Sunday, September 16, 2007

Anti-P2P company suffers major security breach

MediaDefender, a company that attempts to disrupt the sharing of copyrighted material owned by its clients on peer-to-peer filesharing networks, has suffered an embarrassing security breach--the leaking of 700 MB of emails from senior employees in the company. The leak allegedly occurred because one senior employee was forwarding company email to his Gmail account, and he used the same password for his Gmail account that he used to register for a P2P service of some kind.

This breach demonstrates the importance of adhering to corporate policies about use of external mail providers and using good password security--anything really important should have a unique password, not the same one used for accessing a variety of online websites and services.
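The forwarding half of that lesson is something a mail administrator can actually check for. Here is an added example (not from the original post or from MediaDefender) of the kind of audit a defender would run: it reads an export of auto-forwarding rules and flags every rule that sends mail to a domain outside the organization. The line format (`mailbox -> destination, destination`) and the domains `corp.example` and `personal-mail.example` are constructed for the example; a real mail system has its own export format and would need its own parser.

```python
"""Audit mail auto-forwarding rules for forwards to external domains.

Added example, not code from the original post. Assumes a forwarding-rule
export in a constructed line format:
    <mailbox> -> <destination>[, <destination>...]
one rule per line, '#' starting a comment. Real mail systems export rules in
their own formats; only the constructed sample below is handled here.
"""
from dataclasses import dataclass

# Assumption: the organization's own mail domains. Anything else is external.
INTERNAL_DOMAINS = {"corp.example", "mail.corp.example"}

# Constructed sample export (not real data). Only bob forwards externally.
SAMPLE_RULES = """\
# mailbox -> destinations
alice@corp.example -> alice@mail.corp.example
bob@corp.example -> bob.personal@personal-mail.example, bob@corp.example
carol@corp.example -> carol@corp.example
dave@corp.example -> DAVE@Corp.Example
"""


@dataclass(frozen=True)
class Finding:
    """One forwarding rule that leaves the organization."""
    mailbox: str
    destination: str


def _domain(address: str) -> str:
    """Return the lowercased domain part of an e-mail address."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed address: {address!r}")
    return domain.lower()


def parse_rules(text: str) -> dict[str, list[str]]:
    """Parse the constructed export format into {mailbox: [destinations]}."""
    rules: dict[str, list[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "->" not in line:
            raise ValueError(f"line {lineno}: expected '<mailbox> -> <destinations>'")
        mailbox, dests = (part.strip() for part in line.split("->", 1))
        rules[mailbox.lower()] = [d.strip() for d in dests.split(",") if d.strip()]
    return rules


def external_forwards(rules: dict[str, list[str]],
                      internal_domains=INTERNAL_DOMAINS) -> list[Finding]:
    """Return every (mailbox, destination) pair whose destination is external.

    Domain comparison is case-insensitive, so 'DAVE@Corp.Example' is internal.
    """
    internal = {d.lower() for d in internal_domains}
    findings = []
    for mailbox, dests in rules.items():
        for dest in dests:
            if _domain(dest) not in internal:
                findings.append(Finding(mailbox, dest.lower()))
    return findings


def audit(text: str = SAMPLE_RULES) -> list[Finding]:
    """Parse an export and return the external-forward findings."""
    return external_forwards(parse_rules(text))


if __name__ == "__main__":
    for finding in audit():
        print(f"EXTERNAL FORWARD: {finding.mailbox} -> {finding.destination}")
```

Run it on the constructed sample and the only finding is bob's forward to `personal-mail.example`; the mixed-case internal address is correctly left alone. The point of the check is that a forward like the one described in the post is visible to the organization before the external account's password becomes the weakest link.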

UPDATE: It's now being claimed that MediaDefender's phone systems have also been compromised for the last nine months, and a 25-minute phone call between MediaDefender and the New York Attorney General's office is circulating, as well as a transcript. The transcript indicates that the AG's office was concerned (rightly so, apparently) about a possible mail server compromise at MediaDefender; the MediaDefender representative states at one point that he is speaking over a VoIP connection.

UPDATE: It seems the record companies are using information about P2P downloads collected by MediaDefender to make marketing decisions. Here's a quote from one of the leaked emails (quoted from Slashdot):
Subject: Nicole Scherzinger
Date: Fri, 24 Aug 2007 15:14:31 -0700

Nicole from pussy cat dolls has a single called "whatever u like". It's not selling well on itunes or playing that great on radio. A song called "Baby Love" just leaked (I don't know how long ago). Interscope wants to know if Baby Love is picking up steam on p2p. They need to make a decision by early next week on whether they should switch to this song as the single. Please get me a score comparison on Monday for these two tracks. Also, please put beyonces, fergie, gwen, and nelly furtado singles as comparisons.

UPDATE (September 17, 2007): Ars Technica has a good summary of the breach and of what the leaked information shows about MediaDefender's video upload service, MiiVi (apparently designed to encourage the upload of copyrighted content as a sort of sting operation). MediaDefender says it was an "internal project" that was supposed to be password protected but was inadvertently made public.

CNet has a story on MediaDefender which notes:

Some of the tactics employed by the movie and music industries in their fight against copyright infringement have come under scrutiny of late. The Motion Picture Assoc. of America acknowledged recently that it paid a hacker $15,000 to obtain private e-mails belonging to TorrentSpy, a company accused by the MPAA of encouraging file sharing.

The MPAA said it believed the e-mails were legally obtained.

In that case, the MPAA obtained the emails from a former TorrentSpy business associate, Robert Anderson, who signed an agreement saying that he obtained the emails legally, telling the MPAA he obtained them from an "informant." The CNet article on that controversy says that "records show" that Anderson "allegedly 'hacked' into TorrentSpy's e-mail system and rigged it so that 'every incoming and outgoing e-mail message would also be copied and forwarded to his anonymous Google e-mail account.'" In other words, it has some similarities to the MediaDefender case--likely unauthorized forwarding of email (though Anderson may not have had any authority to see those emails at all), and obtaining the email from a Gmail account (though in the MediaDefender case the mail was obtained by someone other than the owner of the account).
