Entries Tagged "Internet"


Understanding the Black Market in Internet Crime

Here’s an interesting paper from Carnegie Mellon University: “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants.”

The paper focuses on the large illicit market that specializes in the commoditization of activities in support of Internet-based crime. The main goal of the paper was to understand and measure how these markets function, and discuss the incentives of the various market entities. Using a dataset collected over seven months and comprising over 13 million messages, they were able to categorize the market’s participants, the goods and services advertised, and the asking prices for selected interesting goods.

Really cool stuff.

Unfortunately, the data is extremely noisy and so far the authors have no way to cross-validate it, so it is difficult to make any strong conclusions.

The press focused on just one thing: a discussion of general ways to disrupt the market. Contrary to the claims of the article, the authors have not built any tools to disrupt the markets.

Related blog posts: Gozi and Storm.

Posted on October 29, 2007 at 2:23 PM

World Series Ticket Website Hacked?

Maybe:

The Colorado Rockies will try again to sell World Series tickets through their Web site starting on Tuesday at noon.

Spokesman Jay Alves said tonight that the failure of Monday’s ticket sales happened because the system was brought down today by an “external malicious attack.”

There was a presale that “went well”:

The Colorado Rockies had a chance Sunday to test their online-sales operation in advance.

Season-ticket holders who had previously registered were able to log in with a special password to buy extra tickets.

Alves said the presale went well, with no problems.

But some people found glitches, such as being told to “enable cookies” and to set their computer security to the “lowest level.” And some fans couldn’t log in at all.

Alves explained that those who saw a “page cannot be displayed” message had “IP addresses that we blocked due to suspicious/malicious activity to our website during the last 24 to 48 hours. As an example, if several inquiries came from a single IP address they were blocked.”

Certainly scalpers have an incentive to attack this system.

EDITED TO ADD (10/28): The FBI is investigating.

Posted on October 25, 2007 at 11:52 AM

Chinese National Firewall Isn't All that Effective

Interesting research:

The study, carried out by graduate student Earl Barr and colleagues in the computer science department of UC Davis and the University of New Mexico, exploited the workings of the Chinese firewall to investigate its effectiveness.

Unlike many other nations, Chinese authorities do not simply block webpages that discuss banned subjects such as the Tiananmen Square massacre.

Instead the technology deployed by the Chinese government scans data flowing across its section of the net for banned words or web addresses.

When the filtering system spots a banned term it sends instructions to the source server and destination PC to stop the flow of data.

Mr Barr and colleagues manipulated this to see how far inside China’s net messages containing banned terms could reach before the shut down instructions were sent.

The team used words taken from the Chinese version of Wikipedia to load the data streams that were then despatched into China’s network. If a data stream was stopped, a technique known as “latent semantic analysis” was used to find related words to see if they too were blocked.

The researchers found that the blocking did not happen at the edge of China’s network but often was done when the packets of loaded data had penetrated deep inside.

Blocked were terms related to the Falun Gong movement, Tiananmen Square protest groups, Nazi Germany and democracy.

On about 28% of the paths into China’s net tested by the researchers, blocking failed altogether suggesting that web users would browse unencumbered at least some of the time.

Filtering and blocking was “particularly erratic” when lots of China’s web users were online, said the researchers.

Another article.
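The probing method the article describes, as an added simulation that is not the UC Davis/UNM team’s code: a probe carrying a banned word is sent with a limited IP TTL, as traceroute does, so it can reach only the first `ttl` routers; the smallest TTL at which the word still draws a reset is the hop where the filter sits, and repeating full-length probes measures how often the filter misses. The path, the banned-word list and the 28% miss rate are constructed here to mirror the article’s numbers; nothing is sent on a real network.

```python
"""Simulated TTL-limited probing to locate a keyword-filtering router.

Constructed simulation (not the researchers' code). A probe carries a payload
and an IP TTL. If the TTL expires before the filtering hop, no reset can be
injected; once the TTL reaches the filter, a banned keyword triggers a reset
with probability (1 - miss_rate), modelling the filter's erratic behaviour.
"""
import random
from dataclasses import dataclass

BANNED = {"falun", "tiananmen", "democracy"}   # constructed keyword list


@dataclass
class SimulatedPath:
    hops: int          # total hops from the probing host to the destination
    filter_hop: int    # hop (1-based) at which the keyword filter sits
    miss_rate: float   # fraction of matching packets the filter lets through


def probe(path, payload, ttl, rng=None):
    """What the prober observes for one packet: 'ttl-expired', 'reset' or 'delivered'."""
    rng = rng or random.Random(0)
    if ttl >= path.filter_hop:                         # packet reaches the filter
        banned = any(word in payload.lower() for word in BANNED)
        if banned and rng.random() >= path.miss_rate:  # filter fires (usually)
            return "reset"
    return "delivered" if ttl >= path.hops else "ttl-expired"


def filter_reachable(path, keyword, ttl, rng, trials):
    """True if any of `trials` probes at this TTL is reset (absorbs filter misses)."""
    return any(probe(path, keyword, ttl, rng) == "reset" for _ in range(trials))


def locate_filter(path, keyword, rng=None, trials=5):
    """Bisect the TTL to find the first hop at which keyword probes are reset.

    Returns None when even a full-length probe is never reset, i.e. the path
    is not filtered for this keyword (or the keyword is not on the list).
    """
    rng = rng or random.Random(0)
    if not filter_reachable(path, keyword, path.hops, rng, trials):
        return None
    lo, hi = 1, path.hops
    while lo < hi:
        mid = (lo + hi) // 2
        if filter_reachable(path, keyword, mid, rng, trials):
            hi = mid          # filter is at or before mid
        else:
            lo = mid + 1      # probes expired before reaching the filter
    return lo


def blocking_rate(path, keyword, rng=None, attempts=200):
    """Fraction of full-length keyword probes that are reset; 1 - this is the
    filter's failure rate (about 28% of paths in the study)."""
    rng = rng or random.Random(0)
    resets = sum(probe(path, keyword, path.hops, rng) == "reset" for _ in range(attempts))
    return resets / attempts


if __name__ == "__main__":
    rng = random.Random(1)
    # Constructed path: 12 hops, filter deep inside at hop 9, 28% miss rate.
    path = SimulatedPath(hops=12, filter_hop=9, miss_rate=0.28)
    print("control probe:", probe(path, "weather report", path.hops, rng))
    print("filter located at hop", locate_filter(path, "tiananmen", rng, trials=8))
    print("blocking rate", blocking_rate(path, "falun", rng))
```

The control probe with a harmless payload is what separates keyword filtering from ordinary routing failures: a path that resets the benign probe too is broken, not censored. Using several trials per TTL matters because a single missed packet would push the bisection past the real filtering hop.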

Posted on September 14, 2007 at 7:52 AM

House of Lords on Computer Security

The Science and Technology Committee of the UK House of Lords has issued a report (pdf here) on “Personal Internet Security.” It’s 121 pages long. Richard Clayton, who helped the committee, has a good summary of the report on his blog. Among other things, the Lords recommend various consumer notification standards, a data-breach disclosure law, and a liability regime for software.

Another summary lists:

  • Increase the resources and skills available to the police and criminal justice system to catch and prosecute e-criminals.
  • Establish a centralised and automated system, administered by law enforcement, for the reporting of e-crime.
  • Provide incentives to banks and other companies trading online to improve the data security by establishing a data security breach notification law.
  • Improve standards of new software and hardware by moving towards legal liability for damage resulting from security flaws.
  • Encourage Internet Service Providers to improve customer security offered by establishing a “kite mark” for internet services.

If that sounds like a lot of the things I’ve been saying for years, there’s a reason for that. Earlier this year, I testified before the committee (transcript here), where I recommended some of these things. (Sadly, I didn’t get to wear a powdered wig.)

This report is a long way from anything even closely resembling a law, but it’s a start. Clayton writes:

The Select Committee reports are the result of in-depth study of particular topics, by people who reached the top of their professions (who are therefore quick learners, even if they start by knowing little of the topic), and their careful reasoning and endorsement of convincing expert views, carries considerable weight. The Government is obliged to formally respond, and there will, at some point, be a few hours of debate on the report in the House of Lords.

If you’re interested, the entire body of evidence the committee considered is here (pdf version here). I don’t recommend reading it; it’s absolutely huge, and a lot of it is corporate drivel.

EDITED TO ADD (8/13): I have written about software liabilities before, here and here.

EDITED TO ADD (8/22): Good article here:

They agreed ‘wholeheartedly’ with security guru, and successful author, Bruce Schneier, that the activities of ‘legitimate researchers’ trying to ‘break things to learn to think like the bad guys’ should not be criminalized in forthcoming UK legislation, and they supported the pressing need for a data breach reporting law; in drafting such a law, the UK government could learn from lessons learnt in the US states that have such laws. Such a law should cover the banks, and other sectors, and not simply apply to “communication providers”—a proposal presently under consideration by the EU Commission, which the peers clearly believed would be ineffective in creating incentives to improve security across the board.

Posted on August 13, 2007 at 6:35 AM

Top 10 Internet Crimes of 2006

According to the Internet Crime Complaint Center and reported in U.S. News and World Report, auction fraud and non-delivery of items purchased are far and away the most common Internet crimes. Identity theft is way down near the bottom.

Although the number of complaints last year, 207,492, fell by 10 percent, the overall losses hit a record $198 million. By far the most reported crime: Internet auction fraud, garnering 45 percent of all complaints. Also big was nondelivery of merchandise or payment, which notched second at 19 percent. The biggest money losers: those omnipresent Nigerian scam letters, which fleeced victims on average of $5,100, followed by check fraud at $3,744 and investment fraud at $2,694.

[…]

The feds caution that these figures don’t represent a scientific sample of just how much Net crime is out there. They note, for example, that the high number of auction fraud complaints is due, in part, to eBay and other big E-commerce outfits offering customers direct links to the IC3 website. And it’s tough to measure what may be the Web’s biggest scourge, child porn, simply by complaints. Still, the survey is a useful snapshot, even if it tells us what we already know: that the Internet, like the rest of life, is full of bad guys. Caveat emptor.

Posted on April 24, 2007 at 12:25 PM

Dept of Homeland Security Wants DNSSEC Keys

This is a big deal:

The shortcomings of the present DNS have been known for years but difficulties in devising a system that offers backward compatibility while scaling to millions of nodes on the net have slowed down the implementation of its successor, Domain Name System Security Extensions (DNSSEC). DNSSEC ensures that domain name requests are digitally signed and authenticated, a defence against forged DNS data, a product of attacks such as DNS cache poisoning used to trick surfers into visiting bogus websites that pose as the real thing.

Obtaining the master key for the DNS root zone would give US authorities the ability to track DNS Security Extensions (DNSSec) “all the way back to the servers that represent the name system’s root zone on the internet”.

Access to the “key-signing key” would give US authorities a supervisory role over DNS lookups, vital for functions ranging from email delivery to surfing the net. At a recent ICANN meeting in Lisbon, Bernard Turcotte, president of the Canadian Internet Registration Authority, said managers of country registries were concerned about the proposal to allow the US to control the master keys, giving it privileged control of internet resources, Heise reports.

Another news report.
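Why holding the root key-signing key is the “supervisory role” the article talks about, as an added example that is not taken from the article or from any registry’s software: a validator is configured to trust the root KSK and then walks downward, and every link is a DS record, a hash of the child zone’s KSK published by the parent (RFC 4034 and RFC 4509). The key bytes below are made up; the example models only the DS-to-DNSKEY links and leaves out RRSIG verification over each record set, which needs the real public-key algorithm (RSA, ECDSA).

```python
"""DNSSEC delegation chain: DNSKEY -> key tag and DS digest (RFC 4034 / 4509).

Added example with constructed key material (not real keys, not any
registry's code). Only the DS <-> DNSKEY links of the chain of trust are
modelled; RRSIG verification over each RRset is not.
"""
import hashlib

KSK_FLAGS = 257        # ZONE (256) | SEP (1): a key-signing key
ZSK_FLAGS = 256        # ZONE only: a zone-signing key
PROTOCOL = 3           # always 3 for DNSSEC
ALG_ECDSAP256 = 13     # algorithm number used in the constructed keys below


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the empty root label (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([PROTOCOL, algorithm]) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256(owner name wire form || DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()


class Zone:
    """A signed zone: its KSK and the DS records it publishes for its children."""

    def __init__(self, name, ksk_pubkey, algorithm=ALG_ECDSAP256):
        self.name = name
        self.ksk = dnskey_rdata(KSK_FLAGS, algorithm, ksk_pubkey)
        self.child_ds = {}    # child name -> (key tag, digest) as published in this zone

    def delegate(self, child):
        """Publish a DS for the child's KSK (what a registry does at delegation)."""
        self.child_ds[child.name] = (key_tag(child.ksk), ds_digest(child.name, child.ksk))


def validate_chain(trust_anchor_ds, zones):
    """Walk root -> ... -> leaf. trust_anchor_ds is the (tag, digest) the
    validator has configured for the root KSK; each zone's KSK must match the
    DS its parent publishes. Returns the zone name where the chain breaks, or None.
    In the real protocol each DS RRset is also signed by the parent's ZSK, which
    is in turn vouched for by the parent's KSK, so the root KSK holder can
    re-root every delegation below it."""
    expected = trust_anchor_ds
    for i, zone in enumerate(zones):
        if (key_tag(zone.ksk), ds_digest(zone.name, zone.ksk)) != expected:
            return zone.name
        if i + 1 < len(zones):
            expected = zone.child_ds.get(zones[i + 1].name)
    return None


def build_demo_chain():
    """Constructed three-level chain with made-up key bytes (not real keys)."""
    root = Zone(".", b"constructed-root-ksk-public-key")
    com = Zone("com.", b"constructed-com-ksk-public-key")
    example = Zone("example.com.", b"constructed-example-ksk-public-key")
    root.delegate(com)
    com.delegate(example)
    anchor = (key_tag(root.ksk), ds_digest(".", root.ksk))   # validator's trust anchor
    return anchor, [root, com, example]


if __name__ == "__main__":
    anchor, zones = build_demo_chain()
    print("chain valid:", validate_chain(anchor, zones) is None)
    rogue_com = Zone("com.", b"attacker-controlled-com-ksk")
    print("rogue .com rejected at:", validate_chain(anchor, [zones[0], rogue_com, zones[2]]))
    zones[0].delegate(rogue_com)   # only possible for whoever signs the root zone
    rogue_com.delegate(zones[2])
    print("after re-rooting, rogue chain valid:", validate_chain(anchor, [zones[0], rogue_com, zones[2]]) is None)
```

The `key_tag` and `ds_digest` outputs for a real zone can be checked against `dig +dnssec DNSKEY` and `dig DS` for that zone; the tag is only a lookup hint, so a validator must still compare the full digest. The last three lines of the demo are the point of the article: a validator keeps trusting the same anchor, yet the party that can publish and sign the root zone decides which `.com` key that anchor vouches for.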

Posted on April 9, 2007 at 9:45 AM

Changing Generational Notions of Privacy

Interesting article.

And after all, there is another way to look at this shift. Younger people, one could point out, are the only ones for whom it seems to have sunk in that the idea of a truly private life is already an illusion. Every street in New York has a surveillance camera. Each time you swipe your debit card at Duane Reade or use your MetroCard, that transaction is tracked. Your employer owns your e-mails. The NSA owns your phone calls. Your life is being lived in public whether you choose to acknowledge it or not.

So it may be time to consider the possibility that young people who behave as if privacy doesn’t exist are actually the sane people, not the insane ones. For someone like me, who grew up sealing my diary with a literal lock, this may be tough to accept. But under current circumstances, a defiant belief in holding things close to your chest might not be high-minded. It might be an artifact—quaint and naïve, like a determined faith that virginity keeps ladies pure. Or at least that might be true for someone who has grown up “putting themselves out there” and found that the benefits of being transparent make the risks worth it.

Shirky describes this generational shift in terms of pidgin versus Creole. “Do you know that distinction? Pidgin is what gets spoken when people patch things together from different languages, so it serves well enough to communicate. But Creole is what the children speak, the children of pidgin speakers. They impose rules and structure, which makes the Creole language completely coherent and expressive, on par with any language. What we are witnessing is the Creolization of media.”

Posted on March 9, 2007 at 7:28 AM

Hacker-Controlled Computers Hiding Better

If you have control of a network of computers—by infecting them with some sort of malware—the hard part is controlling that network. Traditionally, these computers (called zombies) are controlled via IRC. But IRC can be detected and blocked, so the hackers have adapted:

Instead of connecting to an IRC server, newly compromised PCs connect to one or more Web sites to check in with the hackers and get their commands. These Web sites are typically hosted on hacked servers or computers that have been online for a long time. Attackers upload the instructions for download by their bots.

As a result, protection mechanisms, such as blocking IRC traffic, will fail. This could mean that zombies, which so far have mostly been broadband-connected home computers, will be created using systems on business networks.

The trick here is to not let the computer’s legitimate owner know that someone else is controlling it. It’s an arms race between attacker and defender.
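One thing a defender can still do once IRC blocking stops working, as an added example that is not from the article: a bot that checks a web site for commands does so on a timer, so in a proxy log the gaps between its requests to that host are almost constant, while a person’s browsing is bursty. The log lines, client addresses and host names below are constructed; the format (timestamp, client, method, URL) is an assumption about the proxy.

```python
"""Flag web-based bot check-ins in proxy logs by the regularity of their timing.

Added detection example (not from the article). Per (client, host) pair the
gaps between requests are measured; a low coefficient of variation means a
timer is driving the requests rather than a person.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp client method url (not real traffic).
SAMPLE_LOG = """\
2006-10-25T12:00:00 10.1.1.20 GET http://cmd.example.net/check.php
2006-10-25T12:00:04 10.1.1.40 GET http://news.example.org/
2006-10-25T12:00:09 10.1.1.40 GET http://news.example.org/story/1
2006-10-25T12:05:01 10.1.1.20 GET http://cmd.example.net/check.php
2006-10-25T12:07:33 10.1.1.40 GET http://news.example.org/story/7
2006-10-25T12:09:59 10.1.1.20 GET http://cmd.example.net/check.php
2006-10-25T12:14:58 10.1.1.20 GET http://cmd.example.net/check.php
2006-10-25T12:20:02 10.1.1.20 GET http://cmd.example.net/check.php
2006-10-25T12:31:10 10.1.1.40 GET http://news.example.org/story/9
2006-10-25T12:58:20 10.1.1.40 GET http://news.example.org/
"""


def parse_log(text):
    """Yield (timestamp, client, host) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        host = url.split("/")[2]            # scheme://host/...
        yield datetime.fromisoformat(ts), client, host


def beacon_scores(text, min_requests=5):
    """Per (client, host): (request count, mean gap in seconds, coefficient of variation).

    Pairs with fewer than min_requests requests are skipped: too few gaps to
    say anything about regularity.
    """
    seen = defaultdict(list)
    for ts, client, host in parse_log(text):
        seen[(client, host)].append(ts)
    scores = {}
    for key, times in seen.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        scores[key] = (len(times), avg, cv)
    return scores


def find_beacons(text, max_cv=0.1, min_requests=5):
    """Return the (client, host) pairs whose request gaps are near-constant."""
    return {k: v for k, v in beacon_scores(text, min_requests).items() if v[2] <= max_cv}


if __name__ == "__main__":
    for (client, host), (count, avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {count} requests every ~{avg:.0f}s (cv={cv:.3f})")
```

This is a first-pass filter, not a verdict: software updaters and mail clients also poll on timers, and a bot can add random jitter to its sleep. It earns its keep when combined with what the quoted article says about the hosts themselves, such as check-ins to recently compromised or otherwise unremarkable sites that no one else on the network visits.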

Posted on October 25, 2006 at 12:14 PM
