by Constantine von Hoffman

US Congress Used BitTorrent to Steal Movies, TV

Jan 18, 20134 mins

This week's cybersecurity news roundup has stories on the U.S. Congress illegally downloading movies and TV shows; an employee who worked several jobs at once by outsourcing them all to China, for a fraction of his pay; new Java exploits; and more.

A document from ScanEye, which runs BitTorrent monitoring services to help combat piracy, includes a list of pirated movies and TV files that have been downloaded via IP addresses associated with the U.S. House of Representatives.

What did these fine folks steal in October and early November?

A lot of TV, including DeGrassiThe Next Generation, Treme, Glee, CSI, Dexter, Are We There Yet  The Thanksgiving Episode, Boardwalk Empire and, perhaps most fittingly, The Walking Dead and two episodes of Pretty Little Liars  The Lying Game and A Kiss Before Lying.

Among the movies to get the Congressional seal of illegal approval: Iron Sky, Life of Pi, Dark Knight Rises, Captain America, Flight, Tron: The Revolution, Chronicles of Riddick, Untitled International Thriller (one of my favorites), and just in time for Christmas: Bad Santa2 which hasn’t been released yet.

Moving on, the best story this week not involving Manti T’eo (everyone who believes he was a “victim” of a hoax raise your hands) is …

A security audit revealed a star developer had outsourced his own job to a Chinese subcontractor for a fraction of what he was getting paid AND had also taken jobs with other firms and had outsourced that work too, netting him hundreds of thousands of dollars in profit.

Verizon investigators checked the computer habits of an employee of a client (code named “Bob”), and discovered he had hired a software consultancy in Shenyang to do his programming for him. Bob overnighted them his two-factor authentication token so they could log into his account, and he paid them a fifth of his six-figure salary to do the work.

As The Register reports:

“The analysis of his workstation found hundreds of PDF invoices from the Chinese contractors and determined that Bob’s typical work day consisted of:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time

2:00-ish p.m – Facebook updates, LinkedIn

4:30 p.m. – End-of-day update e-mail to management

5:00 p.m. – Go home

The scheme worked very well for Bob. In his performance assessments by the firm’s human resources department, he was the firm’s top coder for many quarters and was considered expert in C, C++, Perl, Java, Ruby, PHP, and Python.”

If he’d been the CEO he would have gotten a million dollar bonus.

Also in the week’s IT security news:

Phishing Toolkit Uses Whitelisting To ‘Bounce’ Non-Victims

  • (SlashDot) — Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims. The new toolkit, dubbed ‘Bouncer,’ was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a ‘404 page not found’ error message.

New Java Exploit Fetches $5,000 Per Buyer

  • (KrebsonSecurity) — Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned. On Sunday, Oracle rushed out a fix for a critical bug in Java that had been folded into exploit kits, crimeware made to automate the exploitation of computers via Web browser vulnerabilities. On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting at $5,000 each.

Java Exploit Used in Red October Cyberespionage Attacks, Researchers Say

  • (CSO) — The hundreds of government, military and research organizations targeted in a large-scale cyberespionage operation dubbed Red October were not only attacked using malicious Excel and Word documents as previously believed, but also by using Web-based Java exploits, according to researchers from Israeli IT security firm Seculert.

Dire Warnings Don’t Yield Better Critical Infrastructure Security

  • (CSO) — The warnings of possible catastrophic cyberattacks on critical infrastructure in the U.S. have been issued for more than a decade. They were frequent and insistent in 2012, from high-ranking government officials and others. Outgoing U.S. Secretary of Defense Leon Panetta warned in a speech in New York last October that cyberattacks by a hostile nation-state on critical infrastructure like transportation, water supply or the electric grid could amount to a “cyber Pearl Harbor.” He also said the U.S. was at “a pre-9/11 moment.” But the Department of Homeland Security (DHS) says that despite those warnings, the peril remains — thousands of domestic industrial control systems (ICS) remain vulnerable.