Cheer10s.com

MPAA Hacker Spied on The Pirate Bay

Fri, 25 Jul 2008 07:37:07 +0200

By Ernesto, of TorrentFreak

Court documents show that a hacker, hired by the MPAA, offered to reveal the identities of the Pirate Bay founders. The hacker, who also retrieved private information from TorrentSpy, was paid $15.000 for his efforts.

pirate bay hackerIt turns out that the MPAA will do pretty much anything to obtain information about BitTorrent sites and its users. Back in 2006, they made a deal with a hacker, better known as Robert Anderson, to steal e-mail correspondence and trade secrets from TorrentSpy.

The hacker later admitted that this was indeed true, and in a surprising turn of events, he switched sides, and joined TorrentSpy. The court case between the MPAA and TorrentSpy eventually led to the downfall of TorrentSpy, but it turned out that the MPAA was also interested in intel on The Pirate Bay.

Cnet cites court documents showing that Anderson wrote to the MPAA: We can provide the names, address, and phone (numbers) of the owners of Torrentspy.com and Thepiratebay.org along with evidence, including correspondence between the two companies.

In addition, the court documents reveal that MPAAs Dean Garfield stated: We were going to get information about the location and identity of the people who were running Torrentspy, as well as information related to a general conspiracy and relationship between Torrentspy and a number of other prominent services including ThePirateBay.

The Pirate Bay has always been one of the main targets of the MPAA. In 2006, John Malcolm, Executive Vice President of the MPAA wrote a letter to Swedens State Secretary in which he urged the authorities to take action against the site: It is certainly not in Swedens best interests to earn a reputation among other nations and trading partners as a place where utter lawlessness with respect to intellectual property rights is tolerated.

It is of course interesting to see that the MPAA is interested in the identities of the Pirate Bay founders, but they could have easily done a Google search, because that info is pretty much public information. I guess they rather use a hacker.

The Pirate Bay website is offline at the moment, unrelated to this news, as they are doing some server maintenance and site upgrades. They will be back soon.

Pacemakers are Vulnerable to Hackers

Fri, 25 Jul 2008 01:37:19 +0200

By Lynn Shapiro, Writer

Implantable medical devices like pacemakers seem safe for the 25 million Americans who view them as life savers. However, researchers have shown that a combination pacemaker and defibrillator with wireless capabilities--the Medtronic Maximo DR--can be hacked.

In an academic paper, computer scientists from Beth Israel Deaconess Medical Center, Harvard Medical Center, the University of Massachusetts, Amherst and the University of Washington, presented a paper entitled "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero Power Defenses," to the 2008 IEEE Symposium on Security and Privacy.

The authors write that given the advances in implantable cardiac defibrillator (ICD) technology, "now is the right and critical time to focus on protecting the security and privacy of future implantable devices."

Using an antenna, radio hardware and a PC, they found that a hacker could indeed violate the privacy of patient information and medical telemetry of Medtronic's ICD, since the ICD wirelessly transmits patient information without encryption.

A hacker "could intercept wireless signals from the ICD and learn information including: a patient's name, medical history, date of birth and so on," the authors write.

Such a person could turn off or modify settings stored on the ICD, incapacitating the device so it can no longer respond to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, which is often lethal, the authors report.

The team proposed three approaches for increasing the safety of the devices, using WISP technology from Intel Research. They explain that some implantable devices, such as pacemakers and ICDs, have non-replaceable batteries. When batteries are low, the entire implantable devices often need to be replaced. From a safety perspective, it is critical to protect the battery life on these devices. Therefore, all three defense approaches use zero-power: they do not rely on the IMD's battery but rather on power from external radio frequency signals.

The first zero-power approach uses an audible alert, warning patients when a hacker attempts to wirelessly communicate with their IMD. The second approach shows that it is possible to use cryptographic (secure) authentication methods using RF power. (The researchers said they purposely did not reveal details of how this might work.)

The third zero-power approach presents a new method for communicating cryptographic keys--sophisticated passwords--so that people wearing the implanted devices can actually "hear or feel" when a hacker tries to disrupt their IMD.

The authors conclude, "We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician."

Meanwhile, Medtronic said in a statement that the company is continuing to come up with new designs to improve security of its cardiac devices.

The May 2008 paper appears on the website: www.secure-medicine.org. (Also see the Medical Device Security Center homepage).

Design flaws, besides vulnerabilities, hurt banking sites

Thu, 24 Jul 2008 04:44:00 +0200

By Jeremy Kirk, IDG News Service

Banking Web sites suffer from design flaws that undermine their security, exclusive of software vulnerabilities, according to a University of Michigan study to be released Friday.

Of 214 sites surveyed in 2006, more than 75 percent had at least one design flaw that could lead to a security problem, the university said. The flow and layout of the sites can make those sites riskier, and the problems can't be fixed with a patch unlike a software vulnerability.
Don't Miss!Read the latest WhitePaper - Troubleshooting Remote Site Networks - Best Practices

A few of the study's findings were released on Tuesday by the university. The full findings will be presented at the Symposium on Usable Privacy and Security meeting Friday at Carnegie Mellon University in Pittsburgh.

The study was undertaken by Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, and two doctoral students, Laura Falk and Kevin Borders. Prakash began investigating after noticing problems with the Web site of his own bank, the university said.

Although the research was done in 2006, many of the problems still affect financial sites. One of the core troubles is an underutilization of SSL (Secure Sockets Layer) encryption technology on Web pages.

The study found that 47 percent of banks didn't use SSL on login pages, which could open the door for a hacker to reroute data to their own PC. Not using SSL also makes it easier for a man-in-the-middle attack, where the victim's data passes through an attacker's PC before it's routed to the bank's server.

Another pervasive problem affecting 55 percent of institutions is placing contact information and security advice on insecure pages. A hacker could conceivably break into the Web site and change the customer service phone number to direct banking customers to a fictitious call center. Again, SSL is the remedy.

The researchers found 30 percent of sites would redirect users to other Web sites, which can skew how a person is supposed to evaluate risk, the study said.

Since a bank site is trusted, the site it links to will likely not be considered a security risk even if it may be. Bank should put all their Web pages on the same server, but some have outsourced security features that are hosted on other domains.

Weak user IDs and passwords continue to be troublesome, with 28 percent of banks either lacking password guidelines or allowing weak ones. Institutions will also e-mail passwords or statements, which is also risky, the study said.

HOPE Hacker Conference to Continue In New York in 2010, We Think

Thu, 24 Jul 2008 04:38:02 +0200

By Eric Krangel

Every other year since 1994, hackers from all over the world have converged on New York City for the Hackers On Planet Earth conference. But this year's bash, held last weekend, was supposed to be the final run. HOPE's long-time home the Hotel Pennsylvania was said to be closing, and conference organizers, the editors of Long Island-based 2600 magazine, were calling it quits. They were laying it on pretty thick, too: the con's name was "The Last HOPE," the conference logo was a tombstone, and in the biggest conference room a coffin was set up to commemorate the "death" of the event.

Not so. According to multiple reports from people present at HOPE 2008's closing ceremonies, HOPE honcho Eric Corley (a/k/a "Emmanuel Goldstein") announced that the conference will back in 2010. The conference bulletin board carries a description of the theatrics:

Emmanuel started a eulogy, and then there was some clammering in the back as a procession of pallbearers brought a coffin through the room. Everyone was silent and totally somber. But then Emmanuel, master of language that he is, played with some words and much to everyone's relief (or so it seemed to me) announced that there will very likely be another hope. So you can think of the last hope simply as the last one you attended. I think his last words of the evening were, "See you in two years".

We emailed the notoriously press-averse Corley and haven't heard back, but Corley/Goldstein (or someone using his name) registered the domain name thenexthope.org.

Accused SF Hacker Gives Newsom Secret Codes

Wed, 23 Jul 2008 11:23:26 +0200

By CBS

SAN FRANCISCO (CBS 5) ― A computer engineer accused of illegally taking control of the city of San Francisco's network and locking out other system administrators has turned over the secret access codes directly to Mayor Gavin Newsom during a secret jailhouse meeting, the San Francisco Chronicle reported Tuesday evening.

The newspaper said Terry Childs, 43, of Pittsburg, who's being held on charges of computer tampering, surrendered the passwords during the private meeting at the Hall of Justice jail with Newsom who did not inform police or prosecutors beforehand.

A spokesman for Newsom said the codes were valid and allowed access to the computer network in question. It stores critical city government data, including e-mails, law enforcement records, and payroll documents, officials have said.

Childs, who was a longtime employee in the city's technology department, was due to appear in court Wednesday for a bail reduction hearing and his attorney Erin Crane was expected to cite his cooperation in turning over the information to Newsom.

Childs remained jailed Tuesday night on $5 million bail.

Kaminsky's DNS flaw Unravelled

Tue, 22 Jul 2008 20:49:49 +0200

By Techtree News Staff

Two weeks ago, when security researcher Dan Kaminsky discovered a critical flaw in the Internet's Domain Name Server (DNS) system, he warned peers not to publicly discuss the same lest unscrupulous hackers got around to taking undue advantage of it.

Seems his advice has fallen on deaf ears as researcher Halvar Flake has posted a complete hypothesis describing a simple modus operandi for exploiting this vulnerability.

In Flake's view, all you need do is flood a DNS server with multiple requests for similar-sounding domain names -- confusing the poor server into querying a root server for name server/s handling lookups for these domains. This information could be then sent by a hacker to a DNS server making it look like authentic information. Flake's contention is that with so many requests, there is some probability that at least one would match -- meaning a hacker could be successful in redirecting a naive user to a fake site which then goes on to glibly steal his/her private and personal data.

Kamsinsky, whose concern seems to stem from the fact that public discussion of a vulnerability would only make it more vulnerable to being exploited by hackers; has declined comment on Flake's speculation. Kaminsky will wait till the Black Hat Conference in Las Vegas to offer a detailed discussion of the DNS flaw.

Flake's is a highly-respected name in security circles; even then, he had to go through "DNS-for-dummies" to be able to achieve this feat.

Firefox fixes Apple hacker flaw

Tue, 22 Jul 2008 20:45:59 +0200

By Katie Scott

Three bugs have been patched by the Mozilla team - one of which could have left Mac users open to hack attacks.

The Firefox 3.0.1 patches three critical vulnerabilities in Firefox 3.0.

These included a Mac-specific bug reported by Apple, which it suggested could leave Firefox users vulnerable to cyber crime.

A bug is caused by a fault in how Firefox processes GIF images, and Mozilla explained that this could be used by attackers to crash the browser.

Firefox 2.0 is not affected, it added.

Firefox 3.0.1 is the first update to the browser since it launched a month ago.

It also addressed several stability issues, fixed a problem with the anti-phishing/anti-malware blacklist, and mended a printing problem.

Users can download Firefox 3.0.1 for Windows, Mac OS X and Linux from the Mozilla site.

Computer whizz walks free

Sun, 20 Jul 2008 18:42:27 +0200

By REBECCA HARPER

A clever Whitianga teenager whose obsession with computers saw him investigated by the FBI now has a bright future.

Owen Thor Walker, 18, was at the centre of an international cybercrime ring that caused millions of dollars in damage.

In April he admitted six serious cyber crime charges, but in the High Court at Hamilton yesterday, Justice Judith Potter took the remarkable step of discharging him without conviction and wishing him well. The move was backed by the police.

She said his offending had no criminal intent, but stemmed from his fascination with computers.

"I have wrestled somewhat with the responsibility placed on the court," Justice Potter said. "Mr Walker's offending was serious; fortunately it was apprehended before it went too far. He was not motivated by criminal intent or maliciousness ... he has undoubted ability to achieve amazing things."

US Special Agent Rich Kolko said yesterday from Washington DC that the FBI considered it "an incredibly serious crime" and others nabbed in Operation Bot Roast had received a range of convictions.

Walker was ordered to pay $9526 as his half share of the damage caused to The University of Pennsylvania server computer, which crashed after it was hacked into by student Ryan Goldstien, who is facing prosecution in the US.

FBI investigations revealed Goldstien was working with another person known as "Akill" Walker's cyber ID. The FBI tipped off New Zealand police.

The University of Pennsylvania declined to comment on the sentence.

Walker may now get to put his significant talents with computers to use on the right side of the law; he filed an affidavit yesterday morning to say the New Zealand police and several overseas corporations were interested in offering him a job.

As Justice Potter spared him a conviction, Walker allowed himself a smile and his mother Shell Whyte buried her head in her hands in relief.

Outside court, the teenager and his family were delighted. Walker was remorseful and said he now realised what he did was wrong. Police had yet to actually offer him a job, but he would be keen to take them up on the offer if they did. Mrs Whyte said she was speechless when she realised the extent of her son's offending: "I just hope he stays on the right side of the law now ... I don't mind what he does as long as he's happy and does the right thing."

Walker was diagnosed with asperger's syndrome, a mild form of autism, when he was 10. The offending started in January 2006, when he was just 16, and lasted until November 2007.

Uber-Hacker Kevin Mitnick Signs Tell-All Book Deal

Sun, 20 Jul 2008 18:40:18 +0200

By Eric Krangel

Kevin Mitnick is going to tell his side of the story. And he's going to get paid for it.

Speaking to an adoring crowd of 800 at the Hackers On Planet Earth conference, Mitnick, once described as the "most wanted computer hacker in the world," announced that he had signed a deal with Little, Brown and Company to tell his life story. "Finally I get to tell my side," he said, saying the conditions of his parole kept him from profiting from his crimes -- including writing a biography -- for the past seven years.

Mitnick was convicted of computer crimes in 1999. At sentencing, prosecutors argued Mitnick should be subject to special treatment while incarcerated because the hacker could "start a nuclear war by whistling into a telephone." A judge agreed, and Mitnick was sentenced to solitary confinement. The perceived unfairness of the sentence made Mitnick a cause célèbre within the hacker community, and sites like freekevin.com sprang up on the Internet.

Mitnick promised the new book will be a tell-all about his hacking stunts, which relied on his speciality of "social engineering" -- hacker-speak for tricks that rely less on technical wizardry and more on duping human beings into giving up information. But Mitnick, who now makes an honest living as a computer security consultant, also enjoys finding holes in software. At HOPE, he showed off his latest hack, which involves scripting the "asterisk" open-source telephony program to show Caller ID information for anyone who calls him, even if that phone's Caller ID is set to "private."

Another non-news item

Sun, 20 Jul 2008 13:53:31 +0200

By Jeremiah Grymstone

I'm heading home from the Last HOPE today. I've made a few new contacts and came home with a new dedication. I was considering giving up Cheer10s as I've said before and this will be more of a blog than a news story. Read it if you want.

My ex-wife was more of a "spend-time-with-me-and-don't-do-anything-by-yourself" and would not have let me run a website unless I was making money off of it.

My current girlfriend said that she doesn't want me to give up any of my life so even though I make nothing off of Cheer10s, keep going.

YAY!

So, I come home with new dedication.

News will be slow until I recover from this trip, but once I do, I'll be pounding out as fast as I can. Thanks, and 73.