Risk
1/31/2013
12:04 PM

Mega Repeat: Search Engine Mimics Dotcom's MegaUpload

Crowdsourced MegaSearch site indexes all files on Mega, allowing users to share uploaded, encrypted content.

There's a new file-sharing game in town: Mega-Search.me. But unlike dedicated file-sharing sites, this one is just a search engine designed for people to submit links to content that they've already uploaded to the file-storage site Mega.

In other words, thanks to an apparent crowdsourcing twist, the combination of Mega and Mega-Search.me enables people to upload, share, or retrieve any file -- just as they did with the disgraced Megaupload. "Already more than 2000 links," claimed a tweet from Mega-Search last week.

Although files uploaded to Mega are encrypted, the decryption key is included in the link to the file that's generated for users. Thus any file URL that's publicly disclosed can be used by anyone else to download and decrypt the stored file. A file-sharing feature is notably absent in the official Mega site, which offers 50GB of cloud storage for free, as well as premium accounts offering more.


Mega launched at 6:48 a.m. New Zealand time on Jan. 20, 2013 -- the precise anniversary of New Zealand police and FBI agents' raid last year of Megaupload founder Kim Dotcom's home and shutdown of all Megaupload servers in the United States.

The Department of Justice has accused Dotcom and three other key company officials of using Megaupload to illegally generate $175 million in profits, while causing $500 million in damage to copyright holders, by condoning and supporting illegal file sharing, in part by ignoring numerous takedown requests. Prosecutors are continuing to seek the four men's extradition from New Zealand to the United States to stand trial. All four men have said they're innocent, and have fought the extradition request.

The launch of Mega was meant to signal Dotcom's "cloud storage" second coming, and this time on a clearer legal footing. Indeed, given the FBI's takedown of his previous site, this one appeared to be designed by the company's lawyers to protect the executives from any accusations that they were promoting the illegal sharing of files. Instead, the new service has been pitched as a competitor to Dropbox, Google Drive, and Microsoft SkyDrive, but with added security features. In particular, Mega promised to encrypt all files.

The service also stipulated that only a user who uploaded a file would be allowed to download it. As Mega's terms of service state: "If you allow others to access your data (e.g. by, amongst other things, giving them a link to, and a key to decrypt, that data) ... you are responsible for their actions and omissions while they are using the website and services and you agree to fully indemnify us for any claim, loss, damage, fine, costs (including our legal fees) and other liability if they breach any of these terms."

Last week, Mega -- and Megaupload -- attorney Ira P. Rothken said that in Mega's first 11 days, it had already responded to 150 takedown requests, comprising 250 files, reported Computerworld. Those takedown requests had come from the United States, among other countries. "Mega doesn't want folks to use its cloud storage services for infringing purposes," Rothken said.

Mega-Search.me would seem to make short work of any restrictions on file sharing. But who runs the service? That's not clear. The site uses the top-level domain for the Republic of Montenegro (.me), and was registered about 24 hours after the launch of Mega, but the domain's administrator has been hidden using a domain privacy service based in Denver, Colo., which lists an email at that service as a contact point for the site. The site's owner didn't immediately respond to an email asking if the site was funded or supported in any way by Mega.

Posts made by the site's owner -- or owners -- to Twitter and Facebook this week, however, suggest that Mega-Search.me is an independent venture, and faltering. Notably, the Facebook page for Mega-Search.me reported Thursday morning that "MEGA just deleted all our links without checking their contents." The search engine's administrator posted that he suspected that Mega had begun using a tool to automatically identify all links submitted to the search engine, and then delete the related files from the Mega site.

Another post suggested a possible next step for the search engine. "We are searching for some help with the mega API [written in] PHP. In particular, the decryption part," read one Facebook post (translated from French). In other words, instead of the search engine relying on users to submit links to files they've uploaded to Mega, the site could forcibly index every file on Mega itself.

Needed: One PHP coder with a bent for file sharing.

