I Can’t Support Hacktivism, But When The Targets Are Pedophile Websites I Really Want To…

October 26, 2011

A ZDNet article reports that the Anonymous hacktivist[i] group has turned their focus to pedophile websites and will, according to sources, target anyone hosting, promoting or supporting child pornography.

Though Anonymous has yet to formally claim their role, the ZDNet article says those associated with Anonymous say the group takes credit for “taking offline over 40 websites used for sharing pedophilia – and for exposing the names and identifying information of more than 1500 alleged pedophiles”, all of whom were active members of a site called Lolita City.

Apparently some Anonymous members came across the child pornography websites while browsing a darknet[ii] site called Hidden Wiki.

Here’s a post on Pastebin.com relating to their cleanup under the name “operationdarknet”:

#OpDarknet Press Release – 10/15/2011

———————— Timeline of Events ————————

At apprx 8:30 CST while browsing the Hidden Wiki we noticed a section called Hard Candy which was dedicated to links to child pornography. We then removed all links on the website; within 5 minutes the links were edited back in by an admin. For this reason, we will continue to make the Hidden Wiki unavailable.

At apprx 8:45 CST we noticed 95% of the child pornography listed on the Hidden Wiki shared a digital fingerprint with the shared hosting server at Freedom Hosting.

At apprx 9:00pm CST on October 14, 2011 we identified Freedom Hosting as the host of the largest collection of child pornography on the internet. We then issued a warning to remove the illegal content from their server, which they refused to do.

At apprx 11:30pm CST on October 14, 2011 we infiltrated the shared hosting server of Freedom Hosting and shut down services to all clients due to their lack of action to remove child pornography from their server.

At apprx 5:00pm CST on October 15, 2011 Freedom Hosting installed their backups and restored services to their child pornography clients. We then issued multiple warnings to remove all child pornography from their servers, which Freedom Hosting refused to do.

At apprx 8:00pm CST on October 15, 2011 despite new security features, we once again infiltrated the shared hosting server at Freedom Hosting and stopped service to all clients.

———————— Our Statement ————————

The owners and operators at Freedom Hosting are openly supporting child pornography and enabling pedophiles to view innocent children, fueling their issues and putting children at risk of abduction, molestation, rape, and death.

For this, Freedom Hosting has been declared #OpDarknet Enemy Number One.

By taking down Freedom Hosting, we are eliminating 40+ child pornography websites, among these is Lolita City, one of the largest child pornography websites to date containing more than 100GB of child pornography.

We will continue to not only crash Freedom Hosting’s server, but any other server we find to contain, promote, or support child pornography.

———————— Our Demands ————————

Our demands are simple. Remove all child pornography content from your servers. Refuse to provide hosting services to any website dealing with child pornography. This statement is not just aimed at Freedom Hosting, but everyone on the internet. It does not matter who you are, if we find you to be hosting, promoting, or supporting child pornography, you will become a target.

The takedown and exposure of websites and users dedicated to hosting, viewing, sharing, selling, swapping, trading or otherwise exploiting minors is a cause I can really support, though I still can’t condone hacking or vigilantism.

While these activities make for great stories, they generally destroy the opportunity to prosecute, rendering these pedophiles immune from prosecution.

I have personally worked with law enforcement agencies to help take down child predator rings in the past and have found law enforcement to be remarkably keen to prosecute and in need of top technical skills. I’ve also seen how the wildly popular ‘To Catch a Predator’ exposé series made prosecution of many of the men caught impossible.

If Anonymous really wants to make a positive impact by bringing these perverts to justice and rescuing the children being exploited – and God bless them if they do – they need to volunteer their services to an international law enforcement body so that the world can truly benefit from their unquestionable skills and from the prosecution of these child abusers.


[i] Hacktivists are activists who hack websites to further their agenda.

[ii] A darknet is a private network of computers used for file sharing that cannot be searched or reached by other computers on the internet.


Banks Blame Businesses When Hackers Empty Their Bank Accounts

August 18, 2011

“If every [business] knew their money was at risk [from online fraud] in small and medium-sized banks, they would move their accounts to JPMorgan Chase,” said James Woodhill, a venture capitalist who is leading an effort to get smaller banks to upgrade anti-fraud security for their online banking programs. “That’s because JPMorgan Chase is the only major U.S. bank that insures commercial deposits against the type of hacking that plagues smaller banks.”

There is an excellent article in BusinessWeek titled Hackers Take $1 Billion a Year as Banks Blame Their Clients that is a must-read piece. It provides a clear explanation of the insurance loophole that is wiping out the bank accounts of businesses, school districts, churches, and local governments; when and how cybercriminals strike; why small banks aren’t stepping up; why law enforcement is struggling to deal with the issue; the role of malware in these exploits; and what led to the creation of the yourmoneyisnotsafeinthebank.org website.

Read it.


Hackers May Be Able to Hijack More Personal Medical Devices

August 15, 2011

Whether you have a pacemaker, a defibrillator, an insulin monitor, or some other medical device that transmits information, there is the risk that it could be hacked.

At last week’s Black Hat security conference in Las Vegas, security researcher Jay Radcliffe showed how, by experimenting with his own diabetic equipment, he identified flaws that a hacker could use to remotely take control of his insulin flow. This follows on the 2008 demonstrations of how to hack pacemakers and how to hack defibrillators.

In Radcliff’s insulin pump example he found that the pump can be reprogrammed to respond to a stranger’s remote. According to a news article by CBS San Francisco, all Radcliffe “needed was a USB device that can be easily obtained from eBay or medical supply companies. Radcliffe also applied his skill for eavesdropping on computer traffic. By looking at the data being transmitted from the computer with the USB device to the insulin pump, he could instruct the USB device to tell the pump what to do.”

To remotely manipulate the insulin pump the hacker would have to be located within a narrow (200 feet) radius of the victim, which is certainly doable. The article also said Radcliffe was able to tamper with his blood-sugar monitor, overriding the actual signal with a stronger signal so that the device would fail to deliver the proper insulin dose. Assuming a powerful enough antenna, Radcliffe claims the attacker could be up to half a mile away.

Missing Security

The problem with these small devices is the difficulty of fitting security tools into them. Responding to questions, the FDA said that any medical device with wireless communication components can fall victim to eavesdropping, and says it warns device makers that they are responsible for ensuring their equipment can be updated after it’s sold (to patch security holes if needed).

To date there is no evidence that any hacker has leveraged medical device flaws to harm a user, and the industry downplays any potential threat, noting that the risk to patients of being hacked is very small whereas the risks associated with failing to use the devices are severe. However, the CBS article quotes Yoshi Kohno, a University of Washington professor of computer science, who said “The threat hasn’t manifested yet, so what they and we are trying to do is see what the risk could be in the future,” and that Radcliffe’s new research reinforces the urgency of addressing security issues in medical devices before attacks move out of research labs.

While it sounds like a new twist in a Robin Cook medical thriller, the ramifications to real patients could be just as deadly and highlight again the risks associated with the intersection of technology and medicine.

For more information on med-tech risks, see my blogs:


Oops! Sony Did It Again… Another 24.6 Million Accounts Exposed

May 13, 2011

Another week, another security breach announcement from Sony. The first breach compromised 77 million Sony consumers – add 24.6 million additional compromised users with this latest announcement and the total users affected is over 100 million. The company has also disclosed that 12,700 accounts included credit card numbers – though none from U.S. consumers, as if that makes a difference.

There are several reasons to be frustrated with Sony’s behavior:

1) Delayed notice. Sony chose once again to delay informing users about this second breach of their data records when every day that goes by counts. The value of a stolen credit card number decreases daily after the theft is discovered as users scramble to notify banks of the risk, but consumers can’t react to a risk unless companies inform them of a breach. Waiting a week after the first incident, and nearly two weeks after the second incident, represents a careless disregard of the risk to users.

According to testimony Sony provided to a House hearing (the company chose not to attend in person), Sony said that it waited to inform consumers until it had more complete information on the attack, and that it has not received any reports of fraudulent credit card transactions linked to the attacks.

Well gee whiz. If you don’t inform the users of a risk, they are less likely to be watching for, or discovering, fraudulent charges.

2) Cavalier response. Sony chose to first notify their users via a company blog – if users didn’t actively go to the Sony site, they had no way of discovering their data was at risk until the media broadcast the breach. When a company knows they’ve exposed their consumers to risk, and knows exactly how to contact their users – including the names, addresses and email aliases – failing to email or use other means to contact each user immediately is shocking, careless, and disrespectful.

This isn’t 1980, when it could take a company a week to get their notification content approved through a slew of PR and legal folks, then another week to send and get back the material from a printing service, then a week to stuff and address 100 million+ envelopes, and possibly another week before the notices arrived to consumers via snail mail.

Sony has earned every criticism aimed in their direction over the blatant delays and disregard they’ve shown for their users’ safety and privacy, and has put their brand name in the toilet. As Rep. Mary Bono Mack (R-Calif.) put it, Sony’s efforts were “half-hearted, and half-baked.”

3) Pitiful “restitution”. In Sony’s blog after the first data breach, they dumped the onus of defending against potential fraud on users. By collecting and storing consumer information the company took upon itself the responsibility for the safety and security of that information.

Yet, in these three paragraphs of that first blog Sony distances themselves from responsibility by urging consumers to be vigilant without stepping up to provide protection.

This tune has changed somewhat. In a blog released today, Sony Corp. Chief Executive Howard Stringer apologized to users for their “inconvenience and concern” and announced the launch of an identity theft protection program for U.S. account holders.

The service includes a $1 million identity theft insurance policy and will be free for 12 months after enrollment.

While it’s poor etiquette to look a gift horse in the mouth, let’s be clear: this program is neither a gift nor a horse. More like a Band-Aid and a donkey.

When any company collects your information and then fails to protect it, you should darn well expect ID theft insurance as a minimum, and without a paltry 12-month limit. Their loss of your information may expose you to increased risk of ID theft, targeted scams, and reputational damage for years, even for the rest of your life.

Think about it. You may jump to change your credit card number, and hopefully you’ll change passwords. But you can’t change your date of birth, and you aren’t likely to change your name or address. In fact, few of you will even consider changing email aliases. What this means is that crooks have all the key pieces of information needed to continue targeting you. Only really stupid criminals throw away information about you; it is likely to get sold, resold, repurposed, and accessed many, many times.

Another way to discover that this horse is really a donkey is to look into exactly what that $1 million ID theft insurance policy does and does not cover. That insurance is likely only going to help you with financial ID theft, but how that term is defined is worth understanding. Does it only cover credit card charges and credit restoration costs?

Will it cover you if you fall for a carefully crafted, personalized scam that leveraged the stolen information? Will it cover the potential reputational damage of having your accounts manipulated in unflattering ways? Or loss of business profits if information from one of your accounts that used the same password is also exposed? If you are like the vast majority of users who use a single password on all or many of your accounts, the damage could be far reaching. Will this policy cover the costs of trying to recover compromised information that is not financial in nature – i.e., if the hackers gained your password, and you used that same password on your Facebook account where now your family photos have been stolen, will they take care of the recovery/takedown of these images posted elsewhere?

Few users really understand the potentially far-reaching ripple effect these types of data breaches may have on you – and beyond you. The theft of your personal information may increase the risk of ID theft and fraud to your family members and friends.

A criminal may use your information as a means of building trust with their next victim – your family member or friend. If a criminal knows your name, then your children may be at increased risk because crooks will know the answer to that frequently used ‘security question’ of what your mother’s maiden name is. They may use the information to identify the addresses and other information of those you live with.

And lest I forget, Sony’s plan to lure distrustful customers to return is to offer users a 30-day membership to their PlayStation Plus service and free entertainment downloads. Yep, that should just about balance out the risks.

So what can you do?


For a fuller set of recommendations and how to accomplish them, see my blog Sony’s Security Breach, their Delay in Reporting, and their “User’s it’s Your Problem” Stance Deserves Close Scrutiny.

  1. Be diligent in monitoring your financial and medical identities. The information accessed by these hackers has significant value and criminals will exploit any information they acquire.
  2. Understand the scope of the ID theft problem.
  3. Be wary of allowing additional information about yourself to be placed online with Sony before better security standards are in place.
  4. Demand better security and accountability of the companies, institutions, and government agencies holding your records.
  5. National requirements for security standards need to be strengthened.
  6. Learn to identify scams.

To be clear, it appears at this point that the hackers were very sophisticated, and though Sony has taken steps to further strengthen their security, they have not been accused of being security slackers. Hacks can occur in even tightly secured environments (just ask our military!).

The truly objectionable pieces in these incidents are that not only did Sony fail to protect your data, they failed to take immediate steps to inform consumers, and they did not step up to their responsibility to help users remedy the problem until pressure forced them to change positions – and even now it’s too little and too late.

Let the company know just how unhappy you are, and let your elected officials hear your dissatisfaction along with a request for stronger security requirements and penalties for companies holding consumer data.