Thursday 27 June 2013

South Korea and US government hacks blamed on DarkSeoul group

The DarkSeoul hacker group is responsible for at least one of the recent attacks on the South Korean government, according to security firm Symantec.
Symantec researchers said initial analysis of the attacks and the malware used proved the DarkSeoul hackers were involved in the recent attacks on South Korea. "While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks observed yesterday against South Korean government websites can be directly linked to the DarkSeoul gang and Trojan.Castov," Symantec said.
The firm said the research also linked the team to several attacks on both South Korea and the US government. "We can now attribute multiple previous high-profile attacks to the DarkSeoul gang over the last four years against South Korea, in addition to yesterday's attack," it noted. "They previously conducted DDoS and wiping attacks on the US Independence Day as well."
The group's involvement in attacks on the US is expected to have political consequences, with many security researchers believing DarkSeoul is working for the North Korean government. If true, this is troubling as in the past the US government has indicated it would react to cyber attacks on its networks the same way it would real world acts of war. At the time of publishing, the US Department of Defense and White House had not responded to V3's request for comment on Symantec's research.
Symantec confirmed while there is some evidence to suggest the DarkSeoul group is state sponsored, it is still too early to definitively know if the group is operating at the behest of the North Korean government.
"The attacks conducted by the DarkSeoul gang have required intelligence and coordination, and in some cases have demonstrated technical sophistication. While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea," wrote Symantec.
Symantec researchers said even if DarkSeoul is not working for North Korea, the group is in possession of several sophisticated attack tools and resources. The security firm warned businesses to expect and prepare for further attacks from the group.
"Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cyber sabotage on organisations in South Korea," the firm said.
"Cyber sabotage attacks on a national scale have been rare - Stuxnet and Shamoon (W32.Disttrack) are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years."
Hacks in Korea have been occurring since the anniversary of the war between the two nations, with details on 40,000 troops leaked earlier this week.

Qantas becomes latest lure for Andromeda malware

Australian airline Qantas has been spoofed by malware operators connected to the Andromeda malware botnet.
Researchers with security firm Trustwave have spotted a series of spam messages claiming to be booking receipts from the airline. The messages inform the user that a flight reservation has been made and a receipt is attached.
Upon attempting to open the file and view the supposed receipt information, the attachment activates and attempts to download a number of additional malware payloads on the infected system. Among the applications downloaded is a command and control tool which is connected to the Andromeda infection.
Originally discovered in 2011, Andromeda has seen a resurgence in recent weeks as a series of spam campaigns have been connected to the infection.
“Cybercriminals have been actively spamming out Andromeda loaders for the past year. The spam themes vary from flight, courier, tax, hotel, payroll, invoice, social media and among others,” Trustwave said in its report.
“Most of the time the spam campaigns are very legitimate looking. It may be hard to spot whether it’s a malicious email.”
Andromeda is one of a growing number of botnets which has relied on misleading spam messages to infect users. Often posing as official notices from large companies or government agencies, the spam messages often threaten penalty or account loss if users don't open the attached payload or follow a link to an attack site.
Experts advise users to be wary of any claimed official notices or notifications that arrive as unsolicited emails. Users who are unsure about the nature of a notice are advised not to open attachments or links and instead contact a customer service representative.

Obama: I’m Not Going To Be Scrambling Jets To Get A 29-Year-Old Hacker

President Obama said Thursday he has not gotten personally involved in the case of Ed Snowden, because he expects other countries to "abide by international law" and not provide harbor to a fugitive. At the same time, he indicated he does not plan to go to extraordinary lengths to capture the NSA leaker, saying: "No, I'm not going to be scrambling jets to get a 29-year-old hacker."
As Republican lawmakers urge Obama to get tough with Russia as it denies extradition requests, Obama said he has not directly spoken with Russia's Vladimir Putin or Chinese President Xi Jinping. He flashed some annoyance as he declared he has not called either leader because "I shouldn't have to."
He noted that the U.S. does "a whole lot of business" with both countries, and said he doesn't want to be in a position where he's "wheeling and dealing and trading" just to "get a guy extradited."
The president suggested this should have been a routine bit of business for either leader, so he decided not to get personally involved.
Obama walked a fine line on the question about Snowden, addressed during a press conference in Senegal at the start of his trip to Africa. He said he "continues to be concerned about the other documents" Snowden has, but he suggested the media has hyped the story.
"I'm sure it will be a made-for-TV movie down the road," Obama said dismissively about the Snowden case.
He said the bulk of the damage has been done by the initial leak. He said the matter of trying to secure his arrest will be dealt with through the normal legal channels.
"This is something that routinely is dealt with between law enforcement officials in various countries," he said.

Social media dangers: Behead Those Who Disrespect Our Prophet

We were looking around on Facebook and one of the pages that caught our eye was the "Behead Those Who Disrespect Our Prophet P.B.U.H" page. These kinds of pages do nothing but cause misery and pain to the religion they are trying to "represent" via the internet.
The readers, the members of these pages, are people who have nothing else in mind than to bring chaos to the world of religion. Because it is not belief that they are trying to teach - it is the religion they are bringing forward.
These kinds of pages are the targets of Jihad recruiters that are trying to train armies to support their goals.

The page already has 222 likes and the number keeps rising as people start to share the pictures that are posted on the Facebook page. The discussions that are being started there can be seen all over the internet - it looks like people don't understand that discussions about religion on the internet will always result in an internet fight - sometimes it escalates to your front door.

Protesting can be done in peaceful ways - also when you are angered by someone who is disrespecting you or your beliefs.
You don't kill someone because the person decided not to respect your beliefs.

The Facebook page has this picture as their "Logo" but why did they choose to name their page "Behead Those Who Disrespect Our Prophet  P.B.U.H." then? It is not a message that you send out when you are protesting.

Edward Snowden poses trade risks for Ecuador


At a flower farm around 19 miles outside Quito, sales manager Juan Pablo Ponce shows off both the produce and logistics required to package bouquets, 80% of which are exported to the United States.
"We try to keep on working hard, doing what we do best," says Ponce, who has worked at the Valleflor site for seven years. "That's all we can do."
While Ecuador's government makes its decision on whether to grant U.S. fugitive whistleblower Edward Snowden asylum, colleagues of Ponce here who export flowers to the U.S. are concerned that fallout from the political decision may harm their business, especially with the Andean Trade Promotion and Drug Eradication Act (ATPDEA) pact up for renewal next month.
Senator Robert Menendez, head of the Senate Foreign Relations Committee, promised Wednesday that he would block renewal of the pact should Snowden be granted asylum.
"Our government will not reward countries for bad behavior," he said in a statement, following other lawmakers who have spent years saying that the pact should be allowed to lapse, partly down to the country's links with Iran.
Ecuador's President Rafael Correa has lambasted the threats as "blackmail." He must balance the anti-American plank of his government, allied with former Venezuelan President Hugo Chávez, with trade deals that have boosted the country's oil-fueled economy.
The ATPDEA agreement was initially signed by President George H.W. Bush in December 1991, allowing the countries involved to sell goods to the U.S. without paying import duties. It was designed to boost trade between the U.S. and Bolivia, Colombia, Ecuador and Peru.
The idea was to incentivize alternatives to cocaine production here. Colombia and Peru now have their own free trade agreements with the U.S. while Bolivia was kicked out in 2008. The U.S. said that it had failed to "cooperate with U.S. counternarcotics efforts."
More than 50% of Ecuador's exports go to the U.S., according to Cristian Espinosa, executive director of the Quito-based Ecuadorian-American Chamber of Commerce.
"The U.S. is our main trading partner," said Espinosa. "We've been trying for years to make this relationship richer and deeper. When we see political events that might hinder our work, we of course are … concerned. We hope that these political events do not affect trade because both countries benefit a lot from bilateral trade."
Espinosa urged Correa to understand that a political decision, such as one on Snowden, could impact his own sector as well as business in Ecuador more generally.
The main export product is oil, $5.4 billion worth of which was exported to the U.S. last year under the terms of the pact.
While Ecuador will not struggle to find other buyers for its oil, the $166 million it sold to the U.S. in cut flowers during the same period may suffer. Fruits, vegetables and tuna are also covered by the agreement. In total, the exports were worth $9.5 billion last year, according to the U.S. government.
"U.S.-Ecuador relations are not in great shape today but would deteriorate even more should Ecuador grant Snowden asylum," said Michael Shifter, president of the Washington-based Inter-American Dialogue thinktank. "Ecuador's economy would feel the hit, especially the flower sector."
Around a quarter of a million people depend on the sector, with 100,000 directly employed by it. Some 280 of them work with Ponce on his farm outside Quito.
Correa has long followed in the footsteps of the Castros in Cuba and the late Hugo Chávez in Venezuela as a harsh critic and adversary of Washington.
Riordan Roett, director of the Latin American Studies Program at Johns Hopkins University in Washington, said that should Correa allow Snowden asylum, he would be "destroying trade options for the Ecuadorian people for the sake of his own ego."
Ecuador's policy toward the U.S. has been unpredictable at times.
In 2009, Ecuador shut down the U.S.' Manta military base, on Ecuador's Pacific coast, and two years later, the U.S. ambassador was kicked out of Quito after a damaging WikiLeaks cable. Washington retaliated, though ambassadorial-level links were re-established in May 2012.
At the same time, Ecuador has worked hard to maintain the trade accord up for renewal next month. The Ecuadorian embassy in Washington set up the "Keep Trade Going" campaign, featuring testimonials from companies which have benefited from duty-free trade with Ecuador.
"A duty on Ecuadorian roses would effectively price Ecuadorian roses out of the United States marketplace," reads one from Royal Flowers.
Should the ATPDEA not be renewed at the end of next month, Ecuadorian authorities are hoping to fall back on the so-called Generalized System of Preferences, which allows for duty-free imports on certain goods by the U.S.
Correa and his advisers must calculate whether they will gain more political capital by taking in a U.S. fugitive — from leftist and anti-imperialist supporters — at the expense of Ecuador's economy.
"We're confident in a prudent decision by the Ecuadorian government," said Juan Reece, a leader at Expoflores, a trade body for the flower industry.

Facebook denies providing data to Turkish government

Facebook has denied having agreed to share data regarding postings on the Gezi Park protests with the Turkish government, as had previously been stated by Minister of Transport, Maritime Affairs and Communications Binali Yıldırım.
“Facebook has not provided user data to Turkish authorities in response to government requests relating to the protests,” the company said in a written statement today.
“More generally, we reject all government data requests from Turkish authorities and push them to formal legal channels unless it appears that there is an immediate threat to life or a child, which has been the case in only a small fraction of the requests we have received,” the statement added.
Yıldırım had said today that unlike Twitter, Facebook had responded “positively” to their request.
“Facebook has been working in coordination with the Turkish authorities for a long time. They have a unit in Turkey. We don’t have any problem with them. Twitter could also establish a similar structure. Otherwise, this is not sustainable,” Binali told reporters.
His statement had immediately caused a huge reaction among social media users, with some even calling to boycott the massive social network website.
Facebook also stressed that the draft bill on social media that would oblige companies to share data with authorities had also created uneasiness. It said company executives would raise the issue during a meeting with Turkish government representatives this week in the United States.
“We are concerned about legislative proposals that might purport to require Internet companies to provide user information to Turkish law enforcement authorities more frequently,” the statement said.
Facebook had reviewed the many comments of users prior to the official statement, Turkish media reported.

Russian financier Pavel Vrublevsky court case

Although no sentence has been pronounced in this case, which has already lasted a whole year, one of the defendants suspected of organizing the summer 2010 DDoS attack on the Russian payment system "Assist" has been arrested again for another 6 months. On June 5th, 2013, in a courtroom in Tushino, in the northeast of the capital, Russian financier Pavel Vrublevsky was taken into custody. Judge Natalia Lunina's decision to grant the petition of prosecutor Sergey Kotov, who asked to change the measure of restraint from a recognizance not to leave to arrest, indicates that the state prosecutor is planning to bring the case into the home straight.
The defendant has been arrested again even though no judgment has been delivered after a year of court hearings.
Is the case of Russian financier Pavel Vrublevsky reaching the finish line?
Psychological warning or a sign of coming conviction?
It took little to bring about such an unexpected turn in the case of Vrublevsky, Permyakov and the Artimovich brothers. Prosecution witness Nikita Yevseyev claimed that Vrublevsky, who called him by mobile telephone on April 29th and 30th, was trying to bribe and frighten him; as a result, prosecutor Kotov requested the arrest of the suspect. The absence of any convincing evidence that Vrublevsky tried to influence the witness was ignored by both the prosecutor and the judge.

Background

According to the investigation, Vrublevsky acted as the initiator of the DDoS attack, having passed its technical implementation to the former FSB employee Maxim Permyakov and the programmers Dmitry and Igor Artimovich. Vrublevsky's motive for the DDoS attack, according to the judicial investigation, was an attempt to expose the competing company "Assist" by showing its vulnerability and its inability to protect business partners from cyberattacks. From July 15th to July 24th, 2010, during the summer when the capital was literally filled with smoke from the peat bog fires near Moscow, the DDoS attack paralyzed Assist's business operations. At that time "Assist" was one of the companies providing electronic payments for the largest Russian airline, "Aeroflot", whose controlling stake belongs to the state. Representatives of "Assist" declared that the damage caused to the company equaled 15 million rubles (about $500,000). But "Aeroflot" estimated that its losses (more precisely, missed profit) reached 146 million rubles (a little less than 5 million dollars).
The prosecution's version would look more convincing if there were proof that "Aeroflot" planned to continue its business cooperation with "Assist". In fact, in July 2010, when "Aeroflot" held a tender to choose its payment solutions, "Assist" was not among the contestants. As "Aeroflot" expected to choose a payment services provider that could offer a unified scheme (processing) valid for all its management departments and structural divisions, the probability that "Assist" could keep the contract without participating in this tender is extremely small.
On the contrary, “Chronopay” participated in the tender, and it is impossible that its employees did not know that "Assist" was absent from the participants.
One year passed. Vrublevsky had an opportunity to leave the country for a holiday and never come back to Russia, but he behaved as if he did not realize the approaching danger. In July 2011, when he and his family, his wife and three underage children, were coming back from the Maldives, he was arrested at Sheremetyevo airport, to the north of Moscow.
Programmer Igor Artimovich, suspected of the technical implementation of the hacker attack, was released after two months in custody, but first he received the doubtful pleasure of the physical pressure that is commonly used by Russian investigative bodies. This young man in his thirties does not give the impression of a person with an athletic build and, moreover, does not look ready to bear physical pressure. A medical report attached to the case files, made by doctor Fedorov at the city medical aid station in Petersburg in the presence of two witnesses, proves that physical pressure was applied. His experience makes clear that one need not be the lawyer Magnitsky for the authorities to allow physical force to be applied to a suspect. On June 9th, 2011, after conducting a medical examination in office №6 of the Petersburg and Leningrad Regional Department of the FSB, Dr. Fedorov recorded that Artimovich had «bruised head in parietal-temporal area and scratches in his forearms» [1].
By autumn 2010 everyone had confessed (it should be noted that in March 2012 Igor Artimovich retracted the statements he had given earlier). By Russian standards, the existence of these statements was enough to identify the suspects and consider the case proven; therefore, the court would pronounce a fair sentence.
However, when hearings began in May 2011 it became clear that the prosecution's evidence had essential shortcomings and contradictions, and that the forensics were far from ideal; as a result, the proceedings have already lasted a whole year.
Journalists who are following developments in the case can find different explanations for the numerous contradictions and falsifications in it; however, to neglect their presence would be to oversimplify the situation.

What did the FSB declassify?

1 Case №678324, volume 2, pages 140, 141.

The main dispute between the lawyers and the public prosecution concerned the declassification of the materials on special investigation activities, made in May 2011. The defense noticed that the numbering of the declassified FSB documents that appeared during the investigation does not coincide with their initial record numbers. The numbers under which the documents appeared in the resolution on declassification did not coincide with their numbers in the resolution on their submission to the investigation and, in some cases, with the numbers under which the documents were attached to the case materials [2].
For example, inquiry №147/ОU/2-2063 became document №147/ОU/2-1500; №147/ОU/2-2317 was also found under №147/ОU/2-1503 and №147/ОU/2-1502; and inquiry №147/ОU/2/2164, concerning an e-wallet owned by one of the suspects, was listed as inquiry №147/ОU/2-1504 in one of the resolutions.
The lawyers counted 10 such discrepancies in total and «has drawn a conclusion that the materials appeared in Russian Investigatory Department of FSB that was attached to the materials of criminal case are OTHER documents, than those that have been declassified; therefore, those that have been declassified are absent in case materials» [3]. According to the lawyers' statement, the documents passed to the investigators by the special investigative unit «were not declassified in compliance with respect to the order established by the law; also there are no data on a source that originated and presented this information, dates of reception are also unknown».
Assuming that these documents were declassified in violation of the declassification rules, in January 2013 the lawyers petitioned to exclude these 10 inquiries, connected to special investigation activities against the suspects, from the criminal case [4]. The lawyers asked to exclude these documents from the evidence as it «was received with violation of criminal procedure legislation».
The main argument of lawyer Ajvar was that the decision of May 12th, 2011 regarding declassification of the materials from special investigation activities and the judgment made by the Moscow State Court on September 30th, 2010 regarding operational procedures «declassified and presented material to the Investigation Department of FSB with essential violations of the CPC RF: as the documents contained the state secret, [they] could not be declassified by the head of the unit which is carrying out special investigation activities». At the same time, article №13 «concerning the state secret» allows a resolution made by a judge to be declassified only on the basis of a judicial decision.
The lawyers were also concerned about how the dates were written. Instead of the figure specifying the calendar year in which the document should be dated, the authors of the inquiries wrote «present year», which makes it difficult to determine when the inquiries were actually made.
         
 
 
2 Case №678324, volume 7, pages 275, 276, 277.
3 Ibid, page 276.
4 Case №678324, volume 7, pages 323-reverse, 324.

Judging by the fact that the public prosecutor asked the court to pause the hearings to find out the reasons for these discrepancies, which led to the court session being postponed for 3 weeks, these contradictions were unexpected for the state prosecutor. This indicates that the prosecutor probably did not pay much attention to such details while studying the evidence.
The way the investigators dealt with classified documents can be called illegal and has created an almost comical situation. The screenshot showing access to the Topol-Mejler control panel turned out to be part of the confidential evidence: inquiry №147/ОU/2-1501 from May 12th, 2011. Yet before this inquiry was officially declassified, the same screenshot was published by journalist Brian Krebs [5].
The public prosecutor requested an explanation from the FSB. The official document dated 1/24/2013, №147/ОU/2-222, issued by the deputy chief of the Operations Control Center of Information Security of the FSB, Col. Zhestkov, stated that «after declassification of the materials of special investigation activities those documents were assigned with different serial number in respect to the original numbering of (before confidential) documents» [6]. This document had not even been sealed with a stamp.
It is unclear what happened to the initial (confidential) numbers. The lawyers themselves did not see the original documentation on the basis of which the declassified certificates were made. Meanwhile, Russian legislation allows the court to consider the results of special investigation activities (such as records of conversations and data obtained from communication channels) as evidence, but not documentation made on the basis of that evidence.
Nevertheless, Judge Lunina agreed with the public prosecutor's argument and rejected the lawyers' petition to exclude the 10 inquiries from the case materials.

Falsification of evidence

The lawyers also detected falsification of investigative documents. They managed to find out that the first deputy chief of the Operations Control Center of Information Security of the FSB, Lutikov, backdated letter №ОU/2/389/1-49, made on September 8, 2010 [7], in order to give «visibility of legitimacy for the actions conducted by employees of FSB RF and obtaining information on CD №5109№09250046318». Together with the letter, Lutikov was supposed to send this CD to the CEO of «Information Security Group» LLC.
 
 
5 http://krebsonsecurity.com/2012/06/who-is-the-festi-botmaster/
6 Case №678324, volume 7, page 311.
7 Case №678324, volume 1, pages 50-51.

From the 10th to the 27th of September 2010 the Group was engaged in examining the CD. These dates were specified in the conclusions written by the Group's employee [8]. However, the Moscow State Court authorized the special investigation activities that allegedly obtained this CD only on September 30th, 2010 [9] (authorization №ОРМ 558k/s/2010).
It appears that the CD was received without the official sanction of the court, and that Lutikov, an employee of the FSB Information Security Center, backdated the document, since on September 8, 2010 he could not have known that three weeks later, on September 30th, the Moscow State Court would authorize special investigation activities. Yet in this document, ostensibly made on the 8th of September, Lutikov precisely specified the number of the authorization issued by the Court on the 30th of September. The letter dated the 8th of September was therefore written after the 30th of September, and the date was intentionally specified incorrectly to give an appearance of legality to the investigators' actions.
This trick allowed the investigators to illegally legalize the “evidence”, CD №5101№09250046318 (originally numbered differently), and therefore permitted it to be taken as a basis for the charges.
When the lawyers found out about this falsification, on 5/13/2013 they asked the powerful Investigatory Committee to check the circumstances of the case thoroughly.

Debates around the examination conducted by the employee of Kaspersky Laboratory

One of the most significant documents among the evidence is the examination of files taken from one of the confiscated laptops, which belonged to one of the accused. This examination was conducted by Grigory Anufriev, a young expert at the well-known Kaspersky Laboratory, which makes anti-virus programs [10].
The expert from KL concluded that the source code obtained from the laptop of the accused includes all the program functions that presumably attacked the "Assist" server.
However, the lawyers questioned the choice of the Laboratory as the expert authority. The defense claimed that the Laboratory can be considered an interested party because KL cooperated with "Assist"; it is therefore possible that its judgment was affected by personal interest. Kaspersky Laboratory is also a commercial entity; as a result, its neutrality could be affected by commercial interests. The public prosecutor, as well as Judge Lunina, disagreed with this point of view, and the examination remained in the case files. Although the public prosecutor explained that Anufriev took part as an expert in a private capacity, the text of the examination bore the Laboratory's stamp.
 
 
8 Case №678324, volume 1, pages 52-61.
9 Case №678324, volume 1, page 103.
10 In Spring 2012 KL announced that company profit for the last 5 years reached 864% in European, Middle Eastern and African countries.




The lawyers were surprised that the examination was, in their opinion, short, and that no interim results or calculations were attached. Without any exaggeration, considering the huge volume of data the expert had to analyze, such brevity, as well as his statement that he could do certain calculations in his head, looked appropriate for a private discussion rather than for judicial hearings.
Independent experts approached by the lawyers with a request to analyze the Laboratory's examination found shortcomings, unlike the public prosecutor.
Russian legislation requires that an expert specify the technique used to conduct the research or examination. This requirement allows other experts to check the results by reproducing the experiment. Grigory Anufriev specified neither the technique he used nor any specialist references in which methods for similar examinations are developed and presented.
In particular, expert Igor Yurin, head [11] of the so-called «The National Centre for the fight against crimes in the sphere of high technologies», who appeared in court as an invited expert, insisted on a methodological mismatch between the Kaspersky Laboratory examination and the task set by the investigators. He stated that no expert examination can prove the harmfulness of any software, as the court is the only authority entitled to do so, and that there are no research techniques for the binary and source code of programs based on reading the Bible and disassembly in the mind.
In the courtroom, Yurin complained that while familiarizing himself with Anufriev's examination he was not sure whether this file had been investigated at all. Although Anufriev mentioned that the file was detected by Kaspersky's antivirus, he did not specify the file codes, and nothing was said about the presence or absence of overlay protection. According to Yurin, the Laboratory's examination did not show any code sections or any functional or other identifying features.
Speaking in court, Yurin compared the conclusions of Anufriev's examination with the document prepared for the investigators by GroupIB and found a contradiction. Judging by the hash that appears in the GroupIB experts' document, the investigated object is a so-called dropper: a type of program that does not itself have any particular destructive functions (such programs extract other files, place them on a hard drive, register them in the system and, finally, start them; that is all a dropper is capable of).

 
 
11 This structure is not a state body; the phrase “National Center” should therefore not be taken to mean that the center is part of the executive branch.

Expert Yurin made other remarks in the courtroom regarding Grigory Anufriev's examination:
- The experts from Group IB specified the hash value, identifying the exact data object (script - X) that was examined. By comparison, Anufriev's examination mentioned neither the hash, nor the file size, nor the last access time of the investigated file.
- The Laboratory's expert mixed things up when he stated that he used the disassembler IdaPro 6.0 released by “Datarescue”. It is important to note that version 6.0 was released by another company.
- Whoever released version 6.0, this program cannot precisely recreate the original source text of a program in a high-level language; it yields only a text in assembly language, except in the simplest cases, where the program consists of a few lines and a version close to the original can be obtained. The reason is that during compilation the names of variables, constants and functions are lost, and some instructions are replaced by equivalent ones for optimization; that is to say, the program undergoes significant changes.
For the public prosecutor, the judge and the lawyers, who are not familiar with programming and are not experts in this field of high technologies, such details were certainly difficult to assess. There is a risk that the court, weighing the examinations and the experts' statements, will draw conclusions based not so much on mathematical accuracy as on intuition and general impressions. Nevertheless, one of the comments expert Yurin made in the courtroom should have been understood in the same way by everyone: an expert who analyses the results can be tempted to make definitive conclusions, though it is known that «even if he/she is well qualified in this programming language, it does not mean that he/she can properly understand and identify the initial code of the program written in the same language. It is especially relevant to the projects where considerable quantity of experts participated. There is a possibility that in such cases the developer can be confused in understanding what is going on in the program».

Hearings in 2011:
The judge refuses to consider the case because of the poor quality of the indictment, but the higher-instance court cancels this decision.
The first attempt to hold a hearing was unsuccessful; then, on 6/13/2012, judge Olga Alnykina granted the petition of the lawyer Lyudmila Ajvar [12] and ruled that the criminal case was «to be returned to General Attorney of the Russian Federation [13] in order to eliminate the obstacles that prevent the following legal investigation» and «to oblige the General Attorney of the Russian Federation to eliminate violations». The judge justified her decision as follows: «indictment does not have significant foundation for the accusation: the ambiguity of primary attributes of law edition on the basis of which the charges were laid. The above-stated circumstances display the presence of obstacles / …/, that exclude possibility for the court to reach legitimate and justified verdict or reach other decision on the basis of the drawn conclusion» [14].

12 Ludmila Ayvar, together with her husband, lawyer Igor Trunov, leads the Bar Association “Trunov, Ayvar and partners”. Trunov is famous for representing the interests of clients who were held hostage by terrorists in the theater hall during the musical “Nord-Ost” and then suffered from the gas used by the security forces, which not only caused severe poisoning but also left some people chronically ill and caused the death of 130 people (according to the state authorities) or 174 people (according to the NGO "Nord-Ost", which brings together victims and their relatives).
As judge Alnykina explained, «the bill of particulars does not meet the requirements of paragraph 5 of Part 1 of Art. 220 Code of Criminal Procedure RF»: instead of setting out the evidence and clarifying what it indicates, the investigation unit «discloses [only] the list of evidence».
The judge rejected the indictment not only because it did not meet the requirements of the Criminal Procedure Code of Russia, but also because the inspectors, accusing all four suspects «in committing a crime under Part 2 of Art. 272 of the Criminal Code and Part 3. 33 [and] Part 1 of Art. 273 of the Criminal Code of the Russian Federation», referred, for some inexplicable reason, to Russian federal law №28-FЗ of March 8th, 2011, on the ratification of an agreement between the former Soviet republics of Azerbaijan, Kirghizia, Russia, Tajikistan, Turkmenia and Uzbekistan «which is dedicated to creation of the Central-Asian regional information coordination centre against illegal circulation of narcotics, psychotropic substances and their precursors». Having found the inappropriate reference, judge Alnykina specified that it «does not regulate changes in criminal and criminal-procedure legislation» in Russia.
Public prosecutor Kotov tried to convince the judge to refuse the lawyers' request, claiming that due to a "technical error" the charge had been brought under an improper edition of law №28-FЗ of March 7th, 2011, but his arguments were rejected. Later the public prosecutor repeatedly explained [16] various contradictions in the investigatory documents as «technical errors» and «the human factor». However, these explanations raise the question of what the court was faced with: a systemic defect of the Russian public prosecution body, which presumes that numerous errors in the evidence do not hinder a judicial investigation, or the low qualifications of the young inspectors of the Investigatory Department of the FSB.


 
 
13 Abbreviation «RF» instead of “Russian Federation” is used in Russia to simplify the grammar
14 Quote from case №678324, volume 7, page 47.
15 CCP – abbreviation for «Code of Criminal Procedure».
16 Ibid, page 46.
Nevertheless, the Judicial Board on criminal cases of the Moscow State Court, to which the public prosecutor addressed his protest, cancelled the decision of judge Alnykina and returned the case to Tushinsky Court for preliminary hearings [17].
Because the Russian judicial system cannot be considered independent by European standards, the higher a court stands in the judicial hierarchy, the more dependent its position. And while a district court decision can sometimes be unpredictable for the authorities and the public, surprises can hardly be expected from courts of higher instance. The decision reached by the Moscow State Court in August 2012 in this case confirms the rule.

The short chronicle of judicial hearings for the first half of the year 2013

The aim of the hearings that took place on May 29 and June 5 was to decide whether the punishment for Vrublevsky would be changed. The integrated witnesses, the authenticity of whose signatures was disputed by the expert graphologist, have become more active in recent months. At the same time, the litigation took a new and unexpected turn, thanks to a number of expert evaluations announced from March to May, as well as to the testimony of the experts questioned. During the proceedings between Aeroflot and the bank VTB 24, which carried out the financial transactions, the balance of forces began to change. In the first half of the year the court considered the financial damage that “Aeroflot” claims to have suffered as a result of the ddos-attack; at the beginning of April Aeroflot could not appeal against the decision of the Moscow Arbitration Court rejecting the airline's claim against VTB24, and as a result the charges against Vrublevsky and the Artimovich brothers could be questioned. Even if VTB enjoyed political support, the fact that the lawyers of “Aeroflot” could not prove the existence of financial damage casts doubt on whether Vrublevsky is guilty under paragraph 2 of Art. 272 CC, which requires considerable material (financial) damage.
Although the court turned a blind eye to the new amendments to Article 272 CC and left in place the accusation based on the old (no longer operative) version of the article of the Criminal Code, the lawyers still have an opportunity to have the charge requalified.
The defense, which invited several experts whose arguments showed all the ambiguity of the charges pressed against Vrublevsky and the inconsistency of all the examinations collected by the investigation department, was convincing enough.
17 Case №678324, volume 7, page 79.

In March the CEO of "The National Centre against crimes in the sphere of high technologies" PLC, Igor Yurin, questioned the methodological correctness of the examination conducted by the expert of «Kaspersky Laboratory» LLC, Grigory Anufriev, regarding the analysis of the information collected from the suspect's laptop and disks.
Later the executive director of Consulting Group "Aspect", Anton Genkin, the expert invited by "Aeroflot" back in 2010 to conduct a tender to choose a payment solution, doubted that “Aeroflot” was planning to continue business relations with the payment system "Assist". He mentioned that "Assist" did not take part in the tender conducted by “Aeroflot”; thus the prosecution's statement that Vrublevsky could have organized the ddos-attack to show the weakness of competitors' security systems, and so compromise them, is groundless.
Back in April Leonid Raev, an expert graphologist who graduated from the faculty of criminology of the Volgograd Higher Investigatory School of the Ministry of Internal Affairs, testified in court. He made the reservation that he had been able to study only digital images and photocopies of the investigatory reports, not the originals, and so could not use the special techniques for examining documents. Raev pointed out to the court numerous discrepancies between signatures of the same individuals. As a result, he stated that in some cases the signatures were not made by the individuals on whose behalf the document was signed.

Compromised selection of witnesses and falsification of signatures as a basis for the bill of particulars

On 5th of June the graphologist Raev testified once more. During May he made a detailed analysis of the new samples of signatures collected by the lawyers, which became an additional argument demonstrating the falsification of the signatures in the investigatory reports. This expert assessment added weight to the statement made on 29th of May in which witness Anastasia Kurochkina argued that her signatures in several investigatory reports had been forged, and that she had never participated in any investigatory actions either in the ddos-attack case or in other criminal cases.
Having noticed that the signatures in the reports showed signs of slow execution, in contrast with the automatism that distinguishes a signature an individual has developed over the years, Raev ascertained essential differences between the samples of signatures from the investigatory reports and those from other documents (in particular, the judicial summons and the examination sheet). In order to draw a definite conclusion, it is necessary to obtain from inspector Dadinsky a list of signatures that were made on behalf of those individuals whose signatures were falsified by Dadinsky. Meanwhile, it can be assumed that all the autographs belong to one person, as they have common features, such as a wavy side of the endings and a triangular stroke with the termination located on the left.
During questioning by lawyer Igor Feldman [18] on 29th of May, witness Yevseyev stated that he can have an infinite number of signatures. The expert, not suspecting that the quotation had been reproduced literally in the courtroom, ironically remarked that this indicates a mental disorder in the individual.
18 Igor Feldman represents the interests of Dmitry Artimovich and is the youngest among the lawyers chosen by the defendants. Besides Feldman, Ayvar, Zaitsev and Korneev, who is defending the fourth suspect, Maxim Permiakov, there are also state lawyers involved.
Allowing that a person might possess an infallible memory, Raev noted that his arguments could be checked by asking «to examine around five» signatures. The reluctance of Yevseyev and Tisljuka and of inspector Dadinsky to provide samples of their signatures the graphologist regarded as a «plus to [the expert] conclusion», confirming «that the expert is right».
It sounded extremely ambiguous, given that the graphologist had found a resemblance between the handwriting allegedly belonging to the witnesses and the handwriting of the inspector, when on 5th of May inspector Sergey Dadinsky stated that in Russia «the witness institute is badly developed», that «people are afraid to go somewhere and participate in something»; «it is difficult to find individual who will be willing to spend with you as much time is needed» [preparing investigatory reports].
For now, the graphologist's assessments and some witnesses' testimony suggest that the participation as a witness of Nikita Yevseyev, who according to religious canons is also a relative of the inspector, is no accident. It allowed inspector Dadinsky to issue many reports as ostensibly attested by Yevseyev, and then, in private conversation, to advise him to write a petition whose authenticity can be questioned.
On 29th of June public prosecutor Kotov referred to Yevseyev's statements and petitions, in which he claimed that on 29th and 30th of April Vrublevsky ostensibly tried to bribe him and threatened him during telephone conversations. These unsubstantiated statements might perhaps have sounded plausible, but the defense offered a number of proofs showing that Yevseyev misled the court while testifying on 29th of May.
It is important to note that his statement contradicts a number of statements made by the witness Anastasiia Kurochkina and by inspector Dadinsky, who appeared in court on 5th of May as a witness. Yevseyev denied any contacts with the inspector of the Investigation Department of the FSB that were not relevant to the investigation process, but Dadinsky described their relationship as friendly, though he did deny any relations based, for example, on religious practices or ceremonies.
Meanwhile, lawyer Pavel Zajtsev [19] also provided the court with documents to be added to the case materials, such as the letter, dated 5/30/2013, from the archpriest of the Epiphany Cathedral, Alexander Ageykin, confirming that inspector Dadinsky became godfather to Nikita Yevseyev's son. Earlier, on 29th of May, Yevseyev himself stated that he is a devout Muslim.
 
 
19 Lawyer Pavel Zaitsev is a former investigator. He is now a member of the Moscow Board of Lawyers “MOVE” and an expert of the Council for Civil Society Institutions and Human Rights under the President of the Russian Federation; he is also a member of the presidium of the National Anticorruption Committee. Zaitsev is known, in particular, for his participation in the investigation into the smuggling of Italian furniture in 1999-2000. According to the Customs Committee, the state did not receive about 8 million dollars. Zaitsev was the one who established the involvement of some employees of the central apparatus of the FSB in the smuggling operations.

Did the inspector forge the signature of his girlfriend?

An episode more dramatic than Vrublevsky's arrest was the statement made by witness Kurochkina, together with the transcript, provided by lawyer Ajvar, of an audio recording of a conversation between Dadinsky and Kurochkina on 20th of May. The quotations indicate that the inspector tried to mislead the witness about the accusations against Vrublevsky, the Artimovich brothers and Permjakov. Dadinsky asserted that the charges he had pressed against the suspects were connected with drug trafficking, and apologized for not letting her know and for signing on her behalf himself. Nevertheless, the inspector considered it admissible to ask Kurochkina to make a statement in which she would recognize these false signatures as her own; he then suggested that she not appear in court on 29th of May, claiming that an arrangement with the judge and the public prosecutor had already been reached.
After these remarks were quoted in court, Dadinsky did not make any statements denying the accuracy of the quotes.
It can be noted that the behavior of 29-year-old Anastasia Kurochkina was more courageous than that of inspector Dadinsky and of the other witnesses, Yevseyev and Tisljuka. She was the only one of those questioned on 29th of May and on 5th of June who agreed to give the court a sample of her signature. Also, unlike Dadinsky, she was tactful towards her former close friend and did not give any personal assessments of him. Such courageous behavior corresponds more closely to an officer's ethics than the inspector's denial of facts that have been proved true in court.
Vrublevsky was already in custody when Kurochkina informed the court that she had received strange calls, including calls from a detective agency. Unknown individuals also called her workplace, asking whether she has "office romances". Someone also called her mother, assuring her that her daughter is a blackmailer. As a result of this pressure, the witness decided to resign.
It is still unclear whether the Investigatory Committee and the FSB took any action on the request made by Kurochkina on 30th of May, asking to be given state protection and for the circumstances of the false signatures made on her behalf to be clarified.

Themis blinded in both eyes?

Vrublevsky's arrest, which took place on 5th of June in a courtroom of the Tushinsky District Court of Moscow, became possible largely because prosecutor Kotov ignored inspector Dadinsky's obvious infringement, in selecting witnesses, of paragraph 2.2 of Article 60 CPC, which forbids relatives of any kind from acting as witnesses in criminal proceedings.
While judge Lunina justified her decision to change the restrictive measure by arguing that «there is no grounds to doubt Yevseyev's statements», and that they «are objective and there are solid ground for imprisonment», the whole complex of contradictions and absurdities contained in Yevseyev's testimony prompted the lawyers to declare openly to the court that there was convincing evidence that not only Yevseyev but also inspector Dadinsky had in some cases committed perjury. Lawyers Lyudmila Ajvar, Pavel Zajtsev and Igor Feldman did not hide their intention to seek authorization to obtain materials proving that inspector Dadinsky violated the law, and to bring a separate criminal case against the witness for perjury.
In the first half of the hearings, while Vrublevsky had not yet been arrested, the lawyers presented to the court texts, certified by notary Afanaseva, obtained from two mobile phones owned by Vrublevsky and showing the exchange of SMS messages between the defendant and witness Yevseyev, who had testified earlier. According to lawyer Ajvar, the calm tone of these messages gives no grounds to believe that Vrublevsky resorted to any threats.

Vrublevsky's arrest: false associations with Chronopay

For judge Natalia Lunina, two incomplete days of hearings were enough to decide, on 5th of June, whether to grant the petition of public prosecutor Sergey Kotov, who had asked on 29th of May to change the punishment of Russian financier Pavel Vrublevsky from a recognizance not to leave to a 6-month arrest.
The press covering this news presented Vrublevsky as the owner of the payment system company "Chronopay". In fact, the company has co-owners, and although Vrublevsky founded the company back in 2003, over the last two years he has completely withdrawn from company affairs. At the time of his latest arrest Vrublevsky did not hold the position of CEO of "Chronopay" and did not take part in any activities on behalf of the company. His full attention was directed to the fund RNP, created in 2012.

The first attempt to attain freedom

The hearing on 6th of June was the first that Vrublevsky, arrested a day earlier, watched from behind bars.
The defense found the punishment unreasonably strict, and the lawyers therefore filed a petition to change it from 6 months' imprisonment to house arrest, under which his movements and his ability to use means of communication would be limited.
Representing Pavel Vrublevsky's interests, defender Lyudmila Ajvar noted that the witness statements on the basis of which the financier was taken into custody rested substantially on guesses and assumptions and, consequently, cannot have legal validity under current legislation.
Public prosecutor Kotov, objecting as usual to the defense's petitions, finished the debate with the exclamation: «Are we waiting until he will organize liquidation of the witness?!» Yet witness Yevseyev, who on 30th of April asked the court to grant him state witness protection because he found in Vrublevsky's remarks reasons to fear for his safety, has still not received state protection. The prosecutor's remark about organizing someone's "liquidation" therefore looks rather comical and hardly convincing.
Nevertheless, judge Lunina agreed with the public prosecutor that another measure of punishment (not connected with imprisonment) would not ensure an unobstructed judicial process, and upheld the decision on Vrublevsky's arrest passed the day before.
Of the expert reports that the lawyers planned to adduce by filing the petition on 6th of June, the judge agreed to attach only one to the case materials: the report by the expert graphologist Raev. According to Lunina, even though the graphologist had testified 1.5 months earlier, he told the court about the studied signatures in such detail that his observations are of obvious interest for the proceedings.
The review of the examination by Grigory Anufriev of Kaspersky Laboratory, written by Gleb Shamaev and Anastasiia Semikalenova, experts of NO «The Commonwealth of experts of the Moscow State Law Academy of the Kutafin», judge Lunina refused to attach to the case materials, on the grounds that the necessary "aspects" of this question had been considered by her earlier and that she sees no need to use this review.
In the second half of the hearing on 6th of June, the lawyers and the persons involved in the case, in the presence of the invited experts, set out to scrutinize some electronic storage media attached to the case as evidence; however, they did not have some of the technical devices necessary to conduct the procedure in a methodologically correct way. The hearing will continue on Friday at 12:00.

Beforehand the defense expressed concern about the invited candidate for independent expert, Grigory Anufriev, an employee of Kaspersky Laboratory. The lawyers' main objection was that Anufriev might have an interest in confirming the conclusions he had reached earlier as an expert, that is, in proving his previous statement made in court insisting that all the defendants are guilty. However, the public prosecutor managed to convince the court that Anufriev would play only an auxiliary role: only «promoting realization of technical action». The simultaneous participation of two experts in examining the contents of the electronic devices resulted from the agreement reached in previous sessions between the defense and the prosecution to use one expert from each party, to make sure that neither of the parties could affect the result in accordance with its interests.

Lawyer Ajvar, anticipating the objections the state accuser might raise, and attempting to remove the expert who could be seen as the prosecution's expert, set against him another invited candidate: Alexey Kovyrshin, CEO of the company "Chronopay", who has a higher technical education. When public prosecutor Kotov claimed that Kovyrshin could be seen as an expert employed by Vrublevsky, the company founder explained to the state accuser that Kovyrshin is the CEO and does not depend on shareholders such as Vrublevsky.
On 7th (?) of June lawyer Ajvar submitted to the Moscow State Court an appeal against Vrublevsky's arrest. This appeal will be considered within 10 days.

The virus program was written to the DVD-disk while the disk was at Group-IB for examination.

During the hearings on 10th of June the lawyers obtained convincing information that the virus program which, according to the investigation, blocked the payment system was written to the DVD-disk that the court treats as the basic proof against programmer Dmitry Artimovich on September 22nd, 2010, when the disk, according to the evidence, was at Group-IB (as its website puts it, «one of the leading international companies on prevention and investigation of cybercrimes and fraud using high technologies»), where it had been sent for research by the Investigatory Department of the FSB.
Grigory Anufriev, the expert of Kaspersky Laboratory invited by the prosecution, and Alexander Andriishin, a programming engineer at "Information Innovation Company" LLC invited by the defense, testifying after a detailed examination of the electronic devices (two laptops and a DVD-disk), unanimously confirmed that the program was created on 17th of September and written to the DVD-disk 5 days later, on September 22nd, 2010. This information can affect the course of the trial, since it is on this disk, according to the state accuser, that the virus program is recorded.
Earlier the state accuser asserted that this virus was obtained during special investigative activities from the technical communication channels used by programmer Dmitry Artimovich up to August 11th, 2010. However, after the lawyers, with the assistance of the invited experts, established that the virus program had been created on 17th of September and then written to a disk on 22nd of September 2010, more than a month after it had ostensibly been extracted by the inspectors during special investigative activities, the version of events previously put forward by the investigation appears unpersuasive.
The answers given by the two experts differed only in phrasing, not in sense. Grigory Anufriev, carefully selecting each word, explained that on 17th of September the program was assembled into an executable file from source texts. The PETools program shows the compilation date of the virus file as 17th September. Alexander Andriishin said, in other words, that 17th September is shown as the date when the program was created from the source files.
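The compilation date the experts read with PETools is the TimeDateStamp field of the executable's PE/COFF header. The following is an added example, not part of the original article or of any expert's report: it reads that field, records the hash and size that identify the examined file, and compares the date with the dates stated above. The sample image, the function names and the time of day are constructed assumptions.

```python
import hashlib
import struct
from datetime import date, datetime, timezone

UTC = timezone.utc


def build_sample_pe(link_time: datetime) -> bytes:
    """Constructed stand-in for an exhibit: DOS stub, PE signature, COFF header."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # offset of the PE signature
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,                      # Machine: i386
        0,                           # NumberOfSections
        int(link_time.timestamp()),  # TimeDateStamp: seconds since 1970, UTC
        0, 0,                        # PointerToSymbolTable, NumberOfSymbols
        0,                           # SizeOfOptionalHeader
        0x0102,                      # Characteristics: executable, 32-bit
    )
    return bytes(dos) + b"PE\0\0" + coff


def pe_link_time(image: bytes) -> datetime:
    """Return the TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    # 4 bytes of signature + 20 bytes of COFF header must fit in the file
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)


def describe_exhibit(image: bytes) -> dict:
    """Identify the object under examination so another expert can repeat the work."""
    return {
        "sha256": hashlib.sha256(image).hexdigest(),
        "size": len(image),
        "link_time": pe_link_time(image),
    }


def check_timeline(link_time: datetime, capture_end: date, media_written: date) -> dict:
    """Compare the header date with the claimed capture period and the disk write date.

    The field is written by the linker and nothing protects it, so it is one
    piece of evidence to weigh with the media metadata, not proof on its own.
    """
    built = link_time.date()
    return {
        "built_after_capture": built > capture_end,
        "days_after_capture": (built - capture_end).days,
        "days_build_to_media": (media_written - built).days,
    }


if __name__ == "__main__":
    # Dates are the ones stated in court; 12:00 UTC is a constructed time of day.
    exhibit = build_sample_pe(datetime(2010, 9, 17, 12, 0, tzinfo=UTC))
    record = describe_exhibit(exhibit)
    print(record["sha256"], record["size"], record["link_time"].isoformat())
    print(check_timeline(record["link_time"], date(2010, 8, 11), date(2010, 9, 22)))
```
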
Of some interest was also the check of whether one of the laptops seized from Igor Artimovich had been switched on after confiscation. Experts Anufriev and Andriishin agreed that on June 9th, 2010, before the search took place, the laptop was switched off, but there are obvious signs that on the next day, 10th of June, it was used.
The lawyers tried to understand whether Artimovich could somehow have programmed his laptop to start working automatically on the next day.
Alexander Andriishin confirmed that «it is almost improbable», but it is "theoretically possible".
Grigory Anufriev expressed a less categorical opinion, noting that he did not experiment with the PGP-program during the examination. «If the computer has been switched off, and then someone wanted to log in, then, I believe, the password [nevertheless] was necessary, but, considering that I did not carry out experiment, I cannot exclude possibility of non-standard inclusion».
The next court hearings in this case are planned for 10th of June, at 13:00, and from June 18th the judge plans to begin questioning the defendants. Judging by many signs, the case is approaching the finish line.

FSB illegally obtained the conversation from Facebook between Vrublevsky and Kurochkina

During the hearing in Tushino court, correspondence taken from Facebook was attached to the criminal case materials. The text of this conversation between Pavel Vrublevsky, who is accused in the criminal case on the DDoS-attack against Aeroflot, and witness Anastasia Kurochkina was obtained as a result of unauthorized special investigation activities. The court had allowed only a seizure from technical communication channels, that is, an official seizure of documents for which a seizure protocol had to be drawn up. “However, experts from Information Security Center of FSB, ignoring the international conventions and agreements, illegally obtained necessary data using SIA. The above was reported in the letter to Tushino District Court of Moscow, having referred that such data can't be obtained legally” - stated lawyer Pavel Zaytsev.
Despite the lawyers' objections that the correspondence had been obtained off the record, the judge of Tushino District Court of Moscow, Natalia Nikolaevna Lunina, attached it to the case materials. This decision creates a precedent under which the Facebook conversations of any Russian citizen can be obtained without any authorization.
During the same hearings, comprehensive information could have been obtained about the pressure put on the witness by the FSB investigator. Witness Kurochkina, named in the evidence examination protocols, declared that investigator Sergey Dadinsky had tried to persuade her to commit perjury in court, on the grounds that "the agreement with the judge already has been settled". A recording of this conversation had earlier been offered to the court for listening, but the prosecutor and the judge objected, as it was unclear who was on the recording. Its transcript was then read into the protocol. Thus, today expert Herman Zubov, who had previously compared the voice on this recording with a recording of Dadinsky's voice, could have given the court complete information on whether it was Dadinsky who put psychological pressure on the witness. "But the court didn't call the expert, insisting immediately to move on to interrogation of suspects", - reports lawyer Lyudmila Ayvar.
Lawyer Pavel Zaytsev, citing the violations established in the course of the investigative actions, petitioned for the termination of this criminal case. "After withdrawal of laptops from suspects accused of the attack execution, those laptops were switched on illegally and 2 Gb of information were written down. Also there are suspicions in fabrication of criminal case because the virus by which allegedly attack was made was created approximately in a month after the actual attack." - states Zaytsev. The creation date of the program (the virus) was confirmed by the experts of both the defense and the prosecution. It should be noted that the CD with the virus was at Group-IB at that time. Besides, as Zaytsev declared, the FSB investigator "forgot" that the head of an investigation team must, according to paragraph 3 Art. 163 of the Criminal Procedure Code of the Russian Federation, accept the criminal case for proceedings; i.e. he was not authorized to bring accusations against Artimovich I.A. and other individuals, or to sign the indictment in the criminal case. It may seem insignificant, but any lawyer will confirm the illegality of all subsequent investigative actions.
Today the decision of the Ninth Appeal Arbitration Court of Moscow, which upheld the rejection of the claim (for 146 million rubles of losses) made by Aeroflot, was presented to the court and later attached to the case files. Thus an essential element, material damage, is absent from the criminal case concerning Pavel Vrublevsky.

Pavel Vrublevsky explained why he confessed to the attack on Aeroflot

On June 24th, the suspects accused of the DDoS attack on Aeroflot were interrogated in Tushino District Court of Moscow. Earlier, at the interrogation stage, they had admitted guilt and confessed, but they later retracted their statements. The court asked Pavel Vrublevsky and Igor Artimovich why their statements had changed.
On Monday, June 24th, Pavel Vrublevsky and Igor Artimovich, allegedly involved in the DDoS attack on Aeroflot in the summer of 2010, were interrogated in Tushino Court. Both of them confessed during the investigation but subsequently retracted those statements. The accused declared that they had been under strong psychological pressure; moreover, Artimovich was beaten when he was taken from his house to the Investigative Department of the FSB of St. Petersburg.
Pavel Vrublevsky, whom the prosecution considers the organizer of the attack, was interrogated first. He explained that when the investigation began in 2011, he returned early from vacation and was taken into custody at the airport. During interrogation Vrublevsky denied any participation in this crime, but having learned the content of the confession made by Igor Artimovich ("the prisoner's volume" by Igor Artimovich was posted on the Internet), he (Vrublevsky) also wrote a confession to avoid imprisonment, which could have had a serious impact on his family, his wife and three children. Vrublevsky planned to seek justice in court rather than during the investigation. However, he did not manage to avoid a pre-trial detention center and, as a result, spent 6 months in Lefortovo during the investigation. Vrublevsky was able to get out on bail because the maximum possible detention term under articles of moderate severity had expired. During this time the term for Art. 273 of the Criminal Code (creation of harmful programs) expired. The defendants are currently charged under Art. 272 of the CC, illegal access to information. According to Vrublevsky, this article cannot apply to DDoS, because such an attack does not give access to information protected by law; it only blocks a public Internet resource for a while.
Igor Artimovich claimed that after his arrest, having realized the seriousness of the situation and the hopelessness of attempts to prove his innocence, and considering the possible consequences of making statements unfavorable to the investigation, he decided to cooperate with the prosecution and gave "the necessary statements" under dictation. Lawyer Vladimir Markov, who initially represented Artimovich's interests, was recommended by the investigation. Contrary to the certificate stating that he had joined the case by agreement, Markov did not sign any contract with either the client or his relatives. According to Igor Artimovich, Markov's unqualified actions in particular led him to misjudge the prospects of the case, which resulted in his self-incriminating confession.
Interrogation of the programmer Dmitry Artimovich is planned for July 8th.
The fourth suspect in this case, Maxim Permyakov, a former employee of Vrublevsky who had earlier worked in the FSB, won't be interrogated as he confirmed his confession. He will only express his opinion during the debates after all interrogations of the accused have ended.
According to Aeroflot's data, the airline suffered losses of more than 146 million rubles; however, the Arbitration Court of Moscow rejected the claim for recovery of civil damages for lack of proof.

Hackers or Bugs? Which is the Bigger Threat?

If you’re in the software business – and care about quality – then chances are you’ve probably lost sleep over the idea of hackers taking control of your application and running amok. For many, this is their #1 concern. Let’s call it hackerphobia.
But as a recent TechWeek article suggests, software developers should actually fear the software bug over the software hacker. Entomophobia, as it’s called, although not in the strict sense of the term.
Anyway, I wanted to share some of the author’s thoughts on the matter, as it’s not a view you see often in the mainstream tech press, but it’s certainly one we’ve emphasized in previous posts. Here are a few key excerpts that stood out to me:
Cyber attacks and cyber war may be headline grabbing, but a bigger threat to data security could be the software glitch. And the cause of this glitch is the data itself – or rather the sheer amount of it stored in our databases.
Databases are now so large that it is impossible to refresh them regularly, to run tests frequently and to fix errors quickly. This leads to more frequent and more dangerous software glitches. Whilst threats from large scale cyber-attacks should not be overlooked, for most organisations it is the threat of a software glitch that presents a clearer danger.
It seems these types of glitches are happening more frequently than ever before. Why? Often the cause lies in insufficient testing. When databases are as large and complex as they are today, trying to duplicate and refresh data sets for testing is becoming harder and harder. IT teams are spending more and more time responding to requests for copies of databases and in some cases they can’t fulfil those requests at all. Developers are pushed to finish projects faster, but often IT can’t meet their demands which results in minimal testing of applications before they go live.
In other instances, IT departments provide copies of databases for testing, but by the time a copy is available, the data is old. Data can be obsolete after only a couple of hours, but refreshing a single testing data set can take days, so most tests never use data which is up to date enough to be risk free.
Stopping glitches from occurring isn’t always possible and implementing a new application will always have inherent risks, but more can be done. Companies need to make testing a priority and equip their IT teams with technology and resources that will enable them to test often and on recent data. Neglecting testing, as some of the recent examples show, can have dire consequences.
In other words, software development departments are their own worst enemy – not the hackers. This is not meant to diminish the threat of hackers (or the need for security testing) but rather to highlight the sometimes downplayed threat of what seem like common software bugs.