Monthly Archives: November 2007

Bot Roast II: FBI Cracks Down on Bot Herders

cyber110607.jpg FBI indicts, and in some cases gets guilty pleas or sentences, eight people they say were involved in botnet-related activities:
Secure Computing’s prinicipal research scientist Dmitri Alperovitch was quite happy about the news.

“We welcome this news and applaud the FBI’s efforts and law enforcement worldwide in attempting to cleanup the cesspool of malware and criminality that the botmasters have promoted,” Alperovitch said in a press release. “Since botnets are at the root of nearly all cybercrime activities that we see on the Internet today, the significant deterrence value that arrests and prosecutions such as these provide cannot be underestimated.”

FBI Cracks Down (Again) on Zombie Computer Armies, By Ryan Singel, Threat Level, November 29, 2007 | 4:54:32 PM

Indeed, good news.

Now where are the metrics to show how much effect this actually had on number of botnets, number of bots, criminal activities mounted from bots, etc.? Baseline, ongoing changes, dashboard, drilldown?


PS: Interestingly, every blog or press writeup I’ve seen about this misuses the word “hacker” to apply to these crackers, yet the actual FBI announcement never makes that mistake: it says cyber crime.

Medical Object Panopticon: Hospital Real-Time Location System (RTLS)

carolina_logo.gif Mostly increased monitoring provokes privacy concerns. But what if it’s objects that are being monitored?

Carolinas HealthCare System (CHS), the third-largest public healthcare system in the US, has completed the first phase of an asset tracking program that is believed to be one of the largest healthcare real-time location system (RTLS) deployments in the US. Currently about 5,000 assets are being tracked over 1.4 million square feet at five facilities.

CHS plans to extend the WiFi-based RTLS system throughout its network, which includes 15 hospitals and medical centers in the Carolinas. Additional facilities totaling about 3 million square feet are scheduled to go live by the end of the quarter.

"As a healthcare organization, we’re required to upgrade or perform preventive maintenance regularly on medical equipment," Clay Fisher, director of information service at Carolinas HealthSystem, told RFID Update. "Imagine trying to find one specific IV pump when you have thousands of them across multiple facilities. We have reduced our ‘time-to-find’ for individual pieces of equipment from hours to less than ten minutes."

Carolinas HealthCare Launches Huge RTLS System, RFID Update, Tuesday October 9th, 2007

One odd side effect is that CHS says if your wireless network isn’t configured for VoIP, you should add that, because then it will have enough coverage to do RTLS.

Now if they can find a way to track patient orders between nursing shifts, and which doctors sign off on drugs without seeing their patients….


Myanmar Destablized by Chinese Imports

shankachin.jpg Well, not quite yet, but this could be the start:
“It is learnt that taking advantage of the inability of the Myanmar military junta to provide satisfactory and affordable mobile phone services in the Shan State and the Kachin State areas of North Myanmar, Chinese companies have been operating mobile phone services in Yunnan for the benefit of the people of North Myanmar.”

Chinese Mobile Phone Services in North Myanmar, By B. Raman, Paper no. 2470, South Asia Analysis Group, 21-Nov.-2007, quoted in Lots More Reasons Why China is the New America, By Bruce Sterling, Beyond the Beyond, Wired Blogs, November 23, 2007 | 8:35:27 AM

This bears watching, also because while I’ve been predicting the U.S. may end up buying fast Internet access from Japanese companies, just like cars, actually it could be Chinese companies.


Breached Party: Labour Loses Confidence Due to Lack of Breach Security

breachedwhale.jpg The U.K. Revenue ministry has been leaking massive amounts of personal information, and now it’s affected the ruling party:
The Government will face fresh questions over the loss of millions of voters’ personal data amid evidence the debacle has helped fuel a massive slump in public confidence.

One poll showed those backing Labour’s ability to handle economic problems had been more than halved to 28%, with just a quarter deeming Gordon Brown’s administration “competent and capable”.

And another gave the Tories a nine-point overall lead, its strongest position for 15 years, just weeks after Labour enjoyed an 11-point advantage in the same poll.

Confidence in Labour ‘plummets’, Press Association, Guardian Unlimited, Friday November 23, 2007 7:03 AM

A government in risk of falling due to lack of breach security and perceived lack of technical confidence might be what it takes to get governments and industry to take breach security seriously. For example by requiring breach reporting.


Bot Buyin

Pickers.jpg Bruce, seeing that the Storm Worm has sprouted stock tout popups on its own bots:
(((I’m guessing the next step is to contact Storm bot victims directly and ask them to join the Storm Network voluntarily. AFter all, if you obeyed that Storm spam pop-up, you cashed in; and this would be a valuable opportunity to become a foot-soldier in the biggest online organized=crime outfit ever.)))

Storm Worm spams its own bots, By Bruce Sterling, Beyond the Beyond, November 15, 2007 | 11:34:00 AM

Having proved that it can infect much of the Internet and the alleged security professionals can do nothing about it, Storm now bids to get its victims to join it?


Egerstad Arrested: Uses Tor to Snoop Snoopers; Is This a Crime?

So this fellow was just arrested and some of his computers confiscated: danegerstad_narrowweb__300x378,0.jpg
Dan Egerstad, a security consultant, intercepted data carried over a global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts. They contained confidential diplomatic memos and other sensitive government emails.

After informing the governments involved of their security failings and receiving no response, Egerstad published 100 of the email accounts, including login details and passwords, on his website for anyone curious enough to have a look. The site,, has since been taken offline.

Swedish Police Swoop on Dan Egerstad – UPDATE by Fergie, Fergie’s Tech Blog, 14 Nov 2007

He got this information by installing Tor, which people use to hide their IP addresses, and looking to see what passed over it. What he saw he thinks was people who had already broken into embassy accounts using them illicitly. He tried to inform governments, who (except for Iran) were uninterested. Then he posted his information online, thus probably stopping the snoopers.

So Egerstad gets arrested, yet this man, who says “Privacy no longer can mean anonymity” walks around free.


Malware Leverage: Dan Geer on How Attackers Can Bankrupt Defenders

cumulative.jpg I keep talking about the black hats using the leverage of the Internet. Dan Geer summarizes the situation:
The thing to remember is that the attacker’s workfactor is the cost of a new variant, and as the production of variants (whether of malware or URLs) is now automated, the arms race between attacker and defender can be manipulated by the attacker to bankrupt the defender.

A Quant Looks at the Future Extrapolation via Trend Analysis, by Dan Geer, v6xi07, accessed 13 Nov 2007 “Rescaled, cumulative,” page 22,

He’s got lots of data from various viewpoints to back up that assertion.


Privacy and Breach Reporting

Why do corporations and the government think we should trust them with everything, yet they shouldn’t even have to report security breaches?

Adam notes that the Commission on Cyber Security is currently meeting “to provide advice about cyber-security policy to the next presidential administration.” Adam has a recommendation:

Many of our fears about what happens after a company is breached have turned out to be false. This is the first key lesson. We have feared that companies will go out of business, people will lose their jobs, and customers will flee. Generally, these things happen only in extreme outliers, if at all. (Two companies have gone out of business; average customer churn is about 2%.)

The second lesson comes from studying the data. The dataloss list contains less selection bias about a broader set of incidents than any other public data I’ve ever seen.

So my goal for the 44th Presidency would be to overcome the fear that has held us back from having national cybercrime statistics, in the form of good law requiring breach disclosure.

How Government Can Improve Cyber-Security, by Adam Shostack, Emergent Chaos, 12 Nov 2007

This would be a big improvement.


What to Measure

05ANT-20070-1465-navigation.jpg Adam evaluates a New York Times article about NYC school evaluations, and sums it up:
The school that flunked has more students meeting state standards than the school that got an A.

Measuring the Wrong Stuff, by Adam Shostack, Emergent Chaos, 9 Nov 2007

Measurement is good, but for example in information security if your measurements aren’t relevant to the performance of the company (economic, cultural, legal compliance, etc.), measurement can waste resources or steer the ship of state or company onto ice floes.