The Courts

The Lawyer Who Founded Prenda Law Just Got Disbarred (engadget.com) 62

Long-time Slashdot reader lactose99 writes: One of the original copyright trolls finally got their comeuppance. From TFA: "John L. Steele, a Chicago lawyer who pled guilty to perjury, fraud and money laundering resulting from alleged 'honeypot' schemes, has just been disbarred by an Illinois court." John L. Steele, as you may know, is one of the principals of Prenda Law, a notorious copyright troll who has been featured on /. several times. The article goes on to describe how the Prenda lawyers used honeypot-like tactics to trick people into downloads and then subsequently scammed them for copyright violations.
Their operation brought in $6 million in settlement fees, reports Engadget, adding "While it is illegal to download copyrighted files from file-sharing sites, it is also against the law to extort downloaders."
Security

PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes (bleepingcomputer.com) 82

An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches."

The article also highlights the fact that the group behind this threat is possibly made of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself, and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

Botnet

BrickerBot, the Permanent Denial-of-Service Botnet, Is Back With a Vengeance (arstechnica.com) 113

An anonymous reader quotes a report from Ars Technica: BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons. Pascal Geenens, the researcher who first documented what he calls the permanent denial-of-service botnet, has dubbed the fiercest new instance BrickerBot.3. It appeared out of nowhere on April 20, exactly one month after BrickerBot.1 first surfaced. Not only did BrickerBot.3 mount a much quicker number of attacks -- with 1,295 attacks coming in just 15 hours -- it used a modified attack script that added several commands designed to more completely shock and awe its targets. BrickerBot.1, by comparison, fired 1,895 volleys during the four days it was active, and the still-active BrickerBot.2 has spit out close to 12 attacks per day. Shortly after BrickerBot.3 began attacking, Geenens discovered BrickerBot.4. Together, the two newly discovered instances have attempted to attack devices in the research honeypot close to 1,400 times in less than 24 hours. Like BrickerBot.1, the newcomer botnets are made up of IoT devices running an outdated version of the Dropbear SSH server with public, geographically dispersed IP addresses. Those two characteristics lead Geenens to suspect the attacking devices are poorly secured IoT devices themselves that someone has compromised and used to permanently take out similarly unsecured devices. Geenens, of security firm Radware, has more details here.
Twitter

Former Twitter Employees: 'Abuse Problem' Comes From Their Culture Of Free Speech (buzzfeed.com) 465

Twitter complained of "inaccuracies in the details and unfair portrayals" in an article which described their service as "a honeypot for assholes." Buzzfeed interviewed 10 "high-level" former employees who detailed a company "Fenced in by an abiding commitment to free speech above all else and a unique product that makes moderation difficult and trolling almost effortless". An anonymous Slashdot reader summarizes their report: Twitter's commitment to free speech can be traced to employees at Google's Blogger platform who all went on to work at Twitter. They'd successfully fought for a company policy that "We don't get involved in adjudicating whether something is libel or slander... We'll do it if we believe we are required to by law." One former Twitter employee says "The Blogger brain trust's thinking was set in stone by the time they became Twitter Inc."

Twitter was praised for providing an uncensored voice during 2009 elections in Iran and the Arab Spring, and fought the secrecy of a government subpoena for information on their WikiLeaks account. The former of head of news at Twitter says "The whole 'free speech wing of the free speech party' thing -- that's not a slogan. That's deeply, deeply embedded in the DNA of the company... [Twitter executives] understand that this toxicity can kill them, but how do you draw the line? Where do you draw the line? I would actually challenge anyone to identify a perfect solution. But it feels to a certain extent that it's led to paralysis.

While Twitter now says they are working on the problem, Buzzfeed argues this "maximalist approach to free speech was integral to Twitter's rise, but quickly created the conditions for abuse... Twitter has made an ideology out of protecting its most objectionable users. That ethos also made it a beacon for the internet's most vitriolic personalities, who take particular delight in abusing those who use Twitter for their jobs."
Government

British Spy Agency GCHQ Used URL Shortener To Honeypot Arab Spring Activists (vice.com) 40

The British spy agency GCHQ used a custom URL shortener and Twitter sockpuppets to influence and infiltrate activists during the Iran revolution of 2009 and the Arab Spring of 2011, reports Motherboard, citing leaked documents by Edward Snowden. From the article: The GCHQ's special unit, known as the Joint Threat Research Intelligence Group or JTRIG, was first revealed in 2014, when leaked top secret documents showed it tried to infiltrate and manipulate -- using "dirty trick" tactics such as honeypots -- online communities including those of Anonymous hacktivists, among others. The group's tactics against hacktivists have been previously reported, but its influence campaign in the Middle East has never been reported before. I was able to uncover it because I was myself targeted in the past, and was aware of a key detail, a URL shortening service, that was actually redacted in Snowden documents published in 2014. A now-defunct free URL shortening service -- lurl.me -- was set up by GCHQ that enabled social media signals intelligence. Lurl.me was used on Twitter and other social media platforms for the dissemination of pro-revolution messages in the Middle East.
Privacy

Researchers Discover Over 100 Tor Nodes Designed To Spy On Hidden Services (schneier.com) 56

An anonymous reader writes from a report via Schneier on Security: Two researchers have discovered over 100 Tor nodes that are spying on hidden services. Cory Doctorow from Boing Boing reports: "These nodes -- ordinary nodes, not exit nodes -- sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over. The researchers used 'honeypot' .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions' existence. They didn't advertise the honions' existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits. No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of 'infowar' weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered)." The Tor project is aware of the attack and is working to redesign its system to try and block it. Security firm Bitdefender has issued an alert about a malicious app called EasyDoc that hands over control of Macs to criminals via Tor.
Security

Dell Open Sources DCEPT, a Honeypot Tool For Detecting Network Intrusions (helpnetsecurity.com) 37

An anonymous reader writes: Dell SecureWorks researchers have developed a tool that allows Windows system administrators to detect network intrusion attempts and pinpoint them to the original source (i.e. a compromised endpoint), and have made it available for everybody. The tool is called DCEPT (Domain Controller Enticing Password Tripwire). It consists of: The DCEPT Generation Server, which creates unique honeytoken credentials for Active Directory (AD), the Windows component used by network administrators to manage accounts, processes, and permissions on devices within their domain. The DCEPT Agent, which introduces them daily into the memory of each endpoint on the network. The DCEPT Sniffer, which looks for Kerberos pre-authentication packets destined for the AD domain controller that match the honeytoken username. If it detects one, it alerts the network administrator and points towards the compromised workstation. DCEPT has been open sourced and is available on GitHub, along with instructions for deployment.
Piracy

FBI Wants Pirate Bay Logs For Criminal Investigation Into Copyright Trolls 84

the simurgh writes: It has been revealed today that In the past few months, two of the Pirate Bay co-founders have been repeatedly questioned by Swedish authorities, acting on behalf of the FBI. The internet now has clear evidence that Prenda is indeed being investigated by the U.S. Government for uploading their own copyrighted content in torrents placed onto The Pirate Bay, for the sole purpose of creating a honeypot trap to sue over pirated downloads.
Communications

FTC Announces $50k In Prizes For Robocaller Trap Software 79

crazyhorse44 that the Federal Trade Commission announced this week that it is launching two new robocall contests challenging the public to develop a crowd-source honeypot and better analyze data from an existing honeypot. A honeypot is an information system that may be used by government, private and academic partners to lure and analyze robocalls. The challenges are part of the FTC's long-term multi-pronged effort to combat illegal robocallers and contestants of one of the challenges will compete for $25,000 in a top prize. As part of Robocalls: Humanity Strikes Back, the FTC is asking contestants to create a technical solution for consumers that will identify unwanted robocalls received on landlines or mobile phones, and block and forward those calls to a honeypot. A qualifying phase [launched Wednesday] and runs through June 15, 2015 at 10:00 p.m. ET; and a second and final phase concludes at DEF CON 23 on Aug. 9, 2015.
The Courts

Judge: It's OK For Cops To Create Fake Instagram Accounts 209

An anonymous reader writes with a ruling that seems obvious in a case about police making a fake Instagram account. A federal judge in New Jersey has signed off on the practice of law enforcement using a fake Instagram account in order to become "friends" with a suspect — thus obtaining photos and other information that a person posts to their account. "No search warrant is required for the consensual sharing of this type of information," United States District Judge William Martini wrote in an opinion published last Tuesday. In other news, an undercover officer still doesn't need to tell you that he or she is a member of law enforcement if you ask.
Security

Building a Honeypot To Observe Shellshock Attacks In the Real World 41

Nerval's Lobster writes A look at some of the Shellshock-related reports from the past week makes it seem as if attackers are flooding networks with cyberattacks targeting the vulnerability in Bash that was disclosed last week. While the attackers haven't wholesale adopted the flaw, there have been quite a few attacks—but the reality is that attackers are treating the flaw as just one of many methods available in their tool kits. One way to get a front-row seat of what the attacks look like is to set up a honeypot. Luckily, threat intelligence firm ThreatStream released ShockPot, a version of its honeypot software with a specific flag, "is_shellshock," that captures attempts to trigger the Bash vulnerability. Setting up ShockPot on a Linux server from cloud host Linode.com is a snap. Since attackers are systematically scanning all available addresses in the IPv4 space, it's just a matter of time before someone finds a particular ShockPot machine. And that was definitely the case, as a honeypot set up by a Dice (yes, yes, we know) tech writer captured a total of seven Shellshock attack attempts out of 123 total attacks. On one hand, that's a lot for a machine no one knows anything about; on the other, it indicates that attackers haven't wholesale dumped other methods in favor of going after this particular bug. PHP was the most common attack method observed on this honeypot, with various attempts to trigger vulnerabilities in popular PHP applications and to execute malicious PHP scripts.
Security

Recipe For Building a Cheap Raspberry Pi Honeypot Network 68

mask.of.sanity (1228908) writes "Honeypots are the perfect bait for corporate IT shops to detect hackers targeting and already within their networks and now a guide has been published to build a dirt cheap battalion of the devices from Raspberry Pis. "By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor," the author explained."
Communications

FTC To Trap Robocallers With Open Source Software 125

coondoggie writes: The Federal Trade Commission today announced the rules for its second robocall exterminating challenge, known this time as Zapping Rachel Robocall Contest. 'Rachel From Cardholder Services,' was a large robocall scam the agency took out in 2012. The agency will be hosting a contest at next month's DEF CON security conference to build open-source methods to lure robocallers into honeypots and to predict which calls are robocalls. They'll be awarding cash prizes for the top solutions.
Social Networks

Employees Staying Away From Internal Corporate Social Networks 131

jfruh (300774) writes As social networks proliferated in the early '10s, so did the idea of a corporate social network — a Facebook-like community on an intranet where employees could interact. Unfortunately, corporate users are staying away in droves, perceiving the systems as one more in-box they'd have to take care of and getting their social-networking fix from Facebook and the like. From what I've seen of these internal networks, another good reason is that they're not as good as the full-time social networks are, and offer access only to a small universe of particpants anyhow. They're like a central-casting "rock band" in '80s movies — they come off as conspicuously aping the real thing.
Security

DVRs Used To Attack Synology Disk Stations and Mine Bitcoin 75

UnderAttack (311872) writes "The SANS Internet Storm Center got an interesting story about how some of the devices scanning its honeypot turned out to be infected DVRs. These DVRs are commonly used to record footage from security cameras, and likely got infected themselves due to weak default passwords (12345). Now they are being turned into bots (but weren't they bots before that?) and are used to scan for Synology Disk Stations who are vulnerable. In addition, these DVRs now also run a copy of a bitcoin miner. Interestingly, all of this malware is compiled for ARM CPUs, so this is not a case of standard x86 exploits that happen to hit an embedded system/device."
Security

NBC News Confuses the World About Cyber-Security 144

Nerval's Lobster writes "In a video report posted Feb. 4, NBC News reporter Richard Engel, with the help of a security analyst, two fresh laptops, a new cell phone, and a fake identity, pretended to go online with the technical naiveté of a Neanderthal housepet. (Engel's video blog is here.) Almost as soon as he turned on the phone in the Sochi airport, Engel reported hackers snooping around, testing the security of the machines. Engel's story didn't explain whether 'snooping around' meant someone was port-scanning his device in particular with the intention of cracking its security and prying out its secrets, no matter how much effort it took, or if the 'snooping' was other WiFi devices looking for access points and trying automatically to connect with those that were unprotected. Judging from the rest of his story, it was more likely the latter. Engel also reported hackers snooping around a honeypot set up by his security consultant which, as Gartner analyst Paul Proctor also pointed out in a blog posting, is like leaving the honey open and complaining when it attracts flies. When you try to communicate with anything, it also tries to communicate with you; that's how networked computers work: They communicate with each other. None of the 'hacks' or intrusions Engel created or sought out for himself have anything to do with Russia or Sochi, however; those 'hacks' he experienced could have happened in any Starbucks in the country, and does almost every day, Proctor wrote. That's why there is antivirus software for phones and laptops. It's why every expert, document, video, audio clip or even game that has anything at all to do with cybersecurity makes sure to mention you should never open attachments from spam email, or in email from people you don't know, and you should set up your browser to keep random web sites from downloading and installing anything they want on your computer. But keep up the fear-mongering."
Encryption

Building Deception Into Encryption Software 106

holy_calamity writes "MIT Technology Review reports on a new cryptosystem designed to protect stolen data against attempts to break encryption by brute force guessing of the password or key. Honey Encryption serves up plausible fake data in response to every incorrect guess of the password. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data. Ari Juels, who invented the technique and was previously chief scientist at RSA, is working on software to protect password managers using the technique."
The Internet

Demonoid BitTorrent Tracker Apparently Back Online 134

Freshly Exhumed writes "TorrentFreak has broken the news that after more than a year of downtime the Demonoid tracker is back online. The tracker is linked to nearly 400,000 torrent files and more than a million peers, which makes it one of the largest working BitTorrent trackers on the Internet. There is no word yet on when the site will make a full comeback, but the people behind it say they are working to revive one of the most famous file-sharing communities. As the single largest semi-private BitTorrent tracker that ever existed, Demonoid used to offer a home to millions of file-sharers. Note that this is apparently the original Demonoid and not the d2 site that claims to be using the Demonoid database."
Math

The Math of Gamification 36

An anonymous reader writes "The Foursquare blog has an interesting post about some of the math they use to evaluate and verify the massive amount of user-generated data that enters their database. They need to figure out the likelihood that any given datapoint accurately represents reality, so they've worked out a complicated formula that will minimize abuse. Quoting: 'By choosing the points based on a user's accuracy, we can intelligently accrue certainty about a proposed update and stop the voting process as soon as the math guarantees the required certainty. ... The parameters are automatically trained and can adapt to changes in the behavior of the userbase. No more long meetings debating how many points to grant to a narrow use case. So far, we've taken a very user-centric view of p-sub-k (this is the accuracy of user k). But we can go well beyond that. For example, p-sub-k could be "the accuracy of user k's vote given that they have been to the venue three times before and work nearby." These clauses can be arbitrarily complicated and estimated from a (logistic) regression of the honeypot performance. The point is that these changes will be based on data and not subjective judgments of how many "points" a user or situation should get."
Crime

Researchers Use Computer-Generated 10-Year-Old Girl To Catch Online Predators 545

mrspoonsi writes "Dutch researchers conducted a 10-week sting, using a life-like, computer-generated 10-year-old Filipino girl named 'Sweetie.' During this time, 20,000 men contacted her. 1,000 of these men offered money to remove clothing (254 were from the U.S., 110 from the U.K. and 103 from India). Charity organization Terre des Hommes launched a global campaign to stop 'webcam sex tourism.' It has 'handed over its findings to police and has said it will provide authorities with the technology it has developed."

Slashdot Top Deals