Feb 29 2012

Constitutional Showdown Voided: Feds Decrypt Laptop Without Defendant’s Help

 

Colorado federal authorities have decrypted a laptop seized from a bank-fraud defendant, mooting a judge’s order that the defendant unlock the hard drive so the government could use its contents as evidence against her.

The development ends a contentious legal showdown over whether forcing a defendant to decrypt a laptop is a breach of the Fifth Amendment right against compelled self incrimination.

The authorities seized the encrypted Toshiba laptop from defendant Ramona Fricosu in 2010 with valid court warrants while investigating alleged mortgage fraud, and demanded she decrypt it. Colorado U.S. District Judge Robert Blackburn ordered the woman in January to decrypt the laptop by the end of February. The judge refused to stay his decision to allow Fricosu time to appeal.

“They must have used or found successful one of the passwords the co-defendant provided them,” Fricosu’s attorney, Philip Dubois, said in a telephone interview Wednesday.

He said the authorities delivered to him Wednesday a copy of the information they discovered on the drive. Dubois said he has not examined it.

The development comes a week after a federal appeals court ruled in a separate case that forcing a criminal suspect to decrypt hard drives so their contents can be used by prosecutors is a breach of the Fifth Amendment right against compelled self-incrimination.

It was the nation’s first appellate court to issue such a finding. The Supreme Court has never dealt directly with the issue.

The decision by the 11th U.S. Circuit Court of Appeals said that an encrypted hard drive is akin to a combination to a safe, and is off limits, because compelling the unlocking of either of them is the equivalent of forcing testimony.

Judge Blackburn, however, was not legally bound to follow that precedent, because he sits in the circuit covered by the 10th U.S. Circuit Court of Appeals, which had refused to review his decision.

The woman and her ex-husband co-defendant, Scott Whatcott, are accused of filing fraudulent documents to obtain home titles and selling the houses without paying the mortgage. Dubois believes Whatcott supplied the password to the police.

Dubois had suggested in an earlier interview that Fricosu may have forgotten the password, and faced potential contempt charges had she not decrypted the hard drive by Wednesday.

Photo: nist6ss/Flickr

Feb 29 2012

Kim Dotcom Remains Free on Bail As U.S. Appeal Fails

Kim DotCom in 1996. Photo:

AUCKLAND, New Zealand – Kim Dotcom remains free on bail after United States authorities lost an appeal of an earlier decision by a New Zealand court to grant him bail. Justice Brewer dismissed the appeal, which was put forward by New Zealand Crown lawyers on behalf of the U.S. government, in the Auckland High Court late Wednesday afternoon, local time.

Dotcom, the outsized founder of Megaupload and associated file locker sites, is accused of masterminding a business that made more than $100 million by charging users to watch and download copyrighted material. Megaupload’s lawyers say the site complied with U.S. copyright laws, despite being based in Hong Kong, and that like any other internet company it is not responsible for policing its own site for copyright violations. New Zealand police raided Dotcom’s mansion in New Zealand in January, acting on warrants issued by the United States for conspiracy to commit money laundering and criminal copyright infringement.

Dotcom will remain free, though tracked via an electronic bracelet, while he awaits the hearing that will decide if he and four Megaupload associates should be extradited to the U.S. The hearing is expected to take place in August this year. If the U.S. Justice Department had won the appeal, Dotcom would have faced a further six months in jail until the extradition hearing. Dotcom is also banned from using the internet as a condition of his bail.

According to Justice Brewer’s ruling, if Dotcom were to be held in prison for the next six months, the flight risk would have to be real. U.S. authorities alleged that Dotcom has undeclared funds stashed away, and that these could be used to flee the country. However, Justice Brewer said that while he could not be certain that Dotcom would not leave New Zealand, he wasn’t required to be satisfied of that to give the Megaupload millionaire bail.

In a new twist, the pregnant wife of Dotcom, Mona, is also under investigation by U.S. authorities. New Zealand Crown lawyers acting for the U.S. have received an application alleging that Mona Dotcom may have been involved in the company. They expect more information to arrive overnight from U.S. prosecutors. Whether or not this will lead to the arrest of Mona Dotcom is unclear at this stage.

Earlier on, Dotcom’s lawyers requested that some $185,000 a month of his seized funds be released to cover living expenses. These would be used for expenses including staff such as nannies, bodyguards, and a personal assistant. The prosecution, however, would only concede to roughly $6,700 a month.

Feb 28 2012

25 Alleged Anons Arrested in International Crackdown

A Spanish protestor in a Guy Fawkes mask. Photo: Pepe Pont/Flickr

Police in four nations arrested 25 alleged participants in the Anonymous collective Tuesday for attacks against websites in Columbia and Chile dating from the middle of 2011.

Officers in Argentina, Chile, Colombia and Spain worked together in “Operation Unmask,” seizing 250 pieces of equipment, including phones, during searches of 40 locations in 15 cities, according to INTERPOL. The arrestees were between the ages of 17 and 40, but their names and locations were not released.

“This operation shows that crime in the virtual world does have real consequences for those involved, and that the Internet cannot be seen as a safe haven for criminal activity, no matter where it originates or where it is targeted,” said Bernd Rossbach, Acting INTERPOL Executive Director of Police Services, in the INTERPOL release.

The arrests come as Anonymous has become a powerful online force. On Monday, WikiLeaks sprang back to life, publishing e-mails from a controversial private intelligence firm known as Stratfor that were obtained by Anonymous hackers. Anonymous’ recent activities have ranged from coordinating protests against ACTA in Europe and supporting the Arab Spring with online logistics to conducting regularly scheduled Friday hacks intended to embarrass law enforcement and corporations.

The interpol.int website was down for some time Tuesday, after a prominent Spanish language account associated with Anonymous called for a DDoS attack on the site on Twitter. Another Anonymous account declared “Tango Down,” the anon term signaling a website has been taken offline, at 5:43 p.m. EST. As of the time of this writing, the INTERPOL website is responding again, but slowly.

Spanish police traced back IP addresses from server logs, leading to 10 suspects in Argentina, six in Chile and five in Colombia, responsible for defacement of websites and publishing confidential data, including the personal data of the security detail of unnamed top officials, according to Agence France Presse.

Others who have participated in Anonymous DDoS protests and some accused of real hacking have been arrested and prosecuted in the U.S. and internationally. However, the arrests have not, at least so far, had any outward effects on the Anonymous movement.

Feb 28 2012

Google Offers $1 Million in Hacker Bounties for Exploits Against Chrome

It may be hard out there for a pimp, but it just got a little bit more lucrative for a hacker.

Google announced on Monday that it would pay $1 million in cash awards to anyone who can hack its Chrome browser during its Pwnium security challenge next week in Vancouver at the CanSecWest conference.

Google has pledged to pay multiple awards in the amounts of $60,000, $40,000 and $20,000, depending on the severity of the exploits, up to $1 million. Winners will also receive a Chromebook.

“We require each set of exploit bugs to be reliable, fully functional end to end, disjoint, of critical impact, present in the latest versions and genuinely ’0-day,’ i.e. not known to us or previously shared with third parties,” Google wrote on its blog.

The exploits must work against Windows 7 machines running the Chrome browser.

$60,000 – “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.

$40,000 – “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows sandbox bug.

$20,000 – “Consolation reward, Flash / Windows / other”: Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. These exploits are not specific to Chrome and will be a threat to users of any web browser. Although not specifically Chrome’s issue, we’ve decided to offer consolation prizes because these findings still help us toward our mission of making the entire web safer.

Google’s hack challenge will run alongside the $15,000 Pwn2Own contest that runs each year at CanSecWest, which challenges researchers to exploit vulnerabilities in fully patched browsers and other software.

Last year, Google offered a $20,000 bounty, on top of the base $15,000 Pwn2Own prize, for anyone who successfully downed Chrome, but there were no takers. Chrome is currently the only browser eligible for the Pwn2Own contest that has never been brought down, Ars Technica notes. Contestants have indicated that difficulties bypassing Google’s security sandbox is the reason they’ve avoided the browser and focused on the Internet Explorer and Safari browsers instead.