If there are only a few large gangs operating—and other people are detecting these huge swings of activity as well—then that’s very significant for public policy. One can have sympathy for police officers and regulators faced with the prospect of dealing with hundreds or thousands of spammers; dealing with them all would take many (rather boring and frustrating) lifetimes. But if there are, say, five big gangs at most—well, that’s suddenly looking like a tractable problem.
Spam is costing us [allegedly] billions (and is a growing problem for the developing world), so there’s all sorts of economic and diplomatic reasons for tackling it. So tell your local spam law enforcement officials to have a look at the graph of Demon Internet’s traffic. It tells them that trying to do something about the spammers currently makes a lot of sense—and that by just tracking down a handful of people, they will be capable of making a real difference!
Entries Tagged "spam"
Page 4 of 5
Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona—up to £580,000—in what security company McAfee is describing as the “biggest ever” online bank heist.
Over the last 15 months, Nordea customers have been targeted by emails containing a tailor-made Trojan, said the bank.
Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved.
This is my favorite line:
Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea security procedures.
Um…hello? Are you an idiot, or what?
What could you do if you controlled a network of thousands of computers—or, at least, could use the spare processor cycles on those machines? You could perform massively parallel computations: model nuclear explosions or global weather patterns, factor large numbers or find Mersenne primes, or attack cryptographic problems.
All of these are legitimate applications. And you can visit distributed.net and download software that allows you to donate your spare computer cycles to some of these projects. (You can help search for Optimal Golomb Rulers—even if you have no idea what they are.) You’ve got a lot of cycles to spare. There’s no reason that your computer can’t help search for extraterrestrial life as it, for example, sits idly waiting for you to read this essay.
The reason these things work is that they are consensual; none of these projects download software onto your computer without your knowledge. None of these projects control your computer without your consent. But there are lots of software programs that do just that.
The term used for a computer remotely controlled by someone else is a “bot”. A group of computers—thousands or even millions—controlled by someone else is a bot network. Estimates are that millions of computers on the internet today are part of bot networks, and the largest bot networks have over 1.5 million machines.
Initially, bot networks were used for just one thing: denial-of-service attacks. Hackers would use them against each other, fighting hacker feuds in cyberspace by attacking each other’s computers. The first widely publicized use of a distributed intruder tool—technically not a botnet, but practically the same thing—was in February 2000, when Canadian hacker Mafiaboy directed an army of compromised computers to flood CNN.com, Amazon.com, eBay, Dell Computer and other sites with debilitating volumes of traffic. Every newspaper carried that story.
These days, bot networks are more likely to be controlled by criminals than by hackers. The important difference is the motive: profit. Networks are being used to send phishing e-mails and other spam. They’re being used for click fraud. They’re being used as an extortion tool: Pay up or we’ll DDoS you!
Mostly, they’re being used to collect personal data for fraud—commonly called “identity theft.” Modern bot software doesn’t just attack other computers; it attacks its hosts as well. The malware is packed with keystroke loggers to steal passwords and account numbers. In fact, many bots automatically hunt for financial information, and some botnets have been built solely for this purpose—to gather credit card numbers, online banking passwords, PayPal accounts, and so on, from compromised hosts.
Swindlers are also using bot networks for click fraud. Google’s anti-fraud systems are sophisticated enough to detect thousands of clicks by one computer; it’s much harder to determine if a single click by each of thousands of computers is fraud, or just popularity.
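The difference between the two cases in the paragraph above, as an added example that is not code from the essay, from Google or from any ad network: a toy click-fraud detector run over constructed click logs. A per-source threshold catches one computer clicking many times but misses a botnet in which each of many computers clicks once; a per-ad burst check sees both, and the distinct-source count is what tells them apart. The log format, the IP ranges and the thresholds are assumptions made for this example.

```python
"""Added example (not code from the essay, Google or any ad network): a
toy click-fraud detector run over constructed click logs. It shows why a
per-source threshold catches one computer clicking thousands of times but
misses a botnet where each of thousands of computers clicks once, and
what a per-ad burst check sees instead. Log format, IP ranges and
thresholds are assumptions made for the example."""
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_log():
    """Constructed log lines: '<ISO timestamp> <source ip> <ad id>'."""
    base = datetime(2006, 7, 1, 12, 0, 0)
    lines = []
    # Baseline: legitimate traffic, one click every two minutes for an hour.
    for i in range(30):
        t = base + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} 198.51.100.{i + 1} ad42")
    # Case A: a single host clicks the ad 40 times within one minute.
    for i in range(40):
        t = base + timedelta(hours=2, seconds=i)
        lines.append(f"{t.isoformat()} 203.0.113.7 ad42")
    # Case B: a botnet, 40 distinct hosts clicking once each within one minute.
    for i in range(40):
        t = base + timedelta(hours=3, seconds=i)
        lines.append(f"{t.isoformat()} 192.0.2.{i + 1} ad42")
    return lines


def parse(lines):
    events = []
    for line in lines:
        ts, ip, ad = line.split()
        events.append((datetime.fromisoformat(ts), ip, ad))
    return events


def per_source_flags(events, max_clicks=10):
    """Naive rule: any source with more than max_clicks clicks is fraud.
    Sees case A; every botnet host in case B has a count of 1."""
    counts = Counter(ip for _, ip, _ in events)
    return sorted(ip for ip, n in counts.items() if n > max_clicks)


def burst_flags(events, factor=10):
    """Per-ad rule: a one-minute bucket with more than factor times the
    ad's median bucket count is a burst. Counts clicks per ad, not per
    source, so it sees case B as well; the distinct-source count is what
    separates the two cases."""
    buckets = defaultdict(list)  # (ad, minute) -> list of source ips
    for ts, ip, ad in events:
        buckets[(ad, ts.replace(second=0, microsecond=0))].append(ip)
    sizes_by_ad = defaultdict(list)
    for (ad, _), ips in buckets.items():
        sizes_by_ad[ad].append(len(ips))
    flagged = {}
    for (ad, minute), ips in sorted(buckets.items()):
        if len(ips) > factor * statistics.median(sizes_by_ad[ad]):
            key = f"{ad}@{minute.isoformat(timespec='minutes')}"
            flagged[key] = {"clicks": len(ips), "distinct_sources": len(set(ips))}
    return flagged


def analyse(lines):
    events = parse(lines)
    return {"per_source": per_source_flags(events), "bursts": burst_flags(events)}


if __name__ == "__main__":
    for rule, result in analyse(make_log()).items():
        print(rule, result)
```

The per-ad burst rule only works because the constructed botnet clicks all land in one minute; a botnet that spreads the same 40 clicks over a day looks like the baseline to both rules, which is the point the essay is making about why distributed click fraud is hard to separate from popularity.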
And, of course, most bots constantly search for other computers that can be infected and added to the bot network. (A 1.5 million-node bot network was discovered in the Netherlands last year. The command-and-control system was dismantled, but some of the bots are still active, infecting other computers and adding them to this defunct network.)
Modern bot networks are remotely upgradeable, so the operators can add new functionality to the bots at any time, or switch from one bot program to another. Bot authors regularly upgrade their botnets during development, or to evade detection by anti-virus and malware cleanup tools.
One application of bot networks that we haven’t seen all that much of is to launch a fast-spreading worm. (Some believe the Witty worm spread this way.) Much has been written about “flash worms” that can saturate the internet in 15 minutes or less. The situation gets even worse if 10,000 bots synchronize their watches and release the worm at exactly the same time. Why haven’t we seen more of this? My guess is because there isn’t any profit in it.
There’s no real solution to the botnet problem, because there’s no single problem. There are many different bot networks, controlled in many different ways, consisting of computers infected through many different vulnerabilities. Really, a bot network is nothing more than an attacker taking advantage of 1) one or more software vulnerabilities, and 2) the economies of scale that computer networks bring. It’s the same thing as distributed.net or SETI@home, only the attacker doesn’t ask your permission first.
As long as networked computers have vulnerabilities—and that’ll be for the foreseeable future—there’ll be bot networks. It’s a natural side-effect of a computer network with bugs.
This essay originally appeared on Wired.com.
EDITED TO ADD (7/27): DDoS extortion is a bigger problem than you might think. Right now it’s primarily targeted against fringe industries—online gaming, online gambling, online porn—located offshore, but we’re seeing more and more of it against mainstream companies in the U.S. and Europe.
EDITED TO ADD (7/27): Seems that Witty was definitely not seeded from a bot network.
Blue Security was an Israeli company that fought spam with spam:
Eran Reshef had an idea in the battle against spam e-mail that seemed to be working: he fought spam with spam. Today, he’ll give up the fight.
Reshef’s Silicon Valley company, Blue Security Inc., simply asked the spammers to stop sending junk e-mail to his clients. But because those sorts of requests tend to be ignored, Blue Security took them to a new level: it bombarded the spammers with requests from all 522,000 of its customers at the same time.
That led to a flood of Internet traffic so heavy that it disrupted the spammers’ ability to send e-mails to other victims—a crippling effect that caused a handful of known spammers to comply with the requests.
Then, earlier this month, a Russia-based spammer counterattacked, Reshef said. Using tens of thousands of hijacked computers, the spammer flooded Blue Security with so much Internet traffic that it blocked legitimate visitors from going to Bluesecurity.com, as well as to other Web sites. The spammer also sent another message: Cease operations or Blue Security customers will soon find themselves targeted with virus-filled attacks.
Last week Blue Security gave up:
Wednesday, Blue Security said it had to give up because it couldn’t sustain the fight against spammers. “Several leading spammers viewed [us] as a strategic threat to their spam business,” Eran Reshef, Blue Security chief executive wrote in the message posted to the company’s site.
“After recovering from the attack, we determined that once we reactivated the Blue Community, spammers would resume their attacks. We cannot take the responsibility for an ever-escalating cyber war through our continued operations.
“As much as it saddens us, we believe this is the responsible thing to do,” said Reshef, who did not respond to an e-mail requesting additional comment. Later Wednesday, a spokesman said that the company would not be making any additional statements beyond the message on its site.
One of the basic philosophies of security is defense in depth: overlapping systems designed to provide security even if one of them fails. An example is a firewall coupled with an intrusion-detection system (IDS). Defense in depth provides security, because there’s no single point of failure and no assumed single vector for attacks.
It is for this reason that a choice between implementing network security in the middle of the network—in the cloud—or at the endpoints is a false dichotomy. No single security system is a panacea, and it’s far better to do both.
This kind of layered security is precisely what we’re seeing develop. Traditionally, security was implemented at the endpoints, because that’s what the user controlled. An organization had no choice but to put its firewalls, IDSs, and anti-virus software inside its network. Today, with the rise of managed security services and other outsourced network services, additional security can be provided inside the cloud.
I’m all in favor of security in the cloud. If we could build a new Internet today from scratch, we would embed a lot of security functionality in the cloud. But even that wouldn’t substitute for security at the endpoints. Defense in depth beats a single point of failure, and security in the cloud is only part of a layered approach.
For example, consider the various network-based e-mail filtering services available. They do a great job of filtering out spam and viruses, but it would be folly to consider them a substitute for anti-virus security on the desktop. Many e-mails are internal only, never entering the cloud at all. Worse, an attacker might open up a message gateway inside the enterprise’s infrastructure. Smart organizations build defense in depth: e-mail filtering inside the cloud plus anti-virus on the desktop.
The same reasoning applies to network-based firewalls and intrusion-prevention systems (IPS). Security would be vastly improved if the major carriers implemented cloud-based solutions, but they’re no substitute for traditional firewalls, IDSs, and IPSs.
This should not be an either/or decision. At Counterpane, for example, we offer cloud services and more traditional network and desktop services. The real trick is making everything work together.
Security is about technology, people, and processes. Regardless of where your security systems are, they’re not going to work unless human experts are paying attention. Real-time monitoring and response is what’s most important; where the equipment goes is secondary.
Security is always a trade-off. Budgets are limited and economic considerations regularly trump security concerns. Traditional security products and services are centered on the internal network, because that’s the target of attack. Compliance focuses on that for the same reason. Security in the cloud is a good addition, but it’s not a replacement for more traditional network and desktop security.
This was published as a “Face-Off” in Network World.
The opposing view is here.
I’ve repeatedly said that two-factor authentication won’t stop phishing, because the attackers will simply modify their techniques to get around it. Here’s an example where that has happened:
Scandinavian bank Nordea was forced to shut down part of its Web banking service for 12 hours last week following a phishing attack that specifically targeted its paper-based one-time password security system.
According to press reports, the scam targeted customers that access the Nordea Sweden Web banking site using a paper-based single-use password security system.
A blog posting by Finnish security firm F-Secure says recipients of the spam e-mail were directed to bogus Web sites but were also asked to enter their account details along with the next password on their list of one-time passwords issued to them by the bank on a “scratch sheet”.
From F-Secure’s blog:
The fake mails were explaining that Nordea is introducing new security measures, which can be accessed at www.nordea-se.com or www.nordea-bank.net (fake sites hosted in South Korea).
The fake sites looked fairly real. They were asking the user for his personal number, access code and the next available scratch code. Regardless of what you entered, the site would complain about the scratch code and ask you to try the next one. In reality the bad boys were trying to collect several scratch codes for their own use.
The Register also has a story.
Two-factor authentication won’t stop identity theft, because identity theft is not an authentication problem. It’s a transaction-security problem. I’ve written about that already. Solutions need to address the transactions directly, and my guess is that they’ll be a combination of things. Some transactions will become more cumbersome. It will definitely be more cumbersome to get a new credit card. Back-end systems will be put in place to identify fraudulent transaction patterns. Look at credit card security; that’s where you’re going to find ideas for solutions to this problem.
Unfortunately, until financial institutions are liable for all the losses associated with identity theft, and not just their direct losses, we’re not going to see a lot of these solutions. I’ve written about this before as well.
We got them for credit cards because Congress mandated that the banks were liable for all but the first $50 of fraudulent transactions.
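The scratch-sheet attack described in the F-Secure quote, and the transaction-level alternative the commentary argues for, as an added example that is not Nordea’s, F-Secure’s or this post’s own code. The paper code list, the phishing page’s “wrong code, try the next one” behaviour and the HMAC-based transaction-signing scheme are all assumptions made for this example; the point is that a code valid for anything can be harvested and spent later, while a code computed over the transfer details only ever authorises the transfer the customer intended.

```python
"""Added example (not Nordea's, F-Secure's or the post's own code): a
model of the scratch-sheet attack described above and of the
transaction-bound alternative the commentary argues for. The paper code
list, the phishing page's behaviour and the HMAC-based transaction-signing
scheme are all assumptions made for this example."""
import hashlib
import hmac

SCRATCH_LIST = ["4831", "9027", "1164", "7750", "2389"]  # constructed paper list


class ScratchListBank:
    """Bank that accepts any unused code from the customer's printed list.
    A code is single-use, but it is not tied to what it authorises."""

    def __init__(self, codes):
        self.unused = list(codes)
        self.ledger = []

    def transfer(self, amount, to_account, code):
        if code not in self.unused:
            return False
        self.unused.remove(code)
        self.ledger.append((amount, to_account))
        return True


def phishing_site(codes_typed_by_victim, wanted=3):
    """Fake 'new security measures' page: whatever the victim enters, reply
    'wrong code, try the next one' until enough codes have been collected."""
    harvested = []
    for code in codes_typed_by_victim:
        harvested.append(code)
        if len(harvested) == wanted:
            break
    return harvested


def scratch_list_attack():
    bank = ScratchListBank(SCRATCH_LIST)
    stolen = phishing_site(SCRATCH_LIST)  # the victim works down the list
    # Attacker spends the harvested codes on the real site, one per transfer.
    results = [bank.transfer(5000, "attacker-acct", code) for code in stolen]
    return results, bank.ledger


def sign_transaction(secret, amount, to_account):
    """Customer-side code generator: a 6-digit code over the transfer
    details the customer keyed into the device (assumed scheme,
    HMAC-SHA256 truncated to six decimal digits)."""
    msg = f"{amount}|{to_account}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class TransactionBoundBank:
    """Bank that recomputes the code over the submitted transfer details,
    so a code is only valid for the transfer it was generated for."""

    def __init__(self, secret):
        self.secret = secret
        self.used = set()
        self.ledger = []

    def transfer(self, amount, to_account, code):
        expected = sign_transaction(self.secret, amount, to_account)
        if code in self.used or not hmac.compare_digest(code, expected):
            return False
        self.used.add(code)
        self.ledger.append((amount, to_account))
        return True


def transaction_bound_attack():
    secret = b"per-customer device secret (constructed)"
    bank = TransactionBoundBank(secret)
    # The phishing page can still trick the victim into generating a code,
    # but the device only signs what the victim keyed in: 100 to savings.
    harvested = sign_transaction(secret, 100, "victim-savings")
    attacker_result = bank.transfer(5000, "attacker-acct", harvested)
    replay_result = bank.transfer(100, "victim-savings", harvested)
    return attacker_result, replay_result, bank.ledger


if __name__ == "__main__":
    print(scratch_list_attack())
    print(transaction_bound_attack())
```

In the scratch-list model every harvested code buys the attacker a transfer of their choosing; in the transaction-bound model the harvested code fails for the attacker’s transfer and can only ever execute the one the customer keyed in. Two caveats a deployment needs that this model leaves out: the signing device must display the details it signs, so a phishing page cannot substitute its own, and the bank should include a fresh challenge in the signed message so that even the intended transfer cannot be triggered a second time by whoever captured the code.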
EDITED TO ADD: Here’s a related story. The Bank of New Zealand suspended Internet banking because of phishing concerns. Now there’s a company that is taking the threat seriously.
Advertisers are beaming unwanted content to Bluetooth phones at a distance of 100 meters.
Sure, it’s annoying, but worse, there are serious security risks. Don’t believe this:
Furthermore, there is no risk of downloading viruses or other malware to the phone, says O’Regan: “We don’t send applications or executable code.” The system uses the phone’s native download interface so they should be able to see the kind of file they are downloading before accepting it, he adds.
This company might not send executable code, but someone else certainly could. And what percentage of people who use Bluetooth phones can recognize “the kind of file they are downloading”?
We’ve already seen two ways to steal data from Bluetooth devices. And we know that more and more sensitive data is being stored on these small devices, increasing the risk. This is almost certainly another avenue for attack.
A reader sent this to me. He’s corresponding with the TSA about getting his name off the watch list, and was told that he should turn off his e-mail spam filter.
Sent: Monday, August 01, 2005 11:46 AM
To: ((Name Deleted))
Subject: Your e-mail has been received
Please do not respond to this automated response.
Your e-mail has been received by the Transportation Security Administration’s (TSA) Contact Center. Our goal is to respond as quickly as possible. However, at times, high volumes sometimes delay our response. We appreciate your patience. You may also find the answer to your question on our web site at www.tsa.gov.
To ensure that you are able to receive a response from the TSA Contact Center, we recommend that Spam filters be disabled and that your email account have ample space to receive large files and/or attachments.