Security

MediaDefender's "Swedish" Hackers Attempted to Hack AG Computer

The hackers who stole and posted more than 6,000 e-mails from anti-piracy firm MediaDefender also attempted to break into a server belonging to the New York attorney general’s office, according to two of the internal MediaDefender e-mails that were posted online. The two e-mails, written to MediaDefender early on the morning of August 30 by […]

Randy_saaf_media_defender_500px

The hackers who stole and posted more than 6,000 e-mails from anti-piracy firm MediaDefender also attempted to break into a server belonging to the New York attorney general's office, according to two of the internal MediaDefender e-mails that were posted online.

The two e-mails, written to MediaDefender early on the morning of August 30 by members of the attorney general's staff, show that MediaDefender was aware at that time -- two weeks before the hackers posted the 6,000+ e-mails online -- that it might have been hacked. (The two e-mails also clear up the mystery around when a recorded MediaDefender phone call, that was also posted online by the hackers, occurred. See the end of this post for details about that.)

The two e-mails discuss a series of failed login attempts on a server at the attorney general's office. The person who attempted to log in to the server used information that the AG office had sent MediaDefender via e-mail the day before. The attempts by the hacker apparently failed because by the time he tried to break in to the AG server, MediaDefender had already changed its login and password for that server.

In the first of the two e-mails discussing the attempted break-in, Bradley Bartram, an intelligence analyst with the attorney general's office, tells MediaDefender employees that he had been reviewing the security logs on a server that morning -- a server that the AG office had set up to work on a child porn project with MediaDefender -- and came across a listing of failed login requests that appeared to originate from Sweden.

At 7:23 Eastern Time this morning, an ip from, what appears to be sweden, connected to the server using your username, made two failed password entries and then disconnected 4 seconds after the initial connection.

Are you aware of any of your people working on this project coming from a Scandinavian ISP and connecting to our system?

On that note, do you have a list of ip addresses that you would be accessing the server from so that I can update the ACL accordingly? Considering the nature of the information being collected, I would like to restrict access as much as possible.

Thank you.

Brad Bartram

A second e-mail to MediaDefender from Michael McCartney, a special investigator in the attorney general's office, indicates that the AG office was alarmed that the hacker might have obtained information to attempt the logins from an e-mail the AG office had sent MediaDefender the day before.

From: Michael McCartney

Sent: Thu 30-Aug-07 08:01

To: Ben Grodsky; Jay Mairs; Bradley Bartram

Subject: Re: Questions after morning log review

Jay:

Is this one of your engineers? Because if not, this is very disturbing! Who ever this was obviously had the non standard port as well as your user name to attempt these logins. This leads me to believe that your system is compromised and/or our communications were either sniffed or accessed providing this fella with much of the relevant information to attempt access. As of now, all out side access has been disabled until we can figure this out further.

Please let me know what you have learned about this as soon as possible.

Michael G. McCartney

Sr. Special Investigator

New York State Office of the Attorney General

Statler Towers

107 Delaware Avenue, Room 4-130

Buffalo, New York 14202

A group calling itself MediaDefender-Defenders has claimed responsibility for stealing the 6,000+ e-mails from MediaDefender and posting them on BitTorrent last Saturday. It's likely that the same hacker or hackers is responsible for the failed login attempts on the AG server. The group also posted a database taken from a MediaDefender server and a recorded phone call between MediaDefender and the New York attorney general's office.

In the phone call, McCartney and Bartram from the AG office further discuss the possibility that the person in Sweden who attempted to log into the server intercepted an e-mail. The parties don't say specifically which e-mail they think the hacker might have intercepted. I wrote in a story earlier this week that I thought they might have been referring to an internal MediaDefender e-mail that had been posted online back in July on a site called ZeroPaid. That was the first internal MediaDefender e-mail that was exposed. It discussed a list of file-sharing networks that MediaDefender was proposing to monitor for Fox Studios.

It now appears that the e-mail referred to in the phone call is the one that the AG office sent to MediaDefender on August 29th, listing the IP address of the AG server as well as the login and password the AG had set up to allow MediaDefender to obtain access to the server -- a server that has now, presumably, been taken offline. This means the phone call must have taken place a day or two after August 30th, when the two e-mails (published above) were sent.

The August 29th e-mail disclosing the AG IP address and login and password info was among the 6,000+ that the "Swedish" hackers posted on BitTorrent a week ago.

From: Bradley Bartram

To: Ben Grodsky; Jay Mairs

Cc: Michael McCartney

Sent: Wed Aug 29 06:29:54 2007

Subject: Access to OAG Server

You should be all setup for direct access into our servers. For ssh access, the address is 72.45.198.191:2551 - This is a non standard port.

Your username is mediadefender and the password is m3diad3fender

Please change your password on first login. I have granted this user full sudo access, so you shouldn't have any problems installing your software.

This system has full internet capability, so you should have no problem getting any packages you need.

The system is a dell poweredge 1950 with 2GB of ram and an attached MD1000 storage array mounted at /spool. Please configure your software so that all original collected data gets stored on this external array.

As I mentioned yesterday, please make a log of all software updated, added, removed from the system so that we can keep an accurate log of the system.

That should be enough to get you started. Of course, if you have any problems or questions let me know.

Brad Bartram

As I've mentioned previously, in that recorded phone call between the AG office and MediaDefender about the login attempts from Sweden, Ben Grodsky of MediaDefender assures the AG staff that his company's system has not been compromised and that it is completely secure. See this transcript of the phone call that someone has posted online.

Of course, we now know that wasn't the case. And since the initial 6,000+ e-mails were posted online, it now appears that MediaDefender shouldn't only be concerned about outside hackers obtaining sensitive company data. A note from the hackers posted on BitTorrent yesterday suggested that new info has come to them from a MediaDefender employee. The note accompanied source code that the hackers obtained for MediaDefender tools used to thwart people who illegally trade copyrighted content on file-sharing networks. In the note, the hackers thanked a MediaDefender employee for the source codes.

Photo: AP/Damien Dovarganes -- image shows MediaDefender CEO Randy Saaf (left) and Business Development VP Octavio Herrera.

See Also: