Posts Tagged ‘hackers’

MediaDefender: Victim of hackers or just a victim of karma?

September 20th, 2007

Unless you have been living under an internet rock this past week, you have heard all the news surrounding the company MediaDefender. From MediaDefender’s website, “MediaDefender, Inc. is the leading provider of anti-piracy solutions in the emerging Internet-Piracy-Prevention (IPP) industry. We provide services that stop the spread of illegally traded copyrighted material over the Internet and Peer-to-Peer networks.”

In February 2007, MediaDefender launched a video sharing site called Miivi.com. Back on July 4th it was discovered that the video download site MiiVi was really a “honey pot” (fake site) put up to track individuals downloading videos illegally. In an interview with Ars Technica, chief executive Randy Saaf stated that “MediaDefender was working on an internal project that involved video and didn’t realize that people would be trying to go to it and so we didn’t password-protect the site”. MiiVi was shut down that same day, July 4th, 2007.

This past week, 6 months (700 MB) worth of emails were leaked out and spread all over the internet. The emails contain information about the various tactics and technical solutions for tracking p2p users, and disrupting p2p services. Following MediaDefender’s subsequent email leak, TorrentFreak alleged that MediaDefender’s statement about it being an “internal project” (see quote above) was revealed to be a deliberate falsehood. The emails revealed that the site was closed when this fact became public knowledge, and was scheduled to be re-launched as www.viide.com. Viide.com has not yet been opened up to the public.

Quoted from an article on Ars Technica:
“MediaDefender’s damage control program went into full swing shortly after that. When Douglas pointed out that information about MiiVi had been added to the MediaDefender Wikipedia page, Saaf decided that he wanted it taken down. “Can you please do what you can to eliminate the entry? Let me know if you have any success,” Saaf wrote. “I will attempt to get all references to miivi removed from wiki,” developer Ben Ebert replied. “We’ll see if I can get rid of it.”

After a statement Saaf sent to Digital Daily was included in a blog entry, Saaf sent an e-mail to a handful of MediaDefender employees asking if it would be a good idea to post it to the Digg.com news site. He also suggested possibly having MediaDefender employees post comments. Referring to the Digg community, MediaDefender co-founder Octavio Herrera replied, ‘They aren’t going to believe you.’”

In an additional blow (and I am sure not the last), the group known as the “MediaDefender-Defenders”, who are responsible for distributing the leaked emails initially, have today leaked the source code MediaDefender used “for the ‘trapping’ and decoy software that MediaDefender uses to spread fake files on P2P networks.”

As security professionals we all understand that hacking, in and of itself, is not evil or wrong. Hackers are no more “terrorists” than locksmiths are cat burglars. In fact, hacking is merely the discovery of information, whether it be in software or hardware. It’s the choices you make and how you use said knowledge that really start to define the “white” versus “black” hats in this realm. That said, I’d like to state I don’t endorse or condone pirating movies or music, nor hacking with malicious intent. Now that I have gotten all the disclaimers out of the way, I would also like to state that I also don’t endorse or condone MediaDefender’s tactics in “preventing piracy”. These unethical and in some cases illegal business techniques are really the root cause of why they are in such hot water now. Two Wrongs Do Not Make a Right. Some might say what the hackers did falls under this mantra too, but in this case, they didn’t hack with malicious intent per se. It was an exposé. They revealed the unethical techniques used by this corporation, no differently than any undercover journalist would. Just because the technology has changed doesn’t make it any different than a 20/20 hidden camera or “To Catch a Predator” style journalism. These hackers are the modern day “deep throat” (the informer, not the movie). I don’t want to glorify their actions too much, but at the same time it had to be said to squash any “double standard” remarks. Infecting P2P networks is not the way to handle this issue. MediaDefender is no different than the bored 13-year-old kid in China who writes the next big worm or virus. I could go on and on about the techniques they used, but with a little help from Google you can read the leaked emails and see for yourself.

Regardless of how you feel about illegal downloading or swapping of music and movies, I think you should read over them and ask yourself if you feel the actions by this corporation were ethical as a business, and if their techniques are any better than those of the “criminals” they were out to prevent.

I really do think in this case MediaDefender is really only a victim of one thing, karma.

Kevin Blanchard

Monster gets hacked

August 22nd, 2007

Pretty much anyone who has ever been unemployed in the past 10 years has probably set up an account on Monster.com at one time or another. Symantec is reporting they found a new Trojan called Infostealer.Monstres. Its sole purpose seems to be to use compromised employer accounts to harvest personal information of anyone who has a visible job profile on Monster. At the time of discovery by Symantec, the remote server collecting the hacked information had already collected 1.6 million entries with personal information belonging to several hundred thousand people.

I have included a link to the full article if you are interested in reading all the details. I will leave you with a great bit of knowledge from the article, the importance of which I cannot emphasize enough.

“To protect your identity when using recruitment sites, or at least limit your exposure to identity theft, you should limit the contact information you post on these sites, use a separate disposable email address and never disclose sensitive details such as your Social Security number, passport or driver’s license numbers, bank account information, etc to prospective employers until you have established they are legitimate.”

Full Article Link

Kevin Blanchard

Close Only Counts in Horseshoes and Hand Grenades: Hackers Target U.S. Power Grids

March 17th, 2005

The Washington Post is running a story about hackers targeting U.S. power grids. When it comes to my own beliefs about security in the news, any news is good news. Not that weak security in critical systems is a “good thing”, but these kinds of stories help to raise public understanding and to put a little fire under the feet of the people implementing security policies for these places, which in my mind is a good thing.

I will start by discussing what I like about these types of articles. For too many years, security has been put on the back burner. Unless you are a company that offers security services, many companies have difficulties justifying the costs involved in properly securing their systems and training employees on updated security policies. In the past, trying to explain money spent on “potential security issues” to the accountants and people who signed off on budgets in large companies was an uphill battle, if not a brick wall. In recent years an increasing number of non-security personnel have become aware of the importance of security. The costs of recovering from a “security incident” generally are much higher than the initial cost to prevent such incidents from happening in the first place. I like articles like this because they increase awareness of such issues even more. Any time a company gets hacked, or a new worm makes its rounds, people take notice. I am hoping in the future it won’t always take the “penny in a light socket” approach for a company to change its ways. I’d like to see a more proactive method used to focus on keeping hackers out BEFORE you find your confidential company info on some website alongside Paris Hilton’s recent cell phone pictures.

Awareness is step one. In the US, we have been making a slow climb towards awareness that everyone is at risk. Whether it is your grandma’s PC being used as a zombie in a DoS attack or a high profile credit card company, everyone needs to be aware that they are at risk. That said, we move into phase 2, the attackers. Now that CEOs understand they need to beef up security, the next question is “who” is trying to hack us? This leads into the problem I had with these types of articles. Since 9/11, “terrorism” has been used as the primary “scare tactic”/cheerleader in pushing security agendas. As I said earlier, I strongly agree with any plan [as long as it's the truth] that encourages companies to take a second look at their security and make sure it is not being neglected. The problem with pushing the terrorism angle over and over is that they do not represent the total threat. My concern with focusing too much on one security “enemy” is that you can easily forget about the others. Organized crime syndicates, intelligent bored 16-year-old kids in China hacking sites from their parents’ basement, and even new high tech gangs provide as much [and some would argue more] threat to security in the US. I am not downplaying the threat of cyber terrorism by any means. I do feel that if we focus too much on it, we are not preparing ourselves for the full range of targets approaching and the tactics they will be using. As we reach a new dawn of understanding in the US about security we need to further the education and take a good look at ALL threats to security and not just focus on terrorists. Sometimes the biggest threats come from within your own country. Let’s hope companies in the US don’t require a Julius Caesar-like event to realize this.

Kevin Blanchard