When torrents bite back

Four days ago, a group calling itself the "MediaDefender-Defenders" released a torrent pointing to 700 megabytes of corporate emails from MediaDefender, a company providing "BitTorrent protection services" to record labels and movie studios. The emails expose company strategy, confidential contracts, passwords and login information, lists of servers and IP addresses, and reactions to mentions of the company in the news [read them here]. This post is a summary of recent events, along with a heaping of speculation as to what happened behind the scenes.

The immediate fallout

MediaDefender has lost control of:

  • Lists of IP addresses and domain names under their control. This is valuable to counter-piracy evasion.
  • Login information to FTP, MySQL, domain, SSH, and control panel accounts. This gives anyone with an internet connection read/write access to many, many corporate servers. Here's a sampling of what was exposed:
    • ftpumg.umusic.com contained some of the very MP3 files that MD was working to protect from unauthorized dissemination. (Astonishingly, the AP reported the username and password for this server -- I can only assume the password has since been changed.)
    • Databases of activity MD recorded on several P2P networks, including Gnutella, KaZaa, eMule, and BitTorrent (specifically Azureus, with its Distributed Hash Table.)
    • And if my guess is correct, a recorded phone call with the Attorney General of New York. (More on that below.)
  • Personal (SSN, address, phone number) and financial (salary, last raise, account routing number) information for the development team, thanks to a salary spreadsheet. (The SSN and routing numbers are redacted on the MD-D site. Please do not use the phone numbers, etc. to harass the MD employees -- they're regular people, just like me and you.)
  • Executable program files that were not publicly released, or were only meant for administrative purposes. (These can be decompiled and analyzed to learn more about MD's strategies.)
  • Discussions of an encryption scheme to be used on a website. (When a strong cryptosystem has its source code published, its security does not suffer. In fact, any cryptosystem must be published to be considered strong. This was meant to be private, and therefore is weakened by exposure.)
  • Verisign certificate and other keys, public and private. (Could be used to decrypt private information or spoof the MD site.)
  • Corporate strategy documents. These give great insight into the specific techniques that MD employed to spam, spoof, pollute, hack, and otherwise damage peer-to-peer networks, thus giving P2P programmers a leg up in defeating such practices. Additionally, one powerpoint files contains the following nuggets: "A larger volume of CD sales in 2006 were lost to borrowing, rather than to P2P", "Established P2P users spend more on CDs than consumers new to P2P." If these don't cast doubt on MD's morals and loyalty (hint: not with the artists), I don't know what does.
  • Details about MiiVi, a program/website intended to... what? No one's quite sure, but it looks like it was designed to a) trap users into uploading copyrighted content, and b) turn the user's machine into a p2p-spoofing zombie. When MiiVi was first connected to MD, MediaDefender issued a press release stating that MiiVi was only meant to be an internal website. The emails put the lie to that claim, with talk of SEO and public image.
  • Bad coding practices. This bug report from MiiVi showed that MD's sites are likely vulnerable to MySQL injection attacks.

How it happened

We still don't have confirmation on precisely how the emails were leaked, but this is my best guess:

  1. Jay Maris, an employee of MD, has all of his work email forwarded to his GMail account, mdjaym@gmail.com. His password sucks: "blahbob". (This information is directly reported by MD-D.)
  2. Jay registers an account at a private torrent tracker. Private trackers are semi-exclusive clubs that can generally keep industry spybots out, so these are juicy targets for the likes of MD. (From the emails, we know that MD was doing this [e.g.]. We speculate that Jay was directly involved in this activity.)
  3. Unfortunately, Jay registers the account using his GMail address and his GMail password. (Speculation; however, it fits the facts extremely well. Many people use the same password for multiple services.)
  4. The owners of the tracker notice that he is logging in from a banned IP address. (Very common. Many of the emails deal with acquiring new, not-yet-banned IP addresses and accounts. [e.g.])
  5. The tracker website is altered to capture Jay's password, since the password are likely not stored as plaintext in the database, for security reasons. The next time Jay logs in, the password is captured. (Why do I think they got the password this way? Well, GMail would be impossible to brute-force due to rate-limiting on the server, and human error is always more likely the cause for a security breach than program insecurity. This is why phishing works.)
  6. MD-D knows that the IP address is owned by MD, so they know Jay is a person of interest. They test the password against his email account, and it works. They find the corporate emails and export them, most likely using POP3 to download them into an email client. The rest is history.

Again, I doubt anyone "hacked" GMail, since that would be technically infeasible with only a single, pre-defined target (Jay) as well as with arbitrary, as-you-find-them targets (users of an insecure WiFi point.) Even then, they wouldn't have his actual password; such hacks usually result in direct access to his account without any way of determining the login info.

Phone conversation with NY Attorney General

After releasing the emails, MediaDefender-Defenders also released an MP3 recording of a VoIP conversation between MD and the New York Attorney General's office. The conversation focused on their collaboration in tracking down child pornography on peer-to-peer networks, and specifically on a log-in attempt from somewhere in Sweden [read or listen]. The source of the MP3 is unknown, though some in the efnet#mediadefender-defenders chatroom opined that MD recorded the VoIP call and left it on a server, the login info to which was exposed by the email leak. MD-D claims that it has infiltrated MD, but this may be a false statement intended to push MD into an internal witch-hunt.

Personally, I'm guessing the "attack" on the server was in reality a MD-D member testing out login info found in Jay's email. In any event, the AG keeps asking whether MD's mail servers are secure, and the topic turns to PGP and other forms of end-to-end encryption.

Sadly, it is in vain. Security is defeated again by human factors.


Responses: 5 so far

  1. name says:

    With regard to the last bit on the phone conversation:

    I don't get why people come up with these elaborate ways in which the phone call was recorded and then MD-D got the recording???

    The note that was distributed with the phone conversation indicated the MD-D had been monitoring MD's phone systems for the past 9 months. While this doesn't give a clear indication of how, it certainly suggests that MD-D was in control rather than got lucky.

    What would make sense, since they had access to the e-mail, would be that MD-D simply dialed into the phone conference and pushed record (probably as well as 'mute'). Keep it simple, stupid.

    Anyway, the phone conversation doesn't say that the server was in Sweden, but the IP address that tried to log in was from Sweden. It also doesn't say what type of server it was, where did you get that it's an SSH server?

  2. Baron says:

    Nice :-)

  3. Tim McCormack says:

    @name: I didn't see that note; thanks for the tip. However, I'm not convinced that they dialed in -- wouldn't they show up in the VoIP software? I could believe that they hacked into an Asterisk server, since there are known major vulnerabilities in older versions of it, and people tend to overlook upgrades for that kind of infrastructure.

    Oh, my bad about the server -- you're right, the "attack" was from Sweden, and the transcript didn't say it was an SSH server.

    Thanks for the corrections!

  4. name says:

    Were they using an Asterisk server? I hadn't known about Asterisk until now, so I wouldn't have noticed if any information thus far had indicated that.

    In any event, I can only go off of my own experience. I used to work for a world-wide company and often needed to conduct business between offices in different countries by setting up conference calls. Doing so would provide me with an e-mail in the exact same format as the one for the recorded meeting from MD.

    Even as the host there was really no indication of who was connected, though you could sometimes tell by small sounds on the line. Muting a phone before connecting to the meeting would dramatically reduce any such indicating noise. I'm not at all well-read on the technology or software packages used in business conference calls, so my situation could have very well been an odd one.

  5. Tim McCormack says:

    Regarding the possibility of an Asterisk server... again, only IRC speculation.

    That's wild that you wouldn't see who was connected on a VoIP conference call! That seems like an *extremely* plausible explanation.