Risk
1/31/2013
12:04 PM
Connect Directly
RSS
E-Mail
50%
50%

Mega Repeat: Search Engine Mimics Dotcom's MegaUpload

Crowdsourced MegaSearch site indexes all files on Mega, allowing users to share uploaded, encrypted content.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
There's a new file-sharing game in town: Mega-Search.me. But unlike dedicated file-sharing sites, this one is just a search engine designed for people to submit links to content that they've already uploaded to the file-storage site Mega.

In other words, thanks to an apparent crowdsourcing twist, the combination of Mega and Mega-Search.me enables people upload, share, or retrieve any file -- just as they did with the disgraced Megaupload. "Already more than 2000 links," claimed a tweet from Mega-Search last week.

Although files uploaded to Mega are encrypted, the decryption key is included in the link to the file that's generated for users. Thus any file URL that's publicly disclosed can be used by anyone else to download and decrypt the stored file. A file-sharing feature is notably absent in the official Mega site, which offers 50GB of cloud storage for free, as well as premium accounts offering more.

[ Read more about the new Mega site: 'Mega' Insecure: Kim Dotcom Defends Rebooted Megaupload Security. ]

Mega launched at 6:48 a.m. New Zealand time on Jan. 20, 2013 -- the precise anniversary of New Zealand police and FBI agents' raid last year of Megaupload founder Kim Dotcom's home and shutdown of all Megaupload servers in the United States.

The Department of Justice have accused Dotcom and three other key company officials of using Megaupload to illegally generate $175 million in profits, while causing $500 million in damage to copyright holders, by condoning and supporting illegal file sharing, in part by ignoring numerous takedown requests. Prosecutors are continuing to seek the four men's extradition from New Zealand to the United States to stand trial. All four men have said they're innocent, and fought the extradition request.

The launch of Mega was meant to signal Dotcom's "cloud storage" second coming, and this time on a more clear legal footing. Indeed, given the FBI's takedown of his previous site, this one appeared to be designed by the company's lawyers to protect the executives from any accusations that they were promoting the illegal sharing of files. Instead, the new service has been pitched as a competitor to Dropbox, Google Drive, and Microsoft SkyDrive, but with added security features. In particular, Mega promised to encrypt all files.

The service also stipulated that only a user who uploaded a file would be allowed to download it. As Mega's terms of service state: "If you allow others to access your data (e.g. by, amongst other things, giving them a link to, and a key to decrypt, that data) ... you are responsible for their actions and omissions while they are using the website and services and you agree to fully indemnify us for any claim, loss, damage, fine, costs (including our legal fees) and other liability if they breach any of these terms."

Last week, Mega -- and Megaupload -- attorney Ira P. Rothken said that in Mega's first 11 days, it had already responded to 150 takedown requests, comprising 250 files, reported Computerworld. Those takedown requests had come from the United States, among other countries. "Mega doesn't want folks to use its cloud storage services for infringing purposes," Rothken said.

Mega-Search.me would seem to make short work of any restrictions on file sharing. But who runs the service? That's not clear. The site uses the top-level domain for Republic of Montenegro (.me), and was registered about 24 hours after the launch of Mega, but the domain's administrator has been hidden using a domain privacy service based in Denver, Colo., which lists an email at that service as a contact point for the site. The site's owner didn't immediately respond to an email asking if the site was funded or supported in any way by Mega.

Posts made by the site's owner -- or owners -- to Twitter and Facebook this week, however, suggest that Mega-Search.me is an independent venture, and faltering. Notably, the Facebook page for Mega-Search.me reported Thursday morning that "MEGA just deleted all our links without checking their contents." The search engine's administrator posted that he suspected that Mega had begun using a tool to automatically identify all links submitted to the search engine, and then delete the related files from the Mega site.

Another post suggested a possible next step for the search engine. "We are searching for some help with the mega API [written in] PHP. In particular, the decryption part," read one Facebook post (translated from French). In other words, instead of the search engine relying on users to submit files they've submitted to Mega, the site could forcibly index every file on Mega itself.

Needed: One PHP coder with a bent for file sharing.

InformationWeek is surveying IT executives on global IT strategies. Upon completion of our survey, you will be eligible to enter a drawing to receive an Apple 32-GB iPad mini. Take our 2013 Global CIO Survey now. Survey ends Feb. 8.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.