Wednesday, December 14, 2005

IP cloaking and competitive intelligence/disinformation are running a great article entitled "IP cloaking becoming a business necessity", that I simply can't resist to express my opinion on.

Great concept that’s been around since the days of Anonymizer, who were perhaps the first enterprise to start targeting enterprise and government
users looking for ways to hide their online activities, be it unstructured data aggregation, competitive intelligence or simple end users' browsing.

Getting back to SearchSecurity's article, I don’t really consider a company’s SEC fillings or annual reports (found on any corporate web site) a trade secret! In this particular case, I bet it was extraoridinary traffic from known partners that tipped them that there's a sudden interest in the company's business performance. Any organization could easily look for patters on its web server, such as how often certain stakeholders visit it, given they use their associated netblocks, or ones known to be used by them. What to also to note is that, given the stakeholders in this case, employees, stockholders, suppliers, government, the general public or anyone else has a claim on the way the organization operates, it would be hard, pretty much impossible to differentiate intentions of any of these.

Small companies can easily measure their popularity among the big players, again, given these companies use their netblocks, but a large corporation with hundreds of thousands visitors, would have to put extra efforts in measuring, not only what's popular, but who's reading it, and are they on our watchlist.

How to compile these? Even though I'm certain someone out there has taken the time and effort to compile a Fortune 500 IP ranges list the way have compiled a Government&Military; IP ranges list. I soon expect to see companies offering segmented service for watchlists like the ones I mentioned, for instance - law firms, financial institutions, non-profit organizations segmented on geographical location, let's say New York or Tokyo based ones. An in-house approach can always be applied by any company, no matter of its size, all you have to do is your homework at for instance :

RSA Security
ISS(Internet Security Systems)

An important trend though, is how the transparency that the ICANN wants to build whenever a domain is registered in order to easily prosecure cyber criminals will open up countless opportunities for open source intelligence professionals or wannabe's. A recently released report by the U.S Government Accountability Office, found 2.3M domain names registered with false data, given that's just the result they came up by sampling. Here're also the important findings. Without any doubt, it should be known who's who in the Internet's domain and IP blocks space, but knowing it and complying with this due to regulations, or good will is going to lead to further consequences for your organization.

Let's take anti-virus vendors for instance. I often say that anti virus is a necessary evil - given it's active!! Signatures based defense is futile, windows of opportunities emerge faster, 0day threats contribute, and overall, malware is starting to attack on a segmented based level => less major outbreaks, but the rates of signature updates is still a benchmark the public and some of the vendors like talking about. Email-Worm.Win32.Doombot.b for instance, is a good example of how the malware author is rendering the antivirus software into a useless application, just by blocking it from accessing its(publicly available, easy to find out through sniffin' etc.) update locations.

Even though the author wish he/she could "write" to these locations, that's not necessary, but the temporary advantage of exposing the user/organization to a particular window of opportunity, by making sure access to removal instructions and actual updates is disabled! Doombot's list is short, and a bit of a common sense one compared to others. And as always, the general public, sick of ads, and parasites, have taken the effort to constantly release updated hosts files to tackle their concerns. I wonder when, and how are vendors going to address this important from my point of view issue?

IP cloaking at the corporate level is still in its early stages, but represents a growing market due the following factors, among many others of course :

- governments and intelligence agencies are actively taking advantage of open source intelligence, OSINT, and vendors are already starting to offer relevant services. The Anonymizer among others, has also specially government/enterprise tailored services

- enterprises are getting extremely conscious about what others know of their surfing interests, and what are stakeholders on their watchlist looking at, on any of their extranets or corporate web sites

- citizens from countries with extremely restrictive Internet censorship practices will fuel the market's growth even more

Further reading can be found at :
Protecting Corporations from Internet Counter-Intelligence
Cloaking types

Technorati tags :