Wednesday, October 29, 2008

Phishing Registrar Accounts - ENOM is First Target

Criminals are now looking to take over established domain names by phishing the registrar accounts of their owners. This is possibly related to ICANN finally moving to stop the black hat registrars of the world.

According to the first report on the matter, sent yesterday to the Registrar Operations (reg-ops) mailing list, the attacks seem to be run by a gang of child pornography spammers. The phishing domain names, all in the .biz TLD, use fast-flux hosting to make the attack more difficult to mitigate.

Ironically, the subject line of the phishing email claims that the user's domain has "Inaccurate whois information".
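As an added illustration (not part of the original post), here is a Python sketch of the kind of heuristic a defender can use to recognise fast-flux behaviour in a lure domain from repeated DNS lookups: a short TTL, and a large, shifting set of A records spread across several networks. The lookups, addresses and domain names are constructed for the example; the thresholds are assumptions, and /16 prefixes stand in for ASN lookups, which are not available offline.

```python
from ipaddress import ip_address

# Constructed DNS lookups of one lure domain: (seconds since first lookup,
# TTL from the answer, A records). The values are invented for this example.
FAST_FLUX_SNAPSHOTS = [
    (0,   180, ["198.51.100.14", "203.0.113.77", "192.0.2.201"]),
    (200, 180, ["203.0.113.9", "198.51.100.14", "192.0.2.33"]),
    (400, 180, ["192.0.2.88", "198.51.100.250", "203.0.113.120"]),
    (600, 180, ["198.51.100.3", "192.0.2.201", "203.0.113.9"]),
]

# A constructed benign domain for comparison: the same two addresses every time, long TTL.
STABLE_SNAPSHOTS = [
    (0,   3600, ["192.0.2.10", "192.0.2.11"]),
    (200, 3600, ["192.0.2.10", "192.0.2.11"]),
    (400, 3600, ["192.0.2.11", "192.0.2.10"]),
    (600, 3600, ["192.0.2.10", "192.0.2.11"]),
]


def flux_features(snapshots):
    """Summarise repeated lookups of one name into fast-flux indicators."""
    all_ips = set()
    prefixes = set()
    answer_changes = 0
    previous = None
    for _, _, answers in snapshots:
        current = set()
        for ip in answers:
            ip_address(ip)  # raises ValueError on a malformed record
            current.add(ip)
            # /16 prefix as a crude stand-in for "different network" (assumption:
            # no ASN data offline); a real fast-flux check would use the ASN.
            prefixes.add(".".join(ip.split(".")[:2]))
        all_ips |= current
        if previous is not None and current != previous:
            answer_changes += 1
        previous = current
    return {
        "lookups": len(snapshots),
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len(prefixes),
        "answer_changes": answer_changes,
        "min_ttl": min(ttl for _, ttl, _ in snapshots),
    }


def looks_fast_flux(snapshots, max_ttl=300, min_ips=5, min_changes=2):
    """Assumed thresholds: short TTL, many distinct addresses, answers keep changing."""
    f = flux_features(snapshots)
    return (
        f["min_ttl"] <= max_ttl
        and f["distinct_ips"] >= min_ips
        and f["answer_changes"] >= min_changes
    )


if __name__ == "__main__":
    for name, snaps in (("lure-domain.biz (constructed)", FAST_FLUX_SNAPSHOTS),
                        ("stable-domain.example (constructed)", STABLE_SNAPSHOTS)):
        print(name, flux_features(snaps), "fast-flux:", looks_fast_flux(snaps))
```

In practice the snapshots come from resolving the suspect name every few minutes from more than one vantage point; the point of the heuristic is that the phishing site has no single address a defender can block, so takedown has to go through the registrar or the domain itself rather than the hosting.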

Until ENOM and other registrars get their anti-phishing services in place, I believe it is the job of the Internet security operations community to help them out by taking down these attacks.

The Registrar Operations group (reg-ops) will be watching for these and mitigating them as fast as possible, in close cooperation with the registrars and the security community.

Gadi Evron,

Follow me on twitter!

ICANN Sends Termination Notice to Registrar

ICANN sent EstDomains a termination notice:
"Dear Mr. Tsastsin:

Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains, Inc. (customer No. 919, IANA No. 943) is terminated...."

I believe this is a very positive step from ICANN, showing it is indeed an active part in shaping the Internet, as well as responsible to its constituents.

While I am sure this cannot be an easy move to make, it is warranted in this case and I believe it to be a brave one. While such decisions must not be made rashly, it is my deepest regret that WHOIS information is the only way to reach such ends.

Gadi Evron,


Sunday, October 12, 2008

Are you getting your news from spam? My mother does.

This is a story about my mother and Obama.

My mother: "Have you heard about Obama? Really impressive guy."
Me: "What about him?"
My mother: "x, y and z."
Me: "Where did you hear about this?"
My mother: "I read email too, you are not the only one who is into technology."

Luckily, my mother bases her opinion on more than just spam messages, being an educated woman. I am not sure about others.

I refused to believe this. I still do. Yet, it is true. More and more people get their news from spam, and worse, form political opinions based on what they read in it, especially when their friends send it to them in chain letters ("hey, you have to see this!").

Be it political spam targeted at changing the minds of voters, or regular malicious spam that catches the eye with political blurbs so that users will open the email messages, these messages reach people, and people read them.

I don't have exact numbers, as I am unaware of research which has tried to measure it. I am, however, now facing the truth. What made me wake up was my mother.

Speaking with friends, I find my mother is far from the only person to be influenced by such email messages.

Gadi Evron,


Friday, October 10, 2008

New stem cell research: "babies no longer required"

Two MAJOR leaps in stem cell research have been achieved and published. In the past the only source for stem cells was dead embryos, which caused many a folk to be outraged by this use of "potential" (given, dead) babies. The moral, philosophical and scientific discussion aside, it just became much more interesting.

A year-old study showed that skin cells can be reprogrammed to act as stem cells. A new study reports that stem cells can be extracted from testicles.
Study co-author Thomas Skutella, of the University of Tübingen in Baden-Württemberg, Germany, and his team isolated stem cells from adult, human testicles and cultivated them to become pluripotent cells, which can develop into many other types of cells.
While it was clear to me no ban can really stop research with such immense impact on humanity (as well as a monetary impact on whoever holds the rights), this discovery is predicted to stop the opposition to stem cell research in its tracks. That may not be the case.

The main moral objection is that "potential humans" (babies) were used, which is no longer the case, colourful language aside. Researchers have now shown that is no longer an issue (although naturally, further research is required).

The thing is, the opposition's argument is likely to change. It is true, "potential humans" will no longer (if the research holds water) be used, but the "don't play God argument" is about to be more strongly introduced.

These stem cells can just as easily be used to CREATE babies, and that is something the true opposition won't stand for, even if they were willing to give ground on it before.

Others may realize the huge impact on humanity this research will have, or may have changed their minds by now due to unfortunate personal or family medical experience. There will always be an opposition, or 20. That's what's so beautiful about human society: the diversity.

Gadi Evron,


Tuesday, October 07, 2008

Logical fallacies and rationalizations, cont.

I recently came across this post, which reminded me of the logical fallacies and rationalizations discussion. The post discusses a vicious murder, but also touches on the very core of the subject we discussed, with a bit on "affecting change" and getting set in your ways, traditions and taboos.

Now, setting aside the act of murdering three girls for "free will", which is naturally difficult to do (if we don't, it will hijack the discussion immediately), this post has a very interesting first paragraph:
"Whenever you hear someone defend an action with the excuse that "it is our custom," "it is traditional," "we've always done it that way," "it is written so in our sacred texts," or variants thereof, slap 'em down and spit in their eye. Those are not excuses for anything but the perpetuation of bad old dogma rather than taking the useful step of actually thinking about causes and consequences, a fallacious shortcut that allows ancient evils to thrive."
Effecting change and getting movement in groups is a special interest of mine. The examples given above are the illiterate answers someone may give as to why they should or shouldn't do something (except for "because it's written", which is a whole other, unrelated concept).

More literate answers do exist when you speak with intelligent people, and then there can be several legitimate reasons why they hold to their beliefs. These taboos came from somewhere, and some of them were even a Very Good Idea™ at the time. Noticing that things we know to be evil no longer are is difficult. Further, our beliefs are still what in many cases defines any group, and shouldn't always be abandoned just because they do not necessarily reflect reality.

Example from my life in computer security:
Sharing (computer) virus samples is considered "evil" and irresponsible by the anti-virus industry, for reasons ranging from fear of spreading them to helping the criminals or giving them feedback on what we know (not to mention losing a competitive edge).

And yet the landscape has changed: these samples are everywhere nowadays, so the criminals don't need "our" samples, while many defenders do, desperately, and have no "legal" means to get the same information. Yet, is it wrong for professional anti-virus researchers to view such sharing as evil?

Getting set in your ways as well as following established taboos are quite fascinating in how they form and how they can be broken. Usual annoying disclaimer: nothing is ever black and white... blah blah.

The rationalizations mentioned, however, are another facet of the same thing we discussed earlier, I think?


Monday, October 06, 2008

Information warfare and defending organizations from computer espionage

This blog post is about computer-based espionage, and how we can defend our organizations against it. But I'd like to start from a mood piece of sorts.

There has been too much noise about information warfare lately. If we put DDoS (Distributed Denial of Service) and defacement attacks (such as those in Estonia [PDF]) out of mind, the following two stories (coincidentally left to rot as Firefox tabs in my browser for the past two months) give a better understanding of what it is really about, without resorting to more scary stories about what China is, or isn't, doing.

We'll also touch on other interesting cases such as the Israeli Trojan horse case, when we talk about defensive measures in defending against computer-based espionage and targeted attacks.

The first is a report (without much detail or proof) on North Korea being involved in operations against South Korea using Trojan horses for espionage:

The second, is a lesson from history called The Farewell Dossier.

From Wikipedia:
The Farewell Dossier was a collection of documents containing intelligence gathered and handed over to NATO by the KGB defector Colonel Vladimir Vetrov (code-named "Farewell") in 1981-1982, during the Cold War.


This information led to a mass expulsion of Soviet technology spies. The CIA also mounted a counter-intelligence operation that transferred modified hardware and software designs over to the Soviets, resulting in the spectacular trans-Siberian incident of 1982. The details of the operation were declassified in 1996.
The resulting explosion was so big it was supposedly mistaken for a nuclear explosion by American decision makers, until the CIA said: "oh, that's one of our operations."

A quote from this article puts it in a computer security perspective:
In June 1982, in a remote patch of Russian wilderness, a huge explosion ripped apart a trans-Siberian pipeline.

It wasn't a bomb that destroyed the natural gas pipeline and sent shock waves through the economy of what was then the Soviet Union. Instead, it was a software virus created by the CIA, according to a book by Thomas Reed, a former U.S. Air Force secretary and National Security Council member.
What does this mean?

While incapacitating and destruction-based attacks are certainly of significance, and important to defend against as they impact us directly, regardless of who the attacked party is or where in the world they are (DDoS attacks harm the Internet and its users), smarter, quieter attacks are all around us. How do we defend against them?

I expect most information warfare acts to be targeted, quiet, and covert. Espionage, or spying if you like, is not relevant to us unless we are the target. The diplomats and the intelligence communities of different countries can figure it out for us. It is an old occupation, and well covered by international law. Computers are simply another tool, or capability, to be used by these same people. There is nothing new here as far as how the game is played.

And yet, what if you are a target?

Recognizing there is a threat

You may have to defend against computer-based espionage for your own employer. Recent case studies, as well as research, have shown industrial espionage is indeed a big deal, and here are two examples.

One famous case from a few years ago, which I had the unfortunate opportunity to study, to lead incident response for in the Government, and to brief Fortune 100 companies on, is the Israeli Trojan horse case.

Leading IT companies (most of which were local Israeli branches of Fortune 100 companies) were spied on using a Trojan horse built by an incompetent programmer, which left traces of itself everywhere on the affected systems. This went on for a long period of time, undetected by any of these companies.

The issue was only detected by chance when the creator of the Trojan horse used it for his own private purposes, and it was discovered during the investigation into that harassment case. The stolen information was fed directly to the victims' competitors, which were most of the rest of the Israeli IT industry. The services themselves were rendered by civilian intelligence and investigation firms.

In another Israeli case, the attackers broke into a local branch of the Post Office (also a small bank in Israel) and placed a wireless gateway connected to a switch inside. Through it they stole a few tens of thousands of Shekels in the few days they were in operation. This case, too, was broken by complete chance; originally, as nothing was stolen, it was to be ignored by the bank and local authorities.

In other cases, intelligence agencies for various countries, such as France as a prominent example, have been spying on their own to make sure their own local companies have an edge competing with companies from other countries.

Here is an interesting quote from "The Industrious Spies, Industrial Espionage in the Digital Age".
This transition fosters international tensions even among allies. "Countries don't have friends - they have interests!" - screamed a DOE poster in the mid-nineties. France has vigorously protested US spying on French economic and technological developments - until it was revealed to be doing the same. French relentless and unscrupulous pursuit of purloined intellectual property in the USA is described in Peter Schweizer's "Friendly Spies: How America's Allies Are Using Economic Espionage to Steal Our Secrets."
Defending against computer-based espionage

For the purpose of defense, while I'd certainly hope for more resources (read: a larger budget) and would change where I focus them, there is no inherent difference between defending your organization from computer-based espionage and protecting it against any Joe hacker.

In espionage, the attacker has more resources, both technical and operational. That is the one technical difference; the others are motive and legal standing.

Some of what I would do differently

I'd concentrate a bit more of my resources on network behavior analysis (for which, unfortunately, not many tools exist, so good network security analysts are the main alternative), as well as on social engineering training and procedures.

Further, I'd prioritize cooperation with the physical security part of the organization, and HR (for personnel screening).

I'd also consider putting up a good deterrent as a cyber security policy, both to add to the attacker's risk and to increase their cost.

First, by doing my job: making myself too difficult a target in any way available to me, and letting people know about it. Stating the obvious by saying "do your job" is not too helpful, but it is solid advice. It is a full 180-degree turn from strategies of the 1990s such as "let's not make ourselves a juicy challenge for these kids!"

Second, I'd invest anything I can spare on monitoring my network for anomalies and security incidents, starting with mapping what my network actually looks like. This might add to the risk factor for opponents that can't afford to be caught, and scare them. Covertness is the name of the game, or they would have come through the front door.
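To make the "map your network, then watch for anomalies" advice concrete, here is an added Python example (mine, not the author's, and not tied to any particular product): it builds a baseline of which internal host talks to which destination and port from a batch of constructed flow records, then reports later flows that fall outside that baseline. The address ranges, the flow records, the byte threshold and the anomaly categories are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space for the example organisation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow records (src, dst, dport, bytes) from a "learning" window.
# Invented values; in practice these come from NetFlow/sFlow or firewall logs.
BASELINE_FLOWS = [
    ("10.0.1.10", "192.0.2.80", 443, 12000),
    ("10.0.1.10", "192.0.2.81", 443, 8000),
    ("10.0.1.11", "192.0.2.80", 443, 9000),
    ("10.0.1.11", "10.0.0.5", 25, 2000),
    ("10.0.1.12", "192.0.2.80", 80, 4000),
    ("10.0.1.12", "10.0.0.5", 25, 1500),
]

# Constructed flows from a later window, to be checked against the baseline.
NEW_FLOWS = [
    ("10.0.1.10", "192.0.2.80", 443, 11000),        # matches the baseline
    ("10.0.1.11", "198.51.100.23", 8443, 250000),    # new destination and port, large upload
    ("10.0.1.99", "192.0.2.80", 443, 3000),          # internal host never seen before
    ("10.0.1.12", "10.0.0.5", 25, 1800),             # matches the baseline
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Map each internal host to the (destination, port) pairs it has been seen using.

    This is the "what does my network actually look like" inventory: the keys are
    the hosts that exist, the values are the services each one really talks to.
    """
    baseline = defaultdict(set)
    for src, dst, dport, _ in flows:
        if is_internal(src):
            baseline[src].add((dst, dport))
    return baseline


def find_anomalies(baseline, flows, upload_threshold=100_000):
    """Return (src, dst, dport, reason) for flows that deviate from the baseline.

    upload_threshold (bytes) is an assumed cut-off for "unusually large outbound".
    """
    findings = []
    for src, dst, dport, nbytes in flows:
        if not is_internal(src):
            continue
        if src not in baseline:
            findings.append((src, dst, dport, "unknown internal host"))
            continue
        reasons = []
        if (dst, dport) not in baseline[src]:
            reasons.append("new destination/port")
        if not is_internal(dst) and nbytes >= upload_threshold:
            reasons.append("large outbound transfer")
        if reasons:
            findings.append((src, dst, dport, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for host, peers in sorted(base.items()):
        print(host, "->", sorted(peers))
    for finding in find_anomalies(base, NEW_FLOWS):
        print("ANOMALY:", finding)
```

A real deployment would learn the baseline over weeks rather than from six records, expire stale entries, and feed the findings to an analyst rather than blocking automatically; the value here is that a quiet attacker's first outbound connection to a staging host is exactly the kind of "never seen before" event this approach surfaces, which is what raises their risk of being caught.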

Entering an "industrial espionage defense" clause into your budget, or creating a "five year plan" to better protect your organization from organized industrial espionage, may just get you a larger budget to cope with your organization's security needs.

Do you have something you'd do differently from (or in addition to) regular security practices when facing espionage from "organized" hackers? Any experience, or thoughts, you can share?

Gadi Evron,


Sunday, October 05, 2008

Time for self reflection

In case you don't read any of what I have to say below, read this: I have dual citizenship. Along with my homeland citizenship, I am of the Internet, and see it as my personal duty to try and make the Internet safe.

Atrivo (also known as Intercage), a network known for many years to host criminal activity, is no more.

Not being sarcastic for once, this is time for some self reflection.

I wish I were one of those who will sleep soundly tonight. I am clear in my conviction that Atrivo should be out of business, and positive that my decision to help that happen was sound; while I would do it again, I am sad.

I won't sleep soundly tonight, as that company, criminal and abusive as it clearly and contemptuously was, still sustained quite a few families in several layers of employment, from sysadmins sitting in the US of A all the way to minor low-level fraudsters employed by their clients' clients.

I will, however, be able to look myself in the mirror for my part in the effort to get rid of them, and even gloat some. My conscience is as clear to me as my sadness is crystal. We may not have changed the wall of battle in the long term, and whenever one criminal falls, another jumps up to the opportunities of the land of the free, the Internet. But for once, just for a while, we halted the machine. We stopped the wheels of evil, even if only for a fortnight.

While doing so, we also touched some lives in a destructive fashion. The criminals'.

No villain ever sees himself as the bad guy, as the saying goes. A friend recently showed me Russian language comments written on Brian Krebs' recent Washington Post story. In them, the posters ask: "why do you take our bread away?"

In a lecture during ISOI 5, some folks just didn't understand the meaning. Their bread. Their bread. We in the Western world, on our side of the cultural divide, speak a different language. Their culture isn't poorer than ours; it is unequivocally different.

We can not truly comprehend what it means for some folks in Russia to no longer be able to feed their children this month. Nor can we understand that by sending email, we made those children starve. Cheap theatrics on my part, you say? You got that right. It doesn't make it any less true.

Cyber crime is a war waged against the Western world. At first, no one even noticed; it was a niche, an art. While the artists still exist, they are a minority: the hackers. For the criminals, however, motive is as irrelevant as nationality. Whatever actions are taken, be it a political defacement, fraud or spam, the unavoidable secondary impact remains the same: damage to the Western economy and security, growing exponentially in a way which will become ever clearer in the coming years.

Yes, my friends. I would do the same again. I feel sorry for Atrivo, but they were harboring the Internet equivalent of active missile launchers firing on Israel from the Gaza strip. They are human beings who hit a curve in the road to their success. Cyber criminals, however, grow like parasites, and whatever I may feel about needing to resort to the end-game weaponry, these people need to be smacked down like cockroaches.

Ten years ago they were a pride to their parents, today they are a scourge. What will they be in ten years?

If all reasonable and even some unreasonable approaches fail, that does not mean I don't have to feel sorry for them, and for me. But it also doesn't mean we don't need to fight back.

Not even a hundred years ago, disastrously, war was business and an acceptable, horrifying part of life. A few years later, in 1918, war was unthinkable. In the century since, we who live in or are influenced by Western culture have made war no longer an option we can publicly stomach, while facing those who would play us like children because of it.

War is horrifying and evil; it is also a last resort in a world not as ascendant as we would like to think. The Internet has its own "liberals" and I am proud to be one of them. However, I am also practical, and see that wishing for the world we once had is not: a world where I could host files on my neighbor's servers openly, where children could happily use pocket calculators and go to libraries for their school work rather than Google and Wikipedia. You did so; do your children?

This new world has its price, and that price is a complete loss of public privacy, and a culture of ineffective security.

We are reliant on our Auntie Jane's computer knowledge for our own security, and while not many would follow us to our bathrooms to infringe on our personal privacy, online we have no privacy, however much it helps us to lie to ourselves that something we do publicly (read, on the Internet) is private.

I accepted that, but that is because I have been in the trenches for years. Others live better not knowing. But it doesn't mean I won't work diligently to make it remain functional.

Indeed, taking a step back from my niche in security, and seeing how bad things truly are--people can still surf for porn, and argue over who the best Star Trek captain is. Cyber crime, in all its immense activity of billions of incidents an hour, is background noise. But the background noise continually increases. When will it overflow?

All I really want is to maintain the functionality we have, regardless of the abuse. And yet... Going back to Atrivo, they made enough money by now. And regardless once more, their criminal clients are already back online elsewhere--in some places possibly hosted by what seems like Atrivo, only under a different name.

We did not win, but boy does it feel good to have a victory once in a while, for morale's sake. We halted the machine, even if only for a short time. That, my friends, also has strategic implications for our ability to influence networks to run clean on the Internet, although only time will tell if I am right on that.

Enough whining though. Who is next on the target list? :)

More seriously, why do I care so much? I have dual citizenship. Along with my homeland citizenship, I am of the Internet, and see it as my personal duty to try and make the Internet safe.

Gadi Evron,
Of the Internet.
