Tuesday, January 31, 2006

January's Security Streams

It's been quite a busy month, still I've managed to keep my blog up to date with over 30 posts during January, here they are with short summaries. Thanks for the comments folks!

I often get the question, how many people is my blog attracting, the answer is quantity doesn't matter, but the quality of the visits, still, for January there were 7,562 unique visits and over 13,000 pageloads. I'm already counting over 400 .mil sub domains, have the majority of security/AV vendors(hi!) reading it, and the best is how long they spend on average, and how often they come back. To sum up, 60% of all visits come from direct bookmark of my blog, 30% through referers, and 10% from search engines. It is also worth mentioning my last referring link, notice the domain and what they are interested in.

1. What's the potential of the IM security market? Symantec thinks big" gives a brief overview of the wise acquisition Symantec did and a little something the IM security market.

2. "Keep your friends close, your intelligence buddies closer!" mentioning the release of a book excerpt and provides further resources on various NSA and intelligence related topics

3. "Security quotes : a FSB (successor to the KGB) analyst on Google Earth" is Google Earth or satellite imagery a national security threat? At least the Russian FSB thinks so!

4. "How to secure the Internet" discusses the U.S National Strategy to Secure Cyberspace and some thoughts on the topic

5. "Malware - Future Trends" the original announcement for the release of my research

6. "Watch out your Wallets!" gives more info on ID theft and talks about a case that left a 22 years old student in debt of $412,000

7. "Would we ever witness the end of plain text communications?" a released report on the growth of VPNs prompted me to open up the topic, recently, Yahoo! communicate over SSL by default which is a great progress from my point of view

8. "Why we cannot measure the real cost of cybercrime?" an in-depth summary of my thoughts on why we cannot measure the real cost of cybercrime, and why I doubt the costs outpace those due to drug smuggling

9. "The never-ending "cookie debate" tries to emphasize on how the Cookie Monster should worry about cookies only, and what else to keep in mind concerning further techniques that somehow invade your privacy

10. "The hidden internet economy" here I argue on what would the total E-commerce revenues be given those afraid to purchase over the Internet actually start doing it.

11. "Security threats to consider when doing E-Banking" provides a link to practical research conducted by a dude I happen to know :)

12. "Insecure Irony" is indeed an ironical event, namely how a private enterprise, one used to gather intelligence actually lost sensitive info belonging to the Intelligence Community

13. "Future Trends of Malware" the post mentioning my Slashdotted research and the rest of the people and respected sites that recognized it

14. "To report, or not to report?" how can you measure costs when the majority of companies aren't even reporting the breaches, cannot define a breach, or think certain breaches don't require law enforcement intervention?

15. "Anonymity or Privacy on the Internet?" argues on what exactly different individuals are trying to achieve, is it Anonymity, is it Privacy and provides further resources on the topic

16. "What are botnet herds up to?" gives a brief overview of recent botnet herds' activities the ways used to increase the revenues through affiliate networks, or domaining. It also provides good resources on the topic of Bots and Botnets

17. "China - the biggest black spot on the Internet’s map" a very recent and resourceful overview of Internet Censorship in China, that also provides further resources on the topic

18. "FBI's 2005 Computer Crime Survey - what's to consider?" one day after the release of the FBI's survey I summarized the key points to keep in mind

19. "Why relying on virus signatures simply doesn't work anymore?" a very practical post that argues and tries to build more awareness on how the number of signatures detected by a vendor doesn't actually matter, still there are other solutions that will get more attention with the time. I received a lot of feedback on this, both vendors and from folks I met through my blog, thanks for the ideas!!

20. "2006 = 1984?" gives more details on private sector companies innovating in the wrong field, and further resources on censorship and surveillance practices

21. "Cyberterrorism - recent developments" an extended overview of Cyberterrorism, and a lot of facts worth mentioning obtained through a recently released report on the topic

22. "Still worry about your search history and BigBrother?" Some humor, be it even a black one is always useful

23. "Homebrew Hacking, bring your Nintendo DS!" Homebrew hacking is slowly emerging and I see a lot of potential in the "do it yourself culture"

24. "Visualization, Intelligence and the Starlight project" a post worth checkin' out, it provides an overview of various visualization technologies and talks about the Starlight project

25. "The Feds, Google, MSN's reaction, and how you got "bigbrothered"?" I'm not coining new terms here, "bigbrothered" is slowly starting to be used be pretty much everyone, yet I try to give practical tips on why the whole idea was wrong from the very beginning, and how other distribution vectors should also be considered

26. "Personal Data Security Breaches - 2000/2005" I came across a great report summarizing the issue, and tried to highlight the cases worth mentioning, some are funny, others are unacceptable

27. "Skype to control botnets?!" good someone is brainstoring, but that's rather unpractical compared to common sense approaches botnet herders currently use

28. "Security Interviews 2004/2005 - Part 1" Grab a beer and start going through this great contribution, soon to appear at Astalavista itself!

29. "Security Interviews 2004/2005 - Part 2" Part 2

30. "Security Interviews 2004/2005 - Part 3" and Part 3

31. "Twisted Reality" Everything is not always as it seems, and it's Google I have in mind :(

32. "How we all get 0wn3d by Nature at the bottom line?" :)

33. "Was the WMF vulnerability purchased/sold for $4000?!" among the few vendors I actually trust released a nice summary no one seems to be taking into consideration, still I find it truly realistic given the potential of the 0day market for software vulnerabilities

Till next month, and thanks to all readers for taking their time to go through my research and contributions!

Technorati tags :
,

Monday, January 30, 2006

Was the WMF vulnerability purchased for $4000?!

Going through Kaspersky's latest summary of Malware - Evolution, October - December 2005, I came across a research finding that would definitely go under the news radar, as always, and while The Hackers seem to be more elite than the folks that actually found the vulnerability I think the issue itself deserves more attention related to the future development of a market for 0day vulnerabilities.

Concerning the WMF vulnerability, it states :

"It seems most likely that the vulnerability was detected by an unnamed person around 1st December 2005, give or take a few days. It took a few days for the exploit enabling random code to be executed on the victim machine to be developed. Around the middle of December, this exploit could be bought from a number of specialized sites. It seems that two or three competing hacker groups from Russian were selling this exploit for $4,000. Interestingly, the groups don't seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/ spyware business, and it seems likely that this was how the exploit became public."

Two months ago, I had a chat with David Endler, director of Security Research at TippingPoint, and their ZeroDayInitiative, that is an alternative to iDefense's efforts to provide money as a incentive for quality vulnerabilities submissions. The fact that a week or so later, the first vulnerability appeared on Ebay felt "good" mainly because what I was long envisioning actually happened - motivated by the already offered financial rewards, a researcher decided to get higher publicity, thus better bids. I never stopped thinking on who gains, or who should actually gain, the vendor, the end user, the Internet as a whole, or I'm just being a moralist in here as always?

This very whole concept seemed flawed from the very beginning to me, and while you wish you could permanently employ every great researcher you ever came across to, on demand HR and where necessary seems to work just fine. But starting with money as an incentive is a moral game where "better propositions" under different situations could also be taken into consideration. Researchers will always have what to report, and once ego, reputation and publicity are by default, it comes to the bottom line - the hard cash, not "who'll pay more for my research?", but "who values my research most of everyone else?". And when it comes to money, I feel it's quite common sense to conclude that the underground, have plenty of it. I am not saying that a respected researcher will sell his/her research to a illegal party, but the a company's most serious competitors are not its current, but the emerging ones, I feel quite a lot of not so publicly known folks have a lot to contribute..

Possible scenarios on future vulnerability purchasing trends might be :

- what if vendors start offering rewards ($ at the bottom line) for responsibly reported vulnerabilities to eliminate the need of intermediaries at all, and are the current intermediaries doing an important role of centralizing such purchases? I think the Full Disclosure movement, both conscious or subconscious :) is rather active, and would continue to be. Now, what if Microsoft breaks the rules and opens up its deep pocketed coat?

- how is the 0day status of a purchased vulnerability measured today? My point is, what if the WMF vulnerability was used to "nail down" targeted corporate customers, or even the British government as it actually happened , and this went totally unnoticed due to the lack of mass outbreaks, but the author sort of cashed twice, by selling the though to be 0day to iDefense, or ZeroDay's Initiative? What if?

- requested vulnerabilities are the worst case scenario I could think of at the moment. Why bother and always get excited about an IE vulnerability, when you know person/company X are running Y AV scanner, use X1 browser as a security through obscurity measure. That's sort of reverse model compared to current one where researchers "push" their findings, what if it turns into a "pull" approach, "I am interested in purchasing vulnerabilities affecting that version of that software", would this become common, and how realistic is it at the bottom line?

Some buddies often ask me, why do I always brainstorm on the worst case scenario? I don't actually, but try to brainstorm on the key factors and how the current situation would inevitably influence the future. And while I'm not Forrester Research, I don't charge hefty sums for 10 pages report on the threats posed by two-factor authentication or e-banking, do I? Still, I'm right on quite some occasions..

At the bottom line, ensure $ isn't the only incentive a researcher is getting, and don't treat them like they are all the same, because they aren't, instead sense what matters mostly to the individual and go beyond the financial incentive, or you'll lose in the long term.

What are you thoughts on purchasing vulnerabilities as far as the long term is concerned? What is the most effective compared to the current approaches way of dealing with 0day vulnerabilities? Might a researcher sell his findings to the underground given he knows where to do it? What do you think?

How we all get 0wn3d by Nature at the bottom line?

I just came across a clip courtesy of NASA that can be described as a beautiful devastation, still it reminds me of how insecure we are at the bottom line. And no, I don't see how you will distribute a signature for this, or can you? :)

Technorati tags :
,

Twisted Reality

I looked up the definition of Evil today, and I found it, I tried to play a Google War and came across 256 million occurrences of it, still there's a hope for all of us I guess. On the 17th of January I blogged on how China turned into the biggest black spot on the Internet's map, to find out that I even have activists commenting in my blog :)

Google has agreed to "remove certain sensitive information from our search results" you all know it by now, what you perhaps don't know is how what used to be the old Google still has its marks on the web. Google's Information for Webmasters still states that :

"Google views the comprehensiveness of our search results as an extremely important priority. We're committed to providing thorough and unbiased search results for our users."

I guess Chinese users should print this and stick it on their walls to remind them of the past as it says exactly the same. They have also removed their "censored notice" from "older removals", how come, and for what reason? Lack of accountability for when "local laws, regulations, or policies" were removing "sensitive information" before the date?! Google is my benchmark for disruption, but I guess its actions and "do no evil" motto were simply too pure for the business world, which on the majority of occasions is capable of destroying morale, even individuals..

Welcome in a "Twisted Reality" where one event looks like an entirely different one - on request, and the list is getting bigger!

But what is actually filtered in china these days, what are the topics of interest? Four years ago, a great initiative brough more insights into what's deemed "sensitive information", and while of course the list is changed on-the-fly, it is important to know how it blocks the top results, as this is where all the traffic goes.

Recently, CNET did a nice research on which sites are blocked by which search engine, I ever saw Neworder in there :)

The best thing about China's backbone is how centralized it really is and the way researchers are finding common censorship patters that could prove useful for future research. Is TOR with its potential applicable in China, and would initiatives such as the the Anonymous OS, or even TorPark, an USB extension of the idea, the future?

Meanwhile, in case they are interested parties reading this post, consider taking a look at the "Handbook for Bloggers and Cyber-Dissidents" courtesy of Reporters Without Borders.

Technorati tags :
, , , , , ,

Thursday, January 26, 2006

Skype to control botnets?!

I just read an article from CNET on how "Skype could provide botnet controls", with which I totally disagree. Skype and VoIP communications can actually provide botner herders with the opportunity to communicate, compared to acting as a platform for malicious attacks. And old fashioned DDoS attacks the way we know them work damn well as a concept. Years ago, quite some :) linux boxes worming was on the rise the Honeynet Project was conducting outstanding research to build awareness on this fact. These days, with the penetration of broadband, and the thousands of users with ISP like bandwidth make the need to look for bandwidht irrelevant. Instead of breaching into core routers and looking for bandwidth, that DDoS attack power is gathered through the collective breaching of thousands of hundreds unprotected, unaware or naive end users. Botnet communications are evolving each time a new disrupting technology pops up, on the other hand, botnet herders are having trouble in finding out the exact number of their botnet due to lack of server capacity, and as I've once mentioned in my Malware - future trends research, encryption seems to be the logical move. And the trade off would eventually be the delays of communication given the size of the botnet and the encryption approaches of course. Bots that lack the weakness of idleness on public IRC servers are already "talking" and trying to act as legit as possible, my point is that the bigger a botnet gets, the harder is to maintain it, that's logical, and it's good news for everyone, until someone standardize a possible communication protocol. Scary thoughts, but a simple botnet/malware communication protocol could for instance cause a lot of troubles for everyone. Is centralization of botnets a good thing for the industry in respect to tracking them, and how would things evolve? Skype is totally out of the question from my point of view, or is it not?

Some nice insights on botnet communications can be found at :

The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets

Technorati tags :
,,,,

Personal Data Security Breaches - 2000/2005

Another invaluable CRS report that I came across to, including detailed samples of all the data security breaches in between 2000 and 2005(excluding the ones not reported or still undergoing of course), covering :

- The accident
- Data publicized
- Who was affected
- Number of affected
- Type of data compromised
- Source of the info

Here are some cases worth mentioning as well :

1. Indiana University - malicious software programs installed on business instructor’s computer, November, 2005
2. University of Tennessee -inadvertent posting of names and Social Security numbers to Internet listserv, October, 2005
3. Miami University (Ohio) - report containing SSNs and grades of more than 20,000 students has been accessible via the Internet since 2002, September, 2005
4. Kent State University - five desktop computers stolen from campus, 100,000 people affected, September, 2005
5. University of Connecticut -hacking - rootkit (collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network)placed on server on October 26,2003, but not detected until July 20, 2005

Quite a huge number of exposed people, and 20% of the problem represents lost or stolen laptops or tapes, the rest is direct hacking of course. It's impressive how easy is to get access to sensitive, both personal and financial information though what is already stored somewhere else in a huge and plain-text database for sure. And that simply shouldn't be allowed to happen, or at least someone has to be held accountable for not taking care of the confidentiality of the information stored.

Technorati tags :
,,,,

Tuesday, January 24, 2006

The Feds, Google, MSN's reaction, and how you got "bigbrothered"?

There's still a lot of buzz going on, concerning which search engine provided what type of data to law enforcement officials, and the echo effect of this event resulted in waves of angry end users, that among feeling "bigbrothered", now have yet another reason to switch back to Google, simple. MSN's silent reaction to this is the worst thing they could do given how actively they're trying to catch-up on search traffic. What did they provide anyway?

"Specifically, we produced a random sample of pages from our index and some aggregated query logs that listed queries and how often they occurred. Absolutely no personal data was involved. With this data you :

CAN see how frequently some query terms occurred
CANNOT look up an IP and see what they queried
CANNOT look for users who queried for both “TERM A” and “TERM B”

So picture, the following, "someone" requests his name, his friends' names, physical locations giving clues on possible area and while it isn't personal information(exact names, address etc.) it is personally identifiable one! If it happens once, it would become a habit, my point is that aggregating search info on ECHELON's wordlist is so realistic that you need a company to say NO, and evaluate the reactions of the others. The best thing is that I'm sure the majority of adult entertainment seekers don't need to take advantage of Echelon's Trigger Words Generator :)

Why you don't need to issue a subpoena to find out what's hot in the online porn world?

- take Google's advice into consideration, or start using Overture's keyword selector tool
- now ensure you have the most popular porn related keywords, and if in doubt, consult with an "insider" who would be definitely aware of what's hot, and who's to keep in mind
- use the first 20 pages from each popular search for your sample, these get the majority of traffic
- do a little research over Alexa to further back up your statements, and even use Google to measure the relative popularity of the first site that pop ups when you search for porn.
- ensure you have first consulted with traffic aggregators or paid reports on who's who online
- make sure before going online, another distribution vector so to say, the iPod is taken care of
- envision what's to come in the future, and mostly the interest and the social implications of these issues
- now, come up with ways to restrict children from using these going beyond the usual "But of course I'm over 21 years old" terms of use

What's to come up in the future? In one of my previous posts "Still worry about your search history and BigBrother?" I pointed out the possibilities for Search engines regulation and P3P, but the current self regulation is simply not working anymore.

Further resources on the topic can be found at :

Lorrie Cranor's Searching for Privacy : Design and Implementation of a P3P-Enabled Search Engine
PrivacyBird
An Analysis of P3P-Enabled Web Sites among Top-20 Search Results
Protecting Your Search Privacy: A Flowchart To Tracks You Leave Behind
Using search engines data, Google and forensics - clip

Technorati tags :
,,,,,

Image originally uploaded at Flickr by villoks

Monday, January 23, 2006

Visualization, Intelligence and the Starlight project

Today, I came across a stunning collection of complex networks visualizations, that reminded of how we must first learn to visualize and than go deeper into VR. Until, I first visited this project, the Atlas of Cyberspace was perhaps my favourite visualization resource, rather outdated, still has a lot to show. Visualization is important for today's greatly developed knowledge networks, data mining, and even information security or basic network management issues. But at the bottom line, who always has the best toys, or at least develops them? The academic world? Sort of, except that they need the private sector to go public, so that leaves the U.S military in my point of view :) and they sure do.


The Starlight - Information Visualization Technology is simply a remarkable concept that these folks actually turned into a reality. It uses both structured, unstructured, spatial and multimedia data and provides real-time output, and if you also consider that the project is reportedly down several years ago, for me it opens up the question, who's the successor?

It's national security applications and the syndication of data sources are so clearly visible, that reducing paper-work, platform dependence, information sharing, and perhaps not another Able Danger scenario(if one actually happened!) is the biggest advantage of such a project.


Going back to the "reality"(yeah sure!), in case you've never seen ChicagoCrimes, the free database of crimes reported in Chicago, it's yet another great initiative that again visualizes based on reports and Google Maps, and you don't need a security clearance to use it :) What's else to mention, is CNET's introduction of "The Big Picture" in cooperation with Liveplasma.com of course, clearly, the waves of information flow must be somehow filtered and there's a clear, both, commercial, public and intelligence need for it. Even VR investments are actively taking place, a lot's to come for sure!

Some concepts and clips on visualization :

TouchGraph Google Browser
Real-Time and Forensic Network Data Analysis Using Animated and Coordinated Visualization
F-Secure's visualization of the 1st PC virus, and W32.Bagle, and you can actually see the clip itself.
Visualization study the U.S - clip

Technoratai tags :
,,,,,,

Homebrew Hacking, bring your Nintendo DS!

Yesterday, Engadget reported about a "WiFi sniffer" that turns your Nintendo DS, into a wardriving tool and while it lacks certain features, it can still prove "handy", even fuel further security concerns over this steadily developing trend of homebrew hacking experiments. Removable media is a problem, but would gaming devices turn into a security threat as well? They can sure result in more malware, and this trend, among the many other, made me an impression in respect to the need of interoperability in the upcoming future.

Technorati tags :
,,,,,

Still worry about your search history and BigBrother?

The Patriot Search, recently started "helping" any government by making your search activity "public". Its search syntax terrorist:true *keyword*, and terrorist:false *keyword*, gives everyone the opportunity to be honest :) Why did the idea start at the first place? Because "only 4 out of 5 search engines allowed the government to see "private" user data". Though, a distinction between private searches VS personally identifiable searches should be made as well.

What's going to happen in the future? Search engines regulation, P3P, or stock market losses due to an initiative whose requirements I feel were totally wrong from the very beginning?

Consider going though David Berlind's comments as well!

Technorati tags :
,,,

Cyberterrorism - recent developments

I've once blogged about why you shouldn't stereotype when it comes to Cyberterrorism, and going through the most recent and well researched report on"Terrorism Capabilities for Cyberattack : Overview and Policy Issues"I came across great similarities to what I posted. I think cyberterrorism shouldn't be just perceived as shutting down a stock exchange, or slowing it down, the irony here is that it could actually happen for "good" on a certain occasions :)


Going back to the report, it's a very recent overview of cyberterrorism, and the way it's perceived. Flawed or not I'll leave up to you to decide. What made me an impression anyway?

- CIA's 2005 "Silent Horizon" to practice defending against a simulated widespread cyberattack directed against the United States. I really don't think frontal attack are of any interest, or are they?

- Stolen credit cards were used in the terrorist attacks in Bali. There have also been other cases, of exactly the same, using cyber activities for funding real world crime and terrorism.

- How sensitive information on a future Army command and control system was stolen from an unclassified system by at least reportedly, Chinese hackers. Unclasiffied doesn't necessarily mean someone wasn't having a false sense of security on a .mil domain I guess.

- The U.S Elite Military Hacking Crew, the so called Joint Functional Component Command for Network Warfare (JFCCNW) I feel every military forces have or should have these.

The report also highlights that the Internet is now a prime recruiting tool for insurgents in Iraq. Insurgents have created many Arabic-language Web sites that are said to contain coded plans for new attacks. Some reportedly give advice on how to build and operate weapons, and how to pass through border checkpoints .

- Other news articles report that a younger generation of terrorists and extremists, such as those behind the July 2005 bombings in London, are learning new technical skills to help them avoid detection by law enforcement computer technology

Which is exactly what I've mentioned in my post on Cyberterrorism. I feel, communication, and coordination, besides research is the ultimate goal here.

The only thing that make made me sort of a bad impression was how the only major innovation mentioned is quantum cryptography, and steganography mentioned just twice. I think that this isn't entirely the case, and breaking cryptography doesn't necessarily have to come in form of directly attacking the algorithm itself. That happens to be impossible sometimes, but the first time when I came across the fact that the AU government can use spyware on criminals with the idea too obtain keys, or whatsoever, it makes such issues irrelevant.

On the other hand, the way the Internet provides "them" with more opportunities, the more their traceability improves, or at least give clues to a certain extend.

Technorati tags :
,,,,

2006 = 1984?

I recently came across great, and very informative slides on current, and future trends of surveillance technologies that simply stick to the point, as any good slides so to say. "From Target Market to Total Surveillance" is courtesy of the The Special Interest Group for Military Applications (SIGMil) at the University of Illinois, and is among the many talks and quality projects they have running.

"The Survey of Orwellian Technologies" outlines the current situation of privacy invassion and who's who on the market for censorship solutions.

For instance it correctly states that :

- Cisco built the Great Firewall at discount to corner router market

-Video and telephone surveillance networks

-Buying habits and physical location history

-Net access history, web posts and email

Nortel, developed network traffic analysis system dedicated to catching political opposition (Falun Gong)

Motorola, competed with Nokia to provide location tracking

Microsoft, censors words in blog software

Yahoo, actively collaborates in tracking state political opponents via their email, search and chat usage

Google, censors prohibited sites/queries from search– Alters news results to favor nationalized news(Still, Google recently declined the request for access for its databases, compared to the rest of search engines, Yahoo!, MSN)

The worst in this case, from my point of viewis the experience gained by the companies, inthe wrong direction..

I once mentioned how businesses don't have a business choice but to comply, the thing is now the Western media has already started seeking accountability and higher levels of moral.

Basically, profitability shouldn't be an objective,when encouraging the further development of such "regimes". I guess, I still don't have a content filtering agreement with the Chinese government, but I don't even want to..:)

The entire idea of censorship in here is to avoid events in direct confrontation with current "reality", and I think the it isn't wise, keeping it quiet is even worse. The bad thing is that even IBM used to do "business" with the wrong party I guess . What is greed and profit maximization, what is business and morale? Words we remember on Xmas's day for sure!

More info on the topic can also be found at :

International Campaign Against Mass Surveillance

Balancing surveillance

Justifying the cost of digital video surveillance

Protecting Personal Data in Camera Surveillance

Society-and-Surveillance study journal

Technorati tags :

,,,,,

Thursday, January 19, 2006

Why relying on virus signatures simply doesn't work anymore?

As a fan of VirusTotal and Norman's Sandbox being always handy when making analyses or conclusions, and me looking for metrics and data to base my judgements on, besides experience, I feel their "Failures in Detection" of VT deserve more attention then they it's actually getting. With over 14, 000 files submitted on a weekly basis, where most of them are supposedly 0day malicious software, it's a great resource to consider. Using these scanners for the basis of its service (saw yours?!), it is still able to conclude the plain truth - signature based anti virus protection is having deep troubles as a concept these days. Moreover, vendors covering or enjoying monopolistic competition in specific geographical regions, without having the necessary AV expertise is something that is actually happening. So what made me an impression?

Failures in Detection (Last 7 days)

- 14, 016 failures that is, infected files not detected by at least one antivirus engine
- 372 samples detected by all vendors

What's important to note here is that, response time towards a new piece of malware in the wild is crucial as always. But that's great when it's actually achieved. The independent folks at Av-test.org, have featured a very nice Excel sheet on the "Reaction Times of the latest MS05-039-based Worm Attacks"(2005-08-22) so you can take a look for yourself. And as I've once mentioned my opinion on the growing possibility of 0day malware on demand, proactive measures would hopefully get the attention of vendors. Some folks are going as high as stating that AV scanners and AV defense as a concept will eventually end up as product line extension of a security appliance? Though, I feel you will never be able to license a core competency of a vendor that's been there before the concept of DDoS started getting public! And obviously, the number of signatures detected by them doesn't play a major role like it used years ago. Today's competitive factors have to do with, but not only of course :

Heuristic
Policy-Based Security
IPS (Intrusion Prevention Systems)
Behaviour Blockers
Protection against Buffer Overruns

I also advise you to go though a well written research on the topic of Proactive Antivirus protection, as it highlights the issues to keep in mind in respect to each of these. Is client side sandboxing an alternative as well, could and would a customer agree to act as a sandbox compared to the current(if any!) contribution of forwarding a suspicious sample? Would v2.0 constitute of a collective automated web petrol in a PC's "spare time"? How sound is this and the other concepts in terms of usability and deployment on a large scale?

Signatures are always a necessary evil as I like to say, ensure that at least your anti virus software vendor is not a newly born company with a modest honeyfarm and starting to perceive itself as a vendor, vendor of what? Solutions or signatures?!

Don't get me wrong, my intention behind this post was to make you think, as a customer or decion-maker on the approaches your current vendor uses, and how to make better decisions. At the bottom line, it's still a vendor's sensor network or client side submissions, even exchange of data between them, that provides the fastest response to *known* malware!

Technorati tags :
,,,,,

FBI's 2005 Computer Crime Survey - what's to consider?

Yesterday, the FBI has released their Annual 2005 Computer Crime Survey, and while I bet many other comments will also follow, I have decided to comment on it the way I've been commenting on the U.S 2004’s "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" in previous posts. This one is compiled based on the 24, 000 participating organizations from 430 cities within the U.S, so look for the averages where possible :)

What are the key summary points, and what you should keep in mind?

- Attacks are on the rise, as always

That's greatly anticipated given the ever growing Internet penetration and the number of new users whose bandwidth power is reaching levels of a middle sized ISP. Taking into consideration the corporate migration towards IP based business infrastructure, and even the military's interest in that, it results in quite a lot of both, visible/invisible targets. My point is that, to a certain extend a new Internet user is exposed to a variety of events that are always static in terms of security breaches, or was it like that several years ago? Less 0day's, lack of client side vulnerabilities(browsers) the way we are seeing it today, and cookies compared to spyware were the "worst" that could happen to you. Things have changed, but malware is still on the top of every survey/research you would come across.

- The threat from within

Insiders dominate the corporate threatscape as always, and the average financial losses due to "Laptop/Desktop/PDA Theft", act as an indicator for intellectual or sensitive property theft that is actively quantified to a certain extend, though it is still mentioned in a separate section. As far as insiders and the responses given in here, "the threat you're currently not aware of, is the threat actually happening" to quote a McAfee's ad I recently came across to. Especially in respect to insiders.

- To report or not to report?

According to the survey "Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response. And 81% said they'd report future incidents to the FBI or other law enforcement agencies."

The key point here is the lack of understanding of what a threat is, or perhaps what exactly should be reported, or why bother at all? And given that out of the 9% reporting 91% are satisfied I can simply say that, "If you don't take care of your destiny, someone else will".

Overall, you should consider that the lack of quality statistics is the result of both, the "stick to the big picture" research and survey approaches, or because of companies not interested/understanding what a security threat worth reporting actually is? I greatly feel the industry and the Internet as a whole is in need of a commonly accepted approach, and while such exist, someone has to perhaps communicate them in a more effective way. Broad and unstructured definitions of security, result in a great deal of insecurities to a certain extend, or have the potential to, doesn't they?

- Who's attacking them?

Their homeland's infrastructure and the Chinese one, as the top attacks originally came from " The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading", and yes, Russia "of course". Though, you should keep in mind that whenever someone sparkles a debate on certain country's netblocks attacking another country's one, it's always questionable.

- What measures are actually taken?

Besides actively investing in further solutions, and re-evaluating their current measures, what made me an impression as worth mentioning is :
- patching, whether the patch comes from a third-party or the vendor itself is something else, yes it's the reactive measure that could indeed eliminate "known" vulnerabilities, yet it's proactive approaches companies should aim at achieving

- keeping it quiet, as you can see the 3rd measure taken is to actually not report what has happened, wrong, both in respect to the actual state of security, and the potential consequences in case a sensitive info breach occurred and customers did the job of reporting and linking it.

- tracing back? I think it's a bit unrealistic in today's botnets dominated Internet, namely an enterprise might find out that some of its external port scans are coming from internal infected PCs. When attacked you always want to know where the hell is it coming from, and who's involved, and while entirely based on the attackers techniques put in place, I feel that close cooperation with ISPs in reporting the infected nodes should get the priority compared to tracing the attacks back. That greatly depends on the attack, its severity, and traceability of course.

To sum up, the bottom line is that, antivirus software and perimeter based defenses dominate the perception of security as always, companies are actively investing in security and would continue to do so. It's a very recent survey for you to use, or brainstorm on!

Technorati tags :
,,,,

Tuesday, January 17, 2006

China - the biggest black spot on the Internet’s map

Chinese Internet users have the potential to outpace the number of the U.S Internet population, yet, the majority of them still remain behind the most sophisticated online censorship systems in the world, the Great Chinese Firewall. I am definitely not buying into the idea of trying to take control of all the information coming in and going out of a country for the sake of my well being, as any individual has the right to decide what's good and bad for them. If I, for instance knew there's a virus on the streets of my city, I would take immediate precautions, or at least, see how "my" government reacts on the crisis. Yet, how responsible, moral, or legal according to international human rights standards is to prosecute users who have been spreading the news about the SARS virus from within the Great Firewall is perhaps another point.

Isn’t central planning the panacea of Communism, be it, old-school or modern(an excuse for the old-school) one, and isn’t the obvious fact that the government cannot, but wants to play God, an utopia by itself? It is disturbing how business ethics surpass moral ones for the sake of business continuity, so to say. Though, efforts are made to break the ice, until a collective campaign is not started I doubt anything will change. For the time being, what they don't like, they either hijack(forward to another site), or completely restrict.

With over 100,000 cybercafes, and 30,000 state police enforcing policies on the Internet, the Chinese government is trying to estaliblish a very effective self-censorship atmosphere, namely, prosecuting those somehow violating it. The idea is to, of course, cut the costs of their censorship efforts.

U.S companies don’t have a business choice, but to comply in case they are interested in taking advantages of the business opportunities in the country.

Activists have been expressing their attitude towards assistance like that, while I feel the majority of business leaders still don't have the incentive to take action, besides the human moral obligations, ones that are often neglected when doing business. Sad, but true :)

For me, it's not businesses complying with local laws that bothers me, but the playground for the these vendors that’s fuelling innovation in the wrong direction. That very same innovation is later on to used on Western countries or pretty much anywhere around the world. For the time being, China is still winning against the Web, and the term cyberdissident is getting rather common. For instance, the recently started Cryptome.cn, pointed out a great link to the actual known number of Chinese actions against journalists. That's disturbing.

One of the most resourceful and timely research currently available is ONI's Internet Filtering in China in 2004-2005 : A Country Study. Interested in finding out whether a certain sites is currently blocked in China? Check the Real-Time Testing of Internet Filtering in China, courtesy of Harvard Law School, whose Empirical Analysis of Internet Filtering in China still gives an overview of the situation and what's to consider.

Further research and opinions on the topic can be found at :

Internet Development and Information Control in the People’s Republic of China
Internet censorship in mainland China
The Internet in China: Civilian and Military Uses
Internet in China: Big Mama is Watching You
Internet Filtering in China
The limits of Internet filtering : A moral case for the maximization of information access over the Internet
Controlling Online Information: Censorship & Cultural Protection
Tools for Censorship Resistance
The Filtering Matrix
Tor: An anonymous Internet communication system

Technorati tags :
,,,,

What are botnet herds up to?

Johannes B. Ullrich, with whom I had a chat once, did a great post providing us with real-life botnet herds "know how" or the lack of such. And while I agree that these are newbies, they are exploiting another growing trend. The vertical markers Johannes mentions are the result of abusing the affiliate networks themselves. Though, how can an affiliate network distinguish traffic coming from botnets, should it count it as malicious one, can they somehow link everything and see the entire picture? They sure can, but as soon as revenues keep coming in, they simply wouldn't. The botmasters' mentioned here are primarily acting as domainers, and the possibilities for abuse here are countless. In case you're interested in knowing more about the use and abuse of such networks, I recommend you to go through Ben Edelman's research on affiliate networks, and how easily they get abused. My point is that, if it takes a newbie to start realizing this, imagine the big players, as there are obviously some, at least in respect to the sizes of their botnets :)

If they make a buck for selling access to their resources, still have the opportunity to do it on their own, and cash again while giving instructions on how to "reinfect" yourself, that's a Ecosystem that I mentioned in my recently released "Malware - Future Trends" research. I feel this particular botnet herd is up to experiments, that obviously didn't go unnoticed.

What are your thoughts on the future of botnets, how would they abuse their power in Web 2.0? Week before I release my original publication, someone started coming up with "solutions" on how to abuse Google's AdSense, there's a lot to come for sure!

In case you want to know more about botnets, consider going through the following :

Bots and Botnets: Risks, Issues and Prevention
The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets
Botnets as a Vehicle for Online Crime
Botnets - the threat to the Critical National Infrastructure
Botnet Detection and Response
Tracking Botnets
Robot Wars – How Botnets Work
Worms, Viruses and Botnets - security awareness video

Technorati tags :
,,,

Monday, January 16, 2006

Anonymity or Privacy on the Internet?

Last week, Bruce Schneier wrote a great comment on Anonymity, how it won’t kill the Internet, and that it has to do with accountability mostly.

Logically, if identification is impossible, then there cannot be adequate accountability. Though, alternative methods based on the collective trust exist, and are as anonymous, as necessary. Spoofed identities, perhaps even hijacked ones should also be taken into consideration. But how important is Anonymity today? What is Anonymity and Privacy anyway? When is the first desired to preserve the second? How blur is the line in between? I think Anonymity is so much broader than it is originally perceived.

I’ve once mentioned the possibilities of IP cloaking for competitive intelligence/disinformation. On the other hand, for me today’s concept of anonymity has three dimensions :

- The individuals trying to achieve anonymity with the idea to express their right of free speech, and access censored information

A chinese citizen is the first thing that comes to my mind, though many others are having the same problems when trying to access information or express their right of free speech, such as Saudi Arabia, United Arab Emirates, Bahrain, Iran, Singapore, Burma, and Tunisia.

- Those trying to avoid accountability for certain actions, in one way or another

Anonymous-p2p.org has for instance featured a list of P2P applications that improve anonymity to a certain extend. In this case, anonymity is desired in order to cover up certain actions. The use of proxy servers to try to hide originating host should also be mentioned as a possibility.

- Those with an established pseudo-anonymity, netizens for instance

I think pseudo-anonymity is important in today’s society, it’s utopian worlds(online gaming worlds etc.), express freedom and promote creativity to a certain extend. The entire trust and accountability model is actually entrusted on the service, for instance, Ebay as mentioned in the original article. You trust that Ebay’s practices going beyond this pseudo-anonymity would achieve accountability in case it’s necessary.

What others think on privacy, and why is anonymity hard?

There’s no Privacy, get over it” Sun's CEO Scott McNealy, back in 1999

John Young, Cryptome.org on privacy, data aggregation, data mining, terrorism fears and our constantly digitized lifes :

Privacy should be a right of citizens worldwide, in particular the right to keep government and business from gaining access to private information and personal data. The argument that government needs to violate privacy in order to assure security is a lie. The business of gathering private information by corporations and then selling that to government and other businesses is a great threat to civil liberties. Much of this technology was developed for intelligence and military uses but has since been expanded to include civil society.

Dan Farmer and Charles C.Mann – Surveillance Nation

Low-priced surveillance technologies will help millions of consumers protect their property, plan their commutes, and monitor their families. But as these informal intelligence-gathering networks overlap and invade our privacy, that very could evaporate.”

Does Privacy still exist in the 21st century? Is Anonymity an excuse for Privacy? What do you think?

Further resources on privacy and anonymity can also be found at :

Real World Patterns of Failure in Anonymity Systems
Better Anonymous Communications
Introduction to P3P
HOWTO bypass Internet Censorship
Formalizing Anonymity - A Review
Anonymity made easy
Anonymity and Pseudonymity in Cyberspace :Deindividuation, Incivility and Lawlessness Versus Freedom and Privacy

Technorati tags :
,,,,

To report, or not to report?

Computerworld is running a story that, “Three more U.S states add laws on data breaches”, but what would be the consequences of this action? Less security breaches? I doubt so. Realistic metrics and reactions whenever an actual breach occurs, as well as its future prevention measures? Now that’s something I think.

Such legislations have a huge impact, both, on the industry, the public opinion, and company itself. No one likes admitting getting hacked, or having sensitive information exposed to unknown and obviously malicious party. Yet, if it wasn’t companies reporting these breaches, thousands of people would have been secretly exposed to possible identity theft, and we’ll be still living with the idea that the Megacorporations are responsibly handling our information. Which they obviously aren’t! And even if they try to hide it, sooner or later a victim will starting digging in, and the story ends up in mainstream news. Privacyrights.org have taken the time and effort to compile a "A Chronology of Data Breaches Reported Since the ChoicePoint Incident", and as you can see, it's not getting any better, though, reporting and legislations have the potential to change a lot.

At the bottom line, I am a firm believer that, reporting breaches greatly improves the accuracy of security metrics, and hopefully the solutions themselves. Security through obscurity is simply out of question when it comes to storing unencrypted databases online, or even distributing them offline, though, it’s still obviously very popular today.

What do you think? Are the long-term negative PR effects worth the uninterrupted business continuity as a whole? Are you comfortable with not knowing how exactly is any of the organizations possessing sensitive info on you, is taking care to secure it? I'm not!

As well as various other comments on the topic :

Information Security Breaches and the Threat to Consumers
Security Breaches : Notification, Treatment, and Prevention
Recommended Practices on Notification of Security Breach Involving Personal Information
What Does a Computer Security Breach Really Cost?

Technorati tags :

,,,

Future Trends of Malware

Great news, that I greatly anticipated, my "Malware - Future Trends" research got Slashdotted. The strange thing is how my actual post and numerous others from different respected sites weren’t approved. I guess I would have to live with that, given the huge number of hits and new subscribers to my feed I have received for the last couple of days :))

Someone once said, that it’s all about to courage to write down what you think. And he was right, but he missed to mention, that you should also stand behind what you believe in. There’s nothing more important than disseminating that kind of information to the broadest audience possible, in the fastest way achievable. The comments, links recognition and active feedback that I have been receiving, are the best benchmark for the usefulness of my research. So, thanks!

My “Malware – future trends” publication has recently appeared at :

Packetstormsecurity.org
Securiteam.com
Net-security.org
LinuxSecurity.com
Infosecwriters.com
WhiteDust.net
ISECA.org
BankInfoSecurity.com
Wiretapped.net
Astalavista.com
CGISecurity.com
Megasecurity.org
Secguru.com
Wikipedia's entry on Malware

to name few of the sites, and in various blog comments :

Computerworld’s IT Management Blog

Datamation's Blog

Sergio Hernando's post, and the Google translation

Alan Cardel's Blog

Worm Blog

And many others : 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20

The more naysayers, the more important is what you are doing, and I have come across a lot of them, though I wouldn’t even bother to link them back. They are a valuable incentive on a certain occasions. It's a great feeling that I missed for a little while, it reminds of the how differently people react to one another’s success and hard work. I totally enjoy people quoting me on every sentence from a 26 pages publication I pretty much finalized on Xmas eve, just for the idea of doing it. Cheer up, guys, and go through my points objectively.

What I truly like, is the debate it opened up here and there, one of the main ideas behind it. Feel free to post your comments at my original announcement, Malware - Future Trends.

Technorati tags :

,,,,,

Thursday, January 12, 2006

Insecure Irony

What’s the worst thing that could happen to BigBrother and any of its puppets? – Have their confidential info exposed due to the neglegence of a commercial organization, one that is used for gathering the majority of intelligence data these days. Now, that’s an insecure irony. It is a public secret that any government is gathering enormous information on its citizens through commercial organization's extremely rich databases. Everyone's in the system though, even the ghosts!

I also advise you to go though a great research on the topic of "Commecial Data and National Security" in case you want to know more on how governments and intelligence agencies use/abuse the data.

Technorati tags :

,,,,,

Security threats to consider when doing E-Banking

E-banking, and mobile commerce are inevitable part of our daily lifes, and would continue to get more popular. The bad thing is, that it's not just us, the end users benefiting from this fact, but also, the malicious attackers exploiting our naivety and lack of awareness on the threats to watch for. Candid Wuuest did an outstanding research on the insecurities of E-banking, and excellect job in comparing the different security measures next to one another. The slides will also provide you with a lot of useful info on the topic.

Further info on the topic an also be found at :

Why eBanking is Bad for your Bank Balance
Risk management principles for electronic banking

Technorati tags :
, ,,,

Wednesday, January 11, 2006

The hidden internet economy

How much does phishing, spam and spyware for instance cost on businesses? Should we measure in cash, or hardly quantified long-term affects such as reputation damage, loss of confidence in the business, or the percentage of people that would think twice before doing any E-shopping at all?

These days, I believe that there’s a huge number of individuals with purchasing power that tend to avoid online purchases at all. That's the baby boomers I am talking about, who as a matter of fact are having more and more disposable income!

Published in December, 2005, a poll published by the CSIA estimated that almost 50% of all adults in the U.S avoid making purchases online because they are afraid that their personal information could be stolen. And while impulsive teens are excluded, and the poll's quality is taken for granted, to me it highlights an important fact that I have always believed in -- that there is a hidden Internet economy that could boom given more confidence is build in ensuring that, this huge number of individuals will start bringing even more online revenues to any of the dotcom darlings. Untill then, stay tuned for yet another major security breach at a data aggregator :(

Technorati tags :
, , , ,