Friday, 28 June 2013

FTC cracks down on firms for 'work from home' online scams

FTC Logo
The US Federal Trade Commission (FTC) has agreed to setttle a case against a group of individuals and businesses charged with running a massive marketing scam targeting home workers.
The FTC said that it had a agreed to a series of settlements against the group which had been charged with using deceptive marketing practices to collect money from users looking to start their own web businesses.
The settlement will bar the individuals from continuing with their practices and will also collect a series of fines, though many of the penalties were suspended due to an inability to pay.
According to the complain, first brough forward in May of last year, the scam advertised the opportunity for users to work from home with their own marketing and advertsiing sights. The scam promised users large cash returns by generating referrals and sales commissions from major retailers.
Instead, users were pushed to first invest hundreds of dollars for startup fees and were then solicited a series of advertising packages costing as much as $20,000 with the promise of alrge cash returns which were never generated.
In addition to the ban ending the 'work at home' scheme, the FTC has placed an order barring the group from violating telemarketing regulations and collecting or profiting from the personal data of users under threat of further penalty.
The FTC said that the order was part of aalrger effort to crack down on scams preying on users in financial hardship. With unemployment still high in many areas, users seeking steady employment can often finds themselves more vulnerable to online scams and 'get rich quick' schemes.

Hackers use Opera to sneak spyware onto thousands of Windows machines

Hackers have infected thousands of Windows machines with spyware using a stolen Opera digital signing certificate.
Opera's Sigbjørn VikSigbjorn confirmed the web browser company had lost at least one digital signing certificate during a recent network breach, warning the crooks are using it to mount a defence-dodging spyware campaign on Windows users.
"The current evidence suggests a limited impact. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser," wrote VikSigbjorn.
"It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate."
VikSigbjorn called for Opera users to update to the latest browser to avoid falling victim to the attack. "Users are strongly urged to update to the latest version of Opera as soon as it is available, keep all computer software up to date, and to use a reputable antivirus product on their computer," wrote VikSigbjorn.
Trend Micro security researcher Alvin Bacani reiterated VikSigbjorn's sentiment, warning the TSPY_FAREIT.ACU malware used in the attack has several advanced spying powers. "Once executed, TSPY_FAREIT.ACU steals crucial information from certain FTP clients or file managers including usernames, passwords and server names. Aside from FTP clients, TSPY_FAREIT.ACU gathers more information from internet browsers," wrote Trend's Bacani.
"The data is typically login credentials for social networking, banking and ecommerce websites. Using the information, the people behind the malware can get hold of your various online accounts or even initiate unauthorised transactions. They can also profit from the stolen data by selling it to the underground market."
The malware is one of many to use legitimate certificates to bypass traditional defence systems. Last year the tactic was used by the infamous Flame malware, which used a spoofed Microsoft update certificate to bypass its victims' defences.

Facebook shells out $20,000 to bug bounty hero for spotting account hijacking flaw

facebook use drops 9 per cent
Facebook has fixed a critical flaw leaving users open to attack by hackers, shelling out a massive $20,000 to the bug bounty hunter that spotted the exploit.
The bug was originally discovered by UK-based security researcher and bug hunter Jack Whitten. It relates to the way Facebook manages updates to mobile devices via SMS, he explained.

"Facebook gives you the option of linking your mobile number with your account. This allows you to receive updates via SMS, and also means you can log in using the number rather than your email address. The flaw lies in the /ajax/settings/mobile/confirm_phone.php end-point. This takes various parameters, but the two main are code, which is the verification code received via your mobile, and profile_id, which is the account to link the number to," Whitten noted.
Whitten said that the flaw could potentially be used by criminals to hijack control of unwary users' Facebook accounts. "The thing is, profile_id is set to your account (obviously), but changing it to your target's doesn't trigger an error. To exploit this bug, we first send the letter F to 32665, which is Facebook's SMS shortcode in the UK. We receive an eight-character verification code back. We enter this code into the activation box, and modify the profile_id element inside the fbMobileConfirmationForm form," he wrote.
"Now we can initate a password reset request against the user and get the code via SMS. Another SMS is received with the reset code. We enter this code into the form, choose a new password, and we're done. The account is ours."
A Facebook spokesman confirmed to V3 it has since fixed the flaw, changing it so its systems no longer accept the profile_id parameter listed in Whitten's exploit from the user. The spokesman went on to thank Whitten for his help uncovering the exploit, listing it as a key victory in Facebook's ongoing bug bounty programme. "Facebook's White Hat programme is designed to catch and eradicate bugs before they cause problems. Once again, the system worked and we thank Jack for his contribution," the Facebook spokesman said.
He added the flaw could never have been automatically exploited, meaning its impact, even if targeted by hackers, would be limited. Despite the comment, other bug hunters have attacked Facebook, claiming Whitten has been drastically under-rewarded. Commentator Mohammad Husain wrote on his blog: "This is worth more than $20,000", while fellow blogger Shadôw Hawk added, "This issue is worthy [of a] million dollars".
Bug bounties are an increasingly common tactic used by tech companies to spot flaws in their systems, with big name firms like Google having established programmes. Most recently, security aggregator PacketStorm launched its own bug bounty programme, offering bug hunters as much as $7,000 for uncovering working exploits.

PRISM: David Davis says UK laws to protect citizens from surveillance are ‘completely useless'

The Houses of Parliament in London
The processes in place to protect UK citizens from surveillance by spy agencies such as GCHQ have been branded ‘completely useless' by former shadow home secretary and MP David Davis.
Speaking in the House of Commons at a session on the PRISM and Tempora revelations of the past few weeks, Davis said that it was clear from the level of data claimed to have been gathered by GCHQ that UK citizens had little protection from data-gathering technologies.
"The supervision procedures are completely useless - not just weak, but completely useless," he said at the committee event, attended by V3. "What Tempora has done is raise a red flag that we have to rethink, from scratch, all the oversight arrangements we have."
Davis said he, like everyone else, was only learning about these issues as they are being brought to light by whistleblowers, and said it was unclear why exactly the UK spy agencies were willing to hand so much data to the US. He laid out two main possibilities.
The first, he said, was as a ‘big chip' replacement for the intel the UK used to be able to provide to the US authorities from areas like Hong Kong and Cyprus, areas where the UK's influence has now waned.
The second, he said, was simply to provide information to the US in return for data from across the pond. This would be a "loophole" by which the UK could gather data on its citizens without directly doing so.
Looking to the future, Davis said one silver lining of the uproar from the revelations about PRISM and Tempora is that the Communications Data Bill, the so-called Snoopers' Charter, is unlikely to see the light of day for at least a year, despite calls for its return in the aftermath of the murder of soldier Lee Rigby in Woolwich.
"In the last five days a number of people [other MPs] who were huge sceptics about all this sort of thing have said to me, ‘maybe you are right', so we've probably seen it off for a year or so," he said. "After Woolwich there were calls that perhaps we need it [the Communications Data Bill] but MI5 themselves have admitted it would have made no difference, and it would probably cause more incidents as they'd be wasting time in databases rather than tracking people."

The role of organisational factors in insider cyber activity

Cyber insider is someone who (knowingly or unknowingly) misuses legitimate access to commit a malicious act or damage their employer.
It is widely recognised that the threat to enterprises from insider activities is increasing and that significant costs are being incurred.
Insider act takes place where is often an exploitable weakness with the employer’s own protective security or management practices which enables the insider to act.
The following organisational practices were identified as key enablers to an insider act:

  • Poor management practices
A general lack of management supervision or oversight of employees meant that many of the behaviours,
problems and activities of the insider were noticed but went unaddressed.
Management failure to address individual issues within the workplace (such as poor relationships with
colleagues, absenteeism or anti-social behaviours) often appears to have resulted in the behaviours
becoming more frequent or extreme.
Management failure to manage and resolve workplace issues (such as boredom or lack of work, overwork,
lack of resources or specific grievances) appears to have contributed to the level of employee disaffection.
  • Poor usage of auditing functions
Some organisations had not made regular and systematic use of their own IT or financial auditing functions to be in a position to quickly spot irregularities or unusual behaviours.
This enabled insiders to act in the first place and for some to continue acting without detection for longer than necessary.
  • Lack of protective security controls
Some organisations had not implemented simple systems for controlling how employees could introduce or remove organisational data electronically, and manipulate organisational information remotely even after their employment had been terminated.
Basic ‘need to know’ principles were not rigorously applied, allowing some insiders to acquire knowledge they did not actually need for their job and then use it to commit an insider act.
Lack of segregation of duties was particularly in evidence in process corruption cases, where one individual would be in a position to manipulate systems or data without needing approval or endorsement from a second employee.
  • Poor security culture
The case studies often revealed that a poor security culture existed in areas where insider acts took place, with a general lack of adherence to security policies and practices by employees, and with management being either unaware of these malpractices or failing to deal with them effectively.
Examples of the most common occurrences were the sharing of security passwords amongst employees, not locking computer terminals and allowing others to use logged-on terminals, sensitive materials being left on desks, security containers being left unlocked and pass access to secure areas not being enforced.
  • Lack of adequate role-based personnel security risk assessment prior to employment
In some insider cases organisations had placed individuals in positions without considering their suitability for the role and potential complications that might arise. For example, there were cases where employees had been placed in roles likely to make them more vulnerable to compromise due to their nationality,family connections or ideological sympathies.
There were also cases where the insider simply did not have the skills, experience or aptitude for the role,and without careful management, the employee was easily manipulated by a malicious third party or simply unwittingly committed an insider act.
  • Poor pre-employment screening
In a small number of process corruption cases it was evident that the appropriate level of preemployment screening had not been undertaken; most notably failures to identify that the individual had a history of fraudulent behaviour (such as credit card or benefit fraud) prior to recruitment.
  • Poor communication between business areas
The study has shown that if an organisation does not communicate and share information about threats and risks, but keeps the information in organisational silos, then its ability to mitigate and manage insider activity is severely reduced.
The study found cases where counter-productive workplace behaviour was known in one part of the organisation but had not been shared with others, resulting in delays to the organisation taking mitigating action to reduce the risk.
To fully understand the level of risk an employee poses, an organisation should be able to access information held by Human Resources concerning performance and welfare issues, information held by IT about access to electronic data, and Security for physical breaches of security policies. If information is retained by just one area of the business the organisation may misjudge the risk that it is carrying.
  • Lack of awareness of people risk at a senior level and inadequate governance
A lack of awareness of people risk at a senior level can lead to organisations missing the attention and resources necessary to address the insider threat. There needs to be a single, senior, accountable owner of people risk to whom all managers with a responsibility for people risk report.
Inadequate corporate governance and unclear policies in managing people risk and strengthening compliance can also make it more difficult to prevent and detect insider activity.

Threat Assessment: Italian organised crime

Italian organised crime is known all over the world, to the point that the term ‘Mafia’ is now understood across the globe as referring to the organised criminal underworld. Literature on the subject is abundant, ranging from history, sociology and criminology to fiction and plain entertainment. The distinctive character, looks, habits, idiosyncrasies and jargon of the Mafiosi have been described, analysed, explained and imitated. Apparently, everybody is familiar with Italian organised crime.
Nevertheless, a document analysing the overall scope of Italian organised crime at an international level from the law enforcement (LE) perspective, and the threat it poses in the EU and beyond, does not exist. This document is intended to fill that important information gap.
This is a public report intended for a wide audience, based on a more detailed strategic assessment prepared for law enforcement purposes.
The extreme difficulty in collecting information of the required quality confirmed the particular nature of Italian OC, which tends to operate ‘under the radar’ whenever it acts outside its territory.

New Breed of Banking Malware Hijacks Text Messages

Out of band authentication  communicating with a customer outside of his mobile banking app to verify his identity or a specific transaction  is a generally respected means of deflecting mobile banking fraud.
But RSA's Anti-Fraud Command Center on Monday found and reported on a Trojan called Bugat that has been updated to hijack out-of-band authentication codes sent to bank customers via SMS. This doesn't mean out-of-band authentication via text messaging is useless, but it can be compromised using a dated, unsophisticated piece of malware.
In the first step of this type of cyberattack, the online banking customer's computer is infected with a banking Trojan. This typically happens in one of two ways. In one, the customer receives an email with an attachment that he feels compelled to open — it might be from an online merchant from whom he has recently purchased a product, for instance. When he opens the attachment, he realizes the order is bogus. He may or may not realize his computer is infected.
The second way the Trojan enters the customer's computer is through a link to a familiar website in a social media post or an instant message. "When you get there, it looks like nothing is wrong, but you've just had a drive-by download," says Limor S. Kessem, cybercrime and online fraud communications specialist at RSA.
Kessem sees social media increasingly being used in such attacks. "Criminals are like, everybody is there, let's go there, too  whatever's popular," she says. Banking Trojans will steal Facebook credentials to infect the user's computer or the machines of other people on that user's contact list. "It's a very social trend," Kessem says.
When the customer logs into his online banking account from the infected machine, the Trojan will pop up a screen created via web injection. One created by the Bugat Trojan will tell the victim he needs to install security for his phone to protect his mobile banking transactions. It will ask him for his phone number and the type of mobile platform he uses (Android, iOS, BlackBerry, etc.) The customer is then provided with a link to download the security application on a third-party site.
"If you have an iPhone, that's not going to happen," Kessem points out. "Apple won't let you download apps from somewhere else. The way Apple does things has managed to keep it pretty malware-free in that sense."
The Android operating system discourages, but does not completely block, the downloading of third-party apps. The default setting on an Android phone prevents the installation of apps from unknown sources (any source other than the Google Play store). With that setting adjusted, the user can install apps from any location. When the user allows the downloading of apps from unknown sources, he receives a message warning him that his phone and personal data are more vulnerable to attack.
Android users who allow the installation of third-party applications and who click on the mischievous link are sent to the cybercriminals’ site and install the fake security application on their phone.
The app asks for permission to use SMS messaging, the customer will authorize it, and an SMS forwarder starts running in the background on that person's phone.
The next step for the attacker is to match the victim's mobile device with his computer. He'll present the victim with a code on his phone screen and ask him to type it into his the computer screen to pair the two devices.
Now, when the bank sends an SMS code to the victim's infected phone, the attacker grabs it. The cyberthieves are careful to not steal all text messages. "That would be too suspicious and too much data," says Kessem. "'I love you honey, I'm coming home,' is not necessary for the attacker, they just want things with a number." If a bank tends to use 12-digit codes, the malware will use an if-then script to pick out only SMS messages that contain those. The customer never knows what he missed.
The attacker receiving the SMS message then attempts to complete a transaction, impersonating the victim.
The Bugat Trojan is private malware developed by Russian-speaking developers for a closed gang, Kessem says. It's been in operation since 2010, but the nature of the attacks it's used for has changed and the SMS component is new.
"They used to go after business accounts and big money," she says. Recently, the operators built an SMS forwarder for it to target mobile banking.
"We're impressed by how they built it," she says. "They have this whole infrastructure that pulls the forwarders for each of the banks they target. They're very organized and very professional, they've made this special webinject to look very real and very colorful. It specifically matches the bank's total messaging."
One thing banks can do to prevent falling for this fraud is to educate their customers, Kessem says. They should tell customers to never download anything to do with their bank account from a third-party site. If they have any doubt about a link or application, they should call their bank.
To thwart the SMS-forwarder aspect of these attacks, Kessem recommends contracting anti-Trojan services like RSA's. "We disable the communication points of Trojans, make sure the whole clientele doesn't get infected or transmit their data to the attackers," she says. "Instead of going on the end point device, which is almost impossible, we disable all the information streaming to the botmaster. Without the Trojan itself, the SMS forwarder won't be that useful anymore."
Banks can also step up their fraud analytics and risk analytics, to challenge more of those transactions that look fishy or strange, even where they use out-of-band authentication using SMS messages. They could block such transactions or require a phone call to the customer.

Cyber Jihadists battle governments from south Algeria to Nigeria

In Nouakchott, a dusty city wedged between the Atlantic ocean and western dunes of the Sahara, a young hip-hop fan coordinates a diverse group of hackers targeting websites worldwide in the name of Islam.
Logging on to his computer, he greets his Facebook followers with a "good morning all" in English before posting links to 746 websites they have hacked in the last 48 hours along with his digital calling card: a half-skull, half-cyborg Guy Fawkes mask.
He calls himself Mauritania Attacker, after the remote Islamic republic in west Africa from which he leads a youthful group scattered across the Maghreb, southeast Asia and the West.
As jihadists battle regional governments from the deserts of southern Algeria to the scrubland of north Nigeria, Mauritania Attacker says the hacking collective which he founded, AnonGhost, is fighting for Islam using peaceful means.
"We're not extremists," he said, via a Facebook account which a cyber security expert identified as his. "AnonGhost is a team that hacks for a cause. We defend the dignity of Muslims."
During a series of conversations via Facebook, the 23-year-old spoke of his love of house music and hip hop, and the aims of his collective, whose targets have included U.S. and British small businesses and the oil industry.
He represents a new generation of Western-style Islamists who promote religious conservatism and traditional values, and oppose those they see as backing Zionism and Western hegemony.
In April, AnonGhost launched a cyber attack dubbed OpIsrael that disrupted access to several Israeli government websites, attracting the attention of security experts worldwide.
"AnonGhost is considered one of the most active groups of hacktivists of the first quarter of 2013," said Pierluigi Paganini, security analyst and editor of Cyber Defense magazine.
An online archive of hacked Web sites, Hack DB, lists more than 10,400 domains AnonGhost defaced in the past seven months.
Mauritania, a poor desert nation straddling the Arab Maghreb and black sub-Saharan Africa, is an unlikely hacker base. It has 3.5 million inhabitants spread across an area the size of France and Germany, and only 3 percent of them have Internet access.
Much of the population lives in the capital Nouakchott, which has boomed from a town of less than 10,000 people 40 years ago to a sprawling, ramshackle city of a million inhabitants. In its suburbs, tin and cinderblock shanties battle the Sahara's encroaching dunes and desert nomads stop to water their camels.
In the past six months experts have noted an increase in hacking activity from Mauritania and neighbouring countries. In part, that reflects Mauritania Attacker's role in connecting pockets of hackers, said Carl Herberger, vice president of security solutions at Radware.
"This one figure, Mauritania Attacker, is kind a figure who brings many of these groups together," Herberger told Reuters.
Mauritania Attacker says his activities are split between cyber cafes and his home, punctuated by the five daily Muslim prayers.
Well-educated, he speaks French and Arabic among other languages and updates his social media accounts regularly with details of the latest defacements and email hacks. He would not say how he made a living.
His cyber threats are often accented with smiley faces and programmer slang, and he posts links to dancefloor hits and amusing Youtube videos. But his message is a centuries-old Islamist call for return to religious purity.
"Today Islam is divisive and corrupt," he said in an online exchange. "We have abandoned the Koran."
Mauritanian Attacker aims to promote "correct Islam" by striking at servers hosted by countries they see as hostile to sharia law. "There is no Islam without sharia," he said.
Mauritania is renowned for its strict Islamic law. The sale of alcohol is forbidden and it is one of only a handful of states where homosexuality and atheism are punished by death.
The quality of Mauritania's religious scholars and koranic schools, or madrassas, attract students from around the world. Mauritanians have risen to prominent positions in regional jihadist groups, including al Qaeda's north African branch AQIM.
As hackers from the region organise into groups, the Maghreb is emerging as a haven for hacktivism as it lacks the laws and means to prosecute cyber criminals, Herberger said.
"There's a great degree of anonymity and there's a great degree of implied impunity," he said.
Security sources in Nouakchott said they were not aware of the activities of Mauritania Attacker.
He says he supports Islamists in Mauritania but opposes his government's support for the West, which sees the country as one of its main allies in its fight against al Qaeda in the region.
With tech-savy young Muslims in the Maghreb chafing under repressive regimes, analysts anticipate a rise in hacktivism.
Hacking is a way for young people to express religious and political views without being censored, says Aaron Zelin, fellow at the Washington Institute.
"These societies are relatively closed in terms of people's ability to openly discuss topics that are taboo," he said.
For disillusioned youth in countries like Mauritania, where General Mohamed Ould Abdel Aziz seized power in a 2008 coup before winning elections the next year, hacking has become "a way of expressing their distaste with status quo," Zelin said.
AnonGhost's global reach is its greatest weapon, but it has yet to stage a major attack on a Western economic target.
Most of AnonGhost's campaigns have simply defaced Web sites, ranging from kosher dieting sites to American weapon aficionado blogs, with messages about Islam and anti-Zionism.
It has attacked servers, often hosting small business websites, located in the United States, Brazil, France, Israel and Germany among others.
Mauritania Attacker and the AnonGhost crew say these countries have "betrayed Muslims" by supporting Israel and by participating in the wars in Afghanistan and Iraq.
"We are the new generation of Muslims and we are not stupid," read a message posted on the Web site of a party supply business in Italy. "We represent Islam. We fight together. We stand together. We die together."
The team has also leaked email credentials, some belonging to government workers from the United States and elsewhere.
As part of a June 20 operation against the oil industry, carried out alongside the international hacking network Anonymous, Mauritania Attacker released what he said were the email addresses and passwords for employees of Total.
A spokesperson for the French oil major did not immediately respond to requests for comment.
One security expert said AnonGhost's attacks exploited "well-known vulnerabilities in configurations of servers" in target countries rather than going after high-profile companies.
Carl Herberger, vice president of security solutions at Radware, remains unconvinced AnonGhost has the technical skills to wage full-scale cyber terrorism by harming operational capabilities of companies or government agencies.
"The jury is still out," he said, but cautioned against underestimating the emerging group. "You're never quite sure what they're going to do on the offensive, so they have to be right only once and you have to be right always."

US spy device 'tested on NZ public'

A high-tech United States surveillance tool which sweeps up all communications without a warrant was sent to New Zealand for testing on the public, according to an espionage expert.
The tool was called ThinThread and it worked by automatically intercepting phone, email and internet information.
ThinThread was highly valued by those who created it because it could handle massive amounts of intercepted information. It then used snippets of data to automatically build a detailed picture of targets, their contacts and their habits for the spy organisation using it.
Those organisations were likely to include the Government Communications Security Bureau (GCSB) after Washington, DC-based author Tim Shorrock revealed ThinThread was sent to New Zealand for testing in 2000-2001.
Mr Shorrock, who has written on intelligence issues for 35 years, said the revolutionary ThinThread surveillance tool was sent to New Zealand by the US National Security Agency. The GCSB is the US agency's intelligence partner - currently under pressure for potentially illegal wide-spread spying on the public.
The claim ThinThread was sent to New Zealand has brought fresh calls for the bureau to explain what it does.
A spokesman said the bureau was currently reviewing how much it did tell the public - but it would not be making comment on the ThinThread test. He said the intelligence agency "won't confirm or deny" the claim because it was an "operational" matter.
A spokeswoman for Prime Minister John Key also refused to comment saying it was an operational matter.
The claim emerged in an article by Mr Shorrock which ran in a magazine last month and featured whistleblower William Binney - a former high-ranking NSA official who designed ThinThread.
Mr Shorrock said the "ThinThread prototype" was installed at two NSA listening posts in late 2000 and at Fort Meade where the NSA is based.
"In addition, several allied foreign intelligence agencies were given the program to conduct lawful surveillance in their own corners of the world. Those recipients included Canada, Germany, Britain, Australia and New Zealand."
The "lawful" aspect was due to the software's ability to mask the identities of those whose information was being intercepted - a technical work around of the legal barrier which prohibits New Zealand and the US from spying on its own citizens.
Mr Shorrock said ThinThread operated in three phases. It began by intercepting call, email and internet traffic on a network and automatically assessing it for interest. The scale of the traffic was such that it narrowed down targets of interest by focusing on patterns of information rather than the content of the information.
Secondly, ThinThread automatically anonymised the collected data so the identities stayed hidden "until there was sufficient evidence to obtain a warrant".
The magic was in the back end of the system which used the raw data "to create graphs showing relationships and patterns that could tell analysts which targets they should look at and which calls should be listened to" using "metadata" - the same type of "information about information" which featured in about 60 of the 88 potentially illegal spying cases identified in the GCSB review.
The Greens and Labour both said it showed the need for an inquiry into the GCSB - an investigation which both have repeatedly demanded. Greens' co-leader Russel Norman said the Prime Minister and GCSB needed to explain to the public whether it was spied on by ThinThread.
"It reinforces why there is a different set of rules for the GCSB - they are integrated into this global spy network," he said.

Thursday, 27 June 2013

South Korea and US government hacks blamed on DarkSeoul group

south korea
The DarkSeoul hacker group is responsible for at least one of the recent attacks on the South Korean government, according to security firm Symantec.
Symantec researchers said initial analysis of the attacks and malwares used proved the DarkSeoul hackers were involved in the recent attacks on South Korea. "While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks observed yesterday against South Korean government websites can be directly linked to the DarkSeoul gang and Trojan.Castov," Symantec's said.
The firm said the research also linked the team to several attacks on both South Korea and the US government. "We can now attribute multiple previous high-profile attacks to the DarkSeoul gang over the last four years against South Korea, in addition to yesterday's attack," it noted. "They previously conducted DDoS and wiping attacks on the US Independence Day as well."
The group's involvement in attacks on the US is expected to have political consequences, with many security researchers believing DarkSeoul is working for the North Korean government. If true, this is troubling as in the past the US government has indicated it would react to cyber attacks on its networks the same way it would real world acts of war. At the time of publishing, the US Department of Defense and White House had not responded to V3's request for comment on Symantec's research.
Symantec confirmed while there is some evidence to suggest the DarkSeoul group is state sponsored, it is still too early to definitively know if the group is operating at the behest of the North Korean government.
"The attacks conducted by the DarkSeoul gang have required intelligence and coordination, and in some cases have demonstrated technical sophistication. While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea," wrote Symantec.
Symantec researchers said even if DarkSeoul is not working for North Korea, the group is in possession of several sophisticated attack tools and resources. The security firm warned businesses to expect and prepare for further attacks from the group.
"Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cyber sabotage on organisations in South Korea," the firm said.
"Cyber sabotage attacks on a national scale have been rare - Stuxnet and Shamoon (W32.Disttrack) are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years."
Hacks in Korea have started since the anniversary of the war between the two nations, with details on 40,000 troops leaked earlier this week.

Qantas becomes latest lure for Andromeda malware

malware virus security threat breach
Australian airline Qantas has been spoofed by malware operators connected to the Andromeda malware botnet.
Researchers with security firm Trustwave have spotted a series of spam messages claiming to be booking receipts from the airline. The messages inform the user that a flight reservation has been made and a receipt is attached.
Upon attempting to open the file and view the supposed receipt information, the attachment activates and attempts to download a number of additional malware payloads on the infected system. Among the applications downloaded is a command and control tool which is connected to the Andromeda infection.
Originally discovered in 2011, Andromeda has seen a resurgence in recent weeks as a series of spam campaigns have been connected to the infection.
“Cybercriminals have been actively spamming out Andromeda loaders for the past year. The spam themes vary from flight, courier, tax, hotel, payroll, invoice, social media and among others,” Trustwave said in its report.
“Most of the time the spam campaigns are very legitimate looking. It may be hard to spot whether it’s a malicious email.”
Andromeda is one of a growing number of botnets which has relied on misleading spam messages to infect users. Often posing as official notices from large companies or government agencies, the spam messages often threaten penalty or account loss if users don't open the attached payload or follow a link to an attack site.
Experts advise users to be weary of any claimed official notices or notifications that arrive as unsolicited emails. Users who are unsure about the nature of a notice are advised not to open attachments or links and instead contact a customer service representative.

Obama: I’m Not Going To Be Scrambling Jets To Get A 29-Year-Old Hacker

President Obama said Thursday he has not gotten personally involved in the case of Ed Snowden, because he expects other countries to "abide by international law" and not provide harbor to a fugitive. At the same time, he indicated he does not plan to go to extraordinary lengths to capture the NSA leaker, saying: "No, I'm not going to be scrambling jets to get a 29-year-old hacker."
As Republican lawmakers urge Obama to get tough with Russia as it denies extradition requests, Obama said he has not directly spoken with Russia's Vladimir Putin or Chinese President Xi Jinping. He flashed some annoyance as he declared he has not called either leader because "I shouldn't have to."
He noted that the U.S. does "a whole lot of business" with both countries, and said he doesn't want to be in a position where he's "wheeling and dealing and trading" just to "get a guy extradited."
The president suggested this should have been a routine bit of business for either leader, so he decided not to get personally involved.
Obama walked a fine line on the question about Snowden, addressed during a press conference in Senegal at the start of his trip to Africa. He said he "continues to be concerned about the other documents" Snowden has, but he suggested the media has hyped the story.
"I'm sure it will be a made-for-TV movie down the road," Obama said dismissively about the Snowden case.
He said the bulk of the damage has been done by the initial leak. He said the matter of trying to secure his arrest will be dealt with through the normal legal channels
"This is something that routinely is dealt with between law enforcement officials in various countries," he said.

Social media dangers: Behead Those Who Disrespect Our Prophet

We were looking around on Facebook and one of the pages that struck our eyes was the "Behead Those Who Disrespect Our Prophet P.B.U.H" page on Facebook. These kind of pages are doing nothing else than cause misery and pain to the religion they are trying to "represent" via the internet.
The readers; the members of these pages are people that have nothing else in mind than bring chaos in the world of religion. Because it is not believe that they are trying to teach - it is the religion they are bringing forward.
These kind of pages are the targets of Jihad recruiters that are trying to train armies to support their goals.

The page already has 222 likes and it keeps rising as people are starting to share the pictures that are posted on the Facebook page. The discussions that are being started there can be seen all over the internet - it looks like people don't seem to understand that discussions about religion on the internet will always result in a internet fight - sometimes it escalates to your front door.

Protesting can be done in peaceful ways - also when you are angered by someone that is disrespecting you or your believes.
You don't kill someone because the person decided not to respect your believes.

The Facebook page has this picture as their "Logo" but why did they choose to name their page "Behead Those Who Disrespect Our Prophet  P.B.U.H." then? It is not a message that you send out when you are protesting.

Edward Snowden poses trade risks for Ecuador

At a flower farm around 19 miles outside Quito, sales manager Juan Pablo Ponce shows off both the produce and logistics required to package bouquets, 80% of which are exported to the United States.
"We try to keep on working hard, doing what we do best," says Ponce, who has worked at the Valleflor site for seven years. "That's all we can do."
While Ecuador's government makes its decision on whether to grant U.S. fugitive whistleblower Edward Snowden asylum, colleagues of Ponce here who export flowers to the U.S. are concerned that fallout from the political decision may harm their business, especially with the Andean Trade Promotion and Drug Eradication Act (ATPDEA) pact up for renewal next month.
Senator Robert Menendez, head of the Senate Foreign Relations Committee, promised Wednesday that he would block renewal of the pact should Snowden be granted asylum.
"Our government will not reward countries for bad behavior," he said in a statement, following other lawmakers who have spent years saying that the pact should be allowed to lapse, partly down to the country's links with Iran.
Ecuador's President Rafael Correa has lambasted the threats as "blackmail." He must balance the anti-American plank of his government, allied with former Venezuelan President Hugo Chávez, with trade deals that have boosted the country's oil-fueled economy.
The ATPDEA agreement was initially signed by President George H.W. Bush in December 1991, allowing the countries involved to sell goods to the U.S. without paying import duties. It was designed to boost trade between the U.S. and Bolivia, Colombia, Ecuador and Peru.
The idea was to incentivize alternatives to cocaine production here. Colombia and Peru now have their own free trade agreements with the U.S. while Bolivia was kicked out in 2008. The U.S. said that it had failed to "cooperate with U.S. counternarcotics efforts."
More than 50% of Ecuador's exports go to the U.S., according to Cristian Espinosa, executive director of the Quito-based Ecuadorian-American Chamber of Commerce.
"The U.S. is our main trading partner," said Espinosa. "We've been trying for years to make this relationship richer and deeper. When we see political events that might hinder our work, we of course are … concerned. We hope that these political events do not affect trade because both countries benefit a lot from bilateral trade."
Espinosa urged Correa to understand that a political decision, such as one on Snowden, could impact his own sector as well as business in Ecuador more generally.
The main export product is oil, $5.4 billion worth of which was exported to the U.S. last year under the terms of the pact.
While Ecuador will not struggle to find other buyers for its oil, the $166 million it sold to the U.S. in cut flowers during the same period may suffer. Fruits, vegetables and tuna are also covered by the agreement. In total, the exports were worth $9.5 billion last year, according to the U.S. government.
"U.S.-Ecuador relations are not in great shape today but would deteriorate even more should Ecuador grant Snowden asylum," said Michael Shifter, president of the Washington-based Inter-American Dialogue thinktank. "Ecuador's economy would feel the hit, especially the flower sector."
Around a quarter of a million people depend on the sector, with 100,000 directly employed by it. Some 280 of them work with Ponce on his farm outside Quito.
Correa has long followed in the footsteps of the Castros in Cuba and the late Hugo Chávez in Venezuela as a harsh critic and adversary of Washington.
Riordan Roett, director of the Latin American Studies Program at John Hopkins University in Washington, said that should Correa allow Snowden asylum, he would be "destroying trade options for the Ecuadorian people for the sake of his own ego."
Ecuador's policy toward the U.S. has been unpredictable at times.
In 2009, Ecuador shut down the U.S.' Manta military base, on Ecuador's Pacific coast, and two years later, the U.S. ambassador was kicked out of Quito after a damaging WikiLeaks cable. Washington retaliated, though ambassadorial-level links were re-established in May 2012.
At the same time, Ecuador has worked hard to maintain the trade accord up for renewal next month. The Ecuadorian embassy in Washington set up the "Keep Trade Going" campaign, featuring testimonials from companies which have benefited from duty-free trade with Ecuador.
"A duty on Ecuadorian roses would effectively price Ecuadorian roses out of the United States marketplace," reads one from Royal Flowers.
Should the ATPDEA not be renewed at the end of next month, Ecuadorian authorities are hoping to fall back on the so-called Generalized System of Preferences, which allows for duty-free imports on certain goods by the U.S.
Correa and his advisers must calculate whether they will gain more political capital by taking in a U.S. fugitive — from leftist and anti-imperialist supporters — at the expense of Ecuador's economy.
"We're confident in a prudent decision by the Ecuadorian government," said Juan Reece, a leader at Expoflores, a trade body for the flower industry."

Facebook denies providing data to Turkish government

Facebook has denied having agreed to share data regarding postings on the Gezi Park protests with the Turkish government, as had previously been stated by Minister of Transport, Maritime Affairs and Communications Binali Yıldırım.
“Facebook has not provided user data to Turkish authorities in response to government requests relating to the protests,” the company said in a written statement today.
“More generally, we reject all government data requests from Turkish authorities and push them to formal legal channels unless it appears that there is an immediate threat to life or a child, which has been the case in only a small fraction of the requests we have received,” the statement added.
Yıldırım had said today that unlike Twitter, Facebook had responded “positively” to their request.
“Facebook has been working in coordination with the Turkish authorities for a long time. They have a unit in Turkey. We don’t have any problem with them. Twitter could also establish a similar structure. Otherwise, this is not sustainable,” Binali told reporters.
His statement had immediately caused a huge reaction among social media users, with some even calling to boycott the massive social network website.
Facebook also stressed that the draft bill on social media that would oblige companies to share data with authorities had also created uneasiness. It said company executives would raise the issue during a meeting with Turkish government representatives this week in the United States.
“We are concerned about legislative proposals that might purport to require Internet companies to provide user information to Turkish law enforcement authorities more frequently,” the statement said.
Facebook had reviewed the many comments of users prior to the official statement, Turkish media reported.

Russian financier Pavel Vrublevsky court case

In spite the fact that sentence regarding this case, lasting already a whole year, has not been pronounced. One of the defendants that was suspected in organization summer ddos-attack on the Russian payment "Assist" system in 2010 is arrested again for another 6 months. On June 5th, 2013 in the courtroom located in the northeast of the capital, in Tushino, Russian financier, Pavel Vrublevsky, was taken into custody. The consent given by Judge Natalia Lunina to satisfy the petition of the prosecutor Sergey Kotov, who asked to change a sanction such as recognizance not to leave to arrest, indicates that the state accuser is planning to bring the case to a home straight.
The defendant is arrested again despite that there was no judgment delivered after a year of court hearings.
Is the case of Russian financier Pavel Vrublevsky reaching a finish line?
Psychological warning or a sign of coming conviction?
For such unexpected turn in the case of Vrublevsky, Permyakov and brothers Artimovich little was done. Witness form the prosecution side Nikita Yevseyev claimed that Vrublevsky, who called him by mobile telephone on April 29th and 30th, was trying to bribe and frighten him; as a result, prosecutor Kotov requested an arrest of the suspect. Absence of any convincing evidence regarding the fact that Vrublevsky tried to affect the witness, were ignored by both the prosecutor, and the judge.


According to the investigation, Vrublevsky acted as initiator of the ddos-attack, having passed its technical implementation to the former employee of FSB, Maxim Permyakov, and programmers Dmitry and Igor Artimovich. The motive of the ddos-attack by Vrublevsky according to judicial scrutiny was an attempt to expose the competing company "Assist", by showing its vulnerability and inability to protect business partners from cyberattacks. From July 15th to July 24th , 2010 during the summer when the capital was literally filled with smoke because of the fires on peat bogs near Moscow, ddos-attack paralyzed "Assist’s" business operation. That time "Assist" was one of the companies provided electronic payments for the largest Russian airline "Aeroflot", whose controlling stake belongs to the state. Representatives from “Assist” declared that the damage caused to the company equaled 15 million rubles (about $500.000). But "Aeroflot" estimated that the losses (more precisely missed profit) reached the amount of 146 million rubles (a little less than 5 million dollars).
The version of the public prosecution side would look more convincing if there were proofs that "Aeroflot" plans to continue business cooperation with "Asisst". Actually, in July 2010 when "Aeroflot" held tender regarding the choice of payment decisions, the "Assist" was not among the competing contestants. As "Aeroflot" expected to choose a provider of payment services which could offer the unified scheme (processing) valid for all its management departments and structural divisions, the probability that "Assist" could keep the contract without participating in this tender is extreme small.
On the contrary, “Chronopay” participated in the tender, and it’s impossible that its employees did not know that "Assist" was absent among participants.
One year passed. Vrublevsky had an opportunity to leave the country for holidays and never come back  to Russia, but he behaved as if he did not realize an approaching danger. In July 2011, when he and his family, wife and three juvenile children, were coming back from Maldives Islands, he was arrested in the Sheremetyevo airport located to the north of Moscow.
Suspected of technical realization of a hacker attack programmer Igor Artimovich was released after two months in custody, but, at first, he received a doubtful pleasure of physical influence that is commonly used by Russian investigatory bodies. This young man in his thirties does not make an impression of the person with the athletic build and, moreover, does not look ready to bear physical pressure. Medical report attached to case files that was made by doctor Fedorov in the city station of medical aid located in Petersburg, in the presence of two witnesses, proves that the physical pressure was implemented. According to his experience, it’s clear that it is not required to be the lawyer Magnitsky that authorities allow to apply physical force towards suspect. On June, 9th 2011, after conducting medical examination in office №6 of Petersburg and Leningrad Regional Department of FSB, Dr. Feodorov estimated that Artimovich had «bruised head in parietal-temporal area and scratches in his forearms [1]».
By the autumn 2010 everyone had confessed (it should be noticed that in March 2012 Igor Artimovich refused statements giver earlier). According to the Russian standards, existence of these statements was enough to identify suspects and consider the case proven; therefore, the court would pronounce a fair sentence.
However, as hearings began in May 2011 it became clear that evidences from the prosecution side had essential shortcomings and contradictions, as well as, forensics were far from ideal; as a result, proceeding already lasts whole year.
Journalists who are following the developments on the case, can find different explanations to numerous contradictions and falsifications in this case, however, to neglect their presence would mean to simplify the occurred situation.

What did FSB​ declassified?

[[1] Case №678324, volume 2 page 140, 141.]

            The main dispute between lawyers and public prosecution was declassification of the materials on special investigation activities, made in May 2011. Defense noticed that numbering for the declassified FSB documents that appeared during investigatory process do not coincide with their initial record numbers. Numbers under which documents appeared in the resolution of declassification did not coincide with their numbers in the resolution on their submission to the investigation, and in some cases - with the numbers under which documents have been attached to the case materials [2].
So, for example, the inquiry №147/ОU/2-2063 was transformed to the document №147/ОU/2-1500; №147/ОU/2-2317 - it was also found under №147/ОU/2-1503, №147/ОU/2-1502; the inquiry №147/ОU/2/2164, concerning electronic e-wallet owned by one of the suspects, was stated as inquiry №147/ОU/2-1504 in one of the resolutions.
Lawyers have counted in total 10 discrepancies like that and «has drawn a conclusion that the materials appeared in Russian Investigatory Department of FSB that was attached to the materials of criminal case are OTHER documents, than those that have been declassified; therefore, those that have been declassified are absent in case materials» [3]. Under the lawyers' statement, the documents passed to the investigators by special investigative unit, «were not declassified in compliance with respect to the order established by the law; also there are no data on a source that originated and presented this information, dates of reception are also unknown».
Assuming that these documents are declassified with violation of declassification rules, in January 2013 lawyers asked authorization to exclude these 10 inquiries from the criminal case [4] connected to special investigation activities towards suspects. Lawyers asked to exclude these documents from the evidence material as it «was received with violation of criminal procedure legislation».
The main argument of lawyer Ajvar was that the decision from May 12th, 2011 regarding declassification of the materials from special investigation activities and the judgment made by the Moscow State Court on September 30th, 2010 regarding  operational procedures «declassified and presented material to the Investigation Department of FSB with essential violations of the CPC RF: as the documents contained the state secret, [they] could not be declassified by the head of the unit which is carrying out special investigation activities». At the same time article №13 «concerning the state secret» allows to declassify the resolution made by judge only on the basis of the judicial decision.
Lawyers also were concerned regarding how the dates were put down. Instead of the figure specifying a calendar year that the document should be dated, composers of inquiries wrote «present year» that complicates to define when the inquiries have been actually made.
2 Case №678324, volume 7, pages 275, 276, 277.
3 Ibid, pages 276.
4 Case №678324, volume 7, pages 323-reverse, 324.

 Judging by the fact that public prosecutor has asked court to make a pause in hearings to find out the reasons of these divergences, what led to the judicial session to be postponed for 3 weeks, this contradictions were unexpected for the state accuser. This fact indicates that prosecutor probably did not pay much attention for such detail while studying evidences.
     The way the crime investigators dealt with classified documents can be named illegal and has created almost comical situation. The screenshot that shows the access to the  Topol-Mejler  control panel appeared to be a part of confidential evidences - the inquiry №147/ОU/2-1501 from May 12th , 2011. At the same time before this inquiry was officially declassification, the same screenshot was published by journalist, Brian Krebs[5].
The public prosecutor requested an explanation from FSB. In the official document dated 1/24/2013 №147/ОU/2-222 given by the deputy chief of the Operations Control Center of Information Security of the FSB, col. Zhestkov, stated that «after declassification of the materials of special investigation activities those documents were assigned with different serial number in respect to the original numbering of (before confidential) documents» [6]. This document even had not been sealed with a stamp.
It's unclear what happened with the initial numbers (confidential numbers). The lawyers themselves did not see the original documentation on the basis of which the declassified certificates have been made. Meanwhile, the Russian legislation allows court to consider results of the special investigation activities (such as, records of conversations and the data obtained from communication channels) as evidence, but not the documentation made on a basis of these evidences.
Nevertheless, judge Lunina agreed with an argument of the public prosecutor, having rejected the lawyers' petition to exclude 10 inquiries from the case materials.

Falsification of evidence

Lawyers also detected falsification of investigatory documents. They managed to find out that first chief deputy of Operations Control Center of Information Security of the FSB, Lutikov backdated the letter №ОU/2/389/1-49 made on September 8, 2010 [7], in order to give «visibility of legitimacy for the actions conducted by employees of FSB RF and obtaining information on CD №5109№09250046318. Together with the letter, Lutikov was meant to send to the CEO «Information Security Group» LLC this CD.
6 Case №678324, volume 7, page 311.
7 Case №678324, volume 1, pages 50-51.

From 10th till 27th of September 2010 a group was engaged in the scrutiny of the CD. These dates were specified in the conclusive statement written by the employee of the Group [8]. However, the Moscow State Court has authorized to carry out special investigation activities allegedly to obtain this CD, only on September, 30th [9] 2010 (authorization №ОРМ 558k/s/2010.
It seems to be that the CD has been received without the official sanction of court, and employee of Information Security Center FSB, Lutikov, backdated the document as on September 8, 2010 he could not be aware that on September 30th, in 3 weeks time, the Moscow State Court will authorize the decision to carry out special investigation activities. Hence, if this document was made, ostensibly, on 8th of September Lutikov precisely specified number of the statement that was authorized by the Court on 30th of September. This letter dated 8th of September was written after 30th of September and the date has been specified intentionally incorrect to give visibility of legality to actions of inspectors.
This trick has allowed inspectors to legalize illegally “the evidence material”, the CD №5101№09250046318 (originally numbered differently), therefore, permitted to be taken as a basis for the charges.
When lawyers found out about this falsification, on 5/13/2013 they addressed the powerful Investigatory Committee with the request to check thoroughly the circumstances of the case.

Debates around the examination conducted by the employee of Kaspersky Laboratory

One of the most significant document among other evidences is examination of the files which had been withdrawn from one of the confiscated laptops belonged to one of the accused. This expertise was conducted by Grigory Anufriev - the young expert of the well-known Kaspersky Laboratory that is engaged in manufacture of anti-virus programs [10].
Expert from KL came to a conclusion that initial codes obtained from the laptop of the accused include all program functions that presumably attacked the server of the "Assist".
However, lawyers doubted regarding the choice of the Laboratory as expert authority. The defense claimed that the Laboratory can be considered as privy due to the fact that KL cooperated with the "Assist", therefore, it’s possible that judgment could be affected by personal interest. Also Kaspersky Laboratory is commercial entity; as a result, its neutrality could be affected by commercial interests. The public prosecutor, as well as judge Lunina had disagreed with this point of view, and examination remained in the case files. Though, the public prosecutor explained that Anufriev has participated as expert like private individual, the text of the examination had been assigned with Laboratory stamp.
8 Case №678324, volume 1, pages 52-61.
9 Case №678324, volume1, page 103.
10 In Spring 2012 KL announced that company profit for the last 5 years reached 864% in European, Middle Eastern and African countries

Lawyers were surprised that examination, in their opinion, was short, and there was no interim results or/and calculations attached. Without any exaggeration considering a huge volume of the data which expert was forced to analyze, such as, laconism, as well as, his statement that certain calculations he could reckon in his mind, looked appropriate for private discussion, rather for judicial hearings.
Independent experts approached by lawyers with the request to analyze Laboratory's expertise, found shortcomings unlike the public prosecutor.
The Russian legislation demands that expert must specify a technique used to conduct research or examination. This requirement allows other experts to check the results of expertise by reproducing experiment. Grigory Anufriev did not specify the technique he used, as well as, special references where the methods of similar examinations would be developed and presented.
In particular expert Igor Yurin, a head [11] of so-called «The National Centre for the fight against crimes in the sphere of high technologies» acted in court as a guest expert, insisted on methodical discrepancy between examination of Kaspersky Laboratory and the task which had been set by inspectors. He stated that no expertise can prove injuriousness of any Software as court is the only authority that entitled to do so, and that there are no techniques of research regarding binary vand initial code of the programs based on reading the Bible and disassembly in mind.
In the courtroom expert Yurin has complained that during familiarization with Anufriev's examination he was not sure whether this file somehow had been investigated. Though, Anufriev also had mentioned that the file was detected by Kaspersky's antivirus, he did not specify the file codes, also nothing was said in regard to the presence or absence of overlay hinged protection. According to Yurin, the examination made in Laboratory did not display any code sections or any functional or other identifying signs.
Speaking in court, Yurin has compared the conclusions from the Anufriev’s examination and the document made for the investigators by GroupIB and found contradiction. Judging by hash, appeared in the document of experts from GroupIB, the investigated object called dropper: the variation of a program which itself does not pose any special destructive functions (such programs extract other file, place them on a hard drive, register file in the system, and, at last, start files. This is the only what dropper is capable of).

11             This structure is not a state unit, therefore, phrase “National Center” should not be taken as this center is a part of executive branch.

There are also other remarks regarding examination of Grigory Anufriev that have been noticed by expert Yurin in courtroom:
- Experts from Group IB, were specifying the value of hash while showing the exact data object (script - X) that was examined. To compare, Anufriev's examination did not mention neither hash, file size, nor the information on last access to an investigated file.
- The expert of Laboratory had admitted confusion, having specified that he used disassemble IdaPro 6.0 released “Datarescue”. It's important to notice that version 6.0. had been released by another company.
- Whoever released program 6.0., this program does not allow to recreate precisely the initial text of the program using high level language, but allows to obtain only a certain text in assembler language, except some primal case when the program consists of several lines, consequently, it is possible to obtain version close to the original. The reasons is that during compilation the names of variables, constants, functions  are lost, at the same time some instructions are replaced by similar ones for optimization,  that is to say the program obtains significant changes.
As for the public prosecutor, the judge and the lawyers who are not quite familiar with programming and are not experts in this field of high technologies, such details, certainly were difficult enough to examine. There is a risk that the court taking into account examinations and experts' statements will draw the conclusions based not so much on mathematical accuracy but on intuition and general impressions. Nevertheless, one of the comments from expert Yurin presented in the courtroom had to be understood identically by everyone:  expert who analyses the results, can be tempted to make definitive conclusions, though, it is known that «even if he/she is well qualified in this programming language, it does not mean that he/she can properly understand and identify the initial code of the program written in the same language. It is especially relevant to the projects where considerable quantity of experts participated. There is a possibility that in such cases the developer can be confused in understanding what is going on in the program».

Hearings in 2011:
The judge refuses to consider case because of a poor quality of indictment, but the highest authority court cancels this decision.
The first attempt to carry out hearing was unsuccessful, then on 6/13/2012 judge Olga Alnykina satisfied the petition of the lawyer, Lyudmila Ajvar [12], and has decided criminal case
12 Ludmila Ayvar together with her husband, lawyer Irog Trunov lead Assosiation Bar “Trunov, Ayvar and partners».  Trunov is famous for representing interests of clients who were held as a hostage by the terrorists in the theater hall during musical “Nord-Ost”, then clients suffered from gas poison used by security force, which did not only provoked severe poisoning but also left some people chronically ill, even provoked  death of 130 people (information according the state authorities) and 174 people (according to the NGO "Nord-Ost", bringing together victims and their relatives)
«to be returned to General Attorney of the Russian Federation [13] in order to eliminate the obstacles that prevent the following legal investigation» and «to oblige the General Attorney of the Russian Federation to eliminate violations». The judge justified her decision as follow: «indictment does not have significant foundation for the accusation: the ambiguity of primary attributes of law edition on the basis of which the charges were laid. The above-stated circumstances display the presence of obstacles / …/, that exclude possibility for the court to reach legitimate and justified verdict or reach other decision on the basis of the drawn conclusion» [14].
As judge Alnykina explained, «the bill of particulars does not meet the requirements of paragraph 5 of Part 1 of Art. 220 Code of Criminal Procedure RF»: instead of revealing the evidence and to clarify its indication, investigation unit «discloses [only] the list of evidence».
The judge has rejected the indictment not only because it did not correspond to the requirements of the Criminal Procedure Code of Russia but also because inspectors accusing all four suspects «in committing a crime under Part 2 of Art. 272 of the Criminal Code and Part 3. 33 [and] Part 1 of Art. 273 of the Criminal Code of the Russian Federation "», have referred, for some inexplicable reason, to the Russian federal law №28-FЗ from the March 8th, 2011, devoted to agreement ratification between the former Soviet Republics of Azerbaijans, Kirghizia, Russia, Tajikistan, Turkmenia and Uzbekistan «which is dedicated to creation of the Central-Asian regional information coordination centre against illegal circulation of narcotics, psychotropic substances and their precursors». Having found inappropriate reference, judge Alnykina has specified that it «does not regulate changes in criminal and criminal-procedure legislation» in Russia.
Public prosecutor Kotov was trying to convince the judge to disagree with the lawyers' request, claiming that due to "technical error" charge had been brought in improper edition of the law №28-FЗ from March 7th, 2011, but his arguments had been rejected. Further the public prosecutor repeatedly explained [16] various contradictions in investigatory documents as «technical errors» and «the human factor». However, these explanations compel to ask a question: what kind of challenges the court faced with: with a systemic defect and shortcomings of the Russian public prosecutor body that presumes that numerous errors regarding evidences do not disturb a judicial legal investigation, or with low-qualified young inspectors of the Investigatory Department of FSB.

13 Abbreviation «RF» instead of “Russian Federation” is used in Russia to simplify the grammar
14 Quote from case №678324, volume 7, pages 47.
15 CCP – abbreviation for «Code of Criminal Procedure».
16 Ibid, page 46.
Nevertheless, the Judicial Board on criminal cases of the Moscow State Court, where the public prosecutor addressed his protest, cancelled the decision of judge Alnykinoj and returned the case in Tushinsky Court to carry out preliminary hearings [17].
Because the Russian judicial system cannot be considered independent by the European standards, the higher the judicial hierarchy the more dependent position. And if the district court decision can be sometimes unpredictable for the authorities and the public, it’s unlikely to expect surprises from courts of higher instances. And the decision which has been reached by the Moscow State Court in August, 2012 on the given case confirms the rule.

The short chr​onicle of judicial hearings for the first half of the year 2013

The aim for the hearings that took place on  May 29 and June 5 was to reach the decision whether the punishment for Vrublevsky will be changed. The integrated witnesses, signatures authenticity of whom were disputed by expert-graphologist, became more intense for last months. At the same time, litigation had new unexpected turn in its development, thanks to a number of expert evaluations that had been announced from March till May, as well as to certificates of the interrogated experts. During the trials held between Aeroflot and bank VTB 24 that carried out financial transactions the distribution of forces began to change. In the first half of the year the court perceived the financial damage proclaimed by “Aeroflot”, according to the company, as a result of ddos-attack at the beginning of April when Aeroflot could not appeal against judicial decision passed by The Moscow Arbitration Court according to which the airline claim towards VTB24 was rejected, as a result, the charges against Vrublevsky and brothers Artimovich could be questioned. Even if VTB gained a political support, the fact that lawyers of “Aeroflot” could not prove a presence of a financial damage, cause the doubts regarding whether Vrublevsky is guilty in respect with paragraph 2 of Art. 272 CC that assumes obligatory presence of a considerable material of the (financial) damage.
Despite that the court turns a blind eye on new amendments in the Article 272 CC and left accusation based on old (non-operational version of article of the Criminal Code) as relevant, lawyers still have an opportunity to achieve a charge to be requalified.
The defense that invited a several experts, whose arguments showed all ambiguity of the charges pressed against Vrublevsky and discrepancy of all examinations and expertise collected by investigation department, was convincing enough.
17 Case №678324, volume 7, page 79.

In March the CEO of the "The National Centre against crimes in the sphere of high technologies" PLC, Igor Yurin, questioned methodical correctness of the examination conducted by the expert of «Kaspersky Laboratory» LLC, Grigory Anufriev, regarding the analysis of the information collected from the suspect's laptop and disks.
Later executive director of Consulting Group "Aspect", Anton Genkin, who was an expert back in 2010 invited by the company "Aeroflot" to conduct a tender in order to choose payment decisions system, had doubts whether “Aeroflot” was planning to continue business relations with the payment system "Assist". He mentioned that "Assist" did not take part in the tender conducted by “Aeroflot”, thus, the statement of the prosecution that Vrublevsky could organize ddos-attack to show weakness of the security system of competitors, therefore, to compromise them, is groundless.
Back in April Leonid Raev, an expert-graphologist, who graduated from the faculty of criminology of the Volgograd Higher Investigatory School of the Ministry of Internal Affairs, testified in court. Having made a reservation that he had opportunity to familiarize only with digital images and photocopies of investigatory reports and not with originals, he could not use the special techniques to investigate documents. Raev pointed out for the court numerous different interpretations in signatures of the same individuals. As a result, he stated that in some cases signatures have been put not by the individuals on whose behalf the document was signed.

Compromised selection of witnesses and falsification of signatures as a basis f​or the bill of particulars

On 5th of June graphologist, Raeva, testified one more time. During May he made a detailed analysis of the new samples of the signatures collected by lawyers what became additional argument that demonstrated the falsification of the signatures from investigatory reports. This expert estimation added persuasiveness to the statement made on 29th of May where witness, Anastasia Kurochkina, argued that her signatures contained in several investigatory reports, have been forged, and that she has never participated in any investigatory actions neither on the case of ddos-attack, nor on other criminal cases.
Having noticed that signatures from the reports had a feature of slowness regarding their execution, in contrast, with mechanicalness, that is distinguishing feature as individual put his\her, though the years developed, signature. Raev ascertained essential distinctions between the samples of signatures from investigatory reports and other documents (in particular, in the judicial summons and examination sheet). In order to draw a certain conclusion, it is necessary to receive from inspector Dadinskij a list of signatures that were made on behalf of those individuals whose signatures were falsified by Dadinskij. Meanwhile, it can be assumed that all autographs belong to one person as they have common features, such as a wavy side of the endings and a triangular stroke with the termination located on the left.
18 Igor Feldman represents the interests of Dmitiry Artimovich and is the youngest among the lawyers that were chosen by the defendants. Except Feldman Ayvar, Zaitsev and Korneev who is defending the fourth suspect Maxim Permiakov, there are also state lawyers involved.
In the interview made by lawyer, Igor Feldman [18], on 29th of May, witness Yevseyev states that he can have an infinite number of signatures. The expert, without suspecting that quotation was literally reproduced in the courtroom, had ironically noticed that it indicates mental disorders of the individual.
Assuming that the person can possess an infallible memory, Raev has noticed that his arguments is possible to check, having asked «to examine around five» signatures. Reluctance of  Yevseyev and Tisljuka and the inspector Dadinsky to provide the samples of the signatures, convinced graphologist that he is right regarded, as «plus to [the expert] conclusion», confirming, «that the expert is right».
Extremely ambiguously, considering that graphologist has found resemblance between handwritings that allegedly belong to the witnesses and handwriting of the inspector, on 5th  of May inspector Sergey Dadinsky stated that in Russia «the witness institute is badly developed», that «people are afraid to go somewhere and participate in something»; «it is difficult to find individual who will be willing to spend with you as much time is needed», [preparing investigatory reports].
For now graphologist's estimations and some witnesses' testimonies suggest that the participation of  Nikita Yevseyev as a witness who also with according to the religious canons is a relative to the inspector, is not accident. It allowed the inspector Dadinsky to issue many reports as ostensibly assured by Yevseyev, and then during private conversation to advise to write a petition which authenticity can be questioned.
On 29th of June public prosecutor Kotov has referred to Yevseyev's statements and petitions where he claimed that on 29th and 30th of April Vrublevsky ostensibly tried to bribe him and threatened him during the telephone conversations. These unsubstantial statements, perhaps, would sound plausibly but the defense offered a number of proofs showed that Yevseyev mislead the court while testifying on 29th of May.
It is important to notice that his statement contradictes with a number of statements made by the witness Anastasiia Kurochkina and the inspector Dadinsky who appeared in court on 5th of May as a witness. Yevseyev denied any contacts with inspector of The Investigation Department of the FSB that would not be relevant to the investigation process but Dadinsky described their relationship as friendly relationship, though he did deny any relations, for example, based on religious practices or ceremonies.
Meanwhile, lawyer Pavel Zajtsev [19] also provide the court with documents to be put with the case materials, such as the letter, from 5/30/2013, made by the archpriest of the Epiphany Cathedral, Alexander Ageykin, confirming that the inspector Dadinsky became a godfather of Nikita Yevseyev's son. Earlier on 29th of May, Yevseyev himself stated he is devout Muslim.
19 Lawyer Pavel Zaitsev is a former investigator. Now he is a member of Moscow Board of Lawyers “MOVE” and is an expert of Council for Civil Society Institutions and Human Rights under the President of the Russian Federation, he is also a member of the presidium of the National Anticorruption Committee. Zaitsev is known, in particular, for his participation in the investigation regarding the smuggling of Italian furniture in 1999-2000. According to the Customs Committee, the state did not received about 8 million dollars. Zaitsev was the one who established involvement in the smuggling operations of some employees of the central apparatus of the FSB.

Did inspector forge the signature of his girlfriend?

More dramatic episode, than Vrublevsky's arrest, was the statement made by witness Kurochkina and stenographic expertise provided by lawyer Ajvar deciphered from audio record with conversation that was recorded between Dadinsky and Kurochkinoj on 20th of May. These citations indicate that the inspector tried to mislead the witness with regards to the accusations towards Vrublevsky, brothers Artimovich and Permjakov. Dadinsky asserted that the charges he pressed against suspects were connected with drug traffic, apologizing that he didn't let her know and put himself signature on her behalf. Nevertheless, the inspector considered admissible to ask Kurochkina to make a statement in which she would recognize these false signatures as her own, then he suggested not to appear in court on 29th of May claiming arrangement with the judge and the public prosecutor already have been reached.
After these remarks were quoted in court Dadinsky did not made any statements denying the accuracy of the quotes.
It can be noticed that the behavior of 29-year-old Anastas Kurochkin was more courageous compare to the behavior of inspector Dadinsky, and other witnesses: Yevseyev and Tisljuka. She was the only one interrogated on 29th of May and on 5th  of June who agreed to give to court the sample of her signature. Also unlike Dadinsky, she was tactful towards her former close friend and did not give any personal assessments about him. This courageous behavior is corresponds more to officer ethics, rather than negation, by the inspector, of the facts which have proved to be true in court.
Vrublevsky already was in custody, when Kurochkina has informed court that she received strange calls, also, including calls from detective agency. Unknown individuals called also to her work, asking, whether she has "office romances". Someone also called to her mother, assuring her that her daughter is blackmailer. As a result of such pressure, the witness has made decision to resign.
It is still unclear if Investigatory Committee and FSB undertook any actions regarding the request made by Kurochkina on 30th of May asking to give her the state protection and to clarify the circumstances of occurred false signatures made on her behalf.

Themis blinded in​ both eyes?

The Vrublevsky arrest occurred on 5th of June in a hall of Tushinsky District Court of Moscow became possible substantially because prosecutor Kotov ignored obvious infringement by the inspector Dadinsky at selection of witnesses paragraph 2.2 Article 60 CPC, forbidding all kind of relatives to participate in the role of witnesses in the criminal proceedings during lawsuit.
As judge Lunin clarified her decision to change restrictive measure by arguing that «there is no grounds to doubt Yevseyev's statements», and that they «are objective and there are solid ground for imprisonment», the whole complex of contradictions and the absurdities containing in certificates of Yevseyev, provoked lawyers openly to declare to the court a presence of convincing evidence that not only Yevseyev, but also the inspector Dadinsky in some cases committed perjury. Lawyers Lyudmila Ajvar, Pavel Zajtsev and Igor Feldman did not hide the intention to get authorization to obtain the materials in order to prove that inspector Dadinsky violated the law, as well as, to build a separate criminal case against the witness on a basis of committing perjury.
In first half of hearings while Vrublevsky has not been arrested yet, lawyers had presented to court the texts, assured by notary Afanaseva, that were  obtained from two mobile phones owned by Vrublevsky showing sms-massage exchange between defendant and witness Yevseyev who testified earlier. According to lawyer Ajvar, calm tone of these messages does not give any grounds to believe that Vrublevsky resorted to any threats.

Vrublevsky's​ arrest: false associations with Chronopay

For judge Natalia Lunina two incomplete days of hearings were enough that on 5th of June to make the decision on, whether to satisfy the petition of public prosecutor, Sergey Kotova, who asked on 29th  of May to change punishment to Russian financier, Pavel Vrublevsky, from recognizance not to leave on 6-month's arrest.
The press covering this news, positioned Vrublevsky as owner of payment system company "Chronopay". Actually, the company has co-owners, though, Vrublevsky founded the company back in 2003, within last two years he has completely departed from company affairs. At the time of last arrest Vrublevsky did not hold a position of CEO in "Chronopay" and did not participate in any activities on behalf of the company. His full attention was directed to created in 2012 fund RNP.

The first attempt ​to attain freedom

On 6th of June it was the first hearing that arrested a day earlier Vrublevsky watched from behind bars.
The defense found the punishment unreasonably strict, as a result, lawyers files a petition to change the sentence from 6-months imprisonment to house arrest where his movements and possibility to use communication facilities would be limited.
Representing Pavel Vrublevsky's interests the defender Lyudmila Ajvar mentioned that witness' statements on which basis the financier was taken into custody were based substantially on guesses and assumptions and, consequently, cannot have legal validity according to the current legislation.
Public prosecutor Kotov traditionally objecting the petitions of the defense finished debates with the exclamation: «Are we waiting until he will organize liquidation of the witness?!» Considering the fact that witness Yevseyev who on 30th of April asked court to grant state witness protection because he found in the remarks of Vrublevsky reasons to be afraid for his safety, still did not receive state protection. Therefore, prosecutor’s observation regarding organization someone's "liquidation" looks rather comical and hardly convincing.
Nevertheless,  judge Lunina has agreed with the public prosecutor that another measure of punishment (not connected with imprisonment) will not provide unobstructed judicial process and upheld the decision passed the day before on arrest of Vrublevsky.
From expertise that lawyers were planning to adduce by filing the petition on 6th of June, but the judge agreed to attach to the case materials only one, the expertise made by expert-graphologist, Raev. According to Lunina, even that graphologist testified 1.5 months earlier, he was so detailed by telling the court about the studied signatures that his observations represent obvious interest for the lawsuit.
Written by experts of NO «The Commonwealth of experts of the Moscow State Law Academy of the Kutafin» Gleb Shamaev and Anastasiia Semikalenova review regarding the examination of Kaspersky Laboratory, Grigory Anufrievs, judge Lunina has refused to attach to the case materials, having referred that the necessary "aspects" on this question have been considered by her earlier, and she does not see a necessity to use this review.
In second half of the hearing 6th of June lawyers and figurants of the case in the presence of the invited experts to scrutinize some electronic storages attached to evidences of the case, however that they did not have some technical devices necessary to conduct procedure methodically correct. Continuation will take place on Friday at 12:00.

Beforehand the defense expressed concern towards the invited candidate - employee of Laboratory Kaspersky, Grigory Anufriev - as an independent expert. Main objection for lawyers was the fact that Anufriev might be  interested in acknowledgement made by him before as an expect, that he has interest to prove his previous statement made in court earlier insisting that all defendants are guilty. However, the public prosecutor managed to convince court that Anufriev will exercise only additional role: only «promoting realization of technical action». Participation simultaneously of two experts in acquaintance with contents of electronic devices was caused by the agreement taken in previous sessions between defense and prosecution to use one expert from each party to make sure that of the parties could affect the result in accordance with their interest.

Lawyer Ajvar, knowing possible objections that could be announced by the state accuser while attempting to remove the expert that could be seen as expert from the prosecutor's side,  has opposed the other invited candidate, CEO of company "Chronopay" with the higher technical education Alexey Kovyrshin. When public prosecutor Kotov claimed that Kovyrshin can be seen as expert employed by Vrublevsky, company founder explained to the state accuser that Kovyrshin is the CEO and does not depend on shareholders such as Vrublevsky.
On 7th (?) of June lawyer Ajvar has submitted to the Moscow State Court the appeal on arrest of Vrublevsky. This appeal will be considered within 10 days.

The virus program ​has been written down on a DVD-disk when he was present at expertise in Group-IB.

During hearings on 10th  of June lawyers managed to receive convincing information that the virus program blocked the payment system, according to the investigation, written down on a DVD-disk considered by court, as basic proof against programmer, Dmitry Artimovich, on September 22nd, 2010 when the disk, according to evidences, was at Group-IB - as they say on the website, «one of the leading international companies on prevention and investigation of cybercrimes and fraud using high technologies» where it have been sent for research from Investigatory Department of FSB.
The expert of Kaspersky Laboratory, Grigory Anufriev, invited by prosecution, and expert Alexander Andriishin who works as programming engineer in "Information Innovation Company" LLC, invited by the defense, on termination of detailed examination of electronic devices (two laptops and a DVD-disk) testifying have solidary confirmed that the program has been created on 17th of September, and written down on a DVD-disk 5 days later, on September, 22nd, 2010. This information can affect a court course as on this disk, according to the state accuser, the virus program is written down.
Earlier state accuser asserted that this virus was obtained during special investigative activities from technical communication channels used by programmer Dmitry Artimovich up to August 11th, 2010. However, after lawyers with the assistance of the invited experts established that the virus program had been created on 17th of September, and then written down on a disk on 22nd of September 2010 - more than in a month after it has been ostensibly extracted by inspectors during special investigative activities, previously declared version of vents from side of investigation appears to be unpersuasive.
The answers which were given by both experts differed only in regard with phraseology, but not sense. So Grigory Anufriev, carefully selecting each word, explained that on 17th of September the program has been assembled in an executed file from initial texts. PETools program shows date of compilation of a virus file - 17th September. Alexander Andriishin in another words said that the date of 17th September is shown as the date when the program has been created from initial files.
Certain interest was represented also by checking whether one of the laptops obtained from Igor Artimovich have been switched on after confiscation. Expert Anufriev and expert Andriishin have agreed that on June 9th, 2010 before a search took place the laptop was switched off, but there are obvious signs that next day - 10th of June, it was used.
Lawyers tried to understand, whether Artimovich somehow could program his laptop so that it would start working automatically on next day.
Alexander Andriishin has confirmed that «it is almost improbable», but it is "theoretically possible".
Grigory Anufriev has expressed less unequivocal opinion, having noticed that he did not experiment with the PGP-program during examination. «If the computer has been switched off, and then someone wanted to log in, that, I believe, the password [nevertheless] was necessary, but, considering that I did not carry out experiment, I cannot exclude possibility of non-standard inclusion».
The nearest judicial hearings on concerning this case are planned on 10th of June, at 13:00, and from June, 18th the judge plans to begin interrogation of defendants. Judging by many signs, the case is reaching its finish line.