A team of Ukrainian cyber-activists has thought of a simple yet potentially effective way to spread uncensored information in Russia: bundling torrents with text and video files pretending to include installation instructions.
Hijack Download Torrent
The initiative creates torrents that contain a text file with a list of credible news sources that Russians can trust and instructions on downloading and installing a VPN to secure anonymity from ISPs.
This also applies to entertainment, as even Russian cinemas are now showing pirated Hollywood movies without fearing legal prosecution, and people download TV series episodes from P2P networks in response to the exit of streaming services from the country.
The torrents are uploaded to popular torrent tracking platforms that pirates use for searching, and thanks to volunteers who seed them aggressively, they rise in popularity and rank high in tracker results.
Torrent poisoning is intentionally sharing corrupt data or data with misleading file names using the BitTorrent protocol. This practice of uploading fake torrents is sometimes carried out by anti-infringement organisations as an attempt to prevent the peer-to-peer (P2P) sharing of copyrighted content, and to gather the IP addresses of downloaders.[1]
Decoy insertion (or content pollution) is a method by which corrupted versions of a particular file are inserted into the network. This deters users from finding an uncorrupted version and also increases distribution of the corrupted file.[2] A malicious user pollutes the file by converting it into another format that is indistinguishable from uncorrupted files (e.g. it may have similar or the same metadata). In order to entice users to download the decoys, malicious users may make the corrupted file available via high-bandwidth connections.[3] This method consumes a large amount of computing resources, since the malicious server must respond to a large quantity of requests.[4] As a result, queries return principally corrupted copies, such as a blank file or executable files infected with a virus.[5] There have been cases in which a company created a special version of its own game, with undocumented hidden functionality that made it impossible to win, and published it on file-sharing services advertised as cracked.
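The defence a BitTorrent client has against polluted or garbage chunks is the per-piece SHA-1 list in the .torrent info dictionary, and the infohash over that dictionary is what distinguishes a decoy torrent from the genuine one even when name and size match. The following added example (not code from any of the projects or articles quoted on this page) builds a tiny info dictionary from constructed sample data, flags a poisoned piece, and shows that a same-size decoy yields a different infohash; the piece length is shrunk to 16 bytes purely for readability.

```python
import hashlib

def bencode(obj):
    """Minimal bencode encoder (int, bytes, list, dict with sorted byte keys),
    enough to serialise a .torrent 'info' dictionary."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:" % len(obj) + obj
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted(obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("unsupported type %r" % type(obj))

def piece_hashes(data, piece_length):
    """SHA-1 of every piece, concatenated as stored under the 'pieces' key."""
    return b"".join(hashlib.sha1(data[i:i + piece_length]).digest()
                    for i in range(0, len(data), piece_length))

def info_dict(name, data, piece_length):
    return {b"name": name, b"length": len(data), b"piece length": piece_length,
            b"pieces": piece_hashes(data, piece_length)}

def infohash(info):
    """Hex infohash: SHA-1 over the bencoded info dict. Identical name and
    length but different content gives a different infohash, so a decoy is a
    distinct torrent rather than a corrupted copy of the original."""
    return hashlib.sha1(bencode(info)).hexdigest()

def bad_pieces(received, info):
    """Indices of received pieces whose SHA-1 does not match the published
    list. A client discards these and re-requests them from other peers."""
    plen, pieces = info[b"piece length"], info[b"pieces"]
    return [i for i in range(len(pieces) // 20)
            if hashlib.sha1(received[i * plen:(i + 1) * plen]).digest()
            != pieces[i * 20:(i + 1) * 20]]

# Constructed sample content (56 bytes -> 4 pieces of 16, 16, 16, 8 bytes).
PIECE_LENGTH = 16
GENUINE = b"The quick brown fox jumps over the lazy dog. BitTorrent!"
INFO = info_dict(b"sample.txt", GENUINE, PIECE_LENGTH)

# Garbage-chunk poisoning: a peer sends piece 1 as zeros; the hash check catches it.
POISONED_DOWNLOAD = GENUINE[:16] + b"\x00" * 16 + GENUINE[32:]

# Decoy insertion: same name and length, different content, different infohash.
DECOY_INFO = info_dict(b"sample.txt", GENUINE.replace(b"fox", b"cat"), PIECE_LENGTH)
```

Piece hashing only protects a download once the genuine info dictionary is in hand; a decoy works because the user selected the wrong torrent before any piece was fetched, which is why comparing infohashes from a trusted source matters.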
This method targets the index found in P2P file sharing systems. The index allows users to locate the IP addresses of desired content. Thus, this method of attack makes searching difficult for network users. The attacker inserts a large amount of invalid information into the index to prevent users from finding the correct resource.[3] Invalid information could include random content identifiers or fake IP addresses and port numbers.[5] When a user attempts to download the corrupted content, the server will fail to establish a connection due to the large volume of invalid information. Users will then waste time trying to establish a connection with bogus users thus increasing the average time it takes to download the file.[3] The index poisoning attack requires less bandwidth and server resources than decoy insertion. Furthermore, the attacker does not have to transfer files nor respond to requests. For this reason, index poisoning requires less effort than other methods of attack.[4]
This method of attack prevents distributors from serving users and thus slows P2P file sharing. The attacker's servers constantly connect to the desired file, which floods the provider's upstream bandwidth and prevents other users from downloading the file.[6]
Selective content poisoning (also known as proactive or discriminatory content poisoning) attempts to detect copyright violators while allowing legitimate users to continue to enjoy the service provided by an open P2P network. The protocol identifies a peer by its endpoint address, while the file index format is changed to incorporate a digital signature. A peer authentication protocol can then establish the legitimacy of a peer when she downloads and uploads files. Using identity-based signatures, the system enables each peer to identify infringing users without the need for communication with a central authority. The protocol then sends poisoned chunks to these detected users, and only in response to their requests for a copyright-protected file. If all legitimate users simply deny download requests from known infringers, the latter can usually accumulate clean chunks from colluders (paid peers who share content with others without authorization). However, this method of content poisoning forces illegitimate users to discard even clean chunks, prolonging their download time.[7]
Voluntary Collective Licensing and the Open Music Model are theoretical systems where users pay a subscription fee for access to a file-sharing network, and are able to legally download and distribute copyright content.[8] Selective content poisoning could potentially be used here to limit access to legitimate and subscribed users, by providing poisoned content to non-subscribed users who attempt to illegitimately use the network.[9]
In this attack, the attacker joins the targeted swarm and establishes connections with many peers. However, the attacker never provides any chunks (authentic or otherwise) to the peers. A common version of this attack is the "chatty peer" attack. The attacker establishes connection with targeted peers via the required handshake message, followed by a message advertising that they have a number of available chunks. Not only does the attacker never provide any chunks, they also repeatedly resend the handshake and message. These attacks prevent downloads as, essentially, the peer wastes time dealing with the attacker, instead of downloading chunks from others.[11]
There are several reasons why content providers and copyright holders may not choose torrent poisoning as a method for guarding their content. First, before injecting decoys, content providers normally have to monitor the BitTorrent network for signs that their content is being illegally shared (this includes watching for variations of files and files in compressed formats).
This process can be expensive and time-consuming. As a result, most poisoning is only continued for the first few months following a leak or release.[6] Second, it is also unlikely that torrent poisoning can be successful in disrupting every illegal download.
Instead, the aim of content providers is to make illegal downloads statistically less likely to be clean and complete, in the hope that users will be discouraged from illegally downloading copyright material. Content providers and copyright holders may decide that the financial outlay is not worth the end result of their efforts.
In 2005, it was reported that HBO was poisoning torrents of its show Rome by providing chunks of garbage data to users.[21] HBO was also reported to have sent cease-and-desist letters to the Internet service providers (ISPs) of downloaders it believed had illegally downloaded episodes of The Sopranos.
After an unauthorized copy of Michael Moore's movie Sicko was uploaded online, it became a hit on P2P websites such as Pirate Bay. MediaDefender was hired to poison torrents using decoy insertion.[25]
On 19 October 2007 the Associated Press (AP) released information accusing the broadband service provider Comcast of "hindering" P2P file-sharing traffic.[27] Tests conducted by AP showed that Comcast hindered the uploading of complete files to BitTorrent. The Federal Communications Commission conducted public hearings in response to the allegations. Comcast argued that it was regulating network traffic to enable reasonable downloading times for the majority of users.[28] On 21 August 2008 the FCC issued an order which stated that Comcast's network management was unreasonable and that Comcast must terminate the use of its discriminatory network management by the end of the year. Comcast complied with the order and appealed. On 6 June 2010, the United States Court of Appeals for the District of Columbia Circuit vacated the FCC order in Comcast Corp. v. FCC.
In March, the website of the Transmission torrent client was hacked, and a maliciously altered copy of Transmission was uploaded in place of the real one. That incident was very well publicized, as the malware being distributed this way was the KeRanger ransomware, which is currently the only real ransomware ever to affect the Mac platform.
More generally, any time you are running something like a torrent client, you are giving a lot of trust to that program. After all, a torrent client is not only a downloader, it is also a server, designed to allow strangers to download from your computer. (Torrents are designed to facilitate peer-to-peer downloads, meaning that you download from other people rather than from a central server that may get bogged down.)
Thus, torrent apps can be a huge hole in your Mac's security if they aren't properly configured or have vulnerabilities that can be attacked remotely. Any app that opens up your computer to remote connections by strangers is a potentially highly dangerous app.
If you're using a different torrent app, be very cautious about which one and how you use it. With other Mac torrent apps (such as uTorrent) guilty of installing adware on the user's Mac, it may be difficult to find one worthy of trust.
Who signed that app?
To be fair, such a hack could easily be repeated with many other small Mac developers who don't have adequate security practices. The core of the issue, above and beyond the issue of hacking a website, is that it is trivial to hack an app without most users noticing.
What can the average user do about this? Although it will seem to be inconvenient, it's important to check the certificate used to sign an app before opening it. For example, if you are downloading an app made by Adobe, it would be a good idea to verify that the certificate is actually issued to Adobe.
"A specially crafted torrent file can cause a buffer overflow in Opera," said Opera in a security advisory yesterday. "This allows arbitrary code to be injected and executed." An exploit can be triggered if a user right-clicks on a specially crafted torrent file entry in the browser's built-in download manager.