14.1 C
Saturday, September 23, 2017
Home Tags Olympic

Tag: Olympic

Says security in danger of being left behind in technology accelerationShanghai, China, June 29: At the Mobile World Congress in Shanghai, network signalling security experts Evolved Intelligence warned that operators racing to deploy 5G services in time for the Winter Olympic games in 2018 were in danger of forgetting the security lessons of the past.Co-Founder and Commercial Director Peter Blackie said that not enough progress had yet been made on securing 5G network signalling. “It... Source: RealWire
Now annual gathering offers IT, security, startups, and more over three days in NOLA.
But we have no idea whether it’s evolutionarily valuable.
“Please don’t jump in, because this would be the last day on my job."
Enlarge / Light reading for a Friday afternoon.reader comments 149 Share this story Shortly after intelligence officials delivered a highly-classified briefing on the Russian government’s alleged interference in US politics to President-elect Donald Trump, the Office of the Director of National Intelligence (ODNI) published an unclassified version of the report. This version outlines the majority of the joint conclusions of the Central Intelligence Agency, National Security Agency, and Federal Bureau of Investigation. While it contains no major new hacking revelations, what is new is its focus on the role of Russia’s state-funded media organization, known as RT, and its international satellite media operations. Ars is still preparing a more thorough analysis of the report and its findings. But the gist of the CIA, NSA, and FBI analysts’ findings is that the Russian Federation’s president, Vladimir Putin, directly ordered intelligence agencies to collect data from the Democratic National Committee, the Hillary Clinton presidential campaign, and other organizations, and he orchestrated an effort to discredit Clinton, the Democratic party, and the US democratic political process through “information operations.” We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgements. In an appendix to the report, the agencies laid out a detailed, publicly-sourced analysis of RT’s alleged propaganda operations, including television programming that promoted the Occupy Wall Street movement and focused on information countering US government domestic and foreign policy. RT, in the agency’s assessment, used coverage of the Occupy Movement to promote the notion that change wasn’t possible within the US democratic system and that only “revolutionary action” could affect real change. The ODNI report mentions Russian TV network RT multiple times, including this anti-fracking segment. The report alleges that this clip was part of a state-sponsored response to “the impact of fracking and US natural gas production on the global energy market.” Russian TV network RT was mentioned many times in terms of being part of an official anti-America propaganda machine. Many of the ideas promoted by RT, such as coverage critical of “fracking” for natural gas in the United States, aligned both with domestic opposition to the US government and with Russia’s own interest in curtailing US development of natural gas and reducing the price of the oil and gas upon which Russia’s economy is highly dependent. The three US agencies found that the Russian government’s effort to affect the US election was “multifaceted;” it included fake hacktivists (Guccifer 2.0 and DCLeaks) pushing stolen data through online dumps and exclusive reveals to journalists; Internet “trolls” reinforcing tailored messages and “fake news” links denigrating Clinton and the Democrats while promoting Trump; and propaganda operations that included collaboration with WikiLeaks—including a “partnership” between WikiLeaks and RT. Putin’s motivations, according to the analysis, included the leak of the Panama Papers—a breach of documents from a Panama-based law firm that set up structures allowing many wealthy people, including members of the Russian government and supporters of Putin, to hide money overseas in secret accounts. “Putin publicly pointed to the Panama Papers disclosure and the Olympic doping scandal as US-directed efforts to defame Russia,” the report notes, which suggests “he sought to use disclosures to discredit the image of the United States and cast it as hypocritical.”
Russia-based hackers are apparently not happy with the attention they've been getting for their Olympic anti-doping agency "conspiracy" leaks.reader comments 43 Share this story This morning, Ars received an odd ask by Twitter direct message: "Hello, we are Fancy Bears' Hack Team.

Are you interested in WADA and USADA confidential documents?" Fancy Bears HT is the front for the hacking operation that spear-phished International Olympic Committee members to gain access to the systems of the World Anti-Doping Agency (WADA).

Those records were leaked—and in some cases, according to WADA officials, modified—in an effort to discredit the Olympics' drug-testing rules.

The leaks were seen by officials as retribution for the bans imposed on Russian athletes after widespread doctoring of drug tests by the Russians at multiple Olympic games was exposed by a WADA investigation. The hack of the United States Anti-Doping Agency (USADA) e-mails was first revealed in October.

A spokesperson for USADA told Ars that the e-mails were probably exposed during the Paralympic Games in Rio de Janeiro, possibly when a scientific advisor to USADA was using public Wi-Fi at the games. The Federal Bureau of Investigations and an outside information security firm are still investigating the breach.

But officials have indicated that, as in the WADA breach, the perpetrators are in some way tied to the group behind part of the network intrusion at the Democratic National Committee and the hacking of e-mail accounts of a number of political figures—including Hillary Clinton's campaign chairman, John Podesta. Those hacks were attributed by security researchers to a group designated by Crowdstrike as "Fancy Bear"—a name the hackers apparently liked so much that they adopted it for their Twitter account name and WADA/USADA leak site. On the other hand, whoever is behind the Fancy Bears Twitter account told Forbes' Thomas Fox-Brewster (who got a similar pitch by DM) that they were not the same Fancy Bear (aka APT28). Nothing in the e-mails leaked from USADA so far is particularly controversial.

The latest batch includes discussions with officials from a number of different countries' anti-doping agencies about contingency plans for what to do if Russian athletes were not banned from the Olympic games as well as preparation for a lawsuit to be filed by USADA and the Canadian Centre for Ethics in Sport against the International Olympic Committee that was never taken forward.

The contents of the e-mails, USADA Communications Manager Ryan Madden told Ars, "just show us doing our jobs." And it's that mundane level of content—and the resulting lack of interest in continued press coverage—that may have prompted Fancy Bears to reach out to Ars and other outlets this morning.

The WADA/USADA leaks are apparently not getting the amount of attention that Fancy Bears feels they deserve, as it offered a lure to write more about them: A transcript of Ars' chat with some Fancy Bears.
Enlarge / Trump denies there's any truth intelligence community claims of Russian interference in the election, claiming it could have been anyone.Chip Somodevilla | Getty Images reader comments 159 Share this story President-elect Donald Trump continues to discount or attempt to discredit reports that the intelligence community has linked the hacking of the DNC, the Hillary Clinton presidential campaign, and related information operations with a Russian effort to prevent Clinton from winning the election—thus assuring Trump's victory. In his latest of a stream of tweets, Trump posted: Unless you catch "hackers" in the act, it is very hard to determine who was doing the hacking. Why wasn't this brought up before election? — Donald J. Trump (@realDonaldTrump) December 12, 2016 The hacking was brought up well before the election. And it was monitored as it was happening—by the intelligence and law enforcement communities and by private information security firms. "CrowdStrike's Falcon endpoint technology did catch the adversaries in the act," said Dmitri Alperovitch, chief technology officer of Crowdstrike. "When the DNC brought us in to conduct an investigation in May 2016, we deployed this technology on every system within DNC's corporate network and were able to watch everything that the adversaries were doing while we were working on a full remediation plan to remove them from the network." Much of the evidence from Crowdstrike and other security researchers has been public since June and July. But while the hackers may have been caught in the act digitally, the details by themselves don't offer definitive proof of the identity of those behind the anti-Clinton hacking campaign. Public details currently don't offer clear insight into the specific intent behind these hacks, either. What is indisputable, however, is the existence of genuine hacking evidence. And this information certainly does provide enough to give the reported intelligence community findings some context. The evidence The FBI warned the DNC of a potential ongoing breach of their network in November of 2015. But the first hard evidence of an attack detected by a non-government agency was a spear-phishing campaign being tracked by Dell SecureWorks. That campaign began to target the DNC, the Clinton campaign, and others in the middle of March 2016, and it ran through mid-April. This campaign was linked to a "threat group" (designated variously as APT28, Sofacy, Strontium, Pawn Storm, and Fancy Bear) that had previously been tied to spear-phishing attacks on military, government, and non-governmental organizations. "[SecureWorks] researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government," the report from SecureWorks concluded. The DNC's information technology team first alerted party officials that there was a potential security problem in late March, but the DNC didn't bring in outside help until May. This is when CrowdStrike's incident response team was brought in. CrowdStrike identified two separate ongoing breaches, as detailed in a June 15, 2016 blog post by CrowdStrike CTO Dmitri Alperovitch. The findings were based both on malware samples found and a monitoring of the breach while it was in progress. One of those attacks, based on the malware and command and control traffic, was attributed to Fancy Bear. The malware deployed by Fancy Bear was a combination of an agent disguised as a Windows driver file (named twain_64.dll) in combination with a network tunneling tool that allowed remote control connections. The other breach, which may have been the breach hinted at by the FBI, was a long-running intrusion by a group previously identified as APT29, also known as The Dukes or Cozy Bear. Cozy Bear ran SeaDaddy (also known as SeaDuke, a backdoor developed in Python and compiled as a Windows executable) as well as a one-line Windows PowerShell command that exploited Microsoft's Windows Management Instrumentation (WMI) system. The exploit allowed attackers to persist in WMI's database and execute based on a schedule. Researchers at Fidelis who were given access to malware samples from the hack confirmed that attribution. In addition to targeting the DNC and the Clinton campaign's Google Apps accounts, the spear-phishing messages connected to the campaign discovered by SecureWorks also went after a number of personal Gmail accounts. It was later discovered that the campaign had compromised the Gmail accounts of Clinton campaign chair John Podesta, former Secretary of State Colin Powell, and a number of other individuals connected to the Clinton campaign and the White House. Many of those e-mails ended up on DC Leaks. The Wikileaks posting of the Podesta e-mails include an e-mail containing the link used to deliver the malware. After Crowdstrike and the DNC revealed the hacks and attributed them to Russian intelligence-connected groups, some of the files taken from the DNC were posted on a website by someone using the name Guccifer 2.0. While the individual claimed to be Romanian, documents in the initial dump from the DNC by Guccifer 2.0 were found to have been edited using a Russian-language version of Word and by someone using a computer named for Felix Dzerzhinsky, founder of the Soviet secret police. (The documents are linked in this article by Ars' Dan Goodin.) In addition to publishing on his or her own WordPress site, Guccifer used the DC Leaks site to provide an early look at new documents to The Smoking Gun using administrative access. The Smoking Gun contacted one of the victims of the breach and confirmed he had been targeted using the same spear-phishing attack used against Podesta. The DC Leaks site also contains a small number of e-mails from state Republican party operatives. Thus far, no national GOP e-mails have been released. (The New York Times reports that intelligence officials claim the Republican National Committee was also penetrated by attackers, but its e-mails were never published.) Attribution and motive There are several factors used to attribute these hacks to someone working on behalf of Russian intelligence. In the case of Fancy Bear, attribution is based on details from a number of assessments by security researchers. These include: Focus of purpose. The methods and malware families used in these campaigns are specifically built for espionage. The targets. A list of previous targets of Fancy Bear malware include: Individuals in Russia and the former Soviet states who may be of intelligence interest Current and former members of NATO states' government and military Western defense contractors and suppliers Journalists and authors Fancy Bear malware was also used in the spear-phishing attack on the International Olympic Committee to gain access to the World Anti Doping Agency's systems. This allowed the group to discredit athletes after many Russian athletes were banned from this year's Summer Games. Long-term investment. The code in malware and tools is regularly and professionally updated and maintained—while maintaining a platform approach. The investment suggests an operation funded to provide long-term data espionage and information warfare capabilities. Language and location. Artifacts in the code indicate it was written by Russian speakers in the same time zone as Moscow and St. Petersburg, according to a FireEye report. These don't necessarily point to Fancy Bear being directly operated by Russian intelligence. Other information operations out of Russia (including the "troll factory" operated out of St. Petersburg to spread disinformation and intimidate people) have had tenuous connections to the government. Scott DePasquale and Michael Daly of the Atlantic Council suggested in an October Politico article that the DNC hack and other information operations surrounding the US presidential campaign may have been the work of "cyber mercenaries"—in essence, outsourcing outfits working as contractors for Russian intelligence. There is also an extremely remote possibility that all of this has been some sort of "false flag" operation by someone else with extremely deep pockets and a political agenda. WikiLeaks' Julian Assange has insisted that the Russian government is not the source of the Podesta and DNC e-mails. That may well be true, and it can still be true even if the Russian government had a hand in directing or funding the operation. But that is all speculation—the only way that the full scope of Russia's involvement in the hacking campaign and other aspects of the information campaign against Clinton (and for Trump) will be known is if the Obama administration publishes conclusive evidence in a form that can be independently analyzed.

Greenford, UK (December 8, 2016) In the wake of Brexit there seems to be an air of gloom hanging over British business – but not at Ultra Electronics.

Based in Greenford, London, the Group continues to supply its products to some of the world’s biggest and most technologically advanced organisations.

Gemini, the world’s first licensed Bitcoin and Ether exchange, chose Ultra’s Hardware Security Module (HSM) to protect its most valuable information despite competition from US and mainland Europe cyber security giants.

The coup for Ultra outlines the significant amount of respect the organisation commands in the world of cyber security.

Gemini, founded and managed by Olympic rowers the Winklevoss brothers, allows clients to trade Bitcoins to USD, Ether to USD and Bitcoins to Ether.

The company is the first of its kind to receive a license from a major regulatory body, receiving its accreditation from the New York State Department of Financial Services (NYSDFS) in 2015.

Cryptocurrencies are fast becoming a more widely respected form of payment, so much so that the city of Zug, a well-known financial hub in Switzerland has started allowing residents to pay for public services with Bitcoins.

Ultra, Gemini and Bitcoin

For such a rapidly expanding business within a field where security is absolutely paramount, Gemini has ensured it recruits security professionals from some of the world’s most distinguished companies.

For a company which has invested so much in security personnel it begs the question, what exactly was it that made them choose the Ultra Electronics’ HSM?

According to Cem Paya, the CSO of Gemini;
“Information security is one of the most important parts of the Gemini business model and ensuring we utilise the most secure HSMs is vital.

There were a number of reasons as to why we chose to work with Ultra Electronics KeyperPlus. Not only did KeyperPlus have a superior key management system, comprehensive security options and Linux support but it also was without any severe vulnerabilities.”

The fact that Gemini chose Ultra Electronics is a positive sign.

Brexit or not – truly innovative companies who can offer unique product solutions will always be desired by the rest of the world. Rob Stubbs, Product Director at Ultra’s Communication & Integrated Systems business, outlines why he believes Gemini selected the KeyperPlus and how the Ultra team will continue to ensure it wins orders from market-leading businesses such as Gemini in the future.

“The success of Bitcoin is critically dependent on the security of exchanges such as Gemini. We have already seen the cyber-theft of Bitcoins from Mt.

Gox, Bitfinex and others totalling over $500m.

Gemini’s decision to use KeyperPlus was based on its own detailed security evaluation as well as the product’s international certification and market reputation so as to provide the upmost security for its clients.

HSMs are an important cyber security tool, and can be used to enhance any security system. KeyperPlus is the only network-attached HSM to incorporate a cryptographic module validated to FIPS 140-2 Level 4 overall, one of the toughest security standards in the world. Ultra’s Keyper™ HSMs have successfully maintained this level for over 15 years, earning them a deserved reputation as the world’s most trusted HSMs.

For example, two generations of Keyper™ HSM have been used by ICANN to protect the security of the global Internet domain name system, upon which the whole world-wide-web ultimately depends.”

Ultra Electronics’ experience and expertise within the cyber-security sector is set to stand both the business and the security of its clients’ valuable information in good stead for the foreseeable future.

If you have any further questions regarding either Ultra Electronics cyber-security capabilities or this article please contact:
Morgan Sellars, Marketing Executive:
Office: 020 8813 4621 – Email - Morgan.Sellars@ultra-cis.com

It’s also important that we highlight the work conducted by our North American partners at Connect IT Solutions Inc.

Their skill and security expertise were invaluable during the design, sale and management phases of this project.

If you have any questions regarding Connect IT Solutions or its services then please contact:
Jasper Rose, Vice President, Cyber Security Division:
Office: 1- 888-246-6350 x 102 Email - jrose@citsus.com Web - www.citsus.com

Cyber defense overall must be prioritized, says Intel Security’s Raj Samani Cybercriminals are spreading into the healthcare sector even though the price per stolen medical record remains lower than for comparable financial account crime. From hospitals becoming victims of hacking attacks to Olympic champions getting their health records leaked by hackers, the health sector has become a major target for cybercrime. The most lucrative cybercrime targeting healthcare industry data is aimed at stealing industrial secrets from pharmaceutical or biotech firms.

There’s a “concerted effort” by cybercriminals to recruit health care industry insiders as accomplices in these thefts.

Efforts to recruit insiders are far from subtle and can brazen online ads and offers sent through social media, according to a new study (PDF) by Intel Security. Intel Security researchers found evidence that formulas for next-generation drugs, drug trial results, and other business confidential information are all of potential interest to hackers turned industrial spies.

Confidential data is stored not only by pharmaceutical companies but with their partners and (sometimes) government regulators. Cybercriminals are taking advantage of the cybercrime-as-a-service market to execute their attacks on healthcare organizations through, for example, the purchase and rental of exploits and exploit kits in order to attack targeted organizations. Doctored records Away from the top end of the scale there’s even a market for the health records of ordinary people.
Stolen medical records are available for sale from $0.03 to $2.42 per record, McAfee Labs reports.

Comparable stolen financial account records are available for around $14.00 to $25.00.

And credit and debit card account data is available for $4.00 to $5.00 per account record. Protected health information could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories.

Easier-to-monetize credit card information commands a greater price on black markets, at least for the immediate future, as Intel Security explains: Upon stealing a cache of medical records, it is likely cybercriminals must analyze the data and perhaps cross-reference it with data from other sources before lucrative fraud, theft, extortion, or blackmail opportunities can be identified.

Financial data, therefore, still presents a faster, more attractive return-on-investment opportunity for cybercriminals. “In one case, a relatively non-technically proficient cyber thief purchased tools to exploit a vulnerable organization, leveraged free technical support to orchestrate his attack, and then extracted more than 1,000 medical records that the service provider said could net him about $15,564, Intel Security reports. Raj Samani, Intel Security’s CTO in EMEA and author of the McAfee Labs’ Health Warning report, said: “Given the growing threat to the industry, breach costs ought to be evaluated ... in terms of time, money, and trust – where lost trust can inflict as much damage upon individuals and organizations as lost funds.” “When a well-developed community of cybercriminals targets a less-prepared industry such as health care, organizations within that industry tend to play catch-up,” Samani continued. “Gaining the upper hand in cybersecurity requires a rejection of conventional paradigms in favor of radical new thinking. Where health care organizations have relied on old playbooks, they must be newly unpredictable. Where they have hoarded information, industry players must become more collaborative. Where they have undervalued cyber defense overall, they must prioritize it.” ®
Fake bear dump.Stewart Butterfield reader comments 5 Share this story A pattern of mischaracterization, misrepresentation, and outright alteration of breached data has emerged in two of the latest headline-grabbing batches of hacked files.
Investigators discovered that recently published data from anti-doping testing at the 2016 Olympics in Rio de Janeiro had been altered by parties connected to a Russia-based hacking group behind the breach, according to a report issued by the World Anti-Doping Agency (WADA) yesterday. The International Olympic Committee (IOC) dump, released by a group calling itself "Fancy Bears," was found by WADA's incident response team to contain altered information. "WADA has determined that not all data released by Fancy Bear (in its PDF documents) accurately reflects [Anti-Doping Administration and Management System (ADAMS)] data," a spokesperson for WADA wrote in a post on the investigation.

The attackers gained access by stealing ADAMS credentials through "spear phishing" e-mails sent to IOC officials who owned the accounts.

The attack was similar to the e-mails sent to DNC and Clinton campaign officials earlier this year. This fits into a pattern tied to recent hacks by "Fancy Bear" and other groups—organizations that researchers and government authorities believe are connected in some way to the Russian intelligence community—being used for misinformation.
Some of the data in the initial Democratic National Committee "dump" by the entity calling themselves Guccifer 2.0 was revealed to have been altered, and that leaked metadata indicated files had been edited by someone who spoke Russian. While the latest "leak" from Guccifer 2.0 allegedly against the Clinton Foundation's network contains no such smoking guns, the metadata does exist and suggest data came from previous "Fancy Bear" breaches at the DNC and other organizations that used the DNC's network. Forensic examination of the Guccifer 2.0 Clinton files specifically suggests the files came from previous breaches of the DNC and Democratic Congressional Campaign Committee (DCCC). Payroll files, expense reports, receipts, and lease documents for Democratic party field offices—as well as scans of checks issued for payment for FOIA requests and vendors—all point to the DCCC, DNC, and some state Democratic Parties.

Files not from the DNC or affiliated organizations came from GMBB (an advertising firm that does work for the Democratic Party), the Federal Election Commission, and the House of Representatives. Some of the more controversial documents in the collection posted directly on the Guccifer 2.0 WordPress blog, including one titled "Master Spreadsheet PAC Contributions," may have been modified before posting.

That file was created and edited once in February 2009.

Based on file metadata, it was pulled off the DCCC server on May 23, 2016.
Anti-doping body WADA says it ain't so Hackers may have doctored athletes’ data prior to leaking it, according to the World Anti-Doping Agency (WADA). The "Fancy Bear" hacking group has been releasing details of athletes' Therapeutic Use Exemptions (TUE*) after breaking into the systems of the fair play enforcement agency, as previously reported. WADA, which acknowledged the breach last month soon after leaked data surfaced on Fancy Bear’s website, said on Wednesday that “not all data released by Fancy Bear (in its PDF documents) accurately reflects ADAMS data” - implying some of the leaked information had been deliberately altered prior to its release. Russia is the prime suspect in the Fancy Bear attacks, thanks in large part to a ban by many sports preventing many Russian athletes from participating in the Rio Olympics. WADA itself has previously blamed a Russian hacking group for the breach, which it further condemned in its latest update. “The criminal activity undertaken by the cyber espionage group, which seeks to undermine the TUE program and the work of WADA and its partners in the protection of clean sport, is a cheap shot at innocent athletes whose personal data has been exposed,” WADA’s statement fumes. Fancy Bear compromised an account in WADA’s Anti-Doping Administration and Management System (ADAMS) created especially for the Rio 2016 Olympic Games.

This hack facilitated access to the medical history of athletes that participated in the games. WADA’s technical and forensic team’s current assessment is that hackers illegally accessed the Rio 2016 ADAMS Account multiple times between 25 August 2016 and 12 September 2016, using credentials obtained through a spear phishing campaign. The broader ADAMS system was not compromised in the attack, according to WADA.
In response to the admitted breach, WADA has tightened its security controls, introduced increased logging as well as hiring FireEye Mandiant to handle incident response. Security watchers have warned of the possibility of hacking attacks that involved data manipulation for several years, and the only real surprise on that front is that the attack affected a sporting rather than a banking organisation. Jason Hart, CTO of data protection at Gemalto, commented: “As the news that data from the WADA hack may have been manipulated shows, business leaders need to realise they are no longer just at risk from data simply being stolen.

As well as exposing gaps in a company’s security, the next frontier for cyber-crime will be data manipulation.

Data is the new oil and the thing most valuable to hackers. “Businesses can make vital decisions based on incorrect or exaggerated information, or data that has been stolen can be altered to change public sentiment regarding a business or individual, which hackers can exploit for personal or financial gain,” Hart said, adding that the fact that a breach can take months to detect further exacerbates the problem. Bootnote *The TUE process allows athlete to obtain approval to use a prescribed prohibited substance or method for the treatment of a legitimate medical condition, such as asthma.
Enlarge / Postal inspectors routinely investigate child pornography cases in the US.Joshua Lot/Getty Images reader comments 27 Share this story "[Rev.

Dr.] Jim [Parkhurst] plays guitar, sings in a symphony chorus, loves to hike, does crossword puzzles, and is an avid reader. He enjoys spoiling his twin nephews on annual trips to our national parks in the west." -Post announcing Parkhurst's new job, January 2015 In 2013, federal agents investigating the child pornography collection of one David S.

Engle—who was later sentenced in Washington state to 25 years in prison—came across a new set of eight images.

The pictures showed five boys, ranging in age from around seven to 15, urinating outdoors, shaving their pubic hair, and posing naked in bathtubs. According to an affidavit from Postal Inspector Maureen O'Sullivan, who helped investigate the images, the photo set was "emerging and being widely distributed and traded by child pornography collectors on a national and international scale." Being new and uncatalogued, the images were forwarded to the National Center for Missing and Exploited Children (NCMEC), which maintains a vast database on prohibited images for use in investigations and image blacklists. While law enforcement generally focuses on finding those who create and/or trade child pornography, a simultaneous effort is made to identify—and if necessary to secure—the victims.

At the federal level, this task is centralized within NCMEC at the Child Victim Identification Program (CVIP)—and this new image set wound up at CVIP accordingly.

The investigation of the pictures, which took three years to complete, opens a rare window into the world of digital detectives who specialize in tracing some of the world's most horrific imagery. An Embassy Suites hotel room—but which one? It turns out that federal agents largely run an investigation the way most of us would: on the public Internet. CVIP took the obvious first step and pulled all the Exchangeable Image File (EXIF) metadata from the photos.

Amazingly, this data had never been scrubbed (even Facebook scrubs EXIF metadata from uploaded photos for security and privacy reasons).

Though the images were not tagged with GPS locations, they did have dates attached.

This would become a crucial clue. Without names and dates, finding the photos' creator would be difficult.

Even if one could identify a particular hotel used in a photo, the huge number of possible dates would make guest check-in registries nearly worthless.

But with a date, identifying a particular hotel might solve the case immediately. To that end, CVIP agents looked through a subset of the pictures that had been taken in a hotel room on August 20, 2010.

Background items suggested a location in Colorado, while the décor of the room hinted at an Embassy Suites hotel.

To find out which hotel, CVIP "compared rooms in the images to online photos of hotel rooms in all of the Embassy Suites in the area." (This sounds like either a Google image search or a careful look at the Embassy Suites website.) The team decided that the location was the Embassy Suites in Denver. The information was sent back to the postal inspectors, who fired off a subpoena to Embassy Suites for everyone registered at a "small subset of the hotel's rooms" on the date in question. However, the registry turned up no clear leads.

The trail went cold. Let me Google that for you In February 2015, CVIP came back to the postal inspectors with new data. Unrelated investigations around the country had turned up additional images from the set, showing the same boys in Western locations, many of them outdoors. James Parkhurst UMC EXIF data revealed that these photos were taken two days earlier than the others, and one additional boy was now pictured. More importantly, "a particular landmark" in the new photos offered a specific location: a cabin within the Antero Hot Springs cabins in Salida, Colorado. In March 2015, the owner of the cabins sent postal inspectors information on guest rentals from the time. On the day the photos there had been taken, the cabin in question had been rented to "James Parkhurst" and three guests. Rather than delving into some super-secret law enforcement database, agents turned to Google and Facebook to ID Parkhurst. Quick searches revealed a 55-year-old man with the same name who lived in Portland and was working as the Executive Director of Camp and Retreat Ministries for the United Methodist Church's Oregon-Idaho Conference. A search of Facebook pages belonging to Parkhurst and his family members showed conversations about trips to national parks—along with names and (non-sexual) photos of the five boys in the prohibited image series. Three of the boys, it turned out, were sons of Parkhurst's cousin.

The other two were twins, both adopted from Vietnam by Parkhurst's brother. The full Facebook This discovery led to an August 2015 search warrant for the Facebook accounts of Parkhurst, the five boys, and their parents.

Cross-referencing the conversations and pictures returned by the social network with the prohibited images and their EXIF data, investigators sketched out specific dates and times during which Parkhurst appeared to be on trips alone with the boys in locations matching those in the prohibited photos. For instance, the earliest photos dated to August 2008, when Parkhurst allegedly took all five boys on a trip to Las Vegas, the Hoover Dam, and Yosemite National Park.

As part of that trip, the group stopped at Travertine Hot Springs and Buckeye Hot Springs.
Inspectors found references to both places on a public website devoted to naturism ("nudity is commonplace").

Another stop, at El Dorado Hot Springs, was listed on a separate site as one of the "best places for nude camping in Arizona." With another prohibited image, investigators used "public search engines" to identify a particular hotel in Mariposa, California.

As confirmation of the location, traveler pictures on a "hotel review website" matched the bathroom amenities and décor in the prohibited photo.
Still more images were identified based on "landmarks that are searchable on Google" or by matching one pond to "an online image of the Olympic Hot Springs in Olympic Park, Washington." Travertine Hot Springs in California. gastondog Revenge of the thumbnail Several of the photos from the set were circulating among child pornography collectors in cropped versions, with the pictures usually altered to remove an adult or to focus attention on the genitals. But the crops didn't hide the original image completely.
Investigators found that several of the image files still held thumbnail versions of the original image. One of these smaller but un-cropped images showed, in O'Sullivan's words, "Parkhurst nude next to [one of the boys]." Secret databases Assembling the case against Parkhurst eventually moved beyond open source information. Law enforcement periodically busts allegedly "legitimate" businesses selling things like "naturist films from around the world" that are actually child pornography. When that happens, investigators seize and archive all sales records for future investigations. For instance, in 2006, postal inspectors and the Los Angeles police raided Insider Video Club, which dealt in "DVDs, VHS tapes, and still images of nude men and boys;" the company's database was then seized.

And in October 2010, Toronto police shut down Azov Films, which specialized in this material, and they sent a copy of the sales database to the US. As part of the Parkhurst investigation, postal inspectors ran his name against these kinds of sales databases—and found hits at both Azov and Insider Video Club. Parkhurst had allegedly ordered Swim Party for $24.95 back in 1997 and Boys in the Mud in 2005 for $45.95.

Each video showed nude young boys and contained "no meaningful dialogue or storyline." Each video had been sent directly to Parkhurst's address. Federal Judge Youlee Yim You. But it was a third "ping" against a sensitive database that appears to have kicked the investigation into urgent mode. Postal inspectors plugged away on the Parkhurst case all the way through to July 2016, when they realized that Parkhurst had ongoing contact with the boys in the images—he had another trip coming up. A law enforcement sensitive database revealed that Parkhurst had booked tickets for himself and one of the boys—a senior in high school living near Chicago—to Greece, Italy, and Sweden.

The trip would begin on August 3. On August 1, Postal Inspector O'Sullivan took a search warrant to Federal Judge Youlee Yim You in Portland, had it signed, and assembled her team.

They raided Parkhurst's home the next morning, one day before the trip. According to O'Sullivan, the search team found some of the prohibited images on "one or more" of Parkhurst's digital devices. Parkhurst then agreed to speak to investigators. He allegedly admitted that he had taken the photos, acknowledged masturbating to at least some of them, but denied that he engaged in sexual activity with the boys. Parkhurst also suggested that his collection of nude images would not "qualify as child pornography." (US child pornography law actually includes a clause banning "lascivious exhibition of the genitals or pubic area" as a way to short-circuit any "but I didn't actually touch them!" defense.) Parkhurst was arrested.

According to the Oregonian, he resigned from his job and surrendered his ministerial credentials a few days later. He was eventually transferred to Denver, where he will stand trial. He had his first court appearance there this week. Creative searching While the Internet has enabled an explosion in child pornography—an issue that was largely under control in the analog era, thanks to the difficulty and expense of finding, creating, printing, and distributing it—it at least makes investigations simpler, too. Even though law enforcement has access to expensive or secret databases, many of the Parkhurst investigation leads were based on EXIF data and publicly available Internet pages.

Google, Facebook, hotel review and naturist websites, online maps, and image searches—it's all grist for the mill. Once a hotel or cabin has been located, once a person has been ID'd on Facebook, once a trip is suspected, then it's time for the subpoena, the warrant, or the secret database. Still, with all of the tech, search, and monitoring tools available to authorities today, one of the most useful investigative skills remains the ability to use the public Internet creatively.