Page 2 of 5
Coming barely weeks after my essay on the security risks from embedded systems, the Proofpoint report of a spam-sending refrigerator was just too good to be true. I was skeptical, so I didn’t blog it. Now Ars Technica has a good analysis of the report, and is also skeptical. In any case: it could happen, and sooner or later it will.
A new Snowden document shows that the NSA is harvesting contact lists—e-mail address books, IM buddy lists, etc.—from Google, Yahoo, Microsoft, Facebook, and others.
Unlike PRISM, this unnamed program collects the data from the Internet . This is similar to how the NSA identifies Tor users. They get direct access to the Internet backbone, either through secret agreements with companies like AT&T, or surreptitiously, by doing things like tapping undersea cables. Once they have the data, they have powerful packet inspectors—code names include TUMULT, TURBULENCE, and TURMOIL—that run a bunch of different identification and copying systems. One of them, code name unknown, searches for these contact lists and copies them. Google, Yahoo, Microsoft, etc., have no idea that this is happening, nor have they consented to their data being harvested in this way.
These contact lists provide the NSA with the same sort of broad surveillance that the Verizon (and others) phone-record “metadata” collection programs provide: information about who are our friends, lovers, confidants, associates. This is incredibly intimate information, all collected without any warrant or due process. Metadata equals surveillance; always remember that.
The quantities are interesting:
During a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers….
Note that Gmail, which uses SSL by default, provides the NSA with much less data than Yahoo, which doesn’t, despite the fact that Gmail has many more users than Yahoo does. (It’s actually kind of amazing how small that Gmail number is.) This implies that, despite BULLRUN, encryption works. Ubiquitous use of SSL can foil NSA eavesdropping. This is the same lesson we learned from the NSA’s attempts to break Tor: encryption works.
In response to this story, Yahoo has finally decided to enable SSL by default: by January 2014.
One more amusing bit: the NSA has a spam problem.
Spam has proven to be a significant problem for the NSA—clogging databases with information that holds no foreign intelligence value. The majority of all e-mails, one NSA document says, “are SPAM from ‘fake addresses and never ‘delivered’ to targets.”
The Washington Post published three NSA documents to support this article.
EDITED TO ADD: The New York Times makes this observation:
Spokesmen for the eavesdropping organizations reassured The Post that we shouldn’t bother our heads with all of this. They have “checks and balances built into our tools,” said one intelligence official.
Since the Snowden leaks began, the administration has adopted an interesting definition of that term. It used to be that “checks and balances” referred to one branch of the government checking and balancing the other branches—like the Supreme Court deciding whether laws are constitutional.
Now the N.S.A., the C.I.A. and the White House use the term to refer to a secret organization reviewing the actions it has taken and deciding in secret by itself whether they were legal and constitutional.
Two very interesting points in this essay on cybercrime. The first is that cybercrime isn’t as big a problem as conventional wisdom makes it out to be.
We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority. Spamming, stealing passwords or pillaging bank accounts might appear a perfect business. Cybercriminals can be thousands of miles from the scene of the crime, they can download everything they need online, and there’s little training or capital outlay required. Almost anyone can do it.
Well, not really. Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing. Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward. Just as unregulated fish stocks are driven to exhaustion, there is never enough “easy money” to go around.
The second is that exaggerating the effects of cybercrime is a direct result of how the estimates are generated.
For one thing, in numeric surveys, errors are almost always upward: since the amounts of estimated losses must be positive, there’s no limit on the upside, but zero is a hard limit on the downside. As a consequence, respondent errors— or outright lies—cannot be canceled out. Even worse, errors get amplified when researchers scale between the survey group and the overall population.
Suppose we asked 5,000 people to report their cybercrime losses, which we will then extrapolate over a population of 200 million. Every dollar claimed gets multiplied by 40,000. A single individual who falsely claims $25,000 in losses adds a spurious $1 billion to the estimate. And since no one can claim negative losses, the error can’t be canceled.
[…]
A cybercrime where profits are slim and competition is ruthless also offers simple explanations of facts that are otherwise puzzling. Credentials and stolen credit-card numbers are offered for sale at pennies on the dollar for the simple reason that they are hard to monetize. Cybercrime billionaires are hard to locate because there aren’t any. Few people know anyone who has lost substantial money because victims are far rarer than the exaggerated estimates would imply.
Interesting research: Kirill Levchenko, et al. (2010), “Click Trajectories—End-to-End Analysis of the Spam Value Chain,” IEEE Symposium on Security and Privacy 2011, Oakland, California, 24 May 2011.
Abstract: Spam-based advertising is a business. While it has engendered both widespread antipathy and a multi-billion dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise. We lack, however, a solid understanding of this enterprise’s full structure, and thus most anti-spam interventions focus on only one facet of the overall spam value chain (e.g., spam filtering, URL blacklisting, site takedown). In this paper we present a holistic analysis that quantifies the full set of resources employed to monetize spam email—including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. We relate these resources to the organizations who administer them and then use this data to characterize the relative prospects for defensive interventions at each link in the spam value chain. In particular, we provide the first strong evidence of payment bottlenecks in the spam value chain; 95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks.
It’s a surprisingly small handful of banks:
All told, they saw 13 banks handling 95% of the 76 orders for which they received transaction information. (Only one U.S. bank was seen settling spam transactions: Wells Fargo.) But just three banks handled the majority of transactions: Azerigazbank in Azerbaijan, DnB NOR in Latvia (although the bank is headquartered in Norway), and St. Kitts-Nevis-Anguilla National Bank in the Caribbean. In addition, “most herbal and replica purchases cleared through the same bank in St. Kitts, … while most pharmaceutical affiliate programs used two banks (in Azerbaijan and Latvia), and software was handled entirely by two banks (in Latvia and Russia),” they said.
This points to a fruitful avenue to reduce spam: go after the banks.
Here’s an older paper on the economics of spam.
Interesting post—and discussion—on Making Light about ebook fraud. Currently there are two types of fraud. The first is content farming, discussed in these two interesting blog posts. People are creating automatically generated content, web-collected content, or fake content, turning it into a book, and selling it on an ebook site like Amazon.com. Then they use multiple identities to give it good reviews. (If it gets a bad review, the scammer just relists the same content under a new name.) That second blog post contains a screen shot of something called “Autopilot Kindle Cash,” which promises to teach people how to post dozens of ebooks to Amazon.com per day.
The second type of fraud is stealing a book and selling it as an ebook. So someone could scan a real book and sell it on an ebook site, even though he doesn’t own the copyright. It could be a book that isn’t already available as an ebook, or it could be a “low cost” version of a book that is already available. Amazon doesn’t seem particularly motivated to deal with this sort of fraud. And it too is suitable for automation.
Broadly speaking, there’s nothing new here. All complex ecosystems have parasites, and every open communications system we’ve ever built gets overrun by scammers and spammers. Far from making editors superfluous, systems that democratize publishing have an even greater need for editors. The solutions are not new, either: reputation-based systems, trusted recommenders, white lists, takedown notices. Google has implemented a bunch of security countermeasures against content farming; ebook sellers should implement them as well. It’ll be interesting to see what particular sort of mix works in this case.
It can be lucrative:
Avanesov allegedly rented and sold part of his botnet, a common business model for those who run the networks. Other cybercriminals can rent the hacked machines for a specific time for their own purposes, such as sending a spam run or mining the PCs for personal details and files, among other nefarious actions.
Dutch prosecutors believe that Avanesov made up to €100,000 ($139,000) a month from renting and selling his botnet just for spam, said Wim De Bruin, spokesman for the Public Prosecution Service in Rotterdam. Avanesov was able to sell parts of the botnet off “because it was very easy for him to extend the botnet again,” by infecting more PCs, he said.
EDITED TO ADD (11/11): Paper on the market price of bots.
New research: “Attacks and Design of Image Recognition CAPTCHAs.”
Abstract. We systematically study the design of image recognition CAPTCHAs (IRCs) in this paper. We first review and examine all IRCs schemes known to us and evaluate each scheme against the practical requirements in CAPTCHA applications, particularly in large-scale real-life applications such as Gmail and Hotmail. Then we present a security analysis of the representative schemes we have identified. For the schemes that remain unbroken, we present our novel attacks. For the schemes for which known attacks are available, we propose a theoretical explanation why those schemes have failed. Next, we provide a simple but novel framework for guiding the design of robust IRCs. Then we propose an innovative IRC called Cortcha that is scalable to meet the requirements of large-scale applications. Cortcha relies on recognizing an object by exploiting its surrounding context, a task that humans can perform well but computers cannot. An infinite number of types of objects can be used to generate challenges, which can effectively disable the learning process in machine learning attacks. Cortcha does not require the images in its image database to be labeled. Image collection and CAPTCHA generation can be fully automated. Our usability studies indicate that, compared with Google’s text CAPTCHA, Cortcha yields a slightly higher human accuracy rate but on average takes more time to solve a challenge.
The paper attacks IMAGINATION (designed at Penn State around 2005) and ARTiFACIAL (designed at MSR Redmond around 2004).
This is cool technology from HP:
Each printer with the ePrint capability will be assigned its own e-mail address. If someone wants to print a document from an iPhone, the document will go to HP’s data center, where it is rendered into the correct format, and then sent to the person’s printer. The process takes about 25 seconds.
Maybe this feature was designed with robust security, but I’m not betting on it. The first people to hack the system will certainly be spammers. (For years I’ve gotten more spam on my fax machine than legitimate faxes.) And why would HP fix the spam problem when it will just enable them to sell overpriced ink cartridges faster?
Any other illegitimate uses for this technology?
EDITED TO ADD (7/13): Location-sensitive advertising to your printer.
EDITED TO ADD (5/13): More info.
I think this is a first.
Information security, and protection of your e-money. Electronic payments and calculations, on means of a network the Internet or by means of bank credit cards, continue to win the world market. Electronic payments, it quickly, conveniently, but is not safely. Now there is a real war, between users and hackers. Your credit card can be forgery. The virus can get into your computer. Most not pleasant, what none, cannot give you guarantees, safety.
But, this disgrace can put an end.
I have developed the program which, does impossible the fact of abduction of a passwords, countersign, and personal data of the users. In the program the technology of an artificial intellect is used. As you cannot, guess about what the person thinks. As and not possible to guess, algorithm of the program. This system to crack it is impossible.
I assure that this system, will be most popular in the near future. I wish to create the company, with branches in the different countries of the world, and I invite all interested persons.
Together we will construct very profitable business.
Sidebar photo of Bruce Schneier by Joe MacInnis.