[funsec] MediaDefender Fires yesterdays IT security people,
looking for new ones
Joel R. Helgeson
joel at helgeson.com
Mon Sep 17 10:41:50 CDT 2007
Thread worth watching:
"...the word on the street is simply that one of their staff signed up to a
torrent site from one of MediaDefender's IPs with the same gmail address as
username and password as he used for his gmail account where all hese
e-mails had been archived."
Heh, they all but went out of their way to provide access to the hackers.
The top brass had his emails being forwarded to his Gmail account, bypassing
any and all security they had set up on the corporate network.
Then the hackers got the usernames and passwords and gained internal access
to the network, establishing admin access on the domain. They apparently set
up packet captures, or if MediaDefender were the ones capturing packets,
they found them and this is where they captured the VoIP calls.
"Keyloggers, we don't need no stinking keyloggers!"
The worst infections to get rid of are those who have admin access to the
network and who maintain their access using normal everyday network admin
utilities (From my experience, the French are especially good at this). I
have worked with sites that have been hacked where the intruders have
obtained an administrator level password, then gone in and set up RPC over
HTTPS on the domain servers, then the hackers have set up their own 2003
server, added it to the domain, promoted it to domain controller and had the
hacked company's Domain Controller perform an outbound sync (using the RPC
over HTTPS) to the hackers 2003 server. Any password changes the users make
on the home network will be replicated to their off site "guest host"
The hackers later added Distributed File Shares or DFS, and used it to
replicate file shares (i.e. user folders) information to their hacked domain
controller. The hackers basically set themselves up as a run-of-the-mill
remote office that synchronizes over a low-speed wan link.
This company was totally Pwn3d... I wouldn't be surprised to see the same
thing happened here with the amount of information they collected.
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On
Behalf Of Adam Jacob Muller
Sent: Sunday, September 16, 2007 5:07 PM
To: Richard M. Smith
Cc: funsec at linuxbox.org
Subject: Re: [funsec] MediaDefender Fires yesterdays IT security people,
looking for new ones
"in a recently leaked phone call, a New York attorney and MediaDefender
discuss the security of their email-server. Whilst there is some initial
confusion as to where the leak may have originated, they eventually write it
off as some technical problem"
There is some irony here, i'm sure of it.
"MediaDefender-Defenders proudly presents some more internal MediaDefender
stuff. more will follow when time is ready. MediaDefender thinks they've
shut out their internals from us. Thats what they think."
"In addition the the phone call, a huge MySQL database dump from a
MediaDefender server was leaked on BitTorrent as well. The database shows
tracking and decoy file information for the Gnutella network which is used
by P2P clients such as LimeWire."
On Sep 15, 2007, at 5:20 PM, Richard M. Smith wrote:
"The company MediaDefender works with the RIAA and MPAA against piracy,
setting up fake torrents and trackers and disrupting p2p traffic.
Previously, the TorrentFreak site accused them of setting up a fake internet
video download site designed to catch and bust users. MediaDefender denied
the entrapment charges. Now
<http://torrentfreak.com/mediadefender-emails-leaked-070915/> 700MB of
MediaDefender's internal emails from the last 6 months have been leaked onto
BitTorrent trackers. The emails detail their entire plan, including how they
intended to distance themselves from the fake company they set up and future
strategies. Other pieces of company information were included in the emails
such as logins and passwords, wage negotiations, and numerous other aspect
of their internal business."
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the funsec