GoDaddy Supports SOPA, Sparks Exodus From Its Registry Service

When the list of supporters of the Stop Online Piracy Act (SOPA) of the United States of America was put up online, many of the companies on it were large storehouses of copyrighted material and were predictably backing the Act. However, one prominent company on that list was GoDaddy. GoDaddy is the largest domain name registrar in the world with [and I quote their own post] around 50 million names registered to their service.


This did not sit well with Reddit user selfprodigy. Selfprodigy moved the 51 domains of his small business and his personal domain away from GoDaddy, and threatened to move the 300 domains of the company whose IT he manages as well.

I just finished writing GoDaddy a letter stating why I’m moving my small business’s 51 domains away from them, as well as my personal domains. I also pointed out that I transferred over 300 domains to them as a director of IT for a major American company.

The end result of this post? A massive exodus from GoDaddy to other registrars such as Namecheap and Hostgator. Joining the ranks of these people is Ben Huh, the CEO of the famous (?) Cheezburger group of sites, who is threatening to move his 1,000 domains away from GoDaddy unless they stop supporting SOPA.

Other registrars, such as Hostgator, EasyDNS and others, are capitalizing on this opportunity by offering discounts and the like for new registrations and transfers.

GoDaddy’s statement on this growing concern is one of infinite confidence in itself. To it, these are but a few drops in a boundless ocean of revenue. Yet I am sure that these drops will rain upon them in a torrent of retribution (pun intended). Protect the freedom of the internet, everyone!

RIAA Caught Downloading Illegal Torrents

Well well well, if it isn’t a ripe case of somebody set up us the bomb. At least that is what the Recording Industry Association of America claims after being caught red-handed: many people in its offices have been downloading illegal torrents of movies and music, the very activity the RIAA has been crusading against for years, fining people enormous amounts of money for infringing its members’ copyrights. Not only are they downloading music torrents (which some may claim are for research purposes), they are also downloading TV shows and cracked versions of software. All this was uncovered with the aid of a torrent download crawler called , in which the IP addresses logged by public trackers are matched against your current IP address to show the torrents downloaded from your IP. While useless for dynamic IP addresses or for those who use private trackers, it is still a very useful site for many purposes. That is exactly what TorrentFreak did, and it caught the RIAA, amongst others, in the act of doing exactly what they want to crack down upon.


So what was the RIAA’s response to this? “We totally did not download it, guys. Seriously!” Yes, they gave pretty much the exact excuse that those who receive the dreaded legal letter from the RIAA suing them do. In most cases, the people whom the RIAA sues are actually innocent, because many people do not know the dangers of running an open WiFi connection, and some do not know what a dynamic IP is. However, it seems that the RIAA has built an interesting excuse to get away with this, as a spokesperson for the RIAA claims:

Those partial IP addresses are similar to block addresses assigned to RIAA. However, those addresses are used by a third party vendor to serve up our public Web site. As I said earlier, they are not used by RIAA staff to access the Internet.

What is actually funny here is that it is quite obvious that the IP addresses found to be downloading torrents are fully registered to the RIAA, such as . Moreover, a company cannot register a block of IP addresses for its own use and then allow a third party vendor to use these IP addresses.

For a company that is used to suing children, old people without working internet connections or computers, and even dead people, this comes off as a godly smack in the face. I wish this evil organization were taken down, but if wishes were horses…

[Photo credit: Benjamin Gray]

Google, Microsoft, Yahoo and AOL Team Up to Combat Phishing

In spite of spirited efforts from email providers, browser developers, and security firms, phishing continues to be a major nuisance. There are already repositories like Phishtank that rely on crowdsourcing to identify phishing campaigns. However, crowdsourcing is not nearly nimble enough to tackle phishing scams that often require just a few hours to cause the intended damage.

Now, a new Cisco spinoff called Agari is trying to tackle the problem by combining multiple sophisticated approaches including authentication of the sender, message analysis, and end-to-end email channel visibility. Google, Microsoft, Yahoo, and AOL, who are amongst the biggest email providers, have joined hands to provide metadata about emails passing through their networks to Agari, which uses its cloud infrastructure to analyze more than 1.5 billion messages every day. It doesn’t receive the actual messages, but might receive suspicious links contained in the message along with miscellaneous metadata. Agari, which is launching today, has Facebook and some of the largest financial institutions, social networks, and ecommerce companies as its customers. Besides the aforementioned four email giants, file sharing website YouSendIt, social network LinkedIn, and Cisco are also part of its trust fabric network.


“Facebook can go into the Agari console and see charts and graphs of all the activity going on in their e-mail channel (on their domains and third-party solutions) and see when an attack is going on in a bar chart of spam hitting Yahoo,” for instance, Daniel Raskin, vice president of marketing for Agari, explained to CNET. “They receive a real-time alert and they can construct a policy to push out to carriers (that says) when you see this thing happening don’t deliver it, reject it.”

Agari, which had been operating in stealth mode for the past couple of years, protects 50 percent of U.S. consumer e-mail traffic and more than one billion individual mailboxes. During its stealth phase, it rejected more than one billion messages across its email partners. Agari believes that by having end-to-end visibility over most messages it can rapidly react and stop phishing campaigns in their tracks.

FBI’s Operation Ghost Click Busts Operators of DNSChanger Malware

The FBI has released details of its Operation Ghost Click, which led to the arrest of six operators of an internet fraud ring that had created and distributed a piece of malware called DNSChanger. All of the arrested men were of Estonian descent and worked primarily from Estonia and Russia.

DNSChanger changed the DNS settings of the host computer, so that when a user of an affected system tried to open a webpage, he or she would be rerouted to a website or advertisement chosen by the hackers. The victims were also directed to websites hosting other potential malware. The gang had infected about 4 million computers in 100 different countries. The United States alone had almost 500,000 DNSChanger-infected PCs, ranging from those owned by individuals to enterprises and even those used by NASA. The hackers are believed to have made at least 14 million dollars from the fraud.

As Janice Fedarcyk, Assistant Director in Charge of FBI’s New York office, read out in a statement,

The harm inflicted by the defendants was not merely a matter of reaping illegitimate income. The defendants also inflicted the following:

They victimized legitimate website operators and advertisers who missed out on income through click hijacking and ad replacement fraud.

Unwitting customers of the defendants’ sham publisher networks were paying for Internet traffic from computer users who had not intended to view or click their ads.

Users involuntarily routed to Internet ads may well have harboured discontent with those businesses, even though the businesses were blameless.

And then there is the harm to the users of the hijacked computers. The DNSChanger malware was a virus more akin to an antibiotic-resistant bacterium. It had a built-in defence that blocked anti-virus software updates. And it left infected computers vulnerable to other malware.

The rogue DNS servers have been replaced by genuine ones so that affected users do not face disruption of their internet service. But do note that this does not remove the actual malware from the affected system. The FBI has released a PDF document with details on how to check whether your system is infected. They have also released the range of rogue IP addresses that was used by the gang.


Details on how to find your IP address and help on cleaning up your system are also given in the PDF document mentioned above.
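The infection check the FBI describes boils down to reading the DNS servers a machine is configured to use and comparing them with the published rogue ranges. The Python below is an added example, not the FBI’s tool or anything from the page: it parses the two common places those settings appear (a resolv.conf file and `ipconfig /all` output) and flags any resolver inside a rogue range. The ranges and the sample files are constructed placeholders; substitute the ranges from the FBI’s PDF before trusting the verdict.

```python
"""Flag configured DNS resolvers that fall inside known rogue address ranges.

Added example for the DNSChanger write-up above; not FBI code.
ROGUE_RANGES are PLACEHOLDERS (RFC 5737 documentation space), standing in
for the ranges published in the FBI's PDF.
"""
import ipaddress
import os
import sys

# PLACEHOLDER rogue ranges, not the FBI's real list.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample inputs, embedded so the script runs offline.
RESOLV_SAMPLE = (
    "# constructed sample resolv.conf\n"
    "search example.net\n"
    "nameserver 192.0.2.53   # inside the placeholder rogue range\n"
    "nameserver 8.8.8.8\n"
)
IPCONFIG_SAMPLE = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.0.0.5
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _as_ip(token):
    """Return an ip_address object for token, or None if it is not an IP literal."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_resolv_conf(text):
    """Resolver addresses from resolv.conf-style text (Linux, macOS, BSD)."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Resolver addresses from 'ipconfig /all' output (Windows).

    The first server sits on the 'DNS Servers' line after the colon; any
    further servers follow on indented lines holding just an address.
    """
    servers = []
    in_dns_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS Servers"):
            value = line.split(":", 1)[1].strip() if ":" in line else ""
            if _as_ip(value):
                servers.append(value)
            in_dns_block = True
            continue
        if in_dns_block and _as_ip(line):  # continuation line
            servers.append(line)
            continue
        in_dns_block = False
    return servers


def check_resolvers(servers, rogue_ranges=ROGUE_RANGES):
    """Map each resolver to the rogue range containing it, or None if clean."""
    verdict = {}
    for server in servers:
        addr = _as_ip(server)
        hit = None
        if addr is not None:
            hit = next((str(net) for net in rogue_ranges if addr in net), None)
        verdict[server] = hit
    return verdict


if __name__ == "__main__":
    # Real use: python check_dns.py [path]; defaults to /etc/resolv.conf.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    text = open(path, encoding="utf-8", errors="replace").read() if os.path.exists(path) else ""
    found = parse_resolv_conf(text) or parse_ipconfig(text)
    for server, hit in check_resolvers(found).items():
        print(f"{server}: {'ROGUE range ' + hit if hit else 'not in rogue list'}")
```

On Windows, save the output of `ipconfig /all` to a file and pass its path; a hit means the resolver settings were altered, not that the malware itself has been removed.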

Massive DNS Poisoning Affects Major Brazilian ISPs

Brazil is currently under a massive DNS cache poisoning attack, reports Kaspersky Labs. When a user tries to visit popular local and global sites such as Google, Yahoo and Facebook, a popup like the one shown below is displayed. It asks the user to download a security suite called Google Defender in order to access the site.


As Kaspersky’s Fabio Assolini explains in his blog post,

In reality, though, this file is a Trojan banker detected by Kaspersky’s heuristic engine. Research into this IP highlighted several malicious files and exploits hosted there:

In fact the file ad.html is an encrypted script, exploiting CVE-2010-4452 and running arbitrary code in an old installation of JRE. The exploit detected by us as Exploit.Java.CVE-2010-4452.a calls up one of the files in this list. According to statistics in KSN (Kaspersky Security Network) all the infected users are from Brazil; we registered more than 800 attempts to access this site which were thwarted by our web antivirus.

The attack has been going on for some time. It is suspected that employees of ISPs who had access to DNS records were paid to change them in order to redirect users to malicious sites. Fabio also notes that an arrest has already been made in this case by the Brazilian Federal Police. The accused (an employee of an ISP) allegedly changed the DNS records over a 10-month period.

So, if you are from Brazil and have seen similar pop-ups, we recommend that you do not click on them. Follow the usual procedures: update your OS, your security software and all other installed programs, and run a complete system scan. Kaspersky also suggests changing your DNS provider to someone other than your ISP, such as OpenDNS or Google DNS.

Microsoft Releases Fix it Solution for Duqu and Advanced Notification for November Bulletin

Microsoft has released the advance notification for its November bulletin, which will be released on the 8th of this month.

This month will see the release of four security updates, of which one is rated critical, two are important and one is moderate. As noted in the table below, Bulletins 1 and 2 patch vulnerabilities that enable Remote Code Execution, while Bulletin 3 is for an Elevation of Privilege bug and Bulletin 4 is for a Denial of Service bug.


Of the four security updates, only Bulletin 3 applies to Windows XP and Server 2003. Bulletins 1, 2 and 3 apply to Windows Vista and Windows Server 2008. Interestingly, the newer operating systems, Windows 7 and Windows Server 2008 R2, require all four updates.

While Microsoft acknowledged a zero-day vulnerability in a Windows component, the Win32k TrueType font parsing engine, it did not include an update for it in this month’s security bulletin. Instead, it has released a Fix it solution which can be used until an update is released.

The vulnerability, which was exploited by the Duqu worm, allows an attacker to run arbitrary code in kernel mode, giving him the ability to install or run software or to view and edit data. The temporary workaround for this vulnerability is to disable access to T2EMBED.DLL. The Fix it solution released by Microsoft simply automates this process.

You can download the Fix it solution from here and the related security advisory can be found here.

In order to protect yourself from the zero-day attacks, make sure that you install the above mentioned updates as soon as they are released.

Stay up to date, stay safe.  

Have you been pwned? PwnedList will help you find out

Do you, at times, wonder whether your accounts have been compromised? If the answer is yes, you can now check by using a service appropriately called PwnedList (“pwn” is hacker jargon meaning that an account has been compromised).

It was developed by two security researchers, Alen Puzic and Jasiel Spelman of DVLabs. They explain the birth of PwnedList thus:

The site started out as a small research project with a rather simple premise: to discover how many compromised accounts can be harvested programmatically in just a couple of hours. Well, needless to say, the results were astonishing. In just under 2 hours we had close to 30,000 accounts, complete with logins and passwords. The truly scary part, however, was the quality of data we were able to collect in such a short amount of time. The accounts we were able to retrieve consisted of email services, social media sites, merchants and even financial institutions. It was clear that something had to be done.

At that moment PwnedList was born. We wanted to create a simple one-click service to help the public verify if their accounts have been compromised as a part of a corporate data breach, a malicious piece of software sneaking around on their computers, or any other form of security compromise.

All you have to do is head to and enter your email address or username in the text box and click Check. The input is then compared against SHA-512 hashes of harvested account dumps, stored as key-value pairs. The site says that the entered data is used only once for the search and is not stored. Still, if you don’t want to enter your username or email, you can enter its SHA-512 hash instead.


So, what if your email or username is found in their database? Immediately change that account’s password, as well as the passwords of your other accounts, just to be on the safe side. See my article, The Layman’s Guide to Computer Security, for tips on creating a strong password.
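The lookup described above, as an added example that is not PwnedList’s own code: harvested identifiers are indexed only by their SHA-512 hex digest, so a client can hash its email locally and query with the digest alone. The dump below is constructed sample data, and the normalisation step is an assumption about how such a service would treat case and whitespace.

```python
"""Hash-keyed breach lookup in the style described for PwnedList.

Added example, not PwnedList's code. SAMPLE_DUMP is constructed data.
Caveat for defenders: SHA-512 of an email address is NOT a secret. Email
addresses are low-entropy and guessable, so a hash-keyed index protects the
service from storing plaintext, but anyone holding the index can still
confirm whether a guessed address is present.
"""
import hashlib

# Constructed "harvested" accounts: (identifier, plaintext password).
SAMPLE_DUMP = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "password1"),
    ("carol_77", "letmein"),
    ("ALICE@example.com", "hunter2-again"),  # same account, different case
]


def normalize(identifier):
    """Canonicalise so 'Alice@Example.COM ' and 'alice@example.com' collide.

    Assumption: the service lower-cases and trims before hashing.
    """
    return identifier.strip().lower()


def sha512_hex(identifier):
    """The lookup key: SHA-512 hex digest of the normalised identifier."""
    return hashlib.sha512(normalize(identifier).encode("utf-8")).hexdigest()


def build_index(dump):
    """Key-value store: SHA-512(identifier) -> number of dump entries.

    Passwords and plaintext identifiers are discarded on purpose; the service
    only needs to answer "seen" or "not seen".
    """
    index = {}
    for identifier, _password in dump:
        key = sha512_hex(identifier)
        index[key] = index.get(key, 0) + 1
    return index


def is_pwned_by_hash(index, hex_digest):
    """Query with a digest the user computed locally (nothing plaintext sent)."""
    return index.get(hex_digest.strip().lower(), 0) > 0


def is_pwned(index, identifier):
    """Convenience path for users who type the address: hash, query, discard."""
    return is_pwned_by_hash(index, sha512_hex(identifier))


if __name__ == "__main__":
    idx = build_index(SAMPLE_DUMP)
    for probe in ("alice@example.com", "dave@example.com"):
        print(probe, "->", "PWNED" if is_pwned(idx, probe) else "not found")
    print("hash-only query:", is_pwned_by_hash(idx, sha512_hex("carol_77")))
```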

A Look at Facebook’s Security Infrastructure

25 billion actions a day, or 65,000 actions a second! That is the volume of actions generated by Facebook’s 800 million users. And this week Facebook released some information about the massive security infrastructure, called the Facebook Immune System (FIS), that scans all of these actions for any kind of suspicious activity.

As New Scientist explains,

It protects against scams by harnessing artificially intelligent software to detect suspicious patterns of behaviour. The system is overseen by a team of 30 people, but it can learn in real time and is able to take action without checking with a human supervisor.

The system was developed over a three-year period, and the numbers released by Facebook show that it has been pretty effective. The share of users affected by spam has been reduced to less than 1%. Even though that 1% still amounts to about 8 million users, with a little caution from the end user while using Facebook that number can be reduced even further.

Microsoft Research has put forward a PDF detailing the principles of FIS. According to it, the main components of FIS are:

• Classifier services: Classifier services are networked interfaces to an abstract classifier interface. That abstraction is implemented by a number of different machine-learning algorithms, using standard object-oriented methods. Implemented algorithms include random forests, SVMs, logistic regression, and a version of boosting, among other algorithms. Classifier services are always online and are designed never to be restarted.

• Feature Extraction Language (FXL): FXL is the dynamically executed language for expressing features and rules. It is a Turing-complete, statically-typed functional language. Feature expressions are checked then loaded into classifier services and feature tailers online, without service restart.

• Dynamic model loading: Models are built on features and those features are either basic or derived via an FXL expression. Like features, models are loaded online into classifier services, without service or tailer restart. As well, many of the classifier implementations support online training.

• Policy Engine: Policies organize classification and features to express business logic, policy, and also holdouts for evaluating classifier performance. Policies are Boolean-valued FXL expressions that trigger responses. Policies execute on top of machine-learned classification and feature data providers. Responses are system actions. There are numerous responses. Some examples are blocking an action, requiring an authentication challenge, and disabling an account.

• Feature Loops (Floops): Classification generates all kinds of information and associations during feature extraction. The floops take this data, aggregate it, and make it available to the classifiers as features. The floops also incorporate user feedback, data from crawlers, and query data from the data warehouse.


Although FIS has come a long way in tackling spam, it should be noted that FIS is still vulnerable to tactics that are new to it, such as socialbots. A socialbot works by sending friend requests to random people. The profile data of the people who accept the request is then used for identity theft, phishing attacks, etc.

So, it is always up to the end user to remain cautious of these types of attacks in order to protect their personal information.

You can find some of the common tips to protect your Facebook account here.

An Interview with an OpDarknet Anon

By now a good chunk of you will know about OpDarknet. This is a new operation by the nebulous collective Anonymous to purge the DarkNet, also known as the deep web, a microcosm of hidden networks that is unreachable by conventional web crawlers.

For this reason, the DarkNet is a treasure trove for those interested in illicit information and materials such as illegal drugs, arms and ammunition and child pornography (CP).

The fact that innocent children are being exploited to feed the urges of a number of perverse individuals did not sit well with Anonymous, and thus #OpDarknet was born:

On October 6th, 2011 some of us Anon were doing research into encryption and security. The ‘darknet’ sites of TOR, I2P, and Freenode piqued our interest. We were aware that TOR and I2P were originally designed to protect individuals from the oppressive governments of China, Iran and protect Free Speech.

What we discovered was quite the opposite. A growing and large community of pedophiles was abusing such systems for personal profit. To demonstrate this, The Hidden Wiki’s “hidden” section, the ‘Hard Candy’, is stated to be:

* This wiki page discusses resources specifically for people who are attracted to children. This can include everything from discussion groups to ostensibly legal images of children in dresses to full-out child pornography. The term children here refers to children and teenagers.

To explain how popular this community of pedophiles is: the total page views of the Hidden Wiki ‘Hard Candy’ section as of October 20th, 2011 is a total of 2,055,701. The total view count of the main index (non-pedophilia content) of The Hidden Wiki was 2,677,430 times.

Considering the scope of this mission and its success, we conducted a brief interview on the #OpDarknet channel of the anonops IRC server with a user named arson, representing #OpDarknet. This operation is a worldwide phenomenon, as most other Anonymous operations are, with Anons on every continent (as stated by arson). Arson forewarned us that much of the operation is still secretive and that they may not be able to answer all the questions we put forth.


Techie Buzz (TB): Pastebin data reveals that there is a huge amount of CP proliferating the DarkNet and most of the people there are staunch with their refusal to remove it since it is their “last safe haven” so to speak. Will it end in a stalemate?

Arson (A): I don’t believe it will. There are enough of us that operations go on around the clock nonstop, and we are gaining new supporters every day.

TB: And the process of your attacks will mostly be the same, i.e. DDoS (Distributed Denial of Service Attack) and when possible the unveiling of personal information of people involved in this kind of work, yes?

A: That I cannot say. What I can say is we will continue to take down the servers with any method necessary, and our research team will continue to dig up detail on the pedophiles.

TB: I see. This brings up my next question: is this attack only against CP or will it also continue to get rid of the underground markets such as the silk road, the farmer’s market and the contract killers etc. on the DarkNet?

A: This is only against CP

TB: Is there any connection between this op and the shut down of /r/jailbait? I know this is a rather lame question but the two events occurred quite close to each other so I was wondering. (Also the fact that a news channel got wind of [almost] CP proliferating on the clearnet and thus debasement of a collective of the internet followed.)

A: To my knowledge, there is no connection between #OpDarknet and the shut down.

TB: How do you think the attack will affect the BitCoin (BTC) economy, since a very high amount of transactions are done using BTC in the DarkNet and the fact that you guys have struck a nerve there may put a pause to a majority of the transactions there since it might be deemed unreliable.

A: The majority of transactions have nothing to do with CP, and as for the illicit ones that do, they should feel evasive of buying or selling any sort of CP related material.

TB: This might be nitpicking, but considering that CP-related material proliferates every bit of the DarkNet (from whatever I can see, it’s either that, or drugs or misc. shady deals) which is bought by BTC won’t the BTC market fall?

A: You might say so, but in doing that, you’re saying that BitCoins rely on child pornography. Forgive me for sounding crass, but if that’s the case, then the currency is doomed at heart.

TB: Why the sudden turn of events to policing the DarkNet? Was there any trigger for this operation?

A: We vowed to fight for the defenseless, there is none more defenseless than innocent children being exploited.

TB: Thanks a lot arson. Any final words you’d like to add?

A: We aren’t doing it for the recognition, or the PR. We are doing this because it’s what is right and what should have been done a long time ago.

The Anonymous collective is hell-bent on weeding out the smear of child porn from the DarkNet’s servers (specifically from Freedom Hosting), and it seems that they will punch through the staunch defense of the hidden web’s CP aficionados. However, if these people fled the searchable internet to the hidden one to pursue their ghastly pursuits, with enough time they may yet flee to a darker layer of the deep web to proliferate. Moreover, this is just a sprightly small step towards being rid of the plague of child pornography, and there are many miles to go before #OpDarknet sleeps. We hope the mainstream media picks this up and champions a campaign to get to the root cause of this exploitation. Kudos to #OpDarknet!

Germany is Using Trojan Spyware on its Citizens?

Today, I received a letter from Emsisoft that explained how a well-known group of hackers in Germany discovered and tested a trojan program that’s used by the German federal government to spy on its citizens. These white hat hackers, known as the Chaos Computer Club, determined that the “R2D2” or “State Trojan” is not only able to spy on an infected target computer, it’s also able to download more software and remotely control the target computer. So far, it’s designed to work only on Windows-based PCs.


Back in 2008, Computerworld reported that WikiLeaks documents provided information that Germany had hired a company named “Digitask” to create a trojan spy program for them. A few days ago, ZDnet was confirming that a few of the German State agencies have admitted to using this trojan in their investigations. Naturally, these were “legal” uses of the trojan, and required a judge’s signature.

The Electronic Frontier Foundation was curious to see if the U.S. Government had similar trojans, and in 2008, they submitted  a FOIA request. Unlike many other attempts to get information released, the EFF received documents that revealed how the FBI was investigating ways to intercept Skype conversations. I think we can assume that since then, the U.S. has done more than just “investigate” how to spy on Skype.

What does all of this mean to the average Windows user? It means that you not only have to worry about threats from the usual hackers after your money, you also have to worry about “Big Brother” trojans from your own government. Fortunately, companies like Emsisoft, F-Secure and Sophos have assured us that they intend to search for and eliminate government trojans as well as the typical spyware we’re used to seeing.

For those of you who are using Macintosh or Linux instead of Windows, feel free to stick out your tongue and say “na na na na na na“. You don’t have to worry about these trojans … for now.