Home Tags Defacement

Tag: Defacement

A vulnerability in the Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to conduct a HTTP response splitting attack. The vulnerability is due to the failure of the application or its environment to properly san...
Unless of course your site is so dull that a little hacker defacement will cheer it up The plugin gurus at WordFence have this week found three critical security holes in third-party WordPress extensions that are being actively exploited by hackers to take over websites.…
Anyone can get angry at you and become a hacktivist. Here's how to protect your organization from these increasingly common cyber attacks.
"Keys made the CMS far weaker by taking and creating new user accounts."
WordPress sites slow to update to the recent 4.7.2 security release run the risk of falling victim to a handful of defacement attacks spotted by Sucuri.
EnlargeSean Rayford/Getty Images / Aurich reader comments 116 Share this story “Through our e-mails and our social media accounts we get death threats all the time,” said Janisha Gabriel. “For anyone who’s involved in this type of work, you know that you take certain risks.” These aren’t the words of a politician or a prison guard but of a Web designer.

Gabriel owns Haki Creatives, a design firm that specializes in building websites for social activist groups like Black Lives Matter (BLM)—and for that work strangers want to kill her. When these people aren’t hurling threats at the site’s designer, they’re hurling attacks at the BLM site itself—on 117 separate occasions in the past six months, to be precise.

They’re renting servers and wielding botnets, putting attack calls out on social media, and trialling different attack methods to see what sticks.
In fact, it’s not even clear whether ‘they’ are the people publicly claiming to perform the attacks. I wanted to know just what it takes to keep a website like BlackLivesMatter.com online and how its opponents try to take it down. What I found was a story that involves Twitter campaigns, YouTube exposés, Anonymous-affiliated hacker groups, and a range of offensive and defensive software.

And it’s a story taking place in the background whenever you type in the URL of a controversial site. BlackLivesMatter.com Although the Black Lives Matter movement has been active since 2013, the group’s official website was set up in late 2014 after the shooting of Michael Brown in Ferguson, Missouri. Until that point, online activity had coalesced around the #BlackLivesMatter hashtag, but when the mass mobilizations in Ferguson took the movement into the public eye, a central site was created to share information and help members connect with one another. Since its creation, pushback against BLM has been strong in both the physical and digital world.

The BLM website was taken down a number of times by DDoS attacks, which its original hosting provider struggled to deal with.
Searching for a provider that could handle a high-risk client, BLM site admins discovered MayFirst, a radical tech collective that specializes in supporting social justice causes such as the pro-Palestinian BDS movement, which has similarly been a target for cyberattacks. MayFirst refers many high-profile clients to eQualit.ie, a Canadian not-for-profit organization that gives digital support to civil society and human rights groups; the group’s Deflect service currently provides distributed denial of service (DDoS) protection to the Black Lives Matter site.
In a report published today, eQualit.ie has analyzed six months’ worth of attempted attacks on BLM, including a complete timeline, attack vectors, and their effectiveness, providing a glimpse behind the curtain at what it takes to keep such a site running. The first real attack came only days after BLM signed up with Deflect.

The attacker used Slowloris, a clever but dated piece of software that can, in theory, allow a single machine to take down a Web server with a stealthy but insistent attack.

Billed as “the low bandwidth yet greedy and poisonous http client,” Slowloris stages a “slow” denial of service attack.
Instead of aggressively flooding the network, the program makes a steadily increasing number of HTTP requests but never completes them.
Instead, it sends occasional HTTP headers to keep the connections open until the server has used up its resource pool and cannot accept new requests from other legitimate sources. Elegant as Slowloris was when written in 2009, many servers now implement rules to address such attacks.
In this case, the attack on BLM was quickly detected and blocked.

But the range of attack attempts was about to get much wider. Enlarge / The Slowloris tool running in a terminal. Anonymous “exposes racism” On May 2, 2016, YouTube channel @anonymous_exposes_racism uploaded a video called “Anonymous exposes anti-white racism.” The channel, active from eight months before this date, had previously featured short news clips and archival footage captioned with inflammatory statements (“Louis Farrakhan said WHITE PEOPLE DESERVE TO DIE”).

But this new video was original material, produced with the familiar Anonymous aesthetic—dramatic opening music, a masked man glitching across the screen, and a computerized voice speaking in a strange cadence: “We have taken down a couple of your websites and will continue to take down, deface, and harvest your databases until your leaders step up and discourage racist and hateful behavior.
Very simply, we expect nothing less than a statement from your leadership that all hate is wrong… If this does not happen we will consider you another hate group and you can expect our attention.” The “we” in question was presumably a splinter cell of Anonymous known as the Ghost Squad Hackers.

Three days previously, in a series of tweets on April 29, Ghost Sqaud’s self-styled admin “@_s1ege” claimed to have taken the BLM site offline.

Ghost Squad had a history of similar claims; shortly before this, it had launched an attack against a Ku Klux Klan website, taking it offline for a period of days. Dr.

Gabriella Coleman is an anthropologist and the author of Hacker, Hoaxer, Whistleblower, Spyconsidered the foremost piece of scholarship on Anonymous. (She also serves as a board member of eQualit.ie.) She said that Ghost Squad is currently one of the most prolific defacement and DDoS groups operating under the banner of Anonymous, but she also noted that only a few members have ever spoken publicly. “Unless you’re in conversation with members of a group, it’s hard to know what their culture is,” said Coleman. “I could imagine hypothetically that a lot of people who use the Ghost Squad mantle might not be for [attacking Black Lives Matter] but also might not be against it enough to speak out. You don’t know whether they all actively support it or just tolerate it.” Just as with Anonymous as a whole, this uncertainty is compounded by doubts about the identity of those claiming to be Ghost Squad at any given time—a fact borne out by the sometimes chaotic attack patterns shown in the traffic analytics. Enlarge / A screenshot of BlackHorizon in action. The April 29 attack announced by S1ege was accompanied by a screenshot showing a Kali Linux desktop running a piece of software called Black Horizon.

As eQualit.ie’s report notes, BlackHorizon is essentially a re-branded clone of GoldenEye, itself based on HULK, which was written as proof-of-concept code in 2012 by security researcher Barry Shteiman. All of these attack scripts share a method known as randomized no-cache flood, the concept of which is to have one user submit a high number of requests made to look like they are each unique.

This is achieved by choosing a random user agent from a list, forging a fake referrer, and generating custom URL parameter names for each site request.

This tricks the server into thinking it must return a new page each time instead of serving up a cached copy, maximizing server load with minimum effort from the attacker. But once details of the Ghost Squad attack were published on HackRead, a flurry of other attacks materialized, many using far less effective methods. (At its most basic, one attack could be written in just three lines of Python code.) Coleman told me that this pattern is typical. “DDoS operations can attract a lot of people just to show up,” she said. “There’ll always be a percentage of people who are motivated by political beliefs, but others are just messing around and trying out whatever firepower they have.” One group had first called for the attack, but a digital mob soon took over. Complex threats Civil society organizations face cyberattacks more often than most of us realize.
It’s a problem that these attacks exist in the first place, of course, but it’s also a problem that both successful and failed attempts so often happen in silence. In an article on state-sponsored hacking of human rights organizations, Eva Galperin and Morgan Marquis-Boire write that this silence only helps the attackers. Without publicly available information about the nature of the threat, vulnerable users lack the information needed to take appropriate steps to protect themselves, and conversations around effective defensive procedures remain siloed. When I spoke to Galperin, who works as a global policy analyst at the Electronic Frontier Foundation, she said that she hears of a civil society group being attacked “once every few days,” though some groups draw more fire and from a greater range of adversaries. “[BLM’s] concerns are actually rather complicated, because their potential attackers are not necessarily state actors,” said Galperin. “In some ways, an attacker that is not a nation state—and that has a grudge—is much more dangerous. You will have a much harder time predicting what they are going to do, and they are likely to be very persistent.

And that makes them harder to protect against.” By way of illustration, Galperin points to an incident in June 2016 when prominent BLM activist Deray Mckesson’s Twitter account was compromised despite being protected by two-factor authentication.

The hackers used social engineering techniques to trick Mckesson’s phone provider into rerouting his text messages to a different SIM card, an attack that required a careful study of the target to execute. Besides their unpredictability, persistence was also a defining feature of the BLM attacks.

From April to October of this year, eQualit.ie observed more than 100 separate incidents, most of which used freely available tools that have documentation and even tutorials online. With such a diversity of threats, could it ever be possible to know who was really behind them? Chasing botherders One morning soon after I had started researching this story, a message popped up in my inbox: “Hello how are you? How would you like to prove I am me?” I had put the word out among contacts in the hacking scene that I was trying to get a line on S1ege, and someone had reached out in response. Of course, asking a hacker to prove his or her identity doesn’t get you a signed passport photo; but whoever contacted me then sent a message from the @GhostSquadHack Twitter account, used to announce most of the team’s exploits, a proof that seemed good enough to take provisionally. According to S1ege, nearly all of the attacks against BLM were carried out by Ghost Squad Hackers on the grounds that Black Lives Matter are “fighting racism with racism” and “going about things in the wrong way.” Our conversation was peppered with standard-issue Anon claims: the real struggle was between rich and poor with the media used as a tool to sow division and, therefore, the real problem wasn’t racism but who funded the media. Was this all true? It’s hard to know.
S1ege’s claim that Ghost Squad was responsible for most of the attacks on BLM appears to be new; besides the tweets on April 29, none of the other attacks on BLM have been claimed by Ghost Squad or anyone else.

To add more confusion, April 29 was also the date that S1ege’s Twitter account was created, and the claim to be staging Op AllLivesMatter wasn’t repeated by the main Ghost Squad account until other media began reporting it, at which point the account simply shared posts already attributing it to them. Despite being pressed, S1ege would not be drawn on any of the technical details which would have proved inside knowledge of the larger attacks. Our conversation stalled.

The last message before silence simply read: “The operation is dormant until we see something racist from their movement again.” Enlarge / Number of connections per day to the Black Lives Matter website.

DDos attacks are the massive spikes. eQualit.ie Behind the mask As eQualit.ie makes clear, the most powerful attacks leveraged against the BLM website were not part of the wave announced back in April by Ghost Squad.
In May, July, September, and October, a “sophisticated actor” used a method known as WordPress pingback reflection to launch several powerful attacks on the site, the largest of which made upwards of 34 million connections. The attack exploits an innocuous feature of WordPress sites, their ability to send a notification to another site that has been linked to, informing it of the link.

The problem is that, by default, all WordPress sites can be sent a request by a third party, which causes them to give a pingback notification to any URL specified in the request.

Thus, a malicious attacker can direct hundreds of thousands of legitimate sites to make requests to the same server, causing it to crash. Since this attack became commonplace, the latest version of WordPress includes the IP address requesting the pingback in the request itself. Here’s an example: WordPress/4.6; http://victim.site.com; verifying pingback from Sometimes these IP addresses are spoofed—for illustration purposes, the above example ( corresponds to Google’s public DNS server—but when they do correspond to an address in the global IP space, they can provide useful clues about the attacker.
Such addresses often resolve to “botherder” machines, command and control servers used to direct such mass attacks through compromised computers (the “botnet”) around the globe. Enlarge eQualit.ie In this case, the attack did come with clues: five IP addresses accounted for the majority of all botherder servers seen in the logs.

All five were traceable back to DMZHOST, an “offshore” hosting provider claiming to operate from a “secured Netherland datacenter privacy bunker.” The same IP addresses have been linked by other organizations to separate botnet attacks targeting other groups.

Beyond this the owner is, for now, unknown. (The host’s privacy policy simply reads: “DMZHOST does not store any information / log about user activity.”) The eQualit.ie report mentions these details in a section titled “Maskirovka,” the Russian word for military deception, because hacking groups like Ghost Squad (and Anonymous as a whole) can also provide an ideal screen for other actors, including nation-states. Like terrorism or guerrilla combat, DDoS attacks and other online harassment fit into a classic paradigm of asymmetrical warfare, where the resources needed to mount an attack are far less than those needed to defend against it.

Botnets can be rented on-demand for around $60 per day on the black market, but the price of being flooded by one can run into the hundreds of thousands of dollars. (Commercial DDoS protection can itself cost hundreds of dollars per month. eQualit.ie provides its service to clients for free, but this is only possible by covering the operating costs with grant funding.) The Internet had long been lauded as a democratizing force where anyone can become a publisher.

But today, the cost of free speech can be directly tied to the cost of fighting off the attacks that would silence it. Corin Faife is a freelance journalist writing on the intersection of technology and politics. You can find him in one of the many bars of Montreal, Canada, or on Twitter at @corintxt.
So says Imperva after trolling the dark web Prefab phishing campaigns cost less to run and are twice as profitable as traditional phishing attacks, according to a new study by security vendor Imperva. Cybercriminals are lowering the cost and increasing the effectiveness of email phishing by buying complete packages of compromised servers and all the other components necessary to run a campaign of phishing attacks.

These so-called phishing-as-a-service bundles are cheaper than trying to cobble together it an email campaign from scratch.

That probably seems obvious to you, but it's useful to see some research confirming it. For one thing, the tactic is driving an across-the-board increase in phishing attacks. Phishing is the starting point for most network and data breaches.
Imperva researchers began their study by going through listings on dark-web marketplaces.

This allowed them to estimate the cost of phishing campaigns and gave them a clearer picture of the business model behind these all-too-commonplace scams. Based on the costs of the studied campaign – which used phishing pages, a spam server, an email list of 100,000 email addresses and access to compromised servers – the overall estimated expenses of an unmanaged phishing scam is about $27.65, Imperva estimates. In addition, they saw that hackers were easily able to hijack compromised webservers for their campaign, which further lowered up-front costs. Based on the researchers’ analysis of costs, PhaaS is about a quarter of the cost and two times more profitable than a traditional unmanaged phishing campaign, which tends to be more labour intensive. Lowering the costs and technology barriers associated with phishing will almost certainly lead to an increase in phishing campaigns, and the number of people falling victim to these cybercrime operations. The ease of purchase and low cost of PhaaS campaigns is highly likely to make frauds that rely on tricking marks into handing over login credentials for sensitive websites even more commonplace, Imperva concludes. “The combination of PhaaS and compromised web servers has significantly lowered the monetary, technological and time investment needed to conduct a successful phishing campaign,” said Amichai Shulman, cofounder and CTO of Imperva. “It’s no longer feasible for enterprises to use the client-side approach of endpoint software to fight phishing attempts, because people continue to click nefarious links in email. One way to slow the attacks is to choke off easy access to compromised servers, which would make the phishing business model more expensive and lower profitability.” Imperva researchers deconstructed a phishing campaign initiated in mid-June, 2016.

The researchers found that people are most likely to take the email phishing bait while at work, rather than at home.

Around a third (35 per cent) of successful phishing attacks were activated between 0900 and noon while victims were at work, busy writing and replying to emails.

The researchers also found that victims were more likely to enter their username and password to open an email attachment – in this case an Adobe PDF file – than to click on a URL in the email before filling in a web form with their login credentials. Imperva researchers were able to link the campaign to an Indonesian hacking group that began its “career” with a series of web defacement attacks against targets in the US, Australia and Indonesia.
In late 2015, the group graduated to money-making hack attacks against online shops that use the Magento e‑commerce system. Two-thirds (68 per cent) of the victim credentials harvested by the group did not exist in previously known public breaches (one-third had been breached in the past). Imperva’s latest Hacker Intelligence Initiative report, Phishing made easy: Time to rethink your prevention strategy?, can be found here [PDF].

An Infographic summarising the main findings of the study is here [PDF]. ® Sponsored: Want to know more about PAM? Visit The Register's hub
Europol: Cybercrims getting more devious Europol’s annual cyber-crime survey warns that the quality of spearphishing and other "CEO fraud" is continuing to improve and "cybercrime-as-a-service" means an ever larger group of fraudsters can easily commit online attacks. Many threats remain from last year – banking trojan attacks are still an issue for businesses and individuals although this has now been eclipsed by ransomware which is growing more quickly. The ease of access to cyber-crime tools means that it now exceeds real world crime in terms of value in many European countries. The report warns that although there is very limited use of these tools by extremist groups, the fact that they're simple to use, and fairly simple to access via the Dark web, means that could quickly change.
It notes that such groups make wide use of social media for propaganda and recruitment there is little evidence of use of cyber-attack capabilities beyond website defacement. Europol is also seeing the first evidence of organised criminal gangs beginning to exploit contactless cards. It warns of increasing use of booter/stresser tools to run DDos attacks. It has also seen a marked improvement in the quality and apparent authenticity of spear-phishing attacks – making them ever harder to separate from genuine communications. Data remains a key target for cybercrims.

But they’re increasingly using it either to encrypt, for ransom, for direct extortion or to further more complex fraud, not just for immediate gain. Another change this year is an increase in live streamed child sexual abuse. Europol said: “The use of end-to-end encrypted platforms for sharing media, coupled with the use of largely anonymous payment systems, is facilitating an escalation in the live streaming of child abuse. Offenders target regions where there are high levels of poverty, limited domestic child protection measures and easy access to children.” Beyond recommending more resources for cyber-crime law enforcement Europol wants more collaboration and intelligence sharing to deal with Darknet investigations and prevent duplication of effort and improve sharing of tools and tactics. More broadly it calls for a phenomenon-based approach to replace incident response.
It notes that successes in combating fraud in the airline industry could be replicated for other industries.

Equally operations to target offenders who need to be in a physical location – like car rental – in order to collect the proceeds of cyber-crime. The full Internet Organised Crime Threat Assessment 2016 is available to download here.
Cyrus Farivarreader comments 8 Share this story Attorneys representing Matthew Keys have filed their formal appeal to the 9th Circuit. Keys is the California journalist who was convicted of hacking-related crimes in 2015. As Keys told Ars before he was sentenced, the appeal largely focuses on the argument that the government “constructively amended” the second count that he was charged with: 18 U.S.

Code § 1030 (a) (5) (A).

That law declares a crime has been committed if someone “knowingly causes the transmission of a program, information, code, or command, and, as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” During closing arguments at trial, one of Keys’ lawyers, Jay Leiderman, said that Keys’ December 2010 defacement of one Los Angeles Times article lasted only 40 minutes and therefore caused no damage. Keys has never been charged with the actual short-lived “hack.” Instead, he was accused of handing over a login and password that accesses the content management system of the Tribune Company, which owns the Los Angeles Times.

The Department of Justice accuses Keys of handing this information to a British man who used it to create a new Tribune Company account.

The man, named George David Sharpe, used this account to access the Times’ own CMS and deface its headline. Post-conviction, Keys told Ars that he, in fact, did not hand off the login and password to the Tribune Company’s CMS. In the appeal brief filed Wednesday evening, Leiderman’s co-counsel Tor Ekeland made a similar argument: “For there to be CFAA Damage, there must be actual harm to a computer system, whether through the deletion of data or rendering it inaccessible.” He continued: There was no testimony at trial that conclusively established that any files were deleted. Rather, the trial testimony is consistent with the proposition that the changes to the latimes.com website story simply constituted a new saved version of the story, one that was easily restored to its prior version via the CMS, a CMS system that did not have its functionality impaired in any way and functioned at all relevant times as it was programed to do. Ekeland also said that prosecutors engaged in “constructive amendment” of the charges that Keys faced, which biased the jury.
In other words, prosecutors raised extraneous accusations—but did not formally file charges—that, prior to the Times defacement, Keys was involved in sending taunting e-mails to viewers of his then-employer, Fox 40. Plus, Ekeland argued, even if he did send the e-mails (which Keys has denied), copying the company e-mail list also did not constitute damage. Keys is currently serving a 24-month sentence at the United States Penitentiary in Atwater, California, 120 miles southeast of San Francisco. The government’s reply is due September 23, 2016.
After lying dormant for years, flaws in the HTTP Proxy header used in programming languages and applications, such as PHP, Go and Python, have now been fixed. Some flaws take longer—a lot longer—than others to get fixed.

The newly named HTTpoxy vulnerability was first discovered back in March 2001 and fixed in the open-source Perl programming language, but it has sat dormant in multiple other languages and applications until July 18.The HTTPoxy flaw is a misconfiguration vulnerability in the HTTP_PROXY variable that is commonly used by Common Gateway Interface (CGI) environment scripts.

The HTTPoxy flaw could potentially enable a remotely exploitable vulnerability on servers, enabling an attacker to run code or redirect traffic.

The flaw at its core is a name space conflict between two different uses for a server variable known as HTTP Proxy."There is a common system environment variable called "HTTP_PROXY," which can be used to communicate the HTTP (and sometimes HTTPS) proxy settings for an outgoing HTTP proxy to an application," Red Hat explains in its advisory on HTTpoxy. "This variable has a completely different purpose and context to that of the HTTP server-script variable."Red Hat's advisory notes that applications, language libraries and scripting modules use the HTTP server script environment variable to help configure a proxy for subsequent outgoing HTTP traffic. The risk is that since the two variables can be confused, an attacker could potentially redirect a server's outgoing connection to an arbitrary location.

The HTTpoxy flaw has a widespread impact, with the open-source PHP, Go, Python and HVVM languages at risk as well as the Apache HTTP and Tomcat servers.

As myriad applications rely on those languages and servers, there are multiple updates from application projects as well, including the popular Drupal open-source content-management system, which powers many U.S. government Websites, including Whitehouse.gov. Christopher Robinson, manager, Red Hat product security program management, explained that the HTTpoxy issue was first identified and fixed in 2001 in a Perl library. Perl is a popular open-source programming language. "The world of security was quite a bit different back in 2001.
It wasn't common to look at issues as having wide-reaching consequences," Robinson told eWEEK. "Today, there are a large number of security researchers investigating issues like never before."Robinson added that Web apps were also quite different in 2001, and tended to be more monolithic.

The idea of doing server-side HTTP requests while fulfilling a client-side request was also not very common.

Today, it is a different world with distributed applications and microservices."In a worst-case scenario for this issue, an attacker could possibly redirect outgoing HTTP traffic from a CGI script to other servers," Robinson said. "This could lead to the disclosure of sensitive information contained within both request and response sent between the CGI script and HTTP server."That said, Robinson emphasized that on Linux, the majority of Web applications no longer run as CGI scripts, meaning they are not vulnerable to this type of attack.Greg Knaddison, director of engineering at Card.com and Drupal Security Team member, noted that for most Drupal sites, HTTpoxy is probably only a "corner case" risk."The members of Drupal Security Team who worked on this issue were able to think of a few scenarios that would allow a determined attacker to completely take over a site," Knaddison told eWEEK. "Most of them involved stringing together the HTTPoxy vulnerability in the Guzzle library to achieve a defacement or a Cross-site scripting attack."Guzzle is a popular PHP HTTP client that can be used in a Drupal deployment stack. Knaddison added that Drupal core does not use the vulnerable HTTP proxy variable directly; however, Drupal 8 core and several Drupal 7 contributed modules used a version of the Guzzle library that was vulnerable.

The Drupal project has now issued an update and guidance on how to further mitigate the limited risk of HTTpoxy.For users of the popular Apache HTTP Web server, the Apache Software Foundation has issued guidance to help mitigate the risk.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.
Matthew Keys talks to reporters after he was sentenced to two years in prison.Cyrus Farivar Reporter Matthew Keys will not be going to federal prison today as he was scheduled to. His attorney, Jay Leiderman, tweeted the news today after he and the other lawyers on Keys’ legal team filed an emergency motion with the 9th Circuit Court of Appeals last night. An automatic stay has issued in the @MatthewKeysLive case. He will not be reporting to prison today. — Jay Leiderman (@JayLeidermanLaw) June 15, 2016 The Tuesday filing automatically triggers a temporary stay, according to the 9th Circuit’s Federal Rules of Appellate Procedure.
So the California journalist convicted in 2015 of hacking-related crimes will remain out of custody for now. Keys was convicted at trial under the Computer Fraud and Abuse Act (CFAA), the notorious anti-hacking federal law that dates back to the 1980s.

An effort to reform that law has languished in Congress.

The 29-year-old was scheduled to begin serving his two-year sentence beginning Wednesday at 2pm Pacific Time at a federal prison camp in Atwater, California, about 120 miles east of San Francisco. Even post-conviction, Keys has maintained that he did not hand over any login information that led to the 40-minute alteration of a Los Angeles Times headline in 2010. Hours before Keys’ sentencing hearing, Ars received a letter from someone under the pseudonym "Sam Snow," who claimed that he, and not Keys, was the one who actually handed over the login details.

This new claim by Snow will likely have no impact on the appeal. What is “damage,” anyway? The new filing to the appellate court came just hours after the federal judge who presided over Keys’ trial and sentencing, US District Judge Kimberly J. Mueller, denied a similar motion for release pending appeal. The motion to the 9th Circuit largely reiterates many of the same points that the defense team argued previously. Tor Ekeland, who authored the Tuesday filing, wrote that Keys is "not a flight risk nor a dangerous threat to the community." He continued: His case raises significant questions on appeal regarding the proper scope of the Computer Fraud and Abuse Act’s (CFAA) damage and loss provisions.

At trial, the district court also raised the possibility of a variance because the proof presented to the jury was for a different crime.

Despite this, the district court denied the Defendant’s motion for bail pending appeal on June 14, 2016.

Because these are substantial appellate issues that could meet any one of the factors listed in 18 U.S.C. 3143(b), this Court should reverse the denial and grant his release pending appeal. The defense attorney went on to say that because the defacement that occurred at the Times was ultimately corrected from a backup, no damage was actually inflicted. "The damage minimum is a jurisdictional requirement of a CFAA charge. Without damage, there can be no conviction," he wrote. "Courts across the country have denied damage findings even in more extreme cases where files were deleted but recoverable." In her Tuesday order, Judge Mueller found this argument unconvincing: Defendant also argues that because the data was backed up, there was no damage; the court finds this argument unpersuasive.

The inability of an employee such as Samantha Cohen to log in to work, and the employer’s inability to promptly change usernames and passwords, and resecure the compromised system all constitute damage.
Shurgard Storage Ctrs., Inc. v.
Safeguard Self Storage, Inc., 119 F.
Supp. 2d 1121, 1126–27 (W.D. Wash. 2000).

Defendant further argues the court improperly allowed testimony and instructions that supported and provided an overbroad definition of loss.

Defendant does not identify any testimony with particularity. Leiderman told Ars that the 9th Circuit will want the issue to be fully briefed both by Keys’ side and by government prosecutors before rendering a decision in the coming weeks.
Cyrus Farivar Lawyers for journalist Matthew Keys are set to appear before a federal judge in Sacramento, California, on Wednesday morning to ask that his upcoming self-surrender date be pushed back pending his appeal.

During the same hearing, the judge is also likely to set how much money Keys must pay in restitution to his former employer, Fox 40 and Tribune Media. The 29-year-old was convicted in 2015 of three counts of conspiracy and criminal hacking under the Computer Fraud and Abuse Act (CFAA) and was sentenced earlier this year to two years in prison.

For now, Keys is due to report to federal prison in Lompoc, California, next week.In a motion filed with the court on Tuesday, Tor Ekeland, one of Keys’ attorneys, noted that his client has consistently shown that "he is not a flight risk nor a dangerous threat to the community" and as such should be allowed to stay out of custody while his appeal is pending. Ekeland wrote: His case raises significant questions regarding the proper scope of the Computer Fraud and Abuse Act’s (CFAA) damage and loss provisions.

These issues led the Court to raise the possibility of a variance because the proof presented to the jury was for a different crime.

Because these are substantial appellate issues that could meet any one of the factors listed in 18 U.S.C. 3143(b), this Court should grant his release pending appeal. The appeal largely rests on the argument that Keys’ alleged actions—providing access to a content management system that ultimately resulted in the brief defacement of one Los Angeles Times article—caused no actual damage, and therefore, there was no damage under the CFAA. Even post-conviction, Keys has maintained that he did not hand over any login information that led to the 40-minute alteration of the LA Times headline. (Hours before Keys’ sentencing hearing, Ars received a letter from someone under the pseudonym "Sam Snow," who claimed that he, and not Keys, was the one who actually handed over the login details.) The judge will hear arguments in a separate hearing on July 6, 2016 regarding the motion to keep Keys out of prison entirely while the appeal is ongoing.