Tag Archives: theft

Man Who Leaked The Revenant Online Fined $1.1m

Post Syndicated from Andy original https://torrentfreak.com/man-leaked-revenant-online-fined-1-1m-160930/

In December 2015, many so-called ‘screener’ copies of the latest movies leaked online. Among them was a near-perfect copy of Alejandro G. Iñárritu’s ‘The Revenant’.

Starring Leonardo DiCaprio and slated for a Christmas Day release, the tale of vengeance clocked up tens of thousands of illegal downloads in a matter of hours.

With such a high-profile leak, it was inevitable that the authorities would attempt to track down the individual responsible. It didn’t take them long.

Following an FBI investigation, former studio worker William Kyle Morarity was discovered as the culprit. Known online by the username “clutchit,” the 31-year-old had uploaded The Revenant and The Peanuts Movie to private torrent tracker Pass The Popcorn.


Uploading a copyrighted work being prepared for commercial distribution is a felony that carries a maximum penalty of three years in prison, so his sentencing always had the potential to be punishing for the Lancaster man, despite his early guilty plea.

This week Morarity was sentenced in federal court for criminal copyright infringement after admitting that he had uploaded screener copies of both movies to the Internet.

After being posted online six days in advance of its theatrical release, The Revenant was estimated to have been downloaded at least a million times during a six-week period, causing Twentieth Century Fox Film Corporation to suffer losses of “well over $1 million.”

United States District Court Judge Stephen V. Wilson ordered Morarity to pay $1.12 million in restitution to Twentieth Century Fox. He also sentenced the 31-year-old to eight months’ home detention and 24 months’ probation.

According to court documents, Morarity obtained the screeners and copied them to a portable hard drive. He then uploaded the movies to Pass The Popcorn on December 17 and December 19.

“The film industry creates thousands of jobs in Southern California,” said United States Attorney Eileen M. Decker commenting on the sentencing.

“The defendant’s illegal conduct caused significant harm to the victim movie studio. The fact that the defendant stole these films while working on the lot of a movie studio makes his crime more egregious.”

Deirdre Fike, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, said that Morarity had abused his position of trust to obtain copies of the movies and then used them in a way that caused Fox to incur huge losses.

“The theft of intellectual property – in this case, major motion pictures – discourages creative incentive and affects the average American making ends meet in the entertainment industry,” Fike said.

As part of his punishment, Morarity also agreed to assist the FBI to produce a public service announcement aimed at educating the public about the harms of copyright infringement and the illegal uploading of movies to the Internet.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

The Cost of Cyberattacks Is Less than You Might Think

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/09/the_cost_of_cyb.html

Interesting research from Sasha Romanosky at RAND:

Abstract: In 2013, the US President signed an executive order designed to help secure the nation’s critical infrastructure from cyberattacks. As part of that order, he directed the National Institute for Standards and Technology (NIST) to develop a framework that would become an authoritative source for information security best practices. Because adoption of the framework is voluntary, it faces the challenge of incentivizing firms to follow along. Will frameworks such as that proposed by NIST really induce firms to adopt better security controls? And if not, why? This research seeks to examine the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack. Specifically, we examine a sample of over 12 000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes. First, we analyze the characteristics of these breaches (such as causes and types of information compromised). We then examine the breach and litigation rate, by industry, and identify the industries that incur the greatest costs from cyber events. We then compare these costs to bad debts and fraud within other industries. The findings suggest that public concerns regarding the increasing rates of breaches and legal actions may be excessive compared to the relatively modest financial impact to firms that suffer these events. Public concerns regarding the increasing rates of breaches and legal actions, conflict, however, with our findings that show a much smaller financial impact to firms that suffer these events. Specifically, we find that the cost of a typical cyber incident in our sample is less than $200 000 (about the same as the firm’s annual IT security budget), and that this represents only 0.4% of their estimated annual revenues.

The result is that it often makes business sense to underspend on cybersecurity and just pay the costs of breaches:

Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company’s annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues.

As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.

He also noted that the effects of a data incident typically don’t have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn’t make a lot of sense to invest too much in cyber security.

What’s being left out of these costs are the externalities. Yes, the costs to a company of a cyberattack are low to them, but there are often substantial additional costs borne by other people. The way to look at this is not to conclude that cybersecurity isn’t really a problem, but instead that there is a significant market failure that governments need to address.

UK IP Crime Report 2016 Reveals IPTV/Kodi Piracy as Growing Threat

Post Syndicated from Andy original https://torrentfreak.com/uk-ip-crime-report-2016-reveals-iptvkodi-piracy-as-growing-threat-160929/

For more than a decade the IP Crime Group and the Intellectual Property Office have collaborated to produce an assessment of the level of IP crime in the UK. Their annual IP Crime Report details the responses of businesses, anti-piracy groups, and government agencies.

As usual, this year’s report covers all areas of IP crime, both in the physical realm and online. However, it is the latter area that appears to be causing the most concern to participating anti-piracy groups.

“Perhaps the area where IP crime statistics most often reach jaw-dropping levels is in relation to the industries providing digital content,” the report reads.

“During a sample three-month period last year, 28% of those questioned admitted their music downloads in the UK came from illegal sources. Similarly, 23% of films, 22% of software, 16% of TV and 15% of games were downloaded in breach of copyright.”

While noting that illicit music downloads have actually reduced in recent years, the report highlights areas that aren’t doing so well, TV show consumption for example.

“The reasons for the spike in TV copyright infringement appear to be, in part, technological, with ‘unofficial services’ such as uTorrent, BitTorrent, TV catch up apps and established sources such as YouTube offering content without legal certainty,” it adds.

But while several methods of obtaining free TV content online are highlighted in the report, none achieve as much attention as IPTV – commonly known as Kodi with illicit third-party addons.

In her report preamble, Minister for Intellectual Property Baroness Neville-Rolfe describes anti-IPTV collaboration between the Federation Against Copyright Theft, Trading Standards, and the Police, as one of the year’s operational successes. Indeed, FACT say anti-IPTV work is now their top priority.

Federation Against Copyright Theft

“We have prioritised an emerging threat to the audiovisual industry, internet protocol TV (IPTV) boxes,” FACT write.

“In their original form, these boxes are legitimate. However, with the use of apps and add-ons, they allow users to access copyright infringing material, from live TV and sports, to premium pay-for channels and newly released films. Once configured these boxes are illegal.”

FACT say they are concentrating on two areas – raising awareness in the industry and elsewhere while carrying out enforcement and disruption operations.

“In the last year FACT has worked with a wide range of partners and law enforcement bodies to tackle individuals and disrupt businesses selling illegal IPTV boxes. Enforcement action has been widespread across the UK with numerous ongoing investigations,” FACT note.

Overall, FACT say that 70% of the public complaints they receive relate to online copyright infringement. More than a quarter of all complaints now relate to IPTV and 50% of the anti-piracy group’s current investigations involve IPTV boxes.


British Phonographic Industry (BPI)

In their submission to the report, the BPI cite three key areas of concern – online piracy, physical counterfeiting, and Internet-enabled sales of infringing physical content. The former is their top priority.

“The main online piracy threats to the UK recorded music industry at present come from BitTorrent networks, MP3 aggregator sites, cyberlockers, unauthorised streaming sites, stream ripping sites and pirate sites accessed via mobile devices,” the BPI writes.

“Search engines – predominantly Google – also continue to provide millions of links to infringing content and websites that are hosted by non-compliant operators and hosts that cannot be closed down have needed to be blocked in the UK under s.97A court orders (website blocking).”

The BPI notes that between January 2015 and March 2016, it submitted more than 100 million URL takedowns to Google and Bing. Counting all notices since 2011 when the BPI began the practice, the tally now sits at 200 million URLs.

“These astronomic numbers demonstrate the large quantity of infringing content that is available online and which is easily accessible to search engine users,” the BPI says.

On the web-blocking front, the BPI says it now has court orders in place to block 63 pirate sites and more than 700 related URLs, IP addresses and proxies.

“Site blocking is proving a successful strategy, and the longer the blocks are in place, the more effective they tend to be. The latest data available shows that traffic to sites blocked for over one year has reduced by an average of around 80%; with traffic to sites blocked for less than a year reduced by an average of around 50%,” the BPI adds.

Infringement warnings for Internet subscribers

The Get it Right campaign is an educational effort to advise the public on how to avoid pirate sites and spend money on genuine products. The campaign has been somewhat lukewarm thus far, but the sting in the tail has always been the threat of copyright holders sending warnings to Internet pirates.

To date, nothing has materialized on that front but hidden away on page 51 of the report is a hint that something might happen soon.

“A further component of the ‘Get it Right’ campaign is a subscriber alert programme that will, starting by the end of 2016, advise ISPs’ residential subscribers when their accounts are believed to have been used to infringe copyright,” the report reads.

“Account holders will receive an Alert from their ISP, advising them that unlawful uploading of a copyright content file may have taken place on their internet connection and offering advice on where to find legitimate sources of content.”

Overall, the tone of the report suggests a huge threat from IP crime but one that’s being effectively tackled by groups such as FACT, BPI, the Police Intellectual Property Crime Unit, and various educational initiatives. Only time will tell if next year’s report will retain the optimism.

The full report can be downloaded here (pdf)


Man Likely to Sacrifice Himself Testing Streaming Piracy Limits

Post Syndicated from Andy original https://torrentfreak.com/man-likely-to-sacrifice-himself-testing-streaming-piracy-limits-160925/

Year in, year out, people with an interest in Internet file-sharing discuss what is permissible under current legislation. It’s an important exercise if people are to stay on the right side of the law.

These discussions have historically taken place among enthusiasts, but with the advent of easily accessible piracy tools such as Popcorn Time, modified Kodi, and Showbox, the man in the street is now taking part.

One individual that has provoked interest among the public is UK-based Brian ‘Tomo’ Thompson, who was previously raided by police and Trading Standards after selling “fully loaded” Android boxes from his shop in the north-east.

Thompson is now being prosecuted by his local council. He says he intends to fight back to discover where the boundaries lie for sellers of similar devices.

“All I want to know is whether I am doing anything illegal. I know it’s a grey area but I want it in black and white,” he said this week.

“I’m prepared to accept what the court decides but at the moment as far as I’m concerned I’m not breaking the law.”

There are many people who share Thompson’s opinion and there’s no shortage of supporters willing the Middlesbrough man on to victory against what some see as a vindictive prosecution.

But while this is indeed an attack on the little guy, Thompson is almost certainly about to sacrifice himself for little to no gain. Admittedly the case isn’t completely straightforward, but a conviction seems almost inevitable. Here’s why.

Hardware devices – whether a computer, Android phone, tablet, or in this case, a set-top box – are 100% legal. Anyone can buy, sell or trade such devices almost anywhere in the world with no issues.

Thompson knows this, describing the blank devices as “just like a big USB stick.” While not a great analogy, for the purposes of the law, that will suffice.

On its own, the Kodi media player is also 100% legal. Anyone can download, install, use or give away the software with no problems whatsoever. Installing Kodi on an Android device and selling it is legal almost everywhere and definitely legal in the UK.

If Thompson had only done the above – sell Android set-top boxes with basic Kodi installed – he would have no issues with the police or indeed Trading Standards. Individually and combined, the software and devices are completely non-infringing.

However, Thompson did not stop there. What he did was sell Android boxes with Kodi installed, plus all the extra third-party addons that allow people to view infringing movies, TV shows, live sports, and all the other ‘goodies’ that buyers of these boxes demand. His adverts on Facebook make that very clear.


It is these third-party addons that make what Thompson did unlawful. Selling devices and/or software designed for infringing copying purposes is illegal in the UK. Encouraging others to break the law never goes in a defendant’s favor either.

According to The Northern Echo, since he was raided in March, Thompson has been selling boxes that do not have the addons installed.

“These boxes are available from all over the place, not just me, but it’s the downloading of software to watch channels that is apparently causing the problem,” he said.

But despite not offering them himself, the businessman continued to encourage his customers to install the addons on devices he supplied, despite being targeted twice previously by the authorities.

The advert below is currently available on Thompson’s Facebook page and many of the channels are subscription-only affairs. Judges rarely look kindly on people encouraging others to break the law, especially where big corporate interests are the perceived victims.


Finally, there is another issue that could negatively affect Thompson’s defense. In June 2015, a company called Geeky Kit was raided near Thompson’s premises. That company was also targeted for selling fully-loaded Android boxes. That company’s storefront at the time of the raid is shown below.

The signage clearly states that items being sold within are being offered on the basis that they provide access to subscription TV package channels for free. Geeky Kit’s premises remained closed in the weeks that followed the raid but in August came a surprise announcement from Thompson.


Thompson is now set to appear before Magistrates’ Court next week in what will be a first-of-its-kind case. Much will hinge on the outcome, for Thompson and others in his position.

“This may have to go to the crown court and then it may go all the way to the European court, but I want to make a point with this and I want to make it easier for people to know what is legal and what isn’t,” he said. “I expect it to go against me but at least I will know where I stand.”

While some definitive legal clarity in this area would help thousands of people to understand where the boundaries lie with these boxes, one can’t help but think that this is a particularly bad case for testing the waters.

Whether it will go entirely against Thompson next week remains to be seen, but if he wins the case and boxes with addons are declared legal to sell, it will be nothing short of a miracle. Companies like Sky, Premier League, and the Federation Against Copyright Theft, will rightly go into meltdown.

“It is the first case of its kind in the world so it is going to be interesting,” Thompson concludes.

He’s not wrong there.


10 Years in Prison For Online Pirates a Step Closer in the UK

Post Syndicated from Andy original https://torrentfreak.com/10-years-in-prison-for-online-pirates-a-step-closer-in-the-uk-160914/

In an effort to control the prevalence of online piracy, numerous criminal actions against file-sharers and file-sharing site operators have already taken place in the UK. However, these prosecutions have not been straightforward.

Due to UK copyright law allowing for custodial sentences of ‘just’ two years for online offenses, anti-piracy groups such as the Federation Against Copyright Theft have chosen to pursue their own private prosecutions. These have largely taken place under legislation designed for those who have committed fraud, rather than the more appropriate offense of copyright infringement.

Physical pirates (CDs, DVDs) can be jailed for up to 10 years under current legislation. During the past few years, there have been lobbying efforts for this punishment to apply both on and offline. That resulted in a UK Government announcement last year indicating that it would move to increase the maximum prison sentence for online copyright infringement to ten years.

This proposal was detailed in a draft of the Digital Economy Bill published in July. If passed into law, it would amend the relevant section of the Copyright, Designs and Patents Act 1988.

That likelihood increased yesterday with the 2nd Reading of the Digital Economy Bill in the House of Commons. Karen Bradley, Secretary of State for Culture, Media and Sport, was in attendance. The MP, who was appointed in July, spoke strongly in favor of strict copyright enforcement.

“We will help businesses from attacks on their intellectual property. Burglars can be sentenced to ten years in prison, but the criminal gangs that are making vast sums of money through exploiting the online creations of others only face a two-year sentence. We will increase this to ten,” Bradley said.


Interestingly, Bradley mentioned a convicted pirate by name. Paul Mahoney ran streaming portal FastPassTV and discussion and linking forum BedroomMedia. After being raided in 2011, the Northern Ireland-based man was sentenced to four years in jail under the Fraud Act, two more than the maximum he would’ve received under copyright legislation.

“Criminals like Paul Mahoney, who profited by almost £300,000 and cost industry millions by facilitating access to illegal films on the Internet, need to be sent a clear message,” Bradley said.

“We need to ensure that enforcement agencies and their partners have the right set of tools to tackle all types of piracy, which is why this clause is so important.”

When the increase to ten years was first reported, some news outlets suggested that regular file-sharers could be subjected to the decade-long sentence. That was addressed in Parliament yesterday by Labour MP Thangam Debbonaire, who welcomed the move but sought assurances that the casual downloader wouldn’t be targeted.

“I am pleased that clause 26 amends the current legislation on copyright to bring online criminal penalties for copyright infringement in line with off-line penalties, with a maximum of 10 years’ imprisonment. This will target anyone who infringes copyright in order to make a commercial gain,” he said.

“However, I wish to stress to hon. Members and to members of the public that this is not to catch out people who download music and unwittingly download or stream something illegal. I want to make that clear in adding my support to this measure. As far as I understand it, it targets the criminals who make money from distributing music to which they do not have the rights.”

Culture Secretary Karen Bradley confirmed that was indeed the case.

Speaking in support of the amendment, Conservative MP John Whittingdale said he was “delighted” that online and offline penalties will be equalized but said that more still needs to be done. Unsurprisingly, given the current environment, Google was again the target.

“The Conservative party manifesto stated that we would put pressure on search engines to try to prevent illegal sites from coming up at the top of a search. I know that round-table discussions have been taking place for a considerable time, but it is a matter of great concern that no significant progress has yet been made,” Whittingdale said.

“In the most recent attempt to find out whether or not there had been an improvement, a Google search was made for ‘Ed Sheeran Photograph download’, with ‘Photograph’ being one of Ed Sheeran’s most recent songs. Only one of the top 10 listings involved a legal site, and the legal site was YouTube, which, of course, is owned by Google.”

In response, Labour MP Dr Rupa Huq offered his thoughts on how that might be mitigated in future.

“[John Whittingdale] said that Ed Sheeran’s song was available on illegal platforms. Does he agree that technology companies, ​and platforms such as Google and YouTube, should be compelled to list only legal sites?” Huq said.

“At present the pirates are sometimes listed higher up than legal sites, and our British musicians who contribute, I believe, £4 billion annually to the economy are losing out as a consequence.”

Whittingdale wasn’t convinced of Huq’s solution, but agreed that much more needs to be done.

“I think it would be unrealistic to expect Google to establish whether every single site was legal or illegal. What it can do is react when illegal sites are brought to its attention,” the MP said.

“[Google] does de-list, but new sites then appear immediately. There have been a vast number of complaints from rights owners about particular sites, but they should tweak their algorithms so that those sites no longer appear at the top of the search listings. Measures of that kind have been under discussion for months and months, but the problem still exists.”

Whittingdale added that there may be a need to include a legal provision which would encourage service providers to establish some kind of voluntary code.

“[T]here may well be a case for legislation, because we cannot allow Google and other search providers to go on allowing people access to illegal sites,” he said.

The Bill will now move to Committee and Report stages, before moving to its Third Reading. It will then pass to readings in the House of Lords before undergoing amendments and the final stage of Royal Assent.


Apple’s Cloud Key Vault

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/09/apples_cloud_ke.html

Ever since Ivan Krstić, Apple’s Head of Security Engineering and Architecture, presented the company’s key backup technology at Black Hat 2016, people have been pointing to it as evidence that the company can create a secure backdoor for law enforcement.

It’s not. Matthew Green and Steve Bellovin have both explained why not. And the same group of us that wrote the “Keys Under Doormats” paper on why backdoors are a bad idea have also explained why Apple’s technology does not enable it to build secure backdoors for law enforcement. Michael Specter did the bulk of the writing.

The problem with Tait’s argument becomes clearer when you actually try to turn Apple’s Cloud Key Vault into an exceptional access mechanism. In that case, Apple would have to replace the HSM with one that accepts an additional message from Apple or the FBI — or an agency from any of the 100+ countries where Apple sells iPhones — saying “OK, decrypt,” as well as the user’s password. In order to do this securely, these messages would have to be cryptographically signed with a second set of keys, which would then have to be used as often as law enforcement access is required. Any exceptional access scheme made from this system would have to have an additional set of keys to ensure authorized use of the law enforcement access credentials.

Managing access by a hundred-plus countries is impractical due to mutual mistrust, so Apple would be stuck with keeping a second signing key (or database of second signing keys) for signing these messages that must be accessed for each and every law enforcement agency. This puts us back at the situation where Apple needs to protect another repeatedly-used, high-value public key infrastructure: an equivalent situation to what has already resulted in the theft of Bitcoin wallets, RealTek’s code signing keys, and Certificate Authority failures, among many other disasters.

Repeated access of private keys drastically increases their probability of theft, loss, or inappropriate use. Apple’s Cloud Key Vault does not have any Apple-owned private key, and therefore does not indicate that a secure solution to this problem actually exists.

It is worth noting that the exceptional access schemes one can create from Apple’s CKV (like the one outlined above) inherently entail the precise issues we warned about in our previous essay on the danger signs for recognizing flawed exceptional access systems. Additionally, the Risks of Key Escrow and Keys Under Doormats papers describe further technical and nontechnical issues with exceptional access schemes that must be addressed. Among the nontechnical hurdles would be the requirement, for example, that Apple run a large legal office to confirm that requests for access from the government of Uzbekistan actually involved a device that was located in that country, and that the request was consistent with both US law and Uzbek law.

My colleagues and I do not argue that the technical community doesn’t know how to store high-value encryption keys — to the contrary, that’s the whole point of an HSM. Rather, we assert that holding on to keys in a safe way such that any other party (i.e. law enforcement or Apple itself) can also access them repeatedly without high potential for catastrophic loss is impossible with today’s technology, and that any scheme running into fundamental sociotechnical challenges such as jurisdiction must be evaluated honestly before any technical implementation is considered.
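As an added illustration of the argument above (not Apple’s code, and not code from the essay’s authors), the following Python model contrasts a passcode-gated escrow vault with the same vault given an “OK, decrypt” path. The SHA-256 KDF, the XOR wrap, the HMAC standing in for a digital signature, and the guess budget of ten are all assumptions chosen so that it runs with the standard library alone. What it shows is the essay’s point: a brute-force attempt on the passcode-only record ends in the record’s destruction, while whoever holds the second signing key can open every enrolled record, so that key becomes the high-value, repeatedly-used secret that must then be protected.

```python
"""Toy model: passcode-gated escrow vault vs. the same vault with an
exceptional-access path. Not Apple's design; KDF, XOR wrap and HMAC
'signature' are stand-ins so the example runs offline with stdlib only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_GUESSES = 10  # assumption: small guess budget, then the record is destroyed


def _kdf(*parts: bytes) -> bytes:
    """Toy KDF: SHA-256 over length-prefixed parts (a real vault would use a slow KDF)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def _wrap(data: bytes, key: bytes) -> bytes:
    """Toy wrap/unwrap: XOR with a SHA-256 key stream. Symmetric, so it also unwraps."""
    blocks = len(data) // 32 + 1
    stream = b"".join(_kdf(key, i.to_bytes(2, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class EscrowRecord:
    wrapped: bytes      # device secret wrapped under a passcode-derived key
    verifier: bytes     # lets the vault distinguish a right guess from a wrong one
    guesses_left: int = MAX_GUESSES


class PasscodeVault:
    """The only way in is the user's passcode; a record self-destructs after
    MAX_GUESSES wrong attempts, so the operator holds no key worth stealing."""

    def __init__(self) -> None:
        self._hsm_secret = secrets.token_bytes(32)  # never leaves the "HSM"
        self._records: Dict[str, EscrowRecord] = {}

    def enrol(self, device_id: str, passcode: str, secret: bytes) -> None:
        key = _kdf(self._hsm_secret, device_id.encode(), passcode.encode())
        self._records[device_id] = EscrowRecord(_wrap(secret, key), _kdf(key, b"verify"))

    def recover(self, device_id: str, passcode: str) -> Optional[bytes]:
        rec = self._records.get(device_id)
        if rec is None:
            return None
        key = _kdf(self._hsm_secret, device_id.encode(), passcode.encode())
        if hmac.compare_digest(_kdf(key, b"verify"), rec.verifier):
            return _wrap(rec.wrapped, key)
        rec.guesses_left -= 1
        if rec.guesses_left == 0:
            del self._records[device_id]  # brute force ends in destruction, not access
        return None


class ExceptionalAccessVault(PasscodeVault):
    """Same vault plus an 'OK, decrypt' path. To honour it without the passcode
    the HSM must keep a second wrapped copy, and some party must hold the signing
    key that authorises each request: the repeatedly-used key the essay warns about."""

    def __init__(self) -> None:
        super().__init__()
        self.warrant_key = secrets.token_bytes(32)  # the "second signing key"
        self._escrow: Dict[str, bytes] = {}

    def enrol(self, device_id: str, passcode: str, secret: bytes) -> None:
        super().enrol(device_id, passcode, secret)
        self._escrow[device_id] = _wrap(secret, _kdf(self._hsm_secret, device_id.encode()))

    def escrowed_devices(self) -> List[str]:
        return list(self._escrow)

    def recover_by_order(self, device_id: str, authorization: bytes) -> Optional[bytes]:
        """Accept an 'OK, decrypt' message if it carries a valid tag under warrant_key."""
        blob = self._escrow.get(device_id)
        expected = hmac.new(self.warrant_key, device_id.encode(), "sha256").digest()
        if blob is None or not hmac.compare_digest(expected, authorization):
            return None
        return _wrap(blob, _kdf(self._hsm_secret, device_id.encode()))


def reach_of_leaked_key(vault: ExceptionalAccessVault, leaked_key: bytes) -> int:
    """Blast radius of one signing key: how many escrowed devices its holder can open."""
    opened = 0
    for dev in vault.escrowed_devices():
        order = hmac.new(leaked_key, dev.encode(), "sha256").digest()
        if vault.recover_by_order(dev, order) is not None:
            opened += 1
    return opened


def brute_force_outcome(vault: PasscodeVault, device_id: str, real_passcode: str) -> Optional[bytes]:
    """Exhaust the guess budget with wrong passcodes, then try the right one."""
    for i in range(MAX_GUESSES):
        vault.recover(device_id, f"wrong-{i}")
    return vault.recover(device_id, real_passcode)  # None: the record is already gone


if __name__ == "__main__":
    v = ExceptionalAccessVault()
    for i in range(5):
        v.enrol(f"device-{i}", f"pass{i}", bytes([i]) * 32)  # constructed sample devices
    print("passcode path after brute force:", brute_force_outcome(v, "device-0", "pass0"))
    print("devices opened with the signing key:", reach_of_leaked_key(v, v.warrant_key))
```

The contrast the test checks is the one the essay draws: the passcode path yields nothing once the guess budget is spent, whereas a single leaked `warrant_key` opens all five records regardless of passcode or guess counter, and that key has to be exercised for every lawful request.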

Congressional Report Slams OPM on Data Breach

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/09/congressional-report-slams-opm-on-data-breach/

The massive data breach at the U.S. Office of Personnel Management (OPM) that exposed background investigations and fingerprint data on millions of Americans was the result of a cascading series of cybersecurity blunders from the agency’s senior leadership on down to the outdated technology used to secure the sensitive data, according to a lengthy report released today by a key government oversight panel.

OPM offices in Washington, DC. Image: Flickr.


The 241-page analysis, commissioned by the U.S. House Oversight & Government Reform Committee, blames OPM for jeopardizing U.S. national security for more than a generation.

The report offers perhaps the most exhaustive accounting and timeline of the breach since it was first publicly disclosed in mid-2015. According to the document, the lax state of OPM’s information security left the agency’s information systems exposed for any experienced hacker to infiltrate and compromise.

“The agency’s senior leadership failed to fully comprehend the extent of the compromise, allowing the hackers to remove manuals and other sensitive materials that essentially provided a roadmap to the OPM IT environment and key users for potential compromise,” the report charges.

Probably the most incisive portion of the assessment is the timeline of major events in the breach, which details a series of miscalculations on the part of the OPM leadership. The analysis paints the picture of a chronic — almost willful — underestimation by senior leadership at OPM about the seriousness of the threat facing the agency, until it was too late.

According to the report, the OPM first learned something was amiss on March 20, 2014, when the US-CERT notified the agency of data being exfiltrated from its network. In the ensuing weeks, OPM worked with US-CERT to implement a strategy to monitor the attackers’ movements to gather counterintelligence.

The only problem with this plan, according to the panel, was that the agency erroneously believed it had cornered the intruder. However, the hacker that OPM and US-CERT had eyes on wasn’t alone. While OPM monitored the first hacker [referred to in the report only as Hacker X1], on May 7, 2014 another hacker posed as an employee of an OPM contractor (Keypoint) performing background investigations. That intruder, referred to as Hacker X2, used the contractor’s OPM credentials to log into the OPM system, install malware and create a backdoor to the network.

As the agency monitored Hacker X1’s movements through the network, the committee found, it noticed hacker X1 was getting dangerously close to the security clearance background information. OPM, in conjunction with DHS, quickly developed a plan to kick Hacker X1 out of its system. It termed this remediation “the Big Bang.” At the time, the agency was confident the planned remediation effort on May 27, 2014 eliminated Hacker X1’s foothold on their systems.

The decision to execute the Big Bang plan was made after OPM observed the attacker load keystroke logging malware onto the workstations of several database administrators, the panel found.

“But Hacker X2, who had successfully established a foothold on OPM’s systems and had not been detected due to gaps in OPM’s security posture, remained in OPM’s systems post-Big Bang,” the report notes.

On June 5, malware was successfully installed on a KeyPoint Web server. After that, X2 moved around OPM’s system until July 29, 2014, when the intruders registered opmlearning.org — a domain the attackers used as a command-and-control center to manage their malware operations.

Between July and August 2014, Hacker X2 exfiltrated the security clearance background investigation files. Then in December 2014, 4.2 million personnel records were exfiltrated.

On March 3, 2015, wdc-news-post[dot]com was registered by the attackers, who used it as a command-and-control network. On March 26, 2015, the intruders began stealing fingerprint data.

The committee found that had the OPM implemented basic, required security controls and more expeditiously deployed cutting edge security tools when they first learned hackers were targeting such sensitive data, they could have significantly delayed, potentially prevented, or significantly mitigated the theft.

For example, “OPM’s adoption of two-factor authentication for remote logons in early 2015, which had long been required of federal agencies, would have precluded continued access by the intruder into the OPM network,” the panel concluded.

Unfortunately, the exact details on how and when the attackers gained entry and established a persistent presence in OPM’s network are not entirely clear, the committee charges.

“This is in large part due to sloppy cyber hygiene and inadequate security technologies that left OPM with reduced visibility into the traffic on its systems,” the report notes. “The data breach by Hacker X1 in 2014 should have sounded a high level, multi-agency national security alarm that a sophisticated, persistent actor was seeking to access OPM’s highest-value data. It wasn’t until April 15, 2015 that the OPM identified the first indicator that its systems were compromised by Hacker X2.”

The information stolen in the breach included detailed files and personal background reports on more than 21.5 million individuals, and fingerprint data on 5.6 million of these individuals. Those security clearance background reports often included extremely sensitive information, such as whether applicants had consulted with a health care professional regarding an emotional or mental health condition; illegally used any drugs or controlled substances; or experienced financial problems due to gambling.

The intrusion, widely attributed to hackers working with the Chinese government, likely pointed out which federal employees working for the U.S. State Department were actually spies trained by the U.S. Central Intelligence Agency. That’s because — unlike most federal agencies — the CIA conducted its own background checks on potential employees, and did not manage the process through the OPM.

As The Washington Post pointed out in September 2015, the CIA ended up pulling a number of officers from its embassy in Beijing in the wake of the OPM breach, mainly because the data leaked in the intrusion would have let the Chinese government work out which State Department employees stationed there were not listed in the background check data stolen from the OPM.

As bad and as total as the OPM breach has been, it’s remarkable how few security experts I’ve heard raise the issue of what might be at stake if the OPM plunderers had not simply stolen data, but also manipulated it.

Not long after congressional hearings began on the OPM breach, I heard from a source in the U.S. intelligence community who wondered why nobody was asking this question: If the attackers could steal all of this sensitive data and go undetected for so long, could they not also have granted security clearances to people who not only didn’t actually warrant them, but who might have been recruited in advance to work for the attackers? To this date, I’ve not heard a good answer to this question.

A copy of the 110 MB report is available here (PDF).

‘Flash Hijacks’ Add New Twist to Muggings

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/09/flash-hijacks-add-new-twist-to-muggings/

A frequent crime in Brazil is a scheme in which thieves kidnap people as they’re leaving a bank, and free them only after visiting a number of ATMs to withdraw cash. Now the crooks have introduced a new time-saving wrinkle into this scam: In these so-called “flash hijacks” the thieves pull out a wireless card reader, swipe a few debit transactions with the victim’s card, and then release the individual.

A story in the Brazilian newspaper Liberal documents one such recent flash hijacking, involving two musicians in their 20s who were accosted by a pair of robbers — one of whom was carrying a gun. The thieves forced the victims to divulge their debit card personal identification numbers (PINs), and then proceeded to swipe the victims’ cards on a handheld, wireless card machine.

First spotted in 2015, flash hijackings are becoming more common in Brazil, said Paulo Brito, a cybersecurity expert living in the Campinas area of Brazil. Brito said even his friend’s son was similarly victimized recently.

“Of course transactions can be traced as far as they are done with Brazilian banks, but these bad guys can evolve and transact with foreign banks,” Brito said.

I suppose it’s slightly less traumatic for the victim if the use of handheld machines by the crooks means victims have a gun to their heads for a shorter duration. It’s also nice that the thieves are bringing the theft to the victim, instead of the other way around.

In any case, these attacks underscore a major point I try to make when adding updates to my All About Skimmers series: Most of us are far more likely to get mugged after withdrawing money from an ATM or bank than we are to encounter a skimming device in real life.

The most important security advice is to watch out for your own physical safety while using an ATM. Keep your wits about you as you transact in and leave the area, and try to be keenly aware of your immediate surroundings. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots. Also, cover the PIN pad with your hand when entering your PIN: That way, even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well.

Apple Patents Collecting Biometric Information Based on Unauthorized Device Use

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/apple_patents_c.html

Apple received a patent earlier this year on collecting biometric information of an unauthorized device user. The obvious application is taking a copy of the fingerprint and photo of someone using a stolen smartphone.

Note that I have no opinion on whether this is a patentable idea or the patent is valid.

Notes on that StJude/MuddyWatters/MedSec thing

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/08/notes-on-that-stjudemuddywattersmedsec.html

I thought I’d write up some notes on the StJude/MedSec/MuddyWaters affair. Some references: [1] [2] [3] [4].

The story so far

tl;dr: hackers drop 0day on medical device company hoping to profit by shorting their stock

St Jude Medical (STJ) is one of the largest providers of pacemakers (aka cardiac devices) in the country, around $2.5 billion in revenue, which accounts for about half their business. They provide “smart” pacemakers with an on-board computer that talks via radio waves to a nearby monitor that records the functioning of the device (and health data). That monitor, “Merlin@Home”, then talks back up to St Jude (via phone lines, 3G cell phone, or wifi). Pretty much all pacemakers work that way (my father’s does, although his is from a different vendor).

MedSec is a bunch of cybersecurity researchers (white-hat hackers) who have been investigating medical devices. In theory, their primary business is to sell their services to medical device companies, to help companies secure their devices. Their CEO is Justine Bone, a long-time white-hat hacker. Despite Muddy Waters garbling the research, there’s no reason to doubt that there’s quality research underlying all this.

Muddy Waters is an investment company known for investigating companies, finding problems like accounting fraud, and profiting by shorting the stock of misbehaving companies.

Apparently, MedSec did a survey of many pacemaker manufacturers, chose the one with the most cybersecurity problems, and went to Muddy Waters with their findings, asking for a share of the profits Muddy Waters got from shorting the stock.

Muddy Waters published their findings in [1] above. St Jude published their response in [2] above. They are both highly dishonest. I point that out because people want to discuss the ethics of using 0day to short stock when we should talk about the ethics of lying.

“Why you should sell the stock” [finance issues]

In this section, I try to briefly summarize Muddy Waters’ argument for why St Jude’s stock will drop. I’m not an expert in this area (though I do a bunch of investment), but their arguments do seem flimsy to me.

Muddy Waters’ argument is that these pacemakers are half of St Jude’s business, and that fixing them will first require recalling them all, then take another 2 years to fix, during which time they can’t be selling pacemakers. Much of the Muddy Waters paper is taken up explaining this, citing similar medical cases, and so on.

If at all true, and if the cybersecurity claims hold up, then yes, this would be good reason to short the stock. However, I suspect they aren’t true — and they are simply trying to scare people about long-term consequences, allowing Muddy Waters to profit in the short term.

@selenakyle on Twitter suggests this interesting document [4] about market solutions to vuln disclosure, if you are interested in this angle of things.

Update from @lippard: Abbott Labs agreed in April to buy St Jude at $85 a share (when St Jude’s stock was $60/share). Presumably, for this Muddy Waters attack on St Jude’s stock price to profit from anything more than a really short-term stock drop (like dumping their short position today), Muddy Waters would have to believe this effort will cause Abbott Labs to walk away from the deal. Normally, there are penalties for doing so, but material things like massive vulnerabilities in a product should allow Abbott Labs to walk away without penalties.

The 0day being dropped

Well, they didn’t actually drop 0day as such, just claims that 0day exists — that it’s been “demonstrated”. Reading through their document a few times, I’ve created a list of the 0day they found, to the granularity that one would expect from CVE numbers (CVE is a group within the Department of Homeland Security that assigns standard reference numbers to discovered vulnerabilities).

The first two, which can kill somebody, are the salient ones. The others are more normal cybersecurity issues, and may be of concern because they can leak HIPAA-protected info.

CVE-2016-xxxx: Pacemaker can be crashed, leading to death
Within a reasonable distance (under 50 feet) over several hours, pounding the pacemaker with malformed packets (either from an SDR or a hacked version of the Merlin@Home monitor) can crash it. Sometimes such crashes will brick the device, other times put it into a state that may kill the patient by zapping the heart too quickly.

CVE-2016-xxxx: Pacemaker power can be drained, leading to death
Within a reasonable distance (under 50 feet) over several days, the pacemaker’s power can slowly be drained at the rate of 3% per hour. While the user will receive a warning from their Merlin@Home monitoring device that the battery is getting low, it’s possible the battery may be fully depleted before they can get to a doctor for a replacement. A non-functioning pacemaker may lead to death.

CVE-2016-xxxx: Pacemaker uses unauthenticated/unencrypted RF protocol
The above two items are possible because there is no encryption nor authentication in the wireless protocol, allowing any evildoer access to the pacemaker device or the monitoring device.

CVE-2016-xxxx: Merlin@Home contained hard-coded credentials and SSH keys
The password to connect to the St Jude network is the same for all devices, and thus easily reverse engineered.

CVE-2016-xxxx: local proximity wand not required
It’s unclear in the report, but it seems that most other products require a wand in local proximity (inches) in order to enable communication with the pacemaker. This seems like a requirement — otherwise, even with authentication, remote RF would be able to drain the device in the person’s chest.

So these are, as far as I can tell, the explicit bugs they outline. Unfortunately, none are described in detail. I don’t see enough detail for any of these to actually be assigned a CVE number. I’m being generous here in describing them as such and giving them the benefit of the doubt; there’s enough weasel language in there to make me doubt all of them. Though, if the first two prove not to be reproducible, then there will be a great defamation case, so I presume those two are true.
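As an added illustration (not St Jude’s protocol, MedSec’s research or anything from the Muddy Waters report), here is a toy monitor-to-implant command channel: an unauthenticated receiver applies any well-formed frame from anyone in RF range, while a receiver that checks a keyed MAC, a monotonic counter and safe command bounds rejects forged, replayed, tampered and out-of-range frames. The frame layout, key, command codes and pacing bounds are all constructed for this example.

```python
"""Toy command channel showing what "no authentication in the wireless protocol" means.
Added illustration only: frame layout, key, commands and bounds are constructed and do not
describe any real device. A keyed MAC plus a monotonic counter stops forged and replayed
frames; encryption (omitted here) would additionally hide the payload from a passive listener.
"""
import hashlib
import hmac
import struct

# Constructed frame layout: version (1) | counter (4) | command (1) | value (2)
HEADER_FMT = ">BIBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 8 bytes
MAC_LEN = 16                               # truncated HMAC-SHA256 tag
PROTO_VERSION = 1
CMD_SET_RATE = 0x10
CMD_QUERY = 0x20
RATE_MIN, RATE_MAX = 30, 180               # constructed safe pacing bounds (bpm)
# Constructed pairing key; a real design would establish a per-device key out of band
# (e.g. during wand-proximity pairing) rather than share one password across all devices.
DEMO_KEY = b"constructed-example-key-32bytes!!"


def build_frame(counter: int, cmd: int, value: int) -> bytes:
    """Serialize the plaintext header; this is all an unauthenticated link carries."""
    return struct.pack(HEADER_FMT, PROTO_VERSION, counter, cmd, value)


def compute_tag(key: bytes, frame: bytes) -> bytes:
    """Keyed MAC over the whole frame, truncated to MAC_LEN bytes."""
    return hmac.new(key, frame, hashlib.sha256).digest()[:MAC_LEN]


def send_authenticated(key: bytes, counter: int, cmd: int, value: int) -> bytes:
    """What a legitimate monitor transmits: frame || tag."""
    frame = build_frame(counter, cmd, value)
    return frame + compute_tag(key, frame)


def apply_command(device, cmd: int, value: int) -> str:
    """Shared handler. Bounds-checking applies even to authenticated senders:
    a compromised monitor must not be able to request an unsafe rate."""
    if cmd == CMD_SET_RATE:
        if not RATE_MIN <= value <= RATE_MAX:
            return "rejected:out_of_range"
        device.rate = value
        return "applied:set_rate"
    if cmd == CMD_QUERY:
        return "applied:query"
    return "rejected:unknown_cmd"


class UnauthenticatedImplant:
    """Accepts any well-formed frame: anyone within RF range can issue commands."""
    def __init__(self):
        self.rate = 60

    def receive(self, frame: bytes) -> str:
        if len(frame) < HEADER_LEN:
            return "rejected:short"
        _version, _counter, cmd, value = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
        return apply_command(self, cmd, value)


class AuthenticatedImplant:
    """Verifies the MAC, then enforces a strictly increasing counter (anti-replay)."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.rate = 60

    def receive(self, wire: bytes) -> str:
        if len(wire) < HEADER_LEN + MAC_LEN:
            return "rejected:short"
        frame, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
        # Constant-time comparison so tag bytes cannot be guessed via timing.
        if not hmac.compare_digest(compute_tag(self.key, frame), tag):
            return "rejected:bad_mac"
        version, counter, cmd, value = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
        if version != PROTO_VERSION:
            return "rejected:version"
        if counter <= self.last_counter:
            return "rejected:replay"
        self.last_counter = counter
        return apply_command(self, cmd, value)


def demo() -> dict:
    """Run the same constructed traffic against both receivers and return the outcomes."""
    unauth, auth, out = UnauthenticatedImplant(), AuthenticatedImplant(DEMO_KEY), {}
    forged = build_frame(1, CMD_SET_RATE, 150)          # in-range sender, no key
    out["unauth_forged"] = unauth.receive(forged)       # accepted as-is
    out["auth_forged"] = auth.receive(forged + bytes(MAC_LEN))
    legit = send_authenticated(DEMO_KEY, 1, CMD_SET_RATE, 70)
    out["auth_legit"] = auth.receive(legit)
    out["auth_replay"] = auth.receive(legit)            # same bytes captured and resent
    # Flip the low byte of the value field inside an otherwise valid frame.
    tampered = legit[:HEADER_LEN - 1] + bytes([legit[HEADER_LEN - 1] ^ 0x01]) + legit[HEADER_LEN:]
    out["auth_tampered"] = auth.receive(tampered)
    # Even a correctly keyed request is refused if the requested value is unsafe.
    out["auth_out_of_range"] = auth.receive(send_authenticated(DEMO_KEY, 2, CMD_SET_RATE, 250))
    out["unauth_rate"], out["auth_rate"] = unauth.rate, auth.rate
    return out
```

Note that authentication alone does not address the battery-drain finding above: the receiver still spends energy verifying every frame it hears, which is why the proximity-wand gating the post mentions matters as a separate control.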

The movie/TV plot scenarios

So if you wanted to use this as a realistic TV/movie plot, here are two of them.

#1 You (the executive of the acquiring company) are meeting with the CEO and executives of a smaller company you want to buy. It’s a family concern, and the CEO really doesn’t want to sell. But you know his/her children want to sell. Therefore, during the meeting, you pull out your notebook and an SDR device and put it on the conference room table. You start running the exploit to crash that CEO’s pacemaker. It crashes, the CEO grabs his/her chest and gets carted off to the hospital. The children continue negotiations, selling off their company.

#2 You are a hacker in Russia going after a target. After many phishing attempts, you finally break into the home desktop computer. From that computer, you branch out and connect to the Merlin@Home devices through the hard-coded password. You then run an exploit from the device, using that device’s own radio, to slowly drain the battery from the pacemaker, day after day, while the target sleeps. You patch the software so it no longer warns the user that the battery is getting low. The battery dies, and a few days later while the victim is digging a ditch, s/he falls over dead from heart failure.

The Muddy Waters document is crap

There are many ethical issues, but the first should be dishonesty and spin of the Muddy Waters research report.

The report is clearly designed to scare other investors to drop St Jude stock price in the short term so that Muddy Waters can profit. It’s not designed to withstand long term scrutiny. It’s full of misleading details and outright lies.

For example, it keeps stressing how shockingly bad the security vulnerabilities are, such as saying:

We find STJ Cardiac Devices’ vulnerabilities orders of magnitude more worrying than the medical device hacks that have been publicly discussed in the past. 

This is factually untrue. St Jude’s problems are no worse than the 2013 issue where doctors disabled the RF capabilities of Dick Cheney’s pacemaker in response to disclosures. They are no worse than that insulin pump hack. Bad cybersecurity is the norm for medical devices. St Jude may be among the worst, but not by an order of magnitude.

The term “orders of magnitude” is math, by the way, and means “at least 100 times worse”. As an expert, I claim these problems are not even one order of magnitude (10 times worse). I challenge MedSec’s experts to stand behind the claim that these vulnerabilities are at least 100 times worse than other public medical device hacks.

In many places, the language is wishy-washy. Consider this quote:

Despite having no background in cybersecurity, Muddy Waters has been able to replicate in-house key exploits that help to enable these attacks

The semantic content of this is nil. It says they weren’t able to replicate the attacks themselves. They don’t have sufficient background in cybersecurity to understand what they replicated.

Such language is pervasive throughout the document, things that aren’t technically lies, but which aren’t true, either.

Also pervasive throughout the document, repeatedly interjected for no reason in the middle of text, are statements like this, repeatedly stressing why you should sell the stock:

Regardless, we have little doubt that STJ is about to enter a period of protracted litigation over these products. Should these trials reach verdicts, we expect the courts will hold that STJ has been grossly negligent in its product design. (We estimate awards could total $6.4 billion.)

I point this out because Muddy Waters obviously doesn’t feel the content of the document stands on its own, so that you can make this conclusion yourself. It instead feels the need to repeat this message over and over on every page.

Muddy Waters’ violation of Kerckhoffs’s Principle

One of the most important principles of cyber security is Kerckhoffs’s Principle, that more openness is better. Or, phrased another way, that trying to achieve security through obscurity is bad.

The Muddy Waters document attempts to violate this principle. Besides the individual vulnerabilities, it makes the claim that St Jude cybersecurity is inherently bad because it’s open. It uses off-the-shelf chips, standard software (like Linux), and standard protocols. St Jude does nothing to hide or obfuscate these things.

Everyone in cybersecurity would agree this is good. Muddy Waters claims this is bad.

For example, some of their quotes:

One competitor went as far as developing a highly proprietary embedded OS, which is quite costly and rarely seen

In contrast, the other manufacturers have proprietary RF chips developed specifically for their protocols

Again, as a cybersecurity expert in this case, I challenge MedSec to publicly defend Muddy Waters on these claims.

Medical device manufacturers should do the opposite of what Muddy Waters claims. I’ll explain why.

Either your system is secure or it isn’t. If it’s secure, then making the details public won’t hurt you. If it’s insecure, then making the details obscure won’t help you: hackers are far more adept at reverse engineering than you can possibly understand. Making things obscure, though, does stop helpful hackers (i.e. cybersecurity consultants you hire) from making your system secure, since it’s hard figuring out the details.

Said another way: your adversaries (such as me) hate seeing open systems that are obviously secure. We love seeing obscure systems, because we know you couldn’t possibly have validated their security.

The point is this: Muddy Waters is trying to profit from the public’s misconception about cybersecurity, namely that obscurity is good. The actual principle is that obscurity is bad.

St Jude’s response was no better

In response to the Muddy Waters document, St Jude published this document [2]. It’s equally full of lies — the sort that may deserve a shareholder lawsuit. (I see lawsuits galore over this). It says the following:

We have examined the allegations made by Capital and MedSec on August 25, 2016 regarding the safety and security of our pacemakers and defibrillators, and while we would have preferred the opportunity to review a detailed account of the information, based on available information, we conclude that the report is false and misleading.

If that’s true, if they can prove this in court, then that will mean they could win millions in a defamation lawsuit against Muddy Waters, and millions more for stock manipulation.

But it’s almost certainly not true. Without authentication/encryption, then the fact that hackers can crash/drain a pacemaker is pretty obvious, especially since (as claimed by Muddy Waters), they’ve successfully done it. Specifically, the picture on page 17 of the 34 page Muddy Waters document is a smoking gun of a pacemaker misbehaving.

The rest of their document contains weasel-word denials that may be technically true, but which have no meaning.

St. Jude Medical stands behind the security and safety of our devices as confirmed by independent third parties and supported through our regulatory submissions. 

Our software has been evaluated and assessed by several independent organizations and researchers including Deloitte and Optiv.

In 2015, we successfully completed an upgrade to the ISO 27001:2013 certification.

These are all myths of the cybersecurity industry. Conformance with security standards, such as ISO 27001:2013, has absolutely zero bearing on whether you are secure. Having some consultants/white-hat claim your product is secure doesn’t mean other white-hat hackers won’t find an insecurity.

Indeed, having been assessed by Deloitte is a good indicator that something is wrong. It’s not that they are incompetent (they’ve got some smart people working for them), but ultimately the way the security market works is that you demand of such auditors that they find reasons to believe your product is secure, not that they keep hunting until something is found that is insecure. It’s why outsiders, like MedSec, are better, because they strive to find why your product is insecure. The bigger the enemy, the more resources they’ll put into finding a problem.

It’s like after you get a hair cut, your enemies and your friends will have different opinions on your new look. Enemies are more honest.

The most obvious lie from the St Jude response is the following:

The report claimed that the battery could be depleted at a 50-foot range. This is not possible since once the device is implanted into a patient, wireless communication has an approximate 7-foot range. This brings into question the entire testing methodology that has been used as the basis for the Muddy Waters Capital and MedSec report.

That’s not how wireless works. With directional antennas and amplifiers, 7-feet easily becomes 50-feet or more. Even without that, something designed for reliable operation at 7-feet often works less reliably at 50-feet. There’s no cutoff at 7-feet within which it will work, outside of which it won’t.

That St Jude deliberately lies here brings into question their entire rebuttal. (see what I did there?)

ETHICS ETHICS ETHICS

First let’s discuss the ethics of lying, using weasel words, and being deliberately misleading. Both St Jude and Muddy Waters do this, and it’s ethically wrong. I point this out to uninterested readers who want to get at that other ethical issue. Clear violations of ethics we all agree interest nobody — but they ought to. We should be lambasting Muddy Waters for their clear ethical violations, not the unclear one.

So let’s get to the ethical issue everyone wants to discuss:

Is it ethical to profit from shorting stock while dropping 0day?

Let’s discuss some of the issues.

There’s no insider trading. Some people wonder if there are insider trading issues. There aren’t. While it’s true that Muddy Waters knew some secrets that nobody else knew, as long as they weren’t insider secrets, it’s not insider trading. In other words, only insiders know about a key customer contract won or lost recently. But vulnerabilities researched by outsiders are still outside the company.

Watching a CEO walk into the building of a competitor is still outsider knowledge — you can trade on the likely merger, even though insider employees cannot.

Dropping 0day might kill/harm people. That may be true, but that’s never an ethical reason to not drop it. That’s because it’s not this one event in isolation. If companies knew ethical researchers would never drop an 0day, then they’d never patch it. It’s like the government’s warrantless surveillance of American citizens: the courts won’t let us challenge it, because we can’t prove it exists, and we can’t prove it exists, because the courts allow it to be kept secret, because revealing the surveillance would harm national intelligence. That harm may happen shouldn’t stop the right thing from happening.

In other words, in the long run, dropping this 0day doesn’t necessarily harm people — and thus profiting on it is not an ethical issue. We need incentives to find vulns. This moves the debate from an ethical one to more of a factual debate about the long-term/short-term risk from vuln disclosure.

As MedSec points out, St Jude has already proven itself an untrustworthy consumer of vulnerability disclosures. When that happens, dropping 0day is ethically permissible for “responsible disclosure”. Indeed, that St Jude then lied about it in their response ex post facto justifies the dropping of the 0day.

No 0day was actually dropped here. In this case, what was dropped was claims of 0day. This may be good or bad, depending on your arguments. It’s good that the vendor will have some extra time to fix the problems before hackers can start exploiting them. It’s bad because we can’t properly evaluate the true impact of the 0day unless we get more detail — allowing Muddy Waters to exaggerate and mislead people in order to move the stock more than is warranted.

In other words, the lack of actual 0day here is the problem — actual 0day would’ve been better.

This 0day is not necessarily harmful. Okay, it is harmful, but it requires close proximity. It’s not as if the hacker can reach out from across the world and kill everyone (barring my movie-plot section above). If you are within 50 feet of somebody, it’s easier shooting, stabbing, or poisoning them.

Shorting on bad news is common. Before we address the issue whether this is unethical for cybersecurity researchers, we should first address the ethics for anybody doing this. Muddy Waters already does this by investigating companies for fraudulent accounting practice, then shorting the stock while revealing the fraud.

Yes, it’s bad that Muddy Waters profits on the misfortunes of others, but it’s others who are doing fraud — who deserve it. [Snide capitalism trigger warning] To claim this is unethical means you are a typical socialist who believes the State should defend companies, even those who do illegal things, in order to stop illegitimate/windfall profits. Supporting the ethics of this means you are a capitalist, who believes companies should succeed or fail on their own merits — which means bad companies need to fail, and investors in those companies should lose money.

Yes, this is bad for cybersec research. There is constant tension between cybersecurity researchers doing “responsible” (sic) research and companies lobbying congress to pass laws against it. We saw this recently when Detroit lobbied for DMCA (copyright) rules to bar security research, and the DMCA regulators gave us an exemption. MedSec’s action means all medical device manufacturers will now lobby congress for rules to stop MedSec — and the rest of us security researchers. The lack of public research means medical devices will continue to be flawed, which is worse for everyone.

Personally, I don’t care about this argument. How others might respond badly to my actions is not an ethical constraint on my actions. It’s like speech: that others may be triggered into lobbying for anti-speech laws is still not a constraint on what ethics allow me to say.

There were no lies or betrayal in the research. For me, “ethics” is usually a problem of lying, cheating, theft, and betrayal. As long as these things don’t happen, then it’s ethically okay. If MedSec had been hired by St Jude, had promised to keep things private, and then later disclosed them, then we’d have an ethical problem. Or consider this: frequently clients ask me to lie or omit things in pentest reports. It’s an ethical quagmire. The quick answer, by the way, is “can you make that request in writing?”. The long answer is “no”. It’s ethically permissible to omit minor things or do minor rewording, but not when it impinges on my credibility.

A life is worth about $10 million. Most people agree that “you can’t put value on a human life”, and that those who do are evil. The opposite is true. Should we spend more on airplane safety, breast cancer research, or the military budget to fight ISIS? Each can be measured in the number of lives saved. Should we spend more on breast cancer research, which affects people in their 30s, or solving heart disease, which affects people in their 70s? All these decisions mean putting value on human life, and sometimes putting different value on human life. Whether you think it’s ethical, it’s the way the world works.

Thus, we can measure this disclosure of 0day in terms of potential value of life lost, vs. potential value of life saved.

Is this market manipulation? This is more of a legal question than an ethical one, but people are discussing it. If the data is true, then it’s not “manipulation” — only if it’s false. As documented in this post, there’s good reason to doubt the complete truth of what Muddy Waters claims. I suspect it’ll cost Muddy Waters more in legal fees in the long run than they could possibly hope to gain in the short run. I recommend investment companies stick to areas of their own expertise (accounting fraud) instead of branching out into things like cyber where they really don’t grasp things.

This is again bad for security research. Frankly, we aren’t a trusted community, because we claim the “sky is falling” too often, and are proven wrong. As this is proven to be market manipulation, as the stock recovers back to its former level, and the scary stories of mass product recalls fail to emerge, we’ll be blamed yet again for being wrong. That hurts our credibility.

On the other hand, if any of the scary things Muddy Waters claims actually come to pass, then maybe people will start heeding our warnings.

Ethics conclusion: I’m a die-hard troll, so therefore I’m going to vigorously defend the idea of shorting stock while dropping 0day. (Most of you appear to think it’s unethical — I therefore must disagree with you).  But I’m also a capitalist. This case creates an incentive to drop harmful 0days — but it creates an even greater incentive for device manufacturers not to have 0days to begin with. Thus, despite being a dishonest troll, I do sincerely support the ethics of this.

Conclusion

The two 0days are about crashing the device (killing the patient sooner) or draining the battery (killing them later). Both attacks require hours (if not days) in close proximity to the target. If you can get into the local network (such as through phishing), you might be able to hack the Merlin@Home monitor, which is in close proximity to the target for hours every night.

Muddy Waters thinks the security problems are severe enough that it’ll destroy St Jude’s $2.5 billion pacemaker business. The argument is flimsy. St Jude’s retort is equally flimsy.

My prediction: a year from now we’ll see little change in St Jude’s pacemaker business earnings, while there may be some one-time costs cleaning some stuff up. This will stop the shenanigans of future 0day+shorting, even when it’s valid, because nobody will believe researchers.

A Life or Death Case of Identity Theft?

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/08/a-life-or-death-case-of-identity-theft/

Identity thieves have perfected a scam in which they impersonate existing customers at retail mobile phone stores, pay a small cash deposit on pricey new phones, and then charge the rest to the victim’s account. In most cases, switching on the new phones causes the victim account owner’s phone(s) to go dead. This is the story of a Pennsylvania man who allegedly died of a heart attack because his wife’s phone was switched off by ID thieves and she was temporarily unable to call for help.

On Feb. 20, 2016, James William Schwartz, 84, was going about his daily routine, which mainly consisted of caring for his wife, MaryLou. Mrs. Schwartz was suffering from the end stages of endometrial cancer and wasn’t physically mobile without assistance. When Mr. Schwartz began having a heart attack that day, MaryLou went to use her phone to call for help and discovered it was completely shut off.

Little did MaryLou know, but identity thieves had the day before entered a “premium authorized Verizon dealer” store in Florida and impersonated the Schwartzes. The thieves paid a $150 cash deposit to “upgrade” the elderly couple’s simple mobiles to new iPhone 6s devices, with the balance to be placed on the Schwartzes’ account.

“Despite her severely disabled and elderly condition, MaryLou Schwartz was finally able to retrieve her husband’s cellular telephone using a mechanical arm,” reads a lawsuit (PDF) filed in Beaver County, Penn. on behalf of the Schwartzes’ two daughters, alleging negligence by the Florida mobile phone store. “This monumental, determined and desperate endeavor to reach her husband’s working telephone took Mrs. Schwartz approximately forty minutes to achieve due to her condition. This vital delay in reaching emergency help proved to be fatal.”

By the time paramedics arrived, Mr. Schwartz was pronounced dead. MaryLou Schwartz died seventeen days later, on March 8, 2016. Incredibly, identity thieves would continue robbing the Schwartzes even after they were both deceased: According to the lawsuit, on April 14, 2016 the account of MaryLou Schwartz was again compromised and a tablet device was also fraudulently acquired in MaryLou’s name.

The Schwartzes’ daughters say they didn’t learn about the fraud until after both parents passed away. According to them, they heard about it from the guy at a local Verizon reseller who noticed his longtime customers’ phones had been deactivated. That’s when they discovered that while their mother’s phone was inactive at the time of their father’s death, their father’s mobile had inexplicably been able to make but not receive phone calls.

KNOW YOUR RIGHTS AND OPTIONS

Exactly what sort of identification was demanded of the thieves who impersonated the Schwartzes is in dispute at the moment. But it seems clear that this is a fairly successful and common scheme for thieves to steal (and, in all likelihood, resell) high-end phones.

Lorrie Cranor, chief technologist for the U.S. Federal Trade Commission, was similarly victimized this summer when someone walked into a mobile phone store, claimed to be her, asked to upgrade her phones and walked out with two brand new iPhones assigned to her telephone numbers.

“My phones immediately stopped receiving calls, and I was left with a large bill and the anxiety and fear of financial injury that spring from identity theft,” Cranor wrote in a blog on the FTC’s site.  Cranor’s post is worth a read, as she uses the opportunity to explain how she recovered from the identity theft episode.

She also used her rights under the Fair Credit Reporting Act, which requires that companies provide business records related to identity theft to victims within 30 days of receiving a written request. Cranor said the mobile store took about twice that time to reply, but ultimately explained that the thief had used a fake ID with Cranor’s name but the impostor’s photo.

“She had acquired the iPhones at a retail store in Ohio, hundreds of miles from where I live, and charged them to my account on an installment plan,” Cranor wrote. “It appears she did not actually make use of either phone, suggesting her intention was to sell them for a quick profit. As far as I’m aware the thief has not been caught and could be targeting others with this crime.”

Cranor notes that records of identity thefts reported to the FTC provide some insight into how often thieves hijack a mobile phone account or open a new mobile phone account in a victim’s name.

“In January 2013, there were 1,038 incidents of these types of identity theft reported, representing 3.2% of all identity theft incidents reported to the FTC that month,” she explained. “By January 2016, that number had increased to 2,658 such incidents, representing 6.3% of all identity thefts reported to the FTC that month.  Such thefts involved all four of the major mobile carriers.”

The reality, Cranor said, is that identity theft reports to the FTC likely represent only the tip of a much larger iceberg. According to data from the Identity Theft Supplement to the 2014 National Crime Victimization Survey conducted by the U.S. Department of Justice, less than 1% of identity theft victims reported the theft to the FTC.

While dealing with diverted calls can be a hassle, having your phone calls and incoming text messages siphoned to another phone also can present new security problems, thanks to the growing use of text messages in authentication schemes for financial services and other accounts.

Perhaps the most helpful part of Cranor’s post is a section on the security options offered by the four major mobile providers in the U.S. For example, AT&T offers an “extra security” feature that requires customers to present a custom passcode when dealing with the wireless provider via phone or online.

“All of the carriers have slightly different procedures but seem to suffer from the same problem, which is that they’re relying on retail stores, relying on store employees to look at the driver’s license,” Cranor told KrebsOnSecurity. “They don’t use services that will check the information on the driver’s license, and so that [falls to] the store employee who has no training in spotting fake IDs.”

Some of the security options offered by the four major providers. Source: FTC.

It’s important to note that secret passcodes often can be bypassed by determined attackers or identity thieves who are adept at social engineering — that is, tricking people into helping them commit fraud.

I’ve used a six-digit passcode for more than two years on my account with AT&T, and last summer noticed that I’d stopped receiving voicemails. A call to AT&T’s customer service revealed that all voicemails were being forwarded to a number in Seattle that I did not recognize or authorize.

Since it’s unlikely that the attackers in this case guessed my six-digit PIN, they likely tricked a customer service representative at AT&T into “authenticating” me via other methods — probably by offering static data points about me such as my Social Security number, date of birth, and other information that is widely available for sale in the cybercrime underground on virtually all Americans over the age of 35. In any case, Cranor’s post has inspired me to exercise my rights under the FCRA and find out for certain.

Vineetha Paruchuri, a master’s student in computer science at Dartmouth College, recently gave a talk at the BSides security conference in Las Vegas on her research into security at the major U.S. mobile phone providers. Paruchuri said all of the major mobile providers suffer from a lack of strict protocols for authenticating customers, leaving customer service personnel exposed to social engineering.

“As a computer science student, my contention was that if we take away the control from the humans, we can actually make this process more secure,” Paruchuri said.

Paruchuri said perhaps the most dangerous threat is the smooth-talking social engineer who spends time collecting information about the verbal shorthand or mobile industry patois used by employees at these companies. The thief then simply phones up customer support and poses as a mobile store technician or employee trying to assist a customer. This was the exact approach used in 2014, when young hooligans tricked my then-ISP Cox Communications into resetting the password for my Cox email account.

I suppose one aspect of this problem that makes the lack of strong customer authentication measures by the mobile industry so frustrating is that it’s hard to imagine a device which holds more personal and intimate details about you than your wireless phone. After all, your phone likely knows where you were last night, when you last traveled, the phone number you last called and numbers you most frequently text.

And yet, the best the mobile providers and their fleet of reseller stores can do to tell you apart from an ID thief is to store a PIN that could be bypassed by clever social engineers (who may or may not be shaving yet).

A NOTE FOR AT&T READERS

By the way, readers with AT&T phones may have received a notice this week that AT&T is making some changes to “authorized users” allowed on accounts. The notice advised that starting Sept. 1, 2016, customers can designate up to 10 authorized users per account.

“If your Authorized User does not know your account passcode or extra security passcode, your Authorized User may still access your account in a retail store using a Forgotten Passcode process. Effective Nov. 5, 2016, Authorized Users and those persons who call into Customer Service and provide sufficient account information (“Authenticated Callers”) will have the ability to add a new line of service to your account. Such requests, whether made by you, an Authorized User, an Authenticated Caller or someone with online access to your account, will trigger a credit check on you.”

AT&T’s message this week about upcoming account changes.

I asked AT&T about what need this new policy was designed to address, and the company responded that AT&T has made no changes to how an authorized user can be added to an account. AT&T spokesman Jim Greer sent me the following:

“With this notice, we are simply increasing the number of authorized users you may add to your account and giving them the ability to add a line in stores or over the phone. We made this change since more customers have multiple lines for multiple people. Authorized users still cannot access the account holder’s sensitive personal information.”

“Over the past several years, the authentication process has been strengthened. In stores, we’re safeguarding customers through driver’s license or other government issued ID authentication. We use a two-factor authentication when you contact us online or by phone that requires a one-time PIN. We’re continuing our efforts to better protect customers, with additional improvements on the horizon.”

“You don’t have to designate anyone to become an authorized user on your account. You will be notified if any significant changes are made to your account by an authorized user, and you can remove any person as an authorized user at any time.”

The rub is what AT&T does — or more specifically, what the AT&T customer representative does — to verify your identity when the caller says he doesn’t remember his PIN or passcode. If they allow PIN-less authentication by asking for your Social Security number, date of birth and other static information about you, ID thieves can defeat that easily.

Has someone fraudulently ordered phone service or phones in your name? Sound off in the comments below.

If you’re wondering what you can do to shield yourself and your family against identity theft, check out these primers:

How I Learned to Stop Worrying and Embrace the Security Freeze (this primer goes well beyond security freezes and includes a detailed Q&A as well as other tips to help prevent and recover from ID theft).

Are Credit Monitoring Services Worth It? 

What Tax Fraud Victims Can Do

The Lowdown on Freezing Your Kid’s Credit

PIPCU’s Operation Creative Gets New Leader & New Backers

Post Syndicated from Andy original https://torrentfreak.com/pipcus-operation-creative-gets-new-leader-new-backers-160823/

Back in 2013, major torrent sites began receiving letters from the UK’s National Fraud Intelligence Bureau (NFIB), a City of London Police unit tasked with identifying organized crime groups in order to disrupt their activities.

Behind the scenes, the fledgling Police Intellectual Property Crime Unit (PIPCU) had been working with the Federation Against Copyright Theft (FACT), the British Recorded Music Industry (BPI) and The Publishers Association with the aim of closing as many torrent and streaming sites as possible.

In time, this initiative became known as Operation Creative, a multi-pronged effort to reduce piracy using a variety of tactics, including the targeting of domains and the disruption of revenue streams.

The latter included the development of the Infringing Website List (IWL), a blacklist of websites distributed to potential advertisers and agencies who are asked to boycott the domains in the name of supporting creators.

The police, on the other hand, reportedly placed their own ads on some ‘pirate’ sites in an effort to scare would-be pirates.

Operation Creative is now in its third year and with that anniversary comes the appointment of a brand new senior officer to head up the initiative.

Detective Constable Steve Salway joins PIPCU having spent time at the National Fraud Investigation Bureau (NFIB) as a disruptions team investigator. During his time there, Salway is reported to have overseen the closure of “hundreds of criminal websites” worldwide.

While NFIB is involved in tackling IP infringement, the unit also has responsibility for investigating a wide variety of online crimes including financial fraud and identity theft. Salway’s work there crossed over with PIPCU operations and enticed him in.

“Operation Creative is leading the way in disrupting UK online digital piracy, and now it’s time to take success to the next level by exploring different tactics like maximising disruption opportunities around criminal revenue,” Salway says.

“My experience in tackling online crime and closing down criminal internet infrastructures will be applied to all future referrals and I am proud to be part of this new era for the initiative.”

PIPCU’s new dedicated officer puts the successes of Operation Creative down to the strength of the partnerships the police have forged with the private sector.

In addition to FACT, BPI and The PA, the International Federation of the Phonographic Industry (IFPI), PRS for music and the Association for UK Interactive Entertainment (UKIE) are all members. Coinciding with Salway’s appointment, the initiative now welcomes a new member in the form of the Music Publishers Association (MPA).

The MPA has a mission to “safeguard and promote” the interests of music publishers and writers while representing their interests to government, the rest of the industry, and the public. It currently boasts around 260 members and 4,000 music catalogues.

“I am pleased to welcome the Music Publishers Association to the Operation Creative initiative,” says PIPCU head Detective Chief Inspector Peter Ratcliffe.

“The Police Intellectual Property Crime Unit is committed to reducing the impact of intellectual property crime on the UK’s creative industries and in Creative we have a wonderful tool to disrupt the infringers’ revenue streams and hit them where it hurts them the most.”

While providing no specific details, Ratcliffe says that since Operation Creative is “entering a new phase”, new supporters will help strengthen its ranks.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

How Legitimate Content Killed an “Ethical” Torrent Site

Post Syndicated from Andy original https://torrentfreak.com/how-legitimate-content-killed-an-ethical-torrent-site-160821/

When peer-to-peer file-sharing networks started to gain traction more than a decade and a half ago, it soon became clear that if entertainment industries were to compete, they’d need to step up their game.

In the early 2000s, for example, users of Sharman Networks’ Kazaa software already had wide and free access to music and video titles. The introduction of BitTorrent shortly after only turned up the pressure.

Fifteen years down the line it’s now clearer than ever. The true enemy of illicit file-sharing is broad and convenient access to all content at a fair price. In the meantime, however, platforms such as torrent sites continue to pick up the slack. More than a decade ago, they were leading the charge.

Founded in 2003/4, torrent site UKNova took a somewhat unusual approach to its offering. Rather than the free-for-all witnessed on most platforms, UKNova aimed to responsibly service UK-based consumers and those overseas with select content that couldn’t easily be obtained by other means.

Initially, the site catered to a few ex-pats who were desperate for their fix of long-running TV soap, Eastenders. It had been made available in the States by BBC America, but in 2003 the iconic show was dropped.

“After initially sending VHS tapes across the Atlantic, a daring foray into the unknown world of trackers and torrents was made by brave visionaries and uknova.com was born,” a site operator told TorrentFreak.

“UKNova rapidly became known as the ‘go-to’ place for UK television and for a while was probably the leading private tracker catering to ex-pats and Anglophiles around the world.”

Most private torrent sites have strict rules, but UKNova went a step further than most by only allowing UK-produced TV content that was not available on DVD or premium channels. But despite the restrictions, UKNova was a success.

“Membership rapidly grew and was voluntarily limited to between 30,000 and 40,000 members. Forum activity could become so heavy that server problems arose, leading to an iconic ‘Mind The Gap‘ message.”

But UKNova was much more than just a torrent site. Like many niche trackers, UKNova had a thriving close-knit community centered around the theme and culture of UK TV. With assistance from the site’s radio station, those friendships thrived beyond the digital space.

“Events and activities grew from the forums: picnics and meet-ups, annual awards ceremonies with live radio, mugs and t-shirts, fantasy football leagues, and above all solidarity for members who were in need, ill or deceased,” the operator explains.

“There were at least four marriages resulting from friendships struck up on UKNova’s forums and IRC chat.”

Due to the nature of UK TV (free to view, for those who pay the standard license fee), UKNova offered a lot of BBC content. Back in the early days BBC iPlayer simply did not exist so once shows disappeared off air, that was that until the corporation decided to bring them back. UKNova not only filled that gap, but even received a request to help the BBC complete its archives.

“During this time relations with the BBC were cordial. In one case UKNova was even asked if they could find a missing recording of documentary series Horizon,” a site representative explains.

But by 2012, the atmosphere had begun to shift.

“UKNova is being forced to change,” an operator told TF at the time. “We have been issued with a ‘cease and desist’ order by FACT (Federation Against Copyright Theft).”

FACT was clear in its demands. All copyrighted content needed to come down, no matter where that content had come from and despite the fact that UKNova had never had a complaint from any TV station since its inception. The site didn’t believe it could be successfully prosecuted but had no way of defending itself.

“UKNova has never had any source of revenue other than donations to help pay for the servers and bandwidth. In latter years the site survived uniquely on private donations from Staff,” TF was told.

Within weeks UKNova shut down, but the dream wasn’t quite over yet.

“In 2013 a group of independent users decided to re-ignite the flame with a new site which was kept as low profile as possible. This site kept the ethos of the original UKNova, with the same rules concerning commercially available material,” a site veteran explains.

This, it appears, was to be the site’s ultimate undoing. The environment in 2013 was massively different to that of 2003. Legitimate services were appearing left and right, meaning that the content pool available to UKNova users under the site’s own stringent rules was diminishing every day.

UKNova’s decision to maintain its position as “the ethical torrent site” was cutting off its own oxygen supply and over the next three years the site began to die.

“In 2016 it became clear that the advent of the BBC Store and Amazon Video, linked to the quasi-immediate availability of shows from other channels on DVD, meant that allowable content was shrinking daily,” a site operator explains.

With the main reason for people visiting the site diminishing all the time, members had less and less to talk about. The continued rise of external and mainstream social media only exacerbated the situation.

“The discussion forums were grinding to a halt and membership was gradually shrinking. Rather than flogging a dead horse it seemed appropriate to turn out the lights, lock the door and gracefully retire.”

On Saturday August 7, UKNova’s trackers were taken offline. A week later the site was shuttered completely. UKNova was dead, this time for real.

“It’s been a good long run, so much good has been done, and so much fun has been had, by so many people – a unique experience. But all good things..,” the site said in a closing statement.

While FACT’s intervention was certainly an unwelcome one, it seems fairly clear that its own strict rules and the availability of legitimate content was what ultimately led to UKNova’s demise. Sadly, however, UKNova’s initial goals of serving the ex-pat community are still proving a problem today.

Only last week, FACT and the UK’s Police Intellectual Property Unit shut down an IPTV service directly aimed at British citizens living abroad.

PIPCU said that the platform had many thousands of customers, showing that a potentially lucrative market still exists if only someone, somewhere, would service it. Someone will, but it won’t be UKNova.

Major NSA/Equation Group Leak

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/major_nsaequati.html

The NSA was badly hacked in 2013, and we’re just now learning about it.

A group of hackers called “The Shadow Brokers” claim to have hacked the NSA, and are posting data to prove it. The data is source code from “The Equation Group,” which is a sophisticated piece of malware exposed last year and attributed to the NSA. Some details:

The Shadow Brokers claimed to have hacked the Equation Group and stolen some of its hacking tools. They publicized the dump on Saturday, tweeting a link to the manifesto to a series of media companies.

The dumped files mostly contain installation scripts, configurations for command and control servers, and exploits targeted to specific routers and firewalls. The names of some of the tools correspond with names used in Snowden documents, such as “BANANAGLEE” or “EPICBANANA.”

Nicholas Weaver has analyzed the data and believes it is real:

But the proof itself appears to be very real. The proof file is 134 MB of data compressed, expanding out to a 301 MB archive. This archive appears to contain a large fraction of the NSA’s implant framework for firewalls, including what appears to be several versions of different implants, server side utility scripts, and eight apparent exploits for a variety of targets.

The exploits themselves appear to target Fortinet, Cisco, Shaanxi Networkcloud Information Technology (sxnc.com.cn) Firewalls, and similar network security systems. I will leave it to others to analyze the reliability, versions supported, and other details. But nothing I’ve found in either the exploits or elsewhere is newer than 2013.

Because of the sheer volume and quality, it is overwhelmingly likely this data is authentic. And it does not appear to be information taken from compromised systems. Instead the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sorts of other features indicate that this is analyst-side code — the kind that probably never leaves the NSA.

I agree with him. This just isn’t something that can be faked in this way. (Good proof would be for The Intercept to run the code names in the new leak against their database, and confirm that some of the previously unpublished ones are legitimate.)

This is definitely not Snowden stuff. This isn’t the sort of data he took, and the release mechanism is not one that any of the reporters with access to the material would use. This is someone else, probably an outsider…probably a government.

Weaver again:

But the big picture is a far scarier one. Somebody managed to steal 301 MB of data from a TS//SCI system at some point between 2013 and today. Possibly, even probably, it occurred in 2013. But the theft also could have occurred yesterday with a simple utility run to scrub all newer documents. Relying on the file timestamps — which are easy to modify — the most likely date of acquisition was June 11, 2013. That is two weeks after Snowden fled to Hong Kong and six days after the first Guardian publication. That would make sense, since in the immediate response to the leaks as the NSA furiously ran down possible sources, it may have accidentally or deliberately eliminated this adversary’s access.

Okay, so let’s think about the game theory here. Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it’s a signal to the Obama Administration: “Before you even think of sanctioning us for the DNC hack, know where we’ve been and what we can do to you.”

They claim to be auctioning off the rest of the data to the highest bidder. I think that’s PR nonsense. More likely, that second file is random nonsense, and this is all we’re going to get. It’s a lot, though. Yesterday was a very bad day for the NSA.

EDITED TO ADD: Snowden’s comments. He thinks it’s an “NSA malware staging server” that was hacked.

EDITED TO ADD (8/18): Dave Aitel also thinks it’s Russia.

EDITED TO ADD (8/19): Two news articles.

Cisco has analyzed the vulnerabilities for their products found in the data. They found several that they patched years ago, and one new one they didn’t know about yet. See also this about the vulnerabilities.

EDITED TO ADD (8/20): More about the vulnerabilities found in the data.

Previously unreleased material from the Snowden archive proves that this data dump is real, and that the Equation Group is the NSA.

Visa Alert and Update on the Oracle Breach

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/08/visa-alert-and-update-on-the-oracle-breach/

Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle’s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices. Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang.

The Visa alert is the first substantive document that tries to help explain what malware and which malefactors might have hit Oracle — and by extension many of Oracle’s customers — since KrebsOnSecurity broke news of the breach on Aug. 8. That story cited sources close to the investigation saying hackers had broken into hundreds of servers at Oracle’s retail division, and had completely compromised Oracle’s main online support portal for MICROS customers.

MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.

In short, tens of millions of credit cards are swiped at MICROS terminals monthly, and a breach involving the theft of credentials that might have granted remote access to even just a small percentage of those systems is potentially a big and costly problem for all involved.

So far, however, most MICROS customers are left scratching their heads for answers. A frequently asked questions bulletin (PDF) Oracle also released last Monday held little useful information. Oracle issued the same cryptic response to everyone who asked for particulars about how far the breach extended. “Oracle has detected and addressed malicious code in certain legacy MICROS systems.”

Oracle also urged MICROS customers to change their passwords, and said “we also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.”

One of two documents Oracle sent to MICROS customers and the sum total of information the company has released so far about the breach.

Some technology and fraud experts, including Gartner Analyst Avivah Litan, read that statement highlighted in yellow above as an acknowledgement by Oracle that hackers may have abused credentials gained in the MICROS portal breach to plant malicious code on the point-of-sale devices run by an unknown number of MICROS customers.

“This [incident] could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider,” Litan told me last week. “I’d say there’s a big chance that the hackers in this case found a way to get remote access” to MICROS customers’ on-premises point-of-sale devices.

Clearly, Visa is concerned about this possibility as well.

INDICATORS OF COMPROMISE

In my original story about the breach, I wasn’t able to reveal all the data I’d gathered about the apparent source of the attacks and attackers. A key source in that story asked that I temporarily delay publishing certain details of the investigation, specifically those known as indicators of compromise (IOCs). Basically, IOCs are lists of suspect Internet addresses, domain names, filenames and other curious digital clues that are thought to connect the victim with its attacker.

I’ve been inundated all week with calls and emails from security experts asking for that very data, but sharing it wasn’t my call. That is, until yesterday (8/12/16), when Visa published a “merchant communication alert” to some customers. In that alert (PDF), Visa published IOCs that may be connected with the intrusion. These IOCs could be extremely useful to MICROS customers because the presence of Internet traffic to and from these online destinations would strongly suggest the organization’s point-of-sale systems may be similarly compromised.

Some of the addresses on this list from Visa are known to be associated with the Carbanak Gang, a group of Eastern European hackers that Russian security firm Kaspersky Lab estimates has stolen more than $1 billion from banks and retailers. Here’s the IOC list from the alert Visa pushed out Friday:

Visa warned merchants to check their systems for any communications to and from these Internet addresses and domain names associated with a Russian organized cybercrime gang called “Carbanak.”

Thankfully, since at least one of the addresses listed above (192.169.82.86) matched what’s on my source’s list, the source agreed to let me publish the entire thing. Here it is. I checked my source’s list and found at least five Internet addresses that were seen in both the Oracle attack and in a Sept. 2015 writeup about Carbanak by ESET Security, a Slovakian antivirus and security company. [NB: If you are unskilled at safely visiting malicious Web sites and/or handling malware, it’s probably best not to visit the addresses in the above-linked list.]
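The check Visa is asking merchants to perform, searching their own traffic logs for the indicators in the alert, looks like this in code. This is an added example, not code from the article, Visa, Oracle or Trend Micro. The only real indicator it uses is 192.169.82.86, the one address the article names from the alert; the two domains and the log lines are constructed placeholders for the example and are not real indicators.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator lists. 192.169.82.86 is the one address the article quotes from
# the Visa alert; the two domains are constructed placeholders for this
# example and are not real indicators.
IOC_IPS = {"192.169.82.86"}
IOC_DOMAINS = {"c2-placeholder.invalid", "update-check.example"}

# Constructed sample log lines, loosely modelled on a firewall/proxy export:
#   <timestamp> <src> -> <dst>:<port> <bytes>
SAMPLE_LOG = """\
2016-08-12T10:01:03Z 10.0.5.21 -> 93.184.216.34:443 1844
2016-08-12T10:01:09Z 10.0.5.44 -> 192.169.82.86:8080 512
2016-08-12T10:02:11Z 10.0.5.21 -> cdn.update-check.example:80 9021
2016-08-12T10:02:40Z 192.169.82.86 -> 10.0.5.44:3389 128
2016-08-12T10:03:02Z 10.0.5.19 -> 10.0.0.1:53 77
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A hostname: dotted labels ending in an alphabetic label, so a dotted-quad
# IP address never matches this pattern.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str   # the IOC that matched
    kind: str        # "ip" or "domain"
    line: str        # the offending log line, kept for the analyst


def is_ip(token: str) -> bool:
    """Reject regex matches like 999.1.1.1 that are not valid addresses."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True when host is the IOC domain itself or any subdomain of it.
    Plain substring matching would wrongly flag 'notupdate-check.example'."""
    host = host.lower().rstrip(".")
    ioc_domain = ioc_domain.lower()
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_line(line_no: int, line: str,
              ioc_ips: Iterable[str], ioc_domains: Iterable[str]) -> List[Hit]:
    hits: List[Hit] = []
    # dict.fromkeys de-duplicates tokens while keeping their order in the line
    for tok in dict.fromkeys(IP_RE.findall(line)):
        if is_ip(tok) and tok in ioc_ips:
            hits.append(Hit(line_no, tok, "ip", line))
    for tok in dict.fromkeys(HOST_RE.findall(line)):
        for d in ioc_domains:
            if domain_matches(tok, d):
                hits.append(Hit(line_no, d, "domain", line))
    return hits


def scan_log(text: str, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS) -> List[Hit]:
    """Return every IOC hit in the log text, in line order."""
    hits: List[Hit] = []
    for n, line in enumerate(text.splitlines(), start=1):
        hits.extend(scan_line(n, line, ioc_ips, ioc_domains))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.kind} indicator {h.indicator} -> {h.line}")
```

IP indicators are matched exactly and domain indicators match the domain and any subdomain of it, since command-and-control hosts are frequently served from rotating subdomains. A hit in either direction (the device reaching out, or an external address reaching in, as in the constructed line 4) is a trigger to pull the machine for investigation, not proof of compromise on its own; the same IP ranges can be shared hosting that also serves legitimate traffic.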

Visa also mentioned a specific POS-malware threat in its alert called “MalumPOS.” According to researchers at Trend Micro, MalumPOS is malware designed to target point-of-sale systems in hotels and related industries. In fact, Trend found that MalumPOS is set up to collect data specifically from point-of-sale systems running on Oracle’s MICROS platform.

It should come as no surprise then that many of Oracle’s biggest customers in the hospitality industry are starting to make noise, accusing Oracle of holding back key information that could help MICROS-based companies stop and clean up breaches involving malware and stolen customer credit card data.

“Oracle’s silence has been deafening,” said Michael Blake, chief executive officer at HTNG, a trade association for hotels and technology. “They are still grappling and trying to answer questions on the extent of the breach. Oracle has been invited to the last three [industry] calls this week and they are still going about trying to reach each customer individually and in the process of doing so they have done nothing but given the lame advice of changing passwords.”

The hospitality industry has been particularly hard hit by point-of-sale compromises over the past two years. Last month, KrebsOnSecurity broke the news of a breach at Kimpton Hotels (Kimpton appears to run MICROS products, but the company declined to answer questions for this story).

Kimpton joins a long list of hotel brands that have acknowledged card breaches over the last year, including Trump Hotels (twice), Hilton, Mandarin Oriental, White Lodging (twice), Starwood Hotels and Hyatt. In many of those incidents, thieves had planted malicious software on the point-of-sale devices at restaurants and bars inside of the hotel chains. And, no doubt, many of those cash registers were run on MICROS systems.

If Oracle doesn’t exactly know which — if any — of its MICROS customers had malware on their point-of-sale systems as a result of the breach, it may be because the network intruders didn’t have any reason to interact with Oracle’s customers via the MICROS portal after stealing usernames and passwords that would allow them to remotely access customer on-premises systems. In theory, at that point the fraudsters could have bypassed Oracle altogether from then on.

BREACHED BY MULTIPLE ACTORS?

Another possibly interesting development in the Oracle breach story: There are indications that Oracle may have been breached by more than one cybercrime group. Or at least handed off from one to the other.

Late this week, Thomas Fox-Brewster at Forbes published a story noting that MICROS was just one of at least five point-of-sale companies that were recently hacked by a guy who — from an exhaustive review of his online chats — appears to have just sat himself down one day and decided to hack a bunch of point-of-sale companies.

Forbes quoted my old friend Alex Holden of Hold Security saying he had evidence that hackers had breached at least 10 payment companies, and the story focuses on getting confirmation from the various other providers apparently breached by the same cybercriminal actor.

Holden showed me multiple pages worth of chat logs between two individuals on a cybercrime forum [full disclosure: Holden’s company lists me as an adviser, but I accept no compensation for that role, and he ignores most of my advice].

The discussion between the two hackers begins around July 15, 2016, and goes on for more than a week. In it, the two hackers have been introduced to one another through a mutual, trusted contact. For a while, all they discuss is whether the seller can be trusted to deliver the Oracle MICROS database and control over the Oracle MICROS customer ticketing portal.

In the end, the buyer is convinced by what he sees and agrees to pay the bitcoin equivalent of roughly USD $13,000 for access to Oracle’s MICROS portal, as well as a handful of other point-of-sale Web sites. The buyer’s bitcoin wallet and the associated transactions can be seen here.

A screen shot shared by one of the hackers involved in compromising Oracle's MICROS support portal. This screen shot was taken of a similar Web shell the hackers placed on the Web site of another POS provider (this is not the shell that was on Oracle).


According to the chat log, the hacker broke in by exploiting a file-upload function built into the MICROS customer support portal. From there the attackers were able to upload an attack tool known as a “WSO Web Shell.” This is a crude but effective text-based control panel that helps the attacker install additional attack tools to harvest data from the compromised Web server (see screen shot above). The beauty of a Web shell is that the attacker can control the infected site using nothing more than a Web browser, a hidden login page and a password that only he knows.

The two hackers discussed and both viewed more than a half-dozen files that were apparently left behind on the MICROS portal by the WSO shell they uploaded in mid-July (most of the malicious files ended in the file extension “wso.aspx”). The chat logs show the pair of miscreants proceeding to target another 9 online payment providers or point-of-sale vendors.
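The upload-then-execute path the chat log describes is exactly what a file-upload feature has to rule out: a file that the server will treat as code must never land somewhere the server will run it. The block below is an added example (not Oracle’s code, not the MICROS portal and not the WSO shell) showing two defensive checks: an allow-list validator for uploaded filenames that refuses anything a server would execute, including double-extension names like the “wso.aspx” artifacts mentioned above, and a scan that walks an existing upload directory looking for such files. The allowed extensions, the directory layout and the sample files are assumptions.

```python
"""Defensive checks for a file-upload feature on a support portal.

Added example; not Oracle's code, not the MICROS portal and not the WSO
shell. It shows (1) an allow-list validator for uploaded filenames that
rejects anything the server would execute, including double-extension
names like the 'wso.aspx' artifacts mentioned in the chat logs, and
(2) a scan of an existing upload directory for such files. The allowed
extensions, directory layout and sample files are assumptions.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions a typical IIS/Apache/Tomcat stack would hand to a script
# runtime if the file were served from the web root.
SERVER_EXEC_EXTS = {".aspx", ".asax", ".ashx", ".asmx", ".asp", ".php",
                    ".phtml", ".jsp", ".jspx", ".cgi"}
# What a ticketing portal might legitimately accept (assumption).
ALLOWED_EXTS = {".pdf", ".png", ".jpg", ".jpeg", ".txt", ".log", ".zip"}
# Server-side script directives that mark a file as code whatever its name.
SCRIPT_MARKERS = (b"<%@", b"<?php", b"<%", b'<script runat="server"')


def validate_upload_name(name, allowed=ALLOWED_EXTS):
    """Return a safe basename to store under, or raise ValueError.

    Every dotted suffix is inspected, not just the last one, so both
    'a.wso.aspx' and 'a.aspx.jpg' are refused; the latter matters on
    servers that honour more than one extension."""
    base = os.path.basename(name.replace("\\", "/"))
    if not base or base in {".", ".."}:
        raise ValueError("empty or relative name")
    # Cut at NUL or ';' - both have confused extension parsing in some stacks.
    base = re.split(r"[\x00;]", base)[0]
    suffixes = [s.lower() for s in Path(base).suffixes]
    if not suffixes:
        raise ValueError("no extension")
    if any(s in SERVER_EXEC_EXTS for s in suffixes):
        raise ValueError(f"server-executable extension in {base!r}")
    if suffixes[-1] not in allowed:
        raise ValueError(f"extension {suffixes[-1]!r} not allowed")
    # Normalise to a conservative character set; a real service should also
    # store under its own generated id and keep uploads outside the web root.
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)


def scan_upload_dir(root):
    """Walk root and return sorted (relative_path, [reasons]) for files that
    carry a server-executable extension or begin with a script directive."""
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath, fn)
            reasons = []
            if any(s.lower() in SERVER_EXEC_EXTS for s in p.suffixes):
                reasons.append("server-executable extension")
            try:
                with p.open("rb") as fh:
                    head = fh.read(512).lstrip()
            except OSError:
                head = b""
            if head.startswith(SCRIPT_MARKERS):
                reasons.append("starts with server-script directive")
            if reasons:
                findings.append((p.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed sample upload directory: benign attachments plus one
    file named like the artifacts in the post and one text note that
    begins with a page directive. Neither contains any shell logic."""
    tickets = Path(root) / "tickets"
    tickets.mkdir(parents=True, exist_ok=True)
    (tickets / "invoice-1042.pdf").write_bytes(b"%PDF-1.4\n% constructed placeholder\n")
    (tickets / "screenshot.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (tickets / "attachment.wso.aspx").write_bytes(
        b'<%@ Page Language="C#" %>\n<!-- constructed marker only -->\n')
    (tickets / "notes.txt").write_bytes(b"<%@ Page %> pasted into a text note\n")
    return root


def run_demo():
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_upload_dir(tmp)


if __name__ == "__main__":
    for path, reasons in run_demo():
        print(f"{path}: {', '.join(reasons)}")
    for candidate in ("invoice-1042.pdf", "attachment.wso.aspx", "x.aspx.jpg"):
        try:
            print(candidate, "->", validate_upload_name(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

The validator is the preventive control and the scan is the retrospective one: the scan flags the “.wso.aspx” file on both its extension and its content, and also flags a plain text note that happens to begin with a page directive, which is the kind of low-cost false positive a reviewer can clear in seconds. Neither check replaces keeping the upload store outside the web root, but together they would have stopped or surfaced the artifacts the chat logs describe.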

Some of those companies were quoted in the Forbes piece as having acknowledged a breach similar to the Web shell attack at Oracle. But none of them have anywhere near the size of Oracle’s MICROS customer base.

GOOD HOSPITALITY, OR SWEPT UNDER THE RUG?

Oracle maintains in its FAQ (PDF) about the MICROS attack that “Oracle’s Corporate network and Oracle’s other cloud and service offerings were not impacted.” But a confidential source within Oracle’s Hospitality Division told KrebsOnSecurity that the breach first started in one of Oracle’s major point-of-sale data centers — specifically the company’s large data center in Manassas, Va.

According to my source, that particular center helps large Oracle hospitality industry clients manage their fleets of MICROS point-of-sale devices.

“Initially, the customer’s network and the internal Oracle network were on the same network,” said my source, who spoke under condition of anonymity because he did not have permission from his employer to speak on the record. “The networking team did a network segmentation of these two networks — ironically for security purposes. However, it seems as if what they have done actually allowed access from the Russian Cybercrime group.”

My source said that in mid-July 2016 Oracle sent out an email alert to employees of its hospitality division that they had to re-image their laptops without backing anything up.

“All of the files and software that were on an employee’s computer were deleted, which was crippling to business operations,” my source recalled. “Project management lost all their schedules, deployment teams lost all the software that they use to install on customer sites. Oracle did not tell the employees in this email that they got hacked but just to re-image everything with no backups. It seems as if Oracle did a pretty good job sweeping this incident under the rug. Most employees don’t know about the hack and it hasn’t been a huge deal to the customers. However, it is estimated that this cost them billions, so it is a really major breach.”

I sent Oracle a litany of questions based on the above, but a spokesperson for the company said Oracle would comment on none of it.

Hackers Stealing Cars

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/hackers_stealin.html

We’re seeing car thefts in the wild accomplished through hacking:

Houston police have arrested two men for a string of high-tech thefts of trucks and SUVs in the Houston area. The Houston Chronicle reports that Michael Armando Arce and Jesse Irvin Zelaya were charged on August 4th, and are believed to be responsible for more than 100 auto thefts. Police said Arce and Zelaya were shuttling the stolen vehicles across the Mexican border.

[…]

The July video shows the thief connecting a laptop to the Jeep before driving away in it. A Fiat-Chrysler spokesman told ABC News that the thieves used software intended to be used by dealers and locksmiths to reprogram the vehicle’s keyless entry and ignition system.

PIPCU Raids ‘Pirate’ TV Streaming Operation, Three Arrested

Post Syndicated from Andy original https://torrentfreak.com/pipcu-raids-pirate-tv-streaming-operation-three-arrested-160811/

Last month saw the shutdown of KickassTorrents and the arrest of its alleged founder, a development which sent shockwaves through the file-sharing community.

That was followed by the surprise shutdown of Torrentz, the world’s largest torrent meta-search engine. It’s not known why the site chose to close its doors but its departure from the scene was somewhat more orderly than that of KAT.

Meanwhile, and as revealed in our earlier report, streaming continues to prove increasingly popular with Internet users, a fact the authorities are well aware of.

With that in mind, the UK’s Police Intellectual Property Unit (PIPCU) has just carried out a new operation against individuals it believes are involved in streaming content online and distributing set-top boxes modified to receive it.

Following a series of dawn raids carried out yesterday morning in Lancashire, PIPCU arrested three men aged 36, 40 and 58, on suspicion of conspiracy to defraud and money laundering offences.

PIPCU say that the operation received assistance from local police and a forensic investigator from the Federation Against Copyright Theft (FACT).

While previous operations against streaming pirates have usually resulted in the seizure of Kodi-enabled Android set-top boxes, this operation appears to have gone a step up the chain.

Photographs provided by PIPCU show what appears to be a somewhat sophisticated operation, beginning with satellite TV reception.

[Photograph: satellites]

The PIPCU operation spanned three residential addresses and an as-yet-unnamed business premises. It seems likely that the photograph of the server room shown below was taken in the latter location. Thus far, PIPCU say they have seized approximately 30 servers.

[Photograph: servers]

In addition, PIPCU say they also recovered set-top boxes which had been modified so that users could access hundreds of premium subscription-only channels.

“Some of the channels available on the devices include pay-per-view sports, the latest movies and UK broadcast television only available to UK licence fee payers. Officers have also identified 15 satellites,” PIPCU report.

Neither the police nor FACT have provided any information which allows us to easily identify those arrested or their operation. However, there are a number of clues which point us in a particular direction.

Firstly, PIPCU claims that the devices were being sold as legitimate products that could provide content to users anywhere in the world for an annual fee of around £400. Second, the unit also identified a small town with a population of just 41,000.

So, given the location of the raids and the specific nature and size of the business, TorrentFreak sources familiar with IPTV operators in the UK told us that one company in particular stands out as the most likely candidate.

The outfit has not yet responded to our requests for comment so naturally we won’t name them, but we do know that they offer IPTV packages to the expat market and those abroad for just a few pounds less than the £400 mentioned by PIPCU.

The packages (and indeed the hardware) are also marketed and sold as entirely legitimate. We’re also aware that a staff member at the company was previously involved in another business dealing in satellite communications.

At the time of writing their website is still up and running and registered to a business premises in Chorley, Lancashire, the town mentioned by PIPCU. Furthermore, a posting discovered online by TF indicates that the IPTV operation had been established for a number of years and was recently running 30 servers.

In a statement, head of PIPCU, Detective Chief Inspector Peter Ratcliffe, described the outfit as “a significant and highly resourced operation to distribute pirated television on an industrial scale” to tens of thousands of people across the globe.

“Operations like this remain an integral part of protecting livelihoods supported by the entertainment industry and the law abiding public who pay for their channels with their hard earned cash,” he said.

Director General of the Federation Against Copyright Theft, Kieron Sharp, said his organization will continue to pursue those engaged in this growing area of piracy.

“Illegally modified set-top boxes, along with infringing apps and add-ons, have created new opportunities for criminality and piracy. Tackling these threats and the people behind them is one of our highest priorities and therefore today’s multi-agency action is another great result for law enforcement and the creative industries,” Sharp said.

“We will continue to work with our members and partners, such as the City of London Police, to crack down on those involved in the illegal supply of these boxes so that both the content and its creators are protected.”

When TF has solid information concerning the identity of the company involved we will post an update.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

MPAA Anti-Piracy Cutbacks Lead to “Bullying” Lawsuit

Post Syndicated from Andy original https://torrentfreak.com/mpaa-anti-piracy-cutbacks-lead-to-bullying-lawsuit-160804/

The Australian Federation Against Copyright Theft was viewed by many as the country’s leading anti-piracy outfit. Financed by the major Hollywood studios, AFACT was front and center of most major copyright battles Down Under since its inception in 2004.

Perhaps most notably, AFACT was the group that spearheaded the prolonged and ultimately unsuccessful legal action that aimed to force local ISP iiNet to disconnect Internet users for alleged piracy.

For several years, AFACT was headed up by Neil Gane, a former Hong Kong Police Inspector who had worked with the MPAA against piracy across Asia. In 2014, when AFACT became known by the more friendly name of the Australian Screen Association (ASA), Gane left the organization to return to Hong Kong.

There Gane headed up the newly created Asia Pacific Internet Centre (APIC), a regional anti-piracy, policy, research and training hub for the Motion Picture Association (MPA) Asia Pacific.

Gane was replaced as head of ASA/AFACT by Mark Day, a former regional legal counsel at the MPA and the group’s main representative in China. Between 2001 and 2009, Day oversaw multiple criminal and civil cases prosecuted by MPA members.

Now, however, Day’s career at the ASA appears to be over. After just a year in his new role, Day was fired from the top job. In response, he’s now suing his former employer and former AFACT chief Neil Gane for allegedly doing so illegally.

According to court papers filed in Federal Court and first reported by SMH, in 2015 the MPAA made a decision to significantly reduce ASA’s budget.

In response, ASA director Mike Ellis, a veteran of the MPA and its Asia Pacific president, decided to dismiss Day in November 2015 to take over the position himself. Day was on sick leave at the time.

Day later fought back, claiming through his lawyer that he’d been working in a hostile workplace and had been the victim of bullying. He’s now suing the ASA, Mike Ellis and Neil Gane, for discrimination and punishing him for exercising his workplace rights.

According to SMH, Day is seeking compensation for economic loss, psychological injury, pain, suffering, humiliation, and damage to his professional reputation.

While Day’s lawsuit could yield some interesting facts about the anti-piracy operations of the MPA, the dismissal of the former ASA boss in the face of MPAA cuts is the broader story.

As revealed in May this year, the MPAA is also set to withdraw funding from the UK’s Federation Against Copyright Theft before the end of 2016, ending a 30-year relationship with the group.

Local funding for FACT was withdrawn in favor of financing larger regional hubs with a wider remit, in FACT’s case the MPA’s EMEA (Europe, Middle East, Africa) hub in Brussels.

In ASA’s case, it’s clear that the MPA has decided that its recently-formed Asia Pacific Internet Centre (APIC) will be its regional anti-piracy powerhouse and where its local funding will be concentrated in future.

The MPA’s regional hubs are said to offer the studios “a nimble local presence and a direct relationship with local law enforcement.”

Meanwhile, the MPAA’s head office remains in Los Angeles.


The Security of Our Election Systems

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/07/the_security_of_11.html

Russia was behind the hacks into the Democratic National Committee’s computer network that led to the release of thousands of internal emails just before the party’s convention began, U.S. intelligence agencies have reportedly concluded.

The FBI is investigating. WikiLeaks promises there is more data to come. The political nature of this cyberattack means that Democrats and Republicans are trying to spin this as much as possible. Even so, we have to accept that someone is attacking our nation’s computer systems in an apparent attempt to influence a presidential election. This kind of cyberattack targets the very core of our democratic process. And it points to the possibility of an even worse problem in November: that our election systems and our voting machines could be vulnerable to a similar attack.

If the intelligence community has indeed ascertained that Russia is to blame, our government needs to decide what to do in response. This is difficult because the attacks are politically partisan, but it is essential. If foreign governments learn that they can influence our elections with impunity, this opens the door for future manipulations, both document thefts and dumps like this one that we see and more subtle manipulations that we don’t see.

Retaliation is politically fraught and could have serious consequences, but this is an attack against our democracy. We need to confront Russian President Vladimir Putin in some way (politically, economically or in cyberspace) and make it clear that we will not tolerate this kind of interference by any government. Regardless of your political leanings this time, there’s no guarantee the next country that tries to manipulate our elections will share your preferred candidates.

Even more important, we need to secure our election systems before autumn. If Putin’s government has already used a cyberattack to attempt to help Trump win, there’s no reason to believe he won’t do it again, especially now that Trump is inviting the “help.”

Over the years, more and more states have moved to electronic voting machines and have flirted with Internet voting. These systems are insecure and vulnerable to attack.

But while computer security experts like me have sounded the alarm for many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified.

We no longer have time for that. We must ignore the machine manufacturers’ spurious claims of security, create tiger teams to test the machines’ and systems’ resistance to attack, drastically increase their cyber-defenses and take them offline if we can’t guarantee their security online.

Longer term, we need to return to election systems that are secure from manipulation. This means voting machines with voter-verified paper audit trails, and no Internet voting. I know it’s slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great.

There are other ways to attack our election system on the Internet besides hacking voting machines or changing vote tallies: deleting voter records, hijacking candidate or party websites, targeting and intimidating campaign workers or donors. There have already been multiple instances of political doxing (publishing personal information and documents about a person or organization), and we could easily see more of it in this election cycle. We need to take these risks much more seriously than before.

Government interference with foreign elections isn’t new, and in fact, that’s something the United States itself has repeatedly done in recent history. Using cyberattacks to influence elections is newer but has been done before, too, most notably in Latin America. Hacking of voting machines isn’t new, either. But what is new is a foreign government interfering with a U.S. national election on a large scale. Our democracy cannot tolerate it, and we as citizens cannot accept it.

Last April, the Obama administration issued an executive order outlining how we as a nation respond to cyberattacks against our critical infrastructure. While our election technology was not explicitly mentioned, our political process is certainly critical. And while they’re a hodgepodge of separate state-run systems, together their security affects every one of us. After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy.

Election security is now a national security issue; federal officials need to take the lead, and they need to do it quickly.

This essay originally appeared in the Washington Post.

Real-World Security and the Internet of Things

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/07/real-world_secu.html

Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die. Chaos ensues. While some of these scenarios overhype the mass destruction, the individual risks are all real. And traditional computer and network security isn’t prepared to deal with them.

Classic information security is a triad: confidentiality, integrity, and availability. You’ll see it called “CIA,” which admittedly is confusing in the context of national security. But basically, the three things I can do with your data are steal it (confidentiality), modify it (integrity), or prevent you from getting it (availability).

So far, Internet threats have largely been about confidentiality. These can be expensive; one survey estimated that data breaches cost an average of $3.8 million each. They can be embarrassing, as in the theft of celebrity photos from Apple’s iCloud in 2014 or the Ashley Madison breach in 2015. They can be damaging, as when the government of North Korea stole tens of thousands of internal documents from Sony or when hackers stole data about 83 million customer accounts from JPMorgan Chase, both in 2014. They can even affect national security, as in the case of the Office of Personnel Management data breach by — presumptively — China in 2015.

On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home. It’s another thing entirely if it can be hacked to allow a burglar to open the door — or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car’s location.

With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the Internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.

Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.

The increased risks come from three things: software control of systems, interconnections between systems, and automatic or autonomous systems. Let’s look at them in turn:

Software Control. The Internet of Things is a result of everything turning into a computer. This gives us enormous power and flexibility, but it brings insecurities with it as well. As more things come under software control, they become vulnerable to all the attacks we’ve seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won’t work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never. A recent Princeton survey found 500,000 insecure devices on the Internet. That number is about to explode.

Interconnections. As these systems become interconnected, vulnerabilities in one lead to attacks against others. Already we’ve seen Gmail accounts compromised through vulnerabilities in Samsung smart refrigerators, hospital IT networks compromised through vulnerabilities in medical devices, and Target Corporation hacked through a vulnerability in its HVAC system. Systems are filled with externalities that affect other systems in unforeseen and potentially harmful ways. What might seem benign to the designers of a particular system becomes harmful when it’s combined with some other system. Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing. The Internet of Things will make exploitable vulnerabilities much more common. It’s simple mathematics. If 100 systems are all interacting with each other, that’s about 5,000 interactions and 5,000 potential vulnerabilities resulting from those interactions. If 300 systems are all interacting with each other, that’s 45,000 interactions. 1,000 systems: 12.5 million interactions. Most of them will be benign or uninteresting, but some of them will be very damaging.

Autonomy. Increasingly, our computer systems are autonomous. They buy and sell stocks, turn the furnace on and off, regulate electricity flow through the grid, and — in the case of driverless cars — automatically pilot multi-ton vehicles to their destinations. Autonomy is great for all sorts of reasons, but from a security perspective it means that the effects of attacks can take effect immediately, automatically, and ubiquitously. The more we remove humans from the loop, the faster attacks can do their damage and the more we lose our ability to rely on actual smarts to notice something is wrong before it’s too late.

We’re building systems that are increasingly powerful, and increasingly useful. The necessary side effect is that they are increasingly dangerous. A single vulnerability forced Chrysler to recall 1.4 million vehicles in 2015. We’re used to computers being attacked at scale — think of the large-scale virus infections from the last decade — but we’re not prepared for this happening to everything else in our world.

Governments are taking notice. Last year, both Director of National Intelligence James Clapper and NSA Director Mike Rogers testified before Congress, warning of these threats. They both believe we’re vulnerable.

This is how it was phrased in the DNI’s 2015 Worldwide Threat Assessment: “Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e. accuracy and reliability) instead of deleting it or disrupting access to it. Decision-making by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.”

The DNI 2016 threat assessment included something similar: “Future cyber operations will almost certainly include an increased emphasis on changing or manipulating data to compromise its integrity (i.e., accuracy and reliability) to affect decision making, reduce trust in systems, or cause adverse physical effects. Broader adoption of IoT devices and AI — in settings such as public utilities and healthcare — will only exacerbate these potential effects.”

Security engineers are working on technologies that can mitigate much of this risk, but many solutions won’t be deployed without government involvement. This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public; the interconnections can make it impossible to connect data breaches with resultant harms; and the interests of the companies often don’t match the interests of the people.

Governments need to play a larger role: setting standards, policing compliance, and implementing solutions across companies and networks. And while the White House Cybersecurity National Action Plan says some of the right things, it doesn’t nearly go far enough, because so many of us are phobic of any government-led solution to anything.

The next president will probably be forced to deal with a large-scale Internet disaster that kills multiple people. I hope he or she responds with both the recognition of what government can do that industry can’t, and the political will to make it happen.

This essay previously appeared on Vice Motherboard.

BoingBoing post.