Connect with us


Hacker stole unreleased music and then tried to frame someone else



Image: Anthony Roberts

US authorities charged a Texas man this week for hacking into the cloud accounts of two music companies and the social media account of a high-profile music producer, from where he stole unreleased songs that he later published online for free on public internet forums.

When the man realized he could be caught, he contacted one of the hacked companies and tried to pin the blame on another individual.

Hacks targeted cloud accounts for music labels

According to court documents published on Monday by the Department of Justice, the suspect is a 27-year-old named Christian Erazo, from Austin, Texas.

US authorities say that Erazo worked with three other co-conspirators on a series of hacks that took place between late 2016 and April 2017.

The group’s primary targets were two music management companies, one located in New York, and the second in Los Angeles.

According to investigators, the four hackers obtained and used employee credentials to access the companies’ cloud storage accounts, from where they downloaded more than 100 unreleased music songs.

Most of the data came from the New York-based music label, from where the Erazo and co-conspirators stole more than 50 GBs of music. Erazo’s indictment claims the group accessed the company’s cloud storage account more than 2,300 times across several months.

Hackers also went after producers and artists

Erazo also allegedly hacked the “microblogging and social networking” account (very likely Twitter) of an LA-based musician and producer.

The suspect used the access to this hacked account to send private messages to other producers and music artists, asking them to send unreleased songs to an email address under Erazo’s control, investigators said.

Songs gathered through this scheme were later also leaked online on internet forums, damaging the producer’s reputation.

The attempted cover-up

US officials said that Erazo began discussing with his co-conspirators in December 2016 about the idea of pinning the hacks on someone else — referred in the indictment only as “Individual-1.”

The group went ahead with their plan on January 8, when one of the co-conspirators emailed the NY-based music label stating that Individual-1 had gained access to their cloud data and was currently selling their songs online for $300 per track.

The music label contacted authorities, and when Erazo and a co-conspirator called the music label ten days later on January 18, they talked on the phone with an undercover FBI agent posing as the label’s security staff.

Investigators say that during this conversation and later emails, Erazo and friends posed as do-gooders trying to help to company and its music artists.

According to statements quoted in the indictment, Erazo said he was “doing this for the love of the artists” and claiming they want no harm done to the producer — who, they were still actively hacking at the time.

US authorities said that Erazo offered to help the music company in its investigation into Individual-1.

“I’m happy to help out if you need any of the info or anything I could dig up for you guys just let me know and I’m more than happy to help you guys out with this,” Erazo was quoted in the indictment as saying.

“Yeah and another thing to why we are going to you guys is we just hate this fucking [person]. Bottom line. We aren’t even going to beat around the bush,” Erazo also allegedly said, also offering to play a double agent if the music company asked.

In addition, Erazo urged the music label to take legal action against this person, and also advised the company about improving the security of its cloud storage account.

A week after contacting the NY music company, investigators said that Erazo sent on online message to one of his co-conspirators saying that “this is the perf[ect] cover up.”

Charges and sentence

However, Erazo’s plans didn’t work. He was charged in a New York court on Monday under three counts.

Charges include one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years; one count of conspiracy to commit computer intrusion, which carries a maximum sentence of five years; and one count of aggravated identity theft, which carries a mandatory minimum term of imprisonment of two years.

News of Erazo’s arrest comes after in mid-September UK police arrested two teens — one in London and one in Ipswich — for similar charges of stealing data from music artists. It is unclear if the two cases are related, however, the two UK teens were accused of selling the tracks online, rather than releasing them on forums.

Erazo’s case is not related to the Radiohead incident from March 2019 when a hacker gained access to unreleased Radiohead music and tried to extort the band for $150,000. In response to the ransom attempt, the band published the music on a Bandcamp account ahead of its planned release.

This is by no means the first incident of its kind, and hacks like these have been happening for years. For example, in 2012, hackers stole and published more than 50,000 songs from Sony Music, including unreleased Michael Jackson songs.

Source link

Continue Reading


The Five Pillars of (Azure) Cloud-based Application Security



This 1-hour webinar from GigaOm brings together experts in Azure cloud application migration and security, featuring GigaOm analyst Jon Collins and special guests from Fortinet, Director of Product Marketing for Public Cloud, Daniel Schrader, and Global Director of Public Cloud Architecture and Engineering, Aidan Walden.

These interesting times have accelerated the drive towards digital transformation, application rationalization, and migration to cloud-based architectures. Enterprise organizations are looking to increase efficiency, but without impacting performance or increasing risk, either from infrastructure resilience or end-user behaviors.

Success requires a combination of best practice and appropriate use of technology, depending on where the organization is on its cloud journey. Elements such as zero-trust access and security-driven networking need to be deployed in parallel with security-first operations, breach prevention and response.

If you are looking to migrate applications to the cloud and want to be sure your approach maximizes delivery whilst minimizing risk, this webinar is for you.

Continue Reading


Data Management and Secure Data Storage for the Enterprise



This free 1-hour webinar from GigaOm Research brings together experts in data management and security, featuring GigaOm Analyst Enrico Signoretti and special guest from RackTop Systems, Jonathan Halstuch. The discussion will focus on data storage and how to protect data against cyberattacks.

Most of the recent news coverage and analysis of cyberattacks focus on hackers getting access and control of critical systems. Yet rarely is it mentioned that the most valuable asset for the organizations under attack is the data contained in these systems.

In this webinar, you will learn about the risks and costs of a poor data security management approach, and how to improve your data storage to prevent and mitigate the consequences of a compromised infrastructure.

Continue Reading


CISO Podcast: Talking Anti-Phishing Solutions



Simon Gibson earlier this year published the report, “GigaOm Radar for Phishing Prevention and Detection,” which assessed more than a dozen security solutions focused on detecting and mitigating email-borne threats and vulnerabilities. As Gibson noted in his report, email remains a prime vector for attack, reflecting the strategic role it plays in corporate communications.

Earlier this week, Gibson’s report was a featured topic of discussions on David Spark’s popular CISO Security Vendor Relationship Podcast. In it, Spark interviewed a pair of chief information security officers—Mike Johnson, CISO for SalesForce, and James Dolph, CISO for Guidewire Software—to get their take on the role of anti-phishing solutions.

“I want to first give GigaOm some credit here for really pointing out the need to decide what to do with detections,” Johnson said when asked for his thoughts about selecting an anti-phishing tool. “I think a lot of companies charge into a solution for anti-phishing without thinking about what they are going to do when the thing triggers.”

As Johnson noted, the needs and vulnerabilities of a large organization aligned on Microsoft 365 are very different from those of a smaller outfit working with GSuite. A malicious Excel macro-laden file, for example, poses a credible threat to a Microsoft shop and therefore argues for a detonation solution to detect and neutralize malicious payloads before they can spread and morph. On the other hand, a smaller company is more exposed to business email compromise (BEC) attacks, since spending authority is often spread among many employees in these businesses.

Gibson’s radar report describes both in-line and out-of-band solutions, but Johnson said cloud-aligned infrastructures argue against traditional in-line schemes.

“If you put an in-line solution in front of [Microsoft] 365 or in front of GSuite, you are likely decreasing your reliability, because you’ve now introduced this single point of failure. Google and Microsoft have this massive amount of reliability that is built in,” Johnson said.

So how should IT decision makers go about selecting an anti-phishing solution? Dolph answered that question with a series of questions of his own:

“Does it nail the basics? Does it fit with the technologies we have in place? And then secondarily, is it reliable, is it tunable, is it manageable?” he asked. “Because it can add a lot overhead, especially if you have a small team if these tools are really disruptive to the email flow.”

Dolph concluded by noting that it’s important for solutions to provide insight that can help organizations target their protections, as well as support both training and awareness around threats. Finally, he urged organizations to consider how they can measure the effectiveness of solutions.

“I may look at other solutions in the future and how do I compare those solutions to the benchmark of what we have in place?”

Listen to the Podcast: CISO Podcast

Continue Reading