Tag Archives: trojan

ShadowBrokers Releases NSA UNITEDRAKE Manual

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/09/shadowbrokers_r.html

The ShadowBrokers released the manual for UNITEDRAKE, a sophisticated NSA Trojan that targets Windows machines:

Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information.

UNITEDRAKE, described as a “fully extensible remote collection system designed for Windows targets,” also gives operators the opportunity to take complete control of a device.

The malware’s modules — including FOGGYBOTTOM and GROK — can perform tasks including listening in and monitoring communication, capturing keystrokes and both webcam and microphone usage, the impersonation of users, stealing diagnostics information and self-destructing once tasks are completed.

More news.

UNITEDRAKE was mentioned in several Snowden documents and also in the TAO catalog of implants.

And Kaspersky Labs has found evidence of these tools in the wild, associated with the Equation Group — generally assumed to be the NSA:

The capabilities of several tools in the catalog identified by the codenames UNITEDRAKE, STRAITBAZZARE, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE (United Rake). Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventions; they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.

ShadowBrokers has only released the UNITEDRAKE manual, not the tool itself. Presumably they’re trying to sell that.

Court Orders Aussie ISPs to Block Dozens of Pirate Sites

Post Syndicated from Ernesto original https://torrentfreak.com/court-orders-aussie-isps-to-block-dozens-of-pirate-sites-170818/

Rather than taking site operators to court, copyright holders increasingly demand that Internet providers should block access to ‘pirate’ domains.

As a result, courts all around the world have ordered ISPs to block subscriber access to various pirate sites.

This is also happening in Australia where the first blockades were issued late last year. In December, the Federal Court ordered ISPs to block The Pirate Bay and several other sites, which happened soon after.

However, as is often the case with website blocking, one order is not enough as there are still plenty of pirate sites and proxies readily available. So, several rightsholders including movie studio Village Roadshow and local broadcaster Foxtel went back to court.

Today the Federal Court ruled on two applications that cover 59 pirate sites in total, including many popular torrent and streaming portals.

The first order was issued by Justice John Nicholas, who directed several Internet providers including IINet, Telstra, and TPG to block access to several pirate sites. The request came from Village Roadshow, which was backed by several major Hollywood studios.

The order directs the ISPs to stop passing on traffic to 41 torrent and streaming platforms including Demonoid, RARBG, EZTV, YTS, Gomovies, and Fmovies. The full list of blocked domains is even longer, as it also covers several proxies.

“The infringement or facilitation of infringement by the Online Locations is flagrant and reflect a blatant disregard for the rights of copyright owners,” the order reads.

“By way of illustration, one of the Online Locations is accessible via the domain name ‘istole.it’ and it and many others include notices encouraging users to implement technology to frustrate any legal action that might be taken by copyright owners.”

In a separate order handed down by Federal Court Judge Stephen Burley, another 17 sites are ordered blocked following a request from Foxtel. This includes popular pirate sites such as 1337x, Torlock, Putlocker, YesMovies, Vumoo, and LosMovies.

The second order also includes a wide variety of alternative locations, including proxies, which brings the total number of targeted domain names to more than 160.

As highlighted by SMH, the orders coincide with the launch of a new anti-piracy campaign dubbed “The Price of Piracy,” which is organized by Creative Content Australia. Lori Flekser, Executive Director of the non-profit organization, believes that the blockades will help to significantly deter piracy.

“Not only is there decreasing traffic to pirate sites but there is a subsequent increase in traffic to legal sites,” she said.

At the same time, she warns people not to visit proxy and mirror sites, as these could be dangerous. This message is also repeated by her organization’s campaign, which warns that pirate sites can be filled with ransomware, spyware, trojans, viruses, bots, rootkits and worms.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

Piracy Narrative Isn’t About Ethics Anymore, It’s About “Danger”

Post Syndicated from Andy original https://torrentfreak.com/piracy-narrative-isnt-about-ethics-anymore-its-about-danger-170812/

Over the years there have been almost endless attempts to stop people from accessing copyright-infringing content online. Campaigns have come and gone and almost two decades later the battle is still ongoing.

Early on, when panic enveloped the music industry, the campaigns centered around people getting sued. Grabbing music online for free could be costly, the industry warned, while parading the heads of a few victims on pikes for the world to see.

Periodically, however, the aim has been to appeal to the public’s better nature. The idea is that people essentially want to do the ‘right thing’, so once they understand that largely hard-working Americans are losing their livelihoods, people will stop downloading from The Pirate Bay. For some, this probably had the desired effect but millions of people are still getting their fixes for free, so the job isn’t finished yet.

In more recent years, notably since the MPAA and RIAA had their eyes blacked in the wake of SOPA, the tone has shifted. In addition to educating the public, torrent and streaming sites are increasingly being painted as enemies of the public they claim to serve.

Several studies, largely carried out on behalf of the Digital Citizens Alliance (DCA), have claimed that pirate sites are hotbeds of malware, baiting consumers in with tasty pirate booty only to offload trojans, viruses, and God-knows-what. These reports have been ostensibly published as independent public interest documents but this week an advisor to the DCA suggested a deeper interest for the industry.

Hemanshu Nigam is a former federal prosecutor, ex-Chief Security Officer for News Corp and Fox Interactive Media, and former VP Worldwide Internet Enforcement at the MPAA. In an interview with Deadline this week, he spoke about alleged links between pirate sites and malware distributors. He also indicated that warning people about the dangers of pirate sites has become Hollywood’s latest anti-piracy strategy.

“The industry narrative has changed. When I was at the MPAA, we would tell people that stealing content is wrong and young people would say, yeah, whatever, you guys make a lot of money, too bad,” he told the publication.

“It has gone from an ethical discussion to a dangerous one. Now, your parents’ bank account can be raided, your teenage daughter can be spied on in her bedroom and extorted with the footage, or your computer can be locked up along with everything in it and held for ransom.”

Nigam’s stance isn’t really a surprise since he’s currently working for the Digital Citizens Alliance as an advisor. In turn, the Alliance is at least partly financed by the MPAA. There’s no suggestion whatsoever that Nigam is involved in any propaganda effort, but recent signs suggest that the DCA’s work in malware awareness is more about directing people away from pirate sites than protecting them from the alleged dangers within.

That being said and despite the bias, it’s still worth giving experts like Nigam an opportunity to speak. Largely thanks to industry efforts with brands, pirate sites are increasingly being forced to display lower-tier ads, which can be problematic. On top, some sites’ policies mean they don’t deserve any visitors at all.

In the Deadline piece, however, Nigam alleges that hackers have previously reached out to pirate websites offering $200 to $5000 per day “depending on the size of the pirate website” to have the site infect users with malware. If true, that’s a serious situation and people who would ordinarily use ‘pirate’ sites would definitely appreciate the details.

For example, to which sites did hackers make this offer and, crucially, which sites turned down the offer and which ones accepted?

It’s important to remember that pirates are just another type of consumer and they would boycott sites in a heartbeat if they discovered they’d been paid to infect them with malware. But, as usual, the claims are extremely light in detail. Instead, there’s simply a blanket warning to stay away from all unauthorized sites, which isn’t particularly helpful.

In some cases, of course, operational security will prevent some details coming to light but without these, people who don’t get infected on a ‘pirate’ site (the vast majority) simply won’t believe the allegations. As the author of the Deadline piece pointed out, it’s a bit like Reefer Madness all over again.

The point here is that without hard independent evidence to back up these claims, with reports listing sites alongside the malware they’re supposed to have spread and when, few people will respond to perceived scaremongering. Free content trumps a few distant worries almost every time, whether that involves malware or the threat of a lawsuit.

It’ll be up to the DCA and their MPAA paymasters to consider whether the approach is working but thus far, not even having government heavyweights on board has helped.

Earlier this year the DCA launched a video campaign, enrolling 15 attorneys general to publish their own anti-piracy PSAs on YouTube. Thus far, interest has been minimal, to say the least.

At the time of writing the 15 PSAs have 3,986 views in total, with 2,441 of those coming from a single video by Wisconsin Attorney General Brad Schimel. Despite the relative success, even that got slammed with 2 upvotes and 127 downvotes.

A few of the other videos have a couple of hundred views each but more than half have less than 70. Perhaps most worryingly for the DCA, apart from the Schimel PSA, none have any upvotes at all, only down. It’s unclear who the viewers were but it seems reasonable to conclude they weren’t entertained.

The bottom line is nobody likes malware or having their banking details stolen but yet again, people who claim to have the public interest at heart aren’t actually making a difference on the ground. It could be argued that groups advocating online safety should be publishing guides on how to stay protected on the Internet period, not merely advising people to stay away from certain sites.

But of course, that wouldn’t achieve the goals of the MPAA Digital Citizens Alliance.


Commentary on US Election Security

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/07/commentary_on_u.html

Good commentaries from Ed Felten and Matt Blaze.

Both make a point that I have also been saying: hacks can undermine the legitimacy of an election, even if there is no actual voter or vote manipulation.

Felten:

The second lesson is that we should be paying more attention to attacks that aim to undermine the legitimacy of an election rather than changing the election’s result. Election-stealing attacks have gotten most of the attention up to now — and we are still vulnerable to them in some places — but it appears that external threat actors may be more interested in attacking legitimacy.

Attacks on legitimacy could take several forms. An attacker could disrupt the operation of the election, for example, by corrupting voter registration databases so there is uncertainty about whether the correct people were allowed to vote. They could interfere with post-election tallying processes, so that incorrect results were reported, an attack that might have the intended effect even if the results were eventually corrected. Or the attacker might fabricate evidence of an attack, and release the false evidence after the election.

Legitimacy attacks could be easier to carry out than election-stealing attacks, as well. For one thing, a legitimacy attacker will typically want the attack to be discovered, although they might want to avoid having the culprit identified. By contrast, an election-stealing attack must avoid detection in order to succeed. (If detected, it might function as a legitimacy attack.)

Blaze:

A hostile state actor who can compromise a handful of county networks might not even need to alter any actual votes to create considerable uncertainty about an election’s legitimacy. It may be sufficient to simply plant some suspicious software on back end networks, create some suspicious audit files, or add some obviously bogus names to the voter rolls. If the preferred candidate wins, they can quietly do nothing (or, ideally, restore the compromised networks to their original states). If the “wrong” candidate wins, however, they could covertly reveal evidence that county election systems had been compromised, creating public doubt about whether the election had been “rigged”. This could easily impair the ability of the true winner to effectively govern, at least for a while.

In other words, a hostile state actor interested in disruption may actually have an easier task than someone who wants to undetectably steal even a small local office. And a simple phishing and trojan horse email campaign like the one in the NSA report is potentially all that would be needed to carry this out.

Me:

Democratic elections serve two purposes. The first is to elect the winner. But the second is to convince the loser. After the votes are all counted, everyone needs to trust that the election was fair and the results accurate. Attacks against our election system, even if they are ultimately ineffective, undermine that trust and, by extension, our democracy.

And, finally, a report from the Brennan Center for Justice on how to secure elections.

The Terrible Horrors of ‘Kodi Boxes’ Shock The UK

Post Syndicated from Andy original https://torrentfreak.com/the-terrible-horrors-of-kodi-boxes-shock-the-uk-170702/

In the beginning, we were told that Kodi Boxes are probably going to destroy Hollywood, not to mention companies like Sky and The Premier League. But who cares about the big people in suits drinking champagne from gold swimming pools?

No, what the unwashed masses need to hear are stories that make us realize that these little plastic wonder boxes are going to ruin our miserable lives. Luckily, they’ve been appearing thick and fast this past couple of weeks.

It turns out that Kodi Boxes are not only likely to burn your house down, but they’re also part of a master plan to pick away at the delicate threads holding family life together.

Forget about the piracy, that doesn’t matter. The powers that be need you to understand that Kodi Boxes are Trojan horses of misery that people are willingly bringing in to their own homes. Can you believe people are being so stupid?

According to an article in this week’s The Mirror, for example, kids’ movies spewed out by these evil devices are now being interrupted by adverts for alcohol. Well, it makes a change from seeing Phil Mitchell smashed out of his mind at 8pm on BBC1, doesn’t it?

At the same time, Kodi Boxes are straining relationships between father and son, not to mention subjecting unsuspecting parents to malware threats. They include scams purporting to be from the ‘FBI’ which demand money for using Popcorn Time inside Kodi. The world truly has gone mad.

Of course, if only one person sees this nonsense it’s too much, and The Mirror piece is quite rightly filled with quotes from real people who gave up piracy as a result of their bad experiences. It also has plenty of useful advice from the UK’s leading anti-piracy outfit, as you’d expect.

Intrigued, we decided to carry out our own research among a handful of the millions of maniacs who are still prepared to plug one of these death devices into their UK mains supply. And we were shocked – not by a dodgy power adaptor from China – but by the huge numbers of other problems these Kodi Boxes can foist upon the honest working man.

A user called Neil told us that he’d bought a Kodi Box off eBay after hearing all the hype in the media. His plan was to watch Premier League football without paying a penny. However, instead of scooping up that forbidden 3pm kick-off excitement, all it did was ruin his enjoyment of the beautiful game.

“I’d been out drinking all day with the lads. I was proper, proper smashed. I got home and shoved the thing into the nearest telly to watch Liverpool versus Manchester United and although I felt really sick, couldn’t focus on the screen, and soon fell unconscious, I think the picture wasn’t too bad,” he said.

“I don’t think I saw that wheel thing spinning in the middle of the screen and everything stopping either, which is a big plus for me on a free box. And to top it all, Liverpool beat United 2:1, which was a real bonus.

“However, when discussing the game the next day with my dad who watched the game on Sky with a proper subscription, I was horrified to learn that Manchester United actually won the game 3:0 – against Arsenal! It just goes to show, you get what you pay for. My box is now where it should have been all along – in the bin.”

A man called Rich told us that he’d also heard good things about Kodi Boxes but was really upset after being completely misled by the person who sold him one.

“I used to be a subscriber to Sky’s top package, including those fifty channels nobody watches but they force you to have. I also forked out for all their boxing PPVs that come on at stupid o’clock in the morning, and bought several blu-ray discs each time I got paid. All in all I must’ve spent £140 a month.

“So, when a bloke down the pub who I’ve never met before told me that I could legally get the same stuff for free using a Kodi Box, I immediately believed him. I mean, what reasonable bloke wouldn’t? He had just one left as well, how lucky was that?”

But it didn’t take long for Rich’s enthusiasm to wane. The thought of owning a potential incendiary device filled with content provided by a Russian crime syndicate and funded by Colombian drug barons was too much.

“I watched a couple of films on it without my house burning down, but then I started reading horror stories in the paper about these boxes shoving drinks adverts in our kids’ faces,” he told us.

“Enough was enough. After being lied to by the seller the thought of my kids demanding toys and beer for Christmas was just too much, it just wasn’t worth the risk. So I went straight back to giving Sky over a grand a year and life’s never been better.”

Kodi Box user Peter told us that he could really relate to warnings published in the papers this week that set-top box users had been hit with popups demanding their bank details.

“I was hoping to watch the big fight last weekend but it only came on for a few minutes and then suddenly went off,” he explained. “Then a notice appeared telling me to ring a number with my credit card details. Well, I’d heard about these ransomware attacks and I wasn’t going to fall for that old trick.

“However, imagine my surprise when I realized that I’d accidentally put on my official satellite box instead of Kodi, and the message was actually from my pay-per-view provider. Just goes to show, everybody wants your money these days, and these crooks can rope you in for years, and make it really hard to cancel.”

Another chap called James told us that he never considered getting a Kodi Box until he saw an article in a UK tabloid explaining how Kodi Boxes pose a risk for families with children.

“The article quoted some anti-piracy company. They said that parents don’t realize that Kodi Boxes allow easy access to hardcore pornography. And it’s true, I had no idea,” James said.

“But I live alone, so I wasted no time buying one off eBay. I’m watching it in the shed with a fire extinguisher in the other hand, just to be safe.”

But while James clearly has his hands full, our last user is much less satisfied.

Sue told us that she was assured her Kodi box was a miracle device with endless uses. However, after its addons recently stopped working she decided to test the claim by sliding the failing unit under the leg of a wobbly table. It soon became clear the hardware had been massively oversold.

“They say these boxes can do anything but mine clearly wasn’t fit for purpose. It was way too thick so when I put it under the leg, the table sat at a really steep angle. If anything, it was more unstable than it was before.

“I dread to think what could’ve happened if I’d put a pot of boiling oil on it next to the baby. No wonder health and safety are up in arms.”

Tune in next week when we reveal how Kodi Boxes can cause unsightly hair growth and unwanted pregnancies.


Yet more reasons to disagree with experts on nPetya

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/07/yet-more-reasons-to-disagree-with.html

In WW II, they looked at planes returning from bombing missions that were shot full of holes. Their natural conclusion was to add more armor to the sections that were damaged, to protect them in the future. But wait, said the statisticians. The original damage is likely spread evenly across the plane. Damage on returning planes indicates where they could take damage and still return. The undamaged areas are where they were hit and couldn’t return. Thus, it’s the undamaged areas you need to protect.

This is called survivorship bias.

Many experts are making the same mistake with regards to the nPetya ransomware.

I hate to point this out, because they are all experts I admire and respect, especially @MalwareJake, but it’s still an error. An example is this tweet:

The context of this tweet is the discussion of why nPetya was well written with regards to spreading, but full of bugs with regards to collecting on the ransom. The conclusion, therefore, is that it wasn’t intended to be ransomware, but was intended simply to be a “wiper”, to cause destruction.

But this is just survivorship bias. If nPetya had been written the other way, with excellent ransomware features and poor spreading, we would not now be talking about it. Even that initial seeding with the trojaned MeDoc update wouldn’t have spread it far enough.

In other words, all malware samples we get are good at spreading, either on their own, or because the creator did a good job seeding them. It’s because we never see the ones that didn’t spread.

With regards to nPetya, a lot of experts are making this claim. Since it spread so well, but had hopelessly crippled ransomware features, that must have been the intent all along. Yet, as we see from survivorship bias, none of us would’ve seen nPetya had it not been for the spreading feature.

Online Platforms Should Collaborate to Ban Piracy and Terrorism, Report Suggests

Post Syndicated from Andy original https://torrentfreak.com/online-platforms-collaborate-ban-piracy-terrorism-report-suggests-170608/

With deep ties to the content industries, the Digital Citizens Alliance periodically produces reports on Internet piracy. It has published reports on cyberlockers and tried to blame Cloudflare for the spread of malware, for example.

One of the key themes pursued by DCA is that Internet piracy is inextricably linked to a whole bunch of other online evils and that tackling the former could deliver a much-needed body blow to the latter.

Its new report, titled ‘Trouble in Our Digital Midst’, takes this notion and runs with it, bundling piracy with everything from fake news to hacking, to malware and brand protection, to the sextortion of “young girls and boys” via their computer cameras.

The premise of the report is that cybercrime as a whole is undermining America’s trust in the Internet, noting that 64% of US citizens say that their trust in digital platforms has dropped in the last year. Given the topics under the spotlight, it doesn’t take long to see where this is going – Internet platforms like Google, Facebook and YouTube must tackle the problem.

“When asked, ‘In your opinion, are digital platforms doing enough to keep the Internet safe and trustworthy, or do they need to do more?’ a staggering 75 percent responded that they need to do more to keep the Internet safe,” the report notes.

It’s abundantly clear that the report is mostly about piracy but a lot of effort has been expended to ensure that people support its general call for the Internet to be cleaned up. By drawing attention to things that even most pirates might find offensive, it’s easy to find more people in agreement.

“Nearly three-quarters of respondents see the pairing of brand name advertising with offensive online content – like ISIS/terrorism recruiting videos – as a threat to the continued trust and integrity of the Internet,” the report notes.

Of course, this is an incredibly sensitive topic. When big brand ads turned up next to terrorist recruiting videos on YouTube, there was an almighty stink, and rightly so. However, at every turn, the DCA report manages to weave the issue of piracy into the equation, noting that the problem includes the “$200 million in advertising that shows up on illegal content theft websites often unbeknownst to the brands.”

The overriding theme is that platforms like Google, Facebook, and YouTube should be able to tackle all of these problems in the same way. Filtering out a terrorist video is the same as removing a pirate movie. And making sure that ads for big brands don’t appear alongside terrorist videos will be just as easy as starving pirates of revenue, the suggestion goes.

But if terrorism doesn’t grind your gears, what about fake news?

“64 percent of Americans say that the Fake News issue has made them less likely to trust the Internet as a source of information,” the report notes.

At this juncture, Facebook gets a gentle pat on the back for dealing with fake news and employing 3,000 people to monitor for violent videos being posted to the network. This shows that the company “takes seriously” the potential harm bad actors pose to Internet safety. But in keeping with the theme running throughout the report, it’s clear DCA are carefully easing in the thin end of the wedge.

“We are at only the beginning of thinking through other kinds of illicit and illegal activity happening on digital platforms right now that we must gain or re-gain control over,” DCA writes.

Quite. In the very next sentence, the group goes on to warn about the sale of drugs and stolen credit cards, adding that the sale of illicit streaming devices (modified Kodi boxes etc) is actually an “insidious yet effective delivery mechanism to infect computers with malware such as Remote Access Trojans.”

Both Amazon and Facebook receive praise in the report for their recent banning (1,2) of augmented Kodi devices but their actions are actually framed as the companies protecting their own reputations, rather than the interests of the media groups that have been putting them under pressure.

“And though this issue underscores the challenges faced by digital platforms – not all of which act with the same level of responsibility – it also highlights the fact digital platforms can and will step up when their own brands are at stake,” the report reads.

But pirate content and Remote Access Trojans through Kodi boxes are only the beginning. Pirate sites are playing a huge part as well, DCA claims, with one in three “content theft websites” exposing people to identity theft, ransomware, and sextortion via “the computer cameras of young girls and boys.”

Worse still, if that was possible, the lack of policing by online platforms means that people are able to “showcase live sexual assaults, murders, and other illegal conduct.”

DCA says that with all this in mind, Americans are looking for online digital platforms to help them. The group claims that citizens need proactive protection from these ills and want companies like Facebook to take similar steps to those taken when warning consumers about fake news and violent content.

So what can be done to stop this tsunami of illegality? According to DCA, platforms like Google, Facebook, YouTube, and Twitter need to up their game and tackle the problem together.

“While digital platforms collaborate on policy and technical issues, there is no evidence that they are sharing information about the bad actors themselves. That enables criminals and bad actors to move seamlessly from platform to platform,” DCA writes.

“There are numerous examples of industry working together to identify and share information about exploitive behavior. For example, casinos share information about card sharks and cheats, and for decades the retail industry has shared information about fraudulent credit cards. A similar model would enable digital platforms and law enforcement to more quickly identify and combat those seeking to leverage the platforms to harm consumers.”

How this kind of collaboration could take place in the real world is open to interpretation but the DCA has a few suggestions of its own. Again, it doesn’t shy away from pulling people on side with something extremely offensive (in this case child pornography) in order to push what is clearly an underlying anti-piracy agenda.

“With a little help from engineers, digital platforms could create fingerprints of unlawful conduct that is shared across platforms to proactively block such conduct, as is done in a limited capacity with child pornography,” DCA explains.

“If these and other newly developed measures were adopted, digital platforms would have the information to enable them to make decisions whether to de-list or demote websites offering illicit goods and services, and the ability to stop the spread of illegal behavior that victimizes its users.”

The careful framing of the DCA report means that there’s something for everyone. If you don’t agree with them on tackling piracy, then their malware, fake news, or child exploitation angles might do the trick. It’s quite a clever strategy but one that the likes of Google, Facebook, and YouTube will recognize immediately.

And they need to – because apparently, it’s their job to sort all of this out. Good luck with that.

The full report can be found here (pdf).


CIA’s Pandemic Toolkit

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/06/cias_pandemic_t.html

WikiLeaks is still dumping CIA cyberweapons on the Internet. Its latest dump is something called “Pandemic”:

The Pandemic leak does not explain what the CIA’s initial infection vector is, but does describe it as a persistent implant.

“As the name suggests, a single computer on a local network with shared drives that is infected with the ‘Pandemic’ implant will act like a ‘Patient Zero’ in the spread of a disease,” WikiLeaks said in its summary description. “‘Pandemic’ targets remote users by replacing application code on-the-fly with a Trojaned version if the program is retrieved from the infected machine.”

The key to evading detection is its ability to modify or replace requested files in transit, hiding its activity by never touching the original file. The new attack then executes only on the machine requesting the file.

Version 1.1 of Pandemic, according to the CIA’s documentation, can target and replace up to 20 different files with a maximum size of 800MB for a single replacement file.

“It will infect remote computers if the user executes programs stored on the pandemic file server,” WikiLeaks said. “Although not explicitly stated in the documents, it seems technically feasible that remote computers that provide file shares themselves become new pandemic file servers on the local network to reach new targets.”

The CIA describes Pandemic as a tool that runs as kernel shellcode that installs a file system filter driver. The driver is used to replace a file with a payload when a user on the local network accesses the file over SMB.
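The detection consequence of that design, as an added illustration (not code from the leak, the article or any real implant): a hash audit run on the file server finds nothing, because the on-disk file is never modified, so the host that pulled the file must hash the bytes it actually received against digests obtained out of band. The share, the substitution step and the manifest below are all constructed stand-ins.

```python
"""Added example: why server-side integrity checks miss an in-transit
substitution, and why the receiving host must verify what it actually got.

Everything here is constructed: a dict standing in for a file share, a
function that simulates a filter swapping bytes as they are served, and a
manifest of known-good SHA-256 digests distributed separately.
"""
import hashlib

# Constructed "share": path -> bytes on disk. These are not real binaries.
SHARE_ON_DISK = {
    "tools/updater.exe": b"MZ\x90\x00 legit-updater-build-7",
    "tools/readme.txt": b"Install notes for the updater.",
}

# Constructed substitute returned only to remote readers; the on-disk file
# above is never touched, which is the property the article highlights.
SUBSTITUTES = {
    "tools/updater.exe": b"MZ\x90\x00 replaced-on-the-fly",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Known-good digests, computed where the files were built and handed
    to clients over a different channel than the share itself."""
    return {path: sha256_hex(content) for path, content in files.items()}


def serve_over_share(path: str, remote: bool) -> bytes:
    """Simulates a read over the share. A local read returns the on-disk
    bytes; a remote read passes through a substitution step that swaps
    listed files. This models the behaviour the write-up describes and is
    not an implementation of any real tool."""
    data = SHARE_ON_DISK[path]
    if remote and path in SUBSTITUTES:
        return SUBSTITUTES[path]
    return data


def server_side_audit(manifest: dict) -> dict:
    """What a scan run on the file server itself sees: every file matches."""
    return {p: sha256_hex(SHARE_ON_DISK[p]) == manifest[p] for p in manifest}


def client_side_verify(manifest: dict, remote: bool = True) -> dict:
    """What the receiving host should do before executing anything pulled
    from a share: hash the bytes it actually received and compare them
    against the out-of-band manifest."""
    result = {}
    for path, expected in manifest.items():
        received = serve_over_share(path, remote=remote)
        result[path] = sha256_hex(received) == expected
    return result


def tampered_paths(manifest: dict) -> list:
    """Paths whose received bytes do not match the manifest."""
    return sorted(p for p, ok in client_side_verify(manifest).items() if not ok)


if __name__ == "__main__":
    manifest = build_manifest(SHARE_ON_DISK)
    print("server-side audit:", server_side_audit(manifest))   # all True
    print("client-side check:", client_side_verify(manifest))  # updater.exe False
    print("tampered:", tampered_paths(manifest))               # ['tools/updater.exe']
```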

WikiLeaks page. News article.

Some comments on the Wikileaks CIA/#vault7 leak

Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/03/some-comments-on-wikileaks-ciavault7.html

I thought I’d write up some notes about the Wikileaks CIA “#vault7” leak. This post will be updated frequently over the next 24 hours.

The CIA didn’t remotely hack a TV. The docs are clear that they can update the software running on the TV using a USB drive. There’s no evidence of them doing so remotely over the Internet. If you aren’t afraid of the CIA breaking in and installing a listening device, then you shouldn’t be afraid of the CIA installing listening software.

The CIA didn’t defeat Signal/WhatsApp encryption. The CIA has some exploits for Android/iPhone. If they can get on your phone, then of course they can record audio and screenshots. Technically, this bypasses/defeats encryption — but such phrases used by Wikileaks are highly misleading, since nothing related to Signal/WhatsApp is happening. What’s happening is the CIA is bypassing/defeating the phone. Sometimes. If they’ve got an exploit for it, or can trick you into installing their software.

There’s no overlap or turf war with the NSA. The NSA does “signals intelligence”, so they hack radios and remotely across the Internet. The CIA does “human intelligence”, so they hack locally, with a human. The sort of thing they do is bribe, blackmail, or bedazzle some human “asset” (like a technician in a nuclear plant) to stick a USB drive into a slot. All the various military, law enforcement, and intelligence agencies have hacking groups to help them do their own missions.

The CIA isn’t more advanced than the NSA. Most of this dump is child’s play, simply malware/trojans cobbled together from bits found on the Internet. Sometimes they buy more advanced stuff from contractors, or get stuff shared from the NSA. Technologically, they are far behind the NSA in sophistication and technical expertise.

The CIA isn’t hoarding 0days. For one thing, few 0days were mentioned at all. The CIA’s techniques rely upon straightforward hacking, not super secret 0day hacking. Second of all, they aren’t keeping 0days back in a vault somewhere — if they have 0days, they are using them.

The VEP process is nonsense. Activists keep mentioning the “vulnerability equities process”, in which all those interested in 0days within the government have a say in what happens to them, with the eventual goal that they be disclosed to vendors. The VEP is nonsense. The activist argument is nonsense. As far as I can tell, the VEP is designed as busy work to keep people away from those who really use 0days, such as the NSA and the CIA. If they spend millions of dollars buying 0days because it has that value in intelligence operations, they aren’t going to destroy that value by disclosing to a vendor. If VEP forces disclosure, disclosure still won’t happen, the NSA will simply stop buying vulns.

But they’ll have to disclose the 0days. Any 0days that were leaked to Wikileaks are, of course, no longer secret. Thus, while this leak isn’t an argument for unilateral disarmament in cyberspace, the CIA will have to disclose to vendors the vulns that are now in Russian hands, so that they can be fixed.

There are no false flags. In several places, the CIA talks about making sure that what they do isn’t so unique, so it can’t be attributed to them. However, Wikileaks’s press release hints that the “UMBRAGE” program is deliberately stealing techniques from Russia to use as a false-flag operation. This is nonsense. For example, the DNC hack attribution was live command-and-control servers simultaneously used against different Russian targets — not a few snippets of code. [More here]

This hurts the CIA a lot. Already, one AV researcher has told me that a virus they once suspected came from the Russians or Chinese can now be attributed to the CIA, as it matches the description perfectly to something in the leak. We can develop anti-virus and intrusion-detection signatures based on this information that will defeat much of what we read in these documents. This would put a multi-year delay in the CIA’s development efforts. Plus, it’ll now go on a witch-hunt looking for the leaker, which will erode morale. Update: Three extremely smart and knowledgeable people who I respect disagree, claiming it won’t hurt the CIA a lot. I suppose I’m focusing on “hurting the cyber abilities” of the CIA, not the CIA as a whole, which mostly is non-cyber in function.

The CIA is not cutting edge. A few days ago, Hak5 started selling “BashBunny”, a USB hacking tool more advanced than the USB tools in the leak. The CIA seems to get most of their USB techniques from open-source projects, such as Travis Goodspeed’s “GoodFET” project.

The CIA isn’t spying on us. Snowden revealed how the NSA was surveilling all Americans. Nothing like that appears in the CIA dump. It’s all legitimate spy stuff (assuming you think spying on foreign adversaries is legitimate).

Update #2: How is hacking cars and phones not SIGINT (which is the NSA’s turf)? The answer is via physical access. For example, they might have a device that plugs into the OBD-II port on the car that quickly updates the firmware of the brakes. Think of it as normal spy activity (e.g. cutting a victim’s brakes), but now with cyber.

Update #3: Apple iPhone. My vague sense is that CIA is more concerned about decrypting iPhones they get physical access to, rather than remotely hacking them and installing malware. CIA is HUMINT and covert ops, meaning they’ll punch somebody in the face, grab their iPhone, and run, then take it back to their lab and decrypt it.


WikiLeaks Releases CIA Hacking Tools

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/03/wikileaks_relea.html

WikiLeaks just released a cache of 8,761 classified CIA documents from 2012 to 2016, including details of its offensive Internet operations.

I have not read through any of them yet. If you see something interesting, tell us in the comments.

EDITED TO ADD: There’s a lot in here. Many of the hacking tools are redacted, with the tar files and zip archives replaced with messages like:

::: THIS ARCHIVE FILE IS STILL BEING EXAMINED BY WIKILEAKS. :::
::: IT MAY BE RELEASED IN THE NEAR FUTURE. WHAT FOLLOWS IS :::
::: AN AUTOMATICALLY GENERATED LIST OF ITS CONTENTS: :::

Hopefully we’ll get them eventually. The documents say that the CIA — and other intelligence services — can bypass Signal, WhatsApp and Telegram. It seems to be by hacking the end-user devices and grabbing the traffic before and after encryption, not by breaking the encryption.

New York Times article.

EDITED TO ADD: Some details from The Guardian:

According to the documents:

  • CIA hackers targeted smartphones and computers.
  • The Center for Cyber Intelligence is based at the CIA headquarters in Virginia but it has a second covert base in the US consulate in Frankfurt which covers Europe, the Middle East and Africa.
  • A programme called Weeping Angel describes how to attack a Samsung F8000 TV set so that it appears to be off but can still be used for monitoring.

I just noticed this from the WikiLeaks page:

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

So it sounds like this cache of documents wasn’t taken from the CIA and given to WikiLeaks for publication, but has been passed around the community for a while — and incidentally some part of the cache was passed to WikiLeaks. So there are more documents out there, and others may release them in unredacted form.

Wired article. Slashdot thread. Two articles from the Washington Post.

EDITED TO ADD: This document talks about Comodo version 5.X and version 6.X. Version 6 was released in Feb 2013. Version 7 was released in Apr 2014. This gives us a time window of that page, and the cache in general. (WikiLeaks says that the documents cover 2013 to 2016.)

If these tools are a few years out of date, it’s similar to the NSA tools released by the “Shadow Brokers.” Most of us thought the Shadow Brokers were the Russians, specifically releasing older NSA tools that had diminished value as secrets. Could this be the Russians as well?

EDITED TO ADD: Nicholas Weaver comments.

EDITED TO ADD (3/8): These documents are interesting:

The CIA’s hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a “fingerprint” that can be used by forensic investigators to attribute multiple different attacks to the same entity.

This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon one murder in the set is solved then the other murders also find likely attribution.

The CIA’s Remote Devices Branch’s UMBRAGE group collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states including the Russian Federation.

With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the “fingerprints” of the groups that the attack techniques were stolen from.

UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.

This is being spun in the press as the CIA is pretending to be Russia. I’m not convinced that the documents support these allegations. Can someone else look at the documents? I don’t like my conclusion that WikiLeaks is using this document dump as a way to push their own bias.

AWS Quick Starts Update – Tableau, Splunk, Compliance, Alfresco, Symantec

Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/aws-quick-starts-update-tableau-splunk-compliance-alfresco-symantec/

AWS Quick Starts help you to deploy popular solutions on AWS. Each Quick Start is designed by AWS solutions architects or partners, and makes use of AWS best practices for security and high availability. You can use them to spin up test or production environments that you can use right away.

The Quick Starts include comprehensive deployment guides and AWS CloudFormation templates that you can launch with a single click. The collection of Quick Starts is broken down into seven categories, as follows:

  • DevOps
  • Databases & storage
  • Big Data & analytics
  • Security & compliance
  • Microsoft & SAP
  • Networking & access
  • Additional

Over the past two months we have added six new Quick Starts to our collection, bringing the total up to 42. Today I would like to give you an overview of the newest Quick Starts in each category.

Tableau Server (Big data & analytics)
The Tableau Server on AWS Quick Start helps you to deploy a fully functional Tableau Server on the AWS Cloud. You can launch a single node deployment in your default VPC, or a multi-node cluster deployment in a new or existing VPC. Here’s the cluster architecture:

The CloudFormation template will prompt you for (among other things) your Tableau Activation Key.

Splunk Enterprise (Big data & analytics)
The Splunk Enterprise on AWS Quick Start helps you to deploy a distributed Splunk Enterprise environment on the AWS Cloud. You can launch into an existing VPC with two or more Availability Zones or you can create a new VPC. Here’s the architecture:

The template will prompt you for the name of an S3 bucket and the path (within the bucket) to a Splunk license file.

UK OFFICIAL (Security & compliance)
The UK-OFFICIAL on AWS Quick Start sets up a standardized AWS Cloud environment that supports workloads that are classified as United Kingdom (UK) OFFICIAL. The environment aligns with the in-scope guidelines found in the NCSC Cloud Security Principles and the CIS Critical Security Controls (take a look at the security controls matrix to learn more). Here’s the architecture:

Alfresco One
The Alfresco One on AWS Quick Start helps you to deploy an Alfresco One Enterprise Content Management server cluster in the AWS Cloud. It can be deployed into an existing VPC, or it can set up a new one with public and private subnets. Here’s the architecture:

You will need to have an Alfresco trial license in order to launch the cluster.

Symantec Protection Engine (Security & compliance)
The Symantec Protection Engine on AWS Quick Start helps you to deploy Symantec Protection Engine (SPE) in less than an hour. Once deployed (into a new or existing VPC), you can use SPE’s APIs to incorporate malware and threat detection into your applications. You can also connect it to proxies and scan traffic for viruses, trojans, and other types of malware. Here’s the architecture:

You will need to purchase an SPE license or subscribe to the SPE AMI in order to use this Quick Start.

For More Info
To learn more about our Quick Starts, check out the Quick Starts FAQ. If you are interested in authoring a Quick Start of your own, read our Quick Starts Contributor’s Guide.

Jeff;


Researchers Issue Security Warning Over Android VPN Apps

Post Syndicated from Andy original https://torrentfreak.com/researchers-issue-security-warning-over-android-vpn-apps-170125/

There was a time when the Internet was a fairly straightforward place to navigate, with basic software, basic websites and few major security issues. Over the years, however, things have drastically changed.

Many people now spend their entire lives connected to the web in some way, particularly via mobile devices and apps such as Facebook and the countless thousands of others now freely available online.

For some users, the idea of encrypting their traffic has become attractive, from both a security and anti-censorship standpoint. On the one hand people like the idea of private communications and on the other, encryption can enable people to bypass website blocks, wherever they may occur and for whatever reason.

As a result, millions are now turning to premium VPN packages from reputable companies. Others, however, prefer to use the all-in-one options available on Google’s Play store, but according to a new study, that could be a risky strategy.

A study by researchers at CSIRO’s Data 61, University of New South Wales, and UC Berkeley, has found that hundreds of VPN apps available from Google Play presented significant security issues including malware, spyware, adware and data leaks.

Very often, users look at the number of downloads combined with the ‘star rating’ of apps to work out whether they’re getting a good product. However, the researchers found that among the 283 apps tested, even the highest ranked and most-downloaded apps can carry nasty surprises.

“While 37% of the analyzed VPN apps have more than 500K installs and 25% of them receive at least a 4-star rating, over 38% of them contain some malware presence according to VirusTotal,” the researchers write.

The five types of malware detected can be broken down as follows: Adware (43%), Trojan (29%), Malvertising (17%), Riskware (6%) and Spyware (5%). The researchers ordered the most problematic apps by VirusTotal AV-Rank, which represents the number of anti-virus tools that identified any malware activity.

The worst offenders, according to the report

The researchers found that only a marginal number of VPN users raised any security or privacy concerns in the review sections for each app, despite many of them having serious problems. The high number of downloads seems to suggest that users have confidence in them, despite their issues.

“According to the number of installs of these apps, millions of users appear to trust VPN apps despite their potential maliciousness. In fact, the high presence of malware activity in VPN apps that our analysis has revealed is worrisome given the ability that these apps already have to inspect and analyze all user’s traffic with the VPN permission,” the paper reads.

The growing awareness of VPNs and their association with privacy and security has been a hot topic in recent years, but the researchers found that many of the apps available on Google Play offer neither. Instead, they featured tracking of users by third parties while demanding access to sensitive Android permissions.

“Even though 67% of the identified VPN Android apps offer services to enhance online privacy and security, 75% of them use third-party tracking libraries and 82% request permissions to access sensitive resources including user accounts and text messages,” the researchers note.

Even from this low point, things manage to get worse. Many VPN users associate the product they’re using with encryption and the privacy it brings, but for almost one-fifth of apps tested by the researchers, the concept is alien.

“18% of the VPN apps implement tunneling protocols without encryption despite promising online anonymity and security to their users,” they write, adding that 16% of tested apps routed traffic through other users of the same app rather than utilizing dedicated online servers.

“This forwarding model raises a number of trust, security, and privacy concerns for participating users,” the researchers add, noting that only Hola admits to the practice on its website.

And when it comes to the handling of IPv6 traffic, the majority of the apps featured in the study fell short in a dramatic way. Around 84% of the VPN apps tested had IPv6 leaks while 66% had DNS leaks, something the researchers put down to misconfigurations or developer-induced errors.

“Both the lack of strong encryption and traffic leakages can ease online tracking activities performed by in-path middleboxes (e.g., commercial WiFi [Access Points] harvesting user’s data) and by surveillance agencies,” they warn.
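What an IPv6 or DNS leak looks like at the flow level, as an added example that is not from the study or the article: while the VPN is up, the only traffic that should leave the physical interface is the tunnel’s own transport to the VPN server; anything else on that interface bypasses the VPN, and the two leak types the researchers count are the IPv6 and port-53 cases of that. The interface names, the VPN endpoint (a documentation-range address) and the flow records are all constructed.

```python
"""Added example: a minimal classifier for the leak types the study counts,
run over constructed flow records from a device that has a VPN up.

Assumptions (all constructed): the tunnel interface is "tun0", the physical
interface is "wlan0", the VPN server endpoint is 203.0.113.10:1194, and each
record is an "iface proto src dst dport" line.
"""
import ipaddress
from collections import Counter

TUNNEL_IFACE = "tun0"
PHYSICAL_IFACE = "wlan0"
VPN_ENDPOINT = ("203.0.113.10", 1194)  # the one flow allowed outside the tunnel

# Constructed sample capture summary, one flow per line (documentation
# address ranges only).
SAMPLE_FLOWS = """\
wlan0 udp 192.168.1.23 203.0.113.10 1194
tun0 tcp 10.8.0.2 198.51.100.7 443
wlan0 udp 192.168.1.23 192.168.1.1 53
wlan0 tcp 2001:db8:a::23 2001:db8:b::7 443
tun0 udp 10.8.0.2 10.8.0.1 53
wlan0 udp 2001:db8:a::23 2001:db8:c::53 53
"""


def parse_flows(text):
    """Parse the constructed record format into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        iface, proto, src, dst, dport = line.split()
        flows.append({"iface": iface, "proto": proto, "src": src,
                      "dst": ipaddress.ip_address(dst), "dport": int(dport)})
    return flows


def classify_leak(flow):
    """Return a leak label for a flow, or None if it is fine.

    Traffic inside the tunnel is fine. On the physical interface only the
    tunnel transport to the VPN server is expected; everything else bypasses
    the VPN, and is tagged by why it matters."""
    if flow["iface"] == TUNNEL_IFACE:
        return None
    if (str(flow["dst"]), flow["dport"]) == VPN_ENDPOINT:
        return None
    labels = []
    if flow["dst"].version == 6:
        labels.append("ipv6-leak")   # v6 never routed into the tunnel
    if flow["dport"] == 53:
        labels.append("dns-leak")    # resolver reached outside the tunnel
    if not labels:
        labels.append("bypass")      # other traffic outside the tunnel
    return "+".join(labels)


def leak_report(text):
    """Count leak types across all flows; a flow can contribute to both."""
    counts = Counter()
    for flow in parse_flows(text):
        label = classify_leak(flow)
        if label:
            for part in label.split("+"):
                counts[part] += 1
    return dict(counts)


if __name__ == "__main__":
    for flow in parse_flows(SAMPLE_FLOWS):
        print(flow["iface"], flow["dst"], flow["dport"], classify_leak(flow))
    print(leak_report(SAMPLE_FLOWS))  # {'dns-leak': 2, 'ipv6-leak': 2}
```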

While the study (pdf) is detailed, it does not attempt to rank any of the applications tested, other than showing a table of some of the worst offenders. From the perspective of the consumer looking to install a good VPN app, that’s possibly not as helpful as they might like.

Instead, those looking for a VPN will have to carry out their own research online before taking the plunge. Sticking with well-known companies that are transparent about their practices is a great start. And, if an app requests access to sensitive data during the install process for no good reason, get rid of it. Finally, if it’s a free app with a free service included, it’s a fair assumption that strings may be attached.


Pirates: You Can Click But You Can’t Hide

Post Syndicated from Andy original https://torrentfreak.com/pirates-you-can-click-but-you-cant-can-hide-170101/

At the turn of the century and just before Napster began to burn, a whole generation was turned on to the possibilities of Internet file-sharing.

With the music industry bewildered by the sudden and unauthorized transition to digital media via platforms such as KaZaA, another beast appeared on the horizon. BitTorrent had arrived and quickly became a painful thorn in Hollywood’s side.

By 2004, with hundreds of thousands – perhaps millions – of users frequenting both public and private torrent sites, Hollywood ran out of patience. With plans already being formed to target some of the larger US-based sites, the MPAA decided it was time to educate the consumer.

The ‘Respect Copyrights’ campaign launched with the now-common multi-faceted approach, with the MPAA first explaining what copyright is all about in a tone which by today’s standards seems a little old-fashioned.

“When some people hear the word ‘copyright,’ they think of a complicated legal term that doesn’t apply to them. In fact, copyrights touch us all. Simply put, copyrights protect creativity,” the MPAA said.

Of course, today’s audience is a lot more aware of what copyright is all about, but when it comes to the scare tactics deployed now and then, not much has changed.

“If you use peer-to-peer file-sharing services, you are almost certainly exposing your computer to harmful viruses, worms, Trojan horses, and annoying popups, and you are inviting strangers to access your private information. That makes it pretty easy for law enforcement to track you as well,” the MPAA warned.

Respect Copyrights campaign, 2004

The idea that file-sharing in 2004 and 2005 wasn’t an anonymous activity was one that the MPAA was determined to drive home. As part of the larger campaign, Hollywood launched a sub-project which aimed to convince growing numbers of file-sharers that the Internet offered them no privacy.

The ‘You Can Click But You Can’t Hide’ campaign appeared to take its lead from comments made by boxer Joe Louis in 1946. When asked about upcoming opponent Billy Conn’s touted “hit and run” tactics, Louis said he might be able to run, but he wouldn’t be able to hide. The MPAA hoped the same would be true of file-sharers.

The subsequent campaign was targeted at young people at home, largely sitting in their bedrooms, together with students studying in the United States and further afield. Yes, you can download movies from file-sharing networks, the campaign said, but we can see everything you do.


To say that the ‘You Can Click But You Can’t Hide’ campaign wasn’t well received was a bit of an understatement. In addition to using emotive terms such as “trafficking” to describe file-sharing, it also tried to convince ordinary members of the public that sharing a single movie was very likely to result in a $150,000 fine.

Perhaps worse still, the campaign was also run as an advert in cinemas before movies. By default, that meant targeting paying customers in a way that the still current FBI warning does at the start of official DVDs and Blu-rays. That prompted the inevitable parody backlash.

Annoying customers…

However, the most remembered use of the campaign’s logo and message was on websites that had been shut down by the MPAA and FBI during 2004 and 2005. Perhaps the best early example was the appearance on popular public torrent site LokiTorrent which was shut down by the MPAA in 2005.

Previously, 28-year-old site admin Ed Webber told almost 700,000 users he was going to fight Hollywood’s lawsuit after accepting around $43,000 in legal battle donations. However, that money quickly disappeared into what was presumed to be the MPAA’s coffers. Were those donors and other site members going to be able to hide after they’d clicked?

The same questions were to be asked later in 2005 when the same campaign message went up on the busted EliteTorrents private tracker, a raid that resulted in several multi-year jail sentences for its operators and uploaders. In the end, no regular site users were ever punished, which certainly took some of the sting out of the campaign.

While its claims were still technically true for most people, as time went by the MPAA’s message began to look more and more dated. The campaign was eventually withdrawn but by then file-sharers were becoming acutely aware that anonymity is something you have to work for online. Then, in 2006, file-sharers were offered a solution, at a price.

Although not the first service of its type, the Relakks VPN service promoted by the Swedish Pirate Party was the first to be targeted mainly at file-sharers. Just a year after the MPAA’s campaign and for a small price, anyone could click whatever they liked and hide, pretty much completely.

Now, ten years later, protecting anonymity online is big business. There are hundreds of VPN suppliers, some better than others, which ensure that there could never be a repeat of the MPAA’s “Click But Can’t Hide Campaign.” Nevertheless, plenty of people are still falling into its trap and failing to heed a decade-old warning.

Every month, millions of file-sharers are tracked online due to them using no kind of protection, with thousands receiving warning notices, fines and even lawsuits for their trouble. It’s surprisingly easy to both click and hide these days, but the majority still haven’t got the message.


Malicious Torrent Network Tool Revealed By Security Company

Post Syndicated from Andy original https://torrentfreak.com/malicious-torrent-network-tool-revealed-by-security-company-160921/

More than 35 years after 15-year-old high school student Rich Skrenta created the first publicly spread virus, millions of pieces of malware are being spread around the world.

Attackers’ motives are varied but these days they’re often working for financial gain. As a result, popular websites and their users are regularly targeted. Security company InfoArmor has just published a report detailing a particularly interesting threat which homes in on torrent site users.

“InfoArmor has identified a special tool used by cybercriminals to distribute malware by packaging it with the most popular torrent files on the Internet,” the company reports.

InfoArmor says the so-called “RAUM” tool is being offered via “underground affiliate networks” with attackers being financially incentivized to spread the malicious software through infected torrent files.

“Members of these networks are invited by special invitation only, with strict verification of each new member,” the company reports.

InfoArmor says that the attackers’ infrastructure has a monitoring system in place which allows them to track the latest trends in downloading, presumably so that attacks can reach the greatest numbers of victims.

“The bad actors have analyzed trends on video, audio, software and other digital content downloads from around the globe and have created seeds on famous torrent trackers using weaponized torrents packaged with malicious code,” they explain.

RAUM instances were associated with a range of malware including CryptXXX, CTB-Locker and Cerber, online-banking Trojan Dridex and password stealing spyware Pony.

“We have identified in excess of 1,639,000 records collected in the past few months from the infected victims with various credentials to online-services, gaming, social media, corporate resources and exfiltrated data from the uncovered network,” InfoArmor reveals.

What is perhaps most interesting about InfoArmor’s research is how it shines light on the operation of RAUM behind the scenes. The company has published a screenshot which claims to show the system’s dashboard, featuring infected torrents on several sites, a ‘fake’ Pirate Bay site in particular.


“Threat actors were systematically monitoring the status of the created malicious seeds on famous torrent trackers such as The Pirate Bay, ExtraTorrent and many others,” the researchers write.

“In some cases, they were specifically looking for compromised accounts of other users on these online communities that were extracted from botnet logs in order to use them for new seeds on behalf of the affected victims without their knowledge, thus increasing the reputation of the uploaded files.”


According to InfoArmor the malware was initially spread using uTorrent, although any client could have done the job. More recently, however, new seeds have been served through online servers and some hacked devices.

In some cases the malicious files continued to be seeded for more than 1.5 months. Tests by TF on the sample provided showed that most of the files listed have now been removed by the sites in question.

Completely unsurprisingly, people who use torrent sites to obtain software and games (as opposed to video and music files) are those most likely to come into contact with RAUM and associated malware. As the image below shows, Windows 7 and 10 packs and their activators feature prominently.


“All of the created malicious seeds were monitored by cybercriminals in order to prevent early detection by [anti-virus software] and had different statuses such as ‘closed,’ ‘alive,’ and ‘detected by antivirus.’ Some of the identified elements of their infrastructure were hosted in the TOR network,” InfoArmor explains.

The researchers say that RAUM is a tool used by an Eastern European organized crime group known as Black Team. They also report several URLs and IP addresses from where the team operates. We won’t publish them here but it’s of some comfort to know that between Chrome, Firefox and MalwareBytes protection, all were successfully blocked on our test machine.

InfoArmor concludes by warning users to exercise extreme caution when downloading pirated digital content. We’d go a step further and advise people to be wary of installing all software from any untrusted sources, no matter where they’re found online.


EU Court: Open WiFi Operator Not Liable For Pirate Users

Post Syndicated from Andy original https://torrentfreak.com/eu-court-open-wifi-operator-not-liable-for-pirate-users-160916/

Countless individuals and businesses around Europe operate open WiFi networks, but what happens when those networks are used by third parties to infringe intellectual property rights?

Pirate Party member Tobias McFadden runs a lighting and sound system shop in Germany and as part of his customer service and marketing efforts, he’s been operating an open WiFi network. Six years ago, this policy landed him in trouble with a major recording label.

In 2010, McFadden received a claim from music company Sony who alleged that his open WiFi had been used to offer one of their albums online without permission.

Sony demanded a range of measures from McFadden, including preventing future infringement by password protecting the WiFi network, blocking file-sharing ports, and logging/blocking users sharing copyrighted content.

Sony also wanted to hold McFadden liable for third party infringement, which led to the case being referred to the European Court of Justice. Yesterday the court handed down its judgment and it’s largely good news for the Pirate Party member.

“[T]he Court holds, first of all, that making a Wi-Fi network available to the general public free of charge in order to draw the attention of potential customers to the goods and services of a shop constitutes an ‘information society service’ under the directive on [electronic commerce],” the decision reads.

The Court further notes that in order for such ‘mere conduit’ services to be exempt from third party liability, three cumulative conditions must be met:

– The provider must not have initiated the transmission

– It must not have selected the recipient of the transmission

– It must neither have selected nor modified the information contained in the transmission.

“[T]he Court confirms that, where the above three conditions are satisfied, a service provider such as Mr McFadden, who provides access to a communication network, may not be held liable,” the judgment reads.

“Consequently, the copyright holder is not entitled to claim compensation on the ground that the network was used by third parties to infringe its rights. Since such a claim cannot be successful, the copyright holder is also precluded from claiming the reimbursement of the costs of giving formal notice or court costs incurred in relation to that claim.”

However, the decision did not go entirely McFadden’s way. In an effort to strike a balance between protecting a service provider from third party liability and the rights of IP owners, the Court ruled that providers can be required to end infringement.

“[T]he directive does not preclude the copyright holder from seeking before a national authority or court to have such a service provider ordered to end, or prevent, any infringement of copyright committed by its customers,” the Court found.

One such measure could include the obtaining of an injunction which would force an operator to password-protect his open WiFi network in order to deter infringement.

“In that regard, the Court nevertheless underlines that, in order to ensure that deterrent effect, it is necessary to require users to reveal their identity to be prevented from acting anonymously before obtaining the required password,” the ruling adds.

On a more positive note, the Court rejected the notion of monitoring networks for infringement or taking more aggressive actions where unnecessary.

“[T]he directive expressly rules out the adoption of a measure to monitor information transmitted via a given network. Similarly, a measure consisting in terminating the internet connection completely without considering the adoption of measures less restrictive of the connection provider’s freedom to conduct a business would not be capable of reconciling the abovementioned conflicting rights,” the Court concludes.

Commenting on the decision, Marietje Schaake MEP says the ruling could complicate plans for more open access to WiFi.

“This may lead to a lot of unnecessary red tape for every small business that currently offers free Wi-Fi. [President of the European Commission] Juncker’s plan to offer free WiFi in European Cities also just became a bit more complicated after this ruling,” Schaake notes.

“On a more fundamental level we must remain vigilant that copyright enforcement does not become a Trojan horse for ending online anonymity.”


Suspect in kernel.org breakin arrested

Post Syndicated from corbet original http://lwn.net/Articles/699128/rss

The US Department of Justice has announced that it has arrested a suspect in the 2011 kernel.org breakin. “[Donald Ryan] Austin is charged with causing damage to four servers located in the Bay Area by installing malicious software. Specifically, he is alleged to have gained unauthorized access to the four servers by using the credentials of an individual associated with the Linux Kernel Organization. According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers.”

VPN Providers Protest Plans to Expand Government Hacking Powers

Post Syndicated from Andy original https://torrentfreak.com/vpn-providers-protest-plans-expand-government-hacking-powers-160622/

Back in April the U.S. Supreme Court approved a rule change that will allow law enforcement to obtain a warrant to hack into computers and even phones anywhere in the world.

The changes affect Rule 41 of the Federal Rules of Criminal Procedure which determines how the government investigates criminal complaints.

The changes will allow a judge to grant permission to law enforcement agencies enabling them to hack computers anywhere, provided the location of the target computer has been hidden by technical means. That means that users of TOR, VPNs, proxies, etc. could all become vulnerable, regardless of why they are using such tools. But it doesn’t stop there.

“It might also extend to people who deny access to location data for smartphone apps because they don’t feel like sharing their location with ad networks,” the EFF previously warned.

“It could even include individuals who change the country setting in an online service, like folks who change the country settings of their Twitter profile in order to read uncensored Tweets.”

Also of concern is the second part of the proposal which would allow judges to issue a search warrant authorizing the hacking or seizing of computers that might be acting as part of a botnet. That means you, if your computer happens to have been infected with a botnet trojan.

Importantly, Congress didn’t vote through the changes to Rule 41; the Department of Justice obtained judicial approval instead. This means that unless Congress passes new legislation to block the changes, time will run out on December 1, 2016.

With this deadline looming, a fresh push is underway to try and block what many see as a serious danger to computer users’ security worldwide. To that end a broad coalition of 50 organizations including public interest groups, privacy tool providers, and Internet companies have written to Congress opposing the changes.

In their letter, Google, EFF, Demand Progress, FightForTheFuture, TOR, VPN providers Private Internet Access, Golden Frog and Hide My Ass, plus many others, urge Congress to “consider and debate” the implications of the new rule.

“The changes to Rule 41 give federal magistrate judges across the United States new authority to issue warrants for hacking and surveillance in cases where a computer’s location is unknown,” the letter reads.

“This would invite law enforcement to seek warrants authorizing them to hack thousands of computers at once — which it is hard to imagine would not be in direct violation of the Fourth Amendment.”

Noting that the changes would allow for the hacking of innocent computer users, the coalition describes the proposal as dangerously broad.

“It fails to provide appropriate guidelines for safeguarding privacy and security, and it circumvents the legislative process that would provide Congress and the public the critically necessary opportunity to evaluate these issues,” they continue.

But perhaps most importantly, the proposed changes will undermine the security of those who need it most – those who have taken legitimate steps to protect their privacy with anonymizing tools such as VPNs and TOR.

“There are countless reasons people may want to use technology to shield their privacy. From journalists communicating with sources to victims of domestic violence seeking information on legal services, people worldwide depend on privacy tools for privacy, personal safety, and data security,” the letter reads.

“Many businesses even require their employees to use virtual private networks for security, especially during travel. Such tools should be actively promoted as a way to safeguard privacy, not discouraged.”

Finally, the groups encourage Congress to take action.

“The Stopping Mass Hacking Act offers a simple solution: it rejects the changes to Rule 41. Passing this bill by December 1 will ensure that Congress has time to fully consider the issue of government hacking before this practice becomes widespread. We urge you to support this bill and to reject the changes to Rule 41,” their letter concludes.

A petition to stop the changes to Rule 41 can be found here.


Mac OS X Ransomware KeRanger Is Linux Encoder Trojan

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/A3QDRb8kTfE/

So there’s been a fair bit of noise this past week about the Mac OS X Ransomware, the first of its kind, called KeRanger. It also happens to be the first popular Mac malware of any form for some time. It’s also a lesson to all the Apple fanbois that their OS is not impervious […]


Read the full post at darknet.org.uk