Friday, September 08, 2006

A Study on The Value of Mobile Location Privacy

Right around Flickr's introduction of geotagging, the term stalkerazzi got its necessary attention. Then again, it entirely depends on you whether to evolve as a Web 2.0 user and add more value to the ongoing folksonomy, or to realize the possible privacy implications.

Yesterday, Danezis Cvrcek and Matyas Kumpost released an interesting study on The Value of Location Privacy:

"This paper introduces results of a study into the value of location privacy for individuals using mobile devices. We questioned a sample of over 1200 people from five EU countries, and used tools from experimental psychology and economics to extract from them the value they attach to their location data. We compare this value across national groups, gender and technical awareness, but also the perceived difference between academic use and commercial exploitation. We provide some analysis of the self-selection bias of such a study, and look further at the valuation of location data over time using data from another experiment."

While there are indeed privacy issues related to mobile devices, in the age of malware authors purchasing commercial IP geolocation services to get a better grasp of the infected sample, and Google's growing concern over the use of networks such as Tor mimicking possible malicious behavior, you should ask yourself what it is that you're trying to achieve, anonymity or privacy preservation online, and go for it without feeling like a hostage.

Email Spam Harvesting Statistics

Web application email harvesting has always represented an untapped threat, and it's not the basics of parsing or web application vulnerabilities I have in mind, but the contacts already stored, in transit, and saved by infected people and their (insecure) platforms.

Malware is already averaging 1 piece in 600 social networking pages, which isn't surprising and is largely proportional to the rise of web application vulnerabilities. Compared to personal data security breaches capable of providing the freshest and most recent emails of the parties involved, thus resetting a spammer's activities lifecycle, web email harvesting is still a rather common event.

Thankfully, there are already scaled initiatives such as the Distributed Spam Harvester Tracking Network making an impact:

"Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email we not only can tell that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.

To participate in Project Honey Pot, webmasters need only install the Project Honey Pot software somewhere on their website. We handle the rest — automatically distributing addresses and receiving the mail they generate. As a result, we anticipate installing Project Honey Pot should not increase the traffic or load to your website."
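A minimal sketch of the tagging idea in the quote above, added here as an example and not Project Honey Pot's own software: each page view gets a trap address that encodes the visitor's IP and the time, so any mail later sent to it names the harvester and the moment of harvesting. The secret, the `trap.example` domain, the function names and the sample deliveries are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, ipaddress, struct

SECRET = b"constructed-demo-key"   # assumption: per-site secret, kept server-side
TRAP_DOMAIN = "trap.example"       # placeholder domain whose MX feeds the collector
TAG_LEN = 8                        # truncated HMAC keeps the local part short

def _tag(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]

def mint_trap_address(visitor_ip: str, ts: int) -> str:
    """Build the address shown to one visitor: base32(ip || ts || HMAC)."""
    payload = ipaddress.ip_address(visitor_ip).packed + struct.pack(">I", ts)
    local = base64.b32encode(payload + _tag(payload)).decode().rstrip("=").lower()
    return f"{local}@{TRAP_DOMAIN}"

def attribute_harvest(rcpt: str):
    """Return (harvester_ip, harvested_ts) for a genuine trap address, else None."""
    local, _, domain = rcpt.strip().lower().partition("@")
    if domain != TRAP_DOMAIN:
        return None
    try:
        raw = base64.b32decode(local.upper() + "=" * (-len(local) % 8))
    except ValueError:               # not base32: typo, guess, or dictionary spam
        return None
    if len(raw) not in (4 + 4 + TAG_LEN, 16 + 4 + TAG_LEN):   # IPv4 or IPv6
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(payload)):           # forged or altered
        return None
    return str(ipaddress.ip_address(payload[:-4])), struct.unpack(">I", payload[-4:])[0]

def spam_report(deliveries):
    """deliveries: (rcpt, received_ts, sending_ip) tuples from the trap MX."""
    rows = []
    for rcpt, received_ts, sender_ip in deliveries:
        hit = attribute_harvest(rcpt)
        if hit:
            rows.append({"harvester": hit[0], "spam_server": sender_ip,
                         "lag_seconds": received_ts - hit[1]})
    return rows

if __name__ == "__main__":
    # Constructed sample: a page view on 2006-09-08, spam arriving three days later.
    addr = mint_trap_address("203.0.113.7", 1157700000)
    print(spam_report([(addr, 1157959200, "198.51.100.23"),
                       ("postmaster@trap.example", 1157959300, "198.51.100.23")]))
```

The HMAC check is what keeps guessed or dictionary-generated recipients at the trap domain from being attributed to an innocent visitor IP.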

Some current project statistics:
- Spam Trap Addresses Monitored - 1,354,582
- Total Spam Received - 1,464,090
- Total Spam Servers Identified - 499,310
- IPs Monitored - 611,368
- Total Harvesters Identified - 10,653

Donate an MX record, or get yourself an account and start contributing. On the other hand, the host that's crawling the web for fresh emails today will definitely match the one found in a phishing email at a later stage -- the growing transparency and the pressure put on spammers inevitably result in the Ecosystem I mentioned in my Malware - Future Trends research.

Related posts:
The Beauty of the Surrealistic Spam Art
Real-Time PC Zombie Statistics
The current state of IP spoofing
Dealing with Spam - The O'Reilly.com Way

Benchmarking and Optimising Malware

With the growth and diversity of today's malware, performance criteria for malicious code are a reasonably neglected topic of interest, but that shouldn't be the case, as "the enemy you know is better than the enemy you don't know". As information warfare and malware often intersect for the purpose of balancing asymmetric forces, or conducting espionage, there are already research initiatives for multi-platform, multi-communication-environment code.
José M. Fernandez and Pierre-Marc Bureau constructively build awareness on how "the best is yet to come" in their research on Optimising Malware:

"In this paper, we address and defend the commonly shared point of view that the worst is very much yet to come. We introduce an aim-oriented performance theory for malware and malware attacks, within which we identify some of the performance criteria for measuring their “goodness” with respect to some of the typical objectives for which they are currently used. We also use the OODA-loop model, a well known paradigm of command and control borrowed from military doctrine, as a tool for organising (and reasoning about) the behavioural characteristics of malware and orchestrated attacks using it. We then identify and discuss particular areas of malware design and deployment strategy in which very little development has been seen in the past, and that are likely sources of increased future malware threats. Finally, we discuss how standard optimisation techniques could be applied to malware design, in order to allow even moderately equipped malicious actors to quickly converge towards optimal malware attack strategies and tools fine-tuned for the current Internet."

They've successfully distinguished the following generic and specific aim-oriented performance criteria:

Generic
- Number of hosts
- Persistence
- Anonymity

Fraud
- Money
- Credibility

Information theft
- Penetration
- Stealth
- Amount of information
- Host location

Access sale
- Upstream bandwidth
- Security

Destruction
- Propagation
- Upstream bandwidth
- Host location
- Damage

Information Warfare
- Speed
- Host location
- Damage
- Exposure

Taking into consideration the OODA loop concept -- Observation, Orientation, Decision, Action -- these characteristics will definitely improve over time.

Related resources and recent posts:
Malware
Virus Outbreak Response Time
Malware Bot Families - Technology and Trends
Malware Statistics on Social Networking Sites