|
|
Pirate News : MPAA Hacker Spied on The Pirate Bay
|
| Posted by Grymstone on 2008/7/25 7:37:07 (4 reads) |
By Ernesto, of TorrentFreak
Court documents show that a hacker, hired by the MPAA, offered to reveal the identities of the Pirate Bay founders. The hacker, who also retrieved private information from TorrentSpy, was paid $15.000 for his efforts.
It turns out that the MPAA will do pretty much anything to obtain information about BitTorrent sites and their users. Back in 2006, they made a deal with a “hacker”, better known as Robert Anderson, to steal e-mail correspondence and trade secrets from TorrentSpy.
The hacker later admitted that this was indeed true, and in a surprising turn of events, he switched sides, and joined TorrentSpy. The court case between the MPAA and TorrentSpy eventually led to the downfall of TorrentSpy, but it turned out that the MPAA was also interested in intel on The Pirate Bay.
Cnet cites court documents showing that Anderson wrote to the MPAA: “We can provide the names, address, and phone (numbers) of the owners of Torrentspy.com and Thepiratebay.org — along with evidence, including correspondence between the two companies.”
In addition, the court documents reveal that MPAA’s Dean Garfield stated: “We were going to get information about the location and identity of the people who were running Torrentspy, as well as information related to a general conspiracy and relationship between Torrentspy and a number of other prominent services including ThePirateBay.”
The Pirate Bay has always been one of the main targets of the MPAA. In 2006, John Malcolm, Executive Vice President of the MPAA wrote a letter to Sweden’s State Secretary in which he urged the authorities to take action against the site: “It is certainly not in Sweden’s best interests to earn a reputation among other nations and trading partners as a place where utter lawlessness with respect to intellectual property rights is tolerated.”
It is of course interesting to see that the MPAA is interested in the identities of the Pirate Bay founders, but they could have easily done a Google search, because that info is pretty much public information. I guess they'd rather use a hacker.
The Pirate Bay website is offline at the moment, unrelated to this news, as they are doing some server maintenance and site upgrades. They will be back soon. |
|
|
Privacy News : Pacemakers are Vulnerable to Hackers
|
| Posted by Grymstone on 2008/7/25 1:37:19 (9 reads) |
By Lynn Shapiro, Writer
Implantable medical devices like pacemakers seem safe for the 25 million Americans who view them as life savers. However, researchers have shown that a combination pacemaker and defibrillator with wireless capabilities--the Medtronic Maximo DR--can be hacked.
Computer scientists from Beth Israel Deaconess Medical Center, Harvard Medical Center, the University of Massachusetts, Amherst and the University of Washington presented a paper entitled "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero Power Defenses" at the 2008 IEEE Symposium on Security and Privacy.
The authors write that given the advances in implantable cardiac defibrillator (ICD) technology, "now is the right and critical time to focus on protecting the security and privacy of future implantable devices."
Using an antenna, radio hardware and a PC, they found that a hacker could indeed violate the privacy of patient information and medical telemetry of Medtronic's ICD, since the ICD wirelessly transmits patient information without encryption.
A hacker "could intercept wireless signals from the ICD and learn information including: a patient's name, medical history, date of birth and so on," the authors write.
Such a person could turn off or modify settings stored on the ICD, incapacitating the device so it can no longer respond to dangerous cardiac events. A malicious person could also make the ICD deliver a shock that could induce ventricular fibrillation, which is often lethal, the authors report.
The team proposed three approaches for increasing the safety of the devices, using WISP technology from Intel Research. They explain that some implantable devices, such as pacemakers and ICDs, have non-replaceable batteries. When batteries are low, the entire implantable device often needs to be replaced. From a safety perspective, it is critical to protect the battery life on these devices. Therefore, all three defense approaches use zero-power: they do not rely on the IMD's battery but rather on power from external radio frequency signals.
The first zero-power approach uses an audible alert, warning patients when a hacker attempts to wirelessly communicate with their IMD. The second approach shows that it is possible to use cryptographic (secure) authentication methods using RF power. (The researchers said they purposely did not reveal details of how this might work.)
The third zero-power approach presents a new method for communicating cryptographic keys--sophisticated passwords--so that people wearing the implanted devices can actually "hear or feel" when a hacker tries to disrupt their IMD.
The authors conclude, "We strongly believe that nothing in our report should deter patients from receiving these devices if recommended by their physician."
Meanwhile, Medtronic said in a statement that the company is continuing to come up with new designs to improve security of its cardiac devices.
The May 2008 paper appears on the website: www.secure-medicine.org. (Also see the Medical Device Security Center homepage). |
|
|
Privacy News : Design flaws, besides vulnerabilities, hurt banking sites
|
| Posted by Grymstone on 2008/7/24 4:44:00 (8 reads) |
By Jeremy Kirk, IDG News Service
Banking Web sites suffer from design flaws that undermine their security, exclusive of software vulnerabilities, according to a University of Michigan study to be released Friday.
Of 214 sites surveyed in 2006, more than 75 percent had at least one design flaw that could lead to a security problem, the university said. The flow and layout of the sites can make those sites riskier, and the problems can't be fixed with a patch, unlike a software vulnerability.
A few of the study's findings were released on Tuesday by the university. The full findings will be presented at the Symposium on Usable Privacy and Security meeting Friday at Carnegie Mellon University in Pittsburgh.
The study was undertaken by Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, and two doctoral students, Laura Falk and Kevin Borders. Prakash began investigating after noticing problems with the Web site of his own bank, the university said.
Although the research was done in 2006, many of the problems still affect financial sites. One of the core troubles is an underutilization of SSL (Secure Sockets Layer) encryption technology on Web pages.
The study found that 47 percent of banks didn't use SSL on login pages, which could open the door for a hacker to reroute data to their own PC. Not using SSL also makes it easier for a man-in-the-middle attack, where the victim's data passes through an attacker's PC before it's routed to the bank's server.
Another pervasive problem affecting 55 percent of institutions is placing contact information and security advice on insecure pages. A hacker could conceivably break into the Web site and change the customer service phone number to direct banking customers to a fictitious call center. Again, SSL is the remedy.
The researchers found 30 percent of sites would redirect users to other Web sites, which can skew how a person is supposed to evaluate risk, the study said.
Since a bank site is trusted, the site it links to will likely not be considered a security risk even if it may be. Banks should put all their Web pages on the same server, but some have outsourced security features that are hosted on other domains.
Weak user IDs and passwords continue to be troublesome, with 28 percent of banks either lacking password guidelines or allowing weak ones. Institutions will also e-mail passwords or statements, which is also risky, the study said. |
|
|
Hacker News : HOPE Hacker Conference to Continue In New York in 2010, We Think
|
| Posted by Grymstone on 2008/7/24 4:38:02 (9 reads) |
By Eric Krangel
Every other year since 1994, hackers from all over the world have converged on New York City for the Hackers On Planet Earth conference. But this year's bash, held last weekend, was supposed to be the final run. HOPE's long-time home the Hotel Pennsylvania was said to be closing, and conference organizers, the editors of Long Island-based 2600 magazine, were calling it quits. They were laying it on pretty thick, too: the con's name was "The Last HOPE," the conference logo was a tombstone, and in the biggest conference room a coffin was set up to commemorate the "death" of the event.
Not so. According to multiple reports from people present at HOPE 2008's closing ceremonies, HOPE honcho Eric Corley (a/k/a "Emmanuel Goldstein") announced that the conference will be back in 2010. The conference bulletin board carries a description of the theatrics:
Emmanuel started a eulogy, and then there was some clamoring in the back as a procession of pallbearers brought a coffin through the room. Everyone was silent and totally somber. But then Emmanuel, master of language that he is, played with some words and much to everyone's relief (or so it seemed to me) announced that there will very likely be another hope. So you can think of the last hope simply as the last one you attended. I think his last words of the evening were, "See you in two years".
We emailed the notoriously press-averse Corley and haven't heard back, but Corley/Goldstein (or someone using his name) registered the domain name thenexthope.org. |
|
|
Hacker News : Accused SF Hacker Gives Newsom Secret Codes
|
| Posted by Grymstone on 2008/7/23 11:23:26 (13 reads) |
By CBS
SAN FRANCISCO (CBS 5) ― A computer engineer accused of illegally taking control of the city of San Francisco's network and locking out other system administrators has turned over the secret access codes directly to Mayor Gavin Newsom during a secret jailhouse meeting, the San Francisco Chronicle reported Tuesday evening.
The newspaper said Terry Childs, 43, of Pittsburg, who's being held on charges of computer tampering, surrendered the passwords during the private meeting at the Hall of Justice jail with Newsom — who did not inform police or prosecutors beforehand.
A spokesman for Newsom said the codes were valid and allowed access to the computer network in question. It stores critical city government data, including e-mails, law enforcement records, and payroll documents, officials have said.
Childs, who was a longtime employee in the city's technology department, was due to appear in court Wednesday for a bail reduction hearing and his attorney Erin Crane was expected to cite his cooperation in turning over the information to Newsom.
Childs remained jailed Tuesday night on $5 million bail. |
|
|
|