CraginS
Defender I

Dumping Kiddie Pr0n on a Victim

Interesting story - 

New York Times columnist says someone is using his IP address to download kiddie pr0n.

 

NYT's Paul Krugman Says Hacker Downloaded 'Child Pornography' Using His IP Address
By Caleb Ecarma, Jan 8th, 2020, 4:01 pm, Mediaite.

 

OK, if real, that could be a very serious attack vector on a victim, given the international cooperation of law enforcement to shut down that category of illegal content, and the harsh punishment given those who are convicted.

 

So, how might this work?

First, the attacker has to discover the victim's IP address. Maybe from an e-mail header?

Once the IP address is known, send a GET command or an ftp command to the illicit server, spoofing the source IP address.

If successful, that should send the requested content to the target box.

 

So, how did Krugman find out it is happening, causing him to contact his ISP?

 

Maybe seeing unsolicited files arriving, and being shocked when he opened one?

 

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts
7 Replies
DHerrmann
Contributor II

Very troubling.   This is the worst type of crime and immorality.

 

 

CraginS
Defender I


@DHerrmann wrote:

Very troubling.   This is the worst type of crime and immorality.


But reporting on this item shows that there is a bit of skepticism about whether Krugman is telling an accurate tale. The twitterers, in particular, have been less than sympathetic to him.

 

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
piperlester
Newcomer II

Terrifying to be certain.  This is an excellent (terrible?) example of why guest wireless needs to be heavily controlled and keys frequently cycled, both in corporate and home settings.

 

Another possibility is a VPN service that is essentially acting like a P2P exit node for other VPN users. https://www.pcworld.com/article/2928340/ultra-popular-hola-vpn-extension-sold-your-bandwidth-for-use...

 

This is one example of a VPN doing something shady, but it isn't a stretch to think of other providers doing similar things.  In this way, a provider wouldn't necessarily need a large bandwidth pool to serve all its users, it would simply use all the other customers to randomize traffic (i.e. per-flow load balancing).  This is arguably a more terrifying possibility, as you are expecting privacy from the provider, but depending on how it is implemented, you may not receive this privacy and in fact end up suspected of such activities based on connecting through an IP that has had suspicious traffic on it.

 

I think the key takeaway here is there will be much more to this story than has been shared (or discovered), and there is perhaps more this individual could be doing to protect themselves.

Fenix
Newcomer II

I don't believe him. The IP address doesn't belong to him. It could be his one day, yours the next and mine the day after. Even if he did have a static IP address, it could easily be changed by the ISP.
But let's entertain the notion that said IP address which was/is associated to him was downloading CP. IF the police came knocking at his door, what would they find? Nothing. Since the download was done by an outside actor and not him.
The FTP method is very questionable if it would work. There are assumptions on many levels, first that his FTP ports are open, he is running sw which would allow him to receive said CP.
There's probably a dozen other factors which I could think of why this can't happen.
rslade
Influencer II

> Fenix (Newcomer II) posted a new reply in Tech Talk on 01-09-2020 09:14 AM in

> I don't believe him. The IP address doesn't belong to him. It could be his one
> day, yours the next and mine the day after.

Depends. Needs more investigation. I'm on DHCP, and my "lease" has been
remarkably stable (per the actual IP address) over the years.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
If everyone demanded peace instead of another television set,
then there'd be peace. - John Lennon
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
CraginS
Defender I

Well, some wisdom and experience is finally getting to the top. NY Times has an article that gives a much better picture.

 

Apparently Krugman did not find pr0n on his computer, nor was he covering up for someone discovering pr0n on it.

He was reacting to a phishing phone call or email!

He fell for it and got burned.

 

Here is the NYT story:

Nobel laureate Paul Krugman said he likely fell for a phishing scam. Here's how phishing scams work ...
Aaron Holmes Jan 9, 2020, 9:56 AM

 

For added fun, here is an arstechnica take on the story:

Paul Krugman’s no good, very bad Internet day
Claims "security team" told him his IP address was downloading child pr0n, got blockchain spam.

SEAN GALLAGHER - 1/9/2020, 10:19 AM

 

Poor Paul was apparently taken for a ride. 

 

Well, being smart enough for a Pulitzer does not mean you are immune from con games and scammers.

Plus, his analytical skills may fail him once in a while. After all, check what his predictions for the US economy were in late 2016 and early 2017. That didn't work out, either.

 

Dangit, the forum nanny-wordprocessor caught me using the real word for pr0n again!

 

Craig

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
MikeGlassman
Contributor II


@CraginS wrote:

Well, some wisdom and experience is finally getting to the top. NY Times has an article that gives a much better picture.

 

Apparently Krugman did not find pr0n on his computer, nor was he covering up for someone discovering pr0n on it.

He was reacting to a phishing phone call or email!

He fell for it and got burned.

 

Here is the NYT story:

Nobel laureate Paul Krugman said he likely fell for a phishing scam. Here's how phishing scams work ...
Aaron Holmes Jan 9, 2020, 9:56 AM

 

For added fun, here is an arstechnica take on the story:

Paul Krugman’s no good, very bad Internet day
Claims "security team" told him his IP address was downloading child pr0n, got blockchain spam.

SEAN GALLAGHER - 1/9/2020, 10:19 AM

 

Poor Paul was apparently taken for a ride. 

 

Well, being smart enough for a Pulitzer does not mean you are immune from con games and scammers.

Plus, his analytical skills may fail him once in a while. After all, check what his predictions for the US economy were in late 2016 and early 2017. That didn't work out, either.

 

Dangit, the forum nanny-wordprocessor caught me using the real word for pr0n again!

 

Craig


I was going to write that this is exactly what happened to several seniors and workers in our organization.

 

It is very easy to dump material onto your computer without your knowledge if you click on a link in an email. You have absolutely no idea what is happening behind the scenes, as you don't usually when intelligent styled malicious code is downloaded to your computer as well (unless of course you are a tech savvy person who has more protection software than normal on your computer, and even then...).

 

It doesn't have to be a link in an email as well, it can be a web site you visit that has malicious code installed in an ad window or the site itself. These are simple and do not need your IP address (although that's easy to steal unless you are using a proxy).

 

Smart does not mean immune to stupidity.

Sincerely,

Mike Glassman, CISSP
Iguana man