Author Archives: John S. Quarterman

Big U.S. Spam Spike in February 2012 SpamRankings.net

What could push the U.S. from 13 to 2 in worldwide SpamRankings.net, and way up to number one for the last week of February 2012?

In the U.S. rankings by ASN, seven out of ten are new, and NOC number 1 came up from number 9. Something pretty bad is going on. So bad Comcast didn’t place in the top 10 at all, for the first time in recent memory!

NOC has had this problem before, in July and November 2011, but never with this amount of spam volume. And this time many other ASNs show the same pattern.

The same issue may be in the Canadian rankings as well: AS 32613 IWEB-AS jumped from 8 to 1 for the month, with almost all the increase in the same last week of the month as for the U.S. problem ASNs.

There was even a similar curve in the World rankings, for Telefonica del Peru’s AS 6147 SAA.

Our next step is to drill down to see if these ASNs were infected by the same botnet. We did that for the medical ASNs last month, but this is a much bigger spam event this month.

-jsq

Davos discovers cyber attacks

Cyber attacks made the Davos Top 5 Global Risks in Terms of Likelihood. Davos, the annual conclave of the hyper-rich and famously elected, has also discovered Severe income disparity and Water supply crisis, so maybe they’re becoming more realistic.

However, in Figure 17 on page 25 they’ve got Cyber attacks as an origin risk, along with Massive incident of data fraud or theft and Massive digital misinformation. I think they’re missing the point, which is the real origin risk is poor infosec, and the origin of that is vendors like MSFT knowingly shipping systems with design flaws and people and organizations running them while hiding such problems.

Interesting comment on page 26: Continue reading

Is January’s medical spam caused by botnets?

Remember those three spamming medical organizations PSBL saw and the spike from CSHS that SpamRankings.net found in CBL data? Digging into the underlying data, and graphing them all on the same chart, we see this:

Even though the three three-digit-spamming medicos spam oddly coherently, we don’t find any botnets for them. This may be because most of that spam was seen by PSBL, and our botnet assignments come from CBL. CBL didn’t see any spam from those ASNs, so it didn’t have anything to assign for botnets. Maybe they’re infested by the same botnet; maybe not; can’t tell.

But it was CBL that saw that big spam spike for AS 22328 CSHS. And CBL did assign a botnet to that: Lethic. For all but two days of CSHS spam shown, CBL assigned Lethic to the total amount of spam from CSHS for that day. That may be because all that CSHS spam is coming from a single computer.

Of course, CBL’s botnet assignments are not perfect, but infosec professionals tell me CBL is about as good as it gets for that, so there’s a good chance this botnet assignment is correct.

The good news is that all of the trio of three-digit spamming medicos decreased their spam and even went to zero during the period shown.

And CSHS spam peaked at the end of January and started back down in February.

Pretty soon there may be once again little or no spam from medical organizations to rank.

-jsq

CSHS is back in January 2012 SpamRankings.net

In SpamRankings.net, January PSBL data reveals three three-digit U.S. medical spamming organizations, plus CSHS, and CBL data confirms a big spam spike from CSHS.

The three with more than 100 spam messages for the month were

each accounting for about a third of the total spam volume seen from medical organizations by CBL in January 2012.

Cedars-Sinai Health Systems‘ AS 22328 CSHS came in only seventh in PSBL data, with only 10 spam messages. But in CBL data, CSHS came in first, with 2,873 messages. That’s not a lot, compared to, for example, Comcast, which CBL saw spamming more than two million messages during the same month. But what patients would prefer to see from medical organizations is zero spam messages, since spam is a sneeze for infosec disease, and who wants to think their hospital’s information security or radiology computers might be infected?

Chances are CSHS will notice and clean it up pretty quick. Those other three medical orgs may have some sort of more chronic problem….

-jsq

SEC moving towards breach disclosure requirement?

The 13 October 2011 SEC guidance, CF Disclosure Guidance: Topic No. 2: Cybersecurity, leaves most of the decision of what sort of breaches are significant enough to disclose up to the affected organizations. But look at this:

During and After a Cyber Incident

Registrants may seek to mitigate damages from a cyber incident by providing customers with incentives to maintain the business relationship.
Hm, incentives like showing an improved reputational risk ranking?

Perhaps in order to prevent this sort of thing?

Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.
The SEC is still missing at least one connection between dots:

Prior to a Cyber Incident

Registrants may incur substantial costs to prevent cyber incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent that such costs are related to internal use software.
Sure, infosec costs money. But if infosec actually prevents loss of customer goodwill, infosec could attract and retain customers, so infosec could be a source of profit. If anybody knows about it, that is.

-jsq

Global Crossing spam spike, November 2011

In the November SpamRankings.net from PSBL data, Global Crossing’s AS 3549 GBLX spiked on 17 November and a few days before, pushing it into fifth place.

Did this spam spike come from any particular botnet?


AS 3549 GBLX PSBL spam volume left axis, CBL botnet volume right axis
It looks like GBLX is infested with many botnets, but the spike on 17 Nov roughly corresponds with a cutwail botnet volume peak on 16 Nov. Given that the ASN volume spike is from PSBL data and the botnet volume peak is from CBL data, a day off is plausible, due to different collection and delivery times.

There’s also a peak for grum (green line near the bottom) on 17 Nov, and peaks for festi and n/a on 18 Nov, where n/a is CBL’s marker for spam they detected without having to look as far as determining which botnet they think sent it.

So the spam spike could be from cutwail. Or it could be because of a coincidence of several botnet peaks. Or it could be some other botnet that happened to do a spam campaign on that day. Given that the PSBL GBLX peak builds up on 16 Nov, I’d guess it came mostly from cutwail.

We could try to resolve this question by digging into the specific addresses the GBLX spam PSBL saw came from and see if they match addresses CBL assigned to botnets.

-jsq

India, Bank of America, and CyberSURF: December 2011 SpamRankings.net

In SpamRankings.net for December 2011, worldwide India spammed the most, while Bank of America topped one U.S. ranking, and CyberSURF peaked in Canada, but Cleveland Clinic cleaned up its act.

More on those and other interesting rankings in later posts.

-jsq

Coal company reputation

Good news from the SEC for a change! They’re requiring coal plant operators to report health and safety violations, including fatalities, within a few days of occurence.

FuelFix posted from AP on 23 December 2011, SEC requiring coal firms to report safety problems

Earlier this week, the SEC announced new rules that require mining companies to start reporting any fatalities and all major health and safety violations, mine by mine, in their quarterly and annual financial reports. The filings are mandated in the wide-ranging Dodd-Frank Wall Street Reform and Consumer Protection Act, which Congress passed to try to increase corporate accountability.

The rules take effect 30 days after publication in the Federal Register. They require companies to report within four days any “significant and substantial” violations, citations, flagrant violations and imminent-danger orders issued by the federal Mine Safety and Health Administration.

Coal operators must also include the dollar value of proposed fines, whether the company has been or may be designated a pattern violator by MSHA, and any pending cases with the Federal Mine Safety and Health Review Commission.

What problem does this reporting solve? As the article points out: Continue reading

Comcast pushed out of first, yet wins November U.S. SpamRankings.net

How can an ISP both lose and win in top 10 rankings? By placing more than once!

Comcast got pushed out of first place by AS 46475 LIMESTONENETWORKS and AS 21788 NOC in the November 2011 Monthly U.S. SpamRankings.net from CBL volume. AS 20214 COMCAST-20214 did spam a third less (1,503,173 spam messages) than last month (2,193,898), but it was the spontaneous spam spewing of the two top place newcomers that pushed it down to third place.

Yet Comcast really won the month. It took 4 of the top 10 (places 3, 6, 7, and 10), which is twice as many as last time, and accounted for 30.29% of top 10 spam spewed, up from 23.9% last time. That percentage beats either of the top two this time.

-jsq

World PM2.5 Map as reputation

NASA posted 22 October 2009, New Map Offers a Global View of Health-Sapping Air Pollution
In many developing countries, the absence of surface-based air pollution sensors makes it difficult, and in some cases impossible, to get even a rough estimate of the abundance of a subcategory of airborne particles that epidemiologists suspect contributes to millions of premature deaths each year. The problematic particles, called fine particulate matter (PM2.5), are 2.5 micrometers or less in diameter, about a tenth the fraction of human hair. These small particles can get past the body’s normal defenses and penetrate deep into the lungs.
Even satellite measurements are difficult (clouds, snow, sand, elevation, etc.). But not impossible:

Continue reading