France’s “Three Strikes” anti-piracy legislation was derailed last week following a server security breach at Trident Media Guard (TMG), the company which performed the file-sharing network monitoring for the government program. Now, new revelations over flaws in TMG’s security software have surfaced, dealing yet another blow to the program.
Security researchers closely examined the software after last week’s breach and data leak, and found that a port on the server accepted connections without any authentication. Anyone who connected could run a series of commands that would allow malicious executable files to be copied to the server and run there.
Blogger and security researcher Olivier Laurelli told TorrentFreak that the release of an online analysis of the TMG software issues by a group calling themselves “The Cult of the Dead HADOPI” may indicate that the “Three-Strikes” program has already suffered a more serious data breach than has been reported so far.
“If TMG is vulnerable to injection on the system used to provide IP addresses to the HADOPI, the whole process is fu**** up,” Laurelli explained. “Someone could, for example, inject the Culture Ministry’s IP range, or worse, gain access between TMG and HADOPI’s VPN by stealing certificates… then gain access to a huge amount of personal data.”
“For instance we don’t know if this new ‘test server’ leak can compromise the LAN(S) of TMG with this exploit. Opacity is even for HADOPI. That’s why they went to audit TMG’s infrastructure with the CNIL [French Data Protection Office],” he explains.
“Anyway, this new episode shows that HADOPI was right to close their access,” Laurelli says.
Public scrutiny of the “Three-Strikes” program, which was already high, will only grow with these new reports. The French government has yet to indicate whether it will continue the program, but the more security problems that surface, the less likely that looks.