Sponsored by..

Showing posts with label Crime. Show all posts
Showing posts with label Crime. Show all posts

Wednesday 4 February 2015

Infographic: Operation Yewtree vs Operation Fernbridge arrests

Two broadly equivalent investigations into child abuse rings, Operation Yewtree and Operation Fernbridge have had very different outcomes.

Yewtree has seen arrests of several high-profile people involved in the media, the majority of whom have not been found guilty of anything. But the rumoured suspects in Fernbridge include politicians, civil servants, judges and leaders of industry as well as a pop star or two. Why are the current outcomes looking so different?

(an earlier version of this infographic was published in July 2014)

Friday 27 June 2014

Vladimir Tsastsin sentenced to 6 years, 4 months in jail

A search of the office of Vladimir Tšaštšini
Photo: Jassu Hertsmann
Source: DELFI.ee
Sometimes the wheels of justice work very slowly. Back in 2011 I mentioned that Vladimir Tsastsin had been arrested in Estonia - the kingpin of EstHost, EstDomain and Rove Digital among other criminal enterprises, Tsastsin and his accomplices were responsible for a great deal of illegal activity in the past decade.

In this case a Court of Appeal in Estonia handed down a prison sentence of 6 years 4 months to Vladimir Tsastsin, and his accomplices were jailed from ranges of 1 year 10 months to 3 years 10 months or fined up to €100,000.

A full report of the sentences can be found here (in Estonian) or autotranslated below:

The circuit court sentenced Vladimir küberkurijategija Tšaštšini more than six years in prison


www.DELFI.ee
June 26, 2014 16:38
                    

The District Court sentenced today Tšaštšini Vladimir and his associates guilty of large scale money laundering activities of criminal association.

The Court of Appeal overturned the decision today, Harju County Court judgment of 20 December 2013, was sentenced to Vladimir Tšaštšin, Valentina Tšaštšina, Timur Gerassimenko, Dmitri Egorov, Konstantin Poltev, Oak Development LLC, Credit Union Ltd., IT Consulting, LLC and Infradata Novatech Ltd, and the case acquitted new decision, which ordered all parties guilty of large scale money laundering activities of criminal association.

Dmitri Egorov, Konstantin Poltev Novatech Ltd, and was convicted of a criminal offense as facilitators. Vladimir Tšaštšin was convicted in a criminal organization, the organization and management.

Do not subject to being sentenced to the penalty of Vladimir Tšaštšinile 6 years and 4 months and 6 days in prison.

Valentina Tšaštšinale sentenced to 3 years 10 months in prison, Timur Gerassimenkole 1 year, 10 months and 9 days, Dmitri Jegorov 1 year and 8 days, Konstantin Poltevile two years and eight days in prison.

Oak Development LLC, was sentenced to a financial penalty of 100,000 euros, Credit Union Ltd. for 60,000 euros, Infradata OÜ 40,000 euros, IT Consulting for 20,000 euros and Novatech LLC for 20,000 euros. Also convicted were confiscated criminal assets.

The indictment accused Parties Act to the greatest extent in money laundering and criminal organization.

The District Court denied the position of the county in which the county court held that the predicate offense, or computer crimes are not shown because there is no final judicial decision in this regard.

The District Court found that the purpose is not a final judicial decision is required, it is sufficient if there is evidence that a predicate offense has been committed. Proved the predicate offenses being committed U.S. indictment and other evidence gathered in the matter.

The Court of Appeal found that there was no malicious software downloads computer users to consent because there is no evidence that computer users have agreed to the installation of malware on their computer, and the relevant provisions of the amendment.

It also disagreed with the district court of the county's position that the prosecution has violated the principle of prohibition of double punishment because the parties have been charged in the money laundering and criminal organization, but the U.S. indictment accused the parties of computer crimes. Thus, making various allegations.

The decision can be challenged in the Supreme Court within 30 days, said a spokesman for the Tallinn Administrative Court and the District Court.

Monday 5 August 2013

Torsploit: is 65.222.202.53 the NSA?

There has been a lot of chatter in the past day or so about the takedown of an Irish outfit called Freedom Hosting which hosted a number of "hidden services" on Tor, ranging from Tormail (which allows anonymous email communication) to.. well, Really Bad Stuff that you don't want to know about. Basically.. Law Enforcement (LE) appear to have discovered the real-world location of these servers on the other side of Tor and have busted the alleged operator.

What gets interesting is that some of these Tor services were infected with an injection script that attempted to reveal the real IP address of the the visitor through a security flaw in the version of Firefox in the Tor Bundle. There's an interesting analysis of the script here and the long and the short of it is that the injected code attempt to call back to 65.222.202.53, in order to track the Tor users involved.

So.. who is 65.222.202.53? Well, it seems to be a Verizon Business IP (part of a "ghost block" of 65.222.202.48/29) in the Washington DC area. You know.. the home of several government agencies or branches thereof. But now the Internet is awash with rumours that this IP address belongs to the NSA. But what evidence is there?

A lot of the fuss seems to have happened because of this tweet from Baneki Privacy Labs.

What Baneki are saying is that the whole 65.222.202.0/24 block (the "C block" in classful parlance) is owned by a government contractor called SAIC (apparently not the SAIC who own MG Motors!) and that SAIC are connected to the DoD. Although SAIC are certainly a military contractor, the error that they are making is to believe the report from DomainTools which appears to be misinterpreting the allocations in that particular block.


So, does SAIC (listed here as SCIENCE APPLICATIONS INT) own the whole /24? No. Verizon has simply allocated the first /28 in that block to SAIC, and it appears the DomainTools is misinterpreting that data.

NetRange:       65.222.202.0 - 65.222.202.15
CIDR:           65.222.202.0/28
OriginAS:   
NetName:        UU-65-222-202-D4
NetHandle:      NET-65-222-202-0-1
Parent:         NET-65-192-0-0-1
NetType:        Reassigned
Comment:        Addresses within this block are non-portable.
RegDate:        2006-09-14
Updated:        2006-09-14
Ref:            http://whois.arin.net/rest/net/NET-65-222-202-0-1

CustName:       SCIENCE APPLICATIONS INT
Address:        47332 EAGAN MCALLISTER LN
Address:        RM 1112 1st fl
City:           LEXINGTON PARK
StateProv:      MD
PostalCode:     20653-2461
Country:        US
RegDate:        2006-09-14
Updated:        2011-03-19
Ref:            http://whois.arin.net/rest/customer/C01446299


Other suballocations is that block do include government agencies, but just a couple of IPs away from the mystery IP is 65.222.202.56/29 which belongs to an industrial supply company called Universal Machines. Whoever uses 65.222.202.53 is very likely to be a corporate or government entity, but really that's pretty much all you can tell from the Verizon Business IP. DomainTools is great but as with any automated tool.. sometimes you need to double-check what it reports back.

But then Baneki make another claim.. that obviously 65.222.202.53 belongs to the NSA, because the NSA controls the entire 65.192.0.0/11 range (65.192.0.1 to 65.223.255.254) which is about 2 million IPs.
 This is what they were referring to:

Umm, well.. no. That's just another block allocated to Verizon Business. You may as well argue that everything in 0.0.0.0/0 belongs to the NSA on the same principle. Actually.. maybe it does, but that's another matter entirely. Again.. Robtex is a great tool but you sometimes need to sanity-check the output.

It may surprise you to learn that law enforcement officers and intelligence agencies are not normally complete fucking idiots when it comes to guarding their IP addresses. They do not (for example) sign up to Silk Road with their @fbi.gov email addresses or poke around the underweb from an NSA IP address range. Well, not normally..

I am not saying that the injection wasn't the work of the NSA. Or the CIA, FBI, DOD, IRS or another other Alphabet Soup Agency. But let's see some real evidence first, eh?

UPDATE: I had a closer look at the users of the /24 here. It's a mix of businesses and government organisations and contractors, not surprising given the physical location of the /24.

Sunday 12 April 2009

"Body parts" murder II

The gruesome body parts murder has a new installment with the discovery of a fifth body part, quite near to some of the others. You can see a the distribution of finds on Google Maps.

This adds another element to the data set. The route between points "A" and "B" is curious and uses a lot of back roads, if that IS the route. Clearly these grisly finds have a pattern, but can they be traced back to the origin?

Thursday 9 April 2009

"Body parts" murder

One mystery gripping this part of the UK is the mysterious "body parts" murder, where part of a dismembered victim have been left near the roadside in several locations: Wheathampstead, Puckeridge and Cottered in Hertfordshire and the head was dumped in Asfordby, Leicestershire.

Given that the Puckeridge part was reportedly left by the northbound carriageway, that gives a clue as the the direction that the "dumper" was travelling. And making an assumption that the head was the last part to be dumped because it was the furthest away from the others, then you can take these four data points and plot them into Google Maps.

You can see more here. Of course, speculation is just that, but if does appear that the dumper did a loop around Hertfordshire perhaps near the A414, A10, A507 and then drove up the A1 for about an hour before turning off. Yes, there's a technology aspect here - a tool like Google Maps makes it very easy to visualise this sort of data.

OK, this is all pretty gruesome and don't forget that someone has lost their life. But there's a grim fascination as to where the next discovery will be. Will that fit into the pattern?