Anthony Murgio and Yuri Lebedev, operators of the Bitcoin/Fiat exchange Coin.mx, were arrested by the FBI at their Florida homes last week, and charges in the Southern District of New York by Preet Bharara's office were unsealed against them this week. The Feds accuse Coin.mx of trading roughly 1.8 million dollars worth of Bitcoin and Fiat, using the pretext of a memorabilia collector's club to conceal their actual activities from their banks and later acquiring control of a small credit union for greater autonomy.
Brute Force for keyboard-interactive OpenSSH Logins Discovered
There is a proof of concept which allows an attacker to attempt to brute force OpenSSH servers with keyboard-interactive logins enabled. FreeBSD users are especially affected, as FreeBSD allows keyboard-interactive OpenSSH logins by default. This brute force allows attempting up to 10,000 password entries at a time. For quite some time it has been known that all forms of password authentication over SSH are weaker by necessity than key-based authentication, which should be the only login method allowed on any machines over SSH. This is a rather minor enhancement to an existing protocol-level vulnerability, but this incident should serve as a reminder that a well-configured SSH server will by necessity only allow key-based logins. A patch which corrects this issue has already been committed to the source tree and will be included with OpenSSH 7.0, which is due for release in a few weeks.
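One way to check a server against the advice above, as an added example that is not part of the original article: a small audit of the global section of an `sshd_config` for password-style login methods. The function names `first_value` and `audit_sshd_config` and the sample configs are constructed for illustration; the script assumes upstream defaults (both methods enabled when unset) and does not follow `Match` blocks or `Include` files.

```shell
#!/bin/sh
# Added example: flag password-style logins in the global section of an sshd_config.
# Assumptions: Match blocks and Include files are not followed; upstream defaults
# (both methods enabled when unset) apply.

# first_value FILE KEYWORD: print the first value given for KEYWORD, lowercased.
# sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
first_value() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                      # drop leading whitespace
        /^#/ || /^$/ { next }                       # skip comments and blanks
        { n = split($0, f, /[ \t=]+/) }             # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }           # global section ends here
        tolower(f[1]) == tolower(key) { print tolower(f[2]); exit }
    ' "$1"
}

# audit_sshd_config FILE: print findings; return 1 if any password-style method is on.
audit_sshd_config() {
    weak=0
    pw=$(first_value "$1" PasswordAuthentication)
    kbd=$(first_value "$1" KbdInteractiveAuthentication)
    cr=$(first_value "$1" ChallengeResponseAuthentication)   # older keyword name
    if [ "${pw:-yes}" != no ]; then
        echo "WEAK: PasswordAuthentication is enabled"; weak=1
    fi
    # Conservative: enabled if neither keyword is set, or either one says yes.
    if [ -z "$kbd$cr" ] || [ "$kbd" = yes ] || [ "$cr" = yes ]; then
        echo "WEAK: keyboard-interactive authentication is enabled"; weak=1
    fi
    [ "$weak" -eq 0 ] && echo "OK: no password-style method is enabled"
    return "$weak"
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d)
printf '%s\n' 'Port 22' 'PasswordAuthentication no' > "$tmp/default_kbd"
printf '%s\n' 'passwordauthentication no' 'ChallengeResponseAuthentication=no' \
    'PubkeyAuthentication yes' > "$tmp/keys_only"

audit_sshd_config "$tmp/default_kbd" || true   # keyboard-interactive left at default
audit_sshd_config "$tmp/keys_only"
```

The first sample shows the case the article warns about: disabling `PasswordAuthentication` alone leaves keyboard-interactive logins available.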
Counterfeit Coupon Dealer Pleads Guilty
A Louisiana man charged with conspiracy to commit wire fraud and conspiracy to commit trademark counterfeiting in May of this year has pleaded guilty (archive) to the charges. Beau Wattigney, better known under the names PurpleLotus/GoldenLotus/MoxDiamond/NickMode, sold counterfeit coupons on the Silk Road 1.0 and 2.0 which provided the bearer with significant discounts such as $50 Visa gift cards for $0.01 each.
Wattigney will be sentenced on October 28th, 2015.
Grooveshark Cofounder Dead at 28
Josh Greenberg, a cofounder of the late music streaming service Grooveshark, was found dead in his Florida home, and according to the BBC and his mother he had no ongoing health concerns. Grooveshark was founded in 2006 and closed this April after years of legal harassment by agents of the copyright regime, culminating in a United States court finding Grooveshark liable for up to nearly three quarters of a billion dollars in damages. At its peak Grooveshark provided 145 people with employment.
"Entertainment System" Vulnerability Turns Vehicles Into Hot Death
Reports (video) are in that cybersecurity researchers Charlie Miller and Chris Valasek have demonstrated a potentially life-threatening[1] security vulnerability in a raft of new cars and trucks with "connected" entertainment systems.
[1] Michael Hastings, anyone?
Bitcoin Group's IPO Hit With Stop Order By Australian Regulator
The Australian Securities and Investments Commission has issued an interim stop order on Sam Lee's Bitcoin Group IPO which intends to float on the Australian Stock Exchange later this year. After considerable delays, the Bitcoin Group lodged its prospectus late last month with the regulator issuing the interim stop order on the 13th of July[1]. At this time, ASIC provides no information as to why it has issued the interim stop order. ASIC describes a stop order as:
[1] Document #027846316
Microsoft Product Critical Vulnerability Week After Update End of Life
Microsoft has now announced a vulnerability in all of its Windows products a week after its Windows Server 2003 product reached end of life for continued support. For what little it is worth, Microsoft has issued an emergency patch to address this vulnerability in supported versions of its Windows family of products. The vulnerability exists in the way Microsoft products handle Microsoft's own "OpenType" format for fonts. This exploit via fonts affecting Windows desktops and servers follows an April exploit which rooted Windows servers using their flawed JPEG handling mechanisms. Microsoft stands to profit from users of Windows Server 2003 either upgrading to a supported version or opting for premium beyond-end-of-life support contracts.
Silk Road Heroin Dealer Receives 2-1/2 Years Prison Sentence
Reuters reports (archive) that Michael Duch, AKA Deezletime, otherwise known as the Silk Road heroin dealer who turned government witness and testified (archive) against Ross Ulbricht despite having never communicated with him, has been sentenced to a term of 2-1/2 years prison time for conspiring to sell drugs.
A request by Duch's lawyer Samuel Braverman that Duch now be released into a drug treatment program was denied by U.S. District Judge Katherine Forrest, stating it would not be the right thing to do. Receiving credit for the 21 months already spent in custody, Duch is expected to be released soon.
Trial For Alleged Ricin Importer Begins
The Guardian reports (archive) the trial of a British man arrested last February after he allegedly attempted to purchase ricin via the darknet site Evolution Marketplace began this week with the prosecution telling jurors Mohammed Ammer Ali AKA WEIRDOS OOOO attempted to order 500mg of ricin from them paid for in bitcoin and that he promised to be a repeat customer.
Communicating with an undercover FBI agent, Mohammed Ammer Ali is alleged to have arranged the shipment of five 100mg vials from the United States into the UK telling the undercover agent masquerading as a darknet marketplace merchant that:
ALM CEO Cries 'Terrorism' after Ashley Madison Hack
Billing itself as a dating site specifically for people in relationships who wish to have an affair, Ashley Madison was recently breached by an entity calling itself The Impact Team. A Gitlab user of the same name reportedly released a partial database dump containing members' personal information, including email and physical addresses and real names, though the dump was no longer accessible as of July 21st. In a message left on the site and since removed, the breacher claims to have "taken over all systems in [Avid Life Media (Ashley Madison's parent company)'s] entire office and production domains, all customer information databases, source code repositories, financial records, emails." The message lambasted ALM for charging its users a $19 fee to delete their account data while keeping their credit card purchase details including names and addresses on file, and threatened to release a complete database dump unless the company "shuts down" Ashley Madison and Established Men, another site it "owns".