Four days ago, a group calling itself the "MediaDefender-Defenders" released a torrent pointing to 700 megabytes of corporate emails from MediaDefender, a company providing "BitTorrent protection services" to record labels and movie studios. The emails expose company strategy, confidential contracts, passwords and login information, lists of servers and IP addresses, and reactions to mentions of the company in the news [read them here]. This post is a summary of recent events, along with a heaping of speculation as to what happened behind the scenes.
The immediate fallout
MediaDefender has lost control of:
- Lists of IP addresses and domain names under their control. This is valuable to counter-piracy evasion.
- Login information to FTP, MySQL, domain, SSH, and control panel accounts. This gives anyone with an internet connection read/write access to many, many corporate servers. Here's a sampling of what was exposed:
- ftpumg.umusic.com contained some of the very MP3 files that MD was working to protect from unauthorized dissemination. (Astonishingly, the AP reported the username and password for this server -- I can only assume the password has since been changed.)
- Databases of activity MD recorded on several P2P networks, including Gnutella, KaZaa, eMule, and BitTorrent (specifically Azureus, with its Distributed Hash Table.)
- And if my guess is correct, a recorded phone call with the Attorney General of New York. (More on that below.)
- Personal (SSN, address, phone number) and financial (salary, last raise, account routing number) information for the development team, thanks to a salary spreadsheet. (The SSN and routing numbers are redacted on the MD-D site. Please do not use the phone numbers, etc. to harass the MD employees -- they're regular people, just like me and you.)
- Executable program files that were not publicly released, or were only meant for administrative purposes. (These can be decompiled and analyzed to learn more about MD's strategies.)
- Discussions of an encryption scheme to be used on a website. (When a strong cryptosystem has its source code published, its security does not suffer. In fact, any cryptosystem must be published to be considered strong. This was meant to be private, and therefore is weakened by exposure.)
- Verisign certificate and other keys, public and private. (Could be used to decrypt private information or spoof the MD site.)
- Corporate strategy documents. These give great insight into the specific techniques that MD employed to spam, spoof, pollute, hack, and otherwise damage peer-to-peer networks, thus giving P2P programmers a leg up in defeating such practices. Additionally, one powerpoint files contains the following nuggets: "A larger volume of CD sales in 2006 were lost to borrowing, rather than to P2P", "Established P2P users spend more on CDs than consumers new to P2P." If these don't cast doubt on MD's morals and loyalty (hint: not with the artists), I don't know what does.
- Details about MiiVi, a program/website intended to... what? No one's quite sure, but it looks like it was designed to a) trap users into uploading copyrighted content, and b) turn the user's machine into a p2p-spoofing zombie. When MiiVi was first connected to MD, MediaDefender issued a press release stating that MiiVi was only meant to be an internal website. The emails put the lie to that claim, with talk of SEO and public image.
- Bad coding practices. This bug report from MiiVi showed that MD's sites are likely vulnerable to MySQL injection attacks.
How it happened
We still don't have confirmation on precisely how the emails were leaked, but this is my best guess:
- Jay Maris, an employee of MD, has all of his work email forwarded to his GMail account, firstname.lastname@example.org. His password sucks: "blahbob". (This information is directly reported by MD-D.)
- Jay registers an account at a private torrent tracker. Private trackers are semi-exclusive clubs that can generally keep industry spybots out, so these are juicy targets for the likes of MD. (From the emails, we know that MD was doing this [e.g.]. We speculate that Jay was directly involved in this activity.)
- Unfortunately, Jay registers the account using his GMail address and his GMail password. (Speculation; however, it fits the facts extremely well. Many people use the same password for multiple services.)
- The owners of the tracker notice that he is logging in from a banned IP address. (Very common. Many of the emails deal with acquiring new, not-yet-banned IP addresses and accounts. [e.g.])
- The tracker website is altered to capture Jay's password, since the password are likely not stored as plaintext in the database, for security reasons. The next time Jay logs in, the password is captured. (Why do I think they got the password this way? Well, GMail would be impossible to brute-force due to rate-limiting on the server, and human error is always more likely the cause for a security breach than program insecurity. This is why phishing works.)
- MD-D knows that the IP address is owned by MD, so they know Jay is a person of interest. They test the password against his email account, and it works. They find the corporate emails and export them, most likely using POP3 to download them into an email client. The rest is history.
Again, I doubt anyone "hacked" GMail, since that would be technically infeasible with only a single, pre-defined target (Jay) as well as with arbitrary, as-you-find-them targets (users of an insecure WiFi point.) Even then, they wouldn't have his actual password; such hacks usually result in direct access to his account without any way of determining the login info.
Phone conversation with NY Attorney General
After releasing the emails, MediaDefender-Defenders also released an MP3 recording of a VoIP conversation between MD and the New York Attorney General's office. The conversation focused on their collaboration in tracking down child pornography on peer-to-peer networks, and specifically on a log-in attempt from somewhere in Sweden [read or listen]. The source of the MP3 is unknown, though some in the efnet#mediadefender-defenders chatroom opined that MD recorded the VoIP call and left it on a server, the login info to which was exposed by the email leak. MD-D claims that it has infiltrated MD, but this may be a false statement intended to push MD into an internal witch-hunt.
Personally, I'm guessing the "attack" on the server was in reality a MD-D member testing out login info found in Jay's email. In any event, the AG keeps asking whether MD's mail servers are secure, and the topic turns to PGP and other forms of end-to-end encryption.
Sadly, it is in vain. Security is defeated again by human factors.