A Chinese technology firm has been siphoning text messages and call records from cheap Android-based mobile smart phones and secretly sending the data to servers in China, researchers revealed this week. The revelations came the same day the White House and the U.S. Department of Homeland Security issued sweeping guidelines aimed at building security into Internet-connected devices, and just hours before a key congressional panel sought recommendations from industry in regulating basic security standards for so-called “Internet of Things” (IoT) devices.

At the center of the spyware controversy is software made by Shanghai ADUPS Technology, a Chinese firm whose product touts the ability to wirelessly update software installed on mobile and and IoT devices. The ADUPS technology is typically bundled with smart phones made by dozens of global wireless firms including ZTE, BLU and Huawei, and sold at popular consumer destinations like Amazon and BestBuy. Often retailing for between $50 and $100, the sleek and powerful devices sell so cheaply because they also require the user to accept on-screen advertisements.

According to research released this week, the low up-front cost of these smart phones may be subsidized not just by ads but by also by the theft of private information stolen from users. Researchers at Fairfax, Va.-based security firm Kryptowire say the ADUPS software gives the company near-total control over the devices that it runs on, and that they have proof ADUPS has abused that control to siphon personal data from countless consumers.

Kryptowire researchers say they stumbled upon ADUPS’s spyware capabilities by accident after purchasing a $59 BLU R1 HD smart phone from Amazon.com for use during international travel. Prying apart the phone and the ADUPS software, they discovered that all call records and text messages to and from the device were being digitally copied, encrypted and secretly forwarded to a server in Shanghai, China every 72 hours.

They also learned that ADUPS’s product was able to mine user text messages for specific strings of text, as well as install and remove any software from host devices.

“This behavior cannot be detected by mobile anti-virus tools because they assume that software that ships with the device is not malware and that it is white-listed,” Kryptowire wrote in an advisory published Tuesday. “We were able to capture, decrypt, and trace the data on the network as they were sent to multiple server locations that are located in Shanghai, China.”

In a statement posted to its Web site, ADUPS said it collects “model information, device status, application information, bin/xbin information and summary information from phones and messages,” and that it has done so “in response to user demand to screen out junk texts and calls from advertisers.”

ADUPS further claims that the functionality was added in June 2016 to some Blu Product Inc. devices, and that it has since shipped an update through its firmware updating software to disable the spying functionality on Blu phones.

But Azzedine Benameur, director of research at Kryptowire, said ADUPS’s software — deeply embedded alongside the operating system on these mobile devices — gives it full ability to re-enable the spyware capabilities at any time. He says ADUPS’s public response to their research raises more questions than it answers.

“They do not provide how many devices were affected and how the data were used,” Benameur said. “Also, they don’t mention who had access to that data, including third parties and the Chinese government. Also, there might be other [manufacturers] and device models affected that ADUPS does not mention.”

ADUPS claims on its Web site to have worldwide presence with more than 700 million active users, and that its firmware is integrated into “more than 400 leading mobile operators, semiconductor vendors and device manufacturers spanning from wearable and mobile devices to cars and televisions.”

“This is just one random device of theirs that we looked at,” Benameur said. “For a company that claims to provide over-the-air updates for 700 million devices, including cars and millions of IoT devices…this is really scary and unacceptable behavior.”

ADUPS’s current site promises the company’s partners “big data analytics” and higher profit for partners. Earlier versions of the same page from 2015 and cached at the Internet Archive promise partners a slightly less euphemistic menu of services, from an “app push service,” and “device data mining” to “unique package checking” and “mobile advertising.” Interestingly, this story from January 2015 documents how ADUPS’s software has been used to install unwanted apps on customer mobile devices.

As for the Blu R1 HD phone? Benameur said it would be nice if it came with a disclosure that owners can expect zero privacy or control while using it. Aside from that? “At $59, it’s a steal,” Benameur said. “Minus the spyware, it’s a great phone.”

NEW IOT REGULATIONS?

The ADUPS scandal, first reported by The New York Times, comes as U.S. lawmakers are under increasing pressure to legislate basic software security standards for Internet-connected devices. Many low-cost IoT devices — from consumer routers to security cameras and digital video recorders (DVRs) — ship with little to no security built in. This has left millions of consumer devices ripe for exploitation by malicious hackers who enslave the devices in powerful cyber attacks designed to knock Web sites offline and otherwise disrupt Internet services.

Two of those attacks — an hours-long digital siege in October against Internet infrastructure provider Dyn, and a September attack that crippled KrebsOnSecurity for days — harnessed the computing power and network bandwidth of hundreds of thousands of Internet-based cameras and DVRs that were secured with the same default password and configured to be remotely controllable over the Web. A Chinese manufacturing firm whose electronics featured prominently in many of the IoT devices used in those attacks recently said it was issuing a recall for millions of the vulnerable devices — which were shipped with user credentials that were hard-coded into the devices and that could not be easily changed by users.

Both the attack on Dyn and against this site were referenced on multiple occasions today by lawmakers and witnesses to a U.S. House Energy & Commerce Committee hearing titled “Understanding the Role of Connected Devices in Recent Cyber Attacks.”

Bruce Schneier, a security expert who has long advocated holding software vendors legally liable for producing fundamentally flawed and/or insecure products, said the IoT attacks and this latest scandal with ADUPS are examples of a market failure that is crying out for government regulation.

“In many ways, the Dyn attack was benign,” Schneier said in his written testimony. “Some websites went offline for a while. No one was killed. No property was destroyed. But computers have permeated our lives. The Internet now affects the world in a direct physical manner. The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. We are connecting cars, drones, medical devices, and home thermostats. What was once benign is now dangerous.”

Schneier encouraged lawmakers to think about commercial software and hardware that gets shipped with junk security as a form of pollution: But instead of pumping liquid toxic waste into thinly-lined man-made cesspools, many makers of low-end electronics are churning out default-insecure products that will likely remain in operation — and therefore a public nuisance — for many years to come.

“We’re asking consumers to shore up lousy products,” Schneier told the committee. “It shouldn’t be that there are default passwords. These devices are low profit margin, they’re made offshore. And the buyer and seller don’t care. I might own this DVR, you might own it. You don’t know if it’s secure or not. You can’t test it. And you fundamentally don’t care. You bought it for the features and the price.”

Rep. Anna Eshoo (D-Calif.) called attention to a bill she’s offered — the Promoting Good Cyber Hygiene Act of 2015 — that calls on government regulators to develop best practices aimed at boosting public and private sector network security. As noted above, the White House and the Department of Homeland Security both did just that on Tuesday, each issuing guidelines on cybersecurity for IoT devices.

“We need a good housekeeping seal of approval on this, and my bill called for NIST [the National Institute of Standards and Technology] to set the standards — not Congress — because we really don’t know anything about that, and when we miss the mark we miss it by a wide mile,” Eshoo said.

Indeed, some experts have advocated creating a sort of government-approved Underwriters Laboratories for cybersecurity that would perhaps imprint its seal of approval on certified IoT devices. But Schneier said most consumers are unlikely to be moved by “a sticker that says this device costs $20 more and is 30 percent less likely to annoy people you don’t know.”

Instead, he suggested Congress should create a new federal agency to regulate basic secure design standards for IoT devices. “A U.S.-only regulatory system will affect the products in the rest of the world because this is software,” Schneier said. “Companies will make one software and sell it everywhere. It makes no sense for anyone to come up with two versions of their software.”

Rep. Eshoo called the prospect of creating new bureaucracy in a Republican controlled Congress and White House an idea that was “dead in the water.”

“We have a continuing new, new majority and I don’t think they want to create a new agency,” Eshoo said. “They don’t like stuff like that. New agencies, new regulations, we’re dead in the water. But we can’t leave this issue dead in the water. Our country deserves better.”

If this Congress or the next is reluctant to mandate basic cybersecurity standards for IoT devices, they may soon find themselves forced to legislate in a hurry when people start dying because of IoT insecurity, Schneier said.

“The government is getting involved here regardless,” he said. “The risks are too great and stakes are too high, and nothing motivates government into action [more] than security and fear. In 2001, we had another small-government, no-regulation administration produce a new federal agency 44 days after the terrorist attacks. If something similar happens with the Internet of Things, we’re going to have a similar response. I see the choice here not between government involvement and no government involvement, but between smart government and stupid government. This is the world of dangerous things, and we regulate dangerous things.”

Emphasizing that point, Kevin Fu, chief executive at healthcare security provider Virta Laboratories, told the panel that healthcare and medical device community dodged a bullet on the Dyn attack.

“Hospitals survived not by design, but by luck. The adversary did not target healthcare. This time,” Fu said in his written testimony (PDF). “Dyn represents a single point of failure for resolving Internet names, but hospitals have other kinds of single points of failure. For instance, heating and ventilation now resembles IoT with unpatched computers controlling negative pressure in units with highly infectious diseases.”

Such attacks, he said, have very quickly moved from the theoretical to real life. Earlier this month, a denial-of-service attack like the one that knocked my site and Dyn offline was reportedly used to shut off environmental controls at two apartment buildings in Finland, temporarily leaving residents there without heat or hot water for several days. Also this month, a hospital in the United Kingdom was forced to cancel surgeries and divert trauma patients to nearby hospitals after a cyberattack shut down its internal systems.

Fu urged Congress to study the feasibility of standing up an independent, national embedded cybersecurity testing facility modeled after the automotive crash testing conducted by the National Transportation Safety Board (NTSB). Such a center, he posited, could serve as a security test-bed for everything from consumer IoT devices to far more sensitive medical equipment and embedded health and safety devices, more of which are being connected to the Internet each day.

“The Mayo Clinic reportedly spends roughly $300K per medical device to perform security assessment, and they have thousands of models of devices,” Fu explained. “It makes little economic sense to have individual hospitals testing the security of devices that ought to remain secure for all 6,000 hospitals in the USA. Cybersecurity ought to be a public good much like automobile safety. Imagine if every car dealer were individually responsible for crash testing automobiles: costs would skyrocket and the public would have little confidence. A facility for embedded cybersecurity at the scale of a hospital could provide testing to both government and industry, while allowing students to conduct innovative research during surplus time.”

Fu also suggested that the government could do a much better job working with industry partners to encourage more people to pursue careers in cybersecurity.

“There are tens of thousands of unfilled cybersecurity jobs in the USA,” Fu said. “Existing approaches aren’t insufficient to train a large enough work force to counter growing cybersecurity threats against IoT devices, our economy, and infrastructure.”

Whether or not Congress tries to improve IoT security, miscreants who leverage poor IoT security for criminal purposes will continue their search for additional systems that can be rented out in denial-of-service attacks or used in high-stakes digital shakedowns for money, said Dale Drew, chief security officer at Level 3 Communications.

“Bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices that can detect and remove the threats,” Drew said.  “Network operators, device manufacturers and users will need to remain vigilant to the security risks these devices present.”

Less than six hours after Donald Trump became the presumptive president-elect of the United States, a Russian hacker gang perhaps best known for breaking into computer networks at the Democratic National Committee launched a volley of targeted phishing campaigns against American political think-tanks and non-government organizations (NGOs).

That’s according to a new report from Washington, D.C.-based cyber incident response firm Volexity. The firm’s researchers say they’ve been closely monitoring the activities of an well-established Russian malware development gang known variously as Cozy Bear, APT29, and The Dukes.

Hacking attacks launched by The Dukes were thought to be connected to intrusions at the Democratic National Committee (DNC), as well as cyber break-ins at multiple high-profile United States Government organizations, Volexity reports in a blog post published Thursday morning.

Last month, the Obama administration publicly acknowledged for the first time that it believed that the Russian government was responsible for stealing and disclosing emails from the DNC and a range of other institutions and prominent individuals, most recently Hillary Clinton’s campaign chairman, John D. Podesta. The emails were posted on WikiLeaks and other sites.

Volexity CEO Steven Adair said The Dukes have launched at least five sorties of email-based malware phishing attacks since Trump’s acceptance speech, and that the malware campaigns are ongoing.

“Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a postmortem analysis into the elections,” Adair wrote.”Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged. The last attack claimed to be a link to a PDF download on “Why American Elections Are Flawed.”

According to Volexity, in July 2015 the Dukes started heavily targeting think tanks and NGOs.

“This represented a fairly significant shift in the group’s previous operations and one that continued in the lead up to and immediately after the 2016 United States Presidential election,” Adair wrote.

Prior to the election, The Dukes were active on August 10, 2016 and on August 25, 2016, launching several waves of highly targeted spear phishing attacks against several U.S.-based think tanks and NGOs.

“These spear phishing messages were spoofed and made to appear to have been sent from real individuals at well-known think tanks in the United States and Europe,” Adair wrote. “These August waves of attacks purported to be from individuals at Transparency International, the Center for a New American Security (CNAS),  the International Institute for Strategic Studies (IISS), Eurasia Group, and the Council on Foreign Relations (CFR).”

Adair said the more typical attacks from The Dukes come in the form of slightly less-targeted email blasts — often to just a few dozen recipients at a time — that include booby-trapped Microsoft Office documents.

When launched, the tainted Excel or Word document opens an actual file with real content, but it also prompts the target to enable “macros” — a powerful functionality built into Office documents that hackers can use to automatically download and run malicious code on a Windows system.

The Dukes prefer to launch the attacks using hacked servers and email inboxes belonging to unsuspecting, trusted workers at NGOs and U.S. government systems, Adair explained. Most often, he said, the intruders will repurpose a legitimate document found in one of these hacked inboxes and inject a sophisticated backdoor “trojan horse program.”

If the phishing target opens the document and has macros enabled in Microsoft Office — or allows macros to be run after the decoy document is shown — a malicious script embedded in the macro installs on the target’s system a powerful foothold for the attacker.

Adair said The Dukes have a well-earned reputation for coding and constantly improving their own custom backdoor trojans, but that they’re not known for using so-called “zero day” threats — previously unknown security weaknesses in software and hardware that knowledgeable attackers can use to remotely compromise a target’s computer just by loading a Web page or opening a document.

“In some ways, these guys seem kind of low-budget, but their macros are well-obfuscated and will sail right through just about any [antivirus] tool, appliance or cloud service,” Adair said in an interview. 

The Dukes also take great care not to phish security personnel at targeted organizations. For example, if the phishing target has macros enabled in Microsoft Office or allows them to be run after the decoy document is shown, a malicious script embedded in the macro executes a busy little program that scours the target’s computer for signs that it is running on an network administrator’s machine.

If the malicious script detects the user is “admin” or “administrator,” the infection goes no further and the malware shuts down. Likewise, it checks many other signs that it might be running in a “sandbox” environment — a test lab often used by security and malware researchers.

Adair said his although his research team doesn’t have specific insight into to how successful these latest espionage attacks may have been, The Dukes are an effective information- and resource gathering machine.

“My opinion is that if this group got access to a zero-day and it’s something they can embed in a document, they could devastate anyone they target,” Adair said. “This is a well-funded and in some respects professional organization. What they’re doing takes time and effort, and for eight plus years now they’ve been in continuous development of new backdoors. They’re continually targeting different verticals — universities, NGOs and governments — and they learn from others, retool and modify their attacks constantly.”

As The New York Times reported last month, “President Obama is weighing a ‘proportional’ response to Russia’s efforts to interfere with this fall’s election campaign through hacking.

Thursday morning, security vendor Kaspersky Lab warned that a massive cyberattack hit five of Russia’s largest banks. Kaspersky said in a statement that the distributed denial of service attacks (DDoS) began Tuesday at 1830 IST and targeted “the websites of at least five well-known financial institutions in the top 10” in Russia.

It remains unclear who launched the bank cyberattacks, which are reportedly ongoing. Kaspersky said the attack on Russia’s banking system is apparently being launched by a network of more than 24,000 hacked Internet of Things (IoT) devices, and that more than half of the hacked things were in the United States, India, Taiwan and Israel.

Further reading on the storied hacking history of The Dukes:

F-Secure calls them CozyDuke (PDF).  FireEye‘s take (PDF). Crowdstrike on Cozy Bear.

Let’s get this out of the way up front: Having “2016 election” in the headline above is probably the only reason anyone might read this story today. It remains unclear whether Republicans and Democrats can patch things up after a bruising and divisive election, but thanks to a special Election Day Patch Tuesday hundreds of millions of Adobe and Microsoft users have some more immediate patching to do.

As the eyes of the world stayed glued to screens following the U.S. presidential election through the night, Microsoft and Adobe were busy churning out a large number of new security updates for Windows, MS Office, Flash Player and other software. If you use Flash Player or Microsoft products, please take a deep breath and read on.

Regularly scheduled on the second Tuesday of each month, this month’s “Patch Tuesday” fell squarely on Election Day in the United States and included 14 patch bundles. Those patches fixed a total of 68 unique security flaws in Windows and related software.

Six of the 14 patches carry Microsoft’s most’s-dire “critical” label, meaning they fix bugs that malware or miscreants could use to remotely compromise vulnerable PCs without any help from users apart from maybe visiting a hacked or malicious Web site.

Microsoft says two of the software flaws addressed this week are already being exploited in active attacks. It also warned that three of the software vulnerabilities were publicly detailed prior to the release of these fixes – potentially giving attackers a head start in figuring out how to exploit the bugs.

“MS16-129 is our usual dogs breakfast of remote code execution vulnerabilities in the Microsoft Edge browser, impacting both HTML rendering and scripting,” said Bobby Kuzma, systems engineer at Core Security. “MS16-130 contains  a privilege escalation in the onscreen keyboard function from Vista forward. That’s great news for anyone running touchscreen kiosks that are supposedly locked down.”

As part of a new Microsoft policy that took effect last month, home and business Windows users will no longer be able to pick and choose which updates to install and which to leave for another time. Consumers on Windows 7 Service Pack 1 and Windows 8.1 will henceforth receive what Redmond is calling a “Monthly Rollup,” which addresses both security issues and reliability issues in a single update. The “Security-only updates” option — intended for enterprises and not available via Windows Update —  will only include new security patches that are released for that month. What this means is that if any part of the patch bundle breaks, the only option is to remove the entire bundle (instead of the offending patch, as was previously possible). 

It’s important to note that several update types won’t be included in a rollup, including those released for Adobe Flash Player on Tuesday. For the second time this month, Adobe issued a critical update for its ubiquitous Flash Player browser plugin. The newest Flash version — v.  23.0.0.207 and available here for both Windows and Mac computers — plugs at least nine more flaws in Flash. To see if you have Flash installed and if so what version is running, check this link.

Google users may need to restart the browser to install or automatically download the latest version. When in doubt, click the vertical three dot icon to the right of the URL bar, select “Help,” then “About Chrome”: If there is an update available, Chrome should install it then.

Somehow KrebsonSecurity neglected to mention the other critical update Adobe pushed for Flash on Oct. 26, 2016 (my bad folks, sorry). It’s really hard to keep up with Flash updates sometimes. That’s part of the reason I’ll continue to encourage readers to disable or remove Adobe Flash unless until it is needed for something specific. Fewer sites now require it, and leaving this buggy, powerful program enabled all the time is just asking for security trouble. Check out the advice at A Month Without Adobe Flash Player for tips on how to hobble or do without Flash entirely.

Indeed, Google reportedly is planning to phase out full support for Flash on its Chrome browser by the end of 2016. And Mozilla is now blocking certain Flash content deemed “not essential to the the user experience.” Specifically, as stated by Mozilla’s Benjamin Smedberg, Mozilla Firefox is blocking specific Flash content that is invisible to users.

“This is expected to reduce Flash crashes and hangs by up to 10%. To minimize website compatibility problems, the changes are initially limited to a short, curated list of Flash content that can be replaced with HTML,” Smedberg wrote back in June. “We intend to add to this list over time.”

For more on this week’s patches, check out coverage from security firms Qualys and Shavlik. And, as always, if you experience any issues downloading or installing any of these updates, please leave a note about it in the comments below.

KrebsOnSecurity received many a missive over the past 24 hours from readers who wanted to know why I’d not written about widespread media reports that Mirai — a malware strain made from hacked “Internet of Things” (IoT) devices such as poorly secured routers and IP cameras — was used to knock the entire country of Liberia offline. The trouble is, as far as I can tell no such nationwide outage actually occurred.

First, a quick recap on Mirai: This blog was taken offline in September following a record 620 Gpbs attack launched by a Mirai botnet. The source code for Mirai was leaked online at the end of September. Since then, the code has been forked several times, resulting in the emergence of several large Mirai-based botnets. In late October, many of the Internet’s top destinations went offline for the better part of a day when Mirai was used to attack Internet infrastructure firm Dyn.

Enter Kevin Beaumont, a security architect from Liverpool, England who on Thursday published a piece on Medium.com about an attack by Mirai against Liberia. Beaumont had been researching the output of an automated Twitter account set up by security researchers to monitor attacks from these various Mirai botnets. That Twitter account, @MiraiAttacks, burps out a tweet with each new Mirai attack, listing the targeted Internet address, the attack type, and the observed duration of the attack.

Beamont’s story noted that a botnet based on Mirai was seen attacking the telecommunications infrastructure in the West African nation of Liberia. Citing anonymous sources, Beaumont said transit providers confirmed an attack of more than 500 Gpbs targeting Liberia’s lone underseas large-transit Internet cable, which Beaumont said “provides a single point of failure for internet access.”

“From monitoring we can see websites hosted in country going offline during the attacks,” Beaumont wrote. “Additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack. The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.”

Not long after Beamont’s story went live, a piece at The Hacker News breathlessly announced that hackers using Mirai had succeeded in knocking Liberia off the Internet. The Hacker News piece includes nifty graphics and images of Liberia’s underseas Internet cables. Soon after, ZDNet picked up the outage angle, as did the BBC and The Guardian and a host of other news outlets.

The only problem that I can see with these stories is that there does not appear to have been anything close to a country-wide outage as a result of this Mirai attack.

Daniel Brewer, general manager for the Cable Consortium of Liberia, confirmed that his organization has fielded inquiries from news outlets and other interest groups following multiple media reports of a nationwide outage. But he could not point to the reason.

“Both our ACE submarine cable monitoring systems and servers hosted (locally) in LIXP (Liberia Internet Exchange Point) show no downtime in the last 3 weeks,” Brewer said. “While it is likely that a local operator might have experienced a brief outage, we have no knowledge of a national Internet outage and there are no data to [substantiate] that.”

Yes, multiple sources confirm that Mirai was used to launch an attack exceeding 500 Gbps against a mobile telecom provider in Liberia, but those sources also say the provider in question had a denial-of-service attack mitigation plan in place that kicked into action shortly after the attack began.

This was confirmed in a tweet on Thursday by Dyn. The company said in a separate tweet that routing in Liberia has been stable for days.

Akamai, a company with a global Internet presence and visibility, said it saw a dip in traffic levels from Liberia. Akamai tweeted a graphic Thursday evening that indicated traffic to Liberia was lower than normal as compared to traffic patterns from previous days this week. But there was nothing to indicate a nationwide outage, and the dip in traffic may just as well have to do with the fact that the first Thursday of November in Liberia is Thanksgiving, a public holiday there.

“Neither @dynresearch nor @akamai_soti have data supporting the assertion that Liberia suffered a national outage,” tweeted Dyn’s Doug Madory.

To recap: Did a Mirai botnet attack an infrastructure provider in Liberia? No question. Is the IoT problem bad enough that we have to worry about entire countries being knocked offline? Quite possibly. Was there an outage that knocked the country of Liberia offline this week? I have yet to see the evidence to support that claim.

Way back in the last millennium when I was a lowly copy aide at The Washington Post, I pitched the Metro Section editor on an idea for new column: “And the Good News Is…” The editor laughed me out of her office. But I still think it’s a decent idea — particularly in the context of cybersecurity — to periodically highlight the good news when people allegedly responsible for spewing so much badness online are made to face justice.

In the United Kingdom this week, 14 people were arrested on suspicion of laundering at least £11 million (~USD $13.7M) on behalf of thieves who stole the money using sophisticated banking Trojans like Dridex and Dyre. A statement issued by the U.K.’s National Crime Agency (NCA) said 13 men and a woman, aged between 23 and 52, were arrested in the roundup, including a number of foreign nationals.

The NCA warned in a report released this year that cybercrime had overtaken traditional crime in the United Kingdom. According to the U.K.’s Office of National Statistics, there were 2.46 million cyber incidents and 2.11 million victims of cybercrime in the U.K. in 2015.

Also in the U.K., 19-year-old Adam Mudd pleaded guilty to operating and profiting from Titanium Stresser, an attack-for-hire or “booter” service that could be hired to knock Web sites offline. When U.K. authorities arrested Mudd at his home last year, they found detailed records of the attack service’s customers and victims, which included evidence of more than 1.7 million attacks. Prosecutors say Mudd launched the service when he was 15 years old.

As I noted in this 2014 story, the source code for Titanium Stresser was later used by miscreants with the Lizard Squad hacking group to power their Lizard Stresser attack service. Happily, two other 19-year-olds were arrested earlier this month and accused of operating the Lizard Stresser attack service. It’s nice to see authorities here and abroad sending a message that operating booter service can land you in jail, full stop.

Back stateside, a Florida man has pleaded guilty to hacking and spamming the world with ads for online pharmacies and other businesses eager to buy dodgy customer leads. Timothy Livingston, 31, acknowledged that he and his company — aptly named “A Whole Lot of Nothing LLC” — earned more than $1.3 million using countless hacked email accounts and huge collections of compromised computers to relay the junk missives.

Livingston could hardly be a better caricature of the typical spammer. Living in Florida (Boca Raton) and lavishly spending his ill-gotten gains on a flashy lifestyle. As part of his plea, Livingston agreed to forfeit $1,346,442, as well as a 2009 Cadillac Escalade and a 2006 Ferrari F430 Spider.