host user.

To manually create the two key pairs:

  1. Open the Amazon EC2 console and select a region from the navigation bar.
  2. Click Key Pairs in the left pane.
  3. Click Create Key Pair.
  4. In the Key pair name box, type bastion and click Create. Your browser downloads the private key file as bastion.pem.
  5. Repeat Steps 3 and 4 to create another key pair and name it sshuser.

You then will use AWS CloudFormation to provision the required resources. Click Create a Stack to open the CloudFormation console and create a CloudFormation stack from the template. Click Next and enter bastion in BastionKeyPair and sshuser in InstanceKeyPair. Then, follow the on-screen instructions.

CloudFormation creates the following resources:

  • An Amazon VPC with an Internet gateway attached.
  • A public subnet on this Amazon VPC with a new route table to make it publicly accessible.
  • A private subnet on this Amazon VPC that will not have access to the Internet, for the sake of simplicity.
  • An S3 bucket. The log files will be stored in a folder called logs and the SSH public keys in a folder called public-keys.
  • Two security groups. The first security group allows SSH traffic from the Internet, and the second security group allows SSH traffic from the first security group.
  • An IAM role to grant an EC2 instance permissions to upload log files to the S3 bucket and to read SSH public keys.
  • An Amazon Linux instance running the bastion host in the public subnet with the IAM role attached and the user data script entered to configure the solution.
  • An Amazon Linux instance in the private subnet.

After the stack creation has completed (it can take up to 10 minutes), click the Outputs tab in the CloudFormation console and note the values that the process returned: the name of the new S3 bucket, the public IP address of the bastion host, and the private IP address of the Linux instance.

Finally, you will upload the SSH public key for the key pair sshuser to the S3 bucket so that the bastion host creates a new user account:

  1. Retrieve the public key and save it locally to a file named sshuser.pub (see Retrieving the Public Key for Your Key Pair on Linux or Retrieving the Public Key for Your Key Pair on Windows).
  2. Open the S3 console and click the name of the bucket in the buckets list.
  3. Create a new folder called public-keys (see Creating a Folder), and upload the SSH public key sshuser.pub to this folder (see Uploading Objects into Amazon S3).
  4. Wait for a few minutes. You should see a new folder called logs in the bucket with a new file inside it that is recording events related to user account creation and deletion.

Testing the solution

You might recall that the key pair sshuser serves to log in to both the bastion host as a bastion host user and the Linux instance in the private subnet as the privileged ec2-user user. Therefore, to test this solution, you will use SSH agent forwarding to connect from the bastion host to the Linux instance without storing the private key on the bastion host. See this blog post for further information about SSH agent forwarding.

First, you will log in to the bastion host as sshuser with the -A argument to forward the SSH private key.

chmod 600 [path to sshuser.pem]
ssh-add [path to sshuser.pem]
ssh -A sshuser@[public IP of the bastion host] -i [path to sshuser.pem]

You should see a welcome message saying that the SSH session will be recorded, as shown in the following screenshot.

Write down the value of the audit key. Then, connect to the Linux instance, run some commands of your choice, and then close the SSH session.

ssh ec2-user@[private IP of the Linux instance]
[commands of your choice that will be recorded]
exit
exit

You will now replay the SSH session that was just recorded. Each session has two log files: one file contains the data displayed on the terminal, and the other contains the timing data that enables replay with realistic typing and output delays. For simplicity, you will connect as ec2-user to the bastion host and replay from the local copy of log files. 

Note: Under normal circumstances, you would not replay an SSH session on the bastion host, for two reasons. First, recall that you should strictly avoid using the privileged user account, ec2-user. Second, the bastion host does not have read permissions on the folder logs in the S3 bucket, and the log files that are older than a day are deleted from the bastion host. Instead, you would use another Linux instance with sufficient permissions on the S3 bucket to download and replay the log files.

ssh ec2-user@[public IP of the bastion host] -i [path to bastion.pem]
export LOGFILE=`ls /var/log/bastion/[audit key]*.data | cut -d. -f1`
scriptreplay --timing=$LOGFILE.time $LOGFILE.data
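Replaying every session is slow, and an auditor usually wants to know first which sessions exist, who ran them, how long they lasted and whether both files of each pair are still present. The helper below is an added example, not part of the original post: it parses the classic "delay bytes" lines of the script timing files and the audit-key file names described above, and flags a session whose .data file is missing or empty. The sample sessions it writes are constructed.

```shell
#!/bin/bash
# Added example (not from the original post): index recorded sessions so an
# auditor can pick which ones to replay. Each classic "script" timing file
# holds one "delay bytes" pair per output chunk, and the post names the files
# YYYY-MM-DD_HH-MM-SS_user_SUFFIX.time / .data, so user, start time, duration
# and output volume can all be recovered without replaying anything.
# A session whose .data file is missing or empty is flagged, since that is
# what tampering with the local copy would look like.

session_summary() {
  # $1 = path to a .time file
  # prints: user start_time seconds bytes status
  local tfile="$1" base user start status
  base=$(basename "$tfile" .time)
  start=$(printf %s "$base" | cut -d_ -f1,2)   # date_time
  user=$(printf %s "$base" | cut -d_ -f3)      # user names never contain '_'
  if [ -s "${tfile%.time}.data" ]; then status=ok; else status=no-data; fi
  awk -v u="$user" -v s="$start" -v st="$status" '
    NF == 2 { secs += $1; bytes += $2 }
    END { printf "%s %s %.2f %d %s\n", u, s, secs, bytes, st }
  ' "$tfile"
}

list_sessions() {
  # $1 = directory of log files; longest session first
  local dir="$1" f
  for f in "$dir"/*.time; do
    [ -e "$f" ] || continue
    session_summary "$f"
  done | sort -k3,3nr
}

# Constructed sample data (not real recordings) for a stand-alone run.
make_samples() {
  local dir="$1"
  printf '0.000000 33\n1.504321 2\n0.250000 5\n' > "$dir/2016-06-16_09-30-00_alice_Ab12xyz.time"
  printf 'recorded terminal output\n' > "$dir/2016-06-16_09-30-00_alice_Ab12xyz.data"
  printf '0.500000 10\n2.000000 3\n' > "$dir/2016-06-16_10-00-00_bob_Q9zz.time"
  # bob's .data file is deliberately absent, so his session is flagged
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
list_sessions "$SAMPLE_DIR"
```

Point list_sessions at the directory the log files were downloaded to from S3 to get the same index for real recordings.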

You can now delete the CloudFormation stack to clean up the resources that were just created. Note that you need to empty the S3 bucket before it can be deleted by CloudFormation (see Empty a Bucket).

Conclusion

A bastion host is a standard element of network security that provides secure access to private networks over SSH. In this blog post, I have shown you a way to leverage this bastion host to record SSH sessions, which you can play back and use for auditing purposes.

If you have comments, submit them in the “Comments” section below. If you have questions, please start a new thread on the Amazon VPC forum.

– Nicolas

RIAA-Approved File-Sharing Service Hacked, 51m User Details Leaked

Post Syndicated from Andy original https://torrentfreak.com/riaa-approved-file-sharing-service-hacked-51m-user-details-leaked-160613/

Back in 2003, when file-sharing technology was still in its relative infancy, several platforms had aspirations of becoming the next Napster. One of those was Israel-based iMesh, which at four years old was practically a veteran already.

But in September that year an increasingly irritable RIAA said enough is enough and sued iMesh in the United States. At the time, both parties were defiant. The RIAA insisted that iMesh should be shut down, while iMesh’s owners claimed they’d done nothing wrong.

However, in the summer of 2014 an unusual peace was reached, with iMesh paying the RIAA more than $4m in compensation and continuing business as normal. As strange as it may seem, the RIAA appeared to have licensed people they’d already branded as pirates.

There were changes though. iMesh was forced to release a new client that carried filtering technology provided by Audible Magic, with the aim of stopping infringement on the network. From the release of iMesh v6 in October 2005, it’s almost certain that the RIAA had access to vast amounts of iMesh user data.

Now, however, some of that data has landed in the public arena. Following the sudden disappearance of iMesh in recent weeks, LeakedSource is reporting that it has obtained an iMesh database containing 51,310,759 user records.

“Each record contains an email address, a username, one password, an IP address, a Country location and a join date,” the site says.

The breach, which appears to have taken place in September 2013, lists users from 55 countries participating on iMesh. With 13.7m users, the United States was by far the most popular country.

Sadly, as is often the case when such breaches are made public, the password situation on iMesh was pretty bleak.

“Passwords were stored in multiple MD5 rounds with salting. ‘Salting’ makes decrypting passwords exponentially harder when dealing with large numbers such as these, and is better than what LinkedIn and MySpace did but MD5 itself is not nearly hard enough for modern computing. The methods iMesh used, albeit 3 years ago were still insufficient for the times,” LeakedSource notes.

Only making matters worse are the passwords deployed by users. Close to a million of iMesh’s users went for ‘123456’, with more than 330,000 going for the slightly longer variant ‘123456789’.

For what would turn into a largely crippled file-sharing network, iMesh was still attracting plenty of new users. The leak shows that in 2006, just after the release of the RIAA-approved client, iMesh had 4.8 million people sign up. During 2011, 9.4 million jumped on board. The last data available shows 2.5 million new members in 2013.

Now, however, iMesh is suddenly no more. After more than a decade of working with the RIAA (and even the MPAA who had a deal to limit movie sharing on the service), several weeks ago iMesh suddenly shut down. May 5 is the last date an active page is available on Wayback Machine, boasting access to 15 million licensed songs and videos.

Unsurprisingly, the iMesh shutdown is just one of many. At the same time several other platforms closed down, including Bearshare, Shareaza and Lphant. Each shows an almost identical shutdown message on its homepage, since underneath they were all one and the same software operated by the same company.

But while it is customary for file-sharing fans to mourn the loss of file-sharing services, few with knowledge of how this network operated will be disappointed that these have gone, and not just because of the RIAA deal either.

The original Shareaza and Lphant projects were both subjected to hostile action by Discordia, the owners of iMesh, in circumstances that remain murky to this day. The original and safe version of Shareaza continues on Sourceforge, somewhat against the odds.

Users concerned that their data may have been compromised can check here.
