From the various files made available, some were easily viewable with a standard text editor, others – such as an executable called server_interface.exe – were more tricky. Thanks to a admittedly fairly hostile Full Disclosure security report we now have a clearer idea of what the package is capable of.

Penned by ‘CULT OF THE DEAD HADOPI’, the report refers to TMG as “Too Many Gremlins” along with reports not to expose them to bright lights. In it the server_interface.exe code is described as a Delphi service to which anyone can connect and start sending commands, no authentication (username/password) required. Perhaps even more worrying is a script which accepts auto-updates.

“An attacker can use the ‘Auto Update’ feature (\x82) to force the server to download updates from an evil FTP server he controls. Of course, a downloaded file is executed
just after the download,” write the researchers.

“Hence, anyone who wants to raise an army against Too Many Gremlins, look for an open port on TCP 8500,” they add.

The implication here is that if this software was present on all TMG servers, in addition to being able to turn them on and off at will a hacker could take them over with custom code of his own choosing, potentially creating “an army” which could be used to attack TMG or indeed, anyone else.

Commenting on the research, Bluetouff told TorrentFreak that the discovery of the vulnerabilities mean that the French 3 strikes program might already have been compromised.

“If TMG is vulnerable to injectioning on the system used to provide IP addresses to the HADOPI, the whole process is fu**** up,” he explained.

“Someone could for example inject the Culture Ministry’s IP range, or worse, gain access between TMG and HADOPI’s VPN by stealing certificates… then gain access to a huge amount of personal data,” he added.

“For instance we don’t know if this new ‘test server’ leak can compromise the LAN(S) of TMG with this exploit. Opacity is even for HADOPI. That’s why they went to audit TMG’s infrastructure with the CNIL [French Data Protection Office].”

“Anyway, this new episode shows that HADOPI was right to close their access,” he concludes.

That closure of access is a reference to Hadopi severing their Internet links to TMG once they found out about the leak and resorting to shifting IP addresses around by DVD and the postal system instead. That is hardly efficient and undoubtedly TMG will be working hard to get back into the 21st century.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Blogger and security researcher Olivier Laurelli, aka Bluetouff, told us that a TMG virtual machine had been leaking data, including security tools and, according to a later report by news resource Numerama, IP-addresses of French citizens.

Naturally the revelations generated controversy, with the Hadopi agency announcing that they had suspended electronic connections with TMG and had resorted to shifting file-sharing monitoring data around on DVD instead.

As the pressure mounted on TMG, in the middle of the week they called in Commission Nationale de l’informatique et des Libertés (CNIL) to investigate the security issue. CNIL is the French authority responsible for ensuring that data privacy law is applied to the collection, handling, and use of personal data,

Then yesterday, Telecom Paper reported that TMG would sue the person responsible for finding the security flaw, but adding that it would be unusual for the French courts to prosecute people who expose lax security as doing so is deemed to be in the public interest.

TMG’s position, however, is slightly more awkward than that.

After first trying to play the situation up, using language such as “we have been the victim of data theft”, TMG followed up with claims that the exposed information was in fact nothing to do with their main systems. Furthermore, the server from which it came allegedly carried no live end-user data and was in fact a mere test machine. According to a source quoted by PCInpact, this is why TMG left it unprotected.

So on what basis would TMG sue Bluetouff? TorrentFreak asked him.

“TMG first said to the press it was an unprotected test server with no confidential data, and that there was no hack. So I’m really wondering on what basis they could attack,” he explained.

“I guess they need to sue someone because of insurance stuff or just to avoid admitting their own fail. So just wait and see but I’m quite sure they won’t sue.”

Bluetouff then reminded us of the security flaw he discovered in software developed by ISP Orange, which inadvertently leaked users’ IP addresses as it tried to block file-sharing.

“Orange had the same reaction, to send me lawyers first over their splendid ‘hadopiware’. Then they tried to understand what happened and who is guilty of what afterwards,” he explained.

Then within minutes we had another message from Bluetouff. “Wow, that was fast,” he said.

As predicted, TMG had announced that they won’t sue after all, unless they find evidence of “a formal intrusion”, something which presumably won’t be possible on a server they left deliberately open.

Time will tell what conclusions the CNIL data inspectors will draw from the episode. Their report is forthcoming.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.