Alu Card

Researcher Receives Copyright Threat After Exposing Security Hole

imperothreatLast month researcher Zammis Clark (known online as ‘Slipstream’) discovered a security flaw in Impero Education Pro (IEP), a not insignificant find given the software’s application.

IEP is widely used in UK schools to monitor and restrict students’ Internet activities. According to Slipstream, the flaw had the potential to expose the personal details of thousands of users’ to hackers.

Early last month the researcher announced his find on Twitter while noting that it would allow for remote code execution on all Windows clients. Within the tweet he posted a link to his proof-of-concept code.

slipstream

“[Impero] had a booth at BETT back in January. They gave out donuts. Those were nice,” Slipstream wrote

“Unfortunately, when I asked about their security, nobody answered me. Some reversing later, looks like Impero is completely pwned amirite.”

While Slipstream ultimately advised against using Impero’s product, he says he didn’t immediately inform the company of the vulnerability.

“Not being a customer, I wouldn’t have known where to send it, or whether they’d even reply to me,” the researcher told TF. “And, given the severity of the issue, I figured that full disclosure would cause some sort of fix pretty quickly.”

In fact, that prediction proved correct, with Impero issuing a temporary security patch to fix the flaw.

“We immediately released a hot fix, as a short-term measure, to address the issue and since then we have been working closely with our customers and penetration testers to develop a solid long-term solution,” the company said.

“All schools will have the new version, including the long-term fix, installed in time for the new school term.”

However, Slipstream claims the patch wasn’t effective.

“Of course, their fix turned out to be inadequate. After speaking to Impero users on a forum who advised me to email Impero support, I did just that, responsibly disclosing to them exactly how their fix was inadequate and that I had an updated PoC that worked against it,” he told us.

At this point it appears that relations between Slipstream and Impero had already taken a turn for the worse. After disclosing the issues with the patch almost a week ago, this week he received a legal threat from the company.

“In breach of the license terms, you have modified the software without our client’s authority, you have decompiled the software for purposes otherwise than to achieve interoperability and you have published confidential information about our client’s software,” Impero’s legal team state.

“By publicising the encryption key on the internet and on social media and other confidential information, you have enabled anyone to breach the security of our client’s software program and write destructive files to disrupt numerous software systems throughout the UK.”

improcopyright

Impero’s lawyers say that Slipstream’s actions have caused “direct loss and damage” in addition to “reputational damage” and “potential damage” to numerous IT systems used by schools throughout the UK.

“The loss and damage to our clients caused by your activities is significant and will in any legal action taken in the civil courts be the subject of applications to the court for restraining orders to restrict you from further copyright infringement and breach of confidence as well as court orders for monetary compensation,” the letter adds.

After advising Slipstream to seek legal advice and setting a deadline of July 17, Impero’s lawyers suggest that the damage to their clients could be mitigated if the Github posting and all associated Tweets are taken down. That has not yet happened.

Slipstream is disappointed by the threats and informs TF that taking action against researchers like himself could even prove counter-productive.

“Legal threats here would just be ‘shooting the messenger’ so to speak, and would discourage security researchers from actively reporting any issues,” he explains.

“Such legal threats to security researchers would certainly not prevent any malicious individuals from finding issues themselves, and using them for malicious purposes.”

Indeed, this last point is particularly relevant. Slipstream says that he knows someone who has found two other security issues in Impero’s software. Whether they will be tempted to speak to the company considering its aggressive legal response will remain to be seen.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.


Source: TorrentFreak

Pirate Bay ‘Hydra’ Loses Another Domain Name

hydra2Last May the Stockholm District Court ordered the Pirate Bay’s .SE domains to be handed over to the Swedish state, arguing that they were linked to copyright crimes.

The Pirate Bay was fully prepared for the negative outcome and quickly redirected its visitors to a ‘Hydra’ of six new domain names.

The notorious torrent site decided to use more than one domain name, anticipating that not all would survive pressure from copyright holders.

This was no unnecessary precaution as the first domain name was suspended after just a few days. The site’s .GS domain went offline after an intervention from the associated registry, chopping off one head.

Today, another domain has gone overboard.

A few hours ago the Armenian registry put ThePirateBay.AM om hold, rendering it inaccessible. The URL may still work for some if the DNS entries are cached, but it will soon be unavailable everywhere.

The ISOC-AM registry hasn’t commented publicly on the domain name suspension yet. However, it seems likely that the organization took action following a copyright holder complaint.

thepiratebay.am on hold

tpbamwhois

Not all domain registries are equally responsive to copyright complaints. Some suspend a domain name after a single complaint, while others require a local court order before taking action.

The Mongolian registry, which is behind TPB’s .MN domain name, previously informed TF that they will process potential complaints through ICANN’s Dispute Resolution Policy, suggesting that they will not take any voluntary action.

Despite losing another domain name, The Pirate Bay team isn’t too worried. They still have plenty of alternative domains to pick from and four of the current domain names still work just fine.

“We have more domain names behind, if needed. We are stronger than ever and will defend the site to the end,” the TPB team informs us.

The Pirate Bay is currently accessible via the LA, VG, MN and GD domain names. The original .SE domain is still operational as well, pending an appeal, and redirects users to one of the new domain names.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.


Source: TorrentFreak