McAfee Labs today released the McAfee Threats Report: First Quarter 2013, which reported a significant spike in instances of the Koobface social networking worm and a dramatic increase in spam. McAfee Labs also saw continued increases in the number and complexity of targeted threats, including information-gathering Trojans and threats targeting systems’ master boot records (MBRs).
McAfee Labs found almost three times as many samples of Koobface as were seen in Continue reading
John S. Quarterman, long time Internet denizen, wrote one of the seminal books about networking prior to the commercialization of the Internet. He co-founded the first Internet consulting firm in Texas (TIC) in 1986, and co-founded one of the first ISPs in Austin (Zilker Internet Park, since sold to Jump Point). He was a founder of TISPA, the Texas ISP Association. Quarterman was born and raised in Lowndes County, where he married his wife Gretchen. They live on the same land where he grew up, and participate in local community and government.
The water organization has since been incorporated as the Georgia non-profit WWALS Watershed Coalition:
WWALS is an advocacy organization working for watershed conservation of the Willacoochee, Withlacoochee, Alapaha, and Little River Systems watershed in south Georgia and north Florida through awareness, environmental monitoring, and citizen advocacy.
These ecrime meetings are always interesting and useful. -jsq
Press release of 29 March:
Containing the Global Cybercrime Threat is Focus of Counter eCrime Operations Summit (CeCOS VI) in Prague, April 25-27
CeCOS VI, in Prague, Czech Republic, to focus on harmonizing operational issues, cybercrime data exchange, and industrial policies to strengthen and unify the global counter-ecrime effort.
CAMBRIDGE, Mass.—(BUSINESS WIRE)—The 6th annual Counter eCrime Operations Summit (CeCOS VI) will convene in Prague, Czech Republic, April 25-27, 2012, as the APWG gathers global leaders from the financial services, technology, government, law enforcement, communications sectors, and research centers to define common goals and harmonize resources to strengthen the global counter-cybercrime effort.
CeCOS VI Prague will review the development of response systems and resources available to counter-cybercrime managers and forensic professionals from around the world.
Specific goals of this high-level, multi-national conference are to identify common forensic needs, in terms of the data, tools, and communications protocols required to harmonize cybercrime response across borders and between private sector financial and industrial sector responders and public sector policy professionals and law enforcement.
Key presentations will include:
Let’s look at the top 10 ASNs infested by Ogee according to spam volume for 1 Feb 2012 to 12 Mar 2012:
Right Axis: top 10 Ogee ASN volume (dotted curves)
It looks like Ogee is a new botnet, since all these top 10 ASNs came up from zero volume before 18 February 2012. The biggest initial peak in this graph is from AS 21788 NOC, #1 in the U.S. February top 10, and the biggest late surge is from AS 10439 CARINET, #8 in that same ranking. Right below CARINET is AS 32613 IWEB-AS, Canadian February #1. The rest of the 8 Ogee-infested from the U.S. top 10 previously described also are in there, except AS 7796 ATMLINK and AS 13768 PEER1.
New here are these three: Continue reading
Maybe not all, but most. Eight out of the U.S. top 10 for February show very close correlation with one botnet, Ogee. They are listed in the table on the right and shown in the chart below:
The chart also shows some ASNs reacted quickly and stopped the spamming, while others got worse. It’s a busy chart, so let’s look at simpler charts for one example each of resilient and susceptible ASNs.
AS 21788 NOC was one of the first and worst affected by this spam surge: Continue reading
In the U.S. rankings by ASN, seven out of ten are new, and NOC number 1 came up from number 9. Something pretty bad is going on. So bad Comcast didn’t place in the top 10 at all, for the first time in recent memory!as well: AS 32613 IWEB-AS jumped from 8 to 1 for the month, with almost all the increase in the same last week of the month as for the U.S. problem ASNs.
There was even a similar curve in the World rankings, for Telefonica del Peru’s AS 6147 SAA.
Our next step is to drill down to see if these ASNs were infected by the same botnet. We did that for the medical ASNs last month, but this is a much bigger spam event this month.
However, in Figure 17 on page 25 they’ve got Cyber attacks as an origin risk, along with Massive incident of data fraud or theft and Massive digital misinformation. I think they’re missing the point, which is the real origin risk is poor infosec, and the origin of that is vendors like MSFT knowingly shipping systems with design flaws and people and organizations running them while hiding such problems.
Interesting comment on page 26: Continue reading
But it was CBL that saw that big spam spike for AS 22328 CSHS. And CBL did assign a botnet to that: Lethic. For all but two days of CSHS spam shown, CBL assigned Lethic to the total amount of spam from CSHS for that day. That may be because all that CSHS spam is coming from a single computer.
Of course, CBL’s botnet assignments are not perfect, but infosec professionals tell me CBL is about as good as it gets for that, so there’s a good chance this botnet assignment is correct.
The good news is that all of the trio of three-digit spamming medicos decreased their spam and even went to zero during the period shown.
And CSHS spam peaked at the end of January and started back down in February.
Pretty soon there may be once again little or no spam from medical organizations to rank.
- Novant Health Inc.‘s AS 18495 NOVANT-AS1 with 396,
- Sutter Health‘s AS 46648 SUTTERHEALTH with 376,
- Texas Children’s Hospital‘s AS 11015 TCH-AS with 353,
Cedars-Sinai Health Systems‘ AS 22328 CSHS came in only seventh in PSBL data, with only 10 spam messages. But in CBL data, CSHS came in first, with 2,873 messages. That’s not a lot, compared to, for example, Comcast, which CBL saw spamming more than two million messages during the same month. But what patients would prefer to see from medical organizations is zero spam messages, since spam is a sneeze for infosec disease, and who wants to think their hospital’s information security or radiology computers might be infected?
Chances are CSHS will notice and clean it up pretty quick. Those other three medical orgs may have some sort of more chronic problem….
Hm, incentives like showing an improved reputational risk ranking?
During and After a Cyber IncidentRegistrants may seek to mitigate damages from a cyber incident by providing customers with incentives to maintain the business relationship.
Perhaps in order to prevent this sort of thing?
Cyber incidents may also result in diminished future cash flows, thereby requiring consideration of impairment of certain assets including goodwill, customer-related intangible assets, trademarks, patents, capitalized software or other long-lived assets associated with hardware or software, and inventory.The SEC is still missing at least one connection between dots:
Sure, infosec costs money. But if infosec actually prevents loss of customer goodwill, infosec could attract and retain customers, so infosec could be a source of profit. If anybody knows about it, that is.
Prior to a Cyber IncidentRegistrants may incur substantial costs to prevent cyber incidents. Accounting for the capitalization of these costs is addressed by Accounting Standards Codification (ASC) 350-40, Internal-Use Software, to the extent that such costs are related to internal use software.